diff options
| author | Todd Short <tshort@akamai.com> | 2017-07-10 19:28:35 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-02-15 11:11:18 +0100 |
| commit | 088dfa133561d7613b9391a56ddbce58f32c934a (patch) | |
| tree | 46ebb1770ded52fd84e2202d80cac0ea9121b49f /test/sslapitest.c | |
| parent | Use order not degree to calculate a buffer size in ecdsatest (diff) | |
| download | openssl-088dfa133561d7613b9391a56ddbce58f32c934a.tar.xz openssl-088dfa133561d7613b9391a56ddbce58f32c934a.zip | |
Add option to disable Extended Master Secret
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION. Retain most of the
sanity checks between the previous and current session during
session resumption, but weaken the check when the current SSL
object is configured to not use EMS.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3910)
Diffstat (limited to '')
| -rw-r--r-- | test/sslapitest.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c index 02eb1fef7e..788ac4609e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -579,6 +579,51 @@ end: return testresult; } + +static int test_no_ems(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS1_2_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Unable to create SSL_CTX pair\n"); + goto end; + } + + SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET); + + if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { + printf("Unable to create SSL objects\n"); + goto end; + } + + if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { + printf("Creating SSL connection failed\n"); + goto end; + } + + if (SSL_get_extms_support(serverssl)) { + printf("Server reports Extended Master Secret support\n"); + goto end; + } + + if (SSL_get_extms_support(clientssl)) { + printf("Client reports Extended Master Secret support\n"); + goto end; + } + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} #endif static int execute_test_large_message(const SSL_METHOD *smeth, @@ -6087,6 +6132,7 @@ int setup_tests(void) #endif #ifndef OPENSSL_NO_TLS1_2 ADD_TEST(test_client_hello_cb); + ADD_TEST(test_no_ems); #endif #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 3); |