]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add test that changes ciphers on CCS
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31
32 #include "ssltestlib.h"
33 #include "testutil.h"
34 #include "testutil/output.h"
35 #include "internal/nelem.h"
36 #include "internal/ktls.h"
37 #include "../ssl/ssl_local.h"
38
39 #ifndef OPENSSL_NO_TLS1_3
40
41 static SSL_SESSION *clientpsk = NULL;
42 static SSL_SESSION *serverpsk = NULL;
43 static const char *pskid = "Identity";
44 static const char *srvid;
45
46 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
47 size_t *idlen, SSL_SESSION **sess);
48 static int find_session_cb(SSL *ssl, const unsigned char *identity,
49 size_t identity_len, SSL_SESSION **sess);
50
51 static int use_session_cb_cnt = 0;
52 static int find_session_cb_cnt = 0;
53
54 static SSL_SESSION *create_a_psk(SSL *ssl);
55 #endif
56
57 static char *certsdir = NULL;
58 static char *cert = NULL;
59 static char *privkey = NULL;
60 static char *srpvfile = NULL;
61 static char *tmpfilename = NULL;
62
63 #define LOG_BUFFER_SIZE 2048
64 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
65 static size_t server_log_buffer_index = 0;
66 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
67 static size_t client_log_buffer_index = 0;
68 static int error_writing_log = 0;
69
70 #ifndef OPENSSL_NO_OCSP
71 static const unsigned char orespder[] = "Dummy OCSP Response";
72 static int ocsp_server_called = 0;
73 static int ocsp_client_called = 0;
74
75 static int cdummyarg = 1;
76 static X509 *ocspcert = NULL;
77 #endif
78
79 #define NUM_EXTRA_CERTS 40
80 #define CLIENT_VERSION_LEN 2
81
82 /*
83 * This structure is used to validate that the correct number of log messages
84 * of various types are emitted when emitting secret logs.
85 */
86 struct sslapitest_log_counts {
87 unsigned int rsa_key_exchange_count;
88 unsigned int master_secret_count;
89 unsigned int client_early_secret_count;
90 unsigned int client_handshake_secret_count;
91 unsigned int server_handshake_secret_count;
92 unsigned int client_application_secret_count;
93 unsigned int server_application_secret_count;
94 unsigned int early_exporter_secret_count;
95 unsigned int exporter_secret_count;
96 };
97
98
99 static unsigned char serverinfov1[] = {
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
103 };
104
105 static unsigned char serverinfov2[] = {
106 0x00, 0x00, 0x00,
107 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
108 0xff, 0xff, /* Dummy extension type */
109 0x00, 0x01, /* Extension length is 1 byte */
110 0xff /* Dummy extension data */
111 };
112
113 static int hostname_cb(SSL *s, int *al, void *arg)
114 {
115 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
116
117 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
118 || strcmp(hostname, "altgoodhost") == 0))
119 return SSL_TLSEXT_ERR_OK;
120
121 return SSL_TLSEXT_ERR_NOACK;
122 }
123
124 static void client_keylog_callback(const SSL *ssl, const char *line)
125 {
126 int line_length = strlen(line);
127
128 /* If the log doesn't fit, error out. */
129 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
130 TEST_info("Client log too full");
131 error_writing_log = 1;
132 return;
133 }
134
135 strcat(client_log_buffer, line);
136 client_log_buffer_index += line_length;
137 client_log_buffer[client_log_buffer_index++] = '\n';
138 }
139
140 static void server_keylog_callback(const SSL *ssl, const char *line)
141 {
142 int line_length = strlen(line);
143
144 /* If the log doesn't fit, error out. */
145 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
146 TEST_info("Server log too full");
147 error_writing_log = 1;
148 return;
149 }
150
151 strcat(server_log_buffer, line);
152 server_log_buffer_index += line_length;
153 server_log_buffer[server_log_buffer_index++] = '\n';
154 }
155
156 static int compare_hex_encoded_buffer(const char *hex_encoded,
157 size_t hex_length,
158 const uint8_t *raw,
159 size_t raw_length)
160 {
161 size_t i, j;
162 char hexed[3];
163
164 if (!TEST_size_t_eq(raw_length * 2, hex_length))
165 return 1;
166
167 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
168 sprintf(hexed, "%02x", raw[i]);
169 if (!TEST_int_eq(hexed[0], hex_encoded[j])
170 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
171 return 1;
172 }
173
174 return 0;
175 }
176
177 static int test_keylog_output(char *buffer, const SSL *ssl,
178 const SSL_SESSION *session,
179 struct sslapitest_log_counts *expected)
180 {
181 char *token = NULL;
182 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
183 size_t client_random_size = SSL3_RANDOM_SIZE;
184 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
185 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
186 unsigned int rsa_key_exchange_count = 0;
187 unsigned int master_secret_count = 0;
188 unsigned int client_early_secret_count = 0;
189 unsigned int client_handshake_secret_count = 0;
190 unsigned int server_handshake_secret_count = 0;
191 unsigned int client_application_secret_count = 0;
192 unsigned int server_application_secret_count = 0;
193 unsigned int early_exporter_secret_count = 0;
194 unsigned int exporter_secret_count = 0;
195
196 for (token = strtok(buffer, " \n"); token != NULL;
197 token = strtok(NULL, " \n")) {
198 if (strcmp(token, "RSA") == 0) {
199 /*
200 * Premaster secret. Tokens should be: 16 ASCII bytes of
201 * hex-encoded encrypted secret, then the hex-encoded pre-master
202 * secret.
203 */
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
205 return 0;
206 if (!TEST_size_t_eq(strlen(token), 16))
207 return 0;
208 if (!TEST_ptr(token = strtok(NULL, " \n")))
209 return 0;
210 /*
211 * We can't sensibly check the log because the premaster secret is
212 * transient, and OpenSSL doesn't keep hold of it once the master
213 * secret is generated.
214 */
215 rsa_key_exchange_count++;
216 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
217 /*
218 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
219 * client random, then the hex-encoded master secret.
220 */
221 client_random_size = SSL_get_client_random(ssl,
222 actual_client_random,
223 SSL3_RANDOM_SIZE);
224 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
225 return 0;
226
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 return 0;
229 if (!TEST_size_t_eq(strlen(token), 64))
230 return 0;
231 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
232 actual_client_random,
233 client_random_size)))
234 return 0;
235
236 if (!TEST_ptr(token = strtok(NULL, " \n")))
237 return 0;
238 master_key_size = SSL_SESSION_get_master_key(session,
239 actual_master_key,
240 master_key_size);
241 if (!TEST_size_t_ne(master_key_size, 0))
242 return 0;
243 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
244 actual_master_key,
245 master_key_size)))
246 return 0;
247 master_secret_count++;
248 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
249 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
250 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
251 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
252 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
253 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
254 || strcmp(token, "EXPORTER_SECRET") == 0) {
255 /*
256 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
257 * client random, and then the hex-encoded secret. In this case,
258 * we treat all of these secrets identically and then just
259 * distinguish between them when counting what we saw.
260 */
261 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
262 client_early_secret_count++;
263 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
264 client_handshake_secret_count++;
265 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
266 server_handshake_secret_count++;
267 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
268 client_application_secret_count++;
269 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
270 server_application_secret_count++;
271 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
272 early_exporter_secret_count++;
273 else if (strcmp(token, "EXPORTER_SECRET") == 0)
274 exporter_secret_count++;
275
276 client_random_size = SSL_get_client_random(ssl,
277 actual_client_random,
278 SSL3_RANDOM_SIZE);
279 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
280 return 0;
281
282 if (!TEST_ptr(token = strtok(NULL, " \n")))
283 return 0;
284 if (!TEST_size_t_eq(strlen(token), 64))
285 return 0;
286 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
287 actual_client_random,
288 client_random_size)))
289 return 0;
290
291 if (!TEST_ptr(token = strtok(NULL, " \n")))
292 return 0;
293
294 /*
295 * TODO(TLS1.3): test that application traffic secrets are what
296 * we expect */
297 } else {
298 TEST_info("Unexpected token %s\n", token);
299 return 0;
300 }
301 }
302
303 /* Got what we expected? */
304 if (!TEST_size_t_eq(rsa_key_exchange_count,
305 expected->rsa_key_exchange_count)
306 || !TEST_size_t_eq(master_secret_count,
307 expected->master_secret_count)
308 || !TEST_size_t_eq(client_early_secret_count,
309 expected->client_early_secret_count)
310 || !TEST_size_t_eq(client_handshake_secret_count,
311 expected->client_handshake_secret_count)
312 || !TEST_size_t_eq(server_handshake_secret_count,
313 expected->server_handshake_secret_count)
314 || !TEST_size_t_eq(client_application_secret_count,
315 expected->client_application_secret_count)
316 || !TEST_size_t_eq(server_application_secret_count,
317 expected->server_application_secret_count)
318 || !TEST_size_t_eq(early_exporter_secret_count,
319 expected->early_exporter_secret_count)
320 || !TEST_size_t_eq(exporter_secret_count,
321 expected->exporter_secret_count))
322 return 0;
323 return 1;
324 }
325
326 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
327 static int test_keylog(void)
328 {
329 SSL_CTX *cctx = NULL, *sctx = NULL;
330 SSL *clientssl = NULL, *serverssl = NULL;
331 int testresult = 0;
332 struct sslapitest_log_counts expected;
333
334 /* Clean up logging space */
335 memset(&expected, 0, sizeof(expected));
336 memset(client_log_buffer, 0, sizeof(client_log_buffer));
337 memset(server_log_buffer, 0, sizeof(server_log_buffer));
338 client_log_buffer_index = 0;
339 server_log_buffer_index = 0;
340 error_writing_log = 0;
341
342 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
343 TLS_client_method(),
344 TLS1_VERSION, 0,
345 &sctx, &cctx, cert, privkey)))
346 return 0;
347
348 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
349 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
350 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
351
352 /* We also want to ensure that we use RSA-based key exchange. */
353 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
354 goto end;
355
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
358 goto end;
359 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
360 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
361 == client_keylog_callback))
362 goto end;
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
366 goto end;
367
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 SSL_ERROR_NONE))
373 || !TEST_false(error_writing_log)
374 || !TEST_int_gt(client_log_buffer_index, 0)
375 || !TEST_int_gt(server_log_buffer_index, 0))
376 goto end;
377
378 /*
379 * Now we want to test that our output data was vaguely sensible. We
380 * do that by using strtok and confirming that we have more or less the
381 * data we expect. For both client and server, we expect to see one master
382 * secret. The client should also see a RSA key exchange.
383 */
384 expected.rsa_key_exchange_count = 1;
385 expected.master_secret_count = 1;
386 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
387 SSL_get_session(clientssl), &expected)))
388 goto end;
389
390 expected.rsa_key_exchange_count = 0;
391 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
392 SSL_get_session(serverssl), &expected)))
393 goto end;
394
395 testresult = 1;
396
397 end:
398 SSL_free(serverssl);
399 SSL_free(clientssl);
400 SSL_CTX_free(sctx);
401 SSL_CTX_free(cctx);
402
403 return testresult;
404 }
405 #endif
406
407 #ifndef OPENSSL_NO_TLS1_3
408 static int test_keylog_no_master_key(void)
409 {
410 SSL_CTX *cctx = NULL, *sctx = NULL;
411 SSL *clientssl = NULL, *serverssl = NULL;
412 SSL_SESSION *sess = NULL;
413 int testresult = 0;
414 struct sslapitest_log_counts expected;
415 unsigned char buf[1];
416 size_t readbytes, written;
417
418 /* Clean up logging space */
419 memset(&expected, 0, sizeof(expected));
420 memset(client_log_buffer, 0, sizeof(client_log_buffer));
421 memset(server_log_buffer, 0, sizeof(server_log_buffer));
422 client_log_buffer_index = 0;
423 server_log_buffer_index = 0;
424 error_writing_log = 0;
425
426 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
427 TLS1_VERSION, 0,
428 &sctx, &cctx, cert, privkey))
429 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
430 SSL3_RT_MAX_PLAIN_LENGTH)))
431 return 0;
432
433 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
434 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
435 goto end;
436
437 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
438 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
439 == client_keylog_callback))
440 goto end;
441
442 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
443 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
444 == server_keylog_callback))
445 goto end;
446
447 /* Now do a handshake and check that the logs have been written to. */
448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
449 &clientssl, NULL, NULL))
450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
451 SSL_ERROR_NONE))
452 || !TEST_false(error_writing_log))
453 goto end;
454
455 /*
456 * Now we want to test that our output data was vaguely sensible. For this
457 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
458 * TLSv1.3, but we do expect both client and server to emit keys.
459 */
460 expected.client_handshake_secret_count = 1;
461 expected.server_handshake_secret_count = 1;
462 expected.client_application_secret_count = 1;
463 expected.server_application_secret_count = 1;
464 expected.exporter_secret_count = 1;
465 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
466 SSL_get_session(clientssl), &expected))
467 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
468 SSL_get_session(serverssl),
469 &expected)))
470 goto end;
471
472 /* Terminate old session and resume with early data. */
473 sess = SSL_get1_session(clientssl);
474 SSL_shutdown(clientssl);
475 SSL_shutdown(serverssl);
476 SSL_free(serverssl);
477 SSL_free(clientssl);
478 serverssl = clientssl = NULL;
479
480 /* Reset key log */
481 memset(client_log_buffer, 0, sizeof(client_log_buffer));
482 memset(server_log_buffer, 0, sizeof(server_log_buffer));
483 client_log_buffer_index = 0;
484 server_log_buffer_index = 0;
485
486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
487 &clientssl, NULL, NULL))
488 || !TEST_true(SSL_set_session(clientssl, sess))
489 /* Here writing 0 length early data is enough. */
490 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
491 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
492 &readbytes),
493 SSL_READ_EARLY_DATA_ERROR)
494 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
495 SSL_EARLY_DATA_ACCEPTED)
496 || !TEST_true(create_ssl_connection(serverssl, clientssl,
497 SSL_ERROR_NONE))
498 || !TEST_true(SSL_session_reused(clientssl)))
499 goto end;
500
501 /* In addition to the previous entries, expect early secrets. */
502 expected.client_early_secret_count = 1;
503 expected.early_exporter_secret_count = 1;
504 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
505 SSL_get_session(clientssl), &expected))
506 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
507 SSL_get_session(serverssl),
508 &expected)))
509 goto end;
510
511 testresult = 1;
512
513 end:
514 SSL_SESSION_free(sess);
515 SSL_free(serverssl);
516 SSL_free(clientssl);
517 SSL_CTX_free(sctx);
518 SSL_CTX_free(cctx);
519
520 return testresult;
521 }
522 #endif
523
524 #ifndef OPENSSL_NO_TLS1_2
525 static int full_client_hello_callback(SSL *s, int *al, void *arg)
526 {
527 int *ctr = arg;
528 const unsigned char *p;
529 int *exts;
530 /* We only configure two ciphers, but the SCSV is added automatically. */
531 #ifdef OPENSSL_NO_EC
532 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
533 #else
534 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
535 0x2c, 0x00, 0xff};
536 #endif
537 const int expected_extensions[] = {
538 #ifndef OPENSSL_NO_EC
539 11, 10,
540 #endif
541 35, 22, 23, 13};
542 size_t len;
543
544 /* Make sure we can defer processing and get called back. */
545 if ((*ctr)++ == 0)
546 return SSL_CLIENT_HELLO_RETRY;
547
548 len = SSL_client_hello_get0_ciphers(s, &p);
549 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
550 || !TEST_size_t_eq(
551 SSL_client_hello_get0_compression_methods(s, &p), 1)
552 || !TEST_int_eq(*p, 0))
553 return SSL_CLIENT_HELLO_ERROR;
554 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
555 return SSL_CLIENT_HELLO_ERROR;
556 if (len != OSSL_NELEM(expected_extensions) ||
557 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
558 printf("ClientHello callback expected extensions mismatch\n");
559 OPENSSL_free(exts);
560 return SSL_CLIENT_HELLO_ERROR;
561 }
562 OPENSSL_free(exts);
563 return SSL_CLIENT_HELLO_SUCCESS;
564 }
565
566 static int test_client_hello_cb(void)
567 {
568 SSL_CTX *cctx = NULL, *sctx = NULL;
569 SSL *clientssl = NULL, *serverssl = NULL;
570 int testctr = 0, testresult = 0;
571
572 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
573 TLS1_VERSION, 0,
574 &sctx, &cctx, cert, privkey)))
575 goto end;
576 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
577
578 /* The gimpy cipher list we configure can't do TLS 1.3. */
579 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
580
581 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
582 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
584 &clientssl, NULL, NULL))
585 || !TEST_false(create_ssl_connection(serverssl, clientssl,
586 SSL_ERROR_WANT_CLIENT_HELLO_CB))
587 /*
588 * Passing a -1 literal is a hack since
589 * the real value was lost.
590 * */
591 || !TEST_int_eq(SSL_get_error(serverssl, -1),
592 SSL_ERROR_WANT_CLIENT_HELLO_CB)
593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
594 SSL_ERROR_NONE)))
595 goto end;
596
597 testresult = 1;
598
599 end:
600 SSL_free(serverssl);
601 SSL_free(clientssl);
602 SSL_CTX_free(sctx);
603 SSL_CTX_free(cctx);
604
605 return testresult;
606 }
607
608 static int test_no_ems(void)
609 {
610 SSL_CTX *cctx = NULL, *sctx = NULL;
611 SSL *clientssl = NULL, *serverssl = NULL;
612 int testresult = 0;
613
614 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
615 TLS1_VERSION, TLS1_2_VERSION,
616 &sctx, &cctx, cert, privkey)) {
617 printf("Unable to create SSL_CTX pair\n");
618 goto end;
619 }
620
621 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
622
623 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
624 printf("Unable to create SSL objects\n");
625 goto end;
626 }
627
628 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
629 printf("Creating SSL connection failed\n");
630 goto end;
631 }
632
633 if (SSL_get_extms_support(serverssl)) {
634 printf("Server reports Extended Master Secret support\n");
635 goto end;
636 }
637
638 if (SSL_get_extms_support(clientssl)) {
639 printf("Client reports Extended Master Secret support\n");
640 goto end;
641 }
642 testresult = 1;
643
644 end:
645 SSL_free(serverssl);
646 SSL_free(clientssl);
647 SSL_CTX_free(sctx);
648 SSL_CTX_free(cctx);
649
650 return testresult;
651 }
652 #endif
653
654 /*
655 * Very focused test to exercise a single case in the server-side state
656 * machine, when the ChangeCipherState message needs to actually change
657 * from one cipher to a different cipher (i.e., not changing from null
658 * encryption to reall encryption).
659 */
660 static int test_ccs_change_cipher(void)
661 {
662 SSL_CTX *cctx = NULL, *sctx = NULL;
663 SSL *clientssl = NULL, *serverssl = NULL;
664 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
665 int testresult = 0;
666 int i;
667 unsigned char buf;
668 size_t readbytes;
669
670 /*
671 * Create a conection so we can resume and potentially (but not) use
672 * a different cipher in the second connection.
673 */
674 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
675 TLS_client_method(),
676 TLS1_VERSION, TLS1_2_VERSION,
677 &sctx, &cctx, cert, privkey))
678 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
679 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
680 NULL, NULL))
681 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
683 SSL_ERROR_NONE))
684 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
685 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
686 goto end;
687
688 shutdown_ssl_connection(serverssl, clientssl);
689 serverssl = clientssl = NULL;
690
691 /* Resume, preferring a different cipher. Our server will force the
692 * same cipher to be used as the initial handshake. */
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
694 NULL, NULL))
695 || !TEST_true(SSL_set_session(clientssl, sess))
696 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
697 || !TEST_true(create_ssl_connection(serverssl, clientssl,
698 SSL_ERROR_NONE))
699 || !TEST_true(SSL_session_reused(clientssl))
700 || !TEST_true(SSL_session_reused(serverssl))
701 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
702 || !TEST_ptr_eq(sesspre, sesspost)
703 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
704 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
705 goto end;
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
708
709 /*
710 * Now create a fresh connection and try to renegotiate a different
711 * cipher on it.
712 */
713 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
714 TLS_client_method(),
715 TLS1_VERSION, TLS1_2_VERSION,
716 &sctx, &cctx, cert, privkey))
717 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
718 NULL, NULL))
719 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
720 || !TEST_true(create_ssl_connection(serverssl, clientssl,
721 SSL_ERROR_NONE))
722 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
723 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
724 || !TEST_true(SSL_renegotiate(clientssl))
725 || !TEST_true(SSL_renegotiate_pending(clientssl)))
726 goto end;
727 /* Actually drive the renegotiation. */
728 for (i = 0; i < 3; i++) {
729 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
730 if (!TEST_ulong_eq(readbytes, 0))
731 goto end;
732 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
733 SSL_ERROR_WANT_READ)) {
734 goto end;
735 }
736 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
737 if (!TEST_ulong_eq(readbytes, 0))
738 goto end;
739 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
740 SSL_ERROR_WANT_READ)) {
741 goto end;
742 }
743 }
744 /* sesspre and sesspost should be different since the cipher changed. */
745 if (!TEST_false(SSL_renegotiate_pending(clientssl))
746 || !TEST_false(SSL_session_reused(clientssl))
747 || !TEST_false(SSL_session_reused(serverssl))
748 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
749 || !TEST_ptr_ne(sesspre, sesspost)
750 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
751 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
752 goto end;
753
754 shutdown_ssl_connection(serverssl, clientssl);
755 serverssl = clientssl = NULL;
756
757 testresult = 1;
758
759 end:
760 SSL_free(serverssl);
761 SSL_free(clientssl);
762 SSL_CTX_free(sctx);
763 SSL_CTX_free(cctx);
764 SSL_SESSION_free(sess);
765
766 return testresult;
767 }
768
769 static int execute_test_large_message(const SSL_METHOD *smeth,
770 const SSL_METHOD *cmeth,
771 int min_version, int max_version,
772 int read_ahead)
773 {
774 SSL_CTX *cctx = NULL, *sctx = NULL;
775 SSL *clientssl = NULL, *serverssl = NULL;
776 int testresult = 0;
777 int i;
778 BIO *certbio = NULL;
779 X509 *chaincert = NULL;
780 int certlen;
781
782 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
783 goto end;
784 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
785 BIO_free(certbio);
786 certbio = NULL;
787 if (!TEST_ptr(chaincert))
788 goto end;
789
790 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
791 &sctx, &cctx, cert, privkey)))
792 goto end;
793
794 if (read_ahead) {
795 /*
796 * Test that read_ahead works correctly when dealing with large
797 * records
798 */
799 SSL_CTX_set_read_ahead(cctx, 1);
800 }
801
802 /*
803 * We assume the supplied certificate is big enough so that if we add
804 * NUM_EXTRA_CERTS it will make the overall message large enough. The
805 * default buffer size is requested to be 16k, but due to the way BUF_MEM
806 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
807 * test we need to have a message larger than that.
808 */
809 certlen = i2d_X509(chaincert, NULL);
810 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
811 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
812 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
813 if (!X509_up_ref(chaincert))
814 goto end;
815 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
816 X509_free(chaincert);
817 goto end;
818 }
819 }
820
821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
822 NULL, NULL))
823 || !TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE)))
825 goto end;
826
827 /*
828 * Calling SSL_clear() first is not required but this tests that SSL_clear()
829 * doesn't leak.
