]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add some SSL BIO tests
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/opensslconf.h>
11 #include <openssl/bio.h>
12 #include <openssl/crypto.h>
13 #include <openssl/ssl.h>
14
15 #include "ssltestlib.h"
16 #include "testutil.h"
17
18 static char *cert = NULL;
19 static char *privkey = NULL;
20
21 static int test_tlsext_status_type(void)
22 {
23 SSL_CTX *ctx = NULL;
24 SSL *con = NULL;
25 int testresult = 0;
26
27 /* Test tlsext_status_type */
28 ctx = SSL_CTX_new(TLS_method());
29
30 if (SSL_CTX_get_tlsext_status_type(ctx) != -1) {
31 printf("Unexpected initial value for "
32 "SSL_CTX_get_tlsext_status_type()\n");
33 goto end;
34 }
35
36 con = SSL_new(ctx);
37
38 if (SSL_get_tlsext_status_type(con) != -1) {
39 printf("Unexpected initial value for SSL_get_tlsext_status_type()\n");
40 goto end;
41 }
42
43 if (!SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)) {
44 printf("Unexpected fail for SSL_set_tlsext_status_type()\n");
45 goto end;
46 }
47
48 if (SSL_get_tlsext_status_type(con) != TLSEXT_STATUSTYPE_ocsp) {
49 printf("Unexpected result for SSL_get_tlsext_status_type()\n");
50 goto end;
51 }
52
53 SSL_free(con);
54 con = NULL;
55
56 if (!SSL_CTX_set_tlsext_status_type(ctx, TLSEXT_STATUSTYPE_ocsp)) {
57 printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n");
58 goto end;
59 }
60
61 if (SSL_CTX_get_tlsext_status_type(ctx) != TLSEXT_STATUSTYPE_ocsp) {
62 printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n");
63 goto end;
64 }
65
66 con = SSL_new(ctx);
67
68 if (SSL_get_tlsext_status_type(con) != TLSEXT_STATUSTYPE_ocsp) {
69 printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n");
70 goto end;
71 }
72
73 testresult = 1;
74
75 end:
76 SSL_free(con);
77 SSL_CTX_free(ctx);
78
79 return testresult;
80 }
81
82 typedef struct ssl_session_test_fixture {
83 const char *test_case_name;
84 int use_ext_cache;
85 int use_int_cache;
86 } SSL_SESSION_TEST_FIXTURE;
87
88 static int new_called = 0, remove_called = 0;
89
90 static SSL_SESSION_TEST_FIXTURE
91 ssl_session_set_up(const char *const test_case_name)
92 {
93 SSL_SESSION_TEST_FIXTURE fixture;
94
95 fixture.test_case_name = test_case_name;
96 fixture.use_ext_cache = 1;
97 fixture.use_int_cache = 1;
98
99 new_called = remove_called = 0;
100
101 return fixture;
102 }
103
104 static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture)
105 {
106 }
107
108 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
109 {
110 new_called++;
111
112 return 1;
113 }
114
115 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
116 {
117 remove_called++;
118 }
119
120 static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
121 {
122 SSL_CTX *sctx = NULL, *cctx = NULL;
123 SSL *serverssl1 = NULL, *clientssl1 = NULL;
124 SSL *serverssl2 = NULL, *clientssl2 = NULL;
125 SSL *serverssl3 = NULL, *clientssl3 = NULL;
126 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
127 int testresult = 0;
128
129 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
130 &cctx, cert, privkey)) {
131 printf("Unable to create SSL_CTX pair\n");
132 return 0;
133 }
134
135 #ifndef OPENSSL_NO_TLS1_2
136 /* Only allow TLS1.2 so we can force a connection failure later */
137 SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
138 #endif
139
140 /* Set up session cache */
141 if (fix.use_ext_cache) {
142 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
143 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
144 }
145 if (fix.use_int_cache) {
146 /* Also covers instance where both are set */
147 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
148 } else {
149 SSL_CTX_set_session_cache_mode(cctx,
150 SSL_SESS_CACHE_CLIENT
151 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
152 }
153
154 if (!create_ssl_connection(sctx, cctx, &serverssl1, &clientssl1, NULL,
155 NULL)) {
156 printf("Unable to create SSL connection\n");
157 goto end;
158 }
159 sess1 = SSL_get1_session(clientssl1);
160 if (sess1 == NULL) {
161 printf("Unexpected NULL session\n");
162 goto end;
163 }
164
165 if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) {
166 /* Should have failed because it should already be in the cache */
167 printf("Unexpected success adding session to cache\n");
168 goto end;
169 }
170
171 if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) {
172 printf("Session not added to cache\n");
173 goto end;
174 }
175
176 if (!create_ssl_connection(sctx, cctx, &serverssl2, &clientssl2, NULL,
177 NULL)) {
178 printf("Unable to create second SSL connection\n");
179 goto end;
180 }
181
182 sess2 = SSL_get1_session(clientssl2);
183 if (sess2 == NULL) {
184 printf("Unexpected NULL session from clientssl2\n");
185 goto end;
186 }
187
188 if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) {
189 printf("Remove session callback unexpectedly called\n");
190 goto end;
191 }
192
193 /*
194 * This should clear sess2 from the cache because it is a "bad" session. See
195 * SSL_set_session() documentation.
