]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add support for logging early exporter secret
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19
20 #include "ssltestlib.h"
21 #include "testutil.h"
22 #include "testutil/output.h"
23 #include "internal/nelem.h"
24 #include "../ssl/ssl_locl.h"
25
26 static char *cert = NULL;
27 static char *privkey = NULL;
28 static char *srpvfile = NULL;
29 static char *tmpfilename = NULL;
30
31 #define LOG_BUFFER_SIZE 2048
32 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
33 static size_t server_log_buffer_index = 0;
34 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
35 static size_t client_log_buffer_index = 0;
36 static int error_writing_log = 0;
37
38 #ifndef OPENSSL_NO_OCSP
39 static const unsigned char orespder[] = "Dummy OCSP Response";
40 static int ocsp_server_called = 0;
41 static int ocsp_client_called = 0;
42
43 static int cdummyarg = 1;
44 static X509 *ocspcert = NULL;
45 #endif
46
47 #define NUM_EXTRA_CERTS 40
48 #define CLIENT_VERSION_LEN 2
49
50 /*
51 * This structure is used to validate that the correct number of log messages
52 * of various types are emitted when emitting secret logs.
53 */
54 struct sslapitest_log_counts {
55 unsigned int rsa_key_exchange_count;
56 unsigned int master_secret_count;
57 unsigned int client_early_secret_count;
58 unsigned int client_handshake_secret_count;
59 unsigned int server_handshake_secret_count;
60 unsigned int client_application_secret_count;
61 unsigned int server_application_secret_count;
62 unsigned int early_exporter_secret_count;
63 unsigned int exporter_secret_count;
64 };
65
66
67 static unsigned char serverinfov1[] = {
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
71 };
72
73 static unsigned char serverinfov2[] = {
74 0x00, 0x00, 0x00,
75 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
76 0xff, 0xff, /* Dummy extension type */
77 0x00, 0x01, /* Extension length is 1 byte */
78 0xff /* Dummy extension data */
79 };
80
81 static void client_keylog_callback(const SSL *ssl, const char *line)
82 {
83 int line_length = strlen(line);
84
85 /* If the log doesn't fit, error out. */
86 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
87 TEST_info("Client log too full");
88 error_writing_log = 1;
89 return;
90 }
91
92 strcat(client_log_buffer, line);
93 client_log_buffer_index += line_length;
94 client_log_buffer[client_log_buffer_index++] = '\n';
95 }
96
97 static void server_keylog_callback(const SSL *ssl, const char *line)
98 {
99 int line_length = strlen(line);
100
101 /* If the log doesn't fit, error out. */
102 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
103 TEST_info("Server log too full");
104 error_writing_log = 1;
105 return;
106 }
107
108 strcat(server_log_buffer, line);
109 server_log_buffer_index += line_length;
110 server_log_buffer[server_log_buffer_index++] = '\n';
111 }
112
113 static int compare_hex_encoded_buffer(const char *hex_encoded,
114 size_t hex_length,
115 const uint8_t *raw,
116 size_t raw_length)
117 {
118 size_t i, j;
119 char hexed[3];
120
121 if (!TEST_size_t_eq(raw_length * 2, hex_length))
122 return 1;
123
124 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
125 sprintf(hexed, "%02x", raw[i]);
126 if (!TEST_int_eq(hexed[0], hex_encoded[j])
127 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
128 return 1;
129 }
130
131 return 0;
132 }
133
134 static int test_keylog_output(char *buffer, const SSL *ssl,
135 const SSL_SESSION *session,
136 struct sslapitest_log_counts *expected)
137 {
138 char *token = NULL;
139 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
140 size_t client_random_size = SSL3_RANDOM_SIZE;
141 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
142 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
143 unsigned int rsa_key_exchange_count = 0;
144 unsigned int master_secret_count = 0;
145 unsigned int client_early_secret_count = 0;
146 unsigned int client_handshake_secret_count = 0;
147 unsigned int server_handshake_secret_count = 0;
148 unsigned int client_application_secret_count = 0;
149 unsigned int server_application_secret_count = 0;
150 unsigned int early_exporter_secret_count = 0;
151 unsigned int exporter_secret_count = 0;
152
153 for (token = strtok(buffer, " \n"); token != NULL;
154 token = strtok(NULL, " \n")) {
155 if (strcmp(token, "RSA") == 0) {
156 /*
157 * Premaster secret. Tokens should be: 16 ASCII bytes of
158 * hex-encoded encrypted secret, then the hex-encoded pre-master
159 * secret.
160 */
161 if (!TEST_ptr(token = strtok(NULL, " \n")))
162 return 0;
163 if (!TEST_size_t_eq(strlen(token), 16))
164 return 0;
165 if (!TEST_ptr(token = strtok(NULL, " \n")))
166 return 0;
167 /*
168 * We can't sensibly check the log because the premaster secret is
169 * transient, and OpenSSL doesn't keep hold of it once the master
170 * secret is generated.
171 */
172 rsa_key_exchange_count++;
173 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
174 /*
175 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
176 * client random, then the hex-encoded master secret.
177 */
178 client_random_size = SSL_get_client_random(ssl,
179 actual_client_random,
180 SSL3_RANDOM_SIZE);
181 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
182 return 0;
183
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 return 0;
186 if (!TEST_size_t_eq(strlen(token), 64))
187 return 0;
188 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
189 actual_client_random,
190 client_random_size)))
191 return 0;
192
193 if (!TEST_ptr(token = strtok(NULL, " \n")))
194 return 0;
195 master_key_size = SSL_SESSION_get_master_key(session,
196 actual_master_key,
197 master_key_size);
198 if (!TEST_size_t_ne(master_key_size, 0))
199 return 0;
200 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
201 actual_master_key,
202 master_key_size)))
203 return 0;
204 master_secret_count++;
205 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
206 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
207 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
208 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
209 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
210 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
211 || strcmp(token, "EXPORTER_SECRET") == 0) {
212 /*
213 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
214 * client random, and then the hex-encoded secret. In this case,
215 * we treat all of these secrets identically and then just
216 * distinguish between them when counting what we saw.
217 */
218 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
219 client_early_secret_count++;
220 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
221 client_handshake_secret_count++;
222 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
223 server_handshake_secret_count++;
224 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
225 client_application_secret_count++;
226 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
227 server_application_secret_count++;
228 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
229 early_exporter_secret_count++;
230 else if (strcmp(token, "EXPORTER_SECRET") == 0)
231 exporter_secret_count++;
232
233 client_random_size = SSL_get_client_random(ssl,
234 actual_client_random,
235 SSL3_RANDOM_SIZE);
236 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
237 return 0;
238
239 if (!TEST_ptr(token = strtok(NULL, " \n")))
240 return 0;
241 if (!TEST_size_t_eq(strlen(token), 64))
242 return 0;
243 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
244 actual_client_random,
245 client_random_size)))
246 return 0;
247
248 if (!TEST_ptr(token = strtok(NULL, " \n")))
249 return 0;
250
251 /*
252 * TODO(TLS1.3): test that application traffic secrets are what
253 * we expect */
254 } else {
255 TEST_info("Unexpected token %s\n", token);
256 return 0;
257 }
258 }
259
260 /* Got what we expected? */
261 if (!TEST_size_t_eq(rsa_key_exchange_count,
262 expected->rsa_key_exchange_count)
263 || !TEST_size_t_eq(master_secret_count,
264 expected->master_secret_count)
265 || !TEST_size_t_eq(client_early_secret_count,
266 expected->client_early_secret_count)
267 || !TEST_size_t_eq(client_handshake_secret_count,
268 expected->client_handshake_secret_count)
269 || !TEST_size_t_eq(server_handshake_secret_count,
270 expected->server_handshake_secret_count)
271 || !TEST_size_t_eq(client_application_secret_count,
272 expected->client_application_secret_count)
273 || !TEST_size_t_eq(server_application_secret_count,
274 expected->server_application_secret_count)
275 || !TEST_size_t_eq(early_exporter_secret_count,
276 expected->early_exporter_secret_count)
277 || !TEST_size_t_eq(exporter_secret_count,
278 expected->exporter_secret_count))
279 return 0;
280 return 1;
281 }
282
283 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
284 static int test_keylog(void)
285 {
286 SSL_CTX *cctx = NULL, *sctx = NULL;
287 SSL *clientssl = NULL, *serverssl = NULL;
288 int testresult = 0;
289 struct sslapitest_log_counts expected = {0};
290
291 /* Clean up logging space */
292 memset(client_log_buffer, 0, sizeof(client_log_buffer));
293 memset(server_log_buffer, 0, sizeof(server_log_buffer));
294 client_log_buffer_index = 0;
295 server_log_buffer_index = 0;
296 error_writing_log = 0;
297
298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
299 TLS_client_method(),
300 TLS1_VERSION, TLS_MAX_VERSION,
301 &sctx, &cctx, cert, privkey)))
302 return 0;
303
304 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
305 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
306 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
307
308 /* We also want to ensure that we use RSA-based key exchange. */
309 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
310 goto end;
311
312 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
313 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
314 goto end;
315 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
316 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
317 == client_keylog_callback))
318 goto end;
319 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
320 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
321 == server_keylog_callback))
322 goto end;
323
324 /* Now do a handshake and check that the logs have been written to. */
325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
326 &clientssl, NULL, NULL))
327 || !TEST_true(create_ssl_connection(serverssl, clientssl,
328 SSL_ERROR_NONE))
329 || !TEST_false(error_writing_log)
330 || !TEST_int_gt(client_log_buffer_index, 0)
331 || !TEST_int_gt(server_log_buffer_index, 0))
332 goto end;
333
334 /*
335 * Now we want to test that our output data was vaguely sensible. We
336 * do that by using strtok and confirming that we have more or less the
337 * data we expect. For both client and server, we expect to see one master
338 * secret. The client should also see a RSA key exchange.
339 */
340 expected.rsa_key_exchange_count = 1;
341 expected.master_secret_count = 1;
342 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
343 SSL_get_session(clientssl), &expected)))
344 goto end;
345
346 expected.rsa_key_exchange_count = 0;
347 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
348 SSL_get_session(serverssl), &expected)))
349 goto end;
350
351 testresult = 1;
352
353 end:
354 SSL_free(serverssl);
355 SSL_free(clientssl);
356 SSL_CTX_free(sctx);
357 SSL_CTX_free(cctx);
358
359 return testresult;
360 }
361 #endif
362
363 #ifndef OPENSSL_NO_TLS1_3
364 static int test_keylog_no_master_key(void)
365 {
366 SSL_CTX *cctx = NULL, *sctx = NULL;
367 SSL *clientssl = NULL, *serverssl = NULL;
368 SSL_SESSION *sess = NULL;
369 int testresult = 0;
370 struct sslapitest_log_counts expected = {0};
371 unsigned char buf[1];
372 size_t readbytes, written;
373
374 /* Clean up logging space */
375 memset(client_log_buffer, 0, sizeof(client_log_buffer));
376 memset(server_log_buffer, 0, sizeof(server_log_buffer));
377 client_log_buffer_index = 0;
378 server_log_buffer_index = 0;
379 error_writing_log = 0;
380
381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
382 TLS1_VERSION, TLS_MAX_VERSION,
383 &sctx, &cctx, cert, privkey))
384 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
385 SSL3_RT_MAX_PLAIN_LENGTH))
386 || !TEST_true(SSL_CTX_set_max_early_data(cctx,
387 SSL3_RT_MAX_PLAIN_LENGTH)))
388 return 0;
389
390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
392 goto end;
393
394 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
395 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
396 == client_keylog_callback))
397 goto end;
398
399 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
400 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
401 == server_keylog_callback))
402 goto end;
403
404 /* Now do a handshake and check that the logs have been written to. */
405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
406 &clientssl, NULL, NULL))
407 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 SSL_ERROR_NONE))
409 || !TEST_false(error_writing_log))
410 goto end;
411
412 /*
413 * Now we want to test that our output data was vaguely sensible. For this
414 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
415 * TLSv1.3, but we do expect both client and server to emit keys.
416 */
417 expected.client_handshake_secret_count = 1;
418 expected.server_handshake_secret_count = 1;
419 expected.client_application_secret_count = 1;
420 expected.server_application_secret_count = 1;
421 expected.exporter_secret_count = 1;
422 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
423 SSL_get_session(clientssl), &expected))
424 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl),
426 &expected)))
427 goto end;
428
429 /* Terminate old session and resume with early data. */
430 sess = SSL_get1_session(clientssl);
431 SSL_shutdown(clientssl);
432 SSL_shutdown(serverssl);
433 SSL_free(serverssl);
434 SSL_free(clientssl);
435 serverssl = clientssl = NULL;
436
437 /* Reset key log */
438 memset(client_log_buffer, 0, sizeof(client_log_buffer));
439 memset(server_log_buffer, 0, sizeof(server_log_buffer));
440 client_log_buffer_index = 0;
441 server_log_buffer_index = 0;
442
443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
444 &clientssl, NULL, NULL))
445 || !TEST_true(SSL_set_session(clientssl, sess))
446 /* Here writing 0 length early data is enough. */
447 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
448 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
449 &readbytes),
450 SSL_READ_EARLY_DATA_ERROR)
451 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
452 SSL_EARLY_DATA_ACCEPTED)
453 || !TEST_true(create_ssl_connection(serverssl, clientssl,
454 SSL_ERROR_NONE))
455 || !TEST_true(SSL_session_reused(clientssl)))
456 goto end;
457
458 /* In addition to the previous entries, expect early secrets. */
459 expected.client_early_secret_count = 1;
460 expected.early_exporter_secret_count = 1;
461 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
462 SSL_get_session(clientssl), &expected))
463 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
464 SSL_get_session(serverssl),
465 &expected)))
466 goto end;
467
468 testresult = 1;
469
470 end:
471 SSL_SESSION_free(sess);
472 SSL_free(serverssl);
473 SSL_free(clientssl);
474 SSL_CTX_free(sctx);
475 SSL_CTX_free(cctx);
476
477 return testresult;
478 }
479 #endif
480
481 #ifndef OPENSSL_NO_TLS1_2
482 static int full_client_hello_callback(SSL *s, int *al, void *arg)
483 {
484 int *ctr = arg;
485 const unsigned char *p;
486 int *exts;
487 /* We only configure two ciphers, but the SCSV is added automatically. */
488 #ifdef OPENSSL_NO_EC
489 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
490 #else
491 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
492 0x2c, 0x00, 0xff};
493 #endif
494 const int expected_extensions[] = {
495 #ifndef OPENSSL_NO_EC
496 11, 10,
497 #endif
498 35, 22, 23, 13};
499 size_t len;
500
501 /* Make sure we can defer processing and get called back. */
502 if ((*ctr)++ == 0)
503 return SSL_CLIENT_HELLO_RETRY;
504
505 len = SSL_client_hello_get0_ciphers(s, &p);
506 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
507 || !TEST_size_t_eq(
508 SSL_client_hello_get0_compression_methods(s, &p), 1)
509 || !TEST_int_eq(*p, 0))
510 return SSL_CLIENT_HELLO_ERROR;
511 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
512 return SSL_CLIENT_HELLO_ERROR;
513 if (len != OSSL_NELEM(expected_extensions) ||
514 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
515 printf("ClientHello callback expected extensions mismatch\n");
516 OPENSSL_free(exts);
517 return SSL_CLIENT_HELLO_ERROR;
518 }
519 OPENSSL_free(exts);
520 return SSL_CLIENT_HELLO_SUCCESS;
521 }
522
523 static int test_client_hello_cb(void)
524 {
525 SSL_CTX *cctx = NULL, *sctx = NULL;
526 SSL *clientssl = NULL, *serverssl = NULL;
527 int testctr = 0, testresult = 0;
528
529 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
530 TLS1_VERSION, TLS_MAX_VERSION,
531 &sctx, &cctx, cert, privkey)))
532 goto end;
533 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
534
535 /* The gimpy cipher list we configure can't do TLS 1.3. */
536 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
537
538 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
539 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
540 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
541 &clientssl, NULL, NULL))
542 || !TEST_false(create_ssl_connection(serverssl, clientssl,
543 SSL_ERROR_WANT_CLIENT_HELLO_CB))
544 /*
545 * Passing a -1 literal is a hack since
546 * the real value was lost.
