]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Test server side session caching
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17
18 #include "ssltestlib.h"
19 #include "testutil.h"
20 #include "e_os.h"
21 #include "../ssl/ssl_locl.h"
22
23 static char *cert = NULL;
24 static char *privkey = NULL;
25
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
32
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
37
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
40 #endif
41
42 #define NUM_EXTRA_CERTS 40
43
44 /*
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
47 */
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
55 };
56
57
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
62 };
63
64 static unsigned char serverinfov2[] = {
65 0x00, 0x00, 0x00,
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
70 };
71
72 static void client_keylog_callback(const SSL *ssl, const char *line)
73 {
74 int line_length = strlen(line);
75
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
80 return;
81 }
82
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
86 }
87
88 static void server_keylog_callback(const SSL *ssl, const char *line)
89 {
90 int line_length = strlen(line);
91
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server og too full");
95 error_writing_log = 1;
96 return;
97 }
98
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
102 }
103
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
105 size_t hex_length,
106 const uint8_t *raw,
107 size_t raw_length)
108 {
109 size_t i, j;
110 char hexed[3];
111
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
113 return 1;
114
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
119 return 1;
120 }
121
122 return 0;
123 }
124
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
128 {
129 char *token = NULL;
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
140
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
144 /*
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
147 * secret.
148 */
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
150 return 0;
151 if (!TEST_size_t_eq(strlen(token), 16))
152 return 0;
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
154 return 0;
155 /*
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
159 */
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
162 /*
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
165 */
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
168 SSL3_RANDOM_SIZE);
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
170 return 0;
171
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
173 return 0;
174 if (!TEST_size_t_eq(strlen(token), 64))
175 return 0;
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
179 return 0;
180
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 return 0;
183 master_key_size = SSL_SESSION_get_master_key(session,
184 actual_master_key,
185 master_key_size);
186 if (!TEST_size_t_ne(master_key_size, 0))
187 return 0;
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
189 actual_master_key,
190 master_key_size)))
191 return 0;
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
197 /*
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
202 */
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
211
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
214 SSL3_RANDOM_SIZE);
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
216 return 0;
217
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
219 return 0;
220 if (!TEST_size_t_eq(strlen(token), 64))
221 return 0;
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
225 return 0;
226
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 return 0;
229
230 /*
231 * TODO(TLS1.3): test that application traffic secrets are what
232 * we expect */
233 } else {
234 TEST_info("Unexpected token %s\n", token);
235 return 0;
236 }
237 }
238
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
252 return 0;
253 return 1;
254 }
255
256 static int test_keylog(void)
257 {
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
260 int testresult = 0;
261 struct sslapitest_log_counts expected = {0};
262
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
269
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
271 TLS_client_method(),
272 &sctx, &cctx, cert, privkey)))
273 return 0;
274
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
278
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
281 goto end;
282
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
285 goto end;
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
289 goto end;
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
293 goto end;
294
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
299 SSL_ERROR_NONE))
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
303 goto end;
304
305 /*
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
310 */
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
315 goto end;
316
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
320 goto end;
321
322 testresult = 1;
323
324 end:
325 SSL_free(serverssl);
326 SSL_free(clientssl);
327 SSL_CTX_free(sctx);
328 SSL_CTX_free(cctx);
329
330 return testresult;
331 }
332
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
335 {
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
338 int testresult = 0;
339 struct sslapitest_log_counts expected = {0};
340
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
347
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
351 return 0;
352
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
355 goto end;
356
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
360 goto end;
361
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
365 goto end;
366
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
371 SSL_ERROR_NONE))
372 || !TEST_false(error_writing_log))
373 goto end;
374
375 /*
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
379 */
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
388 &expected)))
389 goto end;
390
391 testresult = 1;
392
393 end:
394 SSL_free(serverssl);
395 SSL_free(clientssl);
396 SSL_CTX_free(sctx);
397 SSL_CTX_free(cctx);
398
399 return testresult;
400 }
401 #endif
402
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_early_callback(SSL *s, int *al, void *arg)
405 {
406 int *ctr = arg;
407 const unsigned char *p;
408 int *exts;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
410 #ifdef OPENSSL_NO_EC
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
412 #else
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
414 0x2c, 0x00, 0xff};
415 #endif
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
418 11, 10,
419 #endif
420 35, 13, 22, 23};
421 size_t len;
422
423 /* Make sure we can defer processing and get called back. */
424 if ((*ctr)++ == 0)
425 return -1;
426
427 len = SSL_early_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
430 || !TEST_int_eq(*p, 0))
431 return 0;
432 if (!SSL_early_get1_extensions_present(s, &exts, &len))
433 return 0;
434 if (len != OSSL_NELEM(expected_extensions) ||
435 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
436 printf("Early callback expected ClientHello extensions mismatch\n");
437 OPENSSL_free(exts);
438 return 0;
439 }
440 OPENSSL_free(exts);
441 return 1;
442 }
443
444 static int test_early_cb(void)
445 {
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 int testctr = 0, testresult = 0;
449
450 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
451 TLS_client_method(), &sctx,
452 &cctx, cert, privkey)))
453 goto end;
454 SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
455
456 /* The gimpy cipher list we configure can't do TLS 1.3. */
457 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
458
459 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
460 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
464 SSL_ERROR_WANT_EARLY))
465 /*
466 * Passing a -1 literal is a hack since
467 * the real value was lost.
468 * */
469 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
471 SSL_ERROR_NONE)))
472 goto end;
473
474 testresult = 1;
475
476 end:
477 SSL_free(serverssl);
478 SSL_free(clientssl);
479 SSL_CTX_free(sctx);
480 SSL_CTX_free(cctx);
481
482 return testresult;
483 }
484 #endif
485
486 static int execute_test_large_message(const SSL_METHOD *smeth,
487 const SSL_METHOD *cmeth, int read_ahead)
488 {
489 SSL_CTX *cctx = NULL, *sctx = NULL;
490 SSL *clientssl = NULL, *serverssl = NULL;
491 int testresult = 0;
492 int i;
493 BIO *certbio = NULL;
494 X509 *chaincert = NULL;
495 int certlen;
496
497 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
498 goto end;
499 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
500 BIO_free(certbio);
501 certbio = NULL;
502 if (!TEST_ptr(chaincert))
503 goto end;
504
505 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
506 &cctx, cert, privkey)))
507 goto end;
508
509 if (read_ahead) {
510 /*
511 * Test that read_ahead works correctly when dealing with large
512 * records
513 */
514 SSL_CTX_set_read_ahead(cctx, 1);
515 }
516
517 /*
518 * We assume the supplied certificate is big enough so that if we add
519 * NUM_EXTRA_CERTS it will make the overall message large enough. The
520 * default buffer size is requested to be 16k, but due to the way BUF_MEM
521 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
522 * test we need to have a message larger than that.
523 */
524 certlen = i2d_X509(chaincert, NULL);
525 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
526 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
527 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
528 if (!X509_up_ref(chaincert))
529 goto end;
530 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
531 X509_free(chaincert);
532 goto end;
533 }
534 }
535
536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
537 NULL, NULL))
538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
539 SSL_ERROR_NONE)))
540 goto end;
541
542 /*
543 * Calling SSL_clear() first is not required but this tests that SSL_clear()
544 * doesn't leak (when using enable-crypto-mdebug).
545 */
546 if (!TEST_true(SSL_clear(serverssl)))
547 goto end;
548
549 testresult = 1;
550 end:
551 X509_free(chaincert);
552 SSL_free(serverssl);
553 SSL_free(clientssl);
554 SSL_CTX_free(sctx);
555 SSL_CTX_free(cctx);
556
557 return testresult;
558 }
559
560 static int test_large_message_tls(void)
561 {
562 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
563 0);
564 }
565
566 static int test_large_message_tls_read_ahead(void)
567 {
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
569 1);
570 }
571
572 #ifndef OPENSSL_NO_DTLS
573 static int test_large_message_dtls(void)
574 {
575 /*
576 * read_ahead is not relevant to DTLS because DTLS always acts as if
577 * read_ahead is set.
