]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Reorganize local header files
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <string.h>
12
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
22
23 #include "ssltestlib.h"
24 #include "testutil.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_local.h"
29
30 #ifndef OPENSSL_NO_TLS1_3
31
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
36
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
41
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
44
45 static SSL_SESSION *create_a_psk(SSL *ssl);
46 #endif
47
48 static char *certsdir = NULL;
49 static char *cert = NULL;
50 static char *privkey = NULL;
51 static char *srpvfile = NULL;
52 static char *tmpfilename = NULL;
53
54 #define LOG_BUFFER_SIZE 2048
55 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t server_log_buffer_index = 0;
57 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
58 static size_t client_log_buffer_index = 0;
59 static int error_writing_log = 0;
60
61 #ifndef OPENSSL_NO_OCSP
62 static const unsigned char orespder[] = "Dummy OCSP Response";
63 static int ocsp_server_called = 0;
64 static int ocsp_client_called = 0;
65
66 static int cdummyarg = 1;
67 static X509 *ocspcert = NULL;
68 #endif
69
70 #define NUM_EXTRA_CERTS 40
71 #define CLIENT_VERSION_LEN 2
72
73 /*
74 * This structure is used to validate that the correct number of log messages
75 * of various types are emitted when emitting secret logs.
76 */
77 struct sslapitest_log_counts {
78 unsigned int rsa_key_exchange_count;
79 unsigned int master_secret_count;
80 unsigned int client_early_secret_count;
81 unsigned int client_handshake_secret_count;
82 unsigned int server_handshake_secret_count;
83 unsigned int client_application_secret_count;
84 unsigned int server_application_secret_count;
85 unsigned int early_exporter_secret_count;
86 unsigned int exporter_secret_count;
87 };
88
89
90 static unsigned char serverinfov1[] = {
91 0xff, 0xff, /* Dummy extension type */
92 0x00, 0x01, /* Extension length is 1 byte */
93 0xff /* Dummy extension data */
94 };
95
96 static unsigned char serverinfov2[] = {
97 0x00, 0x00, 0x00,
98 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
99 0xff, 0xff, /* Dummy extension type */
100 0x00, 0x01, /* Extension length is 1 byte */
101 0xff /* Dummy extension data */
102 };
103
104 static void client_keylog_callback(const SSL *ssl, const char *line)
105 {
106 int line_length = strlen(line);
107
108 /* If the log doesn't fit, error out. */
109 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
110 TEST_info("Client log too full");
111 error_writing_log = 1;
112 return;
113 }
114
115 strcat(client_log_buffer, line);
116 client_log_buffer_index += line_length;
117 client_log_buffer[client_log_buffer_index++] = '\n';
118 }
119
120 static void server_keylog_callback(const SSL *ssl, const char *line)
121 {
122 int line_length = strlen(line);
123
124 /* If the log doesn't fit, error out. */
125 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
126 TEST_info("Server log too full");
127 error_writing_log = 1;
128 return;
129 }
130
131 strcat(server_log_buffer, line);
132 server_log_buffer_index += line_length;
133 server_log_buffer[server_log_buffer_index++] = '\n';
134 }
135
136 static int compare_hex_encoded_buffer(const char *hex_encoded,
137 size_t hex_length,
138 const uint8_t *raw,
139 size_t raw_length)
140 {
141 size_t i, j;
142 char hexed[3];
143
144 if (!TEST_size_t_eq(raw_length * 2, hex_length))
145 return 1;
146
147 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
148 sprintf(hexed, "%02x", raw[i]);
149 if (!TEST_int_eq(hexed[0], hex_encoded[j])
150 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
151 return 1;
152 }
153
154 return 0;
155 }
156
157 static int test_keylog_output(char *buffer, const SSL *ssl,
158 const SSL_SESSION *session,
159 struct sslapitest_log_counts *expected)
160 {
161 char *token = NULL;
162 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
163 size_t client_random_size = SSL3_RANDOM_SIZE;
164 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
165 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
166 unsigned int rsa_key_exchange_count = 0;
167 unsigned int master_secret_count = 0;
168 unsigned int client_early_secret_count = 0;
169 unsigned int client_handshake_secret_count = 0;
170 unsigned int server_handshake_secret_count = 0;
171 unsigned int client_application_secret_count = 0;
172 unsigned int server_application_secret_count = 0;
173 unsigned int early_exporter_secret_count = 0;
174 unsigned int exporter_secret_count = 0;
175
176 for (token = strtok(buffer, " \n"); token != NULL;
177 token = strtok(NULL, " \n")) {
178 if (strcmp(token, "RSA") == 0) {
179 /*
180 * Premaster secret. Tokens should be: 16 ASCII bytes of
181 * hex-encoded encrypted secret, then the hex-encoded pre-master
182 * secret.
183 */
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 return 0;
186 if (!TEST_size_t_eq(strlen(token), 16))
187 return 0;
188 if (!TEST_ptr(token = strtok(NULL, " \n")))
189 return 0;
190 /*
191 * We can't sensibly check the log because the premaster secret is
192 * transient, and OpenSSL doesn't keep hold of it once the master
193 * secret is generated.
194 */
195 rsa_key_exchange_count++;
196 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
197 /*
198 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, then the hex-encoded master secret.
200 */
201 client_random_size = SSL_get_client_random(ssl,
202 actual_client_random,
203 SSL3_RANDOM_SIZE);
204 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
205 return 0;
206
207 if (!TEST_ptr(token = strtok(NULL, " \n")))
208 return 0;
209 if (!TEST_size_t_eq(strlen(token), 64))
210 return 0;
211 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
212 actual_client_random,
213 client_random_size)))
214 return 0;
215
216 if (!TEST_ptr(token = strtok(NULL, " \n")))
217 return 0;
218 master_key_size = SSL_SESSION_get_master_key(session,
219 actual_master_key,
220 master_key_size);
221 if (!TEST_size_t_ne(master_key_size, 0))
222 return 0;
223 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 actual_master_key,
225 master_key_size)))
226 return 0;
227 master_secret_count++;
228 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
229 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
231 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
233 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
234 || strcmp(token, "EXPORTER_SECRET") == 0) {
235 /*
236 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
237 * client random, and then the hex-encoded secret. In this case,
238 * we treat all of these secrets identically and then just
239 * distinguish between them when counting what we saw.
240 */
241 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
242 client_early_secret_count++;
243 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
244 client_handshake_secret_count++;
245 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
246 server_handshake_secret_count++;
247 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
248 client_application_secret_count++;
249 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
250 server_application_secret_count++;
251 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
252 early_exporter_secret_count++;
253 else if (strcmp(token, "EXPORTER_SECRET") == 0)
254 exporter_secret_count++;
255
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
258 SSL3_RANDOM_SIZE);
259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 if (!TEST_size_t_eq(strlen(token), 64))
265 return 0;
266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
269 return 0;
270
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 return 0;
273
274 /*
275 * TODO(TLS1.3): test that application traffic secrets are what
276 * we expect */
277 } else {
278 TEST_info("Unexpected token %s\n", token);
279 return 0;
280 }
281 }
282
283 /* Got what we expected? */
284 if (!TEST_size_t_eq(rsa_key_exchange_count,
285 expected->rsa_key_exchange_count)
286 || !TEST_size_t_eq(master_secret_count,
287 expected->master_secret_count)
288 || !TEST_size_t_eq(client_early_secret_count,
289 expected->client_early_secret_count)
290 || !TEST_size_t_eq(client_handshake_secret_count,
291 expected->client_handshake_secret_count)
292 || !TEST_size_t_eq(server_handshake_secret_count,
293 expected->server_handshake_secret_count)
294 || !TEST_size_t_eq(client_application_secret_count,
295 expected->client_application_secret_count)
296 || !TEST_size_t_eq(server_application_secret_count,
297 expected->server_application_secret_count)
298 || !TEST_size_t_eq(early_exporter_secret_count,
299 expected->early_exporter_secret_count)
300 || !TEST_size_t_eq(exporter_secret_count,
301 expected->exporter_secret_count))
302 return 0;
303 return 1;
304 }
305
306 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
307 static int test_keylog(void)
308 {
309 SSL_CTX *cctx = NULL, *sctx = NULL;
310 SSL *clientssl = NULL, *serverssl = NULL;
311 int testresult = 0;
312 struct sslapitest_log_counts expected;
313
314 /* Clean up logging space */
315 memset(&expected, 0, sizeof(expected));
316 memset(client_log_buffer, 0, sizeof(client_log_buffer));
317 memset(server_log_buffer, 0, sizeof(server_log_buffer));
318 client_log_buffer_index = 0;
319 server_log_buffer_index = 0;
320 error_writing_log = 0;
321
322 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
323 TLS_client_method(),
324 TLS1_VERSION, 0,
325 &sctx, &cctx, cert, privkey)))
326 return 0;
327
328 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
329 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
330 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
331
332 /* We also want to ensure that we use RSA-based key exchange. */
333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
334 goto end;
335
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
337 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
338 goto end;
339 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
341 == client_keylog_callback))
342 goto end;
343 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
344 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
345 == server_keylog_callback))
346 goto end;
347
348 /* Now do a handshake and check that the logs have been written to. */
349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
350 &clientssl, NULL, NULL))
351 || !TEST_true(create_ssl_connection(serverssl, clientssl,
352 SSL_ERROR_NONE))
353 || !TEST_false(error_writing_log)
354 || !TEST_int_gt(client_log_buffer_index, 0)
355 || !TEST_int_gt(server_log_buffer_index, 0))
356 goto end;
357
358 /*
359 * Now we want to test that our output data was vaguely sensible. We
360 * do that by using strtok and confirming that we have more or less the
361 * data we expect. For both client and server, we expect to see one master
362 * secret. The client should also see a RSA key exchange.
363 */
364 expected.rsa_key_exchange_count = 1;
365 expected.master_secret_count = 1;
366 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
367 SSL_get_session(clientssl), &expected)))
368 goto end;
369
370 expected.rsa_key_exchange_count = 0;
371 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
372 SSL_get_session(serverssl), &expected)))
373 goto end;
374
375 testresult = 1;
376
377 end:
378 SSL_free(serverssl);
379 SSL_free(clientssl);
380 SSL_CTX_free(sctx);
381 SSL_CTX_free(cctx);
382
383 return testresult;
384 }
385 #endif
386
387 #ifndef OPENSSL_NO_TLS1_3
388 static int test_keylog_no_master_key(void)
389 {
390 SSL_CTX *cctx = NULL, *sctx = NULL;
391 SSL *clientssl = NULL, *serverssl = NULL;
392 SSL_SESSION *sess = NULL;
393 int testresult = 0;
394 struct sslapitest_log_counts expected;
395 unsigned char buf[1];
396 size_t readbytes, written;
397
398 /* Clean up logging space */
399 memset(&expected, 0, sizeof(expected));
400 memset(client_log_buffer, 0, sizeof(client_log_buffer));
401 memset(server_log_buffer, 0, sizeof(server_log_buffer));
402 client_log_buffer_index = 0;
403 server_log_buffer_index = 0;
404 error_writing_log = 0;
405
406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
407 TLS1_VERSION, 0,
408 &sctx, &cctx, cert, privkey))
409 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
410 SSL3_RT_MAX_PLAIN_LENGTH)))
411 return 0;
412
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
414 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
415 goto end;
416
417 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
419 == client_keylog_callback))
420 goto end;
421
422 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
423 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
424 == server_keylog_callback))
425 goto end;
426
427 /* Now do a handshake and check that the logs have been written to. */
428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
429 &clientssl, NULL, NULL))
430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
431 SSL_ERROR_NONE))
432 || !TEST_false(error_writing_log))
433 goto end;
434
435 /*
436 * Now we want to test that our output data was vaguely sensible. For this
437 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
438 * TLSv1.3, but we do expect both client and server to emit keys.
439 */
440 expected.client_handshake_secret_count = 1;
441 expected.server_handshake_secret_count = 1;
442 expected.client_application_secret_count = 1;
443 expected.server_application_secret_count = 1;
444 expected.exporter_secret_count = 1;
445 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
446 SSL_get_session(clientssl), &expected))
447 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
448 SSL_get_session(serverssl),
449 &expected)))
450 goto end;
451
452 /* Terminate old session and resume with early data. */
453 sess = SSL_get1_session(clientssl);
454 SSL_shutdown(clientssl);
455 SSL_shutdown(serverssl);
456 SSL_free(serverssl);
457 SSL_free(clientssl);
458 serverssl = clientssl = NULL;
459
460 /* Reset key log */
461 memset(client_log_buffer, 0, sizeof(client_log_buffer));
462 memset(server_log_buffer, 0, sizeof(server_log_buffer));
463 client_log_buffer_index = 0;
464 server_log_buffer_index = 0;
465
466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_true(SSL_set_session(clientssl, sess))
469 /* Here writing 0 length early data is enough. */
470 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
472 &readbytes),
473 SSL_READ_EARLY_DATA_ERROR)
474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
475 SSL_EARLY_DATA_ACCEPTED)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 SSL_ERROR_NONE))
478 || !TEST_true(SSL_session_reused(clientssl)))
479 goto end;
480
481 /* In addition to the previous entries, expect early secrets. */
482 expected.client_early_secret_count = 1;
483 expected.early_exporter_secret_count = 1;
484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
488 &expected)))
489 goto end;
490
491 testresult = 1;
492
493 end:
494 SSL_SESSION_free(sess);
495 SSL_free(serverssl);
496 SSL_free(clientssl);
497 SSL_CTX_free(sctx);
498 SSL_CTX_free(cctx);
499
500 return testresult;
501 }
502 #endif
503
504 #ifndef OPENSSL_NO_TLS1_2
505 static int full_client_hello_callback(SSL *s, int *al, void *arg)
506 {
507 int *ctr = arg;
508 const unsigned char *p;
509 int *exts;
510 /* We only configure two ciphers, but the SCSV is added automatically. */
511 #ifdef OPENSSL_NO_EC
512 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
513 #else
514 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
515 0x2c, 0x00, 0xff};
516 #endif
517 const int expected_extensions[] = {
518 #ifndef OPENSSL_NO_EC
519 11, 10,
520 #endif
521 35, 22, 23, 13};
522 size_t len;
523
524 /* Make sure we can defer processing and get called back. */
525 if ((*ctr)++ == 0)
526 return SSL_CLIENT_HELLO_RETRY;
527
528 len = SSL_client_hello_get0_ciphers(s, &p);
529 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
530 || !TEST_size_t_eq(
531 SSL_client_hello_get0_compression_methods(s, &p), 1)
532 || !TEST_int_eq(*p, 0))
533 return SSL_CLIENT_HELLO_ERROR;
534 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
535 return SSL_CLIENT_HELLO_ERROR;
536 if (len != OSSL_NELEM(expected_extensions) ||
537 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
538 printf("ClientHello callback expected extensions mismatch\n");
539 OPENSSL_free(exts);
540 return SSL_CLIENT_HELLO_ERROR;
541 }
542 OPENSSL_free(exts);
543 return SSL_CLIENT_HELLO_SUCCESS;
544 }
545
546 static int test_client_hello_cb(void)
547 {
548 SSL_CTX *cctx = NULL, *sctx = NULL;
549 SSL *clientssl = NULL, *serverssl = NULL;
550 int testctr = 0, testresult = 0;
551
552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
553 TLS1_VERSION, 0,
554 &sctx, &cctx, cert, privkey)))
555 goto end;
556 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
557
558 /* The gimpy cipher list we configure can't do TLS 1.3. */
559 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
560
561 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
562 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
563 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
564 &clientssl, NULL, NULL))
565 || !TEST_false(create_ssl_connection(serverssl, clientssl,
566 SSL_ERROR_WANT_CLIENT_HELLO_CB))
567 /*
568 * Passing a -1 literal is a hack since
569 * the real value was lost.
570 * */
571 || !TEST_int_eq(SSL_get_error(serverssl, -1),
572 SSL_ERROR_WANT_CLIENT_HELLO_CB)
573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
574 SSL_ERROR_NONE)))
575 goto end;
576
577 testresult = 1;
578
579 end:
580 SSL_free(serverssl);
581 SSL_free(clientssl);
582 SSL_CTX_free(sctx);
583 SSL_CTX_free(cctx);
584
585 return testresult;
586 }
587
588 static int test_no_ems(void)
589 {
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testresult = 0;
593
594 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
595 TLS1_VERSION, TLS1_2_VERSION,
596 &sctx, &cctx, cert, privkey)) {
597 printf("Unable to create SSL_CTX pair\n");
598 goto end;
599 }
600
601 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
602
603 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
604 printf("Unable to create SSL objects\n");
605 goto end;
606 }
607
608 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
609 printf("Creating SSL connection failed\n");
610 goto end;
611 }
612
613 if (SSL_get_extms_support(serverssl)) {
614 printf("Server reports Extended Master Secret support\n");
615 goto end;
616 }
617
618 if (SSL_get_extms_support(clientssl)) {
619 printf("Client reports Extended Master Secret support\n");
620 goto end;
621 }
622 testresult = 1;
623
624 end:
625 SSL_free(serverssl);
626 SSL_free(clientssl);
627 SSL_CTX_free(sctx);
628 SSL_CTX_free(cctx);
629
630 return testresult;
631 }
632 #endif
633
634 static int execute_test_large_message(const SSL_METHOD *smeth,
635 const SSL_METHOD *cmeth,
636 int min_version, int max_version,
637 int read_ahead)
638 {
639 SSL_CTX *cctx = NULL, *sctx = NULL;
640 SSL *clientssl = NULL, *serverssl = NULL;
641 int testresult = 0;
642 int i;
643 BIO *certbio = NULL;
644 X509 *chaincert = NULL;
645 int certlen;
646
647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
648 goto end;
649 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
650 BIO_free(certbio);
651 certbio = NULL;
652 if (!TEST_ptr(chaincert))
653 goto end;
654
655 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
656 &sctx, &cctx, cert, privkey)))
657 goto end;
658
659 if (read_ahead) {
660 /*
661 * Test that read_ahead works correctly when dealing with large
662 * records
663 */
664 SSL_CTX_set_read_ahead(cctx, 1);
665 }
666
667 /*
668 * We assume the supplied certificate is big enough so that if we add
669 * NUM_EXTRA_CERTS it will make the overall message large enough. The
670 * default buffer size is requested to be 16k, but due to the way BUF_MEM
671 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
672 * test we need to have a message larger than that.
673 */
674 certlen = i2d_X509(chaincert, NULL);
675 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
676 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
677 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
678 if (!X509_up_ref(chaincert))
679 goto end;
680 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
681 X509_free(chaincert);
682 goto end;
683 }
684 }
685
686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
687 NULL, NULL))
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
689 SSL_ERROR_NONE)))
690 goto end;
691
692 /*
693 * Calling SSL_clear() first is not required but this tests that SSL_clear()
694 * doesn't leak (when using enable-crypto-mdebug).
