]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add a test for session cache handling
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "../ssl/ssl_local.h"
45 #include "../ssl/record/methods/recmethod_local.h"
46 #include "filterprov.h"
47
48 #undef OSSL_NO_USABLE_TLS1_3
49 #if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51 /*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55 # define OSSL_NO_USABLE_TLS1_3
56 #endif
57
58 /* Defined in tls-provider.c */
59 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
63
64 static OSSL_LIB_CTX *libctx = NULL;
65 static OSSL_PROVIDER *defctxnull = NULL;
66
67 #ifndef OSSL_NO_USABLE_TLS1_3
68
69 static SSL_SESSION *clientpsk = NULL;
70 static SSL_SESSION *serverpsk = NULL;
71 static const char *pskid = "Identity";
72 static const char *srvid;
73
74 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76 static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79 static int use_session_cb_cnt = 0;
80 static int find_session_cb_cnt = 0;
81 #endif
82
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
99
100 static int is_fips = 0;
101 static int fips_ems_check = 0;
102
103 #define LOG_BUFFER_SIZE 2048
104 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105 static size_t server_log_buffer_index = 0;
106 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t client_log_buffer_index = 0;
108 static int error_writing_log = 0;
109
110 #ifndef OPENSSL_NO_OCSP
111 static const unsigned char orespder[] = "Dummy OCSP Response";
112 static int ocsp_server_called = 0;
113 static int ocsp_client_called = 0;
114
115 static int cdummyarg = 1;
116 static X509 *ocspcert = NULL;
117 #endif
118
119 #define CLIENT_VERSION_LEN 2
120
121 /*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135 };
136
137
138 static int hostname_cb(SSL *s, int *al, void *arg)
139 {
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147 }
148
149 static void client_keylog_callback(const SSL *ssl, const char *line)
150 {
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163 }
164
165 static void server_keylog_callback(const SSL *ssl, const char *line)
166 {
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179 }
180
181 static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185 {
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200 }
201
202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205 {
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345 }
346
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
349 {
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418 end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425 }
426 #endif
427
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
430 {
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534 end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542 }
543 #endif
544
545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 {
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562 }
563
564 static int test_client_cert_verify_cb(void)
565 {
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620 end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641 }
642
643 static int test_ssl_build_cert_chain(void)
644 {
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664 end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670 }
671
672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 {
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681 }
682
683 static int test_ssl_ctx_build_cert_chain(void)
684 {
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703 end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708 }
709
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
712 {
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
717 #ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 #else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722 #endif
723 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
725 11, 10,
726 #endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750 }
751
752 static int test_client_hello_cb(void)
753 {
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
781 goto end;
782
783 testresult = 1;
784
785 end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792 }
793
794 static int test_no_ems(void)
795 {
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0, status;
799
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
816 if (status == 1) {
817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
818 goto end;
819 }
820 } else {
821 if (!status) {
822 printf("Creating SSL connection failed\n");
823 goto end;
824 }
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
827 goto end;
828 }
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
831 goto end;
832 }
833 }
834 testresult = 1;
835
836 end:
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843 }
844
845 /*
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
849 * encryption to real encryption).
850 */
851 static int test_ccs_change_cipher(void)
852 {
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
856 int testresult = 0;
857 int i;
858 unsigned char buf;
859 size_t readbytes;
860
861 /*
862 * Create a connection so we can resume and potentially (but not) use
863 * a different cipher in the second connection.
864 */
865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
866 TLS_client_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 NULL, NULL))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
877 goto end;
878
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
881
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 NULL, NULL))
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 SSL_ERROR_NONE))
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 goto end;
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
899
900 /*
901 * Now create a fresh connection and try to renegotiate a different
902 * cipher on it.
903 */
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 NULL, NULL))
906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 SSL_ERROR_NONE))
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 goto end;
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
918 goto end;
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
921 goto end;
922 }
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 }
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
939 goto end;
940
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
943
944 testresult = 1;
945
946 end:
947 SSL_free(serverssl);
948 SSL_free(clientssl);
949 SSL_CTX_free(sctx);
950 SSL_CTX_free(cctx);
951 SSL_SESSION_free(sess);
952
953 return testresult;
954 }
955 #endif
956
957 static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
960 int read_ahead)
961 {
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
964 int testresult = 0;
965
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
969 goto end;
970
971 #ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982 #endif
983
984 if (read_ahead) {
985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
993 goto end;
994
995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 NULL, NULL))
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
998 SSL_ERROR_NONE)))
999 goto end;
1000
1001 /*
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1003 * doesn't leak.
1004 */
1005 if (!TEST_true(SSL_clear(serverssl)))
1006 goto end;
1007
1008 testresult = 1;
1009 end:
1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1012 SSL_CTX_free(sctx);
1013 SSL_CTX_free(cctx);
1014
1015 return testresult;
1016 }
1017
1018 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1020 /* sock must be connected */
1021 static int ktls_chk_platform(int sock)
1022 {
1023 if (!ktls_enable(sock))
1024 return 0;
1025 return 1;
1026 }
1027
1028 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1029 {
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1033 size_t err = 0;
1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
1042 SSL_CONNECTION *clientsc, *serversc;
1043
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1046 goto end;
1047
1048 cbuf[0] = count++;
1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1053
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1055 goto end;
1056
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1059 goto end;
1060 }
1061 }
1062
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1076
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1079 goto end;
1080
1081 /*
1082 * If ktls is used then kernel sequences are used instead of
1083 * OpenSSL sequences
1084 */
1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
1088 goto end;
1089 } else {
1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
1092 goto end;
1093 }
1094
1095 if (!BIO_get_ktls_send(serversc->wbio)) {
1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
1098 goto end;
1099 } else {
1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
1102 goto end;
1103 }
1104
1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
1108 goto end;
1109 } else {
1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
1112 goto end;
1113 }
1114
1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
1118 goto end;
1119 } else {
1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
1122 goto end;
1123 }
1124
1125 return 1;
1126 end:
1127 return 0;
1128 }
1129
1130 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1131 int tls_version, const char *cipher)
1132 {
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1137 int rx_supported;
1138 SSL_CONNECTION *clientsc, *serversc;
1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1141 int ret;
1142 size_t offset = 0, i;
1143
1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1145 goto end;
1146
1147 /* Skip this test if the platform does not support ktls */
1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1150 goto end;
1151 }
1152
1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1155 goto end;
1156 }
1157
1158 /* Create a session based on SHA-256 */
1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1160 TLS_client_method(),
1161 tls_version, tls_version,
1162 &sctx, &cctx, cert, privkey)))
1163 goto end;
1164
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1168 goto end;
1169 } else {
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1172 goto end;
1173 }
1174
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1177 goto end;
1178
1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1181 goto end;
1182
1183 if (cis_ktls) {
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1185 goto end;
1186 }
1187
1188 if (sis_ktls) {
1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1190 goto end;
1191 }
1192
1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1194 goto end;
1195
1196 /*
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1199 * isn't enabled.
1200 */
1201 if (!cis_ktls) {
1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1203 goto end;
1204 } else {
1205 if (BIO_get_ktls_send(clientsc->wbio))
1206 ktls_used = 1;
1207 }
1208
1209 if (!sis_ktls) {
1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1211 goto end;
1212 } else {
1213 if (BIO_get_ktls_send(serversc->wbio))
1214 ktls_used = 1;
1215 }
1216
1217 #if defined(OPENSSL_NO_KTLS_RX)
1218 rx_supported = 0;
1219 #else
1220 rx_supported = 1;
1221 #endif
1222 if (!cis_ktls || !rx_supported) {
1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1224 goto end;
1225 } else {
1226 if (BIO_get_ktls_send(clientsc->rbio))
1227 ktls_used = 1;
1228 }
1229
1230 if (!sis_ktls || !rx_supported) {
1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1232 goto end;
1233 } else {
1234 if (BIO_get_ktls_send(serversc->rbio))
1235 ktls_used = 1;
1236 }
1237
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1241 "TLS 1.2", cipher);
1242 goto end;
1243 }
1244
1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1246 goto end;
1247
1248 buf = OPENSSL_zalloc(bufsz);
1249 if (!TEST_ptr(buf))
1250 goto end;
1251
1252 /*
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1255 */
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1258 goto end;
1259 }
1260
1261 /* Now check that we can read all the data we wrote */
1262 do {
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1264 if (ret <= 0) {
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1266 goto end;
1267 } else {
1268 offset += ret;
1269 }
1270 } while (offset < bufsz);
1271
1272 if (!TEST_true(offset == bufsz))
1273 goto end;
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1276 goto end;
1277
1278 testresult = 1;
1279 end:
1280 OPENSSL_free(buf);
1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
1296 return testresult;
1297 }
1298
1299 #define SENDFILE_SZ (16 * 4096)
1300 #define SENDFILE_CHUNK (4 * 4096)
1301 #define min(a,b) ((a) > (b) ? (b) : (a))
1302
1303 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
1305 {
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
1315 SSL_CONNECTION *serversc;
1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1326 goto end;
1327 }
1328
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1359 goto end;
1360
1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1368 SSL_ERROR_NONE)))
1369 goto end;
1370
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1379 goto end;
1380
1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422 end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443 }
1444
1445 static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448 } ktls_test_ciphers[] = {
1449 # if !defined(OPENSSL_NO_TLS1_2)
1450 # ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452 # endif
1453 # ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455 # endif
1456 # ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458 # endif
1459 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460 # ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1462 # endif
1463 # endif
1464 # endif
1465 # if !defined(OSSL_NO_USABLE_TLS1_3)
1466 # ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468 # endif
1469 # ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471 # endif
1472 # ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474 # endif
1475 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477 # endif
1478 # endif
1479 };
1480
1481 #define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
1484 static int test_ktls(int test)
1485 {
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1488
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1491
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1494
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
1497 }
1498
1499 static int test_ktls_sendfile(int test)
1500 {
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1503
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1506
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
1509 }
1510 #endif
1511
1512 static int test_large_message_tls(void)
1513 {
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1516 }
1517
1518 static int test_large_message_tls_read_ahead(void)
1519 {
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1522 }
1523
1524 #ifndef OPENSSL_NO_DTLS
1525 static int test_large_message_dtls(void)
1526 {
1527 # ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531 # endif
1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1539 }
1540 #endif
1541
1542 /*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550 static int test_large_app_data(int tst)
1551 {
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1559
1560 switch (tst >> 2) {
1561 case 0:
1562 #ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565 #else
1566 return 1;
1567 #endif
1568
1569 case 1:
1570 #ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573 #else
1574 return 1;
1575 #endif
1576
1577 case 2:
1578 #ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581 #else
1582 return 1;
1583 #endif
1584
1585 case 3:
1586 #ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589 #else
1590 return 1;
1591 #endif
1592
1593 case 4:
1594 #ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597 #else
1598 return 1;
1599 #endif
