]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
test: TLS1.3 and new ciphers for kTLS
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_numbers.h>
32 #include <openssl/provider.h>
33
34 #include "ssltestlib.h"
35 #include "testutil.h"
36 #include "testutil/output.h"
37 #include "internal/nelem.h"
38 #include "internal/ktls.h"
39 #include "../ssl/ssl_local.h"
40
41 /* Defined in filterprov.c */
42 OSSL_provider_init_fn filter_provider_init;
43 int filter_provider_set_filter(int operation, const char *name);
44
45 DEFINE_STACK_OF(OCSP_RESPID)
46 DEFINE_STACK_OF(X509)
47 DEFINE_STACK_OF(X509_NAME)
48
49 static OPENSSL_CTX *libctx = NULL;
50 static OSSL_PROVIDER *defctxnull = NULL;
51
52 #ifndef OPENSSL_NO_TLS1_3
53
54 static SSL_SESSION *clientpsk = NULL;
55 static SSL_SESSION *serverpsk = NULL;
56 static const char *pskid = "Identity";
57 static const char *srvid;
58
59 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
60 size_t *idlen, SSL_SESSION **sess);
61 static int find_session_cb(SSL *ssl, const unsigned char *identity,
62 size_t identity_len, SSL_SESSION **sess);
63
64 static int use_session_cb_cnt = 0;
65 static int find_session_cb_cnt = 0;
66
67 static SSL_SESSION *create_a_psk(SSL *ssl);
68 #endif
69
70 static char *certsdir = NULL;
71 static char *cert = NULL;
72 static char *privkey = NULL;
73 static char *cert2 = NULL;
74 static char *privkey2 = NULL;
75 static char *srpvfile = NULL;
76 static char *tmpfilename = NULL;
77
78 static int is_fips = 0;
79
80 #define LOG_BUFFER_SIZE 2048
81 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
82 static size_t server_log_buffer_index = 0;
83 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
84 static size_t client_log_buffer_index = 0;
85 static int error_writing_log = 0;
86
87 #ifndef OPENSSL_NO_OCSP
88 static const unsigned char orespder[] = "Dummy OCSP Response";
89 static int ocsp_server_called = 0;
90 static int ocsp_client_called = 0;
91
92 static int cdummyarg = 1;
93 static X509 *ocspcert = NULL;
94 #endif
95
96 #define NUM_EXTRA_CERTS 40
97 #define CLIENT_VERSION_LEN 2
98
99 /*
100 * This structure is used to validate that the correct number of log messages
101 * of various types are emitted when emitting secret logs.
102 */
103 struct sslapitest_log_counts {
104 unsigned int rsa_key_exchange_count;
105 unsigned int master_secret_count;
106 unsigned int client_early_secret_count;
107 unsigned int client_handshake_secret_count;
108 unsigned int server_handshake_secret_count;
109 unsigned int client_application_secret_count;
110 unsigned int server_application_secret_count;
111 unsigned int early_exporter_secret_count;
112 unsigned int exporter_secret_count;
113 };
114
115
116 static unsigned char serverinfov1[] = {
117 0xff, 0xff, /* Dummy extension type */
118 0x00, 0x01, /* Extension length is 1 byte */
119 0xff /* Dummy extension data */
120 };
121
122 static unsigned char serverinfov2[] = {
123 0x00, 0x00, 0x00,
124 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
125 0xff, 0xff, /* Dummy extension type */
126 0x00, 0x01, /* Extension length is 1 byte */
127 0xff /* Dummy extension data */
128 };
129
130 static int hostname_cb(SSL *s, int *al, void *arg)
131 {
132 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
133
134 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
135 || strcmp(hostname, "altgoodhost") == 0))
136 return SSL_TLSEXT_ERR_OK;
137
138 return SSL_TLSEXT_ERR_NOACK;
139 }
140
141 static void client_keylog_callback(const SSL *ssl, const char *line)
142 {
143 int line_length = strlen(line);
144
145 /* If the log doesn't fit, error out. */
146 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
147 TEST_info("Client log too full");
148 error_writing_log = 1;
149 return;
150 }
151
152 strcat(client_log_buffer, line);
153 client_log_buffer_index += line_length;
154 client_log_buffer[client_log_buffer_index++] = '\n';
155 }
156
157 static void server_keylog_callback(const SSL *ssl, const char *line)
158 {
159 int line_length = strlen(line);
160
161 /* If the log doesn't fit, error out. */
162 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
163 TEST_info("Server log too full");
164 error_writing_log = 1;
165 return;
166 }
167
168 strcat(server_log_buffer, line);
169 server_log_buffer_index += line_length;
170 server_log_buffer[server_log_buffer_index++] = '\n';
171 }
172
173 static int compare_hex_encoded_buffer(const char *hex_encoded,
174 size_t hex_length,
175 const uint8_t *raw,
176 size_t raw_length)
177 {
178 size_t i, j;
179 char hexed[3];
180
181 if (!TEST_size_t_eq(raw_length * 2, hex_length))
182 return 1;
183
184 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
185 sprintf(hexed, "%02x", raw[i]);
186 if (!TEST_int_eq(hexed[0], hex_encoded[j])
187 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
188 return 1;
189 }
190
191 return 0;
192 }
193
194 static int test_keylog_output(char *buffer, const SSL *ssl,
195 const SSL_SESSION *session,
196 struct sslapitest_log_counts *expected)
197 {
198 char *token = NULL;
199 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
200 size_t client_random_size = SSL3_RANDOM_SIZE;
201 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
202 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
203 unsigned int rsa_key_exchange_count = 0;
204 unsigned int master_secret_count = 0;
205 unsigned int client_early_secret_count = 0;
206 unsigned int client_handshake_secret_count = 0;
207 unsigned int server_handshake_secret_count = 0;
208 unsigned int client_application_secret_count = 0;
209 unsigned int server_application_secret_count = 0;
210 unsigned int early_exporter_secret_count = 0;
211 unsigned int exporter_secret_count = 0;
212
213 for (token = strtok(buffer, " \n"); token != NULL;
214 token = strtok(NULL, " \n")) {
215 if (strcmp(token, "RSA") == 0) {
216 /*
217 * Premaster secret. Tokens should be: 16 ASCII bytes of
218 * hex-encoded encrypted secret, then the hex-encoded pre-master
219 * secret.
220 */
221 if (!TEST_ptr(token = strtok(NULL, " \n")))
222 return 0;
223 if (!TEST_size_t_eq(strlen(token), 16))
224 return 0;
225 if (!TEST_ptr(token = strtok(NULL, " \n")))
226 return 0;
227 /*
228 * We can't sensibly check the log because the premaster secret is
229 * transient, and OpenSSL doesn't keep hold of it once the master
230 * secret is generated.
231 */
232 rsa_key_exchange_count++;
233 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
234 /*
235 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
236 * client random, then the hex-encoded master secret.
237 */
238 client_random_size = SSL_get_client_random(ssl,
239 actual_client_random,
240 SSL3_RANDOM_SIZE);
241 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
242 return 0;
243
244 if (!TEST_ptr(token = strtok(NULL, " \n")))
245 return 0;
246 if (!TEST_size_t_eq(strlen(token), 64))
247 return 0;
248 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
249 actual_client_random,
250 client_random_size)))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 master_key_size = SSL_SESSION_get_master_key(session,
256 actual_master_key,
257 master_key_size);
258 if (!TEST_size_t_ne(master_key_size, 0))
259 return 0;
260 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
261 actual_master_key,
262 master_key_size)))
263 return 0;
264 master_secret_count++;
265 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
266 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
267 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
268 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
269 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
270 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
271 || strcmp(token, "EXPORTER_SECRET") == 0) {
272 /*
273 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
274 * client random, and then the hex-encoded secret. In this case,
275 * we treat all of these secrets identically and then just
276 * distinguish between them when counting what we saw.
277 */
278 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
279 client_early_secret_count++;
280 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
281 client_handshake_secret_count++;
282 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
283 server_handshake_secret_count++;
284 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
285 client_application_secret_count++;
286 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
287 server_application_secret_count++;
288 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
289 early_exporter_secret_count++;
290 else if (strcmp(token, "EXPORTER_SECRET") == 0)
291 exporter_secret_count++;
292
293 client_random_size = SSL_get_client_random(ssl,
294 actual_client_random,
295 SSL3_RANDOM_SIZE);
296 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
297 return 0;
298
299 if (!TEST_ptr(token = strtok(NULL, " \n")))
300 return 0;
301 if (!TEST_size_t_eq(strlen(token), 64))
302 return 0;
303 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
304 actual_client_random,
305 client_random_size)))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310
311 /*
312 * TODO(TLS1.3): test that application traffic secrets are what
313 * we expect */
314 } else {
315 TEST_info("Unexpected token %s\n", token);
316 return 0;
317 }
318 }
319
320 /* Got what we expected? */
321 if (!TEST_size_t_eq(rsa_key_exchange_count,
322 expected->rsa_key_exchange_count)
323 || !TEST_size_t_eq(master_secret_count,
324 expected->master_secret_count)
325 || !TEST_size_t_eq(client_early_secret_count,
326 expected->client_early_secret_count)
327 || !TEST_size_t_eq(client_handshake_secret_count,
328 expected->client_handshake_secret_count)
329 || !TEST_size_t_eq(server_handshake_secret_count,
330 expected->server_handshake_secret_count)
331 || !TEST_size_t_eq(client_application_secret_count,
332 expected->client_application_secret_count)
333 || !TEST_size_t_eq(server_application_secret_count,
334 expected->server_application_secret_count)
335 || !TEST_size_t_eq(early_exporter_secret_count,
336 expected->early_exporter_secret_count)
337 || !TEST_size_t_eq(exporter_secret_count,
338 expected->exporter_secret_count))
339 return 0;
340 return 1;
341 }
342
343 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
344 static int test_keylog(void)
345 {
346 SSL_CTX *cctx = NULL, *sctx = NULL;
347 SSL *clientssl = NULL, *serverssl = NULL;
348 int testresult = 0;
349 struct sslapitest_log_counts expected;
350
351 /* Clean up logging space */
352 memset(&expected, 0, sizeof(expected));
353 memset(client_log_buffer, 0, sizeof(client_log_buffer));
354 memset(server_log_buffer, 0, sizeof(server_log_buffer));
355 client_log_buffer_index = 0;
356 server_log_buffer_index = 0;
357 error_writing_log = 0;
358
359 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
360 TLS_client_method(),
361 TLS1_VERSION, 0,
362 &sctx, &cctx, cert, privkey)))
363 return 0;
364
365 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
366 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
367 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
368
369 /* We also want to ensure that we use RSA-based key exchange. */
370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
371 goto end;
372
373 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
374 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
375 goto end;
376 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
378 == client_keylog_callback))
379 goto end;
380 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
382 == server_keylog_callback))
383 goto end;
384
385 /* Now do a handshake and check that the logs have been written to. */
386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
387 &clientssl, NULL, NULL))
388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
389 SSL_ERROR_NONE))
390 || !TEST_false(error_writing_log)
391 || !TEST_int_gt(client_log_buffer_index, 0)
392 || !TEST_int_gt(server_log_buffer_index, 0))
393 goto end;
394
395 /*
396 * Now we want to test that our output data was vaguely sensible. We
397 * do that by using strtok and confirming that we have more or less the
398 * data we expect. For both client and server, we expect to see one master
399 * secret. The client should also see a RSA key exchange.
400 */
401 expected.rsa_key_exchange_count = 1;
402 expected.master_secret_count = 1;
403 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
404 SSL_get_session(clientssl), &expected)))
405 goto end;
406
407 expected.rsa_key_exchange_count = 0;
408 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
409 SSL_get_session(serverssl), &expected)))
410 goto end;
411
412 testresult = 1;
413
414 end:
415 SSL_free(serverssl);
416 SSL_free(clientssl);
417 SSL_CTX_free(sctx);
418 SSL_CTX_free(cctx);
419
420 return testresult;
421 }
422 #endif
423
424 #ifndef OPENSSL_NO_TLS1_3
425 static int test_keylog_no_master_key(void)
426 {
427 SSL_CTX *cctx = NULL, *sctx = NULL;
428 SSL *clientssl = NULL, *serverssl = NULL;
429 SSL_SESSION *sess = NULL;
430 int testresult = 0;
431 struct sslapitest_log_counts expected;
432 unsigned char buf[1];
433 size_t readbytes, written;
434
435 /* Clean up logging space */
436 memset(&expected, 0, sizeof(expected));
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441 error_writing_log = 0;
442
443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
444 TLS_client_method(), TLS1_VERSION, 0,
445 &sctx, &cctx, cert, privkey))
446 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
447 SSL3_RT_MAX_PLAIN_LENGTH)))
448 return 0;
449
450 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
451 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
452 goto end;
453
454 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
456 == client_keylog_callback))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
461 == server_keylog_callback))
462 goto end;
463
464 /* Now do a handshake and check that the logs have been written to. */
465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_true(create_ssl_connection(serverssl, clientssl,
468 SSL_ERROR_NONE))
469 || !TEST_false(error_writing_log))
470 goto end;
471
472 /*
473 * Now we want to test that our output data was vaguely sensible. For this
474 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
475 * TLSv1.3, but we do expect both client and server to emit keys.
476 */
477 expected.client_handshake_secret_count = 1;
478 expected.server_handshake_secret_count = 1;
479 expected.client_application_secret_count = 1;
480 expected.server_application_secret_count = 1;
481 expected.exporter_secret_count = 1;
482 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
483 SSL_get_session(clientssl), &expected))
484 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
485 SSL_get_session(serverssl),
486 &expected)))
487 goto end;
488
489 /* Terminate old session and resume with early data. */
490 sess = SSL_get1_session(clientssl);
491 SSL_shutdown(clientssl);
492 SSL_shutdown(serverssl);
493 SSL_free(serverssl);
494 SSL_free(clientssl);
495 serverssl = clientssl = NULL;
496
497 /* Reset key log */
498 memset(client_log_buffer, 0, sizeof(client_log_buffer));
499 memset(server_log_buffer, 0, sizeof(server_log_buffer));
500 client_log_buffer_index = 0;
501 server_log_buffer_index = 0;
502
503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
504 &clientssl, NULL, NULL))
505 || !TEST_true(SSL_set_session(clientssl, sess))
506 /* Here writing 0 length early data is enough. */
507 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
508 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
509 &readbytes),
510 SSL_READ_EARLY_DATA_ERROR)
511 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
512 SSL_EARLY_DATA_ACCEPTED)
513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
514 SSL_ERROR_NONE))
515 || !TEST_true(SSL_session_reused(clientssl)))
516 goto end;
517
518 /* In addition to the previous entries, expect early secrets. */
519 expected.client_early_secret_count = 1;
520 expected.early_exporter_secret_count = 1;
521 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
522 SSL_get_session(clientssl), &expected))
523 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
524 SSL_get_session(serverssl),
525 &expected)))
526 goto end;
527
528 testresult = 1;
529
530 end:
531 SSL_SESSION_free(sess);
532 SSL_free(serverssl);
533 SSL_free(clientssl);
534 SSL_CTX_free(sctx);
535 SSL_CTX_free(cctx);
536
537 return testresult;
538 }
539 #endif
540
541 #ifndef OPENSSL_NO_TLS1_2
542 static int full_client_hello_callback(SSL *s, int *al, void *arg)
543 {
544 int *ctr = arg;
545 const unsigned char *p;
546 int *exts;
547 /* We only configure two ciphers, but the SCSV is added automatically. */
548 #ifdef OPENSSL_NO_EC
549 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
550 #else
551 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
552 0x2c, 0x00, 0xff};
553 #endif
554 const int expected_extensions[] = {
555 #ifndef OPENSSL_NO_EC
556 11, 10,
557 #endif
558 35, 22, 23, 13};
559 size_t len;
560
561 /* Make sure we can defer processing and get called back. */
562 if ((*ctr)++ == 0)
563 return SSL_CLIENT_HELLO_RETRY;
564
565 len = SSL_client_hello_get0_ciphers(s, &p);
566 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
567 || !TEST_size_t_eq(
568 SSL_client_hello_get0_compression_methods(s, &p), 1)
569 || !TEST_int_eq(*p, 0))
570 return SSL_CLIENT_HELLO_ERROR;
571 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
572 return SSL_CLIENT_HELLO_ERROR;
573 if (len != OSSL_NELEM(expected_extensions) ||
574 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
575 printf("ClientHello callback expected extensions mismatch\n");
576 OPENSSL_free(exts);
577 return SSL_CLIENT_HELLO_ERROR;
578 }
579 OPENSSL_free(exts);
580 return SSL_CLIENT_HELLO_SUCCESS;
581 }
582
583 static int test_client_hello_cb(void)
584 {
585 SSL_CTX *cctx = NULL, *sctx = NULL;
586 SSL *clientssl = NULL, *serverssl = NULL;
587 int testctr = 0, testresult = 0;
588
589 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
590 TLS_client_method(), TLS1_VERSION, 0,
591 &sctx, &cctx, cert, privkey)))
592 goto end;
593 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
594
595 /* The gimpy cipher list we configure can't do TLS 1.3. */
596 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
597
598 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
599 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
600 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
601 &clientssl, NULL, NULL))
602 || !TEST_false(create_ssl_connection(serverssl, clientssl,
603 SSL_ERROR_WANT_CLIENT_HELLO_CB))
604 /*
605 * Passing a -1 literal is a hack since
606 * the real value was lost.
607 * */
608 || !TEST_int_eq(SSL_get_error(serverssl, -1),
609 SSL_ERROR_WANT_CLIENT_HELLO_CB)
610 || !TEST_true(create_ssl_connection(serverssl, clientssl,
611 SSL_ERROR_NONE)))
612 goto end;
613
614 testresult = 1;
615
616 end:
617 SSL_free(serverssl);
618 SSL_free(clientssl);
619 SSL_CTX_free(sctx);
620 SSL_CTX_free(cctx);
621
622 return testresult;
623 }
624
625 static int test_no_ems(void)
626 {
627 SSL_CTX *cctx = NULL, *sctx = NULL;
628 SSL *clientssl = NULL, *serverssl = NULL;
629 int testresult = 0;
630
631 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
632 TLS1_VERSION, TLS1_2_VERSION,
633 &sctx, &cctx, cert, privkey)) {
634 printf("Unable to create SSL_CTX pair\n");
635 goto end;
636 }
637
638 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
639
640 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
641 printf("Unable to create SSL objects\n");
642 goto end;
643 }
644
645 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
646 printf("Creating SSL connection failed\n");
647 goto end;
648 }
649
650 if (SSL_get_extms_support(serverssl)) {
651 printf("Server reports Extended Master Secret support\n");
652 goto end;
653 }
654
655 if (SSL_get_extms_support(clientssl)) {
656 printf("Client reports Extended Master Secret support\n");
657 goto end;
658 }
659 testresult = 1;
660
661 end:
662 SSL_free(serverssl);
663 SSL_free(clientssl);
664 SSL_CTX_free(sctx);
665 SSL_CTX_free(cctx);
666
667 return testresult;
668 }
669
670 /*
671 * Very focused test to exercise a single case in the server-side state
672 * machine, when the ChangeCipherState message needs to actually change
673 * from one cipher to a different cipher (i.e., not changing from null
674 * encryption to real encryption).
675 */
676 static int test_ccs_change_cipher(void)
677 {
678 SSL_CTX *cctx = NULL, *sctx = NULL;
679 SSL *clientssl = NULL, *serverssl = NULL;
680 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
681 int testresult = 0;
682 int i;
683 unsigned char buf;
684 size_t readbytes;
685
686 /*
687 * Create a conection so we can resume and potentially (but not) use
688 * a different cipher in the second connection.
689 */
690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
691 TLS_client_method(),
692 TLS1_VERSION, TLS1_2_VERSION,
693 &sctx, &cctx, cert, privkey))
694 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
695 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
696 NULL, NULL))
697 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
699 SSL_ERROR_NONE))
700 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
701 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
702 goto end;
703
704 shutdown_ssl_connection(serverssl, clientssl);
705 serverssl = clientssl = NULL;
706
707 /* Resume, preferring a different cipher. Our server will force the
708 * same cipher to be used as the initial handshake. */
709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
710 NULL, NULL))
711 || !TEST_true(SSL_set_session(clientssl, sess))
712 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
714 SSL_ERROR_NONE))
715 || !TEST_true(SSL_session_reused(clientssl))
716 || !TEST_true(SSL_session_reused(serverssl))
717 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
718 || !TEST_ptr_eq(sesspre, sesspost)
719 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
720 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
721 goto end;
722 shutdown_ssl_connection(serverssl, clientssl);
723 serverssl = clientssl = NULL;
724
725 /*
726 * Now create a fresh connection and try to renegotiate a different
727 * cipher on it.
728 */
729 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
730 NULL, NULL))
731 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
732 || !TEST_true(create_ssl_connection(serverssl, clientssl,
733 SSL_ERROR_NONE))
734 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
735 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
736 || !TEST_true(SSL_renegotiate(clientssl))
737 || !TEST_true(SSL_renegotiate_pending(clientssl)))
738 goto end;
739 /* Actually drive the renegotiation. */
740 for (i = 0; i < 3; i++) {
741 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
743 goto end;
744 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
745 SSL_ERROR_WANT_READ)) {
746 goto end;
747 }
748 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
749 if (!TEST_ulong_eq(readbytes, 0))
750 goto end;
751 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
752 SSL_ERROR_WANT_READ)) {
753 goto end;
754 }
755 }
756 /* sesspre and sesspost should be different since the cipher changed. */
757 if (!TEST_false(SSL_renegotiate_pending(clientssl))
758 || !TEST_false(SSL_session_reused(clientssl))
759 || !TEST_false(SSL_session_reused(serverssl))
760 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
761 || !TEST_ptr_ne(sesspre, sesspost)
762 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
763 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
764 goto end;
765
766 shutdown_ssl_connection(serverssl, clientssl);
767 serverssl = clientssl = NULL;
768
769 testresult = 1;
770
771 end:
772 SSL_free(serverssl);
773 SSL_free(clientssl);
774 SSL_CTX_free(sctx);
775 SSL_CTX_free(cctx);
776 SSL_SESSION_free(sess);
777
778 return testresult;
779 }
780 #endif
781
782 static int execute_test_large_message(const SSL_METHOD *smeth,
783 const SSL_METHOD *cmeth,
784 int min_version, int max_version,
785 int read_ahead)
786 {
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
789 int testresult = 0;
790 int i;
791 BIO *certbio = NULL;
792 X509 *chaincert = NULL;
793 int certlen;
794
795 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
796 goto end;
797 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
798 BIO_free(certbio);
799 certbio = NULL;
800 if (!TEST_ptr(chaincert))
801 goto end;
802
803 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
804 max_version, &sctx, &cctx, cert,
805 privkey)))
806 goto end;
807
808 if (read_ahead) {
809 /*
810 * Test that read_ahead works correctly when dealing with large
811 * records
812 */
813 SSL_CTX_set_read_ahead(cctx, 1);
814 }
815
816 /*
817 * We assume the supplied certificate is big enough so that if we add
818 * NUM_EXTRA_CERTS it will make the overall message large enough. The
819 * default buffer size is requested to be 16k, but due to the way BUF_MEM
820 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
821 * test we need to have a message larger than that.
822 */
823 certlen = i2d_X509(chaincert, NULL);
824 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
825 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
826 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
827 if (!X509_up_ref(chaincert))
828 goto end;
829 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
830 X509_free(chaincert);
831 goto end;
832 }
833 }
834
835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
836 NULL, NULL))
837 || !TEST_true(create_ssl_connection(serverssl, clientssl,
838 SSL_ERROR_NONE)))
839 goto end;
840
841 /*
842 * Calling SSL_clear() first is not required but this tests that SSL_clear()
843 * doesn't leak.