695 */
696 if (!TEST_true(SSL_clear(serverssl)))
697 goto end;
698
699 testresult = 1;
700 end:
701 X509_free(chaincert);
702 SSL_free(serverssl);
703 SSL_free(clientssl);
704 SSL_CTX_free(sctx);
705 SSL_CTX_free(cctx);
706
707 return testresult;
708 }
709
710 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
711 && !defined(OPENSSL_NO_SOCK)
712
713 /* sock must be connected */
714 static int ktls_chk_platform(int sock)
715 {
716 if (!ktls_enable(sock))
717 return 0;
718 return 1;
719 }
720
721 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
722 {
723 static char count = 1;
724 unsigned char cbuf[16000] = {0};
725 unsigned char sbuf[16000];
726 size_t err = 0;
727 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
735
736 cbuf[0] = count++;
737 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
738 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
739 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
740 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
741 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
742 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
744 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
745
746 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
747 goto end;
748
749 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
750 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
751 goto end;
752 }
753 }
754
755 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
756 goto end;
757
758 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
759 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
760 goto end;
761 }
762 }
763
764 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
765 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
766 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
767 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
768 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
769 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
771 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
772
773 /* verify the payload */
774 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
775 goto end;
776
777 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
778 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
779 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
780 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
781 goto end;
782 } else {
783 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
784 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
785 goto end;
786 }
787
788 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
789 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
791 goto end;
792 } else {
793 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
794 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
795 goto end;
796 }
797
798 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
799 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
801 goto end;
802 } else {
803 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
805 goto end;
806 }
807
808 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
809 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
811 goto end;
812 } else {
813 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
815 goto end;
816 }
817
818 return 1;
819 end:
820 return 0;
821 }
822
823 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
824 int sis_ktls_tx, int sis_ktls_rx)
825 {
826 SSL_CTX *cctx = NULL, *sctx = NULL;
827 SSL *clientssl = NULL, *serverssl = NULL;
828 int testresult = 0;
829 int cfd, sfd;
830
831 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
832 goto end;
833
834 /* Skip this test if the platform does not support ktls */
835 if (!ktls_chk_platform(cfd))
836 return 1;
837
838 /* Create a session based on SHA-256 */
839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
840 TLS_client_method(),
841 TLS1_2_VERSION, TLS1_2_VERSION,
842 &sctx, &cctx, cert, privkey))
843 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
844 "AES128-GCM-SHA256"))
845 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
846 &clientssl, sfd, cfd)))
847 goto end;
848
849 if (!cis_ktls_tx) {
850 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
851 goto end;
852 }
853
854 if (!sis_ktls_tx) {
855 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
856 goto end;
857 }
858
859 if (!cis_ktls_rx) {
860 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
861 goto end;
862 }
863
864 if (!sis_ktls_rx) {
865 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
866 goto end;
867 }
868
869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
870 SSL_ERROR_NONE)))
871 goto end;
872
873 if (!cis_ktls_tx) {
874 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
875 goto end;
876 } else {
877 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
878 goto end;
879 }
880
881 if (!sis_ktls_tx) {
882 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
883 goto end;
884 } else {
885 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
886 goto end;
887 }
888
889 if (!cis_ktls_rx) {
890 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
891 goto end;
892 } else {
893 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
894 goto end;
895 }
896
897 if (!sis_ktls_rx) {
898 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
899 goto end;
900 } else {
901 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
902 goto end;
903 }
904
905 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
906 goto end;
907
908 testresult = 1;
909 end:
910 if (clientssl) {
911 SSL_shutdown(clientssl);
912 SSL_free(clientssl);
913 }
914 if (serverssl) {
915 SSL_shutdown(serverssl);
916 SSL_free(serverssl);
917 }
918 SSL_CTX_free(sctx);
919 SSL_CTX_free(cctx);
920 serverssl = clientssl = NULL;
921 return testresult;
922 }
923
924 #define SENDFILE_SZ (16 * 4096)
925 #define SENDFILE_CHUNK (4 * 4096)
926 #define min(a,b) ((a) > (b) ? (b) : (a))
927
928 static int test_ktls_sendfile(void)
929 {
930 SSL_CTX *cctx = NULL, *sctx = NULL;
931 SSL *clientssl = NULL, *serverssl = NULL;
932 unsigned char *buf, *buf_dst;
933 BIO *out = NULL, *in = NULL;
934 int cfd, sfd, ffd, err;
935 ssize_t chunk_size = 0;
936 off_t chunk_off = 0;
937 int testresult = 0;
938 FILE *ffdp;
939
940 buf = OPENSSL_zalloc(SENDFILE_SZ);
941 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
942 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
943 || !TEST_true(create_test_sockets(&cfd, &sfd)))
944 goto end;
945
946 /* Skip this test if the platform does not support ktls */
947 if (!ktls_chk_platform(sfd)) {
948 testresult = 1;
949 goto end;
950 }
951
952 /* Create a session based on SHA-256 */
953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
954 TLS_client_method(),
955 TLS1_2_VERSION, TLS1_2_VERSION,
956 &sctx, &cctx, cert, privkey))
957 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
958 "AES128-GCM-SHA256"))
959 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
960 &clientssl, sfd, cfd)))
961 goto end;
962
963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
964 SSL_ERROR_NONE))
965 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
966 goto end;
967
968 RAND_bytes(buf, SENDFILE_SZ);
969 out = BIO_new_file(tmpfilename, "wb");
970 if (!TEST_ptr(out))
971 goto end;
972
973 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
974 goto end;
975
976 BIO_free(out);
977 out = NULL;
978 in = BIO_new_file(tmpfilename, "rb");
979 BIO_get_fp(in, &ffdp);
980 ffd = fileno(ffdp);
981
982 while (chunk_off < SENDFILE_SZ) {
983 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
984 while ((err = SSL_sendfile(serverssl,
985 ffd,
986 chunk_off,
987 chunk_size,
988 0)) != chunk_size) {
989 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
990 goto end;
991 }
992 while ((err = SSL_read(clientssl,
993 buf_dst + chunk_off,
994 chunk_size)) != chunk_size) {
995 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
996 goto end;
997 }
998
999 /* verify the payload */
1000 if (!TEST_mem_eq(buf_dst + chunk_off,
1001 chunk_size,
1002 buf + chunk_off,
1003 chunk_size))
1004 goto end;
1005
1006 chunk_off += chunk_size;
1007 }
1008
1009 testresult = 1;
1010 end:
1011 if (clientssl) {
1012 SSL_shutdown(clientssl);
1013 SSL_free(clientssl);
1014 }
1015 if (serverssl) {
1016 SSL_shutdown(serverssl);
1017 SSL_free(serverssl);
1018 }
1019 SSL_CTX_free(sctx);
1020 SSL_CTX_free(cctx);
1021 serverssl = clientssl = NULL;
1022 BIO_free(out);
1023 BIO_free(in);
1024 OPENSSL_free(buf);
1025 OPENSSL_free(buf_dst);
1026 return testresult;
1027 }
1028
1029 static int test_ktls_no_txrx_client_no_txrx_server(void)
1030 {
1031 return execute_test_ktls(0, 0, 0, 0);
1032 }
1033
1034 static int test_ktls_no_rx_client_no_txrx_server(void)
1035 {
1036 return execute_test_ktls(1, 0, 0, 0);
1037 }
1038
1039 static int test_ktls_no_tx_client_no_txrx_server(void)
1040 {
1041 return execute_test_ktls(0, 1, 0, 0);
1042 }
1043
1044 static int test_ktls_client_no_txrx_server(void)
1045 {
1046 return execute_test_ktls(1, 1, 0, 0);
1047 }
1048
1049 static int test_ktls_no_txrx_client_no_rx_server(void)
1050 {
1051 return execute_test_ktls(0, 0, 1, 0);
1052 }
1053
1054 static int test_ktls_no_rx_client_no_rx_server(void)
1055 {
1056 return execute_test_ktls(1, 0, 1, 0);
1057 }
1058
1059 static int test_ktls_no_tx_client_no_rx_server(void)
1060 {
1061 return execute_test_ktls(0, 1, 1, 0);
1062 }
1063
1064 static int test_ktls_client_no_rx_server(void)
1065 {
1066 return execute_test_ktls(1, 1, 1, 0);
1067 }
1068
1069 static int test_ktls_no_txrx_client_no_tx_server(void)
1070 {
1071 return execute_test_ktls(0, 0, 0, 1);
1072 }
1073
1074 static int test_ktls_no_rx_client_no_tx_server(void)
1075 {
1076 return execute_test_ktls(1, 0, 0, 1);
1077 }
1078
1079 static int test_ktls_no_tx_client_no_tx_server(void)
1080 {
1081 return execute_test_ktls(0, 1, 0, 1);
1082 }
1083
1084 static int test_ktls_client_no_tx_server(void)
1085 {
1086 return execute_test_ktls(1, 1, 0, 1);
1087 }
1088
1089 static int test_ktls_no_txrx_client_server(void)
1090 {
1091 return execute_test_ktls(0, 0, 1, 1);
1092 }
1093
1094 static int test_ktls_no_rx_client_server(void)
1095 {
1096 return execute_test_ktls(1, 0, 1, 1);
1097 }
1098
1099 static int test_ktls_no_tx_client_server(void)
1100 {
1101 return execute_test_ktls(0, 1, 1, 1);
1102 }
1103
1104 static int test_ktls_client_server(void)
1105 {
1106 return execute_test_ktls(1, 1, 1, 1);
1107 }
1108 #endif
1109
1110 static int test_large_message_tls(void)
1111 {
1112 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1113 TLS1_VERSION, 0, 0);
1114 }
1115
1116 static int test_large_message_tls_read_ahead(void)
1117 {
1118 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1119 TLS1_VERSION, 0, 1);
1120 }
1121
1122 #ifndef OPENSSL_NO_DTLS
1123 static int test_large_message_dtls(void)
1124 {
1125 /*
1126 * read_ahead is not relevant to DTLS because DTLS always acts as if
1127 * read_ahead is set.
1128 */
1129 return execute_test_large_message(DTLS_server_method(),
1130 DTLS_client_method(),
1131 DTLS1_VERSION, 0, 0);
1132 }
1133 #endif
1134
1135 #ifndef OPENSSL_NO_OCSP
1136 static int ocsp_server_cb(SSL *s, void *arg)
1137 {
1138 int *argi = (int *)arg;
1139 unsigned char *copy = NULL;
1140 STACK_OF(OCSP_RESPID) *ids = NULL;
1141 OCSP_RESPID *id = NULL;
1142
1143 if (*argi == 2) {
1144 /* In this test we are expecting exactly 1 OCSP_RESPID */
1145 SSL_get_tlsext_status_ids(s, &ids);
1146 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1147 return SSL_TLSEXT_ERR_ALERT_FATAL;
1148
1149 id = sk_OCSP_RESPID_value(ids, 0);
1150 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1151 return SSL_TLSEXT_ERR_ALERT_FATAL;
1152 } else if (*argi != 1) {
1153 return SSL_TLSEXT_ERR_ALERT_FATAL;
1154 }
1155
1156 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1157 return SSL_TLSEXT_ERR_ALERT_FATAL;
1158
1159 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1160 ocsp_server_called = 1;
1161 return SSL_TLSEXT_ERR_OK;
1162 }
1163
1164 static int ocsp_client_cb(SSL *s, void *arg)
1165 {
1166 int *argi = (int *)arg;
1167 const unsigned char *respderin;
1168 size_t len;
1169
1170 if (*argi != 1 && *argi != 2)
1171 return 0;
1172
1173 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1174 if (!TEST_mem_eq(orespder, len, respderin, len))
1175 return 0;
1176
1177 ocsp_client_called = 1;
1178 return 1;
1179 }
1180
1181 static int test_tlsext_status_type(void)
1182 {
1183 SSL_CTX *cctx = NULL, *sctx = NULL;
1184 SSL *clientssl = NULL, *serverssl = NULL;
1185 int testresult = 0;
1186 STACK_OF(OCSP_RESPID) *ids = NULL;
1187 OCSP_RESPID *id = NULL;
1188 BIO *certbio = NULL;
1189
1190 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1191 TLS1_VERSION, 0,
1192 &sctx, &cctx, cert, privkey))
1193 return 0;
1194
1195 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1196 goto end;
1197
1198 /* First just do various checks getting and setting tlsext_status_type */
1199
1200 clientssl = SSL_new(cctx);
1201 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1202 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1203 TLSEXT_STATUSTYPE_ocsp))
1204 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1205 TLSEXT_STATUSTYPE_ocsp))
1206 goto end;
1207
1208 SSL_free(clientssl);
1209 clientssl = NULL;
1210
1211 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1212 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1213 goto end;
1214
1215 clientssl = SSL_new(cctx);
1216 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1217 goto end;
1218 SSL_free(clientssl);
1219 clientssl = NULL;
1220
1221 /*
1222 * Now actually do a handshake and check OCSP information is exchanged and
1223 * the callbacks get called
1224 */
1225 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1226 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1227 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1228 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1230 &clientssl, NULL, NULL))
1231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1232 SSL_ERROR_NONE))
1233 || !TEST_true(ocsp_client_called)
1234 || !TEST_true(ocsp_server_called))
1235 goto end;
1236 SSL_free(serverssl);
1237 SSL_free(clientssl);
1238 serverssl = NULL;
1239 clientssl = NULL;
1240
1241 /* Try again but this time force the server side callback to fail */
1242 ocsp_client_called = 0;
1243 ocsp_server_called = 0;
1244 cdummyarg = 0;
1245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1246 &clientssl, NULL, NULL))
1247 /* This should fail because the callback will fail */
1248 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1249 SSL_ERROR_NONE))
1250 || !TEST_false(ocsp_client_called)
1251 || !TEST_false(ocsp_server_called))
1252 goto end;
1253 SSL_free(serverssl);
1254 SSL_free(clientssl);
1255 serverssl = NULL;
1256 clientssl = NULL;
1257
1258 /*
1259 * This time we'll get the client to send an OCSP_RESPID that it will
1260 * accept.
1261 */
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1264 cdummyarg = 2;
1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL)))
1267 goto end;
1268
1269 /*
1270 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1271 * specific one. We'll use the server cert.
1272 */
1273 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1274 || !TEST_ptr(id = OCSP_RESPID_new())
1275 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1276 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1277 NULL, NULL, NULL))
1278 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1279 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1280 goto end;
1281 id = NULL;
1282 SSL_set_tlsext_status_ids(clientssl, ids);
1283 /* Control has been transferred */
1284 ids = NULL;
1285
1286 BIO_free(certbio);
1287 certbio = NULL;
1288
1289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1290 SSL_ERROR_NONE))
1291 || !TEST_true(ocsp_client_called)
1292 || !TEST_true(ocsp_server_called))
1293 goto end;
1294
1295 testresult = 1;
1296
1297 end:
1298 SSL_free(serverssl);
1299 SSL_free(clientssl);
1300 SSL_CTX_free(sctx);
1301 SSL_CTX_free(cctx);
1302 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1303 OCSP_RESPID_free(id);
1304 BIO_free(certbio);
1305 X509_free(ocspcert);
1306 ocspcert = NULL;
1307
1308 return testresult;
1309 }
1310 #endif
1311
1312 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1313 static int new_called, remove_called, get_called;
1314
1315 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1316 {
1317 new_called++;
1318 /*
1319 * sess has been up-refed for us, but we don't actually need it so free it
1320 * immediately.
1321 */
1322 SSL_SESSION_free(sess);
1323 return 1;
1324 }
1325
1326 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1327 {
1328 remove_called++;
1329 }
1330
1331 static SSL_SESSION *get_sess_val = NULL;
1332
1333 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1334 int *copy)
1335 {
1336 get_called++;
1337 *copy = 1;
1338 return get_sess_val;
1339 }
1340
1341 static int execute_test_session(int maxprot, int use_int_cache,
1342 int use_ext_cache)
1343 {
1344 SSL_CTX *sctx = NULL, *cctx = NULL;
1345 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1346 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1347 # ifndef OPENSSL_NO_TLS1_1
1348 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1349 # endif
1350 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1351 int testresult = 0, numnewsesstick = 1;
1352
1353 new_called = remove_called = 0;
1354
1355 /* TLSv1.3 sends 2 NewSessionTickets */
1356 if (maxprot == TLS1_3_VERSION)
1357 numnewsesstick = 2;
1358
1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1360 TLS1_VERSION, 0,
1361 &sctx, &cctx, cert, privkey)))
1362 return 0;
1363
1364 /*
1365 * Only allow the max protocol version so we can force a connection failure
1366 * later
1367 */
1368 SSL_CTX_set_min_proto_version(cctx, maxprot);
1369 SSL_CTX_set_max_proto_version(cctx, maxprot);
1370
1371 /* Set up session cache */
1372 if (use_ext_cache) {
1373 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1374 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1375 }
1376 if (use_int_cache) {
1377 /* Also covers instance where both are set */
1378 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1379 } else {
1380 SSL_CTX_set_session_cache_mode(cctx,
1381 SSL_SESS_CACHE_CLIENT
1382 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1383 }
1384
1385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1386 NULL, NULL))
1387 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1388 SSL_ERROR_NONE))
1389 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1390 goto end;
1391
1392 /* Should fail because it should already be in the cache */
1393 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1394 goto end;
1395 if (use_ext_cache
1396 && (!TEST_int_eq(new_called, numnewsesstick)
1397
1398 || !TEST_int_eq(remove_called, 0)))
1399 goto end;
1400
1401 new_called = remove_called = 0;
1402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1403 &clientssl2, NULL, NULL))
1404 || !TEST_true(SSL_set_session(clientssl2, sess1))
1405 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1406 SSL_ERROR_NONE))
1407 || !TEST_true(SSL_session_reused(clientssl2)))
1408 goto end;
1409
1410 if (maxprot == TLS1_3_VERSION) {
1411 /*
1412 * In TLSv1.3 we should have created a new session even though we have
1413 * resumed. Since we attempted a resume we should also have removed the
1414 * old ticket from the cache so that we try to only use tickets once.
1415 */
1416 if (use_ext_cache
1417 && (!TEST_int_eq(new_called, 1)
1418 || !TEST_int_eq(remove_called, 1)))
1419 goto end;
1420 } else {
1421 /*
1422 * In TLSv1.2 we expect to have resumed so no sessions added or
1423 * removed.
1424 */
1425 if (use_ext_cache
1426 && (!TEST_int_eq(new_called, 0)
1427 || !TEST_int_eq(remove_called, 0)))
1428 goto end;
1429 }
1430
1431 SSL_SESSION_free(sess1);
1432 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1433 goto end;
1434 shutdown_ssl_connection(serverssl2, clientssl2);
1435 serverssl2 = clientssl2 = NULL;
1436
1437 new_called = remove_called = 0;
1438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1439 &clientssl2, NULL, NULL))
1440 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1441 SSL_ERROR_NONE)))
1442 goto end;
1443
1444 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1445 goto end;
1446
1447 if (use_ext_cache
1448 && (!TEST_int_eq(new_called, numnewsesstick)
1449 || !TEST_int_eq(remove_called, 0)))
1450 goto end;
1451
1452 new_called = remove_called = 0;
1453 /*
1454 * This should clear sess2 from the cache because it is a "bad" session.
1455 * See SSL_set_session() documentation.
1456 */
1457 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1458 goto end;
1459 if (use_ext_cache
1460 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1461 goto end;
1462 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1463 goto end;
1464
1465 if (use_int_cache) {
1466 /* Should succeeded because it should not already be in the cache */
1467 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1468 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1469 goto end;
1470 }
1471
1472 new_called = remove_called = 0;
1473 /* This shouldn't be in the cache so should fail */
1474 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1475 goto end;
1476
1477 if (use_ext_cache
1478 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1479 goto end;
1480
1481 # if !defined(OPENSSL_NO_TLS1_1)
1482 new_called = remove_called = 0;
1483 /* Force a connection failure */
1484 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1486 &clientssl3, NULL, NULL))
1487 || !TEST_true(SSL_set_session(clientssl3, sess1))
1488 /* This should fail because of the mismatched protocol versions */
1489 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1490 SSL_ERROR_NONE)))
1491 goto end;
1492
1493 /* We should have automatically removed the session from the cache */
1494 if (use_ext_cache
1495 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1496 goto end;
1497
1498 /* Should succeed because it should not already be in the cache */
1499 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1500 goto end;
1501 # endif
1502
1503 /* Now do some tests for server side caching */
1504 if (use_ext_cache) {
1505 SSL_CTX_sess_set_new_cb(cctx, NULL);
1506 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1507 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1508 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1509 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1510 get_sess_val = NULL;
1511 }
1512
1513 SSL_CTX_set_session_cache_mode(cctx, 0);
1514 /* Internal caching is the default on the server side */
1515 if (!use_int_cache)
1516 SSL_CTX_set_session_cache_mode(sctx,
1517 SSL_SESS_CACHE_SERVER
1518 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1519
1520 SSL_free(serverssl1);
1521 SSL_free(clientssl1);
1522 serverssl1 = clientssl1 = NULL;
1523 SSL_free(serverssl2);
1524 SSL_free(clientssl2);
1525 serverssl2 = clientssl2 = NULL;
1526 SSL_SESSION_free(sess1);
1527 sess1 = NULL;
1528 SSL_SESSION_free(sess2);
1529 sess2 = NULL;
1530
1531 SSL_CTX_set_max_proto_version(sctx, maxprot);
1532 if (maxprot == TLS1_2_VERSION)
1533 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1534 new_called = remove_called = get_called = 0;
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1536 NULL, NULL))
1537 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1538 SSL_ERROR_NONE))
1539 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1540 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1541 goto end;
1542
1543 if (use_int_cache) {
1544 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1545 /*
1546 * In TLSv1.3 it should not have been added to the internal cache,
1547 * except in the case where we also have an external cache (in that
1548 * case it gets added to the cache in order to generate remove
1549 * events after timeout).
1550 */
1551 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1552 goto end;
1553 } else {
1554 /* Should fail because it should already be in the cache */
1555 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1556 goto end;
1557 }
1558 }
1559
1560 if (use_ext_cache) {
1561 SSL_SESSION *tmp = sess2;
1562
1563 if (!TEST_int_eq(new_called, numnewsesstick)
1564 || !TEST_int_eq(remove_called, 0)
1565 || !TEST_int_eq(get_called, 0))
1566 goto end;
1567 /*
1568 * Delete the session from the internal cache to force a lookup from
1569 * the external cache. We take a copy first because
1570 * SSL_CTX_remove_session() also marks the session as non-resumable.
1571 */
1572 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1573 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1574 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1575 goto end;
1576 SSL_SESSION_free(sess2);
1577 }
1578 sess2 = tmp;
1579 }
1580
1581 new_called = remove_called = get_called = 0;
1582 get_sess_val = sess2;
1583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1584 &clientssl2, NULL, NULL))
1585 || !TEST_true(SSL_set_session(clientssl2, sess1))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1587 SSL_ERROR_NONE))
1588 || !TEST_true(SSL_session_reused(clientssl2)))
1589 goto end;
1590
1591 if (use_ext_cache) {
1592 if (!TEST_int_eq(remove_called, 0))
1593 goto end;
1594
1595 if (maxprot == TLS1_3_VERSION) {
1596 if (!TEST_int_eq(new_called, 1)
1597 || !TEST_int_eq(get_called, 0))
1598 goto end;
1599 } else {
1600 if (!TEST_int_eq(new_called, 0)
1601 || !TEST_int_eq(get_called, 1))
1602 goto end;
1603 }
1604 }
1605
1606 testresult = 1;
1607
1608 end:
1609 SSL_free(serverssl1);
1610 SSL_free(clientssl1);
1611 SSL_free(serverssl2);
1612 SSL_free(clientssl2);
1613 # ifndef OPENSSL_NO_TLS1_1
1614 SSL_free(serverssl3);
1615 SSL_free(clientssl3);
1616 # endif
1617 SSL_SESSION_free(sess1);
1618 SSL_SESSION_free(sess2);
1619 SSL_CTX_free(sctx);
1620 SSL_CTX_free(cctx);
1621
1622 return testresult;
1623 }
1624 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1625
1626 static int test_session_with_only_int_cache(void)
1627 {
1628 #ifndef OPENSSL_NO_TLS1_3
1629 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1630 return 0;
1631 #endif
1632
1633 #ifndef OPENSSL_NO_TLS1_2
1634 return execute_test_session(TLS1_2_VERSION, 1, 0);
1635 #else
1636 return 1;
1637 #endif
1638 }
1639
1640 static int test_session_with_only_ext_cache(void)
1641 {
1642 #ifndef OPENSSL_NO_TLS1_3
1643 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1644 return 0;
1645 #endif
1646
1647 #ifndef OPENSSL_NO_TLS1_2
1648 return execute_test_session(TLS1_2_VERSION, 0, 1);
1649 #else
1650 return 1;
1651 #endif
1652 }
1653
1654 static int test_session_with_both_cache(void)
1655 {
1656 #ifndef OPENSSL_NO_TLS1_3
1657 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1658 return 0;
1659 #endif
1660
1661 #ifndef OPENSSL_NO_TLS1_2
1662 return execute_test_session(TLS1_2_VERSION, 1, 1);
1663 #else
1664 return 1;
1665 #endif
1666 }
1667
1668 #ifndef OPENSSL_NO_TLS1_3
1669 static SSL_SESSION *sesscache[6];
1670 static int do_cache;
1671
1672 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1673 {
1674 if (do_cache) {
1675 sesscache[new_called] = sess;
1676 } else {
1677 /* We don't need the reference to the session, so free it */
1678 SSL_SESSION_free(sess);
1679 }
1680 new_called++;
1681
1682 return 1;
1683 }
1684
1685 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1686 {
1687 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1688 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1689 return 0;
1690
1691 /* Start handshake on the server and client */
1692 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1693 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1694 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1695 || !TEST_true(create_ssl_connection(sssl, cssl,
1696 SSL_ERROR_NONE)))
1697 return 0;
1698
1699 return 1;
1700 }
1701
1702 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1703 SSL_CTX **cctx)
1704 {
1705 int sess_id_ctx = 1;
1706
1707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1708 TLS1_VERSION, 0, sctx,
1709 cctx, cert, privkey))
1710 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1711 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1712 (void *)&sess_id_ctx,
1713 sizeof(sess_id_ctx))))
1714 return 0;
1715
1716 if (stateful)
1717 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1718
1719 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1720 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1721 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1722
1723 return 1;
1724 }
1725
1726 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1727 {
1728 SSL *serverssl = NULL, *clientssl = NULL;
1729 int i;
1730
1731 /* Test that we can resume with all the tickets we got given */
1732 for (i = 0; i < idx * 2; i++) {
1733 new_called = 0;
1734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1735 &clientssl, NULL, NULL))
1736 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1737 goto end;
1738
1739 SSL_set_post_handshake_auth(clientssl, 1);
1740
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1742 SSL_ERROR_NONE)))
1743 goto end;
1744
1745 /*
1746 * Following a successful resumption we only get 1 ticket. After a
1747 * failed one we should get idx tickets.
1748 */
1749 if (succ) {
1750 if (!TEST_true(SSL_session_reused(clientssl))
1751 || !TEST_int_eq(new_called, 1))
1752 goto end;
1753 } else {
1754 if (!TEST_false(SSL_session_reused(clientssl))
1755 || !TEST_int_eq(new_called, idx))
1756 goto end;
1757 }
1758
1759 new_called = 0;
1760 /* After a post-handshake authentication we should get 1 new ticket */
1761 if (succ
1762 && (!post_handshake_verify(serverssl, clientssl)
1763 || !TEST_int_eq(new_called, 1)))
1764 goto end;
1765
1766 SSL_shutdown(clientssl);
1767 SSL_shutdown(serverssl);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = clientssl = NULL;
1771 SSL_SESSION_free(sesscache[i]);
1772 sesscache[i] = NULL;
1773 }
1774
1775 return 1;
1776
1777 end:
1778 SSL_free(clientssl);
1779 SSL_free(serverssl);
1780 return 0;
1781 }
1782
1783 static int test_tickets(int stateful, int idx)
1784 {
1785 SSL_CTX *sctx = NULL, *cctx = NULL;
1786 SSL *serverssl = NULL, *clientssl = NULL;
1787 int testresult = 0;
1788 size_t j;
1789
1790 /* idx is the test number, but also the number of tickets we want */
1791
1792 new_called = 0;
1793 do_cache = 1;
1794
1795 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1796 goto end;
1797
1798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1799 &clientssl, NULL, NULL)))
1800 goto end;
1801
1802 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1803 SSL_ERROR_NONE))
1804 /* Check we got the number of tickets we were expecting */
1805 || !TEST_int_eq(idx, new_called))
1806 goto end;
1807
1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1812 SSL_CTX_free(sctx);
1813 SSL_CTX_free(cctx);
1814 clientssl = serverssl = NULL;
1815 sctx = cctx = NULL;
1816
1817 /*
1818 * Now we try to resume with the tickets we previously created. The
1819 * resumption attempt is expected to fail (because we're now using a new
1820 * SSL_CTX). We should see idx number of tickets issued again.