1600
1601 case 5:
1602 #ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607 #else
1608 return 1;
1609 #endif
1610
1611 case 6:
1612 #ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617 #else
1618 return 1;
1619 #endif
1620
1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693 end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701 }
1702
1703 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
1705 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1708 {
1709 size_t i;
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1712 int testresult = 0;
1713 const unsigned char *zbuf;
1714 SSL_CONNECTION *serversc;
1715 TLS_RECORD *rr;
1716
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1719
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1721 smeth, cmeth,
1722 min_version, max_version,
1723 &sctx, &cctx, cert,
1724 privkey)))
1725 goto end;
1726
1727 # ifdef OPENSSL_NO_DTLS1_2
1728 if (smeth == DTLS_server_method()) {
1729 /* Not supported in the FIPS provider */
1730 if (is_fips) {
1731 testresult = 1;
1732 goto end;
1733 };
1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
1743 # endif
1744
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
1776 rr = serversc->rlayer.tlsrecs;
1777
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809 }
1810 #endif /*
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1813 */
1814
1815 static int test_cleanse_plaintext(void)
1816 {
1817 #if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1820 TLS1_2_VERSION,
1821 TLS1_2_VERSION)))
1822 return 0;
1823
1824 #endif
1825
1826 #if !defined(OSSL_NO_USABLE_TLS1_3)
1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1829 TLS1_3_VERSION,
1830 TLS1_3_VERSION)))
1831 return 0;
1832 #endif
1833
1834 #if !defined(OPENSSL_NO_DTLS)
1835
1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1838 DTLS1_VERSION,
1839 0)))
1840 return 0;
1841 #endif
1842 return 1;
1843 }
1844
1845 #ifndef OPENSSL_NO_OCSP
1846 static int ocsp_server_cb(SSL *s, void *arg)
1847 {
1848 int *argi = (int *)arg;
1849 unsigned char *copy = NULL;
1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1852
1853 if (*argi == 2) {
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858
1859 id = sk_OCSP_RESPID_value(ids, 0);
1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 }
1865
1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1871 OPENSSL_free(copy);
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1873 }
1874 ocsp_server_called = 1;
1875 return SSL_TLSEXT_ERR_OK;
1876 }
1877
1878 static int ocsp_client_cb(SSL *s, void *arg)
1879 {
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1882 size_t len;
1883
1884 if (*argi != 1 && *argi != 2)
1885 return 0;
1886
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1888 if (!TEST_mem_eq(orespder, len, respderin, len))
1889 return 0;
1890
1891 ocsp_client_called = 1;
1892 return 1;
1893 }
1894
1895 static int test_tlsext_status_type(void)
1896 {
1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
1899 int testresult = 0;
1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
1903
1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1905 TLS1_VERSION, 0,
1906 &sctx, &cctx, cert, privkey))
1907 return 0;
1908
1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1910 goto end;
1911
1912 /* First just do various checks getting and setting tlsext_status_type */
1913
1914 clientssl = SSL_new(cctx);
1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
1920 goto end;
1921
1922 SSL_free(clientssl);
1923 clientssl = NULL;
1924
1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1927 goto end;
1928
1929 clientssl = SSL_new(cctx);
1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1931 goto end;
1932 SSL_free(clientssl);
1933 clientssl = NULL;
1934
1935 /*
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1938 */
1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1946 SSL_ERROR_NONE))
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
1949 goto end;
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = NULL;
1953 clientssl = NULL;
1954
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1958 cdummyarg = 0;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1963 SSL_ERROR_NONE))
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
1966 goto end;
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = NULL;
1970 clientssl = NULL;
1971
1972 /*
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1974 * accept.
1975 */
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1978 cdummyarg = 2;
1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
1981 goto end;
1982
1983 /*
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1985 * specific one. We'll use the server cert.
1986 */
1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1994 goto end;
1995 id = NULL;
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
1998 ids = NULL;
1999
2000 BIO_free(certbio);
2001 certbio = NULL;
2002
2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2004 SSL_ERROR_NONE))
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
2007 goto end;
2008
2009 testresult = 1;
2010
2011 end:
2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2014 SSL_CTX_free(sctx);
2015 SSL_CTX_free(cctx);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2018 BIO_free(certbio);
2019 X509_free(ocspcert);
2020 ocspcert = NULL;
2021
2022 return testresult;
2023 }
2024 #endif
2025
2026 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2027 static int new_called, remove_called, get_called;
2028
2029 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2030 {
2031 new_called++;
2032 /*
2033 * sess has been up-refed for us, but we don't actually need it so free it
2034 * immediately.
2035 */
2036 SSL_SESSION_free(sess);
2037 return 1;
2038 }
2039
2040 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041 {
2042 remove_called++;
2043 }
2044
2045 static SSL_SESSION *get_sess_val = NULL;
2046
2047 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 int *copy)
2049 {
2050 get_called++;
2051 *copy = 1;
2052 return get_sess_val;
2053 }
2054
2055 static int execute_test_session(int maxprot, int use_int_cache,
2056 int use_ext_cache, long s_options)
2057 {
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2061 # ifndef OPENSSL_NO_TLS1_1
2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2063 # endif
2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2065 int testresult = 0, numnewsesstick = 1;
2066
2067 new_called = remove_called = 0;
2068
2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2071 numnewsesstick = 2;
2072
2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
2075 &sctx, &cctx, cert, privkey)))
2076 return 0;
2077
2078 /*
2079 * Only allow the max protocol version so we can force a connection failure
2080 * later
2081 */
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
2084
2085 /* Set up session cache */
2086 if (use_ext_cache) {
2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2089 }
2090 if (use_int_cache) {
2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2093 } else {
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2097 }
2098
2099 if (s_options) {
2100 SSL_CTX_set_options(sctx, s_options);
2101 }
2102
2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2104 NULL, NULL))
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2106 SSL_ERROR_NONE))
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2108 goto end;
2109
2110 /* Should fail because it should already be in the cache */
2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2112 goto end;
2113 if (use_ext_cache
2114 && (!TEST_int_eq(new_called, numnewsesstick)
2115
2116 || !TEST_int_eq(remove_called, 0)))
2117 goto end;
2118
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2124 SSL_ERROR_NONE))
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2126 goto end;
2127
2128 if (maxprot == TLS1_3_VERSION) {
2129 /*
2130 * In TLSv1.3 we should have created a new session even though we have
2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
2133 */
2134 if (use_ext_cache
2135 && (!TEST_int_eq(new_called, 1)
2136 || !TEST_int_eq(remove_called, 1)))
2137 goto end;
2138 } else {
2139 /*
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2141 * removed.
2142 */
2143 if (use_ext_cache
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2146 goto end;
2147 }
2148
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2151 goto end;
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
2154
2155 new_called = remove_called = 0;
2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2159 SSL_ERROR_NONE)))
2160 goto end;
2161
2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2163 goto end;
2164
2165 if (use_ext_cache
2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
2168 goto end;
2169
2170 new_called = remove_called = 0;
2171 /*
2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2174 */
2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2176 goto end;
2177 if (use_ext_cache
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2179 goto end;
2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2181 goto end;
2182
2183 if (use_int_cache) {
2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2187 goto end;
2188 }
2189
2190 new_called = remove_called = 0;
2191 /* This shouldn't be in the cache so should fail */
2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2193 goto end;
2194
2195 if (use_ext_cache
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2197 goto end;
2198
2199 # if !defined(OPENSSL_NO_TLS1_1)
2200 new_called = remove_called = 0;
2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
2206 /* This should fail because of the mismatched protocol versions */
2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2208 SSL_ERROR_NONE)))
2209 goto end;
2210
2211 /* We should have automatically removed the session from the cache */
2212 if (use_ext_cache
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2214 goto end;
2215
2216 /* Should succeed because it should not already be in the cache */
2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2218 goto end;
2219 # endif
2220
2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2229 }
2230
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2233 if (!use_int_cache)
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2237
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2245 sess1 = NULL;
2246 SSL_SESSION_free(sess2);
2247 sess2 = NULL;
2248
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2252 new_called = remove_called = get_called = 0;
2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2254 NULL, NULL))
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2256 SSL_ERROR_NONE))
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2259 goto end;
2260
2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2263 /*
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2268 */
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2270 goto end;
2271 } else {
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 goto end;
2275 }
2276 }
2277
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2280
2281 if (!TEST_int_eq(new_called, numnewsesstick)
2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
2284 goto end;
2285 /*
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2289 */
2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2295 goto end;
2296 SSL_SESSION_free(sess2);
2297 }
2298 sess2 = tmp;
2299 }
2300
2301 new_called = remove_called = get_called = 0;
2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2307 SSL_ERROR_NONE))
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2309 goto end;
2310
2311 if (use_ext_cache) {
2312 if (!TEST_int_eq(remove_called, 0))
2313 goto end;
2314
2315 if (maxprot == TLS1_3_VERSION) {
2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
2318 goto end;
2319 } else {
2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
2322 goto end;
2323 }
2324 }
2325 /*
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2330 */
2331
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2337 goto end;
2338
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2340 goto end;
2341
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2345
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2350 goto end;
2351
2352 testresult = 1;
2353
2354 end:
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
2359 # ifndef OPENSSL_NO_TLS1_1
2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
2362 # endif
2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369 }
2370 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2371
2372 static int test_session_with_only_int_cache(void)
2373 {
2374 #ifndef OSSL_NO_USABLE_TLS1_3
2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2376 return 0;
2377 #endif
2378
2379 #ifndef OPENSSL_NO_TLS1_2
2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2381 #else
2382 return 1;
2383 #endif
2384 }
2385
2386 static int test_session_with_only_ext_cache(void)
2387 {
2388 #ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2390 return 0;
2391 #endif
2392
2393 #ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2395 #else
2396 return 1;
2397 #endif
2398 }
2399
2400 static int test_session_with_both_cache(void)
2401 {
2402 #ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2404 return 0;
2405 #endif
2406
2407 #ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2409 #else
2410 return 1;
2411 #endif
2412 }
2413
2414 static int test_session_wo_ca_names(void)
2415 {
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2418 return 0;
2419 #endif
2420
2421 #ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2423 #else
2424 return 1;
2425 #endif
2426 }
2427
2428
2429 #ifndef OSSL_NO_USABLE_TLS1_3
2430 static SSL_SESSION *sesscache[6];
2431 static int do_cache;
2432
2433 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2434 {
2435 if (do_cache) {
2436 sesscache[new_called] = sess;
2437 } else {
2438 /* We don't need the reference to the session, so free it */
2439 SSL_SESSION_free(sess);
2440 }
2441 new_called++;
2442
2443 return 1;
2444 }
2445
2446 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2447 {
2448 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2449 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2450 return 0;
2451
2452 /* Start handshake on the server and client */
2453 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2454 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2455 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2456 || !TEST_true(create_ssl_connection(sssl, cssl,
2457 SSL_ERROR_NONE)))
2458 return 0;
2459
2460 return 1;
2461 }
2462
2463 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2464 SSL_CTX **cctx)
2465 {
2466 int sess_id_ctx = 1;
2467
2468 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2469 TLS_client_method(), TLS1_VERSION, 0,
2470 sctx, cctx, cert, privkey))
2471 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2472 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2473 (void *)&sess_id_ctx,
2474 sizeof(sess_id_ctx))))
2475 return 0;
2476
2477 if (stateful)
2478 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2479
2480 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2481 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2482 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2483
2484 return 1;
2485 }
2486
2487 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2488 {
2489 SSL *serverssl = NULL, *clientssl = NULL;
2490 int i;
2491
2492 /* Test that we can resume with all the tickets we got given */
2493 for (i = 0; i < idx * 2; i++) {
2494 new_called = 0;
2495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2496 &clientssl, NULL, NULL))
2497 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2498 goto end;
2499
2500 SSL_set_post_handshake_auth(clientssl, 1);
2501
2502 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2503 SSL_ERROR_NONE)))
2504 goto end;
2505
2506 /*
2507 * Following a successful resumption we only get 1 ticket. After a
2508 * failed one we should get idx tickets.