844 */
845 if (!TEST_true(SSL_clear(serverssl)))
846 goto end;
847
848 testresult = 1;
849 end:
850 X509_free(chaincert);
851 SSL_free(serverssl);
852 SSL_free(clientssl);
853 SSL_CTX_free(sctx);
854 SSL_CTX_free(cctx);
855
856 return testresult;
857 }
858
859 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
860 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
861 #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
862 /* sock must be connected */
863 static int ktls_chk_platform(int sock)
864 {
865 if (!ktls_enable(sock))
866 return 0;
867 return 1;
868 }
869
870 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
871 {
872 static char count = 1;
873 unsigned char cbuf[16000] = {0};
874 unsigned char sbuf[16000];
875 size_t err = 0;
876 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
877 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
878 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
879 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
880 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
881 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884
885 cbuf[0] = count++;
886 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
887 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
888 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
889 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
890
891 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
892 goto end;
893
894 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
895 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
896 goto end;
897 }
898 }
899
900 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
901 goto end;
902
903 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
904 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
905 goto end;
906 }
907 }
908
909 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
910 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
911 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
913
914 /* verify the payload */
915 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
916 goto end;
917
918 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
919 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
920 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
921 crec_wseq_after, rec_seq_size))
922 goto end;
923 } else {
924 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
925 crec_wseq_after, rec_seq_size))
926 goto end;
927 }
928
929 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
930 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
931 srec_wseq_after, rec_seq_size))
932 goto end;
933 } else {
934 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
935 srec_wseq_after, rec_seq_size))
936 goto end;
937 }
938
939 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
940 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
941 crec_rseq_after, rec_seq_size))
942 goto end;
943 } else {
944 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
945 crec_rseq_after, rec_seq_size))
946 goto end;
947 }
948
949 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
950 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
951 srec_rseq_after, rec_seq_size))
952 goto end;
953 } else {
954 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
955 srec_rseq_after, rec_seq_size))
956 goto end;
957 }
958
959 return 1;
960 end:
961 return 0;
962 }
963
964 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
965 int sis_ktls_tx, int sis_ktls_rx,
966 int tls_version, const char *cipher,
967 int rec_seq_size)
968 {
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
971 int testresult = 0;
972 int cfd, sfd;
973
974 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
975 goto end;
976
977 /* Skip this test if the platform does not support ktls */
978 if (!ktls_chk_platform(cfd))
979 return 1;
980
981 /* Create a session based on SHA-256 */
982 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
983 TLS_client_method(),
984 tls_version, tls_version,
985 &sctx, &cctx, cert, privkey))
986 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
989 goto end;
990
991 if (!cis_ktls_tx) {
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 goto end;
994 }
995
996 if (!sis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
1001 if (!cis_ktls_rx) {
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 goto end;
1004 }
1005
1006 if (!sis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 SSL_ERROR_NONE)))
1013 goto end;
1014
1015 if (!cis_ktls_tx) {
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1017 goto end;
1018 } else {
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 goto end;
1021 }
1022
1023 if (!sis_ktls_tx) {
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1025 goto end;
1026 } else {
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 goto end;
1029 }
1030
1031 if (!cis_ktls_rx) {
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_rx) {
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1044 goto end;
1045 }
1046
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1048 rec_seq_size)))
1049 goto end;
1050
1051 testresult = 1;
1052 end:
1053 if (clientssl) {
1054 SSL_shutdown(clientssl);
1055 SSL_free(clientssl);
1056 }
1057 if (serverssl) {
1058 SSL_shutdown(serverssl);
1059 SSL_free(serverssl);
1060 }
1061 SSL_CTX_free(sctx);
1062 SSL_CTX_free(cctx);
1063 serverssl = clientssl = NULL;
1064 return testresult;
1065 }
1066
1067 #define SENDFILE_SZ (16 * 4096)
1068 #define SENDFILE_CHUNK (4 * 4096)
1069 #define min(a,b) ((a) > (b) ? (b) : (a))
1070
1071 static int test_ktls_sendfile(int tls_version, const char *cipher)
1072 {
1073 SSL_CTX *cctx = NULL, *sctx = NULL;
1074 SSL *clientssl = NULL, *serverssl = NULL;
1075 unsigned char *buf, *buf_dst;
1076 BIO *out = NULL, *in = NULL;
1077 int cfd, sfd, ffd, err;
1078 ssize_t chunk_size = 0;
1079 off_t chunk_off = 0;
1080 int testresult = 0;
1081 FILE *ffdp;
1082
1083 buf = OPENSSL_zalloc(SENDFILE_SZ);
1084 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1085 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1086 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1087 goto end;
1088
1089 /* Skip this test if the platform does not support ktls */
1090 if (!ktls_chk_platform(sfd)) {
1091 testresult = 1;
1092 goto end;
1093 }
1094
1095 /* Create a session based on SHA-256 */
1096 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1097 TLS_client_method(),
1098 tls_version, tls_version,
1099 &sctx, &cctx, cert, privkey))
1100 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1103 goto end;
1104
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1108 goto end;
1109
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1112 if (!TEST_ptr(out))
1113 goto end;
1114
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 goto end;
1117
1118 BIO_free(out);
1119 out = NULL;
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1122 ffd = fileno(ffdp);
1123
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1127 ffd,
1128 chunk_off,
1129 chunk_size,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1132 goto end;
1133 }
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1138 goto end;
1139 }
1140
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1143 chunk_size,
1144 buf + chunk_off,
1145 chunk_size))
1146 goto end;
1147
1148 chunk_off += chunk_size;
1149 }
1150
1151 testresult = 1;
1152 end:
1153 if (clientssl) {
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1156 }
1157 if (serverssl) {
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1160 }
1161 SSL_CTX_free(sctx);
1162 SSL_CTX_free(cctx);
1163 serverssl = clientssl = NULL;
1164 BIO_free(out);
1165 BIO_free(in);
1166 OPENSSL_free(buf);
1167 OPENSSL_free(buf_dst);
1168 return testresult;
1169 }
1170
1171 static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
1172 {
1173 int testresult = 1;
1174
1175 #ifdef OPENSSL_KTLS_AES_GCM_128
1176 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1177 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1178 #endif
1179 #ifdef OPENSSL_KTLS_AES_CCM_128
1180 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1181 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1182 #endif
1183 #ifdef OPENSSL_KTLS_AES_GCM_256
1184 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1185 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1186 #endif
1187 return testresult;
1188 }
1189
1190 static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
1191 {
1192 int testresult = 1;
1193
1194 #ifdef OPENSSL_KTLS_AES_GCM_128
1195 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1196 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1197 #endif
1198 #ifdef OPENSSL_KTLS_AES_CCM_128
1199 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1200 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1201 #endif
1202 #ifdef OPENSSL_KTLS_AES_GCM_256
1203 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1204 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1205 #endif
1206 return testresult;
1207 }
1208
1209 static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
1210 {
1211 int testresult = 1;
1212
1213 #ifdef OPENSSL_KTLS_AES_GCM_128
1214 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1215 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1216 #endif
1217 #ifdef OPENSSL_KTLS_AES_CCM_128
1218 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1219 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1220 #endif
1221 #ifdef OPENSSL_KTLS_AES_GCM_256
1222 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1223 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1224 #endif
1225 return testresult;
1226 }
1227
1228 static int test_ktls_client_no_txrx_server(int tlsver)
1229 {
1230 int testresult = 1;
1231
1232 #ifdef OPENSSL_KTLS_AES_GCM_128
1233 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1234 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1235 #endif
1236 #ifdef OPENSSL_KTLS_AES_CCM_128
1237 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1238 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1239 #endif
1240 #ifdef OPENSSL_KTLS_AES_GCM_256
1241 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1242 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1243 #endif
1244 return testresult;
1245 }
1246
1247 static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
1248 {
1249 int testresult = 1;
1250
1251 #ifdef OPENSSL_KTLS_AES_GCM_128
1252 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1253 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1254 #endif
1255 #ifdef OPENSSL_KTLS_AES_CCM_128
1256 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1257 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1258 #endif
1259 #ifdef OPENSSL_KTLS_AES_GCM_256
1260 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1261 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1262 #endif
1263 return testresult;
1264 }
1265
1266 static int test_ktls_no_rx_client_no_rx_server(int tlsver)
1267 {
1268 int testresult = 1;
1269
1270 #ifdef OPENSSL_KTLS_AES_GCM_128
1271 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1272 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1273 #endif
1274 #ifdef OPENSSL_KTLS_AES_CCM_128
1275 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1276 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1277 #endif
1278 #ifdef OPENSSL_KTLS_AES_GCM_256
1279 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1280 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1281 #endif
1282 return testresult;
1283 }
1284
1285 static int test_ktls_no_tx_client_no_rx_server(int tlsver)
1286 {
1287 int testresult = 1;
1288
1289 #ifdef OPENSSL_KTLS_AES_GCM_128
1290 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1291 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1292 #endif
1293 #ifdef OPENSSL_KTLS_AES_CCM_128
1294 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1295 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1296 #endif
1297 #ifdef OPENSSL_KTLS_AES_GCM_256
1298 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1299 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1300 #endif
1301 return testresult;
1302 }
1303
1304 static int test_ktls_client_no_rx_server(int tlsver)
1305 {
1306 int testresult = 1;
1307
1308 #ifdef OPENSSL_KTLS_AES_GCM_128
1309 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1310 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1311 #endif
1312 #ifdef OPENSSL_KTLS_AES_CCM_128
1313 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1314 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1315 #endif
1316 #ifdef OPENSSL_KTLS_AES_GCM_256
1317 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1318 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1319 #endif
1320 return testresult;
1321 }
1322
1323 static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
1324 {
1325 int testresult = 1;
1326
1327 #ifdef OPENSSL_KTLS_AES_GCM_128
1328 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1329 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1330 #endif
1331 #ifdef OPENSSL_KTLS_AES_CCM_128
1332 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1333 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1334 #endif
1335 #ifdef OPENSSL_KTLS_AES_GCM_256
1336 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1337 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1338 #endif
1339 return testresult;
1340 }
1341
1342 static int test_ktls_no_rx_client_no_tx_server(int tlsver)
1343 {
1344 int testresult = 1;
1345
1346 #ifdef OPENSSL_KTLS_AES_GCM_128
1347 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1348 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1349 #endif
1350 #ifdef OPENSSL_KTLS_AES_CCM_128
1351 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1352 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1353 #endif
1354 #ifdef OPENSSL_KTLS_AES_GCM_256
1355 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1356 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1357 #endif
1358 return testresult;
1359 }
1360
1361 static int test_ktls_no_tx_client_no_tx_server(int tlsver)
1362 {
1363 int testresult = 1;
1364
1365 #ifdef OPENSSL_KTLS_AES_GCM_128
1366 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1367 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1368 #endif
1369 #ifdef OPENSSL_KTLS_AES_CCM_128
1370 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1371 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1372 #endif
1373 #ifdef OPENSSL_KTLS_AES_GCM_256
1374 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1375 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1376 #endif
1377 return testresult;
1378 }
1379
1380 static int test_ktls_client_no_tx_server(int tlsver)
1381 {
1382 int testresult = 1;
1383
1384 #ifdef OPENSSL_KTLS_AES_GCM_128
1385 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1386 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1387 #endif
1388 #ifdef OPENSSL_KTLS_AES_CCM_128
1389 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1390 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1391 #endif
1392 #ifdef OPENSSL_KTLS_AES_GCM_256
1393 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1394 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1395 #endif
1396 return testresult;
1397 }
1398
1399 static int test_ktls_no_txrx_client_server(int tlsver)
1400 {
1401 int testresult = 1;
1402
1403 #ifdef OPENSSL_KTLS_AES_GCM_128
1404 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1405 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1406 #endif
1407 #ifdef OPENSSL_KTLS_AES_CCM_128
1408 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1409 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1410 #endif
1411 #ifdef OPENSSL_KTLS_AES_GCM_256
1412 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1413 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1414 #endif
1415 return testresult;
1416 }
1417
1418 static int test_ktls_no_rx_client_server(int tlsver)
1419 {
1420 int testresult = 1;
1421
1422 #ifdef OPENSSL_KTLS_AES_GCM_128
1423 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1424 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1425 #endif
1426 #ifdef OPENSSL_KTLS_AES_CCM_128
1427 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1428 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1429 #endif
1430 #ifdef OPENSSL_KTLS_AES_GCM_256
1431 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1432 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1433 #endif
1434 return testresult;
1435 }
1436
1437 static int test_ktls_no_tx_client_server(int tlsver)
1438 {
1439 int testresult = 1;
1440
1441 #ifdef OPENSSL_KTLS_AES_GCM_128
1442 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1443 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1444 #endif
1445 #ifdef OPENSSL_KTLS_AES_CCM_128
1446 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1447 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1448 #endif
1449 #ifdef OPENSSL_KTLS_AES_GCM_256
1450 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1451 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1452 #endif
1453 return testresult;
1454 }
1455
1456 static int test_ktls_client_server(int tlsver)
1457 {
1458 int testresult = 1;
1459
1460 #ifdef OPENSSL_KTLS_AES_GCM_128
1461 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1462 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1463 #endif
1464 #ifdef OPENSSL_KTLS_AES_CCM_128
1465 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1466 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1467 #endif
1468 #ifdef OPENSSL_KTLS_AES_GCM_256
1469 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1470 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1471 #endif
1472 return testresult;
1473 }
1474
1475 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1476 static int test_ktls(int test)
1477 {
1478 int tlsver;
1479
1480 if (test > 15) {
1481 #if defined(OPENSSL_NO_TLS1_3)
1482 return 1;
1483 #else
1484 test -= 16;
1485 tlsver = TLS1_3_VERSION;
1486 #endif
1487 } else {
1488 #if defined(OPENSSL_NO_TLS1_2)
1489 return 1;
1490 #else
1491 tlsver = TLS1_2_VERSION;
1492 #endif
1493 }
1494
1495 switch(test) {
1496 case 0:
1497 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1498 case 1:
1499 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1500 case 2:
1501 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1502 case 3:
1503 return test_ktls_client_no_txrx_server(tlsver);
1504 case 4:
1505 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1506 case 5:
1507 return test_ktls_no_rx_client_no_rx_server(tlsver);
1508 case 6:
1509 return test_ktls_no_tx_client_no_rx_server(tlsver);
1510 case 7:
1511 return test_ktls_client_no_rx_server(tlsver);
1512 case 8:
1513 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1514 case 9:
1515 return test_ktls_no_rx_client_no_tx_server(tlsver);
1516 case 10:
1517 return test_ktls_no_tx_client_no_tx_server(tlsver);
1518 case 11:
1519 return test_ktls_client_no_tx_server(tlsver);
1520 case 12:
1521 return test_ktls_no_txrx_client_server(tlsver);
1522 case 13:
1523 return test_ktls_no_rx_client_server(tlsver);
1524 case 14:
1525 return test_ktls_no_tx_client_server(tlsver);
1526 case 15:
1527 return test_ktls_client_server(tlsver);
1528 default:
1529 return 0;
1530 }
1531 }
1532
1533 static int test_ktls_sendfile_anytls(int tst)
1534 {
1535 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1536 int tlsver;
1537
1538 if (tst > 2) {
1539 #if defined(OPENSSL_NO_TLS1_3)
1540 return 1;
1541 #else
1542 tst -= 3;
1543 tlsver = TLS1_3_VERSION;
1544 #endif
1545 } else {
1546 #if defined(OPENSSL_NO_TLS1_2)
1547 return 1;
1548 #else
1549 tlsver = TLS1_2_VERSION;
1550 #endif
1551 }
1552
1553 #ifndef OPENSSL_KTLS_AES_GCM_128
1554 if(tst == 0) return 1;
1555 #endif
1556 #ifndef OPENSSL_KTLS_AES_CCM_128
1557 if(tst == 1) return 1;
1558 #endif
1559 #ifndef OPENSSL_KTLS_AES_GCM_256
1560 if(tst == 2) return 1;
1561 #endif
1562 return test_ktls_sendfile(tlsver, cipher[tst]);
1563 }
1564
1565 #endif
1566 #endif
1567
1568 static int test_large_message_tls(void)
1569 {
1570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1571 TLS1_VERSION, 0, 0);
1572 }
1573
1574 static int test_large_message_tls_read_ahead(void)
1575 {
1576 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1577 TLS1_VERSION, 0, 1);
1578 }
1579
1580 #ifndef OPENSSL_NO_DTLS
1581 static int test_large_message_dtls(void)
1582 {
1583 /*
1584 * read_ahead is not relevant to DTLS because DTLS always acts as if
1585 * read_ahead is set.
1586 */
1587 return execute_test_large_message(DTLS_server_method(),
1588 DTLS_client_method(),
1589 DTLS1_VERSION, 0, 0);
1590 }
1591 #endif
1592
1593 #ifndef OPENSSL_NO_OCSP
1594 static int ocsp_server_cb(SSL *s, void *arg)
1595 {
1596 int *argi = (int *)arg;
1597 unsigned char *copy = NULL;
1598 STACK_OF(OCSP_RESPID) *ids = NULL;
1599 OCSP_RESPID *id = NULL;
1600
1601 if (*argi == 2) {
1602 /* In this test we are expecting exactly 1 OCSP_RESPID */
1603 SSL_get_tlsext_status_ids(s, &ids);
1604 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1605 return SSL_TLSEXT_ERR_ALERT_FATAL;
1606
1607 id = sk_OCSP_RESPID_value(ids, 0);
1608 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1609 return SSL_TLSEXT_ERR_ALERT_FATAL;
1610 } else if (*argi != 1) {
1611 return SSL_TLSEXT_ERR_ALERT_FATAL;
1612 }
1613
1614 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1615 return SSL_TLSEXT_ERR_ALERT_FATAL;
1616
1617 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1618 ocsp_server_called = 1;
1619 return SSL_TLSEXT_ERR_OK;
1620 }
1621
1622 static int ocsp_client_cb(SSL *s, void *arg)
1623 {
1624 int *argi = (int *)arg;
1625 const unsigned char *respderin;
1626 size_t len;
1627
1628 if (*argi != 1 && *argi != 2)
1629 return 0;
1630
1631 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1632 if (!TEST_mem_eq(orespder, len, respderin, len))
1633 return 0;
1634
1635 ocsp_client_called = 1;
1636 return 1;
1637 }
1638
1639 static int test_tlsext_status_type(void)
1640 {
1641 SSL_CTX *cctx = NULL, *sctx = NULL;
1642 SSL *clientssl = NULL, *serverssl = NULL;
1643 int testresult = 0;
1644 STACK_OF(OCSP_RESPID) *ids = NULL;
1645 OCSP_RESPID *id = NULL;
1646 BIO *certbio = NULL;
1647
1648 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1649 TLS1_VERSION, 0,
1650 &sctx, &cctx, cert, privkey))
1651 return 0;
1652
1653 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1654 goto end;
1655
1656 /* First just do various checks getting and setting tlsext_status_type */
1657
1658 clientssl = SSL_new(cctx);
1659 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1660 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1661 TLSEXT_STATUSTYPE_ocsp))
1662 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1663 TLSEXT_STATUSTYPE_ocsp))
1664 goto end;
1665
1666 SSL_free(clientssl);
1667 clientssl = NULL;
1668
1669 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1670 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1671 goto end;
1672
1673 clientssl = SSL_new(cctx);
1674 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1675 goto end;
1676 SSL_free(clientssl);
1677 clientssl = NULL;
1678
1679 /*
1680 * Now actually do a handshake and check OCSP information is exchanged and
1681 * the callbacks get called
1682 */
1683 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1684 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1685 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1686 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1687 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1688 &clientssl, NULL, NULL))
1689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1690 SSL_ERROR_NONE))
1691 || !TEST_true(ocsp_client_called)
1692 || !TEST_true(ocsp_server_called))
1693 goto end;
1694 SSL_free(serverssl);
1695 SSL_free(clientssl);
1696 serverssl = NULL;
1697 clientssl = NULL;
1698
1699 /* Try again but this time force the server side callback to fail */
1700 ocsp_client_called = 0;
1701 ocsp_server_called = 0;
1702 cdummyarg = 0;
1703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1704 &clientssl, NULL, NULL))
1705 /* This should fail because the callback will fail */
1706 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1707 SSL_ERROR_NONE))
1708 || !TEST_false(ocsp_client_called)
1709 || !TEST_false(ocsp_server_called))
1710 goto end;
1711 SSL_free(serverssl);
1712 SSL_free(clientssl);
1713 serverssl = NULL;
1714 clientssl = NULL;
1715
1716 /*
1717 * This time we'll get the client to send an OCSP_RESPID that it will
1718 * accept.
1719 */
1720 ocsp_client_called = 0;
1721 ocsp_server_called = 0;
1722 cdummyarg = 2;
1723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1724 &clientssl, NULL, NULL)))
1725 goto end;
1726
1727 /*
1728 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1729 * specific one. We'll use the server cert.
1730 */
1731 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1732 || !TEST_ptr(id = OCSP_RESPID_new())
1733 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1734 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1735 NULL, NULL, NULL))
1736 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1737 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1738 goto end;
1739 id = NULL;
1740 SSL_set_tlsext_status_ids(clientssl, ids);
1741 /* Control has been transferred */
1742 ids = NULL;
1743
1744 BIO_free(certbio);
1745 certbio = NULL;
1746
1747 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1748 SSL_ERROR_NONE))
1749 || !TEST_true(ocsp_client_called)
1750 || !TEST_true(ocsp_server_called))
1751 goto end;
1752
1753 testresult = 1;
1754
1755 end:
1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1758 SSL_CTX_free(sctx);
1759 SSL_CTX_free(cctx);
1760 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1761 OCSP_RESPID_free(id);
1762 BIO_free(certbio);
1763 X509_free(ocspcert);
1764 ocspcert = NULL;
1765
1766 return testresult;
1767 }
1768 #endif
1769
1770 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1771 static int new_called, remove_called, get_called;
1772
1773 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1774 {
1775 new_called++;
1776 /*
1777 * sess has been up-refed for us, but we don't actually need it so free it
1778 * immediately.
1779 */
1780 SSL_SESSION_free(sess);
1781 return 1;
1782 }
1783
1784 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1785 {
1786 remove_called++;
1787 }
1788
1789 static SSL_SESSION *get_sess_val = NULL;
1790
1791 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1792 int *copy)
1793 {
1794 get_called++;
1795 *copy = 1;
1796 return get_sess_val;
1797 }
1798
1799 static int execute_test_session(int maxprot, int use_int_cache,
1800 int use_ext_cache, long s_options)
1801 {
1802 SSL_CTX *sctx = NULL, *cctx = NULL;
1803 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1804 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1805 # ifndef OPENSSL_NO_TLS1_1
1806 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1807 # endif
1808 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1809 int testresult = 0, numnewsesstick = 1;
1810
1811 new_called = remove_called = 0;
1812
1813 /* TLSv1.3 sends 2 NewSessionTickets */
1814 if (maxprot == TLS1_3_VERSION)
1815 numnewsesstick = 2;
1816
1817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1818 TLS_client_method(), TLS1_VERSION, 0,
1819 &sctx, &cctx, cert, privkey)))
1820 return 0;
1821
1822 /*
1823 * Only allow the max protocol version so we can force a connection failure
1824 * later
1825 */
1826 SSL_CTX_set_min_proto_version(cctx, maxprot);
1827 SSL_CTX_set_max_proto_version(cctx, maxprot);
1828
1829 /* Set up session cache */
1830 if (use_ext_cache) {
1831 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1832 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1833 }
1834 if (use_int_cache) {
1835 /* Also covers instance where both are set */
1836 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1837 } else {
1838 SSL_CTX_set_session_cache_mode(cctx,
1839 SSL_SESS_CACHE_CLIENT
1840 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1841 }
1842
1843 if (s_options) {
1844 SSL_CTX_set_options(sctx, s_options);
1845 }
1846
1847 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1848 NULL, NULL))
1849 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1850 SSL_ERROR_NONE))
1851 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1852 goto end;
1853
1854 /* Should fail because it should already be in the cache */
1855 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1856 goto end;
1857 if (use_ext_cache
1858 && (!TEST_int_eq(new_called, numnewsesstick)
1859
1860 || !TEST_int_eq(remove_called, 0)))
1861 goto end;
1862
1863 new_called = remove_called = 0;
1864 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1865 &clientssl2, NULL, NULL))
1866 || !TEST_true(SSL_set_session(clientssl2, sess1))
1867 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1868 SSL_ERROR_NONE))
1869 || !TEST_true(SSL_session_reused(clientssl2)))
1870 goto end;
1871
1872 if (maxprot == TLS1_3_VERSION) {
1873 /*
1874 * In TLSv1.3 we should have created a new session even though we have
1875 * resumed. Since we attempted a resume we should also have removed the
1876 * old ticket from the cache so that we try to only use tickets once.
1877 */
1878 if (use_ext_cache
1879 && (!TEST_int_eq(new_called, 1)
1880 || !TEST_int_eq(remove_called, 1)))
1881 goto end;
1882 } else {
1883 /*
1884 * In TLSv1.2 we expect to have resumed so no sessions added or
1885 * removed.
1886 */
1887 if (use_ext_cache
1888 && (!TEST_int_eq(new_called, 0)
1889 || !TEST_int_eq(remove_called, 0)))
1890 goto end;
1891 }
1892
1893 SSL_SESSION_free(sess1);
1894 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1895 goto end;
1896 shutdown_ssl_connection(serverssl2, clientssl2);
1897 serverssl2 = clientssl2 = NULL;
1898
1899 new_called = remove_called = 0;
1900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1901 &clientssl2, NULL, NULL))
1902 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1903 SSL_ERROR_NONE)))
1904 goto end;
1905
1906 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1907 goto end;
1908
1909 if (use_ext_cache
1910 && (!TEST_int_eq(new_called, numnewsesstick)
1911 || !TEST_int_eq(remove_called, 0)))
1912 goto end;
1913
1914 new_called = remove_called = 0;
1915 /*
1916 * This should clear sess2 from the cache because it is a "bad" session.
1917 * See SSL_set_session() documentation.
1918 */
1919 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1920 goto end;
1921 if (use_ext_cache
1922 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1923 goto end;
1924 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1925 goto end;
1926
1927 if (use_int_cache) {
1928 /* Should succeeded because it should not already be in the cache */
1929 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1930 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1931 goto end;
1932 }
1933
1934 new_called = remove_called = 0;
1935 /* This shouldn't be in the cache so should fail */
1936 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1937 goto end;
1938
1939 if (use_ext_cache
1940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1941 goto end;
1942
1943 # if !defined(OPENSSL_NO_TLS1_1)
1944 new_called = remove_called = 0;
1945 /* Force a connection failure */
1946 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1948 &clientssl3, NULL, NULL))
1949 || !TEST_true(SSL_set_session(clientssl3, sess1))
1950 /* This should fail because of the mismatched protocol versions */
1951 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1952 SSL_ERROR_NONE)))
1953 goto end;
1954
1955 /* We should have automatically removed the session from the cache */
1956 if (use_ext_cache
1957 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1958 goto end;
1959
1960 /* Should succeed because it should not already be in the cache */
1961 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1962 goto end;
1963 # endif
1964
1965 /* Now do some tests for server side caching */
1966 if (use_ext_cache) {
1967 SSL_CTX_sess_set_new_cb(cctx, NULL);
1968 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1969 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1970 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1971 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1972 get_sess_val = NULL;
1973 }
1974
1975 SSL_CTX_set_session_cache_mode(cctx, 0);
1976 /* Internal caching is the default on the server side */
1977 if (!use_int_cache)
1978 SSL_CTX_set_session_cache_mode(sctx,
1979 SSL_SESS_CACHE_SERVER
1980 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1981
1982 SSL_free(serverssl1);
1983 SSL_free(clientssl1);
1984 serverssl1 = clientssl1 = NULL;
1985 SSL_free(serverssl2);
1986 SSL_free(clientssl2);
1987 serverssl2 = clientssl2 = NULL;
1988 SSL_SESSION_free(sess1);
1989 sess1 = NULL;
1990 SSL_SESSION_free(sess2);
1991 sess2 = NULL;
1992
1993 SSL_CTX_set_max_proto_version(sctx, maxprot);
1994 if (maxprot == TLS1_2_VERSION)
1995 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1996 new_called = remove_called = get_called = 0;
1997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1998 NULL, NULL))
1999 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2000 SSL_ERROR_NONE))
2001 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2002 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2003 goto end;
2004
2005 if (use_int_cache) {
2006 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2007 /*
2008 * In TLSv1.3 it should not have been added to the internal cache,
2009 * except in the case where we also have an external cache (in that
2010 * case it gets added to the cache in order to generate remove
2011 * events after timeout).
2012 */
2013 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2014 goto end;
2015 } else {
2016 /* Should fail because it should already be in the cache */
2017 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2018 goto end;
2019 }
2020 }
2021
2022 if (use_ext_cache) {
2023 SSL_SESSION *tmp = sess2;
2024
2025 if (!TEST_int_eq(new_called, numnewsesstick)
2026 || !TEST_int_eq(remove_called, 0)
2027 || !TEST_int_eq(get_called, 0))
2028 goto end;
2029 /*
2030 * Delete the session from the internal cache to force a lookup from
2031 * the external cache. We take a copy first because
2032 * SSL_CTX_remove_session() also marks the session as non-resumable.
2033 */
2034 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2035 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2036 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2037 goto end;
2038 SSL_SESSION_free(sess2);
2039 }
2040 sess2 = tmp;
2041 }
2042
2043 new_called = remove_called = get_called = 0;
2044 get_sess_val = sess2;
2045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2046 &clientssl2, NULL, NULL))
2047 || !TEST_true(SSL_set_session(clientssl2, sess1))
2048 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2049 SSL_ERROR_NONE))
2050 || !TEST_true(SSL_session_reused(clientssl2)))
2051 goto end;
2052
2053 if (use_ext_cache) {
2054 if (!TEST_int_eq(remove_called, 0))
2055 goto end;
2056
2057 if (maxprot == TLS1_3_VERSION) {
2058 if (!TEST_int_eq(new_called, 1)
2059 || !TEST_int_eq(get_called, 0))
2060 goto end;
2061 } else {
2062 if (!TEST_int_eq(new_called, 0)
2063 || !TEST_int_eq(get_called, 1))
2064 goto end;
2065 }
2066 }
2067
2068 testresult = 1;
2069
2070 end:
2071 SSL_free(serverssl1);
2072 SSL_free(clientssl1);
2073 SSL_free(serverssl2);
2074 SSL_free(clientssl2);
2075 # ifndef OPENSSL_NO_TLS1_1
2076 SSL_free(serverssl3);
2077 SSL_free(clientssl3);
2078 # endif
2079 SSL_SESSION_free(sess1);
2080 SSL_SESSION_free(sess2);
2081 SSL_CTX_free(sctx);
2082 SSL_CTX_free(cctx);
2083
2084 return testresult;
2085 }
2086 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2087
2088 static int test_session_with_only_int_cache(void)
2089 {
2090 #ifndef OPENSSL_NO_TLS1_3
2091 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2092 return 0;
2093 #endif
2094
2095 #ifndef OPENSSL_NO_TLS1_2
2096 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2097 #else
2098 return 1;
2099 #endif
2100 }
2101
2102 static int test_session_with_only_ext_cache(void)
2103 {
2104 #ifndef OPENSSL_NO_TLS1_3
2105 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2106 return 0;
2107 #endif
2108
2109 #ifndef OPENSSL_NO_TLS1_2
2110 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2111 #else
2112 return 1;
2113 #endif
2114 }
2115
2116 static int test_session_with_both_cache(void)
2117 {
2118 #ifndef OPENSSL_NO_TLS1_3
2119 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2120 return 0;
2121 #endif
2122
2123 #ifndef OPENSSL_NO_TLS1_2
2124 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2125 #else
2126 return 1;
2127 #endif
2128 }
2129
2130 static int test_session_wo_ca_names(void)
2131 {
2132 #ifndef OPENSSL_NO_TLS1_3
2133 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2134 return 0;
2135 #endif
2136
2137 #ifndef OPENSSL_NO_TLS1_2
2138 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2139 #else
2140 return 1;
2141 #endif
2142 }
2143
2144
2145 #ifndef OPENSSL_NO_TLS1_3
2146 static SSL_SESSION *sesscache[6];
2147 static int do_cache;
2148
2149 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2150 {
2151 if (do_cache) {
2152 sesscache[new_called] = sess;
2153 } else {
2154 /* We don't need the reference to the session, so free it */
2155 SSL_SESSION_free(sess);
2156 }
2157 new_called++;
2158
2159 return 1;
2160 }
2161
2162 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2163 {
2164 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2165 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2166 return 0;
2167
2168 /* Start handshake on the server and client */
2169 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2170 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2171 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2172 || !TEST_true(create_ssl_connection(sssl, cssl,
2173 SSL_ERROR_NONE)))
2174 return 0;
2175
2176 return 1;
2177 }
2178
2179 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2180 SSL_CTX **cctx)
2181 {
2182 int sess_id_ctx = 1;
2183
2184 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2185 TLS_client_method(), TLS1_VERSION, 0,
2186 sctx, cctx, cert, privkey))
2187 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2188 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2189 (void *)&sess_id_ctx,
2190 sizeof(sess_id_ctx))))
2191 return 0;
2192
2193 if (stateful)
2194 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2195
2196 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2197 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2198 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2199
2200 return 1;
2201 }
2202
2203 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2204 {
2205 SSL *serverssl = NULL, *clientssl = NULL;
2206 int i;
2207
2208 /* Test that we can resume with all the tickets we got given */
2209 for (i = 0; i < idx * 2; i++) {
2210 new_called = 0;
2211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2212 &clientssl, NULL, NULL))
2213 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2214 goto end;
2215
2216 SSL_set_post_handshake_auth(clientssl, 1);
2217
2218 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2219 SSL_ERROR_NONE)))
2220 goto end;
2221
2222 /*
2223 * Following a successful resumption we only get 1 ticket. After a
2224 * failed one we should get idx tickets.
