]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
test/recipes/01-test_symbol_presence.t: check for duplicate symbols in static libs
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
46
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50 /*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54 # define OSSL_NO_USABLE_TLS1_3
55 #endif
56
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
62
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
65
66 #ifndef OSSL_NO_USABLE_TLS1_3
67
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
72
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
80
81 static SSL_SESSION *create_a_psk(SSL *ssl);
82 #endif
83
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
100
101 static int is_fips = 0;
102
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
109
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
114
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
117 #endif
118
119 #define NUM_EXTRA_CERTS 40
120 #define CLIENT_VERSION_LEN 2
121
122 /*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126 struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
136 };
137
138
139 static int hostname_cb(SSL *s, int *al, void *arg)
140 {
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148 }
149
150 static void client_keylog_callback(const SSL *ssl, const char *line)
151 {
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
164 }
165
166 static void server_keylog_callback(const SSL *ssl, const char *line)
167 {
168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
180 }
181
182 static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
185 size_t raw_length)
186 {
187 size_t i, j;
188 char hexed[3];
189
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 return 1;
192
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
197 return 1;
198 }
199
200 return 0;
201 }
202
203 static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
206 {
207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
221
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 return 0;
232 if (!TEST_size_t_eq(strlen(token), 16))
233 return 0;
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 return 0;
236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 if (!TEST_size_t_eq(strlen(token), 64))
256 return 0;
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
267 if (!TEST_size_t_ne(master_key_size, 0))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
272 return 0;
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310 if (!TEST_size_t_eq(strlen(token), 64))
311 return 0;
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 } else {
320 TEST_info("Unexpected token %s\n", token);
321 return 0;
322 }
323 }
324
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
344 return 0;
345 return 1;
346 }
347
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349 static int test_keylog(void)
350 {
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
354 struct sslapitest_log_counts expected;
355
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 TLS_client_method(),
366 TLS1_VERSION, 0,
367 &sctx, &cctx, cert, privkey)))
368 return 0;
369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 goto end;
377
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 goto end;
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
384 goto end;
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
388 goto end;
389
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
398 goto end;
399
400 /*
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
405 */
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
410 goto end;
411
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
415 goto end;
416
417 testresult = 1;
418
419 end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426 }
427 #endif
428
429 #ifndef OSSL_NO_USABLE_TLS1_3
430 static int test_keylog_no_master_key(void)
431 {
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
435 int testresult = 0;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
439
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
453 return 0;
454
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
462 goto end;
463
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
467 goto end;
468
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
475 goto end;
476
477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
481 */
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
492 goto end;
493
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
533 testresult = 1;
534
535 end:
536 SSL_SESSION_free(sess);
537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543 }
544 #endif
545
546 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547 {
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
562 return res;
563 }
564
565 static int test_client_cert_verify_cb(void)
566 {
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621 end:
622 X509_free(crt1);
623 X509_free(crt2);
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642 }
643
644 static int test_ssl_build_cert_chain(void)
645 {
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665 end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671 }
672
673 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674 {
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682 }
683
684 static int test_ssl_ctx_build_cert_chain(void)
685 {
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704 end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709 }
710
711 #ifndef OPENSSL_NO_TLS1_2
712 static int full_client_hello_callback(SSL *s, int *al, void *arg)
713 {
714 int *ctr = arg;
715 const unsigned char *p;
716 int *exts;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
718 #ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720 #else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723 #endif
724 const int expected_extensions[] = {
725 #ifndef OPENSSL_NO_EC
726 11, 10,
727 #endif
728 35, 22, 23, 13};
729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
733 return SSL_CLIENT_HELLO_RETRY;
734
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
746 OPENSSL_free(exts);
747 return SSL_CLIENT_HELLO_ERROR;
748 }
749 OPENSSL_free(exts);
750 return SSL_CLIENT_HELLO_SUCCESS;
751 }
752
753 static int test_client_hello_cb(void)
754 {
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
762 goto end;
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786 end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793 }
794
795 static int test_no_ems(void)
796 {
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
817 goto end;
818 }
819
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
822 goto end;
823 }
824
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
827 goto end;
828 }
829 testresult = 1;
830
831 end:
832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836
837 return testresult;
838 }
839
840 /*
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
844 * encryption to real encryption).
845 */
846 static int test_ccs_change_cipher(void)
847 {
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
851 int testresult = 0;
852 int i;
853 unsigned char buf;
854 size_t readbytes;
855
856 /*
857 * Create a connection so we can resume and potentially (but not) use
858 * a different cipher in the second connection.
859 */
860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
861 TLS_client_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
866 NULL, NULL))
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
869 SSL_ERROR_NONE))
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
872 goto end;
873
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
876
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
880 NULL, NULL))
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
884 SSL_ERROR_NONE))
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
891 goto end;
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
894
895 /*
896 * Now create a fresh connection and try to renegotiate a different
897 * cipher on it.
898 */
899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
900 NULL, NULL))
901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
903 SSL_ERROR_NONE))
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
908 goto end;
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
913 goto end;
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
916 goto end;
917 }
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
920 goto end;
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
923 goto end;
924 }
925 }
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
934 goto end;
935
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
938
939 testresult = 1;
940
941 end:
942 SSL_free(serverssl);
943 SSL_free(clientssl);
944 SSL_CTX_free(sctx);
945 SSL_CTX_free(cctx);
946 SSL_SESSION_free(sess);
947
948 return testresult;
949 }
950 #endif
951
952 static int execute_test_large_message(const SSL_METHOD *smeth,
953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
955 int read_ahead)
956 {
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
959 int testresult = 0;
960 int i;
961 BIO *certbio = NULL;
962 X509 *chaincert = NULL;
963 int certlen;
964
965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
966 goto end;
967
968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
969 goto end;
970
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
972 goto end;
973 BIO_free(certbio);
974 certbio = NULL;
975
976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
978 privkey)))
979 goto end;
980
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
983 /*
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
985 * level 0
986 */
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
990 goto end;
991 }
992 #endif
993
994 if (read_ahead) {
995 /*
996 * Test that read_ahead works correctly when dealing with large
997 * records
998 */
999 SSL_CTX_set_read_ahead(cctx, 1);
1000 }
1001
1002 /*
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
1008 */
1009 certlen = i2d_X509(chaincert, NULL);
1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1013 if (!X509_up_ref(chaincert))
1014 goto end;
1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1016 X509_free(chaincert);
1017 goto end;
1018 }
1019 }
1020
1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1022 NULL, NULL))
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1024 SSL_ERROR_NONE)))
1025 goto end;
1026
1027 /*
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1029 * doesn't leak.
1030 */
1031 if (!TEST_true(SSL_clear(serverssl)))
1032 goto end;
1033
1034 testresult = 1;
1035 end:
1036 BIO_free(certbio);
1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1040 SSL_CTX_free(sctx);
1041 SSL_CTX_free(cctx);
1042
1043 return testresult;
1044 }
1045
1046 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1048 /* sock must be connected */
1049 static int ktls_chk_platform(int sock)
1050 {
1051 if (!ktls_enable(sock))
1052 return 0;
1053 return 1;
1054 }
1055
1056 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1057 {
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1061 size_t err = 0;
1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
1070 SSL_CONNECTION *clientsc, *serversc;
1071
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1074 goto end;
1075
1076 cbuf[0] = count++;
1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1081
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1083 goto end;
1084
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1087 goto end;
1088 }
1089 }
1090
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1092 goto end;
1093
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1096 goto end;
1097 }
1098 }
1099
1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1104
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1107 goto end;
1108
1109 /*
1110 * If ktls is used then kernel sequences are used instead of
1111 * OpenSSL sequences
1112 */
1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
1116 goto end;
1117 } else {
1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
1120 goto end;
1121 }
1122
1123 if (!BIO_get_ktls_send(serversc->wbio)) {
1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
1126 goto end;
1127 } else {
1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
1130 goto end;
1131 }
1132
1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
1136 goto end;
1137 } else {
1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
1140 goto end;
1141 }
1142
1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
1146 goto end;
1147 } else {
1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
1150 goto end;
1151 }
1152
1153 return 1;
1154 end:
1155 return 0;
1156 }
1157
1158 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1159 int tls_version, const char *cipher)
1160 {
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1165 int rx_supported;
1166 SSL_CONNECTION *clientsc, *serversc;
1167
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1169 goto end;
1170
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1174 goto end;
1175 }
1176
1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1179 goto end;
1180 }
1181
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version, tls_version,
1186 &sctx, &cctx, cert, privkey)))
1187 goto end;
1188
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1192 goto end;
1193 } else {
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1196 goto end;
1197 }
1198
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
1201 goto end;
1202
1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1205 goto end;
1206
1207 if (cis_ktls) {
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1209 goto end;
1210 }
1211
1212 if (sis_ktls) {
1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1214 goto end;
1215 }
1216
1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1218 goto end;
1219
1220 /*
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1223 * isn't enabled.
1224 */
1225 if (!cis_ktls) {
1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1227 goto end;
1228 } else {
1229 if (BIO_get_ktls_send(clientsc->wbio))
1230 ktls_used = 1;
1231 }
1232
1233 if (!sis_ktls) {
1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1235 goto end;
1236 } else {
1237 if (BIO_get_ktls_send(serversc->wbio))
1238 ktls_used = 1;
1239 }
1240
1241 #if defined(OPENSSL_NO_KTLS_RX)
1242 rx_supported = 0;
1243 #else
1244 rx_supported = 1;
1245 #endif
1246 if (!cis_ktls || !rx_supported) {
1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1248 goto end;
1249 } else {
1250 if (BIO_get_ktls_send(clientsc->rbio))
1251 ktls_used = 1;
1252 }
1253
1254 if (!sis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1256 goto end;
1257 } else {
1258 if (BIO_get_ktls_send(serversc->rbio))
1259 ktls_used = 1;
1260 }
1261
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1265 "TLS 1.2", cipher);
1266 goto end;
1267 }
1268
1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1270 goto end;
1271
1272 testresult = 1;
1273 end:
1274 if (clientssl) {
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1277 }
1278 if (serverssl) {
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1281 }
1282 SSL_CTX_free(sctx);
1283 SSL_CTX_free(cctx);
1284 serverssl = clientssl = NULL;
1285 if (cfd != -1)
1286 close(cfd);
1287 if (sfd != -1)
1288 close(sfd);
1289 return testresult;
1290 }
1291
1292 #define SENDFILE_SZ (16 * 4096)
1293 #define SENDFILE_CHUNK (4 * 4096)
1294 #define min(a,b) ((a) > (b) ? (b) : (a))
1295
1296 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1297 int zerocopy)
1298 {
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308 SSL_CONNECTION *serversc;
1309
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1314 goto end;
1315
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1319 goto end;
1320 }
1321
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1324 goto end;
1325 }
1326
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1332 goto end;
1333
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1337 goto end;
1338 } else {
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1341 goto end;
1342 }
1343
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1346 goto end;
1347
1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1349 goto end;
1350
1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1352 goto end;
1353
1354 if (zerocopy) {
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1357 goto end;
1358 }
1359
1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1361 SSL_ERROR_NONE)))
1362 goto end;
1363
1364 if (!BIO_get_ktls_send(serversc->wbio)) {
1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1367 "TLS 1.2", cipher);
1368 goto end;
1369 }
1370
1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1372 goto end;
1373
1374 out = BIO_new_file(tmpfilename, "wb");
1375 if (!TEST_ptr(out))
1376 goto end;
1377
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1379 goto end;
1380
1381 BIO_free(out);
1382 out = NULL;
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1385 ffd = fileno(ffdp);
1386
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1390 ffd,
1391 chunk_off,
1392 chunk_size,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1395 goto end;
1396 }
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1401 goto end;
1402 }
1403
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1406 chunk_size,
1407 buf + chunk_off,
1408 chunk_size))
1409 goto end;
1410
1411 chunk_off += chunk_size;
1412 }
1413
1414 testresult = 1;
1415 end:
1416 if (clientssl) {
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1419 }
1420 if (serverssl) {
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1423 }
1424 SSL_CTX_free(sctx);
1425 SSL_CTX_free(cctx);
1426 serverssl = clientssl = NULL;
1427 BIO_free(out);
1428 BIO_free(in);
1429 if (cfd != -1)
1430 close(cfd);
1431 if (sfd != -1)
1432 close(sfd);
1433 OPENSSL_free(buf);
1434 OPENSSL_free(buf_dst);
1435 return testresult;
1436 }
1437
1438 static struct ktls_test_cipher {
1439 int tls_version;
1440 const char *cipher;
1441 } ktls_test_ciphers[] = {
1442 # if !defined(OPENSSL_NO_TLS1_2)
1443 # ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1445 # endif
1446 # ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1448 # endif
1449 # ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1451 # endif
1452 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1453 # ifndef OPENSSL_NO_EC
1454 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1455 # endif
1456 # endif
1457 # endif
1458 # if !defined(OSSL_NO_USABLE_TLS1_3)
1459 # ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1461 # endif
1462 # ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1464 # endif
1465 # ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1467 # endif
1468 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1470 # endif
1471 # endif
1472 };
1473
1474 #define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1476
1477 static int test_ktls(int test)
1478 {
1479 struct ktls_test_cipher *cipher;
1480 int cis_ktls, sis_ktls;
1481
1482 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1483 cipher = &ktls_test_ciphers[test / 4];
1484
1485 cis_ktls = (test & 1) != 0;
1486 sis_ktls = (test & 2) != 0;
1487
1488 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1489 cipher->cipher);
1490 }
1491
1492 static int test_ktls_sendfile(int test)
1493 {
1494 struct ktls_test_cipher *cipher;
1495 int tst = test >> 1;
1496
1497 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1498 cipher = &ktls_test_ciphers[tst];
1499
1500 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1501 test & 1);
1502 }
1503 #endif
1504
1505 static int test_large_message_tls(void)
1506 {
1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1508 TLS1_VERSION, 0, 0);
1509 }
1510
1511 static int test_large_message_tls_read_ahead(void)
1512 {
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1514 TLS1_VERSION, 0, 1);
1515 }
1516
1517 #ifndef OPENSSL_NO_DTLS
1518 static int test_large_message_dtls(void)
1519 {
1520 # ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1522 if (is_fips)
1523 return 1;
1524 # endif
1525 /*
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1528 */
1529 return execute_test_large_message(DTLS_server_method(),
1530 DTLS_client_method(),
1531 DTLS1_VERSION, 0, 0);
1532 }
1533 #endif
1534
1535 /*
1536 * Test we can successfully send the maximum amount of application data. We
1537 * test each protocol version individually, each with and without EtM enabled.
1538 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1539 * simpler this way. We also test all combinations with and without the
1540 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1541 * underlying buffer.
1542 */
1543 static int test_large_app_data(int tst)
1544 {
1545 SSL_CTX *cctx = NULL, *sctx = NULL;
1546 SSL *clientssl = NULL, *serverssl = NULL;
1547 int testresult = 0, prot;
1548 unsigned char *msg, *buf = NULL;
1549 size_t written, readbytes;
1550 const SSL_METHOD *smeth = TLS_server_method();
1551 const SSL_METHOD *cmeth = TLS_client_method();
1552
1553 switch (tst >> 2) {
1554 case 0:
1555 #ifndef OSSL_NO_USABLE_TLS1_3
1556 prot = TLS1_3_VERSION;
1557 break;
1558 #else
1559 return 1;
1560 #endif
1561
1562 case 1:
1563 #ifndef OPENSSL_NO_TLS1_2
1564 prot = TLS1_2_VERSION;
1565 break;
1566 #else
1567 return 1;
1568 #endif
1569
1570 case 2:
1571 #ifndef OPENSSL_NO_TLS1_1
1572 prot = TLS1_1_VERSION;
1573 break;
1574 #else
1575 return 1;
1576 #endif
1577
1578 case 3:
1579 #ifndef OPENSSL_NO_TLS1
1580 prot = TLS1_VERSION;
1581 break;
1582 #else
1583 return 1;
1584 #endif
1585
1586 case 4:
1587 #ifndef OPENSSL_NO_SSL3
1588 prot = SSL3_VERSION;
1589 break;
1590 #else
1591 return 1;
1592 #endif
1593
1594 case 5:
1595 #ifndef OPENSSL_NO_DTLS1_2
1596 prot = DTLS1_2_VERSION;
1597 smeth = DTLS_server_method();
1598 cmeth = DTLS_client_method();
1599 break;
1600 #else
1601 return 1;
1602 #endif
1603
1604 case 6:
1605 #ifndef OPENSSL_NO_DTLS1
1606 prot = DTLS1_VERSION;
1607 smeth = DTLS_server_method();
1608 cmeth = DTLS_client_method();
1609 break;
1610 #else
1611 return 1;
1612 #endif
1613
1614 default:
1615 /* Shouldn't happen */
1616 return 0;
1617 }
1618
1619 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1620 return 1;
1621
1622 /* Maximal sized message of zeros */
1623 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1624 if (!TEST_ptr(msg))
1625 goto end;
1626
1627 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1628 if (!TEST_ptr(buf))
1629 goto end;
1630 /* Set whole buffer to all bits set */
1631 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1632
1633 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1634 &sctx, &cctx, cert, privkey)))
1635 goto end;
1636
1637 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1638 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1640 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1641 "DEFAULT:@SECLEVEL=0")))
1642 goto end;
1643 }
1644
1645 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1646 &clientssl, NULL, NULL)))
1647 goto end;
1648
1649 if ((tst & 1) != 0) {
1650 /* Setting this option gives us a minimally sized underlying buffer */
1651 if (!TEST_true(SSL_set_options(serverssl,
1652 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1653 || !TEST_true(SSL_set_options(clientssl,
1654 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1655 goto end;
1656 }
1657
1658 if ((tst & 2) != 0) {
1659 /*
1660 * Setting this option means the MAC is added before encryption
1661 * giving us a larger record for the encryption process
1662 */
1663 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1664 || !TEST_true(SSL_set_options(clientssl,
1665 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1666 goto end;
1667 }
1668
1669 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1670 goto end;
1671
1672 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1673 &written))
1674 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1675 goto end;
1676
1677 /* We provide a buffer slightly larger than what we are actually expecting */
1678 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1679 &readbytes)))
1680 goto end;
1681
1682 if (!TEST_mem_eq(msg, written, buf, readbytes))
1683 goto end;
1684
1685 testresult = 1;
1686 end:
1687 OPENSSL_free(msg);
1688 OPENSSL_free(buf);
1689 SSL_free(serverssl);
1690 SSL_free(clientssl);
1691 SSL_CTX_free(sctx);
1692 SSL_CTX_free(cctx);
1693 return testresult;
1694 }
1695
1696 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1697 const SSL_METHOD *cmeth,
1698 int min_version, int max_version)
1699 {
1700 size_t i;
1701 SSL_CTX *cctx = NULL, *sctx = NULL;
1702 SSL *clientssl = NULL, *serverssl = NULL;
1703 int testresult = 0;
1704 void *zbuf;
1705 SSL_CONNECTION *serversc;
1706 TLS_RECORD *rr;
1707
1708 static unsigned char cbuf[16000];
1709 static unsigned char sbuf[16000];
1710
1711 if (!TEST_true(create_ssl_ctx_pair(libctx,
1712 smeth, cmeth,
1713 min_version, max_version,
1714 &sctx, &cctx, cert,
1715 privkey)))
1716 goto end;
1717
1718 #ifdef OPENSSL_NO_DTLS1_2
1719 if (smeth == DTLS_server_method()) {
1720 # ifdef OPENSSL_NO_DTLS1_2
1721 /* Not supported in the FIPS provider */
1722 if (is_fips) {
1723 testresult = 1;
1724 goto end;
1725 };
1726 # endif
1727 /*
1728 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1729 * level 0
1730 */
1731 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1732 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1733 "DEFAULT:@SECLEVEL=0")))
1734 goto end;
1735 }
1736 #endif
1737
1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1739 NULL, NULL)))
1740 goto end;
1741
1742 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1743 goto end;
1744
1745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 SSL_ERROR_NONE)))
1747 goto end;
1748
1749 for (i = 0; i < sizeof(cbuf); i++) {
1750 cbuf[i] = i & 0xff;
1751 }
1752
1753 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1754 goto end;
1755
1756 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1757 goto end;
1758
1759 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1760 goto end;
1761
1762 /*
1763 * Since we called SSL_peek(), we know the data in the record
1764 * layer is a plaintext record. We can gather the pointer to check
1765 * for zeroization after SSL_read().
1766 */
1767 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1768 goto end;
1769 rr = serversc->rlayer.tlsrecs;
1770
1771 zbuf = &rr->data[rr->off];
1772 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1773 goto end;
1774
1775 /*
1776 * After SSL_peek() the plaintext must still be stored in the
1777 * record.
1778 */
1779 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1780 goto end;
1781
1782 memset(sbuf, 0, sizeof(sbuf));
1783 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1784 goto end;
1785
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 /* Check if rbuf is cleansed */
1790 memset(cbuf, 0, sizeof(cbuf));
1791 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1792 goto end;
1793
1794 testresult = 1;
1795 end:
1796 SSL_free(serverssl);
1797 SSL_free(clientssl);
1798 SSL_CTX_free(sctx);
1799 SSL_CTX_free(cctx);
1800
1801 return testresult;
1802 }
1803
1804 static int test_cleanse_plaintext(void)
1805 {
1806 #if !defined(OPENSSL_NO_TLS1_2)
1807 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1808 TLS_client_method(),
1809 TLS1_2_VERSION,
1810 TLS1_2_VERSION)))
1811 return 0;
1812
1813 #endif
1814
1815 #if !defined(OSSL_NO_USABLE_TLS1_3)
1816 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1817 TLS_client_method(),
1818 TLS1_3_VERSION,
1819 TLS1_3_VERSION)))
1820 return 0;
1821 #endif
1822
1823 #if !defined(OPENSSL_NO_DTLS)
1824
1825 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1826 DTLS_client_method(),
1827 DTLS1_VERSION,
1828 0)))
1829 return 0;
1830 #endif
1831 return 1;
1832 }
1833
1834 #ifndef OPENSSL_NO_OCSP
1835 static int ocsp_server_cb(SSL *s, void *arg)
1836 {
1837 int *argi = (int *)arg;
1838 unsigned char *copy = NULL;
1839 STACK_OF(OCSP_RESPID) *ids = NULL;
1840 OCSP_RESPID *id = NULL;
1841
1842 if (*argi == 2) {
1843 /* In this test we are expecting exactly 1 OCSP_RESPID */
1844 SSL_get_tlsext_status_ids(s, &ids);
1845 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1846 return SSL_TLSEXT_ERR_ALERT_FATAL;
1847
1848 id = sk_OCSP_RESPID_value(ids, 0);
1849 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1850 return SSL_TLSEXT_ERR_ALERT_FATAL;
1851 } else if (*argi != 1) {
1852 return SSL_TLSEXT_ERR_ALERT_FATAL;
1853 }
1854
1855 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857
1858 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1859 sizeof(orespder)))) {
1860 OPENSSL_free(copy);
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 }
1863 ocsp_server_called = 1;
1864 return SSL_TLSEXT_ERR_OK;
1865 }
1866
1867 static int ocsp_client_cb(SSL *s, void *arg)
1868 {
1869 int *argi = (int *)arg;
1870 const unsigned char *respderin;
1871 size_t len;
1872
1873 if (*argi != 1 && *argi != 2)
1874 return 0;
1875
1876 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1877 if (!TEST_mem_eq(orespder, len, respderin, len))
1878 return 0;
1879
1880 ocsp_client_called = 1;
1881 return 1;
1882 }
1883
1884 static int test_tlsext_status_type(void)
1885 {
1886 SSL_CTX *cctx = NULL, *sctx = NULL;
1887 SSL *clientssl = NULL, *serverssl = NULL;
1888 int testresult = 0;
1889 STACK_OF(OCSP_RESPID) *ids = NULL;
1890 OCSP_RESPID *id = NULL;
1891 BIO *certbio = NULL;
1892
1893 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1894 TLS1_VERSION, 0,
1895 &sctx, &cctx, cert, privkey))
1896 return 0;
1897
1898 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1899 goto end;
1900
1901 /* First just do various checks getting and setting tlsext_status_type */
1902
1903 clientssl = SSL_new(cctx);
1904 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1905 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1906 TLSEXT_STATUSTYPE_ocsp))
1907 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1908 TLSEXT_STATUSTYPE_ocsp))
1909 goto end;
1910
1911 SSL_free(clientssl);
1912 clientssl = NULL;
1913
1914 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1915 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1916 goto end;
1917
1918 clientssl = SSL_new(cctx);
1919 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1920 goto end;
1921 SSL_free(clientssl);
1922 clientssl = NULL;
1923
1924 /*
1925 * Now actually do a handshake and check OCSP information is exchanged and
1926 * the callbacks get called
1927 */
1928 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1929 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1930 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1931 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1933 &clientssl, NULL, NULL))
1934 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1935 SSL_ERROR_NONE))
1936 || !TEST_true(ocsp_client_called)
1937 || !TEST_true(ocsp_server_called))
1938 goto end;
1939 SSL_free(serverssl);
1940 SSL_free(clientssl);
1941 serverssl = NULL;
1942 clientssl = NULL;
1943
1944 /* Try again but this time force the server side callback to fail */
1945 ocsp_client_called = 0;
1946 ocsp_server_called = 0;
1947 cdummyarg = 0;
1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1949 &clientssl, NULL, NULL))
1950 /* This should fail because the callback will fail */
1951 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1952 SSL_ERROR_NONE))
1953 || !TEST_false(ocsp_client_called)
1954 || !TEST_false(ocsp_server_called))
1955 goto end;
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = NULL;
1959 clientssl = NULL;
1960
1961 /*
1962 * This time we'll get the client to send an OCSP_RESPID that it will
1963 * accept.
1964 */
1965 ocsp_client_called = 0;
1966 ocsp_server_called = 0;
1967 cdummyarg = 2;
1968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1969 &clientssl, NULL, NULL)))
1970 goto end;
1971
1972 /*
1973 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1974 * specific one. We'll use the server cert.
1975 */
1976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1977 || !TEST_ptr(id = OCSP_RESPID_new())
1978 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1979 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1980 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1981 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1982 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1983 goto end;
1984 id = NULL;
1985 SSL_set_tlsext_status_ids(clientssl, ids);
1986 /* Control has been transferred */
1987 ids = NULL;
1988
1989 BIO_free(certbio);
1990 certbio = NULL;
1991
1992 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1993 SSL_ERROR_NONE))
1994 || !TEST_true(ocsp_client_called)
1995 || !TEST_true(ocsp_server_called))
1996 goto end;
1997
1998 testresult = 1;
1999
2000 end:
2001 SSL_free(serverssl);
2002 SSL_free(clientssl);
2003 SSL_CTX_free(sctx);
2004 SSL_CTX_free(cctx);
2005 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2006 OCSP_RESPID_free(id);
2007 BIO_free(certbio);
2008 X509_free(ocspcert);
2009 ocspcert = NULL;
2010
2011 return testresult;
2012 }
2013 #endif
2014
2015 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2016 static int new_called, remove_called, get_called;
2017
2018 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2019 {
2020 new_called++;
2021 /*
2022 * sess has been up-refed for us, but we don't actually need it so free it
2023 * immediately.
2024 */
2025 SSL_SESSION_free(sess);
2026 return 1;
2027 }
2028
2029 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2030 {
2031 remove_called++;
2032 }
2033
2034 static SSL_SESSION *get_sess_val = NULL;
2035
2036 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2037 int *copy)
2038 {
2039 get_called++;
2040 *copy = 1;
2041 return get_sess_val;
2042 }
2043
2044 static int execute_test_session(int maxprot, int use_int_cache,
2045 int use_ext_cache, long s_options)
2046 {
2047 SSL_CTX *sctx = NULL, *cctx = NULL;
2048 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2049 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2050 # ifndef OPENSSL_NO_TLS1_1
2051 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2052 # endif
2053 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2054 int testresult = 0, numnewsesstick = 1;
2055
2056 new_called = remove_called = 0;
2057
2058 /* TLSv1.3 sends 2 NewSessionTickets */
2059 if (maxprot == TLS1_3_VERSION)
2060 numnewsesstick = 2;
2061
2062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2063 TLS_client_method(), TLS1_VERSION, 0,
2064 &sctx, &cctx, cert, privkey)))
2065 return 0;
2066
2067 /*
2068 * Only allow the max protocol version so we can force a connection failure
2069 * later
2070 */
2071 SSL_CTX_set_min_proto_version(cctx, maxprot);
2072 SSL_CTX_set_max_proto_version(cctx, maxprot);
2073
2074 /* Set up session cache */
2075 if (use_ext_cache) {
2076 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2077 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2078 }
2079 if (use_int_cache) {
2080 /* Also covers instance where both are set */
2081 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2082 } else {
2083 SSL_CTX_set_session_cache_mode(cctx,
2084 SSL_SESS_CACHE_CLIENT
2085 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2086 }
2087
2088 if (s_options) {
2089 SSL_CTX_set_options(sctx, s_options);
2090 }
2091
2092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2093 NULL, NULL))
2094 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2095 SSL_ERROR_NONE))
2096 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2097 goto end;
2098
2099 /* Should fail because it should already be in the cache */
2100 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2101 goto end;
2102 if (use_ext_cache
2103 && (!TEST_int_eq(new_called, numnewsesstick)
2104
2105 || !TEST_int_eq(remove_called, 0)))
2106 goto end;
2107
2108 new_called = remove_called = 0;
2109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2110 &clientssl2, NULL, NULL))
2111 || !TEST_true(SSL_set_session(clientssl2, sess1))
2112 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2113 SSL_ERROR_NONE))
2114 || !TEST_true(SSL_session_reused(clientssl2)))
2115 goto end;
2116
2117 if (maxprot == TLS1_3_VERSION) {
2118 /*
2119 * In TLSv1.3 we should have created a new session even though we have
2120 * resumed. Since we attempted a resume we should also have removed the
2121 * old ticket from the cache so that we try to only use tickets once.
2122 */
2123 if (use_ext_cache
2124 && (!TEST_int_eq(new_called, 1)
2125 || !TEST_int_eq(remove_called, 1)))
2126 goto end;
2127 } else {
2128 /*
2129 * In TLSv1.2 we expect to have resumed so no sessions added or
2130 * removed.
2131 */
2132 if (use_ext_cache
2133 && (!TEST_int_eq(new_called, 0)
2134 || !TEST_int_eq(remove_called, 0)))
2135 goto end;
2136 }
2137
2138 SSL_SESSION_free(sess1);
2139 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2140 goto end;
2141 shutdown_ssl_connection(serverssl2, clientssl2);
2142 serverssl2 = clientssl2 = NULL;
2143
2144 new_called = remove_called = 0;
2145 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2146 &clientssl2, NULL, NULL))
2147 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2148 SSL_ERROR_NONE)))
2149 goto end;
2150
2151 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2152 goto end;
2153
2154 if (use_ext_cache
2155 && (!TEST_int_eq(new_called, numnewsesstick)
2156 || !TEST_int_eq(remove_called, 0)))
2157 goto end;
2158
2159 new_called = remove_called = 0;
2160 /*
2161 * This should clear sess2 from the cache because it is a "bad" session.
2162 * See SSL_set_session() documentation.
2163 */
2164 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2165 goto end;
2166 if (use_ext_cache
2167 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2168 goto end;
2169 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2170 goto end;
2171
2172 if (use_int_cache) {
2173 /* Should succeeded because it should not already be in the cache */
2174 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2175 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2176 goto end;
2177 }
2178
2179 new_called = remove_called = 0;
2180 /* This shouldn't be in the cache so should fail */
2181 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2182 goto end;
2183
2184 if (use_ext_cache
2185 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2186 goto end;
2187
2188 # if !defined(OPENSSL_NO_TLS1_1)
2189 new_called = remove_called = 0;
2190 /* Force a connection failure */
2191 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2193 &clientssl3, NULL, NULL))
2194 || !TEST_true(SSL_set_session(clientssl3, sess1))
2195 /* This should fail because of the mismatched protocol versions */
2196 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2197 SSL_ERROR_NONE)))
2198 goto end;
2199
2200 /* We should have automatically removed the session from the cache */
2201 if (use_ext_cache
2202 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2203 goto end;
2204
2205 /* Should succeed because it should not already be in the cache */
2206 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2207 goto end;
2208 # endif
2209
2210 /* Now do some tests for server side caching */
2211 if (use_ext_cache) {
2212 SSL_CTX_sess_set_new_cb(cctx, NULL);
2213 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2214 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2215 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2216 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2217 get_sess_val = NULL;
2218 }
2219
2220 SSL_CTX_set_session_cache_mode(cctx, 0);
2221 /* Internal caching is the default on the server side */
2222 if (!use_int_cache)
2223 SSL_CTX_set_session_cache_mode(sctx,
2224 SSL_SESS_CACHE_SERVER
2225 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2226
2227 SSL_free(serverssl1);
2228 SSL_free(clientssl1);
2229 serverssl1 = clientssl1 = NULL;
2230 SSL_free(serverssl2);
2231 SSL_free(clientssl2);
2232 serverssl2 = clientssl2 = NULL;
2233 SSL_SESSION_free(sess1);
2234 sess1 = NULL;
2235 SSL_SESSION_free(sess2);
2236 sess2 = NULL;
2237
2238 SSL_CTX_set_max_proto_version(sctx, maxprot);
2239 if (maxprot == TLS1_2_VERSION)
2240 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2241 new_called = remove_called = get_called = 0;
2242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2243 NULL, NULL))
2244 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2245 SSL_ERROR_NONE))
2246 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2247 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2248 goto end;
2249
2250 if (use_int_cache) {
2251 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2252 /*
2253 * In TLSv1.3 it should not have been added to the internal cache,
2254 * except in the case where we also have an external cache (in that
2255 * case it gets added to the cache in order to generate remove
2256 * events after timeout).