2509 */
2510 if (succ) {
2511 if (!TEST_true(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, 1))
2513 goto end;
2514 } else {
2515 if (!TEST_false(SSL_session_reused(clientssl))
2516 || !TEST_int_eq(new_called, idx))
2517 goto end;
2518 }
2519
2520 new_called = 0;
2521 /* After a post-handshake authentication we should get 1 new ticket */
2522 if (succ
2523 && (!post_handshake_verify(serverssl, clientssl)
2524 || !TEST_int_eq(new_called, 1)))
2525 goto end;
2526
2527 SSL_shutdown(clientssl);
2528 SSL_shutdown(serverssl);
2529 SSL_free(serverssl);
2530 SSL_free(clientssl);
2531 serverssl = clientssl = NULL;
2532 SSL_SESSION_free(sesscache[i]);
2533 sesscache[i] = NULL;
2534 }
2535
2536 return 1;
2537
2538 end:
2539 SSL_free(clientssl);
2540 SSL_free(serverssl);
2541 return 0;
2542 }
2543
2544 static int test_tickets(int stateful, int idx)
2545 {
2546 SSL_CTX *sctx = NULL, *cctx = NULL;
2547 SSL *serverssl = NULL, *clientssl = NULL;
2548 int testresult = 0;
2549 size_t j;
2550
2551 /* idx is the test number, but also the number of tickets we want */
2552
2553 new_called = 0;
2554 do_cache = 1;
2555
2556 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2557 goto end;
2558
2559 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2560 &clientssl, NULL, NULL)))
2561 goto end;
2562
2563 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2564 SSL_ERROR_NONE))
2565 /* Check we got the number of tickets we were expecting */
2566 || !TEST_int_eq(idx, new_called))
2567 goto end;
2568
2569 SSL_shutdown(clientssl);
2570 SSL_shutdown(serverssl);
2571 SSL_free(serverssl);
2572 SSL_free(clientssl);
2573 SSL_CTX_free(sctx);
2574 SSL_CTX_free(cctx);
2575 clientssl = serverssl = NULL;
2576 sctx = cctx = NULL;
2577
2578 /*
2579 * Now we try to resume with the tickets we previously created. The
2580 * resumption attempt is expected to fail (because we're now using a new
2581 * SSL_CTX). We should see idx number of tickets issued again.
2582 */
2583
2584 /* Stop caching sessions - just count them */
2585 do_cache = 0;
2586
2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2588 goto end;
2589
2590 if (!check_resumption(idx, sctx, cctx, 0))
2591 goto end;
2592
2593 /* Start again with caching sessions */
2594 new_called = 0;
2595 do_cache = 1;
2596 SSL_CTX_free(sctx);
2597 SSL_CTX_free(cctx);
2598 sctx = cctx = NULL;
2599
2600 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2601 goto end;
2602
2603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2604 &clientssl, NULL, NULL)))
2605 goto end;
2606
2607 SSL_set_post_handshake_auth(clientssl, 1);
2608
2609 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2610 SSL_ERROR_NONE))
2611 /* Check we got the number of tickets we were expecting */
2612 || !TEST_int_eq(idx, new_called))
2613 goto end;
2614
2615 /* After a post-handshake authentication we should get new tickets issued */
2616 if (!post_handshake_verify(serverssl, clientssl)
2617 || !TEST_int_eq(idx * 2, new_called))
2618 goto end;
2619
2620 SSL_shutdown(clientssl);
2621 SSL_shutdown(serverssl);
2622 SSL_free(serverssl);
2623 SSL_free(clientssl);
2624 serverssl = clientssl = NULL;
2625
2626 /* Stop caching sessions - just count them */
2627 do_cache = 0;
2628
2629 /*
2630 * Check we can resume with all the tickets we created. This time around the
2631 * resumptions should all be successful.
2632 */
2633 if (!check_resumption(idx, sctx, cctx, 1))
2634 goto end;
2635
2636 testresult = 1;
2637
2638 end:
2639 SSL_free(serverssl);
2640 SSL_free(clientssl);
2641 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2642 SSL_SESSION_free(sesscache[j]);
2643 sesscache[j] = NULL;
2644 }
2645 SSL_CTX_free(sctx);
2646 SSL_CTX_free(cctx);
2647
2648 return testresult;
2649 }
2650
2651 static int test_stateless_tickets(int idx)
2652 {
2653 return test_tickets(0, idx);
2654 }
2655
2656 static int test_stateful_tickets(int idx)
2657 {
2658 return test_tickets(1, idx);
2659 }
2660
2661 static int test_psk_tickets(void)
2662 {
2663 SSL_CTX *sctx = NULL, *cctx = NULL;
2664 SSL *serverssl = NULL, *clientssl = NULL;
2665 int testresult = 0;
2666 int sess_id_ctx = 1;
2667
2668 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2669 TLS_client_method(), TLS1_VERSION, 0,
2670 &sctx, &cctx, NULL, NULL))
2671 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2672 (void *)&sess_id_ctx,
2673 sizeof(sess_id_ctx))))
2674 goto end;
2675
2676 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2677 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2678 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2679 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2680 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2681 use_session_cb_cnt = 0;
2682 find_session_cb_cnt = 0;
2683 srvid = pskid;
2684 new_called = 0;
2685
2686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2687 NULL, NULL)))
2688 goto end;
2689 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2690 if (!TEST_ptr(clientpsk))
2691 goto end;
2692 SSL_SESSION_up_ref(clientpsk);
2693
2694 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2695 SSL_ERROR_NONE))
2696 || !TEST_int_eq(1, find_session_cb_cnt)
2697 || !TEST_int_eq(1, use_session_cb_cnt)
2698 /* We should always get 1 ticket when using external PSK */
2699 || !TEST_int_eq(1, new_called))
2700 goto end;
2701
2702 testresult = 1;
2703
2704 end:
2705 SSL_free(serverssl);
2706 SSL_free(clientssl);
2707 SSL_CTX_free(sctx);
2708 SSL_CTX_free(cctx);
2709 SSL_SESSION_free(clientpsk);
2710 SSL_SESSION_free(serverpsk);
2711 clientpsk = serverpsk = NULL;
2712
2713 return testresult;
2714 }
2715
2716 static int test_extra_tickets(int idx)
2717 {
2718 SSL_CTX *sctx = NULL, *cctx = NULL;
2719 SSL *serverssl = NULL, *clientssl = NULL;
2720 BIO *bretry = BIO_new(bio_s_always_retry());
2721 BIO *tmp = NULL;
2722 int testresult = 0;
2723 int stateful = 0;
2724 size_t nbytes;
2725 unsigned char c, buf[1];
2726
2727 new_called = 0;
2728 do_cache = 1;
2729
2730 if (idx >= 3) {
2731 idx -= 3;
2732 stateful = 1;
2733 }
2734
2735 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2736 goto end;
2737 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2738 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2739 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2740
2741 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2742 &clientssl, NULL, NULL)))
2743 goto end;
2744
2745 /*
2746 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2747 * incremented by both client and server.
2748 */
2749 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2750 SSL_ERROR_NONE))
2751 /* Check we got the number of tickets we were expecting */
2752 || !TEST_int_eq(idx * 2, new_called)
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_true(SSL_new_session_ticket(serverssl))
2755 || !TEST_int_eq(idx * 2, new_called))
2756 goto end;
2757
2758 /* Now try a (real) write to actually send the tickets */
2759 c = '1';
2760 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2761 || !TEST_size_t_eq(1, nbytes)
2762 || !TEST_int_eq(idx * 2 + 2, new_called)
2763 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2764 || !TEST_int_eq(idx * 2 + 4, new_called)
2765 || !TEST_int_eq(sizeof(buf), nbytes)
2766 || !TEST_int_eq(c, buf[0])
2767 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2768 goto end;
2769
2770 /* Try with only requesting one new ticket, too */
2771 c = '2';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2775 || !TEST_size_t_eq(sizeof(c), nbytes)
2776 || !TEST_int_eq(1, new_called)
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2778 || !TEST_int_eq(2, new_called)
2779 || !TEST_size_t_eq(sizeof(buf), nbytes)
2780 || !TEST_int_eq(c, buf[0]))
2781 goto end;
2782
2783 /* Do it again but use dummy writes to drive the ticket generation */
2784 c = '3';
2785 new_called = 0;
2786 if (!TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_new_session_ticket(serverssl))
2788 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2789 || !TEST_size_t_eq(0, nbytes)
2790 || !TEST_int_eq(2, new_called)
2791 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2792 || !TEST_int_eq(4, new_called))
2793 goto end;
2794
2795 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2796 c = '4';
2797 new_called = 0;
2798 if (!TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_new_session_ticket(serverssl))
2800 || !TEST_true(SSL_do_handshake(serverssl))
2801 || !TEST_int_eq(2, new_called)
2802 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2803 || !TEST_int_eq(4, new_called))
2804 goto end;
2805
2806 /*
2807 * Use the always-retry BIO to exercise the logic that forces ticket
2808 * generation to wait until a record boundary.