547 * */
548 || !TEST_int_eq(SSL_get_error(serverssl, -1),
549 SSL_ERROR_WANT_CLIENT_HELLO_CB)
550 || !TEST_true(create_ssl_connection(serverssl, clientssl,
551 SSL_ERROR_NONE)))
552 goto end;
553
554 testresult = 1;
555
556 end:
557 SSL_free(serverssl);
558 SSL_free(clientssl);
559 SSL_CTX_free(sctx);
560 SSL_CTX_free(cctx);
561
562 return testresult;
563 }
564 #endif
565
566 static int execute_test_large_message(const SSL_METHOD *smeth,
567 const SSL_METHOD *cmeth,
568 int min_version, int max_version,
569 int read_ahead)
570 {
571 SSL_CTX *cctx = NULL, *sctx = NULL;
572 SSL *clientssl = NULL, *serverssl = NULL;
573 int testresult = 0;
574 int i;
575 BIO *certbio = NULL;
576 X509 *chaincert = NULL;
577 int certlen;
578
579 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
580 goto end;
581 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
582 BIO_free(certbio);
583 certbio = NULL;
584 if (!TEST_ptr(chaincert))
585 goto end;
586
587 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
588 &sctx, &cctx, cert, privkey)))
589 goto end;
590
591 if (read_ahead) {
592 /*
593 * Test that read_ahead works correctly when dealing with large
594 * records
595 */
596 SSL_CTX_set_read_ahead(cctx, 1);
597 }
598
599 /*
600 * We assume the supplied certificate is big enough so that if we add
601 * NUM_EXTRA_CERTS it will make the overall message large enough. The
602 * default buffer size is requested to be 16k, but due to the way BUF_MEM
603 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
604 * test we need to have a message larger than that.
605 */
606 certlen = i2d_X509(chaincert, NULL);
607 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
608 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
609 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
610 if (!X509_up_ref(chaincert))
611 goto end;
612 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
613 X509_free(chaincert);
614 goto end;
615 }
616 }
617
618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
619 NULL, NULL))
620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
621 SSL_ERROR_NONE)))
622 goto end;
623
624 /*
625 * Calling SSL_clear() first is not required but this tests that SSL_clear()
626 * doesn't leak (when using enable-crypto-mdebug).
627 */
628 if (!TEST_true(SSL_clear(serverssl)))
629 goto end;
630
631 testresult = 1;
632 end:
633 X509_free(chaincert);
634 SSL_free(serverssl);
635 SSL_free(clientssl);
636 SSL_CTX_free(sctx);
637 SSL_CTX_free(cctx);
638
639 return testresult;
640 }
641
642 static int test_large_message_tls(void)
643 {
644 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
645 TLS1_VERSION, TLS_MAX_VERSION,
646 0);
647 }
648
649 static int test_large_message_tls_read_ahead(void)
650 {
651 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
652 TLS1_VERSION, TLS_MAX_VERSION,
653 1);
654 }
655
656 #ifndef OPENSSL_NO_DTLS
657 static int test_large_message_dtls(void)
658 {
659 /*
660 * read_ahead is not relevant to DTLS because DTLS always acts as if
661 * read_ahead is set.
662 */
663 return execute_test_large_message(DTLS_server_method(),
664 DTLS_client_method(),
665 DTLS1_VERSION, DTLS_MAX_VERSION,
666 0);
667 }
668 #endif
669
670 #ifndef OPENSSL_NO_OCSP
671 static int ocsp_server_cb(SSL *s, void *arg)
672 {
673 int *argi = (int *)arg;
674 unsigned char *copy = NULL;
675 STACK_OF(OCSP_RESPID) *ids = NULL;
676 OCSP_RESPID *id = NULL;
677
678 if (*argi == 2) {
679 /* In this test we are expecting exactly 1 OCSP_RESPID */
680 SSL_get_tlsext_status_ids(s, &ids);
681 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
682 return SSL_TLSEXT_ERR_ALERT_FATAL;
683
684 id = sk_OCSP_RESPID_value(ids, 0);
685 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
686 return SSL_TLSEXT_ERR_ALERT_FATAL;
687 } else if (*argi != 1) {
688 return SSL_TLSEXT_ERR_ALERT_FATAL;
689 }
690
691 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
692 return SSL_TLSEXT_ERR_ALERT_FATAL;
693
694 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
695 ocsp_server_called = 1;
696 return SSL_TLSEXT_ERR_OK;
697 }
698
699 static int ocsp_client_cb(SSL *s, void *arg)
700 {
701 int *argi = (int *)arg;
702 const unsigned char *respderin;
703 size_t len;
704
705 if (*argi != 1 && *argi != 2)
706 return 0;
707
708 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
709 if (!TEST_mem_eq(orespder, len, respderin, len))
710 return 0;
711
712 ocsp_client_called = 1;
713 return 1;
714 }
715
716 static int test_tlsext_status_type(void)
717 {
718 SSL_CTX *cctx = NULL, *sctx = NULL;
719 SSL *clientssl = NULL, *serverssl = NULL;
720 int testresult = 0;
721 STACK_OF(OCSP_RESPID) *ids = NULL;
722 OCSP_RESPID *id = NULL;
723 BIO *certbio = NULL;
724
725 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
726 TLS1_VERSION, TLS_MAX_VERSION,
727 &sctx, &cctx, cert, privkey))
728 return 0;
729
730 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
731 goto end;
732
733 /* First just do various checks getting and setting tlsext_status_type */
734
735 clientssl = SSL_new(cctx);
736 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
737 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
738 TLSEXT_STATUSTYPE_ocsp))
739 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
740 TLSEXT_STATUSTYPE_ocsp))
741 goto end;
742
743 SSL_free(clientssl);
744 clientssl = NULL;
745
746 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
747 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
748 goto end;
749
750 clientssl = SSL_new(cctx);
751 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
752 goto end;
753 SSL_free(clientssl);
754 clientssl = NULL;
755
756 /*
757 * Now actually do a handshake and check OCSP information is exchanged and
758 * the callbacks get called
759 */
760 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
761 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
762 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
763 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
765 &clientssl, NULL, NULL))
766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
767 SSL_ERROR_NONE))
768 || !TEST_true(ocsp_client_called)
769 || !TEST_true(ocsp_server_called))
770 goto end;
771 SSL_free(serverssl);
772 SSL_free(clientssl);
773 serverssl = NULL;
774 clientssl = NULL;
775
776 /* Try again but this time force the server side callback to fail */
777 ocsp_client_called = 0;
778 ocsp_server_called = 0;
779 cdummyarg = 0;
780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
781 &clientssl, NULL, NULL))
782 /* This should fail because the callback will fail */
783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 SSL_ERROR_NONE))
785 || !TEST_false(ocsp_client_called)
786 || !TEST_false(ocsp_server_called))
787 goto end;
788 SSL_free(serverssl);
789 SSL_free(clientssl);
790 serverssl = NULL;
791 clientssl = NULL;
792
793 /*
794 * This time we'll get the client to send an OCSP_RESPID that it will
795 * accept.
796 */
797 ocsp_client_called = 0;
798 ocsp_server_called = 0;
799 cdummyarg = 2;
800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
801 &clientssl, NULL, NULL)))
802 goto end;
803
804 /*
805 * We'll just use any old cert for this test - it doesn't have to be an OCSP
806 * specific one. We'll use the server cert.
807 */
808 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
809 || !TEST_ptr(id = OCSP_RESPID_new())
810 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
811 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
812 NULL, NULL, NULL))
813 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
814 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
815 goto end;
816 id = NULL;
817 SSL_set_tlsext_status_ids(clientssl, ids);
818 /* Control has been transferred */
819 ids = NULL;
820
821 BIO_free(certbio);
822 certbio = NULL;
823
824 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
825 SSL_ERROR_NONE))
826 || !TEST_true(ocsp_client_called)
827 || !TEST_true(ocsp_server_called))
828 goto end;
829
830 testresult = 1;
831
832 end:
833 SSL_free(serverssl);
834 SSL_free(clientssl);
835 SSL_CTX_free(sctx);
836 SSL_CTX_free(cctx);
837 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
838 OCSP_RESPID_free(id);
839 BIO_free(certbio);
840 X509_free(ocspcert);
841 ocspcert = NULL;
842
843 return testresult;
844 }
845 #endif
846
847 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
848 static int new_called, remove_called, get_called;
849
850 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
851 {
852 new_called++;
853 /*
854 * sess has been up-refed for us, but we don't actually need it so free it
855 * immediately.
856 */
857 SSL_SESSION_free(sess);
858 return 1;
859 }
860
861 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
862 {
863 remove_called++;
864 }
865
866 static SSL_SESSION *get_sess_val = NULL;
867
868 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
869 int *copy)
870 {
871 get_called++;
872 *copy = 1;
873 return get_sess_val;
874 }
875
876 static int execute_test_session(int maxprot, int use_int_cache,
877 int use_ext_cache)
878 {
879 SSL_CTX *sctx = NULL, *cctx = NULL;
880 SSL *serverssl1 = NULL, *clientssl1 = NULL;
881 SSL *serverssl2 = NULL, *clientssl2 = NULL;
882 # ifndef OPENSSL_NO_TLS1_1
883 SSL *serverssl3 = NULL, *clientssl3 = NULL;
884 # endif
885 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
886 int testresult = 0;
887
888 new_called = remove_called = 0;
889
890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
891 TLS1_VERSION, TLS_MAX_VERSION,
892 &sctx, &cctx, cert, privkey)))
893 return 0;
894
895 /*
896 * Only allow the max protocol version so we can force a connection failure
897 * later
898 */
899 SSL_CTX_set_min_proto_version(cctx, maxprot);
900 SSL_CTX_set_max_proto_version(cctx, maxprot);
901
902 /* Set up session cache */
903 if (use_ext_cache) {
904 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
905 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
906 }
907 if (use_int_cache) {
908 /* Also covers instance where both are set */
909 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
910 } else {
911 SSL_CTX_set_session_cache_mode(cctx,
912 SSL_SESS_CACHE_CLIENT
913 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
914 }
915
916 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
917 NULL, NULL))
918 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
919 SSL_ERROR_NONE))
920 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
921 goto end;
922
923 /* Should fail because it should already be in the cache */
924 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
925 goto end;
926 if (use_ext_cache
927 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
928 goto end;
929
930 new_called = remove_called = 0;
931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
932 &clientssl2, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl2, sess1))
934 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
935 SSL_ERROR_NONE))
936 || !TEST_true(SSL_session_reused(clientssl2)))
937 goto end;
938
939 if (maxprot == TLS1_3_VERSION) {
940 /*
941 * In TLSv1.3 we should have created a new session even though we have
942 * resumed. The original session should also have been removed.
943 */
944 if (use_ext_cache
945 && (!TEST_int_eq(new_called, 1)
946 || !TEST_int_eq(remove_called, 1)))
947 goto end;
948 } else {
949 /*
950 * In TLSv1.2 we expect to have resumed so no sessions added or
951 * removed.
952 */
953 if (use_ext_cache
954 && (!TEST_int_eq(new_called, 0)
955 || !TEST_int_eq(remove_called, 0)))
956 goto end;
957 }
958
959 SSL_SESSION_free(sess1);
960 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
961 goto end;
962 shutdown_ssl_connection(serverssl2, clientssl2);
963 serverssl2 = clientssl2 = NULL;
964
965 new_called = remove_called = 0;
966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
967 &clientssl2, NULL, NULL))
968 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
969 SSL_ERROR_NONE)))
970 goto end;
971
972 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
973 goto end;
974
975 if (use_ext_cache
976 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
977 goto end;
978
979 new_called = remove_called = 0;
980 /*
981 * This should clear sess2 from the cache because it is a "bad" session.
982 * See SSL_set_session() documentation.
983 */
984 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
985 goto end;
986 if (use_ext_cache
987 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
988 goto end;
989 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
990 goto end;
991
992 if (use_int_cache) {
993 /* Should succeeded because it should not already be in the cache */
994 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
995 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
996 goto end;
997 }
998
999 new_called = remove_called = 0;
1000 /* This shouldn't be in the cache so should fail */
1001 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1002 goto end;
1003
1004 if (use_ext_cache
1005 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1006 goto end;
1007
1008 # if !defined(OPENSSL_NO_TLS1_1)
1009 new_called = remove_called = 0;
1010 /* Force a connection failure */
1011 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1013 &clientssl3, NULL, NULL))
1014 || !TEST_true(SSL_set_session(clientssl3, sess1))
1015 /* This should fail because of the mismatched protocol versions */
1016 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1017 SSL_ERROR_NONE)))
1018 goto end;
1019
1020 /* We should have automatically removed the session from the cache */
1021 if (use_ext_cache
1022 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1023 goto end;
1024
1025 /* Should succeed because it should not already be in the cache */
1026 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1027 goto end;
1028 # endif
1029
1030 /* Now do some tests for server side caching */
1031 if (use_ext_cache) {
1032 SSL_CTX_sess_set_new_cb(cctx, NULL);
1033 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1034 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1035 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1036 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1037 get_sess_val = NULL;
1038 }
1039
1040 SSL_CTX_set_session_cache_mode(cctx, 0);
1041 /* Internal caching is the default on the server side */
1042 if (!use_int_cache)
1043 SSL_CTX_set_session_cache_mode(sctx,
1044 SSL_SESS_CACHE_SERVER
1045 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1046
1047 SSL_free(serverssl1);
1048 SSL_free(clientssl1);
1049 serverssl1 = clientssl1 = NULL;
1050 SSL_free(serverssl2);
1051 SSL_free(clientssl2);
1052 serverssl2 = clientssl2 = NULL;
1053 SSL_SESSION_free(sess1);
1054 sess1 = NULL;
1055 SSL_SESSION_free(sess2);
1056 sess2 = NULL;
1057
1058 SSL_CTX_set_max_proto_version(sctx, maxprot);
1059 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1060 new_called = remove_called = get_called = 0;
1061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1062 NULL, NULL))
1063 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1064 SSL_ERROR_NONE))
1065 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1066 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1067 goto end;
1068
1069 /* Should fail because it should already be in the cache */
1070 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1071 goto end;
1072
1073 if (use_ext_cache) {
1074 SSL_SESSION *tmp = sess2;
1075
1076 if (!TEST_int_eq(new_called, 1)
1077 || !TEST_int_eq(remove_called, 0)
1078 || !TEST_int_eq(get_called, 0))
1079 goto end;
1080 /*
1081 * Delete the session from the internal cache to force a lookup from
1082 * the external cache. We take a copy first because
1083 * SSL_CTX_remove_session() also marks the session as non-resumable.