578 */
579 return execute_test_large_message(DTLS_server_method(),
580 DTLS_client_method(), 0);
581 }
582 #endif
583
584 #ifndef OPENSSL_NO_OCSP
585 static int ocsp_server_cb(SSL *s, void *arg)
586 {
587 int *argi = (int *)arg;
588 unsigned char *copy = NULL;
589 STACK_OF(OCSP_RESPID) *ids = NULL;
590 OCSP_RESPID *id = NULL;
591
592 if (*argi == 2) {
593 /* In this test we are expecting exactly 1 OCSP_RESPID */
594 SSL_get_tlsext_status_ids(s, &ids);
595 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
596 return SSL_TLSEXT_ERR_ALERT_FATAL;
597
598 id = sk_OCSP_RESPID_value(ids, 0);
599 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
600 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 } else if (*argi != 1) {
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 }
604
605 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607
608 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
609 ocsp_server_called = 1;
610 return SSL_TLSEXT_ERR_OK;
611 }
612
613 static int ocsp_client_cb(SSL *s, void *arg)
614 {
615 int *argi = (int *)arg;
616 const unsigned char *respderin;
617 size_t len;
618
619 if (*argi != 1 && *argi != 2)
620 return 0;
621
622 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
623 if (!TEST_mem_eq(orespder, len, respderin, len))
624 return 0;
625
626 ocsp_client_called = 1;
627 return 1;
628 }
629
630 static int test_tlsext_status_type(void)
631 {
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
634 int testresult = 0;
635 STACK_OF(OCSP_RESPID) *ids = NULL;
636 OCSP_RESPID *id = NULL;
637 BIO *certbio = NULL;
638
639 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
640 &cctx, cert, privkey))
641 return 0;
642
643 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
644 goto end;
645
646 /* First just do various checks getting and setting tlsext_status_type */
647
648 clientssl = SSL_new(cctx);
649 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
650 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
651 TLSEXT_STATUSTYPE_ocsp))
652 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
653 TLSEXT_STATUSTYPE_ocsp))
654 goto end;
655
656 SSL_free(clientssl);
657 clientssl = NULL;
658
659 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
660 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
661 goto end;
662
663 clientssl = SSL_new(cctx);
664 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
665 goto end;
666 SSL_free(clientssl);
667 clientssl = NULL;
668
669 /*
670 * Now actually do a handshake and check OCSP information is exchanged and
671 * the callbacks get called
672 */
673 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
674 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
675 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
676 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
678 &clientssl, NULL, NULL))
679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
680 SSL_ERROR_NONE))
681 || !TEST_true(ocsp_client_called)
682 || !TEST_true(ocsp_server_called))
683 goto end;
684 SSL_free(serverssl);
685 SSL_free(clientssl);
686 serverssl = NULL;
687 clientssl = NULL;
688
689 /* Try again but this time force the server side callback to fail */
690 ocsp_client_called = 0;
691 ocsp_server_called = 0;
692 cdummyarg = 0;
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
694 &clientssl, NULL, NULL))
695 /* This should fail because the callback will fail */
696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
697 SSL_ERROR_NONE))
698 || !TEST_false(ocsp_client_called)
699 || !TEST_false(ocsp_server_called))
700 goto end;
701 SSL_free(serverssl);
702 SSL_free(clientssl);
703 serverssl = NULL;
704 clientssl = NULL;
705
706 /*
707 * This time we'll get the client to send an OCSP_RESPID that it will
708 * accept.
709 */
710 ocsp_client_called = 0;
711 ocsp_server_called = 0;
712 cdummyarg = 2;
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
714 &clientssl, NULL, NULL)))
715 goto end;
716
717 /*
718 * We'll just use any old cert for this test - it doesn't have to be an OCSP
719 * specific one. We'll use the server cert.
720 */
721 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
722 || !TEST_ptr(id = OCSP_RESPID_new())
723 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
724 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
725 NULL, NULL, NULL))
726 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
727 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
728 goto end;
729 id = NULL;
730 SSL_set_tlsext_status_ids(clientssl, ids);
731 /* Control has been transferred */
732 ids = NULL;
733
734 BIO_free(certbio);
735 certbio = NULL;
736
737 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
738 SSL_ERROR_NONE))
739 || !TEST_true(ocsp_client_called)
740 || !TEST_true(ocsp_server_called))
741 goto end;
742
743 testresult = 1;
744
745 end:
746 SSL_free(serverssl);
747 SSL_free(clientssl);
748 SSL_CTX_free(sctx);
749 SSL_CTX_free(cctx);
750 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
751 OCSP_RESPID_free(id);
752 BIO_free(certbio);
753 X509_free(ocspcert);
754 ocspcert = NULL;
755
756 return testresult;
757 }
758 #endif
759
760 static int new_called = 0, remove_called = 0;
761
762 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
763 {
764 new_called++;
765 /*
766 * sess has been up-refed for us, but we don't actually need it so free it
767 * immediately.
768 */
769 SSL_SESSION_free(sess);
770 return 1;
771 }
772
773 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
774 {
775 remove_called++;
776 }
777
778 static SSL_SESSION *get_sess_val = NULL;
779
780 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
781 int *copy)
782 {
783 *copy = 1;
784 return get_sess_val;
785 }
786
787
788 static int execute_test_session(int maxprot, int use_int_cache,
789 int use_ext_cache)
790 {
791 SSL_CTX *sctx = NULL, *cctx = NULL;
792 SSL *serverssl1 = NULL, *clientssl1 = NULL;
793 SSL *serverssl2 = NULL, *clientssl2 = NULL;
794 #ifndef OPENSSL_NO_TLS1_1
795 SSL *serverssl3 = NULL, *clientssl3 = NULL;
796 #endif
797 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
798 int testresult = 0;
799
800 new_called = remove_called = 0;
801
802 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
803 TLS_client_method(), &sctx,
804 &cctx, cert, privkey)))
805 return 0;
806
807 /*
808 * Only allow the max protocol version so we can force a connection failure
809 * later
810 */
811 SSL_CTX_set_min_proto_version(cctx, maxprot);
812 SSL_CTX_set_max_proto_version(cctx, maxprot);
813
814 /* Set up session cache */
815 if (use_ext_cache) {
816 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
817 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
818 }
819 if (use_int_cache) {
820 /* Also covers instance where both are set */
821 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
822 } else {
823 SSL_CTX_set_session_cache_mode(cctx,
824 SSL_SESS_CACHE_CLIENT
825 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
826 }
827
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
829 NULL, NULL))
830 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
831 SSL_ERROR_NONE))
832 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
833 goto end;
834
835 /* Should fail because it should already be in the cache */
836 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
837 goto end;
838 if (use_ext_cache
839 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
840 goto end;
841
842 new_called = remove_called = 0;
843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
844 &clientssl2, NULL, NULL))
845 || !TEST_true(SSL_set_session(clientssl2, sess1))
846 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
847 SSL_ERROR_NONE))
848 || !TEST_true(SSL_session_reused(clientssl2)))
849 goto end;
850
851 if (maxprot == TLS1_3_VERSION) {
852 /*
853 * In TLSv1.3 we should have created a new session even though we have
854 * resumed. The original session should also have been removed.
855 */
856 if (use_ext_cache
857 && (!TEST_int_eq(new_called, 1)
858 || !TEST_int_eq(remove_called, 1)))
859 goto end;
860 } else {
861 /*
862 * In TLSv1.2 we expect to have resumed so no sessions added or
863 * removed.
864 */
865 if (use_ext_cache
866 && (!TEST_int_eq(new_called, 0)
867 || !TEST_int_eq(remove_called, 0)))
868 goto end;
869 }
870
871 SSL_SESSION_free(sess1);
872 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
873 goto end;
874 shutdown_ssl_connection(serverssl2, clientssl2);
875 serverssl2 = clientssl2 = NULL;
876
877 new_called = remove_called = 0;
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
879 &clientssl2, NULL, NULL))
880 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
881 SSL_ERROR_NONE)))
882 goto end;
883
884 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
885 goto end;
886
887 if (use_ext_cache
888 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
889 goto end;
890
891 new_called = remove_called = 0;
892 /*
893 * This should clear sess2 from the cache because it is a "bad" session.
894 * See SSL_set_session() documentation.
895 */
896 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
897 goto end;
898 if (use_ext_cache
899 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
900 goto end;
901 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
902 goto end;
903
904 if (use_int_cache) {
905 /* Should succeeded because it should not already be in the cache */
906 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
907 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
908 goto end;
909 }
910
911 new_called = remove_called = 0;
912 /* This shouldn't be in the cache so should fail */
913 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
914 goto end;
915
916 if (use_ext_cache
917 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
918 goto end;
919
920 #if !defined(OPENSSL_NO_TLS1_1)
921 new_called = remove_called = 0;
922 /* Force a connection failure */
923 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
925 &clientssl3, NULL, NULL))
926 || !TEST_true(SSL_set_session(clientssl3, sess1))
927 /* This should fail because of the mismatched protocol versions */
928 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
929 SSL_ERROR_NONE)))
930 goto end;
931
932 /* We should have automatically removed the session from the cache */
933 if (use_ext_cache
934 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
935 goto end;
936
937 /* Should succeed because it should not already be in the cache */
938 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
939 goto end;
940 #endif
941
942 /* Now do some tests for server side caching */
943 if (use_ext_cache) {
944 SSL_CTX_sess_set_new_cb(cctx, NULL);
945 SSL_CTX_sess_set_remove_cb(cctx, NULL);
946 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
947 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
948 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
949 get_sess_val = NULL;
950 }
951
952 SSL_CTX_set_session_cache_mode(cctx, 0);
953 /* Internal caching is the default on the server side */
954 if (!use_int_cache)
955 SSL_CTX_set_session_cache_mode(sctx,
956 SSL_SESS_CACHE_SERVER
957 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
958
959 SSL_free(serverssl1);
960 SSL_free(clientssl1);
961 serverssl1 = clientssl1 = NULL;
962 SSL_free(serverssl2);
963 SSL_free(clientssl2);
964 serverssl2 = clientssl2 = NULL;
965 SSL_SESSION_free(sess1);
966 sess1 = NULL;
967 SSL_SESSION_free(sess2);
968 sess2 = NULL;
969
970 SSL_CTX_set_max_proto_version(sctx, maxprot);
971 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
972 new_called = remove_called = 0;
973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
974 NULL, NULL))
975 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
976 SSL_ERROR_NONE))
977 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
978 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
979 goto end;
980
981 /* Should fail because it should already be in the cache */
982 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
983 goto end;
984
985 if (use_ext_cache) {
986 SSL_SESSION *tmp = sess2;
987
988 if (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0))
989 goto end;
990 /*
991 * Delete the session from the internal cache to force a lookup from
992 * the external cache. We take a copy first because
993 * SSL_CTX_remove_session() also marks the session as non-resumable.
