]> git.ipfire.org Git - thirdparty/openssl.git/blame_incremental - test/sslapitest.c
projects / thirdparty / openssl.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Updated test command line parsing to support commmon commands
[thirdparty/openssl.git] / test / sslapitest.c
... / ...
CommitLineData
1/*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11
12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
16#include <openssl/ocsp.h>
17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
19#include <openssl/aes.h>
20
21#include "ssltestlib.h"
22#include "testutil.h"
23#include "testutil/output.h"
24#include "internal/nelem.h"
25#include "internal/ktls.h"
26#include "../ssl/ssl_locl.h"
27
28#ifndef OPENSSL_NO_TLS1_3
29
30static SSL_SESSION *clientpsk = NULL;
31static SSL_SESSION *serverpsk = NULL;
32static const char *pskid = "Identity";
33static const char *srvid;
34
35static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
39
40static int use_session_cb_cnt = 0;
41static int find_session_cb_cnt = 0;
42
43static SSL_SESSION *create_a_psk(SSL *ssl);
44#endif
45
46static char *cert = NULL;
47static char *privkey = NULL;
48static char *srpvfile = NULL;
49static char *tmpfilename = NULL;
50
51#define LOG_BUFFER_SIZE 2048
52static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53static size_t server_log_buffer_index = 0;
54static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55static size_t client_log_buffer_index = 0;
56static int error_writing_log = 0;
57
58#ifndef OPENSSL_NO_OCSP
59static const unsigned char orespder[] = "Dummy OCSP Response";
60static int ocsp_server_called = 0;
61static int ocsp_client_called = 0;
62
63static int cdummyarg = 1;
64static X509 *ocspcert = NULL;
65#endif
66
67#define NUM_EXTRA_CERTS 40
68#define CLIENT_VERSION_LEN 2
69
70/*
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
73 */
74struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
84};
85
86
87static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
91};
92
93static unsigned char serverinfov2[] = {
94 0x00, 0x00, 0x00,
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
99};
100
101static void client_keylog_callback(const SSL *ssl, const char *line)
102{
103 int line_length = strlen(line);
104
105 /* If the log doesn't fit, error out. */
106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
108 error_writing_log = 1;
109 return;
110 }
111
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
114 client_log_buffer[client_log_buffer_index++] = '\n';
115}
116
117static void server_keylog_callback(const SSL *ssl, const char *line)
118{
119 int line_length = strlen(line);
120
121 /* If the log doesn't fit, error out. */
122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
123 TEST_info("Server log too full");
124 error_writing_log = 1;
125 return;
126 }
127
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
130 server_log_buffer[server_log_buffer_index++] = '\n';
131}
132
133static int compare_hex_encoded_buffer(const char *hex_encoded,
134 size_t hex_length,
135 const uint8_t *raw,
136 size_t raw_length)
137{
138 size_t i, j;
139 char hexed[3];
140
141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
142 return 1;
143
144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
145 sprintf(hexed, "%02x", raw[i]);
146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
148 return 1;
149 }
150
151 return 0;
152}
153
154static int test_keylog_output(char *buffer, const SSL *ssl,
155 const SSL_SESSION *session,
156 struct sslapitest_log_counts *expected)
157{
158 char *token = NULL;
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
165 unsigned int client_early_secret_count = 0;
166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
170 unsigned int early_exporter_secret_count = 0;
171 unsigned int exporter_secret_count = 0;
172
173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
175 if (strcmp(token, "RSA") == 0) {
176 /*
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
178 * hex-encoded encrypted secret, then the hex-encoded pre-master
179 * secret.
180 */
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 return 0;
183 if (!TEST_size_t_eq(strlen(token), 16))
184 return 0;
185 if (!TEST_ptr(token = strtok(NULL, " \n")))
186 return 0;
187 /*
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
191 */
192 rsa_key_exchange_count++;
193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
194 /*
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
196 * client random, then the hex-encoded master secret.
197 */
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
200 SSL3_RANDOM_SIZE);
201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
202 return 0;
203
204 if (!TEST_ptr(token = strtok(NULL, " \n")))
205 return 0;
206 if (!TEST_size_t_eq(strlen(token), 64))
207 return 0;
208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
211 return 0;
212
213 if (!TEST_ptr(token = strtok(NULL, " \n")))
214 return 0;
215 master_key_size = SSL_SESSION_get_master_key(session,
216 actual_master_key,
217 master_key_size);
218 if (!TEST_size_t_ne(master_key_size, 0))
219 return 0;
220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
221 actual_master_key,
222 master_key_size)))
223 return 0;
224 master_secret_count++;
225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
231 || strcmp(token, "EXPORTER_SECRET") == 0) {
232 /*
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
237 */
238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
252
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
255 SSL3_RANDOM_SIZE);
256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
257 return 0;
258
259 if (!TEST_ptr(token = strtok(NULL, " \n")))
260 return 0;
261 if (!TEST_size_t_eq(strlen(token), 64))
262 return 0;
263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
266 return 0;
267
268 if (!TEST_ptr(token = strtok(NULL, " \n")))
269 return 0;
270
271 /*
272 * TODO(TLS1.3): test that application traffic secrets are what
273 * we expect */
274 } else {
275 TEST_info("Unexpected token %s\n", token);
276 return 0;
277 }
278 }
279
280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
294 expected->server_application_secret_count)
295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
299 return 0;
300 return 1;
301}
302
303#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
304static int test_keylog(void)
305{
306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
308 int testresult = 0;
309 struct sslapitest_log_counts expected = {0};
310
311 /* Clean up logging space */
312 memset(client_log_buffer, 0, sizeof(client_log_buffer));
313 memset(server_log_buffer, 0, sizeof(server_log_buffer));
314 client_log_buffer_index = 0;
315 server_log_buffer_index = 0;
316 error_writing_log = 0;
317
318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS_client_method(),
320 TLS1_VERSION, 0,
321 &sctx, &cctx, cert, privkey)))
322 return 0;
323
324 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
325 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
326 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327
328 /* We also want to ensure that we use RSA-based key exchange. */
329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
330 goto end;
331
332 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
333 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
334 goto end;
335 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
337 == client_keylog_callback))
338 goto end;
339 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
341 == server_keylog_callback))
342 goto end;
343
344 /* Now do a handshake and check that the logs have been written to. */
345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
346 &clientssl, NULL, NULL))
347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 SSL_ERROR_NONE))
349 || !TEST_false(error_writing_log)
350 || !TEST_int_gt(client_log_buffer_index, 0)
351 || !TEST_int_gt(server_log_buffer_index, 0))
352 goto end;
353
354 /*
355 * Now we want to test that our output data was vaguely sensible. We
356 * do that by using strtok and confirming that we have more or less the
357 * data we expect. For both client and server, we expect to see one master
358 * secret. The client should also see a RSA key exchange.
359 */
360 expected.rsa_key_exchange_count = 1;
361 expected.master_secret_count = 1;
362 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
363 SSL_get_session(clientssl), &expected)))
364 goto end;
365
366 expected.rsa_key_exchange_count = 0;
367 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
368 SSL_get_session(serverssl), &expected)))
369 goto end;
370
371 testresult = 1;
372
373end:
374 SSL_free(serverssl);
375 SSL_free(clientssl);
376 SSL_CTX_free(sctx);
377 SSL_CTX_free(cctx);
378
379 return testresult;
380}
381#endif
382
383#ifndef OPENSSL_NO_TLS1_3
384static int test_keylog_no_master_key(void)
385{
386 SSL_CTX *cctx = NULL, *sctx = NULL;
387 SSL *clientssl = NULL, *serverssl = NULL;
388 SSL_SESSION *sess = NULL;
389 int testresult = 0;
390 struct sslapitest_log_counts expected = {0};
391 unsigned char buf[1];
392 size_t readbytes, written;
393
394 /* Clean up logging space */
395 memset(client_log_buffer, 0, sizeof(client_log_buffer));
396 memset(server_log_buffer, 0, sizeof(server_log_buffer));
397 client_log_buffer_index = 0;
398 server_log_buffer_index = 0;
399 error_writing_log = 0;
400
401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
402 TLS1_VERSION, 0,
403 &sctx, &cctx, cert, privkey))
404 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
405 SSL3_RT_MAX_PLAIN_LENGTH)))
406 return 0;
407
408 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
409 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
410 goto end;
411
412 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
414 == client_keylog_callback))
415 goto end;
416
417 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
419 == server_keylog_callback))
420 goto end;
421
422 /* Now do a handshake and check that the logs have been written to. */
423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
424 &clientssl, NULL, NULL))
425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 SSL_ERROR_NONE))
427 || !TEST_false(error_writing_log))
428 goto end;
429
430 /*
431 * Now we want to test that our output data was vaguely sensible. For this
432 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
433 * TLSv1.3, but we do expect both client and server to emit keys.
434 */
435 expected.client_handshake_secret_count = 1;
436 expected.server_handshake_secret_count = 1;
437 expected.client_application_secret_count = 1;
438 expected.server_application_secret_count = 1;
439 expected.exporter_secret_count = 1;
440 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
441 SSL_get_session(clientssl), &expected))
442 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
443 SSL_get_session(serverssl),
444 &expected)))
445 goto end;
446
447 /* Terminate old session and resume with early data. */
448 sess = SSL_get1_session(clientssl);
449 SSL_shutdown(clientssl);
450 SSL_shutdown(serverssl);
451 SSL_free(serverssl);
452 SSL_free(clientssl);
453 serverssl = clientssl = NULL;
454
455 /* Reset key log */
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
460
461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_true(SSL_set_session(clientssl, sess))
464 /* Here writing 0 length early data is enough. */
465 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
466 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 &readbytes),
468 SSL_READ_EARLY_DATA_ERROR)
469 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
470 SSL_EARLY_DATA_ACCEPTED)
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_true(SSL_session_reused(clientssl)))
474 goto end;
475
476 /* In addition to the previous entries, expect early secrets. */
477 expected.client_early_secret_count = 1;
478 expected.early_exporter_secret_count = 1;
479 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
480 SSL_get_session(clientssl), &expected))
481 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
482 SSL_get_session(serverssl),
483 &expected)))
484 goto end;
485
486 testresult = 1;
487
488end:
489 SSL_SESSION_free(sess);
490 SSL_free(serverssl);
491 SSL_free(clientssl);
492 SSL_CTX_free(sctx);
493 SSL_CTX_free(cctx);
494
495 return testresult;
496}
497#endif
498
499#ifndef OPENSSL_NO_TLS1_2
500static int full_client_hello_callback(SSL *s, int *al, void *arg)
501{
502 int *ctr = arg;
503 const unsigned char *p;
504 int *exts;
505 /* We only configure two ciphers, but the SCSV is added automatically. */
506#ifdef OPENSSL_NO_EC
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508#else
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
510 0x2c, 0x00, 0xff};
511#endif
512 const int expected_extensions[] = {
513#ifndef OPENSSL_NO_EC
514 11, 10,
515#endif
516 35, 22, 23, 13};
517 size_t len;
518
519 /* Make sure we can defer processing and get called back. */
520 if ((*ctr)++ == 0)
521 return SSL_CLIENT_HELLO_RETRY;
522
523 len = SSL_client_hello_get0_ciphers(s, &p);
524 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
525 || !TEST_size_t_eq(
526 SSL_client_hello_get0_compression_methods(s, &p), 1)
527 || !TEST_int_eq(*p, 0))
528 return SSL_CLIENT_HELLO_ERROR;
529 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
530 return SSL_CLIENT_HELLO_ERROR;
531 if (len != OSSL_NELEM(expected_extensions) ||
532 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
533 printf("ClientHello callback expected extensions mismatch\n");
534 OPENSSL_free(exts);
535 return SSL_CLIENT_HELLO_ERROR;
536 }
537 OPENSSL_free(exts);
538 return SSL_CLIENT_HELLO_SUCCESS;
539}
540
541static int test_client_hello_cb(void)
542{
543 SSL_CTX *cctx = NULL, *sctx = NULL;
544 SSL *clientssl = NULL, *serverssl = NULL;
545 int testctr = 0, testresult = 0;
546
547 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
548 TLS1_VERSION, 0,
549 &sctx, &cctx, cert, privkey)))
550 goto end;
551 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
552
553 /* The gimpy cipher list we configure can't do TLS 1.3. */
554 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
555
556 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
557 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
559 &clientssl, NULL, NULL))
560 || !TEST_false(create_ssl_connection(serverssl, clientssl,
561 SSL_ERROR_WANT_CLIENT_HELLO_CB))
562 /*
563 * Passing a -1 literal is a hack since
564 * the real value was lost.
565 * */
566 || !TEST_int_eq(SSL_get_error(serverssl, -1),
567 SSL_ERROR_WANT_CLIENT_HELLO_CB)
568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
569 SSL_ERROR_NONE)))
570 goto end;
571
572 testresult = 1;
573
574end:
575 SSL_free(serverssl);
576 SSL_free(clientssl);
577 SSL_CTX_free(sctx);
578 SSL_CTX_free(cctx);
579
580 return testresult;
581}
582#endif
583
584static int execute_test_large_message(const SSL_METHOD *smeth,
585 const SSL_METHOD *cmeth,
586 int min_version, int max_version,
587 int read_ahead)
588{
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
591 int testresult = 0;
592 int i;
593 BIO *certbio = NULL;
594 X509 *chaincert = NULL;
595 int certlen;
596
597 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
598 goto end;
599 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
600 BIO_free(certbio);
601 certbio = NULL;
602 if (!TEST_ptr(chaincert))
603 goto end;
604
605 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
606 &sctx, &cctx, cert, privkey)))
607 goto end;
608
609 if (read_ahead) {
610 /*
611 * Test that read_ahead works correctly when dealing with large
612 * records
613 */
614 SSL_CTX_set_read_ahead(cctx, 1);
615 }
616
617 /*
618 * We assume the supplied certificate is big enough so that if we add
619 * NUM_EXTRA_CERTS it will make the overall message large enough. The
620 * default buffer size is requested to be 16k, but due to the way BUF_MEM
621 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
622 * test we need to have a message larger than that.
623 */
624 certlen = i2d_X509(chaincert, NULL);
625 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
626 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
627 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
628 if (!X509_up_ref(chaincert))
629 goto end;
630 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
631 X509_free(chaincert);
632 goto end;
633 }
634 }
635
636 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
637 NULL, NULL))
638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
639 SSL_ERROR_NONE)))
640 goto end;
641
642 /*
643 * Calling SSL_clear() first is not required but this tests that SSL_clear()
644 * doesn't leak (when using enable-crypto-mdebug).
645 */
646 if (!TEST_true(SSL_clear(serverssl)))
647 goto end;
648
649 testresult = 1;
650 end:
651 X509_free(chaincert);
652 SSL_free(serverssl);
653 SSL_free(clientssl);
654 SSL_CTX_free(sctx);
655 SSL_CTX_free(cctx);
656
657 return testresult;
658}
659
660#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
661 && !defined(OPENSSL_NO_SOCK)
662
663/* sock must be connected */
664static int ktls_chk_platform(int sock)
665{
666 if (!ktls_enable(sock))
667 return 0;
668 return 1;
669}
670
671static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
672{
673 static char count = 1;
674 unsigned char cbuf[16000] = {0};
675 unsigned char sbuf[16000];
676 size_t err = 0;
677 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
678 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
679 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
680 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
681 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
682 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
683
684 cbuf[0] = count++;
685 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
686 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
687 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
688 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
689 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
690 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
691
692 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
693 goto end;
694
695 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
696 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
697 goto end;
698 }
699 }
700
701 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
702 goto end;
703
704 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
705 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
706 goto end;
707 }
708 }
709
710 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
711 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
712 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
713 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
714 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
715 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
716
717 /* verify the payload */
718 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
719 goto end;
720
721 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
722 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
723 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
724 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
725 goto end;
726 } else {
727 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
728 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
729 goto end;
730 }
731
732 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
733 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
734 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
735 goto end;
736 } else {
737 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
738 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
739 goto end;
740 }
741
742 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
743 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
744 goto end;
745
746 return 1;
747end:
748 return 0;
749}
750
751static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
752{
753 SSL_CTX *cctx = NULL, *sctx = NULL;
754 SSL *clientssl = NULL, *serverssl = NULL;
755 int testresult = 0;
756 int cfd, sfd;
757
758 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
759 goto end;
760
761 /* Skip this test if the platform does not support ktls */
762 if (!ktls_chk_platform(cfd))
763 return 1;
764
765 /* Create a session based on SHA-256 */
766 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
767 TLS_client_method(),
768 TLS1_2_VERSION, TLS1_2_VERSION,
769 &sctx, &cctx, cert, privkey))
770 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
771 "AES128-GCM-SHA256"))
772 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
773 &clientssl, sfd, cfd)))
774 goto end;
775
776 if (!cis_ktls_tx) {
777 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
778 goto end;
779 }
780
781 if (!sis_ktls_tx) {
782 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
783 goto end;
784 }
785
786 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
787 SSL_ERROR_NONE)))
788 goto end;
789
790 if (!cis_ktls_tx) {
791 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
792 goto end;
793 } else {
794 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
795 goto end;
796 }
797
798 if (!sis_ktls_tx) {
799 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
800 goto end;
801 } else {
802 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
803 goto end;
804 }
805
806 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
807 goto end;
808
809 testresult = 1;
810end:
811 if (clientssl) {
812 SSL_shutdown(clientssl);
813 SSL_free(clientssl);
814 }
815 if (serverssl) {
816 SSL_shutdown(serverssl);
817 SSL_free(serverssl);
818 }
819 SSL_CTX_free(sctx);
820 SSL_CTX_free(cctx);
821 serverssl = clientssl = NULL;
822 return testresult;
823}
824
825static int test_ktls_client_server(void)
826{
827 return execute_test_ktls(1, 1);
828}
829
830static int test_ktls_no_client_server(void)
831{
832 return execute_test_ktls(0, 1);
833}
834
835static int test_ktls_client_no_server(void)
836{
837 return execute_test_ktls(1, 0);
838}
839
840static int test_ktls_no_client_no_server(void)
841{
842 return execute_test_ktls(0, 0);
843}
844
845#endif
846
847static int test_large_message_tls(void)
848{
849 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
850 TLS1_VERSION, 0, 0);
851}
852
853static int test_large_message_tls_read_ahead(void)
854{
855 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
856 TLS1_VERSION, 0, 1);
857}
858
859#ifndef OPENSSL_NO_DTLS
860static int test_large_message_dtls(void)
861{
862 /*
863 * read_ahead is not relevant to DTLS because DTLS always acts as if
864 * read_ahead is set.
865 */
866 return execute_test_large_message(DTLS_server_method(),
867 DTLS_client_method(),
868 DTLS1_VERSION, 0, 0);
869}
870#endif
871
872#ifndef OPENSSL_NO_OCSP
873static int ocsp_server_cb(SSL *s, void *arg)
874{
875 int *argi = (int *)arg;
876 unsigned char *copy = NULL;
877 STACK_OF(OCSP_RESPID) *ids = NULL;
878 OCSP_RESPID *id = NULL;
879
880 if (*argi == 2) {
881 /* In this test we are expecting exactly 1 OCSP_RESPID */
882 SSL_get_tlsext_status_ids(s, &ids);
883 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
884 return SSL_TLSEXT_ERR_ALERT_FATAL;
885
886 id = sk_OCSP_RESPID_value(ids, 0);
887 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
888 return SSL_TLSEXT_ERR_ALERT_FATAL;
889 } else if (*argi != 1) {
890 return SSL_TLSEXT_ERR_ALERT_FATAL;
891 }
892
893 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
894 return SSL_TLSEXT_ERR_ALERT_FATAL;
895
896 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
897 ocsp_server_called = 1;
898 return SSL_TLSEXT_ERR_OK;
899}
900
901static int ocsp_client_cb(SSL *s, void *arg)
902{
903 int *argi = (int *)arg;
904 const unsigned char *respderin;
905 size_t len;
906
907 if (*argi != 1 && *argi != 2)
908 return 0;
909
910 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
911 if (!TEST_mem_eq(orespder, len, respderin, len))
912 return 0;
913
914 ocsp_client_called = 1;
915 return 1;
916}
917
918static int test_tlsext_status_type(void)
919{
920 SSL_CTX *cctx = NULL, *sctx = NULL;
921 SSL *clientssl = NULL, *serverssl = NULL;
922 int testresult = 0;
923 STACK_OF(OCSP_RESPID) *ids = NULL;
924 OCSP_RESPID *id = NULL;
925 BIO *certbio = NULL;
926
927 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
928 TLS1_VERSION, 0,
929 &sctx, &cctx, cert, privkey))
930 return 0;
931
932 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
933 goto end;
934
935 /* First just do various checks getting and setting tlsext_status_type */
936
937 clientssl = SSL_new(cctx);
938 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
939 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
940 TLSEXT_STATUSTYPE_ocsp))
941 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
942 TLSEXT_STATUSTYPE_ocsp))
943 goto end;
944
945 SSL_free(clientssl);
946 clientssl = NULL;
947
948 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
949 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
950 goto end;
951
952 clientssl = SSL_new(cctx);
953 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
954 goto end;
955 SSL_free(clientssl);
956 clientssl = NULL;
957
958 /*
959 * Now actually do a handshake and check OCSP information is exchanged and
960 * the callbacks get called
961 */
962 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
963 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
964 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
965 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
967 &clientssl, NULL, NULL))
968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
969 SSL_ERROR_NONE))
970 || !TEST_true(ocsp_client_called)
971 || !TEST_true(ocsp_server_called))
972 goto end;
973 SSL_free(serverssl);
974 SSL_free(clientssl);
975 serverssl = NULL;
976 clientssl = NULL;
977
978 /* Try again but this time force the server side callback to fail */
979 ocsp_client_called = 0;
980 ocsp_server_called = 0;
981 cdummyarg = 0;
982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
983 &clientssl, NULL, NULL))
984 /* This should fail because the callback will fail */
985 || !TEST_false(create_ssl_connection(serverssl, clientssl,
986 SSL_ERROR_NONE))
987 || !TEST_false(ocsp_client_called)
988 || !TEST_false(ocsp_server_called))
989 goto end;
990 SSL_free(serverssl);
991 SSL_free(clientssl);
992 serverssl = NULL;
993 clientssl = NULL;
994
995 /*
996 * This time we'll get the client to send an OCSP_RESPID that it will
997 * accept.
