]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Test the new PSK behaviour
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17
18 #include "ssltestlib.h"
19 #include "testutil.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
22
23 static char *cert = NULL;
24 static char *privkey = NULL;
25
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
32
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
37
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
40 #endif
41
42 #define NUM_EXTRA_CERTS 40
43 #define CLIENT_VERSION_LEN 2
44
45 /*
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
48 */
49 struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
56 };
57
58
59 static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
63 };
64
65 static unsigned char serverinfov2[] = {
66 0x00, 0x00, 0x00,
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
71 };
72
73 static void client_keylog_callback(const SSL *ssl, const char *line)
74 {
75 int line_length = strlen(line);
76
77 /* If the log doesn't fit, error out. */
78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
80 error_writing_log = 1;
81 return;
82 }
83
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
86 client_log_buffer[client_log_buffer_index++] = '\n';
87 }
88
89 static void server_keylog_callback(const SSL *ssl, const char *line)
90 {
91 int line_length = strlen(line);
92
93 /* If the log doesn't fit, error out. */
94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
95 TEST_info("Server log too full");
96 error_writing_log = 1;
97 return;
98 }
99
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
102 server_log_buffer[server_log_buffer_index++] = '\n';
103 }
104
105 static int compare_hex_encoded_buffer(const char *hex_encoded,
106 size_t hex_length,
107 const uint8_t *raw,
108 size_t raw_length)
109 {
110 size_t i, j;
111 char hexed[3];
112
113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
114 return 1;
115
116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
117 sprintf(hexed, "%02x", raw[i]);
118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
120 return 1;
121 }
122
123 return 0;
124 }
125
126 static int test_keylog_output(char *buffer, const SSL *ssl,
127 const SSL_SESSION *session,
128 struct sslapitest_log_counts *expected)
129 {
130 char *token = NULL;
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
141
142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
144 if (strcmp(token, "RSA") == 0) {
145 /*
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
147 * hex-encoded encrypted secret, then the hex-encoded pre-master
148 * secret.
149 */
150 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 return 0;
152 if (!TEST_size_t_eq(strlen(token), 16))
153 return 0;
154 if (!TEST_ptr(token = strtok(NULL, " \n")))
155 return 0;
156 /*
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
160 */
161 rsa_key_exchange_count++;
162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 /*
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
165 * client random, then the hex-encoded master secret.
166 */
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
169 SSL3_RANDOM_SIZE);
170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
171 return 0;
172
173 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 return 0;
175 if (!TEST_size_t_eq(strlen(token), 64))
176 return 0;
177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
180 return 0;
181
182 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 return 0;
184 master_key_size = SSL_SESSION_get_master_key(session,
185 actual_master_key,
186 master_key_size);
187 if (!TEST_size_t_ne(master_key_size, 0))
188 return 0;
189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
190 actual_master_key,
191 master_key_size)))
192 return 0;
193 master_secret_count++;
194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 /*
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
203 */
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
212
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
215 SSL3_RANDOM_SIZE);
216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
217 return 0;
218
219 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 return 0;
221 if (!TEST_size_t_eq(strlen(token), 64))
222 return 0;
223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
226 return 0;
227
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 return 0;
230
231 /*
232 * TODO(TLS1.3): test that application traffic secrets are what
233 * we expect */
234 } else {
235 TEST_info("Unexpected token %s\n", token);
236 return 0;
237 }
238 }
239
240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
253 return 0;
254 return 1;
255 }
256
257 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
258 static int test_keylog(void)
259 {
260 SSL_CTX *cctx = NULL, *sctx = NULL;
261 SSL *clientssl = NULL, *serverssl = NULL;
262 int testresult = 0;
263 struct sslapitest_log_counts expected = {0};
264
265 /* Clean up logging space */
266 memset(client_log_buffer, 0, sizeof(client_log_buffer));
267 memset(server_log_buffer, 0, sizeof(server_log_buffer));
268 client_log_buffer_index = 0;
269 server_log_buffer_index = 0;
270 error_writing_log = 0;
271
272 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
273 TLS_client_method(),
274 &sctx, &cctx, cert, privkey)))
275 return 0;
276
277 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
278 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
279 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
280
281 /* We also want to ensure that we use RSA-based key exchange. */
282 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
283 goto end;
284
285 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
286 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
287 goto end;
288 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
289 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
290 == client_keylog_callback))
291 goto end;
292 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
293 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
294 == server_keylog_callback))
295 goto end;
296
297 /* Now do a handshake and check that the logs have been written to. */
298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
299 &clientssl, NULL, NULL))
300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
301 SSL_ERROR_NONE))
302 || !TEST_false(error_writing_log)
303 || !TEST_int_gt(client_log_buffer_index, 0)
304 || !TEST_int_gt(server_log_buffer_index, 0))
305 goto end;
306
307 /*
308 * Now we want to test that our output data was vaguely sensible. We
309 * do that by using strtok and confirming that we have more or less the
310 * data we expect. For both client and server, we expect to see one master
311 * secret. The client should also see a RSA key exchange.
312 */
313 expected.rsa_key_exchange_count = 1;
314 expected.master_secret_count = 1;
315 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
316 SSL_get_session(clientssl), &expected)))
317 goto end;
318
319 expected.rsa_key_exchange_count = 0;
320 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
321 SSL_get_session(serverssl), &expected)))
322 goto end;
323
324 testresult = 1;
325
326 end:
327 SSL_free(serverssl);
328 SSL_free(clientssl);
329 SSL_CTX_free(sctx);
330 SSL_CTX_free(cctx);
331
332 return testresult;
333 }
334 #endif
335
336 #ifndef OPENSSL_NO_TLS1_3
337 static int test_keylog_no_master_key(void)
338 {
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
342 struct sslapitest_log_counts expected = {0};
343
344 /* Clean up logging space */
345 memset(client_log_buffer, 0, sizeof(client_log_buffer));
346 memset(server_log_buffer, 0, sizeof(server_log_buffer));
347 client_log_buffer_index = 0;
348 server_log_buffer_index = 0;
349 error_writing_log = 0;
350
351 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
352 TLS_client_method(), &sctx,
353 &cctx, cert, privkey)))
354 return 0;
355
356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
358 goto end;
359
360 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
361 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
362 == client_keylog_callback))
363 goto end;
364
365 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
366 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
367 == server_keylog_callback))
368 goto end;
369
370 /* Now do a handshake and check that the logs have been written to. */
371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
372 &clientssl, NULL, NULL))
373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
374 SSL_ERROR_NONE))
375 || !TEST_false(error_writing_log))
376 goto end;
377
378 /*
379 * Now we want to test that our output data was vaguely sensible. For this
380 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
381 * TLSv1.3, but we do expect both client and server to emit keys.
382 */
383 expected.client_handshake_secret_count = 1;
384 expected.server_handshake_secret_count = 1;
385 expected.client_application_secret_count = 1;
386 expected.server_application_secret_count = 1;
387 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
388 SSL_get_session(clientssl), &expected))
389 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
390 SSL_get_session(serverssl),
391 &expected)))
392 goto end;
393
394 testresult = 1;
395
396 end:
397 SSL_free(serverssl);
398 SSL_free(clientssl);
399 SSL_CTX_free(sctx);
400 SSL_CTX_free(cctx);
401
402 return testresult;
403 }
404 #endif
405
406 #ifndef OPENSSL_NO_TLS1_2
407 static int full_client_hello_callback(SSL *s, int *al, void *arg)
408 {
409 int *ctr = arg;
410 const unsigned char *p;
411 int *exts;
412 /* We only configure two ciphers, but the SCSV is added automatically. */
413 #ifdef OPENSSL_NO_EC
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
415 #else
416 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
417 0x2c, 0x00, 0xff};
418 #endif
419 const int expected_extensions[] = {
420 #ifndef OPENSSL_NO_EC
421 11, 10,
422 #endif
423 35, 22, 23, 13};
424 size_t len;
425
426 /* Make sure we can defer processing and get called back. */
427 if ((*ctr)++ == 0)
428 return SSL_CLIENT_HELLO_RETRY;
429
430 len = SSL_client_hello_get0_ciphers(s, &p);
431 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
432 || !TEST_size_t_eq(
433 SSL_client_hello_get0_compression_methods(s, &p), 1)
434 || !TEST_int_eq(*p, 0))
435 return SSL_CLIENT_HELLO_ERROR;
436 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
437 return SSL_CLIENT_HELLO_ERROR;
438 if (len != OSSL_NELEM(expected_extensions) ||
439 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
440 printf("ClientHello callback expected extensions mismatch\n");
441 OPENSSL_free(exts);
442 return SSL_CLIENT_HELLO_ERROR;
443 }
444 OPENSSL_free(exts);
445 return SSL_CLIENT_HELLO_SUCCESS;
446 }
447
448 static int test_client_hello_cb(void)
449 {
450 SSL_CTX *cctx = NULL, *sctx = NULL;
451 SSL *clientssl = NULL, *serverssl = NULL;
452 int testctr = 0, testresult = 0;
453
454 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
455 TLS_client_method(), &sctx,
456 &cctx, cert, privkey)))
457 goto end;
458 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
459
460 /* The gimpy cipher list we configure can't do TLS 1.3. */
461 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
462
463 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
464 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
468 SSL_ERROR_WANT_CLIENT_HELLO_CB))
469 /*
470 * Passing a -1 literal is a hack since
471 * the real value was lost.
472 * */
473 || !TEST_int_eq(SSL_get_error(serverssl, -1),
474 SSL_ERROR_WANT_CLIENT_HELLO_CB)
475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
476 SSL_ERROR_NONE)))
477 goto end;
478
479 testresult = 1;
480
481 end:
482 SSL_free(serverssl);
483 SSL_free(clientssl);
484 SSL_CTX_free(sctx);
485 SSL_CTX_free(cctx);
486
487 return testresult;
488 }
489 #endif
490
491 static int execute_test_large_message(const SSL_METHOD *smeth,
492 const SSL_METHOD *cmeth, int read_ahead)
493 {
494 SSL_CTX *cctx = NULL, *sctx = NULL;
495 SSL *clientssl = NULL, *serverssl = NULL;
496 int testresult = 0;
497 int i;
498 BIO *certbio = NULL;
499 X509 *chaincert = NULL;
500 int certlen;
501
502 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
503 goto end;
504 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
505 BIO_free(certbio);
506 certbio = NULL;
507 if (!TEST_ptr(chaincert))
508 goto end;
509
510 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
511 &cctx, cert, privkey)))
512 goto end;
513
514 if (read_ahead) {
515 /*
516 * Test that read_ahead works correctly when dealing with large
517 * records
518 */
519 SSL_CTX_set_read_ahead(cctx, 1);
520 }
521
522 /*
523 * We assume the supplied certificate is big enough so that if we add
524 * NUM_EXTRA_CERTS it will make the overall message large enough. The
525 * default buffer size is requested to be 16k, but due to the way BUF_MEM
526 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
527 * test we need to have a message larger than that.
528 */
529 certlen = i2d_X509(chaincert, NULL);
530 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
531 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
532 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
533 if (!X509_up_ref(chaincert))
534 goto end;
535 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
536 X509_free(chaincert);
537 goto end;
538 }
539 }
540
541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
542 NULL, NULL))
543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
544 SSL_ERROR_NONE)))
545 goto end;
546
547 /*
548 * Calling SSL_clear() first is not required but this tests that SSL_clear()
549 * doesn't leak (when using enable-crypto-mdebug).
550 */
551 if (!TEST_true(SSL_clear(serverssl)))
552 goto end;
553
554 testresult = 1;
555 end:
556 X509_free(chaincert);
557 SSL_free(serverssl);
558 SSL_free(clientssl);
559 SSL_CTX_free(sctx);
560 SSL_CTX_free(cctx);
561
562 return testresult;
563 }
564
565 static int test_large_message_tls(void)
566 {
567 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
568 0);
569 }
570
571 static int test_large_message_tls_read_ahead(void)
572 {
573 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
574 1);
575 }
576
577 #ifndef OPENSSL_NO_DTLS
578 static int test_large_message_dtls(void)
579 {
580 /*
581 * read_ahead is not relevant to DTLS because DTLS always acts as if
582 * read_ahead is set.
