]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
32
33 #include "ssltestlib.h"
34 #include "testutil.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
39
40 DEFINE_STACK_OF(OCSP_RESPID)
41 DEFINE_STACK_OF(X509)
42 DEFINE_STACK_OF(X509_NAME)
43
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
46
47 #ifndef OPENSSL_NO_TLS1_3
48
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
53
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
58
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
61
62 static SSL_SESSION *create_a_psk(SSL *ssl);
63 #endif
64
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
70
71 static int is_fips = 0;
72
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
79
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
84
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
87 #endif
88
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
91
92 /*
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
95 */
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
106 };
107
108
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
113 };
114
115 static unsigned char serverinfov2[] = {
116 0x00, 0x00, 0x00,
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
121 };
122
123 static int hostname_cb(SSL *s, int *al, void *arg)
124 {
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
126
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
130
131 return SSL_TLSEXT_ERR_NOACK;
132 }
133
134 static void client_keylog_callback(const SSL *ssl, const char *line)
135 {
136 int line_length = strlen(line);
137
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
142 return;
143 }
144
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
148 }
149
150 static void server_keylog_callback(const SSL *ssl, const char *line)
151 {
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
164 }
165
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
167 size_t hex_length,
168 const uint8_t *raw,
169 size_t raw_length)
170 {
171 size_t i, j;
172 char hexed[3];
173
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
175 return 1;
176
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
181 return 1;
182 }
183
184 return 0;
185 }
186
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
190 {
191 char *token = NULL;
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
205
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
209 /*
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
212 * secret.
213 */
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 return 0;
216 if (!TEST_size_t_eq(strlen(token), 16))
217 return 0;
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
219 return 0;
220 /*
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
224 */
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
227 /*
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
230 */
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
233 SSL3_RANDOM_SIZE);
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
235 return 0;
236
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 return 0;
239 if (!TEST_size_t_eq(strlen(token), 64))
240 return 0;
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
244 return 0;
245
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 return 0;
248 master_key_size = SSL_SESSION_get_master_key(session,
249 actual_master_key,
250 master_key_size);
251 if (!TEST_size_t_ne(master_key_size, 0))
252 return 0;
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
254 actual_master_key,
255 master_key_size)))
256 return 0;
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
265 /*
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
270 */
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
285
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
288 SSL3_RANDOM_SIZE);
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
290 return 0;
291
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
293 return 0;
294 if (!TEST_size_t_eq(strlen(token), 64))
295 return 0;
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
299 return 0;
300
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
302 return 0;
303
304 /*
305 * TODO(TLS1.3): test that application traffic secrets are what
306 * we expect */
307 } else {
308 TEST_info("Unexpected token %s\n", token);
309 return 0;
310 }
311 }
312
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
332 return 0;
333 return 1;
334 }
335
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
338 {
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
342 struct sslapitest_log_counts expected;
343
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
351
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
353 TLS_client_method(),
354 TLS1_VERSION, 0,
355 &sctx, &cctx, cert, privkey)))
356 return 0;
357
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
361
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
364 goto end;
365
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
368 goto end;
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
372 goto end;
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
376 goto end;
377
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
382 SSL_ERROR_NONE))
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
386 goto end;
387
388 /*
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
393 */
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
398 goto end;
399
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
403 goto end;
404
405 testresult = 1;
406
407 end:
408 SSL_free(serverssl);
409 SSL_free(clientssl);
410 SSL_CTX_free(sctx);
411 SSL_CTX_free(cctx);
412
413 return testresult;
414 }
415 #endif
416
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
419 {
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
423 int testresult = 0;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
427
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
435
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
441 return 0;
442
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
445 goto end;
446
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
450 goto end;
451
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
455 goto end;
456
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
461 SSL_ERROR_NONE))
462 || !TEST_false(error_writing_log))
463 goto end;
464
465 /*
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
469 */
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
479 &expected)))
480 goto end;
481
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
486 SSL_free(serverssl);
487 SSL_free(clientssl);
488 serverssl = clientssl = NULL;
489
490 /* Reset key log */
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
495
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
502 &readbytes),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
507 SSL_ERROR_NONE))
508 || !TEST_true(SSL_session_reused(clientssl)))
509 goto end;
510
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
518 &expected)))
519 goto end;
520
521 testresult = 1;
522
523 end:
524 SSL_SESSION_free(sess);
525 SSL_free(serverssl);
526 SSL_free(clientssl);
527 SSL_CTX_free(sctx);
528 SSL_CTX_free(cctx);
529
530 return testresult;
531 }
532 #endif
533
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
536 {
537 int *ctr = arg;
538 const unsigned char *p;
539 int *exts;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
541 #ifdef OPENSSL_NO_EC
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
543 #else
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
545 0x2c, 0x00, 0xff};
546 #endif
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
549 11, 10,
550 #endif
551 35, 22, 23, 13};
552 size_t len;
553
554 /* Make sure we can defer processing and get called back. */
555 if ((*ctr)++ == 0)
556 return SSL_CLIENT_HELLO_RETRY;
557
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
560 || !TEST_size_t_eq(
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
569 OPENSSL_free(exts);
570 return SSL_CLIENT_HELLO_ERROR;
571 }
572 OPENSSL_free(exts);
573 return SSL_CLIENT_HELLO_SUCCESS;
574 }
575
576 static int test_client_hello_cb(void)
577 {
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
581
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
585 goto end;
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
587
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
590
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
597 /*
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
600 * */
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
604 SSL_ERROR_NONE)))
605 goto end;
606
607 testresult = 1;
608
609 end:
610 SSL_free(serverssl);
611 SSL_free(clientssl);
612 SSL_CTX_free(sctx);
613 SSL_CTX_free(cctx);
614
615 return testresult;
616 }
617
618 static int test_no_ems(void)
619 {
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
622 int testresult = 0;
623
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
628 goto end;
629 }
630
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
632
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
635 goto end;
636 }
637
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
640 goto end;
641 }
642
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
645 goto end;
646 }
647
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
650 goto end;
651 }
652 testresult = 1;
653
654 end:
655 SSL_free(serverssl);
656 SSL_free(clientssl);
657 SSL_CTX_free(sctx);
658 SSL_CTX_free(cctx);
659
660 return testresult;
661 }
662
663 /*
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
668 */
669 static int test_ccs_change_cipher(void)
670 {
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
674 int testresult = 0;
675 int i;
676 unsigned char buf;
677 size_t readbytes;
678
679 /*
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
682 */
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
684 TLS_client_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
689 NULL, NULL))
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
692 SSL_ERROR_NONE))
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
695 goto end;
696
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
699
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
703 NULL, NULL))
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
707 SSL_ERROR_NONE))
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
714 goto end;
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
717
718 /*
719 * Now create a fresh connection and try to renegotiate a different
720 * cipher on it.
721 */
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
723 NULL, NULL))
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
726 SSL_ERROR_NONE))
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
731 goto end;
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
736 goto end;
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
739 goto end;
740 }
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
743 goto end;
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
746 goto end;
747 }
748 }
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
757 goto end;
758
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
761
762 testresult = 1;
763
764 end:
765 SSL_free(serverssl);
766 SSL_free(clientssl);
767 SSL_CTX_free(sctx);
768 SSL_CTX_free(cctx);
769 SSL_SESSION_free(sess);
770
771 return testresult;
772 }
773 #endif
774
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
778 int read_ahead)
779 {
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
782 int testresult = 0;
783 int i;
784 BIO *certbio = NULL;
785 X509 *chaincert = NULL;
786 int certlen;
787
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
789 goto end;
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
791 BIO_free(certbio);
792 certbio = NULL;
793 if (!TEST_ptr(chaincert))
794 goto end;
795
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
798 privkey)))
799 goto end;
800
801 if (read_ahead) {
802 /*
803 * Test that read_ahead works correctly when dealing with large
804 * records
805 */
806 SSL_CTX_set_read_ahead(cctx, 1);
807 }
808
809 /*
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
815 */
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
821 goto end;
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
824 goto end;
825 }
826 }
827
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
829 NULL, NULL))
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
831 SSL_ERROR_NONE)))
832 goto end;
833
834 /*
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
836 * doesn't leak.
837 */
838 if (!TEST_true(SSL_clear(serverssl)))
839 goto end;
840
841 testresult = 1;
842 end:
843 X509_free(chaincert);
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850 }
851
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
854
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
857 {
858 if (!ktls_enable(sock))
859 return 0;
860 return 1;
861 }
862
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
864 {
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
868 size_t err = 0;
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
877
878 cbuf[0] = count++;
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
887
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
889 goto end;
890
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
893 goto end;
894 }
895 }
896
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
898 goto end;
899
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
902 goto end;
903 }
904 }
905
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
914
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
917 goto end;
918
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
923 goto end;
924 } else {
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
927 goto end;
928 }
929
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
933 goto end;
934 } else {
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
937 goto end;
938 }
939
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
943 goto end;
944 } else {
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
947 goto end;
948 }
949
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
953 goto end;
954 } else {
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
957 goto end;
958 }
959
960 return 1;
961 end:
962 return 0;
963 }
964
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
967 {
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
970 int testresult = 0;
971 int cfd, sfd;
972
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
974 goto end;
975
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
978 return 1;
979
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
982 TLS_client_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
989 goto end;
990
991 if (!cis_ktls_tx) {
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 goto end;
994 }
995
996 if (!sis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
1001 if (!cis_ktls_rx) {
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 goto end;
1004 }
1005
1006 if (!sis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 SSL_ERROR_NONE)))
1013 goto end;
1014
1015 if (!cis_ktls_tx) {
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1017 goto end;
1018 } else {
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 goto end;
1021 }
1022
1023 if (!sis_ktls_tx) {
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1025 goto end;
1026 } else {
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 goto end;
1029 }
1030
1031 if (!cis_ktls_rx) {
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_rx) {
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1044 goto end;
1045 }
1046
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1048 goto end;
1049
1050 testresult = 1;
1051 end:
1052 if (clientssl) {
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1055 }
1056 if (serverssl) {
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1059 }
1060 SSL_CTX_free(sctx);
1061 SSL_CTX_free(cctx);
1062 serverssl = clientssl = NULL;
1063 return testresult;
1064 }
1065
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1069
1070 static int test_ktls_sendfile(void)
1071 {
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1079 int testresult = 0;
1080 FILE *ffdp;
1081
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1086 goto end;
1087
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1090 testresult = 1;
1091 goto end;
1092 }
1093
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1103 goto end;
1104
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1108 goto end;
1109
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1112 if (!TEST_ptr(out))
1113 goto end;
1114
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 goto end;
1117
1118 BIO_free(out);
1119 out = NULL;
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1122 ffd = fileno(ffdp);
1123
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1127 ffd,
1128 chunk_off,
1129 chunk_size,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1132 goto end;
1133 }
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1138 goto end;
1139 }
1140
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1143 chunk_size,
1144 buf + chunk_off,
1145 chunk_size))
1146 goto end;
1147
1148 chunk_off += chunk_size;
1149 }
1150
1151 testresult = 1;
1152 end:
1153 if (clientssl) {
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1156 }
1157 if (serverssl) {
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1160 }
1161 SSL_CTX_free(sctx);
1162 SSL_CTX_free(cctx);
1163 serverssl = clientssl = NULL;
1164 BIO_free(out);
1165 BIO_free(in);
1166 OPENSSL_free(buf);
1167 OPENSSL_free(buf_dst);
1168 return testresult;
1169 }
1170
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1172 {
1173 return execute_test_ktls(0, 0, 0, 0);
1174 }
1175
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1177 {
1178 return execute_test_ktls(1, 0, 0, 0);
1179 }
1180
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1182 {
1183 return execute_test_ktls(0, 1, 0, 0);
1184 }
1185
1186 static int test_ktls_client_no_txrx_server(void)
1187 {
1188 return execute_test_ktls(1, 1, 0, 0);
1189 }
1190
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1192 {
1193 return execute_test_ktls(0, 0, 1, 0);
1194 }
1195
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1197 {
1198 return execute_test_ktls(1, 0, 1, 0);
1199 }
1200
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1202 {
1203 return execute_test_ktls(0, 1, 1, 0);
1204 }
1205
1206 static int test_ktls_client_no_rx_server(void)
1207 {
1208 return execute_test_ktls(1, 1, 1, 0);
1209 }
1210
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1212 {
1213 return execute_test_ktls(0, 0, 0, 1);
1214 }
1215
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1217 {
1218 return execute_test_ktls(1, 0, 0, 1);
1219 }
1220
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1222 {
1223 return execute_test_ktls(0, 1, 0, 1);
1224 }
1225
1226 static int test_ktls_client_no_tx_server(void)
1227 {
1228 return execute_test_ktls(1, 1, 0, 1);
1229 }
1230
1231 static int test_ktls_no_txrx_client_server(void)
1232 {
1233 return execute_test_ktls(0, 0, 1, 1);
1234 }
1235
1236 static int test_ktls_no_rx_client_server(void)
1237 {
1238 return execute_test_ktls(1, 0, 1, 1);
1239 }
1240
1241 static int test_ktls_no_tx_client_server(void)
1242 {
1243 return execute_test_ktls(0, 1, 1, 1);
1244 }
1245
1246 static int test_ktls_client_server(void)
1247 {
1248 return execute_test_ktls(1, 1, 1, 1);
1249 }
1250 #endif
1251
1252 static int test_large_message_tls(void)
1253 {
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1256 }
1257
1258 static int test_large_message_tls_read_ahead(void)
1259 {
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1262 }
1263
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1266 {
1267 /*
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1270 */
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1274 }
1275 #endif
1276
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1279 {
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1284
1285 if (*argi == 2) {
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1296 }
1297
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1300
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1304 }
1305
1306 static int ocsp_client_cb(SSL *s, void *arg)
1307 {
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1310 size_t len;
1311
1312 if (*argi != 1 && *argi != 2)
1313 return 0;
1314
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1317 return 0;
1318
1319 ocsp_client_called = 1;
1320 return 1;
1321 }
1322
1323 static int test_tlsext_status_type(void)
1324 {
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1327 int testresult = 0;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1331
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1333 TLS1_VERSION, 0,
1334 &sctx, &cctx, cert, privkey))
1335 return 0;
1336
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1338 goto end;
1339
1340 /* First just do various checks getting and setting tlsext_status_type */
1341
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1348 goto end;
1349
1350 SSL_free(clientssl);
1351 clientssl = NULL;
1352
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1355 goto end;
1356
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1359 goto end;
1360 SSL_free(clientssl);
1361 clientssl = NULL;
1362
1363 /*
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1366 */
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1374 SSL_ERROR_NONE))
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1377 goto end;
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1380 serverssl = NULL;
1381 clientssl = NULL;
1382
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1386 cdummyarg = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1391 SSL_ERROR_NONE))
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1394 goto end;
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1397 serverssl = NULL;
1398 clientssl = NULL;
1399
1400 /*
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1402 * accept.
1403 */
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1406 cdummyarg = 2;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1409 goto end;
1410
1411 /*
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1414 */
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1419 NULL, NULL, NULL))
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1422 goto end;
1423 id = NULL;
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1426 ids = NULL;
1427
1428 BIO_free(certbio);
1429 certbio = NULL;
1430
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1432 SSL_ERROR_NONE))
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1435 goto end;
1436
1437 testresult = 1;
1438
1439 end:
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1442 SSL_CTX_free(sctx);
1443 SSL_CTX_free(cctx);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1446 BIO_free(certbio);
1447 X509_free(ocspcert);
1448 ocspcert = NULL;
1449
1450 return testresult;
1451 }
1452 #endif
1453
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1456
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1458 {
1459 new_called++;
1460 /*
1461 * sess has been up-refed for us, but we don't actually need it so free it
1462 * immediately.
1463 */
1464 SSL_SESSION_free(sess);
1465 return 1;
1466 }
1467
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1469 {
1470 remove_called++;
1471 }
1472
1473 static SSL_SESSION *get_sess_val = NULL;
1474
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1476 int *copy)
1477 {
1478 get_called++;
1479 *copy = 1;
1480 return get_sess_val;
1481 }
1482
1483 static int execute_test_session(int maxprot, int use_int_cache,
1484 int use_ext_cache, long s_options)
1485 {
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1491 # endif
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1494
1495 new_called = remove_called = 0;
1496
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1499 numnewsesstick = 2;
1500
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1504 return 0;
1505
1506 /*
1507 * Only allow the max protocol version so we can force a connection failure
1508 * later
1509 */
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1512
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1517 }
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1521 } else {
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1525 }
1526
1527 if (s_options) {
1528 SSL_CTX_set_options(sctx, s_options);
1529 }
1530
1531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1532 NULL, NULL))
1533 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1534 SSL_ERROR_NONE))
1535 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1536 goto end;
1537
1538 /* Should fail because it should already be in the cache */
1539 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1540 goto end;
1541 if (use_ext_cache
1542 && (!TEST_int_eq(new_called, numnewsesstick)
1543
1544 || !TEST_int_eq(remove_called, 0)))
1545 goto end;
1546
1547 new_called = remove_called = 0;
1548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1549 &clientssl2, NULL, NULL))
1550 || !TEST_true(SSL_set_session(clientssl2, sess1))
1551 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1552 SSL_ERROR_NONE))
1553 || !TEST_true(SSL_session_reused(clientssl2)))
1554 goto end;
1555
1556 if (maxprot == TLS1_3_VERSION) {
1557 /*
1558 * In TLSv1.3 we should have created a new session even though we have
1559 * resumed. Since we attempted a resume we should also have removed the
1560 * old ticket from the cache so that we try to only use tickets once.
1561 */
1562 if (use_ext_cache
1563 && (!TEST_int_eq(new_called, 1)
1564 || !TEST_int_eq(remove_called, 1)))
1565 goto end;
1566 } else {
1567 /*
1568 * In TLSv1.2 we expect to have resumed so no sessions added or
1569 * removed.
1570 */
1571 if (use_ext_cache
1572 && (!TEST_int_eq(new_called, 0)
1573 || !TEST_int_eq(remove_called, 0)))
1574 goto end;
1575 }
1576
1577 SSL_SESSION_free(sess1);
1578 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1579 goto end;
1580 shutdown_ssl_connection(serverssl2, clientssl2);
1581 serverssl2 = clientssl2 = NULL;
1582
1583 new_called = remove_called = 0;
1584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1585 &clientssl2, NULL, NULL))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1587 SSL_ERROR_NONE)))
1588 goto end;
1589
1590 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1591 goto end;
1592
1593 if (use_ext_cache
1594 && (!TEST_int_eq(new_called, numnewsesstick)
1595 || !TEST_int_eq(remove_called, 0)))
1596 goto end;
1597
1598 new_called = remove_called = 0;
1599 /*
1600 * This should clear sess2 from the cache because it is a "bad" session.
1601 * See SSL_set_session() documentation.
1602 */
1603 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1604 goto end;
1605 if (use_ext_cache
1606 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1607 goto end;
1608 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1609 goto end;
1610
1611 if (use_int_cache) {
1612 /* Should succeeded because it should not already be in the cache */
1613 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1614 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1615 goto end;
1616 }
1617
1618 new_called = remove_called = 0;
1619 /* This shouldn't be in the cache so should fail */
1620 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1621 goto end;
1622
1623 if (use_ext_cache
1624 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1625 goto end;
1626
1627 # if !defined(OPENSSL_NO_TLS1_1)
1628 new_called = remove_called = 0;
1629 /* Force a connection failure */
1630 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1632 &clientssl3, NULL, NULL))
1633 || !TEST_true(SSL_set_session(clientssl3, sess1))
1634 /* This should fail because of the mismatched protocol versions */
1635 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1636 SSL_ERROR_NONE)))
1637 goto end;
1638
1639 /* We should have automatically removed the session from the cache */
1640 if (use_ext_cache
1641 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1642 goto end;
1643
1644 /* Should succeed because it should not already be in the cache */
1645 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1646 goto end;
1647 # endif
1648
1649 /* Now do some tests for server side caching */
1650 if (use_ext_cache) {
1651 SSL_CTX_sess_set_new_cb(cctx, NULL);
1652 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1653 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1654 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1655 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1656 get_sess_val = NULL;
1657 }
1658
1659 SSL_CTX_set_session_cache_mode(cctx, 0);
1660 /* Internal caching is the default on the server side */
1661 if (!use_int_cache)
1662 SSL_CTX_set_session_cache_mode(sctx,
1663 SSL_SESS_CACHE_SERVER
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1665
1666 SSL_free(serverssl1);
1667 SSL_free(clientssl1);
1668 serverssl1 = clientssl1 = NULL;
1669 SSL_free(serverssl2);
1670 SSL_free(clientssl2);
1671 serverssl2 = clientssl2 = NULL;
1672 SSL_SESSION_free(sess1);
1673 sess1 = NULL;
1674 SSL_SESSION_free(sess2);
1675 sess2 = NULL;
1676
1677 SSL_CTX_set_max_proto_version(sctx, maxprot);
1678 if (maxprot == TLS1_2_VERSION)
1679 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1680 new_called = remove_called = get_called = 0;
1681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1682 NULL, NULL))
1683 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1684 SSL_ERROR_NONE))
1685 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1686 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1687 goto end;
1688
1689 if (use_int_cache) {
1690 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1691 /*
1692 * In TLSv1.3 it should not have been added to the internal cache,
1693 * except in the case where we also have an external cache (in that
1694 * case it gets added to the cache in order to generate remove
1695 * events after timeout).
1696 */
1697 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1698 goto end;
1699 } else {
1700 /* Should fail because it should already be in the cache */
1701 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1702 goto end;
1703 }
1704 }
1705
1706 if (use_ext_cache) {
1707 SSL_SESSION *tmp = sess2;
1708
1709 if (!TEST_int_eq(new_called, numnewsesstick)
1710 || !TEST_int_eq(remove_called, 0)
1711 || !TEST_int_eq(get_called, 0))
1712 goto end;
1713 /*
1714 * Delete the session from the internal cache to force a lookup from
1715 * the external cache. We take a copy first because
1716 * SSL_CTX_remove_session() also marks the session as non-resumable.