994 */
995 if (use_int_cache
996 && (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
997 || !TEST_true(SSL_CTX_remove_session(sctx, sess2))))
998 goto end;
999 sess2 = tmp;
1000 }
1001
1002 new_called = remove_called = 0;
1003 get_sess_val = sess2;
1004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1005 &clientssl2, NULL, NULL))
1006 || !TEST_true(SSL_set_session(clientssl2, sess1))
1007 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1008 SSL_ERROR_NONE))
1009 || !TEST_true(SSL_session_reused(clientssl2)))
1010 goto end;
1011
1012 if (use_ext_cache
1013 && (!TEST_int_eq(new_called, 0)
1014 || !TEST_int_eq(remove_called, 0)))
1015 goto end;
1016
1017 testresult = 1;
1018
1019 end:
1020 SSL_free(serverssl1);
1021 SSL_free(clientssl1);
1022 SSL_free(serverssl2);
1023 SSL_free(clientssl2);
1024 #ifndef OPENSSL_NO_TLS1_1
1025 SSL_free(serverssl3);
1026 SSL_free(clientssl3);
1027 #endif
1028 SSL_SESSION_free(sess1);
1029 SSL_SESSION_free(sess2);
1030 SSL_CTX_free(sctx);
1031 SSL_CTX_free(cctx);
1032
1033 return testresult;
1034 }
1035
1036 static int test_session_with_only_int_cache(void)
1037 {
1038 #ifndef OPENSSL_NO_TLS1_3
1039 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1040 return 0;
1041 #endif
1042
1043 #ifndef OPENSSL_NO_TLS1_2
1044 return execute_test_session(TLS1_2_VERSION, 1, 0);
1045 #else
1046 return 1;
1047 #endif
1048 }
1049
1050 static int test_session_with_only_ext_cache(void)
1051 {
1052 #ifndef OPENSSL_NO_TLS1_3
1053 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1054 return 0;
1055 #endif
1056
1057 #ifndef OPENSSL_NO_TLS1_2
1058 return execute_test_session(TLS1_2_VERSION, 0, 1);
1059 #else
1060 return 1;
1061 #endif
1062 }
1063
1064 static int test_session_with_both_cache(void)
1065 {
1066 #ifndef OPENSSL_NO_TLS1_3
1067 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1068 return 0;
1069 #endif
1070
1071 #ifndef OPENSSL_NO_TLS1_2
1072 return execute_test_session(TLS1_2_VERSION, 1, 1);
1073 #else
1074 return 1;
1075 #endif
1076 }
1077
1078 #define USE_NULL 0
1079 #define USE_BIO_1 1
1080 #define USE_BIO_2 2
1081
1082 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1083
1084 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1085 {
1086 switch (type) {
1087 case USE_NULL:
1088 *res = NULL;
1089 break;
1090 case USE_BIO_1:
1091 *res = bio1;
1092 break;
1093 case USE_BIO_2:
1094 *res = bio2;
1095 break;
1096 }
1097 }
1098
1099 static int test_ssl_set_bio(int idx)
1100 {
1101 SSL_CTX *ctx;
1102 BIO *bio1 = NULL;
1103 BIO *bio2 = NULL;
1104 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1105 SSL *ssl = NULL;
1106 int initrbio, initwbio, newrbio, newwbio;
1107 int testresult = 0;
1108
1109 initrbio = idx % 3;
1110 idx /= 3;
1111 initwbio = idx % 3;
1112 idx /= 3;
1113 newrbio = idx % 3;
1114 idx /= 3;
1115 newwbio = idx;
1116 if (!TEST_int_le(newwbio, 2))
1117 return 0;
1118
1119 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1120 || !TEST_ptr(ssl = SSL_new(ctx)))
1121 goto end;
1122
1123 if (initrbio == USE_BIO_1
1124 || initwbio == USE_BIO_1
1125 || newrbio == USE_BIO_1
1126 || newwbio == USE_BIO_1) {
1127 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1128 goto end;
1129 }
1130
1131 if (initrbio == USE_BIO_2
1132 || initwbio == USE_BIO_2
1133 || newrbio == USE_BIO_2
1134 || newwbio == USE_BIO_2) {
1135 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1136 goto end;
1137 }
1138
1139 setupbio(&irbio, bio1, bio2, initrbio);
1140 setupbio(&iwbio, bio1, bio2, initwbio);
1141
1142 /*
1143 * We want to maintain our own refs to these BIO, so do an up ref for each
1144 * BIO that will have ownership transferred in the SSL_set_bio() call
1145 */
1146 if (irbio != NULL)
1147 BIO_up_ref(irbio);
1148 if (iwbio != NULL && iwbio != irbio)
1149 BIO_up_ref(iwbio);
1150
1151 SSL_set_bio(ssl, irbio, iwbio);
1152
1153 setupbio(&nrbio, bio1, bio2, newrbio);
1154 setupbio(&nwbio, bio1, bio2, newwbio);
1155
1156 /*
1157 * We will (maybe) transfer ownership again so do more up refs.
1158 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1159 * already been set!
1160 */
1161 if (nrbio != NULL
1162 && nrbio != irbio
1163 && (nwbio != iwbio || nrbio != nwbio))
1164 BIO_up_ref(nrbio);
1165 if (nwbio != NULL
1166 && nwbio != nrbio
1167 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1168 BIO_up_ref(nwbio);
1169
1170 SSL_set_bio(ssl, nrbio, nwbio);
1171
1172 testresult = 1;
1173
1174 end:
1175 SSL_free(ssl);
1176 BIO_free(bio1);
1177 BIO_free(bio2);
1178
1179 /*
1180 * This test is checking that the ref counting for SSL_set_bio is correct.
1181 * If we get here and we did too many frees then we will fail in the above
1182 * functions. If we haven't done enough then this will only be detected in
1183 * a crypto-mdebug build
1184 */
1185 SSL_CTX_free(ctx);
1186 return testresult;
1187 }
1188
1189 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1190
1191 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1192 {
1193 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1194 SSL_CTX *ctx;
1195 SSL *ssl = NULL;
1196 int testresult = 0;
1197
1198 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1199 || !TEST_ptr(ssl = SSL_new(ctx))
1200 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1201 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1202 goto end;
1203
1204 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1205
1206 /*
1207 * If anything goes wrong here then we could leak memory, so this will
1208 * be caught in a crypto-mdebug build
1209 */
1210 BIO_push(sslbio, membio1);
1211
1212 /* Verify changing the rbio/wbio directly does not cause leaks */
1213 if (change_bio != NO_BIO_CHANGE) {
1214 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1215 goto end;
1216 if (change_bio == CHANGE_RBIO)
1217 SSL_set0_rbio(ssl, membio2);
1218 else
1219 SSL_set0_wbio(ssl, membio2);
1220 }
1221 ssl = NULL;
1222
1223 if (pop_ssl)
1224 BIO_pop(sslbio);
1225 else
1226 BIO_pop(membio1);
1227
1228 testresult = 1;
1229 end:
1230 BIO_free(membio1);
1231 BIO_free(sslbio);
1232 SSL_free(ssl);
1233 SSL_CTX_free(ctx);
1234
1235 return testresult;
1236 }
1237
1238 static int test_ssl_bio_pop_next_bio(void)
1239 {
1240 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1241 }
1242
1243 static int test_ssl_bio_pop_ssl_bio(void)
1244 {
1245 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1246 }
1247
1248 static int test_ssl_bio_change_rbio(void)
1249 {
1250 return execute_test_ssl_bio(0, CHANGE_RBIO);
1251 }
1252
1253 static int test_ssl_bio_change_wbio(void)
1254 {
1255 return execute_test_ssl_bio(0, CHANGE_WBIO);
1256 }
1257
1258 typedef struct {
1259 /* The list of sig algs */
1260 const int *list;
1261 /* The length of the list */
1262 size_t listlen;
1263 /* A sigalgs list in string format */
1264 const char *liststr;
1265 /* Whether setting the list should succeed */
1266 int valid;
1267 /* Whether creating a connection with the list should succeed */
1268 int connsuccess;
1269 } sigalgs_list;
1270
1271 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1272 #ifndef OPENSSL_NO_EC
1273 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1274 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1275 #endif
1276 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1277 static const int invalidlist2[] = {NID_sha256, NID_undef};
1278 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1279 static const int invalidlist4[] = {NID_sha256};
1280 static const sigalgs_list testsigalgs[] = {
1281 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1282 #ifndef OPENSSL_NO_EC
1283 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1284 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1285 #endif
1286 {NULL, 0, "RSA+SHA256", 1, 1},
1287 #ifndef OPENSSL_NO_EC
1288 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1289 {NULL, 0, "ECDSA+SHA512", 1, 0},
1290 #endif
1291 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1292 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1293 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1294 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1295 {NULL, 0, "RSA", 0, 0},
1296 {NULL, 0, "SHA256", 0, 0},
1297 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1298 {NULL, 0, "Invalid", 0, 0}
1299 };
1300
1301 static int test_set_sigalgs(int idx)
1302 {
1303 SSL_CTX *cctx = NULL, *sctx = NULL;
1304 SSL *clientssl = NULL, *serverssl = NULL;
1305 int testresult = 0;
1306 const sigalgs_list *curr;
1307 int testctx;
1308
1309 /* Should never happen */
1310 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1311 return 0;
1312
1313 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1314 curr = testctx ? &testsigalgs[idx]
1315 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1316
1317 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1318 TLS_client_method(), &sctx,
1319 &cctx, cert, privkey)))
1320 return 0;
1321
1322 /*
1323 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1324 * for TLSv1.2 for now until we add a new API.
