]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix a failure in sslapitest
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36
37 #include "helpers/ssltestlib.h"
38 #include "testutil.h"
39 #include "testutil/output.h"
40 #include "internal/nelem.h"
41 #include "internal/ktls.h"
42 #include "../ssl/ssl_local.h"
43 #include "filterprov.h"
44
45 #undef OSSL_NO_USABLE_TLS1_3
46 #if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48 /*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52 # define OSSL_NO_USABLE_TLS1_3
53 #endif
54
55 /* Defined in tls-provider.c */
56 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
60
61 static OSSL_LIB_CTX *libctx = NULL;
62 static OSSL_PROVIDER *defctxnull = NULL;
63
64 #ifndef OSSL_NO_USABLE_TLS1_3
65
66 static SSL_SESSION *clientpsk = NULL;
67 static SSL_SESSION *serverpsk = NULL;
68 static const char *pskid = "Identity";
69 static const char *srvid;
70
71 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73 static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76 static int use_session_cb_cnt = 0;
77 static int find_session_cb_cnt = 0;
78
79 static SSL_SESSION *create_a_psk(SSL *ssl);
80 #endif
81
82 static char *certsdir = NULL;
83 static char *cert = NULL;
84 static char *privkey = NULL;
85 static char *cert2 = NULL;
86 static char *privkey2 = NULL;
87 static char *cert1024 = NULL;
88 static char *privkey1024 = NULL;
89 static char *cert3072 = NULL;
90 static char *privkey3072 = NULL;
91 static char *cert4096 = NULL;
92 static char *privkey4096 = NULL;
93 static char *cert8192 = NULL;
94 static char *privkey8192 = NULL;
95 static char *srpvfile = NULL;
96 static char *tmpfilename = NULL;
97
98 static int is_fips = 0;
99
100 #define LOG_BUFFER_SIZE 2048
101 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
102 static size_t server_log_buffer_index = 0;
103 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t client_log_buffer_index = 0;
105 static int error_writing_log = 0;
106
107 #ifndef OPENSSL_NO_OCSP
108 static const unsigned char orespder[] = "Dummy OCSP Response";
109 static int ocsp_server_called = 0;
110 static int ocsp_client_called = 0;
111
112 static int cdummyarg = 1;
113 static X509 *ocspcert = NULL;
114 #endif
115
116 #define NUM_EXTRA_CERTS 40
117 #define CLIENT_VERSION_LEN 2
118
119 /*
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
122 */
123 struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
126 unsigned int client_early_secret_count;
127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
131 unsigned int early_exporter_secret_count;
132 unsigned int exporter_secret_count;
133 };
134
135
136 static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
140 };
141
142 static unsigned char serverinfov2[] = {
143 0x00, 0x00, 0x00,
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
148 };
149
150 static int hostname_cb(SSL *s, int *al, void *arg)
151 {
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
157
158 return SSL_TLSEXT_ERR_NOACK;
159 }
160
161 static void client_keylog_callback(const SSL *ssl, const char *line)
162 {
163 int line_length = strlen(line);
164
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log = 1;
169 return;
170 }
171
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
174 client_log_buffer[client_log_buffer_index++] = '\n';
175 }
176
177 static void server_keylog_callback(const SSL *ssl, const char *line)
178 {
179 int line_length = strlen(line);
180
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log = 1;
185 return;
186 }
187
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
190 server_log_buffer[server_log_buffer_index++] = '\n';
191 }
192
193 static int compare_hex_encoded_buffer(const char *hex_encoded,
194 size_t hex_length,
195 const uint8_t *raw,
196 size_t raw_length)
197 {
198 size_t i, j;
199 char hexed[3];
200
201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
202 return 1;
203
204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
205 sprintf(hexed, "%02x", raw[i]);
206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
208 return 1;
209 }
210
211 return 0;
212 }
213
214 static int test_keylog_output(char *buffer, const SSL *ssl,
215 const SSL_SESSION *session,
216 struct sslapitest_log_counts *expected)
217 {
218 char *token = NULL;
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
225 unsigned int client_early_secret_count = 0;
226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
230 unsigned int early_exporter_secret_count = 0;
231 unsigned int exporter_secret_count = 0;
232
233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
235 if (strcmp(token, "RSA") == 0) {
236 /*
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
239 * secret.
240 */
241 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 return 0;
243 if (!TEST_size_t_eq(strlen(token), 16))
244 return 0;
245 if (!TEST_ptr(token = strtok(NULL, " \n")))
246 return 0;
247 /*
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
251 */
252 rsa_key_exchange_count++;
253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 /*
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
257 */
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
260 SSL3_RANDOM_SIZE);
261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
262 return 0;
263
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 return 0;
266 if (!TEST_size_t_eq(strlen(token), 64))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
271 return 0;
272
273 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 return 0;
275 master_key_size = SSL_SESSION_get_master_key(session,
276 actual_master_key,
277 master_key_size);
278 if (!TEST_size_t_ne(master_key_size, 0))
279 return 0;
280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
281 actual_master_key,
282 master_key_size)))
283 return 0;
284 master_secret_count++;
285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 /*
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
297 */
298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
312
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
315 SSL3_RANDOM_SIZE);
316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
317 return 0;
318
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 return 0;
321 if (!TEST_size_t_eq(strlen(token), 64))
322 return 0;
323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
326 return 0;
327
328 if (!TEST_ptr(token = strtok(NULL, " \n")))
329 return 0;
330 } else {
331 TEST_info("Unexpected token %s\n", token);
332 return 0;
333 }
334 }
335
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
350 expected->server_application_secret_count)
351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
355 return 0;
356 return 1;
357 }
358
359 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360 static int test_keylog(void)
361 {
362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
364 int testresult = 0;
365 struct sslapitest_log_counts expected;
366
367 /* Clean up logging space */
368 memset(&expected, 0, sizeof(expected));
369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
374
375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
376 TLS_client_method(),
377 TLS1_VERSION, 0,
378 &sctx, &cctx, cert, privkey)))
379 return 0;
380
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
387 goto end;
388
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
391 goto end;
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
395 goto end;
396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
399 goto end;
400
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 SSL_ERROR_NONE))
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
409 goto end;
410
411 /*
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
416 */
417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
421 goto end;
422
423 expected.rsa_key_exchange_count = 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
426 goto end;
427
428 testresult = 1;
429
430 end:
431 SSL_free(serverssl);
432 SSL_free(clientssl);
433 SSL_CTX_free(sctx);
434 SSL_CTX_free(cctx);
435
436 return testresult;
437 }
438 #endif
439
440 #ifndef OSSL_NO_USABLE_TLS1_3
441 static int test_keylog_no_master_key(void)
442 {
443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
445 SSL_SESSION *sess = NULL;
446 int testresult = 0;
447 struct sslapitest_log_counts expected;
448 unsigned char buf[1];
449 size_t readbytes, written;
450
451 /* Clean up logging space */
452 memset(&expected, 0, sizeof(expected));
453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
458
459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
463 SSL3_RT_MAX_PLAIN_LENGTH)))
464 return 0;
465
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
468 goto end;
469
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
473 goto end;
474
475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
478 goto end;
479
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 SSL_ERROR_NONE))
485 || !TEST_false(error_writing_log))
486 goto end;
487
488 /*
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
492 */
493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
497 expected.exporter_secret_count = 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
502 &expected)))
503 goto end;
504
505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
509 SSL_free(serverssl);
510 SSL_free(clientssl);
511 serverssl = clientssl = NULL;
512
513 /* Reset key log */
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
518
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 &readbytes),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 SSL_ERROR_NONE))
531 || !TEST_true(SSL_session_reused(clientssl)))
532 goto end;
533
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
536 expected.early_exporter_secret_count = 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
541 &expected)))
542 goto end;
543
544 testresult = 1;
545
546 end:
547 SSL_SESSION_free(sess);
548 SSL_free(serverssl);
549 SSL_free(clientssl);
550 SSL_CTX_free(sctx);
551 SSL_CTX_free(cctx);
552
553 return testresult;
554 }
555 #endif
556
557 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558 {
559 int res = X509_verify_cert(ctx);
560
561 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
564 return res;
565 }
566
567 static int test_client_cert_verify_cb(void)
568 {
569 /* server key, cert, chain, and root */
570 char *skey = test_mk_file_path(certsdir, "leaf.key");
571 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
572 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
573 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
574 char *root = test_mk_file_path(certsdir, "rootCA.pem");
575 X509 *crt1 = NULL, *crt2 = NULL;
576 STACK_OF(X509) *server_chain;
577 SSL_CTX *cctx = NULL, *sctx = NULL;
578 SSL *clientssl = NULL, *serverssl = NULL;
579 int testresult = 0;
580
581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION, 0,
583 &sctx, &cctx, NULL, NULL)))
584 goto end;
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
587 SSL_FILETYPE_PEM), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 goto end;
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 goto end;
592 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
593 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
595 &clientssl, NULL, NULL)))
596 goto end;
597
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_WANT_RETRY_VERIFY)))
601 goto end;
602
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
605 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
606 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 goto end;
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain, crt1)))
610 goto end;
611 crt1 = NULL;
612 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 goto end;
614 crt2 = NULL;
615
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
618 SSL_ERROR_NONE)))
619 goto end;
620
621 testresult = 1;
622
623 end:
624 X509_free(crt1);
625 X509_free(crt2);
626 if (clientssl != NULL) {
627 SSL_shutdown(clientssl);
628 SSL_free(clientssl);
629 }
630 if (serverssl != NULL) {
631 SSL_shutdown(serverssl);
632 SSL_free(serverssl);
633 }
634 SSL_CTX_free(sctx);
635 SSL_CTX_free(cctx);
636
637 OPENSSL_free(skey);
638 OPENSSL_free(leaf);
639 OPENSSL_free(int2);
640 OPENSSL_free(int1);
641 OPENSSL_free(root);
642
643 return testresult;
644 }
645
646 static int test_ssl_build_cert_chain(void)
647 {
648 int ret = 0;
649 SSL_CTX *ssl_ctx = NULL;
650 SSL *ssl = NULL;
651 char *skey = test_mk_file_path(certsdir, "leaf.key");
652 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653
654 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 goto end;
656 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 goto end;
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 goto end;
663 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK)))
665 goto end;
666 ret = 1;
667 end:
668 SSL_free(ssl);
669 SSL_CTX_free(ssl_ctx);
670 OPENSSL_free(leaf_chain);
671 OPENSSL_free(skey);
672 return ret;
673 }
674
675 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
676 {
677 static const char pass[] = "testpass";
678
679 if (!TEST_int_eq(size, PEM_BUFSIZE))
680 return -1;
681
682 memcpy(buf, pass, sizeof(pass) - 1);
683 return sizeof(pass) - 1;
684 }
685
686 static int test_ssl_ctx_build_cert_chain(void)
687 {
688 int ret = 0;
689 SSL_CTX *ctx = NULL;
690 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
691 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
692
693 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
694 goto end;
695 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
696 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
697 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
698 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
699 SSL_FILETYPE_PEM), 1)
700 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
701 goto end;
702 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
703 | SSL_BUILD_CHAIN_FLAG_CHECK)))
704 goto end;
705 ret = 1;
706 end:
707 SSL_CTX_free(ctx);
708 OPENSSL_free(leaf_chain);
709 OPENSSL_free(skey);
710 return ret;
711 }
712
713 #ifndef OPENSSL_NO_TLS1_2
714 static int full_client_hello_callback(SSL *s, int *al, void *arg)
715 {
716 int *ctr = arg;
717 const unsigned char *p;
718 int *exts;
719 /* We only configure two ciphers, but the SCSV is added automatically. */
720 #ifdef OPENSSL_NO_EC
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
722 #else
723 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
724 0x2c, 0x00, 0xff};
725 #endif
726 const int expected_extensions[] = {
727 #ifndef OPENSSL_NO_EC
728 11, 10,
729 #endif
730 35, 22, 23, 13};
731 size_t len;
732
733 /* Make sure we can defer processing and get called back. */
734 if ((*ctr)++ == 0)
735 return SSL_CLIENT_HELLO_RETRY;
736
737 len = SSL_client_hello_get0_ciphers(s, &p);
738 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
739 || !TEST_size_t_eq(
740 SSL_client_hello_get0_compression_methods(s, &p), 1)
741 || !TEST_int_eq(*p, 0))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
744 return SSL_CLIENT_HELLO_ERROR;
745 if (len != OSSL_NELEM(expected_extensions) ||
746 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
747 printf("ClientHello callback expected extensions mismatch\n");
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_ERROR;
750 }
751 OPENSSL_free(exts);
752 return SSL_CLIENT_HELLO_SUCCESS;
753 }
754
755 static int test_client_hello_cb(void)
756 {
757 SSL_CTX *cctx = NULL, *sctx = NULL;
758 SSL *clientssl = NULL, *serverssl = NULL;
759 int testctr = 0, testresult = 0;
760
761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
762 TLS_client_method(), TLS1_VERSION, 0,
763 &sctx, &cctx, cert, privkey)))
764 goto end;
765 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
766
767 /* The gimpy cipher list we configure can't do TLS 1.3. */
768 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
769
770 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
771 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
772 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
773 &clientssl, NULL, NULL))
774 || !TEST_false(create_ssl_connection(serverssl, clientssl,
775 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 /*
777 * Passing a -1 literal is a hack since
778 * the real value was lost.
779 * */
780 || !TEST_int_eq(SSL_get_error(serverssl, -1),
781 SSL_ERROR_WANT_CLIENT_HELLO_CB)
782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE)))
784 goto end;
785
786 testresult = 1;
787
788 end:
789 SSL_free(serverssl);
790 SSL_free(clientssl);
791 SSL_CTX_free(sctx);
792 SSL_CTX_free(cctx);
793
794 return testresult;
795 }
796
797 static int test_no_ems(void)
798 {
799 SSL_CTX *cctx = NULL, *sctx = NULL;
800 SSL *clientssl = NULL, *serverssl = NULL;
801 int testresult = 0;
802
803 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
804 TLS1_VERSION, TLS1_2_VERSION,
805 &sctx, &cctx, cert, privkey)) {
806 printf("Unable to create SSL_CTX pair\n");
807 goto end;
808 }
809
810 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811
812 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
813 printf("Unable to create SSL objects\n");
814 goto end;
815 }
816
817 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
818 printf("Creating SSL connection failed\n");
819 goto end;
820 }
821
822 if (SSL_get_extms_support(serverssl)) {
823 printf("Server reports Extended Master Secret support\n");
824 goto end;
825 }
826
827 if (SSL_get_extms_support(clientssl)) {
828 printf("Client reports Extended Master Secret support\n");
829 goto end;
830 }
831 testresult = 1;
832
833 end:
834 SSL_free(serverssl);
835 SSL_free(clientssl);
836 SSL_CTX_free(sctx);
837 SSL_CTX_free(cctx);
838
839 return testresult;
840 }
841
842 /*
843 * Very focused test to exercise a single case in the server-side state
844 * machine, when the ChangeCipherState message needs to actually change
845 * from one cipher to a different cipher (i.e., not changing from null
846 * encryption to real encryption).
847 */
848 static int test_ccs_change_cipher(void)
849 {
850 SSL_CTX *cctx = NULL, *sctx = NULL;
851 SSL *clientssl = NULL, *serverssl = NULL;
852 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
853 int testresult = 0;
854 int i;
855 unsigned char buf;
856 size_t readbytes;
857
858 /*
859 * Create a connection so we can resume and potentially (but not) use
860 * a different cipher in the second connection.
861 */
862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
863 TLS_client_method(),
864 TLS1_VERSION, TLS1_2_VERSION,
865 &sctx, &cctx, cert, privkey))
866 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
867 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
868 NULL, NULL))
869 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
871 SSL_ERROR_NONE))
872 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
873 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
874 goto end;
875
876 shutdown_ssl_connection(serverssl, clientssl);
877 serverssl = clientssl = NULL;
878
879 /* Resume, preferring a different cipher. Our server will force the
880 * same cipher to be used as the initial handshake. */
881 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
882 NULL, NULL))
883 || !TEST_true(SSL_set_session(clientssl, sess))
884 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
885 || !TEST_true(create_ssl_connection(serverssl, clientssl,
886 SSL_ERROR_NONE))
887 || !TEST_true(SSL_session_reused(clientssl))
888 || !TEST_true(SSL_session_reused(serverssl))
889 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
890 || !TEST_ptr_eq(sesspre, sesspost)
891 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
892 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
893 goto end;
894 shutdown_ssl_connection(serverssl, clientssl);
895 serverssl = clientssl = NULL;
896
897 /*
898 * Now create a fresh connection and try to renegotiate a different
899 * cipher on it.
900 */
901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
902 NULL, NULL))
903 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
904 || !TEST_true(create_ssl_connection(serverssl, clientssl,
905 SSL_ERROR_NONE))
906 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
907 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
908 || !TEST_true(SSL_renegotiate(clientssl))
909 || !TEST_true(SSL_renegotiate_pending(clientssl)))
910 goto end;
911 /* Actually drive the renegotiation. */
912 for (i = 0; i < 3; i++) {
913 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
914 if (!TEST_ulong_eq(readbytes, 0))
915 goto end;
916 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
917 SSL_ERROR_WANT_READ)) {
918 goto end;
919 }
920 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
921 if (!TEST_ulong_eq(readbytes, 0))
922 goto end;
923 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
924 SSL_ERROR_WANT_READ)) {
925 goto end;
926 }
927 }
928 /* sesspre and sesspost should be different since the cipher changed. */
929 if (!TEST_false(SSL_renegotiate_pending(clientssl))
930 || !TEST_false(SSL_session_reused(clientssl))
931 || !TEST_false(SSL_session_reused(serverssl))
932 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
933 || !TEST_ptr_ne(sesspre, sesspost)
934 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
935 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
936 goto end;
937
938 shutdown_ssl_connection(serverssl, clientssl);
939 serverssl = clientssl = NULL;
940
941 testresult = 1;
942
943 end:
944 SSL_free(serverssl);
945 SSL_free(clientssl);
946 SSL_CTX_free(sctx);
947 SSL_CTX_free(cctx);
948 SSL_SESSION_free(sess);
949
950 return testresult;
951 }
952 #endif
953
954 static int execute_test_large_message(const SSL_METHOD *smeth,
955 const SSL_METHOD *cmeth,
956 int min_version, int max_version,
957 int read_ahead)
958 {
959 SSL_CTX *cctx = NULL, *sctx = NULL;
960 SSL *clientssl = NULL, *serverssl = NULL;
961 int testresult = 0;
962 int i;
963 BIO *certbio = NULL;
964 X509 *chaincert = NULL;
965 int certlen;
966
967 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
968 goto end;
969
970 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
971 goto end;
972
973 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
974 goto end;
975 BIO_free(certbio);
976 certbio = NULL;
977
978 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
979 max_version, &sctx, &cctx, cert,
980 privkey)))
981 goto end;
982
983 #ifdef OPENSSL_NO_DTLS1_2
984 if (smeth == DTLS_server_method()) {
985 /*
986 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
987 * level 0
988 */
989 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
990 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
991 "DEFAULT:@SECLEVEL=0")))
992 goto end;
993 }
994 #endif
995
996 if (read_ahead) {
997 /*
998 * Test that read_ahead works correctly when dealing with large
999 * records
1000 */
1001 SSL_CTX_set_read_ahead(cctx, 1);
1002 }
1003
1004 /*
1005 * We assume the supplied certificate is big enough so that if we add
1006 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1007 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1008 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1009 * test we need to have a message larger than that.
1010 */
1011 certlen = i2d_X509(chaincert, NULL);
1012 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1013 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1014 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1015 if (!X509_up_ref(chaincert))
1016 goto end;
1017 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1018 X509_free(chaincert);
1019 goto end;
1020 }
1021 }
1022
1023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1024 NULL, NULL))
1025 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1026 SSL_ERROR_NONE)))
1027 goto end;
1028
1029 /*
1030 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1031 * doesn't leak.
1032 */
1033 if (!TEST_true(SSL_clear(serverssl)))
1034 goto end;
1035
1036 testresult = 1;
1037 end:
1038 BIO_free(certbio);
1039 X509_free(chaincert);
1040 SSL_free(serverssl);
1041 SSL_free(clientssl);
1042 SSL_CTX_free(sctx);
1043 SSL_CTX_free(cctx);
1044
1045 return testresult;
1046 }
1047
1048 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1049 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1050 /* sock must be connected */
1051 static int ktls_chk_platform(int sock)
1052 {
1053 if (!ktls_enable(sock))
1054 return 0;
1055 return 1;
1056 }
1057
1058 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1059 {
1060 static char count = 1;
1061 unsigned char cbuf[16000] = {0};
1062 unsigned char sbuf[16000];
1063 size_t err = 0;
1064 char crec_wseq_before[SEQ_NUM_SIZE];
1065 char crec_wseq_after[SEQ_NUM_SIZE];
1066 char crec_rseq_before[SEQ_NUM_SIZE];
1067 char crec_rseq_after[SEQ_NUM_SIZE];
1068 char srec_wseq_before[SEQ_NUM_SIZE];
1069 char srec_wseq_after[SEQ_NUM_SIZE];
1070 char srec_rseq_before[SEQ_NUM_SIZE];
1071 char srec_rseq_after[SEQ_NUM_SIZE];
1072
1073 cbuf[0] = count++;
1074 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1075 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1076 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1077 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1078
1079 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1080 goto end;
1081
1082 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1083 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1084 goto end;
1085 }
1086 }
1087
1088 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1089 goto end;
1090
1091 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1092 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1093 goto end;
1094 }
1095 }
1096
1097 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1098 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1099 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1100 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1101
1102 /* verify the payload */
1103 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1104 goto end;
1105
1106 /*
1107 * If ktls is used then kernel sequences are used instead of
1108 * OpenSSL sequences
1109 */
1110 if (!BIO_get_ktls_send(clientssl->wbio)) {
1111 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1112 crec_wseq_after, SEQ_NUM_SIZE))
1113 goto end;
1114 } else {
1115 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1116 crec_wseq_after, SEQ_NUM_SIZE))
1117 goto end;
1118 }
1119
1120 if (!BIO_get_ktls_send(serverssl->wbio)) {
1121 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1122 srec_wseq_after, SEQ_NUM_SIZE))
1123 goto end;
1124 } else {
1125 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1126 srec_wseq_after, SEQ_NUM_SIZE))
1127 goto end;
1128 }
1129
1130 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1131 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1132 crec_rseq_after, SEQ_NUM_SIZE))
1133 goto end;
1134 } else {
1135 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1136 crec_rseq_after, SEQ_NUM_SIZE))
1137 goto end;
1138 }
1139
1140 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1141 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1142 srec_rseq_after, SEQ_NUM_SIZE))
1143 goto end;
1144 } else {
1145 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1146 srec_rseq_after, SEQ_NUM_SIZE))
1147 goto end;
1148 }
1149
1150 return 1;
1151 end:
1152 return 0;
1153 }
1154
1155 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1156 int tls_version, const char *cipher)
1157 {
1158 SSL_CTX *cctx = NULL, *sctx = NULL;
1159 SSL *clientssl = NULL, *serverssl = NULL;
1160 int ktls_used = 0, testresult = 0;
1161 int cfd = -1, sfd = -1;
1162 int rx_supported;
1163
1164 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1165 goto end;
1166
1167 /* Skip this test if the platform does not support ktls */
1168 if (!ktls_chk_platform(cfd)) {
1169 testresult = TEST_skip("Kernel does not support KTLS");
1170 goto end;
1171 }
1172
1173 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1174 testresult = TEST_skip("CHACHA is not supported in FIPS");
1175 goto end;
1176 }
1177
1178 /* Create a session based on SHA-256 */
1179 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1180 TLS_client_method(),
1181 tls_version, tls_version,
1182 &sctx, &cctx, cert, privkey)))
1183 goto end;
1184
1185 if (tls_version == TLS1_3_VERSION) {
1186 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1187 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1188 goto end;
1189 } else {
1190 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1192 goto end;
1193 }
1194
1195 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1196 &clientssl, sfd, cfd)))
1197 goto end;
1198
1199 if (cis_ktls) {
1200 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1201 goto end;
1202 }
1203
1204 if (sis_ktls) {
1205 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1206 goto end;
1207 }
1208
1209 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1210 goto end;
1211
1212 /*
1213 * The running kernel may not support a given cipher suite
1214 * or direction, so just check that KTLS isn't used when it
1215 * isn't enabled.
1216 */
1217 if (!cis_ktls) {
1218 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1219 goto end;
1220 } else {
1221 if (BIO_get_ktls_send(clientssl->wbio))
1222 ktls_used = 1;
1223 }
1224
1225 if (!sis_ktls) {
1226 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1227 goto end;
1228 } else {
1229 if (BIO_get_ktls_send(serverssl->wbio))
1230 ktls_used = 1;
1231 }
1232
1233 #if defined(OPENSSL_NO_KTLS_RX)
1234 rx_supported = 0;
1235 #else
1236 rx_supported = (tls_version != TLS1_3_VERSION);
1237 #endif
1238 if (!cis_ktls || !rx_supported) {
1239 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1240 goto end;
1241 } else {
1242 if (BIO_get_ktls_send(clientssl->rbio))
1243 ktls_used = 1;
1244 }
1245
1246 if (!sis_ktls || !rx_supported) {
1247 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1248 goto end;
1249 } else {
1250 if (BIO_get_ktls_send(serverssl->rbio))
1251 ktls_used = 1;
1252 }
1253
1254 if ((cis_ktls || sis_ktls) && !ktls_used) {
1255 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1256 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1257 "TLS 1.2", cipher);
1258 goto end;
1259 }
1260
1261 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1262 goto end;
1263
1264 testresult = 1;
1265 end:
1266 if (clientssl) {
1267 SSL_shutdown(clientssl);
1268 SSL_free(clientssl);
1269 }
1270 if (serverssl) {
1271 SSL_shutdown(serverssl);
1272 SSL_free(serverssl);
1273 }
1274 SSL_CTX_free(sctx);
1275 SSL_CTX_free(cctx);
1276 serverssl = clientssl = NULL;
1277 if (cfd != -1)
1278 close(cfd);
1279 if (sfd != -1)
1280 close(sfd);
1281 return testresult;
1282 }
1283
1284 #define SENDFILE_SZ (16 * 4096)
1285 #define SENDFILE_CHUNK (4 * 4096)
1286 #define min(a,b) ((a) > (b) ? (b) : (a))
1287
1288 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1289 {
1290 SSL_CTX *cctx = NULL, *sctx = NULL;
1291 SSL *clientssl = NULL, *serverssl = NULL;
1292 unsigned char *buf, *buf_dst;
1293 BIO *out = NULL, *in = NULL;
1294 int cfd = -1, sfd = -1, ffd, err;
1295 ssize_t chunk_size = 0;
1296 off_t chunk_off = 0;
1297 int testresult = 0;
1298 FILE *ffdp;
1299
1300 buf = OPENSSL_zalloc(SENDFILE_SZ);
1301 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1302 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1303 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1304 goto end;
1305
1306 /* Skip this test if the platform does not support ktls */
1307 if (!ktls_chk_platform(sfd)) {
1308 testresult = TEST_skip("Kernel does not support KTLS");
1309 goto end;
1310 }
1311
1312 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1313 testresult = TEST_skip("CHACHA is not supported in FIPS");
1314 goto end;
1315 }
1316
1317 /* Create a session based on SHA-256 */
1318 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1319 TLS_client_method(),
1320 tls_version, tls_version,
1321 &sctx, &cctx, cert, privkey)))
1322 goto end;
1323
1324 if (tls_version == TLS1_3_VERSION) {
1325 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1326 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1327 goto end;
1328 } else {
1329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1330 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1331 goto end;
1332 }
1333
1334 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1335 &clientssl, sfd, cfd)))
1336 goto end;
1337
1338 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1339 goto end;
1340
1341 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1342 SSL_ERROR_NONE)))
1343 goto end;
1344
1345 if (!BIO_get_ktls_send(serverssl->wbio)) {
1346 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1347 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1348 "TLS 1.2", cipher);
1349 goto end;
1350 }
1351
1352 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1353 goto end;
1354
1355 out = BIO_new_file(tmpfilename, "wb");
1356 if (!TEST_ptr(out))
1357 goto end;
1358
1359 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1360 goto end;
1361
1362 BIO_free(out);
1363 out = NULL;
1364 in = BIO_new_file(tmpfilename, "rb");
1365 BIO_get_fp(in, &ffdp);
1366 ffd = fileno(ffdp);
1367
1368 while (chunk_off < SENDFILE_SZ) {
1369 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1370 while ((err = SSL_sendfile(serverssl,
1371 ffd,
1372 chunk_off,
1373 chunk_size,
1374 0)) != chunk_size) {
1375 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1376 goto end;
1377 }
1378 while ((err = SSL_read(clientssl,
1379 buf_dst + chunk_off,
1380 chunk_size)) != chunk_size) {
1381 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1382 goto end;
1383 }
1384
1385 /* verify the payload */
1386 if (!TEST_mem_eq(buf_dst + chunk_off,
1387 chunk_size,
1388 buf + chunk_off,
1389 chunk_size))
1390 goto end;
1391
1392 chunk_off += chunk_size;
1393 }
1394
1395 testresult = 1;
1396 end:
1397 if (clientssl) {
1398 SSL_shutdown(clientssl);
1399 SSL_free(clientssl);
1400 }
1401 if (serverssl) {
1402 SSL_shutdown(serverssl);
1403 SSL_free(serverssl);
1404 }
1405 SSL_CTX_free(sctx);
1406 SSL_CTX_free(cctx);
1407 serverssl = clientssl = NULL;
1408 BIO_free(out);
1409 BIO_free(in);
1410 if (cfd != -1)
1411 close(cfd);
1412 if (sfd != -1)
1413 close(sfd);
1414 OPENSSL_free(buf);
1415 OPENSSL_free(buf_dst);
1416 return testresult;
1417 }
1418
1419 static struct ktls_test_cipher {
1420 int tls_version;
1421 const char *cipher;
1422 } ktls_test_ciphers[] = {
1423 # if !defined(OPENSSL_NO_TLS1_2)
1424 # ifdef OPENSSL_KTLS_AES_GCM_128
1425 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1426 # endif
1427 # ifdef OPENSSL_KTLS_AES_CCM_128
1428 { TLS1_2_VERSION, "AES128-CCM"},
1429 # endif
1430 # ifdef OPENSSL_KTLS_AES_GCM_256
1431 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1432 # endif
1433 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1434 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1435 # endif
1436 # endif
1437 # if !defined(OSSL_NO_USABLE_TLS1_3)
1438 # ifdef OPENSSL_KTLS_AES_GCM_128
1439 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1440 # endif
1441 # ifdef OPENSSL_KTLS_AES_CCM_128
1442 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1443 # endif
1444 # ifdef OPENSSL_KTLS_AES_GCM_256
1445 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1446 # endif
1447 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1448 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1449 # endif
1450 # endif
1451 };
1452
1453 #define NUM_KTLS_TEST_CIPHERS \
1454 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1455
1456 static int test_ktls(int test)
1457 {
1458 struct ktls_test_cipher *cipher;
1459 int cis_ktls, sis_ktls;
1460
1461 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1462 cipher = &ktls_test_ciphers[test / 4];
1463
1464 cis_ktls = (test & 1) != 0;
1465 sis_ktls = (test & 2) != 0;
1466
1467 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1468 cipher->cipher);
1469 }
1470
1471 static int test_ktls_sendfile(int tst)
1472 {
1473 struct ktls_test_cipher *cipher;
1474
1475 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1476 cipher = &ktls_test_ciphers[tst];
1477
1478 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1479 }
1480 #endif
1481
1482 static int test_large_message_tls(void)
1483 {
1484 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1485 TLS1_VERSION, 0, 0);
1486 }
1487
1488 static int test_large_message_tls_read_ahead(void)
1489 {
1490 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1491 TLS1_VERSION, 0, 1);
1492 }
1493
1494 #ifndef OPENSSL_NO_DTLS
1495 static int test_large_message_dtls(void)
1496 {
1497 # ifdef OPENSSL_NO_DTLS1_2
1498 /* Not supported in the FIPS provider */
1499 if (is_fips)
1500 return 1;
1501 # endif
1502 /*
1503 * read_ahead is not relevant to DTLS because DTLS always acts as if
1504 * read_ahead is set.