1717 */
1718 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1719 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1720 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1721 goto end;
1722 SSL_SESSION_free(sess2);
1723 }
1724 sess2 = tmp;
1725 }
1726
1727 new_called = remove_called = get_called = 0;
1728 get_sess_val = sess2;
1729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1730 &clientssl2, NULL, NULL))
1731 || !TEST_true(SSL_set_session(clientssl2, sess1))
1732 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1733 SSL_ERROR_NONE))
1734 || !TEST_true(SSL_session_reused(clientssl2)))
1735 goto end;
1736
1737 if (use_ext_cache) {
1738 if (!TEST_int_eq(remove_called, 0))
1739 goto end;
1740
1741 if (maxprot == TLS1_3_VERSION) {
1742 if (!TEST_int_eq(new_called, 1)
1743 || !TEST_int_eq(get_called, 0))
1744 goto end;
1745 } else {
1746 if (!TEST_int_eq(new_called, 0)
1747 || !TEST_int_eq(get_called, 1))
1748 goto end;
1749 }
1750 }
1751
1752 testresult = 1;
1753
1754 end:
1755 SSL_free(serverssl1);
1756 SSL_free(clientssl1);
1757 SSL_free(serverssl2);
1758 SSL_free(clientssl2);
1759 # ifndef OPENSSL_NO_TLS1_1
1760 SSL_free(serverssl3);
1761 SSL_free(clientssl3);
1762 # endif
1763 SSL_SESSION_free(sess1);
1764 SSL_SESSION_free(sess2);
1765 SSL_CTX_free(sctx);
1766 SSL_CTX_free(cctx);
1767
1768 return testresult;
1769 }
1770 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1771
1772 static int test_session_with_only_int_cache(void)
1773 {
1774 #ifndef OPENSSL_NO_TLS1_3
1775 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
1776 return 0;
1777 #endif
1778
1779 #ifndef OPENSSL_NO_TLS1_2
1780 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
1781 #else
1782 return 1;
1783 #endif
1784 }
1785
1786 static int test_session_with_only_ext_cache(void)
1787 {
1788 #ifndef OPENSSL_NO_TLS1_3
1789 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
1790 return 0;
1791 #endif
1792
1793 #ifndef OPENSSL_NO_TLS1_2
1794 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
1795 #else
1796 return 1;
1797 #endif
1798 }
1799
1800 static int test_session_with_both_cache(void)
1801 {
1802 #ifndef OPENSSL_NO_TLS1_3
1803 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1804 return 0;
1805 #endif
1806
1807 #ifndef OPENSSL_NO_TLS1_2
1808 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1809 #else
1810 return 1;
1811 #endif
1812 }
1813
1814 static int test_session_wo_ca_names(void)
1815 {
1816 #ifndef OPENSSL_NO_TLS1_3
1817 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
1818 return 0;
1819 #endif
1820
1821 #ifndef OPENSSL_NO_TLS1_2
1822 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
1823 #else
1824 return 1;
1825 #endif
1826 }
1827
1828
1829 #ifndef OPENSSL_NO_TLS1_3
1830 static SSL_SESSION *sesscache[6];
1831 static int do_cache;
1832
1833 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1834 {
1835 if (do_cache) {
1836 sesscache[new_called] = sess;
1837 } else {
1838 /* We don't need the reference to the session, so free it */
1839 SSL_SESSION_free(sess);
1840 }
1841 new_called++;
1842
1843 return 1;
1844 }
1845
1846 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1847 {
1848 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1849 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1850 return 0;
1851
1852 /* Start handshake on the server and client */
1853 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1854 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1855 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1856 || !TEST_true(create_ssl_connection(sssl, cssl,
1857 SSL_ERROR_NONE)))
1858 return 0;
1859
1860 return 1;
1861 }
1862
1863 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1864 SSL_CTX **cctx)
1865 {
1866 int sess_id_ctx = 1;
1867
1868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1869 TLS_client_method(), TLS1_VERSION, 0,
1870 sctx, cctx, cert, privkey))
1871 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1872 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1873 (void *)&sess_id_ctx,
1874 sizeof(sess_id_ctx))))
1875 return 0;
1876
1877 if (stateful)
1878 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1879
1880 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1881 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1882 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1883
1884 return 1;
1885 }
1886
1887 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1888 {
1889 SSL *serverssl = NULL, *clientssl = NULL;
1890 int i;
1891
1892 /* Test that we can resume with all the tickets we got given */
1893 for (i = 0; i < idx * 2; i++) {
1894 new_called = 0;
1895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1896 &clientssl, NULL, NULL))
1897 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1898 goto end;
1899
1900 SSL_set_post_handshake_auth(clientssl, 1);
1901
1902 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1903 SSL_ERROR_NONE)))
1904 goto end;
1905
1906 /*
1907 * Following a successful resumption we only get 1 ticket. After a
1908 * failed one we should get idx tickets.
1909 */
1910 if (succ) {
1911 if (!TEST_true(SSL_session_reused(clientssl))
1912 || !TEST_int_eq(new_called, 1))
1913 goto end;
1914 } else {
1915 if (!TEST_false(SSL_session_reused(clientssl))
1916 || !TEST_int_eq(new_called, idx))
1917 goto end;
1918 }
1919
1920 new_called = 0;
1921 /* After a post-handshake authentication we should get 1 new ticket */
1922 if (succ
1923 && (!post_handshake_verify(serverssl, clientssl)
1924 || !TEST_int_eq(new_called, 1)))
1925 goto end;
1926
1927 SSL_shutdown(clientssl);
1928 SSL_shutdown(serverssl);
1929 SSL_free(serverssl);
1930 SSL_free(clientssl);
1931 serverssl = clientssl = NULL;
1932 SSL_SESSION_free(sesscache[i]);
1933 sesscache[i] = NULL;
1934 }
1935
1936 return 1;
1937
1938 end:
1939 SSL_free(clientssl);
1940 SSL_free(serverssl);
1941 return 0;
1942 }
1943
1944 static int test_tickets(int stateful, int idx)
1945 {
1946 SSL_CTX *sctx = NULL, *cctx = NULL;
1947 SSL *serverssl = NULL, *clientssl = NULL;
1948 int testresult = 0;
1949 size_t j;
1950
1951 /* idx is the test number, but also the number of tickets we want */
1952
1953 new_called = 0;
1954 do_cache = 1;
1955
1956 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1957 goto end;
1958
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL)))
1961 goto end;
1962
1963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1964 SSL_ERROR_NONE))
1965 /* Check we got the number of tickets we were expecting */
1966 || !TEST_int_eq(idx, new_called))
1967 goto end;
1968
1969 SSL_shutdown(clientssl);
1970 SSL_shutdown(serverssl);
1971 SSL_free(serverssl);
1972 SSL_free(clientssl);
1973 SSL_CTX_free(sctx);
1974 SSL_CTX_free(cctx);
1975 clientssl = serverssl = NULL;
1976 sctx = cctx = NULL;
1977
1978 /*
1979 * Now we try to resume with the tickets we previously created. The
1980 * resumption attempt is expected to fail (because we're now using a new
1981 * SSL_CTX). We should see idx number of tickets issued again.
1982 */
1983
1984 /* Stop caching sessions - just count them */
1985 do_cache = 0;
1986
1987 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1988 goto end;
1989
1990 if (!check_resumption(idx, sctx, cctx, 0))
1991 goto end;
1992
1993 /* Start again with caching sessions */
1994 new_called = 0;
1995 do_cache = 1;
1996 SSL_CTX_free(sctx);
1997 SSL_CTX_free(cctx);
1998 sctx = cctx = NULL;
1999
2000 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2001 goto end;
2002
2003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2004 &clientssl, NULL, NULL)))
2005 goto end;
2006
2007 SSL_set_post_handshake_auth(clientssl, 1);
2008
2009 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2010 SSL_ERROR_NONE))
2011 /* Check we got the number of tickets we were expecting */
2012 || !TEST_int_eq(idx, new_called))
2013 goto end;
2014
2015 /* After a post-handshake authentication we should get new tickets issued */
2016 if (!post_handshake_verify(serverssl, clientssl)
2017 || !TEST_int_eq(idx * 2, new_called))
2018 goto end;
2019
2020 SSL_shutdown(clientssl);
2021 SSL_shutdown(serverssl);
2022 SSL_free(serverssl);
2023 SSL_free(clientssl);
2024 serverssl = clientssl = NULL;
2025
2026 /* Stop caching sessions - just count them */
2027 do_cache = 0;
2028
2029 /*
2030 * Check we can resume with all the tickets we created. This time around the
2031 * resumptions should all be successful.
2032 */
2033 if (!check_resumption(idx, sctx, cctx, 1))
2034 goto end;
2035
2036 testresult = 1;
2037
2038 end:
2039 SSL_free(serverssl);
2040 SSL_free(clientssl);
2041 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2042 SSL_SESSION_free(sesscache[j]);
2043 sesscache[j] = NULL;
2044 }
2045 SSL_CTX_free(sctx);
2046 SSL_CTX_free(cctx);
2047
2048 return testresult;
2049 }
2050
2051 static int test_stateless_tickets(int idx)
2052 {
2053 return test_tickets(0, idx);
2054 }
2055
2056 static int test_stateful_tickets(int idx)
2057 {
2058 return test_tickets(1, idx);
2059 }
2060
2061 static int test_psk_tickets(void)
2062 {
2063 SSL_CTX *sctx = NULL, *cctx = NULL;
2064 SSL *serverssl = NULL, *clientssl = NULL;
2065 int testresult = 0;
2066 int sess_id_ctx = 1;
2067
2068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2069 TLS_client_method(), TLS1_VERSION, 0,
2070 &sctx, &cctx, NULL, NULL))
2071 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2072 (void *)&sess_id_ctx,
2073 sizeof(sess_id_ctx))))
2074 goto end;
2075
2076 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2077 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2078 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2079 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2080 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2081 use_session_cb_cnt = 0;
2082 find_session_cb_cnt = 0;
2083 srvid = pskid;
2084 new_called = 0;
2085
2086 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2087 NULL, NULL)))
2088 goto end;
2089 clientpsk = serverpsk = create_a_psk(clientssl);
2090 if (!TEST_ptr(clientpsk))
2091 goto end;
2092 SSL_SESSION_up_ref(clientpsk);
2093
2094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2095 SSL_ERROR_NONE))
2096 || !TEST_int_eq(1, find_session_cb_cnt)
2097 || !TEST_int_eq(1, use_session_cb_cnt)
2098 /* We should always get 1 ticket when using external PSK */
2099 || !TEST_int_eq(1, new_called))
2100 goto end;
2101
2102 testresult = 1;
2103
2104 end:
2105 SSL_free(serverssl);
2106 SSL_free(clientssl);
2107 SSL_CTX_free(sctx);
2108 SSL_CTX_free(cctx);
2109 SSL_SESSION_free(clientpsk);
2110 SSL_SESSION_free(serverpsk);
2111 clientpsk = serverpsk = NULL;
2112
2113 return testresult;
2114 }
2115
2116 static int test_extra_tickets(int idx)
2117 {
2118 SSL_CTX *sctx = NULL, *cctx = NULL;
2119 SSL *serverssl = NULL, *clientssl = NULL;
2120 BIO *bretry = BIO_new(bio_s_always_retry());
2121 BIO *tmp = NULL;
2122 int testresult = 0;
2123 int stateful = 0;
2124 size_t nbytes;
2125 unsigned char c, buf[1];
2126
2127 new_called = 0;
2128 do_cache = 1;
2129
2130 if (idx >= 3) {
2131 idx -= 3;
2132 stateful = 1;
2133 }
2134
2135 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2136 goto end;
2137 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2138 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2139 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2140
2141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2142 &clientssl, NULL, NULL)))
2143 goto end;
2144
2145 /*
2146 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2147 * incremented by both client and server.
2148 */
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2150 SSL_ERROR_NONE))
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx * 2, new_called)
2153 || !TEST_true(SSL_new_session_ticket(serverssl))
2154 || !TEST_true(SSL_new_session_ticket(serverssl))
2155 || !TEST_int_eq(idx * 2, new_called))
2156 goto end;
2157
2158 /* Now try a (real) write to actually send the tickets */
2159 c = '1';
2160 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2161 || !TEST_size_t_eq(1, nbytes)
2162 || !TEST_int_eq(idx * 2 + 2, new_called)
2163 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2164 || !TEST_int_eq(idx * 2 + 4, new_called)
2165 || !TEST_int_eq(sizeof(buf), nbytes)
2166 || !TEST_int_eq(c, buf[0])
2167 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2168 goto end;
2169
2170 /* Try with only requesting one new ticket, too */
2171 c = '2';
2172 new_called = 0;
2173 if (!TEST_true(SSL_new_session_ticket(serverssl))
2174 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2175 || !TEST_size_t_eq(sizeof(c), nbytes)
2176 || !TEST_int_eq(1, new_called)
2177 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2178 || !TEST_int_eq(2, new_called)
2179 || !TEST_size_t_eq(sizeof(buf), nbytes)
2180 || !TEST_int_eq(c, buf[0]))
2181 goto end;
2182
2183 /* Do it again but use dummy writes to drive the ticket generation */
2184 c = '3';
2185 new_called = 0;
2186 if (!TEST_true(SSL_new_session_ticket(serverssl))
2187 || !TEST_true(SSL_new_session_ticket(serverssl))
2188 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2189 || !TEST_size_t_eq(0, nbytes)
2190 || !TEST_int_eq(2, new_called)
2191 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2192 || !TEST_int_eq(4, new_called))
2193 goto end;
2194
2195 /*
2196 * Use the always-retry BIO to exercise the logic that forces ticket
2197 * generation to wait until a record boundary.
2198 */
2199 c = '4';
2200 new_called = 0;
2201 tmp = SSL_get_wbio(serverssl);
2202 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2203 tmp = NULL;
2204 goto end;
2205 }
2206 SSL_set0_wbio(serverssl, bretry);
2207 bretry = NULL;
2208 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2209 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2210 || !TEST_size_t_eq(nbytes, 0))
2211 goto end;
2212 /* Restore a BIO that will let the write succeed */
2213 SSL_set0_wbio(serverssl, tmp);
2214 tmp = NULL;
2215 /* These calls should just queue the request and not send anything. */
2216 if (!TEST_true(SSL_new_session_ticket(serverssl))
2217 || !TEST_true(SSL_new_session_ticket(serverssl))
2218 || !TEST_int_eq(0, new_called))
2219 goto end;
2220 /* Re-do the write; still no tickets sent */
2221 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2222 || !TEST_size_t_eq(1, nbytes)
2223 || !TEST_int_eq(0, new_called)
2224 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2225 || !TEST_int_eq(0, new_called)
2226 || !TEST_int_eq(sizeof(buf), nbytes)
2227 || !TEST_int_eq(c, buf[0])
2228 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2229 goto end;
2230 /* Now the *next* write should send the tickets */
2231 c = '5';
2232 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2233 || !TEST_size_t_eq(1, nbytes)
2234 || !TEST_int_eq(2, new_called)
2235 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2236 || !TEST_int_eq(4, new_called)
2237 || !TEST_int_eq(sizeof(buf), nbytes)
2238 || !TEST_int_eq(c, buf[0])
2239 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2240 goto end;
2241
2242 SSL_shutdown(clientssl);
2243 SSL_shutdown(serverssl);
2244 testresult = 1;
2245
2246 end:
2247 BIO_free(bretry);
2248 BIO_free(tmp);
2249 SSL_free(serverssl);
2250 SSL_free(clientssl);
2251 SSL_CTX_free(sctx);
2252 SSL_CTX_free(cctx);
2253 clientssl = serverssl = NULL;
2254 sctx = cctx = NULL;
2255 return testresult;
2256 }
2257 #endif
2258
2259 #define USE_NULL 0
2260 #define USE_BIO_1 1
2261 #define USE_BIO_2 2
2262 #define USE_DEFAULT 3
2263
2264 #define CONNTYPE_CONNECTION_SUCCESS 0
2265 #define CONNTYPE_CONNECTION_FAIL 1
2266 #define CONNTYPE_NO_CONNECTION 2
2267
2268 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2269 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2270 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2271 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2272 #else
2273 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2274 #endif
2275
2276 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2277 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2278 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2279
2280 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2281 {
2282 switch (type) {
2283 case USE_NULL:
2284 *res = NULL;
2285 break;
2286 case USE_BIO_1:
2287 *res = bio1;
2288 break;
2289 case USE_BIO_2:
2290 *res = bio2;
2291 break;
2292 }
2293 }
2294
2295
2296 /*
2297 * Tests calls to SSL_set_bio() under various conditions.
2298 *
2299 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2300 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2301 * then do more tests where we create a successful connection first using our
2302 * standard connection setup functions, and then call SSL_set_bio() with
2303 * various combinations of valid BIOs or NULL. We then repeat these tests
2304 * following a failed connection. In this last case we are looking to check that
2305 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2306 */
2307 static int test_ssl_set_bio(int idx)
2308 {
2309 SSL_CTX *sctx = NULL, *cctx = NULL;
2310 BIO *bio1 = NULL;
2311 BIO *bio2 = NULL;
2312 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2313 SSL *serverssl = NULL, *clientssl = NULL;
2314 int initrbio, initwbio, newrbio, newwbio, conntype;
2315 int testresult = 0;
2316
2317 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2318 initrbio = idx % 3;
2319 idx /= 3;
2320 initwbio = idx % 3;
2321 idx /= 3;
2322 newrbio = idx % 3;
2323 idx /= 3;
2324 newwbio = idx % 3;
2325 conntype = CONNTYPE_NO_CONNECTION;
2326 } else {
2327 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2328 initrbio = initwbio = USE_DEFAULT;
2329 newrbio = idx % 2;
2330 idx /= 2;
2331 newwbio = idx % 2;
2332 idx /= 2;
2333 conntype = idx % 2;
2334 }
2335
2336 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2337 TLS_client_method(), TLS1_VERSION, 0,
2338 &sctx, &cctx, cert, privkey)))
2339 goto end;
2340
2341 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2342 /*
2343 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2344 * because we reduced the number of tests in the definition of
2345 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2346 * mismatched protocol versions we will force a connection failure.
2347 */
2348 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2349 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2350 }
2351
2352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2353 NULL, NULL)))
2354 goto end;
2355
2356 if (initrbio == USE_BIO_1
2357 || initwbio == USE_BIO_1
2358 || newrbio == USE_BIO_1
2359 || newwbio == USE_BIO_1) {
2360 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2361 goto end;
2362 }
2363
2364 if (initrbio == USE_BIO_2
2365 || initwbio == USE_BIO_2
2366 || newrbio == USE_BIO_2
2367 || newwbio == USE_BIO_2) {
2368 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2369 goto end;
2370 }
2371
2372 if (initrbio != USE_DEFAULT) {
2373 setupbio(&irbio, bio1, bio2, initrbio);
2374 setupbio(&iwbio, bio1, bio2, initwbio);
2375 SSL_set_bio(clientssl, irbio, iwbio);
2376
2377 /*
2378 * We want to maintain our own refs to these BIO, so do an up ref for
2379 * each BIO that will have ownership transferred in the SSL_set_bio()
2380 * call
2381 */
2382 if (irbio != NULL)
2383 BIO_up_ref(irbio);
2384 if (iwbio != NULL && iwbio != irbio)
2385 BIO_up_ref(iwbio);
2386 }
2387
2388 if (conntype != CONNTYPE_NO_CONNECTION
2389 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2390 SSL_ERROR_NONE)
2391 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2392 goto end;
2393
2394 setupbio(&nrbio, bio1, bio2, newrbio);
2395 setupbio(&nwbio, bio1, bio2, newwbio);
2396
2397 /*
2398 * We will (maybe) transfer ownership again so do more up refs.
2399 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2400 * already been set!
2401 */
2402 if (nrbio != NULL
2403 && nrbio != irbio
2404 && (nwbio != iwbio || nrbio != nwbio))
2405 BIO_up_ref(nrbio);
2406 if (nwbio != NULL
2407 && nwbio != nrbio
2408 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2409 BIO_up_ref(nwbio);
2410
2411 SSL_set_bio(clientssl, nrbio, nwbio);
2412
2413 testresult = 1;
2414
2415 end:
2416 BIO_free(bio1);
2417 BIO_free(bio2);
2418
2419 /*
2420 * This test is checking that the ref counting for SSL_set_bio is correct.
2421 * If we get here and we did too many frees then we will fail in the above
2422 * functions.
2423 */
2424 SSL_free(serverssl);
2425 SSL_free(clientssl);
2426 SSL_CTX_free(sctx);
2427 SSL_CTX_free(cctx);
2428 return testresult;
2429 }
2430
2431 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2432
2433 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2434 {
2435 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2436 SSL_CTX *ctx;
2437 SSL *ssl = NULL;
2438 int testresult = 0;
2439
2440 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2441 || !TEST_ptr(ssl = SSL_new(ctx))
2442 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2443 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2444 goto end;
2445
2446 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2447
2448 /*
2449 * If anything goes wrong here then we could leak memory.
2450 */
2451 BIO_push(sslbio, membio1);
2452
2453 /* Verify changing the rbio/wbio directly does not cause leaks */
2454 if (change_bio != NO_BIO_CHANGE) {
2455 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2456 goto end;
2457 if (change_bio == CHANGE_RBIO)
2458 SSL_set0_rbio(ssl, membio2);
2459 else
2460 SSL_set0_wbio(ssl, membio2);
2461 }
2462 ssl = NULL;
2463
2464 if (pop_ssl)
2465 BIO_pop(sslbio);
2466 else
2467 BIO_pop(membio1);
2468
2469 testresult = 1;
2470 end:
2471 BIO_free(membio1);
2472 BIO_free(sslbio);
2473 SSL_free(ssl);
2474 SSL_CTX_free(ctx);
2475
2476 return testresult;
2477 }
2478
2479 static int test_ssl_bio_pop_next_bio(void)
2480 {
2481 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2482 }
2483
2484 static int test_ssl_bio_pop_ssl_bio(void)
2485 {
2486 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2487 }
2488
2489 static int test_ssl_bio_change_rbio(void)
2490 {
2491 return execute_test_ssl_bio(0, CHANGE_RBIO);
2492 }
2493
2494 static int test_ssl_bio_change_wbio(void)
2495 {
2496 return execute_test_ssl_bio(0, CHANGE_WBIO);
2497 }
2498
2499 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2500 typedef struct {
2501 /* The list of sig algs */
2502 const int *list;
2503 /* The length of the list */
2504 size_t listlen;
2505 /* A sigalgs list in string format */
2506 const char *liststr;
2507 /* Whether setting the list should succeed */
2508 int valid;
2509 /* Whether creating a connection with the list should succeed */
2510 int connsuccess;
2511 } sigalgs_list;
2512
2513 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2514 # ifndef OPENSSL_NO_EC
2515 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2516 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2517 # endif
2518 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2519 static const int invalidlist2[] = {NID_sha256, NID_undef};
2520 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2521 static const int invalidlist4[] = {NID_sha256};
2522 static const sigalgs_list testsigalgs[] = {
2523 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2524 # ifndef OPENSSL_NO_EC
2525 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2526 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2527 # endif
2528 {NULL, 0, "RSA+SHA256", 1, 1},
2529 # ifndef OPENSSL_NO_EC
2530 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2531 {NULL, 0, "ECDSA+SHA512", 1, 0},
2532 # endif
2533 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2534 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2535 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2536 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2537 {NULL, 0, "RSA", 0, 0},
2538 {NULL, 0, "SHA256", 0, 0},
2539 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2540 {NULL, 0, "Invalid", 0, 0}
2541 };
2542
2543 static int test_set_sigalgs(int idx)
2544 {
2545 SSL_CTX *cctx = NULL, *sctx = NULL;
2546 SSL *clientssl = NULL, *serverssl = NULL;
2547 int testresult = 0;
2548 const sigalgs_list *curr;
2549 int testctx;
2550
2551 /* Should never happen */
2552 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2553 return 0;
2554
2555 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2556 curr = testctx ? &testsigalgs[idx]
2557 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2558
2559 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2560 TLS_client_method(), TLS1_VERSION, 0,
2561 &sctx, &cctx, cert, privkey)))
2562 return 0;
2563
2564 /*
2565 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2566 * for TLSv1.2 for now until we add a new API.
