]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix SSL_check_chain()
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <string.h>
12
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
22
23 #include "ssltestlib.h"
24 #include "testutil.h"
25 #include "testutil/output.h"
26 #include "internal/nelem.h"
27 #include "internal/ktls.h"
28 #include "../ssl/ssl_locl.h"
29
30 #ifndef OPENSSL_NO_TLS1_3
31
32 static SSL_SESSION *clientpsk = NULL;
33 static SSL_SESSION *serverpsk = NULL;
34 static const char *pskid = "Identity";
35 static const char *srvid;
36
37 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39 static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
41
42 static int use_session_cb_cnt = 0;
43 static int find_session_cb_cnt = 0;
44
45 static SSL_SESSION *create_a_psk(SSL *ssl);
46 #endif
47
48 static char *cert = NULL;
49 static char *privkey = NULL;
50 static char *srpvfile = NULL;
51 static char *tmpfilename = NULL;
52
53 #define LOG_BUFFER_SIZE 2048
54 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t server_log_buffer_index = 0;
56 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
57 static size_t client_log_buffer_index = 0;
58 static int error_writing_log = 0;
59
60 #ifndef OPENSSL_NO_OCSP
61 static const unsigned char orespder[] = "Dummy OCSP Response";
62 static int ocsp_server_called = 0;
63 static int ocsp_client_called = 0;
64
65 static int cdummyarg = 1;
66 static X509 *ocspcert = NULL;
67 #endif
68
69 #define NUM_EXTRA_CERTS 40
70 #define CLIENT_VERSION_LEN 2
71
72 /*
73 * This structure is used to validate that the correct number of log messages
74 * of various types are emitted when emitting secret logs.
75 */
76 struct sslapitest_log_counts {
77 unsigned int rsa_key_exchange_count;
78 unsigned int master_secret_count;
79 unsigned int client_early_secret_count;
80 unsigned int client_handshake_secret_count;
81 unsigned int server_handshake_secret_count;
82 unsigned int client_application_secret_count;
83 unsigned int server_application_secret_count;
84 unsigned int early_exporter_secret_count;
85 unsigned int exporter_secret_count;
86 };
87
88
89 static unsigned char serverinfov1[] = {
90 0xff, 0xff, /* Dummy extension type */
91 0x00, 0x01, /* Extension length is 1 byte */
92 0xff /* Dummy extension data */
93 };
94
95 static unsigned char serverinfov2[] = {
96 0x00, 0x00, 0x00,
97 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
98 0xff, 0xff, /* Dummy extension type */
99 0x00, 0x01, /* Extension length is 1 byte */
100 0xff /* Dummy extension data */
101 };
102
103 static void client_keylog_callback(const SSL *ssl, const char *line)
104 {
105 int line_length = strlen(line);
106
107 /* If the log doesn't fit, error out. */
108 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
109 TEST_info("Client log too full");
110 error_writing_log = 1;
111 return;
112 }
113
114 strcat(client_log_buffer, line);
115 client_log_buffer_index += line_length;
116 client_log_buffer[client_log_buffer_index++] = '\n';
117 }
118
119 static void server_keylog_callback(const SSL *ssl, const char *line)
120 {
121 int line_length = strlen(line);
122
123 /* If the log doesn't fit, error out. */
124 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
125 TEST_info("Server log too full");
126 error_writing_log = 1;
127 return;
128 }
129
130 strcat(server_log_buffer, line);
131 server_log_buffer_index += line_length;
132 server_log_buffer[server_log_buffer_index++] = '\n';
133 }
134
135 static int compare_hex_encoded_buffer(const char *hex_encoded,
136 size_t hex_length,
137 const uint8_t *raw,
138 size_t raw_length)
139 {
140 size_t i, j;
141 char hexed[3];
142
143 if (!TEST_size_t_eq(raw_length * 2, hex_length))
144 return 1;
145
146 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
147 sprintf(hexed, "%02x", raw[i]);
148 if (!TEST_int_eq(hexed[0], hex_encoded[j])
149 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
150 return 1;
151 }
152
153 return 0;
154 }
155
156 static int test_keylog_output(char *buffer, const SSL *ssl,
157 const SSL_SESSION *session,
158 struct sslapitest_log_counts *expected)
159 {
160 char *token = NULL;
161 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
162 size_t client_random_size = SSL3_RANDOM_SIZE;
163 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
164 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
165 unsigned int rsa_key_exchange_count = 0;
166 unsigned int master_secret_count = 0;
167 unsigned int client_early_secret_count = 0;
168 unsigned int client_handshake_secret_count = 0;
169 unsigned int server_handshake_secret_count = 0;
170 unsigned int client_application_secret_count = 0;
171 unsigned int server_application_secret_count = 0;
172 unsigned int early_exporter_secret_count = 0;
173 unsigned int exporter_secret_count = 0;
174
175 for (token = strtok(buffer, " \n"); token != NULL;
176 token = strtok(NULL, " \n")) {
177 if (strcmp(token, "RSA") == 0) {
178 /*
179 * Premaster secret. Tokens should be: 16 ASCII bytes of
180 * hex-encoded encrypted secret, then the hex-encoded pre-master
181 * secret.
182 */
183 if (!TEST_ptr(token = strtok(NULL, " \n")))
184 return 0;
185 if (!TEST_size_t_eq(strlen(token), 16))
186 return 0;
187 if (!TEST_ptr(token = strtok(NULL, " \n")))
188 return 0;
189 /*
190 * We can't sensibly check the log because the premaster secret is
191 * transient, and OpenSSL doesn't keep hold of it once the master
192 * secret is generated.
193 */
194 rsa_key_exchange_count++;
195 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
196 /*
197 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
198 * client random, then the hex-encoded master secret.
199 */
200 client_random_size = SSL_get_client_random(ssl,
201 actual_client_random,
202 SSL3_RANDOM_SIZE);
203 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
204 return 0;
205
206 if (!TEST_ptr(token = strtok(NULL, " \n")))
207 return 0;
208 if (!TEST_size_t_eq(strlen(token), 64))
209 return 0;
210 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
211 actual_client_random,
212 client_random_size)))
213 return 0;
214
215 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 return 0;
217 master_key_size = SSL_SESSION_get_master_key(session,
218 actual_master_key,
219 master_key_size);
220 if (!TEST_size_t_ne(master_key_size, 0))
221 return 0;
222 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
223 actual_master_key,
224 master_key_size)))
225 return 0;
226 master_secret_count++;
227 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
229 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
230 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
231 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
232 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
233 || strcmp(token, "EXPORTER_SECRET") == 0) {
234 /*
235 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
236 * client random, and then the hex-encoded secret. In this case,
237 * we treat all of these secrets identically and then just
238 * distinguish between them when counting what we saw.
239 */
240 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
241 client_early_secret_count++;
242 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 client_handshake_secret_count++;
244 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
245 server_handshake_secret_count++;
246 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
247 client_application_secret_count++;
248 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
249 server_application_secret_count++;
250 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
251 early_exporter_secret_count++;
252 else if (strcmp(token, "EXPORTER_SECRET") == 0)
253 exporter_secret_count++;
254
255 client_random_size = SSL_get_client_random(ssl,
256 actual_client_random,
257 SSL3_RANDOM_SIZE);
258 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 if (!TEST_size_t_eq(strlen(token), 64))
264 return 0;
265 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
266 actual_client_random,
267 client_random_size)))
268 return 0;
269
270 if (!TEST_ptr(token = strtok(NULL, " \n")))
271 return 0;
272
273 /*
274 * TODO(TLS1.3): test that application traffic secrets are what
275 * we expect */
276 } else {
277 TEST_info("Unexpected token %s\n", token);
278 return 0;
279 }
280 }
281
282 /* Got what we expected? */
283 if (!TEST_size_t_eq(rsa_key_exchange_count,
284 expected->rsa_key_exchange_count)
285 || !TEST_size_t_eq(master_secret_count,
286 expected->master_secret_count)
287 || !TEST_size_t_eq(client_early_secret_count,
288 expected->client_early_secret_count)
289 || !TEST_size_t_eq(client_handshake_secret_count,
290 expected->client_handshake_secret_count)
291 || !TEST_size_t_eq(server_handshake_secret_count,
292 expected->server_handshake_secret_count)
293 || !TEST_size_t_eq(client_application_secret_count,
294 expected->client_application_secret_count)
295 || !TEST_size_t_eq(server_application_secret_count,
296 expected->server_application_secret_count)
297 || !TEST_size_t_eq(early_exporter_secret_count,
298 expected->early_exporter_secret_count)
299 || !TEST_size_t_eq(exporter_secret_count,
300 expected->exporter_secret_count))
301 return 0;
302 return 1;
303 }
304
305 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
306 static int test_keylog(void)
307 {
308 SSL_CTX *cctx = NULL, *sctx = NULL;
309 SSL *clientssl = NULL, *serverssl = NULL;
310 int testresult = 0;
311 struct sslapitest_log_counts expected;
312
313 /* Clean up logging space */
314 memset(&expected, 0, sizeof(expected));
315 memset(client_log_buffer, 0, sizeof(client_log_buffer));
316 memset(server_log_buffer, 0, sizeof(server_log_buffer));
317 client_log_buffer_index = 0;
318 server_log_buffer_index = 0;
319 error_writing_log = 0;
320
321 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
322 TLS_client_method(),
323 TLS1_VERSION, 0,
324 &sctx, &cctx, cert, privkey)))
325 return 0;
326
327 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
328 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
329 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
330
331 /* We also want to ensure that we use RSA-based key exchange. */
332 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
333 goto end;
334
335 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
336 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
337 goto end;
338 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
339 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
340 == client_keylog_callback))
341 goto end;
342 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
343 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
344 == server_keylog_callback))
345 goto end;
346
347 /* Now do a handshake and check that the logs have been written to. */
348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
349 &clientssl, NULL, NULL))
350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
351 SSL_ERROR_NONE))
352 || !TEST_false(error_writing_log)
353 || !TEST_int_gt(client_log_buffer_index, 0)
354 || !TEST_int_gt(server_log_buffer_index, 0))
355 goto end;
356
357 /*
358 * Now we want to test that our output data was vaguely sensible. We
359 * do that by using strtok and confirming that we have more or less the
360 * data we expect. For both client and server, we expect to see one master
361 * secret. The client should also see a RSA key exchange.
362 */
363 expected.rsa_key_exchange_count = 1;
364 expected.master_secret_count = 1;
365 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
366 SSL_get_session(clientssl), &expected)))
367 goto end;
368
369 expected.rsa_key_exchange_count = 0;
370 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
371 SSL_get_session(serverssl), &expected)))
372 goto end;
373
374 testresult = 1;
375
376 end:
377 SSL_free(serverssl);
378 SSL_free(clientssl);
379 SSL_CTX_free(sctx);
380 SSL_CTX_free(cctx);
381
382 return testresult;
383 }
384 #endif
385
386 #ifndef OPENSSL_NO_TLS1_3
387 static int test_keylog_no_master_key(void)
388 {
389 SSL_CTX *cctx = NULL, *sctx = NULL;
390 SSL *clientssl = NULL, *serverssl = NULL;
391 SSL_SESSION *sess = NULL;
392 int testresult = 0;
393 struct sslapitest_log_counts expected;
394 unsigned char buf[1];
395 size_t readbytes, written;
396
397 /* Clean up logging space */
398 memset(&expected, 0, sizeof(expected));
399 memset(client_log_buffer, 0, sizeof(client_log_buffer));
400 memset(server_log_buffer, 0, sizeof(server_log_buffer));
401 client_log_buffer_index = 0;
402 server_log_buffer_index = 0;
403 error_writing_log = 0;
404
405 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
406 TLS1_VERSION, 0,
407 &sctx, &cctx, cert, privkey))
408 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
409 SSL3_RT_MAX_PLAIN_LENGTH)))
410 return 0;
411
412 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
413 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
414 goto end;
415
416 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
417 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
418 == client_keylog_callback))
419 goto end;
420
421 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
422 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
423 == server_keylog_callback))
424 goto end;
425
426 /* Now do a handshake and check that the logs have been written to. */
427 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
428 &clientssl, NULL, NULL))
429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
430 SSL_ERROR_NONE))
431 || !TEST_false(error_writing_log))
432 goto end;
433
434 /*
435 * Now we want to test that our output data was vaguely sensible. For this
436 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
437 * TLSv1.3, but we do expect both client and server to emit keys.
438 */
439 expected.client_handshake_secret_count = 1;
440 expected.server_handshake_secret_count = 1;
441 expected.client_application_secret_count = 1;
442 expected.server_application_secret_count = 1;
443 expected.exporter_secret_count = 1;
444 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
445 SSL_get_session(clientssl), &expected))
446 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
447 SSL_get_session(serverssl),
448 &expected)))
449 goto end;
450
451 /* Terminate old session and resume with early data. */
452 sess = SSL_get1_session(clientssl);
453 SSL_shutdown(clientssl);
454 SSL_shutdown(serverssl);
455 SSL_free(serverssl);
456 SSL_free(clientssl);
457 serverssl = clientssl = NULL;
458
459 /* Reset key log */
460 memset(client_log_buffer, 0, sizeof(client_log_buffer));
461 memset(server_log_buffer, 0, sizeof(server_log_buffer));
462 client_log_buffer_index = 0;
463 server_log_buffer_index = 0;
464
465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_true(SSL_set_session(clientssl, sess))
468 /* Here writing 0 length early data is enough. */
469 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
470 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
471 &readbytes),
472 SSL_READ_EARLY_DATA_ERROR)
473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
474 SSL_EARLY_DATA_ACCEPTED)
475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
476 SSL_ERROR_NONE))
477 || !TEST_true(SSL_session_reused(clientssl)))
478 goto end;
479
480 /* In addition to the previous entries, expect early secrets. */
481 expected.client_early_secret_count = 1;
482 expected.early_exporter_secret_count = 1;
483 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
484 SSL_get_session(clientssl), &expected))
485 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
486 SSL_get_session(serverssl),
487 &expected)))
488 goto end;
489
490 testresult = 1;
491
492 end:
493 SSL_SESSION_free(sess);
494 SSL_free(serverssl);
495 SSL_free(clientssl);
496 SSL_CTX_free(sctx);
497 SSL_CTX_free(cctx);
498
499 return testresult;
500 }
501 #endif
502
503 #ifndef OPENSSL_NO_TLS1_2
504 static int full_client_hello_callback(SSL *s, int *al, void *arg)
505 {
506 int *ctr = arg;
507 const unsigned char *p;
508 int *exts;
509 /* We only configure two ciphers, but the SCSV is added automatically. */
510 #ifdef OPENSSL_NO_EC
511 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
512 #else
513 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
514 0x2c, 0x00, 0xff};
515 #endif
516 const int expected_extensions[] = {
517 #ifndef OPENSSL_NO_EC
518 11, 10,
519 #endif
520 35, 22, 23, 13};
521 size_t len;
522
523 /* Make sure we can defer processing and get called back. */
524 if ((*ctr)++ == 0)
525 return SSL_CLIENT_HELLO_RETRY;
526
527 len = SSL_client_hello_get0_ciphers(s, &p);
528 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
529 || !TEST_size_t_eq(
530 SSL_client_hello_get0_compression_methods(s, &p), 1)
531 || !TEST_int_eq(*p, 0))
532 return SSL_CLIENT_HELLO_ERROR;
533 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
534 return SSL_CLIENT_HELLO_ERROR;
535 if (len != OSSL_NELEM(expected_extensions) ||
536 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
537 printf("ClientHello callback expected extensions mismatch\n");
538 OPENSSL_free(exts);
539 return SSL_CLIENT_HELLO_ERROR;
540 }
541 OPENSSL_free(exts);
542 return SSL_CLIENT_HELLO_SUCCESS;
543 }
544
545 static int test_client_hello_cb(void)
546 {
547 SSL_CTX *cctx = NULL, *sctx = NULL;
548 SSL *clientssl = NULL, *serverssl = NULL;
549 int testctr = 0, testresult = 0;
550
551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
552 TLS1_VERSION, 0,
553 &sctx, &cctx, cert, privkey)))
554 goto end;
555 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
556
557 /* The gimpy cipher list we configure can't do TLS 1.3. */
558 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
559
560 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
561 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
562 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
563 &clientssl, NULL, NULL))
564 || !TEST_false(create_ssl_connection(serverssl, clientssl,
565 SSL_ERROR_WANT_CLIENT_HELLO_CB))
566 /*
567 * Passing a -1 literal is a hack since
568 * the real value was lost.
569 * */
570 || !TEST_int_eq(SSL_get_error(serverssl, -1),
571 SSL_ERROR_WANT_CLIENT_HELLO_CB)
572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
573 SSL_ERROR_NONE)))
574 goto end;
575
576 testresult = 1;
577
578 end:
579 SSL_free(serverssl);
580 SSL_free(clientssl);
581 SSL_CTX_free(sctx);
582 SSL_CTX_free(cctx);
583
584 return testresult;
585 }
586
587 static int test_no_ems(void)
588 {
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
591 int testresult = 0;
592
593 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
594 TLS1_VERSION, TLS1_2_VERSION,
595 &sctx, &cctx, cert, privkey)) {
596 printf("Unable to create SSL_CTX pair\n");
597 goto end;
598 }
599
600 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
601
602 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
603 printf("Unable to create SSL objects\n");
604 goto end;
605 }
606
607 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
608 printf("Creating SSL connection failed\n");
609 goto end;
610 }
611
612 if (SSL_get_extms_support(serverssl)) {
613 printf("Server reports Extended Master Secret support\n");
614 goto end;
615 }
616
617 if (SSL_get_extms_support(clientssl)) {
618 printf("Client reports Extended Master Secret support\n");
619 goto end;
620 }
621 testresult = 1;
622
623 end:
624 SSL_free(serverssl);
625 SSL_free(clientssl);
626 SSL_CTX_free(sctx);
627 SSL_CTX_free(cctx);
628
629 return testresult;
630 }
631 #endif
632
633 static int execute_test_large_message(const SSL_METHOD *smeth,
634 const SSL_METHOD *cmeth,
635 int min_version, int max_version,
636 int read_ahead)
637 {
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
640 int testresult = 0;
641 int i;
642 BIO *certbio = NULL;
643 X509 *chaincert = NULL;
644 int certlen;
645
646 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
647 goto end;
648 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
649 BIO_free(certbio);
650 certbio = NULL;
651 if (!TEST_ptr(chaincert))
652 goto end;
653
654 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
655 &sctx, &cctx, cert, privkey)))
656 goto end;
657
658 if (read_ahead) {
659 /*
660 * Test that read_ahead works correctly when dealing with large
661 * records
662 */
663 SSL_CTX_set_read_ahead(cctx, 1);
664 }
665
666 /*
667 * We assume the supplied certificate is big enough so that if we add
668 * NUM_EXTRA_CERTS it will make the overall message large enough. The
669 * default buffer size is requested to be 16k, but due to the way BUF_MEM
670 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
671 * test we need to have a message larger than that.
672 */
673 certlen = i2d_X509(chaincert, NULL);
674 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
675 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
676 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
677 if (!X509_up_ref(chaincert))
678 goto end;
679 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
680 X509_free(chaincert);
681 goto end;
682 }
683 }
684
685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
686 NULL, NULL))
687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
688 SSL_ERROR_NONE)))
689 goto end;
690
691 /*
692 * Calling SSL_clear() first is not required but this tests that SSL_clear()
693 * doesn't leak (when using enable-crypto-mdebug).