1821 */
1822
1823 /* Stop caching sessions - just count them */
1824 do_cache = 0;
1825
1826 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1827 goto end;
1828
1829 if (!check_resumption(idx, sctx, cctx, 0))
1830 goto end;
1831
1832 /* Start again with caching sessions */
1833 new_called = 0;
1834 do_cache = 1;
1835 SSL_CTX_free(sctx);
1836 SSL_CTX_free(cctx);
1837 sctx = cctx = NULL;
1838
1839 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1840 goto end;
1841
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1844 goto end;
1845
1846 SSL_set_post_handshake_auth(clientssl, 1);
1847
1848 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1849 SSL_ERROR_NONE))
1850 /* Check we got the number of tickets we were expecting */
1851 || !TEST_int_eq(idx, new_called))
1852 goto end;
1853
1854 /* After a post-handshake authentication we should get new tickets issued */
1855 if (!post_handshake_verify(serverssl, clientssl)
1856 || !TEST_int_eq(idx * 2, new_called))
1857 goto end;
1858
1859 SSL_shutdown(clientssl);
1860 SSL_shutdown(serverssl);
1861 SSL_free(serverssl);
1862 SSL_free(clientssl);
1863 serverssl = clientssl = NULL;
1864
1865 /* Stop caching sessions - just count them */
1866 do_cache = 0;
1867
1868 /*
1869 * Check we can resume with all the tickets we created. This time around the
1870 * resumptions should all be successful.
1871 */
1872 if (!check_resumption(idx, sctx, cctx, 1))
1873 goto end;
1874
1875 testresult = 1;
1876
1877 end:
1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
1880 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1881 SSL_SESSION_free(sesscache[j]);
1882 sesscache[j] = NULL;
1883 }
1884 SSL_CTX_free(sctx);
1885 SSL_CTX_free(cctx);
1886
1887 return testresult;
1888 }
1889
1890 static int test_stateless_tickets(int idx)
1891 {
1892 return test_tickets(0, idx);
1893 }
1894
1895 static int test_stateful_tickets(int idx)
1896 {
1897 return test_tickets(1, idx);
1898 }
1899
1900 static int test_psk_tickets(void)
1901 {
1902 SSL_CTX *sctx = NULL, *cctx = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1904 int testresult = 0;
1905 int sess_id_ctx = 1;
1906
1907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1908 TLS1_VERSION, 0, &sctx,
1909 &cctx, NULL, NULL))
1910 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1911 (void *)&sess_id_ctx,
1912 sizeof(sess_id_ctx))))
1913 goto end;
1914
1915 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1917 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1918 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1919 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1920 use_session_cb_cnt = 0;
1921 find_session_cb_cnt = 0;
1922 srvid = pskid;
1923 new_called = 0;
1924
1925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1926 NULL, NULL)))
1927 goto end;
1928 clientpsk = serverpsk = create_a_psk(clientssl);
1929 if (!TEST_ptr(clientpsk))
1930 goto end;
1931 SSL_SESSION_up_ref(clientpsk);
1932
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1934 SSL_ERROR_NONE))
1935 || !TEST_int_eq(1, find_session_cb_cnt)
1936 || !TEST_int_eq(1, use_session_cb_cnt)
1937 /* We should always get 1 ticket when using external PSK */
1938 || !TEST_int_eq(1, new_called))
1939 goto end;
1940
1941 testresult = 1;
1942
1943 end:
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1946 SSL_CTX_free(sctx);
1947 SSL_CTX_free(cctx);
1948 SSL_SESSION_free(clientpsk);
1949 SSL_SESSION_free(serverpsk);
1950 clientpsk = serverpsk = NULL;
1951
1952 return testresult;
1953 }
1954 #endif
1955
1956 #define USE_NULL 0
1957 #define USE_BIO_1 1
1958 #define USE_BIO_2 2
1959 #define USE_DEFAULT 3
1960
1961 #define CONNTYPE_CONNECTION_SUCCESS 0
1962 #define CONNTYPE_CONNECTION_FAIL 1
1963 #define CONNTYPE_NO_CONNECTION 2
1964
1965 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1966 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1967 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1968 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1969 #else
1970 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1971 #endif
1972
1973 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1975 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1976
1977 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1978 {
1979 switch (type) {
1980 case USE_NULL:
1981 *res = NULL;
1982 break;
1983 case USE_BIO_1:
1984 *res = bio1;
1985 break;
1986 case USE_BIO_2:
1987 *res = bio2;
1988 break;
1989 }
1990 }
1991
1992
1993 /*
1994 * Tests calls to SSL_set_bio() under various conditions.
1995 *
1996 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1997 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1998 * then do more tests where we create a successful connection first using our
1999 * standard connection setup functions, and then call SSL_set_bio() with
2000 * various combinations of valid BIOs or NULL. We then repeat these tests
2001 * following a failed connection. In this last case we are looking to check that
2002 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2003 */
2004 static int test_ssl_set_bio(int idx)
2005 {
2006 SSL_CTX *sctx = NULL, *cctx = NULL;
2007 BIO *bio1 = NULL;
2008 BIO *bio2 = NULL;
2009 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2010 SSL *serverssl = NULL, *clientssl = NULL;
2011 int initrbio, initwbio, newrbio, newwbio, conntype;
2012 int testresult = 0;
2013
2014 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2015 initrbio = idx % 3;
2016 idx /= 3;
2017 initwbio = idx % 3;
2018 idx /= 3;
2019 newrbio = idx % 3;
2020 idx /= 3;
2021 newwbio = idx % 3;
2022 conntype = CONNTYPE_NO_CONNECTION;
2023 } else {
2024 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2025 initrbio = initwbio = USE_DEFAULT;
2026 newrbio = idx % 2;
2027 idx /= 2;
2028 newwbio = idx % 2;
2029 idx /= 2;
2030 conntype = idx % 2;
2031 }
2032
2033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2034 TLS1_VERSION, 0,
2035 &sctx, &cctx, cert, privkey)))
2036 goto end;
2037
2038 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2039 /*
2040 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2041 * because we reduced the number of tests in the definition of
2042 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2043 * mismatched protocol versions we will force a connection failure.
2044 */
2045 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2046 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2047 }
2048
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2050 NULL, NULL)))
2051 goto end;
2052
2053 if (initrbio == USE_BIO_1
2054 || initwbio == USE_BIO_1
2055 || newrbio == USE_BIO_1
2056 || newwbio == USE_BIO_1) {
2057 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2058 goto end;
2059 }
2060
2061 if (initrbio == USE_BIO_2
2062 || initwbio == USE_BIO_2
2063 || newrbio == USE_BIO_2
2064 || newwbio == USE_BIO_2) {
2065 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2066 goto end;
2067 }
2068
2069 if (initrbio != USE_DEFAULT) {
2070 setupbio(&irbio, bio1, bio2, initrbio);
2071 setupbio(&iwbio, bio1, bio2, initwbio);
2072 SSL_set_bio(clientssl, irbio, iwbio);
2073
2074 /*
2075 * We want to maintain our own refs to these BIO, so do an up ref for
2076 * each BIO that will have ownership transferred in the SSL_set_bio()
2077 * call
2078 */
2079 if (irbio != NULL)
2080 BIO_up_ref(irbio);
2081 if (iwbio != NULL && iwbio != irbio)
2082 BIO_up_ref(iwbio);
2083 }
2084
2085 if (conntype != CONNTYPE_NO_CONNECTION
2086 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2087 SSL_ERROR_NONE)
2088 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2089 goto end;
2090
2091 setupbio(&nrbio, bio1, bio2, newrbio);
2092 setupbio(&nwbio, bio1, bio2, newwbio);
2093
2094 /*
2095 * We will (maybe) transfer ownership again so do more up refs.
2096 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2097 * already been set!
2098 */
2099 if (nrbio != NULL
2100 && nrbio != irbio
2101 && (nwbio != iwbio || nrbio != nwbio))
2102 BIO_up_ref(nrbio);
2103 if (nwbio != NULL
2104 && nwbio != nrbio
2105 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2106 BIO_up_ref(nwbio);
2107
2108 SSL_set_bio(clientssl, nrbio, nwbio);
2109
2110 testresult = 1;
2111
2112 end:
2113 BIO_free(bio1);
2114 BIO_free(bio2);
2115
2116 /*
2117 * This test is checking that the ref counting for SSL_set_bio is correct.
2118 * If we get here and we did too many frees then we will fail in the above
2119 * functions. If we haven't done enough then this will only be detected in
2120 * a crypto-mdebug build
2121 */
2122 SSL_free(serverssl);
2123 SSL_free(clientssl);
2124 SSL_CTX_free(sctx);
2125 SSL_CTX_free(cctx);
2126 return testresult;
2127 }
2128
2129 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2130
2131 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2132 {
2133 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2134 SSL_CTX *ctx;
2135 SSL *ssl = NULL;
2136 int testresult = 0;
2137
2138 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2139 || !TEST_ptr(ssl = SSL_new(ctx))
2140 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2141 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2142 goto end;
2143
2144 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2145
2146 /*
2147 * If anything goes wrong here then we could leak memory, so this will
2148 * be caught in a crypto-mdebug build
2149 */
2150 BIO_push(sslbio, membio1);
2151
2152 /* Verify changing the rbio/wbio directly does not cause leaks */
2153 if (change_bio != NO_BIO_CHANGE) {
2154 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2155 goto end;
2156 if (change_bio == CHANGE_RBIO)
2157 SSL_set0_rbio(ssl, membio2);
2158 else
2159 SSL_set0_wbio(ssl, membio2);
2160 }
2161 ssl = NULL;
2162
2163 if (pop_ssl)
2164 BIO_pop(sslbio);
2165 else
2166 BIO_pop(membio1);
2167
2168 testresult = 1;
2169 end:
2170 BIO_free(membio1);
2171 BIO_free(sslbio);
2172 SSL_free(ssl);
2173 SSL_CTX_free(ctx);
2174
2175 return testresult;
2176 }
2177
2178 static int test_ssl_bio_pop_next_bio(void)
2179 {
2180 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2181 }
2182
2183 static int test_ssl_bio_pop_ssl_bio(void)
2184 {
2185 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2186 }
2187
2188 static int test_ssl_bio_change_rbio(void)
2189 {
2190 return execute_test_ssl_bio(0, CHANGE_RBIO);
2191 }
2192
2193 static int test_ssl_bio_change_wbio(void)
2194 {
2195 return execute_test_ssl_bio(0, CHANGE_WBIO);
2196 }
2197
2198 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2199 typedef struct {
2200 /* The list of sig algs */
2201 const int *list;
2202 /* The length of the list */
2203 size_t listlen;
2204 /* A sigalgs list in string format */
2205 const char *liststr;
2206 /* Whether setting the list should succeed */
2207 int valid;
2208 /* Whether creating a connection with the list should succeed */
2209 int connsuccess;
2210 } sigalgs_list;
2211
2212 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2213 # ifndef OPENSSL_NO_EC
2214 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2215 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2216 # endif
2217 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2218 static const int invalidlist2[] = {NID_sha256, NID_undef};
2219 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2220 static const int invalidlist4[] = {NID_sha256};
2221 static const sigalgs_list testsigalgs[] = {
2222 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2223 # ifndef OPENSSL_NO_EC
2224 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2225 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2226 # endif
2227 {NULL, 0, "RSA+SHA256", 1, 1},
2228 # ifndef OPENSSL_NO_EC
2229 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2230 {NULL, 0, "ECDSA+SHA512", 1, 0},
2231 # endif
2232 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2233 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2234 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2235 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2236 {NULL, 0, "RSA", 0, 0},
2237 {NULL, 0, "SHA256", 0, 0},
2238 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2239 {NULL, 0, "Invalid", 0, 0}
2240 };
2241
2242 static int test_set_sigalgs(int idx)
2243 {
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2246 int testresult = 0;
2247 const sigalgs_list *curr;
2248 int testctx;
2249
2250 /* Should never happen */
2251 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2252 return 0;
2253
2254 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2255 curr = testctx ? &testsigalgs[idx]
2256 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2257
2258 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2259 TLS1_VERSION, 0,
2260 &sctx, &cctx, cert, privkey)))
2261 return 0;
2262
2263 /*
2264 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2265 * for TLSv1.2 for now until we add a new API.
2266 */
2267 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2268
2269 if (testctx) {
2270 int ret;
2271
2272 if (curr->list != NULL)
2273 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2274 else
2275 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2276
2277 if (!ret) {
2278 if (curr->valid)
2279 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2280 else
2281 testresult = 1;
2282 goto end;
2283 }
2284 if (!curr->valid) {
2285 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2286 goto end;
2287 }
2288 }
2289
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2291 &clientssl, NULL, NULL)))
2292 goto end;
2293
2294 if (!testctx) {
2295 int ret;
2296
2297 if (curr->list != NULL)
2298 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2299 else
2300 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2301 if (!ret) {
2302 if (curr->valid)
2303 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2304 else
2305 testresult = 1;
2306 goto end;
2307 }
2308 if (!curr->valid)
2309 goto end;
2310 }
2311
2312 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2313 SSL_ERROR_NONE),
2314 curr->connsuccess))
2315 goto end;
2316
2317 testresult = 1;
2318
2319 end:
2320 SSL_free(serverssl);
2321 SSL_free(clientssl);
2322 SSL_CTX_free(sctx);
2323 SSL_CTX_free(cctx);
2324
2325 return testresult;
2326 }
2327 #endif
2328
2329 #ifndef OPENSSL_NO_TLS1_3
2330 static int psk_client_cb_cnt = 0;
2331 static int psk_server_cb_cnt = 0;
2332
2333 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2334 size_t *idlen, SSL_SESSION **sess)
2335 {
2336 switch (++use_session_cb_cnt) {
2337 case 1:
2338 /* The first call should always have a NULL md */
2339 if (md != NULL)
2340 return 0;
2341 break;
2342
2343 case 2:
2344 /* The second call should always have an md */
2345 if (md == NULL)
2346 return 0;
2347 break;
2348
2349 default:
2350 /* We should only be called a maximum of twice */
2351 return 0;
2352 }
2353
2354 if (clientpsk != NULL)
2355 SSL_SESSION_up_ref(clientpsk);
2356
2357 *sess = clientpsk;
2358 *id = (const unsigned char *)pskid;
2359 *idlen = strlen(pskid);
2360
2361 return 1;
2362 }
2363
2364 #ifndef OPENSSL_NO_PSK
2365 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2366 unsigned int max_id_len,
2367 unsigned char *psk,
2368 unsigned int max_psk_len)
2369 {
2370 unsigned int psklen = 0;
2371
2372 psk_client_cb_cnt++;
2373
2374 if (strlen(pskid) + 1 > max_id_len)
2375 return 0;
2376
2377 /* We should only ever be called a maximum of twice per connection */
2378 if (psk_client_cb_cnt > 2)
2379 return 0;
2380
2381 if (clientpsk == NULL)
2382 return 0;
2383
2384 /* We'll reuse the PSK we set up for TLSv1.3 */
2385 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2386 return 0;
2387 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2388 strncpy(id, pskid, max_id_len);
2389
2390 return psklen;
2391 }
2392 #endif /* OPENSSL_NO_PSK */
2393
2394 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2395 size_t identity_len, SSL_SESSION **sess)
2396 {
2397 find_session_cb_cnt++;
2398
2399 /* We should only ever be called a maximum of twice per connection */
2400 if (find_session_cb_cnt > 2)
2401 return 0;
2402
2403 if (serverpsk == NULL)
2404 return 0;
2405
2406 /* Identity should match that set by the client */
2407 if (strlen(srvid) != identity_len
2408 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2409 /* No PSK found, continue but without a PSK */
2410 *sess = NULL;
2411 return 1;
2412 }
2413
2414 SSL_SESSION_up_ref(serverpsk);
2415 *sess = serverpsk;
2416
2417 return 1;
2418 }
2419
2420 #ifndef OPENSSL_NO_PSK
2421 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2422 unsigned char *psk, unsigned int max_psk_len)
2423 {
2424 unsigned int psklen = 0;
2425
2426 psk_server_cb_cnt++;
2427
2428 /* We should only ever be called a maximum of twice per connection */
2429 if (find_session_cb_cnt > 2)
2430 return 0;
2431
2432 if (serverpsk == NULL)
2433 return 0;
2434
2435 /* Identity should match that set by the client */
2436 if (strcmp(srvid, identity) != 0) {
2437 return 0;
2438 }
2439
2440 /* We'll reuse the PSK we set up for TLSv1.3 */
2441 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2442 return 0;
2443 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2444
2445 return psklen;
2446 }
2447 #endif /* OPENSSL_NO_PSK */
2448
2449 #define MSG1 "Hello"
2450 #define MSG2 "World."
2451 #define MSG3 "This"
2452 #define MSG4 "is"
2453 #define MSG5 "a"
2454 #define MSG6 "test"
2455 #define MSG7 "message."
2456
2457 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2458 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2459
2460
2461 static SSL_SESSION *create_a_psk(SSL *ssl)
2462 {
2463 const SSL_CIPHER *cipher = NULL;
2464 const unsigned char key[] = {
2465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2466 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2467 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2468 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2469 0x2c, 0x2d, 0x2e, 0x2f
2470 };
2471 SSL_SESSION *sess = NULL;
2472
2473 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2474 sess = SSL_SESSION_new();
2475 if (!TEST_ptr(sess)
2476 || !TEST_ptr(cipher)
2477 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2478 sizeof(key)))
2479 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2480 || !TEST_true(
2481 SSL_SESSION_set_protocol_version(sess,
2482 TLS1_3_VERSION))) {
2483 SSL_SESSION_free(sess);
2484 return NULL;
2485 }
2486 return sess;
2487 }
2488
2489 /*
2490 * Helper method to setup objects for early data test. Caller frees objects on
2491 * error.
2492 */
2493 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2494 SSL **serverssl, SSL_SESSION **sess, int idx)
2495 {
2496 if (*sctx == NULL
2497 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2498 TLS_client_method(),
2499 TLS1_VERSION, 0,
2500 sctx, cctx, cert, privkey)))
2501 return 0;
2502
2503 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2504 return 0;
2505
2506 if (idx == 1) {
2507 /* When idx == 1 we repeat the tests with read_ahead set */
2508 SSL_CTX_set_read_ahead(*cctx, 1);
2509 SSL_CTX_set_read_ahead(*sctx, 1);
2510 } else if (idx == 2) {
2511 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2512 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2513 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2514 use_session_cb_cnt = 0;
2515 find_session_cb_cnt = 0;
2516 srvid = pskid;
2517 }
2518
2519 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2520 NULL, NULL)))
2521 return 0;
2522
2523 /*
2524 * For one of the run throughs (doesn't matter which one), we'll try sending
2525 * some SNI data in the initial ClientHello. This will be ignored (because
2526 * there is no SNI cb set up by the server), so it should not impact
2527 * early_data.
2528 */
2529 if (idx == 1
2530 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2531 return 0;
2532
2533 if (idx == 2) {
2534 clientpsk = create_a_psk(*clientssl);
2535 if (!TEST_ptr(clientpsk)
2536 /*
2537 * We just choose an arbitrary value for max_early_data which
2538 * should be big enough for testing purposes.
2539 */
2540 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2541 0x100))
2542 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2543 SSL_SESSION_free(clientpsk);
2544 clientpsk = NULL;
2545 return 0;
2546 }
2547 serverpsk = clientpsk;
2548
2549 if (sess != NULL) {
2550 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
2554 return 0;
2555 }
2556 *sess = clientpsk;
2557 }
2558 return 1;
2559 }
2560
2561 if (sess == NULL)
2562 return 1;
2563
2564 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2565 SSL_ERROR_NONE)))
2566 return 0;
2567
2568 *sess = SSL_get1_session(*clientssl);
2569 SSL_shutdown(*clientssl);
2570 SSL_shutdown(*serverssl);
2571 SSL_free(*serverssl);
2572 SSL_free(*clientssl);
2573 *serverssl = *clientssl = NULL;
2574
2575 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2576 clientssl, NULL, NULL))
2577 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2578 return 0;
2579
2580 return 1;
2581 }
2582
2583 static int test_early_data_read_write(int idx)
2584 {
2585 SSL_CTX *cctx = NULL, *sctx = NULL;
2586 SSL *clientssl = NULL, *serverssl = NULL;
2587 int testresult = 0;
2588 SSL_SESSION *sess = NULL;
2589 unsigned char buf[20], data[1024];
2590 size_t readbytes, written, eoedlen, rawread, rawwritten;
2591 BIO *rbio;
2592
2593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2594 &serverssl, &sess, idx)))
2595 goto end;
2596
2597 /* Write and read some early data */
2598 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2599 &written))
2600 || !TEST_size_t_eq(written, strlen(MSG1))
2601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2602 sizeof(buf), &readbytes),
2603 SSL_READ_EARLY_DATA_SUCCESS)
2604 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_ACCEPTED))
2607 goto end;
2608
2609 /*
2610 * Server should be able to write data, and client should be able to
2611 * read it.
2612 */
2613 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2614 &written))
2615 || !TEST_size_t_eq(written, strlen(MSG2))
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2618 goto end;
2619
2620 /* Even after reading normal data, client should be able write early data */
2621 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2622 &written))
2623 || !TEST_size_t_eq(written, strlen(MSG3)))
2624 goto end;
2625
2626 /* Server should still be able read early data after writing data */
2627 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2628 &readbytes),
2629 SSL_READ_EARLY_DATA_SUCCESS)
2630 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2631 goto end;
2632
2633 /* Write more data from server and read it from client */
2634 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2635 &written))
2636 || !TEST_size_t_eq(written, strlen(MSG4))
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2638 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2639 goto end;
2640
2641 /*
2642 * If client writes normal data it should mean writing early data is no
2643 * longer possible.
2644 */
2645 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2646 || !TEST_size_t_eq(written, strlen(MSG5))
2647 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2648 SSL_EARLY_DATA_ACCEPTED))
2649 goto end;
2650
2651 /*
2652 * At this point the client has written EndOfEarlyData, ClientFinished and
2653 * normal (fully protected) data. We are going to cause a delay between the
2654 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2655 * in the read BIO, and then just put back the EndOfEarlyData message.
2656 */
2657 rbio = SSL_get_rbio(serverssl);
2658 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2659 || !TEST_size_t_lt(rawread, sizeof(data))
2660 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2661 goto end;
2662
2663 /* Record length is in the 4th and 5th bytes of the record header */
2664 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2665 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2666 || !TEST_size_t_eq(rawwritten, eoedlen))
2667 goto end;
2668
2669 /* Server should be told that there is no more early data */
2670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2671 &readbytes),
2672 SSL_READ_EARLY_DATA_FINISH)
2673 || !TEST_size_t_eq(readbytes, 0))
2674 goto end;
2675
2676 /*
2677 * Server has not finished init yet, so should still be able to write early
2678 * data.