830 */
831 if (!TEST_true(SSL_clear(serverssl)))
832 goto end;
833
834 testresult = 1;
835 end:
836 X509_free(chaincert);
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843 }
844
845 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
846 && !defined(OPENSSL_NO_SOCK)
847
848 /* sock must be connected */
849 static int ktls_chk_platform(int sock)
850 {
851 if (!ktls_enable(sock))
852 return 0;
853 return 1;
854 }
855
856 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
857 {
858 static char count = 1;
859 unsigned char cbuf[16000] = {0};
860 unsigned char sbuf[16000];
861 size_t err = 0;
862 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
863 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
864 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
865 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
866 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
867 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
868 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
869 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870
871 cbuf[0] = count++;
872 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
873 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
874 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
875 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
876 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
877 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
878 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
879 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
880
881 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
882 goto end;
883
884 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
885 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
886 goto end;
887 }
888 }
889
890 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
891 goto end;
892
893 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
894 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
895 goto end;
896 }
897 }
898
899 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
900 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
901 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
902 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
903 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
904 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
905 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
906 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
907
908 /* verify the payload */
909 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
910 goto end;
911
912 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
913 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
914 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
915 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
916 goto end;
917 } else {
918 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
919 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
920 goto end;
921 }
922
923 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
924 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
925 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
926 goto end;
927 } else {
928 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
929 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
930 goto end;
931 }
932
933 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
934 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
935 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
936 goto end;
937 } else {
938 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
939 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
940 goto end;
941 }
942
943 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
944 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
945 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
946 goto end;
947 } else {
948 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
949 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
950 goto end;
951 }
952
953 return 1;
954 end:
955 return 0;
956 }
957
958 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
959 int sis_ktls_tx, int sis_ktls_rx)
960 {
961 SSL_CTX *cctx = NULL, *sctx = NULL;
962 SSL *clientssl = NULL, *serverssl = NULL;
963 int testresult = 0;
964 int cfd, sfd;
965
966 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
967 goto end;
968
969 /* Skip this test if the platform does not support ktls */
970 if (!ktls_chk_platform(cfd))
971 return 1;
972
973 /* Create a session based on SHA-256 */
974 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
975 TLS_client_method(),
976 TLS1_2_VERSION, TLS1_2_VERSION,
977 &sctx, &cctx, cert, privkey))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "AES128-GCM-SHA256"))
980 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
981 &clientssl, sfd, cfd)))
982 goto end;
983
984 if (!cis_ktls_tx) {
985 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
986 goto end;
987 }
988
989 if (!sis_ktls_tx) {
990 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
991 goto end;
992 }
993
994 if (!cis_ktls_rx) {
995 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
996 goto end;
997 }
998
999 if (!sis_ktls_rx) {
1000 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1001 goto end;
1002 }
1003
1004 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1005 SSL_ERROR_NONE)))
1006 goto end;
1007
1008 if (!cis_ktls_tx) {
1009 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1010 goto end;
1011 } else {
1012 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1013 goto end;
1014 }
1015
1016 if (!sis_ktls_tx) {
1017 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1018 goto end;
1019 } else {
1020 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1021 goto end;
1022 }
1023
1024 if (!cis_ktls_rx) {
1025 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1026 goto end;
1027 } else {
1028 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1029 goto end;
1030 }
1031
1032 if (!sis_ktls_rx) {
1033 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1034 goto end;
1035 } else {
1036 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1037 goto end;
1038 }
1039
1040 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1041 goto end;
1042
1043 testresult = 1;
1044 end:
1045 if (clientssl) {
1046 SSL_shutdown(clientssl);
1047 SSL_free(clientssl);
1048 }
1049 if (serverssl) {
1050 SSL_shutdown(serverssl);
1051 SSL_free(serverssl);
1052 }
1053 SSL_CTX_free(sctx);
1054 SSL_CTX_free(cctx);
1055 serverssl = clientssl = NULL;
1056 return testresult;
1057 }
1058
1059 #define SENDFILE_SZ (16 * 4096)
1060 #define SENDFILE_CHUNK (4 * 4096)
1061 #define min(a,b) ((a) > (b) ? (b) : (a))
1062
1063 static int test_ktls_sendfile(void)
1064 {
1065 SSL_CTX *cctx = NULL, *sctx = NULL;
1066 SSL *clientssl = NULL, *serverssl = NULL;
1067 unsigned char *buf, *buf_dst;
1068 BIO *out = NULL, *in = NULL;
1069 int cfd, sfd, ffd, err;
1070 ssize_t chunk_size = 0;
1071 off_t chunk_off = 0;
1072 int testresult = 0;
1073 FILE *ffdp;
1074
1075 buf = OPENSSL_zalloc(SENDFILE_SZ);
1076 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1077 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1078 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1079 goto end;
1080
1081 /* Skip this test if the platform does not support ktls */
1082 if (!ktls_chk_platform(sfd)) {
1083 testresult = 1;
1084 goto end;
1085 }
1086
1087 /* Create a session based on SHA-256 */
1088 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1089 TLS_client_method(),
1090 TLS1_2_VERSION, TLS1_2_VERSION,
1091 &sctx, &cctx, cert, privkey))
1092 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1093 "AES128-GCM-SHA256"))
1094 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1095 &clientssl, sfd, cfd)))
1096 goto end;
1097
1098 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1099 SSL_ERROR_NONE))
1100 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1101 goto end;
1102
1103 RAND_bytes(buf, SENDFILE_SZ);
1104 out = BIO_new_file(tmpfilename, "wb");
1105 if (!TEST_ptr(out))
1106 goto end;
1107
1108 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1109 goto end;
1110
1111 BIO_free(out);
1112 out = NULL;
1113 in = BIO_new_file(tmpfilename, "rb");
1114 BIO_get_fp(in, &ffdp);
1115 ffd = fileno(ffdp);
1116
1117 while (chunk_off < SENDFILE_SZ) {
1118 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1119 while ((err = SSL_sendfile(serverssl,
1120 ffd,
1121 chunk_off,
1122 chunk_size,
1123 0)) != chunk_size) {
1124 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1125 goto end;
1126 }
1127 while ((err = SSL_read(clientssl,
1128 buf_dst + chunk_off,
1129 chunk_size)) != chunk_size) {
1130 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1131 goto end;
1132 }
1133
1134 /* verify the payload */
1135 if (!TEST_mem_eq(buf_dst + chunk_off,
1136 chunk_size,
1137 buf + chunk_off,
1138 chunk_size))
1139 goto end;
1140
1141 chunk_off += chunk_size;
1142 }
1143
1144 testresult = 1;
1145 end:
1146 if (clientssl) {
1147 SSL_shutdown(clientssl);
1148 SSL_free(clientssl);
1149 }
1150 if (serverssl) {
1151 SSL_shutdown(serverssl);
1152 SSL_free(serverssl);
1153 }
1154 SSL_CTX_free(sctx);
1155 SSL_CTX_free(cctx);
1156 serverssl = clientssl = NULL;
1157 BIO_free(out);
1158 BIO_free(in);
1159 OPENSSL_free(buf);
1160 OPENSSL_free(buf_dst);
1161 return testresult;
1162 }
1163
1164 static int test_ktls_no_txrx_client_no_txrx_server(void)
1165 {
1166 return execute_test_ktls(0, 0, 0, 0);
1167 }
1168
1169 static int test_ktls_no_rx_client_no_txrx_server(void)
1170 {
1171 return execute_test_ktls(1, 0, 0, 0);
1172 }
1173
1174 static int test_ktls_no_tx_client_no_txrx_server(void)
1175 {
1176 return execute_test_ktls(0, 1, 0, 0);
1177 }
1178
1179 static int test_ktls_client_no_txrx_server(void)
1180 {
1181 return execute_test_ktls(1, 1, 0, 0);
1182 }
1183
1184 static int test_ktls_no_txrx_client_no_rx_server(void)
1185 {
1186 return execute_test_ktls(0, 0, 1, 0);
1187 }
1188
1189 static int test_ktls_no_rx_client_no_rx_server(void)
1190 {
1191 return execute_test_ktls(1, 0, 1, 0);
1192 }
1193
1194 static int test_ktls_no_tx_client_no_rx_server(void)
1195 {
1196 return execute_test_ktls(0, 1, 1, 0);
1197 }
1198
1199 static int test_ktls_client_no_rx_server(void)
1200 {
1201 return execute_test_ktls(1, 1, 1, 0);
1202 }
1203
1204 static int test_ktls_no_txrx_client_no_tx_server(void)
1205 {
1206 return execute_test_ktls(0, 0, 0, 1);
1207 }
1208
1209 static int test_ktls_no_rx_client_no_tx_server(void)
1210 {
1211 return execute_test_ktls(1, 0, 0, 1);
1212 }
1213
1214 static int test_ktls_no_tx_client_no_tx_server(void)
1215 {
1216 return execute_test_ktls(0, 1, 0, 1);
1217 }
1218
1219 static int test_ktls_client_no_tx_server(void)
1220 {
1221 return execute_test_ktls(1, 1, 0, 1);
1222 }
1223
1224 static int test_ktls_no_txrx_client_server(void)
1225 {
1226 return execute_test_ktls(0, 0, 1, 1);
1227 }
1228
1229 static int test_ktls_no_rx_client_server(void)
1230 {
1231 return execute_test_ktls(1, 0, 1, 1);
1232 }
1233
1234 static int test_ktls_no_tx_client_server(void)
1235 {
1236 return execute_test_ktls(0, 1, 1, 1);
1237 }
1238
1239 static int test_ktls_client_server(void)
1240 {
1241 return execute_test_ktls(1, 1, 1, 1);
1242 }
1243 #endif
1244
1245 static int test_large_message_tls(void)
1246 {
1247 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1248 TLS1_VERSION, 0, 0);
1249 }
1250
1251 static int test_large_message_tls_read_ahead(void)
1252 {
1253 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1254 TLS1_VERSION, 0, 1);
1255 }
1256
1257 #ifndef OPENSSL_NO_DTLS
1258 static int test_large_message_dtls(void)
1259 {
1260 /*
1261 * read_ahead is not relevant to DTLS because DTLS always acts as if
1262 * read_ahead is set.
1263 */
1264 return execute_test_large_message(DTLS_server_method(),
1265 DTLS_client_method(),
1266 DTLS1_VERSION, 0, 0);
1267 }
1268 #endif
1269
1270 #ifndef OPENSSL_NO_OCSP
1271 static int ocsp_server_cb(SSL *s, void *arg)
1272 {
1273 int *argi = (int *)arg;
1274 unsigned char *copy = NULL;
1275 STACK_OF(OCSP_RESPID) *ids = NULL;
1276 OCSP_RESPID *id = NULL;
1277
1278 if (*argi == 2) {
1279 /* In this test we are expecting exactly 1 OCSP_RESPID */
1280 SSL_get_tlsext_status_ids(s, &ids);
1281 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1282 return SSL_TLSEXT_ERR_ALERT_FATAL;
1283
1284 id = sk_OCSP_RESPID_value(ids, 0);
1285 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1286 return SSL_TLSEXT_ERR_ALERT_FATAL;
1287 } else if (*argi != 1) {
1288 return SSL_TLSEXT_ERR_ALERT_FATAL;
1289 }
1290
1291 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1292 return SSL_TLSEXT_ERR_ALERT_FATAL;
1293
1294 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1295 ocsp_server_called = 1;
1296 return SSL_TLSEXT_ERR_OK;
1297 }
1298
1299 static int ocsp_client_cb(SSL *s, void *arg)
1300 {
1301 int *argi = (int *)arg;
1302 const unsigned char *respderin;
1303 size_t len;
1304
1305 if (*argi != 1 && *argi != 2)
1306 return 0;
1307
1308 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1309 if (!TEST_mem_eq(orespder, len, respderin, len))
1310 return 0;
1311
1312 ocsp_client_called = 1;
1313 return 1;
1314 }
1315
1316 static int test_tlsext_status_type(void)
1317 {
1318 SSL_CTX *cctx = NULL, *sctx = NULL;
1319 SSL *clientssl = NULL, *serverssl = NULL;
1320 int testresult = 0;
1321 STACK_OF(OCSP_RESPID) *ids = NULL;
1322 OCSP_RESPID *id = NULL;
1323 BIO *certbio = NULL;
1324
1325 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1326 TLS1_VERSION, 0,
1327 &sctx, &cctx, cert, privkey))
1328 return 0;
1329
1330 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1331 goto end;
1332
1333 /* First just do various checks getting and setting tlsext_status_type */
1334
1335 clientssl = SSL_new(cctx);
1336 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1337 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1338 TLSEXT_STATUSTYPE_ocsp))
1339 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1340 TLSEXT_STATUSTYPE_ocsp))
1341 goto end;
1342
1343 SSL_free(clientssl);
1344 clientssl = NULL;
1345
1346 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1347 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1348 goto end;
1349
1350 clientssl = SSL_new(cctx);
1351 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1352 goto end;
1353 SSL_free(clientssl);
1354 clientssl = NULL;
1355
1356 /*
1357 * Now actually do a handshake and check OCSP information is exchanged and
1358 * the callbacks get called
1359 */
1360 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1361 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1362 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1363 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1365 &clientssl, NULL, NULL))
1366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1367 SSL_ERROR_NONE))
1368 || !TEST_true(ocsp_client_called)
1369 || !TEST_true(ocsp_server_called))
1370 goto end;
1371 SSL_free(serverssl);
1372 SSL_free(clientssl);
1373 serverssl = NULL;
1374 clientssl = NULL;
1375
1376 /* Try again but this time force the server side callback to fail */
1377 ocsp_client_called = 0;
1378 ocsp_server_called = 0;
1379 cdummyarg = 0;
1380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1381 &clientssl, NULL, NULL))
1382 /* This should fail because the callback will fail */
1383 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1384 SSL_ERROR_NONE))
1385 || !TEST_false(ocsp_client_called)
1386 || !TEST_false(ocsp_server_called))
1387 goto end;
1388 SSL_free(serverssl);
1389 SSL_free(clientssl);
1390 serverssl = NULL;
1391 clientssl = NULL;
1392
1393 /*
1394 * This time we'll get the client to send an OCSP_RESPID that it will
1395 * accept.
1396 */
1397 ocsp_client_called = 0;
1398 ocsp_server_called = 0;
1399 cdummyarg = 2;
1400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1401 &clientssl, NULL, NULL)))
1402 goto end;
1403
1404 /*
1405 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1406 * specific one. We'll use the server cert.
1407 */
1408 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1409 || !TEST_ptr(id = OCSP_RESPID_new())
1410 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1411 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1412 NULL, NULL, NULL))
1413 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1414 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1415 goto end;
1416 id = NULL;
1417 SSL_set_tlsext_status_ids(clientssl, ids);
1418 /* Control has been transferred */
1419 ids = NULL;
1420
1421 BIO_free(certbio);
1422 certbio = NULL;
1423
1424 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1425 SSL_ERROR_NONE))
1426 || !TEST_true(ocsp_client_called)
1427 || !TEST_true(ocsp_server_called))
1428 goto end;
1429
1430 testresult = 1;
1431
1432 end:
1433 SSL_free(serverssl);
1434 SSL_free(clientssl);
1435 SSL_CTX_free(sctx);
1436 SSL_CTX_free(cctx);
1437 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1438 OCSP_RESPID_free(id);
1439 BIO_free(certbio);
1440 X509_free(ocspcert);
1441 ocspcert = NULL;
1442
1443 return testresult;
1444 }
1445 #endif
1446
1447 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1448 static int new_called, remove_called, get_called;
1449
1450 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1451 {
1452 new_called++;
1453 /*
1454 * sess has been up-refed for us, but we don't actually need it so free it
1455 * immediately.
1456 */
1457 SSL_SESSION_free(sess);
1458 return 1;
1459 }
1460
1461 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1462 {
1463 remove_called++;
1464 }
1465
1466 static SSL_SESSION *get_sess_val = NULL;
1467
1468 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1469 int *copy)
1470 {
1471 get_called++;
1472 *copy = 1;
1473 return get_sess_val;
1474 }
1475
1476 static int execute_test_session(int maxprot, int use_int_cache,
1477 int use_ext_cache)
1478 {
1479 SSL_CTX *sctx = NULL, *cctx = NULL;
1480 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1481 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1482 # ifndef OPENSSL_NO_TLS1_1
1483 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1484 # endif
1485 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1486 int testresult = 0, numnewsesstick = 1;
1487
1488 new_called = remove_called = 0;
1489
1490 /* TLSv1.3 sends 2 NewSessionTickets */
1491 if (maxprot == TLS1_3_VERSION)
1492 numnewsesstick = 2;
1493
1494 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1495 TLS1_VERSION, 0,
1496 &sctx, &cctx, cert, privkey)))
1497 return 0;
1498
1499 /*
1500 * Only allow the max protocol version so we can force a connection failure
1501 * later
1502 */
1503 SSL_CTX_set_min_proto_version(cctx, maxprot);
1504 SSL_CTX_set_max_proto_version(cctx, maxprot);
1505
1506 /* Set up session cache */
1507 if (use_ext_cache) {
1508 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1509 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1510 }
1511 if (use_int_cache) {
1512 /* Also covers instance where both are set */
1513 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1514 } else {
1515 SSL_CTX_set_session_cache_mode(cctx,
1516 SSL_SESS_CACHE_CLIENT
1517 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1518 }
1519
1520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1521 NULL, NULL))
1522 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1523 SSL_ERROR_NONE))
1524 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1525 goto end;
1526
1527 /* Should fail because it should already be in the cache */
1528 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1529 goto end;
1530 if (use_ext_cache
1531 && (!TEST_int_eq(new_called, numnewsesstick)
1532
1533 || !TEST_int_eq(remove_called, 0)))
1534 goto end;
1535
1536 new_called = remove_called = 0;
1537 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1538 &clientssl2, NULL, NULL))
1539 || !TEST_true(SSL_set_session(clientssl2, sess1))
1540 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1541 SSL_ERROR_NONE))
1542 || !TEST_true(SSL_session_reused(clientssl2)))
1543 goto end;
1544
1545 if (maxprot == TLS1_3_VERSION) {
1546 /*
1547 * In TLSv1.3 we should have created a new session even though we have
1548 * resumed. Since we attempted a resume we should also have removed the
1549 * old ticket from the cache so that we try to only use tickets once.
1550 */
1551 if (use_ext_cache
1552 && (!TEST_int_eq(new_called, 1)
1553 || !TEST_int_eq(remove_called, 1)))
1554 goto end;
1555 } else {
1556 /*
1557 * In TLSv1.2 we expect to have resumed so no sessions added or
1558 * removed.
1559 */
1560 if (use_ext_cache
1561 && (!TEST_int_eq(new_called, 0)
1562 || !TEST_int_eq(remove_called, 0)))
1563 goto end;
1564 }
1565
1566 SSL_SESSION_free(sess1);
1567 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1568 goto end;
1569 shutdown_ssl_connection(serverssl2, clientssl2);
1570 serverssl2 = clientssl2 = NULL;
1571
1572 new_called = remove_called = 0;
1573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1574 &clientssl2, NULL, NULL))
1575 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1576 SSL_ERROR_NONE)))
1577 goto end;
1578
1579 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1580 goto end;
1581
1582 if (use_ext_cache
1583 && (!TEST_int_eq(new_called, numnewsesstick)
1584 || !TEST_int_eq(remove_called, 0)))
1585 goto end;
1586
1587 new_called = remove_called = 0;
1588 /*
1589 * This should clear sess2 from the cache because it is a "bad" session.
1590 * See SSL_set_session() documentation.
1591 */
1592 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1593 goto end;
1594 if (use_ext_cache
1595 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1596 goto end;
1597 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1598 goto end;
1599
1600 if (use_int_cache) {
1601 /* Should succeeded because it should not already be in the cache */
1602 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1603 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1604 goto end;
1605 }
1606
1607 new_called = remove_called = 0;
1608 /* This shouldn't be in the cache so should fail */
1609 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1610 goto end;
1611
1612 if (use_ext_cache
1613 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1614 goto end;
1615
1616 # if !defined(OPENSSL_NO_TLS1_1)
1617 new_called = remove_called = 0;
1618 /* Force a connection failure */
1619 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1621 &clientssl3, NULL, NULL))
1622 || !TEST_true(SSL_set_session(clientssl3, sess1))
1623 /* This should fail because of the mismatched protocol versions */
1624 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1625 SSL_ERROR_NONE)))
1626 goto end;
1627
1628 /* We should have automatically removed the session from the cache */
1629 if (use_ext_cache
1630 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1631 goto end;
1632
1633 /* Should succeed because it should not already be in the cache */
1634 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1635 goto end;
1636 # endif
1637
1638 /* Now do some tests for server side caching */
1639 if (use_ext_cache) {
1640 SSL_CTX_sess_set_new_cb(cctx, NULL);
1641 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1642 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1643 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1644 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1645 get_sess_val = NULL;
1646 }
1647
1648 SSL_CTX_set_session_cache_mode(cctx, 0);
1649 /* Internal caching is the default on the server side */
1650 if (!use_int_cache)
1651 SSL_CTX_set_session_cache_mode(sctx,
1652 SSL_SESS_CACHE_SERVER
1653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1654
1655 SSL_free(serverssl1);
1656 SSL_free(clientssl1);
1657 serverssl1 = clientssl1 = NULL;
1658 SSL_free(serverssl2);
1659 SSL_free(clientssl2);
1660 serverssl2 = clientssl2 = NULL;
1661 SSL_SESSION_free(sess1);
1662 sess1 = NULL;
1663 SSL_SESSION_free(sess2);
1664 sess2 = NULL;
1665
1666 SSL_CTX_set_max_proto_version(sctx, maxprot);
1667 if (maxprot == TLS1_2_VERSION)
1668 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1669 new_called = remove_called = get_called = 0;
1670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1671 NULL, NULL))
1672 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1673 SSL_ERROR_NONE))
1674 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1675 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1676 goto end;
1677
1678 if (use_int_cache) {
1679 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1680 /*
1681 * In TLSv1.3 it should not have been added to the internal cache,
1682 * except in the case where we also have an external cache (in that
1683 * case it gets added to the cache in order to generate remove
1684 * events after timeout).
1685 */
1686 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1687 goto end;
1688 } else {
1689 /* Should fail because it should already be in the cache */
1690 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1691 goto end;
1692 }
1693 }
1694
1695 if (use_ext_cache) {
1696 SSL_SESSION *tmp = sess2;
1697
1698 if (!TEST_int_eq(new_called, numnewsesstick)
1699 || !TEST_int_eq(remove_called, 0)
1700 || !TEST_int_eq(get_called, 0))
1701 goto end;
1702 /*
1703 * Delete the session from the internal cache to force a lookup from
1704 * the external cache. We take a copy first because
1705 * SSL_CTX_remove_session() also marks the session as non-resumable.
1706 */
1707 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1708 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1709 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1710 goto end;
1711 SSL_SESSION_free(sess2);
1712 }
1713 sess2 = tmp;
1714 }
1715
1716 new_called = remove_called = get_called = 0;
1717 get_sess_val = sess2;
1718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1719 &clientssl2, NULL, NULL))
1720 || !TEST_true(SSL_set_session(clientssl2, sess1))
1721 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1722 SSL_ERROR_NONE))
1723 || !TEST_true(SSL_session_reused(clientssl2)))
1724 goto end;
1725
1726 if (use_ext_cache) {
1727 if (!TEST_int_eq(remove_called, 0))
1728 goto end;
1729
1730 if (maxprot == TLS1_3_VERSION) {
1731 if (!TEST_int_eq(new_called, 1)
1732 || !TEST_int_eq(get_called, 0))
1733 goto end;
1734 } else {
1735 if (!TEST_int_eq(new_called, 0)
1736 || !TEST_int_eq(get_called, 1))
1737 goto end;
1738 }
1739 }
1740
1741 testresult = 1;
1742
1743 end:
1744 SSL_free(serverssl1);
1745 SSL_free(clientssl1);
1746 SSL_free(serverssl2);
1747 SSL_free(clientssl2);
1748 # ifndef OPENSSL_NO_TLS1_1
1749 SSL_free(serverssl3);
1750 SSL_free(clientssl3);
1751 # endif
1752 SSL_SESSION_free(sess1);
1753 SSL_SESSION_free(sess2);
1754 SSL_CTX_free(sctx);
1755 SSL_CTX_free(cctx);
1756
1757 return testresult;
1758 }
1759 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1760
1761 static int test_session_with_only_int_cache(void)
1762 {
1763 #ifndef OPENSSL_NO_TLS1_3
1764 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1765 return 0;
1766 #endif
1767
1768 #ifndef OPENSSL_NO_TLS1_2
1769 return execute_test_session(TLS1_2_VERSION, 1, 0);
1770 #else
1771 return 1;
1772 #endif
1773 }
1774
1775 static int test_session_with_only_ext_cache(void)
1776 {
1777 #ifndef OPENSSL_NO_TLS1_3
1778 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1779 return 0;
1780 #endif
1781
1782 #ifndef OPENSSL_NO_TLS1_2
1783 return execute_test_session(TLS1_2_VERSION, 0, 1);
1784 #else
1785 return 1;
1786 #endif
1787 }
1788
1789 static int test_session_with_both_cache(void)
1790 {
1791 #ifndef OPENSSL_NO_TLS1_3
1792 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1793 return 0;
1794 #endif
1795
1796 #ifndef OPENSSL_NO_TLS1_2
1797 return execute_test_session(TLS1_2_VERSION, 1, 1);
1798 #else
1799 return 1;
1800 #endif
1801 }
1802
1803 #ifndef OPENSSL_NO_TLS1_3
1804 static SSL_SESSION *sesscache[6];
1805 static int do_cache;
1806
1807 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1808 {
1809 if (do_cache) {
1810 sesscache[new_called] = sess;
1811 } else {
1812 /* We don't need the reference to the session, so free it */
1813 SSL_SESSION_free(sess);
1814 }
1815 new_called++;
1816
1817 return 1;
1818 }
1819
1820 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1821 {
1822 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1823 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1824 return 0;
1825
1826 /* Start handshake on the server and client */
1827 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1828 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1829 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1830 || !TEST_true(create_ssl_connection(sssl, cssl,
1831 SSL_ERROR_NONE)))
1832 return 0;
1833
1834 return 1;
1835 }
1836
1837 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1838 SSL_CTX **cctx)
1839 {
1840 int sess_id_ctx = 1;
1841
1842 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1843 TLS1_VERSION, 0, sctx,
1844 cctx, cert, privkey))
1845 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1846 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1847 (void *)&sess_id_ctx,
1848 sizeof(sess_id_ctx))))
1849 return 0;
1850
1851 if (stateful)
1852 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1853
1854 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1855 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1856 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1857
1858 return 1;
1859 }
1860
1861 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1862 {
1863 SSL *serverssl = NULL, *clientssl = NULL;
1864 int i;
1865
1866 /* Test that we can resume with all the tickets we got given */
1867 for (i = 0; i < idx * 2; i++) {
1868 new_called = 0;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1870 &clientssl, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1872 goto end;
1873
1874 SSL_set_post_handshake_auth(clientssl, 1);
1875
1876 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1877 SSL_ERROR_NONE)))
1878 goto end;
1879
1880 /*
1881 * Following a successful resumption we only get 1 ticket. After a
1882 * failed one we should get idx tickets.
