]> git.ipfire.org Git - thirdparty/openssl.git/blame_incremental - test/sslapitest.c
projects / thirdparty / openssl.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
[thirdparty/openssl.git] / test / sslapitest.c
... / ...
CommitLineData
1/*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11
12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
16#include <openssl/ocsp.h>
17
18#include "ssltestlib.h"
19#include "testutil.h"
20#include "internal/nelem.h"
21#include "../ssl/ssl_locl.h"
22
23static char *cert = NULL;
24static char *privkey = NULL;
25
26#define LOG_BUFFER_SIZE 1024
27static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28static size_t server_log_buffer_index = 0;
29static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30static size_t client_log_buffer_index = 0;
31static int error_writing_log = 0;
32
33#ifndef OPENSSL_NO_OCSP
34static const unsigned char orespder[] = "Dummy OCSP Response";
35static int ocsp_server_called = 0;
36static int ocsp_client_called = 0;
37
38static int cdummyarg = 1;
39static X509 *ocspcert = NULL;
40#endif
41
42#define NUM_EXTRA_CERTS 40
43
44/*
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
47 */
48struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
55};
56
57
58static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
62};
63
64static unsigned char serverinfov2[] = {
65 0x00, 0x00, 0x00,
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
70};
71
72static void client_keylog_callback(const SSL *ssl, const char *line)
73{
74 int line_length = strlen(line);
75
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
80 return;
81 }
82
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
86}
87
88static void server_keylog_callback(const SSL *ssl, const char *line)
89{
90 int line_length = strlen(line);
91
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server log too full");
95 error_writing_log = 1;
96 return;
97 }
98
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
102}
103
104static int compare_hex_encoded_buffer(const char *hex_encoded,
105 size_t hex_length,
106 const uint8_t *raw,
107 size_t raw_length)
108{
109 size_t i, j;
110 char hexed[3];
111
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
113 return 1;
114
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
119 return 1;
120 }
121
122 return 0;
123}
124
125static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
128{
129 char *token = NULL;
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
140
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
144 /*
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
147 * secret.
148 */
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
150 return 0;
151 if (!TEST_size_t_eq(strlen(token), 16))
152 return 0;
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
154 return 0;
155 /*
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
159 */
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
162 /*
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
165 */
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
168 SSL3_RANDOM_SIZE);
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
170 return 0;
171
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
173 return 0;
174 if (!TEST_size_t_eq(strlen(token), 64))
175 return 0;
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
179 return 0;
180
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 return 0;
183 master_key_size = SSL_SESSION_get_master_key(session,
184 actual_master_key,
185 master_key_size);
186 if (!TEST_size_t_ne(master_key_size, 0))
187 return 0;
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
189 actual_master_key,
190 master_key_size)))
191 return 0;
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
197 /*
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
202 */
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
211
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
214 SSL3_RANDOM_SIZE);
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
216 return 0;
217
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
219 return 0;
220 if (!TEST_size_t_eq(strlen(token), 64))
221 return 0;
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
225 return 0;
226
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 return 0;
229
230 /*
231 * TODO(TLS1.3): test that application traffic secrets are what
232 * we expect */
233 } else {
234 TEST_info("Unexpected token %s\n", token);
235 return 0;
236 }
237 }
238
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
252 return 0;
253 return 1;
254}
255
256static int test_keylog(void)
257{
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
260 int testresult = 0;
261 struct sslapitest_log_counts expected = {0};
262
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
269
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
271 TLS_client_method(),
272 &sctx, &cctx, cert, privkey)))
273 return 0;
274
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
278
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
281 goto end;
282
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
285 goto end;
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
289 goto end;
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
293 goto end;
294
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
299 SSL_ERROR_NONE))
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
303 goto end;
304
305 /*
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
310 */
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
315 goto end;
316
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
320 goto end;
321
322 testresult = 1;
323
324end:
325 SSL_free(serverssl);
326 SSL_free(clientssl);
327 SSL_CTX_free(sctx);
328 SSL_CTX_free(cctx);
329
330 return testresult;
331}
332
333#ifndef OPENSSL_NO_TLS1_3
334static int test_keylog_no_master_key(void)
335{
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
338 int testresult = 0;
339 struct sslapitest_log_counts expected = {0};
340
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
347
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
351 return 0;
352
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
355 goto end;
356
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
360 goto end;
361
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
365 goto end;
366
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
371 SSL_ERROR_NONE))
372 || !TEST_false(error_writing_log))
373 goto end;
374
375 /*
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
379 */
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
388 &expected)))
389 goto end;
390
391 testresult = 1;
392
393end:
394 SSL_free(serverssl);
395 SSL_free(clientssl);
396 SSL_CTX_free(sctx);
397 SSL_CTX_free(cctx);
398
399 return testresult;
400}
401#endif
402
403#ifndef OPENSSL_NO_TLS1_2
404static int full_client_hello_callback(SSL *s, int *al, void *arg)
405{
406 int *ctr = arg;
407 const unsigned char *p;
408 int *exts;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
410#ifdef OPENSSL_NO_EC
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
412#else
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
414 0x2c, 0x00, 0xff};
415#endif
416 const int expected_extensions[] = {
417#ifndef OPENSSL_NO_EC
418 11, 10,
419#endif
420 35, 22, 23, 13};
421 size_t len;
422
423 /* Make sure we can defer processing and get called back. */
424 if ((*ctr)++ == 0)
425 return SSL_CLIENT_HELLO_RETRY;
426
427 len = SSL_client_hello_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(
430 SSL_client_hello_get0_compression_methods(s, &p), 1)
431 || !TEST_int_eq(*p, 0))
432 return SSL_CLIENT_HELLO_ERROR;
433 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
434 return SSL_CLIENT_HELLO_ERROR;
435 if (len != OSSL_NELEM(expected_extensions) ||
436 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
437 printf("ClientHello callback expected extensions mismatch\n");
438 OPENSSL_free(exts);
439 return SSL_CLIENT_HELLO_ERROR;
440 }
441 OPENSSL_free(exts);
442 return SSL_CLIENT_HELLO_SUCCESS;
443}
444
445static int test_client_hello_cb(void)
446{
447 SSL_CTX *cctx = NULL, *sctx = NULL;
448 SSL *clientssl = NULL, *serverssl = NULL;
449 int testctr = 0, testresult = 0;
450
451 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
452 TLS_client_method(), &sctx,
453 &cctx, cert, privkey)))
454 goto end;
455 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
456
457 /* The gimpy cipher list we configure can't do TLS 1.3. */
458 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
459
460 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
461 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
463 &clientssl, NULL, NULL))
464 || !TEST_false(create_ssl_connection(serverssl, clientssl,
465 SSL_ERROR_WANT_CLIENT_HELLO_CB))
466 /*
467 * Passing a -1 literal is a hack since
468 * the real value was lost.
469 * */
470 || !TEST_int_eq(SSL_get_error(serverssl, -1),
471 SSL_ERROR_WANT_CLIENT_HELLO_CB)
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE)))
474 goto end;
475
476 testresult = 1;
477
478end:
479 SSL_free(serverssl);
480 SSL_free(clientssl);
481 SSL_CTX_free(sctx);
482 SSL_CTX_free(cctx);
483
484 return testresult;
485}
486#endif
487
488static int execute_test_large_message(const SSL_METHOD *smeth,
489 const SSL_METHOD *cmeth, int read_ahead)
490{
491 SSL_CTX *cctx = NULL, *sctx = NULL;
492 SSL *clientssl = NULL, *serverssl = NULL;
493 int testresult = 0;
494 int i;
495 BIO *certbio = NULL;
496 X509 *chaincert = NULL;
497 int certlen;
498
499 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
500 goto end;
501 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
502 BIO_free(certbio);
503 certbio = NULL;
504 if (!TEST_ptr(chaincert))
505 goto end;
506
507 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
508 &cctx, cert, privkey)))
509 goto end;
510
511 if (read_ahead) {
512 /*
513 * Test that read_ahead works correctly when dealing with large
514 * records
515 */
516 SSL_CTX_set_read_ahead(cctx, 1);
517 }
518
519 /*
520 * We assume the supplied certificate is big enough so that if we add
521 * NUM_EXTRA_CERTS it will make the overall message large enough. The
522 * default buffer size is requested to be 16k, but due to the way BUF_MEM
523 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
524 * test we need to have a message larger than that.
525 */
526 certlen = i2d_X509(chaincert, NULL);
527 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
528 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
529 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
530 if (!X509_up_ref(chaincert))
531 goto end;
532 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
533 X509_free(chaincert);
534 goto end;
535 }
536 }
537
538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
539 NULL, NULL))
540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
541 SSL_ERROR_NONE)))
542 goto end;
543
544 /*
545 * Calling SSL_clear() first is not required but this tests that SSL_clear()
546 * doesn't leak (when using enable-crypto-mdebug).
547 */
548 if (!TEST_true(SSL_clear(serverssl)))
549 goto end;
550
551 testresult = 1;
552 end:
553 X509_free(chaincert);
554 SSL_free(serverssl);
555 SSL_free(clientssl);
556 SSL_CTX_free(sctx);
557 SSL_CTX_free(cctx);
558
559 return testresult;
560}
561
562static int test_large_message_tls(void)
563{
564 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
565 0);
566}
567
568static int test_large_message_tls_read_ahead(void)
569{
570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
571 1);
572}
573
574#ifndef OPENSSL_NO_DTLS
575static int test_large_message_dtls(void)
576{
577 /*
578 * read_ahead is not relevant to DTLS because DTLS always acts as if
579 * read_ahead is set.