2679 */
2680 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2681 &written))
2682 || !TEST_size_t_eq(written, strlen(MSG6)))
2683 goto end;
2684
2685 /* Push the ClientFinished and the normal data back into the server rbio */
2686 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2687 &rawwritten))
2688 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2689 goto end;
2690
2691 /* Server should be able to read normal data */
2692 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2693 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2694 goto end;
2695
2696 /* Client and server should not be able to write/read early data now */
2697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2698 &written)))
2699 goto end;
2700 ERR_clear_error();
2701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2702 &readbytes),
2703 SSL_READ_EARLY_DATA_ERROR))
2704 goto end;
2705 ERR_clear_error();
2706
2707 /* Client should be able to read the data sent by the server */
2708 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2710 goto end;
2711
2712 /*
2713 * Make sure we process the two NewSessionTickets. These arrive
2714 * post-handshake. We attempt reads which we do not expect to return any
2715 * data.
2716 */
2717 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2718 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2719 &readbytes)))
2720 goto end;
2721
2722 /* Server should be able to write normal data */
2723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG7))
2725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2727 goto end;
2728
2729 SSL_SESSION_free(sess);
2730 sess = SSL_get1_session(clientssl);
2731 use_session_cb_cnt = 0;
2732 find_session_cb_cnt = 0;
2733
2734 SSL_shutdown(clientssl);
2735 SSL_shutdown(serverssl);
2736 SSL_free(serverssl);
2737 SSL_free(clientssl);
2738 serverssl = clientssl = NULL;
2739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2740 &clientssl, NULL, NULL))
2741 || !TEST_true(SSL_set_session(clientssl, sess)))
2742 goto end;
2743
2744 /* Write and read some early data */
2745 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2746 &written))
2747 || !TEST_size_t_eq(written, strlen(MSG1))
2748 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2749 &readbytes),
2750 SSL_READ_EARLY_DATA_SUCCESS)
2751 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2752 goto end;
2753
2754 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2755 || !TEST_int_gt(SSL_accept(serverssl), 0))
2756 goto end;
2757
2758 /* Client and server should not be able to write/read early data now */
2759 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2760 &written)))
2761 goto end;
2762 ERR_clear_error();
2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2764 &readbytes),
2765 SSL_READ_EARLY_DATA_ERROR))
2766 goto end;
2767 ERR_clear_error();
2768
2769 /* Client and server should be able to write/read normal data */
2770 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2771 || !TEST_size_t_eq(written, strlen(MSG5))
2772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2773 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2774 goto end;
2775
2776 testresult = 1;
2777
2778 end:
2779 SSL_SESSION_free(sess);
2780 SSL_SESSION_free(clientpsk);
2781 SSL_SESSION_free(serverpsk);
2782 clientpsk = serverpsk = NULL;
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 SSL_CTX_free(sctx);
2786 SSL_CTX_free(cctx);
2787 return testresult;
2788 }
2789
2790 static int allow_ed_cb_called = 0;
2791
2792 static int allow_early_data_cb(SSL *s, void *arg)
2793 {
2794 int *usecb = (int *)arg;
2795
2796 allow_ed_cb_called++;
2797
2798 if (*usecb == 1)
2799 return 0;
2800
2801 return 1;
2802 }
2803
2804 /*
2805 * idx == 0: Standard early_data setup
2806 * idx == 1: early_data setup using read_ahead
2807 * usecb == 0: Don't use a custom early data callback
2808 * usecb == 1: Use a custom early data callback and reject the early data
2809 * usecb == 2: Use a custom early data callback and accept the early data
2810 * confopt == 0: Configure anti-replay directly
2811 * confopt == 1: Configure anti-replay using SSL_CONF
2812 */
2813 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2814 {
2815 SSL_CTX *cctx = NULL, *sctx = NULL;
2816 SSL *clientssl = NULL, *serverssl = NULL;
2817 int testresult = 0;
2818 SSL_SESSION *sess = NULL;
2819 size_t readbytes, written;
2820 unsigned char buf[20];
2821
2822 allow_ed_cb_called = 0;
2823
2824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2825 TLS1_VERSION, 0, &sctx,
2826 &cctx, cert, privkey)))
2827 return 0;
2828
2829 if (usecb > 0) {
2830 if (confopt == 0) {
2831 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2832 } else {
2833 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2834
2835 if (!TEST_ptr(confctx))
2836 goto end;
2837 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2838 | SSL_CONF_FLAG_SERVER);
2839 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2840 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2841 2)) {
2842 SSL_CONF_CTX_free(confctx);
2843 goto end;
2844 }
2845 SSL_CONF_CTX_free(confctx);
2846 }
2847 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2848 }
2849
2850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2851 &serverssl, &sess, idx)))
2852 goto end;
2853
2854 /*
2855 * The server is configured to accept early data. Create a connection to
2856 * "use up" the ticket
2857 */
2858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2859 || !TEST_true(SSL_session_reused(clientssl)))
2860 goto end;
2861
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 SSL_free(serverssl);
2865 SSL_free(clientssl);
2866 serverssl = clientssl = NULL;
2867
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2871 goto end;
2872
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2875 &written))
2876 || !TEST_size_t_eq(written, strlen(MSG1)))
2877 goto end;
2878
2879 if (usecb <= 1) {
2880 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2881 &readbytes),
2882 SSL_READ_EARLY_DATA_FINISH)
2883 /*
2884 * The ticket was reused, so the we should have rejected the
2885 * early data
2886 */
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_REJECTED))
2889 goto end;
2890 } else {
2891 /* In this case the callback decides to accept the early data */
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2893 &readbytes),
2894 SSL_READ_EARLY_DATA_SUCCESS)
2895 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2896 /*
2897 * Server will have sent its flight so client can now send
2898 * end of early data and complete its half of the handshake
2899 */
2900 || !TEST_int_gt(SSL_connect(clientssl), 0)
2901 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2902 &readbytes),
2903 SSL_READ_EARLY_DATA_FINISH)
2904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2905 SSL_EARLY_DATA_ACCEPTED))
2906 goto end;
2907 }
2908
2909 /* Complete the connection */
2910 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2911 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2912 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2913 goto end;
2914
2915 testresult = 1;
2916
2917 end:
2918 SSL_SESSION_free(sess);
2919 SSL_SESSION_free(clientpsk);
2920 SSL_SESSION_free(serverpsk);
2921 clientpsk = serverpsk = NULL;
2922 SSL_free(serverssl);
2923 SSL_free(clientssl);
2924 SSL_CTX_free(sctx);
2925 SSL_CTX_free(cctx);
2926 return testresult;
2927 }
2928
2929 static int test_early_data_replay(int idx)
2930 {
2931 int ret = 1, usecb, confopt;
2932
2933 for (usecb = 0; usecb < 3; usecb++) {
2934 for (confopt = 0; confopt < 2; confopt++)
2935 ret &= test_early_data_replay_int(idx, usecb, confopt);
2936 }
2937
2938 return ret;
2939 }
2940
2941 /*
2942 * Helper function to test that a server attempting to read early data can
2943 * handle a connection from a client where the early data should be skipped.
2944 * testtype: 0 == No HRR
2945 * testtype: 1 == HRR
2946 * testtype: 2 == HRR, invalid early_data sent after HRR
2947 * testtype: 3 == recv_max_early_data set to 0
2948 */
2949 static int early_data_skip_helper(int testtype, int idx)
2950 {
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 int testresult = 0;
2954 SSL_SESSION *sess = NULL;
2955 unsigned char buf[20];
2956 size_t readbytes, written;
2957
2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
2960 goto end;
2961
2962 if (testtype == 1 || testtype == 2) {
2963 /* Force an HRR to occur */
2964 #if defined(OPENSSL_NO_EC)
2965 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2966 goto end;
2967 #else
2968 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2969 goto end;
2970 #endif
2971 } else if (idx == 2) {
2972 /*
2973 * We force early_data rejection by ensuring the PSK identity is
2974 * unrecognised
2975 */
2976 srvid = "Dummy Identity";
2977 } else {
2978 /*
2979 * Deliberately corrupt the creation time. We take 20 seconds off the
2980 * time. It could be any value as long as it is not within tolerance.
2981 * This should mean the ticket is rejected.
2982 */
2983 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2984 goto end;
2985 }
2986
2987 if (testtype == 3
2988 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2989 goto end;
2990
2991 /* Write some early data */
2992 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2993 &written))
2994 || !TEST_size_t_eq(written, strlen(MSG1)))
2995 goto end;
2996
2997 /* Server should reject the early data */
2998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2999 &readbytes),
3000 SSL_READ_EARLY_DATA_FINISH)
3001 || !TEST_size_t_eq(readbytes, 0)
3002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3003 SSL_EARLY_DATA_REJECTED))
3004 goto end;
3005
3006 switch (testtype) {
3007 case 0:
3008 /* Nothing to do */
3009 break;
3010
3011 case 1:
3012 /*
3013 * Finish off the handshake. We perform the same writes and reads as
3014 * further down but we expect them to fail due to the incomplete
3015 * handshake.
3016 */
3017 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3018 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3019 &readbytes)))
3020 goto end;
3021 break;
3022
3023 case 2:
3024 {
3025 BIO *wbio = SSL_get_wbio(clientssl);
3026 /* A record that will appear as bad early_data */
3027 const unsigned char bad_early_data[] = {
3028 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3029 };
3030
3031 /*
3032 * We force the client to attempt a write. This will fail because
3033 * we're still in the handshake. It will cause the second
3034 * ClientHello to be sent.
3035 */
3036 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3037 &written)))
3038 goto end;
3039
3040 /*
3041 * Inject some early_data after the second ClientHello. This should
3042 * cause the server to fail
3043 */
3044 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3045 sizeof(bad_early_data), &written)))
3046 goto end;
3047 }
3048 /* fallthrough */
3049
3050 case 3:
3051 /*
3052 * This client has sent more early_data than we are willing to skip
3053 * (case 3) or sent invalid early_data (case 2) so the connection should
3054 * abort.
3055 */
3056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3058 goto end;
3059
3060 /* Connection has failed - nothing more to do */
3061 testresult = 1;
3062 goto end;
3063
3064 default:
3065 TEST_error("Invalid test type");
3066 goto end;
3067 }
3068
3069 /*
3070 * Should be able to send normal data despite rejection of early data. The
3071 * early_data should be skipped.
3072 */
3073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3074 || !TEST_size_t_eq(written, strlen(MSG2))
3075 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3076 SSL_EARLY_DATA_REJECTED)
3077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3079 goto end;
3080
3081 testresult = 1;
3082
3083 end:
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_SESSION_free(sess);
3088 SSL_free(serverssl);
3089 SSL_free(clientssl);
3090 SSL_CTX_free(sctx);
3091 SSL_CTX_free(cctx);
3092 return testresult;
3093 }
3094
3095 /*
3096 * Test that a server attempting to read early data can handle a connection
3097 * from a client where the early data is not acceptable.
3098 */
3099 static int test_early_data_skip(int idx)
3100 {
3101 return early_data_skip_helper(0, idx);
3102 }
3103
3104 /*
3105 * Test that a server attempting to read early data can handle a connection
3106 * from a client where an HRR occurs.
3107 */
3108 static int test_early_data_skip_hrr(int idx)
3109 {
3110 return early_data_skip_helper(1, idx);
3111 }
3112
3113 /*
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where an HRR occurs and correctly fails if early_data is sent
3116 * after the HRR
3117 */
3118 static int test_early_data_skip_hrr_fail(int idx)
3119 {
3120 return early_data_skip_helper(2, idx);
3121 }
3122
3123 /*
3124 * Test that a server attempting to read early data will abort if it tries to
3125 * skip over too much.
3126 */
3127 static int test_early_data_skip_abort(int idx)
3128 {
3129 return early_data_skip_helper(3, idx);
3130 }
3131
3132 /*
3133 * Test that a server attempting to read early data can handle a connection
3134 * from a client that doesn't send any.
3135 */
3136 static int test_early_data_not_sent(int idx)
3137 {
3138 SSL_CTX *cctx = NULL, *sctx = NULL;
3139 SSL *clientssl = NULL, *serverssl = NULL;
3140 int testresult = 0;
3141 SSL_SESSION *sess = NULL;
3142 unsigned char buf[20];
3143 size_t readbytes, written;
3144
3145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3146 &serverssl, &sess, idx)))
3147 goto end;
3148
3149 /* Write some data - should block due to handshake with server */
3150 SSL_set_connect_state(clientssl);
3151 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3152 goto end;
3153
3154 /* Server should detect that early data has not been sent */
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 &readbytes),
3157 SSL_READ_EARLY_DATA_FINISH)
3158 || !TEST_size_t_eq(readbytes, 0)
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3160 SSL_EARLY_DATA_NOT_SENT)
3161 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3162 SSL_EARLY_DATA_NOT_SENT))
3163 goto end;
3164
3165 /* Continue writing the message we started earlier */
3166 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3167 || !TEST_size_t_eq(written, strlen(MSG1))
3168 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3170 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3171 || !TEST_size_t_eq(written, strlen(MSG2)))
3172 goto end;
3173
3174 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3175 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3176 goto end;
3177
3178 testresult = 1;
3179
3180 end:
3181 SSL_SESSION_free(sess);
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3187 SSL_CTX_free(sctx);
3188 SSL_CTX_free(cctx);
3189 return testresult;
3190 }
3191
3192 static int hostname_cb(SSL *s, int *al, void *arg)
3193 {
3194 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3195
3196 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3197 return SSL_TLSEXT_ERR_OK;
3198
3199 return SSL_TLSEXT_ERR_NOACK;
3200 }
3201
3202 static const char *servalpn;
3203
3204 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3205 unsigned char *outlen, const unsigned char *in,
3206 unsigned int inlen, void *arg)
3207 {
3208 unsigned int protlen = 0;
3209 const unsigned char *prot;
3210
3211 for (prot = in; prot < in + inlen; prot += protlen) {
3212 protlen = *prot++;
3213 if (in + inlen < prot + protlen)
3214 return SSL_TLSEXT_ERR_NOACK;
3215
3216 if (protlen == strlen(servalpn)
3217 && memcmp(prot, servalpn, protlen) == 0) {
3218 *out = prot;
3219 *outlen = protlen;
3220 return SSL_TLSEXT_ERR_OK;
3221 }
3222 }
3223
3224 return SSL_TLSEXT_ERR_NOACK;
3225 }
3226
3227 /* Test that a PSK can be used to send early_data */
3228 static int test_early_data_psk(int idx)
3229 {
3230 SSL_CTX *cctx = NULL, *sctx = NULL;
3231 SSL *clientssl = NULL, *serverssl = NULL;
3232 int testresult = 0;
3233 SSL_SESSION *sess = NULL;
3234 unsigned char alpnlist[] = {
3235 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3236 'l', 'p', 'n'
3237 };
3238 #define GOODALPNLEN 9
3239 #define BADALPNLEN 8
3240 #define GOODALPN (alpnlist)
3241 #define BADALPN (alpnlist + GOODALPNLEN)
3242 int err = 0;
3243 unsigned char buf[20];
3244 size_t readbytes, written;
3245 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3246 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3247
3248 /* We always set this up with a final parameter of "2" for PSK */
3249 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3250 &serverssl, &sess, 2)))
3251 goto end;
3252
3253 servalpn = "goodalpn";
3254
3255 /*
3256 * Note: There is no test for inconsistent SNI with late client detection.
3257 * This is because servers do not acknowledge SNI even if they are using
3258 * it in a resumption handshake - so it is not actually possible for a
3259 * client to detect a problem.
3260 */
3261 switch (idx) {
3262 case 0:
3263 /* Set inconsistent SNI (early client detection) */
3264 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3265 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3266 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3267 goto end;
3268 break;
3269
3270 case 1:
3271 /* Set inconsistent ALPN (early client detection) */
3272 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3273 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3274 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3275 GOODALPNLEN))
3276 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3277 BADALPNLEN)))
3278 goto end;
3279 break;
3280
3281 case 2:
3282 /*
3283 * Set invalid protocol version. Technically this affects PSKs without
3284 * early_data too, but we test it here because it is similar to the
3285 * SNI/ALPN consistency tests.
3286 */
3287 err = SSL_R_BAD_PSK;
3288 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3289 goto end;
3290 break;
3291
3292 case 3:
3293 /*
3294 * Set inconsistent SNI (server detected). In this case the connection
3295 * will succeed but reject early_data.
3296 */
3297 SSL_SESSION_free(serverpsk);
3298 serverpsk = SSL_SESSION_dup(clientpsk);
3299 if (!TEST_ptr(serverpsk)
3300 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3301 goto end;
3302 edstatus = SSL_EARLY_DATA_REJECTED;
3303 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3304 /* Fall through */
3305 case 4:
3306 /* Set consistent SNI */
3307 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3308 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3309 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3310 hostname_cb)))
3311 goto end;
3312 break;
3313
3314 case 5:
3315 /*
3316 * Set inconsistent ALPN (server detected). In this case the connection
3317 * will succeed but reject early_data.
3318 */
3319 servalpn = "badalpn";
3320 edstatus = SSL_EARLY_DATA_REJECTED;
3321 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3322 /* Fall through */
3323 case 6:
3324 /*
3325 * Set consistent ALPN.
3326 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3327 * accepts a list of protos (each one length prefixed).
3328 * SSL_set1_alpn_selected accepts a single protocol (not length
3329 * prefixed)
3330 */
3331 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3332 GOODALPNLEN - 1))
3333 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3334 GOODALPNLEN)))
3335 goto end;
3336
3337 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3338 break;
3339
3340 case 7:
3341 /* Set inconsistent ALPN (late client detection) */
3342 SSL_SESSION_free(serverpsk);
3343 serverpsk = SSL_SESSION_dup(clientpsk);
3344 if (!TEST_ptr(serverpsk)
3345 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3346 BADALPN + 1,
3347 BADALPNLEN - 1))
3348 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3349 GOODALPN + 1,
3350 GOODALPNLEN - 1))
3351 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3352 sizeof(alpnlist))))
3353 goto end;
3354 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3355 edstatus = SSL_EARLY_DATA_ACCEPTED;
3356 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3357 /* SSL_connect() call should fail */
3358 connectres = -1;
3359 break;
3360
3361 default:
3362 TEST_error("Bad test index");
3363 goto end;
3364 }
3365
3366 SSL_set_connect_state(clientssl);
3367 if (err != 0) {
3368 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3369 &written))
3370 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3371 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3372 goto end;
3373 } else {
3374 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3375 &written)))
3376 goto end;
3377
3378 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3379 &readbytes), readearlyres)
3380 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3381 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3382 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3383 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3384 goto end;
3385 }
3386
3387 testresult = 1;
3388
3389 end:
3390 SSL_SESSION_free(sess);
3391 SSL_SESSION_free(clientpsk);
3392 SSL_SESSION_free(serverpsk);
3393 clientpsk = serverpsk = NULL;
3394 SSL_free(serverssl);
3395 SSL_free(clientssl);
3396 SSL_CTX_free(sctx);
3397 SSL_CTX_free(cctx);
3398 return testresult;
3399 }
3400
3401 /*
3402 * Test that a server that doesn't try to read early data can handle a
3403 * client sending some.
3404 */
3405 static int test_early_data_not_expected(int idx)
3406 {
3407 SSL_CTX *cctx = NULL, *sctx = NULL;
3408 SSL *clientssl = NULL, *serverssl = NULL;
3409 int testresult = 0;
3410 SSL_SESSION *sess = NULL;
3411 unsigned char buf[20];
3412 size_t readbytes, written;
3413
3414 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3415 &serverssl, &sess, idx)))
3416 goto end;
3417
3418 /* Write some early data */
3419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3420 &written)))
3421 goto end;
3422
3423 /*
3424 * Server should skip over early data and then block waiting for client to
3425 * continue handshake
3426 */
3427 if (!TEST_int_le(SSL_accept(serverssl), 0)
3428 || !TEST_int_gt(SSL_connect(clientssl), 0)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_REJECTED)
3431 || !TEST_int_gt(SSL_accept(serverssl), 0)
3432 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3433 SSL_EARLY_DATA_REJECTED))
3434 goto end;
3435
3436 /* Send some normal data from client to server */
3437 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3438 || !TEST_size_t_eq(written, strlen(MSG2)))
3439 goto end;
3440
3441 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3443 goto end;
3444
3445 testresult = 1;
3446
3447 end:
3448 SSL_SESSION_free(sess);
3449 SSL_SESSION_free(clientpsk);
3450 SSL_SESSION_free(serverpsk);
3451 clientpsk = serverpsk = NULL;
3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3454 SSL_CTX_free(sctx);
3455 SSL_CTX_free(cctx);
3456 return testresult;
3457 }
3458
3459
3460 # ifndef OPENSSL_NO_TLS1_2
3461 /*
3462 * Test that a server attempting to read early data can handle a connection
3463 * from a TLSv1.2 client.
3464 */
3465 static int test_early_data_tls1_2(int idx)
3466 {
3467 SSL_CTX *cctx = NULL, *sctx = NULL;
3468 SSL *clientssl = NULL, *serverssl = NULL;
3469 int testresult = 0;
3470 unsigned char buf[20];
3471 size_t readbytes, written;
3472
3473 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3474 &serverssl, NULL, idx)))
3475 goto end;
3476
3477 /* Write some data - should block due to handshake with server */
3478 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3479 SSL_set_connect_state(clientssl);
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3481 goto end;
3482
3483 /*
3484 * Server should do TLSv1.2 handshake. First it will block waiting for more
3485 * messages from client after ServerDone. Then SSL_read_early_data should
3486 * finish and detect that early data has not been sent
3487 */
3488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3489 &readbytes),
3490 SSL_READ_EARLY_DATA_ERROR))
3491 goto end;
3492
3493 /*
3494 * Continue writing the message we started earlier. Will still block waiting
3495 * for the CCS/Finished from server
3496 */
3497 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3498 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3499 &readbytes),
3500 SSL_READ_EARLY_DATA_FINISH)
3501 || !TEST_size_t_eq(readbytes, 0)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_NOT_SENT))
3504 goto end;
3505
3506 /* Continue writing the message we started earlier */
3507 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3510 SSL_EARLY_DATA_NOT_SENT)
3511 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3513 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3514 || !TEST_size_t_eq(written, strlen(MSG2))
3515 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3517 goto end;
3518
3519 testresult = 1;
3520
3521 end:
3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3527 SSL_CTX_free(sctx);
3528 SSL_CTX_free(cctx);
3529
3530 return testresult;
3531 }
3532 # endif /* OPENSSL_NO_TLS1_2 */
3533
3534 /*
3535 * Test configuring the TLSv1.3 ciphersuites
3536 *
3537 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3539 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3541 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3543 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3545 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3546 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3547 */
3548 static int test_set_ciphersuite(int idx)
3549 {
3550 SSL_CTX *cctx = NULL, *sctx = NULL;
3551 SSL *clientssl = NULL, *serverssl = NULL;
3552 int testresult = 0;
3553
3554 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3555 TLS1_VERSION, 0,
3556 &sctx, &cctx, cert, privkey))
3557 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3558 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3559 goto end;
3560
3561 if (idx >=4 && idx <= 7) {
3562 /* SSL_CTX explicit cipher list */
3563 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3564 goto end;
3565 }
3566
3567 if (idx == 0 || idx == 4) {
3568 /* Default ciphersuite */
3569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3570 "TLS_AES_128_GCM_SHA256")))
3571 goto end;
3572 } else if (idx == 1 || idx == 5) {
3573 /* Non default ciphersuite */
3574 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3575 "TLS_AES_128_CCM_SHA256")))
3576 goto end;
3577 }
3578
3579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3580 &clientssl, NULL, NULL)))
3581 goto end;
3582
3583 if (idx == 8 || idx == 9) {
3584 /* SSL explicit cipher list */
3585 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3586 goto end;
3587 }
3588
3589 if (idx == 2 || idx == 6 || idx == 8) {
3590 /* Default ciphersuite */
3591 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3592 "TLS_AES_128_GCM_SHA256")))
3593 goto end;
3594 } else if (idx == 3 || idx == 7 || idx == 9) {
3595 /* Non default ciphersuite */
3596 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3597 "TLS_AES_128_CCM_SHA256")))
3598 goto end;
3599 }
3600
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3602 goto end;
3603
3604 testresult = 1;
3605
3606 end:
3607 SSL_free(serverssl);
3608 SSL_free(clientssl);
3609 SSL_CTX_free(sctx);
3610 SSL_CTX_free(cctx);
3611
3612 return testresult;
3613 }
3614
3615 static int test_ciphersuite_change(void)
3616 {
3617 SSL_CTX *cctx = NULL, *sctx = NULL;
3618 SSL *clientssl = NULL, *serverssl = NULL;
3619 SSL_SESSION *clntsess = NULL;
3620 int testresult = 0;
3621 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3622
3623 /* Create a session based on SHA-256 */
3624 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3625 TLS1_VERSION, 0,
3626 &sctx, &cctx, cert, privkey))
3627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3628 "TLS_AES_128_GCM_SHA256"))
3629 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
3631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3632 SSL_ERROR_NONE)))
3633 goto end;
3634
3635 clntsess = SSL_get1_session(clientssl);
3636 /* Save for later */
3637 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3638 SSL_shutdown(clientssl);
3639 SSL_shutdown(serverssl);
3640 SSL_free(serverssl);
3641 SSL_free(clientssl);
3642 serverssl = clientssl = NULL;
3643
3644 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3645 /* Check we can resume a session with a different SHA-256 ciphersuite */
3646 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3647 "TLS_CHACHA20_POLY1305_SHA256"))
3648 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3649 NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, clntsess))
3651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3652 SSL_ERROR_NONE))
3653 || !TEST_true(SSL_session_reused(clientssl)))
3654 goto end;
3655
3656 SSL_SESSION_free(clntsess);
3657 clntsess = SSL_get1_session(clientssl);
3658 SSL_shutdown(clientssl);
3659 SSL_shutdown(serverssl);
3660 SSL_free(serverssl);
3661 SSL_free(clientssl);
3662 serverssl = clientssl = NULL;
3663 # endif
3664
3665 /*
3666 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3667 * succeeds but does not resume.