1084 */
1085 if (use_int_cache) {
1086 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1087 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1088 goto end;
1089 SSL_SESSION_free(sess2);
1090 }
1091 sess2 = tmp;
1092 }
1093
1094 new_called = remove_called = get_called = 0;
1095 get_sess_val = sess2;
1096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1097 &clientssl2, NULL, NULL))
1098 || !TEST_true(SSL_set_session(clientssl2, sess1))
1099 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1100 SSL_ERROR_NONE))
1101 || !TEST_true(SSL_session_reused(clientssl2)))
1102 goto end;
1103
1104 if (use_ext_cache) {
1105 if (!TEST_int_eq(remove_called, 0))
1106 goto end;
1107
1108 if (maxprot == TLS1_3_VERSION) {
1109 /*
1110 * Every time we issue a NewSessionTicket we are creating a new
1111 * session for next time in TLSv1.3
1112 */
1113 if (!TEST_int_eq(new_called, 1)
1114 || !TEST_int_eq(get_called, 0))
1115 goto end;
1116 } else {
1117 if (!TEST_int_eq(new_called, 0)
1118 || !TEST_int_eq(get_called, 1))
1119 goto end;
1120 }
1121 }
1122
1123 testresult = 1;
1124
1125 end:
1126 SSL_free(serverssl1);
1127 SSL_free(clientssl1);
1128 SSL_free(serverssl2);
1129 SSL_free(clientssl2);
1130 # ifndef OPENSSL_NO_TLS1_1
1131 SSL_free(serverssl3);
1132 SSL_free(clientssl3);
1133 # endif
1134 SSL_SESSION_free(sess1);
1135 SSL_SESSION_free(sess2);
1136 SSL_CTX_free(sctx);
1137 SSL_CTX_free(cctx);
1138
1139 return testresult;
1140 }
1141 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1142
1143 static int test_session_with_only_int_cache(void)
1144 {
1145 #ifndef OPENSSL_NO_TLS1_3
1146 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1147 return 0;
1148 #endif
1149
1150 #ifndef OPENSSL_NO_TLS1_2
1151 return execute_test_session(TLS1_2_VERSION, 1, 0);
1152 #else
1153 return 1;
1154 #endif
1155 }
1156
1157 static int test_session_with_only_ext_cache(void)
1158 {
1159 #ifndef OPENSSL_NO_TLS1_3
1160 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1161 return 0;
1162 #endif
1163
1164 #ifndef OPENSSL_NO_TLS1_2
1165 return execute_test_session(TLS1_2_VERSION, 0, 1);
1166 #else
1167 return 1;
1168 #endif
1169 }
1170
1171 static int test_session_with_both_cache(void)
1172 {
1173 #ifndef OPENSSL_NO_TLS1_3
1174 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1175 return 0;
1176 #endif
1177
1178 #ifndef OPENSSL_NO_TLS1_2
1179 return execute_test_session(TLS1_2_VERSION, 1, 1);
1180 #else
1181 return 1;
1182 #endif
1183 }
1184
1185 #define USE_NULL 0
1186 #define USE_BIO_1 1
1187 #define USE_BIO_2 2
1188 #define USE_DEFAULT 3
1189
1190 #define CONNTYPE_CONNECTION_SUCCESS 0
1191 #define CONNTYPE_CONNECTION_FAIL 1
1192 #define CONNTYPE_NO_CONNECTION 2
1193
1194 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1195 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1196 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1197 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1198 #else
1199 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1200 #endif
1201
1202
1203 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1204 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1205 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1206
1207 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1208 {
1209 switch (type) {
1210 case USE_NULL:
1211 *res = NULL;
1212 break;
1213 case USE_BIO_1:
1214 *res = bio1;
1215 break;
1216 case USE_BIO_2:
1217 *res = bio2;
1218 break;
1219 }
1220 }
1221
1222
1223 /*
1224 * Tests calls to SSL_set_bio() under various conditions.
1225 *
1226 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1227 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1228 * then do more tests where we create a successful connection first using our
1229 * standard connection setup functions, and then call SSL_set_bio() with
1230 * various combinations of valid BIOs or NULL. We then repeat these tests
1231 * following a failed connection. In this last case we are looking to check that
1232 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1233 */
1234 static int test_ssl_set_bio(int idx)
1235 {
1236 SSL_CTX *sctx = NULL, *cctx = NULL;
1237 BIO *bio1 = NULL;
1238 BIO *bio2 = NULL;
1239 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1240 SSL *serverssl = NULL, *clientssl = NULL;
1241 int initrbio, initwbio, newrbio, newwbio, conntype;
1242 int testresult = 0;
1243
1244 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1245 initrbio = idx % 3;
1246 idx /= 3;
1247 initwbio = idx % 3;
1248 idx /= 3;
1249 newrbio = idx % 3;
1250 idx /= 3;
1251 newwbio = idx % 3;
1252 conntype = CONNTYPE_NO_CONNECTION;
1253 } else {
1254 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1255 initrbio = initwbio = USE_DEFAULT;
1256 newrbio = idx % 2;
1257 idx /= 2;
1258 newwbio = idx % 2;
1259 idx /= 2;
1260 conntype = idx % 2;
1261 }
1262
1263 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1264 TLS1_VERSION, TLS_MAX_VERSION,
1265 &sctx, &cctx, cert, privkey)))
1266 goto end;
1267
1268 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1269 /*
1270 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1271 * because we reduced the number of tests in the definition of
1272 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1273 * mismatched protocol versions we will force a connection failure.
1274 */
1275 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1276 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1277 }
1278
1279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1280 NULL, NULL)))
1281 goto end;
1282
1283 if (initrbio == USE_BIO_1
1284 || initwbio == USE_BIO_1
1285 || newrbio == USE_BIO_1
1286 || newwbio == USE_BIO_1) {
1287 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1288 goto end;
1289 }
1290
1291 if (initrbio == USE_BIO_2
1292 || initwbio == USE_BIO_2
1293 || newrbio == USE_BIO_2
1294 || newwbio == USE_BIO_2) {
1295 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1296 goto end;
1297 }
1298
1299 if (initrbio != USE_DEFAULT) {
1300 setupbio(&irbio, bio1, bio2, initrbio);
1301 setupbio(&iwbio, bio1, bio2, initwbio);
1302 SSL_set_bio(clientssl, irbio, iwbio);
1303
1304 /*
1305 * We want to maintain our own refs to these BIO, so do an up ref for
1306 * each BIO that will have ownership transferred in the SSL_set_bio()
1307 * call
1308 */
1309 if (irbio != NULL)
1310 BIO_up_ref(irbio);
1311 if (iwbio != NULL && iwbio != irbio)
1312 BIO_up_ref(iwbio);
1313 }
1314
1315 if (conntype != CONNTYPE_NO_CONNECTION
1316 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1317 SSL_ERROR_NONE)
1318 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1319 goto end;
1320
1321 setupbio(&nrbio, bio1, bio2, newrbio);
1322 setupbio(&nwbio, bio1, bio2, newwbio);
1323
1324 /*
1325 * We will (maybe) transfer ownership again so do more up refs.
1326 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1327 * already been set!
1328 */
1329 if (nrbio != NULL
1330 && nrbio != irbio
1331 && (nwbio != iwbio || nrbio != nwbio))
1332 BIO_up_ref(nrbio);
1333 if (nwbio != NULL
1334 && nwbio != nrbio
1335 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1336 BIO_up_ref(nwbio);
1337
1338 SSL_set_bio(clientssl, nrbio, nwbio);
1339
1340 testresult = 1;
1341
1342 end:
1343 BIO_free(bio1);
1344 BIO_free(bio2);
1345
1346 /*
1347 * This test is checking that the ref counting for SSL_set_bio is correct.
1348 * If we get here and we did too many frees then we will fail in the above
1349 * functions. If we haven't done enough then this will only be detected in
1350 * a crypto-mdebug build
1351 */
1352 SSL_free(serverssl);
1353 SSL_free(clientssl);
1354 SSL_CTX_free(sctx);
1355 SSL_CTX_free(cctx);
1356 return testresult;
1357 }
1358
1359 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1360
1361 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1362 {
1363 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1364 SSL_CTX *ctx;
1365 SSL *ssl = NULL;
1366 int testresult = 0;
1367
1368 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1369 || !TEST_ptr(ssl = SSL_new(ctx))
1370 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1371 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1372 goto end;
1373
1374 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1375
1376 /*
1377 * If anything goes wrong here then we could leak memory, so this will
1378 * be caught in a crypto-mdebug build
1379 */
1380 BIO_push(sslbio, membio1);
1381
1382 /* Verify changing the rbio/wbio directly does not cause leaks */
1383 if (change_bio != NO_BIO_CHANGE) {
1384 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1385 goto end;
1386 if (change_bio == CHANGE_RBIO)
1387 SSL_set0_rbio(ssl, membio2);
1388 else
1389 SSL_set0_wbio(ssl, membio2);
1390 }
1391 ssl = NULL;
1392
1393 if (pop_ssl)
1394 BIO_pop(sslbio);
1395 else
1396 BIO_pop(membio1);
1397
1398 testresult = 1;
1399 end:
1400 BIO_free(membio1);
1401 BIO_free(sslbio);
1402 SSL_free(ssl);
1403 SSL_CTX_free(ctx);
1404
1405 return testresult;
1406 }
1407
1408 static int test_ssl_bio_pop_next_bio(void)
1409 {
1410 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1411 }
1412
1413 static int test_ssl_bio_pop_ssl_bio(void)
1414 {
1415 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1416 }
1417
1418 static int test_ssl_bio_change_rbio(void)
1419 {
1420 return execute_test_ssl_bio(0, CHANGE_RBIO);
1421 }
1422
1423 static int test_ssl_bio_change_wbio(void)
1424 {
1425 return execute_test_ssl_bio(0, CHANGE_WBIO);
1426 }
1427
1428 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1429 typedef struct {
1430 /* The list of sig algs */
1431 const int *list;
1432 /* The length of the list */
1433 size_t listlen;
1434 /* A sigalgs list in string format */
1435 const char *liststr;
1436 /* Whether setting the list should succeed */
1437 int valid;
1438 /* Whether creating a connection with the list should succeed */
1439 int connsuccess;
1440 } sigalgs_list;
1441
1442 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1443 # ifndef OPENSSL_NO_EC
1444 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1445 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1446 # endif
1447 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1448 static const int invalidlist2[] = {NID_sha256, NID_undef};
1449 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1450 static const int invalidlist4[] = {NID_sha256};
1451 static const sigalgs_list testsigalgs[] = {
1452 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1453 # ifndef OPENSSL_NO_EC
1454 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1455 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1456 # endif
1457 {NULL, 0, "RSA+SHA256", 1, 1},
1458 # ifndef OPENSSL_NO_EC
1459 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1460 {NULL, 0, "ECDSA+SHA512", 1, 0},
1461 # endif
1462 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1463 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1464 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1465 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1466 {NULL, 0, "RSA", 0, 0},
1467 {NULL, 0, "SHA256", 0, 0},
1468 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1469 {NULL, 0, "Invalid", 0, 0}
1470 };
1471
1472 static int test_set_sigalgs(int idx)
1473 {
1474 SSL_CTX *cctx = NULL, *sctx = NULL;
1475 SSL *clientssl = NULL, *serverssl = NULL;
1476 int testresult = 0;
1477 const sigalgs_list *curr;
1478 int testctx;
1479
1480 /* Should never happen */
1481 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1482 return 0;
1483
1484 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1485 curr = testctx ? &testsigalgs[idx]
1486 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1487
1488 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1489 TLS1_VERSION, TLS_MAX_VERSION,
1490 &sctx, &cctx, cert, privkey)))
1491 return 0;
1492
1493 /*
1494 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1495 * for TLSv1.2 for now until we add a new API.
1496 */
1497 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1498
1499 if (testctx) {
1500 int ret;
1501
1502 if (curr->list != NULL)
1503 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1504 else
1505 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1506
1507 if (!ret) {
1508 if (curr->valid)
1509 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1510 else
1511 testresult = 1;
1512 goto end;
1513 }
1514 if (!curr->valid) {
1515 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1516 goto end;
1517 }
1518 }
1519
1520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1521 &clientssl, NULL, NULL)))
1522 goto end;
1523
1524 if (!testctx) {
1525 int ret;
1526
1527 if (curr->list != NULL)
1528 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1529 else
1530 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1531 if (!ret) {
1532 if (curr->valid)
1533 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1534 else
1535 testresult = 1;
1536 goto end;
1537 }
1538 if (!curr->valid)
1539 goto end;
1540 }
1541
1542 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1543 SSL_ERROR_NONE),
1544 curr->connsuccess))
1545 goto end;
1546
1547 testresult = 1;
1548
1549 end:
1550 SSL_free(serverssl);
1551 SSL_free(clientssl);
1552 SSL_CTX_free(sctx);
1553 SSL_CTX_free(cctx);
1554
1555 return testresult;
1556 }
1557 #endif
1558
1559 #ifndef OPENSSL_NO_TLS1_3
1560
1561 static SSL_SESSION *clientpsk = NULL;
1562 static SSL_SESSION *serverpsk = NULL;
1563 static const char *pskid = "Identity";
1564 static const char *srvid;
1565
1566 static int use_session_cb_cnt = 0;
1567 static int find_session_cb_cnt = 0;
1568 static int psk_client_cb_cnt = 0;
1569 static int psk_server_cb_cnt = 0;
1570
1571 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1572 size_t *idlen, SSL_SESSION **sess)
1573 {
1574 switch (++use_session_cb_cnt) {
1575 case 1:
1576 /* The first call should always have a NULL md */
1577 if (md != NULL)
1578 return 0;
1579 break;
1580
1581 case 2:
1582 /* The second call should always have an md */
1583 if (md == NULL)
1584 return 0;
1585 break;
1586
1587 default:
1588 /* We should only be called a maximum of twice */
1589 return 0;
1590 }
1591
1592 if (clientpsk != NULL)
1593 SSL_SESSION_up_ref(clientpsk);
1594
1595 *sess = clientpsk;
1596 *id = (const unsigned char *)pskid;
1597 *idlen = strlen(pskid);
1598
1599 return 1;
1600 }
1601
1602 #ifndef OPENSSL_NO_PSK
1603 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1604 unsigned int max_id_len,
1605 unsigned char *psk,
1606 unsigned int max_psk_len)
1607 {
1608 unsigned int psklen = 0;
1609
1610 psk_client_cb_cnt++;
1611
1612 if (strlen(pskid) + 1 > max_id_len)
1613 return 0;
1614
1615 /* We should only ever be called a maximum of twice per connection */
1616 if (psk_client_cb_cnt > 2)
1617 return 0;
1618
1619 if (clientpsk == NULL)
1620 return 0;
1621
1622 /* We'll reuse the PSK we set up for TLSv1.3 */
1623 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1624 return 0;
1625 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1626 strncpy(id, pskid, max_id_len);
1627
1628 return psklen;
1629 }
1630 #endif /* OPENSSL_NO_PSK */
1631
1632 static int find_session_cb(SSL *ssl, const unsigned char *identity,
1633 size_t identity_len, SSL_SESSION **sess)
1634 {
1635 find_session_cb_cnt++;
1636
1637 /* We should only ever be called a maximum of twice per connection */
1638 if (find_session_cb_cnt > 2)
1639 return 0;
1640
1641 if (serverpsk == NULL)
1642 return 0;
1643
1644 /* Identity should match that set by the client */
1645 if (strlen(srvid) != identity_len
1646 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1647 /* No PSK found, continue but without a PSK */
1648 *sess = NULL;
1649 return 1;
1650 }
1651
1652 SSL_SESSION_up_ref(serverpsk);
1653 *sess = serverpsk;
1654
1655 return 1;
1656 }
1657
1658 #ifndef OPENSSL_NO_PSK
1659 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1660 unsigned char *psk, unsigned int max_psk_len)
1661 {
1662 unsigned int psklen = 0;
1663
1664 psk_server_cb_cnt++;
1665
1666 /* We should only ever be called a maximum of twice per connection */
1667 if (find_session_cb_cnt > 2)
1668 return 0;
1669
1670 if (serverpsk == NULL)
1671 return 0;
1672
1673 /* Identity should match that set by the client */
1674 if (strcmp(srvid, identity) != 0) {
1675 return 0;
1676 }
1677
1678 /* We'll reuse the PSK we set up for TLSv1.3 */
1679 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1680 return 0;
1681 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1682
1683 return psklen;
1684 }
1685 #endif /* OPENSSL_NO_PSK */
1686
1687 #define MSG1 "Hello"
1688 #define MSG2 "World."
1689 #define MSG3 "This"
1690 #define MSG4 "is"
1691 #define MSG5 "a"
1692 #define MSG6 "test"
1693 #define MSG7 "message."
1694
1695 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1696 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
1697
1698 /*
1699 * Helper method to setup objects for early data test. Caller frees objects on
1700 * error.