2257 */
2258 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2259 goto end;
2260 } else {
2261 /* Should fail because it should already be in the cache */
2262 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2263 goto end;
2264 }
2265 }
2266
2267 if (use_ext_cache) {
2268 SSL_SESSION *tmp = sess2;
2269
2270 if (!TEST_int_eq(new_called, numnewsesstick)
2271 || !TEST_int_eq(remove_called, 0)
2272 || !TEST_int_eq(get_called, 0))
2273 goto end;
2274 /*
2275 * Delete the session from the internal cache to force a lookup from
2276 * the external cache. We take a copy first because
2277 * SSL_CTX_remove_session() also marks the session as non-resumable.
2278 */
2279 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2280 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2281 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2282 goto end;
2283 SSL_SESSION_free(sess2);
2284 }
2285 sess2 = tmp;
2286 }
2287
2288 new_called = remove_called = get_called = 0;
2289 get_sess_val = sess2;
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2291 &clientssl2, NULL, NULL))
2292 || !TEST_true(SSL_set_session(clientssl2, sess1))
2293 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2294 SSL_ERROR_NONE))
2295 || !TEST_true(SSL_session_reused(clientssl2)))
2296 goto end;
2297
2298 if (use_ext_cache) {
2299 if (!TEST_int_eq(remove_called, 0))
2300 goto end;
2301
2302 if (maxprot == TLS1_3_VERSION) {
2303 if (!TEST_int_eq(new_called, 1)
2304 || !TEST_int_eq(get_called, 0))
2305 goto end;
2306 } else {
2307 if (!TEST_int_eq(new_called, 0)
2308 || !TEST_int_eq(get_called, 1))
2309 goto end;
2310 }
2311 }
2312 /*
2313 * Make a small cache, force out all other sessions but
2314 * sess2, try to add sess1, which should succeed. Then
2315 * make sure it's there by checking the owners. Despite
2316 * the timeouts, sess1 should have kicked out sess2
2317 */
2318
2319 /* Make sess1 expire before sess2 */
2320 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2321 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2322 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2323 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2324 goto end;
2325
2326 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2327 goto end;
2328
2329 /* Don't care about results - cache should only be sess2 at end */
2330 SSL_CTX_add_session(sctx, sess1);
2331 SSL_CTX_add_session(sctx, sess2);
2332
2333 /* Now add sess1, and make sure it remains, despite timeout */
2334 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2335 || !TEST_ptr(sess1->owner)
2336 || !TEST_ptr_null(sess2->owner))
2337 goto end;
2338
2339 testresult = 1;
2340
2341 end:
2342 SSL_free(serverssl1);
2343 SSL_free(clientssl1);
2344 SSL_free(serverssl2);
2345 SSL_free(clientssl2);
2346 # ifndef OPENSSL_NO_TLS1_1
2347 SSL_free(serverssl3);
2348 SSL_free(clientssl3);
2349 # endif
2350 SSL_SESSION_free(sess1);
2351 SSL_SESSION_free(sess2);
2352 SSL_CTX_free(sctx);
2353 SSL_CTX_free(cctx);
2354
2355 return testresult;
2356 }
2357 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2358
2359 static int test_session_with_only_int_cache(void)
2360 {
2361 #ifndef OSSL_NO_USABLE_TLS1_3
2362 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2363 return 0;
2364 #endif
2365
2366 #ifndef OPENSSL_NO_TLS1_2
2367 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2368 #else
2369 return 1;
2370 #endif
2371 }
2372
2373 static int test_session_with_only_ext_cache(void)
2374 {
2375 #ifndef OSSL_NO_USABLE_TLS1_3
2376 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2377 return 0;
2378 #endif
2379
2380 #ifndef OPENSSL_NO_TLS1_2
2381 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2382 #else
2383 return 1;
2384 #endif
2385 }
2386
2387 static int test_session_with_both_cache(void)
2388 {
2389 #ifndef OSSL_NO_USABLE_TLS1_3
2390 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2391 return 0;
2392 #endif
2393
2394 #ifndef OPENSSL_NO_TLS1_2
2395 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2396 #else
2397 return 1;
2398 #endif
2399 }
2400
2401 static int test_session_wo_ca_names(void)
2402 {
2403 #ifndef OSSL_NO_USABLE_TLS1_3
2404 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2405 return 0;
2406 #endif
2407
2408 #ifndef OPENSSL_NO_TLS1_2
2409 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2410 #else
2411 return 1;
2412 #endif
2413 }
2414
2415
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 static SSL_SESSION *sesscache[6];
2418 static int do_cache;
2419
2420 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2421 {
2422 if (do_cache) {
2423 sesscache[new_called] = sess;
2424 } else {
2425 /* We don't need the reference to the session, so free it */
2426 SSL_SESSION_free(sess);
2427 }
2428 new_called++;
2429
2430 return 1;
2431 }
2432
2433 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2434 {
2435 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2436 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2437 return 0;
2438
2439 /* Start handshake on the server and client */
2440 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2441 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2442 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2443 || !TEST_true(create_ssl_connection(sssl, cssl,
2444 SSL_ERROR_NONE)))
2445 return 0;
2446
2447 return 1;
2448 }
2449
2450 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2451 SSL_CTX **cctx)
2452 {
2453 int sess_id_ctx = 1;
2454
2455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2456 TLS_client_method(), TLS1_VERSION, 0,
2457 sctx, cctx, cert, privkey))
2458 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2459 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2460 (void *)&sess_id_ctx,
2461 sizeof(sess_id_ctx))))
2462 return 0;
2463
2464 if (stateful)
2465 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2466
2467 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2469 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2470
2471 return 1;
2472 }
2473
2474 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2475 {
2476 SSL *serverssl = NULL, *clientssl = NULL;
2477 int i;
2478
2479 /* Test that we can resume with all the tickets we got given */
2480 for (i = 0; i < idx * 2; i++) {
2481 new_called = 0;
2482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2483 &clientssl, NULL, NULL))
2484 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2485 goto end;
2486
2487 SSL_set_post_handshake_auth(clientssl, 1);
2488
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_NONE)))
2491 goto end;
2492
2493 /*
2494 * Following a successful resumption we only get 1 ticket. After a
2495 * failed one we should get idx tickets.
2496 */
2497 if (succ) {
2498 if (!TEST_true(SSL_session_reused(clientssl))
2499 || !TEST_int_eq(new_called, 1))
2500 goto end;
2501 } else {
2502 if (!TEST_false(SSL_session_reused(clientssl))
2503 || !TEST_int_eq(new_called, idx))
2504 goto end;
2505 }
2506
2507 new_called = 0;
2508 /* After a post-handshake authentication we should get 1 new ticket */
2509 if (succ
2510 && (!post_handshake_verify(serverssl, clientssl)
2511 || !TEST_int_eq(new_called, 1)))
2512 goto end;
2513
2514 SSL_shutdown(clientssl);
2515 SSL_shutdown(serverssl);
2516 SSL_free(serverssl);
2517 SSL_free(clientssl);
2518 serverssl = clientssl = NULL;
2519 SSL_SESSION_free(sesscache[i]);
2520 sesscache[i] = NULL;
2521 }
2522
2523 return 1;
2524
2525 end:
2526 SSL_free(clientssl);
2527 SSL_free(serverssl);
2528 return 0;
2529 }
2530
2531 static int test_tickets(int stateful, int idx)
2532 {
2533 SSL_CTX *sctx = NULL, *cctx = NULL;
2534 SSL *serverssl = NULL, *clientssl = NULL;
2535 int testresult = 0;
2536 size_t j;
2537
2538 /* idx is the test number, but also the number of tickets we want */
2539
2540 new_called = 0;
2541 do_cache = 1;
2542
2543 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2544 goto end;
2545
2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2547 &clientssl, NULL, NULL)))
2548 goto end;
2549
2550 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2551 SSL_ERROR_NONE))
2552 /* Check we got the number of tickets we were expecting */
2553 || !TEST_int_eq(idx, new_called))
2554 goto end;
2555
2556 SSL_shutdown(clientssl);
2557 SSL_shutdown(serverssl);
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2560 SSL_CTX_free(sctx);
2561 SSL_CTX_free(cctx);
2562 clientssl = serverssl = NULL;
2563 sctx = cctx = NULL;
2564
2565 /*
2566 * Now we try to resume with the tickets we previously created. The
2567 * resumption attempt is expected to fail (because we're now using a new
2568 * SSL_CTX). We should see idx number of tickets issued again.
2569 */
2570
2571 /* Stop caching sessions - just count them */
2572 do_cache = 0;
2573
2574 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2575 goto end;
2576
2577 if (!check_resumption(idx, sctx, cctx, 0))
2578 goto end;
2579
2580 /* Start again with caching sessions */
2581 new_called = 0;
2582 do_cache = 1;
2583 SSL_CTX_free(sctx);
2584 SSL_CTX_free(cctx);
2585 sctx = cctx = NULL;
2586
2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2588 goto end;
2589
2590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2591 &clientssl, NULL, NULL)))
2592 goto end;
2593
2594 SSL_set_post_handshake_auth(clientssl, 1);
2595
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2597 SSL_ERROR_NONE))
2598 /* Check we got the number of tickets we were expecting */
2599 || !TEST_int_eq(idx, new_called))
2600 goto end;
2601
2602 /* After a post-handshake authentication we should get new tickets issued */
2603 if (!post_handshake_verify(serverssl, clientssl)
2604 || !TEST_int_eq(idx * 2, new_called))
2605 goto end;
2606
2607 SSL_shutdown(clientssl);
2608 SSL_shutdown(serverssl);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 serverssl = clientssl = NULL;
2612
2613 /* Stop caching sessions - just count them */
2614 do_cache = 0;
2615
2616 /*
2617 * Check we can resume with all the tickets we created. This time around the
2618 * resumptions should all be successful.
2619 */
2620 if (!check_resumption(idx, sctx, cctx, 1))
2621 goto end;
2622
2623 testresult = 1;
2624
2625 end:
2626 SSL_free(serverssl);
2627 SSL_free(clientssl);
2628 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2629 SSL_SESSION_free(sesscache[j]);
2630 sesscache[j] = NULL;
2631 }
2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634
2635 return testresult;
2636 }
2637
2638 static int test_stateless_tickets(int idx)
2639 {
2640 return test_tickets(0, idx);
2641 }
2642
2643 static int test_stateful_tickets(int idx)
2644 {
2645 return test_tickets(1, idx);
2646 }
2647
2648 static int test_psk_tickets(void)
2649 {
2650 SSL_CTX *sctx = NULL, *cctx = NULL;
2651 SSL *serverssl = NULL, *clientssl = NULL;
2652 int testresult = 0;
2653 int sess_id_ctx = 1;
2654
2655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2656 TLS_client_method(), TLS1_VERSION, 0,
2657 &sctx, &cctx, NULL, NULL))
2658 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2659 (void *)&sess_id_ctx,
2660 sizeof(sess_id_ctx))))
2661 goto end;
2662
2663 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2665 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2666 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2667 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2668 use_session_cb_cnt = 0;
2669 find_session_cb_cnt = 0;
2670 srvid = pskid;
2671 new_called = 0;
2672
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2674 NULL, NULL)))
2675 goto end;
2676 clientpsk = serverpsk = create_a_psk(clientssl);
2677 if (!TEST_ptr(clientpsk))
2678 goto end;
2679 SSL_SESSION_up_ref(clientpsk);
2680
2681 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2682 SSL_ERROR_NONE))
2683 || !TEST_int_eq(1, find_session_cb_cnt)
2684 || !TEST_int_eq(1, use_session_cb_cnt)
2685 /* We should always get 1 ticket when using external PSK */
2686 || !TEST_int_eq(1, new_called))
2687 goto end;
2688
2689 testresult = 1;
2690
2691 end:
2692 SSL_free(serverssl);
2693 SSL_free(clientssl);
2694 SSL_CTX_free(sctx);
2695 SSL_CTX_free(cctx);
2696 SSL_SESSION_free(clientpsk);
2697 SSL_SESSION_free(serverpsk);
2698 clientpsk = serverpsk = NULL;
2699
2700 return testresult;
2701 }
2702
2703 static int test_extra_tickets(int idx)
2704 {
2705 SSL_CTX *sctx = NULL, *cctx = NULL;
2706 SSL *serverssl = NULL, *clientssl = NULL;
2707 BIO *bretry = BIO_new(bio_s_always_retry());
2708 BIO *tmp = NULL;
2709 int testresult = 0;
2710 int stateful = 0;
2711 size_t nbytes;
2712 unsigned char c, buf[1];
2713
2714 new_called = 0;
2715 do_cache = 1;
2716
2717 if (idx >= 3) {
2718 idx -= 3;
2719 stateful = 1;
2720 }
2721
2722 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2723 goto end;
2724 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2725 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2726 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2727
2728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2729 &clientssl, NULL, NULL)))
2730 goto end;
2731
2732 /*
2733 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2734 * incremented by both client and server.
2735 */
2736 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2737 SSL_ERROR_NONE))
2738 /* Check we got the number of tickets we were expecting */
2739 || !TEST_int_eq(idx * 2, new_called)
2740 || !TEST_true(SSL_new_session_ticket(serverssl))
2741 || !TEST_true(SSL_new_session_ticket(serverssl))
2742 || !TEST_int_eq(idx * 2, new_called))
2743 goto end;
2744
2745 /* Now try a (real) write to actually send the tickets */
2746 c = '1';
2747 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2748 || !TEST_size_t_eq(1, nbytes)
2749 || !TEST_int_eq(idx * 2 + 2, new_called)
2750 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2751 || !TEST_int_eq(idx * 2 + 4, new_called)
2752 || !TEST_int_eq(sizeof(buf), nbytes)
2753 || !TEST_int_eq(c, buf[0])
2754 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2755 goto end;
2756
2757 /* Try with only requesting one new ticket, too */
2758 c = '2';
2759 new_called = 0;
2760 if (!TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2762 || !TEST_size_t_eq(sizeof(c), nbytes)
2763 || !TEST_int_eq(1, new_called)
2764 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_size_t_eq(sizeof(buf), nbytes)
2767 || !TEST_int_eq(c, buf[0]))
2768 goto end;
2769
2770 /* Do it again but use dummy writes to drive the ticket generation */
2771 c = '3';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_new_session_ticket(serverssl))
2775 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2776 || !TEST_size_t_eq(0, nbytes)
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779 || !TEST_int_eq(4, new_called))
2780 goto end;
2781
2782 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2783 c = '4';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_do_handshake(serverssl))
2788 || !TEST_int_eq(2, new_called)
2789 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2790 || !TEST_int_eq(4, new_called))
2791 goto end;
2792
2793 /*
2794 * Use the always-retry BIO to exercise the logic that forces ticket
2795 * generation to wait until a record boundary.
2796 */
2797 c = '5';
2798 new_called = 0;
2799 tmp = SSL_get_wbio(serverssl);
2800 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2801 tmp = NULL;
2802 goto end;
2803 }
2804 SSL_set0_wbio(serverssl, bretry);
2805 bretry = NULL;
2806 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2807 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2808 || !TEST_size_t_eq(nbytes, 0))
2809 goto end;
2810 /* Restore a BIO that will let the write succeed */
2811 SSL_set0_wbio(serverssl, tmp);
2812 tmp = NULL;
2813 /*
2814 * These calls should just queue the request and not send anything
2815 * even if we explicitly try to hit the state machine.
2816 */
2817 if (!TEST_true(SSL_new_session_ticket(serverssl))
2818 || !TEST_true(SSL_new_session_ticket(serverssl))
2819 || !TEST_int_eq(0, new_called)
2820 || !TEST_true(SSL_do_handshake(serverssl))
2821 || !TEST_int_eq(0, new_called))
2822 goto end;
2823 /* Re-do the write; still no tickets sent */
2824 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2825 || !TEST_size_t_eq(1, nbytes)
2826 || !TEST_int_eq(0, new_called)
2827 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_int_eq(sizeof(buf), nbytes)
2830 || !TEST_int_eq(c, buf[0])
2831 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2832 goto end;
2833 /* Even trying to hit the state machine now will still not send tickets */
2834 if (!TEST_true(SSL_do_handshake(serverssl))
2835 || !TEST_int_eq(0, new_called))
2836 goto end;
2837 /* Now the *next* write should send the tickets */
2838 c = '6';
2839 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2840 || !TEST_size_t_eq(1, nbytes)
2841 || !TEST_int_eq(2, new_called)
2842 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2843 || !TEST_int_eq(4, new_called)
2844 || !TEST_int_eq(sizeof(buf), nbytes)
2845 || !TEST_int_eq(c, buf[0])
2846 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2847 goto end;
2848
2849 SSL_shutdown(clientssl);
2850 SSL_shutdown(serverssl);
2851 testresult = 1;
2852
2853 end:
2854 BIO_free(bretry);
2855 BIO_free(tmp);
2856 SSL_free(serverssl);
2857 SSL_free(clientssl);
2858 SSL_CTX_free(sctx);
2859 SSL_CTX_free(cctx);
2860 clientssl = serverssl = NULL;
2861 sctx = cctx = NULL;
2862 return testresult;
2863 }
2864 #endif
2865
2866 #define USE_NULL 0
2867 #define USE_BIO_1 1
2868 #define USE_BIO_2 2
2869 #define USE_DEFAULT 3
2870
2871 #define CONNTYPE_CONNECTION_SUCCESS 0
2872 #define CONNTYPE_CONNECTION_FAIL 1
2873 #define CONNTYPE_NO_CONNECTION 2
2874
2875 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2876 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2877 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2878 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2879 #else
2880 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2881 #endif
2882
2883 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2884 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2885 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2886
2887 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2888 {
2889 switch (type) {
2890 case USE_NULL:
2891 *res = NULL;
2892 break;
2893 case USE_BIO_1:
2894 *res = bio1;
2895 break;
2896 case USE_BIO_2:
2897 *res = bio2;
2898 break;
2899 }
2900 }
2901
2902
2903 /*
2904 * Tests calls to SSL_set_bio() under various conditions.
2905 *
2906 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2908 * then do more tests where we create a successful connection first using our
2909 * standard connection setup functions, and then call SSL_set_bio() with
2910 * various combinations of valid BIOs or NULL. We then repeat these tests
2911 * following a failed connection. In this last case we are looking to check that
2912 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2913 */
2914 static int test_ssl_set_bio(int idx)
2915 {
2916 SSL_CTX *sctx = NULL, *cctx = NULL;
2917 BIO *bio1 = NULL;
2918 BIO *bio2 = NULL;
2919 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2920 SSL *serverssl = NULL, *clientssl = NULL;
2921 int initrbio, initwbio, newrbio, newwbio, conntype;
2922 int testresult = 0;
2923
2924 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2925 initrbio = idx % 3;
2926 idx /= 3;
2927 initwbio = idx % 3;
2928 idx /= 3;
2929 newrbio = idx % 3;
2930 idx /= 3;
2931 newwbio = idx % 3;
2932 conntype = CONNTYPE_NO_CONNECTION;
2933 } else {
2934 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2935 initrbio = initwbio = USE_DEFAULT;
2936 newrbio = idx % 2;
2937 idx /= 2;
2938 newwbio = idx % 2;
2939 idx /= 2;
2940 conntype = idx % 2;
2941 }
2942
2943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2944 TLS_client_method(), TLS1_VERSION, 0,
2945 &sctx, &cctx, cert, privkey)))
2946 goto end;
2947
2948 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2949 /*
2950 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2951 * because we reduced the number of tests in the definition of
2952 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2953 * mismatched protocol versions we will force a connection failure.
2954 */
2955 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2956 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2957 }
2958
2959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2960 NULL, NULL)))
2961 goto end;
2962
2963 if (initrbio == USE_BIO_1
2964 || initwbio == USE_BIO_1
2965 || newrbio == USE_BIO_1
2966 || newwbio == USE_BIO_1) {
2967 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2968 goto end;
2969 }
2970
2971 if (initrbio == USE_BIO_2
2972 || initwbio == USE_BIO_2
2973 || newrbio == USE_BIO_2
2974 || newwbio == USE_BIO_2) {
2975 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2976 goto end;
2977 }
2978
2979 if (initrbio != USE_DEFAULT) {
2980 setupbio(&irbio, bio1, bio2, initrbio);
2981 setupbio(&iwbio, bio1, bio2, initwbio);
2982 SSL_set_bio(clientssl, irbio, iwbio);
2983
2984 /*
2985 * We want to maintain our own refs to these BIO, so do an up ref for
2986 * each BIO that will have ownership transferred in the SSL_set_bio()
2987 * call
2988 */
2989 if (irbio != NULL)
2990 BIO_up_ref(irbio);
2991 if (iwbio != NULL && iwbio != irbio)
2992 BIO_up_ref(iwbio);
2993 }
2994
2995 if (conntype != CONNTYPE_NO_CONNECTION
2996 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2997 SSL_ERROR_NONE)
2998 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2999 goto end;
3000
3001 setupbio(&nrbio, bio1, bio2, newrbio);
3002 setupbio(&nwbio, bio1, bio2, newwbio);
3003
3004 /*
3005 * We will (maybe) transfer ownership again so do more up refs.
3006 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3007 * already been set!
3008 */
3009 if (nrbio != NULL
3010 && nrbio != irbio
3011 && (nwbio != iwbio || nrbio != nwbio))
3012 BIO_up_ref(nrbio);
3013 if (nwbio != NULL
3014 && nwbio != nrbio
3015 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3016 BIO_up_ref(nwbio);
3017
3018 SSL_set_bio(clientssl, nrbio, nwbio);
3019
3020 testresult = 1;
3021
3022 end:
3023 BIO_free(bio1);
3024 BIO_free(bio2);
3025
3026 /*
3027 * This test is checking that the ref counting for SSL_set_bio is correct.
3028 * If we get here and we did too many frees then we will fail in the above
3029 * functions.
3030 */
3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 SSL_CTX_free(sctx);
3034 SSL_CTX_free(cctx);
3035 return testresult;
3036 }
3037
3038 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3039
3040 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3041 {
3042 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3043 SSL_CTX *ctx;
3044 SSL *ssl = NULL;
3045 int testresult = 0;
3046
3047 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3048 || !TEST_ptr(ssl = SSL_new(ctx))
3049 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3050 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3051 goto end;
3052
3053 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3054
3055 /*
3056 * If anything goes wrong here then we could leak memory.
3057 */
3058 BIO_push(sslbio, membio1);
3059
3060 /* Verify changing the rbio/wbio directly does not cause leaks */
3061 if (change_bio != NO_BIO_CHANGE) {
3062 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3063 ssl = NULL;
3064 goto end;
3065 }
3066 if (change_bio == CHANGE_RBIO)
3067 SSL_set0_rbio(ssl, membio2);
3068 else
3069 SSL_set0_wbio(ssl, membio2);
3070 }
3071 ssl = NULL;
3072
3073 if (pop_ssl)
3074 BIO_pop(sslbio);
3075 else
3076 BIO_pop(membio1);
3077
3078 testresult = 1;
3079 end:
3080 BIO_free(membio1);
3081 BIO_free(sslbio);
3082 SSL_free(ssl);
3083 SSL_CTX_free(ctx);
3084
3085 return testresult;
3086 }
3087
3088 static int test_ssl_bio_pop_next_bio(void)
3089 {
3090 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3091 }
3092
3093 static int test_ssl_bio_pop_ssl_bio(void)
3094 {
3095 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3096 }
3097
3098 static int test_ssl_bio_change_rbio(void)
3099 {
3100 return execute_test_ssl_bio(0, CHANGE_RBIO);
3101 }
3102
3103 static int test_ssl_bio_change_wbio(void)
3104 {
3105 return execute_test_ssl_bio(0, CHANGE_WBIO);
3106 }
3107
3108 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3109 typedef struct {
3110 /* The list of sig algs */
3111 const int *list;
3112 /* The length of the list */
3113 size_t listlen;
3114 /* A sigalgs list in string format */
3115 const char *liststr;
3116 /* Whether setting the list should succeed */
3117 int valid;
3118 /* Whether creating a connection with the list should succeed */
3119 int connsuccess;
3120 } sigalgs_list;
3121
3122 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3123 # ifndef OPENSSL_NO_EC
3124 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3125 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3126 # endif
3127 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3128 static const int invalidlist2[] = {NID_sha256, NID_undef};
3129 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3130 static const int invalidlist4[] = {NID_sha256};
3131 static const sigalgs_list testsigalgs[] = {
3132 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3133 # ifndef OPENSSL_NO_EC
3134 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3135 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3136 # endif
3137 {NULL, 0, "RSA+SHA256", 1, 1},
3138 # ifndef OPENSSL_NO_EC
3139 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3140 {NULL, 0, "ECDSA+SHA512", 1, 0},
3141 # endif
3142 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3143 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3144 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3145 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3146 {NULL, 0, "RSA", 0, 0},
3147 {NULL, 0, "SHA256", 0, 0},
3148 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3149 {NULL, 0, "Invalid", 0, 0}
3150 };
3151
3152 static int test_set_sigalgs(int idx)
3153 {
3154 SSL_CTX *cctx = NULL, *sctx = NULL;
3155 SSL *clientssl = NULL, *serverssl = NULL;
3156 int testresult = 0;
3157 const sigalgs_list *curr;
3158 int testctx;
3159
3160 /* Should never happen */
3161 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3162 return 0;
3163
3164 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3165 curr = testctx ? &testsigalgs[idx]
3166 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3167
3168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3169 TLS_client_method(), TLS1_VERSION, 0,
3170 &sctx, &cctx, cert, privkey)))
3171 return 0;
3172
3173 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3174
3175 if (testctx) {
3176 int ret;
3177
3178 if (curr->list != NULL)
3179 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3180 else
3181 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3182
3183 if (!ret) {
3184 if (curr->valid)
3185 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3186 else
3187 testresult = 1;
3188 goto end;
3189 }
3190 if (!curr->valid) {
3191 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3192 goto end;
3193 }
3194 }
3195
3196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3197 &clientssl, NULL, NULL)))
3198 goto end;
3199
3200 if (!testctx) {
3201 int ret;
3202
3203 if (curr->list != NULL)
3204 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3205 else
3206 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3207 if (!ret) {
3208 if (curr->valid)
3209 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3210 else
3211 testresult = 1;
3212 goto end;
3213 }
3214 if (!curr->valid)
3215 goto end;
3216 }
3217
3218 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3219 SSL_ERROR_NONE),
3220 curr->connsuccess))
3221 goto end;
3222
3223 testresult = 1;
3224
3225 end:
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230
3231 return testresult;
3232 }
3233 #endif
3234
3235 #ifndef OSSL_NO_USABLE_TLS1_3
3236 static int psk_client_cb_cnt = 0;
3237 static int psk_server_cb_cnt = 0;
3238
3239 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3240 size_t *idlen, SSL_SESSION **sess)
3241 {
3242 switch (++use_session_cb_cnt) {
3243 case 1:
3244 /* The first call should always have a NULL md */
3245 if (md != NULL)
3246 return 0;
3247 break;
3248
3249 case 2:
3250 /* The second call should always have an md */
3251 if (md == NULL)
3252 return 0;
3253 break;
3254
3255 default:
3256 /* We should only be called a maximum of twice */
3257 return 0;
3258 }
3259
3260 if (clientpsk != NULL)
3261 SSL_SESSION_up_ref(clientpsk);
3262
3263 *sess = clientpsk;
3264 *id = (const unsigned char *)pskid;
3265 *idlen = strlen(pskid);
3266
3267 return 1;
3268 }
3269
3270 #ifndef OPENSSL_NO_PSK
3271 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3272 unsigned int max_id_len,
3273 unsigned char *psk,
3274 unsigned int max_psk_len)
3275 {
3276 unsigned int psklen = 0;
3277
3278 psk_client_cb_cnt++;
3279
3280 if (strlen(pskid) + 1 > max_id_len)
3281 return 0;
3282
3283 /* We should only ever be called a maximum of twice per connection */
3284 if (psk_client_cb_cnt > 2)
3285 return 0;
3286
3287 if (clientpsk == NULL)
3288 return 0;
3289
3290 /* We'll reuse the PSK we set up for TLSv1.3 */
3291 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3292 return 0;
3293 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3294 strncpy(id, pskid, max_id_len);
3295
3296 return psklen;
3297 }
3298 #endif /* OPENSSL_NO_PSK */
3299
3300 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3301 size_t identity_len, SSL_SESSION **sess)
3302 {
3303 find_session_cb_cnt++;
3304
3305 /* We should only ever be called a maximum of twice per connection */
3306 if (find_session_cb_cnt > 2)
3307 return 0;
3308
3309 if (serverpsk == NULL)
3310 return 0;
3311
3312 /* Identity should match that set by the client */
3313 if (strlen(srvid) != identity_len
3314 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3315 /* No PSK found, continue but without a PSK */
3316 *sess = NULL;
3317 return 1;
3318 }
3319
3320 SSL_SESSION_up_ref(serverpsk);
3321 *sess = serverpsk;
3322
3323 return 1;
3324 }
3325
3326 #ifndef OPENSSL_NO_PSK
3327 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3328 unsigned char *psk, unsigned int max_psk_len)
3329 {
3330 unsigned int psklen = 0;
3331
3332 psk_server_cb_cnt++;
3333
3334 /* We should only ever be called a maximum of twice per connection */
3335 if (find_session_cb_cnt > 2)
3336 return 0;
3337
3338 if (serverpsk == NULL)
3339 return 0;
3340
3341 /* Identity should match that set by the client */
3342 if (strcmp(srvid, identity) != 0) {
3343 return 0;
3344 }
3345
3346 /* We'll reuse the PSK we set up for TLSv1.3 */
3347 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3348 return 0;
3349 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3350
3351 return psklen;
3352 }
3353 #endif /* OPENSSL_NO_PSK */
3354
3355 #define MSG1 "Hello"
3356 #define MSG2 "World."
3357 #define MSG3 "This"
3358 #define MSG4 "is"
3359 #define MSG5 "a"
3360 #define MSG6 "test"
3361 #define MSG7 "message."
3362
3363 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3364 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3365 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3366 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3367 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3368
3369
3370 static SSL_SESSION *create_a_psk(SSL *ssl)
3371 {
3372 const SSL_CIPHER *cipher = NULL;
3373 const unsigned char key[] = {
3374 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3375 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3376 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3377 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3378 0x2c, 0x2d, 0x2e, 0x2f
3379 };
3380 SSL_SESSION *sess = NULL;
3381
3382 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3383 sess = SSL_SESSION_new();
3384 if (!TEST_ptr(sess)
3385 || !TEST_ptr(cipher)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3387 sizeof(key)))
3388 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3389 || !TEST_true(
3390 SSL_SESSION_set_protocol_version(sess,
3391 TLS1_3_VERSION))) {
3392 SSL_SESSION_free(sess);
3393 return NULL;
3394 }
3395 return sess;
3396 }
3397
3398 /*
3399 * Helper method to setup objects for early data test. Caller frees objects on
3400 * error.
3401 */
3402 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3403 SSL **serverssl, SSL_SESSION **sess, int idx)
3404 {
3405 if (*sctx == NULL
3406 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3407 TLS_client_method(),
3408 TLS1_VERSION, 0,
3409 sctx, cctx, cert, privkey)))
3410 return 0;
3411
3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3413 return 0;
3414
3415 if (idx == 1) {
3416 /* When idx == 1 we repeat the tests with read_ahead set */
3417 SSL_CTX_set_read_ahead(*cctx, 1);
3418 SSL_CTX_set_read_ahead(*sctx, 1);
3419 } else if (idx == 2) {
3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3422 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3423 use_session_cb_cnt = 0;
3424 find_session_cb_cnt = 0;
3425 srvid = pskid;
3426 }
3427
3428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3429 NULL, NULL)))
3430 return 0;
3431
3432 /*
3433 * For one of the run throughs (doesn't matter which one), we'll try sending
3434 * some SNI data in the initial ClientHello. This will be ignored (because
3435 * there is no SNI cb set up by the server), so it should not impact
3436 * early_data.
3437 */
3438 if (idx == 1
3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3440 return 0;
3441
3442 if (idx == 2) {
3443 clientpsk = create_a_psk(*clientssl);
3444 if (!TEST_ptr(clientpsk)
3445 /*
3446 * We just choose an arbitrary value for max_early_data which
3447 * should be big enough for testing purposes.
3448 */
3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3450 0x100))
3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3452 SSL_SESSION_free(clientpsk);
3453 clientpsk = NULL;
3454 return 0;
3455 }
3456 serverpsk = clientpsk;
3457
3458 if (sess != NULL) {
3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 SSL_SESSION_free(serverpsk);
3462 clientpsk = serverpsk = NULL;
3463 return 0;
3464 }
3465 *sess = clientpsk;
3466 }
3467 return 1;
3468 }
3469
3470 if (sess == NULL)
3471 return 1;
3472
3473 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3474 SSL_ERROR_NONE)))
3475 return 0;
3476
3477 *sess = SSL_get1_session(*clientssl);
3478 SSL_shutdown(*clientssl);
3479 SSL_shutdown(*serverssl);
3480 SSL_free(*serverssl);
3481 SSL_free(*clientssl);
3482 *serverssl = *clientssl = NULL;
3483
3484 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3485 clientssl, NULL, NULL))
3486 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3487 return 0;
3488
3489 return 1;
3490 }
3491
3492 static int test_early_data_read_write(int idx)
3493 {
3494 SSL_CTX *cctx = NULL, *sctx = NULL;
3495 SSL *clientssl = NULL, *serverssl = NULL;
3496 int testresult = 0;
3497 SSL_SESSION *sess = NULL;
3498 unsigned char buf[20], data[1024];
3499 size_t readbytes, written, eoedlen, rawread, rawwritten;
3500 BIO *rbio;
3501
3502 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3503 &serverssl, &sess, idx)))
3504 goto end;
3505
3506 /* Write and read some early data */
3507 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3508 &written))
3509 || !TEST_size_t_eq(written, strlen(MSG1))
3510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3511 sizeof(buf), &readbytes),
3512 SSL_READ_EARLY_DATA_SUCCESS)
3513 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3515 SSL_EARLY_DATA_ACCEPTED))
3516 goto end;
3517
3518 /*
3519 * Server should be able to write data, and client should be able to
3520 * read it.
