]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Extend tests of SSL_check_chain()
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <string.h>
12
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
22
23 #include "ssltestlib.h"
24 #include "testutil.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_locl.h"
29
30 #ifndef OPENSSL_NO_TLS1_3
31
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
36
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
41
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
44
45 static SSL_SESSION *create_a_psk(SSL *ssl);
46 #endif
47
48 static char *certsdir = NULL;
49 static char *cert = NULL;
50 static char *privkey = NULL;
51 static char *srpvfile = NULL;
52 static char *tmpfilename = NULL;
53
54 #define LOG_BUFFER_SIZE 2048
55 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
56 static size_t server_log_buffer_index = 0;
57 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
58 static size_t client_log_buffer_index = 0;
59 static int error_writing_log = 0;
60
61 #ifndef OPENSSL_NO_OCSP
62 static const unsigned char orespder[] = "Dummy OCSP Response";
63 static int ocsp_server_called = 0;
64 static int ocsp_client_called = 0;
65
66 static int cdummyarg = 1;
67 static X509 *ocspcert = NULL;
68 #endif
69
70 #define NUM_EXTRA_CERTS 40
71 #define CLIENT_VERSION_LEN 2
72
73 /*
74 * This structure is used to validate that the correct number of log messages
75 * of various types are emitted when emitting secret logs.
76 */
77 struct sslapitest_log_counts {
78 unsigned int rsa_key_exchange_count;
79 unsigned int master_secret_count;
80 unsigned int client_early_secret_count;
81 unsigned int client_handshake_secret_count;
82 unsigned int server_handshake_secret_count;
83 unsigned int client_application_secret_count;
84 unsigned int server_application_secret_count;
85 unsigned int early_exporter_secret_count;
86 unsigned int exporter_secret_count;
87 };
88
89
90 static unsigned char serverinfov1[] = {
91 0xff, 0xff, /* Dummy extension type */
92 0x00, 0x01, /* Extension length is 1 byte */
93 0xff /* Dummy extension data */
94 };
95
96 static unsigned char serverinfov2[] = {
97 0x00, 0x00, 0x00,
98 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
99 0xff, 0xff, /* Dummy extension type */
100 0x00, 0x01, /* Extension length is 1 byte */
101 0xff /* Dummy extension data */
102 };
103
104 static void client_keylog_callback(const SSL *ssl, const char *line)
105 {
106 int line_length = strlen(line);
107
108 /* If the log doesn't fit, error out. */
109 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
110 TEST_info("Client log too full");
111 error_writing_log = 1;
112 return;
113 }
114
115 strcat(client_log_buffer, line);
116 client_log_buffer_index += line_length;
117 client_log_buffer[client_log_buffer_index++] = '\n';
118 }
119
120 static void server_keylog_callback(const SSL *ssl, const char *line)
121 {
122 int line_length = strlen(line);
123
124 /* If the log doesn't fit, error out. */
125 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
126 TEST_info("Server log too full");
127 error_writing_log = 1;
128 return;
129 }
130
131 strcat(server_log_buffer, line);
132 server_log_buffer_index += line_length;
133 server_log_buffer[server_log_buffer_index++] = '\n';
134 }
135
136 static int compare_hex_encoded_buffer(const char *hex_encoded,
137 size_t hex_length,
138 const uint8_t *raw,
139 size_t raw_length)
140 {
141 size_t i, j;
142 char hexed[3];
143
144 if (!TEST_size_t_eq(raw_length * 2, hex_length))
145 return 1;
146
147 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
148 sprintf(hexed, "%02x", raw[i]);
149 if (!TEST_int_eq(hexed[0], hex_encoded[j])
150 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
151 return 1;
152 }
153
154 return 0;
155 }
156
157 static int test_keylog_output(char *buffer, const SSL *ssl,
158 const SSL_SESSION *session,
159 struct sslapitest_log_counts *expected)
160 {
161 char *token = NULL;
162 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
163 size_t client_random_size = SSL3_RANDOM_SIZE;
164 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
165 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
166 unsigned int rsa_key_exchange_count = 0;
167 unsigned int master_secret_count = 0;
168 unsigned int client_early_secret_count = 0;
169 unsigned int client_handshake_secret_count = 0;
170 unsigned int server_handshake_secret_count = 0;
171 unsigned int client_application_secret_count = 0;
172 unsigned int server_application_secret_count = 0;
173 unsigned int early_exporter_secret_count = 0;
174 unsigned int exporter_secret_count = 0;
175
176 for (token = strtok(buffer, " \n"); token != NULL;
177 token = strtok(NULL, " \n")) {
178 if (strcmp(token, "RSA") == 0) {
179 /*
180 * Premaster secret. Tokens should be: 16 ASCII bytes of
181 * hex-encoded encrypted secret, then the hex-encoded pre-master
182 * secret.
183 */
184 if (!TEST_ptr(token = strtok(NULL, " \n")))
185 return 0;
186 if (!TEST_size_t_eq(strlen(token), 16))
187 return 0;
188 if (!TEST_ptr(token = strtok(NULL, " \n")))
189 return 0;
190 /*
191 * We can't sensibly check the log because the premaster secret is
192 * transient, and OpenSSL doesn't keep hold of it once the master
193 * secret is generated.
194 */
195 rsa_key_exchange_count++;
196 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
197 /*
198 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, then the hex-encoded master secret.
200 */
201 client_random_size = SSL_get_client_random(ssl,
202 actual_client_random,
203 SSL3_RANDOM_SIZE);
204 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
205 return 0;
206
207 if (!TEST_ptr(token = strtok(NULL, " \n")))
208 return 0;
209 if (!TEST_size_t_eq(strlen(token), 64))
210 return 0;
211 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
212 actual_client_random,
213 client_random_size)))
214 return 0;
215
216 if (!TEST_ptr(token = strtok(NULL, " \n")))
217 return 0;
218 master_key_size = SSL_SESSION_get_master_key(session,
219 actual_master_key,
220 master_key_size);
221 if (!TEST_size_t_ne(master_key_size, 0))
222 return 0;
223 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 actual_master_key,
225 master_key_size)))
226 return 0;
227 master_secret_count++;
228 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
229 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
231 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
233 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
234 || strcmp(token, "EXPORTER_SECRET") == 0) {
235 /*
236 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
237 * client random, and then the hex-encoded secret. In this case,
238 * we treat all of these secrets identically and then just
239 * distinguish between them when counting what we saw.
240 */
241 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
242 client_early_secret_count++;
243 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
244 client_handshake_secret_count++;
245 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
246 server_handshake_secret_count++;
247 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
248 client_application_secret_count++;
249 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
250 server_application_secret_count++;
251 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
252 early_exporter_secret_count++;
253 else if (strcmp(token, "EXPORTER_SECRET") == 0)
254 exporter_secret_count++;
255
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
258 SSL3_RANDOM_SIZE);
259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 if (!TEST_size_t_eq(strlen(token), 64))
265 return 0;
266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
269 return 0;
270
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 return 0;
273
274 /*
275 * TODO(TLS1.3): test that application traffic secrets are what
276 * we expect */
277 } else {
278 TEST_info("Unexpected token %s\n", token);
279 return 0;
280 }
281 }
282
283 /* Got what we expected? */
284 if (!TEST_size_t_eq(rsa_key_exchange_count,
285 expected->rsa_key_exchange_count)
286 || !TEST_size_t_eq(master_secret_count,
287 expected->master_secret_count)
288 || !TEST_size_t_eq(client_early_secret_count,
289 expected->client_early_secret_count)
290 || !TEST_size_t_eq(client_handshake_secret_count,
291 expected->client_handshake_secret_count)
292 || !TEST_size_t_eq(server_handshake_secret_count,
293 expected->server_handshake_secret_count)
294 || !TEST_size_t_eq(client_application_secret_count,
295 expected->client_application_secret_count)
296 || !TEST_size_t_eq(server_application_secret_count,
297 expected->server_application_secret_count)
298 || !TEST_size_t_eq(early_exporter_secret_count,
299 expected->early_exporter_secret_count)
300 || !TEST_size_t_eq(exporter_secret_count,
301 expected->exporter_secret_count))
302 return 0;
303 return 1;
304 }
305
306 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
307 static int test_keylog(void)
308 {
309 SSL_CTX *cctx = NULL, *sctx = NULL;
310 SSL *clientssl = NULL, *serverssl = NULL;
311 int testresult = 0;
312 struct sslapitest_log_counts expected;
313
314 /* Clean up logging space */
315 memset(&expected, 0, sizeof(expected));
316 memset(client_log_buffer, 0, sizeof(client_log_buffer));
317 memset(server_log_buffer, 0, sizeof(server_log_buffer));
318 client_log_buffer_index = 0;
319 server_log_buffer_index = 0;
320 error_writing_log = 0;
321
322 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
323 TLS_client_method(),
324 TLS1_VERSION, 0,
325 &sctx, &cctx, cert, privkey)))
326 return 0;
327
328 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
329 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
330 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
331
332 /* We also want to ensure that we use RSA-based key exchange. */
333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
334 goto end;
335
336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
337 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
338 goto end;
339 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
340 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
341 == client_keylog_callback))
342 goto end;
343 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
344 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
345 == server_keylog_callback))
346 goto end;
347
348 /* Now do a handshake and check that the logs have been written to. */
349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
350 &clientssl, NULL, NULL))
351 || !TEST_true(create_ssl_connection(serverssl, clientssl,
352 SSL_ERROR_NONE))
353 || !TEST_false(error_writing_log)
354 || !TEST_int_gt(client_log_buffer_index, 0)
355 || !TEST_int_gt(server_log_buffer_index, 0))
356 goto end;
357
358 /*
359 * Now we want to test that our output data was vaguely sensible. We
360 * do that by using strtok and confirming that we have more or less the
361 * data we expect. For both client and server, we expect to see one master
362 * secret. The client should also see a RSA key exchange.
363 */
364 expected.rsa_key_exchange_count = 1;
365 expected.master_secret_count = 1;
366 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
367 SSL_get_session(clientssl), &expected)))
368 goto end;
369
370 expected.rsa_key_exchange_count = 0;
371 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
372 SSL_get_session(serverssl), &expected)))
373 goto end;
374
375 testresult = 1;
376
377 end:
378 SSL_free(serverssl);
379 SSL_free(clientssl);
380 SSL_CTX_free(sctx);
381 SSL_CTX_free(cctx);
382
383 return testresult;
384 }
385 #endif
386
387 #ifndef OPENSSL_NO_TLS1_3
388 static int test_keylog_no_master_key(void)
389 {
390 SSL_CTX *cctx = NULL, *sctx = NULL;
391 SSL *clientssl = NULL, *serverssl = NULL;
392 SSL_SESSION *sess = NULL;
393 int testresult = 0;
394 struct sslapitest_log_counts expected;
395 unsigned char buf[1];
396 size_t readbytes, written;
397
398 /* Clean up logging space */
399 memset(&expected, 0, sizeof(expected));
400 memset(client_log_buffer, 0, sizeof(client_log_buffer));
401 memset(server_log_buffer, 0, sizeof(server_log_buffer));
402 client_log_buffer_index = 0;
403 server_log_buffer_index = 0;
404 error_writing_log = 0;
405
406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
407 TLS1_VERSION, 0,
408 &sctx, &cctx, cert, privkey))
409 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
410 SSL3_RT_MAX_PLAIN_LENGTH)))
411 return 0;
412
413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
414 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
415 goto end;
416
417 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
418 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
419 == client_keylog_callback))
420 goto end;
421
422 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
423 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
424 == server_keylog_callback))
425 goto end;
426
427 /* Now do a handshake and check that the logs have been written to. */
428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
429 &clientssl, NULL, NULL))
430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
431 SSL_ERROR_NONE))
432 || !TEST_false(error_writing_log))
433 goto end;
434
435 /*
436 * Now we want to test that our output data was vaguely sensible. For this
437 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
438 * TLSv1.3, but we do expect both client and server to emit keys.
439 */
440 expected.client_handshake_secret_count = 1;
441 expected.server_handshake_secret_count = 1;
442 expected.client_application_secret_count = 1;
443 expected.server_application_secret_count = 1;
444 expected.exporter_secret_count = 1;
445 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
446 SSL_get_session(clientssl), &expected))
447 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
448 SSL_get_session(serverssl),
449 &expected)))
450 goto end;
451
452 /* Terminate old session and resume with early data. */
453 sess = SSL_get1_session(clientssl);
454 SSL_shutdown(clientssl);
455 SSL_shutdown(serverssl);
456 SSL_free(serverssl);
457 SSL_free(clientssl);
458 serverssl = clientssl = NULL;
459
460 /* Reset key log */
461 memset(client_log_buffer, 0, sizeof(client_log_buffer));
462 memset(server_log_buffer, 0, sizeof(server_log_buffer));
463 client_log_buffer_index = 0;
464 server_log_buffer_index = 0;
465
466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_true(SSL_set_session(clientssl, sess))
469 /* Here writing 0 length early data is enough. */
470 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
472 &readbytes),
473 SSL_READ_EARLY_DATA_ERROR)
474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
475 SSL_EARLY_DATA_ACCEPTED)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 SSL_ERROR_NONE))
478 || !TEST_true(SSL_session_reused(clientssl)))
479 goto end;
480
481 /* In addition to the previous entries, expect early secrets. */
482 expected.client_early_secret_count = 1;
483 expected.early_exporter_secret_count = 1;
484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
488 &expected)))
489 goto end;
490
491 testresult = 1;
492
493 end:
494 SSL_SESSION_free(sess);
495 SSL_free(serverssl);
496 SSL_free(clientssl);
497 SSL_CTX_free(sctx);
498 SSL_CTX_free(cctx);
499
500 return testresult;
501 }
502 #endif
503
504 #ifndef OPENSSL_NO_TLS1_2
505 static int full_client_hello_callback(SSL *s, int *al, void *arg)
506 {
507 int *ctr = arg;
508 const unsigned char *p;
509 int *exts;
510 /* We only configure two ciphers, but the SCSV is added automatically. */
511 #ifdef OPENSSL_NO_EC
512 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
513 #else
514 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
515 0x2c, 0x00, 0xff};
516 #endif
517 const int expected_extensions[] = {
518 #ifndef OPENSSL_NO_EC
519 11, 10,
520 #endif
521 35, 22, 23, 13};
522 size_t len;
523
524 /* Make sure we can defer processing and get called back. */
525 if ((*ctr)++ == 0)
526 return SSL_CLIENT_HELLO_RETRY;
527
528 len = SSL_client_hello_get0_ciphers(s, &p);
529 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
530 || !TEST_size_t_eq(
531 SSL_client_hello_get0_compression_methods(s, &p), 1)
532 || !TEST_int_eq(*p, 0))
533 return SSL_CLIENT_HELLO_ERROR;
534 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
535 return SSL_CLIENT_HELLO_ERROR;
536 if (len != OSSL_NELEM(expected_extensions) ||
537 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
538 printf("ClientHello callback expected extensions mismatch\n");
539 OPENSSL_free(exts);
540 return SSL_CLIENT_HELLO_ERROR;
541 }
542 OPENSSL_free(exts);
543 return SSL_CLIENT_HELLO_SUCCESS;
544 }
545
546 static int test_client_hello_cb(void)
547 {
548 SSL_CTX *cctx = NULL, *sctx = NULL;
549 SSL *clientssl = NULL, *serverssl = NULL;
550 int testctr = 0, testresult = 0;
551
552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
553 TLS1_VERSION, 0,
554 &sctx, &cctx, cert, privkey)))
555 goto end;
556 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
557
558 /* The gimpy cipher list we configure can't do TLS 1.3. */
559 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
560
561 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
562 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
563 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
564 &clientssl, NULL, NULL))
565 || !TEST_false(create_ssl_connection(serverssl, clientssl,
566 SSL_ERROR_WANT_CLIENT_HELLO_CB))
567 /*
568 * Passing a -1 literal is a hack since
569 * the real value was lost.
570 * */
571 || !TEST_int_eq(SSL_get_error(serverssl, -1),
572 SSL_ERROR_WANT_CLIENT_HELLO_CB)
573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
574 SSL_ERROR_NONE)))
575 goto end;
576
577 testresult = 1;
578
579 end:
580 SSL_free(serverssl);
581 SSL_free(clientssl);
582 SSL_CTX_free(sctx);
583 SSL_CTX_free(cctx);
584
585 return testresult;
586 }
587
588 static int test_no_ems(void)
589 {
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testresult = 0;
593
594 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
595 TLS1_VERSION, TLS1_2_VERSION,
596 &sctx, &cctx, cert, privkey)) {
597 printf("Unable to create SSL_CTX pair\n");
598 goto end;
599 }
600
601 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
602
603 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
604 printf("Unable to create SSL objects\n");
605 goto end;
606 }
607
608 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
609 printf("Creating SSL connection failed\n");
610 goto end;
611 }
612
613 if (SSL_get_extms_support(serverssl)) {
614 printf("Server reports Extended Master Secret support\n");
615 goto end;
616 }
617
618 if (SSL_get_extms_support(clientssl)) {
619 printf("Client reports Extended Master Secret support\n");
620 goto end;
621 }
622 testresult = 1;
623
624 end:
625 SSL_free(serverssl);
626 SSL_free(clientssl);
627 SSL_CTX_free(sctx);
628 SSL_CTX_free(cctx);
629
630 return testresult;
631 }
632 #endif
633
634 static int execute_test_large_message(const SSL_METHOD *smeth,
635 const SSL_METHOD *cmeth,
636 int min_version, int max_version,
637 int read_ahead)
638 {
639 SSL_CTX *cctx = NULL, *sctx = NULL;
640 SSL *clientssl = NULL, *serverssl = NULL;
641 int testresult = 0;
642 int i;
643 BIO *certbio = NULL;
644 X509 *chaincert = NULL;
645 int certlen;
646
647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
648 goto end;
649 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
650 BIO_free(certbio);
651 certbio = NULL;
652 if (!TEST_ptr(chaincert))
653 goto end;
654
655 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
656 &sctx, &cctx, cert, privkey)))
657 goto end;
658
659 if (read_ahead) {
660 /*
661 * Test that read_ahead works correctly when dealing with large
662 * records
663 */
664 SSL_CTX_set_read_ahead(cctx, 1);
665 }
666
667 /*
668 * We assume the supplied certificate is big enough so that if we add
669 * NUM_EXTRA_CERTS it will make the overall message large enough. The
670 * default buffer size is requested to be 16k, but due to the way BUF_MEM
671 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
672 * test we need to have a message larger than that.
673 */
674 certlen = i2d_X509(chaincert, NULL);
675 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
676 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
677 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
678 if (!X509_up_ref(chaincert))
679 goto end;
680 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
681 X509_free(chaincert);
682 goto end;
683 }
684 }
685
686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
687 NULL, NULL))
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
689 SSL_ERROR_NONE)))
690 goto end;
691
692 /*
693 * Calling SSL_clear() first is not required but this tests that SSL_clear()
694 * doesn't leak (when using enable-crypto-mdebug).