1883 */
1884 if (succ) {
1885 if (!TEST_true(SSL_session_reused(clientssl))
1886 || !TEST_int_eq(new_called, 1))
1887 goto end;
1888 } else {
1889 if (!TEST_false(SSL_session_reused(clientssl))
1890 || !TEST_int_eq(new_called, idx))
1891 goto end;
1892 }
1893
1894 new_called = 0;
1895 /* After a post-handshake authentication we should get 1 new ticket */
1896 if (succ
1897 && (!post_handshake_verify(serverssl, clientssl)
1898 || !TEST_int_eq(new_called, 1)))
1899 goto end;
1900
1901 SSL_shutdown(clientssl);
1902 SSL_shutdown(serverssl);
1903 SSL_free(serverssl);
1904 SSL_free(clientssl);
1905 serverssl = clientssl = NULL;
1906 SSL_SESSION_free(sesscache[i]);
1907 sesscache[i] = NULL;
1908 }
1909
1910 return 1;
1911
1912 end:
1913 SSL_free(clientssl);
1914 SSL_free(serverssl);
1915 return 0;
1916 }
1917
1918 static int test_tickets(int stateful, int idx)
1919 {
1920 SSL_CTX *sctx = NULL, *cctx = NULL;
1921 SSL *serverssl = NULL, *clientssl = NULL;
1922 int testresult = 0;
1923 size_t j;
1924
1925 /* idx is the test number, but also the number of tickets we want */
1926
1927 new_called = 0;
1928 do_cache = 1;
1929
1930 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1931 goto end;
1932
1933 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1934 &clientssl, NULL, NULL)))
1935 goto end;
1936
1937 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1938 SSL_ERROR_NONE))
1939 /* Check we got the number of tickets we were expecting */
1940 || !TEST_int_eq(idx, new_called))
1941 goto end;
1942
1943 SSL_shutdown(clientssl);
1944 SSL_shutdown(serverssl);
1945 SSL_free(serverssl);
1946 SSL_free(clientssl);
1947 SSL_CTX_free(sctx);
1948 SSL_CTX_free(cctx);
1949 clientssl = serverssl = NULL;
1950 sctx = cctx = NULL;
1951
1952 /*
1953 * Now we try to resume with the tickets we previously created. The
1954 * resumption attempt is expected to fail (because we're now using a new
1955 * SSL_CTX). We should see idx number of tickets issued again.
1956 */
1957
1958 /* Stop caching sessions - just count them */
1959 do_cache = 0;
1960
1961 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1962 goto end;
1963
1964 if (!check_resumption(idx, sctx, cctx, 0))
1965 goto end;
1966
1967 /* Start again with caching sessions */
1968 new_called = 0;
1969 do_cache = 1;
1970 SSL_CTX_free(sctx);
1971 SSL_CTX_free(cctx);
1972 sctx = cctx = NULL;
1973
1974 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1975 goto end;
1976
1977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1978 &clientssl, NULL, NULL)))
1979 goto end;
1980
1981 SSL_set_post_handshake_auth(clientssl, 1);
1982
1983 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1984 SSL_ERROR_NONE))
1985 /* Check we got the number of tickets we were expecting */
1986 || !TEST_int_eq(idx, new_called))
1987 goto end;
1988
1989 /* After a post-handshake authentication we should get new tickets issued */
1990 if (!post_handshake_verify(serverssl, clientssl)
1991 || !TEST_int_eq(idx * 2, new_called))
1992 goto end;
1993
1994 SSL_shutdown(clientssl);
1995 SSL_shutdown(serverssl);
1996 SSL_free(serverssl);
1997 SSL_free(clientssl);
1998 serverssl = clientssl = NULL;
1999
2000 /* Stop caching sessions - just count them */
2001 do_cache = 0;
2002
2003 /*
2004 * Check we can resume with all the tickets we created. This time around the
2005 * resumptions should all be successful.
2006 */
2007 if (!check_resumption(idx, sctx, cctx, 1))
2008 goto end;
2009
2010 testresult = 1;
2011
2012 end:
2013 SSL_free(serverssl);
2014 SSL_free(clientssl);
2015 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2016 SSL_SESSION_free(sesscache[j]);
2017 sesscache[j] = NULL;
2018 }
2019 SSL_CTX_free(sctx);
2020 SSL_CTX_free(cctx);
2021
2022 return testresult;
2023 }
2024
2025 static int test_stateless_tickets(int idx)
2026 {
2027 return test_tickets(0, idx);
2028 }
2029
2030 static int test_stateful_tickets(int idx)
2031 {
2032 return test_tickets(1, idx);
2033 }
2034
2035 static int test_psk_tickets(void)
2036 {
2037 SSL_CTX *sctx = NULL, *cctx = NULL;
2038 SSL *serverssl = NULL, *clientssl = NULL;
2039 int testresult = 0;
2040 int sess_id_ctx = 1;
2041
2042 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2043 TLS1_VERSION, 0, &sctx,
2044 &cctx, NULL, NULL))
2045 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2046 (void *)&sess_id_ctx,
2047 sizeof(sess_id_ctx))))
2048 goto end;
2049
2050 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2052 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2053 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2054 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2055 use_session_cb_cnt = 0;
2056 find_session_cb_cnt = 0;
2057 srvid = pskid;
2058 new_called = 0;
2059
2060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2061 NULL, NULL)))
2062 goto end;
2063 clientpsk = serverpsk = create_a_psk(clientssl);
2064 if (!TEST_ptr(clientpsk))
2065 goto end;
2066 SSL_SESSION_up_ref(clientpsk);
2067
2068 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2069 SSL_ERROR_NONE))
2070 || !TEST_int_eq(1, find_session_cb_cnt)
2071 || !TEST_int_eq(1, use_session_cb_cnt)
2072 /* We should always get 1 ticket when using external PSK */
2073 || !TEST_int_eq(1, new_called))
2074 goto end;
2075
2076 testresult = 1;
2077
2078 end:
2079 SSL_free(serverssl);
2080 SSL_free(clientssl);
2081 SSL_CTX_free(sctx);
2082 SSL_CTX_free(cctx);
2083 SSL_SESSION_free(clientpsk);
2084 SSL_SESSION_free(serverpsk);
2085 clientpsk = serverpsk = NULL;
2086
2087 return testresult;
2088 }
2089 #endif
2090
2091 #define USE_NULL 0
2092 #define USE_BIO_1 1
2093 #define USE_BIO_2 2
2094 #define USE_DEFAULT 3
2095
2096 #define CONNTYPE_CONNECTION_SUCCESS 0
2097 #define CONNTYPE_CONNECTION_FAIL 1
2098 #define CONNTYPE_NO_CONNECTION 2
2099
2100 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2101 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2102 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2103 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2104 #else
2105 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2106 #endif
2107
2108 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2109 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2110 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2111
2112 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2113 {
2114 switch (type) {
2115 case USE_NULL:
2116 *res = NULL;
2117 break;
2118 case USE_BIO_1:
2119 *res = bio1;
2120 break;
2121 case USE_BIO_2:
2122 *res = bio2;
2123 break;
2124 }
2125 }
2126
2127
2128 /*
2129 * Tests calls to SSL_set_bio() under various conditions.
2130 *
2131 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2132 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2133 * then do more tests where we create a successful connection first using our
2134 * standard connection setup functions, and then call SSL_set_bio() with
2135 * various combinations of valid BIOs or NULL. We then repeat these tests
2136 * following a failed connection. In this last case we are looking to check that
2137 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2138 */
2139 static int test_ssl_set_bio(int idx)
2140 {
2141 SSL_CTX *sctx = NULL, *cctx = NULL;
2142 BIO *bio1 = NULL;
2143 BIO *bio2 = NULL;
2144 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2145 SSL *serverssl = NULL, *clientssl = NULL;
2146 int initrbio, initwbio, newrbio, newwbio, conntype;
2147 int testresult = 0;
2148
2149 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2150 initrbio = idx % 3;
2151 idx /= 3;
2152 initwbio = idx % 3;
2153 idx /= 3;
2154 newrbio = idx % 3;
2155 idx /= 3;
2156 newwbio = idx % 3;
2157 conntype = CONNTYPE_NO_CONNECTION;
2158 } else {
2159 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2160 initrbio = initwbio = USE_DEFAULT;
2161 newrbio = idx % 2;
2162 idx /= 2;
2163 newwbio = idx % 2;
2164 idx /= 2;
2165 conntype = idx % 2;
2166 }
2167
2168 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2169 TLS1_VERSION, 0,
2170 &sctx, &cctx, cert, privkey)))
2171 goto end;
2172
2173 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2174 /*
2175 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2176 * because we reduced the number of tests in the definition of
2177 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2178 * mismatched protocol versions we will force a connection failure.
2179 */
2180 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2181 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2182 }
2183
2184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2185 NULL, NULL)))
2186 goto end;
2187
2188 if (initrbio == USE_BIO_1
2189 || initwbio == USE_BIO_1
2190 || newrbio == USE_BIO_1
2191 || newwbio == USE_BIO_1) {
2192 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2193 goto end;
2194 }
2195
2196 if (initrbio == USE_BIO_2
2197 || initwbio == USE_BIO_2
2198 || newrbio == USE_BIO_2
2199 || newwbio == USE_BIO_2) {
2200 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2201 goto end;
2202 }
2203
2204 if (initrbio != USE_DEFAULT) {
2205 setupbio(&irbio, bio1, bio2, initrbio);
2206 setupbio(&iwbio, bio1, bio2, initwbio);
2207 SSL_set_bio(clientssl, irbio, iwbio);
2208
2209 /*
2210 * We want to maintain our own refs to these BIO, so do an up ref for
2211 * each BIO that will have ownership transferred in the SSL_set_bio()
2212 * call
2213 */
2214 if (irbio != NULL)
2215 BIO_up_ref(irbio);
2216 if (iwbio != NULL && iwbio != irbio)
2217 BIO_up_ref(iwbio);
2218 }
2219
2220 if (conntype != CONNTYPE_NO_CONNECTION
2221 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2222 SSL_ERROR_NONE)
2223 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2224 goto end;
2225
2226 setupbio(&nrbio, bio1, bio2, newrbio);
2227 setupbio(&nwbio, bio1, bio2, newwbio);
2228
2229 /*
2230 * We will (maybe) transfer ownership again so do more up refs.
2231 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2232 * already been set!
2233 */
2234 if (nrbio != NULL
2235 && nrbio != irbio
2236 && (nwbio != iwbio || nrbio != nwbio))
2237 BIO_up_ref(nrbio);
2238 if (nwbio != NULL
2239 && nwbio != nrbio
2240 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2241 BIO_up_ref(nwbio);
2242
2243 SSL_set_bio(clientssl, nrbio, nwbio);
2244
2245 testresult = 1;
2246
2247 end:
2248 BIO_free(bio1);
2249 BIO_free(bio2);
2250
2251 /*
2252 * This test is checking that the ref counting for SSL_set_bio is correct.
2253 * If we get here and we did too many frees then we will fail in the above
2254 * functions.
2255 */
2256 SSL_free(serverssl);
2257 SSL_free(clientssl);
2258 SSL_CTX_free(sctx);
2259 SSL_CTX_free(cctx);
2260 return testresult;
2261 }
2262
2263 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2264
2265 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2266 {
2267 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2268 SSL_CTX *ctx;
2269 SSL *ssl = NULL;
2270 int testresult = 0;
2271
2272 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2273 || !TEST_ptr(ssl = SSL_new(ctx))
2274 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2275 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2276 goto end;
2277
2278 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2279
2280 /*
2281 * If anything goes wrong here then we could leak memory.
2282 */
2283 BIO_push(sslbio, membio1);
2284
2285 /* Verify changing the rbio/wbio directly does not cause leaks */
2286 if (change_bio != NO_BIO_CHANGE) {
2287 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2288 goto end;
2289 if (change_bio == CHANGE_RBIO)
2290 SSL_set0_rbio(ssl, membio2);
2291 else
2292 SSL_set0_wbio(ssl, membio2);
2293 }
2294 ssl = NULL;
2295
2296 if (pop_ssl)
2297 BIO_pop(sslbio);
2298 else
2299 BIO_pop(membio1);
2300
2301 testresult = 1;
2302 end:
2303 BIO_free(membio1);
2304 BIO_free(sslbio);
2305 SSL_free(ssl);
2306 SSL_CTX_free(ctx);
2307
2308 return testresult;
2309 }
2310
2311 static int test_ssl_bio_pop_next_bio(void)
2312 {
2313 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2314 }
2315
2316 static int test_ssl_bio_pop_ssl_bio(void)
2317 {
2318 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2319 }
2320
2321 static int test_ssl_bio_change_rbio(void)
2322 {
2323 return execute_test_ssl_bio(0, CHANGE_RBIO);
2324 }
2325
2326 static int test_ssl_bio_change_wbio(void)
2327 {
2328 return execute_test_ssl_bio(0, CHANGE_WBIO);
2329 }
2330
2331 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2332 typedef struct {
2333 /* The list of sig algs */
2334 const int *list;
2335 /* The length of the list */
2336 size_t listlen;
2337 /* A sigalgs list in string format */
2338 const char *liststr;
2339 /* Whether setting the list should succeed */
2340 int valid;
2341 /* Whether creating a connection with the list should succeed */
2342 int connsuccess;
2343 } sigalgs_list;
2344
2345 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2346 # ifndef OPENSSL_NO_EC
2347 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2348 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2349 # endif
2350 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2351 static const int invalidlist2[] = {NID_sha256, NID_undef};
2352 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2353 static const int invalidlist4[] = {NID_sha256};
2354 static const sigalgs_list testsigalgs[] = {
2355 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2356 # ifndef OPENSSL_NO_EC
2357 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2358 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2359 # endif
2360 {NULL, 0, "RSA+SHA256", 1, 1},
2361 # ifndef OPENSSL_NO_EC
2362 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2363 {NULL, 0, "ECDSA+SHA512", 1, 0},
2364 # endif
2365 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2366 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2367 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2368 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2369 {NULL, 0, "RSA", 0, 0},
2370 {NULL, 0, "SHA256", 0, 0},
2371 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2372 {NULL, 0, "Invalid", 0, 0}
2373 };
2374
2375 static int test_set_sigalgs(int idx)
2376 {
2377 SSL_CTX *cctx = NULL, *sctx = NULL;
2378 SSL *clientssl = NULL, *serverssl = NULL;
2379 int testresult = 0;
2380 const sigalgs_list *curr;
2381 int testctx;
2382
2383 /* Should never happen */
2384 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2385 return 0;
2386
2387 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2388 curr = testctx ? &testsigalgs[idx]
2389 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2390
2391 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2392 TLS1_VERSION, 0,
2393 &sctx, &cctx, cert, privkey)))
2394 return 0;
2395
2396 /*
2397 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2398 * for TLSv1.2 for now until we add a new API.
2399 */
2400 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2401
2402 if (testctx) {
2403 int ret;
2404
2405 if (curr->list != NULL)
2406 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2407 else
2408 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2409
2410 if (!ret) {
2411 if (curr->valid)
2412 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2413 else
2414 testresult = 1;
2415 goto end;
2416 }
2417 if (!curr->valid) {
2418 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2419 goto end;
2420 }
2421 }
2422
2423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2424 &clientssl, NULL, NULL)))
2425 goto end;
2426
2427 if (!testctx) {
2428 int ret;
2429
2430 if (curr->list != NULL)
2431 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2432 else
2433 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2434 if (!ret) {
2435 if (curr->valid)
2436 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2437 else
2438 testresult = 1;
2439 goto end;
2440 }
2441 if (!curr->valid)
2442 goto end;
2443 }
2444
2445 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2446 SSL_ERROR_NONE),
2447 curr->connsuccess))
2448 goto end;
2449
2450 testresult = 1;
2451
2452 end:
2453 SSL_free(serverssl);
2454 SSL_free(clientssl);
2455 SSL_CTX_free(sctx);
2456 SSL_CTX_free(cctx);
2457
2458 return testresult;
2459 }
2460 #endif
2461
2462 #ifndef OPENSSL_NO_TLS1_3
2463 static int psk_client_cb_cnt = 0;
2464 static int psk_server_cb_cnt = 0;
2465
2466 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2467 size_t *idlen, SSL_SESSION **sess)
2468 {
2469 switch (++use_session_cb_cnt) {
2470 case 1:
2471 /* The first call should always have a NULL md */
2472 if (md != NULL)
2473 return 0;
2474 break;
2475
2476 case 2:
2477 /* The second call should always have an md */
2478 if (md == NULL)
2479 return 0;
2480 break;
2481
2482 default:
2483 /* We should only be called a maximum of twice */
2484 return 0;
2485 }
2486
2487 if (clientpsk != NULL)
2488 SSL_SESSION_up_ref(clientpsk);
2489
2490 *sess = clientpsk;
2491 *id = (const unsigned char *)pskid;
2492 *idlen = strlen(pskid);
2493
2494 return 1;
2495 }
2496
2497 #ifndef OPENSSL_NO_PSK
2498 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2499 unsigned int max_id_len,
2500 unsigned char *psk,
2501 unsigned int max_psk_len)
2502 {
2503 unsigned int psklen = 0;
2504
2505 psk_client_cb_cnt++;
2506
2507 if (strlen(pskid) + 1 > max_id_len)
2508 return 0;
2509
2510 /* We should only ever be called a maximum of twice per connection */
2511 if (psk_client_cb_cnt > 2)
2512 return 0;
2513
2514 if (clientpsk == NULL)
2515 return 0;
2516
2517 /* We'll reuse the PSK we set up for TLSv1.3 */
2518 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2519 return 0;
2520 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2521 strncpy(id, pskid, max_id_len);
2522
2523 return psklen;
2524 }
2525 #endif /* OPENSSL_NO_PSK */
2526
2527 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2528 size_t identity_len, SSL_SESSION **sess)
2529 {
2530 find_session_cb_cnt++;
2531
2532 /* We should only ever be called a maximum of twice per connection */
2533 if (find_session_cb_cnt > 2)
2534 return 0;
2535
2536 if (serverpsk == NULL)
2537 return 0;
2538
2539 /* Identity should match that set by the client */
2540 if (strlen(srvid) != identity_len
2541 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2542 /* No PSK found, continue but without a PSK */
2543 *sess = NULL;
2544 return 1;
2545 }
2546
2547 SSL_SESSION_up_ref(serverpsk);
2548 *sess = serverpsk;
2549
2550 return 1;
2551 }
2552
2553 #ifndef OPENSSL_NO_PSK
2554 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2555 unsigned char *psk, unsigned int max_psk_len)
2556 {
2557 unsigned int psklen = 0;
2558
2559 psk_server_cb_cnt++;
2560
2561 /* We should only ever be called a maximum of twice per connection */
2562 if (find_session_cb_cnt > 2)
2563 return 0;
2564
2565 if (serverpsk == NULL)
2566 return 0;
2567
2568 /* Identity should match that set by the client */
2569 if (strcmp(srvid, identity) != 0) {
2570 return 0;
2571 }
2572
2573 /* We'll reuse the PSK we set up for TLSv1.3 */
2574 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2575 return 0;
2576 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2577
2578 return psklen;
2579 }
2580 #endif /* OPENSSL_NO_PSK */
2581
2582 #define MSG1 "Hello"
2583 #define MSG2 "World."
2584 #define MSG3 "This"
2585 #define MSG4 "is"
2586 #define MSG5 "a"
2587 #define MSG6 "test"
2588 #define MSG7 "message."
2589
2590 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2591 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2592
2593
2594 static SSL_SESSION *create_a_psk(SSL *ssl)
2595 {
2596 const SSL_CIPHER *cipher = NULL;
2597 const unsigned char key[] = {
2598 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2599 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2600 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2601 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2602 0x2c, 0x2d, 0x2e, 0x2f
2603 };
2604 SSL_SESSION *sess = NULL;
2605
2606 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2607 sess = SSL_SESSION_new();
2608 if (!TEST_ptr(sess)
2609 || !TEST_ptr(cipher)
2610 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2611 sizeof(key)))
2612 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2613 || !TEST_true(
2614 SSL_SESSION_set_protocol_version(sess,
2615 TLS1_3_VERSION))) {
2616 SSL_SESSION_free(sess);
2617 return NULL;
2618 }
2619 return sess;
2620 }
2621
2622 /*
2623 * Helper method to setup objects for early data test. Caller frees objects on
2624 * error.
2625 */
2626 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2627 SSL **serverssl, SSL_SESSION **sess, int idx)
2628 {
2629 if (*sctx == NULL
2630 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2631 TLS_client_method(),
2632 TLS1_VERSION, 0,
2633 sctx, cctx, cert, privkey)))
2634 return 0;
2635
2636 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2637 return 0;
2638
2639 if (idx == 1) {
2640 /* When idx == 1 we repeat the tests with read_ahead set */
2641 SSL_CTX_set_read_ahead(*cctx, 1);
2642 SSL_CTX_set_read_ahead(*sctx, 1);
2643 } else if (idx == 2) {
2644 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2645 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2646 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2647 use_session_cb_cnt = 0;
2648 find_session_cb_cnt = 0;
2649 srvid = pskid;
2650 }
2651
2652 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2653 NULL, NULL)))
2654 return 0;
2655
2656 /*
2657 * For one of the run throughs (doesn't matter which one), we'll try sending
2658 * some SNI data in the initial ClientHello. This will be ignored (because
2659 * there is no SNI cb set up by the server), so it should not impact
2660 * early_data.
2661 */
2662 if (idx == 1
2663 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2664 return 0;
2665
2666 if (idx == 2) {
2667 clientpsk = create_a_psk(*clientssl);
2668 if (!TEST_ptr(clientpsk)
2669 /*
2670 * We just choose an arbitrary value for max_early_data which
2671 * should be big enough for testing purposes.
2672 */
2673 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2674 0x100))
2675 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2676 SSL_SESSION_free(clientpsk);
2677 clientpsk = NULL;
2678 return 0;
2679 }
2680 serverpsk = clientpsk;
2681
2682 if (sess != NULL) {
2683 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2684 SSL_SESSION_free(clientpsk);
2685 SSL_SESSION_free(serverpsk);
2686 clientpsk = serverpsk = NULL;
2687 return 0;
2688 }
2689 *sess = clientpsk;
2690 }
2691 return 1;
2692 }
2693
2694 if (sess == NULL)
2695 return 1;
2696
2697 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2698 SSL_ERROR_NONE)))
2699 return 0;
2700
2701 *sess = SSL_get1_session(*clientssl);
2702 SSL_shutdown(*clientssl);
2703 SSL_shutdown(*serverssl);
2704 SSL_free(*serverssl);
2705 SSL_free(*clientssl);
2706 *serverssl = *clientssl = NULL;
2707
2708 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2709 clientssl, NULL, NULL))
2710 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2711 return 0;
2712
2713 return 1;
2714 }
2715
2716 static int test_early_data_read_write(int idx)
2717 {
2718 SSL_CTX *cctx = NULL, *sctx = NULL;
2719 SSL *clientssl = NULL, *serverssl = NULL;
2720 int testresult = 0;
2721 SSL_SESSION *sess = NULL;
2722 unsigned char buf[20], data[1024];
2723 size_t readbytes, written, eoedlen, rawread, rawwritten;
2724 BIO *rbio;
2725
2726 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2727 &serverssl, &sess, idx)))
2728 goto end;
2729
2730 /* Write and read some early data */
2731 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2732 &written))
2733 || !TEST_size_t_eq(written, strlen(MSG1))
2734 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2735 sizeof(buf), &readbytes),
2736 SSL_READ_EARLY_DATA_SUCCESS)
2737 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2738 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2739 SSL_EARLY_DATA_ACCEPTED))
2740 goto end;
2741
2742 /*
2743 * Server should be able to write data, and client should be able to
2744 * read it.
2745 */
2746 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2747 &written))
2748 || !TEST_size_t_eq(written, strlen(MSG2))
2749 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2750 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2751 goto end;
2752
2753 /* Even after reading normal data, client should be able write early data */
2754 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2755 &written))
2756 || !TEST_size_t_eq(written, strlen(MSG3)))
2757 goto end;
2758
2759 /* Server should still be able read early data after writing data */
2760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2761 &readbytes),
2762 SSL_READ_EARLY_DATA_SUCCESS)
2763 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2764 goto end;
2765
2766 /* Write more data from server and read it from client */
2767 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2768 &written))
2769 || !TEST_size_t_eq(written, strlen(MSG4))
2770 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2771 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2772 goto end;
2773
2774 /*
2775 * If client writes normal data it should mean writing early data is no
2776 * longer possible.
2777 */
2778 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2779 || !TEST_size_t_eq(written, strlen(MSG5))
2780 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2781 SSL_EARLY_DATA_ACCEPTED))
2782 goto end;
2783
2784 /*
2785 * At this point the client has written EndOfEarlyData, ClientFinished and
2786 * normal (fully protected) data. We are going to cause a delay between the
2787 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2788 * in the read BIO, and then just put back the EndOfEarlyData message.
2789 */
2790 rbio = SSL_get_rbio(serverssl);
2791 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2792 || !TEST_size_t_lt(rawread, sizeof(data))
2793 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2794 goto end;
2795
2796 /* Record length is in the 4th and 5th bytes of the record header */
2797 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2798 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2799 || !TEST_size_t_eq(rawwritten, eoedlen))
2800 goto end;
2801
2802 /* Server should be told that there is no more early data */
2803 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2804 &readbytes),
2805 SSL_READ_EARLY_DATA_FINISH)
2806 || !TEST_size_t_eq(readbytes, 0))
2807 goto end;
2808
2809 /*
2810 * Server has not finished init yet, so should still be able to write early
2811 * data.
2812 */
2813 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2814 &written))
2815 || !TEST_size_t_eq(written, strlen(MSG6)))
2816 goto end;
2817
2818 /* Push the ClientFinished and the normal data back into the server rbio */
2819 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2820 &rawwritten))
2821 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2822 goto end;
2823
2824 /* Server should be able to read normal data */
2825 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2826 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2827 goto end;
2828
2829 /* Client and server should not be able to write/read early data now */
2830 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2831 &written)))
2832 goto end;
2833 ERR_clear_error();
2834 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2835 &readbytes),
2836 SSL_READ_EARLY_DATA_ERROR))
2837 goto end;
2838 ERR_clear_error();
2839
2840 /* Client should be able to read the data sent by the server */
2841 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2842 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2843 goto end;
2844
2845 /*
2846 * Make sure we process the two NewSessionTickets. These arrive
2847 * post-handshake. We attempt reads which we do not expect to return any
2848 * data.