580 */
581 return execute_test_large_message(DTLS_server_method(),
582 DTLS_client_method(), 0);
583}
584#endif
585
586#ifndef OPENSSL_NO_OCSP
587static int ocsp_server_cb(SSL *s, void *arg)
588{
589 int *argi = (int *)arg;
590 unsigned char *copy = NULL;
591 STACK_OF(OCSP_RESPID) *ids = NULL;
592 OCSP_RESPID *id = NULL;
593
594 if (*argi == 2) {
595 /* In this test we are expecting exactly 1 OCSP_RESPID */
596 SSL_get_tlsext_status_ids(s, &ids);
597 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
598 return SSL_TLSEXT_ERR_ALERT_FATAL;
599
600 id = sk_OCSP_RESPID_value(ids, 0);
601 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 } else if (*argi != 1) {
604 return SSL_TLSEXT_ERR_ALERT_FATAL;
605 }
606
607 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
609
610 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
611 ocsp_server_called = 1;
612 return SSL_TLSEXT_ERR_OK;
613}
614
615static int ocsp_client_cb(SSL *s, void *arg)
616{
617 int *argi = (int *)arg;
618 const unsigned char *respderin;
619 size_t len;
620
621 if (*argi != 1 && *argi != 2)
622 return 0;
623
624 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
625 if (!TEST_mem_eq(orespder, len, respderin, len))
626 return 0;
627
628 ocsp_client_called = 1;
629 return 1;
630}
631
632static int test_tlsext_status_type(void)
633{
634 SSL_CTX *cctx = NULL, *sctx = NULL;
635 SSL *clientssl = NULL, *serverssl = NULL;
636 int testresult = 0;
637 STACK_OF(OCSP_RESPID) *ids = NULL;
638 OCSP_RESPID *id = NULL;
639 BIO *certbio = NULL;
640
641 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
642 &cctx, cert, privkey))
643 return 0;
644
645 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
646 goto end;
647
648 /* First just do various checks getting and setting tlsext_status_type */
649
650 clientssl = SSL_new(cctx);
651 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
652 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
653 TLSEXT_STATUSTYPE_ocsp))
654 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
655 TLSEXT_STATUSTYPE_ocsp))
656 goto end;
657
658 SSL_free(clientssl);
659 clientssl = NULL;
660
661 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
662 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
663 goto end;
664
665 clientssl = SSL_new(cctx);
666 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
667 goto end;
668 SSL_free(clientssl);
669 clientssl = NULL;
670
671 /*
672 * Now actually do a handshake and check OCSP information is exchanged and
673 * the callbacks get called
674 */
675 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
676 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
677 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
678 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
680 &clientssl, NULL, NULL))
681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
682 SSL_ERROR_NONE))
683 || !TEST_true(ocsp_client_called)
684 || !TEST_true(ocsp_server_called))
685 goto end;
686 SSL_free(serverssl);
687 SSL_free(clientssl);
688 serverssl = NULL;
689 clientssl = NULL;
690
691 /* Try again but this time force the server side callback to fail */
692 ocsp_client_called = 0;
693 ocsp_server_called = 0;
694 cdummyarg = 0;
695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
696 &clientssl, NULL, NULL))
697 /* This should fail because the callback will fail */
698 || !TEST_false(create_ssl_connection(serverssl, clientssl,
699 SSL_ERROR_NONE))
700 || !TEST_false(ocsp_client_called)
701 || !TEST_false(ocsp_server_called))
702 goto end;
703 SSL_free(serverssl);
704 SSL_free(clientssl);
705 serverssl = NULL;
706 clientssl = NULL;
707
708 /*
709 * This time we'll get the client to send an OCSP_RESPID that it will
710 * accept.
711 */
712 ocsp_client_called = 0;
713 ocsp_server_called = 0;
714 cdummyarg = 2;
715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
716 &clientssl, NULL, NULL)))
717 goto end;
718
719 /*
720 * We'll just use any old cert for this test - it doesn't have to be an OCSP
721 * specific one. We'll use the server cert.
722 */
723 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
724 || !TEST_ptr(id = OCSP_RESPID_new())
725 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
726 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
727 NULL, NULL, NULL))
728 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
729 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
730 goto end;
731 id = NULL;
732 SSL_set_tlsext_status_ids(clientssl, ids);
733 /* Control has been transferred */
734 ids = NULL;
735
736 BIO_free(certbio);
737 certbio = NULL;
738
739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
740 SSL_ERROR_NONE))
741 || !TEST_true(ocsp_client_called)
742 || !TEST_true(ocsp_server_called))
743 goto end;
744
745 testresult = 1;
746
747 end:
748 SSL_free(serverssl);
749 SSL_free(clientssl);
750 SSL_CTX_free(sctx);
751 SSL_CTX_free(cctx);
752 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
753 OCSP_RESPID_free(id);
754 BIO_free(certbio);
755 X509_free(ocspcert);
756 ocspcert = NULL;
757
758 return testresult;
759}
760#endif
761
762#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
763static int new_called, remove_called, get_called;
764
765static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
766{
767 new_called++;
768 /*
769 * sess has been up-refed for us, but we don't actually need it so free it
770 * immediately.
771 */
772 SSL_SESSION_free(sess);
773 return 1;
774}
775
776static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
777{
778 remove_called++;
779}
780
781static SSL_SESSION *get_sess_val = NULL;
782
783static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
784 int *copy)
785{
786 get_called++;
787 *copy = 1;
788 return get_sess_val;
789}
790
791static int execute_test_session(int maxprot, int use_int_cache,
792 int use_ext_cache)
793{
794 SSL_CTX *sctx = NULL, *cctx = NULL;
795 SSL *serverssl1 = NULL, *clientssl1 = NULL;
796 SSL *serverssl2 = NULL, *clientssl2 = NULL;
797# ifndef OPENSSL_NO_TLS1_1
798 SSL *serverssl3 = NULL, *clientssl3 = NULL;
799# endif
800 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
801 int testresult = 0;
802
803 new_called = remove_called = 0;
804
805 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
806 TLS_client_method(), &sctx,
807 &cctx, cert, privkey)))
808 return 0;
809
810 /*
811 * Only allow the max protocol version so we can force a connection failure
812 * later
813 */
814 SSL_CTX_set_min_proto_version(cctx, maxprot);
815 SSL_CTX_set_max_proto_version(cctx, maxprot);
816
817 /* Set up session cache */
818 if (use_ext_cache) {
819 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
820 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
821 }
822 if (use_int_cache) {
823 /* Also covers instance where both are set */
824 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
825 } else {
826 SSL_CTX_set_session_cache_mode(cctx,
827 SSL_SESS_CACHE_CLIENT
828 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
829 }
830
831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
832 NULL, NULL))
833 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
834 SSL_ERROR_NONE))
835 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
836 goto end;
837
838 /* Should fail because it should already be in the cache */
839 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
840 goto end;
841 if (use_ext_cache
842 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
843 goto end;
844
845 new_called = remove_called = 0;
846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
847 &clientssl2, NULL, NULL))
848 || !TEST_true(SSL_set_session(clientssl2, sess1))
849 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
850 SSL_ERROR_NONE))
851 || !TEST_true(SSL_session_reused(clientssl2)))
852 goto end;
853
854 if (maxprot == TLS1_3_VERSION) {
855 /*
856 * In TLSv1.3 we should have created a new session even though we have
857 * resumed. The original session should also have been removed.
858 */
859 if (use_ext_cache
860 && (!TEST_int_eq(new_called, 1)
861 || !TEST_int_eq(remove_called, 1)))
862 goto end;
863 } else {
864 /*
865 * In TLSv1.2 we expect to have resumed so no sessions added or
866 * removed.
867 */
868 if (use_ext_cache
869 && (!TEST_int_eq(new_called, 0)
870 || !TEST_int_eq(remove_called, 0)))
871 goto end;
872 }
873
874 SSL_SESSION_free(sess1);
875 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
876 goto end;
877 shutdown_ssl_connection(serverssl2, clientssl2);
878 serverssl2 = clientssl2 = NULL;
879
880 new_called = remove_called = 0;
881 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
882 &clientssl2, NULL, NULL))
883 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
884 SSL_ERROR_NONE)))
885 goto end;
886
887 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
888 goto end;
889
890 if (use_ext_cache
891 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
892 goto end;
893
894 new_called = remove_called = 0;
895 /*
896 * This should clear sess2 from the cache because it is a "bad" session.
897 * See SSL_set_session() documentation.
898 */
899 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
900 goto end;
901 if (use_ext_cache
902 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
903 goto end;
904 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
905 goto end;
906
907 if (use_int_cache) {
908 /* Should succeeded because it should not already be in the cache */
909 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
910 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
911 goto end;
912 }
913
914 new_called = remove_called = 0;
915 /* This shouldn't be in the cache so should fail */
916 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
917 goto end;
918
919 if (use_ext_cache
920 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
921 goto end;
922
923# if !defined(OPENSSL_NO_TLS1_1)
924 new_called = remove_called = 0;
925 /* Force a connection failure */
926 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
928 &clientssl3, NULL, NULL))
929 || !TEST_true(SSL_set_session(clientssl3, sess1))
930 /* This should fail because of the mismatched protocol versions */
931 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
932 SSL_ERROR_NONE)))
933 goto end;
934
935 /* We should have automatically removed the session from the cache */
936 if (use_ext_cache
937 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
938 goto end;
939
940 /* Should succeed because it should not already be in the cache */
941 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
942 goto end;
943# endif
944
945 /* Now do some tests for server side caching */
946 if (use_ext_cache) {
947 SSL_CTX_sess_set_new_cb(cctx, NULL);
948 SSL_CTX_sess_set_remove_cb(cctx, NULL);
949 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
950 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
951 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
952 get_sess_val = NULL;
953 }
954
955 SSL_CTX_set_session_cache_mode(cctx, 0);
956 /* Internal caching is the default on the server side */
957 if (!use_int_cache)
958 SSL_CTX_set_session_cache_mode(sctx,
959 SSL_SESS_CACHE_SERVER
960 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
961
962 SSL_free(serverssl1);
963 SSL_free(clientssl1);
964 serverssl1 = clientssl1 = NULL;
965 SSL_free(serverssl2);
966 SSL_free(clientssl2);
967 serverssl2 = clientssl2 = NULL;
968 SSL_SESSION_free(sess1);
969 sess1 = NULL;
970 SSL_SESSION_free(sess2);
971 sess2 = NULL;
972
973 SSL_CTX_set_max_proto_version(sctx, maxprot);
974 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
975 new_called = remove_called = get_called = 0;
976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
977 NULL, NULL))
978 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
979 SSL_ERROR_NONE))
980 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
981 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
982 goto end;
983
984 /* Should fail because it should already be in the cache */
985 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
986 goto end;
987
988 if (use_ext_cache) {
989 SSL_SESSION *tmp = sess2;
990
991 if (!TEST_int_eq(new_called, 1)
992 || !TEST_int_eq(remove_called, 0)
993 || !TEST_int_eq(get_called, 0))
994 goto end;
995 /*
996 * Delete the session from the internal cache to force a lookup from
997 * the external cache. We take a copy first because
998 * SSL_CTX_remove_session() also marks the session as non-resumable.