695 */
696 if (!TEST_true(SSL_clear(serverssl)))
697 goto end;
698
699 testresult = 1;
700 end:
701 X509_free(chaincert);
702 SSL_free(serverssl);
703 SSL_free(clientssl);
704 SSL_CTX_free(sctx);
705 SSL_CTX_free(cctx);
706
707 return testresult;
708 }
709
710 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
711 && !defined(OPENSSL_NO_SOCK)
712
713 /* sock must be connected */
714 static int ktls_chk_platform(int sock)
715 {
716 if (!ktls_enable(sock))
717 return 0;
718 return 1;
719 }
720
721 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
722 {
723 static char count = 1;
724 unsigned char cbuf[16000] = {0};
725 unsigned char sbuf[16000];
726 size_t err = 0;
727 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
735
736 cbuf[0] = count++;
737 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
738 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
739 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
740 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
741 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
742 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
744 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
745
746 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
747 goto end;
748
749 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
750 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
751 goto end;
752 }
753 }
754
755 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
756 goto end;
757
758 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
759 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
760 goto end;
761 }
762 }
763
764 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
765 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
766 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
767 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
768 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
769 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
771 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
772
773 /* verify the payload */
774 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
775 goto end;
776
777 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
778 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
779 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
780 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
781 goto end;
782 } else {
783 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
784 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
785 goto end;
786 }
787
788 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
789 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
791 goto end;
792 } else {
793 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
794 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
795 goto end;
796 }
797
798 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
799 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
801 goto end;
802 } else {
803 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
805 goto end;
806 }
807
808 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
809 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
811 goto end;
812 } else {
813 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
815 goto end;
816 }
817
818 return 1;
819 end:
820 return 0;
821 }
822
823 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
824 int sis_ktls_tx, int sis_ktls_rx)
825 {
826 SSL_CTX *cctx = NULL, *sctx = NULL;
827 SSL *clientssl = NULL, *serverssl = NULL;
828 int testresult = 0;
829 int cfd, sfd;
830
831 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
832 goto end;
833
834 /* Skip this test if the platform does not support ktls */
835 if (!ktls_chk_platform(cfd))
836 return 1;
837
838 /* Create a session based on SHA-256 */
839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
840 TLS_client_method(),
841 TLS1_2_VERSION, TLS1_2_VERSION,
842 &sctx, &cctx, cert, privkey))
843 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
844 "AES128-GCM-SHA256"))
845 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
846 &clientssl, sfd, cfd)))
847 goto end;
848
849 if (!cis_ktls_tx) {
850 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
851 goto end;
852 }
853
854 if (!sis_ktls_tx) {
855 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
856 goto end;
857 }
858
859 if (!cis_ktls_rx) {
860 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
861 goto end;
862 }
863
864 if (!sis_ktls_rx) {
865 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
866 goto end;
867 }
868
869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
870 SSL_ERROR_NONE)))
871 goto end;
872
873 if (!cis_ktls_tx) {
874 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
875 goto end;
876 } else {
877 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
878 goto end;
879 }
880
881 if (!sis_ktls_tx) {
882 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
883 goto end;
884 } else {
885 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
886 goto end;
887 }
888
889 if (!cis_ktls_rx) {
890 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
891 goto end;
892 } else {
893 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
894 goto end;
895 }
896
897 if (!sis_ktls_rx) {
898 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
899 goto end;
900 } else {
901 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
902 goto end;
903 }
904
905 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
906 goto end;
907
908 testresult = 1;
909 end:
910 if (clientssl) {
911 SSL_shutdown(clientssl);
912 SSL_free(clientssl);
913 }
914 if (serverssl) {
915 SSL_shutdown(serverssl);
916 SSL_free(serverssl);
917 }
918 SSL_CTX_free(sctx);
919 SSL_CTX_free(cctx);
920 serverssl = clientssl = NULL;
921 return testresult;
922 }
923
924 #define SENDFILE_SZ (16 * 4096)
925 #define SENDFILE_CHUNK (4 * 4096)
926 #define min(a,b) ((a) > (b) ? (b) : (a))
927
928 static int test_ktls_sendfile(void)
929 {
930 SSL_CTX *cctx = NULL, *sctx = NULL;
931 SSL *clientssl = NULL, *serverssl = NULL;
932 unsigned char *buf, *buf_dst;
933 BIO *out = NULL, *in = NULL;
934 int cfd, sfd, ffd, err;
935 ssize_t chunk_size = 0;
936 off_t chunk_off = 0;
937 int testresult = 0;
938 FILE *ffdp;
939
940 buf = OPENSSL_zalloc(SENDFILE_SZ);
941 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
942 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
943 || !TEST_true(create_test_sockets(&cfd, &sfd)))
944 goto end;
945
946 /* Skip this test if the platform does not support ktls */
947 if (!ktls_chk_platform(sfd)) {
948 testresult = 1;
949 goto end;
950 }
951
952 /* Create a session based on SHA-256 */
953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
954 TLS_client_method(),
955 TLS1_2_VERSION, TLS1_2_VERSION,
956 &sctx, &cctx, cert, privkey))
957 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
958 "AES128-GCM-SHA256"))
959 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
960 &clientssl, sfd, cfd)))
961 goto end;
962
963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
964 SSL_ERROR_NONE))
965 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
966 goto end;
967
968 RAND_bytes(buf, SENDFILE_SZ);
969 out = BIO_new_file(tmpfilename, "wb");
970 if (!TEST_ptr(out))
971 goto end;
972
973 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
974 goto end;
975
976 BIO_free(out);
977 out = NULL;
978 in = BIO_new_file(tmpfilename, "rb");
979 BIO_get_fp(in, &ffdp);
980 ffd = fileno(ffdp);
981
982 while (chunk_off < SENDFILE_SZ) {
983 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
984 while ((err = SSL_sendfile(serverssl,
985 ffd,
986 chunk_off,
987 chunk_size,
988 0)) != chunk_size) {
989 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
990 goto end;
991 }
992 while ((err = SSL_read(clientssl,
993 buf_dst + chunk_off,
994 chunk_size)) != chunk_size) {
995 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
996 goto end;
997 }
998
999 /* verify the payload */
1000 if (!TEST_mem_eq(buf_dst + chunk_off,
1001 chunk_size,
1002 buf + chunk_off,
1003 chunk_size))
1004 goto end;
1005
1006 chunk_off += chunk_size;
1007 }
1008
1009 testresult = 1;
1010 end:
1011 if (clientssl) {
1012 SSL_shutdown(clientssl);
1013 SSL_free(clientssl);
1014 }
1015 if (serverssl) {
1016 SSL_shutdown(serverssl);
1017 SSL_free(serverssl);
1018 }
1019 SSL_CTX_free(sctx);
1020 SSL_CTX_free(cctx);
1021 serverssl = clientssl = NULL;
1022 BIO_free(out);
1023 BIO_free(in);
1024 OPENSSL_free(buf);
1025 OPENSSL_free(buf_dst);
1026 return testresult;
1027 }
1028
1029 static int test_ktls_no_txrx_client_no_txrx_server(void)
1030 {
1031 return execute_test_ktls(0, 0, 0, 0);
1032 }
1033
1034 static int test_ktls_no_rx_client_no_txrx_server(void)
1035 {
1036 return execute_test_ktls(1, 0, 0, 0);
1037 }
1038
1039 static int test_ktls_no_tx_client_no_txrx_server(void)
1040 {
1041 return execute_test_ktls(0, 1, 0, 0);
1042 }
1043
1044 static int test_ktls_client_no_txrx_server(void)
1045 {
1046 return execute_test_ktls(1, 1, 0, 0);
1047 }
1048
1049 static int test_ktls_no_txrx_client_no_rx_server(void)
1050 {
1051 return execute_test_ktls(0, 0, 1, 0);
1052 }
1053
1054 static int test_ktls_no_rx_client_no_rx_server(void)
1055 {
1056 return execute_test_ktls(1, 0, 1, 0);
1057 }
1058
1059 static int test_ktls_no_tx_client_no_rx_server(void)
1060 {
1061 return execute_test_ktls(0, 1, 1, 0);
1062 }
1063
1064 static int test_ktls_client_no_rx_server(void)
1065 {
1066 return execute_test_ktls(1, 1, 1, 0);
1067 }
1068
1069 static int test_ktls_no_txrx_client_no_tx_server(void)
1070 {
1071 return execute_test_ktls(0, 0, 0, 1);
1072 }
1073
1074 static int test_ktls_no_rx_client_no_tx_server(void)
1075 {
1076 return execute_test_ktls(1, 0, 0, 1);
1077 }
1078
1079 static int test_ktls_no_tx_client_no_tx_server(void)
1080 {
1081 return execute_test_ktls(0, 1, 0, 1);
1082 }
1083
1084 static int test_ktls_client_no_tx_server(void)
1085 {
1086 return execute_test_ktls(1, 1, 0, 1);
1087 }
1088
1089 static int test_ktls_no_txrx_client_server(void)
1090 {
1091 return execute_test_ktls(0, 0, 1, 1);
1092 }
1093
1094 static int test_ktls_no_rx_client_server(void)
1095 {
1096 return execute_test_ktls(1, 0, 1, 1);
1097 }
1098
1099 static int test_ktls_no_tx_client_server(void)
1100 {
1101 return execute_test_ktls(0, 1, 1, 1);
1102 }
1103
1104 static int test_ktls_client_server(void)
1105 {
1106 return execute_test_ktls(1, 1, 1, 1);
1107 }
1108 #endif
1109
1110 static int test_large_message_tls(void)
1111 {
1112 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1113 TLS1_VERSION, 0, 0);
1114 }
1115
1116 static int test_large_message_tls_read_ahead(void)
1117 {
1118 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1119 TLS1_VERSION, 0, 1);
1120 }
1121
1122 #ifndef OPENSSL_NO_DTLS
1123 static int test_large_message_dtls(void)
1124 {
1125 /*
1126 * read_ahead is not relevant to DTLS because DTLS always acts as if
1127 * read_ahead is set.
1128 */
1129 return execute_test_large_message(DTLS_server_method(),
1130 DTLS_client_method(),
1131 DTLS1_VERSION, 0, 0);
1132 }
1133 #endif
1134
1135 #ifndef OPENSSL_NO_OCSP
1136 static int ocsp_server_cb(SSL *s, void *arg)
1137 {
1138 int *argi = (int *)arg;
1139 unsigned char *copy = NULL;
1140 STACK_OF(OCSP_RESPID) *ids = NULL;
1141 OCSP_RESPID *id = NULL;
1142
1143 if (*argi == 2) {
1144 /* In this test we are expecting exactly 1 OCSP_RESPID */
1145 SSL_get_tlsext_status_ids(s, &ids);
1146 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1147 return SSL_TLSEXT_ERR_ALERT_FATAL;
1148
1149 id = sk_OCSP_RESPID_value(ids, 0);
1150 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1151 return SSL_TLSEXT_ERR_ALERT_FATAL;
1152 } else if (*argi != 1) {
1153 return SSL_TLSEXT_ERR_ALERT_FATAL;
1154 }
1155
1156 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1157 return SSL_TLSEXT_ERR_ALERT_FATAL;
1158
1159 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1160 ocsp_server_called = 1;
1161 return SSL_TLSEXT_ERR_OK;
1162 }
1163
1164 static int ocsp_client_cb(SSL *s, void *arg)
1165 {
1166 int *argi = (int *)arg;
1167 const unsigned char *respderin;
1168 size_t len;
1169
1170 if (*argi != 1 && *argi != 2)
1171 return 0;
1172
1173 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1174 if (!TEST_mem_eq(orespder, len, respderin, len))
1175 return 0;
1176
1177 ocsp_client_called = 1;
1178 return 1;
1179 }
1180
1181 static int test_tlsext_status_type(void)
1182 {
1183 SSL_CTX *cctx = NULL, *sctx = NULL;
1184 SSL *clientssl = NULL, *serverssl = NULL;
1185 int testresult = 0;
1186 STACK_OF(OCSP_RESPID) *ids = NULL;
1187 OCSP_RESPID *id = NULL;
1188 BIO *certbio = NULL;
1189
1190 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1191 TLS1_VERSION, 0,
1192 &sctx, &cctx, cert, privkey))
1193 return 0;
1194
1195 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1196 goto end;
1197
1198 /* First just do various checks getting and setting tlsext_status_type */
1199
1200 clientssl = SSL_new(cctx);
1201 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1202 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1203 TLSEXT_STATUSTYPE_ocsp))
1204 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1205 TLSEXT_STATUSTYPE_ocsp))
1206 goto end;
1207
1208 SSL_free(clientssl);
1209 clientssl = NULL;
1210
1211 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1212 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1213 goto end;
1214
1215 clientssl = SSL_new(cctx);
1216 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1217 goto end;
1218 SSL_free(clientssl);
1219 clientssl = NULL;
1220
1221 /*
1222 * Now actually do a handshake and check OCSP information is exchanged and
1223 * the callbacks get called
1224 */
1225 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1226 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1227 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1228 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1230 &clientssl, NULL, NULL))
1231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1232 SSL_ERROR_NONE))
1233 || !TEST_true(ocsp_client_called)
1234 || !TEST_true(ocsp_server_called))
1235 goto end;
1236 SSL_free(serverssl);
1237 SSL_free(clientssl);
1238 serverssl = NULL;
1239 clientssl = NULL;
1240
1241 /* Try again but this time force the server side callback to fail */
1242 ocsp_client_called = 0;
1243 ocsp_server_called = 0;
1244 cdummyarg = 0;
1245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1246 &clientssl, NULL, NULL))
1247 /* This should fail because the callback will fail */
1248 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1249 SSL_ERROR_NONE))
1250 || !TEST_false(ocsp_client_called)
1251 || !TEST_false(ocsp_server_called))
1252 goto end;
1253 SSL_free(serverssl);
1254 SSL_free(clientssl);
1255 serverssl = NULL;
1256 clientssl = NULL;
1257
1258 /*
1259 * This time we'll get the client to send an OCSP_RESPID that it will
1260 * accept.
1261 */
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1264 cdummyarg = 2;
1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL)))
1267 goto end;
1268
1269 /*
1270 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1271 * specific one. We'll use the server cert.
1272 */
1273 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1274 || !TEST_ptr(id = OCSP_RESPID_new())
1275 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1276 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1277 NULL, NULL, NULL))
1278 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1279 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1280 goto end;
1281 id = NULL;
1282 SSL_set_tlsext_status_ids(clientssl, ids);
1283 /* Control has been transferred */
1284 ids = NULL;
1285
1286 BIO_free(certbio);
1287 certbio = NULL;
1288
1289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1290 SSL_ERROR_NONE))
1291 || !TEST_true(ocsp_client_called)
1292 || !TEST_true(ocsp_server_called))
1293 goto end;
1294
1295 testresult = 1;
1296
1297 end:
1298 SSL_free(serverssl);
1299 SSL_free(clientssl);
1300 SSL_CTX_free(sctx);
1301 SSL_CTX_free(cctx);
1302 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1303 OCSP_RESPID_free(id);
1304 BIO_free(certbio);
1305 X509_free(ocspcert);
1306 ocspcert = NULL;
1307
1308 return testresult;
1309 }
1310 #endif
1311
1312 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1313 static int new_called, remove_called, get_called;
1314
1315 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1316 {
1317 new_called++;
1318 /*
1319 * sess has been up-refed for us, but we don't actually need it so free it
1320 * immediately.
1321 */
1322 SSL_SESSION_free(sess);
1323 return 1;
1324 }
1325
1326 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1327 {
1328 remove_called++;
1329 }
1330
1331 static SSL_SESSION *get_sess_val = NULL;
1332
1333 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1334 int *copy)
1335 {
1336 get_called++;
1337 *copy = 1;
1338 return get_sess_val;
1339 }
1340
1341 static int execute_test_session(int maxprot, int use_int_cache,
1342 int use_ext_cache)
1343 {
1344 SSL_CTX *sctx = NULL, *cctx = NULL;
1345 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1346 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1347 # ifndef OPENSSL_NO_TLS1_1
1348 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1349 # endif
1350 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1351 int testresult = 0, numnewsesstick = 1;
1352
1353 new_called = remove_called = 0;
1354
1355 /* TLSv1.3 sends 2 NewSessionTickets */
1356 if (maxprot == TLS1_3_VERSION)
1357 numnewsesstick = 2;
1358
1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1360 TLS1_VERSION, 0,
1361 &sctx, &cctx, cert, privkey)))
1362 return 0;
1363
1364 /*
1365 * Only allow the max protocol version so we can force a connection failure
1366 * later
1367 */
1368 SSL_CTX_set_min_proto_version(cctx, maxprot);
1369 SSL_CTX_set_max_proto_version(cctx, maxprot);
1370
1371 /* Set up session cache */
1372 if (use_ext_cache) {
1373 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1374 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1375 }
1376 if (use_int_cache) {
1377 /* Also covers instance where both are set */
1378 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1379 } else {
1380 SSL_CTX_set_session_cache_mode(cctx,
1381 SSL_SESS_CACHE_CLIENT
1382 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1383 }
1384
1385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1386 NULL, NULL))
1387 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1388 SSL_ERROR_NONE))
1389 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1390 goto end;
1391
1392 /* Should fail because it should already be in the cache */
1393 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1394 goto end;
1395 if (use_ext_cache
1396 && (!TEST_int_eq(new_called, numnewsesstick)
1397
1398 || !TEST_int_eq(remove_called, 0)))
1399 goto end;
1400
1401 new_called = remove_called = 0;
1402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1403 &clientssl2, NULL, NULL))
1404 || !TEST_true(SSL_set_session(clientssl2, sess1))
1405 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1406 SSL_ERROR_NONE))
1407 || !TEST_true(SSL_session_reused(clientssl2)))
1408 goto end;
1409
1410 if (maxprot == TLS1_3_VERSION) {
1411 /*
1412 * In TLSv1.3 we should have created a new session even though we have
1413 * resumed. Since we attempted a resume we should also have removed the
1414 * old ticket from the cache so that we try to only use tickets once.
1415 */
1416 if (use_ext_cache
1417 && (!TEST_int_eq(new_called, 1)
1418 || !TEST_int_eq(remove_called, 1)))
1419 goto end;
1420 } else {
1421 /*
1422 * In TLSv1.2 we expect to have resumed so no sessions added or
1423 * removed.
1424 */
1425 if (use_ext_cache
1426 && (!TEST_int_eq(new_called, 0)
1427 || !TEST_int_eq(remove_called, 0)))
1428 goto end;
1429 }
1430
1431 SSL_SESSION_free(sess1);
1432 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1433 goto end;
1434 shutdown_ssl_connection(serverssl2, clientssl2);
1435 serverssl2 = clientssl2 = NULL;
1436
1437 new_called = remove_called = 0;
1438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1439 &clientssl2, NULL, NULL))
1440 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1441 SSL_ERROR_NONE)))
1442 goto end;
1443
1444 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1445 goto end;
1446
1447 if (use_ext_cache
1448 && (!TEST_int_eq(new_called, numnewsesstick)
1449 || !TEST_int_eq(remove_called, 0)))
1450 goto end;
1451
1452 new_called = remove_called = 0;
1453 /*
1454 * This should clear sess2 from the cache because it is a "bad" session.
1455 * See SSL_set_session() documentation.
1456 */
1457 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1458 goto end;
1459 if (use_ext_cache
1460 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1461 goto end;
1462 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1463 goto end;
1464
1465 if (use_int_cache) {
1466 /* Should succeeded because it should not already be in the cache */
1467 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1468 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1469 goto end;
1470 }
1471
1472 new_called = remove_called = 0;
1473 /* This shouldn't be in the cache so should fail */
1474 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1475 goto end;
1476
1477 if (use_ext_cache
1478 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1479 goto end;
1480
1481 # if !defined(OPENSSL_NO_TLS1_1)
1482 new_called = remove_called = 0;
1483 /* Force a connection failure */
1484 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1486 &clientssl3, NULL, NULL))
1487 || !TEST_true(SSL_set_session(clientssl3, sess1))
1488 /* This should fail because of the mismatched protocol versions */
1489 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1490 SSL_ERROR_NONE)))
1491 goto end;
1492
1493 /* We should have automatically removed the session from the cache */
1494 if (use_ext_cache
1495 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1496 goto end;
1497
1498 /* Should succeed because it should not already be in the cache */
1499 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1500 goto end;
1501 # endif
1502
1503 /* Now do some tests for server side caching */
1504 if (use_ext_cache) {
1505 SSL_CTX_sess_set_new_cb(cctx, NULL);
1506 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1507 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1508 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1509 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1510 get_sess_val = NULL;
1511 }
1512
1513 SSL_CTX_set_session_cache_mode(cctx, 0);
1514 /* Internal caching is the default on the server side */
1515 if (!use_int_cache)
1516 SSL_CTX_set_session_cache_mode(sctx,
1517 SSL_SESS_CACHE_SERVER
1518 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1519
1520 SSL_free(serverssl1);
1521 SSL_free(clientssl1);
1522 serverssl1 = clientssl1 = NULL;
1523 SSL_free(serverssl2);
1524 SSL_free(clientssl2);
1525 serverssl2 = clientssl2 = NULL;
1526 SSL_SESSION_free(sess1);
1527 sess1 = NULL;
1528 SSL_SESSION_free(sess2);
1529 sess2 = NULL;
1530
1531 SSL_CTX_set_max_proto_version(sctx, maxprot);
1532 if (maxprot == TLS1_2_VERSION)
1533 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1534 new_called = remove_called = get_called = 0;
1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1536 NULL, NULL))
1537 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1538 SSL_ERROR_NONE))
1539 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1540 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1541 goto end;
1542
1543 if (use_int_cache) {
1544 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1545 /*
1546 * In TLSv1.3 it should not have been added to the internal cache,
1547 * except in the case where we also have an external cache (in that
1548 * case it gets added to the cache in order to generate remove
1549 * events after timeout).
1550 */
1551 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1552 goto end;
1553 } else {
1554 /* Should fail because it should already be in the cache */
1555 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1556 goto end;
1557 }
1558 }
1559
1560 if (use_ext_cache) {
1561 SSL_SESSION *tmp = sess2;
1562
1563 if (!TEST_int_eq(new_called, numnewsesstick)
1564 || !TEST_int_eq(remove_called, 0)
1565 || !TEST_int_eq(get_called, 0))
1566 goto end;
1567 /*
1568 * Delete the session from the internal cache to force a lookup from
1569 * the external cache. We take a copy first because
1570 * SSL_CTX_remove_session() also marks the session as non-resumable.
1571 */
1572 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1573 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1574 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1575 goto end;
1576 SSL_SESSION_free(sess2);
1577 }
1578 sess2 = tmp;
1579 }
1580
1581 new_called = remove_called = get_called = 0;
1582 get_sess_val = sess2;
1583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1584 &clientssl2, NULL, NULL))
1585 || !TEST_true(SSL_set_session(clientssl2, sess1))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1587 SSL_ERROR_NONE))
1588 || !TEST_true(SSL_session_reused(clientssl2)))
1589 goto end;
1590
1591 if (use_ext_cache) {
1592 if (!TEST_int_eq(remove_called, 0))
1593 goto end;
1594
1595 if (maxprot == TLS1_3_VERSION) {
1596 if (!TEST_int_eq(new_called, 1)
1597 || !TEST_int_eq(get_called, 0))
1598 goto end;
1599 } else {
1600 if (!TEST_int_eq(new_called, 0)
1601 || !TEST_int_eq(get_called, 1))
1602 goto end;
1603 }
1604 }
1605
1606 testresult = 1;
1607
1608 end:
1609 SSL_free(serverssl1);
1610 SSL_free(clientssl1);
1611 SSL_free(serverssl2);
1612 SSL_free(clientssl2);
1613 # ifndef OPENSSL_NO_TLS1_1
1614 SSL_free(serverssl3);
1615 SSL_free(clientssl3);
1616 # endif
1617 SSL_SESSION_free(sess1);
1618 SSL_SESSION_free(sess2);
1619 SSL_CTX_free(sctx);
1620 SSL_CTX_free(cctx);
1621
1622 return testresult;
1623 }
1624 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1625
1626 static int test_session_with_only_int_cache(void)
1627 {
1628 #ifndef OPENSSL_NO_TLS1_3
1629 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1630 return 0;
1631 #endif
1632
1633 #ifndef OPENSSL_NO_TLS1_2
1634 return execute_test_session(TLS1_2_VERSION, 1, 0);
1635 #else
1636 return 1;
1637 #endif
1638 }
1639
1640 static int test_session_with_only_ext_cache(void)
1641 {
1642 #ifndef OPENSSL_NO_TLS1_3
1643 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1644 return 0;
1645 #endif
1646
1647 #ifndef OPENSSL_NO_TLS1_2
1648 return execute_test_session(TLS1_2_VERSION, 0, 1);
1649 #else
1650 return 1;
1651 #endif
1652 }
1653
1654 static int test_session_with_both_cache(void)
1655 {
1656 #ifndef OPENSSL_NO_TLS1_3
1657 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1658 return 0;
1659 #endif
1660
1661 #ifndef OPENSSL_NO_TLS1_2
1662 return execute_test_session(TLS1_2_VERSION, 1, 1);
1663 #else
1664 return 1;
1665 #endif
1666 }
1667
1668 #ifndef OPENSSL_NO_TLS1_3
1669 static SSL_SESSION *sesscache[6];
1670 static int do_cache;
1671
1672 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1673 {
1674 if (do_cache) {
1675 sesscache[new_called] = sess;
1676 } else {
1677 /* We don't need the reference to the session, so free it */
1678 SSL_SESSION_free(sess);
1679 }
1680 new_called++;
1681
1682 return 1;
1683 }
1684
1685 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1686 {
1687 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1688 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1689 return 0;
1690
1691 /* Start handshake on the server and client */
1692 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1693 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1694 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1695 || !TEST_true(create_ssl_connection(sssl, cssl,
1696 SSL_ERROR_NONE)))
1697 return 0;
1698
1699 return 1;
1700 }
1701
1702 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1703 SSL_CTX **cctx)
1704 {
1705 int sess_id_ctx = 1;
1706
1707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1708 TLS1_VERSION, 0, sctx,
1709 cctx, cert, privkey))
1710 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1711 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1712 (void *)&sess_id_ctx,
1713 sizeof(sess_id_ctx))))
1714 return 0;
1715
1716 if (stateful)
1717 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1718
1719 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1720 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1721 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1722
1723 return 1;
1724 }
1725
1726 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1727 {
1728 SSL *serverssl = NULL, *clientssl = NULL;
1729 int i;
1730
1731 /* Test that we can resume with all the tickets we got given */
1732 for (i = 0; i < idx * 2; i++) {
1733 new_called = 0;
1734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1735 &clientssl, NULL, NULL))
1736 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1737 goto end;
1738
1739 SSL_set_post_handshake_auth(clientssl, 1);
1740
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1742 SSL_ERROR_NONE)))
1743 goto end;
1744
1745 /*
1746 * Following a successful resumption we only get 1 ticket. After a
1747 * failed one we should get idx tickets.
