diff -up openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb openssl-1.1.1k/ssl/statem/statem_lib.c
--- openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb 2021-07-16 16:03:04.200024170 +0200
+++ openssl-1.1.1k/ssl/statem/statem_lib.c 2021-07-16 16:08:04.076630415 +0200
@@ -1504,8 +1504,8 @@ static int ssl_method_error(const SSL *s
/*
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
- * certificate type, or has PSK or a certificate callback configured, or has
- * a servername callback configured. Otherwise returns 0.
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
+ * returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
@@ -1515,17 +1515,6 @@ static int is_tls13_capable(const SSL *s
EC_KEY *eckey;
#endif
- if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
- return 0;
-
- /*
- * A servername callback can change the available certs, so if a servername
- * cb is set then we just assume TLSv1.3 will be ok
- */
- if (s->ctx->ext.servername_cb != NULL
- || s->session_ctx->ext.servername_cb != NULL)
- return 1;
-
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
return 1;
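Review bot: A server whose certificate is installed only by the SNI callback (nothing configured on the base SSL_CTX) is now reported as not TLSv1.3-capable, because the early `return 1` behind the `s->ctx->ext.servername_cb` / `s->session_ctx->ext.servername_cb` check is removed, and the version-selection caller (outside this hunk, but it appears to use this result to skip TLSv1.3) will quietly settle on TLSv1.2 rather than fail — a silent downgrade that operators may not notice. Dropping the `ossl_assert(s->ctx != NULL)` guard looks safe on the lines shown, since nothing remaining in the hunk dereferences `s->ctx` or `s->session_ctx`, but the body of is_tls13_capable continues past the hunk. The header comment rewritten in the preceding hunk should state this consequence explicitly, e.g. `* A servername callback is not considered: if certificates are supplied only by that callback, TLSv1.3 is treated as unavailable and the connection may be negotiated at TLSv1.2.`. The sslapitest.c hunk deletes test_sni_tls13, the only coverage of that configuration, so a replacement test pinning the intended outcome for an SNI-only server (the negotiated version, or a handshake failure if that is the intent) would make the new semantics visible rather than implicit.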
diff -up openssl-1.1.1k/test/sslapitest.c.servername-cb openssl-1.1.1k/test/sslapitest.c
--- openssl-1.1.1k/test/sslapitest.c.servername-cb 2021-07-16 16:08:20.094823046 +0200
+++ openssl-1.1.1k/test/sslapitest.c 2021-07-16 16:09:25.708612095 +0200
@@ -6658,62 +6658,6 @@ static int test_ssl_dup(void)
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
-/*
- * Test that setting an SNI callback works with TLSv1.3. Specifically we check
- * that it works even without a certificate configured for the original
- * SSL_CTX
- */
-static int test_sni_tls13(void)
-{
- SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
- SSL *clientssl = NULL, *serverssl = NULL;
- int testresult = 0;
-
- /* Reset callback counter */
- snicb = 0;
-
- /* Create an initial SSL_CTX with no certificate configured */
- sctx = SSL_CTX_new(TLS_server_method());
- if (!TEST_ptr(sctx))
- goto end;
- /* Require TLSv1.3 as a minimum */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
- privkey)))
- goto end;
-
- /* Set up SNI */
- if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
- || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
- goto end;
-
- /*
- * Connection should still succeed because the final SSL_CTX has the right
- * certificates configured.
- */
- if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
- &clientssl, NULL, NULL))
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE)))
- goto end;
-
- /* We should have had the SNI callback called exactly once */
- if (!TEST_int_eq(snicb, 1))
- goto end;
-
- testresult = 1;
-
-end:
- SSL_free(serverssl);
- SSL_free(clientssl);
- SSL_CTX_free(sctx2);
- SSL_CTX_free(sctx);
- SSL_CTX_free(cctx);
- return testresult;
-}
-#endif
-
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6837,9 +6781,6 @@ int setup_tests(void)
#ifndef OPENSSL_NO_TLS1_2
ADD_TEST(test_ssl_dup);
#endif
-#ifndef OPENSSL_NO_TLS1_3
- ADD_TEST(test_sni_tls13);
-#endif
return 1;
}