1701 */
1702 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1703 SSL **serverssl, SSL_SESSION **sess, int idx)
1704 {
1705 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1706 TLS1_VERSION, TLS_MAX_VERSION,
1707 sctx, cctx, cert, privkey))
1708 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1709 SSL3_RT_MAX_PLAIN_LENGTH))
1710 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1711 SSL3_RT_MAX_PLAIN_LENGTH)))
1712 return 0;
1713
1714 if (idx == 1) {
1715 /* When idx == 1 we repeat the tests with read_ahead set */
1716 SSL_CTX_set_read_ahead(*cctx, 1);
1717 SSL_CTX_set_read_ahead(*sctx, 1);
1718 } else if (idx == 2) {
1719 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1720 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1721 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1722 use_session_cb_cnt = 0;
1723 find_session_cb_cnt = 0;
1724 srvid = pskid;
1725 }
1726
1727 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1728 NULL, NULL)))
1729 return 0;
1730
1731 /*
1732 * For one of the run throughs (doesn't matter which one), we'll try sending
1733 * some SNI data in the initial ClientHello. This will be ignored (because
1734 * there is no SNI cb set up by the server), so it should not impact
1735 * early_data.
1736 */
1737 if (idx == 1
1738 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1739 return 0;
1740
1741 if (idx == 2) {
1742 /* Create the PSK */
1743 const SSL_CIPHER *cipher = NULL;
1744 const unsigned char key[] = {
1745 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1746 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1747 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1748 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1749 0x2c, 0x2d, 0x2e, 0x2f
1750 };
1751
1752 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
1753 clientpsk = SSL_SESSION_new();
1754 if (!TEST_ptr(clientpsk)
1755 || !TEST_ptr(cipher)
1756 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
1757 sizeof(key)))
1758 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
1759 || !TEST_true(
1760 SSL_SESSION_set_protocol_version(clientpsk,
1761 TLS1_3_VERSION))
1762 /*
1763 * We just choose an arbitrary value for max_early_data which
1764 * should be big enough for testing purposes.
1765 */
1766 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1767 0x100))
1768 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1769 SSL_SESSION_free(clientpsk);
1770 clientpsk = NULL;
1771 return 0;
1772 }
1773 serverpsk = clientpsk;
1774
1775 if (sess != NULL)
1776 *sess = clientpsk;
1777 return 1;
1778 }
1779
1780 if (sess == NULL)
1781 return 1;
1782
1783 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1784 SSL_ERROR_NONE)))
1785 return 0;
1786
1787 *sess = SSL_get1_session(*clientssl);
1788 SSL_shutdown(*clientssl);
1789 SSL_shutdown(*serverssl);
1790 SSL_free(*serverssl);
1791 SSL_free(*clientssl);
1792 *serverssl = *clientssl = NULL;
1793
1794 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1795 clientssl, NULL, NULL))
1796 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1797 return 0;
1798
1799 return 1;
1800 }
1801
1802 static int test_early_data_read_write(int idx)
1803 {
1804 SSL_CTX *cctx = NULL, *sctx = NULL;
1805 SSL *clientssl = NULL, *serverssl = NULL;
1806 int testresult = 0;
1807 SSL_SESSION *sess = NULL;
1808 unsigned char buf[20], data[1024];
1809 size_t readbytes, written, eoedlen, rawread, rawwritten;
1810 BIO *rbio;
1811
1812 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1813 &serverssl, &sess, idx)))
1814 goto end;
1815
1816 /* Write and read some early data */
1817 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1818 &written))
1819 || !TEST_size_t_eq(written, strlen(MSG1))
1820 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1821 sizeof(buf), &readbytes),
1822 SSL_READ_EARLY_DATA_SUCCESS)
1823 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1824 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1825 SSL_EARLY_DATA_ACCEPTED))
1826 goto end;
1827
1828 /*
1829 * Server should be able to write data, and client should be able to
1830 * read it.
1831 */
1832 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1833 &written))
1834 || !TEST_size_t_eq(written, strlen(MSG2))
1835 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1836 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1837 goto end;
1838
1839 /* Even after reading normal data, client should be able write early data */
1840 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1841 &written))
1842 || !TEST_size_t_eq(written, strlen(MSG3)))
1843 goto end;
1844
1845 /* Server should still be able read early data after writing data */
1846 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1847 &readbytes),
1848 SSL_READ_EARLY_DATA_SUCCESS)
1849 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1850 goto end;
1851
1852 /* Write more data from server and read it from client */
1853 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1854 &written))
1855 || !TEST_size_t_eq(written, strlen(MSG4))
1856 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1857 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1858 goto end;
1859
1860 /*
1861 * If client writes normal data it should mean writing early data is no
1862 * longer possible.
1863 */
1864 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1865 || !TEST_size_t_eq(written, strlen(MSG5))
1866 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1867 SSL_EARLY_DATA_ACCEPTED))
1868 goto end;
1869
1870 /*
1871 * At this point the client has written EndOfEarlyData, ClientFinished and
1872 * normal (fully protected) data. We are going to cause a delay between the
1873 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1874 * in the read BIO, and then just put back the EndOfEarlyData message.
1875 */
1876 rbio = SSL_get_rbio(serverssl);
1877 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1878 || !TEST_size_t_lt(rawread, sizeof(data))
1879 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1880 goto end;
1881
1882 /* Record length is in the 4th and 5th bytes of the record header */
1883 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1884 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1885 || !TEST_size_t_eq(rawwritten, eoedlen))
1886 goto end;
1887
1888 /* Server should be told that there is no more early data */
1889 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1890 &readbytes),
1891 SSL_READ_EARLY_DATA_FINISH)
1892 || !TEST_size_t_eq(readbytes, 0))
1893 goto end;
1894
1895 /*
1896 * Server has not finished init yet, so should still be able to write early
1897 * data.
1898 */
1899 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1900 &written))
1901 || !TEST_size_t_eq(written, strlen(MSG6)))
1902 goto end;
1903
1904 /* Push the ClientFinished and the normal data back into the server rbio */
1905 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1906 &rawwritten))
1907 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1908 goto end;
1909
1910 /* Server should be able to read normal data */
1911 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1912 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1913 goto end;
1914
1915 /* Client and server should not be able to write/read early data now */
1916 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1917 &written)))
1918 goto end;
1919 ERR_clear_error();
1920 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1921 &readbytes),
1922 SSL_READ_EARLY_DATA_ERROR))
1923 goto end;
1924 ERR_clear_error();
1925
1926 /* Client should be able to read the data sent by the server */
1927 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1928 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1929 goto end;
1930
1931 /*
1932 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1933 * We attempt a read which we do not expect to return any data.
1934 */
1935 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1936 goto end;
1937
1938 /* Server should be able to write normal data */
1939 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1940 || !TEST_size_t_eq(written, strlen(MSG7))
1941 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1942 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1943 goto end;
1944
1945 /* We keep the PSK session around if using PSK */
1946 if (idx != 2)
1947 SSL_SESSION_free(sess);
1948 sess = SSL_get1_session(clientssl);
1949 use_session_cb_cnt = 0;
1950 find_session_cb_cnt = 0;
1951
1952 SSL_shutdown(clientssl);
1953 SSL_shutdown(serverssl);
1954 SSL_free(serverssl);
1955 SSL_free(clientssl);
1956 serverssl = clientssl = NULL;
1957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1958 &clientssl, NULL, NULL))
1959 || !TEST_true(SSL_set_session(clientssl, sess)))
1960 goto end;
1961
1962 /* Write and read some early data */
1963 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1964 &written))
1965 || !TEST_size_t_eq(written, strlen(MSG1))
1966 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1967 &readbytes),
1968 SSL_READ_EARLY_DATA_SUCCESS)
1969 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1970 goto end;
1971
1972 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1973 || !TEST_int_gt(SSL_accept(serverssl), 0))
1974 goto end;
1975
1976 /* Client and server should not be able to write/read early data now */
1977 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1978 &written)))
1979 goto end;
1980 ERR_clear_error();
1981 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1982 &readbytes),
1983 SSL_READ_EARLY_DATA_ERROR))
1984 goto end;
1985 ERR_clear_error();
1986
1987 /* Client and server should be able to write/read normal data */
1988 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1989 || !TEST_size_t_eq(written, strlen(MSG5))
1990 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1991 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1992 goto end;
1993
1994 testresult = 1;
1995
1996 end:
1997 if (sess != clientpsk)
1998 SSL_SESSION_free(sess);
1999 SSL_SESSION_free(clientpsk);
2000 SSL_SESSION_free(serverpsk);
2001 clientpsk = serverpsk = NULL;
2002 SSL_free(serverssl);
2003 SSL_free(clientssl);
2004 SSL_CTX_free(sctx);
2005 SSL_CTX_free(cctx);
2006 return testresult;
2007 }
2008
2009 static int test_early_data_replay(int idx)
2010 {
2011 SSL_CTX *cctx = NULL, *sctx = NULL;
2012 SSL *clientssl = NULL, *serverssl = NULL;
2013 int testresult = 0;
2014 SSL_SESSION *sess = NULL;
2015
2016 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2017 &serverssl, &sess, idx)))
2018 goto end;
2019
2020 /*
2021 * The server is configured to accept early data. Create a connection to
2022 * "use up" the ticket
2023 */
2024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2025 || !TEST_true(SSL_session_reused(clientssl)))
2026 goto end;
2027
2028 SSL_shutdown(clientssl);
2029 SSL_shutdown(serverssl);
2030 SSL_free(serverssl);
2031 SSL_free(clientssl);
2032 serverssl = clientssl = NULL;
2033
2034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2035 &clientssl, NULL, NULL))
2036 || !TEST_true(SSL_set_session(clientssl, sess))
2037 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2038 SSL_ERROR_NONE))
2039 /*
2040 * This time we should not have resumed the session because we
2041 * already used it once.
2042 */
2043 || !TEST_false(SSL_session_reused(clientssl)))
2044 goto end;
2045
2046 testresult = 1;
2047
2048 end:
2049 if (sess != clientpsk)
2050 SSL_SESSION_free(sess);
2051 SSL_SESSION_free(clientpsk);
2052 SSL_SESSION_free(serverpsk);
2053 clientpsk = serverpsk = NULL;
2054 SSL_free(serverssl);
2055 SSL_free(clientssl);
2056 SSL_CTX_free(sctx);
2057 SSL_CTX_free(cctx);
2058 return testresult;
2059 }
2060
2061 /*
2062 * Helper function to test that a server attempting to read early data can
2063 * handle a connection from a client where the early data should be skipped.
2064 */
2065 static int early_data_skip_helper(int hrr, int idx)
2066 {
2067 SSL_CTX *cctx = NULL, *sctx = NULL;
2068 SSL *clientssl = NULL, *serverssl = NULL;
2069 int testresult = 0;
2070 SSL_SESSION *sess = NULL;
2071 unsigned char buf[20];
2072 size_t readbytes, written;
2073
2074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2075 &serverssl, &sess, idx)))
2076 goto end;
2077
2078 if (hrr) {
2079 /* Force an HRR to occur */
2080 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2081 goto end;
2082 } else if (idx == 2) {
2083 /*
2084 * We force early_data rejection by ensuring the PSK identity is
2085 * unrecognised
2086 */
2087 srvid = "Dummy Identity";
2088 } else {
2089 /*
2090 * Deliberately corrupt the creation time. We take 20 seconds off the
2091 * time. It could be any value as long as it is not within tolerance.
2092 * This should mean the ticket is rejected.
2093 */
2094 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2095 goto end;
2096 }
2097
2098 /* Write some early data */
2099 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2100 &written))
2101 || !TEST_size_t_eq(written, strlen(MSG1)))
2102 goto end;
2103
2104 /* Server should reject the early data and skip over it */
2105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2106 &readbytes),
2107 SSL_READ_EARLY_DATA_FINISH)
2108 || !TEST_size_t_eq(readbytes, 0)
2109 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2110 SSL_EARLY_DATA_REJECTED))
2111 goto end;
2112
2113 if (hrr) {
2114 /*
2115 * Finish off the handshake. We perform the same writes and reads as
2116 * further down but we expect them to fail due to the incomplete
2117 * handshake.
2118 */
2119 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2120 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2121 &readbytes)))
2122 goto end;
2123 }
2124
2125 /* Should be able to send normal data despite rejection of early data */
2126 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2127 || !TEST_size_t_eq(written, strlen(MSG2))
2128 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2129 SSL_EARLY_DATA_REJECTED)
2130 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2131 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2132 goto end;
2133
2134 testresult = 1;
2135
2136 end:
2137 if (sess != clientpsk)
2138 SSL_SESSION_free(clientpsk);
2139 SSL_SESSION_free(serverpsk);
2140 clientpsk = serverpsk = NULL;
2141 SSL_SESSION_free(sess);
2142 SSL_free(serverssl);
2143 SSL_free(clientssl);
2144 SSL_CTX_free(sctx);
2145 SSL_CTX_free(cctx);
2146 return testresult;
2147 }
2148
2149 /*
2150 * Test that a server attempting to read early data can handle a connection
2151 * from a client where the early data is not acceptable.
2152 */
2153 static int test_early_data_skip(int idx)
2154 {
2155 return early_data_skip_helper(0, idx);
2156 }
2157
2158 /*
2159 * Test that a server attempting to read early data can handle a connection
2160 * from a client where an HRR occurs.
2161 */
2162 static int test_early_data_skip_hrr(int idx)
2163 {
2164 return early_data_skip_helper(1, idx);
2165 }
2166
2167 /*
2168 * Test that a server attempting to read early data can handle a connection
2169 * from a client that doesn't send any.
2170 */
2171 static int test_early_data_not_sent(int idx)
2172 {
2173 SSL_CTX *cctx = NULL, *sctx = NULL;
2174 SSL *clientssl = NULL, *serverssl = NULL;
2175 int testresult = 0;
2176 SSL_SESSION *sess = NULL;
2177 unsigned char buf[20];
2178 size_t readbytes, written;
2179
2180 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2181 &serverssl, &sess, idx)))
2182 goto end;
2183
2184 /* Write some data - should block due to handshake with server */
2185 SSL_set_connect_state(clientssl);
2186 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2187 goto end;
2188
2189 /* Server should detect that early data has not been sent */
2190 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2191 &readbytes),
2192 SSL_READ_EARLY_DATA_FINISH)
2193 || !TEST_size_t_eq(readbytes, 0)
2194 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2195 SSL_EARLY_DATA_NOT_SENT)
2196 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2197 SSL_EARLY_DATA_NOT_SENT))
2198 goto end;
2199
2200 /* Continue writing the message we started earlier */
2201 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2202 || !TEST_size_t_eq(written, strlen(MSG1))
2203 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2204 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2205 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2206 || !TEST_size_t_eq(written, strlen(MSG2)))
2207 goto end;
2208
2209 /*
2210 * Should block due to the NewSessionTicket arrival unless we're using
2211 * read_ahead
2212 */
2213 if (idx != 1) {
2214 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
2215 goto end;
2216 }
2217
2218 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2219 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2220 goto end;
2221
2222 testresult = 1;
2223
2224 end:
2225 /* If using PSK then clientpsk and sess are the same */
2226 SSL_SESSION_free(sess);
2227 SSL_SESSION_free(serverpsk);
2228 clientpsk = serverpsk = NULL;
2229 SSL_free(serverssl);
2230 SSL_free(clientssl);
2231 SSL_CTX_free(sctx);
2232 SSL_CTX_free(cctx);
2233 return testresult;
2234 }
2235
2236 static int hostname_cb(SSL *s, int *al, void *arg)
2237 {
2238 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2239
2240 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
2241 return SSL_TLSEXT_ERR_OK;
2242
2243 return SSL_TLSEXT_ERR_NOACK;
2244 }
2245
2246 static const char *servalpn;
2247
2248 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2249 unsigned char *outlen, const unsigned char *in,
2250 unsigned int inlen, void *arg)
2251 {
2252 unsigned int protlen = 0;
2253 const unsigned char *prot;
2254
2255 for (prot = in; prot < in + inlen; prot += protlen) {
2256 protlen = *prot++;
2257 if (in + inlen < prot + protlen)
2258 return SSL_TLSEXT_ERR_NOACK;
2259
2260 if (protlen == strlen(servalpn)
2261 && memcmp(prot, servalpn, protlen) == 0) {
2262 *out = prot;
2263 *outlen = protlen;
2264 return SSL_TLSEXT_ERR_OK;
2265 }
2266 }
2267
2268 return SSL_TLSEXT_ERR_NOACK;
2269 }
2270
2271 /* Test that a PSK can be used to send early_data */
2272 static int test_early_data_psk(int idx)
2273 {
2274 SSL_CTX *cctx = NULL, *sctx = NULL;
2275 SSL *clientssl = NULL, *serverssl = NULL;
2276 int testresult = 0;
2277 SSL_SESSION *sess = NULL;
2278 unsigned char alpnlist[] = {
2279 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2280 'l', 'p', 'n'
2281 };
2282 #define GOODALPNLEN 9
2283 #define BADALPNLEN 8
2284 #define GOODALPN (alpnlist)
2285 #define BADALPN (alpnlist + GOODALPNLEN)
2286 int err = 0;
2287 unsigned char buf[20];
2288 size_t readbytes, written;
2289 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2290 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2291
2292 /* We always set this up with a final parameter of "2" for PSK */
2293 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2294 &serverssl, &sess, 2)))
2295 goto end;
2296
2297 servalpn = "goodalpn";
2298
2299 /*
2300 * Note: There is no test for inconsistent SNI with late client detection.