1748 */
1749 if (succ) {
1750 if (!TEST_true(SSL_session_reused(clientssl))
1751 || !TEST_int_eq(new_called, 1))
1752 goto end;
1753 } else {
1754 if (!TEST_false(SSL_session_reused(clientssl))
1755 || !TEST_int_eq(new_called, idx))
1756 goto end;
1757 }
1758
1759 new_called = 0;
1760 /* After a post-handshake authentication we should get 1 new ticket */
1761 if (succ
1762 && (!post_handshake_verify(serverssl, clientssl)
1763 || !TEST_int_eq(new_called, 1)))
1764 goto end;
1765
1766 SSL_shutdown(clientssl);
1767 SSL_shutdown(serverssl);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = clientssl = NULL;
1771 SSL_SESSION_free(sesscache[i]);
1772 sesscache[i] = NULL;
1773 }
1774
1775 return 1;
1776
1777 end:
1778 SSL_free(clientssl);
1779 SSL_free(serverssl);
1780 return 0;
1781 }
1782
1783 static int test_tickets(int stateful, int idx)
1784 {
1785 SSL_CTX *sctx = NULL, *cctx = NULL;
1786 SSL *serverssl = NULL, *clientssl = NULL;
1787 int testresult = 0;
1788 size_t j;
1789
1790 /* idx is the test number, but also the number of tickets we want */
1791
1792 new_called = 0;
1793 do_cache = 1;
1794
1795 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1796 goto end;
1797
1798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1799 &clientssl, NULL, NULL)))
1800 goto end;
1801
1802 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1803 SSL_ERROR_NONE))
1804 /* Check we got the number of tickets we were expecting */
1805 || !TEST_int_eq(idx, new_called))
1806 goto end;
1807
1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1812 SSL_CTX_free(sctx);
1813 SSL_CTX_free(cctx);
1814 clientssl = serverssl = NULL;
1815 sctx = cctx = NULL;
1816
1817 /*
1818 * Now we try to resume with the tickets we previously created. The
1819 * resumption attempt is expected to fail (because we're now using a new
1820 * SSL_CTX). We should see idx number of tickets issued again.
1821 */
1822
1823 /* Stop caching sessions - just count them */
1824 do_cache = 0;
1825
1826 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1827 goto end;
1828
1829 if (!check_resumption(idx, sctx, cctx, 0))
1830 goto end;
1831
1832 /* Start again with caching sessions */
1833 new_called = 0;
1834 do_cache = 1;
1835 SSL_CTX_free(sctx);
1836 SSL_CTX_free(cctx);
1837 sctx = cctx = NULL;
1838
1839 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1840 goto end;
1841
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1844 goto end;
1845
1846 SSL_set_post_handshake_auth(clientssl, 1);
1847
1848 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1849 SSL_ERROR_NONE))
1850 /* Check we got the number of tickets we were expecting */
1851 || !TEST_int_eq(idx, new_called))
1852 goto end;
1853
1854 /* After a post-handshake authentication we should get new tickets issued */
1855 if (!post_handshake_verify(serverssl, clientssl)
1856 || !TEST_int_eq(idx * 2, new_called))
1857 goto end;
1858
1859 SSL_shutdown(clientssl);
1860 SSL_shutdown(serverssl);
1861 SSL_free(serverssl);
1862 SSL_free(clientssl);
1863 serverssl = clientssl = NULL;
1864
1865 /* Stop caching sessions - just count them */
1866 do_cache = 0;
1867
1868 /*
1869 * Check we can resume with all the tickets we created. This time around the
1870 * resumptions should all be successful.
1871 */
1872 if (!check_resumption(idx, sctx, cctx, 1))
1873 goto end;
1874
1875 testresult = 1;
1876
1877 end:
1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
1880 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1881 SSL_SESSION_free(sesscache[j]);
1882 sesscache[j] = NULL;
1883 }
1884 SSL_CTX_free(sctx);
1885 SSL_CTX_free(cctx);
1886
1887 return testresult;
1888 }
1889
1890 static int test_stateless_tickets(int idx)
1891 {
1892 return test_tickets(0, idx);
1893 }
1894
1895 static int test_stateful_tickets(int idx)
1896 {
1897 return test_tickets(1, idx);
1898 }
1899
1900 static int test_psk_tickets(void)
1901 {
1902 SSL_CTX *sctx = NULL, *cctx = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1904 int testresult = 0;
1905 int sess_id_ctx = 1;
1906
1907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1908 TLS1_VERSION, 0, &sctx,
1909 &cctx, NULL, NULL))
1910 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1911 (void *)&sess_id_ctx,
1912 sizeof(sess_id_ctx))))
1913 goto end;
1914
1915 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1917 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1918 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1919 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1920 use_session_cb_cnt = 0;
1921 find_session_cb_cnt = 0;
1922 srvid = pskid;
1923 new_called = 0;
1924
1925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1926 NULL, NULL)))
1927 goto end;
1928 clientpsk = serverpsk = create_a_psk(clientssl);
1929 if (!TEST_ptr(clientpsk))
1930 goto end;
1931 SSL_SESSION_up_ref(clientpsk);
1932
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1934 SSL_ERROR_NONE))
1935 || !TEST_int_eq(1, find_session_cb_cnt)
1936 || !TEST_int_eq(1, use_session_cb_cnt)
1937 /* We should always get 1 ticket when using external PSK */
1938 || !TEST_int_eq(1, new_called))
1939 goto end;
1940
1941 testresult = 1;
1942
1943 end:
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1946 SSL_CTX_free(sctx);
1947 SSL_CTX_free(cctx);
1948 SSL_SESSION_free(clientpsk);
1949 SSL_SESSION_free(serverpsk);
1950 clientpsk = serverpsk = NULL;
1951
1952 return testresult;
1953 }
1954 #endif
1955
1956 #define USE_NULL 0
1957 #define USE_BIO_1 1
1958 #define USE_BIO_2 2
1959 #define USE_DEFAULT 3
1960
1961 #define CONNTYPE_CONNECTION_SUCCESS 0
1962 #define CONNTYPE_CONNECTION_FAIL 1
1963 #define CONNTYPE_NO_CONNECTION 2
1964
1965 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1966 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1967 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1968 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1969 #else
1970 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1971 #endif
1972
1973 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1975 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1976
1977 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1978 {
1979 switch (type) {
1980 case USE_NULL:
1981 *res = NULL;
1982 break;
1983 case USE_BIO_1:
1984 *res = bio1;
1985 break;
1986 case USE_BIO_2:
1987 *res = bio2;
1988 break;
1989 }
1990 }
1991
1992
1993 /*
1994 * Tests calls to SSL_set_bio() under various conditions.
1995 *
1996 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1997 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1998 * then do more tests where we create a successful connection first using our
1999 * standard connection setup functions, and then call SSL_set_bio() with
2000 * various combinations of valid BIOs or NULL. We then repeat these tests
2001 * following a failed connection. In this last case we are looking to check that
2002 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2003 */
2004 static int test_ssl_set_bio(int idx)
2005 {
2006 SSL_CTX *sctx = NULL, *cctx = NULL;
2007 BIO *bio1 = NULL;
2008 BIO *bio2 = NULL;
2009 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2010 SSL *serverssl = NULL, *clientssl = NULL;
2011 int initrbio, initwbio, newrbio, newwbio, conntype;
2012 int testresult = 0;
2013
2014 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2015 initrbio = idx % 3;
2016 idx /= 3;
2017 initwbio = idx % 3;
2018 idx /= 3;
2019 newrbio = idx % 3;
2020 idx /= 3;
2021 newwbio = idx % 3;
2022 conntype = CONNTYPE_NO_CONNECTION;
2023 } else {
2024 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2025 initrbio = initwbio = USE_DEFAULT;
2026 newrbio = idx % 2;
2027 idx /= 2;
2028 newwbio = idx % 2;
2029 idx /= 2;
2030 conntype = idx % 2;
2031 }
2032
2033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2034 TLS1_VERSION, 0,
2035 &sctx, &cctx, cert, privkey)))
2036 goto end;
2037
2038 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2039 /*
2040 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2041 * because we reduced the number of tests in the definition of
2042 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2043 * mismatched protocol versions we will force a connection failure.
2044 */
2045 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2046 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2047 }
2048
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2050 NULL, NULL)))
2051 goto end;
2052
2053 if (initrbio == USE_BIO_1
2054 || initwbio == USE_BIO_1
2055 || newrbio == USE_BIO_1
2056 || newwbio == USE_BIO_1) {
2057 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2058 goto end;
2059 }
2060
2061 if (initrbio == USE_BIO_2
2062 || initwbio == USE_BIO_2
2063 || newrbio == USE_BIO_2
2064 || newwbio == USE_BIO_2) {
2065 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2066 goto end;
2067 }
2068
2069 if (initrbio != USE_DEFAULT) {
2070 setupbio(&irbio, bio1, bio2, initrbio);
2071 setupbio(&iwbio, bio1, bio2, initwbio);
2072 SSL_set_bio(clientssl, irbio, iwbio);
2073
2074 /*
2075 * We want to maintain our own refs to these BIO, so do an up ref for
2076 * each BIO that will have ownership transferred in the SSL_set_bio()
2077 * call
2078 */
2079 if (irbio != NULL)
2080 BIO_up_ref(irbio);
2081 if (iwbio != NULL && iwbio != irbio)
2082 BIO_up_ref(iwbio);
2083 }
2084
2085 if (conntype != CONNTYPE_NO_CONNECTION
2086 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2087 SSL_ERROR_NONE)
2088 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2089 goto end;
2090
2091 setupbio(&nrbio, bio1, bio2, newrbio);
2092 setupbio(&nwbio, bio1, bio2, newwbio);
2093
2094 /*
2095 * We will (maybe) transfer ownership again so do more up refs.
2096 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2097 * already been set!
2098 */
2099 if (nrbio != NULL
2100 && nrbio != irbio
2101 && (nwbio != iwbio || nrbio != nwbio))
2102 BIO_up_ref(nrbio);
2103 if (nwbio != NULL
2104 && nwbio != nrbio
2105 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2106 BIO_up_ref(nwbio);
2107
2108 SSL_set_bio(clientssl, nrbio, nwbio);
2109
2110 testresult = 1;
2111
2112 end:
2113 BIO_free(bio1);
2114 BIO_free(bio2);
2115
2116 /*
2117 * This test is checking that the ref counting for SSL_set_bio is correct.
2118 * If we get here and we did too many frees then we will fail in the above
2119 * functions. If we haven't done enough then this will only be detected in
2120 * a crypto-mdebug build
2121 */
2122 SSL_free(serverssl);
2123 SSL_free(clientssl);
2124 SSL_CTX_free(sctx);
2125 SSL_CTX_free(cctx);
2126 return testresult;
2127 }
2128
2129 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2130
2131 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2132 {
2133 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2134 SSL_CTX *ctx;
2135 SSL *ssl = NULL;
2136 int testresult = 0;
2137
2138 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2139 || !TEST_ptr(ssl = SSL_new(ctx))
2140 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2141 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2142 goto end;
2143
2144 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2145
2146 /*
2147 * If anything goes wrong here then we could leak memory, so this will
2148 * be caught in a crypto-mdebug build
2149 */
2150 BIO_push(sslbio, membio1);
2151
2152 /* Verify changing the rbio/wbio directly does not cause leaks */
2153 if (change_bio != NO_BIO_CHANGE) {
2154 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2155 goto end;
2156 if (change_bio == CHANGE_RBIO)
2157 SSL_set0_rbio(ssl, membio2);
2158 else
2159 SSL_set0_wbio(ssl, membio2);
2160 }
2161 ssl = NULL;
2162
2163 if (pop_ssl)
2164 BIO_pop(sslbio);
2165 else
2166 BIO_pop(membio1);
2167
2168 testresult = 1;
2169 end:
2170 BIO_free(membio1);
2171 BIO_free(sslbio);
2172 SSL_free(ssl);
2173 SSL_CTX_free(ctx);
2174
2175 return testresult;
2176 }
2177
2178 static int test_ssl_bio_pop_next_bio(void)
2179 {
2180 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2181 }
2182
2183 static int test_ssl_bio_pop_ssl_bio(void)
2184 {
2185 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2186 }
2187
2188 static int test_ssl_bio_change_rbio(void)
2189 {
2190 return execute_test_ssl_bio(0, CHANGE_RBIO);
2191 }
2192
2193 static int test_ssl_bio_change_wbio(void)
2194 {
2195 return execute_test_ssl_bio(0, CHANGE_WBIO);
2196 }
2197
2198 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2199 typedef struct {
2200 /* The list of sig algs */
2201 const int *list;
2202 /* The length of the list */
2203 size_t listlen;
2204 /* A sigalgs list in string format */
2205 const char *liststr;
2206 /* Whether setting the list should succeed */
2207 int valid;
2208 /* Whether creating a connection with the list should succeed */
2209 int connsuccess;
2210 } sigalgs_list;
2211
2212 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2213 # ifndef OPENSSL_NO_EC
2214 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2215 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2216 # endif
2217 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2218 static const int invalidlist2[] = {NID_sha256, NID_undef};
2219 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2220 static const int invalidlist4[] = {NID_sha256};
2221 static const sigalgs_list testsigalgs[] = {
2222 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2223 # ifndef OPENSSL_NO_EC
2224 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2225 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2226 # endif
2227 {NULL, 0, "RSA+SHA256", 1, 1},
2228 # ifndef OPENSSL_NO_EC
2229 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2230 {NULL, 0, "ECDSA+SHA512", 1, 0},
2231 # endif
2232 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2233 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2234 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2235 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2236 {NULL, 0, "RSA", 0, 0},
2237 {NULL, 0, "SHA256", 0, 0},
2238 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2239 {NULL, 0, "Invalid", 0, 0}
2240 };
2241
2242 static int test_set_sigalgs(int idx)
2243 {
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2246 int testresult = 0;
2247 const sigalgs_list *curr;
2248 int testctx;
2249
2250 /* Should never happen */
2251 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2252 return 0;
2253
2254 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2255 curr = testctx ? &testsigalgs[idx]
2256 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2257
2258 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2259 TLS1_VERSION, 0,
2260 &sctx, &cctx, cert, privkey)))
2261 return 0;
2262
2263 /*
2264 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2265 * for TLSv1.2 for now until we add a new API.
2266 */
2267 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2268
2269 if (testctx) {
2270 int ret;
2271
2272 if (curr->list != NULL)
2273 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2274 else
2275 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2276
2277 if (!ret) {
2278 if (curr->valid)
2279 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2280 else
2281 testresult = 1;
2282 goto end;
2283 }
2284 if (!curr->valid) {
2285 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2286 goto end;
2287 }
2288 }
2289
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2291 &clientssl, NULL, NULL)))
2292 goto end;
2293
2294 if (!testctx) {
2295 int ret;
2296
2297 if (curr->list != NULL)
2298 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2299 else
2300 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2301 if (!ret) {
2302 if (curr->valid)
2303 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2304 else
2305 testresult = 1;
2306 goto end;
2307 }
2308 if (!curr->valid)
2309 goto end;
2310 }
2311
2312 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2313 SSL_ERROR_NONE),
2314 curr->connsuccess))
2315 goto end;
2316
2317 testresult = 1;
2318
2319 end:
2320 SSL_free(serverssl);
2321 SSL_free(clientssl);
2322 SSL_CTX_free(sctx);
2323 SSL_CTX_free(cctx);
2324
2325 return testresult;
2326 }
2327 #endif
2328
2329 #ifndef OPENSSL_NO_TLS1_3
2330 static int psk_client_cb_cnt = 0;
2331 static int psk_server_cb_cnt = 0;
2332
2333 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2334 size_t *idlen, SSL_SESSION **sess)
2335 {
2336 switch (++use_session_cb_cnt) {
2337 case 1:
2338 /* The first call should always have a NULL md */
2339 if (md != NULL)
2340 return 0;
2341 break;
2342
2343 case 2:
2344 /* The second call should always have an md */
2345 if (md == NULL)
2346 return 0;
2347 break;
2348
2349 default:
2350 /* We should only be called a maximum of twice */
2351 return 0;
2352 }
2353
2354 if (clientpsk != NULL)
2355 SSL_SESSION_up_ref(clientpsk);
2356
2357 *sess = clientpsk;
2358 *id = (const unsigned char *)pskid;
2359 *idlen = strlen(pskid);
2360
2361 return 1;
2362 }
2363
2364 #ifndef OPENSSL_NO_PSK
2365 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2366 unsigned int max_id_len,
2367 unsigned char *psk,
2368 unsigned int max_psk_len)
2369 {
2370 unsigned int psklen = 0;
2371
2372 psk_client_cb_cnt++;
2373
2374 if (strlen(pskid) + 1 > max_id_len)
2375 return 0;
2376
2377 /* We should only ever be called a maximum of twice per connection */
2378 if (psk_client_cb_cnt > 2)
2379 return 0;
2380
2381 if (clientpsk == NULL)
2382 return 0;
2383
2384 /* We'll reuse the PSK we set up for TLSv1.3 */
2385 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2386 return 0;
2387 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2388 strncpy(id, pskid, max_id_len);
2389
2390 return psklen;
2391 }
2392 #endif /* OPENSSL_NO_PSK */
2393
2394 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2395 size_t identity_len, SSL_SESSION **sess)
2396 {
2397 find_session_cb_cnt++;
2398
2399 /* We should only ever be called a maximum of twice per connection */
2400 if (find_session_cb_cnt > 2)
2401 return 0;
2402
2403 if (serverpsk == NULL)
2404 return 0;
2405
2406 /* Identity should match that set by the client */
2407 if (strlen(srvid) != identity_len
2408 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2409 /* No PSK found, continue but without a PSK */
2410 *sess = NULL;
2411 return 1;
2412 }
2413
2414 SSL_SESSION_up_ref(serverpsk);
2415 *sess = serverpsk;
2416
2417 return 1;
2418 }
2419
2420 #ifndef OPENSSL_NO_PSK
2421 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2422 unsigned char *psk, unsigned int max_psk_len)
2423 {
2424 unsigned int psklen = 0;
2425
2426 psk_server_cb_cnt++;
2427
2428 /* We should only ever be called a maximum of twice per connection */
2429 if (find_session_cb_cnt > 2)
2430 return 0;
2431
2432 if (serverpsk == NULL)
2433 return 0;
2434
2435 /* Identity should match that set by the client */
2436 if (strcmp(srvid, identity) != 0) {
2437 return 0;
2438 }
2439
2440 /* We'll reuse the PSK we set up for TLSv1.3 */
2441 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2442 return 0;
2443 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2444
2445 return psklen;
2446 }
2447 #endif /* OPENSSL_NO_PSK */
2448
2449 #define MSG1 "Hello"
2450 #define MSG2 "World."
2451 #define MSG3 "This"
2452 #define MSG4 "is"
2453 #define MSG5 "a"
2454 #define MSG6 "test"
2455 #define MSG7 "message."
2456
2457 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2458 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2459
2460
2461 static SSL_SESSION *create_a_psk(SSL *ssl)
2462 {
2463 const SSL_CIPHER *cipher = NULL;
2464 const unsigned char key[] = {
2465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2466 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2467 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2468 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2469 0x2c, 0x2d, 0x2e, 0x2f
2470 };
2471 SSL_SESSION *sess = NULL;
2472
2473 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2474 sess = SSL_SESSION_new();
2475 if (!TEST_ptr(sess)
2476 || !TEST_ptr(cipher)
2477 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2478 sizeof(key)))
2479 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2480 || !TEST_true(
2481 SSL_SESSION_set_protocol_version(sess,
2482 TLS1_3_VERSION))) {
2483 SSL_SESSION_free(sess);
2484 return NULL;
2485 }
2486 return sess;
2487 }
2488
2489 /*
2490 * Helper method to setup objects for early data test. Caller frees objects on
2491 * error.
2492 */
2493 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2494 SSL **serverssl, SSL_SESSION **sess, int idx)
2495 {
2496 if (*sctx == NULL
2497 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2498 TLS_client_method(),
2499 TLS1_VERSION, 0,
2500 sctx, cctx, cert, privkey)))
2501 return 0;
2502
2503 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2504 return 0;
2505
2506 if (idx == 1) {
2507 /* When idx == 1 we repeat the tests with read_ahead set */
2508 SSL_CTX_set_read_ahead(*cctx, 1);
2509 SSL_CTX_set_read_ahead(*sctx, 1);
2510 } else if (idx == 2) {
2511 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2512 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2513 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2514 use_session_cb_cnt = 0;
2515 find_session_cb_cnt = 0;
2516 srvid = pskid;
2517 }
2518
2519 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2520 NULL, NULL)))
2521 return 0;
2522
2523 /*
2524 * For one of the run throughs (doesn't matter which one), we'll try sending
2525 * some SNI data in the initial ClientHello. This will be ignored (because
2526 * there is no SNI cb set up by the server), so it should not impact
2527 * early_data.
2528 */
2529 if (idx == 1
2530 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2531 return 0;
2532
2533 if (idx == 2) {
2534 clientpsk = create_a_psk(*clientssl);
2535 if (!TEST_ptr(clientpsk)
2536 /*
2537 * We just choose an arbitrary value for max_early_data which
2538 * should be big enough for testing purposes.
2539 */
2540 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2541 0x100))
2542 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2543 SSL_SESSION_free(clientpsk);
2544 clientpsk = NULL;
2545 return 0;
2546 }
2547 serverpsk = clientpsk;
2548
2549 if (sess != NULL) {
2550 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
2554 return 0;
2555 }
2556 *sess = clientpsk;
2557 }
2558 return 1;
2559 }
2560
2561 if (sess == NULL)
2562 return 1;
2563
2564 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2565 SSL_ERROR_NONE)))
2566 return 0;
2567
2568 *sess = SSL_get1_session(*clientssl);
2569 SSL_shutdown(*clientssl);
2570 SSL_shutdown(*serverssl);
2571 SSL_free(*serverssl);
2572 SSL_free(*clientssl);
2573 *serverssl = *clientssl = NULL;
2574
2575 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2576 clientssl, NULL, NULL))
2577 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2578 return 0;
2579
2580 return 1;
2581 }
2582
2583 static int test_early_data_read_write(int idx)
2584 {
2585 SSL_CTX *cctx = NULL, *sctx = NULL;
2586 SSL *clientssl = NULL, *serverssl = NULL;
2587 int testresult = 0;
2588 SSL_SESSION *sess = NULL;
2589 unsigned char buf[20], data[1024];
2590 size_t readbytes, written, eoedlen, rawread, rawwritten;
2591 BIO *rbio;
2592
2593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2594 &serverssl, &sess, idx)))
2595 goto end;
2596
2597 /* Write and read some early data */
2598 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2599 &written))
2600 || !TEST_size_t_eq(written, strlen(MSG1))
2601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2602 sizeof(buf), &readbytes),
2603 SSL_READ_EARLY_DATA_SUCCESS)
2604 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_ACCEPTED))
2607 goto end;
2608
2609 /*
2610 * Server should be able to write data, and client should be able to
2611 * read it.
2612 */
2613 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2614 &written))
2615 || !TEST_size_t_eq(written, strlen(MSG2))
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2618 goto end;
2619
2620 /* Even after reading normal data, client should be able write early data */
2621 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2622 &written))
2623 || !TEST_size_t_eq(written, strlen(MSG3)))
2624 goto end;
2625
2626 /* Server should still be able read early data after writing data */
2627 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2628 &readbytes),
2629 SSL_READ_EARLY_DATA_SUCCESS)
2630 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2631 goto end;
2632
2633 /* Write more data from server and read it from client */
2634 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2635 &written))
2636 || !TEST_size_t_eq(written, strlen(MSG4))
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2638 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2639 goto end;
2640
2641 /*
2642 * If client writes normal data it should mean writing early data is no
2643 * longer possible.
2644 */
2645 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2646 || !TEST_size_t_eq(written, strlen(MSG5))
2647 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2648 SSL_EARLY_DATA_ACCEPTED))
2649 goto end;
2650
2651 /*
2652 * At this point the client has written EndOfEarlyData, ClientFinished and
2653 * normal (fully protected) data. We are going to cause a delay between the
2654 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2655 * in the read BIO, and then just put back the EndOfEarlyData message.