2849 */
2850 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2851 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2852 &readbytes)))
2853 goto end;
2854
2855 /* Server should be able to write normal data */
2856 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2857 || !TEST_size_t_eq(written, strlen(MSG7))
2858 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2859 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2860 goto end;
2861
2862 SSL_SESSION_free(sess);
2863 sess = SSL_get1_session(clientssl);
2864 use_session_cb_cnt = 0;
2865 find_session_cb_cnt = 0;
2866
2867 SSL_shutdown(clientssl);
2868 SSL_shutdown(serverssl);
2869 SSL_free(serverssl);
2870 SSL_free(clientssl);
2871 serverssl = clientssl = NULL;
2872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2873 &clientssl, NULL, NULL))
2874 || !TEST_true(SSL_set_session(clientssl, sess)))
2875 goto end;
2876
2877 /* Write and read some early data */
2878 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2879 &written))
2880 || !TEST_size_t_eq(written, strlen(MSG1))
2881 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2882 &readbytes),
2883 SSL_READ_EARLY_DATA_SUCCESS)
2884 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2885 goto end;
2886
2887 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2888 || !TEST_int_gt(SSL_accept(serverssl), 0))
2889 goto end;
2890
2891 /* Client and server should not be able to write/read early data now */
2892 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2893 &written)))
2894 goto end;
2895 ERR_clear_error();
2896 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2897 &readbytes),
2898 SSL_READ_EARLY_DATA_ERROR))
2899 goto end;
2900 ERR_clear_error();
2901
2902 /* Client and server should be able to write/read normal data */
2903 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2904 || !TEST_size_t_eq(written, strlen(MSG5))
2905 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2906 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2907 goto end;
2908
2909 testresult = 1;
2910
2911 end:
2912 SSL_SESSION_free(sess);
2913 SSL_SESSION_free(clientpsk);
2914 SSL_SESSION_free(serverpsk);
2915 clientpsk = serverpsk = NULL;
2916 SSL_free(serverssl);
2917 SSL_free(clientssl);
2918 SSL_CTX_free(sctx);
2919 SSL_CTX_free(cctx);
2920 return testresult;
2921 }
2922
2923 static int allow_ed_cb_called = 0;
2924
2925 static int allow_early_data_cb(SSL *s, void *arg)
2926 {
2927 int *usecb = (int *)arg;
2928
2929 allow_ed_cb_called++;
2930
2931 if (*usecb == 1)
2932 return 0;
2933
2934 return 1;
2935 }
2936
2937 /*
2938 * idx == 0: Standard early_data setup
2939 * idx == 1: early_data setup using read_ahead
2940 * usecb == 0: Don't use a custom early data callback
2941 * usecb == 1: Use a custom early data callback and reject the early data
2942 * usecb == 2: Use a custom early data callback and accept the early data
2943 * confopt == 0: Configure anti-replay directly
2944 * confopt == 1: Configure anti-replay using SSL_CONF
2945 */
2946 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2947 {
2948 SSL_CTX *cctx = NULL, *sctx = NULL;
2949 SSL *clientssl = NULL, *serverssl = NULL;
2950 int testresult = 0;
2951 SSL_SESSION *sess = NULL;
2952 size_t readbytes, written;
2953 unsigned char buf[20];
2954
2955 allow_ed_cb_called = 0;
2956
2957 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2958 TLS1_VERSION, 0, &sctx,
2959 &cctx, cert, privkey)))
2960 return 0;
2961
2962 if (usecb > 0) {
2963 if (confopt == 0) {
2964 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2965 } else {
2966 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2967
2968 if (!TEST_ptr(confctx))
2969 goto end;
2970 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2971 | SSL_CONF_FLAG_SERVER);
2972 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2973 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2974 2)) {
2975 SSL_CONF_CTX_free(confctx);
2976 goto end;
2977 }
2978 SSL_CONF_CTX_free(confctx);
2979 }
2980 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2981 }
2982
2983 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2984 &serverssl, &sess, idx)))
2985 goto end;
2986
2987 /*
2988 * The server is configured to accept early data. Create a connection to
2989 * "use up" the ticket
2990 */
2991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2992 || !TEST_true(SSL_session_reused(clientssl)))
2993 goto end;
2994
2995 SSL_shutdown(clientssl);
2996 SSL_shutdown(serverssl);
2997 SSL_free(serverssl);
2998 SSL_free(clientssl);
2999 serverssl = clientssl = NULL;
3000
3001 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3002 &clientssl, NULL, NULL))
3003 || !TEST_true(SSL_set_session(clientssl, sess)))
3004 goto end;
3005
3006 /* Write and read some early data */
3007 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3008 &written))
3009 || !TEST_size_t_eq(written, strlen(MSG1)))
3010 goto end;
3011
3012 if (usecb <= 1) {
3013 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3014 &readbytes),
3015 SSL_READ_EARLY_DATA_FINISH)
3016 /*
3017 * The ticket was reused, so the we should have rejected the
3018 * early data
3019 */
3020 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3021 SSL_EARLY_DATA_REJECTED))
3022 goto end;
3023 } else {
3024 /* In this case the callback decides to accept the early data */
3025 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3026 &readbytes),
3027 SSL_READ_EARLY_DATA_SUCCESS)
3028 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3029 /*
3030 * Server will have sent its flight so client can now send
3031 * end of early data and complete its half of the handshake
3032 */
3033 || !TEST_int_gt(SSL_connect(clientssl), 0)
3034 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3035 &readbytes),
3036 SSL_READ_EARLY_DATA_FINISH)
3037 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3038 SSL_EARLY_DATA_ACCEPTED))
3039 goto end;
3040 }
3041
3042 /* Complete the connection */
3043 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3044 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3045 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3046 goto end;
3047
3048 testresult = 1;
3049
3050 end:
3051 SSL_SESSION_free(sess);
3052 SSL_SESSION_free(clientpsk);
3053 SSL_SESSION_free(serverpsk);
3054 clientpsk = serverpsk = NULL;
3055 SSL_free(serverssl);
3056 SSL_free(clientssl);
3057 SSL_CTX_free(sctx);
3058 SSL_CTX_free(cctx);
3059 return testresult;
3060 }
3061
3062 static int test_early_data_replay(int idx)
3063 {
3064 int ret = 1, usecb, confopt;
3065
3066 for (usecb = 0; usecb < 3; usecb++) {
3067 for (confopt = 0; confopt < 2; confopt++)
3068 ret &= test_early_data_replay_int(idx, usecb, confopt);
3069 }
3070
3071 return ret;
3072 }
3073
3074 /*
3075 * Helper function to test that a server attempting to read early data can
3076 * handle a connection from a client where the early data should be skipped.
3077 * testtype: 0 == No HRR
3078 * testtype: 1 == HRR
3079 * testtype: 2 == HRR, invalid early_data sent after HRR
3080 * testtype: 3 == recv_max_early_data set to 0
3081 */
3082 static int early_data_skip_helper(int testtype, int idx)
3083 {
3084 SSL_CTX *cctx = NULL, *sctx = NULL;
3085 SSL *clientssl = NULL, *serverssl = NULL;
3086 int testresult = 0;
3087 SSL_SESSION *sess = NULL;
3088 unsigned char buf[20];
3089 size_t readbytes, written;
3090
3091 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3092 &serverssl, &sess, idx)))
3093 goto end;
3094
3095 if (testtype == 1 || testtype == 2) {
3096 /* Force an HRR to occur */
3097 #if defined(OPENSSL_NO_EC)
3098 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3099 goto end;
3100 #else
3101 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3102 goto end;
3103 #endif
3104 } else if (idx == 2) {
3105 /*
3106 * We force early_data rejection by ensuring the PSK identity is
3107 * unrecognised
3108 */
3109 srvid = "Dummy Identity";
3110 } else {
3111 /*
3112 * Deliberately corrupt the creation time. We take 20 seconds off the
3113 * time. It could be any value as long as it is not within tolerance.
3114 * This should mean the ticket is rejected.
3115 */
3116 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3117 goto end;
3118 }
3119
3120 if (testtype == 3
3121 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3122 goto end;
3123
3124 /* Write some early data */
3125 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3126 &written))
3127 || !TEST_size_t_eq(written, strlen(MSG1)))
3128 goto end;
3129
3130 /* Server should reject the early data */
3131 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3132 &readbytes),
3133 SSL_READ_EARLY_DATA_FINISH)
3134 || !TEST_size_t_eq(readbytes, 0)
3135 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3136 SSL_EARLY_DATA_REJECTED))
3137 goto end;
3138
3139 switch (testtype) {
3140 case 0:
3141 /* Nothing to do */
3142 break;
3143
3144 case 1:
3145 /*
3146 * Finish off the handshake. We perform the same writes and reads as
3147 * further down but we expect them to fail due to the incomplete
3148 * handshake.
3149 */
3150 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3151 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3152 &readbytes)))
3153 goto end;
3154 break;
3155
3156 case 2:
3157 {
3158 BIO *wbio = SSL_get_wbio(clientssl);
3159 /* A record that will appear as bad early_data */
3160 const unsigned char bad_early_data[] = {
3161 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3162 };
3163
3164 /*
3165 * We force the client to attempt a write. This will fail because
3166 * we're still in the handshake. It will cause the second
3167 * ClientHello to be sent.
3168 */
3169 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3170 &written)))
3171 goto end;
3172
3173 /*
3174 * Inject some early_data after the second ClientHello. This should
3175 * cause the server to fail
3176 */
3177 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3178 sizeof(bad_early_data), &written)))
3179 goto end;
3180 }
3181 /* fallthrough */
3182
3183 case 3:
3184 /*
3185 * This client has sent more early_data than we are willing to skip
3186 * (case 3) or sent invalid early_data (case 2) so the connection should
3187 * abort.
3188 */
3189 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3190 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3191 goto end;
3192
3193 /* Connection has failed - nothing more to do */
3194 testresult = 1;
3195 goto end;
3196
3197 default:
3198 TEST_error("Invalid test type");
3199 goto end;
3200 }
3201
3202 /*
3203 * Should be able to send normal data despite rejection of early data. The
3204 * early_data should be skipped.
3205 */
3206 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3207 || !TEST_size_t_eq(written, strlen(MSG2))
3208 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3209 SSL_EARLY_DATA_REJECTED)
3210 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3212 goto end;
3213
3214 testresult = 1;
3215
3216 end:
3217 SSL_SESSION_free(clientpsk);
3218 SSL_SESSION_free(serverpsk);
3219 clientpsk = serverpsk = NULL;
3220 SSL_SESSION_free(sess);
3221 SSL_free(serverssl);
3222 SSL_free(clientssl);
3223 SSL_CTX_free(sctx);
3224 SSL_CTX_free(cctx);
3225 return testresult;
3226 }
3227
3228 /*
3229 * Test that a server attempting to read early data can handle a connection
3230 * from a client where the early data is not acceptable.
3231 */
3232 static int test_early_data_skip(int idx)
3233 {
3234 return early_data_skip_helper(0, idx);
3235 }
3236
3237 /*
3238 * Test that a server attempting to read early data can handle a connection
3239 * from a client where an HRR occurs.
3240 */
3241 static int test_early_data_skip_hrr(int idx)
3242 {
3243 return early_data_skip_helper(1, idx);
3244 }
3245
3246 /*
3247 * Test that a server attempting to read early data can handle a connection
3248 * from a client where an HRR occurs and correctly fails if early_data is sent
3249 * after the HRR
3250 */
3251 static int test_early_data_skip_hrr_fail(int idx)
3252 {
3253 return early_data_skip_helper(2, idx);
3254 }
3255
3256 /*
3257 * Test that a server attempting to read early data will abort if it tries to
3258 * skip over too much.
3259 */
3260 static int test_early_data_skip_abort(int idx)
3261 {
3262 return early_data_skip_helper(3, idx);
3263 }
3264
3265 /*
3266 * Test that a server attempting to read early data can handle a connection
3267 * from a client that doesn't send any.
3268 */
3269 static int test_early_data_not_sent(int idx)
3270 {
3271 SSL_CTX *cctx = NULL, *sctx = NULL;
3272 SSL *clientssl = NULL, *serverssl = NULL;
3273 int testresult = 0;
3274 SSL_SESSION *sess = NULL;
3275 unsigned char buf[20];
3276 size_t readbytes, written;
3277
3278 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3279 &serverssl, &sess, idx)))
3280 goto end;
3281
3282 /* Write some data - should block due to handshake with server */
3283 SSL_set_connect_state(clientssl);
3284 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3285 goto end;
3286
3287 /* Server should detect that early data has not been sent */
3288 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3289 &readbytes),
3290 SSL_READ_EARLY_DATA_FINISH)
3291 || !TEST_size_t_eq(readbytes, 0)
3292 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3293 SSL_EARLY_DATA_NOT_SENT)
3294 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3295 SSL_EARLY_DATA_NOT_SENT))
3296 goto end;
3297
3298 /* Continue writing the message we started earlier */
3299 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3300 || !TEST_size_t_eq(written, strlen(MSG1))
3301 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3302 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3303 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3304 || !TEST_size_t_eq(written, strlen(MSG2)))
3305 goto end;
3306
3307 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3308 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3309 goto end;
3310
3311 testresult = 1;
3312
3313 end:
3314 SSL_SESSION_free(sess);
3315 SSL_SESSION_free(clientpsk);
3316 SSL_SESSION_free(serverpsk);
3317 clientpsk = serverpsk = NULL;
3318 SSL_free(serverssl);
3319 SSL_free(clientssl);
3320 SSL_CTX_free(sctx);
3321 SSL_CTX_free(cctx);
3322 return testresult;
3323 }
3324
3325 static const char *servalpn;
3326
3327 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3328 unsigned char *outlen, const unsigned char *in,
3329 unsigned int inlen, void *arg)
3330 {
3331 unsigned int protlen = 0;
3332 const unsigned char *prot;
3333
3334 for (prot = in; prot < in + inlen; prot += protlen) {
3335 protlen = *prot++;
3336 if (in + inlen < prot + protlen)
3337 return SSL_TLSEXT_ERR_NOACK;
3338
3339 if (protlen == strlen(servalpn)
3340 && memcmp(prot, servalpn, protlen) == 0) {
3341 *out = prot;
3342 *outlen = protlen;
3343 return SSL_TLSEXT_ERR_OK;
3344 }
3345 }
3346
3347 return SSL_TLSEXT_ERR_NOACK;
3348 }
3349
3350 /* Test that a PSK can be used to send early_data */
3351 static int test_early_data_psk(int idx)
3352 {
3353 SSL_CTX *cctx = NULL, *sctx = NULL;
3354 SSL *clientssl = NULL, *serverssl = NULL;
3355 int testresult = 0;
3356 SSL_SESSION *sess = NULL;
3357 unsigned char alpnlist[] = {
3358 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3359 'l', 'p', 'n'
3360 };
3361 #define GOODALPNLEN 9
3362 #define BADALPNLEN 8
3363 #define GOODALPN (alpnlist)
3364 #define BADALPN (alpnlist + GOODALPNLEN)
3365 int err = 0;
3366 unsigned char buf[20];
3367 size_t readbytes, written;
3368 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3369 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3370
3371 /* We always set this up with a final parameter of "2" for PSK */
3372 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3373 &serverssl, &sess, 2)))
3374 goto end;
3375
3376 servalpn = "goodalpn";
3377
3378 /*
3379 * Note: There is no test for inconsistent SNI with late client detection.
3380 * This is because servers do not acknowledge SNI even if they are using
3381 * it in a resumption handshake - so it is not actually possible for a
3382 * client to detect a problem.
3383 */
3384 switch (idx) {
3385 case 0:
3386 /* Set inconsistent SNI (early client detection) */
3387 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3388 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3389 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3390 goto end;
3391 break;
3392
3393 case 1:
3394 /* Set inconsistent ALPN (early client detection) */
3395 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3396 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3397 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3398 GOODALPNLEN))
3399 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3400 BADALPNLEN)))
3401 goto end;
3402 break;
3403
3404 case 2:
3405 /*
3406 * Set invalid protocol version. Technically this affects PSKs without
3407 * early_data too, but we test it here because it is similar to the
3408 * SNI/ALPN consistency tests.
3409 */
3410 err = SSL_R_BAD_PSK;
3411 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3412 goto end;
3413 break;
3414
3415 case 3:
3416 /*
3417 * Set inconsistent SNI (server side). In this case the connection
3418 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3419 * is associated with each handshake - not the session. Therefore it
3420 * should not matter that we used a different server name last time.
3421 */
3422 SSL_SESSION_free(serverpsk);
3423 serverpsk = SSL_SESSION_dup(clientpsk);
3424 if (!TEST_ptr(serverpsk)
3425 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3426 goto end;
3427 /* Fall through */
3428 case 4:
3429 /* Set consistent SNI */
3430 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3431 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3432 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3433 hostname_cb)))
3434 goto end;
3435 break;
3436
3437 case 5:
3438 /*
3439 * Set inconsistent ALPN (server detected). In this case the connection
3440 * will succeed but reject early_data.
3441 */
3442 servalpn = "badalpn";
3443 edstatus = SSL_EARLY_DATA_REJECTED;
3444 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3445 /* Fall through */
3446 case 6:
3447 /*
3448 * Set consistent ALPN.
3449 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3450 * accepts a list of protos (each one length prefixed).
3451 * SSL_set1_alpn_selected accepts a single protocol (not length
3452 * prefixed)
3453 */
3454 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3455 GOODALPNLEN - 1))
3456 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3457 GOODALPNLEN)))
3458 goto end;
3459
3460 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3461 break;
3462
3463 case 7:
3464 /* Set inconsistent ALPN (late client detection) */
3465 SSL_SESSION_free(serverpsk);
3466 serverpsk = SSL_SESSION_dup(clientpsk);
3467 if (!TEST_ptr(serverpsk)
3468 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3469 BADALPN + 1,
3470 BADALPNLEN - 1))
3471 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3472 GOODALPN + 1,
3473 GOODALPNLEN - 1))
3474 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3475 sizeof(alpnlist))))
3476 goto end;
3477 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3478 edstatus = SSL_EARLY_DATA_ACCEPTED;
3479 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3480 /* SSL_connect() call should fail */
3481 connectres = -1;
3482 break;
3483
3484 default:
3485 TEST_error("Bad test index");
3486 goto end;
3487 }
3488
3489 SSL_set_connect_state(clientssl);
3490 if (err != 0) {
3491 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3492 &written))
3493 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3494 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3495 goto end;
3496 } else {
3497 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3498 &written)))
3499 goto end;
3500
3501 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3502 &readbytes), readearlyres)
3503 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3504 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3505 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3506 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3507 goto end;
3508 }
3509
3510 testresult = 1;
3511
3512 end:
3513 SSL_SESSION_free(sess);
3514 SSL_SESSION_free(clientpsk);
3515 SSL_SESSION_free(serverpsk);
3516 clientpsk = serverpsk = NULL;
3517 SSL_free(serverssl);
3518 SSL_free(clientssl);
3519 SSL_CTX_free(sctx);
3520 SSL_CTX_free(cctx);
3521 return testresult;
3522 }
3523
3524 /*
3525 * Test that a server that doesn't try to read early data can handle a
3526 * client sending some.
3527 */
3528 static int test_early_data_not_expected(int idx)
3529 {
3530 SSL_CTX *cctx = NULL, *sctx = NULL;
3531 SSL *clientssl = NULL, *serverssl = NULL;
3532 int testresult = 0;
3533 SSL_SESSION *sess = NULL;
3534 unsigned char buf[20];
3535 size_t readbytes, written;
3536
3537 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3538 &serverssl, &sess, idx)))
3539 goto end;
3540
3541 /* Write some early data */
3542 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3543 &written)))
3544 goto end;
3545
3546 /*
3547 * Server should skip over early data and then block waiting for client to
3548 * continue handshake
3549 */
3550 if (!TEST_int_le(SSL_accept(serverssl), 0)
3551 || !TEST_int_gt(SSL_connect(clientssl), 0)
3552 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3553 SSL_EARLY_DATA_REJECTED)
3554 || !TEST_int_gt(SSL_accept(serverssl), 0)
3555 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3556 SSL_EARLY_DATA_REJECTED))
3557 goto end;
3558
3559 /* Send some normal data from client to server */
3560 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3561 || !TEST_size_t_eq(written, strlen(MSG2)))
3562 goto end;
3563
3564 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3565 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3566 goto end;
3567
3568 testresult = 1;
3569
3570 end:
3571 SSL_SESSION_free(sess);
3572 SSL_SESSION_free(clientpsk);
3573 SSL_SESSION_free(serverpsk);
3574 clientpsk = serverpsk = NULL;
3575 SSL_free(serverssl);
3576 SSL_free(clientssl);
3577 SSL_CTX_free(sctx);
3578 SSL_CTX_free(cctx);
3579 return testresult;
3580 }
3581
3582
3583 # ifndef OPENSSL_NO_TLS1_2
3584 /*
3585 * Test that a server attempting to read early data can handle a connection
3586 * from a TLSv1.2 client.
3587 */
3588 static int test_early_data_tls1_2(int idx)
3589 {
3590 SSL_CTX *cctx = NULL, *sctx = NULL;
3591 SSL *clientssl = NULL, *serverssl = NULL;
3592 int testresult = 0;
3593 unsigned char buf[20];
3594 size_t readbytes, written;
3595
3596 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3597 &serverssl, NULL, idx)))
3598 goto end;
3599
3600 /* Write some data - should block due to handshake with server */
3601 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3602 SSL_set_connect_state(clientssl);
3603 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3604 goto end;
3605
3606 /*
3607 * Server should do TLSv1.2 handshake. First it will block waiting for more
3608 * messages from client after ServerDone. Then SSL_read_early_data should
3609 * finish and detect that early data has not been sent
3610 */
3611 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3612 &readbytes),
3613 SSL_READ_EARLY_DATA_ERROR))
3614 goto end;
3615
3616 /*
3617 * Continue writing the message we started earlier. Will still block waiting
3618 * for the CCS/Finished from server
3619 */
3620 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3621 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3622 &readbytes),
3623 SSL_READ_EARLY_DATA_FINISH)
3624 || !TEST_size_t_eq(readbytes, 0)
3625 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3626 SSL_EARLY_DATA_NOT_SENT))
3627 goto end;
3628
3629 /* Continue writing the message we started earlier */
3630 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3631 || !TEST_size_t_eq(written, strlen(MSG1))
3632 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3633 SSL_EARLY_DATA_NOT_SENT)
3634 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3635 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3636 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3637 || !TEST_size_t_eq(written, strlen(MSG2))
3638 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3639 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3640 goto end;
3641
3642 testresult = 1;
3643
3644 end:
3645 SSL_SESSION_free(clientpsk);
3646 SSL_SESSION_free(serverpsk);
3647 clientpsk = serverpsk = NULL;
3648 SSL_free(serverssl);
3649 SSL_free(clientssl);
3650 SSL_CTX_free(sctx);
3651 SSL_CTX_free(cctx);
3652
3653 return testresult;
3654 }
3655 # endif /* OPENSSL_NO_TLS1_2 */
3656
3657 /*
3658 * Test configuring the TLSv1.3 ciphersuites
3659 *
3660 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3661 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3662 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3663 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3664 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3665 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3666 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3667 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3668 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3669 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3670 */
3671 static int test_set_ciphersuite(int idx)
3672 {
3673 SSL_CTX *cctx = NULL, *sctx = NULL;
3674 SSL *clientssl = NULL, *serverssl = NULL;
3675 int testresult = 0;
3676
3677 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3678 TLS1_VERSION, 0,
3679 &sctx, &cctx, cert, privkey))
3680 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3681 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3682 goto end;
3683
3684 if (idx >=4 && idx <= 7) {
3685 /* SSL_CTX explicit cipher list */
3686 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3687 goto end;
3688 }
3689
3690 if (idx == 0 || idx == 4) {
3691 /* Default ciphersuite */
3692 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3693 "TLS_AES_128_GCM_SHA256")))
3694 goto end;
3695 } else if (idx == 1 || idx == 5) {
3696 /* Non default ciphersuite */
3697 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3698 "TLS_AES_128_CCM_SHA256")))
3699 goto end;
3700 }
3701
3702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3703 &clientssl, NULL, NULL)))
3704 goto end;
3705
3706 if (idx == 8 || idx == 9) {
3707 /* SSL explicit cipher list */
3708 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3709 goto end;
3710 }
3711
3712 if (idx == 2 || idx == 6 || idx == 8) {
3713 /* Default ciphersuite */
3714 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3715 "TLS_AES_128_GCM_SHA256")))
3716 goto end;
3717 } else if (idx == 3 || idx == 7 || idx == 9) {
3718 /* Non default ciphersuite */
3719 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3720 "TLS_AES_128_CCM_SHA256")))
3721 goto end;
3722 }
3723
3724 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3725 goto end;
3726
3727 testresult = 1;
3728
3729 end:
3730 SSL_free(serverssl);
3731 SSL_free(clientssl);
3732 SSL_CTX_free(sctx);
3733 SSL_CTX_free(cctx);
3734
3735 return testresult;
3736 }
3737
3738 static int test_ciphersuite_change(void)
3739 {
3740 SSL_CTX *cctx = NULL, *sctx = NULL;
3741 SSL *clientssl = NULL, *serverssl = NULL;
3742 SSL_SESSION *clntsess = NULL;
3743 int testresult = 0;
3744 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3745
3746 /* Create a session based on SHA-256 */
3747 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3748 TLS1_VERSION, 0,
3749 &sctx, &cctx, cert, privkey))
3750 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3751 "TLS_AES_128_GCM_SHA256"))
3752 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3753 &clientssl, NULL, NULL))
3754 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3755 SSL_ERROR_NONE)))
3756 goto end;
3757
3758 clntsess = SSL_get1_session(clientssl);
3759 /* Save for later */
3760 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3761 SSL_shutdown(clientssl);
3762 SSL_shutdown(serverssl);
3763 SSL_free(serverssl);
3764 SSL_free(clientssl);
3765 serverssl = clientssl = NULL;
3766
3767 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3768 /* Check we can resume a session with a different SHA-256 ciphersuite */
3769 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3770 "TLS_CHACHA20_POLY1305_SHA256"))
3771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3772 NULL, NULL))
3773 || !TEST_true(SSL_set_session(clientssl, clntsess))
3774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3775 SSL_ERROR_NONE))
3776 || !TEST_true(SSL_session_reused(clientssl)))
3777 goto end;
3778
3779 SSL_SESSION_free(clntsess);
3780 clntsess = SSL_get1_session(clientssl);
3781 SSL_shutdown(clientssl);
3782 SSL_shutdown(serverssl);
3783 SSL_free(serverssl);
3784 SSL_free(clientssl);
3785 serverssl = clientssl = NULL;
3786 # endif
3787
3788 /*
3789 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3790 * succeeds but does not resume.