583 */
584 return execute_test_large_message(DTLS_server_method(),
585 DTLS_client_method(), 0);
586 }
587 #endif
588
589 #ifndef OPENSSL_NO_OCSP
590 static int ocsp_server_cb(SSL *s, void *arg)
591 {
592 int *argi = (int *)arg;
593 unsigned char *copy = NULL;
594 STACK_OF(OCSP_RESPID) *ids = NULL;
595 OCSP_RESPID *id = NULL;
596
597 if (*argi == 2) {
598 /* In this test we are expecting exactly 1 OCSP_RESPID */
599 SSL_get_tlsext_status_ids(s, &ids);
600 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
601 return SSL_TLSEXT_ERR_ALERT_FATAL;
602
603 id = sk_OCSP_RESPID_value(ids, 0);
604 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
606 } else if (*argi != 1) {
607 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 }
609
610 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
611 return SSL_TLSEXT_ERR_ALERT_FATAL;
612
613 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
614 ocsp_server_called = 1;
615 return SSL_TLSEXT_ERR_OK;
616 }
617
618 static int ocsp_client_cb(SSL *s, void *arg)
619 {
620 int *argi = (int *)arg;
621 const unsigned char *respderin;
622 size_t len;
623
624 if (*argi != 1 && *argi != 2)
625 return 0;
626
627 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
628 if (!TEST_mem_eq(orespder, len, respderin, len))
629 return 0;
630
631 ocsp_client_called = 1;
632 return 1;
633 }
634
635 static int test_tlsext_status_type(void)
636 {
637 SSL_CTX *cctx = NULL, *sctx = NULL;
638 SSL *clientssl = NULL, *serverssl = NULL;
639 int testresult = 0;
640 STACK_OF(OCSP_RESPID) *ids = NULL;
641 OCSP_RESPID *id = NULL;
642 BIO *certbio = NULL;
643
644 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
645 &cctx, cert, privkey))
646 return 0;
647
648 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
649 goto end;
650
651 /* First just do various checks getting and setting tlsext_status_type */
652
653 clientssl = SSL_new(cctx);
654 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
655 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
656 TLSEXT_STATUSTYPE_ocsp))
657 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
658 TLSEXT_STATUSTYPE_ocsp))
659 goto end;
660
661 SSL_free(clientssl);
662 clientssl = NULL;
663
664 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
665 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
666 goto end;
667
668 clientssl = SSL_new(cctx);
669 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
670 goto end;
671 SSL_free(clientssl);
672 clientssl = NULL;
673
674 /*
675 * Now actually do a handshake and check OCSP information is exchanged and
676 * the callbacks get called
677 */
678 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
679 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
680 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
681 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
683 &clientssl, NULL, NULL))
684 || !TEST_true(create_ssl_connection(serverssl, clientssl,
685 SSL_ERROR_NONE))
686 || !TEST_true(ocsp_client_called)
687 || !TEST_true(ocsp_server_called))
688 goto end;
689 SSL_free(serverssl);
690 SSL_free(clientssl);
691 serverssl = NULL;
692 clientssl = NULL;
693
694 /* Try again but this time force the server side callback to fail */
695 ocsp_client_called = 0;
696 ocsp_server_called = 0;
697 cdummyarg = 0;
698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
699 &clientssl, NULL, NULL))
700 /* This should fail because the callback will fail */
701 || !TEST_false(create_ssl_connection(serverssl, clientssl,
702 SSL_ERROR_NONE))
703 || !TEST_false(ocsp_client_called)
704 || !TEST_false(ocsp_server_called))
705 goto end;
706 SSL_free(serverssl);
707 SSL_free(clientssl);
708 serverssl = NULL;
709 clientssl = NULL;
710
711 /*
712 * This time we'll get the client to send an OCSP_RESPID that it will
713 * accept.
714 */
715 ocsp_client_called = 0;
716 ocsp_server_called = 0;
717 cdummyarg = 2;
718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
719 &clientssl, NULL, NULL)))
720 goto end;
721
722 /*
723 * We'll just use any old cert for this test - it doesn't have to be an OCSP
724 * specific one. We'll use the server cert.
725 */
726 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
727 || !TEST_ptr(id = OCSP_RESPID_new())
728 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
729 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
730 NULL, NULL, NULL))
731 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
732 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
733 goto end;
734 id = NULL;
735 SSL_set_tlsext_status_ids(clientssl, ids);
736 /* Control has been transferred */
737 ids = NULL;
738
739 BIO_free(certbio);
740 certbio = NULL;
741
742 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
743 SSL_ERROR_NONE))
744 || !TEST_true(ocsp_client_called)
745 || !TEST_true(ocsp_server_called))
746 goto end;
747
748 testresult = 1;
749
750 end:
751 SSL_free(serverssl);
752 SSL_free(clientssl);
753 SSL_CTX_free(sctx);
754 SSL_CTX_free(cctx);
755 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
756 OCSP_RESPID_free(id);
757 BIO_free(certbio);
758 X509_free(ocspcert);
759 ocspcert = NULL;
760
761 return testresult;
762 }
763 #endif
764
765 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
766 static int new_called, remove_called, get_called;
767
768 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
769 {
770 new_called++;
771 /*
772 * sess has been up-refed for us, but we don't actually need it so free it
773 * immediately.
774 */
775 SSL_SESSION_free(sess);
776 return 1;
777 }
778
779 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
780 {
781 remove_called++;
782 }
783
784 static SSL_SESSION *get_sess_val = NULL;
785
786 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
787 int *copy)
788 {
789 get_called++;
790 *copy = 1;
791 return get_sess_val;
792 }
793
794 static int execute_test_session(int maxprot, int use_int_cache,
795 int use_ext_cache)
796 {
797 SSL_CTX *sctx = NULL, *cctx = NULL;
798 SSL *serverssl1 = NULL, *clientssl1 = NULL;
799 SSL *serverssl2 = NULL, *clientssl2 = NULL;
800 # ifndef OPENSSL_NO_TLS1_1
801 SSL *serverssl3 = NULL, *clientssl3 = NULL;
802 # endif
803 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
804 int testresult = 0;
805
806 new_called = remove_called = 0;
807
808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
809 TLS_client_method(), &sctx,
810 &cctx, cert, privkey)))
811 return 0;
812
813 /*
814 * Only allow the max protocol version so we can force a connection failure
815 * later
816 */
817 SSL_CTX_set_min_proto_version(cctx, maxprot);
818 SSL_CTX_set_max_proto_version(cctx, maxprot);
819
820 /* Set up session cache */
821 if (use_ext_cache) {
822 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
823 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
824 }
825 if (use_int_cache) {
826 /* Also covers instance where both are set */
827 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
828 } else {
829 SSL_CTX_set_session_cache_mode(cctx,
830 SSL_SESS_CACHE_CLIENT
831 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
832 }
833
834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
835 NULL, NULL))
836 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
837 SSL_ERROR_NONE))
838 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
839 goto end;
840
841 /* Should fail because it should already be in the cache */
842 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
843 goto end;
844 if (use_ext_cache
845 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
846 goto end;
847
848 new_called = remove_called = 0;
849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
850 &clientssl2, NULL, NULL))
851 || !TEST_true(SSL_set_session(clientssl2, sess1))
852 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
853 SSL_ERROR_NONE))
854 || !TEST_true(SSL_session_reused(clientssl2)))
855 goto end;
856
857 if (maxprot == TLS1_3_VERSION) {
858 /*
859 * In TLSv1.3 we should have created a new session even though we have
860 * resumed. The original session should also have been removed.
861 */
862 if (use_ext_cache
863 && (!TEST_int_eq(new_called, 1)
864 || !TEST_int_eq(remove_called, 1)))
865 goto end;
866 } else {
867 /*
868 * In TLSv1.2 we expect to have resumed so no sessions added or
869 * removed.
870 */
871 if (use_ext_cache
872 && (!TEST_int_eq(new_called, 0)
873 || !TEST_int_eq(remove_called, 0)))
874 goto end;
875 }
876
877 SSL_SESSION_free(sess1);
878 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
879 goto end;
880 shutdown_ssl_connection(serverssl2, clientssl2);
881 serverssl2 = clientssl2 = NULL;
882
883 new_called = remove_called = 0;
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
885 &clientssl2, NULL, NULL))
886 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
887 SSL_ERROR_NONE)))
888 goto end;
889
890 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
891 goto end;
892
893 if (use_ext_cache
894 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
895 goto end;
896
897 new_called = remove_called = 0;
898 /*
899 * This should clear sess2 from the cache because it is a "bad" session.
900 * See SSL_set_session() documentation.
901 */
902 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
903 goto end;
904 if (use_ext_cache
905 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
906 goto end;
907 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
908 goto end;
909
910 if (use_int_cache) {
911 /* Should succeeded because it should not already be in the cache */
912 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
913 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
914 goto end;
915 }
916
917 new_called = remove_called = 0;
918 /* This shouldn't be in the cache so should fail */
919 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
920 goto end;
921
922 if (use_ext_cache
923 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
924 goto end;
925
926 # if !defined(OPENSSL_NO_TLS1_1)
927 new_called = remove_called = 0;
928 /* Force a connection failure */
929 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
931 &clientssl3, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl3, sess1))
933 /* This should fail because of the mismatched protocol versions */
934 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
935 SSL_ERROR_NONE)))
936 goto end;
937
938 /* We should have automatically removed the session from the cache */
939 if (use_ext_cache
940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
941 goto end;
942
943 /* Should succeed because it should not already be in the cache */
944 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
945 goto end;
946 # endif
947
948 /* Now do some tests for server side caching */
949 if (use_ext_cache) {
950 SSL_CTX_sess_set_new_cb(cctx, NULL);
951 SSL_CTX_sess_set_remove_cb(cctx, NULL);
952 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
953 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
954 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
955 get_sess_val = NULL;
956 }
957
958 SSL_CTX_set_session_cache_mode(cctx, 0);
959 /* Internal caching is the default on the server side */
960 if (!use_int_cache)
961 SSL_CTX_set_session_cache_mode(sctx,
962 SSL_SESS_CACHE_SERVER
963 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
964
965 SSL_free(serverssl1);
966 SSL_free(clientssl1);
967 serverssl1 = clientssl1 = NULL;
968 SSL_free(serverssl2);
969 SSL_free(clientssl2);
970 serverssl2 = clientssl2 = NULL;
971 SSL_SESSION_free(sess1);
972 sess1 = NULL;
973 SSL_SESSION_free(sess2);
974 sess2 = NULL;
975
976 SSL_CTX_set_max_proto_version(sctx, maxprot);
977 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
978 new_called = remove_called = get_called = 0;
979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
980 NULL, NULL))
981 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
982 SSL_ERROR_NONE))
983 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
984 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
985 goto end;
986
987 /* Should fail because it should already be in the cache */
988 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
989 goto end;
990
991 if (use_ext_cache) {
992 SSL_SESSION *tmp = sess2;
993
994 if (!TEST_int_eq(new_called, 1)
995 || !TEST_int_eq(remove_called, 0)
996 || !TEST_int_eq(get_called, 0))
997 goto end;
998 /*
999 * Delete the session from the internal cache to force a lookup from
1000 * the external cache. We take a copy first because
1001 * SSL_CTX_remove_session() also marks the session as non-resumable.