2301 * This is because servers do not acknowledge SNI even if they are using
2302 * it in a resumption handshake - so it is not actually possible for a
2303 * client to detect a problem.
2304 */
2305 switch (idx) {
2306 case 0:
2307 /* Set inconsistent SNI (early client detection) */
2308 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2309 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2310 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2311 goto end;
2312 break;
2313
2314 case 1:
2315 /* Set inconsistent ALPN (early client detection) */
2316 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2317 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2318 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2319 GOODALPNLEN))
2320 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2321 BADALPNLEN)))
2322 goto end;
2323 break;
2324
2325 case 2:
2326 /*
2327 * Set invalid protocol version. Technically this affects PSKs without
2328 * early_data too, but we test it here because it is similar to the
2329 * SNI/ALPN consistency tests.
2330 */
2331 err = SSL_R_BAD_PSK;
2332 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2333 goto end;
2334 break;
2335
2336 case 3:
2337 /*
2338 * Set inconsistent SNI (server detected). In this case the connection
2339 * will succeed but reject early_data.
2340 */
2341 SSL_SESSION_free(serverpsk);
2342 serverpsk = SSL_SESSION_dup(clientpsk);
2343 if (!TEST_ptr(serverpsk)
2344 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2345 goto end;
2346 edstatus = SSL_EARLY_DATA_REJECTED;
2347 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2348 /* Fall through */
2349 case 4:
2350 /* Set consistent SNI */
2351 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2352 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2353 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2354 hostname_cb)))
2355 goto end;
2356 break;
2357
2358 case 5:
2359 /*
2360 * Set inconsistent ALPN (server detected). In this case the connection
2361 * will succeed but reject early_data.
2362 */
2363 servalpn = "badalpn";
2364 edstatus = SSL_EARLY_DATA_REJECTED;
2365 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2366 /* Fall through */
2367 case 6:
2368 /*
2369 * Set consistent ALPN.
2370 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2371 * accepts a list of protos (each one length prefixed).
2372 * SSL_set1_alpn_selected accepts a single protocol (not length
2373 * prefixed)
2374 */
2375 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2376 GOODALPNLEN - 1))
2377 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2378 GOODALPNLEN)))
2379 goto end;
2380
2381 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2382 break;
2383
2384 case 7:
2385 /* Set inconsistent ALPN (late client detection) */
2386 SSL_SESSION_free(serverpsk);
2387 serverpsk = SSL_SESSION_dup(clientpsk);
2388 if (!TEST_ptr(serverpsk)
2389 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2390 BADALPN + 1,
2391 BADALPNLEN - 1))
2392 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2393 GOODALPN + 1,
2394 GOODALPNLEN - 1))
2395 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2396 sizeof(alpnlist))))
2397 goto end;
2398 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2399 edstatus = SSL_EARLY_DATA_ACCEPTED;
2400 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2401 /* SSL_connect() call should fail */
2402 connectres = -1;
2403 break;
2404
2405 default:
2406 TEST_error("Bad test index");
2407 goto end;
2408 }
2409
2410 SSL_set_connect_state(clientssl);
2411 if (err != 0) {
2412 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2413 &written))
2414 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2415 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2416 goto end;
2417 } else {
2418 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2419 &written)))
2420 goto end;
2421
2422 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2423 &readbytes), readearlyres)
2424 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2425 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2426 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2427 || !TEST_int_eq(SSL_connect(clientssl), connectres))
2428 goto end;
2429 }
2430
2431 testresult = 1;
2432
2433 end:
2434 SSL_SESSION_free(clientpsk);
2435 SSL_SESSION_free(serverpsk);
2436 clientpsk = serverpsk = NULL;
2437 SSL_free(serverssl);
2438 SSL_free(clientssl);
2439 SSL_CTX_free(sctx);
2440 SSL_CTX_free(cctx);
2441 return testresult;
2442 }
2443
2444 /*
2445 * Test that a server that doesn't try to read early data can handle a
2446 * client sending some.
2447 */
2448 static int test_early_data_not_expected(int idx)
2449 {
2450 SSL_CTX *cctx = NULL, *sctx = NULL;
2451 SSL *clientssl = NULL, *serverssl = NULL;
2452 int testresult = 0;
2453 SSL_SESSION *sess = NULL;
2454 unsigned char buf[20];
2455 size_t readbytes, written;
2456
2457 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2458 &serverssl, &sess, idx)))
2459 goto end;
2460
2461 /* Write some early data */
2462 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2463 &written)))
2464 goto end;
2465
2466 /*
2467 * Server should skip over early data and then block waiting for client to
2468 * continue handshake
2469 */
2470 if (!TEST_int_le(SSL_accept(serverssl), 0)
2471 || !TEST_int_gt(SSL_connect(clientssl), 0)
2472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2473 SSL_EARLY_DATA_REJECTED)
2474 || !TEST_int_gt(SSL_accept(serverssl), 0)
2475 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2476 SSL_EARLY_DATA_REJECTED))
2477 goto end;
2478
2479 /* Send some normal data from client to server */
2480 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2481 || !TEST_size_t_eq(written, strlen(MSG2)))
2482 goto end;
2483
2484 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2485 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2486 goto end;
2487
2488 testresult = 1;
2489
2490 end:
2491 /* If using PSK then clientpsk and sess are the same */
2492 SSL_SESSION_free(sess);
2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
2495 SSL_free(serverssl);
2496 SSL_free(clientssl);
2497 SSL_CTX_free(sctx);
2498 SSL_CTX_free(cctx);
2499 return testresult;
2500 }
2501
2502
2503 # ifndef OPENSSL_NO_TLS1_2
2504 /*
2505 * Test that a server attempting to read early data can handle a connection
2506 * from a TLSv1.2 client.
2507 */
2508 static int test_early_data_tls1_2(int idx)
2509 {
2510 SSL_CTX *cctx = NULL, *sctx = NULL;
2511 SSL *clientssl = NULL, *serverssl = NULL;
2512 int testresult = 0;
2513 unsigned char buf[20];
2514 size_t readbytes, written;
2515
2516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2517 &serverssl, NULL, idx)))
2518 goto end;
2519
2520 /* Write some data - should block due to handshake with server */
2521 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2522 SSL_set_connect_state(clientssl);
2523 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2524 goto end;
2525
2526 /*
2527 * Server should do TLSv1.2 handshake. First it will block waiting for more
2528 * messages from client after ServerDone. Then SSL_read_early_data should
2529 * finish and detect that early data has not been sent
2530 */
2531 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2532 &readbytes),
2533 SSL_READ_EARLY_DATA_ERROR))
2534 goto end;
2535
2536 /*
2537 * Continue writing the message we started earlier. Will still block waiting
2538 * for the CCS/Finished from server
2539 */
2540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2541 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2542 &readbytes),
2543 SSL_READ_EARLY_DATA_FINISH)
2544 || !TEST_size_t_eq(readbytes, 0)
2545 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2546 SSL_EARLY_DATA_NOT_SENT))
2547 goto end;
2548
2549 /* Continue writing the message we started earlier */
2550 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2551 || !TEST_size_t_eq(written, strlen(MSG1))
2552 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2553 SSL_EARLY_DATA_NOT_SENT)
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2556 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2557 || !TEST_size_t_eq(written, strlen(MSG2))
2558 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2559 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2560 goto end;
2561
2562 testresult = 1;
2563
2564 end:
2565 /* If using PSK then clientpsk and sess are the same */
2566 SSL_SESSION_free(clientpsk);
2567 SSL_SESSION_free(serverpsk);
2568 clientpsk = serverpsk = NULL;
2569 SSL_free(serverssl);
2570 SSL_free(clientssl);
2571 SSL_CTX_free(sctx);
2572 SSL_CTX_free(cctx);
2573
2574 return testresult;
2575 }
2576 # endif /* OPENSSL_NO_TLS1_2 */
2577
2578 /*
2579 * Test configuring the TLSv1.3 ciphersuites
2580 *
2581 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2582 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2583 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2584 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2585 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2586 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2587 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2588 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2589 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2590 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2591 */
2592 static int test_set_ciphersuite(int idx)
2593 {
2594 SSL_CTX *cctx = NULL, *sctx = NULL;
2595 SSL *clientssl = NULL, *serverssl = NULL;
2596 int testresult = 0;
2597
2598 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2599 TLS1_VERSION, TLS_MAX_VERSION,
2600 &sctx, &cctx, cert, privkey))
2601 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2602 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2603 goto end;
2604
2605 if (idx >=4 && idx <= 7) {
2606 /* SSL_CTX explicit cipher list */
2607 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2608 goto end;
2609 }
2610
2611 if (idx == 0 || idx == 4) {
2612 /* Default ciphersuite */
2613 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2614 "TLS_AES_128_GCM_SHA256")))
2615 goto end;
2616 } else if (idx == 1 || idx == 5) {
2617 /* Non default ciphersuite */
2618 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2619 "TLS_AES_128_CCM_SHA256")))
2620 goto end;
2621 }
2622
2623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2624 &clientssl, NULL, NULL)))
2625 goto end;
2626
2627 if (idx == 8 || idx == 9) {
2628 /* SSL explicit cipher list */
2629 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2630 goto end;
2631 }
2632
2633 if (idx == 2 || idx == 6 || idx == 8) {
2634 /* Default ciphersuite */
2635 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2636 "TLS_AES_128_GCM_SHA256")))
2637 goto end;
2638 } else if (idx == 3 || idx == 7 || idx == 9) {
2639 /* Non default ciphersuite */
2640 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2641 "TLS_AES_128_CCM_SHA256")))
2642 goto end;
2643 }
2644
2645 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2646 goto end;
2647
2648 testresult = 1;
2649
2650 end:
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2653 SSL_CTX_free(sctx);
2654 SSL_CTX_free(cctx);
2655
2656 return testresult;
2657 }
2658
2659 static int test_ciphersuite_change(void)
2660 {
2661 SSL_CTX *cctx = NULL, *sctx = NULL;
2662 SSL *clientssl = NULL, *serverssl = NULL;
2663 SSL_SESSION *clntsess = NULL;
2664 int testresult = 0;
2665 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2666
2667 /* Create a session based on SHA-256 */
2668 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2669 TLS1_VERSION, TLS_MAX_VERSION,
2670 &sctx, &cctx, cert, privkey))
2671 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2672 "TLS_AES_128_GCM_SHA256"))
2673 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2674 &clientssl, NULL, NULL))
2675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2676 SSL_ERROR_NONE)))
2677 goto end;
2678
2679 clntsess = SSL_get1_session(clientssl);
2680 /* Save for later */
2681 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2682 SSL_shutdown(clientssl);
2683 SSL_shutdown(serverssl);
2684 SSL_free(serverssl);
2685 SSL_free(clientssl);
2686 serverssl = clientssl = NULL;
2687
2688 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2689 /* Check we can resume a session with a different SHA-256 ciphersuite */
2690 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2691 "TLS_CHACHA20_POLY1305_SHA256"))
2692 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2693 NULL, NULL))
2694 || !TEST_true(SSL_set_session(clientssl, clntsess))
2695 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2696 SSL_ERROR_NONE))
2697 || !TEST_true(SSL_session_reused(clientssl)))
2698 goto end;
2699
2700 SSL_SESSION_free(clntsess);
2701 clntsess = SSL_get1_session(clientssl);
2702 SSL_shutdown(clientssl);
2703 SSL_shutdown(serverssl);
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 serverssl = clientssl = NULL;
2707 # endif
2708
2709 /*
2710 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
2711 * succeeds but does not resume.
2712 */
2713 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2714 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2715 NULL, NULL))
2716 || !TEST_true(SSL_set_session(clientssl, clntsess))
2717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2718 SSL_ERROR_SSL))
2719 || !TEST_false(SSL_session_reused(clientssl)))
2720 goto end;
2721
2722 SSL_SESSION_free(clntsess);
2723 clntsess = NULL;
2724 SSL_shutdown(clientssl);
2725 SSL_shutdown(serverssl);
2726 SSL_free(serverssl);
2727 SSL_free(clientssl);
2728 serverssl = clientssl = NULL;
2729
2730 /* Create a session based on SHA384 */
2731 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
2732 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2733 &clientssl, NULL, NULL))
2734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2735 SSL_ERROR_NONE)))
2736 goto end;
2737
2738 clntsess = SSL_get1_session(clientssl);
2739 SSL_shutdown(clientssl);
2740 SSL_shutdown(serverssl);
2741 SSL_free(serverssl);
2742 SSL_free(clientssl);
2743 serverssl = clientssl = NULL;
2744
2745 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2746 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2747 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2748 "TLS_AES_256_GCM_SHA384"))
2749 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2750 NULL, NULL))
2751 || !TEST_true(SSL_set_session(clientssl, clntsess))
2752 /*
2753 * We use SSL_ERROR_WANT_READ below so that we can pause the
2754 * connection after the initial ClientHello has been sent to
2755 * enable us to make some session changes.
2756 */
2757 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2758 SSL_ERROR_WANT_READ)))
2759 goto end;
2760
2761 /* Trick the client into thinking this session is for a different digest */
2762 clntsess->cipher = aes_128_gcm_sha256;
2763 clntsess->cipher_id = clntsess->cipher->id;
2764
2765 /*
2766 * Continue the previously started connection. Server has selected a SHA-384
2767 * ciphersuite, but client thinks the session is for SHA-256, so it should
2768 * bail out.
