]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
first cut at sigalg loading
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "../ssl/record/methods/recmethod_local.h"
45 #include "filterprov.h"
46
47 #undef OSSL_NO_USABLE_TLS1_3
48 #if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50 /*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54 # define OSSL_NO_USABLE_TLS1_3
55 #endif
56
57 /* Defined in tls-provider.c */
58 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
62
63 static OSSL_LIB_CTX *libctx = NULL;
64 static OSSL_PROVIDER *defctxnull = NULL;
65
66 #ifndef OSSL_NO_USABLE_TLS1_3
67
68 static SSL_SESSION *clientpsk = NULL;
69 static SSL_SESSION *serverpsk = NULL;
70 static const char *pskid = "Identity";
71 static const char *srvid;
72
73 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75 static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78 static int use_session_cb_cnt = 0;
79 static int find_session_cb_cnt = 0;
80
81 static SSL_SESSION *create_a_psk(SSL *ssl);
82 #endif
83
84 static char *certsdir = NULL;
85 static char *cert = NULL;
86 static char *privkey = NULL;
87 static char *cert2 = NULL;
88 static char *privkey2 = NULL;
89 static char *cert1024 = NULL;
90 static char *privkey1024 = NULL;
91 static char *cert3072 = NULL;
92 static char *privkey3072 = NULL;
93 static char *cert4096 = NULL;
94 static char *privkey4096 = NULL;
95 static char *cert8192 = NULL;
96 static char *privkey8192 = NULL;
97 static char *srpvfile = NULL;
98 static char *tmpfilename = NULL;
99 static char *dhfile = NULL;
100
101 static int is_fips = 0;
102
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
109
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
114
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
117 #endif
118
119 #define NUM_EXTRA_CERTS 40
120 #define CLIENT_VERSION_LEN 2
121
122 /*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126 struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
136 };
137
138
139 static int hostname_cb(SSL *s, int *al, void *arg)
140 {
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148 }
149
150 static void client_keylog_callback(const SSL *ssl, const char *line)
151 {
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
164 }
165
166 static void server_keylog_callback(const SSL *ssl, const char *line)
167 {
168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
180 }
181
182 static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
185 size_t raw_length)
186 {
187 size_t i, j;
188 char hexed[3];
189
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 return 1;
192
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
197 return 1;
198 }
199
200 return 0;
201 }
202
203 static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
206 {
207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
221
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 return 0;
232 if (!TEST_size_t_eq(strlen(token), 16))
233 return 0;
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 return 0;
236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 if (!TEST_size_t_eq(strlen(token), 64))
256 return 0;
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
267 if (!TEST_size_t_ne(master_key_size, 0))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
272 return 0;
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310 if (!TEST_size_t_eq(strlen(token), 64))
311 return 0;
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 } else {
320 TEST_info("Unexpected token %s\n", token);
321 return 0;
322 }
323 }
324
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
344 return 0;
345 return 1;
346 }
347
348 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349 static int test_keylog(void)
350 {
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
354 struct sslapitest_log_counts expected;
355
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 TLS_client_method(),
366 TLS1_VERSION, 0,
367 &sctx, &cctx, cert, privkey)))
368 return 0;
369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 goto end;
377
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 goto end;
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
384 goto end;
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
388 goto end;
389
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
398 goto end;
399
400 /*
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
405 */
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
410 goto end;
411
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
415 goto end;
416
417 testresult = 1;
418
419 end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426 }
427 #endif
428
429 #ifndef OSSL_NO_USABLE_TLS1_3
430 static int test_keylog_no_master_key(void)
431 {
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
435 int testresult = 0;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
439
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
453 return 0;
454
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
462 goto end;
463
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
467 goto end;
468
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
475 goto end;
476
477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
481 */
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
492 goto end;
493
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
533 testresult = 1;
534
535 end:
536 SSL_SESSION_free(sess);
537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543 }
544 #endif
545
546 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547 {
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
562 return res;
563 }
564
565 static int test_client_cert_verify_cb(void)
566 {
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621 end:
622 X509_free(crt1);
623 X509_free(crt2);
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642 }
643
644 static int test_ssl_build_cert_chain(void)
645 {
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665 end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671 }
672
673 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674 {
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682 }
683
684 static int test_ssl_ctx_build_cert_chain(void)
685 {
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704 end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709 }
710
711 #ifndef OPENSSL_NO_TLS1_2
712 static int full_client_hello_callback(SSL *s, int *al, void *arg)
713 {
714 int *ctr = arg;
715 const unsigned char *p;
716 int *exts;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
718 #ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720 #else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723 #endif
724 const int expected_extensions[] = {
725 #ifndef OPENSSL_NO_EC
726 11, 10,
727 #endif
728 35, 22, 23, 13};
729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
733 return SSL_CLIENT_HELLO_RETRY;
734
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
746 OPENSSL_free(exts);
747 return SSL_CLIENT_HELLO_ERROR;
748 }
749 OPENSSL_free(exts);
750 return SSL_CLIENT_HELLO_SUCCESS;
751 }
752
753 static int test_client_hello_cb(void)
754 {
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
762 goto end;
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786 end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793 }
794
795 static int test_no_ems(void)
796 {
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
817 goto end;
818 }
819
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
822 goto end;
823 }
824
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
827 goto end;
828 }
829 testresult = 1;
830
831 end:
832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836
837 return testresult;
838 }
839
840 /*
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
844 * encryption to real encryption).
845 */
846 static int test_ccs_change_cipher(void)
847 {
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
851 int testresult = 0;
852 int i;
853 unsigned char buf;
854 size_t readbytes;
855
856 /*
857 * Create a connection so we can resume and potentially (but not) use
858 * a different cipher in the second connection.
859 */
860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
861 TLS_client_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
866 NULL, NULL))
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
869 SSL_ERROR_NONE))
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
872 goto end;
873
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
876
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
880 NULL, NULL))
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
884 SSL_ERROR_NONE))
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
891 goto end;
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
894
895 /*
896 * Now create a fresh connection and try to renegotiate a different
897 * cipher on it.
898 */
899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
900 NULL, NULL))
901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
903 SSL_ERROR_NONE))
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
908 goto end;
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
913 goto end;
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
916 goto end;
917 }
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
920 goto end;
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
923 goto end;
924 }
925 }
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
934 goto end;
935
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
938
939 testresult = 1;
940
941 end:
942 SSL_free(serverssl);
943 SSL_free(clientssl);
944 SSL_CTX_free(sctx);
945 SSL_CTX_free(cctx);
946 SSL_SESSION_free(sess);
947
948 return testresult;
949 }
950 #endif
951
952 static int execute_test_large_message(const SSL_METHOD *smeth,
953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
955 int read_ahead)
956 {
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
959 int testresult = 0;
960 int i;
961 BIO *certbio = NULL;
962 X509 *chaincert = NULL;
963 int certlen;
964
965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
966 goto end;
967
968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
969 goto end;
970
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
972 goto end;
973 BIO_free(certbio);
974 certbio = NULL;
975
976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
978 privkey)))
979 goto end;
980
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
983 /*
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
985 * level 0
986 */
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
990 goto end;
991 }
992 #endif
993
994 if (read_ahead) {
995 /*
996 * Test that read_ahead works correctly when dealing with large
997 * records
998 */
999 SSL_CTX_set_read_ahead(cctx, 1);
1000 }
1001
1002 /*
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
1008 */
1009 certlen = i2d_X509(chaincert, NULL);
1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1013 if (!X509_up_ref(chaincert))
1014 goto end;
1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1016 X509_free(chaincert);
1017 goto end;
1018 }
1019 }
1020
1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1022 NULL, NULL))
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1024 SSL_ERROR_NONE)))
1025 goto end;
1026
1027 /*
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1029 * doesn't leak.
1030 */
1031 if (!TEST_true(SSL_clear(serverssl)))
1032 goto end;
1033
1034 testresult = 1;
1035 end:
1036 BIO_free(certbio);
1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1040 SSL_CTX_free(sctx);
1041 SSL_CTX_free(cctx);
1042
1043 return testresult;
1044 }
1045
1046 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1048 /* sock must be connected */
1049 static int ktls_chk_platform(int sock)
1050 {
1051 if (!ktls_enable(sock))
1052 return 0;
1053 return 1;
1054 }
1055
1056 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1057 {
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1061 size_t err = 0;
1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
1070 SSL_CONNECTION *clientsc, *serversc;
1071
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1074 goto end;
1075
1076 cbuf[0] = count++;
1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1081
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1083 goto end;
1084
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1087 goto end;
1088 }
1089 }
1090
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1092 goto end;
1093
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1096 goto end;
1097 }
1098 }
1099
1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1104
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1107 goto end;
1108
1109 /*
1110 * If ktls is used then kernel sequences are used instead of
1111 * OpenSSL sequences
1112 */
1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
1116 goto end;
1117 } else {
1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
1120 goto end;
1121 }
1122
1123 if (!BIO_get_ktls_send(serversc->wbio)) {
1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
1126 goto end;
1127 } else {
1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
1130 goto end;
1131 }
1132
1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
1136 goto end;
1137 } else {
1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
1140 goto end;
1141 }
1142
1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
1146 goto end;
1147 } else {
1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
1150 goto end;
1151 }
1152
1153 return 1;
1154 end:
1155 return 0;
1156 }
1157
1158 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1159 int tls_version, const char *cipher)
1160 {
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1165 int rx_supported;
1166 SSL_CONNECTION *clientsc, *serversc;
1167
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1169 goto end;
1170
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1174 goto end;
1175 }
1176
1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1179 goto end;
1180 }
1181
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version, tls_version,
1186 &sctx, &cctx, cert, privkey)))
1187 goto end;
1188
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1192 goto end;
1193 } else {
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1196 goto end;
1197 }
1198
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
1201 goto end;
1202
1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1205 goto end;
1206
1207 if (cis_ktls) {
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1209 goto end;
1210 }
1211
1212 if (sis_ktls) {
1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1214 goto end;
1215 }
1216
1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1218 goto end;
1219
1220 /*
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1223 * isn't enabled.
1224 */
1225 if (!cis_ktls) {
1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1227 goto end;
1228 } else {
1229 if (BIO_get_ktls_send(clientsc->wbio))
1230 ktls_used = 1;
1231 }
1232
1233 if (!sis_ktls) {
1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1235 goto end;
1236 } else {
1237 if (BIO_get_ktls_send(serversc->wbio))
1238 ktls_used = 1;
1239 }
1240
1241 #if defined(OPENSSL_NO_KTLS_RX)
1242 rx_supported = 0;
1243 #else
1244 rx_supported = 1;
1245 #endif
1246 if (!cis_ktls || !rx_supported) {
1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1248 goto end;
1249 } else {
1250 if (BIO_get_ktls_send(clientsc->rbio))
1251 ktls_used = 1;
1252 }
1253
1254 if (!sis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1256 goto end;
1257 } else {
1258 if (BIO_get_ktls_send(serversc->rbio))
1259 ktls_used = 1;
1260 }
1261
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1265 "TLS 1.2", cipher);
1266 goto end;
1267 }
1268
1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1270 goto end;
1271
1272 testresult = 1;
1273 end:
1274 if (clientssl) {
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1277 }
1278 if (serverssl) {
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1281 }
1282 SSL_CTX_free(sctx);
1283 SSL_CTX_free(cctx);
1284 serverssl = clientssl = NULL;
1285 if (cfd != -1)
1286 close(cfd);
1287 if (sfd != -1)
1288 close(sfd);
1289 return testresult;
1290 }
1291
1292 #define SENDFILE_SZ (16 * 4096)
1293 #define SENDFILE_CHUNK (4 * 4096)
1294 #define min(a,b) ((a) > (b) ? (b) : (a))
1295
1296 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1297 int zerocopy)
1298 {
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308 SSL_CONNECTION *serversc;
1309
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1314 goto end;
1315
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
1318 testresult = TEST_skip("Kernel does not support KTLS");
1319 goto end;
1320 }
1321
1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1324 goto end;
1325 }
1326
1327 /* Create a session based on SHA-256 */
1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1329 TLS_client_method(),
1330 tls_version, tls_version,
1331 &sctx, &cctx, cert, privkey)))
1332 goto end;
1333
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1337 goto end;
1338 } else {
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1341 goto end;
1342 }
1343
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1346 goto end;
1347
1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1349 goto end;
1350
1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1352 goto end;
1353
1354 if (zerocopy) {
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1357 goto end;
1358 }
1359
1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1361 SSL_ERROR_NONE)))
1362 goto end;
1363
1364 if (!BIO_get_ktls_send(serversc->wbio)) {
1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1367 "TLS 1.2", cipher);
1368 goto end;
1369 }
1370
1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1372 goto end;
1373
1374 out = BIO_new_file(tmpfilename, "wb");
1375 if (!TEST_ptr(out))
1376 goto end;
1377
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1379 goto end;
1380
1381 BIO_free(out);
1382 out = NULL;
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1385 ffd = fileno(ffdp);
1386
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1390 ffd,
1391 chunk_off,
1392 chunk_size,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1395 goto end;
1396 }
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1401 goto end;
1402 }
1403
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1406 chunk_size,
1407 buf + chunk_off,
1408 chunk_size))
1409 goto end;
1410
1411 chunk_off += chunk_size;
1412 }
1413
1414 testresult = 1;
1415 end:
1416 if (clientssl) {
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1419 }
1420 if (serverssl) {
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1423 }
1424 SSL_CTX_free(sctx);
1425 SSL_CTX_free(cctx);
1426 serverssl = clientssl = NULL;
1427 BIO_free(out);
1428 BIO_free(in);
1429 if (cfd != -1)
1430 close(cfd);
1431 if (sfd != -1)
1432 close(sfd);
1433 OPENSSL_free(buf);
1434 OPENSSL_free(buf_dst);
1435 return testresult;
1436 }
1437
1438 static struct ktls_test_cipher {
1439 int tls_version;
1440 const char *cipher;
1441 } ktls_test_ciphers[] = {
1442 # if !defined(OPENSSL_NO_TLS1_2)
1443 # ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1445 # endif
1446 # ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1448 # endif
1449 # ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1451 # endif
1452 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1453 # ifndef OPENSSL_NO_EC
1454 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1455 # endif
1456 # endif
1457 # endif
1458 # if !defined(OSSL_NO_USABLE_TLS1_3)
1459 # ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1461 # endif
1462 # ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1464 # endif
1465 # ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1467 # endif
1468 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1470 # endif
1471 # endif
1472 };
1473
1474 #define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1476
1477 static int test_ktls(int test)
1478 {
1479 struct ktls_test_cipher *cipher;
1480 int cis_ktls, sis_ktls;
1481
1482 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1483 cipher = &ktls_test_ciphers[test / 4];
1484
1485 cis_ktls = (test & 1) != 0;
1486 sis_ktls = (test & 2) != 0;
1487
1488 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1489 cipher->cipher);
1490 }
1491
1492 static int test_ktls_sendfile(int test)
1493 {
1494 struct ktls_test_cipher *cipher;
1495 int tst = test >> 1;
1496
1497 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1498 cipher = &ktls_test_ciphers[tst];
1499
1500 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1501 test & 1);
1502 }
1503 #endif
1504
1505 static int test_large_message_tls(void)
1506 {
1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1508 TLS1_VERSION, 0, 0);
1509 }
1510
1511 static int test_large_message_tls_read_ahead(void)
1512 {
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1514 TLS1_VERSION, 0, 1);
1515 }
1516
1517 #ifndef OPENSSL_NO_DTLS
1518 static int test_large_message_dtls(void)
1519 {
1520 # ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1522 if (is_fips)
1523 return 1;
1524 # endif
1525 /*
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1528 */
1529 return execute_test_large_message(DTLS_server_method(),
1530 DTLS_client_method(),
1531 DTLS1_VERSION, 0, 0);
1532 }
1533 #endif
1534
1535 /*
1536 * Test we can successfully send the maximum amount of application data. We
1537 * test each protocol version individually, each with and without EtM enabled.
1538 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1539 * simpler this way. We also test all combinations with and without the
1540 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1541 * underlying buffer.
1542 */
1543 static int test_large_app_data(int tst)
1544 {
1545 SSL_CTX *cctx = NULL, *sctx = NULL;
1546 SSL *clientssl = NULL, *serverssl = NULL;
1547 int testresult = 0, prot;
1548 unsigned char *msg, *buf = NULL;
1549 size_t written, readbytes;
1550 const SSL_METHOD *smeth = TLS_server_method();
1551 const SSL_METHOD *cmeth = TLS_client_method();
1552
1553 switch (tst >> 2) {
1554 case 0:
1555 #ifndef OSSL_NO_USABLE_TLS1_3
1556 prot = TLS1_3_VERSION;
1557 break;
1558 #else
1559 return 1;
1560 #endif
1561
1562 case 1:
1563 #ifndef OPENSSL_NO_TLS1_2
1564 prot = TLS1_2_VERSION;
1565 break;
1566 #else
1567 return 1;
1568 #endif
1569
1570 case 2:
1571 #ifndef OPENSSL_NO_TLS1_1
1572 prot = TLS1_1_VERSION;
1573 break;
1574 #else
1575 return 1;
1576 #endif
1577
1578 case 3:
1579 #ifndef OPENSSL_NO_TLS1
1580 prot = TLS1_VERSION;
1581 break;
1582 #else
1583 return 1;
1584 #endif
1585
1586 case 4:
1587 #ifndef OPENSSL_NO_SSL3
1588 prot = SSL3_VERSION;
1589 break;
1590 #else
1591 return 1;
1592 #endif
1593
1594 case 5:
1595 #ifndef OPENSSL_NO_DTLS1_2
1596 prot = DTLS1_2_VERSION;
1597 smeth = DTLS_server_method();
1598 cmeth = DTLS_client_method();
1599 break;
1600 #else
1601 return 1;
1602 #endif
1603
1604 case 6:
1605 #ifndef OPENSSL_NO_DTLS1
1606 prot = DTLS1_VERSION;
1607 smeth = DTLS_server_method();
1608 cmeth = DTLS_client_method();
1609 break;
1610 #else
1611 return 1;
1612 #endif
1613
1614 default:
1615 /* Shouldn't happen */
1616 return 0;
1617 }
1618
1619 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1620 return 1;
1621
1622 /* Maximal sized message of zeros */
1623 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1624 if (!TEST_ptr(msg))
1625 goto end;
1626
1627 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1628 if (!TEST_ptr(buf))
1629 goto end;
1630 /* Set whole buffer to all bits set */
1631 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1632
1633 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1634 &sctx, &cctx, cert, privkey)))
1635 goto end;
1636
1637 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1638 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1640 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1641 "DEFAULT:@SECLEVEL=0")))
1642 goto end;
1643 }
1644
1645 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1646 &clientssl, NULL, NULL)))
1647 goto end;
1648
1649 if ((tst & 1) != 0) {
1650 /* Setting this option gives us a minimally sized underlying buffer */
1651 if (!TEST_true(SSL_set_options(serverssl,
1652 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1653 || !TEST_true(SSL_set_options(clientssl,
1654 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1655 goto end;
1656 }
1657
1658 if ((tst & 2) != 0) {
1659 /*
1660 * Setting this option means the MAC is added before encryption
1661 * giving us a larger record for the encryption process
1662 */
1663 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1664 || !TEST_true(SSL_set_options(clientssl,
1665 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1666 goto end;
1667 }
1668
1669 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1670 goto end;
1671
1672 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1673 &written))
1674 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1675 goto end;
1676
1677 /* We provide a buffer slightly larger than what we are actually expecting */
1678 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1679 &readbytes)))
1680 goto end;
1681
1682 if (!TEST_mem_eq(msg, written, buf, readbytes))
1683 goto end;
1684
1685 testresult = 1;
1686 end:
1687 OPENSSL_free(msg);
1688 OPENSSL_free(buf);
1689 SSL_free(serverssl);
1690 SSL_free(clientssl);
1691 SSL_CTX_free(sctx);
1692 SSL_CTX_free(cctx);
1693 return testresult;
1694 }
1695
1696 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1697 const SSL_METHOD *cmeth,
1698 int min_version, int max_version)
1699 {
1700 size_t i;
1701 SSL_CTX *cctx = NULL, *sctx = NULL;
1702 SSL *clientssl = NULL, *serverssl = NULL;
1703 int testresult = 0;
1704 void *zbuf;
1705 SSL_CONNECTION *serversc;
1706 TLS_RECORD *rr;
1707
1708 static unsigned char cbuf[16000];
1709 static unsigned char sbuf[16000];
1710
1711 if (!TEST_true(create_ssl_ctx_pair(libctx,
1712 smeth, cmeth,
1713 min_version, max_version,
1714 &sctx, &cctx, cert,
1715 privkey)))
1716 goto end;
1717
1718 #ifdef OPENSSL_NO_DTLS1_2
1719 if (smeth == DTLS_server_method()) {
1720 # ifdef OPENSSL_NO_DTLS1_2
1721 /* Not supported in the FIPS provider */
1722 if (is_fips) {
1723 testresult = 1;
1724 goto end;
1725 };
1726 # endif
1727 /*
1728 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1729 * level 0
1730 */
1731 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1732 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1733 "DEFAULT:@SECLEVEL=0")))
1734 goto end;
1735 }
1736 #endif
1737
1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1739 NULL, NULL)))
1740 goto end;
1741
1742 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1743 goto end;
1744
1745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 SSL_ERROR_NONE)))
1747 goto end;
1748
1749 for (i = 0; i < sizeof(cbuf); i++) {
1750 cbuf[i] = i & 0xff;
1751 }
1752
1753 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1754 goto end;
1755
1756 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1757 goto end;
1758
1759 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1760 goto end;
1761
1762 /*
1763 * Since we called SSL_peek(), we know the data in the record
1764 * layer is a plaintext record. We can gather the pointer to check
1765 * for zeroization after SSL_read().
1766 */
1767 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1768 goto end;
1769 rr = serversc->rlayer.tlsrecs;
1770
1771 zbuf = &rr->data[rr->off];
1772 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1773 goto end;
1774
1775 /*
1776 * After SSL_peek() the plaintext must still be stored in the
1777 * record.
1778 */
1779 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1780 goto end;
1781
1782 memset(sbuf, 0, sizeof(sbuf));
1783 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1784 goto end;
1785
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 /* Check if rbuf is cleansed */
1790 memset(cbuf, 0, sizeof(cbuf));
1791 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1792 goto end;
1793
1794 testresult = 1;
1795 end:
1796 SSL_free(serverssl);
1797 SSL_free(clientssl);
1798 SSL_CTX_free(sctx);
1799 SSL_CTX_free(cctx);
1800
1801 return testresult;
1802 }
1803
1804 static int test_cleanse_plaintext(void)
1805 {
1806 #if !defined(OPENSSL_NO_TLS1_2)
1807 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1808 TLS_client_method(),
1809 TLS1_2_VERSION,
1810 TLS1_2_VERSION)))
1811 return 0;
1812
1813 #endif
1814
1815 #if !defined(OSSL_NO_USABLE_TLS1_3)
1816 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1817 TLS_client_method(),
1818 TLS1_3_VERSION,
1819 TLS1_3_VERSION)))
1820 return 0;
1821 #endif
1822
1823 #if !defined(OPENSSL_NO_DTLS)
1824
1825 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1826 DTLS_client_method(),
1827 DTLS1_VERSION,
1828 0)))
1829 return 0;
1830 #endif
1831 return 1;
1832 }
1833
1834 #ifndef OPENSSL_NO_OCSP
1835 static int ocsp_server_cb(SSL *s, void *arg)
1836 {
1837 int *argi = (int *)arg;
1838 unsigned char *copy = NULL;
1839 STACK_OF(OCSP_RESPID) *ids = NULL;
1840 OCSP_RESPID *id = NULL;
1841
1842 if (*argi == 2) {
1843 /* In this test we are expecting exactly 1 OCSP_RESPID */
1844 SSL_get_tlsext_status_ids(s, &ids);
1845 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1846 return SSL_TLSEXT_ERR_ALERT_FATAL;
1847
1848 id = sk_OCSP_RESPID_value(ids, 0);
1849 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1850 return SSL_TLSEXT_ERR_ALERT_FATAL;
1851 } else if (*argi != 1) {
1852 return SSL_TLSEXT_ERR_ALERT_FATAL;
1853 }
1854
1855 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857
1858 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1859 sizeof(orespder)))) {
1860 OPENSSL_free(copy);
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 }
1863 ocsp_server_called = 1;
1864 return SSL_TLSEXT_ERR_OK;
1865 }
1866
1867 static int ocsp_client_cb(SSL *s, void *arg)
1868 {
1869 int *argi = (int *)arg;
1870 const unsigned char *respderin;
1871 size_t len;
1872
1873 if (*argi != 1 && *argi != 2)
1874 return 0;
1875
1876 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1877 if (!TEST_mem_eq(orespder, len, respderin, len))
1878 return 0;
1879
1880 ocsp_client_called = 1;
1881 return 1;
1882 }
1883
1884 static int test_tlsext_status_type(void)
1885 {
1886 SSL_CTX *cctx = NULL, *sctx = NULL;
1887 SSL *clientssl = NULL, *serverssl = NULL;
1888 int testresult = 0;
1889 STACK_OF(OCSP_RESPID) *ids = NULL;
1890 OCSP_RESPID *id = NULL;
1891 BIO *certbio = NULL;
1892
1893 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1894 TLS1_VERSION, 0,
1895 &sctx, &cctx, cert, privkey))
1896 return 0;
1897
1898 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1899 goto end;
1900
1901 /* First just do various checks getting and setting tlsext_status_type */
1902
1903 clientssl = SSL_new(cctx);
1904 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1905 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1906 TLSEXT_STATUSTYPE_ocsp))
1907 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1908 TLSEXT_STATUSTYPE_ocsp))
1909 goto end;
1910
1911 SSL_free(clientssl);
1912 clientssl = NULL;
1913
1914 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1915 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1916 goto end;
1917
1918 clientssl = SSL_new(cctx);
1919 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1920 goto end;
1921 SSL_free(clientssl);
1922 clientssl = NULL;
1923
1924 /*
1925 * Now actually do a handshake and check OCSP information is exchanged and
1926 * the callbacks get called
1927 */
1928 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1929 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1930 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1931 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1933 &clientssl, NULL, NULL))
1934 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1935 SSL_ERROR_NONE))
1936 || !TEST_true(ocsp_client_called)
1937 || !TEST_true(ocsp_server_called))
1938 goto end;
1939 SSL_free(serverssl);
1940 SSL_free(clientssl);
1941 serverssl = NULL;
1942 clientssl = NULL;
1943
1944 /* Try again but this time force the server side callback to fail */
1945 ocsp_client_called = 0;
1946 ocsp_server_called = 0;
1947 cdummyarg = 0;
1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1949 &clientssl, NULL, NULL))
1950 /* This should fail because the callback will fail */
1951 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1952 SSL_ERROR_NONE))
1953 || !TEST_false(ocsp_client_called)
1954 || !TEST_false(ocsp_server_called))
1955 goto end;
1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = NULL;
1959 clientssl = NULL;
1960
1961 /*
1962 * This time we'll get the client to send an OCSP_RESPID that it will
1963 * accept.
1964 */
1965 ocsp_client_called = 0;
1966 ocsp_server_called = 0;
1967 cdummyarg = 2;
1968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1969 &clientssl, NULL, NULL)))
1970 goto end;
1971
1972 /*
1973 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1974 * specific one. We'll use the server cert.
1975 */
1976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1977 || !TEST_ptr(id = OCSP_RESPID_new())
1978 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1979 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1980 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1981 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1982 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1983 goto end;
1984 id = NULL;
1985 SSL_set_tlsext_status_ids(clientssl, ids);
1986 /* Control has been transferred */
1987 ids = NULL;
1988
1989 BIO_free(certbio);
1990 certbio = NULL;
1991
1992 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1993 SSL_ERROR_NONE))
1994 || !TEST_true(ocsp_client_called)
1995 || !TEST_true(ocsp_server_called))
1996 goto end;
1997
1998 testresult = 1;
1999
2000 end:
2001 SSL_free(serverssl);
2002 SSL_free(clientssl);
2003 SSL_CTX_free(sctx);
2004 SSL_CTX_free(cctx);
2005 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2006 OCSP_RESPID_free(id);
2007 BIO_free(certbio);
2008 X509_free(ocspcert);
2009 ocspcert = NULL;
2010
2011 return testresult;
2012 }
2013 #endif
2014
2015 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2016 static int new_called, remove_called, get_called;
2017
2018 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2019 {
2020 new_called++;
2021 /*
2022 * sess has been up-refed for us, but we don't actually need it so free it
2023 * immediately.
2024 */
2025 SSL_SESSION_free(sess);
2026 return 1;
2027 }
2028
2029 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2030 {
2031 remove_called++;
2032 }
2033
2034 static SSL_SESSION *get_sess_val = NULL;
2035
2036 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2037 int *copy)
2038 {
2039 get_called++;
2040 *copy = 1;
2041 return get_sess_val;
2042 }
2043
2044 static int execute_test_session(int maxprot, int use_int_cache,
2045 int use_ext_cache, long s_options)
2046 {
2047 SSL_CTX *sctx = NULL, *cctx = NULL;
2048 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2049 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2050 # ifndef OPENSSL_NO_TLS1_1
2051 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2052 # endif
2053 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2054 int testresult = 0, numnewsesstick = 1;
2055
2056 new_called = remove_called = 0;
2057
2058 /* TLSv1.3 sends 2 NewSessionTickets */
2059 if (maxprot == TLS1_3_VERSION)
2060 numnewsesstick = 2;
2061
2062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2063 TLS_client_method(), TLS1_VERSION, 0,
2064 &sctx, &cctx, cert, privkey)))
2065 return 0;
2066
2067 /*
2068 * Only allow the max protocol version so we can force a connection failure
2069 * later
2070 */
2071 SSL_CTX_set_min_proto_version(cctx, maxprot);
2072 SSL_CTX_set_max_proto_version(cctx, maxprot);
2073
2074 /* Set up session cache */
2075 if (use_ext_cache) {
2076 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2077 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2078 }
2079 if (use_int_cache) {
2080 /* Also covers instance where both are set */
2081 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2082 } else {
2083 SSL_CTX_set_session_cache_mode(cctx,
2084 SSL_SESS_CACHE_CLIENT
2085 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2086 }
2087
2088 if (s_options) {
2089 SSL_CTX_set_options(sctx, s_options);
2090 }
2091
2092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2093 NULL, NULL))
2094 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2095 SSL_ERROR_NONE))
2096 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2097 goto end;
2098
2099 /* Should fail because it should already be in the cache */
2100 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2101 goto end;
2102 if (use_ext_cache
2103 && (!TEST_int_eq(new_called, numnewsesstick)
2104
2105 || !TEST_int_eq(remove_called, 0)))
2106 goto end;
2107
2108 new_called = remove_called = 0;
2109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2110 &clientssl2, NULL, NULL))
2111 || !TEST_true(SSL_set_session(clientssl2, sess1))
2112 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2113 SSL_ERROR_NONE))
2114 || !TEST_true(SSL_session_reused(clientssl2)))
2115 goto end;
2116
2117 if (maxprot == TLS1_3_VERSION) {
2118 /*
2119 * In TLSv1.3 we should have created a new session even though we have
2120 * resumed. Since we attempted a resume we should also have removed the
2121 * old ticket from the cache so that we try to only use tickets once.
2122 */
2123 if (use_ext_cache
2124 && (!TEST_int_eq(new_called, 1)
2125 || !TEST_int_eq(remove_called, 1)))
2126 goto end;
2127 } else {
2128 /*
2129 * In TLSv1.2 we expect to have resumed so no sessions added or
2130 * removed.
2131 */
2132 if (use_ext_cache
2133 && (!TEST_int_eq(new_called, 0)
2134 || !TEST_int_eq(remove_called, 0)))
2135 goto end;
2136 }
2137
2138 SSL_SESSION_free(sess1);
2139 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2140 goto end;
2141 shutdown_ssl_connection(serverssl2, clientssl2);
2142 serverssl2 = clientssl2 = NULL;
2143
2144 new_called = remove_called = 0;
2145 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2146 &clientssl2, NULL, NULL))
2147 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2148 SSL_ERROR_NONE)))
2149 goto end;
2150
2151 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2152 goto end;
2153
2154 if (use_ext_cache
2155 && (!TEST_int_eq(new_called, numnewsesstick)
2156 || !TEST_int_eq(remove_called, 0)))
2157 goto end;
2158
2159 new_called = remove_called = 0;
2160 /*
2161 * This should clear sess2 from the cache because it is a "bad" session.
2162 * See SSL_set_session() documentation.
2163 */
2164 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2165 goto end;
2166 if (use_ext_cache
2167 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2168 goto end;
2169 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2170 goto end;
2171
2172 if (use_int_cache) {
2173 /* Should succeeded because it should not already be in the cache */
2174 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2175 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2176 goto end;
2177 }
2178
2179 new_called = remove_called = 0;
2180 /* This shouldn't be in the cache so should fail */
2181 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2182 goto end;
2183
2184 if (use_ext_cache
2185 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2186 goto end;
2187
2188 # if !defined(OPENSSL_NO_TLS1_1)
2189 new_called = remove_called = 0;
2190 /* Force a connection failure */
2191 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2193 &clientssl3, NULL, NULL))
2194 || !TEST_true(SSL_set_session(clientssl3, sess1))
2195 /* This should fail because of the mismatched protocol versions */
2196 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2197 SSL_ERROR_NONE)))
2198 goto end;
2199
2200 /* We should have automatically removed the session from the cache */
2201 if (use_ext_cache
2202 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2203 goto end;
2204
2205 /* Should succeed because it should not already be in the cache */
2206 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2207 goto end;
2208 # endif
2209
2210 /* Now do some tests for server side caching */
2211 if (use_ext_cache) {
2212 SSL_CTX_sess_set_new_cb(cctx, NULL);
2213 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2214 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2215 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2216 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2217 get_sess_val = NULL;
2218 }
2219
2220 SSL_CTX_set_session_cache_mode(cctx, 0);
2221 /* Internal caching is the default on the server side */
2222 if (!use_int_cache)
2223 SSL_CTX_set_session_cache_mode(sctx,
2224 SSL_SESS_CACHE_SERVER
2225 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2226
2227 SSL_free(serverssl1);
2228 SSL_free(clientssl1);
2229 serverssl1 = clientssl1 = NULL;
2230 SSL_free(serverssl2);
2231 SSL_free(clientssl2);
2232 serverssl2 = clientssl2 = NULL;
2233 SSL_SESSION_free(sess1);
2234 sess1 = NULL;
2235 SSL_SESSION_free(sess2);
2236 sess2 = NULL;
2237
2238 SSL_CTX_set_max_proto_version(sctx, maxprot);
2239 if (maxprot == TLS1_2_VERSION)
2240 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2241 new_called = remove_called = get_called = 0;
2242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2243 NULL, NULL))
2244 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2245 SSL_ERROR_NONE))
2246 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2247 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2248 goto end;
2249
2250 if (use_int_cache) {
2251 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2252 /*
2253 * In TLSv1.3 it should not have been added to the internal cache,
2254 * except in the case where we also have an external cache (in that
2255 * case it gets added to the cache in order to generate remove
2256 * events after timeout).
