]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
sslapitest: only compile test when it will be used
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/provider.h>
32
33 #include "ssltestlib.h"
34 #include "testutil.h"
35 #include "testutil/output.h"
36 #include "internal/nelem.h"
37 #include "internal/ktls.h"
38 #include "../ssl/ssl_local.h"
39
40 DEFINE_STACK_OF(OCSP_RESPID)
41 DEFINE_STACK_OF(X509)
42 DEFINE_STACK_OF(X509_NAME)
43
44 static OPENSSL_CTX *libctx = NULL;
45 static OSSL_PROVIDER *defctxnull = NULL;
46
47 #ifndef OPENSSL_NO_TLS1_3
48
49 static SSL_SESSION *clientpsk = NULL;
50 static SSL_SESSION *serverpsk = NULL;
51 static const char *pskid = "Identity";
52 static const char *srvid;
53
54 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56 static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
58
59 static int use_session_cb_cnt = 0;
60 static int find_session_cb_cnt = 0;
61
62 static SSL_SESSION *create_a_psk(SSL *ssl);
63 #endif
64
65 static char *certsdir = NULL;
66 static char *cert = NULL;
67 static char *privkey = NULL;
68 static char *srpvfile = NULL;
69 static char *tmpfilename = NULL;
70
71 static int is_fips = 0;
72
73 #define LOG_BUFFER_SIZE 2048
74 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
75 static size_t server_log_buffer_index = 0;
76 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
77 static size_t client_log_buffer_index = 0;
78 static int error_writing_log = 0;
79
80 #ifndef OPENSSL_NO_OCSP
81 static const unsigned char orespder[] = "Dummy OCSP Response";
82 static int ocsp_server_called = 0;
83 static int ocsp_client_called = 0;
84
85 static int cdummyarg = 1;
86 static X509 *ocspcert = NULL;
87 #endif
88
89 #define NUM_EXTRA_CERTS 40
90 #define CLIENT_VERSION_LEN 2
91
92 /*
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
95 */
96 struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
99 unsigned int client_early_secret_count;
100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
104 unsigned int early_exporter_secret_count;
105 unsigned int exporter_secret_count;
106 };
107
108
109 static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
113 };
114
115 static unsigned char serverinfov2[] = {
116 0x00, 0x00, 0x00,
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
121 };
122
123 static int hostname_cb(SSL *s, int *al, void *arg)
124 {
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
126
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
130
131 return SSL_TLSEXT_ERR_NOACK;
132 }
133
134 static void client_keylog_callback(const SSL *ssl, const char *line)
135 {
136 int line_length = strlen(line);
137
138 /* If the log doesn't fit, error out. */
139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
141 error_writing_log = 1;
142 return;
143 }
144
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
147 client_log_buffer[client_log_buffer_index++] = '\n';
148 }
149
150 static void server_keylog_callback(const SSL *ssl, const char *line)
151 {
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
156 TEST_info("Server log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
163 server_log_buffer[server_log_buffer_index++] = '\n';
164 }
165
166 static int compare_hex_encoded_buffer(const char *hex_encoded,
167 size_t hex_length,
168 const uint8_t *raw,
169 size_t raw_length)
170 {
171 size_t i, j;
172 char hexed[3];
173
174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
175 return 1;
176
177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
178 sprintf(hexed, "%02x", raw[i]);
179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
181 return 1;
182 }
183
184 return 0;
185 }
186
187 static int test_keylog_output(char *buffer, const SSL *ssl,
188 const SSL_SESSION *session,
189 struct sslapitest_log_counts *expected)
190 {
191 char *token = NULL;
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
198 unsigned int client_early_secret_count = 0;
199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
203 unsigned int early_exporter_secret_count = 0;
204 unsigned int exporter_secret_count = 0;
205
206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
208 if (strcmp(token, "RSA") == 0) {
209 /*
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
211 * hex-encoded encrypted secret, then the hex-encoded pre-master
212 * secret.
213 */
214 if (!TEST_ptr(token = strtok(NULL, " \n")))
215 return 0;
216 if (!TEST_size_t_eq(strlen(token), 16))
217 return 0;
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
219 return 0;
220 /*
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
224 */
225 rsa_key_exchange_count++;
226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
227 /*
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
229 * client random, then the hex-encoded master secret.
230 */
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
233 SSL3_RANDOM_SIZE);
234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
235 return 0;
236
237 if (!TEST_ptr(token = strtok(NULL, " \n")))
238 return 0;
239 if (!TEST_size_t_eq(strlen(token), 64))
240 return 0;
241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
244 return 0;
245
246 if (!TEST_ptr(token = strtok(NULL, " \n")))
247 return 0;
248 master_key_size = SSL_SESSION_get_master_key(session,
249 actual_master_key,
250 master_key_size);
251 if (!TEST_size_t_ne(master_key_size, 0))
252 return 0;
253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
254 actual_master_key,
255 master_key_size)))
256 return 0;
257 master_secret_count++;
258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
264 || strcmp(token, "EXPORTER_SECRET") == 0) {
265 /*
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
270 */
271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
285
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
288 SSL3_RANDOM_SIZE);
289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
290 return 0;
291
292 if (!TEST_ptr(token = strtok(NULL, " \n")))
293 return 0;
294 if (!TEST_size_t_eq(strlen(token), 64))
295 return 0;
296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
299 return 0;
300
301 if (!TEST_ptr(token = strtok(NULL, " \n")))
302 return 0;
303
304 /*
305 * TODO(TLS1.3): test that application traffic secrets are what
306 * we expect */
307 } else {
308 TEST_info("Unexpected token %s\n", token);
309 return 0;
310 }
311 }
312
313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
327 expected->server_application_secret_count)
328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
332 return 0;
333 return 1;
334 }
335
336 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
337 static int test_keylog(void)
338 {
339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
342 struct sslapitest_log_counts expected;
343
344 /* Clean up logging space */
345 memset(&expected, 0, sizeof(expected));
346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
351
352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
353 TLS_client_method(),
354 TLS1_VERSION, 0,
355 &sctx, &cctx, cert, privkey)))
356 return 0;
357
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
361
362 /* We also want to ensure that we use RSA-based key exchange. */
363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
364 goto end;
365
366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
368 goto end;
369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
372 goto end;
373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
376 goto end;
377
378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
382 SSL_ERROR_NONE))
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
386 goto end;
387
388 /*
389 * Now we want to test that our output data was vaguely sensible. We
390 * do that by using strtok and confirming that we have more or less the
391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
393 */
394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
398 goto end;
399
400 expected.rsa_key_exchange_count = 0;
401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
403 goto end;
404
405 testresult = 1;
406
407 end:
408 SSL_free(serverssl);
409 SSL_free(clientssl);
410 SSL_CTX_free(sctx);
411 SSL_CTX_free(cctx);
412
413 return testresult;
414 }
415 #endif
416
417 #ifndef OPENSSL_NO_TLS1_3
418 static int test_keylog_no_master_key(void)
419 {
420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
422 SSL_SESSION *sess = NULL;
423 int testresult = 0;
424 struct sslapitest_log_counts expected;
425 unsigned char buf[1];
426 size_t readbytes, written;
427
428 /* Clean up logging space */
429 memset(&expected, 0, sizeof(expected));
430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
435
436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
440 SSL3_RT_MAX_PLAIN_LENGTH)))
441 return 0;
442
443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
445 goto end;
446
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
450 goto end;
451
452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
455 goto end;
456
457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
461 SSL_ERROR_NONE))
462 || !TEST_false(error_writing_log))
463 goto end;
464
465 /*
466 * Now we want to test that our output data was vaguely sensible. For this
467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
468 * TLSv1.3, but we do expect both client and server to emit keys.
469 */
470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
474 expected.exporter_secret_count = 1;
475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
479 &expected)))
480 goto end;
481
482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
486 SSL_free(serverssl);
487 SSL_free(clientssl);
488 serverssl = clientssl = NULL;
489
490 /* Reset key log */
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
495
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
502 &readbytes),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
507 SSL_ERROR_NONE))
508 || !TEST_true(SSL_session_reused(clientssl)))
509 goto end;
510
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
513 expected.early_exporter_secret_count = 1;
514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
518 &expected)))
519 goto end;
520
521 testresult = 1;
522
523 end:
524 SSL_SESSION_free(sess);
525 SSL_free(serverssl);
526 SSL_free(clientssl);
527 SSL_CTX_free(sctx);
528 SSL_CTX_free(cctx);
529
530 return testresult;
531 }
532 #endif
533
534 #ifndef OPENSSL_NO_TLS1_2
535 static int full_client_hello_callback(SSL *s, int *al, void *arg)
536 {
537 int *ctr = arg;
538 const unsigned char *p;
539 int *exts;
540 /* We only configure two ciphers, but the SCSV is added automatically. */
541 #ifdef OPENSSL_NO_EC
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
543 #else
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
545 0x2c, 0x00, 0xff};
546 #endif
547 const int expected_extensions[] = {
548 #ifndef OPENSSL_NO_EC
549 11, 10,
550 #endif
551 35, 22, 23, 13};
552 size_t len;
553
554 /* Make sure we can defer processing and get called back. */
555 if ((*ctr)++ == 0)
556 return SSL_CLIENT_HELLO_RETRY;
557
558 len = SSL_client_hello_get0_ciphers(s, &p);
559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
560 || !TEST_size_t_eq(
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
562 || !TEST_int_eq(*p, 0))
563 return SSL_CLIENT_HELLO_ERROR;
564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
565 return SSL_CLIENT_HELLO_ERROR;
566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
568 printf("ClientHello callback expected extensions mismatch\n");
569 OPENSSL_free(exts);
570 return SSL_CLIENT_HELLO_ERROR;
571 }
572 OPENSSL_free(exts);
573 return SSL_CLIENT_HELLO_SUCCESS;
574 }
575
576 static int test_client_hello_cb(void)
577 {
578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
581
582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
584 &sctx, &cctx, cert, privkey)))
585 goto end;
586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
587
588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
590
591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
597 /*
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
600 * */
601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
604 SSL_ERROR_NONE)))
605 goto end;
606
607 testresult = 1;
608
609 end:
610 SSL_free(serverssl);
611 SSL_free(clientssl);
612 SSL_CTX_free(sctx);
613 SSL_CTX_free(cctx);
614
615 return testresult;
616 }
617
618 static int test_no_ems(void)
619 {
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
622 int testresult = 0;
623
624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
628 goto end;
629 }
630
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
632
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
635 goto end;
636 }
637
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
640 goto end;
641 }
642
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
645 goto end;
646 }
647
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
650 goto end;
651 }
652 testresult = 1;
653
654 end:
655 SSL_free(serverssl);
656 SSL_free(clientssl);
657 SSL_CTX_free(sctx);
658 SSL_CTX_free(cctx);
659
660 return testresult;
661 }
662
663 /*
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
667 * encryption to real encryption).
668 */
669 static int test_ccs_change_cipher(void)
670 {
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
674 int testresult = 0;
675 int i;
676 unsigned char buf;
677 size_t readbytes;
678
679 /*
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
682 */
683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
684 TLS_client_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
689 NULL, NULL))
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
692 SSL_ERROR_NONE))
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
695 goto end;
696
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
699
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
703 NULL, NULL))
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
707 SSL_ERROR_NONE))
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
714 goto end;
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
717
718 /*
719 * Now create a fresh connection and try to renegotiate a different
720 * cipher on it.
721 */
722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
723 NULL, NULL))
724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
726 SSL_ERROR_NONE))
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
731 goto end;
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
736 goto end;
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
739 goto end;
740 }
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
743 goto end;
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
746 goto end;
747 }
748 }
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
757 goto end;
758
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
761
762 testresult = 1;
763
764 end:
765 SSL_free(serverssl);
766 SSL_free(clientssl);
767 SSL_CTX_free(sctx);
768 SSL_CTX_free(cctx);
769 SSL_SESSION_free(sess);
770
771 return testresult;
772 }
773 #endif
774
775 static int execute_test_large_message(const SSL_METHOD *smeth,
776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
778 int read_ahead)
779 {
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
782 int testresult = 0;
783 int i;
784 BIO *certbio = NULL;
785 X509 *chaincert = NULL;
786 int certlen;
787
788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
789 goto end;
790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
791 BIO_free(certbio);
792 certbio = NULL;
793 if (!TEST_ptr(chaincert))
794 goto end;
795
796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
798 privkey)))
799 goto end;
800
801 if (read_ahead) {
802 /*
803 * Test that read_ahead works correctly when dealing with large
804 * records
805 */
806 SSL_CTX_set_read_ahead(cctx, 1);
807 }
808
809 /*
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
815 */
816 certlen = i2d_X509(chaincert, NULL);
817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
820 if (!X509_up_ref(chaincert))
821 goto end;
822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
823 X509_free(chaincert);
824 goto end;
825 }
826 }
827
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
829 NULL, NULL))
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
831 SSL_ERROR_NONE)))
832 goto end;
833
834 /*
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
836 * doesn't leak.
837 */
838 if (!TEST_true(SSL_clear(serverssl)))
839 goto end;
840
841 testresult = 1;
842 end:
843 X509_free(chaincert);
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850 }
851
852 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
854
855 /* sock must be connected */
856 static int ktls_chk_platform(int sock)
857 {
858 if (!ktls_enable(sock))
859 return 0;
860 return 1;
861 }
862
863 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
864 {
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
868 size_t err = 0;
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
877
878 cbuf[0] = count++;
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
887
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
889 goto end;
890
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
893 goto end;
894 }
895 }
896
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
898 goto end;
899
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
902 goto end;
903 }
904 }
905
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
914
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
917 goto end;
918
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
923 goto end;
924 } else {
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
927 goto end;
928 }
929
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
933 goto end;
934 } else {
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
937 goto end;
938 }
939
940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
943 goto end;
944 } else {
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
947 goto end;
948 }
949
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
953 goto end;
954 } else {
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
957 goto end;
958 }
959
960 return 1;
961 end:
962 return 0;
963 }
964
965 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
967 {
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
970 int testresult = 0;
971 int cfd, sfd;
972
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
974 goto end;
975
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
978 return 1;
979
980 /* Create a session based on SHA-256 */
981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
982 TLS_client_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
989 goto end;
990
991 if (!cis_ktls_tx) {
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 goto end;
994 }
995
996 if (!sis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
1001 if (!cis_ktls_rx) {
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 goto end;
1004 }
1005
1006 if (!sis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 SSL_ERROR_NONE)))
1013 goto end;
1014
1015 if (!cis_ktls_tx) {
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1017 goto end;
1018 } else {
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 goto end;
1021 }
1022
1023 if (!sis_ktls_tx) {
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1025 goto end;
1026 } else {
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 goto end;
1029 }
1030
1031 if (!cis_ktls_rx) {
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_rx) {
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1044 goto end;
1045 }
1046
1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1048 goto end;
1049
1050 testresult = 1;
1051 end:
1052 if (clientssl) {
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1055 }
1056 if (serverssl) {
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1059 }
1060 SSL_CTX_free(sctx);
1061 SSL_CTX_free(cctx);
1062 serverssl = clientssl = NULL;
1063 return testresult;
1064 }
1065
1066 #define SENDFILE_SZ (16 * 4096)
1067 #define SENDFILE_CHUNK (4 * 4096)
1068 #define min(a,b) ((a) > (b) ? (b) : (a))
1069
1070 static int test_ktls_sendfile(void)
1071 {
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1079 int testresult = 0;
1080 FILE *ffdp;
1081
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1086 goto end;
1087
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1090 testresult = 1;
1091 goto end;
1092 }
1093
1094 /* Create a session based on SHA-256 */
1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1103 goto end;
1104
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1108 goto end;
1109
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1112 if (!TEST_ptr(out))
1113 goto end;
1114
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 goto end;
1117
1118 BIO_free(out);
1119 out = NULL;
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1122 ffd = fileno(ffdp);
1123
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1127 ffd,
1128 chunk_off,
1129 chunk_size,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1132 goto end;
1133 }
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1138 goto end;
1139 }
1140
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1143 chunk_size,
1144 buf + chunk_off,
1145 chunk_size))
1146 goto end;
1147
1148 chunk_off += chunk_size;
1149 }
1150
1151 testresult = 1;
1152 end:
1153 if (clientssl) {
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1156 }
1157 if (serverssl) {
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1160 }
1161 SSL_CTX_free(sctx);
1162 SSL_CTX_free(cctx);
1163 serverssl = clientssl = NULL;
1164 BIO_free(out);
1165 BIO_free(in);
1166 OPENSSL_free(buf);
1167 OPENSSL_free(buf_dst);
1168 return testresult;
1169 }
1170
1171 static int test_ktls_no_txrx_client_no_txrx_server(void)
1172 {
1173 return execute_test_ktls(0, 0, 0, 0);
1174 }
1175
1176 static int test_ktls_no_rx_client_no_txrx_server(void)
1177 {
1178 return execute_test_ktls(1, 0, 0, 0);
1179 }
1180
1181 static int test_ktls_no_tx_client_no_txrx_server(void)
1182 {
1183 return execute_test_ktls(0, 1, 0, 0);
1184 }
1185
1186 static int test_ktls_client_no_txrx_server(void)
1187 {
1188 return execute_test_ktls(1, 1, 0, 0);
1189 }
1190
1191 static int test_ktls_no_txrx_client_no_rx_server(void)
1192 {
1193 return execute_test_ktls(0, 0, 1, 0);
1194 }
1195
1196 static int test_ktls_no_rx_client_no_rx_server(void)
1197 {
1198 return execute_test_ktls(1, 0, 1, 0);
1199 }
1200
1201 static int test_ktls_no_tx_client_no_rx_server(void)
1202 {
1203 return execute_test_ktls(0, 1, 1, 0);
1204 }
1205
1206 static int test_ktls_client_no_rx_server(void)
1207 {
1208 return execute_test_ktls(1, 1, 1, 0);
1209 }
1210
1211 static int test_ktls_no_txrx_client_no_tx_server(void)
1212 {
1213 return execute_test_ktls(0, 0, 0, 1);
1214 }
1215
1216 static int test_ktls_no_rx_client_no_tx_server(void)
1217 {
1218 return execute_test_ktls(1, 0, 0, 1);
1219 }
1220
1221 static int test_ktls_no_tx_client_no_tx_server(void)
1222 {
1223 return execute_test_ktls(0, 1, 0, 1);
1224 }
1225
1226 static int test_ktls_client_no_tx_server(void)
1227 {
1228 return execute_test_ktls(1, 1, 0, 1);
1229 }
1230
1231 static int test_ktls_no_txrx_client_server(void)
1232 {
1233 return execute_test_ktls(0, 0, 1, 1);
1234 }
1235
1236 static int test_ktls_no_rx_client_server(void)
1237 {
1238 return execute_test_ktls(1, 0, 1, 1);
1239 }
1240
1241 static int test_ktls_no_tx_client_server(void)
1242 {
1243 return execute_test_ktls(0, 1, 1, 1);
1244 }
1245
1246 static int test_ktls_client_server(void)
1247 {
1248 return execute_test_ktls(1, 1, 1, 1);
1249 }
1250 #endif
1251
1252 static int test_large_message_tls(void)
1253 {
1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1255 TLS1_VERSION, 0, 0);
1256 }
1257
1258 static int test_large_message_tls_read_ahead(void)
1259 {
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1261 TLS1_VERSION, 0, 1);
1262 }
1263
1264 #ifndef OPENSSL_NO_DTLS
1265 static int test_large_message_dtls(void)
1266 {
1267 /*
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1270 */
1271 return execute_test_large_message(DTLS_server_method(),
1272 DTLS_client_method(),
1273 DTLS1_VERSION, 0, 0);
1274 }
1275 #endif
1276
1277 #ifndef OPENSSL_NO_OCSP
1278 static int ocsp_server_cb(SSL *s, void *arg)
1279 {
1280 int *argi = (int *)arg;
1281 unsigned char *copy = NULL;
1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1284
1285 if (*argi == 2) {
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290
1291 id = sk_OCSP_RESPID_value(ids, 0);
1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1296 }
1297
1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1300
1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1302 ocsp_server_called = 1;
1303 return SSL_TLSEXT_ERR_OK;
1304 }
1305
1306 static int ocsp_client_cb(SSL *s, void *arg)
1307 {
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1310 size_t len;
1311
1312 if (*argi != 1 && *argi != 2)
1313 return 0;
1314
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1316 if (!TEST_mem_eq(orespder, len, respderin, len))
1317 return 0;
1318
1319 ocsp_client_called = 1;
1320 return 1;
1321 }
1322
1323 static int test_tlsext_status_type(void)
1324 {
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1327 int testresult = 0;
1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
1331
1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1333 TLS1_VERSION, 0,
1334 &sctx, &cctx, cert, privkey))
1335 return 0;
1336
1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1338 goto end;
1339
1340 /* First just do various checks getting and setting tlsext_status_type */
1341
1342 clientssl = SSL_new(cctx);
1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
1348 goto end;
1349
1350 SSL_free(clientssl);
1351 clientssl = NULL;
1352
1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1355 goto end;
1356
1357 clientssl = SSL_new(cctx);
1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1359 goto end;
1360 SSL_free(clientssl);
1361 clientssl = NULL;
1362
1363 /*
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1366 */
1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1374 SSL_ERROR_NONE))
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
1377 goto end;
1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1380 serverssl = NULL;
1381 clientssl = NULL;
1382
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1386 cdummyarg = 0;
1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1391 SSL_ERROR_NONE))
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
1394 goto end;
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1397 serverssl = NULL;
1398 clientssl = NULL;
1399
1400 /*
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1402 * accept.
1403 */
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1406 cdummyarg = 2;
1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
1409 goto end;
1410
1411 /*
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1413 * specific one. We'll use the server cert.
1414 */
1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1419 NULL, NULL, NULL))
1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1422 goto end;
1423 id = NULL;
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1426 ids = NULL;
1427
1428 BIO_free(certbio);
1429 certbio = NULL;
1430
1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1432 SSL_ERROR_NONE))
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
1435 goto end;
1436
1437 testresult = 1;
1438
1439 end:
1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1442 SSL_CTX_free(sctx);
1443 SSL_CTX_free(cctx);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1446 BIO_free(certbio);
1447 X509_free(ocspcert);
1448 ocspcert = NULL;
1449
1450 return testresult;
1451 }
1452 #endif
1453
1454 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1455 static int new_called, remove_called, get_called;
1456
1457 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1458 {
1459 new_called++;
1460 /*
1461 * sess has been up-refed for us, but we don't actually need it so free it
1462 * immediately.
1463 */
1464 SSL_SESSION_free(sess);
1465 return 1;
1466 }
1467
1468 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1469 {
1470 remove_called++;
1471 }
1472
1473 static SSL_SESSION *get_sess_val = NULL;
1474
1475 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1476 int *copy)
1477 {
1478 get_called++;
1479 *copy = 1;
1480 return get_sess_val;
1481 }
1482
1483 static int execute_test_session(int maxprot, int use_int_cache,
1484 int use_ext_cache)
1485 {
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1489 # ifndef OPENSSL_NO_TLS1_1
1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1491 # endif
1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1493 int testresult = 0, numnewsesstick = 1;
1494
1495 new_called = remove_called = 0;
1496
1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1499 numnewsesstick = 2;
1500
1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
1503 &sctx, &cctx, cert, privkey)))
1504 return 0;
1505
1506 /*
1507 * Only allow the max protocol version so we can force a connection failure
1508 * later
1509 */
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
1512
1513 /* Set up session cache */
1514 if (use_ext_cache) {
1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1517 }
1518 if (use_int_cache) {
1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1521 } else {
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1525 }
1526
1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1528 NULL, NULL))
1529 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1530 SSL_ERROR_NONE))
1531 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1532 goto end;
1533
1534 /* Should fail because it should already be in the cache */
1535 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1536 goto end;
1537 if (use_ext_cache
1538 && (!TEST_int_eq(new_called, numnewsesstick)
1539
1540 || !TEST_int_eq(remove_called, 0)))
1541 goto end;
1542
1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(SSL_set_session(clientssl2, sess1))
1547 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1548 SSL_ERROR_NONE))
1549 || !TEST_true(SSL_session_reused(clientssl2)))
1550 goto end;
1551
1552 if (maxprot == TLS1_3_VERSION) {
1553 /*
1554 * In TLSv1.3 we should have created a new session even though we have
1555 * resumed. Since we attempted a resume we should also have removed the
1556 * old ticket from the cache so that we try to only use tickets once.