998 */
999 ocsp_client_called = 0;
1000 ocsp_server_called = 0;
1001 cdummyarg = 2;
1002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1003 &clientssl, NULL, NULL)))
1004 goto end;
1005
1006 /*
1007 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1008 * specific one. We'll use the server cert.
1009 */
1010 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1011 || !TEST_ptr(id = OCSP_RESPID_new())
1012 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1013 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1014 NULL, NULL, NULL))
1015 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1016 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1017 goto end;
1018 id = NULL;
1019 SSL_set_tlsext_status_ids(clientssl, ids);
1020 /* Control has been transferred */
1021 ids = NULL;
1022
1023 BIO_free(certbio);
1024 certbio = NULL;
1025
1026 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1027 SSL_ERROR_NONE))
1028 || !TEST_true(ocsp_client_called)
1029 || !TEST_true(ocsp_server_called))
1030 goto end;
1031
1032 testresult = 1;
1033
1034 end:
1035 SSL_free(serverssl);
1036 SSL_free(clientssl);
1037 SSL_CTX_free(sctx);
1038 SSL_CTX_free(cctx);
1039 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1040 OCSP_RESPID_free(id);
1041 BIO_free(certbio);
1042 X509_free(ocspcert);
1043 ocspcert = NULL;
1044
1045 return testresult;
1046}
1047#endif
1048
1049#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1050static int new_called, remove_called, get_called;
1051
1052static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1053{
1054 new_called++;
1055 /*
1056 * sess has been up-refed for us, but we don't actually need it so free it
1057 * immediately.
1058 */
1059 SSL_SESSION_free(sess);
1060 return 1;
1061}
1062
1063static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1064{
1065 remove_called++;
1066}
1067
1068static SSL_SESSION *get_sess_val = NULL;
1069
1070static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1071 int *copy)
1072{
1073 get_called++;
1074 *copy = 1;
1075 return get_sess_val;
1076}
1077
1078static int execute_test_session(int maxprot, int use_int_cache,
1079 int use_ext_cache)
1080{
1081 SSL_CTX *sctx = NULL, *cctx = NULL;
1082 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1083 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1084# ifndef OPENSSL_NO_TLS1_1
1085 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1086# endif
1087 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1088 int testresult = 0, numnewsesstick = 1;
1089
1090 new_called = remove_called = 0;
1091
1092 /* TLSv1.3 sends 2 NewSessionTickets */
1093 if (maxprot == TLS1_3_VERSION)
1094 numnewsesstick = 2;
1095
1096 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1097 TLS1_VERSION, 0,
1098 &sctx, &cctx, cert, privkey)))
1099 return 0;
1100
1101 /*
1102 * Only allow the max protocol version so we can force a connection failure
1103 * later
1104 */
1105 SSL_CTX_set_min_proto_version(cctx, maxprot);
1106 SSL_CTX_set_max_proto_version(cctx, maxprot);
1107
1108 /* Set up session cache */
1109 if (use_ext_cache) {
1110 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1111 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1112 }
1113 if (use_int_cache) {
1114 /* Also covers instance where both are set */
1115 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1116 } else {
1117 SSL_CTX_set_session_cache_mode(cctx,
1118 SSL_SESS_CACHE_CLIENT
1119 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1120 }
1121
1122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1123 NULL, NULL))
1124 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1125 SSL_ERROR_NONE))
1126 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1127 goto end;
1128
1129 /* Should fail because it should already be in the cache */
1130 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1131 goto end;
1132 if (use_ext_cache
1133 && (!TEST_int_eq(new_called, numnewsesstick)
1134
1135 || !TEST_int_eq(remove_called, 0)))
1136 goto end;
1137
1138 new_called = remove_called = 0;
1139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1140 &clientssl2, NULL, NULL))
1141 || !TEST_true(SSL_set_session(clientssl2, sess1))
1142 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1143 SSL_ERROR_NONE))
1144 || !TEST_true(SSL_session_reused(clientssl2)))
1145 goto end;
1146
1147 if (maxprot == TLS1_3_VERSION) {
1148 /*
1149 * In TLSv1.3 we should have created a new session even though we have
1150 * resumed. Since we attempted a resume we should also have removed the
1151 * old ticket from the cache so that we try to only use tickets once.
1152 */
1153 if (use_ext_cache
1154 && (!TEST_int_eq(new_called, 1)
1155 || !TEST_int_eq(remove_called, 1)))
1156 goto end;
1157 } else {
1158 /*
1159 * In TLSv1.2 we expect to have resumed so no sessions added or
1160 * removed.
1161 */
1162 if (use_ext_cache
1163 && (!TEST_int_eq(new_called, 0)
1164 || !TEST_int_eq(remove_called, 0)))
1165 goto end;
1166 }
1167
1168 SSL_SESSION_free(sess1);
1169 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1170 goto end;
1171 shutdown_ssl_connection(serverssl2, clientssl2);
1172 serverssl2 = clientssl2 = NULL;
1173
1174 new_called = remove_called = 0;
1175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1176 &clientssl2, NULL, NULL))
1177 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1178 SSL_ERROR_NONE)))
1179 goto end;
1180
1181 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1182 goto end;
1183
1184 if (use_ext_cache
1185 && (!TEST_int_eq(new_called, numnewsesstick)
1186 || !TEST_int_eq(remove_called, 0)))
1187 goto end;
1188
1189 new_called = remove_called = 0;
1190 /*
1191 * This should clear sess2 from the cache because it is a "bad" session.
1192 * See SSL_set_session() documentation.
1193 */
1194 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1195 goto end;
1196 if (use_ext_cache
1197 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1198 goto end;
1199 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1200 goto end;
1201
1202 if (use_int_cache) {
1203 /* Should succeeded because it should not already be in the cache */
1204 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1205 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1206 goto end;
1207 }
1208
1209 new_called = remove_called = 0;
1210 /* This shouldn't be in the cache so should fail */
1211 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1212 goto end;
1213
1214 if (use_ext_cache
1215 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1216 goto end;
1217
1218# if !defined(OPENSSL_NO_TLS1_1)
1219 new_called = remove_called = 0;
1220 /* Force a connection failure */
1221 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1223 &clientssl3, NULL, NULL))
1224 || !TEST_true(SSL_set_session(clientssl3, sess1))
1225 /* This should fail because of the mismatched protocol versions */
1226 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1227 SSL_ERROR_NONE)))
1228 goto end;
1229
1230 /* We should have automatically removed the session from the cache */
1231 if (use_ext_cache
1232 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1233 goto end;
1234
1235 /* Should succeed because it should not already be in the cache */
1236 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1237 goto end;
1238# endif
1239
1240 /* Now do some tests for server side caching */
1241 if (use_ext_cache) {
1242 SSL_CTX_sess_set_new_cb(cctx, NULL);
1243 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1244 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1245 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1246 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1247 get_sess_val = NULL;
1248 }
1249
1250 SSL_CTX_set_session_cache_mode(cctx, 0);
1251 /* Internal caching is the default on the server side */
1252 if (!use_int_cache)
1253 SSL_CTX_set_session_cache_mode(sctx,
1254 SSL_SESS_CACHE_SERVER
1255 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1256
1257 SSL_free(serverssl1);
1258 SSL_free(clientssl1);
1259 serverssl1 = clientssl1 = NULL;
1260 SSL_free(serverssl2);
1261 SSL_free(clientssl2);
1262 serverssl2 = clientssl2 = NULL;
1263 SSL_SESSION_free(sess1);
1264 sess1 = NULL;
1265 SSL_SESSION_free(sess2);
1266 sess2 = NULL;
1267
1268 SSL_CTX_set_max_proto_version(sctx, maxprot);
1269 if (maxprot == TLS1_2_VERSION)
1270 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1271 new_called = remove_called = get_called = 0;
1272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1273 NULL, NULL))
1274 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1275 SSL_ERROR_NONE))
1276 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1277 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1278 goto end;
1279
1280 if (use_int_cache) {
1281 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1282 /*
1283 * In TLSv1.3 it should not have been added to the internal cache,
1284 * except in the case where we also have an external cache (in that
1285 * case it gets added to the cache in order to generate remove
1286 * events after timeout).
1287 */
1288 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1289 goto end;
1290 } else {
1291 /* Should fail because it should already be in the cache */
1292 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1293 goto end;
1294 }
1295 }
1296
1297 if (use_ext_cache) {
1298 SSL_SESSION *tmp = sess2;
1299
1300 if (!TEST_int_eq(new_called, numnewsesstick)
1301 || !TEST_int_eq(remove_called, 0)
1302 || !TEST_int_eq(get_called, 0))
1303 goto end;
1304 /*
1305 * Delete the session from the internal cache to force a lookup from
1306 * the external cache. We take a copy first because
1307 * SSL_CTX_remove_session() also marks the session as non-resumable.
1308 */
1309 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1310 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1311 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1312 goto end;
1313 SSL_SESSION_free(sess2);
1314 }
1315 sess2 = tmp;
1316 }
1317
1318 new_called = remove_called = get_called = 0;
1319 get_sess_val = sess2;
1320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1321 &clientssl2, NULL, NULL))
1322 || !TEST_true(SSL_set_session(clientssl2, sess1))
1323 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1324 SSL_ERROR_NONE))
1325 || !TEST_true(SSL_session_reused(clientssl2)))
1326 goto end;
1327
1328 if (use_ext_cache) {
1329 if (!TEST_int_eq(remove_called, 0))
1330 goto end;
1331
1332 if (maxprot == TLS1_3_VERSION) {
1333 if (!TEST_int_eq(new_called, 1)
1334 || !TEST_int_eq(get_called, 0))
1335 goto end;
1336 } else {
1337 if (!TEST_int_eq(new_called, 0)
1338 || !TEST_int_eq(get_called, 1))
1339 goto end;
1340 }
1341 }
1342
1343 testresult = 1;
1344
1345 end:
1346 SSL_free(serverssl1);
1347 SSL_free(clientssl1);
1348 SSL_free(serverssl2);
1349 SSL_free(clientssl2);
1350# ifndef OPENSSL_NO_TLS1_1
1351 SSL_free(serverssl3);
1352 SSL_free(clientssl3);
1353# endif
1354 SSL_SESSION_free(sess1);
1355 SSL_SESSION_free(sess2);
1356 SSL_CTX_free(sctx);
1357 SSL_CTX_free(cctx);
1358
1359 return testresult;
1360}
1361#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1362
1363static int test_session_with_only_int_cache(void)
1364{
1365#ifndef OPENSSL_NO_TLS1_3
1366 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1367 return 0;
1368#endif
1369
1370#ifndef OPENSSL_NO_TLS1_2
1371 return execute_test_session(TLS1_2_VERSION, 1, 0);
1372#else
1373 return 1;
1374#endif
1375}
1376
1377static int test_session_with_only_ext_cache(void)
1378{
1379#ifndef OPENSSL_NO_TLS1_3
1380 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1381 return 0;
1382#endif
1383
1384#ifndef OPENSSL_NO_TLS1_2
1385 return execute_test_session(TLS1_2_VERSION, 0, 1);
1386#else
1387 return 1;
1388#endif
1389}
1390
1391static int test_session_with_both_cache(void)
1392{
1393#ifndef OPENSSL_NO_TLS1_3
1394 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1395 return 0;
1396#endif
1397
1398#ifndef OPENSSL_NO_TLS1_2
1399 return execute_test_session(TLS1_2_VERSION, 1, 1);
1400#else
1401 return 1;
1402#endif
1403}
1404
1405#ifndef OPENSSL_NO_TLS1_3
1406static SSL_SESSION *sesscache[6];
1407static int do_cache;
1408
1409static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1410{
1411 if (do_cache) {
1412 sesscache[new_called] = sess;
1413 } else {
1414 /* We don't need the reference to the session, so free it */
1415 SSL_SESSION_free(sess);
1416 }
1417 new_called++;
1418
1419 return 1;
1420}
1421
1422static int post_handshake_verify(SSL *sssl, SSL *cssl)
1423{
1424 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1425 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1426 return 0;
1427
1428 /* Start handshake on the server and client */
1429 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1430 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1431 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1432 || !TEST_true(create_ssl_connection(sssl, cssl,
1433 SSL_ERROR_NONE)))
1434 return 0;
1435
1436 return 1;
1437}
1438
1439static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1440 SSL_CTX **cctx)
1441{
1442 int sess_id_ctx = 1;
1443
1444 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1445 TLS1_VERSION, 0, sctx,
1446 cctx, cert, privkey))
1447 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1448 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1449 (void *)&sess_id_ctx,
1450 sizeof(sess_id_ctx))))
1451 return 0;
1452
1453 if (stateful)
1454 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1455
1456 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1457 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1458 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1459
1460 return 1;
1461}
1462
1463static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1464{
1465 SSL *serverssl = NULL, *clientssl = NULL;
1466 int i;
1467
1468 /* Test that we can resume with all the tickets we got given */
1469 for (i = 0; i < idx * 2; i++) {
1470 new_called = 0;
1471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1472 &clientssl, NULL, NULL))
1473 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1474 goto end;
1475
1476 SSL_set_post_handshake_auth(clientssl, 1);
1477
1478 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1479 SSL_ERROR_NONE)))
1480 goto end;
1481
1482 /*
1483 * Following a successful resumption we only get 1 ticket. After a
1484 * failed one we should get idx tickets.
1485 */
1486 if (succ) {
1487 if (!TEST_true(SSL_session_reused(clientssl))
1488 || !TEST_int_eq(new_called, 1))
1489 goto end;
1490 } else {
1491 if (!TEST_false(SSL_session_reused(clientssl))
1492 || !TEST_int_eq(new_called, idx))
1493 goto end;
1494 }
1495
1496 new_called = 0;
1497 /* After a post-handshake authentication we should get 1 new ticket */
1498 if (succ
1499 && (!post_handshake_verify(serverssl, clientssl)
1500 || !TEST_int_eq(new_called, 1)))
1501 goto end;
1502
1503 SSL_shutdown(clientssl);
1504 SSL_shutdown(serverssl);
1505 SSL_free(serverssl);
1506 SSL_free(clientssl);
1507 serverssl = clientssl = NULL;
1508 SSL_SESSION_free(sesscache[i]);
1509 sesscache[i] = NULL;
1510 }
1511
1512 return 1;
1513
1514 end:
1515 SSL_free(clientssl);
1516 SSL_free(serverssl);
1517 return 0;
1518}
1519
1520static int test_tickets(int stateful, int idx)
1521{
1522 SSL_CTX *sctx = NULL, *cctx = NULL;
1523 SSL *serverssl = NULL, *clientssl = NULL;
1524 int testresult = 0;
1525 size_t j;
1526
1527 /* idx is the test number, but also the number of tickets we want */
1528
1529 new_called = 0;
1530 do_cache = 1;
1531
1532 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1533 goto end;
1534
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1536 &clientssl, NULL, NULL)))
1537 goto end;
1538
1539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1540 SSL_ERROR_NONE))
1541 /* Check we got the number of tickets we were expecting */
1542 || !TEST_int_eq(idx, new_called))
1543 goto end;
1544
1545 SSL_shutdown(clientssl);
1546 SSL_shutdown(serverssl);
1547 SSL_free(serverssl);
1548 SSL_free(clientssl);
1549 SSL_CTX_free(sctx);
1550 SSL_CTX_free(cctx);
1551 clientssl = serverssl = NULL;
1552 sctx = cctx = NULL;
1553
1554 /*
1555 * Now we try to resume with the tickets we previously created. The
1556 * resumption attempt is expected to fail (because we're now using a new
1557 * SSL_CTX). We should see idx number of tickets issued again.
1558 */
1559
1560 /* Stop caching sessions - just count them */
1561 do_cache = 0;
1562
1563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1564 goto end;
1565
1566 if (!check_resumption(idx, sctx, cctx, 0))
1567 goto end;
1568
1569 /* Start again with caching sessions */
1570 new_called = 0;
1571 do_cache = 1;
1572 SSL_CTX_free(sctx);
1573 SSL_CTX_free(cctx);
1574 sctx = cctx = NULL;
1575
1576 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1577 goto end;
1578
1579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1580 &clientssl, NULL, NULL)))
1581 goto end;
1582
1583 SSL_set_post_handshake_auth(clientssl, 1);
1584
1585 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1586 SSL_ERROR_NONE))
1587 /* Check we got the number of tickets we were expecting */
1588 || !TEST_int_eq(idx, new_called))
1589 goto end;
1590
1591 /* After a post-handshake authentication we should get new tickets issued */
1592 if (!post_handshake_verify(serverssl, clientssl)
1593 || !TEST_int_eq(idx * 2, new_called))
1594 goto end;
1595
1596 SSL_shutdown(clientssl);
1597 SSL_shutdown(serverssl);
1598 SSL_free(serverssl);
1599 SSL_free(clientssl);
1600 serverssl = clientssl = NULL;
1601
1602 /* Stop caching sessions - just count them */
1603 do_cache = 0;
1604
1605 /*
1606 * Check we can resume with all the tickets we created. This time around the
1607 * resumptions should all be successful.
1608 */
1609 if (!check_resumption(idx, sctx, cctx, 1))
1610 goto end;
1611
1612 testresult = 1;
1613
1614 end:
1615 SSL_free(serverssl);
1616 SSL_free(clientssl);
1617 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1618 SSL_SESSION_free(sesscache[j]);
1619 sesscache[j] = NULL;
1620 }
1621 SSL_CTX_free(sctx);
1622 SSL_CTX_free(cctx);
1623
1624 return testresult;
1625}
1626
1627static int test_stateless_tickets(int idx)
1628{
1629 return test_tickets(0, idx);
1630}
1631
1632static int test_stateful_tickets(int idx)
1633{
1634 return test_tickets(1, idx);
1635}
1636
1637static int test_psk_tickets(void)
1638{
1639 SSL_CTX *sctx = NULL, *cctx = NULL;
1640 SSL *serverssl = NULL, *clientssl = NULL;
1641 int testresult = 0;
1642 int sess_id_ctx = 1;
1643
1644 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1645 TLS1_VERSION, 0, &sctx,
1646 &cctx, NULL, NULL))
1647 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1648 (void *)&sess_id_ctx,
1649 sizeof(sess_id_ctx))))
1650 goto end;
1651
1652 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1654 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1655 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1656 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1657 use_session_cb_cnt = 0;
1658 find_session_cb_cnt = 0;
1659 srvid = pskid;
1660 new_called = 0;
1661
1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1663 NULL, NULL)))
1664 goto end;
1665 clientpsk = serverpsk = create_a_psk(clientssl);
1666 if (!TEST_ptr(clientpsk))
1667 goto end;
1668 SSL_SESSION_up_ref(clientpsk);
1669
1670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1671 SSL_ERROR_NONE))
1672 || !TEST_int_eq(1, find_session_cb_cnt)
1673 || !TEST_int_eq(1, use_session_cb_cnt)
1674 /* We should always get 1 ticket when using external PSK */
1675 || !TEST_int_eq(1, new_called))
1676 goto end;
1677
1678 testresult = 1;
1679
1680 end:
1681 SSL_free(serverssl);
1682 SSL_free(clientssl);
1683 SSL_CTX_free(sctx);
1684 SSL_CTX_free(cctx);
1685 SSL_SESSION_free(clientpsk);
1686 SSL_SESSION_free(serverpsk);
1687 clientpsk = serverpsk = NULL;
1688
1689 return testresult;
1690}
1691#endif
1692
1693#define USE_NULL 0
1694#define USE_BIO_1 1
1695#define USE_BIO_2 2
1696#define USE_DEFAULT 3
1697
1698#define CONNTYPE_CONNECTION_SUCCESS 0
1699#define CONNTYPE_CONNECTION_FAIL 1
1700#define CONNTYPE_NO_CONNECTION 2
1701
1702#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1703#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1704#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1705# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1706#else
1707# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1708#endif
1709
1710#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1711 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1712 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1713
1714static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1715{
1716 switch (type) {
1717 case USE_NULL:
1718 *res = NULL;
1719 break;
1720 case USE_BIO_1:
1721 *res = bio1;
1722 break;
1723 case USE_BIO_2:
1724 *res = bio2;
1725 break;
1726 }
1727}
1728
1729
1730/*
1731 * Tests calls to SSL_set_bio() under various conditions.