2257 */
2258 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2259 goto end;
2260 } else {
2261 /* Should fail because it should already be in the cache */
2262 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2263 goto end;
2264 }
2265 }
2266
2267 if (use_ext_cache) {
2268 SSL_SESSION *tmp = sess2;
2269
2270 if (!TEST_int_eq(new_called, numnewsesstick)
2271 || !TEST_int_eq(remove_called, 0)
2272 || !TEST_int_eq(get_called, 0))
2273 goto end;
2274 /*
2275 * Delete the session from the internal cache to force a lookup from
2276 * the external cache. We take a copy first because
2277 * SSL_CTX_remove_session() also marks the session as non-resumable.
2278 */
2279 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2280 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2281 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2282 goto end;
2283 SSL_SESSION_free(sess2);
2284 }
2285 sess2 = tmp;
2286 }
2287
2288 new_called = remove_called = get_called = 0;
2289 get_sess_val = sess2;
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2291 &clientssl2, NULL, NULL))
2292 || !TEST_true(SSL_set_session(clientssl2, sess1))
2293 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2294 SSL_ERROR_NONE))
2295 || !TEST_true(SSL_session_reused(clientssl2)))
2296 goto end;
2297
2298 if (use_ext_cache) {
2299 if (!TEST_int_eq(remove_called, 0))
2300 goto end;
2301
2302 if (maxprot == TLS1_3_VERSION) {
2303 if (!TEST_int_eq(new_called, 1)
2304 || !TEST_int_eq(get_called, 0))
2305 goto end;
2306 } else {
2307 if (!TEST_int_eq(new_called, 0)
2308 || !TEST_int_eq(get_called, 1))
2309 goto end;
2310 }
2311 }
2312 /*
2313 * Make a small cache, force out all other sessions but
2314 * sess2, try to add sess1, which should succeed. Then
2315 * make sure it's there by checking the owners. Despite
2316 * the timeouts, sess1 should have kicked out sess2
2317 */
2318
2319 /* Make sess1 expire before sess2 */
2320 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2321 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2322 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2323 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2324 goto end;
2325
2326 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2327 goto end;
2328
2329 /* Don't care about results - cache should only be sess2 at end */
2330 SSL_CTX_add_session(sctx, sess1);
2331 SSL_CTX_add_session(sctx, sess2);
2332
2333 /* Now add sess1, and make sure it remains, despite timeout */
2334 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2335 || !TEST_ptr(sess1->owner)
2336 || !TEST_ptr_null(sess2->owner))
2337 goto end;
2338
2339 testresult = 1;
2340
2341 end:
2342 SSL_free(serverssl1);
2343 SSL_free(clientssl1);
2344 SSL_free(serverssl2);
2345 SSL_free(clientssl2);
2346 # ifndef OPENSSL_NO_TLS1_1
2347 SSL_free(serverssl3);
2348 SSL_free(clientssl3);
2349 # endif
2350 SSL_SESSION_free(sess1);
2351 SSL_SESSION_free(sess2);
2352 SSL_CTX_free(sctx);
2353 SSL_CTX_free(cctx);
2354
2355 return testresult;
2356 }
2357 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2358
2359 static int test_session_with_only_int_cache(void)
2360 {
2361 #ifndef OSSL_NO_USABLE_TLS1_3
2362 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2363 return 0;
2364 #endif
2365
2366 #ifndef OPENSSL_NO_TLS1_2
2367 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2368 #else
2369 return 1;
2370 #endif
2371 }
2372
2373 static int test_session_with_only_ext_cache(void)
2374 {
2375 #ifndef OSSL_NO_USABLE_TLS1_3
2376 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2377 return 0;
2378 #endif
2379
2380 #ifndef OPENSSL_NO_TLS1_2
2381 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2382 #else
2383 return 1;
2384 #endif
2385 }
2386
2387 static int test_session_with_both_cache(void)
2388 {
2389 #ifndef OSSL_NO_USABLE_TLS1_3
2390 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2391 return 0;
2392 #endif
2393
2394 #ifndef OPENSSL_NO_TLS1_2
2395 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2396 #else
2397 return 1;
2398 #endif
2399 }
2400
2401 static int test_session_wo_ca_names(void)
2402 {
2403 #ifndef OSSL_NO_USABLE_TLS1_3
2404 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2405 return 0;
2406 #endif
2407
2408 #ifndef OPENSSL_NO_TLS1_2
2409 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2410 #else
2411 return 1;
2412 #endif
2413 }
2414
2415
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 static SSL_SESSION *sesscache[6];
2418 static int do_cache;
2419
2420 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2421 {
2422 if (do_cache) {
2423 sesscache[new_called] = sess;
2424 } else {
2425 /* We don't need the reference to the session, so free it */
2426 SSL_SESSION_free(sess);
2427 }
2428 new_called++;
2429
2430 return 1;
2431 }
2432
2433 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2434 {
2435 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2436 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2437 return 0;
2438
2439 /* Start handshake on the server and client */
2440 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2441 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2442 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2443 || !TEST_true(create_ssl_connection(sssl, cssl,
2444 SSL_ERROR_NONE)))
2445 return 0;
2446
2447 return 1;
2448 }
2449
2450 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2451 SSL_CTX **cctx)
2452 {
2453 int sess_id_ctx = 1;
2454
2455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2456 TLS_client_method(), TLS1_VERSION, 0,
2457 sctx, cctx, cert, privkey))
2458 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2459 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2460 (void *)&sess_id_ctx,
2461 sizeof(sess_id_ctx))))
2462 return 0;
2463
2464 if (stateful)
2465 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2466
2467 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2469 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2470
2471 return 1;
2472 }
2473
2474 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2475 {
2476 SSL *serverssl = NULL, *clientssl = NULL;
2477 int i;
2478
2479 /* Test that we can resume with all the tickets we got given */
2480 for (i = 0; i < idx * 2; i++) {
2481 new_called = 0;
2482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2483 &clientssl, NULL, NULL))
2484 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2485 goto end;
2486
2487 SSL_set_post_handshake_auth(clientssl, 1);
2488
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_NONE)))
2491 goto end;
2492
2493 /*
2494 * Following a successful resumption we only get 1 ticket. After a
2495 * failed one we should get idx tickets.
2496 */
2497 if (succ) {
2498 if (!TEST_true(SSL_session_reused(clientssl))
2499 || !TEST_int_eq(new_called, 1))
2500 goto end;
2501 } else {
2502 if (!TEST_false(SSL_session_reused(clientssl))
2503 || !TEST_int_eq(new_called, idx))
2504 goto end;
2505 }
2506
2507 new_called = 0;
2508 /* After a post-handshake authentication we should get 1 new ticket */
2509 if (succ
2510 && (!post_handshake_verify(serverssl, clientssl)
2511 || !TEST_int_eq(new_called, 1)))
2512 goto end;
2513
2514 SSL_shutdown(clientssl);
2515 SSL_shutdown(serverssl);
2516 SSL_free(serverssl);
2517 SSL_free(clientssl);
2518 serverssl = clientssl = NULL;
2519 SSL_SESSION_free(sesscache[i]);
2520 sesscache[i] = NULL;
2521 }
2522
2523 return 1;
2524
2525 end:
2526 SSL_free(clientssl);
2527 SSL_free(serverssl);
2528 return 0;
2529 }
2530
2531 static int test_tickets(int stateful, int idx)
2532 {
2533 SSL_CTX *sctx = NULL, *cctx = NULL;
2534 SSL *serverssl = NULL, *clientssl = NULL;
2535 int testresult = 0;
2536 size_t j;
2537
2538 /* idx is the test number, but also the number of tickets we want */
2539
2540 new_called = 0;
2541 do_cache = 1;
2542
2543 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2544 goto end;
2545
2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2547 &clientssl, NULL, NULL)))
2548 goto end;
2549
2550 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2551 SSL_ERROR_NONE))
2552 /* Check we got the number of tickets we were expecting */
2553 || !TEST_int_eq(idx, new_called))
2554 goto end;
2555
2556 SSL_shutdown(clientssl);
2557 SSL_shutdown(serverssl);
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2560 SSL_CTX_free(sctx);
2561 SSL_CTX_free(cctx);
2562 clientssl = serverssl = NULL;
2563 sctx = cctx = NULL;
2564
2565 /*
2566 * Now we try to resume with the tickets we previously created. The
2567 * resumption attempt is expected to fail (because we're now using a new
2568 * SSL_CTX). We should see idx number of tickets issued again.
2569 */
2570
2571 /* Stop caching sessions - just count them */
2572 do_cache = 0;
2573
2574 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2575 goto end;
2576
2577 if (!check_resumption(idx, sctx, cctx, 0))
2578 goto end;
2579
2580 /* Start again with caching sessions */
2581 new_called = 0;
2582 do_cache = 1;
2583 SSL_CTX_free(sctx);
2584 SSL_CTX_free(cctx);
2585 sctx = cctx = NULL;
2586
2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2588 goto end;
2589
2590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2591 &clientssl, NULL, NULL)))
2592 goto end;
2593
2594 SSL_set_post_handshake_auth(clientssl, 1);
2595
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2597 SSL_ERROR_NONE))
2598 /* Check we got the number of tickets we were expecting */
2599 || !TEST_int_eq(idx, new_called))
2600 goto end;
2601
2602 /* After a post-handshake authentication we should get new tickets issued */
2603 if (!post_handshake_verify(serverssl, clientssl)
2604 || !TEST_int_eq(idx * 2, new_called))
2605 goto end;
2606
2607 SSL_shutdown(clientssl);
2608 SSL_shutdown(serverssl);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 serverssl = clientssl = NULL;
2612
2613 /* Stop caching sessions - just count them */
2614 do_cache = 0;
2615
2616 /*
2617 * Check we can resume with all the tickets we created. This time around the
2618 * resumptions should all be successful.
2619 */
2620 if (!check_resumption(idx, sctx, cctx, 1))
2621 goto end;
2622
2623 testresult = 1;
2624
2625 end:
2626 SSL_free(serverssl);
2627 SSL_free(clientssl);
2628 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2629 SSL_SESSION_free(sesscache[j]);
2630 sesscache[j] = NULL;
2631 }
2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634
2635 return testresult;
2636 }
2637
2638 static int test_stateless_tickets(int idx)
2639 {
2640 return test_tickets(0, idx);
2641 }
2642
2643 static int test_stateful_tickets(int idx)
2644 {
2645 return test_tickets(1, idx);
2646 }
2647
2648 static int test_psk_tickets(void)
2649 {
2650 SSL_CTX *sctx = NULL, *cctx = NULL;
2651 SSL *serverssl = NULL, *clientssl = NULL;
2652 int testresult = 0;
2653 int sess_id_ctx = 1;
2654
2655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2656 TLS_client_method(), TLS1_VERSION, 0,
2657 &sctx, &cctx, NULL, NULL))
2658 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2659 (void *)&sess_id_ctx,
2660 sizeof(sess_id_ctx))))
2661 goto end;
2662
2663 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2665 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2666 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2667 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2668 use_session_cb_cnt = 0;
2669 find_session_cb_cnt = 0;
2670 srvid = pskid;
2671 new_called = 0;
2672
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2674 NULL, NULL)))
2675 goto end;
2676 clientpsk = serverpsk = create_a_psk(clientssl);
2677 if (!TEST_ptr(clientpsk))
2678 goto end;
2679 SSL_SESSION_up_ref(clientpsk);
2680
2681 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2682 SSL_ERROR_NONE))
2683 || !TEST_int_eq(1, find_session_cb_cnt)
2684 || !TEST_int_eq(1, use_session_cb_cnt)
2685 /* We should always get 1 ticket when using external PSK */
2686 || !TEST_int_eq(1, new_called))
2687 goto end;
2688
2689 testresult = 1;
2690
2691 end:
2692 SSL_free(serverssl);
2693 SSL_free(clientssl);
2694 SSL_CTX_free(sctx);
2695 SSL_CTX_free(cctx);
2696 SSL_SESSION_free(clientpsk);
2697 SSL_SESSION_free(serverpsk);
2698 clientpsk = serverpsk = NULL;
2699
2700 return testresult;
2701 }
2702
2703 static int test_extra_tickets(int idx)
2704 {
2705 SSL_CTX *sctx = NULL, *cctx = NULL;
2706 SSL *serverssl = NULL, *clientssl = NULL;
2707 BIO *bretry = BIO_new(bio_s_always_retry());
2708 BIO *tmp = NULL;
2709 int testresult = 0;
2710 int stateful = 0;
2711 size_t nbytes;
2712 unsigned char c, buf[1];
2713
2714 new_called = 0;
2715 do_cache = 1;
2716
2717 if (idx >= 3) {
2718 idx -= 3;
2719 stateful = 1;
2720 }
2721
2722 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2723 goto end;
2724 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2725 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2726 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2727
2728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2729 &clientssl, NULL, NULL)))
2730 goto end;
2731
2732 /*
2733 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2734 * incremented by both client and server.
2735 */
2736 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2737 SSL_ERROR_NONE))
2738 /* Check we got the number of tickets we were expecting */
2739 || !TEST_int_eq(idx * 2, new_called)
2740 || !TEST_true(SSL_new_session_ticket(serverssl))
2741 || !TEST_true(SSL_new_session_ticket(serverssl))
2742 || !TEST_int_eq(idx * 2, new_called))
2743 goto end;
2744
2745 /* Now try a (real) write to actually send the tickets */
2746 c = '1';
2747 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2748 || !TEST_size_t_eq(1, nbytes)
2749 || !TEST_int_eq(idx * 2 + 2, new_called)
2750 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2751 || !TEST_int_eq(idx * 2 + 4, new_called)
2752 || !TEST_int_eq(sizeof(buf), nbytes)
2753 || !TEST_int_eq(c, buf[0])
2754 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2755 goto end;
2756
2757 /* Try with only requesting one new ticket, too */
2758 c = '2';
2759 new_called = 0;
2760 if (!TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2762 || !TEST_size_t_eq(sizeof(c), nbytes)
2763 || !TEST_int_eq(1, new_called)
2764 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_size_t_eq(sizeof(buf), nbytes)
2767 || !TEST_int_eq(c, buf[0]))
2768 goto end;
2769
2770 /* Do it again but use dummy writes to drive the ticket generation */
2771 c = '3';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_new_session_ticket(serverssl))
2775 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2776 || !TEST_size_t_eq(0, nbytes)
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779 || !TEST_int_eq(4, new_called))
2780 goto end;
2781
2782 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2783 c = '4';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_do_handshake(serverssl))
2788 || !TEST_int_eq(2, new_called)
2789 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2790 || !TEST_int_eq(4, new_called))
2791 goto end;
2792
2793 /*
2794 * Use the always-retry BIO to exercise the logic that forces ticket
2795 * generation to wait until a record boundary.
2796 */
2797 c = '5';
2798 new_called = 0;
2799 tmp = SSL_get_wbio(serverssl);
2800 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2801 tmp = NULL;
2802 goto end;
2803 }
2804 SSL_set0_wbio(serverssl, bretry);
2805 bretry = NULL;
2806 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2807 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2808 || !TEST_size_t_eq(nbytes, 0))
2809 goto end;
2810 /* Restore a BIO that will let the write succeed */
2811 SSL_set0_wbio(serverssl, tmp);
2812 tmp = NULL;
2813 /*
2814 * These calls should just queue the request and not send anything
2815 * even if we explicitly try to hit the state machine.
2816 */
2817 if (!TEST_true(SSL_new_session_ticket(serverssl))
2818 || !TEST_true(SSL_new_session_ticket(serverssl))
2819 || !TEST_int_eq(0, new_called)
2820 || !TEST_true(SSL_do_handshake(serverssl))
2821 || !TEST_int_eq(0, new_called))
2822 goto end;
2823 /* Re-do the write; still no tickets sent */
2824 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2825 || !TEST_size_t_eq(1, nbytes)
2826 || !TEST_int_eq(0, new_called)
2827 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_int_eq(sizeof(buf), nbytes)
2830 || !TEST_int_eq(c, buf[0])
2831 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2832 goto end;
2833 /* Even trying to hit the state machine now will still not send tickets */
2834 if (!TEST_true(SSL_do_handshake(serverssl))
2835 || !TEST_int_eq(0, new_called))
2836 goto end;
2837 /* Now the *next* write should send the tickets */
2838 c = '6';
2839 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2840 || !TEST_size_t_eq(1, nbytes)
2841 || !TEST_int_eq(2, new_called)
2842 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2843 || !TEST_int_eq(4, new_called)
2844 || !TEST_int_eq(sizeof(buf), nbytes)
2845 || !TEST_int_eq(c, buf[0])
2846 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2847 goto end;
2848
2849 SSL_shutdown(clientssl);
2850 SSL_shutdown(serverssl);
2851 testresult = 1;
2852
2853 end:
2854 BIO_free(bretry);
2855 BIO_free(tmp);
2856 SSL_free(serverssl);
2857 SSL_free(clientssl);
2858 SSL_CTX_free(sctx);
2859 SSL_CTX_free(cctx);
2860 clientssl = serverssl = NULL;
2861 sctx = cctx = NULL;
2862 return testresult;
2863 }
2864 #endif
2865
2866 #define USE_NULL 0
2867 #define USE_BIO_1 1
2868 #define USE_BIO_2 2
2869 #define USE_DEFAULT 3
2870
2871 #define CONNTYPE_CONNECTION_SUCCESS 0
2872 #define CONNTYPE_CONNECTION_FAIL 1
2873 #define CONNTYPE_NO_CONNECTION 2
2874
2875 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2876 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2877 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2878 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2879 #else
2880 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2881 #endif
2882
2883 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2884 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2885 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2886
2887 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2888 {
2889 switch (type) {
2890 case USE_NULL:
2891 *res = NULL;
2892 break;
2893 case USE_BIO_1:
2894 *res = bio1;
2895 break;
2896 case USE_BIO_2:
2897 *res = bio2;
2898 break;
2899 }
2900 }
2901
2902
2903 /*
2904 * Tests calls to SSL_set_bio() under various conditions.
2905 *
2906 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2908 * then do more tests where we create a successful connection first using our
2909 * standard connection setup functions, and then call SSL_set_bio() with
2910 * various combinations of valid BIOs or NULL. We then repeat these tests
2911 * following a failed connection. In this last case we are looking to check that
2912 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2913 */
2914 static int test_ssl_set_bio(int idx)
2915 {
2916 SSL_CTX *sctx = NULL, *cctx = NULL;
2917 BIO *bio1 = NULL;
2918 BIO *bio2 = NULL;
2919 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2920 SSL *serverssl = NULL, *clientssl = NULL;
2921 int initrbio, initwbio, newrbio, newwbio, conntype;
2922 int testresult = 0;
2923
2924 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2925 initrbio = idx % 3;
2926 idx /= 3;
2927 initwbio = idx % 3;
2928 idx /= 3;
2929 newrbio = idx % 3;
2930 idx /= 3;
2931 newwbio = idx % 3;
2932 conntype = CONNTYPE_NO_CONNECTION;
2933 } else {
2934 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2935 initrbio = initwbio = USE_DEFAULT;
2936 newrbio = idx % 2;
2937 idx /= 2;
2938 newwbio = idx % 2;
2939 idx /= 2;
2940 conntype = idx % 2;
2941 }
2942
2943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2944 TLS_client_method(), TLS1_VERSION, 0,
2945 &sctx, &cctx, cert, privkey)))
2946 goto end;
2947
2948 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2949 /*
2950 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2951 * because we reduced the number of tests in the definition of
2952 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2953 * mismatched protocol versions we will force a connection failure.
2954 */
2955 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2956 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2957 }
2958
2959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2960 NULL, NULL)))
2961 goto end;
2962
2963 if (initrbio == USE_BIO_1
2964 || initwbio == USE_BIO_1
2965 || newrbio == USE_BIO_1
2966 || newwbio == USE_BIO_1) {
2967 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2968 goto end;
2969 }
2970
2971 if (initrbio == USE_BIO_2
2972 || initwbio == USE_BIO_2
2973 || newrbio == USE_BIO_2
2974 || newwbio == USE_BIO_2) {
2975 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2976 goto end;
2977 }
2978
2979 if (initrbio != USE_DEFAULT) {
2980 setupbio(&irbio, bio1, bio2, initrbio);
2981 setupbio(&iwbio, bio1, bio2, initwbio);
2982 SSL_set_bio(clientssl, irbio, iwbio);
2983
2984 /*
2985 * We want to maintain our own refs to these BIO, so do an up ref for
2986 * each BIO that will have ownership transferred in the SSL_set_bio()
2987 * call
2988 */
2989 if (irbio != NULL)
2990 BIO_up_ref(irbio);
2991 if (iwbio != NULL && iwbio != irbio)
2992 BIO_up_ref(iwbio);
2993 }
2994
2995 if (conntype != CONNTYPE_NO_CONNECTION
2996 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2997 SSL_ERROR_NONE)
2998 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2999 goto end;
3000
3001 setupbio(&nrbio, bio1, bio2, newrbio);
3002 setupbio(&nwbio, bio1, bio2, newwbio);
3003
3004 /*
3005 * We will (maybe) transfer ownership again so do more up refs.
3006 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3007 * already been set!
3008 */
3009 if (nrbio != NULL
3010 && nrbio != irbio
3011 && (nwbio != iwbio || nrbio != nwbio))
3012 BIO_up_ref(nrbio);
3013 if (nwbio != NULL
3014 && nwbio != nrbio
3015 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3016 BIO_up_ref(nwbio);
3017
3018 SSL_set_bio(clientssl, nrbio, nwbio);
3019
3020 testresult = 1;
3021
3022 end:
3023 BIO_free(bio1);
3024 BIO_free(bio2);
3025
3026 /*
3027 * This test is checking that the ref counting for SSL_set_bio is correct.
3028 * If we get here and we did too many frees then we will fail in the above
3029 * functions.
3030 */
3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 SSL_CTX_free(sctx);
3034 SSL_CTX_free(cctx);
3035 return testresult;
3036 }
3037
3038 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3039
3040 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3041 {
3042 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3043 SSL_CTX *ctx;
3044 SSL *ssl = NULL;
3045 int testresult = 0;
3046
3047 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3048 || !TEST_ptr(ssl = SSL_new(ctx))
3049 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3050 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3051 goto end;
3052
3053 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3054
3055 /*
3056 * If anything goes wrong here then we could leak memory.
3057 */
3058 BIO_push(sslbio, membio1);
3059
3060 /* Verify changing the rbio/wbio directly does not cause leaks */
3061 if (change_bio != NO_BIO_CHANGE) {
3062 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3063 ssl = NULL;
3064 goto end;
3065 }
3066 if (change_bio == CHANGE_RBIO)
3067 SSL_set0_rbio(ssl, membio2);
3068 else
3069 SSL_set0_wbio(ssl, membio2);
3070 }
3071 ssl = NULL;
3072
3073 if (pop_ssl)
3074 BIO_pop(sslbio);
3075 else
3076 BIO_pop(membio1);
3077
3078 testresult = 1;
3079 end:
3080 BIO_free(membio1);
3081 BIO_free(sslbio);
3082 SSL_free(ssl);
3083 SSL_CTX_free(ctx);
3084
3085 return testresult;
3086 }
3087
3088 static int test_ssl_bio_pop_next_bio(void)
3089 {
3090 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3091 }
3092
3093 static int test_ssl_bio_pop_ssl_bio(void)
3094 {
3095 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3096 }
3097
3098 static int test_ssl_bio_change_rbio(void)
3099 {
3100 return execute_test_ssl_bio(0, CHANGE_RBIO);
3101 }
3102
3103 static int test_ssl_bio_change_wbio(void)
3104 {
3105 return execute_test_ssl_bio(0, CHANGE_WBIO);
3106 }
3107
3108 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3109 typedef struct {
3110 /* The list of sig algs */
3111 const int *list;
3112 /* The length of the list */
3113 size_t listlen;
3114 /* A sigalgs list in string format */
3115 const char *liststr;
3116 /* Whether setting the list should succeed */
3117 int valid;
3118 /* Whether creating a connection with the list should succeed */
3119 int connsuccess;
3120 } sigalgs_list;
3121
3122 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3123 # ifndef OPENSSL_NO_EC
3124 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3125 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3126 # endif
3127 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3128 static const int invalidlist2[] = {NID_sha256, NID_undef};
3129 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3130 static const int invalidlist4[] = {NID_sha256};
3131 static const sigalgs_list testsigalgs[] = {
3132 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3133 # ifndef OPENSSL_NO_EC
3134 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3135 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3136 # endif
3137 {NULL, 0, "RSA+SHA256", 1, 1},
3138 # ifndef OPENSSL_NO_EC
3139 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3140 {NULL, 0, "ECDSA+SHA512", 1, 0},
3141 # endif
3142 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3143 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3144 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3145 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3146 {NULL, 0, "RSA", 0, 0},
3147 {NULL, 0, "SHA256", 0, 0},
3148 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3149 {NULL, 0, "Invalid", 0, 0}
3150 };
3151
3152 static int test_set_sigalgs(int idx)
3153 {
3154 SSL_CTX *cctx = NULL, *sctx = NULL;
3155 SSL *clientssl = NULL, *serverssl = NULL;
3156 int testresult = 0;
3157 const sigalgs_list *curr;
3158 int testctx;
3159
3160 /* Should never happen */
3161 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3162 return 0;
3163
3164 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3165 curr = testctx ? &testsigalgs[idx]
3166 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3167
3168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3169 TLS_client_method(), TLS1_VERSION, 0,
3170 &sctx, &cctx, cert, privkey)))
3171 return 0;
3172
3173 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3174
3175 if (testctx) {
3176 int ret;
3177
3178 if (curr->list != NULL)
3179 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3180 else
3181 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3182
3183 if (!ret) {
3184 if (curr->valid)
3185 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3186 else
3187 testresult = 1;
3188 goto end;
3189 }
3190 if (!curr->valid) {
3191 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3192 goto end;
3193 }
3194 }
3195
3196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3197 &clientssl, NULL, NULL)))
3198 goto end;
3199
3200 if (!testctx) {
3201 int ret;
3202
3203 if (curr->list != NULL)
3204 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3205 else
3206 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3207 if (!ret) {
3208 if (curr->valid)
3209 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3210 else
3211 testresult = 1;
3212 goto end;
3213 }
3214 if (!curr->valid)
3215 goto end;
3216 }
3217
3218 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3219 SSL_ERROR_NONE),
3220 curr->connsuccess))
3221 goto end;
3222
3223 testresult = 1;
3224
3225 end:
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230
3231 return testresult;
3232 }
3233 #endif
3234
3235 #ifndef OSSL_NO_USABLE_TLS1_3
3236 static int psk_client_cb_cnt = 0;
3237 static int psk_server_cb_cnt = 0;
3238
3239 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3240 size_t *idlen, SSL_SESSION **sess)
3241 {
3242 switch (++use_session_cb_cnt) {
3243 case 1:
3244 /* The first call should always have a NULL md */
3245 if (md != NULL)
3246 return 0;
3247 break;
3248
3249 case 2:
3250 /* The second call should always have an md */
3251 if (md == NULL)
3252 return 0;
3253 break;
3254
3255 default:
3256 /* We should only be called a maximum of twice */
3257 return 0;
3258 }
3259
3260 if (clientpsk != NULL)
3261 SSL_SESSION_up_ref(clientpsk);
3262
3263 *sess = clientpsk;
3264 *id = (const unsigned char *)pskid;
3265 *idlen = strlen(pskid);
3266
3267 return 1;
3268 }
3269
3270 #ifndef OPENSSL_NO_PSK
3271 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3272 unsigned int max_id_len,
3273 unsigned char *psk,
3274 unsigned int max_psk_len)
3275 {
3276 unsigned int psklen = 0;
3277
3278 psk_client_cb_cnt++;
3279
3280 if (strlen(pskid) + 1 > max_id_len)
3281 return 0;
3282
3283 /* We should only ever be called a maximum of twice per connection */
3284 if (psk_client_cb_cnt > 2)
3285 return 0;
3286
3287 if (clientpsk == NULL)
3288 return 0;
3289
3290 /* We'll reuse the PSK we set up for TLSv1.3 */
3291 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3292 return 0;
3293 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3294 strncpy(id, pskid, max_id_len);
3295
3296 return psklen;
3297 }
3298 #endif /* OPENSSL_NO_PSK */
3299
3300 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3301 size_t identity_len, SSL_SESSION **sess)
3302 {
3303 find_session_cb_cnt++;
3304
3305 /* We should only ever be called a maximum of twice per connection */
3306 if (find_session_cb_cnt > 2)
3307 return 0;
3308
3309 if (serverpsk == NULL)
3310 return 0;
3311
3312 /* Identity should match that set by the client */
3313 if (strlen(srvid) != identity_len
3314 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3315 /* No PSK found, continue but without a PSK */
3316 *sess = NULL;
3317 return 1;
3318 }
3319
3320 SSL_SESSION_up_ref(serverpsk);
3321 *sess = serverpsk;
3322
3323 return 1;
3324 }
3325
3326 #ifndef OPENSSL_NO_PSK
3327 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3328 unsigned char *psk, unsigned int max_psk_len)
3329 {
3330 unsigned int psklen = 0;
3331
3332 psk_server_cb_cnt++;
3333
3334 /* We should only ever be called a maximum of twice per connection */
3335 if (find_session_cb_cnt > 2)
3336 return 0;
3337
3338 if (serverpsk == NULL)
3339 return 0;
3340
3341 /* Identity should match that set by the client */
3342 if (strcmp(srvid, identity) != 0) {
3343 return 0;
3344 }
3345
3346 /* We'll reuse the PSK we set up for TLSv1.3 */
3347 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3348 return 0;
3349 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3350
3351 return psklen;
3352 }
3353 #endif /* OPENSSL_NO_PSK */
3354
3355 #define MSG1 "Hello"
3356 #define MSG2 "World."
3357 #define MSG3 "This"
3358 #define MSG4 "is"
3359 #define MSG5 "a"
3360 #define MSG6 "test"
3361 #define MSG7 "message."
3362
3363 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3364 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3365 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3366 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3367 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3368
3369
3370 static SSL_SESSION *create_a_psk(SSL *ssl)
3371 {
3372 const SSL_CIPHER *cipher = NULL;
3373 const unsigned char key[] = {
3374 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3375 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3376 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3377 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3378 0x2c, 0x2d, 0x2e, 0x2f
3379 };
3380 SSL_SESSION *sess = NULL;
3381
3382 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3383 sess = SSL_SESSION_new();
3384 if (!TEST_ptr(sess)
3385 || !TEST_ptr(cipher)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3387 sizeof(key)))
3388 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3389 || !TEST_true(
3390 SSL_SESSION_set_protocol_version(sess,
3391 TLS1_3_VERSION))) {
3392 SSL_SESSION_free(sess);
3393 return NULL;
3394 }
3395 return sess;
3396 }
3397
3398 /*
3399 * Helper method to setup objects for early data test. Caller frees objects on
3400 * error.
3401 */
3402 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3403 SSL **serverssl, SSL_SESSION **sess, int idx)
3404 {
3405 if (*sctx == NULL
3406 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3407 TLS_client_method(),
3408 TLS1_VERSION, 0,
3409 sctx, cctx, cert, privkey)))
3410 return 0;
3411
3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3413 return 0;
3414
3415 if (idx == 1) {
3416 /* When idx == 1 we repeat the tests with read_ahead set */
3417 SSL_CTX_set_read_ahead(*cctx, 1);
3418 SSL_CTX_set_read_ahead(*sctx, 1);
3419 } else if (idx == 2) {
3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3422 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3423 use_session_cb_cnt = 0;
3424 find_session_cb_cnt = 0;
3425 srvid = pskid;
3426 }
3427
3428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3429 NULL, NULL)))
3430 return 0;
3431
3432 /*
3433 * For one of the run throughs (doesn't matter which one), we'll try sending
3434 * some SNI data in the initial ClientHello. This will be ignored (because
3435 * there is no SNI cb set up by the server), so it should not impact
3436 * early_data.
3437 */
3438 if (idx == 1
3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3440 return 0;
3441
3442 if (idx == 2) {
3443 clientpsk = create_a_psk(*clientssl);
3444 if (!TEST_ptr(clientpsk)
3445 /*
3446 * We just choose an arbitrary value for max_early_data which
3447 * should be big enough for testing purposes.
3448 */
3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3450 0x100))
3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3452 SSL_SESSION_free(clientpsk);
3453 clientpsk = NULL;
3454 return 0;
3455 }
3456 serverpsk = clientpsk;
3457
3458 if (sess != NULL) {
3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 SSL_SESSION_free(serverpsk);
3462 clientpsk = serverpsk = NULL;
3463 return 0;
3464 }
3465 *sess = clientpsk;
3466 }
3467 return 1;
3468 }
3469
3470 if (sess == NULL)
3471 return 1;
3472
3473 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3474 SSL_ERROR_NONE)))
3475 return 0;
3476
3477 *sess = SSL_get1_session(*clientssl);
3478 SSL_shutdown(*clientssl);
3479 SSL_shutdown(*serverssl);
3480 SSL_free(*serverssl);
3481 SSL_free(*clientssl);
3482 *serverssl = *clientssl = NULL;
3483
3484 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3485 clientssl, NULL, NULL))
3486 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3487 return 0;
3488
3489 return 1;
3490 }
3491
3492 static int test_early_data_read_write(int idx)
3493 {
3494 SSL_CTX *cctx = NULL, *sctx = NULL;
3495 SSL *clientssl = NULL, *serverssl = NULL;
3496 int testresult = 0;
3497 SSL_SESSION *sess = NULL;
3498 unsigned char buf[20], data[1024];
3499 size_t readbytes, written, eoedlen, rawread, rawwritten;
3500 BIO *rbio;
3501
3502 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3503 &serverssl, &sess, idx)))
3504 goto end;
3505
3506 /* Write and read some early data */
3507 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3508 &written))
3509 || !TEST_size_t_eq(written, strlen(MSG1))
3510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3511 sizeof(buf), &readbytes),
3512 SSL_READ_EARLY_DATA_SUCCESS)
3513 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3515 SSL_EARLY_DATA_ACCEPTED))
3516 goto end;
3517
3518 /*
3519 * Server should be able to write data, and client should be able to
3520 * read it.
