]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/rpktest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
RFC7250 (RPK) support
[thirdparty/openssl.git] / test / rpktest.c
1 /*
2 * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9 #include <openssl/ssl.h>
10
11 #include "helpers/ssltestlib.h"
12 #include "internal/dane.h"
13 #include "testutil.h"
14
15 #undef OSSL_NO_USABLE_TLS1_3
16 #if defined(OPENSSL_NO_TLS1_3) \
17 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
18 /*
19 * If we don't have ec or dh then there are no built-in groups that are usable
20 * with TLSv1.3
21 */
22 # define OSSL_NO_USABLE_TLS1_3
23 #endif
24
25 static char *certsdir = NULL;
26 static char *rootcert = NULL;
27 static char *cert = NULL;
28 static char *privkey = NULL;
29 static char *cert2 = NULL;
30 static char *privkey2 = NULL;
31 static char *cert448 = NULL;
32 static char *privkey448 = NULL;
33 static char *cert25519 = NULL;
34 static char *privkey25519 = NULL;
35 static OSSL_LIB_CTX *libctx = NULL;
36 static OSSL_PROVIDER *defctxnull = NULL;
37
38 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
39 static const unsigned char SID_CTX[] = { 'r', 'p', 'k' };
40
41 static int rpk_verify_client_cb(int ok, X509_STORE_CTX *ctx)
42 {
43 int err = X509_STORE_CTX_get_error(ctx);
44
45 if (X509_STORE_CTX_get0_rpk(ctx) != NULL) {
46 if (err != X509_V_OK) {
47 TEST_info("rpk_verify_client_cb: ok=%d err=%d", ok, err);
48 return 0;
49 }
50 }
51 return 1;
52 }
53 static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx)
54 {
55 int err = X509_STORE_CTX_get_error(ctx);
56
57 if (X509_STORE_CTX_get0_rpk(ctx) != NULL) {
58 if (err != X509_V_OK) {
59 TEST_info("rpk_verify_server_cb: ok=%d err=%d", ok, err);
60 return 0;
61 }
62 }
63 return 1;
64 }
65
66 /*
67 * Test dimensions:
68 * (2) server_cert_type RPK off/on for server
69 * (2) client_cert_type RPK off/on for server
70 * (2) server_cert_type RPK off/on for client
71 * (2) client_cert_type RPK off/on for client
72 * (4) RSA vs ECDSA vs Ed25519 vs Ed448 certificates
73 * (2) TLSv1.2 vs TLSv1.3
74 *
75 * Tests:
76 * idx = 0 - is the normal success case, certificate, single peer key
77 * idx = 1 - only a private key
78 * idx = 2 - add client authentication
79 * idx = 3 - add second peer key (rootcert.pem)
80 * idx = 4 - add second peer key (different, RSA or ECDSA)
81 * idx = 5 - reverse peer keys (rootcert.pem, different order)
82 * idx = 6 - reverse peer keys (RSA or ECDSA, different order)
83 * idx = 7 - expects failure due to mismatched key (RSA or ECDSA)
84 * idx = 8 - expects failure due to no configured key on client
85 * idx = 9 - add client authentication (PHA)
86 * idx = 10 - add client authentication (privake key only)
87 * idx = 11 - simple resumption
88 * idx = 12 - simple resumption, no ticket
89 * idx = 13 - resumption with client authentication
90 * idx = 14 - resumption with client authentication, no ticket
91 * idx = 15 - like 0, but use non-default libctx
92 *
93 * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests
94 */
95 static int test_rpk(int idx)
96 {
97 # define RPK_TESTS 16
98 # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2)
99 SSL_CTX *cctx = NULL, *sctx = NULL;
100 SSL *clientssl = NULL, *serverssl = NULL;
101 EVP_PKEY *pkey = NULL, *other_pkey = NULL, *root_pkey = NULL;
102 X509 *x509 = NULL, *other_x509 = NULL, *root_x509 = NULL;
103 int testresult = 0, ret, expected = 1;
104 int client_expected = X509_V_OK;
105 int verify;
106 int tls_version;
107 char *cert_file = NULL;
108 char *privkey_file = NULL;
109 char *other_cert_file = NULL;
110 SSL_SESSION *client_sess = NULL;
111 SSL_SESSION *server_sess = NULL;
112 int idx_server_server_rpk, idx_server_client_rpk;
113 int idx_client_server_rpk, idx_client_client_rpk;
114 int idx_cert, idx_prot;
115 int client_auth = 0;
116 int resumption = 0;
117 long server_verify_result = 0;