1557 */
1558 if (use_ext_cache
1559 && (!TEST_int_eq(new_called, 1)
1560 || !TEST_int_eq(remove_called, 1)))
1561 goto end;
1562 } else {
1563 /*
1564 * In TLSv1.2 we expect to have resumed so no sessions added or
1565 * removed.
1566 */
1567 if (use_ext_cache
1568 && (!TEST_int_eq(new_called, 0)
1569 || !TEST_int_eq(remove_called, 0)))
1570 goto end;
1571 }
1572
1573 SSL_SESSION_free(sess1);
1574 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1575 goto end;
1576 shutdown_ssl_connection(serverssl2, clientssl2);
1577 serverssl2 = clientssl2 = NULL;
1578
1579 new_called = remove_called = 0;
1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1581 &clientssl2, NULL, NULL))
1582 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1583 SSL_ERROR_NONE)))
1584 goto end;
1585
1586 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1587 goto end;
1588
1589 if (use_ext_cache
1590 && (!TEST_int_eq(new_called, numnewsesstick)
1591 || !TEST_int_eq(remove_called, 0)))
1592 goto end;
1593
1594 new_called = remove_called = 0;
1595 /*
1596 * This should clear sess2 from the cache because it is a "bad" session.
1597 * See SSL_set_session() documentation.
1598 */
1599 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1600 goto end;
1601 if (use_ext_cache
1602 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1603 goto end;
1604 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1605 goto end;
1606
1607 if (use_int_cache) {
1608 /* Should succeeded because it should not already be in the cache */
1609 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1610 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1611 goto end;
1612 }
1613
1614 new_called = remove_called = 0;
1615 /* This shouldn't be in the cache so should fail */
1616 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1617 goto end;
1618
1619 if (use_ext_cache
1620 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1621 goto end;
1622
1623 # if !defined(OPENSSL_NO_TLS1_1)
1624 new_called = remove_called = 0;
1625 /* Force a connection failure */
1626 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1628 &clientssl3, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl3, sess1))
1630 /* This should fail because of the mismatched protocol versions */
1631 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1632 SSL_ERROR_NONE)))
1633 goto end;
1634
1635 /* We should have automatically removed the session from the cache */
1636 if (use_ext_cache
1637 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1638 goto end;
1639
1640 /* Should succeed because it should not already be in the cache */
1641 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1642 goto end;
1643 # endif
1644
1645 /* Now do some tests for server side caching */
1646 if (use_ext_cache) {
1647 SSL_CTX_sess_set_new_cb(cctx, NULL);
1648 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1649 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1651 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1652 get_sess_val = NULL;
1653 }
1654
1655 SSL_CTX_set_session_cache_mode(cctx, 0);
1656 /* Internal caching is the default on the server side */
1657 if (!use_int_cache)
1658 SSL_CTX_set_session_cache_mode(sctx,
1659 SSL_SESS_CACHE_SERVER
1660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1661
1662 SSL_free(serverssl1);
1663 SSL_free(clientssl1);
1664 serverssl1 = clientssl1 = NULL;
1665 SSL_free(serverssl2);
1666 SSL_free(clientssl2);
1667 serverssl2 = clientssl2 = NULL;
1668 SSL_SESSION_free(sess1);
1669 sess1 = NULL;
1670 SSL_SESSION_free(sess2);
1671 sess2 = NULL;
1672
1673 SSL_CTX_set_max_proto_version(sctx, maxprot);
1674 if (maxprot == TLS1_2_VERSION)
1675 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1676 new_called = remove_called = get_called = 0;
1677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1678 NULL, NULL))
1679 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1680 SSL_ERROR_NONE))
1681 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1682 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1683 goto end;
1684
1685 if (use_int_cache) {
1686 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1687 /*
1688 * In TLSv1.3 it should not have been added to the internal cache,
1689 * except in the case where we also have an external cache (in that
1690 * case it gets added to the cache in order to generate remove
1691 * events after timeout).
1692 */
1693 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1694 goto end;
1695 } else {
1696 /* Should fail because it should already be in the cache */
1697 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1698 goto end;
1699 }
1700 }
1701
1702 if (use_ext_cache) {
1703 SSL_SESSION *tmp = sess2;
1704
1705 if (!TEST_int_eq(new_called, numnewsesstick)
1706 || !TEST_int_eq(remove_called, 0)
1707 || !TEST_int_eq(get_called, 0))
1708 goto end;
1709 /*
1710 * Delete the session from the internal cache to force a lookup from
1711 * the external cache. We take a copy first because
1712 * SSL_CTX_remove_session() also marks the session as non-resumable.
1713 */
1714 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1715 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1716 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1717 goto end;
1718 SSL_SESSION_free(sess2);
1719 }
1720 sess2 = tmp;
1721 }
1722
1723 new_called = remove_called = get_called = 0;
1724 get_sess_val = sess2;
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1726 &clientssl2, NULL, NULL))
1727 || !TEST_true(SSL_set_session(clientssl2, sess1))
1728 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1729 SSL_ERROR_NONE))
1730 || !TEST_true(SSL_session_reused(clientssl2)))
1731 goto end;
1732
1733 if (use_ext_cache) {
1734 if (!TEST_int_eq(remove_called, 0))
1735 goto end;
1736
1737 if (maxprot == TLS1_3_VERSION) {
1738 if (!TEST_int_eq(new_called, 1)
1739 || !TEST_int_eq(get_called, 0))
1740 goto end;
1741 } else {
1742 if (!TEST_int_eq(new_called, 0)
1743 || !TEST_int_eq(get_called, 1))
1744 goto end;
1745 }
1746 }
1747
1748 testresult = 1;
1749
1750 end:
1751 SSL_free(serverssl1);
1752 SSL_free(clientssl1);
1753 SSL_free(serverssl2);
1754 SSL_free(clientssl2);
1755 # ifndef OPENSSL_NO_TLS1_1
1756 SSL_free(serverssl3);
1757 SSL_free(clientssl3);
1758 # endif
1759 SSL_SESSION_free(sess1);
1760 SSL_SESSION_free(sess2);
1761 SSL_CTX_free(sctx);
1762 SSL_CTX_free(cctx);
1763
1764 return testresult;
1765 }
1766 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1767
1768 static int test_session_with_only_int_cache(void)
1769 {
1770 #ifndef OPENSSL_NO_TLS1_3
1771 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1772 return 0;
1773 #endif
1774
1775 #ifndef OPENSSL_NO_TLS1_2
1776 return execute_test_session(TLS1_2_VERSION, 1, 0);
1777 #else
1778 return 1;
1779 #endif
1780 }
1781
1782 static int test_session_with_only_ext_cache(void)
1783 {
1784 #ifndef OPENSSL_NO_TLS1_3
1785 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1786 return 0;
1787 #endif
1788
1789 #ifndef OPENSSL_NO_TLS1_2
1790 return execute_test_session(TLS1_2_VERSION, 0, 1);
1791 #else
1792 return 1;
1793 #endif
1794 }
1795
1796 static int test_session_with_both_cache(void)
1797 {
1798 #ifndef OPENSSL_NO_TLS1_3
1799 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1800 return 0;
1801 #endif
1802
1803 #ifndef OPENSSL_NO_TLS1_2
1804 return execute_test_session(TLS1_2_VERSION, 1, 1);
1805 #else
1806 return 1;
1807 #endif
1808 }
1809
1810 #ifndef OPENSSL_NO_TLS1_3
1811 static SSL_SESSION *sesscache[6];
1812 static int do_cache;
1813
1814 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1815 {
1816 if (do_cache) {
1817 sesscache[new_called] = sess;
1818 } else {
1819 /* We don't need the reference to the session, so free it */
1820 SSL_SESSION_free(sess);
1821 }
1822 new_called++;
1823
1824 return 1;
1825 }
1826
1827 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1828 {
1829 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1830 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1831 return 0;
1832
1833 /* Start handshake on the server and client */
1834 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1835 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1836 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1837 || !TEST_true(create_ssl_connection(sssl, cssl,
1838 SSL_ERROR_NONE)))
1839 return 0;
1840
1841 return 1;
1842 }
1843
1844 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1845 SSL_CTX **cctx)
1846 {
1847 int sess_id_ctx = 1;
1848
1849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1850 TLS_client_method(), TLS1_VERSION, 0,
1851 sctx, cctx, cert, privkey))
1852 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1853 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1854 (void *)&sess_id_ctx,
1855 sizeof(sess_id_ctx))))
1856 return 0;
1857
1858 if (stateful)
1859 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1860
1861 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1862 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1863 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1864
1865 return 1;
1866 }
1867
1868 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1869 {
1870 SSL *serverssl = NULL, *clientssl = NULL;
1871 int i;
1872
1873 /* Test that we can resume with all the tickets we got given */
1874 for (i = 0; i < idx * 2; i++) {
1875 new_called = 0;
1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1877 &clientssl, NULL, NULL))
1878 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1879 goto end;
1880
1881 SSL_set_post_handshake_auth(clientssl, 1);
1882
1883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1884 SSL_ERROR_NONE)))
1885 goto end;
1886
1887 /*
1888 * Following a successful resumption we only get 1 ticket. After a
1889 * failed one we should get idx tickets.
1890 */
1891 if (succ) {
1892 if (!TEST_true(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, 1))
1894 goto end;
1895 } else {
1896 if (!TEST_false(SSL_session_reused(clientssl))
1897 || !TEST_int_eq(new_called, idx))
1898 goto end;
1899 }
1900
1901 new_called = 0;
1902 /* After a post-handshake authentication we should get 1 new ticket */
1903 if (succ
1904 && (!post_handshake_verify(serverssl, clientssl)
1905 || !TEST_int_eq(new_called, 1)))
1906 goto end;
1907
1908 SSL_shutdown(clientssl);
1909 SSL_shutdown(serverssl);
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1912 serverssl = clientssl = NULL;
1913 SSL_SESSION_free(sesscache[i]);
1914 sesscache[i] = NULL;
1915 }
1916
1917 return 1;
1918
1919 end:
1920 SSL_free(clientssl);
1921 SSL_free(serverssl);
1922 return 0;
1923 }
1924
1925 static int test_tickets(int stateful, int idx)
1926 {
1927 SSL_CTX *sctx = NULL, *cctx = NULL;
1928 SSL *serverssl = NULL, *clientssl = NULL;
1929 int testresult = 0;
1930 size_t j;
1931
1932 /* idx is the test number, but also the number of tickets we want */
1933
1934 new_called = 0;
1935 do_cache = 1;
1936
1937 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1938 goto end;
1939
1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1942 goto end;
1943
1944 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1945 SSL_ERROR_NONE))
1946 /* Check we got the number of tickets we were expecting */
1947 || !TEST_int_eq(idx, new_called))
1948 goto end;
1949
1950 SSL_shutdown(clientssl);
1951 SSL_shutdown(serverssl);
1952 SSL_free(serverssl);
1953 SSL_free(clientssl);
1954 SSL_CTX_free(sctx);
1955 SSL_CTX_free(cctx);
1956 clientssl = serverssl = NULL;
1957 sctx = cctx = NULL;
1958
1959 /*
1960 * Now we try to resume with the tickets we previously created. The
1961 * resumption attempt is expected to fail (because we're now using a new
1962 * SSL_CTX). We should see idx number of tickets issued again.
1963 */
1964
1965 /* Stop caching sessions - just count them */
1966 do_cache = 0;
1967
1968 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1969 goto end;
1970
1971 if (!check_resumption(idx, sctx, cctx, 0))
1972 goto end;
1973
1974 /* Start again with caching sessions */
1975 new_called = 0;
1976 do_cache = 1;
1977 SSL_CTX_free(sctx);
1978 SSL_CTX_free(cctx);
1979 sctx = cctx = NULL;
1980
1981 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1982 goto end;
1983
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1985 &clientssl, NULL, NULL)))
1986 goto end;
1987
1988 SSL_set_post_handshake_auth(clientssl, 1);
1989
1990 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1991 SSL_ERROR_NONE))
1992 /* Check we got the number of tickets we were expecting */
1993 || !TEST_int_eq(idx, new_called))
1994 goto end;
1995
1996 /* After a post-handshake authentication we should get new tickets issued */
1997 if (!post_handshake_verify(serverssl, clientssl)
1998 || !TEST_int_eq(idx * 2, new_called))
1999 goto end;
2000
2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2006
2007 /* Stop caching sessions - just count them */
2008 do_cache = 0;
2009
2010 /*
2011 * Check we can resume with all the tickets we created. This time around the
2012 * resumptions should all be successful.
2013 */
2014 if (!check_resumption(idx, sctx, cctx, 1))
2015 goto end;
2016
2017 testresult = 1;
2018
2019 end:
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
2022 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2023 SSL_SESSION_free(sesscache[j]);
2024 sesscache[j] = NULL;
2025 }
2026 SSL_CTX_free(sctx);
2027 SSL_CTX_free(cctx);
2028
2029 return testresult;
2030 }
2031
2032 static int test_stateless_tickets(int idx)
2033 {
2034 return test_tickets(0, idx);
2035 }
2036
2037 static int test_stateful_tickets(int idx)
2038 {
2039 return test_tickets(1, idx);
2040 }
2041
2042 static int test_psk_tickets(void)
2043 {
2044 SSL_CTX *sctx = NULL, *cctx = NULL;
2045 SSL *serverssl = NULL, *clientssl = NULL;
2046 int testresult = 0;
2047 int sess_id_ctx = 1;
2048
2049 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2050 TLS_client_method(), TLS1_VERSION, 0,
2051 &sctx, &cctx, NULL, NULL))
2052 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2053 (void *)&sess_id_ctx,
2054 sizeof(sess_id_ctx))))
2055 goto end;
2056
2057 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2059 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2060 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2061 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2062 use_session_cb_cnt = 0;
2063 find_session_cb_cnt = 0;
2064 srvid = pskid;
2065 new_called = 0;
2066
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2068 NULL, NULL)))
2069 goto end;
2070 clientpsk = serverpsk = create_a_psk(clientssl);
2071 if (!TEST_ptr(clientpsk))
2072 goto end;
2073 SSL_SESSION_up_ref(clientpsk);
2074
2075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2076 SSL_ERROR_NONE))
2077 || !TEST_int_eq(1, find_session_cb_cnt)
2078 || !TEST_int_eq(1, use_session_cb_cnt)
2079 /* We should always get 1 ticket when using external PSK */
2080 || !TEST_int_eq(1, new_called))
2081 goto end;
2082
2083 testresult = 1;
2084
2085 end:
2086 SSL_free(serverssl);
2087 SSL_free(clientssl);
2088 SSL_CTX_free(sctx);
2089 SSL_CTX_free(cctx);
2090 SSL_SESSION_free(clientpsk);
2091 SSL_SESSION_free(serverpsk);
2092 clientpsk = serverpsk = NULL;
2093
2094 return testresult;
2095 }
2096 #endif
2097
2098 #define USE_NULL 0
2099 #define USE_BIO_1 1
2100 #define USE_BIO_2 2
2101 #define USE_DEFAULT 3
2102
2103 #define CONNTYPE_CONNECTION_SUCCESS 0
2104 #define CONNTYPE_CONNECTION_FAIL 1
2105 #define CONNTYPE_NO_CONNECTION 2
2106
2107 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2108 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2109 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2110 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2111 #else
2112 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2113 #endif
2114
2115 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2116 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2117 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2118
2119 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2120 {
2121 switch (type) {
2122 case USE_NULL:
2123 *res = NULL;
2124 break;
2125 case USE_BIO_1:
2126 *res = bio1;
2127 break;
2128 case USE_BIO_2:
2129 *res = bio2;
2130 break;
2131 }
2132 }
2133
2134
2135 /*
2136 * Tests calls to SSL_set_bio() under various conditions.
2137 *
2138 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2139 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2140 * then do more tests where we create a successful connection first using our
2141 * standard connection setup functions, and then call SSL_set_bio() with
2142 * various combinations of valid BIOs or NULL. We then repeat these tests
2143 * following a failed connection. In this last case we are looking to check that
2144 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2145 */
2146 static int test_ssl_set_bio(int idx)
2147 {
2148 SSL_CTX *sctx = NULL, *cctx = NULL;
2149 BIO *bio1 = NULL;
2150 BIO *bio2 = NULL;
2151 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2152 SSL *serverssl = NULL, *clientssl = NULL;
2153 int initrbio, initwbio, newrbio, newwbio, conntype;
2154 int testresult = 0;
2155
2156 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2157 initrbio = idx % 3;
2158 idx /= 3;
2159 initwbio = idx % 3;
2160 idx /= 3;
2161 newrbio = idx % 3;
2162 idx /= 3;
2163 newwbio = idx % 3;
2164 conntype = CONNTYPE_NO_CONNECTION;
2165 } else {
2166 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2167 initrbio = initwbio = USE_DEFAULT;
2168 newrbio = idx % 2;
2169 idx /= 2;
2170 newwbio = idx % 2;
2171 idx /= 2;
2172 conntype = idx % 2;
2173 }
2174
2175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2176 TLS_client_method(), TLS1_VERSION, 0,
2177 &sctx, &cctx, cert, privkey)))
2178 goto end;
2179
2180 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2181 /*
2182 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2183 * because we reduced the number of tests in the definition of
2184 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2185 * mismatched protocol versions we will force a connection failure.
2186 */
2187 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2188 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2189 }
2190
2191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2192 NULL, NULL)))
2193 goto end;
2194
2195 if (initrbio == USE_BIO_1
2196 || initwbio == USE_BIO_1
2197 || newrbio == USE_BIO_1
2198 || newwbio == USE_BIO_1) {
2199 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2200 goto end;
2201 }
2202
2203 if (initrbio == USE_BIO_2
2204 || initwbio == USE_BIO_2
2205 || newrbio == USE_BIO_2
2206 || newwbio == USE_BIO_2) {
2207 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2208 goto end;
2209 }
2210
2211 if (initrbio != USE_DEFAULT) {
2212 setupbio(&irbio, bio1, bio2, initrbio);
2213 setupbio(&iwbio, bio1, bio2, initwbio);
2214 SSL_set_bio(clientssl, irbio, iwbio);
2215
2216 /*
2217 * We want to maintain our own refs to these BIO, so do an up ref for
2218 * each BIO that will have ownership transferred in the SSL_set_bio()
2219 * call
2220 */
2221 if (irbio != NULL)
2222 BIO_up_ref(irbio);
2223 if (iwbio != NULL && iwbio != irbio)
2224 BIO_up_ref(iwbio);
2225 }
2226
2227 if (conntype != CONNTYPE_NO_CONNECTION
2228 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2229 SSL_ERROR_NONE)
2230 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2231 goto end;
2232
2233 setupbio(&nrbio, bio1, bio2, newrbio);
2234 setupbio(&nwbio, bio1, bio2, newwbio);
2235
2236 /*
2237 * We will (maybe) transfer ownership again so do more up refs.
2238 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2239 * already been set!
2240 */
2241 if (nrbio != NULL
2242 && nrbio != irbio
2243 && (nwbio != iwbio || nrbio != nwbio))
2244 BIO_up_ref(nrbio);
2245 if (nwbio != NULL
2246 && nwbio != nrbio
2247 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2248 BIO_up_ref(nwbio);
2249
2250 SSL_set_bio(clientssl, nrbio, nwbio);
2251
2252 testresult = 1;
2253
2254 end:
2255 BIO_free(bio1);
2256 BIO_free(bio2);
2257
2258 /*
2259 * This test is checking that the ref counting for SSL_set_bio is correct.
2260 * If we get here and we did too many frees then we will fail in the above
2261 * functions.
2262 */
2263 SSL_free(serverssl);
2264 SSL_free(clientssl);
2265 SSL_CTX_free(sctx);
2266 SSL_CTX_free(cctx);
2267 return testresult;
2268 }
2269
2270 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2271
2272 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2273 {
2274 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2275 SSL_CTX *ctx;
2276 SSL *ssl = NULL;
2277 int testresult = 0;
2278
2279 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
2280 || !TEST_ptr(ssl = SSL_new(ctx))
2281 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2282 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2283 goto end;
2284
2285 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2286
2287 /*
2288 * If anything goes wrong here then we could leak memory.
2289 */
2290 BIO_push(sslbio, membio1);
2291
2292 /* Verify changing the rbio/wbio directly does not cause leaks */
2293 if (change_bio != NO_BIO_CHANGE) {
2294 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2295 goto end;
2296 if (change_bio == CHANGE_RBIO)
2297 SSL_set0_rbio(ssl, membio2);
2298 else
2299 SSL_set0_wbio(ssl, membio2);
2300 }
2301 ssl = NULL;
2302
2303 if (pop_ssl)
2304 BIO_pop(sslbio);
2305 else
2306 BIO_pop(membio1);
2307
2308 testresult = 1;
2309 end:
2310 BIO_free(membio1);
2311 BIO_free(sslbio);
2312 SSL_free(ssl);
2313 SSL_CTX_free(ctx);
2314
2315 return testresult;
2316 }
2317
2318 static int test_ssl_bio_pop_next_bio(void)
2319 {
2320 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2321 }
2322
2323 static int test_ssl_bio_pop_ssl_bio(void)
2324 {
2325 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2326 }
2327
2328 static int test_ssl_bio_change_rbio(void)
2329 {
2330 return execute_test_ssl_bio(0, CHANGE_RBIO);
2331 }
2332
2333 static int test_ssl_bio_change_wbio(void)
2334 {
2335 return execute_test_ssl_bio(0, CHANGE_WBIO);
2336 }
2337
2338 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2339 typedef struct {
2340 /* The list of sig algs */
2341 const int *list;
2342 /* The length of the list */
2343 size_t listlen;
2344 /* A sigalgs list in string format */
2345 const char *liststr;
2346 /* Whether setting the list should succeed */
2347 int valid;
2348 /* Whether creating a connection with the list should succeed */
2349 int connsuccess;
2350 } sigalgs_list;
2351
2352 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2353 # ifndef OPENSSL_NO_EC
2354 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2355 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2356 # endif
2357 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2358 static const int invalidlist2[] = {NID_sha256, NID_undef};
2359 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2360 static const int invalidlist4[] = {NID_sha256};
2361 static const sigalgs_list testsigalgs[] = {
2362 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2363 # ifndef OPENSSL_NO_EC
2364 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2365 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2366 # endif
2367 {NULL, 0, "RSA+SHA256", 1, 1},
2368 # ifndef OPENSSL_NO_EC
2369 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2370 {NULL, 0, "ECDSA+SHA512", 1, 0},
2371 # endif
2372 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2373 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2374 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2375 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2376 {NULL, 0, "RSA", 0, 0},
2377 {NULL, 0, "SHA256", 0, 0},
2378 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2379 {NULL, 0, "Invalid", 0, 0}
2380 };
2381
2382 static int test_set_sigalgs(int idx)
2383 {
2384 SSL_CTX *cctx = NULL, *sctx = NULL;
2385 SSL *clientssl = NULL, *serverssl = NULL;
2386 int testresult = 0;
2387 const sigalgs_list *curr;
2388 int testctx;
2389
2390 /* Should never happen */
2391 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2392 return 0;
2393
2394 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2395 curr = testctx ? &testsigalgs[idx]
2396 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2397
2398 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2399 TLS_client_method(), TLS1_VERSION, 0,
2400 &sctx, &cctx, cert, privkey)))
2401 return 0;
2402
2403 /*
2404 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2405 * for TLSv1.2 for now until we add a new API.