694 */
695 if (!TEST_true(SSL_clear(serverssl)))
696 goto end;
697
698 testresult = 1;
699 end:
700 X509_free(chaincert);
701 SSL_free(serverssl);
702 SSL_free(clientssl);
703 SSL_CTX_free(sctx);
704 SSL_CTX_free(cctx);
705
706 return testresult;
707 }
708
709 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
710 && !defined(OPENSSL_NO_SOCK)
711
712 /* sock must be connected */
713 static int ktls_chk_platform(int sock)
714 {
715 if (!ktls_enable(sock))
716 return 0;
717 return 1;
718 }
719
720 static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
721 {
722 static char count = 1;
723 unsigned char cbuf[16000] = {0};
724 unsigned char sbuf[16000];
725 size_t err = 0;
726 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
729 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
731 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734
735 cbuf[0] = count++;
736 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
737 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
738 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
739 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
740 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
741 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
742 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
743 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
744
745 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
746 goto end;
747
748 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
749 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
750 goto end;
751 }
752 }
753
754 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
755 goto end;
756
757 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
758 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
759 goto end;
760 }
761 }
762
763 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
764 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
765 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
766 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
767 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
768 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
769 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
770 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
771
772 /* verify the payload */
773 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
774 goto end;
775
776 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
777 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
778 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
779 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
780 goto end;
781 } else {
782 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
783 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
784 goto end;
785 }
786
787 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
788 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
789 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
790 goto end;
791 } else {
792 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
793 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
794 goto end;
795 }
796
797 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
798 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
799 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
800 goto end;
801 } else {
802 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
803 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
804 goto end;
805 }
806
807 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
808 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
809 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
810 goto end;
811 } else {
812 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
813 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
814 goto end;
815 }
816
817 return 1;
818 end:
819 return 0;
820 }
821
822 static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
823 int sis_ktls_tx, int sis_ktls_rx)
824 {
825 SSL_CTX *cctx = NULL, *sctx = NULL;
826 SSL *clientssl = NULL, *serverssl = NULL;
827 int testresult = 0;
828 int cfd, sfd;
829
830 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
831 goto end;
832
833 /* Skip this test if the platform does not support ktls */
834 if (!ktls_chk_platform(cfd))
835 return 1;
836
837 /* Create a session based on SHA-256 */
838 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
839 TLS_client_method(),
840 TLS1_2_VERSION, TLS1_2_VERSION,
841 &sctx, &cctx, cert, privkey))
842 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
843 "AES128-GCM-SHA256"))
844 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
845 &clientssl, sfd, cfd)))
846 goto end;
847
848 if (!cis_ktls_tx) {
849 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
850 goto end;
851 }
852
853 if (!sis_ktls_tx) {
854 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
855 goto end;
856 }
857
858 if (!cis_ktls_rx) {
859 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
860 goto end;
861 }
862
863 if (!sis_ktls_rx) {
864 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
865 goto end;
866 }
867
868 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
869 SSL_ERROR_NONE)))
870 goto end;
871
872 if (!cis_ktls_tx) {
873 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
874 goto end;
875 } else {
876 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
877 goto end;
878 }
879
880 if (!sis_ktls_tx) {
881 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
882 goto end;
883 } else {
884 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
885 goto end;
886 }
887
888 if (!cis_ktls_rx) {
889 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
890 goto end;
891 } else {
892 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
893 goto end;
894 }
895
896 if (!sis_ktls_rx) {
897 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
898 goto end;
899 } else {
900 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
901 goto end;
902 }
903
904 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
905 goto end;
906
907 testresult = 1;
908 end:
909 if (clientssl) {
910 SSL_shutdown(clientssl);
911 SSL_free(clientssl);
912 }
913 if (serverssl) {
914 SSL_shutdown(serverssl);
915 SSL_free(serverssl);
916 }
917 SSL_CTX_free(sctx);
918 SSL_CTX_free(cctx);
919 serverssl = clientssl = NULL;
920 return testresult;
921 }
922
923 #define SENDFILE_SZ (16 * 4096)
924 #define SENDFILE_CHUNK (4 * 4096)
925 #define min(a,b) ((a) > (b) ? (b) : (a))
926
927 static int test_ktls_sendfile(void)
928 {
929 SSL_CTX *cctx = NULL, *sctx = NULL;
930 SSL *clientssl = NULL, *serverssl = NULL;
931 unsigned char *buf, *buf_dst;
932 BIO *out = NULL, *in = NULL;
933 int cfd, sfd, ffd, err;
934 ssize_t chunk_size = 0;
935 off_t chunk_off = 0;
936 int testresult = 0;
937 FILE *ffdp;
938
939 buf = OPENSSL_zalloc(SENDFILE_SZ);
940 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
941 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
942 || !TEST_true(create_test_sockets(&cfd, &sfd)))
943 goto end;
944
945 /* Skip this test if the platform does not support ktls */
946 if (!ktls_chk_platform(sfd)) {
947 testresult = 1;
948 goto end;
949 }
950
951 /* Create a session based on SHA-256 */
952 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
953 TLS_client_method(),
954 TLS1_2_VERSION, TLS1_2_VERSION,
955 &sctx, &cctx, cert, privkey))
956 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
957 "AES128-GCM-SHA256"))
958 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
959 &clientssl, sfd, cfd)))
960 goto end;
961
962 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
963 SSL_ERROR_NONE))
964 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
965 goto end;
966
967 RAND_bytes(buf, SENDFILE_SZ);
968 out = BIO_new_file(tmpfilename, "wb");
969 if (!TEST_ptr(out))
970 goto end;
971
972 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
973 goto end;
974
975 BIO_free(out);
976 out = NULL;
977 in = BIO_new_file(tmpfilename, "rb");
978 BIO_get_fp(in, &ffdp);
979 ffd = fileno(ffdp);
980
981 while (chunk_off < SENDFILE_SZ) {
982 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
983 while ((err = SSL_sendfile(serverssl,
984 ffd,
985 chunk_off,
986 chunk_size,
987 0)) != chunk_size) {
988 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
989 goto end;
990 }
991 while ((err = SSL_read(clientssl,
992 buf_dst + chunk_off,
993 chunk_size)) != chunk_size) {
994 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
995 goto end;
996 }
997
998 /* verify the payload */
999 if (!TEST_mem_eq(buf_dst + chunk_off,
1000 chunk_size,
1001 buf + chunk_off,
1002 chunk_size))
1003 goto end;
1004
1005 chunk_off += chunk_size;
1006 }
1007
1008 testresult = 1;
1009 end:
1010 if (clientssl) {
1011 SSL_shutdown(clientssl);
1012 SSL_free(clientssl);
1013 }
1014 if (serverssl) {
1015 SSL_shutdown(serverssl);
1016 SSL_free(serverssl);
1017 }
1018 SSL_CTX_free(sctx);
1019 SSL_CTX_free(cctx);
1020 serverssl = clientssl = NULL;
1021 BIO_free(out);
1022 BIO_free(in);
1023 OPENSSL_free(buf);
1024 OPENSSL_free(buf_dst);
1025 return testresult;
1026 }
1027
1028 static int test_ktls_no_txrx_client_no_txrx_server(void)
1029 {
1030 return execute_test_ktls(0, 0, 0, 0);
1031 }
1032
1033 static int test_ktls_no_rx_client_no_txrx_server(void)
1034 {
1035 return execute_test_ktls(1, 0, 0, 0);
1036 }
1037
1038 static int test_ktls_no_tx_client_no_txrx_server(void)
1039 {
1040 return execute_test_ktls(0, 1, 0, 0);
1041 }
1042
1043 static int test_ktls_client_no_txrx_server(void)
1044 {
1045 return execute_test_ktls(1, 1, 0, 0);
1046 }
1047
1048 static int test_ktls_no_txrx_client_no_rx_server(void)
1049 {
1050 return execute_test_ktls(0, 0, 1, 0);
1051 }
1052
1053 static int test_ktls_no_rx_client_no_rx_server(void)
1054 {
1055 return execute_test_ktls(1, 0, 1, 0);
1056 }
1057
1058 static int test_ktls_no_tx_client_no_rx_server(void)
1059 {
1060 return execute_test_ktls(0, 1, 1, 0);
1061 }
1062
1063 static int test_ktls_client_no_rx_server(void)
1064 {
1065 return execute_test_ktls(1, 1, 1, 0);
1066 }
1067
1068 static int test_ktls_no_txrx_client_no_tx_server(void)
1069 {
1070 return execute_test_ktls(0, 0, 0, 1);
1071 }
1072
1073 static int test_ktls_no_rx_client_no_tx_server(void)
1074 {
1075 return execute_test_ktls(1, 0, 0, 1);
1076 }
1077
1078 static int test_ktls_no_tx_client_no_tx_server(void)
1079 {
1080 return execute_test_ktls(0, 1, 0, 1);
1081 }
1082
1083 static int test_ktls_client_no_tx_server(void)
1084 {
1085 return execute_test_ktls(1, 1, 0, 1);
1086 }
1087
1088 static int test_ktls_no_txrx_client_server(void)
1089 {
1090 return execute_test_ktls(0, 0, 1, 1);
1091 }
1092
1093 static int test_ktls_no_rx_client_server(void)
1094 {
1095 return execute_test_ktls(1, 0, 1, 1);
1096 }
1097
1098 static int test_ktls_no_tx_client_server(void)
1099 {
1100 return execute_test_ktls(0, 1, 1, 1);
1101 }
1102
1103 static int test_ktls_client_server(void)
1104 {
1105 return execute_test_ktls(1, 1, 1, 1);
1106 }
1107 #endif
1108
1109 static int test_large_message_tls(void)
1110 {
1111 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1112 TLS1_VERSION, 0, 0);
1113 }
1114
1115 static int test_large_message_tls_read_ahead(void)
1116 {
1117 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1118 TLS1_VERSION, 0, 1);
1119 }
1120
1121 #ifndef OPENSSL_NO_DTLS
1122 static int test_large_message_dtls(void)
1123 {
1124 /*
1125 * read_ahead is not relevant to DTLS because DTLS always acts as if
1126 * read_ahead is set.
1127 */
1128 return execute_test_large_message(DTLS_server_method(),
1129 DTLS_client_method(),
1130 DTLS1_VERSION, 0, 0);
1131 }
1132 #endif
1133
1134 #ifndef OPENSSL_NO_OCSP
1135 static int ocsp_server_cb(SSL *s, void *arg)
1136 {
1137 int *argi = (int *)arg;
1138 unsigned char *copy = NULL;
1139 STACK_OF(OCSP_RESPID) *ids = NULL;
1140 OCSP_RESPID *id = NULL;
1141
1142 if (*argi == 2) {
1143 /* In this test we are expecting exactly 1 OCSP_RESPID */
1144 SSL_get_tlsext_status_ids(s, &ids);
1145 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1146 return SSL_TLSEXT_ERR_ALERT_FATAL;
1147
1148 id = sk_OCSP_RESPID_value(ids, 0);
1149 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1150 return SSL_TLSEXT_ERR_ALERT_FATAL;
1151 } else if (*argi != 1) {
1152 return SSL_TLSEXT_ERR_ALERT_FATAL;
1153 }
1154
1155 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1156 return SSL_TLSEXT_ERR_ALERT_FATAL;
1157
1158 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1159 ocsp_server_called = 1;
1160 return SSL_TLSEXT_ERR_OK;
1161 }
1162
1163 static int ocsp_client_cb(SSL *s, void *arg)
1164 {
1165 int *argi = (int *)arg;
1166 const unsigned char *respderin;
1167 size_t len;
1168
1169 if (*argi != 1 && *argi != 2)
1170 return 0;
1171
1172 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1173 if (!TEST_mem_eq(orespder, len, respderin, len))
1174 return 0;
1175
1176 ocsp_client_called = 1;
1177 return 1;
1178 }
1179
1180 static int test_tlsext_status_type(void)
1181 {
1182 SSL_CTX *cctx = NULL, *sctx = NULL;
1183 SSL *clientssl = NULL, *serverssl = NULL;
1184 int testresult = 0;
1185 STACK_OF(OCSP_RESPID) *ids = NULL;
1186 OCSP_RESPID *id = NULL;
1187 BIO *certbio = NULL;
1188
1189 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1190 TLS1_VERSION, 0,
1191 &sctx, &cctx, cert, privkey))
1192 return 0;
1193
1194 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1195 goto end;
1196
1197 /* First just do various checks getting and setting tlsext_status_type */
1198
1199 clientssl = SSL_new(cctx);
1200 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1201 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1202 TLSEXT_STATUSTYPE_ocsp))
1203 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1204 TLSEXT_STATUSTYPE_ocsp))
1205 goto end;
1206
1207 SSL_free(clientssl);
1208 clientssl = NULL;
1209
1210 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1211 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1212 goto end;
1213
1214 clientssl = SSL_new(cctx);
1215 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1216 goto end;
1217 SSL_free(clientssl);
1218 clientssl = NULL;
1219
1220 /*
1221 * Now actually do a handshake and check OCSP information is exchanged and
1222 * the callbacks get called
1223 */
1224 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1225 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1226 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1227 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1229 &clientssl, NULL, NULL))
1230 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1231 SSL_ERROR_NONE))
1232 || !TEST_true(ocsp_client_called)
1233 || !TEST_true(ocsp_server_called))
1234 goto end;
1235 SSL_free(serverssl);
1236 SSL_free(clientssl);
1237 serverssl = NULL;
1238 clientssl = NULL;
1239
1240 /* Try again but this time force the server side callback to fail */
1241 ocsp_client_called = 0;
1242 ocsp_server_called = 0;
1243 cdummyarg = 0;
1244 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1245 &clientssl, NULL, NULL))
1246 /* This should fail because the callback will fail */
1247 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1248 SSL_ERROR_NONE))
1249 || !TEST_false(ocsp_client_called)
1250 || !TEST_false(ocsp_server_called))
1251 goto end;
1252 SSL_free(serverssl);
1253 SSL_free(clientssl);
1254 serverssl = NULL;
1255 clientssl = NULL;
1256
1257 /*
1258 * This time we'll get the client to send an OCSP_RESPID that it will
1259 * accept.
1260 */
1261 ocsp_client_called = 0;
1262 ocsp_server_called = 0;
1263 cdummyarg = 2;
1264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1265 &clientssl, NULL, NULL)))
1266 goto end;
1267
1268 /*
1269 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1270 * specific one. We'll use the server cert.
1271 */
1272 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1273 || !TEST_ptr(id = OCSP_RESPID_new())
1274 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1275 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1276 NULL, NULL, NULL))
1277 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1278 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1279 goto end;
1280 id = NULL;
1281 SSL_set_tlsext_status_ids(clientssl, ids);
1282 /* Control has been transferred */
1283 ids = NULL;
1284
1285 BIO_free(certbio);
1286 certbio = NULL;
1287
1288 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1289 SSL_ERROR_NONE))
1290 || !TEST_true(ocsp_client_called)
1291 || !TEST_true(ocsp_server_called))
1292 goto end;
1293
1294 testresult = 1;
1295
1296 end:
1297 SSL_free(serverssl);
1298 SSL_free(clientssl);
1299 SSL_CTX_free(sctx);
1300 SSL_CTX_free(cctx);
1301 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1302 OCSP_RESPID_free(id);
1303 BIO_free(certbio);
1304 X509_free(ocspcert);
1305 ocspcert = NULL;
1306
1307 return testresult;
1308 }
1309 #endif
1310
1311 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1312 static int new_called, remove_called, get_called;
1313
1314 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1315 {
1316 new_called++;
1317 /*
1318 * sess has been up-refed for us, but we don't actually need it so free it
1319 * immediately.
1320 */
1321 SSL_SESSION_free(sess);
1322 return 1;
1323 }
1324
1325 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1326 {
1327 remove_called++;
1328 }
1329
1330 static SSL_SESSION *get_sess_val = NULL;
1331
1332 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1333 int *copy)
1334 {
1335 get_called++;
1336 *copy = 1;
1337 return get_sess_val;
1338 }
1339
1340 static int execute_test_session(int maxprot, int use_int_cache,
1341 int use_ext_cache)
1342 {
1343 SSL_CTX *sctx = NULL, *cctx = NULL;
1344 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1345 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1346 # ifndef OPENSSL_NO_TLS1_1
1347 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1348 # endif
1349 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1350 int testresult = 0, numnewsesstick = 1;
1351
1352 new_called = remove_called = 0;
1353
1354 /* TLSv1.3 sends 2 NewSessionTickets */
1355 if (maxprot == TLS1_3_VERSION)
1356 numnewsesstick = 2;
1357
1358 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1359 TLS1_VERSION, 0,
1360 &sctx, &cctx, cert, privkey)))
1361 return 0;
1362
1363 /*
1364 * Only allow the max protocol version so we can force a connection failure
1365 * later
1366 */
1367 SSL_CTX_set_min_proto_version(cctx, maxprot);
1368 SSL_CTX_set_max_proto_version(cctx, maxprot);
1369
1370 /* Set up session cache */
1371 if (use_ext_cache) {
1372 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1373 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1374 }
1375 if (use_int_cache) {
1376 /* Also covers instance where both are set */
1377 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1378 } else {
1379 SSL_CTX_set_session_cache_mode(cctx,
1380 SSL_SESS_CACHE_CLIENT
1381 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1382 }
1383
1384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1385 NULL, NULL))
1386 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1387 SSL_ERROR_NONE))
1388 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1389 goto end;
1390
1391 /* Should fail because it should already be in the cache */
1392 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1393 goto end;
1394 if (use_ext_cache
1395 && (!TEST_int_eq(new_called, numnewsesstick)
1396
1397 || !TEST_int_eq(remove_called, 0)))
1398 goto end;
1399
1400 new_called = remove_called = 0;
1401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1402 &clientssl2, NULL, NULL))
1403 || !TEST_true(SSL_set_session(clientssl2, sess1))
1404 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1405 SSL_ERROR_NONE))
1406 || !TEST_true(SSL_session_reused(clientssl2)))
1407 goto end;
1408
1409 if (maxprot == TLS1_3_VERSION) {
1410 /*
1411 * In TLSv1.3 we should have created a new session even though we have
1412 * resumed. Since we attempted a resume we should also have removed the
1413 * old ticket from the cache so that we try to only use tickets once.
1414 */
1415 if (use_ext_cache
1416 && (!TEST_int_eq(new_called, 1)
1417 || !TEST_int_eq(remove_called, 1)))
1418 goto end;
1419 } else {
1420 /*
1421 * In TLSv1.2 we expect to have resumed so no sessions added or
1422 * removed.
1423 */
1424 if (use_ext_cache
1425 && (!TEST_int_eq(new_called, 0)
1426 || !TEST_int_eq(remove_called, 0)))
1427 goto end;
1428 }
1429
1430 SSL_SESSION_free(sess1);
1431 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1432 goto end;
1433 shutdown_ssl_connection(serverssl2, clientssl2);
1434 serverssl2 = clientssl2 = NULL;
1435
1436 new_called = remove_called = 0;
1437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1438 &clientssl2, NULL, NULL))
1439 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1440 SSL_ERROR_NONE)))
1441 goto end;
1442
1443 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1444 goto end;
1445
1446 if (use_ext_cache
1447 && (!TEST_int_eq(new_called, numnewsesstick)
1448 || !TEST_int_eq(remove_called, 0)))
1449 goto end;
1450
1451 new_called = remove_called = 0;
1452 /*
1453 * This should clear sess2 from the cache because it is a "bad" session.
1454 * See SSL_set_session() documentation.
1455 */
1456 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1457 goto end;
1458 if (use_ext_cache
1459 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1460 goto end;
1461 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1462 goto end;
1463
1464 if (use_int_cache) {
1465 /* Should succeeded because it should not already be in the cache */
1466 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1467 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1468 goto end;
1469 }
1470
1471 new_called = remove_called = 0;
1472 /* This shouldn't be in the cache so should fail */
1473 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1474 goto end;
1475
1476 if (use_ext_cache
1477 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1478 goto end;
1479
1480 # if !defined(OPENSSL_NO_TLS1_1)
1481 new_called = remove_called = 0;
1482 /* Force a connection failure */
1483 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1485 &clientssl3, NULL, NULL))
1486 || !TEST_true(SSL_set_session(clientssl3, sess1))
1487 /* This should fail because of the mismatched protocol versions */
1488 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1489 SSL_ERROR_NONE)))
1490 goto end;
1491
1492 /* We should have automatically removed the session from the cache */
1493 if (use_ext_cache
1494 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1495 goto end;
1496
1497 /* Should succeed because it should not already be in the cache */
1498 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1499 goto end;
1500 # endif
1501
1502 /* Now do some tests for server side caching */
1503 if (use_ext_cache) {
1504 SSL_CTX_sess_set_new_cb(cctx, NULL);
1505 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1506 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1507 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1508 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1509 get_sess_val = NULL;
1510 }
1511
1512 SSL_CTX_set_session_cache_mode(cctx, 0);
1513 /* Internal caching is the default on the server side */
1514 if (!use_int_cache)
1515 SSL_CTX_set_session_cache_mode(sctx,
1516 SSL_SESS_CACHE_SERVER
1517 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1518
1519 SSL_free(serverssl1);
1520 SSL_free(clientssl1);
1521 serverssl1 = clientssl1 = NULL;
1522 SSL_free(serverssl2);
1523 SSL_free(clientssl2);
1524 serverssl2 = clientssl2 = NULL;
1525 SSL_SESSION_free(sess1);
1526 sess1 = NULL;
1527 SSL_SESSION_free(sess2);
1528 sess2 = NULL;
1529
1530 SSL_CTX_set_max_proto_version(sctx, maxprot);
1531 if (maxprot == TLS1_2_VERSION)
1532 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1533 new_called = remove_called = get_called = 0;
1534 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1535 NULL, NULL))
1536 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1537 SSL_ERROR_NONE))
1538 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1539 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1540 goto end;
1541
1542 if (use_int_cache) {
1543 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1544 /*
1545 * In TLSv1.3 it should not have been added to the internal cache,
1546 * except in the case where we also have an external cache (in that
1547 * case it gets added to the cache in order to generate remove
1548 * events after timeout).
1549 */
1550 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1551 goto end;
1552 } else {
1553 /* Should fail because it should already be in the cache */
1554 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1555 goto end;
1556 }
1557 }
1558
1559 if (use_ext_cache) {
1560 SSL_SESSION *tmp = sess2;
1561
1562 if (!TEST_int_eq(new_called, numnewsesstick)
1563 || !TEST_int_eq(remove_called, 0)
1564 || !TEST_int_eq(get_called, 0))
1565 goto end;
1566 /*
1567 * Delete the session from the internal cache to force a lookup from
1568 * the external cache. We take a copy first because
1569 * SSL_CTX_remove_session() also marks the session as non-resumable.
1570 */
1571 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1572 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1573 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1574 goto end;
1575 SSL_SESSION_free(sess2);
1576 }
1577 sess2 = tmp;
1578 }
1579
1580 new_called = remove_called = get_called = 0;
1581 get_sess_val = sess2;
1582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1583 &clientssl2, NULL, NULL))
1584 || !TEST_true(SSL_set_session(clientssl2, sess1))
1585 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1586 SSL_ERROR_NONE))
1587 || !TEST_true(SSL_session_reused(clientssl2)))
1588 goto end;
1589
1590 if (use_ext_cache) {
1591 if (!TEST_int_eq(remove_called, 0))
1592 goto end;
1593
1594 if (maxprot == TLS1_3_VERSION) {
1595 if (!TEST_int_eq(new_called, 1)
1596 || !TEST_int_eq(get_called, 0))
1597 goto end;
1598 } else {
1599 if (!TEST_int_eq(new_called, 0)
1600 || !TEST_int_eq(get_called, 1))
1601 goto end;
1602 }
1603 }
1604
1605 testresult = 1;
1606
1607 end:
1608 SSL_free(serverssl1);
1609 SSL_free(clientssl1);
1610 SSL_free(serverssl2);
1611 SSL_free(clientssl2);
1612 # ifndef OPENSSL_NO_TLS1_1
1613 SSL_free(serverssl3);
1614 SSL_free(clientssl3);
1615 # endif
1616 SSL_SESSION_free(sess1);
1617 SSL_SESSION_free(sess2);
1618 SSL_CTX_free(sctx);
1619 SSL_CTX_free(cctx);
1620
1621 return testresult;
1622 }
1623 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1624
1625 static int test_session_with_only_int_cache(void)
1626 {
1627 #ifndef OPENSSL_NO_TLS1_3
1628 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1629 return 0;
1630 #endif
1631
1632 #ifndef OPENSSL_NO_TLS1_2
1633 return execute_test_session(TLS1_2_VERSION, 1, 0);
1634 #else
1635 return 1;
1636 #endif
1637 }
1638
1639 static int test_session_with_only_ext_cache(void)
1640 {
1641 #ifndef OPENSSL_NO_TLS1_3
1642 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1643 return 0;
1644 #endif
1645
1646 #ifndef OPENSSL_NO_TLS1_2
1647 return execute_test_session(TLS1_2_VERSION, 0, 1);
1648 #else
1649 return 1;
1650 #endif
1651 }
1652
1653 static int test_session_with_both_cache(void)
1654 {
1655 #ifndef OPENSSL_NO_TLS1_3
1656 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1657 return 0;
1658 #endif
1659
1660 #ifndef OPENSSL_NO_TLS1_2
1661 return execute_test_session(TLS1_2_VERSION, 1, 1);
1662 #else
1663 return 1;
1664 #endif
1665 }
1666
1667 #ifndef OPENSSL_NO_TLS1_3
1668 static SSL_SESSION *sesscache[6];
1669 static int do_cache;
1670
1671 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1672 {
1673 if (do_cache) {
1674 sesscache[new_called] = sess;
1675 } else {
1676 /* We don't need the reference to the session, so free it */
1677 SSL_SESSION_free(sess);
1678 }
1679 new_called++;
1680
1681 return 1;
1682 }
1683
1684 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1685 {
1686 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1687 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1688 return 0;
1689
1690 /* Start handshake on the server and client */
1691 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1692 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1693 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1694 || !TEST_true(create_ssl_connection(sssl, cssl,
1695 SSL_ERROR_NONE)))
1696 return 0;
1697
1698 return 1;
1699 }
1700
1701 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1702 SSL_CTX **cctx)
1703 {
1704 int sess_id_ctx = 1;
1705
1706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1707 TLS1_VERSION, 0, sctx,
1708 cctx, cert, privkey))
1709 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1710 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1711 (void *)&sess_id_ctx,
1712 sizeof(sess_id_ctx))))
1713 return 0;
1714
1715 if (stateful)
1716 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1717
1718 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1719 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1720 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1721
1722 return 1;
1723 }
1724
1725 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1726 {
1727 SSL *serverssl = NULL, *clientssl = NULL;
1728 int i;
1729
1730 /* Test that we can resume with all the tickets we got given */
1731 for (i = 0; i < idx * 2; i++) {
1732 new_called = 0;
1733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1734 &clientssl, NULL, NULL))
1735 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1736 goto end;
1737
1738 SSL_set_post_handshake_auth(clientssl, 1);
1739
1740 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1741 SSL_ERROR_NONE)))
1742 goto end;
1743
1744 /*
1745 * Following a successful resumption we only get 1 ticket. After a
1746 * failed one we should get idx tickets.