1002 */
1003 if (use_int_cache) {
1004 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1005 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1006 goto end;
1007 SSL_SESSION_free(sess2);
1008 }
1009 sess2 = tmp;
1010 }
1011
1012 new_called = remove_called = get_called = 0;
1013 get_sess_val = sess2;
1014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1015 &clientssl2, NULL, NULL))
1016 || !TEST_true(SSL_set_session(clientssl2, sess1))
1017 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1018 SSL_ERROR_NONE))
1019 || !TEST_true(SSL_session_reused(clientssl2)))
1020 goto end;
1021
1022 if (use_ext_cache) {
1023 if (!TEST_int_eq(new_called, 0)
1024 || !TEST_int_eq(remove_called, 0))
1025 goto end;
1026
1027 if (maxprot == TLS1_3_VERSION) {
1028 if (!TEST_int_eq(get_called, 0))
1029 goto end;
1030 } else {
1031 if (!TEST_int_eq(get_called, 1))
1032 goto end;
1033 }
1034 }
1035
1036 testresult = 1;
1037
1038 end:
1039 SSL_free(serverssl1);
1040 SSL_free(clientssl1);
1041 SSL_free(serverssl2);
1042 SSL_free(clientssl2);
1043 # ifndef OPENSSL_NO_TLS1_1
1044 SSL_free(serverssl3);
1045 SSL_free(clientssl3);
1046 # endif
1047 SSL_SESSION_free(sess1);
1048 SSL_SESSION_free(sess2);
1049 SSL_CTX_free(sctx);
1050 SSL_CTX_free(cctx);
1051
1052 return testresult;
1053 }
1054 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1055
1056 static int test_session_with_only_int_cache(void)
1057 {
1058 #ifndef OPENSSL_NO_TLS1_3
1059 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1060 return 0;
1061 #endif
1062
1063 #ifndef OPENSSL_NO_TLS1_2
1064 return execute_test_session(TLS1_2_VERSION, 1, 0);
1065 #else
1066 return 1;
1067 #endif
1068 }
1069
1070 static int test_session_with_only_ext_cache(void)
1071 {
1072 #ifndef OPENSSL_NO_TLS1_3
1073 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1074 return 0;
1075 #endif
1076
1077 #ifndef OPENSSL_NO_TLS1_2
1078 return execute_test_session(TLS1_2_VERSION, 0, 1);
1079 #else
1080 return 1;
1081 #endif
1082 }
1083
1084 static int test_session_with_both_cache(void)
1085 {
1086 #ifndef OPENSSL_NO_TLS1_3
1087 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1088 return 0;
1089 #endif
1090
1091 #ifndef OPENSSL_NO_TLS1_2
1092 return execute_test_session(TLS1_2_VERSION, 1, 1);
1093 #else
1094 return 1;
1095 #endif
1096 }
1097
1098 #define USE_NULL 0
1099 #define USE_BIO_1 1
1100 #define USE_BIO_2 2
1101
1102 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1103
1104 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1105 {
1106 switch (type) {
1107 case USE_NULL:
1108 *res = NULL;
1109 break;
1110 case USE_BIO_1:
1111 *res = bio1;
1112 break;
1113 case USE_BIO_2:
1114 *res = bio2;
1115 break;
1116 }
1117 }
1118
1119 static int test_ssl_set_bio(int idx)
1120 {
1121 SSL_CTX *ctx;
1122 BIO *bio1 = NULL;
1123 BIO *bio2 = NULL;
1124 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1125 SSL *ssl = NULL;
1126 int initrbio, initwbio, newrbio, newwbio;
1127 int testresult = 0;
1128
1129 initrbio = idx % 3;
1130 idx /= 3;
1131 initwbio = idx % 3;
1132 idx /= 3;
1133 newrbio = idx % 3;
1134 idx /= 3;
1135 newwbio = idx;
1136 if (!TEST_int_le(newwbio, 2))
1137 return 0;
1138
1139 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1140 || !TEST_ptr(ssl = SSL_new(ctx)))
1141 goto end;
1142
1143 if (initrbio == USE_BIO_1
1144 || initwbio == USE_BIO_1
1145 || newrbio == USE_BIO_1
1146 || newwbio == USE_BIO_1) {
1147 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1148 goto end;
1149 }
1150
1151 if (initrbio == USE_BIO_2
1152 || initwbio == USE_BIO_2
1153 || newrbio == USE_BIO_2
1154 || newwbio == USE_BIO_2) {
1155 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1156 goto end;
1157 }
1158
1159 setupbio(&irbio, bio1, bio2, initrbio);
1160 setupbio(&iwbio, bio1, bio2, initwbio);
1161
1162 /*
1163 * We want to maintain our own refs to these BIO, so do an up ref for each
1164 * BIO that will have ownership transferred in the SSL_set_bio() call
1165 */
1166 if (irbio != NULL)
1167 BIO_up_ref(irbio);
1168 if (iwbio != NULL && iwbio != irbio)
1169 BIO_up_ref(iwbio);
1170
1171 SSL_set_bio(ssl, irbio, iwbio);
1172
1173 setupbio(&nrbio, bio1, bio2, newrbio);
1174 setupbio(&nwbio, bio1, bio2, newwbio);
1175
1176 /*
1177 * We will (maybe) transfer ownership again so do more up refs.
1178 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1179 * already been set!
1180 */
1181 if (nrbio != NULL
1182 && nrbio != irbio
1183 && (nwbio != iwbio || nrbio != nwbio))
1184 BIO_up_ref(nrbio);
1185 if (nwbio != NULL
1186 && nwbio != nrbio
1187 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1188 BIO_up_ref(nwbio);
1189
1190 SSL_set_bio(ssl, nrbio, nwbio);
1191
1192 testresult = 1;
1193
1194 end:
1195 SSL_free(ssl);
1196 BIO_free(bio1);
1197 BIO_free(bio2);
1198
1199 /*
1200 * This test is checking that the ref counting for SSL_set_bio is correct.
1201 * If we get here and we did too many frees then we will fail in the above
1202 * functions. If we haven't done enough then this will only be detected in
1203 * a crypto-mdebug build
1204 */
1205 SSL_CTX_free(ctx);
1206 return testresult;
1207 }
1208
1209 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1210
1211 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1212 {
1213 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1214 SSL_CTX *ctx;
1215 SSL *ssl = NULL;
1216 int testresult = 0;
1217
1218 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1219 || !TEST_ptr(ssl = SSL_new(ctx))
1220 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1221 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1222 goto end;
1223
1224 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1225
1226 /*
1227 * If anything goes wrong here then we could leak memory, so this will
1228 * be caught in a crypto-mdebug build
1229 */
1230 BIO_push(sslbio, membio1);
1231
1232 /* Verify changing the rbio/wbio directly does not cause leaks */
1233 if (change_bio != NO_BIO_CHANGE) {
1234 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1235 goto end;
1236 if (change_bio == CHANGE_RBIO)
1237 SSL_set0_rbio(ssl, membio2);
1238 else
1239 SSL_set0_wbio(ssl, membio2);
1240 }
1241 ssl = NULL;
1242
1243 if (pop_ssl)
1244 BIO_pop(sslbio);
1245 else
1246 BIO_pop(membio1);
1247
1248 testresult = 1;
1249 end:
1250 BIO_free(membio1);
1251 BIO_free(sslbio);
1252 SSL_free(ssl);
1253 SSL_CTX_free(ctx);
1254
1255 return testresult;
1256 }
1257
1258 static int test_ssl_bio_pop_next_bio(void)
1259 {
1260 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1261 }
1262
1263 static int test_ssl_bio_pop_ssl_bio(void)
1264 {
1265 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1266 }
1267
1268 static int test_ssl_bio_change_rbio(void)
1269 {
1270 return execute_test_ssl_bio(0, CHANGE_RBIO);
1271 }
1272
1273 static int test_ssl_bio_change_wbio(void)
1274 {
1275 return execute_test_ssl_bio(0, CHANGE_WBIO);
1276 }
1277
1278 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1279 typedef struct {
1280 /* The list of sig algs */
1281 const int *list;
1282 /* The length of the list */
1283 size_t listlen;
1284 /* A sigalgs list in string format */
1285 const char *liststr;
1286 /* Whether setting the list should succeed */
1287 int valid;
1288 /* Whether creating a connection with the list should succeed */
1289 int connsuccess;
1290 } sigalgs_list;
1291
1292 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1293 # ifndef OPENSSL_NO_EC
1294 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1295 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1296 # endif
1297 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1298 static const int invalidlist2[] = {NID_sha256, NID_undef};
1299 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1300 static const int invalidlist4[] = {NID_sha256};
1301 static const sigalgs_list testsigalgs[] = {
1302 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1303 # ifndef OPENSSL_NO_EC
1304 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1305 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1306 # endif
1307 {NULL, 0, "RSA+SHA256", 1, 1},
1308 # ifndef OPENSSL_NO_EC
1309 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1310 {NULL, 0, "ECDSA+SHA512", 1, 0},
1311 # endif
1312 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1313 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1314 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1315 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1316 {NULL, 0, "RSA", 0, 0},
1317 {NULL, 0, "SHA256", 0, 0},
1318 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1319 {NULL, 0, "Invalid", 0, 0}
1320 };
1321
1322 static int test_set_sigalgs(int idx)
1323 {
1324 SSL_CTX *cctx = NULL, *sctx = NULL;
1325 SSL *clientssl = NULL, *serverssl = NULL;
1326 int testresult = 0;
1327 const sigalgs_list *curr;
1328 int testctx;
1329
1330 /* Should never happen */
1331 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1332 return 0;
1333
1334 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1335 curr = testctx ? &testsigalgs[idx]
1336 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1337
1338 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1339 TLS_client_method(), &sctx,
1340 &cctx, cert, privkey)))
1341 return 0;
1342
1343 /*
1344 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1345 * for TLSv1.2 for now until we add a new API.
1346 */
1347 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1348
1349 if (testctx) {
1350 int ret;
1351
1352 if (curr->list != NULL)
1353 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1354 else
1355 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1356
1357 if (!ret) {
1358 if (curr->valid)
1359 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1360 else
1361 testresult = 1;
1362 goto end;
1363 }
1364 if (!curr->valid) {
1365 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1366 goto end;
1367 }
1368 }
1369
1370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1371 &clientssl, NULL, NULL)))
1372 goto end;
1373
1374 if (!testctx) {
1375 int ret;
1376
1377 if (curr->list != NULL)
1378 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1379 else
1380 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1381 if (!ret) {
1382 if (curr->valid)
1383 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1384 else
1385 testresult = 1;
1386 goto end;
1387 }
1388 if (!curr->valid)
1389 goto end;
1390 }
1391
1392 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1393 SSL_ERROR_NONE),
1394 curr->connsuccess))
1395 goto end;
1396
1397 testresult = 1;
1398
1399 end:
1400 SSL_free(serverssl);
1401 SSL_free(clientssl);
1402 SSL_CTX_free(sctx);
1403 SSL_CTX_free(cctx);
1404
1405 return testresult;
1406 }
1407 #endif
1408
1409 #ifndef OPENSSL_NO_TLS1_3
1410
1411 static SSL_SESSION *clientpsk = NULL;
1412 static SSL_SESSION *serverpsk = NULL;
1413 static const char *pskid = "Identity";
1414 static const char *srvid;
1415
1416 static int use_session_cb_cnt = 0;
1417 static int find_session_cb_cnt = 0;
1418 static int psk_client_cb_cnt = 0;
1419 static int psk_server_cb_cnt = 0;
1420
1421 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1422 size_t *idlen, SSL_SESSION **sess)
1423 {
1424 switch (++use_session_cb_cnt) {
1425 case 1:
1426 /* The first call should always have a NULL md */
1427 if (md != NULL)
1428 return 0;
1429 break;
1430
1431 case 2:
1432 /* The second call should always have an md */
1433 if (md == NULL)
1434 return 0;
1435 break;
1436
1437 default:
1438 /* We should only be called a maximum of twice */
1439 return 0;
1440 }
1441
1442 if (clientpsk != NULL)
1443 SSL_SESSION_up_ref(clientpsk);
1444
1445 *sess = clientpsk;
1446 *id = (const unsigned char *)pskid;
1447 *idlen = strlen(pskid);
1448
1449 return 1;
1450 }
1451
1452 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1453 unsigned int max_id_len,
1454 unsigned char *psk,
1455 unsigned int max_psk_len)
1456 {
1457 unsigned int psklen = 0;
1458
1459 psk_client_cb_cnt++;
1460
1461 if (strlen(pskid) + 1 > max_id_len)
1462 return 0;
1463
1464 /* We should only ever be called a maximum of twice per connection */
1465 if (psk_client_cb_cnt > 2)
1466 return 0;
1467
1468 if (clientpsk == NULL)
1469 return 0;
1470
1471 /* We'll reuse the PSK we set up for TLSv1.3 */
1472 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1473 return 0;
1474 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1475 strncpy(id, pskid, max_id_len);
1476
1477 return psklen;
1478 }
1479
1480 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1481 size_t identity_len, SSL_SESSION **sess)
1482 {
1483 find_session_cb_cnt++;
1484
1485 /* We should only ever be called a maximum of twice per connection */
1486 if (find_session_cb_cnt > 2)
1487 return 0;
1488
1489 if (serverpsk == NULL)
1490 return 0;
1491
1492 /* Identity should match that set by the client */
1493 if (strlen(srvid) != identity_len
1494 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1495 /* No PSK found, continue but without a PSK */
1496 *sess = NULL;
1497 return 1;
1498 }
1499
1500 SSL_SESSION_up_ref(serverpsk);
1501 *sess = serverpsk;
1502
1503 return 1;
1504 }
1505
1506 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1507 unsigned char *psk, unsigned int max_psk_len)
1508 {
1509 unsigned int psklen = 0;
1510
1511 psk_server_cb_cnt++;
1512
1513 /* We should only ever be called a maximum of twice per connection */
1514 if (find_session_cb_cnt > 2)
1515 return 0;
1516
1517 if (serverpsk == NULL)
1518 return 0;
1519
1520 /* Identity should match that set by the client */
1521 if (strcmp(srvid, identity) != 0) {
1522 return 0;
1523 }
1524
1525 /* We'll reuse the PSK we set up for TLSv1.3 */
1526 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1527 return 0;
1528 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1529
1530 return psklen;
1531 }
1532
1533 #define MSG1 "Hello"
1534 #define MSG2 "World."