1325 */
1326 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1327
1328 if (testctx) {
1329 int ret;
1330
1331 if (curr->list != NULL)
1332 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1333 else
1334 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1335
1336 if (!ret) {
1337 if (curr->valid)
1338 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1339 else
1340 testresult = 1;
1341 goto end;
1342 }
1343 if (!curr->valid) {
1344 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1345 goto end;
1346 }
1347 }
1348
1349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1350 &clientssl, NULL, NULL)))
1351 goto end;
1352
1353 if (!testctx) {
1354 int ret;
1355
1356 if (curr->list != NULL)
1357 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1358 else
1359 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1360 if (!ret) {
1361 if (curr->valid)
1362 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1363 else
1364 testresult = 1;
1365 goto end;
1366 }
1367 if (!curr->valid)
1368 goto end;
1369 }
1370
1371 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1372 SSL_ERROR_NONE),
1373 curr->connsuccess))
1374 goto end;
1375
1376 testresult = 1;
1377
1378 end:
1379 SSL_free(serverssl);
1380 SSL_free(clientssl);
1381 SSL_CTX_free(sctx);
1382 SSL_CTX_free(cctx);
1383
1384 return testresult;
1385 }
1386
1387 #ifndef OPENSSL_NO_TLS1_3
1388
1389 #define MSG1 "Hello"
1390 #define MSG2 "World."
1391 #define MSG3 "This"
1392 #define MSG4 "is"
1393 #define MSG5 "a"
1394 #define MSG6 "test"
1395 #define MSG7 "message."
1396
1397 /*
1398 * Helper method to setup objects for early data test. Caller frees objects on
1399 * error.
1400 */
1401 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1402 SSL **serverssl, SSL_SESSION **sess, int idx)
1403 {
1404 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1405 TLS_client_method(), sctx,
1406 cctx, cert, privkey)))
1407 return 0;
1408
1409 /* When idx == 1 we repeat the tests with read_ahead set */
1410 if (idx > 0) {
1411 SSL_CTX_set_read_ahead(*cctx, 1);
1412 SSL_CTX_set_read_ahead(*sctx, 1);
1413 }
1414
1415 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1416 NULL, NULL))
1417 || !TEST_true(create_ssl_connection(*serverssl, *clientssl,
1418 SSL_ERROR_NONE)))
1419 return 0;
1420
1421 *sess = SSL_get1_session(*clientssl);
1422 SSL_shutdown(*clientssl);
1423 SSL_shutdown(*serverssl);
1424 SSL_free(*serverssl);
1425 SSL_free(*clientssl);
1426 *serverssl = *clientssl = NULL;
1427
1428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1429 clientssl, NULL, NULL))
1430 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1431 return 0;
1432
1433 return 1;
1434 }
1435
1436 static int test_early_data_read_write(int idx)
1437 {
1438 SSL_CTX *cctx = NULL, *sctx = NULL;
1439 SSL *clientssl = NULL, *serverssl = NULL;
1440 int testresult = 0;
1441 SSL_SESSION *sess = NULL;
1442 unsigned char buf[20], data[1024];
1443 size_t readbytes, written, eoedlen, rawread, rawwritten;
1444 BIO *rbio;
1445
1446 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1447 &serverssl, &sess, idx)))
1448 goto end;
1449
1450 /* Write and read some early data */
1451 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1452 &written))
1453 || !TEST_size_t_eq(written, strlen(MSG1))
1454 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1455 sizeof(buf), &readbytes),
1456 SSL_READ_EARLY_DATA_SUCCESS)
1457 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1458 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1459 SSL_EARLY_DATA_ACCEPTED))
1460 goto end;
1461
1462 /*
1463 * Server should be able to write data, and client should be able to
1464 * read it.
1465 */
1466 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1467 &written))
1468 || !TEST_size_t_eq(written, strlen(MSG2))
1469 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1470 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1471 goto end;
1472
1473 /* Even after reading normal data, client should be able write early data */
1474 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1475 &written))
1476 || !TEST_size_t_eq(written, strlen(MSG3)))
1477 goto end;
1478
1479 /* Server should still be able read early data after writing data */
1480 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1481 &readbytes),
1482 SSL_READ_EARLY_DATA_SUCCESS)
1483 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1484 goto end;
1485
1486 /* Write more data from server and read it from client */
1487 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1488 &written))
1489 || !TEST_size_t_eq(written, strlen(MSG4))
1490 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1491 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1492 goto end;
1493
1494 /*
1495 * If client writes normal data it should mean writing early data is no
1496 * longer possible.
1497 */
1498 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1499 || !TEST_size_t_eq(written, strlen(MSG5))
1500 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1501 SSL_EARLY_DATA_ACCEPTED))
1502 goto end;
1503
1504 /*
1505 * At this point the client has written EndOfEarlyData, ClientFinished and
1506 * normal (fully protected) data. We are going to cause a delay between the
1507 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1508 * in the read BIO, and then just put back the EndOfEarlyData message.
1509 */
1510 rbio = SSL_get_rbio(serverssl);
1511 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1512 || !TEST_size_t_lt(rawread, sizeof(data))
1513 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1514 goto end;
1515
1516 /* Record length is in the 4th and 5th bytes of the record header */
1517 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1518 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1519 || !TEST_size_t_eq(rawwritten, eoedlen))
1520 goto end;
1521
1522 /* Server should be told that there is no more early data */
1523 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1524 &readbytes),
1525 SSL_READ_EARLY_DATA_FINISH)
1526 || !TEST_size_t_eq(readbytes, 0))
1527 goto end;
1528
1529 /*
1530 * Server has not finished init yet, so should still be able to write early
1531 * data.
1532 */
1533 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1534 &written))
1535 || !TEST_size_t_eq(written, strlen(MSG6)))
1536 goto end;
1537
1538 /* Push the ClientFinished and the normal data back into the server rbio */
1539 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1540 &rawwritten))
1541 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1542 goto end;
1543
1544 /* Server should be able to read normal data */
1545 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1546 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1547 goto end;
1548
1549 /* Client and server should not be able to write/read early data now */
1550 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1551 &written)))
1552 goto end;
1553 ERR_clear_error();
1554 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1555 &readbytes),
1556 SSL_READ_EARLY_DATA_ERROR))
1557 goto end;
1558 ERR_clear_error();
1559
1560 /* Client should be able to read the data sent by the server */
1561 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1562 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1563 goto end;
1564
1565 /*
1566 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1567 * We attempt a read which we do not expect to return any data.
1568 */
1569 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1570 goto end;
1571
1572 /* Server should be able to write normal data */
1573 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1574 || !TEST_size_t_eq(written, strlen(MSG7))
1575 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1576 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1577 goto end;
1578
1579 SSL_SESSION_free(sess);
1580 sess = SSL_get1_session(clientssl);
1581
1582 SSL_shutdown(clientssl);
1583 SSL_shutdown(serverssl);
1584 SSL_free(serverssl);
1585 SSL_free(clientssl);
1586 serverssl = clientssl = NULL;
1587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1588 &clientssl, NULL, NULL))
1589 || !TEST_true(SSL_set_session(clientssl, sess)))
1590 goto end;
1591
1592 /* Write and read some early data */
1593 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1594 &written))
1595 || !TEST_size_t_eq(written, strlen(MSG1))
1596 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1597 &readbytes),
1598 SSL_READ_EARLY_DATA_SUCCESS)
1599 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1600 goto end;
1601
1602 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1603 || !TEST_int_gt(SSL_accept(serverssl), 0))
1604 goto end;
1605
1606 /* Client and server should not be able to write/read early data now */
1607 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1608 &written)))
1609 goto end;
1610 ERR_clear_error();
1611 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1612 &readbytes),
1613 SSL_READ_EARLY_DATA_ERROR))
1614 goto end;
1615 ERR_clear_error();
1616
1617 /* Client and server should be able to write/read normal data */
1618 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1619 || !TEST_size_t_eq(written, strlen(MSG5))
1620 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1621 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1622 goto end;
1623
1624 testresult = 1;
1625
1626 end:
1627 SSL_SESSION_free(sess);
1628 SSL_free(serverssl);
1629 SSL_free(clientssl);
1630 SSL_CTX_free(sctx);
1631 SSL_CTX_free(cctx);
1632 return testresult;
1633 }
1634
1635 /*
1636 * Helper function to test that a server attempting to read early data can
1637 * handle a connection from a client where the early data should be skipped.