2225 */
2226 if (succ) {
2227 if (!TEST_true(SSL_session_reused(clientssl))
2228 || !TEST_int_eq(new_called, 1))
2229 goto end;
2230 } else {
2231 if (!TEST_false(SSL_session_reused(clientssl))
2232 || !TEST_int_eq(new_called, idx))
2233 goto end;
2234 }
2235
2236 new_called = 0;
2237 /* After a post-handshake authentication we should get 1 new ticket */
2238 if (succ
2239 && (!post_handshake_verify(serverssl, clientssl)
2240 || !TEST_int_eq(new_called, 1)))
2241 goto end;
2242
2243 SSL_shutdown(clientssl);
2244 SSL_shutdown(serverssl);
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2247 serverssl = clientssl = NULL;
2248 SSL_SESSION_free(sesscache[i]);
2249 sesscache[i] = NULL;
2250 }
2251
2252 return 1;
2253
2254 end:
2255 SSL_free(clientssl);
2256 SSL_free(serverssl);
2257 return 0;
2258 }
2259
2260 static int test_tickets(int stateful, int idx)
2261 {
2262 SSL_CTX *sctx = NULL, *cctx = NULL;
2263 SSL *serverssl = NULL, *clientssl = NULL;
2264 int testresult = 0;
2265 size_t j;
2266
2267 /* idx is the test number, but also the number of tickets we want */
2268
2269 new_called = 0;
2270 do_cache = 1;
2271
2272 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2273 goto end;
2274
2275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2276 &clientssl, NULL, NULL)))
2277 goto end;
2278
2279 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2280 SSL_ERROR_NONE))
2281 /* Check we got the number of tickets we were expecting */
2282 || !TEST_int_eq(idx, new_called))
2283 goto end;
2284
2285 SSL_shutdown(clientssl);
2286 SSL_shutdown(serverssl);
2287 SSL_free(serverssl);
2288 SSL_free(clientssl);
2289 SSL_CTX_free(sctx);
2290 SSL_CTX_free(cctx);
2291 clientssl = serverssl = NULL;
2292 sctx = cctx = NULL;
2293
2294 /*
2295 * Now we try to resume with the tickets we previously created. The
2296 * resumption attempt is expected to fail (because we're now using a new
2297 * SSL_CTX). We should see idx number of tickets issued again.
2298 */
2299
2300 /* Stop caching sessions - just count them */
2301 do_cache = 0;
2302
2303 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2304 goto end;
2305
2306 if (!check_resumption(idx, sctx, cctx, 0))
2307 goto end;
2308
2309 /* Start again with caching sessions */
2310 new_called = 0;
2311 do_cache = 1;
2312 SSL_CTX_free(sctx);
2313 SSL_CTX_free(cctx);
2314 sctx = cctx = NULL;
2315
2316 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2317 goto end;
2318
2319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2320 &clientssl, NULL, NULL)))
2321 goto end;
2322
2323 SSL_set_post_handshake_auth(clientssl, 1);
2324
2325 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2326 SSL_ERROR_NONE))
2327 /* Check we got the number of tickets we were expecting */
2328 || !TEST_int_eq(idx, new_called))
2329 goto end;
2330
2331 /* After a post-handshake authentication we should get new tickets issued */
2332 if (!post_handshake_verify(serverssl, clientssl)
2333 || !TEST_int_eq(idx * 2, new_called))
2334 goto end;
2335
2336 SSL_shutdown(clientssl);
2337 SSL_shutdown(serverssl);
2338 SSL_free(serverssl);
2339 SSL_free(clientssl);
2340 serverssl = clientssl = NULL;
2341
2342 /* Stop caching sessions - just count them */
2343 do_cache = 0;
2344
2345 /*
2346 * Check we can resume with all the tickets we created. This time around the
2347 * resumptions should all be successful.
2348 */
2349 if (!check_resumption(idx, sctx, cctx, 1))
2350 goto end;
2351
2352 testresult = 1;
2353
2354 end:
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
2357 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2358 SSL_SESSION_free(sesscache[j]);
2359 sesscache[j] = NULL;
2360 }
2361 SSL_CTX_free(sctx);
2362 SSL_CTX_free(cctx);
2363
2364 return testresult;
2365 }
2366
2367 static int test_stateless_tickets(int idx)
2368 {
2369 return test_tickets(0, idx);
2370 }
2371
2372 static int test_stateful_tickets(int idx)
2373 {
2374 return test_tickets(1, idx);
2375 }
2376
2377 static int test_psk_tickets(void)
2378 {
2379 SSL_CTX *sctx = NULL, *cctx = NULL;
2380 SSL *serverssl = NULL, *clientssl = NULL;
2381 int testresult = 0;
2382 int sess_id_ctx = 1;
2383
2384 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2385 TLS_client_method(), TLS1_VERSION, 0,
2386 &sctx, &cctx, NULL, NULL))
2387 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2388 (void *)&sess_id_ctx,
2389 sizeof(sess_id_ctx))))
2390 goto end;
2391
2392 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2393 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2394 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2395 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2396 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2397 use_session_cb_cnt = 0;
2398 find_session_cb_cnt = 0;
2399 srvid = pskid;
2400 new_called = 0;
2401
2402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2403 NULL, NULL)))
2404 goto end;
2405 clientpsk = serverpsk = create_a_psk(clientssl);
2406 if (!TEST_ptr(clientpsk))
2407 goto end;
2408 SSL_SESSION_up_ref(clientpsk);
2409
2410 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2411 SSL_ERROR_NONE))
2412 || !TEST_int_eq(1, find_session_cb_cnt)
2413 || !TEST_int_eq(1, use_session_cb_cnt)
2414 /* We should always get 1 ticket when using external PSK */
2415 || !TEST_int_eq(1, new_called))
2416 goto end;
2417
2418 testresult = 1;
2419
2420 end:
2421 SSL_free(serverssl);
2422 SSL_free(clientssl);
2423 SSL_CTX_free(sctx);
2424 SSL_CTX_free(cctx);
2425 SSL_SESSION_free(clientpsk);
2426 SSL_SESSION_free(serverpsk);
2427 clientpsk = serverpsk = NULL;
2428
2429 return testresult;
2430 }
2431
2432 static int test_extra_tickets(int idx)
2433 {
2434 SSL_CTX *sctx = NULL, *cctx = NULL;
2435 SSL *serverssl = NULL, *clientssl = NULL;
2436 BIO *bretry = BIO_new(bio_s_always_retry());
2437 BIO *tmp = NULL;
2438 int testresult = 0;
2439 int stateful = 0;
2440 size_t nbytes;
2441 unsigned char c, buf[1];
2442
2443 new_called = 0;
2444 do_cache = 1;
2445
2446 if (idx >= 3) {
2447 idx -= 3;
2448 stateful = 1;
2449 }
2450
2451 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2452 goto end;
2453 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2454 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2455 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2456
2457 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2458 &clientssl, NULL, NULL)))
2459 goto end;
2460
2461 /*
2462 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2463 * incremented by both client and server.
2464 */
2465 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2466 SSL_ERROR_NONE))
2467 /* Check we got the number of tickets we were expecting */
2468 || !TEST_int_eq(idx * 2, new_called)
2469 || !TEST_true(SSL_new_session_ticket(serverssl))
2470 || !TEST_true(SSL_new_session_ticket(serverssl))
2471 || !TEST_int_eq(idx * 2, new_called))
2472 goto end;
2473
2474 /* Now try a (real) write to actually send the tickets */
2475 c = '1';
2476 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2477 || !TEST_size_t_eq(1, nbytes)
2478 || !TEST_int_eq(idx * 2 + 2, new_called)
2479 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2480 || !TEST_int_eq(idx * 2 + 4, new_called)
2481 || !TEST_int_eq(sizeof(buf), nbytes)
2482 || !TEST_int_eq(c, buf[0])
2483 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2484 goto end;
2485
2486 /* Try with only requesting one new ticket, too */
2487 c = '2';
2488 new_called = 0;
2489 if (!TEST_true(SSL_new_session_ticket(serverssl))
2490 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2491 || !TEST_size_t_eq(sizeof(c), nbytes)
2492 || !TEST_int_eq(1, new_called)
2493 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2494 || !TEST_int_eq(2, new_called)
2495 || !TEST_size_t_eq(sizeof(buf), nbytes)
2496 || !TEST_int_eq(c, buf[0]))
2497 goto end;
2498
2499 /* Do it again but use dummy writes to drive the ticket generation */
2500 c = '3';
2501 new_called = 0;
2502 if (!TEST_true(SSL_new_session_ticket(serverssl))
2503 || !TEST_true(SSL_new_session_ticket(serverssl))
2504 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2505 || !TEST_size_t_eq(0, nbytes)
2506 || !TEST_int_eq(2, new_called)
2507 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2508 || !TEST_int_eq(4, new_called))
2509 goto end;
2510
2511 /*
2512 * Use the always-retry BIO to exercise the logic that forces ticket
2513 * generation to wait until a record boundary.
2514 */
2515 c = '4';
2516 new_called = 0;
2517 tmp = SSL_get_wbio(serverssl);
2518 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2519 tmp = NULL;
2520 goto end;
2521 }
2522 SSL_set0_wbio(serverssl, bretry);
2523 bretry = NULL;
2524 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2525 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2526 || !TEST_size_t_eq(nbytes, 0))
2527 goto end;
2528 /* Restore a BIO that will let the write succeed */
2529 SSL_set0_wbio(serverssl, tmp);
2530 tmp = NULL;
2531 /* These calls should just queue the request and not send anything. */
2532 if (!TEST_true(SSL_new_session_ticket(serverssl))
2533 || !TEST_true(SSL_new_session_ticket(serverssl))
2534 || !TEST_int_eq(0, new_called))
2535 goto end;
2536 /* Re-do the write; still no tickets sent */
2537 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2538 || !TEST_size_t_eq(1, nbytes)
2539 || !TEST_int_eq(0, new_called)
2540 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2541 || !TEST_int_eq(0, new_called)
2542 || !TEST_int_eq(sizeof(buf), nbytes)
2543 || !TEST_int_eq(c, buf[0])
2544 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2545 goto end;
2546 /* Now the *next* write should send the tickets */
2547 c = '5';
2548 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2549 || !TEST_size_t_eq(1, nbytes)
2550 || !TEST_int_eq(2, new_called)
2551 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2552 || !TEST_int_eq(4, new_called)
2553 || !TEST_int_eq(sizeof(buf), nbytes)
2554 || !TEST_int_eq(c, buf[0])
2555 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2556 goto end;
2557
2558 SSL_shutdown(clientssl);
2559 SSL_shutdown(serverssl);
2560 testresult = 1;
2561
2562 end:
2563 BIO_free(bretry);
2564 BIO_free(tmp);
2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2567 SSL_CTX_free(sctx);
2568 SSL_CTX_free(cctx);
2569 clientssl = serverssl = NULL;
2570 sctx = cctx = NULL;
2571 return testresult;
2572 }
2573 #endif
2574
2575 #define USE_NULL 0
2576 #define USE_BIO_1 1
2577 #define USE_BIO_2 2
2578 #define USE_DEFAULT 3
2579
2580 #define CONNTYPE_CONNECTION_SUCCESS 0
2581 #define CONNTYPE_CONNECTION_FAIL 1
2582 #define CONNTYPE_NO_CONNECTION 2
2583
2584 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2585 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2586 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2587 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2588 #else
2589 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2590 #endif
2591
2592 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2593 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2594 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2595
2596 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2597 {
2598 switch (type) {
2599 case USE_NULL:
2600 *res = NULL;
2601 break;
2602 case USE_BIO_1:
2603 *res = bio1;
2604 break;
2605 case USE_BIO_2:
2606 *res = bio2;
2607 break;
2608 }
2609 }
2610
2611
2612 /*
2613 * Tests calls to SSL_set_bio() under various conditions.
2614 *
2615 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2616 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2617 * then do more tests where we create a successful connection first using our
2618 * standard connection setup functions, and then call SSL_set_bio() with
2619 * various combinations of valid BIOs or NULL. We then repeat these tests
2620 * following a failed connection. In this last case we are looking to check that
2621 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2622 */
2623 static int test_ssl_set_bio(int idx)
2624 {
2625 SSL_CTX *sctx = NULL, *cctx = NULL;
2626 BIO *bio1 = NULL;
2627 BIO *bio2 = NULL;
2628 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2629 SSL *serverssl = NULL, *clientssl = NULL;
2630 int initrbio, initwbio, newrbio, newwbio, conntype;
2631 int testresult = 0;
2632
2633 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2634 initrbio = idx % 3;
2635 idx /= 3;
2636 initwbio = idx % 3;
2637 idx /= 3;
2638 newrbio = idx % 3;
2639 idx /= 3;
2640 newwbio = idx % 3;
2641 conntype = CONNTYPE_NO_CONNECTION;
2642 } else {
2643 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2644 initrbio = initwbio = USE_DEFAULT;
2645 newrbio = idx % 2;
2646 idx /= 2;
2647 newwbio = idx % 2;
2648 idx /= 2;
2649 conntype = idx % 2;
2650 }
2651
2652 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2653 TLS_client_method(), TLS1_VERSION, 0,
2654 &sctx, &cctx, cert, privkey)))
2655 goto end;
2656
2657 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2658 /*
2659 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2660 * because we reduced the number of tests in the definition of
2661 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2662 * mismatched protocol versions we will force a connection failure.
2663 */
2664 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2665 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2666 }
2667
2668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2669 NULL, NULL)))
2670 goto end;
2671
2672 if (initrbio == USE_BIO_1
2673 || initwbio == USE_BIO_1
2674 || newrbio == USE_BIO_1
2675 || newwbio == USE_BIO_1) {
2676 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2677 goto end;
2678 }
2679
2680 if (initrbio == USE_BIO_2
2681 || initwbio == USE_BIO_2
2682 || newrbio == USE_BIO_2
2683 || newwbio == USE_BIO_2) {
2684 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2685 goto end;
2686 }
2687
2688 if (initrbio != USE_DEFAULT) {
2689 setupbio(&irbio, bio1, bio2, initrbio);
2690 setupbio(&iwbio, bio1, bio2, initwbio);
2691 SSL_set_bio(clientssl, irbio, iwbio);
2692
2693 /*
2694 * We want to maintain our own refs to these BIO, so do an up ref for
2695 * each BIO that will have ownership transferred in the SSL_set_bio()
2696 * call
2697 */
2698 if (irbio != NULL)
2699 BIO_up_ref(irbio);
2700 if (iwbio != NULL && iwbio != irbio)
2701 BIO_up_ref(iwbio);
2702 }
2703
2704 if (conntype != CONNTYPE_NO_CONNECTION
2705 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2706 SSL_ERROR_NONE)
2707 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2708 goto end;
2709
2710 setupbio(&nrbio, bio1, bio2, newrbio);
2711 setupbio(&nwbio, bio1, bio2, newwbio);
2712
2713 /*
2714 * We will (maybe) transfer ownership again so do more up refs.
2715 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2716 * already been set!
2717 */
2718 if (nrbio != NULL
2719 && nrbio != irbio
2720 && (nwbio != iwbio || nrbio != nwbio))
2721 BIO_up_ref(nrbio);
2722 if (nwbio != NULL
2723 && nwbio != nrbio
2724 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2725 BIO_up_ref(nwbio);
2726
2727 SSL_set_bio(clientssl, nrbio, nwbio);
2728
2729 testresult = 1;
2730
2731 end:
2732 BIO_free(bio1);
2733 BIO_free(bio2);
2734
2735 /*
2736 * This test is checking that the ref counting for SSL_set_bio is correct.
2737 * If we get here and we did too many frees then we will fail in the above
2738 * functions.
2739 */
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 SSL_CTX_free(sctx);
2743 SSL_CTX_free(cctx);
2744 return testresult;
2745 }
2746
2747 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2748
2749 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2750 {
2751 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2752 SSL_CTX *ctx;
2753 SSL *ssl = NULL;
2754 int testresult = 0;
2755
2756 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2757 || !TEST_ptr(ssl = SSL_new(ctx))
2758 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2759 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2760 goto end;
2761
2762 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2763
2764 /*
2765 * If anything goes wrong here then we could leak memory.
2766 */
2767 BIO_push(sslbio, membio1);
2768
2769 /* Verify changing the rbio/wbio directly does not cause leaks */
2770 if (change_bio != NO_BIO_CHANGE) {
2771 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2772 goto end;
2773 if (change_bio == CHANGE_RBIO)
2774 SSL_set0_rbio(ssl, membio2);
2775 else
2776 SSL_set0_wbio(ssl, membio2);
2777 }
2778 ssl = NULL;
2779
2780 if (pop_ssl)
2781 BIO_pop(sslbio);
2782 else
2783 BIO_pop(membio1);
2784
2785 testresult = 1;
2786 end:
2787 BIO_free(membio1);
2788 BIO_free(sslbio);
2789 SSL_free(ssl);
2790 SSL_CTX_free(ctx);
2791
2792 return testresult;
2793 }
2794
2795 static int test_ssl_bio_pop_next_bio(void)
2796 {
2797 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2798 }
2799
2800 static int test_ssl_bio_pop_ssl_bio(void)
2801 {
2802 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2803 }
2804
2805 static int test_ssl_bio_change_rbio(void)
2806 {
2807 return execute_test_ssl_bio(0, CHANGE_RBIO);
2808 }
2809
2810 static int test_ssl_bio_change_wbio(void)
2811 {
2812 return execute_test_ssl_bio(0, CHANGE_WBIO);
2813 }
2814
2815 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2816 typedef struct {
2817 /* The list of sig algs */
2818 const int *list;
2819 /* The length of the list */
2820 size_t listlen;
2821 /* A sigalgs list in string format */
2822 const char *liststr;
2823 /* Whether setting the list should succeed */
2824 int valid;
2825 /* Whether creating a connection with the list should succeed */
2826 int connsuccess;
2827 } sigalgs_list;
2828
2829 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2830 # ifndef OPENSSL_NO_EC
2831 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2832 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2833 # endif
2834 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2835 static const int invalidlist2[] = {NID_sha256, NID_undef};
2836 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2837 static const int invalidlist4[] = {NID_sha256};
2838 static const sigalgs_list testsigalgs[] = {
2839 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2840 # ifndef OPENSSL_NO_EC
2841 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2842 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2843 # endif
2844 {NULL, 0, "RSA+SHA256", 1, 1},
2845 # ifndef OPENSSL_NO_EC
2846 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2847 {NULL, 0, "ECDSA+SHA512", 1, 0},
2848 # endif
2849 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2850 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2851 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2852 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2853 {NULL, 0, "RSA", 0, 0},
2854 {NULL, 0, "SHA256", 0, 0},
2855 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2856 {NULL, 0, "Invalid", 0, 0}
2857 };
2858
2859 static int test_set_sigalgs(int idx)
2860 {
2861 SSL_CTX *cctx = NULL, *sctx = NULL;
2862 SSL *clientssl = NULL, *serverssl = NULL;
2863 int testresult = 0;
2864 const sigalgs_list *curr;
2865 int testctx;
2866
2867 /* Should never happen */
2868 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2869 return 0;
2870
2871 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2872 curr = testctx ? &testsigalgs[idx]
2873 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2874
2875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2876 TLS_client_method(), TLS1_VERSION, 0,
2877 &sctx, &cctx, cert, privkey)))
2878 return 0;
2879
2880 /*
2881 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2882 * for TLSv1.2 for now until we add a new API.
2883 */
2884 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2885
2886 if (testctx) {
2887 int ret;
2888
2889 if (curr->list != NULL)
2890 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2891 else
2892 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2893
2894 if (!ret) {
2895 if (curr->valid)
2896 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2897 else
2898 testresult = 1;
2899 goto end;
2900 }
2901 if (!curr->valid) {
2902 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2903 goto end;
2904 }
2905 }
2906
2907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2908 &clientssl, NULL, NULL)))
2909 goto end;
2910
2911 if (!testctx) {
2912 int ret;
2913
2914 if (curr->list != NULL)
2915 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2916 else
2917 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2918 if (!ret) {
2919 if (curr->valid)
2920 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2921 else
2922 testresult = 1;
2923 goto end;
2924 }
2925 if (!curr->valid)
2926 goto end;
2927 }
2928
2929 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2930 SSL_ERROR_NONE),
2931 curr->connsuccess))
2932 goto end;
2933
2934 testresult = 1;
2935
2936 end:
2937 SSL_free(serverssl);
2938 SSL_free(clientssl);
2939 SSL_CTX_free(sctx);
2940 SSL_CTX_free(cctx);
2941
2942 return testresult;
2943 }
2944 #endif
2945
2946 #ifndef OPENSSL_NO_TLS1_3
2947 static int psk_client_cb_cnt = 0;
2948 static int psk_server_cb_cnt = 0;
2949
2950 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2951 size_t *idlen, SSL_SESSION **sess)
2952 {
2953 switch (++use_session_cb_cnt) {
2954 case 1:
2955 /* The first call should always have a NULL md */
2956 if (md != NULL)
2957 return 0;
2958 break;
2959
2960 case 2:
2961 /* The second call should always have an md */
2962 if (md == NULL)
2963 return 0;
2964 break;
2965
2966 default:
2967 /* We should only be called a maximum of twice */
2968 return 0;
2969 }
2970
2971 if (clientpsk != NULL)
2972 SSL_SESSION_up_ref(clientpsk);
2973
2974 *sess = clientpsk;
2975 *id = (const unsigned char *)pskid;
2976 *idlen = strlen(pskid);
2977
2978 return 1;
2979 }
2980
2981 #ifndef OPENSSL_NO_PSK
2982 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2983 unsigned int max_id_len,
2984 unsigned char *psk,
2985 unsigned int max_psk_len)
2986 {
2987 unsigned int psklen = 0;
2988
2989 psk_client_cb_cnt++;
2990
2991 if (strlen(pskid) + 1 > max_id_len)
2992 return 0;
2993
2994 /* We should only ever be called a maximum of twice per connection */
2995 if (psk_client_cb_cnt > 2)
2996 return 0;
2997
2998 if (clientpsk == NULL)
2999 return 0;
3000
3001 /* We'll reuse the PSK we set up for TLSv1.3 */
3002 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3003 return 0;
3004 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3005 strncpy(id, pskid, max_id_len);
3006
3007 return psklen;
3008 }
3009 #endif /* OPENSSL_NO_PSK */
3010
3011 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3012 size_t identity_len, SSL_SESSION **sess)
3013 {
3014 find_session_cb_cnt++;
3015
3016 /* We should only ever be called a maximum of twice per connection */
3017 if (find_session_cb_cnt > 2)
3018 return 0;
3019
3020 if (serverpsk == NULL)
3021 return 0;
3022
3023 /* Identity should match that set by the client */
3024 if (strlen(srvid) != identity_len
3025 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3026 /* No PSK found, continue but without a PSK */
3027 *sess = NULL;
3028 return 1;
3029 }
3030
3031 SSL_SESSION_up_ref(serverpsk);
3032 *sess = serverpsk;
3033
3034 return 1;
3035 }
3036
3037 #ifndef OPENSSL_NO_PSK
3038 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3039 unsigned char *psk, unsigned int max_psk_len)
3040 {
3041 unsigned int psklen = 0;
3042
3043 psk_server_cb_cnt++;
3044
3045 /* We should only ever be called a maximum of twice per connection */
3046 if (find_session_cb_cnt > 2)
3047 return 0;
3048
3049 if (serverpsk == NULL)
3050 return 0;
3051
3052 /* Identity should match that set by the client */
3053 if (strcmp(srvid, identity) != 0) {
3054 return 0;
3055 }
3056
3057 /* We'll reuse the PSK we set up for TLSv1.3 */
3058 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3059 return 0;
3060 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3061
3062 return psklen;
3063 }
3064 #endif /* OPENSSL_NO_PSK */
3065
3066 #define MSG1 "Hello"
3067 #define MSG2 "World."
3068 #define MSG3 "This"
3069 #define MSG4 "is"
3070 #define MSG5 "a"
3071 #define MSG6 "test"
3072 #define MSG7 "message."
3073
3074 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3075 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3076 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3077 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3078 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3079
3080
3081 static SSL_SESSION *create_a_psk(SSL *ssl)
3082 {
3083 const SSL_CIPHER *cipher = NULL;
3084 const unsigned char key[] = {
3085 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3086 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3087 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3088 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3089 0x2c, 0x2d, 0x2e, 0x2f
3090 };
3091 SSL_SESSION *sess = NULL;
3092
3093 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3094 sess = SSL_SESSION_new();
3095 if (!TEST_ptr(sess)
3096 || !TEST_ptr(cipher)
3097 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3098 sizeof(key)))
3099 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3100 || !TEST_true(
3101 SSL_SESSION_set_protocol_version(sess,
3102 TLS1_3_VERSION))) {
3103 SSL_SESSION_free(sess);
3104 return NULL;
3105 }
3106 return sess;
3107 }
3108
3109 /*
3110 * Helper method to setup objects for early data test. Caller frees objects on
3111 * error.
3112 */
3113 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3114 SSL **serverssl, SSL_SESSION **sess, int idx)
3115 {
3116 if (*sctx == NULL
3117 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3118 TLS_client_method(),
3119 TLS1_VERSION, 0,
3120 sctx, cctx, cert, privkey)))
3121 return 0;
3122
3123 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3124 return 0;
3125
3126 if (idx == 1) {
3127 /* When idx == 1 we repeat the tests with read_ahead set */
3128 SSL_CTX_set_read_ahead(*cctx, 1);
3129 SSL_CTX_set_read_ahead(*sctx, 1);
3130 } else if (idx == 2) {
3131 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3132 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3133 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3134 use_session_cb_cnt = 0;
3135 find_session_cb_cnt = 0;
3136 srvid = pskid;
3137 }
3138
3139 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3140 NULL, NULL)))
3141 return 0;
3142
3143 /*
3144 * For one of the run throughs (doesn't matter which one), we'll try sending
3145 * some SNI data in the initial ClientHello. This will be ignored (because
3146 * there is no SNI cb set up by the server), so it should not impact
3147 * early_data.
3148 */
3149 if (idx == 1
3150 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3151 return 0;
3152
3153 if (idx == 2) {
3154 clientpsk = create_a_psk(*clientssl);
3155 if (!TEST_ptr(clientpsk)
3156 /*
3157 * We just choose an arbitrary value for max_early_data which
3158 * should be big enough for testing purposes.
3159 */
3160 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3161 0x100))
3162 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3163 SSL_SESSION_free(clientpsk);
3164 clientpsk = NULL;
3165 return 0;
3166 }
3167 serverpsk = clientpsk;
3168
3169 if (sess != NULL) {
3170 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3171 SSL_SESSION_free(clientpsk);
3172 SSL_SESSION_free(serverpsk);
3173 clientpsk = serverpsk = NULL;
3174 return 0;
3175 }
3176 *sess = clientpsk;
3177 }
3178 return 1;
3179 }
3180
3181 if (sess == NULL)
3182 return 1;
3183
3184 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3185 SSL_ERROR_NONE)))
3186 return 0;
3187
3188 *sess = SSL_get1_session(*clientssl);
3189 SSL_shutdown(*clientssl);
3190 SSL_shutdown(*serverssl);
3191 SSL_free(*serverssl);
3192 SSL_free(*clientssl);
3193 *serverssl = *clientssl = NULL;
3194
3195 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3196 clientssl, NULL, NULL))
3197 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3198 return 0;
3199
3200 return 1;
3201 }
3202
3203 static int test_early_data_read_write(int idx)
3204 {
3205 SSL_CTX *cctx = NULL, *sctx = NULL;
3206 SSL *clientssl = NULL, *serverssl = NULL;
3207 int testresult = 0;
3208 SSL_SESSION *sess = NULL;
3209 unsigned char buf[20], data[1024];
3210 size_t readbytes, written, eoedlen, rawread, rawwritten;
3211 BIO *rbio;
3212
3213 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3214 &serverssl, &sess, idx)))
3215 goto end;
3216
3217 /* Write and read some early data */
3218 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3219 &written))
3220 || !TEST_size_t_eq(written, strlen(MSG1))
3221 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3222 sizeof(buf), &readbytes),
3223 SSL_READ_EARLY_DATA_SUCCESS)
3224 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3225 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3226 SSL_EARLY_DATA_ACCEPTED))
3227 goto end;
3228
3229 /*
3230 * Server should be able to write data, and client should be able to
3231 * read it.
