]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Always call the new_session_cb when issuing a NewSessionTicket in TLSv1.3
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17
18 #include "ssltestlib.h"
19 #include "testutil.h"
20 #include "testutil/output.h"
21 #include "internal/nelem.h"
22 #include "../ssl/ssl_locl.h"
23
24 static char *cert = NULL;
25 static char *privkey = NULL;
26
27 #define LOG_BUFFER_SIZE 1024
28 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
29 static size_t server_log_buffer_index = 0;
30 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
31 static size_t client_log_buffer_index = 0;
32 static int error_writing_log = 0;
33
34 #ifndef OPENSSL_NO_OCSP
35 static const unsigned char orespder[] = "Dummy OCSP Response";
36 static int ocsp_server_called = 0;
37 static int ocsp_client_called = 0;
38
39 static int cdummyarg = 1;
40 static X509 *ocspcert = NULL;
41 #endif
42
43 #define NUM_EXTRA_CERTS 40
44 #define CLIENT_VERSION_LEN 2
45
46 /*
47 * This structure is used to validate that the correct number of log messages
48 * of various types are emitted when emitting secret logs.
49 */
50 struct sslapitest_log_counts {
51 unsigned int rsa_key_exchange_count;
52 unsigned int master_secret_count;
53 unsigned int client_handshake_secret_count;
54 unsigned int server_handshake_secret_count;
55 unsigned int client_application_secret_count;
56 unsigned int server_application_secret_count;
57 };
58
59
60 static unsigned char serverinfov1[] = {
61 0xff, 0xff, /* Dummy extension type */
62 0x00, 0x01, /* Extension length is 1 byte */
63 0xff /* Dummy extension data */
64 };
65
66 static unsigned char serverinfov2[] = {
67 0x00, 0x00, 0x00,
68 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72 };
73
74 static void client_keylog_callback(const SSL *ssl, const char *line)
75 {
76 int line_length = strlen(line);
77
78 /* If the log doesn't fit, error out. */
79 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
80 TEST_info("Client log too full");
81 error_writing_log = 1;
82 return;
83 }
84
85 strcat(client_log_buffer, line);
86 client_log_buffer_index += line_length;
87 client_log_buffer[client_log_buffer_index++] = '\n';
88 }
89
90 static void server_keylog_callback(const SSL *ssl, const char *line)
91 {
92 int line_length = strlen(line);
93
94 /* If the log doesn't fit, error out. */
95 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
96 TEST_info("Server log too full");
97 error_writing_log = 1;
98 return;
99 }
100
101 strcat(server_log_buffer, line);
102 server_log_buffer_index += line_length;
103 server_log_buffer[server_log_buffer_index++] = '\n';
104 }
105
106 static int compare_hex_encoded_buffer(const char *hex_encoded,
107 size_t hex_length,
108 const uint8_t *raw,
109 size_t raw_length)
110 {
111 size_t i, j;
112 char hexed[3];
113
114 if (!TEST_size_t_eq(raw_length * 2, hex_length))
115 return 1;
116
117 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
118 sprintf(hexed, "%02x", raw[i]);
119 if (!TEST_int_eq(hexed[0], hex_encoded[j])
120 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
121 return 1;
122 }
123
124 return 0;
125 }
126
127 static int test_keylog_output(char *buffer, const SSL *ssl,
128 const SSL_SESSION *session,
129 struct sslapitest_log_counts *expected)
130 {
131 char *token = NULL;
132 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
133 size_t client_random_size = SSL3_RANDOM_SIZE;
134 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
135 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
136 unsigned int rsa_key_exchange_count = 0;
137 unsigned int master_secret_count = 0;
138 unsigned int client_handshake_secret_count = 0;
139 unsigned int server_handshake_secret_count = 0;
140 unsigned int client_application_secret_count = 0;
141 unsigned int server_application_secret_count = 0;
142
143 for (token = strtok(buffer, " \n"); token != NULL;
144 token = strtok(NULL, " \n")) {
145 if (strcmp(token, "RSA") == 0) {
146 /*
147 * Premaster secret. Tokens should be: 16 ASCII bytes of
148 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 * secret.
150 */
151 if (!TEST_ptr(token = strtok(NULL, " \n")))
152 return 0;
153 if (!TEST_size_t_eq(strlen(token), 16))
154 return 0;
155 if (!TEST_ptr(token = strtok(NULL, " \n")))
156 return 0;
157 /*
158 * We can't sensibly check the log because the premaster secret is
159 * transient, and OpenSSL doesn't keep hold of it once the master
160 * secret is generated.
161 */
162 rsa_key_exchange_count++;
163 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
164 /*
165 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
166 * client random, then the hex-encoded master secret.
167 */
168 client_random_size = SSL_get_client_random(ssl,
169 actual_client_random,
170 SSL3_RANDOM_SIZE);
171 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
172 return 0;
173
174 if (!TEST_ptr(token = strtok(NULL, " \n")))
175 return 0;
176 if (!TEST_size_t_eq(strlen(token), 64))
177 return 0;
178 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
179 actual_client_random,
180 client_random_size)))
181 return 0;
182
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
184 return 0;
185 master_key_size = SSL_SESSION_get_master_key(session,
186 actual_master_key,
187 master_key_size);
188 if (!TEST_size_t_ne(master_key_size, 0))
189 return 0;
190 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
191 actual_master_key,
192 master_key_size)))
193 return 0;
194 master_secret_count++;
195 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
197 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
198 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
199 /*
200 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
201 * client random, and then the hex-encoded secret. In this case,
202 * we treat all of these secrets identically and then just
203 * distinguish between them when counting what we saw.
204 */
205 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 client_handshake_secret_count++;
207 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
208 server_handshake_secret_count++;
209 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
210 client_application_secret_count++;
211 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
212 server_application_secret_count++;
213
214 client_random_size = SSL_get_client_random(ssl,
215 actual_client_random,
216 SSL3_RANDOM_SIZE);
217 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
218 return 0;
219
220 if (!TEST_ptr(token = strtok(NULL, " \n")))
221 return 0;
222 if (!TEST_size_t_eq(strlen(token), 64))
223 return 0;
224 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
225 actual_client_random,
226 client_random_size)))
227 return 0;
228
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231
232 /*
233 * TODO(TLS1.3): test that application traffic secrets are what
234 * we expect */
235 } else {
236 TEST_info("Unexpected token %s\n", token);
237 return 0;
238 }
239 }
240
241 /* Got what we expected? */
242 if (!TEST_size_t_eq(rsa_key_exchange_count,
243 expected->rsa_key_exchange_count)
244 || !TEST_size_t_eq(master_secret_count,
245 expected->master_secret_count)
246 || !TEST_size_t_eq(client_handshake_secret_count,
247 expected->client_handshake_secret_count)
248 || !TEST_size_t_eq(server_handshake_secret_count,
249 expected->server_handshake_secret_count)
250 || !TEST_size_t_eq(client_application_secret_count,
251 expected->client_application_secret_count)
252 || !TEST_size_t_eq(server_application_secret_count,
253 expected->server_application_secret_count))
254 return 0;
255 return 1;
256 }
257
258 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
259 static int test_keylog(void)
260 {
261 SSL_CTX *cctx = NULL, *sctx = NULL;
262 SSL *clientssl = NULL, *serverssl = NULL;
263 int testresult = 0;
264 struct sslapitest_log_counts expected = {0};
265
266 /* Clean up logging space */
267 memset(client_log_buffer, 0, sizeof(client_log_buffer));
268 memset(server_log_buffer, 0, sizeof(server_log_buffer));
269 client_log_buffer_index = 0;
270 server_log_buffer_index = 0;
271 error_writing_log = 0;
272
273 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
274 TLS_client_method(),
275 &sctx, &cctx, cert, privkey)))
276 return 0;
277
278 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
279 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
280 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
281
282 /* We also want to ensure that we use RSA-based key exchange. */
283 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
284 goto end;
285
286 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
287 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
288 goto end;
289 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
290 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
291 == client_keylog_callback))
292 goto end;
293 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
294 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
295 == server_keylog_callback))
296 goto end;
297
298 /* Now do a handshake and check that the logs have been written to. */
299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
300 &clientssl, NULL, NULL))
301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
302 SSL_ERROR_NONE))
303 || !TEST_false(error_writing_log)
304 || !TEST_int_gt(client_log_buffer_index, 0)
305 || !TEST_int_gt(server_log_buffer_index, 0))
306 goto end;
307
308 /*
309 * Now we want to test that our output data was vaguely sensible. We
310 * do that by using strtok and confirming that we have more or less the
311 * data we expect. For both client and server, we expect to see one master
312 * secret. The client should also see a RSA key exchange.
313 */
314 expected.rsa_key_exchange_count = 1;
315 expected.master_secret_count = 1;
316 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
317 SSL_get_session(clientssl), &expected)))
318 goto end;
319
320 expected.rsa_key_exchange_count = 0;
321 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
322 SSL_get_session(serverssl), &expected)))
323 goto end;
324
325 testresult = 1;
326
327 end:
328 SSL_free(serverssl);
329 SSL_free(clientssl);
330 SSL_CTX_free(sctx);
331 SSL_CTX_free(cctx);
332
333 return testresult;
334 }
335 #endif
336
337 #ifndef OPENSSL_NO_TLS1_3
338 static int test_keylog_no_master_key(void)
339 {
340 SSL_CTX *cctx = NULL, *sctx = NULL;
341 SSL *clientssl = NULL, *serverssl = NULL;
342 int testresult = 0;
343 struct sslapitest_log_counts expected = {0};
344
345 /* Clean up logging space */
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
351
352 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
353 TLS_client_method(), &sctx,
354 &cctx, cert, privkey)))
355 return 0;
356
357 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
358 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
359 goto end;
360
361 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
363 == client_keylog_callback))
364 goto end;
365
366 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
367 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
368 == server_keylog_callback))
369 goto end;
370
371 /* Now do a handshake and check that the logs have been written to. */
372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
373 &clientssl, NULL, NULL))
374 || !TEST_true(create_ssl_connection(serverssl, clientssl,
375 SSL_ERROR_NONE))
376 || !TEST_false(error_writing_log))
377 goto end;
378
379 /*
380 * Now we want to test that our output data was vaguely sensible. For this
381 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
382 * TLSv1.3, but we do expect both client and server to emit keys.
383 */
384 expected.client_handshake_secret_count = 1;
385 expected.server_handshake_secret_count = 1;
386 expected.client_application_secret_count = 1;
387 expected.server_application_secret_count = 1;
388 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
389 SSL_get_session(clientssl), &expected))
390 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
391 SSL_get_session(serverssl),
392 &expected)))
393 goto end;
394
395 testresult = 1;
396
397 end:
398 SSL_free(serverssl);
399 SSL_free(clientssl);
400 SSL_CTX_free(sctx);
401 SSL_CTX_free(cctx);
402
403 return testresult;
404 }
405 #endif
406
407 #ifndef OPENSSL_NO_TLS1_2
408 static int full_client_hello_callback(SSL *s, int *al, void *arg)
409 {
410 int *ctr = arg;
411 const unsigned char *p;
412 int *exts;
413 /* We only configure two ciphers, but the SCSV is added automatically. */
414 #ifdef OPENSSL_NO_EC
415 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
416 #else
417 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
418 0x2c, 0x00, 0xff};
419 #endif
420 const int expected_extensions[] = {
421 #ifndef OPENSSL_NO_EC
422 11, 10,
423 #endif
424 35, 22, 23, 13};
425 size_t len;
426
427 /* Make sure we can defer processing and get called back. */
428 if ((*ctr)++ == 0)
429 return SSL_CLIENT_HELLO_RETRY;
430
431 len = SSL_client_hello_get0_ciphers(s, &p);
432 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
433 || !TEST_size_t_eq(
434 SSL_client_hello_get0_compression_methods(s, &p), 1)
435 || !TEST_int_eq(*p, 0))
436 return SSL_CLIENT_HELLO_ERROR;
437 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
438 return SSL_CLIENT_HELLO_ERROR;
439 if (len != OSSL_NELEM(expected_extensions) ||
440 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
441 printf("ClientHello callback expected extensions mismatch\n");
442 OPENSSL_free(exts);
443 return SSL_CLIENT_HELLO_ERROR;
444 }
445 OPENSSL_free(exts);
446 return SSL_CLIENT_HELLO_SUCCESS;
447 }
448
449 static int test_client_hello_cb(void)
450 {
451 SSL_CTX *cctx = NULL, *sctx = NULL;
452 SSL *clientssl = NULL, *serverssl = NULL;
453 int testctr = 0, testresult = 0;
454
455 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
456 TLS_client_method(), &sctx,
457 &cctx, cert, privkey)))
458 goto end;
459 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
460
461 /* The gimpy cipher list we configure can't do TLS 1.3. */
462 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
463
464 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
465 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
469 SSL_ERROR_WANT_CLIENT_HELLO_CB))
470 /*
471 * Passing a -1 literal is a hack since
472 * the real value was lost.