2809 */
2810 c = '5';
2811 new_called = 0;
2812 tmp = SSL_get_wbio(serverssl);
2813 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2814 tmp = NULL;
2815 goto end;
2816 }
2817 SSL_set0_wbio(serverssl, bretry);
2818 bretry = NULL;
2819 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2820 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2821 || !TEST_size_t_eq(nbytes, 0))
2822 goto end;
2823 /* Restore a BIO that will let the write succeed */
2824 SSL_set0_wbio(serverssl, tmp);
2825 tmp = NULL;
2826 /*
2827 * These calls should just queue the request and not send anything
2828 * even if we explicitly try to hit the state machine.
2829 */
2830 if (!TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_true(SSL_new_session_ticket(serverssl))
2832 || !TEST_int_eq(0, new_called)
2833 || !TEST_true(SSL_do_handshake(serverssl))
2834 || !TEST_int_eq(0, new_called))
2835 goto end;
2836 /* Re-do the write; still no tickets sent */
2837 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2838 || !TEST_size_t_eq(1, nbytes)
2839 || !TEST_int_eq(0, new_called)
2840 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2841 || !TEST_int_eq(0, new_called)
2842 || !TEST_int_eq(sizeof(buf), nbytes)
2843 || !TEST_int_eq(c, buf[0])
2844 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2845 goto end;
2846 /* Even trying to hit the state machine now will still not send tickets */
2847 if (!TEST_true(SSL_do_handshake(serverssl))
2848 || !TEST_int_eq(0, new_called))
2849 goto end;
2850 /* Now the *next* write should send the tickets */
2851 c = '6';
2852 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2853 || !TEST_size_t_eq(1, nbytes)
2854 || !TEST_int_eq(2, new_called)
2855 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2856 || !TEST_int_eq(4, new_called)
2857 || !TEST_int_eq(sizeof(buf), nbytes)
2858 || !TEST_int_eq(c, buf[0])
2859 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2860 goto end;
2861
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 testresult = 1;
2865
2866 end:
2867 BIO_free(bretry);
2868 BIO_free(tmp);
2869 SSL_free(serverssl);
2870 SSL_free(clientssl);
2871 SSL_CTX_free(sctx);
2872 SSL_CTX_free(cctx);
2873 clientssl = serverssl = NULL;
2874 sctx = cctx = NULL;
2875 return testresult;
2876 }
2877 #endif
2878
2879 #define USE_NULL 0
2880 #define USE_BIO_1 1
2881 #define USE_BIO_2 2
2882 #define USE_DEFAULT 3
2883
2884 #define CONNTYPE_CONNECTION_SUCCESS 0
2885 #define CONNTYPE_CONNECTION_FAIL 1
2886 #define CONNTYPE_NO_CONNECTION 2
2887
2888 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2889 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2890 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2891 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2892 #else
2893 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2894 #endif
2895
2896 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2898 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2899
2900 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2901 {
2902 switch (type) {
2903 case USE_NULL:
2904 *res = NULL;
2905 break;
2906 case USE_BIO_1:
2907 *res = bio1;
2908 break;
2909 case USE_BIO_2:
2910 *res = bio2;
2911 break;
2912 }
2913 }
2914
2915
2916 /*
2917 * Tests calls to SSL_set_bio() under various conditions.
2918 *
2919 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2920 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2921 * then do more tests where we create a successful connection first using our
2922 * standard connection setup functions, and then call SSL_set_bio() with
2923 * various combinations of valid BIOs or NULL. We then repeat these tests
2924 * following a failed connection. In this last case we are looking to check that
2925 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2926 */
2927 static int test_ssl_set_bio(int idx)
2928 {
2929 SSL_CTX *sctx = NULL, *cctx = NULL;
2930 BIO *bio1 = NULL;
2931 BIO *bio2 = NULL;
2932 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2933 SSL *serverssl = NULL, *clientssl = NULL;
2934 int initrbio, initwbio, newrbio, newwbio, conntype;
2935 int testresult = 0;
2936
2937 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2938 initrbio = idx % 3;
2939 idx /= 3;
2940 initwbio = idx % 3;
2941 idx /= 3;
2942 newrbio = idx % 3;
2943 idx /= 3;
2944 newwbio = idx % 3;
2945 conntype = CONNTYPE_NO_CONNECTION;
2946 } else {
2947 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2948 initrbio = initwbio = USE_DEFAULT;
2949 newrbio = idx % 2;
2950 idx /= 2;
2951 newwbio = idx % 2;
2952 idx /= 2;
2953 conntype = idx % 2;
2954 }
2955
2956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2957 TLS_client_method(), TLS1_VERSION, 0,
2958 &sctx, &cctx, cert, privkey)))
2959 goto end;
2960
2961 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2962 /*
2963 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2964 * because we reduced the number of tests in the definition of
2965 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2966 * mismatched protocol versions we will force a connection failure.
2967 */
2968 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2970 }
2971
2972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2973 NULL, NULL)))
2974 goto end;
2975
2976 if (initrbio == USE_BIO_1
2977 || initwbio == USE_BIO_1
2978 || newrbio == USE_BIO_1
2979 || newwbio == USE_BIO_1) {
2980 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2981 goto end;
2982 }
2983
2984 if (initrbio == USE_BIO_2
2985 || initwbio == USE_BIO_2
2986 || newrbio == USE_BIO_2
2987 || newwbio == USE_BIO_2) {
2988 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2989 goto end;
2990 }
2991
2992 if (initrbio != USE_DEFAULT) {
2993 setupbio(&irbio, bio1, bio2, initrbio);
2994 setupbio(&iwbio, bio1, bio2, initwbio);
2995 SSL_set_bio(clientssl, irbio, iwbio);
2996
2997 /*
2998 * We want to maintain our own refs to these BIO, so do an up ref for
2999 * each BIO that will have ownership transferred in the SSL_set_bio()
3000 * call
3001 */
3002 if (irbio != NULL)
3003 BIO_up_ref(irbio);
3004 if (iwbio != NULL && iwbio != irbio)
3005 BIO_up_ref(iwbio);
3006 }
3007
3008 if (conntype != CONNTYPE_NO_CONNECTION
3009 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3010 SSL_ERROR_NONE)
3011 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3012 goto end;
3013
3014 setupbio(&nrbio, bio1, bio2, newrbio);
3015 setupbio(&nwbio, bio1, bio2, newwbio);
3016
3017 /*
3018 * We will (maybe) transfer ownership again so do more up refs.
3019 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3020 * already been set!
3021 */
3022 if (nrbio != NULL
3023 && nrbio != irbio
3024 && (nwbio != iwbio || nrbio != nwbio))
3025 BIO_up_ref(nrbio);
3026 if (nwbio != NULL
3027 && nwbio != nrbio
3028 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3029 BIO_up_ref(nwbio);
3030
3031 SSL_set_bio(clientssl, nrbio, nwbio);
3032
3033 testresult = 1;
3034
3035 end:
3036 BIO_free(bio1);
3037 BIO_free(bio2);
3038
3039 /*
3040 * This test is checking that the ref counting for SSL_set_bio is correct.
3041 * If we get here and we did too many frees then we will fail in the above
3042 * functions.
3043 */
3044 SSL_free(serverssl);
3045 SSL_free(clientssl);
3046 SSL_CTX_free(sctx);
3047 SSL_CTX_free(cctx);
3048 return testresult;
3049 }
3050
3051 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3052
3053 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3054 {
3055 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3056 SSL_CTX *ctx;
3057 SSL *ssl = NULL;
3058 int testresult = 0;
3059
3060 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3061 || !TEST_ptr(ssl = SSL_new(ctx))
3062 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3063 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3064 goto end;
3065
3066 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3067
3068 /*
3069 * If anything goes wrong here then we could leak memory.