1732 *
1733 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1734 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1735 * then do more tests where we create a successful connection first using our
1736 * standard connection setup functions, and then call SSL_set_bio() with
1737 * various combinations of valid BIOs or NULL. We then repeat these tests
1738 * following a failed connection. In this last case we are looking to check that
1739 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1740 */
1741static int test_ssl_set_bio(int idx)
1742{
1743 SSL_CTX *sctx = NULL, *cctx = NULL;
1744 BIO *bio1 = NULL;
1745 BIO *bio2 = NULL;
1746 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1747 SSL *serverssl = NULL, *clientssl = NULL;
1748 int initrbio, initwbio, newrbio, newwbio, conntype;
1749 int testresult = 0;
1750
1751 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1752 initrbio = idx % 3;
1753 idx /= 3;
1754 initwbio = idx % 3;
1755 idx /= 3;
1756 newrbio = idx % 3;
1757 idx /= 3;
1758 newwbio = idx % 3;
1759 conntype = CONNTYPE_NO_CONNECTION;
1760 } else {
1761 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1762 initrbio = initwbio = USE_DEFAULT;
1763 newrbio = idx % 2;
1764 idx /= 2;
1765 newwbio = idx % 2;
1766 idx /= 2;
1767 conntype = idx % 2;
1768 }
1769
1770 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1771 TLS1_VERSION, 0,
1772 &sctx, &cctx, cert, privkey)))
1773 goto end;
1774
1775 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1776 /*
1777 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1778 * because we reduced the number of tests in the definition of
1779 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1780 * mismatched protocol versions we will force a connection failure.
1781 */
1782 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1783 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1784 }
1785
1786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1787 NULL, NULL)))
1788 goto end;
1789
1790 if (initrbio == USE_BIO_1
1791 || initwbio == USE_BIO_1
1792 || newrbio == USE_BIO_1
1793 || newwbio == USE_BIO_1) {
1794 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1795 goto end;
1796 }
1797
1798 if (initrbio == USE_BIO_2
1799 || initwbio == USE_BIO_2
1800 || newrbio == USE_BIO_2
1801 || newwbio == USE_BIO_2) {
1802 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1803 goto end;
1804 }
1805
1806 if (initrbio != USE_DEFAULT) {
1807 setupbio(&irbio, bio1, bio2, initrbio);
1808 setupbio(&iwbio, bio1, bio2, initwbio);
1809 SSL_set_bio(clientssl, irbio, iwbio);
1810
1811 /*
1812 * We want to maintain our own refs to these BIO, so do an up ref for
1813 * each BIO that will have ownership transferred in the SSL_set_bio()
1814 * call
1815 */
1816 if (irbio != NULL)
1817 BIO_up_ref(irbio);
1818 if (iwbio != NULL && iwbio != irbio)
1819 BIO_up_ref(iwbio);
1820 }
1821
1822 if (conntype != CONNTYPE_NO_CONNECTION
1823 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1824 SSL_ERROR_NONE)
1825 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1826 goto end;
1827
1828 setupbio(&nrbio, bio1, bio2, newrbio);
1829 setupbio(&nwbio, bio1, bio2, newwbio);
1830
1831 /*
1832 * We will (maybe) transfer ownership again so do more up refs.
1833 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1834 * already been set!
1835 */
1836 if (nrbio != NULL
1837 && nrbio != irbio
1838 && (nwbio != iwbio || nrbio != nwbio))
1839 BIO_up_ref(nrbio);
1840 if (nwbio != NULL
1841 && nwbio != nrbio
1842 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1843 BIO_up_ref(nwbio);
1844
1845 SSL_set_bio(clientssl, nrbio, nwbio);
1846
1847 testresult = 1;
1848
1849 end:
1850 BIO_free(bio1);
1851 BIO_free(bio2);
1852
1853 /*
1854 * This test is checking that the ref counting for SSL_set_bio is correct.
1855 * If we get here and we did too many frees then we will fail in the above
1856 * functions. If we haven't done enough then this will only be detected in
1857 * a crypto-mdebug build
1858 */
1859 SSL_free(serverssl);
1860 SSL_free(clientssl);
1861 SSL_CTX_free(sctx);
1862 SSL_CTX_free(cctx);
1863 return testresult;
1864}
1865
1866typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1867
1868static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1869{
1870 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1871 SSL_CTX *ctx;
1872 SSL *ssl = NULL;
1873 int testresult = 0;
1874
1875 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1876 || !TEST_ptr(ssl = SSL_new(ctx))
1877 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1878 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1879 goto end;
1880
1881 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1882
1883 /*
1884 * If anything goes wrong here then we could leak memory, so this will
1885 * be caught in a crypto-mdebug build
1886 */
1887 BIO_push(sslbio, membio1);
1888
1889 /* Verify changing the rbio/wbio directly does not cause leaks */
1890 if (change_bio != NO_BIO_CHANGE) {
1891 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1892 goto end;
1893 if (change_bio == CHANGE_RBIO)
1894 SSL_set0_rbio(ssl, membio2);
1895 else
1896 SSL_set0_wbio(ssl, membio2);
1897 }
1898 ssl = NULL;
1899
1900 if (pop_ssl)
1901 BIO_pop(sslbio);
1902 else
1903 BIO_pop(membio1);
1904
1905 testresult = 1;
1906 end:
1907 BIO_free(membio1);
1908 BIO_free(sslbio);
1909 SSL_free(ssl);
1910 SSL_CTX_free(ctx);
1911
1912 return testresult;
1913}
1914
1915static int test_ssl_bio_pop_next_bio(void)
1916{
1917 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1918}
1919
1920static int test_ssl_bio_pop_ssl_bio(void)
1921{
1922 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1923}
1924
1925static int test_ssl_bio_change_rbio(void)
1926{
1927 return execute_test_ssl_bio(0, CHANGE_RBIO);
1928}
1929
1930static int test_ssl_bio_change_wbio(void)
1931{
1932 return execute_test_ssl_bio(0, CHANGE_WBIO);
1933}
1934
1935#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1936typedef struct {
1937 /* The list of sig algs */
1938 const int *list;
1939 /* The length of the list */
1940 size_t listlen;
1941 /* A sigalgs list in string format */
1942 const char *liststr;
1943 /* Whether setting the list should succeed */
1944 int valid;
1945 /* Whether creating a connection with the list should succeed */
1946 int connsuccess;
1947} sigalgs_list;
1948
1949static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1950# ifndef OPENSSL_NO_EC
1951static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1952static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1953# endif
1954static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1955static const int invalidlist2[] = {NID_sha256, NID_undef};
1956static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1957static const int invalidlist4[] = {NID_sha256};
1958static const sigalgs_list testsigalgs[] = {
1959 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1960# ifndef OPENSSL_NO_EC
1961 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1962 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1963# endif
1964 {NULL, 0, "RSA+SHA256", 1, 1},
1965# ifndef OPENSSL_NO_EC
1966 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1967 {NULL, 0, "ECDSA+SHA512", 1, 0},
1968# endif
1969 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1970 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1971 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1972 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1973 {NULL, 0, "RSA", 0, 0},
1974 {NULL, 0, "SHA256", 0, 0},
1975 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1976 {NULL, 0, "Invalid", 0, 0}
1977};
1978
1979static int test_set_sigalgs(int idx)
1980{
1981 SSL_CTX *cctx = NULL, *sctx = NULL;
1982 SSL *clientssl = NULL, *serverssl = NULL;
1983 int testresult = 0;
1984 const sigalgs_list *curr;
1985 int testctx;
1986
1987 /* Should never happen */
1988 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1989 return 0;
1990
1991 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1992 curr = testctx ? &testsigalgs[idx]
1993 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1994
1995 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1996 TLS1_VERSION, 0,
1997 &sctx, &cctx, cert, privkey)))
1998 return 0;
1999
2000 /*
2001 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2002 * for TLSv1.2 for now until we add a new API.
2003 */
2004 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2005
2006 if (testctx) {
2007 int ret;
2008
2009 if (curr->list != NULL)
2010 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2011 else
2012 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2013
2014 if (!ret) {
2015 if (curr->valid)
2016 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2017 else
2018 testresult = 1;
2019 goto end;
2020 }
2021 if (!curr->valid) {
2022 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2023 goto end;
2024 }
2025 }
2026
2027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2028 &clientssl, NULL, NULL)))
2029 goto end;
2030
2031 if (!testctx) {
2032 int ret;
2033
2034 if (curr->list != NULL)
2035 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2036 else
2037 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2038 if (!ret) {
2039 if (curr->valid)
2040 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2041 else
2042 testresult = 1;
2043 goto end;
2044 }
2045 if (!curr->valid)
2046 goto end;
2047 }
2048
2049 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2050 SSL_ERROR_NONE),
2051 curr->connsuccess))
2052 goto end;
2053
2054 testresult = 1;
2055
2056 end:
2057 SSL_free(serverssl);
2058 SSL_free(clientssl);
2059 SSL_CTX_free(sctx);
2060 SSL_CTX_free(cctx);
2061
2062 return testresult;
2063}
2064#endif
2065
2066#ifndef OPENSSL_NO_TLS1_3
2067static int psk_client_cb_cnt = 0;
2068static int psk_server_cb_cnt = 0;
2069
2070static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2071 size_t *idlen, SSL_SESSION **sess)
2072{
2073 switch (++use_session_cb_cnt) {
2074 case 1:
2075 /* The first call should always have a NULL md */
2076 if (md != NULL)
2077 return 0;
2078 break;
2079
2080 case 2:
2081 /* The second call should always have an md */
2082 if (md == NULL)
2083 return 0;
2084 break;
2085
2086 default:
2087 /* We should only be called a maximum of twice */
2088 return 0;
2089 }
2090
2091 if (clientpsk != NULL)
2092 SSL_SESSION_up_ref(clientpsk);
2093
2094 *sess = clientpsk;
2095 *id = (const unsigned char *)pskid;
2096 *idlen = strlen(pskid);
2097
2098 return 1;
2099}
2100
2101#ifndef OPENSSL_NO_PSK
2102static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2103 unsigned int max_id_len,
2104 unsigned char *psk,
2105 unsigned int max_psk_len)
2106{
2107 unsigned int psklen = 0;
2108
2109 psk_client_cb_cnt++;
2110
2111 if (strlen(pskid) + 1 > max_id_len)
2112 return 0;
2113
2114 /* We should only ever be called a maximum of twice per connection */
2115 if (psk_client_cb_cnt > 2)
2116 return 0;
2117
2118 if (clientpsk == NULL)
2119 return 0;
2120
2121 /* We'll reuse the PSK we set up for TLSv1.3 */
2122 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2123 return 0;
2124 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2125 strncpy(id, pskid, max_id_len);
2126
2127 return psklen;
2128}
2129#endif /* OPENSSL_NO_PSK */
2130
2131static int find_session_cb(SSL *ssl, const unsigned char *identity,
2132 size_t identity_len, SSL_SESSION **sess)
2133{
2134 find_session_cb_cnt++;
2135
2136 /* We should only ever be called a maximum of twice per connection */
2137 if (find_session_cb_cnt > 2)
2138 return 0;
2139
2140 if (serverpsk == NULL)
2141 return 0;
2142
2143 /* Identity should match that set by the client */
2144 if (strlen(srvid) != identity_len
2145 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2146 /* No PSK found, continue but without a PSK */
2147 *sess = NULL;
2148 return 1;
2149 }
2150
2151 SSL_SESSION_up_ref(serverpsk);
2152 *sess = serverpsk;
2153
2154 return 1;
2155}
2156
2157#ifndef OPENSSL_NO_PSK
2158static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2159 unsigned char *psk, unsigned int max_psk_len)
2160{
2161 unsigned int psklen = 0;
2162
2163 psk_server_cb_cnt++;
2164
2165 /* We should only ever be called a maximum of twice per connection */
2166 if (find_session_cb_cnt > 2)
2167 return 0;
2168
2169 if (serverpsk == NULL)
2170 return 0;
2171
2172 /* Identity should match that set by the client */
2173 if (strcmp(srvid, identity) != 0) {
2174 return 0;
2175 }
2176
2177 /* We'll reuse the PSK we set up for TLSv1.3 */
2178 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2179 return 0;
2180 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2181
2182 return psklen;
2183}
2184#endif /* OPENSSL_NO_PSK */
2185
2186#define MSG1 "Hello"
2187#define MSG2 "World."
2188#define MSG3 "This"
2189#define MSG4 "is"
2190#define MSG5 "a"
2191#define MSG6 "test"
2192#define MSG7 "message."
2193
2194#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2195#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2196
2197
2198static SSL_SESSION *create_a_psk(SSL *ssl)
2199{
2200 const SSL_CIPHER *cipher = NULL;
2201 const unsigned char key[] = {
2202 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2203 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2204 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2205 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2206 0x2c, 0x2d, 0x2e, 0x2f
2207 };
2208 SSL_SESSION *sess = NULL;
2209
2210 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2211 sess = SSL_SESSION_new();
2212 if (!TEST_ptr(sess)
2213 || !TEST_ptr(cipher)
2214 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2215 sizeof(key)))
2216 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2217 || !TEST_true(
2218 SSL_SESSION_set_protocol_version(sess,
2219 TLS1_3_VERSION))) {
2220 SSL_SESSION_free(sess);
2221 return NULL;
2222 }
2223 return sess;
2224}
2225
2226/*
2227 * Helper method to setup objects for early data test. Caller frees objects on
2228 * error.
2229 */
2230static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2231 SSL **serverssl, SSL_SESSION **sess, int idx)
2232{
2233 if (*sctx == NULL
2234 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2235 TLS_client_method(),
2236 TLS1_VERSION, 0,
2237 sctx, cctx, cert, privkey)))
2238 return 0;
2239
2240 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2241 return 0;
2242
2243 if (idx == 1) {
2244 /* When idx == 1 we repeat the tests with read_ahead set */
2245 SSL_CTX_set_read_ahead(*cctx, 1);
2246 SSL_CTX_set_read_ahead(*sctx, 1);
2247 } else if (idx == 2) {
2248 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2249 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2250 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2251 use_session_cb_cnt = 0;
2252 find_session_cb_cnt = 0;
2253 srvid = pskid;
2254 }
2255
2256 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2257 NULL, NULL)))
2258 return 0;
2259
2260 /*
2261 * For one of the run throughs (doesn't matter which one), we'll try sending
2262 * some SNI data in the initial ClientHello. This will be ignored (because
2263 * there is no SNI cb set up by the server), so it should not impact
2264 * early_data.
2265 */
2266 if (idx == 1
2267 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2268 return 0;
2269
2270 if (idx == 2) {
2271 clientpsk = create_a_psk(*clientssl);
2272 if (!TEST_ptr(clientpsk)
2273 /*
2274 * We just choose an arbitrary value for max_early_data which
2275 * should be big enough for testing purposes.
2276 */
2277 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2278 0x100))
2279 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2280 SSL_SESSION_free(clientpsk);
2281 clientpsk = NULL;
2282 return 0;
2283 }
2284 serverpsk = clientpsk;
2285
2286 if (sess != NULL) {
2287 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2288 SSL_SESSION_free(clientpsk);
2289 SSL_SESSION_free(serverpsk);
2290 clientpsk = serverpsk = NULL;
2291 return 0;
2292 }
2293 *sess = clientpsk;
2294 }
2295 return 1;
2296 }
2297
2298 if (sess == NULL)
2299 return 1;
2300
2301 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2302 SSL_ERROR_NONE)))
2303 return 0;
2304
2305 *sess = SSL_get1_session(*clientssl);
2306 SSL_shutdown(*clientssl);
2307 SSL_shutdown(*serverssl);
2308 SSL_free(*serverssl);
2309 SSL_free(*clientssl);
2310 *serverssl = *clientssl = NULL;
2311
2312 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2313 clientssl, NULL, NULL))
2314 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2315 return 0;
2316
2317 return 1;
2318}
2319
2320static int test_early_data_read_write(int idx)
2321{
2322 SSL_CTX *cctx = NULL, *sctx = NULL;
2323 SSL *clientssl = NULL, *serverssl = NULL;
2324 int testresult = 0;
2325 SSL_SESSION *sess = NULL;
2326 unsigned char buf[20], data[1024];
2327 size_t readbytes, written, eoedlen, rawread, rawwritten;
2328 BIO *rbio;
2329
2330 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2331 &serverssl, &sess, idx)))
2332 goto end;
2333
2334 /* Write and read some early data */
2335 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2336 &written))
2337 || !TEST_size_t_eq(written, strlen(MSG1))
2338 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2339 sizeof(buf), &readbytes),
2340 SSL_READ_EARLY_DATA_SUCCESS)
2341 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2343 SSL_EARLY_DATA_ACCEPTED))
2344 goto end;
2345
2346 /*
2347 * Server should be able to write data, and client should be able to
2348 * read it.
2349 */
2350 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2351 &written))
2352 || !TEST_size_t_eq(written, strlen(MSG2))
2353 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2354 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2355 goto end;
2356
2357 /* Even after reading normal data, client should be able write early data */
2358 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2359 &written))
2360 || !TEST_size_t_eq(written, strlen(MSG3)))
2361 goto end;
2362
2363 /* Server should still be able read early data after writing data */
2364 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2365 &readbytes),
2366 SSL_READ_EARLY_DATA_SUCCESS)
2367 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2368 goto end;
2369
2370 /* Write more data from server and read it from client */
2371 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2372 &written))
2373 || !TEST_size_t_eq(written, strlen(MSG4))
2374 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2375 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2376 goto end;
2377
2378 /*
2379 * If client writes normal data it should mean writing early data is no
2380 * longer possible.
2381 */
2382 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2383 || !TEST_size_t_eq(written, strlen(MSG5))
2384 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2385 SSL_EARLY_DATA_ACCEPTED))
2386 goto end;
2387
2388 /*
2389 * At this point the client has written EndOfEarlyData, ClientFinished and
2390 * normal (fully protected) data. We are going to cause a delay between the
2391 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2392 * in the read BIO, and then just put back the EndOfEarlyData message.
2393 */
2394 rbio = SSL_get_rbio(serverssl);
2395 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2396 || !TEST_size_t_lt(rawread, sizeof(data))
2397 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2398 goto end;
2399
2400 /* Record length is in the 4th and 5th bytes of the record header */
2401 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2402 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2403 || !TEST_size_t_eq(rawwritten, eoedlen))
2404 goto end;
2405
2406 /* Server should be told that there is no more early data */
2407 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2408 &readbytes),
2409 SSL_READ_EARLY_DATA_FINISH)
2410 || !TEST_size_t_eq(readbytes, 0))
2411 goto end;
2412
2413 /*
2414 * Server has not finished init yet, so should still be able to write early
2415 * data.
2416 */
2417 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2418 &written))
2419 || !TEST_size_t_eq(written, strlen(MSG6)))
2420 goto end;
2421
2422 /* Push the ClientFinished and the normal data back into the server rbio */
2423 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2424 &rawwritten))
2425 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2426 goto end;
2427
2428 /* Server should be able to read normal data */
2429 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2430 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2431 goto end;
2432
2433 /* Client and server should not be able to write/read early data now */
2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2435 &written)))
2436 goto end;
2437 ERR_clear_error();
2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2439 &readbytes),
2440 SSL_READ_EARLY_DATA_ERROR))
2441 goto end;
2442 ERR_clear_error();
2443
2444 /* Client should be able to read the data sent by the server */
2445 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2446 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2447 goto end;
2448
2449 /*
2450 * Make sure we process the two NewSessionTickets. These arrive
2451 * post-handshake. We attempt reads which we do not expect to return any
2452 * data.