3521 */
3522 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3523 &written))
3524 || !TEST_size_t_eq(written, strlen(MSG2))
3525 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3526 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3527 goto end;
3528
3529 /* Even after reading normal data, client should be able write early data */
3530 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3531 &written))
3532 || !TEST_size_t_eq(written, strlen(MSG3)))
3533 goto end;
3534
3535 /* Server should still be able read early data after writing data */
3536 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3537 &readbytes),
3538 SSL_READ_EARLY_DATA_SUCCESS)
3539 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3540 goto end;
3541
3542 /* Write more data from server and read it from client */
3543 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3544 &written))
3545 || !TEST_size_t_eq(written, strlen(MSG4))
3546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3547 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3548 goto end;
3549
3550 /*
3551 * If client writes normal data it should mean writing early data is no
3552 * longer possible.
3553 */
3554 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3555 || !TEST_size_t_eq(written, strlen(MSG5))
3556 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3557 SSL_EARLY_DATA_ACCEPTED))
3558 goto end;
3559
3560 /*
3561 * At this point the client has written EndOfEarlyData, ClientFinished and
3562 * normal (fully protected) data. We are going to cause a delay between the
3563 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3564 * in the read BIO, and then just put back the EndOfEarlyData message.
3565 */
3566 rbio = SSL_get_rbio(serverssl);
3567 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3568 || !TEST_size_t_lt(rawread, sizeof(data))
3569 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3570 goto end;
3571
3572 /* Record length is in the 4th and 5th bytes of the record header */
3573 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3574 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3575 || !TEST_size_t_eq(rawwritten, eoedlen))
3576 goto end;
3577
3578 /* Server should be told that there is no more early data */
3579 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580 &readbytes),
3581 SSL_READ_EARLY_DATA_FINISH)
3582 || !TEST_size_t_eq(readbytes, 0))
3583 goto end;
3584
3585 /*
3586 * Server has not finished init yet, so should still be able to write early
3587 * data.
3588 */
3589 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3590 &written))
3591 || !TEST_size_t_eq(written, strlen(MSG6)))
3592 goto end;
3593
3594 /* Push the ClientFinished and the normal data back into the server rbio */
3595 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3596 &rawwritten))
3597 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3598 goto end;
3599
3600 /* Server should be able to read normal data */
3601 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3602 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3603 goto end;
3604
3605 /* Client and server should not be able to write/read early data now */
3606 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3607 &written)))
3608 goto end;
3609 ERR_clear_error();
3610 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3611 &readbytes),
3612 SSL_READ_EARLY_DATA_ERROR))
3613 goto end;
3614 ERR_clear_error();
3615
3616 /* Client should be able to read the data sent by the server */
3617 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3618 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3619 goto end;
3620
3621 /*
3622 * Make sure we process the two NewSessionTickets. These arrive
3623 * post-handshake. We attempt reads which we do not expect to return any
3624 * data.
3625 */
3626 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3628 &readbytes)))
3629 goto end;
3630
3631 /* Server should be able to write normal data */
3632 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3633 || !TEST_size_t_eq(written, strlen(MSG7))
3634 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3635 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3636 goto end;
3637
3638 SSL_SESSION_free(sess);
3639 sess = SSL_get1_session(clientssl);
3640 use_session_cb_cnt = 0;
3641 find_session_cb_cnt = 0;
3642
3643 SSL_shutdown(clientssl);
3644 SSL_shutdown(serverssl);
3645 SSL_free(serverssl);
3646 SSL_free(clientssl);
3647 serverssl = clientssl = NULL;
3648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3649 &clientssl, NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, sess)))
3651 goto end;
3652
3653 /* Write and read some early data */
3654 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3655 &written))
3656 || !TEST_size_t_eq(written, strlen(MSG1))
3657 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3658 &readbytes),
3659 SSL_READ_EARLY_DATA_SUCCESS)
3660 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3661 goto end;
3662
3663 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3664 || !TEST_int_gt(SSL_accept(serverssl), 0))
3665 goto end;
3666
3667 /* Client and server should not be able to write/read early data now */
3668 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3669 &written)))
3670 goto end;
3671 ERR_clear_error();
3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes),
3674 SSL_READ_EARLY_DATA_ERROR))
3675 goto end;
3676 ERR_clear_error();
3677
3678 /* Client and server should be able to write/read normal data */
3679 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3680 || !TEST_size_t_eq(written, strlen(MSG5))
3681 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3683 goto end;
3684
3685 testresult = 1;
3686
3687 end:
3688 SSL_SESSION_free(sess);
3689 SSL_SESSION_free(clientpsk);
3690 SSL_SESSION_free(serverpsk);
3691 clientpsk = serverpsk = NULL;
3692 SSL_free(serverssl);
3693 SSL_free(clientssl);
3694 SSL_CTX_free(sctx);
3695 SSL_CTX_free(cctx);
3696 return testresult;
3697 }
3698
3699 static int allow_ed_cb_called = 0;
3700
3701 static int allow_early_data_cb(SSL *s, void *arg)
3702 {
3703 int *usecb = (int *)arg;
3704
3705 allow_ed_cb_called++;
3706
3707 if (*usecb == 1)
3708 return 0;
3709
3710 return 1;
3711 }
3712
3713 /*
3714 * idx == 0: Standard early_data setup
3715 * idx == 1: early_data setup using read_ahead
3716 * usecb == 0: Don't use a custom early data callback
3717 * usecb == 1: Use a custom early data callback and reject the early data
3718 * usecb == 2: Use a custom early data callback and accept the early data
3719 * confopt == 0: Configure anti-replay directly
3720 * confopt == 1: Configure anti-replay using SSL_CONF
3721 */
3722 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3723 {
3724 SSL_CTX *cctx = NULL, *sctx = NULL;
3725 SSL *clientssl = NULL, *serverssl = NULL;
3726 int testresult = 0;
3727 SSL_SESSION *sess = NULL;
3728 size_t readbytes, written;
3729 unsigned char buf[20];
3730
3731 allow_ed_cb_called = 0;
3732
3733 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3734 TLS_client_method(), TLS1_VERSION, 0,
3735 &sctx, &cctx, cert, privkey)))
3736 return 0;
3737
3738 if (usecb > 0) {
3739 if (confopt == 0) {
3740 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3741 } else {
3742 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3743
3744 if (!TEST_ptr(confctx))
3745 goto end;
3746 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3747 | SSL_CONF_FLAG_SERVER);
3748 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3749 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3750 2)) {
3751 SSL_CONF_CTX_free(confctx);
3752 goto end;
3753 }
3754 SSL_CONF_CTX_free(confctx);
3755 }
3756 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3757 }
3758
3759 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3760 &serverssl, &sess, idx)))
3761 goto end;
3762
3763 /*
3764 * The server is configured to accept early data. Create a connection to
3765 * "use up" the ticket
3766 */
3767 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3768 || !TEST_true(SSL_session_reused(clientssl)))
3769 goto end;
3770
3771 SSL_shutdown(clientssl);
3772 SSL_shutdown(serverssl);
3773 SSL_free(serverssl);
3774 SSL_free(clientssl);
3775 serverssl = clientssl = NULL;
3776
3777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3778 &clientssl, NULL, NULL))
3779 || !TEST_true(SSL_set_session(clientssl, sess)))
3780 goto end;
3781
3782 /* Write and read some early data */
3783 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3784 &written))
3785 || !TEST_size_t_eq(written, strlen(MSG1)))
3786 goto end;
3787
3788 if (usecb <= 1) {
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3790 &readbytes),
3791 SSL_READ_EARLY_DATA_FINISH)
3792 /*
3793 * The ticket was reused, so the we should have rejected the
3794 * early data
3795 */
3796 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3797 SSL_EARLY_DATA_REJECTED))
3798 goto end;
3799 } else {
3800 /* In this case the callback decides to accept the early data */
3801 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3802 &readbytes),
3803 SSL_READ_EARLY_DATA_SUCCESS)
3804 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3805 /*
3806 * Server will have sent its flight so client can now send
3807 * end of early data and complete its half of the handshake
3808 */
3809 || !TEST_int_gt(SSL_connect(clientssl), 0)
3810 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3811 &readbytes),
3812 SSL_READ_EARLY_DATA_FINISH)
3813 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3814 SSL_EARLY_DATA_ACCEPTED))
3815 goto end;
3816 }
3817
3818 /* Complete the connection */
3819 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3820 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3821 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3822 goto end;
3823
3824 testresult = 1;
3825
3826 end:
3827 SSL_SESSION_free(sess);
3828 SSL_SESSION_free(clientpsk);
3829 SSL_SESSION_free(serverpsk);
3830 clientpsk = serverpsk = NULL;
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 SSL_CTX_free(sctx);
3834 SSL_CTX_free(cctx);
3835 return testresult;
3836 }
3837
3838 static int test_early_data_replay(int idx)
3839 {
3840 int ret = 1, usecb, confopt;
3841
3842 for (usecb = 0; usecb < 3; usecb++) {
3843 for (confopt = 0; confopt < 2; confopt++)
3844 ret &= test_early_data_replay_int(idx, usecb, confopt);
3845 }
3846
3847 return ret;
3848 }
3849
3850 /*
3851 * Helper function to test that a server attempting to read early data can
3852 * handle a connection from a client where the early data should be skipped.
3853 * testtype: 0 == No HRR
3854 * testtype: 1 == HRR
3855 * testtype: 2 == HRR, invalid early_data sent after HRR
3856 * testtype: 3 == recv_max_early_data set to 0
3857 */
3858 static int early_data_skip_helper(int testtype, int idx)
3859 {
3860 SSL_CTX *cctx = NULL, *sctx = NULL;
3861 SSL *clientssl = NULL, *serverssl = NULL;
3862 int testresult = 0;
3863 SSL_SESSION *sess = NULL;
3864 unsigned char buf[20];
3865 size_t readbytes, written;
3866
3867 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3868 &serverssl, &sess, idx)))
3869 goto end;
3870
3871 if (testtype == 1 || testtype == 2) {
3872 /* Force an HRR to occur */
3873 #if defined(OPENSSL_NO_EC)
3874 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3875 goto end;
3876 #else
3877 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3878 goto end;
3879 #endif
3880 } else if (idx == 2) {
3881 /*
3882 * We force early_data rejection by ensuring the PSK identity is
3883 * unrecognised
3884 */
3885 srvid = "Dummy Identity";
3886 } else {
3887 /*
3888 * Deliberately corrupt the creation time. We take 20 seconds off the
3889 * time. It could be any value as long as it is not within tolerance.
3890 * This should mean the ticket is rejected.
3891 */
3892 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3893 goto end;
3894 }
3895
3896 if (testtype == 3
3897 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3898 goto end;
3899
3900 /* Write some early data */
3901 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3902 &written))
3903 || !TEST_size_t_eq(written, strlen(MSG1)))
3904 goto end;
3905
3906 /* Server should reject the early data */
3907 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3908 &readbytes),
3909 SSL_READ_EARLY_DATA_FINISH)
3910 || !TEST_size_t_eq(readbytes, 0)
3911 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3912 SSL_EARLY_DATA_REJECTED))
3913 goto end;
3914
3915 switch (testtype) {
3916 case 0:
3917 /* Nothing to do */
3918 break;
3919
3920 case 1:
3921 /*
3922 * Finish off the handshake. We perform the same writes and reads as
3923 * further down but we expect them to fail due to the incomplete
3924 * handshake.
3925 */
3926 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3927 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3928 &readbytes)))
3929 goto end;
3930 break;
3931
3932 case 2:
3933 {
3934 BIO *wbio = SSL_get_wbio(clientssl);
3935 /* A record that will appear as bad early_data */
3936 const unsigned char bad_early_data[] = {
3937 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3938 };
3939
3940 /*
3941 * We force the client to attempt a write. This will fail because
3942 * we're still in the handshake. It will cause the second
3943 * ClientHello to be sent.
3944 */
3945 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3946 &written)))
3947 goto end;
3948
3949 /*
3950 * Inject some early_data after the second ClientHello. This should
3951 * cause the server to fail
3952 */
3953 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3954 sizeof(bad_early_data), &written)))
3955 goto end;
3956 }
3957 /* fallthrough */
3958
3959 case 3:
3960 /*
3961 * This client has sent more early_data than we are willing to skip
3962 * (case 3) or sent invalid early_data (case 2) so the connection should
3963 * abort.
3964 */
3965 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3966 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3967 goto end;
3968
3969 /* Connection has failed - nothing more to do */
3970 testresult = 1;
3971 goto end;
3972
3973 default:
3974 TEST_error("Invalid test type");
3975 goto end;
3976 }
3977
3978 /*
3979 * Should be able to send normal data despite rejection of early data. The
3980 * early_data should be skipped.
3981 */
3982 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3983 || !TEST_size_t_eq(written, strlen(MSG2))
3984 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3985 SSL_EARLY_DATA_REJECTED)
3986 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3988 goto end;
3989
3990 testresult = 1;
3991
3992 end:
3993 SSL_SESSION_free(clientpsk);
3994 SSL_SESSION_free(serverpsk);
3995 clientpsk = serverpsk = NULL;
3996 SSL_SESSION_free(sess);
3997 SSL_free(serverssl);
3998 SSL_free(clientssl);
3999 SSL_CTX_free(sctx);
4000 SSL_CTX_free(cctx);
4001 return testresult;
4002 }
4003
4004 /*
4005 * Test that a server attempting to read early data can handle a connection
4006 * from a client where the early data is not acceptable.
4007 */
4008 static int test_early_data_skip(int idx)
4009 {
4010 return early_data_skip_helper(0, idx);
4011 }
4012
4013 /*
4014 * Test that a server attempting to read early data can handle a connection
4015 * from a client where an HRR occurs.
4016 */
4017 static int test_early_data_skip_hrr(int idx)
4018 {
4019 return early_data_skip_helper(1, idx);
4020 }
4021
4022 /*
4023 * Test that a server attempting to read early data can handle a connection
4024 * from a client where an HRR occurs and correctly fails if early_data is sent
4025 * after the HRR
4026 */
4027 static int test_early_data_skip_hrr_fail(int idx)
4028 {
4029 return early_data_skip_helper(2, idx);
4030 }
4031
4032 /*
4033 * Test that a server attempting to read early data will abort if it tries to
4034 * skip over too much.
4035 */
4036 static int test_early_data_skip_abort(int idx)
4037 {
4038 return early_data_skip_helper(3, idx);
4039 }
4040
4041 /*
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client that doesn't send any.
4044 */
4045 static int test_early_data_not_sent(int idx)
4046 {
4047 SSL_CTX *cctx = NULL, *sctx = NULL;
4048 SSL *clientssl = NULL, *serverssl = NULL;
4049 int testresult = 0;
4050 SSL_SESSION *sess = NULL;
4051 unsigned char buf[20];
4052 size_t readbytes, written;
4053
4054 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4055 &serverssl, &sess, idx)))
4056 goto end;
4057
4058 /* Write some data - should block due to handshake with server */
4059 SSL_set_connect_state(clientssl);
4060 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4061 goto end;
4062
4063 /* Server should detect that early data has not been sent */
4064 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4065 &readbytes),
4066 SSL_READ_EARLY_DATA_FINISH)
4067 || !TEST_size_t_eq(readbytes, 0)
4068 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4069 SSL_EARLY_DATA_NOT_SENT)
4070 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4071 SSL_EARLY_DATA_NOT_SENT))
4072 goto end;
4073
4074 /* Continue writing the message we started earlier */
4075 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4076 || !TEST_size_t_eq(written, strlen(MSG1))
4077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4078 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4079 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4080 || !TEST_size_t_eq(written, strlen(MSG2)))
4081 goto end;
4082
4083 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4084 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4085 goto end;
4086
4087 testresult = 1;
4088
4089 end:
4090 SSL_SESSION_free(sess);
4091 SSL_SESSION_free(clientpsk);
4092 SSL_SESSION_free(serverpsk);
4093 clientpsk = serverpsk = NULL;
4094 SSL_free(serverssl);
4095 SSL_free(clientssl);
4096 SSL_CTX_free(sctx);
4097 SSL_CTX_free(cctx);
4098 return testresult;
4099 }
4100
4101 static const char *servalpn;
4102
4103 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4104 unsigned char *outlen, const unsigned char *in,
4105 unsigned int inlen, void *arg)
4106 {
4107 unsigned int protlen = 0;
4108 const unsigned char *prot;
4109
4110 for (prot = in; prot < in + inlen; prot += protlen) {
4111 protlen = *prot++;
4112 if (in + inlen < prot + protlen)
4113 return SSL_TLSEXT_ERR_NOACK;
4114
4115 if (protlen == strlen(servalpn)
4116 && memcmp(prot, servalpn, protlen) == 0) {
4117 *out = prot;
4118 *outlen = protlen;
4119 return SSL_TLSEXT_ERR_OK;
4120 }
4121 }
4122
4123 return SSL_TLSEXT_ERR_NOACK;
4124 }
4125
4126 /* Test that a PSK can be used to send early_data */
4127 static int test_early_data_psk(int idx)
4128 {
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4131 int testresult = 0;
4132 SSL_SESSION *sess = NULL;
4133 unsigned char alpnlist[] = {
4134 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4135 'l', 'p', 'n'
4136 };
4137 #define GOODALPNLEN 9
4138 #define BADALPNLEN 8
4139 #define GOODALPN (alpnlist)
4140 #define BADALPN (alpnlist + GOODALPNLEN)
4141 int err = 0;
4142 unsigned char buf[20];
4143 size_t readbytes, written;
4144 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4145 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4146
4147 /* We always set this up with a final parameter of "2" for PSK */
4148 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4149 &serverssl, &sess, 2)))
4150 goto end;
4151
4152 servalpn = "goodalpn";
4153
4154 /*
4155 * Note: There is no test for inconsistent SNI with late client detection.
4156 * This is because servers do not acknowledge SNI even if they are using
4157 * it in a resumption handshake - so it is not actually possible for a
4158 * client to detect a problem.
4159 */
4160 switch (idx) {
4161 case 0:
4162 /* Set inconsistent SNI (early client detection) */
4163 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4164 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4165 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4166 goto end;
4167 break;
4168
4169 case 1:
4170 /* Set inconsistent ALPN (early client detection) */
4171 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4172 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4173 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4174 GOODALPNLEN))
4175 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4176 BADALPNLEN)))
4177 goto end;
4178 break;
4179
4180 case 2:
4181 /*
4182 * Set invalid protocol version. Technically this affects PSKs without
4183 * early_data too, but we test it here because it is similar to the
4184 * SNI/ALPN consistency tests.
4185 */
4186 err = SSL_R_BAD_PSK;
4187 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4188 goto end;
4189 break;
4190
4191 case 3:
4192 /*
4193 * Set inconsistent SNI (server side). In this case the connection
4194 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4195 * is associated with each handshake - not the session. Therefore it
4196 * should not matter that we used a different server name last time.
4197 */
4198 SSL_SESSION_free(serverpsk);
4199 serverpsk = SSL_SESSION_dup(clientpsk);
4200 if (!TEST_ptr(serverpsk)
4201 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4202 goto end;
4203 /* Fall through */
4204 case 4:
4205 /* Set consistent SNI */
4206 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4207 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4208 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4209 hostname_cb)))
4210 goto end;
4211 break;
4212
4213 case 5:
4214 /*
4215 * Set inconsistent ALPN (server detected). In this case the connection
4216 * will succeed but reject early_data.
4217 */
4218 servalpn = "badalpn";
4219 edstatus = SSL_EARLY_DATA_REJECTED;
4220 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4221 /* Fall through */
4222 case 6:
4223 /*
4224 * Set consistent ALPN.
4225 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4226 * accepts a list of protos (each one length prefixed).
4227 * SSL_set1_alpn_selected accepts a single protocol (not length
4228 * prefixed)
4229 */
4230 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4231 GOODALPNLEN - 1))
4232 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4233 GOODALPNLEN)))
4234 goto end;
4235
4236 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4237 break;
4238
4239 case 7:
4240 /* Set inconsistent ALPN (late client detection) */
4241 SSL_SESSION_free(serverpsk);
4242 serverpsk = SSL_SESSION_dup(clientpsk);
4243 if (!TEST_ptr(serverpsk)
4244 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4245 BADALPN + 1,
4246 BADALPNLEN - 1))
4247 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4248 GOODALPN + 1,
4249 GOODALPNLEN - 1))
4250 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4251 sizeof(alpnlist))))
4252 goto end;
4253 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4254 edstatus = SSL_EARLY_DATA_ACCEPTED;
4255 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4256 /* SSL_connect() call should fail */
4257 connectres = -1;
4258 break;
4259
4260 default:
4261 TEST_error("Bad test index");
4262 goto end;
4263 }
4264
4265 SSL_set_connect_state(clientssl);
4266 if (err != 0) {
4267 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4268 &written))
4269 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4270 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4271 goto end;
4272 } else {
4273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4274 &written)))
4275 goto end;
4276
4277 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4278 &readbytes), readearlyres)
4279 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4280 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4281 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4282 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4283 goto end;
4284 }
4285
4286 testresult = 1;
4287
4288 end:
4289 SSL_SESSION_free(sess);
4290 SSL_SESSION_free(clientpsk);
4291 SSL_SESSION_free(serverpsk);
4292 clientpsk = serverpsk = NULL;
4293 SSL_free(serverssl);
4294 SSL_free(clientssl);
4295 SSL_CTX_free(sctx);
4296 SSL_CTX_free(cctx);
4297 return testresult;
4298 }
4299
4300 /*
4301 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4302 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4303 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4304 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4305 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4306 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4307 */
4308 static int test_early_data_psk_with_all_ciphers(int idx)
4309 {
4310 SSL_CTX *cctx = NULL, *sctx = NULL;
4311 SSL *clientssl = NULL, *serverssl = NULL;
4312 int testresult = 0;
4313 SSL_SESSION *sess = NULL;
4314 unsigned char buf[20];
4315 size_t readbytes, written;
4316 const SSL_CIPHER *cipher;
4317 const char *cipher_str[] = {
4318 TLS1_3_RFC_AES_128_GCM_SHA256,
4319 TLS1_3_RFC_AES_256_GCM_SHA384,
4320 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4321 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4322 # else
4323 NULL,
4324 # endif
4325 TLS1_3_RFC_AES_128_CCM_SHA256,
4326 TLS1_3_RFC_AES_128_CCM_8_SHA256
4327 };
4328 const unsigned char *cipher_bytes[] = {
4329 TLS13_AES_128_GCM_SHA256_BYTES,
4330 TLS13_AES_256_GCM_SHA384_BYTES,
4331 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4332 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4333 # else
4334 NULL,
4335 # endif
4336 TLS13_AES_128_CCM_SHA256_BYTES,
4337 TLS13_AES_128_CCM_8_SHA256_BYTES
4338 };
4339
4340 if (cipher_str[idx] == NULL)
4341 return 1;
4342 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4343 if (idx == 2 && is_fips == 1)
4344 return 1;
4345
4346 /* We always set this up with a final parameter of "2" for PSK */
4347 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4348 &serverssl, &sess, 2)))
4349 goto end;
4350
4351 if (idx == 4) {
4352 /* CCM8 ciphers are considered low security due to their short tag */
4353 SSL_set_security_level(clientssl, 0);
4354 SSL_set_security_level(serverssl, 0);
4355 }
4356
4357 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4358 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4359 goto end;
4360
4361 /*
4362 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4363 * and assigns to both client and server with incremented reference
4364 * and the same instance is updated in 'sess'.
4365 * So updating ciphersuite in 'sess' which will get reflected in
4366 * PSK handshake using psk use sess and find sess cb.
4367 */
4368 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4369 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4370 goto end;
4371
4372 SSL_set_connect_state(clientssl);
4373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4374 &written)))
4375 goto end;
4376
4377 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4378 &readbytes),
4379 SSL_READ_EARLY_DATA_SUCCESS)
4380 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4381 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4382 SSL_EARLY_DATA_ACCEPTED)
4383 || !TEST_int_eq(SSL_connect(clientssl), 1)
4384 || !TEST_int_eq(SSL_accept(serverssl), 1))
4385 goto end;
4386
4387 /* Send some normal data from client to server */
4388 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4389 || !TEST_size_t_eq(written, strlen(MSG2)))
4390 goto end;
4391
4392 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4393 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4394 goto end;
4395
4396 testresult = 1;
4397 end:
4398 SSL_SESSION_free(sess);
4399 SSL_SESSION_free(clientpsk);
4400 SSL_SESSION_free(serverpsk);
4401 clientpsk = serverpsk = NULL;
4402 if (clientssl != NULL)
4403 SSL_shutdown(clientssl);
4404 if (serverssl != NULL)
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 SSL_CTX_free(sctx);
4409 SSL_CTX_free(cctx);
4410 return testresult;
4411 }
4412
4413 /*
4414 * Test that a server that doesn't try to read early data can handle a
4415 * client sending some.
4416 */
4417 static int test_early_data_not_expected(int idx)
4418 {
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4421 int testresult = 0;
4422 SSL_SESSION *sess = NULL;
4423 unsigned char buf[20];
4424 size_t readbytes, written;
4425
4426 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4427 &serverssl, &sess, idx)))
4428 goto end;
4429
4430 /* Write some early data */
4431 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4432 &written)))
4433 goto end;
4434
4435 /*
4436 * Server should skip over early data and then block waiting for client to
4437 * continue handshake
4438 */
4439 if (!TEST_int_le(SSL_accept(serverssl), 0)
4440 || !TEST_int_gt(SSL_connect(clientssl), 0)
4441 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4442 SSL_EARLY_DATA_REJECTED)
4443 || !TEST_int_gt(SSL_accept(serverssl), 0)
4444 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4445 SSL_EARLY_DATA_REJECTED))
4446 goto end;
4447
4448 /* Send some normal data from client to server */
4449 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4450 || !TEST_size_t_eq(written, strlen(MSG2)))
4451 goto end;
4452
4453 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4454 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4455 goto end;
4456
4457 testresult = 1;
4458
4459 end:
4460 SSL_SESSION_free(sess);
4461 SSL_SESSION_free(clientpsk);
4462 SSL_SESSION_free(serverpsk);
4463 clientpsk = serverpsk = NULL;
4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 SSL_CTX_free(sctx);
4467 SSL_CTX_free(cctx);
4468 return testresult;
4469 }
4470
4471
4472 # ifndef OPENSSL_NO_TLS1_2
4473 /*
4474 * Test that a server attempting to read early data can handle a connection
4475 * from a TLSv1.2 client.
4476 */
4477 static int test_early_data_tls1_2(int idx)
4478 {
4479 SSL_CTX *cctx = NULL, *sctx = NULL;
4480 SSL *clientssl = NULL, *serverssl = NULL;
4481 int testresult = 0;
4482 unsigned char buf[20];
4483 size_t readbytes, written;
4484
4485 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4486 &serverssl, NULL, idx)))
4487 goto end;
4488
4489 /* Write some data - should block due to handshake with server */
4490 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4491 SSL_set_connect_state(clientssl);
4492 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4493 goto end;
4494
4495 /*
4496 * Server should do TLSv1.2 handshake. First it will block waiting for more
4497 * messages from client after ServerDone. Then SSL_read_early_data should
4498 * finish and detect that early data has not been sent
4499 */
4500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4501 &readbytes),
4502 SSL_READ_EARLY_DATA_ERROR))
4503 goto end;
4504
4505 /*
4506 * Continue writing the message we started earlier. Will still block waiting
4507 * for the CCS/Finished from server
4508 */
4509 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4511 &readbytes),
4512 SSL_READ_EARLY_DATA_FINISH)
4513 || !TEST_size_t_eq(readbytes, 0)
4514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4515 SSL_EARLY_DATA_NOT_SENT))
4516 goto end;
4517
4518 /* Continue writing the message we started earlier */
4519 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4520 || !TEST_size_t_eq(written, strlen(MSG1))
4521 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4522 SSL_EARLY_DATA_NOT_SENT)
4523 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4524 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4525 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4526 || !TEST_size_t_eq(written, strlen(MSG2))
4527 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4528 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4529 goto end;
4530
4531 testresult = 1;
4532
4533 end:
4534 SSL_SESSION_free(clientpsk);
4535 SSL_SESSION_free(serverpsk);
4536 clientpsk = serverpsk = NULL;
4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 SSL_CTX_free(sctx);
4540 SSL_CTX_free(cctx);
4541
4542 return testresult;
4543 }
4544 # endif /* OPENSSL_NO_TLS1_2 */
4545
4546 /*
4547 * Test configuring the TLSv1.3 ciphersuites
4548 *
4549 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4550 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4551 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4552 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4553 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4554 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4555 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4556 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4557 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4558 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4559 */
4560 static int test_set_ciphersuite(int idx)
4561 {
4562 SSL_CTX *cctx = NULL, *sctx = NULL;
4563 SSL *clientssl = NULL, *serverssl = NULL;
4564 int testresult = 0;
4565
4566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4567 TLS_client_method(), TLS1_VERSION, 0,
4568 &sctx, &cctx, cert, privkey))
4569 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4571 goto end;
4572
4573 if (idx >=4 && idx <= 7) {
4574 /* SSL_CTX explicit cipher list */
4575 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4576 goto end;
4577 }
4578
4579 if (idx == 0 || idx == 4) {
4580 /* Default ciphersuite */
4581 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4582 "TLS_AES_128_GCM_SHA256")))
4583 goto end;
4584 } else if (idx == 1 || idx == 5) {
4585 /* Non default ciphersuite */
4586 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4587 "TLS_AES_128_CCM_SHA256")))
4588 goto end;
4589 }
4590
4591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4592 &clientssl, NULL, NULL)))
4593 goto end;
4594
4595 if (idx == 8 || idx == 9) {
4596 /* SSL explicit cipher list */
4597 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4598 goto end;
4599 }
4600
4601 if (idx == 2 || idx == 6 || idx == 8) {
4602 /* Default ciphersuite */
4603 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4604 "TLS_AES_128_GCM_SHA256")))
4605 goto end;
4606 } else if (idx == 3 || idx == 7 || idx == 9) {
4607 /* Non default ciphersuite */
4608 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4609 "TLS_AES_128_CCM_SHA256")))
4610 goto end;
4611 }
4612
4613 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4614 goto end;
4615
4616 testresult = 1;
4617
4618 end:
4619 SSL_free(serverssl);
4620 SSL_free(clientssl);
4621 SSL_CTX_free(sctx);
4622 SSL_CTX_free(cctx);
4623
4624 return testresult;
4625 }
4626
4627 static int test_ciphersuite_change(void)
4628 {
4629 SSL_CTX *cctx = NULL, *sctx = NULL;
4630 SSL *clientssl = NULL, *serverssl = NULL;
4631 SSL_SESSION *clntsess = NULL;
4632 int testresult = 0;
4633 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4634
4635 /* Create a session based on SHA-256 */
4636 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4637 TLS_client_method(), TLS1_VERSION, 0,
4638 &sctx, &cctx, cert, privkey))
4639 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4640 "TLS_AES_128_GCM_SHA256:"
4641 "TLS_AES_256_GCM_SHA384:"
4642 "TLS_AES_128_CCM_SHA256"))
4643 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4644 "TLS_AES_128_GCM_SHA256")))
4645 goto end;
4646
4647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4648 NULL, NULL))
4649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4650 SSL_ERROR_NONE)))
4651 goto end;
4652
4653 clntsess = SSL_get1_session(clientssl);
4654 /* Save for later */
4655 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4656 SSL_shutdown(clientssl);
4657 SSL_shutdown(serverssl);
4658 SSL_free(serverssl);
4659 SSL_free(clientssl);
4660 serverssl = clientssl = NULL;
4661
4662 /* Check we can resume a session with a different SHA-256 ciphersuite */
4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4664 "TLS_AES_128_CCM_SHA256"))
4665 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4666 &clientssl, NULL, NULL))
4667 || !TEST_true(SSL_set_session(clientssl, clntsess))
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4669 SSL_ERROR_NONE))
4670 || !TEST_true(SSL_session_reused(clientssl)))
4671 goto end;
4672
4673 SSL_SESSION_free(clntsess);
4674 clntsess = SSL_get1_session(clientssl);
4675 SSL_shutdown(clientssl);
4676 SSL_shutdown(serverssl);
4677 SSL_free(serverssl);
4678 SSL_free(clientssl);
4679 serverssl = clientssl = NULL;
4680
4681 /*
4682 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4683 * succeeds but does not resume.
4684 */
4685 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4686 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4687 NULL, NULL))
4688 || !TEST_true(SSL_set_session(clientssl, clntsess))
4689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4690 SSL_ERROR_SSL))
4691 || !TEST_false(SSL_session_reused(clientssl)))
4692 goto end;
4693
4694 SSL_SESSION_free(clntsess);
4695 clntsess = NULL;
4696 SSL_shutdown(clientssl);
4697 SSL_shutdown(serverssl);
4698 SSL_free(serverssl);
4699 SSL_free(clientssl);
4700 serverssl = clientssl = NULL;
4701
4702 /* Create a session based on SHA384 */
4703 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL))
4706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4707 SSL_ERROR_NONE)))
4708 goto end;
4709
4710 clntsess = SSL_get1_session(clientssl);
4711 SSL_shutdown(clientssl);
4712 SSL_shutdown(serverssl);
4713 SSL_free(serverssl);
4714 SSL_free(clientssl);
4715 serverssl = clientssl = NULL;
4716
4717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4718 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4720 "TLS_AES_256_GCM_SHA384"))
4721 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4722 NULL, NULL))
4723 || !TEST_true(SSL_set_session(clientssl, clntsess))
4724 /*
4725 * We use SSL_ERROR_WANT_READ below so that we can pause the
4726 * connection after the initial ClientHello has been sent to
4727 * enable us to make some session changes.
4728 */
4729 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4730 SSL_ERROR_WANT_READ)))
4731 goto end;
4732
4733 /* Trick the client into thinking this session is for a different digest */
4734 clntsess->cipher = aes_128_gcm_sha256;
4735 clntsess->cipher_id = clntsess->cipher->id;
4736
4737 /*
4738 * Continue the previously started connection. Server has selected a SHA-384
4739 * ciphersuite, but client thinks the session is for SHA-256, so it should
4740 * bail out.