1747 */
1748 if (succ) {
1749 if (!TEST_true(SSL_session_reused(clientssl))
1750 || !TEST_int_eq(new_called, 1))
1751 goto end;
1752 } else {
1753 if (!TEST_false(SSL_session_reused(clientssl))
1754 || !TEST_int_eq(new_called, idx))
1755 goto end;
1756 }
1757
1758 new_called = 0;
1759 /* After a post-handshake authentication we should get 1 new ticket */
1760 if (succ
1761 && (!post_handshake_verify(serverssl, clientssl)
1762 || !TEST_int_eq(new_called, 1)))
1763 goto end;
1764
1765 SSL_shutdown(clientssl);
1766 SSL_shutdown(serverssl);
1767 SSL_free(serverssl);
1768 SSL_free(clientssl);
1769 serverssl = clientssl = NULL;
1770 SSL_SESSION_free(sesscache[i]);
1771 sesscache[i] = NULL;
1772 }
1773
1774 return 1;
1775
1776 end:
1777 SSL_free(clientssl);
1778 SSL_free(serverssl);
1779 return 0;
1780 }
1781
1782 static int test_tickets(int stateful, int idx)
1783 {
1784 SSL_CTX *sctx = NULL, *cctx = NULL;
1785 SSL *serverssl = NULL, *clientssl = NULL;
1786 int testresult = 0;
1787 size_t j;
1788
1789 /* idx is the test number, but also the number of tickets we want */
1790
1791 new_called = 0;
1792 do_cache = 1;
1793
1794 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1795 goto end;
1796
1797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1798 &clientssl, NULL, NULL)))
1799 goto end;
1800
1801 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1802 SSL_ERROR_NONE))
1803 /* Check we got the number of tickets we were expecting */
1804 || !TEST_int_eq(idx, new_called))
1805 goto end;
1806
1807 SSL_shutdown(clientssl);
1808 SSL_shutdown(serverssl);
1809 SSL_free(serverssl);
1810 SSL_free(clientssl);
1811 SSL_CTX_free(sctx);
1812 SSL_CTX_free(cctx);
1813 clientssl = serverssl = NULL;
1814 sctx = cctx = NULL;
1815
1816 /*
1817 * Now we try to resume with the tickets we previously created. The
1818 * resumption attempt is expected to fail (because we're now using a new
1819 * SSL_CTX). We should see idx number of tickets issued again.
1820 */
1821
1822 /* Stop caching sessions - just count them */
1823 do_cache = 0;
1824
1825 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1826 goto end;
1827
1828 if (!check_resumption(idx, sctx, cctx, 0))
1829 goto end;
1830
1831 /* Start again with caching sessions */
1832 new_called = 0;
1833 do_cache = 1;
1834 SSL_CTX_free(sctx);
1835 SSL_CTX_free(cctx);
1836 sctx = cctx = NULL;
1837
1838 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1839 goto end;
1840
1841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1842 &clientssl, NULL, NULL)))
1843 goto end;
1844
1845 SSL_set_post_handshake_auth(clientssl, 1);
1846
1847 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1848 SSL_ERROR_NONE))
1849 /* Check we got the number of tickets we were expecting */
1850 || !TEST_int_eq(idx, new_called))
1851 goto end;
1852
1853 /* After a post-handshake authentication we should get new tickets issued */
1854 if (!post_handshake_verify(serverssl, clientssl)
1855 || !TEST_int_eq(idx * 2, new_called))
1856 goto end;
1857
1858 SSL_shutdown(clientssl);
1859 SSL_shutdown(serverssl);
1860 SSL_free(serverssl);
1861 SSL_free(clientssl);
1862 serverssl = clientssl = NULL;
1863
1864 /* Stop caching sessions - just count them */
1865 do_cache = 0;
1866
1867 /*
1868 * Check we can resume with all the tickets we created. This time around the
1869 * resumptions should all be successful.
1870 */
1871 if (!check_resumption(idx, sctx, cctx, 1))
1872 goto end;
1873
1874 testresult = 1;
1875
1876 end:
1877 SSL_free(serverssl);
1878 SSL_free(clientssl);
1879 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1880 SSL_SESSION_free(sesscache[j]);
1881 sesscache[j] = NULL;
1882 }
1883 SSL_CTX_free(sctx);
1884 SSL_CTX_free(cctx);
1885
1886 return testresult;
1887 }
1888
1889 static int test_stateless_tickets(int idx)
1890 {
1891 return test_tickets(0, idx);
1892 }
1893
1894 static int test_stateful_tickets(int idx)
1895 {
1896 return test_tickets(1, idx);
1897 }
1898
1899 static int test_psk_tickets(void)
1900 {
1901 SSL_CTX *sctx = NULL, *cctx = NULL;
1902 SSL *serverssl = NULL, *clientssl = NULL;
1903 int testresult = 0;
1904 int sess_id_ctx = 1;
1905
1906 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1907 TLS1_VERSION, 0, &sctx,
1908 &cctx, NULL, NULL))
1909 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1910 (void *)&sess_id_ctx,
1911 sizeof(sess_id_ctx))))
1912 goto end;
1913
1914 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1915 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1916 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1917 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1918 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1919 use_session_cb_cnt = 0;
1920 find_session_cb_cnt = 0;
1921 srvid = pskid;
1922 new_called = 0;
1923
1924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1925 NULL, NULL)))
1926 goto end;
1927 clientpsk = serverpsk = create_a_psk(clientssl);
1928 if (!TEST_ptr(clientpsk))
1929 goto end;
1930 SSL_SESSION_up_ref(clientpsk);
1931
1932 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1933 SSL_ERROR_NONE))
1934 || !TEST_int_eq(1, find_session_cb_cnt)
1935 || !TEST_int_eq(1, use_session_cb_cnt)
1936 /* We should always get 1 ticket when using external PSK */
1937 || !TEST_int_eq(1, new_called))
1938 goto end;
1939
1940 testresult = 1;
1941
1942 end:
1943 SSL_free(serverssl);
1944 SSL_free(clientssl);
1945 SSL_CTX_free(sctx);
1946 SSL_CTX_free(cctx);
1947 SSL_SESSION_free(clientpsk);
1948 SSL_SESSION_free(serverpsk);
1949 clientpsk = serverpsk = NULL;
1950
1951 return testresult;
1952 }
1953 #endif
1954
1955 #define USE_NULL 0
1956 #define USE_BIO_1 1
1957 #define USE_BIO_2 2
1958 #define USE_DEFAULT 3
1959
1960 #define CONNTYPE_CONNECTION_SUCCESS 0
1961 #define CONNTYPE_CONNECTION_FAIL 1
1962 #define CONNTYPE_NO_CONNECTION 2
1963
1964 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1965 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1966 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1967 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1968 #else
1969 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1970 #endif
1971
1972 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1973 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1975
1976 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1977 {
1978 switch (type) {
1979 case USE_NULL:
1980 *res = NULL;
1981 break;
1982 case USE_BIO_1:
1983 *res = bio1;
1984 break;
1985 case USE_BIO_2:
1986 *res = bio2;
1987 break;
1988 }
1989 }
1990
1991
1992 /*
1993 * Tests calls to SSL_set_bio() under various conditions.
1994 *
1995 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1996 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1997 * then do more tests where we create a successful connection first using our
1998 * standard connection setup functions, and then call SSL_set_bio() with
1999 * various combinations of valid BIOs or NULL. We then repeat these tests
2000 * following a failed connection. In this last case we are looking to check that
2001 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2002 */
2003 static int test_ssl_set_bio(int idx)
2004 {
2005 SSL_CTX *sctx = NULL, *cctx = NULL;
2006 BIO *bio1 = NULL;
2007 BIO *bio2 = NULL;
2008 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2009 SSL *serverssl = NULL, *clientssl = NULL;
2010 int initrbio, initwbio, newrbio, newwbio, conntype;
2011 int testresult = 0;
2012
2013 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2014 initrbio = idx % 3;
2015 idx /= 3;
2016 initwbio = idx % 3;
2017 idx /= 3;
2018 newrbio = idx % 3;
2019 idx /= 3;
2020 newwbio = idx % 3;
2021 conntype = CONNTYPE_NO_CONNECTION;
2022 } else {
2023 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2024 initrbio = initwbio = USE_DEFAULT;
2025 newrbio = idx % 2;
2026 idx /= 2;
2027 newwbio = idx % 2;
2028 idx /= 2;
2029 conntype = idx % 2;
2030 }
2031
2032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2033 TLS1_VERSION, 0,
2034 &sctx, &cctx, cert, privkey)))
2035 goto end;
2036
2037 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2038 /*
2039 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2040 * because we reduced the number of tests in the definition of
2041 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2042 * mismatched protocol versions we will force a connection failure.
2043 */
2044 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2045 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2046 }
2047
2048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2049 NULL, NULL)))
2050 goto end;
2051
2052 if (initrbio == USE_BIO_1
2053 || initwbio == USE_BIO_1
2054 || newrbio == USE_BIO_1
2055 || newwbio == USE_BIO_1) {
2056 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2057 goto end;
2058 }
2059
2060 if (initrbio == USE_BIO_2
2061 || initwbio == USE_BIO_2
2062 || newrbio == USE_BIO_2
2063 || newwbio == USE_BIO_2) {
2064 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2065 goto end;
2066 }
2067
2068 if (initrbio != USE_DEFAULT) {
2069 setupbio(&irbio, bio1, bio2, initrbio);
2070 setupbio(&iwbio, bio1, bio2, initwbio);
2071 SSL_set_bio(clientssl, irbio, iwbio);
2072
2073 /*
2074 * We want to maintain our own refs to these BIO, so do an up ref for
2075 * each BIO that will have ownership transferred in the SSL_set_bio()
2076 * call
2077 */
2078 if (irbio != NULL)
2079 BIO_up_ref(irbio);
2080 if (iwbio != NULL && iwbio != irbio)
2081 BIO_up_ref(iwbio);
2082 }
2083
2084 if (conntype != CONNTYPE_NO_CONNECTION
2085 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2086 SSL_ERROR_NONE)
2087 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2088 goto end;
2089
2090 setupbio(&nrbio, bio1, bio2, newrbio);
2091 setupbio(&nwbio, bio1, bio2, newwbio);
2092
2093 /*
2094 * We will (maybe) transfer ownership again so do more up refs.
2095 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2096 * already been set!
2097 */
2098 if (nrbio != NULL
2099 && nrbio != irbio
2100 && (nwbio != iwbio || nrbio != nwbio))
2101 BIO_up_ref(nrbio);
2102 if (nwbio != NULL
2103 && nwbio != nrbio
2104 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2105 BIO_up_ref(nwbio);
2106
2107 SSL_set_bio(clientssl, nrbio, nwbio);
2108
2109 testresult = 1;
2110
2111 end:
2112 BIO_free(bio1);
2113 BIO_free(bio2);
2114
2115 /*
2116 * This test is checking that the ref counting for SSL_set_bio is correct.
2117 * If we get here and we did too many frees then we will fail in the above
2118 * functions. If we haven't done enough then this will only be detected in
2119 * a crypto-mdebug build
2120 */
2121 SSL_free(serverssl);
2122 SSL_free(clientssl);
2123 SSL_CTX_free(sctx);
2124 SSL_CTX_free(cctx);
2125 return testresult;
2126 }
2127
2128 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2129
2130 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2131 {
2132 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2133 SSL_CTX *ctx;
2134 SSL *ssl = NULL;
2135 int testresult = 0;
2136
2137 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2138 || !TEST_ptr(ssl = SSL_new(ctx))
2139 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2140 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2141 goto end;
2142
2143 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2144
2145 /*
2146 * If anything goes wrong here then we could leak memory, so this will
2147 * be caught in a crypto-mdebug build
2148 */
2149 BIO_push(sslbio, membio1);
2150
2151 /* Verify changing the rbio/wbio directly does not cause leaks */
2152 if (change_bio != NO_BIO_CHANGE) {
2153 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
2154 goto end;
2155 if (change_bio == CHANGE_RBIO)
2156 SSL_set0_rbio(ssl, membio2);
2157 else
2158 SSL_set0_wbio(ssl, membio2);
2159 }
2160 ssl = NULL;
2161
2162 if (pop_ssl)
2163 BIO_pop(sslbio);
2164 else
2165 BIO_pop(membio1);
2166
2167 testresult = 1;
2168 end:
2169 BIO_free(membio1);
2170 BIO_free(sslbio);
2171 SSL_free(ssl);
2172 SSL_CTX_free(ctx);
2173
2174 return testresult;
2175 }
2176
2177 static int test_ssl_bio_pop_next_bio(void)
2178 {
2179 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2180 }
2181
2182 static int test_ssl_bio_pop_ssl_bio(void)
2183 {
2184 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2185 }
2186
2187 static int test_ssl_bio_change_rbio(void)
2188 {
2189 return execute_test_ssl_bio(0, CHANGE_RBIO);
2190 }
2191
2192 static int test_ssl_bio_change_wbio(void)
2193 {
2194 return execute_test_ssl_bio(0, CHANGE_WBIO);
2195 }
2196
2197 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2198 typedef struct {
2199 /* The list of sig algs */
2200 const int *list;
2201 /* The length of the list */
2202 size_t listlen;
2203 /* A sigalgs list in string format */
2204 const char *liststr;
2205 /* Whether setting the list should succeed */
2206 int valid;
2207 /* Whether creating a connection with the list should succeed */
2208 int connsuccess;
2209 } sigalgs_list;
2210
2211 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2212 # ifndef OPENSSL_NO_EC
2213 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2214 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2215 # endif
2216 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2217 static const int invalidlist2[] = {NID_sha256, NID_undef};
2218 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2219 static const int invalidlist4[] = {NID_sha256};
2220 static const sigalgs_list testsigalgs[] = {
2221 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2222 # ifndef OPENSSL_NO_EC
2223 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2224 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2225 # endif
2226 {NULL, 0, "RSA+SHA256", 1, 1},
2227 # ifndef OPENSSL_NO_EC
2228 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2229 {NULL, 0, "ECDSA+SHA512", 1, 0},
2230 # endif
2231 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2232 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2233 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2234 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2235 {NULL, 0, "RSA", 0, 0},
2236 {NULL, 0, "SHA256", 0, 0},
2237 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2238 {NULL, 0, "Invalid", 0, 0}
2239 };
2240
2241 static int test_set_sigalgs(int idx)
2242 {
2243 SSL_CTX *cctx = NULL, *sctx = NULL;
2244 SSL *clientssl = NULL, *serverssl = NULL;
2245 int testresult = 0;
2246 const sigalgs_list *curr;
2247 int testctx;
2248
2249 /* Should never happen */
2250 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2251 return 0;
2252
2253 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2254 curr = testctx ? &testsigalgs[idx]
2255 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2256
2257 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2258 TLS1_VERSION, 0,
2259 &sctx, &cctx, cert, privkey)))
2260 return 0;
2261
2262 /*
2263 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2264 * for TLSv1.2 for now until we add a new API.
2265 */
2266 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2267
2268 if (testctx) {
2269 int ret;
2270
2271 if (curr->list != NULL)
2272 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2273 else
2274 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2275
2276 if (!ret) {
2277 if (curr->valid)
2278 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2279 else
2280 testresult = 1;
2281 goto end;
2282 }
2283 if (!curr->valid) {
2284 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2285 goto end;
2286 }
2287 }
2288
2289 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2290 &clientssl, NULL, NULL)))
2291 goto end;
2292
2293 if (!testctx) {
2294 int ret;
2295
2296 if (curr->list != NULL)
2297 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2298 else
2299 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2300 if (!ret) {
2301 if (curr->valid)
2302 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2303 else
2304 testresult = 1;
2305 goto end;
2306 }
2307 if (!curr->valid)
2308 goto end;
2309 }
2310
2311 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2312 SSL_ERROR_NONE),
2313 curr->connsuccess))
2314 goto end;
2315
2316 testresult = 1;
2317
2318 end:
2319 SSL_free(serverssl);
2320 SSL_free(clientssl);
2321 SSL_CTX_free(sctx);
2322 SSL_CTX_free(cctx);
2323
2324 return testresult;
2325 }
2326 #endif
2327
2328 #ifndef OPENSSL_NO_TLS1_3
2329 static int psk_client_cb_cnt = 0;
2330 static int psk_server_cb_cnt = 0;
2331
2332 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2333 size_t *idlen, SSL_SESSION **sess)
2334 {
2335 switch (++use_session_cb_cnt) {
2336 case 1:
2337 /* The first call should always have a NULL md */
2338 if (md != NULL)
2339 return 0;
2340 break;
2341
2342 case 2:
2343 /* The second call should always have an md */
2344 if (md == NULL)
2345 return 0;
2346 break;
2347
2348 default:
2349 /* We should only be called a maximum of twice */
2350 return 0;
2351 }
2352
2353 if (clientpsk != NULL)
2354 SSL_SESSION_up_ref(clientpsk);
2355
2356 *sess = clientpsk;
2357 *id = (const unsigned char *)pskid;
2358 *idlen = strlen(pskid);
2359
2360 return 1;
2361 }
2362
2363 #ifndef OPENSSL_NO_PSK
2364 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2365 unsigned int max_id_len,
2366 unsigned char *psk,
2367 unsigned int max_psk_len)
2368 {
2369 unsigned int psklen = 0;
2370
2371 psk_client_cb_cnt++;
2372
2373 if (strlen(pskid) + 1 > max_id_len)
2374 return 0;
2375
2376 /* We should only ever be called a maximum of twice per connection */
2377 if (psk_client_cb_cnt > 2)
2378 return 0;
2379
2380 if (clientpsk == NULL)
2381 return 0;
2382
2383 /* We'll reuse the PSK we set up for TLSv1.3 */
2384 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2385 return 0;
2386 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2387 strncpy(id, pskid, max_id_len);
2388
2389 return psklen;
2390 }
2391 #endif /* OPENSSL_NO_PSK */
2392
2393 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2394 size_t identity_len, SSL_SESSION **sess)
2395 {
2396 find_session_cb_cnt++;
2397
2398 /* We should only ever be called a maximum of twice per connection */
2399 if (find_session_cb_cnt > 2)
2400 return 0;
2401
2402 if (serverpsk == NULL)
2403 return 0;
2404
2405 /* Identity should match that set by the client */
2406 if (strlen(srvid) != identity_len
2407 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2408 /* No PSK found, continue but without a PSK */
2409 *sess = NULL;
2410 return 1;
2411 }
2412
2413 SSL_SESSION_up_ref(serverpsk);
2414 *sess = serverpsk;
2415
2416 return 1;
2417 }
2418
2419 #ifndef OPENSSL_NO_PSK
2420 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2421 unsigned char *psk, unsigned int max_psk_len)
2422 {
2423 unsigned int psklen = 0;
2424
2425 psk_server_cb_cnt++;
2426
2427 /* We should only ever be called a maximum of twice per connection */
2428 if (find_session_cb_cnt > 2)
2429 return 0;
2430
2431 if (serverpsk == NULL)
2432 return 0;
2433
2434 /* Identity should match that set by the client */
2435 if (strcmp(srvid, identity) != 0) {
2436 return 0;
2437 }
2438
2439 /* We'll reuse the PSK we set up for TLSv1.3 */
2440 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2441 return 0;
2442 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2443
2444 return psklen;
2445 }
2446 #endif /* OPENSSL_NO_PSK */
2447
2448 #define MSG1 "Hello"
2449 #define MSG2 "World."
2450 #define MSG3 "This"
2451 #define MSG4 "is"
2452 #define MSG5 "a"
2453 #define MSG6 "test"
2454 #define MSG7 "message."
2455
2456 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2457 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2458
2459
2460 static SSL_SESSION *create_a_psk(SSL *ssl)
2461 {
2462 const SSL_CIPHER *cipher = NULL;
2463 const unsigned char key[] = {
2464 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2465 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2466 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2467 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2468 0x2c, 0x2d, 0x2e, 0x2f
2469 };
2470 SSL_SESSION *sess = NULL;
2471
2472 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2473 sess = SSL_SESSION_new();
2474 if (!TEST_ptr(sess)
2475 || !TEST_ptr(cipher)
2476 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2477 sizeof(key)))
2478 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2479 || !TEST_true(
2480 SSL_SESSION_set_protocol_version(sess,
2481 TLS1_3_VERSION))) {
2482 SSL_SESSION_free(sess);
2483 return NULL;
2484 }
2485 return sess;
2486 }
2487
2488 /*
2489 * Helper method to setup objects for early data test. Caller frees objects on
2490 * error.
2491 */
2492 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2493 SSL **serverssl, SSL_SESSION **sess, int idx)
2494 {
2495 if (*sctx == NULL
2496 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2497 TLS_client_method(),
2498 TLS1_VERSION, 0,
2499 sctx, cctx, cert, privkey)))
2500 return 0;
2501
2502 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2503 return 0;
2504
2505 if (idx == 1) {
2506 /* When idx == 1 we repeat the tests with read_ahead set */
2507 SSL_CTX_set_read_ahead(*cctx, 1);
2508 SSL_CTX_set_read_ahead(*sctx, 1);
2509 } else if (idx == 2) {
2510 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2511 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2512 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2513 use_session_cb_cnt = 0;
2514 find_session_cb_cnt = 0;
2515 srvid = pskid;
2516 }
2517
2518 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2519 NULL, NULL)))
2520 return 0;
2521
2522 /*
2523 * For one of the run throughs (doesn't matter which one), we'll try sending
2524 * some SNI data in the initial ClientHello. This will be ignored (because
2525 * there is no SNI cb set up by the server), so it should not impact
2526 * early_data.
2527 */
2528 if (idx == 1
2529 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2530 return 0;
2531
2532 if (idx == 2) {
2533 clientpsk = create_a_psk(*clientssl);
2534 if (!TEST_ptr(clientpsk)
2535 /*
2536 * We just choose an arbitrary value for max_early_data which
2537 * should be big enough for testing purposes.
2538 */
2539 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2540 0x100))
2541 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2542 SSL_SESSION_free(clientpsk);
2543 clientpsk = NULL;
2544 return 0;
2545 }
2546 serverpsk = clientpsk;
2547
2548 if (sess != NULL) {
2549 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2550 SSL_SESSION_free(clientpsk);
2551 SSL_SESSION_free(serverpsk);
2552 clientpsk = serverpsk = NULL;
2553 return 0;
2554 }
2555 *sess = clientpsk;
2556 }
2557 return 1;
2558 }
2559
2560 if (sess == NULL)
2561 return 1;
2562
2563 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2564 SSL_ERROR_NONE)))
2565 return 0;
2566
2567 *sess = SSL_get1_session(*clientssl);
2568 SSL_shutdown(*clientssl);
2569 SSL_shutdown(*serverssl);
2570 SSL_free(*serverssl);
2571 SSL_free(*clientssl);
2572 *serverssl = *clientssl = NULL;
2573
2574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2575 clientssl, NULL, NULL))
2576 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2577 return 0;
2578
2579 return 1;
2580 }
2581
2582 static int test_early_data_read_write(int idx)
2583 {
2584 SSL_CTX *cctx = NULL, *sctx = NULL;
2585 SSL *clientssl = NULL, *serverssl = NULL;
2586 int testresult = 0;
2587 SSL_SESSION *sess = NULL;
2588 unsigned char buf[20], data[1024];
2589 size_t readbytes, written, eoedlen, rawread, rawwritten;
2590 BIO *rbio;
2591
2592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2593 &serverssl, &sess, idx)))
2594 goto end;
2595
2596 /* Write and read some early data */
2597 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2598 &written))
2599 || !TEST_size_t_eq(written, strlen(MSG1))
2600 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2601 sizeof(buf), &readbytes),
2602 SSL_READ_EARLY_DATA_SUCCESS)
2603 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2604 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2605 SSL_EARLY_DATA_ACCEPTED))
2606 goto end;
2607
2608 /*
2609 * Server should be able to write data, and client should be able to
2610 * read it.