3070 */
3071 BIO_push(sslbio, membio1);
3072
3073 /* Verify changing the rbio/wbio directly does not cause leaks */
3074 if (change_bio != NO_BIO_CHANGE) {
3075 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3076 ssl = NULL;
3077 goto end;
3078 }
3079 if (change_bio == CHANGE_RBIO)
3080 SSL_set0_rbio(ssl, membio2);
3081 else
3082 SSL_set0_wbio(ssl, membio2);
3083 }
3084 ssl = NULL;
3085
3086 if (pop_ssl)
3087 BIO_pop(sslbio);
3088 else
3089 BIO_pop(membio1);
3090
3091 testresult = 1;
3092 end:
3093 BIO_free(membio1);
3094 BIO_free(sslbio);
3095 SSL_free(ssl);
3096 SSL_CTX_free(ctx);
3097
3098 return testresult;
3099 }
3100
3101 static int test_ssl_bio_pop_next_bio(void)
3102 {
3103 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3104 }
3105
3106 static int test_ssl_bio_pop_ssl_bio(void)
3107 {
3108 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3109 }
3110
3111 static int test_ssl_bio_change_rbio(void)
3112 {
3113 return execute_test_ssl_bio(0, CHANGE_RBIO);
3114 }
3115
3116 static int test_ssl_bio_change_wbio(void)
3117 {
3118 return execute_test_ssl_bio(0, CHANGE_WBIO);
3119 }
3120
3121 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3122 typedef struct {
3123 /* The list of sig algs */
3124 const int *list;
3125 /* The length of the list */
3126 size_t listlen;
3127 /* A sigalgs list in string format */
3128 const char *liststr;
3129 /* Whether setting the list should succeed */
3130 int valid;
3131 /* Whether creating a connection with the list should succeed */
3132 int connsuccess;
3133 } sigalgs_list;
3134
3135 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3136 # ifndef OPENSSL_NO_EC
3137 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3138 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3139 # endif
3140 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3141 static const int invalidlist2[] = {NID_sha256, NID_undef};
3142 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3143 static const int invalidlist4[] = {NID_sha256};
3144 static const sigalgs_list testsigalgs[] = {
3145 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3146 # ifndef OPENSSL_NO_EC
3147 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3148 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3149 # endif
3150 {NULL, 0, "RSA+SHA256", 1, 1},
3151 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3152 # ifndef OPENSSL_NO_EC
3153 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3154 {NULL, 0, "ECDSA+SHA512", 1, 0},
3155 # endif
3156 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3157 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3158 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3159 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3160 {NULL, 0, "RSA", 0, 0},
3161 {NULL, 0, "SHA256", 0, 0},
3162 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3163 {NULL, 0, "Invalid", 0, 0}
3164 };
3165
3166 static int test_set_sigalgs(int idx)
3167 {
3168 SSL_CTX *cctx = NULL, *sctx = NULL;
3169 SSL *clientssl = NULL, *serverssl = NULL;
3170 int testresult = 0;
3171 const sigalgs_list *curr;
3172 int testctx;
3173
3174 /* Should never happen */
3175 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3176 return 0;
3177
3178 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3179 curr = testctx ? &testsigalgs[idx]
3180 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3181
3182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3183 TLS_client_method(), TLS1_VERSION, 0,
3184 &sctx, &cctx, cert, privkey)))
3185 return 0;
3186
3187 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3188
3189 if (testctx) {
3190 int ret;
3191
3192 if (curr->list != NULL)
3193 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3194 else
3195 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3196
3197 if (!ret) {
3198 if (curr->valid)
3199 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3200 else
3201 testresult = 1;
3202 goto end;
3203 }
3204 if (!curr->valid) {
3205 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3206 goto end;
3207 }
3208 }
3209
3210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3211 &clientssl, NULL, NULL)))
3212 goto end;
3213
3214 if (!testctx) {
3215 int ret;
3216
3217 if (curr->list != NULL)
3218 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3219 else
3220 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3221 if (!ret) {
3222 if (curr->valid)
3223 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3224 else
3225 testresult = 1;
3226 goto end;
3227 }
3228 if (!curr->valid)
3229 goto end;
3230 }
3231
3232 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3233 SSL_ERROR_NONE),
3234 curr->connsuccess))
3235 goto end;
3236
3237 testresult = 1;
3238
3239 end:
3240 SSL_free(serverssl);
3241 SSL_free(clientssl);
3242 SSL_CTX_free(sctx);
3243 SSL_CTX_free(cctx);
3244
3245 return testresult;
3246 }
3247 #endif
3248
3249 #ifndef OSSL_NO_USABLE_TLS1_3
3250 static int psk_client_cb_cnt = 0;
3251 static int psk_server_cb_cnt = 0;
3252
3253 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3254 size_t *idlen, SSL_SESSION **sess)
3255 {
3256 switch (++use_session_cb_cnt) {
3257 case 1:
3258 /* The first call should always have a NULL md */
3259 if (md != NULL)
3260 return 0;
3261 break;
3262
3263 case 2:
3264 /* The second call should always have an md */
3265 if (md == NULL)
3266 return 0;
3267 break;
3268
3269 default:
3270 /* We should only be called a maximum of twice */
3271 return 0;
3272 }
3273
3274 if (clientpsk != NULL)
3275 SSL_SESSION_up_ref(clientpsk);
3276
3277 *sess = clientpsk;
3278 *id = (const unsigned char *)pskid;
3279 *idlen = strlen(pskid);
3280
3281 return 1;
3282 }
3283
3284 #ifndef OPENSSL_NO_PSK
3285 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3286 unsigned int max_id_len,
3287 unsigned char *psk,
3288 unsigned int max_psk_len)
3289 {
3290 unsigned int psklen = 0;
3291
3292 psk_client_cb_cnt++;
3293
3294 if (strlen(pskid) + 1 > max_id_len)
3295 return 0;
3296
3297 /* We should only ever be called a maximum of twice per connection */
3298 if (psk_client_cb_cnt > 2)
3299 return 0;
3300
3301 if (clientpsk == NULL)
3302 return 0;
3303
3304 /* We'll reuse the PSK we set up for TLSv1.3 */
3305 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3306 return 0;
3307 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3308 strncpy(id, pskid, max_id_len);
3309
3310 return psklen;
3311 }
3312 #endif /* OPENSSL_NO_PSK */
3313
3314 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3315 size_t identity_len, SSL_SESSION **sess)
3316 {
3317 find_session_cb_cnt++;
3318
3319 /* We should only ever be called a maximum of twice per connection */
3320 if (find_session_cb_cnt > 2)
3321 return 0;
3322
3323 if (serverpsk == NULL)
3324 return 0;
3325
3326 /* Identity should match that set by the client */
3327 if (strlen(srvid) != identity_len
3328 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3329 /* No PSK found, continue but without a PSK */
3330 *sess = NULL;
3331 return 1;
3332 }
3333
3334 SSL_SESSION_up_ref(serverpsk);
3335 *sess = serverpsk;
3336
3337 return 1;
3338 }
3339
3340 #ifndef OPENSSL_NO_PSK
3341 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3342 unsigned char *psk, unsigned int max_psk_len)
3343 {
3344 unsigned int psklen = 0;
3345
3346 psk_server_cb_cnt++;
3347
3348 /* We should only ever be called a maximum of twice per connection */
3349 if (find_session_cb_cnt > 2)
3350 return 0;
3351
3352 if (serverpsk == NULL)
3353 return 0;
3354
3355 /* Identity should match that set by the client */
3356 if (strcmp(srvid, identity) != 0) {
3357 return 0;
3358 }
3359
3360 /* We'll reuse the PSK we set up for TLSv1.3 */
3361 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3362 return 0;
3363 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3364
3365 return psklen;
3366 }
3367 #endif /* OPENSSL_NO_PSK */
3368
3369 #define MSG1 "Hello"
3370 #define MSG2 "World."
3371 #define MSG3 "This"
3372 #define MSG4 "is"
3373 #define MSG5 "a"
3374 #define MSG6 "test"
3375 #define MSG7 "message."
3376
3377 static int artificial_ticket_time = 0;
3378
3379 static int ed_gen_cb(SSL *s, void *arg)
3380 {
3381 SSL_SESSION *sess = SSL_get0_session(s);
3382
3383 if (sess == NULL)
3384 return 0;
3385
3386 /*
3387 * Artificially give the ticket some age. Just do it for the number of
3388 * tickets we've been told to do.
3389 */
3390 if (artificial_ticket_time == 0)
3391 return 1;
3392 artificial_ticket_time--;
3393
3394 if (SSL_SESSION_set_time_ex(sess, SSL_SESSION_get_time_ex(sess) - 10) == 0)
3395 return 0;
3396
3397 return 1;
3398 }
3399
3400 /*
3401 * Helper method to setup objects for early data test. Caller frees objects on
3402 * error.
3403 */
3404 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3405 SSL **serverssl, SSL_SESSION **sess, int idx,
3406 size_t mdsize)
3407 {
3408 int artificial = (artificial_ticket_time > 0);
3409
3410 if (*sctx == NULL
3411 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3412 TLS_client_method(),
3413 TLS1_VERSION, 0,
3414 sctx, cctx, cert, privkey)))
3415 return 0;
3416
3417 if (artificial)
3418 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3419
3420 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3421 return 0;
3422
3423 if (idx == 1) {
3424 /* When idx == 1 we repeat the tests with read_ahead set */
3425 SSL_CTX_set_read_ahead(*cctx, 1);
3426 SSL_CTX_set_read_ahead(*sctx, 1);
3427 } else if (idx == 2) {
3428 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3429 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3430 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3431 use_session_cb_cnt = 0;
3432 find_session_cb_cnt = 0;
3433 srvid = pskid;
3434 }
3435
3436 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3437 NULL, NULL)))
3438 return 0;
3439
3440 /*
3441 * For one of the run throughs (doesn't matter which one), we'll try sending
3442 * some SNI data in the initial ClientHello. This will be ignored (because
3443 * there is no SNI cb set up by the server), so it should not impact
3444 * early_data.
3445 */
3446 if (idx == 1
3447 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3448 return 0;
3449
3450 if (idx == 2) {
3451 clientpsk = create_a_psk(*clientssl, mdsize);
3452 if (!TEST_ptr(clientpsk)
3453 /*
3454 * We just choose an arbitrary value for max_early_data which
3455 * should be big enough for testing purposes.
3456 */
3457 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3458 0x100))
3459 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 clientpsk = NULL;
3462 return 0;
3463 }
3464 serverpsk = clientpsk;
3465
3466 if (sess != NULL) {
3467 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3468 SSL_SESSION_free(clientpsk);
3469 SSL_SESSION_free(serverpsk);
3470 clientpsk = serverpsk = NULL;
3471 return 0;
3472 }
3473 *sess = clientpsk;
3474 }
3475 return 1;
3476 }
3477
3478 if (sess == NULL)
3479 return 1;
3480
3481 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3482 SSL_ERROR_NONE)))
3483 return 0;
3484
3485 *sess = SSL_get1_session(*clientssl);
3486 SSL_shutdown(*clientssl);
3487 SSL_shutdown(*serverssl);
3488 SSL_free(*serverssl);
3489 SSL_free(*clientssl);
3490 *serverssl = *clientssl = NULL;
3491
3492 /*
3493 * Artificially give the ticket some age to match the artificial age we
3494 * gave it on the server side
3495 */
3496 if (artificial
3497 && !TEST_time_t_gt(SSL_SESSION_set_time_ex(*sess,
3498 SSL_SESSION_get_time_ex(*sess) - 10), 0))
3499 return 0;
3500
3501 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3502 clientssl, NULL, NULL))
3503 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3504 return 0;
3505
3506 return 1;
3507 }
3508
3509 static int test_early_data_read_write(int idx)
3510 {
3511 SSL_CTX *cctx = NULL, *sctx = NULL;
3512 SSL *clientssl = NULL, *serverssl = NULL;
3513 int testresult = 0;
3514 SSL_SESSION *sess = NULL;
3515 unsigned char buf[20], data[1024];
3516 size_t readbytes, written, eoedlen, rawread, rawwritten;
3517 BIO *rbio;
3518
3519 /* Artificially give the next 2 tickets some age for non PSK sessions */
3520 if (idx != 2)
3521 artificial_ticket_time = 2;
3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3523 &serverssl, &sess, idx,
3524 SHA384_DIGEST_LENGTH))) {
3525 artificial_ticket_time = 0;
3526 goto end;
3527 }
3528 artificial_ticket_time = 0;
3529
3530 /* Write and read some early data */
3531 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3532 &written))
3533 || !TEST_size_t_eq(written, strlen(MSG1))
3534 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3535 sizeof(buf), &readbytes),
3536 SSL_READ_EARLY_DATA_SUCCESS)
3537 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3538 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3539 SSL_EARLY_DATA_ACCEPTED))
3540 goto end;
3541
3542 /*
3543 * Server should be able to write data, and client should be able to
3544 * read it.