2656 */
2657 rbio = SSL_get_rbio(serverssl);
2658 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2659 || !TEST_size_t_lt(rawread, sizeof(data))
2660 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2661 goto end;
2662
2663 /* Record length is in the 4th and 5th bytes of the record header */
2664 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2665 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2666 || !TEST_size_t_eq(rawwritten, eoedlen))
2667 goto end;
2668
2669 /* Server should be told that there is no more early data */
2670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2671 &readbytes),
2672 SSL_READ_EARLY_DATA_FINISH)
2673 || !TEST_size_t_eq(readbytes, 0))
2674 goto end;
2675
2676 /*
2677 * Server has not finished init yet, so should still be able to write early
2678 * data.
2679 */
2680 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2681 &written))
2682 || !TEST_size_t_eq(written, strlen(MSG6)))
2683 goto end;
2684
2685 /* Push the ClientFinished and the normal data back into the server rbio */
2686 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2687 &rawwritten))
2688 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2689 goto end;
2690
2691 /* Server should be able to read normal data */
2692 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2693 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2694 goto end;
2695
2696 /* Client and server should not be able to write/read early data now */
2697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2698 &written)))
2699 goto end;
2700 ERR_clear_error();
2701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2702 &readbytes),
2703 SSL_READ_EARLY_DATA_ERROR))
2704 goto end;
2705 ERR_clear_error();
2706
2707 /* Client should be able to read the data sent by the server */
2708 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2710 goto end;
2711
2712 /*
2713 * Make sure we process the two NewSessionTickets. These arrive
2714 * post-handshake. We attempt reads which we do not expect to return any
2715 * data.
2716 */
2717 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2718 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2719 &readbytes)))
2720 goto end;
2721
2722 /* Server should be able to write normal data */
2723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG7))
2725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2727 goto end;
2728
2729 SSL_SESSION_free(sess);
2730 sess = SSL_get1_session(clientssl);
2731 use_session_cb_cnt = 0;
2732 find_session_cb_cnt = 0;
2733
2734 SSL_shutdown(clientssl);
2735 SSL_shutdown(serverssl);
2736 SSL_free(serverssl);
2737 SSL_free(clientssl);
2738 serverssl = clientssl = NULL;
2739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2740 &clientssl, NULL, NULL))
2741 || !TEST_true(SSL_set_session(clientssl, sess)))
2742 goto end;
2743
2744 /* Write and read some early data */
2745 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2746 &written))
2747 || !TEST_size_t_eq(written, strlen(MSG1))
2748 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2749 &readbytes),
2750 SSL_READ_EARLY_DATA_SUCCESS)
2751 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2752 goto end;
2753
2754 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2755 || !TEST_int_gt(SSL_accept(serverssl), 0))
2756 goto end;
2757
2758 /* Client and server should not be able to write/read early data now */
2759 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2760 &written)))
2761 goto end;
2762 ERR_clear_error();
2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2764 &readbytes),
2765 SSL_READ_EARLY_DATA_ERROR))
2766 goto end;
2767 ERR_clear_error();
2768
2769 /* Client and server should be able to write/read normal data */
2770 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2771 || !TEST_size_t_eq(written, strlen(MSG5))
2772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2773 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2774 goto end;
2775
2776 testresult = 1;
2777
2778 end:
2779 SSL_SESSION_free(sess);
2780 SSL_SESSION_free(clientpsk);
2781 SSL_SESSION_free(serverpsk);
2782 clientpsk = serverpsk = NULL;
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 SSL_CTX_free(sctx);
2786 SSL_CTX_free(cctx);
2787 return testresult;
2788 }
2789
2790 static int allow_ed_cb_called = 0;
2791
2792 static int allow_early_data_cb(SSL *s, void *arg)
2793 {
2794 int *usecb = (int *)arg;
2795
2796 allow_ed_cb_called++;
2797
2798 if (*usecb == 1)
2799 return 0;
2800
2801 return 1;
2802 }
2803
2804 /*
2805 * idx == 0: Standard early_data setup
2806 * idx == 1: early_data setup using read_ahead
2807 * usecb == 0: Don't use a custom early data callback
2808 * usecb == 1: Use a custom early data callback and reject the early data
2809 * usecb == 2: Use a custom early data callback and accept the early data
2810 * confopt == 0: Configure anti-replay directly
2811 * confopt == 1: Configure anti-replay using SSL_CONF
2812 */
2813 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2814 {
2815 SSL_CTX *cctx = NULL, *sctx = NULL;
2816 SSL *clientssl = NULL, *serverssl = NULL;
2817 int testresult = 0;
2818 SSL_SESSION *sess = NULL;
2819 size_t readbytes, written;
2820 unsigned char buf[20];
2821
2822 allow_ed_cb_called = 0;
2823
2824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2825 TLS1_VERSION, 0, &sctx,
2826 &cctx, cert, privkey)))
2827 return 0;
2828
2829 if (usecb > 0) {
2830 if (confopt == 0) {
2831 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2832 } else {
2833 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2834
2835 if (!TEST_ptr(confctx))
2836 goto end;
2837 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2838 | SSL_CONF_FLAG_SERVER);
2839 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2840 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2841 2)) {
2842 SSL_CONF_CTX_free(confctx);
2843 goto end;
2844 }
2845 SSL_CONF_CTX_free(confctx);
2846 }
2847 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2848 }
2849
2850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2851 &serverssl, &sess, idx)))
2852 goto end;
2853
2854 /*
2855 * The server is configured to accept early data. Create a connection to
2856 * "use up" the ticket
2857 */
2858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2859 || !TEST_true(SSL_session_reused(clientssl)))
2860 goto end;
2861
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 SSL_free(serverssl);
2865 SSL_free(clientssl);
2866 serverssl = clientssl = NULL;
2867
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2871 goto end;
2872
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2875 &written))
2876 || !TEST_size_t_eq(written, strlen(MSG1)))
2877 goto end;
2878
2879 if (usecb <= 1) {
2880 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2881 &readbytes),
2882 SSL_READ_EARLY_DATA_FINISH)
2883 /*
2884 * The ticket was reused, so the we should have rejected the
2885 * early data
2886 */
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_REJECTED))
2889 goto end;
2890 } else {
2891 /* In this case the callback decides to accept the early data */
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2893 &readbytes),
2894 SSL_READ_EARLY_DATA_SUCCESS)
2895 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2896 /*
2897 * Server will have sent its flight so client can now send
2898 * end of early data and complete its half of the handshake
2899 */
2900 || !TEST_int_gt(SSL_connect(clientssl), 0)
2901 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2902 &readbytes),
2903 SSL_READ_EARLY_DATA_FINISH)
2904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2905 SSL_EARLY_DATA_ACCEPTED))
2906 goto end;
2907 }
2908
2909 /* Complete the connection */
2910 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2911 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2912 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2913 goto end;
2914
2915 testresult = 1;
2916
2917 end:
2918 SSL_SESSION_free(sess);
2919 SSL_SESSION_free(clientpsk);
2920 SSL_SESSION_free(serverpsk);
2921 clientpsk = serverpsk = NULL;
2922 SSL_free(serverssl);
2923 SSL_free(clientssl);
2924 SSL_CTX_free(sctx);
2925 SSL_CTX_free(cctx);
2926 return testresult;
2927 }
2928
2929 static int test_early_data_replay(int idx)
2930 {
2931 int ret = 1, usecb, confopt;
2932
2933 for (usecb = 0; usecb < 3; usecb++) {
2934 for (confopt = 0; confopt < 2; confopt++)
2935 ret &= test_early_data_replay_int(idx, usecb, confopt);
2936 }
2937
2938 return ret;
2939 }
2940
2941 /*
2942 * Helper function to test that a server attempting to read early data can
2943 * handle a connection from a client where the early data should be skipped.
2944 * testtype: 0 == No HRR
2945 * testtype: 1 == HRR
2946 * testtype: 2 == HRR, invalid early_data sent after HRR
2947 * testtype: 3 == recv_max_early_data set to 0
2948 */
2949 static int early_data_skip_helper(int testtype, int idx)
2950 {
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 int testresult = 0;
2954 SSL_SESSION *sess = NULL;
2955 unsigned char buf[20];
2956 size_t readbytes, written;
2957
2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
2960 goto end;
2961
2962 if (testtype == 1 || testtype == 2) {
2963 /* Force an HRR to occur */
2964 #if defined(OPENSSL_NO_EC)
2965 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2966 goto end;
2967 #else
2968 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2969 goto end;
2970 #endif
2971 } else if (idx == 2) {
2972 /*
2973 * We force early_data rejection by ensuring the PSK identity is
2974 * unrecognised
2975 */
2976 srvid = "Dummy Identity";
2977 } else {
2978 /*
2979 * Deliberately corrupt the creation time. We take 20 seconds off the
2980 * time. It could be any value as long as it is not within tolerance.
2981 * This should mean the ticket is rejected.
2982 */
2983 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2984 goto end;
2985 }
2986
2987 if (testtype == 3
2988 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2989 goto end;
2990
2991 /* Write some early data */
2992 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2993 &written))
2994 || !TEST_size_t_eq(written, strlen(MSG1)))
2995 goto end;
2996
2997 /* Server should reject the early data */
2998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2999 &readbytes),
3000 SSL_READ_EARLY_DATA_FINISH)
3001 || !TEST_size_t_eq(readbytes, 0)
3002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3003 SSL_EARLY_DATA_REJECTED))
3004 goto end;
3005
3006 switch (testtype) {
3007 case 0:
3008 /* Nothing to do */
3009 break;
3010
3011 case 1:
3012 /*
3013 * Finish off the handshake. We perform the same writes and reads as
3014 * further down but we expect them to fail due to the incomplete
3015 * handshake.
3016 */
3017 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3018 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3019 &readbytes)))
3020 goto end;
3021 break;
3022
3023 case 2:
3024 {
3025 BIO *wbio = SSL_get_wbio(clientssl);
3026 /* A record that will appear as bad early_data */
3027 const unsigned char bad_early_data[] = {
3028 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3029 };
3030
3031 /*
3032 * We force the client to attempt a write. This will fail because
3033 * we're still in the handshake. It will cause the second
3034 * ClientHello to be sent.
3035 */
3036 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3037 &written)))
3038 goto end;
3039
3040 /*
3041 * Inject some early_data after the second ClientHello. This should
3042 * cause the server to fail
3043 */
3044 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3045 sizeof(bad_early_data), &written)))
3046 goto end;
3047 }
3048 /* fallthrough */
3049
3050 case 3:
3051 /*
3052 * This client has sent more early_data than we are willing to skip
3053 * (case 3) or sent invalid early_data (case 2) so the connection should
3054 * abort.
3055 */
3056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3058 goto end;
3059
3060 /* Connection has failed - nothing more to do */
3061 testresult = 1;
3062 goto end;
3063
3064 default:
3065 TEST_error("Invalid test type");
3066 goto end;
3067 }
3068
3069 /*
3070 * Should be able to send normal data despite rejection of early data. The
3071 * early_data should be skipped.
3072 */
3073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3074 || !TEST_size_t_eq(written, strlen(MSG2))
3075 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3076 SSL_EARLY_DATA_REJECTED)
3077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3079 goto end;
3080
3081 testresult = 1;
3082
3083 end:
3084 SSL_SESSION_free(clientpsk);
3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
3087 SSL_SESSION_free(sess);
3088 SSL_free(serverssl);
3089 SSL_free(clientssl);
3090 SSL_CTX_free(sctx);
3091 SSL_CTX_free(cctx);
3092 return testresult;
3093 }
3094
3095 /*
3096 * Test that a server attempting to read early data can handle a connection
3097 * from a client where the early data is not acceptable.
3098 */
3099 static int test_early_data_skip(int idx)
3100 {
3101 return early_data_skip_helper(0, idx);
3102 }
3103
3104 /*
3105 * Test that a server attempting to read early data can handle a connection
3106 * from a client where an HRR occurs.
3107 */
3108 static int test_early_data_skip_hrr(int idx)
3109 {
3110 return early_data_skip_helper(1, idx);
3111 }
3112
3113 /*
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where an HRR occurs and correctly fails if early_data is sent
3116 * after the HRR
3117 */
3118 static int test_early_data_skip_hrr_fail(int idx)
3119 {
3120 return early_data_skip_helper(2, idx);
3121 }
3122
3123 /*
3124 * Test that a server attempting to read early data will abort if it tries to
3125 * skip over too much.
3126 */
3127 static int test_early_data_skip_abort(int idx)
3128 {
3129 return early_data_skip_helper(3, idx);
3130 }
3131
3132 /*
3133 * Test that a server attempting to read early data can handle a connection
3134 * from a client that doesn't send any.
3135 */
3136 static int test_early_data_not_sent(int idx)
3137 {
3138 SSL_CTX *cctx = NULL, *sctx = NULL;
3139 SSL *clientssl = NULL, *serverssl = NULL;
3140 int testresult = 0;
3141 SSL_SESSION *sess = NULL;
3142 unsigned char buf[20];
3143 size_t readbytes, written;
3144
3145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3146 &serverssl, &sess, idx)))
3147 goto end;
3148
3149 /* Write some data - should block due to handshake with server */
3150 SSL_set_connect_state(clientssl);
3151 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3152 goto end;
3153
3154 /* Server should detect that early data has not been sent */
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 &readbytes),
3157 SSL_READ_EARLY_DATA_FINISH)
3158 || !TEST_size_t_eq(readbytes, 0)
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3160 SSL_EARLY_DATA_NOT_SENT)
3161 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3162 SSL_EARLY_DATA_NOT_SENT))
3163 goto end;
3164
3165 /* Continue writing the message we started earlier */
3166 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3167 || !TEST_size_t_eq(written, strlen(MSG1))
3168 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3170 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3171 || !TEST_size_t_eq(written, strlen(MSG2)))
3172 goto end;
3173
3174 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3175 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3176 goto end;
3177
3178 testresult = 1;
3179
3180 end:
3181 SSL_SESSION_free(sess);
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3187 SSL_CTX_free(sctx);
3188 SSL_CTX_free(cctx);
3189 return testresult;
3190 }
3191
3192 static int hostname_cb(SSL *s, int *al, void *arg)
3193 {
3194 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3195
3196 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3197 return SSL_TLSEXT_ERR_OK;
3198
3199 return SSL_TLSEXT_ERR_NOACK;
3200 }
3201
3202 static const char *servalpn;
3203
3204 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3205 unsigned char *outlen, const unsigned char *in,
3206 unsigned int inlen, void *arg)
3207 {
3208 unsigned int protlen = 0;
3209 const unsigned char *prot;
3210
3211 for (prot = in; prot < in + inlen; prot += protlen) {
3212 protlen = *prot++;
3213 if (in + inlen < prot + protlen)
3214 return SSL_TLSEXT_ERR_NOACK;
3215
3216 if (protlen == strlen(servalpn)
3217 && memcmp(prot, servalpn, protlen) == 0) {
3218 *out = prot;
3219 *outlen = protlen;
3220 return SSL_TLSEXT_ERR_OK;
3221 }
3222 }
3223
3224 return SSL_TLSEXT_ERR_NOACK;
3225 }
3226
3227 /* Test that a PSK can be used to send early_data */
3228 static int test_early_data_psk(int idx)
3229 {
3230 SSL_CTX *cctx = NULL, *sctx = NULL;
3231 SSL *clientssl = NULL, *serverssl = NULL;
3232 int testresult = 0;
3233 SSL_SESSION *sess = NULL;
3234 unsigned char alpnlist[] = {
3235 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3236 'l', 'p', 'n'
3237 };
3238 #define GOODALPNLEN 9
3239 #define BADALPNLEN 8
3240 #define GOODALPN (alpnlist)
3241 #define BADALPN (alpnlist + GOODALPNLEN)
3242 int err = 0;
3243 unsigned char buf[20];
3244 size_t readbytes, written;
3245 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3246 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3247
3248 /* We always set this up with a final parameter of "2" for PSK */
3249 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3250 &serverssl, &sess, 2)))
3251 goto end;
3252
3253 servalpn = "goodalpn";
3254
3255 /*
3256 * Note: There is no test for inconsistent SNI with late client detection.
3257 * This is because servers do not acknowledge SNI even if they are using
3258 * it in a resumption handshake - so it is not actually possible for a
3259 * client to detect a problem.
3260 */
3261 switch (idx) {
3262 case 0:
3263 /* Set inconsistent SNI (early client detection) */
3264 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3265 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3266 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3267 goto end;
3268 break;
3269
3270 case 1:
3271 /* Set inconsistent ALPN (early client detection) */
3272 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3273 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3274 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3275 GOODALPNLEN))
3276 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3277 BADALPNLEN)))
3278 goto end;
3279 break;
3280
3281 case 2:
3282 /*
3283 * Set invalid protocol version. Technically this affects PSKs without
3284 * early_data too, but we test it here because it is similar to the
3285 * SNI/ALPN consistency tests.
3286 */
3287 err = SSL_R_BAD_PSK;
3288 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3289 goto end;
3290 break;
3291
3292 case 3:
3293 /*
3294 * Set inconsistent SNI (server detected). In this case the connection
3295 * will succeed but reject early_data.
3296 */
3297 SSL_SESSION_free(serverpsk);
3298 serverpsk = SSL_SESSION_dup(clientpsk);
3299 if (!TEST_ptr(serverpsk)
3300 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3301 goto end;
3302 edstatus = SSL_EARLY_DATA_REJECTED;
3303 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3304 /* Fall through */
3305 case 4:
3306 /* Set consistent SNI */
3307 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3308 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3309 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3310 hostname_cb)))
3311 goto end;
3312 break;
3313
3314 case 5:
3315 /*
3316 * Set inconsistent ALPN (server detected). In this case the connection
3317 * will succeed but reject early_data.
3318 */
3319 servalpn = "badalpn";
3320 edstatus = SSL_EARLY_DATA_REJECTED;
3321 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3322 /* Fall through */
3323 case 6:
3324 /*
3325 * Set consistent ALPN.
3326 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3327 * accepts a list of protos (each one length prefixed).
3328 * SSL_set1_alpn_selected accepts a single protocol (not length
3329 * prefixed)
3330 */
3331 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3332 GOODALPNLEN - 1))
3333 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3334 GOODALPNLEN)))
3335 goto end;
3336
3337 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3338 break;
3339
3340 case 7:
3341 /* Set inconsistent ALPN (late client detection) */
3342 SSL_SESSION_free(serverpsk);
3343 serverpsk = SSL_SESSION_dup(clientpsk);
3344 if (!TEST_ptr(serverpsk)
3345 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3346 BADALPN + 1,
3347 BADALPNLEN - 1))
3348 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3349 GOODALPN + 1,
3350 GOODALPNLEN - 1))
3351 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3352 sizeof(alpnlist))))
3353 goto end;
3354 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3355 edstatus = SSL_EARLY_DATA_ACCEPTED;
3356 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3357 /* SSL_connect() call should fail */
3358 connectres = -1;
3359 break;
3360
3361 default:
3362 TEST_error("Bad test index");
3363 goto end;
3364 }
3365
3366 SSL_set_connect_state(clientssl);
3367 if (err != 0) {
3368 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3369 &written))
3370 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3371 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3372 goto end;
3373 } else {
3374 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3375 &written)))
3376 goto end;
3377
3378 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3379 &readbytes), readearlyres)
3380 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3381 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3382 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3383 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3384 goto end;
3385 }
3386
3387 testresult = 1;
3388
3389 end:
3390 SSL_SESSION_free(sess);
3391 SSL_SESSION_free(clientpsk);
3392 SSL_SESSION_free(serverpsk);
3393 clientpsk = serverpsk = NULL;
3394 SSL_free(serverssl);
3395 SSL_free(clientssl);
3396 SSL_CTX_free(sctx);
3397 SSL_CTX_free(cctx);
3398 return testresult;
3399 }
3400
3401 /*
3402 * Test that a server that doesn't try to read early data can handle a
3403 * client sending some.
3404 */
3405 static int test_early_data_not_expected(int idx)
3406 {
3407 SSL_CTX *cctx = NULL, *sctx = NULL;
3408 SSL *clientssl = NULL, *serverssl = NULL;
3409 int testresult = 0;
3410 SSL_SESSION *sess = NULL;
3411 unsigned char buf[20];
3412 size_t readbytes, written;
3413
3414 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3415 &serverssl, &sess, idx)))
3416 goto end;
3417
3418 /* Write some early data */
3419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3420 &written)))
3421 goto end;
3422
3423 /*
3424 * Server should skip over early data and then block waiting for client to
3425 * continue handshake
3426 */
3427 if (!TEST_int_le(SSL_accept(serverssl), 0)
3428 || !TEST_int_gt(SSL_connect(clientssl), 0)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_REJECTED)
3431 || !TEST_int_gt(SSL_accept(serverssl), 0)
3432 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3433 SSL_EARLY_DATA_REJECTED))
3434 goto end;
3435
3436 /* Send some normal data from client to server */
3437 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3438 || !TEST_size_t_eq(written, strlen(MSG2)))
3439 goto end;
3440
3441 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3443 goto end;
3444
3445 testresult = 1;
3446
3447 end:
3448 SSL_SESSION_free(sess);
3449 SSL_SESSION_free(clientpsk);
3450 SSL_SESSION_free(serverpsk);
3451 clientpsk = serverpsk = NULL;
3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3454 SSL_CTX_free(sctx);
3455 SSL_CTX_free(cctx);
3456 return testresult;
3457 }
3458
3459
3460 # ifndef OPENSSL_NO_TLS1_2
3461 /*
3462 * Test that a server attempting to read early data can handle a connection
3463 * from a TLSv1.2 client.