2611 */
2612 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2613 &written))
2614 || !TEST_size_t_eq(written, strlen(MSG2))
2615 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2616 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2617 goto end;
2618
2619 /* Even after reading normal data, client should be able write early data */
2620 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2621 &written))
2622 || !TEST_size_t_eq(written, strlen(MSG3)))
2623 goto end;
2624
2625 /* Server should still be able read early data after writing data */
2626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2627 &readbytes),
2628 SSL_READ_EARLY_DATA_SUCCESS)
2629 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2630 goto end;
2631
2632 /* Write more data from server and read it from client */
2633 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2634 &written))
2635 || !TEST_size_t_eq(written, strlen(MSG4))
2636 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2637 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2638 goto end;
2639
2640 /*
2641 * If client writes normal data it should mean writing early data is no
2642 * longer possible.
2643 */
2644 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2645 || !TEST_size_t_eq(written, strlen(MSG5))
2646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2647 SSL_EARLY_DATA_ACCEPTED))
2648 goto end;
2649
2650 /*
2651 * At this point the client has written EndOfEarlyData, ClientFinished and
2652 * normal (fully protected) data. We are going to cause a delay between the
2653 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2654 * in the read BIO, and then just put back the EndOfEarlyData message.
2655 */
2656 rbio = SSL_get_rbio(serverssl);
2657 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2658 || !TEST_size_t_lt(rawread, sizeof(data))
2659 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2660 goto end;
2661
2662 /* Record length is in the 4th and 5th bytes of the record header */
2663 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2664 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2665 || !TEST_size_t_eq(rawwritten, eoedlen))
2666 goto end;
2667
2668 /* Server should be told that there is no more early data */
2669 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2670 &readbytes),
2671 SSL_READ_EARLY_DATA_FINISH)
2672 || !TEST_size_t_eq(readbytes, 0))
2673 goto end;
2674
2675 /*
2676 * Server has not finished init yet, so should still be able to write early
2677 * data.
2678 */
2679 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2680 &written))
2681 || !TEST_size_t_eq(written, strlen(MSG6)))
2682 goto end;
2683
2684 /* Push the ClientFinished and the normal data back into the server rbio */
2685 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2686 &rawwritten))
2687 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2688 goto end;
2689
2690 /* Server should be able to read normal data */
2691 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2692 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2693 goto end;
2694
2695 /* Client and server should not be able to write/read early data now */
2696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2697 &written)))
2698 goto end;
2699 ERR_clear_error();
2700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2701 &readbytes),
2702 SSL_READ_EARLY_DATA_ERROR))
2703 goto end;
2704 ERR_clear_error();
2705
2706 /* Client should be able to read the data sent by the server */
2707 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2708 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2709 goto end;
2710
2711 /*
2712 * Make sure we process the two NewSessionTickets. These arrive
2713 * post-handshake. We attempt reads which we do not expect to return any
2714 * data.
2715 */
2716 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2717 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2718 &readbytes)))
2719 goto end;
2720
2721 /* Server should be able to write normal data */
2722 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2723 || !TEST_size_t_eq(written, strlen(MSG7))
2724 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2725 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2726 goto end;
2727
2728 SSL_SESSION_free(sess);
2729 sess = SSL_get1_session(clientssl);
2730 use_session_cb_cnt = 0;
2731 find_session_cb_cnt = 0;
2732
2733 SSL_shutdown(clientssl);
2734 SSL_shutdown(serverssl);
2735 SSL_free(serverssl);
2736 SSL_free(clientssl);
2737 serverssl = clientssl = NULL;
2738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2739 &clientssl, NULL, NULL))
2740 || !TEST_true(SSL_set_session(clientssl, sess)))
2741 goto end;
2742
2743 /* Write and read some early data */
2744 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2745 &written))
2746 || !TEST_size_t_eq(written, strlen(MSG1))
2747 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2748 &readbytes),
2749 SSL_READ_EARLY_DATA_SUCCESS)
2750 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2751 goto end;
2752
2753 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2754 || !TEST_int_gt(SSL_accept(serverssl), 0))
2755 goto end;
2756
2757 /* Client and server should not be able to write/read early data now */
2758 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2759 &written)))
2760 goto end;
2761 ERR_clear_error();
2762 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2763 &readbytes),
2764 SSL_READ_EARLY_DATA_ERROR))
2765 goto end;
2766 ERR_clear_error();
2767
2768 /* Client and server should be able to write/read normal data */
2769 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2770 || !TEST_size_t_eq(written, strlen(MSG5))
2771 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2772 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2773 goto end;
2774
2775 testresult = 1;
2776
2777 end:
2778 SSL_SESSION_free(sess);
2779 SSL_SESSION_free(clientpsk);
2780 SSL_SESSION_free(serverpsk);
2781 clientpsk = serverpsk = NULL;
2782 SSL_free(serverssl);
2783 SSL_free(clientssl);
2784 SSL_CTX_free(sctx);
2785 SSL_CTX_free(cctx);
2786 return testresult;
2787 }
2788
2789 static int allow_ed_cb_called = 0;
2790
2791 static int allow_early_data_cb(SSL *s, void *arg)
2792 {
2793 int *usecb = (int *)arg;
2794
2795 allow_ed_cb_called++;
2796
2797 if (*usecb == 1)
2798 return 0;
2799
2800 return 1;
2801 }
2802
2803 /*
2804 * idx == 0: Standard early_data setup
2805 * idx == 1: early_data setup using read_ahead
2806 * usecb == 0: Don't use a custom early data callback
2807 * usecb == 1: Use a custom early data callback and reject the early data
2808 * usecb == 2: Use a custom early data callback and accept the early data
2809 * confopt == 0: Configure anti-replay directly
2810 * confopt == 1: Configure anti-replay using SSL_CONF
2811 */
2812 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2813 {
2814 SSL_CTX *cctx = NULL, *sctx = NULL;
2815 SSL *clientssl = NULL, *serverssl = NULL;
2816 int testresult = 0;
2817 SSL_SESSION *sess = NULL;
2818 size_t readbytes, written;
2819 unsigned char buf[20];
2820
2821 allow_ed_cb_called = 0;
2822
2823 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2824 TLS1_VERSION, 0, &sctx,
2825 &cctx, cert, privkey)))
2826 return 0;
2827
2828 if (usecb > 0) {
2829 if (confopt == 0) {
2830 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2831 } else {
2832 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2833
2834 if (!TEST_ptr(confctx))
2835 goto end;
2836 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2837 | SSL_CONF_FLAG_SERVER);
2838 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2839 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2840 2)) {
2841 SSL_CONF_CTX_free(confctx);
2842 goto end;
2843 }
2844 SSL_CONF_CTX_free(confctx);
2845 }
2846 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2847 }
2848
2849 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2850 &serverssl, &sess, idx)))
2851 goto end;
2852
2853 /*
2854 * The server is configured to accept early data. Create a connection to
2855 * "use up" the ticket
2856 */
2857 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2858 || !TEST_true(SSL_session_reused(clientssl)))
2859 goto end;
2860
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2863 SSL_free(serverssl);
2864 SSL_free(clientssl);
2865 serverssl = clientssl = NULL;
2866
2867 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2868 &clientssl, NULL, NULL))
2869 || !TEST_true(SSL_set_session(clientssl, sess)))
2870 goto end;
2871
2872 /* Write and read some early data */
2873 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2874 &written))
2875 || !TEST_size_t_eq(written, strlen(MSG1)))
2876 goto end;
2877
2878 if (usecb <= 1) {
2879 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2880 &readbytes),
2881 SSL_READ_EARLY_DATA_FINISH)
2882 /*
2883 * The ticket was reused, so the we should have rejected the
2884 * early data
2885 */
2886 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2887 SSL_EARLY_DATA_REJECTED))
2888 goto end;
2889 } else {
2890 /* In this case the callback decides to accept the early data */
2891 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2892 &readbytes),
2893 SSL_READ_EARLY_DATA_SUCCESS)
2894 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2895 /*
2896 * Server will have sent its flight so client can now send
2897 * end of early data and complete its half of the handshake
2898 */
2899 || !TEST_int_gt(SSL_connect(clientssl), 0)
2900 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2901 &readbytes),
2902 SSL_READ_EARLY_DATA_FINISH)
2903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2904 SSL_EARLY_DATA_ACCEPTED))
2905 goto end;
2906 }
2907
2908 /* Complete the connection */
2909 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2910 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2911 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2912 goto end;
2913
2914 testresult = 1;
2915
2916 end:
2917 SSL_SESSION_free(sess);
2918 SSL_SESSION_free(clientpsk);
2919 SSL_SESSION_free(serverpsk);
2920 clientpsk = serverpsk = NULL;
2921 SSL_free(serverssl);
2922 SSL_free(clientssl);
2923 SSL_CTX_free(sctx);
2924 SSL_CTX_free(cctx);
2925 return testresult;
2926 }
2927
2928 static int test_early_data_replay(int idx)
2929 {
2930 int ret = 1, usecb, confopt;
2931
2932 for (usecb = 0; usecb < 3; usecb++) {
2933 for (confopt = 0; confopt < 2; confopt++)
2934 ret &= test_early_data_replay_int(idx, usecb, confopt);
2935 }
2936
2937 return ret;
2938 }
2939
2940 /*
2941 * Helper function to test that a server attempting to read early data can
2942 * handle a connection from a client where the early data should be skipped.
2943 * testtype: 0 == No HRR
2944 * testtype: 1 == HRR
2945 * testtype: 2 == HRR, invalid early_data sent after HRR
2946 * testtype: 3 == recv_max_early_data set to 0
2947 */
2948 static int early_data_skip_helper(int testtype, int idx)
2949 {
2950 SSL_CTX *cctx = NULL, *sctx = NULL;
2951 SSL *clientssl = NULL, *serverssl = NULL;
2952 int testresult = 0;
2953 SSL_SESSION *sess = NULL;
2954 unsigned char buf[20];
2955 size_t readbytes, written;
2956
2957 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2958 &serverssl, &sess, idx)))
2959 goto end;
2960
2961 if (testtype == 1 || testtype == 2) {
2962 /* Force an HRR to occur */
2963 #if defined(OPENSSL_NO_EC)
2964 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2965 goto end;
2966 #else
2967 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2968 goto end;
2969 #endif
2970 } else if (idx == 2) {
2971 /*
2972 * We force early_data rejection by ensuring the PSK identity is
2973 * unrecognised
2974 */
2975 srvid = "Dummy Identity";
2976 } else {
2977 /*
2978 * Deliberately corrupt the creation time. We take 20 seconds off the
2979 * time. It could be any value as long as it is not within tolerance.
2980 * This should mean the ticket is rejected.
2981 */
2982 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2983 goto end;
2984 }
2985
2986 if (testtype == 3
2987 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2988 goto end;
2989
2990 /* Write some early data */
2991 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2992 &written))
2993 || !TEST_size_t_eq(written, strlen(MSG1)))
2994 goto end;
2995
2996 /* Server should reject the early data */
2997 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2998 &readbytes),
2999 SSL_READ_EARLY_DATA_FINISH)
3000 || !TEST_size_t_eq(readbytes, 0)
3001 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3002 SSL_EARLY_DATA_REJECTED))
3003 goto end;
3004
3005 switch (testtype) {
3006 case 0:
3007 /* Nothing to do */
3008 break;
3009
3010 case 1:
3011 /*
3012 * Finish off the handshake. We perform the same writes and reads as
3013 * further down but we expect them to fail due to the incomplete
3014 * handshake.
3015 */
3016 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3017 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3018 &readbytes)))
3019 goto end;
3020 break;
3021
3022 case 2:
3023 {
3024 BIO *wbio = SSL_get_wbio(clientssl);
3025 /* A record that will appear as bad early_data */
3026 const unsigned char bad_early_data[] = {
3027 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3028 };
3029
3030 /*
3031 * We force the client to attempt a write. This will fail because
3032 * we're still in the handshake. It will cause the second
3033 * ClientHello to be sent.
3034 */
3035 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3036 &written)))
3037 goto end;
3038
3039 /*
3040 * Inject some early_data after the second ClientHello. This should
3041 * cause the server to fail
3042 */
3043 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3044 sizeof(bad_early_data), &written)))
3045 goto end;
3046 }
3047 /* fallthrough */
3048
3049 case 3:
3050 /*
3051 * This client has sent more early_data than we are willing to skip
3052 * (case 3) or sent invalid early_data (case 2) so the connection should
3053 * abort.
3054 */
3055 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3056 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3057 goto end;
3058
3059 /* Connection has failed - nothing more to do */
3060 testresult = 1;
3061 goto end;
3062
3063 default:
3064 TEST_error("Invalid test type");
3065 goto end;
3066 }
3067
3068 /*
3069 * Should be able to send normal data despite rejection of early data. The
3070 * early_data should be skipped.
3071 */
3072 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3073 || !TEST_size_t_eq(written, strlen(MSG2))
3074 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3075 SSL_EARLY_DATA_REJECTED)
3076 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3077 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3078 goto end;
3079
3080 testresult = 1;
3081
3082 end:
3083 SSL_SESSION_free(clientpsk);
3084 SSL_SESSION_free(serverpsk);
3085 clientpsk = serverpsk = NULL;
3086 SSL_SESSION_free(sess);
3087 SSL_free(serverssl);
3088 SSL_free(clientssl);
3089 SSL_CTX_free(sctx);
3090 SSL_CTX_free(cctx);
3091 return testresult;
3092 }
3093
3094 /*
3095 * Test that a server attempting to read early data can handle a connection
3096 * from a client where the early data is not acceptable.
3097 */
3098 static int test_early_data_skip(int idx)
3099 {
3100 return early_data_skip_helper(0, idx);
3101 }
3102
3103 /*
3104 * Test that a server attempting to read early data can handle a connection
3105 * from a client where an HRR occurs.
3106 */
3107 static int test_early_data_skip_hrr(int idx)
3108 {
3109 return early_data_skip_helper(1, idx);
3110 }
3111
3112 /*
3113 * Test that a server attempting to read early data can handle a connection
3114 * from a client where an HRR occurs and correctly fails if early_data is sent
3115 * after the HRR
3116 */
3117 static int test_early_data_skip_hrr_fail(int idx)
3118 {
3119 return early_data_skip_helper(2, idx);
3120 }
3121
3122 /*
3123 * Test that a server attempting to read early data will abort if it tries to
3124 * skip over too much.
3125 */
3126 static int test_early_data_skip_abort(int idx)
3127 {
3128 return early_data_skip_helper(3, idx);
3129 }
3130
3131 /*
3132 * Test that a server attempting to read early data can handle a connection
3133 * from a client that doesn't send any.
3134 */
3135 static int test_early_data_not_sent(int idx)
3136 {
3137 SSL_CTX *cctx = NULL, *sctx = NULL;
3138 SSL *clientssl = NULL, *serverssl = NULL;
3139 int testresult = 0;
3140 SSL_SESSION *sess = NULL;
3141 unsigned char buf[20];
3142 size_t readbytes, written;
3143
3144 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3145 &serverssl, &sess, idx)))
3146 goto end;
3147
3148 /* Write some data - should block due to handshake with server */
3149 SSL_set_connect_state(clientssl);
3150 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3151 goto end;
3152
3153 /* Server should detect that early data has not been sent */
3154 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3155 &readbytes),
3156 SSL_READ_EARLY_DATA_FINISH)
3157 || !TEST_size_t_eq(readbytes, 0)
3158 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3159 SSL_EARLY_DATA_NOT_SENT)
3160 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3161 SSL_EARLY_DATA_NOT_SENT))
3162 goto end;
3163
3164 /* Continue writing the message we started earlier */
3165 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3166 || !TEST_size_t_eq(written, strlen(MSG1))
3167 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3168 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3169 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3170 || !TEST_size_t_eq(written, strlen(MSG2)))
3171 goto end;
3172
3173 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3175 goto end;
3176
3177 testresult = 1;
3178
3179 end:
3180 SSL_SESSION_free(sess);
3181 SSL_SESSION_free(clientpsk);
3182 SSL_SESSION_free(serverpsk);
3183 clientpsk = serverpsk = NULL;
3184 SSL_free(serverssl);
3185 SSL_free(clientssl);
3186 SSL_CTX_free(sctx);
3187 SSL_CTX_free(cctx);
3188 return testresult;
3189 }
3190
3191 static int hostname_cb(SSL *s, int *al, void *arg)
3192 {
3193 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3194
3195 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
3196 return SSL_TLSEXT_ERR_OK;
3197
3198 return SSL_TLSEXT_ERR_NOACK;
3199 }
3200
3201 static const char *servalpn;
3202
3203 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3204 unsigned char *outlen, const unsigned char *in,
3205 unsigned int inlen, void *arg)
3206 {
3207 unsigned int protlen = 0;
3208 const unsigned char *prot;
3209
3210 for (prot = in; prot < in + inlen; prot += protlen) {
3211 protlen = *prot++;
3212 if (in + inlen < prot + protlen)
3213 return SSL_TLSEXT_ERR_NOACK;
3214
3215 if (protlen == strlen(servalpn)
3216 && memcmp(prot, servalpn, protlen) == 0) {
3217 *out = prot;
3218 *outlen = protlen;
3219 return SSL_TLSEXT_ERR_OK;
3220 }
3221 }
3222
3223 return SSL_TLSEXT_ERR_NOACK;
3224 }
3225
3226 /* Test that a PSK can be used to send early_data */
3227 static int test_early_data_psk(int idx)
3228 {
3229 SSL_CTX *cctx = NULL, *sctx = NULL;
3230 SSL *clientssl = NULL, *serverssl = NULL;
3231 int testresult = 0;
3232 SSL_SESSION *sess = NULL;
3233 unsigned char alpnlist[] = {
3234 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3235 'l', 'p', 'n'
3236 };
3237 #define GOODALPNLEN 9
3238 #define BADALPNLEN 8
3239 #define GOODALPN (alpnlist)
3240 #define BADALPN (alpnlist + GOODALPNLEN)
3241 int err = 0;
3242 unsigned char buf[20];
3243 size_t readbytes, written;
3244 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3245 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3246
3247 /* We always set this up with a final parameter of "2" for PSK */
3248 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3249 &serverssl, &sess, 2)))
3250 goto end;
3251
3252 servalpn = "goodalpn";
3253
3254 /*
3255 * Note: There is no test for inconsistent SNI with late client detection.
3256 * This is because servers do not acknowledge SNI even if they are using
3257 * it in a resumption handshake - so it is not actually possible for a
3258 * client to detect a problem.
3259 */
3260 switch (idx) {
3261 case 0:
3262 /* Set inconsistent SNI (early client detection) */
3263 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3264 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3265 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3266 goto end;
3267 break;
3268
3269 case 1:
3270 /* Set inconsistent ALPN (early client detection) */
3271 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3272 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3273 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3274 GOODALPNLEN))
3275 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3276 BADALPNLEN)))
3277 goto end;
3278 break;
3279
3280 case 2:
3281 /*
3282 * Set invalid protocol version. Technically this affects PSKs without
3283 * early_data too, but we test it here because it is similar to the
3284 * SNI/ALPN consistency tests.
3285 */
3286 err = SSL_R_BAD_PSK;
3287 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3288 goto end;
3289 break;
3290
3291 case 3:
3292 /*
3293 * Set inconsistent SNI (server detected). In this case the connection
3294 * will succeed but reject early_data.
3295 */
3296 SSL_SESSION_free(serverpsk);
3297 serverpsk = SSL_SESSION_dup(clientpsk);
3298 if (!TEST_ptr(serverpsk)
3299 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3300 goto end;
3301 edstatus = SSL_EARLY_DATA_REJECTED;
3302 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3303 /* Fall through */
3304 case 4:
3305 /* Set consistent SNI */
3306 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3307 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3308 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3309 hostname_cb)))
3310 goto end;
3311 break;
3312
3313 case 5:
3314 /*
3315 * Set inconsistent ALPN (server detected). In this case the connection
3316 * will succeed but reject early_data.
3317 */
3318 servalpn = "badalpn";
3319 edstatus = SSL_EARLY_DATA_REJECTED;
3320 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3321 /* Fall through */
3322 case 6:
3323 /*
3324 * Set consistent ALPN.
3325 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3326 * accepts a list of protos (each one length prefixed).
3327 * SSL_set1_alpn_selected accepts a single protocol (not length
3328 * prefixed)
3329 */
3330 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3331 GOODALPNLEN - 1))
3332 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3333 GOODALPNLEN)))
3334 goto end;
3335
3336 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3337 break;
3338
3339 case 7:
3340 /* Set inconsistent ALPN (late client detection) */
3341 SSL_SESSION_free(serverpsk);
3342 serverpsk = SSL_SESSION_dup(clientpsk);
3343 if (!TEST_ptr(serverpsk)
3344 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3345 BADALPN + 1,
3346 BADALPNLEN - 1))
3347 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3348 GOODALPN + 1,
3349 GOODALPNLEN - 1))
3350 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3351 sizeof(alpnlist))))
3352 goto end;
3353 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3354 edstatus = SSL_EARLY_DATA_ACCEPTED;
3355 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3356 /* SSL_connect() call should fail */
3357 connectres = -1;
3358 break;
3359
3360 default:
3361 TEST_error("Bad test index");
3362 goto end;
3363 }
3364
3365 SSL_set_connect_state(clientssl);
3366 if (err != 0) {
3367 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3368 &written))
3369 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3370 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3371 goto end;
3372 } else {
3373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3374 &written)))
3375 goto end;
3376
3377 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3378 &readbytes), readearlyres)
3379 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3380 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3381 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3382 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3383 goto end;
3384 }
3385
3386 testresult = 1;
3387
3388 end:
3389 SSL_SESSION_free(sess);
3390 SSL_SESSION_free(clientpsk);
3391 SSL_SESSION_free(serverpsk);
3392 clientpsk = serverpsk = NULL;
3393 SSL_free(serverssl);
3394 SSL_free(clientssl);
3395 SSL_CTX_free(sctx);
3396 SSL_CTX_free(cctx);
3397 return testresult;
3398 }
3399
3400 /*
3401 * Test that a server that doesn't try to read early data can handle a
3402 * client sending some.
3403 */
3404 static int test_early_data_not_expected(int idx)
3405 {
3406 SSL_CTX *cctx = NULL, *sctx = NULL;
3407 SSL *clientssl = NULL, *serverssl = NULL;
3408 int testresult = 0;
3409 SSL_SESSION *sess = NULL;
3410 unsigned char buf[20];
3411 size_t readbytes, written;
3412
3413 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3414 &serverssl, &sess, idx)))
3415 goto end;
3416
3417 /* Write some early data */
3418 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3419 &written)))
3420 goto end;
3421
3422 /*
3423 * Server should skip over early data and then block waiting for client to
3424 * continue handshake
3425 */
3426 if (!TEST_int_le(SSL_accept(serverssl), 0)
3427 || !TEST_int_gt(SSL_connect(clientssl), 0)
3428 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3429 SSL_EARLY_DATA_REJECTED)
3430 || !TEST_int_gt(SSL_accept(serverssl), 0)
3431 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3432 SSL_EARLY_DATA_REJECTED))
3433 goto end;
3434
3435 /* Send some normal data from client to server */
3436 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3437 || !TEST_size_t_eq(written, strlen(MSG2)))
3438 goto end;
3439
3440 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3441 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3442 goto end;
3443
3444 testresult = 1;
3445
3446 end:
3447 SSL_SESSION_free(sess);
3448 SSL_SESSION_free(clientpsk);
3449 SSL_SESSION_free(serverpsk);
3450 clientpsk = serverpsk = NULL;
3451 SSL_free(serverssl);
3452 SSL_free(clientssl);
3453 SSL_CTX_free(sctx);
3454 SSL_CTX_free(cctx);
3455 return testresult;
3456 }
3457
3458
3459 # ifndef OPENSSL_NO_TLS1_2
3460 /*
3461 * Test that a server attempting to read early data can handle a connection
3462 * from a TLSv1.2 client.