3668 */
3669 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3670 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3671 NULL, NULL))
3672 || !TEST_true(SSL_set_session(clientssl, clntsess))
3673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3674 SSL_ERROR_SSL))
3675 || !TEST_false(SSL_session_reused(clientssl)))
3676 goto end;
3677
3678 SSL_SESSION_free(clntsess);
3679 clntsess = NULL;
3680 SSL_shutdown(clientssl);
3681 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3684 serverssl = clientssl = NULL;
3685
3686 /* Create a session based on SHA384 */
3687 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3689 &clientssl, NULL, NULL))
3690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3691 SSL_ERROR_NONE)))
3692 goto end;
3693
3694 clntsess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3700
3701 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3702 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3703 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3704 "TLS_AES_256_GCM_SHA384"))
3705 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3706 NULL, NULL))
3707 || !TEST_true(SSL_set_session(clientssl, clntsess))
3708 /*
3709 * We use SSL_ERROR_WANT_READ below so that we can pause the
3710 * connection after the initial ClientHello has been sent to
3711 * enable us to make some session changes.
3712 */
3713 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3714 SSL_ERROR_WANT_READ)))
3715 goto end;
3716
3717 /* Trick the client into thinking this session is for a different digest */
3718 clntsess->cipher = aes_128_gcm_sha256;
3719 clntsess->cipher_id = clntsess->cipher->id;
3720
3721 /*
3722 * Continue the previously started connection. Server has selected a SHA-384
3723 * ciphersuite, but client thinks the session is for SHA-256, so it should
3724 * bail out.
3725 */
3726 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3727 SSL_ERROR_SSL))
3728 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3729 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3730 goto end;
3731
3732 testresult = 1;
3733
3734 end:
3735 SSL_SESSION_free(clntsess);
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3738 SSL_CTX_free(sctx);
3739 SSL_CTX_free(cctx);
3740
3741 return testresult;
3742 }
3743
3744 /*
3745 * Test TLSv1.3 Key exchange
3746 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3747 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3748 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3749 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3750 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3751 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3752 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3753 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3754 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3755 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3756 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3757 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3758 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3759 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3760 */
3761 static int test_key_exchange(int idx)
3762 {
3763 SSL_CTX *sctx = NULL, *cctx = NULL;
3764 SSL *serverssl = NULL, *clientssl = NULL;
3765 int testresult = 0;
3766 # ifndef OPENSSL_NO_EC
3767 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3768 NID_secp521r1, NID_X25519, NID_X448};
3769 # endif
3770 # ifndef OPENSSL_NO_DH
3771 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3772 NID_ffdhe6144, NID_ffdhe8192};
3773 # endif
3774 int kexch_alg;
3775 int *kexch_groups = &kexch_alg;
3776 int kexch_groups_size = 1;
3777 int max_version = TLS1_3_VERSION;
3778
3779 switch (idx) {
3780 # ifndef OPENSSL_NO_EC
3781 # ifndef OPENSSL_NO_TLS1_2
3782 case 12:
3783 max_version = TLS1_2_VERSION;
3784 # endif
3785 /* Fall through */
3786 case 0:
3787 kexch_groups = ecdhe_kexch_groups;
3788 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3789 break;
3790 case 1:
3791 kexch_alg = NID_X9_62_prime256v1;
3792 break;
3793 case 2:
3794 kexch_alg = NID_secp384r1;
3795 break;
3796 case 3:
3797 kexch_alg = NID_secp521r1;
3798 break;
3799 case 4:
3800 kexch_alg = NID_X25519;
3801 break;
3802 case 5:
3803 kexch_alg = NID_X448;
3804 break;
3805 # endif
3806 # ifndef OPENSSL_NO_DH
3807 # ifndef OPENSSL_NO_TLS1_2
3808 case 13:
3809 max_version = TLS1_2_VERSION;
3810 # endif
3811 /* Fall through */
3812 case 6:
3813 kexch_groups = ffdhe_kexch_groups;
3814 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3815 break;
3816 case 7:
3817 kexch_alg = NID_ffdhe2048;
3818 break;
3819 case 8:
3820 kexch_alg = NID_ffdhe3072;
3821 break;
3822 case 9:
3823 kexch_alg = NID_ffdhe4096;
3824 break;
3825 case 10:
3826 kexch_alg = NID_ffdhe6144;
3827 break;
3828 case 11:
3829 kexch_alg = NID_ffdhe8192;
3830 break;
3831 # endif
3832 default:
3833 /* We're skipping this test */
3834 return 1;
3835 }
3836
3837 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3838 TLS1_VERSION, max_version,
3839 &sctx, &cctx, cert, privkey)))
3840 goto end;
3841
3842 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3843 TLS1_3_RFC_AES_128_GCM_SHA256)))
3844 goto end;
3845
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 TLS1_3_RFC_AES_128_GCM_SHA256)))
3848 goto end;
3849
3850 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3851 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3852 goto end;
3853
3854 /*
3855 * Must include an EC ciphersuite so that we send supported groups in
3856 * TLSv1.2
3857 */
3858 # ifndef OPENSSL_NO_TLS1_2
3859 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3860 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3861 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3862 goto end;
3863 # endif
3864
3865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3866 NULL, NULL)))
3867 goto end;
3868
3869 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3870 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3871 goto end;
3872
3873 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3874 goto end;
3875
3876 /*
3877 * If Handshake succeeds the negotiated kexch alg should be the first one in
3878 * configured, except in the case of FFDHE groups (idx 13), which are
3879 * TLSv1.3 only so we expect no shared group to exist.
3880 */
3881 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3882 idx == 13 ? 0 : kexch_groups[0]))
3883 goto end;
3884 if (max_version == TLS1_3_VERSION) {
3885 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3886 goto end;
3887 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3888 goto end;
3889 }
3890
3891 testresult = 1;
3892 end:
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3895 SSL_CTX_free(sctx);
3896 SSL_CTX_free(cctx);
3897 return testresult;
3898 }
3899
3900 /*
3901 * Test TLSv1.3 Cipher Suite
3902 * Test 0 = Set TLS1.3 cipher on context
3903 * Test 1 = Set TLS1.3 cipher on SSL
3904 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3905 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3906 */
3907 static int test_tls13_ciphersuite(int idx)
3908 {
3909 SSL_CTX *sctx = NULL, *cctx = NULL;
3910 SSL *serverssl = NULL, *clientssl = NULL;
3911 static const char *t13_ciphers[] = {
3912 TLS1_3_RFC_AES_128_GCM_SHA256,
3913 TLS1_3_RFC_AES_256_GCM_SHA384,
3914 TLS1_3_RFC_AES_128_CCM_SHA256,
3915 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3916 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3917 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3918 # endif
3919 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3920 };
3921 const char *t13_cipher = NULL;
3922 const char *t12_cipher = NULL;
3923 const char *negotiated_scipher;
3924 const char *negotiated_ccipher;
3925 int set_at_ctx = 0;
3926 int set_at_ssl = 0;
3927 int testresult = 0;
3928 int max_ver;
3929 size_t i;
3930
3931 switch (idx) {
3932 case 0:
3933 set_at_ctx = 1;
3934 break;
3935 case 1:
3936 set_at_ssl = 1;
3937 break;
3938 case 2:
3939 set_at_ctx = 1;
3940 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3941 break;
3942 case 3:
3943 set_at_ssl = 1;
3944 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
3945 break;
3946 }
3947
3948 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3949 # ifdef OPENSSL_NO_TLS1_2
3950 if (max_ver == TLS1_2_VERSION)
3951 continue;
3952 # endif
3953 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3954 t13_cipher = t13_ciphers[i];
3955 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3956 TLS_client_method(),
3957 TLS1_VERSION, max_ver,
3958 &sctx, &cctx, cert, privkey)))
3959 goto end;
3960
3961 if (set_at_ctx) {
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3964 goto end;
3965 if (t12_cipher != NULL) {
3966 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3967 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3968 t12_cipher)))
3969 goto end;
3970 }
3971 }
3972
3973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3974 &clientssl, NULL, NULL)))
3975 goto end;
3976
3977 if (set_at_ssl) {
3978 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3979 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3980 goto end;
3981 if (t12_cipher != NULL) {
3982 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3983 || !TEST_true(SSL_set_cipher_list(clientssl,
3984 t12_cipher)))
3985 goto end;
3986 }
3987 }
3988
3989 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3990 SSL_ERROR_NONE)))
3991 goto end;
3992
3993 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3994 serverssl));
3995 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3996 clientssl));
3997 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3998 goto end;
3999
4000 /*
4001 * TEST_strn_eq is used below because t13_cipher can contain
4002 * multiple ciphersuites
4003 */
4004 if (max_ver == TLS1_3_VERSION
4005 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4006 strlen(negotiated_scipher)))
4007 goto end;
4008
4009 # ifndef OPENSSL_NO_TLS1_2
4010 /* Below validation is not done when t12_cipher is NULL */
4011 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4012 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4013 goto end;
4014 # endif
4015
4016 SSL_free(serverssl);
4017 serverssl = NULL;
4018 SSL_free(clientssl);
4019 clientssl = NULL;
4020 SSL_CTX_free(sctx);
4021 sctx = NULL;
4022 SSL_CTX_free(cctx);
4023 cctx = NULL;
4024 }
4025 }
4026
4027 testresult = 1;
4028 end:
4029 SSL_free(serverssl);
4030 SSL_free(clientssl);
4031 SSL_CTX_free(sctx);
4032 SSL_CTX_free(cctx);
4033 return testresult;
4034 }
4035
4036 /*
4037 * Test TLSv1.3 PSKs
4038 * Test 0 = Test new style callbacks
4039 * Test 1 = Test both new and old style callbacks
4040 * Test 2 = Test old style callbacks
4041 * Test 3 = Test old style callbacks with no certificate
4042 */
4043 static int test_tls13_psk(int idx)
4044 {
4045 SSL_CTX *sctx = NULL, *cctx = NULL;
4046 SSL *serverssl = NULL, *clientssl = NULL;
4047 const SSL_CIPHER *cipher = NULL;
4048 const unsigned char key[] = {
4049 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4050 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4051 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4052 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4053 };
4054 int testresult = 0;
4055
4056 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4057 TLS1_VERSION, 0,
4058 &sctx, &cctx, idx == 3 ? NULL : cert,
4059 idx == 3 ? NULL : privkey)))
4060 goto end;
4061
4062 if (idx != 3) {
4063 /*
4064 * We use a ciphersuite with SHA256 to ease testing old style PSK
4065 * callbacks which will always default to SHA256. This should not be
4066 * necessary if we have no cert/priv key. In that case the server should
4067 * prefer SHA256 automatically.
4068 */
4069 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4070 "TLS_AES_128_GCM_SHA256")))
4071 goto end;
4072 }
4073
4074 /*
4075 * Test 0: New style callbacks only
4076 * Test 1: New and old style callbacks (only the new ones should be used)
4077 * Test 2: Old style callbacks only
4078 */
4079 if (idx == 0 || idx == 1) {
4080 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4081 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4082 }
4083 #ifndef OPENSSL_NO_PSK
4084 if (idx >= 1) {
4085 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4086 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4087 }
4088 #endif
4089 srvid = pskid;
4090 use_session_cb_cnt = 0;
4091 find_session_cb_cnt = 0;
4092 psk_client_cb_cnt = 0;
4093 psk_server_cb_cnt = 0;
4094
4095 if (idx != 3) {
4096 /*
4097 * Check we can create a connection if callback decides not to send a
4098 * PSK
4099 */
4100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4101 NULL, NULL))
4102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4103 SSL_ERROR_NONE))
4104 || !TEST_false(SSL_session_reused(clientssl))
4105 || !TEST_false(SSL_session_reused(serverssl)))
4106 goto end;
4107
4108 if (idx == 0 || idx == 1) {
4109 if (!TEST_true(use_session_cb_cnt == 1)
4110 || !TEST_true(find_session_cb_cnt == 0)
4111 /*
4112 * If no old style callback then below should be 0
4113 * otherwise 1
4114 */
4115 || !TEST_true(psk_client_cb_cnt == idx)
4116 || !TEST_true(psk_server_cb_cnt == 0))
4117 goto end;
4118 } else {
4119 if (!TEST_true(use_session_cb_cnt == 0)
4120 || !TEST_true(find_session_cb_cnt == 0)
4121 || !TEST_true(psk_client_cb_cnt == 1)
4122 || !TEST_true(psk_server_cb_cnt == 0))
4123 goto end;
4124 }
4125
4126 shutdown_ssl_connection(serverssl, clientssl);
4127 serverssl = clientssl = NULL;
4128 use_session_cb_cnt = psk_client_cb_cnt = 0;
4129 }
4130
4131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4132 NULL, NULL)))
4133 goto end;
4134
4135 /* Create the PSK */
4136 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4137 clientpsk = SSL_SESSION_new();
4138 if (!TEST_ptr(clientpsk)
4139 || !TEST_ptr(cipher)
4140 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4141 sizeof(key)))
4142 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4143 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4144 TLS1_3_VERSION))
4145 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4146 goto end;
4147 serverpsk = clientpsk;
4148
4149 /* Check we can create a connection and the PSK is used */
4150 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4151 || !TEST_true(SSL_session_reused(clientssl))
4152 || !TEST_true(SSL_session_reused(serverssl)))
4153 goto end;
4154
4155 if (idx == 0 || idx == 1) {
4156 if (!TEST_true(use_session_cb_cnt == 1)
4157 || !TEST_true(find_session_cb_cnt == 1)
4158 || !TEST_true(psk_client_cb_cnt == 0)
4159 || !TEST_true(psk_server_cb_cnt == 0))
4160 goto end;
4161 } else {
4162 if (!TEST_true(use_session_cb_cnt == 0)
4163 || !TEST_true(find_session_cb_cnt == 0)
4164 || !TEST_true(psk_client_cb_cnt == 1)
4165 || !TEST_true(psk_server_cb_cnt == 1))
4166 goto end;
4167 }
4168
4169 shutdown_ssl_connection(serverssl, clientssl);
4170 serverssl = clientssl = NULL;
4171 use_session_cb_cnt = find_session_cb_cnt = 0;
4172 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4173
4174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4175 NULL, NULL)))
4176 goto end;
4177
4178 /* Force an HRR */
4179 #if defined(OPENSSL_NO_EC)
4180 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4181 goto end;
4182 #else
4183 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4184 goto end;
4185 #endif
4186
4187 /*
4188 * Check we can create a connection, the PSK is used and the callbacks are
4189 * called twice.
4190 */
4191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4192 || !TEST_true(SSL_session_reused(clientssl))
4193 || !TEST_true(SSL_session_reused(serverssl)))
4194 goto end;
4195
4196 if (idx == 0 || idx == 1) {
4197 if (!TEST_true(use_session_cb_cnt == 2)
4198 || !TEST_true(find_session_cb_cnt == 2)
4199 || !TEST_true(psk_client_cb_cnt == 0)
4200 || !TEST_true(psk_server_cb_cnt == 0))
4201 goto end;
4202 } else {
4203 if (!TEST_true(use_session_cb_cnt == 0)
4204 || !TEST_true(find_session_cb_cnt == 0)
4205 || !TEST_true(psk_client_cb_cnt == 2)
4206 || !TEST_true(psk_server_cb_cnt == 2))
4207 goto end;
4208 }
4209
4210 shutdown_ssl_connection(serverssl, clientssl);
4211 serverssl = clientssl = NULL;
4212 use_session_cb_cnt = find_session_cb_cnt = 0;
4213 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4214
4215 if (idx != 3) {
4216 /*
4217 * Check that if the server rejects the PSK we can still connect, but with
4218 * a full handshake
4219 */
4220 srvid = "Dummy Identity";
4221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4222 NULL, NULL))
4223 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4224 SSL_ERROR_NONE))
4225 || !TEST_false(SSL_session_reused(clientssl))
4226 || !TEST_false(SSL_session_reused(serverssl)))
4227 goto end;
4228
4229 if (idx == 0 || idx == 1) {
4230 if (!TEST_true(use_session_cb_cnt == 1)
4231 || !TEST_true(find_session_cb_cnt == 1)
4232 || !TEST_true(psk_client_cb_cnt == 0)
4233 /*
4234 * If no old style callback then below should be 0
4235 * otherwise 1
4236 */
4237 || !TEST_true(psk_server_cb_cnt == idx))
4238 goto end;
4239 } else {
4240 if (!TEST_true(use_session_cb_cnt == 0)
4241 || !TEST_true(find_session_cb_cnt == 0)
4242 || !TEST_true(psk_client_cb_cnt == 1)
4243 || !TEST_true(psk_server_cb_cnt == 1))
4244 goto end;
4245 }
4246
4247 shutdown_ssl_connection(serverssl, clientssl);
4248 serverssl = clientssl = NULL;
4249 }
4250 testresult = 1;
4251
4252 end:
4253 SSL_SESSION_free(clientpsk);
4254 SSL_SESSION_free(serverpsk);
4255 clientpsk = serverpsk = NULL;
4256 SSL_free(serverssl);
4257 SSL_free(clientssl);
4258 SSL_CTX_free(sctx);
4259 SSL_CTX_free(cctx);
4260 return testresult;
4261 }
4262
4263 static unsigned char cookie_magic_value[] = "cookie magic";
4264
4265 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4266 unsigned int *cookie_len)
4267 {
4268 /*
4269 * Not suitable as a real cookie generation function but good enough for
4270 * testing!
4271 */
4272 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4273 *cookie_len = sizeof(cookie_magic_value) - 1;
4274
4275 return 1;
4276 }
4277
4278 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4279 unsigned int cookie_len)
4280 {
4281 if (cookie_len == sizeof(cookie_magic_value) - 1
4282 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4283 return 1;
4284
4285 return 0;
4286 }
4287
4288 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4289 size_t *cookie_len)
4290 {
4291 unsigned int temp;
4292 int res = generate_cookie_callback(ssl, cookie, &temp);
4293 *cookie_len = temp;
4294 return res;
4295 }
4296
4297 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4298 size_t cookie_len)
4299 {
4300 return verify_cookie_callback(ssl, cookie, cookie_len);
4301 }
4302
4303 static int test_stateless(void)
4304 {
4305 SSL_CTX *sctx = NULL, *cctx = NULL;
4306 SSL *serverssl = NULL, *clientssl = NULL;
4307 int testresult = 0;
4308
4309 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4310 TLS1_VERSION, 0,
4311 &sctx, &cctx, cert, privkey)))
4312 goto end;
4313
4314 /* The arrival of CCS messages can confuse the test */
4315 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4316
4317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4318 NULL, NULL))
4319 /* Send the first ClientHello */
4320 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4321 SSL_ERROR_WANT_READ))
4322 /*
4323 * This should fail with a -1 return because we have no callbacks
4324 * set up
4325 */
4326 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4327 goto end;
4328
4329 /* Fatal error so abandon the connection from this client */
4330 SSL_free(clientssl);
4331 clientssl = NULL;
4332
4333 /* Set up the cookie generation and verification callbacks */
4334 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4335 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4336
4337 /*
4338 * Create a new connection from the client (we can reuse the server SSL
4339 * object).
