]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add TLSv1.3 post-handshake authentication (PHA)
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17
18 #include "ssltestlib.h"
19 #include "testutil.h"
20 #include "internal/nelem.h"
21 #include "../ssl/ssl_locl.h"
22
23 static char *cert = NULL;
24 static char *privkey = NULL;
25
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
32
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
37
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
40 #endif
41
42 #define NUM_EXTRA_CERTS 40
43 #define CLIENT_VERSION_LEN 2
44
45 /*
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
48 */
49 struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
56 };
57
58
59 static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
63 };
64
65 static unsigned char serverinfov2[] = {
66 0x00, 0x00, 0x00,
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
71 };
72
73 static void client_keylog_callback(const SSL *ssl, const char *line)
74 {
75 int line_length = strlen(line);
76
77 /* If the log doesn't fit, error out. */
78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
80 error_writing_log = 1;
81 return;
82 }
83
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
86 client_log_buffer[client_log_buffer_index++] = '\n';
87 }
88
89 static void server_keylog_callback(const SSL *ssl, const char *line)
90 {
91 int line_length = strlen(line);
92
93 /* If the log doesn't fit, error out. */
94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
95 TEST_info("Server log too full");
96 error_writing_log = 1;
97 return;
98 }
99
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
102 server_log_buffer[server_log_buffer_index++] = '\n';
103 }
104
105 static int compare_hex_encoded_buffer(const char *hex_encoded,
106 size_t hex_length,
107 const uint8_t *raw,
108 size_t raw_length)
109 {
110 size_t i, j;
111 char hexed[3];
112
113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
114 return 1;
115
116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
117 sprintf(hexed, "%02x", raw[i]);
118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
120 return 1;
121 }
122
123 return 0;
124 }
125
126 static int test_keylog_output(char *buffer, const SSL *ssl,
127 const SSL_SESSION *session,
128 struct sslapitest_log_counts *expected)
129 {
130 char *token = NULL;
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
141
142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
144 if (strcmp(token, "RSA") == 0) {
145 /*
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
147 * hex-encoded encrypted secret, then the hex-encoded pre-master
148 * secret.
149 */
150 if (!TEST_ptr(token = strtok(NULL, " \n")))
151 return 0;
152 if (!TEST_size_t_eq(strlen(token), 16))
153 return 0;
154 if (!TEST_ptr(token = strtok(NULL, " \n")))
155 return 0;
156 /*
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
160 */
161 rsa_key_exchange_count++;
162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
163 /*
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
165 * client random, then the hex-encoded master secret.
166 */
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
169 SSL3_RANDOM_SIZE);
170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
171 return 0;
172
173 if (!TEST_ptr(token = strtok(NULL, " \n")))
174 return 0;
175 if (!TEST_size_t_eq(strlen(token), 64))
176 return 0;
177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
180 return 0;
181
182 if (!TEST_ptr(token = strtok(NULL, " \n")))
183 return 0;
184 master_key_size = SSL_SESSION_get_master_key(session,
185 actual_master_key,
186 master_key_size);
187 if (!TEST_size_t_ne(master_key_size, 0))
188 return 0;
189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
190 actual_master_key,
191 master_key_size)))
192 return 0;
193 master_secret_count++;
194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
198 /*
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
203 */
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
212
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
215 SSL3_RANDOM_SIZE);
216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
217 return 0;
218
219 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 return 0;
221 if (!TEST_size_t_eq(strlen(token), 64))
222 return 0;
223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
226 return 0;
227
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 return 0;
230
231 /*
232 * TODO(TLS1.3): test that application traffic secrets are what
233 * we expect */
234 } else {
235 TEST_info("Unexpected token %s\n", token);
236 return 0;
237 }
238 }
239
240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
253 return 0;
254 return 1;
255 }
256
257 static int test_keylog(void)
258 {
259 SSL_CTX *cctx = NULL, *sctx = NULL;
260 SSL *clientssl = NULL, *serverssl = NULL;
261 int testresult = 0;
262 struct sslapitest_log_counts expected = {0};
263
264 /* Clean up logging space */
265 memset(client_log_buffer, 0, sizeof(client_log_buffer));
266 memset(server_log_buffer, 0, sizeof(server_log_buffer));
267 client_log_buffer_index = 0;
268 server_log_buffer_index = 0;
269 error_writing_log = 0;
270
271 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
272 TLS_client_method(),
273 &sctx, &cctx, cert, privkey)))
274 return 0;
275
276 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
277 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
278 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
279
280 /* We also want to ensure that we use RSA-based key exchange. */
281 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
282 goto end;
283
284 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
285 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
286 goto end;
287 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
288 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
289 == client_keylog_callback))
290 goto end;
291 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
292 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
293 == server_keylog_callback))
294 goto end;
295
296 /* Now do a handshake and check that the logs have been written to. */
297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
298 &clientssl, NULL, NULL))
299 || !TEST_true(create_ssl_connection(serverssl, clientssl,
300 SSL_ERROR_NONE))
301 || !TEST_false(error_writing_log)
302 || !TEST_int_gt(client_log_buffer_index, 0)
303 || !TEST_int_gt(server_log_buffer_index, 0))
304 goto end;
305
306 /*
307 * Now we want to test that our output data was vaguely sensible. We
308 * do that by using strtok and confirming that we have more or less the
309 * data we expect. For both client and server, we expect to see one master
310 * secret. The client should also see a RSA key exchange.
311 */
312 expected.rsa_key_exchange_count = 1;
313 expected.master_secret_count = 1;
314 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
315 SSL_get_session(clientssl), &expected)))
316 goto end;
317
318 expected.rsa_key_exchange_count = 0;
319 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
320 SSL_get_session(serverssl), &expected)))
321 goto end;
322
323 testresult = 1;
324
325 end:
326 SSL_free(serverssl);
327 SSL_free(clientssl);
328 SSL_CTX_free(sctx);
329 SSL_CTX_free(cctx);
330
331 return testresult;
332 }
333
334 #ifndef OPENSSL_NO_TLS1_3
335 static int test_keylog_no_master_key(void)
336 {
337 SSL_CTX *cctx = NULL, *sctx = NULL;
338 SSL *clientssl = NULL, *serverssl = NULL;
339 int testresult = 0;
340 struct sslapitest_log_counts expected = {0};
341
342 /* Clean up logging space */
343 memset(client_log_buffer, 0, sizeof(client_log_buffer));
344 memset(server_log_buffer, 0, sizeof(server_log_buffer));
345 client_log_buffer_index = 0;
346 server_log_buffer_index = 0;
347 error_writing_log = 0;
348
349 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
350 TLS_client_method(), &sctx,
351 &cctx, cert, privkey)))
352 return 0;
353
354 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
355 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
356 goto end;
357
358 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
359 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
360 == client_keylog_callback))
361 goto end;
362
363 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
364 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
365 == server_keylog_callback))
366 goto end;
367
368 /* Now do a handshake and check that the logs have been written to. */
369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
370 &clientssl, NULL, NULL))
371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
372 SSL_ERROR_NONE))
373 || !TEST_false(error_writing_log))
374 goto end;
375
376 /*
377 * Now we want to test that our output data was vaguely sensible. For this
378 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
379 * TLSv1.3, but we do expect both client and server to emit keys.
380 */
381 expected.client_handshake_secret_count = 1;
382 expected.server_handshake_secret_count = 1;
383 expected.client_application_secret_count = 1;
384 expected.server_application_secret_count = 1;
385 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
386 SSL_get_session(clientssl), &expected))
387 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
388 SSL_get_session(serverssl),
389 &expected)))
390 goto end;
391
392 testresult = 1;
393
394 end:
395 SSL_free(serverssl);
396 SSL_free(clientssl);
397 SSL_CTX_free(sctx);
398 SSL_CTX_free(cctx);
399
400 return testresult;
401 }
402 #endif
403
404 #ifndef OPENSSL_NO_TLS1_2
405 static int full_client_hello_callback(SSL *s, int *al, void *arg)
406 {
407 int *ctr = arg;
408 const unsigned char *p;
409 int *exts;
410 /* We only configure two ciphers, but the SCSV is added automatically. */
411 #ifdef OPENSSL_NO_EC
412 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
413 #else
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
415 0x2c, 0x00, 0xff};
416 #endif
417 const int expected_extensions[] = {
418 #ifndef OPENSSL_NO_EC
419 11, 10,
420 #endif
421 35, 22, 23, 13};
422 size_t len;
423
424 /* Make sure we can defer processing and get called back. */
425 if ((*ctr)++ == 0)
426 return SSL_CLIENT_HELLO_RETRY;
427
428 len = SSL_client_hello_get0_ciphers(s, &p);
429 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
430 || !TEST_size_t_eq(
431 SSL_client_hello_get0_compression_methods(s, &p), 1)
432 || !TEST_int_eq(*p, 0))
433 return SSL_CLIENT_HELLO_ERROR;
434 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
435 return SSL_CLIENT_HELLO_ERROR;
436 if (len != OSSL_NELEM(expected_extensions) ||
437 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
438 printf("ClientHello callback expected extensions mismatch\n");
439 OPENSSL_free(exts);
440 return SSL_CLIENT_HELLO_ERROR;
441 }
442 OPENSSL_free(exts);
443 return SSL_CLIENT_HELLO_SUCCESS;
444 }
445
446 static int test_client_hello_cb(void)
447 {
448 SSL_CTX *cctx = NULL, *sctx = NULL;
449 SSL *clientssl = NULL, *serverssl = NULL;
450 int testctr = 0, testresult = 0;
451
452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
453 TLS_client_method(), &sctx,
454 &cctx, cert, privkey)))
455 goto end;
456 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
457
458 /* The gimpy cipher list we configure can't do TLS 1.3. */
459 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
460
461 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
462 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
463 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
464 &clientssl, NULL, NULL))
465 || !TEST_false(create_ssl_connection(serverssl, clientssl,
466 SSL_ERROR_WANT_CLIENT_HELLO_CB))
467 /*
468 * Passing a -1 literal is a hack since
469 * the real value was lost.
470 * */
471 || !TEST_int_eq(SSL_get_error(serverssl, -1),
472 SSL_ERROR_WANT_CLIENT_HELLO_CB)
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 SSL_ERROR_NONE)))
475 goto end;
476
477 testresult = 1;
478
479 end:
480 SSL_free(serverssl);
481 SSL_free(clientssl);
482 SSL_CTX_free(sctx);
483 SSL_CTX_free(cctx);
484
485 return testresult;
486 }
487 #endif
488
489 static int execute_test_large_message(const SSL_METHOD *smeth,
490 const SSL_METHOD *cmeth, int read_ahead)
491 {
492 SSL_CTX *cctx = NULL, *sctx = NULL;
493 SSL *clientssl = NULL, *serverssl = NULL;
494 int testresult = 0;
495 int i;
496 BIO *certbio = NULL;
497 X509 *chaincert = NULL;
498 int certlen;
499
500 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
501 goto end;
502 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
503 BIO_free(certbio);
504 certbio = NULL;
505 if (!TEST_ptr(chaincert))
506 goto end;
507
508 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
509 &cctx, cert, privkey)))
510 goto end;
511
512 if (read_ahead) {
513 /*
514 * Test that read_ahead works correctly when dealing with large
515 * records
516 */
517 SSL_CTX_set_read_ahead(cctx, 1);
518 }
519
520 /*
521 * We assume the supplied certificate is big enough so that if we add
522 * NUM_EXTRA_CERTS it will make the overall message large enough. The
523 * default buffer size is requested to be 16k, but due to the way BUF_MEM
524 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
525 * test we need to have a message larger than that.