999 */
1000 if (use_int_cache) {
1001 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1002 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1003 goto end;
1004 SSL_SESSION_free(sess2);
1005 }
1006 sess2 = tmp;
1007 }
1008
1009 new_called = remove_called = get_called = 0;
1010 get_sess_val = sess2;
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1012 &clientssl2, NULL, NULL))
1013 || !TEST_true(SSL_set_session(clientssl2, sess1))
1014 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1015 SSL_ERROR_NONE))
1016 || !TEST_true(SSL_session_reused(clientssl2)))
1017 goto end;
1018
1019 if (use_ext_cache) {
1020 if (!TEST_int_eq(new_called, 0)
1021 || !TEST_int_eq(remove_called, 0))
1022 goto end;
1023
1024 if (maxprot == TLS1_3_VERSION) {
1025 if (!TEST_int_eq(get_called, 0))
1026 goto end;
1027 } else {
1028 if (!TEST_int_eq(get_called, 1))
1029 goto end;
1030 }
1031 }
1032
1033 testresult = 1;
1034
1035 end:
1036 SSL_free(serverssl1);
1037 SSL_free(clientssl1);
1038 SSL_free(serverssl2);
1039 SSL_free(clientssl2);
1040# ifndef OPENSSL_NO_TLS1_1
1041 SSL_free(serverssl3);
1042 SSL_free(clientssl3);
1043# endif
1044 SSL_SESSION_free(sess1);
1045 SSL_SESSION_free(sess2);
1046 SSL_CTX_free(sctx);
1047 SSL_CTX_free(cctx);
1048
1049 return testresult;
1050}
1051#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1052
1053static int test_session_with_only_int_cache(void)
1054{
1055#ifndef OPENSSL_NO_TLS1_3
1056 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1057 return 0;
1058#endif
1059
1060#ifndef OPENSSL_NO_TLS1_2
1061 return execute_test_session(TLS1_2_VERSION, 1, 0);
1062#else
1063 return 1;
1064#endif
1065}
1066
1067static int test_session_with_only_ext_cache(void)
1068{
1069#ifndef OPENSSL_NO_TLS1_3
1070 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1071 return 0;
1072#endif
1073
1074#ifndef OPENSSL_NO_TLS1_2
1075 return execute_test_session(TLS1_2_VERSION, 0, 1);
1076#else
1077 return 1;
1078#endif
1079}
1080
1081static int test_session_with_both_cache(void)
1082{
1083#ifndef OPENSSL_NO_TLS1_3
1084 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1085 return 0;
1086#endif
1087
1088#ifndef OPENSSL_NO_TLS1_2
1089 return execute_test_session(TLS1_2_VERSION, 1, 1);
1090#else
1091 return 1;
1092#endif
1093}
1094
1095#define USE_NULL 0
1096#define USE_BIO_1 1
1097#define USE_BIO_2 2
1098
1099#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1100
1101static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1102{
1103 switch (type) {
1104 case USE_NULL:
1105 *res = NULL;
1106 break;
1107 case USE_BIO_1:
1108 *res = bio1;
1109 break;
1110 case USE_BIO_2:
1111 *res = bio2;
1112 break;
1113 }
1114}
1115
1116static int test_ssl_set_bio(int idx)
1117{
1118 SSL_CTX *ctx;
1119 BIO *bio1 = NULL;
1120 BIO *bio2 = NULL;
1121 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1122 SSL *ssl = NULL;
1123 int initrbio, initwbio, newrbio, newwbio;
1124 int testresult = 0;
1125
1126 initrbio = idx % 3;
1127 idx /= 3;
1128 initwbio = idx % 3;
1129 idx /= 3;
1130 newrbio = idx % 3;
1131 idx /= 3;
1132 newwbio = idx;
1133 if (!TEST_int_le(newwbio, 2))
1134 return 0;
1135
1136 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1137 || !TEST_ptr(ssl = SSL_new(ctx)))
1138 goto end;
1139
1140 if (initrbio == USE_BIO_1
1141 || initwbio == USE_BIO_1
1142 || newrbio == USE_BIO_1
1143 || newwbio == USE_BIO_1) {
1144 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1145 goto end;
1146 }
1147
1148 if (initrbio == USE_BIO_2
1149 || initwbio == USE_BIO_2
1150 || newrbio == USE_BIO_2
1151 || newwbio == USE_BIO_2) {
1152 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1153 goto end;
1154 }
1155
1156 setupbio(&irbio, bio1, bio2, initrbio);
1157 setupbio(&iwbio, bio1, bio2, initwbio);
1158
1159 /*
1160 * We want to maintain our own refs to these BIO, so do an up ref for each
1161 * BIO that will have ownership transferred in the SSL_set_bio() call
1162 */
1163 if (irbio != NULL)
1164 BIO_up_ref(irbio);
1165 if (iwbio != NULL && iwbio != irbio)
1166 BIO_up_ref(iwbio);
1167
1168 SSL_set_bio(ssl, irbio, iwbio);
1169
1170 setupbio(&nrbio, bio1, bio2, newrbio);
1171 setupbio(&nwbio, bio1, bio2, newwbio);
1172
1173 /*
1174 * We will (maybe) transfer ownership again so do more up refs.
1175 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1176 * already been set!
1177 */
1178 if (nrbio != NULL
1179 && nrbio != irbio
1180 && (nwbio != iwbio || nrbio != nwbio))
1181 BIO_up_ref(nrbio);
1182 if (nwbio != NULL
1183 && nwbio != nrbio
1184 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1185 BIO_up_ref(nwbio);
1186
1187 SSL_set_bio(ssl, nrbio, nwbio);
1188
1189 testresult = 1;
1190
1191 end:
1192 SSL_free(ssl);
1193 BIO_free(bio1);
1194 BIO_free(bio2);
1195
1196 /*
1197 * This test is checking that the ref counting for SSL_set_bio is correct.
1198 * If we get here and we did too many frees then we will fail in the above
1199 * functions. If we haven't done enough then this will only be detected in
1200 * a crypto-mdebug build
1201 */
1202 SSL_CTX_free(ctx);
1203 return testresult;
1204}
1205
1206typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1207
1208static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1209{
1210 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1211 SSL_CTX *ctx;
1212 SSL *ssl = NULL;
1213 int testresult = 0;
1214
1215 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1216 || !TEST_ptr(ssl = SSL_new(ctx))
1217 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1218 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1219 goto end;
1220
1221 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1222
1223 /*
1224 * If anything goes wrong here then we could leak memory, so this will
1225 * be caught in a crypto-mdebug build
1226 */
1227 BIO_push(sslbio, membio1);
1228
1229 /* Verify changing the rbio/wbio directly does not cause leaks */
1230 if (change_bio != NO_BIO_CHANGE) {
1231 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1232 goto end;
1233 if (change_bio == CHANGE_RBIO)
1234 SSL_set0_rbio(ssl, membio2);
1235 else
1236 SSL_set0_wbio(ssl, membio2);
1237 }
1238 ssl = NULL;
1239
1240 if (pop_ssl)
1241 BIO_pop(sslbio);
1242 else
1243 BIO_pop(membio1);
1244
1245 testresult = 1;
1246 end:
1247 BIO_free(membio1);
1248 BIO_free(sslbio);
1249 SSL_free(ssl);
1250 SSL_CTX_free(ctx);
1251
1252 return testresult;
1253}
1254
1255static int test_ssl_bio_pop_next_bio(void)
1256{
1257 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1258}
1259
1260static int test_ssl_bio_pop_ssl_bio(void)
1261{
1262 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1263}
1264
1265static int test_ssl_bio_change_rbio(void)
1266{
1267 return execute_test_ssl_bio(0, CHANGE_RBIO);
1268}
1269
1270static int test_ssl_bio_change_wbio(void)
1271{
1272 return execute_test_ssl_bio(0, CHANGE_WBIO);
1273}
1274
1275typedef struct {
1276 /* The list of sig algs */
1277 const int *list;
1278 /* The length of the list */
1279 size_t listlen;
1280 /* A sigalgs list in string format */
1281 const char *liststr;
1282 /* Whether setting the list should succeed */
1283 int valid;
1284 /* Whether creating a connection with the list should succeed */
1285 int connsuccess;
1286} sigalgs_list;
1287
1288static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1289#ifndef OPENSSL_NO_EC
1290static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1291static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1292#endif
1293static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1294static const int invalidlist2[] = {NID_sha256, NID_undef};
1295static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1296static const int invalidlist4[] = {NID_sha256};
1297static const sigalgs_list testsigalgs[] = {
1298 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1299#ifndef OPENSSL_NO_EC
1300 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1301 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1302#endif
1303 {NULL, 0, "RSA+SHA256", 1, 1},
1304#ifndef OPENSSL_NO_EC
1305 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1306 {NULL, 0, "ECDSA+SHA512", 1, 0},
1307#endif
1308 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1309 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1310 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1311 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1312 {NULL, 0, "RSA", 0, 0},
1313 {NULL, 0, "SHA256", 0, 0},
1314 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1315 {NULL, 0, "Invalid", 0, 0}
1316};
1317
1318static int test_set_sigalgs(int idx)
1319{
1320 SSL_CTX *cctx = NULL, *sctx = NULL;
1321 SSL *clientssl = NULL, *serverssl = NULL;
1322 int testresult = 0;
1323 const sigalgs_list *curr;
1324 int testctx;
1325
1326 /* Should never happen */
1327 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1328 return 0;
1329
1330 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1331 curr = testctx ? &testsigalgs[idx]
1332 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1333
1334 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1335 TLS_client_method(), &sctx,
1336 &cctx, cert, privkey)))
1337 return 0;
1338
1339 /*
1340 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1341 * for TLSv1.2 for now until we add a new API.
