#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/core_names.h>
+#include <openssl/core_dispatch.h>
#include <openssl/provider.h>
#include "ssltestlib.h"
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+/* Defined in filterprov.c */
+OSSL_provider_init_fn filter_provider_init;
+int filter_provider_set_filter(int operation, const char *name);
+
+/* Defined in tls-provider.c */
+int tls_provider_init(const OSSL_CORE_HANDLE *handle,
+ const OSSL_DISPATCH *in,
+ const OSSL_DISPATCH **out,
+ void **provctx);
DEFINE_STACK_OF(OCSP_RESPID)
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_NAME)
static char *certsdir = NULL;
static char *cert = NULL;
static char *privkey = NULL;
+static char *cert2 = NULL;
+static char *privkey2 = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
- && !defined(OPENSSL_NO_SOCK)
-
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
+ !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
+#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
return 1;
}
-static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
+static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
{
static char count = 1;
unsigned char cbuf[16000] = {0};
unsigned char sbuf[16000];
size_t err = 0;
- char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
- char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
+ char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
+ char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
cbuf[0] = count++;
- memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
+ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
+ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
+ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
goto end;
}
}
- memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
+ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
+ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
+ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
/* verify the payload */
if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
/* ktls is used then kernel sequences are used instead of OpenSSL sequences */
if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
- if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
+ crec_wseq_after, rec_seq_size))
goto end;
} else {
- if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
+ crec_wseq_after, rec_seq_size))
goto end;
}
if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
- if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
+ srec_wseq_after, rec_seq_size))
goto end;
} else {
- if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
+ srec_wseq_after, rec_seq_size))
goto end;
}
if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
- if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
+ crec_rseq_after, rec_seq_size))
goto end;
} else {
- if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
+ crec_rseq_after, rec_seq_size))
goto end;
}
if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
- if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
+ srec_rseq_after, rec_seq_size))
goto end;
} else {
- if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
- srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
+ if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
+ srec_rseq_after, rec_seq_size))
goto end;
}
}
static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
- int sis_ktls_tx, int sis_ktls_rx)
+ int sis_ktls_tx, int sis_ktls_rx,
+ int tls_version, const char *cipher,
+ int rec_seq_size)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
- TLS1_2_VERSION, TLS1_2_VERSION,
+ tls_version, tls_version,
&sctx, &cctx, cert, privkey))
- || !TEST_true(SSL_CTX_set_cipher_list(cctx,
- "AES128-GCM-SHA256"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
|| !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
&clientssl, sfd, cfd)))
goto end;
goto end;
}
- if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
+ if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
+ rec_seq_size)))
goto end;
testresult = 1;
#define SENDFILE_CHUNK (4 * 4096)
#define min(a,b) ((a) > (b) ? (b) : (a))
-static int test_ktls_sendfile(void)
+static int test_ktls_sendfile(int tls_version, const char *cipher)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
- TLS1_2_VERSION, TLS1_2_VERSION,
+ tls_version, tls_version,
&sctx, &cctx, cert, privkey))
- || !TEST_true(SSL_CTX_set_cipher_list(cctx,
- "AES128-GCM-SHA256"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
|| !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
&clientssl, sfd, cfd)))
goto end;
return testresult;
}
-static int test_ktls_no_txrx_client_no_txrx_server(void)
+static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
{
- return execute_test_ktls(0, 0, 0, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_rx_client_no_txrx_server(void)
+static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
{
- return execute_test_ktls(1, 0, 0, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_tx_client_no_txrx_server(void)
+static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
{