2769 */
2770 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2771 SSL_ERROR_SSL))
2772 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2773 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2774 goto end;
2775
2776 testresult = 1;
2777
2778 end:
2779 SSL_SESSION_free(clntsess);
2780 SSL_free(serverssl);
2781 SSL_free(clientssl);
2782 SSL_CTX_free(sctx);
2783 SSL_CTX_free(cctx);
2784
2785 return testresult;
2786 }
2787
2788 static int test_tls13_psk(int idx)
2789 {
2790 SSL_CTX *sctx = NULL, *cctx = NULL;
2791 SSL *serverssl = NULL, *clientssl = NULL;
2792 const SSL_CIPHER *cipher = NULL;
2793 const unsigned char key[] = {
2794 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2795 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2796 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2797 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2798 };
2799 int testresult = 0;
2800
2801 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2802 TLS1_VERSION, TLS_MAX_VERSION,
2803 &sctx, &cctx, cert, privkey)))
2804 goto end;
2805
2806 /*
2807 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2808 * which will always default to SHA256
2809 */
2810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
2811 goto end;
2812
2813 /*
2814 * Test 0: New style callbacks only
2815 * Test 1: New and old style callbacks (only the new ones should be used)
2816 * Test 2: Old style callbacks only
2817 */
2818 if (idx == 0 || idx == 1) {
2819 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2820 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2821 }
2822 #ifndef OPENSSL_NO_PSK
2823 if (idx == 1 || idx == 2) {
2824 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2825 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2826 }
2827 #endif
2828 srvid = pskid;
2829 use_session_cb_cnt = 0;
2830 find_session_cb_cnt = 0;
2831 psk_client_cb_cnt = 0;
2832 psk_server_cb_cnt = 0;
2833
2834 /* Check we can create a connection if callback decides not to send a PSK */
2835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2836 NULL, NULL))
2837 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2838 SSL_ERROR_NONE))
2839 || !TEST_false(SSL_session_reused(clientssl))
2840 || !TEST_false(SSL_session_reused(serverssl)))
2841 goto end;
2842
2843 if (idx == 0 || idx == 1) {
2844 if (!TEST_true(use_session_cb_cnt == 1)
2845 || !TEST_true(find_session_cb_cnt == 0)
2846 /*
2847 * If no old style callback then below should be 0
2848 * otherwise 1
2849 */
2850 || !TEST_true(psk_client_cb_cnt == idx)
2851 || !TEST_true(psk_server_cb_cnt == 0))
2852 goto end;
2853 } else {
2854 if (!TEST_true(use_session_cb_cnt == 0)
2855 || !TEST_true(find_session_cb_cnt == 0)
2856 || !TEST_true(psk_client_cb_cnt == 1)
2857 || !TEST_true(psk_server_cb_cnt == 0))
2858 goto end;
2859 }
2860
2861 shutdown_ssl_connection(serverssl, clientssl);
2862 serverssl = clientssl = NULL;
2863 use_session_cb_cnt = psk_client_cb_cnt = 0;
2864
2865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2866 NULL, NULL)))
2867 goto end;
2868
2869 /* Create the PSK */
2870 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
2871 clientpsk = SSL_SESSION_new();
2872 if (!TEST_ptr(clientpsk)
2873 || !TEST_ptr(cipher)
2874 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2875 sizeof(key)))
2876 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2877 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2878 TLS1_3_VERSION))
2879 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2880 goto end;
2881 serverpsk = clientpsk;
2882
2883 /* Check we can create a connection and the PSK is used */
2884 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2885 || !TEST_true(SSL_session_reused(clientssl))
2886 || !TEST_true(SSL_session_reused(serverssl)))
2887 goto end;
2888
2889 if (idx == 0 || idx == 1) {
2890 if (!TEST_true(use_session_cb_cnt == 1)
2891 || !TEST_true(find_session_cb_cnt == 1)
2892 || !TEST_true(psk_client_cb_cnt == 0)
2893 || !TEST_true(psk_server_cb_cnt == 0))
2894 goto end;
2895 } else {
2896 if (!TEST_true(use_session_cb_cnt == 0)
2897 || !TEST_true(find_session_cb_cnt == 0)
2898 || !TEST_true(psk_client_cb_cnt == 1)
2899 || !TEST_true(psk_server_cb_cnt == 1))
2900 goto end;
2901 }
2902
2903 shutdown_ssl_connection(serverssl, clientssl);
2904 serverssl = clientssl = NULL;
2905 use_session_cb_cnt = find_session_cb_cnt = 0;
2906 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2907
2908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2909 NULL, NULL)))
2910 goto end;
2911
2912 /* Force an HRR */
2913 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2914 goto end;
2915
2916 /*
2917 * Check we can create a connection, the PSK is used and the callbacks are
2918 * called twice.
2919 */
2920 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2921 || !TEST_true(SSL_session_reused(clientssl))
2922 || !TEST_true(SSL_session_reused(serverssl)))
2923 goto end;
2924
2925 if (idx == 0 || idx == 1) {
2926 if (!TEST_true(use_session_cb_cnt == 2)
2927 || !TEST_true(find_session_cb_cnt == 2)
2928 || !TEST_true(psk_client_cb_cnt == 0)
2929 || !TEST_true(psk_server_cb_cnt == 0))
2930 goto end;
2931 } else {
2932 if (!TEST_true(use_session_cb_cnt == 0)
2933 || !TEST_true(find_session_cb_cnt == 0)
2934 || !TEST_true(psk_client_cb_cnt == 2)
2935 || !TEST_true(psk_server_cb_cnt == 2))
2936 goto end;
2937 }
2938
2939 shutdown_ssl_connection(serverssl, clientssl);
2940 serverssl = clientssl = NULL;
2941 use_session_cb_cnt = find_session_cb_cnt = 0;
2942 psk_client_cb_cnt = psk_server_cb_cnt = 0;
2943
2944 /*
2945 * Check that if the server rejects the PSK we can still connect, but with
2946 * a full handshake
2947 */
2948 srvid = "Dummy Identity";
2949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2950 NULL, NULL))
2951 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2952 SSL_ERROR_NONE))
2953 || !TEST_false(SSL_session_reused(clientssl))
2954 || !TEST_false(SSL_session_reused(serverssl)))
2955 goto end;
2956
2957 if (idx == 0 || idx == 1) {
2958 if (!TEST_true(use_session_cb_cnt == 1)
2959 || !TEST_true(find_session_cb_cnt == 1)
2960 || !TEST_true(psk_client_cb_cnt == 0)
2961 /*
2962 * If no old style callback then below should be 0
2963 * otherwise 1
2964 */
2965 || !TEST_true(psk_server_cb_cnt == idx))
2966 goto end;
2967 } else {
2968 if (!TEST_true(use_session_cb_cnt == 0)
2969 || !TEST_true(find_session_cb_cnt == 0)
2970 || !TEST_true(psk_client_cb_cnt == 1)
2971 || !TEST_true(psk_server_cb_cnt == 1))
2972 goto end;
2973 }
2974
2975 shutdown_ssl_connection(serverssl, clientssl);
2976 serverssl = clientssl = NULL;
2977 testresult = 1;
2978
2979 end:
2980 SSL_SESSION_free(clientpsk);
2981 SSL_SESSION_free(serverpsk);
2982 clientpsk = serverpsk = NULL;
2983 SSL_free(serverssl);
2984 SSL_free(clientssl);
2985 SSL_CTX_free(sctx);
2986 SSL_CTX_free(cctx);
2987 return testresult;
2988 }
2989
2990 static unsigned char cookie_magic_value[] = "cookie magic";
2991
2992 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2993 unsigned int *cookie_len)
2994 {
2995 /*
2996 * Not suitable as a real cookie generation function but good enough for
2997 * testing!
2998 */
2999 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3000 *cookie_len = sizeof(cookie_magic_value) - 1;
3001
3002 return 1;
3003 }
3004
3005 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3006 unsigned int cookie_len)
3007 {
3008 if (cookie_len == sizeof(cookie_magic_value) - 1
3009 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3010 return 1;
3011
3012 return 0;
3013 }
3014
3015 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3016 size_t *cookie_len)
3017 {
3018 unsigned int temp;
3019 int res = generate_cookie_callback(ssl, cookie, &temp);
3020 *cookie_len = temp;
3021 return res;
3022 }
3023
3024 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3025 size_t cookie_len)
3026 {
3027 return verify_cookie_callback(ssl, cookie, cookie_len);
3028 }
3029
3030 static int test_stateless(void)
3031 {
3032 SSL_CTX *sctx = NULL, *cctx = NULL;
3033 SSL *serverssl = NULL, *clientssl = NULL;
3034 int testresult = 0;
3035
3036 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3037 TLS1_VERSION, TLS_MAX_VERSION,
3038 &sctx, &cctx, cert, privkey)))
3039 goto end;
3040
3041 /* The arrival of CCS messages can confuse the test */
3042 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3043
3044 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3045 NULL, NULL))
3046 /* Send the first ClientHello */
3047 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3048 SSL_ERROR_WANT_READ))
3049 /*
3050 * This should fail with a -1 return because we have no callbacks
3051 * set up
3052 */
3053 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3054 goto end;
3055
3056 /* Fatal error so abandon the connection from this client */
3057 SSL_free(clientssl);
3058 clientssl = NULL;
3059
3060 /* Set up the cookie generation and verification callbacks */
3061 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3062 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3063
3064 /*
3065 * Create a new connection from the client (we can reuse the server SSL
3066 * object).
3067 */
3068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3069 NULL, NULL))
3070 /* Send the first ClientHello */
3071 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3072 SSL_ERROR_WANT_READ))
3073 /* This should fail because there is no cookie */
3074 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3075 goto end;
3076
3077 /* Abandon the connection from this client */
3078 SSL_free(clientssl);
3079 clientssl = NULL;
3080
3081 /*
3082 * Now create a connection from a new client but with the same server SSL
3083 * object
3084 */
3085 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3086 NULL, NULL))
3087 /* Send the first ClientHello */
3088 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3089 SSL_ERROR_WANT_READ))
3090 /* This should fail because there is no cookie */
3091 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3092 /* Send the second ClientHello */
3093 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3094 SSL_ERROR_WANT_READ))
3095 /* This should succeed because a cookie is now present */
3096 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3097 /* Complete the connection */
3098 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3099 SSL_ERROR_NONE)))
3100 goto end;
3101
3102 shutdown_ssl_connection(serverssl, clientssl);
3103 serverssl = clientssl = NULL;
3104 testresult = 1;
3105
3106 end:
3107 SSL_free(serverssl);
3108 SSL_free(clientssl);
3109 SSL_CTX_free(sctx);
3110 SSL_CTX_free(cctx);
3111 return testresult;
3112
3113 }
3114 #endif /* OPENSSL_NO_TLS1_3 */
3115
3116 static int clntaddoldcb = 0;
3117 static int clntparseoldcb = 0;
3118 static int srvaddoldcb = 0;
3119 static int srvparseoldcb = 0;
3120 static int clntaddnewcb = 0;
3121 static int clntparsenewcb = 0;
3122 static int srvaddnewcb = 0;
3123 static int srvparsenewcb = 0;
3124 static int snicb = 0;
3125
3126 #define TEST_EXT_TYPE1 0xff00
3127
3128 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3129 size_t *outlen, int *al, void *add_arg)
3130 {
3131 int *server = (int *)add_arg;
3132 unsigned char *data;
3133
3134 if (SSL_is_server(s))
3135 srvaddoldcb++;
3136 else
3137 clntaddoldcb++;
3138
3139 if (*server != SSL_is_server(s)
3140 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3141 return -1;
3142
3143 *data = 1;
3144 *out = data;
3145 *outlen = sizeof(char);
3146 return 1;
3147 }
3148
3149 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3150 void *add_arg)
3151 {
3152 OPENSSL_free((unsigned char *)out);
3153 }
3154
3155 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3156 size_t inlen, int *al, void *parse_arg)
3157 {
3158 int *server = (int *)parse_arg;
3159
3160 if (SSL_is_server(s))
3161 srvparseoldcb++;
3162 else
3163 clntparseoldcb++;
3164
3165 if (*server != SSL_is_server(s)
3166 || inlen != sizeof(char)
3167 || *in != 1)
3168 return -1;
3169
3170 return 1;
3171 }
3172
3173 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3174 const unsigned char **out, size_t *outlen, X509 *x,
3175 size_t chainidx, int *al, void *add_arg)
3176 {
3177 int *server = (int *)add_arg;
3178 unsigned char *data;
3179
3180 if (SSL_is_server(s))
3181 srvaddnewcb++;
3182 else
3183 clntaddnewcb++;
3184
3185 if (*server != SSL_is_server(s)
3186 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3187 return -1;
3188
3189 *data = 1;
3190 *out = data;
3191 *outlen = sizeof(*data);
3192 return 1;
3193 }
3194
3195 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3196 const unsigned char *out, void *add_arg)
3197 {
3198 OPENSSL_free((unsigned char *)out);
3199 }
3200
3201 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3202 const unsigned char *in, size_t inlen, X509 *x,
3203 size_t chainidx, int *al, void *parse_arg)
3204 {
3205 int *server = (int *)parse_arg;
3206
3207 if (SSL_is_server(s))
3208 srvparsenewcb++;
3209 else
3210 clntparsenewcb++;
3211
3212 if (*server != SSL_is_server(s)
3213 || inlen != sizeof(char) || *in != 1)
3214 return -1;
3215
3216 return 1;
3217 }
3218
3219 static int sni_cb(SSL *s, int *al, void *arg)
3220 {
3221 SSL_CTX *ctx = (SSL_CTX *)arg;
3222
3223 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3224 *al = SSL_AD_INTERNAL_ERROR;
3225 return SSL_TLSEXT_ERR_ALERT_FATAL;
3226 }
3227 snicb++;
3228 return SSL_TLSEXT_ERR_OK;
3229 }
3230
3231 /*
3232 * Custom call back tests.
3233 * Test 0: Old style callbacks in TLSv1.2
3234 * Test 1: New style callbacks in TLSv1.2
3235 * Test 2: New style callbacks in TLSv1.2 with SNI
3236 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3237 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
3238 */
3239 static int test_custom_exts(int tst)
3240 {
3241 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3242 SSL *clientssl = NULL, *serverssl = NULL;
3243 int testresult = 0;
3244 static int server = 1;
3245 static int client = 0;
3246 SSL_SESSION *sess = NULL;
3247 unsigned int context;
3248
3249 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3250 /* Skip tests for TLSv1.2 and below in this case */
3251 if (tst < 3)
3252 return 1;
3253 #endif
3254
3255 /* Reset callback counters */
3256 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3257 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
3258 snicb = 0;
3259
3260 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3261 TLS1_VERSION, TLS_MAX_VERSION,
3262 &sctx, &cctx, cert, privkey)))
3263 goto end;
3264
3265 if (tst == 2
3266 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3267 TLS1_VERSION, TLS_MAX_VERSION,
3268 &sctx2, NULL, cert, privkey)))
3269 goto end;
3270
3271
3272 if (tst < 3) {
3273 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3274 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
3275 if (sctx2 != NULL)
3276 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
3277 }
3278
3279 if (tst == 4) {
3280 context = SSL_EXT_CLIENT_HELLO
3281 | SSL_EXT_TLS1_2_SERVER_HELLO
3282 | SSL_EXT_TLS1_3_SERVER_HELLO
3283 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3284 | SSL_EXT_TLS1_3_CERTIFICATE
3285 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3286 } else {
3287 context = SSL_EXT_CLIENT_HELLO
3288 | SSL_EXT_TLS1_2_SERVER_HELLO
3289 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3290 }
3291
3292 /* Create a client side custom extension */
3293 if (tst == 0) {
3294 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3295 old_add_cb, old_free_cb,
3296 &client, old_parse_cb,
3297 &client)))
3298 goto end;
3299 } else {
3300 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3301 new_add_cb, new_free_cb,
3302 &client, new_parse_cb, &client)))
3303 goto end;
3304 }
3305
3306 /* Should not be able to add duplicates */
3307 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3308 old_add_cb, old_free_cb,
3309 &client, old_parse_cb,
3310 &client))
3311 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3312 context, new_add_cb,
3313 new_free_cb, &client,
3314 new_parse_cb, &client)))
3315 goto end;
3316
3317 /* Create a server side custom extension */
3318 if (tst == 0) {
3319 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3320 old_add_cb, old_free_cb,
3321 &server, old_parse_cb,
3322 &server)))
3323 goto end;
3324 } else {
3325 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3326 new_add_cb, new_free_cb,
3327 &server, new_parse_cb, &server)))
3328 goto end;
3329 if (sctx2 != NULL
3330 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3331 context, new_add_cb,
3332 new_free_cb, &server,
3333 new_parse_cb, &server)))
3334 goto end;
3335 }
3336
3337 /* Should not be able to add duplicates */
3338 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3339 old_add_cb, old_free_cb,
3340 &server, old_parse_cb,
3341 &server))
3342 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3343 context, new_add_cb,
3344 new_free_cb, &server,
3345 new_parse_cb, &server)))
3346 goto end;
3347
3348 if (tst == 2) {
3349 /* Set up SNI */
3350 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3351 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3352 goto end;
3353 }
3354
3355 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3356 &clientssl, NULL, NULL))
3357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3358 SSL_ERROR_NONE)))
3359 goto end;
3360
3361 if (tst == 0) {
3362 if (clntaddoldcb != 1
3363 || clntparseoldcb != 1
3364 || srvaddoldcb != 1
3365 || srvparseoldcb != 1)
3366 goto end;
3367 } else if (tst == 1 || tst == 2 || tst == 3) {
3368 if (clntaddnewcb != 1
3369 || clntparsenewcb != 1
3370 || srvaddnewcb != 1
3371 || srvparsenewcb != 1
3372 || (tst != 2 && snicb != 0)
3373 || (tst == 2 && snicb != 1))
3374 goto end;
3375 } else {
3376 if (clntaddnewcb != 1
3377 || clntparsenewcb != 4
3378 || srvaddnewcb != 4
3379 || srvparsenewcb != 1)
3380 goto end;
3381 }
3382
3383 sess = SSL_get1_session(clientssl);
3384 SSL_shutdown(clientssl);
3385 SSL_shutdown(serverssl);
3386 SSL_free(serverssl);
3387 SSL_free(clientssl);
3388 serverssl = clientssl = NULL;
3389
3390 if (tst == 3) {
3391 /* We don't bother with the resumption aspects for this test */
3392 testresult = 1;
3393 goto end;
3394 }
3395
3396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3397 NULL, NULL))
3398 || !TEST_true(SSL_set_session(clientssl, sess))
3399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3400 SSL_ERROR_NONE)))
3401 goto end;
3402
3403 /*
3404 * For a resumed session we expect to add the ClientHello extension. For the
3405 * old style callbacks we ignore it on the server side because they set
3406 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3407 * them.