1638 */
1639 static int early_data_skip_helper(int hrr, int idx)
1640 {
1641 SSL_CTX *cctx = NULL, *sctx = NULL;
1642 SSL *clientssl = NULL, *serverssl = NULL;
1643 int testresult = 0;
1644 SSL_SESSION *sess = NULL;
1645 unsigned char buf[20];
1646 size_t readbytes, written;
1647
1648 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1649 &serverssl, &sess, idx)))
1650 goto end;
1651
1652 if (hrr) {
1653 /* Force an HRR to occur */
1654 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1655 goto end;
1656 } else {
1657 /*
1658 * Deliberately corrupt the creation time. We take 20 seconds off the
1659 * time. It could be any value as long as it is not within tolerance.
1660 * This should mean the ticket is rejected.
1661 */
1662 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1663 goto end;
1664 }
1665
1666 /* Write some early data */
1667 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1668 &written))
1669 || !TEST_size_t_eq(written, strlen(MSG1)))
1670 goto end;
1671
1672 /* Server should reject the early data and skip over it */
1673 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1674 &readbytes),
1675 SSL_READ_EARLY_DATA_FINISH)
1676 || !TEST_size_t_eq(readbytes, 0)
1677 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1678 SSL_EARLY_DATA_REJECTED))
1679 goto end;
1680
1681 if (hrr) {
1682 /*
1683 * Finish off the handshake. We perform the same writes and reads as
1684 * further down but we expect them to fail due to the incomplete
1685 * handshake.
1686 */
1687 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1688 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1689 &readbytes)))
1690 goto end;
1691 }
1692
1693 /* Should be able to send normal data despite rejection of early data */
1694 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1695 || !TEST_size_t_eq(written, strlen(MSG2))
1696 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1697 SSL_EARLY_DATA_REJECTED)
1698 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1699 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1700 goto end;
1701
1702 testresult = 1;
1703
1704 end:
1705 SSL_SESSION_free(sess);
1706 SSL_free(serverssl);
1707 SSL_free(clientssl);
1708 SSL_CTX_free(sctx);
1709 SSL_CTX_free(cctx);
1710 return testresult;
1711 }
1712
1713 /*
1714 * Test that a server attempting to read early data can handle a connection
1715 * from a client where the early data is not acceptable.
1716 */
1717 static int test_early_data_skip(int idx)
1718 {
1719 return early_data_skip_helper(0, idx);
1720 }
1721
1722 /*
1723 * Test that a server attempting to read early data can handle a connection
1724 * from a client where an HRR occurs.
1725 */
1726 static int test_early_data_skip_hrr(int idx)
1727 {
1728 return early_data_skip_helper(1, idx);
1729 }
1730
1731 /*
1732 * Test that a server attempting to read early data can handle a connection
1733 * from a client that doesn't send any.
1734 */
1735 static int test_early_data_not_sent(int idx)
1736 {
1737 SSL_CTX *cctx = NULL, *sctx = NULL;
1738 SSL *clientssl = NULL, *serverssl = NULL;
1739 int testresult = 0;
1740 SSL_SESSION *sess = NULL;
1741 unsigned char buf[20];
1742 size_t readbytes, written;
1743
1744 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1745 &serverssl, &sess, idx)))
1746 goto end;
1747
1748 /* Write some data - should block due to handshake with server */
1749 SSL_set_connect_state(clientssl);
1750 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1751 goto end;
1752
1753 /* Server should detect that early data has not been sent */
1754 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1755 &readbytes),
1756 SSL_READ_EARLY_DATA_FINISH)
1757 || !TEST_size_t_eq(readbytes, 0)
1758 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1759 SSL_EARLY_DATA_NOT_SENT)
1760 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1761 SSL_EARLY_DATA_NOT_SENT))
1762 goto end;
1763
1764 /* Continue writing the message we started earlier */
1765 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1766 || !TEST_size_t_eq(written, strlen(MSG1))
1767 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1768 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1769 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1770 || !TEST_size_t_eq(written, strlen(MSG2)))
1771 goto end;
1772
1773 /*
1774 * Should block due to the NewSessionTicket arrival unless we're using
1775 * read_ahead
1776 */
1777 if (idx == 0) {
1778 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1779 goto end;
1780 }
1781
1782 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1783 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1784 goto end;
1785
1786 testresult = 1;
1787
1788 end:
1789 SSL_SESSION_free(sess);
1790 SSL_free(serverssl);
1791 SSL_free(clientssl);
1792 SSL_CTX_free(sctx);
1793 SSL_CTX_free(cctx);
1794 return testresult;
1795 }
1796
1797 /*
1798 * Test that a server that doesn't try to read early data can handle a
1799 * client sending some.
1800 */
1801 static int test_early_data_not_expected(int idx)
1802 {
1803 SSL_CTX *cctx = NULL, *sctx = NULL;
1804 SSL *clientssl = NULL, *serverssl = NULL;
1805 int testresult = 0;
1806 SSL_SESSION *sess = NULL;
1807 unsigned char buf[20];
1808 size_t readbytes, written;
1809
1810
1811 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1812 &serverssl, &sess, idx)))
1813 goto end;
1814
1815 /* Write some early data */
1816 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1817 &written)))
1818 goto end;
1819
1820 /*
1821 * Server should skip over early data and then block waiting for client to
1822 * continue handshake
1823 */
1824 if (!TEST_int_le(SSL_accept(serverssl), 0)
1825 || !TEST_int_gt(SSL_connect(clientssl), 0)
1826 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1827 SSL_EARLY_DATA_REJECTED)
1828 || !TEST_int_gt(SSL_accept(serverssl), 0)
1829 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1830 SSL_EARLY_DATA_REJECTED))
1831 goto end;
1832
1833 /* Send some normal data from client to server */
1834 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1835 || !TEST_size_t_eq(written, strlen(MSG2)))
1836 goto end;
1837
1838 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1839 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1840 goto end;
1841
1842 testresult = 1;
1843
1844 end:
1845 SSL_SESSION_free(sess);
1846 SSL_free(serverssl);
1847 SSL_free(clientssl);
1848 SSL_CTX_free(sctx);
1849 SSL_CTX_free(cctx);
1850 return testresult;
1851 }
1852
1853
1854 # ifndef OPENSSL_NO_TLS1_2
1855 /*
1856 * Test that a server attempting to read early data can handle a connection
1857 * from a TLSv1.2 client.
1858 */
1859 static int test_early_data_tls1_2(int idx)
1860 {
1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
1863 int testresult = 0;
1864 unsigned char buf[20];
1865 size_t readbytes, written;
1866
1867 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1868 TLS_client_method(), &sctx,
1869 &cctx, cert, privkey)))
1870 goto end;
1871
1872 /* When idx == 1 we repeat the tests with read_ahead set */
1873 if (idx > 0) {
1874 SSL_CTX_set_read_ahead(cctx, 1);
1875 SSL_CTX_set_read_ahead(sctx, 1);
1876 }
1877
1878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1879 &clientssl, NULL, NULL)))
1880 goto end;
1881
1882 /* Write some data - should block due to handshake with server */
1883 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
1884 SSL_set_connect_state(clientssl);
1885 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1886 goto end;
1887
1888 /*
1889 * Server should do TLSv1.2 handshake. First it will block waiting for more
1890 * messages from client after ServerDone. Then SSL_read_early_data should
1891 * finish and detect that early data has not been sent
1892 */
1893 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1894 &readbytes),
1895 SSL_READ_EARLY_DATA_ERROR))
1896 goto end;
1897
1898 /*
1899 * Continue writing the message we started earlier. Will still block waiting
1900 * for the CCS/Finished from server
1901 */
1902 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1903 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1904 &readbytes),
1905 SSL_READ_EARLY_DATA_FINISH)
1906 || !TEST_size_t_eq(readbytes, 0)
1907 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1908 SSL_EARLY_DATA_NOT_SENT))
1909 goto end;
1910
1911 /* Continue writing the message we started earlier */
1912 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1913 || !TEST_size_t_eq(written, strlen(MSG1))
1914 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1915 SSL_EARLY_DATA_NOT_SENT)
1916 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1917 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1918 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
1919 || !TEST_size_t_eq(written, strlen(MSG2))
1920 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
1921 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1922 goto end;
1923
1924 testresult = 1;
1925
1926 end:
1927 SSL_free(serverssl);
1928 SSL_free(clientssl);
1929 SSL_CTX_free(sctx);
1930 SSL_CTX_free(cctx);
1931
1932 return testresult;
1933 }
1934 # endif /* OPENSSL_NO_TLS1_2 */
1935
1936 static int test_ciphersuite_change(void)
1937 {
1938 SSL_CTX *cctx = NULL, *sctx = NULL;
1939 SSL *clientssl = NULL, *serverssl = NULL;
1940 SSL_SESSION *clntsess = NULL;
1941 int testresult = 0;
1942 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
1943
1944 /* Create a session based on SHA-256 */
1945 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1946 TLS_client_method(), &sctx,
1947 &cctx, cert, privkey))
1948 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1949 "TLS13-AES-128-GCM-SHA256"))
1950 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1951 &clientssl, NULL, NULL))
1952 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1953 SSL_ERROR_NONE)))
1954 goto end;
1955
1956 clntsess = SSL_get1_session(clientssl);
1957 /* Save for later */
1958 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
1959 SSL_shutdown(clientssl);
1960 SSL_shutdown(serverssl);
1961 SSL_free(serverssl);
1962 SSL_free(clientssl);
1963 serverssl = clientssl = NULL;
1964
1965 /* Check we can resume a session with a different SHA-256 ciphersuite */
1966 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1967 "TLS13-CHACHA20-POLY1305-SHA256"))
1968 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1969 NULL, NULL))
1970 || !TEST_true(SSL_set_session(clientssl, clntsess))
1971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1972 SSL_ERROR_NONE))
1973 || !TEST_true(SSL_session_reused(clientssl)))
1974 goto end;
1975
1976 SSL_SESSION_free(clntsess);
1977 clntsess = SSL_get1_session(clientssl);
1978 SSL_shutdown(clientssl);
1979 SSL_shutdown(serverssl);
1980 SSL_free(serverssl);
1981 SSL_free(clientssl);
1982 serverssl = clientssl = NULL;
1983
1984 /*
1985 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
1986 * succeeds but does not resume.