2406 */
2407 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2408
2409 if (testctx) {
2410 int ret;
2411
2412 if (curr->list != NULL)
2413 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2414 else
2415 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2416
2417 if (!ret) {
2418 if (curr->valid)
2419 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2420 else
2421 testresult = 1;
2422 goto end;
2423 }
2424 if (!curr->valid) {
2425 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2426 goto end;
2427 }
2428 }
2429
2430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2431 &clientssl, NULL, NULL)))
2432 goto end;
2433
2434 if (!testctx) {
2435 int ret;
2436
2437 if (curr->list != NULL)
2438 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2439 else
2440 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2441 if (!ret) {
2442 if (curr->valid)
2443 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2444 else
2445 testresult = 1;
2446 goto end;
2447 }
2448 if (!curr->valid)
2449 goto end;
2450 }
2451
2452 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2453 SSL_ERROR_NONE),
2454 curr->connsuccess))
2455 goto end;
2456
2457 testresult = 1;
2458
2459 end:
2460 SSL_free(serverssl);
2461 SSL_free(clientssl);
2462 SSL_CTX_free(sctx);
2463 SSL_CTX_free(cctx);
2464
2465 return testresult;
2466 }
2467 #endif
2468
2469 #ifndef OPENSSL_NO_TLS1_3
2470 static int psk_client_cb_cnt = 0;
2471 static int psk_server_cb_cnt = 0;
2472
2473 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2474 size_t *idlen, SSL_SESSION **sess)
2475 {
2476 switch (++use_session_cb_cnt) {
2477 case 1:
2478 /* The first call should always have a NULL md */
2479 if (md != NULL)
2480 return 0;
2481 break;
2482
2483 case 2:
2484 /* The second call should always have an md */
2485 if (md == NULL)
2486 return 0;
2487 break;
2488
2489 default:
2490 /* We should only be called a maximum of twice */
2491 return 0;
2492 }
2493
2494 if (clientpsk != NULL)
2495 SSL_SESSION_up_ref(clientpsk);
2496
2497 *sess = clientpsk;
2498 *id = (const unsigned char *)pskid;
2499 *idlen = strlen(pskid);
2500
2501 return 1;
2502 }
2503
2504 #ifndef OPENSSL_NO_PSK
2505 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2506 unsigned int max_id_len,
2507 unsigned char *psk,
2508 unsigned int max_psk_len)
2509 {
2510 unsigned int psklen = 0;
2511
2512 psk_client_cb_cnt++;
2513
2514 if (strlen(pskid) + 1 > max_id_len)
2515 return 0;
2516
2517 /* We should only ever be called a maximum of twice per connection */
2518 if (psk_client_cb_cnt > 2)
2519 return 0;
2520
2521 if (clientpsk == NULL)
2522 return 0;
2523
2524 /* We'll reuse the PSK we set up for TLSv1.3 */
2525 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2526 return 0;
2527 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2528 strncpy(id, pskid, max_id_len);
2529
2530 return psklen;
2531 }
2532 #endif /* OPENSSL_NO_PSK */
2533
2534 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2535 size_t identity_len, SSL_SESSION **sess)
2536 {
2537 find_session_cb_cnt++;
2538
2539 /* We should only ever be called a maximum of twice per connection */
2540 if (find_session_cb_cnt > 2)
2541 return 0;
2542
2543 if (serverpsk == NULL)
2544 return 0;
2545
2546 /* Identity should match that set by the client */
2547 if (strlen(srvid) != identity_len
2548 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2549 /* No PSK found, continue but without a PSK */
2550 *sess = NULL;
2551 return 1;
2552 }
2553
2554 SSL_SESSION_up_ref(serverpsk);
2555 *sess = serverpsk;
2556
2557 return 1;
2558 }
2559
2560 #ifndef OPENSSL_NO_PSK
2561 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2562 unsigned char *psk, unsigned int max_psk_len)
2563 {
2564 unsigned int psklen = 0;
2565
2566 psk_server_cb_cnt++;
2567
2568 /* We should only ever be called a maximum of twice per connection */
2569 if (find_session_cb_cnt > 2)
2570 return 0;
2571
2572 if (serverpsk == NULL)
2573 return 0;
2574
2575 /* Identity should match that set by the client */
2576 if (strcmp(srvid, identity) != 0) {
2577 return 0;
2578 }
2579
2580 /* We'll reuse the PSK we set up for TLSv1.3 */
2581 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2582 return 0;
2583 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2584
2585 return psklen;
2586 }
2587 #endif /* OPENSSL_NO_PSK */
2588
2589 #define MSG1 "Hello"
2590 #define MSG2 "World."
2591 #define MSG3 "This"
2592 #define MSG4 "is"
2593 #define MSG5 "a"
2594 #define MSG6 "test"
2595 #define MSG7 "message."
2596
2597 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2598 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2599
2600
2601 static SSL_SESSION *create_a_psk(SSL *ssl)
2602 {
2603 const SSL_CIPHER *cipher = NULL;
2604 const unsigned char key[] = {
2605 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2606 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2607 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2608 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2609 0x2c, 0x2d, 0x2e, 0x2f
2610 };
2611 SSL_SESSION *sess = NULL;
2612
2613 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2614 sess = SSL_SESSION_new();
2615 if (!TEST_ptr(sess)
2616 || !TEST_ptr(cipher)
2617 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2618 sizeof(key)))
2619 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2620 || !TEST_true(
2621 SSL_SESSION_set_protocol_version(sess,
2622 TLS1_3_VERSION))) {
2623 SSL_SESSION_free(sess);
2624 return NULL;
2625 }
2626 return sess;
2627 }
2628
2629 /*
2630 * Helper method to setup objects for early data test. Caller frees objects on
2631 * error.
2632 */
2633 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2634 SSL **serverssl, SSL_SESSION **sess, int idx)
2635 {
2636 if (*sctx == NULL
2637 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2638 TLS_client_method(),
2639 TLS1_VERSION, 0,
2640 sctx, cctx, cert, privkey)))
2641 return 0;
2642
2643 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2644 return 0;
2645
2646 if (idx == 1) {
2647 /* When idx == 1 we repeat the tests with read_ahead set */
2648 SSL_CTX_set_read_ahead(*cctx, 1);
2649 SSL_CTX_set_read_ahead(*sctx, 1);
2650 } else if (idx == 2) {
2651 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2652 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2653 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2654 use_session_cb_cnt = 0;
2655 find_session_cb_cnt = 0;
2656 srvid = pskid;
2657 }
2658
2659 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2660 NULL, NULL)))
2661 return 0;
2662
2663 /*
2664 * For one of the run throughs (doesn't matter which one), we'll try sending
2665 * some SNI data in the initial ClientHello. This will be ignored (because
2666 * there is no SNI cb set up by the server), so it should not impact
2667 * early_data.
2668 */
2669 if (idx == 1
2670 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2671 return 0;
2672
2673 if (idx == 2) {
2674 clientpsk = create_a_psk(*clientssl);
2675 if (!TEST_ptr(clientpsk)
2676 /*
2677 * We just choose an arbitrary value for max_early_data which
2678 * should be big enough for testing purposes.
2679 */
2680 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2681 0x100))
2682 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2683 SSL_SESSION_free(clientpsk);
2684 clientpsk = NULL;
2685 return 0;
2686 }
2687 serverpsk = clientpsk;
2688
2689 if (sess != NULL) {
2690 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
2694 return 0;
2695 }
2696 *sess = clientpsk;
2697 }
2698 return 1;
2699 }
2700
2701 if (sess == NULL)
2702 return 1;
2703
2704 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2705 SSL_ERROR_NONE)))
2706 return 0;
2707
2708 *sess = SSL_get1_session(*clientssl);
2709 SSL_shutdown(*clientssl);
2710 SSL_shutdown(*serverssl);
2711 SSL_free(*serverssl);
2712 SSL_free(*clientssl);
2713 *serverssl = *clientssl = NULL;
2714
2715 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2716 clientssl, NULL, NULL))
2717 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2718 return 0;
2719
2720 return 1;
2721 }
2722
2723 static int test_early_data_read_write(int idx)
2724 {
2725 SSL_CTX *cctx = NULL, *sctx = NULL;
2726 SSL *clientssl = NULL, *serverssl = NULL;
2727 int testresult = 0;
2728 SSL_SESSION *sess = NULL;
2729 unsigned char buf[20], data[1024];
2730 size_t readbytes, written, eoedlen, rawread, rawwritten;
2731 BIO *rbio;
2732
2733 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2734 &serverssl, &sess, idx)))
2735 goto end;
2736
2737 /* Write and read some early data */
2738 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2739 &written))
2740 || !TEST_size_t_eq(written, strlen(MSG1))
2741 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2742 sizeof(buf), &readbytes),
2743 SSL_READ_EARLY_DATA_SUCCESS)
2744 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2745 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2746 SSL_EARLY_DATA_ACCEPTED))
2747 goto end;
2748
2749 /*
2750 * Server should be able to write data, and client should be able to
2751 * read it.
2752 */
2753 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2754 &written))
2755 || !TEST_size_t_eq(written, strlen(MSG2))
2756 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2757 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2758 goto end;
2759
2760 /* Even after reading normal data, client should be able write early data */
2761 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2762 &written))
2763 || !TEST_size_t_eq(written, strlen(MSG3)))
2764 goto end;
2765
2766 /* Server should still be able read early data after writing data */
2767 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2768 &readbytes),
2769 SSL_READ_EARLY_DATA_SUCCESS)
2770 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2771 goto end;
2772
2773 /* Write more data from server and read it from client */
2774 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2775 &written))
2776 || !TEST_size_t_eq(written, strlen(MSG4))
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2778 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2779 goto end;
2780
2781 /*
2782 * If client writes normal data it should mean writing early data is no
2783 * longer possible.
2784 */
2785 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2786 || !TEST_size_t_eq(written, strlen(MSG5))
2787 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2788 SSL_EARLY_DATA_ACCEPTED))
2789 goto end;
2790
2791 /*
2792 * At this point the client has written EndOfEarlyData, ClientFinished and
2793 * normal (fully protected) data. We are going to cause a delay between the
2794 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2795 * in the read BIO, and then just put back the EndOfEarlyData message.
2796 */
2797 rbio = SSL_get_rbio(serverssl);
2798 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2799 || !TEST_size_t_lt(rawread, sizeof(data))
2800 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2801 goto end;
2802
2803 /* Record length is in the 4th and 5th bytes of the record header */
2804 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2805 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2806 || !TEST_size_t_eq(rawwritten, eoedlen))
2807 goto end;
2808
2809 /* Server should be told that there is no more early data */
2810 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2811 &readbytes),
2812 SSL_READ_EARLY_DATA_FINISH)
2813 || !TEST_size_t_eq(readbytes, 0))
2814 goto end;
2815
2816 /*
2817 * Server has not finished init yet, so should still be able to write early
2818 * data.
2819 */
2820 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2821 &written))
2822 || !TEST_size_t_eq(written, strlen(MSG6)))
2823 goto end;
2824
2825 /* Push the ClientFinished and the normal data back into the server rbio */
2826 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2827 &rawwritten))
2828 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2829 goto end;
2830
2831 /* Server should be able to read normal data */
2832 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2833 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2834 goto end;
2835
2836 /* Client and server should not be able to write/read early data now */
2837 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2838 &written)))
2839 goto end;
2840 ERR_clear_error();
2841 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2842 &readbytes),
2843 SSL_READ_EARLY_DATA_ERROR))
2844 goto end;
2845 ERR_clear_error();
2846
2847 /* Client should be able to read the data sent by the server */
2848 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2849 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2850 goto end;
2851
2852 /*
2853 * Make sure we process the two NewSessionTickets. These arrive
2854 * post-handshake. We attempt reads which we do not expect to return any
2855 * data.
2856 */
2857 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2859 &readbytes)))
2860 goto end;
2861
2862 /* Server should be able to write normal data */
2863 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2864 || !TEST_size_t_eq(written, strlen(MSG7))
2865 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2866 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2867 goto end;
2868
2869 SSL_SESSION_free(sess);
2870 sess = SSL_get1_session(clientssl);
2871 use_session_cb_cnt = 0;
2872 find_session_cb_cnt = 0;
2873
2874 SSL_shutdown(clientssl);
2875 SSL_shutdown(serverssl);
2876 SSL_free(serverssl);
2877 SSL_free(clientssl);
2878 serverssl = clientssl = NULL;
2879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2880 &clientssl, NULL, NULL))
2881 || !TEST_true(SSL_set_session(clientssl, sess)))
2882 goto end;
2883
2884 /* Write and read some early data */
2885 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2886 &written))
2887 || !TEST_size_t_eq(written, strlen(MSG1))
2888 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2889 &readbytes),
2890 SSL_READ_EARLY_DATA_SUCCESS)
2891 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2892 goto end;
2893
2894 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2895 || !TEST_int_gt(SSL_accept(serverssl), 0))
2896 goto end;
2897
2898 /* Client and server should not be able to write/read early data now */
2899 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2900 &written)))
2901 goto end;
2902 ERR_clear_error();
2903 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2904 &readbytes),
2905 SSL_READ_EARLY_DATA_ERROR))
2906 goto end;
2907 ERR_clear_error();
2908
2909 /* Client and server should be able to write/read normal data */
2910 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2911 || !TEST_size_t_eq(written, strlen(MSG5))
2912 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2913 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2914 goto end;
2915
2916 testresult = 1;
2917
2918 end:
2919 SSL_SESSION_free(sess);
2920 SSL_SESSION_free(clientpsk);
2921 SSL_SESSION_free(serverpsk);
2922 clientpsk = serverpsk = NULL;
2923 SSL_free(serverssl);
2924 SSL_free(clientssl);
2925 SSL_CTX_free(sctx);
2926 SSL_CTX_free(cctx);
2927 return testresult;
2928 }
2929
2930 static int allow_ed_cb_called = 0;
2931
2932 static int allow_early_data_cb(SSL *s, void *arg)
2933 {
2934 int *usecb = (int *)arg;
2935
2936 allow_ed_cb_called++;
2937
2938 if (*usecb == 1)
2939 return 0;
2940
2941 return 1;
2942 }
2943
2944 /*
2945 * idx == 0: Standard early_data setup
2946 * idx == 1: early_data setup using read_ahead
2947 * usecb == 0: Don't use a custom early data callback
2948 * usecb == 1: Use a custom early data callback and reject the early data
2949 * usecb == 2: Use a custom early data callback and accept the early data
2950 * confopt == 0: Configure anti-replay directly
2951 * confopt == 1: Configure anti-replay using SSL_CONF
2952 */
2953 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2954 {
2955 SSL_CTX *cctx = NULL, *sctx = NULL;
2956 SSL *clientssl = NULL, *serverssl = NULL;
2957 int testresult = 0;
2958 SSL_SESSION *sess = NULL;
2959 size_t readbytes, written;
2960 unsigned char buf[20];
2961
2962 allow_ed_cb_called = 0;
2963
2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
2967 return 0;
2968
2969 if (usecb > 0) {
2970 if (confopt == 0) {
2971 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2972 } else {
2973 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2974
2975 if (!TEST_ptr(confctx))
2976 goto end;
2977 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2978 | SSL_CONF_FLAG_SERVER);
2979 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2980 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2981 2)) {
2982 SSL_CONF_CTX_free(confctx);
2983 goto end;
2984 }
2985 SSL_CONF_CTX_free(confctx);
2986 }
2987 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2988 }
2989
2990 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2991 &serverssl, &sess, idx)))
2992 goto end;
2993
2994 /*
2995 * The server is configured to accept early data. Create a connection to
2996 * "use up" the ticket
2997 */
2998 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2999 || !TEST_true(SSL_session_reused(clientssl)))
3000 goto end;
3001
3002 SSL_shutdown(clientssl);
3003 SSL_shutdown(serverssl);
3004 SSL_free(serverssl);
3005 SSL_free(clientssl);
3006 serverssl = clientssl = NULL;
3007
3008 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3009 &clientssl, NULL, NULL))
3010 || !TEST_true(SSL_set_session(clientssl, sess)))
3011 goto end;
3012
3013 /* Write and read some early data */
3014 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3015 &written))
3016 || !TEST_size_t_eq(written, strlen(MSG1)))
3017 goto end;
3018
3019 if (usecb <= 1) {
3020 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3021 &readbytes),
3022 SSL_READ_EARLY_DATA_FINISH)
3023 /*
3024 * The ticket was reused, so the we should have rejected the
3025 * early data
3026 */
3027 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3028 SSL_EARLY_DATA_REJECTED))
3029 goto end;
3030 } else {
3031 /* In this case the callback decides to accept the early data */
3032 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3033 &readbytes),
3034 SSL_READ_EARLY_DATA_SUCCESS)
3035 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3036 /*
3037 * Server will have sent its flight so client can now send
3038 * end of early data and complete its half of the handshake
3039 */
3040 || !TEST_int_gt(SSL_connect(clientssl), 0)
3041 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3042 &readbytes),
3043 SSL_READ_EARLY_DATA_FINISH)
3044 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3045 SSL_EARLY_DATA_ACCEPTED))
3046 goto end;
3047 }
3048
3049 /* Complete the connection */
3050 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3051 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3052 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3053 goto end;
3054
3055 testresult = 1;
3056
3057 end:
3058 SSL_SESSION_free(sess);
3059 SSL_SESSION_free(clientpsk);
3060 SSL_SESSION_free(serverpsk);
3061 clientpsk = serverpsk = NULL;
3062 SSL_free(serverssl);
3063 SSL_free(clientssl);
3064 SSL_CTX_free(sctx);
3065 SSL_CTX_free(cctx);
3066 return testresult;
3067 }
3068
3069 static int test_early_data_replay(int idx)
3070 {
3071 int ret = 1, usecb, confopt;
3072
3073 for (usecb = 0; usecb < 3; usecb++) {
3074 for (confopt = 0; confopt < 2; confopt++)
3075 ret &= test_early_data_replay_int(idx, usecb, confopt);
3076 }
3077
3078 return ret;
3079 }
3080
3081 /*
3082 * Helper function to test that a server attempting to read early data can
3083 * handle a connection from a client where the early data should be skipped.
3084 * testtype: 0 == No HRR
3085 * testtype: 1 == HRR
3086 * testtype: 2 == HRR, invalid early_data sent after HRR
3087 * testtype: 3 == recv_max_early_data set to 0
3088 */
3089 static int early_data_skip_helper(int testtype, int idx)
3090 {
3091 SSL_CTX *cctx = NULL, *sctx = NULL;
3092 SSL *clientssl = NULL, *serverssl = NULL;
3093 int testresult = 0;
3094 SSL_SESSION *sess = NULL;
3095 unsigned char buf[20];
3096 size_t readbytes, written;
3097
3098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3099 &serverssl, &sess, idx)))
3100 goto end;
3101
3102 if (testtype == 1 || testtype == 2) {
3103 /* Force an HRR to occur */
3104 #if defined(OPENSSL_NO_EC)
3105 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3106 goto end;
3107 #else
3108 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3109 goto end;
3110 #endif
3111 } else if (idx == 2) {
3112 /*
3113 * We force early_data rejection by ensuring the PSK identity is
3114 * unrecognised
3115 */
3116 srvid = "Dummy Identity";
3117 } else {
3118 /*
3119 * Deliberately corrupt the creation time. We take 20 seconds off the
3120 * time. It could be any value as long as it is not within tolerance.
3121 * This should mean the ticket is rejected.
3122 */
3123 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3124 goto end;
3125 }
3126
3127 if (testtype == 3
3128 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3129 goto end;
3130
3131 /* Write some early data */
3132 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3133 &written))
3134 || !TEST_size_t_eq(written, strlen(MSG1)))
3135 goto end;
3136
3137 /* Server should reject the early data */
3138 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3139 &readbytes),
3140 SSL_READ_EARLY_DATA_FINISH)
3141 || !TEST_size_t_eq(readbytes, 0)
3142 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3143 SSL_EARLY_DATA_REJECTED))
3144 goto end;
3145
3146 switch (testtype) {
3147 case 0:
3148 /* Nothing to do */
3149 break;
3150
3151 case 1:
3152 /*
3153 * Finish off the handshake. We perform the same writes and reads as
3154 * further down but we expect them to fail due to the incomplete
3155 * handshake.
3156 */
3157 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3158 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3159 &readbytes)))
3160 goto end;
3161 break;
3162
3163 case 2:
3164 {
3165 BIO *wbio = SSL_get_wbio(clientssl);
3166 /* A record that will appear as bad early_data */
3167 const unsigned char bad_early_data[] = {
3168 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3169 };
3170
3171 /*
3172 * We force the client to attempt a write. This will fail because
3173 * we're still in the handshake. It will cause the second
3174 * ClientHello to be sent.
3175 */
3176 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3177 &written)))
3178 goto end;
3179
3180 /*
3181 * Inject some early_data after the second ClientHello. This should
3182 * cause the server to fail
3183 */
3184 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3185 sizeof(bad_early_data), &written)))
3186 goto end;
3187 }
3188 /* fallthrough */
3189
3190 case 3:
3191 /*
3192 * This client has sent more early_data than we are willing to skip
3193 * (case 3) or sent invalid early_data (case 2) so the connection should
3194 * abort.
3195 */
3196 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3197 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3198 goto end;
3199
3200 /* Connection has failed - nothing more to do */
3201 testresult = 1;
3202 goto end;
3203
3204 default:
3205 TEST_error("Invalid test type");
3206 goto end;
3207 }
3208
3209 /*
3210 * Should be able to send normal data despite rejection of early data. The
3211 * early_data should be skipped.
3212 */
3213 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3214 || !TEST_size_t_eq(written, strlen(MSG2))
3215 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3216 SSL_EARLY_DATA_REJECTED)
3217 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3218 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3219 goto end;
3220
3221 testresult = 1;
3222
3223 end:
3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
3227 SSL_SESSION_free(sess);
3228 SSL_free(serverssl);
3229 SSL_free(clientssl);
3230 SSL_CTX_free(sctx);
3231 SSL_CTX_free(cctx);
3232 return testresult;
3233 }
3234
3235 /*
3236 * Test that a server attempting to read early data can handle a connection
3237 * from a client where the early data is not acceptable.
3238 */
3239 static int test_early_data_skip(int idx)
3240 {
3241 return early_data_skip_helper(0, idx);
3242 }
3243
3244 /*
3245 * Test that a server attempting to read early data can handle a connection
3246 * from a client where an HRR occurs.
3247 */
3248 static int test_early_data_skip_hrr(int idx)
3249 {
3250 return early_data_skip_helper(1, idx);
3251 }
3252
3253 /*
3254 * Test that a server attempting to read early data can handle a connection
3255 * from a client where an HRR occurs and correctly fails if early_data is sent
3256 * after the HRR
3257 */
3258 static int test_early_data_skip_hrr_fail(int idx)
3259 {
3260 return early_data_skip_helper(2, idx);
3261 }
3262
3263 /*
3264 * Test that a server attempting to read early data will abort if it tries to
3265 * skip over too much.