3463 */
3464 static int test_early_data_tls1_2(int idx)
3465 {
3466 SSL_CTX *cctx = NULL, *sctx = NULL;
3467 SSL *clientssl = NULL, *serverssl = NULL;
3468 int testresult = 0;
3469 unsigned char buf[20];
3470 size_t readbytes, written;
3471
3472 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3473 &serverssl, NULL, idx)))
3474 goto end;
3475
3476 /* Write some data - should block due to handshake with server */
3477 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3478 SSL_set_connect_state(clientssl);
3479 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3480 goto end;
3481
3482 /*
3483 * Server should do TLSv1.2 handshake. First it will block waiting for more
3484 * messages from client after ServerDone. Then SSL_read_early_data should
3485 * finish and detect that early data has not been sent
3486 */
3487 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3488 &readbytes),
3489 SSL_READ_EARLY_DATA_ERROR))
3490 goto end;
3491
3492 /*
3493 * Continue writing the message we started earlier. Will still block waiting
3494 * for the CCS/Finished from server
3495 */
3496 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3498 &readbytes),
3499 SSL_READ_EARLY_DATA_FINISH)
3500 || !TEST_size_t_eq(readbytes, 0)
3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3502 SSL_EARLY_DATA_NOT_SENT))
3503 goto end;
3504
3505 /* Continue writing the message we started earlier */
3506 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3507 || !TEST_size_t_eq(written, strlen(MSG1))
3508 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3509 SSL_EARLY_DATA_NOT_SENT)
3510 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3511 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3512 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3513 || !TEST_size_t_eq(written, strlen(MSG2))
3514 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3515 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3516 goto end;
3517
3518 testresult = 1;
3519
3520 end:
3521 SSL_SESSION_free(clientpsk);
3522 SSL_SESSION_free(serverpsk);
3523 clientpsk = serverpsk = NULL;
3524 SSL_free(serverssl);
3525 SSL_free(clientssl);
3526 SSL_CTX_free(sctx);
3527 SSL_CTX_free(cctx);
3528
3529 return testresult;
3530 }
3531 # endif /* OPENSSL_NO_TLS1_2 */
3532
3533 /*
3534 * Test configuring the TLSv1.3 ciphersuites
3535 *
3536 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3537 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3539 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3541 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3543 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3545 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3546 */
3547 static int test_set_ciphersuite(int idx)
3548 {
3549 SSL_CTX *cctx = NULL, *sctx = NULL;
3550 SSL *clientssl = NULL, *serverssl = NULL;
3551 int testresult = 0;
3552
3553 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3554 TLS1_VERSION, 0,
3555 &sctx, &cctx, cert, privkey))
3556 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3557 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3558 goto end;
3559
3560 if (idx >=4 && idx <= 7) {
3561 /* SSL_CTX explicit cipher list */
3562 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3563 goto end;
3564 }
3565
3566 if (idx == 0 || idx == 4) {
3567 /* Default ciphersuite */
3568 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3569 "TLS_AES_128_GCM_SHA256")))
3570 goto end;
3571 } else if (idx == 1 || idx == 5) {
3572 /* Non default ciphersuite */
3573 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3574 "TLS_AES_128_CCM_SHA256")))
3575 goto end;
3576 }
3577
3578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3579 &clientssl, NULL, NULL)))
3580 goto end;
3581
3582 if (idx == 8 || idx == 9) {
3583 /* SSL explicit cipher list */
3584 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3585 goto end;
3586 }
3587
3588 if (idx == 2 || idx == 6 || idx == 8) {
3589 /* Default ciphersuite */
3590 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3591 "TLS_AES_128_GCM_SHA256")))
3592 goto end;
3593 } else if (idx == 3 || idx == 7 || idx == 9) {
3594 /* Non default ciphersuite */
3595 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3596 "TLS_AES_128_CCM_SHA256")))
3597 goto end;
3598 }
3599
3600 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3601 goto end;
3602
3603 testresult = 1;
3604
3605 end:
3606 SSL_free(serverssl);
3607 SSL_free(clientssl);
3608 SSL_CTX_free(sctx);
3609 SSL_CTX_free(cctx);
3610
3611 return testresult;
3612 }
3613
3614 static int test_ciphersuite_change(void)
3615 {
3616 SSL_CTX *cctx = NULL, *sctx = NULL;
3617 SSL *clientssl = NULL, *serverssl = NULL;
3618 SSL_SESSION *clntsess = NULL;
3619 int testresult = 0;
3620 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3621
3622 /* Create a session based on SHA-256 */
3623 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3624 TLS1_VERSION, 0,
3625 &sctx, &cctx, cert, privkey))
3626 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3627 "TLS_AES_128_GCM_SHA256"))
3628 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3629 &clientssl, NULL, NULL))
3630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3631 SSL_ERROR_NONE)))
3632 goto end;
3633
3634 clntsess = SSL_get1_session(clientssl);
3635 /* Save for later */
3636 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3637 SSL_shutdown(clientssl);
3638 SSL_shutdown(serverssl);
3639 SSL_free(serverssl);
3640 SSL_free(clientssl);
3641 serverssl = clientssl = NULL;
3642
3643 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3644 /* Check we can resume a session with a different SHA-256 ciphersuite */
3645 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3646 "TLS_CHACHA20_POLY1305_SHA256"))
3647 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3648 NULL, NULL))
3649 || !TEST_true(SSL_set_session(clientssl, clntsess))
3650 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3651 SSL_ERROR_NONE))
3652 || !TEST_true(SSL_session_reused(clientssl)))
3653 goto end;
3654
3655 SSL_SESSION_free(clntsess);
3656 clntsess = SSL_get1_session(clientssl);
3657 SSL_shutdown(clientssl);
3658 SSL_shutdown(serverssl);
3659 SSL_free(serverssl);
3660 SSL_free(clientssl);
3661 serverssl = clientssl = NULL;
3662 # endif
3663
3664 /*
3665 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3666 * succeeds but does not resume.
3667 */
3668 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3669 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3670 NULL, NULL))
3671 || !TEST_true(SSL_set_session(clientssl, clntsess))
3672 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3673 SSL_ERROR_SSL))
3674 || !TEST_false(SSL_session_reused(clientssl)))
3675 goto end;
3676
3677 SSL_SESSION_free(clntsess);
3678 clntsess = NULL;
3679 SSL_shutdown(clientssl);
3680 SSL_shutdown(serverssl);
3681 SSL_free(serverssl);
3682 SSL_free(clientssl);
3683 serverssl = clientssl = NULL;
3684
3685 /* Create a session based on SHA384 */
3686 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3687 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3688 &clientssl, NULL, NULL))
3689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3690 SSL_ERROR_NONE)))
3691 goto end;
3692
3693 clntsess = SSL_get1_session(clientssl);
3694 SSL_shutdown(clientssl);
3695 SSL_shutdown(serverssl);
3696 SSL_free(serverssl);
3697 SSL_free(clientssl);
3698 serverssl = clientssl = NULL;
3699
3700 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3701 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3702 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3703 "TLS_AES_256_GCM_SHA384"))
3704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3705 NULL, NULL))
3706 || !TEST_true(SSL_set_session(clientssl, clntsess))
3707 /*
3708 * We use SSL_ERROR_WANT_READ below so that we can pause the
3709 * connection after the initial ClientHello has been sent to
3710 * enable us to make some session changes.
3711 */
3712 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3713 SSL_ERROR_WANT_READ)))
3714 goto end;
3715
3716 /* Trick the client into thinking this session is for a different digest */
3717 clntsess->cipher = aes_128_gcm_sha256;
3718 clntsess->cipher_id = clntsess->cipher->id;
3719
3720 /*
3721 * Continue the previously started connection. Server has selected a SHA-384
3722 * ciphersuite, but client thinks the session is for SHA-256, so it should
3723 * bail out.
3724 */
3725 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3726 SSL_ERROR_SSL))
3727 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3728 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3729 goto end;
3730
3731 testresult = 1;
3732
3733 end:
3734 SSL_SESSION_free(clntsess);
3735 SSL_free(serverssl);
3736 SSL_free(clientssl);
3737 SSL_CTX_free(sctx);
3738 SSL_CTX_free(cctx);
3739
3740 return testresult;
3741 }
3742
3743 /*
3744 * Test Key exchange
3745 * Test 0 = Test ECDHE Key exchange with TLSv1.3 client and server
3746 * Test 1 = Test ECDHE with TLSv1.2 client and server
3747 * Test 2 = Test FFDHE Key exchange with TLSv1.3 client and server
3748 * Test 3 = Test FFDHE with TLSv1.2 client and server
3749 * Test 4 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3750 * Test 5 = Test NID_secp384r1 with TLSv1.3 client and server
3751 * Test 6 = Test NID_secp521r1 with TLSv1.3 client and server
3752 * Test 7 = Test NID_X25519 with TLSv1.3 client and server
3753 * Test 8 = Test NID_X448 with TLSv1.3 client and server
3754 * Test 9 = Test NID_ffdhe2048 with TLSv1.3 client and server
3755 * Test 10 = Test NID_ffdhe3072 with TLSv1.3 client and server
3756 * Test 11 = Test NID_ffdhe4096 with TLSv1.3 client and server
3757 * Test 12 = Test NID_ffdhe6144 with TLSv1.3 client and server
3758 * Test 13 = Test NID_ffdhe8192 with TLSv1.3 client and server
3759 */
3760 static int test_key_exchange(int idx)
3761 {
3762 SSL_CTX *sctx = NULL, *cctx = NULL;
3763 SSL *serverssl = NULL, *clientssl = NULL;
3764 int testresult = 0;
3765 #if !defined(OPENSSL_NO_EC)
3766 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
3767 NID_X25519, NID_X448};
3768 #endif
3769 #ifndef OPENSSL_NO_DH
3770 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3771 NID_ffdhe6144, NID_ffdhe8192};
3772 #endif
3773 int kexch_alg;
3774 int *kexch_groups = &kexch_alg;
3775 int kexch_groups_size = 1;
3776 int max_version = TLS1_3_VERSION;
3777 int want_err = SSL_ERROR_NONE;
3778 int expected_err_reason = 0;
3779
3780 switch (idx) {
3781 #ifndef OPENSSL_NO_EC
3782 # ifndef OPENSSL_NO_TLS1_2
3783 case 1:
3784 max_version = TLS1_2_VERSION;
3785 # endif
3786 /* Fall through */
3787 case 0:
3788 kexch_groups = ecdhe_kexch_groups;
3789 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3790 break;
3791 case 4:
3792 kexch_alg = NID_X9_62_prime256v1;
3793 break;
3794 case 5:
3795 kexch_alg = NID_secp384r1;
3796 break;
3797 case 6:
3798 kexch_alg = NID_secp521r1;
3799 break;
3800 case 7:
3801 kexch_alg = NID_X25519;
3802 break;
3803 case 8:
3804 kexch_alg = NID_X448;
3805 break;
3806 #endif
3807 #ifndef OPENSSL_NO_DH
3808 # ifndef OPENSSL_NO_TLS1_2
3809 case 3:
3810 max_version = TLS1_2_VERSION;
3811 # endif
3812 /* Fall through */
3813 case 2:
3814 kexch_groups = ffdhe_kexch_groups;
3815 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3816 break;
3817 case 9:
3818 kexch_alg = NID_ffdhe2048;
3819 break;
3820 case 10:
3821 kexch_alg = NID_ffdhe3072;
3822 break;
3823 case 11:
3824 kexch_alg = NID_ffdhe4096;
3825 break;
3826 case 12:
3827 kexch_alg = NID_ffdhe6144;
3828 break;
3829 case 13:
3830 kexch_alg = NID_ffdhe8192;
3831 break;
3832 #endif
3833 default:
3834 /* We're skipping this test */
3835 return 1;
3836 }
3837
3838 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3839 TLS1_VERSION, max_version,
3840 &sctx, &cctx, cert, privkey)))
3841 goto end;
3842
3843 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3844 goto end;
3845
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256)))
3847 goto end;
3848
3849 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA)))
3850 goto end;
3851
3852 /*
3853 * Must include an EC ciphersuite so that we send supported groups in
3854 * TLSv1.2
3855 */
3856 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3857 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3858 TLS1_TXT_RSA_WITH_AES_128_SHA)))
3859 goto end;
3860
3861 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3862 NULL, NULL)))
3863 goto end;
3864
3865 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3866 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3867 goto end;
3868
3869 if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) {
3870 /* Fail only if no error is expected in handshake */
3871 if (expected_err_reason == 0)
3872 goto end;
3873 }
3874
3875 /* Fail if expected error is not happening for failure testcases */
3876 if (expected_err_reason != 0) {
3877 unsigned long err_code = ERR_get_error();
3878
3879 ERR_print_errors_fp(stdout);
3880 if (TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason))
3881 testresult = 1;
3882 goto end;
3883 }
3884
3885 /*
3886 * If Handshake succeeds the negotiated kexch alg should the first one in
3887 * configured, except in the case of FFDHE groups which are TLSv1.3 only
3888 * so we expect no shared group to exist.
3889 */
3890 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
3891 idx == 3 ? 0 : kexch_groups[0]))
3892 goto end;
3893 if (max_version == TLS1_3_VERSION) {
3894 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3895 goto end;
3896 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3897 goto end;
3898 }
3899
3900 testresult = 1;
3901 end:
3902 SSL_free(serverssl);
3903 SSL_free(clientssl);
3904 SSL_CTX_free(sctx);
3905 SSL_CTX_free(cctx);
3906 return testresult;
3907 }
3908
3909 /*
3910 * Test TLSv1.3 PSKs
3911 * Test 0 = Test new style callbacks
3912 * Test 1 = Test both new and old style callbacks
3913 * Test 2 = Test old style callbacks
3914 * Test 3 = Test old style callbacks with no certificate
3915 */
3916 static int test_tls13_psk(int idx)
3917 {
3918 SSL_CTX *sctx = NULL, *cctx = NULL;
3919 SSL *serverssl = NULL, *clientssl = NULL;
3920 const SSL_CIPHER *cipher = NULL;
3921 const unsigned char key[] = {
3922 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3923 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3924 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3925 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3926 };
3927 int testresult = 0;
3928
3929 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3930 TLS1_VERSION, 0,
3931 &sctx, &cctx, idx == 3 ? NULL : cert,
3932 idx == 3 ? NULL : privkey)))
3933 goto end;
3934
3935 if (idx != 3) {
3936 /*
3937 * We use a ciphersuite with SHA256 to ease testing old style PSK
3938 * callbacks which will always default to SHA256. This should not be
3939 * necessary if we have no cert/priv key. In that case the server should
3940 * prefer SHA256 automatically.
3941 */
3942 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3943 "TLS_AES_128_GCM_SHA256")))
3944 goto end;
3945 }
3946
3947 /*
3948 * Test 0: New style callbacks only
3949 * Test 1: New and old style callbacks (only the new ones should be used)
3950 * Test 2: Old style callbacks only
3951 */
3952 if (idx == 0 || idx == 1) {
3953 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3954 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3955 }
3956 #ifndef OPENSSL_NO_PSK
3957 if (idx >= 1) {
3958 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3959 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3960 }
3961 #endif
3962 srvid = pskid;
3963 use_session_cb_cnt = 0;
3964 find_session_cb_cnt = 0;
3965 psk_client_cb_cnt = 0;
3966 psk_server_cb_cnt = 0;
3967
3968 if (idx != 3) {
3969 /*
3970 * Check we can create a connection if callback decides not to send a
3971 * PSK
3972 */
3973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3974 NULL, NULL))
3975 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3976 SSL_ERROR_NONE))
3977 || !TEST_false(SSL_session_reused(clientssl))
3978 || !TEST_false(SSL_session_reused(serverssl)))
3979 goto end;
3980
3981 if (idx == 0 || idx == 1) {
3982 if (!TEST_true(use_session_cb_cnt == 1)
3983 || !TEST_true(find_session_cb_cnt == 0)
3984 /*
3985 * If no old style callback then below should be 0
3986 * otherwise 1
3987 */
3988 || !TEST_true(psk_client_cb_cnt == idx)
3989 || !TEST_true(psk_server_cb_cnt == 0))
3990 goto end;
3991 } else {
3992 if (!TEST_true(use_session_cb_cnt == 0)
3993 || !TEST_true(find_session_cb_cnt == 0)
3994 || !TEST_true(psk_client_cb_cnt == 1)
3995 || !TEST_true(psk_server_cb_cnt == 0))
3996 goto end;
3997 }
3998
3999 shutdown_ssl_connection(serverssl, clientssl);
4000 serverssl = clientssl = NULL;
4001 use_session_cb_cnt = psk_client_cb_cnt = 0;
4002 }
4003
4004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4005 NULL, NULL)))
4006 goto end;
4007
4008 /* Create the PSK */
4009 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4010 clientpsk = SSL_SESSION_new();
4011 if (!TEST_ptr(clientpsk)
4012 || !TEST_ptr(cipher)
4013 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4014 sizeof(key)))
4015 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4016 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4017 TLS1_3_VERSION))
4018 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4019 goto end;
4020 serverpsk = clientpsk;
4021
4022 /* Check we can create a connection and the PSK is used */
4023 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4024 || !TEST_true(SSL_session_reused(clientssl))
4025 || !TEST_true(SSL_session_reused(serverssl)))
4026 goto end;
4027
4028 if (idx == 0 || idx == 1) {
4029 if (!TEST_true(use_session_cb_cnt == 1)
4030 || !TEST_true(find_session_cb_cnt == 1)
4031 || !TEST_true(psk_client_cb_cnt == 0)
4032 || !TEST_true(psk_server_cb_cnt == 0))
4033 goto end;
4034 } else {
4035 if (!TEST_true(use_session_cb_cnt == 0)
4036 || !TEST_true(find_session_cb_cnt == 0)
4037 || !TEST_true(psk_client_cb_cnt == 1)
4038 || !TEST_true(psk_server_cb_cnt == 1))
4039 goto end;
4040 }
4041
4042 shutdown_ssl_connection(serverssl, clientssl);
4043 serverssl = clientssl = NULL;
4044 use_session_cb_cnt = find_session_cb_cnt = 0;
4045 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4046
4047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4048 NULL, NULL)))
4049 goto end;
4050
4051 /* Force an HRR */
4052 #if defined(OPENSSL_NO_EC)
4053 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4054 goto end;
4055 #else
4056 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4057 goto end;
4058 #endif
4059
4060 /*
4061 * Check we can create a connection, the PSK is used and the callbacks are
4062 * called twice.
4063 */
4064 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4065 || !TEST_true(SSL_session_reused(clientssl))
4066 || !TEST_true(SSL_session_reused(serverssl)))
4067 goto end;
4068
4069 if (idx == 0 || idx == 1) {
4070 if (!TEST_true(use_session_cb_cnt == 2)
4071 || !TEST_true(find_session_cb_cnt == 2)
4072 || !TEST_true(psk_client_cb_cnt == 0)
4073 || !TEST_true(psk_server_cb_cnt == 0))
4074 goto end;
4075 } else {
4076 if (!TEST_true(use_session_cb_cnt == 0)
4077 || !TEST_true(find_session_cb_cnt == 0)
4078 || !TEST_true(psk_client_cb_cnt == 2)
4079 || !TEST_true(psk_server_cb_cnt == 2))
4080 goto end;
4081 }
4082
4083 shutdown_ssl_connection(serverssl, clientssl);
4084 serverssl = clientssl = NULL;
4085 use_session_cb_cnt = find_session_cb_cnt = 0;
4086 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4087
4088 if (idx != 3) {
4089 /*
4090 * Check that if the server rejects the PSK we can still connect, but with
4091 * a full handshake
4092 */
4093 srvid = "Dummy Identity";
4094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4095 NULL, NULL))
4096 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4097 SSL_ERROR_NONE))
4098 || !TEST_false(SSL_session_reused(clientssl))
4099 || !TEST_false(SSL_session_reused(serverssl)))
4100 goto end;
4101
4102 if (idx == 0 || idx == 1) {
4103 if (!TEST_true(use_session_cb_cnt == 1)
4104 || !TEST_true(find_session_cb_cnt == 1)
4105 || !TEST_true(psk_client_cb_cnt == 0)
4106 /*
4107 * If no old style callback then below should be 0
4108 * otherwise 1
4109 */
4110 || !TEST_true(psk_server_cb_cnt == idx))
4111 goto end;
4112 } else {
4113 if (!TEST_true(use_session_cb_cnt == 0)
4114 || !TEST_true(find_session_cb_cnt == 0)
4115 || !TEST_true(psk_client_cb_cnt == 1)
4116 || !TEST_true(psk_server_cb_cnt == 1))
4117 goto end;
4118 }
4119
4120 shutdown_ssl_connection(serverssl, clientssl);
4121 serverssl = clientssl = NULL;
4122 }
4123 testresult = 1;
4124
4125 end:
4126 SSL_SESSION_free(clientpsk);
4127 SSL_SESSION_free(serverpsk);
4128 clientpsk = serverpsk = NULL;
4129 SSL_free(serverssl);
4130 SSL_free(clientssl);
4131 SSL_CTX_free(sctx);
4132 SSL_CTX_free(cctx);
4133 return testresult;
4134 }
4135
4136 static unsigned char cookie_magic_value[] = "cookie magic";
4137
4138 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4139 unsigned int *cookie_len)
4140 {
4141 /*
4142 * Not suitable as a real cookie generation function but good enough for
4143 * testing!
4144 */
4145 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4146 *cookie_len = sizeof(cookie_magic_value) - 1;
4147
4148 return 1;
4149 }
4150
4151 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4152 unsigned int cookie_len)
4153 {
4154 if (cookie_len == sizeof(cookie_magic_value) - 1
4155 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4156 return 1;
4157
4158 return 0;
4159 }
4160
4161 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4162 size_t *cookie_len)
4163 {
4164 unsigned int temp;
4165 int res = generate_cookie_callback(ssl, cookie, &temp);
4166 *cookie_len = temp;
4167 return res;
4168 }
4169
4170 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4171 size_t cookie_len)
4172 {
4173 return verify_cookie_callback(ssl, cookie, cookie_len);
4174 }
4175
4176 static int test_stateless(void)
4177 {
4178 SSL_CTX *sctx = NULL, *cctx = NULL;
4179 SSL *serverssl = NULL, *clientssl = NULL;
4180 int testresult = 0;
4181
4182 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4183 TLS1_VERSION, 0,
4184 &sctx, &cctx, cert, privkey)))
4185 goto end;
4186
4187 /* The arrival of CCS messages can confuse the test */
4188 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4189
4190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4191 NULL, NULL))
4192 /* Send the first ClientHello */
4193 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4194 SSL_ERROR_WANT_READ))
4195 /*
4196 * This should fail with a -1 return because we have no callbacks
4197 * set up
4198 */
4199 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4200 goto end;
4201
4202 /* Fatal error so abandon the connection from this client */
4203 SSL_free(clientssl);
4204 clientssl = NULL;
4205
4206 /* Set up the cookie generation and verification callbacks */
4207 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4208 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4209
4210 /*
4211 * Create a new connection from the client (we can reuse the server SSL
4212 * object).