4340 */
4341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4342 NULL, NULL))
4343 /* Send the first ClientHello */
4344 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4345 SSL_ERROR_WANT_READ))
4346 /* This should fail because there is no cookie */
4347 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4348 goto end;
4349
4350 /* Abandon the connection from this client */
4351 SSL_free(clientssl);
4352 clientssl = NULL;
4353
4354 /*
4355 * Now create a connection from a new client but with the same server SSL
4356 * object
4357 */
4358 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4359 NULL, NULL))
4360 /* Send the first ClientHello */
4361 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4362 SSL_ERROR_WANT_READ))
4363 /* This should fail because there is no cookie */
4364 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4365 /* Send the second ClientHello */
4366 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4367 SSL_ERROR_WANT_READ))
4368 /* This should succeed because a cookie is now present */
4369 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4370 /* Complete the connection */
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4372 SSL_ERROR_NONE)))
4373 goto end;
4374
4375 shutdown_ssl_connection(serverssl, clientssl);
4376 serverssl = clientssl = NULL;
4377 testresult = 1;
4378
4379 end:
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4382 SSL_CTX_free(sctx);
4383 SSL_CTX_free(cctx);
4384 return testresult;
4385
4386 }
4387 #endif /* OPENSSL_NO_TLS1_3 */
4388
4389 static int clntaddoldcb = 0;
4390 static int clntparseoldcb = 0;
4391 static int srvaddoldcb = 0;
4392 static int srvparseoldcb = 0;
4393 static int clntaddnewcb = 0;
4394 static int clntparsenewcb = 0;
4395 static int srvaddnewcb = 0;
4396 static int srvparsenewcb = 0;
4397 static int snicb = 0;
4398
4399 #define TEST_EXT_TYPE1 0xff00
4400
4401 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4402 size_t *outlen, int *al, void *add_arg)
4403 {
4404 int *server = (int *)add_arg;
4405 unsigned char *data;
4406
4407 if (SSL_is_server(s))
4408 srvaddoldcb++;
4409 else
4410 clntaddoldcb++;
4411
4412 if (*server != SSL_is_server(s)
4413 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4414 return -1;
4415
4416 *data = 1;
4417 *out = data;
4418 *outlen = sizeof(char);
4419 return 1;
4420 }
4421
4422 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4423 void *add_arg)
4424 {
4425 OPENSSL_free((unsigned char *)out);
4426 }
4427
4428 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4429 size_t inlen, int *al, void *parse_arg)
4430 {
4431 int *server = (int *)parse_arg;
4432
4433 if (SSL_is_server(s))
4434 srvparseoldcb++;
4435 else
4436 clntparseoldcb++;
4437
4438 if (*server != SSL_is_server(s)
4439 || inlen != sizeof(char)
4440 || *in != 1)
4441 return -1;
4442
4443 return 1;
4444 }
4445
4446 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4447 const unsigned char **out, size_t *outlen, X509 *x,
4448 size_t chainidx, int *al, void *add_arg)
4449 {
4450 int *server = (int *)add_arg;
4451 unsigned char *data;
4452
4453 if (SSL_is_server(s))
4454 srvaddnewcb++;
4455 else
4456 clntaddnewcb++;
4457
4458 if (*server != SSL_is_server(s)
4459 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4460 return -1;
4461
4462 *data = 1;
4463 *out = data;
4464 *outlen = sizeof(*data);
4465 return 1;
4466 }
4467
4468 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4469 const unsigned char *out, void *add_arg)
4470 {
4471 OPENSSL_free((unsigned char *)out);
4472 }
4473
4474 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4475 const unsigned char *in, size_t inlen, X509 *x,
4476 size_t chainidx, int *al, void *parse_arg)
4477 {
4478 int *server = (int *)parse_arg;
4479
4480 if (SSL_is_server(s))
4481 srvparsenewcb++;
4482 else
4483 clntparsenewcb++;
4484
4485 if (*server != SSL_is_server(s)
4486 || inlen != sizeof(char) || *in != 1)
4487 return -1;
4488
4489 return 1;
4490 }
4491
4492 static int sni_cb(SSL *s, int *al, void *arg)
4493 {
4494 SSL_CTX *ctx = (SSL_CTX *)arg;
4495
4496 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4497 *al = SSL_AD_INTERNAL_ERROR;
4498 return SSL_TLSEXT_ERR_ALERT_FATAL;
4499 }
4500 snicb++;
4501 return SSL_TLSEXT_ERR_OK;
4502 }
4503
4504 /*
4505 * Custom call back tests.
4506 * Test 0: Old style callbacks in TLSv1.2
4507 * Test 1: New style callbacks in TLSv1.2
4508 * Test 2: New style callbacks in TLSv1.2 with SNI
4509 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4510 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4511 */
4512 static int test_custom_exts(int tst)
4513 {
4514 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4515 SSL *clientssl = NULL, *serverssl = NULL;
4516 int testresult = 0;
4517 static int server = 1;
4518 static int client = 0;
4519 SSL_SESSION *sess = NULL;
4520 unsigned int context;
4521
4522 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4523 /* Skip tests for TLSv1.2 and below in this case */
4524 if (tst < 3)
4525 return 1;
4526 #endif
4527
4528 /* Reset callback counters */
4529 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4530 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4531 snicb = 0;
4532
4533 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4534 TLS1_VERSION, 0,
4535 &sctx, &cctx, cert, privkey)))
4536 goto end;
4537
4538 if (tst == 2
4539 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4540 TLS1_VERSION, 0,
4541 &sctx2, NULL, cert, privkey)))
4542 goto end;
4543
4544
4545 if (tst < 3) {
4546 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4547 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4548 if (sctx2 != NULL)
4549 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4550 }
4551
4552 if (tst == 4) {
4553 context = SSL_EXT_CLIENT_HELLO
4554 | SSL_EXT_TLS1_2_SERVER_HELLO
4555 | SSL_EXT_TLS1_3_SERVER_HELLO
4556 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4557 | SSL_EXT_TLS1_3_CERTIFICATE
4558 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4559 } else {
4560 context = SSL_EXT_CLIENT_HELLO
4561 | SSL_EXT_TLS1_2_SERVER_HELLO
4562 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4563 }
4564
4565 /* Create a client side custom extension */
4566 if (tst == 0) {
4567 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4568 old_add_cb, old_free_cb,
4569 &client, old_parse_cb,
4570 &client)))
4571 goto end;
4572 } else {
4573 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4574 new_add_cb, new_free_cb,
4575 &client, new_parse_cb, &client)))
4576 goto end;
4577 }
4578
4579 /* Should not be able to add duplicates */
4580 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4581 old_add_cb, old_free_cb,
4582 &client, old_parse_cb,
4583 &client))
4584 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4585 context, new_add_cb,
4586 new_free_cb, &client,
4587 new_parse_cb, &client)))
4588 goto end;
4589
4590 /* Create a server side custom extension */
4591 if (tst == 0) {
4592 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4593 old_add_cb, old_free_cb,
4594 &server, old_parse_cb,
4595 &server)))
4596 goto end;
4597 } else {
4598 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4599 new_add_cb, new_free_cb,
4600 &server, new_parse_cb, &server)))
4601 goto end;
4602 if (sctx2 != NULL
4603 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4604 context, new_add_cb,
4605 new_free_cb, &server,
4606 new_parse_cb, &server)))
4607 goto end;
4608 }
4609
4610 /* Should not be able to add duplicates */
4611 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4612 old_add_cb, old_free_cb,
4613 &server, old_parse_cb,
4614 &server))
4615 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4616 context, new_add_cb,
4617 new_free_cb, &server,
4618 new_parse_cb, &server)))
4619 goto end;
4620
4621 if (tst == 2) {
4622 /* Set up SNI */
4623 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4624 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4625 goto end;
4626 }
4627
4628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4629 &clientssl, NULL, NULL))
4630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4631 SSL_ERROR_NONE)))
4632 goto end;
4633
4634 if (tst == 0) {
4635 if (clntaddoldcb != 1
4636 || clntparseoldcb != 1
4637 || srvaddoldcb != 1
4638 || srvparseoldcb != 1)
4639 goto end;
4640 } else if (tst == 1 || tst == 2 || tst == 3) {
4641 if (clntaddnewcb != 1
4642 || clntparsenewcb != 1
4643 || srvaddnewcb != 1
4644 || srvparsenewcb != 1
4645 || (tst != 2 && snicb != 0)
4646 || (tst == 2 && snicb != 1))
4647 goto end;
4648 } else {
4649 /* In this case there 2 NewSessionTicket messages created */
4650 if (clntaddnewcb != 1
4651 || clntparsenewcb != 5
4652 || srvaddnewcb != 5
4653 || srvparsenewcb != 1)
4654 goto end;
4655 }
4656
4657 sess = SSL_get1_session(clientssl);
4658 SSL_shutdown(clientssl);
4659 SSL_shutdown(serverssl);
4660 SSL_free(serverssl);
4661 SSL_free(clientssl);
4662 serverssl = clientssl = NULL;
4663
4664 if (tst == 3) {
4665 /* We don't bother with the resumption aspects for this test */
4666 testresult = 1;
4667 goto end;
4668 }
4669
4670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4671 NULL, NULL))
4672 || !TEST_true(SSL_set_session(clientssl, sess))
4673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4674 SSL_ERROR_NONE)))
4675 goto end;
4676
4677 /*
4678 * For a resumed session we expect to add the ClientHello extension. For the
4679 * old style callbacks we ignore it on the server side because they set
4680 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4681 * them.
4682 */
4683 if (tst == 0) {
4684 if (clntaddoldcb != 2
4685 || clntparseoldcb != 1
4686 || srvaddoldcb != 1
4687 || srvparseoldcb != 1)
4688 goto end;
4689 } else if (tst == 1 || tst == 2 || tst == 3) {
4690 if (clntaddnewcb != 2
4691 || clntparsenewcb != 2
4692 || srvaddnewcb != 2
4693 || srvparsenewcb != 2)
4694 goto end;
4695 } else {
4696 /*
4697 * No Certificate message extensions in the resumption handshake,
4698 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4699 */
4700 if (clntaddnewcb != 2
4701 || clntparsenewcb != 8
4702 || srvaddnewcb != 8
4703 || srvparsenewcb != 2)
4704 goto end;
4705 }
4706
4707 testresult = 1;
4708
4709 end:
4710 SSL_SESSION_free(sess);
4711 SSL_free(serverssl);
4712 SSL_free(clientssl);
4713 SSL_CTX_free(sctx2);
4714 SSL_CTX_free(sctx);
4715 SSL_CTX_free(cctx);
4716 return testresult;
4717 }
4718
4719 /*
4720 * Test loading of serverinfo data in various formats. test_sslmessages actually
4721 * tests to make sure the extensions appear in the handshake
4722 */
4723 static int test_serverinfo(int tst)
4724 {
4725 unsigned int version;
4726 unsigned char *sibuf;
4727 size_t sibuflen;
4728 int ret, expected, testresult = 0;
4729 SSL_CTX *ctx;
4730
4731 ctx = SSL_CTX_new(TLS_method());
4732 if (!TEST_ptr(ctx))
4733 goto end;
4734
4735 if ((tst & 0x01) == 0x01)
4736 version = SSL_SERVERINFOV2;
4737 else
4738 version = SSL_SERVERINFOV1;
4739
4740 if ((tst & 0x02) == 0x02) {
4741 sibuf = serverinfov2;
4742 sibuflen = sizeof(serverinfov2);
4743 expected = (version == SSL_SERVERINFOV2);
4744 } else {
4745 sibuf = serverinfov1;
4746 sibuflen = sizeof(serverinfov1);
4747 expected = (version == SSL_SERVERINFOV1);
4748 }
4749
4750 if ((tst & 0x04) == 0x04) {
4751 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4752 } else {
4753 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4754
4755 /*
4756 * The version variable is irrelevant in this case - it's what is in the
4757 * buffer that matters
4758 */
4759 if ((tst & 0x02) == 0x02)
4760 expected = 0;
4761 else
4762 expected = 1;
4763 }
4764
4765 if (!TEST_true(ret == expected))
4766 goto end;
4767
4768 testresult = 1;
4769
4770 end:
4771 SSL_CTX_free(ctx);
4772
4773 return testresult;
4774 }
4775
4776 /*
4777 * Test that SSL_export_keying_material() produces expected results. There are
4778 * no test vectors so all we do is test that both sides of the communication
4779 * produce the same results for different protocol versions.
4780 */
4781 #define SMALL_LABEL_LEN 10
4782 #define LONG_LABEL_LEN 249
4783 static int test_export_key_mat(int tst)
4784 {
4785 int testresult = 0;
4786 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4787 SSL *clientssl = NULL, *serverssl = NULL;
4788 const char label[LONG_LABEL_LEN + 1] = "test label";
4789 const unsigned char context[] = "context";
4790 const unsigned char *emptycontext = NULL;
4791 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4792 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4793 size_t labellen;
4794 const int protocols[] = {
4795 TLS1_VERSION,
4796 TLS1_1_VERSION,
4797 TLS1_2_VERSION,
4798 TLS1_3_VERSION,
4799 TLS1_3_VERSION,
4800 TLS1_3_VERSION
4801 };
4802
4803 #ifdef OPENSSL_NO_TLS1
4804 if (tst == 0)
4805 return 1;
4806 #endif
4807 #ifdef OPENSSL_NO_TLS1_1
4808 if (tst == 1)
4809 return 1;
4810 #endif
4811 #ifdef OPENSSL_NO_TLS1_2
4812 if (tst == 2)
4813 return 1;
4814 #endif
4815 #ifdef OPENSSL_NO_TLS1_3
4816 if (tst >= 3)
4817 return 1;
4818 #endif
4819 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4820 TLS1_VERSION, 0,
4821 &sctx, &cctx, cert, privkey)))
4822 goto end;
4823
4824 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4825 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4826 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4827
4828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4829 NULL))
4830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4831 SSL_ERROR_NONE)))
4832 goto end;
4833
4834 if (tst == 5) {
4835 /*
4836 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4837 * go over that.
4838 */
4839 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4840 sizeof(ckeymat1), label,
4841 LONG_LABEL_LEN + 1, context,
4842 sizeof(context) - 1, 1), 0))
4843 goto end;
4844
4845 testresult = 1;
4846 goto end;
4847 } else if (tst == 4) {
4848 labellen = LONG_LABEL_LEN;
4849 } else {
4850 labellen = SMALL_LABEL_LEN;
4851 }
4852
4853 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4854 sizeof(ckeymat1), label,
4855 labellen, context,
4856 sizeof(context) - 1, 1), 1)
4857 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4858 sizeof(ckeymat2), label,
4859 labellen,
4860 emptycontext,
4861 0, 1), 1)
4862 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4863 sizeof(ckeymat3), label,
4864 labellen,
4865 NULL, 0, 0), 1)
4866 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4867 sizeof(skeymat1), label,
4868 labellen,
4869 context,
4870 sizeof(context) -1, 1),
4871 1)
4872 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4873 sizeof(skeymat2), label,
4874 labellen,
4875 emptycontext,
4876 0, 1), 1)
4877 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4878 sizeof(skeymat3), label,
4879 labellen,
4880 NULL, 0, 0), 1)
4881 /*
4882 * Check that both sides created the same key material with the
4883 * same context.
4884 */
4885 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4886 sizeof(skeymat1))
4887 /*
4888 * Check that both sides created the same key material with an
4889 * empty context.
4890 */
4891 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4892 sizeof(skeymat2))
4893 /*
4894 * Check that both sides created the same key material without a
4895 * context.
4896 */
4897 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4898 sizeof(skeymat3))
4899 /* Different contexts should produce different results */
4900 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4901 sizeof(ckeymat2)))
4902 goto end;
4903
4904 /*
4905 * Check that an empty context and no context produce different results in
4906 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4907 */
4908 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4909 sizeof(ckeymat3)))
4910 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4911 sizeof(ckeymat3))))
4912 goto end;
4913
4914 testresult = 1;
4915
4916 end:
4917 SSL_free(serverssl);
4918 SSL_free(clientssl);
4919 SSL_CTX_free(sctx2);
4920 SSL_CTX_free(sctx);
4921 SSL_CTX_free(cctx);
4922
4923 return testresult;
4924 }
4925
4926 #ifndef OPENSSL_NO_TLS1_3
4927 /*
4928 * Test that SSL_export_keying_material_early() produces expected
4929 * results. There are no test vectors so all we do is test that both
4930 * sides of the communication produce the same results for different
4931 * protocol versions.
4932 */
4933 static int test_export_key_mat_early(int idx)
4934 {
4935 static const char label[] = "test label";
4936 static const unsigned char context[] = "context";
4937 int testresult = 0;
4938 SSL_CTX *cctx = NULL, *sctx = NULL;
4939 SSL *clientssl = NULL, *serverssl = NULL;
4940 SSL_SESSION *sess = NULL;
4941 const unsigned char *emptycontext = NULL;
4942 unsigned char ckeymat1[80], ckeymat2[80];
4943 unsigned char skeymat1[80], skeymat2[80];
4944 unsigned char buf[1];
4945 size_t readbytes, written;
4946
4947 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4948 &sess, idx)))
4949 goto end;
4950
4951 /* Here writing 0 length early data is enough. */
4952 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4953 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4954 &readbytes),
4955 SSL_READ_EARLY_DATA_ERROR)
4956 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4957 SSL_EARLY_DATA_ACCEPTED))
4958 goto end;
4959
4960 if (!TEST_int_eq(SSL_export_keying_material_early(
4961 clientssl, ckeymat1, sizeof(ckeymat1), label,
4962 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4963 || !TEST_int_eq(SSL_export_keying_material_early(
4964 clientssl, ckeymat2, sizeof(ckeymat2), label,
4965 sizeof(label) - 1, emptycontext, 0), 1)
4966 || !TEST_int_eq(SSL_export_keying_material_early(
4967 serverssl, skeymat1, sizeof(skeymat1), label,
4968 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4969 || !TEST_int_eq(SSL_export_keying_material_early(
4970 serverssl, skeymat2, sizeof(skeymat2), label,
4971 sizeof(label) - 1, emptycontext, 0), 1)
4972 /*
4973 * Check that both sides created the same key material with the
4974 * same context.
4975 */
4976 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4977 sizeof(skeymat1))
4978 /*
4979 * Check that both sides created the same key material with an
4980 * empty context.
4981 */
4982 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4983 sizeof(skeymat2))
4984 /* Different contexts should produce different results */
4985 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4986 sizeof(ckeymat2)))
4987 goto end;
4988
4989 testresult = 1;
4990
4991 end:
4992 SSL_SESSION_free(sess);
4993 SSL_SESSION_free(clientpsk);
4994 SSL_SESSION_free(serverpsk);
4995 clientpsk = serverpsk = NULL;
4996 SSL_free(serverssl);
4997 SSL_free(clientssl);
4998 SSL_CTX_free(sctx);
4999 SSL_CTX_free(cctx);
5000
5001 return testresult;
5002 }
5003
5004 #define NUM_KEY_UPDATE_MESSAGES 40
5005 /*
5006 * Test KeyUpdate.
5007 */
5008 static int test_key_update(void)
5009 {
5010 SSL_CTX *cctx = NULL, *sctx = NULL;
5011 SSL *clientssl = NULL, *serverssl = NULL;
5012 int testresult = 0, i, j;
5013 char buf[20];
5014 static char *mess = "A test message";
5015
5016 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5017 TLS_client_method(),
5018 TLS1_3_VERSION,
5019 0,
5020 &sctx, &cctx, cert, privkey))
5021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5022 NULL, NULL))
5023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5024 SSL_ERROR_NONE)))
5025 goto end;
5026
5027 for (j = 0; j < 2; j++) {
5028 /* Send lots of KeyUpdate messages */
5029 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5030 if (!TEST_true(SSL_key_update(clientssl,
5031 (j == 0)
5032 ? SSL_KEY_UPDATE_NOT_REQUESTED
5033 : SSL_KEY_UPDATE_REQUESTED))
5034 || !TEST_true(SSL_do_handshake(clientssl)))
5035 goto end;
5036 }
5037
5038 /* Check that sending and receiving app data is ok */
5039 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5040 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5041 strlen(mess)))
5042 goto end;
5043
5044 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5045 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5046 strlen(mess)))
5047 goto end;
5048 }
5049
5050 testresult = 1;
5051
5052 end:
5053 SSL_free(serverssl);
5054 SSL_free(clientssl);
5055 SSL_CTX_free(sctx);
5056 SSL_CTX_free(cctx);
5057
5058 return testresult;
5059 }
5060
5061 /*
5062 * Test we can handle a KeyUpdate (update requested) message while write data
5063 * is pending.
5064 * Test 0: Client sends KeyUpdate while Server is writing
5065 * Test 1: Server sends KeyUpdate while Client is writing
5066 */
5067 static int test_key_update_in_write(int tst)
5068 {
5069 SSL_CTX *cctx = NULL, *sctx = NULL;
5070 SSL *clientssl = NULL, *serverssl = NULL;
5071 int testresult = 0;
5072 char buf[20];
5073 static char *mess = "A test message";
5074 BIO *bretry = BIO_new(bio_s_always_retry());
5075 BIO *tmp = NULL;
5076 SSL *peerupdate = NULL, *peerwrite = NULL;
5077
5078 if (!TEST_ptr(bretry)
5079 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5080 TLS_client_method(),
5081 TLS1_3_VERSION,
5082 0,
5083 &sctx, &cctx, cert, privkey))
5084 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5085 NULL, NULL))
5086 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5087 SSL_ERROR_NONE)))
5088 goto end;
5089
5090 peerupdate = tst == 0 ? clientssl : serverssl;
5091 peerwrite = tst == 0 ? serverssl : clientssl;
5092
5093 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5094 || !TEST_true(SSL_do_handshake(peerupdate)))
5095 goto end;
5096
5097 /* Swap the writing endpoint's write BIO to force a retry */
5098 tmp = SSL_get_wbio(peerwrite);
5099 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5100 tmp = NULL;
5101 goto end;
5102 }
5103 SSL_set0_wbio(peerwrite, bretry);
5104 bretry = NULL;
5105
5106 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5107 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5108 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5109 goto end;
5110
5111 /* Reinstate the original writing endpoint's write BIO */
5112 SSL_set0_wbio(peerwrite, tmp);
5113 tmp = NULL;
5114
5115 /* Now read some data - we will read the key update */
5116 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5117 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5118 goto end;
5119
5120 /*
5121 * Complete the write we started previously and read it from the other
5122 * endpoint
5123 */
5124 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5125 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5126 goto end;
5127
5128 /* Write more data to ensure we send the KeyUpdate message back */
5129 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5130 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5131 goto end;
5132
5133 testresult = 1;
5134
5135 end:
5136 SSL_free(serverssl);
5137 SSL_free(clientssl);
5138 SSL_CTX_free(sctx);
5139 SSL_CTX_free(cctx);
5140 BIO_free(bretry);
5141 BIO_free(tmp);
5142
5143 return testresult;
5144 }
5145 #endif /* OPENSSL_NO_TLS1_3 */
5146
5147 static int test_ssl_clear(int idx)
5148 {
5149 SSL_CTX *cctx = NULL, *sctx = NULL;
5150 SSL *clientssl = NULL, *serverssl = NULL;
5151 int testresult = 0;
5152
5153 #ifdef OPENSSL_NO_TLS1_2
5154 if (idx == 1)
5155 return 1;
5156 #endif
5157
5158 /* Create an initial connection */
5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5160 TLS1_VERSION, 0,
5161 &sctx, &cctx, cert, privkey))
5162 || (idx == 1
5163 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5164 TLS1_2_VERSION)))
5165 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5166 &clientssl, NULL, NULL))
5167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5168 SSL_ERROR_NONE)))
5169 goto end;
5170
5171 SSL_shutdown(clientssl);
5172 SSL_shutdown(serverssl);
5173 SSL_free(serverssl);
5174 serverssl = NULL;
5175
5176 /* Clear clientssl - we're going to reuse the object */
5177 if (!TEST_true(SSL_clear(clientssl)))
5178 goto end;
5179
5180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5181 NULL, NULL))
5182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5183 SSL_ERROR_NONE))
5184 || !TEST_true(SSL_session_reused(clientssl)))
5185 goto end;
5186
5187 SSL_shutdown(clientssl);
5188 SSL_shutdown(serverssl);
5189
5190 testresult = 1;
5191
5192 end:
5193 SSL_free(serverssl);
5194 SSL_free(clientssl);
5195 SSL_CTX_free(sctx);
5196 SSL_CTX_free(cctx);
5197
5198 return testresult;
5199 }
5200
5201 /* Parse CH and retrieve any MFL extension value if present */
5202 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5203 {
5204 long len;
5205 unsigned char *data;
5206 PACKET pkt, pkt2, pkt3;
5207 unsigned int MFL_code = 0, type = 0;
5208
5209 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5210 goto end;
5211
5212 memset(&pkt, 0, sizeof(pkt));
5213 memset(&pkt2, 0, sizeof(pkt2));
5214 memset(&pkt3, 0, sizeof(pkt3));
5215
5216 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5217 /* Skip the record header */
5218 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5219 /* Skip the handshake message header */
5220 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5221 /* Skip client version and random */
5222 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5223 + SSL3_RANDOM_SIZE))
5224 /* Skip session id */
5225 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5226 /* Skip ciphers */
5227 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5228 /* Skip compression */
5229 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5230 /* Extensions len */
5231 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5232 goto end;
5233
5234 /* Loop through all extensions */
5235 while (PACKET_remaining(&pkt2)) {
5236 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5237 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5238 goto end;
5239
5240 if (type == TLSEXT_TYPE_max_fragment_length) {
5241 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5242 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5243 goto end;
5244
5245 *mfl_codemfl_code = MFL_code;
5246 return 1;
5247 }
5248 }
5249
5250 end:
5251 return 0;
5252 }
5253
5254 /* Maximum-Fragment-Length TLS extension mode to test */
5255 static const unsigned char max_fragment_len_test[] = {
5256 TLSEXT_max_fragment_length_512,
5257 TLSEXT_max_fragment_length_1024,
5258 TLSEXT_max_fragment_length_2048,
5259 TLSEXT_max_fragment_length_4096
5260 };
5261
5262 static int test_max_fragment_len_ext(int idx_tst)
5263 {
5264 SSL_CTX *ctx;
5265 SSL *con = NULL;
5266 int testresult = 0, MFL_mode = 0;
5267 BIO *rbio, *wbio;
5268
5269 ctx = SSL_CTX_new(TLS_method());
5270 if (!TEST_ptr(ctx))
5271 goto end;
5272
5273 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5274 ctx, max_fragment_len_test[idx_tst])))
5275 goto end;
5276
5277 con = SSL_new(ctx);
5278 if (!TEST_ptr(con))
5279 goto end;
5280
5281 rbio = BIO_new(BIO_s_mem());
5282 wbio = BIO_new(BIO_s_mem());
5283 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5284 BIO_free(rbio);
5285 BIO_free(wbio);
5286 goto end;
5287 }
5288
5289 SSL_set_bio(con, rbio, wbio);
5290 SSL_set_connect_state(con);
5291
5292 if (!TEST_int_le(SSL_connect(con), 0)) {
5293 /* This shouldn't succeed because we don't have a server! */
5294 goto end;
5295 }
5296
5297 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5298 /* no MFL in client hello */
5299 goto end;
5300 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5301 goto end;
5302
5303 testresult = 1;
5304
5305 end:
5306 SSL_free(con);
5307 SSL_CTX_free(ctx);
5308
5309 return testresult;
5310 }
5311
5312 #ifndef OPENSSL_NO_TLS1_3
5313 static int test_pha_key_update(void)
5314 {
5315 SSL_CTX *cctx = NULL, *sctx = NULL;
5316 SSL *clientssl = NULL, *serverssl = NULL;
5317 int testresult = 0;
5318
5319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5320 TLS1_VERSION, 0,
5321 &sctx, &cctx, cert, privkey)))
5322 return 0;
5323
5324 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5325 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5326 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5327 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5328 goto end;
5329
5330 SSL_CTX_set_post_handshake_auth(cctx, 1);
5331
5332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5333 NULL, NULL)))
5334 goto end;
5335
5336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5337 SSL_ERROR_NONE)))
5338 goto end;
5339
5340 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5341 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5342 goto end;
5343
5344 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5345 goto end;
5346
5347 /* Start handshake on the server */
5348 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5349 goto end;
5350
5351 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5353 SSL_ERROR_NONE)))
5354 goto end;
5355
5356 SSL_shutdown(clientssl);
5357 SSL_shutdown(serverssl);
5358
5359 testresult = 1;
5360
5361 end:
5362 SSL_free(serverssl);
5363 SSL_free(clientssl);
5364 SSL_CTX_free(sctx);
5365 SSL_CTX_free(cctx);
5366 return testresult;
5367 }
5368 #endif
5369
5370 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5371
5372 static SRP_VBASE *vbase = NULL;
5373
5374 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5375 {
5376 int ret = SSL3_AL_FATAL;
5377 char *username;
5378 SRP_user_pwd *user = NULL;
5379
5380 username = SSL_get_srp_username(s);
5381 if (username == NULL) {
5382 *ad = SSL_AD_INTERNAL_ERROR;
5383 goto err;
5384 }
5385
5386 user = SRP_VBASE_get1_by_user(vbase, username);
5387 if (user == NULL) {
5388 *ad = SSL_AD_INTERNAL_ERROR;
5389 goto err;
5390 }
5391
5392 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5393 user->info) <= 0) {
5394 *ad = SSL_AD_INTERNAL_ERROR;
5395 goto err;
5396 }
5397
5398 ret = 0;
5399
5400 err:
5401 SRP_user_pwd_free(user);
5402 return ret;
5403 }
5404
5405 static int create_new_vfile(char *userid, char *password, const char *filename)
5406 {
5407 char *gNid = NULL;
5408 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5409 TXT_DB *db = NULL;
5410 int ret = 0;
5411 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5412 size_t i;
5413
5414 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5415 goto end;
5416
5417 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5418 &row[DB_srpverifier], NULL, NULL);
5419 if (!TEST_ptr(gNid))
5420 goto end;
5421
5422 /*
5423 * The only way to create an empty TXT_DB is to provide a BIO with no data
5424 * in it!