3791 */
3792 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3793 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3794 NULL, NULL))
3795 || !TEST_true(SSL_set_session(clientssl, clntsess))
3796 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3797 SSL_ERROR_SSL))
3798 || !TEST_false(SSL_session_reused(clientssl)))
3799 goto end;
3800
3801 SSL_SESSION_free(clntsess);
3802 clntsess = NULL;
3803 SSL_shutdown(clientssl);
3804 SSL_shutdown(serverssl);
3805 SSL_free(serverssl);
3806 SSL_free(clientssl);
3807 serverssl = clientssl = NULL;
3808
3809 /* Create a session based on SHA384 */
3810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3811 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3812 &clientssl, NULL, NULL))
3813 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3814 SSL_ERROR_NONE)))
3815 goto end;
3816
3817 clntsess = SSL_get1_session(clientssl);
3818 SSL_shutdown(clientssl);
3819 SSL_shutdown(serverssl);
3820 SSL_free(serverssl);
3821 SSL_free(clientssl);
3822 serverssl = clientssl = NULL;
3823
3824 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3825 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3826 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3827 "TLS_AES_256_GCM_SHA384"))
3828 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3829 NULL, NULL))
3830 || !TEST_true(SSL_set_session(clientssl, clntsess))
3831 /*
3832 * We use SSL_ERROR_WANT_READ below so that we can pause the
3833 * connection after the initial ClientHello has been sent to
3834 * enable us to make some session changes.
3835 */
3836 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3837 SSL_ERROR_WANT_READ)))
3838 goto end;
3839
3840 /* Trick the client into thinking this session is for a different digest */
3841 clntsess->cipher = aes_128_gcm_sha256;
3842 clntsess->cipher_id = clntsess->cipher->id;
3843
3844 /*
3845 * Continue the previously started connection. Server has selected a SHA-384
3846 * ciphersuite, but client thinks the session is for SHA-256, so it should
3847 * bail out.
3848 */
3849 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3850 SSL_ERROR_SSL))
3851 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3852 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3853 goto end;
3854
3855 testresult = 1;
3856
3857 end:
3858 SSL_SESSION_free(clntsess);
3859 SSL_free(serverssl);
3860 SSL_free(clientssl);
3861 SSL_CTX_free(sctx);
3862 SSL_CTX_free(cctx);
3863
3864 return testresult;
3865 }
3866
3867 /*
3868 * Test TLSv1.3 Key exchange
3869 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3870 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3871 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3872 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3873 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3874 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3875 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3876 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3877 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3878 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3879 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3880 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3881 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3882 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3883 */
3884 static int test_key_exchange(int idx)
3885 {
3886 SSL_CTX *sctx = NULL, *cctx = NULL;
3887 SSL *serverssl = NULL, *clientssl = NULL;
3888 int testresult = 0;
3889 # ifndef OPENSSL_NO_EC
3890 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3891 NID_secp521r1, NID_X25519, NID_X448};
3892 # endif
3893 # ifndef OPENSSL_NO_DH
3894 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3895 NID_ffdhe6144, NID_ffdhe8192};
3896 # endif
3897 int kexch_alg;
3898 int *kexch_groups = &kexch_alg;
3899 int kexch_groups_size = 1;
3900 int max_version = TLS1_3_VERSION;
3901
3902 switch (idx) {
3903 # ifndef OPENSSL_NO_EC
3904 # ifndef OPENSSL_NO_TLS1_2
3905 case 12:
3906 max_version = TLS1_2_VERSION;
3907 # endif
3908 /* Fall through */
3909 case 0:
3910 kexch_groups = ecdhe_kexch_groups;
3911 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3912 break;
3913 case 1:
3914 kexch_alg = NID_X9_62_prime256v1;
3915 break;
3916 case 2:
3917 kexch_alg = NID_secp384r1;
3918 break;
3919 case 3:
3920 kexch_alg = NID_secp521r1;
3921 break;
3922 case 4:
3923 kexch_alg = NID_X25519;
3924 break;
3925 case 5:
3926 kexch_alg = NID_X448;
3927 break;
3928 # endif
3929 # ifndef OPENSSL_NO_DH
3930 # ifndef OPENSSL_NO_TLS1_2
3931 case 13:
3932 max_version = TLS1_2_VERSION;
3933 # endif
3934 /* Fall through */
3935 case 6:
3936 kexch_groups = ffdhe_kexch_groups;
3937 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3938 break;
3939 case 7:
3940 kexch_alg = NID_ffdhe2048;
3941 break;
3942 case 8:
3943 kexch_alg = NID_ffdhe3072;
3944 break;
3945 case 9:
3946 kexch_alg = NID_ffdhe4096;
3947 break;
3948 case 10:
3949 kexch_alg = NID_ffdhe6144;
3950 break;
3951 case 11:
3952 kexch_alg = NID_ffdhe8192;
3953 break;
3954 # endif
3955 default:
3956 /* We're skipping this test */
3957 return 1;
3958 }
3959
3960 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3961 TLS1_VERSION, max_version,
3962 &sctx, &cctx, cert, privkey)))
3963 goto end;
3964
3965 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3966 TLS1_3_RFC_AES_128_GCM_SHA256)))
3967 goto end;
3968
3969 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3970 TLS1_3_RFC_AES_128_GCM_SHA256)))
3971 goto end;
3972
3973 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3974 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3975 goto end;
3976
3977 /*
3978 * Must include an EC ciphersuite so that we send supported groups in
3979 * TLSv1.2
3980 */
3981 # ifndef OPENSSL_NO_TLS1_2
3982 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3983 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3984 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3985 goto end;
3986 # endif
3987
3988 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3989 NULL, NULL)))
3990 goto end;
3991
3992 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3993 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3994 goto end;
3995
3996 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3997 goto end;
3998
3999 /*
4000 * If Handshake succeeds the negotiated kexch alg should be the first one in
4001 * configured, except in the case of FFDHE groups (idx 13), which are
4002 * TLSv1.3 only so we expect no shared group to exist.
4003 */
4004 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4005 idx == 13 ? 0 : kexch_groups[0]))
4006 goto end;
4007 if (max_version == TLS1_3_VERSION) {
4008 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4009 goto end;
4010 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4011 goto end;
4012 }
4013
4014 testresult = 1;
4015 end:
4016 SSL_free(serverssl);
4017 SSL_free(clientssl);
4018 SSL_CTX_free(sctx);
4019 SSL_CTX_free(cctx);
4020 return testresult;
4021 }
4022
4023 /*
4024 * Test TLSv1.3 Cipher Suite
4025 * Test 0 = Set TLS1.3 cipher on context
4026 * Test 1 = Set TLS1.3 cipher on SSL
4027 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4028 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4029 */
4030 static int test_tls13_ciphersuite(int idx)
4031 {
4032 SSL_CTX *sctx = NULL, *cctx = NULL;
4033 SSL *serverssl = NULL, *clientssl = NULL;
4034 static const char *t13_ciphers[] = {
4035 TLS1_3_RFC_AES_128_GCM_SHA256,
4036 TLS1_3_RFC_AES_256_GCM_SHA384,
4037 TLS1_3_RFC_AES_128_CCM_SHA256,
4038 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4039 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4040 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4041 # endif
4042 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
4043 };
4044 const char *t13_cipher = NULL;
4045 const char *t12_cipher = NULL;
4046 const char *negotiated_scipher;
4047 const char *negotiated_ccipher;
4048 int set_at_ctx = 0;
4049 int set_at_ssl = 0;
4050 int testresult = 0;
4051 int max_ver;
4052 size_t i;
4053
4054 switch (idx) {
4055 case 0:
4056 set_at_ctx = 1;
4057 break;
4058 case 1:
4059 set_at_ssl = 1;
4060 break;
4061 case 2:
4062 set_at_ctx = 1;
4063 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4064 break;
4065 case 3:
4066 set_at_ssl = 1;
4067 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4068 break;
4069 }
4070
4071 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4072 # ifdef OPENSSL_NO_TLS1_2
4073 if (max_ver == TLS1_2_VERSION)
4074 continue;
4075 # endif
4076 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4077 t13_cipher = t13_ciphers[i];
4078 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4079 TLS_client_method(),
4080 TLS1_VERSION, max_ver,
4081 &sctx, &cctx, cert, privkey)))
4082 goto end;
4083
4084 if (set_at_ctx) {
4085 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4086 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4087 goto end;
4088 if (t12_cipher != NULL) {
4089 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4090 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4091 t12_cipher)))
4092 goto end;
4093 }
4094 }
4095
4096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4097 &clientssl, NULL, NULL)))
4098 goto end;
4099
4100 if (set_at_ssl) {
4101 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4102 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4103 goto end;
4104 if (t12_cipher != NULL) {
4105 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4106 || !TEST_true(SSL_set_cipher_list(clientssl,
4107 t12_cipher)))
4108 goto end;
4109 }
4110 }
4111
4112 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4113 SSL_ERROR_NONE)))
4114 goto end;
4115
4116 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4117 serverssl));
4118 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4119 clientssl));
4120 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4121 goto end;
4122
4123 /*
4124 * TEST_strn_eq is used below because t13_cipher can contain
4125 * multiple ciphersuites
4126 */
4127 if (max_ver == TLS1_3_VERSION
4128 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4129 strlen(negotiated_scipher)))
4130 goto end;
4131
4132 # ifndef OPENSSL_NO_TLS1_2
4133 /* Below validation is not done when t12_cipher is NULL */
4134 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4135 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4136 goto end;
4137 # endif
4138
4139 SSL_free(serverssl);
4140 serverssl = NULL;
4141 SSL_free(clientssl);
4142 clientssl = NULL;
4143 SSL_CTX_free(sctx);
4144 sctx = NULL;
4145 SSL_CTX_free(cctx);
4146 cctx = NULL;
4147 }
4148 }
4149
4150 testresult = 1;
4151 end:
4152 SSL_free(serverssl);
4153 SSL_free(clientssl);
4154 SSL_CTX_free(sctx);
4155 SSL_CTX_free(cctx);
4156 return testresult;
4157 }
4158
4159 /*
4160 * Test TLSv1.3 PSKs
4161 * Test 0 = Test new style callbacks
4162 * Test 1 = Test both new and old style callbacks
4163 * Test 2 = Test old style callbacks
4164 * Test 3 = Test old style callbacks with no certificate
4165 */
4166 static int test_tls13_psk(int idx)
4167 {
4168 SSL_CTX *sctx = NULL, *cctx = NULL;
4169 SSL *serverssl = NULL, *clientssl = NULL;
4170 const SSL_CIPHER *cipher = NULL;
4171 const unsigned char key[] = {
4172 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4173 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4174 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4175 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4176 };
4177 int testresult = 0;
4178
4179 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4180 TLS1_VERSION, 0,
4181 &sctx, &cctx, idx == 3 ? NULL : cert,
4182 idx == 3 ? NULL : privkey)))
4183 goto end;
4184
4185 if (idx != 3) {
4186 /*
4187 * We use a ciphersuite with SHA256 to ease testing old style PSK
4188 * callbacks which will always default to SHA256. This should not be
4189 * necessary if we have no cert/priv key. In that case the server should
4190 * prefer SHA256 automatically.
4191 */
4192 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4193 "TLS_AES_128_GCM_SHA256")))
4194 goto end;
4195 }
4196
4197 /*
4198 * Test 0: New style callbacks only
4199 * Test 1: New and old style callbacks (only the new ones should be used)
4200 * Test 2: Old style callbacks only
4201 */
4202 if (idx == 0 || idx == 1) {
4203 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4204 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4205 }
4206 #ifndef OPENSSL_NO_PSK
4207 if (idx >= 1) {
4208 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4209 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4210 }
4211 #endif
4212 srvid = pskid;
4213 use_session_cb_cnt = 0;
4214 find_session_cb_cnt = 0;
4215 psk_client_cb_cnt = 0;
4216 psk_server_cb_cnt = 0;
4217
4218 if (idx != 3) {
4219 /*
4220 * Check we can create a connection if callback decides not to send a
4221 * PSK
4222 */
4223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4224 NULL, NULL))
4225 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4226 SSL_ERROR_NONE))
4227 || !TEST_false(SSL_session_reused(clientssl))
4228 || !TEST_false(SSL_session_reused(serverssl)))
4229 goto end;
4230
4231 if (idx == 0 || idx == 1) {
4232 if (!TEST_true(use_session_cb_cnt == 1)
4233 || !TEST_true(find_session_cb_cnt == 0)
4234 /*
4235 * If no old style callback then below should be 0
4236 * otherwise 1
4237 */
4238 || !TEST_true(psk_client_cb_cnt == idx)
4239 || !TEST_true(psk_server_cb_cnt == 0))
4240 goto end;
4241 } else {
4242 if (!TEST_true(use_session_cb_cnt == 0)
4243 || !TEST_true(find_session_cb_cnt == 0)
4244 || !TEST_true(psk_client_cb_cnt == 1)
4245 || !TEST_true(psk_server_cb_cnt == 0))
4246 goto end;
4247 }
4248
4249 shutdown_ssl_connection(serverssl, clientssl);
4250 serverssl = clientssl = NULL;
4251 use_session_cb_cnt = psk_client_cb_cnt = 0;
4252 }
4253
4254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4255 NULL, NULL)))
4256 goto end;
4257
4258 /* Create the PSK */
4259 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4260 clientpsk = SSL_SESSION_new();
4261 if (!TEST_ptr(clientpsk)
4262 || !TEST_ptr(cipher)
4263 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4264 sizeof(key)))
4265 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4266 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4267 TLS1_3_VERSION))
4268 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4269 goto end;
4270 serverpsk = clientpsk;
4271
4272 /* Check we can create a connection and the PSK is used */
4273 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4274 || !TEST_true(SSL_session_reused(clientssl))
4275 || !TEST_true(SSL_session_reused(serverssl)))
4276 goto end;
4277
4278 if (idx == 0 || idx == 1) {
4279 if (!TEST_true(use_session_cb_cnt == 1)
4280 || !TEST_true(find_session_cb_cnt == 1)
4281 || !TEST_true(psk_client_cb_cnt == 0)
4282 || !TEST_true(psk_server_cb_cnt == 0))
4283 goto end;
4284 } else {
4285 if (!TEST_true(use_session_cb_cnt == 0)
4286 || !TEST_true(find_session_cb_cnt == 0)
4287 || !TEST_true(psk_client_cb_cnt == 1)
4288 || !TEST_true(psk_server_cb_cnt == 1))
4289 goto end;
4290 }
4291
4292 shutdown_ssl_connection(serverssl, clientssl);
4293 serverssl = clientssl = NULL;
4294 use_session_cb_cnt = find_session_cb_cnt = 0;
4295 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4296
4297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4298 NULL, NULL)))
4299 goto end;
4300
4301 /* Force an HRR */
4302 #if defined(OPENSSL_NO_EC)
4303 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4304 goto end;
4305 #else
4306 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4307 goto end;
4308 #endif
4309
4310 /*
4311 * Check we can create a connection, the PSK is used and the callbacks are
4312 * called twice.
4313 */
4314 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4315 || !TEST_true(SSL_session_reused(clientssl))
4316 || !TEST_true(SSL_session_reused(serverssl)))
4317 goto end;
4318
4319 if (idx == 0 || idx == 1) {
4320 if (!TEST_true(use_session_cb_cnt == 2)
4321 || !TEST_true(find_session_cb_cnt == 2)
4322 || !TEST_true(psk_client_cb_cnt == 0)
4323 || !TEST_true(psk_server_cb_cnt == 0))
4324 goto end;
4325 } else {
4326 if (!TEST_true(use_session_cb_cnt == 0)
4327 || !TEST_true(find_session_cb_cnt == 0)
4328 || !TEST_true(psk_client_cb_cnt == 2)
4329 || !TEST_true(psk_server_cb_cnt == 2))
4330 goto end;
4331 }
4332
4333 shutdown_ssl_connection(serverssl, clientssl);
4334 serverssl = clientssl = NULL;
4335 use_session_cb_cnt = find_session_cb_cnt = 0;
4336 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4337
4338 if (idx != 3) {
4339 /*
4340 * Check that if the server rejects the PSK we can still connect, but with
4341 * a full handshake
4342 */
4343 srvid = "Dummy Identity";
4344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4345 NULL, NULL))
4346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4347 SSL_ERROR_NONE))
4348 || !TEST_false(SSL_session_reused(clientssl))
4349 || !TEST_false(SSL_session_reused(serverssl)))
4350 goto end;
4351
4352 if (idx == 0 || idx == 1) {
4353 if (!TEST_true(use_session_cb_cnt == 1)
4354 || !TEST_true(find_session_cb_cnt == 1)
4355 || !TEST_true(psk_client_cb_cnt == 0)
4356 /*
4357 * If no old style callback then below should be 0
4358 * otherwise 1
4359 */
4360 || !TEST_true(psk_server_cb_cnt == idx))
4361 goto end;
4362 } else {
4363 if (!TEST_true(use_session_cb_cnt == 0)
4364 || !TEST_true(find_session_cb_cnt == 0)
4365 || !TEST_true(psk_client_cb_cnt == 1)
4366 || !TEST_true(psk_server_cb_cnt == 1))
4367 goto end;
4368 }
4369
4370 shutdown_ssl_connection(serverssl, clientssl);
4371 serverssl = clientssl = NULL;
4372 }
4373 testresult = 1;
4374
4375 end:
4376 SSL_SESSION_free(clientpsk);
4377 SSL_SESSION_free(serverpsk);
4378 clientpsk = serverpsk = NULL;
4379 SSL_free(serverssl);
4380 SSL_free(clientssl);
4381 SSL_CTX_free(sctx);
4382 SSL_CTX_free(cctx);
4383 return testresult;
4384 }
4385
4386 static unsigned char cookie_magic_value[] = "cookie magic";
4387
4388 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4389 unsigned int *cookie_len)
4390 {
4391 /*
4392 * Not suitable as a real cookie generation function but good enough for
4393 * testing!
4394 */
4395 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4396 *cookie_len = sizeof(cookie_magic_value) - 1;
4397
4398 return 1;
4399 }
4400
4401 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4402 unsigned int cookie_len)
4403 {
4404 if (cookie_len == sizeof(cookie_magic_value) - 1
4405 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4406 return 1;
4407
4408 return 0;
4409 }
4410
4411 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4412 size_t *cookie_len)
4413 {
4414 unsigned int temp;
4415 int res = generate_cookie_callback(ssl, cookie, &temp);
4416 *cookie_len = temp;
4417 return res;
4418 }
4419
4420 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4421 size_t cookie_len)
4422 {
4423 return verify_cookie_callback(ssl, cookie, cookie_len);
4424 }
4425
4426 static int test_stateless(void)
4427 {
4428 SSL_CTX *sctx = NULL, *cctx = NULL;
4429 SSL *serverssl = NULL, *clientssl = NULL;
4430 int testresult = 0;
4431
4432 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4433 TLS1_VERSION, 0,
4434 &sctx, &cctx, cert, privkey)))
4435 goto end;
4436
4437 /* The arrival of CCS messages can confuse the test */
4438 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4439
4440 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4441 NULL, NULL))
4442 /* Send the first ClientHello */
4443 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4444 SSL_ERROR_WANT_READ))
4445 /*
4446 * This should fail with a -1 return because we have no callbacks
4447 * set up
4448 */
4449 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4450 goto end;
4451
4452 /* Fatal error so abandon the connection from this client */
4453 SSL_free(clientssl);
4454 clientssl = NULL;
4455
4456 /* Set up the cookie generation and verification callbacks */
4457 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4458 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4459
4460 /*
4461 * Create a new connection from the client (we can reuse the server SSL
4462 * object).
4463 */
4464 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4465 NULL, NULL))
4466 /* Send the first ClientHello */
4467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4468 SSL_ERROR_WANT_READ))
4469 /* This should fail because there is no cookie */
4470 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4471 goto end;
4472
4473 /* Abandon the connection from this client */
4474 SSL_free(clientssl);
4475 clientssl = NULL;
4476
4477 /*
4478 * Now create a connection from a new client but with the same server SSL
4479 * object
4480 */
4481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4482 NULL, NULL))
4483 /* Send the first ClientHello */
4484 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4485 SSL_ERROR_WANT_READ))
4486 /* This should fail because there is no cookie */
4487 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4488 /* Send the second ClientHello */
4489 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4490 SSL_ERROR_WANT_READ))
4491 /* This should succeed because a cookie is now present */
4492 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4493 /* Complete the connection */
4494 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4495 SSL_ERROR_NONE)))
4496 goto end;
4497
4498 shutdown_ssl_connection(serverssl, clientssl);
4499 serverssl = clientssl = NULL;
4500 testresult = 1;
4501
4502 end:
4503 SSL_free(serverssl);
4504 SSL_free(clientssl);
4505 SSL_CTX_free(sctx);
4506 SSL_CTX_free(cctx);
4507 return testresult;
4508
4509 }
4510 #endif /* OPENSSL_NO_TLS1_3 */
4511
4512 static int clntaddoldcb = 0;
4513 static int clntparseoldcb = 0;
4514 static int srvaddoldcb = 0;
4515 static int srvparseoldcb = 0;
4516 static int clntaddnewcb = 0;
4517 static int clntparsenewcb = 0;
4518 static int srvaddnewcb = 0;
4519 static int srvparsenewcb = 0;
4520 static int snicb = 0;
4521
4522 #define TEST_EXT_TYPE1 0xff00
4523
4524 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4525 size_t *outlen, int *al, void *add_arg)
4526 {
4527 int *server = (int *)add_arg;
4528 unsigned char *data;
4529
4530 if (SSL_is_server(s))
4531 srvaddoldcb++;
4532 else
4533 clntaddoldcb++;
4534
4535 if (*server != SSL_is_server(s)
4536 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4537 return -1;
4538
4539 *data = 1;
4540 *out = data;
4541 *outlen = sizeof(char);
4542 return 1;
4543 }
4544
4545 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4546 void *add_arg)
4547 {
4548 OPENSSL_free((unsigned char *)out);
4549 }
4550
4551 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4552 size_t inlen, int *al, void *parse_arg)
4553 {
4554 int *server = (int *)parse_arg;
4555
4556 if (SSL_is_server(s))
4557 srvparseoldcb++;
4558 else
4559 clntparseoldcb++;
4560
4561 if (*server != SSL_is_server(s)
4562 || inlen != sizeof(char)
4563 || *in != 1)
4564 return -1;
4565
4566 return 1;
4567 }
4568
4569 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4570 const unsigned char **out, size_t *outlen, X509 *x,
4571 size_t chainidx, int *al, void *add_arg)
4572 {
4573 int *server = (int *)add_arg;
4574 unsigned char *data;
4575
4576 if (SSL_is_server(s))
4577 srvaddnewcb++;
4578 else
4579 clntaddnewcb++;
4580
4581 if (*server != SSL_is_server(s)
4582 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4583 return -1;
4584
4585 *data = 1;
4586 *out = data;
4587 *outlen = sizeof(*data);
4588 return 1;
4589 }
4590
4591 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4592 const unsigned char *out, void *add_arg)
4593 {
4594 OPENSSL_free((unsigned char *)out);
4595 }
4596
4597 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4598 const unsigned char *in, size_t inlen, X509 *x,
4599 size_t chainidx, int *al, void *parse_arg)
4600 {
4601 int *server = (int *)parse_arg;
4602
4603 if (SSL_is_server(s))
4604 srvparsenewcb++;
4605 else
4606 clntparsenewcb++;
4607
4608 if (*server != SSL_is_server(s)
4609 || inlen != sizeof(char) || *in != 1)
4610 return -1;
4611
4612 return 1;
4613 }
4614
4615 static int sni_cb(SSL *s, int *al, void *arg)
4616 {
4617 SSL_CTX *ctx = (SSL_CTX *)arg;
4618
4619 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4620 *al = SSL_AD_INTERNAL_ERROR;
4621 return SSL_TLSEXT_ERR_ALERT_FATAL;
4622 }
4623 snicb++;
4624 return SSL_TLSEXT_ERR_OK;
4625 }
4626
4627 /*
4628 * Custom call back tests.