3521 */
3522 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3523 &written))
3524 || !TEST_size_t_eq(written, strlen(MSG2))
3525 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3526 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3527 goto end;
3528
3529 /* Even after reading normal data, client should be able write early data */
3530 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3531 &written))
3532 || !TEST_size_t_eq(written, strlen(MSG3)))
3533 goto end;
3534
3535 /* Server should still be able read early data after writing data */
3536 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3537 &readbytes),
3538 SSL_READ_EARLY_DATA_SUCCESS)
3539 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3540 goto end;
3541
3542 /* Write more data from server and read it from client */
3543 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3544 &written))
3545 || !TEST_size_t_eq(written, strlen(MSG4))
3546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3547 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3548 goto end;
3549
3550 /*
3551 * If client writes normal data it should mean writing early data is no
3552 * longer possible.
3553 */
3554 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3555 || !TEST_size_t_eq(written, strlen(MSG5))
3556 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3557 SSL_EARLY_DATA_ACCEPTED))
3558 goto end;
3559
3560 /*
3561 * At this point the client has written EndOfEarlyData, ClientFinished and
3562 * normal (fully protected) data. We are going to cause a delay between the
3563 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3564 * in the read BIO, and then just put back the EndOfEarlyData message.
3565 */
3566 rbio = SSL_get_rbio(serverssl);
3567 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3568 || !TEST_size_t_lt(rawread, sizeof(data))
3569 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3570 goto end;
3571
3572 /* Record length is in the 4th and 5th bytes of the record header */
3573 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3574 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3575 || !TEST_size_t_eq(rawwritten, eoedlen))
3576 goto end;
3577
3578 /* Server should be told that there is no more early data */
3579 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580 &readbytes),
3581 SSL_READ_EARLY_DATA_FINISH)
3582 || !TEST_size_t_eq(readbytes, 0))
3583 goto end;
3584
3585 /*
3586 * Server has not finished init yet, so should still be able to write early
3587 * data.
3588 */
3589 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3590 &written))
3591 || !TEST_size_t_eq(written, strlen(MSG6)))
3592 goto end;
3593
3594 /* Push the ClientFinished and the normal data back into the server rbio */
3595 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3596 &rawwritten))
3597 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3598 goto end;
3599
3600 /* Server should be able to read normal data */
3601 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3602 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3603 goto end;
3604
3605 /* Client and server should not be able to write/read early data now */
3606 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3607 &written)))
3608 goto end;
3609 ERR_clear_error();
3610 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3611 &readbytes),
3612 SSL_READ_EARLY_DATA_ERROR))
3613 goto end;
3614 ERR_clear_error();
3615
3616 /* Client should be able to read the data sent by the server */
3617 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3618 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3619 goto end;
3620
3621 /*
3622 * Make sure we process the two NewSessionTickets. These arrive
3623 * post-handshake. We attempt reads which we do not expect to return any
3624 * data.
3625 */
3626 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3628 &readbytes)))
3629 goto end;
3630
3631 /* Server should be able to write normal data */
3632 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3633 || !TEST_size_t_eq(written, strlen(MSG7))
3634 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3635 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3636 goto end;
3637
3638 SSL_SESSION_free(sess);
3639 sess = SSL_get1_session(clientssl);
3640 use_session_cb_cnt = 0;
3641 find_session_cb_cnt = 0;
3642
3643 SSL_shutdown(clientssl);
3644 SSL_shutdown(serverssl);
3645 SSL_free(serverssl);
3646 SSL_free(clientssl);
3647 serverssl = clientssl = NULL;
3648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3649 &clientssl, NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, sess)))
3651 goto end;
3652
3653 /* Write and read some early data */
3654 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3655 &written))
3656 || !TEST_size_t_eq(written, strlen(MSG1))
3657 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3658 &readbytes),
3659 SSL_READ_EARLY_DATA_SUCCESS)
3660 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3661 goto end;
3662
3663 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3664 || !TEST_int_gt(SSL_accept(serverssl), 0))
3665 goto end;
3666
3667 /* Client and server should not be able to write/read early data now */
3668 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3669 &written)))
3670 goto end;
3671 ERR_clear_error();
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes),
3674 SSL_READ_EARLY_DATA_ERROR))
3675 goto end;
3676 ERR_clear_error();
3677
3678 /* Client and server should be able to write/read normal data */
3679 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3680 || !TEST_size_t_eq(written, strlen(MSG5))
3681 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3683 goto end;
3684
3685 testresult = 1;
3686
3687 end:
3688 SSL_SESSION_free(sess);
3689 SSL_SESSION_free(clientpsk);
3690 SSL_SESSION_free(serverpsk);
3691 clientpsk = serverpsk = NULL;
3692 SSL_free(serverssl);
3693 SSL_free(clientssl);
3694 SSL_CTX_free(sctx);
3695 SSL_CTX_free(cctx);
3696 return testresult;
3697 }
3698
3699 static int allow_ed_cb_called = 0;
3700
3701 static int allow_early_data_cb(SSL *s, void *arg)
3702 {
3703 int *usecb = (int *)arg;
3704
3705 allow_ed_cb_called++;
3706
3707 if (*usecb == 1)
3708 return 0;
3709
3710 return 1;
3711 }
3712
3713 /*
3714 * idx == 0: Standard early_data setup
3715 * idx == 1: early_data setup using read_ahead
3716 * usecb == 0: Don't use a custom early data callback
3717 * usecb == 1: Use a custom early data callback and reject the early data
3718 * usecb == 2: Use a custom early data callback and accept the early data
3719 * confopt == 0: Configure anti-replay directly
3720 * confopt == 1: Configure anti-replay using SSL_CONF
3721 */
3722 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3723 {
3724 SSL_CTX *cctx = NULL, *sctx = NULL;
3725 SSL *clientssl = NULL, *serverssl = NULL;
3726 int testresult = 0;
3727 SSL_SESSION *sess = NULL;
3728 size_t readbytes, written;
3729 unsigned char buf[20];
3730
3731 allow_ed_cb_called = 0;
3732
3733 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3734 TLS_client_method(), TLS1_VERSION, 0,
3735 &sctx, &cctx, cert, privkey)))
3736 return 0;
3737
3738 if (usecb > 0) {
3739 if (confopt == 0) {
3740 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3741 } else {
3742 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3743
3744 if (!TEST_ptr(confctx))
3745 goto end;
3746 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3747 | SSL_CONF_FLAG_SERVER);
3748 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3749 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3750 2)) {
3751 SSL_CONF_CTX_free(confctx);
3752 goto end;
3753 }
3754 SSL_CONF_CTX_free(confctx);
3755 }
3756 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3757 }
3758
3759 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3760 &serverssl, &sess, idx)))
3761 goto end;
3762
3763 /*
3764 * The server is configured to accept early data. Create a connection to
3765 * "use up" the ticket
3766 */
3767 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3768 || !TEST_true(SSL_session_reused(clientssl)))
3769 goto end;
3770
3771 SSL_shutdown(clientssl);
3772 SSL_shutdown(serverssl);
3773 SSL_free(serverssl);
3774 SSL_free(clientssl);
3775 serverssl = clientssl = NULL;
3776
3777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3778 &clientssl, NULL, NULL))
3779 || !TEST_true(SSL_set_session(clientssl, sess)))
3780 goto end;
3781
3782 /* Write and read some early data */
3783 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3784 &written))
3785 || !TEST_size_t_eq(written, strlen(MSG1)))
3786 goto end;
3787
3788 if (usecb <= 1) {
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3790 &readbytes),
3791 SSL_READ_EARLY_DATA_FINISH)
3792 /*
3793 * The ticket was reused, so the we should have rejected the
3794 * early data
3795 */
3796 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3797 SSL_EARLY_DATA_REJECTED))
3798 goto end;
3799 } else {
3800 /* In this case the callback decides to accept the early data */
3801 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3802 &readbytes),
3803 SSL_READ_EARLY_DATA_SUCCESS)
3804 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3805 /*
3806 * Server will have sent its flight so client can now send
3807 * end of early data and complete its half of the handshake
3808 */
3809 || !TEST_int_gt(SSL_connect(clientssl), 0)
3810 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3811 &readbytes),
3812 SSL_READ_EARLY_DATA_FINISH)
3813 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3814 SSL_EARLY_DATA_ACCEPTED))
3815 goto end;
3816 }
3817
3818 /* Complete the connection */
3819 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3820 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3821 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3822 goto end;
3823
3824 testresult = 1;
3825
3826 end:
3827 SSL_SESSION_free(sess);
3828 SSL_SESSION_free(clientpsk);
3829 SSL_SESSION_free(serverpsk);
3830 clientpsk = serverpsk = NULL;
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 SSL_CTX_free(sctx);
3834 SSL_CTX_free(cctx);
3835 return testresult;
3836 }
3837
3838 static int test_early_data_replay(int idx)
3839 {
3840 int ret = 1, usecb, confopt;
3841
3842 for (usecb = 0; usecb < 3; usecb++) {
3843 for (confopt = 0; confopt < 2; confopt++)
3844 ret &= test_early_data_replay_int(idx, usecb, confopt);
3845 }
3846
3847 return ret;
3848 }
3849
3850 /*
3851 * Helper function to test that a server attempting to read early data can
3852 * handle a connection from a client where the early data should be skipped.
3853 * testtype: 0 == No HRR
3854 * testtype: 1 == HRR
3855 * testtype: 2 == HRR, invalid early_data sent after HRR
3856 * testtype: 3 == recv_max_early_data set to 0
3857 */
3858 static int early_data_skip_helper(int testtype, int idx)
3859 {
3860 SSL_CTX *cctx = NULL, *sctx = NULL;
3861 SSL *clientssl = NULL, *serverssl = NULL;
3862 int testresult = 0;
3863 SSL_SESSION *sess = NULL;
3864 unsigned char buf[20];
3865 size_t readbytes, written;
3866
3867 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3868 &serverssl, &sess, idx)))
3869 goto end;
3870
3871 if (testtype == 1 || testtype == 2) {
3872 /* Force an HRR to occur */
3873 #if defined(OPENSSL_NO_EC)
3874 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3875 goto end;
3876 #else
3877 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3878 goto end;
3879 #endif
3880 } else if (idx == 2) {
3881 /*
3882 * We force early_data rejection by ensuring the PSK identity is
3883 * unrecognised
3884 */
3885 srvid = "Dummy Identity";
3886 } else {
3887 /*
3888 * Deliberately corrupt the creation time. We take 20 seconds off the
3889 * time. It could be any value as long as it is not within tolerance.
3890 * This should mean the ticket is rejected.
3891 */
3892 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3893 goto end;
3894 }
3895
3896 if (testtype == 3
3897 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3898 goto end;
3899
3900 /* Write some early data */
3901 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3902 &written))
3903 || !TEST_size_t_eq(written, strlen(MSG1)))
3904 goto end;
3905
3906 /* Server should reject the early data */
3907 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3908 &readbytes),
3909 SSL_READ_EARLY_DATA_FINISH)
3910 || !TEST_size_t_eq(readbytes, 0)
3911 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3912 SSL_EARLY_DATA_REJECTED))
3913 goto end;
3914
3915 switch (testtype) {
3916 case 0:
3917 /* Nothing to do */
3918 break;
3919
3920 case 1:
3921 /*
3922 * Finish off the handshake. We perform the same writes and reads as
3923 * further down but we expect them to fail due to the incomplete
3924 * handshake.
3925 */
3926 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3927 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3928 &readbytes)))
3929 goto end;
3930 break;
3931
3932 case 2:
3933 {
3934 BIO *wbio = SSL_get_wbio(clientssl);
3935 /* A record that will appear as bad early_data */
3936 const unsigned char bad_early_data[] = {
3937 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3938 };
3939
3940 /*
3941 * We force the client to attempt a write. This will fail because
3942 * we're still in the handshake. It will cause the second
3943 * ClientHello to be sent.
3944 */
3945 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3946 &written)))
3947 goto end;
3948
3949 /*
3950 * Inject some early_data after the second ClientHello. This should
3951 * cause the server to fail
3952 */
3953 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3954 sizeof(bad_early_data), &written)))
3955 goto end;
3956 }
3957 /* fallthrough */
3958
3959 case 3:
3960 /*
3961 * This client has sent more early_data than we are willing to skip
3962 * (case 3) or sent invalid early_data (case 2) so the connection should
3963 * abort.
3964 */
3965 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3966 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3967 goto end;
3968
3969 /* Connection has failed - nothing more to do */
3970 testresult = 1;
3971 goto end;
3972
3973 default:
3974 TEST_error("Invalid test type");
3975 goto end;
3976 }
3977
3978 /*
3979 * Should be able to send normal data despite rejection of early data. The
3980 * early_data should be skipped.
3981 */
3982 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3983 || !TEST_size_t_eq(written, strlen(MSG2))
3984 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3985 SSL_EARLY_DATA_REJECTED)
3986 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3988 goto end;
3989
3990 testresult = 1;
3991
3992 end:
3993 SSL_SESSION_free(clientpsk);
3994 SSL_SESSION_free(serverpsk);
3995 clientpsk = serverpsk = NULL;
3996 SSL_SESSION_free(sess);
3997 SSL_free(serverssl);
3998 SSL_free(clientssl);
3999 SSL_CTX_free(sctx);
4000 SSL_CTX_free(cctx);
4001 return testresult;
4002 }
4003
4004 /*
4005 * Test that a server attempting to read early data can handle a connection
4006 * from a client where the early data is not acceptable.
4007 */
4008 static int test_early_data_skip(int idx)
4009 {
4010 return early_data_skip_helper(0, idx);
4011 }
4012
4013 /*
4014 * Test that a server attempting to read early data can handle a connection
4015 * from a client where an HRR occurs.
4016 */
4017 static int test_early_data_skip_hrr(int idx)
4018 {
4019 return early_data_skip_helper(1, idx);
4020 }
4021
4022 /*
4023 * Test that a server attempting to read early data can handle a connection
4024 * from a client where an HRR occurs and correctly fails if early_data is sent
4025 * after the HRR
4026 */
4027 static int test_early_data_skip_hrr_fail(int idx)
4028 {
4029 return early_data_skip_helper(2, idx);
4030 }
4031
4032 /*
4033 * Test that a server attempting to read early data will abort if it tries to
4034 * skip over too much.
4035 */
4036 static int test_early_data_skip_abort(int idx)
4037 {
4038 return early_data_skip_helper(3, idx);
4039 }
4040
4041 /*
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client that doesn't send any.
4044 */
4045 static int test_early_data_not_sent(int idx)
4046 {
4047 SSL_CTX *cctx = NULL, *sctx = NULL;
4048 SSL *clientssl = NULL, *serverssl = NULL;
4049 int testresult = 0;
4050 SSL_SESSION *sess = NULL;
4051 unsigned char buf[20];
4052 size_t readbytes, written;
4053
4054 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4055 &serverssl, &sess, idx)))
4056 goto end;
4057
4058 /* Write some data - should block due to handshake with server */
4059 SSL_set_connect_state(clientssl);
4060 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4061 goto end;
4062
4063 /* Server should detect that early data has not been sent */
4064 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4065 &readbytes),
4066 SSL_READ_EARLY_DATA_FINISH)
4067 || !TEST_size_t_eq(readbytes, 0)
4068 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4069 SSL_EARLY_DATA_NOT_SENT)
4070 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4071 SSL_EARLY_DATA_NOT_SENT))
4072 goto end;
4073
4074 /* Continue writing the message we started earlier */
4075 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4076 || !TEST_size_t_eq(written, strlen(MSG1))
4077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4078 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4079 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4080 || !TEST_size_t_eq(written, strlen(MSG2)))
4081 goto end;
4082
4083 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4084 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4085 goto end;
4086
4087 testresult = 1;
4088
4089 end:
4090 SSL_SESSION_free(sess);
4091 SSL_SESSION_free(clientpsk);
4092 SSL_SESSION_free(serverpsk);
4093 clientpsk = serverpsk = NULL;
4094 SSL_free(serverssl);
4095 SSL_free(clientssl);
4096 SSL_CTX_free(sctx);
4097 SSL_CTX_free(cctx);
4098 return testresult;
4099 }
4100
4101 static const char *servalpn;
4102
4103 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4104 unsigned char *outlen, const unsigned char *in,
4105 unsigned int inlen, void *arg)
4106 {
4107 unsigned int protlen = 0;
4108 const unsigned char *prot;
4109
4110 for (prot = in; prot < in + inlen; prot += protlen) {
4111 protlen = *prot++;
4112 if (in + inlen < prot + protlen)
4113 return SSL_TLSEXT_ERR_NOACK;
4114
4115 if (protlen == strlen(servalpn)
4116 && memcmp(prot, servalpn, protlen) == 0) {
4117 *out = prot;
4118 *outlen = protlen;
4119 return SSL_TLSEXT_ERR_OK;
4120 }
4121 }
4122
4123 return SSL_TLSEXT_ERR_NOACK;
4124 }
4125
4126 /* Test that a PSK can be used to send early_data */
4127 static int test_early_data_psk(int idx)
4128 {
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4131 int testresult = 0;
4132 SSL_SESSION *sess = NULL;
4133 unsigned char alpnlist[] = {
4134 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4135 'l', 'p', 'n'
4136 };
4137 #define GOODALPNLEN 9
4138 #define BADALPNLEN 8
4139 #define GOODALPN (alpnlist)
4140 #define BADALPN (alpnlist + GOODALPNLEN)
4141 int err = 0;
4142 unsigned char buf[20];
4143 size_t readbytes, written;
4144 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4145 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4146
4147 /* We always set this up with a final parameter of "2" for PSK */
4148 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4149 &serverssl, &sess, 2)))
4150 goto end;
4151
4152 servalpn = "goodalpn";
4153
4154 /*
4155 * Note: There is no test for inconsistent SNI with late client detection.
4156 * This is because servers do not acknowledge SNI even if they are using
4157 * it in a resumption handshake - so it is not actually possible for a
4158 * client to detect a problem.
4159 */
4160 switch (idx) {
4161 case 0:
4162 /* Set inconsistent SNI (early client detection) */
4163 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4164 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4165 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4166 goto end;
4167 break;
4168
4169 case 1:
4170 /* Set inconsistent ALPN (early client detection) */
4171 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4172 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4173 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4174 GOODALPNLEN))
4175 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4176 BADALPNLEN)))
4177 goto end;
4178 break;
4179
4180 case 2:
4181 /*
4182 * Set invalid protocol version. Technically this affects PSKs without
4183 * early_data too, but we test it here because it is similar to the
4184 * SNI/ALPN consistency tests.
4185 */
4186 err = SSL_R_BAD_PSK;
4187 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4188 goto end;
4189 break;
4190
4191 case 3:
4192 /*
4193 * Set inconsistent SNI (server side). In this case the connection
4194 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4195 * is associated with each handshake - not the session. Therefore it
4196 * should not matter that we used a different server name last time.
4197 */
4198 SSL_SESSION_free(serverpsk);
4199 serverpsk = SSL_SESSION_dup(clientpsk);
4200 if (!TEST_ptr(serverpsk)
4201 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4202 goto end;
4203 /* Fall through */
4204 case 4:
4205 /* Set consistent SNI */
4206 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4207 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4208 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4209 hostname_cb)))
4210 goto end;
4211 break;
4212
4213 case 5:
4214 /*
4215 * Set inconsistent ALPN (server detected). In this case the connection
4216 * will succeed but reject early_data.
4217 */
4218 servalpn = "badalpn";
4219 edstatus = SSL_EARLY_DATA_REJECTED;
4220 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4221 /* Fall through */
4222 case 6:
4223 /*
4224 * Set consistent ALPN.
4225 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4226 * accepts a list of protos (each one length prefixed).
4227 * SSL_set1_alpn_selected accepts a single protocol (not length
4228 * prefixed)
4229 */
4230 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4231 GOODALPNLEN - 1))
4232 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4233 GOODALPNLEN)))
4234 goto end;
4235
4236 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4237 break;
4238
4239 case 7:
4240 /* Set inconsistent ALPN (late client detection) */
4241 SSL_SESSION_free(serverpsk);
4242 serverpsk = SSL_SESSION_dup(clientpsk);
4243 if (!TEST_ptr(serverpsk)
4244 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4245 BADALPN + 1,
4246 BADALPNLEN - 1))
4247 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4248 GOODALPN + 1,
4249 GOODALPNLEN - 1))
4250 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4251 sizeof(alpnlist))))
4252 goto end;
4253 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4254 edstatus = SSL_EARLY_DATA_ACCEPTED;
4255 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4256 /* SSL_connect() call should fail */
4257 connectres = -1;
4258 break;
4259
4260 default:
4261 TEST_error("Bad test index");
4262 goto end;
4263 }
4264
4265 SSL_set_connect_state(clientssl);
4266 if (err != 0) {
4267 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4268 &written))
4269 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4270 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4271 goto end;
4272 } else {
4273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4274 &written)))
4275 goto end;
4276
4277 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4278 &readbytes), readearlyres)
4279 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4280 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4281 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4282 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4283 goto end;
4284 }
4285
4286 testresult = 1;
4287
4288 end:
4289 SSL_SESSION_free(sess);
4290 SSL_SESSION_free(clientpsk);
4291 SSL_SESSION_free(serverpsk);
4292 clientpsk = serverpsk = NULL;
4293 SSL_free(serverssl);
4294 SSL_free(clientssl);
4295 SSL_CTX_free(sctx);
4296 SSL_CTX_free(cctx);
4297 return testresult;
4298 }
4299
4300 /*
4301 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4302 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4303 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4304 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4305 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4306 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4307 */
4308 static int test_early_data_psk_with_all_ciphers(int idx)
4309 {
4310 SSL_CTX *cctx = NULL, *sctx = NULL;
4311 SSL *clientssl = NULL, *serverssl = NULL;
4312 int testresult = 0;
4313 SSL_SESSION *sess = NULL;
4314 unsigned char buf[20];
4315 size_t readbytes, written;
4316 const SSL_CIPHER *cipher;
4317 const char *cipher_str[] = {
4318 TLS1_3_RFC_AES_128_GCM_SHA256,
4319 TLS1_3_RFC_AES_256_GCM_SHA384,
4320 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4321 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4322 # else
4323 NULL,
4324 # endif
4325 TLS1_3_RFC_AES_128_CCM_SHA256,
4326 TLS1_3_RFC_AES_128_CCM_8_SHA256
4327 };
4328 const unsigned char *cipher_bytes[] = {
4329 TLS13_AES_128_GCM_SHA256_BYTES,
4330 TLS13_AES_256_GCM_SHA384_BYTES,
4331 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4332 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4333 # else
4334 NULL,
4335 # endif
4336 TLS13_AES_128_CCM_SHA256_BYTES,
4337 TLS13_AES_128_CCM_8_SHA256_BYTES
4338 };
4339
4340 if (cipher_str[idx] == NULL)
4341 return 1;
4342 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4343 if (idx == 2 && is_fips == 1)
4344 return 1;
4345
4346 /* We always set this up with a final parameter of "2" for PSK */
4347 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4348 &serverssl, &sess, 2)))
4349 goto end;
4350
4351 if (idx == 4) {
4352 /* CCM8 ciphers are considered low security due to their short tag */
4353 SSL_set_security_level(clientssl, 0);
4354 SSL_set_security_level(serverssl, 0);
4355 }
4356
4357 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4358 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4359 goto end;
4360
4361 /*
4362 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4363 * and assigns to both client and server with incremented reference
4364 * and the same instance is updated in 'sess'.
4365 * So updating ciphersuite in 'sess' which will get reflected in
4366 * PSK handshake using psk use sess and find sess cb.
4367 */
4368 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4369 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4370 goto end;
4371
4372 SSL_set_connect_state(clientssl);
4373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4374 &written)))
4375 goto end;
4376
4377 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4378 &readbytes),
4379 SSL_READ_EARLY_DATA_SUCCESS)
4380 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4381 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4382 SSL_EARLY_DATA_ACCEPTED)
4383 || !TEST_int_eq(SSL_connect(clientssl), 1)
4384 || !TEST_int_eq(SSL_accept(serverssl), 1))
4385 goto end;
4386
4387 /* Send some normal data from client to server */
4388 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4389 || !TEST_size_t_eq(written, strlen(MSG2)))
4390 goto end;
4391
4392 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4393 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4394 goto end;
4395
4396 testresult = 1;
4397 end:
4398 SSL_SESSION_free(sess);
4399 SSL_SESSION_free(clientpsk);
4400 SSL_SESSION_free(serverpsk);
4401 clientpsk = serverpsk = NULL;
4402 if (clientssl != NULL)
4403 SSL_shutdown(clientssl);
4404 if (serverssl != NULL)
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 SSL_CTX_free(sctx);
4409 SSL_CTX_free(cctx);
4410 return testresult;
4411 }
4412
4413 /*
4414 * Test that a server that doesn't try to read early data can handle a
4415 * client sending some.
4416 */
4417 static int test_early_data_not_expected(int idx)
4418 {
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4421 int testresult = 0;
4422 SSL_SESSION *sess = NULL;
4423 unsigned char buf[20];
4424 size_t readbytes, written;
4425
4426 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4427 &serverssl, &sess, idx)))
4428 goto end;
4429
4430 /* Write some early data */
4431 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4432 &written)))
4433 goto end;
4434
4435 /*
4436 * Server should skip over early data and then block waiting for client to
4437 * continue handshake
4438 */
4439 if (!TEST_int_le(SSL_accept(serverssl), 0)
4440 || !TEST_int_gt(SSL_connect(clientssl), 0)
4441 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4442 SSL_EARLY_DATA_REJECTED)
4443 || !TEST_int_gt(SSL_accept(serverssl), 0)
4444 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4445 SSL_EARLY_DATA_REJECTED))
4446 goto end;
4447
4448 /* Send some normal data from client to server */
4449 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4450 || !TEST_size_t_eq(written, strlen(MSG2)))
4451 goto end;
4452
4453 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4454 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4455 goto end;
4456
4457 testresult = 1;
4458
4459 end:
4460 SSL_SESSION_free(sess);
4461 SSL_SESSION_free(clientpsk);
4462 SSL_SESSION_free(serverpsk);
4463 clientpsk = serverpsk = NULL;
4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 SSL_CTX_free(sctx);
4467 SSL_CTX_free(cctx);
4468 return testresult;
4469 }
4470
4471
4472 # ifndef OPENSSL_NO_TLS1_2
4473 /*
4474 * Test that a server attempting to read early data can handle a connection
4475 * from a TLSv1.2 client.
4476 */
4477 static int test_early_data_tls1_2(int idx)
4478 {
4479 SSL_CTX *cctx = NULL, *sctx = NULL;
4480 SSL *clientssl = NULL, *serverssl = NULL;
4481 int testresult = 0;
4482 unsigned char buf[20];
4483 size_t readbytes, written;
4484
4485 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4486 &serverssl, NULL, idx)))
4487 goto end;
4488
4489 /* Write some data - should block due to handshake with server */
4490 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4491 SSL_set_connect_state(clientssl);
4492 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4493 goto end;
4494
4495 /*
4496 * Server should do TLSv1.2 handshake. First it will block waiting for more
4497 * messages from client after ServerDone. Then SSL_read_early_data should
4498 * finish and detect that early data has not been sent
4499 */
4500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4501 &readbytes),
4502 SSL_READ_EARLY_DATA_ERROR))
4503 goto end;
4504
4505 /*
4506 * Continue writing the message we started earlier. Will still block waiting
4507 * for the CCS/Finished from server
4508 */
4509 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4511 &readbytes),
4512 SSL_READ_EARLY_DATA_FINISH)
4513 || !TEST_size_t_eq(readbytes, 0)
4514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4515 SSL_EARLY_DATA_NOT_SENT))
4516 goto end;
4517
4518 /* Continue writing the message we started earlier */
4519 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4520 || !TEST_size_t_eq(written, strlen(MSG1))
4521 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4522 SSL_EARLY_DATA_NOT_SENT)
4523 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4524 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4525 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4526 || !TEST_size_t_eq(written, strlen(MSG2))
4527 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4528 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4529 goto end;
4530
4531 testresult = 1;
4532
4533 end:
4534 SSL_SESSION_free(clientpsk);
4535 SSL_SESSION_free(serverpsk);
4536 clientpsk = serverpsk = NULL;
4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 SSL_CTX_free(sctx);
4540 SSL_CTX_free(cctx);
4541
4542 return testresult;
4543 }
4544 # endif /* OPENSSL_NO_TLS1_2 */
4545
4546 /*
4547 * Test configuring the TLSv1.3 ciphersuites
4548 *
4549 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4550 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4551 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4552 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4553 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4554 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4555 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4556 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4557 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4558 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4559 */
4560 static int test_set_ciphersuite(int idx)
4561 {
4562 SSL_CTX *cctx = NULL, *sctx = NULL;
4563 SSL *clientssl = NULL, *serverssl = NULL;
4564 int testresult = 0;
4565
4566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4567 TLS_client_method(), TLS1_VERSION, 0,
4568 &sctx, &cctx, cert, privkey))
4569 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4571 goto end;
4572
4573 if (idx >=4 && idx <= 7) {
4574 /* SSL_CTX explicit cipher list */
4575 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4576 goto end;
4577 }
4578
4579 if (idx == 0 || idx == 4) {
4580 /* Default ciphersuite */
4581 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4582 "TLS_AES_128_GCM_SHA256")))
4583 goto end;
4584 } else if (idx == 1 || idx == 5) {
4585 /* Non default ciphersuite */
4586 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4587 "TLS_AES_128_CCM_SHA256")))
4588 goto end;
4589 }
4590
4591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4592 &clientssl, NULL, NULL)))
4593 goto end;
4594
4595 if (idx == 8 || idx == 9) {
4596 /* SSL explicit cipher list */
4597 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4598 goto end;
4599 }
4600
4601 if (idx == 2 || idx == 6 || idx == 8) {
4602 /* Default ciphersuite */
4603 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4604 "TLS_AES_128_GCM_SHA256")))
4605 goto end;
4606 } else if (idx == 3 || idx == 7 || idx == 9) {
4607 /* Non default ciphersuite */
4608 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4609 "TLS_AES_128_CCM_SHA256")))
4610 goto end;
4611 }
4612
4613 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4614 goto end;
4615
4616 testresult = 1;
4617
4618 end:
4619 SSL_free(serverssl);
4620 SSL_free(clientssl);
4621 SSL_CTX_free(sctx);
4622 SSL_CTX_free(cctx);
4623
4624 return testresult;
4625 }
4626
4627 static int test_ciphersuite_change(void)
4628 {
4629 SSL_CTX *cctx = NULL, *sctx = NULL;
4630 SSL *clientssl = NULL, *serverssl = NULL;
4631 SSL_SESSION *clntsess = NULL;
4632 int testresult = 0;
4633 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4634
4635 /* Create a session based on SHA-256 */
4636 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4637 TLS_client_method(), TLS1_VERSION, 0,
4638 &sctx, &cctx, cert, privkey))
4639 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4640 "TLS_AES_128_GCM_SHA256:"
4641 "TLS_AES_256_GCM_SHA384:"
4642 "TLS_AES_128_CCM_SHA256"))
4643 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4644 "TLS_AES_128_GCM_SHA256")))
4645 goto end;
4646
4647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4648 NULL, NULL))
4649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4650 SSL_ERROR_NONE)))
4651 goto end;
4652
4653 clntsess = SSL_get1_session(clientssl);
4654 /* Save for later */
4655 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4656 SSL_shutdown(clientssl);
4657 SSL_shutdown(serverssl);
4658 SSL_free(serverssl);
4659 SSL_free(clientssl);
4660 serverssl = clientssl = NULL;
4661
4662 /* Check we can resume a session with a different SHA-256 ciphersuite */
4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4664 "TLS_AES_128_CCM_SHA256"))
4665 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4666 &clientssl, NULL, NULL))
4667 || !TEST_true(SSL_set_session(clientssl, clntsess))
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4669 SSL_ERROR_NONE))
4670 || !TEST_true(SSL_session_reused(clientssl)))
4671 goto end;
4672
4673 SSL_SESSION_free(clntsess);
4674 clntsess = SSL_get1_session(clientssl);
4675 SSL_shutdown(clientssl);
4676 SSL_shutdown(serverssl);
4677 SSL_free(serverssl);
4678 SSL_free(clientssl);
4679 serverssl = clientssl = NULL;
4680
4681 /*
4682 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4683 * succeeds but does not resume.
4684 */
4685 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4686 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4687 NULL, NULL))
4688 || !TEST_true(SSL_set_session(clientssl, clntsess))
4689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4690 SSL_ERROR_SSL))
4691 || !TEST_false(SSL_session_reused(clientssl)))
4692 goto end;
4693
4694 SSL_SESSION_free(clntsess);
4695 clntsess = NULL;
4696 SSL_shutdown(clientssl);
4697 SSL_shutdown(serverssl);
4698 SSL_free(serverssl);
4699 SSL_free(clientssl);
4700 serverssl = clientssl = NULL;
4701
4702 /* Create a session based on SHA384 */
4703 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL))
4706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4707 SSL_ERROR_NONE)))
4708 goto end;
4709
4710 clntsess = SSL_get1_session(clientssl);
4711 SSL_shutdown(clientssl);
4712 SSL_shutdown(serverssl);
4713 SSL_free(serverssl);
4714 SSL_free(clientssl);
4715 serverssl = clientssl = NULL;
4716
4717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4718 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4720 "TLS_AES_256_GCM_SHA384"))
4721 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4722 NULL, NULL))
4723 || !TEST_true(SSL_set_session(clientssl, clntsess))
4724 /*
4725 * We use SSL_ERROR_WANT_READ below so that we can pause the
4726 * connection after the initial ClientHello has been sent to
4727 * enable us to make some session changes.