3408 */
3409 if (tst == 0) {
3410 if (clntaddoldcb != 2
3411 || clntparseoldcb != 1
3412 || srvaddoldcb != 1
3413 || srvparseoldcb != 1)
3414 goto end;
3415 } else if (tst == 1 || tst == 2 || tst == 3) {
3416 if (clntaddnewcb != 2
3417 || clntparsenewcb != 2
3418 || srvaddnewcb != 2
3419 || srvparsenewcb != 2)
3420 goto end;
3421 } else {
3422 /* No Certificate message extensions in the resumption handshake */
3423 if (clntaddnewcb != 2
3424 || clntparsenewcb != 7
3425 || srvaddnewcb != 7
3426 || srvparsenewcb != 2)
3427 goto end;
3428 }
3429
3430 testresult = 1;
3431
3432 end:
3433 SSL_SESSION_free(sess);
3434 SSL_free(serverssl);
3435 SSL_free(clientssl);
3436 SSL_CTX_free(sctx2);
3437 SSL_CTX_free(sctx);
3438 SSL_CTX_free(cctx);
3439 return testresult;
3440 }
3441
3442 /*
3443 * Test loading of serverinfo data in various formats. test_sslmessages actually
3444 * tests to make sure the extensions appear in the handshake
3445 */
3446 static int test_serverinfo(int tst)
3447 {
3448 unsigned int version;
3449 unsigned char *sibuf;
3450 size_t sibuflen;
3451 int ret, expected, testresult = 0;
3452 SSL_CTX *ctx;
3453
3454 ctx = SSL_CTX_new(TLS_method());
3455 if (!TEST_ptr(ctx))
3456 goto end;
3457
3458 if ((tst & 0x01) == 0x01)
3459 version = SSL_SERVERINFOV2;
3460 else
3461 version = SSL_SERVERINFOV1;
3462
3463 if ((tst & 0x02) == 0x02) {
3464 sibuf = serverinfov2;
3465 sibuflen = sizeof(serverinfov2);
3466 expected = (version == SSL_SERVERINFOV2);
3467 } else {
3468 sibuf = serverinfov1;
3469 sibuflen = sizeof(serverinfov1);
3470 expected = (version == SSL_SERVERINFOV1);
3471 }
3472
3473 if ((tst & 0x04) == 0x04) {
3474 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3475 } else {
3476 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3477
3478 /*
3479 * The version variable is irrelevant in this case - it's what is in the
3480 * buffer that matters
3481 */
3482 if ((tst & 0x02) == 0x02)
3483 expected = 0;
3484 else
3485 expected = 1;
3486 }
3487
3488 if (!TEST_true(ret == expected))
3489 goto end;
3490
3491 testresult = 1;
3492
3493 end:
3494 SSL_CTX_free(ctx);
3495
3496 return testresult;
3497 }
3498
3499 /*
3500 * Test that SSL_export_keying_material() produces expected results. There are
3501 * no test vectors so all we do is test that both sides of the communication
3502 * produce the same results for different protocol versions.
3503 */
3504 static int test_export_key_mat(int tst)
3505 {
3506 int testresult = 0;
3507 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3508 SSL *clientssl = NULL, *serverssl = NULL;
3509 const char label[] = "test label";
3510 const unsigned char context[] = "context";
3511 const unsigned char *emptycontext = NULL;
3512 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3513 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
3514 const int protocols[] = {
3515 TLS1_VERSION,
3516 TLS1_1_VERSION,
3517 TLS1_2_VERSION,
3518 TLS1_3_VERSION
3519 };
3520
3521 #ifdef OPENSSL_NO_TLS1
3522 if (tst == 0)
3523 return 1;
3524 #endif
3525 #ifdef OPENSSL_NO_TLS1_1
3526 if (tst == 1)
3527 return 1;
3528 #endif
3529 #ifdef OPENSSL_NO_TLS1_2
3530 if (tst == 2)
3531 return 1;
3532 #endif
3533 #ifdef OPENSSL_NO_TLS1_3
3534 if (tst == 3)
3535 return 1;
3536 #endif
3537 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3538 TLS1_VERSION, TLS_MAX_VERSION,
3539 &sctx, &cctx, cert, privkey)))
3540 goto end;
3541
3542 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3543 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3544 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
3545
3546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3547 NULL))
3548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3549 SSL_ERROR_NONE)))
3550 goto end;
3551
3552 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3553 sizeof(ckeymat1), label,
3554 sizeof(label) - 1, context,
3555 sizeof(context) - 1, 1), 1)
3556 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3557 sizeof(ckeymat2), label,
3558 sizeof(label) - 1,
3559 emptycontext,
3560 0, 1), 1)
3561 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3562 sizeof(ckeymat3), label,
3563 sizeof(label) - 1,
3564 NULL, 0, 0), 1)
3565 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3566 sizeof(skeymat1), label,
3567 sizeof(label) - 1,
3568 context,
3569 sizeof(context) -1, 1),
3570 1)
3571 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3572 sizeof(skeymat2), label,
3573 sizeof(label) - 1,
3574 emptycontext,
3575 0, 1), 1)
3576 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3577 sizeof(skeymat3), label,
3578 sizeof(label) - 1,
3579 NULL, 0, 0), 1)
3580 /*
3581 * Check that both sides created the same key material with the
3582 * same context.
3583 */
3584 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3585 sizeof(skeymat1))
3586 /*
3587 * Check that both sides created the same key material with an
3588 * empty context.
3589 */
3590 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3591 sizeof(skeymat2))
3592 /*
3593 * Check that both sides created the same key material without a
3594 * context.
3595 */
3596 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3597 sizeof(skeymat3))
3598 /* Different contexts should produce different results */
3599 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3600 sizeof(ckeymat2)))
3601 goto end;
3602
3603 /*
3604 * Check that an empty context and no context produce different results in
3605 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3606 */
3607 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3608 sizeof(ckeymat3)))
3609 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3610 sizeof(ckeymat3))))
3611 goto end;
3612
3613 testresult = 1;
3614
3615 end:
3616 SSL_free(serverssl);
3617 SSL_free(clientssl);
3618 SSL_CTX_free(sctx2);
3619 SSL_CTX_free(sctx);
3620 SSL_CTX_free(cctx);
3621
3622 return testresult;
3623 }
3624
3625 #ifndef OPENSSL_NO_TLS1_3
3626 /*
3627 * Test that SSL_export_keying_material_early() produces expected
3628 * results. There are no test vectors so all we do is test that both
3629 * sides of the communication produce the same results for different
3630 * protocol versions.
3631 */
3632 static int test_export_key_mat_early(int idx)
3633 {
3634 static const char label[] = "test label";
3635 static const unsigned char context[] = "context";
3636 int testresult = 0;
3637 SSL_CTX *cctx = NULL, *sctx = NULL;
3638 SSL *clientssl = NULL, *serverssl = NULL;
3639 SSL_SESSION *sess = NULL;
3640 const unsigned char *emptycontext = NULL;
3641 unsigned char ckeymat1[80], ckeymat2[80];
3642 unsigned char skeymat1[80], skeymat2[80];
3643 unsigned char buf[1];
3644 size_t readbytes, written;
3645
3646 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3647 &sess, idx)))
3648 goto end;
3649
3650 /* Here writing 0 length early data is enough. */
3651 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3652 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3653 &readbytes),
3654 SSL_READ_EARLY_DATA_ERROR)
3655 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3656 SSL_EARLY_DATA_ACCEPTED))
3657 goto end;
3658
3659 if (!TEST_int_eq(SSL_export_keying_material_early(
3660 clientssl, ckeymat1, sizeof(ckeymat1), label,
3661 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3662 || !TEST_int_eq(SSL_export_keying_material_early(
3663 clientssl, ckeymat2, sizeof(ckeymat2), label,
3664 sizeof(label) - 1, emptycontext, 0), 1)
3665 || !TEST_int_eq(SSL_export_keying_material_early(
3666 serverssl, skeymat1, sizeof(skeymat1), label,
3667 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3668 || !TEST_int_eq(SSL_export_keying_material_early(
3669 serverssl, skeymat2, sizeof(skeymat2), label,
3670 sizeof(label) - 1, emptycontext, 0), 1)
3671 /*
3672 * Check that both sides created the same key material with the
3673 * same context.
3674 */
3675 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3676 sizeof(skeymat1))
3677 /*
3678 * Check that both sides created the same key material with an
3679 * empty context.
3680 */
3681 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3682 sizeof(skeymat2))
3683 /* Different contexts should produce different results */
3684 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3685 sizeof(ckeymat2)))
3686 goto end;
3687
3688 testresult = 1;
3689
3690 end:
3691 if (sess != clientpsk)
3692 SSL_SESSION_free(sess);
3693 SSL_SESSION_free(clientpsk);
3694 SSL_SESSION_free(serverpsk);
3695 clientpsk = serverpsk = NULL;
3696 SSL_free(serverssl);
3697 SSL_free(clientssl);
3698 SSL_CTX_free(sctx);
3699 SSL_CTX_free(cctx);
3700
3701 return testresult;
3702 }
3703 #endif /* OPENSSL_NO_TLS1_3 */
3704
3705 static int test_ssl_clear(int idx)
3706 {
3707 SSL_CTX *cctx = NULL, *sctx = NULL;
3708 SSL *clientssl = NULL, *serverssl = NULL;
3709 int testresult = 0;
3710
3711 #ifdef OPENSSL_NO_TLS1_2
3712 if (idx == 1)
3713 return 1;
3714 #endif
3715
3716 /* Create an initial connection */
3717 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3718 TLS1_VERSION, TLS_MAX_VERSION,
3719 &sctx, &cctx, cert, privkey))
3720 || (idx == 1
3721 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3722 TLS1_2_VERSION)))
3723 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3724 &clientssl, NULL, NULL))
3725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3726 SSL_ERROR_NONE)))
3727 goto end;
3728
3729 SSL_shutdown(clientssl);
3730 SSL_shutdown(serverssl);
3731 SSL_free(serverssl);
3732 serverssl = NULL;
3733
3734 /* Clear clientssl - we're going to reuse the object */
3735 if (!TEST_true(SSL_clear(clientssl)))
3736 goto end;
3737
3738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3739 NULL, NULL))
3740 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3741 SSL_ERROR_NONE))
3742 || !TEST_true(SSL_session_reused(clientssl)))
3743 goto end;
3744
3745 SSL_shutdown(clientssl);
3746 SSL_shutdown(serverssl);
3747
3748 testresult = 1;
3749
3750 end:
3751 SSL_free(serverssl);
3752 SSL_free(clientssl);
3753 SSL_CTX_free(sctx);
3754 SSL_CTX_free(cctx);
3755
3756 return testresult;
3757 }
3758
3759 /* Parse CH and retrieve any MFL extension value if present */
3760 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3761 {
3762 long len;
3763 unsigned char *data;
3764 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3765 unsigned int MFL_code = 0, type = 0;
3766
3767 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3768 goto end;
3769
3770 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3771 /* Skip the record header */
3772 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3773 /* Skip the handshake message header */
3774 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3775 /* Skip client version and random */
3776 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3777 + SSL3_RANDOM_SIZE))
3778 /* Skip session id */
3779 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3780 /* Skip ciphers */
3781 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3782 /* Skip compression */
3783 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3784 /* Extensions len */
3785 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3786 goto end;
3787
3788 /* Loop through all extensions */
3789 while (PACKET_remaining(&pkt2)) {
3790 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3791 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3792 goto end;
3793
3794 if (type == TLSEXT_TYPE_max_fragment_length) {
3795 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3796 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3797 goto end;
3798
3799 *mfl_codemfl_code = MFL_code;
3800 return 1;
3801 }
3802 }
3803
3804 end:
3805 return 0;
3806 }
3807
3808 /* Maximum-Fragment-Length TLS extension mode to test */
3809 static const unsigned char max_fragment_len_test[] = {
3810 TLSEXT_max_fragment_length_512,
3811 TLSEXT_max_fragment_length_1024,
3812 TLSEXT_max_fragment_length_2048,
3813 TLSEXT_max_fragment_length_4096
3814 };
3815
3816 static int test_max_fragment_len_ext(int idx_tst)
3817 {
3818 SSL_CTX *ctx;
3819 SSL *con = NULL;
3820 int testresult = 0, MFL_mode = 0;
3821 BIO *rbio, *wbio;
3822
3823 ctx = SSL_CTX_new(TLS_method());
3824 if (!TEST_ptr(ctx))
3825 goto end;
3826
3827 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3828 ctx, max_fragment_len_test[idx_tst])))
3829 goto end;
3830
3831 con = SSL_new(ctx);
3832 if (!TEST_ptr(con))
3833 goto end;
3834
3835 rbio = BIO_new(BIO_s_mem());
3836 wbio = BIO_new(BIO_s_mem());
3837 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3838 BIO_free(rbio);
3839 BIO_free(wbio);
3840 goto end;
3841 }
3842
3843 SSL_set_bio(con, rbio, wbio);
3844 SSL_set_connect_state(con);
3845
3846 if (!TEST_int_le(SSL_connect(con), 0)) {
3847 /* This shouldn't succeed because we don't have a server! */
3848 goto end;
3849 }
3850
3851 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3852 /* no MFL in client hello */
3853 goto end;
3854 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3855 goto end;
3856
3857 testresult = 1;
3858
3859 end:
3860 SSL_free(con);
3861 SSL_CTX_free(ctx);
3862
3863 return testresult;
3864 }
3865
3866 #ifndef OPENSSL_NO_TLS1_3
3867 static int test_pha_key_update(void)
3868 {
3869 SSL_CTX *cctx = NULL, *sctx = NULL;
3870 SSL *clientssl = NULL, *serverssl = NULL;
3871 int testresult = 0;
3872
3873 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3874 TLS1_VERSION, TLS_MAX_VERSION,
3875 &sctx, &cctx, cert, privkey)))
3876 return 0;
3877
3878 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3879 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3880 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3881 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3882 goto end;
3883
3884
3885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3886 NULL, NULL)))
3887 goto end;
3888
3889 SSL_force_post_handshake_auth(clientssl);
3890
3891 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3892 SSL_ERROR_NONE)))
3893 goto end;
3894
3895 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3896 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3897 goto end;
3898
3899 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3900 goto end;
3901
3902 /* Start handshake on the server */
3903 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3904 goto end;
3905
3906 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3907 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3908 SSL_ERROR_NONE)))
3909 goto end;
3910
3911 SSL_shutdown(clientssl);
3912 SSL_shutdown(serverssl);
3913
3914 testresult = 1;
3915
3916 end:
3917 SSL_free(serverssl);
3918 SSL_free(clientssl);
3919 SSL_CTX_free(sctx);
3920 SSL_CTX_free(cctx);
3921 return testresult;
3922 }
3923 #endif
3924
3925 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3926
3927 static SRP_VBASE *vbase = NULL;
3928
3929 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3930 {
3931 int ret = SSL3_AL_FATAL;
3932 char *username;
3933 SRP_user_pwd *user = NULL;
3934
3935 username = SSL_get_srp_username(s);
3936 if (username == NULL) {
3937 *ad = SSL_AD_INTERNAL_ERROR;
3938 goto err;
3939 }
3940
3941 user = SRP_VBASE_get1_by_user(vbase, username);
3942 if (user == NULL) {
3943 *ad = SSL_AD_INTERNAL_ERROR;
3944 goto err;
3945 }
3946
3947 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3948 user->info) <= 0) {
3949 *ad = SSL_AD_INTERNAL_ERROR;
3950 goto err;
3951 }
3952
3953 ret = 0;
3954
3955 err:
3956 SRP_user_pwd_free(user);
3957 return ret;
3958 }
3959
3960 static int create_new_vfile(char *userid, char *password, const char *filename)
3961 {
3962 char *gNid = NULL;
3963 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3964 TXT_DB *db = NULL;
3965 int ret = 0;
3966 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3967 size_t i;
3968
3969 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3970 goto end;
3971
3972 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3973 &row[DB_srpverifier], NULL, NULL);
3974 if (!TEST_ptr(gNid))
3975 goto end;
3976
3977 /*
3978 * The only way to create an empty TXT_DB is to provide a BIO with no data
3979 * in it!