3232 */
3233 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3234 &written))
3235 || !TEST_size_t_eq(written, strlen(MSG2))
3236 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3237 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3238 goto end;
3239
3240 /* Even after reading normal data, client should be able write early data */
3241 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3242 &written))
3243 || !TEST_size_t_eq(written, strlen(MSG3)))
3244 goto end;
3245
3246 /* Server should still be able read early data after writing data */
3247 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3248 &readbytes),
3249 SSL_READ_EARLY_DATA_SUCCESS)
3250 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3251 goto end;
3252
3253 /* Write more data from server and read it from client */
3254 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3255 &written))
3256 || !TEST_size_t_eq(written, strlen(MSG4))
3257 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3258 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3259 goto end;
3260
3261 /*
3262 * If client writes normal data it should mean writing early data is no
3263 * longer possible.
3264 */
3265 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3266 || !TEST_size_t_eq(written, strlen(MSG5))
3267 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3268 SSL_EARLY_DATA_ACCEPTED))
3269 goto end;
3270
3271 /*
3272 * At this point the client has written EndOfEarlyData, ClientFinished and
3273 * normal (fully protected) data. We are going to cause a delay between the
3274 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3275 * in the read BIO, and then just put back the EndOfEarlyData message.
3276 */
3277 rbio = SSL_get_rbio(serverssl);
3278 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3279 || !TEST_size_t_lt(rawread, sizeof(data))
3280 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3281 goto end;
3282
3283 /* Record length is in the 4th and 5th bytes of the record header */
3284 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3285 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3286 || !TEST_size_t_eq(rawwritten, eoedlen))
3287 goto end;
3288
3289 /* Server should be told that there is no more early data */
3290 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3291 &readbytes),
3292 SSL_READ_EARLY_DATA_FINISH)
3293 || !TEST_size_t_eq(readbytes, 0))
3294 goto end;
3295
3296 /*
3297 * Server has not finished init yet, so should still be able to write early
3298 * data.
3299 */
3300 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3301 &written))
3302 || !TEST_size_t_eq(written, strlen(MSG6)))
3303 goto end;
3304
3305 /* Push the ClientFinished and the normal data back into the server rbio */
3306 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3307 &rawwritten))
3308 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3309 goto end;
3310
3311 /* Server should be able to read normal data */
3312 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3313 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3314 goto end;
3315
3316 /* Client and server should not be able to write/read early data now */
3317 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3318 &written)))
3319 goto end;
3320 ERR_clear_error();
3321 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3322 &readbytes),
3323 SSL_READ_EARLY_DATA_ERROR))
3324 goto end;
3325 ERR_clear_error();
3326
3327 /* Client should be able to read the data sent by the server */
3328 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3329 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3330 goto end;
3331
3332 /*
3333 * Make sure we process the two NewSessionTickets. These arrive
3334 * post-handshake. We attempt reads which we do not expect to return any
3335 * data.
3336 */
3337 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3338 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3339 &readbytes)))
3340 goto end;
3341
3342 /* Server should be able to write normal data */
3343 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3344 || !TEST_size_t_eq(written, strlen(MSG7))
3345 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3346 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3347 goto end;
3348
3349 SSL_SESSION_free(sess);
3350 sess = SSL_get1_session(clientssl);
3351 use_session_cb_cnt = 0;
3352 find_session_cb_cnt = 0;
3353
3354 SSL_shutdown(clientssl);
3355 SSL_shutdown(serverssl);
3356 SSL_free(serverssl);
3357 SSL_free(clientssl);
3358 serverssl = clientssl = NULL;
3359 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3360 &clientssl, NULL, NULL))
3361 || !TEST_true(SSL_set_session(clientssl, sess)))
3362 goto end;
3363
3364 /* Write and read some early data */
3365 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3366 &written))
3367 || !TEST_size_t_eq(written, strlen(MSG1))
3368 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3369 &readbytes),
3370 SSL_READ_EARLY_DATA_SUCCESS)
3371 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3372 goto end;
3373
3374 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3375 || !TEST_int_gt(SSL_accept(serverssl), 0))
3376 goto end;
3377
3378 /* Client and server should not be able to write/read early data now */
3379 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3380 &written)))
3381 goto end;
3382 ERR_clear_error();
3383 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3384 &readbytes),
3385 SSL_READ_EARLY_DATA_ERROR))
3386 goto end;
3387 ERR_clear_error();
3388
3389 /* Client and server should be able to write/read normal data */
3390 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3391 || !TEST_size_t_eq(written, strlen(MSG5))
3392 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3393 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3394 goto end;
3395
3396 testresult = 1;
3397
3398 end:
3399 SSL_SESSION_free(sess);
3400 SSL_SESSION_free(clientpsk);
3401 SSL_SESSION_free(serverpsk);
3402 clientpsk = serverpsk = NULL;
3403 SSL_free(serverssl);
3404 SSL_free(clientssl);
3405 SSL_CTX_free(sctx);
3406 SSL_CTX_free(cctx);
3407 return testresult;
3408 }
3409
3410 static int allow_ed_cb_called = 0;
3411
3412 static int allow_early_data_cb(SSL *s, void *arg)
3413 {
3414 int *usecb = (int *)arg;
3415
3416 allow_ed_cb_called++;
3417
3418 if (*usecb == 1)
3419 return 0;
3420
3421 return 1;
3422 }
3423
3424 /*
3425 * idx == 0: Standard early_data setup
3426 * idx == 1: early_data setup using read_ahead
3427 * usecb == 0: Don't use a custom early data callback
3428 * usecb == 1: Use a custom early data callback and reject the early data
3429 * usecb == 2: Use a custom early data callback and accept the early data
3430 * confopt == 0: Configure anti-replay directly
3431 * confopt == 1: Configure anti-replay using SSL_CONF
3432 */
3433 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3434 {
3435 SSL_CTX *cctx = NULL, *sctx = NULL;
3436 SSL *clientssl = NULL, *serverssl = NULL;
3437 int testresult = 0;
3438 SSL_SESSION *sess = NULL;
3439 size_t readbytes, written;
3440 unsigned char buf[20];
3441
3442 allow_ed_cb_called = 0;
3443
3444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3445 TLS_client_method(), TLS1_VERSION, 0,
3446 &sctx, &cctx, cert, privkey)))
3447 return 0;
3448
3449 if (usecb > 0) {
3450 if (confopt == 0) {
3451 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3452 } else {
3453 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3454
3455 if (!TEST_ptr(confctx))
3456 goto end;
3457 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3458 | SSL_CONF_FLAG_SERVER);
3459 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3460 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3461 2)) {
3462 SSL_CONF_CTX_free(confctx);
3463 goto end;
3464 }
3465 SSL_CONF_CTX_free(confctx);
3466 }
3467 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3468 }
3469
3470 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3471 &serverssl, &sess, idx)))
3472 goto end;
3473
3474 /*
3475 * The server is configured to accept early data. Create a connection to
3476 * "use up" the ticket
3477 */
3478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3479 || !TEST_true(SSL_session_reused(clientssl)))
3480 goto end;
3481
3482 SSL_shutdown(clientssl);
3483 SSL_shutdown(serverssl);
3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 serverssl = clientssl = NULL;
3487
3488 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3489 &clientssl, NULL, NULL))
3490 || !TEST_true(SSL_set_session(clientssl, sess)))
3491 goto end;
3492
3493 /* Write and read some early data */
3494 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3495 &written))
3496 || !TEST_size_t_eq(written, strlen(MSG1)))
3497 goto end;
3498
3499 if (usecb <= 1) {
3500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3501 &readbytes),
3502 SSL_READ_EARLY_DATA_FINISH)
3503 /*
3504 * The ticket was reused, so the we should have rejected the
3505 * early data
3506 */
3507 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3508 SSL_EARLY_DATA_REJECTED))
3509 goto end;
3510 } else {
3511 /* In this case the callback decides to accept the early data */
3512 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3513 &readbytes),
3514 SSL_READ_EARLY_DATA_SUCCESS)
3515 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3516 /*
3517 * Server will have sent its flight so client can now send
3518 * end of early data and complete its half of the handshake
3519 */
3520 || !TEST_int_gt(SSL_connect(clientssl), 0)
3521 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3522 &readbytes),
3523 SSL_READ_EARLY_DATA_FINISH)
3524 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3525 SSL_EARLY_DATA_ACCEPTED))
3526 goto end;
3527 }
3528
3529 /* Complete the connection */
3530 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3531 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3532 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3533 goto end;
3534
3535 testresult = 1;
3536
3537 end:
3538 SSL_SESSION_free(sess);
3539 SSL_SESSION_free(clientpsk);
3540 SSL_SESSION_free(serverpsk);
3541 clientpsk = serverpsk = NULL;
3542 SSL_free(serverssl);
3543 SSL_free(clientssl);
3544 SSL_CTX_free(sctx);
3545 SSL_CTX_free(cctx);
3546 return testresult;
3547 }
3548
3549 static int test_early_data_replay(int idx)
3550 {
3551 int ret = 1, usecb, confopt;
3552
3553 for (usecb = 0; usecb < 3; usecb++) {
3554 for (confopt = 0; confopt < 2; confopt++)
3555 ret &= test_early_data_replay_int(idx, usecb, confopt);
3556 }
3557
3558 return ret;
3559 }
3560
3561 /*
3562 * Helper function to test that a server attempting to read early data can
3563 * handle a connection from a client where the early data should be skipped.
3564 * testtype: 0 == No HRR
3565 * testtype: 1 == HRR
3566 * testtype: 2 == HRR, invalid early_data sent after HRR
3567 * testtype: 3 == recv_max_early_data set to 0
3568 */
3569 static int early_data_skip_helper(int testtype, int idx)
3570 {
3571 SSL_CTX *cctx = NULL, *sctx = NULL;
3572 SSL *clientssl = NULL, *serverssl = NULL;
3573 int testresult = 0;
3574 SSL_SESSION *sess = NULL;
3575 unsigned char buf[20];
3576 size_t readbytes, written;
3577
3578 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3579 &serverssl, &sess, idx)))
3580 goto end;
3581
3582 if (testtype == 1 || testtype == 2) {
3583 /* Force an HRR to occur */
3584 #if defined(OPENSSL_NO_EC)
3585 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3586 goto end;
3587 #else
3588 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3589 goto end;
3590 #endif
3591 } else if (idx == 2) {
3592 /*
3593 * We force early_data rejection by ensuring the PSK identity is
3594 * unrecognised
3595 */
3596 srvid = "Dummy Identity";
3597 } else {
3598 /*
3599 * Deliberately corrupt the creation time. We take 20 seconds off the
3600 * time. It could be any value as long as it is not within tolerance.
3601 * This should mean the ticket is rejected.
3602 */
3603 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3604 goto end;
3605 }
3606
3607 if (testtype == 3
3608 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3609 goto end;
3610
3611 /* Write some early data */
3612 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3613 &written))
3614 || !TEST_size_t_eq(written, strlen(MSG1)))
3615 goto end;
3616
3617 /* Server should reject the early data */
3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3619 &readbytes),
3620 SSL_READ_EARLY_DATA_FINISH)
3621 || !TEST_size_t_eq(readbytes, 0)
3622 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3623 SSL_EARLY_DATA_REJECTED))
3624 goto end;
3625
3626 switch (testtype) {
3627 case 0:
3628 /* Nothing to do */
3629 break;
3630
3631 case 1:
3632 /*
3633 * Finish off the handshake. We perform the same writes and reads as
3634 * further down but we expect them to fail due to the incomplete
3635 * handshake.
3636 */
3637 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3638 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3639 &readbytes)))
3640 goto end;
3641 break;
3642
3643 case 2:
3644 {
3645 BIO *wbio = SSL_get_wbio(clientssl);
3646 /* A record that will appear as bad early_data */
3647 const unsigned char bad_early_data[] = {
3648 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3649 };
3650
3651 /*
3652 * We force the client to attempt a write. This will fail because
3653 * we're still in the handshake. It will cause the second
3654 * ClientHello to be sent.
3655 */
3656 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3657 &written)))
3658 goto end;
3659
3660 /*
3661 * Inject some early_data after the second ClientHello. This should
3662 * cause the server to fail
3663 */
3664 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3665 sizeof(bad_early_data), &written)))
3666 goto end;
3667 }
3668 /* fallthrough */
3669
3670 case 3:
3671 /*
3672 * This client has sent more early_data than we are willing to skip
3673 * (case 3) or sent invalid early_data (case 2) so the connection should
3674 * abort.
3675 */
3676 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3677 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3678 goto end;
3679
3680 /* Connection has failed - nothing more to do */
3681 testresult = 1;
3682 goto end;
3683
3684 default:
3685 TEST_error("Invalid test type");
3686 goto end;
3687 }
3688
3689 /*
3690 * Should be able to send normal data despite rejection of early data. The
3691 * early_data should be skipped.
3692 */
3693 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3694 || !TEST_size_t_eq(written, strlen(MSG2))
3695 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3696 SSL_EARLY_DATA_REJECTED)
3697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3699 goto end;
3700
3701 testresult = 1;
3702
3703 end:
3704 SSL_SESSION_free(clientpsk);
3705 SSL_SESSION_free(serverpsk);
3706 clientpsk = serverpsk = NULL;
3707 SSL_SESSION_free(sess);
3708 SSL_free(serverssl);
3709 SSL_free(clientssl);
3710 SSL_CTX_free(sctx);
3711 SSL_CTX_free(cctx);
3712 return testresult;
3713 }
3714
3715 /*
3716 * Test that a server attempting to read early data can handle a connection
3717 * from a client where the early data is not acceptable.
3718 */
3719 static int test_early_data_skip(int idx)
3720 {
3721 return early_data_skip_helper(0, idx);
3722 }
3723
3724 /*
3725 * Test that a server attempting to read early data can handle a connection
3726 * from a client where an HRR occurs.
3727 */
3728 static int test_early_data_skip_hrr(int idx)
3729 {
3730 return early_data_skip_helper(1, idx);
3731 }
3732
3733 /*
3734 * Test that a server attempting to read early data can handle a connection
3735 * from a client where an HRR occurs and correctly fails if early_data is sent
3736 * after the HRR
3737 */
3738 static int test_early_data_skip_hrr_fail(int idx)
3739 {
3740 return early_data_skip_helper(2, idx);
3741 }
3742
3743 /*
3744 * Test that a server attempting to read early data will abort if it tries to
3745 * skip over too much.
3746 */
3747 static int test_early_data_skip_abort(int idx)
3748 {
3749 return early_data_skip_helper(3, idx);
3750 }
3751
3752 /*
3753 * Test that a server attempting to read early data can handle a connection
3754 * from a client that doesn't send any.
3755 */
3756 static int test_early_data_not_sent(int idx)
3757 {
3758 SSL_CTX *cctx = NULL, *sctx = NULL;
3759 SSL *clientssl = NULL, *serverssl = NULL;
3760 int testresult = 0;
3761 SSL_SESSION *sess = NULL;
3762 unsigned char buf[20];
3763 size_t readbytes, written;
3764
3765 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3766 &serverssl, &sess, idx)))
3767 goto end;
3768
3769 /* Write some data - should block due to handshake with server */
3770 SSL_set_connect_state(clientssl);
3771 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3772 goto end;
3773
3774 /* Server should detect that early data has not been sent */
3775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3776 &readbytes),
3777 SSL_READ_EARLY_DATA_FINISH)
3778 || !TEST_size_t_eq(readbytes, 0)
3779 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3780 SSL_EARLY_DATA_NOT_SENT)
3781 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3782 SSL_EARLY_DATA_NOT_SENT))
3783 goto end;
3784
3785 /* Continue writing the message we started earlier */
3786 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3787 || !TEST_size_t_eq(written, strlen(MSG1))
3788 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3789 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3790 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3791 || !TEST_size_t_eq(written, strlen(MSG2)))
3792 goto end;
3793
3794 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3795 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3796 goto end;
3797
3798 testresult = 1;
3799
3800 end:
3801 SSL_SESSION_free(sess);
3802 SSL_SESSION_free(clientpsk);
3803 SSL_SESSION_free(serverpsk);
3804 clientpsk = serverpsk = NULL;
3805 SSL_free(serverssl);
3806 SSL_free(clientssl);
3807 SSL_CTX_free(sctx);
3808 SSL_CTX_free(cctx);
3809 return testresult;
3810 }
3811
3812 static const char *servalpn;
3813
3814 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3815 unsigned char *outlen, const unsigned char *in,
3816 unsigned int inlen, void *arg)
3817 {
3818 unsigned int protlen = 0;
3819 const unsigned char *prot;
3820
3821 for (prot = in; prot < in + inlen; prot += protlen) {
3822 protlen = *prot++;
3823 if (in + inlen < prot + protlen)
3824 return SSL_TLSEXT_ERR_NOACK;
3825
3826 if (protlen == strlen(servalpn)
3827 && memcmp(prot, servalpn, protlen) == 0) {
3828 *out = prot;
3829 *outlen = protlen;
3830 return SSL_TLSEXT_ERR_OK;
3831 }
3832 }
3833
3834 return SSL_TLSEXT_ERR_NOACK;
3835 }
3836
3837 /* Test that a PSK can be used to send early_data */
3838 static int test_early_data_psk(int idx)
3839 {
3840 SSL_CTX *cctx = NULL, *sctx = NULL;
3841 SSL *clientssl = NULL, *serverssl = NULL;
3842 int testresult = 0;
3843 SSL_SESSION *sess = NULL;
3844 unsigned char alpnlist[] = {
3845 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3846 'l', 'p', 'n'
3847 };
3848 #define GOODALPNLEN 9
3849 #define BADALPNLEN 8
3850 #define GOODALPN (alpnlist)
3851 #define BADALPN (alpnlist + GOODALPNLEN)
3852 int err = 0;
3853 unsigned char buf[20];
3854 size_t readbytes, written;
3855 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3856 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3857
3858 /* We always set this up with a final parameter of "2" for PSK */
3859 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3860 &serverssl, &sess, 2)))
3861 goto end;
3862
3863 servalpn = "goodalpn";
3864
3865 /*
3866 * Note: There is no test for inconsistent SNI with late client detection.
3867 * This is because servers do not acknowledge SNI even if they are using
3868 * it in a resumption handshake - so it is not actually possible for a
3869 * client to detect a problem.
3870 */
3871 switch (idx) {
3872 case 0:
3873 /* Set inconsistent SNI (early client detection) */
3874 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3875 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3876 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3877 goto end;
3878 break;
3879
3880 case 1:
3881 /* Set inconsistent ALPN (early client detection) */
3882 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3883 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3884 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3885 GOODALPNLEN))
3886 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3887 BADALPNLEN)))
3888 goto end;
3889 break;
3890
3891 case 2:
3892 /*
3893 * Set invalid protocol version. Technically this affects PSKs without
3894 * early_data too, but we test it here because it is similar to the
3895 * SNI/ALPN consistency tests.
3896 */
3897 err = SSL_R_BAD_PSK;
3898 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3899 goto end;
3900 break;
3901
3902 case 3:
3903 /*
3904 * Set inconsistent SNI (server side). In this case the connection
3905 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3906 * is associated with each handshake - not the session. Therefore it
3907 * should not matter that we used a different server name last time.
3908 */
3909 SSL_SESSION_free(serverpsk);
3910 serverpsk = SSL_SESSION_dup(clientpsk);
3911 if (!TEST_ptr(serverpsk)
3912 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3913 goto end;
3914 /* Fall through */
3915 case 4:
3916 /* Set consistent SNI */
3917 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3918 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3919 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3920 hostname_cb)))
3921 goto end;
3922 break;
3923
3924 case 5:
3925 /*
3926 * Set inconsistent ALPN (server detected). In this case the connection
3927 * will succeed but reject early_data.
3928 */
3929 servalpn = "badalpn";
3930 edstatus = SSL_EARLY_DATA_REJECTED;
3931 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3932 /* Fall through */
3933 case 6:
3934 /*
3935 * Set consistent ALPN.
3936 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3937 * accepts a list of protos (each one length prefixed).
3938 * SSL_set1_alpn_selected accepts a single protocol (not length
3939 * prefixed)
3940 */
3941 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3942 GOODALPNLEN - 1))
3943 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3944 GOODALPNLEN)))
3945 goto end;
3946
3947 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3948 break;
3949
3950 case 7:
3951 /* Set inconsistent ALPN (late client detection) */
3952 SSL_SESSION_free(serverpsk);
3953 serverpsk = SSL_SESSION_dup(clientpsk);
3954 if (!TEST_ptr(serverpsk)
3955 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3956 BADALPN + 1,
3957 BADALPNLEN - 1))
3958 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3959 GOODALPN + 1,
3960 GOODALPNLEN - 1))
3961 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3962 sizeof(alpnlist))))
3963 goto end;
3964 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3965 edstatus = SSL_EARLY_DATA_ACCEPTED;
3966 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3967 /* SSL_connect() call should fail */
3968 connectres = -1;
3969 break;
3970
3971 default:
3972 TEST_error("Bad test index");
3973 goto end;
3974 }
3975
3976 SSL_set_connect_state(clientssl);
3977 if (err != 0) {
3978 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3979 &written))
3980 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3981 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3982 goto end;
3983 } else {
3984 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3985 &written)))
3986 goto end;
3987
3988 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3989 &readbytes), readearlyres)
3990 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3991 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3992 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3993 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3994 goto end;
3995 }
3996
3997 testresult = 1;
3998
3999 end:
4000 SSL_SESSION_free(sess);
4001 SSL_SESSION_free(clientpsk);
4002 SSL_SESSION_free(serverpsk);
4003 clientpsk = serverpsk = NULL;
4004 SSL_free(serverssl);
4005 SSL_free(clientssl);
4006 SSL_CTX_free(sctx);
4007 SSL_CTX_free(cctx);
4008 return testresult;
4009 }
4010
4011 /*
4012 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4013 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4014 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4015 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4016 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4017 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4018 */
4019 static int test_early_data_psk_with_all_ciphers(int idx)
4020 {
4021 SSL_CTX *cctx = NULL, *sctx = NULL;
4022 SSL *clientssl = NULL, *serverssl = NULL;
4023 int testresult = 0;
4024 SSL_SESSION *sess = NULL;
4025 unsigned char buf[20];
4026 size_t readbytes, written;
4027 const SSL_CIPHER *cipher;
4028 const char *cipher_str[] = {
4029 TLS1_3_RFC_AES_128_GCM_SHA256,
4030 TLS1_3_RFC_AES_256_GCM_SHA384,
4031 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4032 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4033 # else
4034 NULL,
4035 # endif
4036 TLS1_3_RFC_AES_128_CCM_SHA256,
4037 TLS1_3_RFC_AES_128_CCM_8_SHA256
4038 };
4039 const unsigned char *cipher_bytes[] = {
4040 TLS13_AES_128_GCM_SHA256_BYTES,
4041 TLS13_AES_256_GCM_SHA384_BYTES,
4042 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4043 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4044 # else
4045 NULL,
4046 # endif
4047 TLS13_AES_128_CCM_SHA256_BYTES,
4048 TLS13_AES_128_CCM_8_SHA256_BYTES
4049 };
4050
4051 if (cipher_str[idx] == NULL)
4052 return 1;
4053 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4054 if (idx == 2 && is_fips == 1)
4055 return 1;
4056
4057 /* We always set this up with a final parameter of "2" for PSK */
4058 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4059 &serverssl, &sess, 2)))
4060 goto end;
4061
4062 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4063 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4064 goto end;
4065
4066 /*
4067 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4068 * and assigns to both client and server with incremented reference
4069 * and the same instance is updated in 'sess'.
4070 * So updating ciphersuite in 'sess' which will get reflected in
4071 * PSK handshake using psk use sess and find sess cb.
4072 */
4073 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4074 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4075 goto end;
4076
4077 SSL_set_connect_state(clientssl);
4078 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4079 &written)))
4080 goto end;
4081
4082 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4083 &readbytes),
4084 SSL_READ_EARLY_DATA_SUCCESS)
4085 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4086 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4087 SSL_EARLY_DATA_ACCEPTED)
4088 || !TEST_int_eq(SSL_connect(clientssl), 1)
4089 || !TEST_int_eq(SSL_accept(serverssl), 1))
4090 goto end;
4091
4092 /* Send some normal data from client to server */
4093 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4094 || !TEST_size_t_eq(written, strlen(MSG2)))
4095 goto end;
4096
4097 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4098 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4099 goto end;
4100
4101 testresult = 1;
4102 end:
4103 SSL_SESSION_free(sess);
4104 SSL_SESSION_free(clientpsk);
4105 SSL_SESSION_free(serverpsk);
4106 clientpsk = serverpsk = NULL;
4107 if (clientssl != NULL)
4108 SSL_shutdown(clientssl);
4109 if (serverssl != NULL)
4110 SSL_shutdown(serverssl);
4111 SSL_free(serverssl);
4112 SSL_free(clientssl);
4113 SSL_CTX_free(sctx);
4114 SSL_CTX_free(cctx);
4115 return testresult;
4116 }
4117
4118 /*
4119 * Test that a server that doesn't try to read early data can handle a
4120 * client sending some.
4121 */
4122 static int test_early_data_not_expected(int idx)
4123 {
4124 SSL_CTX *cctx = NULL, *sctx = NULL;
4125 SSL *clientssl = NULL, *serverssl = NULL;
4126 int testresult = 0;
4127 SSL_SESSION *sess = NULL;
4128 unsigned char buf[20];
4129 size_t readbytes, written;
4130
4131 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4132 &serverssl, &sess, idx)))
4133 goto end;
4134
4135 /* Write some early data */
4136 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4137 &written)))
4138 goto end;
4139
4140 /*
4141 * Server should skip over early data and then block waiting for client to
4142 * continue handshake
4143 */
4144 if (!TEST_int_le(SSL_accept(serverssl), 0)
4145 || !TEST_int_gt(SSL_connect(clientssl), 0)
4146 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4147 SSL_EARLY_DATA_REJECTED)
4148 || !TEST_int_gt(SSL_accept(serverssl), 0)
4149 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4150 SSL_EARLY_DATA_REJECTED))
4151 goto end;
4152
4153 /* Send some normal data from client to server */
4154 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4155 || !TEST_size_t_eq(written, strlen(MSG2)))
4156 goto end;
4157
4158 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4159 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4160 goto end;
4161
4162 testresult = 1;
4163
4164 end:
4165 SSL_SESSION_free(sess);
4166 SSL_SESSION_free(clientpsk);
4167 SSL_SESSION_free(serverpsk);
4168 clientpsk = serverpsk = NULL;
4169 SSL_free(serverssl);
4170 SSL_free(clientssl);
4171 SSL_CTX_free(sctx);
4172 SSL_CTX_free(cctx);
4173 return testresult;
4174 }
4175
4176
4177 # ifndef OPENSSL_NO_TLS1_2
4178 /*
4179 * Test that a server attempting to read early data can handle a connection
4180 * from a TLSv1.2 client.