473 * */
474 || !TEST_int_eq(SSL_get_error(serverssl, -1),
475 SSL_ERROR_WANT_CLIENT_HELLO_CB)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 SSL_ERROR_NONE)))
478 goto end;
479
480 testresult = 1;
481
482 end:
483 SSL_free(serverssl);
484 SSL_free(clientssl);
485 SSL_CTX_free(sctx);
486 SSL_CTX_free(cctx);
487
488 return testresult;
489 }
490 #endif
491
492 static int execute_test_large_message(const SSL_METHOD *smeth,
493 const SSL_METHOD *cmeth, int read_ahead)
494 {
495 SSL_CTX *cctx = NULL, *sctx = NULL;
496 SSL *clientssl = NULL, *serverssl = NULL;
497 int testresult = 0;
498 int i;
499 BIO *certbio = NULL;
500 X509 *chaincert = NULL;
501 int certlen;
502
503 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
504 goto end;
505 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
506 BIO_free(certbio);
507 certbio = NULL;
508 if (!TEST_ptr(chaincert))
509 goto end;
510
511 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
512 &cctx, cert, privkey)))
513 goto end;
514
515 if (read_ahead) {
516 /*
517 * Test that read_ahead works correctly when dealing with large
518 * records
519 */
520 SSL_CTX_set_read_ahead(cctx, 1);
521 }
522
523 /*
524 * We assume the supplied certificate is big enough so that if we add
525 * NUM_EXTRA_CERTS it will make the overall message large enough. The
526 * default buffer size is requested to be 16k, but due to the way BUF_MEM
527 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
528 * test we need to have a message larger than that.
529 */
530 certlen = i2d_X509(chaincert, NULL);
531 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
532 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
533 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
534 if (!X509_up_ref(chaincert))
535 goto end;
536 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
537 X509_free(chaincert);
538 goto end;
539 }
540 }
541
542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
543 NULL, NULL))
544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
545 SSL_ERROR_NONE)))
546 goto end;
547
548 /*
549 * Calling SSL_clear() first is not required but this tests that SSL_clear()
550 * doesn't leak (when using enable-crypto-mdebug).
551 */
552 if (!TEST_true(SSL_clear(serverssl)))
553 goto end;
554
555 testresult = 1;
556 end:
557 X509_free(chaincert);
558 SSL_free(serverssl);
559 SSL_free(clientssl);
560 SSL_CTX_free(sctx);
561 SSL_CTX_free(cctx);
562
563 return testresult;
564 }
565
566 static int test_large_message_tls(void)
567 {
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
569 0);
570 }
571
572 static int test_large_message_tls_read_ahead(void)
573 {
574 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
575 1);
576 }
577
578 #ifndef OPENSSL_NO_DTLS
579 static int test_large_message_dtls(void)
580 {
581 /*
582 * read_ahead is not relevant to DTLS because DTLS always acts as if
583 * read_ahead is set.
584 */
585 return execute_test_large_message(DTLS_server_method(),
586 DTLS_client_method(), 0);
587 }
588 #endif
589
590 #ifndef OPENSSL_NO_OCSP
591 static int ocsp_server_cb(SSL *s, void *arg)
592 {
593 int *argi = (int *)arg;
594 unsigned char *copy = NULL;
595 STACK_OF(OCSP_RESPID) *ids = NULL;
596 OCSP_RESPID *id = NULL;
597
598 if (*argi == 2) {
599 /* In this test we are expecting exactly 1 OCSP_RESPID */
600 SSL_get_tlsext_status_ids(s, &ids);
601 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603
604 id = sk_OCSP_RESPID_value(ids, 0);
605 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607 } else if (*argi != 1) {
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
609 }
610
611 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
612 return SSL_TLSEXT_ERR_ALERT_FATAL;
613
614 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
615 ocsp_server_called = 1;
616 return SSL_TLSEXT_ERR_OK;
617 }
618
619 static int ocsp_client_cb(SSL *s, void *arg)
620 {
621 int *argi = (int *)arg;
622 const unsigned char *respderin;
623 size_t len;
624
625 if (*argi != 1 && *argi != 2)
626 return 0;
627
628 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
629 if (!TEST_mem_eq(orespder, len, respderin, len))
630 return 0;
631
632 ocsp_client_called = 1;
633 return 1;
634 }
635
636 static int test_tlsext_status_type(void)
637 {
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
640 int testresult = 0;
641 STACK_OF(OCSP_RESPID) *ids = NULL;
642 OCSP_RESPID *id = NULL;
643 BIO *certbio = NULL;
644
645 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
646 &cctx, cert, privkey))
647 return 0;
648
649 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
650 goto end;
651
652 /* First just do various checks getting and setting tlsext_status_type */
653
654 clientssl = SSL_new(cctx);
655 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
656 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
657 TLSEXT_STATUSTYPE_ocsp))
658 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
659 TLSEXT_STATUSTYPE_ocsp))
660 goto end;
661
662 SSL_free(clientssl);
663 clientssl = NULL;
664
665 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
666 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
667 goto end;
668
669 clientssl = SSL_new(cctx);
670 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
671 goto end;
672 SSL_free(clientssl);
673 clientssl = NULL;
674
675 /*
676 * Now actually do a handshake and check OCSP information is exchanged and
677 * the callbacks get called
678 */
679 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
680 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
681 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
682 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
684 &clientssl, NULL, NULL))
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
686 SSL_ERROR_NONE))
687 || !TEST_true(ocsp_client_called)
688 || !TEST_true(ocsp_server_called))
689 goto end;
690 SSL_free(serverssl);
691 SSL_free(clientssl);
692 serverssl = NULL;
693 clientssl = NULL;
694
695 /* Try again but this time force the server side callback to fail */
696 ocsp_client_called = 0;
697 ocsp_server_called = 0;
698 cdummyarg = 0;
699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
700 &clientssl, NULL, NULL))
701 /* This should fail because the callback will fail */
702 || !TEST_false(create_ssl_connection(serverssl, clientssl,
703 SSL_ERROR_NONE))
704 || !TEST_false(ocsp_client_called)
705 || !TEST_false(ocsp_server_called))
706 goto end;
707 SSL_free(serverssl);
708 SSL_free(clientssl);
709 serverssl = NULL;
710 clientssl = NULL;
711
712 /*
713 * This time we'll get the client to send an OCSP_RESPID that it will
714 * accept.
715 */
716 ocsp_client_called = 0;
717 ocsp_server_called = 0;
718 cdummyarg = 2;
719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
720 &clientssl, NULL, NULL)))
721 goto end;
722
723 /*
724 * We'll just use any old cert for this test - it doesn't have to be an OCSP
725 * specific one. We'll use the server cert.
726 */
727 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
728 || !TEST_ptr(id = OCSP_RESPID_new())
729 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
730 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
731 NULL, NULL, NULL))
732 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
733 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
734 goto end;
735 id = NULL;
736 SSL_set_tlsext_status_ids(clientssl, ids);
737 /* Control has been transferred */
738 ids = NULL;
739
740 BIO_free(certbio);
741 certbio = NULL;
742
743 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
744 SSL_ERROR_NONE))
745 || !TEST_true(ocsp_client_called)
746 || !TEST_true(ocsp_server_called))
747 goto end;
748
749 testresult = 1;
750
751 end:
752 SSL_free(serverssl);
753 SSL_free(clientssl);
754 SSL_CTX_free(sctx);
755 SSL_CTX_free(cctx);
756 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
757 OCSP_RESPID_free(id);
758 BIO_free(certbio);
759 X509_free(ocspcert);
760 ocspcert = NULL;
761
762 return testresult;
763 }
764 #endif
765
766 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
767 static int new_called, remove_called, get_called;
768
769 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
770 {
771 new_called++;
772 /*
773 * sess has been up-refed for us, but we don't actually need it so free it
774 * immediately.
775 */
776 SSL_SESSION_free(sess);
777 return 1;
778 }
779
780 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
781 {
782 remove_called++;
783 }
784
785 static SSL_SESSION *get_sess_val = NULL;
786
787 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
788 int *copy)
789 {
790 get_called++;
791 *copy = 1;
792 return get_sess_val;
793 }
794
795 static int execute_test_session(int maxprot, int use_int_cache,
796 int use_ext_cache)
797 {
798 SSL_CTX *sctx = NULL, *cctx = NULL;
799 SSL *serverssl1 = NULL, *clientssl1 = NULL;
800 SSL *serverssl2 = NULL, *clientssl2 = NULL;
801 # ifndef OPENSSL_NO_TLS1_1
802 SSL *serverssl3 = NULL, *clientssl3 = NULL;
803 # endif
804 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
805 int testresult = 0;
806
807 new_called = remove_called = 0;
808
809 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
810 TLS_client_method(), &sctx,
811 &cctx, cert, privkey)))
812 return 0;
813
814 /*
815 * Only allow the max protocol version so we can force a connection failure
816 * later
817 */
818 SSL_CTX_set_min_proto_version(cctx, maxprot);
819 SSL_CTX_set_max_proto_version(cctx, maxprot);
820
821 /* Set up session cache */
822 if (use_ext_cache) {
823 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
824 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
825 }
826 if (use_int_cache) {
827 /* Also covers instance where both are set */
828 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
829 } else {
830 SSL_CTX_set_session_cache_mode(cctx,
831 SSL_SESS_CACHE_CLIENT
832 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
833 }
834
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
836 NULL, NULL))
837 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
838 SSL_ERROR_NONE))
839 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
840 goto end;
841
842 /* Should fail because it should already be in the cache */
843 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
844 goto end;
845 if (use_ext_cache
846 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
847 goto end;
848
849 new_called = remove_called = 0;
850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
851 &clientssl2, NULL, NULL))
852 || !TEST_true(SSL_set_session(clientssl2, sess1))
853 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
854 SSL_ERROR_NONE))
855 || !TEST_true(SSL_session_reused(clientssl2)))
856 goto end;
857
858 if (maxprot == TLS1_3_VERSION) {
859 /*
860 * In TLSv1.3 we should have created a new session even though we have
861 * resumed. The original session should also have been removed.
862 */
863 if (use_ext_cache
864 && (!TEST_int_eq(new_called, 1)
865 || !TEST_int_eq(remove_called, 1)))
866 goto end;
867 } else {
868 /*
869 * In TLSv1.2 we expect to have resumed so no sessions added or
870 * removed.
871 */
872 if (use_ext_cache
873 && (!TEST_int_eq(new_called, 0)
874 || !TEST_int_eq(remove_called, 0)))
875 goto end;
876 }
877
878 SSL_SESSION_free(sess1);
879 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
880 goto end;
881 shutdown_ssl_connection(serverssl2, clientssl2);
882 serverssl2 = clientssl2 = NULL;
883
884 new_called = remove_called = 0;
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
886 &clientssl2, NULL, NULL))
887 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
888 SSL_ERROR_NONE)))
889 goto end;
890
891 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
892 goto end;
893
894 if (use_ext_cache
895 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
896 goto end;
897
898 new_called = remove_called = 0;
899 /*
900 * This should clear sess2 from the cache because it is a "bad" session.
901 * See SSL_set_session() documentation.
902 */
903 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
904 goto end;
905 if (use_ext_cache
906 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
907 goto end;
908 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
909 goto end;
910
911 if (use_int_cache) {
912 /* Should succeeded because it should not already be in the cache */
913 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
914 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
915 goto end;
916 }
917
918 new_called = remove_called = 0;
919 /* This shouldn't be in the cache so should fail */
920 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
921 goto end;
922
923 if (use_ext_cache
924 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
925 goto end;
926
927 # if !defined(OPENSSL_NO_TLS1_1)
928 new_called = remove_called = 0;
929 /* Force a connection failure */
930 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
932 &clientssl3, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl3, sess1))
934 /* This should fail because of the mismatched protocol versions */
935 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
936 SSL_ERROR_NONE)))
937 goto end;
938
939 /* We should have automatically removed the session from the cache */
940 if (use_ext_cache
941 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
942 goto end;
943
944 /* Should succeed because it should not already be in the cache */
945 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
946 goto end;
947 # endif
948
949 /* Now do some tests for server side caching */
950 if (use_ext_cache) {
951 SSL_CTX_sess_set_new_cb(cctx, NULL);
952 SSL_CTX_sess_set_remove_cb(cctx, NULL);
953 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
954 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
955 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
956 get_sess_val = NULL;
957 }
958
959 SSL_CTX_set_session_cache_mode(cctx, 0);
960 /* Internal caching is the default on the server side */
961 if (!use_int_cache)
962 SSL_CTX_set_session_cache_mode(sctx,
963 SSL_SESS_CACHE_SERVER
964 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
965
966 SSL_free(serverssl1);
967 SSL_free(clientssl1);
968 serverssl1 = clientssl1 = NULL;
969 SSL_free(serverssl2);
970 SSL_free(clientssl2);
971 serverssl2 = clientssl2 = NULL;
972 SSL_SESSION_free(sess1);
973 sess1 = NULL;
974 SSL_SESSION_free(sess2);
975 sess2 = NULL;
976
977 SSL_CTX_set_max_proto_version(sctx, maxprot);
978 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
979 new_called = remove_called = get_called = 0;
980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
981 NULL, NULL))
982 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
983 SSL_ERROR_NONE))
984 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
985 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
986 goto end;
987
988 /* Should fail because it should already be in the cache */
989 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
990 goto end;
991
992 if (use_ext_cache) {
993 SSL_SESSION *tmp = sess2;
994
995 if (!TEST_int_eq(new_called, 1)
996 || !TEST_int_eq(remove_called, 0)
997 || !TEST_int_eq(get_called, 0))
998 goto end;
999 /*
1000 * Delete the session from the internal cache to force a lookup from
1001 * the external cache. We take a copy first because
1002 * SSL_CTX_remove_session() also marks the session as non-resumable.