1505 */
1506 return execute_test_large_message(DTLS_server_method(),
1507 DTLS_client_method(),
1508 DTLS1_VERSION, 0, 0);
1509 }
1510 #endif
1511
1512 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1513 const SSL_METHOD *cmeth,
1514 int min_version, int max_version)
1515 {
1516 size_t i;
1517 SSL_CTX *cctx = NULL, *sctx = NULL;
1518 SSL *clientssl = NULL, *serverssl = NULL;
1519 int testresult = 0;
1520 SSL3_RECORD *rr;
1521 void *zbuf;
1522
1523 static unsigned char cbuf[16000];
1524 static unsigned char sbuf[16000];
1525
1526 if (!TEST_true(create_ssl_ctx_pair(libctx,
1527 smeth, cmeth,
1528 min_version, max_version,
1529 &sctx, &cctx, cert,
1530 privkey)))
1531 goto end;
1532
1533 #ifdef OPENSSL_NO_DTLS1_2
1534 if (smeth == DTLS_server_method()) {
1535 # ifdef OPENSSL_NO_DTLS1_2
1536 /* Not supported in the FIPS provider */
1537 if (is_fips) {
1538 testresult = 1;
1539 goto end;
1540 };
1541 # endif
1542 /*
1543 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1544 * level 0
1545 */
1546 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1547 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1548 "DEFAULT:@SECLEVEL=0")))
1549 goto end;
1550 }
1551 #endif
1552
1553 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1554 NULL, NULL)))
1555 goto end;
1556
1557 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1558 goto end;
1559
1560 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1561 SSL_ERROR_NONE)))
1562 goto end;
1563
1564 for (i = 0; i < sizeof(cbuf); i++) {
1565 cbuf[i] = i & 0xff;
1566 }
1567
1568 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1569 goto end;
1570
1571 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1572 goto end;
1573
1574 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1575 goto end;
1576
1577 /*
1578 * Since we called SSL_peek(), we know the data in the record
1579 * layer is a plaintext record. We can gather the pointer to check
1580 * for zeroization after SSL_read().
1581 */
1582 rr = serverssl->rlayer.rrec;
1583 zbuf = &rr->data[rr->off];
1584 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1585 goto end;
1586
1587 /*
1588 * After SSL_peek() the plaintext must still be stored in the
1589 * record.
1590 */
1591 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1592 goto end;
1593
1594 memset(sbuf, 0, sizeof(sbuf));
1595 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1596 goto end;
1597
1598 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1599 goto end;
1600
1601 /* Check if rbuf is cleansed */
1602 memset(cbuf, 0, sizeof(cbuf));
1603 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1604 goto end;
1605
1606 testresult = 1;
1607 end:
1608 SSL_free(serverssl);
1609 SSL_free(clientssl);
1610 SSL_CTX_free(sctx);
1611 SSL_CTX_free(cctx);
1612
1613 return testresult;
1614 }
1615
1616 static int test_cleanse_plaintext(void)
1617 {
1618 #if !defined(OPENSSL_NO_TLS1_2)
1619 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1620 TLS_client_method(),
1621 TLS1_2_VERSION,
1622 TLS1_2_VERSION)))
1623 return 0;
1624
1625 #endif
1626
1627 #if !defined(OSSL_NO_USABLE_TLS1_3)
1628 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1629 TLS_client_method(),
1630 TLS1_3_VERSION,
1631 TLS1_3_VERSION)))
1632 return 0;
1633 #endif
1634
1635 #if !defined(OPENSSL_NO_DTLS)
1636
1637 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1638 DTLS_client_method(),
1639 DTLS1_VERSION,
1640 0)))
1641 return 0;
1642 #endif
1643 return 1;
1644 }
1645
1646 #ifndef OPENSSL_NO_OCSP
1647 static int ocsp_server_cb(SSL *s, void *arg)
1648 {
1649 int *argi = (int *)arg;
1650 unsigned char *copy = NULL;
1651 STACK_OF(OCSP_RESPID) *ids = NULL;
1652 OCSP_RESPID *id = NULL;
1653
1654 if (*argi == 2) {
1655 /* In this test we are expecting exactly 1 OCSP_RESPID */
1656 SSL_get_tlsext_status_ids(s, &ids);
1657 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1658 return SSL_TLSEXT_ERR_ALERT_FATAL;
1659
1660 id = sk_OCSP_RESPID_value(ids, 0);
1661 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1662 return SSL_TLSEXT_ERR_ALERT_FATAL;
1663 } else if (*argi != 1) {
1664 return SSL_TLSEXT_ERR_ALERT_FATAL;
1665 }
1666
1667 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1668 return SSL_TLSEXT_ERR_ALERT_FATAL;
1669
1670 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1671 sizeof(orespder)))) {
1672 OPENSSL_free(copy);
1673 return SSL_TLSEXT_ERR_ALERT_FATAL;
1674 }
1675 ocsp_server_called = 1;
1676 return SSL_TLSEXT_ERR_OK;
1677 }
1678
1679 static int ocsp_client_cb(SSL *s, void *arg)
1680 {
1681 int *argi = (int *)arg;
1682 const unsigned char *respderin;
1683 size_t len;
1684
1685 if (*argi != 1 && *argi != 2)
1686 return 0;
1687
1688 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1689 if (!TEST_mem_eq(orespder, len, respderin, len))
1690 return 0;
1691
1692 ocsp_client_called = 1;
1693 return 1;
1694 }
1695
1696 static int test_tlsext_status_type(void)
1697 {
1698 SSL_CTX *cctx = NULL, *sctx = NULL;
1699 SSL *clientssl = NULL, *serverssl = NULL;
1700 int testresult = 0;
1701 STACK_OF(OCSP_RESPID) *ids = NULL;
1702 OCSP_RESPID *id = NULL;
1703 BIO *certbio = NULL;
1704
1705 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1706 TLS1_VERSION, 0,
1707 &sctx, &cctx, cert, privkey))
1708 return 0;
1709
1710 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1711 goto end;
1712
1713 /* First just do various checks getting and setting tlsext_status_type */
1714
1715 clientssl = SSL_new(cctx);
1716 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1717 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1718 TLSEXT_STATUSTYPE_ocsp))
1719 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1720 TLSEXT_STATUSTYPE_ocsp))
1721 goto end;
1722
1723 SSL_free(clientssl);
1724 clientssl = NULL;
1725
1726 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1727 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1728 goto end;
1729
1730 clientssl = SSL_new(cctx);
1731 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1732 goto end;
1733 SSL_free(clientssl);
1734 clientssl = NULL;
1735
1736 /*
1737 * Now actually do a handshake and check OCSP information is exchanged and
1738 * the callbacks get called
1739 */
1740 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1741 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1742 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1743 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1744 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1745 &clientssl, NULL, NULL))
1746 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1747 SSL_ERROR_NONE))
1748 || !TEST_true(ocsp_client_called)
1749 || !TEST_true(ocsp_server_called))
1750 goto end;
1751 SSL_free(serverssl);
1752 SSL_free(clientssl);
1753 serverssl = NULL;
1754 clientssl = NULL;
1755
1756 /* Try again but this time force the server side callback to fail */
1757 ocsp_client_called = 0;
1758 ocsp_server_called = 0;
1759 cdummyarg = 0;
1760 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1761 &clientssl, NULL, NULL))
1762 /* This should fail because the callback will fail */
1763 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1764 SSL_ERROR_NONE))
1765 || !TEST_false(ocsp_client_called)
1766 || !TEST_false(ocsp_server_called))
1767 goto end;
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = NULL;
1771 clientssl = NULL;
1772
1773 /*
1774 * This time we'll get the client to send an OCSP_RESPID that it will
1775 * accept.
1776 */
1777 ocsp_client_called = 0;
1778 ocsp_server_called = 0;
1779 cdummyarg = 2;
1780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1781 &clientssl, NULL, NULL)))
1782 goto end;
1783
1784 /*
1785 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1786 * specific one. We'll use the server cert.
1787 */
1788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1789 || !TEST_ptr(id = OCSP_RESPID_new())
1790 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1791 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1792 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1793 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1794 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1795 goto end;
1796 id = NULL;
1797 SSL_set_tlsext_status_ids(clientssl, ids);
1798 /* Control has been transferred */
1799 ids = NULL;
1800
1801 BIO_free(certbio);
1802 certbio = NULL;
1803
1804 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1805 SSL_ERROR_NONE))
1806 || !TEST_true(ocsp_client_called)
1807 || !TEST_true(ocsp_server_called))
1808 goto end;
1809
1810 testresult = 1;
1811
1812 end:
1813 SSL_free(serverssl);
1814 SSL_free(clientssl);
1815 SSL_CTX_free(sctx);
1816 SSL_CTX_free(cctx);
1817 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1818 OCSP_RESPID_free(id);
1819 BIO_free(certbio);
1820 X509_free(ocspcert);
1821 ocspcert = NULL;
1822
1823 return testresult;
1824 }
1825 #endif
1826
1827 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1828 static int new_called, remove_called, get_called;
1829
1830 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1831 {
1832 new_called++;
1833 /*
1834 * sess has been up-refed for us, but we don't actually need it so free it
1835 * immediately.
1836 */
1837 SSL_SESSION_free(sess);
1838 return 1;
1839 }
1840
1841 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1842 {
1843 remove_called++;
1844 }
1845
1846 static SSL_SESSION *get_sess_val = NULL;
1847
1848 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1849 int *copy)
1850 {
1851 get_called++;
1852 *copy = 1;
1853 return get_sess_val;
1854 }
1855
1856 static int execute_test_session(int maxprot, int use_int_cache,
1857 int use_ext_cache, long s_options)
1858 {
1859 SSL_CTX *sctx = NULL, *cctx = NULL;
1860 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1861 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1862 # ifndef OPENSSL_NO_TLS1_1
1863 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1864 # endif
1865 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1866 int testresult = 0, numnewsesstick = 1;
1867
1868 new_called = remove_called = 0;
1869
1870 /* TLSv1.3 sends 2 NewSessionTickets */
1871 if (maxprot == TLS1_3_VERSION)
1872 numnewsesstick = 2;
1873
1874 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1875 TLS_client_method(), TLS1_VERSION, 0,
1876 &sctx, &cctx, cert, privkey)))
1877 return 0;
1878
1879 /*
1880 * Only allow the max protocol version so we can force a connection failure
1881 * later
1882 */
1883 SSL_CTX_set_min_proto_version(cctx, maxprot);
1884 SSL_CTX_set_max_proto_version(cctx, maxprot);
1885
1886 /* Set up session cache */
1887 if (use_ext_cache) {
1888 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1889 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1890 }
1891 if (use_int_cache) {
1892 /* Also covers instance where both are set */
1893 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1894 } else {
1895 SSL_CTX_set_session_cache_mode(cctx,
1896 SSL_SESS_CACHE_CLIENT
1897 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1898 }
1899
1900 if (s_options) {
1901 SSL_CTX_set_options(sctx, s_options);
1902 }
1903
1904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1905 NULL, NULL))
1906 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1907 SSL_ERROR_NONE))
1908 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1909 goto end;
1910
1911 /* Should fail because it should already be in the cache */
1912 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1913 goto end;
1914 if (use_ext_cache
1915 && (!TEST_int_eq(new_called, numnewsesstick)
1916
1917 || !TEST_int_eq(remove_called, 0)))
1918 goto end;
1919
1920 new_called = remove_called = 0;
1921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1922 &clientssl2, NULL, NULL))
1923 || !TEST_true(SSL_set_session(clientssl2, sess1))
1924 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1925 SSL_ERROR_NONE))
1926 || !TEST_true(SSL_session_reused(clientssl2)))
1927 goto end;
1928
1929 if (maxprot == TLS1_3_VERSION) {
1930 /*
1931 * In TLSv1.3 we should have created a new session even though we have
1932 * resumed. Since we attempted a resume we should also have removed the
1933 * old ticket from the cache so that we try to only use tickets once.
1934 */
1935 if (use_ext_cache
1936 && (!TEST_int_eq(new_called, 1)
1937 || !TEST_int_eq(remove_called, 1)))
1938 goto end;
1939 } else {
1940 /*
1941 * In TLSv1.2 we expect to have resumed so no sessions added or
1942 * removed.
1943 */
1944 if (use_ext_cache
1945 && (!TEST_int_eq(new_called, 0)
1946 || !TEST_int_eq(remove_called, 0)))
1947 goto end;
1948 }
1949
1950 SSL_SESSION_free(sess1);
1951 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1952 goto end;
1953 shutdown_ssl_connection(serverssl2, clientssl2);
1954 serverssl2 = clientssl2 = NULL;
1955
1956 new_called = remove_called = 0;
1957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1958 &clientssl2, NULL, NULL))
1959 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1960 SSL_ERROR_NONE)))
1961 goto end;
1962
1963 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1964 goto end;
1965
1966 if (use_ext_cache
1967 && (!TEST_int_eq(new_called, numnewsesstick)
1968 || !TEST_int_eq(remove_called, 0)))
1969 goto end;
1970
1971 new_called = remove_called = 0;
1972 /*
1973 * This should clear sess2 from the cache because it is a "bad" session.
1974 * See SSL_set_session() documentation.
1975 */
1976 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1977 goto end;
1978 if (use_ext_cache
1979 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1980 goto end;
1981 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1982 goto end;
1983
1984 if (use_int_cache) {
1985 /* Should succeeded because it should not already be in the cache */
1986 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1987 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1988 goto end;
1989 }
1990
1991 new_called = remove_called = 0;
1992 /* This shouldn't be in the cache so should fail */
1993 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1994 goto end;
1995
1996 if (use_ext_cache
1997 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1998 goto end;
1999
2000 # if !defined(OPENSSL_NO_TLS1_1)
2001 new_called = remove_called = 0;
2002 /* Force a connection failure */
2003 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2005 &clientssl3, NULL, NULL))
2006 || !TEST_true(SSL_set_session(clientssl3, sess1))
2007 /* This should fail because of the mismatched protocol versions */
2008 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2009 SSL_ERROR_NONE)))
2010 goto end;
2011
2012 /* We should have automatically removed the session from the cache */
2013 if (use_ext_cache
2014 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2015 goto end;
2016
2017 /* Should succeed because it should not already be in the cache */
2018 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2019 goto end;
2020 # endif
2021
2022 /* Now do some tests for server side caching */
2023 if (use_ext_cache) {
2024 SSL_CTX_sess_set_new_cb(cctx, NULL);
2025 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2026 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2027 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2028 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2029 get_sess_val = NULL;
2030 }
2031
2032 SSL_CTX_set_session_cache_mode(cctx, 0);
2033 /* Internal caching is the default on the server side */
2034 if (!use_int_cache)
2035 SSL_CTX_set_session_cache_mode(sctx,
2036 SSL_SESS_CACHE_SERVER
2037 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2038
2039 SSL_free(serverssl1);
2040 SSL_free(clientssl1);
2041 serverssl1 = clientssl1 = NULL;
2042 SSL_free(serverssl2);
2043 SSL_free(clientssl2);
2044 serverssl2 = clientssl2 = NULL;
2045 SSL_SESSION_free(sess1);
2046 sess1 = NULL;
2047 SSL_SESSION_free(sess2);
2048 sess2 = NULL;
2049
2050 SSL_CTX_set_max_proto_version(sctx, maxprot);
2051 if (maxprot == TLS1_2_VERSION)
2052 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2053 new_called = remove_called = get_called = 0;
2054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2055 NULL, NULL))
2056 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2057 SSL_ERROR_NONE))
2058 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2059 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2060 goto end;
2061
2062 if (use_int_cache) {
2063 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2064 /*
2065 * In TLSv1.3 it should not have been added to the internal cache,
2066 * except in the case where we also have an external cache (in that
2067 * case it gets added to the cache in order to generate remove
2068 * events after timeout).
2069 */
2070 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2071 goto end;
2072 } else {
2073 /* Should fail because it should already be in the cache */
2074 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2075 goto end;
2076 }
2077 }
2078
2079 if (use_ext_cache) {
2080 SSL_SESSION *tmp = sess2;
2081
2082 if (!TEST_int_eq(new_called, numnewsesstick)
2083 || !TEST_int_eq(remove_called, 0)
2084 || !TEST_int_eq(get_called, 0))
2085 goto end;
2086 /*
2087 * Delete the session from the internal cache to force a lookup from
2088 * the external cache. We take a copy first because
2089 * SSL_CTX_remove_session() also marks the session as non-resumable.
2090 */
2091 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2092 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2093 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2094 goto end;
2095 SSL_SESSION_free(sess2);
2096 }
2097 sess2 = tmp;
2098 }
2099
2100 new_called = remove_called = get_called = 0;
2101 get_sess_val = sess2;
2102 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2103 &clientssl2, NULL, NULL))
2104 || !TEST_true(SSL_set_session(clientssl2, sess1))
2105 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2106 SSL_ERROR_NONE))
2107 || !TEST_true(SSL_session_reused(clientssl2)))
2108 goto end;
2109
2110 if (use_ext_cache) {
2111 if (!TEST_int_eq(remove_called, 0))
2112 goto end;
2113
2114 if (maxprot == TLS1_3_VERSION) {
2115 if (!TEST_int_eq(new_called, 1)
2116 || !TEST_int_eq(get_called, 0))
2117 goto end;
2118 } else {
2119 if (!TEST_int_eq(new_called, 0)
2120 || !TEST_int_eq(get_called, 1))
2121 goto end;
2122 }
2123 }
2124
2125 testresult = 1;
2126
2127 end:
2128 SSL_free(serverssl1);
2129 SSL_free(clientssl1);
2130 SSL_free(serverssl2);
2131 SSL_free(clientssl2);
2132 # ifndef OPENSSL_NO_TLS1_1
2133 SSL_free(serverssl3);
2134 SSL_free(clientssl3);
2135 # endif
2136 SSL_SESSION_free(sess1);
2137 SSL_SESSION_free(sess2);
2138 SSL_CTX_free(sctx);
2139 SSL_CTX_free(cctx);
2140
2141 return testresult;
2142 }
2143 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2144
2145 static int test_session_with_only_int_cache(void)
2146 {
2147 #ifndef OSSL_NO_USABLE_TLS1_3
2148 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2149 return 0;
2150 #endif
2151
2152 #ifndef OPENSSL_NO_TLS1_2
2153 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2154 #else
2155 return 1;
2156 #endif
2157 }
2158
2159 static int test_session_with_only_ext_cache(void)
2160 {
2161 #ifndef OSSL_NO_USABLE_TLS1_3
2162 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2163 return 0;
2164 #endif
2165
2166 #ifndef OPENSSL_NO_TLS1_2
2167 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2168 #else
2169 return 1;
2170 #endif
2171 }
2172
2173 static int test_session_with_both_cache(void)
2174 {
2175 #ifndef OSSL_NO_USABLE_TLS1_3
2176 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2177 return 0;
2178 #endif
2179
2180 #ifndef OPENSSL_NO_TLS1_2
2181 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2182 #else
2183 return 1;
2184 #endif
2185 }
2186
2187 static int test_session_wo_ca_names(void)
2188 {
2189 #ifndef OSSL_NO_USABLE_TLS1_3
2190 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2191 return 0;
2192 #endif
2193
2194 #ifndef OPENSSL_NO_TLS1_2
2195 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2196 #else
2197 return 1;
2198 #endif
2199 }
2200
2201
2202 #ifndef OSSL_NO_USABLE_TLS1_3
2203 static SSL_SESSION *sesscache[6];
2204 static int do_cache;
2205
2206 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2207 {
2208 if (do_cache) {
2209 sesscache[new_called] = sess;
2210 } else {
2211 /* We don't need the reference to the session, so free it */
2212 SSL_SESSION_free(sess);
2213 }
2214 new_called++;
2215
2216 return 1;
2217 }
2218
2219 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2220 {
2221 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2222 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2223 return 0;
2224
2225 /* Start handshake on the server and client */
2226 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2227 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2228 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2229 || !TEST_true(create_ssl_connection(sssl, cssl,
2230 SSL_ERROR_NONE)))
2231 return 0;
2232
2233 return 1;
2234 }
2235
2236 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2237 SSL_CTX **cctx)
2238 {
2239 int sess_id_ctx = 1;
2240
2241 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2242 TLS_client_method(), TLS1_VERSION, 0,
2243 sctx, cctx, cert, privkey))
2244 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2245 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2246 (void *)&sess_id_ctx,
2247 sizeof(sess_id_ctx))))
2248 return 0;
2249
2250 if (stateful)
2251 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2252
2253 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2255 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2256
2257 return 1;
2258 }
2259
2260 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2261 {
2262 SSL *serverssl = NULL, *clientssl = NULL;
2263 int i;
2264
2265 /* Test that we can resume with all the tickets we got given */
2266 for (i = 0; i < idx * 2; i++) {
2267 new_called = 0;
2268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2269 &clientssl, NULL, NULL))
2270 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2271 goto end;
2272
2273 SSL_set_post_handshake_auth(clientssl, 1);
2274
2275 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2276 SSL_ERROR_NONE)))
2277 goto end;
2278
2279 /*
2280 * Following a successful resumption we only get 1 ticket. After a
2281 * failed one we should get idx tickets.
2282 */
2283 if (succ) {
2284 if (!TEST_true(SSL_session_reused(clientssl))
2285 || !TEST_int_eq(new_called, 1))
2286 goto end;
2287 } else {
2288 if (!TEST_false(SSL_session_reused(clientssl))
2289 || !TEST_int_eq(new_called, idx))
2290 goto end;
2291 }
2292
2293 new_called = 0;
2294 /* After a post-handshake authentication we should get 1 new ticket */
2295 if (succ
2296 && (!post_handshake_verify(serverssl, clientssl)
2297 || !TEST_int_eq(new_called, 1)))
2298 goto end;
2299
2300 SSL_shutdown(clientssl);
2301 SSL_shutdown(serverssl);
2302 SSL_free(serverssl);
2303 SSL_free(clientssl);
2304 serverssl = clientssl = NULL;
2305 SSL_SESSION_free(sesscache[i]);
2306 sesscache[i] = NULL;
2307 }
2308
2309 return 1;
2310
2311 end:
2312 SSL_free(clientssl);
2313 SSL_free(serverssl);
2314 return 0;
2315 }
2316
2317 static int test_tickets(int stateful, int idx)
2318 {
2319 SSL_CTX *sctx = NULL, *cctx = NULL;
2320 SSL *serverssl = NULL, *clientssl = NULL;
2321 int testresult = 0;
2322 size_t j;
2323
2324 /* idx is the test number, but also the number of tickets we want */
2325
2326 new_called = 0;
2327 do_cache = 1;
2328
2329 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2330 goto end;
2331
2332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2333 &clientssl, NULL, NULL)))
2334 goto end;
2335
2336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2337 SSL_ERROR_NONE))
2338 /* Check we got the number of tickets we were expecting */
2339 || !TEST_int_eq(idx, new_called))
2340 goto end;
2341
2342 SSL_shutdown(clientssl);
2343 SSL_shutdown(serverssl);
2344 SSL_free(serverssl);
2345 SSL_free(clientssl);
2346 SSL_CTX_free(sctx);
2347 SSL_CTX_free(cctx);
2348 clientssl = serverssl = NULL;
2349 sctx = cctx = NULL;
2350
2351 /*
2352 * Now we try to resume with the tickets we previously created. The
2353 * resumption attempt is expected to fail (because we're now using a new
2354 * SSL_CTX). We should see idx number of tickets issued again.
2355 */
2356
2357 /* Stop caching sessions - just count them */
2358 do_cache = 0;
2359
2360 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2361 goto end;
2362
2363 if (!check_resumption(idx, sctx, cctx, 0))
2364 goto end;
2365
2366 /* Start again with caching sessions */
2367 new_called = 0;
2368 do_cache = 1;
2369 SSL_CTX_free(sctx);
2370 SSL_CTX_free(cctx);
2371 sctx = cctx = NULL;
2372
2373 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2374 goto end;
2375
2376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2377 &clientssl, NULL, NULL)))
2378 goto end;
2379
2380 SSL_set_post_handshake_auth(clientssl, 1);
2381
2382 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2383 SSL_ERROR_NONE))
2384 /* Check we got the number of tickets we were expecting */
2385 || !TEST_int_eq(idx, new_called))
2386 goto end;
2387
2388 /* After a post-handshake authentication we should get new tickets issued */
2389 if (!post_handshake_verify(serverssl, clientssl)
2390 || !TEST_int_eq(idx * 2, new_called))
2391 goto end;
2392
2393 SSL_shutdown(clientssl);
2394 SSL_shutdown(serverssl);
2395 SSL_free(serverssl);
2396 SSL_free(clientssl);
2397 serverssl = clientssl = NULL;
2398
2399 /* Stop caching sessions - just count them */
2400 do_cache = 0;
2401
2402 /*
2403 * Check we can resume with all the tickets we created. This time around the
2404 * resumptions should all be successful.
2405 */
2406 if (!check_resumption(idx, sctx, cctx, 1))
2407 goto end;
2408
2409 testresult = 1;
2410
2411 end:
2412 SSL_free(serverssl);
2413 SSL_free(clientssl);
2414 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2415 SSL_SESSION_free(sesscache[j]);
2416 sesscache[j] = NULL;
2417 }
2418 SSL_CTX_free(sctx);
2419 SSL_CTX_free(cctx);
2420
2421 return testresult;
2422 }
2423
2424 static int test_stateless_tickets(int idx)
2425 {
2426 return test_tickets(0, idx);
2427 }
2428
2429 static int test_stateful_tickets(int idx)
2430 {
2431 return test_tickets(1, idx);
2432 }
2433
2434 static int test_psk_tickets(void)
2435 {
2436 SSL_CTX *sctx = NULL, *cctx = NULL;
2437 SSL *serverssl = NULL, *clientssl = NULL;
2438 int testresult = 0;
2439 int sess_id_ctx = 1;
2440
2441 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2442 TLS_client_method(), TLS1_VERSION, 0,
2443 &sctx, &cctx, NULL, NULL))
2444 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2445 (void *)&sess_id_ctx,
2446 sizeof(sess_id_ctx))))
2447 goto end;
2448
2449 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2450 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2451 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2452 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2453 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2454 use_session_cb_cnt = 0;
2455 find_session_cb_cnt = 0;
2456 srvid = pskid;
2457 new_called = 0;
2458
2459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2460 NULL, NULL)))
2461 goto end;
2462 clientpsk = serverpsk = create_a_psk(clientssl);
2463 if (!TEST_ptr(clientpsk))
2464 goto end;
2465 SSL_SESSION_up_ref(clientpsk);
2466
2467 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2468 SSL_ERROR_NONE))
2469 || !TEST_int_eq(1, find_session_cb_cnt)
2470 || !TEST_int_eq(1, use_session_cb_cnt)
2471 /* We should always get 1 ticket when using external PSK */
2472 || !TEST_int_eq(1, new_called))
2473 goto end;
2474
2475 testresult = 1;
2476
2477 end:
2478 SSL_free(serverssl);
2479 SSL_free(clientssl);
2480 SSL_CTX_free(sctx);
2481 SSL_CTX_free(cctx);
2482 SSL_SESSION_free(clientpsk);
2483 SSL_SESSION_free(serverpsk);
2484 clientpsk = serverpsk = NULL;
2485
2486 return testresult;
2487 }
2488
2489 static int test_extra_tickets(int idx)
2490 {
2491 SSL_CTX *sctx = NULL, *cctx = NULL;
2492 SSL *serverssl = NULL, *clientssl = NULL;
2493 BIO *bretry = BIO_new(bio_s_always_retry());
2494 BIO *tmp = NULL;
2495 int testresult = 0;
2496 int stateful = 0;
2497 size_t nbytes;
2498 unsigned char c, buf[1];
2499
2500 new_called = 0;
2501 do_cache = 1;
2502
2503 if (idx >= 3) {
2504 idx -= 3;
2505 stateful = 1;
2506 }
2507
2508 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2509 goto end;
2510 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2511 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2512 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2513
2514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2515 &clientssl, NULL, NULL)))
2516 goto end;
2517
2518 /*
2519 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2520 * incremented by both client and server.
2521 */
2522 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2523 SSL_ERROR_NONE))
2524 /* Check we got the number of tickets we were expecting */
2525 || !TEST_int_eq(idx * 2, new_called)
2526 || !TEST_true(SSL_new_session_ticket(serverssl))
2527 || !TEST_true(SSL_new_session_ticket(serverssl))
2528 || !TEST_int_eq(idx * 2, new_called))
2529 goto end;
2530
2531 /* Now try a (real) write to actually send the tickets */
2532 c = '1';
2533 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2534 || !TEST_size_t_eq(1, nbytes)
2535 || !TEST_int_eq(idx * 2 + 2, new_called)
2536 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2537 || !TEST_int_eq(idx * 2 + 4, new_called)
2538 || !TEST_int_eq(sizeof(buf), nbytes)
2539 || !TEST_int_eq(c, buf[0])
2540 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2541 goto end;
2542
2543 /* Try with only requesting one new ticket, too */
2544 c = '2';
2545 new_called = 0;
2546 if (!TEST_true(SSL_new_session_ticket(serverssl))
2547 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2548 || !TEST_size_t_eq(sizeof(c), nbytes)
2549 || !TEST_int_eq(1, new_called)
2550 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2551 || !TEST_int_eq(2, new_called)
2552 || !TEST_size_t_eq(sizeof(buf), nbytes)
2553 || !TEST_int_eq(c, buf[0]))
2554 goto end;
2555
2556 /* Do it again but use dummy writes to drive the ticket generation */
2557 c = '3';
2558 new_called = 0;
2559 if (!TEST_true(SSL_new_session_ticket(serverssl))
2560 || !TEST_true(SSL_new_session_ticket(serverssl))
2561 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2562 || !TEST_size_t_eq(0, nbytes)
2563 || !TEST_int_eq(2, new_called)
2564 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2565 || !TEST_int_eq(4, new_called))
2566 goto end;
2567
2568 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2569 c = '4';
2570 new_called = 0;
2571 if (!TEST_true(SSL_new_session_ticket(serverssl))
2572 || !TEST_true(SSL_new_session_ticket(serverssl))
2573 || !TEST_true(SSL_do_handshake(serverssl))
2574 || !TEST_int_eq(2, new_called)
2575 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2576 || !TEST_int_eq(4, new_called))
2577 goto end;
2578
2579 /*
2580 * Use the always-retry BIO to exercise the logic that forces ticket
2581 * generation to wait until a record boundary.
2582 */
2583 c = '5';
2584 new_called = 0;
2585 tmp = SSL_get_wbio(serverssl);
2586 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2587 tmp = NULL;
2588 goto end;
2589 }
2590 SSL_set0_wbio(serverssl, bretry);
2591 bretry = NULL;
2592 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2593 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2594 || !TEST_size_t_eq(nbytes, 0))
2595 goto end;
2596 /* Restore a BIO that will let the write succeed */
2597 SSL_set0_wbio(serverssl, tmp);
2598 tmp = NULL;
2599 /*
2600 * These calls should just queue the request and not send anything
2601 * even if we explicitly try to hit the state machine.
2602 */
2603 if (!TEST_true(SSL_new_session_ticket(serverssl))
2604 || !TEST_true(SSL_new_session_ticket(serverssl))
2605 || !TEST_int_eq(0, new_called)
2606 || !TEST_true(SSL_do_handshake(serverssl))
2607 || !TEST_int_eq(0, new_called))
2608 goto end;
2609 /* Re-do the write; still no tickets sent */
2610 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2611 || !TEST_size_t_eq(1, nbytes)
2612 || !TEST_int_eq(0, new_called)
2613 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2614 || !TEST_int_eq(0, new_called)
2615 || !TEST_int_eq(sizeof(buf), nbytes)
2616 || !TEST_int_eq(c, buf[0])
2617 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2618 goto end;
2619 /* Even trying to hit the state machine now will still not send tickets */
2620 if (!TEST_true(SSL_do_handshake(serverssl))
2621 || !TEST_int_eq(0, new_called))
2622 goto end;
2623 /* Now the *next* write should send the tickets */
2624 c = '6';
2625 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2626 || !TEST_size_t_eq(1, nbytes)
2627 || !TEST_int_eq(2, new_called)
2628 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2629 || !TEST_int_eq(4, new_called)
2630 || !TEST_int_eq(sizeof(buf), nbytes)
2631 || !TEST_int_eq(c, buf[0])
2632 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2633 goto end;
2634
2635 SSL_shutdown(clientssl);
2636 SSL_shutdown(serverssl);
2637 testresult = 1;
2638
2639 end:
2640 BIO_free(bretry);
2641 BIO_free(tmp);
2642 SSL_free(serverssl);
2643 SSL_free(clientssl);
2644 SSL_CTX_free(sctx);
2645 SSL_CTX_free(cctx);
2646 clientssl = serverssl = NULL;
2647 sctx = cctx = NULL;
2648 return testresult;
2649 }
2650 #endif
2651
2652 #define USE_NULL 0
2653 #define USE_BIO_1 1
2654 #define USE_BIO_2 2
2655 #define USE_DEFAULT 3
2656
2657 #define CONNTYPE_CONNECTION_SUCCESS 0
2658 #define CONNTYPE_CONNECTION_FAIL 1
2659 #define CONNTYPE_NO_CONNECTION 2
2660
2661 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2662 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2663 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2664 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2665 #else
2666 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2667 #endif
2668
2669 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2670 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2671 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2672
2673 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2674 {
2675 switch (type) {
2676 case USE_NULL:
2677 *res = NULL;
2678 break;
2679 case USE_BIO_1:
2680 *res = bio1;
2681 break;
2682 case USE_BIO_2:
2683 *res = bio2;
2684 break;
2685 }
2686 }
2687
2688
2689 /*
2690 * Tests calls to SSL_set_bio() under various conditions.