4741 */
4742 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4743 SSL_ERROR_SSL))
4744 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4745 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4746 goto end;
4747
4748 testresult = 1;
4749
4750 end:
4751 SSL_SESSION_free(clntsess);
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 SSL_CTX_free(sctx);
4755 SSL_CTX_free(cctx);
4756
4757 return testresult;
4758 }
4759
4760 /*
4761 * Test TLSv1.3 Key exchange
4762 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4763 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4764 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4765 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4766 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4767 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4768 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4769 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4770 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4771 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4772 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4773 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4774 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4775 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4776 */
4777 # ifndef OPENSSL_NO_EC
4778 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4779 NID_secp521r1, NID_X25519, NID_X448};
4780 # endif
4781 # ifndef OPENSSL_NO_DH
4782 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4783 NID_ffdhe6144, NID_ffdhe8192};
4784 # endif
4785 static int test_key_exchange(int idx)
4786 {
4787 SSL_CTX *sctx = NULL, *cctx = NULL;
4788 SSL *serverssl = NULL, *clientssl = NULL;
4789 int testresult = 0;
4790 int kexch_alg;
4791 int *kexch_groups = &kexch_alg;
4792 int kexch_groups_size = 1;
4793 int max_version = TLS1_3_VERSION;
4794 char *kexch_name0 = NULL;
4795
4796 switch (idx) {
4797 # ifndef OPENSSL_NO_EC
4798 # ifndef OPENSSL_NO_TLS1_2
4799 case 12:
4800 max_version = TLS1_2_VERSION;
4801 # endif
4802 /* Fall through */
4803 case 0:
4804 kexch_groups = ecdhe_kexch_groups;
4805 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4806 kexch_name0 = "secp256r1";
4807 break;
4808 case 1:
4809 kexch_alg = NID_X9_62_prime256v1;
4810 kexch_name0 = "secp256r1";
4811 break;
4812 case 2:
4813 kexch_alg = NID_secp384r1;
4814 kexch_name0 = "secp384r1";
4815 break;
4816 case 3:
4817 kexch_alg = NID_secp521r1;
4818 kexch_name0 = "secp521r1";
4819 break;
4820 case 4:
4821 kexch_alg = NID_X25519;
4822 kexch_name0 = "x25519";
4823 break;
4824 case 5:
4825 kexch_alg = NID_X448;
4826 kexch_name0 = "x448";
4827 break;
4828 # endif
4829 # ifndef OPENSSL_NO_DH
4830 # ifndef OPENSSL_NO_TLS1_2
4831 case 13:
4832 max_version = TLS1_2_VERSION;
4833 kexch_name0 = "ffdhe2048";
4834 # endif
4835 /* Fall through */
4836 case 6:
4837 kexch_groups = ffdhe_kexch_groups;
4838 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4839 kexch_name0 = "ffdhe2048";
4840 break;
4841 case 7:
4842 kexch_alg = NID_ffdhe2048;
4843 kexch_name0 = "ffdhe2048";
4844 break;
4845 case 8:
4846 kexch_alg = NID_ffdhe3072;
4847 kexch_name0 = "ffdhe3072";
4848 break;
4849 case 9:
4850 kexch_alg = NID_ffdhe4096;
4851 kexch_name0 = "ffdhe4096";
4852 break;
4853 case 10:
4854 kexch_alg = NID_ffdhe6144;
4855 kexch_name0 = "ffdhe6144";
4856 break;
4857 case 11:
4858 kexch_alg = NID_ffdhe8192;
4859 kexch_name0 = "ffdhe8192";
4860 break;
4861 # endif
4862 default:
4863 /* We're skipping this test */
4864 return 1;
4865 }
4866
4867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4868 TLS_client_method(), TLS1_VERSION,
4869 max_version, &sctx, &cctx, cert,
4870 privkey)))
4871 goto end;
4872
4873 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4874 TLS1_3_RFC_AES_128_GCM_SHA256)))
4875 goto end;
4876
4877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4878 TLS1_3_RFC_AES_128_GCM_SHA256)))
4879 goto end;
4880
4881 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4882 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4883 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4884 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4885 goto end;
4886
4887 /*
4888 * Must include an EC ciphersuite so that we send supported groups in
4889 * TLSv1.2
4890 */
4891 # ifndef OPENSSL_NO_TLS1_2
4892 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4893 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4894 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4895 goto end;
4896 # endif
4897
4898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4899 NULL, NULL)))
4900 goto end;
4901
4902 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4903 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4904 goto end;
4905
4906 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4907 goto end;
4908
4909 /*
4910 * If Handshake succeeds the negotiated kexch alg should be the first one in
4911 * configured, except in the case of FFDHE groups (idx 13), which are
4912 * TLSv1.3 only so we expect no shared group to exist.
4913 */
4914 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4915 idx == 13 ? 0 : kexch_groups[0]))
4916 goto end;
4917
4918 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4919 kexch_name0))
4920 goto end;
4921
4922 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4923 if (idx != 13) {
4924 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4925 goto end;
4926 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4927 goto end;
4928 }
4929
4930 testresult = 1;
4931 end:
4932 SSL_free(serverssl);
4933 SSL_free(clientssl);
4934 SSL_CTX_free(sctx);
4935 SSL_CTX_free(cctx);
4936 return testresult;
4937 }
4938
4939 # if !defined(OPENSSL_NO_TLS1_2) \
4940 && !defined(OPENSSL_NO_EC) \
4941 && !defined(OPENSSL_NO_DH)
4942 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4943 int isecdhe, int idx)
4944 {
4945 int kexch_alg;
4946 int *kexch_groups = &kexch_alg;
4947 int numec, numff;
4948
4949 numec = OSSL_NELEM(ecdhe_kexch_groups);
4950 numff = OSSL_NELEM(ffdhe_kexch_groups);
4951 if (isecdhe)
4952 kexch_alg = ecdhe_kexch_groups[idx];
4953 else
4954 kexch_alg = ffdhe_kexch_groups[idx];
4955
4956 if (clientmulti) {
4957 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4958 return 0;
4959 if (isecdhe) {
4960 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4961 numec)))
4962 return 0;
4963 } else {
4964 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4965 numff)))
4966 return 0;
4967 }
4968 } else {
4969 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4970 return 0;
4971 if (isecdhe) {
4972 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4973 numec)))
4974 return 0;
4975 } else {
4976 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4977 numff)))
4978 return 0;
4979 }
4980 }
4981 return 1;
4982 }
4983
4984 /*-
4985 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4986 * Run through both the ECDHE and FFDHE group lists used in the previous
4987 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4988 * confirming the expected result; then perform a resumption handshake
4989 * while offering the same group list, and another resumption handshake
4990 * offering a different group list. The returned value should be the
4991 * negotiated group for the initial handshake; for TLS 1.3 resumption
4992 * handshakes the returned value will be negotiated on the resumption
4993 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4994 * be cached in the session from the original handshake, regardless of what
4995 * was offered in the resumption ClientHello.
4996 *
4997 * Using E for the number of EC groups and F for the number of FF groups:
4998 * E tests of ECDHE with TLS 1.3, server only has one group
4999 * F tests of FFDHE with TLS 1.3, server only has one group
5000 * E tests of ECDHE with TLS 1.2, server only has one group
5001 * F tests of FFDHE with TLS 1.2, server only has one group
5002 * E tests of ECDHE with TLS 1.3, client sends only one group
5003 * F tests of FFDHE with TLS 1.3, client sends only one group
5004 * E tests of ECDHE with TLS 1.2, client sends only one group
5005 * F tests of FFDHE with TLS 1.2, client sends only one group
5006 */
5007 static int test_negotiated_group(int idx)
5008 {
5009 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5010 int expectednid;
5011 SSL_CTX *sctx = NULL, *cctx = NULL;
5012 SSL *serverssl = NULL, *clientssl = NULL;
5013 SSL_SESSION *origsess = NULL;
5014 int testresult = 0;
5015 int kexch_alg;
5016 int max_version = TLS1_3_VERSION;
5017
5018 numec = OSSL_NELEM(ecdhe_kexch_groups);
5019 numff = OSSL_NELEM(ffdhe_kexch_groups);
5020 numgroups = numec + numff;
5021 clientmulti = (idx < 2 * numgroups);
5022 idx = idx % (2 * numgroups);
5023 istls13 = (idx < numgroups);
5024 idx = idx % numgroups;
5025 isecdhe = (idx < numec);
5026 if (!isecdhe)
5027 idx -= numec;
5028 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5029 if (isecdhe)
5030 kexch_alg = ecdhe_kexch_groups[idx];
5031 else
5032 kexch_alg = ffdhe_kexch_groups[idx];
5033 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5034 if (!istls13 && !isecdhe)
5035 expectednid = NID_undef;
5036 else
5037 expectednid = kexch_alg;
5038
5039 if (!istls13)
5040 max_version = TLS1_2_VERSION;
5041
5042 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5043 TLS_client_method(), TLS1_VERSION,
5044 max_version, &sctx, &cctx, cert,
5045 privkey)))
5046 goto end;
5047
5048 /*
5049 * Force (EC)DHE ciphers for TLS 1.2.
5050 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5051 */
5052 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5053 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5054 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5055 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5056 goto end;
5057 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5058 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5059 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5060 goto end;
5061
5062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5063 NULL, NULL)))
5064 goto end;
5065
5066 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5067 idx)))
5068 goto end;
5069
5070 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5071 goto end;
5072
5073 /* Initial handshake; always the configured one */
5074 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5075 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5076 goto end;
5077
5078 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5079 goto end;
5080
5081 SSL_shutdown(clientssl);
5082 SSL_shutdown(serverssl);
5083 SSL_free(serverssl);
5084 SSL_free(clientssl);
5085 serverssl = clientssl = NULL;
5086
5087 /* First resumption attempt; use the same config as initial handshake */
5088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5089 NULL, NULL))
5090 || !TEST_true(SSL_set_session(clientssl, origsess))
5091 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5092 isecdhe, idx)))
5093 goto end;
5094
5095 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5096 || !TEST_true(SSL_session_reused(clientssl)))
5097 goto end;
5098
5099 /* Still had better agree, since nothing changed... */
5100 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5101 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5102 goto end;
5103
5104 SSL_shutdown(clientssl);
5105 SSL_shutdown(serverssl);
5106 SSL_free(serverssl);
5107 SSL_free(clientssl);
5108 serverssl = clientssl = NULL;
5109
5110 /*-
5111 * Second resumption attempt
5112 * The party that picks one group changes it, which we effectuate by
5113 * changing 'idx' and updating what we expect.
5114 */
5115 if (idx == 0)
5116 idx = 1;
5117 else
5118 idx--;
5119 if (istls13) {
5120 if (isecdhe)
5121 expectednid = ecdhe_kexch_groups[idx];
5122 else
5123 expectednid = ffdhe_kexch_groups[idx];
5124 /* Verify that we are changing what we expect. */
5125 if (!TEST_int_ne(expectednid, kexch_alg))
5126 goto end;
5127 } else {
5128 /* TLS 1.2 only supports named groups for ECDHE. */
5129 if (isecdhe)
5130 expectednid = kexch_alg;
5131 else
5132 expectednid = 0;
5133 }
5134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5135 NULL, NULL))
5136 || !TEST_true(SSL_set_session(clientssl, origsess))
5137 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5138 isecdhe, idx)))
5139 goto end;
5140
5141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5142 || !TEST_true(SSL_session_reused(clientssl)))
5143 goto end;
5144
5145 /* Check that we get what we expected */
5146 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5147 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5148 goto end;
5149
5150 testresult = 1;
5151 end:
5152 SSL_free(serverssl);
5153 SSL_free(clientssl);
5154 SSL_CTX_free(sctx);
5155 SSL_CTX_free(cctx);
5156 SSL_SESSION_free(origsess);
5157 return testresult;
5158 }
5159 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5160
5161 /*
5162 * Test TLSv1.3 Cipher Suite
5163 * Test 0 = Set TLS1.3 cipher on context
5164 * Test 1 = Set TLS1.3 cipher on SSL
5165 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5166 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5167 */
5168 static int test_tls13_ciphersuite(int idx)
5169 {
5170 SSL_CTX *sctx = NULL, *cctx = NULL;
5171 SSL *serverssl = NULL, *clientssl = NULL;
5172 static const struct {
5173 const char *ciphername;
5174 int fipscapable;
5175 int low_security;
5176 } t13_ciphers[] = {
5177 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5178 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5179 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5180 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5181 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5182 { TLS1_3_RFC_AES_256_GCM_SHA384
5183 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5184 # endif
5185 /* CCM8 ciphers are considered low security due to their short tag */
5186 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5187 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5188 };
5189 const char *t13_cipher = NULL;
5190 const char *t12_cipher = NULL;
5191 const char *negotiated_scipher;
5192 const char *negotiated_ccipher;
5193 int set_at_ctx = 0;
5194 int set_at_ssl = 0;
5195 int testresult = 0;
5196 int max_ver;
5197 size_t i;
5198
5199 switch (idx) {
5200 case 0:
5201 set_at_ctx = 1;
5202 break;
5203 case 1:
5204 set_at_ssl = 1;
5205 break;
5206 case 2:
5207 set_at_ctx = 1;
5208 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5209 break;
5210 case 3:
5211 set_at_ssl = 1;
5212 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5213 break;
5214 }
5215
5216 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5217 # ifdef OPENSSL_NO_TLS1_2
5218 if (max_ver == TLS1_2_VERSION)
5219 continue;
5220 # endif
5221 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5222 if (is_fips && !t13_ciphers[i].fipscapable)
5223 continue;
5224 t13_cipher = t13_ciphers[i].ciphername;
5225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5226 TLS_client_method(),
5227 TLS1_VERSION, max_ver,
5228 &sctx, &cctx, cert, privkey)))
5229 goto end;
5230
5231 if (t13_ciphers[i].low_security) {
5232 SSL_CTX_set_security_level(sctx, 0);
5233 SSL_CTX_set_security_level(cctx, 0);
5234 }
5235
5236 if (set_at_ctx) {
5237 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5238 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5239 goto end;
5240 if (t12_cipher != NULL) {
5241 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5242 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5243 t12_cipher)))
5244 goto end;
5245 }
5246 }
5247
5248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5249 &clientssl, NULL, NULL)))
5250 goto end;
5251
5252 if (set_at_ssl) {
5253 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5254 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5255 goto end;
5256 if (t12_cipher != NULL) {
5257 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5258 || !TEST_true(SSL_set_cipher_list(clientssl,
5259 t12_cipher)))
5260 goto end;
5261 }
5262 }
5263
5264 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5265 SSL_ERROR_NONE)))
5266 goto end;
5267
5268 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5269 serverssl));
5270 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5271 clientssl));
5272 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5273 goto end;
5274
5275 /*
5276 * TEST_strn_eq is used below because t13_cipher can contain
5277 * multiple ciphersuites
5278 */
5279 if (max_ver == TLS1_3_VERSION
5280 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5281 strlen(negotiated_scipher)))
5282 goto end;
5283
5284 # ifndef OPENSSL_NO_TLS1_2
5285 /* Below validation is not done when t12_cipher is NULL */
5286 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5287 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5288 goto end;
5289 # endif
5290
5291 SSL_free(serverssl);
5292 serverssl = NULL;
5293 SSL_free(clientssl);
5294 clientssl = NULL;
5295 SSL_CTX_free(sctx);
5296 sctx = NULL;
5297 SSL_CTX_free(cctx);
5298 cctx = NULL;
5299 }
5300 }
5301
5302 testresult = 1;
5303 end:
5304 SSL_free(serverssl);
5305 SSL_free(clientssl);
5306 SSL_CTX_free(sctx);
5307 SSL_CTX_free(cctx);
5308 return testresult;
5309 }
5310
5311 /*
5312 * Test TLSv1.3 PSKs
5313 * Test 0 = Test new style callbacks
5314 * Test 1 = Test both new and old style callbacks
5315 * Test 2 = Test old style callbacks
5316 * Test 3 = Test old style callbacks with no certificate
5317 */
5318 static int test_tls13_psk(int idx)
5319 {
5320 SSL_CTX *sctx = NULL, *cctx = NULL;
5321 SSL *serverssl = NULL, *clientssl = NULL;
5322 const SSL_CIPHER *cipher = NULL;
5323 const unsigned char key[] = {
5324 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5325 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5326 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5327 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5328 };
5329 int testresult = 0;
5330
5331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5332 TLS_client_method(), TLS1_VERSION, 0,
5333 &sctx, &cctx, idx == 3 ? NULL : cert,
5334 idx == 3 ? NULL : privkey)))
5335 goto end;
5336
5337 if (idx != 3) {
5338 /*
5339 * We use a ciphersuite with SHA256 to ease testing old style PSK
5340 * callbacks which will always default to SHA256. This should not be
5341 * necessary if we have no cert/priv key. In that case the server should
5342 * prefer SHA256 automatically.
5343 */
5344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5345 "TLS_AES_128_GCM_SHA256")))
5346 goto end;
5347 } else {
5348 /*
5349 * As noted above the server should prefer SHA256 automatically. However
5350 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5351 * code works even if we are testing with only the FIPS provider loaded.
5352 */
5353 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5354 "TLS_AES_256_GCM_SHA384:"
5355 "TLS_AES_128_GCM_SHA256")))
5356 goto end;
5357 }
5358
5359 /*
5360 * Test 0: New style callbacks only
5361 * Test 1: New and old style callbacks (only the new ones should be used)
5362 * Test 2: Old style callbacks only
5363 */
5364 if (idx == 0 || idx == 1) {
5365 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5366 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5367 }
5368 #ifndef OPENSSL_NO_PSK
5369 if (idx >= 1) {
5370 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5371 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5372 }
5373 #endif
5374 srvid = pskid;
5375 use_session_cb_cnt = 0;
5376 find_session_cb_cnt = 0;
5377 psk_client_cb_cnt = 0;
5378 psk_server_cb_cnt = 0;
5379
5380 if (idx != 3) {
5381 /*
5382 * Check we can create a connection if callback decides not to send a
5383 * PSK
5384 */
5385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5386 NULL, NULL))
5387 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5388 SSL_ERROR_NONE))
5389 || !TEST_false(SSL_session_reused(clientssl))
5390 || !TEST_false(SSL_session_reused(serverssl)))
5391 goto end;
5392
5393 if (idx == 0 || idx == 1) {
5394 if (!TEST_true(use_session_cb_cnt == 1)
5395 || !TEST_true(find_session_cb_cnt == 0)
5396 /*
5397 * If no old style callback then below should be 0
5398 * otherwise 1
5399 */
5400 || !TEST_true(psk_client_cb_cnt == idx)
5401 || !TEST_true(psk_server_cb_cnt == 0))
5402 goto end;
5403 } else {
5404 if (!TEST_true(use_session_cb_cnt == 0)
5405 || !TEST_true(find_session_cb_cnt == 0)
5406 || !TEST_true(psk_client_cb_cnt == 1)
5407 || !TEST_true(psk_server_cb_cnt == 0))
5408 goto end;
5409 }
5410
5411 shutdown_ssl_connection(serverssl, clientssl);
5412 serverssl = clientssl = NULL;
5413 use_session_cb_cnt = psk_client_cb_cnt = 0;
5414 }
5415
5416 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5417 NULL, NULL)))
5418 goto end;
5419
5420 /* Create the PSK */
5421 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5422 clientpsk = SSL_SESSION_new();
5423 if (!TEST_ptr(clientpsk)
5424 || !TEST_ptr(cipher)
5425 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5426 sizeof(key)))
5427 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5428 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5429 TLS1_3_VERSION))
5430 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5431 goto end;
5432 serverpsk = clientpsk;
5433
5434 /* Check we can create a connection and the PSK is used */
5435 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5436 || !TEST_true(SSL_session_reused(clientssl))
5437 || !TEST_true(SSL_session_reused(serverssl)))
5438 goto end;
5439
5440 if (idx == 0 || idx == 1) {
5441 if (!TEST_true(use_session_cb_cnt == 1)
5442 || !TEST_true(find_session_cb_cnt == 1)
5443 || !TEST_true(psk_client_cb_cnt == 0)
5444 || !TEST_true(psk_server_cb_cnt == 0))
5445 goto end;
5446 } else {
5447 if (!TEST_true(use_session_cb_cnt == 0)
5448 || !TEST_true(find_session_cb_cnt == 0)
5449 || !TEST_true(psk_client_cb_cnt == 1)
5450 || !TEST_true(psk_server_cb_cnt == 1))
5451 goto end;
5452 }
5453
5454 shutdown_ssl_connection(serverssl, clientssl);
5455 serverssl = clientssl = NULL;
5456 use_session_cb_cnt = find_session_cb_cnt = 0;
5457 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5458
5459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5460 NULL, NULL)))
5461 goto end;
5462
5463 /* Force an HRR */
5464 #if defined(OPENSSL_NO_EC)
5465 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5466 goto end;
5467 #else
5468 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5469 goto end;
5470 #endif
5471
5472 /*
5473 * Check we can create a connection, the PSK is used and the callbacks are
5474 * called twice.
5475 */
5476 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5477 || !TEST_true(SSL_session_reused(clientssl))
5478 || !TEST_true(SSL_session_reused(serverssl)))
5479 goto end;
5480
5481 if (idx == 0 || idx == 1) {
5482 if (!TEST_true(use_session_cb_cnt == 2)
5483 || !TEST_true(find_session_cb_cnt == 2)
5484 || !TEST_true(psk_client_cb_cnt == 0)
5485 || !TEST_true(psk_server_cb_cnt == 0))
5486 goto end;
5487 } else {
5488 if (!TEST_true(use_session_cb_cnt == 0)
5489 || !TEST_true(find_session_cb_cnt == 0)
5490 || !TEST_true(psk_client_cb_cnt == 2)
5491 || !TEST_true(psk_server_cb_cnt == 2))
5492 goto end;
5493 }
5494
5495 shutdown_ssl_connection(serverssl, clientssl);
5496 serverssl = clientssl = NULL;
5497 use_session_cb_cnt = find_session_cb_cnt = 0;
5498 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5499
5500 if (idx != 3) {
5501 /*
5502 * Check that if the server rejects the PSK we can still connect, but with
5503 * a full handshake
5504 */
5505 srvid = "Dummy Identity";
5506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5507 NULL, NULL))
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 SSL_ERROR_NONE))
5510 || !TEST_false(SSL_session_reused(clientssl))
5511 || !TEST_false(SSL_session_reused(serverssl)))
5512 goto end;
5513
5514 if (idx == 0 || idx == 1) {
5515 if (!TEST_true(use_session_cb_cnt == 1)
5516 || !TEST_true(find_session_cb_cnt == 1)
5517 || !TEST_true(psk_client_cb_cnt == 0)
5518 /*
5519 * If no old style callback then below should be 0
5520 * otherwise 1
5521 */
5522 || !TEST_true(psk_server_cb_cnt == idx))
5523 goto end;
5524 } else {
5525 if (!TEST_true(use_session_cb_cnt == 0)
5526 || !TEST_true(find_session_cb_cnt == 0)
5527 || !TEST_true(psk_client_cb_cnt == 1)
5528 || !TEST_true(psk_server_cb_cnt == 1))
5529 goto end;
5530 }
5531
5532 shutdown_ssl_connection(serverssl, clientssl);
5533 serverssl = clientssl = NULL;
5534 }
5535 testresult = 1;
5536
5537 end:
5538 SSL_SESSION_free(clientpsk);
5539 SSL_SESSION_free(serverpsk);
5540 clientpsk = serverpsk = NULL;
5541 SSL_free(serverssl);
5542 SSL_free(clientssl);
5543 SSL_CTX_free(sctx);
5544 SSL_CTX_free(cctx);
5545 return testresult;
5546 }
5547
5548 static unsigned char cookie_magic_value[] = "cookie magic";
5549
5550 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5551 unsigned int *cookie_len)
5552 {
5553 /*
5554 * Not suitable as a real cookie generation function but good enough for
5555 * testing!
5556 */
5557 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5558 *cookie_len = sizeof(cookie_magic_value) - 1;
5559
5560 return 1;
5561 }
5562
5563 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5564 unsigned int cookie_len)
5565 {
5566 if (cookie_len == sizeof(cookie_magic_value) - 1
5567 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5568 return 1;
5569
5570 return 0;
5571 }
5572
5573 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5574 size_t *cookie_len)
5575 {
5576 unsigned int temp;
5577 int res = generate_cookie_callback(ssl, cookie, &temp);
5578 *cookie_len = temp;
5579 return res;
5580 }
5581
5582 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5583 size_t cookie_len)
5584 {
5585 return verify_cookie_callback(ssl, cookie, cookie_len);
5586 }
5587
5588 static int test_stateless(void)
5589 {
5590 SSL_CTX *sctx = NULL, *cctx = NULL;
5591 SSL *serverssl = NULL, *clientssl = NULL;
5592 int testresult = 0;
5593
5594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5595 TLS_client_method(), TLS1_VERSION, 0,
5596 &sctx, &cctx, cert, privkey)))
5597 goto end;
5598
5599 /* The arrival of CCS messages can confuse the test */
5600 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5601
5602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5603 NULL, NULL))
5604 /* Send the first ClientHello */
5605 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5606 SSL_ERROR_WANT_READ))
5607 /*
5608 * This should fail with a -1 return because we have no callbacks
5609 * set up
5610 */
5611 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5612 goto end;
5613
5614 /* Fatal error so abandon the connection from this client */
5615 SSL_free(clientssl);
5616 clientssl = NULL;
5617
5618 /* Set up the cookie generation and verification callbacks */
5619 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5620 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5621
5622 /*
5623 * Create a new connection from the client (we can reuse the server SSL
5624 * object).
5625 */
5626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5627 NULL, NULL))
5628 /* Send the first ClientHello */
5629 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5630 SSL_ERROR_WANT_READ))
5631 /* This should fail because there is no cookie */
5632 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5633 goto end;
5634
5635 /* Abandon the connection from this client */
5636 SSL_free(clientssl);
5637 clientssl = NULL;
5638
5639 /*
5640 * Now create a connection from a new client but with the same server SSL
5641 * object
5642 */
5643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5644 NULL, NULL))
5645 /* Send the first ClientHello */
5646 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5647 SSL_ERROR_WANT_READ))
5648 /* This should fail because there is no cookie */
5649 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5650 /* Send the second ClientHello */
5651 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5652 SSL_ERROR_WANT_READ))
5653 /* This should succeed because a cookie is now present */
5654 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5655 /* Complete the connection */
5656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5657 SSL_ERROR_NONE)))
5658 goto end;
5659
5660 shutdown_ssl_connection(serverssl, clientssl);
5661 serverssl = clientssl = NULL;
5662 testresult = 1;
5663
5664 end:
5665 SSL_free(serverssl);
5666 SSL_free(clientssl);
5667 SSL_CTX_free(sctx);
5668 SSL_CTX_free(cctx);
5669 return testresult;
5670
5671 }
5672 #endif /* OSSL_NO_USABLE_TLS1_3 */
5673
5674 static int clntaddoldcb = 0;
5675 static int clntparseoldcb = 0;
5676 static int srvaddoldcb = 0;
5677 static int srvparseoldcb = 0;
5678 static int clntaddnewcb = 0;
5679 static int clntparsenewcb = 0;
5680 static int srvaddnewcb = 0;
5681 static int srvparsenewcb = 0;
5682 static int snicb = 0;
5683
5684 #define TEST_EXT_TYPE1 0xff00
5685
5686 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5687 size_t *outlen, int *al, void *add_arg)
5688 {
5689 int *server = (int *)add_arg;
5690 unsigned char *data;
5691
5692 if (SSL_is_server(s))
5693 srvaddoldcb++;
5694 else
5695 clntaddoldcb++;
5696
5697 if (*server != SSL_is_server(s)
5698 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5699 return -1;
5700
5701 *data = 1;
5702 *out = data;
5703 *outlen = sizeof(char);
5704 return 1;
5705 }
5706
5707 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5708 void *add_arg)
5709 {
5710 OPENSSL_free((unsigned char *)out);
5711 }
5712
5713 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5714 size_t inlen, int *al, void *parse_arg)
5715 {
5716 int *server = (int *)parse_arg;
5717
5718 if (SSL_is_server(s))
5719 srvparseoldcb++;
5720 else
5721 clntparseoldcb++;
5722
5723 if (*server != SSL_is_server(s)
5724 || inlen != sizeof(char)
5725 || *in != 1)
5726 return -1;
5727
5728 return 1;
5729 }
5730
5731 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5732 const unsigned char **out, size_t *outlen, X509 *x,
5733 size_t chainidx, int *al, void *add_arg)
5734 {
5735 int *server = (int *)add_arg;
5736 unsigned char *data;
5737
5738 if (SSL_is_server(s))
5739 srvaddnewcb++;
5740 else
5741 clntaddnewcb++;
5742
5743 if (*server != SSL_is_server(s)
5744 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5745 return -1;
5746
5747 *data = 1;
5748 *out = data;
5749 *outlen = sizeof(*data);
5750 return 1;
5751 }
5752
5753 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5754 const unsigned char *out, void *add_arg)
5755 {
5756 OPENSSL_free((unsigned char *)out);
5757 }
5758
5759 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5760 const unsigned char *in, size_t inlen, X509 *x,
5761 size_t chainidx, int *al, void *parse_arg)
5762 {
5763 int *server = (int *)parse_arg;
5764
5765 if (SSL_is_server(s))
5766 srvparsenewcb++;
5767 else
5768 clntparsenewcb++;
5769
5770 if (*server != SSL_is_server(s)
5771 || inlen != sizeof(char) || *in != 1)
5772 return -1;
5773
5774 return 1;
5775 }
5776
5777 static int sni_cb(SSL *s, int *al, void *arg)
5778 {
5779 SSL_CTX *ctx = (SSL_CTX *)arg;
5780
5781 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5782 *al = SSL_AD_INTERNAL_ERROR;
5783 return SSL_TLSEXT_ERR_ALERT_FATAL;
5784 }
5785 snicb++;
5786 return SSL_TLSEXT_ERR_OK;
5787 }
5788
5789 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5790 {
5791 return 1;
5792 }
5793
5794 /*
5795 * Custom call back tests.
5796 * Test 0: Old style callbacks in TLSv1.2
5797 * Test 1: New style callbacks in TLSv1.2
5798 * Test 2: New style callbacks in TLSv1.2 with SNI
5799 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5800 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5801 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5802 */
5803 static int test_custom_exts(int tst)
5804 {
5805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5806 SSL *clientssl = NULL, *serverssl = NULL;
5807 int testresult = 0;
5808 static int server = 1;
5809 static int client = 0;
5810 SSL_SESSION *sess = NULL;
5811 unsigned int context;
5812
5813 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5814 /* Skip tests for TLSv1.2 and below in this case */
5815 if (tst < 3)
5816 return 1;
5817 #endif
5818
5819 /* Reset callback counters */
5820 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5821 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5822 snicb = 0;
5823
5824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5825 TLS_client_method(), TLS1_VERSION, 0,
5826 &sctx, &cctx, cert, privkey)))
5827 goto end;
5828
5829 if (tst == 2
5830 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5831 TLS1_VERSION, 0,
5832 &sctx2, NULL, cert, privkey)))
5833 goto end;
5834
5835
5836 if (tst < 3) {
5837 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5838 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5839 if (sctx2 != NULL)
5840 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5841 }
5842
5843 if (tst == 5) {
5844 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5845 | SSL_EXT_TLS1_3_CERTIFICATE;
5846 SSL_CTX_set_verify(sctx,
5847 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5848 verify_cb);
5849 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5850 SSL_FILETYPE_PEM), 1)
5851 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5852 SSL_FILETYPE_PEM), 1)
5853 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5854 goto end;
5855 } else if (tst == 4) {
5856 context = SSL_EXT_CLIENT_HELLO
5857 | SSL_EXT_TLS1_2_SERVER_HELLO
5858 | SSL_EXT_TLS1_3_SERVER_HELLO
5859 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5860 | SSL_EXT_TLS1_3_CERTIFICATE
5861 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5862 } else {
5863 context = SSL_EXT_CLIENT_HELLO
5864 | SSL_EXT_TLS1_2_SERVER_HELLO
5865 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5866 }
5867
5868 /* Create a client side custom extension */
5869 if (tst == 0) {
5870 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5871 old_add_cb, old_free_cb,
5872 &client, old_parse_cb,
5873 &client)))
5874 goto end;
5875 } else {
5876 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5877 new_add_cb, new_free_cb,
5878 &client, new_parse_cb, &client)))
5879 goto end;
5880 }
5881
5882 /* Should not be able to add duplicates */
5883 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5884 old_add_cb, old_free_cb,
5885 &client, old_parse_cb,
5886 &client))
5887 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5888 context, new_add_cb,
5889 new_free_cb, &client,
5890 new_parse_cb, &client)))
5891 goto end;
5892
5893 /* Create a server side custom extension */
5894 if (tst == 0) {
5895 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5896 old_add_cb, old_free_cb,
5897 &server, old_parse_cb,
5898 &server)))
5899 goto end;
5900 } else {
5901 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5902 new_add_cb, new_free_cb,
5903 &server, new_parse_cb, &server)))
5904 goto end;
5905 if (sctx2 != NULL
5906 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5907 context, new_add_cb,
5908 new_free_cb, &server,
5909 new_parse_cb, &server)))
5910 goto end;
5911 }
5912
5913 /* Should not be able to add duplicates */
5914 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5915 old_add_cb, old_free_cb,
5916 &server, old_parse_cb,
5917 &server))
5918 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5919 context, new_add_cb,
5920 new_free_cb, &server,
5921 new_parse_cb, &server)))
5922 goto end;
5923
5924 if (tst == 2) {
5925 /* Set up SNI */
5926 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5927 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5928 goto end;
5929 }
5930
5931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5932 &clientssl, NULL, NULL))
5933 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5934 SSL_ERROR_NONE)))
5935 goto end;
5936
5937 if (tst == 0) {
5938 if (clntaddoldcb != 1
5939 || clntparseoldcb != 1
5940 || srvaddoldcb != 1
5941 || srvparseoldcb != 1)
5942 goto end;
5943 } else if (tst == 1 || tst == 2 || tst == 3) {
5944 if (clntaddnewcb != 1
5945 || clntparsenewcb != 1
5946 || srvaddnewcb != 1
5947 || srvparsenewcb != 1
5948 || (tst != 2 && snicb != 0)
5949 || (tst == 2 && snicb != 1))
5950 goto end;
5951 } else if (tst == 5) {
5952 if (clntaddnewcb != 1
5953 || clntparsenewcb != 1
5954 || srvaddnewcb != 1
5955 || srvparsenewcb != 1)
5956 goto end;
5957 } else {
5958 /* In this case there 2 NewSessionTicket messages created */
5959 if (clntaddnewcb != 1
5960 || clntparsenewcb != 5
5961 || srvaddnewcb != 5
5962 || srvparsenewcb != 1)
5963 goto end;
5964 }
5965
5966 sess = SSL_get1_session(clientssl);
5967 SSL_shutdown(clientssl);
5968 SSL_shutdown(serverssl);
5969 SSL_free(serverssl);
5970 SSL_free(clientssl);
5971 serverssl = clientssl = NULL;
5972
5973 if (tst == 3 || tst == 5) {
5974 /* We don't bother with the resumption aspects for these tests */
5975 testresult = 1;
5976 goto end;
5977 }
5978
5979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5980 NULL, NULL))
5981 || !TEST_true(SSL_set_session(clientssl, sess))
5982 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5983 SSL_ERROR_NONE)))
5984 goto end;
5985
5986 /*
5987 * For a resumed session we expect to add the ClientHello extension. For the
5988 * old style callbacks we ignore it on the server side because they set
5989 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5990 * them.