1003 */
1004 if (use_int_cache) {
1005 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1006 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1007 goto end;
1008 SSL_SESSION_free(sess2);
1009 }
1010 sess2 = tmp;
1011 }
1012
1013 new_called = remove_called = get_called = 0;
1014 get_sess_val = sess2;
1015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1016 &clientssl2, NULL, NULL))
1017 || !TEST_true(SSL_set_session(clientssl2, sess1))
1018 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1019 SSL_ERROR_NONE))
1020 || !TEST_true(SSL_session_reused(clientssl2)))
1021 goto end;
1022
1023 if (use_ext_cache) {
1024 if (!TEST_int_eq(remove_called, 0))
1025 goto end;
1026
1027 if (maxprot == TLS1_3_VERSION) {
1028 /*
1029 * Every time we issue a NewSessionTicket we are creating a new
1030 * session for next time in TLSv1.3
1031 */
1032 if (!TEST_int_eq(new_called, 1)
1033 || !TEST_int_eq(get_called, 0))
1034 goto end;
1035 } else {
1036 if (!TEST_int_eq(new_called, 0)
1037 || !TEST_int_eq(get_called, 1))
1038 goto end;
1039 }
1040 }
1041
1042 testresult = 1;
1043
1044 end:
1045 SSL_free(serverssl1);
1046 SSL_free(clientssl1);
1047 SSL_free(serverssl2);
1048 SSL_free(clientssl2);
1049 # ifndef OPENSSL_NO_TLS1_1
1050 SSL_free(serverssl3);
1051 SSL_free(clientssl3);
1052 # endif
1053 SSL_SESSION_free(sess1);
1054 SSL_SESSION_free(sess2);
1055 SSL_CTX_free(sctx);
1056 SSL_CTX_free(cctx);
1057
1058 return testresult;
1059 }
1060 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1061
1062 static int test_session_with_only_int_cache(void)
1063 {
1064 #ifndef OPENSSL_NO_TLS1_3
1065 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1066 return 0;
1067 #endif
1068
1069 #ifndef OPENSSL_NO_TLS1_2
1070 return execute_test_session(TLS1_2_VERSION, 1, 0);
1071 #else
1072 return 1;
1073 #endif
1074 }
1075
1076 static int test_session_with_only_ext_cache(void)
1077 {
1078 #ifndef OPENSSL_NO_TLS1_3
1079 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1080 return 0;
1081 #endif
1082
1083 #ifndef OPENSSL_NO_TLS1_2
1084 return execute_test_session(TLS1_2_VERSION, 0, 1);
1085 #else
1086 return 1;
1087 #endif
1088 }
1089
1090 static int test_session_with_both_cache(void)
1091 {
1092 #ifndef OPENSSL_NO_TLS1_3
1093 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1094 return 0;
1095 #endif
1096
1097 #ifndef OPENSSL_NO_TLS1_2
1098 return execute_test_session(TLS1_2_VERSION, 1, 1);
1099 #else
1100 return 1;
1101 #endif
1102 }
1103
1104 #define USE_NULL 0
1105 #define USE_BIO_1 1
1106 #define USE_BIO_2 2
1107
1108 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1109
1110 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1111 {
1112 switch (type) {
1113 case USE_NULL:
1114 *res = NULL;
1115 break;
1116 case USE_BIO_1:
1117 *res = bio1;
1118 break;
1119 case USE_BIO_2:
1120 *res = bio2;
1121 break;
1122 }
1123 }
1124
1125 static int test_ssl_set_bio(int idx)
1126 {
1127 SSL_CTX *ctx;
1128 BIO *bio1 = NULL;
1129 BIO *bio2 = NULL;
1130 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1131 SSL *ssl = NULL;
1132 int initrbio, initwbio, newrbio, newwbio;
1133 int testresult = 0;
1134
1135 initrbio = idx % 3;
1136 idx /= 3;
1137 initwbio = idx % 3;
1138 idx /= 3;
1139 newrbio = idx % 3;
1140 idx /= 3;
1141 newwbio = idx;
1142 if (!TEST_int_le(newwbio, 2))
1143 return 0;
1144
1145 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1146 || !TEST_ptr(ssl = SSL_new(ctx)))
1147 goto end;
1148
1149 if (initrbio == USE_BIO_1
1150 || initwbio == USE_BIO_1
1151 || newrbio == USE_BIO_1
1152 || newwbio == USE_BIO_1) {
1153 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1154 goto end;
1155 }
1156
1157 if (initrbio == USE_BIO_2
1158 || initwbio == USE_BIO_2
1159 || newrbio == USE_BIO_2
1160 || newwbio == USE_BIO_2) {
1161 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1162 goto end;
1163 }
1164
1165 setupbio(&irbio, bio1, bio2, initrbio);
1166 setupbio(&iwbio, bio1, bio2, initwbio);
1167
1168 /*
1169 * We want to maintain our own refs to these BIO, so do an up ref for each
1170 * BIO that will have ownership transferred in the SSL_set_bio() call
1171 */
1172 if (irbio != NULL)
1173 BIO_up_ref(irbio);
1174 if (iwbio != NULL && iwbio != irbio)
1175 BIO_up_ref(iwbio);
1176
1177 SSL_set_bio(ssl, irbio, iwbio);
1178
1179 setupbio(&nrbio, bio1, bio2, newrbio);
1180 setupbio(&nwbio, bio1, bio2, newwbio);
1181
1182 /*
1183 * We will (maybe) transfer ownership again so do more up refs.
1184 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1185 * already been set!
1186 */
1187 if (nrbio != NULL
1188 && nrbio != irbio
1189 && (nwbio != iwbio || nrbio != nwbio))
1190 BIO_up_ref(nrbio);
1191 if (nwbio != NULL
1192 && nwbio != nrbio
1193 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1194 BIO_up_ref(nwbio);
1195
1196 SSL_set_bio(ssl, nrbio, nwbio);
1197
1198 testresult = 1;
1199
1200 end:
1201 SSL_free(ssl);
1202 BIO_free(bio1);
1203 BIO_free(bio2);
1204
1205 /*
1206 * This test is checking that the ref counting for SSL_set_bio is correct.
1207 * If we get here and we did too many frees then we will fail in the above
1208 * functions. If we haven't done enough then this will only be detected in
1209 * a crypto-mdebug build
1210 */
1211 SSL_CTX_free(ctx);
1212 return testresult;
1213 }
1214
1215 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1216
1217 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1218 {
1219 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1220 SSL_CTX *ctx;
1221 SSL *ssl = NULL;
1222 int testresult = 0;
1223
1224 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1225 || !TEST_ptr(ssl = SSL_new(ctx))
1226 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1227 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1228 goto end;
1229
1230 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1231
1232 /*
1233 * If anything goes wrong here then we could leak memory, so this will
1234 * be caught in a crypto-mdebug build
1235 */
1236 BIO_push(sslbio, membio1);
1237
1238 /* Verify changing the rbio/wbio directly does not cause leaks */
1239 if (change_bio != NO_BIO_CHANGE) {
1240 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1241 goto end;
1242 if (change_bio == CHANGE_RBIO)
1243 SSL_set0_rbio(ssl, membio2);
1244 else
1245 SSL_set0_wbio(ssl, membio2);
1246 }
1247 ssl = NULL;
1248
1249 if (pop_ssl)
1250 BIO_pop(sslbio);
1251 else
1252 BIO_pop(membio1);
1253
1254 testresult = 1;
1255 end:
1256 BIO_free(membio1);
1257 BIO_free(sslbio);
1258 SSL_free(ssl);
1259 SSL_CTX_free(ctx);
1260
1261 return testresult;
1262 }
1263
1264 static int test_ssl_bio_pop_next_bio(void)
1265 {
1266 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1267 }
1268
1269 static int test_ssl_bio_pop_ssl_bio(void)
1270 {
1271 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1272 }
1273
1274 static int test_ssl_bio_change_rbio(void)
1275 {
1276 return execute_test_ssl_bio(0, CHANGE_RBIO);
1277 }
1278
1279 static int test_ssl_bio_change_wbio(void)
1280 {
1281 return execute_test_ssl_bio(0, CHANGE_WBIO);
1282 }
1283
1284 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1285 typedef struct {
1286 /* The list of sig algs */
1287 const int *list;
1288 /* The length of the list */
1289 size_t listlen;
1290 /* A sigalgs list in string format */
1291 const char *liststr;
1292 /* Whether setting the list should succeed */
1293 int valid;
1294 /* Whether creating a connection with the list should succeed */
1295 int connsuccess;
1296 } sigalgs_list;
1297
1298 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1299 # ifndef OPENSSL_NO_EC
1300 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1301 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1302 # endif
1303 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1304 static const int invalidlist2[] = {NID_sha256, NID_undef};
1305 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1306 static const int invalidlist4[] = {NID_sha256};
1307 static const sigalgs_list testsigalgs[] = {
1308 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1309 # ifndef OPENSSL_NO_EC
1310 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1311 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1312 # endif
1313 {NULL, 0, "RSA+SHA256", 1, 1},
1314 # ifndef OPENSSL_NO_EC
1315 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1316 {NULL, 0, "ECDSA+SHA512", 1, 0},
1317 # endif
1318 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1319 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1320 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1321 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1322 {NULL, 0, "RSA", 0, 0},
1323 {NULL, 0, "SHA256", 0, 0},
1324 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1325 {NULL, 0, "Invalid", 0, 0}
1326 };
1327
1328 static int test_set_sigalgs(int idx)
1329 {
1330 SSL_CTX *cctx = NULL, *sctx = NULL;
1331 SSL *clientssl = NULL, *serverssl = NULL;
1332 int testresult = 0;
1333 const sigalgs_list *curr;
1334 int testctx;
1335
1336 /* Should never happen */
1337 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1338 return 0;
1339
1340 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1341 curr = testctx ? &testsigalgs[idx]
1342 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1343
1344 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1345 TLS_client_method(), &sctx,
1346 &cctx, cert, privkey)))
1347 return 0;
1348
1349 /*
1350 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1351 * for TLSv1.2 for now until we add a new API.
1352 */
1353 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1354
1355 if (testctx) {
1356 int ret;
1357
1358 if (curr->list != NULL)
1359 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1360 else
1361 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1362
1363 if (!ret) {
1364 if (curr->valid)
1365 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1366 else
1367 testresult = 1;
1368 goto end;
1369 }
1370 if (!curr->valid) {
1371 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1372 goto end;
1373 }
1374 }
1375
1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL)))
1378 goto end;
1379
1380 if (!testctx) {
1381 int ret;
1382
1383 if (curr->list != NULL)
1384 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1385 else
1386 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1387 if (!ret) {
1388 if (curr->valid)
1389 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1390 else
1391 testresult = 1;
1392 goto end;
1393 }
1394 if (!curr->valid)
1395 goto end;
1396 }
1397
1398 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1399 SSL_ERROR_NONE),
1400 curr->connsuccess))
1401 goto end;
1402
1403 testresult = 1;
1404
1405 end:
1406 SSL_free(serverssl);
1407 SSL_free(clientssl);
1408 SSL_CTX_free(sctx);
1409 SSL_CTX_free(cctx);
1410
1411 return testresult;
1412 }
1413 #endif
1414
1415 #ifndef OPENSSL_NO_TLS1_3
1416
1417 static SSL_SESSION *clientpsk = NULL;
1418 static SSL_SESSION *serverpsk = NULL;
1419 static const char *pskid = "Identity";
1420 static const char *srvid;
1421
1422 static int use_session_cb_cnt = 0;
1423 static int find_session_cb_cnt = 0;
1424 static int psk_client_cb_cnt = 0;
1425 static int psk_server_cb_cnt = 0;
1426
1427 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1428 size_t *idlen, SSL_SESSION **sess)
1429 {
1430 switch (++use_session_cb_cnt) {
1431 case 1:
1432 /* The first call should always have a NULL md */
1433 if (md != NULL)
1434 return 0;
1435 break;
1436
1437 case 2:
1438 /* The second call should always have an md */
1439 if (md == NULL)
1440 return 0;
1441 break;
1442
1443 default:
1444 /* We should only be called a maximum of twice */
1445 return 0;
1446 }
1447
1448 if (clientpsk != NULL)
1449 SSL_SESSION_up_ref(clientpsk);
1450
1451 *sess = clientpsk;
1452 *id = (const unsigned char *)pskid;
1453 *idlen = strlen(pskid);
1454
1455 return 1;
1456 }
1457
1458 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1459 unsigned int max_id_len,
1460 unsigned char *psk,
1461 unsigned int max_psk_len)
1462 {
1463 unsigned int psklen = 0;
1464
1465 psk_client_cb_cnt++;
1466
1467 if (strlen(pskid) + 1 > max_id_len)
1468 return 0;
1469
1470 /* We should only ever be called a maximum of twice per connection */
1471 if (psk_client_cb_cnt > 2)
1472 return 0;
1473
1474 if (clientpsk == NULL)
1475 return 0;
1476
1477 /* We'll reuse the PSK we set up for TLSv1.3 */
1478 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1479 return 0;
1480 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1481 strncpy(id, pskid, max_id_len);
1482
1483 return psklen;
1484 }
1485
1486 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1487 size_t identity_len, SSL_SESSION **sess)
1488 {
1489 find_session_cb_cnt++;
1490
1491 /* We should only ever be called a maximum of twice per connection */
1492 if (find_session_cb_cnt > 2)
1493 return 0;
1494
1495 if (serverpsk == NULL)
1496 return 0;
1497
1498 /* Identity should match that set by the client */
1499 if (strlen(srvid) != identity_len
1500 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1501 /* No PSK found, continue but without a PSK */
1502 *sess = NULL;
1503 return 1;
1504 }
1505
1506 SSL_SESSION_up_ref(serverpsk);
1507 *sess = serverpsk;
1508
1509 return 1;
1510 }
1511
1512 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1513 unsigned char *psk, unsigned int max_psk_len)
1514 {
1515 unsigned int psklen = 0;
1516
1517 psk_server_cb_cnt++;
1518
1519 /* We should only ever be called a maximum of twice per connection */
1520 if (find_session_cb_cnt > 2)
1521 return 0;
1522
1523 if (serverpsk == NULL)
1524 return 0;
1525
1526 /* Identity should match that set by the client */
1527 if (strcmp(srvid, identity) != 0) {
1528 return 0;
1529 }
1530
1531 /* We'll reuse the PSK we set up for TLSv1.3 */
1532 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1533 return 0;
1534 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1535
1536 return psklen;
1537 }
1538
1539 #define MSG1 "Hello"
1540 #define MSG2 "World."