2453 */
2454 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2455 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2456 &readbytes)))
2457 goto end;
2458
2459 /* Server should be able to write normal data */
2460 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2461 || !TEST_size_t_eq(written, strlen(MSG7))
2462 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2463 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2464 goto end;
2465
2466 SSL_SESSION_free(sess);
2467 sess = SSL_get1_session(clientssl);
2468 use_session_cb_cnt = 0;
2469 find_session_cb_cnt = 0;
2470
2471 SSL_shutdown(clientssl);
2472 SSL_shutdown(serverssl);
2473 SSL_free(serverssl);
2474 SSL_free(clientssl);
2475 serverssl = clientssl = NULL;
2476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2477 &clientssl, NULL, NULL))
2478 || !TEST_true(SSL_set_session(clientssl, sess)))
2479 goto end;
2480
2481 /* Write and read some early data */
2482 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2483 &written))
2484 || !TEST_size_t_eq(written, strlen(MSG1))
2485 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2486 &readbytes),
2487 SSL_READ_EARLY_DATA_SUCCESS)
2488 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2489 goto end;
2490
2491 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2492 || !TEST_int_gt(SSL_accept(serverssl), 0))
2493 goto end;
2494
2495 /* Client and server should not be able to write/read early data now */
2496 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2497 &written)))
2498 goto end;
2499 ERR_clear_error();
2500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2501 &readbytes),
2502 SSL_READ_EARLY_DATA_ERROR))
2503 goto end;
2504 ERR_clear_error();
2505
2506 /* Client and server should be able to write/read normal data */
2507 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2508 || !TEST_size_t_eq(written, strlen(MSG5))
2509 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2510 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2511 goto end;
2512
2513 testresult = 1;
2514
2515 end:
2516 SSL_SESSION_free(sess);
2517 SSL_SESSION_free(clientpsk);
2518 SSL_SESSION_free(serverpsk);
2519 clientpsk = serverpsk = NULL;
2520 SSL_free(serverssl);
2521 SSL_free(clientssl);
2522 SSL_CTX_free(sctx);
2523 SSL_CTX_free(cctx);
2524 return testresult;
2525}
2526
2527static int allow_ed_cb_called = 0;
2528
2529static int allow_early_data_cb(SSL *s, void *arg)
2530{
2531 int *usecb = (int *)arg;
2532
2533 allow_ed_cb_called++;
2534
2535 if (*usecb == 1)
2536 return 0;
2537
2538 return 1;
2539}
2540
2541/*
2542 * idx == 0: Standard early_data setup
2543 * idx == 1: early_data setup using read_ahead
2544 * usecb == 0: Don't use a custom early data callback
2545 * usecb == 1: Use a custom early data callback and reject the early data
2546 * usecb == 2: Use a custom early data callback and accept the early data
2547 * confopt == 0: Configure anti-replay directly
2548 * confopt == 1: Configure anti-replay using SSL_CONF
2549 */
2550static int test_early_data_replay_int(int idx, int usecb, int confopt)
2551{
2552 SSL_CTX *cctx = NULL, *sctx = NULL;
2553 SSL *clientssl = NULL, *serverssl = NULL;
2554 int testresult = 0;
2555 SSL_SESSION *sess = NULL;
2556 size_t readbytes, written;
2557 unsigned char buf[20];
2558
2559 allow_ed_cb_called = 0;
2560
2561 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2562 TLS1_VERSION, 0, &sctx,
2563 &cctx, cert, privkey)))
2564 return 0;
2565
2566 if (usecb > 0) {
2567 if (confopt == 0) {
2568 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2569 } else {
2570 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2571
2572 if (!TEST_ptr(confctx))
2573 goto end;
2574 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2575 | SSL_CONF_FLAG_SERVER);
2576 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2577 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2578 2)) {
2579 SSL_CONF_CTX_free(confctx);
2580 goto end;
2581 }
2582 SSL_CONF_CTX_free(confctx);
2583 }
2584 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2585 }
2586
2587 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2588 &serverssl, &sess, idx)))
2589 goto end;
2590
2591 /*
2592 * The server is configured to accept early data. Create a connection to
2593 * "use up" the ticket
2594 */
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl)))
2597 goto end;
2598
2599 SSL_shutdown(clientssl);
2600 SSL_shutdown(serverssl);
2601 SSL_free(serverssl);
2602 SSL_free(clientssl);
2603 serverssl = clientssl = NULL;
2604
2605 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2606 &clientssl, NULL, NULL))
2607 || !TEST_true(SSL_set_session(clientssl, sess)))
2608 goto end;
2609
2610 /* Write and read some early data */
2611 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2612 &written))
2613 || !TEST_size_t_eq(written, strlen(MSG1)))
2614 goto end;
2615
2616 if (usecb <= 1) {
2617 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2618 &readbytes),
2619 SSL_READ_EARLY_DATA_FINISH)
2620 /*
2621 * The ticket was reused, so the we should have rejected the
2622 * early data
2623 */
2624 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2625 SSL_EARLY_DATA_REJECTED))
2626 goto end;
2627 } else {
2628 /* In this case the callback decides to accept the early data */
2629 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2630 &readbytes),
2631 SSL_READ_EARLY_DATA_SUCCESS)
2632 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2633 /*
2634 * Server will have sent its flight so client can now send
2635 * end of early data and complete its half of the handshake
2636 */
2637 || !TEST_int_gt(SSL_connect(clientssl), 0)
2638 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2639 &readbytes),
2640 SSL_READ_EARLY_DATA_FINISH)
2641 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2642 SSL_EARLY_DATA_ACCEPTED))
2643 goto end;
2644 }
2645
2646 /* Complete the connection */
2647 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2648 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2649 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2650 goto end;
2651
2652 testresult = 1;
2653
2654 end:
2655 SSL_SESSION_free(sess);
2656 SSL_SESSION_free(clientpsk);
2657 SSL_SESSION_free(serverpsk);
2658 clientpsk = serverpsk = NULL;
2659 SSL_free(serverssl);
2660 SSL_free(clientssl);
2661 SSL_CTX_free(sctx);
2662 SSL_CTX_free(cctx);
2663 return testresult;
2664}
2665
2666static int test_early_data_replay(int idx)
2667{
2668 int ret = 1, usecb, confopt;
2669
2670 for (usecb = 0; usecb < 3; usecb++) {
2671 for (confopt = 0; confopt < 2; confopt++)
2672 ret &= test_early_data_replay_int(idx, usecb, confopt);
2673 }
2674
2675 return ret;
2676}
2677
2678/*
2679 * Helper function to test that a server attempting to read early data can
2680 * handle a connection from a client where the early data should be skipped.
2681 * testtype: 0 == No HRR
2682 * testtype: 1 == HRR
2683 * testtype: 2 == HRR, invalid early_data sent after HRR
2684 * testtype: 3 == recv_max_early_data set to 0
2685 */
2686static int early_data_skip_helper(int testtype, int idx)
2687{
2688 SSL_CTX *cctx = NULL, *sctx = NULL;
2689 SSL *clientssl = NULL, *serverssl = NULL;
2690 int testresult = 0;
2691 SSL_SESSION *sess = NULL;
2692 unsigned char buf[20];
2693 size_t readbytes, written;
2694
2695 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2696 &serverssl, &sess, idx)))
2697 goto end;
2698
2699 if (testtype == 1 || testtype == 2) {
2700 /* Force an HRR to occur */
2701 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2702 goto end;
2703 } else if (idx == 2) {
2704 /*
2705 * We force early_data rejection by ensuring the PSK identity is
2706 * unrecognised
2707 */
2708 srvid = "Dummy Identity";
2709 } else {
2710 /*
2711 * Deliberately corrupt the creation time. We take 20 seconds off the
2712 * time. It could be any value as long as it is not within tolerance.
2713 * This should mean the ticket is rejected.
2714 */
2715 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2716 goto end;
2717 }
2718
2719 if (testtype == 3
2720 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2721 goto end;
2722
2723 /* Write some early data */
2724 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2725 &written))
2726 || !TEST_size_t_eq(written, strlen(MSG1)))
2727 goto end;
2728
2729 /* Server should reject the early data */
2730 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2731 &readbytes),
2732 SSL_READ_EARLY_DATA_FINISH)
2733 || !TEST_size_t_eq(readbytes, 0)
2734 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2735 SSL_EARLY_DATA_REJECTED))
2736 goto end;
2737
2738 switch (testtype) {
2739 case 0:
2740 /* Nothing to do */
2741 break;
2742
2743 case 1:
2744 /*
2745 * Finish off the handshake. We perform the same writes and reads as
2746 * further down but we expect them to fail due to the incomplete
2747 * handshake.
2748 */
2749 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2750 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2751 &readbytes)))
2752 goto end;
2753 break;
2754
2755 case 2:
2756 {
2757 BIO *wbio = SSL_get_wbio(clientssl);
2758 /* A record that will appear as bad early_data */
2759 const unsigned char bad_early_data[] = {
2760 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2761 };
2762
2763 /*
2764 * We force the client to attempt a write. This will fail because
2765 * we're still in the handshake. It will cause the second
2766 * ClientHello to be sent.
2767 */
2768 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2769 &written)))
2770 goto end;
2771
2772 /*
2773 * Inject some early_data after the second ClientHello. This should
2774 * cause the server to fail
2775 */
2776 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2777 sizeof(bad_early_data), &written)))
2778 goto end;
2779 }
2780 /* fallthrough */
2781
2782 case 3:
2783 /*
2784 * This client has sent more early_data than we are willing to skip
2785 * (case 3) or sent invalid early_data (case 2) so the connection should
2786 * abort.
2787 */
2788 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2789 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2790 goto end;
2791
2792 /* Connection has failed - nothing more to do */
2793 testresult = 1;
2794 goto end;
2795
2796 default:
2797 TEST_error("Invalid test type");
2798 goto end;
2799 }
2800
2801 /*
2802 * Should be able to send normal data despite rejection of early data. The
2803 * early_data should be skipped.
2804 */
2805 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2806 || !TEST_size_t_eq(written, strlen(MSG2))
2807 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2808 SSL_EARLY_DATA_REJECTED)
2809 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2810 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2811 goto end;
2812
2813 testresult = 1;
2814
2815 end:
2816 SSL_SESSION_free(clientpsk);
2817 SSL_SESSION_free(serverpsk);
2818 clientpsk = serverpsk = NULL;
2819 SSL_SESSION_free(sess);
2820 SSL_free(serverssl);
2821 SSL_free(clientssl);
2822 SSL_CTX_free(sctx);
2823 SSL_CTX_free(cctx);
2824 return testresult;
2825}
2826
2827/*
2828 * Test that a server attempting to read early data can handle a connection
2829 * from a client where the early data is not acceptable.
2830 */
2831static int test_early_data_skip(int idx)
2832{
2833 return early_data_skip_helper(0, idx);
2834}
2835
2836/*
2837 * Test that a server attempting to read early data can handle a connection
2838 * from a client where an HRR occurs.
2839 */
2840static int test_early_data_skip_hrr(int idx)
2841{
2842 return early_data_skip_helper(1, idx);
2843}
2844
2845/*
2846 * Test that a server attempting to read early data can handle a connection
2847 * from a client where an HRR occurs and correctly fails if early_data is sent
2848 * after the HRR
2849 */
2850static int test_early_data_skip_hrr_fail(int idx)
2851{
2852 return early_data_skip_helper(2, idx);
2853}
2854
2855/*
2856 * Test that a server attempting to read early data will abort if it tries to
2857 * skip over too much.
2858 */
2859static int test_early_data_skip_abort(int idx)
2860{
2861 return early_data_skip_helper(3, idx);
2862}
2863
2864/*
2865 * Test that a server attempting to read early data can handle a connection
2866 * from a client that doesn't send any.
2867 */
2868static int test_early_data_not_sent(int idx)
2869{
2870 SSL_CTX *cctx = NULL, *sctx = NULL;
2871 SSL *clientssl = NULL, *serverssl = NULL;
2872 int testresult = 0;
2873 SSL_SESSION *sess = NULL;
2874 unsigned char buf[20];
2875 size_t readbytes, written;
2876
2877 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2878 &serverssl, &sess, idx)))
2879 goto end;
2880
2881 /* Write some data - should block due to handshake with server */
2882 SSL_set_connect_state(clientssl);
2883 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2884 goto end;
2885
2886 /* Server should detect that early data has not been sent */
2887 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2888 &readbytes),
2889 SSL_READ_EARLY_DATA_FINISH)
2890 || !TEST_size_t_eq(readbytes, 0)
2891 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2892 SSL_EARLY_DATA_NOT_SENT)
2893 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2894 SSL_EARLY_DATA_NOT_SENT))
2895 goto end;
2896
2897 /* Continue writing the message we started earlier */
2898 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2899 || !TEST_size_t_eq(written, strlen(MSG1))
2900 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2901 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2902 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2903 || !TEST_size_t_eq(written, strlen(MSG2)))
2904 goto end;
2905
2906 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2907 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2908 goto end;
2909
2910 testresult = 1;
2911
2912 end:
2913 SSL_SESSION_free(sess);
2914 SSL_SESSION_free(clientpsk);
2915 SSL_SESSION_free(serverpsk);
2916 clientpsk = serverpsk = NULL;
2917 SSL_free(serverssl);
2918 SSL_free(clientssl);
2919 SSL_CTX_free(sctx);
2920 SSL_CTX_free(cctx);
2921 return testresult;
2922}
2923
2924static int hostname_cb(SSL *s, int *al, void *arg)
2925{
2926 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2927
2928 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2929 return SSL_TLSEXT_ERR_OK;
2930
2931 return SSL_TLSEXT_ERR_NOACK;
2932}
2933
2934static const char *servalpn;
2935
2936static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2937 unsigned char *outlen, const unsigned char *in,
2938 unsigned int inlen, void *arg)
2939{
2940 unsigned int protlen = 0;
2941 const unsigned char *prot;
2942
2943 for (prot = in; prot < in + inlen; prot += protlen) {
2944 protlen = *prot++;
2945 if (in + inlen < prot + protlen)
2946 return SSL_TLSEXT_ERR_NOACK;
2947
2948 if (protlen == strlen(servalpn)
2949 && memcmp(prot, servalpn, protlen) == 0) {
2950 *out = prot;
2951 *outlen = protlen;
2952 return SSL_TLSEXT_ERR_OK;
2953 }
2954 }
2955
2956 return SSL_TLSEXT_ERR_NOACK;
2957}
2958
2959/* Test that a PSK can be used to send early_data */
2960static int test_early_data_psk(int idx)
2961{
2962 SSL_CTX *cctx = NULL, *sctx = NULL;
2963 SSL *clientssl = NULL, *serverssl = NULL;
2964 int testresult = 0;
2965 SSL_SESSION *sess = NULL;
2966 unsigned char alpnlist[] = {
2967 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2968 'l', 'p', 'n'
2969 };
2970#define GOODALPNLEN 9
2971#define BADALPNLEN 8
2972#define GOODALPN (alpnlist)
2973#define BADALPN (alpnlist + GOODALPNLEN)
2974 int err = 0;
2975 unsigned char buf[20];
2976 size_t readbytes, written;
2977 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2978 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2979
2980 /* We always set this up with a final parameter of "2" for PSK */
2981 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2982 &serverssl, &sess, 2)))
2983 goto end;
2984
2985 servalpn = "goodalpn";
2986
2987 /*
2988 * Note: There is no test for inconsistent SNI with late client detection.
2989 * This is because servers do not acknowledge SNI even if they are using
2990 * it in a resumption handshake - so it is not actually possible for a
2991 * client to detect a problem.
2992 */
2993 switch (idx) {
2994 case 0:
2995 /* Set inconsistent SNI (early client detection) */
2996 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2997 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2998 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2999 goto end;
3000 break;
3001
3002 case 1:
3003 /* Set inconsistent ALPN (early client detection) */
3004 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3005 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3006 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3007 GOODALPNLEN))
3008 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3009 BADALPNLEN)))
3010 goto end;
3011 break;
3012
3013 case 2:
3014 /*
3015 * Set invalid protocol version. Technically this affects PSKs without
3016 * early_data too, but we test it here because it is similar to the
3017 * SNI/ALPN consistency tests.
3018 */
3019 err = SSL_R_BAD_PSK;
3020 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3021 goto end;
3022 break;
3023
3024 case 3:
3025 /*
3026 * Set inconsistent SNI (server detected). In this case the connection
3027 * will succeed but reject early_data.
3028 */
3029 SSL_SESSION_free(serverpsk);
3030 serverpsk = SSL_SESSION_dup(clientpsk);
3031 if (!TEST_ptr(serverpsk)
3032 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3033 goto end;
3034 edstatus = SSL_EARLY_DATA_REJECTED;
3035 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3036 /* Fall through */
3037 case 4:
3038 /* Set consistent SNI */
3039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3041 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3042 hostname_cb)))
3043 goto end;
3044 break;
3045
3046 case 5:
3047 /*
3048 * Set inconsistent ALPN (server detected). In this case the connection
3049 * will succeed but reject early_data.
3050 */
3051 servalpn = "badalpn";
3052 edstatus = SSL_EARLY_DATA_REJECTED;
3053 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3054 /* Fall through */
3055 case 6:
3056 /*
3057 * Set consistent ALPN.
3058 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3059 * accepts a list of protos (each one length prefixed).
3060 * SSL_set1_alpn_selected accepts a single protocol (not length
3061 * prefixed)
3062 */
3063 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3064 GOODALPNLEN - 1))
3065 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3066 GOODALPNLEN)))
3067 goto end;
3068
3069 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3070 break;
3071
3072 case 7:
3073 /* Set inconsistent ALPN (late client detection) */
3074 SSL_SESSION_free(serverpsk);
3075 serverpsk = SSL_SESSION_dup(clientpsk);
3076 if (!TEST_ptr(serverpsk)
3077 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3078 BADALPN + 1,
3079 BADALPNLEN - 1))
3080 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3081 GOODALPN + 1,
3082 GOODALPNLEN - 1))
3083 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3084 sizeof(alpnlist))))
3085 goto end;
3086 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3087 edstatus = SSL_EARLY_DATA_ACCEPTED;
3088 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3089 /* SSL_connect() call should fail */
3090 connectres = -1;
3091 break;
3092
3093 default:
3094 TEST_error("Bad test index");
3095 goto end;
3096 }
3097
3098 SSL_set_connect_state(clientssl);
3099 if (err != 0) {
3100 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3101 &written))
3102 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3103 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3104 goto end;
3105 } else {
3106 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3107 &written)))
3108 goto end;
3109
3110 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3111 &readbytes), readearlyres)
3112 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3113 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3114 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3115 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3116 goto end;
3117 }
3118
3119 testresult = 1;
3120
3121 end:
3122 SSL_SESSION_free(sess);
3123 SSL_SESSION_free(clientpsk);
3124 SSL_SESSION_free(serverpsk);
3125 clientpsk = serverpsk = NULL;
3126 SSL_free(serverssl);
3127 SSL_free(clientssl);
3128 SSL_CTX_free(sctx);
3129 SSL_CTX_free(cctx);
3130 return testresult;
3131}
3132
3133/*
3134 * Test that a server that doesn't try to read early data can handle a
3135 * client sending some.
3136 */
3137static int test_early_data_not_expected(int idx)
3138{
3139 SSL_CTX *cctx = NULL, *sctx = NULL;
3140 SSL *clientssl = NULL, *serverssl = NULL;
3141 int testresult = 0;
3142 SSL_SESSION *sess = NULL;
3143 unsigned char buf[20];
3144 size_t readbytes, written;
3145
3146 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3147 &serverssl, &sess, idx)))
3148 goto end;
3149
3150 /* Write some early data */
3151 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3152 &written)))
3153 goto end;
3154
3155 /*
3156 * Server should skip over early data and then block waiting for client to
3157 * continue handshake
3158 */
3159 if (!TEST_int_le(SSL_accept(serverssl), 0)
3160 || !TEST_int_gt(SSL_connect(clientssl), 0)
3161 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3162 SSL_EARLY_DATA_REJECTED)
3163 || !TEST_int_gt(SSL_accept(serverssl), 0)
3164 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3165 SSL_EARLY_DATA_REJECTED))
3166 goto end;
3167
3168 /* Send some normal data from client to server */
3169 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3170 || !TEST_size_t_eq(written, strlen(MSG2)))
3171 goto end;
3172
3173 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3175 goto end;
3176
3177 testresult = 1;
3178
3179 end:
3180 SSL_SESSION_free(sess);
3181 SSL_SESSION_free(clientpsk);
3182 SSL_SESSION_free(serverpsk);
3183 clientpsk = serverpsk = NULL;
3184 SSL_free(serverssl);
3185 SSL_free(clientssl);
3186 SSL_CTX_free(sctx);
3187 SSL_CTX_free(cctx);
3188 return testresult;
3189}
3190
3191
3192# ifndef OPENSSL_NO_TLS1_2
3193/*
3194 * Test that a server attempting to read early data can handle a connection
3195 * from a TLSv1.2 client.