526 */
527 certlen = i2d_X509(chaincert, NULL);
528 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
529 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
530 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
531 if (!X509_up_ref(chaincert))
532 goto end;
533 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
534 X509_free(chaincert);
535 goto end;
536 }
537 }
538
539 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
540 NULL, NULL))
541 || !TEST_true(create_ssl_connection(serverssl, clientssl,
542 SSL_ERROR_NONE)))
543 goto end;
544
545 /*
546 * Calling SSL_clear() first is not required but this tests that SSL_clear()
547 * doesn't leak (when using enable-crypto-mdebug).
548 */
549 if (!TEST_true(SSL_clear(serverssl)))
550 goto end;
551
552 testresult = 1;
553 end:
554 X509_free(chaincert);
555 SSL_free(serverssl);
556 SSL_free(clientssl);
557 SSL_CTX_free(sctx);
558 SSL_CTX_free(cctx);
559
560 return testresult;
561 }
562
563 static int test_large_message_tls(void)
564 {
565 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
566 0);
567 }
568
569 static int test_large_message_tls_read_ahead(void)
570 {
571 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
572 1);
573 }
574
575 #ifndef OPENSSL_NO_DTLS
576 static int test_large_message_dtls(void)
577 {
578 /*
579 * read_ahead is not relevant to DTLS because DTLS always acts as if
580 * read_ahead is set.
581 */
582 return execute_test_large_message(DTLS_server_method(),
583 DTLS_client_method(), 0);
584 }
585 #endif
586
587 #ifndef OPENSSL_NO_OCSP
588 static int ocsp_server_cb(SSL *s, void *arg)
589 {
590 int *argi = (int *)arg;
591 unsigned char *copy = NULL;
592 STACK_OF(OCSP_RESPID) *ids = NULL;
593 OCSP_RESPID *id = NULL;
594
595 if (*argi == 2) {
596 /* In this test we are expecting exactly 1 OCSP_RESPID */
597 SSL_get_tlsext_status_ids(s, &ids);
598 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
599 return SSL_TLSEXT_ERR_ALERT_FATAL;
600
601 id = sk_OCSP_RESPID_value(ids, 0);
602 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
603 return SSL_TLSEXT_ERR_ALERT_FATAL;
604 } else if (*argi != 1) {
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
606 }
607
608 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
609 return SSL_TLSEXT_ERR_ALERT_FATAL;
610
611 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
612 ocsp_server_called = 1;
613 return SSL_TLSEXT_ERR_OK;
614 }
615
616 static int ocsp_client_cb(SSL *s, void *arg)
617 {
618 int *argi = (int *)arg;
619 const unsigned char *respderin;
620 size_t len;
621
622 if (*argi != 1 && *argi != 2)
623 return 0;
624
625 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
626 if (!TEST_mem_eq(orespder, len, respderin, len))
627 return 0;
628
629 ocsp_client_called = 1;
630 return 1;
631 }
632
633 static int test_tlsext_status_type(void)
634 {
635 SSL_CTX *cctx = NULL, *sctx = NULL;
636 SSL *clientssl = NULL, *serverssl = NULL;
637 int testresult = 0;
638 STACK_OF(OCSP_RESPID) *ids = NULL;
639 OCSP_RESPID *id = NULL;
640 BIO *certbio = NULL;
641
642 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
643 &cctx, cert, privkey))
644 return 0;
645
646 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
647 goto end;
648
649 /* First just do various checks getting and setting tlsext_status_type */
650
651 clientssl = SSL_new(cctx);
652 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
653 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
654 TLSEXT_STATUSTYPE_ocsp))
655 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
656 TLSEXT_STATUSTYPE_ocsp))
657 goto end;
658
659 SSL_free(clientssl);
660 clientssl = NULL;
661
662 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
663 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
664 goto end;
665
666 clientssl = SSL_new(cctx);
667 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
668 goto end;
669 SSL_free(clientssl);
670 clientssl = NULL;
671
672 /*
673 * Now actually do a handshake and check OCSP information is exchanged and
674 * the callbacks get called
675 */
676 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
677 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
678 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
679 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
681 &clientssl, NULL, NULL))
682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
683 SSL_ERROR_NONE))
684 || !TEST_true(ocsp_client_called)
685 || !TEST_true(ocsp_server_called))
686 goto end;
687 SSL_free(serverssl);
688 SSL_free(clientssl);
689 serverssl = NULL;
690 clientssl = NULL;
691
692 /* Try again but this time force the server side callback to fail */
693 ocsp_client_called = 0;
694 ocsp_server_called = 0;
695 cdummyarg = 0;
696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
697 &clientssl, NULL, NULL))
698 /* This should fail because the callback will fail */
699 || !TEST_false(create_ssl_connection(serverssl, clientssl,
700 SSL_ERROR_NONE))
701 || !TEST_false(ocsp_client_called)
702 || !TEST_false(ocsp_server_called))
703 goto end;
704 SSL_free(serverssl);
705 SSL_free(clientssl);
706 serverssl = NULL;
707 clientssl = NULL;
708
709 /*
710 * This time we'll get the client to send an OCSP_RESPID that it will
711 * accept.
712 */
713 ocsp_client_called = 0;
714 ocsp_server_called = 0;
715 cdummyarg = 2;
716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
717 &clientssl, NULL, NULL)))
718 goto end;
719
720 /*
721 * We'll just use any old cert for this test - it doesn't have to be an OCSP
722 * specific one. We'll use the server cert.
723 */
724 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
725 || !TEST_ptr(id = OCSP_RESPID_new())
726 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
727 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
728 NULL, NULL, NULL))
729 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
730 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
731 goto end;
732 id = NULL;
733 SSL_set_tlsext_status_ids(clientssl, ids);
734 /* Control has been transferred */
735 ids = NULL;
736
737 BIO_free(certbio);
738 certbio = NULL;
739
740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
741 SSL_ERROR_NONE))
742 || !TEST_true(ocsp_client_called)
743 || !TEST_true(ocsp_server_called))
744 goto end;
745
746 testresult = 1;
747
748 end:
749 SSL_free(serverssl);
750 SSL_free(clientssl);
751 SSL_CTX_free(sctx);
752 SSL_CTX_free(cctx);
753 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
754 OCSP_RESPID_free(id);
755 BIO_free(certbio);
756 X509_free(ocspcert);
757 ocspcert = NULL;
758
759 return testresult;
760 }
761 #endif
762
763 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
764 static int new_called, remove_called, get_called;
765
766 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
767 {
768 new_called++;
769 /*
770 * sess has been up-refed for us, but we don't actually need it so free it
771 * immediately.
772 */
773 SSL_SESSION_free(sess);
774 return 1;
775 }
776
777 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
778 {
779 remove_called++;
780 }
781
782 static SSL_SESSION *get_sess_val = NULL;
783
784 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
785 int *copy)
786 {
787 get_called++;
788 *copy = 1;
789 return get_sess_val;
790 }
791
792 static int execute_test_session(int maxprot, int use_int_cache,
793 int use_ext_cache)
794 {
795 SSL_CTX *sctx = NULL, *cctx = NULL;
796 SSL *serverssl1 = NULL, *clientssl1 = NULL;
797 SSL *serverssl2 = NULL, *clientssl2 = NULL;
798 # ifndef OPENSSL_NO_TLS1_1
799 SSL *serverssl3 = NULL, *clientssl3 = NULL;
800 # endif
801 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
802 int testresult = 0;
803
804 new_called = remove_called = 0;
805
806 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
807 TLS_client_method(), &sctx,
808 &cctx, cert, privkey)))
809 return 0;
810
811 /*
812 * Only allow the max protocol version so we can force a connection failure
813 * later
814 */
815 SSL_CTX_set_min_proto_version(cctx, maxprot);
816 SSL_CTX_set_max_proto_version(cctx, maxprot);
817
818 /* Set up session cache */
819 if (use_ext_cache) {
820 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
821 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
822 }
823 if (use_int_cache) {
824 /* Also covers instance where both are set */
825 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
826 } else {
827 SSL_CTX_set_session_cache_mode(cctx,
828 SSL_SESS_CACHE_CLIENT
829 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
830 }
831
832 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
833 NULL, NULL))
834 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
835 SSL_ERROR_NONE))
836 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
837 goto end;
838
839 /* Should fail because it should already be in the cache */
840 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
841 goto end;
842 if (use_ext_cache
843 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
844 goto end;
845
846 new_called = remove_called = 0;
847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
848 &clientssl2, NULL, NULL))
849 || !TEST_true(SSL_set_session(clientssl2, sess1))
850 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
851 SSL_ERROR_NONE))
852 || !TEST_true(SSL_session_reused(clientssl2)))
853 goto end;
854
855 if (maxprot == TLS1_3_VERSION) {
856 /*
857 * In TLSv1.3 we should have created a new session even though we have
858 * resumed. The original session should also have been removed.
859 */
860 if (use_ext_cache
861 && (!TEST_int_eq(new_called, 1)
862 || !TEST_int_eq(remove_called, 1)))
863 goto end;
864 } else {
865 /*
866 * In TLSv1.2 we expect to have resumed so no sessions added or
867 * removed.
868 */
869 if (use_ext_cache
870 && (!TEST_int_eq(new_called, 0)
871 || !TEST_int_eq(remove_called, 0)))
872 goto end;
873 }
874
875 SSL_SESSION_free(sess1);
876 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
877 goto end;
878 shutdown_ssl_connection(serverssl2, clientssl2);
879 serverssl2 = clientssl2 = NULL;
880
881 new_called = remove_called = 0;
882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
883 &clientssl2, NULL, NULL))
884 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
885 SSL_ERROR_NONE)))
886 goto end;
887
888 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
889 goto end;
890
891 if (use_ext_cache
892 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
893 goto end;
894
895 new_called = remove_called = 0;
896 /*
897 * This should clear sess2 from the cache because it is a "bad" session.
898 * See SSL_set_session() documentation.
899 */
900 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
901 goto end;
902 if (use_ext_cache
903 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
904 goto end;
905 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
906 goto end;
907
908 if (use_int_cache) {
909 /* Should succeeded because it should not already be in the cache */
910 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
911 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
912 goto end;
913 }
914
915 new_called = remove_called = 0;
916 /* This shouldn't be in the cache so should fail */
917 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
918 goto end;
919
920 if (use_ext_cache
921 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
922 goto end;
923
924 # if !defined(OPENSSL_NO_TLS1_1)
925 new_called = remove_called = 0;
926 /* Force a connection failure */
927 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
929 &clientssl3, NULL, NULL))
930 || !TEST_true(SSL_set_session(clientssl3, sess1))
931 /* This should fail because of the mismatched protocol versions */
932 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
933 SSL_ERROR_NONE)))
934 goto end;
935
936 /* We should have automatically removed the session from the cache */
937 if (use_ext_cache
938 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
939 goto end;
940
941 /* Should succeed because it should not already be in the cache */
942 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
943 goto end;
944 # endif
945
946 /* Now do some tests for server side caching */
947 if (use_ext_cache) {
948 SSL_CTX_sess_set_new_cb(cctx, NULL);
949 SSL_CTX_sess_set_remove_cb(cctx, NULL);
950 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
951 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
952 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
953 get_sess_val = NULL;
954 }
955
956 SSL_CTX_set_session_cache_mode(cctx, 0);
957 /* Internal caching is the default on the server side */
958 if (!use_int_cache)
959 SSL_CTX_set_session_cache_mode(sctx,
960 SSL_SESS_CACHE_SERVER
961 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
962
963 SSL_free(serverssl1);
964 SSL_free(clientssl1);
965 serverssl1 = clientssl1 = NULL;
966 SSL_free(serverssl2);
967 SSL_free(clientssl2);
968 serverssl2 = clientssl2 = NULL;
969 SSL_SESSION_free(sess1);
970 sess1 = NULL;
971 SSL_SESSION_free(sess2);
972 sess2 = NULL;
973
974 SSL_CTX_set_max_proto_version(sctx, maxprot);
975 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
976 new_called = remove_called = get_called = 0;
977 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
978 NULL, NULL))
979 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
980 SSL_ERROR_NONE))
981 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
982 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
983 goto end;
984
985 /* Should fail because it should already be in the cache */
986 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
987 goto end;
988
989 if (use_ext_cache) {
990 SSL_SESSION *tmp = sess2;
991
992 if (!TEST_int_eq(new_called, 1)
993 || !TEST_int_eq(remove_called, 0)
994 || !TEST_int_eq(get_called, 0))
995 goto end;
996 /*
997 * Delete the session from the internal cache to force a lookup from
998 * the external cache. We take a copy first because
999 * SSL_CTX_remove_session() also marks the session as non-resumable.