1342 */
1343 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1344
1345 if (testctx) {
1346 int ret;
1347
1348 if (curr->list != NULL)
1349 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1350 else
1351 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1352
1353 if (!ret) {
1354 if (curr->valid)
1355 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1356 else
1357 testresult = 1;
1358 goto end;
1359 }
1360 if (!curr->valid) {
1361 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1362 goto end;
1363 }
1364 }
1365
1366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1367 &clientssl, NULL, NULL)))
1368 goto end;
1369
1370 if (!testctx) {
1371 int ret;
1372
1373 if (curr->list != NULL)
1374 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1375 else
1376 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1377 if (!ret) {
1378 if (curr->valid)
1379 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1380 else
1381 testresult = 1;
1382 goto end;
1383 }
1384 if (!curr->valid)
1385 goto end;
1386 }
1387
1388 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1389 SSL_ERROR_NONE),
1390 curr->connsuccess))
1391 goto end;
1392
1393 testresult = 1;
1394
1395 end:
1396 SSL_free(serverssl);
1397 SSL_free(clientssl);
1398 SSL_CTX_free(sctx);
1399 SSL_CTX_free(cctx);
1400
1401 return testresult;
1402}
1403
1404#ifndef OPENSSL_NO_TLS1_3
1405
1406static SSL_SESSION *clientpsk = NULL;
1407static SSL_SESSION *serverpsk = NULL;
1408static const char *pskid = "Identity";
1409static const char *srvid;
1410
1411static int use_session_cb_cnt = 0;
1412static int find_session_cb_cnt = 0;
1413
1414static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1415 size_t *idlen, SSL_SESSION **sess)
1416{
1417 switch (++use_session_cb_cnt) {
1418 case 1:
1419 /* The first call should always have a NULL md */
1420 if (md != NULL)
1421 return 0;
1422 break;
1423
1424 case 2:
1425 /* The second call should always have an md */
1426 if (md == NULL)
1427 return 0;
1428 break;
1429
1430 default:
1431 /* We should only be called a maximum of twice */
1432 return 0;
1433 }
1434
1435 if (clientpsk != NULL)
1436 SSL_SESSION_up_ref(clientpsk);
1437
1438 *sess = clientpsk;
1439 *id = (const unsigned char *)pskid;
1440 *idlen = strlen(pskid);
1441
1442 return 1;
1443}
1444
1445static int find_session_cb(SSL *ssl, const unsigned char *identity,
1446 size_t identity_len, SSL_SESSION **sess)
1447{
1448 find_session_cb_cnt++;
1449
1450 /* We should only ever be called a maximum of twice per connection */
1451 if (find_session_cb_cnt > 2)
1452 return 0;
1453
1454 if (serverpsk == NULL)
1455 return 0;
1456
1457 /* Identity should match that set by the client */
1458 if (strlen(srvid) != identity_len
1459 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1460 /* No PSK found, continue but without a PSK */
1461 *sess = NULL;
1462 return 1;
1463 }
1464
1465 SSL_SESSION_up_ref(serverpsk);
1466 *sess = serverpsk;
1467
1468 return 1;
1469}
1470
1471#define MSG1 "Hello"
1472#define MSG2 "World."
1473#define MSG3 "This"
1474#define MSG4 "is"
1475#define MSG5 "a"
1476#define MSG6 "test"
1477#define MSG7 "message."
1478
1479#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1480
1481/*
1482 * Helper method to setup objects for early data test. Caller frees objects on
1483 * error.
1484 */
1485static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1486 SSL **serverssl, SSL_SESSION **sess, int idx)
1487{
1488 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1489 TLS_client_method(), sctx,
1490 cctx, cert, privkey)))
1491 return 0;
1492
1493 if (idx == 1) {
1494 /* When idx == 1 we repeat the tests with read_ahead set */
1495 SSL_CTX_set_read_ahead(*cctx, 1);
1496 SSL_CTX_set_read_ahead(*sctx, 1);
1497 } else if (idx == 2) {
1498 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1499 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1500 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1501 use_session_cb_cnt = 0;
1502 find_session_cb_cnt = 0;
1503 srvid = pskid;
1504 }
1505
1506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1507 NULL, NULL)))
1508 return 0;
1509
1510 /*
1511 * For one of the run throughs (doesn't matter which one), we'll try sending
1512 * some SNI data in the initial ClientHello. This will be ignored (because
1513 * there is no SNI cb set up by the server), so it should not impact
1514 * early_data.
1515 */
1516 if (idx == 1
1517 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1518 return 0;
1519
1520 if (idx == 2) {
1521 /* Create the PSK */
1522 const SSL_CIPHER *cipher = NULL;
1523 const unsigned char key[] = {
1524 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1525 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1526 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1527 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1528 0x2c, 0x2d, 0x2e, 0x2f
1529 };
1530
1531 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1532 clientpsk = SSL_SESSION_new();
1533 if (!TEST_ptr(clientpsk)
1534 || !TEST_ptr(cipher)
1535 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1536 sizeof(key)))
1537 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1538 || !TEST_true(
1539 SSL_SESSION_set_protocol_version(clientpsk,
1540 TLS1_3_VERSION))
1541 /*
1542 * We just choose an arbitrary value for max_early_data which
1543 * should be big enough for testing purposes.
1544 */
1545 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1546 0x100))
1547 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1548 SSL_SESSION_free(clientpsk);
1549 clientpsk = NULL;
1550 return 0;
1551 }
1552 serverpsk = clientpsk;
1553
1554 if (sess != NULL)
1555 *sess = clientpsk;
1556 return 1;
1557 }
1558
1559 if (sess == NULL)
1560 return 1;
1561
1562 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1563 SSL_ERROR_NONE)))
1564 return 0;
1565
1566 *sess = SSL_get1_session(*clientssl);
1567 SSL_shutdown(*clientssl);
1568 SSL_shutdown(*serverssl);
1569 SSL_free(*serverssl);
1570 SSL_free(*clientssl);
1571 *serverssl = *clientssl = NULL;
1572
1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1574 clientssl, NULL, NULL))
1575 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1576 return 0;
1577
1578 return 1;
1579}
1580
1581static int test_early_data_read_write(int idx)
1582{
1583 SSL_CTX *cctx = NULL, *sctx = NULL;
1584 SSL *clientssl = NULL, *serverssl = NULL;
1585 int testresult = 0;
1586 SSL_SESSION *sess = NULL;
1587 unsigned char buf[20], data[1024];
1588 size_t readbytes, written, eoedlen, rawread, rawwritten;
1589 BIO *rbio;
1590
1591 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1592 &serverssl, &sess, idx)))
1593 goto end;
1594
1595 /* Write and read some early data */
1596 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1597 &written))
1598 || !TEST_size_t_eq(written, strlen(MSG1))
1599 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1600 sizeof(buf), &readbytes),
1601 SSL_READ_EARLY_DATA_SUCCESS)
1602 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1604 SSL_EARLY_DATA_ACCEPTED))
1605 goto end;
1606
1607 /*
1608 * Server should be able to write data, and client should be able to
1609 * read it.
1610 */
1611 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1612 &written))
1613 || !TEST_size_t_eq(written, strlen(MSG2))
1614 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1615 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1616 goto end;
1617
1618 /* Even after reading normal data, client should be able write early data */
1619 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1620 &written))
1621 || !TEST_size_t_eq(written, strlen(MSG3)))
1622 goto end;
1623
1624 /* Server should still be able read early data after writing data */
1625 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1626 &readbytes),
1627 SSL_READ_EARLY_DATA_SUCCESS)
1628 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1629 goto end;
1630
1631 /* Write more data from server and read it from client */
1632 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1633 &written))
1634 || !TEST_size_t_eq(written, strlen(MSG4))
1635 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1636 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1637 goto end;
1638
1639 /*
1640 * If client writes normal data it should mean writing early data is no
1641 * longer possible.
1642 */
1643 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1644 || !TEST_size_t_eq(written, strlen(MSG5))
1645 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1646 SSL_EARLY_DATA_ACCEPTED))
1647 goto end;
1648
1649 /*
1650 * At this point the client has written EndOfEarlyData, ClientFinished and
1651 * normal (fully protected) data. We are going to cause a delay between the
1652 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1653 * in the read BIO, and then just put back the EndOfEarlyData message.
1654 */
1655 rbio = SSL_get_rbio(serverssl);
1656 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1657 || !TEST_size_t_lt(rawread, sizeof(data))
1658 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1659 goto end;
1660
1661 /* Record length is in the 4th and 5th bytes of the record header */
1662 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1663 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1664 || !TEST_size_t_eq(rawwritten, eoedlen))
1665 goto end;
1666
1667 /* Server should be told that there is no more early data */
1668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1669 &readbytes),
1670 SSL_READ_EARLY_DATA_FINISH)
1671 || !TEST_size_t_eq(readbytes, 0))
1672 goto end;
1673
1674 /*
1675 * Server has not finished init yet, so should still be able to write early
1676 * data.
1677 */
1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1679 &written))
1680 || !TEST_size_t_eq(written, strlen(MSG6)))
1681 goto end;
1682
1683 /* Push the ClientFinished and the normal data back into the server rbio */
1684 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1685 &rawwritten))
1686 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1687 goto end;
1688
1689 /* Server should be able to read normal data */
1690 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1691 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1692 goto end;
1693
1694 /* Client and server should not be able to write/read early data now */
1695 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1696 &written)))
1697 goto end;
1698 ERR_clear_error();
1699 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1700 &readbytes),
1701 SSL_READ_EARLY_DATA_ERROR))
1702 goto end;
1703 ERR_clear_error();
1704
1705 /* Client should be able to read the data sent by the server */
1706 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1707 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1708 goto end;
1709
1710 /*
1711 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1712 * We attempt a read which we do not expect to return any data.
1713 */
1714 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1715 goto end;
1716
1717 /* Server should be able to write normal data */
1718 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1719 || !TEST_size_t_eq(written, strlen(MSG7))
1720 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1721 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1722 goto end;
1723
1724 /* We keep the PSK session around if using PSK */
1725 if (idx != 2)
1726 SSL_SESSION_free(sess);
1727 sess = SSL_get1_session(clientssl);
1728 use_session_cb_cnt = 0;
1729 find_session_cb_cnt = 0;
1730
1731 SSL_shutdown(clientssl);
1732 SSL_shutdown(serverssl);
1733 SSL_free(serverssl);
1734 SSL_free(clientssl);
1735 serverssl = clientssl = NULL;
1736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1737 &clientssl, NULL, NULL))
1738 || !TEST_true(SSL_set_session(clientssl, sess)))
1739 goto end;
1740
1741 /* Write and read some early data */
1742 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1743 &written))
1744 || !TEST_size_t_eq(written, strlen(MSG1))
1745 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1746 &readbytes),
1747 SSL_READ_EARLY_DATA_SUCCESS)
1748 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1749 goto end;
1750
1751 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1752 || !TEST_int_gt(SSL_accept(serverssl), 0))
1753 goto end;
1754
1755 /* Client and server should not be able to write/read early data now */
1756 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1757 &written)))
1758 goto end;
1759 ERR_clear_error();
1760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1761 &readbytes),
1762 SSL_READ_EARLY_DATA_ERROR))
1763 goto end;
1764 ERR_clear_error();
1765
1766 /* Client and server should be able to write/read normal data */
1767 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1768 || !TEST_size_t_eq(written, strlen(MSG5))
1769 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1770 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1771 goto end;
1772
1773 testresult = 1;
1774
1775 end:
1776 if (sess != clientpsk)
1777 SSL_SESSION_free(sess);
1778 SSL_SESSION_free(clientpsk);
1779 SSL_SESSION_free(serverpsk);
1780 clientpsk = serverpsk = NULL;
1781 SSL_free(serverssl);
1782 SSL_free(clientssl);
1783 SSL_CTX_free(sctx);
1784 SSL_CTX_free(cctx);
1785 return testresult;
1786}
1787
1788/*
1789 * Helper function to test that a server attempting to read early data can
1790 * handle a connection from a client where the early data should be skipped.