- return execute_test_ktls(0, 1, 0, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_client_no_txrx_server(void)
+static int test_ktls_client_no_txrx_server(int tlsver)
{
- return execute_test_ktls(1, 1, 0, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_txrx_client_no_rx_server(void)
+static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
{
- return execute_test_ktls(0, 0, 1, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_rx_client_no_rx_server(void)
+static int test_ktls_no_rx_client_no_rx_server(int tlsver)
{
- return execute_test_ktls(1, 0, 1, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_tx_client_no_rx_server(void)
+static int test_ktls_no_tx_client_no_rx_server(int tlsver)
{
- return execute_test_ktls(0, 1, 1, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_client_no_rx_server(void)
+static int test_ktls_client_no_rx_server(int tlsver)
{
- return execute_test_ktls(1, 1, 1, 0);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_txrx_client_no_tx_server(void)
+static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
{
- return execute_test_ktls(0, 0, 0, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_rx_client_no_tx_server(void)
+static int test_ktls_no_rx_client_no_tx_server(int tlsver)
{
- return execute_test_ktls(1, 0, 0, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_tx_client_no_tx_server(void)
+static int test_ktls_no_tx_client_no_tx_server(int tlsver)
{
- return execute_test_ktls(0, 1, 0, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_client_no_tx_server(void)
+static int test_ktls_client_no_tx_server(int tlsver)
{
- return execute_test_ktls(1, 1, 0, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_txrx_client_server(void)
+static int test_ktls_no_txrx_client_server(int tlsver)
{
- return execute_test_ktls(0, 0, 1, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_rx_client_server(void)
+static int test_ktls_no_rx_client_server(int tlsver)
{
- return execute_test_ktls(1, 0, 1, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_no_tx_client_server(void)
+static int test_ktls_no_tx_client_server(int tlsver)
{
- return execute_test_ktls(0, 1, 1, 1);
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
+}
+
+static int test_ktls_client_server(int tlsver)
+{
+ int testresult = 1;
+
+#ifdef OPENSSL_KTLS_AES_GCM_128
+ testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
+ "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_CCM_128
+ testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
+ "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+#endif
+#ifdef OPENSSL_KTLS_AES_GCM_256
+ testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
+ "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+#endif
+ return testresult;
}
-static int test_ktls_client_server(void)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+static int test_ktls(int test)
{
- return execute_test_ktls(1, 1, 1, 1);
+ int tlsver;
+
+ if (test > 15) {
+#if defined(OPENSSL_NO_TLS1_3)
+ return 1;
+#else
+ test -= 16;
+ tlsver = TLS1_3_VERSION;
+#endif
+ } else {
+#if defined(OPENSSL_NO_TLS1_2)
+ return 1;
+#else
+ tlsver = TLS1_2_VERSION;
+#endif
+ }
+
+ switch(test) {
+ case 0:
+ return test_ktls_no_txrx_client_no_txrx_server(tlsver);
+ case 1:
+ return test_ktls_no_rx_client_no_txrx_server(tlsver);
+ case 2:
+ return test_ktls_no_tx_client_no_txrx_server(tlsver);
+ case 3:
+ return test_ktls_client_no_txrx_server(tlsver);
+ case 4:
+ return test_ktls_no_txrx_client_no_rx_server(tlsver);
+ case 5:
+ return test_ktls_no_rx_client_no_rx_server(tlsver);
+ case 6:
+ return test_ktls_no_tx_client_no_rx_server(tlsver);
+ case 7:
+ return test_ktls_client_no_rx_server(tlsver);
+ case 8:
+ return test_ktls_no_txrx_client_no_tx_server(tlsver);
+ case 9:
+ return test_ktls_no_rx_client_no_tx_server(tlsver);
+ case 10:
+ return test_ktls_no_tx_client_no_tx_server(tlsver);
+ case 11:
+ return test_ktls_client_no_tx_server(tlsver);
+ case 12:
+ return test_ktls_no_txrx_client_server(tlsver);
+ case 13:
+ return test_ktls_no_rx_client_server(tlsver);
+ case 14:
+ return test_ktls_no_tx_client_server(tlsver);
+ case 15:
+ return test_ktls_client_server(tlsver);
+ default:
+ return 0;
+ }
+}
+
+static int test_ktls_sendfile_anytls(int tst)
+{
+ char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
+ int tlsver;
+
+ if (tst > 2) {
+#if defined(OPENSSL_NO_TLS1_3)
+ return 1;
+#else
+ tst -= 3;
+ tlsver = TLS1_3_VERSION;
+#endif
+ } else {
+#if defined(OPENSSL_NO_TLS1_2)
+ return 1;
+#else
+ tlsver = TLS1_2_VERSION;
+#endif
+ }
+
+#ifndef OPENSSL_KTLS_AES_GCM_128
+ if(tst == 0) return 1;
+#endif
+#ifndef OPENSSL_KTLS_AES_CCM_128
+ if(tst == 1) return 1;
+#endif
+#ifndef OPENSSL_KTLS_AES_GCM_256
+ if(tst == 2) return 1;
+#endif
+ return test_ktls_sendfile(tlsver, cipher[tst]);
}
+
+#endif
#endif
static int test_large_message_tls(void)
params[2] = OSSL_PARAM_construct_end();
if (aes128cbc == NULL
|| !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
- || !EVP_MAC_CTX_set_params(hctx, params)
+ || !EVP_MAC_set_ctx_params(hctx, params)
|| !EVP_MAC_init(hctx))
ret = -1;
else
return testresult;
}
+/*
+ * Test incorrect shutdown.