3196 */
3197static int test_early_data_tls1_2(int idx)
3198{
3199 SSL_CTX *cctx = NULL, *sctx = NULL;
3200 SSL *clientssl = NULL, *serverssl = NULL;
3201 int testresult = 0;
3202 unsigned char buf[20];
3203 size_t readbytes, written;
3204
3205 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3206 &serverssl, NULL, idx)))
3207 goto end;
3208
3209 /* Write some data - should block due to handshake with server */
3210 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3211 SSL_set_connect_state(clientssl);
3212 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3213 goto end;
3214
3215 /*
3216 * Server should do TLSv1.2 handshake. First it will block waiting for more
3217 * messages from client after ServerDone. Then SSL_read_early_data should
3218 * finish and detect that early data has not been sent
3219 */
3220 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3221 &readbytes),
3222 SSL_READ_EARLY_DATA_ERROR))
3223 goto end;
3224
3225 /*
3226 * Continue writing the message we started earlier. Will still block waiting
3227 * for the CCS/Finished from server
3228 */
3229 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3230 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3231 &readbytes),
3232 SSL_READ_EARLY_DATA_FINISH)
3233 || !TEST_size_t_eq(readbytes, 0)
3234 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3235 SSL_EARLY_DATA_NOT_SENT))
3236 goto end;
3237
3238 /* Continue writing the message we started earlier */
3239 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3240 || !TEST_size_t_eq(written, strlen(MSG1))
3241 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3242 SSL_EARLY_DATA_NOT_SENT)
3243 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3244 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3245 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3246 || !TEST_size_t_eq(written, strlen(MSG2))
3247 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3248 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3249 goto end;
3250
3251 testresult = 1;
3252
3253 end:
3254 SSL_SESSION_free(clientpsk);
3255 SSL_SESSION_free(serverpsk);
3256 clientpsk = serverpsk = NULL;
3257 SSL_free(serverssl);
3258 SSL_free(clientssl);
3259 SSL_CTX_free(sctx);
3260 SSL_CTX_free(cctx);
3261
3262 return testresult;
3263}
3264# endif /* OPENSSL_NO_TLS1_2 */
3265
3266/*
3267 * Test configuring the TLSv1.3 ciphersuites
3268 *
3269 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3270 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3271 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3272 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3273 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3274 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3275 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3276 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3277 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3278 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3279 */
3280static int test_set_ciphersuite(int idx)
3281{
3282 SSL_CTX *cctx = NULL, *sctx = NULL;
3283 SSL *clientssl = NULL, *serverssl = NULL;
3284 int testresult = 0;
3285
3286 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3287 TLS1_VERSION, 0,
3288 &sctx, &cctx, cert, privkey))
3289 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3290 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3291 goto end;
3292
3293 if (idx >=4 && idx <= 7) {
3294 /* SSL_CTX explicit cipher list */
3295 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3296 goto end;
3297 }
3298
3299 if (idx == 0 || idx == 4) {
3300 /* Default ciphersuite */
3301 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3302 "TLS_AES_128_GCM_SHA256")))
3303 goto end;
3304 } else if (idx == 1 || idx == 5) {
3305 /* Non default ciphersuite */
3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3307 "TLS_AES_128_CCM_SHA256")))
3308 goto end;
3309 }
3310
3311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3312 &clientssl, NULL, NULL)))
3313 goto end;
3314
3315 if (idx == 8 || idx == 9) {
3316 /* SSL explicit cipher list */
3317 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3318 goto end;
3319 }
3320
3321 if (idx == 2 || idx == 6 || idx == 8) {
3322 /* Default ciphersuite */
3323 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3324 "TLS_AES_128_GCM_SHA256")))
3325 goto end;
3326 } else if (idx == 3 || idx == 7 || idx == 9) {
3327 /* Non default ciphersuite */
3328 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3329 "TLS_AES_128_CCM_SHA256")))
3330 goto end;
3331 }
3332
3333 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3334 goto end;
3335
3336 testresult = 1;
3337
3338 end:
3339 SSL_free(serverssl);
3340 SSL_free(clientssl);
3341 SSL_CTX_free(sctx);
3342 SSL_CTX_free(cctx);
3343
3344 return testresult;
3345}
3346
3347static int test_ciphersuite_change(void)
3348{
3349 SSL_CTX *cctx = NULL, *sctx = NULL;
3350 SSL *clientssl = NULL, *serverssl = NULL;
3351 SSL_SESSION *clntsess = NULL;
3352 int testresult = 0;
3353 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3354
3355 /* Create a session based on SHA-256 */
3356 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3357 TLS1_VERSION, 0,
3358 &sctx, &cctx, cert, privkey))
3359 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3360 "TLS_AES_128_GCM_SHA256"))
3361 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3362 &clientssl, NULL, NULL))
3363 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3364 SSL_ERROR_NONE)))
3365 goto end;
3366
3367 clntsess = SSL_get1_session(clientssl);
3368 /* Save for later */
3369 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3370 SSL_shutdown(clientssl);
3371 SSL_shutdown(serverssl);
3372 SSL_free(serverssl);
3373 SSL_free(clientssl);
3374 serverssl = clientssl = NULL;
3375
3376# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3377 /* Check we can resume a session with a different SHA-256 ciphersuite */
3378 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3379 "TLS_CHACHA20_POLY1305_SHA256"))
3380 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3381 NULL, NULL))
3382 || !TEST_true(SSL_set_session(clientssl, clntsess))
3383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3384 SSL_ERROR_NONE))
3385 || !TEST_true(SSL_session_reused(clientssl)))
3386 goto end;
3387
3388 SSL_SESSION_free(clntsess);
3389 clntsess = SSL_get1_session(clientssl);
3390 SSL_shutdown(clientssl);
3391 SSL_shutdown(serverssl);
3392 SSL_free(serverssl);
3393 SSL_free(clientssl);
3394 serverssl = clientssl = NULL;
3395# endif
3396
3397 /*
3398 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3399 * succeeds but does not resume.
3400 */
3401 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3402 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3403 NULL, NULL))
3404 || !TEST_true(SSL_set_session(clientssl, clntsess))
3405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3406 SSL_ERROR_SSL))
3407 || !TEST_false(SSL_session_reused(clientssl)))
3408 goto end;
3409
3410 SSL_SESSION_free(clntsess);
3411 clntsess = NULL;
3412 SSL_shutdown(clientssl);
3413 SSL_shutdown(serverssl);
3414 SSL_free(serverssl);
3415 SSL_free(clientssl);
3416 serverssl = clientssl = NULL;
3417
3418 /* Create a session based on SHA384 */
3419 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3420 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3421 &clientssl, NULL, NULL))
3422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3423 SSL_ERROR_NONE)))
3424 goto end;
3425
3426 clntsess = SSL_get1_session(clientssl);
3427 SSL_shutdown(clientssl);
3428 SSL_shutdown(serverssl);
3429 SSL_free(serverssl);
3430 SSL_free(clientssl);
3431 serverssl = clientssl = NULL;
3432
3433 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3434 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3435 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3436 "TLS_AES_256_GCM_SHA384"))
3437 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3438 NULL, NULL))
3439 || !TEST_true(SSL_set_session(clientssl, clntsess))
3440 /*
3441 * We use SSL_ERROR_WANT_READ below so that we can pause the
3442 * connection after the initial ClientHello has been sent to
3443 * enable us to make some session changes.
3444 */
3445 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3446 SSL_ERROR_WANT_READ)))
3447 goto end;
3448
3449 /* Trick the client into thinking this session is for a different digest */
3450 clntsess->cipher = aes_128_gcm_sha256;
3451 clntsess->cipher_id = clntsess->cipher->id;
3452
3453 /*
3454 * Continue the previously started connection. Server has selected a SHA-384
3455 * ciphersuite, but client thinks the session is for SHA-256, so it should
3456 * bail out.
3457 */
3458 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3459 SSL_ERROR_SSL))
3460 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3461 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3462 goto end;
3463
3464 testresult = 1;
3465
3466 end:
3467 SSL_SESSION_free(clntsess);
3468 SSL_free(serverssl);
3469 SSL_free(clientssl);
3470 SSL_CTX_free(sctx);
3471 SSL_CTX_free(cctx);
3472
3473 return testresult;
3474}
3475
3476/*
3477 * Test TLSv1.3 PSKs
3478 * Test 0 = Test new style callbacks
3479 * Test 1 = Test both new and old style callbacks
3480 * Test 2 = Test old style callbacks
3481 * Test 3 = Test old style callbacks with no certificate
3482 */
3483static int test_tls13_psk(int idx)
3484{
3485 SSL_CTX *sctx = NULL, *cctx = NULL;
3486 SSL *serverssl = NULL, *clientssl = NULL;
3487 const SSL_CIPHER *cipher = NULL;
3488 const unsigned char key[] = {
3489 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3490 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3491 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3492 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3493 };
3494 int testresult = 0;
3495
3496 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3497 TLS1_VERSION, 0,
3498 &sctx, &cctx, idx == 3 ? NULL : cert,
3499 idx == 3 ? NULL : privkey)))
3500 goto end;
3501
3502 if (idx != 3) {
3503 /*
3504 * We use a ciphersuite with SHA256 to ease testing old style PSK
3505 * callbacks which will always default to SHA256. This should not be
3506 * necessary if we have no cert/priv key. In that case the server should
3507 * prefer SHA256 automatically.
3508 */
3509 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3510 "TLS_AES_128_GCM_SHA256")))
3511 goto end;
3512 }
3513
3514 /*
3515 * Test 0: New style callbacks only
3516 * Test 1: New and old style callbacks (only the new ones should be used)
3517 * Test 2: Old style callbacks only
3518 */
3519 if (idx == 0 || idx == 1) {
3520 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3521 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3522 }
3523#ifndef OPENSSL_NO_PSK
3524 if (idx >= 1) {
3525 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3526 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3527 }
3528#endif
3529 srvid = pskid;
3530 use_session_cb_cnt = 0;
3531 find_session_cb_cnt = 0;
3532 psk_client_cb_cnt = 0;
3533 psk_server_cb_cnt = 0;
3534
3535 if (idx != 3) {
3536 /*
3537 * Check we can create a connection if callback decides not to send a
3538 * PSK
3539 */
3540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3541 NULL, NULL))
3542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3543 SSL_ERROR_NONE))
3544 || !TEST_false(SSL_session_reused(clientssl))
3545 || !TEST_false(SSL_session_reused(serverssl)))
3546 goto end;
3547
3548 if (idx == 0 || idx == 1) {
3549 if (!TEST_true(use_session_cb_cnt == 1)
3550 || !TEST_true(find_session_cb_cnt == 0)
3551 /*
3552 * If no old style callback then below should be 0
3553 * otherwise 1
3554 */
3555 || !TEST_true(psk_client_cb_cnt == idx)
3556 || !TEST_true(psk_server_cb_cnt == 0))
3557 goto end;
3558 } else {
3559 if (!TEST_true(use_session_cb_cnt == 0)
3560 || !TEST_true(find_session_cb_cnt == 0)
3561 || !TEST_true(psk_client_cb_cnt == 1)
3562 || !TEST_true(psk_server_cb_cnt == 0))
3563 goto end;
3564 }
3565
3566 shutdown_ssl_connection(serverssl, clientssl);
3567 serverssl = clientssl = NULL;
3568 use_session_cb_cnt = psk_client_cb_cnt = 0;
3569 }
3570
3571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3572 NULL, NULL)))
3573 goto end;
3574
3575 /* Create the PSK */
3576 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3577 clientpsk = SSL_SESSION_new();
3578 if (!TEST_ptr(clientpsk)
3579 || !TEST_ptr(cipher)
3580 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3581 sizeof(key)))
3582 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3583 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3584 TLS1_3_VERSION))
3585 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3586 goto end;
3587 serverpsk = clientpsk;
3588
3589 /* Check we can create a connection and the PSK is used */
3590 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3591 || !TEST_true(SSL_session_reused(clientssl))
3592 || !TEST_true(SSL_session_reused(serverssl)))
3593 goto end;
3594
3595 if (idx == 0 || idx == 1) {
3596 if (!TEST_true(use_session_cb_cnt == 1)
3597 || !TEST_true(find_session_cb_cnt == 1)
3598 || !TEST_true(psk_client_cb_cnt == 0)
3599 || !TEST_true(psk_server_cb_cnt == 0))
3600 goto end;
3601 } else {
3602 if (!TEST_true(use_session_cb_cnt == 0)
3603 || !TEST_true(find_session_cb_cnt == 0)
3604 || !TEST_true(psk_client_cb_cnt == 1)
3605 || !TEST_true(psk_server_cb_cnt == 1))
3606 goto end;
3607 }
3608
3609 shutdown_ssl_connection(serverssl, clientssl);
3610 serverssl = clientssl = NULL;
3611 use_session_cb_cnt = find_session_cb_cnt = 0;
3612 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3613
3614 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3615 NULL, NULL)))
3616 goto end;
3617
3618 /* Force an HRR */
3619 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3620 goto end;
3621
3622 /*
3623 * Check we can create a connection, the PSK is used and the callbacks are
3624 * called twice.
3625 */
3626 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3627 || !TEST_true(SSL_session_reused(clientssl))
3628 || !TEST_true(SSL_session_reused(serverssl)))
3629 goto end;
3630
3631 if (idx == 0 || idx == 1) {
3632 if (!TEST_true(use_session_cb_cnt == 2)
3633 || !TEST_true(find_session_cb_cnt == 2)
3634 || !TEST_true(psk_client_cb_cnt == 0)
3635 || !TEST_true(psk_server_cb_cnt == 0))
3636 goto end;
3637 } else {
3638 if (!TEST_true(use_session_cb_cnt == 0)
3639 || !TEST_true(find_session_cb_cnt == 0)
3640 || !TEST_true(psk_client_cb_cnt == 2)
3641 || !TEST_true(psk_server_cb_cnt == 2))
3642 goto end;
3643 }
3644
3645 shutdown_ssl_connection(serverssl, clientssl);
3646 serverssl = clientssl = NULL;
3647 use_session_cb_cnt = find_session_cb_cnt = 0;
3648 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3649
3650 if (idx != 3) {
3651 /*
3652 * Check that if the server rejects the PSK we can still connect, but with
3653 * a full handshake
3654 */
3655 srvid = "Dummy Identity";
3656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3657 NULL, NULL))
3658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3659 SSL_ERROR_NONE))
3660 || !TEST_false(SSL_session_reused(clientssl))
3661 || !TEST_false(SSL_session_reused(serverssl)))
3662 goto end;
3663
3664 if (idx == 0 || idx == 1) {
3665 if (!TEST_true(use_session_cb_cnt == 1)
3666 || !TEST_true(find_session_cb_cnt == 1)
3667 || !TEST_true(psk_client_cb_cnt == 0)
3668 /*
3669 * If no old style callback then below should be 0
3670 * otherwise 1
3671 */
3672 || !TEST_true(psk_server_cb_cnt == idx))
3673 goto end;
3674 } else {
3675 if (!TEST_true(use_session_cb_cnt == 0)
3676 || !TEST_true(find_session_cb_cnt == 0)
3677 || !TEST_true(psk_client_cb_cnt == 1)
3678 || !TEST_true(psk_server_cb_cnt == 1))
3679 goto end;
3680 }
3681
3682 shutdown_ssl_connection(serverssl, clientssl);
3683 serverssl = clientssl = NULL;
3684 }
3685 testresult = 1;
3686
3687 end:
3688 SSL_SESSION_free(clientpsk);
3689 SSL_SESSION_free(serverpsk);
3690 clientpsk = serverpsk = NULL;
3691 SSL_free(serverssl);
3692 SSL_free(clientssl);
3693 SSL_CTX_free(sctx);
3694 SSL_CTX_free(cctx);
3695 return testresult;
3696}
3697
3698static unsigned char cookie_magic_value[] = "cookie magic";
3699
3700static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3701 unsigned int *cookie_len)
3702{
3703 /*
3704 * Not suitable as a real cookie generation function but good enough for
3705 * testing!
3706 */
3707 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3708 *cookie_len = sizeof(cookie_magic_value) - 1;
3709
3710 return 1;
3711}
3712
3713static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3714 unsigned int cookie_len)
3715{
3716 if (cookie_len == sizeof(cookie_magic_value) - 1
3717 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3718 return 1;
3719
3720 return 0;
3721}
3722
3723static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3724 size_t *cookie_len)
3725{
3726 unsigned int temp;
3727 int res = generate_cookie_callback(ssl, cookie, &temp);
3728 *cookie_len = temp;
3729 return res;
3730}
3731
3732static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3733 size_t cookie_len)
3734{
3735 return verify_cookie_callback(ssl, cookie, cookie_len);
3736}
3737
3738static int test_stateless(void)
3739{
3740 SSL_CTX *sctx = NULL, *cctx = NULL;
3741 SSL *serverssl = NULL, *clientssl = NULL;
3742 int testresult = 0;
3743
3744 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3745 TLS1_VERSION, 0,
3746 &sctx, &cctx, cert, privkey)))
3747 goto end;
3748
3749 /* The arrival of CCS messages can confuse the test */
3750 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3751
3752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3753 NULL, NULL))
3754 /* Send the first ClientHello */
3755 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3756 SSL_ERROR_WANT_READ))
3757 /*
3758 * This should fail with a -1 return because we have no callbacks
3759 * set up
3760 */
3761 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3762 goto end;
3763
3764 /* Fatal error so abandon the connection from this client */
3765 SSL_free(clientssl);
3766 clientssl = NULL;
3767
3768 /* Set up the cookie generation and verification callbacks */
3769 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3770 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3771
3772 /*
3773 * Create a new connection from the client (we can reuse the server SSL
3774 * object).
3775 */
3776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3777 NULL, NULL))
3778 /* Send the first ClientHello */
3779 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3780 SSL_ERROR_WANT_READ))
3781 /* This should fail because there is no cookie */
3782 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3783 goto end;
3784
3785 /* Abandon the connection from this client */
3786 SSL_free(clientssl);
3787 clientssl = NULL;
3788
3789 /*
3790 * Now create a connection from a new client but with the same server SSL
3791 * object
3792 */
3793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3794 NULL, NULL))
3795 /* Send the first ClientHello */
3796 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3797 SSL_ERROR_WANT_READ))
3798 /* This should fail because there is no cookie */
3799 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3800 /* Send the second ClientHello */
3801 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3802 SSL_ERROR_WANT_READ))
3803 /* This should succeed because a cookie is now present */
3804 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3805 /* Complete the connection */
3806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3807 SSL_ERROR_NONE)))
3808 goto end;
3809
3810 shutdown_ssl_connection(serverssl, clientssl);
3811 serverssl = clientssl = NULL;
3812 testresult = 1;
3813
3814 end:
3815 SSL_free(serverssl);
3816 SSL_free(clientssl);
3817 SSL_CTX_free(sctx);
3818 SSL_CTX_free(cctx);
3819 return testresult;
3820
3821}
3822#endif /* OPENSSL_NO_TLS1_3 */
3823
3824static int clntaddoldcb = 0;
3825static int clntparseoldcb = 0;
3826static int srvaddoldcb = 0;
3827static int srvparseoldcb = 0;
3828static int clntaddnewcb = 0;
3829static int clntparsenewcb = 0;
3830static int srvaddnewcb = 0;
3831static int srvparsenewcb = 0;
3832static int snicb = 0;
3833
3834#define TEST_EXT_TYPE1 0xff00
3835
3836static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3837 size_t *outlen, int *al, void *add_arg)
3838{
3839 int *server = (int *)add_arg;
3840 unsigned char *data;
3841
3842 if (SSL_is_server(s))
3843 srvaddoldcb++;
3844 else
3845 clntaddoldcb++;
3846
3847 if (*server != SSL_is_server(s)
3848 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3849 return -1;
3850
3851 *data = 1;
3852 *out = data;
3853 *outlen = sizeof(char);
3854 return 1;
3855}
3856
3857static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3858 void *add_arg)
3859{
3860 OPENSSL_free((unsigned char *)out);
3861}
3862
3863static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3864 size_t inlen, int *al, void *parse_arg)
3865{
3866 int *server = (int *)parse_arg;
3867
3868 if (SSL_is_server(s))
3869 srvparseoldcb++;
3870 else
3871 clntparseoldcb++;
3872
3873 if (*server != SSL_is_server(s)
3874 || inlen != sizeof(char)
3875 || *in != 1)
3876 return -1;
3877
3878 return 1;
3879}
3880
3881static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3882 const unsigned char **out, size_t *outlen, X509 *x,
3883 size_t chainidx, int *al, void *add_arg)
3884{
3885 int *server = (int *)add_arg;
3886 unsigned char *data;
3887
3888 if (SSL_is_server(s))
3889 srvaddnewcb++;
3890 else
3891 clntaddnewcb++;
3892
3893 if (*server != SSL_is_server(s)
3894 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3895 return -1;
3896
3897 *data = 1;
3898 *out = data;
3899 *outlen = sizeof(*data);
3900 return 1;
3901}
3902
3903static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3904 const unsigned char *out, void *add_arg)
3905{
3906 OPENSSL_free((unsigned char *)out);
3907}
3908
3909static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3910 const unsigned char *in, size_t inlen, X509 *x,
3911 size_t chainidx, int *al, void *parse_arg)
3912{
3913 int *server = (int *)parse_arg;
3914
3915 if (SSL_is_server(s))
3916 srvparsenewcb++;
3917 else
3918 clntparsenewcb++;
3919
3920 if (*server != SSL_is_server(s)
3921 || inlen != sizeof(char) || *in != 1)
3922 return -1;
3923
3924 return 1;
3925}
3926
3927static int sni_cb(SSL *s, int *al, void *arg)
3928{
3929 SSL_CTX *ctx = (SSL_CTX *)arg;
3930
3931 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3932 *al = SSL_AD_INTERNAL_ERROR;
3933 return SSL_TLSEXT_ERR_ALERT_FATAL;
3934 }
3935 snicb++;
3936 return SSL_TLSEXT_ERR_OK;
3937}
3938
3939/*
3940 * Custom call back tests.