1535 #define MSG3 "This"
1536 #define MSG4 "is"
1537 #define MSG5 "a"
1538 #define MSG6 "test"
1539 #define MSG7 "message."
1540
1541 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1542 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1543
1544 /*
1545 * Helper method to setup objects for early data test. Caller frees objects on
1546 * error.
1547 */
1548 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1549 SSL **serverssl, SSL_SESSION **sess, int idx)
1550 {
1551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1552 TLS_client_method(), sctx,
1553 cctx, cert, privkey))
1554 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1555 SSL3_RT_MAX_PLAIN_LENGTH))
1556 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1557 SSL3_RT_MAX_PLAIN_LENGTH)))
1558 return 0;
1559
1560 if (idx == 1) {
1561 /* When idx == 1 we repeat the tests with read_ahead set */
1562 SSL_CTX_set_read_ahead(*cctx, 1);
1563 SSL_CTX_set_read_ahead(*sctx, 1);
1564 } else if (idx == 2) {
1565 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1566 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1567 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1568 use_session_cb_cnt = 0;
1569 find_session_cb_cnt = 0;
1570 srvid = pskid;
1571 }
1572
1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1574 NULL, NULL)))
1575 return 0;
1576
1577 /*
1578 * For one of the run throughs (doesn't matter which one), we'll try sending
1579 * some SNI data in the initial ClientHello. This will be ignored (because
1580 * there is no SNI cb set up by the server), so it should not impact
1581 * early_data.
1582 */
1583 if (idx == 1
1584 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1585 return 0;
1586
1587 if (idx == 2) {
1588 /* Create the PSK */
1589 const SSL_CIPHER *cipher = NULL;
1590 const unsigned char key[] = {
1591 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1592 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1593 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1594 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1595 0x2c, 0x2d, 0x2e, 0x2f
1596 };
1597
1598 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1599 clientpsk = SSL_SESSION_new();
1600 if (!TEST_ptr(clientpsk)
1601 || !TEST_ptr(cipher)
1602 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1603 sizeof(key)))
1604 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1605 || !TEST_true(
1606 SSL_SESSION_set_protocol_version(clientpsk,
1607 TLS1_3_VERSION))
1608 /*
1609 * We just choose an arbitrary value for max_early_data which
1610 * should be big enough for testing purposes.
1611 */
1612 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1613 0x100))
1614 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1615 SSL_SESSION_free(clientpsk);
1616 clientpsk = NULL;
1617 return 0;
1618 }
1619 serverpsk = clientpsk;
1620
1621 if (sess != NULL)
1622 *sess = clientpsk;
1623 return 1;
1624 }
1625
1626 if (sess == NULL)
1627 return 1;
1628
1629 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1630 SSL_ERROR_NONE)))
1631 return 0;
1632
1633 *sess = SSL_get1_session(*clientssl);
1634 SSL_shutdown(*clientssl);
1635 SSL_shutdown(*serverssl);
1636 SSL_free(*serverssl);
1637 SSL_free(*clientssl);
1638 *serverssl = *clientssl = NULL;
1639
1640 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1641 clientssl, NULL, NULL))
1642 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1643 return 0;
1644
1645 return 1;
1646 }
1647
1648 static int test_early_data_read_write(int idx)
1649 {
1650 SSL_CTX *cctx = NULL, *sctx = NULL;
1651 SSL *clientssl = NULL, *serverssl = NULL;
1652 int testresult = 0;
1653 SSL_SESSION *sess = NULL;
1654 unsigned char buf[20], data[1024];
1655 size_t readbytes, written, eoedlen, rawread, rawwritten;
1656 BIO *rbio;
1657
1658 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1659 &serverssl, &sess, idx)))
1660 goto end;
1661
1662 /* Write and read some early data */
1663 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1664 &written))
1665 || !TEST_size_t_eq(written, strlen(MSG1))
1666 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1667 sizeof(buf), &readbytes),
1668 SSL_READ_EARLY_DATA_SUCCESS)
1669 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1670 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1671 SSL_EARLY_DATA_ACCEPTED))
1672 goto end;
1673
1674 /*
1675 * Server should be able to write data, and client should be able to
1676 * read it.
1677 */
1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1679 &written))
1680 || !TEST_size_t_eq(written, strlen(MSG2))
1681 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1682 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1683 goto end;
1684
1685 /* Even after reading normal data, client should be able write early data */
1686 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1687 &written))
1688 || !TEST_size_t_eq(written, strlen(MSG3)))
1689 goto end;
1690
1691 /* Server should still be able read early data after writing data */
1692 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1693 &readbytes),
1694 SSL_READ_EARLY_DATA_SUCCESS)
1695 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1696 goto end;
1697
1698 /* Write more data from server and read it from client */
1699 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1700 &written))
1701 || !TEST_size_t_eq(written, strlen(MSG4))
1702 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1703 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1704 goto end;
1705
1706 /*
1707 * If client writes normal data it should mean writing early data is no
1708 * longer possible.
1709 */
1710 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1711 || !TEST_size_t_eq(written, strlen(MSG5))
1712 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1713 SSL_EARLY_DATA_ACCEPTED))
1714 goto end;
1715
1716 /*
1717 * At this point the client has written EndOfEarlyData, ClientFinished and
1718 * normal (fully protected) data. We are going to cause a delay between the
1719 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1720 * in the read BIO, and then just put back the EndOfEarlyData message.
1721 */
1722 rbio = SSL_get_rbio(serverssl);
1723 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1724 || !TEST_size_t_lt(rawread, sizeof(data))
1725 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1726 goto end;
1727
1728 /* Record length is in the 4th and 5th bytes of the record header */
1729 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1730 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1731 || !TEST_size_t_eq(rawwritten, eoedlen))
1732 goto end;
1733
1734 /* Server should be told that there is no more early data */
1735 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1736 &readbytes),
1737 SSL_READ_EARLY_DATA_FINISH)
1738 || !TEST_size_t_eq(readbytes, 0))
1739 goto end;
1740
1741 /*
1742 * Server has not finished init yet, so should still be able to write early
1743 * data.
1744 */
1745 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1746 &written))
1747 || !TEST_size_t_eq(written, strlen(MSG6)))
1748 goto end;
1749
1750 /* Push the ClientFinished and the normal data back into the server rbio */
1751 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1752 &rawwritten))
1753 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1754 goto end;
1755
1756 /* Server should be able to read normal data */
1757 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1758 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1759 goto end;
1760
1761 /* Client and server should not be able to write/read early data now */
1762 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1763 &written)))
1764 goto end;
1765 ERR_clear_error();
1766 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1767 &readbytes),
1768 SSL_READ_EARLY_DATA_ERROR))
1769 goto end;
1770 ERR_clear_error();
1771
1772 /* Client should be able to read the data sent by the server */
1773 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1774 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1775 goto end;
1776
1777 /*
1778 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1779 * We attempt a read which we do not expect to return any data.
1780 */
1781 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1782 goto end;
1783
1784 /* Server should be able to write normal data */
1785 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1786 || !TEST_size_t_eq(written, strlen(MSG7))
1787 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1788 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1789 goto end;
1790
1791 /* We keep the PSK session around if using PSK */
1792 if (idx != 2)
1793 SSL_SESSION_free(sess);
1794 sess = SSL_get1_session(clientssl);
1795 use_session_cb_cnt = 0;
1796 find_session_cb_cnt = 0;
1797
1798 SSL_shutdown(clientssl);
1799 SSL_shutdown(serverssl);
1800 SSL_free(serverssl);
1801 SSL_free(clientssl);
1802 serverssl = clientssl = NULL;
1803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1804 &clientssl, NULL, NULL))
1805 || !TEST_true(SSL_set_session(clientssl, sess)))
1806 goto end;
1807
1808 /* Write and read some early data */
1809 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1810 &written))
1811 || !TEST_size_t_eq(written, strlen(MSG1))
1812 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1813 &readbytes),
1814 SSL_READ_EARLY_DATA_SUCCESS)
1815 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1816 goto end;
1817
1818 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1819 || !TEST_int_gt(SSL_accept(serverssl), 0))
1820 goto end;
1821
1822 /* Client and server should not be able to write/read early data now */
1823 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1824 &written)))
1825 goto end;
1826 ERR_clear_error();
1827 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1828 &readbytes),
1829 SSL_READ_EARLY_DATA_ERROR))
1830 goto end;
1831 ERR_clear_error();
1832
1833 /* Client and server should be able to write/read normal data */
1834 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1835 || !TEST_size_t_eq(written, strlen(MSG5))
1836 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1837 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1838 goto end;
1839
1840 testresult = 1;
1841
1842 end:
1843 if (sess != clientpsk)
1844 SSL_SESSION_free(sess);
1845 SSL_SESSION_free(clientpsk);
1846 SSL_SESSION_free(serverpsk);
1847 clientpsk = serverpsk = NULL;
1848 SSL_free(serverssl);
1849 SSL_free(clientssl);
1850 SSL_CTX_free(sctx);
1851 SSL_CTX_free(cctx);
1852 return testresult;
1853 }
1854
1855 /*
1856 * Helper function to test that a server attempting to read early data can
1857 * handle a connection from a client where the early data should be skipped.
1858 */
1859 static int early_data_skip_helper(int hrr, int idx)
1860 {
1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
1863 int testresult = 0;
1864 SSL_SESSION *sess = NULL;
1865 unsigned char buf[20];
1866 size_t readbytes, written;
1867
1868 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1869 &serverssl, &sess, idx)))
1870 goto end;
1871
1872 if (hrr) {
1873 /* Force an HRR to occur */
1874 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1875 goto end;
1876 } else if (idx == 2) {
1877 /*
1878 * We force early_data rejection by ensuring the PSK identity is
1879 * unrecognised
1880 */
1881 srvid = "Dummy Identity";
1882 } else {
1883 /*
1884 * Deliberately corrupt the creation time. We take 20 seconds off the
1885 * time. It could be any value as long as it is not within tolerance.
1886 * This should mean the ticket is rejected.
1887 */
1888 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1889 goto end;
1890 }
1891
1892 /* Write some early data */
1893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1894 &written))
1895 || !TEST_size_t_eq(written, strlen(MSG1)))
1896 goto end;
1897
1898 /* Server should reject the early data and skip over it */
1899 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1900 &readbytes),
1901 SSL_READ_EARLY_DATA_FINISH)
1902 || !TEST_size_t_eq(readbytes, 0)
1903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1904 SSL_EARLY_DATA_REJECTED))
1905 goto end;
1906
1907 if (hrr) {
1908 /*
1909 * Finish off the handshake. We perform the same writes and reads as
1910 * further down but we expect them to fail due to the incomplete
1911 * handshake.
1912 */
1913 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1914 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1915 &readbytes)))
1916 goto end;
1917 }
1918
1919 /* Should be able to send normal data despite rejection of early data */
1920 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1921 || !TEST_size_t_eq(written, strlen(MSG2))
1922 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1923 SSL_EARLY_DATA_REJECTED)
1924 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1925 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1926 goto end;
1927
1928 testresult = 1;
1929
1930 end:
1931 if (sess != clientpsk)
1932 SSL_SESSION_free(clientpsk);
1933 SSL_SESSION_free(serverpsk);
1934 clientpsk = serverpsk = NULL;
1935 SSL_SESSION_free(sess);
1936 SSL_free(serverssl);
1937 SSL_free(clientssl);
1938 SSL_CTX_free(sctx);
1939 SSL_CTX_free(cctx);
1940 return testresult;
1941 }
1942
1943 /*
1944 * Test that a server attempting to read early data can handle a connection
1945 * from a client where the early data is not acceptable.
1946 */
1947 static int test_early_data_skip(int idx)
1948 {
1949 return early_data_skip_helper(0, idx);
1950 }
1951
1952 /*
1953 * Test that a server attempting to read early data can handle a connection
1954 * from a client where an HRR occurs.
1955 */
1956 static int test_early_data_skip_hrr(int idx)
1957 {
1958 return early_data_skip_helper(1, idx);
1959 }
1960
1961 /*
1962 * Test that a server attempting to read early data can handle a connection
1963 * from a client that doesn't send any.