1541 #define MSG3 "This"
1542 #define MSG4 "is"
1543 #define MSG5 "a"
1544 #define MSG6 "test"
1545 #define MSG7 "message."
1546
1547 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1548 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1549
1550 /*
1551 * Helper method to setup objects for early data test. Caller frees objects on
1552 * error.
1553 */
1554 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1555 SSL **serverssl, SSL_SESSION **sess, int idx)
1556 {
1557 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1558 TLS_client_method(), sctx,
1559 cctx, cert, privkey))
1560 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1561 SSL3_RT_MAX_PLAIN_LENGTH))
1562 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1563 SSL3_RT_MAX_PLAIN_LENGTH)))
1564 return 0;
1565
1566 if (idx == 1) {
1567 /* When idx == 1 we repeat the tests with read_ahead set */
1568 SSL_CTX_set_read_ahead(*cctx, 1);
1569 SSL_CTX_set_read_ahead(*sctx, 1);
1570 } else if (idx == 2) {
1571 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1572 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1573 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1574 use_session_cb_cnt = 0;
1575 find_session_cb_cnt = 0;
1576 srvid = pskid;
1577 }
1578
1579 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1580 NULL, NULL)))
1581 return 0;
1582
1583 /*
1584 * For one of the run throughs (doesn't matter which one), we'll try sending
1585 * some SNI data in the initial ClientHello. This will be ignored (because
1586 * there is no SNI cb set up by the server), so it should not impact
1587 * early_data.
1588 */
1589 if (idx == 1
1590 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1591 return 0;
1592
1593 if (idx == 2) {
1594 /* Create the PSK */
1595 const SSL_CIPHER *cipher = NULL;
1596 const unsigned char key[] = {
1597 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1598 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1599 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1600 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1601 0x2c, 0x2d, 0x2e, 0x2f
1602 };
1603
1604 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1605 clientpsk = SSL_SESSION_new();
1606 if (!TEST_ptr(clientpsk)
1607 || !TEST_ptr(cipher)
1608 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1609 sizeof(key)))
1610 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1611 || !TEST_true(
1612 SSL_SESSION_set_protocol_version(clientpsk,
1613 TLS1_3_VERSION))
1614 /*
1615 * We just choose an arbitrary value for max_early_data which
1616 * should be big enough for testing purposes.
1617 */
1618 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1619 0x100))
1620 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1621 SSL_SESSION_free(clientpsk);
1622 clientpsk = NULL;
1623 return 0;
1624 }
1625 serverpsk = clientpsk;
1626
1627 if (sess != NULL)
1628 *sess = clientpsk;
1629 return 1;
1630 }
1631
1632 if (sess == NULL)
1633 return 1;
1634
1635 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1636 SSL_ERROR_NONE)))
1637 return 0;
1638
1639 *sess = SSL_get1_session(*clientssl);
1640 SSL_shutdown(*clientssl);
1641 SSL_shutdown(*serverssl);
1642 SSL_free(*serverssl);
1643 SSL_free(*clientssl);
1644 *serverssl = *clientssl = NULL;
1645
1646 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1647 clientssl, NULL, NULL))
1648 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1649 return 0;
1650
1651 return 1;
1652 }
1653
1654 static int test_early_data_read_write(int idx)
1655 {
1656 SSL_CTX *cctx = NULL, *sctx = NULL;
1657 SSL *clientssl = NULL, *serverssl = NULL;
1658 int testresult = 0;
1659 SSL_SESSION *sess = NULL;
1660 unsigned char buf[20], data[1024];
1661 size_t readbytes, written, eoedlen, rawread, rawwritten;
1662 BIO *rbio;
1663
1664 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1665 &serverssl, &sess, idx)))
1666 goto end;
1667
1668 /* Write and read some early data */
1669 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1670 &written))
1671 || !TEST_size_t_eq(written, strlen(MSG1))
1672 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1673 sizeof(buf), &readbytes),
1674 SSL_READ_EARLY_DATA_SUCCESS)
1675 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1676 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1677 SSL_EARLY_DATA_ACCEPTED))
1678 goto end;
1679
1680 /*
1681 * Server should be able to write data, and client should be able to
1682 * read it.
1683 */
1684 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1685 &written))
1686 || !TEST_size_t_eq(written, strlen(MSG2))
1687 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1688 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1689 goto end;
1690
1691 /* Even after reading normal data, client should be able write early data */
1692 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1693 &written))
1694 || !TEST_size_t_eq(written, strlen(MSG3)))
1695 goto end;
1696
1697 /* Server should still be able read early data after writing data */
1698 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1699 &readbytes),
1700 SSL_READ_EARLY_DATA_SUCCESS)
1701 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1702 goto end;
1703
1704 /* Write more data from server and read it from client */
1705 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1706 &written))
1707 || !TEST_size_t_eq(written, strlen(MSG4))
1708 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1709 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1710 goto end;
1711
1712 /*
1713 * If client writes normal data it should mean writing early data is no
1714 * longer possible.
1715 */
1716 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1717 || !TEST_size_t_eq(written, strlen(MSG5))
1718 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1719 SSL_EARLY_DATA_ACCEPTED))
1720 goto end;
1721
1722 /*
1723 * At this point the client has written EndOfEarlyData, ClientFinished and
1724 * normal (fully protected) data. We are going to cause a delay between the
1725 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1726 * in the read BIO, and then just put back the EndOfEarlyData message.
1727 */
1728 rbio = SSL_get_rbio(serverssl);
1729 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1730 || !TEST_size_t_lt(rawread, sizeof(data))
1731 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1732 goto end;
1733
1734 /* Record length is in the 4th and 5th bytes of the record header */
1735 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1736 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1737 || !TEST_size_t_eq(rawwritten, eoedlen))
1738 goto end;
1739
1740 /* Server should be told that there is no more early data */
1741 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1742 &readbytes),
1743 SSL_READ_EARLY_DATA_FINISH)
1744 || !TEST_size_t_eq(readbytes, 0))
1745 goto end;
1746
1747 /*
1748 * Server has not finished init yet, so should still be able to write early
1749 * data.
1750 */
1751 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1752 &written))
1753 || !TEST_size_t_eq(written, strlen(MSG6)))
1754 goto end;
1755
1756 /* Push the ClientFinished and the normal data back into the server rbio */
1757 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1758 &rawwritten))
1759 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1760 goto end;
1761
1762 /* Server should be able to read normal data */
1763 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1764 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1765 goto end;
1766
1767 /* Client and server should not be able to write/read early data now */
1768 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1769 &written)))
1770 goto end;
1771 ERR_clear_error();
1772 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1773 &readbytes),
1774 SSL_READ_EARLY_DATA_ERROR))
1775 goto end;
1776 ERR_clear_error();
1777
1778 /* Client should be able to read the data sent by the server */
1779 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1780 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1781 goto end;
1782
1783 /*
1784 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1785 * We attempt a read which we do not expect to return any data.
1786 */
1787 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1788 goto end;
1789
1790 /* Server should be able to write normal data */
1791 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1792 || !TEST_size_t_eq(written, strlen(MSG7))
1793 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1794 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1795 goto end;
1796
1797 /* We keep the PSK session around if using PSK */
1798 if (idx != 2)
1799 SSL_SESSION_free(sess);
1800 sess = SSL_get1_session(clientssl);
1801 use_session_cb_cnt = 0;
1802 find_session_cb_cnt = 0;
1803
1804 SSL_shutdown(clientssl);
1805 SSL_shutdown(serverssl);
1806 SSL_free(serverssl);
1807 SSL_free(clientssl);
1808 serverssl = clientssl = NULL;
1809 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1810 &clientssl, NULL, NULL))
1811 || !TEST_true(SSL_set_session(clientssl, sess)))
1812 goto end;
1813
1814 /* Write and read some early data */
1815 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1816 &written))
1817 || !TEST_size_t_eq(written, strlen(MSG1))
1818 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1819 &readbytes),
1820 SSL_READ_EARLY_DATA_SUCCESS)
1821 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1822 goto end;
1823
1824 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1825 || !TEST_int_gt(SSL_accept(serverssl), 0))
1826 goto end;
1827
1828 /* Client and server should not be able to write/read early data now */
1829 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1830 &written)))
1831 goto end;
1832 ERR_clear_error();
1833 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1834 &readbytes),
1835 SSL_READ_EARLY_DATA_ERROR))
1836 goto end;
1837 ERR_clear_error();
1838
1839 /* Client and server should be able to write/read normal data */
1840 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1841 || !TEST_size_t_eq(written, strlen(MSG5))
1842 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1843 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1844 goto end;
1845
1846 testresult = 1;
1847
1848 end:
1849 if (sess != clientpsk)
1850 SSL_SESSION_free(sess);
1851 SSL_SESSION_free(clientpsk);
1852 SSL_SESSION_free(serverpsk);
1853 clientpsk = serverpsk = NULL;
1854 SSL_free(serverssl);
1855 SSL_free(clientssl);
1856 SSL_CTX_free(sctx);
1857 SSL_CTX_free(cctx);
1858 return testresult;
1859 }
1860
1861 /*
1862 * Helper function to test that a server attempting to read early data can
1863 * handle a connection from a client where the early data should be skipped.
1864 */
1865 static int early_data_skip_helper(int hrr, int idx)
1866 {
1867 SSL_CTX *cctx = NULL, *sctx = NULL;
1868 SSL *clientssl = NULL, *serverssl = NULL;
1869 int testresult = 0;
1870 SSL_SESSION *sess = NULL;
1871 unsigned char buf[20];
1872 size_t readbytes, written;
1873
1874 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1875 &serverssl, &sess, idx)))
1876 goto end;
1877
1878 if (hrr) {
1879 /* Force an HRR to occur */
1880 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1881 goto end;
1882 } else if (idx == 2) {
1883 /*
1884 * We force early_data rejection by ensuring the PSK identity is
1885 * unrecognised
1886 */
1887 srvid = "Dummy Identity";
1888 } else {
1889 /*
1890 * Deliberately corrupt the creation time. We take 20 seconds off the
1891 * time. It could be any value as long as it is not within tolerance.
1892 * This should mean the ticket is rejected.
1893 */
1894 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1895 goto end;
1896 }
1897
1898 /* Write some early data */
1899 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1900 &written))
1901 || !TEST_size_t_eq(written, strlen(MSG1)))
1902 goto end;
1903
1904 /* Server should reject the early data and skip over it */
1905 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1906 &readbytes),
1907 SSL_READ_EARLY_DATA_FINISH)
1908 || !TEST_size_t_eq(readbytes, 0)
1909 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1910 SSL_EARLY_DATA_REJECTED))
1911 goto end;
1912
1913 if (hrr) {
1914 /*
1915 * Finish off the handshake. We perform the same writes and reads as
1916 * further down but we expect them to fail due to the incomplete
1917 * handshake.
1918 */
1919 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1920 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1921 &readbytes)))
1922 goto end;
1923 }
1924
1925 /* Should be able to send normal data despite rejection of early data */
1926 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1927 || !TEST_size_t_eq(written, strlen(MSG2))
1928 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1929 SSL_EARLY_DATA_REJECTED)
1930 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1931 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1932 goto end;
1933
1934 testresult = 1;
1935
1936 end:
1937 if (sess != clientpsk)
1938 SSL_SESSION_free(clientpsk);
1939 SSL_SESSION_free(serverpsk);
1940 clientpsk = serverpsk = NULL;
1941 SSL_SESSION_free(sess);
1942 SSL_free(serverssl);
1943 SSL_free(clientssl);
1944 SSL_CTX_free(sctx);
1945 SSL_CTX_free(cctx);
1946 return testresult;
1947 }
1948
1949 /*
1950 * Test that a server attempting to read early data can handle a connection
1951 * from a client where the early data is not acceptable.