118 long client_verify_result = 0;
119 OSSL_LIB_CTX *test_libctx = NULL;
120
121 if (!TEST_int_le(idx, RPK_TESTS * RPK_DIMS))
122 return 0;
123
124 idx_server_server_rpk = idx / (RPK_TESTS * 2 * 4 * 2 * 2 * 2);
125 idx %= RPK_TESTS * 2 * 4 * 2 * 2 * 2;
126 idx_server_client_rpk = idx / (RPK_TESTS * 2 * 4 * 2 * 2);
127 idx %= RPK_TESTS * 2 * 4 * 2 * 2;
128 idx_client_server_rpk = idx / (RPK_TESTS * 2 * 4 * 2);
129 idx %= RPK_TESTS * 2 * 4 * 2;
130 idx_client_client_rpk = idx / (RPK_TESTS * 2 * 4);
131 idx %= RPK_TESTS * 2 * 4;
132 idx_cert = idx / (RPK_TESTS * 2);
133 idx %= RPK_TESTS * 2;
134 idx_prot = idx / RPK_TESTS;
135 idx %= RPK_TESTS;
136
137 /* Load "root" cert/pubkey */
138 root_x509 = load_cert_pem(rootcert, NULL);
139 if (!TEST_ptr(root_x509))
140 goto end;
141 root_pkey = X509_get0_pubkey(root_x509);
142 if (!TEST_ptr(root_pkey))
143 goto end;
144
145 switch (idx_cert) {
146 case 0:
147 /* use RSA */
148 cert_file = cert;
149 privkey_file = privkey;
150 other_cert_file = cert2;
151 break;
152 #ifndef OPENSSL_NO_ECDSA
153 case 1:
154 /* use ECDSA */
155 cert_file = cert2;
156 privkey_file = privkey2;
157 other_cert_file = cert;
158 break;
159 case 2:
160 /* use Ed448 */
161 cert_file = cert448;
162 privkey_file = privkey448;
163 other_cert_file = cert;
164 break;
165 case 3:
166 /* use Ed25519 */
167 cert_file = cert25519;
168 privkey_file = privkey25519;
169 other_cert_file = cert;
170 break;
171 #endif
172 default:
173 testresult = TEST_skip("EDCSA disabled");
174 goto end;
175 }
176 /* Load primary cert */
177 x509 = load_cert_pem(cert_file, NULL);
178 if (!TEST_ptr(x509))
179 goto end;
180 pkey = X509_get0_pubkey(x509);
181 /* load other cert */
182 other_x509 = load_cert_pem(other_cert_file, NULL);
183 if (!TEST_ptr(other_x509))
184 goto end;
185 other_pkey = X509_get0_pubkey(other_x509);
186 #ifdef OPENSSL_NO_ECDSA
187 /* Can't get other_key if it's ECDSA */
188 if (other_pkey == NULL && idx_cert == 0
189 && (idx == 4 || idx == 6 || idx == 7)) {
190 testresult = TEST_skip("EDCSA disabled");
191 goto end;
192 }
193 #endif
194
195 switch (idx_prot) {
196 case 0:
197 #ifdef OSSL_NO_USABLE_TLS1_3
198 testresult = TEST_skip("TLSv1.3 disabled");
199 goto end;
200 #else
201 tls_version = TLS1_3_VERSION;
202 break;
203 #endif
204 case 1:
205 #ifdef OPENSSL_NO_TLS1_2
206 testresult = TEST_skip("TLSv1.2 disabled");
207 goto end;
208 #else
209 tls_version = TLS1_2_VERSION;
210 break;
211 #endif
212 default:
213 goto end;
214 }
215
216 if (idx == 15) {
217 test_libctx = libctx;
218 defctxnull = OSSL_PROVIDER_load(NULL, "null");
219 if (!TEST_ptr(defctxnull))
220 goto end;
221 }
222 if (!TEST_true(create_ssl_ctx_pair(test_libctx,
223 TLS_server_method(), TLS_client_method(),
224 tls_version, tls_version,
225 &sctx, &cctx, NULL, NULL)))
226 goto end;
227
228 if (idx_server_server_rpk)
229 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_rpk, sizeof(cert_type_rpk))))
230 goto end;
231 if (idx_server_client_rpk)
232 if (!TEST_true(SSL_CTX_set1_client_cert_type(sctx, cert_type_rpk, sizeof(cert_type_rpk))))
233 goto end;
234 if (idx_client_server_rpk)
235 if (!TEST_true(SSL_CTX_set1_server_cert_type(cctx, cert_type_rpk, sizeof(cert_type_rpk))))
236 goto end;
237 if (idx_client_client_rpk)
238 if (!TEST_true(SSL_CTX_set1_client_cert_type(cctx, cert_type_rpk, sizeof(cert_type_rpk))))
239 goto end;
240 if (!TEST_true(SSL_CTX_set_session_id_context(sctx, SID_CTX, sizeof(SID_CTX))))
241 goto end;
242 if (!TEST_true(SSL_CTX_set_session_id_context(cctx, SID_CTX, sizeof(SID_CTX))))
243 goto end;
244
245 if (!TEST_int_gt(SSL_CTX_dane_enable(sctx), 0))
246 goto end;
247 if (!TEST_int_gt(SSL_CTX_dane_enable(cctx), 0))
248 goto end;
249
250 /* NEW */
251 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, rpk_verify_client_cb);
252
253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
254 NULL, NULL)))
255 goto end;
256