1000 */
1001 if (use_int_cache) {
1002 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1003 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1004 goto end;
1005 SSL_SESSION_free(sess2);
1006 }
1007 sess2 = tmp;
1008 }
1009
1010 new_called = remove_called = get_called = 0;
1011 get_sess_val = sess2;
1012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1013 &clientssl2, NULL, NULL))
1014 || !TEST_true(SSL_set_session(clientssl2, sess1))
1015 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1016 SSL_ERROR_NONE))
1017 || !TEST_true(SSL_session_reused(clientssl2)))
1018 goto end;
1019
1020 if (use_ext_cache) {
1021 if (!TEST_int_eq(new_called, 0)
1022 || !TEST_int_eq(remove_called, 0))
1023 goto end;
1024
1025 if (maxprot == TLS1_3_VERSION) {
1026 if (!TEST_int_eq(get_called, 0))
1027 goto end;
1028 } else {
1029 if (!TEST_int_eq(get_called, 1))
1030 goto end;
1031 }
1032 }
1033
1034 testresult = 1;
1035
1036 end:
1037 SSL_free(serverssl1);
1038 SSL_free(clientssl1);
1039 SSL_free(serverssl2);
1040 SSL_free(clientssl2);
1041 # ifndef OPENSSL_NO_TLS1_1
1042 SSL_free(serverssl3);
1043 SSL_free(clientssl3);
1044 # endif
1045 SSL_SESSION_free(sess1);
1046 SSL_SESSION_free(sess2);
1047 SSL_CTX_free(sctx);
1048 SSL_CTX_free(cctx);
1049
1050 return testresult;
1051 }
1052 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1053
1054 static int test_session_with_only_int_cache(void)
1055 {
1056 #ifndef OPENSSL_NO_TLS1_3
1057 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1058 return 0;
1059 #endif
1060
1061 #ifndef OPENSSL_NO_TLS1_2
1062 return execute_test_session(TLS1_2_VERSION, 1, 0);
1063 #else
1064 return 1;
1065 #endif
1066 }
1067
1068 static int test_session_with_only_ext_cache(void)
1069 {
1070 #ifndef OPENSSL_NO_TLS1_3
1071 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1072 return 0;
1073 #endif
1074
1075 #ifndef OPENSSL_NO_TLS1_2
1076 return execute_test_session(TLS1_2_VERSION, 0, 1);
1077 #else
1078 return 1;
1079 #endif
1080 }
1081
1082 static int test_session_with_both_cache(void)
1083 {
1084 #ifndef OPENSSL_NO_TLS1_3
1085 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1086 return 0;
1087 #endif
1088
1089 #ifndef OPENSSL_NO_TLS1_2
1090 return execute_test_session(TLS1_2_VERSION, 1, 1);
1091 #else
1092 return 1;
1093 #endif
1094 }
1095
1096 #define USE_NULL 0
1097 #define USE_BIO_1 1
1098 #define USE_BIO_2 2
1099
1100 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1101
1102 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1103 {
1104 switch (type) {
1105 case USE_NULL:
1106 *res = NULL;
1107 break;
1108 case USE_BIO_1:
1109 *res = bio1;
1110 break;
1111 case USE_BIO_2:
1112 *res = bio2;
1113 break;
1114 }
1115 }
1116
1117 static int test_ssl_set_bio(int idx)
1118 {
1119 SSL_CTX *ctx;
1120 BIO *bio1 = NULL;
1121 BIO *bio2 = NULL;
1122 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1123 SSL *ssl = NULL;
1124 int initrbio, initwbio, newrbio, newwbio;
1125 int testresult = 0;
1126
1127 initrbio = idx % 3;
1128 idx /= 3;
1129 initwbio = idx % 3;
1130 idx /= 3;
1131 newrbio = idx % 3;
1132 idx /= 3;
1133 newwbio = idx;
1134 if (!TEST_int_le(newwbio, 2))
1135 return 0;
1136
1137 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1138 || !TEST_ptr(ssl = SSL_new(ctx)))
1139 goto end;
1140
1141 if (initrbio == USE_BIO_1
1142 || initwbio == USE_BIO_1
1143 || newrbio == USE_BIO_1
1144 || newwbio == USE_BIO_1) {
1145 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1146 goto end;
1147 }
1148
1149 if (initrbio == USE_BIO_2
1150 || initwbio == USE_BIO_2
1151 || newrbio == USE_BIO_2
1152 || newwbio == USE_BIO_2) {
1153 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1154 goto end;
1155 }
1156
1157 setupbio(&irbio, bio1, bio2, initrbio);
1158 setupbio(&iwbio, bio1, bio2, initwbio);
1159
1160 /*
1161 * We want to maintain our own refs to these BIO, so do an up ref for each
1162 * BIO that will have ownership transferred in the SSL_set_bio() call
1163 */
1164 if (irbio != NULL)
1165 BIO_up_ref(irbio);
1166 if (iwbio != NULL && iwbio != irbio)
1167 BIO_up_ref(iwbio);
1168
1169 SSL_set_bio(ssl, irbio, iwbio);
1170
1171 setupbio(&nrbio, bio1, bio2, newrbio);
1172 setupbio(&nwbio, bio1, bio2, newwbio);
1173
1174 /*
1175 * We will (maybe) transfer ownership again so do more up refs.
1176 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1177 * already been set!
1178 */
1179 if (nrbio != NULL
1180 && nrbio != irbio
1181 && (nwbio != iwbio || nrbio != nwbio))
1182 BIO_up_ref(nrbio);
1183 if (nwbio != NULL
1184 && nwbio != nrbio
1185 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1186 BIO_up_ref(nwbio);
1187
1188 SSL_set_bio(ssl, nrbio, nwbio);
1189
1190 testresult = 1;
1191
1192 end:
1193 SSL_free(ssl);
1194 BIO_free(bio1);
1195 BIO_free(bio2);
1196
1197 /*
1198 * This test is checking that the ref counting for SSL_set_bio is correct.
1199 * If we get here and we did too many frees then we will fail in the above
1200 * functions. If we haven't done enough then this will only be detected in
1201 * a crypto-mdebug build
1202 */
1203 SSL_CTX_free(ctx);
1204 return testresult;
1205 }
1206
1207 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1208
1209 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1210 {
1211 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1212 SSL_CTX *ctx;
1213 SSL *ssl = NULL;
1214 int testresult = 0;
1215
1216 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1217 || !TEST_ptr(ssl = SSL_new(ctx))
1218 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1219 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1220 goto end;
1221
1222 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1223
1224 /*
1225 * If anything goes wrong here then we could leak memory, so this will
1226 * be caught in a crypto-mdebug build
1227 */
1228 BIO_push(sslbio, membio1);
1229
1230 /* Verify changing the rbio/wbio directly does not cause leaks */
1231 if (change_bio != NO_BIO_CHANGE) {
1232 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1233 goto end;
1234 if (change_bio == CHANGE_RBIO)
1235 SSL_set0_rbio(ssl, membio2);
1236 else
1237 SSL_set0_wbio(ssl, membio2);
1238 }
1239 ssl = NULL;
1240
1241 if (pop_ssl)
1242 BIO_pop(sslbio);
1243 else
1244 BIO_pop(membio1);
1245
1246 testresult = 1;
1247 end:
1248 BIO_free(membio1);
1249 BIO_free(sslbio);
1250 SSL_free(ssl);
1251 SSL_CTX_free(ctx);
1252
1253 return testresult;
1254 }
1255
1256 static int test_ssl_bio_pop_next_bio(void)
1257 {
1258 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1259 }
1260
1261 static int test_ssl_bio_pop_ssl_bio(void)
1262 {
1263 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1264 }
1265
1266 static int test_ssl_bio_change_rbio(void)
1267 {
1268 return execute_test_ssl_bio(0, CHANGE_RBIO);
1269 }
1270
1271 static int test_ssl_bio_change_wbio(void)
1272 {
1273 return execute_test_ssl_bio(0, CHANGE_WBIO);
1274 }
1275
1276 typedef struct {
1277 /* The list of sig algs */
1278 const int *list;
1279 /* The length of the list */
1280 size_t listlen;
1281 /* A sigalgs list in string format */
1282 const char *liststr;
1283 /* Whether setting the list should succeed */
1284 int valid;
1285 /* Whether creating a connection with the list should succeed */
1286 int connsuccess;
1287 } sigalgs_list;
1288
1289 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1290 #ifndef OPENSSL_NO_EC
1291 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1292 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1293 #endif
1294 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1295 static const int invalidlist2[] = {NID_sha256, NID_undef};
1296 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1297 static const int invalidlist4[] = {NID_sha256};
1298 static const sigalgs_list testsigalgs[] = {
1299 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1300 #ifndef OPENSSL_NO_EC
1301 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1302 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1303 #endif
1304 {NULL, 0, "RSA+SHA256", 1, 1},
1305 #ifndef OPENSSL_NO_EC
1306 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1307 {NULL, 0, "ECDSA+SHA512", 1, 0},
1308 #endif
1309 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1310 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1311 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1312 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1313 {NULL, 0, "RSA", 0, 0},
1314 {NULL, 0, "SHA256", 0, 0},
1315 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1316 {NULL, 0, "Invalid", 0, 0}
1317 };
1318
1319 static int test_set_sigalgs(int idx)
1320 {
1321 SSL_CTX *cctx = NULL, *sctx = NULL;
1322 SSL *clientssl = NULL, *serverssl = NULL;
1323 int testresult = 0;
1324 const sigalgs_list *curr;
1325 int testctx;
1326
1327 /* Should never happen */
1328 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1329 return 0;
1330
1331 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1332 curr = testctx ? &testsigalgs[idx]
1333 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1334
1335 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1336 TLS_client_method(), &sctx,
1337 &cctx, cert, privkey)))
1338 return 0;
1339
1340 /*
1341 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1342 * for TLSv1.2 for now until we add a new API.