3545 */
3546 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3547 &written))
3548 || !TEST_size_t_eq(written, strlen(MSG2))
3549 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3550 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3551 goto end;
3552
3553 /* Even after reading normal data, client should be able write early data */
3554 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3555 &written))
3556 || !TEST_size_t_eq(written, strlen(MSG3)))
3557 goto end;
3558
3559 /* Server should still be able read early data after writing data */
3560 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3561 &readbytes),
3562 SSL_READ_EARLY_DATA_SUCCESS)
3563 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3564 goto end;
3565
3566 /* Write more data from server and read it from client */
3567 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3568 &written))
3569 || !TEST_size_t_eq(written, strlen(MSG4))
3570 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3571 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3572 goto end;
3573
3574 /*
3575 * If client writes normal data it should mean writing early data is no
3576 * longer possible.
3577 */
3578 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3579 || !TEST_size_t_eq(written, strlen(MSG5))
3580 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3581 SSL_EARLY_DATA_ACCEPTED))
3582 goto end;
3583
3584 /*
3585 * At this point the client has written EndOfEarlyData, ClientFinished and
3586 * normal (fully protected) data. We are going to cause a delay between the
3587 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3588 * in the read BIO, and then just put back the EndOfEarlyData message.
3589 */
3590 rbio = SSL_get_rbio(serverssl);
3591 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3592 || !TEST_size_t_lt(rawread, sizeof(data))
3593 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3594 goto end;
3595
3596 /* Record length is in the 4th and 5th bytes of the record header */
3597 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3598 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3599 || !TEST_size_t_eq(rawwritten, eoedlen))
3600 goto end;
3601
3602 /* Server should be told that there is no more early data */
3603 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3604 &readbytes),
3605 SSL_READ_EARLY_DATA_FINISH)
3606 || !TEST_size_t_eq(readbytes, 0))
3607 goto end;
3608
3609 /*
3610 * Server has not finished init yet, so should still be able to write early
3611 * data.
3612 */
3613 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3614 &written))
3615 || !TEST_size_t_eq(written, strlen(MSG6)))
3616 goto end;
3617
3618 /* Push the ClientFinished and the normal data back into the server rbio */
3619 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3620 &rawwritten))
3621 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3622 goto end;
3623
3624 /* Server should be able to read normal data */
3625 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3626 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3627 goto end;
3628
3629 /* Client and server should not be able to write/read early data now */
3630 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3631 &written)))
3632 goto end;
3633 ERR_clear_error();
3634 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3635 &readbytes),
3636 SSL_READ_EARLY_DATA_ERROR))
3637 goto end;
3638 ERR_clear_error();
3639
3640 /* Client should be able to read the data sent by the server */
3641 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3643 goto end;
3644
3645 /*
3646 * Make sure we process the two NewSessionTickets. These arrive
3647 * post-handshake. We attempt reads which we do not expect to return any
3648 * data.
3649 */
3650 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3651 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3652 &readbytes)))
3653 goto end;
3654
3655 /* Server should be able to write normal data */
3656 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3657 || !TEST_size_t_eq(written, strlen(MSG7))
3658 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3659 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3660 goto end;
3661
3662 SSL_SESSION_free(sess);
3663 sess = SSL_get1_session(clientssl);
3664 use_session_cb_cnt = 0;
3665 find_session_cb_cnt = 0;
3666
3667 SSL_shutdown(clientssl);
3668 SSL_shutdown(serverssl);
3669 SSL_free(serverssl);
3670 SSL_free(clientssl);
3671 serverssl = clientssl = NULL;
3672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3673 &clientssl, NULL, NULL))
3674 || !TEST_true(SSL_set_session(clientssl, sess)))
3675 goto end;
3676
3677 /* Write and read some early data */
3678 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3679 &written))
3680 || !TEST_size_t_eq(written, strlen(MSG1))
3681 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3682 &readbytes),
3683 SSL_READ_EARLY_DATA_SUCCESS)
3684 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3685 goto end;
3686
3687 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3688 || !TEST_int_gt(SSL_accept(serverssl), 0))
3689 goto end;
3690
3691 /* Client and server should not be able to write/read early data now */
3692 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3693 &written)))
3694 goto end;
3695 ERR_clear_error();
3696 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3697 &readbytes),
3698 SSL_READ_EARLY_DATA_ERROR))
3699 goto end;
3700 ERR_clear_error();
3701
3702 /* Client and server should be able to write/read normal data */
3703 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3704 || !TEST_size_t_eq(written, strlen(MSG5))
3705 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3706 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3707 goto end;
3708
3709 testresult = 1;
3710
3711 end:
3712 SSL_SESSION_free(sess);
3713 SSL_SESSION_free(clientpsk);
3714 SSL_SESSION_free(serverpsk);
3715 clientpsk = serverpsk = NULL;
3716 SSL_free(serverssl);
3717 SSL_free(clientssl);
3718 SSL_CTX_free(sctx);
3719 SSL_CTX_free(cctx);
3720 return testresult;
3721 }
3722
3723 static int allow_ed_cb_called = 0;
3724
3725 static int allow_early_data_cb(SSL *s, void *arg)
3726 {
3727 int *usecb = (int *)arg;
3728
3729 allow_ed_cb_called++;
3730
3731 if (*usecb == 1)
3732 return 0;
3733
3734 return 1;
3735 }
3736
3737 /*
3738 * idx == 0: Standard early_data setup
3739 * idx == 1: early_data setup using read_ahead
3740 * usecb == 0: Don't use a custom early data callback
3741 * usecb == 1: Use a custom early data callback and reject the early data
3742 * usecb == 2: Use a custom early data callback and accept the early data
3743 * confopt == 0: Configure anti-replay directly
3744 * confopt == 1: Configure anti-replay using SSL_CONF
3745 */
3746 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3747 {
3748 SSL_CTX *cctx = NULL, *sctx = NULL;
3749 SSL *clientssl = NULL, *serverssl = NULL;
3750 int testresult = 0;
3751 SSL_SESSION *sess = NULL;
3752 size_t readbytes, written;
3753 unsigned char buf[20];
3754
3755 allow_ed_cb_called = 0;
3756
3757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3758 TLS_client_method(), TLS1_VERSION, 0,
3759 &sctx, &cctx, cert, privkey)))
3760 return 0;
3761
3762 if (usecb > 0) {
3763 if (confopt == 0) {
3764 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3765 } else {
3766 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3767
3768 if (!TEST_ptr(confctx))
3769 goto end;
3770 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3771 | SSL_CONF_FLAG_SERVER);
3772 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3773 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3774 2)) {
3775 SSL_CONF_CTX_free(confctx);
3776 goto end;
3777 }
3778 SSL_CONF_CTX_free(confctx);
3779 }
3780 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3781 }
3782
3783 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3784 &serverssl, &sess, idx,
3785 SHA384_DIGEST_LENGTH)))
3786 goto end;
3787
3788 /*
3789 * The server is configured to accept early data. Create a connection to
3790 * "use up" the ticket
3791 */
3792 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3793 || !TEST_true(SSL_session_reused(clientssl)))
3794 goto end;
3795
3796 SSL_shutdown(clientssl);
3797 SSL_shutdown(serverssl);
3798 SSL_free(serverssl);
3799 SSL_free(clientssl);
3800 serverssl = clientssl = NULL;
3801
3802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3803 &clientssl, NULL, NULL))
3804 || !TEST_true(SSL_set_session(clientssl, sess)))
3805 goto end;
3806
3807 /* Write and read some early data */
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3809 &written))
3810 || !TEST_size_t_eq(written, strlen(MSG1)))
3811 goto end;
3812
3813 if (usecb <= 1) {
3814 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3815 &readbytes),
3816 SSL_READ_EARLY_DATA_FINISH)
3817 /*
3818 * The ticket was reused, so the we should have rejected the
3819 * early data
3820 */
3821 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3822 SSL_EARLY_DATA_REJECTED))
3823 goto end;
3824 } else {
3825 /* In this case the callback decides to accept the early data */
3826 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3827 &readbytes),
3828 SSL_READ_EARLY_DATA_SUCCESS)
3829 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3830 /*
3831 * Server will have sent its flight so client can now send
3832 * end of early data and complete its half of the handshake
3833 */
3834 || !TEST_int_gt(SSL_connect(clientssl), 0)
3835 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3836 &readbytes),
3837 SSL_READ_EARLY_DATA_FINISH)
3838 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3839 SSL_EARLY_DATA_ACCEPTED))
3840 goto end;
3841 }
3842
3843 /* Complete the connection */
3844 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3845 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3846 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3847 goto end;
3848
3849 testresult = 1;
3850
3851 end:
3852 SSL_SESSION_free(sess);
3853 SSL_SESSION_free(clientpsk);
3854 SSL_SESSION_free(serverpsk);
3855 clientpsk = serverpsk = NULL;
3856 SSL_free(serverssl);
3857 SSL_free(clientssl);
3858 SSL_CTX_free(sctx);
3859 SSL_CTX_free(cctx);
3860 return testresult;
3861 }
3862
3863 static int test_early_data_replay(int idx)
3864 {
3865 int ret = 1, usecb, confopt;
3866
3867 for (usecb = 0; usecb < 3; usecb++) {
3868 for (confopt = 0; confopt < 2; confopt++)
3869 ret &= test_early_data_replay_int(idx, usecb, confopt);
3870 }
3871
3872 return ret;
3873 }
3874
3875 static const char *ciphersuites[] = {
3876 "TLS_AES_128_CCM_8_SHA256",
3877 "TLS_AES_128_GCM_SHA256",
3878 "TLS_AES_256_GCM_SHA384",
3879 "TLS_AES_128_CCM_SHA256",
3880 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3881 "TLS_CHACHA20_POLY1305_SHA256"
3882 #endif
3883 };
3884
3885 /*
3886 * Helper function to test that a server attempting to read early data can
3887 * handle a connection from a client where the early data should be skipped.