+ * Test 0: client does not shutdown properly,
+ * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
+ * server should get SSL_ERROR_SSL
+ * Test 1: client does not shutdown properly,
+ * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
+ * server should get SSL_ERROR_ZERO_RETURN
+ */
+static int test_incorrect_shutdown(int tst)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ char buf[80];
+ BIO *c2s;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (tst == 1)
+ SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ c2s = SSL_get_rbio(serverssl);
+ BIO_set_mem_eof_return(c2s, 0);
+
+ if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
+ goto end;
+
+ if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
+ goto end;
+ if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
/*
* Test bi-directional shutdown.
* Test 0: TLSv1.2
return testresult;
}
+#ifndef OPENSSL_NO_EC
+/*
+ * Test that if signature algorithms are not available, then we do not offer or
+ * accept them.
+ * Test 0: Two RSA sig algs available: both RSA sig algs shared
+ * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
+ * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
+ * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
+ * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
+ * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
+ */
+static int test_sigalgs_available(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
+ OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
+ OSSL_PROVIDER *filterprov = NULL;
+ int sig, hash;
+
+ if (!TEST_ptr(tmpctx))
+ goto end;
+
+ if (idx != 0 && idx != 3) {
+ if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
+ filter_provider_init)))
+ goto end;
+
+ filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
+ if (!TEST_ptr(filterprov))
+ goto end;
+
+ if (idx < 3) {
+ /*
+ * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
+ * or accepted for the peer that uses this libctx. Note that libssl
+ * *requires* SHA2-256 to be available so we cannot disable that. We
+ * also need SHA1 for our certificate.
+ */
+ if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
+ "SHA2-256:SHA1")))
+ goto end;
+ } else {
+ if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
+ "ECDSA"))
+ || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
+ "EC:X25519:X448")))
+ goto end;
+ }
+
+ if (idx == 1 || idx == 4)
+ clientctx = tmpctx;
+ else
+ serverctx = tmpctx;
+ }
+
+ cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
+ sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
+ if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
+ goto end;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(),
+ TLS1_VERSION,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (idx < 3) {
+ if (!SSL_CTX_set1_sigalgs_list(cctx,
+ "rsa_pss_rsae_sha384"
+ ":rsa_pss_rsae_sha256")
+ || !SSL_CTX_set1_sigalgs_list(sctx,
+ "rsa_pss_rsae_sha384"
+ ":rsa_pss_rsae_sha256"))
+ goto end;
+ } else {
+ if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
+ || !SSL_CTX_set1_sigalgs_list(sctx,
+ "rsa_pss_rsae_sha256:ECDSA+SHA256"))
+ goto end;
+ }
+
+ if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
+ privkey2,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
+ if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
+ NULL, NULL),
+ (idx == 0 || idx == 3) ? 2 : 1))
+ goto end;
+
+ if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
+ goto end;
+
+ if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
+ : NID_rsassaPss))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ OSSL_PROVIDER_unload(filterprov);
+ OPENSSL_CTX_free(tmpctx);
+
+ return testresult;
+}
+#endif /* OPENSSL_NO_EC */
+
+#ifndef OPENSSL_NO_TLS1_3
+static int test_pluggable_group(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
+
+ if (!TEST_ptr(tlsprov))
+ goto end;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(),
+ TLS1_3_VERSION,
+ TLS1_3_VERSION,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
+ || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ OSSL_PROVIDER_unload(tlsprov);
+