1343 */
1344 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1345
1346 if (testctx) {
1347 int ret;
1348
1349 if (curr->list != NULL)
1350 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1351 else
1352 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1353
1354 if (!ret) {
1355 if (curr->valid)
1356 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1357 else
1358 testresult = 1;
1359 goto end;
1360 }
1361 if (!curr->valid) {
1362 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1363 goto end;
1364 }
1365 }
1366
1367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1368 &clientssl, NULL, NULL)))
1369 goto end;
1370
1371 if (!testctx) {
1372 int ret;
1373
1374 if (curr->list != NULL)
1375 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1376 else
1377 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1378 if (!ret) {
1379 if (curr->valid)
1380 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1381 else
1382 testresult = 1;
1383 goto end;
1384 }
1385 if (!curr->valid)
1386 goto end;
1387 }
1388
1389 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1390 SSL_ERROR_NONE),
1391 curr->connsuccess))
1392 goto end;
1393
1394 testresult = 1;
1395
1396 end:
1397 SSL_free(serverssl);
1398 SSL_free(clientssl);
1399 SSL_CTX_free(sctx);
1400 SSL_CTX_free(cctx);
1401
1402 return testresult;
1403 }
1404
1405 #ifndef OPENSSL_NO_TLS1_3
1406
1407 static SSL_SESSION *clientpsk = NULL;
1408 static SSL_SESSION *serverpsk = NULL;
1409 static const char *pskid = "Identity";
1410 static const char *srvid;
1411
1412 static int use_session_cb_cnt = 0;
1413 static int find_session_cb_cnt = 0;
1414
1415 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1416 size_t *idlen, SSL_SESSION **sess)
1417 {
1418 switch (++use_session_cb_cnt) {
1419 case 1:
1420 /* The first call should always have a NULL md */
1421 if (md != NULL)
1422 return 0;
1423 break;
1424
1425 case 2:
1426 /* The second call should always have an md */
1427 if (md == NULL)
1428 return 0;
1429 break;
1430
1431 default:
1432 /* We should only be called a maximum of twice */
1433 return 0;
1434 }
1435
1436 if (clientpsk != NULL)
1437 SSL_SESSION_up_ref(clientpsk);
1438
1439 *sess = clientpsk;
1440 *id = (const unsigned char *)pskid;
1441 *idlen = strlen(pskid);
1442
1443 return 1;
1444 }
1445
1446 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1447 size_t identity_len, SSL_SESSION **sess)
1448 {
1449 find_session_cb_cnt++;
1450
1451 /* We should only ever be called a maximum of twice per connection */
1452 if (find_session_cb_cnt > 2)
1453 return 0;
1454
1455 if (serverpsk == NULL)
1456 return 0;
1457
1458 /* Identity should match that set by the client */
1459 if (strlen(srvid) != identity_len
1460 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1461 /* No PSK found, continue but without a PSK */
1462 *sess = NULL;
1463 return 1;
1464 }
1465
1466 SSL_SESSION_up_ref(serverpsk);
1467 *sess = serverpsk;
1468
1469 return 1;
1470 }
1471
1472 #define MSG1 "Hello"
1473 #define MSG2 "World."
1474 #define MSG3 "This"
1475 #define MSG4 "is"
1476 #define MSG5 "a"
1477 #define MSG6 "test"
1478 #define MSG7 "message."
1479
1480 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1481
1482 /*
1483 * Helper method to setup objects for early data test. Caller frees objects on
1484 * error.
1485 */
1486 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1487 SSL **serverssl, SSL_SESSION **sess, int idx)
1488 {
1489 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1490 TLS_client_method(), sctx,
1491 cctx, cert, privkey)))
1492 return 0;
1493
1494 if (idx == 1) {
1495 /* When idx == 1 we repeat the tests with read_ahead set */
1496 SSL_CTX_set_read_ahead(*cctx, 1);
1497 SSL_CTX_set_read_ahead(*sctx, 1);
1498 } else if (idx == 2) {
1499 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1500 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1501 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1502 use_session_cb_cnt = 0;
1503 find_session_cb_cnt = 0;
1504 srvid = pskid;
1505 }
1506
1507 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1508 NULL, NULL)))
1509 return 0;
1510
1511 /*
1512 * For one of the run throughs (doesn't matter which one), we'll try sending
1513 * some SNI data in the initial ClientHello. This will be ignored (because
1514 * there is no SNI cb set up by the server), so it should not impact
1515 * early_data.
1516 */
1517 if (idx == 1
1518 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1519 return 0;
1520
1521 if (idx == 2) {
1522 /* Create the PSK */
1523 const SSL_CIPHER *cipher = NULL;
1524 const unsigned char key[] = {
1525 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1526 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1527 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1528 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1529 0x2c, 0x2d, 0x2e, 0x2f
1530 };
1531
1532 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1533 clientpsk = SSL_SESSION_new();
1534 if (!TEST_ptr(clientpsk)
1535 || !TEST_ptr(cipher)
1536 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1537 sizeof(key)))
1538 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1539 || !TEST_true(
1540 SSL_SESSION_set_protocol_version(clientpsk,
1541 TLS1_3_VERSION))
1542 /*
1543 * We just choose an arbitrary value for max_early_data which
1544 * should be big enough for testing purposes.
1545 */
1546 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1547 0x100))
1548 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1549 SSL_SESSION_free(clientpsk);
1550 clientpsk = NULL;
1551 return 0;
1552 }
1553 serverpsk = clientpsk;
1554
1555 if (sess != NULL)
1556 *sess = clientpsk;
1557 return 1;
1558 }
1559
1560 if (sess == NULL)
1561 return 1;
1562
1563 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1564 SSL_ERROR_NONE)))
1565 return 0;
1566
1567 *sess = SSL_get1_session(*clientssl);
1568 SSL_shutdown(*clientssl);
1569 SSL_shutdown(*serverssl);
1570 SSL_free(*serverssl);
1571 SSL_free(*clientssl);
1572 *serverssl = *clientssl = NULL;
1573
1574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1575 clientssl, NULL, NULL))
1576 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1577 return 0;
1578
1579 return 1;
1580 }
1581
1582 static int test_early_data_read_write(int idx)
1583 {
1584 SSL_CTX *cctx = NULL, *sctx = NULL;
1585 SSL *clientssl = NULL, *serverssl = NULL;
1586 int testresult = 0;
1587 SSL_SESSION *sess = NULL;
1588 unsigned char buf[20], data[1024];
1589 size_t readbytes, written, eoedlen, rawread, rawwritten;
1590 BIO *rbio;
1591
1592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1593 &serverssl, &sess, idx)))
1594 goto end;
1595
1596 /* Write and read some early data */
1597 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1598 &written))
1599 || !TEST_size_t_eq(written, strlen(MSG1))
1600 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1601 sizeof(buf), &readbytes),
1602 SSL_READ_EARLY_DATA_SUCCESS)
1603 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1604 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1605 SSL_EARLY_DATA_ACCEPTED))
1606 goto end;
1607
1608 /*
1609 * Server should be able to write data, and client should be able to
1610 * read it.
1611 */
1612 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1613 &written))
1614 || !TEST_size_t_eq(written, strlen(MSG2))
1615 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1616 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1617 goto end;
1618
1619 /* Even after reading normal data, client should be able write early data */
1620 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1621 &written))
1622 || !TEST_size_t_eq(written, strlen(MSG3)))
1623 goto end;
1624
1625 /* Server should still be able read early data after writing data */
1626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1627 &readbytes),
1628 SSL_READ_EARLY_DATA_SUCCESS)
1629 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1630 goto end;
1631
1632 /* Write more data from server and read it from client */
1633 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1634 &written))
1635 || !TEST_size_t_eq(written, strlen(MSG4))
1636 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1637 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1638 goto end;
1639
1640 /*
1641 * If client writes normal data it should mean writing early data is no
1642 * longer possible.
1643 */
1644 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1645 || !TEST_size_t_eq(written, strlen(MSG5))
1646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1647 SSL_EARLY_DATA_ACCEPTED))
1648 goto end;
1649
1650 /*
1651 * At this point the client has written EndOfEarlyData, ClientFinished and
1652 * normal (fully protected) data. We are going to cause a delay between the
1653 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1654 * in the read BIO, and then just put back the EndOfEarlyData message.
1655 */
1656 rbio = SSL_get_rbio(serverssl);
1657 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1658 || !TEST_size_t_lt(rawread, sizeof(data))
1659 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1660 goto end;
1661
1662 /* Record length is in the 4th and 5th bytes of the record header */
1663 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1664 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1665 || !TEST_size_t_eq(rawwritten, eoedlen))
1666 goto end;
1667
1668 /* Server should be told that there is no more early data */
1669 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1670 &readbytes),
1671 SSL_READ_EARLY_DATA_FINISH)
1672 || !TEST_size_t_eq(readbytes, 0))
1673 goto end;
1674
1675 /*
1676 * Server has not finished init yet, so should still be able to write early
1677 * data.
1678 */
1679 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1680 &written))
1681 || !TEST_size_t_eq(written, strlen(MSG6)))
1682 goto end;
1683
1684 /* Push the ClientFinished and the normal data back into the server rbio */
1685 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1686 &rawwritten))
1687 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1688 goto end;
1689
1690 /* Server should be able to read normal data */
1691 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1692 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1693 goto end;
1694
1695 /* Client and server should not be able to write/read early data now */
1696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1697 &written)))
1698 goto end;
1699 ERR_clear_error();
1700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1701 &readbytes),
1702 SSL_READ_EARLY_DATA_ERROR))
1703 goto end;
1704 ERR_clear_error();
1705
1706 /* Client should be able to read the data sent by the server */
1707 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1708 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1709 goto end;
1710
1711 /*
1712 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1713 * We attempt a read which we do not expect to return any data.
1714 */
1715 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1716 goto end;
1717
1718 /* Server should be able to write normal data */
1719 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1720 || !TEST_size_t_eq(written, strlen(MSG7))
1721 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1722 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1723 goto end;
1724
1725 /* We keep the PSK session around if using PSK */
1726 if (idx != 2)
1727 SSL_SESSION_free(sess);
1728 sess = SSL_get1_session(clientssl);
1729 use_session_cb_cnt = 0;
1730 find_session_cb_cnt = 0;
1731
1732 SSL_shutdown(clientssl);
1733 SSL_shutdown(serverssl);
1734 SSL_free(serverssl);
1735 SSL_free(clientssl);
1736 serverssl = clientssl = NULL;
1737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1738 &clientssl, NULL, NULL))
1739 || !TEST_true(SSL_set_session(clientssl, sess)))
1740 goto end;
1741
1742 /* Write and read some early data */
1743 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1744 &written))
1745 || !TEST_size_t_eq(written, strlen(MSG1))
1746 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1747 &readbytes),
1748 SSL_READ_EARLY_DATA_SUCCESS)
1749 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1750 goto end;
1751
1752 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1753 || !TEST_int_gt(SSL_accept(serverssl), 0))
1754 goto end;
1755
1756 /* Client and server should not be able to write/read early data now */
1757 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1758 &written)))
1759 goto end;
1760 ERR_clear_error();
1761 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1762 &readbytes),
1763 SSL_READ_EARLY_DATA_ERROR))
1764 goto end;
1765 ERR_clear_error();
1766
1767 /* Client and server should be able to write/read normal data */
1768 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1769 || !TEST_size_t_eq(written, strlen(MSG5))
1770 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1771 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1772 goto end;
1773
1774 testresult = 1;
1775
1776 end:
1777 if (sess != clientpsk)
1778 SSL_SESSION_free(sess);
1779 SSL_SESSION_free(clientpsk);
1780 SSL_SESSION_free(serverpsk);
1781 clientpsk = serverpsk = NULL;
1782 SSL_free(serverssl);
1783 SSL_free(clientssl);
1784 SSL_CTX_free(sctx);
1785 SSL_CTX_free(cctx);
1786 return testresult;
1787 }
1788
1789 /*
1790 * Helper function to test that a server attempting to read early data can
1791 * handle a connection from a client where the early data should be skipped.
1792 */
1793 static int early_data_skip_helper(int hrr, int idx)
1794 {
1795 SSL_CTX *cctx = NULL, *sctx = NULL;
1796 SSL *clientssl = NULL, *serverssl = NULL;
1797 int testresult = 0;
1798 SSL_SESSION *sess = NULL;
1799 unsigned char buf[20];
1800 size_t readbytes, written;
1801
1802 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1803 &serverssl, &sess, idx)))
1804 goto end;
1805
1806 if (hrr) {
1807 /* Force an HRR to occur */
1808 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1809 goto end;
1810 } else if (idx == 2) {
1811 /*
1812 * We force early_data rejection by ensuring the PSK identity is
1813 * unrecognised
1814 */
1815 srvid = "Dummy Identity";
1816 } else {
1817 /*
1818 * Deliberately corrupt the creation time. We take 20 seconds off the
1819 * time. It could be any value as long as it is not within tolerance.
1820 * This should mean the ticket is rejected.