3941 * Test 0: Old style callbacks in TLSv1.2
3942 * Test 1: New style callbacks in TLSv1.2
3943 * Test 2: New style callbacks in TLSv1.2 with SNI
3944 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3945 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3946 */
3947static int test_custom_exts(int tst)
3948{
3949 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3950 SSL *clientssl = NULL, *serverssl = NULL;
3951 int testresult = 0;
3952 static int server = 1;
3953 static int client = 0;
3954 SSL_SESSION *sess = NULL;
3955 unsigned int context;
3956
3957#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3958 /* Skip tests for TLSv1.2 and below in this case */
3959 if (tst < 3)
3960 return 1;
3961#endif
3962
3963 /* Reset callback counters */
3964 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3965 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3966 snicb = 0;
3967
3968 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3969 TLS1_VERSION, 0,
3970 &sctx, &cctx, cert, privkey)))
3971 goto end;
3972
3973 if (tst == 2
3974 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3975 TLS1_VERSION, 0,
3976 &sctx2, NULL, cert, privkey)))
3977 goto end;
3978
3979
3980 if (tst < 3) {
3981 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3982 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3983 if (sctx2 != NULL)
3984 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3985 }
3986
3987 if (tst == 4) {
3988 context = SSL_EXT_CLIENT_HELLO
3989 | SSL_EXT_TLS1_2_SERVER_HELLO
3990 | SSL_EXT_TLS1_3_SERVER_HELLO
3991 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3992 | SSL_EXT_TLS1_3_CERTIFICATE
3993 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3994 } else {
3995 context = SSL_EXT_CLIENT_HELLO
3996 | SSL_EXT_TLS1_2_SERVER_HELLO
3997 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3998 }
3999
4000 /* Create a client side custom extension */
4001 if (tst == 0) {
4002 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4003 old_add_cb, old_free_cb,
4004 &client, old_parse_cb,
4005 &client)))
4006 goto end;
4007 } else {
4008 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4009 new_add_cb, new_free_cb,
4010 &client, new_parse_cb, &client)))
4011 goto end;
4012 }
4013
4014 /* Should not be able to add duplicates */
4015 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4016 old_add_cb, old_free_cb,
4017 &client, old_parse_cb,
4018 &client))
4019 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4020 context, new_add_cb,
4021 new_free_cb, &client,
4022 new_parse_cb, &client)))
4023 goto end;
4024
4025 /* Create a server side custom extension */
4026 if (tst == 0) {
4027 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4028 old_add_cb, old_free_cb,
4029 &server, old_parse_cb,
4030 &server)))
4031 goto end;
4032 } else {
4033 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4034 new_add_cb, new_free_cb,
4035 &server, new_parse_cb, &server)))
4036 goto end;
4037 if (sctx2 != NULL
4038 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4039 context, new_add_cb,
4040 new_free_cb, &server,
4041 new_parse_cb, &server)))
4042 goto end;
4043 }
4044
4045 /* Should not be able to add duplicates */
4046 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4047 old_add_cb, old_free_cb,
4048 &server, old_parse_cb,
4049 &server))
4050 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4051 context, new_add_cb,
4052 new_free_cb, &server,
4053 new_parse_cb, &server)))
4054 goto end;
4055
4056 if (tst == 2) {
4057 /* Set up SNI */
4058 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4059 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4060 goto end;
4061 }
4062
4063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4064 &clientssl, NULL, NULL))
4065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4066 SSL_ERROR_NONE)))
4067 goto end;
4068
4069 if (tst == 0) {
4070 if (clntaddoldcb != 1
4071 || clntparseoldcb != 1
4072 || srvaddoldcb != 1
4073 || srvparseoldcb != 1)
4074 goto end;
4075 } else if (tst == 1 || tst == 2 || tst == 3) {
4076 if (clntaddnewcb != 1
4077 || clntparsenewcb != 1
4078 || srvaddnewcb != 1
4079 || srvparsenewcb != 1
4080 || (tst != 2 && snicb != 0)
4081 || (tst == 2 && snicb != 1))
4082 goto end;
4083 } else {
4084 /* In this case there 2 NewSessionTicket messages created */
4085 if (clntaddnewcb != 1
4086 || clntparsenewcb != 5
4087 || srvaddnewcb != 5
4088 || srvparsenewcb != 1)
4089 goto end;
4090 }
4091
4092 sess = SSL_get1_session(clientssl);
4093 SSL_shutdown(clientssl);
4094 SSL_shutdown(serverssl);
4095 SSL_free(serverssl);
4096 SSL_free(clientssl);
4097 serverssl = clientssl = NULL;
4098
4099 if (tst == 3) {
4100 /* We don't bother with the resumption aspects for this test */
4101 testresult = 1;
4102 goto end;
4103 }
4104
4105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4106 NULL, NULL))
4107 || !TEST_true(SSL_set_session(clientssl, sess))
4108 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4109 SSL_ERROR_NONE)))
4110 goto end;
4111
4112 /*
4113 * For a resumed session we expect to add the ClientHello extension. For the
4114 * old style callbacks we ignore it on the server side because they set
4115 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4116 * them.
4117 */
4118 if (tst == 0) {
4119 if (clntaddoldcb != 2
4120 || clntparseoldcb != 1
4121 || srvaddoldcb != 1
4122 || srvparseoldcb != 1)
4123 goto end;
4124 } else if (tst == 1 || tst == 2 || tst == 3) {
4125 if (clntaddnewcb != 2
4126 || clntparsenewcb != 2
4127 || srvaddnewcb != 2
4128 || srvparsenewcb != 2)
4129 goto end;
4130 } else {
4131 /*
4132 * No Certificate message extensions in the resumption handshake,
4133 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4134 */
4135 if (clntaddnewcb != 2
4136 || clntparsenewcb != 8
4137 || srvaddnewcb != 8
4138 || srvparsenewcb != 2)
4139 goto end;
4140 }
4141
4142 testresult = 1;
4143
4144end:
4145 SSL_SESSION_free(sess);
4146 SSL_free(serverssl);
4147 SSL_free(clientssl);
4148 SSL_CTX_free(sctx2);
4149 SSL_CTX_free(sctx);
4150 SSL_CTX_free(cctx);
4151 return testresult;
4152}
4153
4154/*
4155 * Test loading of serverinfo data in various formats. test_sslmessages actually
4156 * tests to make sure the extensions appear in the handshake
4157 */
4158static int test_serverinfo(int tst)
4159{
4160 unsigned int version;
4161 unsigned char *sibuf;
4162 size_t sibuflen;
4163 int ret, expected, testresult = 0;
4164 SSL_CTX *ctx;
4165
4166 ctx = SSL_CTX_new(TLS_method());
4167 if (!TEST_ptr(ctx))
4168 goto end;
4169
4170 if ((tst & 0x01) == 0x01)
4171 version = SSL_SERVERINFOV2;
4172 else
4173 version = SSL_SERVERINFOV1;
4174
4175 if ((tst & 0x02) == 0x02) {
4176 sibuf = serverinfov2;
4177 sibuflen = sizeof(serverinfov2);
4178 expected = (version == SSL_SERVERINFOV2);
4179 } else {
4180 sibuf = serverinfov1;
4181 sibuflen = sizeof(serverinfov1);
4182 expected = (version == SSL_SERVERINFOV1);
4183 }
4184
4185 if ((tst & 0x04) == 0x04) {
4186 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4187 } else {
4188 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4189
4190 /*
4191 * The version variable is irrelevant in this case - it's what is in the
4192 * buffer that matters
4193 */
4194 if ((tst & 0x02) == 0x02)
4195 expected = 0;
4196 else
4197 expected = 1;
4198 }
4199
4200 if (!TEST_true(ret == expected))
4201 goto end;
4202
4203 testresult = 1;
4204
4205 end:
4206 SSL_CTX_free(ctx);
4207
4208 return testresult;
4209}
4210
4211/*
4212 * Test that SSL_export_keying_material() produces expected results. There are
4213 * no test vectors so all we do is test that both sides of the communication
4214 * produce the same results for different protocol versions.
4215 */
4216#define SMALL_LABEL_LEN 10
4217#define LONG_LABEL_LEN 249
4218static int test_export_key_mat(int tst)
4219{
4220 int testresult = 0;
4221 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4222 SSL *clientssl = NULL, *serverssl = NULL;
4223 const char label[LONG_LABEL_LEN + 1] = "test label";
4224 const unsigned char context[] = "context";
4225 const unsigned char *emptycontext = NULL;
4226 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4227 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4228 size_t labellen;
4229 const int protocols[] = {
4230 TLS1_VERSION,
4231 TLS1_1_VERSION,
4232 TLS1_2_VERSION,
4233 TLS1_3_VERSION,
4234 TLS1_3_VERSION,
4235 TLS1_3_VERSION
4236 };
4237
4238#ifdef OPENSSL_NO_TLS1
4239 if (tst == 0)
4240 return 1;
4241#endif
4242#ifdef OPENSSL_NO_TLS1_1
4243 if (tst == 1)
4244 return 1;
4245#endif
4246#ifdef OPENSSL_NO_TLS1_2
4247 if (tst == 2)
4248 return 1;
4249#endif
4250#ifdef OPENSSL_NO_TLS1_3
4251 if (tst >= 3)
4252 return 1;
4253#endif
4254 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4255 TLS1_VERSION, 0,
4256 &sctx, &cctx, cert, privkey)))
4257 goto end;
4258
4259 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4260 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4261 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4262
4263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4264 NULL))
4265 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4266 SSL_ERROR_NONE)))
4267 goto end;
4268
4269 if (tst == 5) {
4270 /*
4271 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4272 * go over that.
4273 */
4274 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4275 sizeof(ckeymat1), label,
4276 LONG_LABEL_LEN + 1, context,
4277 sizeof(context) - 1, 1), 0))
4278 goto end;
4279
4280 testresult = 1;
4281 goto end;
4282 } else if (tst == 4) {
4283 labellen = LONG_LABEL_LEN;
4284 } else {
4285 labellen = SMALL_LABEL_LEN;
4286 }
4287
4288 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4289 sizeof(ckeymat1), label,
4290 labellen, context,
4291 sizeof(context) - 1, 1), 1)
4292 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4293 sizeof(ckeymat2), label,
4294 labellen,
4295 emptycontext,
4296 0, 1), 1)
4297 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4298 sizeof(ckeymat3), label,
4299 labellen,
4300 NULL, 0, 0), 1)
4301 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4302 sizeof(skeymat1), label,
4303 labellen,
4304 context,
4305 sizeof(context) -1, 1),
4306 1)
4307 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4308 sizeof(skeymat2), label,
4309 labellen,
4310 emptycontext,
4311 0, 1), 1)
4312 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4313 sizeof(skeymat3), label,
4314 labellen,
4315 NULL, 0, 0), 1)
4316 /*
4317 * Check that both sides created the same key material with the
4318 * same context.
4319 */
4320 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4321 sizeof(skeymat1))
4322 /*
4323 * Check that both sides created the same key material with an
4324 * empty context.
4325 */
4326 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4327 sizeof(skeymat2))
4328 /*
4329 * Check that both sides created the same key material without a
4330 * context.
4331 */
4332 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4333 sizeof(skeymat3))
4334 /* Different contexts should produce different results */
4335 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4336 sizeof(ckeymat2)))
4337 goto end;
4338
4339 /*
4340 * Check that an empty context and no context produce different results in
4341 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4342 */
4343 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4344 sizeof(ckeymat3)))
4345 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4346 sizeof(ckeymat3))))
4347 goto end;
4348
4349 testresult = 1;
4350
4351 end:
4352 SSL_free(serverssl);
4353 SSL_free(clientssl);
4354 SSL_CTX_free(sctx2);
4355 SSL_CTX_free(sctx);
4356 SSL_CTX_free(cctx);
4357
4358 return testresult;
4359}
4360
4361#ifndef OPENSSL_NO_TLS1_3
4362/*
4363 * Test that SSL_export_keying_material_early() produces expected
4364 * results. There are no test vectors so all we do is test that both
4365 * sides of the communication produce the same results for different
4366 * protocol versions.
4367 */
4368static int test_export_key_mat_early(int idx)
4369{
4370 static const char label[] = "test label";
4371 static const unsigned char context[] = "context";
4372 int testresult = 0;
4373 SSL_CTX *cctx = NULL, *sctx = NULL;
4374 SSL *clientssl = NULL, *serverssl = NULL;
4375 SSL_SESSION *sess = NULL;
4376 const unsigned char *emptycontext = NULL;
4377 unsigned char ckeymat1[80], ckeymat2[80];
4378 unsigned char skeymat1[80], skeymat2[80];
4379 unsigned char buf[1];
4380 size_t readbytes, written;
4381
4382 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4383 &sess, idx)))
4384 goto end;
4385
4386 /* Here writing 0 length early data is enough. */
4387 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4388 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4389 &readbytes),
4390 SSL_READ_EARLY_DATA_ERROR)
4391 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4392 SSL_EARLY_DATA_ACCEPTED))
4393 goto end;
4394
4395 if (!TEST_int_eq(SSL_export_keying_material_early(
4396 clientssl, ckeymat1, sizeof(ckeymat1), label,
4397 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4398 || !TEST_int_eq(SSL_export_keying_material_early(
4399 clientssl, ckeymat2, sizeof(ckeymat2), label,
4400 sizeof(label) - 1, emptycontext, 0), 1)
4401 || !TEST_int_eq(SSL_export_keying_material_early(
4402 serverssl, skeymat1, sizeof(skeymat1), label,
4403 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4404 || !TEST_int_eq(SSL_export_keying_material_early(
4405 serverssl, skeymat2, sizeof(skeymat2), label,
4406 sizeof(label) - 1, emptycontext, 0), 1)
4407 /*
4408 * Check that both sides created the same key material with the
4409 * same context.
4410 */
4411 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4412 sizeof(skeymat1))
4413 /*
4414 * Check that both sides created the same key material with an
4415 * empty context.
4416 */
4417 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4418 sizeof(skeymat2))
4419 /* Different contexts should produce different results */
4420 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4421 sizeof(ckeymat2)))
4422 goto end;
4423
4424 testresult = 1;
4425
4426 end:
4427 SSL_SESSION_free(sess);
4428 SSL_SESSION_free(clientpsk);
4429 SSL_SESSION_free(serverpsk);
4430 clientpsk = serverpsk = NULL;
4431 SSL_free(serverssl);
4432 SSL_free(clientssl);
4433 SSL_CTX_free(sctx);
4434 SSL_CTX_free(cctx);
4435
4436 return testresult;
4437}
4438#endif /* OPENSSL_NO_TLS1_3 */
4439
4440static int test_ssl_clear(int idx)
4441{
4442 SSL_CTX *cctx = NULL, *sctx = NULL;
4443 SSL *clientssl = NULL, *serverssl = NULL;
4444 int testresult = 0;
4445
4446#ifdef OPENSSL_NO_TLS1_2
4447 if (idx == 1)
4448 return 1;
4449#endif
4450
4451 /* Create an initial connection */
4452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4453 TLS1_VERSION, 0,
4454 &sctx, &cctx, cert, privkey))
4455 || (idx == 1
4456 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4457 TLS1_2_VERSION)))
4458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4459 &clientssl, NULL, NULL))
4460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4461 SSL_ERROR_NONE)))
4462 goto end;
4463
4464 SSL_shutdown(clientssl);
4465 SSL_shutdown(serverssl);
4466 SSL_free(serverssl);
4467 serverssl = NULL;
4468
4469 /* Clear clientssl - we're going to reuse the object */
4470 if (!TEST_true(SSL_clear(clientssl)))
4471 goto end;
4472
4473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4474 NULL, NULL))
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4476 SSL_ERROR_NONE))
4477 || !TEST_true(SSL_session_reused(clientssl)))
4478 goto end;
4479
4480 SSL_shutdown(clientssl);
4481 SSL_shutdown(serverssl);
4482
4483 testresult = 1;
4484
4485 end:
4486 SSL_free(serverssl);
4487 SSL_free(clientssl);
4488 SSL_CTX_free(sctx);
4489 SSL_CTX_free(cctx);
4490
4491 return testresult;
4492}
4493
4494/* Parse CH and retrieve any MFL extension value if present */
4495static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4496{
4497 long len;
4498 unsigned char *data;
4499 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4500 unsigned int MFL_code = 0, type = 0;
4501
4502 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4503 goto end;
4504
4505 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4506 /* Skip the record header */
4507 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4508 /* Skip the handshake message header */
4509 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4510 /* Skip client version and random */
4511 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4512 + SSL3_RANDOM_SIZE))
4513 /* Skip session id */
4514 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4515 /* Skip ciphers */
4516 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4517 /* Skip compression */
4518 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4519 /* Extensions len */
4520 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4521 goto end;
4522
4523 /* Loop through all extensions */
4524 while (PACKET_remaining(&pkt2)) {
4525 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4526 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4527 goto end;
4528
4529 if (type == TLSEXT_TYPE_max_fragment_length) {
4530 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4531 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4532 goto end;
4533
4534 *mfl_codemfl_code = MFL_code;
4535 return 1;
4536 }
4537 }
4538
4539 end:
4540 return 0;
4541}
4542
4543/* Maximum-Fragment-Length TLS extension mode to test */
4544static const unsigned char max_fragment_len_test[] = {
4545 TLSEXT_max_fragment_length_512,
4546 TLSEXT_max_fragment_length_1024,
4547 TLSEXT_max_fragment_length_2048,
4548 TLSEXT_max_fragment_length_4096
4549};
4550
4551static int test_max_fragment_len_ext(int idx_tst)
4552{
4553 SSL_CTX *ctx;
4554 SSL *con = NULL;
4555 int testresult = 0, MFL_mode = 0;
4556 BIO *rbio, *wbio;
4557
4558 ctx = SSL_CTX_new(TLS_method());
4559 if (!TEST_ptr(ctx))
4560 goto end;
4561
4562 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4563 ctx, max_fragment_len_test[idx_tst])))
4564 goto end;
4565
4566 con = SSL_new(ctx);
4567 if (!TEST_ptr(con))
4568 goto end;
4569
4570 rbio = BIO_new(BIO_s_mem());
4571 wbio = BIO_new(BIO_s_mem());
4572 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4573 BIO_free(rbio);
4574 BIO_free(wbio);
4575 goto end;
4576 }
4577
4578 SSL_set_bio(con, rbio, wbio);
4579 SSL_set_connect_state(con);
4580
4581 if (!TEST_int_le(SSL_connect(con), 0)) {
4582 /* This shouldn't succeed because we don't have a server! */
4583 goto end;
4584 }
4585
4586 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4587 /* no MFL in client hello */
4588 goto end;
4589 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4590 goto end;
4591
4592 testresult = 1;
4593
4594end:
4595 SSL_free(con);
4596 SSL_CTX_free(ctx);
4597
4598 return testresult;
4599}
4600
4601#ifndef OPENSSL_NO_TLS1_3
4602static int test_pha_key_update(void)
4603{
4604 SSL_CTX *cctx = NULL, *sctx = NULL;
4605 SSL *clientssl = NULL, *serverssl = NULL;
4606 int testresult = 0;
4607
4608 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4609 TLS1_VERSION, 0,
4610 &sctx, &cctx, cert, privkey)))
4611 return 0;
4612
4613 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4614 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4615 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4616 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4617 goto end;
4618
4619 SSL_CTX_set_post_handshake_auth(cctx, 1);
4620
4621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4622 NULL, NULL)))
4623 goto end;
4624
4625 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4626 SSL_ERROR_NONE)))
4627 goto end;
4628
4629 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4630 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4631 goto end;
4632
4633 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4634 goto end;
4635
4636 /* Start handshake on the server */
4637 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4638 goto end;
4639
4640 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4641 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4642 SSL_ERROR_NONE)))
4643 goto end;
4644
4645 SSL_shutdown(clientssl);
4646 SSL_shutdown(serverssl);
4647
4648 testresult = 1;
4649
4650 end:
4651 SSL_free(serverssl);
4652 SSL_free(clientssl);
4653 SSL_CTX_free(sctx);
4654 SSL_CTX_free(cctx);
4655 return testresult;
4656}
4657#endif
4658
4659#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4660
4661static SRP_VBASE *vbase = NULL;
4662
4663static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4664{
4665 int ret = SSL3_AL_FATAL;
4666 char *username;
4667 SRP_user_pwd *user = NULL;
4668
4669 username = SSL_get_srp_username(s);
4670 if (username == NULL) {
4671 *ad = SSL_AD_INTERNAL_ERROR;
4672 goto err;
4673 }
4674
4675 user = SRP_VBASE_get1_by_user(vbase, username);
4676 if (user == NULL) {
4677 *ad = SSL_AD_INTERNAL_ERROR;
4678 goto err;
4679 }
4680
4681 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4682 user->info) <= 0) {
4683 *ad = SSL_AD_INTERNAL_ERROR;
4684 goto err;
4685 }
4686
4687 ret = 0;
4688
4689 err:
4690 SRP_user_pwd_free(user);
4691 return ret;
4692}
4693
4694static int create_new_vfile(char *userid, char *password, const char *filename)
4695{
4696 char *gNid = NULL;
4697 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4698 TXT_DB *db = NULL;
4699 int ret = 0;
4700 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4701 size_t i;
4702
4703 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4704 goto end;
4705
4706 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4707 &row[DB_srpverifier], NULL, NULL);
4708 if (!TEST_ptr(gNid))
4709 goto end;
4710
4711 /*
4712 * The only way to create an empty TXT_DB is to provide a BIO with no data
4713 * in it!