1964 */
1965 static int test_early_data_not_sent(int idx)
1966 {
1967 SSL_CTX *cctx = NULL, *sctx = NULL;
1968 SSL *clientssl = NULL, *serverssl = NULL;
1969 int testresult = 0;
1970 SSL_SESSION *sess = NULL;
1971 unsigned char buf[20];
1972 size_t readbytes, written;
1973
1974 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1975 &serverssl, &sess, idx)))
1976 goto end;
1977
1978 /* Write some data - should block due to handshake with server */
1979 SSL_set_connect_state(clientssl);
1980 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1981 goto end;
1982
1983 /* Server should detect that early data has not been sent */
1984 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1985 &readbytes),
1986 SSL_READ_EARLY_DATA_FINISH)
1987 || !TEST_size_t_eq(readbytes, 0)
1988 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1989 SSL_EARLY_DATA_NOT_SENT)
1990 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1991 SSL_EARLY_DATA_NOT_SENT))
1992 goto end;
1993
1994 /* Continue writing the message we started earlier */
1995 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1996 || !TEST_size_t_eq(written, strlen(MSG1))
1997 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1998 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1999 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2000 || !TEST_size_t_eq(written, strlen(MSG2)))
2001 goto end;
2002
2003 /*
2004 * Should block due to the NewSessionTicket arrival unless we're using
2005 * read_ahead
2006 */
2007 if (idx != 1) {
2008 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2009 goto end;
2010 }
2011
2012 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2013 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2014 goto end;
2015
2016 testresult = 1;
2017
2018 end:
2019 /* If using PSK then clientpsk and sess are the same */
2020 SSL_SESSION_free(sess);
2021 SSL_SESSION_free(serverpsk);
2022 clientpsk = serverpsk = NULL;
2023 SSL_free(serverssl);
2024 SSL_free(clientssl);
2025 SSL_CTX_free(sctx);
2026 SSL_CTX_free(cctx);
2027 return testresult;
2028 }
2029
2030 static int hostname_cb(SSL *s, int *al, void *arg)
2031 {
2032 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2033
2034 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2035 return SSL_TLSEXT_ERR_OK;
2036
2037 return SSL_TLSEXT_ERR_NOACK;
2038 }
2039
2040 static const char *servalpn;
2041
2042 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2043 unsigned char *outlen, const unsigned char *in,
2044 unsigned int inlen, void *arg)
2045 {
2046 unsigned int protlen = 0;
2047 const unsigned char *prot;
2048
2049 for (prot = in; prot < in + inlen; prot += protlen) {
2050 protlen = *prot++;
2051 if (in + inlen < prot + protlen)
2052 return SSL_TLSEXT_ERR_NOACK;
2053
2054 if (protlen == strlen(servalpn)
2055 && memcmp(prot, servalpn, protlen) == 0) {
2056 *out = prot;
2057 *outlen = protlen;
2058 return SSL_TLSEXT_ERR_OK;
2059 }
2060 }
2061
2062 return SSL_TLSEXT_ERR_NOACK;
2063 }
2064
2065 /* Test that a PSK can be used to send early_data */
2066 static int test_early_data_psk(int idx)
2067 {
2068 SSL_CTX *cctx = NULL, *sctx = NULL;
2069 SSL *clientssl = NULL, *serverssl = NULL;
2070 int testresult = 0;
2071 SSL_SESSION *sess = NULL;
2072 unsigned char alpnlist[] = {
2073 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2074 'l', 'p', 'n'
2075 };
2076 #define GOODALPNLEN 9
2077 #define BADALPNLEN 8
2078 #define GOODALPN (alpnlist)
2079 #define BADALPN (alpnlist + GOODALPNLEN)
2080 int err = 0;
2081 unsigned char buf[20];
2082 size_t readbytes, written;
2083 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2084 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2085
2086 /* We always set this up with a final parameter of "2" for PSK */
2087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2088 &serverssl, &sess, 2)))
2089 goto end;
2090
2091 servalpn = "goodalpn";
2092
2093 /*
2094 * Note: There is no test for inconsistent SNI with late client detection.
2095 * This is because servers do not acknowledge SNI even if they are using
2096 * it in a resumption handshake - so it is not actually possible for a
2097 * client to detect a problem.
2098 */
2099 switch (idx) {
2100 case 0:
2101 /* Set inconsistent SNI (early client detection) */
2102 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2103 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2104 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2105 goto end;
2106 break;
2107
2108 case 1:
2109 /* Set inconsistent ALPN (early client detection) */
2110 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2111 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2112 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2113 GOODALPNLEN))
2114 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2115 BADALPNLEN)))
2116 goto end;
2117 break;
2118
2119 case 2:
2120 /*
2121 * Set invalid protocol version. Technically this affects PSKs without
2122 * early_data too, but we test it here because it is similar to the
2123 * SNI/ALPN consistency tests.
2124 */
2125 err = SSL_R_BAD_PSK;
2126 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2127 goto end;
2128 break;
2129
2130 case 3:
2131 /*
2132 * Set inconsistent SNI (server detected). In this case the connection
2133 * will succeed but reject early_data.
2134 */
2135 SSL_SESSION_free(serverpsk);
2136 serverpsk = SSL_SESSION_dup(clientpsk);
2137 if (!TEST_ptr(serverpsk)
2138 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2139 goto end;
2140 edstatus = SSL_EARLY_DATA_REJECTED;
2141 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2142 /* Fall through */
2143 case 4:
2144 /* Set consistent SNI */
2145 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2146 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2147 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2148 hostname_cb)))
2149 goto end;
2150 break;
2151
2152 case 5:
2153 /*
2154 * Set inconsistent ALPN (server detected). In this case the connection
2155 * will succeed but reject early_data.
2156 */
2157 servalpn = "badalpn";
2158 edstatus = SSL_EARLY_DATA_REJECTED;
2159 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2160 /* Fall through */
2161 case 6:
2162 /*
2163 * Set consistent ALPN.
2164 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2165 * accepts a list of protos (each one length prefixed).
2166 * SSL_set1_alpn_selected accepts a single protocol (not length
2167 * prefixed)
2168 */
2169 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2170 GOODALPNLEN - 1))
2171 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2172 GOODALPNLEN)))
2173 goto end;
2174
2175 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2176 break;
2177
2178 case 7:
2179 /* Set inconsistent ALPN (late client detection) */
2180 SSL_SESSION_free(serverpsk);
2181 serverpsk = SSL_SESSION_dup(clientpsk);
2182 if (!TEST_ptr(serverpsk)
2183 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2184 BADALPN + 1,
2185 BADALPNLEN - 1))
2186 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2187 GOODALPN + 1,
2188 GOODALPNLEN - 1))
2189 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2190 sizeof(alpnlist))))
2191 goto end;
2192 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2193 edstatus = SSL_EARLY_DATA_ACCEPTED;
2194 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2195 /* SSL_connect() call should fail */
2196 connectres = -1;
2197 break;
2198
2199 default:
2200 TEST_error("Bad test index");
2201 goto end;
2202 }
2203
2204 SSL_set_connect_state(clientssl);
2205 if (err != 0) {
2206 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2207 &written))
2208 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2209 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2210 goto end;
2211 } else {
2212 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2213 &written)))
2214 goto end;
2215
2216 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2217 &readbytes), readearlyres)
2218 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2219 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2220 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2221 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2222 goto end;
2223 }
2224
2225 testresult = 1;
2226
2227 end:
2228 SSL_SESSION_free(clientpsk);
2229 SSL_SESSION_free(serverpsk);
2230 clientpsk = serverpsk = NULL;
2231 SSL_free(serverssl);
2232 SSL_free(clientssl);
2233 SSL_CTX_free(sctx);
2234 SSL_CTX_free(cctx);
2235 return testresult;
2236 }
2237
2238 /*
2239 * Test that a server that doesn't try to read early data can handle a
2240 * client sending some.
2241 */
2242 static int test_early_data_not_expected(int idx)
2243 {
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2246 int testresult = 0;
2247 SSL_SESSION *sess = NULL;
2248 unsigned char buf[20];
2249 size_t readbytes, written;
2250
2251 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2252 &serverssl, &sess, idx)))
2253 goto end;
2254
2255 /* Write some early data */
2256 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2257 &written)))
2258 goto end;
2259
2260 /*
2261 * Server should skip over early data and then block waiting for client to
2262 * continue handshake
2263 */
2264 if (!TEST_int_le(SSL_accept(serverssl), 0)
2265 || !TEST_int_gt(SSL_connect(clientssl), 0)
2266 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2267 SSL_EARLY_DATA_REJECTED)
2268 || !TEST_int_gt(SSL_accept(serverssl), 0)
2269 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2270 SSL_EARLY_DATA_REJECTED))
2271 goto end;
2272
2273 /* Send some normal data from client to server */
2274 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2275 || !TEST_size_t_eq(written, strlen(MSG2)))
2276 goto end;
2277
2278 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2279 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2280 goto end;
2281
2282 testresult = 1;
2283
2284 end:
2285 /* If using PSK then clientpsk and sess are the same */
2286 SSL_SESSION_free(sess);
2287 SSL_SESSION_free(serverpsk);
2288 clientpsk = serverpsk = NULL;
2289 SSL_free(serverssl);
2290 SSL_free(clientssl);
2291 SSL_CTX_free(sctx);
2292 SSL_CTX_free(cctx);
2293 return testresult;
2294 }
2295
2296
2297 # ifndef OPENSSL_NO_TLS1_2
2298 /*
2299 * Test that a server attempting to read early data can handle a connection
2300 * from a TLSv1.2 client.
2301 */
2302 static int test_early_data_tls1_2(int idx)
2303 {
2304 SSL_CTX *cctx = NULL, *sctx = NULL;
2305 SSL *clientssl = NULL, *serverssl = NULL;
2306 int testresult = 0;
2307 unsigned char buf[20];
2308 size_t readbytes, written;
2309
2310 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2311 &serverssl, NULL, idx)))
2312 goto end;
2313
2314 /* Write some data - should block due to handshake with server */
2315 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2316 SSL_set_connect_state(clientssl);
2317 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2318 goto end;
2319
2320 /*
2321 * Server should do TLSv1.2 handshake. First it will block waiting for more
2322 * messages from client after ServerDone. Then SSL_read_early_data should
2323 * finish and detect that early data has not been sent
2324 */
2325 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2326 &readbytes),
2327 SSL_READ_EARLY_DATA_ERROR))
2328 goto end;
2329
2330 /*
2331 * Continue writing the message we started earlier. Will still block waiting
2332 * for the CCS/Finished from server
2333 */
2334 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2335 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2336 &readbytes),
2337 SSL_READ_EARLY_DATA_FINISH)
2338 || !TEST_size_t_eq(readbytes, 0)
2339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2340 SSL_EARLY_DATA_NOT_SENT))
2341 goto end;
2342
2343 /* Continue writing the message we started earlier */
2344 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2345 || !TEST_size_t_eq(written, strlen(MSG1))
2346 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2347 SSL_EARLY_DATA_NOT_SENT)
2348 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2349 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2350 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2351 || !TEST_size_t_eq(written, strlen(MSG2))
2352 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2353 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2354 goto end;
2355
2356 testresult = 1;
2357
2358 end:
2359 /* If using PSK then clientpsk and sess are the same */
2360 SSL_SESSION_free(clientpsk);
2361 SSL_SESSION_free(serverpsk);
2362 clientpsk = serverpsk = NULL;
2363 SSL_free(serverssl);
2364 SSL_free(clientssl);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369 }
2370 # endif /* OPENSSL_NO_TLS1_2 */
2371
2372 static int test_ciphersuite_change(void)
2373 {
2374 SSL_CTX *cctx = NULL, *sctx = NULL;
2375 SSL *clientssl = NULL, *serverssl = NULL;
2376 SSL_SESSION *clntsess = NULL;
2377 int testresult = 0;
2378 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2379
2380 /* Create a session based on SHA-256 */
2381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2382 TLS_client_method(), &sctx,
2383 &cctx, cert, privkey))
2384 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2385 "TLS13-AES-128-GCM-SHA256"))
2386 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL))
2388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2389 SSL_ERROR_NONE)))
2390 goto end;
2391
2392 clntsess = SSL_get1_session(clientssl);
2393 /* Save for later */
2394 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2395 SSL_shutdown(clientssl);
2396 SSL_shutdown(serverssl);
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2399 serverssl = clientssl = NULL;
2400
2401 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2402 /* Check we can resume a session with a different SHA-256 ciphersuite */
2403 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2404 "TLS13-CHACHA20-POLY1305-SHA256"))
2405 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2406 NULL, NULL))
2407 || !TEST_true(SSL_set_session(clientssl, clntsess))
2408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2409 SSL_ERROR_NONE))
2410 || !TEST_true(SSL_session_reused(clientssl)))
2411 goto end;
2412
2413 SSL_SESSION_free(clntsess);
2414 clntsess = SSL_get1_session(clientssl);
2415 SSL_shutdown(clientssl);
2416 SSL_shutdown(serverssl);
2417 SSL_free(serverssl);
2418 SSL_free(clientssl);
2419 serverssl = clientssl = NULL;
2420 # endif
2421
2422 /*
2423 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2424 * succeeds but does not resume.