4728 */
4729 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4730 SSL_ERROR_WANT_READ)))
4731 goto end;
4732
4733 /* Trick the client into thinking this session is for a different digest */
4734 clntsess->cipher = aes_128_gcm_sha256;
4735 clntsess->cipher_id = clntsess->cipher->id;
4736
4737 /*
4738 * Continue the previously started connection. Server has selected a SHA-384
4739 * ciphersuite, but client thinks the session is for SHA-256, so it should
4740 * bail out.
4741 */
4742 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4743 SSL_ERROR_SSL))
4744 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4745 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4746 goto end;
4747
4748 testresult = 1;
4749
4750 end:
4751 SSL_SESSION_free(clntsess);
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 SSL_CTX_free(sctx);
4755 SSL_CTX_free(cctx);
4756
4757 return testresult;
4758 }
4759
4760 /*
4761 * Test TLSv1.3 Key exchange
4762 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4763 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4764 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4765 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4766 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4767 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4768 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4769 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4770 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4771 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4772 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4773 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4774 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4775 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4776 */
4777 # ifndef OPENSSL_NO_EC
4778 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4779 NID_secp521r1, NID_X25519, NID_X448};
4780 # endif
4781 # ifndef OPENSSL_NO_DH
4782 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4783 NID_ffdhe6144, NID_ffdhe8192};
4784 # endif
4785 static int test_key_exchange(int idx)
4786 {
4787 SSL_CTX *sctx = NULL, *cctx = NULL;
4788 SSL *serverssl = NULL, *clientssl = NULL;
4789 int testresult = 0;
4790 int kexch_alg;
4791 int *kexch_groups = &kexch_alg;
4792 int kexch_groups_size = 1;
4793 int max_version = TLS1_3_VERSION;
4794 char *kexch_name0 = NULL;
4795
4796 switch (idx) {
4797 # ifndef OPENSSL_NO_EC
4798 # ifndef OPENSSL_NO_TLS1_2
4799 case 12:
4800 max_version = TLS1_2_VERSION;
4801 # endif
4802 /* Fall through */
4803 case 0:
4804 kexch_groups = ecdhe_kexch_groups;
4805 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4806 kexch_name0 = "secp256r1";
4807 break;
4808 case 1:
4809 kexch_alg = NID_X9_62_prime256v1;
4810 kexch_name0 = "secp256r1";
4811 break;
4812 case 2:
4813 kexch_alg = NID_secp384r1;
4814 kexch_name0 = "secp384r1";
4815 break;
4816 case 3:
4817 kexch_alg = NID_secp521r1;
4818 kexch_name0 = "secp521r1";
4819 break;
4820 case 4:
4821 kexch_alg = NID_X25519;
4822 kexch_name0 = "x25519";
4823 break;
4824 case 5:
4825 kexch_alg = NID_X448;
4826 kexch_name0 = "x448";
4827 break;
4828 # endif
4829 # ifndef OPENSSL_NO_DH
4830 # ifndef OPENSSL_NO_TLS1_2
4831 case 13:
4832 max_version = TLS1_2_VERSION;
4833 kexch_name0 = "ffdhe2048";
4834 # endif
4835 /* Fall through */
4836 case 6:
4837 kexch_groups = ffdhe_kexch_groups;
4838 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4839 kexch_name0 = "ffdhe2048";
4840 break;
4841 case 7:
4842 kexch_alg = NID_ffdhe2048;
4843 kexch_name0 = "ffdhe2048";
4844 break;
4845 case 8:
4846 kexch_alg = NID_ffdhe3072;
4847 kexch_name0 = "ffdhe3072";
4848 break;
4849 case 9:
4850 kexch_alg = NID_ffdhe4096;
4851 kexch_name0 = "ffdhe4096";
4852 break;
4853 case 10:
4854 kexch_alg = NID_ffdhe6144;
4855 kexch_name0 = "ffdhe6144";
4856 break;
4857 case 11:
4858 kexch_alg = NID_ffdhe8192;
4859 kexch_name0 = "ffdhe8192";
4860 break;
4861 # endif
4862 default:
4863 /* We're skipping this test */
4864 return 1;
4865 }
4866
4867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4868 TLS_client_method(), TLS1_VERSION,
4869 max_version, &sctx, &cctx, cert,
4870 privkey)))
4871 goto end;
4872
4873 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4874 TLS1_3_RFC_AES_128_GCM_SHA256)))
4875 goto end;
4876
4877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4878 TLS1_3_RFC_AES_128_GCM_SHA256)))
4879 goto end;
4880
4881 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4882 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4883 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4884 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4885 goto end;
4886
4887 /*
4888 * Must include an EC ciphersuite so that we send supported groups in
4889 * TLSv1.2
4890 */
4891 # ifndef OPENSSL_NO_TLS1_2
4892 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4893 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4894 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4895 goto end;
4896 # endif
4897
4898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4899 NULL, NULL)))
4900 goto end;
4901
4902 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4903 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4904 goto end;
4905
4906 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4907 goto end;
4908
4909 /*
4910 * If Handshake succeeds the negotiated kexch alg should be the first one in
4911 * configured, except in the case of FFDHE groups (idx 13), which are
4912 * TLSv1.3 only so we expect no shared group to exist.
4913 */
4914 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4915 idx == 13 ? 0 : kexch_groups[0]))
4916 goto end;
4917
4918 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4919 kexch_name0))
4920 goto end;
4921
4922 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4923 if (idx != 13) {
4924 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4925 goto end;
4926 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4927 goto end;
4928 }
4929
4930 testresult = 1;
4931 end:
4932 SSL_free(serverssl);
4933 SSL_free(clientssl);
4934 SSL_CTX_free(sctx);
4935 SSL_CTX_free(cctx);
4936 return testresult;
4937 }
4938
4939 # if !defined(OPENSSL_NO_TLS1_2) \
4940 && !defined(OPENSSL_NO_EC) \
4941 && !defined(OPENSSL_NO_DH)
4942 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4943 int isecdhe, int idx)
4944 {
4945 int kexch_alg;
4946 int *kexch_groups = &kexch_alg;
4947 int numec, numff;
4948
4949 numec = OSSL_NELEM(ecdhe_kexch_groups);
4950 numff = OSSL_NELEM(ffdhe_kexch_groups);
4951 if (isecdhe)
4952 kexch_alg = ecdhe_kexch_groups[idx];
4953 else
4954 kexch_alg = ffdhe_kexch_groups[idx];
4955
4956 if (clientmulti) {
4957 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4958 return 0;
4959 if (isecdhe) {
4960 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4961 numec)))
4962 return 0;
4963 } else {
4964 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4965 numff)))
4966 return 0;
4967 }
4968 } else {
4969 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4970 return 0;
4971 if (isecdhe) {
4972 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4973 numec)))
4974 return 0;
4975 } else {
4976 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4977 numff)))
4978 return 0;
4979 }
4980 }
4981 return 1;
4982 }
4983
4984 /*-
4985 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4986 * Run through both the ECDHE and FFDHE group lists used in the previous
4987 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4988 * confirming the expected result; then perform a resumption handshake
4989 * while offering the same group list, and another resumption handshake
4990 * offering a different group list. The returned value should be the
4991 * negotiated group for the initial handshake; for TLS 1.3 resumption
4992 * handshakes the returned value will be negotiated on the resumption
4993 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4994 * be cached in the session from the original handshake, regardless of what
4995 * was offered in the resumption ClientHello.
4996 *
4997 * Using E for the number of EC groups and F for the number of FF groups:
4998 * E tests of ECDHE with TLS 1.3, server only has one group
4999 * F tests of FFDHE with TLS 1.3, server only has one group
5000 * E tests of ECDHE with TLS 1.2, server only has one group
5001 * F tests of FFDHE with TLS 1.2, server only has one group
5002 * E tests of ECDHE with TLS 1.3, client sends only one group
5003 * F tests of FFDHE with TLS 1.3, client sends only one group
5004 * E tests of ECDHE with TLS 1.2, client sends only one group
5005 * F tests of FFDHE with TLS 1.2, client sends only one group
5006 */
5007 static int test_negotiated_group(int idx)
5008 {
5009 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5010 int expectednid;
5011 SSL_CTX *sctx = NULL, *cctx = NULL;
5012 SSL *serverssl = NULL, *clientssl = NULL;
5013 SSL_SESSION *origsess = NULL;
5014 int testresult = 0;
5015 int kexch_alg;
5016 int max_version = TLS1_3_VERSION;
5017
5018 numec = OSSL_NELEM(ecdhe_kexch_groups);
5019 numff = OSSL_NELEM(ffdhe_kexch_groups);
5020 numgroups = numec + numff;
5021 clientmulti = (idx < 2 * numgroups);
5022 idx = idx % (2 * numgroups);
5023 istls13 = (idx < numgroups);
5024 idx = idx % numgroups;
5025 isecdhe = (idx < numec);
5026 if (!isecdhe)
5027 idx -= numec;
5028 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5029 if (isecdhe)
5030 kexch_alg = ecdhe_kexch_groups[idx];
5031 else
5032 kexch_alg = ffdhe_kexch_groups[idx];
5033 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5034 if (!istls13 && !isecdhe)
5035 expectednid = NID_undef;
5036 else
5037 expectednid = kexch_alg;
5038
5039 if (!istls13)
5040 max_version = TLS1_2_VERSION;
5041
5042 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5043 TLS_client_method(), TLS1_VERSION,
5044 max_version, &sctx, &cctx, cert,
5045 privkey)))
5046 goto end;
5047
5048 /*
5049 * Force (EC)DHE ciphers for TLS 1.2.
5050 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5051 */
5052 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5053 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5054 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5055 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5056 goto end;
5057 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5058 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5059 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5060 goto end;
5061
5062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5063 NULL, NULL)))
5064 goto end;
5065
5066 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5067 idx)))
5068 goto end;
5069
5070 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5071 goto end;
5072
5073 /* Initial handshake; always the configured one */
5074 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5075 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5076 goto end;
5077
5078 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5079 goto end;
5080
5081 SSL_shutdown(clientssl);
5082 SSL_shutdown(serverssl);
5083 SSL_free(serverssl);
5084 SSL_free(clientssl);
5085 serverssl = clientssl = NULL;
5086
5087 /* First resumption attempt; use the same config as initial handshake */
5088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5089 NULL, NULL))
5090 || !TEST_true(SSL_set_session(clientssl, origsess))
5091 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5092 isecdhe, idx)))
5093 goto end;
5094
5095 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5096 || !TEST_true(SSL_session_reused(clientssl)))
5097 goto end;
5098
5099 /* Still had better agree, since nothing changed... */
5100 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5101 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5102 goto end;
5103
5104 SSL_shutdown(clientssl);
5105 SSL_shutdown(serverssl);
5106 SSL_free(serverssl);
5107 SSL_free(clientssl);
5108 serverssl = clientssl = NULL;
5109
5110 /*-
5111 * Second resumption attempt
5112 * The party that picks one group changes it, which we effectuate by
5113 * changing 'idx' and updating what we expect.
5114 */
5115 if (idx == 0)
5116 idx = 1;
5117 else
5118 idx--;
5119 if (istls13) {
5120 if (isecdhe)
5121 expectednid = ecdhe_kexch_groups[idx];
5122 else
5123 expectednid = ffdhe_kexch_groups[idx];
5124 /* Verify that we are changing what we expect. */
5125 if (!TEST_int_ne(expectednid, kexch_alg))
5126 goto end;
5127 } else {
5128 /* TLS 1.2 only supports named groups for ECDHE. */
5129 if (isecdhe)
5130 expectednid = kexch_alg;
5131 else
5132 expectednid = 0;
5133 }
5134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5135 NULL, NULL))
5136 || !TEST_true(SSL_set_session(clientssl, origsess))
5137 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5138 isecdhe, idx)))
5139 goto end;
5140
5141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5142 || !TEST_true(SSL_session_reused(clientssl)))
5143 goto end;
5144
5145 /* Check that we get what we expected */
5146 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5147 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5148 goto end;
5149
5150 testresult = 1;
5151 end:
5152 SSL_free(serverssl);
5153 SSL_free(clientssl);
5154 SSL_CTX_free(sctx);
5155 SSL_CTX_free(cctx);
5156 SSL_SESSION_free(origsess);
5157 return testresult;
5158 }
5159 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5160
5161 /*
5162 * Test TLSv1.3 Cipher Suite
5163 * Test 0 = Set TLS1.3 cipher on context
5164 * Test 1 = Set TLS1.3 cipher on SSL
5165 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5166 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5167 */
5168 static int test_tls13_ciphersuite(int idx)
5169 {
5170 SSL_CTX *sctx = NULL, *cctx = NULL;
5171 SSL *serverssl = NULL, *clientssl = NULL;
5172 static const struct {
5173 const char *ciphername;
5174 int fipscapable;
5175 int low_security;
5176 } t13_ciphers[] = {
5177 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5178 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5179 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5180 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5181 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5182 { TLS1_3_RFC_AES_256_GCM_SHA384
5183 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5184 # endif
5185 /* CCM8 ciphers are considered low security due to their short tag */
5186 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5187 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5188 };
5189 const char *t13_cipher = NULL;
5190 const char *t12_cipher = NULL;
5191 const char *negotiated_scipher;
5192 const char *negotiated_ccipher;
5193 int set_at_ctx = 0;
5194 int set_at_ssl = 0;
5195 int testresult = 0;
5196 int max_ver;
5197 size_t i;
5198
5199 switch (idx) {
5200 case 0:
5201 set_at_ctx = 1;
5202 break;
5203 case 1:
5204 set_at_ssl = 1;
5205 break;
5206 case 2:
5207 set_at_ctx = 1;
5208 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5209 break;
5210 case 3:
5211 set_at_ssl = 1;
5212 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5213 break;
5214 }
5215
5216 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5217 # ifdef OPENSSL_NO_TLS1_2
5218 if (max_ver == TLS1_2_VERSION)
5219 continue;
5220 # endif
5221 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5222 if (is_fips && !t13_ciphers[i].fipscapable)
5223 continue;
5224 t13_cipher = t13_ciphers[i].ciphername;
5225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5226 TLS_client_method(),
5227 TLS1_VERSION, max_ver,
5228 &sctx, &cctx, cert, privkey)))
5229 goto end;
5230
5231 if (t13_ciphers[i].low_security) {
5232 SSL_CTX_set_security_level(sctx, 0);
5233 SSL_CTX_set_security_level(cctx, 0);
5234 }
5235
5236 if (set_at_ctx) {
5237 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5238 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5239 goto end;
5240 if (t12_cipher != NULL) {
5241 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5242 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5243 t12_cipher)))
5244 goto end;
5245 }
5246 }
5247
5248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5249 &clientssl, NULL, NULL)))
5250 goto end;
5251
5252 if (set_at_ssl) {
5253 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5254 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5255 goto end;
5256 if (t12_cipher != NULL) {
5257 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5258 || !TEST_true(SSL_set_cipher_list(clientssl,
5259 t12_cipher)))
5260 goto end;
5261 }
5262 }
5263
5264 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5265 SSL_ERROR_NONE)))
5266 goto end;
5267
5268 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5269 serverssl));
5270 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5271 clientssl));
5272 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5273 goto end;
5274
5275 /*
5276 * TEST_strn_eq is used below because t13_cipher can contain
5277 * multiple ciphersuites
5278 */
5279 if (max_ver == TLS1_3_VERSION
5280 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5281 strlen(negotiated_scipher)))
5282 goto end;
5283
5284 # ifndef OPENSSL_NO_TLS1_2
5285 /* Below validation is not done when t12_cipher is NULL */
5286 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5287 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5288 goto end;
5289 # endif
5290
5291 SSL_free(serverssl);
5292 serverssl = NULL;
5293 SSL_free(clientssl);
5294 clientssl = NULL;
5295 SSL_CTX_free(sctx);
5296 sctx = NULL;
5297 SSL_CTX_free(cctx);
5298 cctx = NULL;
5299 }
5300 }
5301
5302 testresult = 1;
5303 end:
5304 SSL_free(serverssl);
5305 SSL_free(clientssl);
5306 SSL_CTX_free(sctx);
5307 SSL_CTX_free(cctx);
5308 return testresult;
5309 }
5310
5311 /*
5312 * Test TLSv1.3 PSKs
5313 * Test 0 = Test new style callbacks
5314 * Test 1 = Test both new and old style callbacks
5315 * Test 2 = Test old style callbacks
5316 * Test 3 = Test old style callbacks with no certificate
5317 */
5318 static int test_tls13_psk(int idx)
5319 {
5320 SSL_CTX *sctx = NULL, *cctx = NULL;
5321 SSL *serverssl = NULL, *clientssl = NULL;
5322 const SSL_CIPHER *cipher = NULL;
5323 const unsigned char key[] = {
5324 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5325 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5326 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5327 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5328 };
5329 int testresult = 0;
5330
5331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5332 TLS_client_method(), TLS1_VERSION, 0,
5333 &sctx, &cctx, idx == 3 ? NULL : cert,
5334 idx == 3 ? NULL : privkey)))
5335 goto end;
5336
5337 if (idx != 3) {
5338 /*
5339 * We use a ciphersuite with SHA256 to ease testing old style PSK
5340 * callbacks which will always default to SHA256. This should not be
5341 * necessary if we have no cert/priv key. In that case the server should
5342 * prefer SHA256 automatically.
5343 */
5344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5345 "TLS_AES_128_GCM_SHA256")))
5346 goto end;
5347 } else {
5348 /*
5349 * As noted above the server should prefer SHA256 automatically. However
5350 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5351 * code works even if we are testing with only the FIPS provider loaded.
5352 */
5353 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5354 "TLS_AES_256_GCM_SHA384:"
5355 "TLS_AES_128_GCM_SHA256")))
5356 goto end;
5357 }
5358
5359 /*
5360 * Test 0: New style callbacks only
5361 * Test 1: New and old style callbacks (only the new ones should be used)
5362 * Test 2: Old style callbacks only
5363 */
5364 if (idx == 0 || idx == 1) {
5365 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5366 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5367 }
5368 #ifndef OPENSSL_NO_PSK
5369 if (idx >= 1) {
5370 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5371 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5372 }
5373 #endif
5374 srvid = pskid;
5375 use_session_cb_cnt = 0;
5376 find_session_cb_cnt = 0;
5377 psk_client_cb_cnt = 0;
5378 psk_server_cb_cnt = 0;
5379
5380 if (idx != 3) {
5381 /*
5382 * Check we can create a connection if callback decides not to send a
5383 * PSK
5384 */
5385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5386 NULL, NULL))
5387 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5388 SSL_ERROR_NONE))
5389 || !TEST_false(SSL_session_reused(clientssl))
5390 || !TEST_false(SSL_session_reused(serverssl)))
5391 goto end;
5392
5393 if (idx == 0 || idx == 1) {
5394 if (!TEST_true(use_session_cb_cnt == 1)
5395 || !TEST_true(find_session_cb_cnt == 0)
5396 /*
5397 * If no old style callback then below should be 0
5398 * otherwise 1
5399 */
5400 || !TEST_true(psk_client_cb_cnt == idx)
5401 || !TEST_true(psk_server_cb_cnt == 0))
5402 goto end;
5403 } else {
5404 if (!TEST_true(use_session_cb_cnt == 0)
5405 || !TEST_true(find_session_cb_cnt == 0)
5406 || !TEST_true(psk_client_cb_cnt == 1)
5407 || !TEST_true(psk_server_cb_cnt == 0))
5408 goto end;
5409 }
5410
5411 shutdown_ssl_connection(serverssl, clientssl);
5412 serverssl = clientssl = NULL;
5413 use_session_cb_cnt = psk_client_cb_cnt = 0;
5414 }
5415
5416 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5417 NULL, NULL)))
5418 goto end;
5419
5420 /* Create the PSK */
5421 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5422 clientpsk = SSL_SESSION_new();
5423 if (!TEST_ptr(clientpsk)
5424 || !TEST_ptr(cipher)
5425 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5426 sizeof(key)))
5427 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5428 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5429 TLS1_3_VERSION))
5430 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5431 goto end;
5432 serverpsk = clientpsk;
5433
5434 /* Check we can create a connection and the PSK is used */
5435 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5436 || !TEST_true(SSL_session_reused(clientssl))
5437 || !TEST_true(SSL_session_reused(serverssl)))
5438 goto end;
5439
5440 if (idx == 0 || idx == 1) {
5441 if (!TEST_true(use_session_cb_cnt == 1)
5442 || !TEST_true(find_session_cb_cnt == 1)
5443 || !TEST_true(psk_client_cb_cnt == 0)
5444 || !TEST_true(psk_server_cb_cnt == 0))
5445 goto end;
5446 } else {
5447 if (!TEST_true(use_session_cb_cnt == 0)
5448 || !TEST_true(find_session_cb_cnt == 0)
5449 || !TEST_true(psk_client_cb_cnt == 1)
5450 || !TEST_true(psk_server_cb_cnt == 1))
5451 goto end;
5452 }
5453
5454 shutdown_ssl_connection(serverssl, clientssl);
5455 serverssl = clientssl = NULL;
5456 use_session_cb_cnt = find_session_cb_cnt = 0;
5457 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5458
5459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5460 NULL, NULL)))
5461 goto end;
5462
5463 /* Force an HRR */
5464 #if defined(OPENSSL_NO_EC)
5465 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5466 goto end;
5467 #else
5468 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5469 goto end;
5470 #endif
5471
5472 /*
5473 * Check we can create a connection, the PSK is used and the callbacks are
5474 * called twice.
5475 */
5476 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5477 || !TEST_true(SSL_session_reused(clientssl))
5478 || !TEST_true(SSL_session_reused(serverssl)))
5479 goto end;
5480
5481 if (idx == 0 || idx == 1) {
5482 if (!TEST_true(use_session_cb_cnt == 2)
5483 || !TEST_true(find_session_cb_cnt == 2)
5484 || !TEST_true(psk_client_cb_cnt == 0)
5485 || !TEST_true(psk_server_cb_cnt == 0))
5486 goto end;
5487 } else {
5488 if (!TEST_true(use_session_cb_cnt == 0)
5489 || !TEST_true(find_session_cb_cnt == 0)
5490 || !TEST_true(psk_client_cb_cnt == 2)
5491 || !TEST_true(psk_server_cb_cnt == 2))
5492 goto end;
5493 }
5494
5495 shutdown_ssl_connection(serverssl, clientssl);
5496 serverssl = clientssl = NULL;
5497 use_session_cb_cnt = find_session_cb_cnt = 0;
5498 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5499
5500 if (idx != 3) {
5501 /*
5502 * Check that if the server rejects the PSK we can still connect, but with
5503 * a full handshake
5504 */
5505 srvid = "Dummy Identity";
5506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5507 NULL, NULL))
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 SSL_ERROR_NONE))
5510 || !TEST_false(SSL_session_reused(clientssl))
5511 || !TEST_false(SSL_session_reused(serverssl)))
5512 goto end;
5513
5514 if (idx == 0 || idx == 1) {
5515 if (!TEST_true(use_session_cb_cnt == 1)
5516 || !TEST_true(find_session_cb_cnt == 1)
5517 || !TEST_true(psk_client_cb_cnt == 0)
5518 /*
5519 * If no old style callback then below should be 0
5520 * otherwise 1
5521 */
5522 || !TEST_true(psk_server_cb_cnt == idx))
5523 goto end;
5524 } else {
5525 if (!TEST_true(use_session_cb_cnt == 0)
5526 || !TEST_true(find_session_cb_cnt == 0)
5527 || !TEST_true(psk_client_cb_cnt == 1)
5528 || !TEST_true(psk_server_cb_cnt == 1))
5529 goto end;
5530 }
5531
5532 shutdown_ssl_connection(serverssl, clientssl);
5533 serverssl = clientssl = NULL;
5534 }
5535 testresult = 1;
5536
5537 end:
5538 SSL_SESSION_free(clientpsk);
5539 SSL_SESSION_free(serverpsk);
5540 clientpsk = serverpsk = NULL;
5541 SSL_free(serverssl);
5542 SSL_free(clientssl);
5543 SSL_CTX_free(sctx);
5544 SSL_CTX_free(cctx);
5545 return testresult;
5546 }
5547
5548 static unsigned char cookie_magic_value[] = "cookie magic";
5549
5550 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5551 unsigned int *cookie_len)
5552 {
5553 /*
5554 * Not suitable as a real cookie generation function but good enough for
5555 * testing!
5556 */
5557 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5558 *cookie_len = sizeof(cookie_magic_value) - 1;
5559
5560 return 1;
5561 }
5562
5563 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5564 unsigned int cookie_len)
5565 {
5566 if (cookie_len == sizeof(cookie_magic_value) - 1
5567 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5568 return 1;
5569
5570 return 0;
5571 }
5572
5573 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5574 size_t *cookie_len)
5575 {
5576 unsigned int temp;
5577 int res = generate_cookie_callback(ssl, cookie, &temp);
5578 *cookie_len = temp;
5579 return res;
5580 }
5581
5582 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5583 size_t cookie_len)
5584 {
5585 return verify_cookie_callback(ssl, cookie, cookie_len);
5586 }
5587
5588 static int test_stateless(void)
5589 {
5590 SSL_CTX *sctx = NULL, *cctx = NULL;
5591 SSL *serverssl = NULL, *clientssl = NULL;
5592 int testresult = 0;
5593
5594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5595 TLS_client_method(), TLS1_VERSION, 0,
5596 &sctx, &cctx, cert, privkey)))
5597 goto end;
5598
5599 /* The arrival of CCS messages can confuse the test */
5600 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5601
5602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5603 NULL, NULL))
5604 /* Send the first ClientHello */
5605 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5606 SSL_ERROR_WANT_READ))
5607 /*
5608 * This should fail with a -1 return because we have no callbacks
5609 * set up
5610 */
5611 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5612 goto end;
5613
5614 /* Fatal error so abandon the connection from this client */
5615 SSL_free(clientssl);
5616 clientssl = NULL;
5617
5618 /* Set up the cookie generation and verification callbacks */
5619 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5620 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5621
5622 /*
5623 * Create a new connection from the client (we can reuse the server SSL
5624 * object).
5625 */
5626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5627 NULL, NULL))
5628 /* Send the first ClientHello */
5629 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5630 SSL_ERROR_WANT_READ))
5631 /* This should fail because there is no cookie */
5632 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5633 goto end;
5634
5635 /* Abandon the connection from this client */
5636 SSL_free(clientssl);
5637 clientssl = NULL;
5638
5639 /*
5640 * Now create a connection from a new client but with the same server SSL
5641 * object
5642 */
5643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5644 NULL, NULL))
5645 /* Send the first ClientHello */
5646 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5647 SSL_ERROR_WANT_READ))
5648 /* This should fail because there is no cookie */
5649 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5650 /* Send the second ClientHello */
5651 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5652 SSL_ERROR_WANT_READ))
5653 /* This should succeed because a cookie is now present */
5654 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5655 /* Complete the connection */
5656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5657 SSL_ERROR_NONE)))
5658 goto end;
5659
5660 shutdown_ssl_connection(serverssl, clientssl);
5661 serverssl = clientssl = NULL;
5662 testresult = 1;
5663
5664 end:
5665 SSL_free(serverssl);
5666 SSL_free(clientssl);
5667 SSL_CTX_free(sctx);
5668 SSL_CTX_free(cctx);
5669 return testresult;
5670
5671 }
5672 #endif /* OSSL_NO_USABLE_TLS1_3 */
5673
5674 static int clntaddoldcb = 0;
5675 static int clntparseoldcb = 0;
5676 static int srvaddoldcb = 0;
5677 static int srvparseoldcb = 0;
5678 static int clntaddnewcb = 0;
5679 static int clntparsenewcb = 0;
5680 static int srvaddnewcb = 0;
5681 static int srvparsenewcb = 0;
5682 static int snicb = 0;
5683
5684 #define TEST_EXT_TYPE1 0xff00
5685
5686 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5687 size_t *outlen, int *al, void *add_arg)
5688 {
5689 int *server = (int *)add_arg;
5690 unsigned char *data;
5691
5692 if (SSL_is_server(s))
5693 srvaddoldcb++;
5694 else
5695 clntaddoldcb++;
5696
5697 if (*server != SSL_is_server(s)
5698 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5699 return -1;
5700
5701 *data = 1;
5702 *out = data;
5703 *outlen = sizeof(char);
5704 return 1;
5705 }
5706
5707 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5708 void *add_arg)
5709 {
5710 OPENSSL_free((unsigned char *)out);
5711 }
5712
5713 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5714 size_t inlen, int *al, void *parse_arg)
5715 {
5716 int *server = (int *)parse_arg;
5717
5718 if (SSL_is_server(s))
5719 srvparseoldcb++;
5720 else
5721 clntparseoldcb++;
5722
5723 if (*server != SSL_is_server(s)
5724 || inlen != sizeof(char)
5725 || *in != 1)
5726 return -1;
5727
5728 return 1;
5729 }
5730
5731 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5732 const unsigned char **out, size_t *outlen, X509 *x,
5733 size_t chainidx, int *al, void *add_arg)
5734 {
5735 int *server = (int *)add_arg;
5736 unsigned char *data;
5737
5738 if (SSL_is_server(s))
5739 srvaddnewcb++;
5740 else
5741 clntaddnewcb++;
5742
5743 if (*server != SSL_is_server(s)
5744 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5745 return -1;
5746
5747 *data = 1;
5748 *out = data;
5749 *outlen = sizeof(*data);
5750 return 1;
5751 }
5752
5753 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5754 const unsigned char *out, void *add_arg)
5755 {
5756 OPENSSL_free((unsigned char *)out);
5757 }
5758
5759 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5760 const unsigned char *in, size_t inlen, X509 *x,
5761 size_t chainidx, int *al, void *parse_arg)
5762 {
5763 int *server = (int *)parse_arg;
5764
5765 if (SSL_is_server(s))
5766 srvparsenewcb++;
5767 else
5768 clntparsenewcb++;
5769
5770 if (*server != SSL_is_server(s)
5771 || inlen != sizeof(char) || *in != 1)
5772 return -1;
5773
5774 return 1;
5775 }
5776
5777 static int sni_cb(SSL *s, int *al, void *arg)
5778 {
5779 SSL_CTX *ctx = (SSL_CTX *)arg;
5780
5781 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5782 *al = SSL_AD_INTERNAL_ERROR;
5783 return SSL_TLSEXT_ERR_ALERT_FATAL;
5784 }
5785 snicb++;
5786 return SSL_TLSEXT_ERR_OK;
5787 }
5788
5789 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5790 {
5791 return 1;
5792 }
5793
5794 /*
5795 * Custom call back tests.
5796 * Test 0: Old style callbacks in TLSv1.2
5797 * Test 1: New style callbacks in TLSv1.2
5798 * Test 2: New style callbacks in TLSv1.2 with SNI
5799 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5800 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5801 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5802 */
5803 static int test_custom_exts(int tst)
5804 {
5805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5806 SSL *clientssl = NULL, *serverssl = NULL;
5807 int testresult = 0;
5808 static int server = 1;
5809 static int client = 0;
5810 SSL_SESSION *sess = NULL;
5811 unsigned int context;
5812
5813 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5814 /* Skip tests for TLSv1.2 and below in this case */
5815 if (tst < 3)
5816 return 1;
5817 #endif
5818
5819 /* Reset callback counters */
5820 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5821 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5822 snicb = 0;
5823
5824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5825 TLS_client_method(), TLS1_VERSION, 0,
5826 &sctx, &cctx, cert, privkey)))
5827 goto end;
5828
5829 if (tst == 2
5830 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5831 TLS1_VERSION, 0,
5832 &sctx2, NULL, cert, privkey)))
5833 goto end;
5834
5835
5836 if (tst < 3) {
5837 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5838 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5839 if (sctx2 != NULL)
5840 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5841 }
5842
5843 if (tst == 5) {
5844 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5845 | SSL_EXT_TLS1_3_CERTIFICATE;
5846 SSL_CTX_set_verify(sctx,
5847 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5848 verify_cb);
5849 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5850 SSL_FILETYPE_PEM), 1)
5851 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5852 SSL_FILETYPE_PEM), 1)
5853 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5854 goto end;
5855 } else if (tst == 4) {
5856 context = SSL_EXT_CLIENT_HELLO
5857 | SSL_EXT_TLS1_2_SERVER_HELLO
5858 | SSL_EXT_TLS1_3_SERVER_HELLO
5859 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5860 | SSL_EXT_TLS1_3_CERTIFICATE
5861 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5862 } else {
5863 context = SSL_EXT_CLIENT_HELLO
5864 | SSL_EXT_TLS1_2_SERVER_HELLO
5865 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5866 }
5867
5868 /* Create a client side custom extension */
5869 if (tst == 0) {
5870 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5871 old_add_cb, old_free_cb,
5872 &client, old_parse_cb,
5873 &client)))
5874 goto end;
5875 } else {
5876 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5877 new_add_cb, new_free_cb,
5878 &client, new_parse_cb, &client)))
5879 goto end;
5880 }
5881
5882 /* Should not be able to add duplicates */
5883 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5884 old_add_cb, old_free_cb,
5885 &client, old_parse_cb,
5886 &client))
5887 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5888 context, new_add_cb,
5889 new_free_cb, &client,
5890 new_parse_cb, &client)))
5891 goto end;
5892
5893 /* Create a server side custom extension */
5894 if (tst == 0) {
5895 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5896 old_add_cb, old_free_cb,
5897 &server, old_parse_cb,
5898 &server)))
5899 goto end;
5900 } else {
5901 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5902 new_add_cb, new_free_cb,
5903 &server, new_parse_cb, &server)))
5904 goto end;
5905 if (sctx2 != NULL
5906 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5907 context, new_add_cb,
5908 new_free_cb, &server,
5909 new_parse_cb, &server)))
5910 goto end;
5911 }
5912
5913 /* Should not be able to add duplicates */
5914 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5915 old_add_cb, old_free_cb,
5916 &server, old_parse_cb,
5917 &server))
5918 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5919 context, new_add_cb,
5920 new_free_cb, &server,
5921 new_parse_cb, &server)))
5922 goto end;
5923
5924 if (tst == 2) {
5925 /* Set up SNI */
5926 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5927 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5928 goto end;
5929 }
5930
5931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5932 &clientssl, NULL, NULL))
5933 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5934 SSL_ERROR_NONE)))
5935 goto end;
5936
5937 if (tst == 0) {
5938 if (clntaddoldcb != 1
5939 || clntparseoldcb != 1
5940 || srvaddoldcb != 1
5941 || srvparseoldcb != 1)
5942 goto end;
5943 } else if (tst == 1 || tst == 2 || tst == 3) {
5944 if (clntaddnewcb != 1
5945 || clntparsenewcb != 1
5946 || srvaddnewcb != 1
5947 || srvparsenewcb != 1
5948 || (tst != 2 && snicb != 0)
5949 || (tst == 2 && snicb != 1))
5950 goto end;
5951 } else if (tst == 5) {
5952 if (clntaddnewcb != 1
5953 || clntparsenewcb != 1
5954 || srvaddnewcb != 1
5955 || srvparsenewcb != 1)
5956 goto end;
5957 } else {
5958 /* In this case there 2 NewSessionTicket messages created */
5959 if (clntaddnewcb != 1
5960 || clntparsenewcb != 5
5961 || srvaddnewcb != 5
5962 || srvparsenewcb != 1)
5963 goto end;
5964 }
5965
5966 sess = SSL_get1_session(clientssl);
5967 SSL_shutdown(clientssl);
5968 SSL_shutdown(serverssl);
5969 SSL_free(serverssl);
5970 SSL_free(clientssl);
5971 serverssl = clientssl = NULL;
5972
5973 if (tst == 3 || tst == 5) {
5974 /* We don't bother with the resumption aspects for these tests */
5975 testresult = 1;
5976 goto end;
5977 }
5978
5979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5980 NULL, NULL))
5981 || !TEST_true(SSL_set_session(clientssl, sess))
5982 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5983 SSL_ERROR_NONE)))
5984 goto end;
5985
5986 /*
5987 * For a resumed session we expect to add the ClientHello extension. For the
5988 * old style callbacks we ignore it on the server side because they set
5989 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5990 * them.