2691 *
2692 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2693 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2694 * then do more tests where we create a successful connection first using our
2695 * standard connection setup functions, and then call SSL_set_bio() with
2696 * various combinations of valid BIOs or NULL. We then repeat these tests
2697 * following a failed connection. In this last case we are looking to check that
2698 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2699 */
2700 static int test_ssl_set_bio(int idx)
2701 {
2702 SSL_CTX *sctx = NULL, *cctx = NULL;
2703 BIO *bio1 = NULL;
2704 BIO *bio2 = NULL;
2705 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2706 SSL *serverssl = NULL, *clientssl = NULL;
2707 int initrbio, initwbio, newrbio, newwbio, conntype;
2708 int testresult = 0;
2709
2710 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2711 initrbio = idx % 3;
2712 idx /= 3;
2713 initwbio = idx % 3;
2714 idx /= 3;
2715 newrbio = idx % 3;
2716 idx /= 3;
2717 newwbio = idx % 3;
2718 conntype = CONNTYPE_NO_CONNECTION;
2719 } else {
2720 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2721 initrbio = initwbio = USE_DEFAULT;
2722 newrbio = idx % 2;
2723 idx /= 2;
2724 newwbio = idx % 2;
2725 idx /= 2;
2726 conntype = idx % 2;
2727 }
2728
2729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2730 TLS_client_method(), TLS1_VERSION, 0,
2731 &sctx, &cctx, cert, privkey)))
2732 goto end;
2733
2734 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2735 /*
2736 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2737 * because we reduced the number of tests in the definition of
2738 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2739 * mismatched protocol versions we will force a connection failure.
2740 */
2741 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2742 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2743 }
2744
2745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2746 NULL, NULL)))
2747 goto end;
2748
2749 if (initrbio == USE_BIO_1
2750 || initwbio == USE_BIO_1
2751 || newrbio == USE_BIO_1
2752 || newwbio == USE_BIO_1) {
2753 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2754 goto end;
2755 }
2756
2757 if (initrbio == USE_BIO_2
2758 || initwbio == USE_BIO_2
2759 || newrbio == USE_BIO_2
2760 || newwbio == USE_BIO_2) {
2761 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2762 goto end;
2763 }
2764
2765 if (initrbio != USE_DEFAULT) {
2766 setupbio(&irbio, bio1, bio2, initrbio);
2767 setupbio(&iwbio, bio1, bio2, initwbio);
2768 SSL_set_bio(clientssl, irbio, iwbio);
2769
2770 /*
2771 * We want to maintain our own refs to these BIO, so do an up ref for
2772 * each BIO that will have ownership transferred in the SSL_set_bio()
2773 * call
2774 */
2775 if (irbio != NULL)
2776 BIO_up_ref(irbio);
2777 if (iwbio != NULL && iwbio != irbio)
2778 BIO_up_ref(iwbio);
2779 }
2780
2781 if (conntype != CONNTYPE_NO_CONNECTION
2782 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2783 SSL_ERROR_NONE)
2784 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2785 goto end;
2786
2787 setupbio(&nrbio, bio1, bio2, newrbio);
2788 setupbio(&nwbio, bio1, bio2, newwbio);
2789
2790 /*
2791 * We will (maybe) transfer ownership again so do more up refs.
2792 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2793 * already been set!
2794 */
2795 if (nrbio != NULL
2796 && nrbio != irbio
2797 && (nwbio != iwbio || nrbio != nwbio))
2798 BIO_up_ref(nrbio);
2799 if (nwbio != NULL
2800 && nwbio != nrbio
2801 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2802 BIO_up_ref(nwbio);
2803
2804 SSL_set_bio(clientssl, nrbio, nwbio);
2805
2806 testresult = 1;
2807
2808 end:
2809 BIO_free(bio1);
2810 BIO_free(bio2);
2811
2812 /*
2813 * This test is checking that the ref counting for SSL_set_bio is correct.
2814 * If we get here and we did too many frees then we will fail in the above
2815 * functions.
2816 */
2817 SSL_free(serverssl);
2818 SSL_free(clientssl);
2819 SSL_CTX_free(sctx);
2820 SSL_CTX_free(cctx);
2821 return testresult;
2822 }
2823
2824 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2825
2826 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2827 {
2828 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2829 SSL_CTX *ctx;
2830 SSL *ssl = NULL;
2831 int testresult = 0;
2832
2833 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2834 || !TEST_ptr(ssl = SSL_new(ctx))
2835 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2836 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2837 goto end;
2838
2839 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2840
2841 /*
2842 * If anything goes wrong here then we could leak memory.
2843 */
2844 BIO_push(sslbio, membio1);
2845
2846 /* Verify changing the rbio/wbio directly does not cause leaks */
2847 if (change_bio != NO_BIO_CHANGE) {
2848 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2849 ssl = NULL;
2850 goto end;
2851 }
2852 if (change_bio == CHANGE_RBIO)
2853 SSL_set0_rbio(ssl, membio2);
2854 else
2855 SSL_set0_wbio(ssl, membio2);
2856 }
2857 ssl = NULL;
2858
2859 if (pop_ssl)
2860 BIO_pop(sslbio);
2861 else
2862 BIO_pop(membio1);
2863
2864 testresult = 1;
2865 end:
2866 BIO_free(membio1);
2867 BIO_free(sslbio);
2868 SSL_free(ssl);
2869 SSL_CTX_free(ctx);
2870
2871 return testresult;
2872 }
2873
2874 static int test_ssl_bio_pop_next_bio(void)
2875 {
2876 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2877 }
2878
2879 static int test_ssl_bio_pop_ssl_bio(void)
2880 {
2881 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2882 }
2883
2884 static int test_ssl_bio_change_rbio(void)
2885 {
2886 return execute_test_ssl_bio(0, CHANGE_RBIO);
2887 }
2888
2889 static int test_ssl_bio_change_wbio(void)
2890 {
2891 return execute_test_ssl_bio(0, CHANGE_WBIO);
2892 }
2893
2894 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2895 typedef struct {
2896 /* The list of sig algs */
2897 const int *list;
2898 /* The length of the list */
2899 size_t listlen;
2900 /* A sigalgs list in string format */
2901 const char *liststr;
2902 /* Whether setting the list should succeed */
2903 int valid;
2904 /* Whether creating a connection with the list should succeed */
2905 int connsuccess;
2906 } sigalgs_list;
2907
2908 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2909 # ifndef OPENSSL_NO_EC
2910 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2911 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2912 # endif
2913 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2914 static const int invalidlist2[] = {NID_sha256, NID_undef};
2915 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2916 static const int invalidlist4[] = {NID_sha256};
2917 static const sigalgs_list testsigalgs[] = {
2918 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2919 # ifndef OPENSSL_NO_EC
2920 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2921 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2922 # endif
2923 {NULL, 0, "RSA+SHA256", 1, 1},
2924 # ifndef OPENSSL_NO_EC
2925 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2926 {NULL, 0, "ECDSA+SHA512", 1, 0},
2927 # endif
2928 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2929 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2930 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2931 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2932 {NULL, 0, "RSA", 0, 0},
2933 {NULL, 0, "SHA256", 0, 0},
2934 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2935 {NULL, 0, "Invalid", 0, 0}
2936 };
2937
2938 static int test_set_sigalgs(int idx)
2939 {
2940 SSL_CTX *cctx = NULL, *sctx = NULL;
2941 SSL *clientssl = NULL, *serverssl = NULL;
2942 int testresult = 0;
2943 const sigalgs_list *curr;
2944 int testctx;
2945
2946 /* Should never happen */
2947 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2948 return 0;
2949
2950 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2951 curr = testctx ? &testsigalgs[idx]
2952 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2953
2954 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2955 TLS_client_method(), TLS1_VERSION, 0,
2956 &sctx, &cctx, cert, privkey)))
2957 return 0;
2958
2959 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2960
2961 if (testctx) {
2962 int ret;
2963
2964 if (curr->list != NULL)
2965 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2966 else
2967 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2968
2969 if (!ret) {
2970 if (curr->valid)
2971 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2972 else
2973 testresult = 1;
2974 goto end;
2975 }
2976 if (!curr->valid) {
2977 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2978 goto end;
2979 }
2980 }
2981
2982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2983 &clientssl, NULL, NULL)))
2984 goto end;
2985
2986 if (!testctx) {
2987 int ret;
2988
2989 if (curr->list != NULL)
2990 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2991 else
2992 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2993 if (!ret) {
2994 if (curr->valid)
2995 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2996 else
2997 testresult = 1;
2998 goto end;
2999 }
3000 if (!curr->valid)
3001 goto end;
3002 }
3003
3004 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3005 SSL_ERROR_NONE),
3006 curr->connsuccess))
3007 goto end;
3008
3009 testresult = 1;
3010
3011 end:
3012 SSL_free(serverssl);
3013 SSL_free(clientssl);
3014 SSL_CTX_free(sctx);
3015 SSL_CTX_free(cctx);
3016
3017 return testresult;
3018 }
3019 #endif
3020
3021 #ifndef OSSL_NO_USABLE_TLS1_3
3022 static int psk_client_cb_cnt = 0;
3023 static int psk_server_cb_cnt = 0;
3024
3025 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3026 size_t *idlen, SSL_SESSION **sess)
3027 {
3028 switch (++use_session_cb_cnt) {
3029 case 1:
3030 /* The first call should always have a NULL md */
3031 if (md != NULL)
3032 return 0;
3033 break;
3034
3035 case 2:
3036 /* The second call should always have an md */
3037 if (md == NULL)
3038 return 0;
3039 break;
3040
3041 default:
3042 /* We should only be called a maximum of twice */
3043 return 0;
3044 }
3045
3046 if (clientpsk != NULL)
3047 SSL_SESSION_up_ref(clientpsk);
3048
3049 *sess = clientpsk;
3050 *id = (const unsigned char *)pskid;
3051 *idlen = strlen(pskid);
3052
3053 return 1;
3054 }
3055
3056 #ifndef OPENSSL_NO_PSK
3057 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3058 unsigned int max_id_len,
3059 unsigned char *psk,
3060 unsigned int max_psk_len)
3061 {
3062 unsigned int psklen = 0;
3063
3064 psk_client_cb_cnt++;
3065
3066 if (strlen(pskid) + 1 > max_id_len)
3067 return 0;
3068
3069 /* We should only ever be called a maximum of twice per connection */
3070 if (psk_client_cb_cnt > 2)
3071 return 0;
3072
3073 if (clientpsk == NULL)
3074 return 0;
3075
3076 /* We'll reuse the PSK we set up for TLSv1.3 */
3077 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3078 return 0;
3079 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3080 strncpy(id, pskid, max_id_len);
3081
3082 return psklen;
3083 }
3084 #endif /* OPENSSL_NO_PSK */
3085
3086 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3087 size_t identity_len, SSL_SESSION **sess)
3088 {
3089 find_session_cb_cnt++;
3090
3091 /* We should only ever be called a maximum of twice per connection */
3092 if (find_session_cb_cnt > 2)
3093 return 0;
3094
3095 if (serverpsk == NULL)
3096 return 0;
3097
3098 /* Identity should match that set by the client */
3099 if (strlen(srvid) != identity_len
3100 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3101 /* No PSK found, continue but without a PSK */
3102 *sess = NULL;
3103 return 1;
3104 }
3105
3106 SSL_SESSION_up_ref(serverpsk);
3107 *sess = serverpsk;
3108
3109 return 1;
3110 }
3111
3112 #ifndef OPENSSL_NO_PSK
3113 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3114 unsigned char *psk, unsigned int max_psk_len)
3115 {
3116 unsigned int psklen = 0;
3117
3118 psk_server_cb_cnt++;
3119
3120 /* We should only ever be called a maximum of twice per connection */
3121 if (find_session_cb_cnt > 2)
3122 return 0;
3123
3124 if (serverpsk == NULL)
3125 return 0;
3126
3127 /* Identity should match that set by the client */
3128 if (strcmp(srvid, identity) != 0) {
3129 return 0;
3130 }
3131
3132 /* We'll reuse the PSK we set up for TLSv1.3 */
3133 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3134 return 0;
3135 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3136
3137 return psklen;
3138 }
3139 #endif /* OPENSSL_NO_PSK */
3140
3141 #define MSG1 "Hello"
3142 #define MSG2 "World."
3143 #define MSG3 "This"
3144 #define MSG4 "is"
3145 #define MSG5 "a"
3146 #define MSG6 "test"
3147 #define MSG7 "message."
3148
3149 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3150 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3151 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3152 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3153 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3154
3155
3156 static SSL_SESSION *create_a_psk(SSL *ssl)
3157 {
3158 const SSL_CIPHER *cipher = NULL;
3159 const unsigned char key[] = {
3160 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3161 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3162 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3163 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3164 0x2c, 0x2d, 0x2e, 0x2f
3165 };
3166 SSL_SESSION *sess = NULL;
3167
3168 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3169 sess = SSL_SESSION_new();
3170 if (!TEST_ptr(sess)
3171 || !TEST_ptr(cipher)
3172 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3173 sizeof(key)))
3174 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3175 || !TEST_true(
3176 SSL_SESSION_set_protocol_version(sess,
3177 TLS1_3_VERSION))) {
3178 SSL_SESSION_free(sess);
3179 return NULL;
3180 }
3181 return sess;
3182 }
3183
3184 /*
3185 * Helper method to setup objects for early data test. Caller frees objects on
3186 * error.
3187 */
3188 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3189 SSL **serverssl, SSL_SESSION **sess, int idx)
3190 {
3191 if (*sctx == NULL
3192 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3193 TLS_client_method(),
3194 TLS1_VERSION, 0,
3195 sctx, cctx, cert, privkey)))
3196 return 0;
3197
3198 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3199 return 0;
3200
3201 if (idx == 1) {
3202 /* When idx == 1 we repeat the tests with read_ahead set */
3203 SSL_CTX_set_read_ahead(*cctx, 1);
3204 SSL_CTX_set_read_ahead(*sctx, 1);
3205 } else if (idx == 2) {
3206 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3207 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3208 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3209 use_session_cb_cnt = 0;
3210 find_session_cb_cnt = 0;
3211 srvid = pskid;
3212 }
3213
3214 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3215 NULL, NULL)))
3216 return 0;
3217
3218 /*
3219 * For one of the run throughs (doesn't matter which one), we'll try sending
3220 * some SNI data in the initial ClientHello. This will be ignored (because
3221 * there is no SNI cb set up by the server), so it should not impact
3222 * early_data.
3223 */
3224 if (idx == 1
3225 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3226 return 0;
3227
3228 if (idx == 2) {
3229 clientpsk = create_a_psk(*clientssl);
3230 if (!TEST_ptr(clientpsk)
3231 /*
3232 * We just choose an arbitrary value for max_early_data which
3233 * should be big enough for testing purposes.
3234 */
3235 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3236 0x100))
3237 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3238 SSL_SESSION_free(clientpsk);
3239 clientpsk = NULL;
3240 return 0;
3241 }
3242 serverpsk = clientpsk;
3243
3244 if (sess != NULL) {
3245 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3246 SSL_SESSION_free(clientpsk);
3247 SSL_SESSION_free(serverpsk);
3248 clientpsk = serverpsk = NULL;
3249 return 0;
3250 }
3251 *sess = clientpsk;
3252 }
3253 return 1;
3254 }
3255
3256 if (sess == NULL)
3257 return 1;
3258
3259 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3260 SSL_ERROR_NONE)))
3261 return 0;
3262
3263 *sess = SSL_get1_session(*clientssl);
3264 SSL_shutdown(*clientssl);
3265 SSL_shutdown(*serverssl);
3266 SSL_free(*serverssl);
3267 SSL_free(*clientssl);
3268 *serverssl = *clientssl = NULL;
3269
3270 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3271 clientssl, NULL, NULL))
3272 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3273 return 0;
3274
3275 return 1;
3276 }
3277
3278 static int test_early_data_read_write(int idx)
3279 {
3280 SSL_CTX *cctx = NULL, *sctx = NULL;
3281 SSL *clientssl = NULL, *serverssl = NULL;
3282 int testresult = 0;
3283 SSL_SESSION *sess = NULL;
3284 unsigned char buf[20], data[1024];
3285 size_t readbytes, written, eoedlen, rawread, rawwritten;
3286 BIO *rbio;
3287
3288 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3289 &serverssl, &sess, idx)))
3290 goto end;
3291
3292 /* Write and read some early data */
3293 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3294 &written))
3295 || !TEST_size_t_eq(written, strlen(MSG1))
3296 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3297 sizeof(buf), &readbytes),
3298 SSL_READ_EARLY_DATA_SUCCESS)
3299 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3300 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3301 SSL_EARLY_DATA_ACCEPTED))
3302 goto end;
3303
3304 /*
3305 * Server should be able to write data, and client should be able to
3306 * read it.
3307 */
3308 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3309 &written))
3310 || !TEST_size_t_eq(written, strlen(MSG2))
3311 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3312 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3313 goto end;
3314
3315 /* Even after reading normal data, client should be able write early data */
3316 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3317 &written))
3318 || !TEST_size_t_eq(written, strlen(MSG3)))
3319 goto end;
3320
3321 /* Server should still be able read early data after writing data */
3322 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3323 &readbytes),
3324 SSL_READ_EARLY_DATA_SUCCESS)
3325 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3326 goto end;
3327
3328 /* Write more data from server and read it from client */
3329 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3330 &written))
3331 || !TEST_size_t_eq(written, strlen(MSG4))
3332 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3333 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3334 goto end;
3335
3336 /*
3337 * If client writes normal data it should mean writing early data is no
3338 * longer possible.
3339 */
3340 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3341 || !TEST_size_t_eq(written, strlen(MSG5))
3342 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3343 SSL_EARLY_DATA_ACCEPTED))
3344 goto end;
3345
3346 /*
3347 * At this point the client has written EndOfEarlyData, ClientFinished and
3348 * normal (fully protected) data. We are going to cause a delay between the
3349 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3350 * in the read BIO, and then just put back the EndOfEarlyData message.
3351 */
3352 rbio = SSL_get_rbio(serverssl);
3353 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3354 || !TEST_size_t_lt(rawread, sizeof(data))
3355 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3356 goto end;
3357
3358 /* Record length is in the 4th and 5th bytes of the record header */
3359 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3360 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3361 || !TEST_size_t_eq(rawwritten, eoedlen))
3362 goto end;
3363
3364 /* Server should be told that there is no more early data */
3365 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3366 &readbytes),
3367 SSL_READ_EARLY_DATA_FINISH)
3368 || !TEST_size_t_eq(readbytes, 0))
3369 goto end;
3370
3371 /*
3372 * Server has not finished init yet, so should still be able to write early
3373 * data.
3374 */
3375 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3376 &written))
3377 || !TEST_size_t_eq(written, strlen(MSG6)))
3378 goto end;
3379
3380 /* Push the ClientFinished and the normal data back into the server rbio */
3381 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3382 &rawwritten))
3383 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3384 goto end;
3385
3386 /* Server should be able to read normal data */
3387 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3388 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3389 goto end;
3390
3391 /* Client and server should not be able to write/read early data now */
3392 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3393 &written)))
3394 goto end;
3395 ERR_clear_error();
3396 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3397 &readbytes),
3398 SSL_READ_EARLY_DATA_ERROR))
3399 goto end;
3400 ERR_clear_error();
3401
3402 /* Client should be able to read the data sent by the server */
3403 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3404 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3405 goto end;
3406
3407 /*
3408 * Make sure we process the two NewSessionTickets. These arrive
3409 * post-handshake. We attempt reads which we do not expect to return any
3410 * data.
3411 */
3412 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3413 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3414 &readbytes)))
3415 goto end;
3416
3417 /* Server should be able to write normal data */
3418 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3419 || !TEST_size_t_eq(written, strlen(MSG7))
3420 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3421 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3422 goto end;
3423
3424 SSL_SESSION_free(sess);
3425 sess = SSL_get1_session(clientssl);
3426 use_session_cb_cnt = 0;
3427 find_session_cb_cnt = 0;
3428
3429 SSL_shutdown(clientssl);
3430 SSL_shutdown(serverssl);
3431 SSL_free(serverssl);
3432 SSL_free(clientssl);
3433 serverssl = clientssl = NULL;
3434 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3435 &clientssl, NULL, NULL))
3436 || !TEST_true(SSL_set_session(clientssl, sess)))
3437 goto end;
3438
3439 /* Write and read some early data */
3440 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3441 &written))
3442 || !TEST_size_t_eq(written, strlen(MSG1))
3443 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3444 &readbytes),
3445 SSL_READ_EARLY_DATA_SUCCESS)
3446 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3447 goto end;
3448
3449 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3450 || !TEST_int_gt(SSL_accept(serverssl), 0))
3451 goto end;
3452
3453 /* Client and server should not be able to write/read early data now */
3454 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3455 &written)))
3456 goto end;
3457 ERR_clear_error();
3458 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3459 &readbytes),
3460 SSL_READ_EARLY_DATA_ERROR))
3461 goto end;
3462 ERR_clear_error();
3463
3464 /* Client and server should be able to write/read normal data */
3465 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3466 || !TEST_size_t_eq(written, strlen(MSG5))
3467 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3468 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3469 goto end;
3470
3471 testresult = 1;
3472
3473 end:
3474 SSL_SESSION_free(sess);
3475 SSL_SESSION_free(clientpsk);
3476 SSL_SESSION_free(serverpsk);
3477 clientpsk = serverpsk = NULL;
3478 SSL_free(serverssl);
3479 SSL_free(clientssl);
3480 SSL_CTX_free(sctx);
3481 SSL_CTX_free(cctx);
3482 return testresult;
3483 }
3484
3485 static int allow_ed_cb_called = 0;
3486
3487 static int allow_early_data_cb(SSL *s, void *arg)
3488 {
3489 int *usecb = (int *)arg;
3490
3491 allow_ed_cb_called++;
3492
3493 if (*usecb == 1)
3494 return 0;
3495
3496 return 1;
3497 }
3498
3499 /*
3500 * idx == 0: Standard early_data setup
3501 * idx == 1: early_data setup using read_ahead
3502 * usecb == 0: Don't use a custom early data callback
3503 * usecb == 1: Use a custom early data callback and reject the early data
3504 * usecb == 2: Use a custom early data callback and accept the early data
3505 * confopt == 0: Configure anti-replay directly
3506 * confopt == 1: Configure anti-replay using SSL_CONF
3507 */
3508 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3509 {
3510 SSL_CTX *cctx = NULL, *sctx = NULL;
3511 SSL *clientssl = NULL, *serverssl = NULL;
3512 int testresult = 0;
3513 SSL_SESSION *sess = NULL;
3514 size_t readbytes, written;
3515 unsigned char buf[20];
3516
3517 allow_ed_cb_called = 0;
3518
3519 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3520 TLS_client_method(), TLS1_VERSION, 0,
3521 &sctx, &cctx, cert, privkey)))
3522 return 0;
3523
3524 if (usecb > 0) {
3525 if (confopt == 0) {
3526 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3527 } else {
3528 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3529
3530 if (!TEST_ptr(confctx))
3531 goto end;
3532 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3533 | SSL_CONF_FLAG_SERVER);
3534 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3535 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3536 2)) {
3537 SSL_CONF_CTX_free(confctx);
3538 goto end;
3539 }
3540 SSL_CONF_CTX_free(confctx);
3541 }
3542 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3543 }
3544
3545 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3546 &serverssl, &sess, idx)))
3547 goto end;
3548
3549 /*
3550 * The server is configured to accept early data. Create a connection to
3551 * "use up" the ticket
3552 */
3553 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3554 || !TEST_true(SSL_session_reused(clientssl)))
3555 goto end;
3556
3557 SSL_shutdown(clientssl);
3558 SSL_shutdown(serverssl);
3559 SSL_free(serverssl);
3560 SSL_free(clientssl);
3561 serverssl = clientssl = NULL;
3562
3563 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3564 &clientssl, NULL, NULL))
3565 || !TEST_true(SSL_set_session(clientssl, sess)))
3566 goto end;
3567
3568 /* Write and read some early data */
3569 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3570 &written))
3571 || !TEST_size_t_eq(written, strlen(MSG1)))
3572 goto end;
3573
3574 if (usecb <= 1) {
3575 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3576 &readbytes),
3577 SSL_READ_EARLY_DATA_FINISH)
3578 /*
3579 * The ticket was reused, so the we should have rejected the
3580 * early data
3581 */
3582 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3583 SSL_EARLY_DATA_REJECTED))
3584 goto end;
3585 } else {
3586 /* In this case the callback decides to accept the early data */
3587 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3588 &readbytes),
3589 SSL_READ_EARLY_DATA_SUCCESS)
3590 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3591 /*
3592 * Server will have sent its flight so client can now send
3593 * end of early data and complete its half of the handshake
3594 */
3595 || !TEST_int_gt(SSL_connect(clientssl), 0)
3596 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3597 &readbytes),
3598 SSL_READ_EARLY_DATA_FINISH)
3599 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3600 SSL_EARLY_DATA_ACCEPTED))
3601 goto end;
3602 }
3603
3604 /* Complete the connection */
3605 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3606 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3607 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3608 goto end;
3609
3610 testresult = 1;
3611
3612 end:
3613 SSL_SESSION_free(sess);
3614 SSL_SESSION_free(clientpsk);
3615 SSL_SESSION_free(serverpsk);
3616 clientpsk = serverpsk = NULL;
3617 SSL_free(serverssl);
3618 SSL_free(clientssl);
3619 SSL_CTX_free(sctx);
3620 SSL_CTX_free(cctx);
3621 return testresult;
3622 }
3623
3624 static int test_early_data_replay(int idx)
3625 {
3626 int ret = 1, usecb, confopt;
3627
3628 for (usecb = 0; usecb < 3; usecb++) {
3629 for (confopt = 0; confopt < 2; confopt++)
3630 ret &= test_early_data_replay_int(idx, usecb, confopt);
3631 }
3632
3633 return ret;
3634 }
3635
3636 /*
3637 * Helper function to test that a server attempting to read early data can
3638 * handle a connection from a client where the early data should be skipped.
3639 * testtype: 0 == No HRR
3640 * testtype: 1 == HRR
3641 * testtype: 2 == HRR, invalid early_data sent after HRR
3642 * testtype: 3 == recv_max_early_data set to 0
3643 */
3644 static int early_data_skip_helper(int testtype, int idx)
3645 {
3646 SSL_CTX *cctx = NULL, *sctx = NULL;
3647 SSL *clientssl = NULL, *serverssl = NULL;
3648 int testresult = 0;
3649 SSL_SESSION *sess = NULL;
3650 unsigned char buf[20];
3651 size_t readbytes, written;
3652
3653 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3654 &serverssl, &sess, idx)))
3655 goto end;
3656
3657 if (testtype == 1 || testtype == 2) {
3658 /* Force an HRR to occur */
3659 #if defined(OPENSSL_NO_EC)
3660 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3661 goto end;
3662 #else
3663 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3664 goto end;
3665 #endif
3666 } else if (idx == 2) {
3667 /*
3668 * We force early_data rejection by ensuring the PSK identity is
3669 * unrecognised
3670 */
3671 srvid = "Dummy Identity";
3672 } else {
3673 /*
3674 * Deliberately corrupt the creation time. We take 20 seconds off the
3675 * time. It could be any value as long as it is not within tolerance.
3676 * This should mean the ticket is rejected.
3677 */
3678 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3679 goto end;
3680 }
3681
3682 if (testtype == 3
3683 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3684 goto end;
3685
3686 /* Write some early data */
3687 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3688 &written))
3689 || !TEST_size_t_eq(written, strlen(MSG1)))
3690 goto end;
3691
3692 /* Server should reject the early data */
3693 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3694 &readbytes),
3695 SSL_READ_EARLY_DATA_FINISH)
3696 || !TEST_size_t_eq(readbytes, 0)
3697 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3698 SSL_EARLY_DATA_REJECTED))
3699 goto end;
3700
3701 switch (testtype) {
3702 case 0:
3703 /* Nothing to do */
3704 break;
3705
3706 case 1:
3707 /*
3708 * Finish off the handshake. We perform the same writes and reads as
3709 * further down but we expect them to fail due to the incomplete
3710 * handshake.
3711 */
3712 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3713 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3714 &readbytes)))
3715 goto end;
3716 break;
3717
3718 case 2:
3719 {
3720 BIO *wbio = SSL_get_wbio(clientssl);
3721 /* A record that will appear as bad early_data */
3722 const unsigned char bad_early_data[] = {
3723 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3724 };
3725
3726 /*
3727 * We force the client to attempt a write. This will fail because
3728 * we're still in the handshake. It will cause the second
3729 * ClientHello to be sent.
3730 */
3731 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3732 &written)))
3733 goto end;
3734
3735 /*
3736 * Inject some early_data after the second ClientHello. This should
3737 * cause the server to fail
3738 */
3739 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3740 sizeof(bad_early_data), &written)))
3741 goto end;
3742 }
3743 /* fallthrough */
3744
3745 case 3:
3746 /*
3747 * This client has sent more early_data than we are willing to skip
3748 * (case 3) or sent invalid early_data (case 2) so the connection should
3749 * abort.
3750 */
3751 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3752 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3753 goto end;
3754
3755 /* Connection has failed - nothing more to do */
3756 testresult = 1;
3757 goto end;
3758
3759 default:
3760 TEST_error("Invalid test type");
3761 goto end;
3762 }
3763
3764 /*
3765 * Should be able to send normal data despite rejection of early data. The
3766 * early_data should be skipped.
3767 */
3768 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3769 || !TEST_size_t_eq(written, strlen(MSG2))
3770 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3771 SSL_EARLY_DATA_REJECTED)
3772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3773 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3774 goto end;
3775
3776 testresult = 1;
3777
3778 end:
3779 SSL_SESSION_free(clientpsk);
3780 SSL_SESSION_free(serverpsk);
3781 clientpsk = serverpsk = NULL;
3782 SSL_SESSION_free(sess);
3783 SSL_free(serverssl);
3784 SSL_free(clientssl);
3785 SSL_CTX_free(sctx);
3786 SSL_CTX_free(cctx);
3787 return testresult;
3788 }
3789
3790 /*
3791 * Test that a server attempting to read early data can handle a connection
3792 * from a client where the early data is not acceptable.
3793 */
3794 static int test_early_data_skip(int idx)
3795 {
3796 return early_data_skip_helper(0, idx);
3797 }
3798
3799 /*
3800 * Test that a server attempting to read early data can handle a connection
3801 * from a client where an HRR occurs.
3802 */
3803 static int test_early_data_skip_hrr(int idx)
3804 {
3805 return early_data_skip_helper(1, idx);
3806 }
3807
3808 /*
3809 * Test that a server attempting to read early data can handle a connection
3810 * from a client where an HRR occurs and correctly fails if early_data is sent
3811 * after the HRR
3812 */
3813 static int test_early_data_skip_hrr_fail(int idx)
3814 {
3815 return early_data_skip_helper(2, idx);
3816 }
3817
3818 /*
3819 * Test that a server attempting to read early data will abort if it tries to
3820 * skip over too much.
3821 */
3822 static int test_early_data_skip_abort(int idx)
3823 {
3824 return early_data_skip_helper(3, idx);
3825 }
3826
3827 /*
3828 * Test that a server attempting to read early data can handle a connection
3829 * from a client that doesn't send any.
3830 */
3831 static int test_early_data_not_sent(int idx)
3832 {
3833 SSL_CTX *cctx = NULL, *sctx = NULL;
3834 SSL *clientssl = NULL, *serverssl = NULL;
3835 int testresult = 0;
3836 SSL_SESSION *sess = NULL;
3837 unsigned char buf[20];
3838 size_t readbytes, written;
3839
3840 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3841 &serverssl, &sess, idx)))
3842 goto end;
3843
3844 /* Write some data - should block due to handshake with server */
3845 SSL_set_connect_state(clientssl);
3846 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3847 goto end;
3848
3849 /* Server should detect that early data has not been sent */
3850 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3851 &readbytes),
3852 SSL_READ_EARLY_DATA_FINISH)
3853 || !TEST_size_t_eq(readbytes, 0)
3854 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3855 SSL_EARLY_DATA_NOT_SENT)
3856 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3857 SSL_EARLY_DATA_NOT_SENT))
3858 goto end;
3859
3860 /* Continue writing the message we started earlier */
3861 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3862 || !TEST_size_t_eq(written, strlen(MSG1))
3863 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3864 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3865 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3866 || !TEST_size_t_eq(written, strlen(MSG2)))
3867 goto end;
3868
3869 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3870 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3871 goto end;
3872
3873 testresult = 1;
3874
3875 end:
3876 SSL_SESSION_free(sess);
3877 SSL_SESSION_free(clientpsk);
3878 SSL_SESSION_free(serverpsk);
3879 clientpsk = serverpsk = NULL;
3880 SSL_free(serverssl);
3881 SSL_free(clientssl);
3882 SSL_CTX_free(sctx);
3883 SSL_CTX_free(cctx);
3884 return testresult;
3885 }
3886
3887 static const char *servalpn;
3888
3889 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3890 unsigned char *outlen, const unsigned char *in,
3891 unsigned int inlen, void *arg)
3892 {
3893 unsigned int protlen = 0;
3894 const unsigned char *prot;
3895
3896 for (prot = in; prot < in + inlen; prot += protlen) {
3897 protlen = *prot++;
3898 if (in + inlen < prot + protlen)
3899 return SSL_TLSEXT_ERR_NOACK;
3900
3901 if (protlen == strlen(servalpn)
3902 && memcmp(prot, servalpn, protlen) == 0) {
3903 *out = prot;
3904 *outlen = protlen;
3905 return SSL_TLSEXT_ERR_OK;
3906 }
3907 }
3908
3909 return SSL_TLSEXT_ERR_NOACK;
3910 }
3911
3912 /* Test that a PSK can be used to send early_data */
3913 static int test_early_data_psk(int idx)
3914 {
3915 SSL_CTX *cctx = NULL, *sctx = NULL;
3916 SSL *clientssl = NULL, *serverssl = NULL;
3917 int testresult = 0;
3918 SSL_SESSION *sess = NULL;
3919 unsigned char alpnlist[] = {
3920 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3921 'l', 'p', 'n'
3922 };
3923 #define GOODALPNLEN 9
3924 #define BADALPNLEN 8
3925 #define GOODALPN (alpnlist)
3926 #define BADALPN (alpnlist + GOODALPNLEN)
3927 int err = 0;
3928 unsigned char buf[20];
3929 size_t readbytes, written;
3930 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3931 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3932
3933 /* We always set this up with a final parameter of "2" for PSK */
3934 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3935 &serverssl, &sess, 2)))
3936 goto end;
3937
3938 servalpn = "goodalpn";
3939
3940 /*
3941 * Note: There is no test for inconsistent SNI with late client detection.