3266 */
3267 static int test_early_data_skip_abort(int idx)
3268 {
3269 return early_data_skip_helper(3, idx);
3270 }
3271
3272 /*
3273 * Test that a server attempting to read early data can handle a connection
3274 * from a client that doesn't send any.
3275 */
3276 static int test_early_data_not_sent(int idx)
3277 {
3278 SSL_CTX *cctx = NULL, *sctx = NULL;
3279 SSL *clientssl = NULL, *serverssl = NULL;
3280 int testresult = 0;
3281 SSL_SESSION *sess = NULL;
3282 unsigned char buf[20];
3283 size_t readbytes, written;
3284
3285 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3286 &serverssl, &sess, idx)))
3287 goto end;
3288
3289 /* Write some data - should block due to handshake with server */
3290 SSL_set_connect_state(clientssl);
3291 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3292 goto end;
3293
3294 /* Server should detect that early data has not been sent */
3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3296 &readbytes),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0)
3299 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3300 SSL_EARLY_DATA_NOT_SENT)
3301 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3302 SSL_EARLY_DATA_NOT_SENT))
3303 goto end;
3304
3305 /* Continue writing the message we started earlier */
3306 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3307 || !TEST_size_t_eq(written, strlen(MSG1))
3308 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3309 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3310 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3311 || !TEST_size_t_eq(written, strlen(MSG2)))
3312 goto end;
3313
3314 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3315 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3316 goto end;
3317
3318 testresult = 1;
3319
3320 end:
3321 SSL_SESSION_free(sess);
3322 SSL_SESSION_free(clientpsk);
3323 SSL_SESSION_free(serverpsk);
3324 clientpsk = serverpsk = NULL;
3325 SSL_free(serverssl);
3326 SSL_free(clientssl);
3327 SSL_CTX_free(sctx);
3328 SSL_CTX_free(cctx);
3329 return testresult;
3330 }
3331
3332 static const char *servalpn;
3333
3334 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3335 unsigned char *outlen, const unsigned char *in,
3336 unsigned int inlen, void *arg)
3337 {
3338 unsigned int protlen = 0;
3339 const unsigned char *prot;
3340
3341 for (prot = in; prot < in + inlen; prot += protlen) {
3342 protlen = *prot++;
3343 if (in + inlen < prot + protlen)
3344 return SSL_TLSEXT_ERR_NOACK;
3345
3346 if (protlen == strlen(servalpn)
3347 && memcmp(prot, servalpn, protlen) == 0) {
3348 *out = prot;
3349 *outlen = protlen;
3350 return SSL_TLSEXT_ERR_OK;
3351 }
3352 }
3353
3354 return SSL_TLSEXT_ERR_NOACK;
3355 }
3356
3357 /* Test that a PSK can be used to send early_data */
3358 static int test_early_data_psk(int idx)
3359 {
3360 SSL_CTX *cctx = NULL, *sctx = NULL;
3361 SSL *clientssl = NULL, *serverssl = NULL;
3362 int testresult = 0;
3363 SSL_SESSION *sess = NULL;
3364 unsigned char alpnlist[] = {
3365 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3366 'l', 'p', 'n'
3367 };
3368 #define GOODALPNLEN 9
3369 #define BADALPNLEN 8
3370 #define GOODALPN (alpnlist)
3371 #define BADALPN (alpnlist + GOODALPNLEN)
3372 int err = 0;
3373 unsigned char buf[20];
3374 size_t readbytes, written;
3375 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3376 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3377
3378 /* We always set this up with a final parameter of "2" for PSK */
3379 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3380 &serverssl, &sess, 2)))
3381 goto end;
3382
3383 servalpn = "goodalpn";
3384
3385 /*
3386 * Note: There is no test for inconsistent SNI with late client detection.
3387 * This is because servers do not acknowledge SNI even if they are using
3388 * it in a resumption handshake - so it is not actually possible for a
3389 * client to detect a problem.
3390 */
3391 switch (idx) {
3392 case 0:
3393 /* Set inconsistent SNI (early client detection) */
3394 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3395 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3396 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3397 goto end;
3398 break;
3399
3400 case 1:
3401 /* Set inconsistent ALPN (early client detection) */
3402 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3403 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3404 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3405 GOODALPNLEN))
3406 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3407 BADALPNLEN)))
3408 goto end;
3409 break;
3410
3411 case 2:
3412 /*
3413 * Set invalid protocol version. Technically this affects PSKs without
3414 * early_data too, but we test it here because it is similar to the
3415 * SNI/ALPN consistency tests.
3416 */
3417 err = SSL_R_BAD_PSK;
3418 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3419 goto end;
3420 break;
3421
3422 case 3:
3423 /*
3424 * Set inconsistent SNI (server side). In this case the connection
3425 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3426 * is associated with each handshake - not the session. Therefore it
3427 * should not matter that we used a different server name last time.
3428 */
3429 SSL_SESSION_free(serverpsk);
3430 serverpsk = SSL_SESSION_dup(clientpsk);
3431 if (!TEST_ptr(serverpsk)
3432 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3433 goto end;
3434 /* Fall through */
3435 case 4:
3436 /* Set consistent SNI */
3437 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3438 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3439 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3440 hostname_cb)))
3441 goto end;
3442 break;
3443
3444 case 5:
3445 /*
3446 * Set inconsistent ALPN (server detected). In this case the connection
3447 * will succeed but reject early_data.
3448 */
3449 servalpn = "badalpn";
3450 edstatus = SSL_EARLY_DATA_REJECTED;
3451 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3452 /* Fall through */
3453 case 6:
3454 /*
3455 * Set consistent ALPN.
3456 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3457 * accepts a list of protos (each one length prefixed).
3458 * SSL_set1_alpn_selected accepts a single protocol (not length
3459 * prefixed)
3460 */
3461 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3462 GOODALPNLEN - 1))
3463 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3464 GOODALPNLEN)))
3465 goto end;
3466
3467 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3468 break;
3469
3470 case 7:
3471 /* Set inconsistent ALPN (late client detection) */
3472 SSL_SESSION_free(serverpsk);
3473 serverpsk = SSL_SESSION_dup(clientpsk);
3474 if (!TEST_ptr(serverpsk)
3475 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3476 BADALPN + 1,
3477 BADALPNLEN - 1))
3478 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3479 GOODALPN + 1,
3480 GOODALPNLEN - 1))
3481 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3482 sizeof(alpnlist))))
3483 goto end;
3484 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3485 edstatus = SSL_EARLY_DATA_ACCEPTED;
3486 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3487 /* SSL_connect() call should fail */
3488 connectres = -1;
3489 break;
3490
3491 default:
3492 TEST_error("Bad test index");
3493 goto end;
3494 }
3495
3496 SSL_set_connect_state(clientssl);
3497 if (err != 0) {
3498 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3499 &written))
3500 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3501 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3502 goto end;
3503 } else {
3504 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3505 &written)))
3506 goto end;
3507
3508 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3509 &readbytes), readearlyres)
3510 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3511 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3513 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3514 goto end;
3515 }
3516
3517 testresult = 1;
3518
3519 end:
3520 SSL_SESSION_free(sess);
3521 SSL_SESSION_free(clientpsk);
3522 SSL_SESSION_free(serverpsk);
3523 clientpsk = serverpsk = NULL;
3524 SSL_free(serverssl);
3525 SSL_free(clientssl);
3526 SSL_CTX_free(sctx);
3527 SSL_CTX_free(cctx);
3528 return testresult;
3529 }
3530
3531 /*
3532 * Test that a server that doesn't try to read early data can handle a
3533 * client sending some.
3534 */
3535 static int test_early_data_not_expected(int idx)
3536 {
3537 SSL_CTX *cctx = NULL, *sctx = NULL;
3538 SSL *clientssl = NULL, *serverssl = NULL;
3539 int testresult = 0;
3540 SSL_SESSION *sess = NULL;
3541 unsigned char buf[20];
3542 size_t readbytes, written;
3543
3544 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3545 &serverssl, &sess, idx)))
3546 goto end;
3547
3548 /* Write some early data */
3549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3550 &written)))
3551 goto end;
3552
3553 /*
3554 * Server should skip over early data and then block waiting for client to
3555 * continue handshake
3556 */
3557 if (!TEST_int_le(SSL_accept(serverssl), 0)
3558 || !TEST_int_gt(SSL_connect(clientssl), 0)
3559 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3560 SSL_EARLY_DATA_REJECTED)
3561 || !TEST_int_gt(SSL_accept(serverssl), 0)
3562 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3563 SSL_EARLY_DATA_REJECTED))
3564 goto end;
3565
3566 /* Send some normal data from client to server */
3567 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3568 || !TEST_size_t_eq(written, strlen(MSG2)))
3569 goto end;
3570
3571 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3572 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3573 goto end;
3574
3575 testresult = 1;
3576
3577 end:
3578 SSL_SESSION_free(sess);
3579 SSL_SESSION_free(clientpsk);
3580 SSL_SESSION_free(serverpsk);
3581 clientpsk = serverpsk = NULL;
3582 SSL_free(serverssl);
3583 SSL_free(clientssl);
3584 SSL_CTX_free(sctx);
3585 SSL_CTX_free(cctx);
3586 return testresult;
3587 }
3588
3589
3590 # ifndef OPENSSL_NO_TLS1_2
3591 /*
3592 * Test that a server attempting to read early data can handle a connection
3593 * from a TLSv1.2 client.
3594 */
3595 static int test_early_data_tls1_2(int idx)
3596 {
3597 SSL_CTX *cctx = NULL, *sctx = NULL;
3598 SSL *clientssl = NULL, *serverssl = NULL;
3599 int testresult = 0;
3600 unsigned char buf[20];
3601 size_t readbytes, written;
3602
3603 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3604 &serverssl, NULL, idx)))
3605 goto end;
3606
3607 /* Write some data - should block due to handshake with server */
3608 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3609 SSL_set_connect_state(clientssl);
3610 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3611 goto end;
3612
3613 /*
3614 * Server should do TLSv1.2 handshake. First it will block waiting for more
3615 * messages from client after ServerDone. Then SSL_read_early_data should
3616 * finish and detect that early data has not been sent
3617 */
3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3619 &readbytes),
3620 SSL_READ_EARLY_DATA_ERROR))
3621 goto end;
3622
3623 /*
3624 * Continue writing the message we started earlier. Will still block waiting
3625 * for the CCS/Finished from server
3626 */
3627 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3628 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3629 &readbytes),
3630 SSL_READ_EARLY_DATA_FINISH)
3631 || !TEST_size_t_eq(readbytes, 0)
3632 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3633 SSL_EARLY_DATA_NOT_SENT))
3634 goto end;
3635
3636 /* Continue writing the message we started earlier */
3637 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3638 || !TEST_size_t_eq(written, strlen(MSG1))
3639 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3640 SSL_EARLY_DATA_NOT_SENT)
3641 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3643 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3644 || !TEST_size_t_eq(written, strlen(MSG2))
3645 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3646 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3647 goto end;
3648
3649 testresult = 1;
3650
3651 end:
3652 SSL_SESSION_free(clientpsk);
3653 SSL_SESSION_free(serverpsk);
3654 clientpsk = serverpsk = NULL;
3655 SSL_free(serverssl);
3656 SSL_free(clientssl);
3657 SSL_CTX_free(sctx);
3658 SSL_CTX_free(cctx);
3659
3660 return testresult;
3661 }
3662 # endif /* OPENSSL_NO_TLS1_2 */
3663
3664 /*
3665 * Test configuring the TLSv1.3 ciphersuites
3666 *
3667 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3668 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3669 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3670 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3671 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3672 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3673 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3674 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3675 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3676 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3677 */
3678 static int test_set_ciphersuite(int idx)
3679 {
3680 SSL_CTX *cctx = NULL, *sctx = NULL;
3681 SSL *clientssl = NULL, *serverssl = NULL;
3682 int testresult = 0;
3683
3684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3685 TLS_client_method(), TLS1_VERSION, 0,
3686 &sctx, &cctx, cert, privkey))
3687 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3688 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3689 goto end;
3690
3691 if (idx >=4 && idx <= 7) {
3692 /* SSL_CTX explicit cipher list */
3693 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3694 goto end;
3695 }
3696
3697 if (idx == 0 || idx == 4) {
3698 /* Default ciphersuite */
3699 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3700 "TLS_AES_128_GCM_SHA256")))
3701 goto end;
3702 } else if (idx == 1 || idx == 5) {
3703 /* Non default ciphersuite */
3704 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3705 "TLS_AES_128_CCM_SHA256")))
3706 goto end;
3707 }
3708
3709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3710 &clientssl, NULL, NULL)))
3711 goto end;
3712
3713 if (idx == 8 || idx == 9) {
3714 /* SSL explicit cipher list */
3715 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3716 goto end;
3717 }
3718
3719 if (idx == 2 || idx == 6 || idx == 8) {
3720 /* Default ciphersuite */
3721 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3722 "TLS_AES_128_GCM_SHA256")))
3723 goto end;
3724 } else if (idx == 3 || idx == 7 || idx == 9) {
3725 /* Non default ciphersuite */
3726 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3727 "TLS_AES_128_CCM_SHA256")))
3728 goto end;
3729 }
3730
3731 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3732 goto end;
3733
3734 testresult = 1;
3735
3736 end:
3737 SSL_free(serverssl);
3738 SSL_free(clientssl);
3739 SSL_CTX_free(sctx);
3740 SSL_CTX_free(cctx);
3741
3742 return testresult;
3743 }
3744
3745 static int test_ciphersuite_change(void)
3746 {
3747 SSL_CTX *cctx = NULL, *sctx = NULL;
3748 SSL *clientssl = NULL, *serverssl = NULL;
3749 SSL_SESSION *clntsess = NULL;
3750 int testresult = 0;
3751 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3752
3753 /* Create a session based on SHA-256 */
3754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3755 TLS_client_method(), TLS1_VERSION, 0,
3756 &sctx, &cctx, cert, privkey))
3757 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3758 "TLS_AES_128_GCM_SHA256:"
3759 "TLS_AES_256_GCM_SHA384:"
3760 "TLS_AES_128_CCM_SHA256"))
3761 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3762 "TLS_AES_128_GCM_SHA256"))
3763 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3764 &clientssl, NULL, NULL))
3765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3766 SSL_ERROR_NONE)))
3767 goto end;
3768
3769 clntsess = SSL_get1_session(clientssl);
3770 /* Save for later */
3771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3772 SSL_shutdown(clientssl);
3773 SSL_shutdown(serverssl);
3774 SSL_free(serverssl);
3775 SSL_free(clientssl);
3776 serverssl = clientssl = NULL;
3777
3778 /* Check we can resume a session with a different SHA-256 ciphersuite */
3779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3780 "TLS_AES_128_CCM_SHA256"))
3781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3782 &clientssl, NULL, NULL))
3783 || !TEST_true(SSL_set_session(clientssl, clntsess))
3784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3785 SSL_ERROR_NONE))
3786 || !TEST_true(SSL_session_reused(clientssl)))
3787 goto end;
3788
3789 SSL_SESSION_free(clntsess);
3790 clntsess = SSL_get1_session(clientssl);
3791 SSL_shutdown(clientssl);
3792 SSL_shutdown(serverssl);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3795 serverssl = clientssl = NULL;
3796
3797 /*
3798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3799 * succeeds but does not resume.
3800 */
3801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3803 NULL, NULL))
3804 || !TEST_true(SSL_set_session(clientssl, clntsess))
3805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3806 SSL_ERROR_SSL))
3807 || !TEST_false(SSL_session_reused(clientssl)))
3808 goto end;
3809
3810 SSL_SESSION_free(clntsess);
3811 clntsess = NULL;
3812 SSL_shutdown(clientssl);
3813 SSL_shutdown(serverssl);
3814 SSL_free(serverssl);
3815 SSL_free(clientssl);
3816 serverssl = clientssl = NULL;
3817
3818 /* Create a session based on SHA384 */
3819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3821 &clientssl, NULL, NULL))
3822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3823 SSL_ERROR_NONE)))
3824 goto end;
3825
3826 clntsess = SSL_get1_session(clientssl);
3827 SSL_shutdown(clientssl);
3828 SSL_shutdown(serverssl);
3829 SSL_free(serverssl);
3830 SSL_free(clientssl);
3831 serverssl = clientssl = NULL;
3832
3833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3836 "TLS_AES_256_GCM_SHA384"))
3837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3838 NULL, NULL))
3839 || !TEST_true(SSL_set_session(clientssl, clntsess))
3840 /*
3841 * We use SSL_ERROR_WANT_READ below so that we can pause the
3842 * connection after the initial ClientHello has been sent to
3843 * enable us to make some session changes.
3844 */
3845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3846 SSL_ERROR_WANT_READ)))
3847 goto end;
3848
3849 /* Trick the client into thinking this session is for a different digest */
3850 clntsess->cipher = aes_128_gcm_sha256;
3851 clntsess->cipher_id = clntsess->cipher->id;
3852
3853 /*
3854 * Continue the previously started connection. Server has selected a SHA-384
3855 * ciphersuite, but client thinks the session is for SHA-256, so it should
3856 * bail out.
3857 */
3858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3859 SSL_ERROR_SSL))
3860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3862 goto end;
3863
3864 testresult = 1;
3865
3866 end:
3867 SSL_SESSION_free(clntsess);
3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3870 SSL_CTX_free(sctx);
3871 SSL_CTX_free(cctx);
3872
3873 return testresult;
3874 }
3875
3876 /*
3877 * Test TLSv1.3 Key exchange
3878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
3892 */
3893 static int test_key_exchange(int idx)
3894 {
3895 SSL_CTX *sctx = NULL, *cctx = NULL;
3896 SSL *serverssl = NULL, *clientssl = NULL;
3897 int testresult = 0;
3898 # ifndef OPENSSL_NO_EC
3899 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3900 NID_secp521r1, NID_X25519, NID_X448};
3901 # endif
3902 # ifndef OPENSSL_NO_DH
3903 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3904 NID_ffdhe6144, NID_ffdhe8192};
3905 # endif
3906 int kexch_alg;
3907 int *kexch_groups = &kexch_alg;
3908 int kexch_groups_size = 1;
3909 int max_version = TLS1_3_VERSION;
3910
3911 switch (idx) {
3912 # ifndef OPENSSL_NO_EC
3913 # ifndef OPENSSL_NO_TLS1_2
3914 case 12:
3915 max_version = TLS1_2_VERSION;
3916 # endif
3917 /* Fall through */
3918 case 0:
3919 kexch_groups = ecdhe_kexch_groups;
3920 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3921 break;
3922 case 1:
3923 kexch_alg = NID_X9_62_prime256v1;
3924 break;
3925 case 2:
3926 kexch_alg = NID_secp384r1;
3927 break;
3928 case 3:
3929 kexch_alg = NID_secp521r1;
3930 break;
3931 case 4:
3932 kexch_alg = NID_X25519;
3933 break;
3934 case 5:
3935 kexch_alg = NID_X448;
3936 break;
3937 # endif
3938 # ifndef OPENSSL_NO_DH
3939 # ifndef OPENSSL_NO_TLS1_2
3940 case 13:
3941 max_version = TLS1_2_VERSION;
3942 # endif
3943 /* Fall through */
3944 case 6:
3945 kexch_groups = ffdhe_kexch_groups;
3946 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3947 break;
3948 case 7:
3949 kexch_alg = NID_ffdhe2048;
3950 break;
3951 case 8:
3952 kexch_alg = NID_ffdhe3072;
3953 break;
3954 case 9:
3955 kexch_alg = NID_ffdhe4096;
3956 break;
3957 case 10:
3958 kexch_alg = NID_ffdhe6144;
3959 break;
3960 case 11:
3961 kexch_alg = NID_ffdhe8192;
3962 break;
3963 # endif
3964 default:
3965 /* We're skipping this test */
3966 return 1;
3967 }
3968
3969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3970 TLS_client_method(), TLS1_VERSION,
3971 max_version, &sctx, &cctx, cert,
3972 privkey)))
3973 goto end;
3974
3975 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3976 TLS1_3_RFC_AES_128_GCM_SHA256)))
3977 goto end;
3978
3979 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3980 TLS1_3_RFC_AES_128_GCM_SHA256)))
3981 goto end;
3982
3983 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3984 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3985 goto end;
3986
3987 /*
3988 * Must include an EC ciphersuite so that we send supported groups in
3989 * TLSv1.2
3990 */
3991 # ifndef OPENSSL_NO_TLS1_2
3992 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3993 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3994 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3995 goto end;
3996 # endif
3997
3998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3999 NULL, NULL)))
4000 goto end;
4001
4002 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4003 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4004 goto end;
4005
4006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4007 goto end;
4008
4009 /*
4010 * If Handshake succeeds the negotiated kexch alg should be the first one in
4011 * configured, except in the case of FFDHE groups (idx 13), which are
4012 * TLSv1.3 only so we expect no shared group to exist.
4013 */
4014 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4015 idx == 13 ? 0 : kexch_groups[0]))
4016 goto end;
4017 if (max_version == TLS1_3_VERSION) {
4018 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4019 goto end;
4020 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4021 goto end;
4022 }
4023
4024 testresult = 1;
4025 end:
4026 SSL_free(serverssl);
4027 SSL_free(clientssl);
4028 SSL_CTX_free(sctx);
4029 SSL_CTX_free(cctx);
4030 return testresult;
4031 }
4032
4033 /*
4034 * Test TLSv1.3 Cipher Suite
4035 * Test 0 = Set TLS1.3 cipher on context
4036 * Test 1 = Set TLS1.3 cipher on SSL
4037 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4038 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4039 */
4040 static int test_tls13_ciphersuite(int idx)
4041 {
4042 SSL_CTX *sctx = NULL, *cctx = NULL;
4043 SSL *serverssl = NULL, *clientssl = NULL;
4044 static const struct {
4045 const char *ciphername;
4046 int fipscapable;
4047 } t13_ciphers[] = {
4048 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4049 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4050 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4051 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4052 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4053 { TLS1_3_RFC_AES_256_GCM_SHA384
4054 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4055 # endif
4056 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4057 };
4058 const char *t13_cipher = NULL;
4059 const char *t12_cipher = NULL;
4060 const char *negotiated_scipher;
4061 const char *negotiated_ccipher;
4062 int set_at_ctx = 0;
4063 int set_at_ssl = 0;
4064 int testresult = 0;
4065 int max_ver;
4066 size_t i;
4067
4068 switch (idx) {
4069 case 0:
4070 set_at_ctx = 1;
4071 break;
4072 case 1:
4073 set_at_ssl = 1;
4074 break;
4075 case 2:
4076 set_at_ctx = 1;
4077 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4078 break;
4079 case 3:
4080 set_at_ssl = 1;
4081 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4082 break;
4083 }
4084
4085 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4086 # ifdef OPENSSL_NO_TLS1_2
4087 if (max_ver == TLS1_2_VERSION)
4088 continue;
4089 # endif
4090 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4091 if (is_fips && !t13_ciphers[i].fipscapable)
4092 continue;
4093 t13_cipher = t13_ciphers[i].ciphername;
4094 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4095 TLS_client_method(),
4096 TLS1_VERSION, max_ver,
4097 &sctx, &cctx, cert, privkey)))
4098 goto end;
4099
4100 if (set_at_ctx) {
4101 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4102 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4103 goto end;
4104 if (t12_cipher != NULL) {
4105 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4106 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4107 t12_cipher)))
4108 goto end;
4109 }
4110 }
4111
4112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4113 &clientssl, NULL, NULL)))
4114 goto end;
4115
4116 if (set_at_ssl) {
4117 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4118 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4119 goto end;
4120 if (t12_cipher != NULL) {
4121 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4122 || !TEST_true(SSL_set_cipher_list(clientssl,
4123 t12_cipher)))
4124 goto end;
4125 }
4126 }
4127
4128 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4129 SSL_ERROR_NONE)))
4130 goto end;
4131
4132 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4133 serverssl));
4134 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4135 clientssl));
4136 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4137 goto end;
4138
4139 /*
4140 * TEST_strn_eq is used below because t13_cipher can contain
4141 * multiple ciphersuites
4142 */
4143 if (max_ver == TLS1_3_VERSION
4144 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4145 strlen(negotiated_scipher)))
4146 goto end;
4147
4148 # ifndef OPENSSL_NO_TLS1_2
4149 /* Below validation is not done when t12_cipher is NULL */
4150 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4151 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4152 goto end;
4153 # endif
4154
4155 SSL_free(serverssl);
4156 serverssl = NULL;
4157 SSL_free(clientssl);
4158 clientssl = NULL;
4159 SSL_CTX_free(sctx);
4160 sctx = NULL;
4161 SSL_CTX_free(cctx);
4162 cctx = NULL;
4163 }
4164 }
4165
4166 testresult = 1;
4167 end:
4168 SSL_free(serverssl);
4169 SSL_free(clientssl);
4170 SSL_CTX_free(sctx);
4171 SSL_CTX_free(cctx);
4172 return testresult;
4173 }
4174
4175 /*
4176 * Test TLSv1.3 PSKs
4177 * Test 0 = Test new style callbacks
4178 * Test 1 = Test both new and old style callbacks
4179 * Test 2 = Test old style callbacks
4180 * Test 3 = Test old style callbacks with no certificate
4181 */
4182 static int test_tls13_psk(int idx)
4183 {
4184 SSL_CTX *sctx = NULL, *cctx = NULL;
4185 SSL *serverssl = NULL, *clientssl = NULL;
4186 const SSL_CIPHER *cipher = NULL;
4187 const unsigned char key[] = {
4188 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4189 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4190 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4191 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4192 };
4193 int testresult = 0;
4194
4195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4196 TLS_client_method(), TLS1_VERSION, 0,
4197 &sctx, &cctx, idx == 3 ? NULL : cert,
4198 idx == 3 ? NULL : privkey)))
4199 goto end;
4200
4201 if (idx != 3) {
4202 /*
4203 * We use a ciphersuite with SHA256 to ease testing old style PSK
4204 * callbacks which will always default to SHA256. This should not be
4205 * necessary if we have no cert/priv key. In that case the server should
4206 * prefer SHA256 automatically.