1821 */
1822 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
1823 goto end;
1824 }
1825
1826 /* Write some early data */
1827 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1828 &written))
1829 || !TEST_size_t_eq(written, strlen(MSG1)))
1830 goto end;
1831
1832 /* Server should reject the early data and skip over it */
1833 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1834 &readbytes),
1835 SSL_READ_EARLY_DATA_FINISH)
1836 || !TEST_size_t_eq(readbytes, 0)
1837 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1838 SSL_EARLY_DATA_REJECTED))
1839 goto end;
1840
1841 if (hrr) {
1842 /*
1843 * Finish off the handshake. We perform the same writes and reads as
1844 * further down but we expect them to fail due to the incomplete
1845 * handshake.
1846 */
1847 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1848 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1849 &readbytes)))
1850 goto end;
1851 }
1852
1853 /* Should be able to send normal data despite rejection of early data */
1854 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1855 || !TEST_size_t_eq(written, strlen(MSG2))
1856 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1857 SSL_EARLY_DATA_REJECTED)
1858 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1859 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1860 goto end;
1861
1862 testresult = 1;
1863
1864 end:
1865 if (sess != clientpsk)
1866 SSL_SESSION_free(clientpsk);
1867 SSL_SESSION_free(serverpsk);
1868 clientpsk = serverpsk = NULL;
1869 SSL_SESSION_free(sess);
1870 SSL_free(serverssl);
1871 SSL_free(clientssl);
1872 SSL_CTX_free(sctx);
1873 SSL_CTX_free(cctx);
1874 return testresult;
1875 }
1876
1877 /*
1878 * Test that a server attempting to read early data can handle a connection
1879 * from a client where the early data is not acceptable.
1880 */
1881 static int test_early_data_skip(int idx)
1882 {
1883 return early_data_skip_helper(0, idx);
1884 }
1885
1886 /*
1887 * Test that a server attempting to read early data can handle a connection
1888 * from a client where an HRR occurs.
1889 */
1890 static int test_early_data_skip_hrr(int idx)
1891 {
1892 return early_data_skip_helper(1, idx);
1893 }
1894
1895 /*
1896 * Test that a server attempting to read early data can handle a connection
1897 * from a client that doesn't send any.
1898 */
1899 static int test_early_data_not_sent(int idx)
1900 {
1901 SSL_CTX *cctx = NULL, *sctx = NULL;
1902 SSL *clientssl = NULL, *serverssl = NULL;
1903 int testresult = 0;
1904 SSL_SESSION *sess = NULL;
1905 unsigned char buf[20];
1906 size_t readbytes, written;
1907
1908 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1909 &serverssl, &sess, idx)))
1910 goto end;
1911
1912 /* Write some data - should block due to handshake with server */
1913 SSL_set_connect_state(clientssl);
1914 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1915 goto end;
1916
1917 /* Server should detect that early data has not been sent */
1918 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1919 &readbytes),
1920 SSL_READ_EARLY_DATA_FINISH)
1921 || !TEST_size_t_eq(readbytes, 0)
1922 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1923 SSL_EARLY_DATA_NOT_SENT)
1924 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1925 SSL_EARLY_DATA_NOT_SENT))
1926 goto end;
1927
1928 /* Continue writing the message we started earlier */
1929 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1930 || !TEST_size_t_eq(written, strlen(MSG1))
1931 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1932 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1933 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1934 || !TEST_size_t_eq(written, strlen(MSG2)))
1935 goto end;
1936
1937 /*
1938 * Should block due to the NewSessionTicket arrival unless we're using
1939 * read_ahead
1940 */
1941 if (idx != 1) {
1942 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1943 goto end;
1944 }
1945
1946 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1947 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1948 goto end;
1949
1950 testresult = 1;
1951
1952 end:
1953 /* If using PSK then clientpsk and sess are the same */
1954 SSL_SESSION_free(sess);
1955 SSL_SESSION_free(serverpsk);
1956 clientpsk = serverpsk = NULL;
1957 SSL_free(serverssl);
1958 SSL_free(clientssl);
1959 SSL_CTX_free(sctx);
1960 SSL_CTX_free(cctx);
1961 return testresult;
1962 }
1963
1964 static int hostname_cb(SSL *s, int *al, void *arg)
1965 {
1966 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1967
1968 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
1969 return SSL_TLSEXT_ERR_OK;
1970
1971 return SSL_TLSEXT_ERR_NOACK;
1972 }
1973
1974 static const char *servalpn;
1975
1976 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
1977 unsigned char *outlen, const unsigned char *in,
1978 unsigned int inlen, void *arg)
1979 {
1980 unsigned int protlen = 0;
1981 const unsigned char *prot;
1982
1983 for (prot = in; prot < in + inlen; prot += protlen) {
1984 protlen = *prot++;
1985 if (in + inlen < prot + protlen)
1986 return SSL_TLSEXT_ERR_NOACK;
1987
1988 if (protlen == strlen(servalpn)
1989 && memcmp(prot, servalpn, protlen) == 0) {
1990 *out = prot;
1991 *outlen = protlen;
1992 return SSL_TLSEXT_ERR_OK;
1993 }
1994 }
1995
1996 return SSL_TLSEXT_ERR_NOACK;
1997 }
1998
1999 /* Test that a PSK can be used to send early_data */
2000 static int test_early_data_psk(int idx)
2001 {
2002 SSL_CTX *cctx = NULL, *sctx = NULL;
2003 SSL *clientssl = NULL, *serverssl = NULL;
2004 int testresult = 0;
2005 SSL_SESSION *sess = NULL;
2006 unsigned char alpnlist[] = {
2007 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2008 'l', 'p', 'n'
2009 };
2010 #define GOODALPNLEN 9
2011 #define BADALPNLEN 8
2012 #define GOODALPN (alpnlist)
2013 #define BADALPN (alpnlist + GOODALPNLEN)
2014 int err = 0;
2015 unsigned char buf[20];
2016 size_t readbytes, written;
2017 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2018 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2019
2020 /* We always set this up with a final parameter of "2" for PSK */
2021 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2022 &serverssl, &sess, 2)))
2023 goto end;
2024
2025 servalpn = "goodalpn";
2026
2027 /*
2028 * Note: There is no test for inconsistent SNI with late client detection.
2029 * This is because servers do not acknowledge SNI even if they are using
2030 * it in a resumption handshake - so it is not actually possible for a
2031 * client to detect a problem.
2032 */
2033 switch (idx) {
2034 case 0:
2035 /* Set inconsistent SNI (early client detection) */
2036 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2037 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2038 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2039 goto end;
2040 break;
2041
2042 case 1:
2043 /* Set inconsistent ALPN (early client detection) */
2044 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2045 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2046 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2047 GOODALPNLEN))
2048 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2049 BADALPNLEN)))
2050 goto end;
2051 break;
2052
2053 case 2:
2054 /*
2055 * Set invalid protocol version. Technically this affects PSKs without
2056 * early_data too, but we test it here because it is similar to the
2057 * SNI/ALPN consistency tests.
2058 */
2059 err = SSL_R_BAD_PSK;
2060 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2061 goto end;
2062 break;
2063
2064 case 3:
2065 /*
2066 * Set inconsistent SNI (server detected). In this case the connection
2067 * will succeed but reject early_data.
2068 */
2069 SSL_SESSION_free(serverpsk);
2070 serverpsk = SSL_SESSION_dup(clientpsk);
2071 if (!TEST_ptr(serverpsk)
2072 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2073 goto end;
2074 edstatus = SSL_EARLY_DATA_REJECTED;
2075 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2076 /* Fall through */
2077 case 4:
2078 /* Set consistent SNI */
2079 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2080 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2081 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2082 hostname_cb)))
2083 goto end;
2084 break;
2085
2086 case 5:
2087 /*
2088 * Set inconsistent ALPN (server detected). In this case the connection
2089 * will succeed but reject early_data.
2090 */
2091 servalpn = "badalpn";
2092 edstatus = SSL_EARLY_DATA_REJECTED;
2093 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2094 /* Fall through */
2095 case 6:
2096 /*
2097 * Set consistent ALPN.
2098 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2099 * accepts a list of protos (each one length prefixed).
2100 * SSL_set1_alpn_selected accepts a single protocol (not length
2101 * prefixed)
2102 */
2103 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2104 GOODALPNLEN - 1))
2105 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2106 GOODALPNLEN)))
2107 goto end;
2108
2109 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2110 break;
2111
2112 case 7:
2113 /* Set inconsistent ALPN (late client detection) */
2114 SSL_SESSION_free(serverpsk);
2115 serverpsk = SSL_SESSION_dup(clientpsk);
2116 if (!TEST_ptr(serverpsk)
2117 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2118 BADALPN + 1,
2119 BADALPNLEN - 1))
2120 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2121 GOODALPN + 1,
2122 GOODALPNLEN - 1))
2123 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2124 sizeof(alpnlist))))
2125 goto end;
2126 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2127 edstatus = SSL_EARLY_DATA_ACCEPTED;
2128 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2129 /* SSL_connect() call should fail */
2130 connectres = -1;
2131 break;
2132
2133 default:
2134 TEST_error("Bad test index");
2135 goto end;
2136 }
2137
2138 SSL_set_connect_state(clientssl);
2139 if (err != 0) {
2140 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2141 &written))
2142 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2143 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2144 goto end;
2145 } else {
2146 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2147 &written)))
2148 goto end;
2149
2150 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2151 &readbytes), readearlyres)
2152 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2153 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2154 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2155 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2156 goto end;
2157 }
2158
2159 testresult = 1;
2160
2161 end:
2162 SSL_SESSION_free(clientpsk);
2163 SSL_SESSION_free(serverpsk);
2164 clientpsk = serverpsk = NULL;
2165 SSL_free(serverssl);
2166 SSL_free(clientssl);
2167 SSL_CTX_free(sctx);
2168 SSL_CTX_free(cctx);
2169 return testresult;
2170 }
2171
2172 /*
2173 * Test that a server that doesn't try to read early data can handle a
2174 * client sending some.
2175 */
2176 static int test_early_data_not_expected(int idx)
2177 {
2178 SSL_CTX *cctx = NULL, *sctx = NULL;
2179 SSL *clientssl = NULL, *serverssl = NULL;
2180 int testresult = 0;
2181 SSL_SESSION *sess = NULL;
2182 unsigned char buf[20];
2183 size_t readbytes, written;
2184
2185 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2186 &serverssl, &sess, idx)))
2187 goto end;
2188
2189 /* Write some early data */
2190 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2191 &written)))
2192 goto end;
2193
2194 /*
2195 * Server should skip over early data and then block waiting for client to
2196 * continue handshake
2197 */
2198 if (!TEST_int_le(SSL_accept(serverssl), 0)
2199 || !TEST_int_gt(SSL_connect(clientssl), 0)
2200 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2201 SSL_EARLY_DATA_REJECTED)
2202 || !TEST_int_gt(SSL_accept(serverssl), 0)
2203 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2204 SSL_EARLY_DATA_REJECTED))
2205 goto end;
2206
2207 /* Send some normal data from client to server */
2208 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2209 || !TEST_size_t_eq(written, strlen(MSG2)))
2210 goto end;
2211
2212 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2213 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2214 goto end;
2215
2216 testresult = 1;
2217
2218 end:
2219 /* If using PSK then clientpsk and sess are the same */
2220 SSL_SESSION_free(sess);
2221 SSL_SESSION_free(serverpsk);
2222 clientpsk = serverpsk = NULL;
2223 SSL_free(serverssl);
2224 SSL_free(clientssl);
2225 SSL_CTX_free(sctx);
2226 SSL_CTX_free(cctx);
2227 return testresult;
2228 }
2229
2230
2231 # ifndef OPENSSL_NO_TLS1_2
2232 /*
2233 * Test that a server attempting to read early data can handle a connection
2234 * from a TLSv1.2 client.