1987 */
1988 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1989 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1990 NULL, NULL))
1991 || !TEST_true(SSL_set_session(clientssl, clntsess))
1992 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1993 SSL_ERROR_SSL))
1994 || !TEST_false(SSL_session_reused(clientssl)))
1995 goto end;
1996
1997 SSL_SESSION_free(clntsess);
1998 clntsess = NULL;
1999 SSL_shutdown(clientssl);
2000 SSL_shutdown(serverssl);
2001 SSL_free(serverssl);
2002 SSL_free(clientssl);
2003 serverssl = clientssl = NULL;
2004
2005 /* Create a session based on SHA384 */
2006 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2007 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2008 &clientssl, NULL, NULL))
2009 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2010 SSL_ERROR_NONE)))
2011 goto end;
2012
2013 clntsess = SSL_get1_session(clientssl);
2014 SSL_shutdown(clientssl);
2015 SSL_shutdown(serverssl);
2016 SSL_free(serverssl);
2017 SSL_free(clientssl);
2018 serverssl = clientssl = NULL;
2019
2020 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2021 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2022 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2023 "TLS13-AES-256-GCM-SHA384"))
2024 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2025 NULL, NULL))
2026 || !TEST_true(SSL_set_session(clientssl, clntsess))
2027 /*
2028 * We use SSL_ERROR_WANT_READ below so that we can pause the
2029 * connection after the initial ClientHello has been sent to
2030 * enable us to make some session changes.
2031 */
2032 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2033 SSL_ERROR_WANT_READ)))
2034 goto end;
2035
2036 /* Trick the client into thinking this session is for a different digest */
2037 clntsess->cipher = aes_128_gcm_sha256;
2038 clntsess->cipher_id = clntsess->cipher->id;
2039
2040 /*
2041 * Continue the previously started connection. Server has selected a SHA-384
2042 * ciphersuite, but client thinks the session is for SHA-256, so it should
2043 * bail out.
2044 */
2045 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2046 SSL_ERROR_SSL))
2047 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2048 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2049 goto end;
2050
2051 testresult = 1;
2052
2053 end:
2054 SSL_SESSION_free(clntsess);
2055 SSL_free(serverssl);
2056 SSL_free(clientssl);
2057 SSL_CTX_free(sctx);
2058 SSL_CTX_free(cctx);
2059
2060 return testresult;
2061 }
2062
2063
2064 static SSL_SESSION *psk = NULL;
2065 static const char *pskid = "Identity";
2066 static const char *srvid;
2067
2068 static int use_session_cb_cnt = 0;
2069 static int find_session_cb_cnt = 0;
2070
2071 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2072 size_t *idlen, SSL_SESSION **sess)
2073 {
2074 switch (++use_session_cb_cnt) {
2075 case 1:
2076 /* The first call should always have a NULL md */
2077 if (md != NULL)
2078 return 0;
2079 break;
2080
2081 case 2:
2082 /* The second call should always have an md */
2083 if (md == NULL)
2084 return 0;
2085 break;
2086
2087 default:
2088 /* We should only be called a maximum of twice */
2089 return 0;
2090 }
2091
2092 if (psk != NULL)
2093 SSL_SESSION_up_ref(psk);
2094
2095 *sess = psk;
2096 *id = (const unsigned char *)pskid;
2097 *idlen = strlen(pskid);
2098
2099 return 1;
2100 }
2101
2102 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2103 size_t identity_len, SSL_SESSION **sess)
2104 {
2105 find_session_cb_cnt++;
2106
2107 /* We should only ever be called a maximum of twice per connection */
2108 if (find_session_cb_cnt > 2)
2109 return 0;
2110
2111 if (psk == NULL)
2112 return 0;
2113
2114 /* Identity should match that set by the client */
2115 if (strlen(srvid) != identity_len
2116 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2117 /* No PSK found, continue but without a PSK */
2118 *sess = NULL;
2119 return 1;
2120 }
2121
2122 SSL_SESSION_up_ref(psk);
2123 *sess = psk;
2124
2125 return 1;
2126 }
2127
2128 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2129
2130 static int test_tls13_psk(void)
2131 {
2132 SSL_CTX *sctx = NULL, *cctx = NULL;
2133 SSL *serverssl = NULL, *clientssl = NULL;
2134 const SSL_CIPHER *cipher = NULL;
2135 const unsigned char key[] = {
2136 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2137 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2138 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2139 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2140 };
2141 int testresult = 0;
2142
2143 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2144 TLS_client_method(), &sctx,
2145 &cctx, cert, privkey)))
2146 goto end;
2147
2148 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2149 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2150 srvid = pskid;
2151
2152 /* Check we can create a connection if callback decides not to send a PSK */
2153 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2154 NULL, NULL))
2155 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2156 SSL_ERROR_NONE))
2157 || !TEST_false(SSL_session_reused(clientssl))
2158 || !TEST_false(SSL_session_reused(serverssl))
2159 || !TEST_true(use_session_cb_cnt == 1)
2160 || !TEST_true(find_session_cb_cnt == 0))
2161 goto end;
2162
2163 shutdown_ssl_connection(serverssl, clientssl);
2164 serverssl = clientssl = NULL;
2165 use_session_cb_cnt = 0;
2166
2167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2168 NULL, NULL)))
2169 goto end;
2170
2171 /* Create the PSK */
2172 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2173 psk = SSL_SESSION_new();
2174 if (!TEST_ptr(psk)
2175 || !TEST_ptr(cipher)
2176 || !TEST_true(SSL_SESSION_set1_master_key(psk, key, sizeof(key)))
2177 || !TEST_true(SSL_SESSION_set_cipher(psk, cipher))
2178 || !TEST_true(SSL_SESSION_set_protocol_version(psk,
2179 TLS1_3_VERSION)))
2180 goto end;
2181
2182 /* Check we can create a connection and the PSK is used */
2183 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2184 || !TEST_true(SSL_session_reused(clientssl))
2185 || !TEST_true(SSL_session_reused(serverssl))
2186 || !TEST_true(use_session_cb_cnt == 1)
2187 || !TEST_true(find_session_cb_cnt == 1))
2188 goto end;
2189
2190 shutdown_ssl_connection(serverssl, clientssl);
2191 serverssl = clientssl = NULL;
2192 use_session_cb_cnt = find_session_cb_cnt = 0;
2193
2194 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2195 NULL, NULL)))
2196 goto end;
2197
2198 /* Force an HRR */
2199 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2200 goto end;
2201
2202 /*
2203 * Check we can create a connection, the PSK is used and the callbacks are
2204 * called twice.