2567 */
2568 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2569
2570 if (testctx) {
2571 int ret;
2572
2573 if (curr->list != NULL)
2574 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2575 else
2576 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2577
2578 if (!ret) {
2579 if (curr->valid)
2580 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2581 else
2582 testresult = 1;
2583 goto end;
2584 }
2585 if (!curr->valid) {
2586 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2587 goto end;
2588 }
2589 }
2590
2591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2592 &clientssl, NULL, NULL)))
2593 goto end;
2594
2595 if (!testctx) {
2596 int ret;
2597
2598 if (curr->list != NULL)
2599 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2600 else
2601 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2602 if (!ret) {
2603 if (curr->valid)
2604 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2605 else
2606 testresult = 1;
2607 goto end;
2608 }
2609 if (!curr->valid)
2610 goto end;
2611 }
2612
2613 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2614 SSL_ERROR_NONE),
2615 curr->connsuccess))
2616 goto end;
2617
2618 testresult = 1;
2619
2620 end:
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 SSL_CTX_free(sctx);
2624 SSL_CTX_free(cctx);
2625
2626 return testresult;
2627 }
2628 #endif
2629
2630 #ifndef OPENSSL_NO_TLS1_3
2631 static int psk_client_cb_cnt = 0;
2632 static int psk_server_cb_cnt = 0;
2633
2634 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2635 size_t *idlen, SSL_SESSION **sess)
2636 {
2637 switch (++use_session_cb_cnt) {
2638 case 1:
2639 /* The first call should always have a NULL md */
2640 if (md != NULL)
2641 return 0;
2642 break;
2643
2644 case 2:
2645 /* The second call should always have an md */
2646 if (md == NULL)
2647 return 0;
2648 break;
2649
2650 default:
2651 /* We should only be called a maximum of twice */
2652 return 0;
2653 }
2654
2655 if (clientpsk != NULL)
2656 SSL_SESSION_up_ref(clientpsk);
2657
2658 *sess = clientpsk;
2659 *id = (const unsigned char *)pskid;
2660 *idlen = strlen(pskid);
2661
2662 return 1;
2663 }
2664
2665 #ifndef OPENSSL_NO_PSK
2666 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2667 unsigned int max_id_len,
2668 unsigned char *psk,
2669 unsigned int max_psk_len)
2670 {
2671 unsigned int psklen = 0;
2672
2673 psk_client_cb_cnt++;
2674
2675 if (strlen(pskid) + 1 > max_id_len)
2676 return 0;
2677
2678 /* We should only ever be called a maximum of twice per connection */
2679 if (psk_client_cb_cnt > 2)
2680 return 0;
2681
2682 if (clientpsk == NULL)
2683 return 0;
2684
2685 /* We'll reuse the PSK we set up for TLSv1.3 */
2686 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2687 return 0;
2688 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2689 strncpy(id, pskid, max_id_len);
2690
2691 return psklen;
2692 }
2693 #endif /* OPENSSL_NO_PSK */
2694
2695 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2696 size_t identity_len, SSL_SESSION **sess)
2697 {
2698 find_session_cb_cnt++;
2699
2700 /* We should only ever be called a maximum of twice per connection */
2701 if (find_session_cb_cnt > 2)
2702 return 0;
2703
2704 if (serverpsk == NULL)
2705 return 0;
2706
2707 /* Identity should match that set by the client */
2708 if (strlen(srvid) != identity_len
2709 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2710 /* No PSK found, continue but without a PSK */
2711 *sess = NULL;
2712 return 1;
2713 }
2714
2715 SSL_SESSION_up_ref(serverpsk);
2716 *sess = serverpsk;
2717
2718 return 1;
2719 }
2720
2721 #ifndef OPENSSL_NO_PSK
2722 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2723 unsigned char *psk, unsigned int max_psk_len)
2724 {
2725 unsigned int psklen = 0;
2726
2727 psk_server_cb_cnt++;
2728
2729 /* We should only ever be called a maximum of twice per connection */
2730 if (find_session_cb_cnt > 2)
2731 return 0;
2732
2733 if (serverpsk == NULL)
2734 return 0;
2735
2736 /* Identity should match that set by the client */
2737 if (strcmp(srvid, identity) != 0) {
2738 return 0;
2739 }
2740
2741 /* We'll reuse the PSK we set up for TLSv1.3 */
2742 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2743 return 0;
2744 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2745
2746 return psklen;
2747 }
2748 #endif /* OPENSSL_NO_PSK */
2749
2750 #define MSG1 "Hello"
2751 #define MSG2 "World."
2752 #define MSG3 "This"
2753 #define MSG4 "is"
2754 #define MSG5 "a"
2755 #define MSG6 "test"
2756 #define MSG7 "message."
2757
2758 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2759 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2760 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2761 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2762 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2763
2764
2765 static SSL_SESSION *create_a_psk(SSL *ssl)
2766 {
2767 const SSL_CIPHER *cipher = NULL;
2768 const unsigned char key[] = {
2769 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2770 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2771 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2772 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2773 0x2c, 0x2d, 0x2e, 0x2f
2774 };
2775 SSL_SESSION *sess = NULL;
2776
2777 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2778 sess = SSL_SESSION_new();
2779 if (!TEST_ptr(sess)
2780 || !TEST_ptr(cipher)
2781 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2782 sizeof(key)))
2783 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2784 || !TEST_true(
2785 SSL_SESSION_set_protocol_version(sess,
2786 TLS1_3_VERSION))) {
2787 SSL_SESSION_free(sess);
2788 return NULL;
2789 }
2790 return sess;
2791 }
2792
2793 /*
2794 * Helper method to setup objects for early data test. Caller frees objects on
2795 * error.
2796 */
2797 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2798 SSL **serverssl, SSL_SESSION **sess, int idx)
2799 {
2800 if (*sctx == NULL
2801 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2802 TLS_client_method(),
2803 TLS1_VERSION, 0,
2804 sctx, cctx, cert, privkey)))
2805 return 0;
2806
2807 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2808 return 0;
2809
2810 if (idx == 1) {
2811 /* When idx == 1 we repeat the tests with read_ahead set */
2812 SSL_CTX_set_read_ahead(*cctx, 1);
2813 SSL_CTX_set_read_ahead(*sctx, 1);
2814 } else if (idx == 2) {
2815 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2816 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2817 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2818 use_session_cb_cnt = 0;
2819 find_session_cb_cnt = 0;
2820 srvid = pskid;
2821 }
2822
2823 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2824 NULL, NULL)))
2825 return 0;
2826
2827 /*
2828 * For one of the run throughs (doesn't matter which one), we'll try sending
2829 * some SNI data in the initial ClientHello. This will be ignored (because
2830 * there is no SNI cb set up by the server), so it should not impact
2831 * early_data.
2832 */
2833 if (idx == 1
2834 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2835 return 0;
2836
2837 if (idx == 2) {
2838 clientpsk = create_a_psk(*clientssl);
2839 if (!TEST_ptr(clientpsk)
2840 /*
2841 * We just choose an arbitrary value for max_early_data which
2842 * should be big enough for testing purposes.
2843 */
2844 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2845 0x100))
2846 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2847 SSL_SESSION_free(clientpsk);
2848 clientpsk = NULL;
2849 return 0;
2850 }
2851 serverpsk = clientpsk;
2852
2853 if (sess != NULL) {
2854 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2855 SSL_SESSION_free(clientpsk);
2856 SSL_SESSION_free(serverpsk);
2857 clientpsk = serverpsk = NULL;
2858 return 0;
2859 }
2860 *sess = clientpsk;
2861 }
2862 return 1;
2863 }
2864
2865 if (sess == NULL)
2866 return 1;
2867
2868 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2869 SSL_ERROR_NONE)))
2870 return 0;
2871
2872 *sess = SSL_get1_session(*clientssl);
2873 SSL_shutdown(*clientssl);
2874 SSL_shutdown(*serverssl);
2875 SSL_free(*serverssl);
2876 SSL_free(*clientssl);
2877 *serverssl = *clientssl = NULL;
2878
2879 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2880 clientssl, NULL, NULL))
2881 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2882 return 0;
2883
2884 return 1;
2885 }
2886
2887 static int test_early_data_read_write(int idx)
2888 {
2889 SSL_CTX *cctx = NULL, *sctx = NULL;
2890 SSL *clientssl = NULL, *serverssl = NULL;
2891 int testresult = 0;
2892 SSL_SESSION *sess = NULL;
2893 unsigned char buf[20], data[1024];
2894 size_t readbytes, written, eoedlen, rawread, rawwritten;
2895 BIO *rbio;
2896
2897 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2898 &serverssl, &sess, idx)))
2899 goto end;
2900
2901 /* Write and read some early data */
2902 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2903 &written))
2904 || !TEST_size_t_eq(written, strlen(MSG1))
2905 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2906 sizeof(buf), &readbytes),
2907 SSL_READ_EARLY_DATA_SUCCESS)
2908 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2909 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2910 SSL_EARLY_DATA_ACCEPTED))
2911 goto end;
2912
2913 /*
2914 * Server should be able to write data, and client should be able to
2915 * read it.
2916 */
2917 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2918 &written))
2919 || !TEST_size_t_eq(written, strlen(MSG2))
2920 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2921 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2922 goto end;
2923
2924 /* Even after reading normal data, client should be able write early data */
2925 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2926 &written))
2927 || !TEST_size_t_eq(written, strlen(MSG3)))
2928 goto end;
2929
2930 /* Server should still be able read early data after writing data */
2931 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2932 &readbytes),
2933 SSL_READ_EARLY_DATA_SUCCESS)
2934 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2935 goto end;
2936
2937 /* Write more data from server and read it from client */
2938 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2939 &written))
2940 || !TEST_size_t_eq(written, strlen(MSG4))
2941 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2942 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2943 goto end;
2944
2945 /*
2946 * If client writes normal data it should mean writing early data is no
2947 * longer possible.
2948 */
2949 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2950 || !TEST_size_t_eq(written, strlen(MSG5))
2951 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2952 SSL_EARLY_DATA_ACCEPTED))
2953 goto end;
2954
2955 /*
2956 * At this point the client has written EndOfEarlyData, ClientFinished and
2957 * normal (fully protected) data. We are going to cause a delay between the
2958 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2959 * in the read BIO, and then just put back the EndOfEarlyData message.
2960 */
2961 rbio = SSL_get_rbio(serverssl);
2962 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2963 || !TEST_size_t_lt(rawread, sizeof(data))
2964 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2965 goto end;
2966
2967 /* Record length is in the 4th and 5th bytes of the record header */
2968 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2969 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2970 || !TEST_size_t_eq(rawwritten, eoedlen))
2971 goto end;
2972
2973 /* Server should be told that there is no more early data */
2974 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2975 &readbytes),
2976 SSL_READ_EARLY_DATA_FINISH)
2977 || !TEST_size_t_eq(readbytes, 0))
2978 goto end;
2979
2980 /*
2981 * Server has not finished init yet, so should still be able to write early
2982 * data.
2983 */
2984 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2985 &written))
2986 || !TEST_size_t_eq(written, strlen(MSG6)))
2987 goto end;
2988
2989 /* Push the ClientFinished and the normal data back into the server rbio */
2990 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2991 &rawwritten))
2992 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2993 goto end;
2994
2995 /* Server should be able to read normal data */
2996 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2997 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2998 goto end;
2999
3000 /* Client and server should not be able to write/read early data now */
3001 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3002 &written)))
3003 goto end;
3004 ERR_clear_error();
3005 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3006 &readbytes),
3007 SSL_READ_EARLY_DATA_ERROR))
3008 goto end;
3009 ERR_clear_error();
3010
3011 /* Client should be able to read the data sent by the server */
3012 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3013 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3014 goto end;
3015
3016 /*
3017 * Make sure we process the two NewSessionTickets. These arrive
3018 * post-handshake. We attempt reads which we do not expect to return any
3019 * data.
3020 */
3021 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3022 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3023 &readbytes)))
3024 goto end;
3025
3026 /* Server should be able to write normal data */
3027 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3028 || !TEST_size_t_eq(written, strlen(MSG7))
3029 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3030 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3031 goto end;
3032
3033 SSL_SESSION_free(sess);
3034 sess = SSL_get1_session(clientssl);
3035 use_session_cb_cnt = 0;
3036 find_session_cb_cnt = 0;
3037
3038 SSL_shutdown(clientssl);
3039 SSL_shutdown(serverssl);
3040 SSL_free(serverssl);
3041 SSL_free(clientssl);
3042 serverssl = clientssl = NULL;
3043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3044 &clientssl, NULL, NULL))
3045 || !TEST_true(SSL_set_session(clientssl, sess)))
3046 goto end;
3047
3048 /* Write and read some early data */
3049 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3050 &written))
3051 || !TEST_size_t_eq(written, strlen(MSG1))
3052 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3053 &readbytes),
3054 SSL_READ_EARLY_DATA_SUCCESS)
3055 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3056 goto end;
3057
3058 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3059 || !TEST_int_gt(SSL_accept(serverssl), 0))
3060 goto end;
3061
3062 /* Client and server should not be able to write/read early data now */
3063 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3064 &written)))
3065 goto end;
3066 ERR_clear_error();
3067 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3068 &readbytes),
3069 SSL_READ_EARLY_DATA_ERROR))
3070 goto end;
3071 ERR_clear_error();
3072
3073 /* Client and server should be able to write/read normal data */
3074 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3075 || !TEST_size_t_eq(written, strlen(MSG5))
3076 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3077 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3078 goto end;
3079
3080 testresult = 1;
3081
3082 end:
3083 SSL_SESSION_free(sess);
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_free(serverssl);
3088 SSL_free(clientssl);
3089 SSL_CTX_free(sctx);
3090 SSL_CTX_free(cctx);
3091 return testresult;
3092 }
3093
3094 static int allow_ed_cb_called = 0;
3095
3096 static int allow_early_data_cb(SSL *s, void *arg)
3097 {
3098 int *usecb = (int *)arg;
3099
3100 allow_ed_cb_called++;
3101
3102 if (*usecb == 1)
3103 return 0;
3104
3105 return 1;
3106 }
3107
3108 /*
3109 * idx == 0: Standard early_data setup
3110 * idx == 1: early_data setup using read_ahead
3111 * usecb == 0: Don't use a custom early data callback
3112 * usecb == 1: Use a custom early data callback and reject the early data
3113 * usecb == 2: Use a custom early data callback and accept the early data
3114 * confopt == 0: Configure anti-replay directly
3115 * confopt == 1: Configure anti-replay using SSL_CONF
3116 */
3117 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3118 {
3119 SSL_CTX *cctx = NULL, *sctx = NULL;
3120 SSL *clientssl = NULL, *serverssl = NULL;
3121 int testresult = 0;
3122 SSL_SESSION *sess = NULL;
3123 size_t readbytes, written;
3124 unsigned char buf[20];
3125
3126 allow_ed_cb_called = 0;
3127
3128 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3129 TLS_client_method(), TLS1_VERSION, 0,
3130 &sctx, &cctx, cert, privkey)))
3131 return 0;
3132
3133 if (usecb > 0) {
3134 if (confopt == 0) {
3135 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3136 } else {
3137 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3138
3139 if (!TEST_ptr(confctx))
3140 goto end;
3141 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3142 | SSL_CONF_FLAG_SERVER);
3143 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3144 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3145 2)) {
3146 SSL_CONF_CTX_free(confctx);
3147 goto end;
3148 }
3149 SSL_CONF_CTX_free(confctx);
3150 }
3151 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3152 }
3153
3154 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3155 &serverssl, &sess, idx)))
3156 goto end;
3157
3158 /*
3159 * The server is configured to accept early data. Create a connection to
3160 * "use up" the ticket
3161 */
3162 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3163 || !TEST_true(SSL_session_reused(clientssl)))
3164 goto end;
3165
3166 SSL_shutdown(clientssl);
3167 SSL_shutdown(serverssl);
3168 SSL_free(serverssl);
3169 SSL_free(clientssl);
3170 serverssl = clientssl = NULL;
3171
3172 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3173 &clientssl, NULL, NULL))
3174 || !TEST_true(SSL_set_session(clientssl, sess)))
3175 goto end;
3176
3177 /* Write and read some early data */
3178 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3179 &written))
3180 || !TEST_size_t_eq(written, strlen(MSG1)))
3181 goto end;
3182
3183 if (usecb <= 1) {
3184 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3185 &readbytes),
3186 SSL_READ_EARLY_DATA_FINISH)
3187 /*
3188 * The ticket was reused, so the we should have rejected the
3189 * early data
3190 */
3191 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3192 SSL_EARLY_DATA_REJECTED))
3193 goto end;
3194 } else {
3195 /* In this case the callback decides to accept the early data */
3196 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3197 &readbytes),
3198 SSL_READ_EARLY_DATA_SUCCESS)
3199 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3200 /*
3201 * Server will have sent its flight so client can now send
3202 * end of early data and complete its half of the handshake
3203 */
3204 || !TEST_int_gt(SSL_connect(clientssl), 0)
3205 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3206 &readbytes),
3207 SSL_READ_EARLY_DATA_FINISH)
3208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3209 SSL_EARLY_DATA_ACCEPTED))
3210 goto end;
3211 }
3212
3213 /* Complete the connection */
3214 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3215 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3216 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3217 goto end;
3218
3219 testresult = 1;
3220
3221 end:
3222 SSL_SESSION_free(sess);
3223 SSL_SESSION_free(clientpsk);
3224 SSL_SESSION_free(serverpsk);
3225 clientpsk = serverpsk = NULL;
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230 return testresult;
3231 }
3232
3233 static int test_early_data_replay(int idx)
3234 {
3235 int ret = 1, usecb, confopt;
3236
3237 for (usecb = 0; usecb < 3; usecb++) {
3238 for (confopt = 0; confopt < 2; confopt++)
3239 ret &= test_early_data_replay_int(idx, usecb, confopt);
3240 }
3241
3242 return ret;
3243 }
3244
3245 /*
3246 * Helper function to test that a server attempting to read early data can
3247 * handle a connection from a client where the early data should be skipped.
3248 * testtype: 0 == No HRR
3249 * testtype: 1 == HRR
3250 * testtype: 2 == HRR, invalid early_data sent after HRR
3251 * testtype: 3 == recv_max_early_data set to 0
3252 */
3253 static int early_data_skip_helper(int testtype, int idx)
3254 {
3255 SSL_CTX *cctx = NULL, *sctx = NULL;
3256 SSL *clientssl = NULL, *serverssl = NULL;
3257 int testresult = 0;
3258 SSL_SESSION *sess = NULL;
3259 unsigned char buf[20];
3260 size_t readbytes, written;
3261
3262 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3263 &serverssl, &sess, idx)))
3264 goto end;
3265
3266 if (testtype == 1 || testtype == 2) {
3267 /* Force an HRR to occur */
3268 #if defined(OPENSSL_NO_EC)
3269 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3270 goto end;
3271 #else
3272 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3273 goto end;
3274 #endif
3275 } else if (idx == 2) {
3276 /*
3277 * We force early_data rejection by ensuring the PSK identity is
3278 * unrecognised
3279 */
3280 srvid = "Dummy Identity";
3281 } else {
3282 /*
3283 * Deliberately corrupt the creation time. We take 20 seconds off the
3284 * time. It could be any value as long as it is not within tolerance.
3285 * This should mean the ticket is rejected.
3286 */
3287 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3288 goto end;
3289 }
3290
3291 if (testtype == 3
3292 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3293 goto end;
3294
3295 /* Write some early data */
3296 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3297 &written))
3298 || !TEST_size_t_eq(written, strlen(MSG1)))
3299 goto end;
3300
3301 /* Server should reject the early data */
3302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3303 &readbytes),
3304 SSL_READ_EARLY_DATA_FINISH)
3305 || !TEST_size_t_eq(readbytes, 0)
3306 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3307 SSL_EARLY_DATA_REJECTED))
3308 goto end;
3309
3310 switch (testtype) {
3311 case 0:
3312 /* Nothing to do */
3313 break;
3314
3315 case 1:
3316 /*
3317 * Finish off the handshake. We perform the same writes and reads as
3318 * further down but we expect them to fail due to the incomplete
3319 * handshake.
3320 */
3321 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3322 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3323 &readbytes)))
3324 goto end;
3325 break;
3326
3327 case 2:
3328 {
3329 BIO *wbio = SSL_get_wbio(clientssl);
3330 /* A record that will appear as bad early_data */
3331 const unsigned char bad_early_data[] = {
3332 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3333 };
3334
3335 /*
3336 * We force the client to attempt a write. This will fail because
3337 * we're still in the handshake. It will cause the second
3338 * ClientHello to be sent.
3339 */
3340 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3341 &written)))
3342 goto end;
3343
3344 /*
3345 * Inject some early_data after the second ClientHello. This should
3346 * cause the server to fail
3347 */
3348 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3349 sizeof(bad_early_data), &written)))
3350 goto end;
3351 }
3352 /* fallthrough */
3353
3354 case 3:
3355 /*
3356 * This client has sent more early_data than we are willing to skip
3357 * (case 3) or sent invalid early_data (case 2) so the connection should
3358 * abort.
3359 */
3360 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3361 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3362 goto end;
3363
3364 /* Connection has failed - nothing more to do */
3365 testresult = 1;
3366 goto end;
3367
3368 default:
3369 TEST_error("Invalid test type");
3370 goto end;
3371 }
3372
3373 /*
3374 * Should be able to send normal data despite rejection of early data. The
3375 * early_data should be skipped.
3376 */
3377 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3378 || !TEST_size_t_eq(written, strlen(MSG2))
3379 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3380 SSL_EARLY_DATA_REJECTED)
3381 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3382 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3383 goto end;
3384
3385 testresult = 1;
3386
3387 end:
3388 SSL_SESSION_free(clientpsk);
3389 SSL_SESSION_free(serverpsk);
3390 clientpsk = serverpsk = NULL;
3391 SSL_SESSION_free(sess);
3392 SSL_free(serverssl);
3393 SSL_free(clientssl);
3394 SSL_CTX_free(sctx);
3395 SSL_CTX_free(cctx);
3396 return testresult;
3397 }
3398
3399 /*
3400 * Test that a server attempting to read early data can handle a connection
3401 * from a client where the early data is not acceptable.
3402 */
3403 static int test_early_data_skip(int idx)
3404 {
3405 return early_data_skip_helper(0, idx);
3406 }
3407
3408 /*
3409 * Test that a server attempting to read early data can handle a connection
3410 * from a client where an HRR occurs.
3411 */
3412 static int test_early_data_skip_hrr(int idx)
3413 {
3414 return early_data_skip_helper(1, idx);
3415 }
3416
3417 /*
3418 * Test that a server attempting to read early data can handle a connection
3419 * from a client where an HRR occurs and correctly fails if early_data is sent
3420 * after the HRR
3421 */
3422 static int test_early_data_skip_hrr_fail(int idx)
3423 {
3424 return early_data_skip_helper(2, idx);
3425 }
3426
3427 /*
3428 * Test that a server attempting to read early data will abort if it tries to
3429 * skip over too much.
3430 */
3431 static int test_early_data_skip_abort(int idx)
3432 {
3433 return early_data_skip_helper(3, idx);
3434 }
3435
3436 /*
3437 * Test that a server attempting to read early data can handle a connection
3438 * from a client that doesn't send any.
3439 */
3440 static int test_early_data_not_sent(int idx)
3441 {
3442 SSL_CTX *cctx = NULL, *sctx = NULL;
3443 SSL *clientssl = NULL, *serverssl = NULL;
3444 int testresult = 0;
3445 SSL_SESSION *sess = NULL;
3446 unsigned char buf[20];
3447 size_t readbytes, written;
3448
3449 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3450 &serverssl, &sess, idx)))
3451 goto end;
3452
3453 /* Write some data - should block due to handshake with server */
3454 SSL_set_connect_state(clientssl);
3455 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3456 goto end;
3457
3458 /* Server should detect that early data has not been sent */
3459 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3460 &readbytes),
3461 SSL_READ_EARLY_DATA_FINISH)
3462 || !TEST_size_t_eq(readbytes, 0)
3463 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3464 SSL_EARLY_DATA_NOT_SENT)
3465 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3466 SSL_EARLY_DATA_NOT_SENT))
3467 goto end;
3468
3469 /* Continue writing the message we started earlier */
3470 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3471 || !TEST_size_t_eq(written, strlen(MSG1))
3472 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3473 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3474 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3475 || !TEST_size_t_eq(written, strlen(MSG2)))
3476 goto end;
3477
3478 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3479 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3480 goto end;
3481
3482 testresult = 1;
3483
3484 end:
3485 SSL_SESSION_free(sess);
3486 SSL_SESSION_free(clientpsk);
3487 SSL_SESSION_free(serverpsk);
3488 clientpsk = serverpsk = NULL;
3489 SSL_free(serverssl);
3490 SSL_free(clientssl);
3491 SSL_CTX_free(sctx);
3492 SSL_CTX_free(cctx);
3493 return testresult;
3494 }
3495
3496 static const char *servalpn;
3497
3498 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3499 unsigned char *outlen, const unsigned char *in,
3500 unsigned int inlen, void *arg)
3501 {
3502 unsigned int protlen = 0;
3503 const unsigned char *prot;
3504
3505 for (prot = in; prot < in + inlen; prot += protlen) {
3506 protlen = *prot++;
3507 if (in + inlen < prot + protlen)
3508 return SSL_TLSEXT_ERR_NOACK;
3509
3510 if (protlen == strlen(servalpn)
3511 && memcmp(prot, servalpn, protlen) == 0) {
3512 *out = prot;
3513 *outlen = protlen;
3514 return SSL_TLSEXT_ERR_OK;
3515 }
3516 }
3517
3518 return SSL_TLSEXT_ERR_NOACK;
3519 }
3520
3521 /* Test that a PSK can be used to send early_data */
3522 static int test_early_data_psk(int idx)
3523 {
3524 SSL_CTX *cctx = NULL, *sctx = NULL;
3525 SSL *clientssl = NULL, *serverssl = NULL;
3526 int testresult = 0;
3527 SSL_SESSION *sess = NULL;
3528 unsigned char alpnlist[] = {
3529 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3530 'l', 'p', 'n'
3531 };
3532 #define GOODALPNLEN 9
3533 #define BADALPNLEN 8
3534 #define GOODALPN (alpnlist)
3535 #define BADALPN (alpnlist + GOODALPNLEN)
3536 int err = 0;
3537 unsigned char buf[20];
3538 size_t readbytes, written;
3539 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3540 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3541
3542 /* We always set this up with a final parameter of "2" for PSK */
3543 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3544 &serverssl, &sess, 2)))
3545 goto end;
3546
3547 servalpn = "goodalpn";
3548
3549 /*
3550 * Note: There is no test for inconsistent SNI with late client detection.