2235 */
2236 static int test_early_data_tls1_2(int idx)
2237 {
2238 SSL_CTX *cctx = NULL, *sctx = NULL;
2239 SSL *clientssl = NULL, *serverssl = NULL;
2240 int testresult = 0;
2241 unsigned char buf[20];
2242 size_t readbytes, written;
2243
2244 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2245 &serverssl, NULL, idx)))
2246 goto end;
2247
2248 /* Write some data - should block due to handshake with server */
2249 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2250 SSL_set_connect_state(clientssl);
2251 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2252 goto end;
2253
2254 /*
2255 * Server should do TLSv1.2 handshake. First it will block waiting for more
2256 * messages from client after ServerDone. Then SSL_read_early_data should
2257 * finish and detect that early data has not been sent
2258 */
2259 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2260 &readbytes),
2261 SSL_READ_EARLY_DATA_ERROR))
2262 goto end;
2263
2264 /*
2265 * Continue writing the message we started earlier. Will still block waiting
2266 * for the CCS/Finished from server
2267 */
2268 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2269 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2270 &readbytes),
2271 SSL_READ_EARLY_DATA_FINISH)
2272 || !TEST_size_t_eq(readbytes, 0)
2273 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2274 SSL_EARLY_DATA_NOT_SENT))
2275 goto end;
2276
2277 /* Continue writing the message we started earlier */
2278 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2279 || !TEST_size_t_eq(written, strlen(MSG1))
2280 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2281 SSL_EARLY_DATA_NOT_SENT)
2282 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2283 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2284 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2285 || !TEST_size_t_eq(written, strlen(MSG2))
2286 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2287 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2288 goto end;
2289
2290 testresult = 1;
2291
2292 end:
2293 /* If using PSK then clientpsk and sess are the same */
2294 SSL_SESSION_free(clientpsk);
2295 SSL_SESSION_free(serverpsk);
2296 clientpsk = serverpsk = NULL;
2297 SSL_free(serverssl);
2298 SSL_free(clientssl);
2299 SSL_CTX_free(sctx);
2300 SSL_CTX_free(cctx);
2301
2302 return testresult;
2303 }
2304 # endif /* OPENSSL_NO_TLS1_2 */
2305
2306 static int test_ciphersuite_change(void)
2307 {
2308 SSL_CTX *cctx = NULL, *sctx = NULL;
2309 SSL *clientssl = NULL, *serverssl = NULL;
2310 SSL_SESSION *clntsess = NULL;
2311 int testresult = 0;
2312 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2313
2314 /* Create a session based on SHA-256 */
2315 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2316 TLS_client_method(), &sctx,
2317 &cctx, cert, privkey))
2318 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2319 "TLS13-AES-128-GCM-SHA256"))
2320 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2321 &clientssl, NULL, NULL))
2322 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2323 SSL_ERROR_NONE)))
2324 goto end;
2325
2326 clntsess = SSL_get1_session(clientssl);
2327 /* Save for later */
2328 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2329 SSL_shutdown(clientssl);
2330 SSL_shutdown(serverssl);
2331 SSL_free(serverssl);
2332 SSL_free(clientssl);
2333 serverssl = clientssl = NULL;
2334
2335 /* Check we can resume a session with a different SHA-256 ciphersuite */
2336 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2337 "TLS13-CHACHA20-POLY1305-SHA256"))
2338 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2339 NULL, NULL))
2340 || !TEST_true(SSL_set_session(clientssl, clntsess))
2341 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2342 SSL_ERROR_NONE))
2343 || !TEST_true(SSL_session_reused(clientssl)))
2344 goto end;
2345
2346 SSL_SESSION_free(clntsess);
2347 clntsess = SSL_get1_session(clientssl);
2348 SSL_shutdown(clientssl);
2349 SSL_shutdown(serverssl);
2350 SSL_free(serverssl);
2351 SSL_free(clientssl);
2352 serverssl = clientssl = NULL;
2353
2354 /*
2355 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2356 * succeeds but does not resume.
2357 */
2358 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2359 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2360 NULL, NULL))
2361 || !TEST_true(SSL_set_session(clientssl, clntsess))
2362 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2363 SSL_ERROR_SSL))
2364 || !TEST_false(SSL_session_reused(clientssl)))
2365 goto end;
2366
2367 SSL_SESSION_free(clntsess);
2368 clntsess = NULL;
2369 SSL_shutdown(clientssl);
2370 SSL_shutdown(serverssl);
2371 SSL_free(serverssl);
2372 SSL_free(clientssl);
2373 serverssl = clientssl = NULL;
2374
2375 /* Create a session based on SHA384 */
2376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2377 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2378 &clientssl, NULL, NULL))
2379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2380 SSL_ERROR_NONE)))
2381 goto end;
2382
2383 clntsess = SSL_get1_session(clientssl);
2384 SSL_shutdown(clientssl);
2385 SSL_shutdown(serverssl);
2386 SSL_free(serverssl);
2387 SSL_free(clientssl);
2388 serverssl = clientssl = NULL;
2389
2390 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2391 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2392 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2393 "TLS13-AES-256-GCM-SHA384"))
2394 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2395 NULL, NULL))
2396 || !TEST_true(SSL_set_session(clientssl, clntsess))
2397 /*
2398 * We use SSL_ERROR_WANT_READ below so that we can pause the
2399 * connection after the initial ClientHello has been sent to
2400 * enable us to make some session changes.
2401 */
2402 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2403 SSL_ERROR_WANT_READ)))
2404 goto end;
2405
2406 /* Trick the client into thinking this session is for a different digest */
2407 clntsess->cipher = aes_128_gcm_sha256;
2408 clntsess->cipher_id = clntsess->cipher->id;
2409
2410 /*
2411 * Continue the previously started connection. Server has selected a SHA-384
2412 * ciphersuite, but client thinks the session is for SHA-256, so it should
2413 * bail out.
2414 */
2415 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2416 SSL_ERROR_SSL))
2417 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2418 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2419 goto end;
2420
2421 testresult = 1;
2422
2423 end:
2424 SSL_SESSION_free(clntsess);
2425 SSL_free(serverssl);
2426 SSL_free(clientssl);
2427 SSL_CTX_free(sctx);
2428 SSL_CTX_free(cctx);
2429
2430 return testresult;
2431 }
2432
2433 static int test_tls13_psk(void)
2434 {
2435 SSL_CTX *sctx = NULL, *cctx = NULL;
2436 SSL *serverssl = NULL, *clientssl = NULL;
2437 const SSL_CIPHER *cipher = NULL;
2438 const unsigned char key[] = {
2439 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2440 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2441 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2442 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2443 };
2444 int testresult = 0;
2445
2446 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2447 TLS_client_method(), &sctx,
2448 &cctx, cert, privkey)))
2449 goto end;
2450
2451 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2452 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2453 srvid = pskid;
2454 use_session_cb_cnt = 0;
2455 find_session_cb_cnt = 0;
2456
2457 /* Check we can create a connection if callback decides not to send a PSK */
2458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2459 NULL, NULL))
2460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2461 SSL_ERROR_NONE))
2462 || !TEST_false(SSL_session_reused(clientssl))
2463 || !TEST_false(SSL_session_reused(serverssl))
2464 || !TEST_true(use_session_cb_cnt == 1)
2465 || !TEST_true(find_session_cb_cnt == 0))
2466 goto end;
2467
2468 shutdown_ssl_connection(serverssl, clientssl);
2469 serverssl = clientssl = NULL;
2470 use_session_cb_cnt = 0;
2471
2472 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2473 NULL, NULL)))
2474 goto end;
2475
2476 /* Create the PSK */
2477 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2478 clientpsk = SSL_SESSION_new();
2479 if (!TEST_ptr(clientpsk)
2480 || !TEST_ptr(cipher)
2481 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2482 sizeof(key)))
2483 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2484 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2485 TLS1_3_VERSION))
2486 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2487 goto end;
2488 serverpsk = clientpsk;
2489
2490 /* Check we can create a connection and the PSK is used */
2491 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2492 || !TEST_true(SSL_session_reused(clientssl))
2493 || !TEST_true(SSL_session_reused(serverssl))
2494 || !TEST_true(use_session_cb_cnt == 1)
2495 || !TEST_true(find_session_cb_cnt == 1))
2496 goto end;
2497
2498 shutdown_ssl_connection(serverssl, clientssl);
2499 serverssl = clientssl = NULL;
2500 use_session_cb_cnt = find_session_cb_cnt = 0;
2501
2502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2503 NULL, NULL)))
2504 goto end;
2505
2506 /* Force an HRR */
2507 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2508 goto end;
2509
2510 /*
2511 * Check we can create a connection, the PSK is used and the callbacks are
2512 * called twice.
2513 */
2514 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2515 || !TEST_true(SSL_session_reused(clientssl))
2516 || !TEST_true(SSL_session_reused(serverssl))
2517 || !TEST_true(use_session_cb_cnt == 2)
2518 || !TEST_true(find_session_cb_cnt == 2))
2519 goto end;
2520
2521 shutdown_ssl_connection(serverssl, clientssl);
2522 serverssl = clientssl = NULL;
2523 use_session_cb_cnt = find_session_cb_cnt = 0;
2524
2525 /*
2526 * Check that if the server rejects the PSK we can still connect, but with
2527 * a full handshake
2528 */
2529 srvid = "Dummy Identity";
2530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2531 NULL, NULL))
2532 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2533 SSL_ERROR_NONE))
2534 || !TEST_false(SSL_session_reused(clientssl))
2535 || !TEST_false(SSL_session_reused(serverssl))
2536 || !TEST_true(use_session_cb_cnt == 1)
2537 || !TEST_true(find_session_cb_cnt == 1))
2538 goto end;
2539
2540 shutdown_ssl_connection(serverssl, clientssl);
2541 serverssl = clientssl = NULL;
2542 testresult = 1;
2543
2544 end:
2545 SSL_SESSION_free(clientpsk);
2546 SSL_SESSION_free(serverpsk);
2547 clientpsk = serverpsk = NULL;
2548 SSL_free(serverssl);
2549 SSL_free(clientssl);
2550 SSL_CTX_free(sctx);
2551 SSL_CTX_free(cctx);
2552 return testresult;
2553 }
2554
2555 static unsigned char cookie_magic_value[] = "cookie magic";
2556
2557 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2558 unsigned int *cookie_len)
2559 {
2560 /*
2561 * Not suitable as a real cookie generation function but good enough for
2562 * testing!