3888 * testtype: 0 == No HRR
3889 * testtype: 1 == HRR
3890 * testtype: 2 == HRR, invalid early_data sent after HRR
3891 * testtype: 3 == recv_max_early_data set to 0
3892 */
3893 static int early_data_skip_helper(int testtype, int cipher, int idx)
3894 {
3895 SSL_CTX *cctx = NULL, *sctx = NULL;
3896 SSL *clientssl = NULL, *serverssl = NULL;
3897 int testresult = 0;
3898 SSL_SESSION *sess = NULL;
3899 unsigned char buf[20];
3900 size_t readbytes, written;
3901
3902 if (is_fips && cipher == 4)
3903 return 1;
3904
3905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3906 TLS_client_method(),
3907 TLS1_VERSION, 0,
3908 &sctx, &cctx, cert, privkey)))
3909 goto end;
3910
3911 if (cipher == 0) {
3912 SSL_CTX_set_security_level(sctx, 0);
3913 SSL_CTX_set_security_level(cctx, 0);
3914 }
3915
3916 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3917 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3918 goto end;
3919
3920 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3921 &serverssl, &sess, idx,
3922 cipher == 2 ? SHA384_DIGEST_LENGTH
3923 : SHA256_DIGEST_LENGTH)))
3924 goto end;
3925
3926 if (testtype == 1 || testtype == 2) {
3927 /* Force an HRR to occur */
3928 #if defined(OPENSSL_NO_EC)
3929 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3930 goto end;
3931 #else
3932 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3933 goto end;
3934 #endif
3935 } else if (idx == 2) {
3936 /*
3937 * We force early_data rejection by ensuring the PSK identity is
3938 * unrecognised
3939 */
3940 srvid = "Dummy Identity";
3941 } else {
3942 /*
3943 * Deliberately corrupt the creation time. We take 20 seconds off the
3944 * time. It could be any value as long as it is not within tolerance.
3945 * This should mean the ticket is rejected.
3946 */
3947 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3948 goto end;
3949 }
3950
3951 if (testtype == 3
3952 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3953 goto end;
3954
3955 /* Write some early data */
3956 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3957 &written))
3958 || !TEST_size_t_eq(written, strlen(MSG1)))
3959 goto end;
3960
3961 /* Server should reject the early data */
3962 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3963 &readbytes),
3964 SSL_READ_EARLY_DATA_FINISH)
3965 || !TEST_size_t_eq(readbytes, 0)
3966 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3967 SSL_EARLY_DATA_REJECTED))
3968 goto end;
3969
3970 switch (testtype) {
3971 case 0:
3972 /* Nothing to do */
3973 break;
3974
3975 case 1:
3976 /*
3977 * Finish off the handshake. We perform the same writes and reads as
3978 * further down but we expect them to fail due to the incomplete
3979 * handshake.
3980 */
3981 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3982 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3983 &readbytes)))
3984 goto end;
3985 break;
3986
3987 case 2:
3988 {
3989 BIO *wbio = SSL_get_wbio(clientssl);
3990 /* A record that will appear as bad early_data */
3991 const unsigned char bad_early_data[] = {
3992 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3993 };
3994
3995 /*
3996 * We force the client to attempt a write. This will fail because
3997 * we're still in the handshake. It will cause the second
3998 * ClientHello to be sent.
3999 */
4000 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4001 &written)))
4002 goto end;
4003
4004 /*
4005 * Inject some early_data after the second ClientHello. This should
4006 * cause the server to fail
4007 */
4008 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4009 sizeof(bad_early_data), &written)))
4010 goto end;
4011 }
4012 /* fallthrough */
4013
4014 case 3:
4015 /*
4016 * This client has sent more early_data than we are willing to skip
4017 * (case 3) or sent invalid early_data (case 2) so the connection should
4018 * abort.
4019 */
4020 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4021 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4022 goto end;
4023
4024 /* Connection has failed - nothing more to do */
4025 testresult = 1;
4026 goto end;
4027
4028 default:
4029 TEST_error("Invalid test type");
4030 goto end;
4031 }
4032
4033 ERR_clear_error();
4034 /*
4035 * Should be able to send normal data despite rejection of early data. The
4036 * early_data should be skipped.
4037 */
4038 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4039 || !TEST_size_t_eq(written, strlen(MSG2))
4040 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4041 SSL_EARLY_DATA_REJECTED)
4042 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4043 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4044 goto end;
4045
4046 /*
4047 * Failure to decrypt early data records should not leave spurious errors
4048 * on the error stack
4049 */
4050 if (!TEST_long_eq(ERR_peek_error(), 0))
4051 goto end;
4052
4053 testresult = 1;
4054
4055 end:
4056 SSL_SESSION_free(clientpsk);
4057 SSL_SESSION_free(serverpsk);
4058 clientpsk = serverpsk = NULL;
4059 SSL_SESSION_free(sess);
4060 SSL_free(serverssl);
4061 SSL_free(clientssl);
4062 SSL_CTX_free(sctx);
4063 SSL_CTX_free(cctx);
4064 return testresult;
4065 }
4066
4067 /*
4068 * Test that a server attempting to read early data can handle a connection
4069 * from a client where the early data is not acceptable.
4070 */
4071 static int test_early_data_skip(int idx)
4072 {
4073 return early_data_skip_helper(0,
4074 idx % OSSL_NELEM(ciphersuites),
4075 idx / OSSL_NELEM(ciphersuites));
4076 }
4077
4078 /*
4079 * Test that a server attempting to read early data can handle a connection
4080 * from a client where an HRR occurs.
4081 */
4082 static int test_early_data_skip_hrr(int idx)
4083 {
4084 return early_data_skip_helper(1,
4085 idx % OSSL_NELEM(ciphersuites),
4086 idx / OSSL_NELEM(ciphersuites));
4087 }
4088
4089 /*
4090 * Test that a server attempting to read early data can handle a connection
4091 * from a client where an HRR occurs and correctly fails if early_data is sent
4092 * after the HRR
4093 */
4094 static int test_early_data_skip_hrr_fail(int idx)
4095 {
4096 return early_data_skip_helper(2,
4097 idx % OSSL_NELEM(ciphersuites),
4098 idx / OSSL_NELEM(ciphersuites));
4099 }
4100
4101 /*
4102 * Test that a server attempting to read early data will abort if it tries to
4103 * skip over too much.
4104 */
4105 static int test_early_data_skip_abort(int idx)
4106 {
4107 return early_data_skip_helper(3,
4108 idx % OSSL_NELEM(ciphersuites),
4109 idx / OSSL_NELEM(ciphersuites));
4110 }
4111
4112 /*
4113 * Test that a server attempting to read early data can handle a connection
4114 * from a client that doesn't send any.
4115 */
4116 static int test_early_data_not_sent(int idx)
4117 {
4118 SSL_CTX *cctx = NULL, *sctx = NULL;
4119 SSL *clientssl = NULL, *serverssl = NULL;
4120 int testresult = 0;
4121 SSL_SESSION *sess = NULL;
4122 unsigned char buf[20];
4123 size_t readbytes, written;
4124
4125 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4126 &serverssl, &sess, idx,
4127 SHA384_DIGEST_LENGTH)))
4128 goto end;
4129
4130 /* Write some data - should block due to handshake with server */
4131 SSL_set_connect_state(clientssl);
4132 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4133 goto end;
4134
4135 /* Server should detect that early data has not been sent */
4136 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4137 &readbytes),
4138 SSL_READ_EARLY_DATA_FINISH)
4139 || !TEST_size_t_eq(readbytes, 0)
4140 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4141 SSL_EARLY_DATA_NOT_SENT)
4142 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4143 SSL_EARLY_DATA_NOT_SENT))
4144 goto end;
4145
4146 /* Continue writing the message we started earlier */
4147 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4148 || !TEST_size_t_eq(written, strlen(MSG1))
4149 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4150 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4151 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4152 || !TEST_size_t_eq(written, strlen(MSG2)))
4153 goto end;
4154
4155 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4156 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4157 goto end;
4158
4159 testresult = 1;
4160
4161 end:
4162 SSL_SESSION_free(sess);
4163 SSL_SESSION_free(clientpsk);
4164 SSL_SESSION_free(serverpsk);
4165 clientpsk = serverpsk = NULL;
4166 SSL_free(serverssl);
4167 SSL_free(clientssl);
4168 SSL_CTX_free(sctx);
4169 SSL_CTX_free(cctx);
4170 return testresult;
4171 }
4172
4173 static const char *servalpn;
4174
4175 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4176 unsigned char *outlen, const unsigned char *in,
4177 unsigned int inlen, void *arg)
4178 {
4179 unsigned int protlen = 0;
4180 const unsigned char *prot;
4181
4182 for (prot = in; prot < in + inlen; prot += protlen) {
4183 protlen = *prot++;
4184 if (in + inlen < prot + protlen)
4185 return SSL_TLSEXT_ERR_NOACK;
4186
4187 if (protlen == strlen(servalpn)
4188 && memcmp(prot, servalpn, protlen) == 0) {
4189 *out = prot;
4190 *outlen = protlen;
4191 return SSL_TLSEXT_ERR_OK;
4192 }
4193 }
4194
4195 return SSL_TLSEXT_ERR_NOACK;
4196 }
4197
4198 /* Test that a PSK can be used to send early_data */
4199 static int test_early_data_psk(int idx)
4200 {
4201 SSL_CTX *cctx = NULL, *sctx = NULL;
4202 SSL *clientssl = NULL, *serverssl = NULL;
4203 int testresult = 0;
4204 SSL_SESSION *sess = NULL;
4205 unsigned char alpnlist[] = {
4206 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4207 'l', 'p', 'n'
4208 };
4209 #define GOODALPNLEN 9
4210 #define BADALPNLEN 8
4211 #define GOODALPN (alpnlist)
4212 #define BADALPN (alpnlist + GOODALPNLEN)
4213 int err = 0;
4214 unsigned char buf[20];
4215 size_t readbytes, written;
4216 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4217 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4218
4219 /* We always set this up with a final parameter of "2" for PSK */
4220 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4221 &serverssl, &sess, 2,
4222 SHA384_DIGEST_LENGTH)))
4223 goto end;
4224
4225 servalpn = "goodalpn";
4226
4227 /*
4228 * Note: There is no test for inconsistent SNI with late client detection.