4213 */
4214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4215 NULL, NULL))
4216 /* Send the first ClientHello */
4217 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4218 SSL_ERROR_WANT_READ))
4219 /* This should fail because there is no cookie */
4220 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4221 goto end;
4222
4223 /* Abandon the connection from this client */
4224 SSL_free(clientssl);
4225 clientssl = NULL;
4226
4227 /*
4228 * Now create a connection from a new client but with the same server SSL
4229 * object
4230 */
4231 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4232 NULL, NULL))
4233 /* Send the first ClientHello */
4234 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4235 SSL_ERROR_WANT_READ))
4236 /* This should fail because there is no cookie */
4237 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4238 /* Send the second ClientHello */
4239 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4240 SSL_ERROR_WANT_READ))
4241 /* This should succeed because a cookie is now present */
4242 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4243 /* Complete the connection */
4244 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4245 SSL_ERROR_NONE)))
4246 goto end;
4247
4248 shutdown_ssl_connection(serverssl, clientssl);
4249 serverssl = clientssl = NULL;
4250 testresult = 1;
4251
4252 end:
4253 SSL_free(serverssl);
4254 SSL_free(clientssl);
4255 SSL_CTX_free(sctx);
4256 SSL_CTX_free(cctx);
4257 return testresult;
4258
4259 }
4260 #endif /* OPENSSL_NO_TLS1_3 */
4261
4262 static int clntaddoldcb = 0;
4263 static int clntparseoldcb = 0;
4264 static int srvaddoldcb = 0;
4265 static int srvparseoldcb = 0;
4266 static int clntaddnewcb = 0;
4267 static int clntparsenewcb = 0;
4268 static int srvaddnewcb = 0;
4269 static int srvparsenewcb = 0;
4270 static int snicb = 0;
4271
4272 #define TEST_EXT_TYPE1 0xff00
4273
4274 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4275 size_t *outlen, int *al, void *add_arg)
4276 {
4277 int *server = (int *)add_arg;
4278 unsigned char *data;
4279
4280 if (SSL_is_server(s))
4281 srvaddoldcb++;
4282 else
4283 clntaddoldcb++;
4284
4285 if (*server != SSL_is_server(s)
4286 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4287 return -1;
4288
4289 *data = 1;
4290 *out = data;
4291 *outlen = sizeof(char);
4292 return 1;
4293 }
4294
4295 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4296 void *add_arg)
4297 {
4298 OPENSSL_free((unsigned char *)out);
4299 }
4300
4301 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4302 size_t inlen, int *al, void *parse_arg)
4303 {
4304 int *server = (int *)parse_arg;
4305
4306 if (SSL_is_server(s))
4307 srvparseoldcb++;
4308 else
4309 clntparseoldcb++;
4310
4311 if (*server != SSL_is_server(s)
4312 || inlen != sizeof(char)
4313 || *in != 1)
4314 return -1;
4315
4316 return 1;
4317 }
4318
4319 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4320 const unsigned char **out, size_t *outlen, X509 *x,
4321 size_t chainidx, int *al, void *add_arg)
4322 {
4323 int *server = (int *)add_arg;
4324 unsigned char *data;
4325
4326 if (SSL_is_server(s))
4327 srvaddnewcb++;
4328 else
4329 clntaddnewcb++;
4330
4331 if (*server != SSL_is_server(s)
4332 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4333 return -1;
4334
4335 *data = 1;
4336 *out = data;
4337 *outlen = sizeof(*data);
4338 return 1;
4339 }
4340
4341 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4342 const unsigned char *out, void *add_arg)
4343 {
4344 OPENSSL_free((unsigned char *)out);
4345 }
4346
4347 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4348 const unsigned char *in, size_t inlen, X509 *x,
4349 size_t chainidx, int *al, void *parse_arg)
4350 {
4351 int *server = (int *)parse_arg;
4352
4353 if (SSL_is_server(s))
4354 srvparsenewcb++;
4355 else
4356 clntparsenewcb++;
4357
4358 if (*server != SSL_is_server(s)
4359 || inlen != sizeof(char) || *in != 1)
4360 return -1;
4361
4362 return 1;
4363 }
4364
4365 static int sni_cb(SSL *s, int *al, void *arg)
4366 {
4367 SSL_CTX *ctx = (SSL_CTX *)arg;
4368
4369 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4370 *al = SSL_AD_INTERNAL_ERROR;
4371 return SSL_TLSEXT_ERR_ALERT_FATAL;
4372 }
4373 snicb++;
4374 return SSL_TLSEXT_ERR_OK;
4375 }
4376
4377 /*
4378 * Custom call back tests.
4379 * Test 0: Old style callbacks in TLSv1.2
4380 * Test 1: New style callbacks in TLSv1.2
4381 * Test 2: New style callbacks in TLSv1.2 with SNI
4382 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4383 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4384 */
4385 static int test_custom_exts(int tst)
4386 {
4387 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4388 SSL *clientssl = NULL, *serverssl = NULL;
4389 int testresult = 0;
4390 static int server = 1;
4391 static int client = 0;
4392 SSL_SESSION *sess = NULL;
4393 unsigned int context;
4394
4395 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4396 /* Skip tests for TLSv1.2 and below in this case */
4397 if (tst < 3)
4398 return 1;
4399 #endif
4400
4401 /* Reset callback counters */
4402 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4403 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4404 snicb = 0;
4405
4406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4407 TLS1_VERSION, 0,
4408 &sctx, &cctx, cert, privkey)))
4409 goto end;
4410
4411 if (tst == 2
4412 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4413 TLS1_VERSION, 0,
4414 &sctx2, NULL, cert, privkey)))
4415 goto end;
4416
4417
4418 if (tst < 3) {
4419 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4420 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4421 if (sctx2 != NULL)
4422 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4423 }
4424
4425 if (tst == 4) {
4426 context = SSL_EXT_CLIENT_HELLO
4427 | SSL_EXT_TLS1_2_SERVER_HELLO
4428 | SSL_EXT_TLS1_3_SERVER_HELLO
4429 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4430 | SSL_EXT_TLS1_3_CERTIFICATE
4431 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4432 } else {
4433 context = SSL_EXT_CLIENT_HELLO
4434 | SSL_EXT_TLS1_2_SERVER_HELLO
4435 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4436 }
4437
4438 /* Create a client side custom extension */
4439 if (tst == 0) {
4440 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4441 old_add_cb, old_free_cb,
4442 &client, old_parse_cb,
4443 &client)))
4444 goto end;
4445 } else {
4446 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4447 new_add_cb, new_free_cb,
4448 &client, new_parse_cb, &client)))
4449 goto end;
4450 }
4451
4452 /* Should not be able to add duplicates */
4453 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4454 old_add_cb, old_free_cb,
4455 &client, old_parse_cb,
4456 &client))
4457 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4458 context, new_add_cb,
4459 new_free_cb, &client,
4460 new_parse_cb, &client)))
4461 goto end;
4462
4463 /* Create a server side custom extension */
4464 if (tst == 0) {
4465 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4466 old_add_cb, old_free_cb,
4467 &server, old_parse_cb,
4468 &server)))
4469 goto end;
4470 } else {
4471 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4472 new_add_cb, new_free_cb,
4473 &server, new_parse_cb, &server)))
4474 goto end;
4475 if (sctx2 != NULL
4476 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4477 context, new_add_cb,
4478 new_free_cb, &server,
4479 new_parse_cb, &server)))
4480 goto end;
4481 }
4482
4483 /* Should not be able to add duplicates */
4484 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4485 old_add_cb, old_free_cb,
4486 &server, old_parse_cb,
4487 &server))
4488 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4489 context, new_add_cb,
4490 new_free_cb, &server,
4491 new_parse_cb, &server)))
4492 goto end;
4493
4494 if (tst == 2) {
4495 /* Set up SNI */
4496 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4497 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4498 goto end;
4499 }
4500
4501 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4502 &clientssl, NULL, NULL))
4503 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4504 SSL_ERROR_NONE)))
4505 goto end;
4506
4507 if (tst == 0) {
4508 if (clntaddoldcb != 1
4509 || clntparseoldcb != 1
4510 || srvaddoldcb != 1
4511 || srvparseoldcb != 1)
4512 goto end;
4513 } else if (tst == 1 || tst == 2 || tst == 3) {
4514 if (clntaddnewcb != 1
4515 || clntparsenewcb != 1
4516 || srvaddnewcb != 1
4517 || srvparsenewcb != 1
4518 || (tst != 2 && snicb != 0)
4519 || (tst == 2 && snicb != 1))
4520 goto end;
4521 } else {
4522 /* In this case there 2 NewSessionTicket messages created */
4523 if (clntaddnewcb != 1
4524 || clntparsenewcb != 5
4525 || srvaddnewcb != 5
4526 || srvparsenewcb != 1)
4527 goto end;
4528 }
4529
4530 sess = SSL_get1_session(clientssl);
4531 SSL_shutdown(clientssl);
4532 SSL_shutdown(serverssl);
4533 SSL_free(serverssl);
4534 SSL_free(clientssl);
4535 serverssl = clientssl = NULL;
4536
4537 if (tst == 3) {
4538 /* We don't bother with the resumption aspects for this test */
4539 testresult = 1;
4540 goto end;
4541 }
4542
4543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4544 NULL, NULL))
4545 || !TEST_true(SSL_set_session(clientssl, sess))
4546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4547 SSL_ERROR_NONE)))
4548 goto end;
4549
4550 /*
4551 * For a resumed session we expect to add the ClientHello extension. For the
4552 * old style callbacks we ignore it on the server side because they set
4553 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4554 * them.
4555 */
4556 if (tst == 0) {
4557 if (clntaddoldcb != 2
4558 || clntparseoldcb != 1
4559 || srvaddoldcb != 1
4560 || srvparseoldcb != 1)
4561 goto end;
4562 } else if (tst == 1 || tst == 2 || tst == 3) {
4563 if (clntaddnewcb != 2
4564 || clntparsenewcb != 2
4565 || srvaddnewcb != 2
4566 || srvparsenewcb != 2)
4567 goto end;
4568 } else {
4569 /*
4570 * No Certificate message extensions in the resumption handshake,
4571 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4572 */
4573 if (clntaddnewcb != 2
4574 || clntparsenewcb != 8
4575 || srvaddnewcb != 8
4576 || srvparsenewcb != 2)
4577 goto end;
4578 }
4579
4580 testresult = 1;
4581
4582 end:
4583 SSL_SESSION_free(sess);
4584 SSL_free(serverssl);
4585 SSL_free(clientssl);
4586 SSL_CTX_free(sctx2);
4587 SSL_CTX_free(sctx);
4588 SSL_CTX_free(cctx);
4589 return testresult;
4590 }
4591
4592 /*
4593 * Test loading of serverinfo data in various formats. test_sslmessages actually
4594 * tests to make sure the extensions appear in the handshake
4595 */
4596 static int test_serverinfo(int tst)
4597 {
4598 unsigned int version;
4599 unsigned char *sibuf;
4600 size_t sibuflen;
4601 int ret, expected, testresult = 0;
4602 SSL_CTX *ctx;
4603
4604 ctx = SSL_CTX_new(TLS_method());
4605 if (!TEST_ptr(ctx))
4606 goto end;
4607
4608 if ((tst & 0x01) == 0x01)
4609 version = SSL_SERVERINFOV2;
4610 else
4611 version = SSL_SERVERINFOV1;
4612
4613 if ((tst & 0x02) == 0x02) {
4614 sibuf = serverinfov2;
4615 sibuflen = sizeof(serverinfov2);
4616 expected = (version == SSL_SERVERINFOV2);
4617 } else {
4618 sibuf = serverinfov1;
4619 sibuflen = sizeof(serverinfov1);
4620 expected = (version == SSL_SERVERINFOV1);
4621 }
4622
4623 if ((tst & 0x04) == 0x04) {
4624 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4625 } else {
4626 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4627
4628 /*
4629 * The version variable is irrelevant in this case - it's what is in the
4630 * buffer that matters
4631 */
4632 if ((tst & 0x02) == 0x02)
4633 expected = 0;
4634 else
4635 expected = 1;
4636 }
4637
4638 if (!TEST_true(ret == expected))
4639 goto end;
4640
4641 testresult = 1;
4642
4643 end:
4644 SSL_CTX_free(ctx);
4645
4646 return testresult;
4647 }
4648
4649 /*
4650 * Test that SSL_export_keying_material() produces expected results. There are
4651 * no test vectors so all we do is test that both sides of the communication
4652 * produce the same results for different protocol versions.
4653 */
4654 #define SMALL_LABEL_LEN 10
4655 #define LONG_LABEL_LEN 249
4656 static int test_export_key_mat(int tst)
4657 {
4658 int testresult = 0;
4659 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4660 SSL *clientssl = NULL, *serverssl = NULL;
4661 const char label[LONG_LABEL_LEN + 1] = "test label";
4662 const unsigned char context[] = "context";
4663 const unsigned char *emptycontext = NULL;
4664 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4665 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4666 size_t labellen;
4667 const int protocols[] = {
4668 TLS1_VERSION,
4669 TLS1_1_VERSION,
4670 TLS1_2_VERSION,
4671 TLS1_3_VERSION,
4672 TLS1_3_VERSION,
4673 TLS1_3_VERSION
4674 };
4675
4676 #ifdef OPENSSL_NO_TLS1
4677 if (tst == 0)
4678 return 1;
4679 #endif
4680 #ifdef OPENSSL_NO_TLS1_1
4681 if (tst == 1)
4682 return 1;
4683 #endif
4684 #ifdef OPENSSL_NO_TLS1_2
4685 if (tst == 2)
4686 return 1;
4687 #endif
4688 #ifdef OPENSSL_NO_TLS1_3
4689 if (tst >= 3)
4690 return 1;
4691 #endif
4692 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4693 TLS1_VERSION, 0,
4694 &sctx, &cctx, cert, privkey)))
4695 goto end;
4696
4697 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4698 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4699 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4700
4701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4702 NULL))
4703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4704 SSL_ERROR_NONE)))
4705 goto end;
4706
4707 if (tst == 5) {
4708 /*
4709 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4710 * go over that.
4711 */
4712 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4713 sizeof(ckeymat1), label,
4714 LONG_LABEL_LEN + 1, context,
4715 sizeof(context) - 1, 1), 0))
4716 goto end;
4717
4718 testresult = 1;
4719 goto end;
4720 } else if (tst == 4) {
4721 labellen = LONG_LABEL_LEN;
4722 } else {
4723 labellen = SMALL_LABEL_LEN;
4724 }
4725
4726 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4727 sizeof(ckeymat1), label,
4728 labellen, context,
4729 sizeof(context) - 1, 1), 1)
4730 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4731 sizeof(ckeymat2), label,
4732 labellen,
4733 emptycontext,
4734 0, 1), 1)
4735 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4736 sizeof(ckeymat3), label,
4737 labellen,
4738 NULL, 0, 0), 1)
4739 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4740 sizeof(skeymat1), label,
4741 labellen,
4742 context,
4743 sizeof(context) -1, 1),
4744 1)
4745 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4746 sizeof(skeymat2), label,
4747 labellen,
4748 emptycontext,
4749 0, 1), 1)
4750 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4751 sizeof(skeymat3), label,
4752 labellen,
4753 NULL, 0, 0), 1)
4754 /*
4755 * Check that both sides created the same key material with the
4756 * same context.
4757 */
4758 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4759 sizeof(skeymat1))
4760 /*
4761 * Check that both sides created the same key material with an
4762 * empty context.
4763 */
4764 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4765 sizeof(skeymat2))
4766 /*
4767 * Check that both sides created the same key material without a
4768 * context.
4769 */
4770 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4771 sizeof(skeymat3))
4772 /* Different contexts should produce different results */
4773 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4774 sizeof(ckeymat2)))
4775 goto end;
4776
4777 /*
4778 * Check that an empty context and no context produce different results in
4779 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4780 */
4781 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4782 sizeof(ckeymat3)))
4783 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4784 sizeof(ckeymat3))))
4785 goto end;
4786
4787 testresult = 1;
4788
4789 end:
4790 SSL_free(serverssl);
4791 SSL_free(clientssl);
4792 SSL_CTX_free(sctx2);
4793 SSL_CTX_free(sctx);
4794 SSL_CTX_free(cctx);
4795
4796 return testresult;
4797 }
4798
4799 #ifndef OPENSSL_NO_TLS1_3
4800 /*
4801 * Test that SSL_export_keying_material_early() produces expected
4802 * results. There are no test vectors so all we do is test that both
4803 * sides of the communication produce the same results for different
4804 * protocol versions.
4805 */
4806 static int test_export_key_mat_early(int idx)
4807 {
4808 static const char label[] = "test label";
4809 static const unsigned char context[] = "context";
4810 int testresult = 0;
4811 SSL_CTX *cctx = NULL, *sctx = NULL;
4812 SSL *clientssl = NULL, *serverssl = NULL;
4813 SSL_SESSION *sess = NULL;
4814 const unsigned char *emptycontext = NULL;
4815 unsigned char ckeymat1[80], ckeymat2[80];
4816 unsigned char skeymat1[80], skeymat2[80];
4817 unsigned char buf[1];
4818 size_t readbytes, written;
4819
4820 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4821 &sess, idx)))
4822 goto end;
4823
4824 /* Here writing 0 length early data is enough. */
4825 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4826 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4827 &readbytes),
4828 SSL_READ_EARLY_DATA_ERROR)
4829 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4830 SSL_EARLY_DATA_ACCEPTED))
4831 goto end;
4832
4833 if (!TEST_int_eq(SSL_export_keying_material_early(
4834 clientssl, ckeymat1, sizeof(ckeymat1), label,
4835 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4836 || !TEST_int_eq(SSL_export_keying_material_early(
4837 clientssl, ckeymat2, sizeof(ckeymat2), label,
4838 sizeof(label) - 1, emptycontext, 0), 1)
4839 || !TEST_int_eq(SSL_export_keying_material_early(
4840 serverssl, skeymat1, sizeof(skeymat1), label,
4841 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4842 || !TEST_int_eq(SSL_export_keying_material_early(
4843 serverssl, skeymat2, sizeof(skeymat2), label,
4844 sizeof(label) - 1, emptycontext, 0), 1)
4845 /*
4846 * Check that both sides created the same key material with the
4847 * same context.
4848 */
4849 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4850 sizeof(skeymat1))
4851 /*
4852 * Check that both sides created the same key material with an
4853 * empty context.
4854 */
4855 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4856 sizeof(skeymat2))
4857 /* Different contexts should produce different results */
4858 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4859 sizeof(ckeymat2)))
4860 goto end;
4861
4862 testresult = 1;
4863
4864 end:
4865 SSL_SESSION_free(sess);
4866 SSL_SESSION_free(clientpsk);
4867 SSL_SESSION_free(serverpsk);
4868 clientpsk = serverpsk = NULL;
4869 SSL_free(serverssl);
4870 SSL_free(clientssl);
4871 SSL_CTX_free(sctx);
4872 SSL_CTX_free(cctx);
4873
4874 return testresult;
4875 }
4876
4877 #define NUM_KEY_UPDATE_MESSAGES 40
4878 /*
4879 * Test KeyUpdate.
4880 */
4881 static int test_key_update(void)
4882 {
4883 SSL_CTX *cctx = NULL, *sctx = NULL;
4884 SSL *clientssl = NULL, *serverssl = NULL;
4885 int testresult = 0, i, j;
4886 char buf[20];
4887 static char *mess = "A test message";
4888
4889 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4890 TLS_client_method(),
4891 TLS1_3_VERSION,
4892 0,
4893 &sctx, &cctx, cert, privkey))
4894 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4895 NULL, NULL))
4896 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4897 SSL_ERROR_NONE)))
4898 goto end;
4899
4900 for (j = 0; j < 2; j++) {
4901 /* Send lots of KeyUpdate messages */
4902 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4903 if (!TEST_true(SSL_key_update(clientssl,
4904 (j == 0)
4905 ? SSL_KEY_UPDATE_NOT_REQUESTED
4906 : SSL_KEY_UPDATE_REQUESTED))
4907 || !TEST_true(SSL_do_handshake(clientssl)))
4908 goto end;
4909 }
4910
4911 /* Check that sending and receiving app data is ok */
4912 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4913 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4914 strlen(mess)))
4915 goto end;
4916
4917 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4918 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4919 strlen(mess)))
4920 goto end;
4921 }
4922
4923 testresult = 1;
4924
4925 end:
4926 SSL_free(serverssl);
4927 SSL_free(clientssl);
4928 SSL_CTX_free(sctx);
4929 SSL_CTX_free(cctx);
4930
4931 return testresult;
4932 }
4933
4934 /*
4935 * Test we can handle a KeyUpdate (update requested) message while write data
4936 * is pending.