2425 */
2426 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2427 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2428 NULL, NULL))
2429 || !TEST_true(SSL_set_session(clientssl, clntsess))
2430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2431 SSL_ERROR_SSL))
2432 || !TEST_false(SSL_session_reused(clientssl)))
2433 goto end;
2434
2435 SSL_SESSION_free(clntsess);
2436 clntsess = NULL;
2437 SSL_shutdown(clientssl);
2438 SSL_shutdown(serverssl);
2439 SSL_free(serverssl);
2440 SSL_free(clientssl);
2441 serverssl = clientssl = NULL;
2442
2443 /* Create a session based on SHA384 */
2444 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2445 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2446 &clientssl, NULL, NULL))
2447 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2448 SSL_ERROR_NONE)))
2449 goto end;
2450
2451 clntsess = SSL_get1_session(clientssl);
2452 SSL_shutdown(clientssl);
2453 SSL_shutdown(serverssl);
2454 SSL_free(serverssl);
2455 SSL_free(clientssl);
2456 serverssl = clientssl = NULL;
2457
2458 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2459 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2460 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2461 "TLS13-AES-256-GCM-SHA384"))
2462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2463 NULL, NULL))
2464 || !TEST_true(SSL_set_session(clientssl, clntsess))
2465 /*
2466 * We use SSL_ERROR_WANT_READ below so that we can pause the
2467 * connection after the initial ClientHello has been sent to
2468 * enable us to make some session changes.
2469 */
2470 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2471 SSL_ERROR_WANT_READ)))
2472 goto end;
2473
2474 /* Trick the client into thinking this session is for a different digest */
2475 clntsess->cipher = aes_128_gcm_sha256;
2476 clntsess->cipher_id = clntsess->cipher->id;
2477
2478 /*
2479 * Continue the previously started connection. Server has selected a SHA-384
2480 * ciphersuite, but client thinks the session is for SHA-256, so it should
2481 * bail out.
2482 */
2483 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2484 SSL_ERROR_SSL))
2485 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2486 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2487 goto end;
2488
2489 testresult = 1;
2490
2491 end:
2492 SSL_SESSION_free(clntsess);
2493 SSL_free(serverssl);
2494 SSL_free(clientssl);
2495 SSL_CTX_free(sctx);
2496 SSL_CTX_free(cctx);
2497
2498 return testresult;
2499 }
2500
2501 static int test_tls13_psk(int idx)
2502 {
2503 SSL_CTX *sctx = NULL, *cctx = NULL;
2504 SSL *serverssl = NULL, *clientssl = NULL;
2505 const SSL_CIPHER *cipher = NULL;
2506 const unsigned char key[] = {
2507 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2508 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2509 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2510 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2511 };
2512 int testresult = 0;
2513
2514 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2515 TLS_client_method(), &sctx,
2516 &cctx, cert, privkey)))
2517 goto end;
2518
2519 /*
2520 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2521 * which will always default to SHA256
2522 */
2523 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-128-GCM-SHA256")))
2524 goto end;
2525
2526 /*
2527 * Test 0: New style callbacks only
2528 * Test 1: New and old style callbacks (only the new ones should be used)
2529 * Test 2: Old style callbacks only
2530 */
2531 if (idx == 0 || idx == 1) {
2532 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2533 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2534 }
2535 if (idx == 1 || idx == 2) {
2536 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2537 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2538 }
2539 srvid = pskid;
2540 use_session_cb_cnt = 0;
2541 find_session_cb_cnt = 0;
2542 psk_client_cb_cnt = 0;
2543 psk_server_cb_cnt = 0;
2544
2545 /* Check we can create a connection if callback decides not to send a PSK */
2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2547 NULL, NULL))
2548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2549 SSL_ERROR_NONE))
2550 || !TEST_false(SSL_session_reused(clientssl))
2551 || !TEST_false(SSL_session_reused(serverssl)))
2552 goto end;
2553
2554 if (idx == 0 || idx == 1) {
2555 if (!TEST_true(use_session_cb_cnt == 1)
2556 || !TEST_true(find_session_cb_cnt == 0)
2557 /*
2558 * If no old style callback then below should be 0
2559 * otherwise 1
2560 */
2561 || !TEST_true(psk_client_cb_cnt == idx)
2562 || !TEST_true(psk_server_cb_cnt == 0))
2563 goto end;
2564 } else {
2565 if (!TEST_true(use_session_cb_cnt == 0)
2566 || !TEST_true(find_session_cb_cnt == 0)
2567 || !TEST_true(psk_client_cb_cnt == 1)
2568 || !TEST_true(psk_server_cb_cnt == 0))
2569 goto end;
2570 }
2571
2572 shutdown_ssl_connection(serverssl, clientssl);
2573 serverssl = clientssl = NULL;
2574 use_session_cb_cnt = psk_client_cb_cnt = 0;
2575
2576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2577 NULL, NULL)))
2578 goto end;
2579
2580 /* Create the PSK */
2581 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2582 clientpsk = SSL_SESSION_new();
2583 if (!TEST_ptr(clientpsk)
2584 || !TEST_ptr(cipher)
2585 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2586 sizeof(key)))
2587 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2588 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2589 TLS1_3_VERSION))
2590 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2591 goto end;
2592 serverpsk = clientpsk;
2593
2594 /* Check we can create a connection and the PSK is used */
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl))
2597 || !TEST_true(SSL_session_reused(serverssl)))
2598 goto end;
2599
2600 if (idx == 0 || idx == 1) {
2601 if (!TEST_true(use_session_cb_cnt == 1)
2602 || !TEST_true(find_session_cb_cnt == 1)
2603 || !TEST_true(psk_client_cb_cnt == 0)
2604 || !TEST_true(psk_server_cb_cnt == 0))
2605 goto end;
2606 } else {
2607 if (!TEST_true(use_session_cb_cnt == 0)
2608 || !TEST_true(find_session_cb_cnt == 0)
2609 || !TEST_true(psk_client_cb_cnt == 1)
2610 || !TEST_true(psk_server_cb_cnt == 1))
2611 goto end;
2612 }
2613
2614 shutdown_ssl_connection(serverssl, clientssl);
2615 serverssl = clientssl = NULL;
2616 use_session_cb_cnt = find_session_cb_cnt = 0;
2617 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2618
2619 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2620 NULL, NULL)))
2621 goto end;
2622
2623 /* Force an HRR */
2624 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2625 goto end;
2626
2627 /*
2628 * Check we can create a connection, the PSK is used and the callbacks are
2629 * called twice.
2630 */
2631 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2632 || !TEST_true(SSL_session_reused(clientssl))
2633 || !TEST_true(SSL_session_reused(serverssl)))
2634 goto end;
2635
2636 if (idx == 0 || idx == 1) {
2637 if (!TEST_true(use_session_cb_cnt == 2)
2638 || !TEST_true(find_session_cb_cnt == 2)
2639 || !TEST_true(psk_client_cb_cnt == 0)
2640 || !TEST_true(psk_server_cb_cnt == 0))
2641 goto end;
2642 } else {
2643 if (!TEST_true(use_session_cb_cnt == 0)
2644 || !TEST_true(find_session_cb_cnt == 0)
2645 || !TEST_true(psk_client_cb_cnt == 2)
2646 || !TEST_true(psk_server_cb_cnt == 2))
2647 goto end;
2648 }
2649
2650 shutdown_ssl_connection(serverssl, clientssl);
2651 serverssl = clientssl = NULL;
2652 use_session_cb_cnt = find_session_cb_cnt = 0;
2653 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2654
2655 /*
2656 * Check that if the server rejects the PSK we can still connect, but with
2657 * a full handshake
2658 */
2659 srvid = "Dummy Identity";
2660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2661 NULL, NULL))
2662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2663 SSL_ERROR_NONE))
2664 || !TEST_false(SSL_session_reused(clientssl))
2665 || !TEST_false(SSL_session_reused(serverssl)))
2666 goto end;
2667
2668 if (idx == 0 || idx == 1) {
2669 if (!TEST_true(use_session_cb_cnt == 1)
2670 || !TEST_true(find_session_cb_cnt == 1)
2671 || !TEST_true(psk_client_cb_cnt == 0)
2672 /*
2673 * If no old style callback then below should be 0
2674 * otherwise 1
2675 */
2676 || !TEST_true(psk_server_cb_cnt == idx))
2677 goto end;
2678 } else {
2679 if (!TEST_true(use_session_cb_cnt == 0)
2680 || !TEST_true(find_session_cb_cnt == 0)
2681 || !TEST_true(psk_client_cb_cnt == 1)
2682 || !TEST_true(psk_server_cb_cnt == 1))
2683 goto end;
2684 }
2685
2686 shutdown_ssl_connection(serverssl, clientssl);
2687 serverssl = clientssl = NULL;
2688 testresult = 1;
2689
2690 end:
2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
2694 SSL_free(serverssl);
2695 SSL_free(clientssl);
2696 SSL_CTX_free(sctx);
2697 SSL_CTX_free(cctx);
2698 return testresult;
2699 }
2700
2701 static unsigned char cookie_magic_value[] = "cookie magic";
2702
2703 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2704 unsigned int *cookie_len)
2705 {
2706 /*
2707 * Not suitable as a real cookie generation function but good enough for
2708 * testing!