5991 */
5992 if (tst == 0) {
5993 if (clntaddoldcb != 2
5994 || clntparseoldcb != 1
5995 || srvaddoldcb != 1
5996 || srvparseoldcb != 1)
5997 goto end;
5998 } else if (tst == 1 || tst == 2 || tst == 3) {
5999 if (clntaddnewcb != 2
6000 || clntparsenewcb != 2
6001 || srvaddnewcb != 2
6002 || srvparsenewcb != 2)
6003 goto end;
6004 } else {
6005 /*
6006 * No Certificate message extensions in the resumption handshake,
6007 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6008 */
6009 if (clntaddnewcb != 2
6010 || clntparsenewcb != 8
6011 || srvaddnewcb != 8
6012 || srvparsenewcb != 2)
6013 goto end;
6014 }
6015
6016 testresult = 1;
6017
6018 end:
6019 SSL_SESSION_free(sess);
6020 SSL_free(serverssl);
6021 SSL_free(clientssl);
6022 SSL_CTX_free(sctx2);
6023 SSL_CTX_free(sctx);
6024 SSL_CTX_free(cctx);
6025 return testresult;
6026 }
6027
6028 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6029
6030 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6031 | SSL_EXT_CLIENT_HELLO \
6032 | SSL_EXT_TLS1_2_SERVER_HELLO \
6033 | SSL_EXT_IGNORE_ON_RESUMPTION)
6034
6035 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6036 | SSL_EXT_TLS1_2_SERVER_HELLO \
6037 | SSL_EXT_CLIENT_HELLO)
6038
6039 #define SERVERINFO_CUSTOM \
6040 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6041 0x00, 0x03, \
6042 0x04, 0x05, 0x06 \
6043
6044 static const unsigned char serverinfo_custom_tls13[] = {
6045 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6046 SERVERINFO_CUSTOM
6047 };
6048 static const unsigned char serverinfo_custom_v2[] = {
6049 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6050 SERVERINFO_CUSTOM
6051 };
6052 static const unsigned char serverinfo_custom_v1[] = {
6053 SERVERINFO_CUSTOM
6054 };
6055 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6056 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6057 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6058
6059 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6060 unsigned int context,
6061 const unsigned char *in,
6062 size_t inlen, X509 *x,
6063 size_t chainidx, int *al,
6064 void *parse_arg)
6065 {
6066 const size_t len = serverinfo_custom_v1_len;
6067 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6068 int *p_cb_result = (int*)parse_arg;
6069 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6070 return 1;
6071 }
6072
6073 static int test_serverinfo_custom(const int idx)
6074 {
6075 SSL_CTX *sctx = NULL, *cctx = NULL;
6076 SSL *clientssl = NULL, *serverssl = NULL;
6077 int testresult = 0;
6078 int cb_result = 0;
6079
6080 /*
6081 * Following variables are set in the switch statement
6082 * according to the test iteration.
6083 * Default values do not make much sense: test would fail with them.
6084 */
6085 int serverinfo_version = 0;
6086 int protocol_version = 0;
6087 unsigned int extension_context = 0;
6088 const unsigned char *si = NULL;
6089 size_t si_len = 0;
6090
6091 const int call_use_serverinfo_ex = idx > 0;
6092 switch (idx) {
6093 case 0: /* FALLTHROUGH */
6094 case 1:
6095 serverinfo_version = SSL_SERVERINFOV1;
6096 protocol_version = TLS1_2_VERSION;
6097 extension_context = SYNTHV1CONTEXT;
6098 si = serverinfo_custom_v1;
6099 si_len = serverinfo_custom_v1_len;
6100 break;
6101 case 2:
6102 serverinfo_version = SSL_SERVERINFOV2;
6103 protocol_version = TLS1_2_VERSION;
6104 extension_context = SYNTHV1CONTEXT;
6105 si = serverinfo_custom_v2;
6106 si_len = serverinfo_custom_v2_len;
6107 break;
6108 case 3:
6109 serverinfo_version = SSL_SERVERINFOV2;
6110 protocol_version = TLS1_3_VERSION;
6111 extension_context = TLS13CONTEXT;
6112 si = serverinfo_custom_tls13;
6113 si_len = serverinfo_custom_tls13_len;
6114 break;
6115 }
6116
6117 if (!TEST_true(create_ssl_ctx_pair(libctx,
6118 TLS_method(),
6119 TLS_method(),
6120 protocol_version,
6121 protocol_version,
6122 &sctx, &cctx, cert, privkey)))
6123 goto end;
6124
6125 if (call_use_serverinfo_ex) {
6126 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6127 si, si_len)))
6128 goto end;
6129 } else {
6130 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6131 goto end;
6132 }
6133
6134 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6135 extension_context,
6136 NULL, NULL, NULL,
6137 serverinfo_custom_parse_cb,
6138 &cb_result))
6139 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6140 NULL, NULL))
6141 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6142 SSL_ERROR_NONE))
6143 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6144 goto end;
6145
6146 if (!TEST_true(cb_result))
6147 goto end;
6148
6149 testresult = 1;
6150
6151 end:
6152 SSL_free(serverssl);
6153 SSL_free(clientssl);
6154 SSL_CTX_free(sctx);
6155 SSL_CTX_free(cctx);
6156
6157 return testresult;
6158 }
6159 #endif
6160
6161 /*
6162 * Test that SSL_export_keying_material() produces expected results. There are
6163 * no test vectors so all we do is test that both sides of the communication
6164 * produce the same results for different protocol versions.
6165 */
6166 #define SMALL_LABEL_LEN 10
6167 #define LONG_LABEL_LEN 249
6168 static int test_export_key_mat(int tst)
6169 {
6170 int testresult = 0;
6171 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6172 SSL *clientssl = NULL, *serverssl = NULL;
6173 const char label[LONG_LABEL_LEN + 1] = "test label";
6174 const unsigned char context[] = "context";
6175 const unsigned char *emptycontext = NULL;
6176 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6177 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6178 size_t labellen;
6179 const int protocols[] = {
6180 TLS1_VERSION,
6181 TLS1_1_VERSION,
6182 TLS1_2_VERSION,
6183 TLS1_3_VERSION,
6184 TLS1_3_VERSION,
6185 TLS1_3_VERSION
6186 };
6187
6188 #ifdef OPENSSL_NO_TLS1
6189 if (tst == 0)
6190 return 1;
6191 #endif
6192 #ifdef OPENSSL_NO_TLS1_1
6193 if (tst == 1)
6194 return 1;
6195 #endif
6196 if (is_fips && (tst == 0 || tst == 1))
6197 return 1;
6198 #ifdef OPENSSL_NO_TLS1_2
6199 if (tst == 2)
6200 return 1;
6201 #endif
6202 #ifdef OSSL_NO_USABLE_TLS1_3
6203 if (tst >= 3)
6204 return 1;
6205 #endif
6206 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6207 TLS_client_method(), TLS1_VERSION, 0,
6208 &sctx, &cctx, cert, privkey)))
6209 goto end;
6210
6211 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6212 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6213 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6214 if ((protocols[tst] < TLS1_2_VERSION) &&
6215 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6216 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6217 goto end;
6218
6219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6220 NULL)))
6221 goto end;
6222
6223 /*
6224 * Premature call of SSL_export_keying_material should just fail.
6225 */
6226 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6227 sizeof(ckeymat1), label,
6228 SMALL_LABEL_LEN + 1, context,
6229 sizeof(context) - 1, 1), 0))
6230 goto end;
6231
6232 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6233 SSL_ERROR_NONE)))
6234 goto end;
6235
6236 if (tst == 5) {
6237 /*
6238 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6239 * go over that.
6240 */
6241 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6242 sizeof(ckeymat1), label,
6243 LONG_LABEL_LEN + 1, context,
6244 sizeof(context) - 1, 1), 0))
6245 goto end;
6246
6247 testresult = 1;
6248 goto end;
6249 } else if (tst == 4) {
6250 labellen = LONG_LABEL_LEN;
6251 } else {
6252 labellen = SMALL_LABEL_LEN;
6253 }
6254
6255 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6256 sizeof(ckeymat1), label,
6257 labellen, context,
6258 sizeof(context) - 1, 1), 1)
6259 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6260 sizeof(ckeymat2), label,
6261 labellen,
6262 emptycontext,
6263 0, 1), 1)
6264 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6265 sizeof(ckeymat3), label,
6266 labellen,
6267 NULL, 0, 0), 1)
6268 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6269 sizeof(skeymat1), label,
6270 labellen,
6271 context,
6272 sizeof(context) -1, 1),
6273 1)
6274 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6275 sizeof(skeymat2), label,
6276 labellen,
6277 emptycontext,
6278 0, 1), 1)
6279 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6280 sizeof(skeymat3), label,
6281 labellen,
6282 NULL, 0, 0), 1)
6283 /*
6284 * Check that both sides created the same key material with the
6285 * same context.
6286 */
6287 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6288 sizeof(skeymat1))
6289 /*
6290 * Check that both sides created the same key material with an
6291 * empty context.
6292 */
6293 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6294 sizeof(skeymat2))
6295 /*
6296 * Check that both sides created the same key material without a
6297 * context.
6298 */
6299 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6300 sizeof(skeymat3))
6301 /* Different contexts should produce different results */
6302 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6303 sizeof(ckeymat2)))
6304 goto end;
6305
6306 /*
6307 * Check that an empty context and no context produce different results in
6308 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6309 */
6310 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6311 sizeof(ckeymat3)))
6312 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6313 sizeof(ckeymat3))))
6314 goto end;
6315
6316 testresult = 1;
6317
6318 end:
6319 SSL_free(serverssl);
6320 SSL_free(clientssl);
6321 SSL_CTX_free(sctx2);
6322 SSL_CTX_free(sctx);
6323 SSL_CTX_free(cctx);
6324
6325 return testresult;
6326 }
6327
6328 #ifndef OSSL_NO_USABLE_TLS1_3
6329 /*
6330 * Test that SSL_export_keying_material_early() produces expected
6331 * results. There are no test vectors so all we do is test that both
6332 * sides of the communication produce the same results for different
6333 * protocol versions.
6334 */
6335 static int test_export_key_mat_early(int idx)
6336 {
6337 static const char label[] = "test label";
6338 static const unsigned char context[] = "context";
6339 int testresult = 0;
6340 SSL_CTX *cctx = NULL, *sctx = NULL;
6341 SSL *clientssl = NULL, *serverssl = NULL;
6342 SSL_SESSION *sess = NULL;
6343 const unsigned char *emptycontext = NULL;
6344 unsigned char ckeymat1[80], ckeymat2[80];
6345 unsigned char skeymat1[80], skeymat2[80];
6346 unsigned char buf[1];
6347 size_t readbytes, written;
6348
6349 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6350 &sess, idx)))
6351 goto end;
6352
6353 /* Here writing 0 length early data is enough. */
6354 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6356 &readbytes),
6357 SSL_READ_EARLY_DATA_ERROR)
6358 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6359 SSL_EARLY_DATA_ACCEPTED))
6360 goto end;
6361
6362 if (!TEST_int_eq(SSL_export_keying_material_early(
6363 clientssl, ckeymat1, sizeof(ckeymat1), label,
6364 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6365 || !TEST_int_eq(SSL_export_keying_material_early(
6366 clientssl, ckeymat2, sizeof(ckeymat2), label,
6367 sizeof(label) - 1, emptycontext, 0), 1)
6368 || !TEST_int_eq(SSL_export_keying_material_early(
6369 serverssl, skeymat1, sizeof(skeymat1), label,
6370 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6371 || !TEST_int_eq(SSL_export_keying_material_early(
6372 serverssl, skeymat2, sizeof(skeymat2), label,
6373 sizeof(label) - 1, emptycontext, 0), 1)
6374 /*
6375 * Check that both sides created the same key material with the
6376 * same context.
6377 */
6378 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6379 sizeof(skeymat1))
6380 /*
6381 * Check that both sides created the same key material with an
6382 * empty context.
6383 */
6384 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6385 sizeof(skeymat2))
6386 /* Different contexts should produce different results */
6387 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6388 sizeof(ckeymat2)))
6389 goto end;
6390
6391 testresult = 1;
6392
6393 end:
6394 SSL_SESSION_free(sess);
6395 SSL_SESSION_free(clientpsk);
6396 SSL_SESSION_free(serverpsk);
6397 clientpsk = serverpsk = NULL;
6398 SSL_free(serverssl);
6399 SSL_free(clientssl);
6400 SSL_CTX_free(sctx);
6401 SSL_CTX_free(cctx);
6402
6403 return testresult;
6404 }
6405
6406 #define NUM_KEY_UPDATE_MESSAGES 40
6407 /*
6408 * Test KeyUpdate.
6409 */
6410 static int test_key_update(void)
6411 {
6412 SSL_CTX *cctx = NULL, *sctx = NULL;
6413 SSL *clientssl = NULL, *serverssl = NULL;
6414 int testresult = 0, i, j;
6415 char buf[20];
6416 static char *mess = "A test message";
6417
6418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6419 TLS_client_method(),
6420 TLS1_3_VERSION,
6421 0,
6422 &sctx, &cctx, cert, privkey))
6423 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6424 NULL, NULL))
6425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6426 SSL_ERROR_NONE)))
6427 goto end;
6428
6429 for (j = 0; j < 2; j++) {
6430 /* Send lots of KeyUpdate messages */
6431 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6432 if (!TEST_true(SSL_key_update(clientssl,
6433 (j == 0)
6434 ? SSL_KEY_UPDATE_NOT_REQUESTED
6435 : SSL_KEY_UPDATE_REQUESTED))
6436 || !TEST_true(SSL_do_handshake(clientssl)))
6437 goto end;
6438 }
6439
6440 /* Check that sending and receiving app data is ok */
6441 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6442 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6443 strlen(mess)))
6444 goto end;
6445
6446 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6447 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6448 strlen(mess)))
6449 goto end;
6450 }
6451
6452 testresult = 1;
6453
6454 end:
6455 SSL_free(serverssl);
6456 SSL_free(clientssl);
6457 SSL_CTX_free(sctx);
6458 SSL_CTX_free(cctx);
6459
6460 return testresult;
6461 }
6462
6463 /*
6464 * Test we can handle a KeyUpdate (update requested) message while
6465 * write data is pending in peer.
6466 * Test 0: Client sends KeyUpdate while Server is writing
6467 * Test 1: Server sends KeyUpdate while Client is writing
6468 */
6469 static int test_key_update_peer_in_write(int tst)
6470 {
6471 SSL_CTX *cctx = NULL, *sctx = NULL;
6472 SSL *clientssl = NULL, *serverssl = NULL;
6473 int testresult = 0;
6474 char buf[20];
6475 static char *mess = "A test message";
6476 BIO *bretry = BIO_new(bio_s_always_retry());
6477 BIO *tmp = NULL;
6478 SSL *peerupdate = NULL, *peerwrite = NULL;
6479
6480 if (!TEST_ptr(bretry)
6481 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6482 TLS_client_method(),
6483 TLS1_3_VERSION,
6484 0,
6485 &sctx, &cctx, cert, privkey))
6486 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6487 NULL, NULL))
6488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6489 SSL_ERROR_NONE)))
6490 goto end;
6491
6492 peerupdate = tst == 0 ? clientssl : serverssl;
6493 peerwrite = tst == 0 ? serverssl : clientssl;
6494
6495 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6496 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6497 goto end;
6498
6499 /* Swap the writing endpoint's write BIO to force a retry */
6500 tmp = SSL_get_wbio(peerwrite);
6501 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6502 tmp = NULL;
6503 goto end;
6504 }
6505 SSL_set0_wbio(peerwrite, bretry);
6506 bretry = NULL;
6507
6508 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6509 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6510 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6511 goto end;
6512
6513 /* Reinstate the original writing endpoint's write BIO */
6514 SSL_set0_wbio(peerwrite, tmp);
6515 tmp = NULL;
6516
6517 /* Now read some data - we will read the key update */
6518 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6519 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6520 goto end;
6521
6522 /*
6523 * Complete the write we started previously and read it from the other
6524 * endpoint
6525 */
6526 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6527 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6528 goto end;
6529
6530 /* Write more data to ensure we send the KeyUpdate message back */
6531 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6532 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6533 goto end;
6534
6535 testresult = 1;
6536
6537 end:
6538 SSL_free(serverssl);
6539 SSL_free(clientssl);
6540 SSL_CTX_free(sctx);
6541 SSL_CTX_free(cctx);
6542 BIO_free(bretry);
6543 BIO_free(tmp);
6544
6545 return testresult;
6546 }
6547
6548 /*
6549 * Test we can handle a KeyUpdate (update requested) message while
6550 * peer read data is pending after peer accepted keyupdate(the msg header
6551 * had been read 5 bytes).
6552 * Test 0: Client sends KeyUpdate while Server is reading
6553 * Test 1: Server sends KeyUpdate while Client is reading
6554 */
6555 static int test_key_update_peer_in_read(int tst)
6556 {
6557 SSL_CTX *cctx = NULL, *sctx = NULL;
6558 SSL *clientssl = NULL, *serverssl = NULL;
6559 int testresult = 0;
6560 char prbuf[515], lwbuf[515] = {0};
6561 static char *mess = "A test message";
6562 BIO *lbio = NULL, *pbio = NULL;
6563 SSL *local = NULL, *peer = NULL;
6564
6565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6566 TLS_client_method(),
6567 TLS1_3_VERSION,
6568 0,
6569 &sctx, &cctx, cert, privkey))
6570 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6571 NULL, NULL))
6572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6573 SSL_ERROR_NONE)))
6574 goto end;
6575
6576 local = tst == 0 ? clientssl : serverssl;
6577 peer = tst == 0 ? serverssl : clientssl;
6578
6579 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6580 goto end;
6581
6582 SSL_set_bio(local, lbio, lbio);
6583 SSL_set_bio(peer, pbio, pbio);
6584
6585 /*
6586 * we first write keyupdate msg then appdata in local
6587 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6588 * lwbuf app data msg size + key updata msg size > 512(the size of
6589 * the bio pair buffer)
6590 */
6591 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6592 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6593 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6594 goto end;
6595
6596 /*
6597 * first read keyupdate msg in peer in peer
6598 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6599 */
6600 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6601 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6602 goto end;
6603
6604 /* Now write some data in peer - we will write the key update */
6605 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6606 goto end;
6607
6608 /*
6609 * write data in local previously that we will complete
6610 * read data in peer previously that we will complete
6611 */
6612 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6613 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6614 goto end;
6615
6616 /* check that sending and receiving appdata ok */
6617 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6618 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6619 goto end;
6620
6621 testresult = 1;
6622
6623 end:
6624 SSL_free(serverssl);
6625 SSL_free(clientssl);
6626 SSL_CTX_free(sctx);
6627 SSL_CTX_free(cctx);
6628
6629 return testresult;
6630 }
6631
6632 /*
6633 * Test we can't send a KeyUpdate (update requested) message while
6634 * local write data is pending.
6635 * Test 0: Client sends KeyUpdate while Client is writing
6636 * Test 1: Server sends KeyUpdate while Server is writing
6637 */
6638 static int test_key_update_local_in_write(int tst)
6639 {
6640 SSL_CTX *cctx = NULL, *sctx = NULL;
6641 SSL *clientssl = NULL, *serverssl = NULL;
6642 int testresult = 0;
6643 char buf[20];
6644 static char *mess = "A test message";
6645 BIO *bretry = BIO_new(bio_s_always_retry());
6646 BIO *tmp = NULL;
6647 SSL *local = NULL, *peer = NULL;
6648
6649 if (!TEST_ptr(bretry)
6650 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6651 TLS_client_method(),
6652 TLS1_3_VERSION,
6653 0,
6654 &sctx, &cctx, cert, privkey))
6655 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6656 NULL, NULL))
6657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6658 SSL_ERROR_NONE)))
6659 goto end;
6660
6661 local = tst == 0 ? clientssl : serverssl;
6662 peer = tst == 0 ? serverssl : clientssl;
6663
6664 /* Swap the writing endpoint's write BIO to force a retry */
6665 tmp = SSL_get_wbio(local);
6666 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6667 tmp = NULL;
6668 goto end;
6669 }
6670 SSL_set0_wbio(local, bretry);
6671 bretry = NULL;
6672
6673 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6674 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6675 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6676 goto end;
6677
6678 /* Reinstate the original writing endpoint's write BIO */
6679 SSL_set0_wbio(local, tmp);
6680 tmp = NULL;
6681
6682 /* SSL_key_update will fail, because writing in local*/
6683 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6684 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6685 goto end;
6686
6687 ERR_clear_error();
6688 /* write data in local previously that we will complete */
6689 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6690 goto end;
6691
6692 /* SSL_key_update will succeed because there is no pending write data */
6693 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6694 || !TEST_int_eq(SSL_do_handshake(local), 1))
6695 goto end;
6696
6697 /*
6698 * we write some appdata in local
6699 * read data in peer - we will read the keyupdate msg
6700 */
6701 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6702 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6703 goto end;
6704
6705 /* Write more peer more data to ensure we send the keyupdate message back */
6706 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6707 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6708 goto end;
6709
6710 testresult = 1;
6711
6712 end:
6713 SSL_free(serverssl);
6714 SSL_free(clientssl);
6715 SSL_CTX_free(sctx);
6716 SSL_CTX_free(cctx);
6717 BIO_free(bretry);
6718 BIO_free(tmp);
6719
6720 return testresult;
6721 }
6722
6723 /*
6724 * Test we can handle a KeyUpdate (update requested) message while
6725 * local read data is pending(the msg header had been read 5 bytes).
6726 * Test 0: Client sends KeyUpdate while Client is reading
6727 * Test 1: Server sends KeyUpdate while Server is reading
6728 */
6729 static int test_key_update_local_in_read(int tst)
6730 {
6731 SSL_CTX *cctx = NULL, *sctx = NULL;
6732 SSL *clientssl = NULL, *serverssl = NULL;
6733 int testresult = 0;
6734 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6735 static char *mess = "A test message";
6736 BIO *lbio = NULL, *pbio = NULL;
6737 SSL *local = NULL, *peer = NULL;
6738
6739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6740 TLS_client_method(),
6741 TLS1_3_VERSION,
6742 0,
6743 &sctx, &cctx, cert, privkey))
6744 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6745 NULL, NULL))
6746 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6747 SSL_ERROR_NONE)))
6748 goto end;
6749
6750 local = tst == 0 ? clientssl : serverssl;
6751 peer = tst == 0 ? serverssl : clientssl;
6752
6753 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6754 goto end;
6755
6756 SSL_set_bio(local, lbio, lbio);
6757 SSL_set_bio(peer, pbio, pbio);
6758
6759 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6760 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6761 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6762 goto end;
6763
6764 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6765 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6766 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6767 goto end;
6768
6769 /* SSL_do_handshake will send keyupdate msg */
6770 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6771 || !TEST_int_eq(SSL_do_handshake(local), 1))
6772 goto end;
6773
6774 /*
6775 * write data in peer previously that we will complete
6776 * read data in local previously that we will complete
6777 */
6778 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6779 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6780 goto end;
6781
6782 /*
6783 * write data in local
6784 * read data in peer - we will read the key update
6785 */
6786 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6787 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6788 goto end;
6789
6790 /* Write more peer data to ensure we send the keyupdate message back */
6791 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6792 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6793 goto end;
6794
6795 testresult = 1;
6796
6797 end:
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6800 SSL_CTX_free(sctx);
6801 SSL_CTX_free(cctx);
6802
6803 return testresult;
6804 }
6805 #endif /* OSSL_NO_USABLE_TLS1_3 */
6806
6807 static int test_ssl_clear(int idx)
6808 {
6809 SSL_CTX *cctx = NULL, *sctx = NULL;
6810 SSL *clientssl = NULL, *serverssl = NULL;
6811 int testresult = 0;
6812
6813 #ifdef OPENSSL_NO_TLS1_2
6814 if (idx == 1)
6815 return 1;
6816 #endif
6817
6818 /* Create an initial connection */
6819 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6820 TLS_client_method(), TLS1_VERSION, 0,
6821 &sctx, &cctx, cert, privkey))
6822 || (idx == 1
6823 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6824 TLS1_2_VERSION)))
6825 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6826 &clientssl, NULL, NULL))
6827 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6828 SSL_ERROR_NONE)))
6829 goto end;
6830
6831 SSL_shutdown(clientssl);
6832 SSL_shutdown(serverssl);
6833 SSL_free(serverssl);
6834 serverssl = NULL;
6835
6836 /* Clear clientssl - we're going to reuse the object */
6837 if (!TEST_true(SSL_clear(clientssl)))
6838 goto end;
6839
6840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6841 NULL, NULL))
6842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6843 SSL_ERROR_NONE))
6844 || !TEST_true(SSL_session_reused(clientssl)))
6845 goto end;
6846
6847 SSL_shutdown(clientssl);
6848 SSL_shutdown(serverssl);
6849
6850 testresult = 1;
6851
6852 end:
6853 SSL_free(serverssl);
6854 SSL_free(clientssl);
6855 SSL_CTX_free(sctx);
6856 SSL_CTX_free(cctx);
6857
6858 return testresult;
6859 }
6860
6861 /* Parse CH and retrieve any MFL extension value if present */
6862 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6863 {
6864 long len;
6865 unsigned char *data;
6866 PACKET pkt, pkt2, pkt3;
6867 unsigned int MFL_code = 0, type = 0;
6868
6869 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
6870 goto end;
6871
6872 memset(&pkt, 0, sizeof(pkt));
6873 memset(&pkt2, 0, sizeof(pkt2));
6874 memset(&pkt3, 0, sizeof(pkt3));
6875
6876 if (!TEST_long_gt(len, 0)
6877 || !TEST_true(PACKET_buf_init(&pkt, data, len))
6878 /* Skip the record header */
6879 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6880 /* Skip the handshake message header */
6881 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6882 /* Skip client version and random */
6883 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6884 + SSL3_RANDOM_SIZE))
6885 /* Skip session id */
6886 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6887 /* Skip ciphers */
6888 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6889 /* Skip compression */
6890 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6891 /* Extensions len */
6892 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6893 goto end;
6894
6895 /* Loop through all extensions */
6896 while (PACKET_remaining(&pkt2)) {
6897 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6898 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6899 goto end;
6900
6901 if (type == TLSEXT_TYPE_max_fragment_length) {
6902 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6903 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6904 goto end;
6905
6906 *mfl_codemfl_code = MFL_code;
6907 return 1;
6908 }
6909 }
6910
6911 end:
6912 return 0;
6913 }
6914
6915 /* Maximum-Fragment-Length TLS extension mode to test */
6916 static const unsigned char max_fragment_len_test[] = {
6917 TLSEXT_max_fragment_length_512,
6918 TLSEXT_max_fragment_length_1024,
6919 TLSEXT_max_fragment_length_2048,
6920 TLSEXT_max_fragment_length_4096
6921 };
6922
6923 static int test_max_fragment_len_ext(int idx_tst)
6924 {
6925 SSL_CTX *ctx = NULL;
6926 SSL *con = NULL;
6927 int testresult = 0, MFL_mode = 0;
6928 BIO *rbio, *wbio;
6929
6930 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6931 TLS1_VERSION, 0, NULL, &ctx, NULL,
6932 NULL)))
6933 return 0;
6934
6935 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6936 ctx, max_fragment_len_test[idx_tst])))
6937 goto end;
6938
6939 con = SSL_new(ctx);
6940 if (!TEST_ptr(con))
6941 goto end;
6942
6943 rbio = BIO_new(BIO_s_mem());
6944 wbio = BIO_new(BIO_s_mem());
6945 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6946 BIO_free(rbio);
6947 BIO_free(wbio);
6948 goto end;
6949 }
6950
6951 SSL_set_bio(con, rbio, wbio);
6952
6953 if (!TEST_int_le(SSL_connect(con), 0)) {
6954 /* This shouldn't succeed because we don't have a server! */
6955 goto end;
6956 }
6957
6958 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6959 /* no MFL in client hello */
6960 goto end;
6961 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6962 goto end;
6963
6964 testresult = 1;
6965
6966 end:
6967 SSL_free(con);
6968 SSL_CTX_free(ctx);
6969
6970 return testresult;
6971 }
6972
6973 #ifndef OSSL_NO_USABLE_TLS1_3
6974 static int test_pha_key_update(void)
6975 {
6976 SSL_CTX *cctx = NULL, *sctx = NULL;
6977 SSL *clientssl = NULL, *serverssl = NULL;
6978 int testresult = 0;
6979
6980 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6981 TLS_client_method(), TLS1_VERSION, 0,
6982 &sctx, &cctx, cert, privkey)))
6983 return 0;
6984
6985 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6987 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6988 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6989 goto end;
6990
6991 SSL_CTX_set_post_handshake_auth(cctx, 1);
6992
6993 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6994 NULL, NULL)))
6995 goto end;
6996
6997 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6998 SSL_ERROR_NONE)))
6999 goto end;
7000
7001 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7002 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7003 goto end;
7004
7005 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7006 goto end;
7007
7008 /* Start handshake on the server */
7009 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7010 goto end;
7011
7012 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7013 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7014 SSL_ERROR_NONE)))
7015 goto end;
7016
7017 SSL_shutdown(clientssl);
7018 SSL_shutdown(serverssl);
7019
7020 testresult = 1;
7021
7022 end:
7023 SSL_free(serverssl);
7024 SSL_free(clientssl);
7025 SSL_CTX_free(sctx);
7026 SSL_CTX_free(cctx);
7027 return testresult;
7028 }
7029 #endif
7030
7031 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7032
7033 static SRP_VBASE *vbase = NULL;
7034
7035 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7036 {
7037 int ret = SSL3_AL_FATAL;
7038 char *username;
7039 SRP_user_pwd *user = NULL;
7040
7041 username = SSL_get_srp_username(s);
7042 if (username == NULL) {
7043 *ad = SSL_AD_INTERNAL_ERROR;
7044 goto err;
7045 }
7046
7047 user = SRP_VBASE_get1_by_user(vbase, username);
7048 if (user == NULL) {
7049 *ad = SSL_AD_INTERNAL_ERROR;
7050 goto err;
7051 }
7052
7053 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7054 user->info) <= 0) {
7055 *ad = SSL_AD_INTERNAL_ERROR;
7056 goto err;
7057 }
7058
7059 ret = 0;
7060
7061 err:
7062 SRP_user_pwd_free(user);
7063 return ret;
7064 }
7065
7066 static int create_new_vfile(char *userid, char *password, const char *filename)
7067 {
7068 char *gNid = NULL;
7069 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7070 TXT_DB *db = NULL;
7071 int ret = 0;
7072 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7073 size_t i;
7074
7075 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7076 goto end;
7077
7078 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7079 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7080 if (!TEST_ptr(gNid))
7081 goto end;
7082
7083 /*
7084 * The only way to create an empty TXT_DB is to provide a BIO with no data
7085 * in it!