4181 */
4182 static int test_early_data_tls1_2(int idx)
4183 {
4184 SSL_CTX *cctx = NULL, *sctx = NULL;
4185 SSL *clientssl = NULL, *serverssl = NULL;
4186 int testresult = 0;
4187 unsigned char buf[20];
4188 size_t readbytes, written;
4189
4190 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4191 &serverssl, NULL, idx)))
4192 goto end;
4193
4194 /* Write some data - should block due to handshake with server */
4195 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4196 SSL_set_connect_state(clientssl);
4197 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4198 goto end;
4199
4200 /*
4201 * Server should do TLSv1.2 handshake. First it will block waiting for more
4202 * messages from client after ServerDone. Then SSL_read_early_data should
4203 * finish and detect that early data has not been sent
4204 */
4205 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4206 &readbytes),
4207 SSL_READ_EARLY_DATA_ERROR))
4208 goto end;
4209
4210 /*
4211 * Continue writing the message we started earlier. Will still block waiting
4212 * for the CCS/Finished from server
4213 */
4214 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4215 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4216 &readbytes),
4217 SSL_READ_EARLY_DATA_FINISH)
4218 || !TEST_size_t_eq(readbytes, 0)
4219 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4220 SSL_EARLY_DATA_NOT_SENT))
4221 goto end;
4222
4223 /* Continue writing the message we started earlier */
4224 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4225 || !TEST_size_t_eq(written, strlen(MSG1))
4226 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4227 SSL_EARLY_DATA_NOT_SENT)
4228 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4229 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4230 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4231 || !TEST_size_t_eq(written, strlen(MSG2))
4232 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4233 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4234 goto end;
4235
4236 testresult = 1;
4237
4238 end:
4239 SSL_SESSION_free(clientpsk);
4240 SSL_SESSION_free(serverpsk);
4241 clientpsk = serverpsk = NULL;
4242 SSL_free(serverssl);
4243 SSL_free(clientssl);
4244 SSL_CTX_free(sctx);
4245 SSL_CTX_free(cctx);
4246
4247 return testresult;
4248 }
4249 # endif /* OPENSSL_NO_TLS1_2 */
4250
4251 /*
4252 * Test configuring the TLSv1.3 ciphersuites
4253 *
4254 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4255 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4256 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4257 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4258 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4259 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4260 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4261 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4262 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4263 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4264 */
4265 static int test_set_ciphersuite(int idx)
4266 {
4267 SSL_CTX *cctx = NULL, *sctx = NULL;
4268 SSL *clientssl = NULL, *serverssl = NULL;
4269 int testresult = 0;
4270
4271 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4272 TLS_client_method(), TLS1_VERSION, 0,
4273 &sctx, &cctx, cert, privkey))
4274 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4275 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4276 goto end;
4277
4278 if (idx >=4 && idx <= 7) {
4279 /* SSL_CTX explicit cipher list */
4280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4281 goto end;
4282 }
4283
4284 if (idx == 0 || idx == 4) {
4285 /* Default ciphersuite */
4286 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4287 "TLS_AES_128_GCM_SHA256")))
4288 goto end;
4289 } else if (idx == 1 || idx == 5) {
4290 /* Non default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_CCM_SHA256")))
4293 goto end;
4294 }
4295
4296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4297 &clientssl, NULL, NULL)))
4298 goto end;
4299
4300 if (idx == 8 || idx == 9) {
4301 /* SSL explicit cipher list */
4302 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4303 goto end;
4304 }
4305
4306 if (idx == 2 || idx == 6 || idx == 8) {
4307 /* Default ciphersuite */
4308 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4309 "TLS_AES_128_GCM_SHA256")))
4310 goto end;
4311 } else if (idx == 3 || idx == 7 || idx == 9) {
4312 /* Non default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_CCM_SHA256")))
4315 goto end;
4316 }
4317
4318 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4319 goto end;
4320
4321 testresult = 1;
4322
4323 end:
4324 SSL_free(serverssl);
4325 SSL_free(clientssl);
4326 SSL_CTX_free(sctx);
4327 SSL_CTX_free(cctx);
4328
4329 return testresult;
4330 }
4331
4332 static int test_ciphersuite_change(void)
4333 {
4334 SSL_CTX *cctx = NULL, *sctx = NULL;
4335 SSL *clientssl = NULL, *serverssl = NULL;
4336 SSL_SESSION *clntsess = NULL;
4337 int testresult = 0;
4338 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4339
4340 /* Create a session based on SHA-256 */
4341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4342 TLS_client_method(), TLS1_VERSION, 0,
4343 &sctx, &cctx, cert, privkey))
4344 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4345 "TLS_AES_128_GCM_SHA256:"
4346 "TLS_AES_256_GCM_SHA384:"
4347 "TLS_AES_128_CCM_SHA256"))
4348 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4349 "TLS_AES_128_GCM_SHA256"))
4350 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4351 &clientssl, NULL, NULL))
4352 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4353 SSL_ERROR_NONE)))
4354 goto end;
4355
4356 clntsess = SSL_get1_session(clientssl);
4357 /* Save for later */
4358 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4359 SSL_shutdown(clientssl);
4360 SSL_shutdown(serverssl);
4361 SSL_free(serverssl);
4362 SSL_free(clientssl);
4363 serverssl = clientssl = NULL;
4364
4365 /* Check we can resume a session with a different SHA-256 ciphersuite */
4366 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4367 "TLS_AES_128_CCM_SHA256"))
4368 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4369 &clientssl, NULL, NULL))
4370 || !TEST_true(SSL_set_session(clientssl, clntsess))
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4372 SSL_ERROR_NONE))
4373 || !TEST_true(SSL_session_reused(clientssl)))
4374 goto end;
4375
4376 SSL_SESSION_free(clntsess);
4377 clntsess = SSL_get1_session(clientssl);
4378 SSL_shutdown(clientssl);
4379 SSL_shutdown(serverssl);
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4382 serverssl = clientssl = NULL;
4383
4384 /*
4385 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4386 * succeeds but does not resume.
4387 */
4388 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4389 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4390 NULL, NULL))
4391 || !TEST_true(SSL_set_session(clientssl, clntsess))
4392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4393 SSL_ERROR_SSL))
4394 || !TEST_false(SSL_session_reused(clientssl)))
4395 goto end;
4396
4397 SSL_SESSION_free(clntsess);
4398 clntsess = NULL;
4399 SSL_shutdown(clientssl);
4400 SSL_shutdown(serverssl);
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 serverssl = clientssl = NULL;
4404
4405 /* Create a session based on SHA384 */
4406 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4407 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4408 &clientssl, NULL, NULL))
4409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4410 SSL_ERROR_NONE)))
4411 goto end;
4412
4413 clntsess = SSL_get1_session(clientssl);
4414 SSL_shutdown(clientssl);
4415 SSL_shutdown(serverssl);
4416 SSL_free(serverssl);
4417 SSL_free(clientssl);
4418 serverssl = clientssl = NULL;
4419
4420 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4421 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4422 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4423 "TLS_AES_256_GCM_SHA384"))
4424 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4425 NULL, NULL))
4426 || !TEST_true(SSL_set_session(clientssl, clntsess))
4427 /*
4428 * We use SSL_ERROR_WANT_READ below so that we can pause the
4429 * connection after the initial ClientHello has been sent to
4430 * enable us to make some session changes.
4431 */
4432 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4433 SSL_ERROR_WANT_READ)))
4434 goto end;
4435
4436 /* Trick the client into thinking this session is for a different digest */
4437 clntsess->cipher = aes_128_gcm_sha256;
4438 clntsess->cipher_id = clntsess->cipher->id;
4439
4440 /*
4441 * Continue the previously started connection. Server has selected a SHA-384
4442 * ciphersuite, but client thinks the session is for SHA-256, so it should
4443 * bail out.
4444 */
4445 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4446 SSL_ERROR_SSL))
4447 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4448 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4449 goto end;
4450
4451 testresult = 1;
4452
4453 end:
4454 SSL_SESSION_free(clntsess);
4455 SSL_free(serverssl);
4456 SSL_free(clientssl);
4457 SSL_CTX_free(sctx);
4458 SSL_CTX_free(cctx);
4459
4460 return testresult;
4461 }
4462
4463 /*
4464 * Test TLSv1.3 Key exchange
4465 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4466 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4467 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4468 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4469 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4470 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4471 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4472 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4473 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4474 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4475 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4476 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4477 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4478 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4479 */
4480 static int test_key_exchange(int idx)
4481 {
4482 SSL_CTX *sctx = NULL, *cctx = NULL;
4483 SSL *serverssl = NULL, *clientssl = NULL;
4484 int testresult = 0;
4485 # ifndef OPENSSL_NO_EC
4486 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4487 NID_secp521r1, NID_X25519, NID_X448};
4488 # endif
4489 # ifndef OPENSSL_NO_DH
4490 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4491 NID_ffdhe6144, NID_ffdhe8192};
4492 # endif
4493 int kexch_alg;
4494 int *kexch_groups = &kexch_alg;
4495 int kexch_groups_size = 1;
4496 int max_version = TLS1_3_VERSION;
4497
4498 switch (idx) {
4499 # ifndef OPENSSL_NO_EC
4500 # ifndef OPENSSL_NO_TLS1_2
4501 case 12:
4502 max_version = TLS1_2_VERSION;
4503 # endif
4504 /* Fall through */
4505 case 0:
4506 kexch_groups = ecdhe_kexch_groups;
4507 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4508 break;
4509 case 1:
4510 kexch_alg = NID_X9_62_prime256v1;
4511 break;
4512 case 2:
4513 kexch_alg = NID_secp384r1;
4514 break;
4515 case 3:
4516 kexch_alg = NID_secp521r1;
4517 break;
4518 case 4:
4519 kexch_alg = NID_X25519;
4520 break;
4521 case 5:
4522 kexch_alg = NID_X448;
4523 break;
4524 # endif
4525 # ifndef OPENSSL_NO_DH
4526 # ifndef OPENSSL_NO_TLS1_2
4527 case 13:
4528 max_version = TLS1_2_VERSION;
4529 # endif
4530 /* Fall through */
4531 case 6:
4532 kexch_groups = ffdhe_kexch_groups;
4533 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4534 break;
4535 case 7:
4536 kexch_alg = NID_ffdhe2048;
4537 break;
4538 case 8:
4539 kexch_alg = NID_ffdhe3072;
4540 break;
4541 case 9:
4542 kexch_alg = NID_ffdhe4096;
4543 break;
4544 case 10:
4545 kexch_alg = NID_ffdhe6144;
4546 break;
4547 case 11:
4548 kexch_alg = NID_ffdhe8192;
4549 break;
4550 # endif
4551 default:
4552 /* We're skipping this test */
4553 return 1;
4554 }
4555
4556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4557 TLS_client_method(), TLS1_VERSION,
4558 max_version, &sctx, &cctx, cert,
4559 privkey)))
4560 goto end;
4561
4562 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4563 TLS1_3_RFC_AES_128_GCM_SHA256)))
4564 goto end;
4565
4566 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4567 TLS1_3_RFC_AES_128_GCM_SHA256)))
4568 goto end;
4569
4570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4571 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4572 goto end;
4573
4574 /*
4575 * Must include an EC ciphersuite so that we send supported groups in
4576 * TLSv1.2
4577 */
4578 # ifndef OPENSSL_NO_TLS1_2
4579 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4580 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4581 TLS1_TXT_RSA_WITH_AES_128_SHA)))
4582 goto end;
4583 # endif
4584
4585 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4586 NULL, NULL)))
4587 goto end;
4588
4589 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4590 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4591 goto end;
4592
4593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4594 goto end;
4595
4596 /*
4597 * If Handshake succeeds the negotiated kexch alg should be the first one in
4598 * configured, except in the case of FFDHE groups (idx 13), which are
4599 * TLSv1.3 only so we expect no shared group to exist.
4600 */
4601 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4602 idx == 13 ? 0 : kexch_groups[0]))
4603 goto end;
4604 if (max_version == TLS1_3_VERSION) {
4605 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4606 goto end;
4607 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4608 goto end;
4609 }
4610
4611 testresult = 1;
4612 end:
4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4615 SSL_CTX_free(sctx);
4616 SSL_CTX_free(cctx);
4617 return testresult;
4618 }
4619
4620 /*
4621 * Test TLSv1.3 Cipher Suite
4622 * Test 0 = Set TLS1.3 cipher on context
4623 * Test 1 = Set TLS1.3 cipher on SSL
4624 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4625 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4626 */
4627 static int test_tls13_ciphersuite(int idx)
4628 {
4629 SSL_CTX *sctx = NULL, *cctx = NULL;
4630 SSL *serverssl = NULL, *clientssl = NULL;
4631 static const struct {
4632 const char *ciphername;
4633 int fipscapable;
4634 } t13_ciphers[] = {
4635 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4636 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4637 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4638 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4639 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4640 { TLS1_3_RFC_AES_256_GCM_SHA384
4641 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4642 # endif
4643 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4644 };
4645 const char *t13_cipher = NULL;
4646 const char *t12_cipher = NULL;
4647 const char *negotiated_scipher;
4648 const char *negotiated_ccipher;
4649 int set_at_ctx = 0;
4650 int set_at_ssl = 0;
4651 int testresult = 0;
4652 int max_ver;
4653 size_t i;
4654
4655 switch (idx) {
4656 case 0:
4657 set_at_ctx = 1;
4658 break;
4659 case 1:
4660 set_at_ssl = 1;
4661 break;
4662 case 2:
4663 set_at_ctx = 1;
4664 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4665 break;
4666 case 3:
4667 set_at_ssl = 1;
4668 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4669 break;
4670 }
4671
4672 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4673 # ifdef OPENSSL_NO_TLS1_2
4674 if (max_ver == TLS1_2_VERSION)
4675 continue;
4676 # endif
4677 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4678 if (is_fips && !t13_ciphers[i].fipscapable)
4679 continue;
4680 t13_cipher = t13_ciphers[i].ciphername;
4681 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4682 TLS_client_method(),
4683 TLS1_VERSION, max_ver,
4684 &sctx, &cctx, cert, privkey)))
4685 goto end;
4686
4687 if (set_at_ctx) {
4688 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4689 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4690 goto end;
4691 if (t12_cipher != NULL) {
4692 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4693 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4694 t12_cipher)))
4695 goto end;
4696 }
4697 }
4698
4699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4700 &clientssl, NULL, NULL)))
4701 goto end;
4702
4703 if (set_at_ssl) {
4704 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4705 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4706 goto end;
4707 if (t12_cipher != NULL) {
4708 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4709 || !TEST_true(SSL_set_cipher_list(clientssl,
4710 t12_cipher)))
4711 goto end;
4712 }
4713 }
4714
4715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4716 SSL_ERROR_NONE)))
4717 goto end;
4718
4719 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4720 serverssl));
4721 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4722 clientssl));
4723 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4724 goto end;
4725
4726 /*
4727 * TEST_strn_eq is used below because t13_cipher can contain
4728 * multiple ciphersuites
4729 */
4730 if (max_ver == TLS1_3_VERSION
4731 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4732 strlen(negotiated_scipher)))
4733 goto end;
4734
4735 # ifndef OPENSSL_NO_TLS1_2
4736 /* Below validation is not done when t12_cipher is NULL */
4737 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4738 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4739 goto end;
4740 # endif
4741
4742 SSL_free(serverssl);
4743 serverssl = NULL;
4744 SSL_free(clientssl);
4745 clientssl = NULL;
4746 SSL_CTX_free(sctx);
4747 sctx = NULL;
4748 SSL_CTX_free(cctx);
4749 cctx = NULL;
4750 }
4751 }
4752
4753 testresult = 1;
4754 end:
4755 SSL_free(serverssl);
4756 SSL_free(clientssl);
4757 SSL_CTX_free(sctx);
4758 SSL_CTX_free(cctx);
4759 return testresult;
4760 }
4761
4762 /*
4763 * Test TLSv1.3 PSKs
4764 * Test 0 = Test new style callbacks
4765 * Test 1 = Test both new and old style callbacks
4766 * Test 2 = Test old style callbacks
4767 * Test 3 = Test old style callbacks with no certificate
4768 */
4769 static int test_tls13_psk(int idx)
4770 {
4771 SSL_CTX *sctx = NULL, *cctx = NULL;
4772 SSL *serverssl = NULL, *clientssl = NULL;
4773 const SSL_CIPHER *cipher = NULL;
4774 const unsigned char key[] = {
4775 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4776 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4777 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4778 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4779 };
4780 int testresult = 0;
4781
4782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4783 TLS_client_method(), TLS1_VERSION, 0,
4784 &sctx, &cctx, idx == 3 ? NULL : cert,
4785 idx == 3 ? NULL : privkey)))
4786 goto end;
4787
4788 if (idx != 3) {
4789 /*
4790 * We use a ciphersuite with SHA256 to ease testing old style PSK
4791 * callbacks which will always default to SHA256. This should not be
4792 * necessary if we have no cert/priv key. In that case the server should
4793 * prefer SHA256 automatically.
4794 */
4795 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4796 "TLS_AES_128_GCM_SHA256")))
4797 goto end;
4798 } else {
4799 /*
4800 * As noted above the server should prefer SHA256 automatically. However
4801 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4802 * code works even if we are testing with only the FIPS provider loaded.
4803 */
4804 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4805 "TLS_AES_256_GCM_SHA384:"
4806 "TLS_AES_128_GCM_SHA256")))
4807 goto end;
4808 }
4809
4810 /*
4811 * Test 0: New style callbacks only
4812 * Test 1: New and old style callbacks (only the new ones should be used)
4813 * Test 2: Old style callbacks only
4814 */
4815 if (idx == 0 || idx == 1) {
4816 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4817 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4818 }
4819 #ifndef OPENSSL_NO_PSK
4820 if (idx >= 1) {
4821 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4822 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4823 }
4824 #endif
4825 srvid = pskid;
4826 use_session_cb_cnt = 0;
4827 find_session_cb_cnt = 0;
4828 psk_client_cb_cnt = 0;
4829 psk_server_cb_cnt = 0;
4830
4831 if (idx != 3) {
4832 /*
4833 * Check we can create a connection if callback decides not to send a
4834 * PSK
4835 */
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4837 NULL, NULL))
4838 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4839 SSL_ERROR_NONE))
4840 || !TEST_false(SSL_session_reused(clientssl))
4841 || !TEST_false(SSL_session_reused(serverssl)))
4842 goto end;
4843
4844 if (idx == 0 || idx == 1) {
4845 if (!TEST_true(use_session_cb_cnt == 1)
4846 || !TEST_true(find_session_cb_cnt == 0)
4847 /*
4848 * If no old style callback then below should be 0
4849 * otherwise 1
4850 */
4851 || !TEST_true(psk_client_cb_cnt == idx)
4852 || !TEST_true(psk_server_cb_cnt == 0))
4853 goto end;
4854 } else {
4855 if (!TEST_true(use_session_cb_cnt == 0)
4856 || !TEST_true(find_session_cb_cnt == 0)
4857 || !TEST_true(psk_client_cb_cnt == 1)
4858 || !TEST_true(psk_server_cb_cnt == 0))
4859 goto end;
4860 }
4861
4862 shutdown_ssl_connection(serverssl, clientssl);
4863 serverssl = clientssl = NULL;
4864 use_session_cb_cnt = psk_client_cb_cnt = 0;
4865 }
4866
4867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4868 NULL, NULL)))
4869 goto end;
4870
4871 /* Create the PSK */
4872 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4873 clientpsk = SSL_SESSION_new();
4874 if (!TEST_ptr(clientpsk)
4875 || !TEST_ptr(cipher)
4876 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4877 sizeof(key)))
4878 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4879 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4880 TLS1_3_VERSION))
4881 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4882 goto end;
4883 serverpsk = clientpsk;
4884
4885 /* Check we can create a connection and the PSK is used */
4886 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4887 || !TEST_true(SSL_session_reused(clientssl))
4888 || !TEST_true(SSL_session_reused(serverssl)))
4889 goto end;
4890
4891 if (idx == 0 || idx == 1) {
4892 if (!TEST_true(use_session_cb_cnt == 1)
4893 || !TEST_true(find_session_cb_cnt == 1)
4894 || !TEST_true(psk_client_cb_cnt == 0)
4895 || !TEST_true(psk_server_cb_cnt == 0))
4896 goto end;
4897 } else {
4898 if (!TEST_true(use_session_cb_cnt == 0)
4899 || !TEST_true(find_session_cb_cnt == 0)
4900 || !TEST_true(psk_client_cb_cnt == 1)
4901 || !TEST_true(psk_server_cb_cnt == 1))
4902 goto end;
4903 }
4904
4905 shutdown_ssl_connection(serverssl, clientssl);
4906 serverssl = clientssl = NULL;
4907 use_session_cb_cnt = find_session_cb_cnt = 0;
4908 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4909
4910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4911 NULL, NULL)))
4912 goto end;
4913
4914 /* Force an HRR */
4915 #if defined(OPENSSL_NO_EC)
4916 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4917 goto end;
4918 #else
4919 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4920 goto end;
4921 #endif
4922
4923 /*
4924 * Check we can create a connection, the PSK is used and the callbacks are
4925 * called twice.
4926 */
4927 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4928 || !TEST_true(SSL_session_reused(clientssl))
4929 || !TEST_true(SSL_session_reused(serverssl)))
4930 goto end;
4931
4932 if (idx == 0 || idx == 1) {
4933 if (!TEST_true(use_session_cb_cnt == 2)
4934 || !TEST_true(find_session_cb_cnt == 2)
4935 || !TEST_true(psk_client_cb_cnt == 0)
4936 || !TEST_true(psk_server_cb_cnt == 0))
4937 goto end;
4938 } else {
4939 if (!TEST_true(use_session_cb_cnt == 0)
4940 || !TEST_true(find_session_cb_cnt == 0)
4941 || !TEST_true(psk_client_cb_cnt == 2)
4942 || !TEST_true(psk_server_cb_cnt == 2))
4943 goto end;
4944 }
4945
4946 shutdown_ssl_connection(serverssl, clientssl);
4947 serverssl = clientssl = NULL;
4948 use_session_cb_cnt = find_session_cb_cnt = 0;
4949 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4950
4951 if (idx != 3) {
4952 /*
4953 * Check that if the server rejects the PSK we can still connect, but with
4954 * a full handshake
4955 */
4956 srvid = "Dummy Identity";
4957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4958 NULL, NULL))
4959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4960 SSL_ERROR_NONE))
4961 || !TEST_false(SSL_session_reused(clientssl))
4962 || !TEST_false(SSL_session_reused(serverssl)))
4963 goto end;
4964
4965 if (idx == 0 || idx == 1) {
4966 if (!TEST_true(use_session_cb_cnt == 1)
4967 || !TEST_true(find_session_cb_cnt == 1)
4968 || !TEST_true(psk_client_cb_cnt == 0)
4969 /*
4970 * If no old style callback then below should be 0
4971 * otherwise 1
4972 */
4973 || !TEST_true(psk_server_cb_cnt == idx))
4974 goto end;
4975 } else {
4976 if (!TEST_true(use_session_cb_cnt == 0)
4977 || !TEST_true(find_session_cb_cnt == 0)
4978 || !TEST_true(psk_client_cb_cnt == 1)
4979 || !TEST_true(psk_server_cb_cnt == 1))
4980 goto end;
4981 }
4982
4983 shutdown_ssl_connection(serverssl, clientssl);
4984 serverssl = clientssl = NULL;
4985 }
4986 testresult = 1;
4987
4988 end:
4989 SSL_SESSION_free(clientpsk);
4990 SSL_SESSION_free(serverpsk);
4991 clientpsk = serverpsk = NULL;
4992 SSL_free(serverssl);
4993 SSL_free(clientssl);
4994 SSL_CTX_free(sctx);
4995 SSL_CTX_free(cctx);
4996 return testresult;
4997 }
4998
4999 static unsigned char cookie_magic_value[] = "cookie magic";
5000
5001 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5002 unsigned int *cookie_len)
5003 {
5004 /*
5005 * Not suitable as a real cookie generation function but good enough for
5006 * testing!
5007 */
5008 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5009 *cookie_len = sizeof(cookie_magic_value) - 1;
5010
5011 return 1;
5012 }
5013
5014 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5015 unsigned int cookie_len)
5016 {
5017 if (cookie_len == sizeof(cookie_magic_value) - 1
5018 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5019 return 1;
5020
5021 return 0;
5022 }
5023
5024 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5025 size_t *cookie_len)
5026 {
5027 unsigned int temp;
5028 int res = generate_cookie_callback(ssl, cookie, &temp);
5029 *cookie_len = temp;
5030 return res;
5031 }
5032
5033 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5034 size_t cookie_len)
5035 {
5036 return verify_cookie_callback(ssl, cookie, cookie_len);
5037 }
5038
5039 static int test_stateless(void)
5040 {
5041 SSL_CTX *sctx = NULL, *cctx = NULL;
5042 SSL *serverssl = NULL, *clientssl = NULL;
5043 int testresult = 0;
5044
5045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5046 TLS_client_method(), TLS1_VERSION, 0,
5047 &sctx, &cctx, cert, privkey)))
5048 goto end;
5049
5050 /* The arrival of CCS messages can confuse the test */
5051 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5052
5053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5054 NULL, NULL))
5055 /* Send the first ClientHello */
5056 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5057 SSL_ERROR_WANT_READ))
5058 /*
5059 * This should fail with a -1 return because we have no callbacks
5060 * set up
5061 */
5062 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5063 goto end;
5064
5065 /* Fatal error so abandon the connection from this client */
5066 SSL_free(clientssl);
5067 clientssl = NULL;
5068
5069 /* Set up the cookie generation and verification callbacks */
5070 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5071 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5072
5073 /*
5074 * Create a new connection from the client (we can reuse the server SSL
5075 * object).
5076 */
5077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5078 NULL, NULL))
5079 /* Send the first ClientHello */
5080 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5081 SSL_ERROR_WANT_READ))
5082 /* This should fail because there is no cookie */
5083 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5084 goto end;
5085
5086 /* Abandon the connection from this client */
5087 SSL_free(clientssl);
5088 clientssl = NULL;
5089
5090 /*
5091 * Now create a connection from a new client but with the same server SSL
5092 * object
5093 */
5094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5095 NULL, NULL))
5096 /* Send the first ClientHello */
5097 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5098 SSL_ERROR_WANT_READ))
5099 /* This should fail because there is no cookie */
5100 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5101 /* Send the second ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should succeed because a cookie is now present */
5105 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5106 /* Complete the connection */
5107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5108 SSL_ERROR_NONE)))
5109 goto end;
5110
5111 shutdown_ssl_connection(serverssl, clientssl);
5112 serverssl = clientssl = NULL;
5113 testresult = 1;
5114
5115 end:
5116 SSL_free(serverssl);
5117 SSL_free(clientssl);
5118 SSL_CTX_free(sctx);
5119 SSL_CTX_free(cctx);
5120 return testresult;
5121
5122 }
5123 #endif /* OPENSSL_NO_TLS1_3 */
5124
5125 static int clntaddoldcb = 0;
5126 static int clntparseoldcb = 0;
5127 static int srvaddoldcb = 0;
5128 static int srvparseoldcb = 0;
5129 static int clntaddnewcb = 0;
5130 static int clntparsenewcb = 0;
5131 static int srvaddnewcb = 0;
5132 static int srvparsenewcb = 0;
5133 static int snicb = 0;
5134
5135 #define TEST_EXT_TYPE1 0xff00
5136
5137 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5138 size_t *outlen, int *al, void *add_arg)
5139 {
5140 int *server = (int *)add_arg;
5141 unsigned char *data;
5142
5143 if (SSL_is_server(s))
5144 srvaddoldcb++;
5145 else
5146 clntaddoldcb++;
5147
5148 if (*server != SSL_is_server(s)
5149 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5150 return -1;
5151
5152 *data = 1;
5153 *out = data;
5154 *outlen = sizeof(char);
5155 return 1;
5156 }
5157
5158 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5159 void *add_arg)
5160 {
5161 OPENSSL_free((unsigned char *)out);
5162 }
5163
5164 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5165 size_t inlen, int *al, void *parse_arg)
5166 {
5167 int *server = (int *)parse_arg;
5168
5169 if (SSL_is_server(s))
5170 srvparseoldcb++;
5171 else
5172 clntparseoldcb++;
5173
5174 if (*server != SSL_is_server(s)
5175 || inlen != sizeof(char)
5176 || *in != 1)
5177 return -1;
5178
5179 return 1;
5180 }
5181
5182 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5183 const unsigned char **out, size_t *outlen, X509 *x,
5184 size_t chainidx, int *al, void *add_arg)
5185 {
5186 int *server = (int *)add_arg;
5187 unsigned char *data;
5188
5189 if (SSL_is_server(s))
5190 srvaddnewcb++;
5191 else
5192 clntaddnewcb++;
5193
5194 if (*server != SSL_is_server(s)
5195 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5196 return -1;
5197
5198 *data = 1;
5199 *out = data;
5200 *outlen = sizeof(*data);
5201 return 1;
5202 }
5203
5204 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5205 const unsigned char *out, void *add_arg)
5206 {
5207 OPENSSL_free((unsigned char *)out);
5208 }
5209
5210 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5211 const unsigned char *in, size_t inlen, X509 *x,
5212 size_t chainidx, int *al, void *parse_arg)
5213 {
5214 int *server = (int *)parse_arg;
5215
5216 if (SSL_is_server(s))
5217 srvparsenewcb++;
5218 else
5219 clntparsenewcb++;
5220
5221 if (*server != SSL_is_server(s)
5222 || inlen != sizeof(char) || *in != 1)
5223 return -1;
5224
5225 return 1;
5226 }
5227
5228 static int sni_cb(SSL *s, int *al, void *arg)
5229 {
5230 SSL_CTX *ctx = (SSL_CTX *)arg;
5231
5232 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5233 *al = SSL_AD_INTERNAL_ERROR;
5234 return SSL_TLSEXT_ERR_ALERT_FATAL;
5235 }
5236 snicb++;
5237 return SSL_TLSEXT_ERR_OK;
5238 }
5239
5240 /*
5241 * Custom call back tests.