5425 */
5426 db = TXT_DB_read(dummy, DB_NUMBER);
5427 if (!TEST_ptr(db))
5428 goto end;
5429
5430 out = BIO_new_file(filename, "w");
5431 if (!TEST_ptr(out))
5432 goto end;
5433
5434 row[DB_srpid] = OPENSSL_strdup(userid);
5435 row[DB_srptype] = OPENSSL_strdup("V");
5436 row[DB_srpgN] = OPENSSL_strdup(gNid);
5437
5438 if (!TEST_ptr(row[DB_srpid])
5439 || !TEST_ptr(row[DB_srptype])
5440 || !TEST_ptr(row[DB_srpgN])
5441 || !TEST_true(TXT_DB_insert(db, row)))
5442 goto end;
5443
5444 row = NULL;
5445
5446 if (!TXT_DB_write(out, db))
5447 goto end;
5448
5449 ret = 1;
5450 end:
5451 if (row != NULL) {
5452 for (i = 0; i < DB_NUMBER; i++)
5453 OPENSSL_free(row[i]);
5454 }
5455 OPENSSL_free(row);
5456 BIO_free(dummy);
5457 BIO_free(out);
5458 TXT_DB_free(db);
5459
5460 return ret;
5461 }
5462
5463 static int create_new_vbase(char *userid, char *password)
5464 {
5465 BIGNUM *verifier = NULL, *salt = NULL;
5466 const SRP_gN *lgN = NULL;
5467 SRP_user_pwd *user_pwd = NULL;
5468 int ret = 0;
5469
5470 lgN = SRP_get_default_gN(NULL);
5471 if (!TEST_ptr(lgN))
5472 goto end;
5473
5474 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5475 lgN->N, lgN->g)))
5476 goto end;
5477
5478 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5479 if (!TEST_ptr(user_pwd))
5480 goto end;
5481
5482 user_pwd->N = lgN->N;
5483 user_pwd->g = lgN->g;
5484 user_pwd->id = OPENSSL_strdup(userid);
5485 if (!TEST_ptr(user_pwd->id))
5486 goto end;
5487
5488 user_pwd->v = verifier;
5489 user_pwd->s = salt;
5490 verifier = salt = NULL;
5491
5492 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5493 goto end;
5494 user_pwd = NULL;
5495
5496 ret = 1;
5497 end:
5498 SRP_user_pwd_free(user_pwd);
5499 BN_free(salt);
5500 BN_free(verifier);
5501
5502 return ret;
5503 }
5504
5505 /*
5506 * SRP tests
5507 *
5508 * Test 0: Simple successful SRP connection, new vbase
5509 * Test 1: Connection failure due to bad password, new vbase
5510 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5511 * Test 3: Connection failure due to bad password, vbase loaded from existing
5512 * file
5513 * Test 4: Simple successful SRP connection, vbase loaded from new file
5514 * Test 5: Connection failure due to bad password, vbase loaded from new file
5515 */
5516 static int test_srp(int tst)
5517 {
5518 char *userid = "test", *password = "password", *tstsrpfile;
5519 SSL_CTX *cctx = NULL, *sctx = NULL;
5520 SSL *clientssl = NULL, *serverssl = NULL;
5521 int ret, testresult = 0;
5522
5523 vbase = SRP_VBASE_new(NULL);
5524 if (!TEST_ptr(vbase))
5525 goto end;
5526
5527 if (tst == 0 || tst == 1) {
5528 if (!TEST_true(create_new_vbase(userid, password)))
5529 goto end;
5530 } else {
5531 if (tst == 4 || tst == 5) {
5532 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5533 goto end;
5534 tstsrpfile = tmpfilename;
5535 } else {
5536 tstsrpfile = srpvfile;
5537 }
5538 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5539 goto end;
5540 }
5541
5542 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5543 TLS1_VERSION, 0,
5544 &sctx, &cctx, cert, privkey)))
5545 goto end;
5546
5547 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5548 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5549 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5550 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5551 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5552 goto end;
5553
5554 if (tst % 2 == 1) {
5555 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5556 goto end;
5557 } else {
5558 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5559 goto end;
5560 }
5561
5562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5563 NULL, NULL)))
5564 goto end;
5565
5566 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5567 if (ret) {
5568 if (!TEST_true(tst % 2 == 0))
5569 goto end;
5570 } else {
5571 if (!TEST_true(tst % 2 == 1))
5572 goto end;
5573 }
5574
5575 testresult = 1;
5576
5577 end:
5578 SRP_VBASE_free(vbase);
5579 vbase = NULL;
5580 SSL_free(serverssl);
5581 SSL_free(clientssl);
5582 SSL_CTX_free(sctx);
5583 SSL_CTX_free(cctx);
5584
5585 return testresult;
5586 }
5587 #endif
5588
5589 static int info_cb_failed = 0;
5590 static int info_cb_offset = 0;
5591 static int info_cb_this_state = -1;
5592
5593 static struct info_cb_states_st {
5594 int where;
5595 const char *statestr;
5596 } info_cb_states[][60] = {
5597 {
5598 /* TLSv1.2 server followed by resumption */
5599 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5600 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5601 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5602 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5603 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5604 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5605 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5606 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5607 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5608 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5609 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5610 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5611 {SSL_CB_EXIT, NULL}, {0, NULL},
5612 }, {
5613 /* TLSv1.2 client followed by resumption */
5614 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5615 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5616 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5617 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5618 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5619 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5621 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5622 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5623 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5624 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5625 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5626 }, {
5627 /* TLSv1.3 server followed by resumption */
5628 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5629 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5630 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5631 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5632 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5634 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5636 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5637 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5638 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5639 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5640 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5641 }, {
5642 /* TLSv1.3 client followed by resumption */
5643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5644 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5645 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5646 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5647 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5648 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5649 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5650 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5651 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5652 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5653 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5654 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5655 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5656 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5657 {SSL_CB_EXIT, NULL}, {0, NULL},
5658 }, {
5659 /* TLSv1.3 server, early_data */
5660 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5661 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5662 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5664 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5665 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5667 {SSL_CB_EXIT, NULL}, {0, NULL},
5668 }, {
5669 /* TLSv1.3 client, early_data */
5670 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5672 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5673 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5674 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5675 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5676 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5677 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5678 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5679 }, {
5680 {0, NULL},
5681 }
5682 };
5683
5684 static void sslapi_info_callback(const SSL *s, int where, int ret)
5685 {
5686 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5687
5688 /* We do not ever expect a connection to fail in this test */
5689 if (!TEST_false(ret == 0)) {
5690 info_cb_failed = 1;
5691 return;
5692 }
5693
5694 /*
5695 * Do some sanity checks. We never expect these things to happen in this
5696 * test
5697 */
5698 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5699 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5700 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5701 info_cb_failed = 1;
5702 return;
5703 }
5704
5705 /* Now check we're in the right state */
5706 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5707 info_cb_failed = 1;
5708 return;
5709 }
5710 if ((where & SSL_CB_LOOP) != 0
5711 && !TEST_int_eq(strcmp(SSL_state_string(s),
5712 state[info_cb_this_state].statestr), 0)) {
5713 info_cb_failed = 1;
5714 return;
5715 }
5716
5717 /*
5718 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5719 */
5720 if ((where & SSL_CB_HANDSHAKE_DONE)
5721 && SSL_in_init((SSL *)s) != 0) {
5722 info_cb_failed = 1;
5723 return;
5724 }
5725 }
5726
5727 /*
5728 * Test the info callback gets called when we expect it to.
5729 *
5730 * Test 0: TLSv1.2, server
5731 * Test 1: TLSv1.2, client
5732 * Test 2: TLSv1.3, server
5733 * Test 3: TLSv1.3, client
5734 * Test 4: TLSv1.3, server, early_data
5735 * Test 5: TLSv1.3, client, early_data
5736 */
5737 static int test_info_callback(int tst)
5738 {
5739 SSL_CTX *cctx = NULL, *sctx = NULL;
5740 SSL *clientssl = NULL, *serverssl = NULL;
5741 SSL_SESSION *clntsess = NULL;
5742 int testresult = 0;
5743 int tlsvers;
5744
5745 if (tst < 2) {
5746 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5747 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5748 || !defined(OPENSSL_NO_DH))
5749 tlsvers = TLS1_2_VERSION;
5750 #else
5751 return 1;
5752 #endif
5753 } else {
5754 #ifndef OPENSSL_NO_TLS1_3
5755 tlsvers = TLS1_3_VERSION;
5756 #else
5757 return 1;
5758 #endif
5759 }
5760
5761 /* Reset globals */
5762 info_cb_failed = 0;
5763 info_cb_this_state = -1;
5764 info_cb_offset = tst;
5765
5766 #ifndef OPENSSL_NO_TLS1_3
5767 if (tst >= 4) {
5768 SSL_SESSION *sess = NULL;
5769 size_t written, readbytes;
5770 unsigned char buf[80];
5771
5772 /* early_data tests */
5773 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5774 &serverssl, &sess, 0)))
5775 goto end;
5776
5777 /* We don't actually need this reference */
5778 SSL_SESSION_free(sess);
5779
5780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5781 sslapi_info_callback);
5782
5783 /* Write and read some early data and then complete the connection */
5784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5785 &written))
5786 || !TEST_size_t_eq(written, strlen(MSG1))
5787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5788 sizeof(buf), &readbytes),
5789 SSL_READ_EARLY_DATA_SUCCESS)
5790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5792 SSL_EARLY_DATA_ACCEPTED)
5793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5794 SSL_ERROR_NONE))
5795 || !TEST_false(info_cb_failed))
5796 goto end;
5797
5798 testresult = 1;
5799 goto end;
5800 }
5801 #endif
5802
5803 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5804 TLS_client_method(),
5805 tlsvers, tlsvers, &sctx, &cctx, cert,
5806 privkey)))
5807 goto end;
5808
5809 /*
5810 * For even numbered tests we check the server callbacks. For odd numbers we
5811 * check the client.
5812 */
5813 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5814 sslapi_info_callback);
5815
5816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5817 &clientssl, NULL, NULL))
5818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5819 SSL_ERROR_NONE))
5820 || !TEST_false(info_cb_failed))
5821 goto end;
5822
5823
5824
5825 clntsess = SSL_get1_session(clientssl);
5826 SSL_shutdown(clientssl);
5827 SSL_shutdown(serverssl);
5828 SSL_free(serverssl);
5829 SSL_free(clientssl);
5830 serverssl = clientssl = NULL;
5831
5832 /* Now do a resumption */
5833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5834 NULL))
5835 || !TEST_true(SSL_set_session(clientssl, clntsess))
5836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5837 SSL_ERROR_NONE))
5838 || !TEST_true(SSL_session_reused(clientssl))
5839 || !TEST_false(info_cb_failed))
5840 goto end;
5841
5842 testresult = 1;
5843
5844 end:
5845 SSL_free(serverssl);
5846 SSL_free(clientssl);
5847 SSL_SESSION_free(clntsess);
5848 SSL_CTX_free(sctx);
5849 SSL_CTX_free(cctx);
5850 return testresult;
5851 }
5852
5853 static int test_ssl_pending(int tst)
5854 {
5855 SSL_CTX *cctx = NULL, *sctx = NULL;
5856 SSL *clientssl = NULL, *serverssl = NULL;
5857 int testresult = 0;
5858 char msg[] = "A test message";
5859 char buf[5];
5860 size_t written, readbytes;
5861
5862 if (tst == 0) {
5863 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5864 TLS_client_method(),
5865 TLS1_VERSION, 0,
5866 &sctx, &cctx, cert, privkey)))
5867 goto end;
5868 } else {
5869 #ifndef OPENSSL_NO_DTLS
5870 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5871 DTLS_client_method(),
5872 DTLS1_VERSION, 0,
5873 &sctx, &cctx, cert, privkey)))
5874 goto end;
5875 #else
5876 return 1;
5877 #endif
5878 }
5879
5880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5881 NULL, NULL))
5882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5883 SSL_ERROR_NONE)))
5884 goto end;
5885
5886 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5887 || !TEST_false(SSL_has_pending(clientssl))
5888 || !TEST_int_eq(SSL_pending(serverssl), 0)
5889 || !TEST_false(SSL_has_pending(serverssl))
5890 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5891 || !TEST_size_t_eq(written, sizeof(msg))
5892 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5893 || !TEST_size_t_eq(readbytes, sizeof(buf))
5894 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5895 || !TEST_true(SSL_has_pending(clientssl)))
5896 goto end;
5897
5898 testresult = 1;
5899
5900 end:
5901 SSL_free(serverssl);
5902 SSL_free(clientssl);
5903 SSL_CTX_free(sctx);
5904 SSL_CTX_free(cctx);
5905
5906 return testresult;
5907 }
5908
5909 static struct {
5910 unsigned int maxprot;
5911 const char *clntciphers;
5912 const char *clnttls13ciphers;
5913 const char *srvrciphers;
5914 const char *srvrtls13ciphers;
5915 const char *shared;
5916 } shared_ciphers_data[] = {
5917 /*
5918 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5919 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5920 */
5921 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5922 {
5923 TLS1_2_VERSION,
5924 "AES128-SHA:AES256-SHA",
5925 NULL,
5926 "AES256-SHA:DHE-RSA-AES128-SHA",
5927 NULL,
5928 "AES256-SHA"
5929 },
5930 {
5931 TLS1_2_VERSION,
5932 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5933 NULL,
5934 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5935 NULL,
5936 "AES128-SHA:AES256-SHA"
5937 },
5938 {
5939 TLS1_2_VERSION,
5940 "AES128-SHA:AES256-SHA",
5941 NULL,
5942 "AES128-SHA:DHE-RSA-AES128-SHA",
5943 NULL,
5944 "AES128-SHA"
5945 },
5946 #endif
5947 /*
5948 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5949 * enabled.
5950 */
5951 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5952 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5953 {
5954 TLS1_3_VERSION,
5955 "AES128-SHA:AES256-SHA",
5956 NULL,
5957 "AES256-SHA:AES128-SHA256",
5958 NULL,
5959 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5960 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5961 },
5962 #endif
5963 #ifndef OPENSSL_NO_TLS1_3
5964 {
5965 TLS1_3_VERSION,
5966 "AES128-SHA",
5967 "TLS_AES_256_GCM_SHA384",
5968 "AES256-SHA",
5969 "TLS_AES_256_GCM_SHA384",
5970 "TLS_AES_256_GCM_SHA384"
5971 },
5972 #endif
5973 };
5974
5975 static int test_ssl_get_shared_ciphers(int tst)
5976 {
5977 SSL_CTX *cctx = NULL, *sctx = NULL;
5978 SSL *clientssl = NULL, *serverssl = NULL;
5979 int testresult = 0;
5980 char buf[1024];
5981
5982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5983 TLS_client_method(),
5984 TLS1_VERSION,
5985 shared_ciphers_data[tst].maxprot,
5986 &sctx, &cctx, cert, privkey)))
5987 goto end;
5988
5989 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5990 shared_ciphers_data[tst].clntciphers))
5991 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5992 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5993 shared_ciphers_data[tst].clnttls13ciphers)))
5994 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5995 shared_ciphers_data[tst].srvrciphers))
5996 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5997 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5998 shared_ciphers_data[tst].srvrtls13ciphers))))
5999 goto end;
6000
6001
6002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6003 NULL, NULL))
6004 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6005 SSL_ERROR_NONE)))
6006 goto end;
6007
6008 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6009 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6010 TEST_info("Shared ciphers are: %s\n", buf);
6011 goto end;
6012 }
6013
6014 testresult = 1;
6015
6016 end:
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6019 SSL_CTX_free(sctx);
6020 SSL_CTX_free(cctx);
6021
6022 return testresult;
6023 }
6024
6025 static const char *appdata = "Hello World";
6026 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6027 static int tick_key_renew = 0;
6028 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6029
6030 static int gen_tick_cb(SSL *s, void *arg)
6031 {
6032 gen_tick_called = 1;
6033
6034 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6035 strlen(appdata));
6036 }
6037
6038 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6039 const unsigned char *keyname,
6040 size_t keyname_length,
6041 SSL_TICKET_STATUS status,
6042 void *arg)
6043 {
6044 void *tickdata;
6045 size_t tickdlen;
6046
6047 dec_tick_called = 1;
6048
6049 if (status == SSL_TICKET_EMPTY)
6050 return SSL_TICKET_RETURN_IGNORE_RENEW;
6051
6052 if (!TEST_true(status == SSL_TICKET_SUCCESS
6053 || status == SSL_TICKET_SUCCESS_RENEW))
6054 return SSL_TICKET_RETURN_ABORT;
6055
6056 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6057 &tickdlen))
6058 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6059 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6060 return SSL_TICKET_RETURN_ABORT;
6061
6062 if (tick_key_cb_called) {
6063 /* Don't change what the ticket key callback wanted to do */
6064 switch (status) {
6065 case SSL_TICKET_NO_DECRYPT:
6066 return SSL_TICKET_RETURN_IGNORE_RENEW;
6067
6068 case SSL_TICKET_SUCCESS:
6069 return SSL_TICKET_RETURN_USE;
6070
6071 case SSL_TICKET_SUCCESS_RENEW:
6072 return SSL_TICKET_RETURN_USE_RENEW;
6073
6074 default:
6075 return SSL_TICKET_RETURN_ABORT;
6076 }
6077 }
6078 return tick_dec_ret;
6079
6080 }
6081
6082 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6083 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6084 HMAC_CTX *hctx, int enc)
6085 {
6086 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6087 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6088
6089 tick_key_cb_called = 1;
6090 memset(iv, 0, AES_BLOCK_SIZE);
6091 memset(key_name, 0, 16);
6092 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6093 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6094 EVP_sha256(), NULL))
6095 return -1;
6096
6097 return tick_key_renew ? 2 : 1;
6098 }
6099
6100 /*
6101 * Test the various ticket callbacks
6102 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6103 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6104 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6105 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6106 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6107 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6108 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6109 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6110 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
6111 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
6112 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
6113 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
6114 */
6115 static int test_ticket_callbacks(int tst)
6116 {
6117 SSL_CTX *cctx = NULL, *sctx = NULL;
6118 SSL *clientssl = NULL, *serverssl = NULL;
6119 SSL_SESSION *clntsess = NULL;
6120 int testresult = 0;
6121
6122 #ifdef OPENSSL_NO_TLS1_2
6123 if (tst % 2 == 0)
6124 return 1;
6125 #endif
6126 #ifdef OPENSSL_NO_TLS1_3
6127 if (tst % 2 == 1)
6128 return 1;
6129 #endif
6130
6131 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6132
6133 /* Which tests the ticket key callback should request renewal for */
6134 if (tst == 10 || tst == 11)
6135 tick_key_renew = 1;
6136 else
6137 tick_key_renew = 0;
6138
6139 /* Which tests the decrypt ticket callback should request renewal for */
6140 switch (tst) {
6141 case 0:
6142 case 1:
6143 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6144 break;
6145
6146 case 2:
6147 case 3:
6148 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6149 break;
6150
6151 case 4:
6152 case 5:
6153 tick_dec_ret = SSL_TICKET_RETURN_USE;
6154 break;
6155
6156 case 6:
6157 case 7:
6158 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6159 break;
6160
6161 default:
6162 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6163 }
6164
6165 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6166 TLS_client_method(),
6167 TLS1_VERSION,
6168 ((tst % 2) == 0) ? TLS1_2_VERSION
6169 : TLS1_3_VERSION,
6170 &sctx, &cctx, cert, privkey)))
6171 goto end;
6172
6173 /*
6174 * We only want sessions to resume from tickets - not the session cache. So
6175 * switch the cache off.