4937 * Test 0: Client sends KeyUpdate while Server is writing
4938 * Test 1: Server sends KeyUpdate while Client is writing
4939 */
4940 static int test_key_update_in_write(int tst)
4941 {
4942 SSL_CTX *cctx = NULL, *sctx = NULL;
4943 SSL *clientssl = NULL, *serverssl = NULL;
4944 int testresult = 0;
4945 char buf[20];
4946 static char *mess = "A test message";
4947 BIO *bretry = BIO_new(bio_s_always_retry());
4948 BIO *tmp = NULL;
4949 SSL *peerupdate = NULL, *peerwrite = NULL;
4950
4951 if (!TEST_ptr(bretry)
4952 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4953 TLS_client_method(),
4954 TLS1_3_VERSION,
4955 0,
4956 &sctx, &cctx, cert, privkey))
4957 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4958 NULL, NULL))
4959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4960 SSL_ERROR_NONE)))
4961 goto end;
4962
4963 peerupdate = tst == 0 ? clientssl : serverssl;
4964 peerwrite = tst == 0 ? serverssl : clientssl;
4965
4966 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4967 || !TEST_true(SSL_do_handshake(peerupdate)))
4968 goto end;
4969
4970 /* Swap the writing endpoint's write BIO to force a retry */
4971 tmp = SSL_get_wbio(peerwrite);
4972 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4973 tmp = NULL;
4974 goto end;
4975 }
4976 SSL_set0_wbio(peerwrite, bretry);
4977 bretry = NULL;
4978
4979 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4980 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4981 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4982 goto end;
4983
4984 /* Reinstate the original writing endpoint's write BIO */
4985 SSL_set0_wbio(peerwrite, tmp);
4986 tmp = NULL;
4987
4988 /* Now read some data - we will read the key update */
4989 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4990 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4991 goto end;
4992
4993 /*
4994 * Complete the write we started previously and read it from the other
4995 * endpoint
4996 */
4997 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4998 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4999 goto end;
5000
5001 /* Write more data to ensure we send the KeyUpdate message back */
5002 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5003 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5004 goto end;
5005
5006 testresult = 1;
5007
5008 end:
5009 SSL_free(serverssl);
5010 SSL_free(clientssl);
5011 SSL_CTX_free(sctx);
5012 SSL_CTX_free(cctx);
5013 BIO_free(bretry);
5014 BIO_free(tmp);
5015
5016 return testresult;
5017 }
5018 #endif /* OPENSSL_NO_TLS1_3 */
5019
5020 static int test_ssl_clear(int idx)
5021 {
5022 SSL_CTX *cctx = NULL, *sctx = NULL;
5023 SSL *clientssl = NULL, *serverssl = NULL;
5024 int testresult = 0;
5025
5026 #ifdef OPENSSL_NO_TLS1_2
5027 if (idx == 1)
5028 return 1;
5029 #endif
5030
5031 /* Create an initial connection */
5032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5033 TLS1_VERSION, 0,
5034 &sctx, &cctx, cert, privkey))
5035 || (idx == 1
5036 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5037 TLS1_2_VERSION)))
5038 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5039 &clientssl, NULL, NULL))
5040 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5041 SSL_ERROR_NONE)))
5042 goto end;
5043
5044 SSL_shutdown(clientssl);
5045 SSL_shutdown(serverssl);
5046 SSL_free(serverssl);
5047 serverssl = NULL;
5048
5049 /* Clear clientssl - we're going to reuse the object */
5050 if (!TEST_true(SSL_clear(clientssl)))
5051 goto end;
5052
5053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5054 NULL, NULL))
5055 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5056 SSL_ERROR_NONE))
5057 || !TEST_true(SSL_session_reused(clientssl)))
5058 goto end;
5059
5060 SSL_shutdown(clientssl);
5061 SSL_shutdown(serverssl);
5062
5063 testresult = 1;
5064
5065 end:
5066 SSL_free(serverssl);
5067 SSL_free(clientssl);
5068 SSL_CTX_free(sctx);
5069 SSL_CTX_free(cctx);
5070
5071 return testresult;
5072 }
5073
5074 /* Parse CH and retrieve any MFL extension value if present */
5075 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5076 {
5077 long len;
5078 unsigned char *data;
5079 PACKET pkt, pkt2, pkt3;
5080 unsigned int MFL_code = 0, type = 0;
5081
5082 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5083 goto end;
5084
5085 memset(&pkt, 0, sizeof(pkt));
5086 memset(&pkt2, 0, sizeof(pkt2));
5087 memset(&pkt3, 0, sizeof(pkt3));
5088
5089 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5090 /* Skip the record header */
5091 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5092 /* Skip the handshake message header */
5093 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5094 /* Skip client version and random */
5095 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5096 + SSL3_RANDOM_SIZE))
5097 /* Skip session id */
5098 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5099 /* Skip ciphers */
5100 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5101 /* Skip compression */
5102 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5103 /* Extensions len */
5104 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5105 goto end;
5106
5107 /* Loop through all extensions */
5108 while (PACKET_remaining(&pkt2)) {
5109 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5110 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5111 goto end;
5112
5113 if (type == TLSEXT_TYPE_max_fragment_length) {
5114 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5115 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5116 goto end;
5117
5118 *mfl_codemfl_code = MFL_code;
5119 return 1;
5120 }
5121 }
5122
5123 end:
5124 return 0;
5125 }
5126
5127 /* Maximum-Fragment-Length TLS extension mode to test */
5128 static const unsigned char max_fragment_len_test[] = {
5129 TLSEXT_max_fragment_length_512,
5130 TLSEXT_max_fragment_length_1024,
5131 TLSEXT_max_fragment_length_2048,
5132 TLSEXT_max_fragment_length_4096
5133 };
5134
5135 static int test_max_fragment_len_ext(int idx_tst)
5136 {
5137 SSL_CTX *ctx;
5138 SSL *con = NULL;
5139 int testresult = 0, MFL_mode = 0;
5140 BIO *rbio, *wbio;
5141
5142 ctx = SSL_CTX_new(TLS_method());
5143 if (!TEST_ptr(ctx))
5144 goto end;
5145
5146 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5147 ctx, max_fragment_len_test[idx_tst])))
5148 goto end;
5149
5150 con = SSL_new(ctx);
5151 if (!TEST_ptr(con))
5152 goto end;
5153
5154 rbio = BIO_new(BIO_s_mem());
5155 wbio = BIO_new(BIO_s_mem());
5156 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5157 BIO_free(rbio);
5158 BIO_free(wbio);
5159 goto end;
5160 }
5161
5162 SSL_set_bio(con, rbio, wbio);
5163 SSL_set_connect_state(con);
5164
5165 if (!TEST_int_le(SSL_connect(con), 0)) {
5166 /* This shouldn't succeed because we don't have a server! */
5167 goto end;
5168 }
5169
5170 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5171 /* no MFL in client hello */
5172 goto end;
5173 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5174 goto end;
5175
5176 testresult = 1;
5177
5178 end:
5179 SSL_free(con);
5180 SSL_CTX_free(ctx);
5181
5182 return testresult;
5183 }
5184
5185 #ifndef OPENSSL_NO_TLS1_3
5186 static int test_pha_key_update(void)
5187 {
5188 SSL_CTX *cctx = NULL, *sctx = NULL;
5189 SSL *clientssl = NULL, *serverssl = NULL;
5190 int testresult = 0;
5191
5192 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5193 TLS1_VERSION, 0,
5194 &sctx, &cctx, cert, privkey)))
5195 return 0;
5196
5197 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5198 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5199 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5200 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5201 goto end;
5202
5203 SSL_CTX_set_post_handshake_auth(cctx, 1);
5204
5205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5206 NULL, NULL)))
5207 goto end;
5208
5209 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5210 SSL_ERROR_NONE)))
5211 goto end;
5212
5213 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5214 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5215 goto end;
5216
5217 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5218 goto end;
5219
5220 /* Start handshake on the server */
5221 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5222 goto end;
5223
5224 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5225 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5226 SSL_ERROR_NONE)))
5227 goto end;
5228
5229 SSL_shutdown(clientssl);
5230 SSL_shutdown(serverssl);
5231
5232 testresult = 1;
5233
5234 end:
5235 SSL_free(serverssl);
5236 SSL_free(clientssl);
5237 SSL_CTX_free(sctx);
5238 SSL_CTX_free(cctx);
5239 return testresult;
5240 }
5241 #endif
5242
5243 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5244
5245 static SRP_VBASE *vbase = NULL;
5246
5247 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5248 {
5249 int ret = SSL3_AL_FATAL;
5250 char *username;
5251 SRP_user_pwd *user = NULL;
5252
5253 username = SSL_get_srp_username(s);
5254 if (username == NULL) {
5255 *ad = SSL_AD_INTERNAL_ERROR;
5256 goto err;
5257 }
5258
5259 user = SRP_VBASE_get1_by_user(vbase, username);
5260 if (user == NULL) {
5261 *ad = SSL_AD_INTERNAL_ERROR;
5262 goto err;
5263 }
5264
5265 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5266 user->info) <= 0) {
5267 *ad = SSL_AD_INTERNAL_ERROR;
5268 goto err;
5269 }
5270
5271 ret = 0;
5272
5273 err:
5274 SRP_user_pwd_free(user);
5275 return ret;
5276 }
5277
5278 static int create_new_vfile(char *userid, char *password, const char *filename)
5279 {
5280 char *gNid = NULL;
5281 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5282 TXT_DB *db = NULL;
5283 int ret = 0;
5284 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5285 size_t i;
5286
5287 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5288 goto end;
5289
5290 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5291 &row[DB_srpverifier], NULL, NULL);
5292 if (!TEST_ptr(gNid))
5293 goto end;
5294
5295 /*
5296 * The only way to create an empty TXT_DB is to provide a BIO with no data
5297 * in it!
5298 */
5299 db = TXT_DB_read(dummy, DB_NUMBER);
5300 if (!TEST_ptr(db))
5301 goto end;
5302
5303 out = BIO_new_file(filename, "w");
5304 if (!TEST_ptr(out))
5305 goto end;
5306
5307 row[DB_srpid] = OPENSSL_strdup(userid);
5308 row[DB_srptype] = OPENSSL_strdup("V");
5309 row[DB_srpgN] = OPENSSL_strdup(gNid);
5310
5311 if (!TEST_ptr(row[DB_srpid])
5312 || !TEST_ptr(row[DB_srptype])
5313 || !TEST_ptr(row[DB_srpgN])
5314 || !TEST_true(TXT_DB_insert(db, row)))
5315 goto end;
5316
5317 row = NULL;
5318
5319 if (!TXT_DB_write(out, db))
5320 goto end;
5321
5322 ret = 1;
5323 end:
5324 if (row != NULL) {
5325 for (i = 0; i < DB_NUMBER; i++)
5326 OPENSSL_free(row[i]);
5327 }
5328 OPENSSL_free(row);
5329 BIO_free(dummy);
5330 BIO_free(out);
5331 TXT_DB_free(db);
5332
5333 return ret;
5334 }
5335
5336 static int create_new_vbase(char *userid, char *password)
5337 {
5338 BIGNUM *verifier = NULL, *salt = NULL;
5339 const SRP_gN *lgN = NULL;
5340 SRP_user_pwd *user_pwd = NULL;
5341 int ret = 0;
5342
5343 lgN = SRP_get_default_gN(NULL);
5344 if (!TEST_ptr(lgN))
5345 goto end;
5346
5347 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5348 lgN->N, lgN->g)))
5349 goto end;
5350
5351 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5352 if (!TEST_ptr(user_pwd))
5353 goto end;
5354
5355 user_pwd->N = lgN->N;
5356 user_pwd->g = lgN->g;
5357 user_pwd->id = OPENSSL_strdup(userid);
5358 if (!TEST_ptr(user_pwd->id))
5359 goto end;
5360
5361 user_pwd->v = verifier;
5362 user_pwd->s = salt;
5363 verifier = salt = NULL;
5364
5365 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5366 goto end;
5367 user_pwd = NULL;
5368
5369 ret = 1;
5370 end:
5371 SRP_user_pwd_free(user_pwd);
5372 BN_free(salt);
5373 BN_free(verifier);
5374
5375 return ret;
5376 }
5377
5378 /*
5379 * SRP tests
5380 *
5381 * Test 0: Simple successful SRP connection, new vbase
5382 * Test 1: Connection failure due to bad password, new vbase
5383 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5384 * Test 3: Connection failure due to bad password, vbase loaded from existing
5385 * file
5386 * Test 4: Simple successful SRP connection, vbase loaded from new file
5387 * Test 5: Connection failure due to bad password, vbase loaded from new file
5388 */
5389 static int test_srp(int tst)
5390 {
5391 char *userid = "test", *password = "password", *tstsrpfile;
5392 SSL_CTX *cctx = NULL, *sctx = NULL;
5393 SSL *clientssl = NULL, *serverssl = NULL;
5394 int ret, testresult = 0;
5395
5396 vbase = SRP_VBASE_new(NULL);
5397 if (!TEST_ptr(vbase))
5398 goto end;
5399
5400 if (tst == 0 || tst == 1) {
5401 if (!TEST_true(create_new_vbase(userid, password)))
5402 goto end;
5403 } else {
5404 if (tst == 4 || tst == 5) {
5405 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5406 goto end;
5407 tstsrpfile = tmpfilename;
5408 } else {
5409 tstsrpfile = srpvfile;
5410 }
5411 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5412 goto end;
5413 }
5414
5415 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5416 TLS1_VERSION, 0,
5417 &sctx, &cctx, cert, privkey)))
5418 goto end;
5419
5420 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5421 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5422 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5423 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5424 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5425 goto end;
5426
5427 if (tst % 2 == 1) {
5428 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5429 goto end;
5430 } else {
5431 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5432 goto end;
5433 }
5434
5435 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5436 NULL, NULL)))
5437 goto end;
5438
5439 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5440 if (ret) {
5441 if (!TEST_true(tst % 2 == 0))
5442 goto end;
5443 } else {
5444 if (!TEST_true(tst % 2 == 1))
5445 goto end;
5446 }
5447
5448 testresult = 1;
5449
5450 end:
5451 SRP_VBASE_free(vbase);
5452 vbase = NULL;
5453 SSL_free(serverssl);
5454 SSL_free(clientssl);
5455 SSL_CTX_free(sctx);
5456 SSL_CTX_free(cctx);
5457
5458 return testresult;
5459 }
5460 #endif
5461
5462 static int info_cb_failed = 0;
5463 static int info_cb_offset = 0;
5464 static int info_cb_this_state = -1;
5465
5466 static struct info_cb_states_st {
5467 int where;
5468 const char *statestr;
5469 } info_cb_states[][60] = {
5470 {
5471 /* TLSv1.2 server followed by resumption */
5472 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5473 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5474 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5475 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5476 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5477 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5478 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5479 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5480 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5481 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5482 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5483 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5484 {SSL_CB_EXIT, NULL}, {0, NULL},
5485 }, {
5486 /* TLSv1.2 client followed by resumption */
5487 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5488 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5489 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5490 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5491 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5492 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5493 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5494 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5495 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5496 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5497 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5498 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5499 }, {
5500 /* TLSv1.3 server followed by resumption */
5501 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5502 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5503 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5504 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5505 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5506 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5507 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5508 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5509 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5510 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5511 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5512 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5513 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5514 }, {
5515 /* TLSv1.3 client followed by resumption */
5516 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5517 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5518 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5519 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5520 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5521 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5522 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5523 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5524 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5525 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5526 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5527 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5528 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5529 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5530 {SSL_CB_EXIT, NULL}, {0, NULL},
5531 }, {
5532 /* TLSv1.3 server, early_data */
5533 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5534 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5535 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5536 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5537 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5538 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5539 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5540 {SSL_CB_EXIT, NULL}, {0, NULL},
5541 }, {
5542 /* TLSv1.3 client, early_data */
5543 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5544 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5545 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5546 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5547 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5548 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5549 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5550 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5551 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5552 }, {
5553 {0, NULL},
5554 }
5555 };
5556
5557 static void sslapi_info_callback(const SSL *s, int where, int ret)
5558 {
5559 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5560
5561 /* We do not ever expect a connection to fail in this test */
5562 if (!TEST_false(ret == 0)) {
5563 info_cb_failed = 1;
5564 return;
5565 }
5566
5567 /*
5568 * Do some sanity checks. We never expect these things to happen in this
5569 * test
5570 */
5571 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5572 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5573 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5574 info_cb_failed = 1;
5575 return;
5576 }
5577
5578 /* Now check we're in the right state */
5579 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5580 info_cb_failed = 1;
5581 return;
5582 }
5583 if ((where & SSL_CB_LOOP) != 0
5584 && !TEST_int_eq(strcmp(SSL_state_string(s),
5585 state[info_cb_this_state].statestr), 0)) {
5586 info_cb_failed = 1;
5587 return;
5588 }
5589
5590 /*
5591 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5592 */
5593 if ((where & SSL_CB_HANDSHAKE_DONE)
5594 && SSL_in_init((SSL *)s) != 0) {
5595 info_cb_failed = 1;
5596 return;
5597 }
5598 }
5599
5600 /*
5601 * Test the info callback gets called when we expect it to.
5602 *
5603 * Test 0: TLSv1.2, server
5604 * Test 1: TLSv1.2, client
5605 * Test 2: TLSv1.3, server
5606 * Test 3: TLSv1.3, client
5607 * Test 4: TLSv1.3, server, early_data
5608 * Test 5: TLSv1.3, client, early_data
5609 */
5610 static int test_info_callback(int tst)
5611 {
5612 SSL_CTX *cctx = NULL, *sctx = NULL;
5613 SSL *clientssl = NULL, *serverssl = NULL;
5614 SSL_SESSION *clntsess = NULL;
5615 int testresult = 0;
5616 int tlsvers;
5617
5618 if (tst < 2) {
5619 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5620 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5621 || !defined(OPENSSL_NO_DH))
5622 tlsvers = TLS1_2_VERSION;
5623 #else
5624 return 1;
5625 #endif
5626 } else {
5627 #ifndef OPENSSL_NO_TLS1_3
5628 tlsvers = TLS1_3_VERSION;
5629 #else
5630 return 1;
5631 #endif
5632 }
5633
5634 /* Reset globals */
5635 info_cb_failed = 0;
5636 info_cb_this_state = -1;
5637 info_cb_offset = tst;
5638
5639 #ifndef OPENSSL_NO_TLS1_3
5640 if (tst >= 4) {
5641 SSL_SESSION *sess = NULL;
5642 size_t written, readbytes;
5643 unsigned char buf[80];
5644
5645 /* early_data tests */
5646 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5647 &serverssl, &sess, 0)))
5648 goto end;
5649
5650 /* We don't actually need this reference */
5651 SSL_SESSION_free(sess);
5652
5653 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5654 sslapi_info_callback);
5655
5656 /* Write and read some early data and then complete the connection */
5657 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5658 &written))
5659 || !TEST_size_t_eq(written, strlen(MSG1))
5660 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5661 sizeof(buf), &readbytes),
5662 SSL_READ_EARLY_DATA_SUCCESS)
5663 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5664 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5665 SSL_EARLY_DATA_ACCEPTED)
5666 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5667 SSL_ERROR_NONE))
5668 || !TEST_false(info_cb_failed))
5669 goto end;
5670
5671 testresult = 1;
5672 goto end;
5673 }
5674 #endif
5675
5676 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5677 TLS_client_method(),
5678 tlsvers, tlsvers, &sctx, &cctx, cert,
5679 privkey)))
5680 goto end;
5681
5682 /*
5683 * For even numbered tests we check the server callbacks. For odd numbers we
5684 * check the client.
5685 */
5686 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5687 sslapi_info_callback);
5688
5689 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5690 &clientssl, NULL, NULL))
5691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5692 SSL_ERROR_NONE))
5693 || !TEST_false(info_cb_failed))
5694 goto end;
5695
5696
5697
5698 clntsess = SSL_get1_session(clientssl);
5699 SSL_shutdown(clientssl);
5700 SSL_shutdown(serverssl);
5701 SSL_free(serverssl);
5702 SSL_free(clientssl);
5703 serverssl = clientssl = NULL;
5704
5705 /* Now do a resumption */
5706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5707 NULL))
5708 || !TEST_true(SSL_set_session(clientssl, clntsess))
5709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5710 SSL_ERROR_NONE))
5711 || !TEST_true(SSL_session_reused(clientssl))
5712 || !TEST_false(info_cb_failed))
5713 goto end;
5714
5715 testresult = 1;
5716
5717 end:
5718 SSL_free(serverssl);
5719 SSL_free(clientssl);
5720 SSL_SESSION_free(clntsess);
5721 SSL_CTX_free(sctx);
5722 SSL_CTX_free(cctx);
5723 return testresult;
5724 }
5725
5726 static int test_ssl_pending(int tst)
5727 {
5728 SSL_CTX *cctx = NULL, *sctx = NULL;
5729 SSL *clientssl = NULL, *serverssl = NULL;
5730 int testresult = 0;
5731 char msg[] = "A test message";
5732 char buf[5];
5733 size_t written, readbytes;
5734
5735 if (tst == 0) {
5736 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5737 TLS_client_method(),
5738 TLS1_VERSION, 0,
5739 &sctx, &cctx, cert, privkey)))
5740 goto end;
5741 } else {
5742 #ifndef OPENSSL_NO_DTLS
5743 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5744 DTLS_client_method(),
5745 DTLS1_VERSION, 0,
5746 &sctx, &cctx, cert, privkey)))
5747 goto end;
5748 #else
5749 return 1;
5750 #endif
5751 }
5752
5753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5754 NULL, NULL))
5755 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5756 SSL_ERROR_NONE)))
5757 goto end;
5758
5759 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5760 || !TEST_false(SSL_has_pending(clientssl))
5761 || !TEST_int_eq(SSL_pending(serverssl), 0)
5762 || !TEST_false(SSL_has_pending(serverssl))
5763 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5764 || !TEST_size_t_eq(written, sizeof(msg))
5765 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5766 || !TEST_size_t_eq(readbytes, sizeof(buf))
5767 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5768 || !TEST_true(SSL_has_pending(clientssl)))
5769 goto end;
5770
5771 testresult = 1;
5772
5773 end:
5774 SSL_free(serverssl);
5775 SSL_free(clientssl);
5776 SSL_CTX_free(sctx);
5777 SSL_CTX_free(cctx);
5778
5779 return testresult;
5780 }
5781
5782 static struct {
5783 unsigned int maxprot;
5784 const char *clntciphers;
5785 const char *clnttls13ciphers;
5786 const char *srvrciphers;
5787 const char *srvrtls13ciphers;
5788 const char *shared;
5789 } shared_ciphers_data[] = {
5790 /*
5791 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5792 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5793 */
5794 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5795 {
5796 TLS1_2_VERSION,
5797 "AES128-SHA:AES256-SHA",
5798 NULL,
5799 "AES256-SHA:DHE-RSA-AES128-SHA",
5800 NULL,
5801 "AES256-SHA"
5802 },
5803 {
5804 TLS1_2_VERSION,
5805 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5806 NULL,
5807 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5808 NULL,
5809 "AES128-SHA:AES256-SHA"
5810 },
5811 {
5812 TLS1_2_VERSION,
5813 "AES128-SHA:AES256-SHA",
5814 NULL,
5815 "AES128-SHA:DHE-RSA-AES128-SHA",
5816 NULL,
5817 "AES128-SHA"
5818 },
5819 #endif
5820 /*
5821 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5822 * enabled.
5823 */
5824 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5825 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5826 {
5827 TLS1_3_VERSION,
5828 "AES128-SHA:AES256-SHA",
5829 NULL,
5830 "AES256-SHA:AES128-SHA256",
5831 NULL,
5832 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5833 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5834 },
5835 #endif
5836 #ifndef OPENSSL_NO_TLS1_3
5837 {
5838 TLS1_3_VERSION,
5839 "AES128-SHA",
5840 "TLS_AES_256_GCM_SHA384",
5841 "AES256-SHA",
5842 "TLS_AES_256_GCM_SHA384",
5843 "TLS_AES_256_GCM_SHA384"
5844 },
5845 #endif
5846 };
5847
5848 static int test_ssl_get_shared_ciphers(int tst)
5849 {
5850 SSL_CTX *cctx = NULL, *sctx = NULL;
5851 SSL *clientssl = NULL, *serverssl = NULL;
5852 int testresult = 0;
5853 char buf[1024];
5854
5855 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5856 TLS_client_method(),
5857 TLS1_VERSION,
5858 shared_ciphers_data[tst].maxprot,
5859 &sctx, &cctx, cert, privkey)))
5860 goto end;
5861
5862 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5863 shared_ciphers_data[tst].clntciphers))
5864 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5865 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5866 shared_ciphers_data[tst].clnttls13ciphers)))
5867 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5868 shared_ciphers_data[tst].srvrciphers))
5869 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5870 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5871 shared_ciphers_data[tst].srvrtls13ciphers))))
5872 goto end;
5873
5874
5875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5876 NULL, NULL))
5877 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5878 SSL_ERROR_NONE)))
5879 goto end;
5880
5881 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5882 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5883 TEST_info("Shared ciphers are: %s\n", buf);
5884 goto end;
5885 }
5886
5887 testresult = 1;
5888
5889 end:
5890 SSL_free(serverssl);
5891 SSL_free(clientssl);
5892 SSL_CTX_free(sctx);
5893 SSL_CTX_free(cctx);
5894
5895 return testresult;
5896 }
5897
5898 static const char *appdata = "Hello World";
5899 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5900 static int tick_key_renew = 0;
5901 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5902
5903 static int gen_tick_cb(SSL *s, void *arg)
5904 {
5905 gen_tick_called = 1;
5906
5907 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5908 strlen(appdata));
5909 }
5910
5911 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5912 const unsigned char *keyname,
5913 size_t keyname_length,
5914 SSL_TICKET_STATUS status,
5915 void *arg)
5916 {
5917 void *tickdata;
5918 size_t tickdlen;
5919
5920 dec_tick_called = 1;
5921
5922 if (status == SSL_TICKET_EMPTY)
5923 return SSL_TICKET_RETURN_IGNORE_RENEW;
5924
5925 if (!TEST_true(status == SSL_TICKET_SUCCESS
5926 || status == SSL_TICKET_SUCCESS_RENEW))
5927 return SSL_TICKET_RETURN_ABORT;
5928
5929 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5930 &tickdlen))
5931 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5932 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5933 return SSL_TICKET_RETURN_ABORT;
5934
5935 if (tick_key_cb_called) {
5936 /* Don't change what the ticket key callback wanted to do */
5937 switch (status) {
5938 case SSL_TICKET_NO_DECRYPT:
5939 return SSL_TICKET_RETURN_IGNORE_RENEW;
5940
5941 case SSL_TICKET_SUCCESS:
5942 return SSL_TICKET_RETURN_USE;
5943
5944 case SSL_TICKET_SUCCESS_RENEW:
5945 return SSL_TICKET_RETURN_USE_RENEW;
5946
5947 default:
5948 return SSL_TICKET_RETURN_ABORT;
5949 }
5950 }
5951 return tick_dec_ret;
5952
5953 }
5954
5955 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5956 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5957 HMAC_CTX *hctx, int enc)
5958 {
5959 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5960 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5961
5962 tick_key_cb_called = 1;
5963 memset(iv, 0, AES_BLOCK_SIZE);
5964 memset(key_name, 0, 16);
5965 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5966 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5967 EVP_sha256(), NULL))
5968 return -1;
5969
5970 return tick_key_renew ? 2 : 1;
5971 }
5972
5973 /*
5974 * Test the various ticket callbacks
5975 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5976 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5977 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5978 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5979 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5980 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5981 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5982 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5983 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5984 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5985 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5986 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5987 */
5988 static int test_ticket_callbacks(int tst)
5989 {
5990 SSL_CTX *cctx = NULL, *sctx = NULL;
5991 SSL *clientssl = NULL, *serverssl = NULL;
5992 SSL_SESSION *clntsess = NULL;
5993 int testresult = 0;
5994
5995 #ifdef OPENSSL_NO_TLS1_2
5996 if (tst % 2 == 0)
5997 return 1;
5998 #endif
5999 #ifdef OPENSSL_NO_TLS1_3
6000 if (tst % 2 == 1)
6001 return 1;
6002 #endif
6003
6004 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6005
6006 /* Which tests the ticket key callback should request renewal for */
6007 if (tst == 10 || tst == 11)
6008 tick_key_renew = 1;
6009 else
6010 tick_key_renew = 0;
6011
6012 /* Which tests the decrypt ticket callback should request renewal for */
6013 switch (tst) {
6014 case 0:
6015 case 1:
6016 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6017 break;
6018
6019 case 2:
6020 case 3:
6021 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6022 break;
6023
6024 case 4:
6025 case 5:
6026 tick_dec_ret = SSL_TICKET_RETURN_USE;
6027 break;
6028
6029 case 6:
6030 case 7:
6031 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6032 break;
6033
6034 default:
6035 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6036 }
6037
6038 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6039 TLS_client_method(),
6040 TLS1_VERSION,
6041 ((tst % 2) == 0) ? TLS1_2_VERSION
6042 : TLS1_3_VERSION,
6043 &sctx, &cctx, cert, privkey)))
6044 goto end;
6045
6046 /*
6047 * We only want sessions to resume from tickets - not the session cache. So
6048 * switch the cache off.