5242 * Test 0: Old style callbacks in TLSv1.2
5243 * Test 1: New style callbacks in TLSv1.2
5244 * Test 2: New style callbacks in TLSv1.2 with SNI
5245 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5246 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5247 */
5248 static int test_custom_exts(int tst)
5249 {
5250 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5251 SSL *clientssl = NULL, *serverssl = NULL;
5252 int testresult = 0;
5253 static int server = 1;
5254 static int client = 0;
5255 SSL_SESSION *sess = NULL;
5256 unsigned int context;
5257
5258 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5259 /* Skip tests for TLSv1.2 and below in this case */
5260 if (tst < 3)
5261 return 1;
5262 #endif
5263
5264 /* Reset callback counters */
5265 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5266 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5267 snicb = 0;
5268
5269 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5270 TLS_client_method(), TLS1_VERSION, 0,
5271 &sctx, &cctx, cert, privkey)))
5272 goto end;
5273
5274 if (tst == 2
5275 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5276 TLS1_VERSION, 0,
5277 &sctx2, NULL, cert, privkey)))
5278 goto end;
5279
5280
5281 if (tst < 3) {
5282 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5283 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5284 if (sctx2 != NULL)
5285 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5286 }
5287
5288 if (tst == 4) {
5289 context = SSL_EXT_CLIENT_HELLO
5290 | SSL_EXT_TLS1_2_SERVER_HELLO
5291 | SSL_EXT_TLS1_3_SERVER_HELLO
5292 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5293 | SSL_EXT_TLS1_3_CERTIFICATE
5294 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5295 } else {
5296 context = SSL_EXT_CLIENT_HELLO
5297 | SSL_EXT_TLS1_2_SERVER_HELLO
5298 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5299 }
5300
5301 /* Create a client side custom extension */
5302 if (tst == 0) {
5303 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5304 old_add_cb, old_free_cb,
5305 &client, old_parse_cb,
5306 &client)))
5307 goto end;
5308 } else {
5309 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5310 new_add_cb, new_free_cb,
5311 &client, new_parse_cb, &client)))
5312 goto end;
5313 }
5314
5315 /* Should not be able to add duplicates */
5316 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5317 old_add_cb, old_free_cb,
5318 &client, old_parse_cb,
5319 &client))
5320 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5321 context, new_add_cb,
5322 new_free_cb, &client,
5323 new_parse_cb, &client)))
5324 goto end;
5325
5326 /* Create a server side custom extension */
5327 if (tst == 0) {
5328 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5329 old_add_cb, old_free_cb,
5330 &server, old_parse_cb,
5331 &server)))
5332 goto end;
5333 } else {
5334 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5335 new_add_cb, new_free_cb,
5336 &server, new_parse_cb, &server)))
5337 goto end;
5338 if (sctx2 != NULL
5339 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5340 context, new_add_cb,
5341 new_free_cb, &server,
5342 new_parse_cb, &server)))
5343 goto end;
5344 }
5345
5346 /* Should not be able to add duplicates */
5347 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5348 old_add_cb, old_free_cb,
5349 &server, old_parse_cb,
5350 &server))
5351 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5352 context, new_add_cb,
5353 new_free_cb, &server,
5354 new_parse_cb, &server)))
5355 goto end;
5356
5357 if (tst == 2) {
5358 /* Set up SNI */
5359 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5360 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5361 goto end;
5362 }
5363
5364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5365 &clientssl, NULL, NULL))
5366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5367 SSL_ERROR_NONE)))
5368 goto end;
5369
5370 if (tst == 0) {
5371 if (clntaddoldcb != 1
5372 || clntparseoldcb != 1
5373 || srvaddoldcb != 1
5374 || srvparseoldcb != 1)
5375 goto end;
5376 } else if (tst == 1 || tst == 2 || tst == 3) {
5377 if (clntaddnewcb != 1
5378 || clntparsenewcb != 1
5379 || srvaddnewcb != 1
5380 || srvparsenewcb != 1
5381 || (tst != 2 && snicb != 0)
5382 || (tst == 2 && snicb != 1))
5383 goto end;
5384 } else {
5385 /* In this case there 2 NewSessionTicket messages created */
5386 if (clntaddnewcb != 1
5387 || clntparsenewcb != 5
5388 || srvaddnewcb != 5
5389 || srvparsenewcb != 1)
5390 goto end;
5391 }
5392
5393 sess = SSL_get1_session(clientssl);
5394 SSL_shutdown(clientssl);
5395 SSL_shutdown(serverssl);
5396 SSL_free(serverssl);
5397 SSL_free(clientssl);
5398 serverssl = clientssl = NULL;
5399
5400 if (tst == 3) {
5401 /* We don't bother with the resumption aspects for this test */
5402 testresult = 1;
5403 goto end;
5404 }
5405
5406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5407 NULL, NULL))
5408 || !TEST_true(SSL_set_session(clientssl, sess))
5409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_NONE)))
5411 goto end;
5412
5413 /*
5414 * For a resumed session we expect to add the ClientHello extension. For the
5415 * old style callbacks we ignore it on the server side because they set
5416 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5417 * them.
5418 */
5419 if (tst == 0) {
5420 if (clntaddoldcb != 2
5421 || clntparseoldcb != 1
5422 || srvaddoldcb != 1
5423 || srvparseoldcb != 1)
5424 goto end;
5425 } else if (tst == 1 || tst == 2 || tst == 3) {
5426 if (clntaddnewcb != 2
5427 || clntparsenewcb != 2
5428 || srvaddnewcb != 2
5429 || srvparsenewcb != 2)
5430 goto end;
5431 } else {
5432 /*
5433 * No Certificate message extensions in the resumption handshake,
5434 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5435 */
5436 if (clntaddnewcb != 2
5437 || clntparsenewcb != 8
5438 || srvaddnewcb != 8
5439 || srvparsenewcb != 2)
5440 goto end;
5441 }
5442
5443 testresult = 1;
5444
5445 end:
5446 SSL_SESSION_free(sess);
5447 SSL_free(serverssl);
5448 SSL_free(clientssl);
5449 SSL_CTX_free(sctx2);
5450 SSL_CTX_free(sctx);
5451 SSL_CTX_free(cctx);
5452 return testresult;
5453 }
5454
5455 /*
5456 * Test loading of serverinfo data in various formats. test_sslmessages actually
5457 * tests to make sure the extensions appear in the handshake
5458 */
5459 static int test_serverinfo(int tst)
5460 {
5461 unsigned int version;
5462 unsigned char *sibuf;
5463 size_t sibuflen;
5464 int ret, expected, testresult = 0;
5465 SSL_CTX *ctx;
5466
5467 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5468 if (!TEST_ptr(ctx))
5469 goto end;
5470
5471 if ((tst & 0x01) == 0x01)
5472 version = SSL_SERVERINFOV2;
5473 else
5474 version = SSL_SERVERINFOV1;
5475
5476 if ((tst & 0x02) == 0x02) {
5477 sibuf = serverinfov2;
5478 sibuflen = sizeof(serverinfov2);
5479 expected = (version == SSL_SERVERINFOV2);
5480 } else {
5481 sibuf = serverinfov1;
5482 sibuflen = sizeof(serverinfov1);
5483 expected = (version == SSL_SERVERINFOV1);
5484 }
5485
5486 if ((tst & 0x04) == 0x04) {
5487 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5488 } else {
5489 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5490
5491 /*
5492 * The version variable is irrelevant in this case - it's what is in the
5493 * buffer that matters
5494 */
5495 if ((tst & 0x02) == 0x02)
5496 expected = 0;
5497 else
5498 expected = 1;
5499 }
5500
5501 if (!TEST_true(ret == expected))
5502 goto end;
5503
5504 testresult = 1;
5505
5506 end:
5507 SSL_CTX_free(ctx);
5508
5509 return testresult;
5510 }
5511
5512 /*
5513 * Test that SSL_export_keying_material() produces expected results. There are
5514 * no test vectors so all we do is test that both sides of the communication
5515 * produce the same results for different protocol versions.
5516 */
5517 #define SMALL_LABEL_LEN 10
5518 #define LONG_LABEL_LEN 249
5519 static int test_export_key_mat(int tst)
5520 {
5521 int testresult = 0;
5522 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5523 SSL *clientssl = NULL, *serverssl = NULL;
5524 const char label[LONG_LABEL_LEN + 1] = "test label";
5525 const unsigned char context[] = "context";
5526 const unsigned char *emptycontext = NULL;
5527 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5528 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5529 size_t labellen;
5530 const int protocols[] = {
5531 TLS1_VERSION,
5532 TLS1_1_VERSION,
5533 TLS1_2_VERSION,
5534 TLS1_3_VERSION,
5535 TLS1_3_VERSION,
5536 TLS1_3_VERSION
5537 };
5538
5539 #ifdef OPENSSL_NO_TLS1
5540 if (tst == 0)
5541 return 1;
5542 #endif
5543 #ifdef OPENSSL_NO_TLS1_1
5544 if (tst == 1)
5545 return 1;
5546 #endif
5547 if (is_fips && (tst == 0 || tst == 1))
5548 return 1;
5549 #ifdef OPENSSL_NO_TLS1_2
5550 if (tst == 2)
5551 return 1;
5552 #endif
5553 #ifdef OPENSSL_NO_TLS1_3
5554 if (tst >= 3)
5555 return 1;
5556 #endif
5557 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5558 TLS_client_method(), TLS1_VERSION, 0,
5559 &sctx, &cctx, cert, privkey)))
5560 goto end;
5561
5562 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5563 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5564 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5565
5566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5567 NULL))
5568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5569 SSL_ERROR_NONE)))
5570 goto end;
5571
5572 if (tst == 5) {
5573 /*
5574 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5575 * go over that.
5576 */
5577 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5578 sizeof(ckeymat1), label,
5579 LONG_LABEL_LEN + 1, context,
5580 sizeof(context) - 1, 1), 0))
5581 goto end;
5582
5583 testresult = 1;
5584 goto end;
5585 } else if (tst == 4) {
5586 labellen = LONG_LABEL_LEN;
5587 } else {
5588 labellen = SMALL_LABEL_LEN;
5589 }
5590
5591 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5592 sizeof(ckeymat1), label,
5593 labellen, context,
5594 sizeof(context) - 1, 1), 1)
5595 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5596 sizeof(ckeymat2), label,
5597 labellen,
5598 emptycontext,
5599 0, 1), 1)
5600 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5601 sizeof(ckeymat3), label,
5602 labellen,
5603 NULL, 0, 0), 1)
5604 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5605 sizeof(skeymat1), label,
5606 labellen,
5607 context,
5608 sizeof(context) -1, 1),
5609 1)
5610 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5611 sizeof(skeymat2), label,
5612 labellen,
5613 emptycontext,
5614 0, 1), 1)
5615 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5616 sizeof(skeymat3), label,
5617 labellen,
5618 NULL, 0, 0), 1)
5619 /*
5620 * Check that both sides created the same key material with the
5621 * same context.
5622 */
5623 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5624 sizeof(skeymat1))
5625 /*
5626 * Check that both sides created the same key material with an
5627 * empty context.
5628 */
5629 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5630 sizeof(skeymat2))
5631 /*
5632 * Check that both sides created the same key material without a
5633 * context.
5634 */
5635 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5636 sizeof(skeymat3))
5637 /* Different contexts should produce different results */
5638 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5639 sizeof(ckeymat2)))
5640 goto end;
5641
5642 /*
5643 * Check that an empty context and no context produce different results in
5644 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5645 */
5646 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5647 sizeof(ckeymat3)))
5648 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5649 sizeof(ckeymat3))))
5650 goto end;
5651
5652 testresult = 1;
5653
5654 end:
5655 SSL_free(serverssl);
5656 SSL_free(clientssl);
5657 SSL_CTX_free(sctx2);
5658 SSL_CTX_free(sctx);
5659 SSL_CTX_free(cctx);
5660
5661 return testresult;
5662 }
5663
5664 #ifndef OPENSSL_NO_TLS1_3
5665 /*
5666 * Test that SSL_export_keying_material_early() produces expected
5667 * results. There are no test vectors so all we do is test that both
5668 * sides of the communication produce the same results for different
5669 * protocol versions.
5670 */
5671 static int test_export_key_mat_early(int idx)
5672 {
5673 static const char label[] = "test label";
5674 static const unsigned char context[] = "context";
5675 int testresult = 0;
5676 SSL_CTX *cctx = NULL, *sctx = NULL;
5677 SSL *clientssl = NULL, *serverssl = NULL;
5678 SSL_SESSION *sess = NULL;
5679 const unsigned char *emptycontext = NULL;
5680 unsigned char ckeymat1[80], ckeymat2[80];
5681 unsigned char skeymat1[80], skeymat2[80];
5682 unsigned char buf[1];
5683 size_t readbytes, written;
5684
5685 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5686 &sess, idx)))
5687 goto end;
5688
5689 /* Here writing 0 length early data is enough. */
5690 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5691 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5692 &readbytes),
5693 SSL_READ_EARLY_DATA_ERROR)
5694 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5695 SSL_EARLY_DATA_ACCEPTED))
5696 goto end;
5697
5698 if (!TEST_int_eq(SSL_export_keying_material_early(
5699 clientssl, ckeymat1, sizeof(ckeymat1), label,
5700 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5701 || !TEST_int_eq(SSL_export_keying_material_early(
5702 clientssl, ckeymat2, sizeof(ckeymat2), label,
5703 sizeof(label) - 1, emptycontext, 0), 1)
5704 || !TEST_int_eq(SSL_export_keying_material_early(
5705 serverssl, skeymat1, sizeof(skeymat1), label,
5706 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5707 || !TEST_int_eq(SSL_export_keying_material_early(
5708 serverssl, skeymat2, sizeof(skeymat2), label,
5709 sizeof(label) - 1, emptycontext, 0), 1)
5710 /*
5711 * Check that both sides created the same key material with the
5712 * same context.
5713 */
5714 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5715 sizeof(skeymat1))
5716 /*
5717 * Check that both sides created the same key material with an
5718 * empty context.
5719 */
5720 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5721 sizeof(skeymat2))
5722 /* Different contexts should produce different results */
5723 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5724 sizeof(ckeymat2)))
5725 goto end;
5726
5727 testresult = 1;
5728
5729 end:
5730 SSL_SESSION_free(sess);
5731 SSL_SESSION_free(clientpsk);
5732 SSL_SESSION_free(serverpsk);
5733 clientpsk = serverpsk = NULL;
5734 SSL_free(serverssl);
5735 SSL_free(clientssl);
5736 SSL_CTX_free(sctx);
5737 SSL_CTX_free(cctx);
5738
5739 return testresult;
5740 }
5741
5742 #define NUM_KEY_UPDATE_MESSAGES 40
5743 /*
5744 * Test KeyUpdate.
5745 */
5746 static int test_key_update(void)
5747 {
5748 SSL_CTX *cctx = NULL, *sctx = NULL;
5749 SSL *clientssl = NULL, *serverssl = NULL;
5750 int testresult = 0, i, j;
5751 char buf[20];
5752 static char *mess = "A test message";
5753
5754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5755 TLS_client_method(),
5756 TLS1_3_VERSION,
5757 0,
5758 &sctx, &cctx, cert, privkey))
5759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5760 NULL, NULL))
5761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5762 SSL_ERROR_NONE)))
5763 goto end;
5764
5765 for (j = 0; j < 2; j++) {
5766 /* Send lots of KeyUpdate messages */
5767 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5768 if (!TEST_true(SSL_key_update(clientssl,
5769 (j == 0)
5770 ? SSL_KEY_UPDATE_NOT_REQUESTED
5771 : SSL_KEY_UPDATE_REQUESTED))
5772 || !TEST_true(SSL_do_handshake(clientssl)))
5773 goto end;
5774 }
5775
5776 /* Check that sending and receiving app data is ok */
5777 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5778 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5779 strlen(mess)))
5780 goto end;
5781
5782 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5783 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5784 strlen(mess)))
5785 goto end;
5786 }
5787
5788 testresult = 1;
5789
5790 end:
5791 SSL_free(serverssl);
5792 SSL_free(clientssl);
5793 SSL_CTX_free(sctx);
5794 SSL_CTX_free(cctx);
5795
5796 return testresult;
5797 }
5798
5799 /*
5800 * Test we can handle a KeyUpdate (update requested) message while write data
5801 * is pending.
5802 * Test 0: Client sends KeyUpdate while Server is writing
5803 * Test 1: Server sends KeyUpdate while Client is writing
5804 */
5805 static int test_key_update_in_write(int tst)
5806 {
5807 SSL_CTX *cctx = NULL, *sctx = NULL;
5808 SSL *clientssl = NULL, *serverssl = NULL;
5809 int testresult = 0;
5810 char buf[20];
5811 static char *mess = "A test message";
5812 BIO *bretry = BIO_new(bio_s_always_retry());
5813 BIO *tmp = NULL;
5814 SSL *peerupdate = NULL, *peerwrite = NULL;
5815
5816 if (!TEST_ptr(bretry)
5817 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5818 TLS_client_method(),
5819 TLS1_3_VERSION,
5820 0,
5821 &sctx, &cctx, cert, privkey))
5822 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5823 NULL, NULL))
5824 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5825 SSL_ERROR_NONE)))
5826 goto end;
5827
5828 peerupdate = tst == 0 ? clientssl : serverssl;
5829 peerwrite = tst == 0 ? serverssl : clientssl;
5830
5831 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5832 || !TEST_true(SSL_do_handshake(peerupdate)))
5833 goto end;
5834
5835 /* Swap the writing endpoint's write BIO to force a retry */
5836 tmp = SSL_get_wbio(peerwrite);
5837 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5838 tmp = NULL;
5839 goto end;
5840 }
5841 SSL_set0_wbio(peerwrite, bretry);
5842 bretry = NULL;
5843
5844 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5845 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5846 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5847 goto end;
5848
5849 /* Reinstate the original writing endpoint's write BIO */
5850 SSL_set0_wbio(peerwrite, tmp);
5851 tmp = NULL;
5852
5853 /* Now read some data - we will read the key update */
5854 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5855 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5856 goto end;
5857
5858 /*
5859 * Complete the write we started previously and read it from the other
5860 * endpoint
5861 */
5862 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5863 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5864 goto end;
5865
5866 /* Write more data to ensure we send the KeyUpdate message back */
5867 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5868 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5869 goto end;
5870
5871 testresult = 1;
5872
5873 end:
5874 SSL_free(serverssl);
5875 SSL_free(clientssl);
5876 SSL_CTX_free(sctx);
5877 SSL_CTX_free(cctx);
5878 BIO_free(bretry);
5879 BIO_free(tmp);
5880
5881 return testresult;
5882 }
5883 #endif /* OPENSSL_NO_TLS1_3 */
5884
5885 static int test_ssl_clear(int idx)
5886 {
5887 SSL_CTX *cctx = NULL, *sctx = NULL;
5888 SSL *clientssl = NULL, *serverssl = NULL;
5889 int testresult = 0;
5890
5891 #ifdef OPENSSL_NO_TLS1_2
5892 if (idx == 1)
5893 return 1;
5894 #endif
5895
5896 /* Create an initial connection */
5897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5898 TLS_client_method(), TLS1_VERSION, 0,
5899 &sctx, &cctx, cert, privkey))
5900 || (idx == 1
5901 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5902 TLS1_2_VERSION)))
5903 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5904 &clientssl, NULL, NULL))
5905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5906 SSL_ERROR_NONE)))
5907 goto end;
5908
5909 SSL_shutdown(clientssl);
5910 SSL_shutdown(serverssl);
5911 SSL_free(serverssl);
5912 serverssl = NULL;
5913
5914 /* Clear clientssl - we're going to reuse the object */
5915 if (!TEST_true(SSL_clear(clientssl)))
5916 goto end;
5917
5918 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5919 NULL, NULL))
5920 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5921 SSL_ERROR_NONE))
5922 || !TEST_true(SSL_session_reused(clientssl)))
5923 goto end;
5924
5925 SSL_shutdown(clientssl);
5926 SSL_shutdown(serverssl);
5927
5928 testresult = 1;
5929
5930 end:
5931 SSL_free(serverssl);
5932 SSL_free(clientssl);
5933 SSL_CTX_free(sctx);
5934 SSL_CTX_free(cctx);
5935
5936 return testresult;
5937 }
5938
5939 /* Parse CH and retrieve any MFL extension value if present */
5940 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5941 {
5942 long len;
5943 unsigned char *data;
5944 PACKET pkt, pkt2, pkt3;
5945 unsigned int MFL_code = 0, type = 0;
5946
5947 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5948 goto end;
5949
5950 memset(&pkt, 0, sizeof(pkt));
5951 memset(&pkt2, 0, sizeof(pkt2));
5952 memset(&pkt3, 0, sizeof(pkt3));
5953
5954 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5955 /* Skip the record header */
5956 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5957 /* Skip the handshake message header */
5958 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5959 /* Skip client version and random */
5960 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5961 + SSL3_RANDOM_SIZE))
5962 /* Skip session id */
5963 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5964 /* Skip ciphers */
5965 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5966 /* Skip compression */
5967 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5968 /* Extensions len */
5969 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5970 goto end;
5971
5972 /* Loop through all extensions */
5973 while (PACKET_remaining(&pkt2)) {
5974 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5975 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5976 goto end;
5977
5978 if (type == TLSEXT_TYPE_max_fragment_length) {
5979 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5980 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5981 goto end;
5982
5983 *mfl_codemfl_code = MFL_code;
5984 return 1;
5985 }
5986 }
5987
5988 end:
5989 return 0;
5990 }
5991
5992 /* Maximum-Fragment-Length TLS extension mode to test */
5993 static const unsigned char max_fragment_len_test[] = {
5994 TLSEXT_max_fragment_length_512,
5995 TLSEXT_max_fragment_length_1024,
5996 TLSEXT_max_fragment_length_2048,
5997 TLSEXT_max_fragment_length_4096
5998 };
5999
6000 static int test_max_fragment_len_ext(int idx_tst)
6001 {
6002 SSL_CTX *ctx;
6003 SSL *con = NULL;
6004 int testresult = 0, MFL_mode = 0;
6005 BIO *rbio, *wbio;
6006
6007 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
6008 if (!TEST_ptr(ctx))
6009 goto end;
6010
6011 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6012 ctx, max_fragment_len_test[idx_tst])))
6013 goto end;
6014
6015 con = SSL_new(ctx);
6016 if (!TEST_ptr(con))
6017 goto end;
6018
6019 rbio = BIO_new(BIO_s_mem());
6020 wbio = BIO_new(BIO_s_mem());
6021 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6022 BIO_free(rbio);
6023 BIO_free(wbio);
6024 goto end;
6025 }
6026
6027 SSL_set_bio(con, rbio, wbio);
6028 SSL_set_connect_state(con);
6029
6030 if (!TEST_int_le(SSL_connect(con), 0)) {
6031 /* This shouldn't succeed because we don't have a server! */
6032 goto end;
6033 }
6034
6035 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6036 /* no MFL in client hello */
6037 goto end;
6038 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6039 goto end;
6040
6041 testresult = 1;
6042
6043 end:
6044 SSL_free(con);
6045 SSL_CTX_free(ctx);
6046
6047 return testresult;
6048 }
6049
6050 #ifndef OPENSSL_NO_TLS1_3
6051 static int test_pha_key_update(void)
6052 {
6053 SSL_CTX *cctx = NULL, *sctx = NULL;
6054 SSL *clientssl = NULL, *serverssl = NULL;
6055 int testresult = 0;
6056
6057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6058 TLS_client_method(), TLS1_VERSION, 0,
6059 &sctx, &cctx, cert, privkey)))
6060 return 0;
6061
6062 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6063 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6064 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6065 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6066 goto end;
6067
6068 SSL_CTX_set_post_handshake_auth(cctx, 1);
6069
6070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6071 NULL, NULL)))
6072 goto end;
6073
6074 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6075 SSL_ERROR_NONE)))
6076 goto end;
6077
6078 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6079 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6080 goto end;
6081
6082 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6083 goto end;
6084
6085 /* Start handshake on the server */
6086 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6087 goto end;
6088
6089 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6090 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6091 SSL_ERROR_NONE)))
6092 goto end;
6093
6094 SSL_shutdown(clientssl);
6095 SSL_shutdown(serverssl);
6096
6097 testresult = 1;
6098
6099 end:
6100 SSL_free(serverssl);
6101 SSL_free(clientssl);
6102 SSL_CTX_free(sctx);
6103 SSL_CTX_free(cctx);
6104 return testresult;
6105 }
6106 #endif
6107
6108 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6109
6110 static SRP_VBASE *vbase = NULL;
6111
6112 DEFINE_STACK_OF(SRP_user_pwd)
6113
6114 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6115 {
6116 int ret = SSL3_AL_FATAL;
6117 char *username;
6118 SRP_user_pwd *user = NULL;
6119
6120 username = SSL_get_srp_username(s);
6121 if (username == NULL) {
6122 *ad = SSL_AD_INTERNAL_ERROR;
6123 goto err;
6124 }
6125
6126 user = SRP_VBASE_get1_by_user(vbase, username);
6127 if (user == NULL) {
6128 *ad = SSL_AD_INTERNAL_ERROR;
6129 goto err;
6130 }
6131
6132 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6133 user->info) <= 0) {
6134 *ad = SSL_AD_INTERNAL_ERROR;
6135 goto err;
6136 }
6137
6138 ret = 0;
6139
6140 err:
6141 SRP_user_pwd_free(user);
6142 return ret;
6143 }
6144
6145 static int create_new_vfile(char *userid, char *password, const char *filename)
6146 {
6147 char *gNid = NULL;
6148 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6149 TXT_DB *db = NULL;
6150 int ret = 0;
6151 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6152 size_t i;
6153
6154 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6155 goto end;
6156
6157 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6158 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6159 if (!TEST_ptr(gNid))
6160 goto end;
6161
6162 /*
6163 * The only way to create an empty TXT_DB is to provide a BIO with no data
6164 * in it!