4207 */
4208 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4209 "TLS_AES_128_GCM_SHA256")))
4210 goto end;
4211 } else {
4212 /*
4213 * As noted above the server should prefer SHA256 automatically. However
4214 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4215 * code works even if we are testing with only the FIPS provider loaded.
4216 */
4217 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4218 "TLS_AES_256_GCM_SHA384:"
4219 "TLS_AES_128_GCM_SHA256")))
4220 goto end;
4221 }
4222
4223 /*
4224 * Test 0: New style callbacks only
4225 * Test 1: New and old style callbacks (only the new ones should be used)
4226 * Test 2: Old style callbacks only
4227 */
4228 if (idx == 0 || idx == 1) {
4229 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4230 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4231 }
4232 #ifndef OPENSSL_NO_PSK
4233 if (idx >= 1) {
4234 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4235 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4236 }
4237 #endif
4238 srvid = pskid;
4239 use_session_cb_cnt = 0;
4240 find_session_cb_cnt = 0;
4241 psk_client_cb_cnt = 0;
4242 psk_server_cb_cnt = 0;
4243
4244 if (idx != 3) {
4245 /*
4246 * Check we can create a connection if callback decides not to send a
4247 * PSK
4248 */
4249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4250 NULL, NULL))
4251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4252 SSL_ERROR_NONE))
4253 || !TEST_false(SSL_session_reused(clientssl))
4254 || !TEST_false(SSL_session_reused(serverssl)))
4255 goto end;
4256
4257 if (idx == 0 || idx == 1) {
4258 if (!TEST_true(use_session_cb_cnt == 1)
4259 || !TEST_true(find_session_cb_cnt == 0)
4260 /*
4261 * If no old style callback then below should be 0
4262 * otherwise 1
4263 */
4264 || !TEST_true(psk_client_cb_cnt == idx)
4265 || !TEST_true(psk_server_cb_cnt == 0))
4266 goto end;
4267 } else {
4268 if (!TEST_true(use_session_cb_cnt == 0)
4269 || !TEST_true(find_session_cb_cnt == 0)
4270 || !TEST_true(psk_client_cb_cnt == 1)
4271 || !TEST_true(psk_server_cb_cnt == 0))
4272 goto end;
4273 }
4274
4275 shutdown_ssl_connection(serverssl, clientssl);
4276 serverssl = clientssl = NULL;
4277 use_session_cb_cnt = psk_client_cb_cnt = 0;
4278 }
4279
4280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4281 NULL, NULL)))
4282 goto end;
4283
4284 /* Create the PSK */
4285 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4286 clientpsk = SSL_SESSION_new();
4287 if (!TEST_ptr(clientpsk)
4288 || !TEST_ptr(cipher)
4289 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4290 sizeof(key)))
4291 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4292 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4293 TLS1_3_VERSION))
4294 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4295 goto end;
4296 serverpsk = clientpsk;
4297
4298 /* Check we can create a connection and the PSK is used */
4299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4300 || !TEST_true(SSL_session_reused(clientssl))
4301 || !TEST_true(SSL_session_reused(serverssl)))
4302 goto end;
4303
4304 if (idx == 0 || idx == 1) {
4305 if (!TEST_true(use_session_cb_cnt == 1)
4306 || !TEST_true(find_session_cb_cnt == 1)
4307 || !TEST_true(psk_client_cb_cnt == 0)
4308 || !TEST_true(psk_server_cb_cnt == 0))
4309 goto end;
4310 } else {
4311 if (!TEST_true(use_session_cb_cnt == 0)
4312 || !TEST_true(find_session_cb_cnt == 0)
4313 || !TEST_true(psk_client_cb_cnt == 1)
4314 || !TEST_true(psk_server_cb_cnt == 1))
4315 goto end;
4316 }
4317
4318 shutdown_ssl_connection(serverssl, clientssl);
4319 serverssl = clientssl = NULL;
4320 use_session_cb_cnt = find_session_cb_cnt = 0;
4321 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4322
4323 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4324 NULL, NULL)))
4325 goto end;
4326
4327 /* Force an HRR */
4328 #if defined(OPENSSL_NO_EC)
4329 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4330 goto end;
4331 #else
4332 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4333 goto end;
4334 #endif
4335
4336 /*
4337 * Check we can create a connection, the PSK is used and the callbacks are
4338 * called twice.
4339 */
4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4341 || !TEST_true(SSL_session_reused(clientssl))
4342 || !TEST_true(SSL_session_reused(serverssl)))
4343 goto end;
4344
4345 if (idx == 0 || idx == 1) {
4346 if (!TEST_true(use_session_cb_cnt == 2)
4347 || !TEST_true(find_session_cb_cnt == 2)
4348 || !TEST_true(psk_client_cb_cnt == 0)
4349 || !TEST_true(psk_server_cb_cnt == 0))
4350 goto end;
4351 } else {
4352 if (!TEST_true(use_session_cb_cnt == 0)
4353 || !TEST_true(find_session_cb_cnt == 0)
4354 || !TEST_true(psk_client_cb_cnt == 2)
4355 || !TEST_true(psk_server_cb_cnt == 2))
4356 goto end;
4357 }
4358
4359 shutdown_ssl_connection(serverssl, clientssl);
4360 serverssl = clientssl = NULL;
4361 use_session_cb_cnt = find_session_cb_cnt = 0;
4362 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4363
4364 if (idx != 3) {
4365 /*
4366 * Check that if the server rejects the PSK we can still connect, but with
4367 * a full handshake
4368 */
4369 srvid = "Dummy Identity";
4370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4371 NULL, NULL))
4372 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4373 SSL_ERROR_NONE))
4374 || !TEST_false(SSL_session_reused(clientssl))
4375 || !TEST_false(SSL_session_reused(serverssl)))
4376 goto end;
4377
4378 if (idx == 0 || idx == 1) {
4379 if (!TEST_true(use_session_cb_cnt == 1)
4380 || !TEST_true(find_session_cb_cnt == 1)
4381 || !TEST_true(psk_client_cb_cnt == 0)
4382 /*
4383 * If no old style callback then below should be 0
4384 * otherwise 1
4385 */
4386 || !TEST_true(psk_server_cb_cnt == idx))
4387 goto end;
4388 } else {
4389 if (!TEST_true(use_session_cb_cnt == 0)
4390 || !TEST_true(find_session_cb_cnt == 0)
4391 || !TEST_true(psk_client_cb_cnt == 1)
4392 || !TEST_true(psk_server_cb_cnt == 1))
4393 goto end;
4394 }
4395
4396 shutdown_ssl_connection(serverssl, clientssl);
4397 serverssl = clientssl = NULL;
4398 }
4399 testresult = 1;
4400
4401 end:
4402 SSL_SESSION_free(clientpsk);
4403 SSL_SESSION_free(serverpsk);
4404 clientpsk = serverpsk = NULL;
4405 SSL_free(serverssl);
4406 SSL_free(clientssl);
4407 SSL_CTX_free(sctx);
4408 SSL_CTX_free(cctx);
4409 return testresult;
4410 }
4411
4412 static unsigned char cookie_magic_value[] = "cookie magic";
4413
4414 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4415 unsigned int *cookie_len)
4416 {
4417 /*
4418 * Not suitable as a real cookie generation function but good enough for
4419 * testing!
4420 */
4421 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4422 *cookie_len = sizeof(cookie_magic_value) - 1;
4423
4424 return 1;
4425 }
4426
4427 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4428 unsigned int cookie_len)
4429 {
4430 if (cookie_len == sizeof(cookie_magic_value) - 1
4431 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4432 return 1;
4433
4434 return 0;
4435 }
4436
4437 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4438 size_t *cookie_len)
4439 {
4440 unsigned int temp;
4441 int res = generate_cookie_callback(ssl, cookie, &temp);
4442 *cookie_len = temp;
4443 return res;
4444 }
4445
4446 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4447 size_t cookie_len)
4448 {
4449 return verify_cookie_callback(ssl, cookie, cookie_len);
4450 }
4451
4452 static int test_stateless(void)
4453 {
4454 SSL_CTX *sctx = NULL, *cctx = NULL;
4455 SSL *serverssl = NULL, *clientssl = NULL;
4456 int testresult = 0;
4457
4458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4459 TLS_client_method(), TLS1_VERSION, 0,
4460 &sctx, &cctx, cert, privkey)))
4461 goto end;
4462
4463 /* The arrival of CCS messages can confuse the test */
4464 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4465
4466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4467 NULL, NULL))
4468 /* Send the first ClientHello */
4469 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4470 SSL_ERROR_WANT_READ))
4471 /*
4472 * This should fail with a -1 return because we have no callbacks
4473 * set up
4474 */
4475 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4476 goto end;
4477
4478 /* Fatal error so abandon the connection from this client */
4479 SSL_free(clientssl);
4480 clientssl = NULL;
4481
4482 /* Set up the cookie generation and verification callbacks */
4483 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4484 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4485
4486 /*
4487 * Create a new connection from the client (we can reuse the server SSL
4488 * object).
4489 */
4490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4491 NULL, NULL))
4492 /* Send the first ClientHello */
4493 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4494 SSL_ERROR_WANT_READ))
4495 /* This should fail because there is no cookie */
4496 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4497 goto end;
4498
4499 /* Abandon the connection from this client */
4500 SSL_free(clientssl);
4501 clientssl = NULL;
4502
4503 /*
4504 * Now create a connection from a new client but with the same server SSL
4505 * object
4506 */
4507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4508 NULL, NULL))
4509 /* Send the first ClientHello */
4510 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4511 SSL_ERROR_WANT_READ))
4512 /* This should fail because there is no cookie */
4513 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4514 /* Send the second ClientHello */
4515 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4516 SSL_ERROR_WANT_READ))
4517 /* This should succeed because a cookie is now present */
4518 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4519 /* Complete the connection */
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4521 SSL_ERROR_NONE)))
4522 goto end;
4523
4524 shutdown_ssl_connection(serverssl, clientssl);
4525 serverssl = clientssl = NULL;
4526 testresult = 1;
4527
4528 end:
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4531 SSL_CTX_free(sctx);
4532 SSL_CTX_free(cctx);
4533 return testresult;
4534
4535 }
4536 #endif /* OPENSSL_NO_TLS1_3 */
4537
4538 static int clntaddoldcb = 0;
4539 static int clntparseoldcb = 0;
4540 static int srvaddoldcb = 0;
4541 static int srvparseoldcb = 0;
4542 static int clntaddnewcb = 0;
4543 static int clntparsenewcb = 0;
4544 static int srvaddnewcb = 0;
4545 static int srvparsenewcb = 0;
4546 static int snicb = 0;
4547
4548 #define TEST_EXT_TYPE1 0xff00
4549
4550 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4551 size_t *outlen, int *al, void *add_arg)
4552 {
4553 int *server = (int *)add_arg;
4554 unsigned char *data;
4555
4556 if (SSL_is_server(s))
4557 srvaddoldcb++;
4558 else
4559 clntaddoldcb++;
4560
4561 if (*server != SSL_is_server(s)
4562 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4563 return -1;
4564
4565 *data = 1;
4566 *out = data;
4567 *outlen = sizeof(char);
4568 return 1;
4569 }
4570
4571 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4572 void *add_arg)
4573 {
4574 OPENSSL_free((unsigned char *)out);
4575 }
4576
4577 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4578 size_t inlen, int *al, void *parse_arg)
4579 {
4580 int *server = (int *)parse_arg;
4581
4582 if (SSL_is_server(s))
4583 srvparseoldcb++;
4584 else
4585 clntparseoldcb++;
4586
4587 if (*server != SSL_is_server(s)
4588 || inlen != sizeof(char)
4589 || *in != 1)
4590 return -1;
4591
4592 return 1;
4593 }
4594
4595 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4596 const unsigned char **out, size_t *outlen, X509 *x,
4597 size_t chainidx, int *al, void *add_arg)
4598 {
4599 int *server = (int *)add_arg;
4600 unsigned char *data;
4601
4602 if (SSL_is_server(s))
4603 srvaddnewcb++;
4604 else
4605 clntaddnewcb++;
4606
4607 if (*server != SSL_is_server(s)
4608 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4609 return -1;
4610
4611 *data = 1;
4612 *out = data;
4613 *outlen = sizeof(*data);
4614 return 1;
4615 }
4616
4617 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4618 const unsigned char *out, void *add_arg)
4619 {
4620 OPENSSL_free((unsigned char *)out);
4621 }
4622
4623 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4624 const unsigned char *in, size_t inlen, X509 *x,
4625 size_t chainidx, int *al, void *parse_arg)
4626 {
4627 int *server = (int *)parse_arg;
4628
4629 if (SSL_is_server(s))
4630 srvparsenewcb++;
4631 else
4632 clntparsenewcb++;
4633
4634 if (*server != SSL_is_server(s)
4635 || inlen != sizeof(char) || *in != 1)
4636 return -1;
4637
4638 return 1;
4639 }
4640
4641 static int sni_cb(SSL *s, int *al, void *arg)
4642 {
4643 SSL_CTX *ctx = (SSL_CTX *)arg;
4644
4645 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4646 *al = SSL_AD_INTERNAL_ERROR;
4647 return SSL_TLSEXT_ERR_ALERT_FATAL;
4648 }
4649 snicb++;
4650 return SSL_TLSEXT_ERR_OK;
4651 }
4652
4653 /*
4654 * Custom call back tests.
4655 * Test 0: Old style callbacks in TLSv1.2
4656 * Test 1: New style callbacks in TLSv1.2
4657 * Test 2: New style callbacks in TLSv1.2 with SNI
4658 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4659 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4660 */
4661 static int test_custom_exts(int tst)
4662 {
4663 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4664 SSL *clientssl = NULL, *serverssl = NULL;
4665 int testresult = 0;
4666 static int server = 1;
4667 static int client = 0;
4668 SSL_SESSION *sess = NULL;
4669 unsigned int context;
4670
4671 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4672 /* Skip tests for TLSv1.2 and below in this case */
4673 if (tst < 3)
4674 return 1;
4675 #endif
4676
4677 /* Reset callback counters */
4678 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4679 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4680 snicb = 0;
4681
4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
4684 &sctx, &cctx, cert, privkey)))
4685 goto end;
4686
4687 if (tst == 2
4688 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
4689 TLS1_VERSION, 0,
4690 &sctx2, NULL, cert, privkey)))
4691 goto end;
4692
4693
4694 if (tst < 3) {
4695 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4696 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4697 if (sctx2 != NULL)
4698 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4699 }
4700
4701 if (tst == 4) {
4702 context = SSL_EXT_CLIENT_HELLO
4703 | SSL_EXT_TLS1_2_SERVER_HELLO
4704 | SSL_EXT_TLS1_3_SERVER_HELLO
4705 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4706 | SSL_EXT_TLS1_3_CERTIFICATE
4707 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4708 } else {
4709 context = SSL_EXT_CLIENT_HELLO
4710 | SSL_EXT_TLS1_2_SERVER_HELLO
4711 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4712 }
4713
4714 /* Create a client side custom extension */
4715 if (tst == 0) {
4716 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4717 old_add_cb, old_free_cb,
4718 &client, old_parse_cb,
4719 &client)))
4720 goto end;
4721 } else {
4722 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4723 new_add_cb, new_free_cb,
4724 &client, new_parse_cb, &client)))
4725 goto end;
4726 }
4727
4728 /* Should not be able to add duplicates */
4729 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4730 old_add_cb, old_free_cb,
4731 &client, old_parse_cb,
4732 &client))
4733 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4734 context, new_add_cb,
4735 new_free_cb, &client,
4736 new_parse_cb, &client)))
4737 goto end;
4738
4739 /* Create a server side custom extension */
4740 if (tst == 0) {
4741 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4742 old_add_cb, old_free_cb,
4743 &server, old_parse_cb,
4744 &server)))
4745 goto end;
4746 } else {
4747 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4748 new_add_cb, new_free_cb,
4749 &server, new_parse_cb, &server)))
4750 goto end;
4751 if (sctx2 != NULL
4752 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4753 context, new_add_cb,
4754 new_free_cb, &server,
4755 new_parse_cb, &server)))
4756 goto end;
4757 }
4758
4759 /* Should not be able to add duplicates */
4760 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4761 old_add_cb, old_free_cb,
4762 &server, old_parse_cb,
4763 &server))
4764 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4765 context, new_add_cb,
4766 new_free_cb, &server,
4767 new_parse_cb, &server)))
4768 goto end;
4769
4770 if (tst == 2) {
4771 /* Set up SNI */
4772 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4773 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4774 goto end;
4775 }
4776
4777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4778 &clientssl, NULL, NULL))
4779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4780 SSL_ERROR_NONE)))
4781 goto end;
4782
4783 if (tst == 0) {
4784 if (clntaddoldcb != 1
4785 || clntparseoldcb != 1
4786 || srvaddoldcb != 1
4787 || srvparseoldcb != 1)
4788 goto end;
4789 } else if (tst == 1 || tst == 2 || tst == 3) {
4790 if (clntaddnewcb != 1
4791 || clntparsenewcb != 1
4792 || srvaddnewcb != 1
4793 || srvparsenewcb != 1
4794 || (tst != 2 && snicb != 0)
4795 || (tst == 2 && snicb != 1))
4796 goto end;
4797 } else {
4798 /* In this case there 2 NewSessionTicket messages created */
4799 if (clntaddnewcb != 1
4800 || clntparsenewcb != 5
4801 || srvaddnewcb != 5
4802 || srvparsenewcb != 1)
4803 goto end;
4804 }
4805
4806 sess = SSL_get1_session(clientssl);
4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
4809 SSL_free(serverssl);
4810 SSL_free(clientssl);
4811 serverssl = clientssl = NULL;
4812
4813 if (tst == 3) {
4814 /* We don't bother with the resumption aspects for this test */
4815 testresult = 1;
4816 goto end;
4817 }
4818
4819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4820 NULL, NULL))
4821 || !TEST_true(SSL_set_session(clientssl, sess))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4823 SSL_ERROR_NONE)))
4824 goto end;
4825
4826 /*
4827 * For a resumed session we expect to add the ClientHello extension. For the
4828 * old style callbacks we ignore it on the server side because they set
4829 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4830 * them.
4831 */
4832 if (tst == 0) {
4833 if (clntaddoldcb != 2
4834 || clntparseoldcb != 1
4835 || srvaddoldcb != 1
4836 || srvparseoldcb != 1)
4837 goto end;
4838 } else if (tst == 1 || tst == 2 || tst == 3) {
4839 if (clntaddnewcb != 2
4840 || clntparsenewcb != 2
4841 || srvaddnewcb != 2
4842 || srvparsenewcb != 2)
4843 goto end;
4844 } else {
4845 /*
4846 * No Certificate message extensions in the resumption handshake,
4847 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4848 */
4849 if (clntaddnewcb != 2
4850 || clntparsenewcb != 8
4851 || srvaddnewcb != 8
4852 || srvparsenewcb != 2)
4853 goto end;
4854 }
4855
4856 testresult = 1;
4857
4858 end:
4859 SSL_SESSION_free(sess);
4860 SSL_free(serverssl);
4861 SSL_free(clientssl);
4862 SSL_CTX_free(sctx2);
4863 SSL_CTX_free(sctx);
4864 SSL_CTX_free(cctx);
4865 return testresult;
4866 }
4867
4868 /*
4869 * Test loading of serverinfo data in various formats. test_sslmessages actually
4870 * tests to make sure the extensions appear in the handshake
4871 */
4872 static int test_serverinfo(int tst)
4873 {
4874 unsigned int version;
4875 unsigned char *sibuf;
4876 size_t sibuflen;
4877 int ret, expected, testresult = 0;
4878 SSL_CTX *ctx;
4879
4880 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
4881 if (!TEST_ptr(ctx))
4882 goto end;
4883
4884 if ((tst & 0x01) == 0x01)
4885 version = SSL_SERVERINFOV2;
4886 else
4887 version = SSL_SERVERINFOV1;
4888
4889 if ((tst & 0x02) == 0x02) {
4890 sibuf = serverinfov2;
4891 sibuflen = sizeof(serverinfov2);
4892 expected = (version == SSL_SERVERINFOV2);
4893 } else {
4894 sibuf = serverinfov1;
4895 sibuflen = sizeof(serverinfov1);
4896 expected = (version == SSL_SERVERINFOV1);
4897 }
4898
4899 if ((tst & 0x04) == 0x04) {
4900 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4901 } else {
4902 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4903
4904 /*
4905 * The version variable is irrelevant in this case - it's what is in the
4906 * buffer that matters
4907 */
4908 if ((tst & 0x02) == 0x02)
4909 expected = 0;
4910 else
4911 expected = 1;
4912 }
4913
4914 if (!TEST_true(ret == expected))
4915 goto end;
4916
4917 testresult = 1;
4918
4919 end:
4920 SSL_CTX_free(ctx);
4921
4922 return testresult;
4923 }
4924
4925 /*
4926 * Test that SSL_export_keying_material() produces expected results. There are
4927 * no test vectors so all we do is test that both sides of the communication
4928 * produce the same results for different protocol versions.