2205 */
2206 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2207 || !TEST_true(SSL_session_reused(clientssl))
2208 || !TEST_true(SSL_session_reused(serverssl))
2209 || !TEST_true(use_session_cb_cnt == 2)
2210 || !TEST_true(find_session_cb_cnt == 2))
2211 goto end;
2212
2213 shutdown_ssl_connection(serverssl, clientssl);
2214 serverssl = clientssl = NULL;
2215 use_session_cb_cnt = find_session_cb_cnt = 0;
2216
2217 /*
2218 * Check that if the server rejects the PSK we can still connect, but with
2219 * a full handshake
2220 */
2221 srvid = "Dummy Identity";
2222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2223 NULL, NULL))
2224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2225 SSL_ERROR_NONE))
2226 || !TEST_false(SSL_session_reused(clientssl))
2227 || !TEST_false(SSL_session_reused(serverssl))
2228 || !TEST_true(use_session_cb_cnt == 1)
2229 || !TEST_true(find_session_cb_cnt == 1))
2230 goto end;
2231
2232 shutdown_ssl_connection(serverssl, clientssl);
2233 serverssl = clientssl = NULL;
2234 testresult = 1;
2235
2236 end:
2237 SSL_SESSION_free(psk);
2238 SSL_free(serverssl);
2239 SSL_free(clientssl);
2240 SSL_CTX_free(sctx);
2241 SSL_CTX_free(cctx);
2242 return testresult;
2243 }
2244
2245 #endif /* OPENSSL_NO_TLS1_3 */
2246
2247 static int clntaddoldcb = 0;
2248 static int clntparseoldcb = 0;
2249 static int srvaddoldcb = 0;
2250 static int srvparseoldcb = 0;
2251 static int clntaddnewcb = 0;
2252 static int clntparsenewcb = 0;
2253 static int srvaddnewcb = 0;
2254 static int srvparsenewcb = 0;
2255 static int snicb = 0;
2256
2257 #define TEST_EXT_TYPE1 0xff00
2258
2259 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2260 size_t *outlen, int *al, void *add_arg)
2261 {
2262 int *server = (int *)add_arg;
2263 unsigned char *data;
2264
2265 if (SSL_is_server(s))
2266 srvaddoldcb++;
2267 else
2268 clntaddoldcb++;
2269
2270 if (*server != SSL_is_server(s)
2271 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2272 return -1;
2273
2274 *data = 1;
2275 *out = data;
2276 *outlen = sizeof(char);
2277 return 1;
2278 }
2279
2280 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2281 void *add_arg)
2282 {
2283 OPENSSL_free((unsigned char *)out);
2284 }
2285
2286 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2287 size_t inlen, int *al, void *parse_arg)
2288 {
2289 int *server = (int *)parse_arg;
2290
2291 if (SSL_is_server(s))
2292 srvparseoldcb++;
2293 else
2294 clntparseoldcb++;
2295
2296 if (*server != SSL_is_server(s)
2297 || inlen != sizeof(char)
2298 || *in != 1)
2299 return -1;
2300
2301 return 1;
2302 }
2303
2304 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2305 const unsigned char **out, size_t *outlen, X509 *x,
2306 size_t chainidx, int *al, void *add_arg)
2307 {
2308 int *server = (int *)add_arg;
2309 unsigned char *data;
2310
2311 if (SSL_is_server(s))
2312 srvaddnewcb++;
2313 else
2314 clntaddnewcb++;
2315
2316 if (*server != SSL_is_server(s)
2317 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2318 return -1;
2319
2320 *data = 1;
2321 *out = data;
2322 *outlen = sizeof(*data);
2323 return 1;
2324 }
2325
2326 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2327 const unsigned char *out, void *add_arg)
2328 {
2329 OPENSSL_free((unsigned char *)out);
2330 }
2331
2332 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2333 const unsigned char *in, size_t inlen, X509 *x,
2334 size_t chainidx, int *al, void *parse_arg)
2335 {
2336 int *server = (int *)parse_arg;
2337
2338 if (SSL_is_server(s))
2339 srvparsenewcb++;
2340 else
2341 clntparsenewcb++;
2342
2343 if (*server != SSL_is_server(s)
2344 || inlen != sizeof(char) || *in != 1)
2345 return -1;
2346
2347 return 1;
2348 }
2349
2350 static int sni_cb(SSL *s, int *al, void *arg)
2351 {
2352 SSL_CTX *ctx = (SSL_CTX *)arg;
2353
2354 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2355 *al = SSL_AD_INTERNAL_ERROR;
2356 return SSL_TLSEXT_ERR_ALERT_FATAL;
2357 }
2358 snicb++;
2359 return SSL_TLSEXT_ERR_OK;
2360 }
2361
2362 /*
2363 * Custom call back tests.
2364 * Test 0: Old style callbacks in TLSv1.2
2365 * Test 1: New style callbacks in TLSv1.2
2366 * Test 2: New style callbacks in TLSv1.2 with SNI
2367 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2368 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2369 */
2370 static int test_custom_exts(int tst)
2371 {
2372 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2373 SSL *clientssl = NULL, *serverssl = NULL;
2374 int testresult = 0;
2375 static int server = 1;
2376 static int client = 0;
2377 SSL_SESSION *sess = NULL;
2378 unsigned int context;
2379
2380 /* Reset callback counters */
2381 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2382 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2383 snicb = 0;
2384
2385 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2386 TLS_client_method(), &sctx,
2387 &cctx, cert, privkey)))
2388 goto end;
2389
2390 if (tst == 2
2391 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2392 NULL, cert, privkey)))
2393 goto end;
2394
2395
2396 if (tst < 3) {
2397 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2398 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2399 if (sctx2 != NULL)
2400 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2401 }
2402
2403 if (tst == 4) {
2404 context = SSL_EXT_CLIENT_HELLO
2405 | SSL_EXT_TLS1_2_SERVER_HELLO
2406 | SSL_EXT_TLS1_3_SERVER_HELLO
2407 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2408 | SSL_EXT_TLS1_3_CERTIFICATE
2409 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2410 } else {
2411 context = SSL_EXT_CLIENT_HELLO
2412 | SSL_EXT_TLS1_2_SERVER_HELLO
2413 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2414 }
2415
2416 /* Create a client side custom extension */
2417 if (tst == 0) {
2418 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2419 old_add_cb, old_free_cb,
2420 &client, old_parse_cb,
2421 &client)))
2422 goto end;
2423 } else {
2424 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2425 new_add_cb, new_free_cb,
2426 &client, new_parse_cb, &client)))
2427 goto end;
2428 }
2429
2430 /* Should not be able to add duplicates */
2431 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2432 old_add_cb, old_free_cb,
2433 &client, old_parse_cb,
2434 &client))
2435 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2436 context, new_add_cb,
2437 new_free_cb, &client,
2438 new_parse_cb, &client)))
2439 goto end;
2440
2441 /* Create a server side custom extension */
2442 if (tst == 0) {
2443 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2444 old_add_cb, old_free_cb,
2445 &server, old_parse_cb,
2446 &server)))
2447 goto end;
2448 } else {
2449 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2450 new_add_cb, new_free_cb,
2451 &server, new_parse_cb, &server)))
2452 goto end;
2453 if (sctx2 != NULL
2454 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2455 context, new_add_cb,
2456 new_free_cb, &server,
2457 new_parse_cb, &server)))
2458 goto end;
2459 }
2460
2461 /* Should not be able to add duplicates */
2462 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2463 old_add_cb, old_free_cb,
2464 &server, old_parse_cb,
2465 &server))
2466 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2467 context, new_add_cb,
2468 new_free_cb, &server,
2469 new_parse_cb, &server)))
2470 goto end;
2471
2472 if (tst == 2) {
2473 /* Set up SNI */
2474 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2475 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2476 goto end;
2477 }
2478
2479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2480 &clientssl, NULL, NULL))
2481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2482 SSL_ERROR_NONE)))
2483 goto end;
2484
2485 if (tst == 0) {
2486 if (clntaddoldcb != 1
2487 || clntparseoldcb != 1
2488 || srvaddoldcb != 1
2489 || srvparseoldcb != 1)
2490 goto end;
2491 } else if (tst == 1 || tst == 2 || tst == 3) {
2492 if (clntaddnewcb != 1
2493 || clntparsenewcb != 1
2494 || srvaddnewcb != 1
2495 || srvparsenewcb != 1
2496 || (tst != 2 && snicb != 0)
2497 || (tst == 2 && snicb != 1))
2498 goto end;
2499 } else {
2500 if (clntaddnewcb != 1
2501 || clntparsenewcb != 4
2502 || srvaddnewcb != 4
2503 || srvparsenewcb != 1)
2504 goto end;
2505 }
2506
2507 sess = SSL_get1_session(clientssl);
2508 SSL_shutdown(clientssl);
2509 SSL_shutdown(serverssl);
2510 SSL_free(serverssl);
2511 SSL_free(clientssl);
2512 serverssl = clientssl = NULL;
2513
2514 if (tst == 3) {
2515 /* We don't bother with the resumption aspects for this test */
2516 testresult = 1;
2517 goto end;
2518 }
2519
2520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2521 NULL, NULL))
2522 || !TEST_true(SSL_set_session(clientssl, sess))
2523 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2524 SSL_ERROR_NONE)))
2525 goto end;
2526
2527 /*
2528 * For a resumed session we expect to add the ClientHello extension. For the
2529 * old style callbacks we ignore it on the server side because they set
2530 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2531 * them.