3551 * This is because servers do not acknowledge SNI even if they are using
3552 * it in a resumption handshake - so it is not actually possible for a
3553 * client to detect a problem.
3554 */
3555 switch (idx) {
3556 case 0:
3557 /* Set inconsistent SNI (early client detection) */
3558 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3559 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3560 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3561 goto end;
3562 break;
3563
3564 case 1:
3565 /* Set inconsistent ALPN (early client detection) */
3566 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3567 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3568 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3569 GOODALPNLEN))
3570 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3571 BADALPNLEN)))
3572 goto end;
3573 break;
3574
3575 case 2:
3576 /*
3577 * Set invalid protocol version. Technically this affects PSKs without
3578 * early_data too, but we test it here because it is similar to the
3579 * SNI/ALPN consistency tests.
3580 */
3581 err = SSL_R_BAD_PSK;
3582 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3583 goto end;
3584 break;
3585
3586 case 3:
3587 /*
3588 * Set inconsistent SNI (server side). In this case the connection
3589 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3590 * is associated with each handshake - not the session. Therefore it
3591 * should not matter that we used a different server name last time.
3592 */
3593 SSL_SESSION_free(serverpsk);
3594 serverpsk = SSL_SESSION_dup(clientpsk);
3595 if (!TEST_ptr(serverpsk)
3596 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3597 goto end;
3598 /* Fall through */
3599 case 4:
3600 /* Set consistent SNI */
3601 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3602 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3603 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3604 hostname_cb)))
3605 goto end;
3606 break;
3607
3608 case 5:
3609 /*
3610 * Set inconsistent ALPN (server detected). In this case the connection
3611 * will succeed but reject early_data.
3612 */
3613 servalpn = "badalpn";
3614 edstatus = SSL_EARLY_DATA_REJECTED;
3615 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3616 /* Fall through */
3617 case 6:
3618 /*
3619 * Set consistent ALPN.
3620 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3621 * accepts a list of protos (each one length prefixed).
3622 * SSL_set1_alpn_selected accepts a single protocol (not length
3623 * prefixed)
3624 */
3625 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3626 GOODALPNLEN - 1))
3627 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3628 GOODALPNLEN)))
3629 goto end;
3630
3631 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3632 break;
3633
3634 case 7:
3635 /* Set inconsistent ALPN (late client detection) */
3636 SSL_SESSION_free(serverpsk);
3637 serverpsk = SSL_SESSION_dup(clientpsk);
3638 if (!TEST_ptr(serverpsk)
3639 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3640 BADALPN + 1,
3641 BADALPNLEN - 1))
3642 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3643 GOODALPN + 1,
3644 GOODALPNLEN - 1))
3645 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3646 sizeof(alpnlist))))
3647 goto end;
3648 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3649 edstatus = SSL_EARLY_DATA_ACCEPTED;
3650 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3651 /* SSL_connect() call should fail */
3652 connectres = -1;
3653 break;
3654
3655 default:
3656 TEST_error("Bad test index");
3657 goto end;
3658 }
3659
3660 SSL_set_connect_state(clientssl);
3661 if (err != 0) {
3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3663 &written))
3664 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3665 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3666 goto end;
3667 } else {
3668 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3669 &written)))
3670 goto end;
3671
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes), readearlyres)
3674 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3675 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3676 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3677 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3678 goto end;
3679 }
3680
3681 testresult = 1;
3682
3683 end:
3684 SSL_SESSION_free(sess);
3685 SSL_SESSION_free(clientpsk);
3686 SSL_SESSION_free(serverpsk);
3687 clientpsk = serverpsk = NULL;
3688 SSL_free(serverssl);
3689 SSL_free(clientssl);
3690 SSL_CTX_free(sctx);
3691 SSL_CTX_free(cctx);
3692 return testresult;
3693 }
3694
3695 /*
3696 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3697 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3698 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3699 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3700 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3701 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3702 */
3703 static int test_early_data_psk_with_all_ciphers(int idx)
3704 {
3705 SSL_CTX *cctx = NULL, *sctx = NULL;
3706 SSL *clientssl = NULL, *serverssl = NULL;
3707 int testresult = 0;
3708 SSL_SESSION *sess = NULL;
3709 unsigned char buf[20];
3710 size_t readbytes, written;
3711 const SSL_CIPHER *cipher;
3712 const char *cipher_str[] = {
3713 TLS1_3_RFC_AES_128_GCM_SHA256,
3714 TLS1_3_RFC_AES_256_GCM_SHA384,
3715 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3716 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3717 # else
3718 NULL,
3719 # endif
3720 TLS1_3_RFC_AES_128_CCM_SHA256,
3721 TLS1_3_RFC_AES_128_CCM_8_SHA256
3722 };
3723 const unsigned char *cipher_bytes[] = {
3724 TLS13_AES_128_GCM_SHA256_BYTES,
3725 TLS13_AES_256_GCM_SHA384_BYTES,
3726 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3727 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3728 # else
3729 NULL,
3730 # endif
3731 TLS13_AES_128_CCM_SHA256_BYTES,
3732 TLS13_AES_128_CCM_8_SHA256_BYTES
3733 };
3734
3735 if (cipher_str[idx] == NULL)
3736 return 1;
3737 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3738 if (idx == 2 && is_fips == 1)
3739 return 1;
3740
3741 /* We always set this up with a final parameter of "2" for PSK */
3742 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3743 &serverssl, &sess, 2)))
3744 goto end;
3745
3746 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3747 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3748 goto end;
3749
3750 /*
3751 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3752 * and assigns to both client and server with incremented reference
3753 * and the same instance is updated in 'sess'.
3754 * So updating ciphersuite in 'sess' which will get reflected in
3755 * PSK handshake using psk use sess and find sess cb.
3756 */
3757 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3758 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3759 goto end;
3760
3761 SSL_set_connect_state(clientssl);
3762 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3763 &written)))
3764 goto end;
3765
3766 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3767 &readbytes),
3768 SSL_READ_EARLY_DATA_SUCCESS)
3769 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3770 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3771 SSL_EARLY_DATA_ACCEPTED)
3772 || !TEST_int_eq(SSL_connect(clientssl), 1)
3773 || !TEST_int_eq(SSL_accept(serverssl), 1))
3774 goto end;
3775
3776 /* Send some normal data from client to server */
3777 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3778 || !TEST_size_t_eq(written, strlen(MSG2)))
3779 goto end;
3780
3781 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3782 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3783 goto end;
3784
3785 testresult = 1;
3786 end:
3787 SSL_SESSION_free(sess);
3788 SSL_SESSION_free(clientpsk);
3789 SSL_SESSION_free(serverpsk);
3790 clientpsk = serverpsk = NULL;
3791 if (clientssl != NULL)
3792 SSL_shutdown(clientssl);
3793 if (serverssl != NULL)
3794 SSL_shutdown(serverssl);
3795 SSL_free(serverssl);
3796 SSL_free(clientssl);
3797 SSL_CTX_free(sctx);
3798 SSL_CTX_free(cctx);
3799 return testresult;
3800 }
3801
3802 /*
3803 * Test that a server that doesn't try to read early data can handle a
3804 * client sending some.
3805 */
3806 static int test_early_data_not_expected(int idx)
3807 {
3808 SSL_CTX *cctx = NULL, *sctx = NULL;
3809 SSL *clientssl = NULL, *serverssl = NULL;
3810 int testresult = 0;
3811 SSL_SESSION *sess = NULL;
3812 unsigned char buf[20];
3813 size_t readbytes, written;
3814
3815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3816 &serverssl, &sess, idx)))
3817 goto end;
3818
3819 /* Write some early data */
3820 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3821 &written)))
3822 goto end;
3823
3824 /*
3825 * Server should skip over early data and then block waiting for client to
3826 * continue handshake
3827 */
3828 if (!TEST_int_le(SSL_accept(serverssl), 0)
3829 || !TEST_int_gt(SSL_connect(clientssl), 0)
3830 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3831 SSL_EARLY_DATA_REJECTED)
3832 || !TEST_int_gt(SSL_accept(serverssl), 0)
3833 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3834 SSL_EARLY_DATA_REJECTED))
3835 goto end;
3836
3837 /* Send some normal data from client to server */
3838 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3839 || !TEST_size_t_eq(written, strlen(MSG2)))
3840 goto end;
3841
3842 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3843 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3844 goto end;
3845
3846 testresult = 1;
3847
3848 end:
3849 SSL_SESSION_free(sess);
3850 SSL_SESSION_free(clientpsk);
3851 SSL_SESSION_free(serverpsk);
3852 clientpsk = serverpsk = NULL;
3853 SSL_free(serverssl);
3854 SSL_free(clientssl);
3855 SSL_CTX_free(sctx);
3856 SSL_CTX_free(cctx);
3857 return testresult;
3858 }
3859
3860
3861 # ifndef OPENSSL_NO_TLS1_2
3862 /*
3863 * Test that a server attempting to read early data can handle a connection
3864 * from a TLSv1.2 client.
3865 */
3866 static int test_early_data_tls1_2(int idx)
3867 {
3868 SSL_CTX *cctx = NULL, *sctx = NULL;
3869 SSL *clientssl = NULL, *serverssl = NULL;
3870 int testresult = 0;
3871 unsigned char buf[20];
3872 size_t readbytes, written;
3873
3874 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3875 &serverssl, NULL, idx)))
3876 goto end;
3877
3878 /* Write some data - should block due to handshake with server */
3879 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3880 SSL_set_connect_state(clientssl);
3881 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3882 goto end;
3883
3884 /*
3885 * Server should do TLSv1.2 handshake. First it will block waiting for more
3886 * messages from client after ServerDone. Then SSL_read_early_data should
3887 * finish and detect that early data has not been sent
3888 */
3889 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3890 &readbytes),
3891 SSL_READ_EARLY_DATA_ERROR))
3892 goto end;
3893
3894 /*
3895 * Continue writing the message we started earlier. Will still block waiting
3896 * for the CCS/Finished from server
3897 */
3898 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3899 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3900 &readbytes),
3901 SSL_READ_EARLY_DATA_FINISH)
3902 || !TEST_size_t_eq(readbytes, 0)
3903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3904 SSL_EARLY_DATA_NOT_SENT))
3905 goto end;
3906
3907 /* Continue writing the message we started earlier */
3908 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3909 || !TEST_size_t_eq(written, strlen(MSG1))
3910 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3911 SSL_EARLY_DATA_NOT_SENT)
3912 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3913 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3914 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3915 || !TEST_size_t_eq(written, strlen(MSG2))
3916 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3917 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3918 goto end;
3919
3920 testresult = 1;
3921
3922 end:
3923 SSL_SESSION_free(clientpsk);
3924 SSL_SESSION_free(serverpsk);
3925 clientpsk = serverpsk = NULL;
3926 SSL_free(serverssl);
3927 SSL_free(clientssl);
3928 SSL_CTX_free(sctx);
3929 SSL_CTX_free(cctx);
3930
3931 return testresult;
3932 }
3933 # endif /* OPENSSL_NO_TLS1_2 */
3934
3935 /*
3936 * Test configuring the TLSv1.3 ciphersuites
3937 *
3938 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3939 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3940 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3941 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3942 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3943 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3944 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3945 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3946 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3947 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3948 */
3949 static int test_set_ciphersuite(int idx)
3950 {
3951 SSL_CTX *cctx = NULL, *sctx = NULL;
3952 SSL *clientssl = NULL, *serverssl = NULL;
3953 int testresult = 0;
3954
3955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3956 TLS_client_method(), TLS1_VERSION, 0,
3957 &sctx, &cctx, cert, privkey))
3958 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3959 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3960 goto end;
3961
3962 if (idx >=4 && idx <= 7) {
3963 /* SSL_CTX explicit cipher list */
3964 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3965 goto end;
3966 }
3967
3968 if (idx == 0 || idx == 4) {
3969 /* Default ciphersuite */
3970 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3971 "TLS_AES_128_GCM_SHA256")))
3972 goto end;
3973 } else if (idx == 1 || idx == 5) {
3974 /* Non default ciphersuite */
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 "TLS_AES_128_CCM_SHA256")))
3977 goto end;
3978 }
3979
3980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3981 &clientssl, NULL, NULL)))
3982 goto end;
3983
3984 if (idx == 8 || idx == 9) {
3985 /* SSL explicit cipher list */
3986 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3987 goto end;
3988 }
3989
3990 if (idx == 2 || idx == 6 || idx == 8) {
3991 /* Default ciphersuite */
3992 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3993 "TLS_AES_128_GCM_SHA256")))
3994 goto end;
3995 } else if (idx == 3 || idx == 7 || idx == 9) {
3996 /* Non default ciphersuite */
3997 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3998 "TLS_AES_128_CCM_SHA256")))
3999 goto end;
4000 }
4001
4002 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4003 goto end;
4004
4005 testresult = 1;
4006
4007 end:
4008 SSL_free(serverssl);
4009 SSL_free(clientssl);
4010 SSL_CTX_free(sctx);
4011 SSL_CTX_free(cctx);
4012
4013 return testresult;
4014 }
4015
4016 static int test_ciphersuite_change(void)
4017 {
4018 SSL_CTX *cctx = NULL, *sctx = NULL;
4019 SSL *clientssl = NULL, *serverssl = NULL;
4020 SSL_SESSION *clntsess = NULL;
4021 int testresult = 0;
4022 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4023
4024 /* Create a session based on SHA-256 */
4025 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4026 TLS_client_method(), TLS1_VERSION, 0,
4027 &sctx, &cctx, cert, privkey))
4028 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4029 "TLS_AES_128_GCM_SHA256:"
4030 "TLS_AES_256_GCM_SHA384:"
4031 "TLS_AES_128_CCM_SHA256"))
4032 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4033 "TLS_AES_128_GCM_SHA256"))
4034 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4035 &clientssl, NULL, NULL))
4036 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4037 SSL_ERROR_NONE)))
4038 goto end;
4039
4040 clntsess = SSL_get1_session(clientssl);
4041 /* Save for later */
4042 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4043 SSL_shutdown(clientssl);
4044 SSL_shutdown(serverssl);
4045 SSL_free(serverssl);
4046 SSL_free(clientssl);
4047 serverssl = clientssl = NULL;
4048
4049 /* Check we can resume a session with a different SHA-256 ciphersuite */
4050 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4051 "TLS_AES_128_CCM_SHA256"))
4052 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4053 &clientssl, NULL, NULL))
4054 || !TEST_true(SSL_set_session(clientssl, clntsess))
4055 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4056 SSL_ERROR_NONE))
4057 || !TEST_true(SSL_session_reused(clientssl)))
4058 goto end;
4059
4060 SSL_SESSION_free(clntsess);
4061 clntsess = SSL_get1_session(clientssl);
4062 SSL_shutdown(clientssl);
4063 SSL_shutdown(serverssl);
4064 SSL_free(serverssl);
4065 SSL_free(clientssl);
4066 serverssl = clientssl = NULL;
4067
4068 /*
4069 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4070 * succeeds but does not resume.
4071 */
4072 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4073 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4074 NULL, NULL))
4075 || !TEST_true(SSL_set_session(clientssl, clntsess))
4076 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4077 SSL_ERROR_SSL))
4078 || !TEST_false(SSL_session_reused(clientssl)))
4079 goto end;
4080
4081 SSL_SESSION_free(clntsess);
4082 clntsess = NULL;
4083 SSL_shutdown(clientssl);
4084 SSL_shutdown(serverssl);
4085 SSL_free(serverssl);
4086 SSL_free(clientssl);
4087 serverssl = clientssl = NULL;
4088
4089 /* Create a session based on SHA384 */
4090 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4091 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4092 &clientssl, NULL, NULL))
4093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4094 SSL_ERROR_NONE)))
4095 goto end;
4096
4097 clntsess = SSL_get1_session(clientssl);
4098 SSL_shutdown(clientssl);
4099 SSL_shutdown(serverssl);
4100 SSL_free(serverssl);
4101 SSL_free(clientssl);
4102 serverssl = clientssl = NULL;
4103
4104 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4105 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4106 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4107 "TLS_AES_256_GCM_SHA384"))
4108 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4109 NULL, NULL))
4110 || !TEST_true(SSL_set_session(clientssl, clntsess))
4111 /*
4112 * We use SSL_ERROR_WANT_READ below so that we can pause the
4113 * connection after the initial ClientHello has been sent to
4114 * enable us to make some session changes.
4115 */
4116 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4117 SSL_ERROR_WANT_READ)))
4118 goto end;
4119
4120 /* Trick the client into thinking this session is for a different digest */
4121 clntsess->cipher = aes_128_gcm_sha256;
4122 clntsess->cipher_id = clntsess->cipher->id;
4123
4124 /*
4125 * Continue the previously started connection. Server has selected a SHA-384
4126 * ciphersuite, but client thinks the session is for SHA-256, so it should
4127 * bail out.
4128 */
4129 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4130 SSL_ERROR_SSL))
4131 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4132 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4133 goto end;
4134
4135 testresult = 1;
4136
4137 end:
4138 SSL_SESSION_free(clntsess);
4139 SSL_free(serverssl);
4140 SSL_free(clientssl);
4141 SSL_CTX_free(sctx);
4142 SSL_CTX_free(cctx);
4143
4144 return testresult;
4145 }
4146
4147 /*
4148 * Test TLSv1.3 Key exchange
4149 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4150 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4151 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4152 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4153 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4154 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4155 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4156 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4157 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4158 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4159 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4160 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4161 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4162 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4163 */
4164 static int test_key_exchange(int idx)
4165 {
4166 SSL_CTX *sctx = NULL, *cctx = NULL;
4167 SSL *serverssl = NULL, *clientssl = NULL;
4168 int testresult = 0;
4169 # ifndef OPENSSL_NO_EC
4170 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4171 NID_secp521r1, NID_X25519, NID_X448};
4172 # endif
4173 # ifndef OPENSSL_NO_DH
4174 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4175 NID_ffdhe6144, NID_ffdhe8192};
4176 # endif
4177 int kexch_alg;
4178 int *kexch_groups = &kexch_alg;
4179 int kexch_groups_size = 1;
4180 int max_version = TLS1_3_VERSION;
4181
4182 switch (idx) {
4183 # ifndef OPENSSL_NO_EC
4184 # ifndef OPENSSL_NO_TLS1_2
4185 case 12:
4186 max_version = TLS1_2_VERSION;
4187 # endif
4188 /* Fall through */
4189 case 0:
4190 kexch_groups = ecdhe_kexch_groups;
4191 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4192 break;
4193 case 1:
4194 kexch_alg = NID_X9_62_prime256v1;
4195 break;
4196 case 2:
4197 kexch_alg = NID_secp384r1;
4198 break;
4199 case 3:
4200 kexch_alg = NID_secp521r1;
4201 break;
4202 case 4:
4203 kexch_alg = NID_X25519;
4204 break;
4205 case 5:
4206 kexch_alg = NID_X448;
4207 break;
4208 # endif
4209 # ifndef OPENSSL_NO_DH
4210 # ifndef OPENSSL_NO_TLS1_2
4211 case 13:
4212 max_version = TLS1_2_VERSION;
4213 # endif
4214 /* Fall through */
4215 case 6:
4216 kexch_groups = ffdhe_kexch_groups;
4217 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4218 break;
4219 case 7:
4220 kexch_alg = NID_ffdhe2048;
4221 break;
4222 case 8:
4223 kexch_alg = NID_ffdhe3072;
4224 break;
4225 case 9:
4226 kexch_alg = NID_ffdhe4096;
4227 break;
4228 case 10:
4229 kexch_alg = NID_ffdhe6144;
4230 break;
4231 case 11:
4232 kexch_alg = NID_ffdhe8192;
4233 break;
4234 # endif
4235 default:
4236 /* We're skipping this test */
4237 return 1;
4238 }
4239
4240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4241 TLS_client_method(), TLS1_VERSION,
4242 max_version, &sctx, &cctx, cert,
4243 privkey)))
4244 goto end;
4245
4246 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4247 TLS1_3_RFC_AES_128_GCM_SHA256)))
4248 goto end;
4249
4250 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4251 TLS1_3_RFC_AES_128_GCM_SHA256)))
4252 goto end;
4253
4254 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4255 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4256 goto end;
4257
4258 /*
4259 * Must include an EC ciphersuite so that we send supported groups in
4260 * TLSv1.2
4261 */
4262 # ifndef OPENSSL_NO_TLS1_2
4263 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4264 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4265 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4266 goto end;
4267 # endif
4268
4269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4270 NULL, NULL)))
4271 goto end;
4272
4273 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4274 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4275 goto end;
4276
4277 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4278 goto end;
4279
4280 /*
4281 * If Handshake succeeds the negotiated kexch alg should be the first one in
4282 * configured, except in the case of FFDHE groups (idx 13), which are
4283 * TLSv1.3 only so we expect no shared group to exist.
4284 */
4285 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4286 idx == 13 ? 0 : kexch_groups[0]))
4287 goto end;
4288 if (max_version == TLS1_3_VERSION) {
4289 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4290 goto end;
4291 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4292 goto end;
4293 }
4294
4295 testresult = 1;
4296 end:
4297 SSL_free(serverssl);
4298 SSL_free(clientssl);
4299 SSL_CTX_free(sctx);
4300 SSL_CTX_free(cctx);
4301 return testresult;
4302 }
4303
4304 /*
4305 * Test TLSv1.3 Cipher Suite
4306 * Test 0 = Set TLS1.3 cipher on context
4307 * Test 1 = Set TLS1.3 cipher on SSL
4308 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4309 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4310 */
4311 static int test_tls13_ciphersuite(int idx)
4312 {
4313 SSL_CTX *sctx = NULL, *cctx = NULL;
4314 SSL *serverssl = NULL, *clientssl = NULL;
4315 static const struct {
4316 const char *ciphername;
4317 int fipscapable;
4318 } t13_ciphers[] = {
4319 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4320 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4321 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4322 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4323 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4324 { TLS1_3_RFC_AES_256_GCM_SHA384
4325 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4326 # endif
4327 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4328 };
4329 const char *t13_cipher = NULL;
4330 const char *t12_cipher = NULL;
4331 const char *negotiated_scipher;
4332 const char *negotiated_ccipher;
4333 int set_at_ctx = 0;
4334 int set_at_ssl = 0;
4335 int testresult = 0;
4336 int max_ver;
4337 size_t i;
4338
4339 switch (idx) {
4340 case 0:
4341 set_at_ctx = 1;
4342 break;
4343 case 1:
4344 set_at_ssl = 1;
4345 break;
4346 case 2:
4347 set_at_ctx = 1;
4348 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4349 break;
4350 case 3:
4351 set_at_ssl = 1;
4352 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4353 break;
4354 }
4355
4356 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4357 # ifdef OPENSSL_NO_TLS1_2
4358 if (max_ver == TLS1_2_VERSION)
4359 continue;
4360 # endif
4361 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4362 if (is_fips && !t13_ciphers[i].fipscapable)
4363 continue;
4364 t13_cipher = t13_ciphers[i].ciphername;
4365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4366 TLS_client_method(),
4367 TLS1_VERSION, max_ver,
4368 &sctx, &cctx, cert, privkey)))
4369 goto end;
4370
4371 if (set_at_ctx) {
4372 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4373 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4374 goto end;
4375 if (t12_cipher != NULL) {
4376 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4377 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4378 t12_cipher)))
4379 goto end;
4380 }
4381 }
4382
4383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4384 &clientssl, NULL, NULL)))
4385 goto end;
4386
4387 if (set_at_ssl) {
4388 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4389 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4390 goto end;
4391 if (t12_cipher != NULL) {
4392 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4393 || !TEST_true(SSL_set_cipher_list(clientssl,
4394 t12_cipher)))
4395 goto end;
4396 }
4397 }
4398
4399 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4400 SSL_ERROR_NONE)))
4401 goto end;
4402
4403 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4404 serverssl));
4405 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4406 clientssl));
4407 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4408 goto end;
4409
4410 /*
4411 * TEST_strn_eq is used below because t13_cipher can contain
4412 * multiple ciphersuites
4413 */
4414 if (max_ver == TLS1_3_VERSION
4415 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4416 strlen(negotiated_scipher)))
4417 goto end;
4418
4419 # ifndef OPENSSL_NO_TLS1_2
4420 /* Below validation is not done when t12_cipher is NULL */
4421 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4422 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4423 goto end;
4424 # endif
4425
4426 SSL_free(serverssl);
4427 serverssl = NULL;
4428 SSL_free(clientssl);
4429 clientssl = NULL;
4430 SSL_CTX_free(sctx);
4431 sctx = NULL;
4432 SSL_CTX_free(cctx);
4433 cctx = NULL;
4434 }
4435 }
4436
4437 testresult = 1;
4438 end:
4439 SSL_free(serverssl);
4440 SSL_free(clientssl);
4441 SSL_CTX_free(sctx);
4442 SSL_CTX_free(cctx);
4443 return testresult;
4444 }
4445
4446 /*
4447 * Test TLSv1.3 PSKs
4448 * Test 0 = Test new style callbacks
4449 * Test 1 = Test both new and old style callbacks
4450 * Test 2 = Test old style callbacks
4451 * Test 3 = Test old style callbacks with no certificate
4452 */
4453 static int test_tls13_psk(int idx)
4454 {
4455 SSL_CTX *sctx = NULL, *cctx = NULL;
4456 SSL *serverssl = NULL, *clientssl = NULL;
4457 const SSL_CIPHER *cipher = NULL;
4458 const unsigned char key[] = {
4459 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4460 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4461 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4462 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4463 };
4464 int testresult = 0;
4465
4466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4467 TLS_client_method(), TLS1_VERSION, 0,
4468 &sctx, &cctx, idx == 3 ? NULL : cert,
4469 idx == 3 ? NULL : privkey)))
4470 goto end;
4471
4472 if (idx != 3) {
4473 /*
4474 * We use a ciphersuite with SHA256 to ease testing old style PSK
4475 * callbacks which will always default to SHA256. This should not be
4476 * necessary if we have no cert/priv key. In that case the server should
4477 * prefer SHA256 automatically.