6176 */
6177 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6178 goto end;
6179
6180 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6181 NULL)))
6182 goto end;
6183
6184 if (tst >= 8
6185 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6186 goto end;
6187
6188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6189 NULL, NULL))
6190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6191 SSL_ERROR_NONE)))
6192 goto end;
6193
6194 /*
6195 * The decrypt ticket key callback in TLSv1.2 should be called even though
6196 * we have no ticket yet, because it gets called with a status of
6197 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6198 * actually send any ticket data). This does not happen in TLSv1.3 because
6199 * it is not valid to send empty ticket data in TLSv1.3.
6200 */
6201 if (!TEST_int_eq(gen_tick_called, 1)
6202 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6203 goto end;
6204
6205 gen_tick_called = dec_tick_called = 0;
6206
6207 clntsess = SSL_get1_session(clientssl);
6208 SSL_shutdown(clientssl);
6209 SSL_shutdown(serverssl);
6210 SSL_free(serverssl);
6211 SSL_free(clientssl);
6212 serverssl = clientssl = NULL;
6213
6214 /* Now do a resumption */
6215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6216 NULL))
6217 || !TEST_true(SSL_set_session(clientssl, clntsess))
6218 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6219 SSL_ERROR_NONE)))
6220 goto end;
6221
6222 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6223 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6224 if (!TEST_false(SSL_session_reused(clientssl)))
6225 goto end;
6226 } else {
6227 if (!TEST_true(SSL_session_reused(clientssl)))
6228 goto end;
6229 }
6230
6231 if (!TEST_int_eq(gen_tick_called,
6232 (tick_key_renew
6233 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6234 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6235 ? 1 : 0)
6236 || !TEST_int_eq(dec_tick_called, 1))
6237 goto end;
6238
6239 testresult = 1;
6240
6241 end:
6242 SSL_SESSION_free(clntsess);
6243 SSL_free(serverssl);
6244 SSL_free(clientssl);
6245 SSL_CTX_free(sctx);
6246 SSL_CTX_free(cctx);
6247
6248 return testresult;
6249 }
6250
6251 /*
6252 * Test bi-directional shutdown.
6253 * Test 0: TLSv1.2
6254 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6255 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6256 * Test 3: TLSv1.3, pending NewSessionTicket messages
6257 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6258 * sends key update, client reads it
6259 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6260 * sends CertificateRequest, client reads and ignores it
6261 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6262 * doesn't read it
6263 */
6264 static int test_shutdown(int tst)
6265 {
6266 SSL_CTX *cctx = NULL, *sctx = NULL;
6267 SSL *clientssl = NULL, *serverssl = NULL;
6268 int testresult = 0;
6269 char msg[] = "A test message";
6270 char buf[80];
6271 size_t written, readbytes;
6272 SSL_SESSION *sess;
6273
6274 #ifdef OPENSSL_NO_TLS1_2
6275 if (tst <= 1)
6276 return 1;
6277 #endif
6278 #ifdef OPENSSL_NO_TLS1_3
6279 if (tst >= 2)
6280 return 1;
6281 #endif
6282
6283 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6284 TLS_client_method(),
6285 TLS1_VERSION,
6286 (tst <= 1) ? TLS1_2_VERSION
6287 : TLS1_3_VERSION,
6288 &sctx, &cctx, cert, privkey)))
6289 goto end;
6290
6291 if (tst == 5)
6292 SSL_CTX_set_post_handshake_auth(cctx, 1);
6293
6294 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6295 NULL, NULL)))
6296 goto end;
6297
6298 if (tst == 3) {
6299 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6300 SSL_ERROR_NONE, 1))
6301 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6302 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6303 goto end;
6304 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6305 SSL_ERROR_NONE))
6306 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6307 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6308 goto end;
6309 }
6310
6311 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6312 goto end;
6313
6314 if (tst >= 4) {
6315 /*
6316 * Reading on the server after the client has sent close_notify should
6317 * fail and provide SSL_ERROR_ZERO_RETURN
6318 */
6319 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6320 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6321 SSL_ERROR_ZERO_RETURN)
6322 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6323 SSL_RECEIVED_SHUTDOWN)
6324 /*
6325 * Even though we're shutdown on receive we should still be
6326 * able to write.
6327 */
6328 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6329 goto end;
6330 if (tst == 4
6331 && !TEST_true(SSL_key_update(serverssl,
6332 SSL_KEY_UPDATE_REQUESTED)))
6333 goto end;
6334 if (tst == 5) {
6335 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6336 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6337 goto end;
6338 }
6339 if ((tst == 4 || tst == 5)
6340 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6341 goto end;
6342 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6343 goto end;
6344 if (tst == 4 || tst == 5) {
6345 /* Should still be able to read data from server */
6346 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6347 &readbytes))
6348 || !TEST_size_t_eq(readbytes, sizeof(msg))
6349 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6351 &readbytes))
6352 || !TEST_size_t_eq(readbytes, sizeof(msg))
6353 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6354 goto end;
6355 }
6356 }
6357
6358 /* Writing on the client after sending close_notify shouldn't be possible */
6359 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6360 goto end;
6361
6362 if (tst < 4) {
6363 /*
6364 * For these tests the client has sent close_notify but it has not yet
6365 * been received by the server. The server has not sent close_notify
6366 * yet.
6367 */
6368 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6369 /*
6370 * Writing on the server after sending close_notify shouldn't
6371 * be possible.
6372 */
6373 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6374 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6375 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6376 || !TEST_true(SSL_SESSION_is_resumable(sess))
6377 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6378 goto end;
6379 } else if (tst == 4 || tst == 5) {
6380 /*
6381 * In this test the client has sent close_notify and it has been
6382 * received by the server which has responded with a close_notify. The
6383 * client needs to read the close_notify sent by the server.
6384 */
6385 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6386 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6387 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6388 goto end;
6389 } else {
6390 /*
6391 * tst == 6
6392 *
6393 * The client has sent close_notify and is expecting a close_notify
6394 * back, but instead there is application data first. The shutdown
6395 * should fail with a fatal error.
6396 */
6397 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6398 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6399 goto end;
6400 }
6401
6402 testresult = 1;
6403
6404 end:
6405 SSL_free(serverssl);
6406 SSL_free(clientssl);
6407 SSL_CTX_free(sctx);
6408 SSL_CTX_free(cctx);
6409
6410 return testresult;
6411 }
6412
6413 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6414 static int cert_cb_cnt;
6415
6416 static int cert_cb(SSL *s, void *arg)
6417 {
6418 SSL_CTX *ctx = (SSL_CTX *)arg;
6419 BIO *in = NULL;
6420 EVP_PKEY *pkey = NULL;
6421 X509 *x509 = NULL, *rootx = NULL;
6422 STACK_OF(X509) *chain = NULL;
6423 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6424 int ret = 0;
6425
6426 if (cert_cb_cnt == 0) {
6427 /* Suspend the handshake */
6428 cert_cb_cnt++;
6429 return -1;
6430 } else if (cert_cb_cnt == 1) {
6431 /*
6432 * Update the SSL_CTX, set the certificate and private key and then
6433 * continue the handshake normally.
6434 */
6435 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6436 return 0;
6437
6438 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6439 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6440 SSL_FILETYPE_PEM))
6441 || !TEST_true(SSL_check_private_key(s)))
6442 return 0;
6443 cert_cb_cnt++;
6444 return 1;
6445 } else if (cert_cb_cnt == 3) {
6446 int rv;
6447
6448 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6449 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6450 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6451 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6452 goto out;
6453 chain = sk_X509_new_null();
6454 if (!TEST_ptr(chain))
6455 goto out;
6456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6457 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6458 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6459 || !TEST_true(sk_X509_push(chain, rootx)))
6460 goto out;
6461 rootx = NULL;
6462 BIO_free(in);
6463 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6464 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6465 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6466 goto out;
6467 BIO_free(in);
6468 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6469 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6470 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6471 goto out;
6472 rv = SSL_check_chain(s, x509, pkey, chain);
6473 /*
6474 * If the cert doesn't show as valid here (e.g., because we don't
6475 * have any shared sigalgs), then we will not set it, and there will
6476 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6477 * will cause tls_choose_sigalgs() to fail the connection.
6478 */
6479 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6480 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6481 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6482 goto out;
6483 }
6484
6485 ret = 1;
6486 }
6487
6488 /* Abort the handshake */
6489 out:
6490 OPENSSL_free(ecdsacert);
6491 OPENSSL_free(ecdsakey);
6492 OPENSSL_free(rootfile);
6493 BIO_free(in);
6494 EVP_PKEY_free(pkey);
6495 X509_free(x509);
6496 X509_free(rootx);
6497 sk_X509_pop_free(chain, X509_free);
6498 return ret;
6499 }
6500
6501 /*
6502 * Test the certificate callback.
6503 * Test 0: Callback fails
6504 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6505 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6506 * Test 3: Success - Call SSL_check_chain from the callback
6507 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6508 * chain
6509 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6510 */
6511 static int test_cert_cb_int(int prot, int tst)
6512 {
6513 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6514 SSL *clientssl = NULL, *serverssl = NULL;
6515 int testresult = 0, ret;
6516
6517 #ifdef OPENSSL_NO_EC
6518 /* We use an EC cert in these tests, so we skip in a no-ec build */
6519 if (tst >= 3)
6520 return 1;
6521 #endif
6522
6523 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6524 TLS_client_method(),
6525 TLS1_VERSION,
6526 prot,
6527 &sctx, &cctx, NULL, NULL)))
6528 goto end;
6529
6530 if (tst == 0)
6531 cert_cb_cnt = -1;
6532 else if (tst >= 3)
6533 cert_cb_cnt = 3;
6534 else
6535 cert_cb_cnt = 0;
6536
6537 if (tst == 2)
6538 snictx = SSL_CTX_new(TLS_server_method());
6539 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6540
6541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6542 NULL, NULL)))
6543 goto end;
6544
6545 if (tst == 4) {
6546 /*
6547 * We cause SSL_check_chain() to fail by specifying sig_algs that
6548 * the chain doesn't meet (the root uses an RSA cert)
6549 */
6550 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6551 "ecdsa_secp256r1_sha256")))
6552 goto end;
6553 } else if (tst == 5) {
6554 /*
6555 * We cause SSL_check_chain() to fail by specifying sig_algs that
6556 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6557 */
6558 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6559 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6560 goto end;
6561 }
6562
6563 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6564 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6565 || (tst > 0
6566 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6567 goto end;
6568 }
6569
6570 testresult = 1;
6571
6572 end:
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6575 SSL_CTX_free(sctx);
6576 SSL_CTX_free(cctx);
6577 SSL_CTX_free(snictx);
6578
6579 return testresult;
6580 }
6581 #endif
6582
6583 static int test_cert_cb(int tst)
6584 {
6585 int testresult = 1;
6586
6587 #ifndef OPENSSL_NO_TLS1_2
6588 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6589 #endif
6590 #ifndef OPENSSL_NO_TLS1_3
6591 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6592 #endif
6593
6594 return testresult;
6595 }
6596
6597 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6598 {
6599 X509 *xcert, *peer;
6600 EVP_PKEY *privpkey;
6601 BIO *in = NULL;
6602
6603 /* Check that SSL_get_peer_certificate() returns something sensible */
6604 peer = SSL_get_peer_certificate(ssl);
6605 if (!TEST_ptr(peer))
6606 return 0;
6607 X509_free(peer);
6608
6609 in = BIO_new_file(cert, "r");
6610 if (!TEST_ptr(in))
6611 return 0;
6612
6613 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6614 BIO_free(in);
6615 if (!TEST_ptr(xcert))
6616 return 0;
6617
6618 in = BIO_new_file(privkey, "r");
6619 if (!TEST_ptr(in)) {
6620 X509_free(xcert);
6621 return 0;
6622 }
6623
6624 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6625 BIO_free(in);
6626 if (!TEST_ptr(privpkey)) {
6627 X509_free(xcert);
6628 return 0;
6629 }
6630
6631 *x509 = xcert;
6632 *pkey = privpkey;
6633
6634 return 1;
6635 }
6636
6637 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6638 {
6639 return 1;
6640 }
6641
6642 static int test_client_cert_cb(int tst)
6643 {
6644 SSL_CTX *cctx = NULL, *sctx = NULL;
6645 SSL *clientssl = NULL, *serverssl = NULL;
6646 int testresult = 0;
6647
6648 #ifdef OPENSSL_NO_TLS1_2
6649 if (tst == 0)
6650 return 1;
6651 #endif
6652 #ifdef OPENSSL_NO_TLS1_3
6653 if (tst == 1)
6654 return 1;
6655 #endif
6656
6657 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6658 TLS_client_method(),
6659 TLS1_VERSION,
6660 tst == 0 ? TLS1_2_VERSION
6661 : TLS1_3_VERSION,
6662 &sctx, &cctx, cert, privkey)))
6663 goto end;
6664
6665 /*
6666 * Test that setting a client_cert_cb results in a client certificate being
6667 * sent.
6668 */
6669 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6670 SSL_CTX_set_verify(sctx,
6671 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6672 verify_cb);
6673
6674 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6675 NULL, NULL))
6676 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6677 SSL_ERROR_NONE)))
6678 goto end;
6679
6680 testresult = 1;
6681
6682 end:
6683 SSL_free(serverssl);
6684 SSL_free(clientssl);
6685 SSL_CTX_free(sctx);
6686 SSL_CTX_free(cctx);
6687
6688 return testresult;
6689 }
6690
6691 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6692 /*
6693 * Test setting certificate authorities on both client and server.
6694 *
6695 * Test 0: SSL_CTX_set0_CA_list() only
6696 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6697 * Test 2: Only SSL_CTX_set_client_CA_list()
6698 */
6699 static int test_ca_names_int(int prot, int tst)
6700 {
6701 SSL_CTX *cctx = NULL, *sctx = NULL;
6702 SSL *clientssl = NULL, *serverssl = NULL;
6703 int testresult = 0;
6704 size_t i;
6705 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6706 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6707 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6708 const STACK_OF(X509_NAME) *sktmp = NULL;
6709
6710 for (i = 0; i < OSSL_NELEM(name); i++) {
6711 name[i] = X509_NAME_new();
6712 if (!TEST_ptr(name[i])
6713 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6714 MBSTRING_ASC,
6715 (unsigned char *)
6716 strnames[i],
6717 -1, -1, 0)))
6718 goto end;
6719 }
6720
6721 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6722 TLS_client_method(),
6723 TLS1_VERSION,
6724 prot,
6725 &sctx, &cctx, cert, privkey)))
6726 goto end;
6727
6728 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6729
6730 if (tst == 0 || tst == 1) {
6731 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6732 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6733 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6734 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6735 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6736 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6737 goto end;
6738
6739 SSL_CTX_set0_CA_list(sctx, sk1);
6740 SSL_CTX_set0_CA_list(cctx, sk2);
6741 sk1 = sk2 = NULL;
6742 }
6743 if (tst == 1 || tst == 2) {
6744 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6745 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6746 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6747 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6748 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6749 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6750 goto end;
6751
6752 SSL_CTX_set_client_CA_list(sctx, sk1);
6753 SSL_CTX_set_client_CA_list(cctx, sk2);
6754 sk1 = sk2 = NULL;
6755 }
6756
6757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6758 NULL, NULL))
6759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6760 SSL_ERROR_NONE)))
6761 goto end;
6762
6763 /*
6764 * We only expect certificate authorities to have been sent to the server
6765 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6766 */
6767 sktmp = SSL_get0_peer_CA_list(serverssl);
6768 if (prot == TLS1_3_VERSION
6769 && (tst == 0 || tst == 1)) {
6770 if (!TEST_ptr(sktmp)
6771 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6772 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6773 name[0]), 0)
6774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6775 name[1]), 0))
6776 goto end;
6777 } else if (!TEST_ptr_null(sktmp)) {
6778 goto end;
6779 }
6780
6781 /*
6782 * In all tests we expect certificate authorities to have been sent to the
6783 * client. However, SSL_set_client_CA_list() should override
6784 * SSL_set0_CA_list()
6785 */
6786 sktmp = SSL_get0_peer_CA_list(clientssl);
6787 if (!TEST_ptr(sktmp)
6788 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6789 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6790 name[tst == 0 ? 0 : 2]), 0)
6791 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6792 name[tst == 0 ? 1 : 3]), 0))
6793 goto end;
6794
6795 testresult = 1;
6796
6797 end:
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6800 SSL_CTX_free(sctx);
6801 SSL_CTX_free(cctx);
6802 for (i = 0; i < OSSL_NELEM(name); i++)
6803 X509_NAME_free(name[i]);
6804 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6805 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6806
6807 return testresult;
6808 }
6809 #endif
6810
6811 static int test_ca_names(int tst)
6812 {
6813 int testresult = 1;
6814
6815 #ifndef OPENSSL_NO_TLS1_2
6816 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6817 #endif
6818 #ifndef OPENSSL_NO_TLS1_3
6819 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6820 #endif
6821
6822 return testresult;
6823 }
6824
6825
6826 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6827
6828 int setup_tests(void)
6829 {
6830 if (!TEST_ptr(certsdir = test_get_argument(0))
6831 || !TEST_ptr(srpvfile = test_get_argument(1))
6832 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6833 return 0;
6834
6835 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6836 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6837 TEST_error("not supported in this build");
6838 return 0;
6839 #else
6840 int i, mcount, rcount, fcount;
6841
6842 for (i = 0; i < 4; i++)
6843 test_export_key_mat(i);
6844 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6845 test_printf_stdout("malloc %d realloc %d free %d\n",
6846 mcount, rcount, fcount);
6847 return 1;
6848 #endif
6849 }
6850
6851 cert = test_mk_file_path(certsdir, "servercert.pem");
6852 if (cert == NULL)
6853 return 0;
6854
6855 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6856 if (privkey == NULL) {
6857 OPENSSL_free(cert);
6858 return 0;
6859 }
6860
6861 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6862 && !defined(OPENSSL_NO_SOCK)
6863 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6864 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6865 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6866 ADD_TEST(test_ktls_client_no_txrx_server);
6867 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6868 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6869 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6870 ADD_TEST(test_ktls_client_no_rx_server);
6871 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6872 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6873 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6874 ADD_TEST(test_ktls_client_no_tx_server);
6875 ADD_TEST(test_ktls_no_txrx_client_server);
6876 ADD_TEST(test_ktls_no_rx_client_server);
6877 ADD_TEST(test_ktls_no_tx_client_server);
6878 ADD_TEST(test_ktls_client_server);
6879 ADD_TEST(test_ktls_sendfile);
6880 #endif
6881 ADD_TEST(test_large_message_tls);
6882 ADD_TEST(test_large_message_tls_read_ahead);
6883 #ifndef OPENSSL_NO_DTLS
6884 ADD_TEST(test_large_message_dtls);
6885 #endif
6886 #ifndef OPENSSL_NO_OCSP
6887 ADD_TEST(test_tlsext_status_type);
6888 #endif
6889 ADD_TEST(test_session_with_only_int_cache);
6890 ADD_TEST(test_session_with_only_ext_cache);
6891 ADD_TEST(test_session_with_both_cache);
6892 #ifndef OPENSSL_NO_TLS1_3
6893 ADD_ALL_TESTS(test_stateful_tickets, 3);
6894 ADD_ALL_TESTS(test_stateless_tickets, 3);
6895 ADD_TEST(test_psk_tickets);
6896 #endif
6897 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6898 ADD_TEST(test_ssl_bio_pop_next_bio);
6899 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6900 ADD_TEST(test_ssl_bio_change_rbio);
6901 ADD_TEST(test_ssl_bio_change_wbio);
6902 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6903 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6904 ADD_TEST(test_keylog);
6905 #endif
6906 #ifndef OPENSSL_NO_TLS1_3
6907 ADD_TEST(test_keylog_no_master_key);
6908 #endif
6909 #ifndef OPENSSL_NO_TLS1_2
6910 ADD_TEST(test_client_hello_cb);
6911 ADD_TEST(test_no_ems);
6912 #endif
6913 #ifndef OPENSSL_NO_TLS1_3
6914 ADD_ALL_TESTS(test_early_data_read_write, 3);
6915 /*
6916 * We don't do replay tests for external PSK. Replay protection isn't used
6917 * in that scenario.
6918 */
6919 ADD_ALL_TESTS(test_early_data_replay, 2);
6920 ADD_ALL_TESTS(test_early_data_skip, 3);
6921 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6922 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6923 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6924 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6925 ADD_ALL_TESTS(test_early_data_psk, 8);
6926 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6927 # ifndef OPENSSL_NO_TLS1_2
6928 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6929 # endif
6930 #endif
6931 #ifndef OPENSSL_NO_TLS1_3
6932 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6933 ADD_TEST(test_ciphersuite_change);
6934 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6935 # ifdef OPENSSL_NO_PSK
6936 ADD_ALL_TESTS(test_tls13_psk, 1);
6937 # else
6938 ADD_ALL_TESTS(test_tls13_psk, 4);
6939 # endif /* OPENSSL_NO_PSK */
6940 # ifndef OPENSSL_NO_TLS1_2
6941 /* Test with both TLSv1.3 and 1.2 versions */
6942 ADD_ALL_TESTS(test_key_exchange, 14);
6943 # else
6944 /* Test with only TLSv1.3 versions */
6945 ADD_ALL_TESTS(test_key_exchange, 12);
6946 # endif
6947 ADD_ALL_TESTS(test_custom_exts, 5);
6948 ADD_TEST(test_stateless);
6949 ADD_TEST(test_pha_key_update);
6950 #else
6951 ADD_ALL_TESTS(test_custom_exts, 3);
6952 #endif
6953 ADD_ALL_TESTS(test_serverinfo, 8);
6954 ADD_ALL_TESTS(test_export_key_mat, 6);
6955 #ifndef OPENSSL_NO_TLS1_3
6956 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6957 ADD_TEST(test_key_update);
6958 ADD_ALL_TESTS(test_key_update_in_write, 2);
6959 #endif
6960 ADD_ALL_TESTS(test_ssl_clear, 2);
6961 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6962 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6963 ADD_ALL_TESTS(test_srp, 6);
6964 #endif
6965 ADD_ALL_TESTS(test_info_callback, 6);
6966 ADD_ALL_TESTS(test_ssl_pending, 2);
6967 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6968 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6969 ADD_ALL_TESTS(test_shutdown, 7);
6970 ADD_ALL_TESTS(test_cert_cb, 6);
6971 ADD_ALL_TESTS(test_client_cert_cb, 2);
6972 ADD_ALL_TESTS(test_ca_names, 3);
6973 return 1;
6974 }
6975
6976 void cleanup_tests(void)
6977 {
6978 OPENSSL_free(cert);
6979 OPENSSL_free(privkey);
6980 bio_s_mempacket_test_free();
6981 bio_s_always_retry_free();
6982 }
A mirror of the official openssl repository