7086 */
7087 db = TXT_DB_read(dummy, DB_NUMBER);
7088 if (!TEST_ptr(db))
7089 goto end;
7090
7091 out = BIO_new_file(filename, "w");
7092 if (!TEST_ptr(out))
7093 goto end;
7094
7095 row[DB_srpid] = OPENSSL_strdup(userid);
7096 row[DB_srptype] = OPENSSL_strdup("V");
7097 row[DB_srpgN] = OPENSSL_strdup(gNid);
7098
7099 if (!TEST_ptr(row[DB_srpid])
7100 || !TEST_ptr(row[DB_srptype])
7101 || !TEST_ptr(row[DB_srpgN])
7102 || !TEST_true(TXT_DB_insert(db, row)))
7103 goto end;
7104
7105 row = NULL;
7106
7107 if (TXT_DB_write(out, db) <= 0)
7108 goto end;
7109
7110 ret = 1;
7111 end:
7112 if (row != NULL) {
7113 for (i = 0; i < DB_NUMBER; i++)
7114 OPENSSL_free(row[i]);
7115 }
7116 OPENSSL_free(row);
7117 BIO_free(dummy);
7118 BIO_free(out);
7119 TXT_DB_free(db);
7120
7121 return ret;
7122 }
7123
7124 static int create_new_vbase(char *userid, char *password)
7125 {
7126 BIGNUM *verifier = NULL, *salt = NULL;
7127 const SRP_gN *lgN = NULL;
7128 SRP_user_pwd *user_pwd = NULL;
7129 int ret = 0;
7130
7131 lgN = SRP_get_default_gN(NULL);
7132 if (!TEST_ptr(lgN))
7133 goto end;
7134
7135 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7136 lgN->N, lgN->g, libctx, NULL)))
7137 goto end;
7138
7139 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7140 if (!TEST_ptr(user_pwd))
7141 goto end;
7142
7143 user_pwd->N = lgN->N;
7144 user_pwd->g = lgN->g;
7145 user_pwd->id = OPENSSL_strdup(userid);
7146 if (!TEST_ptr(user_pwd->id))
7147 goto end;
7148
7149 user_pwd->v = verifier;
7150 user_pwd->s = salt;
7151 verifier = salt = NULL;
7152
7153 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7154 goto end;
7155 user_pwd = NULL;
7156
7157 ret = 1;
7158 end:
7159 SRP_user_pwd_free(user_pwd);
7160 BN_free(salt);
7161 BN_free(verifier);
7162
7163 return ret;
7164 }
7165
7166 /*
7167 * SRP tests
7168 *
7169 * Test 0: Simple successful SRP connection, new vbase
7170 * Test 1: Connection failure due to bad password, new vbase
7171 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7172 * Test 3: Connection failure due to bad password, vbase loaded from existing
7173 * file
7174 * Test 4: Simple successful SRP connection, vbase loaded from new file
7175 * Test 5: Connection failure due to bad password, vbase loaded from new file
7176 */
7177 static int test_srp(int tst)
7178 {
7179 char *userid = "test", *password = "password", *tstsrpfile;
7180 SSL_CTX *cctx = NULL, *sctx = NULL;
7181 SSL *clientssl = NULL, *serverssl = NULL;
7182 int ret, testresult = 0;
7183
7184 vbase = SRP_VBASE_new(NULL);
7185 if (!TEST_ptr(vbase))
7186 goto end;
7187
7188 if (tst == 0 || tst == 1) {
7189 if (!TEST_true(create_new_vbase(userid, password)))
7190 goto end;
7191 } else {
7192 if (tst == 4 || tst == 5) {
7193 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7194 goto end;
7195 tstsrpfile = tmpfilename;
7196 } else {
7197 tstsrpfile = srpvfile;
7198 }
7199 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7200 goto end;
7201 }
7202
7203 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7204 TLS_client_method(), TLS1_VERSION, 0,
7205 &sctx, &cctx, cert, privkey)))
7206 goto end;
7207
7208 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7209 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7210 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7211 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7212 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7213 goto end;
7214
7215 if (tst % 2 == 1) {
7216 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7217 goto end;
7218 } else {
7219 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7220 goto end;
7221 }
7222
7223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7224 NULL, NULL)))
7225 goto end;
7226
7227 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7228 if (ret) {
7229 if (!TEST_true(tst % 2 == 0))
7230 goto end;
7231 } else {
7232 if (!TEST_true(tst % 2 == 1))
7233 goto end;
7234 }
7235
7236 testresult = 1;
7237
7238 end:
7239 SRP_VBASE_free(vbase);
7240 vbase = NULL;
7241 SSL_free(serverssl);
7242 SSL_free(clientssl);
7243 SSL_CTX_free(sctx);
7244 SSL_CTX_free(cctx);
7245
7246 return testresult;
7247 }
7248 #endif
7249
7250 static int info_cb_failed = 0;
7251 static int info_cb_offset = 0;
7252 static int info_cb_this_state = -1;
7253
7254 static struct info_cb_states_st {
7255 int where;
7256 const char *statestr;
7257 } info_cb_states[][60] = {
7258 {
7259 /* TLSv1.2 server followed by resumption */
7260 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7261 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7262 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7263 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7264 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7265 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7266 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7267 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7268 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7269 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7270 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7271 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7272 {SSL_CB_EXIT, NULL}, {0, NULL},
7273 }, {
7274 /* TLSv1.2 client followed by resumption */
7275 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7276 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7277 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7278 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7279 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7280 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7281 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7282 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7283 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7284 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7285 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7286 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7287 }, {
7288 /* TLSv1.3 server followed by resumption */
7289 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7290 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7291 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7292 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7293 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7294 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7295 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7296 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7297 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7298 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7299 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7300 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7301 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7302 }, {
7303 /* TLSv1.3 client followed by resumption */
7304 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7305 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7306 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7307 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7308 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7309 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7310 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7311 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7312 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7313 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7314 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7315 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7316 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7317 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7318 {SSL_CB_EXIT, NULL}, {0, NULL},
7319 }, {
7320 /* TLSv1.3 server, early_data */
7321 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7322 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7323 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7325 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7326 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7327 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7328 {SSL_CB_EXIT, NULL}, {0, NULL},
7329 }, {
7330 /* TLSv1.3 client, early_data */
7331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7333 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7335 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7336 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7337 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7338 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7339 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7340 }, {
7341 /* TLSv1.3 server, certificate compression, followed by resumption */
7342 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7343 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7345 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7346 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7347 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7348 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7350 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7351 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7352 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7353 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7354 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7355 }, {
7356 /* TLSv1.3 client, certificate compression, followed by resumption */
7357 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7358 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7359 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7360 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7361 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7362 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7363 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7364 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7365 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7366 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7367 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7368 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7370 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7371 {SSL_CB_EXIT, NULL}, {0, NULL},
7372 }, {
7373 {0, NULL},
7374 }
7375 };
7376
7377 static void sslapi_info_callback(const SSL *s, int where, int ret)
7378 {
7379 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7380
7381 /* We do not ever expect a connection to fail in this test */
7382 if (!TEST_false(ret == 0)) {
7383 info_cb_failed = 1;
7384 return;
7385 }
7386
7387 /*
7388 * Do some sanity checks. We never expect these things to happen in this
7389 * test
7390 */
7391 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7392 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7393 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7394 info_cb_failed = 1;
7395 return;
7396 }
7397
7398 /* Now check we're in the right state */
7399 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7400 info_cb_failed = 1;
7401 return;
7402 }
7403 if ((where & SSL_CB_LOOP) != 0
7404 && !TEST_int_eq(strcmp(SSL_state_string(s),
7405 state[info_cb_this_state].statestr), 0)) {
7406 info_cb_failed = 1;
7407 return;
7408 }
7409
7410 /*
7411 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7412 */
7413 if ((where & SSL_CB_HANDSHAKE_DONE)
7414 && SSL_in_init((SSL *)s) != 0) {
7415 info_cb_failed = 1;
7416 return;
7417 }
7418 }
7419
7420 /*
7421 * Test the info callback gets called when we expect it to.
7422 *
7423 * Test 0: TLSv1.2, server
7424 * Test 1: TLSv1.2, client
7425 * Test 2: TLSv1.3, server
7426 * Test 3: TLSv1.3, client
7427 * Test 4: TLSv1.3, server, early_data
7428 * Test 5: TLSv1.3, client, early_data
7429 * Test 6: TLSv1.3, server, compressed certificate
7430 * Test 7: TLSv1.3, client, compressed certificate
7431 */
7432 static int test_info_callback(int tst)
7433 {
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7436 SSL_SESSION *clntsess = NULL;
7437 int testresult = 0;
7438 int tlsvers;
7439
7440 if (tst < 2) {
7441 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7442 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7443 || !defined(OPENSSL_NO_DH))
7444 tlsvers = TLS1_2_VERSION;
7445 #else
7446 return 1;
7447 #endif
7448 } else {
7449 #ifndef OSSL_NO_USABLE_TLS1_3
7450 tlsvers = TLS1_3_VERSION;
7451 #else
7452 return 1;
7453 #endif
7454 }
7455
7456 /* Reset globals */
7457 info_cb_failed = 0;
7458 info_cb_this_state = -1;
7459 info_cb_offset = tst;
7460
7461 #ifndef OSSL_NO_USABLE_TLS1_3
7462 if (tst >= 4 && tst < 6) {
7463 SSL_SESSION *sess = NULL;
7464 size_t written, readbytes;
7465 unsigned char buf[80];
7466
7467 /* early_data tests */
7468 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7469 &serverssl, &sess, 0)))
7470 goto end;
7471
7472 /* We don't actually need this reference */
7473 SSL_SESSION_free(sess);
7474
7475 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7476 sslapi_info_callback);
7477
7478 /* Write and read some early data and then complete the connection */
7479 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7480 &written))
7481 || !TEST_size_t_eq(written, strlen(MSG1))
7482 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7483 sizeof(buf), &readbytes),
7484 SSL_READ_EARLY_DATA_SUCCESS)
7485 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7486 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7487 SSL_EARLY_DATA_ACCEPTED)
7488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7489 SSL_ERROR_NONE))
7490 || !TEST_false(info_cb_failed))
7491 goto end;
7492
7493 testresult = 1;
7494 goto end;
7495 }
7496 #endif
7497
7498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7499 TLS_client_method(),
7500 tlsvers, tlsvers, &sctx, &cctx, cert,
7501 privkey)))
7502 goto end;
7503
7504 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7505 goto end;
7506
7507 /*
7508 * For even numbered tests we check the server callbacks. For odd numbers we
7509 * check the client.
7510 */
7511 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7512 sslapi_info_callback);
7513 if (tst >= 6) {
7514 if (!SSL_CTX_compress_certs(sctx, 0))
7515 goto end;
7516 }
7517
7518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7519 &clientssl, NULL, NULL))
7520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7521 SSL_ERROR_NONE))
7522 || !TEST_false(info_cb_failed))
7523 goto end;
7524
7525
7526
7527 clntsess = SSL_get1_session(clientssl);
7528 SSL_shutdown(clientssl);
7529 SSL_shutdown(serverssl);
7530 SSL_free(serverssl);
7531 SSL_free(clientssl);
7532 serverssl = clientssl = NULL;
7533
7534 /* Now do a resumption */
7535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7536 NULL))
7537 || !TEST_true(SSL_set_session(clientssl, clntsess))
7538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7539 SSL_ERROR_NONE))
7540 || !TEST_true(SSL_session_reused(clientssl))
7541 || !TEST_false(info_cb_failed))
7542 goto end;
7543
7544 testresult = 1;
7545
7546 end:
7547 SSL_free(serverssl);
7548 SSL_free(clientssl);
7549 SSL_SESSION_free(clntsess);
7550 SSL_CTX_free(sctx);
7551 SSL_CTX_free(cctx);
7552 return testresult;
7553 }
7554
7555 static int test_ssl_pending(int tst)
7556 {
7557 SSL_CTX *cctx = NULL, *sctx = NULL;
7558 SSL *clientssl = NULL, *serverssl = NULL;
7559 int testresult = 0;
7560 char msg[] = "A test message";
7561 char buf[5];
7562 size_t written, readbytes;
7563
7564 if (tst == 0) {
7565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7566 TLS_client_method(),
7567 TLS1_VERSION, 0,
7568 &sctx, &cctx, cert, privkey)))
7569 goto end;
7570 } else {
7571 #ifndef OPENSSL_NO_DTLS
7572 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7573 DTLS_client_method(),
7574 DTLS1_VERSION, 0,
7575 &sctx, &cctx, cert, privkey)))
7576 goto end;
7577
7578 # ifdef OPENSSL_NO_DTLS1_2
7579 /* Not supported in the FIPS provider */
7580 if (is_fips) {
7581 testresult = 1;
7582 goto end;
7583 };
7584 /*
7585 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7586 * level 0
7587 */
7588 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7589 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7590 "DEFAULT:@SECLEVEL=0")))
7591 goto end;
7592 # endif
7593 #else
7594 return 1;
7595 #endif
7596 }
7597
7598 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7599 NULL, NULL))
7600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7601 SSL_ERROR_NONE)))
7602 goto end;
7603
7604 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7605 || !TEST_false(SSL_has_pending(clientssl))
7606 || !TEST_int_eq(SSL_pending(serverssl), 0)
7607 || !TEST_false(SSL_has_pending(serverssl))
7608 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7609 || !TEST_size_t_eq(written, sizeof(msg))
7610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7611 || !TEST_size_t_eq(readbytes, sizeof(buf))
7612 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7613 || !TEST_true(SSL_has_pending(clientssl)))
7614 goto end;
7615
7616 testresult = 1;
7617
7618 end:
7619 SSL_free(serverssl);
7620 SSL_free(clientssl);
7621 SSL_CTX_free(sctx);
7622 SSL_CTX_free(cctx);
7623
7624 return testresult;
7625 }
7626
7627 static struct {
7628 unsigned int maxprot;
7629 const char *clntciphers;
7630 const char *clnttls13ciphers;
7631 const char *srvrciphers;
7632 const char *srvrtls13ciphers;
7633 const char *shared;
7634 const char *fipsshared;
7635 } shared_ciphers_data[] = {
7636 /*
7637 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7638 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7639 */
7640 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7641 {
7642 TLS1_2_VERSION,
7643 "AES128-SHA:AES256-SHA",
7644 NULL,
7645 "AES256-SHA:DHE-RSA-AES128-SHA",
7646 NULL,
7647 "AES256-SHA",
7648 "AES256-SHA"
7649 },
7650 # if !defined(OPENSSL_NO_CHACHA) \
7651 && !defined(OPENSSL_NO_POLY1305) \
7652 && !defined(OPENSSL_NO_EC)
7653 {
7654 TLS1_2_VERSION,
7655 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7656 NULL,
7657 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7658 NULL,
7659 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7660 "AES128-SHA"
7661 },
7662 # endif
7663 {
7664 TLS1_2_VERSION,
7665 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7666 NULL,
7667 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7668 NULL,
7669 "AES128-SHA:AES256-SHA",
7670 "AES128-SHA:AES256-SHA"
7671 },
7672 {
7673 TLS1_2_VERSION,
7674 "AES128-SHA:AES256-SHA",
7675 NULL,
7676 "AES128-SHA:DHE-RSA-AES128-SHA",
7677 NULL,
7678 "AES128-SHA",
7679 "AES128-SHA"
7680 },
7681 #endif
7682 /*
7683 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7684 * enabled.
7685 */
7686 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7687 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7688 {
7689 TLS1_3_VERSION,
7690 "AES128-SHA:AES256-SHA",
7691 NULL,
7692 "AES256-SHA:AES128-SHA256",
7693 NULL,
7694 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7695 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7696 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7697 },
7698 #endif
7699 #ifndef OSSL_NO_USABLE_TLS1_3
7700 {
7701 TLS1_3_VERSION,
7702 "AES128-SHA",
7703 "TLS_AES_256_GCM_SHA384",
7704 "AES256-SHA",
7705 "TLS_AES_256_GCM_SHA384",
7706 "TLS_AES_256_GCM_SHA384",
7707 "TLS_AES_256_GCM_SHA384"
7708 },
7709 #endif
7710 };
7711
7712 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7713 {
7714 SSL_CTX *cctx = NULL, *sctx = NULL;
7715 SSL *clientssl = NULL, *serverssl = NULL;
7716 int testresult = 0;
7717 char buf[1024];
7718 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7719
7720 if (!TEST_ptr(tmplibctx))
7721 goto end;
7722
7723 /*
7724 * Regardless of whether we're testing with the FIPS provider loaded into
7725 * libctx, we want one peer to always use the full set of ciphersuites
7726 * available. Therefore we use a separate libctx with the default provider
7727 * loaded into it. We run the same tests twice - once with the client side
7728 * having the full set of ciphersuites and once with the server side.
7729 */
7730 if (clnt) {
7731 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7732 if (!TEST_ptr(cctx))
7733 goto end;
7734 } else {
7735 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7736 if (!TEST_ptr(sctx))
7737 goto end;
7738 }
7739
7740 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7741 TLS_client_method(),
7742 TLS1_VERSION,
7743 shared_ciphers_data[tst].maxprot,
7744 &sctx, &cctx, cert, privkey)))
7745 goto end;
7746
7747 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7748 shared_ciphers_data[tst].clntciphers))
7749 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7750 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7751 shared_ciphers_data[tst].clnttls13ciphers)))
7752 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7753 shared_ciphers_data[tst].srvrciphers))
7754 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7755 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7756 shared_ciphers_data[tst].srvrtls13ciphers))))
7757 goto end;
7758
7759
7760 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7761 NULL, NULL))
7762 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7763 SSL_ERROR_NONE)))
7764 goto end;
7765
7766 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7767 || !TEST_int_eq(strcmp(buf,
7768 is_fips
7769 ? shared_ciphers_data[tst].fipsshared
7770 : shared_ciphers_data[tst].shared),
7771 0)) {
7772 TEST_info("Shared ciphers are: %s\n", buf);
7773 goto end;
7774 }
7775
7776 testresult = 1;
7777
7778 end:
7779 SSL_free(serverssl);
7780 SSL_free(clientssl);
7781 SSL_CTX_free(sctx);
7782 SSL_CTX_free(cctx);
7783 OSSL_LIB_CTX_free(tmplibctx);
7784
7785 return testresult;
7786 }
7787
7788 static int test_ssl_get_shared_ciphers(int tst)
7789 {
7790 return int_test_ssl_get_shared_ciphers(tst, 0)
7791 && int_test_ssl_get_shared_ciphers(tst, 1);
7792 }
7793
7794
7795 static const char *appdata = "Hello World";
7796 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7797 static int tick_key_renew = 0;
7798 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7799
7800 static int gen_tick_cb(SSL *s, void *arg)
7801 {
7802 gen_tick_called = 1;
7803
7804 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7805 strlen(appdata));
7806 }
7807
7808 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7809 const unsigned char *keyname,
7810 size_t keyname_length,
7811 SSL_TICKET_STATUS status,
7812 void *arg)
7813 {
7814 void *tickdata;
7815 size_t tickdlen;
7816
7817 dec_tick_called = 1;
7818
7819 if (status == SSL_TICKET_EMPTY)
7820 return SSL_TICKET_RETURN_IGNORE_RENEW;
7821
7822 if (!TEST_true(status == SSL_TICKET_SUCCESS
7823 || status == SSL_TICKET_SUCCESS_RENEW))
7824 return SSL_TICKET_RETURN_ABORT;
7825
7826 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7827 &tickdlen))
7828 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7829 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7830 return SSL_TICKET_RETURN_ABORT;
7831
7832 if (tick_key_cb_called) {
7833 /* Don't change what the ticket key callback wanted to do */
7834 switch (status) {
7835 case SSL_TICKET_NO_DECRYPT:
7836 return SSL_TICKET_RETURN_IGNORE_RENEW;
7837
7838 case SSL_TICKET_SUCCESS:
7839 return SSL_TICKET_RETURN_USE;
7840
7841 case SSL_TICKET_SUCCESS_RENEW:
7842 return SSL_TICKET_RETURN_USE_RENEW;
7843
7844 default:
7845 return SSL_TICKET_RETURN_ABORT;
7846 }
7847 }
7848 return tick_dec_ret;
7849
7850 }
7851
7852 #ifndef OPENSSL_NO_DEPRECATED_3_0
7853 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7854 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7855 HMAC_CTX *hctx, int enc)
7856 {
7857 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7858 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7859 EVP_CIPHER *aes128cbc;
7860 EVP_MD *sha256;
7861 int ret;
7862
7863 tick_key_cb_called = 1;
7864
7865 if (tick_key_renew == -1)
7866 return 0;
7867
7868 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7869 if (!TEST_ptr(aes128cbc))
7870 return 0;
7871 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7872 if (!TEST_ptr(sha256)) {
7873 EVP_CIPHER_free(aes128cbc);
7874 return 0;
7875 }
7876
7877 memset(iv, 0, AES_BLOCK_SIZE);
7878 memset(key_name, 0, 16);
7879 if (aes128cbc == NULL
7880 || sha256 == NULL
7881 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7882 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7883 NULL))
7884 ret = -1;
7885 else
7886 ret = tick_key_renew ? 2 : 1;
7887
7888 EVP_CIPHER_free(aes128cbc);
7889 EVP_MD_free(sha256);
7890
7891 return ret;
7892 }
7893 #endif
7894
7895 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7896 unsigned char iv[EVP_MAX_IV_LENGTH],
7897 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7898 {
7899 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7900 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7901 OSSL_PARAM params[2];
7902 EVP_CIPHER *aes128cbc;
7903 int ret;
7904
7905 tick_key_cb_called = 1;
7906
7907 if (tick_key_renew == -1)
7908 return 0;
7909
7910 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7911 if (!TEST_ptr(aes128cbc))
7912 return 0;
7913
7914 memset(iv, 0, AES_BLOCK_SIZE);
7915 memset(key_name, 0, 16);
7916 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7917 "SHA256", 0);
7918 params[1] = OSSL_PARAM_construct_end();
7919 if (aes128cbc == NULL
7920 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7921 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7922 params))
7923 ret = -1;
7924 else
7925 ret = tick_key_renew ? 2 : 1;
7926
7927 EVP_CIPHER_free(aes128cbc);
7928
7929 return ret;
7930 }
7931
7932 /*
7933 * Test the various ticket callbacks
7934 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7935 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7936 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7937 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7938 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7939 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7940 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7941 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7942 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7943 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7944 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7945 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7946 * Test 12: TLSv1.2, old ticket key callback, no ticket
7947 * Test 13: TLSv1.3, old ticket key callback, no ticket
7948 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7949 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7950 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7951 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7952 * Test 18: TLSv1.2, ticket key callback, no ticket
7953 * Test 19: TLSv1.3, ticket key callback, no ticket
7954 */
7955 static int test_ticket_callbacks(int tst)
7956 {
7957 SSL_CTX *cctx = NULL, *sctx = NULL;
7958 SSL *clientssl = NULL, *serverssl = NULL;
7959 SSL_SESSION *clntsess = NULL;
7960 int testresult = 0;
7961
7962 #ifdef OPENSSL_NO_TLS1_2
7963 if (tst % 2 == 0)
7964 return 1;
7965 #endif
7966 #ifdef OSSL_NO_USABLE_TLS1_3
7967 if (tst % 2 == 1)
7968 return 1;
7969 #endif
7970 #ifdef OPENSSL_NO_DEPRECATED_3_0
7971 if (tst >= 8 && tst <= 13)
7972 return 1;
7973 #endif
7974
7975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7976
7977 /* Which tests the ticket key callback should request renewal for */
7978
7979 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7980 tick_key_renew = 1;
7981 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7982 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7983 else
7984 tick_key_renew = 0;
7985
7986 /* Which tests the decrypt ticket callback should request renewal for */
7987 switch (tst) {
7988 case 0:
7989 case 1:
7990 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7991 break;
7992
7993 case 2:
7994 case 3:
7995 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7996 break;
7997
7998 case 4:
7999 case 5:
8000 tick_dec_ret = SSL_TICKET_RETURN_USE;
8001 break;
8002
8003 case 6:
8004 case 7:
8005 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8006 break;
8007
8008 default:
8009 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8010 }
8011
8012 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8013 TLS_client_method(),
8014 TLS1_VERSION,
8015 ((tst % 2) == 0) ? TLS1_2_VERSION
8016 : TLS1_3_VERSION,
8017 &sctx, &cctx, cert, privkey)))
8018 goto end;
8019
8020 /*
8021 * We only want sessions to resume from tickets - not the session cache. So
8022 * switch the cache off.
8023 */
8024 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8025 goto end;
8026
8027 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8028 NULL)))
8029 goto end;
8030
8031 if (tst >= 14) {
8032 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8033 goto end;
8034 #ifndef OPENSSL_NO_DEPRECATED_3_0
8035 } else if (tst >= 8) {
8036 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8037 goto end;
8038 #endif
8039 }
8040
8041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8042 NULL, NULL))
8043 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8044 SSL_ERROR_NONE)))
8045 goto end;
8046
8047 /*
8048 * The decrypt ticket key callback in TLSv1.2 should be called even though
8049 * we have no ticket yet, because it gets called with a status of
8050 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8051 * actually send any ticket data). This does not happen in TLSv1.3 because
8052 * it is not valid to send empty ticket data in TLSv1.3.
8053 */
8054 if (!TEST_int_eq(gen_tick_called, 1)
8055 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8056 goto end;
8057
8058 gen_tick_called = dec_tick_called = 0;
8059
8060 clntsess = SSL_get1_session(clientssl);
8061 SSL_shutdown(clientssl);
8062 SSL_shutdown(serverssl);
8063 SSL_free(serverssl);
8064 SSL_free(clientssl);
8065 serverssl = clientssl = NULL;
8066
8067 /* Now do a resumption */
8068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8069 NULL))
8070 || !TEST_true(SSL_set_session(clientssl, clntsess))
8071 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8072 SSL_ERROR_NONE)))
8073 goto end;
8074
8075 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8076 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8077 || tick_key_renew == -1) {
8078 if (!TEST_false(SSL_session_reused(clientssl)))
8079 goto end;
8080 } else {
8081 if (!TEST_true(SSL_session_reused(clientssl)))
8082 goto end;
8083 }
8084
8085 if (!TEST_int_eq(gen_tick_called,
8086 (tick_key_renew
8087 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8088 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8089 ? 1 : 0)
8090 /* There is no ticket to decrypt in tests 13 and 19 */
8091 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8092 goto end;
8093
8094 testresult = 1;
8095
8096 end:
8097 SSL_SESSION_free(clntsess);
8098 SSL_free(serverssl);
8099 SSL_free(clientssl);
8100 SSL_CTX_free(sctx);
8101 SSL_CTX_free(cctx);
8102
8103 return testresult;
8104 }
8105
8106 /*
8107 * Test incorrect shutdown.
8108 * Test 0: client does not shutdown properly,
8109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8110 * server should get SSL_ERROR_SSL
8111 * Test 1: client does not shutdown properly,
8112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8113 * server should get SSL_ERROR_ZERO_RETURN
8114 */
8115 static int test_incorrect_shutdown(int tst)
8116 {
8117 SSL_CTX *cctx = NULL, *sctx = NULL;
8118 SSL *clientssl = NULL, *serverssl = NULL;
8119 int testresult = 0;
8120 char buf[80];
8121 BIO *c2s;
8122
8123 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8124 TLS_client_method(), 0, 0,
8125 &sctx, &cctx, cert, privkey)))
8126 goto end;
8127
8128 if (tst == 1)
8129 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8130
8131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8132 NULL, NULL)))
8133 goto end;
8134
8135 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8136 SSL_ERROR_NONE)))
8137 goto end;
8138
8139 c2s = SSL_get_rbio(serverssl);
8140 BIO_set_mem_eof_return(c2s, 0);
8141
8142 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8143 goto end;
8144
8145 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8146 goto end;
8147 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8148 goto end;
8149
8150 testresult = 1;
8151
8152 end:
8153 SSL_free(serverssl);
8154 SSL_free(clientssl);
8155 SSL_CTX_free(sctx);
8156 SSL_CTX_free(cctx);
8157
8158 return testresult;
8159 }
8160
8161 /*
8162 * Test bi-directional shutdown.
8163 * Test 0: TLSv1.2
8164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8166 * Test 3: TLSv1.3, pending NewSessionTicket messages
8167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8168 * sends key update, client reads it
8169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8170 * sends CertificateRequest, client reads and ignores it
8171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8172 * doesn't read it
8173 */
8174 static int test_shutdown(int tst)
8175 {
8176 SSL_CTX *cctx = NULL, *sctx = NULL;
8177 SSL *clientssl = NULL, *serverssl = NULL;
8178 int testresult = 0;
8179 char msg[] = "A test message";
8180 char buf[80];
8181 size_t written, readbytes;
8182 SSL_SESSION *sess;
8183
8184 #ifdef OPENSSL_NO_TLS1_2
8185 if (tst <= 1)
8186 return 1;
8187 #endif
8188 #ifdef OSSL_NO_USABLE_TLS1_3
8189 if (tst >= 2)
8190 return 1;
8191 #endif
8192
8193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8194 TLS_client_method(),
8195 TLS1_VERSION,
8196 (tst <= 1) ? TLS1_2_VERSION
8197 : TLS1_3_VERSION,
8198 &sctx, &cctx, cert, privkey)))
8199 goto end;
8200
8201 if (tst == 5)
8202 SSL_CTX_set_post_handshake_auth(cctx, 1);
8203
8204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8205 NULL, NULL)))
8206 goto end;
8207
8208 if (tst == 3) {
8209 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8210 SSL_ERROR_NONE, 1, 0))
8211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8212 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8213 goto end;
8214 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8215 SSL_ERROR_NONE))
8216 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8217 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8218 goto end;
8219 }
8220
8221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8222 goto end;
8223
8224 if (tst >= 4) {
8225 /*
8226 * Reading on the server after the client has sent close_notify should
8227 * fail and provide SSL_ERROR_ZERO_RETURN
8228 */
8229 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8230 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8231 SSL_ERROR_ZERO_RETURN)
8232 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8233 SSL_RECEIVED_SHUTDOWN)
8234 /*
8235 * Even though we're shutdown on receive we should still be
8236 * able to write.
8237 */
8238 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8239 goto end;
8240 if (tst == 4
8241 && !TEST_true(SSL_key_update(serverssl,
8242 SSL_KEY_UPDATE_REQUESTED)))
8243 goto end;
8244 if (tst == 5) {
8245 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8247 goto end;
8248 }
8249 if ((tst == 4 || tst == 5)
8250 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8251 goto end;
8252 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8253 goto end;
8254 if (tst == 4 || tst == 5) {
8255 /* Should still be able to read data from server */
8256 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8257 &readbytes))
8258 || !TEST_size_t_eq(readbytes, sizeof(msg))
8259 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8260 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8261 &readbytes))
8262 || !TEST_size_t_eq(readbytes, sizeof(msg))
8263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8264 goto end;
8265 }
8266 }
8267
8268 /* Writing on the client after sending close_notify shouldn't be possible */
8269 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8270 goto end;
8271
8272 if (tst < 4) {
8273 /*
8274 * For these tests the client has sent close_notify but it has not yet
8275 * been received by the server. The server has not sent close_notify
8276 * yet.
8277 */
8278 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8279 /*
8280 * Writing on the server after sending close_notify shouldn't
8281 * be possible.
8282 */
8283 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8284 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8285 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8286 || !TEST_true(SSL_SESSION_is_resumable(sess))
8287 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8288 goto end;
8289 } else if (tst == 4 || tst == 5) {
8290 /*
8291 * In this test the client has sent close_notify and it has been
8292 * received by the server which has responded with a close_notify. The
8293 * client needs to read the close_notify sent by the server.
8294 */
8295 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8296 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8297 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8298 goto end;
8299 } else {
8300 /*
8301 * tst == 6
8302 *
8303 * The client has sent close_notify and is expecting a close_notify
8304 * back, but instead there is application data first. The shutdown
8305 * should fail with a fatal error.
8306 */
8307 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8308 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8309 goto end;
8310 }
8311
8312 testresult = 1;
8313
8314 end:
8315 SSL_free(serverssl);
8316 SSL_free(clientssl);
8317 SSL_CTX_free(sctx);
8318 SSL_CTX_free(cctx);
8319
8320 return testresult;
8321 }
8322
8323 /*
8324 * Test that sending close_notify alerts works correctly in the case of a
8325 * retryable write failure.
8326 */
8327 static int test_async_shutdown(void)
8328 {
8329 SSL_CTX *cctx = NULL, *sctx = NULL;
8330 SSL *clientssl = NULL, *serverssl = NULL;
8331 int testresult = 0;
8332 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8333
8334 if (!TEST_ptr(bretry))
8335 goto end;
8336
8337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8338 TLS_client_method(),
8339 0, 0,
8340 &sctx, &cctx, cert, privkey)))
8341 goto end;
8342
8343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8344 NULL)))
8345 goto end;
8346
8347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8348 goto end;
8349
8350 /* Close write side of clientssl */
8351 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8352 goto end;
8353
8354 tmp = SSL_get_wbio(serverssl);
8355 if (!TEST_true(BIO_up_ref(tmp))) {
8356 tmp = NULL;
8357 goto end;
8358 }
8359 SSL_set0_wbio(serverssl, bretry);
8360 bretry = NULL;
8361
8362 /* First server shutdown should fail because of a retrable write failure */
8363 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8364 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8365 goto end;
8366
8367 /* Second server shutdown should fail for the same reason */
8368 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8369 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8370 goto end;
8371
8372 SSL_set0_wbio(serverssl, tmp);
8373 tmp = NULL;
8374
8375 /* Third server shutdown should send close_notify */
8376 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8377 goto end;
8378
8379 /* Fourth server shutdown should read close_notify from client and finish */
8380 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8381 goto end;
8382
8383 /* Client should also successfully fully shutdown */
8384 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8385 goto end;
8386
8387 testresult = 1;
8388 end:
8389 SSL_free(serverssl);
8390 SSL_free(clientssl);
8391 SSL_CTX_free(sctx);
8392 SSL_CTX_free(cctx);
8393 BIO_free(bretry);
8394 BIO_free(tmp);
8395
8396 return testresult;
8397 }
8398
8399 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8400 static int cert_cb_cnt;
8401
8402 static int cert_cb(SSL *s, void *arg)
8403 {
8404 SSL_CTX *ctx = (SSL_CTX *)arg;
8405 BIO *in = NULL;
8406 EVP_PKEY *pkey = NULL;
8407 X509 *x509 = NULL, *rootx = NULL;
8408 STACK_OF(X509) *chain = NULL;
8409 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8410 int ret = 0;
8411
8412 if (cert_cb_cnt == 0) {
8413 /* Suspend the handshake */
8414 cert_cb_cnt++;
8415 return -1;
8416 } else if (cert_cb_cnt == 1) {
8417 /*
8418 * Update the SSL_CTX, set the certificate and private key and then
8419 * continue the handshake normally.
8420 */
8421 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8422 return 0;
8423
8424 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8425 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8426 SSL_FILETYPE_PEM))
8427 || !TEST_true(SSL_check_private_key(s)))
8428 return 0;
8429 cert_cb_cnt++;
8430 return 1;
8431 } else if (cert_cb_cnt == 3) {
8432 int rv;
8433
8434 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8435 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8436 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8437 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8438 goto out;
8439 chain = sk_X509_new_null();
8440 if (!TEST_ptr(chain))
8441 goto out;
8442 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8443 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8444 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8445 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8446 || !TEST_true(sk_X509_push(chain, rootx)))
8447 goto out;
8448 rootx = NULL;
8449 BIO_free(in);
8450 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8451 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8452 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8453 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8454 goto out;
8455 BIO_free(in);
8456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8457 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8458 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8459 NULL, NULL,
8460 libctx, NULL)))
8461 goto out;
8462 rv = SSL_check_chain(s, x509, pkey, chain);
8463 /*
8464 * If the cert doesn't show as valid here (e.g., because we don't
8465 * have any shared sigalgs), then we will not set it, and there will
8466 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8467 * will cause tls_choose_sigalgs() to fail the connection.
8468 */
8469 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8470 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8471 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8472 goto out;
8473 }
8474
8475 ret = 1;
8476 }
8477
8478 /* Abort the handshake */
8479 out:
8480 OPENSSL_free(ecdsacert);
8481 OPENSSL_free(ecdsakey);
8482 OPENSSL_free(rootfile);
8483 BIO_free(in);
8484 EVP_PKEY_free(pkey);
8485 X509_free(x509);
8486 X509_free(rootx);
8487 OSSL_STACK_OF_X509_free(chain);
8488 return ret;
8489 }
8490
8491 /*
8492 * Test the certificate callback.