1791 */
1792static int early_data_skip_helper(int hrr, int idx)
1793{
1794 SSL_CTX *cctx = NULL, *sctx = NULL;
1795 SSL *clientssl = NULL, *serverssl = NULL;
1796 int testresult = 0;
1797 SSL_SESSION *sess = NULL;
1798 unsigned char buf[20];
1799 size_t readbytes, written;
1800
1801 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1802 &serverssl, &sess, idx)))
1803 goto end;
1804
1805 if (hrr) {
1806 /* Force an HRR to occur */
1807 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1808 goto end;
1809 } else if (idx == 2) {
1810 /*
1811 * We force early_data rejection by ensuring the PSK identity is
1812 * unrecognised
1813 */
1814 srvid = "Dummy Identity";
1815 } else {
1816 /*
1817 * Deliberately corrupt the creation time. We take 20 seconds off the
1818 * time. It could be any value as long as it is not within tolerance.
1819 * This should mean the ticket is rejected.
1820 */
1821 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1822 goto end;
1823 }
1824
1825 /* Write some early data */
1826 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1827 &written))
1828 || !TEST_size_t_eq(written, strlen(MSG1)))
1829 goto end;
1830
1831 /* Server should reject the early data and skip over it */
1832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1833 &readbytes),
1834 SSL_READ_EARLY_DATA_FINISH)
1835 || !TEST_size_t_eq(readbytes, 0)
1836 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1837 SSL_EARLY_DATA_REJECTED))
1838 goto end;
1839
1840 if (hrr) {
1841 /*
1842 * Finish off the handshake. We perform the same writes and reads as
1843 * further down but we expect them to fail due to the incomplete
1844 * handshake.
1845 */
1846 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1847 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1848 &readbytes)))
1849 goto end;
1850 }
1851
1852 /* Should be able to send normal data despite rejection of early data */
1853 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1854 || !TEST_size_t_eq(written, strlen(MSG2))
1855 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1856 SSL_EARLY_DATA_REJECTED)
1857 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1859 goto end;
1860
1861 testresult = 1;
1862
1863 end:
1864 if (sess != clientpsk)
1865 SSL_SESSION_free(clientpsk);
1866 SSL_SESSION_free(serverpsk);
1867 clientpsk = serverpsk = NULL;
1868 SSL_SESSION_free(sess);
1869 SSL_free(serverssl);
1870 SSL_free(clientssl);
1871 SSL_CTX_free(sctx);
1872 SSL_CTX_free(cctx);
1873 return testresult;
1874}
1875
1876/*
1877 * Test that a server attempting to read early data can handle a connection
1878 * from a client where the early data is not acceptable.
1879 */
1880static int test_early_data_skip(int idx)
1881{
1882 return early_data_skip_helper(0, idx);
1883}
1884
1885/*
1886 * Test that a server attempting to read early data can handle a connection
1887 * from a client where an HRR occurs.
1888 */
1889static int test_early_data_skip_hrr(int idx)
1890{
1891 return early_data_skip_helper(1, idx);
1892}
1893
1894/*
1895 * Test that a server attempting to read early data can handle a connection
1896 * from a client that doesn't send any.
1897 */
1898static int test_early_data_not_sent(int idx)
1899{
1900 SSL_CTX *cctx = NULL, *sctx = NULL;
1901 SSL *clientssl = NULL, *serverssl = NULL;
1902 int testresult = 0;
1903 SSL_SESSION *sess = NULL;
1904 unsigned char buf[20];
1905 size_t readbytes, written;
1906
1907 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1908 &serverssl, &sess, idx)))
1909 goto end;
1910
1911 /* Write some data - should block due to handshake with server */
1912 SSL_set_connect_state(clientssl);
1913 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1914 goto end;
1915
1916 /* Server should detect that early data has not been sent */
1917 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1918 &readbytes),
1919 SSL_READ_EARLY_DATA_FINISH)
1920 || !TEST_size_t_eq(readbytes, 0)
1921 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1922 SSL_EARLY_DATA_NOT_SENT)
1923 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1924 SSL_EARLY_DATA_NOT_SENT))
1925 goto end;
1926
1927 /* Continue writing the message we started earlier */
1928 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1929 || !TEST_size_t_eq(written, strlen(MSG1))
1930 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1931 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1932 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1933 || !TEST_size_t_eq(written, strlen(MSG2)))
1934 goto end;
1935
1936 /*
1937 * Should block due to the NewSessionTicket arrival unless we're using
1938 * read_ahead
1939 */
1940 if (idx != 1) {
1941 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1942 goto end;
1943 }
1944
1945 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1946 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1947 goto end;
1948
1949 testresult = 1;
1950
1951 end:
1952 /* If using PSK then clientpsk and sess are the same */
1953 SSL_SESSION_free(sess);
1954 SSL_SESSION_free(serverpsk);
1955 clientpsk = serverpsk = NULL;
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 SSL_CTX_free(sctx);
1959 SSL_CTX_free(cctx);
1960 return testresult;
1961}
1962
1963static const char *servhostname;
1964
1965static int hostname_cb(SSL *s, int *al, void *arg)
1966{
1967 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1968
1969 if (hostname != NULL && strcmp(hostname, servhostname) == 0)
1970 return SSL_TLSEXT_ERR_OK;
1971
1972 return SSL_TLSEXT_ERR_NOACK;
1973}
1974
1975static const char *servalpn;
1976
1977static int alpn_select_cb(SSL *ssl, const unsigned char **out,
1978 unsigned char *outlen, const unsigned char *in,
1979 unsigned int inlen, void *arg)
1980{
1981 unsigned int protlen = 0;
1982 const unsigned char *prot;
1983
1984 for (prot = in; prot < in + inlen; prot += protlen) {
1985 protlen = *prot++;
1986 if (in + inlen - prot < protlen)
1987 return SSL_TLSEXT_ERR_NOACK;
1988
1989 if (protlen == strlen(servalpn)
1990 && memcmp(prot, servalpn, protlen) == 0) {
1991 *out = prot;
1992 *outlen = protlen;
1993 return SSL_TLSEXT_ERR_OK;
1994 }
1995 }
1996
1997 return SSL_TLSEXT_ERR_NOACK;
1998}
1999
2000/* Test that a PSK can be used to send early_data */
2001static int test_early_data_psk(int idx)
2002{
2003 SSL_CTX *cctx = NULL, *sctx = NULL;
2004 SSL *clientssl = NULL, *serverssl = NULL;
2005 int testresult = 0;
2006 SSL_SESSION *sess = NULL;
2007 unsigned char alpnlist[] = {
2008 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2009 'l', 'p', 'n'
2010 };
2011#define GOODALPNLEN 9
2012#define BADALPNLEN 8
2013#define GOODALPN (alpnlist)
2014#define BADALPN (alpnlist + GOODALPNLEN)
2015 int err = 0;
2016 unsigned char buf[20];
2017 size_t readbytes, written;
2018 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2019 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2020
2021 /* We always set this up with a final parameter of "2" for PSK */
2022 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2023 &serverssl, &sess, 2)))
2024 goto end;
2025
2026 servhostname = "goodhost";
2027 servalpn = "goodalpn";
2028
2029 /*
2030 * Note: There is no test for inconsistent SNI with late client detection.
2031 * This is because servers do not acknowledge SNI even if they are using
2032 * it in a resumption handshake - so it is not actually possible for a
2033 * client to detect a problem.
2034 */
2035 switch (idx) {
2036 case 0:
2037 /* Set inconsistent SNI (early client detection) */
2038 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2041 goto end;
2042 break;
2043
2044 case 1:
2045 /* Set inconsistent ALPN (early client detection) */
2046 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2047 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2048 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2049 GOODALPNLEN))
2050 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2051 BADALPNLEN)))
2052 goto end;
2053 break;
2054
2055 case 2:
2056 /*
2057 * Set invalid protocol version. Technically this affects PSKs without
2058 * early_data too, but we test it here because it is similar to the
2059 * SNI/ALPN consistency tests.
2060 */
2061 err = SSL_R_BAD_PSK;
2062 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2063 goto end;
2064 break;
2065
2066 case 3:
2067 /*
2068 * Set inconsistent SNI (server detected). In this case the connection
2069 * will succeed but reject early_data.
2070 */
2071 servhostname = "badhost";
2072 edstatus = SSL_EARLY_DATA_REJECTED;
2073 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2074 /* Fall through */
2075 case 4:
2076 /* Set consistent SNI */
2077 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2078 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2079 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2080 hostname_cb)))
2081 goto end;
2082 break;
2083
2084 case 5:
2085 /*
2086 * Set inconsistent ALPN (server detected). In this case the connection
2087 * will succeed but reject early_data.
2088 */
2089 servalpn = "badalpn";
2090 edstatus = SSL_EARLY_DATA_REJECTED;
2091 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2092 /* Fall through */
2093 case 6:
2094 /*
2095 * Set consistent ALPN.
2096 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2097 * accepts a list of protos (each one length prefixed).