196 */
197 if (!SSL_set_session(clientssl2, sess1)) {
198 printf("Unexpected failure setting session\n");
199 goto end;
200 }
201
202 if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) {
203 printf("Failed to call callback to remove session\n");
204 goto end;
205 }
206
207
208 if (SSL_get_session(clientssl2) != sess1) {
209 printf("Unexpected session found\n");
210 goto end;
211 }
212
213 if (fix.use_int_cache) {
214 if (!SSL_CTX_add_session(cctx, sess2)) {
215 /*
216 * Should have succeeded because it should not already be in the cache
217 */
218 printf("Unexpected failure adding session to cache\n");
219 goto end;
220 }
221
222 if (!SSL_CTX_remove_session(cctx, sess2)) {
223 printf("Unexpected failure removing session from cache\n");
224 goto end;
225 }
226
227 /* This is for the purposes of internal cache testing...ignore the
228 * counter for external cache
229 */
230 if (fix.use_ext_cache)
231 remove_called--;
232 }
233
234 /* This shouldn't be in the cache so should fail */
235 if (SSL_CTX_remove_session(cctx, sess2)) {
236 printf("Unexpected success removing session from cache\n");
237 goto end;
238 }
239
240 if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) {
241 printf("Failed to call callback to remove session #2\n");
242 goto end;
243 }
244
245 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
246 /* Force a connection failure */
247 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
248 clientssl3 = SSL_new(cctx);
249 if (clientssl3 == NULL) {
250 printf("Malloc failure\n");
251 goto end;
252 }
253 if (!SSL_set_session(clientssl3, sess1)) {
254 printf("Unable to set session for third connection\n");
255 goto end;
256 }
257
258 /* This should fail because of the mismatched protocol versions */
259 if (create_ssl_connection(sctx, cctx, &serverssl3, &clientssl3, NULL,
260 NULL)) {
261 printf("Unexpected success creating SSL connection\n");
262 goto end;
263 }
264
265 /* We should have automatically removed the session from the cache */
266 if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) {
267 printf("Failed to call callback to remove session #2\n");
268 goto end;
269 }
270
271 if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) {
272 /*
273 * Should have succeeded because it should not already be in the cache
274 */
275 printf("Unexpected failure adding session to cache #2\n");
276 goto end;
277 }
278 #endif
279
280 testresult = 1;
281
282 end:
283 SSL_free(serverssl1);
284 SSL_free(clientssl1);
285 SSL_free(serverssl2);
286 SSL_free(clientssl2);
287 SSL_free(serverssl3);
288 SSL_free(clientssl3);
289 SSL_SESSION_free(sess1);
290 SSL_SESSION_free(sess2);
291 /*
292 * Check if we need to remove any sessions up-refed for the external cache
293 */
294 if (new_called >= 1)
295 SSL_SESSION_free(sess1);
296 if (new_called >= 2)
297 SSL_SESSION_free(sess2);
298 SSL_CTX_free(sctx);
299 SSL_CTX_free(cctx);
300
301 return testresult;
302 }
303
304 static int test_session_with_only_int_cache(void)
305 {
306 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
307
308 fixture.use_ext_cache = 0;
309