4929 */
4930 #define SMALL_LABEL_LEN 10
4931 #define LONG_LABEL_LEN 249
4932 static int test_export_key_mat(int tst)
4933 {
4934 int testresult = 0;
4935 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4936 SSL *clientssl = NULL, *serverssl = NULL;
4937 const char label[LONG_LABEL_LEN + 1] = "test label";
4938 const unsigned char context[] = "context";
4939 const unsigned char *emptycontext = NULL;
4940 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4941 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4942 size_t labellen;
4943 const int protocols[] = {
4944 TLS1_VERSION,
4945 TLS1_1_VERSION,
4946 TLS1_2_VERSION,
4947 TLS1_3_VERSION,
4948 TLS1_3_VERSION,
4949 TLS1_3_VERSION
4950 };
4951
4952 #ifdef OPENSSL_NO_TLS1
4953 if (tst == 0)
4954 return 1;
4955 #endif
4956 #ifdef OPENSSL_NO_TLS1_1
4957 if (tst == 1)
4958 return 1;
4959 #endif
4960 if (is_fips && (tst == 0 || tst == 1))
4961 return 1;
4962 #ifdef OPENSSL_NO_TLS1_2
4963 if (tst == 2)
4964 return 1;
4965 #endif
4966 #ifdef OPENSSL_NO_TLS1_3
4967 if (tst >= 3)
4968 return 1;
4969 #endif
4970 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4971 TLS_client_method(), TLS1_VERSION, 0,
4972 &sctx, &cctx, cert, privkey)))
4973 goto end;
4974
4975 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4976 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4977 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4978
4979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4980 NULL))
4981 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4982 SSL_ERROR_NONE)))
4983 goto end;
4984
4985 if (tst == 5) {
4986 /*
4987 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4988 * go over that.
4989 */
4990 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4991 sizeof(ckeymat1), label,
4992 LONG_LABEL_LEN + 1, context,
4993 sizeof(context) - 1, 1), 0))
4994 goto end;
4995
4996 testresult = 1;
4997 goto end;
4998 } else if (tst == 4) {
4999 labellen = LONG_LABEL_LEN;
5000 } else {
5001 labellen = SMALL_LABEL_LEN;
5002 }
5003
5004 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5005 sizeof(ckeymat1), label,
5006 labellen, context,
5007 sizeof(context) - 1, 1), 1)
5008 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5009 sizeof(ckeymat2), label,
5010 labellen,
5011 emptycontext,
5012 0, 1), 1)
5013 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5014 sizeof(ckeymat3), label,
5015 labellen,
5016 NULL, 0, 0), 1)
5017 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5018 sizeof(skeymat1), label,
5019 labellen,
5020 context,
5021 sizeof(context) -1, 1),
5022 1)
5023 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5024 sizeof(skeymat2), label,
5025 labellen,
5026 emptycontext,
5027 0, 1), 1)
5028 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5029 sizeof(skeymat3), label,
5030 labellen,
5031 NULL, 0, 0), 1)
5032 /*
5033 * Check that both sides created the same key material with the
5034 * same context.
5035 */
5036 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5037 sizeof(skeymat1))
5038 /*
5039 * Check that both sides created the same key material with an
5040 * empty context.
5041 */
5042 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5043 sizeof(skeymat2))
5044 /*
5045 * Check that both sides created the same key material without a
5046 * context.
5047 */
5048 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5049 sizeof(skeymat3))
5050 /* Different contexts should produce different results */
5051 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5052 sizeof(ckeymat2)))
5053 goto end;
5054
5055 /*
5056 * Check that an empty context and no context produce different results in
5057 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5058 */
5059 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5060 sizeof(ckeymat3)))
5061 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5062 sizeof(ckeymat3))))
5063 goto end;
5064
5065 testresult = 1;
5066
5067 end:
5068 SSL_free(serverssl);
5069 SSL_free(clientssl);
5070 SSL_CTX_free(sctx2);
5071 SSL_CTX_free(sctx);
5072 SSL_CTX_free(cctx);
5073
5074 return testresult;
5075 }
5076
5077 #ifndef OPENSSL_NO_TLS1_3
5078 /*
5079 * Test that SSL_export_keying_material_early() produces expected
5080 * results. There are no test vectors so all we do is test that both
5081 * sides of the communication produce the same results for different
5082 * protocol versions.
5083 */
5084 static int test_export_key_mat_early(int idx)
5085 {
5086 static const char label[] = "test label";
5087 static const unsigned char context[] = "context";
5088 int testresult = 0;
5089 SSL_CTX *cctx = NULL, *sctx = NULL;
5090 SSL *clientssl = NULL, *serverssl = NULL;
5091 SSL_SESSION *sess = NULL;
5092 const unsigned char *emptycontext = NULL;
5093 unsigned char ckeymat1[80], ckeymat2[80];
5094 unsigned char skeymat1[80], skeymat2[80];
5095 unsigned char buf[1];
5096 size_t readbytes, written;
5097
5098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5099 &sess, idx)))
5100 goto end;
5101
5102 /* Here writing 0 length early data is enough. */
5103 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5104 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5105 &readbytes),
5106 SSL_READ_EARLY_DATA_ERROR)
5107 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5108 SSL_EARLY_DATA_ACCEPTED))
5109 goto end;
5110
5111 if (!TEST_int_eq(SSL_export_keying_material_early(
5112 clientssl, ckeymat1, sizeof(ckeymat1), label,
5113 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5114 || !TEST_int_eq(SSL_export_keying_material_early(
5115 clientssl, ckeymat2, sizeof(ckeymat2), label,
5116 sizeof(label) - 1, emptycontext, 0), 1)
5117 || !TEST_int_eq(SSL_export_keying_material_early(
5118 serverssl, skeymat1, sizeof(skeymat1), label,
5119 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5120 || !TEST_int_eq(SSL_export_keying_material_early(
5121 serverssl, skeymat2, sizeof(skeymat2), label,
5122 sizeof(label) - 1, emptycontext, 0), 1)
5123 /*
5124 * Check that both sides created the same key material with the
5125 * same context.
5126 */
5127 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5128 sizeof(skeymat1))
5129 /*
5130 * Check that both sides created the same key material with an
5131 * empty context.
5132 */
5133 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5134 sizeof(skeymat2))
5135 /* Different contexts should produce different results */
5136 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5137 sizeof(ckeymat2)))
5138 goto end;
5139
5140 testresult = 1;
5141
5142 end:
5143 SSL_SESSION_free(sess);
5144 SSL_SESSION_free(clientpsk);
5145 SSL_SESSION_free(serverpsk);
5146 clientpsk = serverpsk = NULL;
5147 SSL_free(serverssl);
5148 SSL_free(clientssl);
5149 SSL_CTX_free(sctx);
5150 SSL_CTX_free(cctx);
5151
5152 return testresult;
5153 }
5154
5155 #define NUM_KEY_UPDATE_MESSAGES 40
5156 /*
5157 * Test KeyUpdate.
5158 */
5159 static int test_key_update(void)
5160 {
5161 SSL_CTX *cctx = NULL, *sctx = NULL;
5162 SSL *clientssl = NULL, *serverssl = NULL;
5163 int testresult = 0, i, j;
5164 char buf[20];
5165 static char *mess = "A test message";
5166
5167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5168 TLS_client_method(),
5169 TLS1_3_VERSION,
5170 0,
5171 &sctx, &cctx, cert, privkey))
5172 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5173 NULL, NULL))
5174 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5175 SSL_ERROR_NONE)))
5176 goto end;
5177
5178 for (j = 0; j < 2; j++) {
5179 /* Send lots of KeyUpdate messages */
5180 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5181 if (!TEST_true(SSL_key_update(clientssl,
5182 (j == 0)
5183 ? SSL_KEY_UPDATE_NOT_REQUESTED
5184 : SSL_KEY_UPDATE_REQUESTED))
5185 || !TEST_true(SSL_do_handshake(clientssl)))
5186 goto end;
5187 }
5188
5189 /* Check that sending and receiving app data is ok */
5190 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5191 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5192 strlen(mess)))
5193 goto end;
5194
5195 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5196 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5197 strlen(mess)))
5198 goto end;
5199 }
5200
5201 testresult = 1;
5202
5203 end:
5204 SSL_free(serverssl);
5205 SSL_free(clientssl);
5206 SSL_CTX_free(sctx);
5207 SSL_CTX_free(cctx);
5208
5209 return testresult;
5210 }
5211
5212 /*
5213 * Test we can handle a KeyUpdate (update requested) message while write data
5214 * is pending.
5215 * Test 0: Client sends KeyUpdate while Server is writing
5216 * Test 1: Server sends KeyUpdate while Client is writing
5217 */
5218 static int test_key_update_in_write(int tst)
5219 {
5220 SSL_CTX *cctx = NULL, *sctx = NULL;
5221 SSL *clientssl = NULL, *serverssl = NULL;
5222 int testresult = 0;
5223 char buf[20];
5224 static char *mess = "A test message";
5225 BIO *bretry = BIO_new(bio_s_always_retry());
5226 BIO *tmp = NULL;
5227 SSL *peerupdate = NULL, *peerwrite = NULL;
5228
5229 if (!TEST_ptr(bretry)
5230 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5231 TLS_client_method(),
5232 TLS1_3_VERSION,
5233 0,
5234 &sctx, &cctx, cert, privkey))
5235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5236 NULL, NULL))
5237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5238 SSL_ERROR_NONE)))
5239 goto end;
5240
5241 peerupdate = tst == 0 ? clientssl : serverssl;
5242 peerwrite = tst == 0 ? serverssl : clientssl;
5243
5244 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5245 || !TEST_true(SSL_do_handshake(peerupdate)))
5246 goto end;
5247
5248 /* Swap the writing endpoint's write BIO to force a retry */
5249 tmp = SSL_get_wbio(peerwrite);
5250 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5251 tmp = NULL;
5252 goto end;
5253 }
5254 SSL_set0_wbio(peerwrite, bretry);
5255 bretry = NULL;
5256
5257 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5258 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5259 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5260 goto end;
5261
5262 /* Reinstate the original writing endpoint's write BIO */
5263 SSL_set0_wbio(peerwrite, tmp);
5264 tmp = NULL;
5265
5266 /* Now read some data - we will read the key update */
5267 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5268 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5269 goto end;
5270
5271 /*
5272 * Complete the write we started previously and read it from the other
5273 * endpoint
5274 */
5275 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5276 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5277 goto end;
5278
5279 /* Write more data to ensure we send the KeyUpdate message back */
5280 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5281 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5282 goto end;
5283
5284 testresult = 1;
5285
5286 end:
5287 SSL_free(serverssl);
5288 SSL_free(clientssl);
5289 SSL_CTX_free(sctx);
5290 SSL_CTX_free(cctx);
5291 BIO_free(bretry);
5292 BIO_free(tmp);
5293
5294 return testresult;
5295 }
5296 #endif /* OPENSSL_NO_TLS1_3 */
5297
5298 static int test_ssl_clear(int idx)
5299 {
5300 SSL_CTX *cctx = NULL, *sctx = NULL;
5301 SSL *clientssl = NULL, *serverssl = NULL;
5302 int testresult = 0;
5303
5304 #ifdef OPENSSL_NO_TLS1_2
5305 if (idx == 1)
5306 return 1;
5307 #endif
5308
5309 /* Create an initial connection */
5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5311 TLS_client_method(), TLS1_VERSION, 0,
5312 &sctx, &cctx, cert, privkey))
5313 || (idx == 1
5314 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5315 TLS1_2_VERSION)))
5316 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5317 &clientssl, NULL, NULL))
5318 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5319 SSL_ERROR_NONE)))
5320 goto end;
5321
5322 SSL_shutdown(clientssl);
5323 SSL_shutdown(serverssl);
5324 SSL_free(serverssl);
5325 serverssl = NULL;
5326
5327 /* Clear clientssl - we're going to reuse the object */
5328 if (!TEST_true(SSL_clear(clientssl)))
5329 goto end;
5330
5331 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5332 NULL, NULL))
5333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5334 SSL_ERROR_NONE))
5335 || !TEST_true(SSL_session_reused(clientssl)))
5336 goto end;
5337
5338 SSL_shutdown(clientssl);
5339 SSL_shutdown(serverssl);
5340
5341 testresult = 1;
5342
5343 end:
5344 SSL_free(serverssl);
5345 SSL_free(clientssl);
5346 SSL_CTX_free(sctx);
5347 SSL_CTX_free(cctx);
5348
5349 return testresult;
5350 }
5351
5352 /* Parse CH and retrieve any MFL extension value if present */
5353 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5354 {
5355 long len;
5356 unsigned char *data;
5357 PACKET pkt, pkt2, pkt3;
5358 unsigned int MFL_code = 0, type = 0;
5359
5360 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5361 goto end;
5362
5363 memset(&pkt, 0, sizeof(pkt));
5364 memset(&pkt2, 0, sizeof(pkt2));
5365 memset(&pkt3, 0, sizeof(pkt3));
5366
5367 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5368 /* Skip the record header */
5369 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5370 /* Skip the handshake message header */
5371 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5372 /* Skip client version and random */
5373 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5374 + SSL3_RANDOM_SIZE))
5375 /* Skip session id */
5376 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5377 /* Skip ciphers */
5378 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5379 /* Skip compression */
5380 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5381 /* Extensions len */
5382 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5383 goto end;
5384
5385 /* Loop through all extensions */
5386 while (PACKET_remaining(&pkt2)) {
5387 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5388 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5389 goto end;
5390
5391 if (type == TLSEXT_TYPE_max_fragment_length) {
5392 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5393 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5394 goto end;
5395
5396 *mfl_codemfl_code = MFL_code;
5397 return 1;
5398 }
5399 }
5400
5401 end:
5402 return 0;
5403 }
5404
5405 /* Maximum-Fragment-Length TLS extension mode to test */
5406 static const unsigned char max_fragment_len_test[] = {
5407 TLSEXT_max_fragment_length_512,
5408 TLSEXT_max_fragment_length_1024,
5409 TLSEXT_max_fragment_length_2048,
5410 TLSEXT_max_fragment_length_4096
5411 };
5412
5413 static int test_max_fragment_len_ext(int idx_tst)
5414 {
5415 SSL_CTX *ctx;
5416 SSL *con = NULL;
5417 int testresult = 0, MFL_mode = 0;
5418 BIO *rbio, *wbio;
5419
5420 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
5421 if (!TEST_ptr(ctx))
5422 goto end;
5423
5424 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5425 ctx, max_fragment_len_test[idx_tst])))
5426 goto end;
5427
5428 con = SSL_new(ctx);
5429 if (!TEST_ptr(con))
5430 goto end;
5431
5432 rbio = BIO_new(BIO_s_mem());
5433 wbio = BIO_new(BIO_s_mem());
5434 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5435 BIO_free(rbio);
5436 BIO_free(wbio);
5437 goto end;
5438 }
5439
5440 SSL_set_bio(con, rbio, wbio);
5441 SSL_set_connect_state(con);
5442
5443 if (!TEST_int_le(SSL_connect(con), 0)) {
5444 /* This shouldn't succeed because we don't have a server! */
5445 goto end;
5446 }
5447
5448 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5449 /* no MFL in client hello */
5450 goto end;
5451 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5452 goto end;
5453
5454 testresult = 1;
5455
5456 end:
5457 SSL_free(con);
5458 SSL_CTX_free(ctx);
5459
5460 return testresult;
5461 }
5462
5463 #ifndef OPENSSL_NO_TLS1_3
5464 static int test_pha_key_update(void)
5465 {
5466 SSL_CTX *cctx = NULL, *sctx = NULL;
5467 SSL *clientssl = NULL, *serverssl = NULL;
5468 int testresult = 0;
5469
5470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5471 TLS_client_method(), TLS1_VERSION, 0,
5472 &sctx, &cctx, cert, privkey)))
5473 return 0;
5474
5475 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5476 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5477 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5478 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5479 goto end;
5480
5481 SSL_CTX_set_post_handshake_auth(cctx, 1);
5482
5483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5484 NULL, NULL)))
5485 goto end;
5486
5487 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5488 SSL_ERROR_NONE)))
5489 goto end;
5490
5491 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5492 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5493 goto end;
5494
5495 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5496 goto end;
5497
5498 /* Start handshake on the server */
5499 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5500 goto end;
5501
5502 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5503 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5504 SSL_ERROR_NONE)))
5505 goto end;
5506
5507 SSL_shutdown(clientssl);
5508 SSL_shutdown(serverssl);
5509
5510 testresult = 1;
5511
5512 end:
5513 SSL_free(serverssl);
5514 SSL_free(clientssl);
5515 SSL_CTX_free(sctx);
5516 SSL_CTX_free(cctx);
5517 return testresult;
5518 }
5519 #endif
5520
5521 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5522
5523 static SRP_VBASE *vbase = NULL;
5524
5525 DEFINE_STACK_OF(SRP_user_pwd)
5526
5527 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5528 {
5529 int ret = SSL3_AL_FATAL;
5530 char *username;
5531 SRP_user_pwd *user = NULL;
5532
5533 username = SSL_get_srp_username(s);
5534 if (username == NULL) {
5535 *ad = SSL_AD_INTERNAL_ERROR;
5536 goto err;
5537 }
5538
5539 user = SRP_VBASE_get1_by_user(vbase, username);
5540 if (user == NULL) {
5541 *ad = SSL_AD_INTERNAL_ERROR;
5542 goto err;
5543 }
5544
5545 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5546 user->info) <= 0) {
5547 *ad = SSL_AD_INTERNAL_ERROR;
5548 goto err;
5549 }
5550
5551 ret = 0;
5552
5553 err:
5554 SRP_user_pwd_free(user);
5555 return ret;
5556 }
5557
5558 static int create_new_vfile(char *userid, char *password, const char *filename)
5559 {
5560 char *gNid = NULL;
5561 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5562 TXT_DB *db = NULL;
5563 int ret = 0;
5564 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5565 size_t i;
5566
5567 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5568 goto end;
5569
5570 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5571 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
5572 if (!TEST_ptr(gNid))
5573 goto end;
5574
5575 /*
5576 * The only way to create an empty TXT_DB is to provide a BIO with no data
5577 * in it!
5578 */
5579 db = TXT_DB_read(dummy, DB_NUMBER);
5580 if (!TEST_ptr(db))
5581 goto end;
5582
5583 out = BIO_new_file(filename, "w");
5584 if (!TEST_ptr(out))
5585 goto end;
5586
5587 row[DB_srpid] = OPENSSL_strdup(userid);
5588 row[DB_srptype] = OPENSSL_strdup("V");
5589 row[DB_srpgN] = OPENSSL_strdup(gNid);
5590
5591 if (!TEST_ptr(row[DB_srpid])
5592 || !TEST_ptr(row[DB_srptype])
5593 || !TEST_ptr(row[DB_srpgN])
5594 || !TEST_true(TXT_DB_insert(db, row)))
5595 goto end;
5596
5597 row = NULL;
5598
5599 if (!TXT_DB_write(out, db))
5600 goto end;
5601
5602 ret = 1;
5603 end:
5604 if (row != NULL) {
5605 for (i = 0; i < DB_NUMBER; i++)
5606 OPENSSL_free(row[i]);
5607 }
5608 OPENSSL_free(row);
5609 BIO_free(dummy);
5610 BIO_free(out);
5611 TXT_DB_free(db);
5612
5613 return ret;
5614 }
5615
5616 static int create_new_vbase(char *userid, char *password)
5617 {
5618 BIGNUM *verifier = NULL, *salt = NULL;
5619 const SRP_gN *lgN = NULL;
5620 SRP_user_pwd *user_pwd = NULL;
5621 int ret = 0;
5622
5623 lgN = SRP_get_default_gN(NULL);
5624 if (!TEST_ptr(lgN))
5625 goto end;
5626
5627 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5628 lgN->N, lgN->g, libctx, NULL)))
5629 goto end;
5630
5631 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5632 if (!TEST_ptr(user_pwd))
5633 goto end;
5634
5635 user_pwd->N = lgN->N;
5636 user_pwd->g = lgN->g;
5637 user_pwd->id = OPENSSL_strdup(userid);
5638 if (!TEST_ptr(user_pwd->id))
5639 goto end;
5640
5641 user_pwd->v = verifier;
5642 user_pwd->s = salt;
5643 verifier = salt = NULL;
5644
5645 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5646 goto end;
5647 user_pwd = NULL;
5648
5649 ret = 1;
5650 end:
5651 SRP_user_pwd_free(user_pwd);
5652 BN_free(salt);
5653 BN_free(verifier);
5654
5655 return ret;
5656 }
5657
5658 /*
5659 * SRP tests
5660 *
5661 * Test 0: Simple successful SRP connection, new vbase
5662 * Test 1: Connection failure due to bad password, new vbase
5663 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5664 * Test 3: Connection failure due to bad password, vbase loaded from existing
5665 * file
5666 * Test 4: Simple successful SRP connection, vbase loaded from new file
5667 * Test 5: Connection failure due to bad password, vbase loaded from new file
5668 */
5669 static int test_srp(int tst)
5670 {
5671 char *userid = "test", *password = "password", *tstsrpfile;
5672 SSL_CTX *cctx = NULL, *sctx = NULL;
5673 SSL *clientssl = NULL, *serverssl = NULL;
5674 int ret, testresult = 0;
5675
5676 vbase = SRP_VBASE_new(NULL);
5677 if (!TEST_ptr(vbase))
5678 goto end;
5679
5680 if (tst == 0 || tst == 1) {
5681 if (!TEST_true(create_new_vbase(userid, password)))
5682 goto end;
5683 } else {
5684 if (tst == 4 || tst == 5) {
5685 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5686 goto end;
5687 tstsrpfile = tmpfilename;
5688 } else {
5689 tstsrpfile = srpvfile;
5690 }
5691 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5692 goto end;
5693 }
5694
5695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5696 TLS_client_method(), TLS1_VERSION, 0,
5697 &sctx, &cctx, cert, privkey)))
5698 goto end;
5699
5700 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5701 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5702 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5703 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5704 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5705 goto end;
5706
5707 if (tst % 2 == 1) {
5708 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5709 goto end;
5710 } else {
5711 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5712 goto end;
5713 }
5714
5715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5716 NULL, NULL)))
5717 goto end;
5718
5719 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5720 if (ret) {
5721 if (!TEST_true(tst % 2 == 0))
5722 goto end;
5723 } else {
5724 if (!TEST_true(tst % 2 == 1))
5725 goto end;
5726 }
5727
5728 testresult = 1;
5729
5730 end:
5731 SRP_VBASE_free(vbase);
5732 vbase = NULL;
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5735 SSL_CTX_free(sctx);
5736 SSL_CTX_free(cctx);
5737
5738 return testresult;
5739 }
5740 #endif
5741
5742 static int info_cb_failed = 0;
5743 static int info_cb_offset = 0;
5744 static int info_cb_this_state = -1;
5745
5746 static struct info_cb_states_st {
5747 int where;
5748 const char *statestr;
5749 } info_cb_states[][60] = {
5750 {
5751 /* TLSv1.2 server followed by resumption */
5752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5753 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5754 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5755 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5756 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5757 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5758 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5759 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5760 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5761 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5762 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5763 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5764 {SSL_CB_EXIT, NULL}, {0, NULL},
5765 }, {
5766 /* TLSv1.2 client followed by resumption */
5767 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5768 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5769 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5770 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5771 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5772 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5773 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5774 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5775 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5776 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5777 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5779 }, {
5780 /* TLSv1.3 server followed by resumption */
5781 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5782 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5783 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5784 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5785 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5786 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5787 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5788 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5789 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5790 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5791 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5792 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5793 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5794 }, {
5795 /* TLSv1.3 client followed by resumption */
5796 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5797 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5798 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5799 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5800 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5801 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5802 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5803 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5804 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5805 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5806 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5807 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5808 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5809 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5810 {SSL_CB_EXIT, NULL}, {0, NULL},
5811 }, {
5812 /* TLSv1.3 server, early_data */
5813 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5814 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5815 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5816 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5817 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5818 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5820 {SSL_CB_EXIT, NULL}, {0, NULL},
5821 }, {
5822 /* TLSv1.3 client, early_data */
5823 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5824 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5825 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5826 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5827 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5828 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5829 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5830 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5831 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5832 }, {
5833 {0, NULL},
5834 }
5835 };
5836
5837 static void sslapi_info_callback(const SSL *s, int where, int ret)
5838 {
5839 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5840
5841 /* We do not ever expect a connection to fail in this test */
5842 if (!TEST_false(ret == 0)) {
5843 info_cb_failed = 1;
5844 return;
5845 }
5846
5847 /*
5848 * Do some sanity checks. We never expect these things to happen in this
5849 * test
5850 */
5851 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5852 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5853 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5854 info_cb_failed = 1;
5855 return;
5856 }
5857
5858 /* Now check we're in the right state */
5859 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5860 info_cb_failed = 1;
5861 return;
5862 }
5863 if ((where & SSL_CB_LOOP) != 0
5864 && !TEST_int_eq(strcmp(SSL_state_string(s),
5865 state[info_cb_this_state].statestr), 0)) {
5866 info_cb_failed = 1;
5867 return;
5868 }
5869
5870 /*
5871 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5872 */
5873 if ((where & SSL_CB_HANDSHAKE_DONE)
5874 && SSL_in_init((SSL *)s) != 0) {
5875 info_cb_failed = 1;
5876 return;
5877 }
5878 }
5879
5880 /*
5881 * Test the info callback gets called when we expect it to.