3464 */
3465 static int test_early_data_tls1_2(int idx)
3466 {
3467 SSL_CTX *cctx = NULL, *sctx = NULL;
3468 SSL *clientssl = NULL, *serverssl = NULL;
3469 int testresult = 0;
3470 unsigned char buf[20];
3471 size_t readbytes, written;
3472
3473 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3474 &serverssl, NULL, idx)))
3475 goto end;
3476
3477 /* Write some data - should block due to handshake with server */
3478 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3479 SSL_set_connect_state(clientssl);
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3481 goto end;
3482
3483 /*
3484 * Server should do TLSv1.2 handshake. First it will block waiting for more
3485 * messages from client after ServerDone. Then SSL_read_early_data should
3486 * finish and detect that early data has not been sent
3487 */
3488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3489 &readbytes),
3490 SSL_READ_EARLY_DATA_ERROR))
3491 goto end;
3492
3493 /*
3494 * Continue writing the message we started earlier. Will still block waiting
3495 * for the CCS/Finished from server
3496 */
3497 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3498 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3499 &readbytes),
3500 SSL_READ_EARLY_DATA_FINISH)
3501 || !TEST_size_t_eq(readbytes, 0)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_NOT_SENT))
3504 goto end;
3505
3506 /* Continue writing the message we started earlier */
3507 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3510 SSL_EARLY_DATA_NOT_SENT)
3511 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3513 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3514 || !TEST_size_t_eq(written, strlen(MSG2))
3515 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3517 goto end;
3518
3519 testresult = 1;
3520
3521 end:
3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3527 SSL_CTX_free(sctx);
3528 SSL_CTX_free(cctx);
3529
3530 return testresult;
3531 }
3532 # endif /* OPENSSL_NO_TLS1_2 */
3533
3534 /*
3535 * Test configuring the TLSv1.3 ciphersuites
3536 *
3537 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3539 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3541 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3543 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3545 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3546 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3547 */
3548 static int test_set_ciphersuite(int idx)
3549 {
3550 SSL_CTX *cctx = NULL, *sctx = NULL;
3551 SSL *clientssl = NULL, *serverssl = NULL;
3552 int testresult = 0;
3553
3554 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3555 TLS1_VERSION, 0,
3556 &sctx, &cctx, cert, privkey))
3557 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3558 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3559 goto end;
3560
3561 if (idx >=4 && idx <= 7) {
3562 /* SSL_CTX explicit cipher list */
3563 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3564 goto end;
3565 }
3566
3567 if (idx == 0 || idx == 4) {
3568 /* Default ciphersuite */
3569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3570 "TLS_AES_128_GCM_SHA256")))
3571 goto end;
3572 } else if (idx == 1 || idx == 5) {
3573 /* Non default ciphersuite */
3574 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3575 "TLS_AES_128_CCM_SHA256")))
3576 goto end;
3577 }
3578
3579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3580 &clientssl, NULL, NULL)))
3581 goto end;
3582
3583 if (idx == 8 || idx == 9) {
3584 /* SSL explicit cipher list */
3585 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3586 goto end;
3587 }
3588
3589 if (idx == 2 || idx == 6 || idx == 8) {
3590 /* Default ciphersuite */
3591 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3592 "TLS_AES_128_GCM_SHA256")))
3593 goto end;
3594 } else if (idx == 3 || idx == 7 || idx == 9) {
3595 /* Non default ciphersuite */
3596 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3597 "TLS_AES_128_CCM_SHA256")))
3598 goto end;
3599 }
3600
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3602 goto end;
3603
3604 testresult = 1;
3605
3606 end:
3607 SSL_free(serverssl);
3608 SSL_free(clientssl);
3609 SSL_CTX_free(sctx);
3610 SSL_CTX_free(cctx);
3611
3612 return testresult;
3613 }
3614
3615 static int test_ciphersuite_change(void)
3616 {
3617 SSL_CTX *cctx = NULL, *sctx = NULL;
3618 SSL *clientssl = NULL, *serverssl = NULL;
3619 SSL_SESSION *clntsess = NULL;
3620 int testresult = 0;
3621 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3622
3623 /* Create a session based on SHA-256 */
3624 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3625 TLS1_VERSION, 0,
3626 &sctx, &cctx, cert, privkey))
3627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3628 "TLS_AES_128_GCM_SHA256"))
3629 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
3631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3632 SSL_ERROR_NONE)))
3633 goto end;
3634
3635 clntsess = SSL_get1_session(clientssl);
3636 /* Save for later */
3637 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3638 SSL_shutdown(clientssl);
3639 SSL_shutdown(serverssl);
3640 SSL_free(serverssl);
3641 SSL_free(clientssl);
3642 serverssl = clientssl = NULL;
3643
3644 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3645 /* Check we can resume a session with a different SHA-256 ciphersuite */
3646 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3647 "TLS_CHACHA20_POLY1305_SHA256"))
3648 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3649 NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, clntsess))
3651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3652 SSL_ERROR_NONE))
3653 || !TEST_true(SSL_session_reused(clientssl)))
3654 goto end;
3655
3656 SSL_SESSION_free(clntsess);
3657 clntsess = SSL_get1_session(clientssl);
3658 SSL_shutdown(clientssl);
3659 SSL_shutdown(serverssl);
3660 SSL_free(serverssl);
3661 SSL_free(clientssl);
3662 serverssl = clientssl = NULL;
3663 # endif
3664
3665 /*
3666 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3667 * succeeds but does not resume.
3668 */
3669 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3670 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3671 NULL, NULL))
3672 || !TEST_true(SSL_set_session(clientssl, clntsess))
3673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3674 SSL_ERROR_SSL))
3675 || !TEST_false(SSL_session_reused(clientssl)))
3676 goto end;
3677
3678 SSL_SESSION_free(clntsess);
3679 clntsess = NULL;
3680 SSL_shutdown(clientssl);
3681 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3684 serverssl = clientssl = NULL;
3685
3686 /* Create a session based on SHA384 */
3687 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3689 &clientssl, NULL, NULL))
3690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3691 SSL_ERROR_NONE)))
3692 goto end;
3693
3694 clntsess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3700
3701 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3702 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3703 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3704 "TLS_AES_256_GCM_SHA384"))
3705 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3706 NULL, NULL))
3707 || !TEST_true(SSL_set_session(clientssl, clntsess))
3708 /*
3709 * We use SSL_ERROR_WANT_READ below so that we can pause the
3710 * connection after the initial ClientHello has been sent to
3711 * enable us to make some session changes.
3712 */
3713 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3714 SSL_ERROR_WANT_READ)))
3715 goto end;
3716
3717 /* Trick the client into thinking this session is for a different digest */
3718 clntsess->cipher = aes_128_gcm_sha256;
3719 clntsess->cipher_id = clntsess->cipher->id;
3720
3721 /*
3722 * Continue the previously started connection. Server has selected a SHA-384
3723 * ciphersuite, but client thinks the session is for SHA-256, so it should
3724 * bail out.
3725 */
3726 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3727 SSL_ERROR_SSL))
3728 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3729 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3730 goto end;
3731
3732 testresult = 1;
3733
3734 end:
3735 SSL_SESSION_free(clntsess);
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3738 SSL_CTX_free(sctx);
3739 SSL_CTX_free(cctx);
3740
3741 return testresult;
3742 }
3743
3744 /*
3745 * Test Key exchange
3746 * Test 0 = Test ECDHE Key exchange with TLSv1.3 client and server
3747 * Test 1 = Test ECDHE with TLSv1.2 client and server
3748 * Test 2 = Test FFDHE Key exchange with TLSv1.3 client and server
3749 * Test 3 = Test FFDHE with TLSv1.2 client and server
3750 * Test 4 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3751 * Test 5 = Test NID_secp384r1 with TLSv1.3 client and server
3752 * Test 6 = Test NID_secp521r1 with TLSv1.3 client and server
3753 * Test 7 = Test NID_X25519 with TLSv1.3 client and server
3754 * Test 8 = Test NID_X448 with TLSv1.3 client and server
3755 * Test 9 = Test NID_ffdhe2048 with TLSv1.3 client and server
3756 * Test 10 = Test NID_ffdhe3072 with TLSv1.3 client and server
3757 * Test 11 = Test NID_ffdhe4096 with TLSv1.3 client and server
3758 * Test 12 = Test NID_ffdhe6144 with TLSv1.3 client and server
3759 * Test 13 = Test NID_ffdhe8192 with TLSv1.3 client and server
3760 */
3761 static int test_key_exchange(int idx)
3762 {
3763 SSL_CTX *sctx = NULL, *cctx = NULL;
3764 SSL *serverssl = NULL, *clientssl = NULL;
3765 int testresult = 0;
3766 #if !defined(OPENSSL_NO_EC)
3767 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
3768 NID_X25519, NID_X448};
3769 #endif
3770 #ifndef OPENSSL_NO_DH
3771 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3772 NID_ffdhe6144, NID_ffdhe8192};
3773 #endif
3774 int kexch_alg;
3775 int *kexch_groups = &kexch_alg;
3776 int kexch_groups_size = 1;
3777 int max_version = TLS1_3_VERSION;
3778 int want_err = SSL_ERROR_NONE;
3779 int expected_err_reason = 0;
3780
3781 switch (idx) {
3782 #ifndef OPENSSL_NO_EC
3783 # ifndef OPENSSL_NO_TLS1_2
3784 case 1:
3785 max_version = TLS1_2_VERSION;
3786 # endif
3787 /* Fall through */
3788 case 0:
3789 kexch_groups = ecdhe_kexch_groups;
3790 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3791 break;
3792 case 4:
3793 kexch_alg = NID_X9_62_prime256v1;
3794 break;
3795 case 5:
3796 kexch_alg = NID_secp384r1;
3797 break;
3798 case 6:
3799 kexch_alg = NID_secp521r1;
3800 break;
3801 case 7:
3802 kexch_alg = NID_X25519;
3803 break;
3804 case 8:
3805 kexch_alg = NID_X448;
3806 break;
3807 #endif
3808 #ifndef OPENSSL_NO_DH
3809 # ifndef OPENSSL_NO_TLS1_2
3810 case 3:
3811 max_version = TLS1_2_VERSION;
3812 # endif
3813 /* Fall through */
3814 case 2:
3815 kexch_groups = ffdhe_kexch_groups;
3816 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3817 break;
3818 case 9:
3819 kexch_alg = NID_ffdhe2048;
3820 break;
3821 case 10:
3822 kexch_alg = NID_ffdhe3072;
3823 break;
3824 case 11:
3825 kexch_alg = NID_ffdhe4096;
3826 break;
3827 case 12:
3828 kexch_alg = NID_ffdhe6144;
3829 break;
3830 case 13:
3831 kexch_alg = NID_ffdhe8192;
3832 break;
3833 #endif
3834 default:
3835 /* We're skipping this test */
3836 return 1;
3837 }
3838
3839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3840 TLS1_VERSION, max_version,
3841 &sctx, &cctx, cert, privkey)))
3842 goto end;
3843
3844 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3845 goto end;
3846
3847 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3848 goto end;
3849
3850 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
3851 goto end;
3852
3853 /*
3854 * Must include an EC ciphersuite so that we send supported groups in
3855 * TLSv1.2
3856 */
3857 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3858 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3859 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3860 goto end;
3861
3862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3863 NULL, NULL)))
3864 goto end;
3865
3866 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3867 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3868 goto end;
3869
3870 if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) {
3871 /* Fail only if no error is expected in handshake */
3872 if (expected_err_reason == 0)
3873 goto end;
3874 }
3875
3876 /* Fail if expected error is not happening for failure testcases */
3877 if (expected_err_reason != 0) {
3878 unsigned long err_code = ERR_get_error();
3879
3880 ERR_print_errors_fp(stdout);
3881 if (TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
3882 testresult = 1;
3883 goto end;
3884 }
3885
3886 /*
3887 * If Handshake succeeds the negotiated kexch alg should the first one in
3888 * configured, except in the case of FFDHE groups which are TLSv1.3 only
3889 * so we expect no shared group to exist.
3890 */
3891 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3892 idx == 3 ? 0 : kexch_groups[0]))
3893 goto end;
3894 if (max_version == TLS1_3_VERSION) {
3895 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3896 goto end;
3897 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3898 goto end;
3899 }
3900
3901 testresult = 1;
3902 end:
3903 SSL_free(serverssl);
3904 SSL_free(clientssl);
3905 SSL_CTX_free(sctx);
3906 SSL_CTX_free(cctx);
3907 return testresult;
3908 }
3909
3910 /*
3911 * Test TLSv1.3 PSKs
3912 * Test 0 = Test new style callbacks
3913 * Test 1 = Test both new and old style callbacks
3914 * Test 2 = Test old style callbacks
3915 * Test 3 = Test old style callbacks with no certificate
3916 */
3917 static int test_tls13_psk(int idx)
3918 {
3919 SSL_CTX *sctx = NULL, *cctx = NULL;
3920 SSL *serverssl = NULL, *clientssl = NULL;
3921 const SSL_CIPHER *cipher = NULL;
3922 const unsigned char key[] = {
3923 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3924 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3925 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3926 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3927 };
3928 int testresult = 0;
3929
3930 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3931 TLS1_VERSION, 0,
3932 &sctx, &cctx, idx == 3 ? NULL : cert,
3933 idx == 3 ? NULL : privkey)))
3934 goto end;
3935
3936 if (idx != 3) {
3937 /*
3938 * We use a ciphersuite with SHA256 to ease testing old style PSK
3939 * callbacks which will always default to SHA256. This should not be
3940 * necessary if we have no cert/priv key. In that case the server should
3941 * prefer SHA256 automatically.
3942 */
3943 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3944 "TLS_AES_128_GCM_SHA256")))
3945 goto end;
3946 }
3947
3948 /*
3949 * Test 0: New style callbacks only
3950 * Test 1: New and old style callbacks (only the new ones should be used)
3951 * Test 2: Old style callbacks only
3952 */
3953 if (idx == 0 || idx == 1) {
3954 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3955 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3956 }
3957 #ifndef OPENSSL_NO_PSK
3958 if (idx >= 1) {
3959 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3960 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3961 }
3962 #endif
3963 srvid = pskid;
3964 use_session_cb_cnt = 0;
3965 find_session_cb_cnt = 0;
3966 psk_client_cb_cnt = 0;
3967 psk_server_cb_cnt = 0;
3968
3969 if (idx != 3) {
3970 /*
3971 * Check we can create a connection if callback decides not to send a
3972 * PSK
3973 */
3974 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3975 NULL, NULL))
3976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3977 SSL_ERROR_NONE))
3978 || !TEST_false(SSL_session_reused(clientssl))
3979 || !TEST_false(SSL_session_reused(serverssl)))
3980 goto end;
3981
3982 if (idx == 0 || idx == 1) {
3983 if (!TEST_true(use_session_cb_cnt == 1)
3984 || !TEST_true(find_session_cb_cnt == 0)
3985 /*
3986 * If no old style callback then below should be 0
3987 * otherwise 1
3988 */
3989 || !TEST_true(psk_client_cb_cnt == idx)
3990 || !TEST_true(psk_server_cb_cnt == 0))
3991 goto end;
3992 } else {
3993 if (!TEST_true(use_session_cb_cnt == 0)
3994 || !TEST_true(find_session_cb_cnt == 0)
3995 || !TEST_true(psk_client_cb_cnt == 1)
3996 || !TEST_true(psk_server_cb_cnt == 0))
3997 goto end;
3998 }
3999
4000 shutdown_ssl_connection(serverssl, clientssl);
4001 serverssl = clientssl = NULL;
4002 use_session_cb_cnt = psk_client_cb_cnt = 0;
4003 }
4004
4005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4006 NULL, NULL)))
4007 goto end;
4008
4009 /* Create the PSK */
4010 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4011 clientpsk = SSL_SESSION_new();
4012 if (!TEST_ptr(clientpsk)
4013 || !TEST_ptr(cipher)
4014 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4015 sizeof(key)))
4016 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4017 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4018 TLS1_3_VERSION))
4019 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4020 goto end;
4021 serverpsk = clientpsk;
4022
4023 /* Check we can create a connection and the PSK is used */
4024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4025 || !TEST_true(SSL_session_reused(clientssl))
4026 || !TEST_true(SSL_session_reused(serverssl)))
4027 goto end;
4028
4029 if (idx == 0 || idx == 1) {
4030 if (!TEST_true(use_session_cb_cnt == 1)
4031 || !TEST_true(find_session_cb_cnt == 1)
4032 || !TEST_true(psk_client_cb_cnt == 0)
4033 || !TEST_true(psk_server_cb_cnt == 0))
4034 goto end;
4035 } else {
4036 if (!TEST_true(use_session_cb_cnt == 0)
4037 || !TEST_true(find_session_cb_cnt == 0)
4038 || !TEST_true(psk_client_cb_cnt == 1)
4039 || !TEST_true(psk_server_cb_cnt == 1))
4040 goto end;
4041 }
4042
4043 shutdown_ssl_connection(serverssl, clientssl);
4044 serverssl = clientssl = NULL;
4045 use_session_cb_cnt = find_session_cb_cnt = 0;
4046 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4047
4048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4049 NULL, NULL)))
4050 goto end;
4051
4052 /* Force an HRR */
4053 #if defined(OPENSSL_NO_EC)
4054 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4055 goto end;
4056 #else
4057 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4058 goto end;
4059 #endif
4060
4061 /*
4062 * Check we can create a connection, the PSK is used and the callbacks are
4063 * called twice.
4064 */
4065 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4066 || !TEST_true(SSL_session_reused(clientssl))
4067 || !TEST_true(SSL_session_reused(serverssl)))
4068 goto end;
4069
4070 if (idx == 0 || idx == 1) {
4071 if (!TEST_true(use_session_cb_cnt == 2)
4072 || !TEST_true(find_session_cb_cnt == 2)
4073 || !TEST_true(psk_client_cb_cnt == 0)
4074 || !TEST_true(psk_server_cb_cnt == 0))
4075 goto end;
4076 } else {
4077 if (!TEST_true(use_session_cb_cnt == 0)
4078 || !TEST_true(find_session_cb_cnt == 0)
4079 || !TEST_true(psk_client_cb_cnt == 2)
4080 || !TEST_true(psk_server_cb_cnt == 2))
4081 goto end;
4082 }
4083
4084 shutdown_ssl_connection(serverssl, clientssl);
4085 serverssl = clientssl = NULL;
4086 use_session_cb_cnt = find_session_cb_cnt = 0;
4087 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4088
4089 if (idx != 3) {
4090 /*
4091 * Check that if the server rejects the PSK we can still connect, but with
4092 * a full handshake
4093 */
4094 srvid = "Dummy Identity";
4095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4096 NULL, NULL))
4097 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4098 SSL_ERROR_NONE))
4099 || !TEST_false(SSL_session_reused(clientssl))
4100 || !TEST_false(SSL_session_reused(serverssl)))
4101 goto end;
4102
4103 if (idx == 0 || idx == 1) {
4104 if (!TEST_true(use_session_cb_cnt == 1)
4105 || !TEST_true(find_session_cb_cnt == 1)
4106 || !TEST_true(psk_client_cb_cnt == 0)
4107 /*
4108 * If no old style callback then below should be 0
4109 * otherwise 1
4110 */
4111 || !TEST_true(psk_server_cb_cnt == idx))
4112 goto end;
4113 } else {
4114 if (!TEST_true(use_session_cb_cnt == 0)
4115 || !TEST_true(find_session_cb_cnt == 0)
4116 || !TEST_true(psk_client_cb_cnt == 1)
4117 || !TEST_true(psk_server_cb_cnt == 1))
4118 goto end;
4119 }
4120
4121 shutdown_ssl_connection(serverssl, clientssl);
4122 serverssl = clientssl = NULL;
4123 }
4124 testresult = 1;
4125
4126 end:
4127 SSL_SESSION_free(clientpsk);
4128 SSL_SESSION_free(serverpsk);
4129 clientpsk = serverpsk = NULL;
4130 SSL_free(serverssl);
4131 SSL_free(clientssl);
4132 SSL_CTX_free(sctx);
4133 SSL_CTX_free(cctx);
4134 return testresult;
4135 }
4136
4137 static unsigned char cookie_magic_value[] = "cookie magic";
4138
4139 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4140 unsigned int *cookie_len)
4141 {
4142 /*
4143 * Not suitable as a real cookie generation function but good enough for
4144 * testing!
4145 */
4146 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4147 *cookie_len = sizeof(cookie_magic_value) - 1;
4148
4149 return 1;
4150 }
4151
4152 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4153 unsigned int cookie_len)
4154 {
4155 if (cookie_len == sizeof(cookie_magic_value) - 1
4156 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4157 return 1;
4158
4159 return 0;
4160 }
4161
4162 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4163 size_t *cookie_len)
4164 {
4165 unsigned int temp;
4166 int res = generate_cookie_callback(ssl, cookie, &temp);
4167 *cookie_len = temp;
4168 return res;
4169 }
4170
4171 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4172 size_t cookie_len)
4173 {
4174 return verify_cookie_callback(ssl, cookie, cookie_len);
4175 }
4176
4177 static int test_stateless(void)
4178 {
4179 SSL_CTX *sctx = NULL, *cctx = NULL;
4180 SSL *serverssl = NULL, *clientssl = NULL;
4181 int testresult = 0;
4182
4183 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4184 TLS1_VERSION, 0,
4185 &sctx, &cctx, cert, privkey)))
4186 goto end;
4187
4188 /* The arrival of CCS messages can confuse the test */
4189 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4190
4191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4192 NULL, NULL))
4193 /* Send the first ClientHello */
4194 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4195 SSL_ERROR_WANT_READ))
4196 /*
4197 * This should fail with a -1 return because we have no callbacks
4198 * set up
4199 */
4200 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4201 goto end;
4202
4203 /* Fatal error so abandon the connection from this client */
4204 SSL_free(clientssl);
4205 clientssl = NULL;
4206
4207 /* Set up the cookie generation and verification callbacks */
4208 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4209 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4210
4211 /*
4212 * Create a new connection from the client (we can reuse the server SSL
4213 * object).
4214 */
4215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4216 NULL, NULL))
4217 /* Send the first ClientHello */
4218 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4219 SSL_ERROR_WANT_READ))
4220 /* This should fail because there is no cookie */
4221 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4222 goto end;
4223
4224 /* Abandon the connection from this client */
4225 SSL_free(clientssl);
4226 clientssl = NULL;
4227
4228 /*
4229 * Now create a connection from a new client but with the same server SSL
4230 * object
4231 */
4232 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4233 NULL, NULL))
4234 /* Send the first ClientHello */
4235 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4236 SSL_ERROR_WANT_READ))
4237 /* This should fail because there is no cookie */
4238 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4239 /* Send the second ClientHello */
4240 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4241 SSL_ERROR_WANT_READ))
4242 /* This should succeed because a cookie is now present */
4243 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4244 /* Complete the connection */
4245 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4246 SSL_ERROR_NONE)))
4247 goto end;
4248
4249 shutdown_ssl_connection(serverssl, clientssl);
4250 serverssl = clientssl = NULL;
4251 testresult = 1;
4252
4253 end:
4254 SSL_free(serverssl);
4255 SSL_free(clientssl);
4256 SSL_CTX_free(sctx);
4257 SSL_CTX_free(cctx);
4258 return testresult;
4259
4260 }
4261 #endif /* OPENSSL_NO_TLS1_3 */
4262
4263 static int clntaddoldcb = 0;
4264 static int clntparseoldcb = 0;
4265 static int srvaddoldcb = 0;
4266 static int srvparseoldcb = 0;
4267 static int clntaddnewcb = 0;
4268 static int clntparsenewcb = 0;
4269 static int srvaddnewcb = 0;
4270 static int srvparsenewcb = 0;
4271 static int snicb = 0;
4272
4273 #define TEST_EXT_TYPE1 0xff00
4274
4275 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4276 size_t *outlen, int *al, void *add_arg)
4277 {
4278 int *server = (int *)add_arg;
4279 unsigned char *data;
4280
4281 if (SSL_is_server(s))
4282 srvaddoldcb++;
4283 else
4284 clntaddoldcb++;
4285
4286 if (*server != SSL_is_server(s)
4287 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4288 return -1;
4289
4290 *data = 1;
4291 *out = data;
4292 *outlen = sizeof(char);
4293 return 1;
4294 }
4295
4296 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4297 void *add_arg)
4298 {
4299 OPENSSL_free((unsigned char *)out);
4300 }
4301
4302 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4303 size_t inlen, int *al, void *parse_arg)
4304 {
4305 int *server = (int *)parse_arg;
4306
4307 if (SSL_is_server(s))
4308 srvparseoldcb++;
4309 else
4310 clntparseoldcb++;
4311
4312 if (*server != SSL_is_server(s)
4313 || inlen != sizeof(char)
4314 || *in != 1)
4315 return -1;
4316
4317 return 1;
4318 }
4319
4320 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4321 const unsigned char **out, size_t *outlen, X509 *x,
4322 size_t chainidx, int *al, void *add_arg)
4323 {
4324 int *server = (int *)add_arg;
4325 unsigned char *data;
4326
4327 if (SSL_is_server(s))
4328 srvaddnewcb++;
4329 else
4330 clntaddnewcb++;
4331
4332 if (*server != SSL_is_server(s)
4333 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4334 return -1;
4335
4336 *data = 1;
4337 *out = data;
4338 *outlen = sizeof(*data);
4339 return 1;
4340 }
4341
4342 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4343 const unsigned char *out, void *add_arg)
4344 {
4345 OPENSSL_free((unsigned char *)out);
4346 }
4347
4348 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4349 const unsigned char *in, size_t inlen, X509 *x,
4350 size_t chainidx, int *al, void *parse_arg)
4351 {
4352 int *server = (int *)parse_arg;
4353
4354 if (SSL_is_server(s))
4355 srvparsenewcb++;
4356 else
4357 clntparsenewcb++;
4358
4359 if (*server != SSL_is_server(s)
4360 || inlen != sizeof(char) || *in != 1)
4361 return -1;
4362
4363 return 1;
4364 }
4365
4366 static int sni_cb(SSL *s, int *al, void *arg)
4367 {
4368 SSL_CTX *ctx = (SSL_CTX *)arg;
4369
4370 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4371 *al = SSL_AD_INTERNAL_ERROR;
4372 return SSL_TLSEXT_ERR_ALERT_FATAL;
4373 }
4374 snicb++;
4375 return SSL_TLSEXT_ERR_OK;
4376 }
4377
4378 /*
4379 * Custom call back tests.
