Stop disabling TLSv1.3 if ec and dh are disabled

Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.

Fixes #13767

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
This commit is contained in:
Matt Caswell 2021-01-14 15:50:20 +00:00
parent 8b1db5d329
commit a763ca1177
31 changed files with 241 additions and 119 deletions


@ -23,6 +23,17 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
* Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
Typically if OpenSSL has no EC or DH algorithms then it cannot support
connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
through providers. Therefore third party providers may supply group
implementations even where there are no built-in ones. Attempting to create
TLS connections in such a build without also disabling TLSv1.3 at run time or
using third party provider groups may result in handshake failures. TLSv1.3
can be disabled at compile time using the "no-tls1_3" Configure option.
*Matt Caswell*
* The undocumented function X509_certificate_type() has been deprecated;
applications can use X509_get0_pubkey() and X509_get0_signature() to
get the same information.


@ -563,8 +563,6 @@ my @disable_cascades = (
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
sub { $disabled{"ec"} && $disabled{"dh"} }
=> [ "tls1_3" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
"dtls" => [ @dtls ],


@ -685,18 +685,19 @@ static int always_retry_puts(BIO *bio, const char *str)
}
int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
const SSL_METHOD *cm,
int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
const SSL_METHOD *cm, int min_proto_version,
int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
char *certfile, char *privkeyfile)
{
SSL_CTX *serverctx = NULL;
SSL_CTX *clientctx = NULL;
if (*sctx != NULL)
serverctx = *sctx;
else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
goto err;
if (sctx != NULL) {
if (*sctx != NULL)
serverctx = *sctx;
else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
goto err;
}
if (cctx != NULL) {
if (*cctx != NULL)
@ -705,12 +706,25 @@ const SSL_METHOD *cm,
goto err;
}
if ((min_proto_version > 0
&& !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
min_proto_version)))
|| (max_proto_version > 0
&& !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
max_proto_version))))
#if !defined(OPENSSL_NO_TLS1_3) \
&& defined(OPENSSL_NO_EC) \
&& defined(OPENSSL_NO_DH)
/*
* There are no usable built-in TLSv1.3 groups if ec and dh are both
* disabled
*/
if (max_proto_version == 0
&& (sm == TLS_server_method() || cm == TLS_client_method()))
max_proto_version = TLS1_2_VERSION;
#endif
if (serverctx != NULL
&& ((min_proto_version > 0
&& !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
min_proto_version)))
|| (max_proto_version > 0
&& !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
max_proto_version)))))
goto err;
if (clientctx != NULL
&& ((min_proto_version > 0
@ -721,7 +735,7 @@ const SSL_METHOD *cm,
max_proto_version)))))
goto err;
if (certfile != NULL && privkeyfile != NULL) {
if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) {
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx,
@ -731,13 +745,14 @@ const SSL_METHOD *cm,
goto err;
}
*sctx = serverctx;
if (sctx != NULL)
*sctx = serverctx;
if (cctx != NULL)
*cctx = clientctx;
return 1;
err:
if (*sctx == NULL)
if (sctx != NULL && *sctx == NULL)
SSL_CTX_free(serverctx);
if (cctx != NULL && *cctx == NULL)
SSL_CTX_free(clientctx);
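Review bot: The TLSv1.2 clamp under the new `#if` fires only when `sm == TLS_server_method() || cm == TLS_client_method()`, so a caller that passes the version-flexible `TLS_method()` for either side (it negotiates TLSv1.3 as well) is left uncapped in a no-ec/no-dh build and would hit exactly the handshake failure the commit message describes. Whether any current caller does that is not visible here, but the restriction should be stated in the new comment, e.g. `* Only TLS_server_method()/TLS_client_method() callers are clamped; callers passing TLS_method() must cap max_proto_version themselves.` The clamp also runs before the `min_proto_version` handling, so a caller asking for a TLSv1.3-only minimum with an unpinned maximum silently ends up with a minimum above the maximum rather than an early, attributable failure; presumably such call sites are skipped in these builds, but that is worth one sentence in the same comment. create_ssl_ctx_pair's body continues outside the hunk.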


@ -65,7 +65,8 @@ SKIP: {
}
SKIP: {
skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
skip "TLSv1.3 disabled", 2
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 3: Check that sending multiple compression methods in a TLSv1.3
# ClientHello fails
$proxy->clear();
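Review bot: The message on the changed `skip` line still reads "TLSv1.3 disabled" although the condition now also fires when TLSv1.3 is enabled but both ec and dh are disabled, so a run skipped in that configuration reports a reason that is not true; `skip "TLSv1.3 disabled or no usable groups", 2 if disabled("tls1_3") || (disabled("ec") && disabled("dh"));` keeps the diagnostic honest. The same message drift recurs on the `skip` lines of the sslextension, sslrecords, sslsigalgs, sslsignature and tlsextms recipes in this commit, and on the `plan skip_all => "... needs TLS1.3 enabled"` lines of the later recipes, which also gained the ec/dh term without a wording change.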


@ -60,6 +60,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
plan skip_all => "$test_name needs EC or DH enabled"
if disabled("ec") && disabled("dh");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(


@ -43,6 +43,7 @@ my @test_offsets = (0, 128, 254, 255);
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->serverconnects(1 + scalar(@test_offsets));
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
@ -55,6 +56,7 @@ foreach my $offset (@test_offsets) {
$bad_padding_offset = $offset;
$fatal_alert = 0;
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3");
$proxy->clientstart();
ok($fatal_alert, "Invalid padding byte $bad_padding_offset");
}


@ -197,6 +197,7 @@ ok($fatal_alert, "Duplicate ClientHello extension");
$fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_serverhello);
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Duplicate ServerHello extension");
@ -207,6 +208,7 @@ SKIP: {
$proxy->clear();
$proxy->filter(\&extension_filter);
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success, "Zero extension length test");
@ -244,7 +246,8 @@ SKIP: {
}
SKIP: {
skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
skip "TLS 1.3 disabled", 1
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 7: Inject an unsolicited extension (TLSv1.3)
$fatal_alert = 0;
$proxy->clear();
@ -260,5 +263,6 @@ SKIP: {
# ignore it in a ClientHello
$proxy->clear();
$proxy->filter(\&inject_cryptopro_extension);
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello");


@ -43,6 +43,7 @@ my $fatal_alert = 0; # set by filters at expected fatal alerts
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 20;
ok($fatal_alert, "Out of context empty records test");
@ -51,6 +52,7 @@ ok($fatal_alert, "Out of context empty records test");
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
@ -60,6 +62,7 @@ $proxy->clear();
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Too many in context empty records test");
@ -70,6 +73,7 @@ $fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Fragmented alert records test");
@ -92,6 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
@ -102,6 +107,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
@ -112,6 +118,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
@ -121,6 +128,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
@ -130,6 +138,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
@ -140,6 +149,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
$fatal_alert = 0;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok($fatal_alert, "Unrecognised record type in TLS1.2");
@ -166,7 +176,8 @@ ok($fatal_alert, "Changed record version in TLS1.2");
#TLS1.3 specific tests
SKIP: {
skip "TLSv1.3 disabled", 8 if disabled("tls1_3");
skip "TLSv1.3 disabled", 8
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 13: Sending a different record version in TLS1.3 should fail
$proxy->clear();


@ -54,13 +54,15 @@ use constant {
# the sigalgs
#Test 1: Default sig algs should succeed
$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
SKIP: {
skip "TLSv1.3 disabled", 6 if disabled("tls1_3");
skip "TLSv1.3 disabled", 6
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$proxy->filter(\&sigalgs_filter);
@ -237,7 +239,10 @@ SKIP: {
my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
skip "TLSv1.3 disabled", 2
if disabled("tls1_3")
|| disabled("dsa")
|| (disabled("ec") && disabled("dh"));
#Test 20: signature_algorithms with 1.3-only ClientHello
$testtype = PURE_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
@ -263,7 +268,8 @@ SKIP: {
}
SKIP: {
skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
skip "TLSv1.3 disabled", 5
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 22: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
$proxy->clear();
@ -284,10 +290,7 @@ SKIP: {
$proxy->filter(\&modify_sigalgs_cert_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
}
SKIP: {
skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
#Test 25: Send an unrecognized signature_algorithms_cert
# We should be able to skip over the unrecognized value and use a
# valid one that appears later in the list.


@ -45,12 +45,14 @@ $proxy->filter(\&signature_filter);
#Test 1: No corruption should succeed
my $testtype = NO_CORRUPTION;
$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 4;
ok(TLSProxy::Message->success, "No corruption");
SKIP: {
skip "TLSv1.3 disabled", 1 if disabled("tls1_3");
skip "TLSv1.3 disabled", 1
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail
$proxy->clear();


@ -37,7 +37,10 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1");
if disabled("tls1_3")
|| (disabled("ec") && disabled("dh"))
|| disabled("tls1_2")
|| disabled("tls1_1");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -24,7 +24,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
if disabled("tls1_3") || disabled("tls1_2");
if disabled("tls1_3")
|| (disabled("ec") && disabled("dh"))
|| disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
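Review bot: The `(disabled("ec") && disabled("dh"))` term added to the first `plan skip_all` is redundant in this recipe, because the very next statement already skips the whole file whenever `disabled("ec")` is true, and the added term can only be true when ec is disabled. Its only effect is that a no-ec build now reports "needs TLSv1.3 enabled" instead of the accurate "needs EC enabled"; dropping the added term from this recipe keeps the message correct, e.g. `if disabled("tls1_3");`.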


@ -25,7 +25,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';


@ -56,9 +56,7 @@ my $proxy = TLSProxy::Proxy->new(
setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
my $numtests = 9;
$numtests++ if (!disabled("tls1_3"));
plan tests => $numtests;
plan tests => 10;
checkmessages(1, "Default extended master secret test", 1, 1, 1);
#Test 2: If client omits extended master secret extension, server should too.
@ -175,11 +173,14 @@ $proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;
#Test 10: In TLS1.3 we should not negotiate extended master secret
#Expected result: ClientHello extension seen; ServerHello extension not seen
# TLS1.3 handshake (will appear as abbreviated handshake
# because of no CKE message)
if (!disabled("tls1_3")) {
SKIP: {
skip "TLS 1.3 disabled", 1
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 10: In TLS1.3 we should not negotiate extended master secret
#Expected result: ClientHello extension seen; ServerHello extension not seen
# TLS1.3 handshake (will appear as abbreviated handshake
# because of no CKE message)
clearall();
setrmextms(0, 0);
$proxy->start();


@ -43,13 +43,16 @@ plan tests => 30 # = scalar @conf_srcs
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
!disabled("tls1_3"));
!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
$no_tls = 1;
}
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
@ -105,13 +108,13 @@ my %skip = (
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
"21-key-update.cnf" => disabled("tls1_3"),
"21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
"24-padding.cnf" => disabled("tls1_3"),
"24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
"26-tls13_client_auth.cnf" => disabled("tls1_3"),
"26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);


@ -33,6 +33,8 @@ my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
anydisabled qw/rsa dsa dh ec psk
ssl3 tls1 tls1_1 tls1_2 tls1_3
dtls dtls1 dtls1_2 ct/;
#If ec and dh are disabled then don't use TLSv1.3
$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh);
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
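Review bot: The `!$no_tls1_3 &&` guard on the new assignment is redundant, since the statement only ever sets the flag to 1 and that is a no-op when it is already 1; `$no_tls1_3 = 1 if $no_ec && $no_dh;` says the same thing. The comment above it would be more useful stating the reason rather than the rule, e.g. `# With neither ec nor dh there are no built-in TLSv1.3 groups, so treat TLSv1.3 as disabled`.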


@ -14,7 +14,7 @@ my $test_name = "test_tls13ccs";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;


@ -13,7 +13,7 @@ my $test_name = "tls13encryption";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
if disabled("tls1_3");
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;


@ -13,7 +13,9 @@ my $test_name = "tls13secrets";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
if disabled("tls1_3") || disabled("shared");
if disabled("tls1_3")
|| disabled("shared")
|| (disabled("ec") && disabled("dh"));
plan tests => 1;


@ -94,7 +94,8 @@ static int test_record_overflow(int idx)
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#if defined(OPENSSL_NO_TLS1_3) \
|| (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK)
return 1;


@ -31,6 +31,13 @@ static const char *host = "dummy-host";
static char *cert = NULL;
static char *privkey = NULL;
#if defined(OPENSSL_NO_TLS1_3) || \
(defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
static int maxversion = TLS1_2_VERSION;
#else
static int maxversion = 0;
#endif
static int get_sni_from_client_hello(BIO *bio, char **sni)
{
long len;
@ -101,6 +108,10 @@ static int client_setup_sni_before_state(void)
if (!TEST_ptr(ctx))
goto end;
if (maxversion > 0
&& !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
goto end;
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
@ -149,6 +160,10 @@ static int client_setup_sni_after_state(void)
if (!TEST_ptr(ctx))
goto end;
if (maxversion > 0
&& !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
goto end;
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
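Review bot: The new `maxversion` pins the client context to TLSv1.2 without saying why, unlike the equivalent additions in create_ssl_ctx_pair and test_handshake, which carry a comment; `/* Without ec or dh there are no built-in groups usable with TLSv1.3 */` above the `#if` would match them. The same three-macro condition is now hand-written in five test sources in this commit (here, test_record_overflow, create_ssl_ctx_pair, test_handshake and sslapitest's `OSSL_NO_USABLE_TLS1_3`); sslapitest already folds it into one macro, so defining that once in the shared test helper header and using it at the other sites would keep the copies from drifting. The two `SSL_CTX_set_max_proto_version` insertions are identical in client_setup_sni_before_state and client_setup_sni_after_state; both functions start outside the hunk.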


@ -116,7 +116,9 @@ sub generate_tests() {
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" =>
($protocol_name eq "flex" && !disabled("tls1_3"))
($protocol_name eq "flex"
&& !disabled("tls1_3")
&& (!disabled("ec") || !disabled("dh")))
? "CertificateRequired" : "HandshakeFailure",
"Method" => $method,
},


@ -96,4 +96,5 @@ our @tests13 = (
our @tests = ();
push @tests, @tests12 unless disabled("tls1_2");
push @tests, @tests13 unless disabled("tls1_3");
push @tests, @tests13 unless disabled("tls1_3")
|| (disabled("ec") && disabled("dh"));


@ -64,7 +64,10 @@ sub max_prot_enabled {
my $max_enabled;
foreach my $i (0..$#protocols) {
if (!$is_disabled[$i]) {
if (!$is_disabled[$i]
&& ($protocols[$i] ne "TLSv1.3"
|| !disabled("ec")
|| !disabled("dh"))) {
$max_enabled = $i;
}
}
@ -172,7 +175,11 @@ sub generate_version_tests {
}
}
}
return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
return @tests
if disabled("tls1_3")
|| disabled("tls1_2")
|| (disabled("ec") && disabled("dh"))
|| $dtls;
#Add some version/ciphersuite sanity check tests
push @tests, {
@ -307,7 +314,7 @@ sub generate_resumption_tests {
}
}
if (!disabled("tls1_3") && !$dtls) {
if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) {
push @client_tests, {
"name" => "resumption-with-hrr",
"client" => {
@ -332,7 +339,9 @@ sub generate_resumption_tests {
sub expected_result {
my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled,
$protocols) = @_;
my @prots = @$protocols;
my $orig_c_max = $c_max;
# Adjust for "undef" (no limit).
$c_min = $c_min == 0 ? 0 : $c_min - 1;
$c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max;
@ -346,7 +355,11 @@ sub expected_result {
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
if ($c_min > $c_max) {
if ($c_min > $c_max
|| ($orig_c_max != scalar @$protocols
&& $prots[$orig_c_max] eq "TLSv1.3"
&& $c_max != $orig_c_max
&& !disabled("tls1_3"))) {
# Client should fail to even send a hello.
return ("ClientFail", undef);
} elsif ($s_min > $s_max) {
@ -356,7 +369,6 @@ sub expected_result {
# Server doesn't support the client range.
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
my @prots = @$protocols;
if ($prots[$c_max] eq "TLSv1.3") {
# Client will have sent supported_versions, so server will know
# that there are no overlapping versions.
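Review bot: The new second disjunct in the `ClientFail` condition has no explanation, while the existing comment `# Client should fail to even send a hello.` only covers the `$c_min > $c_max` case. As far as the hunk shows, it matches a client whose maximum was explicitly set to TLSv1.3 and then lowered by `$max_enabled` in a build where TLSv1.3 is compiled in, i.e. the no-ec/no-dh case, and a comment such as `# A client pinned to TLSv1.3 in a build that has TLSv1.3 but no usable groups cannot build a ClientHello either` would record that. Whether `$c_max` is altered between the `my $orig_c_max` line and the `min $c_max, $max_enabled` line is not visible in the hunk, so the `$c_max != $orig_c_max` test may also be true for reasons other than the groups clamp; worth confirming. expected_result's body continues outside the hunk.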


@ -1321,7 +1321,12 @@ int main(int argc, char *argv[])
max_version = TLS1_2_VERSION;
} else {
min_version = 0;
# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)
/* We only have ec and dh based built-in groups for TLSv1.3 */
max_version = TLS1_2_VERSION;
# else
max_version = 0;
# endif
}
#endif
#ifndef OPENSSL_NO_DTLS


@ -436,8 +436,17 @@ static int test_handshake(int idx)
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
#if !defined(OPENSSL_NO_TLS1_3) \
&& defined(OPENSSL_NO_EC) \
&& defined(OPENSSL_NO_DH)
/* Without ec or dh there are no built-in groups for TLSv1.3 */
int maxversion = TLS1_2_VERSION;
#else
int maxversion = 0;
#endif
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))
goto err;
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
@ -445,21 +454,24 @@ static int test_handshake(int idx)
if (!TEST_ptr(server2_ctx =
SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
goto err;
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0)))
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
maxversion)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
maxversion)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
maxversion)))
goto err;
if (!TEST_ptr(resume_server_ctx)
|| !TEST_ptr(resume_client_ctx))
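Review bot: `server_ctx` and `client_ctx` are still handed to `SSL_CTX_set_max_proto_version` straight from `SSL_CTX_new_ex` without a NULL check, while `server2_ctx` is guarded by `TEST_ptr`, and on the resumption path the `TEST_ptr(resume_server_ctx)`/`TEST_ptr(resume_client_ctx)` checks come only after the set calls on them; an allocation failure therefore dereferences NULL inside the rewritten lines instead of failing the test cleanly. This predates the commit, but since these are the lines being rewritten it is cheap to fix here, e.g. `if (!TEST_ptr(server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))` `|| !TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))` `goto err;`, and likewise for the other three contexts. test_handshake's body continues on both sides of the hunk.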


@ -39,6 +39,16 @@
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
#undef OSSL_NO_USABLE_TLS1_3
#if defined(OPENSSL_NO_TLS1_3) \
|| (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
/*
* If we don't have ec or dh then there are no built-in groups that are usable
* with TLSv1.3
*/
# define OSSL_NO_USABLE_TLS1_3
#endif
/* Defined in filterprov.c */
OSSL_provider_init_fn filter_provider_init;
int filter_provider_set_filter(int operation, const char *name);
@ -52,7 +62,7 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle,
static OSSL_LIB_CTX *libctx = NULL;
static OSSL_PROVIDER *defctxnull = NULL;
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *clientpsk = NULL;
static SSL_SESSION *serverpsk = NULL;
@ -351,7 +361,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
return 1;
}
#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
static int test_keylog(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@ -432,7 +442,7 @@ end:
}
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
static int test_keylog_no_master_key(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@ -957,7 +967,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
}
#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
!(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
!(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
/* sock must be connected */
static int ktls_chk_platform(int sock)
@ -1272,14 +1282,14 @@ end:
return testresult;
}
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int test_ktls(int test)
{
int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
int tlsver, testresult;
if (test > 15) {
#if defined(OPENSSL_NO_TLS1_3)
#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
test -= 16;
@ -1302,7 +1312,7 @@ static int test_ktls(int test)
if (cis_ktls_rx || sis_ktls_rx)
return 1;
#endif
#if !defined(OPENSSL_NO_TLS1_3)
#if !defined(OSSL_NO_USABLE_TLS1_3)
if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
return 1;
#endif
@ -1332,7 +1342,7 @@ static int test_ktls_sendfile_anytls(int tst)
int tlsver;
if (tst > 2) {
#if defined(OPENSSL_NO_TLS1_3)
#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
tst -= 3;
@ -1481,7 +1491,7 @@ static int test_cleanse_plaintext(void)
#endif
#if !defined(OPENSSL_NO_TLS1_3)
#if !defined(OSSL_NO_USABLE_TLS1_3)
if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
@ -1676,7 +1686,7 @@ static int test_tlsext_status_type(void)
}
#endif
#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int new_called, remove_called, get_called;
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
@ -1992,11 +2002,11 @@ static int execute_test_session(int maxprot, int use_int_cache,
return testresult;
}
#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
static int test_session_with_only_int_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
return 0;
#endif
@ -2010,7 +2020,7 @@ static int test_session_with_only_int_cache(void)
static int test_session_with_only_ext_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
return 0;
#endif
@ -2024,7 +2034,7 @@ static int test_session_with_only_ext_cache(void)
static int test_session_with_both_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
return 0;
#endif
@ -2038,7 +2048,7 @@ static int test_session_with_both_cache(void)
static int test_session_wo_ca_names(void)
{
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
return 0;
#endif
@ -2051,7 +2061,7 @@ static int test_session_wo_ca_names(void)
}
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *sesscache[6];
static int do_cache;
@ -2492,7 +2502,7 @@ static int test_extra_tickets(int idx)
#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
@ -2721,7 +2731,7 @@ static int test_ssl_bio_change_wbio(void)
return execute_test_ssl_bio(0, CHANGE_WBIO);
}
#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
typedef struct {
/* The list of sig algs */
const int *list;
@ -2852,7 +2862,7 @@ static int test_set_sigalgs(int idx)
}
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
@ -5048,7 +5058,7 @@ static int test_stateless(void)
return testresult;
}
#endif /* OPENSSL_NO_TLS1_3 */
#endif /* OSSL_NO_USABLE_TLS1_3 */
static int clntaddoldcb = 0;
static int clntparseoldcb = 0;
@ -5183,7 +5193,7 @@ static int test_custom_exts(int tst)
SSL_SESSION *sess = NULL;
unsigned int context;
#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
/* Skip tests for TLSv1.2 and below in this case */
if (tst < 3)
return 1;
@ -5478,7 +5488,7 @@ static int test_export_key_mat(int tst)
if (tst == 2)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 3)
return 1;
#endif
@ -5604,7 +5614,7 @@ static int test_export_key_mat(int tst)
return testresult;
}
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that SSL_export_keying_material_early() produces expected
* results. There are no test vectors so all we do is test that both
@ -5823,7 +5833,7 @@ static int test_key_update_in_write(int tst)
return testresult;
}
#endif /* OPENSSL_NO_TLS1_3 */
#endif /* OSSL_NO_USABLE_TLS1_3 */
static int test_ssl_clear(int idx)
{
@ -5942,14 +5952,15 @@ static const unsigned char max_fragment_len_test[] = {
static int test_max_fragment_len_ext(int idx_tst)
{
SSL_CTX *ctx;
SSL_CTX *ctx = NULL;
SSL *con = NULL;
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
if (!TEST_ptr(ctx))
goto end;
if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
TLS1_VERSION, 0, NULL, &ctx, NULL,
NULL)))
return 0;
if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
ctx, max_fragment_len_test[idx_tst])))
@ -5968,7 +5979,6 @@ static int test_max_fragment_len_ext(int idx_tst)
}
SSL_set_bio(con, rbio, wbio);
SSL_set_connect_state(con);
if (!TEST_int_le(SSL_connect(con), 0)) {
/* This shouldn't succeed because we don't have a server! */
@ -5990,7 +6000,7 @@ end:
return testresult;
}
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
static int test_pha_key_update(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@ -6432,7 +6442,7 @@ static int test_info_callback(int tst)
return 1;
#endif
} else {
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
tlsvers = TLS1_3_VERSION;
#else
return 1;
@ -6444,7 +6454,7 @@ static int test_info_callback(int tst)
info_cb_this_state = -1;
info_cb_offset = tst;
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
if (tst >= 4) {
SSL_SESSION *sess = NULL;
size_t written, readbytes;
@ -6603,7 +6613,7 @@ static struct {
* We can't establish a connection (even in TLSv1.1) with these ciphersuites if
* TLSv1.3 is enabled but TLSv1.2 is disabled.
*/
#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
{
TLS1_2_VERSION,
"AES128-SHA:AES256-SHA",
@ -6649,7 +6659,7 @@ static struct {
* This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
* enabled.
*/
#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
&& !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
TLS1_3_VERSION,
@ -6662,7 +6672,7 @@ static struct {
"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
},
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
{
TLS1_3_VERSION,
"AES128-SHA",
@ -6907,7 +6917,7 @@ static int test_ticket_callbacks(int tst)
if (tst % 2 == 0)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#ifdef OSSL_NO_USABLE_TLS1_3
if (tst % 2 == 1)
return 1;
#endif
@ -7124,7 +7134,7 @@ static int test_shutdown(int tst)
if (tst <= 1)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 2)
return 1;
#endif
@ -7259,7 +7269,7 @@ static int test_shutdown(int tst)
return testresult;
}
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int cert_cb_cnt;
static int cert_cb(SSL *s, void *arg)
@ -7440,7 +7450,7 @@ static int test_cert_cb(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
#endif
@ -7498,7 +7508,7 @@ static int test_client_cert_cb(int tst)
if (tst == 0)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#ifdef OSSL_NO_USABLE_TLS1_3
if (tst == 1)
return 1;
#endif
@ -7537,7 +7547,7 @@ static int test_client_cert_cb(int tst)
return testresult;
}
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
* Test setting certificate authorities on both client and server.
*
@ -7664,7 +7674,7 @@ static int test_ca_names(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
#endif
@ -7794,7 +7804,7 @@ static int test_servername(int tst)
if (tst <= 4)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 5)
return 1;
#endif
@ -7925,7 +7935,7 @@ static int test_servername(int tst)
}
#if !defined(OPENSSL_NO_EC) \
&& (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
/*
* Test that if signature algorithms are not available, then we do not offer or
* accept them.
@ -8062,10 +8072,11 @@ static int test_sigalgs_available(int idx)
}
#endif /*
* !defined(OPENSSL_NO_EC) \
* && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
* && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
*/
#ifndef OPENSSL_NO_TLS1_3
/* This test can run in TLSv1.3 even if ec and dh are disabled */
static int test_pluggable_group(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@ -8489,7 +8500,7 @@ static int test_dh_auto(int idx)
# endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that setting an SNI callback works with TLSv1.3. Specifically we check
* that it works even without a certificate configured for the original
@ -8667,7 +8678,7 @@ int setup_tests(void)
goto err;
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_ktls, 32);
ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
# endif
@ -8685,7 +8696,7 @@ int setup_tests(void)
ADD_TEST(test_session_with_only_ext_cache);
ADD_TEST(test_session_with_both_cache);
ADD_TEST(test_session_wo_ca_names);
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
ADD_TEST(test_psk_tickets);
@ -8696,11 +8707,11 @@ int setup_tests(void)
ADD_TEST(test_ssl_bio_pop_ssl_bio);
ADD_TEST(test_ssl_bio_change_rbio);
ADD_TEST(test_ssl_bio_change_wbio);
#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
ADD_TEST(test_keylog);
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_keylog_no_master_key);
#endif
ADD_TEST(test_client_cert_verify_cb);
@ -8709,7 +8720,7 @@ int setup_tests(void)
ADD_TEST(test_no_ems);
ADD_TEST(test_ccs_change_cipher);
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);
/*
* We don't do replay tests for external PSK. Replay protection isn't used
@ -8728,7 +8739,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
# endif
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_set_ciphersuite, 10);
ADD_TEST(test_ciphersuite_change);
ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
@ -8752,7 +8763,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_serverinfo, 8);
ADD_ALL_TESTS(test_export_key_mat, 6);
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
ADD_ALL_TESTS(test_key_update_in_write, 2);
@ -8776,7 +8787,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_servername, 10);
#if !defined(OPENSSL_NO_EC) \
&& (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
@ -8789,7 +8800,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_dh_auto, 7);
# endif
#endif
#ifndef OPENSSL_NO_TLS1_3
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
return 1;