2709 */
2710 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2711 *cookie_len = sizeof(cookie_magic_value) - 1;
2712
2713 return 1;
2714 }
2715
2716 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2717 unsigned int cookie_len)
2718 {
2719 if (cookie_len == sizeof(cookie_magic_value) - 1
2720 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2721 return 1;
2722
2723 return 0;
2724 }
2725
2726 static int test_stateless(void)
2727 {
2728 SSL_CTX *sctx = NULL, *cctx = NULL;
2729 SSL *serverssl = NULL, *clientssl = NULL;
2730 int testresult = 0;
2731
2732 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2733 TLS_client_method(), &sctx,
2734 &cctx, cert, privkey)))
2735 goto end;
2736
2737 /* Set up the cookie generation and verification callbacks */
2738 SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback);
2739 SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback);
2740
2741 /* The arrival of CCS messages can confuse the test */
2742 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2743
2744 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2745 NULL, NULL))
2746 /* Send the first ClientHello */
2747 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2748 SSL_ERROR_WANT_READ))
2749 /* This should fail because there is no cookie */
2750 || !TEST_false(SSL_stateless(serverssl)))
2751 goto end;
2752
2753 /* Abandon the connection from this client */
2754 SSL_free(clientssl);
2755 clientssl = NULL;
2756
2757 /*
2758 * Now create a connection from a new client but with the same server SSL
2759 * object
2760 */
2761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2762 NULL, NULL))
2763 /* Send the first ClientHello */
2764 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2765 SSL_ERROR_WANT_READ))
2766 /* This should fail because there is no cookie */
2767 || !TEST_false(SSL_stateless(serverssl))
2768 /* Send the second ClientHello */
2769 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2770 SSL_ERROR_WANT_READ))
2771 /* This should succeed because a cookie is now present */
2772 || !TEST_true(SSL_stateless(serverssl))
2773 /* Complete the connection */
2774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2775 SSL_ERROR_NONE)))
2776 goto end;
2777
2778 shutdown_ssl_connection(serverssl, clientssl);
2779 serverssl = clientssl = NULL;
2780 testresult = 1;
2781
2782 end:
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 SSL_CTX_free(sctx);
2786 SSL_CTX_free(cctx);
2787 return testresult;
2788
2789 }
2790 #endif /* OPENSSL_NO_TLS1_3 */
2791
2792 static int clntaddoldcb = 0;
2793 static int clntparseoldcb = 0;
2794 static int srvaddoldcb = 0;
2795 static int srvparseoldcb = 0;
2796 static int clntaddnewcb = 0;
2797 static int clntparsenewcb = 0;
2798 static int srvaddnewcb = 0;
2799 static int srvparsenewcb = 0;
2800 static int snicb = 0;
2801
2802 #define TEST_EXT_TYPE1 0xff00
2803
2804 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2805 size_t *outlen, int *al, void *add_arg)
2806 {
2807 int *server = (int *)add_arg;
2808 unsigned char *data;
2809
2810 if (SSL_is_server(s))
2811 srvaddoldcb++;
2812 else
2813 clntaddoldcb++;
2814
2815 if (*server != SSL_is_server(s)
2816 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2817 return -1;
2818
2819 *data = 1;
2820 *out = data;
2821 *outlen = sizeof(char);
2822 return 1;
2823 }
2824
2825 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2826 void *add_arg)
2827 {
2828 OPENSSL_free((unsigned char *)out);
2829 }
2830
2831 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2832 size_t inlen, int *al, void *parse_arg)
2833 {
2834 int *server = (int *)parse_arg;
2835
2836 if (SSL_is_server(s))
2837 srvparseoldcb++;
2838 else
2839 clntparseoldcb++;
2840
2841 if (*server != SSL_is_server(s)
2842 || inlen != sizeof(char)
2843 || *in != 1)
2844 return -1;
2845
2846 return 1;
2847 }
2848
2849 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2850 const unsigned char **out, size_t *outlen, X509 *x,
2851 size_t chainidx, int *al, void *add_arg)
2852 {
2853 int *server = (int *)add_arg;
2854 unsigned char *data;
2855
2856 if (SSL_is_server(s))
2857 srvaddnewcb++;
2858 else
2859 clntaddnewcb++;
2860
2861 if (*server != SSL_is_server(s)
2862 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2863 return -1;
2864
2865 *data = 1;
2866 *out = data;
2867 *outlen = sizeof(*data);
2868 return 1;
2869 }
2870
2871 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2872 const unsigned char *out, void *add_arg)
2873 {
2874 OPENSSL_free((unsigned char *)out);
2875 }
2876
2877 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2878 const unsigned char *in, size_t inlen, X509 *x,
2879 size_t chainidx, int *al, void *parse_arg)
2880 {
2881 int *server = (int *)parse_arg;
2882
2883 if (SSL_is_server(s))
2884 srvparsenewcb++;
2885 else
2886 clntparsenewcb++;
2887
2888 if (*server != SSL_is_server(s)
2889 || inlen != sizeof(char) || *in != 1)
2890 return -1;
2891
2892 return 1;
2893 }
2894
2895 static int sni_cb(SSL *s, int *al, void *arg)
2896 {
2897 SSL_CTX *ctx = (SSL_CTX *)arg;
2898
2899 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2900 *al = SSL_AD_INTERNAL_ERROR;
2901 return SSL_TLSEXT_ERR_ALERT_FATAL;
2902 }
2903 snicb++;
2904 return SSL_TLSEXT_ERR_OK;
2905 }
2906
2907 /*
2908 * Custom call back tests.
2909 * Test 0: Old style callbacks in TLSv1.2
2910 * Test 1: New style callbacks in TLSv1.2
2911 * Test 2: New style callbacks in TLSv1.2 with SNI
2912 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2913 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2914 */
2915 static int test_custom_exts(int tst)
2916 {
2917 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2918 SSL *clientssl = NULL, *serverssl = NULL;
2919 int testresult = 0;
2920 static int server = 1;
2921 static int client = 0;
2922 SSL_SESSION *sess = NULL;
2923 unsigned int context;
2924
2925 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2926 /* Skip tests for TLSv1.2 and below in this case */
2927 if (tst < 3)
2928 return 1;
2929 #endif
2930
2931 /* Reset callback counters */
2932 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2933 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2934 snicb = 0;
2935
2936 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2937 TLS_client_method(), &sctx,
2938 &cctx, cert, privkey)))
2939 goto end;
2940
2941 if (tst == 2
2942 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2943 NULL, cert, privkey)))
2944 goto end;
2945
2946
2947 if (tst < 3) {
2948 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2949 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2950 if (sctx2 != NULL)
2951 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2952 }
2953
2954 if (tst == 4) {
2955 context = SSL_EXT_CLIENT_HELLO
2956 | SSL_EXT_TLS1_2_SERVER_HELLO
2957 | SSL_EXT_TLS1_3_SERVER_HELLO
2958 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2959 | SSL_EXT_TLS1_3_CERTIFICATE
2960 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2961 } else {
2962 context = SSL_EXT_CLIENT_HELLO
2963 | SSL_EXT_TLS1_2_SERVER_HELLO
2964 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2965 }
2966
2967 /* Create a client side custom extension */
2968 if (tst == 0) {
2969 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2970 old_add_cb, old_free_cb,
2971 &client, old_parse_cb,
2972 &client)))
2973 goto end;
2974 } else {
2975 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2976 new_add_cb, new_free_cb,
2977 &client, new_parse_cb, &client)))
2978 goto end;
2979 }
2980
2981 /* Should not be able to add duplicates */
2982 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2983 old_add_cb, old_free_cb,
2984 &client, old_parse_cb,
2985 &client))
2986 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2987 context, new_add_cb,
2988 new_free_cb, &client,
2989 new_parse_cb, &client)))
2990 goto end;
2991
2992 /* Create a server side custom extension */
2993 if (tst == 0) {
2994 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2995 old_add_cb, old_free_cb,
2996 &server, old_parse_cb,
2997 &server)))
2998 goto end;
2999 } else {
3000 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3001 new_add_cb, new_free_cb,
3002 &server, new_parse_cb, &server)))
3003 goto end;
3004 if (sctx2 != NULL
3005 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3006 context, new_add_cb,
3007 new_free_cb, &server,
3008 new_parse_cb, &server)))
3009 goto end;
3010 }
3011
3012 /* Should not be able to add duplicates */
3013 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3014 old_add_cb, old_free_cb,
3015 &server, old_parse_cb,
3016 &server))
3017 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3018 context, new_add_cb,
3019 new_free_cb, &server,
3020 new_parse_cb, &server)))
3021 goto end;
3022
3023 if (tst == 2) {
3024 /* Set up SNI */
3025 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3026 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3027 goto end;
3028 }
3029
3030 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3031 &clientssl, NULL, NULL))
3032 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3033 SSL_ERROR_NONE)))
3034 goto end;
3035
3036 if (tst == 0) {
3037 if (clntaddoldcb != 1
3038 || clntparseoldcb != 1
3039 || srvaddoldcb != 1
3040 || srvparseoldcb != 1)
3041 goto end;
3042 } else if (tst == 1 || tst == 2 || tst == 3) {
3043 if (clntaddnewcb != 1
3044 || clntparsenewcb != 1
3045 || srvaddnewcb != 1
3046 || srvparsenewcb != 1
3047 || (tst != 2 && snicb != 0)
3048 || (tst == 2 && snicb != 1))
3049 goto end;
3050 } else {
3051 if (clntaddnewcb != 1
3052 || clntparsenewcb != 4
3053 || srvaddnewcb != 4
3054 || srvparsenewcb != 1)
3055 goto end;
3056 }
3057
3058 sess = SSL_get1_session(clientssl);
3059 SSL_shutdown(clientssl);
3060 SSL_shutdown(serverssl);
3061 SSL_free(serverssl);
3062 SSL_free(clientssl);
3063 serverssl = clientssl = NULL;
3064
3065 if (tst == 3) {
3066 /* We don't bother with the resumption aspects for this test */
3067 testresult = 1;
3068 goto end;
3069 }
3070
3071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3072 NULL, NULL))
3073 || !TEST_true(SSL_set_session(clientssl, sess))
3074 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3075 SSL_ERROR_NONE)))
3076 goto end;
3077
3078 /*
3079 * For a resumed session we expect to add the ClientHello extension. For the
3080 * old style callbacks we ignore it on the server side because they set
3081 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3082 * them.
3083 */
3084 if (tst == 0) {
3085 if (clntaddoldcb != 2
3086 || clntparseoldcb != 1
3087 || srvaddoldcb != 1
3088 || srvparseoldcb != 1)
3089 goto end;
3090 } else if (tst == 1 || tst == 2 || tst == 3) {
3091 if (clntaddnewcb != 2
3092 || clntparsenewcb != 2
3093 || srvaddnewcb != 2
3094 || srvparsenewcb != 2)
3095 goto end;
3096 } else {
3097 /* No Certificate message extensions in the resumption handshake */
3098 if (clntaddnewcb != 2
3099 || clntparsenewcb != 7
3100 || srvaddnewcb != 7
3101 || srvparsenewcb != 2)
3102 goto end;
3103 }
3104
3105 testresult = 1;
3106
3107 end:
3108 SSL_SESSION_free(sess);
3109 SSL_free(serverssl);
3110 SSL_free(clientssl);
3111 SSL_CTX_free(sctx2);
3112 SSL_CTX_free(sctx);
3113 SSL_CTX_free(cctx);
3114 return testresult;
3115 }
3116
3117 /*
3118 * Test loading of serverinfo data in various formats. test_sslmessages actually
3119 * tests to make sure the extensions appear in the handshake
3120 */
3121 static int test_serverinfo(int tst)
3122 {
3123 unsigned int version;
3124 unsigned char *sibuf;
3125 size_t sibuflen;
3126 int ret, expected, testresult = 0;
3127 SSL_CTX *ctx;
3128
3129 ctx = SSL_CTX_new(TLS_method());
3130 if (!TEST_ptr(ctx))
3131 goto end;
3132
3133 if ((tst & 0x01) == 0x01)
3134 version = SSL_SERVERINFOV2;
3135 else
3136 version = SSL_SERVERINFOV1;
3137
3138 if ((tst & 0x02) == 0x02) {
3139 sibuf = serverinfov2;
3140 sibuflen = sizeof(serverinfov2);
3141 expected = (version == SSL_SERVERINFOV2);
3142 } else {
3143 sibuf = serverinfov1;
3144 sibuflen = sizeof(serverinfov1);
3145 expected = (version == SSL_SERVERINFOV1);
3146 }
3147
3148 if ((tst & 0x04) == 0x04) {
3149 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3150 } else {
3151 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3152
3153 /*
3154 * The version variable is irrelevant in this case - it's what is in the
3155 * buffer that matters
3156 */
3157 if ((tst & 0x02) == 0x02)
3158 expected = 0;
3159 else
3160 expected = 1;
3161 }
3162
3163 if (!TEST_true(ret == expected))
3164 goto end;
3165
3166 testresult = 1;
3167
3168 end:
3169 SSL_CTX_free(ctx);
3170
3171 return testresult;
3172 }
3173
3174 /*
3175 * Test that SSL_export_keying_material() produces expected results. There are
3176 * no test vectors so all we do is test that both sides of the communication
3177 * produce the same results for different protocol versions.
3178 */
3179 static int test_export_key_mat(int tst)
3180 {
3181 int testresult = 0;
3182 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3183 SSL *clientssl = NULL, *serverssl = NULL;
3184 const char label[] = "test label";
3185 const unsigned char context[] = "context";
3186 const unsigned char *emptycontext = NULL;
3187 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3188 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3189 const int protocols[] = {
3190 TLS1_VERSION,
3191 TLS1_1_VERSION,
3192 TLS1_2_VERSION,
3193 TLS1_3_VERSION
3194 };
3195
3196 #ifdef OPENSSL_NO_TLS1
3197 if (tst == 0)
3198 return 1;
3199 #endif
3200 #ifdef OPENSSL_NO_TLS1_1
3201 if (tst == 1)
3202 return 1;
3203 #endif
3204 #ifdef OPENSSL_NO_TLS1_2
3205 if (tst == 2)
3206 return 1;
3207 #endif
3208 #ifdef OPENSSL_NO_TLS1_3
3209 if (tst == 3)
3210 return 1;
3211 #endif
3212 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3213 TLS_client_method(), &sctx,
3214 &cctx, cert, privkey)))
3215 goto end;
3216
3217 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3218 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3219 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3220
3221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3222 NULL))
3223 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3224 SSL_ERROR_NONE)))
3225 goto end;
3226
3227 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3228 sizeof(ckeymat1), label,
3229 sizeof(label) - 1, context,
3230 sizeof(context) - 1, 1), 1)
3231 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3232 sizeof(ckeymat2), label,
3233 sizeof(label) - 1,
3234 emptycontext,
3235 0, 1), 1)
3236 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3237 sizeof(ckeymat3), label,
3238 sizeof(label) - 1,
3239 NULL, 0, 0), 1)
3240 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3241 sizeof(skeymat1), label,
3242 sizeof(label) - 1,
3243 context,
3244 sizeof(context) -1, 1),
3245 1)
3246 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3247 sizeof(skeymat2), label,
3248 sizeof(label) - 1,
3249 emptycontext,
3250 0, 1), 1)
3251 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3252 sizeof(skeymat3), label,
3253 sizeof(label) - 1,
3254 NULL, 0, 0), 1)
3255 /*
3256 * Check that both sides created the same key material with the
3257 * same context.