1952 */
1953 static int test_early_data_skip(int idx)
1954 {
1955 return early_data_skip_helper(0, idx);
1956 }
1957
1958 /*
1959 * Test that a server attempting to read early data can handle a connection
1960 * from a client where an HRR occurs.
1961 */
1962 static int test_early_data_skip_hrr(int idx)
1963 {
1964 return early_data_skip_helper(1, idx);
1965 }
1966
1967 /*
1968 * Test that a server attempting to read early data can handle a connection
1969 * from a client that doesn't send any.
1970 */
1971 static int test_early_data_not_sent(int idx)
1972 {
1973 SSL_CTX *cctx = NULL, *sctx = NULL;
1974 SSL *clientssl = NULL, *serverssl = NULL;
1975 int testresult = 0;
1976 SSL_SESSION *sess = NULL;
1977 unsigned char buf[20];
1978 size_t readbytes, written;
1979
1980 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1981 &serverssl, &sess, idx)))
1982 goto end;
1983
1984 /* Write some data - should block due to handshake with server */
1985 SSL_set_connect_state(clientssl);
1986 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1987 goto end;
1988
1989 /* Server should detect that early data has not been sent */
1990 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1991 &readbytes),
1992 SSL_READ_EARLY_DATA_FINISH)
1993 || !TEST_size_t_eq(readbytes, 0)
1994 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1995 SSL_EARLY_DATA_NOT_SENT)
1996 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1997 SSL_EARLY_DATA_NOT_SENT))
1998 goto end;
1999
2000 /* Continue writing the message we started earlier */
2001 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2002 || !TEST_size_t_eq(written, strlen(MSG1))
2003 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2004 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2005 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2006 || !TEST_size_t_eq(written, strlen(MSG2)))
2007 goto end;
2008
2009 /*
2010 * Should block due to the NewSessionTicket arrival unless we're using
2011 * read_ahead
2012 */
2013 if (idx != 1) {
2014 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2015 goto end;
2016 }
2017
2018 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2019 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2020 goto end;
2021
2022 testresult = 1;
2023
2024 end:
2025 /* If using PSK then clientpsk and sess are the same */
2026 SSL_SESSION_free(sess);
2027 SSL_SESSION_free(serverpsk);
2028 clientpsk = serverpsk = NULL;
2029 SSL_free(serverssl);
2030 SSL_free(clientssl);
2031 SSL_CTX_free(sctx);
2032 SSL_CTX_free(cctx);
2033 return testresult;
2034 }
2035
2036 static int hostname_cb(SSL *s, int *al, void *arg)
2037 {
2038 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2039
2040 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2041 return SSL_TLSEXT_ERR_OK;
2042
2043 return SSL_TLSEXT_ERR_NOACK;
2044 }
2045
2046 static const char *servalpn;
2047
2048 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2049 unsigned char *outlen, const unsigned char *in,
2050 unsigned int inlen, void *arg)
2051 {
2052 unsigned int protlen = 0;
2053 const unsigned char *prot;
2054
2055 for (prot = in; prot < in + inlen; prot += protlen) {
2056 protlen = *prot++;
2057 if (in + inlen < prot + protlen)
2058 return SSL_TLSEXT_ERR_NOACK;
2059
2060 if (protlen == strlen(servalpn)
2061 && memcmp(prot, servalpn, protlen) == 0) {
2062 *out = prot;
2063 *outlen = protlen;
2064 return SSL_TLSEXT_ERR_OK;
2065 }
2066 }
2067
2068 return SSL_TLSEXT_ERR_NOACK;
2069 }
2070
2071 /* Test that a PSK can be used to send early_data */
2072 static int test_early_data_psk(int idx)
2073 {
2074 SSL_CTX *cctx = NULL, *sctx = NULL;
2075 SSL *clientssl = NULL, *serverssl = NULL;
2076 int testresult = 0;
2077 SSL_SESSION *sess = NULL;
2078 unsigned char alpnlist[] = {
2079 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2080 'l', 'p', 'n'
2081 };
2082 #define GOODALPNLEN 9
2083 #define BADALPNLEN 8
2084 #define GOODALPN (alpnlist)
2085 #define BADALPN (alpnlist + GOODALPNLEN)
2086 int err = 0;
2087 unsigned char buf[20];
2088 size_t readbytes, written;
2089 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2090 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2091
2092 /* We always set this up with a final parameter of "2" for PSK */
2093 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2094 &serverssl, &sess, 2)))
2095 goto end;
2096
2097 servalpn = "goodalpn";
2098
2099 /*
2100 * Note: There is no test for inconsistent SNI with late client detection.
2101 * This is because servers do not acknowledge SNI even if they are using
2102 * it in a resumption handshake - so it is not actually possible for a
2103 * client to detect a problem.
2104 */
2105 switch (idx) {
2106 case 0:
2107 /* Set inconsistent SNI (early client detection) */
2108 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2109 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2110 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2111 goto end;
2112 break;
2113
2114 case 1:
2115 /* Set inconsistent ALPN (early client detection) */
2116 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2117 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2118 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2119 GOODALPNLEN))
2120 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2121 BADALPNLEN)))
2122 goto end;
2123 break;
2124
2125 case 2:
2126 /*
2127 * Set invalid protocol version. Technically this affects PSKs without
2128 * early_data too, but we test it here because it is similar to the
2129 * SNI/ALPN consistency tests.
2130 */
2131 err = SSL_R_BAD_PSK;
2132 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2133 goto end;
2134 break;
2135
2136 case 3:
2137 /*
2138 * Set inconsistent SNI (server detected). In this case the connection
2139 * will succeed but reject early_data.
2140 */
2141 SSL_SESSION_free(serverpsk);
2142 serverpsk = SSL_SESSION_dup(clientpsk);
2143 if (!TEST_ptr(serverpsk)
2144 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2145 goto end;
2146 edstatus = SSL_EARLY_DATA_REJECTED;
2147 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2148 /* Fall through */
2149 case 4:
2150 /* Set consistent SNI */
2151 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2152 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2153 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2154 hostname_cb)))
2155 goto end;
2156 break;
2157
2158 case 5:
2159 /*
2160 * Set inconsistent ALPN (server detected). In this case the connection
2161 * will succeed but reject early_data.
2162 */
2163 servalpn = "badalpn";
2164 edstatus = SSL_EARLY_DATA_REJECTED;
2165 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2166 /* Fall through */
2167 case 6:
2168 /*
2169 * Set consistent ALPN.
2170 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2171 * accepts a list of protos (each one length prefixed).
2172 * SSL_set1_alpn_selected accepts a single protocol (not length
2173 * prefixed)
2174 */
2175 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2176 GOODALPNLEN - 1))
2177 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2178 GOODALPNLEN)))
2179 goto end;
2180
2181 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2182 break;
2183
2184 case 7:
2185 /* Set inconsistent ALPN (late client detection) */
2186 SSL_SESSION_free(serverpsk);
2187 serverpsk = SSL_SESSION_dup(clientpsk);
2188 if (!TEST_ptr(serverpsk)
2189 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2190 BADALPN + 1,
2191 BADALPNLEN - 1))
2192 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2193 GOODALPN + 1,
2194 GOODALPNLEN - 1))
2195 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2196 sizeof(alpnlist))))
2197 goto end;
2198 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2199 edstatus = SSL_EARLY_DATA_ACCEPTED;
2200 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2201 /* SSL_connect() call should fail */
2202 connectres = -1;
2203 break;
2204
2205 default:
2206 TEST_error("Bad test index");
2207 goto end;
2208 }
2209
2210 SSL_set_connect_state(clientssl);
2211 if (err != 0) {
2212 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2213 &written))
2214 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2215 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2216 goto end;
2217 } else {
2218 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2219 &written)))
2220 goto end;
2221
2222 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2223 &readbytes), readearlyres)
2224 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2225 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2226 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2227 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2228 goto end;
2229 }
2230
2231 testresult = 1;
2232
2233 end:
2234 SSL_SESSION_free(clientpsk);
2235 SSL_SESSION_free(serverpsk);
2236 clientpsk = serverpsk = NULL;
2237 SSL_free(serverssl);
2238 SSL_free(clientssl);
2239 SSL_CTX_free(sctx);
2240 SSL_CTX_free(cctx);
2241 return testresult;
2242 }
2243
2244 /*
2245 * Test that a server that doesn't try to read early data can handle a
2246 * client sending some.
2247 */
2248 static int test_early_data_not_expected(int idx)
2249 {
2250 SSL_CTX *cctx = NULL, *sctx = NULL;
2251 SSL *clientssl = NULL, *serverssl = NULL;
2252 int testresult = 0;
2253 SSL_SESSION *sess = NULL;
2254 unsigned char buf[20];
2255 size_t readbytes, written;
2256
2257 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2258 &serverssl, &sess, idx)))
2259 goto end;
2260
2261 /* Write some early data */
2262 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2263 &written)))
2264 goto end;
2265
2266 /*
2267 * Server should skip over early data and then block waiting for client to
2268 * continue handshake
2269 */
2270 if (!TEST_int_le(SSL_accept(serverssl), 0)
2271 || !TEST_int_gt(SSL_connect(clientssl), 0)
2272 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2273 SSL_EARLY_DATA_REJECTED)
2274 || !TEST_int_gt(SSL_accept(serverssl), 0)
2275 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2276 SSL_EARLY_DATA_REJECTED))
2277 goto end;
2278
2279 /* Send some normal data from client to server */
2280 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2281 || !TEST_size_t_eq(written, strlen(MSG2)))
2282 goto end;
2283
2284 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2285 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2286 goto end;
2287
2288 testresult = 1;
2289
2290 end:
2291 /* If using PSK then clientpsk and sess are the same */
2292 SSL_SESSION_free(sess);
2293 SSL_SESSION_free(serverpsk);
2294 clientpsk = serverpsk = NULL;
2295 SSL_free(serverssl);
2296 SSL_free(clientssl);
2297 SSL_CTX_free(sctx);
2298 SSL_CTX_free(cctx);
2299 return testresult;
2300 }
2301
2302
2303 # ifndef OPENSSL_NO_TLS1_2
2304 /*
2305 * Test that a server attempting to read early data can handle a connection
2306 * from a TLSv1.2 client.
2307 */
2308 static int test_early_data_tls1_2(int idx)
2309 {
2310 SSL_CTX *cctx = NULL, *sctx = NULL;
2311 SSL *clientssl = NULL, *serverssl = NULL;
2312 int testresult = 0;
2313 unsigned char buf[20];
2314 size_t readbytes, written;
2315
2316 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2317 &serverssl, NULL, idx)))
2318 goto end;
2319
2320 /* Write some data - should block due to handshake with server */
2321 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2322 SSL_set_connect_state(clientssl);
2323 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2324 goto end;
2325
2326 /*
2327 * Server should do TLSv1.2 handshake. First it will block waiting for more
2328 * messages from client after ServerDone. Then SSL_read_early_data should
2329 * finish and detect that early data has not been sent
2330 */
2331 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2332 &readbytes),
2333 SSL_READ_EARLY_DATA_ERROR))
2334 goto end;
2335
2336 /*
2337 * Continue writing the message we started earlier. Will still block waiting
2338 * for the CCS/Finished from server
2339 */
2340 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2341 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2342 &readbytes),
2343 SSL_READ_EARLY_DATA_FINISH)
2344 || !TEST_size_t_eq(readbytes, 0)
2345 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2346 SSL_EARLY_DATA_NOT_SENT))
2347 goto end;
2348
2349 /* Continue writing the message we started earlier */
2350 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2351 || !TEST_size_t_eq(written, strlen(MSG1))
2352 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2353 SSL_EARLY_DATA_NOT_SENT)
2354 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2355 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2356 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2357 || !TEST_size_t_eq(written, strlen(MSG2))
2358 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2359 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2360 goto end;
2361
2362 testresult = 1;
2363
2364 end:
2365 /* If using PSK then clientpsk and sess are the same */
2366 SSL_SESSION_free(clientpsk);
2367 SSL_SESSION_free(serverpsk);
2368 clientpsk = serverpsk = NULL;
2369 SSL_free(serverssl);
2370 SSL_free(clientssl);
2371 SSL_CTX_free(sctx);
2372 SSL_CTX_free(cctx);
2373
2374 return testresult;
2375 }
2376 # endif /* OPENSSL_NO_TLS1_2 */
2377
2378 static int test_ciphersuite_change(void)
2379 {
2380 SSL_CTX *cctx = NULL, *sctx = NULL;
2381 SSL *clientssl = NULL, *serverssl = NULL;
2382 SSL_SESSION *clntsess = NULL;
2383 int testresult = 0;
2384 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2385
2386 /* Create a session based on SHA-256 */
2387 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2388 TLS_client_method(), &sctx,
2389 &cctx, cert, privkey))
2390 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2391 "TLS_AES_128_GCM_SHA256"))
2392 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2393 &clientssl, NULL, NULL))
2394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2395 SSL_ERROR_NONE)))
2396 goto end;
2397
2398 clntsess = SSL_get1_session(clientssl);
2399 /* Save for later */
2400 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2401 SSL_shutdown(clientssl);
2402 SSL_shutdown(serverssl);
2403 SSL_free(serverssl);
2404 SSL_free(clientssl);
2405 serverssl = clientssl = NULL;
2406
2407 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2408 /* Check we can resume a session with a different SHA-256 ciphersuite */
2409 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2410 "TLS_CHACHA20_POLY1305_SHA256"))
2411 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2412 NULL, NULL))
2413 || !TEST_true(SSL_set_session(clientssl, clntsess))
2414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2415 SSL_ERROR_NONE))
2416 || !TEST_true(SSL_session_reused(clientssl)))
2417 goto end;
2418
2419 SSL_SESSION_free(clntsess);
2420 clntsess = SSL_get1_session(clientssl);
2421 SSL_shutdown(clientssl);
2422 SSL_shutdown(serverssl);
2423 SSL_free(serverssl);
2424 SSL_free(clientssl);
2425 serverssl = clientssl = NULL;
2426 # endif
2427
2428 /*
2429 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2430 * succeeds but does not resume.