6165 */
6166 db = TXT_DB_read(dummy, DB_NUMBER);
6167 if (!TEST_ptr(db))
6168 goto end;
6169
6170 out = BIO_new_file(filename, "w");
6171 if (!TEST_ptr(out))
6172 goto end;
6173
6174 row[DB_srpid] = OPENSSL_strdup(userid);
6175 row[DB_srptype] = OPENSSL_strdup("V");
6176 row[DB_srpgN] = OPENSSL_strdup(gNid);
6177
6178 if (!TEST_ptr(row[DB_srpid])
6179 || !TEST_ptr(row[DB_srptype])
6180 || !TEST_ptr(row[DB_srpgN])
6181 || !TEST_true(TXT_DB_insert(db, row)))
6182 goto end;
6183
6184 row = NULL;
6185
6186 if (!TXT_DB_write(out, db))
6187 goto end;
6188
6189 ret = 1;
6190 end:
6191 if (row != NULL) {
6192 for (i = 0; i < DB_NUMBER; i++)
6193 OPENSSL_free(row[i]);
6194 }
6195 OPENSSL_free(row);
6196 BIO_free(dummy);
6197 BIO_free(out);
6198 TXT_DB_free(db);
6199
6200 return ret;
6201 }
6202
6203 static int create_new_vbase(char *userid, char *password)
6204 {
6205 BIGNUM *verifier = NULL, *salt = NULL;
6206 const SRP_gN *lgN = NULL;
6207 SRP_user_pwd *user_pwd = NULL;
6208 int ret = 0;
6209
6210 lgN = SRP_get_default_gN(NULL);
6211 if (!TEST_ptr(lgN))
6212 goto end;
6213
6214 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6215 lgN->N, lgN->g, libctx, NULL)))
6216 goto end;
6217
6218 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6219 if (!TEST_ptr(user_pwd))
6220 goto end;
6221
6222 user_pwd->N = lgN->N;
6223 user_pwd->g = lgN->g;
6224 user_pwd->id = OPENSSL_strdup(userid);
6225 if (!TEST_ptr(user_pwd->id))
6226 goto end;
6227
6228 user_pwd->v = verifier;
6229 user_pwd->s = salt;
6230 verifier = salt = NULL;
6231
6232 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6233 goto end;
6234 user_pwd = NULL;
6235
6236 ret = 1;
6237 end:
6238 SRP_user_pwd_free(user_pwd);
6239 BN_free(salt);
6240 BN_free(verifier);
6241
6242 return ret;
6243 }
6244
6245 /*
6246 * SRP tests
6247 *
6248 * Test 0: Simple successful SRP connection, new vbase
6249 * Test 1: Connection failure due to bad password, new vbase
6250 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6251 * Test 3: Connection failure due to bad password, vbase loaded from existing
6252 * file
6253 * Test 4: Simple successful SRP connection, vbase loaded from new file
6254 * Test 5: Connection failure due to bad password, vbase loaded from new file
6255 */
6256 static int test_srp(int tst)
6257 {
6258 char *userid = "test", *password = "password", *tstsrpfile;
6259 SSL_CTX *cctx = NULL, *sctx = NULL;
6260 SSL *clientssl = NULL, *serverssl = NULL;
6261 int ret, testresult = 0;
6262
6263 vbase = SRP_VBASE_new(NULL);
6264 if (!TEST_ptr(vbase))
6265 goto end;
6266
6267 if (tst == 0 || tst == 1) {
6268 if (!TEST_true(create_new_vbase(userid, password)))
6269 goto end;
6270 } else {
6271 if (tst == 4 || tst == 5) {
6272 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6273 goto end;
6274 tstsrpfile = tmpfilename;
6275 } else {
6276 tstsrpfile = srpvfile;
6277 }
6278 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6279 goto end;
6280 }
6281
6282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6283 TLS_client_method(), TLS1_VERSION, 0,
6284 &sctx, &cctx, cert, privkey)))
6285 goto end;
6286
6287 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6288 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6289 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6290 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6291 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6292 goto end;
6293
6294 if (tst % 2 == 1) {
6295 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6296 goto end;
6297 } else {
6298 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6299 goto end;
6300 }
6301
6302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6303 NULL, NULL)))
6304 goto end;
6305
6306 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6307 if (ret) {
6308 if (!TEST_true(tst % 2 == 0))
6309 goto end;
6310 } else {
6311 if (!TEST_true(tst % 2 == 1))
6312 goto end;
6313 }
6314
6315 testresult = 1;
6316
6317 end:
6318 SRP_VBASE_free(vbase);
6319 vbase = NULL;
6320 SSL_free(serverssl);
6321 SSL_free(clientssl);
6322 SSL_CTX_free(sctx);
6323 SSL_CTX_free(cctx);
6324
6325 return testresult;
6326 }
6327 #endif
6328
6329 static int info_cb_failed = 0;
6330 static int info_cb_offset = 0;
6331 static int info_cb_this_state = -1;
6332
6333 static struct info_cb_states_st {
6334 int where;
6335 const char *statestr;
6336 } info_cb_states[][60] = {
6337 {
6338 /* TLSv1.2 server followed by resumption */
6339 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6340 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6341 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6342 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6343 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6345 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6346 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6347 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6348 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6349 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6350 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6351 {SSL_CB_EXIT, NULL}, {0, NULL},
6352 }, {
6353 /* TLSv1.2 client followed by resumption */
6354 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6355 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6356 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6357 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6358 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6359 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6360 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6362 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6363 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6364 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6366 }, {
6367 /* TLSv1.3 server followed by resumption */
6368 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6369 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6370 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6371 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6372 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6373 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6374 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6375 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6376 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6377 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6378 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6379 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6380 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6381 }, {
6382 /* TLSv1.3 client followed by resumption */
6383 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6384 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6385 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6386 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6387 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6388 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6389 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6390 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6391 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6392 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6394 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6395 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6396 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6397 {SSL_CB_EXIT, NULL}, {0, NULL},
6398 }, {
6399 /* TLSv1.3 server, early_data */
6400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6401 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6402 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6403 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6404 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6405 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
6406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6407 {SSL_CB_EXIT, NULL}, {0, NULL},
6408 }, {
6409 /* TLSv1.3 client, early_data */
6410 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6411 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6415 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6416 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6417 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6418 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6419 }, {
6420 {0, NULL},
6421 }
6422 };
6423
6424 static void sslapi_info_callback(const SSL *s, int where, int ret)
6425 {
6426 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6427
6428 /* We do not ever expect a connection to fail in this test */
6429 if (!TEST_false(ret == 0)) {
6430 info_cb_failed = 1;
6431 return;
6432 }
6433
6434 /*
6435 * Do some sanity checks. We never expect these things to happen in this
6436 * test
6437 */
6438 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6439 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6440 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6441 info_cb_failed = 1;
6442 return;
6443 }
6444
6445 /* Now check we're in the right state */
6446 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6447 info_cb_failed = 1;
6448 return;
6449 }
6450 if ((where & SSL_CB_LOOP) != 0
6451 && !TEST_int_eq(strcmp(SSL_state_string(s),
6452 state[info_cb_this_state].statestr), 0)) {
6453 info_cb_failed = 1;
6454 return;
6455 }
6456
6457 /*
6458 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6459 */
6460 if ((where & SSL_CB_HANDSHAKE_DONE)
6461 && SSL_in_init((SSL *)s) != 0) {
6462 info_cb_failed = 1;
6463 return;
6464 }
6465 }
6466
6467 /*
6468 * Test the info callback gets called when we expect it to.
6469 *
6470 * Test 0: TLSv1.2, server
6471 * Test 1: TLSv1.2, client
6472 * Test 2: TLSv1.3, server
6473 * Test 3: TLSv1.3, client
6474 * Test 4: TLSv1.3, server, early_data
6475 * Test 5: TLSv1.3, client, early_data
6476 */
6477 static int test_info_callback(int tst)
6478 {
6479 SSL_CTX *cctx = NULL, *sctx = NULL;
6480 SSL *clientssl = NULL, *serverssl = NULL;
6481 SSL_SESSION *clntsess = NULL;
6482 int testresult = 0;
6483 int tlsvers;
6484
6485 if (tst < 2) {
6486 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
6487 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6488 || !defined(OPENSSL_NO_DH))
6489 tlsvers = TLS1_2_VERSION;
6490 #else
6491 return 1;
6492 #endif
6493 } else {
6494 #ifndef OPENSSL_NO_TLS1_3
6495 tlsvers = TLS1_3_VERSION;
6496 #else
6497 return 1;
6498 #endif
6499 }
6500
6501 /* Reset globals */
6502 info_cb_failed = 0;
6503 info_cb_this_state = -1;
6504 info_cb_offset = tst;
6505
6506 #ifndef OPENSSL_NO_TLS1_3
6507 if (tst >= 4) {
6508 SSL_SESSION *sess = NULL;
6509 size_t written, readbytes;
6510 unsigned char buf[80];
6511
6512 /* early_data tests */
6513 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6514 &serverssl, &sess, 0)))
6515 goto end;
6516
6517 /* We don't actually need this reference */
6518 SSL_SESSION_free(sess);
6519
6520 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6521 sslapi_info_callback);
6522
6523 /* Write and read some early data and then complete the connection */
6524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6525 &written))
6526 || !TEST_size_t_eq(written, strlen(MSG1))
6527 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6528 sizeof(buf), &readbytes),
6529 SSL_READ_EARLY_DATA_SUCCESS)
6530 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6532 SSL_EARLY_DATA_ACCEPTED)
6533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6534 SSL_ERROR_NONE))
6535 || !TEST_false(info_cb_failed))
6536 goto end;
6537
6538 testresult = 1;
6539 goto end;
6540 }
6541 #endif
6542
6543 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6544 TLS_client_method(),
6545 tlsvers, tlsvers, &sctx, &cctx, cert,
6546 privkey)))
6547 goto end;
6548
6549 /*
6550 * For even numbered tests we check the server callbacks. For odd numbers we
6551 * check the client.
6552 */
6553 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6554 sslapi_info_callback);
6555
6556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6557 &clientssl, NULL, NULL))
6558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6559 SSL_ERROR_NONE))
6560 || !TEST_false(info_cb_failed))
6561 goto end;
6562
6563
6564
6565 clntsess = SSL_get1_session(clientssl);
6566 SSL_shutdown(clientssl);
6567 SSL_shutdown(serverssl);
6568 SSL_free(serverssl);
6569 SSL_free(clientssl);
6570 serverssl = clientssl = NULL;
6571
6572 /* Now do a resumption */
6573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6574 NULL))
6575 || !TEST_true(SSL_set_session(clientssl, clntsess))
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6577 SSL_ERROR_NONE))
6578 || !TEST_true(SSL_session_reused(clientssl))
6579 || !TEST_false(info_cb_failed))
6580 goto end;
6581
6582 testresult = 1;
6583
6584 end:
6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6587 SSL_SESSION_free(clntsess);
6588 SSL_CTX_free(sctx);
6589 SSL_CTX_free(cctx);
6590 return testresult;
6591 }
6592
6593 static int test_ssl_pending(int tst)
6594 {
6595 SSL_CTX *cctx = NULL, *sctx = NULL;
6596 SSL *clientssl = NULL, *serverssl = NULL;
6597 int testresult = 0;
6598 char msg[] = "A test message";
6599 char buf[5];
6600 size_t written, readbytes;
6601
6602 if (tst == 0) {
6603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6604 TLS_client_method(),
6605 TLS1_VERSION, 0,
6606 &sctx, &cctx, cert, privkey)))
6607 goto end;
6608 } else {
6609 #ifndef OPENSSL_NO_DTLS
6610 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6611 DTLS_client_method(),
6612 DTLS1_VERSION, 0,
6613 &sctx, &cctx, cert, privkey)))
6614 goto end;
6615 #else
6616 return 1;
6617 #endif
6618 }
6619
6620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6621 NULL, NULL))
6622 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6623 SSL_ERROR_NONE)))
6624 goto end;
6625
6626 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6627 || !TEST_false(SSL_has_pending(clientssl))
6628 || !TEST_int_eq(SSL_pending(serverssl), 0)
6629 || !TEST_false(SSL_has_pending(serverssl))
6630 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6631 || !TEST_size_t_eq(written, sizeof(msg))
6632 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6633 || !TEST_size_t_eq(readbytes, sizeof(buf))
6634 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6635 || !TEST_true(SSL_has_pending(clientssl)))
6636 goto end;
6637
6638 testresult = 1;
6639
6640 end:
6641 SSL_free(serverssl);
6642 SSL_free(clientssl);
6643 SSL_CTX_free(sctx);
6644 SSL_CTX_free(cctx);
6645
6646 return testresult;
6647 }
6648
6649 static struct {
6650 unsigned int maxprot;
6651 const char *clntciphers;
6652 const char *clnttls13ciphers;
6653 const char *srvrciphers;
6654 const char *srvrtls13ciphers;
6655 const char *shared;
6656 const char *fipsshared;
6657 } shared_ciphers_data[] = {
6658 /*
6659 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6660 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6661 */
6662 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6663 {
6664 TLS1_2_VERSION,
6665 "AES128-SHA:AES256-SHA",
6666 NULL,
6667 "AES256-SHA:DHE-RSA-AES128-SHA",
6668 NULL,
6669 "AES256-SHA",
6670 "AES256-SHA"
6671 },
6672 # if !defined(OPENSSL_NO_CHACHA) \
6673 && !defined(OPENSSL_NO_POLY1305) \
6674 && !defined(OPENSSL_NO_EC)
6675 {
6676 TLS1_2_VERSION,
6677 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6678 NULL,
6679 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6680 NULL,
6681 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6682 "AES128-SHA"
6683 },
6684 # endif
6685 {
6686 TLS1_2_VERSION,
6687 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6688 NULL,
6689 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6690 NULL,
6691 "AES128-SHA:AES256-SHA",
6692 "AES128-SHA:AES256-SHA"
6693 },
6694 {
6695 TLS1_2_VERSION,
6696 "AES128-SHA:AES256-SHA",
6697 NULL,
6698 "AES128-SHA:DHE-RSA-AES128-SHA",
6699 NULL,
6700 "AES128-SHA",
6701 "AES128-SHA"
6702 },
6703 #endif
6704 /*
6705 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6706 * enabled.
6707 */
6708 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6709 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6710 {
6711 TLS1_3_VERSION,
6712 "AES128-SHA:AES256-SHA",
6713 NULL,
6714 "AES256-SHA:AES128-SHA256",
6715 NULL,
6716 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6717 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6718 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
6719 },
6720 #endif
6721 #ifndef OPENSSL_NO_TLS1_3
6722 {
6723 TLS1_3_VERSION,
6724 "AES128-SHA",
6725 "TLS_AES_256_GCM_SHA384",
6726 "AES256-SHA",
6727 "TLS_AES_256_GCM_SHA384",
6728 "TLS_AES_256_GCM_SHA384",
6729 "TLS_AES_256_GCM_SHA384"
6730 },
6731 #endif
6732 };
6733
6734 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
6735 {
6736 SSL_CTX *cctx = NULL, *sctx = NULL;
6737 SSL *clientssl = NULL, *serverssl = NULL;
6738 int testresult = 0;
6739 char buf[1024];
6740 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6741
6742 if (!TEST_ptr(tmplibctx))
6743 goto end;
6744
6745 /*
6746 * Regardless of whether we're testing with the FIPS provider loaded into
6747 * libctx, we want one peer to always use the full set of ciphersuites
6748 * available. Therefore we use a separate libctx with the default provider
6749 * loaded into it. We run the same tests twice - once with the client side
6750 * having the full set of ciphersuites and once with the server side.
6751 */
6752 if (clnt) {
6753 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6754 if (!TEST_ptr(cctx))
6755 goto end;
6756 } else {
6757 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6758 if (!TEST_ptr(sctx))
6759 goto end;
6760 }
6761
6762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6763 TLS_client_method(),
6764 TLS1_VERSION,
6765 shared_ciphers_data[tst].maxprot,
6766 &sctx, &cctx, cert, privkey)))
6767 goto end;
6768
6769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6770 shared_ciphers_data[tst].clntciphers))
6771 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6772 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6773 shared_ciphers_data[tst].clnttls13ciphers)))
6774 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6775 shared_ciphers_data[tst].srvrciphers))
6776 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6777 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6778 shared_ciphers_data[tst].srvrtls13ciphers))))
6779 goto end;
6780
6781
6782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6783 NULL, NULL))
6784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6785 SSL_ERROR_NONE)))
6786 goto end;
6787
6788 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6789 || !TEST_int_eq(strcmp(buf,
6790 is_fips
6791 ? shared_ciphers_data[tst].fipsshared
6792 : shared_ciphers_data[tst].shared),
6793 0)) {
6794 TEST_info("Shared ciphers are: %s\n", buf);
6795 goto end;
6796 }
6797
6798 testresult = 1;
6799
6800 end:
6801 SSL_free(serverssl);
6802 SSL_free(clientssl);
6803 SSL_CTX_free(sctx);
6804 SSL_CTX_free(cctx);
6805 OPENSSL_CTX_free(tmplibctx);
6806
6807 return testresult;
6808 }
6809
6810 static int test_ssl_get_shared_ciphers(int tst)
6811 {
6812 return int_test_ssl_get_shared_ciphers(tst, 0)
6813 && int_test_ssl_get_shared_ciphers(tst, 1);
6814 }
6815
6816
6817 static const char *appdata = "Hello World";
6818 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6819 static int tick_key_renew = 0;
6820 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6821
6822 static int gen_tick_cb(SSL *s, void *arg)
6823 {
6824 gen_tick_called = 1;
6825
6826 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6827 strlen(appdata));
6828 }
6829
6830 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6831 const unsigned char *keyname,
6832 size_t keyname_length,
6833 SSL_TICKET_STATUS status,
6834 void *arg)
6835 {
6836 void *tickdata;
6837 size_t tickdlen;
6838
6839 dec_tick_called = 1;
6840
6841 if (status == SSL_TICKET_EMPTY)
6842 return SSL_TICKET_RETURN_IGNORE_RENEW;
6843
6844 if (!TEST_true(status == SSL_TICKET_SUCCESS
6845 || status == SSL_TICKET_SUCCESS_RENEW))
6846 return SSL_TICKET_RETURN_ABORT;
6847
6848 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6849 &tickdlen))
6850 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6851 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6852 return SSL_TICKET_RETURN_ABORT;
6853
6854 if (tick_key_cb_called) {
6855 /* Don't change what the ticket key callback wanted to do */
6856 switch (status) {
6857 case SSL_TICKET_NO_DECRYPT:
6858 return SSL_TICKET_RETURN_IGNORE_RENEW;
6859
6860 case SSL_TICKET_SUCCESS:
6861 return SSL_TICKET_RETURN_USE;
6862
6863 case SSL_TICKET_SUCCESS_RENEW:
6864 return SSL_TICKET_RETURN_USE_RENEW;
6865
6866 default:
6867 return SSL_TICKET_RETURN_ABORT;
6868 }
6869 }
6870 return tick_dec_ret;
6871
6872 }
6873
6874 #ifndef OPENSSL_NO_DEPRECATED_3_0
6875 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6876 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6877 HMAC_CTX *hctx, int enc)
6878 {
6879 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6880 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6881 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6882 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6883 int ret;
6884
6885 tick_key_cb_called = 1;
6886 memset(iv, 0, AES_BLOCK_SIZE);
6887 memset(key_name, 0, 16);
6888 if (aes128cbc == NULL
6889 || sha256 == NULL
6890 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6891 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6892 NULL))
6893 ret = -1;
6894 else
6895 ret = tick_key_renew ? 2 : 1;
6896
6897 EVP_CIPHER_free(aes128cbc);
6898 EVP_MD_free(sha256);
6899
6900 return ret;
6901 }
6902 #endif
6903
6904 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6905 unsigned char iv[EVP_MAX_IV_LENGTH],
6906 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6907 {
6908 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6909 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6910 OSSL_PARAM params[3];
6911 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6912 int ret;
6913
6914 tick_key_cb_called = 1;
6915 memset(iv, 0, AES_BLOCK_SIZE);
6916 memset(key_name, 0, 16);
6917 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6918 "SHA256", 0);
6919 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6920 tick_hmac_key,
6921 sizeof(tick_hmac_key));
6922 params[2] = OSSL_PARAM_construct_end();
6923 if (aes128cbc == NULL
6924 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6925 || !EVP_MAC_CTX_set_params(hctx, params)
6926 || !EVP_MAC_init(hctx))
6927 ret = -1;
6928 else
6929 ret = tick_key_renew ? 2 : 1;
6930
6931 EVP_CIPHER_free(aes128cbc);
6932
6933 return ret;
6934 }
6935
6936 /*
6937 * Test the various ticket callbacks
6938 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6939 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6940 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6941 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6942 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6943 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6944 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6945 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6946 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6947 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6948 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6949 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6950 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6951 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6952 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6953 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6954 */
6955 static int test_ticket_callbacks(int tst)
6956 {
6957 SSL_CTX *cctx = NULL, *sctx = NULL;
6958 SSL *clientssl = NULL, *serverssl = NULL;
6959 SSL_SESSION *clntsess = NULL;
6960 int testresult = 0;
6961
6962 #ifdef OPENSSL_NO_TLS1_2
6963 if (tst % 2 == 0)
6964 return 1;
6965 #endif
6966 #ifdef OPENSSL_NO_TLS1_3
6967 if (tst % 2 == 1)
6968 return 1;
6969 #endif
6970 #ifdef OPENSSL_NO_DEPRECATED_3_0
6971 if (tst >= 8 && tst <= 11)
6972 return 1;
6973 #endif
6974
6975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6976
6977 /* Which tests the ticket key callback should request renewal for */
6978 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6979 tick_key_renew = 1;
6980 else
6981 tick_key_renew = 0;
6982
6983 /* Which tests the decrypt ticket callback should request renewal for */
6984 switch (tst) {
6985 case 0:
6986 case 1:
6987 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6988 break;
6989
6990 case 2:
6991 case 3:
6992 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6993 break;
6994
6995 case 4:
6996 case 5:
6997 tick_dec_ret = SSL_TICKET_RETURN_USE;
6998 break;
6999
7000 case 6:
7001 case 7:
7002 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7003 break;
7004
7005 default:
7006 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7007 }
7008
7009 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7010 TLS_client_method(),
7011 TLS1_VERSION,
7012 ((tst % 2) == 0) ? TLS1_2_VERSION
7013 : TLS1_3_VERSION,
7014 &sctx, &cctx, cert, privkey)))
7015 goto end;
7016
7017 /*
7018 * We only want sessions to resume from tickets - not the session cache. So
7019 * switch the cache off.
7020 */
7021 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7022 goto end;
7023
7024 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7025 NULL)))
7026 goto end;
7027
7028 if (tst >= 12) {
7029 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7030 goto end;
7031 #ifndef OPENSSL_NO_DEPRECATED_3_0
7032 } else if (tst >= 8) {
7033 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7034 goto end;
7035 #endif
7036 }
7037
7038 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7039 NULL, NULL))
7040 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7041 SSL_ERROR_NONE)))
7042 goto end;
7043
7044 /*
7045 * The decrypt ticket key callback in TLSv1.2 should be called even though
7046 * we have no ticket yet, because it gets called with a status of
7047 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7048 * actually send any ticket data). This does not happen in TLSv1.3 because
7049 * it is not valid to send empty ticket data in TLSv1.3.
7050 */
7051 if (!TEST_int_eq(gen_tick_called, 1)
7052 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7053 goto end;
7054
7055 gen_tick_called = dec_tick_called = 0;
7056
7057 clntsess = SSL_get1_session(clientssl);
7058 SSL_shutdown(clientssl);
7059 SSL_shutdown(serverssl);
7060 SSL_free(serverssl);
7061 SSL_free(clientssl);
7062 serverssl = clientssl = NULL;
7063
7064 /* Now do a resumption */
7065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7066 NULL))
7067 || !TEST_true(SSL_set_session(clientssl, clntsess))
7068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7069 SSL_ERROR_NONE)))
7070 goto end;
7071
7072 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7073 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7074 if (!TEST_false(SSL_session_reused(clientssl)))
7075 goto end;
7076 } else {
7077 if (!TEST_true(SSL_session_reused(clientssl)))
7078 goto end;
7079 }
7080
7081 if (!TEST_int_eq(gen_tick_called,
7082 (tick_key_renew
7083 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7084 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7085 ? 1 : 0)
7086 || !TEST_int_eq(dec_tick_called, 1))
7087 goto end;
7088
7089 testresult = 1;
7090
7091 end:
7092 SSL_SESSION_free(clntsess);
7093 SSL_free(serverssl);
7094 SSL_free(clientssl);
7095 SSL_CTX_free(sctx);
7096 SSL_CTX_free(cctx);
7097
7098 return testresult;
7099 }
7100
7101 /*
7102 * Test incorrect shutdown.
7103 * Test 0: client does not shutdown properly,
7104 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7105 * server should get SSL_ERROR_SSL
7106 * Test 1: client does not shutdown properly,
7107 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7108 * server should get SSL_ERROR_ZERO_RETURN
7109 */
7110 static int test_incorrect_shutdown(int tst)
7111 {
7112 SSL_CTX *cctx = NULL, *sctx = NULL;
7113 SSL *clientssl = NULL, *serverssl = NULL;
7114 int testresult = 0;
7115 char buf[80];
7116 BIO *c2s;
7117
7118 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7119 TLS_client_method(), 0, 0,
7120 &sctx, &cctx, cert, privkey)))
7121 goto end;
7122
7123 if (tst == 1)
7124 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7125
7126 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7127 NULL, NULL)))
7128 goto end;
7129
7130 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7131 SSL_ERROR_NONE)))
7132 goto end;
7133
7134 c2s = SSL_get_rbio(serverssl);
7135 BIO_set_mem_eof_return(c2s, 0);
7136
7137 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7138 goto end;
7139
7140 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7141 goto end;
7142 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7143 goto end;
7144
7145 testresult = 1;
7146
7147 end:
7148 SSL_free(serverssl);
7149 SSL_free(clientssl);
7150 SSL_CTX_free(sctx);
7151 SSL_CTX_free(cctx);
7152
7153 return testresult;
7154 }
7155
7156 /*
7157 * Test bi-directional shutdown.
7158 * Test 0: TLSv1.2
7159 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7160 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7161 * Test 3: TLSv1.3, pending NewSessionTicket messages
7162 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7163 * sends key update, client reads it
7164 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7165 * sends CertificateRequest, client reads and ignores it
7166 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7167 * doesn't read it
7168 */
7169 static int test_shutdown(int tst)
7170 {
7171 SSL_CTX *cctx = NULL, *sctx = NULL;
7172 SSL *clientssl = NULL, *serverssl = NULL;
7173 int testresult = 0;
7174 char msg[] = "A test message";
7175 char buf[80];
7176 size_t written, readbytes;
7177 SSL_SESSION *sess;
7178
7179 #ifdef OPENSSL_NO_TLS1_2
7180 if (tst <= 1)
7181 return 1;
7182 #endif
7183 #ifdef OPENSSL_NO_TLS1_3
7184 if (tst >= 2)
7185 return 1;
7186 #endif
7187
7188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7189 TLS_client_method(),
7190 TLS1_VERSION,
7191 (tst <= 1) ? TLS1_2_VERSION
7192 : TLS1_3_VERSION,
7193 &sctx, &cctx, cert, privkey)))
7194 goto end;
7195
7196 if (tst == 5)
7197 SSL_CTX_set_post_handshake_auth(cctx, 1);
7198
7199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7200 NULL, NULL)))
7201 goto end;
7202
7203 if (tst == 3) {
7204 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7205 SSL_ERROR_NONE, 1))
7206 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7207 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7208 goto end;
7209 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7210 SSL_ERROR_NONE))
7211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7212 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7213 goto end;
7214 }
7215
7216 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7217 goto end;
7218
7219 if (tst >= 4) {
7220 /*
7221 * Reading on the server after the client has sent close_notify should
7222 * fail and provide SSL_ERROR_ZERO_RETURN
7223 */
7224 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7225 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7226 SSL_ERROR_ZERO_RETURN)
7227 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7228 SSL_RECEIVED_SHUTDOWN)
7229 /*
7230 * Even though we're shutdown on receive we should still be
7231 * able to write.
7232 */
7233 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7234 goto end;
7235 if (tst == 4
7236 && !TEST_true(SSL_key_update(serverssl,
7237 SSL_KEY_UPDATE_REQUESTED)))
7238 goto end;
7239 if (tst == 5) {
7240 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7241 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7242 goto end;
7243 }
7244 if ((tst == 4 || tst == 5)
7245 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7246 goto end;
7247 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7248 goto end;
7249 if (tst == 4 || tst == 5) {
7250 /* Should still be able to read data from server */
7251 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7252 &readbytes))
7253 || !TEST_size_t_eq(readbytes, sizeof(msg))
7254 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7255 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7256 &readbytes))
7257 || !TEST_size_t_eq(readbytes, sizeof(msg))
7258 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7259 goto end;
7260 }
7261 }
7262
7263 /* Writing on the client after sending close_notify shouldn't be possible */
7264 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7265 goto end;
7266
7267 if (tst < 4) {
7268 /*
7269 * For these tests the client has sent close_notify but it has not yet
7270 * been received by the server. The server has not sent close_notify
7271 * yet.
7272 */
7273 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7274 /*
7275 * Writing on the server after sending close_notify shouldn't
7276 * be possible.
7277 */
7278 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7279 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7280 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7281 || !TEST_true(SSL_SESSION_is_resumable(sess))
7282 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7283 goto end;
7284 } else if (tst == 4 || tst == 5) {
7285 /*
7286 * In this test the client has sent close_notify and it has been
7287 * received by the server which has responded with a close_notify. The
7288 * client needs to read the close_notify sent by the server.
7289 */
7290 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7291 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7292 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7293 goto end;
7294 } else {
7295 /*
7296 * tst == 6
7297 *
7298 * The client has sent close_notify and is expecting a close_notify
7299 * back, but instead there is application data first. The shutdown
7300 * should fail with a fatal error.
7301 */
7302 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7303 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7304 goto end;
7305 }
7306
7307 testresult = 1;
7308
7309 end:
7310 SSL_free(serverssl);
7311 SSL_free(clientssl);
7312 SSL_CTX_free(sctx);
7313 SSL_CTX_free(cctx);
7314
7315 return testresult;
7316 }
7317
7318 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7319 static int cert_cb_cnt;
7320
7321 static int cert_cb(SSL *s, void *arg)
7322 {
7323 SSL_CTX *ctx = (SSL_CTX *)arg;
7324 BIO *in = NULL;
7325 EVP_PKEY *pkey = NULL;
7326 X509 *x509 = NULL, *rootx = NULL;
7327 STACK_OF(X509) *chain = NULL;
7328 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7329 int ret = 0;
7330
7331 if (cert_cb_cnt == 0) {
7332 /* Suspend the handshake */
7333 cert_cb_cnt++;
7334 return -1;
7335 } else if (cert_cb_cnt == 1) {
7336 /*
7337 * Update the SSL_CTX, set the certificate and private key and then
7338 * continue the handshake normally.