310 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
311 }
312
313 static int test_session_with_only_ext_cache(void)
314 {
315 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
316
317 fixture.use_int_cache = 0;
318
319 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
320 }
321
322 static int test_session_with_both_cache(void)
323 {
324 SETUP_TEST_FIXTURE(SSL_SESSION_TEST_FIXTURE, ssl_session_set_up);
325
326 EXECUTE_TEST(execute_test_session, ssl_session_tear_down);
327 }
328
329 #define USE_NULL 0
330 #define USE_BIO_1 1
331 #define USE_BIO_2 2
332
333 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
334
335 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
336 {
337 switch (type) {
338 case USE_NULL:
339 *res = NULL;
340 break;
341 case USE_BIO_1:
342 *res = bio1;
343 break;
344 case USE_BIO_2:
345 *res = bio2;
346 break;
347 }
348 }
349
350 static int test_ssl_set_bio(int idx)
351 {
352 SSL_CTX *ctx = SSL_CTX_new(TLS_method());
353 BIO *bio1 = NULL;
354 BIO *bio2 = NULL;
355 BIO *irbio, *iwbio, *nrbio, *nwbio;
356 SSL *ssl = NULL;
357 int initrbio, initwbio, newrbio, newwbio;
358 int testresult = 0;
359
360 if (ctx == NULL) {
361 printf("Failed to allocate SSL_CTX\n");
362 goto end;
363 }
364
365 ssl = SSL_new(ctx);
366 if (ssl == NULL) {
367 printf("Failed to allocate SSL object\n");
368 goto end;
369 }
370
371 initrbio = idx % 3;
372 idx /= 3;
373 initwbio = idx % 3;
374 idx /= 3;
375 newrbio = idx % 3;
376 idx /= 3;
377 newwbio = idx;
378 OPENSSL_assert(newwbio <= 2);
379
380 if (initrbio == USE_BIO_1 || initwbio == USE_BIO_1 || newrbio == USE_BIO_1
381 || newwbio == USE_BIO_1) {
382 bio1 = BIO_new(BIO_s_mem());
383 if (bio1 == NULL) {
384 printf("Failed to allocate bio1\n");
385 goto end;
386 }
387 }
388
389 if (initrbio == USE_BIO_2 || initwbio == USE_BIO_2 || newrbio == USE_BIO_2
390 || newwbio == USE_BIO_2) {
391 bio2 = BIO_new(BIO_s_mem());
392 if (bio2 == NULL) {
393 printf("Failed to allocate bio2\n");
394 goto end;
395 }
396 }
397
398 setupbio(&irbio, bio1, bio2, initrbio);
399 setupbio(&iwbio, bio1, bio2, initwbio);
400
401 /*
402 * We want to maintain our own refs to these BIO, so do an up ref for each
403 * BIO that will have ownersip transferred in the SSL_set_bio() call
404 */
405 if (irbio != NULL)
406 BIO_up_ref(irbio);
407 if (iwbio != NULL && iwbio != irbio)
408 BIO_up_ref(iwbio);
409
410 SSL_set_bio(ssl, irbio, iwbio);
411
412 setupbio(&nrbio, bio1, bio2, newrbio);
413 setupbio(&nwbio, bio1, bio2, newwbio);
414
415 /*
416 * We will (maybe) transfer ownership again so do more up refs.
417 * SSL_set_bio() has some really complicated ownership rules where BIOs have
418 * already been set!
419 */
420 if (nrbio != NULL && nrbio != irbio && (nwbio != iwbio || nrbio != nwbio))
421 BIO_up_ref(nrbio);
422 if (nwbio != NULL && nwbio != nrbio && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
423 BIO_up_ref(nwbio);
424
425 SSL_set_bio(ssl, nrbio, nwbio);
426
427 testresult = 1;
428
429 end:
430 SSL_free(ssl);
431 BIO_free(bio1);
432 BIO_free(bio2);
433 /*
434 * This test is checking that the ref counting for SSL_set_bio is correct.