3942 * This is because servers do not acknowledge SNI even if they are using
3943 * it in a resumption handshake - so it is not actually possible for a
3944 * client to detect a problem.
3945 */
3946 switch (idx) {
3947 case 0:
3948 /* Set inconsistent SNI (early client detection) */
3949 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3950 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3951 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3952 goto end;
3953 break;
3954
3955 case 1:
3956 /* Set inconsistent ALPN (early client detection) */
3957 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3958 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3959 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3960 GOODALPNLEN))
3961 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3962 BADALPNLEN)))
3963 goto end;
3964 break;
3965
3966 case 2:
3967 /*
3968 * Set invalid protocol version. Technically this affects PSKs without
3969 * early_data too, but we test it here because it is similar to the
3970 * SNI/ALPN consistency tests.
3971 */
3972 err = SSL_R_BAD_PSK;
3973 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3974 goto end;
3975 break;
3976
3977 case 3:
3978 /*
3979 * Set inconsistent SNI (server side). In this case the connection
3980 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3981 * is associated with each handshake - not the session. Therefore it
3982 * should not matter that we used a different server name last time.
3983 */
3984 SSL_SESSION_free(serverpsk);
3985 serverpsk = SSL_SESSION_dup(clientpsk);
3986 if (!TEST_ptr(serverpsk)
3987 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3988 goto end;
3989 /* Fall through */
3990 case 4:
3991 /* Set consistent SNI */
3992 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3993 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3994 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3995 hostname_cb)))
3996 goto end;
3997 break;
3998
3999 case 5:
4000 /*
4001 * Set inconsistent ALPN (server detected). In this case the connection
4002 * will succeed but reject early_data.
4003 */
4004 servalpn = "badalpn";
4005 edstatus = SSL_EARLY_DATA_REJECTED;
4006 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4007 /* Fall through */
4008 case 6:
4009 /*
4010 * Set consistent ALPN.
4011 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4012 * accepts a list of protos (each one length prefixed).
4013 * SSL_set1_alpn_selected accepts a single protocol (not length
4014 * prefixed)
4015 */
4016 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4017 GOODALPNLEN - 1))
4018 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4019 GOODALPNLEN)))
4020 goto end;
4021
4022 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4023 break;
4024
4025 case 7:
4026 /* Set inconsistent ALPN (late client detection) */
4027 SSL_SESSION_free(serverpsk);
4028 serverpsk = SSL_SESSION_dup(clientpsk);
4029 if (!TEST_ptr(serverpsk)
4030 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4031 BADALPN + 1,
4032 BADALPNLEN - 1))
4033 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4034 GOODALPN + 1,
4035 GOODALPNLEN - 1))
4036 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4037 sizeof(alpnlist))))
4038 goto end;
4039 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4040 edstatus = SSL_EARLY_DATA_ACCEPTED;
4041 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4042 /* SSL_connect() call should fail */
4043 connectres = -1;
4044 break;
4045
4046 default:
4047 TEST_error("Bad test index");
4048 goto end;
4049 }
4050
4051 SSL_set_connect_state(clientssl);
4052 if (err != 0) {
4053 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4054 &written))
4055 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4056 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4057 goto end;
4058 } else {
4059 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4060 &written)))
4061 goto end;
4062
4063 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4064 &readbytes), readearlyres)
4065 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4066 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4067 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4068 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4069 goto end;
4070 }
4071
4072 testresult = 1;
4073
4074 end:
4075 SSL_SESSION_free(sess);
4076 SSL_SESSION_free(clientpsk);
4077 SSL_SESSION_free(serverpsk);
4078 clientpsk = serverpsk = NULL;
4079 SSL_free(serverssl);
4080 SSL_free(clientssl);
4081 SSL_CTX_free(sctx);
4082 SSL_CTX_free(cctx);
4083 return testresult;
4084 }
4085
4086 /*
4087 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4088 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4089 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4090 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4091 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4092 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4093 */
4094 static int test_early_data_psk_with_all_ciphers(int idx)
4095 {
4096 SSL_CTX *cctx = NULL, *sctx = NULL;
4097 SSL *clientssl = NULL, *serverssl = NULL;
4098 int testresult = 0;
4099 SSL_SESSION *sess = NULL;
4100 unsigned char buf[20];
4101 size_t readbytes, written;
4102 const SSL_CIPHER *cipher;
4103 const char *cipher_str[] = {
4104 TLS1_3_RFC_AES_128_GCM_SHA256,
4105 TLS1_3_RFC_AES_256_GCM_SHA384,
4106 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4107 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4108 # else
4109 NULL,
4110 # endif
4111 TLS1_3_RFC_AES_128_CCM_SHA256,
4112 TLS1_3_RFC_AES_128_CCM_8_SHA256
4113 };
4114 const unsigned char *cipher_bytes[] = {
4115 TLS13_AES_128_GCM_SHA256_BYTES,
4116 TLS13_AES_256_GCM_SHA384_BYTES,
4117 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4118 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4119 # else
4120 NULL,
4121 # endif
4122 TLS13_AES_128_CCM_SHA256_BYTES,
4123 TLS13_AES_128_CCM_8_SHA256_BYTES
4124 };
4125
4126 if (cipher_str[idx] == NULL)
4127 return 1;
4128 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4129 if (idx == 2 && is_fips == 1)
4130 return 1;
4131
4132 /* We always set this up with a final parameter of "2" for PSK */
4133 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4134 &serverssl, &sess, 2)))
4135 goto end;
4136
4137 if (idx == 4) {
4138 /* CCM8 ciphers are considered low security due to their short tag */
4139 SSL_set_security_level(clientssl, 0);
4140 SSL_set_security_level(serverssl, 0);
4141 }
4142
4143 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4144 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4145 goto end;
4146
4147 /*
4148 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4149 * and assigns to both client and server with incremented reference
4150 * and the same instance is updated in 'sess'.
4151 * So updating ciphersuite in 'sess' which will get reflected in
4152 * PSK handshake using psk use sess and find sess cb.
4153 */
4154 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4155 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4156 goto end;
4157
4158 SSL_set_connect_state(clientssl);
4159 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4160 &written)))
4161 goto end;
4162
4163 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4164 &readbytes),
4165 SSL_READ_EARLY_DATA_SUCCESS)
4166 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4167 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4168 SSL_EARLY_DATA_ACCEPTED)
4169 || !TEST_int_eq(SSL_connect(clientssl), 1)
4170 || !TEST_int_eq(SSL_accept(serverssl), 1))
4171 goto end;
4172
4173 /* Send some normal data from client to server */
4174 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4175 || !TEST_size_t_eq(written, strlen(MSG2)))
4176 goto end;
4177
4178 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4179 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4180 goto end;
4181
4182 testresult = 1;
4183 end:
4184 SSL_SESSION_free(sess);
4185 SSL_SESSION_free(clientpsk);
4186 SSL_SESSION_free(serverpsk);
4187 clientpsk = serverpsk = NULL;
4188 if (clientssl != NULL)
4189 SSL_shutdown(clientssl);
4190 if (serverssl != NULL)
4191 SSL_shutdown(serverssl);
4192 SSL_free(serverssl);
4193 SSL_free(clientssl);
4194 SSL_CTX_free(sctx);
4195 SSL_CTX_free(cctx);
4196 return testresult;
4197 }
4198
4199 /*
4200 * Test that a server that doesn't try to read early data can handle a
4201 * client sending some.
4202 */
4203 static int test_early_data_not_expected(int idx)
4204 {
4205 SSL_CTX *cctx = NULL, *sctx = NULL;
4206 SSL *clientssl = NULL, *serverssl = NULL;
4207 int testresult = 0;
4208 SSL_SESSION *sess = NULL;
4209 unsigned char buf[20];
4210 size_t readbytes, written;
4211
4212 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4213 &serverssl, &sess, idx)))
4214 goto end;
4215
4216 /* Write some early data */
4217 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4218 &written)))
4219 goto end;
4220
4221 /*
4222 * Server should skip over early data and then block waiting for client to
4223 * continue handshake
4224 */
4225 if (!TEST_int_le(SSL_accept(serverssl), 0)
4226 || !TEST_int_gt(SSL_connect(clientssl), 0)
4227 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4228 SSL_EARLY_DATA_REJECTED)
4229 || !TEST_int_gt(SSL_accept(serverssl), 0)
4230 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4231 SSL_EARLY_DATA_REJECTED))
4232 goto end;
4233
4234 /* Send some normal data from client to server */
4235 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4236 || !TEST_size_t_eq(written, strlen(MSG2)))
4237 goto end;
4238
4239 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4240 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4241 goto end;
4242
4243 testresult = 1;
4244
4245 end:
4246 SSL_SESSION_free(sess);
4247 SSL_SESSION_free(clientpsk);
4248 SSL_SESSION_free(serverpsk);
4249 clientpsk = serverpsk = NULL;
4250 SSL_free(serverssl);
4251 SSL_free(clientssl);
4252 SSL_CTX_free(sctx);
4253 SSL_CTX_free(cctx);
4254 return testresult;
4255 }
4256
4257
4258 # ifndef OPENSSL_NO_TLS1_2
4259 /*
4260 * Test that a server attempting to read early data can handle a connection
4261 * from a TLSv1.2 client.
4262 */
4263 static int test_early_data_tls1_2(int idx)
4264 {
4265 SSL_CTX *cctx = NULL, *sctx = NULL;
4266 SSL *clientssl = NULL, *serverssl = NULL;
4267 int testresult = 0;
4268 unsigned char buf[20];
4269 size_t readbytes, written;
4270
4271 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4272 &serverssl, NULL, idx)))
4273 goto end;
4274
4275 /* Write some data - should block due to handshake with server */
4276 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4277 SSL_set_connect_state(clientssl);
4278 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4279 goto end;
4280
4281 /*
4282 * Server should do TLSv1.2 handshake. First it will block waiting for more
4283 * messages from client after ServerDone. Then SSL_read_early_data should
4284 * finish and detect that early data has not been sent
4285 */
4286 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4287 &readbytes),
4288 SSL_READ_EARLY_DATA_ERROR))
4289 goto end;
4290
4291 /*
4292 * Continue writing the message we started earlier. Will still block waiting
4293 * for the CCS/Finished from server
4294 */
4295 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4296 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4297 &readbytes),
4298 SSL_READ_EARLY_DATA_FINISH)
4299 || !TEST_size_t_eq(readbytes, 0)
4300 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4301 SSL_EARLY_DATA_NOT_SENT))
4302 goto end;
4303
4304 /* Continue writing the message we started earlier */
4305 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4306 || !TEST_size_t_eq(written, strlen(MSG1))
4307 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4308 SSL_EARLY_DATA_NOT_SENT)
4309 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4310 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4311 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4312 || !TEST_size_t_eq(written, strlen(MSG2))
4313 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4314 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4315 goto end;
4316
4317 testresult = 1;
4318
4319 end:
4320 SSL_SESSION_free(clientpsk);
4321 SSL_SESSION_free(serverpsk);
4322 clientpsk = serverpsk = NULL;
4323 SSL_free(serverssl);
4324 SSL_free(clientssl);
4325 SSL_CTX_free(sctx);
4326 SSL_CTX_free(cctx);
4327
4328 return testresult;
4329 }
4330 # endif /* OPENSSL_NO_TLS1_2 */
4331
4332 /*
4333 * Test configuring the TLSv1.3 ciphersuites
4334 *
4335 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4336 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4337 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4338 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4339 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4340 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4341 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4342 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4343 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4344 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4345 */
4346 static int test_set_ciphersuite(int idx)
4347 {
4348 SSL_CTX *cctx = NULL, *sctx = NULL;
4349 SSL *clientssl = NULL, *serverssl = NULL;
4350 int testresult = 0;
4351
4352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4353 TLS_client_method(), TLS1_VERSION, 0,
4354 &sctx, &cctx, cert, privkey))
4355 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4356 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4357 goto end;
4358
4359 if (idx >=4 && idx <= 7) {
4360 /* SSL_CTX explicit cipher list */
4361 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4362 goto end;
4363 }
4364
4365 if (idx == 0 || idx == 4) {
4366 /* Default ciphersuite */
4367 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4368 "TLS_AES_128_GCM_SHA256")))
4369 goto end;
4370 } else if (idx == 1 || idx == 5) {
4371 /* Non default ciphersuite */
4372 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4373 "TLS_AES_128_CCM_SHA256")))
4374 goto end;
4375 }
4376
4377 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4378 &clientssl, NULL, NULL)))
4379 goto end;
4380
4381 if (idx == 8 || idx == 9) {
4382 /* SSL explicit cipher list */
4383 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4384 goto end;
4385 }
4386
4387 if (idx == 2 || idx == 6 || idx == 8) {
4388 /* Default ciphersuite */
4389 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4390 "TLS_AES_128_GCM_SHA256")))
4391 goto end;
4392 } else if (idx == 3 || idx == 7 || idx == 9) {
4393 /* Non default ciphersuite */
4394 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4395 "TLS_AES_128_CCM_SHA256")))
4396 goto end;
4397 }
4398
4399 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4400 goto end;
4401
4402 testresult = 1;
4403
4404 end:
4405 SSL_free(serverssl);
4406 SSL_free(clientssl);
4407 SSL_CTX_free(sctx);
4408 SSL_CTX_free(cctx);
4409
4410 return testresult;
4411 }
4412
4413 static int test_ciphersuite_change(void)
4414 {
4415 SSL_CTX *cctx = NULL, *sctx = NULL;
4416 SSL *clientssl = NULL, *serverssl = NULL;
4417 SSL_SESSION *clntsess = NULL;
4418 int testresult = 0;
4419 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4420
4421 /* Create a session based on SHA-256 */
4422 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4423 TLS_client_method(), TLS1_VERSION, 0,
4424 &sctx, &cctx, cert, privkey))
4425 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4426 "TLS_AES_128_GCM_SHA256:"
4427 "TLS_AES_256_GCM_SHA384:"
4428 "TLS_AES_128_CCM_SHA256"))
4429 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4430 "TLS_AES_128_GCM_SHA256")))
4431 goto end;
4432
4433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4434 NULL, NULL))
4435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4436 SSL_ERROR_NONE)))
4437 goto end;
4438
4439 clntsess = SSL_get1_session(clientssl);
4440 /* Save for later */
4441 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4442 SSL_shutdown(clientssl);
4443 SSL_shutdown(serverssl);
4444 SSL_free(serverssl);
4445 SSL_free(clientssl);
4446 serverssl = clientssl = NULL;
4447
4448 /* Check we can resume a session with a different SHA-256 ciphersuite */
4449 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4450 "TLS_AES_128_CCM_SHA256"))
4451 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4452 &clientssl, NULL, NULL))
4453 || !TEST_true(SSL_set_session(clientssl, clntsess))
4454 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4455 SSL_ERROR_NONE))
4456 || !TEST_true(SSL_session_reused(clientssl)))
4457 goto end;
4458
4459 SSL_SESSION_free(clntsess);
4460 clntsess = SSL_get1_session(clientssl);
4461 SSL_shutdown(clientssl);
4462 SSL_shutdown(serverssl);
4463 SSL_free(serverssl);
4464 SSL_free(clientssl);
4465 serverssl = clientssl = NULL;
4466
4467 /*
4468 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4469 * succeeds but does not resume.
4470 */
4471 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4472 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4473 NULL, NULL))
4474 || !TEST_true(SSL_set_session(clientssl, clntsess))
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4476 SSL_ERROR_SSL))
4477 || !TEST_false(SSL_session_reused(clientssl)))
4478 goto end;
4479
4480 SSL_SESSION_free(clntsess);
4481 clntsess = NULL;
4482 SSL_shutdown(clientssl);
4483 SSL_shutdown(serverssl);
4484 SSL_free(serverssl);
4485 SSL_free(clientssl);
4486 serverssl = clientssl = NULL;
4487
4488 /* Create a session based on SHA384 */
4489 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4490 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4491 &clientssl, NULL, NULL))
4492 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4493 SSL_ERROR_NONE)))
4494 goto end;
4495
4496 clntsess = SSL_get1_session(clientssl);
4497 SSL_shutdown(clientssl);
4498 SSL_shutdown(serverssl);
4499 SSL_free(serverssl);
4500 SSL_free(clientssl);
4501 serverssl = clientssl = NULL;
4502
4503 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4504 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4505 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4506 "TLS_AES_256_GCM_SHA384"))
4507 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4508 NULL, NULL))
4509 || !TEST_true(SSL_set_session(clientssl, clntsess))
4510 /*
4511 * We use SSL_ERROR_WANT_READ below so that we can pause the
4512 * connection after the initial ClientHello has been sent to
4513 * enable us to make some session changes.
4514 */
4515 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4516 SSL_ERROR_WANT_READ)))
4517 goto end;
4518
4519 /* Trick the client into thinking this session is for a different digest */
4520 clntsess->cipher = aes_128_gcm_sha256;
4521 clntsess->cipher_id = clntsess->cipher->id;
4522
4523 /*
4524 * Continue the previously started connection. Server has selected a SHA-384
4525 * ciphersuite, but client thinks the session is for SHA-256, so it should
4526 * bail out.
4527 */
4528 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4529 SSL_ERROR_SSL))
4530 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4531 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4532 goto end;
4533
4534 testresult = 1;
4535
4536 end:
4537 SSL_SESSION_free(clntsess);
4538 SSL_free(serverssl);
4539 SSL_free(clientssl);
4540 SSL_CTX_free(sctx);
4541 SSL_CTX_free(cctx);
4542
4543 return testresult;
4544 }
4545
4546 /*
4547 * Test TLSv1.3 Key exchange
4548 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4549 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4550 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4551 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4552 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4553 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4554 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4555 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4556 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4557 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4558 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4559 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4560 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4561 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4562 */
4563 # ifndef OPENSSL_NO_EC
4564 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4565 NID_secp521r1, NID_X25519, NID_X448};
4566 # endif
4567 # ifndef OPENSSL_NO_DH
4568 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4569 NID_ffdhe6144, NID_ffdhe8192};
4570 # endif
4571 static int test_key_exchange(int idx)
4572 {
4573 SSL_CTX *sctx = NULL, *cctx = NULL;
4574 SSL *serverssl = NULL, *clientssl = NULL;
4575 int testresult = 0;
4576 int kexch_alg;
4577 int *kexch_groups = &kexch_alg;
4578 int kexch_groups_size = 1;
4579 int max_version = TLS1_3_VERSION;
4580 char *kexch_name0 = NULL;
4581
4582 switch (idx) {
4583 # ifndef OPENSSL_NO_EC
4584 # ifndef OPENSSL_NO_TLS1_2
4585 case 12:
4586 max_version = TLS1_2_VERSION;
4587 # endif
4588 /* Fall through */
4589 case 0:
4590 kexch_groups = ecdhe_kexch_groups;
4591 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4592 kexch_name0 = "secp256r1";
4593 break;
4594 case 1:
4595 kexch_alg = NID_X9_62_prime256v1;
4596 kexch_name0 = "secp256r1";
4597 break;
4598 case 2:
4599 kexch_alg = NID_secp384r1;
4600 kexch_name0 = "secp384r1";
4601 break;
4602 case 3:
4603 kexch_alg = NID_secp521r1;
4604 kexch_name0 = "secp521r1";
4605 break;
4606 case 4:
4607 kexch_alg = NID_X25519;
4608 kexch_name0 = "x25519";
4609 break;
4610 case 5:
4611 kexch_alg = NID_X448;
4612 kexch_name0 = "x448";
4613 break;
4614 # endif
4615 # ifndef OPENSSL_NO_DH
4616 # ifndef OPENSSL_NO_TLS1_2
4617 case 13:
4618 max_version = TLS1_2_VERSION;
4619 kexch_name0 = "ffdhe2048";
4620 # endif
4621 /* Fall through */
4622 case 6:
4623 kexch_groups = ffdhe_kexch_groups;
4624 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4625 kexch_name0 = "ffdhe2048";
4626 break;
4627 case 7:
4628 kexch_alg = NID_ffdhe2048;
4629 kexch_name0 = "ffdhe2048";
4630 break;
4631 case 8:
4632 kexch_alg = NID_ffdhe3072;
4633 kexch_name0 = "ffdhe3072";
4634 break;
4635 case 9:
4636 kexch_alg = NID_ffdhe4096;
4637 kexch_name0 = "ffdhe4096";
4638 break;
4639 case 10:
4640 kexch_alg = NID_ffdhe6144;
4641 kexch_name0 = "ffdhe6144";
4642 break;
4643 case 11:
4644 kexch_alg = NID_ffdhe8192;
4645 kexch_name0 = "ffdhe8192";
4646 break;
4647 # endif
4648 default:
4649 /* We're skipping this test */
4650 return 1;
4651 }
4652
4653 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4654 TLS_client_method(), TLS1_VERSION,
4655 max_version, &sctx, &cctx, cert,
4656 privkey)))
4657 goto end;
4658
4659 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4660 TLS1_3_RFC_AES_128_GCM_SHA256)))
4661 goto end;
4662
4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4664 TLS1_3_RFC_AES_128_GCM_SHA256)))
4665 goto end;
4666
4667 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4668 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4669 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4670 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4671 goto end;
4672
4673 /*
4674 * Must include an EC ciphersuite so that we send supported groups in
4675 * TLSv1.2
4676 */
4677 # ifndef OPENSSL_NO_TLS1_2
4678 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4679 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4680 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4681 goto end;
4682 # endif
4683
4684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4685 NULL, NULL)))
4686 goto end;
4687
4688 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4689 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4690 goto end;
4691
4692 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4693 goto end;
4694
4695 /*
4696 * If Handshake succeeds the negotiated kexch alg should be the first one in
4697 * configured, except in the case of FFDHE groups (idx 13), which are
4698 * TLSv1.3 only so we expect no shared group to exist.
4699 */
4700 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4701 idx == 13 ? 0 : kexch_groups[0]))
4702 goto end;
4703
4704 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4705 kexch_name0))
4706 goto end;
4707
4708 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4709 if (idx != 13) {
4710 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4711 goto end;
4712 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4713 goto end;
4714 }
4715
4716 testresult = 1;
4717 end:
4718 SSL_free(serverssl);
4719 SSL_free(clientssl);
4720 SSL_CTX_free(sctx);
4721 SSL_CTX_free(cctx);
4722 return testresult;
4723 }
4724
4725 # if !defined(OPENSSL_NO_TLS1_2) \
4726 && !defined(OPENSSL_NO_EC) \
4727 && !defined(OPENSSL_NO_DH)
4728 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4729 int isecdhe, int idx)
4730 {
4731 int kexch_alg;
4732 int *kexch_groups = &kexch_alg;
4733 int numec, numff;
4734
4735 numec = OSSL_NELEM(ecdhe_kexch_groups);
4736 numff = OSSL_NELEM(ffdhe_kexch_groups);
4737 if (isecdhe)
4738 kexch_alg = ecdhe_kexch_groups[idx];
4739 else
4740 kexch_alg = ffdhe_kexch_groups[idx];
4741
4742 if (clientmulti) {
4743 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4744 return 0;
4745 if (isecdhe) {
4746 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4747 numec)))
4748 return 0;
4749 } else {
4750 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4751 numff)))
4752 return 0;
4753 }
4754 } else {
4755 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4756 return 0;
4757 if (isecdhe) {
4758 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4759 numec)))
4760 return 0;
4761 } else {
4762 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4763 numff)))
4764 return 0;
4765 }
4766 }
4767 return 1;
4768 }
4769
4770 /*-
4771 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4772 * Run through both the ECDHE and FFDHE group lists used in the previous
4773 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4774 * confirming the expected result; then perform a resumption handshake
4775 * while offering the same group list, and another resumption handshake
4776 * offering a different group list. The returned value should be the
4777 * negotiated group for the initial handshake; for TLS 1.3 resumption
4778 * handshakes the returned value will be negotiated on the resumption
4779 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4780 * be cached in the session from the original handshake, regardless of what
4781 * was offered in the resumption ClientHello.
4782 *
4783 * Using E for the number of EC groups and F for the number of FF groups:
4784 * E tests of ECDHE with TLS 1.3, server only has one group
4785 * F tests of FFDHE with TLS 1.3, server only has one group
4786 * E tests of ECDHE with TLS 1.2, server only has one group
4787 * F tests of FFDHE with TLS 1.2, server only has one group
4788 * E tests of ECDHE with TLS 1.3, client sends only one group
4789 * F tests of FFDHE with TLS 1.3, client sends only one group
4790 * E tests of ECDHE with TLS 1.2, client sends only one group
4791 * F tests of FFDHE with TLS 1.2, client sends only one group
4792 */
4793 static int test_negotiated_group(int idx)
4794 {
4795 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4796 int expectednid;
4797 SSL_CTX *sctx = NULL, *cctx = NULL;
4798 SSL *serverssl = NULL, *clientssl = NULL;
4799 SSL_SESSION *origsess = NULL;
4800 int testresult = 0;
4801 int kexch_alg;
4802 int max_version = TLS1_3_VERSION;
4803
4804 numec = OSSL_NELEM(ecdhe_kexch_groups);
4805 numff = OSSL_NELEM(ffdhe_kexch_groups);
4806 numgroups = numec + numff;
4807 clientmulti = (idx < 2 * numgroups);
4808 idx = idx % (2 * numgroups);
4809 istls13 = (idx < numgroups);
4810 idx = idx % numgroups;
4811 isecdhe = (idx < numec);
4812 if (!isecdhe)
4813 idx -= numec;
4814 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4815 if (isecdhe)
4816 kexch_alg = ecdhe_kexch_groups[idx];
4817 else
4818 kexch_alg = ffdhe_kexch_groups[idx];
4819 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4820 if (!istls13 && !isecdhe)
4821 expectednid = NID_undef;
4822 else
4823 expectednid = kexch_alg;
4824
4825 if (!istls13)
4826 max_version = TLS1_2_VERSION;
4827
4828 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4829 TLS_client_method(), TLS1_VERSION,
4830 max_version, &sctx, &cctx, cert,
4831 privkey)))
4832 goto end;
4833
4834 /*
4835 * Force (EC)DHE ciphers for TLS 1.2.
4836 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4837 */
4838 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4839 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4840 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4841 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4842 goto end;
4843 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4844 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4845 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4846 goto end;
4847
4848 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4849 NULL, NULL)))
4850 goto end;
4851
4852 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4853 idx)))
4854 goto end;
4855
4856 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4857 goto end;
4858
4859 /* Initial handshake; always the configured one */
4860 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4861 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4862 goto end;
4863
4864 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4865 goto end;
4866
4867 SSL_shutdown(clientssl);
4868 SSL_shutdown(serverssl);
4869 SSL_free(serverssl);
4870 SSL_free(clientssl);
4871 serverssl = clientssl = NULL;
4872
4873 /* First resumption attempt; use the same config as initial handshake */
4874 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4875 NULL, NULL))
4876 || !TEST_true(SSL_set_session(clientssl, origsess))
4877 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4878 isecdhe, idx)))
4879 goto end;
4880
4881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4882 || !TEST_true(SSL_session_reused(clientssl)))
4883 goto end;
4884
4885 /* Still had better agree, since nothing changed... */
4886 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4887 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4888 goto end;
4889
4890 SSL_shutdown(clientssl);
4891 SSL_shutdown(serverssl);
4892 SSL_free(serverssl);
4893 SSL_free(clientssl);
4894 serverssl = clientssl = NULL;
4895
4896 /*-
4897 * Second resumption attempt
4898 * The party that picks one group changes it, which we effectuate by
4899 * changing 'idx' and updating what we expect.
4900 */
4901 if (idx == 0)
4902 idx = 1;
4903 else
4904 idx--;
4905 if (istls13) {
4906 if (isecdhe)
4907 expectednid = ecdhe_kexch_groups[idx];
4908 else
4909 expectednid = ffdhe_kexch_groups[idx];
4910 /* Verify that we are changing what we expect. */
4911 if (!TEST_int_ne(expectednid, kexch_alg))
4912 goto end;
4913 } else {
4914 /* TLS 1.2 only supports named groups for ECDHE. */
4915 if (isecdhe)
4916 expectednid = kexch_alg;
4917 else
4918 expectednid = 0;
4919 }
4920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4921 NULL, NULL))
4922 || !TEST_true(SSL_set_session(clientssl, origsess))
4923 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4924 isecdhe, idx)))
4925 goto end;
4926
4927 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4928 || !TEST_true(SSL_session_reused(clientssl)))
4929 goto end;
4930
4931 /* Check that we get what we expected */
4932 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4933 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4934 goto end;
4935
4936 testresult = 1;
4937 end:
4938 SSL_free(serverssl);
4939 SSL_free(clientssl);
4940 SSL_CTX_free(sctx);
4941 SSL_CTX_free(cctx);
4942 SSL_SESSION_free(origsess);
4943 return testresult;
4944 }
4945 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4946
4947 /*
4948 * Test TLSv1.3 Cipher Suite
4949 * Test 0 = Set TLS1.3 cipher on context
4950 * Test 1 = Set TLS1.3 cipher on SSL
4951 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4952 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4953 */
4954 static int test_tls13_ciphersuite(int idx)
4955 {
4956 SSL_CTX *sctx = NULL, *cctx = NULL;
4957 SSL *serverssl = NULL, *clientssl = NULL;
4958 static const struct {
4959 const char *ciphername;
4960 int fipscapable;
4961 int low_security;
4962 } t13_ciphers[] = {
4963 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
4964 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
4965 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
4966 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4967 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4968 { TLS1_3_RFC_AES_256_GCM_SHA384
4969 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4970 # endif
4971 /* CCM8 ciphers are considered low security due to their short tag */
4972 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4973 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
4974 };
4975 const char *t13_cipher = NULL;
4976 const char *t12_cipher = NULL;
4977 const char *negotiated_scipher;
4978 const char *negotiated_ccipher;
4979 int set_at_ctx = 0;
4980 int set_at_ssl = 0;
4981 int testresult = 0;
4982 int max_ver;
4983 size_t i;
4984
4985 switch (idx) {
4986 case 0:
4987 set_at_ctx = 1;
4988 break;
4989 case 1:
4990 set_at_ssl = 1;
4991 break;
4992 case 2:
4993 set_at_ctx = 1;
4994 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4995 break;
4996 case 3:
4997 set_at_ssl = 1;
4998 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4999 break;
5000 }
5001
5002 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5003 # ifdef OPENSSL_NO_TLS1_2
5004 if (max_ver == TLS1_2_VERSION)
5005 continue;
5006 # endif
5007 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5008 if (is_fips && !t13_ciphers[i].fipscapable)
5009 continue;
5010 t13_cipher = t13_ciphers[i].ciphername;
5011 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5012 TLS_client_method(),
5013 TLS1_VERSION, max_ver,
5014 &sctx, &cctx, cert, privkey)))
5015 goto end;
5016
5017 if (t13_ciphers[i].low_security) {
5018 SSL_CTX_set_security_level(sctx, 0);
5019 SSL_CTX_set_security_level(cctx, 0);
5020 }
5021
5022 if (set_at_ctx) {
5023 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5024 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5025 goto end;
5026 if (t12_cipher != NULL) {
5027 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5028 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5029 t12_cipher)))
5030 goto end;
5031 }
5032 }
5033
5034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5035 &clientssl, NULL, NULL)))
5036 goto end;
5037
5038 if (set_at_ssl) {
5039 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5040 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5041 goto end;
5042 if (t12_cipher != NULL) {
5043 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5044 || !TEST_true(SSL_set_cipher_list(clientssl,
5045 t12_cipher)))
5046 goto end;
5047 }
5048 }
5049
5050 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5051 SSL_ERROR_NONE)))
5052 goto end;
5053
5054 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5055 serverssl));
5056 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5057 clientssl));
5058 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5059 goto end;
5060
5061 /*
5062 * TEST_strn_eq is used below because t13_cipher can contain
5063 * multiple ciphersuites
5064 */
5065 if (max_ver == TLS1_3_VERSION
5066 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5067 strlen(negotiated_scipher)))
5068 goto end;
5069
5070 # ifndef OPENSSL_NO_TLS1_2
5071 /* Below validation is not done when t12_cipher is NULL */
5072 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5073 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5074 goto end;
5075 # endif
5076
5077 SSL_free(serverssl);
5078 serverssl = NULL;
5079 SSL_free(clientssl);
5080 clientssl = NULL;
5081 SSL_CTX_free(sctx);
5082 sctx = NULL;
5083 SSL_CTX_free(cctx);
5084 cctx = NULL;
5085 }
5086 }
5087
5088 testresult = 1;
5089 end:
5090 SSL_free(serverssl);
5091 SSL_free(clientssl);
5092 SSL_CTX_free(sctx);
5093 SSL_CTX_free(cctx);
5094 return testresult;
5095 }
5096
5097 /*
5098 * Test TLSv1.3 PSKs
5099 * Test 0 = Test new style callbacks
5100 * Test 1 = Test both new and old style callbacks
5101 * Test 2 = Test old style callbacks
5102 * Test 3 = Test old style callbacks with no certificate
5103 */
5104 static int test_tls13_psk(int idx)
5105 {
5106 SSL_CTX *sctx = NULL, *cctx = NULL;
5107 SSL *serverssl = NULL, *clientssl = NULL;
5108 const SSL_CIPHER *cipher = NULL;
5109 const unsigned char key[] = {
5110 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5111 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5112 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5113 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5114 };
5115 int testresult = 0;
5116
5117 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5118 TLS_client_method(), TLS1_VERSION, 0,
5119 &sctx, &cctx, idx == 3 ? NULL : cert,
5120 idx == 3 ? NULL : privkey)))
5121 goto end;
5122
5123 if (idx != 3) {
5124 /*
5125 * We use a ciphersuite with SHA256 to ease testing old style PSK
5126 * callbacks which will always default to SHA256. This should not be
5127 * necessary if we have no cert/priv key. In that case the server should
5128 * prefer SHA256 automatically.