5882 *
5883 * Test 0: TLSv1.2, server
5884 * Test 1: TLSv1.2, client
5885 * Test 2: TLSv1.3, server
5886 * Test 3: TLSv1.3, client
5887 * Test 4: TLSv1.3, server, early_data
5888 * Test 5: TLSv1.3, client, early_data
5889 */
5890 static int test_info_callback(int tst)
5891 {
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5894 SSL_SESSION *clntsess = NULL;
5895 int testresult = 0;
5896 int tlsvers;
5897
5898 if (tst < 2) {
5899 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5900 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5901 || !defined(OPENSSL_NO_DH))
5902 tlsvers = TLS1_2_VERSION;
5903 #else
5904 return 1;
5905 #endif
5906 } else {
5907 #ifndef OPENSSL_NO_TLS1_3
5908 tlsvers = TLS1_3_VERSION;
5909 #else
5910 return 1;
5911 #endif
5912 }
5913
5914 /* Reset globals */
5915 info_cb_failed = 0;
5916 info_cb_this_state = -1;
5917 info_cb_offset = tst;
5918
5919 #ifndef OPENSSL_NO_TLS1_3
5920 if (tst >= 4) {
5921 SSL_SESSION *sess = NULL;
5922 size_t written, readbytes;
5923 unsigned char buf[80];
5924
5925 /* early_data tests */
5926 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5927 &serverssl, &sess, 0)))
5928 goto end;
5929
5930 /* We don't actually need this reference */
5931 SSL_SESSION_free(sess);
5932
5933 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5934 sslapi_info_callback);
5935
5936 /* Write and read some early data and then complete the connection */
5937 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5938 &written))
5939 || !TEST_size_t_eq(written, strlen(MSG1))
5940 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5941 sizeof(buf), &readbytes),
5942 SSL_READ_EARLY_DATA_SUCCESS)
5943 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5944 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5945 SSL_EARLY_DATA_ACCEPTED)
5946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5947 SSL_ERROR_NONE))
5948 || !TEST_false(info_cb_failed))
5949 goto end;
5950
5951 testresult = 1;
5952 goto end;
5953 }
5954 #endif
5955
5956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5957 TLS_client_method(),
5958 tlsvers, tlsvers, &sctx, &cctx, cert,
5959 privkey)))
5960 goto end;
5961
5962 /*
5963 * For even numbered tests we check the server callbacks. For odd numbers we
5964 * check the client.
5965 */
5966 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5967 sslapi_info_callback);
5968
5969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5970 &clientssl, NULL, NULL))
5971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5972 SSL_ERROR_NONE))
5973 || !TEST_false(info_cb_failed))
5974 goto end;
5975
5976
5977
5978 clntsess = SSL_get1_session(clientssl);
5979 SSL_shutdown(clientssl);
5980 SSL_shutdown(serverssl);
5981 SSL_free(serverssl);
5982 SSL_free(clientssl);
5983 serverssl = clientssl = NULL;
5984
5985 /* Now do a resumption */
5986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5987 NULL))
5988 || !TEST_true(SSL_set_session(clientssl, clntsess))
5989 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5990 SSL_ERROR_NONE))
5991 || !TEST_true(SSL_session_reused(clientssl))
5992 || !TEST_false(info_cb_failed))
5993 goto end;
5994
5995 testresult = 1;
5996
5997 end:
5998 SSL_free(serverssl);
5999 SSL_free(clientssl);
6000 SSL_SESSION_free(clntsess);
6001 SSL_CTX_free(sctx);
6002 SSL_CTX_free(cctx);
6003 return testresult;
6004 }
6005
6006 static int test_ssl_pending(int tst)
6007 {
6008 SSL_CTX *cctx = NULL, *sctx = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 int testresult = 0;
6011 char msg[] = "A test message";
6012 char buf[5];
6013 size_t written, readbytes;
6014
6015 if (tst == 0) {
6016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6017 TLS_client_method(),
6018 TLS1_VERSION, 0,
6019 &sctx, &cctx, cert, privkey)))
6020 goto end;
6021 } else {
6022 #ifndef OPENSSL_NO_DTLS
6023 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
6024 DTLS_client_method(),
6025 DTLS1_VERSION, 0,
6026 &sctx, &cctx, cert, privkey)))
6027 goto end;
6028 #else
6029 return 1;
6030 #endif
6031 }
6032
6033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6034 NULL, NULL))
6035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6036 SSL_ERROR_NONE)))
6037 goto end;
6038
6039 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6040 || !TEST_false(SSL_has_pending(clientssl))
6041 || !TEST_int_eq(SSL_pending(serverssl), 0)
6042 || !TEST_false(SSL_has_pending(serverssl))
6043 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6044 || !TEST_size_t_eq(written, sizeof(msg))
6045 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6046 || !TEST_size_t_eq(readbytes, sizeof(buf))
6047 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6048 || !TEST_true(SSL_has_pending(clientssl)))
6049 goto end;
6050
6051 testresult = 1;
6052
6053 end:
6054 SSL_free(serverssl);
6055 SSL_free(clientssl);
6056 SSL_CTX_free(sctx);
6057 SSL_CTX_free(cctx);
6058
6059 return testresult;
6060 }
6061
6062 static struct {
6063 unsigned int maxprot;
6064 const char *clntciphers;
6065 const char *clnttls13ciphers;
6066 const char *srvrciphers;
6067 const char *srvrtls13ciphers;
6068 const char *shared;
6069 } shared_ciphers_data[] = {
6070 /*
6071 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6072 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6073 */
6074 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
6075 {
6076 TLS1_2_VERSION,
6077 "AES128-SHA:AES256-SHA",
6078 NULL,
6079 "AES256-SHA:DHE-RSA-AES128-SHA",
6080 NULL,
6081 "AES256-SHA"
6082 },
6083 {
6084 TLS1_2_VERSION,
6085 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6086 NULL,
6087 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6088 NULL,
6089 "AES128-SHA:AES256-SHA"
6090 },
6091 {
6092 TLS1_2_VERSION,
6093 "AES128-SHA:AES256-SHA",
6094 NULL,
6095 "AES128-SHA:DHE-RSA-AES128-SHA",
6096 NULL,
6097 "AES128-SHA"
6098 },
6099 #endif
6100 /*
6101 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6102 * enabled.
6103 */
6104 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6105 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6106 {
6107 TLS1_3_VERSION,
6108 "AES128-SHA:AES256-SHA",
6109 NULL,
6110 "AES256-SHA:AES128-SHA256",
6111 NULL,
6112 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6113 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6114 },
6115 #endif
6116 #ifndef OPENSSL_NO_TLS1_3
6117 {
6118 TLS1_3_VERSION,
6119 "AES128-SHA",
6120 "TLS_AES_256_GCM_SHA384",
6121 "AES256-SHA",
6122 "TLS_AES_256_GCM_SHA384",
6123 "TLS_AES_256_GCM_SHA384"
6124 },
6125 #endif
6126 };
6127
6128 static int test_ssl_get_shared_ciphers(int tst)
6129 {
6130 SSL_CTX *cctx = NULL, *sctx = NULL;
6131 SSL *clientssl = NULL, *serverssl = NULL;
6132 int testresult = 0;
6133 char buf[1024];
6134
6135 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6136 TLS_client_method(),
6137 TLS1_VERSION,
6138 shared_ciphers_data[tst].maxprot,
6139 &sctx, &cctx, cert, privkey)))
6140 goto end;
6141
6142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6143 shared_ciphers_data[tst].clntciphers))
6144 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6145 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6146 shared_ciphers_data[tst].clnttls13ciphers)))
6147 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6148 shared_ciphers_data[tst].srvrciphers))
6149 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6150 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6151 shared_ciphers_data[tst].srvrtls13ciphers))))
6152 goto end;
6153
6154
6155 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6156 NULL, NULL))
6157 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6158 SSL_ERROR_NONE)))
6159 goto end;
6160
6161 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6162 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6163 TEST_info("Shared ciphers are: %s\n", buf);
6164 goto end;
6165 }
6166
6167 testresult = 1;
6168
6169 end:
6170 SSL_free(serverssl);
6171 SSL_free(clientssl);
6172 SSL_CTX_free(sctx);
6173 SSL_CTX_free(cctx);
6174
6175 return testresult;
6176 }
6177
6178 static const char *appdata = "Hello World";
6179 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6180 static int tick_key_renew = 0;
6181 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6182
6183 static int gen_tick_cb(SSL *s, void *arg)
6184 {
6185 gen_tick_called = 1;
6186
6187 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6188 strlen(appdata));
6189 }
6190
6191 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6192 const unsigned char *keyname,
6193 size_t keyname_length,
6194 SSL_TICKET_STATUS status,
6195 void *arg)
6196 {
6197 void *tickdata;
6198 size_t tickdlen;
6199
6200 dec_tick_called = 1;
6201
6202 if (status == SSL_TICKET_EMPTY)
6203 return SSL_TICKET_RETURN_IGNORE_RENEW;
6204
6205 if (!TEST_true(status == SSL_TICKET_SUCCESS
6206 || status == SSL_TICKET_SUCCESS_RENEW))
6207 return SSL_TICKET_RETURN_ABORT;
6208
6209 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6210 &tickdlen))
6211 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6212 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6213 return SSL_TICKET_RETURN_ABORT;
6214
6215 if (tick_key_cb_called) {
6216 /* Don't change what the ticket key callback wanted to do */
6217 switch (status) {
6218 case SSL_TICKET_NO_DECRYPT:
6219 return SSL_TICKET_RETURN_IGNORE_RENEW;
6220
6221 case SSL_TICKET_SUCCESS:
6222 return SSL_TICKET_RETURN_USE;
6223
6224 case SSL_TICKET_SUCCESS_RENEW:
6225 return SSL_TICKET_RETURN_USE_RENEW;
6226
6227 default:
6228 return SSL_TICKET_RETURN_ABORT;
6229 }
6230 }
6231 return tick_dec_ret;
6232
6233 }
6234
6235 #ifndef OPENSSL_NO_DEPRECATED_3_0
6236 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6237 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6238 HMAC_CTX *hctx, int enc)
6239 {
6240 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6241 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6242 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6243 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6244 int ret;
6245
6246 tick_key_cb_called = 1;
6247 memset(iv, 0, AES_BLOCK_SIZE);
6248 memset(key_name, 0, 16);
6249 if (aes128cbc == NULL
6250 || sha256 == NULL
6251 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6252 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6253 NULL))
6254 ret = -1;
6255 else
6256 ret = tick_key_renew ? 2 : 1;
6257
6258 EVP_CIPHER_free(aes128cbc);
6259 EVP_MD_free(sha256);
6260
6261 return ret;
6262 }
6263 #endif
6264
6265 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6266 unsigned char iv[EVP_MAX_IV_LENGTH],
6267 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6268 {
6269 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6270 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6271 OSSL_PARAM params[3];
6272 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6273 int ret;
6274
6275 tick_key_cb_called = 1;
6276 memset(iv, 0, AES_BLOCK_SIZE);
6277 memset(key_name, 0, 16);
6278 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6279 "SHA256", 0);
6280 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6281 tick_hmac_key,
6282 sizeof(tick_hmac_key));
6283 params[2] = OSSL_PARAM_construct_end();
6284 if (aes128cbc == NULL
6285 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6286 || !EVP_MAC_CTX_set_params(hctx, params)
6287 || !EVP_MAC_init(hctx))
6288 ret = -1;
6289 else
6290 ret = tick_key_renew ? 2 : 1;
6291
6292 EVP_CIPHER_free(aes128cbc);
6293
6294 return ret;
6295 }
6296
6297 /*
6298 * Test the various ticket callbacks
6299 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6300 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6301 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6302 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6303 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6304 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6305 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6306 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6307 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6308 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6309 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6310 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6311 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6312 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6313 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6314 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
6315 */
6316 static int test_ticket_callbacks(int tst)
6317 {
6318 SSL_CTX *cctx = NULL, *sctx = NULL;
6319 SSL *clientssl = NULL, *serverssl = NULL;
6320 SSL_SESSION *clntsess = NULL;
6321 int testresult = 0;
6322
6323 #ifdef OPENSSL_NO_TLS1_2
6324 if (tst % 2 == 0)
6325 return 1;
6326 #endif
6327 #ifdef OPENSSL_NO_TLS1_3
6328 if (tst % 2 == 1)
6329 return 1;
6330 #endif
6331 #ifdef OPENSSL_NO_DEPRECATED_3_0
6332 if (tst >= 8 && tst <= 11)
6333 return 1;
6334 #endif
6335
6336 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6337
6338 /* Which tests the ticket key callback should request renewal for */
6339 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
6340 tick_key_renew = 1;
6341 else
6342 tick_key_renew = 0;
6343
6344 /* Which tests the decrypt ticket callback should request renewal for */
6345 switch (tst) {
6346 case 0:
6347 case 1:
6348 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6349 break;
6350
6351 case 2:
6352 case 3:
6353 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6354 break;
6355
6356 case 4:
6357 case 5:
6358 tick_dec_ret = SSL_TICKET_RETURN_USE;
6359 break;
6360
6361 case 6:
6362 case 7:
6363 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6364 break;
6365
6366 default:
6367 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6368 }
6369
6370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6371 TLS_client_method(),
6372 TLS1_VERSION,
6373 ((tst % 2) == 0) ? TLS1_2_VERSION
6374 : TLS1_3_VERSION,
6375 &sctx, &cctx, cert, privkey)))
6376 goto end;
6377
6378 /*
6379 * We only want sessions to resume from tickets - not the session cache. So
6380 * switch the cache off.
6381 */
6382 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6383 goto end;
6384
6385 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6386 NULL)))
6387 goto end;
6388
6389 if (tst >= 12) {
6390 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6391 goto end;
6392 #ifndef OPENSSL_NO_DEPRECATED_3_0
6393 } else if (tst >= 8) {
6394 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6395 goto end;
6396 #endif
6397 }
6398
6399 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6400 NULL, NULL))
6401 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6402 SSL_ERROR_NONE)))
6403 goto end;
6404
6405 /*
6406 * The decrypt ticket key callback in TLSv1.2 should be called even though
6407 * we have no ticket yet, because it gets called with a status of
6408 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6409 * actually send any ticket data). This does not happen in TLSv1.3 because
6410 * it is not valid to send empty ticket data in TLSv1.3.
6411 */
6412 if (!TEST_int_eq(gen_tick_called, 1)
6413 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6414 goto end;
6415
6416 gen_tick_called = dec_tick_called = 0;
6417
6418 clntsess = SSL_get1_session(clientssl);
6419 SSL_shutdown(clientssl);
6420 SSL_shutdown(serverssl);
6421 SSL_free(serverssl);
6422 SSL_free(clientssl);
6423 serverssl = clientssl = NULL;
6424
6425 /* Now do a resumption */
6426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6427 NULL))
6428 || !TEST_true(SSL_set_session(clientssl, clntsess))
6429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6430 SSL_ERROR_NONE)))
6431 goto end;
6432
6433 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6434 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6435 if (!TEST_false(SSL_session_reused(clientssl)))
6436 goto end;
6437 } else {
6438 if (!TEST_true(SSL_session_reused(clientssl)))
6439 goto end;
6440 }
6441
6442 if (!TEST_int_eq(gen_tick_called,
6443 (tick_key_renew
6444 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6445 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6446 ? 1 : 0)
6447 || !TEST_int_eq(dec_tick_called, 1))
6448 goto end;
6449
6450 testresult = 1;
6451
6452 end:
6453 SSL_SESSION_free(clntsess);
6454 SSL_free(serverssl);
6455 SSL_free(clientssl);
6456 SSL_CTX_free(sctx);
6457 SSL_CTX_free(cctx);
6458
6459 return testresult;
6460 }
6461
6462 /*
6463 * Test bi-directional shutdown.
6464 * Test 0: TLSv1.2
6465 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6466 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6467 * Test 3: TLSv1.3, pending NewSessionTicket messages
6468 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6469 * sends key update, client reads it
6470 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6471 * sends CertificateRequest, client reads and ignores it
6472 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6473 * doesn't read it
6474 */
6475 static int test_shutdown(int tst)
6476 {
6477 SSL_CTX *cctx = NULL, *sctx = NULL;
6478 SSL *clientssl = NULL, *serverssl = NULL;
6479 int testresult = 0;
6480 char msg[] = "A test message";
6481 char buf[80];
6482 size_t written, readbytes;
6483 SSL_SESSION *sess;
6484
6485 #ifdef OPENSSL_NO_TLS1_2
6486 if (tst <= 1)
6487 return 1;
6488 #endif
6489 #ifdef OPENSSL_NO_TLS1_3
6490 if (tst >= 2)
6491 return 1;
6492 #endif
6493
6494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6495 TLS_client_method(),
6496 TLS1_VERSION,
6497 (tst <= 1) ? TLS1_2_VERSION
6498 : TLS1_3_VERSION,
6499 &sctx, &cctx, cert, privkey)))
6500 goto end;
6501
6502 if (tst == 5)
6503 SSL_CTX_set_post_handshake_auth(cctx, 1);
6504
6505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6506 NULL, NULL)))
6507 goto end;
6508
6509 if (tst == 3) {
6510 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6511 SSL_ERROR_NONE, 1))
6512 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6513 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6514 goto end;
6515 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6516 SSL_ERROR_NONE))
6517 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6518 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6519 goto end;
6520 }
6521
6522 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6523 goto end;
6524
6525 if (tst >= 4) {
6526 /*
6527 * Reading on the server after the client has sent close_notify should
6528 * fail and provide SSL_ERROR_ZERO_RETURN
6529 */
6530 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6531 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6532 SSL_ERROR_ZERO_RETURN)
6533 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6534 SSL_RECEIVED_SHUTDOWN)
6535 /*
6536 * Even though we're shutdown on receive we should still be
6537 * able to write.
6538 */
6539 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6540 goto end;
6541 if (tst == 4
6542 && !TEST_true(SSL_key_update(serverssl,
6543 SSL_KEY_UPDATE_REQUESTED)))
6544 goto end;
6545 if (tst == 5) {
6546 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6547 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6548 goto end;
6549 }
6550 if ((tst == 4 || tst == 5)
6551 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6552 goto end;
6553 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6554 goto end;
6555 if (tst == 4 || tst == 5) {
6556 /* Should still be able to read data from server */
6557 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6558 &readbytes))
6559 || !TEST_size_t_eq(readbytes, sizeof(msg))
6560 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6561 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6562 &readbytes))
6563 || !TEST_size_t_eq(readbytes, sizeof(msg))
6564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6565 goto end;
6566 }
6567 }
6568
6569 /* Writing on the client after sending close_notify shouldn't be possible */
6570 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6571 goto end;
6572
6573 if (tst < 4) {
6574 /*
6575 * For these tests the client has sent close_notify but it has not yet
6576 * been received by the server. The server has not sent close_notify
6577 * yet.
6578 */
6579 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6580 /*
6581 * Writing on the server after sending close_notify shouldn't
6582 * be possible.
6583 */
6584 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6585 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6586 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6587 || !TEST_true(SSL_SESSION_is_resumable(sess))
6588 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6589 goto end;
6590 } else if (tst == 4 || tst == 5) {
6591 /*
6592 * In this test the client has sent close_notify and it has been
6593 * received by the server which has responded with a close_notify. The
6594 * client needs to read the close_notify sent by the server.
6595 */
6596 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6598 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6599 goto end;
6600 } else {
6601 /*
6602 * tst == 6
6603 *
6604 * The client has sent close_notify and is expecting a close_notify
6605 * back, but instead there is application data first. The shutdown
6606 * should fail with a fatal error.
6607 */
6608 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6609 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6610 goto end;
6611 }
6612
6613 testresult = 1;
6614
6615 end:
6616 SSL_free(serverssl);
6617 SSL_free(clientssl);
6618 SSL_CTX_free(sctx);
6619 SSL_CTX_free(cctx);
6620
6621 return testresult;
6622 }
6623
6624 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6625 static int cert_cb_cnt;
6626
6627 static int cert_cb(SSL *s, void *arg)
6628 {
6629 SSL_CTX *ctx = (SSL_CTX *)arg;
6630 BIO *in = NULL;
6631 EVP_PKEY *pkey = NULL;
6632 X509 *x509 = NULL, *rootx = NULL;
6633 STACK_OF(X509) *chain = NULL;
6634 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6635 int ret = 0;
6636
6637 if (cert_cb_cnt == 0) {
6638 /* Suspend the handshake */
6639 cert_cb_cnt++;
6640 return -1;
6641 } else if (cert_cb_cnt == 1) {
6642 /*
6643 * Update the SSL_CTX, set the certificate and private key and then
6644 * continue the handshake normally.
6645 */
6646 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6647 return 0;
6648
6649 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6650 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6651 SSL_FILETYPE_PEM))
6652 || !TEST_true(SSL_check_private_key(s)))
6653 return 0;
6654 cert_cb_cnt++;
6655 return 1;
6656 } else if (cert_cb_cnt == 3) {
6657 int rv;
6658
6659 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6660 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6661 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6662 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6663 goto out;
6664 chain = sk_X509_new_null();
6665 if (!TEST_ptr(chain))
6666 goto out;
6667 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6668 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6669 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6670 || !TEST_true(sk_X509_push(chain, rootx)))
6671 goto out;
6672 rootx = NULL;
6673 BIO_free(in);
6674 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6675 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6676 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6677 goto out;
6678 BIO_free(in);
6679 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6680 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6681 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6682 goto out;
6683 rv = SSL_check_chain(s, x509, pkey, chain);
6684 /*
6685 * If the cert doesn't show as valid here (e.g., because we don't
6686 * have any shared sigalgs), then we will not set it, and there will
6687 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6688 * will cause tls_choose_sigalgs() to fail the connection.