435 * If we get here and we did too many frees then we will fail in the above
436 * functions. If we haven't done enough then this will only be detected in
437 * a crypto-mdebug build
438 */
439 SSL_CTX_free(ctx);
440
441 return testresult;
442 }
443
444 typedef struct ssl_bio_test_fixture {
445 const char *test_case_name;
446 int pop_ssl;
447 enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } change_bio;
448 } SSL_BIO_TEST_FIXTURE;
449
450 static SSL_BIO_TEST_FIXTURE ssl_bio_set_up(const char *const test_case_name)
451 {
452 SSL_BIO_TEST_FIXTURE fixture;
453
454 fixture.test_case_name = test_case_name;
455 fixture.pop_ssl = 0;
456
457 return fixture;
458 }
459
460 static void ssl_bio_tear_down(SSL_BIO_TEST_FIXTURE fixture)
461 {
462 }
463
464 static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix)
465 {
466 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
467 SSL_CTX *ctx = SSL_CTX_new(TLS_method());
468 SSL *ssl = NULL;
469 int testresult = 0;
470
471 if (ctx == NULL) {
472 printf("Failed to allocate SSL_CTX\n");
473 return 0;
474 }
475
476 ssl = SSL_new(ctx);
477 if (ssl == NULL) {
478 printf("Failed to allocate SSL object\n");
479 goto end;
480 }
481
482 sslbio = BIO_new(BIO_f_ssl());
483 membio1 = BIO_new(BIO_s_mem());
484
485 if (sslbio == NULL || membio1 == NULL) {
486 printf("Malloc failure creating BIOs\n");
487 goto end;
488 }
489
490 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
491
492 /*
493 * If anything goes wrong here then we could leak memory, so this will
494 * be caught in a crypto-mdebug build
495 */
496 BIO_push(sslbio, membio1);
497
498 /* Verify chaning the rbio/wbio directly does not cause leaks */
499 if (fix.change_bio != NO_BIO_CHANGE) {
500 membio2 = BIO_new(BIO_s_mem());
501 if (membio2 == NULL) {
502 printf("Malloc failure creating membio2\n");
503 goto end;
504 }
505 if (fix.change_bio == CHANGE_RBIO)
506 SSL_set_rbio(ssl, membio2);
507 else
508 SSL_set_wbio(ssl, membio2);
509 }
510 ssl = NULL;
511
512 if (fix.pop_ssl)
513 BIO_pop(sslbio);
514 else
515 BIO_pop(membio1);
516
517 testresult = 1;
518 end:
519 BIO_free(membio1);
520 BIO_free(sslbio);
521 SSL_free(ssl);
522 SSL_CTX_free(ctx);
523
524 return testresult;
525 }
526
527 static int test_ssl_bio_pop_next_bio(void)
528 {
529 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
530
531 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
532 }
533
534 static int test_ssl_bio_pop_ssl_bio(void)
535 {
536 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
537
538 fixture.pop_ssl = 1;
539
540 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
541 }
542
543 static int test_ssl_bio_change_rbio(void)
544 {
545 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
546
547 fixture.change_bio = CHANGE_RBIO;
548
549 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
550 }
551
552 static int test_ssl_bio_change_wbio(void)
553 {
554 SETUP_TEST_FIXTURE(SSL_BIO_TEST_FIXTURE, ssl_bio_set_up);
555
556 fixture.change_bio = CHANGE_WBIO;
557
558 EXECUTE_TEST(execute_test_ssl_bio, ssl_bio_tear_down);
559 }
560
561 int main(int argc, char *argv[])
562 {
563 BIO *err = NULL;
564 int testresult = 1;
565
566 if (argc != 3) {
567 printf("Invalid argument count\n");
568 return 1;
569 }
570
571 cert = argv[1];
572 privkey = argv[2];
573
574 err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
575
576 CRYPTO_set_mem_debug(1);
577 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
578
579 ADD_TEST(test_tlsext_status_type);
580 ADD_TEST(test_session_with_only_int_cache);
581 ADD_TEST(test_session_with_only_ext_cache);
582 ADD_TEST(test_session_with_both_cache);
583 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
584 ADD_TEST(test_ssl_bio_pop_next_bio);
585 ADD_TEST(test_ssl_bio_pop_ssl_bio);
586 ADD_TEST(test_ssl_bio_change_rbio);
587 ADD_TEST(test_ssl_bio_change_wbio);
588
589 testresult = run_tests(argv[0]);
590
591 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
592 if (CRYPTO_mem_leaks(err) <= 0)
593 testresult = 1;
594 #endif
595 BIO_free(err);
596
597 if (!testresult)
598 printf("PASS\n");
599
600 return testresult;
601 }
A mirror of the official openssl repository