257 if (!TEST_int_gt(SSL_dane_enable(serverssl, NULL), 0))
258 goto end;
259 if (!TEST_int_gt(SSL_dane_enable(clientssl, "example.com"), 0))
260 goto end;
261
262 /* Set private key and certificate */
263 if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl, privkey_file, SSL_FILETYPE_PEM), 1))
264 goto end;
265 /* Only a private key */
266 if (idx == 1) {
267 if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0)
268 expected = 0;
269 } else {
270 /* Add certificate */
271 if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1))
272 goto end;
273 if (!TEST_int_eq(SSL_check_private_key(serverssl), 1))
274 goto end;
275 }
276
277 switch (idx) {
278 default:
279 if (!TEST_true(idx < RPK_TESTS))
280 goto end;
281 break;
282 case 0:
283 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
284 goto end;
285 break;
286 case 1:
287 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
288 goto end;
289 break;
290 case 2:
291 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
292 goto end;
293 if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
294 goto end;
295 /* Use the same key for client auth */
296 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
297 goto end;
298 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
299 goto end;
300 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
301 goto end;
302 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
303 client_auth = 1;
304 break;
305 case 3:
306 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
307 goto end;
308 if (!TEST_true(SSL_add_expected_rpk(clientssl, root_pkey)))
309 goto end;
310 break;
311 case 4:
312 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
313 goto end;
314 if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
315 goto end;
316 break;
317 case 5:
318 if (!TEST_true(SSL_add_expected_rpk(clientssl, root_pkey)))
319 goto end;
320 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
321 goto end;
322 break;
323 case 6:
324 if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
325 goto end;
326 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
327 goto end;
328 break;
329 case 7:
330 if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1)
331 client_expected = -1;
332 if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
333 goto end;
334 client_verify_result = X509_V_ERR_DANE_NO_MATCH;
335 break;
336 case 8:
337 if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1)
338 client_expected = -1;
339 /* no peer keys */
340 client_verify_result = X509_V_ERR_RPK_UNTRUSTED;
341 break;
342 case 9:
343 if (tls_version != TLS1_3_VERSION) {
344 testresult = TEST_skip("PHA requires TLSv1.3");
345 goto end;
346 }
347 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
348 goto end;
349 if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
350 goto end;
351 /* Use the same key for client auth */
352 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
353 goto end;
354 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
355 goto end;
356 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
357 goto end;
358 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_POST_HANDSHAKE, rpk_verify_server_cb);
359 SSL_set_post_handshake_auth(clientssl, 1);
360 client_auth = 1;
361 break;
362 case 10:
363 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
364 goto end;
365 if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
366 goto end;
367 /* Use the same key for client auth */
368 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
369 goto end;
370 /* Since there's no cert, this is expected to fail without RPK support */
371 if (!idx_server_client_rpk || !idx_client_client_rpk)
372 expected = 0;
373 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
374 client_auth = 1;
375 break;
376 case 11:
377 if (!idx_server_server_rpk || !idx_client_server_rpk) {
378 testresult = TEST_skip("Only testing resumption with server RPK");
379 goto end;