7339 */
7340 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7341 return 0;
7342
7343 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7344 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7345 SSL_FILETYPE_PEM))
7346 || !TEST_true(SSL_check_private_key(s)))
7347 return 0;
7348 cert_cb_cnt++;
7349 return 1;
7350 } else if (cert_cb_cnt == 3) {
7351 int rv;
7352
7353 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7354 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7355 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7356 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7357 goto out;
7358 chain = sk_X509_new_null();
7359 if (!TEST_ptr(chain))
7360 goto out;
7361 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7362 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7363 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7364 || !TEST_true(sk_X509_push(chain, rootx)))
7365 goto out;
7366 rootx = NULL;
7367 BIO_free(in);
7368 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7369 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7370 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7371 goto out;
7372 BIO_free(in);
7373 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7374 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7375 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7376 goto out;
7377 rv = SSL_check_chain(s, x509, pkey, chain);
7378 /*
7379 * If the cert doesn't show as valid here (e.g., because we don't
7380 * have any shared sigalgs), then we will not set it, and there will
7381 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7382 * will cause tls_choose_sigalgs() to fail the connection.
7383 */
7384 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7385 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7386 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7387 goto out;
7388 }
7389
7390 ret = 1;
7391 }
7392
7393 /* Abort the handshake */
7394 out:
7395 OPENSSL_free(ecdsacert);
7396 OPENSSL_free(ecdsakey);
7397 OPENSSL_free(rootfile);
7398 BIO_free(in);
7399 EVP_PKEY_free(pkey);
7400 X509_free(x509);
7401 X509_free(rootx);
7402 sk_X509_pop_free(chain, X509_free);
7403 return ret;
7404 }
7405
7406 /*
7407 * Test the certificate callback.
7408 * Test 0: Callback fails
7409 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7410 * Test 2: Success - SSL_set_SSL_CTX() in the callback
7411 * Test 3: Success - Call SSL_check_chain from the callback
7412 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7413 * chain
7414 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
7415 */
7416 static int test_cert_cb_int(int prot, int tst)
7417 {
7418 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7419 SSL *clientssl = NULL, *serverssl = NULL;
7420 int testresult = 0, ret;
7421
7422 #ifdef OPENSSL_NO_EC
7423 /* We use an EC cert in these tests, so we skip in a no-ec build */
7424 if (tst >= 3)
7425 return 1;
7426 #endif
7427
7428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7429 TLS_client_method(),
7430 TLS1_VERSION,
7431 prot,
7432 &sctx, &cctx, NULL, NULL)))
7433 goto end;
7434
7435 if (tst == 0)
7436 cert_cb_cnt = -1;
7437 else if (tst >= 3)
7438 cert_cb_cnt = 3;
7439 else
7440 cert_cb_cnt = 0;
7441
7442 if (tst == 2)
7443 snictx = SSL_CTX_new(TLS_server_method());
7444 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7445
7446 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7447 NULL, NULL)))
7448 goto end;
7449
7450 if (tst == 4) {
7451 /*
7452 * We cause SSL_check_chain() to fail by specifying sig_algs that
7453 * the chain doesn't meet (the root uses an RSA cert)
7454 */
7455 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7456 "ecdsa_secp256r1_sha256")))
7457 goto end;
7458 } else if (tst == 5) {
7459 /*
7460 * We cause SSL_check_chain() to fail by specifying sig_algs that
7461 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7462 */
7463 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7464 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7465 goto end;
7466 }
7467
7468 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7469 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7470 || (tst > 0
7471 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
7472 goto end;
7473 }
7474
7475 testresult = 1;
7476
7477 end:
7478 SSL_free(serverssl);
7479 SSL_free(clientssl);
7480 SSL_CTX_free(sctx);
7481 SSL_CTX_free(cctx);
7482 SSL_CTX_free(snictx);
7483
7484 return testresult;
7485 }
7486 #endif
7487
7488 static int test_cert_cb(int tst)
7489 {
7490 int testresult = 1;
7491
7492 #ifndef OPENSSL_NO_TLS1_2
7493 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7494 #endif
7495 #ifndef OPENSSL_NO_TLS1_3
7496 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7497 #endif
7498
7499 return testresult;
7500 }
7501
7502 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7503 {
7504 X509 *xcert, *peer;
7505 EVP_PKEY *privpkey;
7506 BIO *in = NULL;
7507
7508 /* Check that SSL_get_peer_certificate() returns something sensible */
7509 peer = SSL_get_peer_certificate(ssl);
7510 if (!TEST_ptr(peer))
7511 return 0;
7512 X509_free(peer);
7513
7514 in = BIO_new_file(cert, "r");
7515 if (!TEST_ptr(in))
7516 return 0;
7517
7518 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7519 BIO_free(in);
7520 if (!TEST_ptr(xcert))
7521 return 0;
7522
7523 in = BIO_new_file(privkey, "r");
7524 if (!TEST_ptr(in)) {
7525 X509_free(xcert);
7526 return 0;
7527 }
7528
7529 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7530 BIO_free(in);
7531 if (!TEST_ptr(privpkey)) {
7532 X509_free(xcert);
7533 return 0;
7534 }
7535
7536 *x509 = xcert;
7537 *pkey = privpkey;
7538
7539 return 1;
7540 }
7541
7542 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7543 {
7544 return 1;
7545 }
7546
7547 static int test_client_cert_cb(int tst)
7548 {
7549 SSL_CTX *cctx = NULL, *sctx = NULL;
7550 SSL *clientssl = NULL, *serverssl = NULL;
7551 int testresult = 0;
7552
7553 #ifdef OPENSSL_NO_TLS1_2
7554 if (tst == 0)
7555 return 1;
7556 #endif
7557 #ifdef OPENSSL_NO_TLS1_3
7558 if (tst == 1)
7559 return 1;
7560 #endif
7561
7562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7563 TLS_client_method(),
7564 TLS1_VERSION,
7565 tst == 0 ? TLS1_2_VERSION
7566 : TLS1_3_VERSION,
7567 &sctx, &cctx, cert, privkey)))
7568 goto end;
7569
7570 /*
7571 * Test that setting a client_cert_cb results in a client certificate being
7572 * sent.
7573 */
7574 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7575 SSL_CTX_set_verify(sctx,
7576 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7577 verify_cb);
7578
7579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7580 NULL, NULL))
7581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7582 SSL_ERROR_NONE)))
7583 goto end;
7584
7585 testresult = 1;
7586
7587 end:
7588 SSL_free(serverssl);
7589 SSL_free(clientssl);
7590 SSL_CTX_free(sctx);
7591 SSL_CTX_free(cctx);
7592
7593 return testresult;
7594 }
7595
7596 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7597 /*
7598 * Test setting certificate authorities on both client and server.
7599 *
7600 * Test 0: SSL_CTX_set0_CA_list() only
7601 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7602 * Test 2: Only SSL_CTX_set_client_CA_list()
7603 */
7604 static int test_ca_names_int(int prot, int tst)
7605 {
7606 SSL_CTX *cctx = NULL, *sctx = NULL;
7607 SSL *clientssl = NULL, *serverssl = NULL;
7608 int testresult = 0;
7609 size_t i;
7610 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7611 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7612 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7613 const STACK_OF(X509_NAME) *sktmp = NULL;
7614
7615 for (i = 0; i < OSSL_NELEM(name); i++) {
7616 name[i] = X509_NAME_new();
7617 if (!TEST_ptr(name[i])
7618 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7619 MBSTRING_ASC,
7620 (unsigned char *)
7621 strnames[i],
7622 -1, -1, 0)))
7623 goto end;
7624 }
7625
7626 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7627 TLS_client_method(),
7628 TLS1_VERSION,
7629 prot,
7630 &sctx, &cctx, cert, privkey)))
7631 goto end;
7632
7633 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7634
7635 if (tst == 0 || tst == 1) {
7636 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7637 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7638 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7639 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7640 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7641 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7642 goto end;
7643
7644 SSL_CTX_set0_CA_list(sctx, sk1);
7645 SSL_CTX_set0_CA_list(cctx, sk2);
7646 sk1 = sk2 = NULL;
7647 }
7648 if (tst == 1 || tst == 2) {
7649 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7650 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7651 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7652 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7653 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7654 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7655 goto end;
7656
7657 SSL_CTX_set_client_CA_list(sctx, sk1);
7658 SSL_CTX_set_client_CA_list(cctx, sk2);
7659 sk1 = sk2 = NULL;
7660 }
7661
7662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7663 NULL, NULL))
7664 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7665 SSL_ERROR_NONE)))
7666 goto end;
7667
7668 /*
7669 * We only expect certificate authorities to have been sent to the server
7670 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7671 */
7672 sktmp = SSL_get0_peer_CA_list(serverssl);
7673 if (prot == TLS1_3_VERSION
7674 && (tst == 0 || tst == 1)) {
7675 if (!TEST_ptr(sktmp)
7676 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7677 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7678 name[0]), 0)
7679 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7680 name[1]), 0))
7681 goto end;
7682 } else if (!TEST_ptr_null(sktmp)) {
7683 goto end;
7684 }
7685
7686 /*
7687 * In all tests we expect certificate authorities to have been sent to the
7688 * client. However, SSL_set_client_CA_list() should override
7689 * SSL_set0_CA_list()
7690 */
7691 sktmp = SSL_get0_peer_CA_list(clientssl);
7692 if (!TEST_ptr(sktmp)
7693 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7694 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7695 name[tst == 0 ? 0 : 2]), 0)
7696 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7697 name[tst == 0 ? 1 : 3]), 0))
7698 goto end;
7699
7700 testresult = 1;
7701
7702 end:
7703 SSL_free(serverssl);
7704 SSL_free(clientssl);
7705 SSL_CTX_free(sctx);
7706 SSL_CTX_free(cctx);
7707 for (i = 0; i < OSSL_NELEM(name); i++)
7708 X509_NAME_free(name[i]);
7709 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7710 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7711
7712 return testresult;
7713 }
7714 #endif
7715
7716 static int test_ca_names(int tst)
7717 {
7718 int testresult = 1;
7719
7720 #ifndef OPENSSL_NO_TLS1_2
7721 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7722 #endif
7723 #ifndef OPENSSL_NO_TLS1_3
7724 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7725 #endif
7726
7727 return testresult;
7728 }
7729
7730 #ifndef OPENSSL_NO_TLS1_2
7731 static const char *multiblock_cipherlist_data[]=
7732 {
7733 "AES128-SHA",
7734 "AES128-SHA256",
7735 "AES256-SHA",
7736 "AES256-SHA256",
7737 };
7738
7739 /* Reduce the fragment size - so the multiblock test buffer can be small */
7740 # define MULTIBLOCK_FRAGSIZE 512
7741
7742 static int test_multiblock_write(int test_index)
7743 {
7744 static const char *fetchable_ciphers[]=
7745 {
7746 "AES-128-CBC-HMAC-SHA1",
7747 "AES-128-CBC-HMAC-SHA256",
7748 "AES-256-CBC-HMAC-SHA1",
7749 "AES-256-CBC-HMAC-SHA256"
7750 };
7751 const char *cipherlist = multiblock_cipherlist_data[test_index];
7752 const SSL_METHOD *smeth = TLS_server_method();
7753 const SSL_METHOD *cmeth = TLS_client_method();
7754 int min_version = TLS1_VERSION;
7755 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7756 SSL_CTX *cctx = NULL, *sctx = NULL;
7757 SSL *clientssl = NULL, *serverssl = NULL;
7758 int testresult = 0;
7759
7760 /*
7761 * Choose a buffer large enough to perform a multi-block operation
7762 * i.e: write_len >= 4 * frag_size
7763 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7764 */
7765 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7766 unsigned char buf[sizeof(msg)], *p = buf;
7767 size_t readbytes, written, len;
7768 EVP_CIPHER *ciph = NULL;
7769
7770 /*
7771 * Check if the cipher exists before attempting to use it since it only has
7772 * a hardware specific implementation.
7773 */
7774 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7775 if (ciph == NULL) {
7776 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7777 return 1;
7778 }
7779 EVP_CIPHER_free(ciph);
7780
7781 /* Set up a buffer with some data that will be sent to the client */
7782 RAND_bytes(msg, sizeof(msg));
7783
7784 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7785 max_version, &sctx, &cctx, cert,
7786 privkey)))
7787 goto end;
7788
7789 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7790 goto end;
7791
7792 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7793 NULL, NULL)))
7794 goto end;
7795
7796 /* settings to force it to use AES-CBC-HMAC_SHA */
7797 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7798 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7799 goto end;
7800
7801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7802 goto end;
7803
7804 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7805 || !TEST_size_t_eq(written, sizeof(msg)))
7806 goto end;
7807
7808 len = written;
7809 while (len > 0) {
7810 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7811 goto end;
7812 p += readbytes;
7813 len -= readbytes;
7814 }
7815 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7816 goto end;
7817
7818 testresult = 1;
7819 end:
7820 SSL_free(serverssl);
7821 SSL_free(clientssl);
7822 SSL_CTX_free(sctx);
7823 SSL_CTX_free(cctx);
7824
7825 return testresult;
7826 }
7827 #endif /* OPENSSL_NO_TLS1_2 */
7828
7829 /*
7830 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7831 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7832 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7833 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7834 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7835 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7836 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7837 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7838 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7839 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7840 */
7841 static int test_servername(int tst)
7842 {
7843 SSL_CTX *cctx = NULL, *sctx = NULL;
7844 SSL *clientssl = NULL, *serverssl = NULL;
7845 int testresult = 0;
7846 SSL_SESSION *sess = NULL;
7847 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7848
7849 #ifdef OPENSSL_NO_TLS1_2
7850 if (tst <= 4)
7851 return 1;
7852 #endif
7853 #ifdef OPENSSL_NO_TLS1_3
7854 if (tst >= 5)
7855 return 1;
7856 #endif
7857
7858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7859 TLS_client_method(),
7860 TLS1_VERSION,
7861 (tst <= 4) ? TLS1_2_VERSION
7862 : TLS1_3_VERSION,
7863 &sctx, &cctx, cert, privkey))
7864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7865 NULL, NULL)))
7866 goto end;
7867
7868 if (tst != 1 && tst != 6) {
7869 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7870 hostname_cb)))
7871 goto end;
7872 }
7873
7874 if (tst != 3 && tst != 8) {
7875 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7876 goto end;
7877 sexpectedhost = cexpectedhost = "goodhost";
7878 }
7879
7880 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7881 goto end;
7882
7883 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7884 cexpectedhost)
7885 || !TEST_str_eq(SSL_get_servername(serverssl,
7886 TLSEXT_NAMETYPE_host_name),
7887 sexpectedhost))
7888 goto end;
7889
7890 /* Now repeat with a resumption handshake */
7891
7892 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7893 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7894 || !TEST_true(SSL_SESSION_is_resumable(sess))
7895 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7896 goto end;
7897
7898 SSL_free(clientssl);
7899 SSL_free(serverssl);
7900 clientssl = serverssl = NULL;
7901
7902 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7903 NULL)))
7904 goto end;
7905
7906 if (!TEST_true(SSL_set_session(clientssl, sess)))
7907 goto end;
7908
7909 sexpectedhost = cexpectedhost = "goodhost";
7910 if (tst == 2 || tst == 7) {
7911 /* Set an inconsistent hostname */
7912 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7913 goto end;
7914 /*
7915 * In TLSv1.2 we expect the hostname from the original handshake, in
7916 * TLSv1.3 we expect the hostname from this handshake
7917 */
7918 if (tst == 7)
7919 sexpectedhost = cexpectedhost = "altgoodhost";
7920
7921 if (!TEST_str_eq(SSL_get_servername(clientssl,
7922 TLSEXT_NAMETYPE_host_name),
7923 "altgoodhost"))
7924 goto end;
7925 } else if (tst == 4 || tst == 9) {
7926 /*
7927 * A TLSv1.3 session does not associate a session with a servername,
7928 * but a TLSv1.2 session does.
7929 */
7930 if (tst == 9)
7931 sexpectedhost = cexpectedhost = NULL;
7932
7933 if (!TEST_str_eq(SSL_get_servername(clientssl,
7934 TLSEXT_NAMETYPE_host_name),
7935 cexpectedhost))
7936 goto end;
7937 } else {
7938 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7939 goto end;
7940 /*
7941 * In a TLSv1.2 resumption where the hostname was not acknowledged
7942 * we expect the hostname on the server to be empty. On the client we
7943 * return what was requested in this case.
7944 *
7945 * Similarly if the client didn't set a hostname on an original TLSv1.2
7946 * session but is now, the server hostname will be empty, but the client
7947 * is as we set it.
7948 */
7949 if (tst == 1 || tst == 3)
7950 sexpectedhost = NULL;
7951
7952 if (!TEST_str_eq(SSL_get_servername(clientssl,
7953 TLSEXT_NAMETYPE_host_name),
7954 "goodhost"))
7955 goto end;
7956 }
7957
7958 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7959 goto end;
7960
7961 if (!TEST_true(SSL_session_reused(clientssl))
7962 || !TEST_true(SSL_session_reused(serverssl))
7963 || !TEST_str_eq(SSL_get_servername(clientssl,
7964 TLSEXT_NAMETYPE_host_name),
7965 cexpectedhost)
7966 || !TEST_str_eq(SSL_get_servername(serverssl,
7967 TLSEXT_NAMETYPE_host_name),
7968 sexpectedhost))
7969 goto end;
7970
7971 testresult = 1;
7972
7973 end:
7974 SSL_SESSION_free(sess);
7975 SSL_free(serverssl);
7976 SSL_free(clientssl);
7977 SSL_CTX_free(sctx);
7978 SSL_CTX_free(cctx);
7979
7980 return testresult;
7981 }
7982
7983 #ifndef OPENSSL_NO_EC
7984 /*
7985 * Test that if signature algorithms are not available, then we do not offer or
7986 * accept them.
7987 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7988 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7989 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7990 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7991 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7992 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7993 */
7994 static int test_sigalgs_available(int idx)
7995 {
7996 SSL_CTX *cctx = NULL, *sctx = NULL;
7997 SSL *clientssl = NULL, *serverssl = NULL;
7998 int testresult = 0;
7999 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8000 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8001 OSSL_PROVIDER *filterprov = NULL;
8002 int sig, hash;
8003
8004 if (!TEST_ptr(tmpctx))
8005 goto end;
8006
8007 if (idx != 0 && idx != 3) {
8008 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8009 filter_provider_init)))
8010 goto end;
8011
8012 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8013 if (!TEST_ptr(filterprov))
8014 goto end;
8015
8016 if (idx < 3) {
8017 /*
8018 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8019 * or accepted for the peer that uses this libctx. Note that libssl
8020 * *requires* SHA2-256 to be available so we cannot disable that. We
8021 * also need SHA1 for our certificate.
8022 */
8023 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8024 "SHA2-256:SHA1")))
8025 goto end;
8026 } else {
8027 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8028 "ECDSA"))
8029 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8030 "EC:X25519:X448")))
8031 goto end;
8032 }
8033
8034 if (idx == 1 || idx == 4)
8035 clientctx = tmpctx;
8036 else
8037 serverctx = tmpctx;
8038 }
8039
8040 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8041 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
8042
8043 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8044 TLS_client_method(),
8045 TLS1_VERSION,
8046 0,
8047 &sctx, &cctx, cert, privkey)))
8048 goto end;
8049
8050 if (idx < 3) {
8051 if (!SSL_CTX_set1_sigalgs_list(cctx,
8052 "rsa_pss_rsae_sha384"
8053 ":rsa_pss_rsae_sha256")
8054 || !SSL_CTX_set1_sigalgs_list(sctx,
8055 "rsa_pss_rsae_sha384"
8056 ":rsa_pss_rsae_sha256"))
8057 goto end;
8058 } else {
8059 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8060 || !SSL_CTX_set1_sigalgs_list(sctx,
8061 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8062 goto end;
8063 }
8064
8065 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8066 SSL_FILETYPE_PEM), 1)
8067 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8068 privkey2,
8069 SSL_FILETYPE_PEM), 1)
8070 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8071 goto end;
8072
8073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8074 NULL, NULL)))
8075 goto end;
8076
8077 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8078 goto end;
8079
8080 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8081 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8082 NULL, NULL),
8083 (idx == 0 || idx == 3) ? 2 : 1))
8084 goto end;
8085
8086 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8087 goto end;
8088
8089 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8090 : NID_rsassaPss))
8091 goto end;
8092
8093 testresult = 1;
8094
8095 end:
8096 SSL_free(serverssl);
8097 SSL_free(clientssl);
8098 SSL_CTX_free(sctx);
8099 SSL_CTX_free(cctx);
8100 OSSL_PROVIDER_unload(filterprov);
8101 OPENSSL_CTX_free(tmpctx);
8102
8103 return testresult;
8104 }
8105 #endif /* OPENSSL_NO_EC */
8106
8107
8108 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
8109
8110 int setup_tests(void)
8111 {
8112 char *modulename;
8113 char *configfile;
8114
8115 libctx = OPENSSL_CTX_new();
8116 if (!TEST_ptr(libctx))
8117 return 0;
8118
8119 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8120
8121 /*
8122 * Verify that the default and fips providers in the default libctx are not
8123 * available
8124 */
8125 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8126 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8127 return 0;
8128
8129 if (!test_skip_common_options()) {
8130 TEST_error("Error parsing test options\n");
8131 return 0;
8132 }
8133
8134 if (!TEST_ptr(certsdir = test_get_argument(0))
8135 || !TEST_ptr(srpvfile = test_get_argument(1))
8136 || !TEST_ptr(tmpfilename = test_get_argument(2))
8137 || !TEST_ptr(modulename = test_get_argument(3))
8138 || !TEST_ptr(configfile = test_get_argument(4)))
8139 return 0;
8140
8141 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8142 return 0;
8143
8144 /* Check we have the expected provider available */
8145 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8146 return 0;
8147
8148 /* Check the default provider is not available */
8149 if (strcmp(modulename, "default") != 0
8150 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
8151 return 0;
8152
8153 if (strcmp(modulename, "fips") == 0)
8154 is_fips = 1;
8155
8156 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8157 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
8158 TEST_error("not supported in this build");
8159 return 0;
8160 #else
8161 int i, mcount, rcount, fcount;
8162
8163 for (i = 0; i < 4; i++)
8164 test_export_key_mat(i);
8165 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8166 test_printf_stdout("malloc %d realloc %d free %d\n",
8167 mcount, rcount, fcount);
8168 return 1;
8169 #endif
8170 }
8171
8172 cert = test_mk_file_path(certsdir, "servercert.pem");
8173 if (cert == NULL)
8174 goto err;
8175
8176 privkey = test_mk_file_path(certsdir, "serverkey.pem");
8177 if (privkey == NULL)
8178 goto err;
8179
8180 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8181 if (cert2 == NULL)
8182 goto err;
8183
8184 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8185 if (privkey2 == NULL)
8186 goto err;
8187
8188 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8189 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8190 ADD_ALL_TESTS(test_ktls, 32);
8191 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8192 #endif
8193 #endif
8194 ADD_TEST(test_large_message_tls);
8195 ADD_TEST(test_large_message_tls_read_ahead);
8196 #ifndef OPENSSL_NO_DTLS
8197 ADD_TEST(test_large_message_dtls);
8198 #endif
8199 #ifndef OPENSSL_NO_OCSP
8200 ADD_TEST(test_tlsext_status_type);
8201 #endif
8202 ADD_TEST(test_session_with_only_int_cache);
8203 ADD_TEST(test_session_with_only_ext_cache);
8204 ADD_TEST(test_session_with_both_cache);
8205 ADD_TEST(test_session_wo_ca_names);
8206 #ifndef OPENSSL_NO_TLS1_3
8207 ADD_ALL_TESTS(test_stateful_tickets, 3);
8208 ADD_ALL_TESTS(test_stateless_tickets, 3);
8209 ADD_TEST(test_psk_tickets);
8210 ADD_ALL_TESTS(test_extra_tickets, 6);
8211 #endif
8212 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
8213 ADD_TEST(test_ssl_bio_pop_next_bio);
8214 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8215 ADD_TEST(test_ssl_bio_change_rbio);
8216 ADD_TEST(test_ssl_bio_change_wbio);
8217 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
8218 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
8219 ADD_TEST(test_keylog);
8220 #endif
8221 #ifndef OPENSSL_NO_TLS1_3
8222 ADD_TEST(test_keylog_no_master_key);
8223 #endif
8224 #ifndef OPENSSL_NO_TLS1_2
8225 ADD_TEST(test_client_hello_cb);
8226 ADD_TEST(test_no_ems);
8227 ADD_TEST(test_ccs_change_cipher);
8228 #endif
8229 #ifndef OPENSSL_NO_TLS1_3
8230 ADD_ALL_TESTS(test_early_data_read_write, 3);
8231 /*
8232 * We don't do replay tests for external PSK. Replay protection isn't used
8233 * in that scenario.
8234 */
8235 ADD_ALL_TESTS(test_early_data_replay, 2);
8236 ADD_ALL_TESTS(test_early_data_skip, 3);
8237 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
8238 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
8239 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
8240 ADD_ALL_TESTS(test_early_data_not_sent, 3);
8241 ADD_ALL_TESTS(test_early_data_psk, 8);
8242 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
8243 ADD_ALL_TESTS(test_early_data_not_expected, 3);
8244 # ifndef OPENSSL_NO_TLS1_2
8245 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
8246 # endif
8247 #endif
8248 #ifndef OPENSSL_NO_TLS1_3
8249 ADD_ALL_TESTS(test_set_ciphersuite, 10);
8250 ADD_TEST(test_ciphersuite_change);
8251 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8252 # ifdef OPENSSL_NO_PSK
8253 ADD_ALL_TESTS(test_tls13_psk, 1);
8254 # else
8255 ADD_ALL_TESTS(test_tls13_psk, 4);
8256 # endif /* OPENSSL_NO_PSK */
8257 # ifndef OPENSSL_NO_TLS1_2
8258 /* Test with both TLSv1.3 and 1.2 versions */
8259 ADD_ALL_TESTS(test_key_exchange, 14);
8260 # else
8261 /* Test with only TLSv1.3 versions */
8262 ADD_ALL_TESTS(test_key_exchange, 12);
8263 # endif
8264 ADD_ALL_TESTS(test_custom_exts, 5);
8265 ADD_TEST(test_stateless);
8266 ADD_TEST(test_pha_key_update);
8267 #else
8268 ADD_ALL_TESTS(test_custom_exts, 3);
8269 #endif
8270 ADD_ALL_TESTS(test_serverinfo, 8);
8271 ADD_ALL_TESTS(test_export_key_mat, 6);
8272 #ifndef OPENSSL_NO_TLS1_3
8273 ADD_ALL_TESTS(test_export_key_mat_early, 3);
8274 ADD_TEST(test_key_update);
8275 ADD_ALL_TESTS(test_key_update_in_write, 2);
8276 #endif
8277 ADD_ALL_TESTS(test_ssl_clear, 2);
8278 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
8279 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8280 ADD_ALL_TESTS(test_srp, 6);
8281 #endif
8282 ADD_ALL_TESTS(test_info_callback, 6);
8283 ADD_ALL_TESTS(test_ssl_pending, 2);
8284 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
8285 ADD_ALL_TESTS(test_ticket_callbacks, 16);
8286 ADD_ALL_TESTS(test_shutdown, 7);
8287 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
8288 ADD_ALL_TESTS(test_cert_cb, 6);
8289 ADD_ALL_TESTS(test_client_cert_cb, 2);
8290 ADD_ALL_TESTS(test_ca_names, 3);
8291 #ifndef OPENSSL_NO_TLS1_2
8292 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8293 #endif
8294 ADD_ALL_TESTS(test_servername, 10);
8295 #ifndef OPENSSL_NO_EC
8296 ADD_ALL_TESTS(test_sigalgs_available, 6);
8297 #endif
8298 return 1;
8299
8300 err:
8301 OPENSSL_free(cert);
8302 OPENSSL_free(privkey);
8303 OPENSSL_free(cert2);
8304 OPENSSL_free(privkey2);
8305 return 0;
8306 }
8307
8308 void cleanup_tests(void)
8309 {
8310 OPENSSL_free(cert);
8311 OPENSSL_free(privkey);
8312 OPENSSL_free(cert2);
8313 OPENSSL_free(privkey2);
8314 bio_s_mempacket_test_free();
8315 bio_s_always_retry_free();
8316 OSSL_PROVIDER_unload(defctxnull);
8317 OPENSSL_CTX_free(libctx);
8318 }
A mirror of the official openssl repository