3258 */
3259 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3260 sizeof(skeymat1))
3261 /*
3262 * Check that both sides created the same key material with an
3263 * empty context.
3264 */
3265 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3266 sizeof(skeymat2))
3267 /*
3268 * Check that both sides created the same key material without a
3269 * context.
3270 */
3271 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3272 sizeof(skeymat3))
3273 /* Different contexts should produce different results */
3274 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3275 sizeof(ckeymat2)))
3276 goto end;
3277
3278 /*
3279 * Check that an empty context and no context produce different results in
3280 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3281 */
3282 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3283 sizeof(ckeymat3)))
3284 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3285 sizeof(ckeymat3))))
3286 goto end;
3287
3288 testresult = 1;
3289
3290 end:
3291 SSL_free(serverssl);
3292 SSL_free(clientssl);
3293 SSL_CTX_free(sctx2);
3294 SSL_CTX_free(sctx);
3295 SSL_CTX_free(cctx);
3296
3297 return testresult;
3298 }
3299
3300 #ifndef OPENSSL_NO_TLS1_3
3301 /*
3302 * Test that SSL_export_keying_material_early() produces expected
3303 * results. There are no test vectors so all we do is test that both
3304 * sides of the communication produce the same results for different
3305 * protocol versions.
3306 */
3307 static int test_export_key_mat_early(int idx)
3308 {
3309 static const char label[] = "test label";
3310 static const unsigned char context[] = "context";
3311 int testresult = 0;
3312 SSL_CTX *cctx = NULL, *sctx = NULL;
3313 SSL *clientssl = NULL, *serverssl = NULL;
3314 SSL_SESSION *sess = NULL;
3315 const unsigned char *emptycontext = NULL;
3316 unsigned char ckeymat1[80], ckeymat2[80];
3317 unsigned char skeymat1[80], skeymat2[80];
3318 unsigned char buf[1];
3319 size_t readbytes, written;
3320
3321 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3322 &sess, idx)))
3323 goto end;
3324
3325 /* Here writing 0 length early data is enough. */
3326 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3327 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3328 &readbytes),
3329 SSL_READ_EARLY_DATA_ERROR)
3330 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3331 SSL_EARLY_DATA_ACCEPTED))
3332 goto end;
3333
3334 if (!TEST_int_eq(SSL_export_keying_material_early(
3335 clientssl, ckeymat1, sizeof(ckeymat1), label,
3336 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3337 || !TEST_int_eq(SSL_export_keying_material_early(
3338 clientssl, ckeymat2, sizeof(ckeymat2), label,
3339 sizeof(label) - 1, emptycontext, 0), 1)
3340 || !TEST_int_eq(SSL_export_keying_material_early(
3341 serverssl, skeymat1, sizeof(skeymat1), label,
3342 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3343 || !TEST_int_eq(SSL_export_keying_material_early(
3344 serverssl, skeymat2, sizeof(skeymat2), label,
3345 sizeof(label) - 1, emptycontext, 0), 1)
3346 /*
3347 * Check that both sides created the same key material with the
3348 * same context.
3349 */
3350 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3351 sizeof(skeymat1))
3352 /*
3353 * Check that both sides created the same key material with an
3354 * empty context.
3355 */
3356 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3357 sizeof(skeymat2))
3358 /* Different contexts should produce different results */
3359 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3360 sizeof(ckeymat2)))
3361 goto end;
3362
3363 testresult = 1;
3364
3365 end:
3366 if (sess != clientpsk)
3367 SSL_SESSION_free(sess);
3368 SSL_SESSION_free(clientpsk);
3369 SSL_SESSION_free(serverpsk);
3370 clientpsk = serverpsk = NULL;
3371 SSL_free(serverssl);
3372 SSL_free(clientssl);
3373 SSL_CTX_free(sctx);
3374 SSL_CTX_free(cctx);
3375
3376 return testresult;
3377 }
3378 #endif /* OPENSSL_NO_TLS1_3 */
3379
3380 static int test_ssl_clear(int idx)
3381 {
3382 SSL_CTX *cctx = NULL, *sctx = NULL;
3383 SSL *clientssl = NULL, *serverssl = NULL;
3384 int testresult = 0;
3385
3386 #ifdef OPENSSL_NO_TLS1_2
3387 if (idx == 1)
3388 return 1;
3389 #endif
3390
3391 /* Create an initial connection */
3392 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3393 TLS_client_method(), &sctx,
3394 &cctx, cert, privkey))
3395 || (idx == 1
3396 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3397 TLS1_2_VERSION)))
3398 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3399 &clientssl, NULL, NULL))
3400 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3401 SSL_ERROR_NONE)))
3402 goto end;
3403
3404 SSL_shutdown(clientssl);
3405 SSL_shutdown(serverssl);
3406 SSL_free(serverssl);
3407 serverssl = NULL;
3408
3409 /* Clear clientssl - we're going to reuse the object */
3410 if (!TEST_true(SSL_clear(clientssl)))
3411 goto end;
3412
3413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3414 NULL, NULL))
3415 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3416 SSL_ERROR_NONE))
3417 || !TEST_true(SSL_session_reused(clientssl)))
3418 goto end;
3419
3420 SSL_shutdown(clientssl);
3421 SSL_shutdown(serverssl);
3422
3423 testresult = 1;
3424
3425 end:
3426 SSL_free(serverssl);
3427 SSL_free(clientssl);
3428 SSL_CTX_free(sctx);
3429 SSL_CTX_free(cctx);
3430
3431 return testresult;
3432 }
3433
3434 /* Parse CH and retrieve any MFL extension value if present */
3435 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3436 {
3437 long len;
3438 unsigned char *data;
3439 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3440 unsigned int MFL_code = 0, type = 0;
3441
3442 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3443 goto end;
3444
3445 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3446 /* Skip the record header */
3447 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3448 /* Skip the handshake message header */
3449 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3450 /* Skip client version and random */
3451 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3452 + SSL3_RANDOM_SIZE))
3453 /* Skip session id */
3454 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3455 /* Skip ciphers */
3456 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3457 /* Skip compression */
3458 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3459 /* Extensions len */
3460 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3461 goto end;
3462
3463 /* Loop through all extensions */
3464 while (PACKET_remaining(&pkt2)) {
3465 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3466 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3467 goto end;
3468
3469 if (type == TLSEXT_TYPE_max_fragment_length) {
3470 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3471 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3472 goto end;
3473
3474 *mfl_codemfl_code = MFL_code;
3475 return 1;
3476 }
3477 }
3478
3479 end:
3480 return 0;
3481 }
3482
3483 /* Maximum-Fragment-Length TLS extension mode to test */
3484 static const unsigned char max_fragment_len_test[] = {
3485 TLSEXT_max_fragment_length_512,
3486 TLSEXT_max_fragment_length_1024,
3487 TLSEXT_max_fragment_length_2048,
3488 TLSEXT_max_fragment_length_4096
3489 };
3490
3491 static int test_max_fragment_len_ext(int idx_tst)
3492 {
3493 SSL_CTX *ctx;
3494 SSL *con = NULL;
3495 int testresult = 0, MFL_mode = 0;
3496 BIO *rbio, *wbio;
3497
3498 ctx = SSL_CTX_new(TLS_method());
3499 if (!TEST_ptr(ctx))
3500 goto end;
3501
3502 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3503 ctx, max_fragment_len_test[idx_tst])))
3504 goto end;
3505
3506 con = SSL_new(ctx);
3507 if (!TEST_ptr(con))
3508 goto end;
3509
3510 rbio = BIO_new(BIO_s_mem());
3511 wbio = BIO_new(BIO_s_mem());
3512 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3513 BIO_free(rbio);
3514 BIO_free(wbio);
3515 goto end;
3516 }
3517
3518 SSL_set_bio(con, rbio, wbio);
3519 SSL_set_connect_state(con);
3520
3521 if (!TEST_int_le(SSL_connect(con), 0)) {
3522 /* This shouldn't succeed because we don't have a server! */
3523 goto end;
3524 }
3525
3526 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3527 /* no MFL in client hello */
3528 goto end;
3529 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3530 goto end;
3531
3532 testresult = 1;
3533
3534 end:
3535 SSL_free(con);
3536 SSL_CTX_free(ctx);
3537
3538 return testresult;
3539 }
3540
3541 #ifndef OPENSSL_NO_TLS1_3
3542 static int test_pha_key_update(void)
3543 {
3544 SSL_CTX *cctx = NULL, *sctx = NULL;
3545 SSL *clientssl = NULL, *serverssl = NULL;
3546 int testresult = 0;
3547
3548 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3549 TLS_client_method(),
3550 &sctx, &cctx, cert, privkey)))
3551 return 0;
3552
3553 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3554 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3555 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3556 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3557 goto end;
3558
3559
3560 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3561 NULL, NULL)))
3562 goto end;
3563
3564 SSL_force_post_handshake_auth(clientssl);
3565
3566 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3567 SSL_ERROR_NONE)))
3568 goto end;
3569
3570 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3571 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3572 goto end;
3573
3574 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3575 goto end;
3576
3577 /* Start handshake on the server */
3578 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3579 goto end;
3580
3581 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3582 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3583 SSL_ERROR_NONE)))
3584 goto end;
3585
3586 SSL_shutdown(clientssl);
3587 SSL_shutdown(serverssl);
3588
3589 testresult = 1;
3590
3591 end:
3592 SSL_free(serverssl);
3593 SSL_free(clientssl);
3594 SSL_CTX_free(sctx);
3595 SSL_CTX_free(cctx);
3596 return testresult;
3597 }
3598 #endif
3599
3600 int setup_tests(void)
3601 {
3602 if (!TEST_ptr(cert = test_get_argument(0))
3603 || !TEST_ptr(privkey = test_get_argument(1)))
3604 return 0;
3605
3606 ADD_TEST(test_large_message_tls);
3607 ADD_TEST(test_large_message_tls_read_ahead);
3608 #ifndef OPENSSL_NO_DTLS
3609 ADD_TEST(test_large_message_dtls);
3610 #endif
3611 #ifndef OPENSSL_NO_OCSP
3612 ADD_TEST(test_tlsext_status_type);
3613 #endif
3614 ADD_TEST(test_session_with_only_int_cache);
3615 ADD_TEST(test_session_with_only_ext_cache);
3616 ADD_TEST(test_session_with_both_cache);
3617 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3618 ADD_TEST(test_ssl_bio_pop_next_bio);
3619 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3620 ADD_TEST(test_ssl_bio_change_rbio);
3621 ADD_TEST(test_ssl_bio_change_wbio);
3622 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
3623 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3624 ADD_TEST(test_keylog);
3625 #endif
3626 #ifndef OPENSSL_NO_TLS1_3
3627 ADD_TEST(test_keylog_no_master_key);
3628 #endif
3629 #ifndef OPENSSL_NO_TLS1_2
3630 ADD_TEST(test_client_hello_cb);
3631 #endif
3632 #ifndef OPENSSL_NO_TLS1_3
3633 ADD_ALL_TESTS(test_early_data_read_write, 3);
3634 ADD_ALL_TESTS(test_early_data_skip, 3);
3635 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3636 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3637 ADD_ALL_TESTS(test_early_data_psk, 8);
3638 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3639 # ifndef OPENSSL_NO_TLS1_2
3640 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3641 # endif
3642 #endif
3643 #ifndef OPENSSL_NO_TLS1_3
3644 ADD_TEST(test_ciphersuite_change);
3645 ADD_ALL_TESTS(test_tls13_psk, 3);
3646 ADD_ALL_TESTS(test_custom_exts, 5);
3647 ADD_TEST(test_stateless);
3648 ADD_TEST(test_pha_key_update);
3649 #else
3650 ADD_ALL_TESTS(test_custom_exts, 3);
3651 #endif
3652 ADD_ALL_TESTS(test_serverinfo, 8);
3653 ADD_ALL_TESTS(test_export_key_mat, 4);
3654 #ifndef OPENSSL_NO_TLS1_3
3655 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3656 #endif
3657 ADD_ALL_TESTS(test_ssl_clear, 2);
3658 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3659 return 1;
3660 }
3661
3662 void cleanup_tests(void)
3663 {
3664 bio_s_mempacket_test_free();
3665 }
A mirror of the official openssl repository