4478 */
4479 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4480 "TLS_AES_128_GCM_SHA256")))
4481 goto end;
4482 } else {
4483 /*
4484 * As noted above the server should prefer SHA256 automatically. However
4485 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4486 * code works even if we are testing with only the FIPS provider loaded.
4487 */
4488 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4489 "TLS_AES_256_GCM_SHA384:"
4490 "TLS_AES_128_GCM_SHA256")))
4491 goto end;
4492 }
4493
4494 /*
4495 * Test 0: New style callbacks only
4496 * Test 1: New and old style callbacks (only the new ones should be used)
4497 * Test 2: Old style callbacks only
4498 */
4499 if (idx == 0 || idx == 1) {
4500 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4501 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4502 }
4503 #ifndef OPENSSL_NO_PSK
4504 if (idx >= 1) {
4505 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4506 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4507 }
4508 #endif
4509 srvid = pskid;
4510 use_session_cb_cnt = 0;
4511 find_session_cb_cnt = 0;
4512 psk_client_cb_cnt = 0;
4513 psk_server_cb_cnt = 0;
4514
4515 if (idx != 3) {
4516 /*
4517 * Check we can create a connection if callback decides not to send a
4518 * PSK
4519 */
4520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4521 NULL, NULL))
4522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4523 SSL_ERROR_NONE))
4524 || !TEST_false(SSL_session_reused(clientssl))
4525 || !TEST_false(SSL_session_reused(serverssl)))
4526 goto end;
4527
4528 if (idx == 0 || idx == 1) {
4529 if (!TEST_true(use_session_cb_cnt == 1)
4530 || !TEST_true(find_session_cb_cnt == 0)
4531 /*
4532 * If no old style callback then below should be 0
4533 * otherwise 1
4534 */
4535 || !TEST_true(psk_client_cb_cnt == idx)
4536 || !TEST_true(psk_server_cb_cnt == 0))
4537 goto end;
4538 } else {
4539 if (!TEST_true(use_session_cb_cnt == 0)
4540 || !TEST_true(find_session_cb_cnt == 0)
4541 || !TEST_true(psk_client_cb_cnt == 1)
4542 || !TEST_true(psk_server_cb_cnt == 0))
4543 goto end;
4544 }
4545
4546 shutdown_ssl_connection(serverssl, clientssl);
4547 serverssl = clientssl = NULL;
4548 use_session_cb_cnt = psk_client_cb_cnt = 0;
4549 }
4550
4551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4552 NULL, NULL)))
4553 goto end;
4554
4555 /* Create the PSK */
4556 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4557 clientpsk = SSL_SESSION_new();
4558 if (!TEST_ptr(clientpsk)
4559 || !TEST_ptr(cipher)
4560 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4561 sizeof(key)))
4562 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4563 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4564 TLS1_3_VERSION))
4565 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4566 goto end;
4567 serverpsk = clientpsk;
4568
4569 /* Check we can create a connection and the PSK is used */
4570 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4571 || !TEST_true(SSL_session_reused(clientssl))
4572 || !TEST_true(SSL_session_reused(serverssl)))
4573 goto end;
4574
4575 if (idx == 0 || idx == 1) {
4576 if (!TEST_true(use_session_cb_cnt == 1)
4577 || !TEST_true(find_session_cb_cnt == 1)
4578 || !TEST_true(psk_client_cb_cnt == 0)
4579 || !TEST_true(psk_server_cb_cnt == 0))
4580 goto end;
4581 } else {
4582 if (!TEST_true(use_session_cb_cnt == 0)
4583 || !TEST_true(find_session_cb_cnt == 0)
4584 || !TEST_true(psk_client_cb_cnt == 1)
4585 || !TEST_true(psk_server_cb_cnt == 1))
4586 goto end;
4587 }
4588
4589 shutdown_ssl_connection(serverssl, clientssl);
4590 serverssl = clientssl = NULL;
4591 use_session_cb_cnt = find_session_cb_cnt = 0;
4592 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4593
4594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4595 NULL, NULL)))
4596 goto end;
4597
4598 /* Force an HRR */
4599 #if defined(OPENSSL_NO_EC)
4600 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4601 goto end;
4602 #else
4603 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4604 goto end;
4605 #endif
4606
4607 /*
4608 * Check we can create a connection, the PSK is used and the callbacks are
4609 * called twice.
4610 */
4611 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4612 || !TEST_true(SSL_session_reused(clientssl))
4613 || !TEST_true(SSL_session_reused(serverssl)))
4614 goto end;
4615
4616 if (idx == 0 || idx == 1) {
4617 if (!TEST_true(use_session_cb_cnt == 2)
4618 || !TEST_true(find_session_cb_cnt == 2)
4619 || !TEST_true(psk_client_cb_cnt == 0)
4620 || !TEST_true(psk_server_cb_cnt == 0))
4621 goto end;
4622 } else {
4623 if (!TEST_true(use_session_cb_cnt == 0)
4624 || !TEST_true(find_session_cb_cnt == 0)
4625 || !TEST_true(psk_client_cb_cnt == 2)
4626 || !TEST_true(psk_server_cb_cnt == 2))
4627 goto end;
4628 }
4629
4630 shutdown_ssl_connection(serverssl, clientssl);
4631 serverssl = clientssl = NULL;
4632 use_session_cb_cnt = find_session_cb_cnt = 0;
4633 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4634
4635 if (idx != 3) {
4636 /*
4637 * Check that if the server rejects the PSK we can still connect, but with
4638 * a full handshake
4639 */
4640 srvid = "Dummy Identity";
4641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4642 NULL, NULL))
4643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4644 SSL_ERROR_NONE))
4645 || !TEST_false(SSL_session_reused(clientssl))
4646 || !TEST_false(SSL_session_reused(serverssl)))
4647 goto end;
4648
4649 if (idx == 0 || idx == 1) {
4650 if (!TEST_true(use_session_cb_cnt == 1)
4651 || !TEST_true(find_session_cb_cnt == 1)
4652 || !TEST_true(psk_client_cb_cnt == 0)
4653 /*
4654 * If no old style callback then below should be 0
4655 * otherwise 1
4656 */
4657 || !TEST_true(psk_server_cb_cnt == idx))
4658 goto end;
4659 } else {
4660 if (!TEST_true(use_session_cb_cnt == 0)
4661 || !TEST_true(find_session_cb_cnt == 0)
4662 || !TEST_true(psk_client_cb_cnt == 1)
4663 || !TEST_true(psk_server_cb_cnt == 1))
4664 goto end;
4665 }
4666
4667 shutdown_ssl_connection(serverssl, clientssl);
4668 serverssl = clientssl = NULL;
4669 }
4670 testresult = 1;
4671
4672 end:
4673 SSL_SESSION_free(clientpsk);
4674 SSL_SESSION_free(serverpsk);
4675 clientpsk = serverpsk = NULL;
4676 SSL_free(serverssl);
4677 SSL_free(clientssl);
4678 SSL_CTX_free(sctx);
4679 SSL_CTX_free(cctx);
4680 return testresult;
4681 }
4682
4683 static unsigned char cookie_magic_value[] = "cookie magic";
4684
4685 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4686 unsigned int *cookie_len)
4687 {
4688 /*
4689 * Not suitable as a real cookie generation function but good enough for
4690 * testing!
4691 */
4692 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4693 *cookie_len = sizeof(cookie_magic_value) - 1;
4694
4695 return 1;
4696 }
4697
4698 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4699 unsigned int cookie_len)
4700 {
4701 if (cookie_len == sizeof(cookie_magic_value) - 1
4702 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4703 return 1;
4704
4705 return 0;
4706 }
4707
4708 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4709 size_t *cookie_len)
4710 {
4711 unsigned int temp;
4712 int res = generate_cookie_callback(ssl, cookie, &temp);
4713 *cookie_len = temp;
4714 return res;
4715 }
4716
4717 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4718 size_t cookie_len)
4719 {
4720 return verify_cookie_callback(ssl, cookie, cookie_len);
4721 }
4722
4723 static int test_stateless(void)
4724 {
4725 SSL_CTX *sctx = NULL, *cctx = NULL;
4726 SSL *serverssl = NULL, *clientssl = NULL;
4727 int testresult = 0;
4728
4729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4730 TLS_client_method(), TLS1_VERSION, 0,
4731 &sctx, &cctx, cert, privkey)))
4732 goto end;
4733
4734 /* The arrival of CCS messages can confuse the test */
4735 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4736
4737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4738 NULL, NULL))
4739 /* Send the first ClientHello */
4740 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4741 SSL_ERROR_WANT_READ))
4742 /*
4743 * This should fail with a -1 return because we have no callbacks
4744 * set up
4745 */
4746 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4747 goto end;
4748
4749 /* Fatal error so abandon the connection from this client */
4750 SSL_free(clientssl);
4751 clientssl = NULL;
4752
4753 /* Set up the cookie generation and verification callbacks */
4754 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4755 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4756
4757 /*
4758 * Create a new connection from the client (we can reuse the server SSL
4759 * object).
4760 */
4761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4762 NULL, NULL))
4763 /* Send the first ClientHello */
4764 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4765 SSL_ERROR_WANT_READ))
4766 /* This should fail because there is no cookie */
4767 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4768 goto end;
4769
4770 /* Abandon the connection from this client */
4771 SSL_free(clientssl);
4772 clientssl = NULL;
4773
4774 /*
4775 * Now create a connection from a new client but with the same server SSL
4776 * object
4777 */
4778 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4779 NULL, NULL))
4780 /* Send the first ClientHello */
4781 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4782 SSL_ERROR_WANT_READ))
4783 /* This should fail because there is no cookie */
4784 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4785 /* Send the second ClientHello */
4786 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4787 SSL_ERROR_WANT_READ))
4788 /* This should succeed because a cookie is now present */
4789 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4790 /* Complete the connection */
4791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4792 SSL_ERROR_NONE)))
4793 goto end;
4794
4795 shutdown_ssl_connection(serverssl, clientssl);
4796 serverssl = clientssl = NULL;
4797 testresult = 1;
4798
4799 end:
4800 SSL_free(serverssl);
4801 SSL_free(clientssl);
4802 SSL_CTX_free(sctx);
4803 SSL_CTX_free(cctx);
4804 return testresult;
4805
4806 }
4807 #endif /* OPENSSL_NO_TLS1_3 */
4808
4809 static int clntaddoldcb = 0;
4810 static int clntparseoldcb = 0;
4811 static int srvaddoldcb = 0;
4812 static int srvparseoldcb = 0;
4813 static int clntaddnewcb = 0;
4814 static int clntparsenewcb = 0;
4815 static int srvaddnewcb = 0;
4816 static int srvparsenewcb = 0;
4817 static int snicb = 0;
4818
4819 #define TEST_EXT_TYPE1 0xff00
4820
4821 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4822 size_t *outlen, int *al, void *add_arg)
4823 {
4824 int *server = (int *)add_arg;
4825 unsigned char *data;
4826
4827 if (SSL_is_server(s))
4828 srvaddoldcb++;
4829 else
4830 clntaddoldcb++;
4831
4832 if (*server != SSL_is_server(s)
4833 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4834 return -1;
4835
4836 *data = 1;
4837 *out = data;
4838 *outlen = sizeof(char);
4839 return 1;
4840 }
4841
4842 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4843 void *add_arg)
4844 {
4845 OPENSSL_free((unsigned char *)out);
4846 }
4847
4848 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4849 size_t inlen, int *al, void *parse_arg)
4850 {
4851 int *server = (int *)parse_arg;
4852
4853 if (SSL_is_server(s))
4854 srvparseoldcb++;
4855 else
4856 clntparseoldcb++;
4857
4858 if (*server != SSL_is_server(s)
4859 || inlen != sizeof(char)
4860 || *in != 1)
4861 return -1;
4862
4863 return 1;
4864 }
4865
4866 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4867 const unsigned char **out, size_t *outlen, X509 *x,
4868 size_t chainidx, int *al, void *add_arg)
4869 {
4870 int *server = (int *)add_arg;
4871 unsigned char *data;
4872
4873 if (SSL_is_server(s))
4874 srvaddnewcb++;
4875 else
4876 clntaddnewcb++;
4877
4878 if (*server != SSL_is_server(s)
4879 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4880 return -1;
4881
4882 *data = 1;
4883 *out = data;
4884 *outlen = sizeof(*data);
4885 return 1;
4886 }
4887
4888 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4889 const unsigned char *out, void *add_arg)
4890 {
4891 OPENSSL_free((unsigned char *)out);
4892 }
4893
4894 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4895 const unsigned char *in, size_t inlen, X509 *x,
4896 size_t chainidx, int *al, void *parse_arg)
4897 {
4898 int *server = (int *)parse_arg;
4899
4900 if (SSL_is_server(s))
4901 srvparsenewcb++;
4902 else
4903 clntparsenewcb++;
4904
4905 if (*server != SSL_is_server(s)
4906 || inlen != sizeof(char) || *in != 1)
4907 return -1;
4908
4909 return 1;
4910 }
4911
4912 static int sni_cb(SSL *s, int *al, void *arg)
4913 {
4914 SSL_CTX *ctx = (SSL_CTX *)arg;
4915
4916 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4917 *al = SSL_AD_INTERNAL_ERROR;
4918 return SSL_TLSEXT_ERR_ALERT_FATAL;
4919 }
4920 snicb++;
4921 return SSL_TLSEXT_ERR_OK;
4922 }
4923
4924 /*
4925 * Custom call back tests.
4926 * Test 0: Old style callbacks in TLSv1.2
4927 * Test 1: New style callbacks in TLSv1.2
4928 * Test 2: New style callbacks in TLSv1.2 with SNI
4929 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4930 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4931 */
4932 static int test_custom_exts(int tst)
4933 {
4934 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4935 SSL *clientssl = NULL, *serverssl = NULL;
4936 int testresult = 0;
4937 static int server = 1;
4938 static int client = 0;
4939 SSL_SESSION *sess = NULL;
4940 unsigned int context;
4941
4942 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4943 /* Skip tests for TLSv1.2 and below in this case */
4944 if (tst < 3)
4945 return 1;
4946 #endif
4947
4948 /* Reset callback counters */
4949 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4950 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4951 snicb = 0;
4952
4953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4954 TLS_client_method(), TLS1_VERSION, 0,
4955 &sctx, &cctx, cert, privkey)))
4956 goto end;
4957
4958 if (tst == 2
4959 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4960 TLS1_VERSION, 0,
4961 &sctx2, NULL, cert, privkey)))
4962 goto end;
4963
4964
4965 if (tst < 3) {
4966 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4967 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4968 if (sctx2 != NULL)
4969 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4970 }
4971
4972 if (tst == 4) {
4973 context = SSL_EXT_CLIENT_HELLO
4974 | SSL_EXT_TLS1_2_SERVER_HELLO
4975 | SSL_EXT_TLS1_3_SERVER_HELLO
4976 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4977 | SSL_EXT_TLS1_3_CERTIFICATE
4978 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4979 } else {
4980 context = SSL_EXT_CLIENT_HELLO
4981 | SSL_EXT_TLS1_2_SERVER_HELLO
4982 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4983 }
4984
4985 /* Create a client side custom extension */
4986 if (tst == 0) {
4987 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4988 old_add_cb, old_free_cb,
4989 &client, old_parse_cb,
4990 &client)))
4991 goto end;
4992 } else {
4993 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4994 new_add_cb, new_free_cb,
4995 &client, new_parse_cb, &client)))
4996 goto end;
4997 }
4998
4999 /* Should not be able to add duplicates */
5000 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5001 old_add_cb, old_free_cb,
5002 &client, old_parse_cb,
5003 &client))
5004 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5005 context, new_add_cb,
5006 new_free_cb, &client,
5007 new_parse_cb, &client)))
5008 goto end;
5009
5010 /* Create a server side custom extension */
5011 if (tst == 0) {
5012 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5013 old_add_cb, old_free_cb,
5014 &server, old_parse_cb,
5015 &server)))
5016 goto end;
5017 } else {
5018 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5019 new_add_cb, new_free_cb,
5020 &server, new_parse_cb, &server)))
5021 goto end;
5022 if (sctx2 != NULL
5023 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5024 context, new_add_cb,
5025 new_free_cb, &server,
5026 new_parse_cb, &server)))
5027 goto end;
5028 }
5029
5030 /* Should not be able to add duplicates */
5031 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5032 old_add_cb, old_free_cb,
5033 &server, old_parse_cb,
5034 &server))
5035 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5036 context, new_add_cb,
5037 new_free_cb, &server,
5038 new_parse_cb, &server)))
5039 goto end;
5040
5041 if (tst == 2) {
5042 /* Set up SNI */
5043 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5044 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5045 goto end;
5046 }
5047
5048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5049 &clientssl, NULL, NULL))
5050 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5051 SSL_ERROR_NONE)))
5052 goto end;
5053
5054 if (tst == 0) {
5055 if (clntaddoldcb != 1
5056 || clntparseoldcb != 1
5057 || srvaddoldcb != 1
5058 || srvparseoldcb != 1)
5059 goto end;
5060 } else if (tst == 1 || tst == 2 || tst == 3) {
5061 if (clntaddnewcb != 1
5062 || clntparsenewcb != 1
5063 || srvaddnewcb != 1
5064 || srvparsenewcb != 1
5065 || (tst != 2 && snicb != 0)
5066 || (tst == 2 && snicb != 1))
5067 goto end;
5068 } else {
5069 /* In this case there 2 NewSessionTicket messages created */
5070 if (clntaddnewcb != 1
5071 || clntparsenewcb != 5
5072 || srvaddnewcb != 5
5073 || srvparsenewcb != 1)
5074 goto end;
5075 }
5076
5077 sess = SSL_get1_session(clientssl);
5078 SSL_shutdown(clientssl);
5079 SSL_shutdown(serverssl);
5080 SSL_free(serverssl);
5081 SSL_free(clientssl);
5082 serverssl = clientssl = NULL;
5083
5084 if (tst == 3) {
5085 /* We don't bother with the resumption aspects for this test */
5086 testresult = 1;
5087 goto end;
5088 }
5089
5090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5091 NULL, NULL))
5092 || !TEST_true(SSL_set_session(clientssl, sess))
5093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5094 SSL_ERROR_NONE)))
5095 goto end;
5096
5097 /*
5098 * For a resumed session we expect to add the ClientHello extension. For the
5099 * old style callbacks we ignore it on the server side because they set
5100 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5101 * them.
5102 */
5103 if (tst == 0) {
5104 if (clntaddoldcb != 2
5105 || clntparseoldcb != 1
5106 || srvaddoldcb != 1
5107 || srvparseoldcb != 1)
5108 goto end;
5109 } else if (tst == 1 || tst == 2 || tst == 3) {
5110 if (clntaddnewcb != 2
5111 || clntparsenewcb != 2
5112 || srvaddnewcb != 2
5113 || srvparsenewcb != 2)
5114 goto end;
5115 } else {
5116 /*
5117 * No Certificate message extensions in the resumption handshake,
5118 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5119 */
5120 if (clntaddnewcb != 2
5121 || clntparsenewcb != 8
5122 || srvaddnewcb != 8
5123 || srvparsenewcb != 2)
5124 goto end;
5125 }
5126
5127 testresult = 1;
5128
5129 end:
5130 SSL_SESSION_free(sess);
5131 SSL_free(serverssl);
5132 SSL_free(clientssl);
5133 SSL_CTX_free(sctx2);
5134 SSL_CTX_free(sctx);
5135 SSL_CTX_free(cctx);
5136 return testresult;
5137 }
5138
5139 /*
5140 * Test loading of serverinfo data in various formats. test_sslmessages actually
5141 * tests to make sure the extensions appear in the handshake
5142 */
5143 static int test_serverinfo(int tst)
5144 {
5145 unsigned int version;
5146 unsigned char *sibuf;
5147 size_t sibuflen;
5148 int ret, expected, testresult = 0;
5149 SSL_CTX *ctx;
5150
5151 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5152 if (!TEST_ptr(ctx))
5153 goto end;
5154
5155 if ((tst & 0x01) == 0x01)
5156 version = SSL_SERVERINFOV2;
5157 else
5158 version = SSL_SERVERINFOV1;
5159
5160 if ((tst & 0x02) == 0x02) {
5161 sibuf = serverinfov2;
5162 sibuflen = sizeof(serverinfov2);
5163 expected = (version == SSL_SERVERINFOV2);
5164 } else {
5165 sibuf = serverinfov1;
5166 sibuflen = sizeof(serverinfov1);
5167 expected = (version == SSL_SERVERINFOV1);
5168 }
5169
5170 if ((tst & 0x04) == 0x04) {
5171 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5172 } else {
5173 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5174
5175 /*
5176 * The version variable is irrelevant in this case - it's what is in the
5177 * buffer that matters
5178 */
5179 if ((tst & 0x02) == 0x02)
5180 expected = 0;
5181 else
5182 expected = 1;
5183 }
5184
5185 if (!TEST_true(ret == expected))
5186 goto end;
5187
5188 testresult = 1;
5189
5190 end:
5191 SSL_CTX_free(ctx);
5192
5193 return testresult;
5194 }
5195
5196 /*
5197 * Test that SSL_export_keying_material() produces expected results. There are
5198 * no test vectors so all we do is test that both sides of the communication
5199 * produce the same results for different protocol versions.