6689 */
6690 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6691 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6692 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6693 goto out;
6694 }
6695
6696 ret = 1;
6697 }
6698
6699 /* Abort the handshake */
6700 out:
6701 OPENSSL_free(ecdsacert);
6702 OPENSSL_free(ecdsakey);
6703 OPENSSL_free(rootfile);
6704 BIO_free(in);
6705 EVP_PKEY_free(pkey);
6706 X509_free(x509);
6707 X509_free(rootx);
6708 sk_X509_pop_free(chain, X509_free);
6709 return ret;
6710 }
6711
6712 /*
6713 * Test the certificate callback.
6714 * Test 0: Callback fails
6715 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6716 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6717 * Test 3: Success - Call SSL_check_chain from the callback
6718 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6719 * chain
6720 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6721 */
6722 static int test_cert_cb_int(int prot, int tst)
6723 {
6724 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6725 SSL *clientssl = NULL, *serverssl = NULL;
6726 int testresult = 0, ret;
6727
6728 #ifdef OPENSSL_NO_EC
6729 /* We use an EC cert in these tests, so we skip in a no-ec build */
6730 if (tst >= 3)
6731 return 1;
6732 #endif
6733
6734 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6735 TLS_client_method(),
6736 TLS1_VERSION,
6737 prot,
6738 &sctx, &cctx, NULL, NULL)))
6739 goto end;
6740
6741 if (tst == 0)
6742 cert_cb_cnt = -1;
6743 else if (tst >= 3)
6744 cert_cb_cnt = 3;
6745 else
6746 cert_cb_cnt = 0;
6747
6748 if (tst == 2)
6749 snictx = SSL_CTX_new(TLS_server_method());
6750 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6751
6752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6753 NULL, NULL)))
6754 goto end;
6755
6756 if (tst == 4) {
6757 /*
6758 * We cause SSL_check_chain() to fail by specifying sig_algs that
6759 * the chain doesn't meet (the root uses an RSA cert)
6760 */
6761 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6762 "ecdsa_secp256r1_sha256")))
6763 goto end;
6764 } else if (tst == 5) {
6765 /*
6766 * We cause SSL_check_chain() to fail by specifying sig_algs that
6767 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6768 */
6769 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6770 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6771 goto end;
6772 }
6773
6774 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6775 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6776 || (tst > 0
6777 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6778 goto end;
6779 }
6780
6781 testresult = 1;
6782
6783 end:
6784 SSL_free(serverssl);
6785 SSL_free(clientssl);
6786 SSL_CTX_free(sctx);
6787 SSL_CTX_free(cctx);
6788 SSL_CTX_free(snictx);
6789
6790 return testresult;
6791 }
6792 #endif
6793
6794 static int test_cert_cb(int tst)
6795 {
6796 int testresult = 1;
6797
6798 #ifndef OPENSSL_NO_TLS1_2
6799 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6800 #endif
6801 #ifndef OPENSSL_NO_TLS1_3
6802 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6803 #endif
6804
6805 return testresult;
6806 }
6807
6808 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6809 {
6810 X509 *xcert, *peer;
6811 EVP_PKEY *privpkey;
6812 BIO *in = NULL;
6813
6814 /* Check that SSL_get_peer_certificate() returns something sensible */
6815 peer = SSL_get_peer_certificate(ssl);
6816 if (!TEST_ptr(peer))
6817 return 0;
6818 X509_free(peer);
6819
6820 in = BIO_new_file(cert, "r");
6821 if (!TEST_ptr(in))
6822 return 0;
6823
6824 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6825 BIO_free(in);
6826 if (!TEST_ptr(xcert))
6827 return 0;
6828
6829 in = BIO_new_file(privkey, "r");
6830 if (!TEST_ptr(in)) {
6831 X509_free(xcert);
6832 return 0;
6833 }
6834
6835 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6836 BIO_free(in);
6837 if (!TEST_ptr(privpkey)) {
6838 X509_free(xcert);
6839 return 0;
6840 }
6841
6842 *x509 = xcert;
6843 *pkey = privpkey;
6844
6845 return 1;
6846 }
6847
6848 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6849 {
6850 return 1;
6851 }
6852
6853 static int test_client_cert_cb(int tst)
6854 {
6855 SSL_CTX *cctx = NULL, *sctx = NULL;
6856 SSL *clientssl = NULL, *serverssl = NULL;
6857 int testresult = 0;
6858
6859 #ifdef OPENSSL_NO_TLS1_2
6860 if (tst == 0)
6861 return 1;
6862 #endif
6863 #ifdef OPENSSL_NO_TLS1_3
6864 if (tst == 1)
6865 return 1;
6866 #endif
6867
6868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6869 TLS_client_method(),
6870 TLS1_VERSION,
6871 tst == 0 ? TLS1_2_VERSION
6872 : TLS1_3_VERSION,
6873 &sctx, &cctx, cert, privkey)))
6874 goto end;
6875
6876 /*
6877 * Test that setting a client_cert_cb results in a client certificate being
6878 * sent.
6879 */
6880 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6881 SSL_CTX_set_verify(sctx,
6882 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6883 verify_cb);
6884
6885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6886 NULL, NULL))
6887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6888 SSL_ERROR_NONE)))
6889 goto end;
6890
6891 testresult = 1;
6892
6893 end:
6894 SSL_free(serverssl);
6895 SSL_free(clientssl);
6896 SSL_CTX_free(sctx);
6897 SSL_CTX_free(cctx);
6898
6899 return testresult;
6900 }
6901
6902 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6903 /*
6904 * Test setting certificate authorities on both client and server.
6905 *
6906 * Test 0: SSL_CTX_set0_CA_list() only
6907 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6908 * Test 2: Only SSL_CTX_set_client_CA_list()
6909 */
6910 static int test_ca_names_int(int prot, int tst)
6911 {
6912 SSL_CTX *cctx = NULL, *sctx = NULL;
6913 SSL *clientssl = NULL, *serverssl = NULL;
6914 int testresult = 0;
6915 size_t i;
6916 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6917 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6918 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6919 const STACK_OF(X509_NAME) *sktmp = NULL;
6920
6921 for (i = 0; i < OSSL_NELEM(name); i++) {
6922 name[i] = X509_NAME_new();
6923 if (!TEST_ptr(name[i])
6924 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6925 MBSTRING_ASC,
6926 (unsigned char *)
6927 strnames[i],
6928 -1, -1, 0)))
6929 goto end;
6930 }
6931
6932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6933 TLS_client_method(),
6934 TLS1_VERSION,
6935 prot,
6936 &sctx, &cctx, cert, privkey)))
6937 goto end;
6938
6939 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6940
6941 if (tst == 0 || tst == 1) {
6942 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6943 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6944 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6945 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6946 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6947 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6948 goto end;
6949
6950 SSL_CTX_set0_CA_list(sctx, sk1);
6951 SSL_CTX_set0_CA_list(cctx, sk2);
6952 sk1 = sk2 = NULL;
6953 }
6954 if (tst == 1 || tst == 2) {
6955 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6956 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6957 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6958 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6959 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6960 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6961 goto end;
6962
6963 SSL_CTX_set_client_CA_list(sctx, sk1);
6964 SSL_CTX_set_client_CA_list(cctx, sk2);
6965 sk1 = sk2 = NULL;
6966 }
6967
6968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6969 NULL, NULL))
6970 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6971 SSL_ERROR_NONE)))
6972 goto end;
6973
6974 /*
6975 * We only expect certificate authorities to have been sent to the server
6976 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6977 */
6978 sktmp = SSL_get0_peer_CA_list(serverssl);
6979 if (prot == TLS1_3_VERSION
6980 && (tst == 0 || tst == 1)) {
6981 if (!TEST_ptr(sktmp)
6982 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6983 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6984 name[0]), 0)
6985 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6986 name[1]), 0))
6987 goto end;
6988 } else if (!TEST_ptr_null(sktmp)) {
6989 goto end;
6990 }
6991
6992 /*
6993 * In all tests we expect certificate authorities to have been sent to the
6994 * client. However, SSL_set_client_CA_list() should override
6995 * SSL_set0_CA_list()
6996 */
6997 sktmp = SSL_get0_peer_CA_list(clientssl);
6998 if (!TEST_ptr(sktmp)
6999 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7000 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7001 name[tst == 0 ? 0 : 2]), 0)
7002 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7003 name[tst == 0 ? 1 : 3]), 0))
7004 goto end;
7005
7006 testresult = 1;
7007
7008 end:
7009 SSL_free(serverssl);
7010 SSL_free(clientssl);
7011 SSL_CTX_free(sctx);
7012 SSL_CTX_free(cctx);
7013 for (i = 0; i < OSSL_NELEM(name); i++)
7014 X509_NAME_free(name[i]);
7015 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7016 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7017
7018 return testresult;
7019 }
7020 #endif
7021
7022 static int test_ca_names(int tst)
7023 {
7024 int testresult = 1;
7025
7026 #ifndef OPENSSL_NO_TLS1_2
7027 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7028 #endif
7029 #ifndef OPENSSL_NO_TLS1_3
7030 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7031 #endif
7032
7033 return testresult;
7034 }
7035
7036 #ifndef OPENSSL_NO_TLS1_2
7037 static const char *multiblock_cipherlist_data[]=
7038 {
7039 "AES128-SHA",
7040 "AES128-SHA256",
7041 "AES256-SHA",
7042 "AES256-SHA256",
7043 };
7044
7045 /* Reduce the fragment size - so the multiblock test buffer can be small */
7046 # define MULTIBLOCK_FRAGSIZE 512
7047
7048 static int test_multiblock_write(int test_index)
7049 {
7050 static const char *fetchable_ciphers[]=
7051 {
7052 "AES-128-CBC-HMAC-SHA1",
7053 "AES-128-CBC-HMAC-SHA256",
7054 "AES-256-CBC-HMAC-SHA1",
7055 "AES-256-CBC-HMAC-SHA256"
7056 };
7057 const char *cipherlist = multiblock_cipherlist_data[test_index];
7058 const SSL_METHOD *smeth = TLS_server_method();
7059 const SSL_METHOD *cmeth = TLS_client_method();
7060 int min_version = TLS1_VERSION;
7061 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7062 SSL_CTX *cctx = NULL, *sctx = NULL;
7063 SSL *clientssl = NULL, *serverssl = NULL;
7064 int testresult = 0;
7065
7066 /*
7067 * Choose a buffer large enough to perform a multi-block operation
7068 * i.e: write_len >= 4 * frag_size
7069 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7070 */
7071 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7072 unsigned char buf[sizeof(msg)], *p = buf;
7073 size_t readbytes, written, len;
7074 EVP_CIPHER *ciph = NULL;
7075
7076 /*
7077 * Check if the cipher exists before attempting to use it since it only has
7078 * a hardware specific implementation.
7079 */
7080 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7081 if (ciph == NULL) {
7082 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7083 return 1;
7084 }
7085 EVP_CIPHER_free(ciph);
7086
7087 /* Set up a buffer with some data that will be sent to the client */
7088 RAND_bytes(msg, sizeof(msg));
7089
7090 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7091 max_version, &sctx, &cctx, cert,
7092 privkey)))
7093 goto end;
7094
7095 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7096 goto end;
7097
7098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7099 NULL, NULL)))
7100 goto end;
7101
7102 /* settings to force it to use AES-CBC-HMAC_SHA */
7103 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7105 goto end;
7106
7107 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7108 goto end;
7109
7110 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7111 || !TEST_size_t_eq(written, sizeof(msg)))
7112 goto end;
7113
7114 len = written;
7115 while (len > 0) {
7116 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7117 goto end;
7118 p += readbytes;
7119 len -= readbytes;
7120 }
7121 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7122 goto end;
7123
7124 testresult = 1;
7125 end:
7126 SSL_free(serverssl);
7127 SSL_free(clientssl);
7128 SSL_CTX_free(sctx);
7129 SSL_CTX_free(cctx);
7130
7131 return testresult;
7132 }
7133 #endif /* OPENSSL_NO_TLS1_2 */
7134
7135 /*
7136 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7137 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7138 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7139 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7140 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7141 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7142 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7143 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7144 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7145 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7146 */
7147 static int test_servername(int tst)
7148 {
7149 SSL_CTX *cctx = NULL, *sctx = NULL;
7150 SSL *clientssl = NULL, *serverssl = NULL;
7151 int testresult = 0;
7152 SSL_SESSION *sess = NULL;
7153 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7154
7155 #ifdef OPENSSL_NO_TLS1_2
7156 if (tst <= 4)
7157 return 1;
7158 #endif
7159 #ifdef OPENSSL_NO_TLS1_3
7160 if (tst >= 5)
7161 return 1;
7162 #endif
7163
7164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7165 TLS_client_method(),
7166 TLS1_VERSION,
7167 (tst <= 4) ? TLS1_2_VERSION
7168 : TLS1_3_VERSION,
7169 &sctx, &cctx, cert, privkey))
7170 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7171 NULL, NULL)))
7172 goto end;
7173
7174 if (tst != 1 && tst != 6) {
7175 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7176 hostname_cb)))
7177 goto end;
7178 }
7179
7180 if (tst != 3 && tst != 8) {
7181 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7182 goto end;
7183 sexpectedhost = cexpectedhost = "goodhost";
7184 }
7185
7186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7187 goto end;
7188
7189 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7190 cexpectedhost)
7191 || !TEST_str_eq(SSL_get_servername(serverssl,
7192 TLSEXT_NAMETYPE_host_name),
7193 sexpectedhost))
7194 goto end;
7195
7196 /* Now repeat with a resumption handshake */
7197
7198 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7199 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7200 || !TEST_true(SSL_SESSION_is_resumable(sess))
7201 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7202 goto end;
7203
7204 SSL_free(clientssl);
7205 SSL_free(serverssl);
7206 clientssl = serverssl = NULL;
7207
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7209 NULL)))
7210 goto end;
7211
7212 if (!TEST_true(SSL_set_session(clientssl, sess)))
7213 goto end;
7214
7215 sexpectedhost = cexpectedhost = "goodhost";
7216 if (tst == 2 || tst == 7) {
7217 /* Set an inconsistent hostname */
7218 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7219 goto end;
7220 /*
7221 * In TLSv1.2 we expect the hostname from the original handshake, in
7222 * TLSv1.3 we expect the hostname from this handshake
7223 */
7224 if (tst == 7)
7225 sexpectedhost = cexpectedhost = "altgoodhost";
7226
7227 if (!TEST_str_eq(SSL_get_servername(clientssl,
7228 TLSEXT_NAMETYPE_host_name),
7229 "altgoodhost"))
7230 goto end;
7231 } else if (tst == 4 || tst == 9) {
7232 /*
7233 * A TLSv1.3 session does not associate a session with a servername,
7234 * but a TLSv1.2 session does.
7235 */
7236 if (tst == 9)
7237 sexpectedhost = cexpectedhost = NULL;
7238
7239 if (!TEST_str_eq(SSL_get_servername(clientssl,
7240 TLSEXT_NAMETYPE_host_name),
7241 cexpectedhost))
7242 goto end;
7243 } else {
7244 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7245 goto end;
7246 /*
7247 * In a TLSv1.2 resumption where the hostname was not acknowledged
7248 * we expect the hostname on the server to be empty. On the client we
7249 * return what was requested in this case.
7250 *
7251 * Similarly if the client didn't set a hostname on an original TLSv1.2
7252 * session but is now, the server hostname will be empty, but the client
7253 * is as we set it.
7254 */
7255 if (tst == 1 || tst == 3)
7256 sexpectedhost = NULL;
7257
7258 if (!TEST_str_eq(SSL_get_servername(clientssl,
7259 TLSEXT_NAMETYPE_host_name),
7260 "goodhost"))
7261 goto end;
7262 }
7263
7264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7265 goto end;
7266
7267 if (!TEST_true(SSL_session_reused(clientssl))
7268 || !TEST_true(SSL_session_reused(serverssl))
7269 || !TEST_str_eq(SSL_get_servername(clientssl,
7270 TLSEXT_NAMETYPE_host_name),
7271 cexpectedhost)
7272 || !TEST_str_eq(SSL_get_servername(serverssl,
7273 TLSEXT_NAMETYPE_host_name),
7274 sexpectedhost))
7275 goto end;
7276
7277 testresult = 1;
7278
7279 end:
7280 SSL_SESSION_free(sess);
7281 SSL_free(serverssl);
7282 SSL_free(clientssl);
7283 SSL_CTX_free(sctx);
7284 SSL_CTX_free(cctx);
7285
7286 return testresult;
7287 }
7288
7289 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
7290
7291 int setup_tests(void)
7292 {
7293 char *modulename;
7294 char *configfile;
7295
7296 libctx = OPENSSL_CTX_new();
7297 if (!TEST_ptr(libctx))
7298 return 0;
7299
7300 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7301
7302 /*
7303 * Verify that the default and fips providers in the default libctx are not
7304 * available
7305 */
7306 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7307 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7308 return 0;
7309
7310 if (!test_skip_common_options()) {
7311 TEST_error("Error parsing test options\n");
7312 return 0;
7313 }
7314
7315 if (!TEST_ptr(certsdir = test_get_argument(0))
7316 || !TEST_ptr(srpvfile = test_get_argument(1))
7317 || !TEST_ptr(tmpfilename = test_get_argument(2))
7318 || !TEST_ptr(modulename = test_get_argument(3))
7319 || !TEST_ptr(configfile = test_get_argument(4)))
7320 return 0;
7321
7322 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7323 return 0;
7324
7325 /* Check we have the expected provider available */
7326 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7327 return 0;
7328
7329 /* Check the default provider is not available */
7330 if (strcmp(modulename, "default") != 0
7331 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
7332 return 0;
7333
7334 if (strcmp(modulename, "fips") == 0)
7335 is_fips = 1;
7336
7337 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7338 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7339 TEST_error("not supported in this build");
7340 return 0;
7341 #else
7342 int i, mcount, rcount, fcount;
7343
7344 for (i = 0; i < 4; i++)
7345 test_export_key_mat(i);
7346 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7347 test_printf_stdout("malloc %d realloc %d free %d\n",
7348 mcount, rcount, fcount);
7349 return 1;
7350 #endif
7351 }
7352
7353 cert = test_mk_file_path(certsdir, "servercert.pem");
7354 if (cert == NULL)
7355 return 0;
7356
7357 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7358 if (privkey == NULL) {
7359 OPENSSL_free(cert);
7360 return 0;
7361 }
7362
7363 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7364 && !defined(OPENSSL_NO_SOCK)
7365 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7366 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7367 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7368 ADD_TEST(test_ktls_client_no_txrx_server);
7369 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7370 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7371 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7372 ADD_TEST(test_ktls_client_no_rx_server);
7373 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7374 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7375 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7376 ADD_TEST(test_ktls_client_no_tx_server);
7377 ADD_TEST(test_ktls_no_txrx_client_server);
7378 ADD_TEST(test_ktls_no_rx_client_server);
7379 ADD_TEST(test_ktls_no_tx_client_server);
7380 ADD_TEST(test_ktls_client_server);
7381 ADD_TEST(test_ktls_sendfile);
7382 #endif
7383 ADD_TEST(test_large_message_tls);
7384 ADD_TEST(test_large_message_tls_read_ahead);
7385 #ifndef OPENSSL_NO_DTLS
7386 ADD_TEST(test_large_message_dtls);
7387 #endif
7388 #ifndef OPENSSL_NO_OCSP
7389 ADD_TEST(test_tlsext_status_type);
7390 #endif
7391 ADD_TEST(test_session_with_only_int_cache);
7392 ADD_TEST(test_session_with_only_ext_cache);
7393 ADD_TEST(test_session_with_both_cache);
7394 #ifndef OPENSSL_NO_TLS1_3
7395 ADD_ALL_TESTS(test_stateful_tickets, 3);
7396 ADD_ALL_TESTS(test_stateless_tickets, 3);
7397 ADD_TEST(test_psk_tickets);
7398 #endif
7399 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7400 ADD_TEST(test_ssl_bio_pop_next_bio);
7401 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7402 ADD_TEST(test_ssl_bio_change_rbio);
7403 ADD_TEST(test_ssl_bio_change_wbio);
7404 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7405 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7406 ADD_TEST(test_keylog);
7407 #endif
7408 #ifndef OPENSSL_NO_TLS1_3
7409 ADD_TEST(test_keylog_no_master_key);
7410 #endif
7411 #ifndef OPENSSL_NO_TLS1_2
7412 ADD_TEST(test_client_hello_cb);
7413 ADD_TEST(test_no_ems);
7414 ADD_TEST(test_ccs_change_cipher);
7415 #endif
7416 #ifndef OPENSSL_NO_TLS1_3
7417 ADD_ALL_TESTS(test_early_data_read_write, 3);
7418 /*
7419 * We don't do replay tests for external PSK. Replay protection isn't used
7420 * in that scenario.
7421 */
7422 ADD_ALL_TESTS(test_early_data_replay, 2);
7423 ADD_ALL_TESTS(test_early_data_skip, 3);
7424 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7425 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7426 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7427 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7428 ADD_ALL_TESTS(test_early_data_psk, 8);
7429 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7430 # ifndef OPENSSL_NO_TLS1_2
7431 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7432 # endif
7433 #endif
7434 #ifndef OPENSSL_NO_TLS1_3
7435 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7436 ADD_TEST(test_ciphersuite_change);
7437 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7438 # ifdef OPENSSL_NO_PSK
7439 ADD_ALL_TESTS(test_tls13_psk, 1);
7440 # else
7441 ADD_ALL_TESTS(test_tls13_psk, 4);
7442 # endif /* OPENSSL_NO_PSK */
7443 # ifndef OPENSSL_NO_TLS1_2
7444 /* Test with both TLSv1.3 and 1.2 versions */
7445 ADD_ALL_TESTS(test_key_exchange, 14);
7446 # else
7447 /* Test with only TLSv1.3 versions */
7448 ADD_ALL_TESTS(test_key_exchange, 12);
7449 # endif
7450 ADD_ALL_TESTS(test_custom_exts, 5);
7451 ADD_TEST(test_stateless);
7452 ADD_TEST(test_pha_key_update);
7453 #else
7454 ADD_ALL_TESTS(test_custom_exts, 3);
7455 #endif
7456 ADD_ALL_TESTS(test_serverinfo, 8);
7457 ADD_ALL_TESTS(test_export_key_mat, 6);
7458 #ifndef OPENSSL_NO_TLS1_3
7459 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7460 ADD_TEST(test_key_update);
7461 ADD_ALL_TESTS(test_key_update_in_write, 2);
7462 #endif
7463 ADD_ALL_TESTS(test_ssl_clear, 2);
7464 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7465 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7466 ADD_ALL_TESTS(test_srp, 6);
7467 #endif
7468 ADD_ALL_TESTS(test_info_callback, 6);
7469 ADD_ALL_TESTS(test_ssl_pending, 2);
7470 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7471 ADD_ALL_TESTS(test_ticket_callbacks, 16);
7472 ADD_ALL_TESTS(test_shutdown, 7);
7473 ADD_ALL_TESTS(test_cert_cb, 6);
7474 ADD_ALL_TESTS(test_client_cert_cb, 2);
7475 ADD_ALL_TESTS(test_ca_names, 3);
7476 #ifndef OPENSSL_NO_TLS1_2
7477 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7478 #endif
7479 ADD_ALL_TESTS(test_servername, 10);
7480 return 1;
7481 }
7482
7483 void cleanup_tests(void)
7484 {
7485 OPENSSL_free(cert);
7486 OPENSSL_free(privkey);
7487 bio_s_mempacket_test_free();
7488 bio_s_always_retry_free();
7489 OSSL_PROVIDER_unload(defctxnull);
7490 OPENSSL_CTX_free(libctx);
7491 }
A mirror of the official openssl repository