2563 */
2564 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2565 *cookie_len = sizeof(cookie_magic_value) - 1;
2566
2567 return 1;
2568 }
2569
2570 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2571 unsigned int cookie_len)
2572 {
2573 if (cookie_len == sizeof(cookie_magic_value) - 1
2574 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2575 return 1;
2576
2577 return 0;
2578 }
2579
2580 static int test_stateless(void)
2581 {
2582 SSL_CTX *sctx = NULL, *cctx = NULL;
2583 SSL *serverssl = NULL, *clientssl = NULL;
2584 int testresult = 0;
2585
2586 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2587 TLS_client_method(), &sctx,
2588 &cctx, cert, privkey)))
2589 goto end;
2590
2591 /* Set up the cookie generation and verification callbacks */
2592 SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback);
2593 SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback);
2594
2595 /* The arrival of CCS messages can confuse the test */
2596 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2597
2598 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2599 NULL, NULL))
2600 /* Send the first ClientHello */
2601 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2602 SSL_ERROR_WANT_READ))
2603 /* This should fail because there is no cookie */
2604 || !TEST_false(SSL_stateless(serverssl)))
2605 goto end;
2606
2607 /* Abandon the connection from this client */
2608 SSL_free(clientssl);
2609 clientssl = NULL;
2610
2611 /*
2612 * Now create a connection from a new client but with the same server SSL
2613 * object
2614 */
2615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2616 NULL, NULL))
2617 /* Send the first ClientHello */
2618 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2619 SSL_ERROR_WANT_READ))
2620 /* This should fail because there is no cookie */
2621 || !TEST_false(SSL_stateless(serverssl))
2622 /* Send the second ClientHello */
2623 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2624 SSL_ERROR_WANT_READ))
2625 /* This should succeed because a cookie is now present */
2626 || !TEST_true(SSL_stateless(serverssl))
2627 /* Complete the connection */
2628 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2629 SSL_ERROR_NONE)))
2630 goto end;
2631
2632 shutdown_ssl_connection(serverssl, clientssl);
2633 serverssl = clientssl = NULL;
2634 testresult = 1;
2635
2636 end:
2637 SSL_free(serverssl);
2638 SSL_free(clientssl);
2639 SSL_CTX_free(sctx);
2640 SSL_CTX_free(cctx);
2641 return testresult;
2642
2643 }
2644 #endif /* OPENSSL_NO_TLS1_3 */
2645
2646 static int clntaddoldcb = 0;
2647 static int clntparseoldcb = 0;
2648 static int srvaddoldcb = 0;
2649 static int srvparseoldcb = 0;
2650 static int clntaddnewcb = 0;
2651 static int clntparsenewcb = 0;
2652 static int srvaddnewcb = 0;
2653 static int srvparsenewcb = 0;
2654 static int snicb = 0;
2655
2656 #define TEST_EXT_TYPE1 0xff00
2657
2658 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2659 size_t *outlen, int *al, void *add_arg)
2660 {
2661 int *server = (int *)add_arg;
2662 unsigned char *data;
2663
2664 if (SSL_is_server(s))
2665 srvaddoldcb++;
2666 else
2667 clntaddoldcb++;
2668
2669 if (*server != SSL_is_server(s)
2670 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2671 return -1;
2672
2673 *data = 1;
2674 *out = data;
2675 *outlen = sizeof(char);
2676 return 1;
2677 }
2678
2679 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2680 void *add_arg)
2681 {
2682 OPENSSL_free((unsigned char *)out);
2683 }
2684
2685 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2686 size_t inlen, int *al, void *parse_arg)
2687 {
2688 int *server = (int *)parse_arg;
2689
2690 if (SSL_is_server(s))
2691 srvparseoldcb++;
2692 else
2693 clntparseoldcb++;
2694
2695 if (*server != SSL_is_server(s)
2696 || inlen != sizeof(char)
2697 || *in != 1)
2698 return -1;
2699
2700 return 1;
2701 }
2702
2703 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2704 const unsigned char **out, size_t *outlen, X509 *x,
2705 size_t chainidx, int *al, void *add_arg)
2706 {
2707 int *server = (int *)add_arg;
2708 unsigned char *data;
2709
2710 if (SSL_is_server(s))
2711 srvaddnewcb++;
2712 else
2713 clntaddnewcb++;
2714
2715 if (*server != SSL_is_server(s)
2716 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2717 return -1;
2718
2719 *data = 1;
2720 *out = data;
2721 *outlen = sizeof(*data);
2722 return 1;
2723 }
2724
2725 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2726 const unsigned char *out, void *add_arg)
2727 {
2728 OPENSSL_free((unsigned char *)out);
2729 }
2730
2731 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2732 const unsigned char *in, size_t inlen, X509 *x,
2733 size_t chainidx, int *al, void *parse_arg)
2734 {
2735 int *server = (int *)parse_arg;
2736
2737 if (SSL_is_server(s))
2738 srvparsenewcb++;
2739 else
2740 clntparsenewcb++;
2741
2742 if (*server != SSL_is_server(s)
2743 || inlen != sizeof(char) || *in != 1)
2744 return -1;
2745
2746 return 1;
2747 }
2748
2749 static int sni_cb(SSL *s, int *al, void *arg)
2750 {
2751 SSL_CTX *ctx = (SSL_CTX *)arg;
2752
2753 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2754 *al = SSL_AD_INTERNAL_ERROR;
2755 return SSL_TLSEXT_ERR_ALERT_FATAL;
2756 }
2757 snicb++;
2758 return SSL_TLSEXT_ERR_OK;
2759 }
2760
2761 /*
2762 * Custom call back tests.
2763 * Test 0: Old style callbacks in TLSv1.2
2764 * Test 1: New style callbacks in TLSv1.2
2765 * Test 2: New style callbacks in TLSv1.2 with SNI
2766 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2767 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2768 */
2769 static int test_custom_exts(int tst)
2770 {
2771 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2772 SSL *clientssl = NULL, *serverssl = NULL;
2773 int testresult = 0;
2774 static int server = 1;
2775 static int client = 0;
2776 SSL_SESSION *sess = NULL;
2777 unsigned int context;
2778
2779 /* Reset callback counters */
2780 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2781 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2782 snicb = 0;
2783
2784 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2785 TLS_client_method(), &sctx,
2786 &cctx, cert, privkey)))
2787 goto end;
2788
2789 if (tst == 2
2790 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2791 NULL, cert, privkey)))
2792 goto end;
2793
2794
2795 if (tst < 3) {
2796 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2797 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2798 if (sctx2 != NULL)
2799 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2800 }
2801
2802 if (tst == 4) {
2803 context = SSL_EXT_CLIENT_HELLO
2804 | SSL_EXT_TLS1_2_SERVER_HELLO
2805 | SSL_EXT_TLS1_3_SERVER_HELLO
2806 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2807 | SSL_EXT_TLS1_3_CERTIFICATE
2808 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2809 } else {
2810 context = SSL_EXT_CLIENT_HELLO
2811 | SSL_EXT_TLS1_2_SERVER_HELLO
2812 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2813 }
2814
2815 /* Create a client side custom extension */
2816 if (tst == 0) {
2817 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2818 old_add_cb, old_free_cb,
2819 &client, old_parse_cb,
2820 &client)))
2821 goto end;
2822 } else {
2823 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2824 new_add_cb, new_free_cb,
2825 &client, new_parse_cb, &client)))
2826 goto end;
2827 }
2828
2829 /* Should not be able to add duplicates */
2830 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2831 old_add_cb, old_free_cb,
2832 &client, old_parse_cb,
2833 &client))
2834 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2835 context, new_add_cb,
2836 new_free_cb, &client,
2837 new_parse_cb, &client)))
2838 goto end;
2839
2840 /* Create a server side custom extension */
2841 if (tst == 0) {
2842 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2843 old_add_cb, old_free_cb,
2844 &server, old_parse_cb,
2845 &server)))
2846 goto end;
2847 } else {
2848 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2849 new_add_cb, new_free_cb,
2850 &server, new_parse_cb, &server)))
2851 goto end;
2852 if (sctx2 != NULL
2853 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2854 context, new_add_cb,
2855 new_free_cb, &server,
2856 new_parse_cb, &server)))
2857 goto end;
2858 }
2859
2860 /* Should not be able to add duplicates */
2861 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2862 old_add_cb, old_free_cb,
2863 &server, old_parse_cb,
2864 &server))
2865 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2866 context, new_add_cb,
2867 new_free_cb, &server,
2868 new_parse_cb, &server)))
2869 goto end;
2870
2871 if (tst == 2) {
2872 /* Set up SNI */
2873 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2874 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2875 goto end;
2876 }
2877
2878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2879 &clientssl, NULL, NULL))
2880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2881 SSL_ERROR_NONE)))
2882 goto end;
2883
2884 if (tst == 0) {
2885 if (clntaddoldcb != 1
2886 || clntparseoldcb != 1
2887 || srvaddoldcb != 1
2888 || srvparseoldcb != 1)
2889 goto end;
2890 } else if (tst == 1 || tst == 2 || tst == 3) {
2891 if (clntaddnewcb != 1
2892 || clntparsenewcb != 1
2893 || srvaddnewcb != 1
2894 || srvparsenewcb != 1
2895 || (tst != 2 && snicb != 0)
2896 || (tst == 2 && snicb != 1))
2897 goto end;
2898 } else {
2899 if (clntaddnewcb != 1
2900 || clntparsenewcb != 4
2901 || srvaddnewcb != 4
2902 || srvparsenewcb != 1)
2903 goto end;
2904 }
2905
2906 sess = SSL_get1_session(clientssl);
2907 SSL_shutdown(clientssl);
2908 SSL_shutdown(serverssl);
2909 SSL_free(serverssl);
2910 SSL_free(clientssl);
2911 serverssl = clientssl = NULL;
2912
2913 if (tst == 3) {
2914 /* We don't bother with the resumption aspects for this test */
2915 testresult = 1;
2916 goto end;
2917 }
2918
2919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2920 NULL, NULL))
2921 || !TEST_true(SSL_set_session(clientssl, sess))
2922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2923 SSL_ERROR_NONE)))
2924 goto end;
2925
2926 /*
2927 * For a resumed session we expect to add the ClientHello extension. For the
2928 * old style callbacks we ignore it on the server side because they set
2929 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2930 * them.
2931 */
2932 if (tst == 0) {
2933 if (clntaddoldcb != 2
2934 || clntparseoldcb != 1
2935 || srvaddoldcb != 1
2936 || srvparseoldcb != 1)
2937 goto end;
2938 } else if (tst == 1 || tst == 2 || tst == 3) {
2939 if (clntaddnewcb != 2
2940 || clntparsenewcb != 2
2941 || srvaddnewcb != 2
2942 || srvparsenewcb != 2)
2943 goto end;
2944 } else {
2945 /* No Certificate message extensions in the resumption handshake */
2946 if (clntaddnewcb != 2
2947 || clntparsenewcb != 7
2948 || srvaddnewcb != 7
2949 || srvparsenewcb != 2)
2950 goto end;
2951 }
2952
2953 testresult = 1;
2954
2955 end:
2956 SSL_SESSION_free(sess);
2957 SSL_free(serverssl);
2958 SSL_free(clientssl);
2959 SSL_CTX_free(sctx2);
2960 SSL_CTX_free(sctx);
2961 SSL_CTX_free(cctx);
2962 return testresult;
2963 }
2964
2965 /*
2966 * Test loading of serverinfo data in various formats. test_sslmessages actually
2967 * tests to make sure the extensions appear in the handshake
2968 */
2969 static int test_serverinfo(int tst)
2970 {
2971 unsigned int version;
2972 unsigned char *sibuf;
2973 size_t sibuflen;
2974 int ret, expected, testresult = 0;
2975 SSL_CTX *ctx;
2976
2977 ctx = SSL_CTX_new(TLS_method());
2978 if (!TEST_ptr(ctx))
2979 goto end;
2980
2981 if ((tst & 0x01) == 0x01)
2982 version = SSL_SERVERINFOV2;
2983 else
2984 version = SSL_SERVERINFOV1;
2985
2986 if ((tst & 0x02) == 0x02) {
2987 sibuf = serverinfov2;
2988 sibuflen = sizeof(serverinfov2);
2989 expected = (version == SSL_SERVERINFOV2);
2990 } else {
2991 sibuf = serverinfov1;
2992 sibuflen = sizeof(serverinfov1);
2993 expected = (version == SSL_SERVERINFOV1);
2994 }
2995
2996 if ((tst & 0x04) == 0x04) {
2997 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2998 } else {
2999 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3000
3001 /*
3002 * The version variable is irrelevant in this case - it's what is in the
3003 * buffer that matters
3004 */
3005 if ((tst & 0x02) == 0x02)
3006 expected = 0;
3007 else
3008 expected = 1;
3009 }
3010
3011 if (!TEST_true(ret == expected))
3012 goto end;
3013
3014 testresult = 1;
3015
3016 end:
3017 SSL_CTX_free(ctx);
3018
3019 return testresult;
3020 }
3021
3022 /*
3023 * Test that SSL_export_keying_material() produces expected results. There are
3024 * no test vectors so all we do is test that both sides of the communication
3025 * produce the same results for different protocol versions.