5991 */
5992 if (tst == 0) {
5993 if (clntaddoldcb != 2
5994 || clntparseoldcb != 1
5995 || srvaddoldcb != 1
5996 || srvparseoldcb != 1)
5997 goto end;
5998 } else if (tst == 1 || tst == 2 || tst == 3) {
5999 if (clntaddnewcb != 2
6000 || clntparsenewcb != 2
6001 || srvaddnewcb != 2
6002 || srvparsenewcb != 2)
6003 goto end;
6004 } else {
6005 /*
6006 * No Certificate message extensions in the resumption handshake,
6007 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6008 */
6009 if (clntaddnewcb != 2
6010 || clntparsenewcb != 8
6011 || srvaddnewcb != 8
6012 || srvparsenewcb != 2)
6013 goto end;
6014 }
6015
6016 testresult = 1;
6017
6018 end:
6019 SSL_SESSION_free(sess);
6020 SSL_free(serverssl);
6021 SSL_free(clientssl);
6022 SSL_CTX_free(sctx2);
6023 SSL_CTX_free(sctx);
6024 SSL_CTX_free(cctx);
6025 return testresult;
6026 }
6027
6028 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6029
6030 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6031 | SSL_EXT_CLIENT_HELLO \
6032 | SSL_EXT_TLS1_2_SERVER_HELLO \
6033 | SSL_EXT_IGNORE_ON_RESUMPTION)
6034
6035 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6036 | SSL_EXT_TLS1_2_SERVER_HELLO \
6037 | SSL_EXT_CLIENT_HELLO)
6038
6039 #define SERVERINFO_CUSTOM \
6040 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6041 0x00, 0x03, \
6042 0x04, 0x05, 0x06 \
6043
6044 static const unsigned char serverinfo_custom_tls13[] = {
6045 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6046 SERVERINFO_CUSTOM
6047 };
6048 static const unsigned char serverinfo_custom_v2[] = {
6049 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6050 SERVERINFO_CUSTOM
6051 };
6052 static const unsigned char serverinfo_custom_v1[] = {
6053 SERVERINFO_CUSTOM
6054 };
6055 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6056 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6057 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6058
6059 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6060 unsigned int context,
6061 const unsigned char *in,
6062 size_t inlen, X509 *x,
6063 size_t chainidx, int *al,
6064 void *parse_arg)
6065 {
6066 const size_t len = serverinfo_custom_v1_len;
6067 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6068 int *p_cb_result = (int*)parse_arg;
6069 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6070 return 1;
6071 }
6072
6073 static int test_serverinfo_custom(const int idx)
6074 {
6075 SSL_CTX *sctx = NULL, *cctx = NULL;
6076 SSL *clientssl = NULL, *serverssl = NULL;
6077 int testresult = 0;
6078 int cb_result = 0;
6079
6080 /*
6081 * Following variables are set in the switch statement
6082 * according to the test iteration.
6083 * Default values do not make much sense: test would fail with them.
6084 */
6085 int serverinfo_version = 0;
6086 int protocol_version = 0;
6087 unsigned int extension_context = 0;
6088 const unsigned char *si = NULL;
6089 size_t si_len = 0;
6090
6091 const int call_use_serverinfo_ex = idx > 0;
6092 switch (idx) {
6093 case 0: /* FALLTHROUGH */
6094 case 1:
6095 serverinfo_version = SSL_SERVERINFOV1;
6096 protocol_version = TLS1_2_VERSION;
6097 extension_context = SYNTHV1CONTEXT;
6098 si = serverinfo_custom_v1;
6099 si_len = serverinfo_custom_v1_len;
6100 break;
6101 case 2:
6102 serverinfo_version = SSL_SERVERINFOV2;
6103 protocol_version = TLS1_2_VERSION;
6104 extension_context = SYNTHV1CONTEXT;
6105 si = serverinfo_custom_v2;
6106 si_len = serverinfo_custom_v2_len;
6107 break;
6108 case 3:
6109 serverinfo_version = SSL_SERVERINFOV2;
6110 protocol_version = TLS1_3_VERSION;
6111 extension_context = TLS13CONTEXT;
6112 si = serverinfo_custom_tls13;
6113 si_len = serverinfo_custom_tls13_len;
6114 break;
6115 }
6116
6117 if (!TEST_true(create_ssl_ctx_pair(libctx,
6118 TLS_method(),
6119 TLS_method(),
6120 protocol_version,
6121 protocol_version,
6122 &sctx, &cctx, cert, privkey)))
6123 goto end;
6124
6125 if (call_use_serverinfo_ex) {
6126 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6127 si, si_len)))
6128 goto end;
6129 } else {
6130 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6131 goto end;
6132 }
6133
6134 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6135 extension_context,
6136 NULL, NULL, NULL,
6137 serverinfo_custom_parse_cb,
6138 &cb_result))
6139 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6140 NULL, NULL))
6141 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6142 SSL_ERROR_NONE))
6143 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6144 goto end;
6145
6146 if (!TEST_true(cb_result))
6147 goto end;
6148
6149 testresult = 1;
6150
6151 end:
6152 SSL_free(serverssl);
6153 SSL_free(clientssl);
6154 SSL_CTX_free(sctx);
6155 SSL_CTX_free(cctx);
6156
6157 return testresult;
6158 }
6159 #endif
6160
6161 /*
6162 * Test that SSL_export_keying_material() produces expected results. There are
6163 * no test vectors so all we do is test that both sides of the communication
6164 * produce the same results for different protocol versions.
6165 */
6166 #define SMALL_LABEL_LEN 10
6167 #define LONG_LABEL_LEN 249
6168 static int test_export_key_mat(int tst)
6169 {
6170 int testresult = 0;
6171 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6172 SSL *clientssl = NULL, *serverssl = NULL;
6173 const char label[LONG_LABEL_LEN + 1] = "test label";
6174 const unsigned char context[] = "context";
6175 const unsigned char *emptycontext = NULL;
6176 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6177 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6178 size_t labellen;
6179 const int protocols[] = {
6180 TLS1_VERSION,
6181 TLS1_1_VERSION,
6182 TLS1_2_VERSION,
6183 TLS1_3_VERSION,
6184 TLS1_3_VERSION,
6185 TLS1_3_VERSION
6186 };
6187
6188 #ifdef OPENSSL_NO_TLS1
6189 if (tst == 0)
6190 return 1;
6191 #endif
6192 #ifdef OPENSSL_NO_TLS1_1
6193 if (tst == 1)
6194 return 1;
6195 #endif
6196 if (is_fips && (tst == 0 || tst == 1))
6197 return 1;
6198 #ifdef OPENSSL_NO_TLS1_2
6199 if (tst == 2)
6200 return 1;
6201 #endif
6202 #ifdef OSSL_NO_USABLE_TLS1_3
6203 if (tst >= 3)
6204 return 1;
6205 #endif
6206 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6207 TLS_client_method(), TLS1_VERSION, 0,
6208 &sctx, &cctx, cert, privkey)))
6209 goto end;
6210
6211 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6212 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6213 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6214 if ((protocols[tst] < TLS1_2_VERSION) &&
6215 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6216 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6217 goto end;
6218
6219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6220 NULL)))
6221 goto end;
6222
6223 /*
6224 * Premature call of SSL_export_keying_material should just fail.
6225 */
6226 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6227 sizeof(ckeymat1), label,
6228 SMALL_LABEL_LEN + 1, context,
6229 sizeof(context) - 1, 1), 0))
6230 goto end;
6231
6232 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6233 SSL_ERROR_NONE)))
6234 goto end;
6235
6236 if (tst == 5) {
6237 /*
6238 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6239 * go over that.
6240 */
6241 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6242 sizeof(ckeymat1), label,
6243 LONG_LABEL_LEN + 1, context,
6244 sizeof(context) - 1, 1), 0))
6245 goto end;
6246
6247 testresult = 1;
6248 goto end;
6249 } else if (tst == 4) {
6250 labellen = LONG_LABEL_LEN;
6251 } else {
6252 labellen = SMALL_LABEL_LEN;
6253 }
6254
6255 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6256 sizeof(ckeymat1), label,
6257 labellen, context,
6258 sizeof(context) - 1, 1), 1)
6259 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6260 sizeof(ckeymat2), label,
6261 labellen,
6262 emptycontext,
6263 0, 1), 1)
6264 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6265 sizeof(ckeymat3), label,
6266 labellen,
6267 NULL, 0, 0), 1)
6268 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6269 sizeof(skeymat1), label,
6270 labellen,
6271 context,
6272 sizeof(context) -1, 1),
6273 1)
6274 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6275 sizeof(skeymat2), label,
6276 labellen,
6277 emptycontext,
6278 0, 1), 1)
6279 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6280 sizeof(skeymat3), label,
6281 labellen,
6282 NULL, 0, 0), 1)
6283 /*
6284 * Check that both sides created the same key material with the
6285 * same context.
6286 */
6287 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6288 sizeof(skeymat1))
6289 /*
6290 * Check that both sides created the same key material with an
6291 * empty context.
6292 */
6293 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6294 sizeof(skeymat2))
6295 /*
6296 * Check that both sides created the same key material without a
6297 * context.
6298 */
6299 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6300 sizeof(skeymat3))
6301 /* Different contexts should produce different results */
6302 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6303 sizeof(ckeymat2)))
6304 goto end;
6305
6306 /*
6307 * Check that an empty context and no context produce different results in
6308 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6309 */
6310 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6311 sizeof(ckeymat3)))
6312 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6313 sizeof(ckeymat3))))
6314 goto end;
6315
6316 testresult = 1;
6317
6318 end:
6319 SSL_free(serverssl);
6320 SSL_free(clientssl);
6321 SSL_CTX_free(sctx2);
6322 SSL_CTX_free(sctx);
6323 SSL_CTX_free(cctx);
6324
6325 return testresult;
6326 }
6327
6328 #ifndef OSSL_NO_USABLE_TLS1_3
6329 /*
6330 * Test that SSL_export_keying_material_early() produces expected
6331 * results. There are no test vectors so all we do is test that both
6332 * sides of the communication produce the same results for different
6333 * protocol versions.
6334 */
6335 static int test_export_key_mat_early(int idx)
6336 {
6337 static const char label[] = "test label";
6338 static const unsigned char context[] = "context";
6339 int testresult = 0;
6340 SSL_CTX *cctx = NULL, *sctx = NULL;
6341 SSL *clientssl = NULL, *serverssl = NULL;
6342 SSL_SESSION *sess = NULL;
6343 const unsigned char *emptycontext = NULL;
6344 unsigned char ckeymat1[80], ckeymat2[80];
6345 unsigned char skeymat1[80], skeymat2[80];
6346 unsigned char buf[1];
6347 size_t readbytes, written;
6348
6349 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6350 &sess, idx)))
6351 goto end;
6352
6353 /* Here writing 0 length early data is enough. */
6354 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6356 &readbytes),
6357 SSL_READ_EARLY_DATA_ERROR)
6358 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6359 SSL_EARLY_DATA_ACCEPTED))
6360 goto end;
6361
6362 if (!TEST_int_eq(SSL_export_keying_material_early(
6363 clientssl, ckeymat1, sizeof(ckeymat1), label,
6364 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6365 || !TEST_int_eq(SSL_export_keying_material_early(
6366 clientssl, ckeymat2, sizeof(ckeymat2), label,
6367 sizeof(label) - 1, emptycontext, 0), 1)
6368 || !TEST_int_eq(SSL_export_keying_material_early(
6369 serverssl, skeymat1, sizeof(skeymat1), label,
6370 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6371 || !TEST_int_eq(SSL_export_keying_material_early(
6372 serverssl, skeymat2, sizeof(skeymat2), label,
6373 sizeof(label) - 1, emptycontext, 0), 1)
6374 /*
6375 * Check that both sides created the same key material with the
6376 * same context.
6377 */
6378 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6379 sizeof(skeymat1))
6380 /*
6381 * Check that both sides created the same key material with an
6382 * empty context.
6383 */
6384 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6385 sizeof(skeymat2))
6386 /* Different contexts should produce different results */
6387 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6388 sizeof(ckeymat2)))
6389 goto end;
6390
6391 testresult = 1;
6392
6393 end:
6394 SSL_SESSION_free(sess);
6395 SSL_SESSION_free(clientpsk);
6396 SSL_SESSION_free(serverpsk);
6397 clientpsk = serverpsk = NULL;
6398 SSL_free(serverssl);
6399 SSL_free(clientssl);
6400 SSL_CTX_free(sctx);
6401 SSL_CTX_free(cctx);
6402
6403 return testresult;
6404 }
6405
6406 #define NUM_KEY_UPDATE_MESSAGES 40
6407 /*
6408 * Test KeyUpdate.
6409 */
6410 static int test_key_update(void)
6411 {
6412 SSL_CTX *cctx = NULL, *sctx = NULL;
6413 SSL *clientssl = NULL, *serverssl = NULL;
6414 int testresult = 0, i, j;
6415 char buf[20];
6416 static char *mess = "A test message";
6417
6418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6419 TLS_client_method(),
6420 TLS1_3_VERSION,
6421 0,
6422 &sctx, &cctx, cert, privkey))
6423 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6424 NULL, NULL))
6425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6426 SSL_ERROR_NONE)))
6427 goto end;
6428
6429 for (j = 0; j < 2; j++) {
6430 /* Send lots of KeyUpdate messages */
6431 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6432 if (!TEST_true(SSL_key_update(clientssl,
6433 (j == 0)
6434 ? SSL_KEY_UPDATE_NOT_REQUESTED
6435 : SSL_KEY_UPDATE_REQUESTED))
6436 || !TEST_true(SSL_do_handshake(clientssl)))
6437 goto end;
6438 }
6439
6440 /* Check that sending and receiving app data is ok */
6441 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6442 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6443 strlen(mess)))
6444 goto end;
6445
6446 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6447 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6448 strlen(mess)))
6449 goto end;
6450 }
6451
6452 testresult = 1;
6453
6454 end:
6455 SSL_free(serverssl);
6456 SSL_free(clientssl);
6457 SSL_CTX_free(sctx);
6458 SSL_CTX_free(cctx);
6459
6460 return testresult;
6461 }
6462
6463 /*
6464 * Test we can handle a KeyUpdate (update requested) message while
6465 * write data is pending in peer.
6466 * Test 0: Client sends KeyUpdate while Server is writing
6467 * Test 1: Server sends KeyUpdate while Client is writing
6468 */
6469 static int test_key_update_peer_in_write(int tst)
6470 {
6471 SSL_CTX *cctx = NULL, *sctx = NULL;
6472 SSL *clientssl = NULL, *serverssl = NULL;
6473 int testresult = 0;
6474 char buf[20];
6475 static char *mess = "A test message";
6476 BIO *bretry = BIO_new(bio_s_always_retry());
6477 BIO *tmp = NULL;
6478 SSL *peerupdate = NULL, *peerwrite = NULL;
6479
6480 if (!TEST_ptr(bretry)
6481 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6482 TLS_client_method(),
6483 TLS1_3_VERSION,
6484 0,
6485 &sctx, &cctx, cert, privkey))
6486 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6487 NULL, NULL))
6488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6489 SSL_ERROR_NONE)))
6490 goto end;
6491
6492 peerupdate = tst == 0 ? clientssl : serverssl;
6493 peerwrite = tst == 0 ? serverssl : clientssl;
6494
6495 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6496 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6497 goto end;
6498
6499 /* Swap the writing endpoint's write BIO to force a retry */
6500 tmp = SSL_get_wbio(peerwrite);
6501 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6502 tmp = NULL;
6503 goto end;
6504 }
6505 SSL_set0_wbio(peerwrite, bretry);
6506 bretry = NULL;
6507
6508 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6509 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6510 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6511 goto end;
6512
6513 /* Reinstate the original writing endpoint's write BIO */
6514 SSL_set0_wbio(peerwrite, tmp);
6515 tmp = NULL;
6516
6517 /* Now read some data - we will read the key update */
6518 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6519 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6520 goto end;
6521
6522 /*
6523 * Complete the write we started previously and read it from the other
6524 * endpoint
6525 */
6526 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6527 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6528 goto end;
6529
6530 /* Write more data to ensure we send the KeyUpdate message back */
6531 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6532 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6533 goto end;
6534
6535 testresult = 1;
6536
6537 end:
6538 SSL_free(serverssl);
6539 SSL_free(clientssl);
6540 SSL_CTX_free(sctx);
6541 SSL_CTX_free(cctx);
6542 BIO_free(bretry);
6543 BIO_free(tmp);
6544
6545 return testresult;
6546 }
6547
6548 /*
6549 * Test we can handle a KeyUpdate (update requested) message while
6550 * peer read data is pending after peer accepted keyupdate(the msg header
6551 * had been read 5 bytes).
6552 * Test 0: Client sends KeyUpdate while Server is reading
6553 * Test 1: Server sends KeyUpdate while Client is reading
6554 */
6555 static int test_key_update_peer_in_read(int tst)
6556 {
6557 SSL_CTX *cctx = NULL, *sctx = NULL;
6558 SSL *clientssl = NULL, *serverssl = NULL;
6559 int testresult = 0;
6560 char prbuf[515], lwbuf[515] = {0};
6561 static char *mess = "A test message";
6562 BIO *lbio = NULL, *pbio = NULL;
6563 SSL *local = NULL, *peer = NULL;
6564
6565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6566 TLS_client_method(),
6567 TLS1_3_VERSION,
6568 0,
6569 &sctx, &cctx, cert, privkey))
6570 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6571 NULL, NULL))
6572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6573 SSL_ERROR_NONE)))
6574 goto end;
6575
6576 local = tst == 0 ? clientssl : serverssl;
6577 peer = tst == 0 ? serverssl : clientssl;
6578
6579 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6580 goto end;
6581
6582 SSL_set_bio(local, lbio, lbio);
6583 SSL_set_bio(peer, pbio, pbio);
6584
6585 /*
6586 * we first write keyupdate msg then appdata in local
6587 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6588 * lwbuf app data msg size + key updata msg size > 512(the size of
6589 * the bio pair buffer)
6590 */
6591 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6592 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6593 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6594 goto end;
6595
6596 /*
6597 * first read keyupdate msg in peer in peer
6598 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6599 */
6600 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6601 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6602 goto end;
6603
6604 /* Now write some data in peer - we will write the key update */
6605 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6606 goto end;
6607
6608 /*
6609 * write data in local previously that we will complete
6610 * read data in peer previously that we will complete
6611 */
6612 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6613 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6614 goto end;
6615
6616 /* check that sending and receiving appdata ok */
6617 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6618 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6619 goto end;
6620
6621 testresult = 1;
6622
6623 end:
6624 SSL_free(serverssl);
6625 SSL_free(clientssl);
6626 SSL_CTX_free(sctx);
6627 SSL_CTX_free(cctx);
6628
6629 return testresult;
6630 }
6631
6632 /*
6633 * Test we can't send a KeyUpdate (update requested) message while
6634 * local write data is pending.
6635 * Test 0: Client sends KeyUpdate while Client is writing
6636 * Test 1: Server sends KeyUpdate while Server is writing
6637 */
6638 static int test_key_update_local_in_write(int tst)
6639 {
6640 SSL_CTX *cctx = NULL, *sctx = NULL;
6641 SSL *clientssl = NULL, *serverssl = NULL;
6642 int testresult = 0;
6643 char buf[20];
6644 static char *mess = "A test message";
6645 BIO *bretry = BIO_new(bio_s_always_retry());
6646 BIO *tmp = NULL;
6647 SSL *local = NULL, *peer = NULL;
6648
6649 if (!TEST_ptr(bretry)
6650 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6651 TLS_client_method(),
6652 TLS1_3_VERSION,
6653 0,
6654 &sctx, &cctx, cert, privkey))
6655 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6656 NULL, NULL))
6657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6658 SSL_ERROR_NONE)))
6659 goto end;
6660
6661 local = tst == 0 ? clientssl : serverssl;
6662 peer = tst == 0 ? serverssl : clientssl;
6663
6664 /* Swap the writing endpoint's write BIO to force a retry */
6665 tmp = SSL_get_wbio(local);
6666 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6667 tmp = NULL;
6668 goto end;
6669 }
6670 SSL_set0_wbio(local, bretry);
6671 bretry = NULL;
6672
6673 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6674 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6675 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6676 goto end;
6677
6678 /* Reinstate the original writing endpoint's write BIO */
6679 SSL_set0_wbio(local, tmp);
6680 tmp = NULL;
6681
6682 /* SSL_key_update will fail, because writing in local*/
6683 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6684 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6685 goto end;
6686
6687 ERR_clear_error();
6688 /* write data in local previously that we will complete */
6689 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6690 goto end;
6691
6692 /* SSL_key_update will succeed because there is no pending write data */
6693 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6694 || !TEST_int_eq(SSL_do_handshake(local), 1))
6695 goto end;
6696
6697 /*
6698 * we write some appdata in local
6699 * read data in peer - we will read the keyupdate msg
6700 */
6701 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6702 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6703 goto end;
6704
6705 /* Write more peer more data to ensure we send the keyupdate message back */
6706 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6707 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6708 goto end;
6709
6710 testresult = 1;
6711
6712 end:
6713 SSL_free(serverssl);
6714 SSL_free(clientssl);
6715 SSL_CTX_free(sctx);
6716 SSL_CTX_free(cctx);
6717 BIO_free(bretry);
6718 BIO_free(tmp);
6719
6720 return testresult;
6721 }
6722
6723 /*
6724 * Test we can handle a KeyUpdate (update requested) message while
6725 * local read data is pending(the msg header had been read 5 bytes).
6726 * Test 0: Client sends KeyUpdate while Client is reading
6727 * Test 1: Server sends KeyUpdate while Server is reading
6728 */
6729 static int test_key_update_local_in_read(int tst)
6730 {
6731 SSL_CTX *cctx = NULL, *sctx = NULL;
6732 SSL *clientssl = NULL, *serverssl = NULL;
6733 int testresult = 0;
6734 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6735 static char *mess = "A test message";
6736 BIO *lbio = NULL, *pbio = NULL;
6737 SSL *local = NULL, *peer = NULL;
6738
6739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6740 TLS_client_method(),
6741 TLS1_3_VERSION,
6742 0,
6743 &sctx, &cctx, cert, privkey))
6744 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6745 NULL, NULL))
6746 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6747 SSL_ERROR_NONE)))
6748 goto end;
6749
6750 local = tst == 0 ? clientssl : serverssl;
6751 peer = tst == 0 ? serverssl : clientssl;
6752
6753 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6754 goto end;
6755
6756 SSL_set_bio(local, lbio, lbio);
6757 SSL_set_bio(peer, pbio, pbio);
6758
6759 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6760 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6761 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6762 goto end;
6763
6764 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6765 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6766 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6767 goto end;
6768
6769 /* SSL_do_handshake will send keyupdate msg */
6770 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6771 || !TEST_int_eq(SSL_do_handshake(local), 1))
6772 goto end;
6773
6774 /*
6775 * write data in peer previously that we will complete
6776 * read data in local previously that we will complete
6777 */
6778 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6779 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6780 goto end;
6781
6782 /*
6783 * write data in local
6784 * read data in peer - we will read the key update
6785 */
6786 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6787 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6788 goto end;
6789
6790 /* Write more peer data to ensure we send the keyupdate message back */
6791 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6792 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6793 goto end;
6794
6795 testresult = 1;
6796
6797 end:
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6800 SSL_CTX_free(sctx);
6801 SSL_CTX_free(cctx);
6802
6803 return testresult;
6804 }
6805 #endif /* OSSL_NO_USABLE_TLS1_3 */
6806
6807 static int test_ssl_clear(int idx)
6808 {
6809 SSL_CTX *cctx = NULL, *sctx = NULL;
6810 SSL *clientssl = NULL, *serverssl = NULL;
6811 int testresult = 0;
6812
6813 #ifdef OPENSSL_NO_TLS1_2
6814 if (idx == 1)
6815 return 1;
6816 #endif
6817
6818 /* Create an initial connection */
6819 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6820 TLS_client_method(), TLS1_VERSION, 0,
6821 &sctx, &cctx, cert, privkey))
6822 || (idx == 1
6823 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6824 TLS1_2_VERSION)))
6825 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6826 &clientssl, NULL, NULL))
6827 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6828 SSL_ERROR_NONE)))
6829 goto end;
6830
6831 SSL_shutdown(clientssl);
6832 SSL_shutdown(serverssl);
6833 SSL_free(serverssl);
6834 serverssl = NULL;
6835
6836 /* Clear clientssl - we're going to reuse the object */
6837 if (!TEST_true(SSL_clear(clientssl)))
6838 goto end;
6839
6840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6841 NULL, NULL))
6842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6843 SSL_ERROR_NONE))
6844 || !TEST_true(SSL_session_reused(clientssl)))
6845 goto end;
6846
6847 SSL_shutdown(clientssl);
6848 SSL_shutdown(serverssl);
6849
6850 testresult = 1;
6851
6852 end:
6853 SSL_free(serverssl);
6854 SSL_free(clientssl);
6855 SSL_CTX_free(sctx);
6856 SSL_CTX_free(cctx);
6857
6858 return testresult;
6859 }
6860
6861 /* Parse CH and retrieve any MFL extension value if present */
6862 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6863 {
6864 long len;
6865 unsigned char *data;
6866 PACKET pkt, pkt2, pkt3;
6867 unsigned int MFL_code = 0, type = 0;
6868
6869 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6870 goto end;
6871
6872 memset(&pkt, 0, sizeof(pkt));
6873 memset(&pkt2, 0, sizeof(pkt2));
6874 memset(&pkt3, 0, sizeof(pkt3));
6875
6876 if (!TEST_long_gt(len, 0)
6877 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6878 /* Skip the record header */
6879 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6880 /* Skip the handshake message header */
6881 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6882 /* Skip client version and random */
6883 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6884 + SSL3_RANDOM_SIZE))
6885 /* Skip session id */
6886 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6887 /* Skip ciphers */
6888 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6889 /* Skip compression */
6890 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6891 /* Extensions len */
6892 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6893 goto end;
6894
6895 /* Loop through all extensions */
6896 while (PACKET_remaining(&pkt2)) {
6897 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6898 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6899 goto end;
6900
6901 if (type == TLSEXT_TYPE_max_fragment_length) {
6902 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6903 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6904 goto end;
6905
6906 *mfl_codemfl_code = MFL_code;
6907 return 1;
6908 }
6909 }
6910
6911 end:
6912 return 0;
6913 }
6914
6915 /* Maximum-Fragment-Length TLS extension mode to test */
6916 static const unsigned char max_fragment_len_test[] = {
6917 TLSEXT_max_fragment_length_512,
6918 TLSEXT_max_fragment_length_1024,
6919 TLSEXT_max_fragment_length_2048,
6920 TLSEXT_max_fragment_length_4096
6921 };
6922
6923 static int test_max_fragment_len_ext(int idx_tst)
6924 {
6925 SSL_CTX *ctx = NULL;
6926 SSL *con = NULL;
6927 int testresult = 0, MFL_mode = 0;
6928 BIO *rbio, *wbio;
6929
6930 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6931 TLS1_VERSION, 0, NULL, &ctx, NULL,
6932 NULL)))
6933 return 0;
6934
6935 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6936 ctx, max_fragment_len_test[idx_tst])))
6937 goto end;
6938
6939 con = SSL_new(ctx);
6940 if (!TEST_ptr(con))
6941 goto end;
6942
6943 rbio = BIO_new(BIO_s_mem());
6944 wbio = BIO_new(BIO_s_mem());
6945 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6946 BIO_free(rbio);
6947 BIO_free(wbio);
6948 goto end;
6949 }
6950
6951 SSL_set_bio(con, rbio, wbio);
6952
6953 if (!TEST_int_le(SSL_connect(con), 0)) {
6954 /* This shouldn't succeed because we don't have a server! */
6955 goto end;
6956 }
6957
6958 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6959 /* no MFL in client hello */
6960 goto end;
6961 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6962 goto end;
6963
6964 testresult = 1;
6965
6966 end:
6967 SSL_free(con);
6968 SSL_CTX_free(ctx);
6969
6970 return testresult;
6971 }
6972
6973 #ifndef OSSL_NO_USABLE_TLS1_3
6974 static int test_pha_key_update(void)
6975 {
6976 SSL_CTX *cctx = NULL, *sctx = NULL;
6977 SSL *clientssl = NULL, *serverssl = NULL;
6978 int testresult = 0;
6979
6980 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6981 TLS_client_method(), TLS1_VERSION, 0,
6982 &sctx, &cctx, cert, privkey)))
6983 return 0;
6984
6985 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6987 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6988 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6989 goto end;
6990
6991 SSL_CTX_set_post_handshake_auth(cctx, 1);
6992
6993 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6994 NULL, NULL)))
6995 goto end;
6996
6997 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6998 SSL_ERROR_NONE)))
6999 goto end;
7000
7001 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7002 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7003 goto end;
7004
7005 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7006 goto end;
7007
7008 /* Start handshake on the server */
7009 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7010 goto end;
7011
7012 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7013 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7014 SSL_ERROR_NONE)))
7015 goto end;
7016
7017 SSL_shutdown(clientssl);
7018 SSL_shutdown(serverssl);
7019
7020 testresult = 1;
7021
7022 end:
7023 SSL_free(serverssl);
7024 SSL_free(clientssl);
7025 SSL_CTX_free(sctx);
7026 SSL_CTX_free(cctx);
7027 return testresult;
7028 }
7029 #endif
7030
7031 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7032
7033 static SRP_VBASE *vbase = NULL;
7034
7035 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7036 {
7037 int ret = SSL3_AL_FATAL;
7038 char *username;
7039 SRP_user_pwd *user = NULL;
7040
7041 username = SSL_get_srp_username(s);
7042 if (username == NULL) {
7043 *ad = SSL_AD_INTERNAL_ERROR;
7044 goto err;
7045 }
7046
7047 user = SRP_VBASE_get1_by_user(vbase, username);
7048 if (user == NULL) {
7049 *ad = SSL_AD_INTERNAL_ERROR;
7050 goto err;
7051 }
7052
7053 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7054 user->info) <= 0) {
7055 *ad = SSL_AD_INTERNAL_ERROR;
7056 goto err;
7057 }
7058
7059 ret = 0;
7060
7061 err:
7062 SRP_user_pwd_free(user);
7063 return ret;
7064 }
7065
7066 static int create_new_vfile(char *userid, char *password, const char *filename)
7067 {
7068 char *gNid = NULL;
7069 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7070 TXT_DB *db = NULL;
7071 int ret = 0;
7072 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7073 size_t i;
7074
7075 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7076 goto end;
7077
7078 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7079 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7080 if (!TEST_ptr(gNid))
7081 goto end;
7082
7083 /*
7084 * The only way to create an empty TXT_DB is to provide a BIO with no data
7085 * in it!