4629 * Test 0: Old style callbacks in TLSv1.2
4630 * Test 1: New style callbacks in TLSv1.2
4631 * Test 2: New style callbacks in TLSv1.2 with SNI
4632 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4633 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4634 */
4635 static int test_custom_exts(int tst)
4636 {
4637 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4638 SSL *clientssl = NULL, *serverssl = NULL;
4639 int testresult = 0;
4640 static int server = 1;
4641 static int client = 0;
4642 SSL_SESSION *sess = NULL;
4643 unsigned int context;
4644
4645 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4646 /* Skip tests for TLSv1.2 and below in this case */
4647 if (tst < 3)
4648 return 1;
4649 #endif
4650
4651 /* Reset callback counters */
4652 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4653 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4654 snicb = 0;
4655
4656 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4657 TLS1_VERSION, 0,
4658 &sctx, &cctx, cert, privkey)))
4659 goto end;
4660
4661 if (tst == 2
4662 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4663 TLS1_VERSION, 0,
4664 &sctx2, NULL, cert, privkey)))
4665 goto end;
4666
4667
4668 if (tst < 3) {
4669 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4670 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4671 if (sctx2 != NULL)
4672 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4673 }
4674
4675 if (tst == 4) {
4676 context = SSL_EXT_CLIENT_HELLO
4677 | SSL_EXT_TLS1_2_SERVER_HELLO
4678 | SSL_EXT_TLS1_3_SERVER_HELLO
4679 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4680 | SSL_EXT_TLS1_3_CERTIFICATE
4681 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4682 } else {
4683 context = SSL_EXT_CLIENT_HELLO
4684 | SSL_EXT_TLS1_2_SERVER_HELLO
4685 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4686 }
4687
4688 /* Create a client side custom extension */
4689 if (tst == 0) {
4690 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4691 old_add_cb, old_free_cb,
4692 &client, old_parse_cb,
4693 &client)))
4694 goto end;
4695 } else {
4696 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4697 new_add_cb, new_free_cb,
4698 &client, new_parse_cb, &client)))
4699 goto end;
4700 }
4701
4702 /* Should not be able to add duplicates */
4703 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4704 old_add_cb, old_free_cb,
4705 &client, old_parse_cb,
4706 &client))
4707 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4708 context, new_add_cb,
4709 new_free_cb, &client,
4710 new_parse_cb, &client)))
4711 goto end;
4712
4713 /* Create a server side custom extension */
4714 if (tst == 0) {
4715 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4716 old_add_cb, old_free_cb,
4717 &server, old_parse_cb,
4718 &server)))
4719 goto end;
4720 } else {
4721 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4722 new_add_cb, new_free_cb,
4723 &server, new_parse_cb, &server)))
4724 goto end;
4725 if (sctx2 != NULL
4726 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4727 context, new_add_cb,
4728 new_free_cb, &server,
4729 new_parse_cb, &server)))
4730 goto end;
4731 }
4732
4733 /* Should not be able to add duplicates */
4734 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4735 old_add_cb, old_free_cb,
4736 &server, old_parse_cb,
4737 &server))
4738 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4739 context, new_add_cb,
4740 new_free_cb, &server,
4741 new_parse_cb, &server)))
4742 goto end;
4743
4744 if (tst == 2) {
4745 /* Set up SNI */
4746 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4747 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4748 goto end;
4749 }
4750
4751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4752 &clientssl, NULL, NULL))
4753 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4754 SSL_ERROR_NONE)))
4755 goto end;
4756
4757 if (tst == 0) {
4758 if (clntaddoldcb != 1
4759 || clntparseoldcb != 1
4760 || srvaddoldcb != 1
4761 || srvparseoldcb != 1)
4762 goto end;
4763 } else if (tst == 1 || tst == 2 || tst == 3) {
4764 if (clntaddnewcb != 1
4765 || clntparsenewcb != 1
4766 || srvaddnewcb != 1
4767 || srvparsenewcb != 1
4768 || (tst != 2 && snicb != 0)
4769 || (tst == 2 && snicb != 1))
4770 goto end;
4771 } else {
4772 /* In this case there 2 NewSessionTicket messages created */
4773 if (clntaddnewcb != 1
4774 || clntparsenewcb != 5
4775 || srvaddnewcb != 5
4776 || srvparsenewcb != 1)
4777 goto end;
4778 }
4779
4780 sess = SSL_get1_session(clientssl);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4786
4787 if (tst == 3) {
4788 /* We don't bother with the resumption aspects for this test */
4789 testresult = 1;
4790 goto end;
4791 }
4792
4793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4794 NULL, NULL))
4795 || !TEST_true(SSL_set_session(clientssl, sess))
4796 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4797 SSL_ERROR_NONE)))
4798 goto end;
4799
4800 /*
4801 * For a resumed session we expect to add the ClientHello extension. For the
4802 * old style callbacks we ignore it on the server side because they set
4803 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4804 * them.
4805 */
4806 if (tst == 0) {
4807 if (clntaddoldcb != 2
4808 || clntparseoldcb != 1
4809 || srvaddoldcb != 1
4810 || srvparseoldcb != 1)
4811 goto end;
4812 } else if (tst == 1 || tst == 2 || tst == 3) {
4813 if (clntaddnewcb != 2
4814 || clntparsenewcb != 2
4815 || srvaddnewcb != 2
4816 || srvparsenewcb != 2)
4817 goto end;
4818 } else {
4819 /*
4820 * No Certificate message extensions in the resumption handshake,
4821 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4822 */
4823 if (clntaddnewcb != 2
4824 || clntparsenewcb != 8
4825 || srvaddnewcb != 8
4826 || srvparsenewcb != 2)
4827 goto end;
4828 }
4829
4830 testresult = 1;
4831
4832 end:
4833 SSL_SESSION_free(sess);
4834 SSL_free(serverssl);
4835 SSL_free(clientssl);
4836 SSL_CTX_free(sctx2);
4837 SSL_CTX_free(sctx);
4838 SSL_CTX_free(cctx);
4839 return testresult;
4840 }
4841
4842 /*
4843 * Test loading of serverinfo data in various formats. test_sslmessages actually
4844 * tests to make sure the extensions appear in the handshake
4845 */
4846 static int test_serverinfo(int tst)
4847 {
4848 unsigned int version;
4849 unsigned char *sibuf;
4850 size_t sibuflen;
4851 int ret, expected, testresult = 0;
4852 SSL_CTX *ctx;
4853
4854 ctx = SSL_CTX_new(TLS_method());
4855 if (!TEST_ptr(ctx))
4856 goto end;
4857
4858 if ((tst & 0x01) == 0x01)
4859 version = SSL_SERVERINFOV2;
4860 else
4861 version = SSL_SERVERINFOV1;
4862
4863 if ((tst & 0x02) == 0x02) {
4864 sibuf = serverinfov2;
4865 sibuflen = sizeof(serverinfov2);
4866 expected = (version == SSL_SERVERINFOV2);
4867 } else {
4868 sibuf = serverinfov1;
4869 sibuflen = sizeof(serverinfov1);
4870 expected = (version == SSL_SERVERINFOV1);
4871 }
4872
4873 if ((tst & 0x04) == 0x04) {
4874 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4875 } else {
4876 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4877
4878 /*
4879 * The version variable is irrelevant in this case - it's what is in the
4880 * buffer that matters
4881 */
4882 if ((tst & 0x02) == 0x02)
4883 expected = 0;
4884 else
4885 expected = 1;
4886 }
4887
4888 if (!TEST_true(ret == expected))
4889 goto end;
4890
4891 testresult = 1;
4892
4893 end:
4894 SSL_CTX_free(ctx);
4895
4896 return testresult;
4897 }
4898
4899 /*
4900 * Test that SSL_export_keying_material() produces expected results. There are
4901 * no test vectors so all we do is test that both sides of the communication
4902 * produce the same results for different protocol versions.
4903 */
4904 #define SMALL_LABEL_LEN 10
4905 #define LONG_LABEL_LEN 249
4906 static int test_export_key_mat(int tst)
4907 {
4908 int testresult = 0;
4909 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4910 SSL *clientssl = NULL, *serverssl = NULL;
4911 const char label[LONG_LABEL_LEN + 1] = "test label";
4912 const unsigned char context[] = "context";
4913 const unsigned char *emptycontext = NULL;
4914 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4915 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4916 size_t labellen;
4917 const int protocols[] = {
4918 TLS1_VERSION,
4919 TLS1_1_VERSION,
4920 TLS1_2_VERSION,
4921 TLS1_3_VERSION,
4922 TLS1_3_VERSION,
4923 TLS1_3_VERSION
4924 };
4925
4926 #ifdef OPENSSL_NO_TLS1
4927 if (tst == 0)
4928 return 1;
4929 #endif
4930 #ifdef OPENSSL_NO_TLS1_1
4931 if (tst == 1)
4932 return 1;
4933 #endif
4934 #ifdef OPENSSL_NO_TLS1_2
4935 if (tst == 2)
4936 return 1;
4937 #endif
4938 #ifdef OPENSSL_NO_TLS1_3
4939 if (tst >= 3)
4940 return 1;
4941 #endif
4942 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4943 TLS1_VERSION, 0,
4944 &sctx, &cctx, cert, privkey)))
4945 goto end;
4946
4947 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4948 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4949 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4950
4951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4952 NULL))
4953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4954 SSL_ERROR_NONE)))
4955 goto end;
4956
4957 if (tst == 5) {
4958 /*
4959 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4960 * go over that.
4961 */
4962 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4963 sizeof(ckeymat1), label,
4964 LONG_LABEL_LEN + 1, context,
4965 sizeof(context) - 1, 1), 0))
4966 goto end;
4967
4968 testresult = 1;
4969 goto end;
4970 } else if (tst == 4) {
4971 labellen = LONG_LABEL_LEN;
4972 } else {
4973 labellen = SMALL_LABEL_LEN;
4974 }
4975
4976 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4977 sizeof(ckeymat1), label,
4978 labellen, context,
4979 sizeof(context) - 1, 1), 1)
4980 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4981 sizeof(ckeymat2), label,
4982 labellen,
4983 emptycontext,
4984 0, 1), 1)
4985 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4986 sizeof(ckeymat3), label,
4987 labellen,
4988 NULL, 0, 0), 1)
4989 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4990 sizeof(skeymat1), label,
4991 labellen,
4992 context,
4993 sizeof(context) -1, 1),
4994 1)
4995 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4996 sizeof(skeymat2), label,
4997 labellen,
4998 emptycontext,
4999 0, 1), 1)
5000 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5001 sizeof(skeymat3), label,
5002 labellen,
5003 NULL, 0, 0), 1)
5004 /*
5005 * Check that both sides created the same key material with the
5006 * same context.
5007 */
5008 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5009 sizeof(skeymat1))
5010 /*
5011 * Check that both sides created the same key material with an
5012 * empty context.
5013 */
5014 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5015 sizeof(skeymat2))
5016 /*
5017 * Check that both sides created the same key material without a
5018 * context.
5019 */
5020 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5021 sizeof(skeymat3))
5022 /* Different contexts should produce different results */
5023 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5024 sizeof(ckeymat2)))
5025 goto end;
5026
5027 /*
5028 * Check that an empty context and no context produce different results in
5029 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5030 */
5031 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5032 sizeof(ckeymat3)))
5033 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5034 sizeof(ckeymat3))))
5035 goto end;
5036
5037 testresult = 1;
5038
5039 end:
5040 SSL_free(serverssl);
5041 SSL_free(clientssl);
5042 SSL_CTX_free(sctx2);
5043 SSL_CTX_free(sctx);
5044 SSL_CTX_free(cctx);
5045
5046 return testresult;
5047 }
5048
5049 #ifndef OPENSSL_NO_TLS1_3
5050 /*
5051 * Test that SSL_export_keying_material_early() produces expected
5052 * results. There are no test vectors so all we do is test that both
5053 * sides of the communication produce the same results for different
5054 * protocol versions.
5055 */
5056 static int test_export_key_mat_early(int idx)
5057 {
5058 static const char label[] = "test label";
5059 static const unsigned char context[] = "context";
5060 int testresult = 0;
5061 SSL_CTX *cctx = NULL, *sctx = NULL;
5062 SSL *clientssl = NULL, *serverssl = NULL;
5063 SSL_SESSION *sess = NULL;
5064 const unsigned char *emptycontext = NULL;
5065 unsigned char ckeymat1[80], ckeymat2[80];
5066 unsigned char skeymat1[80], skeymat2[80];
5067 unsigned char buf[1];
5068 size_t readbytes, written;
5069
5070 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5071 &sess, idx)))
5072 goto end;
5073
5074 /* Here writing 0 length early data is enough. */
5075 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5076 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5077 &readbytes),
5078 SSL_READ_EARLY_DATA_ERROR)
5079 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5080 SSL_EARLY_DATA_ACCEPTED))
5081 goto end;
5082
5083 if (!TEST_int_eq(SSL_export_keying_material_early(
5084 clientssl, ckeymat1, sizeof(ckeymat1), label,
5085 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5086 || !TEST_int_eq(SSL_export_keying_material_early(
5087 clientssl, ckeymat2, sizeof(ckeymat2), label,
5088 sizeof(label) - 1, emptycontext, 0), 1)
5089 || !TEST_int_eq(SSL_export_keying_material_early(
5090 serverssl, skeymat1, sizeof(skeymat1), label,
5091 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5092 || !TEST_int_eq(SSL_export_keying_material_early(
5093 serverssl, skeymat2, sizeof(skeymat2), label,
5094 sizeof(label) - 1, emptycontext, 0), 1)
5095 /*
5096 * Check that both sides created the same key material with the
5097 * same context.
5098 */
5099 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5100 sizeof(skeymat1))
5101 /*
5102 * Check that both sides created the same key material with an
5103 * empty context.
5104 */
5105 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5106 sizeof(skeymat2))
5107 /* Different contexts should produce different results */
5108 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5109 sizeof(ckeymat2)))
5110 goto end;
5111
5112 testresult = 1;
5113
5114 end:
5115 SSL_SESSION_free(sess);
5116 SSL_SESSION_free(clientpsk);
5117 SSL_SESSION_free(serverpsk);
5118 clientpsk = serverpsk = NULL;
5119 SSL_free(serverssl);
5120 SSL_free(clientssl);
5121 SSL_CTX_free(sctx);
5122 SSL_CTX_free(cctx);
5123
5124 return testresult;
5125 }
5126
5127 #define NUM_KEY_UPDATE_MESSAGES 40
5128 /*
5129 * Test KeyUpdate.
5130 */
5131 static int test_key_update(void)
5132 {
5133 SSL_CTX *cctx = NULL, *sctx = NULL;
5134 SSL *clientssl = NULL, *serverssl = NULL;
5135 int testresult = 0, i, j;
5136 char buf[20];
5137 static char *mess = "A test message";
5138
5139 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5140 TLS_client_method(),
5141 TLS1_3_VERSION,
5142 0,
5143 &sctx, &cctx, cert, privkey))
5144 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5145 NULL, NULL))
5146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5147 SSL_ERROR_NONE)))
5148 goto end;
5149
5150 for (j = 0; j < 2; j++) {
5151 /* Send lots of KeyUpdate messages */
5152 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5153 if (!TEST_true(SSL_key_update(clientssl,
5154 (j == 0)
5155 ? SSL_KEY_UPDATE_NOT_REQUESTED
5156 : SSL_KEY_UPDATE_REQUESTED))
5157 || !TEST_true(SSL_do_handshake(clientssl)))
5158 goto end;
5159 }
5160
5161 /* Check that sending and receiving app data is ok */
5162 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5163 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5164 strlen(mess)))
5165 goto end;
5166
5167 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5168 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5169 strlen(mess)))
5170 goto end;
5171 }
5172
5173 testresult = 1;
5174
5175 end:
5176 SSL_free(serverssl);
5177 SSL_free(clientssl);
5178 SSL_CTX_free(sctx);
5179 SSL_CTX_free(cctx);
5180
5181 return testresult;
5182 }
5183
5184 /*
5185 * Test we can handle a KeyUpdate (update requested) message while write data
5186 * is pending.
5187 * Test 0: Client sends KeyUpdate while Server is writing
5188 * Test 1: Server sends KeyUpdate while Client is writing
5189 */
5190 static int test_key_update_in_write(int tst)
5191 {
5192 SSL_CTX *cctx = NULL, *sctx = NULL;
5193 SSL *clientssl = NULL, *serverssl = NULL;
5194 int testresult = 0;
5195 char buf[20];
5196 static char *mess = "A test message";
5197 BIO *bretry = BIO_new(bio_s_always_retry());
5198 BIO *tmp = NULL;
5199 SSL *peerupdate = NULL, *peerwrite = NULL;
5200
5201 if (!TEST_ptr(bretry)
5202 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5203 TLS_client_method(),
5204 TLS1_3_VERSION,
5205 0,
5206 &sctx, &cctx, cert, privkey))
5207 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5208 NULL, NULL))
5209 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5210 SSL_ERROR_NONE)))
5211 goto end;
5212
5213 peerupdate = tst == 0 ? clientssl : serverssl;
5214 peerwrite = tst == 0 ? serverssl : clientssl;
5215
5216 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5217 || !TEST_true(SSL_do_handshake(peerupdate)))
5218 goto end;
5219
5220 /* Swap the writing endpoint's write BIO to force a retry */
5221 tmp = SSL_get_wbio(peerwrite);
5222 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5223 tmp = NULL;
5224 goto end;
5225 }
5226 SSL_set0_wbio(peerwrite, bretry);
5227 bretry = NULL;
5228
5229 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5230 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5231 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5232 goto end;
5233
5234 /* Reinstate the original writing endpoint's write BIO */
5235 SSL_set0_wbio(peerwrite, tmp);
5236 tmp = NULL;
5237
5238 /* Now read some data - we will read the key update */
5239 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5240 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5241 goto end;
5242
5243 /*
5244 * Complete the write we started previously and read it from the other
5245 * endpoint
5246 */
5247 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5248 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5249 goto end;
5250
5251 /* Write more data to ensure we send the KeyUpdate message back */
5252 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5253 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5254 goto end;
5255
5256 testresult = 1;
5257
5258 end:
5259 SSL_free(serverssl);
5260 SSL_free(clientssl);
5261 SSL_CTX_free(sctx);
5262 SSL_CTX_free(cctx);
5263 BIO_free(bretry);
5264 BIO_free(tmp);
5265
5266 return testresult;
5267 }
5268 #endif /* OPENSSL_NO_TLS1_3 */
5269
5270 static int test_ssl_clear(int idx)
5271 {
5272 SSL_CTX *cctx = NULL, *sctx = NULL;
5273 SSL *clientssl = NULL, *serverssl = NULL;
5274 int testresult = 0;
5275
5276 #ifdef OPENSSL_NO_TLS1_2
5277 if (idx == 1)
5278 return 1;
5279 #endif
5280
5281 /* Create an initial connection */
5282 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5283 TLS1_VERSION, 0,
5284 &sctx, &cctx, cert, privkey))
5285 || (idx == 1
5286 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5287 TLS1_2_VERSION)))
5288 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5289 &clientssl, NULL, NULL))
5290 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5291 SSL_ERROR_NONE)))
5292 goto end;
5293
5294 SSL_shutdown(clientssl);
5295 SSL_shutdown(serverssl);
5296 SSL_free(serverssl);
5297 serverssl = NULL;
5298
5299 /* Clear clientssl - we're going to reuse the object */
5300 if (!TEST_true(SSL_clear(clientssl)))
5301 goto end;
5302
5303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5304 NULL, NULL))
5305 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5306 SSL_ERROR_NONE))
5307 || !TEST_true(SSL_session_reused(clientssl)))
5308 goto end;
5309
5310 SSL_shutdown(clientssl);
5311 SSL_shutdown(serverssl);
5312
5313 testresult = 1;
5314
5315 end:
5316 SSL_free(serverssl);
5317 SSL_free(clientssl);
5318 SSL_CTX_free(sctx);
5319 SSL_CTX_free(cctx);
5320
5321 return testresult;
5322 }
5323
5324 /* Parse CH and retrieve any MFL extension value if present */
5325 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5326 {
5327 long len;
5328 unsigned char *data;
5329 PACKET pkt, pkt2, pkt3;
5330 unsigned int MFL_code = 0, type = 0;
5331
5332 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5333 goto end;
5334
5335 memset(&pkt, 0, sizeof(pkt));
5336 memset(&pkt2, 0, sizeof(pkt2));
5337 memset(&pkt3, 0, sizeof(pkt3));
5338
5339 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5340 /* Skip the record header */
5341 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5342 /* Skip the handshake message header */
5343 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5344 /* Skip client version and random */
5345 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5346 + SSL3_RANDOM_SIZE))
5347 /* Skip session id */
5348 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5349 /* Skip ciphers */
5350 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5351 /* Skip compression */
5352 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5353 /* Extensions len */
5354 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5355 goto end;
5356
5357 /* Loop through all extensions */
5358 while (PACKET_remaining(&pkt2)) {
5359 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5360 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5361 goto end;
5362
5363 if (type == TLSEXT_TYPE_max_fragment_length) {
5364 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5365 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5366 goto end;
5367
5368 *mfl_codemfl_code = MFL_code;
5369 return 1;
5370 }
5371 }
5372
5373 end:
5374 return 0;
5375 }
5376
5377 /* Maximum-Fragment-Length TLS extension mode to test */
5378 static const unsigned char max_fragment_len_test[] = {
5379 TLSEXT_max_fragment_length_512,
5380 TLSEXT_max_fragment_length_1024,
5381 TLSEXT_max_fragment_length_2048,
5382 TLSEXT_max_fragment_length_4096
5383 };
5384
5385 static int test_max_fragment_len_ext(int idx_tst)
5386 {
5387 SSL_CTX *ctx;
5388 SSL *con = NULL;
5389 int testresult = 0, MFL_mode = 0;
5390 BIO *rbio, *wbio;
5391
5392 ctx = SSL_CTX_new(TLS_method());
5393 if (!TEST_ptr(ctx))
5394 goto end;
5395
5396 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5397 ctx, max_fragment_len_test[idx_tst])))
5398 goto end;
5399
5400 con = SSL_new(ctx);
5401 if (!TEST_ptr(con))
5402 goto end;
5403
5404 rbio = BIO_new(BIO_s_mem());
5405 wbio = BIO_new(BIO_s_mem());
5406 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5407 BIO_free(rbio);
5408 BIO_free(wbio);
5409 goto end;
5410 }
5411
5412 SSL_set_bio(con, rbio, wbio);
5413 SSL_set_connect_state(con);
5414
5415 if (!TEST_int_le(SSL_connect(con), 0)) {
5416 /* This shouldn't succeed because we don't have a server! */
5417 goto end;
5418 }
5419
5420 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5421 /* no MFL in client hello */
5422 goto end;
5423 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5424 goto end;
5425
5426 testresult = 1;
5427
5428 end:
5429 SSL_free(con);
5430 SSL_CTX_free(ctx);
5431
5432 return testresult;
5433 }
5434
5435 #ifndef OPENSSL_NO_TLS1_3
5436 static int test_pha_key_update(void)
5437 {
5438 SSL_CTX *cctx = NULL, *sctx = NULL;
5439 SSL *clientssl = NULL, *serverssl = NULL;
5440 int testresult = 0;
5441
5442 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5443 TLS1_VERSION, 0,
5444 &sctx, &cctx, cert, privkey)))
5445 return 0;
5446
5447 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5448 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5449 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5450 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5451 goto end;
5452
5453 SSL_CTX_set_post_handshake_auth(cctx, 1);
5454
5455 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5456 NULL, NULL)))
5457 goto end;
5458
5459 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5460 SSL_ERROR_NONE)))
5461 goto end;
5462
5463 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5464 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5465 goto end;
5466
5467 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5468 goto end;
5469
5470 /* Start handshake on the server */
5471 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5472 goto end;
5473
5474 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5475 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5476 SSL_ERROR_NONE)))
5477 goto end;
5478
5479 SSL_shutdown(clientssl);
5480 SSL_shutdown(serverssl);
5481
5482 testresult = 1;
5483
5484 end:
5485 SSL_free(serverssl);
5486 SSL_free(clientssl);
5487 SSL_CTX_free(sctx);
5488 SSL_CTX_free(cctx);
5489 return testresult;
5490 }
5491 #endif
5492
5493 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5494
5495 static SRP_VBASE *vbase = NULL;
5496
5497 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5498 {
5499 int ret = SSL3_AL_FATAL;
5500 char *username;
5501 SRP_user_pwd *user = NULL;
5502
5503 username = SSL_get_srp_username(s);
5504 if (username == NULL) {
5505 *ad = SSL_AD_INTERNAL_ERROR;
5506 goto err;
5507 }
5508
5509 user = SRP_VBASE_get1_by_user(vbase, username);
5510 if (user == NULL) {
5511 *ad = SSL_AD_INTERNAL_ERROR;
5512 goto err;
5513 }
5514
5515 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5516 user->info) <= 0) {
5517 *ad = SSL_AD_INTERNAL_ERROR;
5518 goto err;
5519 }
5520
5521 ret = 0;
5522
5523 err:
5524 SRP_user_pwd_free(user);
5525 return ret;
5526 }
5527
5528 static int create_new_vfile(char *userid, char *password, const char *filename)
5529 {
5530 char *gNid = NULL;
5531 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5532 TXT_DB *db = NULL;
5533 int ret = 0;
5534 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5535 size_t i;
5536
5537 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5538 goto end;
5539
5540 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5541 &row[DB_srpverifier], NULL, NULL);
5542 if (!TEST_ptr(gNid))
5543 goto end;
5544
5545 /*
5546 * The only way to create an empty TXT_DB is to provide a BIO with no data
5547 * in it!