2098 * SSL_set1_alpn_selected accepts a single protocol (not length
2099 * prefixed)
2100 */
2101 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2102 GOODALPNLEN - 1))
2103 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2104 GOODALPNLEN)))
2105 goto end;
2106
2107 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2108 break;
2109
2110 case 7:
2111 /* Set inconsistent ALPN (late client detection) */
2112 SSL_SESSION_free(serverpsk);
2113 serverpsk = SSL_SESSION_dup(clientpsk);
2114 if (!TEST_ptr(serverpsk)
2115 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2116 BADALPN + 1,
2117 BADALPNLEN - 1))
2118 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2119 GOODALPN + 1,
2120 GOODALPNLEN - 1))
2121 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2122 sizeof(alpnlist))))
2123 goto end;
2124 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2125 edstatus = SSL_EARLY_DATA_ACCEPTED;
2126 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2127 /* SSL_connect() call should fail */
2128 connectres = -1;
2129 break;
2130
2131 default:
2132 TEST_error("Bad test index");
2133 goto end;
2134 }
2135
2136 SSL_set_connect_state(clientssl);
2137 if (err != 0) {
2138 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2139 &written))
2140 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2141 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2142 goto end;
2143 } else {
2144 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2145 &written)))
2146 goto end;
2147
2148 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2149 &readbytes), readearlyres)
2150 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2151 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2152 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2153 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2154 goto end;
2155 }
2156
2157 testresult = 1;
2158
2159 end:
2160 SSL_SESSION_free(clientpsk);
2161 SSL_SESSION_free(serverpsk);
2162 clientpsk = serverpsk = NULL;
2163 SSL_free(serverssl);
2164 SSL_free(clientssl);
2165 SSL_CTX_free(sctx);
2166 SSL_CTX_free(cctx);
2167 return testresult;
2168}
2169
2170/*
2171 * Test that a server that doesn't try to read early data can handle a
2172 * client sending some.
2173 */
2174static int test_early_data_not_expected(int idx)
2175{
2176 SSL_CTX *cctx = NULL, *sctx = NULL;
2177 SSL *clientssl = NULL, *serverssl = NULL;
2178 int testresult = 0;
2179 SSL_SESSION *sess = NULL;
2180 unsigned char buf[20];
2181 size_t readbytes, written;
2182
2183 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2184 &serverssl, &sess, idx)))
2185 goto end;
2186
2187 /* Write some early data */
2188 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2189 &written)))
2190 goto end;
2191
2192 /*
2193 * Server should skip over early data and then block waiting for client to
2194 * continue handshake
2195 */
2196 if (!TEST_int_le(SSL_accept(serverssl), 0)
2197 || !TEST_int_gt(SSL_connect(clientssl), 0)
2198 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2199 SSL_EARLY_DATA_REJECTED)
2200 || !TEST_int_gt(SSL_accept(serverssl), 0)
2201 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2202 SSL_EARLY_DATA_REJECTED))
2203 goto end;
2204
2205 /* Send some normal data from client to server */
2206 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2207 || !TEST_size_t_eq(written, strlen(MSG2)))
2208 goto end;
2209
2210 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2212 goto end;
2213
2214 testresult = 1;
2215
2216 end:
2217 /* If using PSK then clientpsk and sess are the same */
2218 SSL_SESSION_free(sess);
2219 SSL_SESSION_free(serverpsk);
2220 clientpsk = serverpsk = NULL;
2221 SSL_free(serverssl);
2222 SSL_free(clientssl);
2223 SSL_CTX_free(sctx);
2224 SSL_CTX_free(cctx);
2225 return testresult;
2226}
2227
2228
2229# ifndef OPENSSL_NO_TLS1_2
2230/*
2231 * Test that a server attempting to read early data can handle a connection
2232 * from a TLSv1.2 client.
2233 */
2234static int test_early_data_tls1_2(int idx)
2235{
2236 SSL_CTX *cctx = NULL, *sctx = NULL;
2237 SSL *clientssl = NULL, *serverssl = NULL;
2238 int testresult = 0;
2239 unsigned char buf[20];
2240 size_t readbytes, written;
2241
2242 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2243 &serverssl, NULL, idx)))
2244 goto end;
2245
2246 /* Write some data - should block due to handshake with server */
2247 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2248 SSL_set_connect_state(clientssl);
2249 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2250 goto end;
2251
2252 /*
2253 * Server should do TLSv1.2 handshake. First it will block waiting for more
2254 * messages from client after ServerDone. Then SSL_read_early_data should
2255 * finish and detect that early data has not been sent
2256 */
2257 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2258 &readbytes),
2259 SSL_READ_EARLY_DATA_ERROR))
2260 goto end;
2261
2262 /*
2263 * Continue writing the message we started earlier. Will still block waiting
2264 * for the CCS/Finished from server
2265 */
2266 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2267 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2268 &readbytes),
2269 SSL_READ_EARLY_DATA_FINISH)
2270 || !TEST_size_t_eq(readbytes, 0)
2271 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2272 SSL_EARLY_DATA_NOT_SENT))
2273 goto end;
2274
2275 /* Continue writing the message we started earlier */
2276 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2277 || !TEST_size_t_eq(written, strlen(MSG1))
2278 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2279 SSL_EARLY_DATA_NOT_SENT)
2280 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2281 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2282 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2283 || !TEST_size_t_eq(written, strlen(MSG2))
2284 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2285 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2286 goto end;
2287
2288 testresult = 1;
2289
2290 end:
2291 /* If using PSK then clientpsk and sess are the same */
2292 SSL_SESSION_free(clientpsk);
2293 SSL_SESSION_free(serverpsk);
2294 clientpsk = serverpsk = NULL;
2295 SSL_free(serverssl);
2296 SSL_free(clientssl);
2297 SSL_CTX_free(sctx);
2298 SSL_CTX_free(cctx);
2299
2300 return testresult;
2301}
2302# endif /* OPENSSL_NO_TLS1_2 */
2303
2304static int test_ciphersuite_change(void)
2305{
2306 SSL_CTX *cctx = NULL, *sctx = NULL;
2307 SSL *clientssl = NULL, *serverssl = NULL;
2308 SSL_SESSION *clntsess = NULL;
2309 int testresult = 0;
2310 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2311
2312 /* Create a session based on SHA-256 */
2313 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2314 TLS_client_method(), &sctx,
2315 &cctx, cert, privkey))
2316 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2317 "TLS13-AES-128-GCM-SHA256"))
2318 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2319 &clientssl, NULL, NULL))
2320 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2321 SSL_ERROR_NONE)))
2322 goto end;
2323
2324 clntsess = SSL_get1_session(clientssl);
2325 /* Save for later */
2326 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2327 SSL_shutdown(clientssl);
2328 SSL_shutdown(serverssl);
2329 SSL_free(serverssl);
2330 SSL_free(clientssl);
2331 serverssl = clientssl = NULL;
2332
2333 /* Check we can resume a session with a different SHA-256 ciphersuite */
2334 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2335 "TLS13-CHACHA20-POLY1305-SHA256"))
2336 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2337 NULL, NULL))
2338 || !TEST_true(SSL_set_session(clientssl, clntsess))
2339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2340 SSL_ERROR_NONE))
2341 || !TEST_true(SSL_session_reused(clientssl)))
2342 goto end;
2343
2344 SSL_SESSION_free(clntsess);
2345 clntsess = SSL_get1_session(clientssl);
2346 SSL_shutdown(clientssl);
2347 SSL_shutdown(serverssl);
2348 SSL_free(serverssl);
2349 SSL_free(clientssl);
2350 serverssl = clientssl = NULL;
2351
2352 /*
2353 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2354 * succeeds but does not resume.
2355 */
2356 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2357 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2358 NULL, NULL))
2359 || !TEST_true(SSL_set_session(clientssl, clntsess))
2360 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2361 SSL_ERROR_SSL))
2362 || !TEST_false(SSL_session_reused(clientssl)))
2363 goto end;
2364
2365 SSL_SESSION_free(clntsess);
2366 clntsess = NULL;
2367 SSL_shutdown(clientssl);
2368 SSL_shutdown(serverssl);
2369 SSL_free(serverssl);
2370 SSL_free(clientssl);
2371 serverssl = clientssl = NULL;
2372
2373 /* Create a session based on SHA384 */
2374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2375 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2376 &clientssl, NULL, NULL))
2377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2378 SSL_ERROR_NONE)))
2379 goto end;
2380
2381 clntsess = SSL_get1_session(clientssl);
2382 SSL_shutdown(clientssl);
2383 SSL_shutdown(serverssl);
2384 SSL_free(serverssl);
2385 SSL_free(clientssl);
2386 serverssl = clientssl = NULL;
2387
2388 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2389 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2390 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2391 "TLS13-AES-256-GCM-SHA384"))
2392 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2393 NULL, NULL))
2394 || !TEST_true(SSL_set_session(clientssl, clntsess))
2395 /*
2396 * We use SSL_ERROR_WANT_READ below so that we can pause the
2397 * connection after the initial ClientHello has been sent to
2398 * enable us to make some session changes.
2399 */
2400 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2401 SSL_ERROR_WANT_READ)))
2402 goto end;
2403
2404 /* Trick the client into thinking this session is for a different digest */
2405 clntsess->cipher = aes_128_gcm_sha256;
2406 clntsess->cipher_id = clntsess->cipher->id;
2407
2408 /*
2409 * Continue the previously started connection. Server has selected a SHA-384
2410 * ciphersuite, but client thinks the session is for SHA-256, so it should
2411 * bail out.
2412 */
2413 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2414 SSL_ERROR_SSL))
2415 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2416 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2417 goto end;
2418
2419 testresult = 1;
2420
2421 end:
2422 SSL_SESSION_free(clntsess);
2423 SSL_free(serverssl);
2424 SSL_free(clientssl);
2425 SSL_CTX_free(sctx);
2426 SSL_CTX_free(cctx);
2427
2428 return testresult;
2429}
2430
2431static int test_tls13_psk(void)
2432{
2433 SSL_CTX *sctx = NULL, *cctx = NULL;
2434 SSL *serverssl = NULL, *clientssl = NULL;
2435 const SSL_CIPHER *cipher = NULL;
2436 const unsigned char key[] = {
2437 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2438 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2439 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2440 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2441 };
2442 int testresult = 0;
2443
2444 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2445 TLS_client_method(), &sctx,
2446 &cctx, cert, privkey)))
2447 goto end;
2448
2449 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2450 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2451 srvid = pskid;
2452 use_session_cb_cnt = 0;
2453 find_session_cb_cnt = 0;
2454
2455 /* Check we can create a connection if callback decides not to send a PSK */
2456 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2457 NULL, NULL))
2458 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2459 SSL_ERROR_NONE))
2460 || !TEST_false(SSL_session_reused(clientssl))
2461 || !TEST_false(SSL_session_reused(serverssl))
2462 || !TEST_true(use_session_cb_cnt == 1)
2463 || !TEST_true(find_session_cb_cnt == 0))
2464 goto end;
2465
2466 shutdown_ssl_connection(serverssl, clientssl);
2467 serverssl = clientssl = NULL;
2468 use_session_cb_cnt = 0;
2469
2470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2471 NULL, NULL)))
2472 goto end;
2473
2474 /* Create the PSK */
2475 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2476 clientpsk = SSL_SESSION_new();
2477 if (!TEST_ptr(clientpsk)
2478 || !TEST_ptr(cipher)
2479 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2480 sizeof(key)))
2481 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2482 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2483 TLS1_3_VERSION))
2484 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2485 goto end;
2486 serverpsk = clientpsk;
2487
2488 /* Check we can create a connection and the PSK is used */
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2490 || !TEST_true(SSL_session_reused(clientssl))
2491 || !TEST_true(SSL_session_reused(serverssl))
2492 || !TEST_true(use_session_cb_cnt == 1)
2493 || !TEST_true(find_session_cb_cnt == 1))
2494 goto end;
2495
2496 shutdown_ssl_connection(serverssl, clientssl);
2497 serverssl = clientssl = NULL;
2498 use_session_cb_cnt = find_session_cb_cnt = 0;
2499
2500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2501 NULL, NULL)))
2502 goto end;
2503
2504 /* Force an HRR */
2505 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2506 goto end;
2507
2508 /*
2509 * Check we can create a connection, the PSK is used and the callbacks are
2510 * called twice.