5200 */
5201 #define SMALL_LABEL_LEN 10
5202 #define LONG_LABEL_LEN 249
5203 static int test_export_key_mat(int tst)
5204 {
5205 int testresult = 0;
5206 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5207 SSL *clientssl = NULL, *serverssl = NULL;
5208 const char label[LONG_LABEL_LEN + 1] = "test label";
5209 const unsigned char context[] = "context";
5210 const unsigned char *emptycontext = NULL;
5211 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5212 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5213 size_t labellen;
5214 const int protocols[] = {
5215 TLS1_VERSION,
5216 TLS1_1_VERSION,
5217 TLS1_2_VERSION,
5218 TLS1_3_VERSION,
5219 TLS1_3_VERSION,
5220 TLS1_3_VERSION
5221 };
5222
5223 #ifdef OPENSSL_NO_TLS1
5224 if (tst == 0)
5225 return 1;
5226 #endif
5227 #ifdef OPENSSL_NO_TLS1_1
5228 if (tst == 1)
5229 return 1;
5230 #endif
5231 if (is_fips && (tst == 0 || tst == 1))
5232 return 1;
5233 #ifdef OPENSSL_NO_TLS1_2
5234 if (tst == 2)
5235 return 1;
5236 #endif
5237 #ifdef OPENSSL_NO_TLS1_3
5238 if (tst >= 3)
5239 return 1;
5240 #endif
5241 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5242 TLS_client_method(), TLS1_VERSION, 0,
5243 &sctx, &cctx, cert, privkey)))
5244 goto end;
5245
5246 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5247 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5248 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5249
5250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5251 NULL))
5252 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5253 SSL_ERROR_NONE)))
5254 goto end;
5255
5256 if (tst == 5) {
5257 /*
5258 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5259 * go over that.
5260 */
5261 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5262 sizeof(ckeymat1), label,
5263 LONG_LABEL_LEN + 1, context,
5264 sizeof(context) - 1, 1), 0))
5265 goto end;
5266
5267 testresult = 1;
5268 goto end;
5269 } else if (tst == 4) {
5270 labellen = LONG_LABEL_LEN;
5271 } else {
5272 labellen = SMALL_LABEL_LEN;
5273 }
5274
5275 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5276 sizeof(ckeymat1), label,
5277 labellen, context,
5278 sizeof(context) - 1, 1), 1)
5279 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5280 sizeof(ckeymat2), label,
5281 labellen,
5282 emptycontext,
5283 0, 1), 1)
5284 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5285 sizeof(ckeymat3), label,
5286 labellen,
5287 NULL, 0, 0), 1)
5288 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5289 sizeof(skeymat1), label,
5290 labellen,
5291 context,
5292 sizeof(context) -1, 1),
5293 1)
5294 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5295 sizeof(skeymat2), label,
5296 labellen,
5297 emptycontext,
5298 0, 1), 1)
5299 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5300 sizeof(skeymat3), label,
5301 labellen,
5302 NULL, 0, 0), 1)
5303 /*
5304 * Check that both sides created the same key material with the
5305 * same context.
5306 */
5307 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5308 sizeof(skeymat1))
5309 /*
5310 * Check that both sides created the same key material with an
5311 * empty context.
5312 */
5313 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5314 sizeof(skeymat2))
5315 /*
5316 * Check that both sides created the same key material without a
5317 * context.
5318 */
5319 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5320 sizeof(skeymat3))
5321 /* Different contexts should produce different results */
5322 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5323 sizeof(ckeymat2)))
5324 goto end;
5325
5326 /*
5327 * Check that an empty context and no context produce different results in
5328 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5329 */
5330 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5331 sizeof(ckeymat3)))
5332 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5333 sizeof(ckeymat3))))
5334 goto end;
5335
5336 testresult = 1;
5337
5338 end:
5339 SSL_free(serverssl);
5340 SSL_free(clientssl);
5341 SSL_CTX_free(sctx2);
5342 SSL_CTX_free(sctx);
5343 SSL_CTX_free(cctx);
5344
5345 return testresult;
5346 }
5347
5348 #ifndef OPENSSL_NO_TLS1_3
5349 /*
5350 * Test that SSL_export_keying_material_early() produces expected
5351 * results. There are no test vectors so all we do is test that both
5352 * sides of the communication produce the same results for different
5353 * protocol versions.
5354 */
5355 static int test_export_key_mat_early(int idx)
5356 {
5357 static const char label[] = "test label";
5358 static const unsigned char context[] = "context";
5359 int testresult = 0;
5360 SSL_CTX *cctx = NULL, *sctx = NULL;
5361 SSL *clientssl = NULL, *serverssl = NULL;
5362 SSL_SESSION *sess = NULL;
5363 const unsigned char *emptycontext = NULL;
5364 unsigned char ckeymat1[80], ckeymat2[80];
5365 unsigned char skeymat1[80], skeymat2[80];
5366 unsigned char buf[1];
5367 size_t readbytes, written;
5368
5369 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5370 &sess, idx)))
5371 goto end;
5372
5373 /* Here writing 0 length early data is enough. */
5374 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5375 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5376 &readbytes),
5377 SSL_READ_EARLY_DATA_ERROR)
5378 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5379 SSL_EARLY_DATA_ACCEPTED))
5380 goto end;
5381
5382 if (!TEST_int_eq(SSL_export_keying_material_early(
5383 clientssl, ckeymat1, sizeof(ckeymat1), label,
5384 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5385 || !TEST_int_eq(SSL_export_keying_material_early(
5386 clientssl, ckeymat2, sizeof(ckeymat2), label,
5387 sizeof(label) - 1, emptycontext, 0), 1)
5388 || !TEST_int_eq(SSL_export_keying_material_early(
5389 serverssl, skeymat1, sizeof(skeymat1), label,
5390 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5391 || !TEST_int_eq(SSL_export_keying_material_early(
5392 serverssl, skeymat2, sizeof(skeymat2), label,
5393 sizeof(label) - 1, emptycontext, 0), 1)
5394 /*
5395 * Check that both sides created the same key material with the
5396 * same context.
5397 */
5398 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5399 sizeof(skeymat1))
5400 /*
5401 * Check that both sides created the same key material with an
5402 * empty context.
5403 */
5404 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5405 sizeof(skeymat2))
5406 /* Different contexts should produce different results */
5407 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5408 sizeof(ckeymat2)))
5409 goto end;
5410
5411 testresult = 1;
5412
5413 end:
5414 SSL_SESSION_free(sess);
5415 SSL_SESSION_free(clientpsk);
5416 SSL_SESSION_free(serverpsk);
5417 clientpsk = serverpsk = NULL;
5418 SSL_free(serverssl);
5419 SSL_free(clientssl);
5420 SSL_CTX_free(sctx);
5421 SSL_CTX_free(cctx);
5422
5423 return testresult;
5424 }
5425
5426 #define NUM_KEY_UPDATE_MESSAGES 40
5427 /*
5428 * Test KeyUpdate.
5429 */
5430 static int test_key_update(void)
5431 {
5432 SSL_CTX *cctx = NULL, *sctx = NULL;
5433 SSL *clientssl = NULL, *serverssl = NULL;
5434 int testresult = 0, i, j;
5435 char buf[20];
5436 static char *mess = "A test message";
5437
5438 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5439 TLS_client_method(),
5440 TLS1_3_VERSION,
5441 0,
5442 &sctx, &cctx, cert, privkey))
5443 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5444 NULL, NULL))
5445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5446 SSL_ERROR_NONE)))
5447 goto end;
5448
5449 for (j = 0; j < 2; j++) {
5450 /* Send lots of KeyUpdate messages */
5451 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5452 if (!TEST_true(SSL_key_update(clientssl,
5453 (j == 0)
5454 ? SSL_KEY_UPDATE_NOT_REQUESTED
5455 : SSL_KEY_UPDATE_REQUESTED))
5456 || !TEST_true(SSL_do_handshake(clientssl)))
5457 goto end;
5458 }
5459
5460 /* Check that sending and receiving app data is ok */
5461 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5462 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5463 strlen(mess)))
5464 goto end;
5465
5466 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5467 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5468 strlen(mess)))
5469 goto end;
5470 }
5471
5472 testresult = 1;
5473
5474 end:
5475 SSL_free(serverssl);
5476 SSL_free(clientssl);
5477 SSL_CTX_free(sctx);
5478 SSL_CTX_free(cctx);
5479
5480 return testresult;
5481 }
5482
5483 /*
5484 * Test we can handle a KeyUpdate (update requested) message while write data
5485 * is pending.
5486 * Test 0: Client sends KeyUpdate while Server is writing
5487 * Test 1: Server sends KeyUpdate while Client is writing
5488 */
5489 static int test_key_update_in_write(int tst)
5490 {
5491 SSL_CTX *cctx = NULL, *sctx = NULL;
5492 SSL *clientssl = NULL, *serverssl = NULL;
5493 int testresult = 0;
5494 char buf[20];
5495 static char *mess = "A test message";
5496 BIO *bretry = BIO_new(bio_s_always_retry());
5497 BIO *tmp = NULL;
5498 SSL *peerupdate = NULL, *peerwrite = NULL;
5499
5500 if (!TEST_ptr(bretry)
5501 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5502 TLS_client_method(),
5503 TLS1_3_VERSION,
5504 0,
5505 &sctx, &cctx, cert, privkey))
5506 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5507 NULL, NULL))
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 SSL_ERROR_NONE)))
5510 goto end;
5511
5512 peerupdate = tst == 0 ? clientssl : serverssl;
5513 peerwrite = tst == 0 ? serverssl : clientssl;
5514
5515 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5516 || !TEST_true(SSL_do_handshake(peerupdate)))
5517 goto end;
5518
5519 /* Swap the writing endpoint's write BIO to force a retry */
5520 tmp = SSL_get_wbio(peerwrite);
5521 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5522 tmp = NULL;
5523 goto end;
5524 }
5525 SSL_set0_wbio(peerwrite, bretry);
5526 bretry = NULL;
5527
5528 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5529 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5530 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5531 goto end;
5532
5533 /* Reinstate the original writing endpoint's write BIO */
5534 SSL_set0_wbio(peerwrite, tmp);
5535 tmp = NULL;
5536
5537 /* Now read some data - we will read the key update */
5538 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5539 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5540 goto end;
5541
5542 /*
5543 * Complete the write we started previously and read it from the other
5544 * endpoint
5545 */
5546 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5547 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5548 goto end;
5549
5550 /* Write more data to ensure we send the KeyUpdate message back */
5551 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5552 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5553 goto end;
5554
5555 testresult = 1;
5556
5557 end:
5558 SSL_free(serverssl);
5559 SSL_free(clientssl);
5560 SSL_CTX_free(sctx);
5561 SSL_CTX_free(cctx);
5562 BIO_free(bretry);
5563 BIO_free(tmp);
5564
5565 return testresult;
5566 }
5567 #endif /* OPENSSL_NO_TLS1_3 */
5568
5569 static int test_ssl_clear(int idx)
5570 {
5571 SSL_CTX *cctx = NULL, *sctx = NULL;
5572 SSL *clientssl = NULL, *serverssl = NULL;
5573 int testresult = 0;
5574
5575 #ifdef OPENSSL_NO_TLS1_2
5576 if (idx == 1)
5577 return 1;
5578 #endif
5579
5580 /* Create an initial connection */
5581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5582 TLS_client_method(), TLS1_VERSION, 0,
5583 &sctx, &cctx, cert, privkey))
5584 || (idx == 1
5585 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5586 TLS1_2_VERSION)))
5587 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5588 &clientssl, NULL, NULL))
5589 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5590 SSL_ERROR_NONE)))
5591 goto end;
5592
5593 SSL_shutdown(clientssl);
5594 SSL_shutdown(serverssl);
5595 SSL_free(serverssl);
5596 serverssl = NULL;
5597
5598 /* Clear clientssl - we're going to reuse the object */
5599 if (!TEST_true(SSL_clear(clientssl)))
5600 goto end;
5601
5602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5603 NULL, NULL))
5604 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5605 SSL_ERROR_NONE))
5606 || !TEST_true(SSL_session_reused(clientssl)))
5607 goto end;
5608
5609 SSL_shutdown(clientssl);
5610 SSL_shutdown(serverssl);
5611
5612 testresult = 1;
5613
5614 end:
5615 SSL_free(serverssl);
5616 SSL_free(clientssl);
5617 SSL_CTX_free(sctx);
5618 SSL_CTX_free(cctx);
5619
5620 return testresult;
5621 }
5622
5623 /* Parse CH and retrieve any MFL extension value if present */
5624 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5625 {
5626 long len;
5627 unsigned char *data;
5628 PACKET pkt, pkt2, pkt3;
5629 unsigned int MFL_code = 0, type = 0;
5630
5631 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5632 goto end;
5633
5634 memset(&pkt, 0, sizeof(pkt));
5635 memset(&pkt2, 0, sizeof(pkt2));
5636 memset(&pkt3, 0, sizeof(pkt3));
5637
5638 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5639 /* Skip the record header */
5640 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5641 /* Skip the handshake message header */
5642 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5643 /* Skip client version and random */
5644 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5645 + SSL3_RANDOM_SIZE))
5646 /* Skip session id */
5647 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5648 /* Skip ciphers */
5649 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5650 /* Skip compression */
5651 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5652 /* Extensions len */
5653 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5654 goto end;
5655
5656 /* Loop through all extensions */
5657 while (PACKET_remaining(&pkt2)) {
5658 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5659 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5660 goto end;
5661
5662 if (type == TLSEXT_TYPE_max_fragment_length) {
5663 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5664 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5665 goto end;
5666
5667 *mfl_codemfl_code = MFL_code;
5668 return 1;
5669 }
5670 }
5671
5672 end:
5673 return 0;
5674 }
5675
5676 /* Maximum-Fragment-Length TLS extension mode to test */
5677 static const unsigned char max_fragment_len_test[] = {
5678 TLSEXT_max_fragment_length_512,
5679 TLSEXT_max_fragment_length_1024,
5680 TLSEXT_max_fragment_length_2048,
5681 TLSEXT_max_fragment_length_4096
5682 };
5683
5684 static int test_max_fragment_len_ext(int idx_tst)
5685 {
5686 SSL_CTX *ctx;
5687 SSL *con = NULL;
5688 int testresult = 0, MFL_mode = 0;
5689 BIO *rbio, *wbio;
5690
5691 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5692 if (!TEST_ptr(ctx))
5693 goto end;
5694
5695 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5696 ctx, max_fragment_len_test[idx_tst])))
5697 goto end;
5698
5699 con = SSL_new(ctx);
5700 if (!TEST_ptr(con))
5701 goto end;
5702
5703 rbio = BIO_new(BIO_s_mem());
5704 wbio = BIO_new(BIO_s_mem());
5705 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5706 BIO_free(rbio);
5707 BIO_free(wbio);
5708 goto end;
5709 }
5710
5711 SSL_set_bio(con, rbio, wbio);
5712 SSL_set_connect_state(con);
5713
5714 if (!TEST_int_le(SSL_connect(con), 0)) {
5715 /* This shouldn't succeed because we don't have a server! */
5716 goto end;
5717 }
5718
5719 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5720 /* no MFL in client hello */
5721 goto end;
5722 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5723 goto end;
5724
5725 testresult = 1;
5726
5727 end:
5728 SSL_free(con);
5729 SSL_CTX_free(ctx);
5730
5731 return testresult;
5732 }
5733
5734 #ifndef OPENSSL_NO_TLS1_3
5735 static int test_pha_key_update(void)
5736 {
5737 SSL_CTX *cctx = NULL, *sctx = NULL;
5738 SSL *clientssl = NULL, *serverssl = NULL;
5739 int testresult = 0;
5740
5741 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5742 TLS_client_method(), TLS1_VERSION, 0,
5743 &sctx, &cctx, cert, privkey)))
5744 return 0;
5745
5746 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5747 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5748 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5749 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5750 goto end;
5751
5752 SSL_CTX_set_post_handshake_auth(cctx, 1);
5753
5754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5755 NULL, NULL)))
5756 goto end;
5757
5758 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5759 SSL_ERROR_NONE)))
5760 goto end;
5761
5762 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5763 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5764 goto end;
5765
5766 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5767 goto end;
5768
5769 /* Start handshake on the server */
5770 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5771 goto end;
5772
5773 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5774 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5775 SSL_ERROR_NONE)))
5776 goto end;
5777
5778 SSL_shutdown(clientssl);
5779 SSL_shutdown(serverssl);
5780
5781 testresult = 1;
5782
5783 end:
5784 SSL_free(serverssl);
5785 SSL_free(clientssl);
5786 SSL_CTX_free(sctx);
5787 SSL_CTX_free(cctx);
5788 return testresult;
5789 }
5790 #endif
5791
5792 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5793
5794 static SRP_VBASE *vbase = NULL;
5795
5796 DEFINE_STACK_OF(SRP_user_pwd)
5797
5798 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5799 {
5800 int ret = SSL3_AL_FATAL;
5801 char *username;
5802 SRP_user_pwd *user = NULL;
5803
5804 username = SSL_get_srp_username(s);
5805 if (username == NULL) {
5806 *ad = SSL_AD_INTERNAL_ERROR;
5807 goto err;
5808 }
5809
5810 user = SRP_VBASE_get1_by_user(vbase, username);
5811 if (user == NULL) {
5812 *ad = SSL_AD_INTERNAL_ERROR;
5813 goto err;
5814 }
5815
5816 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5817 user->info) <= 0) {
5818 *ad = SSL_AD_INTERNAL_ERROR;
5819 goto err;
5820 }
5821
5822 ret = 0;
5823
5824 err:
5825 SRP_user_pwd_free(user);
5826 return ret;
5827 }
5828
5829 static int create_new_vfile(char *userid, char *password, const char *filename)
5830 {
5831 char *gNid = NULL;
5832 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5833 TXT_DB *db = NULL;
5834 int ret = 0;
5835 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5836 size_t i;
5837
5838 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5839 goto end;
5840
5841 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5842 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5843 if (!TEST_ptr(gNid))
5844 goto end;
5845
5846 /*
5847 * The only way to create an empty TXT_DB is to provide a BIO with no data
5848 * in it!
5849 */
5850 db = TXT_DB_read(dummy, DB_NUMBER);
5851 if (!TEST_ptr(db))
5852 goto end;
5853
5854 out = BIO_new_file(filename, "w");
5855 if (!TEST_ptr(out))
5856 goto end;
5857
5858 row[DB_srpid] = OPENSSL_strdup(userid);
5859 row[DB_srptype] = OPENSSL_strdup("V");
5860 row[DB_srpgN] = OPENSSL_strdup(gNid);
5861
5862 if (!TEST_ptr(row[DB_srpid])
5863 || !TEST_ptr(row[DB_srptype])
5864 || !TEST_ptr(row[DB_srpgN])
5865 || !TEST_true(TXT_DB_insert(db, row)))
5866 goto end;
5867
5868 row = NULL;
5869
5870 if (!TXT_DB_write(out, db))
5871 goto end;
5872
5873 ret = 1;
5874 end:
5875 if (row != NULL) {
5876 for (i = 0; i < DB_NUMBER; i++)
5877 OPENSSL_free(row[i]);
5878 }
5879 OPENSSL_free(row);
5880 BIO_free(dummy);
5881 BIO_free(out);
5882 TXT_DB_free(db);
5883
5884 return ret;
5885 }
5886
5887 static int create_new_vbase(char *userid, char *password)
5888 {
5889 BIGNUM *verifier = NULL, *salt = NULL;
5890 const SRP_gN *lgN = NULL;
5891 SRP_user_pwd *user_pwd = NULL;
5892 int ret = 0;
5893
5894 lgN = SRP_get_default_gN(NULL);
5895 if (!TEST_ptr(lgN))
5896 goto end;
5897
5898 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5899 lgN->N, lgN->g, libctx, NULL)))
5900 goto end;
5901
5902 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5903 if (!TEST_ptr(user_pwd))
5904 goto end;
5905
5906 user_pwd->N = lgN->N;
5907 user_pwd->g = lgN->g;
5908 user_pwd->id = OPENSSL_strdup(userid);
5909 if (!TEST_ptr(user_pwd->id))
5910 goto end;
5911
5912 user_pwd->v = verifier;
5913 user_pwd->s = salt;
5914 verifier = salt = NULL;
5915
5916 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5917 goto end;
5918 user_pwd = NULL;
5919
5920 ret = 1;
5921 end:
5922 SRP_user_pwd_free(user_pwd);
5923 BN_free(salt);
5924 BN_free(verifier);
5925
5926 return ret;
5927 }
5928
5929 /*
5930 * SRP tests
5931 *
5932 * Test 0: Simple successful SRP connection, new vbase
5933 * Test 1: Connection failure due to bad password, new vbase
5934 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5935 * Test 3: Connection failure due to bad password, vbase loaded from existing
5936 * file
5937 * Test 4: Simple successful SRP connection, vbase loaded from new file
5938 * Test 5: Connection failure due to bad password, vbase loaded from new file
5939 */
5940 static int test_srp(int tst)
5941 {
5942 char *userid = "test", *password = "password", *tstsrpfile;
5943 SSL_CTX *cctx = NULL, *sctx = NULL;
5944 SSL *clientssl = NULL, *serverssl = NULL;
5945 int ret, testresult = 0;
5946
5947 vbase = SRP_VBASE_new(NULL);
5948 if (!TEST_ptr(vbase))
5949 goto end;
5950
5951 if (tst == 0 || tst == 1) {
5952 if (!TEST_true(create_new_vbase(userid, password)))
5953 goto end;
5954 } else {
5955 if (tst == 4 || tst == 5) {
5956 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5957 goto end;
5958 tstsrpfile = tmpfilename;
5959 } else {
5960 tstsrpfile = srpvfile;
5961 }
5962 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5963 goto end;
5964 }
5965
5966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5967 TLS_client_method(), TLS1_VERSION, 0,
5968 &sctx, &cctx, cert, privkey)))
5969 goto end;
5970
5971 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5972 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5973 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5974 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5975 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5976 goto end;
5977
5978 if (tst % 2 == 1) {
5979 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5980 goto end;
5981 } else {
5982 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5983 goto end;
5984 }
5985
5986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5987 NULL, NULL)))
5988 goto end;
5989
5990 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5991 if (ret) {
5992 if (!TEST_true(tst % 2 == 0))
5993 goto end;
5994 } else {
5995 if (!TEST_true(tst % 2 == 1))
5996 goto end;
5997 }
5998
5999 testresult = 1;
6000
6001 end:
6002 SRP_VBASE_free(vbase);
6003 vbase = NULL;
6004 SSL_free(serverssl);
6005 SSL_free(clientssl);
6006 SSL_CTX_free(sctx);
6007 SSL_CTX_free(cctx);
6008
6009 return testresult;
6010 }
6011 #endif
6012
6013 static int info_cb_failed = 0;
6014 static int info_cb_offset = 0;
6015 static int info_cb_this_state = -1;
6016
6017 static struct info_cb_states_st {
6018 int where;
6019 const char *statestr;
6020 } info_cb_states[][60] = {
6021 {
6022 /* TLSv1.2 server followed by resumption */
6023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6024 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6025 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6026 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6027 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6028 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6029 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6030 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6031 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6032 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6033 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6035 {SSL_CB_EXIT, NULL}, {0, NULL},
6036 }, {
6037 /* TLSv1.2 client followed by resumption */
6038 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6039 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6040 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6041 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6042 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6043 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6044 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6045 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6046 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6047 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6048 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6049 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6050 }, {
6051 /* TLSv1.3 server followed by resumption */
6052 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6053 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6054 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6055 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6056 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6057 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6058 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6059 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6060 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6061 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6062 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6063 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6064 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6065 }, {
6066 /* TLSv1.3 client followed by resumption */
6067 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6068 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6069 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6070 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6071 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6072 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6073 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6074 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6075 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6076 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6077 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6078 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6079 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6080 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6081 {SSL_CB_EXIT, NULL}, {0, NULL},
6082 }, {
6083 /* TLSv1.3 server, early_data */
6084 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6085 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6086 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6087 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6088 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6089 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6090 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6091 {SSL_CB_EXIT, NULL}, {0, NULL},
6092 }, {
6093 /* TLSv1.3 client, early_data */
6094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6095 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6096 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6097 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6098 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6099 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6100 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6101 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6102 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6103 }, {
6104 {0, NULL},
6105 }
6106 };
6107
6108 static void sslapi_info_callback(const SSL *s, int where, int ret)
6109 {
6110 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6111
6112 /* We do not ever expect a connection to fail in this test */
6113 if (!TEST_false(ret == 0)) {
6114 info_cb_failed = 1;
6115 return;
6116 }
6117
6118 /*
6119 * Do some sanity checks. We never expect these things to happen in this
6120 * test
6121 */
6122 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6123 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6124 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6125 info_cb_failed = 1;
6126 return;
6127 }
6128
6129 /* Now check we're in the right state */
6130 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6131 info_cb_failed = 1;
6132 return;
6133 }
6134 if ((where & SSL_CB_LOOP) != 0
6135 && !TEST_int_eq(strcmp(SSL_state_string(s),
6136 state[info_cb_this_state].statestr), 0)) {
6137 info_cb_failed = 1;
6138 return;
6139 }
6140
6141 /*
6142 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6143 */
6144 if ((where & SSL_CB_HANDSHAKE_DONE)
6145 && SSL_in_init((SSL *)s) != 0) {
6146 info_cb_failed = 1;
6147 return;
6148 }
6149 }
6150
6151 /*
6152 * Test the info callback gets called when we expect it to.
