From c8dddc61d49f84d1667de97e9548f07ccc92dddf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 29 Apr 2024 16:58:24 +0100 Subject: [PATCH] Add a test for the session_secret_cb Ensure that if a session_secret_cb is being used that a connection can be successfully made Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24309) --- test/sslapitest.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/test/sslapitest.c b/test/sslapitest.c index b57ca8b1133..e948ae01a2a 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -10121,6 +10121,94 @@ static int test_ssl_dup(void) return testresult; } +static int secret_cb(SSL *s, void *secretin, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, + const SSL_CIPHER **cipher, void *arg) +{ + int i; + unsigned char *secret = secretin; + + /* Just use a fixed master secret */ + for (i = 0; i < *secret_len; i++) + secret[i] = 0xff; + + /* We don't set a preferred cipher */ + + return 1; +} + +/* + * Test the session_secret_cb which is designed for use with EAP-FAST + */ +static int test_session_secret_cb(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + SSL_SESSION *secret_sess = NULL; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + 0, + 0, + &sctx, &cctx, cert, privkey))) + goto end; + + /* Create an initial connection and save the session */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* session_secret_cb does not support TLSv1.3 */ + if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) + || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl))) + goto end; + + shutdown_ssl_connection(serverssl, clientssl); + serverssl = clientssl = NULL; + + /* Resume the earlier session */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* + * No session ids for EAP-FAST - otherwise the state machine gets very + * confused. + */ + if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0))) + goto end; + + if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) + || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) + || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb, + NULL)) + || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb, + NULL)) + || !TEST_true(SSL_set_session(clientssl, secret_sess))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + testresult = 1; + + end: + SSL_SESSION_free(secret_sess); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + # ifndef OPENSSL_NO_DH static EVP_PKEY *tmp_dh_params = NULL; @@ -12144,6 +12232,7 @@ int setup_tests(void) #endif #ifndef OPENSSL_NO_TLS1_2 ADD_TEST(test_ssl_dup); + ADD_TEST(test_session_secret_cb); # ifndef OPENSSL_NO_DH ADD_ALL_TESTS(test_set_tmp_dh, 11); ADD_ALL_TESTS(test_dh_auto, 7); -- 2.47.2