5548 */
5549 db = TXT_DB_read(dummy, DB_NUMBER);
5550 if (!TEST_ptr(db))
5551 goto end;
5552
5553 out = BIO_new_file(filename, "w");
5554 if (!TEST_ptr(out))
5555 goto end;
5556
5557 row[DB_srpid] = OPENSSL_strdup(userid);
5558 row[DB_srptype] = OPENSSL_strdup("V");
5559 row[DB_srpgN] = OPENSSL_strdup(gNid);
5560
5561 if (!TEST_ptr(row[DB_srpid])
5562 || !TEST_ptr(row[DB_srptype])
5563 || !TEST_ptr(row[DB_srpgN])
5564 || !TEST_true(TXT_DB_insert(db, row)))
5565 goto end;
5566
5567 row = NULL;
5568
5569 if (!TXT_DB_write(out, db))
5570 goto end;
5571
5572 ret = 1;
5573 end:
5574 if (row != NULL) {
5575 for (i = 0; i < DB_NUMBER; i++)
5576 OPENSSL_free(row[i]);
5577 }
5578 OPENSSL_free(row);
5579 BIO_free(dummy);
5580 BIO_free(out);
5581 TXT_DB_free(db);
5582
5583 return ret;
5584 }
5585
5586 static int create_new_vbase(char *userid, char *password)
5587 {
5588 BIGNUM *verifier = NULL, *salt = NULL;
5589 const SRP_gN *lgN = NULL;
5590 SRP_user_pwd *user_pwd = NULL;
5591 int ret = 0;
5592
5593 lgN = SRP_get_default_gN(NULL);
5594 if (!TEST_ptr(lgN))
5595 goto end;
5596
5597 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5598 lgN->N, lgN->g)))
5599 goto end;
5600
5601 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5602 if (!TEST_ptr(user_pwd))
5603 goto end;
5604
5605 user_pwd->N = lgN->N;
5606 user_pwd->g = lgN->g;
5607 user_pwd->id = OPENSSL_strdup(userid);
5608 if (!TEST_ptr(user_pwd->id))
5609 goto end;
5610
5611 user_pwd->v = verifier;
5612 user_pwd->s = salt;
5613 verifier = salt = NULL;
5614
5615 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5616 goto end;
5617 user_pwd = NULL;
5618
5619 ret = 1;
5620 end:
5621 SRP_user_pwd_free(user_pwd);
5622 BN_free(salt);
5623 BN_free(verifier);
5624
5625 return ret;
5626 }
5627
5628 /*
5629 * SRP tests
5630 *
5631 * Test 0: Simple successful SRP connection, new vbase
5632 * Test 1: Connection failure due to bad password, new vbase
5633 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5634 * Test 3: Connection failure due to bad password, vbase loaded from existing
5635 * file
5636 * Test 4: Simple successful SRP connection, vbase loaded from new file
5637 * Test 5: Connection failure due to bad password, vbase loaded from new file
5638 */
5639 static int test_srp(int tst)
5640 {
5641 char *userid = "test", *password = "password", *tstsrpfile;
5642 SSL_CTX *cctx = NULL, *sctx = NULL;
5643 SSL *clientssl = NULL, *serverssl = NULL;
5644 int ret, testresult = 0;
5645
5646 vbase = SRP_VBASE_new(NULL);
5647 if (!TEST_ptr(vbase))
5648 goto end;
5649
5650 if (tst == 0 || tst == 1) {
5651 if (!TEST_true(create_new_vbase(userid, password)))
5652 goto end;
5653 } else {
5654 if (tst == 4 || tst == 5) {
5655 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5656 goto end;
5657 tstsrpfile = tmpfilename;
5658 } else {
5659 tstsrpfile = srpvfile;
5660 }
5661 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5662 goto end;
5663 }
5664
5665 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5666 TLS1_VERSION, 0,
5667 &sctx, &cctx, cert, privkey)))
5668 goto end;
5669
5670 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5671 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5672 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5673 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5674 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5675 goto end;
5676
5677 if (tst % 2 == 1) {
5678 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5679 goto end;
5680 } else {
5681 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5682 goto end;
5683 }
5684
5685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5686 NULL, NULL)))
5687 goto end;
5688
5689 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5690 if (ret) {
5691 if (!TEST_true(tst % 2 == 0))
5692 goto end;
5693 } else {
5694 if (!TEST_true(tst % 2 == 1))
5695 goto end;
5696 }
5697
5698 testresult = 1;
5699
5700 end:
5701 SRP_VBASE_free(vbase);
5702 vbase = NULL;
5703 SSL_free(serverssl);
5704 SSL_free(clientssl);
5705 SSL_CTX_free(sctx);
5706 SSL_CTX_free(cctx);
5707
5708 return testresult;
5709 }
5710 #endif
5711
5712 static int info_cb_failed = 0;
5713 static int info_cb_offset = 0;
5714 static int info_cb_this_state = -1;
5715
5716 static struct info_cb_states_st {
5717 int where;
5718 const char *statestr;
5719 } info_cb_states[][60] = {
5720 {
5721 /* TLSv1.2 server followed by resumption */
5722 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5723 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5724 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5725 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5726 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5727 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5728 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5729 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5730 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5731 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5732 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5733 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5734 {SSL_CB_EXIT, NULL}, {0, NULL},
5735 }, {
5736 /* TLSv1.2 client followed by resumption */
5737 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5738 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5739 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5740 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5741 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5742 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5743 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5744 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5745 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5746 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5747 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5748 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5749 }, {
5750 /* TLSv1.3 server followed by resumption */
5751 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5752 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5753 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5754 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5755 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5756 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5757 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5758 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5759 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5760 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5761 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5762 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5763 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5764 }, {
5765 /* TLSv1.3 client followed by resumption */
5766 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5767 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5768 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5769 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5770 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5771 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5772 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5773 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5774 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5775 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5776 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5777 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5779 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5780 {SSL_CB_EXIT, NULL}, {0, NULL},
5781 }, {
5782 /* TLSv1.3 server, early_data */
5783 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5784 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5785 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5786 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5787 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5788 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5789 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5790 {SSL_CB_EXIT, NULL}, {0, NULL},
5791 }, {
5792 /* TLSv1.3 client, early_data */
5793 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5794 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5795 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5796 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5797 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5798 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5799 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5800 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5801 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5802 }, {
5803 {0, NULL},
5804 }
5805 };
5806
5807 static void sslapi_info_callback(const SSL *s, int where, int ret)
5808 {
5809 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5810
5811 /* We do not ever expect a connection to fail in this test */
5812 if (!TEST_false(ret == 0)) {
5813 info_cb_failed = 1;
5814 return;
5815 }
5816
5817 /*
5818 * Do some sanity checks. We never expect these things to happen in this
5819 * test
5820 */
5821 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5822 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5823 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5824 info_cb_failed = 1;
5825 return;
5826 }
5827
5828 /* Now check we're in the right state */
5829 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5830 info_cb_failed = 1;
5831 return;
5832 }
5833 if ((where & SSL_CB_LOOP) != 0
5834 && !TEST_int_eq(strcmp(SSL_state_string(s),
5835 state[info_cb_this_state].statestr), 0)) {
5836 info_cb_failed = 1;
5837 return;
5838 }
5839
5840 /*
5841 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5842 */
5843 if ((where & SSL_CB_HANDSHAKE_DONE)
5844 && SSL_in_init((SSL *)s) != 0) {
5845 info_cb_failed = 1;
5846 return;
5847 }
5848 }
5849
5850 /*
5851 * Test the info callback gets called when we expect it to.
5852 *
5853 * Test 0: TLSv1.2, server
5854 * Test 1: TLSv1.2, client
5855 * Test 2: TLSv1.3, server
5856 * Test 3: TLSv1.3, client
5857 * Test 4: TLSv1.3, server, early_data
5858 * Test 5: TLSv1.3, client, early_data
5859 */
5860 static int test_info_callback(int tst)
5861 {
5862 SSL_CTX *cctx = NULL, *sctx = NULL;
5863 SSL *clientssl = NULL, *serverssl = NULL;
5864 SSL_SESSION *clntsess = NULL;
5865 int testresult = 0;
5866 int tlsvers;
5867
5868 if (tst < 2) {
5869 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5870 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5871 || !defined(OPENSSL_NO_DH))
5872 tlsvers = TLS1_2_VERSION;
5873 #else
5874 return 1;
5875 #endif
5876 } else {
5877 #ifndef OPENSSL_NO_TLS1_3
5878 tlsvers = TLS1_3_VERSION;
5879 #else
5880 return 1;
5881 #endif
5882 }
5883
5884 /* Reset globals */
5885 info_cb_failed = 0;
5886 info_cb_this_state = -1;
5887 info_cb_offset = tst;
5888
5889 #ifndef OPENSSL_NO_TLS1_3
5890 if (tst >= 4) {
5891 SSL_SESSION *sess = NULL;
5892 size_t written, readbytes;
5893 unsigned char buf[80];
5894
5895 /* early_data tests */
5896 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5897 &serverssl, &sess, 0)))
5898 goto end;
5899
5900 /* We don't actually need this reference */
5901 SSL_SESSION_free(sess);
5902
5903 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5904 sslapi_info_callback);
5905
5906 /* Write and read some early data and then complete the connection */
5907 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5908 &written))
5909 || !TEST_size_t_eq(written, strlen(MSG1))
5910 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5911 sizeof(buf), &readbytes),
5912 SSL_READ_EARLY_DATA_SUCCESS)
5913 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5914 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5915 SSL_EARLY_DATA_ACCEPTED)
5916 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5917 SSL_ERROR_NONE))
5918 || !TEST_false(info_cb_failed))
5919 goto end;
5920
5921 testresult = 1;
5922 goto end;
5923 }
5924 #endif
5925
5926 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5927 TLS_client_method(),
5928 tlsvers, tlsvers, &sctx, &cctx, cert,
5929 privkey)))
5930 goto end;
5931
5932 /*
5933 * For even numbered tests we check the server callbacks. For odd numbers we
5934 * check the client.
5935 */
5936 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5937 sslapi_info_callback);
5938
5939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5940 &clientssl, NULL, NULL))
5941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5942 SSL_ERROR_NONE))
5943 || !TEST_false(info_cb_failed))
5944 goto end;
5945
5946
5947
5948 clntsess = SSL_get1_session(clientssl);
5949 SSL_shutdown(clientssl);
5950 SSL_shutdown(serverssl);
5951 SSL_free(serverssl);
5952 SSL_free(clientssl);
5953 serverssl = clientssl = NULL;
5954
5955 /* Now do a resumption */
5956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5957 NULL))
5958 || !TEST_true(SSL_set_session(clientssl, clntsess))
5959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5960 SSL_ERROR_NONE))
5961 || !TEST_true(SSL_session_reused(clientssl))
5962 || !TEST_false(info_cb_failed))
5963 goto end;
5964
5965 testresult = 1;
5966
5967 end:
5968 SSL_free(serverssl);
5969 SSL_free(clientssl);
5970 SSL_SESSION_free(clntsess);
5971 SSL_CTX_free(sctx);
5972 SSL_CTX_free(cctx);
5973 return testresult;
5974 }
5975
5976 static int test_ssl_pending(int tst)
5977 {
5978 SSL_CTX *cctx = NULL, *sctx = NULL;
5979 SSL *clientssl = NULL, *serverssl = NULL;
5980 int testresult = 0;
5981 char msg[] = "A test message";
5982 char buf[5];
5983 size_t written, readbytes;
5984
5985 if (tst == 0) {
5986 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5987 TLS_client_method(),
5988 TLS1_VERSION, 0,
5989 &sctx, &cctx, cert, privkey)))
5990 goto end;
5991 } else {
5992 #ifndef OPENSSL_NO_DTLS
5993 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5994 DTLS_client_method(),
5995 DTLS1_VERSION, 0,
5996 &sctx, &cctx, cert, privkey)))
5997 goto end;
5998 #else
5999 return 1;
6000 #endif
6001 }
6002
6003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6004 NULL, NULL))
6005 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6006 SSL_ERROR_NONE)))
6007 goto end;
6008
6009 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6010 || !TEST_false(SSL_has_pending(clientssl))
6011 || !TEST_int_eq(SSL_pending(serverssl), 0)
6012 || !TEST_false(SSL_has_pending(serverssl))
6013 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6014 || !TEST_size_t_eq(written, sizeof(msg))
6015 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6016 || !TEST_size_t_eq(readbytes, sizeof(buf))
6017 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6018 || !TEST_true(SSL_has_pending(clientssl)))
6019 goto end;
6020
6021 testresult = 1;
6022
6023 end:
6024 SSL_free(serverssl);
6025 SSL_free(clientssl);
6026 SSL_CTX_free(sctx);
6027 SSL_CTX_free(cctx);
6028
6029 return testresult;
6030 }
6031
6032 static struct {
6033 unsigned int maxprot;
6034 const char *clntciphers;
6035 const char *clnttls13ciphers;
6036 const char *srvrciphers;
6037 const char *srvrtls13ciphers;
6038 const char *shared;
6039 } shared_ciphers_data[] = {
6040 /*
6041 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6042 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6043 */
6044 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6045 {
6046 TLS1_2_VERSION,
6047 "AES128-SHA:AES256-SHA",
6048 NULL,
6049 "AES256-SHA:DHE-RSA-AES128-SHA",
6050 NULL,
6051 "AES256-SHA"
6052 },
6053 {
6054 TLS1_2_VERSION,
6055 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6056 NULL,
6057 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6058 NULL,
6059 "AES128-SHA:AES256-SHA"
6060 },
6061 {
6062 TLS1_2_VERSION,
6063 "AES128-SHA:AES256-SHA",
6064 NULL,
6065 "AES128-SHA:DHE-RSA-AES128-SHA",
6066 NULL,
6067 "AES128-SHA"
6068 },
6069 #endif
6070 /*
6071 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6072 * enabled.
6073 */
6074 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6075 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6076 {
6077 TLS1_3_VERSION,
6078 "AES128-SHA:AES256-SHA",
6079 NULL,
6080 "AES256-SHA:AES128-SHA256",
6081 NULL,
6082 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6083 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6084 },
6085 #endif
6086 #ifndef OPENSSL_NO_TLS1_3
6087 {
6088 TLS1_3_VERSION,
6089 "AES128-SHA",
6090 "TLS_AES_256_GCM_SHA384",
6091 "AES256-SHA",
6092 "TLS_AES_256_GCM_SHA384",
6093 "TLS_AES_256_GCM_SHA384"
6094 },
6095 #endif
6096 };
6097
6098 static int test_ssl_get_shared_ciphers(int tst)
6099 {
6100 SSL_CTX *cctx = NULL, *sctx = NULL;
6101 SSL *clientssl = NULL, *serverssl = NULL;
6102 int testresult = 0;
6103 char buf[1024];
6104
6105 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6106 TLS_client_method(),
6107 TLS1_VERSION,
6108 shared_ciphers_data[tst].maxprot,
6109 &sctx, &cctx, cert, privkey)))
6110 goto end;
6111
6112 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6113 shared_ciphers_data[tst].clntciphers))
6114 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6115 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6116 shared_ciphers_data[tst].clnttls13ciphers)))
6117 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6118 shared_ciphers_data[tst].srvrciphers))
6119 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6120 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6121 shared_ciphers_data[tst].srvrtls13ciphers))))
6122 goto end;
6123
6124
6125 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6126 NULL, NULL))
6127 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6128 SSL_ERROR_NONE)))
6129 goto end;
6130
6131 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6132 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6133 TEST_info("Shared ciphers are: %s\n", buf);
6134 goto end;
6135 }
6136
6137 testresult = 1;
6138
6139 end:
6140 SSL_free(serverssl);
6141 SSL_free(clientssl);
6142 SSL_CTX_free(sctx);
6143 SSL_CTX_free(cctx);
6144
6145 return testresult;
6146 }
6147
6148 static const char *appdata = "Hello World";
6149 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6150 static int tick_key_renew = 0;
6151 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6152
6153 static int gen_tick_cb(SSL *s, void *arg)
6154 {
6155 gen_tick_called = 1;
6156
6157 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6158 strlen(appdata));
6159 }
6160
6161 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6162 const unsigned char *keyname,
6163 size_t keyname_length,
6164 SSL_TICKET_STATUS status,
6165 void *arg)
6166 {
6167 void *tickdata;
6168 size_t tickdlen;
6169
6170 dec_tick_called = 1;
6171
6172 if (status == SSL_TICKET_EMPTY)
6173 return SSL_TICKET_RETURN_IGNORE_RENEW;
6174
6175 if (!TEST_true(status == SSL_TICKET_SUCCESS
6176 || status == SSL_TICKET_SUCCESS_RENEW))
6177 return SSL_TICKET_RETURN_ABORT;
6178
6179 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6180 &tickdlen))
6181 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6182 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6183 return SSL_TICKET_RETURN_ABORT;
6184
6185 if (tick_key_cb_called) {
6186 /* Don't change what the ticket key callback wanted to do */
6187 switch (status) {
6188 case SSL_TICKET_NO_DECRYPT:
6189 return SSL_TICKET_RETURN_IGNORE_RENEW;
6190
6191 case SSL_TICKET_SUCCESS:
6192 return SSL_TICKET_RETURN_USE;
6193
6194 case SSL_TICKET_SUCCESS_RENEW:
6195 return SSL_TICKET_RETURN_USE_RENEW;
6196
6197 default:
6198 return SSL_TICKET_RETURN_ABORT;
6199 }
6200 }
6201 return tick_dec_ret;
6202
6203 }
6204
6205 #ifndef OPENSSL_NO_DEPRECATED_3_0
6206 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6207 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6208 HMAC_CTX *hctx, int enc)
6209 {
6210 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6211 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6212
6213 tick_key_cb_called = 1;
6214 memset(iv, 0, AES_BLOCK_SIZE);
6215 memset(key_name, 0, 16);
6216 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6217 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6218 EVP_sha256(), NULL))
6219 return -1;
6220
6221 return tick_key_renew ? 2 : 1;
6222 }
6223 #endif
6224
6225 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6226 unsigned char iv[EVP_MAX_IV_LENGTH],
6227 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6228 {
6229 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6230 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6231 OSSL_PARAM params[3];
6232
6233 tick_key_cb_called = 1;
6234 memset(iv, 0, AES_BLOCK_SIZE);
6235 memset(key_name, 0, 16);
6236 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6237 "SHA256", 0);
6238 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6239 tick_hmac_key,
6240 sizeof(tick_hmac_key));
6241 params[2] = OSSL_PARAM_construct_end();
6242 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6243 || !EVP_MAC_CTX_set_params(hctx, params)
6244 || !EVP_MAC_init(hctx))
6245 return -1;
6246
6247 return tick_key_renew ? 2 : 1;
6248 }
6249
6250 /*
6251 * Test the various ticket callbacks
6252 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6253 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6254 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6255 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6256 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6257 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6258 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6259 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6260 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6261 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6262 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6263 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6264 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6265 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6266 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6267 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6268 */
6269 static int test_ticket_callbacks(int tst)
6270 {
6271 SSL_CTX *cctx = NULL, *sctx = NULL;
6272 SSL *clientssl = NULL, *serverssl = NULL;
6273 SSL_SESSION *clntsess = NULL;
6274 int testresult = 0;
6275
6276 #ifdef OPENSSL_NO_TLS1_2
6277 if (tst % 2 == 0)
6278 return 1;
6279 #endif
6280 #ifdef OPENSSL_NO_TLS1_3
6281 if (tst % 2 == 1)
6282 return 1;
6283 #endif
6284 #ifdef OPENSSL_NO_DEPRECATED_3_0
6285 if (tst >= 8 && tst <= 11)
6286 return 1;
6287 #endif
6288
6289 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6290
6291 /* Which tests the ticket key callback should request renewal for */
6292 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6293 tick_key_renew = 1;
6294 else
6295 tick_key_renew = 0;
6296
6297 /* Which tests the decrypt ticket callback should request renewal for */
6298 switch (tst) {
6299 case 0:
6300 case 1:
6301 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6302 break;
6303
6304 case 2:
6305 case 3:
6306 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6307 break;
6308
6309 case 4:
6310 case 5:
6311 tick_dec_ret = SSL_TICKET_RETURN_USE;
6312 break;
6313
6314 case 6:
6315 case 7:
6316 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6317 break;
6318
6319 default:
6320 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6321 }
6322
6323 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6324 TLS_client_method(),
6325 TLS1_VERSION,
6326 ((tst % 2) == 0) ? TLS1_2_VERSION
6327 : TLS1_3_VERSION,
6328 &sctx, &cctx, cert, privkey)))
6329 goto end;
6330
6331 /*
6332 * We only want sessions to resume from tickets - not the session cache. So
6333 * switch the cache off.
6334 */
6335 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6336 goto end;
6337
6338 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6339 NULL)))
6340 goto end;
6341
6342 if (tst >= 12) {
6343 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6344 goto end;
6345 #ifndef OPENSSL_NO_DEPRECATED_3_0
6346 } else if (tst >= 8) {
6347 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6348 goto end;
6349 #endif
6350 }
6351
6352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6353 NULL, NULL))
6354 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6355 SSL_ERROR_NONE)))
6356 goto end;
6357
6358 /*
6359 * The decrypt ticket key callback in TLSv1.2 should be called even though
6360 * we have no ticket yet, because it gets called with a status of
6361 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6362 * actually send any ticket data). This does not happen in TLSv1.3 because
6363 * it is not valid to send empty ticket data in TLSv1.3.
6364 */
6365 if (!TEST_int_eq(gen_tick_called, 1)
6366 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6367 goto end;
6368
6369 gen_tick_called = dec_tick_called = 0;
6370
6371 clntsess = SSL_get1_session(clientssl);
6372 SSL_shutdown(clientssl);
6373 SSL_shutdown(serverssl);
6374 SSL_free(serverssl);
6375 SSL_free(clientssl);
6376 serverssl = clientssl = NULL;
6377
6378 /* Now do a resumption */
6379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6380 NULL))
6381 || !TEST_true(SSL_set_session(clientssl, clntsess))
6382 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6383 SSL_ERROR_NONE)))
6384 goto end;
6385
6386 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6387 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6388 if (!TEST_false(SSL_session_reused(clientssl)))
6389 goto end;
6390 } else {
6391 if (!TEST_true(SSL_session_reused(clientssl)))
6392 goto end;
6393 }
6394
6395 if (!TEST_int_eq(gen_tick_called,
6396 (tick_key_renew
6397 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6398 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6399 ? 1 : 0)
6400 || !TEST_int_eq(dec_tick_called, 1))
6401 goto end;
6402
6403 testresult = 1;
6404
6405 end:
6406 SSL_SESSION_free(clntsess);
6407 SSL_free(serverssl);
6408 SSL_free(clientssl);
6409 SSL_CTX_free(sctx);
6410 SSL_CTX_free(cctx);
6411
6412 return testresult;
6413 }
6414
6415 /*
6416 * Test bi-directional shutdown.
6417 * Test 0: TLSv1.2
6418 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6419 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6420 * Test 3: TLSv1.3, pending NewSessionTicket messages
6421 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6422 * sends key update, client reads it
6423 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6424 * sends CertificateRequest, client reads and ignores it
6425 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6426 * doesn't read it
6427 */
6428 static int test_shutdown(int tst)
6429 {
6430 SSL_CTX *cctx = NULL, *sctx = NULL;
6431 SSL *clientssl = NULL, *serverssl = NULL;
6432 int testresult = 0;
6433 char msg[] = "A test message";
6434 char buf[80];
6435 size_t written, readbytes;
6436 SSL_SESSION *sess;
6437
6438 #ifdef OPENSSL_NO_TLS1_2
6439 if (tst <= 1)
6440 return 1;
6441 #endif
6442 #ifdef OPENSSL_NO_TLS1_3
6443 if (tst >= 2)
6444 return 1;
6445 #endif
6446
6447 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6448 TLS_client_method(),
6449 TLS1_VERSION,
6450 (tst <= 1) ? TLS1_2_VERSION
6451 : TLS1_3_VERSION,
6452 &sctx, &cctx, cert, privkey)))
6453 goto end;
6454
6455 if (tst == 5)
6456 SSL_CTX_set_post_handshake_auth(cctx, 1);
6457
6458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6459 NULL, NULL)))
6460 goto end;
6461
6462 if (tst == 3) {
6463 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6464 SSL_ERROR_NONE, 1))
6465 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6466 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6467 goto end;
6468 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6469 SSL_ERROR_NONE))
6470 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6471 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6472 goto end;
6473 }
6474
6475 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6476 goto end;
6477
6478 if (tst >= 4) {
6479 /*
6480 * Reading on the server after the client has sent close_notify should
6481 * fail and provide SSL_ERROR_ZERO_RETURN
6482 */
6483 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6484 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6485 SSL_ERROR_ZERO_RETURN)
6486 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6487 SSL_RECEIVED_SHUTDOWN)
6488 /*
6489 * Even though we're shutdown on receive we should still be
6490 * able to write.
6491 */
6492 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6493 goto end;
6494 if (tst == 4
6495 && !TEST_true(SSL_key_update(serverssl,
6496 SSL_KEY_UPDATE_REQUESTED)))
6497 goto end;
6498 if (tst == 5) {
6499 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6500 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6501 goto end;
6502 }
6503 if ((tst == 4 || tst == 5)
6504 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6505 goto end;
6506 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6507 goto end;
6508 if (tst == 4 || tst == 5) {
6509 /* Should still be able to read data from server */
6510 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6511 &readbytes))
6512 || !TEST_size_t_eq(readbytes, sizeof(msg))
6513 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6514 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6515 &readbytes))
6516 || !TEST_size_t_eq(readbytes, sizeof(msg))
6517 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6518 goto end;
6519 }
6520 }
6521
6522 /* Writing on the client after sending close_notify shouldn't be possible */
6523 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6524 goto end;
6525
6526 if (tst < 4) {
6527 /*
6528 * For these tests the client has sent close_notify but it has not yet
6529 * been received by the server. The server has not sent close_notify
6530 * yet.