6153 *
6154 * Test 0: TLSv1.2, server
6155 * Test 1: TLSv1.2, client
6156 * Test 2: TLSv1.3, server
6157 * Test 3: TLSv1.3, client
6158 * Test 4: TLSv1.3, server, early_data
6159 * Test 5: TLSv1.3, client, early_data
6160 */
6161 static int test_info_callback(int tst)
6162 {
6163 SSL_CTX *cctx = NULL, *sctx = NULL;
6164 SSL *clientssl = NULL, *serverssl = NULL;
6165 SSL_SESSION *clntsess = NULL;
6166 int testresult = 0;
6167 int tlsvers;
6168
6169 if (tst < 2) {
6170 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6171 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6172 || !defined(OPENSSL_NO_DH))
6173 tlsvers = TLS1_2_VERSION;
6174 #else
6175 return 1;
6176 #endif
6177 } else {
6178 #ifndef OPENSSL_NO_TLS1_3
6179 tlsvers = TLS1_3_VERSION;
6180 #else
6181 return 1;
6182 #endif
6183 }
6184
6185 /* Reset globals */
6186 info_cb_failed = 0;
6187 info_cb_this_state = -1;
6188 info_cb_offset = tst;
6189
6190 #ifndef OPENSSL_NO_TLS1_3
6191 if (tst >= 4) {
6192 SSL_SESSION *sess = NULL;
6193 size_t written, readbytes;
6194 unsigned char buf[80];
6195
6196 /* early_data tests */
6197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6198 &serverssl, &sess, 0)))
6199 goto end;
6200
6201 /* We don't actually need this reference */
6202 SSL_SESSION_free(sess);
6203
6204 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6205 sslapi_info_callback);
6206
6207 /* Write and read some early data and then complete the connection */
6208 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6209 &written))
6210 || !TEST_size_t_eq(written, strlen(MSG1))
6211 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6212 sizeof(buf), &readbytes),
6213 SSL_READ_EARLY_DATA_SUCCESS)
6214 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6215 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6216 SSL_EARLY_DATA_ACCEPTED)
6217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6218 SSL_ERROR_NONE))
6219 || !TEST_false(info_cb_failed))
6220 goto end;
6221
6222 testresult = 1;
6223 goto end;
6224 }
6225 #endif
6226
6227 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6228 TLS_client_method(),
6229 tlsvers, tlsvers, &sctx, &cctx, cert,
6230 privkey)))
6231 goto end;
6232
6233 /*
6234 * For even numbered tests we check the server callbacks. For odd numbers we
6235 * check the client.
6236 */
6237 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6238 sslapi_info_callback);
6239
6240 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6241 &clientssl, NULL, NULL))
6242 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6243 SSL_ERROR_NONE))
6244 || !TEST_false(info_cb_failed))
6245 goto end;
6246
6247
6248
6249 clntsess = SSL_get1_session(clientssl);
6250 SSL_shutdown(clientssl);
6251 SSL_shutdown(serverssl);
6252 SSL_free(serverssl);
6253 SSL_free(clientssl);
6254 serverssl = clientssl = NULL;
6255
6256 /* Now do a resumption */
6257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6258 NULL))
6259 || !TEST_true(SSL_set_session(clientssl, clntsess))
6260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6261 SSL_ERROR_NONE))
6262 || !TEST_true(SSL_session_reused(clientssl))
6263 || !TEST_false(info_cb_failed))
6264 goto end;
6265
6266 testresult = 1;
6267
6268 end:
6269 SSL_free(serverssl);
6270 SSL_free(clientssl);
6271 SSL_SESSION_free(clntsess);
6272 SSL_CTX_free(sctx);
6273 SSL_CTX_free(cctx);
6274 return testresult;
6275 }
6276
6277 static int test_ssl_pending(int tst)
6278 {
6279 SSL_CTX *cctx = NULL, *sctx = NULL;
6280 SSL *clientssl = NULL, *serverssl = NULL;
6281 int testresult = 0;
6282 char msg[] = "A test message";
6283 char buf[5];
6284 size_t written, readbytes;
6285
6286 if (tst == 0) {
6287 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6288 TLS_client_method(),
6289 TLS1_VERSION, 0,
6290 &sctx, &cctx, cert, privkey)))
6291 goto end;
6292 } else {
6293 #ifndef OPENSSL_NO_DTLS
6294 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6295 DTLS_client_method(),
6296 DTLS1_VERSION, 0,
6297 &sctx, &cctx, cert, privkey)))
6298 goto end;
6299 #else
6300 return 1;
6301 #endif
6302 }
6303
6304 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6305 NULL, NULL))
6306 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6307 SSL_ERROR_NONE)))
6308 goto end;
6309
6310 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6311 || !TEST_false(SSL_has_pending(clientssl))
6312 || !TEST_int_eq(SSL_pending(serverssl), 0)
6313 || !TEST_false(SSL_has_pending(serverssl))
6314 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6315 || !TEST_size_t_eq(written, sizeof(msg))
6316 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6317 || !TEST_size_t_eq(readbytes, sizeof(buf))
6318 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6319 || !TEST_true(SSL_has_pending(clientssl)))
6320 goto end;
6321
6322 testresult = 1;
6323
6324 end:
6325 SSL_free(serverssl);
6326 SSL_free(clientssl);
6327 SSL_CTX_free(sctx);
6328 SSL_CTX_free(cctx);
6329
6330 return testresult;
6331 }
6332
6333 static struct {
6334 unsigned int maxprot;
6335 const char *clntciphers;
6336 const char *clnttls13ciphers;
6337 const char *srvrciphers;
6338 const char *srvrtls13ciphers;
6339 const char *shared;
6340 const char *fipsshared;
6341 } shared_ciphers_data[] = {
6342 /*
6343 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6344 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6345 */
6346 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6347 {
6348 TLS1_2_VERSION,
6349 "AES128-SHA:AES256-SHA",
6350 NULL,
6351 "AES256-SHA:DHE-RSA-AES128-SHA",
6352 NULL,
6353 "AES256-SHA",
6354 "AES256-SHA"
6355 },
6356 # if !defined(OPENSSL_NO_CHACHA) \
6357 && !defined(OPENSSL_NO_POLY1305) \
6358 && !defined(OPENSSL_NO_EC)
6359 {
6360 TLS1_2_VERSION,
6361 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6362 NULL,
6363 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6364 NULL,
6365 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6366 "AES128-SHA"
6367 },
6368 # endif
6369 {
6370 TLS1_2_VERSION,
6371 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6372 NULL,
6373 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6374 NULL,
6375 "AES128-SHA:AES256-SHA",
6376 "AES128-SHA:AES256-SHA"
6377 },
6378 {
6379 TLS1_2_VERSION,
6380 "AES128-SHA:AES256-SHA",
6381 NULL,
6382 "AES128-SHA:DHE-RSA-AES128-SHA",
6383 NULL,
6384 "AES128-SHA",
6385 "AES128-SHA"
6386 },
6387 #endif
6388 /*
6389 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6390 * enabled.
6391 */
6392 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6393 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6394 {
6395 TLS1_3_VERSION,
6396 "AES128-SHA:AES256-SHA",
6397 NULL,
6398 "AES256-SHA:AES128-SHA256",
6399 NULL,
6400 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6401 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6402 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6403 },
6404 #endif
6405 #ifndef OPENSSL_NO_TLS1_3
6406 {
6407 TLS1_3_VERSION,
6408 "AES128-SHA",
6409 "TLS_AES_256_GCM_SHA384",
6410 "AES256-SHA",
6411 "TLS_AES_256_GCM_SHA384",
6412 "TLS_AES_256_GCM_SHA384",
6413 "TLS_AES_256_GCM_SHA384"
6414 },
6415 #endif
6416 };
6417
6418 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6419 {
6420 SSL_CTX *cctx = NULL, *sctx = NULL;
6421 SSL *clientssl = NULL, *serverssl = NULL;
6422 int testresult = 0;
6423 char buf[1024];
6424 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6425
6426 if (!TEST_ptr(tmplibctx))
6427 goto end;
6428
6429 /*
6430 * Regardless of whether we're testing with the FIPS provider loaded into
6431 * libctx, we want one peer to always use the full set of ciphersuites
6432 * available. Therefore we use a separate libctx with the default provider
6433 * loaded into it. We run the same tests twice - once with the client side
6434 * having the full set of ciphersuites and once with the server side.
6435 */
6436 if (clnt) {
6437 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6438 if (!TEST_ptr(cctx))
6439 goto end;
6440 } else {
6441 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6442 if (!TEST_ptr(sctx))
6443 goto end;
6444 }
6445
6446 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6447 TLS_client_method(),
6448 TLS1_VERSION,
6449 shared_ciphers_data[tst].maxprot,
6450 &sctx, &cctx, cert, privkey)))
6451 goto end;
6452
6453 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6454 shared_ciphers_data[tst].clntciphers))
6455 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6456 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6457 shared_ciphers_data[tst].clnttls13ciphers)))
6458 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6459 shared_ciphers_data[tst].srvrciphers))
6460 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6461 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6462 shared_ciphers_data[tst].srvrtls13ciphers))))
6463 goto end;
6464
6465
6466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6467 NULL, NULL))
6468 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6469 SSL_ERROR_NONE)))
6470 goto end;
6471
6472 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6473 || !TEST_int_eq(strcmp(buf,
6474 is_fips
6475 ? shared_ciphers_data[tst].fipsshared
6476 : shared_ciphers_data[tst].shared),
6477 0)) {
6478 TEST_info("Shared ciphers are: %s\n", buf);
6479 goto end;
6480 }
6481
6482 testresult = 1;
6483
6484 end:
6485 SSL_free(serverssl);
6486 SSL_free(clientssl);
6487 SSL_CTX_free(sctx);
6488 SSL_CTX_free(cctx);
6489 OPENSSL_CTX_free(tmplibctx);
6490
6491 return testresult;
6492 }
6493
6494 static int test_ssl_get_shared_ciphers(int tst)
6495 {
6496 return int_test_ssl_get_shared_ciphers(tst, 0)
6497 && int_test_ssl_get_shared_ciphers(tst, 1);
6498 }
6499
6500
6501 static const char *appdata = "Hello World";
6502 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6503 static int tick_key_renew = 0;
6504 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6505
6506 static int gen_tick_cb(SSL *s, void *arg)
6507 {
6508 gen_tick_called = 1;
6509
6510 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6511 strlen(appdata));
6512 }
6513
6514 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6515 const unsigned char *keyname,
6516 size_t keyname_length,
6517 SSL_TICKET_STATUS status,
6518 void *arg)
6519 {
6520 void *tickdata;
6521 size_t tickdlen;
6522
6523 dec_tick_called = 1;
6524
6525 if (status == SSL_TICKET_EMPTY)
6526 return SSL_TICKET_RETURN_IGNORE_RENEW;
6527
6528 if (!TEST_true(status == SSL_TICKET_SUCCESS
6529 || status == SSL_TICKET_SUCCESS_RENEW))
6530 return SSL_TICKET_RETURN_ABORT;
6531
6532 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6533 &tickdlen))
6534 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6535 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6536 return SSL_TICKET_RETURN_ABORT;
6537
6538 if (tick_key_cb_called) {
6539 /* Don't change what the ticket key callback wanted to do */
6540 switch (status) {
6541 case SSL_TICKET_NO_DECRYPT:
6542 return SSL_TICKET_RETURN_IGNORE_RENEW;
6543
6544 case SSL_TICKET_SUCCESS:
6545 return SSL_TICKET_RETURN_USE;
6546
6547 case SSL_TICKET_SUCCESS_RENEW:
6548 return SSL_TICKET_RETURN_USE_RENEW;
6549
6550 default:
6551 return SSL_TICKET_RETURN_ABORT;
6552 }
6553 }
6554 return tick_dec_ret;
6555
6556 }
6557
6558 #ifndef OPENSSL_NO_DEPRECATED_3_0
6559 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6560 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6561 HMAC_CTX *hctx, int enc)
6562 {
6563 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6564 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6565 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6566 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6567 int ret;
6568
6569 tick_key_cb_called = 1;
6570 memset(iv, 0, AES_BLOCK_SIZE);
6571 memset(key_name, 0, 16);
6572 if (aes128cbc == NULL
6573 || sha256 == NULL
6574 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6575 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6576 NULL))
6577 ret = -1;
6578 else
6579 ret = tick_key_renew ? 2 : 1;
6580
6581 EVP_CIPHER_free(aes128cbc);
6582 EVP_MD_free(sha256);
6583
6584 return ret;
6585 }
6586 #endif
6587
6588 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6589 unsigned char iv[EVP_MAX_IV_LENGTH],
6590 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6591 {
6592 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6593 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6594 OSSL_PARAM params[3];
6595 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6596 int ret;
6597
6598 tick_key_cb_called = 1;
6599 memset(iv, 0, AES_BLOCK_SIZE);
6600 memset(key_name, 0, 16);
6601 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6602 "SHA256", 0);
6603 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6604 tick_hmac_key,
6605 sizeof(tick_hmac_key));
6606 params[2] = OSSL_PARAM_construct_end();
6607 if (aes128cbc == NULL
6608 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6609 || !EVP_MAC_CTX_set_params(hctx, params)
6610 || !EVP_MAC_init(hctx))
6611 ret = -1;
6612 else
6613 ret = tick_key_renew ? 2 : 1;
6614
6615 EVP_CIPHER_free(aes128cbc);
6616
6617 return ret;
6618 }
6619
6620 /*
6621 * Test the various ticket callbacks
6622 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6623 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6624 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6625 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6626 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6627 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6628 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6629 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6630 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6631 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6632 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6633 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6634 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6635 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6636 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6637 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6638 */
6639 static int test_ticket_callbacks(int tst)
6640 {
6641 SSL_CTX *cctx = NULL, *sctx = NULL;
6642 SSL *clientssl = NULL, *serverssl = NULL;
6643 SSL_SESSION *clntsess = NULL;
6644 int testresult = 0;
6645
6646 #ifdef OPENSSL_NO_TLS1_2
6647 if (tst % 2 == 0)
6648 return 1;
6649 #endif
6650 #ifdef OPENSSL_NO_TLS1_3
6651 if (tst % 2 == 1)
6652 return 1;
6653 #endif
6654 #ifdef OPENSSL_NO_DEPRECATED_3_0
6655 if (tst >= 8 && tst <= 11)
6656 return 1;
6657 #endif
6658
6659 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6660
6661 /* Which tests the ticket key callback should request renewal for */
6662 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6663 tick_key_renew = 1;
6664 else
6665 tick_key_renew = 0;
6666
6667 /* Which tests the decrypt ticket callback should request renewal for */
6668 switch (tst) {
6669 case 0:
6670 case 1:
6671 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6672 break;
6673
6674 case 2:
6675 case 3:
6676 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6677 break;
6678
6679 case 4:
6680 case 5:
6681 tick_dec_ret = SSL_TICKET_RETURN_USE;
6682 break;
6683
6684 case 6:
6685 case 7:
6686 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6687 break;
6688
6689 default:
6690 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6691 }
6692
6693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6694 TLS_client_method(),
6695 TLS1_VERSION,
6696 ((tst % 2) == 0) ? TLS1_2_VERSION
6697 : TLS1_3_VERSION,
6698 &sctx, &cctx, cert, privkey)))
6699 goto end;
6700
6701 /*
6702 * We only want sessions to resume from tickets - not the session cache. So
6703 * switch the cache off.
6704 */
6705 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6706 goto end;
6707
6708 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6709 NULL)))
6710 goto end;
6711
6712 if (tst >= 12) {
6713 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6714 goto end;
6715 #ifndef OPENSSL_NO_DEPRECATED_3_0
6716 } else if (tst >= 8) {
6717 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6718 goto end;
6719 #endif
6720 }
6721
6722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6723 NULL, NULL))
6724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6725 SSL_ERROR_NONE)))
6726 goto end;
6727
6728 /*
6729 * The decrypt ticket key callback in TLSv1.2 should be called even though
6730 * we have no ticket yet, because it gets called with a status of
6731 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6732 * actually send any ticket data). This does not happen in TLSv1.3 because
6733 * it is not valid to send empty ticket data in TLSv1.3.
6734 */
6735 if (!TEST_int_eq(gen_tick_called, 1)
6736 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6737 goto end;
6738
6739 gen_tick_called = dec_tick_called = 0;
6740
6741 clntsess = SSL_get1_session(clientssl);
6742 SSL_shutdown(clientssl);
6743 SSL_shutdown(serverssl);
6744 SSL_free(serverssl);
6745 SSL_free(clientssl);
6746 serverssl = clientssl = NULL;
6747
6748 /* Now do a resumption */
6749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6750 NULL))
6751 || !TEST_true(SSL_set_session(clientssl, clntsess))
6752 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6753 SSL_ERROR_NONE)))
6754 goto end;
6755
6756 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6757 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6758 if (!TEST_false(SSL_session_reused(clientssl)))
6759 goto end;
6760 } else {
6761 if (!TEST_true(SSL_session_reused(clientssl)))
6762 goto end;
6763 }
6764
6765 if (!TEST_int_eq(gen_tick_called,
6766 (tick_key_renew
6767 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6768 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6769 ? 1 : 0)
6770 || !TEST_int_eq(dec_tick_called, 1))
6771 goto end;
6772
6773 testresult = 1;
6774
6775 end:
6776 SSL_SESSION_free(clntsess);
6777 SSL_free(serverssl);
6778 SSL_free(clientssl);
6779 SSL_CTX_free(sctx);
6780 SSL_CTX_free(cctx);
6781
6782 return testresult;
6783 }
6784
6785 /*
6786 * Test bi-directional shutdown.
6787 * Test 0: TLSv1.2
6788 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6789 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6790 * Test 3: TLSv1.3, pending NewSessionTicket messages
6791 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6792 * sends key update, client reads it
6793 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6794 * sends CertificateRequest, client reads and ignores it
6795 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6796 * doesn't read it
6797 */
6798 static int test_shutdown(int tst)
6799 {
6800 SSL_CTX *cctx = NULL, *sctx = NULL;
6801 SSL *clientssl = NULL, *serverssl = NULL;
6802 int testresult = 0;
6803 char msg[] = "A test message";
6804 char buf[80];
6805 size_t written, readbytes;
6806 SSL_SESSION *sess;
6807
6808 #ifdef OPENSSL_NO_TLS1_2
6809 if (tst <= 1)
6810 return 1;
6811 #endif
6812 #ifdef OPENSSL_NO_TLS1_3
6813 if (tst >= 2)
6814 return 1;
6815 #endif
6816
6817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6818 TLS_client_method(),
6819 TLS1_VERSION,
6820 (tst <= 1) ? TLS1_2_VERSION
6821 : TLS1_3_VERSION,
6822 &sctx, &cctx, cert, privkey)))
6823 goto end;
6824
6825 if (tst == 5)
6826 SSL_CTX_set_post_handshake_auth(cctx, 1);
6827
6828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6829 NULL, NULL)))
6830 goto end;
6831
6832 if (tst == 3) {
6833 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6834 SSL_ERROR_NONE, 1))
6835 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6836 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6837 goto end;
6838 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6839 SSL_ERROR_NONE))
6840 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6841 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6842 goto end;
6843 }
6844
6845 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6846 goto end;
6847
6848 if (tst >= 4) {
6849 /*
6850 * Reading on the server after the client has sent close_notify should
6851 * fail and provide SSL_ERROR_ZERO_RETURN
6852 */
6853 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6854 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6855 SSL_ERROR_ZERO_RETURN)
6856 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6857 SSL_RECEIVED_SHUTDOWN)
6858 /*
6859 * Even though we're shutdown on receive we should still be
6860 * able to write.
6861 */
6862 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6863 goto end;
6864 if (tst == 4
6865 && !TEST_true(SSL_key_update(serverssl,
6866 SSL_KEY_UPDATE_REQUESTED)))
6867 goto end;
6868 if (tst == 5) {
6869 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6870 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6871 goto end;
6872 }
6873 if ((tst == 4 || tst == 5)
6874 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6875 goto end;
6876 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6877 goto end;
6878 if (tst == 4 || tst == 5) {
6879 /* Should still be able to read data from server */
6880 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6881 &readbytes))
6882 || !TEST_size_t_eq(readbytes, sizeof(msg))
6883 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6884 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6885 &readbytes))
6886 || !TEST_size_t_eq(readbytes, sizeof(msg))
6887 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6888 goto end;
6889 }
6890 }
6891
6892 /* Writing on the client after sending close_notify shouldn't be possible */
6893 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6894 goto end;
6895
6896 if (tst < 4) {
6897 /*
6898 * For these tests the client has sent close_notify but it has not yet
6899 * been received by the server. The server has not sent close_notify
6900 * yet.
6901 */
6902 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6903 /*
6904 * Writing on the server after sending close_notify shouldn't
6905 * be possible.
6906 */
6907 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6908 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6909 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6910 || !TEST_true(SSL_SESSION_is_resumable(sess))
6911 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6912 goto end;
6913 } else if (tst == 4 || tst == 5) {
6914 /*
6915 * In this test the client has sent close_notify and it has been
6916 * received by the server which has responded with a close_notify. The
6917 * client needs to read the close_notify sent by the server.
6918 */
6919 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6920 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6921 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6922 goto end;
6923 } else {
6924 /*
6925 * tst == 6
6926 *
6927 * The client has sent close_notify and is expecting a close_notify
6928 * back, but instead there is application data first. The shutdown
6929 * should fail with a fatal error.
6930 */
6931 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6932 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6933 goto end;
6934 }
6935
6936 testresult = 1;
6937
6938 end:
6939 SSL_free(serverssl);
6940 SSL_free(clientssl);
6941 SSL_CTX_free(sctx);
6942 SSL_CTX_free(cctx);
6943
6944 return testresult;
6945 }
6946
6947 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6948 static int cert_cb_cnt;
6949
6950 static int cert_cb(SSL *s, void *arg)
6951 {
6952 SSL_CTX *ctx = (SSL_CTX *)arg;
6953 BIO *in = NULL;
6954 EVP_PKEY *pkey = NULL;
6955 X509 *x509 = NULL, *rootx = NULL;
6956 STACK_OF(X509) *chain = NULL;
6957 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6958 int ret = 0;
6959
6960 if (cert_cb_cnt == 0) {
6961 /* Suspend the handshake */
6962 cert_cb_cnt++;
6963 return -1;
6964 } else if (cert_cb_cnt == 1) {
6965 /*
6966 * Update the SSL_CTX, set the certificate and private key and then
6967 * continue the handshake normally.
6968 */
6969 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6970 return 0;
6971
6972 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6973 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6974 SSL_FILETYPE_PEM))
6975 || !TEST_true(SSL_check_private_key(s)))
6976 return 0;
6977 cert_cb_cnt++;
6978 return 1;
6979 } else if (cert_cb_cnt == 3) {
6980 int rv;
6981
6982 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6983 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6984 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6985 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6986 goto out;
6987 chain = sk_X509_new_null();
6988 if (!TEST_ptr(chain))
6989 goto out;
6990 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6991 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6992 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6993 || !TEST_true(sk_X509_push(chain, rootx)))
6994 goto out;
6995 rootx = NULL;
6996 BIO_free(in);
6997 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6998 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6999 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7000 goto out;
7001 BIO_free(in);
7002 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7003 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7004 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7005 goto out;
7006 rv = SSL_check_chain(s, x509, pkey, chain);
7007 /*
7008 * If the cert doesn't show as valid here (e.g., because we don't
7009 * have any shared sigalgs), then we will not set it, and there will
7010 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7011 * will cause tls_choose_sigalgs() to fail the connection.