2431 */
2432 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2433 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2434 NULL, NULL))
2435 || !TEST_true(SSL_set_session(clientssl, clntsess))
2436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2437 SSL_ERROR_SSL))
2438 || !TEST_false(SSL_session_reused(clientssl)))
2439 goto end;
2440
2441 SSL_SESSION_free(clntsess);
2442 clntsess = NULL;
2443 SSL_shutdown(clientssl);
2444 SSL_shutdown(serverssl);
2445 SSL_free(serverssl);
2446 SSL_free(clientssl);
2447 serverssl = clientssl = NULL;
2448
2449 /* Create a session based on SHA384 */
2450 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2451 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2452 &clientssl, NULL, NULL))
2453 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2454 SSL_ERROR_NONE)))
2455 goto end;
2456
2457 clntsess = SSL_get1_session(clientssl);
2458 SSL_shutdown(clientssl);
2459 SSL_shutdown(serverssl);
2460 SSL_free(serverssl);
2461 SSL_free(clientssl);
2462 serverssl = clientssl = NULL;
2463
2464 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2465 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2466 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2467 "TLS_AES_256_GCM_SHA384"))
2468 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2469 NULL, NULL))
2470 || !TEST_true(SSL_set_session(clientssl, clntsess))
2471 /*
2472 * We use SSL_ERROR_WANT_READ below so that we can pause the
2473 * connection after the initial ClientHello has been sent to
2474 * enable us to make some session changes.
2475 */
2476 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2477 SSL_ERROR_WANT_READ)))
2478 goto end;
2479
2480 /* Trick the client into thinking this session is for a different digest */
2481 clntsess->cipher = aes_128_gcm_sha256;
2482 clntsess->cipher_id = clntsess->cipher->id;
2483
2484 /*
2485 * Continue the previously started connection. Server has selected a SHA-384
2486 * ciphersuite, but client thinks the session is for SHA-256, so it should
2487 * bail out.
2488 */
2489 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_SSL))
2491 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2492 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2493 goto end;
2494
2495 testresult = 1;
2496
2497 end:
2498 SSL_SESSION_free(clntsess);
2499 SSL_free(serverssl);
2500 SSL_free(clientssl);
2501 SSL_CTX_free(sctx);
2502 SSL_CTX_free(cctx);
2503
2504 return testresult;
2505 }
2506
2507 static int test_tls13_psk(int idx)
2508 {
2509 SSL_CTX *sctx = NULL, *cctx = NULL;
2510 SSL *serverssl = NULL, *clientssl = NULL;
2511 const SSL_CIPHER *cipher = NULL;
2512 const unsigned char key[] = {
2513 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2514 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2515 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2516 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2517 };
2518 int testresult = 0;
2519
2520 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2521 TLS_client_method(), &sctx,
2522 &cctx, cert, privkey)))
2523 goto end;
2524
2525 /*
2526 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2527 * which will always default to SHA256
2528 */
2529 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2530 goto end;
2531
2532 /*
2533 * Test 0: New style callbacks only
2534 * Test 1: New and old style callbacks (only the new ones should be used)
2535 * Test 2: Old style callbacks only
2536 */
2537 if (idx == 0 || idx == 1) {
2538 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2539 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2540 }
2541 if (idx == 1 || idx == 2) {
2542 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2543 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2544 }
2545 srvid = pskid;
2546 use_session_cb_cnt = 0;
2547 find_session_cb_cnt = 0;
2548 psk_client_cb_cnt = 0;
2549 psk_server_cb_cnt = 0;
2550
2551 /* Check we can create a connection if callback decides not to send a PSK */
2552 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2553 NULL, NULL))
2554 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2555 SSL_ERROR_NONE))
2556 || !TEST_false(SSL_session_reused(clientssl))
2557 || !TEST_false(SSL_session_reused(serverssl)))
2558 goto end;
2559
2560 if (idx == 0 || idx == 1) {
2561 if (!TEST_true(use_session_cb_cnt == 1)
2562 || !TEST_true(find_session_cb_cnt == 0)
2563 /*
2564 * If no old style callback then below should be 0
2565 * otherwise 1
2566 */
2567 || !TEST_true(psk_client_cb_cnt == idx)
2568 || !TEST_true(psk_server_cb_cnt == 0))
2569 goto end;
2570 } else {
2571 if (!TEST_true(use_session_cb_cnt == 0)
2572 || !TEST_true(find_session_cb_cnt == 0)
2573 || !TEST_true(psk_client_cb_cnt == 1)
2574 || !TEST_true(psk_server_cb_cnt == 0))
2575 goto end;
2576 }
2577
2578 shutdown_ssl_connection(serverssl, clientssl);
2579 serverssl = clientssl = NULL;
2580 use_session_cb_cnt = psk_client_cb_cnt = 0;
2581
2582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2583 NULL, NULL)))
2584 goto end;
2585
2586 /* Create the PSK */
2587 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2588 clientpsk = SSL_SESSION_new();
2589 if (!TEST_ptr(clientpsk)
2590 || !TEST_ptr(cipher)
2591 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2592 sizeof(key)))
2593 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2594 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2595 TLS1_3_VERSION))
2596 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2597 goto end;
2598 serverpsk = clientpsk;
2599
2600 /* Check we can create a connection and the PSK is used */
2601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2602 || !TEST_true(SSL_session_reused(clientssl))
2603 || !TEST_true(SSL_session_reused(serverssl)))
2604 goto end;
2605
2606 if (idx == 0 || idx == 1) {
2607 if (!TEST_true(use_session_cb_cnt == 1)
2608 || !TEST_true(find_session_cb_cnt == 1)
2609 || !TEST_true(psk_client_cb_cnt == 0)
2610 || !TEST_true(psk_server_cb_cnt == 0))
2611 goto end;
2612 } else {
2613 if (!TEST_true(use_session_cb_cnt == 0)
2614 || !TEST_true(find_session_cb_cnt == 0)
2615 || !TEST_true(psk_client_cb_cnt == 1)
2616 || !TEST_true(psk_server_cb_cnt == 1))
2617 goto end;
2618 }
2619
2620 shutdown_ssl_connection(serverssl, clientssl);
2621 serverssl = clientssl = NULL;
2622 use_session_cb_cnt = find_session_cb_cnt = 0;
2623 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2624
2625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2626 NULL, NULL)))
2627 goto end;
2628
2629 /* Force an HRR */
2630 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2631 goto end;
2632
2633 /*
2634 * Check we can create a connection, the PSK is used and the callbacks are
2635 * called twice.
2636 */
2637 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2638 || !TEST_true(SSL_session_reused(clientssl))
2639 || !TEST_true(SSL_session_reused(serverssl)))
2640 goto end;
2641
2642 if (idx == 0 || idx == 1) {
2643 if (!TEST_true(use_session_cb_cnt == 2)
2644 || !TEST_true(find_session_cb_cnt == 2)
2645 || !TEST_true(psk_client_cb_cnt == 0)
2646 || !TEST_true(psk_server_cb_cnt == 0))
2647 goto end;
2648 } else {
2649 if (!TEST_true(use_session_cb_cnt == 0)
2650 || !TEST_true(find_session_cb_cnt == 0)
2651 || !TEST_true(psk_client_cb_cnt == 2)
2652 || !TEST_true(psk_server_cb_cnt == 2))
2653 goto end;
2654 }
2655
2656 shutdown_ssl_connection(serverssl, clientssl);
2657 serverssl = clientssl = NULL;
2658 use_session_cb_cnt = find_session_cb_cnt = 0;
2659 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2660
2661 /*
2662 * Check that if the server rejects the PSK we can still connect, but with
2663 * a full handshake
2664 */
2665 srvid = "Dummy Identity";
2666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2667 NULL, NULL))
2668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2669 SSL_ERROR_NONE))
2670 || !TEST_false(SSL_session_reused(clientssl))
2671 || !TEST_false(SSL_session_reused(serverssl)))
2672 goto end;
2673
2674 if (idx == 0 || idx == 1) {
2675 if (!TEST_true(use_session_cb_cnt == 1)
2676 || !TEST_true(find_session_cb_cnt == 1)
2677 || !TEST_true(psk_client_cb_cnt == 0)
2678 /*
2679 * If no old style callback then below should be 0
2680 * otherwise 1
2681 */
2682 || !TEST_true(psk_server_cb_cnt == idx))
2683 goto end;
2684 } else {
2685 if (!TEST_true(use_session_cb_cnt == 0)
2686 || !TEST_true(find_session_cb_cnt == 0)
2687 || !TEST_true(psk_client_cb_cnt == 1)
2688 || !TEST_true(psk_server_cb_cnt == 1))
2689 goto end;
2690 }
2691
2692 shutdown_ssl_connection(serverssl, clientssl);
2693 serverssl = clientssl = NULL;
2694 testresult = 1;
2695
2696 end:
2697 SSL_SESSION_free(clientpsk);
2698 SSL_SESSION_free(serverpsk);
2699 clientpsk = serverpsk = NULL;
2700 SSL_free(serverssl);
2701 SSL_free(clientssl);
2702 SSL_CTX_free(sctx);
2703 SSL_CTX_free(cctx);
2704 return testresult;
2705 }
2706
2707 static unsigned char cookie_magic_value[] = "cookie magic";
2708
2709 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2710 unsigned int *cookie_len)
2711 {
2712 /*
2713 * Not suitable as a real cookie generation function but good enough for
2714 * testing!
2715 */
2716 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2717 *cookie_len = sizeof(cookie_magic_value) - 1;
2718
2719 return 1;
2720 }
2721
2722 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2723 unsigned int cookie_len)
2724 {
2725 if (cookie_len == sizeof(cookie_magic_value) - 1
2726 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2727 return 1;
2728
2729 return 0;
2730 }
2731
2732 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2733 size_t *cookie_len)
2734 {
2735 unsigned int temp;
2736 int res = generate_cookie_callback(ssl, cookie, &temp);
2737 *cookie_len = temp;
2738 return res;
2739 }
2740
2741 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2742 size_t cookie_len)
2743 {
2744 return verify_cookie_callback(ssl, cookie, cookie_len);
2745 }
2746
2747 static int test_stateless(void)
2748 {
2749 SSL_CTX *sctx = NULL, *cctx = NULL;
2750 SSL *serverssl = NULL, *clientssl = NULL;
2751 int testresult = 0;
2752
2753 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2754 TLS_client_method(), &sctx,
2755 &cctx, cert, privkey)))
2756 goto end;
2757
2758 /* The arrival of CCS messages can confuse the test */
2759 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2760
2761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2762 NULL, NULL))
2763 /* Send the first ClientHello */
2764 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2765 SSL_ERROR_WANT_READ))
2766 /*
2767 * This should fail with a -1 return because we have no callbacks
2768 * set up
2769 */
2770 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2771 goto end;
2772
2773 /* Fatal error so abandon the connection from this client */
2774 SSL_free(clientssl);
2775 clientssl = NULL;
2776
2777 /* Set up the cookie generation and verification callbacks */
2778 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2779 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
2780
2781 /*
2782 * Create a new connection from the client (we can reuse the server SSL
2783 * object).