2511 */
2512 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2513 || !TEST_true(SSL_session_reused(clientssl))
2514 || !TEST_true(SSL_session_reused(serverssl))
2515 || !TEST_true(use_session_cb_cnt == 2)
2516 || !TEST_true(find_session_cb_cnt == 2))
2517 goto end;
2518
2519 shutdown_ssl_connection(serverssl, clientssl);
2520 serverssl = clientssl = NULL;
2521 use_session_cb_cnt = find_session_cb_cnt = 0;
2522
2523 /*
2524 * Check that if the server rejects the PSK we can still connect, but with
2525 * a full handshake
2526 */
2527 srvid = "Dummy Identity";
2528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2529 NULL, NULL))
2530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2531 SSL_ERROR_NONE))
2532 || !TEST_false(SSL_session_reused(clientssl))
2533 || !TEST_false(SSL_session_reused(serverssl))
2534 || !TEST_true(use_session_cb_cnt == 1)
2535 || !TEST_true(find_session_cb_cnt == 1))
2536 goto end;
2537
2538 shutdown_ssl_connection(serverssl, clientssl);
2539 serverssl = clientssl = NULL;
2540 testresult = 1;
2541
2542 end:
2543 SSL_SESSION_free(clientpsk);
2544 SSL_SESSION_free(serverpsk);
2545 clientpsk = serverpsk = NULL;
2546 SSL_free(serverssl);
2547 SSL_free(clientssl);
2548 SSL_CTX_free(sctx);
2549 SSL_CTX_free(cctx);
2550 return testresult;
2551}
2552
2553#endif /* OPENSSL_NO_TLS1_3 */
2554
2555static int clntaddoldcb = 0;
2556static int clntparseoldcb = 0;
2557static int srvaddoldcb = 0;
2558static int srvparseoldcb = 0;
2559static int clntaddnewcb = 0;
2560static int clntparsenewcb = 0;
2561static int srvaddnewcb = 0;
2562static int srvparsenewcb = 0;
2563static int snicb = 0;
2564
2565#define TEST_EXT_TYPE1 0xff00
2566
2567static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2568 size_t *outlen, int *al, void *add_arg)
2569{
2570 int *server = (int *)add_arg;
2571 unsigned char *data;
2572
2573 if (SSL_is_server(s))
2574 srvaddoldcb++;
2575 else
2576 clntaddoldcb++;
2577
2578 if (*server != SSL_is_server(s)
2579 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2580 return -1;
2581
2582 *data = 1;
2583 *out = data;
2584 *outlen = sizeof(char);
2585 return 1;
2586}
2587
2588static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2589 void *add_arg)
2590{
2591 OPENSSL_free((unsigned char *)out);
2592}
2593
2594static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2595 size_t inlen, int *al, void *parse_arg)
2596{
2597 int *server = (int *)parse_arg;
2598
2599 if (SSL_is_server(s))
2600 srvparseoldcb++;
2601 else
2602 clntparseoldcb++;
2603
2604 if (*server != SSL_is_server(s)
2605 || inlen != sizeof(char)
2606 || *in != 1)
2607 return -1;
2608
2609 return 1;
2610}
2611
2612static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2613 const unsigned char **out, size_t *outlen, X509 *x,
2614 size_t chainidx, int *al, void *add_arg)
2615{
2616 int *server = (int *)add_arg;
2617 unsigned char *data;
2618
2619 if (SSL_is_server(s))
2620 srvaddnewcb++;
2621 else
2622 clntaddnewcb++;
2623
2624 if (*server != SSL_is_server(s)
2625 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2626 return -1;
2627
2628 *data = 1;
2629 *out = data;
2630 *outlen = sizeof(*data);
2631 return 1;
2632}
2633
2634static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2635 const unsigned char *out, void *add_arg)
2636{
2637 OPENSSL_free((unsigned char *)out);
2638}
2639
2640static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2641 const unsigned char *in, size_t inlen, X509 *x,
2642 size_t chainidx, int *al, void *parse_arg)
2643{
2644 int *server = (int *)parse_arg;
2645
2646 if (SSL_is_server(s))
2647 srvparsenewcb++;
2648 else
2649 clntparsenewcb++;
2650
2651 if (*server != SSL_is_server(s)
2652 || inlen != sizeof(char) || *in != 1)
2653 return -1;
2654
2655 return 1;
2656}
2657
2658static int sni_cb(SSL *s, int *al, void *arg)
2659{
2660 SSL_CTX *ctx = (SSL_CTX *)arg;
2661
2662 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2663 *al = SSL_AD_INTERNAL_ERROR;
2664 return SSL_TLSEXT_ERR_ALERT_FATAL;
2665 }
2666 snicb++;
2667 return SSL_TLSEXT_ERR_OK;
2668}
2669
2670/*
2671 * Custom call back tests.
2672 * Test 0: Old style callbacks in TLSv1.2
2673 * Test 1: New style callbacks in TLSv1.2
2674 * Test 2: New style callbacks in TLSv1.2 with SNI
2675 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2676 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2677 */
2678static int test_custom_exts(int tst)
2679{
2680 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2681 SSL *clientssl = NULL, *serverssl = NULL;
2682 int testresult = 0;
2683 static int server = 1;
2684 static int client = 0;
2685 SSL_SESSION *sess = NULL;
2686 unsigned int context;
2687
2688 /* Reset callback counters */
2689 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2690 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2691 snicb = 0;
2692
2693 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2694 TLS_client_method(), &sctx,
2695 &cctx, cert, privkey)))
2696 goto end;
2697
2698 if (tst == 2
2699 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2700 NULL, cert, privkey)))
2701 goto end;
2702
2703
2704 if (tst < 3) {
2705 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2706 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2707 if (sctx2 != NULL)
2708 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2709 }
2710
2711 if (tst == 4) {
2712 context = SSL_EXT_CLIENT_HELLO
2713 | SSL_EXT_TLS1_2_SERVER_HELLO
2714 | SSL_EXT_TLS1_3_SERVER_HELLO
2715 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2716 | SSL_EXT_TLS1_3_CERTIFICATE
2717 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2718 } else {
2719 context = SSL_EXT_CLIENT_HELLO
2720 | SSL_EXT_TLS1_2_SERVER_HELLO
2721 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2722 }
2723
2724 /* Create a client side custom extension */
2725 if (tst == 0) {
2726 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2727 old_add_cb, old_free_cb,
2728 &client, old_parse_cb,
2729 &client)))
2730 goto end;
2731 } else {
2732 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2733 new_add_cb, new_free_cb,
2734 &client, new_parse_cb, &client)))
2735 goto end;
2736 }
2737
2738 /* Should not be able to add duplicates */
2739 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2740 old_add_cb, old_free_cb,
2741 &client, old_parse_cb,
2742 &client))
2743 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2744 context, new_add_cb,
2745 new_free_cb, &client,
2746 new_parse_cb, &client)))
2747 goto end;
2748
2749 /* Create a server side custom extension */
2750 if (tst == 0) {
2751 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2752 old_add_cb, old_free_cb,
2753 &server, old_parse_cb,
2754 &server)))
2755 goto end;
2756 } else {
2757 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2758 new_add_cb, new_free_cb,
2759 &server, new_parse_cb, &server)))
2760 goto end;
2761 if (sctx2 != NULL
2762 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2763 context, new_add_cb,
2764 new_free_cb, &server,
2765 new_parse_cb, &server)))
2766 goto end;
2767 }
2768
2769 /* Should not be able to add duplicates */
2770 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2771 old_add_cb, old_free_cb,
2772 &server, old_parse_cb,
2773 &server))
2774 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2775 context, new_add_cb,
2776 new_free_cb, &server,
2777 new_parse_cb, &server)))
2778 goto end;
2779
2780 if (tst == 2) {
2781 /* Set up SNI */
2782 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2783 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2784 goto end;
2785 }
2786
2787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2788 &clientssl, NULL, NULL))
2789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2790 SSL_ERROR_NONE)))
2791 goto end;
2792
2793 if (tst == 0) {
2794 if (clntaddoldcb != 1
2795 || clntparseoldcb != 1
2796 || srvaddoldcb != 1
2797 || srvparseoldcb != 1)
2798 goto end;
2799 } else if (tst == 1 || tst == 2 || tst == 3) {
2800 if (clntaddnewcb != 1
2801 || clntparsenewcb != 1
2802 || srvaddnewcb != 1
2803 || srvparsenewcb != 1
2804 || (tst != 2 && snicb != 0)
2805 || (tst == 2 && snicb != 1))
2806 goto end;
2807 } else {
2808 if (clntaddnewcb != 1
2809 || clntparsenewcb != 4
2810 || srvaddnewcb != 4
2811 || srvparsenewcb != 1)
2812 goto end;
2813 }
2814
2815 sess = SSL_get1_session(clientssl);
2816 SSL_shutdown(clientssl);
2817 SSL_shutdown(serverssl);
2818 SSL_free(serverssl);
2819 SSL_free(clientssl);
2820 serverssl = clientssl = NULL;
2821
2822 if (tst == 3) {
2823 /* We don't bother with the resumption aspects for this test */
2824 testresult = 1;
2825 goto end;
2826 }
2827
2828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2829 NULL, NULL))
2830 || !TEST_true(SSL_set_session(clientssl, sess))
2831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2832 SSL_ERROR_NONE)))
2833 goto end;
2834
2835 /*
2836 * For a resumed session we expect to add the ClientHello extension. For the
2837 * old style callbacks we ignore it on the server side because they set
2838 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2839 * them.