4380 * Test 0: Old style callbacks in TLSv1.2
4381 * Test 1: New style callbacks in TLSv1.2
4382 * Test 2: New style callbacks in TLSv1.2 with SNI
4383 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4384 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4385 */
4386 static int test_custom_exts(int tst)
4387 {
4388 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4389 SSL *clientssl = NULL, *serverssl = NULL;
4390 int testresult = 0;
4391 static int server = 1;
4392 static int client = 0;
4393 SSL_SESSION *sess = NULL;
4394 unsigned int context;
4395
4396 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4397 /* Skip tests for TLSv1.2 and below in this case */
4398 if (tst < 3)
4399 return 1;
4400 #endif
4401
4402 /* Reset callback counters */
4403 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4404 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4405 snicb = 0;
4406
4407 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4408 TLS1_VERSION, 0,
4409 &sctx, &cctx, cert, privkey)))
4410 goto end;
4411
4412 if (tst == 2
4413 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4414 TLS1_VERSION, 0,
4415 &sctx2, NULL, cert, privkey)))
4416 goto end;
4417
4418
4419 if (tst < 3) {
4420 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4421 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4422 if (sctx2 != NULL)
4423 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4424 }
4425
4426 if (tst == 4) {
4427 context = SSL_EXT_CLIENT_HELLO
4428 | SSL_EXT_TLS1_2_SERVER_HELLO
4429 | SSL_EXT_TLS1_3_SERVER_HELLO
4430 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4431 | SSL_EXT_TLS1_3_CERTIFICATE
4432 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4433 } else {
4434 context = SSL_EXT_CLIENT_HELLO
4435 | SSL_EXT_TLS1_2_SERVER_HELLO
4436 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4437 }
4438
4439 /* Create a client side custom extension */
4440 if (tst == 0) {
4441 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4442 old_add_cb, old_free_cb,
4443 &client, old_parse_cb,
4444 &client)))
4445 goto end;
4446 } else {
4447 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4448 new_add_cb, new_free_cb,
4449 &client, new_parse_cb, &client)))
4450 goto end;
4451 }
4452
4453 /* Should not be able to add duplicates */
4454 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4455 old_add_cb, old_free_cb,
4456 &client, old_parse_cb,
4457 &client))
4458 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4459 context, new_add_cb,
4460 new_free_cb, &client,
4461 new_parse_cb, &client)))
4462 goto end;
4463
4464 /* Create a server side custom extension */
4465 if (tst == 0) {
4466 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4467 old_add_cb, old_free_cb,
4468 &server, old_parse_cb,
4469 &server)))
4470 goto end;
4471 } else {
4472 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4473 new_add_cb, new_free_cb,
4474 &server, new_parse_cb, &server)))
4475 goto end;
4476 if (sctx2 != NULL
4477 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4478 context, new_add_cb,
4479 new_free_cb, &server,
4480 new_parse_cb, &server)))
4481 goto end;
4482 }
4483
4484 /* Should not be able to add duplicates */
4485 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4486 old_add_cb, old_free_cb,
4487 &server, old_parse_cb,
4488 &server))
4489 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4490 context, new_add_cb,
4491 new_free_cb, &server,
4492 new_parse_cb, &server)))
4493 goto end;
4494
4495 if (tst == 2) {
4496 /* Set up SNI */
4497 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4498 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4499 goto end;
4500 }
4501
4502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4503 &clientssl, NULL, NULL))
4504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4505 SSL_ERROR_NONE)))
4506 goto end;
4507
4508 if (tst == 0) {
4509 if (clntaddoldcb != 1
4510 || clntparseoldcb != 1
4511 || srvaddoldcb != 1
4512 || srvparseoldcb != 1)
4513 goto end;
4514 } else if (tst == 1 || tst == 2 || tst == 3) {
4515 if (clntaddnewcb != 1
4516 || clntparsenewcb != 1
4517 || srvaddnewcb != 1
4518 || srvparsenewcb != 1
4519 || (tst != 2 && snicb != 0)
4520 || (tst == 2 && snicb != 1))
4521 goto end;
4522 } else {
4523 /* In this case there 2 NewSessionTicket messages created */
4524 if (clntaddnewcb != 1
4525 || clntparsenewcb != 5
4526 || srvaddnewcb != 5
4527 || srvparsenewcb != 1)
4528 goto end;
4529 }
4530
4531 sess = SSL_get1_session(clientssl);
4532 SSL_shutdown(clientssl);
4533 SSL_shutdown(serverssl);
4534 SSL_free(serverssl);
4535 SSL_free(clientssl);
4536 serverssl = clientssl = NULL;
4537
4538 if (tst == 3) {
4539 /* We don't bother with the resumption aspects for this test */
4540 testresult = 1;
4541 goto end;
4542 }
4543
4544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4545 NULL, NULL))
4546 || !TEST_true(SSL_set_session(clientssl, sess))
4547 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4548 SSL_ERROR_NONE)))
4549 goto end;
4550
4551 /*
4552 * For a resumed session we expect to add the ClientHello extension. For the
4553 * old style callbacks we ignore it on the server side because they set
4554 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4555 * them.
4556 */
4557 if (tst == 0) {
4558 if (clntaddoldcb != 2
4559 || clntparseoldcb != 1
4560 || srvaddoldcb != 1
4561 || srvparseoldcb != 1)
4562 goto end;
4563 } else if (tst == 1 || tst == 2 || tst == 3) {
4564 if (clntaddnewcb != 2
4565 || clntparsenewcb != 2
4566 || srvaddnewcb != 2
4567 || srvparsenewcb != 2)
4568 goto end;
4569 } else {
4570 /*
4571 * No Certificate message extensions in the resumption handshake,
4572 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4573 */
4574 if (clntaddnewcb != 2
4575 || clntparsenewcb != 8
4576 || srvaddnewcb != 8
4577 || srvparsenewcb != 2)
4578 goto end;
4579 }
4580
4581 testresult = 1;
4582
4583 end:
4584 SSL_SESSION_free(sess);
4585 SSL_free(serverssl);
4586 SSL_free(clientssl);
4587 SSL_CTX_free(sctx2);
4588 SSL_CTX_free(sctx);
4589 SSL_CTX_free(cctx);
4590 return testresult;
4591 }
4592
4593 /*
4594 * Test loading of serverinfo data in various formats. test_sslmessages actually
4595 * tests to make sure the extensions appear in the handshake
4596 */
4597 static int test_serverinfo(int tst)
4598 {
4599 unsigned int version;
4600 unsigned char *sibuf;
4601 size_t sibuflen;
4602 int ret, expected, testresult = 0;
4603 SSL_CTX *ctx;
4604
4605 ctx = SSL_CTX_new(TLS_method());
4606 if (!TEST_ptr(ctx))
4607 goto end;
4608
4609 if ((tst & 0x01) == 0x01)
4610 version = SSL_SERVERINFOV2;
4611 else
4612 version = SSL_SERVERINFOV1;
4613
4614 if ((tst & 0x02) == 0x02) {
4615 sibuf = serverinfov2;
4616 sibuflen = sizeof(serverinfov2);
4617 expected = (version == SSL_SERVERINFOV2);
4618 } else {
4619 sibuf = serverinfov1;
4620 sibuflen = sizeof(serverinfov1);
4621 expected = (version == SSL_SERVERINFOV1);
4622 }
4623
4624 if ((tst & 0x04) == 0x04) {
4625 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4626 } else {
4627 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4628
4629 /*
4630 * The version variable is irrelevant in this case - it's what is in the
4631 * buffer that matters
4632 */
4633 if ((tst & 0x02) == 0x02)
4634 expected = 0;
4635 else
4636 expected = 1;
4637 }
4638
4639 if (!TEST_true(ret == expected))
4640 goto end;
4641
4642 testresult = 1;
4643
4644 end:
4645 SSL_CTX_free(ctx);
4646
4647 return testresult;
4648 }
4649
4650 /*
4651 * Test that SSL_export_keying_material() produces expected results. There are
4652 * no test vectors so all we do is test that both sides of the communication
4653 * produce the same results for different protocol versions.
4654 */
4655 #define SMALL_LABEL_LEN 10
4656 #define LONG_LABEL_LEN 249
4657 static int test_export_key_mat(int tst)
4658 {
4659 int testresult = 0;
4660 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4661 SSL *clientssl = NULL, *serverssl = NULL;
4662 const char label[LONG_LABEL_LEN + 1] = "test label";
4663 const unsigned char context[] = "context";
4664 const unsigned char *emptycontext = NULL;
4665 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4666 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4667 size_t labellen;
4668 const int protocols[] = {
4669 TLS1_VERSION,
4670 TLS1_1_VERSION,
4671 TLS1_2_VERSION,
4672 TLS1_3_VERSION,
4673 TLS1_3_VERSION,
4674 TLS1_3_VERSION
4675 };
4676
4677 #ifdef OPENSSL_NO_TLS1
4678 if (tst == 0)
4679 return 1;
4680 #endif
4681 #ifdef OPENSSL_NO_TLS1_1
4682 if (tst == 1)
4683 return 1;
4684 #endif
4685 #ifdef OPENSSL_NO_TLS1_2
4686 if (tst == 2)
4687 return 1;
4688 #endif
4689 #ifdef OPENSSL_NO_TLS1_3
4690 if (tst >= 3)
4691 return 1;
4692 #endif
4693 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4694 TLS1_VERSION, 0,
4695 &sctx, &cctx, cert, privkey)))
4696 goto end;
4697
4698 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4699 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4700 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4701
4702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4703 NULL))
4704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4705 SSL_ERROR_NONE)))
4706 goto end;
4707
4708 if (tst == 5) {
4709 /*
4710 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4711 * go over that.
4712 */
4713 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4714 sizeof(ckeymat1), label,
4715 LONG_LABEL_LEN + 1, context,
4716 sizeof(context) - 1, 1), 0))
4717 goto end;
4718
4719 testresult = 1;
4720 goto end;
4721 } else if (tst == 4) {
4722 labellen = LONG_LABEL_LEN;
4723 } else {
4724 labellen = SMALL_LABEL_LEN;
4725 }
4726
4727 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4728 sizeof(ckeymat1), label,
4729 labellen, context,
4730 sizeof(context) - 1, 1), 1)
4731 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4732 sizeof(ckeymat2), label,
4733 labellen,
4734 emptycontext,
4735 0, 1), 1)
4736 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4737 sizeof(ckeymat3), label,
4738 labellen,
4739 NULL, 0, 0), 1)
4740 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4741 sizeof(skeymat1), label,
4742 labellen,
4743 context,
4744 sizeof(context) -1, 1),
4745 1)
4746 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4747 sizeof(skeymat2), label,
4748 labellen,
4749 emptycontext,
4750 0, 1), 1)
4751 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4752 sizeof(skeymat3), label,
4753 labellen,
4754 NULL, 0, 0), 1)
4755 /*
4756 * Check that both sides created the same key material with the
4757 * same context.
4758 */
4759 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4760 sizeof(skeymat1))
4761 /*
4762 * Check that both sides created the same key material with an
4763 * empty context.
4764 */
4765 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4766 sizeof(skeymat2))
4767 /*
4768 * Check that both sides created the same key material without a
4769 * context.
4770 */
4771 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4772 sizeof(skeymat3))
4773 /* Different contexts should produce different results */
4774 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4775 sizeof(ckeymat2)))
4776 goto end;
4777
4778 /*
4779 * Check that an empty context and no context produce different results in
4780 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4781 */
4782 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4783 sizeof(ckeymat3)))
4784 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4785 sizeof(ckeymat3))))
4786 goto end;
4787
4788 testresult = 1;
4789
4790 end:
4791 SSL_free(serverssl);
4792 SSL_free(clientssl);
4793 SSL_CTX_free(sctx2);
4794 SSL_CTX_free(sctx);
4795 SSL_CTX_free(cctx);
4796
4797 return testresult;
4798 }
4799
4800 #ifndef OPENSSL_NO_TLS1_3
4801 /*
4802 * Test that SSL_export_keying_material_early() produces expected
4803 * results. There are no test vectors so all we do is test that both
4804 * sides of the communication produce the same results for different
4805 * protocol versions.
4806 */
4807 static int test_export_key_mat_early(int idx)
4808 {
4809 static const char label[] = "test label";
4810 static const unsigned char context[] = "context";
4811 int testresult = 0;
4812 SSL_CTX *cctx = NULL, *sctx = NULL;
4813 SSL *clientssl = NULL, *serverssl = NULL;
4814 SSL_SESSION *sess = NULL;
4815 const unsigned char *emptycontext = NULL;
4816 unsigned char ckeymat1[80], ckeymat2[80];
4817 unsigned char skeymat1[80], skeymat2[80];
4818 unsigned char buf[1];
4819 size_t readbytes, written;
4820
4821 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4822 &sess, idx)))
4823 goto end;
4824
4825 /* Here writing 0 length early data is enough. */
4826 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4827 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4828 &readbytes),
4829 SSL_READ_EARLY_DATA_ERROR)
4830 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4831 SSL_EARLY_DATA_ACCEPTED))
4832 goto end;
4833
4834 if (!TEST_int_eq(SSL_export_keying_material_early(
4835 clientssl, ckeymat1, sizeof(ckeymat1), label,
4836 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4837 || !TEST_int_eq(SSL_export_keying_material_early(
4838 clientssl, ckeymat2, sizeof(ckeymat2), label,
4839 sizeof(label) - 1, emptycontext, 0), 1)
4840 || !TEST_int_eq(SSL_export_keying_material_early(
4841 serverssl, skeymat1, sizeof(skeymat1), label,
4842 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4843 || !TEST_int_eq(SSL_export_keying_material_early(
4844 serverssl, skeymat2, sizeof(skeymat2), label,
4845 sizeof(label) - 1, emptycontext, 0), 1)
4846 /*
4847 * Check that both sides created the same key material with the
4848 * same context.
4849 */
4850 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4851 sizeof(skeymat1))
4852 /*
4853 * Check that both sides created the same key material with an
4854 * empty context.
4855 */
4856 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4857 sizeof(skeymat2))
4858 /* Different contexts should produce different results */
4859 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4860 sizeof(ckeymat2)))
4861 goto end;
4862
4863 testresult = 1;
4864
4865 end:
4866 SSL_SESSION_free(sess);
4867 SSL_SESSION_free(clientpsk);
4868 SSL_SESSION_free(serverpsk);
4869 clientpsk = serverpsk = NULL;
4870 SSL_free(serverssl);
4871 SSL_free(clientssl);
4872 SSL_CTX_free(sctx);
4873 SSL_CTX_free(cctx);
4874
4875 return testresult;
4876 }
4877
4878 #define NUM_KEY_UPDATE_MESSAGES 40
4879 /*
4880 * Test KeyUpdate.
4881 */
4882 static int test_key_update(void)
4883 {
4884 SSL_CTX *cctx = NULL, *sctx = NULL;
4885 SSL *clientssl = NULL, *serverssl = NULL;
4886 int testresult = 0, i, j;
4887 char buf[20];
4888 static char *mess = "A test message";
4889
4890 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4891 TLS_client_method(),
4892 TLS1_3_VERSION,
4893 0,
4894 &sctx, &cctx, cert, privkey))
4895 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4896 NULL, NULL))
4897 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4898 SSL_ERROR_NONE)))
4899 goto end;
4900
4901 for (j = 0; j < 2; j++) {
4902 /* Send lots of KeyUpdate messages */
4903 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4904 if (!TEST_true(SSL_key_update(clientssl,
4905 (j == 0)
4906 ? SSL_KEY_UPDATE_NOT_REQUESTED
4907 : SSL_KEY_UPDATE_REQUESTED))
4908 || !TEST_true(SSL_do_handshake(clientssl)))
4909 goto end;
4910 }
4911
4912 /* Check that sending and receiving app data is ok */
4913 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4914 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4915 strlen(mess)))
4916 goto end;
4917
4918 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4919 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4920 strlen(mess)))
4921 goto end;
4922 }
4923
4924 testresult = 1;
4925
4926 end:
4927 SSL_free(serverssl);
4928 SSL_free(clientssl);
4929 SSL_CTX_free(sctx);
4930 SSL_CTX_free(cctx);
4931
4932 return testresult;
4933 }
4934
4935 /*
4936 * Test we can handle a KeyUpdate (update requested) message while write data
4937 * is pending.
4938 * Test 0: Client sends KeyUpdate while Server is writing
4939 * Test 1: Server sends KeyUpdate while Client is writing
4940 */
4941 static int test_key_update_in_write(int tst)
4942 {
4943 SSL_CTX *cctx = NULL, *sctx = NULL;
4944 SSL *clientssl = NULL, *serverssl = NULL;
4945 int testresult = 0;
4946 char buf[20];
4947 static char *mess = "A test message";
4948 BIO *bretry = BIO_new(bio_s_always_retry());
4949 BIO *tmp = NULL;
4950 SSL *peerupdate = NULL, *peerwrite = NULL;
4951
4952 if (!TEST_ptr(bretry)
4953 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4954 TLS_client_method(),
4955 TLS1_3_VERSION,
4956 0,
4957 &sctx, &cctx, cert, privkey))
4958 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4959 NULL, NULL))
4960 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4961 SSL_ERROR_NONE)))
4962 goto end;
4963
4964 peerupdate = tst == 0 ? clientssl : serverssl;
4965 peerwrite = tst == 0 ? serverssl : clientssl;
4966
4967 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4968 || !TEST_true(SSL_do_handshake(peerupdate)))
4969 goto end;
4970
4971 /* Swap the writing endpoint's write BIO to force a retry */
4972 tmp = SSL_get_wbio(peerwrite);
4973 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4974 tmp = NULL;
4975 goto end;
4976 }
4977 SSL_set0_wbio(peerwrite, bretry);
4978 bretry = NULL;
4979
4980 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4981 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4982 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4983 goto end;
4984
4985 /* Reinstate the original writing endpoint's write BIO */
4986 SSL_set0_wbio(peerwrite, tmp);
4987 tmp = NULL;
4988
4989 /* Now read some data - we will read the key update */
4990 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4991 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4992 goto end;
4993
4994 /*
4995 * Complete the write we started previously and read it from the other
4996 * endpoint
4997 */
4998 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4999 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5000 goto end;
5001
5002 /* Write more data to ensure we send the KeyUpdate message back */
5003 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5004 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5005 goto end;
5006
5007 testresult = 1;
5008
5009 end:
5010 SSL_free(serverssl);
5011 SSL_free(clientssl);
5012 SSL_CTX_free(sctx);
5013 SSL_CTX_free(cctx);
5014 BIO_free(bretry);
5015 BIO_free(tmp);
5016
5017 return testresult;
5018 }
5019 #endif /* OPENSSL_NO_TLS1_3 */
5020
5021 static int test_ssl_clear(int idx)
5022 {
5023 SSL_CTX *cctx = NULL, *sctx = NULL;
5024 SSL *clientssl = NULL, *serverssl = NULL;
5025 int testresult = 0;
5026
5027 #ifdef OPENSSL_NO_TLS1_2
5028 if (idx == 1)
5029 return 1;
5030 #endif
5031
5032 /* Create an initial connection */
5033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5034 TLS1_VERSION, 0,
5035 &sctx, &cctx, cert, privkey))
5036 || (idx == 1
5037 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5038 TLS1_2_VERSION)))
5039 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5040 &clientssl, NULL, NULL))
5041 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5042 SSL_ERROR_NONE)))
5043 goto end;
5044
5045 SSL_shutdown(clientssl);
5046 SSL_shutdown(serverssl);
5047 SSL_free(serverssl);
5048 serverssl = NULL;
5049
5050 /* Clear clientssl - we're going to reuse the object */
5051 if (!TEST_true(SSL_clear(clientssl)))
5052 goto end;
5053
5054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5055 NULL, NULL))
5056 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5057 SSL_ERROR_NONE))
5058 || !TEST_true(SSL_session_reused(clientssl)))
5059 goto end;
5060
5061 SSL_shutdown(clientssl);
5062 SSL_shutdown(serverssl);
5063
5064 testresult = 1;
5065
5066 end:
5067 SSL_free(serverssl);
5068 SSL_free(clientssl);
5069 SSL_CTX_free(sctx);
5070 SSL_CTX_free(cctx);
5071
5072 return testresult;
5073 }
5074
5075 /* Parse CH and retrieve any MFL extension value if present */
5076 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5077 {
5078 long len;
5079 unsigned char *data;
5080 PACKET pkt, pkt2, pkt3;
5081 unsigned int MFL_code = 0, type = 0;
5082
5083 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5084 goto end;
5085
5086 memset(&pkt, 0, sizeof(pkt));
5087 memset(&pkt2, 0, sizeof(pkt2));
5088 memset(&pkt3, 0, sizeof(pkt3));
5089
5090 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5091 /* Skip the record header */
5092 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5093 /* Skip the handshake message header */
5094 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5095 /* Skip client version and random */
5096 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5097 + SSL3_RANDOM_SIZE))
5098 /* Skip session id */
5099 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5100 /* Skip ciphers */
5101 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5102 /* Skip compression */
5103 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5104 /* Extensions len */
5105 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5106 goto end;
5107
5108 /* Loop through all extensions */
5109 while (PACKET_remaining(&pkt2)) {
5110 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5111 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5112 goto end;
5113
5114 if (type == TLSEXT_TYPE_max_fragment_length) {
5115 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5116 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5117 goto end;
5118
5119 *mfl_codemfl_code = MFL_code;
5120 return 1;
5121 }
5122 }
5123
5124 end:
5125 return 0;
5126 }
5127
5128 /* Maximum-Fragment-Length TLS extension mode to test */
5129 static const unsigned char max_fragment_len_test[] = {
5130 TLSEXT_max_fragment_length_512,
5131 TLSEXT_max_fragment_length_1024,
5132 TLSEXT_max_fragment_length_2048,
5133 TLSEXT_max_fragment_length_4096
5134 };
5135
5136 static int test_max_fragment_len_ext(int idx_tst)
5137 {
5138 SSL_CTX *ctx;
5139 SSL *con = NULL;
5140 int testresult = 0, MFL_mode = 0;
5141 BIO *rbio, *wbio;
5142
5143 ctx = SSL_CTX_new(TLS_method());
5144 if (!TEST_ptr(ctx))
5145 goto end;
5146
5147 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5148 ctx, max_fragment_len_test[idx_tst])))
5149 goto end;
5150
5151 con = SSL_new(ctx);
5152 if (!TEST_ptr(con))
5153 goto end;
5154
5155 rbio = BIO_new(BIO_s_mem());
5156 wbio = BIO_new(BIO_s_mem());
5157 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5158 BIO_free(rbio);
5159 BIO_free(wbio);
5160 goto end;
5161 }
5162
5163 SSL_set_bio(con, rbio, wbio);
5164 SSL_set_connect_state(con);
5165
5166 if (!TEST_int_le(SSL_connect(con), 0)) {
5167 /* This shouldn't succeed because we don't have a server! */
5168 goto end;
5169 }
5170
5171 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5172 /* no MFL in client hello */
5173 goto end;
5174 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5175 goto end;
5176
5177 testresult = 1;
5178
5179 end:
5180 SSL_free(con);
5181 SSL_CTX_free(ctx);
5182
5183 return testresult;
5184 }
5185
5186 #ifndef OPENSSL_NO_TLS1_3
5187 static int test_pha_key_update(void)
5188 {
5189 SSL_CTX *cctx = NULL, *sctx = NULL;
5190 SSL *clientssl = NULL, *serverssl = NULL;
5191 int testresult = 0;
5192
5193 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5194 TLS1_VERSION, 0,
5195 &sctx, &cctx, cert, privkey)))
5196 return 0;
5197
5198 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5199 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5200 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5201 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5202 goto end;
5203
5204 SSL_CTX_set_post_handshake_auth(cctx, 1);
5205
5206 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5207 NULL, NULL)))
5208 goto end;
5209
5210 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5211 SSL_ERROR_NONE)))
5212 goto end;
5213
5214 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5215 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5216 goto end;
5217
5218 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5219 goto end;
5220
5221 /* Start handshake on the server */
5222 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5223 goto end;
5224
5225 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5226 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5227 SSL_ERROR_NONE)))
5228 goto end;
5229
5230 SSL_shutdown(clientssl);
5231 SSL_shutdown(serverssl);
5232
5233 testresult = 1;
5234
5235 end:
5236 SSL_free(serverssl);
5237 SSL_free(clientssl);
5238 SSL_CTX_free(sctx);
5239 SSL_CTX_free(cctx);
5240 return testresult;
5241 }
5242 #endif
5243
5244 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5245
5246 static SRP_VBASE *vbase = NULL;
5247
5248 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5249 {
5250 int ret = SSL3_AL_FATAL;
5251 char *username;
5252 SRP_user_pwd *user = NULL;
5253
5254 username = SSL_get_srp_username(s);
5255 if (username == NULL) {
5256 *ad = SSL_AD_INTERNAL_ERROR;
5257 goto err;
5258 }
5259
5260 user = SRP_VBASE_get1_by_user(vbase, username);
5261 if (user == NULL) {
5262 *ad = SSL_AD_INTERNAL_ERROR;
5263 goto err;
5264 }
5265
5266 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5267 user->info) <= 0) {
5268 *ad = SSL_AD_INTERNAL_ERROR;
5269 goto err;
5270 }
5271
5272 ret = 0;
5273
5274 err:
5275 SRP_user_pwd_free(user);
5276 return ret;
5277 }
5278
5279 static int create_new_vfile(char *userid, char *password, const char *filename)
5280 {
5281 char *gNid = NULL;
5282 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5283 TXT_DB *db = NULL;
5284 int ret = 0;
5285 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5286 size_t i;
5287
5288 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5289 goto end;
5290
5291 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5292 &row[DB_srpverifier], NULL, NULL);
5293 if (!TEST_ptr(gNid))
5294 goto end;
5295
5296 /*
5297 * The only way to create an empty TXT_DB is to provide a BIO with no data
5298 * in it!