380 }
381 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
382 goto end;
383 resumption = 1;
384 break;
385 case 12:
386 if (!idx_server_server_rpk || !idx_client_server_rpk) {
387 testresult = TEST_skip("Only testing resumption with server RPK");
388 goto end;
389 }
390 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
391 goto end;
392 SSL_set_options(serverssl, SSL_OP_NO_TICKET);
393 SSL_set_options(clientssl, SSL_OP_NO_TICKET);
394 resumption = 1;
395 break;
396 case 13:
397 if (!idx_server_server_rpk || !idx_client_server_rpk) {
398 testresult = TEST_skip("Only testing resumption with server RPK");
399 goto end;
400 }
401 if (!idx_server_client_rpk || !idx_client_client_rpk) {
402 testresult = TEST_skip("Only testing client authentication resumption with client RPK");
403 goto end;
404 }
405 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
406 goto end;
407 if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
408 goto end;
409 /* Use the same key for client auth */
410 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
411 goto end;
412 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
413 goto end;
414 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
415 goto end;
416 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
417 client_auth = 1;
418 resumption = 1;
419 break;
420 case 14:
421 if (!idx_server_server_rpk || !idx_client_server_rpk) {
422 testresult = TEST_skip("Only testing resumption with server RPK");
423 goto end;
424 }
425 if (!idx_server_client_rpk || !idx_client_client_rpk) {
426 testresult = TEST_skip("Only testing client authentication resumption with client RPK");
427 goto end;
428 }
429 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
430 goto end;
431 if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
432 goto end;
433 /* Use the same key for client auth */
434 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
435 goto end;
436 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
437 goto end;
438 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
439 goto end;
440 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
441 SSL_set_options(serverssl, SSL_OP_NO_TICKET);
442 SSL_set_options(clientssl, SSL_OP_NO_TICKET);
443 client_auth = 1;
444 resumption = 1;
445 break;
446 case 15:
447 if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
448 goto end;
449 break;
450 }
451
452 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
453 if (!TEST_int_eq(expected, ret))
454 goto end;
455
456 /* Make sure client gets RPK or certificate as configured */
457 if (expected == 1) {
458 if (idx_server_server_rpk && idx_client_server_rpk) {
459 if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
460 goto end;
461 if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
462 goto end;
463 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
464 goto end;
465 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
466 goto end;
467 } else {
468 if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
469 goto end;
470 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
471 goto end;
472 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
473 goto end;
474 }
475 }
476
477 if (idx == 9) {
478 /* Make PHA happen... */
479 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
480 goto end;
481 if (!TEST_true(SSL_do_handshake(serverssl)))
482 goto end;
483 if (!TEST_int_le(SSL_read(clientssl, NULL, 0), 0))
484 goto end;
485 if (!TEST_int_le(SSL_read(serverssl, NULL, 0), 0))
486 goto end;
487 }
488
489 /* Make sure server gets an RPK or certificate as configured */
490 if (client_auth) {
491 if (idx_server_client_rpk && idx_client_client_rpk) {
492 if (!TEST_long_eq(SSL_get_verify_result(serverssl), server_verify_result))
493 goto end;
494 if (!TEST_ptr(SSL_get0_peer_rpk(serverssl)))
495 goto end;
496 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_rpk))