6531 */
6532 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6533 /*
6534 * Writing on the server after sending close_notify shouldn't
6535 * be possible.
6536 */
6537 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6538 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6539 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6540 || !TEST_true(SSL_SESSION_is_resumable(sess))
6541 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6542 goto end;
6543 } else if (tst == 4 || tst == 5) {
6544 /*
6545 * In this test the client has sent close_notify and it has been
6546 * received by the server which has responded with a close_notify. The
6547 * client needs to read the close_notify sent by the server.
6548 */
6549 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6550 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6551 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6552 goto end;
6553 } else {
6554 /*
6555 * tst == 6
6556 *
6557 * The client has sent close_notify and is expecting a close_notify
6558 * back, but instead there is application data first. The shutdown
6559 * should fail with a fatal error.
6560 */
6561 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6562 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6563 goto end;
6564 }
6565
6566 testresult = 1;
6567
6568 end:
6569 SSL_free(serverssl);
6570 SSL_free(clientssl);
6571 SSL_CTX_free(sctx);
6572 SSL_CTX_free(cctx);
6573
6574 return testresult;
6575 }
6576
6577 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6578 static int cert_cb_cnt;
6579
6580 static int cert_cb(SSL *s, void *arg)
6581 {
6582 SSL_CTX *ctx = (SSL_CTX *)arg;
6583 BIO *in = NULL;
6584 EVP_PKEY *pkey = NULL;
6585 X509 *x509 = NULL, *rootx = NULL;
6586 STACK_OF(X509) *chain = NULL;
6587 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6588 int ret = 0;
6589
6590 if (cert_cb_cnt == 0) {
6591 /* Suspend the handshake */
6592 cert_cb_cnt++;
6593 return -1;
6594 } else if (cert_cb_cnt == 1) {
6595 /*
6596 * Update the SSL_CTX, set the certificate and private key and then
6597 * continue the handshake normally.
6598 */
6599 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6600 return 0;
6601
6602 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6603 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6604 SSL_FILETYPE_PEM))
6605 || !TEST_true(SSL_check_private_key(s)))
6606 return 0;
6607 cert_cb_cnt++;
6608 return 1;
6609 } else if (cert_cb_cnt == 3) {
6610 int rv;
6611
6612 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6613 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6614 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6615 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6616 goto out;
6617 chain = sk_X509_new_null();
6618 if (!TEST_ptr(chain))
6619 goto out;
6620 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6621 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6622 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6623 || !TEST_true(sk_X509_push(chain, rootx)))
6624 goto out;
6625 rootx = NULL;
6626 BIO_free(in);
6627 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6628 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6629 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6630 goto out;
6631 BIO_free(in);
6632 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6633 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6634 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6635 goto out;
6636 rv = SSL_check_chain(s, x509, pkey, chain);
6637 /*
6638 * If the cert doesn't show as valid here (e.g., because we don't
6639 * have any shared sigalgs), then we will not set it, and there will
6640 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6641 * will cause tls_choose_sigalgs() to fail the connection.
6642 */
6643 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6644 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6645 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6646 goto out;
6647 }
6648
6649 ret = 1;
6650 }
6651
6652 /* Abort the handshake */
6653 out:
6654 OPENSSL_free(ecdsacert);
6655 OPENSSL_free(ecdsakey);
6656 OPENSSL_free(rootfile);
6657 BIO_free(in);
6658 EVP_PKEY_free(pkey);
6659 X509_free(x509);
6660 X509_free(rootx);
6661 sk_X509_pop_free(chain, X509_free);
6662 return ret;
6663 }
6664
6665 /*
6666 * Test the certificate callback.
6667 * Test 0: Callback fails
6668 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6669 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6670 * Test 3: Success - Call SSL_check_chain from the callback
6671 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6672 * chain
6673 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6674 */
6675 static int test_cert_cb_int(int prot, int tst)
6676 {
6677 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6678 SSL *clientssl = NULL, *serverssl = NULL;
6679 int testresult = 0, ret;
6680
6681 #ifdef OPENSSL_NO_EC
6682 /* We use an EC cert in these tests, so we skip in a no-ec build */
6683 if (tst >= 3)
6684 return 1;
6685 #endif
6686
6687 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6688 TLS_client_method(),
6689 TLS1_VERSION,
6690 prot,
6691 &sctx, &cctx, NULL, NULL)))
6692 goto end;
6693
6694 if (tst == 0)
6695 cert_cb_cnt = -1;
6696 else if (tst >= 3)
6697 cert_cb_cnt = 3;
6698 else
6699 cert_cb_cnt = 0;
6700
6701 if (tst == 2)
6702 snictx = SSL_CTX_new(TLS_server_method());
6703 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6704
6705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6706 NULL, NULL)))
6707 goto end;
6708
6709 if (tst == 4) {
6710 /*
6711 * We cause SSL_check_chain() to fail by specifying sig_algs that
6712 * the chain doesn't meet (the root uses an RSA cert)
6713 */
6714 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6715 "ecdsa_secp256r1_sha256")))
6716 goto end;
6717 } else if (tst == 5) {
6718 /*
6719 * We cause SSL_check_chain() to fail by specifying sig_algs that
6720 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6721 */
6722 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6723 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6724 goto end;
6725 }
6726
6727 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6728 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6729 || (tst > 0
6730 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6731 goto end;
6732 }
6733
6734 testresult = 1;
6735
6736 end:
6737 SSL_free(serverssl);
6738 SSL_free(clientssl);
6739 SSL_CTX_free(sctx);
6740 SSL_CTX_free(cctx);
6741 SSL_CTX_free(snictx);
6742
6743 return testresult;
6744 }
6745 #endif
6746
6747 static int test_cert_cb(int tst)
6748 {
6749 int testresult = 1;
6750
6751 #ifndef OPENSSL_NO_TLS1_2
6752 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6753 #endif
6754 #ifndef OPENSSL_NO_TLS1_3
6755 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6756 #endif
6757
6758 return testresult;
6759 }
6760
6761 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6762 {
6763 X509 *xcert, *peer;
6764 EVP_PKEY *privpkey;
6765 BIO *in = NULL;
6766
6767 /* Check that SSL_get_peer_certificate() returns something sensible */
6768 peer = SSL_get_peer_certificate(ssl);
6769 if (!TEST_ptr(peer))
6770 return 0;
6771 X509_free(peer);
6772
6773 in = BIO_new_file(cert, "r");
6774 if (!TEST_ptr(in))
6775 return 0;
6776
6777 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6778 BIO_free(in);
6779 if (!TEST_ptr(xcert))
6780 return 0;
6781
6782 in = BIO_new_file(privkey, "r");
6783 if (!TEST_ptr(in)) {
6784 X509_free(xcert);
6785 return 0;
6786 }
6787
6788 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6789 BIO_free(in);
6790 if (!TEST_ptr(privpkey)) {
6791 X509_free(xcert);
6792 return 0;
6793 }
6794
6795 *x509 = xcert;
6796 *pkey = privpkey;
6797
6798 return 1;
6799 }
6800
6801 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6802 {
6803 return 1;
6804 }
6805
6806 static int test_client_cert_cb(int tst)
6807 {
6808 SSL_CTX *cctx = NULL, *sctx = NULL;
6809 SSL *clientssl = NULL, *serverssl = NULL;
6810 int testresult = 0;
6811
6812 #ifdef OPENSSL_NO_TLS1_2
6813 if (tst == 0)
6814 return 1;
6815 #endif
6816 #ifdef OPENSSL_NO_TLS1_3
6817 if (tst == 1)
6818 return 1;
6819 #endif
6820
6821 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6822 TLS_client_method(),
6823 TLS1_VERSION,
6824 tst == 0 ? TLS1_2_VERSION
6825 : TLS1_3_VERSION,
6826 &sctx, &cctx, cert, privkey)))
6827 goto end;
6828
6829 /*
6830 * Test that setting a client_cert_cb results in a client certificate being
6831 * sent.
6832 */
6833 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6834 SSL_CTX_set_verify(sctx,
6835 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6836 verify_cb);
6837
6838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6839 NULL, NULL))
6840 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6841 SSL_ERROR_NONE)))
6842 goto end;
6843
6844 testresult = 1;
6845
6846 end:
6847 SSL_free(serverssl);
6848 SSL_free(clientssl);
6849 SSL_CTX_free(sctx);
6850 SSL_CTX_free(cctx);
6851
6852 return testresult;
6853 }
6854
6855 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6856 /*
6857 * Test setting certificate authorities on both client and server.
6858 *
6859 * Test 0: SSL_CTX_set0_CA_list() only
6860 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6861 * Test 2: Only SSL_CTX_set_client_CA_list()
6862 */
6863 static int test_ca_names_int(int prot, int tst)
6864 {
6865 SSL_CTX *cctx = NULL, *sctx = NULL;
6866 SSL *clientssl = NULL, *serverssl = NULL;
6867 int testresult = 0;
6868 size_t i;
6869 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6870 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6871 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6872 const STACK_OF(X509_NAME) *sktmp = NULL;
6873
6874 for (i = 0; i < OSSL_NELEM(name); i++) {
6875 name[i] = X509_NAME_new();
6876 if (!TEST_ptr(name[i])
6877 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6878 MBSTRING_ASC,
6879 (unsigned char *)
6880 strnames[i],
6881 -1, -1, 0)))
6882 goto end;
6883 }
6884
6885 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6886 TLS_client_method(),
6887 TLS1_VERSION,
6888 prot,
6889 &sctx, &cctx, cert, privkey)))
6890 goto end;
6891
6892 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6893
6894 if (tst == 0 || tst == 1) {
6895 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6896 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6897 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6898 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6899 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6900 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6901 goto end;
6902
6903 SSL_CTX_set0_CA_list(sctx, sk1);
6904 SSL_CTX_set0_CA_list(cctx, sk2);
6905 sk1 = sk2 = NULL;
6906 }
6907 if (tst == 1 || tst == 2) {
6908 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6909 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6910 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6911 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6912 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6913 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6914 goto end;
6915
6916 SSL_CTX_set_client_CA_list(sctx, sk1);
6917 SSL_CTX_set_client_CA_list(cctx, sk2);
6918 sk1 = sk2 = NULL;
6919 }
6920
6921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6922 NULL, NULL))
6923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6924 SSL_ERROR_NONE)))
6925 goto end;
6926
6927 /*
6928 * We only expect certificate authorities to have been sent to the server
6929 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6930 */
6931 sktmp = SSL_get0_peer_CA_list(serverssl);
6932 if (prot == TLS1_3_VERSION
6933 && (tst == 0 || tst == 1)) {
6934 if (!TEST_ptr(sktmp)
6935 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6936 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6937 name[0]), 0)
6938 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6939 name[1]), 0))
6940 goto end;
6941 } else if (!TEST_ptr_null(sktmp)) {
6942 goto end;
6943 }
6944
6945 /*
6946 * In all tests we expect certificate authorities to have been sent to the
6947 * client. However, SSL_set_client_CA_list() should override
6948 * SSL_set0_CA_list()
6949 */
6950 sktmp = SSL_get0_peer_CA_list(clientssl);
6951 if (!TEST_ptr(sktmp)
6952 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6953 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6954 name[tst == 0 ? 0 : 2]), 0)
6955 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6956 name[tst == 0 ? 1 : 3]), 0))
6957 goto end;
6958
6959 testresult = 1;
6960
6961 end:
6962 SSL_free(serverssl);
6963 SSL_free(clientssl);
6964 SSL_CTX_free(sctx);
6965 SSL_CTX_free(cctx);
6966 for (i = 0; i < OSSL_NELEM(name); i++)
6967 X509_NAME_free(name[i]);
6968 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6969 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6970
6971 return testresult;
6972 }
6973 #endif
6974
6975 static int test_ca_names(int tst)
6976 {
6977 int testresult = 1;
6978
6979 #ifndef OPENSSL_NO_TLS1_2
6980 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6981 #endif
6982 #ifndef OPENSSL_NO_TLS1_3
6983 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6984 #endif
6985
6986 return testresult;
6987 }
6988
6989 #ifndef OPENSSL_NO_TLS1_2
6990 static const char *multiblock_cipherlist_data[]=
6991 {
6992 "AES128-SHA",
6993 "AES128-SHA256",
6994 "AES256-SHA",
6995 "AES256-SHA256",
6996 };
6997
6998 /* Reduce the fragment size - so the multiblock test buffer can be small */
6999 # define MULTIBLOCK_FRAGSIZE 512
7000
7001 static int test_multiblock_write(int test_index)
7002 {
7003 static const char *fetchable_ciphers[]=
7004 {
7005 "AES-128-CBC-HMAC-SHA1",
7006 "AES-128-CBC-HMAC-SHA256",
7007 "AES-256-CBC-HMAC-SHA1",
7008 "AES-256-CBC-HMAC-SHA256"
7009 };
7010 const char *cipherlist = multiblock_cipherlist_data[test_index];
7011 const SSL_METHOD *smeth = TLS_server_method();
7012 const SSL_METHOD *cmeth = TLS_client_method();
7013 int min_version = TLS1_VERSION;
7014 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7015 SSL_CTX *cctx = NULL, *sctx = NULL;
7016 SSL *clientssl = NULL, *serverssl = NULL;
7017 int testresult = 0;
7018
7019 /*
7020 * Choose a buffer large enough to perform a multi-block operation
7021 * i.e: write_len >= 4 * frag_size
7022 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7023 */
7024 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7025 unsigned char buf[sizeof(msg)], *p = buf;
7026 size_t readbytes, written, len;
7027 EVP_CIPHER *ciph = NULL;
7028
7029 /*
7030 * Check if the cipher exists before attempting to use it since it only has
7031 * a hardware specific implementation.
7032 */
7033 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7034 if (ciph == NULL) {
7035 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7036 return 1;
7037 }
7038 EVP_CIPHER_free(ciph);
7039
7040 /* Set up a buffer with some data that will be sent to the client */
7041 RAND_bytes(msg, sizeof(msg));
7042
7043 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
7044 &sctx, &cctx, cert, privkey)))
7045 goto end;
7046
7047 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7048 goto end;
7049
7050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7051 NULL, NULL)))
7052 goto end;
7053
7054 /* settings to force it to use AES-CBC-HMAC_SHA */
7055 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7056 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7057 goto end;
7058
7059 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7060 goto end;
7061
7062 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7063 || !TEST_size_t_eq(written, sizeof(msg)))
7064 goto end;
7065
7066 len = written;
7067 while (len > 0) {
7068 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7069 goto end;
7070 p += readbytes;
7071 len -= readbytes;
7072 }
7073 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7074 goto end;
7075
7076 testresult = 1;
7077 end:
7078 SSL_free(serverssl);
7079 SSL_free(clientssl);
7080 SSL_CTX_free(sctx);
7081 SSL_CTX_free(cctx);
7082
7083 return testresult;
7084 }
7085 #endif /* OPENSSL_NO_TLS1_2 */
7086
7087 /*
7088 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7089 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7090 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7091 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7092 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7093 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7094 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7095 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7096 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7097 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7098 */
7099 static int test_servername(int tst)
7100 {
7101 SSL_CTX *cctx = NULL, *sctx = NULL;
7102 SSL *clientssl = NULL, *serverssl = NULL;
7103 int testresult = 0;
7104 SSL_SESSION *sess = NULL;
7105 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7106
7107 #ifdef OPENSSL_NO_TLS1_2
7108 if (tst <= 4)
7109 return 1;
7110 #endif
7111 #ifdef OPENSSL_NO_TLS1_3
7112 if (tst >= 5)
7113 return 1;
7114 #endif
7115
7116 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7117 TLS_client_method(),
7118 TLS1_VERSION,
7119 (tst <= 4) ? TLS1_2_VERSION
7120 : TLS1_3_VERSION,
7121 &sctx, &cctx, cert, privkey))
7122 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7123 NULL, NULL)))
7124 goto end;
7125
7126 if (tst != 1 && tst != 6) {
7127 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7128 hostname_cb)))
7129 goto end;
7130 }
7131
7132 if (tst != 3 && tst != 8) {
7133 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7134 goto end;
7135 sexpectedhost = cexpectedhost = "goodhost";
7136 }
7137
7138 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7139 goto end;
7140
7141 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7142 cexpectedhost)
7143 || !TEST_str_eq(SSL_get_servername(serverssl,
7144 TLSEXT_NAMETYPE_host_name),
7145 sexpectedhost))
7146 goto end;
7147
7148 /* Now repeat with a resumption handshake */
7149
7150 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7151 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7152 || !TEST_true(SSL_SESSION_is_resumable(sess))
7153 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7154 goto end;
7155
7156 SSL_free(clientssl);
7157 SSL_free(serverssl);
7158 clientssl = serverssl = NULL;
7159
7160 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7161 NULL)))
7162 goto end;
7163
7164 if (!TEST_true(SSL_set_session(clientssl, sess)))
7165 goto end;
7166
7167 sexpectedhost = cexpectedhost = "goodhost";
7168 if (tst == 2 || tst == 7) {
7169 /* Set an inconsistent hostname */
7170 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7171 goto end;
7172 /*
7173 * In TLSv1.2 we expect the hostname from the original handshake, in
7174 * TLSv1.3 we expect the hostname from this handshake
7175 */
7176 if (tst == 7)
7177 sexpectedhost = cexpectedhost = "altgoodhost";
7178
7179 if (!TEST_str_eq(SSL_get_servername(clientssl,
7180 TLSEXT_NAMETYPE_host_name),
7181 "altgoodhost"))
7182 goto end;
7183 } else if (tst == 4 || tst == 9) {
7184 /*
7185 * A TLSv1.3 session does not associate a session with a servername,
7186 * but a TLSv1.2 session does.
7187 */
7188 if (tst == 9)
7189 sexpectedhost = cexpectedhost = NULL;
7190
7191 if (!TEST_str_eq(SSL_get_servername(clientssl,
7192 TLSEXT_NAMETYPE_host_name),
7193 cexpectedhost))
7194 goto end;
7195 } else {
7196 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7197 goto end;
7198 /*
7199 * In a TLSv1.2 resumption where the hostname was not acknowledged
7200 * we expect the hostname on the server to be empty. On the client we
7201 * return what was requested in this case.
7202 *
7203 * Similarly if the client didn't set a hostname on an original TLSv1.2
7204 * session but is now, the server hostname will be empty, but the client
7205 * is as we set it.
7206 */
7207 if (tst == 1 || tst == 3)
7208 sexpectedhost = NULL;
7209
7210 if (!TEST_str_eq(SSL_get_servername(clientssl,
7211 TLSEXT_NAMETYPE_host_name),
7212 "goodhost"))
7213 goto end;
7214 }
7215
7216 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7217 goto end;
7218
7219 if (!TEST_true(SSL_session_reused(clientssl))
7220 || !TEST_true(SSL_session_reused(serverssl))
7221 || !TEST_str_eq(SSL_get_servername(clientssl,
7222 TLSEXT_NAMETYPE_host_name),
7223 cexpectedhost)
7224 || !TEST_str_eq(SSL_get_servername(serverssl,
7225 TLSEXT_NAMETYPE_host_name),
7226 sexpectedhost))
7227 goto end;
7228
7229 testresult = 1;
7230
7231 end:
7232 SSL_SESSION_free(sess);
7233 SSL_free(serverssl);
7234 SSL_free(clientssl);
7235 SSL_CTX_free(sctx);
7236 SSL_CTX_free(cctx);
7237
7238 return testresult;
7239 }
7240
7241 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
7242
7243 int setup_tests(void)
7244 {
7245 if (!test_skip_common_options()) {
7246 TEST_error("Error parsing test options\n");
7247 return 0;
7248 }
7249
7250 if (!TEST_ptr(certsdir = test_get_argument(0))
7251 || !TEST_ptr(srpvfile = test_get_argument(1))
7252 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7253 return 0;
7254
7255 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7256 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7257 TEST_error("not supported in this build");
7258 return 0;
7259 #else
7260 int i, mcount, rcount, fcount;
7261
7262 for (i = 0; i < 4; i++)
7263 test_export_key_mat(i);
7264 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7265 test_printf_stdout("malloc %d realloc %d free %d\n",
7266 mcount, rcount, fcount);
7267 return 1;
7268 #endif
7269 }
7270
7271 cert = test_mk_file_path(certsdir, "servercert.pem");
7272 if (cert == NULL)
7273 return 0;
7274
7275 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7276 if (privkey == NULL) {
7277 OPENSSL_free(cert);
7278 return 0;
7279 }
7280
7281 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7282 && !defined(OPENSSL_NO_SOCK)
7283 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7284 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7285 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7286 ADD_TEST(test_ktls_client_no_txrx_server);
7287 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7288 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7289 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7290 ADD_TEST(test_ktls_client_no_rx_server);
7291 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7292 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7293 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7294 ADD_TEST(test_ktls_client_no_tx_server);
7295 ADD_TEST(test_ktls_no_txrx_client_server);
7296 ADD_TEST(test_ktls_no_rx_client_server);
7297 ADD_TEST(test_ktls_no_tx_client_server);
7298 ADD_TEST(test_ktls_client_server);
7299 ADD_TEST(test_ktls_sendfile);
7300 #endif
7301 ADD_TEST(test_large_message_tls);
7302 ADD_TEST(test_large_message_tls_read_ahead);
7303 #ifndef OPENSSL_NO_DTLS
7304 ADD_TEST(test_large_message_dtls);
7305 #endif
7306 #ifndef OPENSSL_NO_OCSP
7307 ADD_TEST(test_tlsext_status_type);
7308 #endif
7309 ADD_TEST(test_session_with_only_int_cache);
7310 ADD_TEST(test_session_with_only_ext_cache);
7311 ADD_TEST(test_session_with_both_cache);
7312 #ifndef OPENSSL_NO_TLS1_3
7313 ADD_ALL_TESTS(test_stateful_tickets, 3);
7314 ADD_ALL_TESTS(test_stateless_tickets, 3);
7315 ADD_TEST(test_psk_tickets);
7316 #endif
7317 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7318 ADD_TEST(test_ssl_bio_pop_next_bio);
7319 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7320 ADD_TEST(test_ssl_bio_change_rbio);
7321 ADD_TEST(test_ssl_bio_change_wbio);
7322 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7323 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7324 ADD_TEST(test_keylog);
7325 #endif
7326 #ifndef OPENSSL_NO_TLS1_3
7327 ADD_TEST(test_keylog_no_master_key);
7328 #endif
7329 #ifndef OPENSSL_NO_TLS1_2
7330 ADD_TEST(test_client_hello_cb);
7331 ADD_TEST(test_no_ems);
7332 ADD_TEST(test_ccs_change_cipher);
7333 #endif
7334 #ifndef OPENSSL_NO_TLS1_3
7335 ADD_ALL_TESTS(test_early_data_read_write, 3);
7336 /*
7337 * We don't do replay tests for external PSK. Replay protection isn't used
7338 * in that scenario.
7339 */
7340 ADD_ALL_TESTS(test_early_data_replay, 2);
7341 ADD_ALL_TESTS(test_early_data_skip, 3);
7342 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7343 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7344 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7345 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7346 ADD_ALL_TESTS(test_early_data_psk, 8);
7347 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7348 # ifndef OPENSSL_NO_TLS1_2
7349 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7350 # endif
7351 #endif
7352 #ifndef OPENSSL_NO_TLS1_3
7353 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7354 ADD_TEST(test_ciphersuite_change);
7355 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7356 # ifdef OPENSSL_NO_PSK
7357 ADD_ALL_TESTS(test_tls13_psk, 1);
7358 # else
7359 ADD_ALL_TESTS(test_tls13_psk, 4);
7360 # endif /* OPENSSL_NO_PSK */
7361 # ifndef OPENSSL_NO_TLS1_2
7362 /* Test with both TLSv1.3 and 1.2 versions */
7363 ADD_ALL_TESTS(test_key_exchange, 14);
7364 # else
7365 /* Test with only TLSv1.3 versions */
7366 ADD_ALL_TESTS(test_key_exchange, 12);
7367 # endif
7368 ADD_ALL_TESTS(test_custom_exts, 5);
7369 ADD_TEST(test_stateless);
7370 ADD_TEST(test_pha_key_update);
7371 #else
7372 ADD_ALL_TESTS(test_custom_exts, 3);
7373 #endif
7374 ADD_ALL_TESTS(test_serverinfo, 8);
7375 ADD_ALL_TESTS(test_export_key_mat, 6);
7376 #ifndef OPENSSL_NO_TLS1_3
7377 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7378 ADD_TEST(test_key_update);
7379 ADD_ALL_TESTS(test_key_update_in_write, 2);
7380 #endif
7381 ADD_ALL_TESTS(test_ssl_clear, 2);
7382 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7383 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7384 ADD_ALL_TESTS(test_srp, 6);
7385 #endif
7386 ADD_ALL_TESTS(test_info_callback, 6);
7387 ADD_ALL_TESTS(test_ssl_pending, 2);
7388 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7389 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7390 ADD_ALL_TESTS(test_shutdown, 7);
7391 ADD_ALL_TESTS(test_cert_cb, 6);
7392 ADD_ALL_TESTS(test_client_cert_cb, 2);
7393 ADD_ALL_TESTS(test_ca_names, 3);
7394 #ifndef OPENSSL_NO_TLS1_2
7395 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7396 #endif
7397 ADD_ALL_TESTS(test_servername, 10);
7398 return 1;
7399 }
7400
7401 void cleanup_tests(void)
7402 {
7403 OPENSSL_free(cert);
7404 OPENSSL_free(privkey);
7405 bio_s_mempacket_test_free();
7406 bio_s_always_retry_free();
7407 }
A mirror of the official openssl repository