5129 */
5130 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5131 "TLS_AES_128_GCM_SHA256")))
5132 goto end;
5133 } else {
5134 /*
5135 * As noted above the server should prefer SHA256 automatically. However
5136 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5137 * code works even if we are testing with only the FIPS provider loaded.
5138 */
5139 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5140 "TLS_AES_256_GCM_SHA384:"
5141 "TLS_AES_128_GCM_SHA256")))
5142 goto end;
5143 }
5144
5145 /*
5146 * Test 0: New style callbacks only
5147 * Test 1: New and old style callbacks (only the new ones should be used)
5148 * Test 2: Old style callbacks only
5149 */
5150 if (idx == 0 || idx == 1) {
5151 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5152 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5153 }
5154 #ifndef OPENSSL_NO_PSK
5155 if (idx >= 1) {
5156 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5157 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5158 }
5159 #endif
5160 srvid = pskid;
5161 use_session_cb_cnt = 0;
5162 find_session_cb_cnt = 0;
5163 psk_client_cb_cnt = 0;
5164 psk_server_cb_cnt = 0;
5165
5166 if (idx != 3) {
5167 /*
5168 * Check we can create a connection if callback decides not to send a
5169 * PSK
5170 */
5171 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5172 NULL, NULL))
5173 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5174 SSL_ERROR_NONE))
5175 || !TEST_false(SSL_session_reused(clientssl))
5176 || !TEST_false(SSL_session_reused(serverssl)))
5177 goto end;
5178
5179 if (idx == 0 || idx == 1) {
5180 if (!TEST_true(use_session_cb_cnt == 1)
5181 || !TEST_true(find_session_cb_cnt == 0)
5182 /*
5183 * If no old style callback then below should be 0
5184 * otherwise 1
5185 */
5186 || !TEST_true(psk_client_cb_cnt == idx)
5187 || !TEST_true(psk_server_cb_cnt == 0))
5188 goto end;
5189 } else {
5190 if (!TEST_true(use_session_cb_cnt == 0)
5191 || !TEST_true(find_session_cb_cnt == 0)
5192 || !TEST_true(psk_client_cb_cnt == 1)
5193 || !TEST_true(psk_server_cb_cnt == 0))
5194 goto end;
5195 }
5196
5197 shutdown_ssl_connection(serverssl, clientssl);
5198 serverssl = clientssl = NULL;
5199 use_session_cb_cnt = psk_client_cb_cnt = 0;
5200 }
5201
5202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5203 NULL, NULL)))
5204 goto end;
5205
5206 /* Create the PSK */
5207 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5208 clientpsk = SSL_SESSION_new();
5209 if (!TEST_ptr(clientpsk)
5210 || !TEST_ptr(cipher)
5211 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5212 sizeof(key)))
5213 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5214 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5215 TLS1_3_VERSION))
5216 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5217 goto end;
5218 serverpsk = clientpsk;
5219
5220 /* Check we can create a connection and the PSK is used */
5221 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5222 || !TEST_true(SSL_session_reused(clientssl))
5223 || !TEST_true(SSL_session_reused(serverssl)))
5224 goto end;
5225
5226 if (idx == 0 || idx == 1) {
5227 if (!TEST_true(use_session_cb_cnt == 1)
5228 || !TEST_true(find_session_cb_cnt == 1)
5229 || !TEST_true(psk_client_cb_cnt == 0)
5230 || !TEST_true(psk_server_cb_cnt == 0))
5231 goto end;
5232 } else {
5233 if (!TEST_true(use_session_cb_cnt == 0)
5234 || !TEST_true(find_session_cb_cnt == 0)
5235 || !TEST_true(psk_client_cb_cnt == 1)
5236 || !TEST_true(psk_server_cb_cnt == 1))
5237 goto end;
5238 }
5239
5240 shutdown_ssl_connection(serverssl, clientssl);
5241 serverssl = clientssl = NULL;
5242 use_session_cb_cnt = find_session_cb_cnt = 0;
5243 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5244
5245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5246 NULL, NULL)))
5247 goto end;
5248
5249 /* Force an HRR */
5250 #if defined(OPENSSL_NO_EC)
5251 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5252 goto end;
5253 #else
5254 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5255 goto end;
5256 #endif
5257
5258 /*
5259 * Check we can create a connection, the PSK is used and the callbacks are
5260 * called twice.
5261 */
5262 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5263 || !TEST_true(SSL_session_reused(clientssl))
5264 || !TEST_true(SSL_session_reused(serverssl)))
5265 goto end;
5266
5267 if (idx == 0 || idx == 1) {
5268 if (!TEST_true(use_session_cb_cnt == 2)
5269 || !TEST_true(find_session_cb_cnt == 2)
5270 || !TEST_true(psk_client_cb_cnt == 0)
5271 || !TEST_true(psk_server_cb_cnt == 0))
5272 goto end;
5273 } else {
5274 if (!TEST_true(use_session_cb_cnt == 0)
5275 || !TEST_true(find_session_cb_cnt == 0)
5276 || !TEST_true(psk_client_cb_cnt == 2)
5277 || !TEST_true(psk_server_cb_cnt == 2))
5278 goto end;
5279 }
5280
5281 shutdown_ssl_connection(serverssl, clientssl);
5282 serverssl = clientssl = NULL;
5283 use_session_cb_cnt = find_session_cb_cnt = 0;
5284 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5285
5286 if (idx != 3) {
5287 /*
5288 * Check that if the server rejects the PSK we can still connect, but with
5289 * a full handshake
5290 */
5291 srvid = "Dummy Identity";
5292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5293 NULL, NULL))
5294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5295 SSL_ERROR_NONE))
5296 || !TEST_false(SSL_session_reused(clientssl))
5297 || !TEST_false(SSL_session_reused(serverssl)))
5298 goto end;
5299
5300 if (idx == 0 || idx == 1) {
5301 if (!TEST_true(use_session_cb_cnt == 1)
5302 || !TEST_true(find_session_cb_cnt == 1)
5303 || !TEST_true(psk_client_cb_cnt == 0)
5304 /*
5305 * If no old style callback then below should be 0
5306 * otherwise 1
5307 */
5308 || !TEST_true(psk_server_cb_cnt == idx))
5309 goto end;
5310 } else {
5311 if (!TEST_true(use_session_cb_cnt == 0)
5312 || !TEST_true(find_session_cb_cnt == 0)
5313 || !TEST_true(psk_client_cb_cnt == 1)
5314 || !TEST_true(psk_server_cb_cnt == 1))
5315 goto end;
5316 }
5317
5318 shutdown_ssl_connection(serverssl, clientssl);
5319 serverssl = clientssl = NULL;
5320 }
5321 testresult = 1;
5322
5323 end:
5324 SSL_SESSION_free(clientpsk);
5325 SSL_SESSION_free(serverpsk);
5326 clientpsk = serverpsk = NULL;
5327 SSL_free(serverssl);
5328 SSL_free(clientssl);
5329 SSL_CTX_free(sctx);
5330 SSL_CTX_free(cctx);
5331 return testresult;
5332 }
5333
5334 static unsigned char cookie_magic_value[] = "cookie magic";
5335
5336 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5337 unsigned int *cookie_len)
5338 {
5339 /*
5340 * Not suitable as a real cookie generation function but good enough for
5341 * testing!
5342 */
5343 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5344 *cookie_len = sizeof(cookie_magic_value) - 1;
5345
5346 return 1;
5347 }
5348
5349 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5350 unsigned int cookie_len)
5351 {
5352 if (cookie_len == sizeof(cookie_magic_value) - 1
5353 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5354 return 1;
5355
5356 return 0;
5357 }
5358
5359 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5360 size_t *cookie_len)
5361 {
5362 unsigned int temp;
5363 int res = generate_cookie_callback(ssl, cookie, &temp);
5364 *cookie_len = temp;
5365 return res;
5366 }
5367
5368 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5369 size_t cookie_len)
5370 {
5371 return verify_cookie_callback(ssl, cookie, cookie_len);
5372 }
5373
5374 static int test_stateless(void)
5375 {
5376 SSL_CTX *sctx = NULL, *cctx = NULL;
5377 SSL *serverssl = NULL, *clientssl = NULL;
5378 int testresult = 0;
5379
5380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5381 TLS_client_method(), TLS1_VERSION, 0,
5382 &sctx, &cctx, cert, privkey)))
5383 goto end;
5384
5385 /* The arrival of CCS messages can confuse the test */
5386 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5387
5388 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5389 NULL, NULL))
5390 /* Send the first ClientHello */
5391 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5392 SSL_ERROR_WANT_READ))
5393 /*
5394 * This should fail with a -1 return because we have no callbacks
5395 * set up
5396 */
5397 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5398 goto end;
5399
5400 /* Fatal error so abandon the connection from this client */
5401 SSL_free(clientssl);
5402 clientssl = NULL;
5403
5404 /* Set up the cookie generation and verification callbacks */
5405 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5406 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5407
5408 /*
5409 * Create a new connection from the client (we can reuse the server SSL
5410 * object).
5411 */
5412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5413 NULL, NULL))
5414 /* Send the first ClientHello */
5415 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5416 SSL_ERROR_WANT_READ))
5417 /* This should fail because there is no cookie */
5418 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5419 goto end;
5420
5421 /* Abandon the connection from this client */
5422 SSL_free(clientssl);
5423 clientssl = NULL;
5424
5425 /*
5426 * Now create a connection from a new client but with the same server SSL
5427 * object
5428 */
5429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5430 NULL, NULL))
5431 /* Send the first ClientHello */
5432 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5433 SSL_ERROR_WANT_READ))
5434 /* This should fail because there is no cookie */
5435 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5436 /* Send the second ClientHello */
5437 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5438 SSL_ERROR_WANT_READ))
5439 /* This should succeed because a cookie is now present */
5440 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5441 /* Complete the connection */
5442 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5443 SSL_ERROR_NONE)))
5444 goto end;
5445
5446 shutdown_ssl_connection(serverssl, clientssl);
5447 serverssl = clientssl = NULL;
5448 testresult = 1;
5449
5450 end:
5451 SSL_free(serverssl);
5452 SSL_free(clientssl);
5453 SSL_CTX_free(sctx);
5454 SSL_CTX_free(cctx);
5455 return testresult;
5456
5457 }
5458 #endif /* OSSL_NO_USABLE_TLS1_3 */
5459
5460 static int clntaddoldcb = 0;
5461 static int clntparseoldcb = 0;
5462 static int srvaddoldcb = 0;
5463 static int srvparseoldcb = 0;
5464 static int clntaddnewcb = 0;
5465 static int clntparsenewcb = 0;
5466 static int srvaddnewcb = 0;
5467 static int srvparsenewcb = 0;
5468 static int snicb = 0;
5469
5470 #define TEST_EXT_TYPE1 0xff00
5471
5472 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5473 size_t *outlen, int *al, void *add_arg)
5474 {
5475 int *server = (int *)add_arg;
5476 unsigned char *data;
5477
5478 if (SSL_is_server(s))
5479 srvaddoldcb++;
5480 else
5481 clntaddoldcb++;
5482
5483 if (*server != SSL_is_server(s)
5484 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5485 return -1;
5486
5487 *data = 1;
5488 *out = data;
5489 *outlen = sizeof(char);
5490 return 1;
5491 }
5492
5493 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5494 void *add_arg)
5495 {
5496 OPENSSL_free((unsigned char *)out);
5497 }
5498
5499 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5500 size_t inlen, int *al, void *parse_arg)
5501 {
5502 int *server = (int *)parse_arg;
5503
5504 if (SSL_is_server(s))
5505 srvparseoldcb++;
5506 else
5507 clntparseoldcb++;
5508
5509 if (*server != SSL_is_server(s)
5510 || inlen != sizeof(char)
5511 || *in != 1)
5512 return -1;
5513
5514 return 1;
5515 }
5516
5517 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5518 const unsigned char **out, size_t *outlen, X509 *x,
5519 size_t chainidx, int *al, void *add_arg)
5520 {
5521 int *server = (int *)add_arg;
5522 unsigned char *data;
5523
5524 if (SSL_is_server(s))
5525 srvaddnewcb++;
5526 else
5527 clntaddnewcb++;
5528
5529 if (*server != SSL_is_server(s)
5530 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5531 return -1;
5532
5533 *data = 1;
5534 *out = data;
5535 *outlen = sizeof(*data);
5536 return 1;
5537 }
5538
5539 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5540 const unsigned char *out, void *add_arg)
5541 {
5542 OPENSSL_free((unsigned char *)out);
5543 }
5544
5545 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5546 const unsigned char *in, size_t inlen, X509 *x,
5547 size_t chainidx, int *al, void *parse_arg)
5548 {
5549 int *server = (int *)parse_arg;
5550
5551 if (SSL_is_server(s))
5552 srvparsenewcb++;
5553 else
5554 clntparsenewcb++;
5555
5556 if (*server != SSL_is_server(s)
5557 || inlen != sizeof(char) || *in != 1)
5558 return -1;
5559
5560 return 1;
5561 }
5562
5563 static int sni_cb(SSL *s, int *al, void *arg)
5564 {
5565 SSL_CTX *ctx = (SSL_CTX *)arg;
5566
5567 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5568 *al = SSL_AD_INTERNAL_ERROR;
5569 return SSL_TLSEXT_ERR_ALERT_FATAL;
5570 }
5571 snicb++;
5572 return SSL_TLSEXT_ERR_OK;
5573 }
5574
5575 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5576 {
5577 return 1;
5578 }
5579
5580 /*
5581 * Custom call back tests.
5582 * Test 0: Old style callbacks in TLSv1.2
5583 * Test 1: New style callbacks in TLSv1.2
5584 * Test 2: New style callbacks in TLSv1.2 with SNI
5585 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5586 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5587 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5588 */
5589 static int test_custom_exts(int tst)
5590 {
5591 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5592 SSL *clientssl = NULL, *serverssl = NULL;
5593 int testresult = 0;
5594 static int server = 1;
5595 static int client = 0;
5596 SSL_SESSION *sess = NULL;
5597 unsigned int context;
5598
5599 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5600 /* Skip tests for TLSv1.2 and below in this case */
5601 if (tst < 3)
5602 return 1;
5603 #endif
5604
5605 /* Reset callback counters */
5606 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5607 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5608 snicb = 0;
5609
5610 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5611 TLS_client_method(), TLS1_VERSION, 0,
5612 &sctx, &cctx, cert, privkey)))
5613 goto end;
5614
5615 if (tst == 2
5616 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5617 TLS1_VERSION, 0,
5618 &sctx2, NULL, cert, privkey)))
5619 goto end;
5620
5621
5622 if (tst < 3) {
5623 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5624 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5625 if (sctx2 != NULL)
5626 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5627 }
5628
5629 if (tst == 5) {
5630 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5631 | SSL_EXT_TLS1_3_CERTIFICATE;
5632 SSL_CTX_set_verify(sctx,
5633 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5634 verify_cb);
5635 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5636 SSL_FILETYPE_PEM), 1)
5637 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5638 SSL_FILETYPE_PEM), 1)
5639 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5640 goto end;
5641 } else if (tst == 4) {
5642 context = SSL_EXT_CLIENT_HELLO
5643 | SSL_EXT_TLS1_2_SERVER_HELLO
5644 | SSL_EXT_TLS1_3_SERVER_HELLO
5645 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5646 | SSL_EXT_TLS1_3_CERTIFICATE
5647 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5648 } else {
5649 context = SSL_EXT_CLIENT_HELLO
5650 | SSL_EXT_TLS1_2_SERVER_HELLO
5651 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5652 }
5653
5654 /* Create a client side custom extension */
5655 if (tst == 0) {
5656 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5657 old_add_cb, old_free_cb,
5658 &client, old_parse_cb,
5659 &client)))
5660 goto end;
5661 } else {
5662 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5663 new_add_cb, new_free_cb,
5664 &client, new_parse_cb, &client)))
5665 goto end;
5666 }
5667
5668 /* Should not be able to add duplicates */
5669 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5670 old_add_cb, old_free_cb,
5671 &client, old_parse_cb,
5672 &client))
5673 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5674 context, new_add_cb,
5675 new_free_cb, &client,
5676 new_parse_cb, &client)))
5677 goto end;
5678
5679 /* Create a server side custom extension */
5680 if (tst == 0) {
5681 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5682 old_add_cb, old_free_cb,
5683 &server, old_parse_cb,
5684 &server)))
5685 goto end;
5686 } else {
5687 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5688 new_add_cb, new_free_cb,
5689 &server, new_parse_cb, &server)))
5690 goto end;
5691 if (sctx2 != NULL
5692 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5693 context, new_add_cb,
5694 new_free_cb, &server,
5695 new_parse_cb, &server)))
5696 goto end;
5697 }
5698
5699 /* Should not be able to add duplicates */
5700 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5701 old_add_cb, old_free_cb,
5702 &server, old_parse_cb,
5703 &server))
5704 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5705 context, new_add_cb,
5706 new_free_cb, &server,
5707 new_parse_cb, &server)))
5708 goto end;
5709
5710 if (tst == 2) {
5711 /* Set up SNI */
5712 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5713 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5714 goto end;
5715 }
5716
5717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5718 &clientssl, NULL, NULL))
5719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5720 SSL_ERROR_NONE)))
5721 goto end;
5722
5723 if (tst == 0) {
5724 if (clntaddoldcb != 1
5725 || clntparseoldcb != 1
5726 || srvaddoldcb != 1
5727 || srvparseoldcb != 1)
5728 goto end;
5729 } else if (tst == 1 || tst == 2 || tst == 3) {
5730 if (clntaddnewcb != 1
5731 || clntparsenewcb != 1
5732 || srvaddnewcb != 1
5733 || srvparsenewcb != 1
5734 || (tst != 2 && snicb != 0)
5735 || (tst == 2 && snicb != 1))
5736 goto end;
5737 } else if (tst == 5) {
5738 if (clntaddnewcb != 1
5739 || clntparsenewcb != 1
5740 || srvaddnewcb != 1
5741 || srvparsenewcb != 1)
5742 goto end;
5743 } else {
5744 /* In this case there 2 NewSessionTicket messages created */
5745 if (clntaddnewcb != 1
5746 || clntparsenewcb != 5
5747 || srvaddnewcb != 5
5748 || srvparsenewcb != 1)
5749 goto end;
5750 }
5751
5752 sess = SSL_get1_session(clientssl);
5753 SSL_shutdown(clientssl);
5754 SSL_shutdown(serverssl);
5755 SSL_free(serverssl);
5756 SSL_free(clientssl);
5757 serverssl = clientssl = NULL;
5758
5759 if (tst == 3 || tst == 5) {
5760 /* We don't bother with the resumption aspects for these tests */
5761 testresult = 1;
5762 goto end;
5763 }
5764
5765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5766 NULL, NULL))
5767 || !TEST_true(SSL_set_session(clientssl, sess))
5768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5769 SSL_ERROR_NONE)))
5770 goto end;
5771
5772 /*
5773 * For a resumed session we expect to add the ClientHello extension. For the
5774 * old style callbacks we ignore it on the server side because they set
5775 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5776 * them.
5777 */
5778 if (tst == 0) {
5779 if (clntaddoldcb != 2
5780 || clntparseoldcb != 1
5781 || srvaddoldcb != 1
5782 || srvparseoldcb != 1)
5783 goto end;
5784 } else if (tst == 1 || tst == 2 || tst == 3) {
5785 if (clntaddnewcb != 2
5786 || clntparsenewcb != 2
5787 || srvaddnewcb != 2
5788 || srvparsenewcb != 2)
5789 goto end;
5790 } else {
5791 /*
5792 * No Certificate message extensions in the resumption handshake,
5793 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5794 */
5795 if (clntaddnewcb != 2
5796 || clntparsenewcb != 8
5797 || srvaddnewcb != 8
5798 || srvparsenewcb != 2)
5799 goto end;
5800 }
5801
5802 testresult = 1;
5803
5804 end:
5805 SSL_SESSION_free(sess);
5806 SSL_free(serverssl);
5807 SSL_free(clientssl);
5808 SSL_CTX_free(sctx2);
5809 SSL_CTX_free(sctx);
5810 SSL_CTX_free(cctx);
5811 return testresult;
5812 }
5813
5814 /*
5815 * Test loading of serverinfo data in various formats. test_sslmessages actually
5816 * tests to make sure the extensions appear in the handshake
5817 */
5818 static int test_serverinfo(int tst)
5819 {
5820 unsigned int version;
5821 unsigned char *sibuf;
5822 size_t sibuflen;
5823 int ret, expected, testresult = 0;
5824 SSL_CTX *ctx;
5825
5826 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5827 if (!TEST_ptr(ctx))
5828 goto end;
5829
5830 if ((tst & 0x01) == 0x01)
5831 version = SSL_SERVERINFOV2;
5832 else
5833 version = SSL_SERVERINFOV1;
5834
5835 if ((tst & 0x02) == 0x02) {
5836 sibuf = serverinfov2;
5837 sibuflen = sizeof(serverinfov2);
5838 expected = (version == SSL_SERVERINFOV2);
5839 } else {
5840 sibuf = serverinfov1;
5841 sibuflen = sizeof(serverinfov1);
5842 expected = (version == SSL_SERVERINFOV1);
5843 }
5844
5845 if ((tst & 0x04) == 0x04) {
5846 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5847 } else {
5848 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5849
5850 /*
5851 * The version variable is irrelevant in this case - it's what is in the
5852 * buffer that matters
5853 */
5854 if ((tst & 0x02) == 0x02)
5855 expected = 0;
5856 else
5857 expected = 1;
5858 }
5859
5860 if (!TEST_true(ret == expected))
5861 goto end;
5862
5863 testresult = 1;
5864
5865 end:
5866 SSL_CTX_free(ctx);
5867
5868 return testresult;
5869 }
5870
5871 /*
5872 * Test that SSL_export_keying_material() produces expected results. There are
5873 * no test vectors so all we do is test that both sides of the communication
5874 * produce the same results for different protocol versions.
5875 */
5876 #define SMALL_LABEL_LEN 10
5877 #define LONG_LABEL_LEN 249
5878 static int test_export_key_mat(int tst)
5879 {
5880 int testresult = 0;
5881 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5882 SSL *clientssl = NULL, *serverssl = NULL;
5883 const char label[LONG_LABEL_LEN + 1] = "test label";
5884 const unsigned char context[] = "context";
5885 const unsigned char *emptycontext = NULL;
5886 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5887 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5888 size_t labellen;
5889 const int protocols[] = {
5890 TLS1_VERSION,
5891 TLS1_1_VERSION,
5892 TLS1_2_VERSION,
5893 TLS1_3_VERSION,
5894 TLS1_3_VERSION,
5895 TLS1_3_VERSION
5896 };
5897
5898 #ifdef OPENSSL_NO_TLS1
5899 if (tst == 0)
5900 return 1;
5901 #endif
5902 #ifdef OPENSSL_NO_TLS1_1
5903 if (tst == 1)
5904 return 1;
5905 #endif
5906 if (is_fips && (tst == 0 || tst == 1))
5907 return 1;
5908 #ifdef OPENSSL_NO_TLS1_2
5909 if (tst == 2)
5910 return 1;
5911 #endif
5912 #ifdef OSSL_NO_USABLE_TLS1_3
5913 if (tst >= 3)
5914 return 1;
5915 #endif
5916 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5917 TLS_client_method(), TLS1_VERSION, 0,
5918 &sctx, &cctx, cert, privkey)))
5919 goto end;
5920
5921 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5922 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5923 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5924 if ((protocols[tst] < TLS1_2_VERSION) &&
5925 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5926 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5927 goto end;
5928
5929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5930 NULL)))
5931 goto end;
5932
5933 /*
5934 * Premature call of SSL_export_keying_material should just fail.
5935 */
5936 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5937 sizeof(ckeymat1), label,
5938 SMALL_LABEL_LEN + 1, context,
5939 sizeof(context) - 1, 1), 0))
5940 goto end;
5941
5942 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5943 SSL_ERROR_NONE)))
5944 goto end;
5945
5946 if (tst == 5) {
5947 /*
5948 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5949 * go over that.
5950 */
5951 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5952 sizeof(ckeymat1), label,
5953 LONG_LABEL_LEN + 1, context,
5954 sizeof(context) - 1, 1), 0))
5955 goto end;
5956
5957 testresult = 1;
5958 goto end;
5959 } else if (tst == 4) {
5960 labellen = LONG_LABEL_LEN;
5961 } else {
5962 labellen = SMALL_LABEL_LEN;
5963 }
5964
5965 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5966 sizeof(ckeymat1), label,
5967 labellen, context,
5968 sizeof(context) - 1, 1), 1)
5969 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5970 sizeof(ckeymat2), label,
5971 labellen,
5972 emptycontext,
5973 0, 1), 1)
5974 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5975 sizeof(ckeymat3), label,
5976 labellen,
5977 NULL, 0, 0), 1)
5978 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5979 sizeof(skeymat1), label,
5980 labellen,
5981 context,
5982 sizeof(context) -1, 1),
5983 1)
5984 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5985 sizeof(skeymat2), label,
5986 labellen,
5987 emptycontext,
5988 0, 1), 1)
5989 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5990 sizeof(skeymat3), label,
5991 labellen,
5992 NULL, 0, 0), 1)
5993 /*
5994 * Check that both sides created the same key material with the
5995 * same context.
5996 */
5997 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5998 sizeof(skeymat1))
5999 /*
6000 * Check that both sides created the same key material with an
6001 * empty context.
6002 */
6003 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6004 sizeof(skeymat2))
6005 /*
6006 * Check that both sides created the same key material without a
6007 * context.
6008 */
6009 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6010 sizeof(skeymat3))
6011 /* Different contexts should produce different results */
6012 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6013 sizeof(ckeymat2)))
6014 goto end;
6015
6016 /*
6017 * Check that an empty context and no context produce different results in
6018 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6019 */
6020 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6021 sizeof(ckeymat3)))
6022 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6023 sizeof(ckeymat3))))
6024 goto end;
6025
6026 testresult = 1;
6027
6028 end:
6029 SSL_free(serverssl);
6030 SSL_free(clientssl);
6031 SSL_CTX_free(sctx2);
6032 SSL_CTX_free(sctx);
6033 SSL_CTX_free(cctx);
6034
6035 return testresult;
6036 }
6037
6038 #ifndef OSSL_NO_USABLE_TLS1_3
6039 /*
6040 * Test that SSL_export_keying_material_early() produces expected
6041 * results. There are no test vectors so all we do is test that both
6042 * sides of the communication produce the same results for different
6043 * protocol versions.
6044 */
6045 static int test_export_key_mat_early(int idx)
6046 {
6047 static const char label[] = "test label";
6048 static const unsigned char context[] = "context";
6049 int testresult = 0;
6050 SSL_CTX *cctx = NULL, *sctx = NULL;
6051 SSL *clientssl = NULL, *serverssl = NULL;
6052 SSL_SESSION *sess = NULL;
6053 const unsigned char *emptycontext = NULL;
6054 unsigned char ckeymat1[80], ckeymat2[80];
6055 unsigned char skeymat1[80], skeymat2[80];
6056 unsigned char buf[1];
6057 size_t readbytes, written;
6058
6059 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6060 &sess, idx)))
6061 goto end;
6062
6063 /* Here writing 0 length early data is enough. */
6064 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6065 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6066 &readbytes),
6067 SSL_READ_EARLY_DATA_ERROR)
6068 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6069 SSL_EARLY_DATA_ACCEPTED))
6070 goto end;
6071
6072 if (!TEST_int_eq(SSL_export_keying_material_early(
6073 clientssl, ckeymat1, sizeof(ckeymat1), label,
6074 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6075 || !TEST_int_eq(SSL_export_keying_material_early(
6076 clientssl, ckeymat2, sizeof(ckeymat2), label,
6077 sizeof(label) - 1, emptycontext, 0), 1)
6078 || !TEST_int_eq(SSL_export_keying_material_early(
6079 serverssl, skeymat1, sizeof(skeymat1), label,
6080 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6081 || !TEST_int_eq(SSL_export_keying_material_early(
6082 serverssl, skeymat2, sizeof(skeymat2), label,
6083 sizeof(label) - 1, emptycontext, 0), 1)
6084 /*
6085 * Check that both sides created the same key material with the
6086 * same context.
6087 */
6088 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6089 sizeof(skeymat1))
6090 /*
6091 * Check that both sides created the same key material with an
6092 * empty context.
6093 */
6094 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6095 sizeof(skeymat2))
6096 /* Different contexts should produce different results */
6097 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6098 sizeof(ckeymat2)))
6099 goto end;
6100
6101 testresult = 1;
6102
6103 end:
6104 SSL_SESSION_free(sess);
6105 SSL_SESSION_free(clientpsk);
6106 SSL_SESSION_free(serverpsk);
6107 clientpsk = serverpsk = NULL;
6108 SSL_free(serverssl);
6109 SSL_free(clientssl);
6110 SSL_CTX_free(sctx);
6111 SSL_CTX_free(cctx);
6112
6113 return testresult;
6114 }
6115
6116 #define NUM_KEY_UPDATE_MESSAGES 40
6117 /*
6118 * Test KeyUpdate.
6119 */
6120 static int test_key_update(void)
6121 {
6122 SSL_CTX *cctx = NULL, *sctx = NULL;
6123 SSL *clientssl = NULL, *serverssl = NULL;
6124 int testresult = 0, i, j;
6125 char buf[20];
6126 static char *mess = "A test message";
6127
6128 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6129 TLS_client_method(),
6130 TLS1_3_VERSION,
6131 0,
6132 &sctx, &cctx, cert, privkey))
6133 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6134 NULL, NULL))
6135 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6136 SSL_ERROR_NONE)))
6137 goto end;
6138
6139 for (j = 0; j < 2; j++) {
6140 /* Send lots of KeyUpdate messages */
6141 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6142 if (!TEST_true(SSL_key_update(clientssl,
6143 (j == 0)
6144 ? SSL_KEY_UPDATE_NOT_REQUESTED
6145 : SSL_KEY_UPDATE_REQUESTED))
6146 || !TEST_true(SSL_do_handshake(clientssl)))
6147 goto end;
6148 }
6149
6150 /* Check that sending and receiving app data is ok */
6151 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6152 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6153 strlen(mess)))
6154 goto end;
6155
6156 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6157 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6158 strlen(mess)))
6159 goto end;
6160 }
6161
6162 testresult = 1;
6163
6164 end:
6165 SSL_free(serverssl);
6166 SSL_free(clientssl);
6167 SSL_CTX_free(sctx);
6168 SSL_CTX_free(cctx);
6169
6170 return testresult;
6171 }
6172
6173 /*
6174 * Test we can handle a KeyUpdate (update requested) message while
6175 * write data is pending in peer.