497 goto end;
498 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
499 goto end;
500 } else {
501 /* only if connection is expected to succeed */
502 if (expected == 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl)))
503 goto end;
504 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509))
505 goto end;
506 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_x509))
507 goto end;
508 }
509 }
510
511 if (resumption) {
512 EVP_PKEY *client_pkey = NULL;
513 EVP_PKEY *server_pkey = NULL;
514
515 if (!TEST_ptr((client_sess = SSL_get1_session(clientssl)))
516 || !TEST_ptr((client_pkey = SSL_SESSION_get0_peer_rpk(client_sess))))
517 goto end;
518 if (client_auth) {
519 if (!TEST_ptr((server_sess = SSL_get1_session(serverssl)))
520 || !TEST_ptr((server_pkey = SSL_SESSION_get0_peer_rpk(server_sess))))
521 goto end;
522 }
523 SSL_shutdown(clientssl);
524 SSL_shutdown(serverssl);
525 SSL_free(clientssl);
526 SSL_free(serverssl);
527 serverssl = clientssl = NULL;
528
529 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
530 NULL, NULL))
531 || !TEST_true(SSL_set_session(clientssl, client_sess)))
532 goto end;
533
534 /* Set private key (and maybe certificate) */
535 if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl, privkey_file, SSL_FILETYPE_PEM), 1))
536 goto end;
537 if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1))
538 goto end;
539 if (!TEST_int_eq(SSL_check_private_key(serverssl), 1))
540 goto end;
541 if (!TEST_int_gt(SSL_dane_enable(serverssl, "example.com"), 0))
542 goto end;
543 if (!TEST_int_gt(SSL_dane_enable(clientssl, "example.com"), 0))
544 goto end;
545
546 switch (idx) {
547 default:
548 break;
549 case 11:
550 if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
551 goto end;
552 break;
553 case 12:
554 if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
555 goto end;
556 SSL_set_options(clientssl, SSL_OP_NO_TICKET);
557 SSL_set_options(serverssl, SSL_OP_NO_TICKET);
558 break;
559 case 13:
560 if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
561 goto end;
562 if (!TEST_true(SSL_add_expected_rpk(serverssl, server_pkey)))
563 goto end;
564 /* Use the same key for client auth */
565 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
566 goto end;
567 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
568 goto end;
569 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
570 goto end;
571 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
572 break;
573 case 14:
574 if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
575 goto end;
576 if (!TEST_true(SSL_add_expected_rpk(serverssl, server_pkey)))
577 goto end;
578 /* Use the same key for client auth */
579 if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
580 goto end;
581 if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
582 goto end;
583 if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
584 goto end;
585 SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
586 SSL_set_options(serverssl, SSL_OP_NO_TICKET);
587 SSL_set_options(clientssl, SSL_OP_NO_TICKET);
588 break;
589 }
590
591 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
592 if (!TEST_int_eq(expected, ret))
593 goto end;
594 verify = SSL_get_verify_result(clientssl);
595 if (!TEST_int_eq(client_expected, verify))
596 goto end;
597 if (!TEST_true(SSL_session_reused(clientssl)))
598 goto end;
599
600 if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
601 goto end;
602 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
603 goto end;
604 if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
605 goto end;
606
607 if (client_auth) {
608 if (!TEST_ptr(SSL_get0_peer_rpk(serverssl)))
609 goto end;
610 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_rpk))
611 goto end;
612 if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
613 goto end;
614 }
615 }
616
617 testresult = 1;
618
619 end:
620 OSSL_PROVIDER_unload(defctxnull);