3026 */
3027 static int test_export_key_mat(int tst)
3028 {
3029 int testresult = 0;
3030 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3031 SSL *clientssl = NULL, *serverssl = NULL;
3032 const char label[] = "test label";
3033 const unsigned char context[] = "context";
3034 const unsigned char *emptycontext = NULL;
3035 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3036 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3037 const int protocols[] = {
3038 TLS1_VERSION,
3039 TLS1_1_VERSION,
3040 TLS1_2_VERSION,
3041 TLS1_3_VERSION
3042 };
3043
3044 #ifdef OPENSSL_NO_TLS1
3045 if (tst == 0)
3046 return 1;
3047 #endif
3048 #ifdef OPENSSL_NO_TLS1_1
3049 if (tst == 1)
3050 return 1;
3051 #endif
3052 #ifdef OPENSSL_NO_TLS1_2
3053 if (tst == 2)
3054 return 1;
3055 #endif
3056 #ifdef OPENSSL_NO_TLS1_3
3057 if (tst == 3)
3058 return 1;
3059 #endif
3060 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3061 TLS_client_method(), &sctx,
3062 &cctx, cert, privkey)))
3063 goto end;
3064
3065 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3066 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3067 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3068
3069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3070 NULL))
3071 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3072 SSL_ERROR_NONE)))
3073 goto end;
3074
3075 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3076 sizeof(ckeymat1), label,
3077 sizeof(label) - 1, context,
3078 sizeof(context) - 1, 1), 1)
3079 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3080 sizeof(ckeymat2), label,
3081 sizeof(label) - 1,
3082 emptycontext,
3083 0, 1), 1)
3084 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3085 sizeof(ckeymat3), label,
3086 sizeof(label) - 1,
3087 NULL, 0, 0), 1)
3088 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3089 sizeof(skeymat1), label,
3090 sizeof(label) - 1,
3091 context,
3092 sizeof(context) -1, 1),
3093 1)
3094 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3095 sizeof(skeymat2), label,
3096 sizeof(label) - 1,
3097 emptycontext,
3098 0, 1), 1)
3099 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3100 sizeof(skeymat3), label,
3101 sizeof(label) - 1,
3102 NULL, 0, 0), 1)
3103 /*
3104 * Check that both sides created the same key material with the
3105 * same context.
3106 */
3107 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3108 sizeof(skeymat1))
3109 /*
3110 * Check that both sides created the same key material with an
3111 * empty context.
3112 */
3113 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3114 sizeof(skeymat2))
3115 /*
3116 * Check that both sides created the same key material without a
3117 * context.
3118 */
3119 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3120 sizeof(skeymat3))
3121 /* Different contexts should produce different results */
3122 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3123 sizeof(ckeymat2)))
3124 goto end;
3125
3126 /*
3127 * Check that an empty context and no context produce different results in
3128 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3129 */
3130 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3131 sizeof(ckeymat3)))
3132 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3133 sizeof(ckeymat3))))
3134 goto end;
3135
3136 testresult = 1;
3137
3138 end:
3139 SSL_free(serverssl);
3140 SSL_free(clientssl);
3141 SSL_CTX_free(sctx2);
3142 SSL_CTX_free(sctx);
3143 SSL_CTX_free(cctx);
3144
3145 return testresult;
3146 }
3147
3148 static int test_ssl_clear(int idx)
3149 {
3150 SSL_CTX *cctx = NULL, *sctx = NULL;
3151 SSL *clientssl = NULL, *serverssl = NULL;
3152 int testresult = 0;
3153
3154 #ifdef OPENSSL_NO_TLS1_2
3155 if (idx == 1)
3156 return 1;
3157 #endif
3158
3159 /* Create an initial connection */
3160 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3161 TLS_client_method(), &sctx,
3162 &cctx, cert, privkey))
3163 || (idx == 1
3164 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3165 TLS1_2_VERSION)))
3166 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3167 &clientssl, NULL, NULL))
3168 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3169 SSL_ERROR_NONE)))
3170 goto end;
3171
3172 SSL_shutdown(clientssl);
3173 SSL_shutdown(serverssl);
3174 SSL_free(serverssl);
3175 serverssl = NULL;
3176
3177 /* Clear clientssl - we're going to reuse the object */
3178 if (!TEST_true(SSL_clear(clientssl)))
3179 goto end;
3180
3181 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3182 NULL, NULL))
3183 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3184 SSL_ERROR_NONE))
3185 || !TEST_true(SSL_session_reused(clientssl)))
3186 goto end;
3187
3188 SSL_shutdown(clientssl);
3189 SSL_shutdown(serverssl);
3190
3191 testresult = 1;
3192
3193 end:
3194 SSL_free(serverssl);
3195 SSL_free(clientssl);
3196 SSL_CTX_free(sctx);
3197 SSL_CTX_free(cctx);
3198
3199 return testresult;
3200 }
3201
3202 /* Parse CH and retrieve any MFL extension value if present */
3203 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3204 {
3205 long len;
3206 unsigned char *data;
3207 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3208 unsigned int MFL_code = 0, type = 0;
3209
3210 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3211 goto end;
3212
3213 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3214 /* Skip the record header */
3215 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3216 /* Skip the handshake message header */
3217 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3218 /* Skip client version and random */
3219 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3220 + SSL3_RANDOM_SIZE))
3221 /* Skip session id */
3222 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3223 /* Skip ciphers */
3224 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3225 /* Skip compression */
3226 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3227 /* Extensions len */
3228 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3229 goto end;
3230
3231 /* Loop through all extensions */
3232 while (PACKET_remaining(&pkt2)) {
3233 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3234 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3235 goto end;
3236
3237 if (type == TLSEXT_TYPE_max_fragment_length) {
3238 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3239 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3240 goto end;
3241
3242 *mfl_codemfl_code = MFL_code;
3243 return 1;
3244 }
3245 }
3246
3247 end:
3248 return 0;
3249 }
3250
3251 /* Maximum-Fragment-Length TLS extension mode to test */
3252 static const unsigned char max_fragment_len_test[] = {
3253 TLSEXT_max_fragment_length_512,
3254 TLSEXT_max_fragment_length_1024,
3255 TLSEXT_max_fragment_length_2048,
3256 TLSEXT_max_fragment_length_4096
3257 };
3258
3259 static int test_max_fragment_len_ext(int idx_tst)
3260 {
3261 SSL_CTX *ctx;
3262 SSL *con = NULL;
3263 int testresult = 0, MFL_mode = 0;
3264 BIO *rbio, *wbio;
3265
3266 ctx = SSL_CTX_new(TLS_method());
3267 if (!TEST_ptr(ctx))
3268 goto end;
3269
3270 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3271 ctx, max_fragment_len_test[idx_tst])))
3272 goto end;
3273
3274 con = SSL_new(ctx);
3275 if (!TEST_ptr(con))
3276 goto end;
3277
3278 rbio = BIO_new(BIO_s_mem());
3279 wbio = BIO_new(BIO_s_mem());
3280 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3281 BIO_free(rbio);
3282 BIO_free(wbio);
3283 goto end;
3284 }
3285
3286 SSL_set_bio(con, rbio, wbio);
3287 SSL_set_connect_state(con);
3288
3289 if (!TEST_int_le(SSL_connect(con), 0)) {
3290 /* This shouldn't succeed because we don't have a server! */
3291 goto end;
3292 }
3293
3294 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3295 /* no MFL in client hello */
3296 goto end;
3297 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3298 goto end;
3299
3300 testresult = 1;
3301
3302 end:
3303 SSL_free(con);
3304 SSL_CTX_free(ctx);
3305
3306 return testresult;
3307 }
3308
3309 #ifndef OPENSSL_NO_TLS1_3
3310 static int test_pha_key_update(void)
3311 {
3312 SSL_CTX *cctx = NULL, *sctx = NULL;
3313 SSL *clientssl = NULL, *serverssl = NULL;
3314 int testresult = 0;
3315
3316 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3317 TLS_client_method(),
3318 &sctx, &cctx, cert, privkey)))
3319 return 0;
3320
3321 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3322 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3323 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3324 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3325 goto end;
3326
3327
3328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3329 NULL, NULL)))
3330 goto end;
3331
3332 SSL_force_post_handshake_auth(clientssl);
3333
3334 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3335 SSL_ERROR_NONE)))
3336 goto end;
3337
3338 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3339 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3340 goto end;
3341
3342 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3343 goto end;
3344
3345 /* Start handshake on the server */
3346 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3347 goto end;
3348
3349 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3351 SSL_ERROR_NONE)))
3352 goto end;
3353
3354 SSL_shutdown(clientssl);
3355 SSL_shutdown(serverssl);
3356
3357 testresult = 1;
3358
3359 end:
3360 SSL_free(serverssl);
3361 SSL_free(clientssl);
3362 SSL_CTX_free(sctx);
3363 SSL_CTX_free(cctx);
3364 return testresult;
3365 }
3366 #endif
3367
3368 int setup_tests(void)
3369 {
3370 if (!TEST_ptr(cert = test_get_argument(0))
3371 || !TEST_ptr(privkey = test_get_argument(1)))
3372 return 0;
3373
3374 ADD_TEST(test_large_message_tls);
3375 ADD_TEST(test_large_message_tls_read_ahead);
3376 #ifndef OPENSSL_NO_DTLS
3377 ADD_TEST(test_large_message_dtls);
3378 #endif
3379 #ifndef OPENSSL_NO_OCSP
3380 ADD_TEST(test_tlsext_status_type);
3381 #endif
3382 ADD_TEST(test_session_with_only_int_cache);
3383 ADD_TEST(test_session_with_only_ext_cache);
3384 ADD_TEST(test_session_with_both_cache);
3385 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
3386 ADD_TEST(test_ssl_bio_pop_next_bio);
3387 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3388 ADD_TEST(test_ssl_bio_change_rbio);
3389 ADD_TEST(test_ssl_bio_change_wbio);
3390 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
3391 ADD_TEST(test_keylog);
3392 #ifndef OPENSSL_NO_TLS1_3
3393 ADD_TEST(test_keylog_no_master_key);
3394 #endif
3395 #ifndef OPENSSL_NO_TLS1_2
3396 ADD_TEST(test_client_hello_cb);
3397 #endif
3398 #ifndef OPENSSL_NO_TLS1_3
3399 ADD_ALL_TESTS(test_early_data_read_write, 3);
3400 ADD_ALL_TESTS(test_early_data_skip, 3);
3401 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3402 ADD_ALL_TESTS(test_early_data_not_sent, 3);
3403 ADD_ALL_TESTS(test_early_data_psk, 8);
3404 ADD_ALL_TESTS(test_early_data_not_expected, 3);
3405 # ifndef OPENSSL_NO_TLS1_2
3406 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
3407 # endif
3408 #endif
3409 #ifndef OPENSSL_NO_TLS1_3
3410 ADD_TEST(test_ciphersuite_change);
3411 ADD_TEST(test_tls13_psk);
3412 ADD_ALL_TESTS(test_custom_exts, 5);
3413 ADD_TEST(test_stateless);
3414 ADD_TEST(test_pha_key_update);
3415 #else
3416 ADD_ALL_TESTS(test_custom_exts, 3);
3417 #endif
3418 ADD_ALL_TESTS(test_serverinfo, 8);
3419 ADD_ALL_TESTS(test_export_key_mat, 4);
3420 ADD_ALL_TESTS(test_ssl_clear, 2);
3421 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
3422 return 1;
3423 }
3424
3425 void cleanup_tests(void)
3426 {
3427 bio_s_mempacket_test_free();
3428 }
A mirror of the official openssl repository