7086 */
7087 db = TXT_DB_read(dummy, DB_NUMBER);
7088 if (!TEST_ptr(db))
7089 goto end;
7090
7091 out = BIO_new_file(filename, "w");
7092 if (!TEST_ptr(out))
7093 goto end;
7094
7095 row[DB_srpid] = OPENSSL_strdup(userid);
7096 row[DB_srptype] = OPENSSL_strdup("V");
7097 row[DB_srpgN] = OPENSSL_strdup(gNid);
7098
7099 if (!TEST_ptr(row[DB_srpid])
7100 || !TEST_ptr(row[DB_srptype])
7101 || !TEST_ptr(row[DB_srpgN])
7102 || !TEST_true(TXT_DB_insert(db, row)))
7103 goto end;
7104
7105 row = NULL;
7106
7107 if (TXT_DB_write(out, db) <= 0)
7108 goto end;
7109
7110 ret = 1;
7111 end:
7112 if (row != NULL) {
7113 for (i = 0; i < DB_NUMBER; i++)
7114 OPENSSL_free(row[i]);
7115 }
7116 OPENSSL_free(row);
7117 BIO_free(dummy);
7118 BIO_free(out);
7119 TXT_DB_free(db);
7120
7121 return ret;
7122 }
7123
7124 static int create_new_vbase(char *userid, char *password)
7125 {
7126 BIGNUM *verifier = NULL, *salt = NULL;
7127 const SRP_gN *lgN = NULL;
7128 SRP_user_pwd *user_pwd = NULL;
7129 int ret = 0;
7130
7131 lgN = SRP_get_default_gN(NULL);
7132 if (!TEST_ptr(lgN))
7133 goto end;
7134
7135 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7136 lgN->N, lgN->g, libctx, NULL)))
7137 goto end;
7138
7139 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7140 if (!TEST_ptr(user_pwd))
7141 goto end;
7142
7143 user_pwd->N = lgN->N;
7144 user_pwd->g = lgN->g;
7145 user_pwd->id = OPENSSL_strdup(userid);
7146 if (!TEST_ptr(user_pwd->id))
7147 goto end;
7148
7149 user_pwd->v = verifier;
7150 user_pwd->s = salt;
7151 verifier = salt = NULL;
7152
7153 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7154 goto end;
7155 user_pwd = NULL;
7156
7157 ret = 1;
7158 end:
7159 SRP_user_pwd_free(user_pwd);
7160 BN_free(salt);
7161 BN_free(verifier);
7162
7163 return ret;
7164 }
7165
7166 /*
7167 * SRP tests
7168 *
7169 * Test 0: Simple successful SRP connection, new vbase
7170 * Test 1: Connection failure due to bad password, new vbase
7171 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7172 * Test 3: Connection failure due to bad password, vbase loaded from existing
7173 * file
7174 * Test 4: Simple successful SRP connection, vbase loaded from new file
7175 * Test 5: Connection failure due to bad password, vbase loaded from new file
7176 */
7177 static int test_srp(int tst)
7178 {
7179 char *userid = "test", *password = "password", *tstsrpfile;
7180 SSL_CTX *cctx = NULL, *sctx = NULL;
7181 SSL *clientssl = NULL, *serverssl = NULL;
7182 int ret, testresult = 0;
7183
7184 vbase = SRP_VBASE_new(NULL);
7185 if (!TEST_ptr(vbase))
7186 goto end;
7187
7188 if (tst == 0 || tst == 1) {
7189 if (!TEST_true(create_new_vbase(userid, password)))
7190 goto end;
7191 } else {
7192 if (tst == 4 || tst == 5) {
7193 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7194 goto end;
7195 tstsrpfile = tmpfilename;
7196 } else {
7197 tstsrpfile = srpvfile;
7198 }
7199 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7200 goto end;
7201 }
7202
7203 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7204 TLS_client_method(), TLS1_VERSION, 0,
7205 &sctx, &cctx, cert, privkey)))
7206 goto end;
7207
7208 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7209 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7210 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7211 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7212 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7213 goto end;
7214
7215 if (tst % 2 == 1) {
7216 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7217 goto end;
7218 } else {
7219 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7220 goto end;
7221 }
7222
7223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7224 NULL, NULL)))
7225 goto end;
7226
7227 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7228 if (ret) {
7229 if (!TEST_true(tst % 2 == 0))
7230 goto end;
7231 } else {
7232 if (!TEST_true(tst % 2 == 1))
7233 goto end;
7234 }
7235
7236 testresult = 1;
7237
7238 end:
7239 SRP_VBASE_free(vbase);
7240 vbase = NULL;
7241 SSL_free(serverssl);
7242 SSL_free(clientssl);
7243 SSL_CTX_free(sctx);
7244 SSL_CTX_free(cctx);
7245
7246 return testresult;
7247 }
7248 #endif
7249
7250 static int info_cb_failed = 0;
7251 static int info_cb_offset = 0;
7252 static int info_cb_this_state = -1;
7253
7254 static struct info_cb_states_st {
7255 int where;
7256 const char *statestr;
7257 } info_cb_states[][60] = {
7258 {
7259 /* TLSv1.2 server followed by resumption */
7260 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7261 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7262 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7263 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7264 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7265 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7266 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7267 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7268 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7269 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7270 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7271 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7272 {SSL_CB_EXIT, NULL}, {0, NULL},
7273 }, {
7274 /* TLSv1.2 client followed by resumption */
7275 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7276 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7277 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7278 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7279 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7280 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7281 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7282 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7283 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7284 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7285 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7286 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7287 }, {
7288 /* TLSv1.3 server followed by resumption */
7289 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7290 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7291 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7292 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7293 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7294 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7295 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7296 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7297 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7298 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7299 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7300 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7301 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7302 }, {
7303 /* TLSv1.3 client followed by resumption */
7304 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7305 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7306 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7307 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7308 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7309 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7310 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7311 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7312 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7313 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7314 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7315 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7316 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7317 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7318 {SSL_CB_EXIT, NULL}, {0, NULL},
7319 }, {
7320 /* TLSv1.3 server, early_data */
7321 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7322 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7323 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7325 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7326 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7327 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7328 {SSL_CB_EXIT, NULL}, {0, NULL},
7329 }, {
7330 /* TLSv1.3 client, early_data */
7331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7333 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7335 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7336 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7337 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7338 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7339 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7340 }, {
7341 /* TLSv1.3 server, certificate compression, followed by resumption */
7342 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7343 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7345 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7346 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7347 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7348 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7350 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7351 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7352 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7353 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7354 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7355 }, {
7356 /* TLSv1.3 client, certificate compression, followed by resumption */
7357 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7358 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7359 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7360 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7361 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7362 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7363 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7364 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7365 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7366 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7367 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7368 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7370 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7371 {SSL_CB_EXIT, NULL}, {0, NULL},
7372 }, {
7373 {0, NULL},
7374 }
7375 };
7376
7377 static void sslapi_info_callback(const SSL *s, int where, int ret)
7378 {
7379 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7380
7381 /* We do not ever expect a connection to fail in this test */
7382 if (!TEST_false(ret == 0)) {
7383 info_cb_failed = 1;
7384 return;
7385 }
7386
7387 /*
7388 * Do some sanity checks. We never expect these things to happen in this
7389 * test
7390 */
7391 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7392 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7393 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7394 info_cb_failed = 1;
7395 return;
7396 }
7397
7398 /* Now check we're in the right state */
7399 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7400 info_cb_failed = 1;
7401 return;
7402 }
7403 if ((where & SSL_CB_LOOP) != 0
7404 && !TEST_int_eq(strcmp(SSL_state_string(s),
7405 state[info_cb_this_state].statestr), 0)) {
7406 info_cb_failed = 1;
7407 return;
7408 }
7409
7410 /*
7411 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7412 */
7413 if ((where & SSL_CB_HANDSHAKE_DONE)
7414 && SSL_in_init((SSL *)s) != 0) {
7415 info_cb_failed = 1;
7416 return;
7417 }
7418 }
7419
7420 /*
7421 * Test the info callback gets called when we expect it to.
7422 *
7423 * Test 0: TLSv1.2, server
7424 * Test 1: TLSv1.2, client
7425 * Test 2: TLSv1.3, server
7426 * Test 3: TLSv1.3, client
7427 * Test 4: TLSv1.3, server, early_data
7428 * Test 5: TLSv1.3, client, early_data
7429 * Test 6: TLSv1.3, server, compressed certificate
7430 * Test 7: TLSv1.3, client, compressed certificate
7431 */
7432 static int test_info_callback(int tst)
7433 {
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7436 SSL_SESSION *clntsess = NULL;
7437 int testresult = 0;
7438 int tlsvers;
7439
7440 if (tst < 2) {
7441 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7442 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7443 || !defined(OPENSSL_NO_DH))
7444 tlsvers = TLS1_2_VERSION;
7445 #else
7446 return 1;
7447 #endif
7448 } else {
7449 #ifndef OSSL_NO_USABLE_TLS1_3
7450 tlsvers = TLS1_3_VERSION;
7451 #else
7452 return 1;
7453 #endif
7454 }
7455
7456 /* Reset globals */
7457 info_cb_failed = 0;
7458 info_cb_this_state = -1;
7459 info_cb_offset = tst;
7460
7461 #ifndef OSSL_NO_USABLE_TLS1_3
7462 if (tst >= 4 && tst < 6) {
7463 SSL_SESSION *sess = NULL;
7464 size_t written, readbytes;
7465 unsigned char buf[80];
7466
7467 /* early_data tests */
7468 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7469 &serverssl, &sess, 0)))
7470 goto end;
7471
7472 /* We don't actually need this reference */
7473 SSL_SESSION_free(sess);
7474
7475 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7476 sslapi_info_callback);
7477
7478 /* Write and read some early data and then complete the connection */
7479 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7480 &written))
7481 || !TEST_size_t_eq(written, strlen(MSG1))
7482 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7483 sizeof(buf), &readbytes),
7484 SSL_READ_EARLY_DATA_SUCCESS)
7485 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7486 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7487 SSL_EARLY_DATA_ACCEPTED)
7488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7489 SSL_ERROR_NONE))
7490 || !TEST_false(info_cb_failed))
7491 goto end;
7492
7493 testresult = 1;
7494 goto end;
7495 }
7496 #endif
7497
7498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7499 TLS_client_method(),
7500 tlsvers, tlsvers, &sctx, &cctx, cert,
7501 privkey)))
7502 goto end;
7503
7504 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7505 goto end;
7506
7507 /*
7508 * For even numbered tests we check the server callbacks. For odd numbers we
7509 * check the client.
7510 */
7511 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7512 sslapi_info_callback);
7513 if (tst >= 6) {
7514 if (!SSL_CTX_compress_certs(sctx, 0))
7515 goto end;
7516 }
7517
7518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7519 &clientssl, NULL, NULL))
7520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7521 SSL_ERROR_NONE))
7522 || !TEST_false(info_cb_failed))
7523 goto end;
7524
7525
7526
7527 clntsess = SSL_get1_session(clientssl);
7528 SSL_shutdown(clientssl);
7529 SSL_shutdown(serverssl);
7530 SSL_free(serverssl);
7531 SSL_free(clientssl);
7532 serverssl = clientssl = NULL;
7533
7534 /* Now do a resumption */
7535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7536 NULL))
7537 || !TEST_true(SSL_set_session(clientssl, clntsess))
7538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7539 SSL_ERROR_NONE))
7540 || !TEST_true(SSL_session_reused(clientssl))
7541 || !TEST_false(info_cb_failed))
7542 goto end;
7543
7544 testresult = 1;
7545
7546 end:
7547 SSL_free(serverssl);
7548 SSL_free(clientssl);
7549 SSL_SESSION_free(clntsess);
7550 SSL_CTX_free(sctx);
7551 SSL_CTX_free(cctx);
7552 return testresult;
7553 }
7554
7555 static int test_ssl_pending(int tst)
7556 {
7557 SSL_CTX *cctx = NULL, *sctx = NULL;
7558 SSL *clientssl = NULL, *serverssl = NULL;
7559 int testresult = 0;
7560 char msg[] = "A test message";
7561 char buf[5];
7562 size_t written, readbytes;
7563
7564 if (tst == 0) {
7565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7566 TLS_client_method(),
7567 TLS1_VERSION, 0,
7568 &sctx, &cctx, cert, privkey)))
7569 goto end;
7570 } else {
7571 #ifndef OPENSSL_NO_DTLS
7572 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7573 DTLS_client_method(),
7574 DTLS1_VERSION, 0,
7575 &sctx, &cctx, cert, privkey)))
7576 goto end;
7577
7578 # ifdef OPENSSL_NO_DTLS1_2
7579 /* Not supported in the FIPS provider */
7580 if (is_fips) {
7581 testresult = 1;
7582 goto end;
7583 };
7584 /*
7585 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7586 * level 0
7587 */
7588 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7589 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7590 "DEFAULT:@SECLEVEL=0")))
7591 goto end;
7592 # endif
7593 #else
7594 return 1;
7595 #endif
7596 }
7597
7598 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7599 NULL, NULL))
7600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7601 SSL_ERROR_NONE)))
7602 goto end;
7603
7604 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7605 || !TEST_false(SSL_has_pending(clientssl))
7606 || !TEST_int_eq(SSL_pending(serverssl), 0)
7607 || !TEST_false(SSL_has_pending(serverssl))
7608 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7609 || !TEST_size_t_eq(written, sizeof(msg))
7610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7611 || !TEST_size_t_eq(readbytes, sizeof(buf))
7612 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7613 || !TEST_true(SSL_has_pending(clientssl)))
7614 goto end;
7615
7616 testresult = 1;
7617
7618 end:
7619 SSL_free(serverssl);
7620 SSL_free(clientssl);
7621 SSL_CTX_free(sctx);
7622 SSL_CTX_free(cctx);
7623
7624 return testresult;
7625 }
7626
7627 static struct {
7628 unsigned int maxprot;
7629 const char *clntciphers;
7630 const char *clnttls13ciphers;
7631 const char *srvrciphers;
7632 const char *srvrtls13ciphers;
7633 const char *shared;
7634 const char *fipsshared;
7635 } shared_ciphers_data[] = {
7636 /*
7637 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7638 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7639 */
7640 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7641 {
7642 TLS1_2_VERSION,
7643 "AES128-SHA:AES256-SHA",
7644 NULL,
7645 "AES256-SHA:DHE-RSA-AES128-SHA",
7646 NULL,
7647 "AES256-SHA",
7648 "AES256-SHA"
7649 },
7650 # if !defined(OPENSSL_NO_CHACHA) \
7651 && !defined(OPENSSL_NO_POLY1305) \
7652 && !defined(OPENSSL_NO_EC)
7653 {
7654 TLS1_2_VERSION,
7655 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7656 NULL,
7657 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7658 NULL,
7659 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7660 "AES128-SHA"
7661 },
7662 # endif
7663 {
7664 TLS1_2_VERSION,
7665 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7666 NULL,
7667 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7668 NULL,
7669 "AES128-SHA:AES256-SHA",
7670 "AES128-SHA:AES256-SHA"
7671 },
7672 {
7673 TLS1_2_VERSION,
7674 "AES128-SHA:AES256-SHA",
7675 NULL,
7676 "AES128-SHA:DHE-RSA-AES128-SHA",
7677 NULL,
7678 "AES128-SHA",
7679 "AES128-SHA"
7680 },
7681 #endif
7682 /*
7683 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7684 * enabled.
7685 */
7686 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7687 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7688 {
7689 TLS1_3_VERSION,
7690 "AES128-SHA:AES256-SHA",
7691 NULL,
7692 "AES256-SHA:AES128-SHA256",
7693 NULL,
7694 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7695 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7696 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7697 },
7698 #endif
7699 #ifndef OSSL_NO_USABLE_TLS1_3
7700 {
7701 TLS1_3_VERSION,
7702 "AES128-SHA",
7703 "TLS_AES_256_GCM_SHA384",
7704 "AES256-SHA",
7705 "TLS_AES_256_GCM_SHA384",
7706 "TLS_AES_256_GCM_SHA384",
7707 "TLS_AES_256_GCM_SHA384"
7708 },
7709 #endif
7710 };
7711
7712 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7713 {
7714 SSL_CTX *cctx = NULL, *sctx = NULL;
7715 SSL *clientssl = NULL, *serverssl = NULL;
7716 int testresult = 0;
7717 char buf[1024];
7718 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7719
7720 if (!TEST_ptr(tmplibctx))
7721 goto end;
7722
7723 /*
7724 * Regardless of whether we're testing with the FIPS provider loaded into
7725 * libctx, we want one peer to always use the full set of ciphersuites
7726 * available. Therefore we use a separate libctx with the default provider
7727 * loaded into it. We run the same tests twice - once with the client side
7728 * having the full set of ciphersuites and once with the server side.
7729 */
7730 if (clnt) {
7731 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7732 if (!TEST_ptr(cctx))
7733 goto end;
7734 } else {
7735 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7736 if (!TEST_ptr(sctx))
7737 goto end;
7738 }
7739
7740 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7741 TLS_client_method(),
7742 TLS1_VERSION,
7743 shared_ciphers_data[tst].maxprot,
7744 &sctx, &cctx, cert, privkey)))
7745 goto end;
7746
7747 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7748 shared_ciphers_data[tst].clntciphers))
7749 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7750 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7751 shared_ciphers_data[tst].clnttls13ciphers)))
7752 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7753 shared_ciphers_data[tst].srvrciphers))
7754 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7755 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7756 shared_ciphers_data[tst].srvrtls13ciphers))))
7757 goto end;
7758
7759
7760 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7761 NULL, NULL))
7762 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7763 SSL_ERROR_NONE)))
7764 goto end;
7765
7766 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7767 || !TEST_int_eq(strcmp(buf,
7768 is_fips
7769 ? shared_ciphers_data[tst].fipsshared
7770 : shared_ciphers_data[tst].shared),
7771 0)) {
7772 TEST_info("Shared ciphers are: %s\n", buf);
7773 goto end;
7774 }
7775
7776 testresult = 1;
7777
7778 end:
7779 SSL_free(serverssl);
7780 SSL_free(clientssl);
7781 SSL_CTX_free(sctx);
7782 SSL_CTX_free(cctx);
7783 OSSL_LIB_CTX_free(tmplibctx);
7784
7785 return testresult;
7786 }
7787
7788 static int test_ssl_get_shared_ciphers(int tst)
7789 {
7790 return int_test_ssl_get_shared_ciphers(tst, 0)
7791 && int_test_ssl_get_shared_ciphers(tst, 1);
7792 }
7793
7794
7795 static const char *appdata = "Hello World";
7796 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7797 static int tick_key_renew = 0;
7798 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7799
7800 static int gen_tick_cb(SSL *s, void *arg)
7801 {
7802 gen_tick_called = 1;
7803
7804 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7805 strlen(appdata));
7806 }
7807
7808 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7809 const unsigned char *keyname,
7810 size_t keyname_length,
7811 SSL_TICKET_STATUS status,
7812 void *arg)
7813 {
7814 void *tickdata;
7815 size_t tickdlen;
7816
7817 dec_tick_called = 1;
7818
7819 if (status == SSL_TICKET_EMPTY)
7820 return SSL_TICKET_RETURN_IGNORE_RENEW;
7821
7822 if (!TEST_true(status == SSL_TICKET_SUCCESS
7823 || status == SSL_TICKET_SUCCESS_RENEW))
7824 return SSL_TICKET_RETURN_ABORT;
7825
7826 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7827 &tickdlen))
7828 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7829 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7830 return SSL_TICKET_RETURN_ABORT;
7831
7832 if (tick_key_cb_called) {
7833 /* Don't change what the ticket key callback wanted to do */
7834 switch (status) {
7835 case SSL_TICKET_NO_DECRYPT:
7836 return SSL_TICKET_RETURN_IGNORE_RENEW;
7837
7838 case SSL_TICKET_SUCCESS:
7839 return SSL_TICKET_RETURN_USE;
7840
7841 case SSL_TICKET_SUCCESS_RENEW:
7842 return SSL_TICKET_RETURN_USE_RENEW;
7843
7844 default:
7845 return SSL_TICKET_RETURN_ABORT;
7846 }
7847 }
7848 return tick_dec_ret;
7849
7850 }
7851
7852 #ifndef OPENSSL_NO_DEPRECATED_3_0
7853 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7854 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7855 HMAC_CTX *hctx, int enc)
7856 {
7857 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7858 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7859 EVP_CIPHER *aes128cbc;
7860 EVP_MD *sha256;
7861 int ret;
7862
7863 tick_key_cb_called = 1;
7864
7865 if (tick_key_renew == -1)
7866 return 0;
7867
7868 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7869 if (!TEST_ptr(aes128cbc))
7870 return 0;
7871 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7872 if (!TEST_ptr(sha256)) {
7873 EVP_CIPHER_free(aes128cbc);
7874 return 0;
7875 }
7876
7877 memset(iv, 0, AES_BLOCK_SIZE);
7878 memset(key_name, 0, 16);
7879 if (aes128cbc == NULL
7880 || sha256 == NULL
7881 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7882 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7883 NULL))
7884 ret = -1;
7885 else
7886 ret = tick_key_renew ? 2 : 1;
7887
7888 EVP_CIPHER_free(aes128cbc);
7889 EVP_MD_free(sha256);
7890
7891 return ret;
7892 }
7893 #endif
7894
7895 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7896 unsigned char iv[EVP_MAX_IV_LENGTH],
7897 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7898 {
7899 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7900 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7901 OSSL_PARAM params[2];
7902 EVP_CIPHER *aes128cbc;
7903 int ret;
7904
7905 tick_key_cb_called = 1;
7906
7907 if (tick_key_renew == -1)
7908 return 0;
7909
7910 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7911 if (!TEST_ptr(aes128cbc))
7912 return 0;
7913
7914 memset(iv, 0, AES_BLOCK_SIZE);
7915 memset(key_name, 0, 16);
7916 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7917 "SHA256", 0);
7918 params[1] = OSSL_PARAM_construct_end();
7919 if (aes128cbc == NULL
7920 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7921 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7922 params))
7923 ret = -1;
7924 else
7925 ret = tick_key_renew ? 2 : 1;
7926
7927 EVP_CIPHER_free(aes128cbc);
7928
7929 return ret;
7930 }
7931
7932 /*
7933 * Test the various ticket callbacks
7934 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7935 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7936 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7937 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7938 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7939 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7940 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7941 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7942 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7943 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7944 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7945 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7946 * Test 12: TLSv1.2, old ticket key callback, no ticket
7947 * Test 13: TLSv1.3, old ticket key callback, no ticket
7948 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7949 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7950 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7951 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7952 * Test 18: TLSv1.2, ticket key callback, no ticket
7953 * Test 19: TLSv1.3, ticket key callback, no ticket
7954 */
7955 static int test_ticket_callbacks(int tst)
7956 {
7957 SSL_CTX *cctx = NULL, *sctx = NULL;
7958 SSL *clientssl = NULL, *serverssl = NULL;
7959 SSL_SESSION *clntsess = NULL;
7960 int testresult = 0;
7961
7962 #ifdef OPENSSL_NO_TLS1_2
7963 if (tst % 2 == 0)
7964 return 1;
7965 #endif
7966 #ifdef OSSL_NO_USABLE_TLS1_3
7967 if (tst % 2 == 1)
7968 return 1;
7969 #endif
7970 #ifdef OPENSSL_NO_DEPRECATED_3_0
7971 if (tst >= 8 && tst <= 13)
7972 return 1;
7973 #endif
7974
7975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7976
7977 /* Which tests the ticket key callback should request renewal for */
7978
7979 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7980 tick_key_renew = 1;
7981 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7982 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7983 else
7984 tick_key_renew = 0;
7985
7986 /* Which tests the decrypt ticket callback should request renewal for */
7987 switch (tst) {
7988 case 0:
7989 case 1:
7990 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7991 break;
7992
7993 case 2:
7994 case 3:
7995 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7996 break;
7997
7998 case 4:
7999 case 5:
8000 tick_dec_ret = SSL_TICKET_RETURN_USE;
8001 break;
8002
8003 case 6:
8004 case 7:
8005 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8006 break;
8007
8008 default:
8009 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8010 }
8011
8012 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8013 TLS_client_method(),
8014 TLS1_VERSION,
8015 ((tst % 2) == 0) ? TLS1_2_VERSION
8016 : TLS1_3_VERSION,
8017 &sctx, &cctx, cert, privkey)))
8018 goto end;
8019
8020 /*
8021 * We only want sessions to resume from tickets - not the session cache. So
8022 * switch the cache off.
8023 */
8024 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8025 goto end;
8026
8027 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8028 NULL)))
8029 goto end;
8030
8031 if (tst >= 14) {
8032 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8033 goto end;
8034 #ifndef OPENSSL_NO_DEPRECATED_3_0
8035 } else if (tst >= 8) {
8036 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8037 goto end;
8038 #endif
8039 }
8040
8041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8042 NULL, NULL))
8043 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8044 SSL_ERROR_NONE)))
8045 goto end;
8046
8047 /*
8048 * The decrypt ticket key callback in TLSv1.2 should be called even though
8049 * we have no ticket yet, because it gets called with a status of
8050 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8051 * actually send any ticket data). This does not happen in TLSv1.3 because
8052 * it is not valid to send empty ticket data in TLSv1.3.
8053 */
8054 if (!TEST_int_eq(gen_tick_called, 1)
8055 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8056 goto end;
8057
8058 gen_tick_called = dec_tick_called = 0;
8059
8060 clntsess = SSL_get1_session(clientssl);
8061 SSL_shutdown(clientssl);
8062 SSL_shutdown(serverssl);
8063 SSL_free(serverssl);
8064 SSL_free(clientssl);
8065 serverssl = clientssl = NULL;
8066
8067 /* Now do a resumption */
8068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8069 NULL))
8070 || !TEST_true(SSL_set_session(clientssl, clntsess))
8071 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8072 SSL_ERROR_NONE)))
8073 goto end;
8074
8075 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8076 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8077 || tick_key_renew == -1) {
8078 if (!TEST_false(SSL_session_reused(clientssl)))
8079 goto end;
8080 } else {
8081 if (!TEST_true(SSL_session_reused(clientssl)))
8082 goto end;
8083 }
8084
8085 if (!TEST_int_eq(gen_tick_called,
8086 (tick_key_renew
8087 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8088 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8089 ? 1 : 0)
8090 /* There is no ticket to decrypt in tests 13 and 19 */
8091 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8092 goto end;
8093
8094 testresult = 1;
8095
8096 end:
8097 SSL_SESSION_free(clntsess);
8098 SSL_free(serverssl);
8099 SSL_free(clientssl);
8100 SSL_CTX_free(sctx);
8101 SSL_CTX_free(cctx);
8102
8103 return testresult;
8104 }
8105
8106 /*
8107 * Test incorrect shutdown.
8108 * Test 0: client does not shutdown properly,
8109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8110 * server should get SSL_ERROR_SSL
8111 * Test 1: client does not shutdown properly,
8112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8113 * server should get SSL_ERROR_ZERO_RETURN
8114 */
8115 static int test_incorrect_shutdown(int tst)
8116 {
8117 SSL_CTX *cctx = NULL, *sctx = NULL;
8118 SSL *clientssl = NULL, *serverssl = NULL;
8119 int testresult = 0;
8120 char buf[80];
8121 BIO *c2s;
8122
8123 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8124 TLS_client_method(), 0, 0,
8125 &sctx, &cctx, cert, privkey)))
8126 goto end;
8127
8128 if (tst == 1)
8129 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8130
8131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8132 NULL, NULL)))
8133 goto end;
8134
8135 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8136 SSL_ERROR_NONE)))
8137 goto end;
8138
8139 c2s = SSL_get_rbio(serverssl);
8140 BIO_set_mem_eof_return(c2s, 0);
8141
8142 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8143 goto end;
8144
8145 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8146 goto end;
8147 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8148 goto end;
8149
8150 testresult = 1;
8151
8152 end:
8153 SSL_free(serverssl);
8154 SSL_free(clientssl);
8155 SSL_CTX_free(sctx);
8156 SSL_CTX_free(cctx);
8157
8158 return testresult;
8159 }
8160
8161 /*
8162 * Test bi-directional shutdown.
8163 * Test 0: TLSv1.2
8164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8166 * Test 3: TLSv1.3, pending NewSessionTicket messages
8167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8168 * sends key update, client reads it
8169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8170 * sends CertificateRequest, client reads and ignores it
8171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8172 * doesn't read it
8173 */
8174 static int test_shutdown(int tst)
8175 {
8176 SSL_CTX *cctx = NULL, *sctx = NULL;
8177 SSL *clientssl = NULL, *serverssl = NULL;
8178 int testresult = 0;
8179 char msg[] = "A test message";
8180 char buf[80];
8181 size_t written, readbytes;
8182 SSL_SESSION *sess;
8183
8184 #ifdef OPENSSL_NO_TLS1_2
8185 if (tst <= 1)
8186 return 1;
8187 #endif
8188 #ifdef OSSL_NO_USABLE_TLS1_3
8189 if (tst >= 2)
8190 return 1;
8191 #endif
8192
8193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8194 TLS_client_method(),
8195 TLS1_VERSION,
8196 (tst <= 1) ? TLS1_2_VERSION
8197 : TLS1_3_VERSION,
8198 &sctx, &cctx, cert, privkey)))
8199 goto end;
8200
8201 if (tst == 5)
8202 SSL_CTX_set_post_handshake_auth(cctx, 1);
8203
8204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8205 NULL, NULL)))
8206 goto end;
8207
8208 if (tst == 3) {
8209 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8210 SSL_ERROR_NONE, 1, 0))
8211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8212 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8213 goto end;
8214 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8215 SSL_ERROR_NONE))
8216 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8217 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8218 goto end;
8219 }
8220
8221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8222 goto end;
8223
8224 if (tst >= 4) {
8225 /*
8226 * Reading on the server after the client has sent close_notify should
8227 * fail and provide SSL_ERROR_ZERO_RETURN
8228 */
8229 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8230 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8231 SSL_ERROR_ZERO_RETURN)
8232 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8233 SSL_RECEIVED_SHUTDOWN)
8234 /*
8235 * Even though we're shutdown on receive we should still be
8236 * able to write.
8237 */
8238 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8239 goto end;
8240 if (tst == 4
8241 && !TEST_true(SSL_key_update(serverssl,
8242 SSL_KEY_UPDATE_REQUESTED)))
8243 goto end;
8244 if (tst == 5) {
8245 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8247 goto end;
8248 }
8249 if ((tst == 4 || tst == 5)
8250 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8251 goto end;
8252 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8253 goto end;
8254 if (tst == 4 || tst == 5) {
8255 /* Should still be able to read data from server */
8256 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8257 &readbytes))
8258 || !TEST_size_t_eq(readbytes, sizeof(msg))
8259 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8260 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8261 &readbytes))
8262 || !TEST_size_t_eq(readbytes, sizeof(msg))
8263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8264 goto end;
8265 }
8266 }
8267
8268 /* Writing on the client after sending close_notify shouldn't be possible */
8269 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8270 goto end;
8271
8272 if (tst < 4) {
8273 /*
8274 * For these tests the client has sent close_notify but it has not yet
8275 * been received by the server. The server has not sent close_notify
8276 * yet.
8277 */
8278 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8279 /*
8280 * Writing on the server after sending close_notify shouldn't
8281 * be possible.
8282 */
8283 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8284 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8285 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8286 || !TEST_true(SSL_SESSION_is_resumable(sess))
8287 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8288 goto end;
8289 } else if (tst == 4 || tst == 5) {
8290 /*
8291 * In this test the client has sent close_notify and it has been
8292 * received by the server which has responded with a close_notify. The
8293 * client needs to read the close_notify sent by the server.
8294 */
8295 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8296 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8297 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8298 goto end;
8299 } else {
8300 /*
8301 * tst == 6
8302 *
8303 * The client has sent close_notify and is expecting a close_notify
8304 * back, but instead there is application data first. The shutdown
8305 * should fail with a fatal error.
8306 */
8307 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8308 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8309 goto end;
8310 }
8311
8312 testresult = 1;
8313
8314 end:
8315 SSL_free(serverssl);
8316 SSL_free(clientssl);
8317 SSL_CTX_free(sctx);
8318 SSL_CTX_free(cctx);
8319
8320 return testresult;
8321 }
8322
8323 /*
8324 * Test that sending close_notify alerts works correctly in the case of a
8325 * retryable write failure.
8326 */
8327 static int test_async_shutdown(void)
8328 {
8329 SSL_CTX *cctx = NULL, *sctx = NULL;
8330 SSL *clientssl = NULL, *serverssl = NULL;
8331 int testresult = 0;
8332 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8333
8334 if (!TEST_ptr(bretry))
8335 goto end;
8336
8337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8338 TLS_client_method(),
8339 0, 0,
8340 &sctx, &cctx, cert, privkey)))
8341 goto end;
8342
8343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8344 NULL)))
8345 goto end;
8346
8347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8348 goto end;
8349
8350 /* Close write side of clientssl */
8351 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8352 goto end;
8353
8354 tmp = SSL_get_wbio(serverssl);
8355 if (!TEST_true(BIO_up_ref(tmp))) {
8356 tmp = NULL;
8357 goto end;
8358 }
8359 SSL_set0_wbio(serverssl, bretry);
8360 bretry = NULL;
8361
8362 /* First server shutdown should fail because of a retrable write failure */
8363 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8364 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8365 goto end;
8366
8367 /* Second server shutdown should fail for the same reason */
8368 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8369 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8370 goto end;
8371
8372 SSL_set0_wbio(serverssl, tmp);
8373 tmp = NULL;
8374
8375 /* Third server shutdown should send close_notify */
8376 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8377 goto end;
8378
8379 /* Fourth server shutdown should read close_notify from client and finish */
8380 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8381 goto end;
8382
8383 /* Client should also successfully fully shutdown */
8384 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8385 goto end;
8386
8387 testresult = 1;
8388 end:
8389 SSL_free(serverssl);
8390 SSL_free(clientssl);
8391 SSL_CTX_free(sctx);
8392 SSL_CTX_free(cctx);
8393 BIO_free(bretry);
8394 BIO_free(tmp);
8395
8396 return testresult;
8397 }
8398
8399 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8400 static int cert_cb_cnt;
8401
8402 static int cert_cb(SSL *s, void *arg)
8403 {
8404 SSL_CTX *ctx = (SSL_CTX *)arg;
8405 BIO *in = NULL;
8406 EVP_PKEY *pkey = NULL;
8407 X509 *x509 = NULL, *rootx = NULL;
8408 STACK_OF(X509) *chain = NULL;
8409 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8410 int ret = 0;
8411
8412 if (cert_cb_cnt == 0) {
8413 /* Suspend the handshake */
8414 cert_cb_cnt++;
8415 return -1;
8416 } else if (cert_cb_cnt == 1) {
8417 /*
8418 * Update the SSL_CTX, set the certificate and private key and then
8419 * continue the handshake normally.