5299 */
5300 db = TXT_DB_read(dummy, DB_NUMBER);
5301 if (!TEST_ptr(db))
5302 goto end;
5303
5304 out = BIO_new_file(filename, "w");
5305 if (!TEST_ptr(out))
5306 goto end;
5307
5308 row[DB_srpid] = OPENSSL_strdup(userid);
5309 row[DB_srptype] = OPENSSL_strdup("V");
5310 row[DB_srpgN] = OPENSSL_strdup(gNid);
5311
5312 if (!TEST_ptr(row[DB_srpid])
5313 || !TEST_ptr(row[DB_srptype])
5314 || !TEST_ptr(row[DB_srpgN])
5315 || !TEST_true(TXT_DB_insert(db, row)))
5316 goto end;
5317
5318 row = NULL;
5319
5320 if (!TXT_DB_write(out, db))
5321 goto end;
5322
5323 ret = 1;
5324 end:
5325 if (row != NULL) {
5326 for (i = 0; i < DB_NUMBER; i++)
5327 OPENSSL_free(row[i]);
5328 }
5329 OPENSSL_free(row);
5330 BIO_free(dummy);
5331 BIO_free(out);
5332 TXT_DB_free(db);
5333
5334 return ret;
5335 }
5336
5337 static int create_new_vbase(char *userid, char *password)
5338 {
5339 BIGNUM *verifier = NULL, *salt = NULL;
5340 const SRP_gN *lgN = NULL;
5341 SRP_user_pwd *user_pwd = NULL;
5342 int ret = 0;
5343
5344 lgN = SRP_get_default_gN(NULL);
5345 if (!TEST_ptr(lgN))
5346 goto end;
5347
5348 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5349 lgN->N, lgN->g)))
5350 goto end;
5351
5352 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5353 if (!TEST_ptr(user_pwd))
5354 goto end;
5355
5356 user_pwd->N = lgN->N;
5357 user_pwd->g = lgN->g;
5358 user_pwd->id = OPENSSL_strdup(userid);
5359 if (!TEST_ptr(user_pwd->id))
5360 goto end;
5361
5362 user_pwd->v = verifier;
5363 user_pwd->s = salt;
5364 verifier = salt = NULL;
5365
5366 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5367 goto end;
5368 user_pwd = NULL;
5369
5370 ret = 1;
5371 end:
5372 SRP_user_pwd_free(user_pwd);
5373 BN_free(salt);
5374 BN_free(verifier);
5375
5376 return ret;
5377 }
5378
5379 /*
5380 * SRP tests
5381 *
5382 * Test 0: Simple successful SRP connection, new vbase
5383 * Test 1: Connection failure due to bad password, new vbase
5384 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5385 * Test 3: Connection failure due to bad password, vbase loaded from existing
5386 * file
5387 * Test 4: Simple successful SRP connection, vbase loaded from new file
5388 * Test 5: Connection failure due to bad password, vbase loaded from new file
5389 */
5390 static int test_srp(int tst)
5391 {
5392 char *userid = "test", *password = "password", *tstsrpfile;
5393 SSL_CTX *cctx = NULL, *sctx = NULL;
5394 SSL *clientssl = NULL, *serverssl = NULL;
5395 int ret, testresult = 0;
5396
5397 vbase = SRP_VBASE_new(NULL);
5398 if (!TEST_ptr(vbase))
5399 goto end;
5400
5401 if (tst == 0 || tst == 1) {
5402 if (!TEST_true(create_new_vbase(userid, password)))
5403 goto end;
5404 } else {
5405 if (tst == 4 || tst == 5) {
5406 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5407 goto end;
5408 tstsrpfile = tmpfilename;
5409 } else {
5410 tstsrpfile = srpvfile;
5411 }
5412 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5413 goto end;
5414 }
5415
5416 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5417 TLS1_VERSION, 0,
5418 &sctx, &cctx, cert, privkey)))
5419 goto end;
5420
5421 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5422 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5423 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5424 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5425 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5426 goto end;
5427
5428 if (tst % 2 == 1) {
5429 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5430 goto end;
5431 } else {
5432 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5433 goto end;
5434 }
5435
5436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5437 NULL, NULL)))
5438 goto end;
5439
5440 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5441 if (ret) {
5442 if (!TEST_true(tst % 2 == 0))
5443 goto end;
5444 } else {
5445 if (!TEST_true(tst % 2 == 1))
5446 goto end;
5447 }
5448
5449 testresult = 1;
5450
5451 end:
5452 SRP_VBASE_free(vbase);
5453 vbase = NULL;
5454 SSL_free(serverssl);
5455 SSL_free(clientssl);
5456 SSL_CTX_free(sctx);
5457 SSL_CTX_free(cctx);
5458
5459 return testresult;
5460 }
5461 #endif
5462
5463 static int info_cb_failed = 0;
5464 static int info_cb_offset = 0;
5465 static int info_cb_this_state = -1;
5466
5467 static struct info_cb_states_st {
5468 int where;
5469 const char *statestr;
5470 } info_cb_states[][60] = {
5471 {
5472 /* TLSv1.2 server followed by resumption */
5473 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5474 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5475 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5476 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5477 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5478 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5479 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5480 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5481 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5482 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5483 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5484 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5485 {SSL_CB_EXIT, NULL}, {0, NULL},
5486 }, {
5487 /* TLSv1.2 client followed by resumption */
5488 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5489 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5490 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5491 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5492 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5493 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5494 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5495 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5496 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5497 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5498 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5499 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5500 }, {
5501 /* TLSv1.3 server followed by resumption */
5502 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5503 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5504 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5505 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5506 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5507 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5508 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5509 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5510 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5511 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5512 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5513 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5514 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5515 }, {
5516 /* TLSv1.3 client followed by resumption */
5517 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5518 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5519 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5520 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5521 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5522 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5523 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5524 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5525 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5526 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5527 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5528 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5529 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5530 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5531 {SSL_CB_EXIT, NULL}, {0, NULL},
5532 }, {
5533 /* TLSv1.3 server, early_data */
5534 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5535 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5536 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5537 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5538 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5539 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5540 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5541 {SSL_CB_EXIT, NULL}, {0, NULL},
5542 }, {
5543 /* TLSv1.3 client, early_data */
5544 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5545 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5546 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5547 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5548 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5549 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5550 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5551 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5552 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5553 }, {
5554 {0, NULL},
5555 }
5556 };
5557
5558 static void sslapi_info_callback(const SSL *s, int where, int ret)
5559 {
5560 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5561
5562 /* We do not ever expect a connection to fail in this test */
5563 if (!TEST_false(ret == 0)) {
5564 info_cb_failed = 1;
5565 return;
5566 }
5567
5568 /*
5569 * Do some sanity checks. We never expect these things to happen in this
5570 * test
5571 */
5572 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5573 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5574 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5575 info_cb_failed = 1;
5576 return;
5577 }
5578
5579 /* Now check we're in the right state */
5580 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5581 info_cb_failed = 1;
5582 return;
5583 }
5584 if ((where & SSL_CB_LOOP) != 0
5585 && !TEST_int_eq(strcmp(SSL_state_string(s),
5586 state[info_cb_this_state].statestr), 0)) {
5587 info_cb_failed = 1;
5588 return;
5589 }
5590
5591 /*
5592 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5593 */
5594 if ((where & SSL_CB_HANDSHAKE_DONE)
5595 && SSL_in_init((SSL *)s) != 0) {
5596 info_cb_failed = 1;
5597 return;
5598 }
5599 }
5600
5601 /*
5602 * Test the info callback gets called when we expect it to.
5603 *
5604 * Test 0: TLSv1.2, server
5605 * Test 1: TLSv1.2, client
5606 * Test 2: TLSv1.3, server
5607 * Test 3: TLSv1.3, client
5608 * Test 4: TLSv1.3, server, early_data
5609 * Test 5: TLSv1.3, client, early_data
5610 */
5611 static int test_info_callback(int tst)
5612 {
5613 SSL_CTX *cctx = NULL, *sctx = NULL;
5614 SSL *clientssl = NULL, *serverssl = NULL;
5615 SSL_SESSION *clntsess = NULL;
5616 int testresult = 0;
5617 int tlsvers;
5618
5619 if (tst < 2) {
5620 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5621 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5622 || !defined(OPENSSL_NO_DH))
5623 tlsvers = TLS1_2_VERSION;
5624 #else
5625 return 1;
5626 #endif
5627 } else {
5628 #ifndef OPENSSL_NO_TLS1_3
5629 tlsvers = TLS1_3_VERSION;
5630 #else
5631 return 1;
5632 #endif
5633 }
5634
5635 /* Reset globals */
5636 info_cb_failed = 0;
5637 info_cb_this_state = -1;
5638 info_cb_offset = tst;
5639
5640 #ifndef OPENSSL_NO_TLS1_3
5641 if (tst >= 4) {
5642 SSL_SESSION *sess = NULL;
5643 size_t written, readbytes;
5644 unsigned char buf[80];
5645
5646 /* early_data tests */
5647 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5648 &serverssl, &sess, 0)))
5649 goto end;
5650
5651 /* We don't actually need this reference */
5652 SSL_SESSION_free(sess);
5653
5654 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5655 sslapi_info_callback);
5656
5657 /* Write and read some early data and then complete the connection */
5658 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5659 &written))
5660 || !TEST_size_t_eq(written, strlen(MSG1))
5661 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5662 sizeof(buf), &readbytes),
5663 SSL_READ_EARLY_DATA_SUCCESS)
5664 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5665 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5666 SSL_EARLY_DATA_ACCEPTED)
5667 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5668 SSL_ERROR_NONE))
5669 || !TEST_false(info_cb_failed))
5670 goto end;
5671
5672 testresult = 1;
5673 goto end;
5674 }
5675 #endif
5676
5677 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5678 TLS_client_method(),
5679 tlsvers, tlsvers, &sctx, &cctx, cert,
5680 privkey)))
5681 goto end;
5682
5683 /*
5684 * For even numbered tests we check the server callbacks. For odd numbers we
5685 * check the client.
5686 */
5687 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5688 sslapi_info_callback);
5689
5690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5691 &clientssl, NULL, NULL))
5692 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5693 SSL_ERROR_NONE))
5694 || !TEST_false(info_cb_failed))
5695 goto end;
5696
5697
5698
5699 clntsess = SSL_get1_session(clientssl);
5700 SSL_shutdown(clientssl);
5701 SSL_shutdown(serverssl);
5702 SSL_free(serverssl);
5703 SSL_free(clientssl);
5704 serverssl = clientssl = NULL;
5705
5706 /* Now do a resumption */
5707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5708 NULL))
5709 || !TEST_true(SSL_set_session(clientssl, clntsess))
5710 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5711 SSL_ERROR_NONE))
5712 || !TEST_true(SSL_session_reused(clientssl))
5713 || !TEST_false(info_cb_failed))
5714 goto end;
5715
5716 testresult = 1;
5717
5718 end:
5719 SSL_free(serverssl);
5720 SSL_free(clientssl);
5721 SSL_SESSION_free(clntsess);
5722 SSL_CTX_free(sctx);
5723 SSL_CTX_free(cctx);
5724 return testresult;
5725 }
5726
5727 static int test_ssl_pending(int tst)
5728 {
5729 SSL_CTX *cctx = NULL, *sctx = NULL;
5730 SSL *clientssl = NULL, *serverssl = NULL;
5731 int testresult = 0;
5732 char msg[] = "A test message";
5733 char buf[5];
5734 size_t written, readbytes;
5735
5736 if (tst == 0) {
5737 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5738 TLS_client_method(),
5739 TLS1_VERSION, 0,
5740 &sctx, &cctx, cert, privkey)))
5741 goto end;
5742 } else {
5743 #ifndef OPENSSL_NO_DTLS
5744 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5745 DTLS_client_method(),
5746 DTLS1_VERSION, 0,
5747 &sctx, &cctx, cert, privkey)))
5748 goto end;
5749 #else
5750 return 1;
5751 #endif
5752 }
5753
5754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5755 NULL, NULL))
5756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5757 SSL_ERROR_NONE)))
5758 goto end;
5759
5760 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5761 || !TEST_false(SSL_has_pending(clientssl))
5762 || !TEST_int_eq(SSL_pending(serverssl), 0)
5763 || !TEST_false(SSL_has_pending(serverssl))
5764 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5765 || !TEST_size_t_eq(written, sizeof(msg))
5766 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5767 || !TEST_size_t_eq(readbytes, sizeof(buf))
5768 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5769 || !TEST_true(SSL_has_pending(clientssl)))
5770 goto end;
5771
5772 testresult = 1;
5773
5774 end:
5775 SSL_free(serverssl);
5776 SSL_free(clientssl);
5777 SSL_CTX_free(sctx);
5778 SSL_CTX_free(cctx);
5779
5780 return testresult;
5781 }
5782
5783 static struct {
5784 unsigned int maxprot;
5785 const char *clntciphers;
5786 const char *clnttls13ciphers;
5787 const char *srvrciphers;
5788 const char *srvrtls13ciphers;
5789 const char *shared;
5790 } shared_ciphers_data[] = {
5791 /*
5792 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5793 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5794 */
5795 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5796 {
5797 TLS1_2_VERSION,
5798 "AES128-SHA:AES256-SHA",
5799 NULL,
5800 "AES256-SHA:DHE-RSA-AES128-SHA",
5801 NULL,
5802 "AES256-SHA"
5803 },
5804 {
5805 TLS1_2_VERSION,
5806 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5807 NULL,
5808 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5809 NULL,
5810 "AES128-SHA:AES256-SHA"
5811 },
5812 {
5813 TLS1_2_VERSION,
5814 "AES128-SHA:AES256-SHA",
5815 NULL,
5816 "AES128-SHA:DHE-RSA-AES128-SHA",
5817 NULL,
5818 "AES128-SHA"
5819 },
5820 #endif
5821 /*
5822 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5823 * enabled.
5824 */
5825 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5826 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5827 {
5828 TLS1_3_VERSION,
5829 "AES128-SHA:AES256-SHA",
5830 NULL,
5831 "AES256-SHA:AES128-SHA256",
5832 NULL,
5833 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5834 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5835 },
5836 #endif
5837 #ifndef OPENSSL_NO_TLS1_3
5838 {
5839 TLS1_3_VERSION,
5840 "AES128-SHA",
5841 "TLS_AES_256_GCM_SHA384",
5842 "AES256-SHA",
5843 "TLS_AES_256_GCM_SHA384",
5844 "TLS_AES_256_GCM_SHA384"
5845 },
5846 #endif
5847 };
5848
5849 static int test_ssl_get_shared_ciphers(int tst)
5850 {
5851 SSL_CTX *cctx = NULL, *sctx = NULL;
5852 SSL *clientssl = NULL, *serverssl = NULL;
5853 int testresult = 0;
5854 char buf[1024];
5855
5856 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5857 TLS_client_method(),
5858 TLS1_VERSION,
5859 shared_ciphers_data[tst].maxprot,
5860 &sctx, &cctx, cert, privkey)))
5861 goto end;
5862
5863 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5864 shared_ciphers_data[tst].clntciphers))
5865 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5866 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5867 shared_ciphers_data[tst].clnttls13ciphers)))
5868 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5869 shared_ciphers_data[tst].srvrciphers))
5870 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5871 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5872 shared_ciphers_data[tst].srvrtls13ciphers))))
5873 goto end;
5874
5875
5876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5877 NULL, NULL))
5878 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5879 SSL_ERROR_NONE)))
5880 goto end;
5881
5882 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5883 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5884 TEST_info("Shared ciphers are: %s\n", buf);
5885 goto end;
5886 }
5887
5888 testresult = 1;
5889
5890 end:
5891 SSL_free(serverssl);
5892 SSL_free(clientssl);
5893 SSL_CTX_free(sctx);
5894 SSL_CTX_free(cctx);
5895
5896 return testresult;
5897 }
5898
5899 static const char *appdata = "Hello World";
5900 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5901 static int tick_key_renew = 0;
5902 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5903
5904 static int gen_tick_cb(SSL *s, void *arg)
5905 {
5906 gen_tick_called = 1;
5907
5908 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5909 strlen(appdata));
5910 }
5911
5912 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5913 const unsigned char *keyname,
5914 size_t keyname_length,
5915 SSL_TICKET_STATUS status,
5916 void *arg)
5917 {
5918 void *tickdata;
5919 size_t tickdlen;
5920
5921 dec_tick_called = 1;
5922
5923 if (status == SSL_TICKET_EMPTY)
5924 return SSL_TICKET_RETURN_IGNORE_RENEW;
5925
5926 if (!TEST_true(status == SSL_TICKET_SUCCESS
5927 || status == SSL_TICKET_SUCCESS_RENEW))
5928 return SSL_TICKET_RETURN_ABORT;
5929
5930 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5931 &tickdlen))
5932 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5933 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5934 return SSL_TICKET_RETURN_ABORT;
5935
5936 if (tick_key_cb_called) {
5937 /* Don't change what the ticket key callback wanted to do */
5938 switch (status) {
5939 case SSL_TICKET_NO_DECRYPT:
5940 return SSL_TICKET_RETURN_IGNORE_RENEW;
5941
5942 case SSL_TICKET_SUCCESS:
5943 return SSL_TICKET_RETURN_USE;
5944
5945 case SSL_TICKET_SUCCESS_RENEW:
5946 return SSL_TICKET_RETURN_USE_RENEW;
5947
5948 default:
5949 return SSL_TICKET_RETURN_ABORT;
5950 }
5951 }
5952 return tick_dec_ret;
5953
5954 }
5955
5956 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5957 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5958 HMAC_CTX *hctx, int enc)
5959 {
5960 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5961 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5962
5963 tick_key_cb_called = 1;
5964 memset(iv, 0, AES_BLOCK_SIZE);
5965 memset(key_name, 0, 16);
5966 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5967 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5968 EVP_sha256(), NULL))
5969 return -1;
5970
5971 return tick_key_renew ? 2 : 1;
5972 }
5973
5974 /*
5975 * Test the various ticket callbacks
5976 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5977 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5978 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5979 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5980 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5981 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5982 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5983 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5984 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5985 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5986 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5987 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5988 */
5989 static int test_ticket_callbacks(int tst)
5990 {
5991 SSL_CTX *cctx = NULL, *sctx = NULL;
5992 SSL *clientssl = NULL, *serverssl = NULL;
5993 SSL_SESSION *clntsess = NULL;
5994 int testresult = 0;
5995
5996 #ifdef OPENSSL_NO_TLS1_2
5997 if (tst % 2 == 0)
5998 return 1;
5999 #endif
6000 #ifdef OPENSSL_NO_TLS1_3
6001 if (tst % 2 == 1)
6002 return 1;
6003 #endif
6004
6005 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6006
6007 /* Which tests the ticket key callback should request renewal for */
6008 if (tst == 10 || tst == 11)
6009 tick_key_renew = 1;
6010 else
6011 tick_key_renew = 0;
6012
6013 /* Which tests the decrypt ticket callback should request renewal for */
6014 switch (tst) {
6015 case 0:
6016 case 1:
6017 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6018 break;
6019
6020 case 2:
6021 case 3:
6022 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6023 break;
6024
6025 case 4:
6026 case 5:
6027 tick_dec_ret = SSL_TICKET_RETURN_USE;
6028 break;
6029
6030 case 6:
6031 case 7:
6032 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6033 break;
6034
6035 default:
6036 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6037 }
6038
6039 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6040 TLS_client_method(),
6041 TLS1_VERSION,
6042 ((tst % 2) == 0) ? TLS1_2_VERSION
6043 : TLS1_3_VERSION,
6044 &sctx, &cctx, cert, privkey)))
6045 goto end;
6046
6047 /*
6048 * We only want sessions to resume from tickets - not the session cache. So
6049 * switch the cache off.
