From b4eee58a5f9dfa493d6cc34b4af871415c67beda Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 10 Nov 2016 15:35:42 +0000 Subject: [PATCH] Fix test_sslcorrupt when using TLSv1.3 The test loops through all the ciphers, attempting to test each one in turn. However version negotiation happens before cipher selection, so with TLSv1.3 switched on if we use a non-TLSv1.3 compatible cipher suite we get "no share cipher". Reviewed-by: Rich Salz --- test/sslcorrupttest.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c index 34ac8f774c..f07cfceda7 100644 --- a/test/sslcorrupttest.c +++ b/test/sslcorrupttest.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include "ssltestlib.h" #include "testutil.h" @@ -182,6 +183,8 @@ static int test_ssl_corrupt(int testidx) BIO *c_to_s_fbio; int testresult = 0; static unsigned char junk[16000] = { 0 }; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *currcipher; printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]); @@ -196,6 +199,29 @@ static int test_ssl_corrupt(int testidx) goto end; } + ciphers = SSL_CTX_get_ciphers(cctx); + if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) != 1) { + printf("Unexpected ciphers set\n"); + goto end; + } + currcipher = sk_SSL_CIPHER_value(ciphers, 0); + if (currcipher == NULL) { + printf("Failed getting the current cipher\n"); + goto end; + } + + /* + * If we haven't got a TLSv1.3 cipher, then we mustn't attempt to use + * TLSv1.3. Version negotiation happens before cipher selection, so we will + * get a "no shared cipher" error. + */ + if (strcmp(SSL_CIPHER_get_version(currcipher), "TLSv1.3") != 0) { + if (!SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) { + printf("Failed setting max protocol version\n"); + goto end; + } + } + c_to_s_fbio = BIO_new(bio_f_tls_corrupt_filter()); if (c_to_s_fbio == NULL) { printf("Failed to create filter BIO\n"); -- 2.25.1