6176 * Test 0: Client sends KeyUpdate while Server is writing
6177 * Test 1: Server sends KeyUpdate while Client is writing
6178 */
6179 static int test_key_update_peer_in_write(int tst)
6180 {
6181 SSL_CTX *cctx = NULL, *sctx = NULL;
6182 SSL *clientssl = NULL, *serverssl = NULL;
6183 int testresult = 0;
6184 char buf[20];
6185 static char *mess = "A test message";
6186 BIO *bretry = BIO_new(bio_s_always_retry());
6187 BIO *tmp = NULL;
6188 SSL *peerupdate = NULL, *peerwrite = NULL;
6189
6190 if (!TEST_ptr(bretry)
6191 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6192 TLS_client_method(),
6193 TLS1_3_VERSION,
6194 0,
6195 &sctx, &cctx, cert, privkey))
6196 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6197 NULL, NULL))
6198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6199 SSL_ERROR_NONE)))
6200 goto end;
6201
6202 peerupdate = tst == 0 ? clientssl : serverssl;
6203 peerwrite = tst == 0 ? serverssl : clientssl;
6204
6205 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6206 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6207 goto end;
6208
6209 /* Swap the writing endpoint's write BIO to force a retry */
6210 tmp = SSL_get_wbio(peerwrite);
6211 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6212 tmp = NULL;
6213 goto end;
6214 }
6215 SSL_set0_wbio(peerwrite, bretry);
6216 bretry = NULL;
6217
6218 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6219 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6220 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6221 goto end;
6222
6223 /* Reinstate the original writing endpoint's write BIO */
6224 SSL_set0_wbio(peerwrite, tmp);
6225 tmp = NULL;
6226
6227 /* Now read some data - we will read the key update */
6228 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6229 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6230 goto end;
6231
6232 /*
6233 * Complete the write we started previously and read it from the other
6234 * endpoint
6235 */
6236 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6237 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6238 goto end;
6239
6240 /* Write more data to ensure we send the KeyUpdate message back */
6241 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6242 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6243 goto end;
6244
6245 testresult = 1;
6246
6247 end:
6248 SSL_free(serverssl);
6249 SSL_free(clientssl);
6250 SSL_CTX_free(sctx);
6251 SSL_CTX_free(cctx);
6252 BIO_free(bretry);
6253 BIO_free(tmp);
6254
6255 return testresult;
6256 }
6257
6258 /*
6259 * Test we can handle a KeyUpdate (update requested) message while
6260 * peer read data is pending after peer accepted keyupdate(the msg header
6261 * had been read 5 bytes).
6262 * Test 0: Client sends KeyUpdate while Server is reading
6263 * Test 1: Server sends KeyUpdate while Client is reading
6264 */
6265 static int test_key_update_peer_in_read(int tst)
6266 {
6267 SSL_CTX *cctx = NULL, *sctx = NULL;
6268 SSL *clientssl = NULL, *serverssl = NULL;
6269 int testresult = 0;
6270 char prbuf[515], lwbuf[515] = {0};
6271 static char *mess = "A test message";
6272 BIO *lbio = NULL, *pbio = NULL;
6273 SSL *local = NULL, *peer = NULL;
6274
6275 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6276 TLS_client_method(),
6277 TLS1_3_VERSION,
6278 0,
6279 &sctx, &cctx, cert, privkey))
6280 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6281 NULL, NULL))
6282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6283 SSL_ERROR_NONE)))
6284 goto end;
6285
6286 local = tst == 0 ? clientssl : serverssl;
6287 peer = tst == 0 ? serverssl : clientssl;
6288
6289 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6290 goto end;
6291
6292 SSL_set_bio(local, lbio, lbio);
6293 SSL_set_bio(peer, pbio, pbio);
6294
6295 /*
6296 * we first write keyupdate msg then appdata in local
6297 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6298 * lwbuf app data msg size + key updata msg size > 512(the size of
6299 * the bio pair buffer)
6300 */
6301 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6302 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6303 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6304 goto end;
6305
6306 /*
6307 * first read keyupdate msg in peer in peer
6308 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6309 */
6310 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6311 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6312 goto end;
6313
6314 /* Now write some data in peer - we will write the key update */
6315 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6316 goto end;
6317
6318 /*
6319 * write data in local previously that we will complete
6320 * read data in peer previously that we will complete
6321 */
6322 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6323 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6324 goto end;
6325
6326 /* check that sending and receiving appdata ok */
6327 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6328 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6329 goto end;
6330
6331 testresult = 1;
6332
6333 end:
6334 SSL_free(serverssl);
6335 SSL_free(clientssl);
6336 SSL_CTX_free(sctx);
6337 SSL_CTX_free(cctx);
6338
6339 return testresult;
6340 }
6341
6342 /*
6343 * Test we can't send a KeyUpdate (update requested) message while
6344 * local write data is pending.
6345 * Test 0: Client sends KeyUpdate while Client is writing
6346 * Test 1: Server sends KeyUpdate while Server is writing
6347 */
6348 static int test_key_update_local_in_write(int tst)
6349 {
6350 SSL_CTX *cctx = NULL, *sctx = NULL;
6351 SSL *clientssl = NULL, *serverssl = NULL;
6352 int testresult = 0;
6353 char buf[20];
6354 static char *mess = "A test message";
6355 BIO *bretry = BIO_new(bio_s_always_retry());
6356 BIO *tmp = NULL;
6357 SSL *local = NULL, *peer = NULL;
6358
6359 if (!TEST_ptr(bretry)
6360 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6361 TLS_client_method(),
6362 TLS1_3_VERSION,
6363 0,
6364 &sctx, &cctx, cert, privkey))
6365 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6366 NULL, NULL))
6367 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6368 SSL_ERROR_NONE)))
6369 goto end;
6370
6371 local = tst == 0 ? clientssl : serverssl;
6372 peer = tst == 0 ? serverssl : clientssl;
6373
6374 /* Swap the writing endpoint's write BIO to force a retry */
6375 tmp = SSL_get_wbio(local);
6376 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6377 tmp = NULL;
6378 goto end;
6379 }
6380 SSL_set0_wbio(local, bretry);
6381 bretry = NULL;
6382
6383 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6384 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6385 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6386 goto end;
6387
6388 /* Reinstate the original writing endpoint's write BIO */
6389 SSL_set0_wbio(local, tmp);
6390 tmp = NULL;
6391
6392 /* SSL_key_update will fail, because writing in local*/
6393 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6394 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6395 goto end;
6396
6397 ERR_clear_error();
6398 /* write data in local previously that we will complete */
6399 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6400 goto end;
6401
6402 /* SSL_key_update will succeed because there is no pending write data */
6403 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6404 || !TEST_int_eq(SSL_do_handshake(local), 1))
6405 goto end;
6406
6407 /*
6408 * we write some appdata in local
6409 * read data in peer - we will read the keyupdate msg
6410 */
6411 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6412 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6413 goto end;
6414
6415 /* Write more peer more data to ensure we send the keyupdate message back */
6416 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6417 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6418 goto end;
6419
6420 testresult = 1;
6421
6422 end:
6423 SSL_free(serverssl);
6424 SSL_free(clientssl);
6425 SSL_CTX_free(sctx);
6426 SSL_CTX_free(cctx);
6427 BIO_free(bretry);
6428 BIO_free(tmp);
6429
6430 return testresult;
6431 }
6432
6433 /*
6434 * Test we can handle a KeyUpdate (update requested) message while
6435 * local read data is pending(the msg header had been read 5 bytes).
6436 * Test 0: Client sends KeyUpdate while Client is reading
6437 * Test 1: Server sends KeyUpdate while Server is reading
6438 */
6439 static int test_key_update_local_in_read(int tst)
6440 {
6441 SSL_CTX *cctx = NULL, *sctx = NULL;
6442 SSL *clientssl = NULL, *serverssl = NULL;
6443 int testresult = 0;
6444 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6445 static char *mess = "A test message";
6446 BIO *lbio = NULL, *pbio = NULL;
6447 SSL *local = NULL, *peer = NULL;
6448
6449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6450 TLS_client_method(),
6451 TLS1_3_VERSION,
6452 0,
6453 &sctx, &cctx, cert, privkey))
6454 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6455 NULL, NULL))
6456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6457 SSL_ERROR_NONE)))
6458 goto end;
6459
6460 local = tst == 0 ? clientssl : serverssl;
6461 peer = tst == 0 ? serverssl : clientssl;
6462
6463 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6464 goto end;
6465
6466 SSL_set_bio(local, lbio, lbio);
6467 SSL_set_bio(peer, pbio, pbio);
6468
6469 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6470 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6471 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6472 goto end;
6473
6474 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6475 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6476 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6477 goto end;
6478
6479 /* SSL_do_handshake will send keyupdate msg */
6480 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6481 || !TEST_int_eq(SSL_do_handshake(local), 1))
6482 goto end;
6483
6484 /*
6485 * write data in peer previously that we will complete
6486 * read data in local previously that we will complete
6487 */
6488 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6489 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6490 goto end;
6491
6492 /*
6493 * write data in local
6494 * read data in peer - we will read the key update
6495 */
6496 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6497 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6498 goto end;
6499
6500 /* Write more peer data to ensure we send the keyupdate message back */
6501 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6502 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6503 goto end;
6504
6505 testresult = 1;
6506
6507 end:
6508 SSL_free(serverssl);
6509 SSL_free(clientssl);
6510 SSL_CTX_free(sctx);
6511 SSL_CTX_free(cctx);
6512
6513 return testresult;
6514 }
6515 #endif /* OSSL_NO_USABLE_TLS1_3 */
6516
6517 static int test_ssl_clear(int idx)
6518 {
6519 SSL_CTX *cctx = NULL, *sctx = NULL;
6520 SSL *clientssl = NULL, *serverssl = NULL;
6521 int testresult = 0;
6522
6523 #ifdef OPENSSL_NO_TLS1_2
6524 if (idx == 1)
6525 return 1;
6526 #endif
6527
6528 /* Create an initial connection */
6529 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6530 TLS_client_method(), TLS1_VERSION, 0,
6531 &sctx, &cctx, cert, privkey))
6532 || (idx == 1
6533 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6534 TLS1_2_VERSION)))
6535 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6536 &clientssl, NULL, NULL))
6537 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6538 SSL_ERROR_NONE)))
6539 goto end;
6540
6541 SSL_shutdown(clientssl);
6542 SSL_shutdown(serverssl);
6543 SSL_free(serverssl);
6544 serverssl = NULL;
6545
6546 /* Clear clientssl - we're going to reuse the object */
6547 if (!TEST_true(SSL_clear(clientssl)))
6548 goto end;
6549
6550 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6551 NULL, NULL))
6552 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6553 SSL_ERROR_NONE))
6554 || !TEST_true(SSL_session_reused(clientssl)))
6555 goto end;
6556
6557 SSL_shutdown(clientssl);
6558 SSL_shutdown(serverssl);
6559
6560 testresult = 1;
6561
6562 end:
6563 SSL_free(serverssl);
6564 SSL_free(clientssl);
6565 SSL_CTX_free(sctx);
6566 SSL_CTX_free(cctx);
6567
6568 return testresult;
6569 }
6570
6571 /* Parse CH and retrieve any MFL extension value if present */
6572 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6573 {
6574 long len;
6575 unsigned char *data;
6576 PACKET pkt, pkt2, pkt3;
6577 unsigned int MFL_code = 0, type = 0;
6578
6579 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6580 goto end;
6581
6582 memset(&pkt, 0, sizeof(pkt));
6583 memset(&pkt2, 0, sizeof(pkt2));
6584 memset(&pkt3, 0, sizeof(pkt3));
6585
6586 if (!TEST_long_gt(len, 0)
6587 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6588 /* Skip the record header */
6589 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6590 /* Skip the handshake message header */
6591 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6592 /* Skip client version and random */
6593 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6594 + SSL3_RANDOM_SIZE))
6595 /* Skip session id */
6596 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6597 /* Skip ciphers */
6598 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6599 /* Skip compression */
6600 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6601 /* Extensions len */
6602 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6603 goto end;
6604
6605 /* Loop through all extensions */
6606 while (PACKET_remaining(&pkt2)) {
6607 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6608 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6609 goto end;
6610
6611 if (type == TLSEXT_TYPE_max_fragment_length) {
6612 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6613 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6614 goto end;
6615
6616 *mfl_codemfl_code = MFL_code;
6617 return 1;
6618 }
6619 }
6620
6621 end:
6622 return 0;
6623 }
6624
6625 /* Maximum-Fragment-Length TLS extension mode to test */
6626 static const unsigned char max_fragment_len_test[] = {
6627 TLSEXT_max_fragment_length_512,
6628 TLSEXT_max_fragment_length_1024,
6629 TLSEXT_max_fragment_length_2048,
6630 TLSEXT_max_fragment_length_4096
6631 };
6632
6633 static int test_max_fragment_len_ext(int idx_tst)
6634 {
6635 SSL_CTX *ctx = NULL;
6636 SSL *con = NULL;
6637 int testresult = 0, MFL_mode = 0;
6638 BIO *rbio, *wbio;
6639
6640 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6641 TLS1_VERSION, 0, NULL, &ctx, NULL,
6642 NULL)))
6643 return 0;
6644
6645 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6646 ctx, max_fragment_len_test[idx_tst])))
6647 goto end;
6648
6649 con = SSL_new(ctx);
6650 if (!TEST_ptr(con))
6651 goto end;
6652
6653 rbio = BIO_new(BIO_s_mem());
6654 wbio = BIO_new(BIO_s_mem());
6655 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6656 BIO_free(rbio);
6657 BIO_free(wbio);
6658 goto end;
6659 }
6660
6661 SSL_set_bio(con, rbio, wbio);
6662
6663 if (!TEST_int_le(SSL_connect(con), 0)) {
6664 /* This shouldn't succeed because we don't have a server! */
6665 goto end;
6666 }
6667
6668 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6669 /* no MFL in client hello */
6670 goto end;
6671 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6672 goto end;
6673
6674 testresult = 1;
6675
6676 end:
6677 SSL_free(con);
6678 SSL_CTX_free(ctx);
6679
6680 return testresult;
6681 }
6682
6683 #ifndef OSSL_NO_USABLE_TLS1_3
6684 static int test_pha_key_update(void)
6685 {
6686 SSL_CTX *cctx = NULL, *sctx = NULL;
6687 SSL *clientssl = NULL, *serverssl = NULL;
6688 int testresult = 0;
6689
6690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6691 TLS_client_method(), TLS1_VERSION, 0,
6692 &sctx, &cctx, cert, privkey)))
6693 return 0;
6694
6695 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6696 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6697 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6698 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6699 goto end;
6700
6701 SSL_CTX_set_post_handshake_auth(cctx, 1);
6702
6703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6704 NULL, NULL)))
6705 goto end;
6706
6707 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6708 SSL_ERROR_NONE)))
6709 goto end;
6710
6711 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6712 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6713 goto end;
6714
6715 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6716 goto end;
6717
6718 /* Start handshake on the server */
6719 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6720 goto end;
6721
6722 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6723 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6724 SSL_ERROR_NONE)))
6725 goto end;
6726
6727 SSL_shutdown(clientssl);
6728 SSL_shutdown(serverssl);
6729
6730 testresult = 1;
6731
6732 end:
6733 SSL_free(serverssl);
6734 SSL_free(clientssl);
6735 SSL_CTX_free(sctx);
6736 SSL_CTX_free(cctx);
6737 return testresult;
6738 }
6739 #endif
6740
6741 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6742
6743 static SRP_VBASE *vbase = NULL;
6744
6745 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6746 {
6747 int ret = SSL3_AL_FATAL;
6748 char *username;
6749 SRP_user_pwd *user = NULL;
6750
6751 username = SSL_get_srp_username(s);
6752 if (username == NULL) {
6753 *ad = SSL_AD_INTERNAL_ERROR;
6754 goto err;
6755 }
6756
6757 user = SRP_VBASE_get1_by_user(vbase, username);
6758 if (user == NULL) {
6759 *ad = SSL_AD_INTERNAL_ERROR;
6760 goto err;
6761 }
6762
6763 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6764 user->info) <= 0) {
6765 *ad = SSL_AD_INTERNAL_ERROR;
6766 goto err;
6767 }
6768
6769 ret = 0;
6770
6771 err:
6772 SRP_user_pwd_free(user);
6773 return ret;
6774 }
6775
6776 static int create_new_vfile(char *userid, char *password, const char *filename)
6777 {
6778 char *gNid = NULL;
6779 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6780 TXT_DB *db = NULL;
6781 int ret = 0;
6782 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6783 size_t i;
6784
6785 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6786 goto end;
6787
6788 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6789 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6790 if (!TEST_ptr(gNid))
6791 goto end;
6792
6793 /*
6794 * The only way to create an empty TXT_DB is to provide a BIO with no data
6795 * in it!
6796 */
6797 db = TXT_DB_read(dummy, DB_NUMBER);
6798 if (!TEST_ptr(db))
6799 goto end;
6800
6801 out = BIO_new_file(filename, "w");
6802 if (!TEST_ptr(out))
6803 goto end;
6804
6805 row[DB_srpid] = OPENSSL_strdup(userid);
6806 row[DB_srptype] = OPENSSL_strdup("V");
6807 row[DB_srpgN] = OPENSSL_strdup(gNid);
6808
6809 if (!TEST_ptr(row[DB_srpid])
6810 || !TEST_ptr(row[DB_srptype])
6811 || !TEST_ptr(row[DB_srpgN])
6812 || !TEST_true(TXT_DB_insert(db, row)))
6813 goto end;
6814
6815 row = NULL;
6816
6817 if (TXT_DB_write(out, db) <= 0)
6818 goto end;
6819
6820 ret = 1;
6821 end:
6822 if (row != NULL) {
6823 for (i = 0; i < DB_NUMBER; i++)
6824 OPENSSL_free(row[i]);
6825 }
6826 OPENSSL_free(row);
6827 BIO_free(dummy);
6828 BIO_free(out);
6829 TXT_DB_free(db);
6830
6831 return ret;
6832 }
6833
6834 static int create_new_vbase(char *userid, char *password)
6835 {
6836 BIGNUM *verifier = NULL, *salt = NULL;
6837 const SRP_gN *lgN = NULL;
6838 SRP_user_pwd *user_pwd = NULL;
6839 int ret = 0;
6840
6841 lgN = SRP_get_default_gN(NULL);
6842 if (!TEST_ptr(lgN))
6843 goto end;
6844
6845 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6846 lgN->N, lgN->g, libctx, NULL)))
6847 goto end;
6848
6849 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6850 if (!TEST_ptr(user_pwd))
6851 goto end;
6852
6853 user_pwd->N = lgN->N;
6854 user_pwd->g = lgN->g;
6855 user_pwd->id = OPENSSL_strdup(userid);
6856 if (!TEST_ptr(user_pwd->id))
6857 goto end;
6858
6859 user_pwd->v = verifier;
6860 user_pwd->s = salt;
6861 verifier = salt = NULL;
6862
6863 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6864 goto end;
6865 user_pwd = NULL;
6866
6867 ret = 1;
6868 end:
6869 SRP_user_pwd_free(user_pwd);
6870 BN_free(salt);
6871 BN_free(verifier);
6872
6873 return ret;
6874 }
6875
6876 /*
6877 * SRP tests
6878 *
6879 * Test 0: Simple successful SRP connection, new vbase
6880 * Test 1: Connection failure due to bad password, new vbase
6881 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6882 * Test 3: Connection failure due to bad password, vbase loaded from existing
6883 * file
6884 * Test 4: Simple successful SRP connection, vbase loaded from new file
6885 * Test 5: Connection failure due to bad password, vbase loaded from new file
6886 */
6887 static int test_srp(int tst)
6888 {
6889 char *userid = "test", *password = "password", *tstsrpfile;
6890 SSL_CTX *cctx = NULL, *sctx = NULL;
6891 SSL *clientssl = NULL, *serverssl = NULL;
6892 int ret, testresult = 0;
6893
6894 vbase = SRP_VBASE_new(NULL);
6895 if (!TEST_ptr(vbase))
6896 goto end;
6897
6898 if (tst == 0 || tst == 1) {
6899 if (!TEST_true(create_new_vbase(userid, password)))
6900 goto end;
6901 } else {
6902 if (tst == 4 || tst == 5) {
6903 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6904 goto end;
6905 tstsrpfile = tmpfilename;
6906 } else {
6907 tstsrpfile = srpvfile;
6908 }
6909 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6910 goto end;
6911 }
6912
6913 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6914 TLS_client_method(), TLS1_VERSION, 0,
6915 &sctx, &cctx, cert, privkey)))
6916 goto end;
6917
6918 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6919 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6920 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6921 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6922 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6923 goto end;
6924
6925 if (tst % 2 == 1) {
6926 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6927 goto end;
6928 } else {
6929 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6930 goto end;
6931 }
6932
6933 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6934 NULL, NULL)))
6935 goto end;
6936
6937 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6938 if (ret) {
6939 if (!TEST_true(tst % 2 == 0))
6940 goto end;
6941 } else {
6942 if (!TEST_true(tst % 2 == 1))
6943 goto end;
6944 }
6945
6946 testresult = 1;
6947
6948 end:
6949 SRP_VBASE_free(vbase);
6950 vbase = NULL;
6951 SSL_free(serverssl);
6952 SSL_free(clientssl);
6953 SSL_CTX_free(sctx);
6954 SSL_CTX_free(cctx);
6955
6956 return testresult;
6957 }
6958 #endif
6959
6960 static int info_cb_failed = 0;
6961 static int info_cb_offset = 0;
6962 static int info_cb_this_state = -1;
6963
6964 static struct info_cb_states_st {
6965 int where;
6966 const char *statestr;
6967 } info_cb_states[][60] = {
6968 {
6969 /* TLSv1.2 server followed by resumption */
6970 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6971 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6972 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6973 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6974 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6975 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6976 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6977 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6978 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6979 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6980 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6981 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6982 {SSL_CB_EXIT, NULL}, {0, NULL},
6983 }, {
6984 /* TLSv1.2 client followed by resumption */
6985 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6986 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6987 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6988 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6989 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6990 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6991 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6992 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6993 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6994 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6995 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6996 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6997 }, {
6998 /* TLSv1.3 server followed by resumption */
6999 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7000 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7001 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7002 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7003 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7004 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7005 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7006 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7007 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7008 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7009 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7010 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7011 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7012 }, {
7013 /* TLSv1.3 client followed by resumption */
7014 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7015 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7016 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7017 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7018 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7019 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7020 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7021 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7022 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7023 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7024 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7025 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7026 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7027 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7028 {SSL_CB_EXIT, NULL}, {0, NULL},
7029 }, {
7030 /* TLSv1.3 server, early_data */
7031 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7032 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7033 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7034 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7035 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7036 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7037 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7038 {SSL_CB_EXIT, NULL}, {0, NULL},
7039 }, {
7040 /* TLSv1.3 client, early_data */
7041 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7042 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7043 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7044 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7045 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7046 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7047 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7048 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7049 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7050 }, {
7051 {0, NULL},
7052 }
7053 };
7054
7055 static void sslapi_info_callback(const SSL *s, int where, int ret)
7056 {
7057 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7058
7059 /* We do not ever expect a connection to fail in this test */
7060 if (!TEST_false(ret == 0)) {
7061 info_cb_failed = 1;
7062 return;
7063 }
7064
7065 /*
7066 * Do some sanity checks. We never expect these things to happen in this
7067 * test
7068 */
7069 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7070 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7071 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7072 info_cb_failed = 1;
7073 return;
7074 }
7075
7076 /* Now check we're in the right state */
7077 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7078 info_cb_failed = 1;
7079 return;
7080 }
7081 if ((where & SSL_CB_LOOP) != 0
7082 && !TEST_int_eq(strcmp(SSL_state_string(s),
7083 state[info_cb_this_state].statestr), 0)) {
7084 info_cb_failed = 1;
7085 return;
7086 }
7087
7088 /*
7089 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7090 */
7091 if ((where & SSL_CB_HANDSHAKE_DONE)
7092 && SSL_in_init((SSL *)s) != 0) {
7093 info_cb_failed = 1;
7094 return;
7095 }
7096 }
7097
7098 /*
7099 * Test the info callback gets called when we expect it to.
7100 *
7101 * Test 0: TLSv1.2, server
7102 * Test 1: TLSv1.2, client
7103 * Test 2: TLSv1.3, server
7104 * Test 3: TLSv1.3, client
7105 * Test 4: TLSv1.3, server, early_data
7106 * Test 5: TLSv1.3, client, early_data
7107 */
7108 static int test_info_callback(int tst)
7109 {
7110 SSL_CTX *cctx = NULL, *sctx = NULL;
7111 SSL *clientssl = NULL, *serverssl = NULL;
7112 SSL_SESSION *clntsess = NULL;
7113 int testresult = 0;
7114 int tlsvers;
7115
7116 if (tst < 2) {
7117 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7118 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7119 || !defined(OPENSSL_NO_DH))
7120 tlsvers = TLS1_2_VERSION;
7121 #else
7122 return 1;
7123 #endif
7124 } else {
7125 #ifndef OSSL_NO_USABLE_TLS1_3
7126 tlsvers = TLS1_3_VERSION;
7127 #else
7128 return 1;
7129 #endif
7130 }
7131
7132 /* Reset globals */
7133 info_cb_failed = 0;
7134 info_cb_this_state = -1;
7135 info_cb_offset = tst;
7136
7137 #ifndef OSSL_NO_USABLE_TLS1_3
7138 if (tst >= 4) {
7139 SSL_SESSION *sess = NULL;
7140 size_t written, readbytes;
7141 unsigned char buf[80];
7142
7143 /* early_data tests */
7144 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7145 &serverssl, &sess, 0)))
7146 goto end;
7147
7148 /* We don't actually need this reference */
7149 SSL_SESSION_free(sess);
7150
7151 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7152 sslapi_info_callback);
7153
7154 /* Write and read some early data and then complete the connection */
7155 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7156 &written))
7157 || !TEST_size_t_eq(written, strlen(MSG1))
7158 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7159 sizeof(buf), &readbytes),
7160 SSL_READ_EARLY_DATA_SUCCESS)
7161 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7162 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7163 SSL_EARLY_DATA_ACCEPTED)
7164 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7165 SSL_ERROR_NONE))
7166 || !TEST_false(info_cb_failed))
7167 goto end;
7168
7169 testresult = 1;
7170 goto end;
7171 }
7172 #endif
7173
7174 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7175 TLS_client_method(),
7176 tlsvers, tlsvers, &sctx, &cctx, cert,
7177 privkey)))
7178 goto end;
7179
7180 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7181 goto end;
7182
7183 /*
7184 * For even numbered tests we check the server callbacks. For odd numbers we
7185 * check the client.
7186 */
7187 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7188 sslapi_info_callback);
7189
7190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7191 &clientssl, NULL, NULL))
7192 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7193 SSL_ERROR_NONE))
7194 || !TEST_false(info_cb_failed))
7195 goto end;
7196
7197
7198
7199 clntsess = SSL_get1_session(clientssl);
7200 SSL_shutdown(clientssl);
7201 SSL_shutdown(serverssl);
7202 SSL_free(serverssl);
7203 SSL_free(clientssl);
7204 serverssl = clientssl = NULL;
7205
7206 /* Now do a resumption */
7207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7208 NULL))
7209 || !TEST_true(SSL_set_session(clientssl, clntsess))
7210 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7211 SSL_ERROR_NONE))
7212 || !TEST_true(SSL_session_reused(clientssl))
7213 || !TEST_false(info_cb_failed))
7214 goto end;
7215
7216 testresult = 1;
7217
7218 end:
7219 SSL_free(serverssl);
7220 SSL_free(clientssl);
7221 SSL_SESSION_free(clntsess);
7222 SSL_CTX_free(sctx);
7223 SSL_CTX_free(cctx);
7224 return testresult;
7225 }
7226
7227 static int test_ssl_pending(int tst)
7228 {
7229 SSL_CTX *cctx = NULL, *sctx = NULL;
7230 SSL *clientssl = NULL, *serverssl = NULL;
7231 int testresult = 0;
7232 char msg[] = "A test message";
7233 char buf[5];
7234 size_t written, readbytes;
7235
7236 if (tst == 0) {
7237 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7238 TLS_client_method(),
7239 TLS1_VERSION, 0,
7240 &sctx, &cctx, cert, privkey)))
7241 goto end;
7242 } else {
7243 #ifndef OPENSSL_NO_DTLS
7244 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7245 DTLS_client_method(),
7246 DTLS1_VERSION, 0,
7247 &sctx, &cctx, cert, privkey)))
7248 goto end;
7249
7250 # ifdef OPENSSL_NO_DTLS1_2
7251 /* Not supported in the FIPS provider */
7252 if (is_fips) {
7253 testresult = 1;
7254 goto end;
7255 };
7256 /*
7257 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7258 * level 0
7259 */
7260 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7261 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7262 "DEFAULT:@SECLEVEL=0")))
7263 goto end;
7264 # endif
7265 #else
7266 return 1;
7267 #endif
7268 }
7269
7270 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7271 NULL, NULL))
7272 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7273 SSL_ERROR_NONE)))
7274 goto end;
7275
7276 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7277 || !TEST_false(SSL_has_pending(clientssl))
7278 || !TEST_int_eq(SSL_pending(serverssl), 0)
7279 || !TEST_false(SSL_has_pending(serverssl))
7280 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7281 || !TEST_size_t_eq(written, sizeof(msg))
7282 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7283 || !TEST_size_t_eq(readbytes, sizeof(buf))
7284 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7285 || !TEST_true(SSL_has_pending(clientssl)))
7286 goto end;
7287
7288 testresult = 1;
7289
7290 end:
7291 SSL_free(serverssl);
7292 SSL_free(clientssl);
7293 SSL_CTX_free(sctx);
7294 SSL_CTX_free(cctx);
7295
7296 return testresult;
7297 }
7298
7299 static struct {
7300 unsigned int maxprot;
7301 const char *clntciphers;
7302 const char *clnttls13ciphers;
7303 const char *srvrciphers;
7304 const char *srvrtls13ciphers;
7305 const char *shared;
7306 const char *fipsshared;
7307 } shared_ciphers_data[] = {
7308 /*
7309 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7310 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7311 */
7312 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7313 {
7314 TLS1_2_VERSION,
7315 "AES128-SHA:AES256-SHA",
7316 NULL,
7317 "AES256-SHA:DHE-RSA-AES128-SHA",
7318 NULL,
7319 "AES256-SHA",
7320 "AES256-SHA"
7321 },
7322 # if !defined(OPENSSL_NO_CHACHA) \
7323 && !defined(OPENSSL_NO_POLY1305) \
7324 && !defined(OPENSSL_NO_EC)
7325 {
7326 TLS1_2_VERSION,
7327 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7328 NULL,
7329 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7330 NULL,
7331 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7332 "AES128-SHA"
7333 },
7334 # endif
7335 {
7336 TLS1_2_VERSION,
7337 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7338 NULL,
7339 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7340 NULL,
7341 "AES128-SHA:AES256-SHA",
7342 "AES128-SHA:AES256-SHA"
7343 },
7344 {
7345 TLS1_2_VERSION,
7346 "AES128-SHA:AES256-SHA",
7347 NULL,
7348 "AES128-SHA:DHE-RSA-AES128-SHA",
7349 NULL,
7350 "AES128-SHA",
7351 "AES128-SHA"
7352 },
7353 #endif
7354 /*
7355 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7356 * enabled.
7357 */
7358 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7359 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7360 {
7361 TLS1_3_VERSION,
7362 "AES128-SHA:AES256-SHA",
7363 NULL,
7364 "AES256-SHA:AES128-SHA256",
7365 NULL,
7366 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7367 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7368 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7369 },
7370 #endif
7371 #ifndef OSSL_NO_USABLE_TLS1_3
7372 {
7373 TLS1_3_VERSION,
7374 "AES128-SHA",
7375 "TLS_AES_256_GCM_SHA384",
7376 "AES256-SHA",
7377 "TLS_AES_256_GCM_SHA384",
7378 "TLS_AES_256_GCM_SHA384",
7379 "TLS_AES_256_GCM_SHA384"
7380 },
7381 #endif
7382 };
7383
7384 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7385 {
7386 SSL_CTX *cctx = NULL, *sctx = NULL;
7387 SSL *clientssl = NULL, *serverssl = NULL;
7388 int testresult = 0;
7389 char buf[1024];
7390 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7391
7392 if (!TEST_ptr(tmplibctx))
7393 goto end;
7394
7395 /*
7396 * Regardless of whether we're testing with the FIPS provider loaded into
7397 * libctx, we want one peer to always use the full set of ciphersuites
7398 * available. Therefore we use a separate libctx with the default provider
7399 * loaded into it. We run the same tests twice - once with the client side
7400 * having the full set of ciphersuites and once with the server side.