2532 */
2533 if (tst == 0) {
2534 if (clntaddoldcb != 2
2535 || clntparseoldcb != 1
2536 || srvaddoldcb != 1
2537 || srvparseoldcb != 1)
2538 goto end;
2539 } else if (tst == 1 || tst == 2 || tst == 3) {
2540 if (clntaddnewcb != 2
2541 || clntparsenewcb != 2
2542 || srvaddnewcb != 2
2543 || srvparsenewcb != 2)
2544 goto end;
2545 } else {
2546 /* No Certificate message extensions in the resumption handshake */
2547 if (clntaddnewcb != 2
2548 || clntparsenewcb != 7
2549 || srvaddnewcb != 7
2550 || srvparsenewcb != 2)
2551 goto end;
2552 }
2553
2554 testresult = 1;
2555
2556 end:
2557 SSL_SESSION_free(sess);
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2560 SSL_CTX_free(sctx2);
2561 SSL_CTX_free(sctx);
2562 SSL_CTX_free(cctx);
2563 return testresult;
2564 }
2565
2566 /*
2567 * Test loading of serverinfo data in various formats. test_sslmessages actually
2568 * tests to make sure the extensions appear in the handshake
2569 */
2570 static int test_serverinfo(int tst)
2571 {
2572 unsigned int version;
2573 unsigned char *sibuf;
2574 size_t sibuflen;
2575 int ret, expected, testresult = 0;
2576 SSL_CTX *ctx;
2577
2578 ctx = SSL_CTX_new(TLS_method());
2579 if (!TEST_ptr(ctx))
2580 goto end;
2581
2582 if ((tst & 0x01) == 0x01)
2583 version = SSL_SERVERINFOV2;
2584 else
2585 version = SSL_SERVERINFOV1;
2586
2587 if ((tst & 0x02) == 0x02) {
2588 sibuf = serverinfov2;
2589 sibuflen = sizeof(serverinfov2);
2590 expected = (version == SSL_SERVERINFOV2);
2591 } else {
2592 sibuf = serverinfov1;
2593 sibuflen = sizeof(serverinfov1);
2594 expected = (version == SSL_SERVERINFOV1);
2595 }
2596
2597 if ((tst & 0x04) == 0x04) {
2598 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2599 } else {
2600 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2601
2602 /*
2603 * The version variable is irrelevant in this case - it's what is in the
2604 * buffer that matters
2605 */
2606 if ((tst & 0x02) == 0x02)
2607 expected = 0;
2608 else
2609 expected = 1;
2610 }
2611
2612 if (!TEST_true(ret == expected))
2613 goto end;
2614
2615 testresult = 1;
2616
2617 end:
2618 SSL_CTX_free(ctx);
2619
2620 return testresult;
2621 }
2622
2623 /*
2624 * Test that SSL_export_keying_material() produces expected results. There are
2625 * no test vectors so all we do is test that both sides of the communication
2626 * produce the same results for different protocol versions.
2627 */
2628 static int test_export_key_mat(int tst)
2629 {
2630 int testresult = 0;
2631 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2632 SSL *clientssl = NULL, *serverssl = NULL;
2633 const char label[] = "test label";
2634 const unsigned char context[] = "context";
2635 const unsigned char *emptycontext = NULL;
2636 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2637 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2638 const int protocols[] = {
2639 TLS1_VERSION,
2640 TLS1_1_VERSION,
2641 TLS1_2_VERSION,
2642 TLS1_3_VERSION
2643 };
2644
2645 #ifdef OPENSSL_NO_TLS1
2646 if (tst == 0)
2647 return 1;
2648 #endif
2649 #ifdef OPENSSL_NO_TLS1_1
2650 if (tst == 1)
2651 return 1;
2652 #endif
2653 #ifdef OPENSSL_NO_TLS1_2
2654 if (tst == 2)
2655 return 1;
2656 #endif
2657 #ifdef OPENSSL_NO_TLS1_3
2658 if (tst == 3)
2659 return 1;
2660 #endif
2661 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2662 TLS_client_method(), &sctx,
2663 &cctx, cert, privkey)))
2664 goto end;
2665
2666 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2667 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2668 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2669
2670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2671 NULL))
2672 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2673 SSL_ERROR_NONE)))
2674 goto end;
2675
2676 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2677 sizeof(ckeymat1), label,
2678 sizeof(label) - 1, context,
2679 sizeof(context) - 1, 1), 1)
2680 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2681 sizeof(ckeymat2), label,
2682 sizeof(label) - 1,
2683 emptycontext,
2684 0, 1), 1)
2685 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2686 sizeof(ckeymat3), label,
2687 sizeof(label) - 1,
2688 NULL, 0, 0), 1)
2689 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2690 sizeof(skeymat1), label,
2691 sizeof(label) - 1,
2692 context,
2693 sizeof(context) -1, 1),
2694 1)
2695 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
2696 sizeof(skeymat2), label,
2697 sizeof(label) - 1,
2698 emptycontext,
2699 0, 1), 1)
2700 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
2701 sizeof(skeymat3), label,
2702 sizeof(label) - 1,
2703 NULL, 0, 0), 1)
2704 /*
2705 * Check that both sides created the same key material with the
2706 * same context.
2707 */
2708 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
2709 sizeof(skeymat1))
2710 /*
2711 * Check that both sides created the same key material with an
2712 * empty context.
2713 */
2714 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
2715 sizeof(skeymat2))
2716 /*
2717 * Check that both sides created the same key material without a
2718 * context.
2719 */
2720 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
2721 sizeof(skeymat3))
2722 /* Different contexts should produce different results */
2723 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
2724 sizeof(ckeymat2)))
2725 goto end;
2726
2727 /*
2728 * Check that an empty context and no context produce different results in
2729 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
2730 */
2731 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2732 sizeof(ckeymat3)))
2733 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
2734 sizeof(ckeymat3))))
2735 goto end;
2736
2737 testresult = 1;
2738
2739 end:
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 SSL_CTX_free(sctx2);
2743 SSL_CTX_free(sctx);
2744 SSL_CTX_free(cctx);
2745
2746 return testresult;
2747 }
2748
2749 static int test_ssl_clear(int idx)
2750 {
2751 SSL_CTX *cctx = NULL, *sctx = NULL;
2752 SSL *clientssl = NULL, *serverssl = NULL;
2753 int testresult = 0;
2754
2755 #ifdef OPENSSL_NO_TLS1_2
2756 if (idx == 1)
2757 return 1;
2758 #endif
2759
2760 /* Create an initial connection */
2761 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2762 TLS_client_method(), &sctx,
2763 &cctx, cert, privkey))
2764 || (idx == 1
2765 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
2766 TLS1_2_VERSION)))
2767 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2768 &clientssl, NULL, NULL))
2769 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2770 SSL_ERROR_NONE)))
2771 goto end;
2772
2773 SSL_shutdown(clientssl);
2774 SSL_shutdown(serverssl);
2775 SSL_free(serverssl);
2776 serverssl = NULL;
2777
2778 /* Clear clientssl - we're going to reuse the object */
2779 if (!TEST_true(SSL_clear(clientssl)))
2780 goto end;
2781
2782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2783 NULL, NULL))
2784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2785 SSL_ERROR_NONE))
2786 || !TEST_true(SSL_session_reused(clientssl)))
2787 goto end;
2788
2789 SSL_shutdown(clientssl);
2790 SSL_shutdown(serverssl);
2791
2792 testresult = 1;
2793
2794 end:
2795 SSL_free(serverssl);
2796 SSL_free(clientssl);
2797 SSL_CTX_free(sctx);
2798 SSL_CTX_free(cctx);
2799
2800 return testresult;
2801 }
2802
2803 int setup_tests(void)
2804 {
2805 if (!TEST_ptr(cert = test_get_argument(0))
2806 || !TEST_ptr(privkey = test_get_argument(1)))
2807 return 0;
2808
2809 ADD_TEST(test_large_message_tls);
2810 ADD_TEST(test_large_message_tls_read_ahead);
2811 #ifndef OPENSSL_NO_DTLS
2812 ADD_TEST(test_large_message_dtls);
2813 #endif
2814 #ifndef OPENSSL_NO_OCSP
2815 ADD_TEST(test_tlsext_status_type);
2816 #endif
2817 ADD_TEST(test_session_with_only_int_cache);
2818 ADD_TEST(test_session_with_only_ext_cache);
2819 ADD_TEST(test_session_with_both_cache);
2820 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
2821 ADD_TEST(test_ssl_bio_pop_next_bio);
2822 ADD_TEST(test_ssl_bio_pop_ssl_bio);
2823 ADD_TEST(test_ssl_bio_change_rbio);
2824 ADD_TEST(test_ssl_bio_change_wbio);
2825 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
2826 ADD_TEST(test_keylog);
2827 #ifndef OPENSSL_NO_TLS1_3
2828 ADD_TEST(test_keylog_no_master_key);
2829 #endif
2830 #ifndef OPENSSL_NO_TLS1_2
2831 ADD_TEST(test_early_cb);
2832 #endif
2833 #ifndef OPENSSL_NO_TLS1_3
2834 ADD_ALL_TESTS(test_early_data_read_write, 2);
2835 ADD_ALL_TESTS(test_early_data_skip, 2);
2836 ADD_ALL_TESTS(test_early_data_skip_hrr, 2);
2837 ADD_ALL_TESTS(test_early_data_not_sent, 2);
2838 ADD_ALL_TESTS(test_early_data_not_expected, 2);
2839 # ifndef OPENSSL_NO_TLS1_2
2840 ADD_ALL_TESTS(test_early_data_tls1_2, 2);
2841 # endif
2842 #endif
2843 #ifndef OPENSSL_NO_TLS1_3
2844 ADD_TEST(test_ciphersuite_change);
2845 ADD_TEST(test_tls13_psk);
2846 ADD_ALL_TESTS(test_custom_exts, 5);
2847 #else
2848 ADD_ALL_TESTS(test_custom_exts, 3);
2849 #endif
2850 ADD_ALL_TESTS(test_serverinfo, 8);
2851 ADD_ALL_TESTS(test_export_key_mat, 4);
2852 ADD_ALL_TESTS(test_ssl_clear, 2);
2853 return 1;
2854 }
2855
2856 void cleanup_tests(void)
2857 {
2858 bio_s_mempacket_test_free();
2859 }
A mirror of the official openssl repository