+ return testresult;
+}
+#endif
+
+#ifndef OPENSSL_NO_TLS1_2
+static int test_ssl_dup(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
+ int testresult = 0;
+ BIO *rbio = NULL, *wbio = NULL;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(),
+ 0,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
+ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
+ goto end;
+
+ client2ssl = SSL_dup(clientssl);
+ rbio = SSL_get_rbio(clientssl);
+ if (!TEST_ptr(rbio)
+ || !TEST_true(BIO_up_ref(rbio)))
+ goto end;
+ SSL_set0_rbio(client2ssl, rbio);
+ rbio = NULL;
+
+ wbio = SSL_get_wbio(clientssl);
+ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
+ goto end;
+ SSL_set0_wbio(client2ssl, wbio);
+ rbio = NULL;
+
+ if (!TEST_ptr(client2ssl)
+ /* Handshake not started so pointers should be different */
+ || !TEST_ptr_ne(clientssl, client2ssl))
+ goto end;
+
+ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
+ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_free(clientssl);
+ clientssl = SSL_dup(client2ssl);
+ if (!TEST_ptr(clientssl)
+ /* Handshake has finished so pointers should be the same */
+ || !TEST_ptr_eq(clientssl, client2ssl))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_free(client2ssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
int setup_tests(void)
if (strcmp(modulename, "fips") == 0)
is_fips = 1;
+ /*
+ * We add, but don't load the test "tls-provider". We'll load it when we
+ * need it.
+ */
+ if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
+ tls_provider_init)))
+ return 0;
+
+
if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
TEST_error("not supported in this build");
cert = test_mk_file_path(certsdir, "servercert.pem");
if (cert == NULL)
- return 0;
+ goto err;
privkey = test_mk_file_path(certsdir, "serverkey.pem");
- if (privkey == NULL) {
- OPENSSL_free(cert);
- return 0;
- }
+ if (privkey == NULL)
+ goto err;
+
+ cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
+ if (cert2 == NULL)
+ goto err;
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
- && !defined(OPENSSL_NO_SOCK)
- ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
- ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
- ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
- ADD_TEST(test_ktls_client_no_txrx_server);
- ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
- ADD_TEST(test_ktls_no_rx_client_no_rx_server);
- ADD_TEST(test_ktls_no_tx_client_no_rx_server);
- ADD_TEST(test_ktls_client_no_rx_server);
- ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
- ADD_TEST(test_ktls_no_rx_client_no_tx_server);
- ADD_TEST(test_ktls_no_tx_client_no_tx_server);
- ADD_TEST(test_ktls_client_no_tx_server);
- ADD_TEST(test_ktls_no_txrx_client_server);
- ADD_TEST(test_ktls_no_rx_client_server);
- ADD_TEST(test_ktls_no_tx_client_server);
- ADD_TEST(test_ktls_client_server);
- ADD_TEST(test_ktls_sendfile);
+ privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
+ if (privkey2 == NULL)
+ goto err;
+
+#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+ ADD_ALL_TESTS(test_ktls, 32);
+ ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
+#endif
#endif
ADD_TEST(test_large_message_tls);
ADD_TEST(test_large_message_tls_read_ahead);
ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
ADD_ALL_TESTS(test_ticket_callbacks, 16);
ADD_ALL_TESTS(test_shutdown, 7);
+ ADD_ALL_TESTS(test_incorrect_shutdown, 2);
ADD_ALL_TESTS(test_cert_cb, 6);
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
#endif
ADD_ALL_TESTS(test_servername, 10);
+#ifndef OPENSSL_NO_EC
+ ADD_ALL_TESTS(test_sigalgs_available, 6);
+#endif
+#ifndef OPENSSL_NO_TLS1_3
+ ADD_TEST(test_pluggable_group);
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+ ADD_TEST(test_ssl_dup);
+#endif
return 1;
+
+ err:
+ OPENSSL_free(cert);
+ OPENSSL_free(privkey);
+ OPENSSL_free(cert2);
+ OPENSSL_free(privkey2);
+ return 0;
}
void cleanup_tests(void)
{
OPENSSL_free(cert);
OPENSSL_free(privkey);
+ OPENSSL_free(cert2);
+ OPENSSL_free(privkey2);
bio_s_mempacket_test_free();
bio_s_always_retry_free();
OSSL_PROVIDER_unload(defctxnull);