6049 */
6050 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6051 goto end;
6052
6053 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6054 NULL)))
6055 goto end;
6056
6057 if (tst >= 8
6058 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6059 goto end;
6060
6061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6062 NULL, NULL))
6063 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6064 SSL_ERROR_NONE)))
6065 goto end;
6066
6067 /*
6068 * The decrypt ticket key callback in TLSv1.2 should be called even though
6069 * we have no ticket yet, because it gets called with a status of
6070 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6071 * actually send any ticket data). This does not happen in TLSv1.3 because
6072 * it is not valid to send empty ticket data in TLSv1.3.
6073 */
6074 if (!TEST_int_eq(gen_tick_called, 1)
6075 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6076 goto end;
6077
6078 gen_tick_called = dec_tick_called = 0;
6079
6080 clntsess = SSL_get1_session(clientssl);
6081 SSL_shutdown(clientssl);
6082 SSL_shutdown(serverssl);
6083 SSL_free(serverssl);
6084 SSL_free(clientssl);
6085 serverssl = clientssl = NULL;
6086
6087 /* Now do a resumption */
6088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6089 NULL))
6090 || !TEST_true(SSL_set_session(clientssl, clntsess))
6091 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6092 SSL_ERROR_NONE)))
6093 goto end;
6094
6095 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6096 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6097 if (!TEST_false(SSL_session_reused(clientssl)))
6098 goto end;
6099 } else {
6100 if (!TEST_true(SSL_session_reused(clientssl)))
6101 goto end;
6102 }
6103
6104 if (!TEST_int_eq(gen_tick_called,
6105 (tick_key_renew
6106 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6107 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6108 ? 1 : 0)
6109 || !TEST_int_eq(dec_tick_called, 1))
6110 goto end;
6111
6112 testresult = 1;
6113
6114 end:
6115 SSL_SESSION_free(clntsess);
6116 SSL_free(serverssl);
6117 SSL_free(clientssl);
6118 SSL_CTX_free(sctx);
6119 SSL_CTX_free(cctx);
6120
6121 return testresult;
6122 }
6123
6124 /*
6125 * Test bi-directional shutdown.
6126 * Test 0: TLSv1.2
6127 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6128 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6129 * Test 3: TLSv1.3, pending NewSessionTicket messages
6130 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6131 * sends key update, client reads it
6132 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6133 * sends CertificateRequest, client reads and ignores it
6134 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6135 * doesn't read it
6136 */
6137 static int test_shutdown(int tst)
6138 {
6139 SSL_CTX *cctx = NULL, *sctx = NULL;
6140 SSL *clientssl = NULL, *serverssl = NULL;
6141 int testresult = 0;
6142 char msg[] = "A test message";
6143 char buf[80];
6144 size_t written, readbytes;
6145 SSL_SESSION *sess;
6146
6147 #ifdef OPENSSL_NO_TLS1_2
6148 if (tst <= 1)
6149 return 1;
6150 #endif
6151 #ifdef OPENSSL_NO_TLS1_3
6152 if (tst >= 2)
6153 return 1;
6154 #endif
6155
6156 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6157 TLS_client_method(),
6158 TLS1_VERSION,
6159 (tst <= 1) ? TLS1_2_VERSION
6160 : TLS1_3_VERSION,
6161 &sctx, &cctx, cert, privkey)))
6162 goto end;
6163
6164 if (tst == 5)
6165 SSL_CTX_set_post_handshake_auth(cctx, 1);
6166
6167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6168 NULL, NULL)))
6169 goto end;
6170
6171 if (tst == 3) {
6172 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6173 SSL_ERROR_NONE, 1))
6174 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6175 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6176 goto end;
6177 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6178 SSL_ERROR_NONE))
6179 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6180 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6181 goto end;
6182 }
6183
6184 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6185 goto end;
6186
6187 if (tst >= 4) {
6188 /*
6189 * Reading on the server after the client has sent close_notify should
6190 * fail and provide SSL_ERROR_ZERO_RETURN
6191 */
6192 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6193 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6194 SSL_ERROR_ZERO_RETURN)
6195 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6196 SSL_RECEIVED_SHUTDOWN)
6197 /*
6198 * Even though we're shutdown on receive we should still be
6199 * able to write.
6200 */
6201 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6202 goto end;
6203 if (tst == 4
6204 && !TEST_true(SSL_key_update(serverssl,
6205 SSL_KEY_UPDATE_REQUESTED)))
6206 goto end;
6207 if (tst == 5) {
6208 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6209 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6210 goto end;
6211 }
6212 if ((tst == 4 || tst == 5)
6213 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6214 goto end;
6215 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6216 goto end;
6217 if (tst == 4 || tst == 5) {
6218 /* Should still be able to read data from server */
6219 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6220 &readbytes))
6221 || !TEST_size_t_eq(readbytes, sizeof(msg))
6222 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6223 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6224 &readbytes))
6225 || !TEST_size_t_eq(readbytes, sizeof(msg))
6226 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6227 goto end;
6228 }
6229 }
6230
6231 /* Writing on the client after sending close_notify shouldn't be possible */
6232 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6233 goto end;
6234
6235 if (tst < 4) {
6236 /*
6237 * For these tests the client has sent close_notify but it has not yet
6238 * been received by the server. The server has not sent close_notify
6239 * yet.
6240 */
6241 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6242 /*
6243 * Writing on the server after sending close_notify shouldn't
6244 * be possible.
6245 */
6246 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6247 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6248 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6249 || !TEST_true(SSL_SESSION_is_resumable(sess))
6250 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6251 goto end;
6252 } else if (tst == 4 || tst == 5) {
6253 /*
6254 * In this test the client has sent close_notify and it has been
6255 * received by the server which has responded with a close_notify. The
6256 * client needs to read the close_notify sent by the server.
6257 */
6258 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6259 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6260 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6261 goto end;
6262 } else {
6263 /*
6264 * tst == 6
6265 *
6266 * The client has sent close_notify and is expecting a close_notify
6267 * back, but instead there is application data first. The shutdown
6268 * should fail with a fatal error.
6269 */
6270 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6271 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6272 goto end;
6273 }
6274
6275 testresult = 1;
6276
6277 end:
6278 SSL_free(serverssl);
6279 SSL_free(clientssl);
6280 SSL_CTX_free(sctx);
6281 SSL_CTX_free(cctx);
6282
6283 return testresult;
6284 }
6285
6286 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6287 static int cert_cb_cnt;
6288
6289 static int cert_cb(SSL *s, void *arg)
6290 {
6291 SSL_CTX *ctx = (SSL_CTX *)arg;
6292 BIO *in = NULL;
6293 EVP_PKEY *pkey = NULL;
6294 X509 *x509 = NULL;
6295
6296 if (cert_cb_cnt == 0) {
6297 /* Suspend the handshake */
6298 cert_cb_cnt++;
6299 return -1;
6300 } else if (cert_cb_cnt == 1) {
6301 /*
6302 * Update the SSL_CTX, set the certificate and private key and then
6303 * continue the handshake normally.
6304 */
6305 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6306 return 0;
6307
6308 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6309 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6310 SSL_FILETYPE_PEM))
6311 || !TEST_true(SSL_check_private_key(s)))
6312 return 0;
6313 cert_cb_cnt++;
6314 return 1;
6315 } else if (cert_cb_cnt == 3) {
6316 int rv;
6317 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6318 || !TEST_int_ge(BIO_read_filename(in, cert), 0)
6319 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6320 goto out;
6321 BIO_free(in);
6322 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6323 || !TEST_int_ge(BIO_read_filename(in, privkey), 0)
6324 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6325 goto out;
6326 rv = SSL_check_chain(s, x509, pkey, NULL);
6327 /*
6328 * If the cert doesn't show as valid here (e.g., because we don't
6329 * have any shared sigalgs), then we will not set it, and there will
6330 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6331 * will cause tls_choose_sigalgs() to fail the connection.
6332 */
6333 if ((rv & CERT_PKEY_VALID)) {
6334 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6335 goto out;
6336 }
6337 BIO_free(in);
6338 EVP_PKEY_free(pkey);
6339 X509_free(x509);
6340 return 1;
6341 }
6342
6343 /* Abort the handshake */
6344 out:
6345 BIO_free(in);
6346 EVP_PKEY_free(pkey);
6347 X509_free(x509);
6348 return 0;
6349 }
6350
6351 /*
6352 * Test the certificate callback.
6353 * Test 0: Callback fails
6354 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6355 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6356 */
6357 static int test_cert_cb_int(int prot, int tst)
6358 {
6359 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6360 SSL *clientssl = NULL, *serverssl = NULL;
6361 int testresult = 0, ret;
6362
6363 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6364 TLS_client_method(),
6365 TLS1_VERSION,
6366 prot,
6367 &sctx, &cctx, NULL, NULL)))
6368 goto end;
6369
6370 if (tst == 0)
6371 cert_cb_cnt = -1;
6372 else if (tst == 3)
6373 cert_cb_cnt = 3;
6374 else
6375 cert_cb_cnt = 0;
6376 if (tst == 2)
6377 snictx = SSL_CTX_new(TLS_server_method());
6378 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6379
6380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6381 NULL, NULL)))
6382 goto end;
6383
6384 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6385 if (!TEST_true(tst == 0 ? !ret : ret)
6386 || (tst > 0
6387 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6388 goto end;
6389 }
6390
6391 testresult = 1;
6392
6393 end:
6394 SSL_free(serverssl);
6395 SSL_free(clientssl);
6396 SSL_CTX_free(sctx);
6397 SSL_CTX_free(cctx);
6398 SSL_CTX_free(snictx);
6399
6400 return testresult;
6401 }
6402 #endif
6403
6404 static int test_cert_cb(int tst)
6405 {
6406 int testresult = 1;
6407
6408 #ifndef OPENSSL_NO_TLS1_2
6409 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6410 #endif
6411 #ifndef OPENSSL_NO_TLS1_3
6412 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6413 #endif
6414
6415 return testresult;
6416 }
6417
6418 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6419 {
6420 X509 *xcert, *peer;
6421 EVP_PKEY *privpkey;
6422 BIO *in = NULL;
6423
6424 /* Check that SSL_get_peer_certificate() returns something sensible */
6425 peer = SSL_get_peer_certificate(ssl);
6426 if (!TEST_ptr(peer))
6427 return 0;
6428 X509_free(peer);
6429
6430 in = BIO_new_file(cert, "r");
6431 if (!TEST_ptr(in))
6432 return 0;
6433
6434 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6435 BIO_free(in);
6436 if (!TEST_ptr(xcert))
6437 return 0;
6438
6439 in = BIO_new_file(privkey, "r");
6440 if (!TEST_ptr(in)) {
6441 X509_free(xcert);
6442 return 0;
6443 }
6444
6445 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6446 BIO_free(in);
6447 if (!TEST_ptr(privpkey)) {
6448 X509_free(xcert);
6449 return 0;
6450 }
6451
6452 *x509 = xcert;
6453 *pkey = privpkey;
6454
6455 return 1;
6456 }
6457
6458 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6459 {
6460 return 1;
6461 }
6462
6463 static int test_client_cert_cb(int tst)
6464 {
6465 SSL_CTX *cctx = NULL, *sctx = NULL;
6466 SSL *clientssl = NULL, *serverssl = NULL;
6467 int testresult = 0;
6468
6469 #ifdef OPENSSL_NO_TLS1_2
6470 if (tst == 0)
6471 return 1;
6472 #endif
6473 #ifdef OPENSSL_NO_TLS1_3
6474 if (tst == 1)
6475 return 1;
6476 #endif
6477
6478 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6479 TLS_client_method(),
6480 TLS1_VERSION,
6481 tst == 0 ? TLS1_2_VERSION
6482 : TLS1_3_VERSION,
6483 &sctx, &cctx, cert, privkey)))
6484 goto end;
6485
6486 /*
6487 * Test that setting a client_cert_cb results in a client certificate being
6488 * sent.
6489 */
6490 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6491 SSL_CTX_set_verify(sctx,
6492 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6493 verify_cb);
6494
6495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6496 NULL, NULL))
6497 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6498 SSL_ERROR_NONE)))
6499 goto end;
6500
6501 testresult = 1;
6502
6503 end:
6504 SSL_free(serverssl);
6505 SSL_free(clientssl);
6506 SSL_CTX_free(sctx);
6507 SSL_CTX_free(cctx);
6508
6509 return testresult;
6510 }
6511
6512 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6513 /*
6514 * Test setting certificate authorities on both client and server.
6515 *
6516 * Test 0: SSL_CTX_set0_CA_list() only
6517 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6518 * Test 2: Only SSL_CTX_set_client_CA_list()
6519 */
6520 static int test_ca_names_int(int prot, int tst)
6521 {
6522 SSL_CTX *cctx = NULL, *sctx = NULL;
6523 SSL *clientssl = NULL, *serverssl = NULL;
6524 int testresult = 0;
6525 size_t i;
6526 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6527 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6528 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6529 const STACK_OF(X509_NAME) *sktmp = NULL;
6530
6531 for (i = 0; i < OSSL_NELEM(name); i++) {
6532 name[i] = X509_NAME_new();
6533 if (!TEST_ptr(name[i])
6534 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6535 MBSTRING_ASC,
6536 (unsigned char *)
6537 strnames[i],
6538 -1, -1, 0)))
6539 goto end;
6540 }
6541
6542 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6543 TLS_client_method(),
6544 TLS1_VERSION,
6545 prot,
6546 &sctx, &cctx, cert, privkey)))
6547 goto end;
6548
6549 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6550
6551 if (tst == 0 || tst == 1) {
6552 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6553 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6554 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6555 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6556 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6557 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6558 goto end;
6559
6560 SSL_CTX_set0_CA_list(sctx, sk1);
6561 SSL_CTX_set0_CA_list(cctx, sk2);
6562 sk1 = sk2 = NULL;
6563 }
6564 if (tst == 1 || tst == 2) {
6565 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6566 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6567 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6568 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6569 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6570 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6571 goto end;
6572
6573 SSL_CTX_set_client_CA_list(sctx, sk1);
6574 SSL_CTX_set_client_CA_list(cctx, sk2);
6575 sk1 = sk2 = NULL;
6576 }
6577
6578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6579 NULL, NULL))
6580 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6581 SSL_ERROR_NONE)))
6582 goto end;
6583
6584 /*
6585 * We only expect certificate authorities to have been sent to the server
6586 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6587 */
6588 sktmp = SSL_get0_peer_CA_list(serverssl);
6589 if (prot == TLS1_3_VERSION
6590 && (tst == 0 || tst == 1)) {
6591 if (!TEST_ptr(sktmp)
6592 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6593 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6594 name[0]), 0)
6595 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6596 name[1]), 0))
6597 goto end;
6598 } else if (!TEST_ptr_null(sktmp)) {
6599 goto end;
6600 }
6601
6602 /*
6603 * In all tests we expect certificate authorities to have been sent to the
6604 * client. However, SSL_set_client_CA_list() should override
6605 * SSL_set0_CA_list()
6606 */
6607 sktmp = SSL_get0_peer_CA_list(clientssl);
6608 if (!TEST_ptr(sktmp)
6609 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6610 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6611 name[tst == 0 ? 0 : 2]), 0)
6612 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6613 name[tst == 0 ? 1 : 3]), 0))
6614 goto end;
6615
6616 testresult = 1;
6617
6618 end:
6619 SSL_free(serverssl);
6620 SSL_free(clientssl);
6621 SSL_CTX_free(sctx);
6622 SSL_CTX_free(cctx);
6623 for (i = 0; i < OSSL_NELEM(name); i++)
6624 X509_NAME_free(name[i]);
6625 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6626 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6627
6628 return testresult;
6629 }
6630 #endif
6631
6632 static int test_ca_names(int tst)
6633 {
6634 int testresult = 1;
6635
6636 #ifndef OPENSSL_NO_TLS1_2
6637 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6638 #endif
6639 #ifndef OPENSSL_NO_TLS1_3
6640 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6641 #endif
6642
6643 return testresult;
6644 }
6645
6646
6647 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6648
6649 int setup_tests(void)
6650 {
6651 if (!TEST_ptr(cert = test_get_argument(0))
6652 || !TEST_ptr(privkey = test_get_argument(1))
6653 || !TEST_ptr(srpvfile = test_get_argument(2))
6654 || !TEST_ptr(tmpfilename = test_get_argument(3)))
6655 return 0;
6656
6657 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6658 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6659 TEST_error("not supported in this build");
6660 return 0;
6661 #else
6662 int i, mcount, rcount, fcount;
6663
6664 for (i = 0; i < 4; i++)
6665 test_export_key_mat(i);
6666 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6667 test_printf_stdout("malloc %d realloc %d free %d\n",
6668 mcount, rcount, fcount);
6669 return 1;
6670 #endif
6671 }
6672
6673 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6674 && !defined(OPENSSL_NO_SOCK)
6675 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6676 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6677 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6678 ADD_TEST(test_ktls_client_no_txrx_server);
6679 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6680 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6681 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6682 ADD_TEST(test_ktls_client_no_rx_server);
6683 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6684 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6685 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6686 ADD_TEST(test_ktls_client_no_tx_server);
6687 ADD_TEST(test_ktls_no_txrx_client_server);
6688 ADD_TEST(test_ktls_no_rx_client_server);
6689 ADD_TEST(test_ktls_no_tx_client_server);
6690 ADD_TEST(test_ktls_client_server);
6691 ADD_TEST(test_ktls_sendfile);
6692 #endif
6693 ADD_TEST(test_large_message_tls);
6694 ADD_TEST(test_large_message_tls_read_ahead);
6695 #ifndef OPENSSL_NO_DTLS
6696 ADD_TEST(test_large_message_dtls);
6697 #endif
6698 #ifndef OPENSSL_NO_OCSP
6699 ADD_TEST(test_tlsext_status_type);
6700 #endif
6701 ADD_TEST(test_session_with_only_int_cache);
6702 ADD_TEST(test_session_with_only_ext_cache);
6703 ADD_TEST(test_session_with_both_cache);
6704 #ifndef OPENSSL_NO_TLS1_3
6705 ADD_ALL_TESTS(test_stateful_tickets, 3);
6706 ADD_ALL_TESTS(test_stateless_tickets, 3);
6707 ADD_TEST(test_psk_tickets);
6708 #endif
6709 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6710 ADD_TEST(test_ssl_bio_pop_next_bio);
6711 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6712 ADD_TEST(test_ssl_bio_change_rbio);
6713 ADD_TEST(test_ssl_bio_change_wbio);
6714 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6715 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6716 ADD_TEST(test_keylog);
6717 #endif
6718 #ifndef OPENSSL_NO_TLS1_3
6719 ADD_TEST(test_keylog_no_master_key);
6720 #endif
6721 #ifndef OPENSSL_NO_TLS1_2
6722 ADD_TEST(test_client_hello_cb);
6723 ADD_TEST(test_no_ems);
6724 #endif
6725 #ifndef OPENSSL_NO_TLS1_3
6726 ADD_ALL_TESTS(test_early_data_read_write, 3);
6727 /*
6728 * We don't do replay tests for external PSK. Replay protection isn't used
6729 * in that scenario.
6730 */
6731 ADD_ALL_TESTS(test_early_data_replay, 2);
6732 ADD_ALL_TESTS(test_early_data_skip, 3);
6733 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6734 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6735 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6736 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6737 ADD_ALL_TESTS(test_early_data_psk, 8);
6738 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6739 # ifndef OPENSSL_NO_TLS1_2
6740 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6741 # endif
6742 #endif
6743 #ifndef OPENSSL_NO_TLS1_3
6744 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6745 ADD_TEST(test_ciphersuite_change);
6746 #ifdef OPENSSL_NO_PSK
6747 ADD_ALL_TESTS(test_tls13_psk, 1);
6748 #else
6749 ADD_ALL_TESTS(test_tls13_psk, 4);
6750 #endif /* OPENSSL_NO_PSK */
6751 ADD_ALL_TESTS(test_key_exchange, 14);
6752 ADD_ALL_TESTS(test_custom_exts, 5);
6753 ADD_TEST(test_stateless);
6754 ADD_TEST(test_pha_key_update);
6755 #else
6756 ADD_ALL_TESTS(test_custom_exts, 3);
6757 #endif
6758 ADD_ALL_TESTS(test_serverinfo, 8);
6759 ADD_ALL_TESTS(test_export_key_mat, 6);
6760 #ifndef OPENSSL_NO_TLS1_3
6761 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6762 ADD_TEST(test_key_update);
6763 ADD_ALL_TESTS(test_key_update_in_write, 2);
6764 #endif
6765 ADD_ALL_TESTS(test_ssl_clear, 2);
6766 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6767 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6768 ADD_ALL_TESTS(test_srp, 6);
6769 #endif
6770 ADD_ALL_TESTS(test_info_callback, 6);
6771 ADD_ALL_TESTS(test_ssl_pending, 2);
6772 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6773 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6774 ADD_ALL_TESTS(test_shutdown, 7);
6775 ADD_ALL_TESTS(test_cert_cb, 4);
6776 ADD_ALL_TESTS(test_client_cert_cb, 2);
6777 ADD_ALL_TESTS(test_ca_names, 3);
6778 return 1;
6779 }
6780
6781 void cleanup_tests(void)
6782 {
6783 bio_s_mempacket_test_free();
6784 bio_s_always_retry_free();
6785 }
A mirror of the official openssl repository