7401 */
7402 if (clnt) {
7403 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7404 if (!TEST_ptr(cctx))
7405 goto end;
7406 } else {
7407 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7408 if (!TEST_ptr(sctx))
7409 goto end;
7410 }
7411
7412 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7413 TLS_client_method(),
7414 TLS1_VERSION,
7415 shared_ciphers_data[tst].maxprot,
7416 &sctx, &cctx, cert, privkey)))
7417 goto end;
7418
7419 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7420 shared_ciphers_data[tst].clntciphers))
7421 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7422 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7423 shared_ciphers_data[tst].clnttls13ciphers)))
7424 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7425 shared_ciphers_data[tst].srvrciphers))
7426 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7427 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7428 shared_ciphers_data[tst].srvrtls13ciphers))))
7429 goto end;
7430
7431
7432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7433 NULL, NULL))
7434 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7435 SSL_ERROR_NONE)))
7436 goto end;
7437
7438 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7439 || !TEST_int_eq(strcmp(buf,
7440 is_fips
7441 ? shared_ciphers_data[tst].fipsshared
7442 : shared_ciphers_data[tst].shared),
7443 0)) {
7444 TEST_info("Shared ciphers are: %s\n", buf);
7445 goto end;
7446 }
7447
7448 testresult = 1;
7449
7450 end:
7451 SSL_free(serverssl);
7452 SSL_free(clientssl);
7453 SSL_CTX_free(sctx);
7454 SSL_CTX_free(cctx);
7455 OSSL_LIB_CTX_free(tmplibctx);
7456
7457 return testresult;
7458 }
7459
7460 static int test_ssl_get_shared_ciphers(int tst)
7461 {
7462 return int_test_ssl_get_shared_ciphers(tst, 0)
7463 && int_test_ssl_get_shared_ciphers(tst, 1);
7464 }
7465
7466
7467 static const char *appdata = "Hello World";
7468 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7469 static int tick_key_renew = 0;
7470 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7471
7472 static int gen_tick_cb(SSL *s, void *arg)
7473 {
7474 gen_tick_called = 1;
7475
7476 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7477 strlen(appdata));
7478 }
7479
7480 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7481 const unsigned char *keyname,
7482 size_t keyname_length,
7483 SSL_TICKET_STATUS status,
7484 void *arg)
7485 {
7486 void *tickdata;
7487 size_t tickdlen;
7488
7489 dec_tick_called = 1;
7490
7491 if (status == SSL_TICKET_EMPTY)
7492 return SSL_TICKET_RETURN_IGNORE_RENEW;
7493
7494 if (!TEST_true(status == SSL_TICKET_SUCCESS
7495 || status == SSL_TICKET_SUCCESS_RENEW))
7496 return SSL_TICKET_RETURN_ABORT;
7497
7498 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7499 &tickdlen))
7500 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7501 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7502 return SSL_TICKET_RETURN_ABORT;
7503
7504 if (tick_key_cb_called) {
7505 /* Don't change what the ticket key callback wanted to do */
7506 switch (status) {
7507 case SSL_TICKET_NO_DECRYPT:
7508 return SSL_TICKET_RETURN_IGNORE_RENEW;
7509
7510 case SSL_TICKET_SUCCESS:
7511 return SSL_TICKET_RETURN_USE;
7512
7513 case SSL_TICKET_SUCCESS_RENEW:
7514 return SSL_TICKET_RETURN_USE_RENEW;
7515
7516 default:
7517 return SSL_TICKET_RETURN_ABORT;
7518 }
7519 }
7520 return tick_dec_ret;
7521
7522 }
7523
7524 #ifndef OPENSSL_NO_DEPRECATED_3_0
7525 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7526 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7527 HMAC_CTX *hctx, int enc)
7528 {
7529 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7530 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7531 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7532 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7533 int ret;
7534
7535 tick_key_cb_called = 1;
7536 memset(iv, 0, AES_BLOCK_SIZE);
7537 memset(key_name, 0, 16);
7538 if (aes128cbc == NULL
7539 || sha256 == NULL
7540 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7541 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7542 NULL))
7543 ret = -1;
7544 else
7545 ret = tick_key_renew ? 2 : 1;
7546
7547 EVP_CIPHER_free(aes128cbc);
7548 EVP_MD_free(sha256);
7549
7550 return ret;
7551 }
7552 #endif
7553
7554 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7555 unsigned char iv[EVP_MAX_IV_LENGTH],
7556 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7557 {
7558 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7559 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7560 OSSL_PARAM params[2];
7561 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7562 int ret;
7563
7564 tick_key_cb_called = 1;
7565 memset(iv, 0, AES_BLOCK_SIZE);
7566 memset(key_name, 0, 16);
7567 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7568 "SHA256", 0);
7569 params[1] = OSSL_PARAM_construct_end();
7570 if (aes128cbc == NULL
7571 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7572 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7573 params))
7574 ret = -1;
7575 else
7576 ret = tick_key_renew ? 2 : 1;
7577
7578 EVP_CIPHER_free(aes128cbc);
7579
7580 return ret;
7581 }
7582
7583 /*
7584 * Test the various ticket callbacks
7585 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7586 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7587 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7588 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7589 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7590 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7591 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7592 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7593 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7594 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7595 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7596 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7597 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7598 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7599 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7600 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7601 */
7602 static int test_ticket_callbacks(int tst)
7603 {
7604 SSL_CTX *cctx = NULL, *sctx = NULL;
7605 SSL *clientssl = NULL, *serverssl = NULL;
7606 SSL_SESSION *clntsess = NULL;
7607 int testresult = 0;
7608
7609 #ifdef OPENSSL_NO_TLS1_2
7610 if (tst % 2 == 0)
7611 return 1;
7612 #endif
7613 #ifdef OSSL_NO_USABLE_TLS1_3
7614 if (tst % 2 == 1)
7615 return 1;
7616 #endif
7617 #ifdef OPENSSL_NO_DEPRECATED_3_0
7618 if (tst >= 8 && tst <= 11)
7619 return 1;
7620 #endif
7621
7622 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7623
7624 /* Which tests the ticket key callback should request renewal for */
7625 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7626 tick_key_renew = 1;
7627 else
7628 tick_key_renew = 0;
7629
7630 /* Which tests the decrypt ticket callback should request renewal for */
7631 switch (tst) {
7632 case 0:
7633 case 1:
7634 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7635 break;
7636
7637 case 2:
7638 case 3:
7639 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7640 break;
7641
7642 case 4:
7643 case 5:
7644 tick_dec_ret = SSL_TICKET_RETURN_USE;
7645 break;
7646
7647 case 6:
7648 case 7:
7649 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7650 break;
7651
7652 default:
7653 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7654 }
7655
7656 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7657 TLS_client_method(),
7658 TLS1_VERSION,
7659 ((tst % 2) == 0) ? TLS1_2_VERSION
7660 : TLS1_3_VERSION,
7661 &sctx, &cctx, cert, privkey)))
7662 goto end;
7663
7664 /*
7665 * We only want sessions to resume from tickets - not the session cache. So
7666 * switch the cache off.
7667 */
7668 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7669 goto end;
7670
7671 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7672 NULL)))
7673 goto end;
7674
7675 if (tst >= 12) {
7676 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7677 goto end;
7678 #ifndef OPENSSL_NO_DEPRECATED_3_0
7679 } else if (tst >= 8) {
7680 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7681 goto end;
7682 #endif
7683 }
7684
7685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7686 NULL, NULL))
7687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7688 SSL_ERROR_NONE)))
7689 goto end;
7690
7691 /*
7692 * The decrypt ticket key callback in TLSv1.2 should be called even though
7693 * we have no ticket yet, because it gets called with a status of
7694 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7695 * actually send any ticket data). This does not happen in TLSv1.3 because
7696 * it is not valid to send empty ticket data in TLSv1.3.
7697 */
7698 if (!TEST_int_eq(gen_tick_called, 1)
7699 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7700 goto end;
7701
7702 gen_tick_called = dec_tick_called = 0;
7703
7704 clntsess = SSL_get1_session(clientssl);
7705 SSL_shutdown(clientssl);
7706 SSL_shutdown(serverssl);
7707 SSL_free(serverssl);
7708 SSL_free(clientssl);
7709 serverssl = clientssl = NULL;
7710
7711 /* Now do a resumption */
7712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7713 NULL))
7714 || !TEST_true(SSL_set_session(clientssl, clntsess))
7715 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7716 SSL_ERROR_NONE)))
7717 goto end;
7718
7719 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7720 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7721 if (!TEST_false(SSL_session_reused(clientssl)))
7722 goto end;
7723 } else {
7724 if (!TEST_true(SSL_session_reused(clientssl)))
7725 goto end;
7726 }
7727
7728 if (!TEST_int_eq(gen_tick_called,
7729 (tick_key_renew
7730 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7731 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7732 ? 1 : 0)
7733 || !TEST_int_eq(dec_tick_called, 1))
7734 goto end;
7735
7736 testresult = 1;
7737
7738 end:
7739 SSL_SESSION_free(clntsess);
7740 SSL_free(serverssl);
7741 SSL_free(clientssl);
7742 SSL_CTX_free(sctx);
7743 SSL_CTX_free(cctx);
7744
7745 return testresult;
7746 }
7747
7748 /*
7749 * Test incorrect shutdown.
7750 * Test 0: client does not shutdown properly,
7751 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7752 * server should get SSL_ERROR_SSL
7753 * Test 1: client does not shutdown properly,
7754 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7755 * server should get SSL_ERROR_ZERO_RETURN
7756 */
7757 static int test_incorrect_shutdown(int tst)
7758 {
7759 SSL_CTX *cctx = NULL, *sctx = NULL;
7760 SSL *clientssl = NULL, *serverssl = NULL;
7761 int testresult = 0;
7762 char buf[80];
7763 BIO *c2s;
7764
7765 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7766 TLS_client_method(), 0, 0,
7767 &sctx, &cctx, cert, privkey)))
7768 goto end;
7769
7770 if (tst == 1)
7771 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7772
7773 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7774 NULL, NULL)))
7775 goto end;
7776
7777 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7778 SSL_ERROR_NONE)))
7779 goto end;
7780
7781 c2s = SSL_get_rbio(serverssl);
7782 BIO_set_mem_eof_return(c2s, 0);
7783
7784 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7785 goto end;
7786
7787 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7788 goto end;
7789 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7790 goto end;
7791
7792 testresult = 1;
7793
7794 end:
7795 SSL_free(serverssl);
7796 SSL_free(clientssl);
7797 SSL_CTX_free(sctx);
7798 SSL_CTX_free(cctx);
7799
7800 return testresult;
7801 }
7802
7803 /*
7804 * Test bi-directional shutdown.
7805 * Test 0: TLSv1.2
7806 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7807 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7808 * Test 3: TLSv1.3, pending NewSessionTicket messages
7809 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7810 * sends key update, client reads it
7811 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7812 * sends CertificateRequest, client reads and ignores it
7813 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7814 * doesn't read it
7815 */
7816 static int test_shutdown(int tst)
7817 {
7818 SSL_CTX *cctx = NULL, *sctx = NULL;
7819 SSL *clientssl = NULL, *serverssl = NULL;
7820 int testresult = 0;
7821 char msg[] = "A test message";
7822 char buf[80];
7823 size_t written, readbytes;
7824 SSL_SESSION *sess;
7825
7826 #ifdef OPENSSL_NO_TLS1_2
7827 if (tst <= 1)
7828 return 1;
7829 #endif
7830 #ifdef OSSL_NO_USABLE_TLS1_3
7831 if (tst >= 2)
7832 return 1;
7833 #endif
7834
7835 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7836 TLS_client_method(),
7837 TLS1_VERSION,
7838 (tst <= 1) ? TLS1_2_VERSION
7839 : TLS1_3_VERSION,
7840 &sctx, &cctx, cert, privkey)))
7841 goto end;
7842
7843 if (tst == 5)
7844 SSL_CTX_set_post_handshake_auth(cctx, 1);
7845
7846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7847 NULL, NULL)))
7848 goto end;
7849
7850 if (tst == 3) {
7851 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7852 SSL_ERROR_NONE, 1))
7853 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7854 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7855 goto end;
7856 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7857 SSL_ERROR_NONE))
7858 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7859 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7860 goto end;
7861 }
7862
7863 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7864 goto end;
7865
7866 if (tst >= 4) {
7867 /*
7868 * Reading on the server after the client has sent close_notify should
7869 * fail and provide SSL_ERROR_ZERO_RETURN
7870 */
7871 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7872 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7873 SSL_ERROR_ZERO_RETURN)
7874 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7875 SSL_RECEIVED_SHUTDOWN)
7876 /*
7877 * Even though we're shutdown on receive we should still be
7878 * able to write.
7879 */
7880 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7881 goto end;
7882 if (tst == 4
7883 && !TEST_true(SSL_key_update(serverssl,
7884 SSL_KEY_UPDATE_REQUESTED)))
7885 goto end;
7886 if (tst == 5) {
7887 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7888 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7889 goto end;
7890 }
7891 if ((tst == 4 || tst == 5)
7892 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7893 goto end;
7894 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7895 goto end;
7896 if (tst == 4 || tst == 5) {
7897 /* Should still be able to read data from server */
7898 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7899 &readbytes))
7900 || !TEST_size_t_eq(readbytes, sizeof(msg))
7901 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7902 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7903 &readbytes))
7904 || !TEST_size_t_eq(readbytes, sizeof(msg))
7905 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7906 goto end;
7907 }
7908 }
7909
7910 /* Writing on the client after sending close_notify shouldn't be possible */
7911 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7912 goto end;
7913
7914 if (tst < 4) {
7915 /*
7916 * For these tests the client has sent close_notify but it has not yet
7917 * been received by the server. The server has not sent close_notify
7918 * yet.
7919 */
7920 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7921 /*
7922 * Writing on the server after sending close_notify shouldn't
7923 * be possible.
7924 */
7925 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7926 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7927 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7928 || !TEST_true(SSL_SESSION_is_resumable(sess))
7929 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7930 goto end;
7931 } else if (tst == 4 || tst == 5) {
7932 /*
7933 * In this test the client has sent close_notify and it has been
7934 * received by the server which has responded with a close_notify. The
7935 * client needs to read the close_notify sent by the server.
7936 */
7937 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7938 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7939 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7940 goto end;
7941 } else {
7942 /*
7943 * tst == 6
7944 *
7945 * The client has sent close_notify and is expecting a close_notify
7946 * back, but instead there is application data first. The shutdown
7947 * should fail with a fatal error.
7948 */
7949 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7950 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7951 goto end;
7952 }
7953
7954 testresult = 1;
7955
7956 end:
7957 SSL_free(serverssl);
7958 SSL_free(clientssl);
7959 SSL_CTX_free(sctx);
7960 SSL_CTX_free(cctx);
7961
7962 return testresult;
7963 }
7964
7965 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7966 static int cert_cb_cnt;
7967
7968 static int cert_cb(SSL *s, void *arg)
7969 {
7970 SSL_CTX *ctx = (SSL_CTX *)arg;
7971 BIO *in = NULL;
7972 EVP_PKEY *pkey = NULL;
7973 X509 *x509 = NULL, *rootx = NULL;
7974 STACK_OF(X509) *chain = NULL;
7975 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7976 int ret = 0;
7977
7978 if (cert_cb_cnt == 0) {
7979 /* Suspend the handshake */
7980 cert_cb_cnt++;
7981 return -1;
7982 } else if (cert_cb_cnt == 1) {
7983 /*
7984 * Update the SSL_CTX, set the certificate and private key and then
7985 * continue the handshake normally.
7986 */
7987 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7988 return 0;
7989
7990 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7991 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7992 SSL_FILETYPE_PEM))
7993 || !TEST_true(SSL_check_private_key(s)))
7994 return 0;
7995 cert_cb_cnt++;
7996 return 1;
7997 } else if (cert_cb_cnt == 3) {
7998 int rv;
7999
8000 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8001 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8002 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8003 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8004 goto out;
8005 chain = sk_X509_new_null();
8006 if (!TEST_ptr(chain))
8007 goto out;
8008 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8009 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8010 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8011 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8012 || !TEST_true(sk_X509_push(chain, rootx)))
8013 goto out;
8014 rootx = NULL;
8015 BIO_free(in);
8016 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8017 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8018 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8019 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8020 goto out;
8021 BIO_free(in);
8022 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8023 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8024 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8025 NULL, NULL,
8026 libctx, NULL)))
8027 goto out;
8028 rv = SSL_check_chain(s, x509, pkey, chain);
8029 /*
8030 * If the cert doesn't show as valid here (e.g., because we don't
8031 * have any shared sigalgs), then we will not set it, and there will
8032 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8033 * will cause tls_choose_sigalgs() to fail the connection.
8034 */
8035 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8036 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8037 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8038 goto out;
8039 }
8040
8041 ret = 1;
8042 }
8043
8044 /* Abort the handshake */
8045 out:
8046 OPENSSL_free(ecdsacert);
8047 OPENSSL_free(ecdsakey);
8048 OPENSSL_free(rootfile);
8049 BIO_free(in);
8050 EVP_PKEY_free(pkey);
8051 X509_free(x509);
8052 X509_free(rootx);
8053 OSSL_STACK_OF_X509_free(chain);
8054 return ret;
8055 }
8056
8057 /*
8058 * Test the certificate callback.
8059 * Test 0: Callback fails
8060 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8061 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8062 * Test 3: Success - Call SSL_check_chain from the callback
8063 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8064 * chain
8065 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8066 */
8067 static int test_cert_cb_int(int prot, int tst)
8068 {
8069 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8070 SSL *clientssl = NULL, *serverssl = NULL;
8071 int testresult = 0, ret;
8072
8073 #ifdef OPENSSL_NO_EC
8074 /* We use an EC cert in these tests, so we skip in a no-ec build */
8075 if (tst >= 3)
8076 return 1;
8077 #endif
8078
8079 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8080 TLS_client_method(),
8081 TLS1_VERSION,
8082 prot,
8083 &sctx, &cctx, NULL, NULL)))
8084 goto end;
8085
8086 if (tst == 0)
8087 cert_cb_cnt = -1;
8088 else if (tst >= 3)
8089 cert_cb_cnt = 3;
8090 else
8091 cert_cb_cnt = 0;
8092
8093 if (tst == 2) {
8094 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8095 if (!TEST_ptr(snictx))
8096 goto end;
8097 }
8098
8099 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8100
8101 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8102 NULL, NULL)))
8103 goto end;
8104
8105 if (tst == 4) {
8106 /*
8107 * We cause SSL_check_chain() to fail by specifying sig_algs that
8108 * the chain doesn't meet (the root uses an RSA cert)
8109 */
8110 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8111 "ecdsa_secp256r1_sha256")))
8112 goto end;
8113 } else if (tst == 5) {
8114 /*
8115 * We cause SSL_check_chain() to fail by specifying sig_algs that
8116 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8117 */
8118 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8119 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8120 goto end;
8121 }
8122
8123 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8124 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8125 || (tst > 0
8126 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8127 goto end;
8128 }
8129
8130 testresult = 1;
8131
8132 end:
8133 SSL_free(serverssl);
8134 SSL_free(clientssl);
8135 SSL_CTX_free(sctx);
8136 SSL_CTX_free(cctx);
8137 SSL_CTX_free(snictx);
8138
8139 return testresult;
8140 }
8141 #endif
8142
8143 static int test_cert_cb(int tst)
8144 {
8145 int testresult = 1;
8146
8147 #ifndef OPENSSL_NO_TLS1_2
8148 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8149 #endif
8150 #ifndef OSSL_NO_USABLE_TLS1_3
8151 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8152 #endif
8153
8154 return testresult;
8155 }
8156
8157 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8158 {
8159 X509 *xcert;
8160 EVP_PKEY *privpkey;
8161 BIO *in = NULL;
8162 BIO *priv_in = NULL;
8163
8164 /* Check that SSL_get0_peer_certificate() returns something sensible */
8165 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8166 return 0;
8167
8168 in = BIO_new_file(cert, "r");
8169 if (!TEST_ptr(in))
8170 return 0;
8171
8172 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8173 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8174 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8175 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8176 NULL, NULL,
8177 libctx, NULL)))
8178 goto err;
8179
8180 *x509 = xcert;
8181 *pkey = privpkey;
8182
8183 BIO_free(in);
8184 BIO_free(priv_in);
8185 return 1;
8186 err:
8187 X509_free(xcert);
8188 BIO_free(in);
8189 BIO_free(priv_in);
8190 return 0;
8191 }
8192
8193 static int test_client_cert_cb(int tst)
8194 {
8195 SSL_CTX *cctx = NULL, *sctx = NULL;
8196 SSL *clientssl = NULL, *serverssl = NULL;
8197 int testresult = 0;
8198
8199 #ifdef OPENSSL_NO_TLS1_2
8200 if (tst == 0)
8201 return 1;
8202 #endif
8203 #ifdef OSSL_NO_USABLE_TLS1_3
8204 if (tst == 1)
8205 return 1;
8206 #endif
8207
8208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8209 TLS_client_method(),
8210 TLS1_VERSION,
8211 tst == 0 ? TLS1_2_VERSION
8212 : TLS1_3_VERSION,
8213 &sctx, &cctx, cert, privkey)))
8214 goto end;
8215
8216 /*
8217 * Test that setting a client_cert_cb results in a client certificate being
8218 * sent.
8219 */
8220 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8221 SSL_CTX_set_verify(sctx,
8222 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8223 verify_cb);
8224
8225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8226 NULL, NULL))
8227 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8228 SSL_ERROR_NONE)))
8229 goto end;
8230
8231 testresult = 1;
8232
8233 end:
8234 SSL_free(serverssl);
8235 SSL_free(clientssl);
8236 SSL_CTX_free(sctx);
8237 SSL_CTX_free(cctx);
8238
8239 return testresult;
8240 }
8241
8242 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8243 /*
8244 * Test setting certificate authorities on both client and server.
8245 *
8246 * Test 0: SSL_CTX_set0_CA_list() only
8247 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8248 * Test 2: Only SSL_CTX_set_client_CA_list()
8249 */
8250 static int test_ca_names_int(int prot, int tst)
8251 {
8252 SSL_CTX *cctx = NULL, *sctx = NULL;
8253 SSL *clientssl = NULL, *serverssl = NULL;
8254 int testresult = 0;
8255 size_t i;
8256 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8257 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8258 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8259 const STACK_OF(X509_NAME) *sktmp = NULL;
8260
8261 for (i = 0; i < OSSL_NELEM(name); i++) {
8262 name[i] = X509_NAME_new();
8263 if (!TEST_ptr(name[i])
8264 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8265 MBSTRING_ASC,
8266 (unsigned char *)
8267 strnames[i],
8268 -1, -1, 0)))
8269 goto end;
8270 }
8271
8272 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8273 TLS_client_method(),
8274 TLS1_VERSION,
8275 prot,
8276 &sctx, &cctx, cert, privkey)))
8277 goto end;
8278
8279 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8280
8281 if (tst == 0 || tst == 1) {
8282 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8283 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8284 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8285 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8286 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8287 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8288 goto end;
8289
8290 SSL_CTX_set0_CA_list(sctx, sk1);
8291 SSL_CTX_set0_CA_list(cctx, sk2);
8292 sk1 = sk2 = NULL;
8293 }
8294 if (tst == 1 || tst == 2) {
8295 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8296 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8297 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8298 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8299 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8300 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8301 goto end;
8302
8303 SSL_CTX_set_client_CA_list(sctx, sk1);
8304 SSL_CTX_set_client_CA_list(cctx, sk2);
8305 sk1 = sk2 = NULL;
8306 }
8307
8308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8309 NULL, NULL))
8310 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8311 SSL_ERROR_NONE)))
8312 goto end;
8313
8314 /*
8315 * We only expect certificate authorities to have been sent to the server
8316 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8317 */
8318 sktmp = SSL_get0_peer_CA_list(serverssl);
8319 if (prot == TLS1_3_VERSION
8320 && (tst == 0 || tst == 1)) {
8321 if (!TEST_ptr(sktmp)
8322 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8323 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8324 name[0]), 0)
8325 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8326 name[1]), 0))
8327 goto end;
8328 } else if (!TEST_ptr_null(sktmp)) {
8329 goto end;
8330 }
8331
8332 /*
8333 * In all tests we expect certificate authorities to have been sent to the
8334 * client. However, SSL_set_client_CA_list() should override
8335 * SSL_set0_CA_list()
8336 */
8337 sktmp = SSL_get0_peer_CA_list(clientssl);
8338 if (!TEST_ptr(sktmp)
8339 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8340 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8341 name[tst == 0 ? 0 : 2]), 0)
8342 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8343 name[tst == 0 ? 1 : 3]), 0))
8344 goto end;
8345
8346 testresult = 1;
8347
8348 end:
8349 SSL_free(serverssl);
8350 SSL_free(clientssl);
8351 SSL_CTX_free(sctx);
8352 SSL_CTX_free(cctx);
8353 for (i = 0; i < OSSL_NELEM(name); i++)
8354 X509_NAME_free(name[i]);
8355 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8356 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8357
8358 return testresult;
8359 }
8360 #endif
8361
8362 static int test_ca_names(int tst)
8363 {
8364 int testresult = 1;
8365
8366 #ifndef OPENSSL_NO_TLS1_2
8367 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8368 #endif
8369 #ifndef OSSL_NO_USABLE_TLS1_3
8370 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8371 #endif
8372
8373 return testresult;
8374 }
8375
8376 #ifndef OPENSSL_NO_TLS1_2
8377 static const char *multiblock_cipherlist_data[]=
8378 {
8379 "AES128-SHA",
8380 "AES128-SHA256",
8381 "AES256-SHA",
8382 "AES256-SHA256",
8383 };
8384
8385 /* Reduce the fragment size - so the multiblock test buffer can be small */
8386 # define MULTIBLOCK_FRAGSIZE 512
8387
8388 static int test_multiblock_write(int test_index)
8389 {
8390 static const char *fetchable_ciphers[]=
8391 {
8392 "AES-128-CBC-HMAC-SHA1",
8393 "AES-128-CBC-HMAC-SHA256",
8394 "AES-256-CBC-HMAC-SHA1",
8395 "AES-256-CBC-HMAC-SHA256"
8396 };
8397 const char *cipherlist = multiblock_cipherlist_data[test_index];
8398 const SSL_METHOD *smeth = TLS_server_method();
8399 const SSL_METHOD *cmeth = TLS_client_method();
8400 int min_version = TLS1_VERSION;
8401 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8402 SSL_CTX *cctx = NULL, *sctx = NULL;
8403 SSL *clientssl = NULL, *serverssl = NULL;
8404 int testresult = 0;
8405
8406 /*
8407 * Choose a buffer large enough to perform a multi-block operation
8408 * i.e: write_len >= 4 * frag_size
8409 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8410 */
8411 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8412 unsigned char buf[sizeof(msg)], *p = buf;
8413 size_t readbytes, written, len;
8414 EVP_CIPHER *ciph = NULL;
8415
8416 /*
8417 * Check if the cipher exists before attempting to use it since it only has
8418 * a hardware specific implementation.
8419 */
8420 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8421 if (ciph == NULL) {
8422 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8423 return 1;
8424 }
8425 EVP_CIPHER_free(ciph);
8426
8427 /* Set up a buffer with some data that will be sent to the client */
8428 RAND_bytes(msg, sizeof(msg));
8429
8430 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8431 max_version, &sctx, &cctx, cert,
8432 privkey)))
8433 goto end;
8434
8435 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8436 goto end;
8437
8438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8439 NULL, NULL)))
8440 goto end;
8441
8442 /* settings to force it to use AES-CBC-HMAC_SHA */
8443 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8444 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8445 goto end;
8446
8447 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8448 goto end;
8449
8450 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8451 || !TEST_size_t_eq(written, sizeof(msg)))
8452 goto end;
8453
8454 len = written;
8455 while (len > 0) {
8456 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8457 goto end;
8458 p += readbytes;
8459 len -= readbytes;
8460 }
8461 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8462 goto end;
8463
8464 testresult = 1;
8465 end:
8466 SSL_free(serverssl);
8467 SSL_free(clientssl);
8468 SSL_CTX_free(sctx);
8469 SSL_CTX_free(cctx);
8470
8471 return testresult;
8472 }
8473 #endif /* OPENSSL_NO_TLS1_2 */
8474
8475 static int test_session_timeout(int test)
8476 {
8477 /*
8478 * Test session ordering and timeout
8479 * Can't explicitly test performance of the new code,
8480 * but can test to see if the ordering of the sessions
8481 * are correct, and they they are removed as expected
8482 */
8483 SSL_SESSION *early = NULL;
8484 SSL_SESSION *middle = NULL;
8485 SSL_SESSION *late = NULL;
8486 SSL_CTX *ctx;
8487 int testresult = 0;
8488 long now = (long)time(NULL);
8489 #define TIMEOUT 10
8490
8491 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8492 || !TEST_ptr(early = SSL_SESSION_new())
8493 || !TEST_ptr(middle = SSL_SESSION_new())
8494 || !TEST_ptr(late = SSL_SESSION_new()))
8495 goto end;
8496
8497 /* assign unique session ids */
8498 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8499 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8500 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8501 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8502 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8503 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8504
8505 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8506 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8507 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8508 goto end;
8509
8510 /* Make sure they are all added */
8511 if (!TEST_ptr(early->prev)
8512 || !TEST_ptr(middle->prev)
8513 || !TEST_ptr(late->prev))
8514 goto end;
8515
8516 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8517 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8518 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8519 goto end;
8520
8521 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8522 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8523 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8524 goto end;
8525
8526 /* Make sure they are all still there */
8527 if (!TEST_ptr(early->prev)
8528 || !TEST_ptr(middle->prev)
8529 || !TEST_ptr(late->prev))
8530 goto end;
8531
8532 /* Make sure they are in the expected order */
8533 if (!TEST_ptr_eq(late->next, middle)
8534 || !TEST_ptr_eq(middle->next, early)
8535 || !TEST_ptr_eq(early->prev, middle)
8536 || !TEST_ptr_eq(middle->prev, late))
8537 goto end;
8538
8539 /* This should remove "early" */
8540 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8541 if (!TEST_ptr_null(early->prev)
8542 || !TEST_ptr(middle->prev)
8543 || !TEST_ptr(late->prev))
8544 goto end;
8545
8546 /* This should remove "middle" */
8547 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8548 if (!TEST_ptr_null(early->prev)
8549 || !TEST_ptr_null(middle->prev)
8550 || !TEST_ptr(late->prev))
8551 goto end;
8552
8553 /* This should remove "late" */
8554 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8555 if (!TEST_ptr_null(early->prev)
8556 || !TEST_ptr_null(middle->prev)
8557 || !TEST_ptr_null(late->prev))
8558 goto end;
8559
8560 /* Add them back in again */
8561 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8562 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8563 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8564 goto end;
8565
8566 /* Make sure they are all added */
8567 if (!TEST_ptr(early->prev)
8568 || !TEST_ptr(middle->prev)
8569 || !TEST_ptr(late->prev))
8570 goto end;
8571
8572 /* This should remove all of them */
8573 SSL_CTX_flush_sessions(ctx, 0);
8574 if (!TEST_ptr_null(early->prev)
8575 || !TEST_ptr_null(middle->prev)
8576 || !TEST_ptr_null(late->prev))
8577 goto end;
8578
8579 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8580 | SSL_CTX_get_session_cache_mode(ctx));
8581
8582 /* make sure |now| is NOT equal to the current time */
8583 now -= 10;
8584 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8585 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8586 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8587 goto end;
8588
8589 testresult = 1;
8590 end:
8591 SSL_CTX_free(ctx);
8592 SSL_SESSION_free(early);
8593 SSL_SESSION_free(middle);
8594 SSL_SESSION_free(late);
8595 return testresult;
8596 }
8597
8598 /*
8599 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8600 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8601 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8602 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8603 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8604 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8605 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8606 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8607 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8608 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8609 */
8610 static int test_servername(int tst)
8611 {
8612 SSL_CTX *cctx = NULL, *sctx = NULL;
8613 SSL *clientssl = NULL, *serverssl = NULL;
8614 int testresult = 0;
8615 SSL_SESSION *sess = NULL;
8616 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8617
8618 #ifdef OPENSSL_NO_TLS1_2
8619 if (tst <= 4)
8620 return 1;
8621 #endif
8622 #ifdef OSSL_NO_USABLE_TLS1_3
8623 if (tst >= 5)
8624 return 1;
8625 #endif
8626
8627 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8628 TLS_client_method(),
8629 TLS1_VERSION,
8630 (tst <= 4) ? TLS1_2_VERSION
8631 : TLS1_3_VERSION,
8632 &sctx, &cctx, cert, privkey))
8633 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8634 NULL, NULL)))
8635 goto end;
8636
8637 if (tst != 1 && tst != 6) {
8638 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8639 hostname_cb)))
8640 goto end;
8641 }
8642
8643 if (tst != 3 && tst != 8) {
8644 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8645 goto end;
8646 sexpectedhost = cexpectedhost = "goodhost";
8647 }
8648
8649 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8650 goto end;
8651
8652 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8653 cexpectedhost)
8654 || !TEST_str_eq(SSL_get_servername(serverssl,
8655 TLSEXT_NAMETYPE_host_name),
8656 sexpectedhost))
8657 goto end;
8658
8659 /* Now repeat with a resumption handshake */
8660
8661 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8662 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8663 || !TEST_true(SSL_SESSION_is_resumable(sess))
8664 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8665 goto end;
8666
8667 SSL_free(clientssl);
8668 SSL_free(serverssl);
8669 clientssl = serverssl = NULL;
8670
8671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8672 NULL)))
8673 goto end;
8674
8675 if (!TEST_true(SSL_set_session(clientssl, sess)))
8676 goto end;
8677
8678 sexpectedhost = cexpectedhost = "goodhost";
8679 if (tst == 2 || tst == 7) {
8680 /* Set an inconsistent hostname */
8681 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8682 goto end;
8683 /*
8684 * In TLSv1.2 we expect the hostname from the original handshake, in
8685 * TLSv1.3 we expect the hostname from this handshake
8686 */
8687 if (tst == 7)
8688 sexpectedhost = cexpectedhost = "altgoodhost";
8689
8690 if (!TEST_str_eq(SSL_get_servername(clientssl,
8691 TLSEXT_NAMETYPE_host_name),
8692 "altgoodhost"))
8693 goto end;
8694 } else if (tst == 4 || tst == 9) {
8695 /*
8696 * A TLSv1.3 session does not associate a session with a servername,
8697 * but a TLSv1.2 session does.