7012 */
7013 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7014 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7015 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7016 goto out;
7017 }
7018
7019 ret = 1;
7020 }
7021
7022 /* Abort the handshake */
7023 out:
7024 OPENSSL_free(ecdsacert);
7025 OPENSSL_free(ecdsakey);
7026 OPENSSL_free(rootfile);
7027 BIO_free(in);
7028 EVP_PKEY_free(pkey);
7029 X509_free(x509);
7030 X509_free(rootx);
7031 sk_X509_pop_free(chain, X509_free);
7032 return ret;
7033 }
7034
7035 /*
7036 * Test the certificate callback.
7037 * Test 0: Callback fails
7038 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7039 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7040 * Test 3: Success - Call SSL_check_chain from the callback
7041 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7042 * chain
7043 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7044 */
7045 static int test_cert_cb_int(int prot, int tst)
7046 {
7047 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7048 SSL *clientssl = NULL, *serverssl = NULL;
7049 int testresult = 0, ret;
7050
7051 #ifdef OPENSSL_NO_EC
7052 /* We use an EC cert in these tests, so we skip in a no-ec build */
7053 if (tst >= 3)
7054 return 1;
7055 #endif
7056
7057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7058 TLS_client_method(),
7059 TLS1_VERSION,
7060 prot,
7061 &sctx, &cctx, NULL, NULL)))
7062 goto end;
7063
7064 if (tst == 0)
7065 cert_cb_cnt = -1;
7066 else if (tst >= 3)
7067 cert_cb_cnt = 3;
7068 else
7069 cert_cb_cnt = 0;
7070
7071 if (tst == 2)
7072 snictx = SSL_CTX_new(TLS_server_method());
7073 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7074
7075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7076 NULL, NULL)))
7077 goto end;
7078
7079 if (tst == 4) {
7080 /*
7081 * We cause SSL_check_chain() to fail by specifying sig_algs that
7082 * the chain doesn't meet (the root uses an RSA cert)
7083 */
7084 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7085 "ecdsa_secp256r1_sha256")))
7086 goto end;
7087 } else if (tst == 5) {
7088 /*
7089 * We cause SSL_check_chain() to fail by specifying sig_algs that
7090 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7091 */
7092 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7093 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7094 goto end;
7095 }
7096
7097 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7098 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7099 || (tst > 0
7100 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7101 goto end;
7102 }
7103
7104 testresult = 1;
7105
7106 end:
7107 SSL_free(serverssl);
7108 SSL_free(clientssl);
7109 SSL_CTX_free(sctx);
7110 SSL_CTX_free(cctx);
7111 SSL_CTX_free(snictx);
7112
7113 return testresult;
7114 }
7115 #endif
7116
7117 static int test_cert_cb(int tst)
7118 {
7119 int testresult = 1;
7120
7121 #ifndef OPENSSL_NO_TLS1_2
7122 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7123 #endif
7124 #ifndef OPENSSL_NO_TLS1_3
7125 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7126 #endif
7127
7128 return testresult;
7129 }
7130
7131 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7132 {
7133 X509 *xcert, *peer;
7134 EVP_PKEY *privpkey;
7135 BIO *in = NULL;
7136
7137 /* Check that SSL_get_peer_certificate() returns something sensible */
7138 peer = SSL_get_peer_certificate(ssl);
7139 if (!TEST_ptr(peer))
7140 return 0;
7141 X509_free(peer);
7142
7143 in = BIO_new_file(cert, "r");
7144 if (!TEST_ptr(in))
7145 return 0;
7146
7147 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7148 BIO_free(in);
7149 if (!TEST_ptr(xcert))
7150 return 0;
7151
7152 in = BIO_new_file(privkey, "r");
7153 if (!TEST_ptr(in)) {
7154 X509_free(xcert);
7155 return 0;
7156 }
7157
7158 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7159 BIO_free(in);
7160 if (!TEST_ptr(privpkey)) {
7161 X509_free(xcert);
7162 return 0;
7163 }
7164
7165 *x509 = xcert;
7166 *pkey = privpkey;
7167
7168 return 1;
7169 }
7170
7171 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7172 {
7173 return 1;
7174 }
7175
7176 static int test_client_cert_cb(int tst)
7177 {
7178 SSL_CTX *cctx = NULL, *sctx = NULL;
7179 SSL *clientssl = NULL, *serverssl = NULL;
7180 int testresult = 0;
7181
7182 #ifdef OPENSSL_NO_TLS1_2
7183 if (tst == 0)
7184 return 1;
7185 #endif
7186 #ifdef OPENSSL_NO_TLS1_3
7187 if (tst == 1)
7188 return 1;
7189 #endif
7190
7191 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7192 TLS_client_method(),
7193 TLS1_VERSION,
7194 tst == 0 ? TLS1_2_VERSION
7195 : TLS1_3_VERSION,
7196 &sctx, &cctx, cert, privkey)))
7197 goto end;
7198
7199 /*
7200 * Test that setting a client_cert_cb results in a client certificate being
7201 * sent.
7202 */
7203 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7204 SSL_CTX_set_verify(sctx,
7205 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7206 verify_cb);
7207
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7209 NULL, NULL))
7210 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7211 SSL_ERROR_NONE)))
7212 goto end;
7213
7214 testresult = 1;
7215
7216 end:
7217 SSL_free(serverssl);
7218 SSL_free(clientssl);
7219 SSL_CTX_free(sctx);
7220 SSL_CTX_free(cctx);
7221
7222 return testresult;
7223 }
7224
7225 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7226 /*
7227 * Test setting certificate authorities on both client and server.
7228 *
7229 * Test 0: SSL_CTX_set0_CA_list() only
7230 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7231 * Test 2: Only SSL_CTX_set_client_CA_list()
7232 */
7233 static int test_ca_names_int(int prot, int tst)
7234 {
7235 SSL_CTX *cctx = NULL, *sctx = NULL;
7236 SSL *clientssl = NULL, *serverssl = NULL;
7237 int testresult = 0;
7238 size_t i;
7239 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7240 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7241 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7242 const STACK_OF(X509_NAME) *sktmp = NULL;
7243
7244 for (i = 0; i < OSSL_NELEM(name); i++) {
7245 name[i] = X509_NAME_new();
7246 if (!TEST_ptr(name[i])
7247 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7248 MBSTRING_ASC,
7249 (unsigned char *)
7250 strnames[i],
7251 -1, -1, 0)))
7252 goto end;
7253 }
7254
7255 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7256 TLS_client_method(),
7257 TLS1_VERSION,
7258 prot,
7259 &sctx, &cctx, cert, privkey)))
7260 goto end;
7261
7262 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7263
7264 if (tst == 0 || tst == 1) {
7265 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7266 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7267 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7268 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7269 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7270 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7271 goto end;
7272
7273 SSL_CTX_set0_CA_list(sctx, sk1);
7274 SSL_CTX_set0_CA_list(cctx, sk2);
7275 sk1 = sk2 = NULL;
7276 }
7277 if (tst == 1 || tst == 2) {
7278 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7279 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7280 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7281 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7282 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7283 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7284 goto end;
7285
7286 SSL_CTX_set_client_CA_list(sctx, sk1);
7287 SSL_CTX_set_client_CA_list(cctx, sk2);
7288 sk1 = sk2 = NULL;
7289 }
7290
7291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7292 NULL, NULL))
7293 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7294 SSL_ERROR_NONE)))
7295 goto end;
7296
7297 /*
7298 * We only expect certificate authorities to have been sent to the server
7299 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7300 */
7301 sktmp = SSL_get0_peer_CA_list(serverssl);
7302 if (prot == TLS1_3_VERSION
7303 && (tst == 0 || tst == 1)) {
7304 if (!TEST_ptr(sktmp)
7305 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7306 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7307 name[0]), 0)
7308 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7309 name[1]), 0))
7310 goto end;
7311 } else if (!TEST_ptr_null(sktmp)) {
7312 goto end;
7313 }
7314
7315 /*
7316 * In all tests we expect certificate authorities to have been sent to the
7317 * client. However, SSL_set_client_CA_list() should override
7318 * SSL_set0_CA_list()
7319 */
7320 sktmp = SSL_get0_peer_CA_list(clientssl);
7321 if (!TEST_ptr(sktmp)
7322 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7323 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7324 name[tst == 0 ? 0 : 2]), 0)
7325 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7326 name[tst == 0 ? 1 : 3]), 0))
7327 goto end;
7328
7329 testresult = 1;
7330
7331 end:
7332 SSL_free(serverssl);
7333 SSL_free(clientssl);
7334 SSL_CTX_free(sctx);
7335 SSL_CTX_free(cctx);
7336 for (i = 0; i < OSSL_NELEM(name); i++)
7337 X509_NAME_free(name[i]);
7338 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7339 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7340
7341 return testresult;
7342 }
7343 #endif
7344
7345 static int test_ca_names(int tst)
7346 {
7347 int testresult = 1;
7348
7349 #ifndef OPENSSL_NO_TLS1_2
7350 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7351 #endif
7352 #ifndef OPENSSL_NO_TLS1_3
7353 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7354 #endif
7355
7356 return testresult;
7357 }
7358
7359 #ifndef OPENSSL_NO_TLS1_2
7360 static const char *multiblock_cipherlist_data[]=
7361 {
7362 "AES128-SHA",
7363 "AES128-SHA256",
7364 "AES256-SHA",
7365 "AES256-SHA256",
7366 };
7367
7368 /* Reduce the fragment size - so the multiblock test buffer can be small */
7369 # define MULTIBLOCK_FRAGSIZE 512
7370
7371 static int test_multiblock_write(int test_index)
7372 {
7373 static const char *fetchable_ciphers[]=
7374 {
7375 "AES-128-CBC-HMAC-SHA1",
7376 "AES-128-CBC-HMAC-SHA256",
7377 "AES-256-CBC-HMAC-SHA1",
7378 "AES-256-CBC-HMAC-SHA256"
7379 };
7380 const char *cipherlist = multiblock_cipherlist_data[test_index];
7381 const SSL_METHOD *smeth = TLS_server_method();
7382 const SSL_METHOD *cmeth = TLS_client_method();
7383 int min_version = TLS1_VERSION;
7384 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7385 SSL_CTX *cctx = NULL, *sctx = NULL;
7386 SSL *clientssl = NULL, *serverssl = NULL;
7387 int testresult = 0;
7388
7389 /*
7390 * Choose a buffer large enough to perform a multi-block operation
7391 * i.e: write_len >= 4 * frag_size
7392 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7393 */
7394 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7395 unsigned char buf[sizeof(msg)], *p = buf;
7396 size_t readbytes, written, len;
7397 EVP_CIPHER *ciph = NULL;
7398
7399 /*
7400 * Check if the cipher exists before attempting to use it since it only has
7401 * a hardware specific implementation.
7402 */
7403 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7404 if (ciph == NULL) {
7405 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7406 return 1;
7407 }
7408 EVP_CIPHER_free(ciph);
7409
7410 /* Set up a buffer with some data that will be sent to the client */
7411 RAND_bytes(msg, sizeof(msg));
7412
7413 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7414 max_version, &sctx, &cctx, cert,
7415 privkey)))
7416 goto end;
7417
7418 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7419 goto end;
7420
7421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7422 NULL, NULL)))
7423 goto end;
7424
7425 /* settings to force it to use AES-CBC-HMAC_SHA */
7426 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7427 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7428 goto end;
7429
7430 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7431 goto end;
7432
7433 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7434 || !TEST_size_t_eq(written, sizeof(msg)))
7435 goto end;
7436
7437 len = written;
7438 while (len > 0) {
7439 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7440 goto end;
7441 p += readbytes;
7442 len -= readbytes;
7443 }
7444 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7445 goto end;
7446
7447 testresult = 1;
7448 end:
7449 SSL_free(serverssl);
7450 SSL_free(clientssl);
7451 SSL_CTX_free(sctx);
7452 SSL_CTX_free(cctx);
7453
7454 return testresult;
7455 }
7456 #endif /* OPENSSL_NO_TLS1_2 */
7457
7458 /*
7459 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7460 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7461 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7462 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7463 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7464 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7465 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7466 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7467 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7468 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7469 */
7470 static int test_servername(int tst)
7471 {
7472 SSL_CTX *cctx = NULL, *sctx = NULL;
7473 SSL *clientssl = NULL, *serverssl = NULL;
7474 int testresult = 0;
7475 SSL_SESSION *sess = NULL;
7476 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7477
7478 #ifdef OPENSSL_NO_TLS1_2
7479 if (tst <= 4)
7480 return 1;
7481 #endif
7482 #ifdef OPENSSL_NO_TLS1_3
7483 if (tst >= 5)
7484 return 1;
7485 #endif
7486
7487 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7488 TLS_client_method(),
7489 TLS1_VERSION,
7490 (tst <= 4) ? TLS1_2_VERSION
7491 : TLS1_3_VERSION,
7492 &sctx, &cctx, cert, privkey))
7493 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7494 NULL, NULL)))
7495 goto end;
7496
7497 if (tst != 1 && tst != 6) {
7498 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7499 hostname_cb)))
7500 goto end;
7501 }
7502
7503 if (tst != 3 && tst != 8) {
7504 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7505 goto end;
7506 sexpectedhost = cexpectedhost = "goodhost";
7507 }
7508
7509 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7510 goto end;
7511
7512 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7513 cexpectedhost)
7514 || !TEST_str_eq(SSL_get_servername(serverssl,
7515 TLSEXT_NAMETYPE_host_name),
7516 sexpectedhost))
7517 goto end;
7518
7519 /* Now repeat with a resumption handshake */
7520
7521 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7522 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7523 || !TEST_true(SSL_SESSION_is_resumable(sess))
7524 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7525 goto end;
7526
7527 SSL_free(clientssl);
7528 SSL_free(serverssl);
7529 clientssl = serverssl = NULL;
7530
7531 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7532 NULL)))
7533 goto end;
7534
7535 if (!TEST_true(SSL_set_session(clientssl, sess)))
7536 goto end;
7537
7538 sexpectedhost = cexpectedhost = "goodhost";
7539 if (tst == 2 || tst == 7) {
7540 /* Set an inconsistent hostname */
7541 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7542 goto end;
7543 /*
7544 * In TLSv1.2 we expect the hostname from the original handshake, in
7545 * TLSv1.3 we expect the hostname from this handshake
7546 */
7547 if (tst == 7)
7548 sexpectedhost = cexpectedhost = "altgoodhost";
7549
7550 if (!TEST_str_eq(SSL_get_servername(clientssl,
7551 TLSEXT_NAMETYPE_host_name),
7552 "altgoodhost"))
7553 goto end;
7554 } else if (tst == 4 || tst == 9) {
7555 /*
7556 * A TLSv1.3 session does not associate a session with a servername,
7557 * but a TLSv1.2 session does.
7558 */
7559 if (tst == 9)
7560 sexpectedhost = cexpectedhost = NULL;
7561
7562 if (!TEST_str_eq(SSL_get_servername(clientssl,
7563 TLSEXT_NAMETYPE_host_name),
7564 cexpectedhost))
7565 goto end;
7566 } else {
7567 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7568 goto end;
7569 /*
7570 * In a TLSv1.2 resumption where the hostname was not acknowledged
7571 * we expect the hostname on the server to be empty. On the client we
7572 * return what was requested in this case.
7573 *
7574 * Similarly if the client didn't set a hostname on an original TLSv1.2
7575 * session but is now, the server hostname will be empty, but the client
7576 * is as we set it.
7577 */
7578 if (tst == 1 || tst == 3)
7579 sexpectedhost = NULL;
7580
7581 if (!TEST_str_eq(SSL_get_servername(clientssl,
7582 TLSEXT_NAMETYPE_host_name),
7583 "goodhost"))
7584 goto end;
7585 }
7586
7587 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7588 goto end;
7589
7590 if (!TEST_true(SSL_session_reused(clientssl))
7591 || !TEST_true(SSL_session_reused(serverssl))
7592 || !TEST_str_eq(SSL_get_servername(clientssl,
7593 TLSEXT_NAMETYPE_host_name),
7594 cexpectedhost)
7595 || !TEST_str_eq(SSL_get_servername(serverssl,
7596 TLSEXT_NAMETYPE_host_name),
7597 sexpectedhost))
7598 goto end;
7599
7600 testresult = 1;
7601
7602 end:
7603 SSL_SESSION_free(sess);
7604 SSL_free(serverssl);
7605 SSL_free(clientssl);
7606 SSL_CTX_free(sctx);
7607 SSL_CTX_free(cctx);
7608
7609 return testresult;
7610 }
7611
7612 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7613
7614 int setup_tests(void)
7615 {
7616 char *modulename;
7617 char *configfile;
7618
7619 libctx = OPENSSL_CTX_new();
7620 if (!TEST_ptr(libctx))
7621 return 0;
7622
7623 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7624
7625 /*
7626 * Verify that the default and fips providers in the default libctx are not
7627 * available
7628 */
7629 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7630 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7631 return 0;
7632
7633 if (!test_skip_common_options()) {
7634 TEST_error("Error parsing test options\n");
7635 return 0;
7636 }
7637
7638 if (!TEST_ptr(certsdir = test_get_argument(0))
7639 || !TEST_ptr(srpvfile = test_get_argument(1))
7640 || !TEST_ptr(tmpfilename = test_get_argument(2))
7641 || !TEST_ptr(modulename = test_get_argument(3))
7642 || !TEST_ptr(configfile = test_get_argument(4)))
7643 return 0;
7644
7645 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7646 return 0;
7647
7648 /* Check we have the expected provider available */
7649 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7650 return 0;
7651
7652 /* Check the default provider is not available */
7653 if (strcmp(modulename, "default") != 0
7654 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7655 return 0;
7656
7657 if (strcmp(modulename, "fips") == 0)
7658 is_fips = 1;
7659
7660 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7661 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7662 TEST_error("not supported in this build");
7663 return 0;
7664 #else
7665 int i, mcount, rcount, fcount;
7666
7667 for (i = 0; i < 4; i++)
7668 test_export_key_mat(i);
7669 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7670 test_printf_stdout("malloc %d realloc %d free %d\n",
7671 mcount, rcount, fcount);
7672 return 1;
7673 #endif
7674 }
7675
7676 cert = test_mk_file_path(certsdir, "servercert.pem");
7677 if (cert == NULL)
7678 return 0;
7679
7680 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7681 if (privkey == NULL) {
7682 OPENSSL_free(cert);
7683 return 0;
7684 }
7685
7686 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7687 && !defined(OPENSSL_NO_SOCK)
7688 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7689 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7690 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7691 ADD_TEST(test_ktls_client_no_txrx_server);
7692 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7693 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7694 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7695 ADD_TEST(test_ktls_client_no_rx_server);
7696 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7697 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7698 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7699 ADD_TEST(test_ktls_client_no_tx_server);
7700 ADD_TEST(test_ktls_no_txrx_client_server);
7701 ADD_TEST(test_ktls_no_rx_client_server);
7702 ADD_TEST(test_ktls_no_tx_client_server);
7703 ADD_TEST(test_ktls_client_server);
7704 ADD_TEST(test_ktls_sendfile);
7705 #endif
7706 ADD_TEST(test_large_message_tls);
7707 ADD_TEST(test_large_message_tls_read_ahead);
7708 #ifndef OPENSSL_NO_DTLS
7709 ADD_TEST(test_large_message_dtls);
7710 #endif
7711 #ifndef OPENSSL_NO_OCSP
7712 ADD_TEST(test_tlsext_status_type);
7713 #endif
7714 ADD_TEST(test_session_with_only_int_cache);
7715 ADD_TEST(test_session_with_only_ext_cache);
7716 ADD_TEST(test_session_with_both_cache);
7717 ADD_TEST(test_session_wo_ca_names);
7718 #ifndef OPENSSL_NO_TLS1_3
7719 ADD_ALL_TESTS(test_stateful_tickets, 3);
7720 ADD_ALL_TESTS(test_stateless_tickets, 3);
7721 ADD_TEST(test_psk_tickets);
7722 ADD_ALL_TESTS(test_extra_tickets, 6);
7723 #endif
7724 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7725 ADD_TEST(test_ssl_bio_pop_next_bio);
7726 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7727 ADD_TEST(test_ssl_bio_change_rbio);
7728 ADD_TEST(test_ssl_bio_change_wbio);
7729 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7730 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7731 ADD_TEST(test_keylog);
7732 #endif
7733 #ifndef OPENSSL_NO_TLS1_3
7734 ADD_TEST(test_keylog_no_master_key);
7735 #endif
7736 #ifndef OPENSSL_NO_TLS1_2
7737 ADD_TEST(test_client_hello_cb);
7738 ADD_TEST(test_no_ems);
7739 ADD_TEST(test_ccs_change_cipher);
7740 #endif
7741 #ifndef OPENSSL_NO_TLS1_3
7742 ADD_ALL_TESTS(test_early_data_read_write, 3);
7743 /*
7744 * We don't do replay tests for external PSK. Replay protection isn't used
7745 * in that scenario.
7746 */
7747 ADD_ALL_TESTS(test_early_data_replay, 2);
7748 ADD_ALL_TESTS(test_early_data_skip, 3);
7749 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7750 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7751 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7752 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7753 ADD_ALL_TESTS(test_early_data_psk, 8);
7754 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
7755 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7756 # ifndef OPENSSL_NO_TLS1_2
7757 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7758 # endif
7759 #endif
7760 #ifndef OPENSSL_NO_TLS1_3
7761 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7762 ADD_TEST(test_ciphersuite_change);
7763 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7764 # ifdef OPENSSL_NO_PSK
7765 ADD_ALL_TESTS(test_tls13_psk, 1);
7766 # else
7767 ADD_ALL_TESTS(test_tls13_psk, 4);
7768 # endif /* OPENSSL_NO_PSK */
7769 # ifndef OPENSSL_NO_TLS1_2
7770 /* Test with both TLSv1.3 and 1.2 versions */
7771 ADD_ALL_TESTS(test_key_exchange, 14);
7772 # else
7773 /* Test with only TLSv1.3 versions */
7774 ADD_ALL_TESTS(test_key_exchange, 12);
7775 # endif
7776 ADD_ALL_TESTS(test_custom_exts, 5);
7777 ADD_TEST(test_stateless);
7778 ADD_TEST(test_pha_key_update);
7779 #else
7780 ADD_ALL_TESTS(test_custom_exts, 3);
7781 #endif
7782 ADD_ALL_TESTS(test_serverinfo, 8);
7783 ADD_ALL_TESTS(test_export_key_mat, 6);
7784 #ifndef OPENSSL_NO_TLS1_3
7785 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7786 ADD_TEST(test_key_update);
7787 ADD_ALL_TESTS(test_key_update_in_write, 2);
7788 #endif
7789 ADD_ALL_TESTS(test_ssl_clear, 2);
7790 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7791 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7792 ADD_ALL_TESTS(test_srp, 6);
7793 #endif
7794 ADD_ALL_TESTS(test_info_callback, 6);
7795 ADD_ALL_TESTS(test_ssl_pending, 2);
7796 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7797 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7798 ADD_ALL_TESTS(test_shutdown, 7);
7799 ADD_ALL_TESTS(test_cert_cb, 6);
7800 ADD_ALL_TESTS(test_client_cert_cb, 2);
7801 ADD_ALL_TESTS(test_ca_names, 3);
7802 #ifndef OPENSSL_NO_TLS1_2
7803 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7804 #endif
7805 ADD_ALL_TESTS(test_servername, 10);
7806 return 1;
7807 }
7808
7809 void cleanup_tests(void)
7810 {
7811 OPENSSL_free(cert);
7812 OPENSSL_free(privkey);
7813 bio_s_mempacket_test_free();
7814 bio_s_always_retry_free();
7815 OSSL_PROVIDER_unload(defctxnull);
7816 OPENSSL_CTX_free(libctx);
7817 }
A mirror of the official openssl repository