8420 */
8421 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8422 return 0;
8423
8424 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8425 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8426 SSL_FILETYPE_PEM))
8427 || !TEST_true(SSL_check_private_key(s)))
8428 return 0;
8429 cert_cb_cnt++;
8430 return 1;
8431 } else if (cert_cb_cnt == 3) {
8432 int rv;
8433
8434 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8435 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8436 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8437 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8438 goto out;
8439 chain = sk_X509_new_null();
8440 if (!TEST_ptr(chain))
8441 goto out;
8442 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8443 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8444 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8445 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8446 || !TEST_true(sk_X509_push(chain, rootx)))
8447 goto out;
8448 rootx = NULL;
8449 BIO_free(in);
8450 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8451 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8452 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8453 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8454 goto out;
8455 BIO_free(in);
8456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8457 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8458 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8459 NULL, NULL,
8460 libctx, NULL)))
8461 goto out;
8462 rv = SSL_check_chain(s, x509, pkey, chain);
8463 /*
8464 * If the cert doesn't show as valid here (e.g., because we don't
8465 * have any shared sigalgs), then we will not set it, and there will
8466 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8467 * will cause tls_choose_sigalgs() to fail the connection.
8468 */
8469 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8470 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8471 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8472 goto out;
8473 }
8474
8475 ret = 1;
8476 }
8477
8478 /* Abort the handshake */
8479 out:
8480 OPENSSL_free(ecdsacert);
8481 OPENSSL_free(ecdsakey);
8482 OPENSSL_free(rootfile);
8483 BIO_free(in);
8484 EVP_PKEY_free(pkey);
8485 X509_free(x509);
8486 X509_free(rootx);
8487 OSSL_STACK_OF_X509_free(chain);
8488 return ret;
8489 }
8490
8491 /*
8492 * Test the certificate callback.
8493 * Test 0: Callback fails
8494 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8495 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8496 * Test 3: Success - Call SSL_check_chain from the callback
8497 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8498 * chain
8499 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8500 */
8501 static int test_cert_cb_int(int prot, int tst)
8502 {
8503 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8504 SSL *clientssl = NULL, *serverssl = NULL;
8505 int testresult = 0, ret;
8506
8507 #ifdef OPENSSL_NO_EC
8508 /* We use an EC cert in these tests, so we skip in a no-ec build */
8509 if (tst >= 3)
8510 return 1;
8511 #endif
8512
8513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8514 TLS_client_method(),
8515 TLS1_VERSION,
8516 prot,
8517 &sctx, &cctx, NULL, NULL)))
8518 goto end;
8519
8520 if (tst == 0)
8521 cert_cb_cnt = -1;
8522 else if (tst >= 3)
8523 cert_cb_cnt = 3;
8524 else
8525 cert_cb_cnt = 0;
8526
8527 if (tst == 2) {
8528 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8529 if (!TEST_ptr(snictx))
8530 goto end;
8531 }
8532
8533 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8534
8535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8536 NULL, NULL)))
8537 goto end;
8538
8539 if (tst == 4) {
8540 /*
8541 * We cause SSL_check_chain() to fail by specifying sig_algs that
8542 * the chain doesn't meet (the root uses an RSA cert)
8543 */
8544 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8545 "ecdsa_secp256r1_sha256")))
8546 goto end;
8547 } else if (tst == 5) {
8548 /*
8549 * We cause SSL_check_chain() to fail by specifying sig_algs that
8550 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8551 */
8552 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8553 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8554 goto end;
8555 }
8556
8557 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8558 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8559 || (tst > 0
8560 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8561 goto end;
8562 }
8563
8564 testresult = 1;
8565
8566 end:
8567 SSL_free(serverssl);
8568 SSL_free(clientssl);
8569 SSL_CTX_free(sctx);
8570 SSL_CTX_free(cctx);
8571 SSL_CTX_free(snictx);
8572
8573 return testresult;
8574 }
8575 #endif
8576
8577 static int test_cert_cb(int tst)
8578 {
8579 int testresult = 1;
8580
8581 #ifndef OPENSSL_NO_TLS1_2
8582 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8583 #endif
8584 #ifndef OSSL_NO_USABLE_TLS1_3
8585 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8586 #endif
8587
8588 return testresult;
8589 }
8590
8591 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8592 {
8593 X509 *xcert;
8594 EVP_PKEY *privpkey;
8595 BIO *in = NULL;
8596 BIO *priv_in = NULL;
8597
8598 /* Check that SSL_get0_peer_certificate() returns something sensible */
8599 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8600 return 0;
8601
8602 in = BIO_new_file(cert, "r");
8603 if (!TEST_ptr(in))
8604 return 0;
8605
8606 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8607 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8608 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8609 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8610 NULL, NULL,
8611 libctx, NULL)))
8612 goto err;
8613
8614 *x509 = xcert;
8615 *pkey = privpkey;
8616
8617 BIO_free(in);
8618 BIO_free(priv_in);
8619 return 1;
8620 err:
8621 X509_free(xcert);
8622 BIO_free(in);
8623 BIO_free(priv_in);
8624 return 0;
8625 }
8626
8627 static int test_client_cert_cb(int tst)
8628 {
8629 SSL_CTX *cctx = NULL, *sctx = NULL;
8630 SSL *clientssl = NULL, *serverssl = NULL;
8631 int testresult = 0;
8632
8633 #ifdef OPENSSL_NO_TLS1_2
8634 if (tst == 0)
8635 return 1;
8636 #endif
8637 #ifdef OSSL_NO_USABLE_TLS1_3
8638 if (tst == 1)
8639 return 1;
8640 #endif
8641
8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8643 TLS_client_method(),
8644 TLS1_VERSION,
8645 tst == 0 ? TLS1_2_VERSION
8646 : TLS1_3_VERSION,
8647 &sctx, &cctx, cert, privkey)))
8648 goto end;
8649
8650 /*
8651 * Test that setting a client_cert_cb results in a client certificate being
8652 * sent.
8653 */
8654 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8655 SSL_CTX_set_verify(sctx,
8656 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8657 verify_cb);
8658
8659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8660 NULL, NULL))
8661 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8662 SSL_ERROR_NONE)))
8663 goto end;
8664
8665 testresult = 1;
8666
8667 end:
8668 SSL_free(serverssl);
8669 SSL_free(clientssl);
8670 SSL_CTX_free(sctx);
8671 SSL_CTX_free(cctx);
8672
8673 return testresult;
8674 }
8675
8676 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8677 /*
8678 * Test setting certificate authorities on both client and server.
8679 *
8680 * Test 0: SSL_CTX_set0_CA_list() only
8681 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8682 * Test 2: Only SSL_CTX_set_client_CA_list()
8683 */
8684 static int test_ca_names_int(int prot, int tst)
8685 {
8686 SSL_CTX *cctx = NULL, *sctx = NULL;
8687 SSL *clientssl = NULL, *serverssl = NULL;
8688 int testresult = 0;
8689 size_t i;
8690 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8691 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8692 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8693 const STACK_OF(X509_NAME) *sktmp = NULL;
8694
8695 for (i = 0; i < OSSL_NELEM(name); i++) {
8696 name[i] = X509_NAME_new();
8697 if (!TEST_ptr(name[i])
8698 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8699 MBSTRING_ASC,
8700 (unsigned char *)
8701 strnames[i],
8702 -1, -1, 0)))
8703 goto end;
8704 }
8705
8706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8707 TLS_client_method(),
8708 TLS1_VERSION,
8709 prot,
8710 &sctx, &cctx, cert, privkey)))
8711 goto end;
8712
8713 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8714
8715 if (tst == 0 || tst == 1) {
8716 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8717 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8718 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8719 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8720 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8721 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8722 goto end;
8723
8724 SSL_CTX_set0_CA_list(sctx, sk1);
8725 SSL_CTX_set0_CA_list(cctx, sk2);
8726 sk1 = sk2 = NULL;
8727 }
8728 if (tst == 1 || tst == 2) {
8729 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8730 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8731 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8732 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8733 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8734 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8735 goto end;
8736
8737 SSL_CTX_set_client_CA_list(sctx, sk1);
8738 SSL_CTX_set_client_CA_list(cctx, sk2);
8739 sk1 = sk2 = NULL;
8740 }
8741
8742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8743 NULL, NULL))
8744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8745 SSL_ERROR_NONE)))
8746 goto end;
8747
8748 /*
8749 * We only expect certificate authorities to have been sent to the server
8750 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8751 */
8752 sktmp = SSL_get0_peer_CA_list(serverssl);
8753 if (prot == TLS1_3_VERSION
8754 && (tst == 0 || tst == 1)) {
8755 if (!TEST_ptr(sktmp)
8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8758 name[0]), 0)
8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8760 name[1]), 0))
8761 goto end;
8762 } else if (!TEST_ptr_null(sktmp)) {
8763 goto end;
8764 }
8765
8766 /*
8767 * In all tests we expect certificate authorities to have been sent to the
8768 * client. However, SSL_set_client_CA_list() should override
8769 * SSL_set0_CA_list()
8770 */
8771 sktmp = SSL_get0_peer_CA_list(clientssl);
8772 if (!TEST_ptr(sktmp)
8773 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8775 name[tst == 0 ? 0 : 2]), 0)
8776 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8777 name[tst == 0 ? 1 : 3]), 0))
8778 goto end;
8779
8780 testresult = 1;
8781
8782 end:
8783 SSL_free(serverssl);
8784 SSL_free(clientssl);
8785 SSL_CTX_free(sctx);
8786 SSL_CTX_free(cctx);
8787 for (i = 0; i < OSSL_NELEM(name); i++)
8788 X509_NAME_free(name[i]);
8789 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8790 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8791
8792 return testresult;
8793 }
8794 #endif
8795
8796 static int test_ca_names(int tst)
8797 {
8798 int testresult = 1;
8799
8800 #ifndef OPENSSL_NO_TLS1_2
8801 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8802 #endif
8803 #ifndef OSSL_NO_USABLE_TLS1_3
8804 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8805 #endif
8806
8807 return testresult;
8808 }
8809
8810 #ifndef OPENSSL_NO_TLS1_2
8811 static const char *multiblock_cipherlist_data[]=
8812 {
8813 "AES128-SHA",
8814 "AES128-SHA256",
8815 "AES256-SHA",
8816 "AES256-SHA256",
8817 };
8818
8819 /* Reduce the fragment size - so the multiblock test buffer can be small */
8820 # define MULTIBLOCK_FRAGSIZE 512
8821
8822 static int test_multiblock_write(int test_index)
8823 {
8824 static const char *fetchable_ciphers[]=
8825 {
8826 "AES-128-CBC-HMAC-SHA1",
8827 "AES-128-CBC-HMAC-SHA256",
8828 "AES-256-CBC-HMAC-SHA1",
8829 "AES-256-CBC-HMAC-SHA256"
8830 };
8831 const char *cipherlist = multiblock_cipherlist_data[test_index];
8832 const SSL_METHOD *smeth = TLS_server_method();
8833 const SSL_METHOD *cmeth = TLS_client_method();
8834 int min_version = TLS1_VERSION;
8835 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8836 SSL_CTX *cctx = NULL, *sctx = NULL;
8837 SSL *clientssl = NULL, *serverssl = NULL;
8838 int testresult = 0;
8839
8840 /*
8841 * Choose a buffer large enough to perform a multi-block operation
8842 * i.e: write_len >= 4 * frag_size
8843 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8844 */
8845 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8846 unsigned char buf[sizeof(msg)], *p = buf;
8847 size_t readbytes, written, len;
8848 EVP_CIPHER *ciph = NULL;
8849
8850 /*
8851 * Check if the cipher exists before attempting to use it since it only has
8852 * a hardware specific implementation.
8853 */
8854 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8855 if (ciph == NULL) {
8856 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8857 return 1;
8858 }
8859 EVP_CIPHER_free(ciph);
8860
8861 /* Set up a buffer with some data that will be sent to the client */
8862 RAND_bytes(msg, sizeof(msg));
8863
8864 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8865 max_version, &sctx, &cctx, cert,
8866 privkey)))
8867 goto end;
8868
8869 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8870 goto end;
8871
8872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8873 NULL, NULL)))
8874 goto end;
8875
8876 /* settings to force it to use AES-CBC-HMAC_SHA */
8877 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8878 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8879 goto end;
8880
8881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8882 goto end;
8883
8884 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8885 || !TEST_size_t_eq(written, sizeof(msg)))
8886 goto end;
8887
8888 len = written;
8889 while (len > 0) {
8890 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8891 goto end;
8892 p += readbytes;
8893 len -= readbytes;
8894 }
8895 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8896 goto end;
8897
8898 testresult = 1;
8899 end:
8900 SSL_free(serverssl);
8901 SSL_free(clientssl);
8902 SSL_CTX_free(sctx);
8903 SSL_CTX_free(cctx);
8904
8905 return testresult;
8906 }
8907 #endif /* OPENSSL_NO_TLS1_2 */
8908
8909 static int test_session_timeout(int test)
8910 {
8911 /*
8912 * Test session ordering and timeout
8913 * Can't explicitly test performance of the new code,
8914 * but can test to see if the ordering of the sessions
8915 * are correct, and they they are removed as expected
8916 */
8917 SSL_SESSION *early = NULL;
8918 SSL_SESSION *middle = NULL;
8919 SSL_SESSION *late = NULL;
8920 SSL_CTX *ctx;
8921 int testresult = 0;
8922 long now = (long)time(NULL);
8923 #define TIMEOUT 10
8924
8925 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8926 || !TEST_ptr(early = SSL_SESSION_new())
8927 || !TEST_ptr(middle = SSL_SESSION_new())
8928 || !TEST_ptr(late = SSL_SESSION_new()))
8929 goto end;
8930
8931 /* assign unique session ids */
8932 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8933 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8934 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8935 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8936 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8937 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8938
8939 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8940 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8941 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8942 goto end;
8943
8944 /* Make sure they are all added */
8945 if (!TEST_ptr(early->prev)
8946 || !TEST_ptr(middle->prev)
8947 || !TEST_ptr(late->prev))
8948 goto end;
8949
8950 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8951 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8952 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8953 goto end;
8954
8955 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8956 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8957 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8958 goto end;
8959
8960 /* Make sure they are all still there */
8961 if (!TEST_ptr(early->prev)
8962 || !TEST_ptr(middle->prev)
8963 || !TEST_ptr(late->prev))
8964 goto end;
8965
8966 /* Make sure they are in the expected order */
8967 if (!TEST_ptr_eq(late->next, middle)
8968 || !TEST_ptr_eq(middle->next, early)
8969 || !TEST_ptr_eq(early->prev, middle)
8970 || !TEST_ptr_eq(middle->prev, late))
8971 goto end;
8972
8973 /* This should remove "early" */
8974 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8975 if (!TEST_ptr_null(early->prev)
8976 || !TEST_ptr(middle->prev)
8977 || !TEST_ptr(late->prev))
8978 goto end;
8979
8980 /* This should remove "middle" */
8981 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8982 if (!TEST_ptr_null(early->prev)
8983 || !TEST_ptr_null(middle->prev)
8984 || !TEST_ptr(late->prev))
8985 goto end;
8986
8987 /* This should remove "late" */
8988 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8989 if (!TEST_ptr_null(early->prev)
8990 || !TEST_ptr_null(middle->prev)
8991 || !TEST_ptr_null(late->prev))
8992 goto end;
8993
8994 /* Add them back in again */
8995 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8996 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8997 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8998 goto end;
8999
9000 /* Make sure they are all added */
9001 if (!TEST_ptr(early->prev)
9002 || !TEST_ptr(middle->prev)
9003 || !TEST_ptr(late->prev))
9004 goto end;
9005
9006 /* This should remove all of them */
9007 SSL_CTX_flush_sessions(ctx, 0);
9008 if (!TEST_ptr_null(early->prev)
9009 || !TEST_ptr_null(middle->prev)
9010 || !TEST_ptr_null(late->prev))
9011 goto end;
9012
9013 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9014 | SSL_CTX_get_session_cache_mode(ctx));
9015
9016 /* make sure |now| is NOT equal to the current time */
9017 now -= 10;
9018 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9019 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9020 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9021 goto end;
9022
9023 testresult = 1;
9024 end:
9025 SSL_CTX_free(ctx);
9026 SSL_SESSION_free(early);
9027 SSL_SESSION_free(middle);
9028 SSL_SESSION_free(late);
9029 return testresult;
9030 }
9031
9032 /*
9033 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9034 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9035 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9036 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9037 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9038 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9039 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9040 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9041 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9042 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9043 */
9044 static int test_servername(int tst)
9045 {
9046 SSL_CTX *cctx = NULL, *sctx = NULL;
9047 SSL *clientssl = NULL, *serverssl = NULL;
9048 int testresult = 0;
9049 SSL_SESSION *sess = NULL;
9050 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9051
9052 #ifdef OPENSSL_NO_TLS1_2
9053 if (tst <= 4)
9054 return 1;
9055 #endif
9056 #ifdef OSSL_NO_USABLE_TLS1_3
9057 if (tst >= 5)
9058 return 1;
9059 #endif
9060
9061 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9062 TLS_client_method(),
9063 TLS1_VERSION,
9064 (tst <= 4) ? TLS1_2_VERSION
9065 : TLS1_3_VERSION,
9066 &sctx, &cctx, cert, privkey))
9067 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9068 NULL, NULL)))
9069 goto end;
9070
9071 if (tst != 1 && tst != 6) {
9072 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9073 hostname_cb)))
9074 goto end;
9075 }
9076
9077 if (tst != 3 && tst != 8) {
9078 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9079 goto end;
9080 sexpectedhost = cexpectedhost = "goodhost";
9081 }
9082
9083 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9084 goto end;
9085
9086 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9087 cexpectedhost)
9088 || !TEST_str_eq(SSL_get_servername(serverssl,
9089 TLSEXT_NAMETYPE_host_name),
9090 sexpectedhost))
9091 goto end;
9092
9093 /* Now repeat with a resumption handshake */
9094
9095 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9096 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9097 || !TEST_true(SSL_SESSION_is_resumable(sess))
9098 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9099 goto end;
9100
9101 SSL_free(clientssl);
9102 SSL_free(serverssl);
9103 clientssl = serverssl = NULL;
9104
9105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9106 NULL)))
9107 goto end;
9108
9109 if (!TEST_true(SSL_set_session(clientssl, sess)))
9110 goto end;
9111
9112 sexpectedhost = cexpectedhost = "goodhost";
9113 if (tst == 2 || tst == 7) {
9114 /* Set an inconsistent hostname */
9115 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9116 goto end;
9117 /*
9118 * In TLSv1.2 we expect the hostname from the original handshake, in
9119 * TLSv1.3 we expect the hostname from this handshake
9120 */
9121 if (tst == 7)
9122 sexpectedhost = cexpectedhost = "altgoodhost";
9123
9124 if (!TEST_str_eq(SSL_get_servername(clientssl,
9125 TLSEXT_NAMETYPE_host_name),
9126 "altgoodhost"))
9127 goto end;
9128 } else if (tst == 4 || tst == 9) {
9129 /*
9130 * A TLSv1.3 session does not associate a session with a servername,
9131 * but a TLSv1.2 session does.
9132 */
9133 if (tst == 9)
9134 sexpectedhost = cexpectedhost = NULL;
9135
9136 if (!TEST_str_eq(SSL_get_servername(clientssl,
9137 TLSEXT_NAMETYPE_host_name),
9138 cexpectedhost))
9139 goto end;
9140 } else {
9141 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9142 goto end;
9143 /*
9144 * In a TLSv1.2 resumption where the hostname was not acknowledged
9145 * we expect the hostname on the server to be empty. On the client we
9146 * return what was requested in this case.
9147 *
9148 * Similarly if the client didn't set a hostname on an original TLSv1.2
9149 * session but is now, the server hostname will be empty, but the client
9150 * is as we set it.
9151 */
9152 if (tst == 1 || tst == 3)
9153 sexpectedhost = NULL;
9154
9155 if (!TEST_str_eq(SSL_get_servername(clientssl,
9156 TLSEXT_NAMETYPE_host_name),
9157 "goodhost"))
9158 goto end;
9159 }
9160
9161 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9162 goto end;
9163
9164 if (!TEST_true(SSL_session_reused(clientssl))
9165 || !TEST_true(SSL_session_reused(serverssl))
9166 || !TEST_str_eq(SSL_get_servername(clientssl,
9167 TLSEXT_NAMETYPE_host_name),
9168 cexpectedhost)
9169 || !TEST_str_eq(SSL_get_servername(serverssl,
9170 TLSEXT_NAMETYPE_host_name),
9171 sexpectedhost))
9172 goto end;
9173
9174 testresult = 1;
9175
9176 end:
9177 SSL_SESSION_free(sess);
9178 SSL_free(serverssl);
9179 SSL_free(clientssl);
9180 SSL_CTX_free(sctx);
9181 SSL_CTX_free(cctx);
9182
9183 return testresult;
9184 }
9185
9186 #if !defined(OPENSSL_NO_EC) \
9187 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9188 /*
9189 * Test that if signature algorithms are not available, then we do not offer or
9190 * accept them.
9191 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9192 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9193 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9194 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9195 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9196 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9197 */
9198 static int test_sigalgs_available(int idx)
9199 {
9200 SSL_CTX *cctx = NULL, *sctx = NULL;
9201 SSL *clientssl = NULL, *serverssl = NULL;
9202 int testresult = 0;
9203 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9204 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9205 OSSL_PROVIDER *filterprov = NULL;
9206 int sig, hash;
9207
9208 if (!TEST_ptr(tmpctx))
9209 goto end;
9210
9211 if (idx != 0 && idx != 3) {
9212 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9213 filter_provider_init)))
9214 goto end;
9215
9216 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9217 if (!TEST_ptr(filterprov))
9218 goto end;
9219
9220 if (idx < 3) {
9221 /*
9222 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9223 * or accepted for the peer that uses this libctx. Note that libssl
9224 * *requires* SHA2-256 to be available so we cannot disable that. We
9225 * also need SHA1 for our certificate.
9226 */
9227 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9228 "SHA2-256:SHA1")))
9229 goto end;
9230 } else {
9231 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9232 "ECDSA"))
9233 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9234 "EC:X25519:X448")))
9235 goto end;
9236 }
9237
9238 if (idx == 1 || idx == 4)
9239 clientctx = tmpctx;
9240 else
9241 serverctx = tmpctx;
9242 }
9243
9244 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9245 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9246 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9247 goto end;
9248
9249 if (idx != 5) {
9250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9251 TLS_client_method(),
9252 TLS1_VERSION,
9253 0,
9254 &sctx, &cctx, cert, privkey)))
9255 goto end;
9256 } else {
9257 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9258 TLS_client_method(),
9259 TLS1_VERSION,
9260 0,
9261 &sctx, &cctx, cert2, privkey2)))
9262 goto end;
9263 }
9264
9265 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9266 if (idx < 4) {
9267 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9268 "ECDHE-RSA-AES128-GCM-SHA256")))
9269 goto end;
9270 } else {
9271 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9272 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9273 goto end;
9274 }
9275
9276 if (idx < 3) {
9277 if (!SSL_CTX_set1_sigalgs_list(cctx,
9278 "rsa_pss_rsae_sha384"
9279 ":rsa_pss_rsae_sha256")
9280 || !SSL_CTX_set1_sigalgs_list(sctx,
9281 "rsa_pss_rsae_sha384"
9282 ":rsa_pss_rsae_sha256"))
9283 goto end;
9284 } else {
9285 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9286 || !SSL_CTX_set1_sigalgs_list(sctx,
9287 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9288 goto end;
9289 }
9290
9291 if (idx != 5
9292 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9293 SSL_FILETYPE_PEM), 1)
9294 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9295 privkey2,
9296 SSL_FILETYPE_PEM), 1)
9297 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9298 goto end;
9299
9300 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9301 NULL, NULL)))
9302 goto end;
9303
9304 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9305 goto end;
9306
9307 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9308 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9309 NULL, NULL),
9310 (idx == 0 || idx == 3) ? 2 : 1))
9311 goto end;
9312
9313 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9314 goto end;
9315
9316 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9317 : NID_rsassaPss))
9318 goto end;
9319
9320 testresult = filter_provider_check_clean_finish();
9321
9322 end:
9323 SSL_free(serverssl);
9324 SSL_free(clientssl);
9325 SSL_CTX_free(sctx);
9326 SSL_CTX_free(cctx);
9327 OSSL_PROVIDER_unload(filterprov);
9328 OSSL_LIB_CTX_free(tmpctx);
9329
9330 return testresult;
9331 }
9332 #endif /*
9333 * !defined(OPENSSL_NO_EC) \
9334 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9335 */
9336
9337 #ifndef OPENSSL_NO_TLS1_3
9338 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9339 static int test_pluggable_group(int idx)
9340 {
9341 SSL_CTX *cctx = NULL, *sctx = NULL;
9342 SSL *clientssl = NULL, *serverssl = NULL;
9343 int testresult = 0;
9344 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9345 /* Check that we are not impacted by a provider without any groups */
9346 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9347 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9348
9349 if (!TEST_ptr(tlsprov))
9350 goto end;
9351
9352 if (legacyprov == NULL) {
9353 /*
9354 * In this case we assume we've been built with "no-legacy" and skip
9355 * this test (there is no OPENSSL_NO_LEGACY)
9356 */
9357 testresult = 1;
9358 goto end;
9359 }
9360
9361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9362 TLS_client_method(),
9363 TLS1_3_VERSION,
9364 TLS1_3_VERSION,
9365 &sctx, &cctx, cert, privkey))
9366 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9367 NULL, NULL)))
9368 goto end;
9369
9370 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9371 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9372 goto end;
9373
9374 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9375 goto end;
9376
9377 if (!TEST_str_eq(group_name,
9378 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9379 goto end;
9380
9381 testresult = 1;
9382
9383 end:
9384 SSL_free(serverssl);
9385 SSL_free(clientssl);
9386 SSL_CTX_free(sctx);
9387 SSL_CTX_free(cctx);
9388 OSSL_PROVIDER_unload(tlsprov);
9389 OSSL_PROVIDER_unload(legacyprov);
9390
9391 return testresult;
9392 }
9393 #endif
9394
9395 #ifndef OPENSSL_NO_TLS1_2
9396 static int test_ssl_dup(void)
9397 {
9398 SSL_CTX *cctx = NULL, *sctx = NULL;
9399 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9400 int testresult = 0;
9401 BIO *rbio = NULL, *wbio = NULL;
9402
9403 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9404 TLS_client_method(),
9405 0,
9406 0,
9407 &sctx, &cctx, cert, privkey)))
9408 goto end;
9409
9410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9411 NULL, NULL)))
9412 goto end;
9413
9414 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9415 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9416 goto end;
9417
9418 client2ssl = SSL_dup(clientssl);
9419 rbio = SSL_get_rbio(clientssl);
9420 if (!TEST_ptr(rbio)
9421 || !TEST_true(BIO_up_ref(rbio)))
9422 goto end;
9423 SSL_set0_rbio(client2ssl, rbio);
9424 rbio = NULL;
9425
9426 wbio = SSL_get_wbio(clientssl);
9427 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9428 goto end;
9429 SSL_set0_wbio(client2ssl, wbio);
9430 rbio = NULL;
9431
9432 if (!TEST_ptr(client2ssl)
9433 /* Handshake not started so pointers should be different */
9434 || !TEST_ptr_ne(clientssl, client2ssl))
9435 goto end;
9436
9437 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9438 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9439 goto end;
9440
9441 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9442 goto end;
9443
9444 SSL_free(clientssl);
9445 clientssl = SSL_dup(client2ssl);
9446 if (!TEST_ptr(clientssl)
9447 /* Handshake has finished so pointers should be the same */
9448 || !TEST_ptr_eq(clientssl, client2ssl))
9449 goto end;
9450
9451 testresult = 1;
9452
9453 end:
9454 SSL_free(serverssl);
9455 SSL_free(clientssl);
9456 SSL_free(client2ssl);
9457 SSL_CTX_free(sctx);
9458 SSL_CTX_free(cctx);
9459
9460 return testresult;
9461 }
9462
9463 # ifndef OPENSSL_NO_DH
9464
9465 static EVP_PKEY *tmp_dh_params = NULL;
9466
9467 /* Helper function for the test_set_tmp_dh() tests */
9468 static EVP_PKEY *get_tmp_dh_params(void)
9469 {
9470 if (tmp_dh_params == NULL) {
9471 BIGNUM *p = NULL;
9472 OSSL_PARAM_BLD *tmpl = NULL;
9473 EVP_PKEY_CTX *pctx = NULL;
9474 OSSL_PARAM *params = NULL;
9475 EVP_PKEY *dhpkey = NULL;
9476
9477 p = BN_get_rfc3526_prime_2048(NULL);
9478 if (!TEST_ptr(p))
9479 goto end;
9480
9481 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9482 if (!TEST_ptr(pctx)
9483 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9484 goto end;
9485
9486 tmpl = OSSL_PARAM_BLD_new();
9487 if (!TEST_ptr(tmpl)
9488 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9489 OSSL_PKEY_PARAM_FFC_P,
9490 p))
9491 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9492 OSSL_PKEY_PARAM_FFC_G,
9493 2)))
9494 goto end;
9495
9496 params = OSSL_PARAM_BLD_to_param(tmpl);
9497 if (!TEST_ptr(params)
9498 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9499 EVP_PKEY_KEY_PARAMETERS,
9500 params), 1))
9501 goto end;
9502
9503 tmp_dh_params = dhpkey;
9504 end:
9505 BN_free(p);
9506 EVP_PKEY_CTX_free(pctx);
9507 OSSL_PARAM_BLD_free(tmpl);
9508 OSSL_PARAM_free(params);
9509 }
9510
9511 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9512 return NULL;
9513
9514 return tmp_dh_params;
9515 }
9516
9517 # ifndef OPENSSL_NO_DEPRECATED_3_0
9518 /* Callback used by test_set_tmp_dh() */
9519 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9520 {
9521 EVP_PKEY *dhpkey = get_tmp_dh_params();
9522 DH *ret = NULL;
9523
9524 if (!TEST_ptr(dhpkey))
9525 return NULL;
9526
9527 /*
9528 * libssl does not free the returned DH, so we free it now knowing that even
9529 * after we free dhpkey, there will still be a reference to the owning
9530 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9531 * of time we need it for.
9532 */
9533 ret = EVP_PKEY_get1_DH(dhpkey);
9534 DH_free(ret);
9535
9536 EVP_PKEY_free(dhpkey);
9537
9538 return ret;
9539 }
9540 # endif
9541
9542 /*
9543 * Test the various methods for setting temporary DH parameters
9544 *
9545 * Test 0: Default (no auto) setting
9546 * Test 1: Explicit SSL_CTX auto off
9547 * Test 2: Explicit SSL auto off
9548 * Test 3: Explicit SSL_CTX auto on
9549 * Test 4: Explicit SSL auto on
9550 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9551 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9552 *
9553 * The following are testing deprecated APIs, so we only run them if available
9554 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9555 * Test 8: Explicit SSL auto off, custom DH params via DH
9556 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9557 * Test 10: Explicit SSL auto off, custom DH params via callback
9558 */
9559 static int test_set_tmp_dh(int idx)
9560 {
9561 SSL_CTX *cctx = NULL, *sctx = NULL;
9562 SSL *clientssl = NULL, *serverssl = NULL;
9563 int testresult = 0;
9564 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9565 int expected = (idx <= 2) ? 0 : 1;
9566 EVP_PKEY *dhpkey = NULL;
9567 # ifndef OPENSSL_NO_DEPRECATED_3_0
9568 DH *dh = NULL;
9569 # else
9570
9571 if (idx >= 7)
9572 return 1;
9573 # endif
9574
9575 if (idx >= 5 && idx <= 8) {
9576 dhpkey = get_tmp_dh_params();
9577 if (!TEST_ptr(dhpkey))
9578 goto end;
9579 }
9580 # ifndef OPENSSL_NO_DEPRECATED_3_0
9581 if (idx == 7 || idx == 8) {
9582 dh = EVP_PKEY_get1_DH(dhpkey);
9583 if (!TEST_ptr(dh))
9584 goto end;
9585 }
9586 # endif
9587
9588 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9589 TLS_client_method(),
9590 0,
9591 0,
9592 &sctx, &cctx, cert, privkey)))
9593 goto end;
9594
9595 if ((idx & 1) == 1) {
9596 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9597 goto end;
9598 }
9599
9600 if (idx == 5) {
9601 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9602 goto end;
9603 dhpkey = NULL;
9604 }
9605 # ifndef OPENSSL_NO_DEPRECATED_3_0
9606 else if (idx == 7) {
9607 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9608 goto end;
9609 } else if (idx == 9) {
9610 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9611 }
9612 # endif
9613
9614 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9615 NULL, NULL)))
9616 goto end;
9617
9618 if ((idx & 1) == 0 && idx != 0) {
9619 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9620 goto end;
9621 }
9622 if (idx == 6) {
9623 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9624 goto end;
9625 dhpkey = NULL;
9626 }
9627 # ifndef OPENSSL_NO_DEPRECATED_3_0
9628 else if (idx == 8) {
9629 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9630 goto end;
9631 } else if (idx == 10) {
9632 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9633 }
9634 # endif
9635
9636 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9637 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9638 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9639 goto end;
9640
9641 /*
9642 * If autoon then we should succeed. Otherwise we expect failure because
9643 * there are no parameters
9644 */
9645 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9646 SSL_ERROR_NONE), expected))
9647 goto end;
9648
9649 testresult = 1;
9650
9651 end:
9652 # ifndef OPENSSL_NO_DEPRECATED_3_0
9653 DH_free(dh);
9654 # endif
9655 SSL_free(serverssl);
9656 SSL_free(clientssl);
9657 SSL_CTX_free(sctx);
9658 SSL_CTX_free(cctx);
9659 EVP_PKEY_free(dhpkey);
9660
9661 return testresult;
9662 }
9663
9664 /*
9665 * Test the auto DH keys are appropriately sized
9666 */
9667 static int test_dh_auto(int idx)
9668 {
9669 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9670 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9671 SSL *clientssl = NULL, *serverssl = NULL;
9672 int testresult = 0;
9673 EVP_PKEY *tmpkey = NULL;
9674 char *thiscert = NULL, *thiskey = NULL;
9675 size_t expdhsize = 0;
9676 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9677
9678 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9679 goto end;
9680
9681 switch (idx) {
9682 case 0:
9683 /* The FIPS provider doesn't support this DH size - so we ignore it */
9684 if (is_fips) {
9685 testresult = 1;
9686 goto end;
9687 }
9688 thiscert = cert1024;
9689 thiskey = privkey1024;
9690 expdhsize = 1024;
9691 SSL_CTX_set_security_level(sctx, 1);
9692 SSL_CTX_set_security_level(cctx, 1);
9693 break;
9694 case 1:
9695 /* 2048 bit prime */
9696 thiscert = cert;
9697 thiskey = privkey;
9698 expdhsize = 2048;
9699 break;
9700 case 2:
9701 thiscert = cert3072;
9702 thiskey = privkey3072;
9703 expdhsize = 3072;
9704 break;
9705 case 3:
9706 thiscert = cert4096;
9707 thiskey = privkey4096;
9708 expdhsize = 4096;
9709 break;
9710 case 4:
9711 thiscert = cert8192;
9712 thiskey = privkey8192;
9713 expdhsize = 8192;
9714 break;
9715 /* No certificate cases */
9716 case 5:
9717 /* The FIPS provider doesn't support this DH size - so we ignore it */
9718 if (is_fips) {
9719 testresult = 1;
9720 goto end;
9721 }
9722 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9723 expdhsize = 1024;
9724 break;
9725 case 6:
9726 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9727 expdhsize = 3072;
9728 break;
9729 default:
9730 TEST_error("Invalid text index");
9731 goto end;
9732 }
9733
9734 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9735 NULL,
9736 0,
9737 0,
9738 &sctx, &cctx, thiscert, thiskey)))
9739 goto end;
9740
9741 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9742 NULL, NULL)))
9743 goto end;
9744
9745 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9746 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9747 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9748 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9749 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9750 goto end;
9751
9752 /*
9753 * Send the server's first flight. At this point the server has created the
9754 * temporary DH key but hasn't finished using it yet. Once used it is
9755 * removed, so we cannot test it.