621 defctxnull = NULL;
622 SSL_SESSION_free(client_sess);
623 SSL_SESSION_free(server_sess);
624 SSL_free(serverssl);
625 SSL_free(clientssl);
626 SSL_CTX_free(sctx);
627 SSL_CTX_free(cctx);
628 X509_free(x509);
629 X509_free(other_x509);
630 X509_free(root_x509);
631
632 if (testresult == 0) {
633 TEST_info("idx_ss_rpk=%d, idx_sc_rpk=%d, idx_cs_rpk=%d, idx_cc_rpk=%d, idx_cert=%d, idx_prot=%d, idx=%d",
634 idx_server_server_rpk, idx_server_client_rpk,
635 idx_client_server_rpk, idx_client_client_rpk,
636 idx_cert, idx_prot, idx);
637 }
638 return testresult;
639 }
640
641 static int test_rpk_api(void)
642 {
643 int ret = 0;
644 SSL_CTX *cctx = NULL, *sctx = NULL;
645 unsigned char cert_type_dups[] = { TLSEXT_cert_type_rpk,
646 TLSEXT_cert_type_x509,
647 TLSEXT_cert_type_x509 };
648 unsigned char cert_type_bad[] = { 0xFF };
649 unsigned char cert_type_extra[] = { TLSEXT_cert_type_rpk,
650 TLSEXT_cert_type_x509,
651 0xFF };
652 unsigned char cert_type_unsup[] = { TLSEXT_cert_type_pgp,
653 TLSEXT_cert_type_1609dot2 };
654 unsigned char cert_type_just_x509[] = { TLSEXT_cert_type_x509 };
655 unsigned char cert_type_just_rpk[] = { TLSEXT_cert_type_rpk };
656
657 if (!TEST_true(create_ssl_ctx_pair(NULL,
658 TLS_server_method(), TLS_client_method(),
659 TLS1_2_VERSION, TLS1_2_VERSION,
660 &sctx, &cctx, NULL, NULL)))
661 goto end;
662
663 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_dups, sizeof(cert_type_dups))))
664 goto end;
665
666 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_bad, sizeof(cert_type_bad))))
667 goto end;
668
669 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_extra, sizeof(cert_type_extra))))
670 goto end;
671
672 if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_unsup, sizeof(cert_type_unsup))))
673 goto end;
674
675 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_just_x509, sizeof(cert_type_just_x509))))
676 goto end;
677
678 if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_just_rpk, sizeof(cert_type_just_rpk))))
679 goto end;
680
681 ret = 1;
682 end:
683 SSL_CTX_free(sctx);
684 SSL_CTX_free(cctx);
685 return ret;
686 }
687 OPT_TEST_DECLARE_USAGE("certdir\n")
688
689 int setup_tests(void)
690 {
691 if (!test_skip_common_options()) {
692 TEST_error("Error parsing test options\n");
693 return 0;
694 }
695
696 if (!TEST_ptr(certsdir = test_get_argument(0)))
697 return 0;
698
699 rootcert = test_mk_file_path(certsdir, "rootcert.pem");
700 if (rootcert == NULL)
701 goto err;
702
703 cert = test_mk_file_path(certsdir, "servercert.pem");
704 if (cert == NULL)
705 goto err;
706
707 privkey = test_mk_file_path(certsdir, "serverkey.pem");
708 if (privkey == NULL)
709 goto err;
710
711 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
712 if (cert2 == NULL)
713 goto err;
714
715 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
716 if (privkey2 == NULL)
717 goto err;
718
719 cert448 = test_mk_file_path(certsdir, "server-ed448-cert.pem");
720 if (cert2 == NULL)
721 goto err;
722
723 privkey448 = test_mk_file_path(certsdir, "server-ed448-key.pem");
724 if (privkey2 == NULL)
725 goto err;
726
727 cert25519 = test_mk_file_path(certsdir, "server-ed25519-cert.pem");
728 if (cert2 == NULL)
729 goto err;
730
731 privkey25519 = test_mk_file_path(certsdir, "server-ed25519-key.pem");
732 if (privkey2 == NULL)
733 goto err;
734
735 libctx = OSSL_LIB_CTX_new();
736 if (libctx == NULL)
737 goto err;
738
739 ADD_TEST(test_rpk_api);
740 ADD_ALL_TESTS(test_rpk, RPK_TESTS * RPK_DIMS);
741 return 1;
742
743 err:
744 return 0;
745 }
746
747 void cleanup_tests(void)
748 {
749 OPENSSL_free(rootcert);
750 OPENSSL_free(cert);
751 OPENSSL_free(privkey);
752 OPENSSL_free(cert2);
753 OPENSSL_free(privkey2);
754 OPENSSL_free(cert448);
755 OPENSSL_free(privkey448);
756 OPENSSL_free(cert25519);
757 OPENSSL_free(privkey25519);
758 OSSL_LIB_CTX_free(libctx);
759 }
A mirror of the official openssl repository