6050 */
6051 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6052 goto end;
6053
6054 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6055 NULL)))
6056 goto end;
6057
6058 if (tst >= 8
6059 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6060 goto end;
6061
6062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6063 NULL, NULL))
6064 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6065 SSL_ERROR_NONE)))
6066 goto end;
6067
6068 /*
6069 * The decrypt ticket key callback in TLSv1.2 should be called even though
6070 * we have no ticket yet, because it gets called with a status of
6071 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6072 * actually send any ticket data). This does not happen in TLSv1.3 because
6073 * it is not valid to send empty ticket data in TLSv1.3.
6074 */
6075 if (!TEST_int_eq(gen_tick_called, 1)
6076 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6077 goto end;
6078
6079 gen_tick_called = dec_tick_called = 0;
6080
6081 clntsess = SSL_get1_session(clientssl);
6082 SSL_shutdown(clientssl);
6083 SSL_shutdown(serverssl);
6084 SSL_free(serverssl);
6085 SSL_free(clientssl);
6086 serverssl = clientssl = NULL;
6087
6088 /* Now do a resumption */
6089 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6090 NULL))
6091 || !TEST_true(SSL_set_session(clientssl, clntsess))
6092 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6093 SSL_ERROR_NONE)))
6094 goto end;
6095
6096 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6097 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6098 if (!TEST_false(SSL_session_reused(clientssl)))
6099 goto end;
6100 } else {
6101 if (!TEST_true(SSL_session_reused(clientssl)))
6102 goto end;
6103 }
6104
6105 if (!TEST_int_eq(gen_tick_called,
6106 (tick_key_renew
6107 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6108 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6109 ? 1 : 0)
6110 || !TEST_int_eq(dec_tick_called, 1))
6111 goto end;
6112
6113 testresult = 1;
6114
6115 end:
6116 SSL_SESSION_free(clntsess);
6117 SSL_free(serverssl);
6118 SSL_free(clientssl);
6119 SSL_CTX_free(sctx);
6120 SSL_CTX_free(cctx);
6121
6122 return testresult;
6123 }
6124
6125 /*
6126 * Test bi-directional shutdown.
6127 * Test 0: TLSv1.2
6128 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6129 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6130 * Test 3: TLSv1.3, pending NewSessionTicket messages
6131 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6132 * sends key update, client reads it
6133 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6134 * sends CertificateRequest, client reads and ignores it
6135 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6136 * doesn't read it
6137 */
6138 static int test_shutdown(int tst)
6139 {
6140 SSL_CTX *cctx = NULL, *sctx = NULL;
6141 SSL *clientssl = NULL, *serverssl = NULL;
6142 int testresult = 0;
6143 char msg[] = "A test message";
6144 char buf[80];
6145 size_t written, readbytes;
6146 SSL_SESSION *sess;
6147
6148 #ifdef OPENSSL_NO_TLS1_2
6149 if (tst <= 1)
6150 return 1;
6151 #endif
6152 #ifdef OPENSSL_NO_TLS1_3
6153 if (tst >= 2)
6154 return 1;
6155 #endif
6156
6157 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6158 TLS_client_method(),
6159 TLS1_VERSION,
6160 (tst <= 1) ? TLS1_2_VERSION
6161 : TLS1_3_VERSION,
6162 &sctx, &cctx, cert, privkey)))
6163 goto end;
6164
6165 if (tst == 5)
6166 SSL_CTX_set_post_handshake_auth(cctx, 1);
6167
6168 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6169 NULL, NULL)))
6170 goto end;
6171
6172 if (tst == 3) {
6173 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6174 SSL_ERROR_NONE, 1))
6175 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6176 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6177 goto end;
6178 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6179 SSL_ERROR_NONE))
6180 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6181 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6182 goto end;
6183 }
6184
6185 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6186 goto end;
6187
6188 if (tst >= 4) {
6189 /*
6190 * Reading on the server after the client has sent close_notify should
6191 * fail and provide SSL_ERROR_ZERO_RETURN
6192 */
6193 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6194 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6195 SSL_ERROR_ZERO_RETURN)
6196 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6197 SSL_RECEIVED_SHUTDOWN)
6198 /*
6199 * Even though we're shutdown on receive we should still be
6200 * able to write.
6201 */
6202 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6203 goto end;
6204 if (tst == 4
6205 && !TEST_true(SSL_key_update(serverssl,
6206 SSL_KEY_UPDATE_REQUESTED)))
6207 goto end;
6208 if (tst == 5) {
6209 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6210 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6211 goto end;
6212 }
6213 if ((tst == 4 || tst == 5)
6214 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6215 goto end;
6216 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6217 goto end;
6218 if (tst == 4 || tst == 5) {
6219 /* Should still be able to read data from server */
6220 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6221 &readbytes))
6222 || !TEST_size_t_eq(readbytes, sizeof(msg))
6223 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6224 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6225 &readbytes))
6226 || !TEST_size_t_eq(readbytes, sizeof(msg))
6227 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6228 goto end;
6229 }
6230 }
6231
6232 /* Writing on the client after sending close_notify shouldn't be possible */
6233 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6234 goto end;
6235
6236 if (tst < 4) {
6237 /*
6238 * For these tests the client has sent close_notify but it has not yet
6239 * been received by the server. The server has not sent close_notify
6240 * yet.
6241 */
6242 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6243 /*
6244 * Writing on the server after sending close_notify shouldn't
6245 * be possible.
6246 */
6247 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6248 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6249 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6250 || !TEST_true(SSL_SESSION_is_resumable(sess))
6251 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6252 goto end;
6253 } else if (tst == 4 || tst == 5) {
6254 /*
6255 * In this test the client has sent close_notify and it has been
6256 * received by the server which has responded with a close_notify. The
6257 * client needs to read the close_notify sent by the server.
6258 */
6259 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6260 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6261 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6262 goto end;
6263 } else {
6264 /*
6265 * tst == 6
6266 *
6267 * The client has sent close_notify and is expecting a close_notify
6268 * back, but instead there is application data first. The shutdown
6269 * should fail with a fatal error.
6270 */
6271 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6272 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6273 goto end;
6274 }
6275
6276 testresult = 1;
6277
6278 end:
6279 SSL_free(serverssl);
6280 SSL_free(clientssl);
6281 SSL_CTX_free(sctx);
6282 SSL_CTX_free(cctx);
6283
6284 return testresult;
6285 }
6286
6287 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6288 static int cert_cb_cnt;
6289
6290 static int cert_cb(SSL *s, void *arg)
6291 {
6292 SSL_CTX *ctx = (SSL_CTX *)arg;
6293 BIO *in = NULL;
6294 EVP_PKEY *pkey = NULL;
6295 X509 *x509 = NULL, *rootx = NULL;
6296 STACK_OF(X509) *chain = NULL;
6297 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6298 int ret = 0;
6299
6300 if (cert_cb_cnt == 0) {
6301 /* Suspend the handshake */
6302 cert_cb_cnt++;
6303 return -1;
6304 } else if (cert_cb_cnt == 1) {
6305 /*
6306 * Update the SSL_CTX, set the certificate and private key and then
6307 * continue the handshake normally.
6308 */
6309 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6310 return 0;
6311
6312 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6313 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6314 SSL_FILETYPE_PEM))
6315 || !TEST_true(SSL_check_private_key(s)))
6316 return 0;
6317 cert_cb_cnt++;
6318 return 1;
6319 } else if (cert_cb_cnt == 3) {
6320 int rv;
6321
6322 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6323 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6324 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6325 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6326 goto out;
6327 chain = sk_X509_new_null();
6328 if (!TEST_ptr(chain))
6329 goto out;
6330 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6331 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6332 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6333 || !TEST_true(sk_X509_push(chain, rootx)))
6334 goto out;
6335 rootx = NULL;
6336 BIO_free(in);
6337 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6338 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6339 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6340 goto out;
6341 BIO_free(in);
6342 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6343 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6344 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6345 goto out;
6346 rv = SSL_check_chain(s, x509, pkey, chain);
6347 /*
6348 * If the cert doesn't show as valid here (e.g., because we don't
6349 * have any shared sigalgs), then we will not set it, and there will
6350 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6351 * will cause tls_choose_sigalgs() to fail the connection.
6352 */
6353 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6354 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6355 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6356 goto out;
6357 }
6358
6359 ret = 1;
6360 }
6361
6362 /* Abort the handshake */
6363 out:
6364 OPENSSL_free(ecdsacert);
6365 OPENSSL_free(ecdsakey);
6366 OPENSSL_free(rootfile);
6367 BIO_free(in);
6368 EVP_PKEY_free(pkey);
6369 X509_free(x509);
6370 X509_free(rootx);
6371 sk_X509_pop_free(chain, X509_free);
6372 return ret;
6373 }
6374
6375 /*
6376 * Test the certificate callback.
6377 * Test 0: Callback fails
6378 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6379 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6380 * Test 3: Success - Call SSL_check_chain from the callback
6381 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6382 * chain
6383 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6384 */
6385 static int test_cert_cb_int(int prot, int tst)
6386 {
6387 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6388 SSL *clientssl = NULL, *serverssl = NULL;
6389 int testresult = 0, ret;
6390
6391 #ifdef OPENSSL_NO_EC
6392 /* We use an EC cert in these tests, so we skip in a no-ec build */
6393 if (tst >= 3)
6394 return 1;
6395 #endif
6396
6397 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6398 TLS_client_method(),
6399 TLS1_VERSION,
6400 prot,
6401 &sctx, &cctx, NULL, NULL)))
6402 goto end;
6403
6404 if (tst == 0)
6405 cert_cb_cnt = -1;
6406 else if (tst >= 3)
6407 cert_cb_cnt = 3;
6408 else
6409 cert_cb_cnt = 0;
6410
6411 if (tst == 2)
6412 snictx = SSL_CTX_new(TLS_server_method());
6413 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6414
6415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6416 NULL, NULL)))
6417 goto end;
6418
6419 if (tst == 4) {
6420 /*
6421 * We cause SSL_check_chain() to fail by specifying sig_algs that
6422 * the chain doesn't meet (the root uses an RSA cert)
6423 */
6424 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6425 "ecdsa_secp256r1_sha256")))
6426 goto end;
6427 } else if (tst == 5) {
6428 /*
6429 * We cause SSL_check_chain() to fail by specifying sig_algs that
6430 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6431 */
6432 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6433 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6434 goto end;
6435 }
6436
6437 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6438 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6439 || (tst > 0
6440 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6441 goto end;
6442 }
6443
6444 testresult = 1;
6445
6446 end:
6447 SSL_free(serverssl);
6448 SSL_free(clientssl);
6449 SSL_CTX_free(sctx);
6450 SSL_CTX_free(cctx);
6451 SSL_CTX_free(snictx);
6452
6453 return testresult;
6454 }
6455 #endif
6456
6457 static int test_cert_cb(int tst)
6458 {
6459 int testresult = 1;
6460
6461 #ifndef OPENSSL_NO_TLS1_2
6462 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6463 #endif
6464 #ifndef OPENSSL_NO_TLS1_3
6465 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6466 #endif
6467
6468 return testresult;
6469 }
6470
6471 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6472 {
6473 X509 *xcert, *peer;
6474 EVP_PKEY *privpkey;
6475 BIO *in = NULL;
6476
6477 /* Check that SSL_get_peer_certificate() returns something sensible */
6478 peer = SSL_get_peer_certificate(ssl);
6479 if (!TEST_ptr(peer))
6480 return 0;
6481 X509_free(peer);
6482
6483 in = BIO_new_file(cert, "r");
6484 if (!TEST_ptr(in))
6485 return 0;
6486
6487 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6488 BIO_free(in);
6489 if (!TEST_ptr(xcert))
6490 return 0;
6491
6492 in = BIO_new_file(privkey, "r");
6493 if (!TEST_ptr(in)) {
6494 X509_free(xcert);
6495 return 0;
6496 }
6497
6498 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6499 BIO_free(in);
6500 if (!TEST_ptr(privpkey)) {
6501 X509_free(xcert);
6502 return 0;
6503 }
6504
6505 *x509 = xcert;
6506 *pkey = privpkey;
6507
6508 return 1;
6509 }
6510
6511 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6512 {
6513 return 1;
6514 }
6515
6516 static int test_client_cert_cb(int tst)
6517 {
6518 SSL_CTX *cctx = NULL, *sctx = NULL;
6519 SSL *clientssl = NULL, *serverssl = NULL;
6520 int testresult = 0;
6521
6522 #ifdef OPENSSL_NO_TLS1_2
6523 if (tst == 0)
6524 return 1;
6525 #endif
6526 #ifdef OPENSSL_NO_TLS1_3
6527 if (tst == 1)
6528 return 1;
6529 #endif
6530
6531 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6532 TLS_client_method(),
6533 TLS1_VERSION,
6534 tst == 0 ? TLS1_2_VERSION
6535 : TLS1_3_VERSION,
6536 &sctx, &cctx, cert, privkey)))
6537 goto end;
6538
6539 /*
6540 * Test that setting a client_cert_cb results in a client certificate being
6541 * sent.
6542 */
6543 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6544 SSL_CTX_set_verify(sctx,
6545 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6546 verify_cb);
6547
6548 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6549 NULL, NULL))
6550 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6551 SSL_ERROR_NONE)))
6552 goto end;
6553
6554 testresult = 1;
6555
6556 end:
6557 SSL_free(serverssl);
6558 SSL_free(clientssl);
6559 SSL_CTX_free(sctx);
6560 SSL_CTX_free(cctx);
6561
6562 return testresult;
6563 }
6564
6565 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6566 /*
6567 * Test setting certificate authorities on both client and server.
6568 *
6569 * Test 0: SSL_CTX_set0_CA_list() only
6570 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6571 * Test 2: Only SSL_CTX_set_client_CA_list()
6572 */
6573 static int test_ca_names_int(int prot, int tst)
6574 {
6575 SSL_CTX *cctx = NULL, *sctx = NULL;
6576 SSL *clientssl = NULL, *serverssl = NULL;
6577 int testresult = 0;
6578 size_t i;
6579 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6580 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6581 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6582 const STACK_OF(X509_NAME) *sktmp = NULL;
6583
6584 for (i = 0; i < OSSL_NELEM(name); i++) {
6585 name[i] = X509_NAME_new();
6586 if (!TEST_ptr(name[i])
6587 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6588 MBSTRING_ASC,
6589 (unsigned char *)
6590 strnames[i],
6591 -1, -1, 0)))
6592 goto end;
6593 }
6594
6595 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6596 TLS_client_method(),
6597 TLS1_VERSION,
6598 prot,
6599 &sctx, &cctx, cert, privkey)))
6600 goto end;
6601
6602 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6603
6604 if (tst == 0 || tst == 1) {
6605 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6606 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6607 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6608 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6609 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6610 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6611 goto end;
6612
6613 SSL_CTX_set0_CA_list(sctx, sk1);
6614 SSL_CTX_set0_CA_list(cctx, sk2);
6615 sk1 = sk2 = NULL;
6616 }
6617 if (tst == 1 || tst == 2) {
6618 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6619 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6620 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6621 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6622 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6623 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6624 goto end;
6625
6626 SSL_CTX_set_client_CA_list(sctx, sk1);
6627 SSL_CTX_set_client_CA_list(cctx, sk2);
6628 sk1 = sk2 = NULL;
6629 }
6630
6631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6632 NULL, NULL))
6633 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6634 SSL_ERROR_NONE)))
6635 goto end;
6636
6637 /*
6638 * We only expect certificate authorities to have been sent to the server
6639 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6640 */
6641 sktmp = SSL_get0_peer_CA_list(serverssl);
6642 if (prot == TLS1_3_VERSION
6643 && (tst == 0 || tst == 1)) {
6644 if (!TEST_ptr(sktmp)
6645 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6646 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6647 name[0]), 0)
6648 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6649 name[1]), 0))
6650 goto end;
6651 } else if (!TEST_ptr_null(sktmp)) {
6652 goto end;
6653 }
6654
6655 /*
6656 * In all tests we expect certificate authorities to have been sent to the
6657 * client. However, SSL_set_client_CA_list() should override
6658 * SSL_set0_CA_list()
6659 */
6660 sktmp = SSL_get0_peer_CA_list(clientssl);
6661 if (!TEST_ptr(sktmp)
6662 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6663 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6664 name[tst == 0 ? 0 : 2]), 0)
6665 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6666 name[tst == 0 ? 1 : 3]), 0))
6667 goto end;
6668
6669 testresult = 1;
6670
6671 end:
6672 SSL_free(serverssl);
6673 SSL_free(clientssl);
6674 SSL_CTX_free(sctx);
6675 SSL_CTX_free(cctx);
6676 for (i = 0; i < OSSL_NELEM(name); i++)
6677 X509_NAME_free(name[i]);
6678 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6679 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6680
6681 return testresult;
6682 }
6683 #endif
6684
6685 static int test_ca_names(int tst)
6686 {
6687 int testresult = 1;
6688
6689 #ifndef OPENSSL_NO_TLS1_2
6690 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6691 #endif
6692 #ifndef OPENSSL_NO_TLS1_3
6693 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6694 #endif
6695
6696 return testresult;
6697 }
6698
6699
6700 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6701
6702 int setup_tests(void)
6703 {
6704 if (!TEST_ptr(certsdir = test_get_argument(0))
6705 || !TEST_ptr(srpvfile = test_get_argument(1))
6706 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6707 return 0;
6708
6709 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6710 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6711 TEST_error("not supported in this build");
6712 return 0;
6713 #else
6714 int i, mcount, rcount, fcount;
6715
6716 for (i = 0; i < 4; i++)
6717 test_export_key_mat(i);
6718 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6719 test_printf_stdout("malloc %d realloc %d free %d\n",
6720 mcount, rcount, fcount);
6721 return 1;
6722 #endif
6723 }
6724
6725 cert = test_mk_file_path(certsdir, "servercert.pem");
6726 if (cert == NULL)
6727 return 0;
6728
6729 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6730 if (privkey == NULL) {
6731 OPENSSL_free(cert);
6732 return 0;
6733 }
6734
6735 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6736 && !defined(OPENSSL_NO_SOCK)
6737 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6738 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6739 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6740 ADD_TEST(test_ktls_client_no_txrx_server);
6741 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6742 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6743 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6744 ADD_TEST(test_ktls_client_no_rx_server);
6745 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6746 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6747 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6748 ADD_TEST(test_ktls_client_no_tx_server);
6749 ADD_TEST(test_ktls_no_txrx_client_server);
6750 ADD_TEST(test_ktls_no_rx_client_server);
6751 ADD_TEST(test_ktls_no_tx_client_server);
6752 ADD_TEST(test_ktls_client_server);
6753 ADD_TEST(test_ktls_sendfile);
6754 #endif
6755 ADD_TEST(test_large_message_tls);
6756 ADD_TEST(test_large_message_tls_read_ahead);
6757 #ifndef OPENSSL_NO_DTLS
6758 ADD_TEST(test_large_message_dtls);
6759 #endif
6760 #ifndef OPENSSL_NO_OCSP
6761 ADD_TEST(test_tlsext_status_type);
6762 #endif
6763 ADD_TEST(test_session_with_only_int_cache);
6764 ADD_TEST(test_session_with_only_ext_cache);
6765 ADD_TEST(test_session_with_both_cache);
6766 #ifndef OPENSSL_NO_TLS1_3
6767 ADD_ALL_TESTS(test_stateful_tickets, 3);
6768 ADD_ALL_TESTS(test_stateless_tickets, 3);
6769 ADD_TEST(test_psk_tickets);
6770 #endif
6771 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6772 ADD_TEST(test_ssl_bio_pop_next_bio);
6773 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6774 ADD_TEST(test_ssl_bio_change_rbio);
6775 ADD_TEST(test_ssl_bio_change_wbio);
6776 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6777 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6778 ADD_TEST(test_keylog);
6779 #endif
6780 #ifndef OPENSSL_NO_TLS1_3
6781 ADD_TEST(test_keylog_no_master_key);
6782 #endif
6783 #ifndef OPENSSL_NO_TLS1_2
6784 ADD_TEST(test_client_hello_cb);
6785 ADD_TEST(test_no_ems);
6786 #endif
6787 #ifndef OPENSSL_NO_TLS1_3
6788 ADD_ALL_TESTS(test_early_data_read_write, 3);
6789 /*
6790 * We don't do replay tests for external PSK. Replay protection isn't used
6791 * in that scenario.
6792 */
6793 ADD_ALL_TESTS(test_early_data_replay, 2);
6794 ADD_ALL_TESTS(test_early_data_skip, 3);
6795 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6796 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6797 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6798 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6799 ADD_ALL_TESTS(test_early_data_psk, 8);
6800 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6801 # ifndef OPENSSL_NO_TLS1_2
6802 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6803 # endif
6804 #endif
6805 #ifndef OPENSSL_NO_TLS1_3
6806 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6807 ADD_TEST(test_ciphersuite_change);
6808 #ifdef OPENSSL_NO_PSK
6809 ADD_ALL_TESTS(test_tls13_psk, 1);
6810 #else
6811 ADD_ALL_TESTS(test_tls13_psk, 4);
6812 #endif /* OPENSSL_NO_PSK */
6813 ADD_ALL_TESTS(test_key_exchange, 14);
6814 ADD_ALL_TESTS(test_custom_exts, 5);
6815 ADD_TEST(test_stateless);
6816 ADD_TEST(test_pha_key_update);
6817 #else
6818 ADD_ALL_TESTS(test_custom_exts, 3);
6819 #endif
6820 ADD_ALL_TESTS(test_serverinfo, 8);
6821 ADD_ALL_TESTS(test_export_key_mat, 6);
6822 #ifndef OPENSSL_NO_TLS1_3
6823 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6824 ADD_TEST(test_key_update);
6825 ADD_ALL_TESTS(test_key_update_in_write, 2);
6826 #endif
6827 ADD_ALL_TESTS(test_ssl_clear, 2);
6828 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6829 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6830 ADD_ALL_TESTS(test_srp, 6);
6831 #endif
6832 ADD_ALL_TESTS(test_info_callback, 6);
6833 ADD_ALL_TESTS(test_ssl_pending, 2);
6834 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6835 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6836 ADD_ALL_TESTS(test_shutdown, 7);
6837 ADD_ALL_TESTS(test_cert_cb, 6);
6838 ADD_ALL_TESTS(test_client_cert_cb, 2);
6839 ADD_ALL_TESTS(test_ca_names, 3);
6840 return 1;
6841 }
6842
6843 void cleanup_tests(void)
6844 {
6845 OPENSSL_free(cert);
6846 OPENSSL_free(privkey);
6847 bio_s_mempacket_test_free();
6848 bio_s_always_retry_free();
6849 }
A mirror of the official openssl repository