8698 */
8699 if (tst == 9)
8700 sexpectedhost = cexpectedhost = NULL;
8701
8702 if (!TEST_str_eq(SSL_get_servername(clientssl,
8703 TLSEXT_NAMETYPE_host_name),
8704 cexpectedhost))
8705 goto end;
8706 } else {
8707 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8708 goto end;
8709 /*
8710 * In a TLSv1.2 resumption where the hostname was not acknowledged
8711 * we expect the hostname on the server to be empty. On the client we
8712 * return what was requested in this case.
8713 *
8714 * Similarly if the client didn't set a hostname on an original TLSv1.2
8715 * session but is now, the server hostname will be empty, but the client
8716 * is as we set it.
8717 */
8718 if (tst == 1 || tst == 3)
8719 sexpectedhost = NULL;
8720
8721 if (!TEST_str_eq(SSL_get_servername(clientssl,
8722 TLSEXT_NAMETYPE_host_name),
8723 "goodhost"))
8724 goto end;
8725 }
8726
8727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8728 goto end;
8729
8730 if (!TEST_true(SSL_session_reused(clientssl))
8731 || !TEST_true(SSL_session_reused(serverssl))
8732 || !TEST_str_eq(SSL_get_servername(clientssl,
8733 TLSEXT_NAMETYPE_host_name),
8734 cexpectedhost)
8735 || !TEST_str_eq(SSL_get_servername(serverssl,
8736 TLSEXT_NAMETYPE_host_name),
8737 sexpectedhost))
8738 goto end;
8739
8740 testresult = 1;
8741
8742 end:
8743 SSL_SESSION_free(sess);
8744 SSL_free(serverssl);
8745 SSL_free(clientssl);
8746 SSL_CTX_free(sctx);
8747 SSL_CTX_free(cctx);
8748
8749 return testresult;
8750 }
8751
8752 #if !defined(OPENSSL_NO_EC) \
8753 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8754 /*
8755 * Test that if signature algorithms are not available, then we do not offer or
8756 * accept them.
8757 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8758 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8759 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8760 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8761 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8762 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8763 */
8764 static int test_sigalgs_available(int idx)
8765 {
8766 SSL_CTX *cctx = NULL, *sctx = NULL;
8767 SSL *clientssl = NULL, *serverssl = NULL;
8768 int testresult = 0;
8769 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8770 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8771 OSSL_PROVIDER *filterprov = NULL;
8772 int sig, hash;
8773
8774 if (!TEST_ptr(tmpctx))
8775 goto end;
8776
8777 if (idx != 0 && idx != 3) {
8778 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8779 filter_provider_init)))
8780 goto end;
8781
8782 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8783 if (!TEST_ptr(filterprov))
8784 goto end;
8785
8786 if (idx < 3) {
8787 /*
8788 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8789 * or accepted for the peer that uses this libctx. Note that libssl
8790 * *requires* SHA2-256 to be available so we cannot disable that. We
8791 * also need SHA1 for our certificate.
8792 */
8793 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8794 "SHA2-256:SHA1")))
8795 goto end;
8796 } else {
8797 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8798 "ECDSA"))
8799 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8800 "EC:X25519:X448")))
8801 goto end;
8802 }
8803
8804 if (idx == 1 || idx == 4)
8805 clientctx = tmpctx;
8806 else
8807 serverctx = tmpctx;
8808 }
8809
8810 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8811 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8812 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8813 goto end;
8814
8815 if (idx != 5) {
8816 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8817 TLS_client_method(),
8818 TLS1_VERSION,
8819 0,
8820 &sctx, &cctx, cert, privkey)))
8821 goto end;
8822 } else {
8823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8824 TLS_client_method(),
8825 TLS1_VERSION,
8826 0,
8827 &sctx, &cctx, cert2, privkey2)))
8828 goto end;
8829 }
8830
8831 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8832 if (idx < 4) {
8833 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8834 "ECDHE-RSA-AES128-GCM-SHA256")))
8835 goto end;
8836 } else {
8837 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8838 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8839 goto end;
8840 }
8841
8842 if (idx < 3) {
8843 if (!SSL_CTX_set1_sigalgs_list(cctx,
8844 "rsa_pss_rsae_sha384"
8845 ":rsa_pss_rsae_sha256")
8846 || !SSL_CTX_set1_sigalgs_list(sctx,
8847 "rsa_pss_rsae_sha384"
8848 ":rsa_pss_rsae_sha256"))
8849 goto end;
8850 } else {
8851 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8852 || !SSL_CTX_set1_sigalgs_list(sctx,
8853 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8854 goto end;
8855 }
8856
8857 if (idx != 5
8858 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8859 SSL_FILETYPE_PEM), 1)
8860 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8861 privkey2,
8862 SSL_FILETYPE_PEM), 1)
8863 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8864 goto end;
8865
8866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8867 NULL, NULL)))
8868 goto end;
8869
8870 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8871 goto end;
8872
8873 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8874 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8875 NULL, NULL),
8876 (idx == 0 || idx == 3) ? 2 : 1))
8877 goto end;
8878
8879 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8880 goto end;
8881
8882 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8883 : NID_rsassaPss))
8884 goto end;
8885
8886 testresult = filter_provider_check_clean_finish();
8887
8888 end:
8889 SSL_free(serverssl);
8890 SSL_free(clientssl);
8891 SSL_CTX_free(sctx);
8892 SSL_CTX_free(cctx);
8893 OSSL_PROVIDER_unload(filterprov);
8894 OSSL_LIB_CTX_free(tmpctx);
8895
8896 return testresult;
8897 }
8898 #endif /*
8899 * !defined(OPENSSL_NO_EC) \
8900 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8901 */
8902
8903 #ifndef OPENSSL_NO_TLS1_3
8904 /* This test can run in TLSv1.3 even if ec and dh are disabled */
8905 static int test_pluggable_group(int idx)
8906 {
8907 SSL_CTX *cctx = NULL, *sctx = NULL;
8908 SSL *clientssl = NULL, *serverssl = NULL;
8909 int testresult = 0;
8910 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8911 /* Check that we are not impacted by a provider without any groups */
8912 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8913 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8914
8915 if (!TEST_ptr(tlsprov))
8916 goto end;
8917
8918 if (legacyprov == NULL) {
8919 /*
8920 * In this case we assume we've been built with "no-legacy" and skip
8921 * this test (there is no OPENSSL_NO_LEGACY)
8922 */
8923 testresult = 1;
8924 goto end;
8925 }
8926
8927 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8928 TLS_client_method(),
8929 TLS1_3_VERSION,
8930 TLS1_3_VERSION,
8931 &sctx, &cctx, cert, privkey))
8932 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8933 NULL, NULL)))
8934 goto end;
8935
8936 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8937 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8938 goto end;
8939
8940 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8941 goto end;
8942
8943 if (!TEST_str_eq(group_name,
8944 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8945 goto end;
8946
8947 testresult = 1;
8948
8949 end:
8950 SSL_free(serverssl);
8951 SSL_free(clientssl);
8952 SSL_CTX_free(sctx);
8953 SSL_CTX_free(cctx);
8954 OSSL_PROVIDER_unload(tlsprov);
8955 OSSL_PROVIDER_unload(legacyprov);
8956
8957 return testresult;
8958 }
8959 #endif
8960
8961 #ifndef OPENSSL_NO_TLS1_2
8962 static int test_ssl_dup(void)
8963 {
8964 SSL_CTX *cctx = NULL, *sctx = NULL;
8965 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8966 int testresult = 0;
8967 BIO *rbio = NULL, *wbio = NULL;
8968
8969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8970 TLS_client_method(),
8971 0,
8972 0,
8973 &sctx, &cctx, cert, privkey)))
8974 goto end;
8975
8976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8977 NULL, NULL)))
8978 goto end;
8979
8980 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8981 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8982 goto end;
8983
8984 client2ssl = SSL_dup(clientssl);
8985 rbio = SSL_get_rbio(clientssl);
8986 if (!TEST_ptr(rbio)
8987 || !TEST_true(BIO_up_ref(rbio)))
8988 goto end;
8989 SSL_set0_rbio(client2ssl, rbio);
8990 rbio = NULL;
8991
8992 wbio = SSL_get_wbio(clientssl);
8993 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8994 goto end;
8995 SSL_set0_wbio(client2ssl, wbio);
8996 rbio = NULL;
8997
8998 if (!TEST_ptr(client2ssl)
8999 /* Handshake not started so pointers should be different */
9000 || !TEST_ptr_ne(clientssl, client2ssl))
9001 goto end;
9002
9003 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9004 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9005 goto end;
9006
9007 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9008 goto end;
9009
9010 SSL_free(clientssl);
9011 clientssl = SSL_dup(client2ssl);
9012 if (!TEST_ptr(clientssl)
9013 /* Handshake has finished so pointers should be the same */
9014 || !TEST_ptr_eq(clientssl, client2ssl))
9015 goto end;
9016
9017 testresult = 1;
9018
9019 end:
9020 SSL_free(serverssl);
9021 SSL_free(clientssl);
9022 SSL_free(client2ssl);
9023 SSL_CTX_free(sctx);
9024 SSL_CTX_free(cctx);
9025
9026 return testresult;
9027 }
9028
9029 # ifndef OPENSSL_NO_DH
9030
9031 static EVP_PKEY *tmp_dh_params = NULL;
9032
9033 /* Helper function for the test_set_tmp_dh() tests */
9034 static EVP_PKEY *get_tmp_dh_params(void)
9035 {
9036 if (tmp_dh_params == NULL) {
9037 BIGNUM *p = NULL;
9038 OSSL_PARAM_BLD *tmpl = NULL;
9039 EVP_PKEY_CTX *pctx = NULL;
9040 OSSL_PARAM *params = NULL;
9041 EVP_PKEY *dhpkey = NULL;
9042
9043 p = BN_get_rfc3526_prime_2048(NULL);
9044 if (!TEST_ptr(p))
9045 goto end;
9046
9047 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9048 if (!TEST_ptr(pctx)
9049 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9050 goto end;
9051
9052 tmpl = OSSL_PARAM_BLD_new();
9053 if (!TEST_ptr(tmpl)
9054 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9055 OSSL_PKEY_PARAM_FFC_P,
9056 p))
9057 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9058 OSSL_PKEY_PARAM_FFC_G,
9059 2)))
9060 goto end;
9061
9062 params = OSSL_PARAM_BLD_to_param(tmpl);
9063 if (!TEST_ptr(params)
9064 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9065 EVP_PKEY_KEY_PARAMETERS,
9066 params), 1))
9067 goto end;
9068
9069 tmp_dh_params = dhpkey;
9070 end:
9071 BN_free(p);
9072 EVP_PKEY_CTX_free(pctx);
9073 OSSL_PARAM_BLD_free(tmpl);
9074 OSSL_PARAM_free(params);
9075 }
9076
9077 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9078 return NULL;
9079
9080 return tmp_dh_params;
9081 }
9082
9083 # ifndef OPENSSL_NO_DEPRECATED_3_0
9084 /* Callback used by test_set_tmp_dh() */
9085 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9086 {
9087 EVP_PKEY *dhpkey = get_tmp_dh_params();
9088 DH *ret = NULL;
9089
9090 if (!TEST_ptr(dhpkey))
9091 return NULL;
9092
9093 /*
9094 * libssl does not free the returned DH, so we free it now knowing that even
9095 * after we free dhpkey, there will still be a reference to the owning
9096 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9097 * of time we need it for.
9098 */
9099 ret = EVP_PKEY_get1_DH(dhpkey);
9100 DH_free(ret);
9101
9102 EVP_PKEY_free(dhpkey);
9103
9104 return ret;
9105 }
9106 # endif
9107
9108 /*
9109 * Test the various methods for setting temporary DH parameters
9110 *
9111 * Test 0: Default (no auto) setting
9112 * Test 1: Explicit SSL_CTX auto off
9113 * Test 2: Explicit SSL auto off
9114 * Test 3: Explicit SSL_CTX auto on
9115 * Test 4: Explicit SSL auto on
9116 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9117 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9118 *
9119 * The following are testing deprecated APIs, so we only run them if available
9120 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9121 * Test 8: Explicit SSL auto off, custom DH params via DH
9122 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9123 * Test 10: Explicit SSL auto off, custom DH params via callback
9124 */
9125 static int test_set_tmp_dh(int idx)
9126 {
9127 SSL_CTX *cctx = NULL, *sctx = NULL;
9128 SSL *clientssl = NULL, *serverssl = NULL;
9129 int testresult = 0;
9130 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9131 int expected = (idx <= 2) ? 0 : 1;
9132 EVP_PKEY *dhpkey = NULL;
9133 # ifndef OPENSSL_NO_DEPRECATED_3_0
9134 DH *dh = NULL;
9135 # else
9136
9137 if (idx >= 7)
9138 return 1;
9139 # endif
9140
9141 if (idx >= 5 && idx <= 8) {
9142 dhpkey = get_tmp_dh_params();
9143 if (!TEST_ptr(dhpkey))
9144 goto end;
9145 }
9146 # ifndef OPENSSL_NO_DEPRECATED_3_0
9147 if (idx == 7 || idx == 8) {
9148 dh = EVP_PKEY_get1_DH(dhpkey);
9149 if (!TEST_ptr(dh))
9150 goto end;
9151 }
9152 # endif
9153
9154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9155 TLS_client_method(),
9156 0,
9157 0,
9158 &sctx, &cctx, cert, privkey)))
9159 goto end;
9160
9161 if ((idx & 1) == 1) {
9162 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9163 goto end;
9164 }
9165
9166 if (idx == 5) {
9167 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9168 goto end;
9169 dhpkey = NULL;
9170 }
9171 # ifndef OPENSSL_NO_DEPRECATED_3_0
9172 else if (idx == 7) {
9173 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9174 goto end;
9175 } else if (idx == 9) {
9176 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9177 }
9178 # endif
9179
9180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9181 NULL, NULL)))
9182 goto end;
9183
9184 if ((idx & 1) == 0 && idx != 0) {
9185 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9186 goto end;
9187 }
9188 if (idx == 6) {
9189 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9190 goto end;
9191 dhpkey = NULL;
9192 }
9193 # ifndef OPENSSL_NO_DEPRECATED_3_0
9194 else if (idx == 8) {
9195 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9196 goto end;
9197 } else if (idx == 10) {
9198 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9199 }
9200 # endif
9201
9202 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9203 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9204 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9205 goto end;
9206
9207 /*
9208 * If autoon then we should succeed. Otherwise we expect failure because
9209 * there are no parameters
9210 */
9211 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9212 SSL_ERROR_NONE), expected))
9213 goto end;
9214
9215 testresult = 1;
9216
9217 end:
9218 # ifndef OPENSSL_NO_DEPRECATED_3_0
9219 DH_free(dh);
9220 # endif
9221 SSL_free(serverssl);
9222 SSL_free(clientssl);
9223 SSL_CTX_free(sctx);
9224 SSL_CTX_free(cctx);
9225 EVP_PKEY_free(dhpkey);
9226
9227 return testresult;
9228 }
9229
9230 /*
9231 * Test the auto DH keys are appropriately sized
9232 */
9233 static int test_dh_auto(int idx)
9234 {
9235 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9236 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9237 SSL *clientssl = NULL, *serverssl = NULL;
9238 int testresult = 0;
9239 EVP_PKEY *tmpkey = NULL;
9240 char *thiscert = NULL, *thiskey = NULL;
9241 size_t expdhsize = 0;
9242 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9243
9244 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9245 goto end;
9246
9247 switch (idx) {
9248 case 0:
9249 /* The FIPS provider doesn't support this DH size - so we ignore it */
9250 if (is_fips) {
9251 testresult = 1;
9252 goto end;
9253 }
9254 thiscert = cert1024;
9255 thiskey = privkey1024;
9256 expdhsize = 1024;
9257 SSL_CTX_set_security_level(sctx, 1);
9258 SSL_CTX_set_security_level(cctx, 1);
9259 break;
9260 case 1:
9261 /* 2048 bit prime */
9262 thiscert = cert;
9263 thiskey = privkey;
9264 expdhsize = 2048;
9265 break;
9266 case 2:
9267 thiscert = cert3072;
9268 thiskey = privkey3072;
9269 expdhsize = 3072;
9270 break;
9271 case 3:
9272 thiscert = cert4096;
9273 thiskey = privkey4096;
9274 expdhsize = 4096;
9275 break;
9276 case 4:
9277 thiscert = cert8192;
9278 thiskey = privkey8192;
9279 expdhsize = 8192;
9280 break;
9281 /* No certificate cases */
9282 case 5:
9283 /* The FIPS provider doesn't support this DH size - so we ignore it */
9284 if (is_fips) {
9285 testresult = 1;
9286 goto end;
9287 }
9288 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9289 expdhsize = 1024;
9290 break;
9291 case 6:
9292 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9293 expdhsize = 3072;
9294 break;
9295 default:
9296 TEST_error("Invalid text index");
9297 goto end;
9298 }
9299
9300 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9301 NULL,
9302 0,
9303 0,
9304 &sctx, &cctx, thiscert, thiskey)))
9305 goto end;
9306
9307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9308 NULL, NULL)))
9309 goto end;
9310
9311 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9312 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9313 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9314 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9315 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9316 goto end;
9317
9318 /*
9319 * Send the server's first flight. At this point the server has created the
9320 * temporary DH key but hasn't finished using it yet. Once used it is
9321 * removed, so we cannot test it.
9322 */
9323 if (!TEST_int_le(SSL_connect(clientssl), 0)
9324 || !TEST_int_le(SSL_accept(serverssl), 0))
9325 goto end;
9326
9327 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9328 goto end;
9329 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9330 goto end;
9331
9332 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9333 goto end;
9334
9335 testresult = 1;
9336
9337 end:
9338 SSL_free(serverssl);
9339 SSL_free(clientssl);
9340 SSL_CTX_free(sctx);
9341 SSL_CTX_free(cctx);
9342 EVP_PKEY_free(tmpkey);
9343
9344 return testresult;
9345
9346 }
9347 # endif /* OPENSSL_NO_DH */
9348 #endif /* OPENSSL_NO_TLS1_2 */
9349
9350 #ifndef OSSL_NO_USABLE_TLS1_3
9351 /*
9352 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9353 * that it works even without a certificate configured for the original
9354 * SSL_CTX
9355 */
9356 static int test_sni_tls13(void)
9357 {
9358 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9359 SSL *clientssl = NULL, *serverssl = NULL;
9360 int testresult = 0;
9361
9362 /* Reset callback counter */
9363 snicb = 0;
9364
9365 /* Create an initial SSL_CTX with no certificate configured */
9366 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9367 if (!TEST_ptr(sctx))
9368 goto end;
9369 /* Require TLSv1.3 as a minimum */
9370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9371 TLS_client_method(), TLS1_3_VERSION, 0,
9372 &sctx2, &cctx, cert, privkey)))
9373 goto end;
9374
9375 /* Set up SNI */
9376 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9377 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9378 goto end;
9379
9380 /*
9381 * Connection should still succeed because the final SSL_CTX has the right
9382 * certificates configured.
9383 */
9384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9385 &clientssl, NULL, NULL))
9386 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9387 SSL_ERROR_NONE)))
9388 goto end;
9389
9390 /* We should have had the SNI callback called exactly once */
9391 if (!TEST_int_eq(snicb, 1))
9392 goto end;
9393
9394 testresult = 1;
9395
9396 end:
9397 SSL_free(serverssl);
9398 SSL_free(clientssl);
9399 SSL_CTX_free(sctx2);
9400 SSL_CTX_free(sctx);
9401 SSL_CTX_free(cctx);
9402 return testresult;
9403 }
9404 #endif
9405 /*
9406 * Test that setting an ALPN does not violate RFC
9407 */
9408 static int test_set_alpn(void)
9409 {
9410 SSL_CTX *ctx = NULL;
9411 SSL *ssl = NULL;
9412 int testresult = 0;
9413
9414 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9415 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9416 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9417 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9418 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9419 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9420
9421 /* Create an initial SSL_CTX with no certificate configured */
9422 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9423 if (!TEST_ptr(ctx))
9424 goto end;
9425
9426 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9427 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9428 goto end;
9429 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9430 goto end;
9431 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9432 goto end;
9433 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9434 goto end;
9435 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9436 goto end;
9437 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9438 goto end;
9439 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9440 goto end;
9441 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9442 goto end;
9443 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9444 goto end;
9445
9446 ssl = SSL_new(ctx);
9447 if (!TEST_ptr(ssl))
9448 goto end;
9449
9450 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9451 goto end;
9452 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9453 goto end;
9454 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9455 goto end;
9456 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9457 goto end;
9458 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9459 goto end;
9460 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9461 goto end;
9462 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9463 goto end;
9464 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9465 goto end;
9466 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9467 goto end;
9468
9469 testresult = 1;
9470
9471 end:
9472 SSL_free(ssl);
9473 SSL_CTX_free(ctx);
9474 return testresult;
9475 }
9476
9477 static int test_inherit_verify_param(void)
9478 {
9479 int testresult = 0;
9480
9481 SSL_CTX *ctx = NULL;
9482 X509_VERIFY_PARAM *cp = NULL;
9483 SSL *ssl = NULL;
9484 X509_VERIFY_PARAM *sp = NULL;
9485 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9486
9487 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9488 if (!TEST_ptr(ctx))
9489 goto end;
9490
9491 cp = SSL_CTX_get0_param(ctx);
9492 if (!TEST_ptr(cp))
9493 goto end;
9494 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9495 goto end;
9496
9497 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9498
9499 ssl = SSL_new(ctx);
9500 if (!TEST_ptr(ssl))
9501 goto end;
9502
9503 sp = SSL_get0_param(ssl);
9504 if (!TEST_ptr(sp))
9505 goto end;
9506 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9507 goto end;
9508
9509 testresult = 1;
9510
9511 end:
9512 SSL_free(ssl);
9513 SSL_CTX_free(ctx);
9514
9515 return testresult;
9516 }
9517
9518 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9519
9520 int setup_tests(void)
9521 {
9522 char *modulename;
9523 char *configfile;
9524
9525 libctx = OSSL_LIB_CTX_new();
9526 if (!TEST_ptr(libctx))
9527 return 0;
9528
9529 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9530
9531 /*
9532 * Verify that the default and fips providers in the default libctx are not
9533 * available
9534 */
9535 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9536 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9537 return 0;
9538
9539 if (!test_skip_common_options()) {
9540 TEST_error("Error parsing test options\n");
9541 return 0;
9542 }
9543
9544 if (!TEST_ptr(certsdir = test_get_argument(0))
9545 || !TEST_ptr(srpvfile = test_get_argument(1))
9546 || !TEST_ptr(tmpfilename = test_get_argument(2))
9547 || !TEST_ptr(modulename = test_get_argument(3))
9548 || !TEST_ptr(configfile = test_get_argument(4)))
9549 return 0;
9550
9551 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9552 return 0;
9553
9554 /* Check we have the expected provider available */
9555 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9556 return 0;
9557
9558 /* Check the default provider is not available */
9559 if (strcmp(modulename, "default") != 0
9560 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9561 return 0;
9562
9563 if (strcmp(modulename, "fips") == 0)
9564 is_fips = 1;
9565
9566 /*
9567 * We add, but don't load the test "tls-provider". We'll load it when we
9568 * need it.
9569 */
9570 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9571 tls_provider_init)))
9572 return 0;
9573
9574
9575 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9576 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
9577 TEST_error("not supported in this build");
9578 return 0;
9579 #else
9580 int i, mcount, rcount, fcount;
9581
9582 for (i = 0; i < 4; i++)
9583 test_export_key_mat(i);
9584 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9585 test_printf_stdout("malloc %d realloc %d free %d\n",
9586 mcount, rcount, fcount);
9587 return 1;
9588 #endif
9589 }
9590
9591 cert = test_mk_file_path(certsdir, "servercert.pem");
9592 if (cert == NULL)
9593 goto err;
9594
9595 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9596 if (privkey == NULL)
9597 goto err;
9598
9599 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9600 if (cert2 == NULL)
9601 goto err;
9602
9603 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9604 if (privkey2 == NULL)
9605 goto err;
9606
9607 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9608 if (cert1024 == NULL)
9609 goto err;
9610
9611 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9612 if (privkey1024 == NULL)
9613 goto err;
9614
9615 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9616 if (cert3072 == NULL)
9617 goto err;
9618
9619 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9620 if (privkey3072 == NULL)
9621 goto err;
9622
9623 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9624 if (cert4096 == NULL)
9625 goto err;
9626
9627 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9628 if (privkey4096 == NULL)
9629 goto err;
9630
9631 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9632 if (cert8192 == NULL)
9633 goto err;
9634
9635 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9636 if (privkey8192 == NULL)
9637 goto err;
9638
9639 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9640 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9641 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9642 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9643 # endif
9644 #endif
9645 ADD_TEST(test_large_message_tls);
9646 ADD_TEST(test_large_message_tls_read_ahead);
9647 #ifndef OPENSSL_NO_DTLS
9648 ADD_TEST(test_large_message_dtls);
9649 #endif
9650 ADD_TEST(test_cleanse_plaintext);
9651 #ifndef OPENSSL_NO_OCSP
9652 ADD_TEST(test_tlsext_status_type);
9653 #endif
9654 ADD_TEST(test_session_with_only_int_cache);
9655 ADD_TEST(test_session_with_only_ext_cache);
9656 ADD_TEST(test_session_with_both_cache);
9657 ADD_TEST(test_session_wo_ca_names);
9658 #ifndef OSSL_NO_USABLE_TLS1_3
9659 ADD_ALL_TESTS(test_stateful_tickets, 3);
9660 ADD_ALL_TESTS(test_stateless_tickets, 3);
9661 ADD_TEST(test_psk_tickets);
9662 ADD_ALL_TESTS(test_extra_tickets, 6);
9663 #endif
9664 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9665 ADD_TEST(test_ssl_bio_pop_next_bio);
9666 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9667 ADD_TEST(test_ssl_bio_change_rbio);
9668 ADD_TEST(test_ssl_bio_change_wbio);
9669 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9670 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9671 ADD_TEST(test_keylog);
9672 #endif
9673 #ifndef OSSL_NO_USABLE_TLS1_3
9674 ADD_TEST(test_keylog_no_master_key);
9675 #endif
9676 ADD_TEST(test_client_cert_verify_cb);
9677 ADD_TEST(test_ssl_build_cert_chain);
9678 ADD_TEST(test_ssl_ctx_build_cert_chain);
9679 #ifndef OPENSSL_NO_TLS1_2
9680 ADD_TEST(test_client_hello_cb);
9681 ADD_TEST(test_no_ems);
9682 ADD_TEST(test_ccs_change_cipher);
9683 #endif
9684 #ifndef OSSL_NO_USABLE_TLS1_3
9685 ADD_ALL_TESTS(test_early_data_read_write, 3);
9686 /*
9687 * We don't do replay tests for external PSK. Replay protection isn't used
9688 * in that scenario.
9689 */
9690 ADD_ALL_TESTS(test_early_data_replay, 2);
9691 ADD_ALL_TESTS(test_early_data_skip, 3);
9692 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9693 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9694 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9695 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9696 ADD_ALL_TESTS(test_early_data_psk, 8);
9697 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9698 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9699 # ifndef OPENSSL_NO_TLS1_2
9700 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9701 # endif
9702 #endif
9703 #ifndef OSSL_NO_USABLE_TLS1_3
9704 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9705 ADD_TEST(test_ciphersuite_change);
9706 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9707 # ifdef OPENSSL_NO_PSK
9708 ADD_ALL_TESTS(test_tls13_psk, 1);
9709 # else
9710 ADD_ALL_TESTS(test_tls13_psk, 4);
9711 # endif /* OPENSSL_NO_PSK */
9712 # ifndef OPENSSL_NO_TLS1_2
9713 /* Test with both TLSv1.3 and 1.2 versions */
9714 ADD_ALL_TESTS(test_key_exchange, 14);
9715 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9716 ADD_ALL_TESTS(test_negotiated_group,
9717 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9718 + OSSL_NELEM(ffdhe_kexch_groups)));
9719 # endif
9720 # else
9721 /* Test with only TLSv1.3 versions */
9722 ADD_ALL_TESTS(test_key_exchange, 12);
9723 # endif
9724 ADD_ALL_TESTS(test_custom_exts, 6);
9725 ADD_TEST(test_stateless);
9726 ADD_TEST(test_pha_key_update);
9727 #else
9728 ADD_ALL_TESTS(test_custom_exts, 3);
9729 #endif
9730 ADD_ALL_TESTS(test_serverinfo, 8);
9731 ADD_ALL_TESTS(test_export_key_mat, 6);
9732 #ifndef OSSL_NO_USABLE_TLS1_3
9733 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9734 ADD_TEST(test_key_update);
9735 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9736 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9737 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9738 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9739 #endif
9740 ADD_ALL_TESTS(test_ssl_clear, 2);
9741 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9742 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9743 ADD_ALL_TESTS(test_srp, 6);
9744 #endif
9745 ADD_ALL_TESTS(test_info_callback, 6);
9746 ADD_ALL_TESTS(test_ssl_pending, 2);
9747 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9748 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9749 ADD_ALL_TESTS(test_shutdown, 7);
9750 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9751 ADD_ALL_TESTS(test_cert_cb, 6);
9752 ADD_ALL_TESTS(test_client_cert_cb, 2);
9753 ADD_ALL_TESTS(test_ca_names, 3);
9754 #ifndef OPENSSL_NO_TLS1_2
9755 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9756 #endif
9757 ADD_ALL_TESTS(test_servername, 10);
9758 #if !defined(OPENSSL_NO_EC) \
9759 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9760 ADD_ALL_TESTS(test_sigalgs_available, 6);
9761 #endif
9762 #ifndef OPENSSL_NO_TLS1_3
9763 ADD_ALL_TESTS(test_pluggable_group, 2);
9764 #endif
9765 #ifndef OPENSSL_NO_TLS1_2
9766 ADD_TEST(test_ssl_dup);
9767 # ifndef OPENSSL_NO_DH
9768 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9769 ADD_ALL_TESTS(test_dh_auto, 7);
9770 # endif
9771 #endif
9772 #ifndef OSSL_NO_USABLE_TLS1_3
9773 ADD_TEST(test_sni_tls13);
9774 #endif
9775 ADD_TEST(test_inherit_verify_param);
9776 ADD_TEST(test_set_alpn);
9777 ADD_ALL_TESTS(test_session_timeout, 1);
9778 return 1;
9779
9780 err:
9781 OPENSSL_free(cert);
9782 OPENSSL_free(privkey);
9783 OPENSSL_free(cert2);
9784 OPENSSL_free(privkey2);
9785 return 0;
9786 }
9787
9788 void cleanup_tests(void)
9789 {
9790 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9791 EVP_PKEY_free(tmp_dh_params);
9792 #endif
9793 OPENSSL_free(cert);
9794 OPENSSL_free(privkey);
9795 OPENSSL_free(cert2);
9796 OPENSSL_free(privkey2);
9797 OPENSSL_free(cert1024);
9798 OPENSSL_free(privkey1024);
9799 OPENSSL_free(cert3072);
9800 OPENSSL_free(privkey3072);
9801 OPENSSL_free(cert4096);
9802 OPENSSL_free(privkey4096);
9803 OPENSSL_free(cert8192);
9804 OPENSSL_free(privkey8192);
9805 bio_s_mempacket_test_free();
9806 bio_s_always_retry_free();
9807 OSSL_PROVIDER_unload(defctxnull);
9808 OSSL_LIB_CTX_free(libctx);
9809 }
A mirror of the official openssl repository