Fix test_sslcorrupt when using TLSv1.3

The test loops through all the ciphers, attempting to test each one in turn.
However version negotiation happens before cipher selection, so with TLSv1.3
switched on if we use a non-TLSv1.3 compatible cipher suite we get "no
share cipher".

Reviewed-by: Rich Salz <rsalz@openssl.org>

1 files changed, 26 insertions, 0 deletions

diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 34ac8f774c..f07cfceda7 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <string.h>
 #include "ssltestlib.h"
 #include "testutil.h"
 
@@ -182,6 +183,8 @@ static int test_ssl_corrupt(int testidx)
     BIO *c_to_s_fbio;
     int testresult = 0;
     static unsigned char junk[16000] = { 0 };
+    STACK_OF(SSL_CIPHER) *ciphers;
+    const SSL_CIPHER *currcipher;
 
     printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]);
 
@@ -196,6 +199,29 @@ static int test_ssl_corrupt(int testidx)
         goto end;
     }
 
+    ciphers = SSL_CTX_get_ciphers(cctx);
+    if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) != 1) {
+        printf("Unexpected ciphers set\n");
+        goto end;
+    }
+    currcipher = sk_SSL_CIPHER_value(ciphers, 0);
+    if (currcipher == NULL) {
+        printf("Failed getting the current cipher\n");
+        goto end;
+    }
+
+    /*
+     * If we haven't got a TLSv1.3 cipher, then we mustn't attempt to use
+     * TLSv1.3. Version negotiation happens before cipher selection, so we will
+     * get a "no shared cipher" error.
+     */
+    if (strcmp(SSL_CIPHER_get_version(currcipher), "TLSv1.3") != 0) {
+        if (!SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) {
+            printf("Failed setting max protocol version\n");
+            goto end;
+        }
+    }
+
     c_to_s_fbio = BIO_new(bio_f_tls_corrupt_filter());
     if (c_to_s_fbio == NULL) {
         printf("Failed to create filter BIO\n");