8493 * Test 0: Callback fails
8494 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8495 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8496 * Test 3: Success - Call SSL_check_chain from the callback
8497 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8498 * chain
8499 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8500 */
8501 static int test_cert_cb_int(int prot, int tst)
8502 {
8503 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8504 SSL *clientssl = NULL, *serverssl = NULL;
8505 int testresult = 0, ret;
8506
8507 #ifdef OPENSSL_NO_EC
8508 /* We use an EC cert in these tests, so we skip in a no-ec build */
8509 if (tst >= 3)
8510 return 1;
8511 #endif
8512
8513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8514 TLS_client_method(),
8515 TLS1_VERSION,
8516 prot,
8517 &sctx, &cctx, NULL, NULL)))
8518 goto end;
8519
8520 if (tst == 0)
8521 cert_cb_cnt = -1;
8522 else if (tst >= 3)
8523 cert_cb_cnt = 3;
8524 else
8525 cert_cb_cnt = 0;
8526
8527 if (tst == 2) {
8528 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8529 if (!TEST_ptr(snictx))
8530 goto end;
8531 }
8532
8533 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8534
8535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8536 NULL, NULL)))
8537 goto end;
8538
8539 if (tst == 4) {
8540 /*
8541 * We cause SSL_check_chain() to fail by specifying sig_algs that
8542 * the chain doesn't meet (the root uses an RSA cert)
8543 */
8544 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8545 "ecdsa_secp256r1_sha256")))
8546 goto end;
8547 } else if (tst == 5) {
8548 /*
8549 * We cause SSL_check_chain() to fail by specifying sig_algs that
8550 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8551 */
8552 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8553 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8554 goto end;
8555 }
8556
8557 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8558 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8559 || (tst > 0
8560 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8561 goto end;
8562 }
8563
8564 testresult = 1;
8565
8566 end:
8567 SSL_free(serverssl);
8568 SSL_free(clientssl);
8569 SSL_CTX_free(sctx);
8570 SSL_CTX_free(cctx);
8571 SSL_CTX_free(snictx);
8572
8573 return testresult;
8574 }
8575 #endif
8576
8577 static int test_cert_cb(int tst)
8578 {
8579 int testresult = 1;
8580
8581 #ifndef OPENSSL_NO_TLS1_2
8582 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8583 #endif
8584 #ifndef OSSL_NO_USABLE_TLS1_3
8585 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8586 #endif
8587
8588 return testresult;
8589 }
8590
8591 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8592 {
8593 X509 *xcert;
8594 EVP_PKEY *privpkey;
8595 BIO *in = NULL;
8596 BIO *priv_in = NULL;
8597
8598 /* Check that SSL_get0_peer_certificate() returns something sensible */
8599 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8600 return 0;
8601
8602 in = BIO_new_file(cert, "r");
8603 if (!TEST_ptr(in))
8604 return 0;
8605
8606 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8607 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8608 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8609 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8610 NULL, NULL,
8611 libctx, NULL)))
8612 goto err;
8613
8614 *x509 = xcert;
8615 *pkey = privpkey;
8616
8617 BIO_free(in);
8618 BIO_free(priv_in);
8619 return 1;
8620 err:
8621 X509_free(xcert);
8622 BIO_free(in);
8623 BIO_free(priv_in);
8624 return 0;
8625 }
8626
8627 static int test_client_cert_cb(int tst)
8628 {
8629 SSL_CTX *cctx = NULL, *sctx = NULL;
8630 SSL *clientssl = NULL, *serverssl = NULL;
8631 int testresult = 0;
8632
8633 #ifdef OPENSSL_NO_TLS1_2
8634 if (tst == 0)
8635 return 1;
8636 #endif
8637 #ifdef OSSL_NO_USABLE_TLS1_3
8638 if (tst == 1)
8639 return 1;
8640 #endif
8641
8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8643 TLS_client_method(),
8644 TLS1_VERSION,
8645 tst == 0 ? TLS1_2_VERSION
8646 : TLS1_3_VERSION,
8647 &sctx, &cctx, cert, privkey)))
8648 goto end;
8649
8650 /*
8651 * Test that setting a client_cert_cb results in a client certificate being
8652 * sent.
8653 */
8654 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8655 SSL_CTX_set_verify(sctx,
8656 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8657 verify_cb);
8658
8659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8660 NULL, NULL))
8661 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8662 SSL_ERROR_NONE)))
8663 goto end;
8664
8665 testresult = 1;
8666
8667 end:
8668 SSL_free(serverssl);
8669 SSL_free(clientssl);
8670 SSL_CTX_free(sctx);
8671 SSL_CTX_free(cctx);
8672
8673 return testresult;
8674 }
8675
8676 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8677 /*
8678 * Test setting certificate authorities on both client and server.
8679 *
8680 * Test 0: SSL_CTX_set0_CA_list() only
8681 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8682 * Test 2: Only SSL_CTX_set_client_CA_list()
8683 */
8684 static int test_ca_names_int(int prot, int tst)
8685 {
8686 SSL_CTX *cctx = NULL, *sctx = NULL;
8687 SSL *clientssl = NULL, *serverssl = NULL;
8688 int testresult = 0;
8689 size_t i;
8690 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8691 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8692 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8693 const STACK_OF(X509_NAME) *sktmp = NULL;
8694
8695 for (i = 0; i < OSSL_NELEM(name); i++) {
8696 name[i] = X509_NAME_new();
8697 if (!TEST_ptr(name[i])
8698 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8699 MBSTRING_ASC,
8700 (unsigned char *)
8701 strnames[i],
8702 -1, -1, 0)))
8703 goto end;
8704 }
8705
8706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8707 TLS_client_method(),
8708 TLS1_VERSION,
8709 prot,
8710 &sctx, &cctx, cert, privkey)))
8711 goto end;
8712
8713 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8714
8715 if (tst == 0 || tst == 1) {
8716 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8717 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8718 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8719 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8720 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8721 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8722 goto end;
8723
8724 SSL_CTX_set0_CA_list(sctx, sk1);
8725 SSL_CTX_set0_CA_list(cctx, sk2);
8726 sk1 = sk2 = NULL;
8727 }
8728 if (tst == 1 || tst == 2) {
8729 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8730 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8731 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8732 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8733 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8734 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8735 goto end;
8736
8737 SSL_CTX_set_client_CA_list(sctx, sk1);
8738 SSL_CTX_set_client_CA_list(cctx, sk2);
8739 sk1 = sk2 = NULL;
8740 }
8741
8742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8743 NULL, NULL))
8744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8745 SSL_ERROR_NONE)))
8746 goto end;
8747
8748 /*
8749 * We only expect certificate authorities to have been sent to the server
8750 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8751 */
8752 sktmp = SSL_get0_peer_CA_list(serverssl);
8753 if (prot == TLS1_3_VERSION
8754 && (tst == 0 || tst == 1)) {
8755 if (!TEST_ptr(sktmp)
8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8758 name[0]), 0)
8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8760 name[1]), 0))
8761 goto end;
8762 } else if (!TEST_ptr_null(sktmp)) {
8763 goto end;
8764 }
8765
8766 /*
8767 * In all tests we expect certificate authorities to have been sent to the
8768 * client. However, SSL_set_client_CA_list() should override
8769 * SSL_set0_CA_list()
8770 */
8771 sktmp = SSL_get0_peer_CA_list(clientssl);
8772 if (!TEST_ptr(sktmp)
8773 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8775 name[tst == 0 ? 0 : 2]), 0)
8776 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8777 name[tst == 0 ? 1 : 3]), 0))
8778 goto end;
8779
8780 testresult = 1;
8781
8782 end:
8783 SSL_free(serverssl);
8784 SSL_free(clientssl);
8785 SSL_CTX_free(sctx);
8786 SSL_CTX_free(cctx);
8787 for (i = 0; i < OSSL_NELEM(name); i++)
8788 X509_NAME_free(name[i]);
8789 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8790 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8791
8792 return testresult;
8793 }
8794 #endif
8795
8796 static int test_ca_names(int tst)
8797 {
8798 int testresult = 1;
8799
8800 #ifndef OPENSSL_NO_TLS1_2
8801 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8802 #endif
8803 #ifndef OSSL_NO_USABLE_TLS1_3
8804 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8805 #endif
8806
8807 return testresult;
8808 }
8809
8810 #ifndef OPENSSL_NO_TLS1_2
8811 static const char *multiblock_cipherlist_data[]=
8812 {
8813 "AES128-SHA",
8814 "AES128-SHA256",
8815 "AES256-SHA",
8816 "AES256-SHA256",
8817 };
8818
8819 /* Reduce the fragment size - so the multiblock test buffer can be small */
8820 # define MULTIBLOCK_FRAGSIZE 512
8821
8822 static int test_multiblock_write(int test_index)
8823 {
8824 static const char *fetchable_ciphers[]=
8825 {
8826 "AES-128-CBC-HMAC-SHA1",
8827 "AES-128-CBC-HMAC-SHA256",
8828 "AES-256-CBC-HMAC-SHA1",
8829 "AES-256-CBC-HMAC-SHA256"
8830 };
8831 const char *cipherlist = multiblock_cipherlist_data[test_index];
8832 const SSL_METHOD *smeth = TLS_server_method();
8833 const SSL_METHOD *cmeth = TLS_client_method();
8834 int min_version = TLS1_VERSION;
8835 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8836 SSL_CTX *cctx = NULL, *sctx = NULL;
8837 SSL *clientssl = NULL, *serverssl = NULL;
8838 int testresult = 0;
8839
8840 /*
8841 * Choose a buffer large enough to perform a multi-block operation
8842 * i.e: write_len >= 4 * frag_size
8843 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8844 */
8845 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8846 unsigned char buf[sizeof(msg)], *p = buf;
8847 size_t readbytes, written, len;
8848 EVP_CIPHER *ciph = NULL;
8849
8850 /*
8851 * Check if the cipher exists before attempting to use it since it only has
8852 * a hardware specific implementation.
8853 */
8854 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8855 if (ciph == NULL) {
8856 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8857 return 1;
8858 }
8859 EVP_CIPHER_free(ciph);
8860
8861 /* Set up a buffer with some data that will be sent to the client */
8862 RAND_bytes(msg, sizeof(msg));
8863
8864 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8865 max_version, &sctx, &cctx, cert,
8866 privkey)))
8867 goto end;
8868
8869 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8870 goto end;
8871
8872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8873 NULL, NULL)))
8874 goto end;
8875
8876 /* settings to force it to use AES-CBC-HMAC_SHA */
8877 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8878 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8879 goto end;
8880
8881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8882 goto end;
8883
8884 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8885 || !TEST_size_t_eq(written, sizeof(msg)))
8886 goto end;
8887
8888 len = written;
8889 while (len > 0) {
8890 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8891 goto end;
8892 p += readbytes;
8893 len -= readbytes;
8894 }
8895 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8896 goto end;
8897
8898 testresult = 1;
8899 end:
8900 SSL_free(serverssl);
8901 SSL_free(clientssl);
8902 SSL_CTX_free(sctx);
8903 SSL_CTX_free(cctx);
8904
8905 return testresult;
8906 }
8907 #endif /* OPENSSL_NO_TLS1_2 */
8908
8909 static int test_session_timeout(int test)
8910 {
8911 /*
8912 * Test session ordering and timeout
8913 * Can't explicitly test performance of the new code,
8914 * but can test to see if the ordering of the sessions
8915 * are correct, and they they are removed as expected
8916 */
8917 SSL_SESSION *early = NULL;
8918 SSL_SESSION *middle = NULL;
8919 SSL_SESSION *late = NULL;
8920 SSL_CTX *ctx;
8921 int testresult = 0;
8922 long now = (long)time(NULL);
8923 #define TIMEOUT 10
8924
8925 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8926 || !TEST_ptr(early = SSL_SESSION_new())
8927 || !TEST_ptr(middle = SSL_SESSION_new())
8928 || !TEST_ptr(late = SSL_SESSION_new()))
8929 goto end;
8930
8931 /* assign unique session ids */
8932 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8933 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8934 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8935 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8936 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8937 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8938
8939 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8940 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8941 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8942 goto end;
8943
8944 /* Make sure they are all added */
8945 if (!TEST_ptr(early->prev)
8946 || !TEST_ptr(middle->prev)
8947 || !TEST_ptr(late->prev))
8948 goto end;
8949
8950 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8951 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8952 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8953 goto end;
8954
8955 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8956 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8957 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8958 goto end;
8959
8960 /* Make sure they are all still there */
8961 if (!TEST_ptr(early->prev)
8962 || !TEST_ptr(middle->prev)
8963 || !TEST_ptr(late->prev))
8964 goto end;
8965
8966 /* Make sure they are in the expected order */
8967 if (!TEST_ptr_eq(late->next, middle)
8968 || !TEST_ptr_eq(middle->next, early)
8969 || !TEST_ptr_eq(early->prev, middle)
8970 || !TEST_ptr_eq(middle->prev, late))
8971 goto end;
8972
8973 /* This should remove "early" */
8974 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8975 if (!TEST_ptr_null(early->prev)
8976 || !TEST_ptr(middle->prev)
8977 || !TEST_ptr(late->prev))
8978 goto end;
8979
8980 /* This should remove "middle" */
8981 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8982 if (!TEST_ptr_null(early->prev)
8983 || !TEST_ptr_null(middle->prev)
8984 || !TEST_ptr(late->prev))
8985 goto end;
8986
8987 /* This should remove "late" */
8988 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8989 if (!TEST_ptr_null(early->prev)
8990 || !TEST_ptr_null(middle->prev)
8991 || !TEST_ptr_null(late->prev))
8992 goto end;
8993
8994 /* Add them back in again */
8995 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8996 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8997 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8998 goto end;
8999
9000 /* Make sure they are all added */
9001 if (!TEST_ptr(early->prev)
9002 || !TEST_ptr(middle->prev)
9003 || !TEST_ptr(late->prev))
9004 goto end;
9005
9006 /* This should remove all of them */
9007 SSL_CTX_flush_sessions(ctx, 0);
9008 if (!TEST_ptr_null(early->prev)
9009 || !TEST_ptr_null(middle->prev)
9010 || !TEST_ptr_null(late->prev))
9011 goto end;
9012
9013 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9014 | SSL_CTX_get_session_cache_mode(ctx));
9015
9016 /* make sure |now| is NOT equal to the current time */
9017 now -= 10;
9018 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9019 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9020 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9021 goto end;
9022
9023 testresult = 1;
9024 end:
9025 SSL_CTX_free(ctx);
9026 SSL_SESSION_free(early);
9027 SSL_SESSION_free(middle);
9028 SSL_SESSION_free(late);
9029 return testresult;
9030 }
9031
9032 /*
9033 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9034 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9035 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9036 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9037 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9038 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9039 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9040 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9041 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9042 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9043 */
9044 static int test_servername(int tst)
9045 {
9046 SSL_CTX *cctx = NULL, *sctx = NULL;
9047 SSL *clientssl = NULL, *serverssl = NULL;
9048 int testresult = 0;
9049 SSL_SESSION *sess = NULL;
9050 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9051
9052 #ifdef OPENSSL_NO_TLS1_2
9053 if (tst <= 4)
9054 return 1;
9055 #endif
9056 #ifdef OSSL_NO_USABLE_TLS1_3
9057 if (tst >= 5)
9058 return 1;
9059 #endif
9060
9061 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9062 TLS_client_method(),
9063 TLS1_VERSION,
9064 (tst <= 4) ? TLS1_2_VERSION
9065 : TLS1_3_VERSION,
9066 &sctx, &cctx, cert, privkey))
9067 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9068 NULL, NULL)))
9069 goto end;
9070
9071 if (tst != 1 && tst != 6) {
9072 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9073 hostname_cb)))
9074 goto end;
9075 }
9076
9077 if (tst != 3 && tst != 8) {
9078 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9079 goto end;
9080 sexpectedhost = cexpectedhost = "goodhost";
9081 }
9082
9083 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9084 goto end;
9085
9086 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9087 cexpectedhost)
9088 || !TEST_str_eq(SSL_get_servername(serverssl,
9089 TLSEXT_NAMETYPE_host_name),
9090 sexpectedhost))
9091 goto end;
9092
9093 /* Now repeat with a resumption handshake */
9094
9095 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9096 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9097 || !TEST_true(SSL_SESSION_is_resumable(sess))
9098 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9099 goto end;
9100
9101 SSL_free(clientssl);
9102 SSL_free(serverssl);
9103 clientssl = serverssl = NULL;
9104
9105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9106 NULL)))
9107 goto end;
9108
9109 if (!TEST_true(SSL_set_session(clientssl, sess)))
9110 goto end;
9111
9112 sexpectedhost = cexpectedhost = "goodhost";
9113 if (tst == 2 || tst == 7) {
9114 /* Set an inconsistent hostname */
9115 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9116 goto end;
9117 /*
9118 * In TLSv1.2 we expect the hostname from the original handshake, in
9119 * TLSv1.3 we expect the hostname from this handshake
9120 */
9121 if (tst == 7)
9122 sexpectedhost = cexpectedhost = "altgoodhost";
9123
9124 if (!TEST_str_eq(SSL_get_servername(clientssl,
9125 TLSEXT_NAMETYPE_host_name),
9126 "altgoodhost"))
9127 goto end;
9128 } else if (tst == 4 || tst == 9) {
9129 /*
9130 * A TLSv1.3 session does not associate a session with a servername,
9131 * but a TLSv1.2 session does.
9132 */
9133 if (tst == 9)
9134 sexpectedhost = cexpectedhost = NULL;
9135
9136 if (!TEST_str_eq(SSL_get_servername(clientssl,
9137 TLSEXT_NAMETYPE_host_name),
9138 cexpectedhost))
9139 goto end;
9140 } else {
9141 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9142 goto end;
9143 /*
9144 * In a TLSv1.2 resumption where the hostname was not acknowledged
9145 * we expect the hostname on the server to be empty. On the client we
9146 * return what was requested in this case.
9147 *
9148 * Similarly if the client didn't set a hostname on an original TLSv1.2
9149 * session but is now, the server hostname will be empty, but the client
9150 * is as we set it.
9151 */
9152 if (tst == 1 || tst == 3)
9153 sexpectedhost = NULL;
9154
9155 if (!TEST_str_eq(SSL_get_servername(clientssl,
9156 TLSEXT_NAMETYPE_host_name),
9157 "goodhost"))
9158 goto end;
9159 }
9160
9161 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9162 goto end;
9163
9164 if (!TEST_true(SSL_session_reused(clientssl))
9165 || !TEST_true(SSL_session_reused(serverssl))
9166 || !TEST_str_eq(SSL_get_servername(clientssl,
9167 TLSEXT_NAMETYPE_host_name),
9168 cexpectedhost)
9169 || !TEST_str_eq(SSL_get_servername(serverssl,
9170 TLSEXT_NAMETYPE_host_name),
9171 sexpectedhost))
9172 goto end;
9173
9174 testresult = 1;
9175
9176 end:
9177 SSL_SESSION_free(sess);
9178 SSL_free(serverssl);
9179 SSL_free(clientssl);
9180 SSL_CTX_free(sctx);
9181 SSL_CTX_free(cctx);
9182
9183 return testresult;
9184 }
9185
9186 #if !defined(OPENSSL_NO_EC) \
9187 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9188 /*
9189 * Test that if signature algorithms are not available, then we do not offer or
9190 * accept them.
9191 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9192 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9193 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9194 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9195 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9196 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9197 */
9198 static int test_sigalgs_available(int idx)
9199 {
9200 SSL_CTX *cctx = NULL, *sctx = NULL;
9201 SSL *clientssl = NULL, *serverssl = NULL;
9202 int testresult = 0;
9203 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9204 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9205 OSSL_PROVIDER *filterprov = NULL;
9206 int sig, hash;
9207
9208 if (!TEST_ptr(tmpctx))
9209 goto end;
9210
9211 if (idx != 0 && idx != 3) {
9212 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9213 filter_provider_init)))
9214 goto end;
9215
9216 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9217 if (!TEST_ptr(filterprov))
9218 goto end;
9219
9220 if (idx < 3) {
9221 /*
9222 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9223 * or accepted for the peer that uses this libctx. Note that libssl
9224 * *requires* SHA2-256 to be available so we cannot disable that. We
9225 * also need SHA1 for our certificate.
9226 */
9227 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9228 "SHA2-256:SHA1")))
9229 goto end;
9230 } else {
9231 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9232 "ECDSA"))
9233 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9234 "EC:X25519:X448")))
9235 goto end;
9236 }
9237
9238 if (idx == 1 || idx == 4)
9239 clientctx = tmpctx;
9240 else
9241 serverctx = tmpctx;
9242 }
9243
9244 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9245 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9246 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9247 goto end;
9248
9249 if (idx != 5) {
9250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9251 TLS_client_method(),
9252 TLS1_VERSION,
9253 0,
9254 &sctx, &cctx, cert, privkey)))
9255 goto end;
9256 } else {
9257 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9258 TLS_client_method(),
9259 TLS1_VERSION,
9260 0,
9261 &sctx, &cctx, cert2, privkey2)))
9262 goto end;
9263 }
9264
9265 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9266 if (idx < 4) {
9267 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9268 "ECDHE-RSA-AES128-GCM-SHA256")))
9269 goto end;
9270 } else {
9271 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9272 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9273 goto end;
9274 }
9275
9276 if (idx < 3) {
9277 if (!SSL_CTX_set1_sigalgs_list(cctx,
9278 "rsa_pss_rsae_sha384"
9279 ":rsa_pss_rsae_sha256")
9280 || !SSL_CTX_set1_sigalgs_list(sctx,
9281 "rsa_pss_rsae_sha384"
9282 ":rsa_pss_rsae_sha256"))
9283 goto end;
9284 } else {
9285 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9286 || !SSL_CTX_set1_sigalgs_list(sctx,
9287 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9288 goto end;
9289 }
9290
9291 if (idx != 5
9292 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9293 SSL_FILETYPE_PEM), 1)
9294 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9295 privkey2,
9296 SSL_FILETYPE_PEM), 1)
9297 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9298 goto end;
9299
9300 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9301 NULL, NULL)))
9302 goto end;
9303
9304 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9305 goto end;
9306
9307 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9308 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9309 NULL, NULL),
9310 (idx == 0 || idx == 3) ? 2 : 1))
9311 goto end;
9312
9313 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9314 goto end;
9315
9316 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9317 : NID_rsassaPss))
9318 goto end;
9319
9320 testresult = filter_provider_check_clean_finish();
9321
9322 end:
9323 SSL_free(serverssl);
9324 SSL_free(clientssl);
9325 SSL_CTX_free(sctx);
9326 SSL_CTX_free(cctx);
9327 OSSL_PROVIDER_unload(filterprov);
9328 OSSL_LIB_CTX_free(tmpctx);
9329
9330 return testresult;
9331 }
9332 #endif /*
9333 * !defined(OPENSSL_NO_EC) \
9334 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9335 */
9336
9337 #ifndef OPENSSL_NO_TLS1_3
9338 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9339 static int test_pluggable_group(int idx)
9340 {
9341 SSL_CTX *cctx = NULL, *sctx = NULL;
9342 SSL *clientssl = NULL, *serverssl = NULL;
9343 int testresult = 0;
9344 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9345 /* Check that we are not impacted by a provider without any groups */
9346 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9347 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9348
9349 if (!TEST_ptr(tlsprov))
9350 goto end;
9351
9352 if (legacyprov == NULL) {
9353 /*
9354 * In this case we assume we've been built with "no-legacy" and skip
9355 * this test (there is no OPENSSL_NO_LEGACY)
9356 */
9357 testresult = 1;
9358 goto end;
9359 }
9360
9361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9362 TLS_client_method(),
9363 TLS1_3_VERSION,
9364 TLS1_3_VERSION,
9365 &sctx, &cctx, cert, privkey))
9366 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9367 NULL, NULL)))
9368 goto end;
9369
9370 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9371 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9372 goto end;
9373
9374 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9375 goto end;
9376
9377 if (!TEST_str_eq(group_name,
9378 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9379 goto end;
9380
9381 testresult = 1;
9382
9383 end:
9384 SSL_free(serverssl);
9385 SSL_free(clientssl);
9386 SSL_CTX_free(sctx);
9387 SSL_CTX_free(cctx);
9388 OSSL_PROVIDER_unload(tlsprov);
9389 OSSL_PROVIDER_unload(legacyprov);
9390
9391 return testresult;
9392 }
9393
9394 /*
9395 * This function triggers encode, decode and sign functions
9396 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9397 * creating private key and certificate files for use in TLS testing.
9398 */
9399 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9400 {
9401 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9402 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9403 EVP_PKEY *pkey = NULL;
9404 X509 *x509 = X509_new();
9405 X509_NAME *name = NULL;
9406 BIO *keybio = NULL, *certbio = NULL;
9407 int ret = 1;
9408
9409 if (!TEST_ptr(evpctx)
9410 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9411 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9412 || !TEST_ptr(pkey)
9413 || !TEST_ptr(x509)
9414 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9415 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9416 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9417 || !TEST_true(X509_set_pubkey(x509, pkey))
9418 || !TEST_ptr(name = X509_get_subject_name(x509))
9419 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9420 (unsigned char *)"CH", -1, -1, 0))
9421 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9422 (unsigned char *)"test.org", -1, -1, 0))
9423 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9424 (unsigned char *)"localhost", -1, -1, 0))
9425 || !TEST_true(X509_set_issuer_name(x509, name))
9426 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9427 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9428 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9429 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9430 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9431 ret = 0;
9432
9433 EVP_PKEY_free(pkey);
9434 X509_free(x509);
9435 EVP_PKEY_CTX_free(evpctx);
9436 BIO_free(keybio);
9437 BIO_free(certbio);
9438 return ret;
9439 }
9440
9441 /*
9442 * Test that signature algorithms loaded via the provider interface can
9443 * correctly establish a TLS (1.3) connection.
9444 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9445 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9446 */
9447 static int test_pluggable_signature(int idx)
9448 {
9449 SSL_CTX *cctx = NULL, *sctx = NULL;
9450 SSL *clientssl = NULL, *serverssl = NULL;
9451 int testresult = 0;
9452 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9453 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9454 char *certfilename = "tls-prov-cert.pem";
9455 char *privkeyfilename = "tls-prov-key.pem";
9456
9457 /* create key and certificate for the different algorithm types */
9458 if (!TEST_ptr(tlsprov)
9459 || !TEST_true(create_cert_key(idx, certfilename, privkeyfilename)))
9460 goto end;
9461
9462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9463 TLS_client_method(),
9464 TLS1_3_VERSION,
9465 TLS1_3_VERSION,
9466 &sctx, &cctx, certfilename, privkeyfilename))
9467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9468 NULL, NULL)))
9469 goto end;
9470
9471 /* This is necessary to pass minimal setup w/o other groups configured */
9472 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9473 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9474 goto end;
9475
9476 /*
9477 * If this connection gets established, it must have been completed
9478 * via the tls-provider-implemented "hmacsig" algorithm, testing
9479 * both sign and verify functions during handshake.
9480 */
9481 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9482 goto end;
9483
9484 testresult = 1;
9485
9486 end:
9487 SSL_free(serverssl);
9488 SSL_free(clientssl);
9489 SSL_CTX_free(sctx);
9490 SSL_CTX_free(cctx);
9491 OSSL_PROVIDER_unload(tlsprov);
9492 OSSL_PROVIDER_unload(defaultprov);
9493
9494 return testresult;
9495 }
9496 #endif
9497
9498 #ifndef OPENSSL_NO_TLS1_2
9499 static int test_ssl_dup(void)
9500 {
9501 SSL_CTX *cctx = NULL, *sctx = NULL;
9502 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9503 int testresult = 0;
9504 BIO *rbio = NULL, *wbio = NULL;
9505
9506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9507 TLS_client_method(),
9508 0,
9509 0,
9510 &sctx, &cctx, cert, privkey)))
9511 goto end;
9512
9513 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9514 NULL, NULL)))
9515 goto end;
9516
9517 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9518 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9519 goto end;
9520
9521 client2ssl = SSL_dup(clientssl);
9522 rbio = SSL_get_rbio(clientssl);
9523 if (!TEST_ptr(rbio)
9524 || !TEST_true(BIO_up_ref(rbio)))
9525 goto end;
9526 SSL_set0_rbio(client2ssl, rbio);
9527 rbio = NULL;
9528
9529 wbio = SSL_get_wbio(clientssl);
9530 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9531 goto end;
9532 SSL_set0_wbio(client2ssl, wbio);
9533 rbio = NULL;
9534
9535 if (!TEST_ptr(client2ssl)
9536 /* Handshake not started so pointers should be different */
9537 || !TEST_ptr_ne(clientssl, client2ssl))
9538 goto end;
9539
9540 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9541 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9542 goto end;
9543
9544 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9545 goto end;
9546
9547 SSL_free(clientssl);
9548 clientssl = SSL_dup(client2ssl);
9549 if (!TEST_ptr(clientssl)
9550 /* Handshake has finished so pointers should be the same */
9551 || !TEST_ptr_eq(clientssl, client2ssl))
9552 goto end;
9553
9554 testresult = 1;
9555
9556 end:
9557 SSL_free(serverssl);
9558 SSL_free(clientssl);
9559 SSL_free(client2ssl);
9560 SSL_CTX_free(sctx);
9561 SSL_CTX_free(cctx);
9562
9563 return testresult;
9564 }
9565
9566 # ifndef OPENSSL_NO_DH
9567
9568 static EVP_PKEY *tmp_dh_params = NULL;
9569
9570 /* Helper function for the test_set_tmp_dh() tests */
9571 static EVP_PKEY *get_tmp_dh_params(void)
9572 {
9573 if (tmp_dh_params == NULL) {
9574 BIGNUM *p = NULL;
9575 OSSL_PARAM_BLD *tmpl = NULL;
9576 EVP_PKEY_CTX *pctx = NULL;
9577 OSSL_PARAM *params = NULL;
9578 EVP_PKEY *dhpkey = NULL;
9579
9580 p = BN_get_rfc3526_prime_2048(NULL);
9581 if (!TEST_ptr(p))
9582 goto end;
9583
9584 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9585 if (!TEST_ptr(pctx)
9586 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9587 goto end;
9588
9589 tmpl = OSSL_PARAM_BLD_new();
9590 if (!TEST_ptr(tmpl)
9591 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9592 OSSL_PKEY_PARAM_FFC_P,
9593 p))
9594 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9595 OSSL_PKEY_PARAM_FFC_G,
9596 2)))
9597 goto end;
9598
9599 params = OSSL_PARAM_BLD_to_param(tmpl);
9600 if (!TEST_ptr(params)
9601 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9602 EVP_PKEY_KEY_PARAMETERS,
9603 params), 1))
9604 goto end;
9605
9606 tmp_dh_params = dhpkey;
9607 end:
9608 BN_free(p);
9609 EVP_PKEY_CTX_free(pctx);
9610 OSSL_PARAM_BLD_free(tmpl);
9611 OSSL_PARAM_free(params);
9612 }
9613
9614 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9615 return NULL;
9616
9617 return tmp_dh_params;
9618 }
9619
9620 # ifndef OPENSSL_NO_DEPRECATED_3_0
9621 /* Callback used by test_set_tmp_dh() */
9622 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9623 {
9624 EVP_PKEY *dhpkey = get_tmp_dh_params();
9625 DH *ret = NULL;
9626
9627 if (!TEST_ptr(dhpkey))
9628 return NULL;
9629
9630 /*
9631 * libssl does not free the returned DH, so we free it now knowing that even
9632 * after we free dhpkey, there will still be a reference to the owning
9633 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9634 * of time we need it for.
9635 */
9636 ret = EVP_PKEY_get1_DH(dhpkey);
9637 DH_free(ret);
9638
9639 EVP_PKEY_free(dhpkey);
9640
9641 return ret;
9642 }
9643 # endif
9644
9645 /*
9646 * Test the various methods for setting temporary DH parameters
9647 *
9648 * Test 0: Default (no auto) setting
9649 * Test 1: Explicit SSL_CTX auto off
9650 * Test 2: Explicit SSL auto off
9651 * Test 3: Explicit SSL_CTX auto on
9652 * Test 4: Explicit SSL auto on
9653 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9654 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9655 *
9656 * The following are testing deprecated APIs, so we only run them if available
9657 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9658 * Test 8: Explicit SSL auto off, custom DH params via DH
9659 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9660 * Test 10: Explicit SSL auto off, custom DH params via callback
9661 */
9662 static int test_set_tmp_dh(int idx)
9663 {
9664 SSL_CTX *cctx = NULL, *sctx = NULL;
9665 SSL *clientssl = NULL, *serverssl = NULL;
9666 int testresult = 0;
9667 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9668 int expected = (idx <= 2) ? 0 : 1;
9669 EVP_PKEY *dhpkey = NULL;
9670 # ifndef OPENSSL_NO_DEPRECATED_3_0
9671 DH *dh = NULL;
9672 # else
9673
9674 if (idx >= 7)
9675 return 1;
9676 # endif
9677
9678 if (idx >= 5 && idx <= 8) {
9679 dhpkey = get_tmp_dh_params();
9680 if (!TEST_ptr(dhpkey))
9681 goto end;
9682 }
9683 # ifndef OPENSSL_NO_DEPRECATED_3_0
9684 if (idx == 7 || idx == 8) {
9685 dh = EVP_PKEY_get1_DH(dhpkey);
9686 if (!TEST_ptr(dh))
9687 goto end;
9688 }
9689 # endif
9690
9691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9692 TLS_client_method(),
9693 0,
9694 0,
9695 &sctx, &cctx, cert, privkey)))
9696 goto end;
9697
9698 if ((idx & 1) == 1) {
9699 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9700 goto end;
9701 }
9702
9703 if (idx == 5) {
9704 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9705 goto end;
9706 dhpkey = NULL;
9707 }
9708 # ifndef OPENSSL_NO_DEPRECATED_3_0
9709 else if (idx == 7) {
9710 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9711 goto end;
9712 } else if (idx == 9) {
9713 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9714 }
9715 # endif
9716
9717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9718 NULL, NULL)))
9719 goto end;
9720
9721 if ((idx & 1) == 0 && idx != 0) {
9722 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9723 goto end;
9724 }
9725 if (idx == 6) {
9726 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9727 goto end;
9728 dhpkey = NULL;
9729 }
9730 # ifndef OPENSSL_NO_DEPRECATED_3_0
9731 else if (idx == 8) {
9732 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9733 goto end;
9734 } else if (idx == 10) {
9735 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9736 }
9737 # endif
9738
9739 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9740 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9741 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9742 goto end;
9743
9744 /*
9745 * If autoon then we should succeed. Otherwise we expect failure because
9746 * there are no parameters
9747 */
9748 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9749 SSL_ERROR_NONE), expected))
9750 goto end;
9751
9752 testresult = 1;
9753
9754 end:
9755 # ifndef OPENSSL_NO_DEPRECATED_3_0
9756 DH_free(dh);
9757 # endif
9758 SSL_free(serverssl);
9759 SSL_free(clientssl);
9760 SSL_CTX_free(sctx);
9761 SSL_CTX_free(cctx);
9762 EVP_PKEY_free(dhpkey);
9763
9764 return testresult;
9765 }
9766
9767 /*
9768 * Test the auto DH keys are appropriately sized
9769 */
9770 static int test_dh_auto(int idx)
9771 {
9772 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9773 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9774 SSL *clientssl = NULL, *serverssl = NULL;
9775 int testresult = 0;
9776 EVP_PKEY *tmpkey = NULL;
9777 char *thiscert = NULL, *thiskey = NULL;
9778 size_t expdhsize = 0;
9779 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9780
9781 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9782 goto end;
9783
9784 switch (idx) {
9785 case 0:
9786 /* The FIPS provider doesn't support this DH size - so we ignore it */
9787 if (is_fips) {
9788 testresult = 1;
9789 goto end;
9790 }
9791 thiscert = cert1024;
9792 thiskey = privkey1024;
9793 expdhsize = 1024;
9794 SSL_CTX_set_security_level(sctx, 1);
9795 SSL_CTX_set_security_level(cctx, 1);
9796 break;
9797 case 1:
9798 /* 2048 bit prime */
9799 thiscert = cert;
9800 thiskey = privkey;
9801 expdhsize = 2048;
9802 break;
9803 case 2:
9804 thiscert = cert3072;
9805 thiskey = privkey3072;
9806 expdhsize = 3072;
9807 break;
9808 case 3:
9809 thiscert = cert4096;
9810 thiskey = privkey4096;
9811 expdhsize = 4096;
9812 break;
9813 case 4:
9814 thiscert = cert8192;
9815 thiskey = privkey8192;
9816 expdhsize = 8192;
9817 break;
9818 /* No certificate cases */
9819 case 5:
9820 /* The FIPS provider doesn't support this DH size - so we ignore it */
9821 if (is_fips) {
9822 testresult = 1;
9823 goto end;
9824 }
9825 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9826 expdhsize = 1024;
9827 break;
9828 case 6:
9829 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9830 expdhsize = 3072;
9831 break;
9832 default:
9833 TEST_error("Invalid text index");
9834 goto end;
9835 }
9836
9837 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9838 NULL,
9839 0,
9840 0,
9841 &sctx, &cctx, thiscert, thiskey)))
9842 goto end;
9843
9844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9845 NULL, NULL)))
9846 goto end;
9847
9848 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9849 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9850 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9851 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9852 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9853 goto end;
9854
9855 /*
9856 * Send the server's first flight. At this point the server has created the
9857 * temporary DH key but hasn't finished using it yet. Once used it is
9858 * removed, so we cannot test it.