2784 */
2785 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2786 NULL, NULL))
2787 /* Send the first ClientHello */
2788 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2789 SSL_ERROR_WANT_READ))
2790 /* This should fail because there is no cookie */
2791 || !TEST_int_eq(SSL_stateless(serverssl), 0))
2792 goto end;
2793
2794 /* Abandon the connection from this client */
2795 SSL_free(clientssl);
2796 clientssl = NULL;
2797
2798 /*
2799 * Now create a connection from a new client but with the same server SSL
2800 * object
2801 */
2802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2803 NULL, NULL))
2804 /* Send the first ClientHello */
2805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2806 SSL_ERROR_WANT_READ))
2807 /* This should fail because there is no cookie */
2808 || !TEST_int_eq(SSL_stateless(serverssl), 0)
2809 /* Send the second ClientHello */
2810 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2811 SSL_ERROR_WANT_READ))
2812 /* This should succeed because a cookie is now present */
2813 || !TEST_int_eq(SSL_stateless(serverssl), 1)
2814 /* Complete the connection */
2815 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2816 SSL_ERROR_NONE)))
2817 goto end;
2818
2819 shutdown_ssl_connection(serverssl, clientssl);
2820 serverssl = clientssl = NULL;
2821 testresult = 1;
2822
2823 end:
2824 SSL_free(serverssl);
2825 SSL_free(clientssl);
2826 SSL_CTX_free(sctx);
2827 SSL_CTX_free(cctx);
2828 return testresult;
2829
2830 }
2831 #endif /* OPENSSL_NO_TLS1_3 */
2832
2833 static int clntaddoldcb = 0;
2834 static int clntparseoldcb = 0;
2835 static int srvaddoldcb = 0;
2836 static int srvparseoldcb = 0;
2837 static int clntaddnewcb = 0;
2838 static int clntparsenewcb = 0;
2839 static int srvaddnewcb = 0;
2840 static int srvparsenewcb = 0;
2841 static int snicb = 0;
2842
2843 #define TEST_EXT_TYPE1 0xff00
2844
2845 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2846 size_t *outlen, int *al, void *add_arg)
2847 {
2848 int *server = (int *)add_arg;
2849 unsigned char *data;
2850
2851 if (SSL_is_server(s))
2852 srvaddoldcb++;
2853 else
2854 clntaddoldcb++;
2855
2856 if (*server != SSL_is_server(s)
2857 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2858 return -1;
2859
2860 *data = 1;
2861 *out = data;
2862 *outlen = sizeof(char);
2863 return 1;
2864 }
2865
2866 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2867 void *add_arg)
2868 {
2869 OPENSSL_free((unsigned char *)out);
2870 }
2871
2872 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2873 size_t inlen, int *al, void *parse_arg)
2874 {
2875 int *server = (int *)parse_arg;
2876
2877 if (SSL_is_server(s))
2878 srvparseoldcb++;
2879 else
2880 clntparseoldcb++;
2881
2882 if (*server != SSL_is_server(s)
2883 || inlen != sizeof(char)
2884 || *in != 1)
2885 return -1;
2886
2887 return 1;
2888 }
2889
2890 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2891 const unsigned char **out, size_t *outlen, X509 *x,
2892 size_t chainidx, int *al, void *add_arg)
2893 {
2894 int *server = (int *)add_arg;
2895 unsigned char *data;
2896
2897 if (SSL_is_server(s))
2898 srvaddnewcb++;
2899 else
2900 clntaddnewcb++;
2901
2902 if (*server != SSL_is_server(s)
2903 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2904 return -1;
2905
2906 *data = 1;
2907 *out = data;
2908 *outlen = sizeof(*data);
2909 return 1;
2910 }
2911
2912 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2913 const unsigned char *out, void *add_arg)
2914 {
2915 OPENSSL_free((unsigned char *)out);
2916 }
2917
2918 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2919 const unsigned char *in, size_t inlen, X509 *x,
2920 size_t chainidx, int *al, void *parse_arg)
2921 {
2922 int *server = (int *)parse_arg;
2923
2924 if (SSL_is_server(s))
2925 srvparsenewcb++;
2926 else
2927 clntparsenewcb++;
2928
2929 if (*server != SSL_is_server(s)
2930 || inlen != sizeof(char) || *in != 1)
2931 return -1;
2932
2933 return 1;
2934 }
2935
2936 static int sni_cb(SSL *s, int *al, void *arg)
2937 {
2938 SSL_CTX *ctx = (SSL_CTX *)arg;
2939
2940 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2941 *al = SSL_AD_INTERNAL_ERROR;
2942 return SSL_TLSEXT_ERR_ALERT_FATAL;
2943 }
2944 snicb++;
2945 return SSL_TLSEXT_ERR_OK;
2946 }
2947
2948 /*
2949 * Custom call back tests.
2950 * Test 0: Old style callbacks in TLSv1.2
2951 * Test 1: New style callbacks in TLSv1.2
2952 * Test 2: New style callbacks in TLSv1.2 with SNI
2953 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2954 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2955 */
2956 static int test_custom_exts(int tst)
2957 {
2958 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2959 SSL *clientssl = NULL, *serverssl = NULL;
2960 int testresult = 0;
2961 static int server = 1;
2962 static int client = 0;
2963 SSL_SESSION *sess = NULL;
2964 unsigned int context;
2965
2966 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2967 /* Skip tests for TLSv1.2 and below in this case */
2968 if (tst < 3)
2969 return 1;
2970 #endif
2971
2972 /* Reset callback counters */
2973 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2974 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2975 snicb = 0;
2976
2977 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2978 TLS_client_method(), &sctx,
2979 &cctx, cert, privkey)))
2980 goto end;
2981
2982 if (tst == 2
2983 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2984 NULL, cert, privkey)))
2985 goto end;
2986
2987
2988 if (tst < 3) {
2989 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2990 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2991 if (sctx2 != NULL)
2992 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2993 }
2994
2995 if (tst == 4) {
2996 context = SSL_EXT_CLIENT_HELLO
2997 | SSL_EXT_TLS1_2_SERVER_HELLO
2998 | SSL_EXT_TLS1_3_SERVER_HELLO
2999 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3000 | SSL_EXT_TLS1_3_CERTIFICATE
3001 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3002 } else {
3003 context = SSL_EXT_CLIENT_HELLO
3004 | SSL_EXT_TLS1_2_SERVER_HELLO
3005 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3006 }
3007
3008 /* Create a client side custom extension */
3009 if (tst == 0) {
3010 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3011 old_add_cb, old_free_cb,
3012 &client, old_parse_cb,
3013 &client)))
3014 goto end;
3015 } else {
3016 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3017 new_add_cb, new_free_cb,
3018 &client, new_parse_cb, &client)))
3019 goto end;
3020 }
3021
3022 /* Should not be able to add duplicates */
3023 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3024 old_add_cb, old_free_cb,
3025 &client, old_parse_cb,
3026 &client))
3027 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3028 context, new_add_cb,
3029 new_free_cb, &client,
3030 new_parse_cb, &client)))
3031 goto end;
3032
3033 /* Create a server side custom extension */
3034 if (tst == 0) {
3035 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3036 old_add_cb, old_free_cb,
3037 &server, old_parse_cb,
3038 &server)))
3039 goto end;
3040 } else {
3041 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3042 new_add_cb, new_free_cb,
3043 &server, new_parse_cb, &server)))
3044 goto end;
3045 if (sctx2 != NULL
3046 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3047 context, new_add_cb,
3048 new_free_cb, &server,
3049 new_parse_cb, &server)))
3050 goto end;
3051 }
3052
3053 /* Should not be able to add duplicates */
3054 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3055 old_add_cb, old_free_cb,
3056 &server, old_parse_cb,
3057 &server))
3058 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3059 context, new_add_cb,
3060 new_free_cb, &server,
3061 new_parse_cb, &server)))
3062 goto end;
3063
3064 if (tst == 2) {
3065 /* Set up SNI */
3066 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3067 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3068 goto end;
3069 }
3070
3071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3072 &clientssl, NULL, NULL))
3073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3074 SSL_ERROR_NONE)))
3075 goto end;
3076
3077 if (tst == 0) {
3078 if (clntaddoldcb != 1
3079 || clntparseoldcb != 1
3080 || srvaddoldcb != 1
3081 || srvparseoldcb != 1)
3082 goto end;
3083 } else if (tst == 1 || tst == 2 || tst == 3) {
3084 if (clntaddnewcb != 1
3085 || clntparsenewcb != 1
3086 || srvaddnewcb != 1
3087 || srvparsenewcb != 1
3088 || (tst != 2 && snicb != 0)
3089 || (tst == 2 && snicb != 1))
3090 goto end;
3091 } else {
3092 if (clntaddnewcb != 1
3093 || clntparsenewcb != 4
3094 || srvaddnewcb != 4
3095 || srvparsenewcb != 1)
3096 goto end;
3097 }
3098
3099 sess = SSL_get1_session(clientssl);
3100 SSL_shutdown(clientssl);
3101 SSL_shutdown(serverssl);
3102 SSL_free(serverssl);
3103 SSL_free(clientssl);
3104 serverssl = clientssl = NULL;
3105
3106 if (tst == 3) {
3107 /* We don't bother with the resumption aspects for this test */
3108 testresult = 1;
3109 goto end;
3110 }
3111
3112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3113 NULL, NULL))
3114 || !TEST_true(SSL_set_session(clientssl, sess))
3115 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3116 SSL_ERROR_NONE)))
3117 goto end;
3118
3119 /*
3120 * For a resumed session we expect to add the ClientHello extension. For the
3121 * old style callbacks we ignore it on the server side because they set
3122 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3123 * them.
3124 */
3125 if (tst == 0) {
3126 if (clntaddoldcb != 2
3127 || clntparseoldcb != 1
3128 || srvaddoldcb != 1
3129 || srvparseoldcb != 1)
3130 goto end;
3131 } else if (tst == 1 || tst == 2 || tst == 3) {
3132 if (clntaddnewcb != 2
3133 || clntparsenewcb != 2
3134 || srvaddnewcb != 2
3135 || srvparsenewcb != 2)
3136 goto end;
3137 } else {
3138 /* No Certificate message extensions in the resumption handshake */
3139 if (clntaddnewcb != 2
3140 || clntparsenewcb != 7
3141 || srvaddnewcb != 7
3142 || srvparsenewcb != 2)
3143 goto end;
3144 }
3145
3146 testresult = 1;
3147
3148 end:
3149 SSL_SESSION_free(sess);
3150 SSL_free(serverssl);
3151 SSL_free(clientssl);
3152 SSL_CTX_free(sctx2);
3153 SSL_CTX_free(sctx);
3154 SSL_CTX_free(cctx);
3155 return testresult;
3156 }
3157
3158 /*
3159 * Test loading of serverinfo data in various formats. test_sslmessages actually
3160 * tests to make sure the extensions appear in the handshake
3161 */
3162 static int test_serverinfo(int tst)
3163 {
3164 unsigned int version;
3165 unsigned char *sibuf;
3166 size_t sibuflen;
3167 int ret, expected, testresult = 0;
3168 SSL_CTX *ctx;
3169
3170 ctx = SSL_CTX_new(TLS_method());
3171 if (!TEST_ptr(ctx))
3172 goto end;
3173
3174 if ((tst & 0x01) == 0x01)
3175 version = SSL_SERVERINFOV2;
3176 else
3177 version = SSL_SERVERINFOV1;
3178
3179 if ((tst & 0x02) == 0x02) {
3180 sibuf = serverinfov2;
3181 sibuflen = sizeof(serverinfov2);
3182 expected = (version == SSL_SERVERINFOV2);
3183 } else {
3184 sibuf = serverinfov1;
3185 sibuflen = sizeof(serverinfov1);
3186 expected = (version == SSL_SERVERINFOV1);
3187 }
3188
3189 if ((tst & 0x04) == 0x04) {
3190 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3191 } else {
3192 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3193
3194 /*
3195 * The version variable is irrelevant in this case - it's what is in the
3196 * buffer that matters
3197 */
3198 if ((tst & 0x02) == 0x02)
3199 expected = 0;
3200 else
3201 expected = 1;
3202 }
3203
3204 if (!TEST_true(ret == expected))
3205 goto end;
3206
3207 testresult = 1;
3208
3209 end:
3210 SSL_CTX_free(ctx);
3211
3212 return testresult;
3213 }
3214
3215 /*
3216 * Test that SSL_export_keying_material() produces expected results. There are
3217 * no test vectors so all we do is test that both sides of the communication
3218 * produce the same results for different protocol versions.
3219 */
3220 static int test_export_key_mat(int tst)
3221 {
3222 int testresult = 0;
3223 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3224 SSL *clientssl = NULL, *serverssl = NULL;
3225 const char label[] = "test label";
3226 const unsigned char context[] = "context";
3227 const unsigned char *emptycontext = NULL;
3228 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3229 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3230 const int protocols[] = {
3231 TLS1_VERSION,
3232 TLS1_1_VERSION,
3233 TLS1_2_VERSION,
3234 TLS1_3_VERSION
3235 };
3236
3237 #ifdef OPENSSL_NO_TLS1
3238 if (tst == 0)
3239 return 1;
3240 #endif
3241 #ifdef OPENSSL_NO_TLS1_1
3242 if (tst == 1)
3243 return 1;
3244 #endif
3245 #ifdef OPENSSL_NO_TLS1_2
3246 if (tst == 2)
3247 return 1;
3248 #endif
3249 #ifdef OPENSSL_NO_TLS1_3
3250 if (tst == 3)
3251 return 1;
3252 #endif
3253 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3254 TLS_client_method(), &sctx,
3255 &cctx, cert, privkey)))
3256 goto end;
3257
3258 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3259 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3260 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3261
3262 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3263 NULL))
3264 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3265 SSL_ERROR_NONE)))
3266 goto end;
3267
3268 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3269 sizeof(ckeymat1), label,
3270 sizeof(label) - 1, context,
3271 sizeof(context) - 1, 1), 1)
3272 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3273 sizeof(ckeymat2), label,
3274 sizeof(label) - 1,
3275 emptycontext,
3276 0, 1), 1)
3277 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3278 sizeof(ckeymat3), label,
3279 sizeof(label) - 1,
3280 NULL, 0, 0), 1)
3281 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3282 sizeof(skeymat1), label,
3283 sizeof(label) - 1,
3284 context,
3285 sizeof(context) -1, 1),
3286 1)
3287 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3288 sizeof(skeymat2), label,
3289 sizeof(label) - 1,
3290 emptycontext,
3291 0, 1), 1)
3292 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3293 sizeof(skeymat3), label,
3294 sizeof(label) - 1,
3295 NULL, 0, 0), 1)
3296 /*
3297 * Check that both sides created the same key material with the
3298 * same context.