3980 */
3981 db = TXT_DB_read(dummy, DB_NUMBER);
3982 if (!TEST_ptr(db))
3983 goto end;
3984
3985 out = BIO_new_file(filename, "w");
3986 if (!TEST_ptr(out))
3987 goto end;
3988
3989 row[DB_srpid] = OPENSSL_strdup(userid);
3990 row[DB_srptype] = OPENSSL_strdup("V");
3991 row[DB_srpgN] = OPENSSL_strdup(gNid);
3992
3993 if (!TEST_ptr(row[DB_srpid])
3994 || !TEST_ptr(row[DB_srptype])
3995 || !TEST_ptr(row[DB_srpgN])
3996 || !TEST_true(TXT_DB_insert(db, row)))
3997 goto end;
3998
3999 row = NULL;
4000
4001 if (!TXT_DB_write(out, db))
4002 goto end;
4003
4004 ret = 1;
4005 end:
4006 if (row != NULL) {
4007 for (i = 0; i < DB_NUMBER; i++)
4008 OPENSSL_free(row[i]);
4009 }
4010 OPENSSL_free(row);
4011 BIO_free(dummy);
4012 BIO_free(out);
4013 TXT_DB_free(db);
4014
4015 return ret;
4016 }
4017
4018 static int create_new_vbase(char *userid, char *password)
4019 {
4020 BIGNUM *verifier = NULL, *salt = NULL;
4021 const SRP_gN *lgN = NULL;
4022 SRP_user_pwd *user_pwd = NULL;
4023 int ret = 0;
4024
4025 lgN = SRP_get_default_gN(NULL);
4026 if (!TEST_ptr(lgN))
4027 goto end;
4028
4029 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4030 lgN->N, lgN->g)))
4031 goto end;
4032
4033 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4034 if (!TEST_ptr(user_pwd))
4035 goto end;
4036
4037 user_pwd->N = lgN->N;
4038 user_pwd->g = lgN->g;
4039 user_pwd->id = OPENSSL_strdup(userid);
4040 if (!TEST_ptr(user_pwd->id))
4041 goto end;
4042
4043 user_pwd->v = verifier;
4044 user_pwd->s = salt;
4045 verifier = salt = NULL;
4046
4047 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4048 goto end;
4049 user_pwd = NULL;
4050
4051 ret = 1;
4052 end:
4053 SRP_user_pwd_free(user_pwd);
4054 BN_free(salt);
4055 BN_free(verifier);
4056
4057 return ret;
4058 }
4059
4060 /*
4061 * SRP tests
4062 *
4063 * Test 0: Simple successful SRP connection, new vbase
4064 * Test 1: Connection failure due to bad password, new vbase
4065 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4066 * Test 3: Connection failure due to bad password, vbase loaded from existing
4067 * file
4068 * Test 4: Simple successful SRP connection, vbase loaded from new file
4069 * Test 5: Connection failure due to bad password, vbase loaded from new file
4070 */
4071 static int test_srp(int tst)
4072 {
4073 char *userid = "test", *password = "password", *tstsrpfile;
4074 SSL_CTX *cctx = NULL, *sctx = NULL;
4075 SSL *clientssl = NULL, *serverssl = NULL;
4076 int ret, testresult = 0;
4077
4078 vbase = SRP_VBASE_new(NULL);
4079 if (!TEST_ptr(vbase))
4080 goto end;
4081
4082 if (tst == 0 || tst == 1) {
4083 if (!TEST_true(create_new_vbase(userid, password)))
4084 goto end;
4085 } else {
4086 if (tst == 4 || tst == 5) {
4087 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4088 goto end;
4089 tstsrpfile = tmpfilename;
4090 } else {
4091 tstsrpfile = srpvfile;
4092 }
4093 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4094 goto end;
4095 }
4096
4097 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4098 TLS1_VERSION, TLS_MAX_VERSION,
4099 &sctx, &cctx, cert, privkey)))
4100 goto end;
4101
4102 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4103 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4104 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4105 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4106 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4107 goto end;
4108
4109 if (tst % 2 == 1) {
4110 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4111 goto end;
4112 } else {
4113 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4114 goto end;
4115 }
4116
4117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4118 NULL, NULL)))
4119 goto end;
4120
4121 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4122 if (ret) {
4123 if (!TEST_true(tst % 2 == 0))
4124 goto end;
4125 } else {
4126 if (!TEST_true(tst % 2 == 1))
4127 goto end;
4128 }
4129
4130 testresult = 1;
4131
4132 end:
4133 SRP_VBASE_free(vbase);
4134 vbase = NULL;
4135 SSL_free(serverssl);
4136 SSL_free(clientssl);
4137 SSL_CTX_free(sctx);
4138 SSL_CTX_free(cctx);
4139
4140 return testresult;
4141 }
4142 #endif
4143
4144 static int info_cb_failed = 0;
4145 static int info_cb_offset = 0;
4146 static int info_cb_this_state = -1;
4147
4148 static struct info_cb_states_st {
4149 int where;
4150 const char *statestr;
4151 } info_cb_states[][60] = {
4152 {
4153 /* TLSv1.2 server followed by resumption */
4154 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4155 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4156 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4157 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4158 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4159 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4160 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4161 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4162 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4163 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4164 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4165 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4166 {SSL_CB_EXIT, NULL}, {0, NULL},
4167 }, {
4168 /* TLSv1.2 client followed by resumption */
4169 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4170 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4171 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4172 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4173 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4174 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4175 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4176 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4177 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4178 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4179 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4180 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4181 }, {
4182 /* TLSv1.3 server followed by resumption */
4183 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4184 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4185 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4186 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4187 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4188 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4189 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4190 {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4191 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4192 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4193 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4194 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4195 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4196 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4197 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4198 }, {
4199 /* TLSv1.3 client followed by resumption */
4200 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4201 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4202 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4203 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4204 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4205 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4206 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4207 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4208 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4209 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4210 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4211 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4212 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4213 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4214 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4215 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4216 }, {
4217 /* TLSv1.3 server, early_data */
4218 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4219 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4220 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4221 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4222 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4223 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4224 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4225 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4226 {SSL_CB_EXIT, NULL}, {0, NULL},
4227 }, {
4228 /* TLSv1.3 client, early_data */
4229 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4230 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4231 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4232 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4233 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4234 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4235 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4236 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4237 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4238 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4239 }, {
4240 {0, NULL},
4241 }
4242 };
4243
4244 static void sslapi_info_callback(const SSL *s, int where, int ret)
4245 {
4246 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4247
4248 /* We do not ever expect a connection to fail in this test */
4249 if (!TEST_false(ret == 0)) {
4250 info_cb_failed = 1;
4251 return;
4252 }
4253
4254 /*
4255 * Do some sanity checks. We never expect these things to happen in this
4256 * test
4257 */
4258 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4259 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4260 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4261 info_cb_failed = 1;
4262 return;
4263 }
4264
4265 /* Now check we're in the right state */
4266 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4267 info_cb_failed = 1;
4268 return;
4269 }
4270 if ((where & SSL_CB_LOOP) != 0
4271 && !TEST_int_eq(strcmp(SSL_state_string(s),
4272 state[info_cb_this_state].statestr), 0)) {
4273 info_cb_failed = 1;
4274 return;
4275 }
4276 }
4277
4278 /*
4279 * Test the info callback gets called when we expect it to.
4280 *
4281 * Test 0: TLSv1.2, server
4282 * Test 1: TLSv1.2, client
4283 * Test 2: TLSv1.3, server
4284 * Test 3: TLSv1.3, client
4285 * Test 4: TLSv1.3, server, early_data
4286 * Test 5: TLSv1.3, client, early_data
4287 */
4288 static int test_info_callback(int tst)
4289 {
4290 SSL_CTX *cctx = NULL, *sctx = NULL;
4291 SSL *clientssl = NULL, *serverssl = NULL;
4292 SSL_SESSION *clntsess = NULL;
4293 int testresult = 0;
4294 int tlsvers;
4295
4296 if (tst < 2) {
4297 #ifndef OPENSSL_NO_TLS1_2
4298 tlsvers = TLS1_2_VERSION;
4299 #else
4300 return 1;
4301 #endif
4302 } else {
4303 #ifndef OPENSSL_NO_TLS1_3
4304 tlsvers = TLS1_3_VERSION;
4305 #else
4306 return 1;
4307 #endif
4308 }
4309
4310 /* Reset globals */
4311 info_cb_failed = 0;
4312 info_cb_this_state = -1;
4313 info_cb_offset = tst;
4314
4315 if (tst >= 4) {
4316 SSL_SESSION *sess = NULL;
4317 size_t written, readbytes;
4318 unsigned char buf[80];
4319
4320 /* early_data tests */
4321 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4322 &serverssl, &sess, 0)))
4323 goto end;
4324
4325 /* We don't actually need this reference */
4326 SSL_SESSION_free(sess);
4327
4328 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4329 sslapi_info_callback);
4330
4331 /* Write and read some early data and then complete the connection */
4332 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4333 &written))
4334 || !TEST_size_t_eq(written, strlen(MSG1))
4335 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4336 sizeof(buf), &readbytes),
4337 SSL_READ_EARLY_DATA_SUCCESS)
4338 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4340 SSL_EARLY_DATA_ACCEPTED)
4341 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4342 SSL_ERROR_NONE))
4343 || !TEST_false(info_cb_failed))
4344 goto end;
4345
4346 testresult = 1;
4347 goto end;
4348 }
4349
4350 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4351 TLS_client_method(),
4352 tlsvers, tlsvers, &sctx, &cctx, cert,
4353 privkey)))
4354 goto end;
4355
4356 /*
4357 * For even numbered tests we check the server callbacks. For odd numbers we
4358 * check the client.
4359 */
4360 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4361 sslapi_info_callback);
4362
4363 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4364 &clientssl, NULL, NULL))
4365 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4366 SSL_ERROR_NONE))
4367 || !TEST_false(info_cb_failed))
4368 goto end;
4369
4370
4371
4372 clntsess = SSL_get1_session(clientssl);
4373 SSL_shutdown(clientssl);
4374 SSL_shutdown(serverssl);
4375 SSL_free(serverssl);
4376 SSL_free(clientssl);
4377 serverssl = clientssl = NULL;
4378
4379 /* Now do a resumption */
4380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4381 NULL))
4382 || !TEST_true(SSL_set_session(clientssl, clntsess))
4383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4384 SSL_ERROR_NONE))
4385 || !TEST_true(SSL_session_reused(clientssl))
4386 || !TEST_false(info_cb_failed))
4387 goto end;
4388
4389 testresult = 1;
4390
4391 end:
4392 SSL_free(serverssl);
4393 SSL_free(clientssl);
4394 SSL_SESSION_free(clntsess);
4395 SSL_CTX_free(sctx);
4396 SSL_CTX_free(cctx);
4397 return testresult;
4398 }
4399
4400 int setup_tests(void)
4401 {
4402 if (!TEST_ptr(cert = test_get_argument(0))
4403 || !TEST_ptr(privkey = test_get_argument(1))
4404 || !TEST_ptr(srpvfile = test_get_argument(2))
4405 || !TEST_ptr(tmpfilename = test_get_argument(3)))
4406 return 0;
4407
4408 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4409 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
4410 TEST_error("not supported in this build");
4411 return 0;
4412 #else
4413 int i, mcount, rcount, fcount;
4414
4415 for (i = 0; i < 4; i++)
4416 test_export_key_mat(i);
4417 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4418 test_printf_stdout("malloc %d realloc %d free %d\n",
4419 mcount, rcount, fcount);
4420 return 1;
4421 #endif
4422 }
4423
4424 ADD_TEST(test_large_message_tls);
4425 ADD_TEST(test_large_message_tls_read_ahead);
4426 #ifndef OPENSSL_NO_DTLS
4427 ADD_TEST(test_large_message_dtls);
4428 #endif
4429 #ifndef OPENSSL_NO_OCSP
4430 ADD_TEST(test_tlsext_status_type);
4431 #endif
4432 ADD_TEST(test_session_with_only_int_cache);
4433 ADD_TEST(test_session_with_only_ext_cache);
4434 ADD_TEST(test_session_with_both_cache);
4435 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
4436 ADD_TEST(test_ssl_bio_pop_next_bio);
4437 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4438 ADD_TEST(test_ssl_bio_change_rbio);
4439 ADD_TEST(test_ssl_bio_change_wbio);
4440 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
4441 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
4442 ADD_TEST(test_keylog);
4443 #endif
4444 #ifndef OPENSSL_NO_TLS1_3
4445 ADD_TEST(test_keylog_no_master_key);
4446 #endif
4447 #ifndef OPENSSL_NO_TLS1_2
4448 ADD_TEST(test_client_hello_cb);
4449 #endif
4450 #ifndef OPENSSL_NO_TLS1_3
4451 ADD_ALL_TESTS(test_early_data_read_write, 3);
4452 /*
4453 * We don't do replay tests for external PSK. Replay protection isn't used
4454 * in that scenario.
4455 */
4456 ADD_ALL_TESTS(test_early_data_replay, 2);
4457 ADD_ALL_TESTS(test_early_data_skip, 3);
4458 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4459 ADD_ALL_TESTS(test_early_data_not_sent, 3);
4460 ADD_ALL_TESTS(test_early_data_psk, 8);
4461 ADD_ALL_TESTS(test_early_data_not_expected, 3);
4462 # ifndef OPENSSL_NO_TLS1_2
4463 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
4464 # endif
4465 #endif
4466 #ifndef OPENSSL_NO_TLS1_3
4467 ADD_ALL_TESTS(test_set_ciphersuite, 10);
4468 ADD_TEST(test_ciphersuite_change);
4469 #ifdef OPENSSL_NO_PSK
4470 ADD_ALL_TESTS(test_tls13_psk, 1);
4471 #else
4472 ADD_ALL_TESTS(test_tls13_psk, 3);
4473 #endif /* OPENSSL_NO_PSK */
4474 ADD_ALL_TESTS(test_custom_exts, 5);
4475 ADD_TEST(test_stateless);
4476 ADD_TEST(test_pha_key_update);
4477 #else
4478 ADD_ALL_TESTS(test_custom_exts, 3);
4479 #endif
4480 ADD_ALL_TESTS(test_serverinfo, 8);
4481 ADD_ALL_TESTS(test_export_key_mat, 4);
4482 #ifndef OPENSSL_NO_TLS1_3
4483 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4484 #endif
4485 ADD_ALL_TESTS(test_ssl_clear, 2);
4486 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
4487 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4488 ADD_ALL_TESTS(test_srp, 6);
4489 #endif
4490 ADD_ALL_TESTS(test_info_callback, 6);
4491 return 1;
4492 }
4493
4494 void cleanup_tests(void)
4495 {
4496 bio_s_mempacket_test_free();
4497 }
A mirror of the official openssl repository