2840 */
2841 if (tst == 0) {
2842 if (clntaddoldcb != 2
2843 || clntparseoldcb != 1
2844 || srvaddoldcb != 1
2845 || srvparseoldcb != 1)
2846 goto end;
2847 } else if (tst == 1 || tst == 2 || tst == 3) {
2848 if (clntaddnewcb != 2
2849 || clntparsenewcb != 2
2850 || srvaddnewcb != 2
2851 || srvparsenewcb != 2)
2852 goto end;
2853 } else {
2854 /* No Certificate message extensions in the resumption handshake */
2855 if (clntaddnewcb != 2
2856 || clntparsenewcb != 7
2857 || srvaddnewcb != 7
2858 || srvparsenewcb != 2)
2859 goto end;
2860 }
2861
2862 testresult = 1;
2863
2864end:
2865 SSL_SESSION_free(sess);
2866 SSL_free(serverssl);
2867 SSL_free(clientssl);
2868 SSL_CTX_free(sctx2);
2869 SSL_CTX_free(sctx);
2870 SSL_CTX_free(cctx);
2871 return testresult;
2872}
2873
2874/*
2875 * Test loading of serverinfo data in various formats. test_sslmessages actually
2876 * tests to make sure the extensions appear in the handshake
2877 */
2878static int test_serverinfo(int tst)
2879{
2880 unsigned int version;
2881 unsigned char *sibuf;
2882 size_t sibuflen;
2883 int ret, expected, testresult = 0;
2884 SSL_CTX *ctx;
2885
2886 ctx = SSL_CTX_new(TLS_method());
2887 if (!TEST_ptr(ctx))
2888 goto end;
2889
2890 if ((tst & 0x01) == 0x01)
2891 version = SSL_SERVERINFOV2;
2892 else
2893 version = SSL_SERVERINFOV1;
2894
2895 if ((tst & 0x02) == 0x02) {
2896 sibuf = serverinfov2;
2897 sibuflen = sizeof(serverinfov2);
2898 expected = (version == SSL_SERVERINFOV2);
2899 } else {
2900 sibuf = serverinfov1;
2901 sibuflen = sizeof(serverinfov1);
2902 expected = (version == SSL_SERVERINFOV1);
2903 }
2904
2905 if ((tst & 0x04) == 0x04) {
2906 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2907 } else {
2908 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2909
2910 /*
2911 * The version variable is irrelevant in this case - it's what is in the
2912 * buffer that matters
2913 */
2914 if ((tst & 0x02) == 0x02)
2915 expected = 0;
2916 else
2917 expected = 1;
2918 }
2919
2920 if (!TEST_true(ret == expected))
2921 goto end;
2922
2923 testresult = 1;
2924
2925 end:
2926 SSL_CTX_free(ctx);
2927
2928 return testresult;
2929}
2930
2931/*
2932 * Test that SSL_export_keying_material() produces expected results. There are
2933 * no test vectors so all we do is test that both sides of the communication
2934 * produce the same results for different protocol versions.
2935 */
2936static int test_export_key_mat(int tst)
2937{
2938 int testresult = 0;
2939 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2940 SSL *clientssl = NULL, *serverssl = NULL;
2941 const char label[] = "test label";
2942 const unsigned char context[] = "context";
2943 const unsigned char *emptycontext = NULL;
2944 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2945 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2946 const int protocols[] = {
2947 TLS1_VERSION,
2948 TLS1_1_VERSION,
2949 TLS1_2_VERSION,
2950 TLS1_3_VERSION
2951 };
2952
2953#ifdef OPENSSL_NO_TLS1
2954 if (tst == 0)
2955 return 1;
2956#endif
2957#ifdef OPENSSL_NO_TLS1_1
2958 if (tst == 1)
2959 return 1;
2960#endif
2961#ifdef OPENSSL_NO_TLS1_2
2962 if (tst == 2)
2963 return 1;
2964#endif
2965#ifdef OPENSSL_NO_TLS1_3
2966 if (tst == 3)
2967 return 1;
2968#endif
2969 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2970 TLS_client_method(), &sctx,
2971 &cctx, cert, privkey)))
2972 goto end;
2973
2974 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2975 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2976 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2977
2978 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2979 NULL))
2980 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2981 SSL_ERROR_NONE)))
2982 goto end;
2983
2984 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2985 sizeof(ckeymat1), label,
2986 sizeof(label) - 1, context,
2987 sizeof(context) - 1, 1), 1)
2988 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2989 sizeof(ckeymat2), label,
2990 sizeof(label) - 1,
2991 emptycontext,
2992 0, 1), 1)
2993 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2994 sizeof(ckeymat3), label,
2995 sizeof(label) - 1,
2996 NULL, 0, 0), 1)
2997 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2998 sizeof(skeymat1), label,
2999 sizeof(label) - 1,
3000 context,
3001 sizeof(context) -1, 1),
3002 1)
3003 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3004 sizeof(skeymat2), label,
3005 sizeof(label) - 1,
3006 emptycontext,
3007 0, 1), 1)
3008 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3009 sizeof(skeymat3), label,
3010 sizeof(label) - 1,
3011 NULL, 0, 0), 1)
3012 /*
3013 * Check that both sides created the same key material with the
3014 * same context.
3015 */
3016 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3017 sizeof(skeymat1))
3018 /*
3019 * Check that both sides created the same key material with an
3020 * empty context.
3021 */
3022 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3023 sizeof(skeymat2))
3024 /*
3025 * Check that both sides created the same key material without a
3026 * context.
3027 */
3028 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3029 sizeof(skeymat3))
3030 /* Different contexts should produce different results */
3031 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3032 sizeof(ckeymat2)))
3033 goto end;
3034
3035 /*
3036 * Check that an empty context and no context produce different results in
3037 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3038 */
3039 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3040 sizeof(ckeymat3)))
3041 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3042 sizeof(ckeymat3))))
3043 goto end;
3044
3045 testresult = 1;
3046
3047 end:
3048 SSL_free(serverssl);
3049 SSL_free(clientssl);
3050 SSL_CTX_free(sctx2);
3051 SSL_CTX_free(sctx);
3052 SSL_CTX_free(cctx);
3053
3054 return testresult;
3055}
3056
3057static int test_ssl_clear(int idx)
3058{
3059 SSL_CTX *cctx = NULL, *sctx = NULL;
3060 SSL *clientssl = NULL, *serverssl = NULL;
3061 int testresult = 0;
3062
3063#ifdef OPENSSL_NO_TLS1_2
3064 if (idx == 1)
3065 return 1;
3066#endif
3067
3068 /* Create an initial connection */
3069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3070 TLS_client_method(), &sctx,
3071 &cctx, cert, privkey))
3072 || (idx == 1
3073 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3074 TLS1_2_VERSION)))
3075 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3076 &clientssl, NULL, NULL))
3077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3078 SSL_ERROR_NONE)))
3079 goto end;
3080
3081 SSL_shutdown(clientssl);
3082 SSL_shutdown(serverssl);
3083 SSL_free(serverssl);
3084 serverssl = NULL;
3085
3086 /* Clear clientssl - we're going to reuse the object */
3087 if (!TEST_true(SSL_clear(clientssl)))
3088 goto end;
3089
3090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3091 NULL, NULL))
3092 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3093 SSL_ERROR_NONE))
3094 || !TEST_true(SSL_session_reused(clientssl)))
3095 goto end;
3096
3097 SSL_shutdown(clientssl);
3098 SSL_shutdown(serverssl);
3099
3100 testresult = 1;
3101
3102 end:
3103 SSL_free(serverssl);
3104 SSL_free(clientssl);
3105 SSL_CTX_free(sctx);
3106 SSL_CTX_free(cctx);
3107
3108 return testresult;
3109}
3110
3111int setup_tests(void)
3112{
3113 if (!TEST_ptr(cert = test_get_argument(0))
3114 || !TEST_ptr(privkey = test_get_argument(1)))
3115 return 0;
3116
3117 ADD_TEST(test_large_message_tls);
3118 ADD_TEST(test_large_message_tls_read_ahead);
3119#ifndef OPENSSL_NO_DTLS
3120 ADD_TEST(test_large_message_dtls);
3121#endif
3122#ifndef OPENSSL_NO_OCSP
3123 ADD_TEST(test_tlsext_status_type);
3124#endif
3125 ADD_TEST(test_session_with_only_int_cache);
3126 ADD_TEST(test_session_with_only_ext_cache);
3127 ADD_TEST(test_session_with_both_cache);
3128 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3129 ADD_TEST(test_ssl_bio_pop_next_bio);
3130 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3131 ADD_TEST(test_ssl_bio_change_rbio);
3132 ADD_TEST(test_ssl_bio_change_wbio);
3133 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3134 ADD_TEST(test_keylog);
3135#ifndef OPENSSL_NO_TLS1_3
3136 ADD_TEST(test_keylog_no_master_key);
3137#endif
3138#ifndef OPENSSL_NO_TLS1_2
3139 ADD_TEST(test_client_hello_cb);
3140#endif
3141#ifndef OPENSSL_NO_TLS1_3
3142 ADD_ALL_TESTS(test_early_data_read_write, 3);
3143 ADD_ALL_TESTS(test_early_data_skip, 3);
3144 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3145 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3146 ADD_ALL_TESTS(test_early_data_psk, 8);
3147 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3148# ifndef OPENSSL_NO_TLS1_2
3149 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3150# endif
3151#endif
3152#ifndef OPENSSL_NO_TLS1_3
3153 ADD_TEST(test_ciphersuite_change);
3154 ADD_TEST(test_tls13_psk);
3155 ADD_ALL_TESTS(test_custom_exts, 5);
3156#else
3157 ADD_ALL_TESTS(test_custom_exts, 3);
3158#endif
3159 ADD_ALL_TESTS(test_serverinfo, 8);
3160 ADD_ALL_TESTS(test_export_key_mat, 4);
3161 ADD_ALL_TESTS(test_ssl_clear, 2);
3162 return 1;
3163}
3164
3165void cleanup_tests(void)
3166{
3167 bio_s_mempacket_test_free();
3168}
A mirror of the official openssl repository