3299 */
3300 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3301 sizeof(skeymat1))
3302 /*
3303 * Check that both sides created the same key material with an
3304 * empty context.
3305 */
3306 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3307 sizeof(skeymat2))
3308 /*
3309 * Check that both sides created the same key material without a
3310 * context.
3311 */
3312 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3313 sizeof(skeymat3))
3314 /* Different contexts should produce different results */
3315 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3316 sizeof(ckeymat2)))
3317 goto end;
3318
3319 /*
3320 * Check that an empty context and no context produce different results in
3321 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3322 */
3323 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3324 sizeof(ckeymat3)))
3325 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3326 sizeof(ckeymat3))))
3327 goto end;
3328
3329 testresult = 1;
3330
3331 end:
3332 SSL_free(serverssl);
3333 SSL_free(clientssl);
3334 SSL_CTX_free(sctx2);
3335 SSL_CTX_free(sctx);
3336 SSL_CTX_free(cctx);
3337
3338 return testresult;
3339 }
3340
3341 #ifndef OPENSSL_NO_TLS1_3
3342 /*
3343 * Test that SSL_export_keying_material_early() produces expected
3344 * results. There are no test vectors so all we do is test that both
3345 * sides of the communication produce the same results for different
3346 * protocol versions.
3347 */
3348 static int test_export_key_mat_early(int idx)
3349 {
3350 static const char label[] = "test label";
3351 static const unsigned char context[] = "context";
3352 int testresult = 0;
3353 SSL_CTX *cctx = NULL, *sctx = NULL;
3354 SSL *clientssl = NULL, *serverssl = NULL;
3355 SSL_SESSION *sess = NULL;
3356 const unsigned char *emptycontext = NULL;
3357 unsigned char ckeymat1[80], ckeymat2[80];
3358 unsigned char skeymat1[80], skeymat2[80];
3359 unsigned char buf[1];
3360 size_t readbytes, written;
3361
3362 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3363 &sess, idx)))
3364 goto end;
3365
3366 /* Here writing 0 length early data is enough. */
3367 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3368 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3369 &readbytes),
3370 SSL_READ_EARLY_DATA_ERROR)
3371 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3372 SSL_EARLY_DATA_ACCEPTED))
3373 goto end;
3374
3375 if (!TEST_int_eq(SSL_export_keying_material_early(
3376 clientssl, ckeymat1, sizeof(ckeymat1), label,
3377 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3378 || !TEST_int_eq(SSL_export_keying_material_early(
3379 clientssl, ckeymat2, sizeof(ckeymat2), label,
3380 sizeof(label) - 1, emptycontext, 0), 1)
3381 || !TEST_int_eq(SSL_export_keying_material_early(
3382 serverssl, skeymat1, sizeof(skeymat1), label,
3383 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3384 || !TEST_int_eq(SSL_export_keying_material_early(
3385 serverssl, skeymat2, sizeof(skeymat2), label,
3386 sizeof(label) - 1, emptycontext, 0), 1)
3387 /*
3388 * Check that both sides created the same key material with the
3389 * same context.
3390 */
3391 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3392 sizeof(skeymat1))
3393 /*
3394 * Check that both sides created the same key material with an
3395 * empty context.
3396 */
3397 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3398 sizeof(skeymat2))
3399 /* Different contexts should produce different results */
3400 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3401 sizeof(ckeymat2)))
3402 goto end;
3403
3404 testresult = 1;
3405
3406 end:
3407 if (sess != clientpsk)
3408 SSL_SESSION_free(sess);
3409 SSL_SESSION_free(clientpsk);
3410 SSL_SESSION_free(serverpsk);
3411 clientpsk = serverpsk = NULL;
3412 SSL_free(serverssl);
3413 SSL_free(clientssl);
3414 SSL_CTX_free(sctx);
3415 SSL_CTX_free(cctx);
3416
3417 return testresult;
3418 }
3419 #endif /* OPENSSL_NO_TLS1_3 */
3420
3421 static int test_ssl_clear(int idx)
3422 {
3423 SSL_CTX *cctx = NULL, *sctx = NULL;
3424 SSL *clientssl = NULL, *serverssl = NULL;
3425 int testresult = 0;
3426
3427 #ifdef OPENSSL_NO_TLS1_2
3428 if (idx == 1)
3429 return 1;
3430 #endif
3431
3432 /* Create an initial connection */
3433 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3434 TLS_client_method(), &sctx,
3435 &cctx, cert, privkey))
3436 || (idx == 1
3437 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3438 TLS1_2_VERSION)))
3439 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3440 &clientssl, NULL, NULL))
3441 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3442 SSL_ERROR_NONE)))
3443 goto end;
3444
3445 SSL_shutdown(clientssl);
3446 SSL_shutdown(serverssl);
3447 SSL_free(serverssl);
3448 serverssl = NULL;
3449
3450 /* Clear clientssl - we're going to reuse the object */
3451 if (!TEST_true(SSL_clear(clientssl)))
3452 goto end;
3453
3454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3455 NULL, NULL))
3456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3457 SSL_ERROR_NONE))
3458 || !TEST_true(SSL_session_reused(clientssl)))
3459 goto end;
3460
3461 SSL_shutdown(clientssl);
3462 SSL_shutdown(serverssl);
3463
3464 testresult = 1;
3465
3466 end:
3467 SSL_free(serverssl);
3468 SSL_free(clientssl);
3469 SSL_CTX_free(sctx);
3470 SSL_CTX_free(cctx);
3471
3472 return testresult;
3473 }
3474
3475 /* Parse CH and retrieve any MFL extension value if present */
3476 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3477 {
3478 long len;
3479 unsigned char *data;
3480 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3481 unsigned int MFL_code = 0, type = 0;
3482
3483 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3484 goto end;
3485
3486 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3487 /* Skip the record header */
3488 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3489 /* Skip the handshake message header */
3490 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3491 /* Skip client version and random */
3492 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3493 + SSL3_RANDOM_SIZE))
3494 /* Skip session id */
3495 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3496 /* Skip ciphers */
3497 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3498 /* Skip compression */
3499 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3500 /* Extensions len */
3501 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3502 goto end;
3503
3504 /* Loop through all extensions */
3505 while (PACKET_remaining(&pkt2)) {
3506 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3507 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3508 goto end;
3509
3510 if (type == TLSEXT_TYPE_max_fragment_length) {
3511 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3512 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3513 goto end;
3514
3515 *mfl_codemfl_code = MFL_code;
3516 return 1;
3517 }
3518 }
3519
3520 end:
3521 return 0;
3522 }
3523
3524 /* Maximum-Fragment-Length TLS extension mode to test */
3525 static const unsigned char max_fragment_len_test[] = {
3526 TLSEXT_max_fragment_length_512,
3527 TLSEXT_max_fragment_length_1024,
3528 TLSEXT_max_fragment_length_2048,
3529 TLSEXT_max_fragment_length_4096
3530 };
3531
3532 static int test_max_fragment_len_ext(int idx_tst)
3533 {
3534 SSL_CTX *ctx;
3535 SSL *con = NULL;
3536 int testresult = 0, MFL_mode = 0;
3537 BIO *rbio, *wbio;
3538
3539 ctx = SSL_CTX_new(TLS_method());
3540 if (!TEST_ptr(ctx))
3541 goto end;
3542
3543 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3544 ctx, max_fragment_len_test[idx_tst])))
3545 goto end;
3546
3547 con = SSL_new(ctx);
3548 if (!TEST_ptr(con))
3549 goto end;
3550
3551 rbio = BIO_new(BIO_s_mem());
3552 wbio = BIO_new(BIO_s_mem());
3553 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3554 BIO_free(rbio);
3555 BIO_free(wbio);
3556 goto end;
3557 }
3558
3559 SSL_set_bio(con, rbio, wbio);
3560 SSL_set_connect_state(con);
3561
3562 if (!TEST_int_le(SSL_connect(con), 0)) {
3563 /* This shouldn't succeed because we don't have a server! */
3564 goto end;
3565 }
3566
3567 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3568 /* no MFL in client hello */
3569 goto end;
3570 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3571 goto end;
3572
3573 testresult = 1;
3574
3575 end:
3576 SSL_free(con);
3577 SSL_CTX_free(ctx);
3578
3579 return testresult;
3580 }
3581
3582 #ifndef OPENSSL_NO_TLS1_3
3583 static int test_pha_key_update(void)
3584 {
3585 SSL_CTX *cctx = NULL, *sctx = NULL;
3586 SSL *clientssl = NULL, *serverssl = NULL;
3587 int testresult = 0;
3588
3589 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3590 TLS_client_method(),
3591 &sctx, &cctx, cert, privkey)))
3592 return 0;
3593
3594 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3595 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3596 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3597 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3598 goto end;
3599
3600
3601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3602 NULL, NULL)))
3603 goto end;
3604
3605 SSL_force_post_handshake_auth(clientssl);
3606
3607 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3608 SSL_ERROR_NONE)))
3609 goto end;
3610
3611 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3612 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3613 goto end;
3614
3615 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3616 goto end;
3617
3618 /* Start handshake on the server */
3619 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3620 goto end;
3621
3622 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3623 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3624 SSL_ERROR_NONE)))
3625 goto end;
3626
3627 SSL_shutdown(clientssl);
3628 SSL_shutdown(serverssl);
3629
3630 testresult = 1;
3631
3632 end:
3633 SSL_free(serverssl);
3634 SSL_free(clientssl);
3635 SSL_CTX_free(sctx);
3636 SSL_CTX_free(cctx);
3637 return testresult;
3638 }
3639 #endif
3640
3641 int setup_tests(void)
3642 {
3643 if (!TEST_ptr(cert = test_get_argument(0))
3644 || !TEST_ptr(privkey = test_get_argument(1)))
3645 return 0;
3646
3647 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
3648 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
3649 TEST_error("not supported in this build");
3650 return 0;
3651 #else
3652 int i, mcount, rcount, fcount;
3653
3654 for (i = 0; i < 4; i++)
3655 test_export_key_mat(i);
3656 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
3657 test_printf_stdout("malloc %d realloc %d free %d\n",
3658 mcount, rcount, fcount);
3659 return 1;
3660 #endif
3661 }
3662
3663 ADD_TEST(test_large_message_tls);
3664 ADD_TEST(test_large_message_tls_read_ahead);
3665 #ifndef OPENSSL_NO_DTLS
3666 ADD_TEST(test_large_message_dtls);
3667 #endif
3668 #ifndef OPENSSL_NO_OCSP
3669 ADD_TEST(test_tlsext_status_type);
3670 #endif
3671 ADD_TEST(test_session_with_only_int_cache);
3672 ADD_TEST(test_session_with_only_ext_cache);
3673 ADD_TEST(test_session_with_both_cache);
3674 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3675 ADD_TEST(test_ssl_bio_pop_next_bio);
3676 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3677 ADD_TEST(test_ssl_bio_change_rbio);
3678 ADD_TEST(test_ssl_bio_change_wbio);
3679 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
3680 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3681 ADD_TEST(test_keylog);
3682 #endif
3683 #ifndef OPENSSL_NO_TLS1_3
3684 ADD_TEST(test_keylog_no_master_key);
3685 #endif
3686 #ifndef OPENSSL_NO_TLS1_2
3687 ADD_TEST(test_client_hello_cb);
3688 #endif
3689 #ifndef OPENSSL_NO_TLS1_3
3690 ADD_ALL_TESTS(test_early_data_read_write, 3);
3691 ADD_ALL_TESTS(test_early_data_skip, 3);
3692 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3693 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3694 ADD_ALL_TESTS(test_early_data_psk, 8);
3695 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3696 # ifndef OPENSSL_NO_TLS1_2
3697 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3698 # endif
3699 #endif
3700 #ifndef OPENSSL_NO_TLS1_3
3701 ADD_TEST(test_ciphersuite_change);
3702 ADD_ALL_TESTS(test_tls13_psk, 3);
3703 ADD_ALL_TESTS(test_custom_exts, 5);
3704 ADD_TEST(test_stateless);
3705 ADD_TEST(test_pha_key_update);
3706 #else
3707 ADD_ALL_TESTS(test_custom_exts, 3);
3708 #endif
3709 ADD_ALL_TESTS(test_serverinfo, 8);
3710 ADD_ALL_TESTS(test_export_key_mat, 4);
3711 #ifndef OPENSSL_NO_TLS1_3
3712 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3713 #endif
3714 ADD_ALL_TESTS(test_ssl_clear, 2);
3715 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3716 return 1;
3717 }
3718
3719 void cleanup_tests(void)
3720 {
3721 bio_s_mempacket_test_free();
3722 }
A mirror of the official openssl repository