9756 */
9757 if (!TEST_int_le(SSL_connect(clientssl), 0)
9758 || !TEST_int_le(SSL_accept(serverssl), 0))
9759 goto end;
9760
9761 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9762 goto end;
9763 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9764 goto end;
9765
9766 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9767 goto end;
9768
9769 testresult = 1;
9770
9771 end:
9772 SSL_free(serverssl);
9773 SSL_free(clientssl);
9774 SSL_CTX_free(sctx);
9775 SSL_CTX_free(cctx);
9776 EVP_PKEY_free(tmpkey);
9777
9778 return testresult;
9779
9780 }
9781 # endif /* OPENSSL_NO_DH */
9782 #endif /* OPENSSL_NO_TLS1_2 */
9783
9784 #ifndef OSSL_NO_USABLE_TLS1_3
9785 /*
9786 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9787 * that it works even without a certificate configured for the original
9788 * SSL_CTX
9789 */
9790 static int test_sni_tls13(void)
9791 {
9792 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9793 SSL *clientssl = NULL, *serverssl = NULL;
9794 int testresult = 0;
9795
9796 /* Reset callback counter */
9797 snicb = 0;
9798
9799 /* Create an initial SSL_CTX with no certificate configured */
9800 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9801 if (!TEST_ptr(sctx))
9802 goto end;
9803 /* Require TLSv1.3 as a minimum */
9804 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9805 TLS_client_method(), TLS1_3_VERSION, 0,
9806 &sctx2, &cctx, cert, privkey)))
9807 goto end;
9808
9809 /* Set up SNI */
9810 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9811 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9812 goto end;
9813
9814 /*
9815 * Connection should still succeed because the final SSL_CTX has the right
9816 * certificates configured.
9817 */
9818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9819 &clientssl, NULL, NULL))
9820 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9821 SSL_ERROR_NONE)))
9822 goto end;
9823
9824 /* We should have had the SNI callback called exactly once */
9825 if (!TEST_int_eq(snicb, 1))
9826 goto end;
9827
9828 testresult = 1;
9829
9830 end:
9831 SSL_free(serverssl);
9832 SSL_free(clientssl);
9833 SSL_CTX_free(sctx2);
9834 SSL_CTX_free(sctx);
9835 SSL_CTX_free(cctx);
9836 return testresult;
9837 }
9838
9839 /*
9840 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9841 * 0 = TLSv1.2
9842 * 1 = TLSv1.3
9843 */
9844 static int test_ticket_lifetime(int idx)
9845 {
9846 SSL_CTX *cctx = NULL, *sctx = NULL;
9847 SSL *clientssl = NULL, *serverssl = NULL;
9848 int testresult = 0;
9849 int version = TLS1_3_VERSION;
9850
9851 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9852 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9853
9854 if (idx == 0) {
9855 #ifdef OPENSSL_NO_TLS1_2
9856 return TEST_skip("TLS 1.2 is disabled.");
9857 #else
9858 version = TLS1_2_VERSION;
9859 #endif
9860 }
9861
9862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9863 TLS_client_method(), version, version,
9864 &sctx, &cctx, cert, privkey)))
9865 goto end;
9866
9867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9868 &clientssl, NULL, NULL)))
9869 goto end;
9870
9871 /*
9872 * Set the timeout to be more than 1 week
9873 * make sure the returned value is the default
9874 */
9875 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9876 SSL_get_default_timeout(serverssl)))
9877 goto end;
9878
9879 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9880 goto end;
9881
9882 if (idx == 0) {
9883 /* TLSv1.2 uses the set value */
9884 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9885 goto end;
9886 } else {
9887 /* TLSv1.3 uses the limited value */
9888 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9889 goto end;
9890 }
9891 testresult = 1;
9892
9893 end:
9894 SSL_free(serverssl);
9895 SSL_free(clientssl);
9896 SSL_CTX_free(sctx);
9897 SSL_CTX_free(cctx);
9898 return testresult;
9899 }
9900 #endif
9901 /*
9902 * Test that setting an ALPN does not violate RFC
9903 */
9904 static int test_set_alpn(void)
9905 {
9906 SSL_CTX *ctx = NULL;
9907 SSL *ssl = NULL;
9908 int testresult = 0;
9909
9910 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9911 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9912 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9913 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9914 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9915 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9916
9917 /* Create an initial SSL_CTX with no certificate configured */
9918 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9919 if (!TEST_ptr(ctx))
9920 goto end;
9921
9922 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9923 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9924 goto end;
9925 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9926 goto end;
9927 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9928 goto end;
9929 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9930 goto end;
9931 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9932 goto end;
9933 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9934 goto end;
9935 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9936 goto end;
9937 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9938 goto end;
9939 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9940 goto end;
9941
9942 ssl = SSL_new(ctx);
9943 if (!TEST_ptr(ssl))
9944 goto end;
9945
9946 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9947 goto end;
9948 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9949 goto end;
9950 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9951 goto end;
9952 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9953 goto end;
9954 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9955 goto end;
9956 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9957 goto end;
9958 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9959 goto end;
9960 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9961 goto end;
9962 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9963 goto end;
9964
9965 testresult = 1;
9966
9967 end:
9968 SSL_free(ssl);
9969 SSL_CTX_free(ctx);
9970 return testresult;
9971 }
9972
9973 /*
9974 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9975 */
9976 static int test_set_verify_cert_store_ssl_ctx(void)
9977 {
9978 SSL_CTX *ctx = NULL;
9979 int testresult = 0;
9980 X509_STORE *store = NULL, *new_store = NULL,
9981 *cstore = NULL, *new_cstore = NULL;
9982
9983 /* Create an initial SSL_CTX. */
9984 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9985 if (!TEST_ptr(ctx))
9986 goto end;
9987
9988 /* Retrieve verify store pointer. */
9989 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9990 goto end;
9991
9992 /* Retrieve chain store pointer. */
9993 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9994 goto end;
9995
9996 /* We haven't set any yet, so this should be NULL. */
9997 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9998 goto end;
9999
10000 /* Create stores. We use separate stores so pointers are different. */
10001 new_store = X509_STORE_new();
10002 if (!TEST_ptr(new_store))
10003 goto end;
10004
10005 new_cstore = X509_STORE_new();
10006 if (!TEST_ptr(new_cstore))
10007 goto end;
10008
10009 /* Set stores. */
10010 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10011 goto end;
10012
10013 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10014 goto end;
10015
10016 /* Should be able to retrieve the same pointer. */
10017 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10018 goto end;
10019
10020 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10021 goto end;
10022
10023 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10024 goto end;
10025
10026 /* Should be able to unset again. */
10027 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10028 goto end;
10029
10030 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10031 goto end;
10032
10033 /* Should now be NULL. */
10034 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10035 goto end;
10036
10037 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10038 goto end;
10039
10040 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10041 goto end;
10042
10043 testresult = 1;
10044
10045 end:
10046 X509_STORE_free(new_store);
10047 X509_STORE_free(new_cstore);
10048 SSL_CTX_free(ctx);
10049 return testresult;
10050 }
10051
10052 /*
10053 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10054 */
10055 static int test_set_verify_cert_store_ssl(void)
10056 {
10057 SSL_CTX *ctx = NULL;
10058 SSL *ssl = NULL;
10059 int testresult = 0;
10060 X509_STORE *store = NULL, *new_store = NULL,
10061 *cstore = NULL, *new_cstore = NULL;
10062
10063 /* Create an initial SSL_CTX. */
10064 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10065 if (!TEST_ptr(ctx))
10066 goto end;
10067
10068 /* Create an SSL object. */
10069 ssl = SSL_new(ctx);
10070 if (!TEST_ptr(ssl))
10071 goto end;
10072
10073 /* Retrieve verify store pointer. */
10074 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10075 goto end;
10076
10077 /* Retrieve chain store pointer. */
10078 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10079 goto end;
10080
10081 /* We haven't set any yet, so this should be NULL. */
10082 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10083 goto end;
10084
10085 /* Create stores. We use separate stores so pointers are different. */
10086 new_store = X509_STORE_new();
10087 if (!TEST_ptr(new_store))
10088 goto end;
10089
10090 new_cstore = X509_STORE_new();
10091 if (!TEST_ptr(new_cstore))
10092 goto end;
10093
10094 /* Set stores. */
10095 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10096 goto end;
10097
10098 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10099 goto end;
10100
10101 /* Should be able to retrieve the same pointer. */
10102 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10103 goto end;
10104
10105 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10106 goto end;
10107
10108 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10109 goto end;
10110
10111 /* Should be able to unset again. */
10112 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10113 goto end;
10114
10115 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10116 goto end;
10117
10118 /* Should now be NULL. */
10119 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10120 goto end;
10121
10122 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10123 goto end;
10124
10125 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10126 goto end;
10127
10128 testresult = 1;
10129
10130 end:
10131 X509_STORE_free(new_store);
10132 X509_STORE_free(new_cstore);
10133 SSL_free(ssl);
10134 SSL_CTX_free(ctx);
10135 return testresult;
10136 }
10137
10138
10139 static int test_inherit_verify_param(void)
10140 {
10141 int testresult = 0;
10142
10143 SSL_CTX *ctx = NULL;
10144 X509_VERIFY_PARAM *cp = NULL;
10145 SSL *ssl = NULL;
10146 X509_VERIFY_PARAM *sp = NULL;
10147 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10148
10149 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10150 if (!TEST_ptr(ctx))
10151 goto end;
10152
10153 cp = SSL_CTX_get0_param(ctx);
10154 if (!TEST_ptr(cp))
10155 goto end;
10156 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10157 goto end;
10158
10159 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10160
10161 ssl = SSL_new(ctx);
10162 if (!TEST_ptr(ssl))
10163 goto end;
10164
10165 sp = SSL_get0_param(ssl);
10166 if (!TEST_ptr(sp))
10167 goto end;
10168 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10169 goto end;
10170
10171 testresult = 1;
10172
10173 end:
10174 SSL_free(ssl);
10175 SSL_CTX_free(ctx);
10176
10177 return testresult;
10178 }
10179
10180 static int test_load_dhfile(void)
10181 {
10182 #ifndef OPENSSL_NO_DH
10183 int testresult = 0;
10184
10185 SSL_CTX *ctx = NULL;
10186 SSL_CONF_CTX *cctx = NULL;
10187
10188 if (dhfile == NULL)
10189 return 1;
10190
10191 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10192 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10193 goto end;
10194
10195 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10196 SSL_CONF_CTX_set_flags(cctx,
10197 SSL_CONF_FLAG_CERTIFICATE
10198 | SSL_CONF_FLAG_SERVER
10199 | SSL_CONF_FLAG_FILE);
10200
10201 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10202 goto end;
10203
10204 testresult = 1;
10205 end:
10206 SSL_CONF_CTX_free(cctx);
10207 SSL_CTX_free(ctx);
10208
10209 return testresult;
10210 #else
10211 return TEST_skip("DH not supported by this build");
10212 #endif
10213 }
10214
10215 #ifndef OSSL_NO_USABLE_TLS1_3
10216 /* Test that read_ahead works across a key change */
10217 static int test_read_ahead_key_change(void)
10218 {
10219 SSL_CTX *cctx = NULL, *sctx = NULL;
10220 SSL *clientssl = NULL, *serverssl = NULL;
10221 int testresult = 0;
10222 char *msg = "Hello World";
10223 size_t written, readbytes;
10224 char buf[80];
10225 int i;
10226
10227 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10228 TLS_client_method(), TLS1_3_VERSION, 0,
10229 &sctx, &cctx, cert, privkey)))
10230 goto end;
10231
10232 SSL_CTX_set_read_ahead(sctx, 1);
10233
10234 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10235 &clientssl, NULL, NULL)))
10236 goto end;
10237
10238 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10239 goto end;
10240
10241 /* Write some data, send a key update, write more data */
10242 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10243 || !TEST_size_t_eq(written, strlen(msg)))
10244 goto end;
10245
10246 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10247 goto end;
10248
10249 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10250 || !TEST_size_t_eq(written, strlen(msg)))
10251 goto end;
10252
10253 /*
10254 * Since read_ahead is on the first read below should read the record with
10255 * the first app data, the second record with the key update message, and
10256 * the third record with the app data all in one go. We should be able to
10257 * still process the read_ahead data correctly even though it crosses
10258 * epochs
10259 */
10260 for (i = 0; i < 2; i++) {
10261 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10262 &readbytes)))
10263 goto end;
10264
10265 buf[readbytes] = '\0';
10266 if (!TEST_str_eq(buf, msg))
10267 goto end;
10268 }
10269
10270 testresult = 1;
10271
10272 end:
10273 SSL_free(serverssl);
10274 SSL_free(clientssl);
10275 SSL_CTX_free(sctx);
10276 SSL_CTX_free(cctx);
10277 return testresult;
10278 }
10279
10280 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10281 {
10282 int *called = arg;
10283
10284 switch ((*called)++) {
10285 case 0:
10286 /* Add some padding to first record */
10287 return 512;
10288 case 1:
10289 /* Maximally pad the second record */
10290 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10291 case 2:
10292 /*
10293 * Exceeding the maximum padding should be fine. It should just pad to
10294 * the maximum anyway
10295 */
10296 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10297 case 3:
10298 /*
10299 * Very large padding should also be ok. Should just pad to the maximum
10300 * allowed
10301 */
10302 return SIZE_MAX;
10303 default:
10304 return 0;
10305 }
10306 }
10307
10308 /*
10309 * Test that setting record padding in TLSv1.3 works as expected
10310 * Test 0: Record padding callback on the SSL_CTX
10311 * Test 1: Record padding callback on the SSL
10312 * Test 2: Record block padding on the SSL_CTX
10313 * Test 3: Record block padding on the SSL
10314 */
10315 static int test_tls13_record_padding(int idx)
10316 {
10317 SSL_CTX *cctx = NULL, *sctx = NULL;
10318 SSL *clientssl = NULL, *serverssl = NULL;
10319 int testresult = 0;
10320 char *msg = "Hello World";
10321 size_t written, readbytes;
10322 char buf[80];
10323 int i;
10324 int called = 0;
10325
10326 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10327 TLS_client_method(), TLS1_3_VERSION, 0,
10328 &sctx, &cctx, cert, privkey)))
10329 goto end;
10330
10331 if (idx == 0) {
10332 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10333 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10334 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10335 goto end;
10336 } else if (idx == 2) {
10337 /* Exceeding the max plain length should fail */
10338 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10339 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10340 goto end;
10341 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10342 goto end;
10343 }
10344
10345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10346 &clientssl, NULL, NULL)))
10347 goto end;
10348
10349 if (idx == 1) {
10350 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10351 SSL_set_record_padding_callback_arg(clientssl, &called);
10352 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10353 goto end;
10354 } else if (idx == 3) {
10355 /* Exceeding the max plain length should fail */
10356 if (!TEST_false(SSL_set_block_padding(clientssl,
10357 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10358 goto end;
10359 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10360 goto end;
10361 }
10362
10363 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10364 goto end;
10365
10366 called = 0;
10367 /*
10368 * Write some data, then check we can read it. Do this four times to check
10369 * we can continue to write and read padded data after the initial record
10370 * padding has been added. We don't actually check that the padding has
10371 * been applied to the record - just that we can continue to communicate
10372 * normally and that the callback has been called (if appropriate).
10373 */
10374 for (i = 0; i < 4; i++) {
10375 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10376 || !TEST_size_t_eq(written, strlen(msg)))
10377 goto end;
10378
10379 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10380 &readbytes))
10381 || !TEST_size_t_eq(written, readbytes))
10382 goto end;
10383
10384 buf[readbytes] = '\0';
10385 if (!TEST_str_eq(buf, msg))
10386 goto end;
10387 }
10388
10389 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10390 goto end;
10391
10392 testresult = 1;
10393 end:
10394 SSL_free(serverssl);
10395 SSL_free(clientssl);
10396 SSL_CTX_free(sctx);
10397 SSL_CTX_free(cctx);
10398 return testresult;
10399 }
10400 #endif /* OSSL_NO_USABLE_TLS1_3 */
10401
10402 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10403 /*
10404 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10405 * support this yet. The only pipeline capable cipher that we have is in the
10406 * dasync engine (providers don't support this yet), so we have to use
10407 * deprecated APIs for this test.
10408 *
10409 * Test 0: Client has pipelining enabled, server does not
10410 * Test 1: Server has pipelining enabled, client does not
10411 * Test 2: Client has pipelining enabled, server does not: not enough data to
10412 * fill all the pipelines
10413 * Test 3: Client has pipelining enabled, server does not: not enough data to
10414 * fill all the pipelines by more than a full pipeline's worth
10415 * Test 4: Client has pipelining enabled, server does not: more data than all
10416 * the available pipelines can take
10417 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10418 */
10419 static int test_pipelining(int idx)
10420 {
10421 SSL_CTX *cctx = NULL, *sctx = NULL;
10422 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10423 int testresult = 0, numreads;
10424 /* A 55 byte message */
10425 unsigned char *msg = (unsigned char *)
10426 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10427 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10428 size_t expectedreads;
10429 unsigned char *buf = NULL;
10430 ENGINE *e;
10431
10432 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10433 return 0;
10434
10435 if (!TEST_true(ENGINE_init(e))) {
10436 ENGINE_free(e);
10437 return 0;
10438 }
10439
10440 if (!TEST_true(ENGINE_register_ciphers(e)))
10441 goto end;
10442
10443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10444 TLS_client_method(), 0,
10445 TLS1_2_VERSION, &sctx, &cctx, cert,
10446 privkey)))
10447 goto end;
10448
10449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10450 &clientssl, NULL, NULL)))
10451 goto end;
10452
10453 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10454 goto end;
10455
10456 /* peera is always configured for pipelining, while peerb is not. */
10457 if (idx == 1) {
10458 peera = serverssl;
10459 peerb = clientssl;
10460
10461 } else {
10462 peera = clientssl;
10463 peerb = serverssl;
10464 }
10465
10466 if (idx == 5) {
10467 numpipes = 2;
10468 /* Maximum allowed fragment size */
10469 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10470 msglen = fragsize * numpipes;
10471 msg = OPENSSL_malloc(msglen);
10472 if (!TEST_ptr(msg))
10473 goto end;
10474 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10475 goto end;
10476 } else if (idx == 4) {
10477 msglen = 55;
10478 } else {
10479 msglen = 50;
10480 }
10481 if (idx == 2)
10482 msglen -= 2; /* Send 2 less bytes */
10483 else if (idx == 3)
10484 msglen -= 12; /* Send 12 less bytes */
10485
10486 buf = OPENSSL_malloc(msglen);
10487 if (!TEST_ptr(buf))
10488 goto end;
10489
10490 if (idx == 5) {
10491 /*
10492 * Test that setting a split send fragment longer than the maximum
10493 * allowed fails
10494 */
10495 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10496 goto end;
10497 }
10498
10499 /*
10500 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10501 * (50 bytes in total). This is a ridiculously small number of bytes -
10502 * but sufficient for our purposes
10503 */
10504 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10505 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10506 goto end;
10507
10508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10509 goto end;
10510
10511 /* Write some data from peera to peerb */
10512 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10513 || !TEST_size_t_eq(written, msglen))
10514 goto end;
10515
10516 /*
10517 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10518 * have been used - except in test 3 where only |numpipes - 1| pipelines
10519 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10520 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10521 * expect this to be read in |numpipes| or |numpipes - 1| separate
10522 * SSL_read_ex calls. In the case of test 4, there is then one additional
10523 * read for left over data that couldn't fit in the previous pipelines
10524 */
10525 for (offset = 0, numreads = 0;
10526 offset < msglen;
10527 offset += readbytes, numreads++) {
10528 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10529 msglen - offset, &readbytes)))
10530 goto end;
10531 }
10532
10533 expectedreads = idx == 4 ? numpipes + 1
10534 : (idx == 3 ? numpipes - 1 : numpipes);
10535 if (!TEST_mem_eq(msg, msglen, buf, offset)
10536 || !TEST_int_eq(numreads, expectedreads))
10537 goto end;
10538
10539 /*
10540 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10541 * chunks to exercise the read pipelining code on peera.
10542 */
10543 for (offset = 0; offset < msglen; offset += fragsize) {
10544 size_t sendlen = msglen - offset;
10545
10546 if (sendlen > fragsize)
10547 sendlen = fragsize;
10548 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10549 || !TEST_size_t_eq(written, sendlen))
10550 goto end;
10551 }
10552
10553 /*
10554 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10555 * separate chunks (depending on which test we are running). If the
10556 * pipelining is working then we expect peera to read up to numpipes chunks
10557 * and process them in parallel, giving back the complete result in a single
10558 * call to SSL_read_ex
10559 */
10560 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10561 || !TEST_size_t_le(readbytes, msglen))
10562 goto end;
10563
10564 if (idx == 4) {
10565 size_t readbytes2;
10566
10567 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10568 msglen - readbytes, &readbytes2)))
10569 goto end;
10570 readbytes += readbytes2;
10571 if (!TEST_size_t_le(readbytes, msglen))
10572 goto end;
10573 }
10574
10575 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10576 goto end;
10577
10578 testresult = 1;
10579 end:
10580 SSL_free(serverssl);
10581 SSL_free(clientssl);
10582 SSL_CTX_free(sctx);
10583 SSL_CTX_free(cctx);
10584 ENGINE_unregister_ciphers(e);
10585 ENGINE_finish(e);
10586 ENGINE_free(e);
10587 OPENSSL_free(buf);
10588 if (idx == 5)
10589 OPENSSL_free(msg);
10590 return testresult;
10591 }
10592 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10593
10594 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10595
10596 int setup_tests(void)
10597 {
10598 char *modulename;
10599 char *configfile;
10600
10601 libctx = OSSL_LIB_CTX_new();
10602 if (!TEST_ptr(libctx))
10603 return 0;
10604
10605 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10606
10607 /*
10608 * Verify that the default and fips providers in the default libctx are not
10609 * available
10610 */
10611 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10612 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10613 return 0;
10614
10615 if (!test_skip_common_options()) {
10616 TEST_error("Error parsing test options\n");
10617 return 0;
10618 }
10619
10620 if (!TEST_ptr(certsdir = test_get_argument(0))
10621 || !TEST_ptr(srpvfile = test_get_argument(1))
10622 || !TEST_ptr(tmpfilename = test_get_argument(2))
10623 || !TEST_ptr(modulename = test_get_argument(3))
10624 || !TEST_ptr(configfile = test_get_argument(4))
10625 || !TEST_ptr(dhfile = test_get_argument(5)))
10626 return 0;
10627
10628 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10629 return 0;
10630
10631 /* Check we have the expected provider available */
10632 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10633 return 0;
10634
10635 /* Check the default provider is not available */
10636 if (strcmp(modulename, "default") != 0
10637 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10638 return 0;
10639
10640 if (strcmp(modulename, "fips") == 0)
10641 is_fips = 1;
10642
10643 /*
10644 * We add, but don't load the test "tls-provider". We'll load it when we
10645 * need it.
10646 */
10647 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10648 tls_provider_init)))
10649 return 0;
10650
10651
10652 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10653 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10654 TEST_error("not supported in this build");
10655 return 0;
10656 #else
10657 int i, mcount, rcount, fcount;
10658
10659 for (i = 0; i < 4; i++)
10660 test_export_key_mat(i);
10661 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10662 test_printf_stdout("malloc %d realloc %d free %d\n",
10663 mcount, rcount, fcount);
10664 return 1;
10665 #endif
10666 }
10667
10668 cert = test_mk_file_path(certsdir, "servercert.pem");
10669 if (cert == NULL)
10670 goto err;
10671
10672 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10673 if (privkey == NULL)
10674 goto err;
10675
10676 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10677 if (cert2 == NULL)
10678 goto err;
10679
10680 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10681 if (privkey2 == NULL)
10682 goto err;
10683
10684 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10685 if (cert1024 == NULL)
10686 goto err;
10687
10688 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10689 if (privkey1024 == NULL)
10690 goto err;
10691
10692 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10693 if (cert3072 == NULL)
10694 goto err;
10695
10696 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10697 if (privkey3072 == NULL)
10698 goto err;
10699
10700 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10701 if (cert4096 == NULL)
10702 goto err;
10703
10704 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10705 if (privkey4096 == NULL)
10706 goto err;
10707
10708 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10709 if (cert8192 == NULL)
10710 goto err;
10711
10712 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10713 if (privkey8192 == NULL)
10714 goto err;
10715
10716 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10717 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10718 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10719 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
10720 # endif
10721 #endif
10722 ADD_TEST(test_large_message_tls);
10723 ADD_TEST(test_large_message_tls_read_ahead);
10724 #ifndef OPENSSL_NO_DTLS
10725 ADD_TEST(test_large_message_dtls);
10726 #endif
10727 ADD_ALL_TESTS(test_large_app_data, 28);
10728 ADD_TEST(test_cleanse_plaintext);
10729 #ifndef OPENSSL_NO_OCSP
10730 ADD_TEST(test_tlsext_status_type);
10731 #endif
10732 ADD_TEST(test_session_with_only_int_cache);
10733 ADD_TEST(test_session_with_only_ext_cache);
10734 ADD_TEST(test_session_with_both_cache);
10735 ADD_TEST(test_session_wo_ca_names);
10736 #ifndef OSSL_NO_USABLE_TLS1_3
10737 ADD_ALL_TESTS(test_stateful_tickets, 3);
10738 ADD_ALL_TESTS(test_stateless_tickets, 3);
10739 ADD_TEST(test_psk_tickets);
10740 ADD_ALL_TESTS(test_extra_tickets, 6);
10741 #endif
10742 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10743 ADD_TEST(test_ssl_bio_pop_next_bio);
10744 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10745 ADD_TEST(test_ssl_bio_change_rbio);
10746 ADD_TEST(test_ssl_bio_change_wbio);
10747 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10748 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10749 ADD_TEST(test_keylog);
10750 #endif
10751 #ifndef OSSL_NO_USABLE_TLS1_3
10752 ADD_TEST(test_keylog_no_master_key);
10753 #endif
10754 ADD_TEST(test_client_cert_verify_cb);
10755 ADD_TEST(test_ssl_build_cert_chain);
10756 ADD_TEST(test_ssl_ctx_build_cert_chain);
10757 #ifndef OPENSSL_NO_TLS1_2
10758 ADD_TEST(test_client_hello_cb);
10759 ADD_TEST(test_no_ems);
10760 ADD_TEST(test_ccs_change_cipher);
10761 #endif
10762 #ifndef OSSL_NO_USABLE_TLS1_3
10763 ADD_ALL_TESTS(test_early_data_read_write, 3);
10764 /*
10765 * We don't do replay tests for external PSK. Replay protection isn't used
10766 * in that scenario.
10767 */
10768 ADD_ALL_TESTS(test_early_data_replay, 2);
10769 ADD_ALL_TESTS(test_early_data_skip, 3);
10770 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
10771 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
10772 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
10773 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10774 ADD_ALL_TESTS(test_early_data_psk, 8);
10775 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10776 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10777 # ifndef OPENSSL_NO_TLS1_2
10778 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10779 # endif
10780 #endif
10781 #ifndef OSSL_NO_USABLE_TLS1_3
10782 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10783 ADD_TEST(test_ciphersuite_change);
10784 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10785 # ifdef OPENSSL_NO_PSK
10786 ADD_ALL_TESTS(test_tls13_psk, 1);
10787 # else
10788 ADD_ALL_TESTS(test_tls13_psk, 4);
10789 # endif /* OPENSSL_NO_PSK */
10790 # ifndef OPENSSL_NO_TLS1_2
10791 /* Test with both TLSv1.3 and 1.2 versions */
10792 ADD_ALL_TESTS(test_key_exchange, 14);
10793 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10794 ADD_ALL_TESTS(test_negotiated_group,
10795 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10796 + OSSL_NELEM(ffdhe_kexch_groups)));
10797 # endif
10798 # else
10799 /* Test with only TLSv1.3 versions */
10800 ADD_ALL_TESTS(test_key_exchange, 12);
10801 # endif
10802 ADD_ALL_TESTS(test_custom_exts, 6);
10803 ADD_TEST(test_stateless);
10804 ADD_TEST(test_pha_key_update);
10805 #else
10806 ADD_ALL_TESTS(test_custom_exts, 3);
10807 #endif
10808 ADD_ALL_TESTS(test_export_key_mat, 6);
10809 #ifndef OSSL_NO_USABLE_TLS1_3
10810 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10811 ADD_TEST(test_key_update);
10812 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10813 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10814 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10815 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10816 #endif
10817 ADD_ALL_TESTS(test_ssl_clear, 2);
10818 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10819 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10820 ADD_ALL_TESTS(test_srp, 6);
10821 #endif
10822 #if !defined(OPENSSL_NO_COMP_ALG)
10823 /* Add compression case */
10824 ADD_ALL_TESTS(test_info_callback, 8);
10825 #else
10826 ADD_ALL_TESTS(test_info_callback, 6);
10827 #endif
10828 ADD_ALL_TESTS(test_ssl_pending, 2);
10829 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10830 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10831 ADD_ALL_TESTS(test_shutdown, 7);
10832 ADD_TEST(test_async_shutdown);
10833 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10834 ADD_ALL_TESTS(test_cert_cb, 6);
10835 ADD_ALL_TESTS(test_client_cert_cb, 2);
10836 ADD_ALL_TESTS(test_ca_names, 3);
10837 #ifndef OPENSSL_NO_TLS1_2
10838 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10839 #endif
10840 ADD_ALL_TESTS(test_servername, 10);
10841 #if !defined(OPENSSL_NO_EC) \
10842 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10843 ADD_ALL_TESTS(test_sigalgs_available, 6);
10844 #endif
10845 #ifndef OPENSSL_NO_TLS1_3
10846 ADD_ALL_TESTS(test_pluggable_group, 2);
10847 #endif
10848 #ifndef OPENSSL_NO_TLS1_2
10849 ADD_TEST(test_ssl_dup);
10850 # ifndef OPENSSL_NO_DH
10851 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10852 ADD_ALL_TESTS(test_dh_auto, 7);
10853 # endif
10854 #endif
10855 #ifndef OSSL_NO_USABLE_TLS1_3
10856 ADD_TEST(test_sni_tls13);
10857 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10858 #endif
10859 ADD_TEST(test_inherit_verify_param);
10860 ADD_TEST(test_set_alpn);
10861 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10862 ADD_TEST(test_set_verify_cert_store_ssl);
10863 ADD_ALL_TESTS(test_session_timeout, 1);
10864 ADD_TEST(test_load_dhfile);
10865 #ifndef OSSL_NO_USABLE_TLS1_3
10866 ADD_TEST(test_read_ahead_key_change);
10867 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10868 #endif
10869 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10870 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10871 #endif
10872 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10873 ADD_ALL_TESTS(test_pipelining, 6);
10874 #endif
10875 return 1;
10876
10877 err:
10878 OPENSSL_free(cert);
10879 OPENSSL_free(privkey);
10880 OPENSSL_free(cert2);
10881 OPENSSL_free(privkey2);
10882 return 0;
10883 }
10884
10885 void cleanup_tests(void)
10886 {
10887 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10888 EVP_PKEY_free(tmp_dh_params);
10889 #endif
10890 OPENSSL_free(cert);
10891 OPENSSL_free(privkey);
10892 OPENSSL_free(cert2);
10893 OPENSSL_free(privkey2);
10894 OPENSSL_free(cert1024);
10895 OPENSSL_free(privkey1024);
10896 OPENSSL_free(cert3072);
10897 OPENSSL_free(privkey3072);
10898 OPENSSL_free(cert4096);
10899 OPENSSL_free(privkey4096);
10900 OPENSSL_free(cert8192);
10901 OPENSSL_free(privkey8192);
10902 bio_s_mempacket_test_free();
10903 bio_s_always_retry_free();
10904 OSSL_PROVIDER_unload(defctxnull);
10905 OSSL_LIB_CTX_free(libctx);
10906 }
A mirror of the official openssl repository