4714 */
4715 db = TXT_DB_read(dummy, DB_NUMBER);
4716 if (!TEST_ptr(db))
4717 goto end;
4718
4719 out = BIO_new_file(filename, "w");
4720 if (!TEST_ptr(out))
4721 goto end;
4722
4723 row[DB_srpid] = OPENSSL_strdup(userid);
4724 row[DB_srptype] = OPENSSL_strdup("V");
4725 row[DB_srpgN] = OPENSSL_strdup(gNid);
4726
4727 if (!TEST_ptr(row[DB_srpid])
4728 || !TEST_ptr(row[DB_srptype])
4729 || !TEST_ptr(row[DB_srpgN])
4730 || !TEST_true(TXT_DB_insert(db, row)))
4731 goto end;
4732
4733 row = NULL;
4734
4735 if (!TXT_DB_write(out, db))
4736 goto end;
4737
4738 ret = 1;
4739 end:
4740 if (row != NULL) {
4741 for (i = 0; i < DB_NUMBER; i++)
4742 OPENSSL_free(row[i]);
4743 }
4744 OPENSSL_free(row);
4745 BIO_free(dummy);
4746 BIO_free(out);
4747 TXT_DB_free(db);
4748
4749 return ret;
4750}
4751
4752static int create_new_vbase(char *userid, char *password)
4753{
4754 BIGNUM *verifier = NULL, *salt = NULL;
4755 const SRP_gN *lgN = NULL;
4756 SRP_user_pwd *user_pwd = NULL;
4757 int ret = 0;
4758
4759 lgN = SRP_get_default_gN(NULL);
4760 if (!TEST_ptr(lgN))
4761 goto end;
4762
4763 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4764 lgN->N, lgN->g)))
4765 goto end;
4766
4767 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4768 if (!TEST_ptr(user_pwd))
4769 goto end;
4770
4771 user_pwd->N = lgN->N;
4772 user_pwd->g = lgN->g;
4773 user_pwd->id = OPENSSL_strdup(userid);
4774 if (!TEST_ptr(user_pwd->id))
4775 goto end;
4776
4777 user_pwd->v = verifier;
4778 user_pwd->s = salt;
4779 verifier = salt = NULL;
4780
4781 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4782 goto end;
4783 user_pwd = NULL;
4784
4785 ret = 1;
4786end:
4787 SRP_user_pwd_free(user_pwd);
4788 BN_free(salt);
4789 BN_free(verifier);
4790
4791 return ret;
4792}
4793
4794/*
4795 * SRP tests
4796 *
4797 * Test 0: Simple successful SRP connection, new vbase
4798 * Test 1: Connection failure due to bad password, new vbase
4799 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4800 * Test 3: Connection failure due to bad password, vbase loaded from existing
4801 * file
4802 * Test 4: Simple successful SRP connection, vbase loaded from new file
4803 * Test 5: Connection failure due to bad password, vbase loaded from new file
4804 */
4805static int test_srp(int tst)
4806{
4807 char *userid = "test", *password = "password", *tstsrpfile;
4808 SSL_CTX *cctx = NULL, *sctx = NULL;
4809 SSL *clientssl = NULL, *serverssl = NULL;
4810 int ret, testresult = 0;
4811
4812 vbase = SRP_VBASE_new(NULL);
4813 if (!TEST_ptr(vbase))
4814 goto end;
4815
4816 if (tst == 0 || tst == 1) {
4817 if (!TEST_true(create_new_vbase(userid, password)))
4818 goto end;
4819 } else {
4820 if (tst == 4 || tst == 5) {
4821 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4822 goto end;
4823 tstsrpfile = tmpfilename;
4824 } else {
4825 tstsrpfile = srpvfile;
4826 }
4827 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4828 goto end;
4829 }
4830
4831 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4832 TLS1_VERSION, 0,
4833 &sctx, &cctx, cert, privkey)))
4834 goto end;
4835
4836 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4837 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4838 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4839 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4840 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4841 goto end;
4842
4843 if (tst % 2 == 1) {
4844 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4845 goto end;
4846 } else {
4847 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4848 goto end;
4849 }
4850
4851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4852 NULL, NULL)))
4853 goto end;
4854
4855 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4856 if (ret) {
4857 if (!TEST_true(tst % 2 == 0))
4858 goto end;
4859 } else {
4860 if (!TEST_true(tst % 2 == 1))
4861 goto end;
4862 }
4863
4864 testresult = 1;
4865
4866 end:
4867 SRP_VBASE_free(vbase);
4868 vbase = NULL;
4869 SSL_free(serverssl);
4870 SSL_free(clientssl);
4871 SSL_CTX_free(sctx);
4872 SSL_CTX_free(cctx);
4873
4874 return testresult;
4875}
4876#endif
4877
4878static int info_cb_failed = 0;
4879static int info_cb_offset = 0;
4880static int info_cb_this_state = -1;
4881
4882static struct info_cb_states_st {
4883 int where;
4884 const char *statestr;
4885} info_cb_states[][60] = {
4886 {
4887 /* TLSv1.2 server followed by resumption */
4888 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4889 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4890 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4891 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4892 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4893 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4894 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4895 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4896 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4897 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4898 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4899 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4900 {SSL_CB_EXIT, NULL}, {0, NULL},
4901 }, {
4902 /* TLSv1.2 client followed by resumption */
4903 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4904 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4905 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4906 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4907 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4908 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4909 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4910 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4911 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4912 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4913 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4914 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4915 }, {
4916 /* TLSv1.3 server followed by resumption */
4917 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4918 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4919 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4920 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4921 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4922 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4923 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4924 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4925 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4926 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4927 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4928 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4929 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4930 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4931 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4932 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4933 {SSL_CB_EXIT, NULL}, {0, NULL},
4934 }, {
4935 /* TLSv1.3 client followed by resumption */
4936 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4937 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4938 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4939 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4940 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4941 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4942 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4943 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4944 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4945 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4946 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4947 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4948 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4949 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4950 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4951 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4952 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4953 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4954 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4955 }, {
4956 /* TLSv1.3 server, early_data */
4957 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4958 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4959 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4960 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4961 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4962 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4963 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4964 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4965 {SSL_CB_EXIT, NULL}, {0, NULL},
4966 }, {
4967 /* TLSv1.3 client, early_data */
4968 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4969 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4970 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4971 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4972 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4973 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4974 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4975 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4976 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4977 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4978 }, {
4979 {0, NULL},
4980 }
4981};
4982
4983static void sslapi_info_callback(const SSL *s, int where, int ret)
4984{
4985 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4986
4987 /* We do not ever expect a connection to fail in this test */
4988 if (!TEST_false(ret == 0)) {
4989 info_cb_failed = 1;
4990 return;
4991 }
4992
4993 /*
4994 * Do some sanity checks. We never expect these things to happen in this
4995 * test
4996 */
4997 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4998 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4999 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5000 info_cb_failed = 1;
5001 return;
5002 }
5003
5004 /* Now check we're in the right state */
5005 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5006 info_cb_failed = 1;
5007 return;
5008 }
5009 if ((where & SSL_CB_LOOP) != 0
5010 && !TEST_int_eq(strcmp(SSL_state_string(s),
5011 state[info_cb_this_state].statestr), 0)) {
5012 info_cb_failed = 1;
5013 return;
5014 }
5015
5016 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
5017 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
5018 info_cb_failed = 1;
5019 return;
5020 }
5021}
5022
5023/*
5024 * Test the info callback gets called when we expect it to.
5025 *
5026 * Test 0: TLSv1.2, server
5027 * Test 1: TLSv1.2, client
5028 * Test 2: TLSv1.3, server
5029 * Test 3: TLSv1.3, client
5030 * Test 4: TLSv1.3, server, early_data
5031 * Test 5: TLSv1.3, client, early_data
5032 */
5033static int test_info_callback(int tst)
5034{
5035 SSL_CTX *cctx = NULL, *sctx = NULL;
5036 SSL *clientssl = NULL, *serverssl = NULL;
5037 SSL_SESSION *clntsess = NULL;
5038 int testresult = 0;
5039 int tlsvers;
5040
5041 if (tst < 2) {
5042/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5043#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5044 || !defined(OPENSSL_NO_DH))
5045 tlsvers = TLS1_2_VERSION;
5046#else
5047 return 1;
5048#endif
5049 } else {
5050#ifndef OPENSSL_NO_TLS1_3
5051 tlsvers = TLS1_3_VERSION;
5052#else
5053 return 1;
5054#endif
5055 }
5056
5057 /* Reset globals */
5058 info_cb_failed = 0;
5059 info_cb_this_state = -1;
5060 info_cb_offset = tst;
5061
5062#ifndef OPENSSL_NO_TLS1_3
5063 if (tst >= 4) {
5064 SSL_SESSION *sess = NULL;
5065 size_t written, readbytes;
5066 unsigned char buf[80];
5067
5068 /* early_data tests */
5069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5070 &serverssl, &sess, 0)))
5071 goto end;
5072
5073 /* We don't actually need this reference */
5074 SSL_SESSION_free(sess);
5075
5076 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5077 sslapi_info_callback);
5078
5079 /* Write and read some early data and then complete the connection */
5080 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5081 &written))
5082 || !TEST_size_t_eq(written, strlen(MSG1))
5083 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5084 sizeof(buf), &readbytes),
5085 SSL_READ_EARLY_DATA_SUCCESS)
5086 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5087 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5088 SSL_EARLY_DATA_ACCEPTED)
5089 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5090 SSL_ERROR_NONE))
5091 || !TEST_false(info_cb_failed))
5092 goto end;
5093
5094 testresult = 1;
5095 goto end;
5096 }
5097#endif
5098
5099 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5100 TLS_client_method(),
5101 tlsvers, tlsvers, &sctx, &cctx, cert,
5102 privkey)))
5103 goto end;
5104
5105 /*
5106 * For even numbered tests we check the server callbacks. For odd numbers we
5107 * check the client.
5108 */
5109 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5110 sslapi_info_callback);
5111
5112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5113 &clientssl, NULL, NULL))
5114 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5115 SSL_ERROR_NONE))
5116 || !TEST_false(info_cb_failed))
5117 goto end;
5118
5119
5120
5121 clntsess = SSL_get1_session(clientssl);
5122 SSL_shutdown(clientssl);
5123 SSL_shutdown(serverssl);
5124 SSL_free(serverssl);
5125 SSL_free(clientssl);
5126 serverssl = clientssl = NULL;
5127
5128 /* Now do a resumption */
5129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5130 NULL))
5131 || !TEST_true(SSL_set_session(clientssl, clntsess))
5132 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5133 SSL_ERROR_NONE))
5134 || !TEST_true(SSL_session_reused(clientssl))
5135 || !TEST_false(info_cb_failed))
5136 goto end;
5137
5138 testresult = 1;
5139
5140 end:
5141 SSL_free(serverssl);
5142 SSL_free(clientssl);
5143 SSL_SESSION_free(clntsess);
5144 SSL_CTX_free(sctx);
5145 SSL_CTX_free(cctx);
5146 return testresult;
5147}
5148
5149static int test_ssl_pending(int tst)
5150{
5151 SSL_CTX *cctx = NULL, *sctx = NULL;
5152 SSL *clientssl = NULL, *serverssl = NULL;
5153 int testresult = 0;
5154 char msg[] = "A test message";
5155 char buf[5];
5156 size_t written, readbytes;
5157
5158 if (tst == 0) {
5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5160 TLS_client_method(),
5161 TLS1_VERSION, 0,
5162 &sctx, &cctx, cert, privkey)))
5163 goto end;
5164 } else {
5165#ifndef OPENSSL_NO_DTLS
5166 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5167 DTLS_client_method(),
5168 DTLS1_VERSION, 0,
5169 &sctx, &cctx, cert, privkey)))
5170 goto end;
5171#else
5172 return 1;
5173#endif
5174 }
5175
5176 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5177 NULL, NULL))
5178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5179 SSL_ERROR_NONE)))
5180 goto end;
5181
5182 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5183 || !TEST_false(SSL_has_pending(clientssl))
5184 || !TEST_int_eq(SSL_pending(serverssl), 0)
5185 || !TEST_false(SSL_has_pending(serverssl))
5186 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5187 || !TEST_size_t_eq(written, sizeof(msg))
5188 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5189 || !TEST_size_t_eq(readbytes, sizeof(buf))
5190 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5191 || !TEST_true(SSL_has_pending(clientssl)))
5192 goto end;
5193
5194 testresult = 1;
5195
5196 end:
5197 SSL_free(serverssl);
5198 SSL_free(clientssl);
5199 SSL_CTX_free(sctx);
5200 SSL_CTX_free(cctx);
5201
5202 return testresult;
5203}
5204
5205static struct {
5206 unsigned int maxprot;
5207 const char *clntciphers;
5208 const char *clnttls13ciphers;
5209 const char *srvrciphers;
5210 const char *srvrtls13ciphers;
5211 const char *shared;
5212} shared_ciphers_data[] = {
5213/*
5214 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5215 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5216 */
5217#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5218 {
5219 TLS1_2_VERSION,
5220 "AES128-SHA:AES256-SHA",
5221 NULL,
5222 "AES256-SHA:DHE-RSA-AES128-SHA",
5223 NULL,
5224 "AES256-SHA"
5225 },
5226 {
5227 TLS1_2_VERSION,
5228 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5229 NULL,
5230 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5231 NULL,
5232 "AES128-SHA:AES256-SHA"
5233 },
5234 {
5235 TLS1_2_VERSION,
5236 "AES128-SHA:AES256-SHA",
5237 NULL,
5238 "AES128-SHA:DHE-RSA-AES128-SHA",
5239 NULL,
5240 "AES128-SHA"
5241 },
5242#endif
5243/*
5244 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5245 * enabled.
5246 */
5247#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5248 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5249 {
5250 TLS1_3_VERSION,
5251 "AES128-SHA:AES256-SHA",
5252 NULL,
5253 "AES256-SHA:AES128-SHA256",
5254 NULL,
5255 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5256 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5257 },
5258#endif
5259#ifndef OPENSSL_NO_TLS1_3
5260 {
5261 TLS1_3_VERSION,
5262 "AES128-SHA",
5263 "TLS_AES_256_GCM_SHA384",
5264 "AES256-SHA",
5265 "TLS_AES_256_GCM_SHA384",
5266 "TLS_AES_256_GCM_SHA384"
5267 },
5268#endif
5269};
5270
5271static int test_ssl_get_shared_ciphers(int tst)
5272{
5273 SSL_CTX *cctx = NULL, *sctx = NULL;
5274 SSL *clientssl = NULL, *serverssl = NULL;
5275 int testresult = 0;
5276 char buf[1024];
5277
5278 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5279 TLS_client_method(),
5280 TLS1_VERSION,
5281 shared_ciphers_data[tst].maxprot,
5282 &sctx, &cctx, cert, privkey)))
5283 goto end;
5284
5285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5286 shared_ciphers_data[tst].clntciphers))
5287 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5288 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5289 shared_ciphers_data[tst].clnttls13ciphers)))
5290 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5291 shared_ciphers_data[tst].srvrciphers))
5292 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5293 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5294 shared_ciphers_data[tst].srvrtls13ciphers))))
5295 goto end;
5296
5297
5298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5299 NULL, NULL))
5300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5301 SSL_ERROR_NONE)))
5302 goto end;
5303
5304 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5305 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5306 TEST_info("Shared ciphers are: %s\n", buf);
5307 goto end;
5308 }
5309
5310 testresult = 1;
5311
5312 end:
5313 SSL_free(serverssl);
5314 SSL_free(clientssl);
5315 SSL_CTX_free(sctx);
5316 SSL_CTX_free(cctx);
5317
5318 return testresult;
5319}
5320
5321static const char *appdata = "Hello World";
5322static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5323static int tick_key_renew = 0;
5324static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5325
5326static int gen_tick_cb(SSL *s, void *arg)
5327{
5328 gen_tick_called = 1;
5329
5330 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5331 strlen(appdata));
5332}
5333
5334static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5335 const unsigned char *keyname,
5336 size_t keyname_length,
5337 SSL_TICKET_STATUS status,
5338 void *arg)
5339{
5340 void *tickdata;
5341 size_t tickdlen;
5342
5343 dec_tick_called = 1;
5344
5345 if (status == SSL_TICKET_EMPTY)
5346 return SSL_TICKET_RETURN_IGNORE_RENEW;
5347
5348 if (!TEST_true(status == SSL_TICKET_SUCCESS
5349 || status == SSL_TICKET_SUCCESS_RENEW))
5350 return SSL_TICKET_RETURN_ABORT;
5351
5352 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5353 &tickdlen))
5354 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5355 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5356 return SSL_TICKET_RETURN_ABORT;
5357
5358 if (tick_key_cb_called) {
5359 /* Don't change what the ticket key callback wanted to do */
5360 switch (status) {
5361 case SSL_TICKET_NO_DECRYPT:
5362 return SSL_TICKET_RETURN_IGNORE_RENEW;
5363
5364 case SSL_TICKET_SUCCESS:
5365 return SSL_TICKET_RETURN_USE;
5366
5367 case SSL_TICKET_SUCCESS_RENEW:
5368 return SSL_TICKET_RETURN_USE_RENEW;
5369
5370 default:
5371 return SSL_TICKET_RETURN_ABORT;
5372 }
5373 }
5374 return tick_dec_ret;
5375
5376}
5377
5378static int tick_key_cb(SSL *s, unsigned char key_name[16],
5379 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5380 HMAC_CTX *hctx, int enc)
5381{
5382 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5383 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5384
5385 tick_key_cb_called = 1;
5386 memset(iv, 0, AES_BLOCK_SIZE);
5387 memset(key_name, 0, 16);
5388 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5389 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5390 EVP_sha256(), NULL))
5391 return -1;
5392
5393 return tick_key_renew ? 2 : 1;
5394}
5395
5396/*
5397 * Test the various ticket callbacks
5398 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5399 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5400 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5401 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5402 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5403 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5404 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5405 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5406 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5407 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5408 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5409 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5410 */
5411static int test_ticket_callbacks(int tst)
5412{
5413 SSL_CTX *cctx = NULL, *sctx = NULL;
5414 SSL *clientssl = NULL, *serverssl = NULL;
5415 SSL_SESSION *clntsess = NULL;
5416 int testresult = 0;
5417
5418#ifdef OPENSSL_NO_TLS1_2
5419 if (tst % 2 == 0)
5420 return 1;
5421#endif
5422#ifdef OPENSSL_NO_TLS1_3
5423 if (tst % 2 == 1)
5424 return 1;
5425#endif
5426
5427 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5428
5429 /* Which tests the ticket key callback should request renewal for */
5430 if (tst == 10 || tst == 11)
5431 tick_key_renew = 1;
5432 else
5433 tick_key_renew = 0;
5434
5435 /* Which tests the decrypt ticket callback should request renewal for */
5436 switch (tst) {
5437 case 0:
5438 case 1:
5439 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5440 break;
5441
5442 case 2:
5443 case 3:
5444 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5445 break;
5446
5447 case 4:
5448 case 5:
5449 tick_dec_ret = SSL_TICKET_RETURN_USE;
5450 break;
5451
5452 case 6:
5453 case 7:
5454 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5455 break;
5456
5457 default:
5458 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5459 }
5460
5461 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5462 TLS_client_method(),
5463 TLS1_VERSION,
5464 ((tst % 2) == 0) ? TLS1_2_VERSION
5465 : TLS1_3_VERSION,
5466 &sctx, &cctx, cert, privkey)))
5467 goto end;
5468
5469 /*
5470 * We only want sessions to resume from tickets - not the session cache. So
5471 * switch the cache off.