9859 */
9860 if (!TEST_int_le(SSL_connect(clientssl), 0)
9861 || !TEST_int_le(SSL_accept(serverssl), 0))
9862 goto end;
9863
9864 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9865 goto end;
9866 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9867 goto end;
9868
9869 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9870 goto end;
9871
9872 testresult = 1;
9873
9874 end:
9875 SSL_free(serverssl);
9876 SSL_free(clientssl);
9877 SSL_CTX_free(sctx);
9878 SSL_CTX_free(cctx);
9879 EVP_PKEY_free(tmpkey);
9880
9881 return testresult;
9882
9883 }
9884 # endif /* OPENSSL_NO_DH */
9885 #endif /* OPENSSL_NO_TLS1_2 */
9886
9887 #ifndef OSSL_NO_USABLE_TLS1_3
9888 /*
9889 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9890 * that it works even without a certificate configured for the original
9891 * SSL_CTX
9892 */
9893 static int test_sni_tls13(void)
9894 {
9895 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9896 SSL *clientssl = NULL, *serverssl = NULL;
9897 int testresult = 0;
9898
9899 /* Reset callback counter */
9900 snicb = 0;
9901
9902 /* Create an initial SSL_CTX with no certificate configured */
9903 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9904 if (!TEST_ptr(sctx))
9905 goto end;
9906 /* Require TLSv1.3 as a minimum */
9907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9908 TLS_client_method(), TLS1_3_VERSION, 0,
9909 &sctx2, &cctx, cert, privkey)))
9910 goto end;
9911
9912 /* Set up SNI */
9913 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9914 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9915 goto end;
9916
9917 /*
9918 * Connection should still succeed because the final SSL_CTX has the right
9919 * certificates configured.
9920 */
9921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9922 &clientssl, NULL, NULL))
9923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9924 SSL_ERROR_NONE)))
9925 goto end;
9926
9927 /* We should have had the SNI callback called exactly once */
9928 if (!TEST_int_eq(snicb, 1))
9929 goto end;
9930
9931 testresult = 1;
9932
9933 end:
9934 SSL_free(serverssl);
9935 SSL_free(clientssl);
9936 SSL_CTX_free(sctx2);
9937 SSL_CTX_free(sctx);
9938 SSL_CTX_free(cctx);
9939 return testresult;
9940 }
9941
9942 /*
9943 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9944 * 0 = TLSv1.2
9945 * 1 = TLSv1.3
9946 */
9947 static int test_ticket_lifetime(int idx)
9948 {
9949 SSL_CTX *cctx = NULL, *sctx = NULL;
9950 SSL *clientssl = NULL, *serverssl = NULL;
9951 int testresult = 0;
9952 int version = TLS1_3_VERSION;
9953
9954 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9955 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9956
9957 if (idx == 0) {
9958 #ifdef OPENSSL_NO_TLS1_2
9959 return TEST_skip("TLS 1.2 is disabled.");
9960 #else
9961 version = TLS1_2_VERSION;
9962 #endif
9963 }
9964
9965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9966 TLS_client_method(), version, version,
9967 &sctx, &cctx, cert, privkey)))
9968 goto end;
9969
9970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9971 &clientssl, NULL, NULL)))
9972 goto end;
9973
9974 /*
9975 * Set the timeout to be more than 1 week
9976 * make sure the returned value is the default
9977 */
9978 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9979 SSL_get_default_timeout(serverssl)))
9980 goto end;
9981
9982 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9983 goto end;
9984
9985 if (idx == 0) {
9986 /* TLSv1.2 uses the set value */
9987 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9988 goto end;
9989 } else {
9990 /* TLSv1.3 uses the limited value */
9991 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9992 goto end;
9993 }
9994 testresult = 1;
9995
9996 end:
9997 SSL_free(serverssl);
9998 SSL_free(clientssl);
9999 SSL_CTX_free(sctx);
10000 SSL_CTX_free(cctx);
10001 return testresult;
10002 }
10003 #endif
10004 /*
10005 * Test that setting an ALPN does not violate RFC
10006 */
10007 static int test_set_alpn(void)
10008 {
10009 SSL_CTX *ctx = NULL;
10010 SSL *ssl = NULL;
10011 int testresult = 0;
10012
10013 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10014 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10015 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10016 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10017 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10018 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10019
10020 /* Create an initial SSL_CTX with no certificate configured */
10021 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10022 if (!TEST_ptr(ctx))
10023 goto end;
10024
10025 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10026 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10027 goto end;
10028 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10029 goto end;
10030 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10031 goto end;
10032 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10033 goto end;
10034 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10035 goto end;
10036 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10037 goto end;
10038 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10039 goto end;
10040 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10041 goto end;
10042 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10043 goto end;
10044
10045 ssl = SSL_new(ctx);
10046 if (!TEST_ptr(ssl))
10047 goto end;
10048
10049 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10050 goto end;
10051 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10052 goto end;
10053 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10054 goto end;
10055 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10056 goto end;
10057 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10058 goto end;
10059 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10060 goto end;
10061 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10062 goto end;
10063 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10064 goto end;
10065 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10066 goto end;
10067
10068 testresult = 1;
10069
10070 end:
10071 SSL_free(ssl);
10072 SSL_CTX_free(ctx);
10073 return testresult;
10074 }
10075
10076 /*
10077 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10078 */
10079 static int test_set_verify_cert_store_ssl_ctx(void)
10080 {
10081 SSL_CTX *ctx = NULL;
10082 int testresult = 0;
10083 X509_STORE *store = NULL, *new_store = NULL,
10084 *cstore = NULL, *new_cstore = NULL;
10085
10086 /* Create an initial SSL_CTX. */
10087 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10088 if (!TEST_ptr(ctx))
10089 goto end;
10090
10091 /* Retrieve verify store pointer. */
10092 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10093 goto end;
10094
10095 /* Retrieve chain store pointer. */
10096 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10097 goto end;
10098
10099 /* We haven't set any yet, so this should be NULL. */
10100 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10101 goto end;
10102
10103 /* Create stores. We use separate stores so pointers are different. */
10104 new_store = X509_STORE_new();
10105 if (!TEST_ptr(new_store))
10106 goto end;
10107
10108 new_cstore = X509_STORE_new();
10109 if (!TEST_ptr(new_cstore))
10110 goto end;
10111
10112 /* Set stores. */
10113 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10114 goto end;
10115
10116 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10117 goto end;
10118
10119 /* Should be able to retrieve the same pointer. */
10120 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10121 goto end;
10122
10123 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10124 goto end;
10125
10126 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10127 goto end;
10128
10129 /* Should be able to unset again. */
10130 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10131 goto end;
10132
10133 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10134 goto end;
10135
10136 /* Should now be NULL. */
10137 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10138 goto end;
10139
10140 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10141 goto end;
10142
10143 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10144 goto end;
10145
10146 testresult = 1;
10147
10148 end:
10149 X509_STORE_free(new_store);
10150 X509_STORE_free(new_cstore);
10151 SSL_CTX_free(ctx);
10152 return testresult;
10153 }
10154
10155 /*
10156 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10157 */
10158 static int test_set_verify_cert_store_ssl(void)
10159 {
10160 SSL_CTX *ctx = NULL;
10161 SSL *ssl = NULL;
10162 int testresult = 0;
10163 X509_STORE *store = NULL, *new_store = NULL,
10164 *cstore = NULL, *new_cstore = NULL;
10165
10166 /* Create an initial SSL_CTX. */
10167 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10168 if (!TEST_ptr(ctx))
10169 goto end;
10170
10171 /* Create an SSL object. */
10172 ssl = SSL_new(ctx);
10173 if (!TEST_ptr(ssl))
10174 goto end;
10175
10176 /* Retrieve verify store pointer. */
10177 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10178 goto end;
10179
10180 /* Retrieve chain store pointer. */
10181 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10182 goto end;
10183
10184 /* We haven't set any yet, so this should be NULL. */
10185 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10186 goto end;
10187
10188 /* Create stores. We use separate stores so pointers are different. */
10189 new_store = X509_STORE_new();
10190 if (!TEST_ptr(new_store))
10191 goto end;
10192
10193 new_cstore = X509_STORE_new();
10194 if (!TEST_ptr(new_cstore))
10195 goto end;
10196
10197 /* Set stores. */
10198 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10199 goto end;
10200
10201 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10202 goto end;
10203
10204 /* Should be able to retrieve the same pointer. */
10205 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10206 goto end;
10207
10208 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10209 goto end;
10210
10211 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10212 goto end;
10213
10214 /* Should be able to unset again. */
10215 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10216 goto end;
10217
10218 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10219 goto end;
10220
10221 /* Should now be NULL. */
10222 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10223 goto end;
10224
10225 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10226 goto end;
10227
10228 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10229 goto end;
10230
10231 testresult = 1;
10232
10233 end:
10234 X509_STORE_free(new_store);
10235 X509_STORE_free(new_cstore);
10236 SSL_free(ssl);
10237 SSL_CTX_free(ctx);
10238 return testresult;
10239 }
10240
10241
10242 static int test_inherit_verify_param(void)
10243 {
10244 int testresult = 0;
10245
10246 SSL_CTX *ctx = NULL;
10247 X509_VERIFY_PARAM *cp = NULL;
10248 SSL *ssl = NULL;
10249 X509_VERIFY_PARAM *sp = NULL;
10250 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10251
10252 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10253 if (!TEST_ptr(ctx))
10254 goto end;
10255
10256 cp = SSL_CTX_get0_param(ctx);
10257 if (!TEST_ptr(cp))
10258 goto end;
10259 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10260 goto end;
10261
10262 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10263
10264 ssl = SSL_new(ctx);
10265 if (!TEST_ptr(ssl))
10266 goto end;
10267
10268 sp = SSL_get0_param(ssl);
10269 if (!TEST_ptr(sp))
10270 goto end;
10271 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10272 goto end;
10273
10274 testresult = 1;
10275
10276 end:
10277 SSL_free(ssl);
10278 SSL_CTX_free(ctx);
10279
10280 return testresult;
10281 }
10282
10283 static int test_load_dhfile(void)
10284 {
10285 #ifndef OPENSSL_NO_DH
10286 int testresult = 0;
10287
10288 SSL_CTX *ctx = NULL;
10289 SSL_CONF_CTX *cctx = NULL;
10290
10291 if (dhfile == NULL)
10292 return 1;
10293
10294 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10295 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10296 goto end;
10297
10298 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10299 SSL_CONF_CTX_set_flags(cctx,
10300 SSL_CONF_FLAG_CERTIFICATE
10301 | SSL_CONF_FLAG_SERVER
10302 | SSL_CONF_FLAG_FILE);
10303
10304 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10305 goto end;
10306
10307 testresult = 1;
10308 end:
10309 SSL_CONF_CTX_free(cctx);
10310 SSL_CTX_free(ctx);
10311
10312 return testresult;
10313 #else
10314 return TEST_skip("DH not supported by this build");
10315 #endif
10316 }
10317
10318 #ifndef OSSL_NO_USABLE_TLS1_3
10319 /* Test that read_ahead works across a key change */
10320 static int test_read_ahead_key_change(void)
10321 {
10322 SSL_CTX *cctx = NULL, *sctx = NULL;
10323 SSL *clientssl = NULL, *serverssl = NULL;
10324 int testresult = 0;
10325 char *msg = "Hello World";
10326 size_t written, readbytes;
10327 char buf[80];
10328 int i;
10329
10330 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10331 TLS_client_method(), TLS1_3_VERSION, 0,
10332 &sctx, &cctx, cert, privkey)))
10333 goto end;
10334
10335 SSL_CTX_set_read_ahead(sctx, 1);
10336
10337 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10338 &clientssl, NULL, NULL)))
10339 goto end;
10340
10341 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10342 goto end;
10343
10344 /* Write some data, send a key update, write more data */
10345 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10346 || !TEST_size_t_eq(written, strlen(msg)))
10347 goto end;
10348
10349 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10350 goto end;
10351
10352 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10353 || !TEST_size_t_eq(written, strlen(msg)))
10354 goto end;
10355
10356 /*
10357 * Since read_ahead is on the first read below should read the record with
10358 * the first app data, the second record with the key update message, and
10359 * the third record with the app data all in one go. We should be able to
10360 * still process the read_ahead data correctly even though it crosses
10361 * epochs
10362 */
10363 for (i = 0; i < 2; i++) {
10364 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10365 &readbytes)))
10366 goto end;
10367
10368 buf[readbytes] = '\0';
10369 if (!TEST_str_eq(buf, msg))
10370 goto end;
10371 }
10372
10373 testresult = 1;
10374
10375 end:
10376 SSL_free(serverssl);
10377 SSL_free(clientssl);
10378 SSL_CTX_free(sctx);
10379 SSL_CTX_free(cctx);
10380 return testresult;
10381 }
10382
10383 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10384 {
10385 int *called = arg;
10386
10387 switch ((*called)++) {
10388 case 0:
10389 /* Add some padding to first record */
10390 return 512;
10391 case 1:
10392 /* Maximally pad the second record */
10393 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10394 case 2:
10395 /*
10396 * Exceeding the maximum padding should be fine. It should just pad to
10397 * the maximum anyway
10398 */
10399 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10400 case 3:
10401 /*
10402 * Very large padding should also be ok. Should just pad to the maximum
10403 * allowed
10404 */
10405 return SIZE_MAX;
10406 default:
10407 return 0;
10408 }
10409 }
10410
10411 /*
10412 * Test that setting record padding in TLSv1.3 works as expected
10413 * Test 0: Record padding callback on the SSL_CTX
10414 * Test 1: Record padding callback on the SSL
10415 * Test 2: Record block padding on the SSL_CTX
10416 * Test 3: Record block padding on the SSL
10417 */
10418 static int test_tls13_record_padding(int idx)
10419 {
10420 SSL_CTX *cctx = NULL, *sctx = NULL;
10421 SSL *clientssl = NULL, *serverssl = NULL;
10422 int testresult = 0;
10423 char *msg = "Hello World";
10424 size_t written, readbytes;
10425 char buf[80];
10426 int i;
10427 int called = 0;
10428
10429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10430 TLS_client_method(), TLS1_3_VERSION, 0,
10431 &sctx, &cctx, cert, privkey)))
10432 goto end;
10433
10434 if (idx == 0) {
10435 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10436 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10437 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10438 goto end;
10439 } else if (idx == 2) {
10440 /* Exceeding the max plain length should fail */
10441 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10442 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10443 goto end;
10444 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10445 goto end;
10446 }
10447
10448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10449 &clientssl, NULL, NULL)))
10450 goto end;
10451
10452 if (idx == 1) {
10453 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10454 SSL_set_record_padding_callback_arg(clientssl, &called);
10455 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10456 goto end;
10457 } else if (idx == 3) {
10458 /* Exceeding the max plain length should fail */
10459 if (!TEST_false(SSL_set_block_padding(clientssl,
10460 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10461 goto end;
10462 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10463 goto end;
10464 }
10465
10466 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10467 goto end;
10468
10469 called = 0;
10470 /*
10471 * Write some data, then check we can read it. Do this four times to check
10472 * we can continue to write and read padded data after the initial record
10473 * padding has been added. We don't actually check that the padding has
10474 * been applied to the record - just that we can continue to communicate
10475 * normally and that the callback has been called (if appropriate).
10476 */
10477 for (i = 0; i < 4; i++) {
10478 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10479 || !TEST_size_t_eq(written, strlen(msg)))
10480 goto end;
10481
10482 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10483 &readbytes))
10484 || !TEST_size_t_eq(written, readbytes))
10485 goto end;
10486
10487 buf[readbytes] = '\0';
10488 if (!TEST_str_eq(buf, msg))
10489 goto end;
10490 }
10491
10492 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10493 goto end;
10494
10495 testresult = 1;
10496 end:
10497 SSL_free(serverssl);
10498 SSL_free(clientssl);
10499 SSL_CTX_free(sctx);
10500 SSL_CTX_free(cctx);
10501 return testresult;
10502 }
10503 #endif /* OSSL_NO_USABLE_TLS1_3 */
10504
10505 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10506 /*
10507 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10508 * support this yet. The only pipeline capable cipher that we have is in the
10509 * dasync engine (providers don't support this yet), so we have to use
10510 * deprecated APIs for this test.
10511 *
10512 * Test 0: Client has pipelining enabled, server does not
10513 * Test 1: Server has pipelining enabled, client does not
10514 * Test 2: Client has pipelining enabled, server does not: not enough data to
10515 * fill all the pipelines
10516 * Test 3: Client has pipelining enabled, server does not: not enough data to
10517 * fill all the pipelines by more than a full pipeline's worth
10518 * Test 4: Client has pipelining enabled, server does not: more data than all
10519 * the available pipelines can take
10520 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10521 */
10522 static int test_pipelining(int idx)
10523 {
10524 SSL_CTX *cctx = NULL, *sctx = NULL;
10525 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10526 int testresult = 0, numreads;
10527 /* A 55 byte message */
10528 unsigned char *msg = (unsigned char *)
10529 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10530 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10531 size_t expectedreads;
10532 unsigned char *buf = NULL;
10533 ENGINE *e;
10534
10535 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10536 return 0;
10537
10538 if (!TEST_true(ENGINE_init(e))) {
10539 ENGINE_free(e);
10540 return 0;
10541 }
10542
10543 if (!TEST_true(ENGINE_register_ciphers(e)))
10544 goto end;
10545
10546 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10547 TLS_client_method(), 0,
10548 TLS1_2_VERSION, &sctx, &cctx, cert,
10549 privkey)))
10550 goto end;
10551
10552 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10553 &clientssl, NULL, NULL)))
10554 goto end;
10555
10556 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10557 goto end;
10558
10559 /* peera is always configured for pipelining, while peerb is not. */
10560 if (idx == 1) {
10561 peera = serverssl;
10562 peerb = clientssl;
10563
10564 } else {
10565 peera = clientssl;
10566 peerb = serverssl;
10567 }
10568
10569 if (idx == 5) {
10570 numpipes = 2;
10571 /* Maximum allowed fragment size */
10572 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10573 msglen = fragsize * numpipes;
10574 msg = OPENSSL_malloc(msglen);
10575 if (!TEST_ptr(msg))
10576 goto end;
10577 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10578 goto end;
10579 } else if (idx == 4) {
10580 msglen = 55;
10581 } else {
10582 msglen = 50;
10583 }
10584 if (idx == 2)
10585 msglen -= 2; /* Send 2 less bytes */
10586 else if (idx == 3)
10587 msglen -= 12; /* Send 12 less bytes */
10588
10589 buf = OPENSSL_malloc(msglen);
10590 if (!TEST_ptr(buf))
10591 goto end;
10592
10593 if (idx == 5) {
10594 /*
10595 * Test that setting a split send fragment longer than the maximum
10596 * allowed fails
10597 */
10598 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10599 goto end;
10600 }
10601
10602 /*
10603 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10604 * (50 bytes in total). This is a ridiculously small number of bytes -
10605 * but sufficient for our purposes
10606 */
10607 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10608 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10609 goto end;
10610
10611 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10612 goto end;
10613
10614 /* Write some data from peera to peerb */
10615 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10616 || !TEST_size_t_eq(written, msglen))
10617 goto end;
10618
10619 /*
10620 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10621 * have been used - except in test 3 where only |numpipes - 1| pipelines
10622 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10623 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10624 * expect this to be read in |numpipes| or |numpipes - 1| separate
10625 * SSL_read_ex calls. In the case of test 4, there is then one additional
10626 * read for left over data that couldn't fit in the previous pipelines
10627 */
10628 for (offset = 0, numreads = 0;
10629 offset < msglen;
10630 offset += readbytes, numreads++) {
10631 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10632 msglen - offset, &readbytes)))
10633 goto end;
10634 }
10635
10636 expectedreads = idx == 4 ? numpipes + 1
10637 : (idx == 3 ? numpipes - 1 : numpipes);
10638 if (!TEST_mem_eq(msg, msglen, buf, offset)
10639 || !TEST_int_eq(numreads, expectedreads))
10640 goto end;
10641
10642 /*
10643 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10644 * chunks to exercise the read pipelining code on peera.
10645 */
10646 for (offset = 0; offset < msglen; offset += fragsize) {
10647 size_t sendlen = msglen - offset;
10648
10649 if (sendlen > fragsize)
10650 sendlen = fragsize;
10651 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10652 || !TEST_size_t_eq(written, sendlen))
10653 goto end;
10654 }
10655
10656 /*
10657 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10658 * separate chunks (depending on which test we are running). If the
10659 * pipelining is working then we expect peera to read up to numpipes chunks
10660 * and process them in parallel, giving back the complete result in a single
10661 * call to SSL_read_ex
10662 */
10663 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10664 || !TEST_size_t_le(readbytes, msglen))
10665 goto end;
10666
10667 if (idx == 4) {
10668 size_t readbytes2;
10669
10670 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10671 msglen - readbytes, &readbytes2)))
10672 goto end;
10673 readbytes += readbytes2;
10674 if (!TEST_size_t_le(readbytes, msglen))
10675 goto end;
10676 }
10677
10678 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10679 goto end;
10680
10681 testresult = 1;
10682 end:
10683 SSL_free(serverssl);
10684 SSL_free(clientssl);
10685 SSL_CTX_free(sctx);
10686 SSL_CTX_free(cctx);
10687 ENGINE_unregister_ciphers(e);
10688 ENGINE_finish(e);
10689 ENGINE_free(e);
10690 OPENSSL_free(buf);
10691 if (idx == 5)
10692 OPENSSL_free(msg);
10693 return testresult;
10694 }
10695 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10696
10697 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10698
10699 int setup_tests(void)
10700 {
10701 char *modulename;
10702 char *configfile;
10703
10704 libctx = OSSL_LIB_CTX_new();
10705 if (!TEST_ptr(libctx))
10706 return 0;
10707
10708 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10709
10710 /*
10711 * Verify that the default and fips providers in the default libctx are not
10712 * available
10713 */
10714 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10715 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10716 return 0;
10717
10718 if (!test_skip_common_options()) {
10719 TEST_error("Error parsing test options\n");
10720 return 0;
10721 }
10722
10723 if (!TEST_ptr(certsdir = test_get_argument(0))
10724 || !TEST_ptr(srpvfile = test_get_argument(1))
10725 || !TEST_ptr(tmpfilename = test_get_argument(2))
10726 || !TEST_ptr(modulename = test_get_argument(3))
10727 || !TEST_ptr(configfile = test_get_argument(4))
10728 || !TEST_ptr(dhfile = test_get_argument(5)))
10729 return 0;
10730
10731 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10732 return 0;
10733
10734 /* Check we have the expected provider available */
10735 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10736 return 0;
10737
10738 /* Check the default provider is not available */
10739 if (strcmp(modulename, "default") != 0
10740 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10741 return 0;
10742
10743 if (strcmp(modulename, "fips") == 0)
10744 is_fips = 1;
10745
10746 /*
10747 * We add, but don't load the test "tls-provider". We'll load it when we
10748 * need it.
10749 */
10750 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10751 tls_provider_init)))
10752 return 0;
10753
10754
10755 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10756 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10757 TEST_error("not supported in this build");
10758 return 0;
10759 #else
10760 int i, mcount, rcount, fcount;
10761
10762 for (i = 0; i < 4; i++)
10763 test_export_key_mat(i);
10764 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10765 test_printf_stdout("malloc %d realloc %d free %d\n",
10766 mcount, rcount, fcount);
10767 return 1;
10768 #endif
10769 }
10770
10771 cert = test_mk_file_path(certsdir, "servercert.pem");
10772 if (cert == NULL)
10773 goto err;
10774
10775 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10776 if (privkey == NULL)
10777 goto err;
10778
10779 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10780 if (cert2 == NULL)
10781 goto err;
10782
10783 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10784 if (privkey2 == NULL)
10785 goto err;
10786
10787 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10788 if (cert1024 == NULL)
10789 goto err;
10790
10791 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10792 if (privkey1024 == NULL)
10793 goto err;
10794
10795 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10796 if (cert3072 == NULL)
10797 goto err;
10798
10799 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10800 if (privkey3072 == NULL)
10801 goto err;
10802
10803 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10804 if (cert4096 == NULL)
10805 goto err;
10806
10807 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10808 if (privkey4096 == NULL)
10809 goto err;
10810
10811 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10812 if (cert8192 == NULL)
10813 goto err;
10814
10815 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10816 if (privkey8192 == NULL)
10817 goto err;
10818
10819 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10820 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10821 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10822 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
10823 # endif
10824 #endif
10825 ADD_TEST(test_large_message_tls);
10826 ADD_TEST(test_large_message_tls_read_ahead);
10827 #ifndef OPENSSL_NO_DTLS
10828 ADD_TEST(test_large_message_dtls);
10829 #endif
10830 ADD_ALL_TESTS(test_large_app_data, 28);
10831 ADD_TEST(test_cleanse_plaintext);
10832 #ifndef OPENSSL_NO_OCSP
10833 ADD_TEST(test_tlsext_status_type);
10834 #endif
10835 ADD_TEST(test_session_with_only_int_cache);
10836 ADD_TEST(test_session_with_only_ext_cache);
10837 ADD_TEST(test_session_with_both_cache);
10838 ADD_TEST(test_session_wo_ca_names);
10839 #ifndef OSSL_NO_USABLE_TLS1_3
10840 ADD_ALL_TESTS(test_stateful_tickets, 3);
10841 ADD_ALL_TESTS(test_stateless_tickets, 3);
10842 ADD_TEST(test_psk_tickets);
10843 ADD_ALL_TESTS(test_extra_tickets, 6);
10844 #endif
10845 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10846 ADD_TEST(test_ssl_bio_pop_next_bio);
10847 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10848 ADD_TEST(test_ssl_bio_change_rbio);
10849 ADD_TEST(test_ssl_bio_change_wbio);
10850 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10851 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10852 ADD_TEST(test_keylog);
10853 #endif
10854 #ifndef OSSL_NO_USABLE_TLS1_3
10855 ADD_TEST(test_keylog_no_master_key);
10856 #endif
10857 ADD_TEST(test_client_cert_verify_cb);
10858 ADD_TEST(test_ssl_build_cert_chain);
10859 ADD_TEST(test_ssl_ctx_build_cert_chain);
10860 #ifndef OPENSSL_NO_TLS1_2
10861 ADD_TEST(test_client_hello_cb);
10862 ADD_TEST(test_no_ems);
10863 ADD_TEST(test_ccs_change_cipher);
10864 #endif
10865 #ifndef OSSL_NO_USABLE_TLS1_3
10866 ADD_ALL_TESTS(test_early_data_read_write, 3);
10867 /*
10868 * We don't do replay tests for external PSK. Replay protection isn't used
10869 * in that scenario.
10870 */
10871 ADD_ALL_TESTS(test_early_data_replay, 2);
10872 ADD_ALL_TESTS(test_early_data_skip, 3);
10873 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
10874 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
10875 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
10876 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10877 ADD_ALL_TESTS(test_early_data_psk, 8);
10878 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10879 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10880 # ifndef OPENSSL_NO_TLS1_2
10881 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10882 # endif
10883 #endif
10884 #ifndef OSSL_NO_USABLE_TLS1_3
10885 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10886 ADD_TEST(test_ciphersuite_change);
10887 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10888 # ifdef OPENSSL_NO_PSK
10889 ADD_ALL_TESTS(test_tls13_psk, 1);
10890 # else
10891 ADD_ALL_TESTS(test_tls13_psk, 4);
10892 # endif /* OPENSSL_NO_PSK */
10893 # ifndef OPENSSL_NO_TLS1_2
10894 /* Test with both TLSv1.3 and 1.2 versions */
10895 ADD_ALL_TESTS(test_key_exchange, 14);
10896 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10897 ADD_ALL_TESTS(test_negotiated_group,
10898 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10899 + OSSL_NELEM(ffdhe_kexch_groups)));
10900 # endif
10901 # else
10902 /* Test with only TLSv1.3 versions */
10903 ADD_ALL_TESTS(test_key_exchange, 12);
10904 # endif
10905 ADD_ALL_TESTS(test_custom_exts, 6);
10906 ADD_TEST(test_stateless);
10907 ADD_TEST(test_pha_key_update);
10908 #else
10909 ADD_ALL_TESTS(test_custom_exts, 3);
10910 #endif
10911 ADD_ALL_TESTS(test_export_key_mat, 6);
10912 #ifndef OSSL_NO_USABLE_TLS1_3
10913 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10914 ADD_TEST(test_key_update);
10915 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10916 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10917 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10918 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10919 #endif
10920 ADD_ALL_TESTS(test_ssl_clear, 2);
10921 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10922 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10923 ADD_ALL_TESTS(test_srp, 6);
10924 #endif
10925 #if !defined(OPENSSL_NO_COMP_ALG)
10926 /* Add compression case */
10927 ADD_ALL_TESTS(test_info_callback, 8);
10928 #else
10929 ADD_ALL_TESTS(test_info_callback, 6);
10930 #endif
10931 ADD_ALL_TESTS(test_ssl_pending, 2);
10932 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10933 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10934 ADD_ALL_TESTS(test_shutdown, 7);
10935 ADD_TEST(test_async_shutdown);
10936 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10937 ADD_ALL_TESTS(test_cert_cb, 6);
10938 ADD_ALL_TESTS(test_client_cert_cb, 2);
10939 ADD_ALL_TESTS(test_ca_names, 3);
10940 #ifndef OPENSSL_NO_TLS1_2
10941 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10942 #endif
10943 ADD_ALL_TESTS(test_servername, 10);
10944 #if !defined(OPENSSL_NO_EC) \
10945 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10946 ADD_ALL_TESTS(test_sigalgs_available, 6);
10947 #endif
10948 #ifndef OPENSSL_NO_TLS1_3
10949 ADD_ALL_TESTS(test_pluggable_group, 2);
10950 ADD_ALL_TESTS(test_pluggable_signature, 2);
10951 #endif
10952 #ifndef OPENSSL_NO_TLS1_2
10953 ADD_TEST(test_ssl_dup);
10954 # ifndef OPENSSL_NO_DH
10955 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10956 ADD_ALL_TESTS(test_dh_auto, 7);
10957 # endif
10958 #endif
10959 #ifndef OSSL_NO_USABLE_TLS1_3
10960 ADD_TEST(test_sni_tls13);
10961 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10962 #endif
10963 ADD_TEST(test_inherit_verify_param);
10964 ADD_TEST(test_set_alpn);
10965 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10966 ADD_TEST(test_set_verify_cert_store_ssl);
10967 ADD_ALL_TESTS(test_session_timeout, 1);
10968 ADD_TEST(test_load_dhfile);
10969 #ifndef OSSL_NO_USABLE_TLS1_3
10970 ADD_TEST(test_read_ahead_key_change);
10971 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10972 #endif
10973 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10974 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10975 #endif
10976 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10977 ADD_ALL_TESTS(test_pipelining, 6);
10978 #endif
10979 return 1;
10980
10981 err:
10982 OPENSSL_free(cert);
10983 OPENSSL_free(privkey);
10984 OPENSSL_free(cert2);
10985 OPENSSL_free(privkey2);
10986 return 0;
10987 }
10988
10989 void cleanup_tests(void)
10990 {
10991 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10992 EVP_PKEY_free(tmp_dh_params);
10993 #endif
10994 OPENSSL_free(cert);
10995 OPENSSL_free(privkey);
10996 OPENSSL_free(cert2);
10997 OPENSSL_free(privkey2);
10998 OPENSSL_free(cert1024);
10999 OPENSSL_free(privkey1024);
11000 OPENSSL_free(cert3072);
11001 OPENSSL_free(privkey3072);
11002 OPENSSL_free(cert4096);
11003 OPENSSL_free(privkey4096);
11004 OPENSSL_free(cert8192);
11005 OPENSSL_free(privkey8192);
11006 bio_s_mempacket_test_free();
11007 bio_s_always_retry_free();
11008 OSSL_PROVIDER_unload(defctxnull);
11009 OSSL_LIB_CTX_free(libctx);
11010 }
A mirror of the official openssl repository