5472 */
5473 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5474 goto end;
5475
5476 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5477 NULL)))
5478 goto end;
5479
5480 if (tst >= 8
5481 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5482 goto end;
5483
5484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5485 NULL, NULL))
5486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5487 SSL_ERROR_NONE)))
5488 goto end;
5489
5490 /*
5491 * The decrypt ticket key callback in TLSv1.2 should be called even though
5492 * we have no ticket yet, because it gets called with a status of
5493 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5494 * actually send any ticket data). This does not happen in TLSv1.3 because
5495 * it is not valid to send empty ticket data in TLSv1.3.
5496 */
5497 if (!TEST_int_eq(gen_tick_called, 1)
5498 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5499 goto end;
5500
5501 gen_tick_called = dec_tick_called = 0;
5502
5503 clntsess = SSL_get1_session(clientssl);
5504 SSL_shutdown(clientssl);
5505 SSL_shutdown(serverssl);
5506 SSL_free(serverssl);
5507 SSL_free(clientssl);
5508 serverssl = clientssl = NULL;
5509
5510 /* Now do a resumption */
5511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5512 NULL))
5513 || !TEST_true(SSL_set_session(clientssl, clntsess))
5514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5515 SSL_ERROR_NONE)))
5516 goto end;
5517
5518 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5519 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5520 if (!TEST_false(SSL_session_reused(clientssl)))
5521 goto end;
5522 } else {
5523 if (!TEST_true(SSL_session_reused(clientssl)))
5524 goto end;
5525 }
5526
5527 if (!TEST_int_eq(gen_tick_called,
5528 (tick_key_renew
5529 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5530 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5531 ? 1 : 0)
5532 || !TEST_int_eq(dec_tick_called, 1))
5533 goto end;
5534
5535 testresult = 1;
5536
5537 end:
5538 SSL_SESSION_free(clntsess);
5539 SSL_free(serverssl);
5540 SSL_free(clientssl);
5541 SSL_CTX_free(sctx);
5542 SSL_CTX_free(cctx);
5543
5544 return testresult;
5545}
5546
5547/*
5548 * Test bi-directional shutdown.
5549 * Test 0: TLSv1.2
5550 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5551 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5552 * Test 3: TLSv1.3, pending NewSessionTicket messages
5553 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5554 * sends key update, client reads it
5555 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5556 * sends CertificateRequest, client reads and ignores it
5557 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5558 * doesn't read it
5559 */
5560static int test_shutdown(int tst)
5561{
5562 SSL_CTX *cctx = NULL, *sctx = NULL;
5563 SSL *clientssl = NULL, *serverssl = NULL;
5564 int testresult = 0;
5565 char msg[] = "A test message";
5566 char buf[80];
5567 size_t written, readbytes;
5568 SSL_SESSION *sess;
5569
5570#ifdef OPENSSL_NO_TLS1_2
5571 if (tst <= 1)
5572 return 1;
5573#endif
5574#ifdef OPENSSL_NO_TLS1_3
5575 if (tst >= 2)
5576 return 1;
5577#endif
5578
5579 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5580 TLS_client_method(),
5581 TLS1_VERSION,
5582 (tst <= 1) ? TLS1_2_VERSION
5583 : TLS1_3_VERSION,
5584 &sctx, &cctx, cert, privkey)))
5585 goto end;
5586
5587 if (tst == 5)
5588 SSL_CTX_set_post_handshake_auth(cctx, 1);
5589
5590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5591 NULL, NULL)))
5592 goto end;
5593
5594 if (tst == 3) {
5595 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5596 SSL_ERROR_NONE, 1))
5597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5598 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5599 goto end;
5600 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5601 SSL_ERROR_NONE))
5602 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5603 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5604 goto end;
5605 }
5606
5607 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5608 goto end;
5609
5610 if (tst >= 4) {
5611 /*
5612 * Reading on the server after the client has sent close_notify should
5613 * fail and provide SSL_ERROR_ZERO_RETURN
5614 */
5615 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5616 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5617 SSL_ERROR_ZERO_RETURN)
5618 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5619 SSL_RECEIVED_SHUTDOWN)
5620 /*
5621 * Even though we're shutdown on receive we should still be
5622 * able to write.
5623 */
5624 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5625 goto end;
5626 if (tst == 4
5627 && !TEST_true(SSL_key_update(serverssl,
5628 SSL_KEY_UPDATE_REQUESTED)))
5629 goto end;
5630 if (tst == 5) {
5631 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5632 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5633 goto end;
5634 }
5635 if ((tst == 4 || tst == 5)
5636 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5637 goto end;
5638 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5639 goto end;
5640 if (tst == 4 || tst == 5) {
5641 /* Should still be able to read data from server */
5642 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5643 &readbytes))
5644 || !TEST_size_t_eq(readbytes, sizeof(msg))
5645 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5646 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5647 &readbytes))
5648 || !TEST_size_t_eq(readbytes, sizeof(msg))
5649 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5650 goto end;
5651 }
5652 }
5653
5654 /* Writing on the client after sending close_notify shouldn't be possible */
5655 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5656 goto end;
5657
5658 if (tst < 4) {
5659 /*
5660 * For these tests the client has sent close_notify but it has not yet
5661 * been received by the server. The server has not sent close_notify
5662 * yet.
5663 */
5664 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5665 /*
5666 * Writing on the server after sending close_notify shouldn't
5667 * be possible.
5668 */
5669 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5670 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5671 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5672 || !TEST_true(SSL_SESSION_is_resumable(sess))
5673 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5674 goto end;
5675 } else if (tst == 4 || tst == 5) {
5676 /*
5677 * In this test the client has sent close_notify and it has been
5678 * received by the server which has responded with a close_notify. The
5679 * client needs to read the close_notify sent by the server.
5680 */
5681 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5682 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5683 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5684 goto end;
5685 } else {
5686 /*
5687 * tst == 6
5688 *
5689 * The client has sent close_notify and is expecting a close_notify
5690 * back, but instead there is application data first. The shutdown
5691 * should fail with a fatal error.
5692 */
5693 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5694 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5695 goto end;
5696 }
5697
5698 testresult = 1;
5699
5700 end:
5701 SSL_free(serverssl);
5702 SSL_free(clientssl);
5703 SSL_CTX_free(sctx);
5704 SSL_CTX_free(cctx);
5705
5706 return testresult;
5707}
5708
5709#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5710static int cert_cb_cnt;
5711
5712static int cert_cb(SSL *s, void *arg)
5713{
5714 SSL_CTX *ctx = (SSL_CTX *)arg;
5715
5716 if (cert_cb_cnt == 0) {
5717 /* Suspend the handshake */
5718 cert_cb_cnt++;
5719 return -1;
5720 } else if (cert_cb_cnt == 1) {
5721 /*
5722 * Update the SSL_CTX, set the certificate and private key and then
5723 * continue the handshake normally.
5724 */
5725 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5726 return 0;
5727
5728 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5729 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5730 SSL_FILETYPE_PEM))
5731 || !TEST_true(SSL_check_private_key(s)))
5732 return 0;
5733 cert_cb_cnt++;
5734 return 1;
5735 }
5736
5737 /* Abort the handshake */
5738 return 0;
5739}
5740
5741/*
5742 * Test the certificate callback.
5743 * Test 0: Callback fails
5744 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5745 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5746 */
5747static int test_cert_cb_int(int prot, int tst)
5748{
5749 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5750 SSL *clientssl = NULL, *serverssl = NULL;
5751 int testresult = 0, ret;
5752
5753 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5754 TLS_client_method(),
5755 TLS1_VERSION,
5756 prot,
5757 &sctx, &cctx, NULL, NULL)))
5758 goto end;
5759
5760 if (tst == 0)
5761 cert_cb_cnt = -1;
5762 else
5763 cert_cb_cnt = 0;
5764 if (tst == 2)
5765 snictx = SSL_CTX_new(TLS_server_method());
5766 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5767
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5769 NULL, NULL)))
5770 goto end;
5771
5772 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5773 if (!TEST_true(tst == 0 ? !ret : ret)
5774 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5775 goto end;
5776 }
5777
5778 testresult = 1;
5779
5780 end:
5781 SSL_free(serverssl);
5782 SSL_free(clientssl);
5783 SSL_CTX_free(sctx);
5784 SSL_CTX_free(cctx);
5785 SSL_CTX_free(snictx);
5786
5787 return testresult;
5788}
5789#endif
5790
5791static int test_cert_cb(int tst)
5792{
5793 int testresult = 1;
5794
5795#ifndef OPENSSL_NO_TLS1_2
5796 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5797#endif
5798#ifndef OPENSSL_NO_TLS1_3
5799 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5800#endif
5801
5802 return testresult;
5803}
5804
5805static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5806{
5807 X509 *xcert, *peer;
5808 EVP_PKEY *privpkey;
5809 BIO *in = NULL;
5810
5811 /* Check that SSL_get_peer_certificate() returns something sensible */
5812 peer = SSL_get_peer_certificate(ssl);
5813 if (!TEST_ptr(peer))
5814 return 0;
5815 X509_free(peer);
5816
5817 in = BIO_new_file(cert, "r");
5818 if (!TEST_ptr(in))
5819 return 0;
5820
5821 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5822 BIO_free(in);
5823 if (!TEST_ptr(xcert))
5824 return 0;
5825
5826 in = BIO_new_file(privkey, "r");
5827 if (!TEST_ptr(in)) {
5828 X509_free(xcert);
5829 return 0;
5830 }
5831
5832 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5833 BIO_free(in);
5834 if (!TEST_ptr(privpkey)) {
5835 X509_free(xcert);
5836 return 0;
5837 }
5838
5839 *x509 = xcert;
5840 *pkey = privpkey;
5841
5842 return 1;
5843}
5844
5845static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5846{
5847 return 1;
5848}
5849
5850static int test_client_cert_cb(int tst)
5851{
5852 SSL_CTX *cctx = NULL, *sctx = NULL;
5853 SSL *clientssl = NULL, *serverssl = NULL;
5854 int testresult = 0;
5855
5856#ifdef OPENSSL_NO_TLS1_2
5857 if (tst == 0)
5858 return 1;
5859#endif
5860#ifdef OPENSSL_NO_TLS1_3
5861 if (tst == 1)
5862 return 1;
5863#endif
5864
5865 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5866 TLS_client_method(),
5867 TLS1_VERSION,
5868 tst == 0 ? TLS1_2_VERSION
5869 : TLS1_3_VERSION,
5870 &sctx, &cctx, cert, privkey)))
5871 goto end;
5872
5873 /*
5874 * Test that setting a client_cert_cb results in a client certificate being
5875 * sent.
5876 */
5877 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5878 SSL_CTX_set_verify(sctx,
5879 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5880 verify_cb);
5881
5882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5883 NULL, NULL))
5884 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5885 SSL_ERROR_NONE)))
5886 goto end;
5887
5888 testresult = 1;
5889
5890 end:
5891 SSL_free(serverssl);
5892 SSL_free(clientssl);
5893 SSL_CTX_free(sctx);
5894 SSL_CTX_free(cctx);
5895
5896 return testresult;
5897}
5898
5899#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5900/*
5901 * Test setting certificate authorities on both client and server.
5902 *
5903 * Test 0: SSL_CTX_set0_CA_list() only
5904 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5905 * Test 2: Only SSL_CTX_set_client_CA_list()
5906 */
5907static int test_ca_names_int(int prot, int tst)
5908{
5909 SSL_CTX *cctx = NULL, *sctx = NULL;
5910 SSL *clientssl = NULL, *serverssl = NULL;
5911 int testresult = 0;
5912 size_t i;
5913 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5914 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5915 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5916 const STACK_OF(X509_NAME) *sktmp = NULL;
5917
5918 for (i = 0; i < OSSL_NELEM(name); i++) {
5919 name[i] = X509_NAME_new();
5920 if (!TEST_ptr(name[i])
5921 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5922 MBSTRING_ASC,
5923 (unsigned char *)
5924 strnames[i],
5925 -1, -1, 0)))
5926 goto end;
5927 }
5928
5929 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5930 TLS_client_method(),
5931 TLS1_VERSION,
5932 prot,
5933 &sctx, &cctx, cert, privkey)))
5934 goto end;
5935
5936 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5937
5938 if (tst == 0 || tst == 1) {
5939 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5940 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5941 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5942 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5943 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5944 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5945 goto end;
5946
5947 SSL_CTX_set0_CA_list(sctx, sk1);
5948 SSL_CTX_set0_CA_list(cctx, sk2);
5949 sk1 = sk2 = NULL;
5950 }
5951 if (tst == 1 || tst == 2) {
5952 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5953 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5954 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5955 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5956 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5957 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5958 goto end;
5959
5960 SSL_CTX_set_client_CA_list(sctx, sk1);
5961 SSL_CTX_set_client_CA_list(cctx, sk2);
5962 sk1 = sk2 = NULL;
5963 }
5964
5965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5966 NULL, NULL))
5967 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5968 SSL_ERROR_NONE)))
5969 goto end;
5970
5971 /*
5972 * We only expect certificate authorities to have been sent to the server
5973 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
5974 */
5975 sktmp = SSL_get0_peer_CA_list(serverssl);
5976 if (prot == TLS1_3_VERSION
5977 && (tst == 0 || tst == 1)) {
5978 if (!TEST_ptr(sktmp)
5979 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5980 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5981 name[0]), 0)
5982 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5983 name[1]), 0))
5984 goto end;
5985 } else if (!TEST_ptr_null(sktmp)) {
5986 goto end;
5987 }
5988
5989 /*
5990 * In all tests we expect certificate authorities to have been sent to the
5991 * client. However, SSL_set_client_CA_list() should override
5992 * SSL_set0_CA_list()
5993 */
5994 sktmp = SSL_get0_peer_CA_list(clientssl);
5995 if (!TEST_ptr(sktmp)
5996 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5997 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5998 name[tst == 0 ? 0 : 2]), 0)
5999 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6000 name[tst == 0 ? 1 : 3]), 0))
6001 goto end;
6002
6003 testresult = 1;
6004
6005 end:
6006 SSL_free(serverssl);
6007 SSL_free(clientssl);
6008 SSL_CTX_free(sctx);
6009 SSL_CTX_free(cctx);
6010 for (i = 0; i < OSSL_NELEM(name); i++)
6011 X509_NAME_free(name[i]);
6012 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6013 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6014
6015 return testresult;
6016}
6017#endif
6018
6019static int test_ca_names(int tst)
6020{
6021 int testresult = 1;
6022
6023#ifndef OPENSSL_NO_TLS1_2
6024 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6025#endif
6026#ifndef OPENSSL_NO_TLS1_3
6027 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6028#endif
6029
6030 return testresult;
6031}
6032
6033
6034OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6035
6036int setup_tests(void)
6037{
6038 if (!TEST_ptr(cert = test_get_argument(0))
6039 || !TEST_ptr(privkey = test_get_argument(1))
6040 || !TEST_ptr(srpvfile = test_get_argument(2))
6041 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6042 return 0;
6043
6044 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6045#ifdef OPENSSL_NO_CRYPTO_MDEBUG
6046 TEST_error("not supported in this build");
6047 return 0;
6048#else
6049 int i, mcount, rcount, fcount;
6050
6051 for (i = 0; i < 4; i++)
6052 test_export_key_mat(i);
6053 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6054 test_printf_stdout("malloc %d realloc %d free %d\n",
6055 mcount, rcount, fcount);
6056 return 1;
6057#endif
6058 }
6059
6060#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6061 && !defined(OPENSSL_NO_SOCK)
6062 ADD_TEST(test_ktls_client_server);
6063 ADD_TEST(test_ktls_no_client_server);
6064 ADD_TEST(test_ktls_client_no_server);
6065 ADD_TEST(test_ktls_no_client_no_server);
6066#endif
6067 ADD_TEST(test_large_message_tls);
6068 ADD_TEST(test_large_message_tls_read_ahead);
6069#ifndef OPENSSL_NO_DTLS
6070 ADD_TEST(test_large_message_dtls);
6071#endif
6072#ifndef OPENSSL_NO_OCSP
6073 ADD_TEST(test_tlsext_status_type);
6074#endif
6075 ADD_TEST(test_session_with_only_int_cache);
6076 ADD_TEST(test_session_with_only_ext_cache);
6077 ADD_TEST(test_session_with_both_cache);
6078#ifndef OPENSSL_NO_TLS1_3
6079 ADD_ALL_TESTS(test_stateful_tickets, 3);
6080 ADD_ALL_TESTS(test_stateless_tickets, 3);
6081 ADD_TEST(test_psk_tickets);
6082#endif
6083 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6084 ADD_TEST(test_ssl_bio_pop_next_bio);
6085 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6086 ADD_TEST(test_ssl_bio_change_rbio);
6087 ADD_TEST(test_ssl_bio_change_wbio);
6088#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6089 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6090 ADD_TEST(test_keylog);
6091#endif
6092#ifndef OPENSSL_NO_TLS1_3
6093 ADD_TEST(test_keylog_no_master_key);
6094#endif
6095#ifndef OPENSSL_NO_TLS1_2
6096 ADD_TEST(test_client_hello_cb);
6097#endif
6098#ifndef OPENSSL_NO_TLS1_3
6099 ADD_ALL_TESTS(test_early_data_read_write, 3);
6100 /*
6101 * We don't do replay tests for external PSK. Replay protection isn't used
6102 * in that scenario.
6103 */
6104 ADD_ALL_TESTS(test_early_data_replay, 2);
6105 ADD_ALL_TESTS(test_early_data_skip, 3);
6106 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6107 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6108 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6109 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6110 ADD_ALL_TESTS(test_early_data_psk, 8);
6111 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6112# ifndef OPENSSL_NO_TLS1_2
6113 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6114# endif
6115#endif
6116#ifndef OPENSSL_NO_TLS1_3
6117 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6118 ADD_TEST(test_ciphersuite_change);
6119#ifdef OPENSSL_NO_PSK
6120 ADD_ALL_TESTS(test_tls13_psk, 1);
6121#else
6122 ADD_ALL_TESTS(test_tls13_psk, 4);
6123#endif /* OPENSSL_NO_PSK */
6124 ADD_ALL_TESTS(test_custom_exts, 5);
6125 ADD_TEST(test_stateless);
6126 ADD_TEST(test_pha_key_update);
6127#else
6128 ADD_ALL_TESTS(test_custom_exts, 3);
6129#endif
6130 ADD_ALL_TESTS(test_serverinfo, 8);
6131 ADD_ALL_TESTS(test_export_key_mat, 6);
6132#ifndef OPENSSL_NO_TLS1_3
6133 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6134#endif
6135 ADD_ALL_TESTS(test_ssl_clear, 2);
6136 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6137#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6138 ADD_ALL_TESTS(test_srp, 6);
6139#endif
6140 ADD_ALL_TESTS(test_info_callback, 6);
6141 ADD_ALL_TESTS(test_ssl_pending, 2);
6142 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6143 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6144 ADD_ALL_TESTS(test_shutdown, 7);
6145 ADD_ALL_TESTS(test_cert_cb, 3);
6146 ADD_ALL_TESTS(test_client_cert_cb, 2);
6147 ADD_ALL_TESTS(test_ca_names, 3);
6148 return 1;
6149}
6150
6151void cleanup_tests(void)
6152{
6153 bio_s_mempacket_test_free();
6154}
A mirror of the official openssl repository