4229 * This is because servers do not acknowledge SNI even if they are using
4230 * it in a resumption handshake - so it is not actually possible for a
4231 * client to detect a problem.
4232 */
4233 switch (idx) {
4234 case 0:
4235 /* Set inconsistent SNI (early client detection) */
4236 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4237 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4238 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4239 goto end;
4240 break;
4241
4242 case 1:
4243 /* Set inconsistent ALPN (early client detection) */
4244 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4245 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4246 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4247 GOODALPNLEN))
4248 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4249 BADALPNLEN)))
4250 goto end;
4251 break;
4252
4253 case 2:
4254 /*
4255 * Set invalid protocol version. Technically this affects PSKs without
4256 * early_data too, but we test it here because it is similar to the
4257 * SNI/ALPN consistency tests.
4258 */
4259 err = SSL_R_BAD_PSK;
4260 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4261 goto end;
4262 break;
4263
4264 case 3:
4265 /*
4266 * Set inconsistent SNI (server side). In this case the connection
4267 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4268 * is associated with each handshake - not the session. Therefore it
4269 * should not matter that we used a different server name last time.
4270 */
4271 SSL_SESSION_free(serverpsk);
4272 serverpsk = SSL_SESSION_dup(clientpsk);
4273 if (!TEST_ptr(serverpsk)
4274 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4275 goto end;
4276 /* Fall through */
4277 case 4:
4278 /* Set consistent SNI */
4279 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4280 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4281 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4282 hostname_cb)))
4283 goto end;
4284 break;
4285
4286 case 5:
4287 /*
4288 * Set inconsistent ALPN (server detected). In this case the connection
4289 * will succeed but reject early_data.
4290 */
4291 servalpn = "badalpn";
4292 edstatus = SSL_EARLY_DATA_REJECTED;
4293 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4294 /* Fall through */
4295 case 6:
4296 /*
4297 * Set consistent ALPN.
4298 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4299 * accepts a list of protos (each one length prefixed).
4300 * SSL_set1_alpn_selected accepts a single protocol (not length
4301 * prefixed)
4302 */
4303 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4304 GOODALPNLEN - 1))
4305 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4306 GOODALPNLEN)))
4307 goto end;
4308
4309 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4310 break;
4311
4312 case 7:
4313 /* Set inconsistent ALPN (late client detection) */
4314 SSL_SESSION_free(serverpsk);
4315 serverpsk = SSL_SESSION_dup(clientpsk);
4316 if (!TEST_ptr(serverpsk)
4317 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4318 BADALPN + 1,
4319 BADALPNLEN - 1))
4320 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4321 GOODALPN + 1,
4322 GOODALPNLEN - 1))
4323 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4324 sizeof(alpnlist))))
4325 goto end;
4326 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4327 edstatus = SSL_EARLY_DATA_ACCEPTED;
4328 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4329 /* SSL_connect() call should fail */
4330 connectres = -1;
4331 break;
4332
4333 default:
4334 TEST_error("Bad test index");
4335 goto end;
4336 }
4337
4338 SSL_set_connect_state(clientssl);
4339 if (err != 0) {
4340 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4341 &written))
4342 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4343 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4344 goto end;
4345 } else {
4346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4347 &written)))
4348 goto end;
4349
4350 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4351 &readbytes), readearlyres)
4352 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4353 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4354 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4355 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4356 goto end;
4357 }
4358
4359 testresult = 1;
4360
4361 end:
4362 SSL_SESSION_free(sess);
4363 SSL_SESSION_free(clientpsk);
4364 SSL_SESSION_free(serverpsk);
4365 clientpsk = serverpsk = NULL;
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 SSL_CTX_free(sctx);
4369 SSL_CTX_free(cctx);
4370 return testresult;
4371 }
4372
4373 /*
4374 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4375 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4376 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4377 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4378 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4379 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4380 */
4381 static int test_early_data_psk_with_all_ciphers(int idx)
4382 {
4383 SSL_CTX *cctx = NULL, *sctx = NULL;
4384 SSL *clientssl = NULL, *serverssl = NULL;
4385 int testresult = 0;
4386 SSL_SESSION *sess = NULL;
4387 unsigned char buf[20];
4388 size_t readbytes, written;
4389 const SSL_CIPHER *cipher;
4390 const char *cipher_str[] = {
4391 TLS1_3_RFC_AES_128_GCM_SHA256,
4392 TLS1_3_RFC_AES_256_GCM_SHA384,
4393 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4394 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4395 # else
4396 NULL,
4397 # endif
4398 TLS1_3_RFC_AES_128_CCM_SHA256,
4399 TLS1_3_RFC_AES_128_CCM_8_SHA256
4400 };
4401 const unsigned char *cipher_bytes[] = {
4402 TLS13_AES_128_GCM_SHA256_BYTES,
4403 TLS13_AES_256_GCM_SHA384_BYTES,
4404 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4405 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4406 # else
4407 NULL,
4408 # endif
4409 TLS13_AES_128_CCM_SHA256_BYTES,
4410 TLS13_AES_128_CCM_8_SHA256_BYTES
4411 };
4412
4413 if (cipher_str[idx] == NULL)
4414 return 1;
4415 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4416 if (idx == 2 && is_fips == 1)
4417 return 1;
4418
4419 /* We always set this up with a final parameter of "2" for PSK */
4420 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4421 &serverssl, &sess, 2,
4422 SHA384_DIGEST_LENGTH)))
4423 goto end;
4424
4425 if (idx == 4) {
4426 /* CCM8 ciphers are considered low security due to their short tag */
4427 SSL_set_security_level(clientssl, 0);
4428 SSL_set_security_level(serverssl, 0);
4429 }
4430
4431 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4432 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4433 goto end;
4434
4435 /*
4436 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4437 * and assigns to both client and server with incremented reference
4438 * and the same instance is updated in 'sess'.
4439 * So updating ciphersuite in 'sess' which will get reflected in
4440 * PSK handshake using psk use sess and find sess cb.
4441 */
4442 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4443 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4444 goto end;
4445
4446 SSL_set_connect_state(clientssl);
4447 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4448 &written)))
4449 goto end;
4450
4451 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4452 &readbytes),
4453 SSL_READ_EARLY_DATA_SUCCESS)
4454 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4456 SSL_EARLY_DATA_ACCEPTED)
4457 || !TEST_int_eq(SSL_connect(clientssl), 1)
4458 || !TEST_int_eq(SSL_accept(serverssl), 1))
4459 goto end;
4460
4461 /* Send some normal data from client to server */
4462 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4463 || !TEST_size_t_eq(written, strlen(MSG2)))
4464 goto end;
4465
4466 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4467 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4468 goto end;
4469
4470 testresult = 1;
4471 end:
4472 SSL_SESSION_free(sess);
4473 SSL_SESSION_free(clientpsk);
4474 SSL_SESSION_free(serverpsk);
4475 clientpsk = serverpsk = NULL;
4476 if (clientssl != NULL)
4477 SSL_shutdown(clientssl);
4478 if (serverssl != NULL)
4479 SSL_shutdown(serverssl);
4480 SSL_free(serverssl);
4481 SSL_free(clientssl);
4482 SSL_CTX_free(sctx);
4483 SSL_CTX_free(cctx);
4484 return testresult;
4485 }
4486
4487 /*
4488 * Test that a server that doesn't try to read early data can handle a
4489 * client sending some.
4490 */
4491 static int test_early_data_not_expected(int idx)
4492 {
4493 SSL_CTX *cctx = NULL, *sctx = NULL;
4494 SSL *clientssl = NULL, *serverssl = NULL;
4495 int testresult = 0;
4496 SSL_SESSION *sess = NULL;
4497 unsigned char buf[20];
4498 size_t readbytes, written;
4499
4500 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4501 &serverssl, &sess, idx,
4502 SHA384_DIGEST_LENGTH)))
4503 goto end;
4504
4505 /* Write some early data */
4506 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4507 &written)))
4508 goto end;
4509
4510 /*
4511 * Server should skip over early data and then block waiting for client to
4512 * continue handshake
4513 */
4514 if (!TEST_int_le(SSL_accept(serverssl), 0)
4515 || !TEST_int_gt(SSL_connect(clientssl), 0)
4516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4517 SSL_EARLY_DATA_REJECTED)
4518 || !TEST_int_gt(SSL_accept(serverssl), 0)
4519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4520 SSL_EARLY_DATA_REJECTED))
4521 goto end;
4522
4523 /* Send some normal data from client to server */
4524 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4525 || !TEST_size_t_eq(written, strlen(MSG2)))
4526 goto end;
4527
4528 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4529 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4530 goto end;
4531
4532 testresult = 1;
4533
4534 end:
4535 SSL_SESSION_free(sess);
4536 SSL_SESSION_free(clientpsk);
4537 SSL_SESSION_free(serverpsk);
4538 clientpsk = serverpsk = NULL;
4539 SSL_free(serverssl);
4540 SSL_free(clientssl);
4541 SSL_CTX_free(sctx);
4542 SSL_CTX_free(cctx);
4543 return testresult;
4544 }
4545
4546
4547 # ifndef OPENSSL_NO_TLS1_2
4548 /*
4549 * Test that a server attempting to read early data can handle a connection
4550 * from a TLSv1.2 client.
4551 */
4552 static int test_early_data_tls1_2(int idx)
4553 {
4554 SSL_CTX *cctx = NULL, *sctx = NULL;
4555 SSL *clientssl = NULL, *serverssl = NULL;
4556 int testresult = 0;
4557 unsigned char buf[20];
4558 size_t readbytes, written;
4559
4560 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4561 &serverssl, NULL, idx,
4562 SHA384_DIGEST_LENGTH)))
4563 goto end;
4564
4565 /* Write some data - should block due to handshake with server */
4566 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4567 SSL_set_connect_state(clientssl);
4568 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4569 goto end;
4570
4571 /*
4572 * Server should do TLSv1.2 handshake. First it will block waiting for more
4573 * messages from client after ServerDone. Then SSL_read_early_data should
4574 * finish and detect that early data has not been sent
4575 */
4576 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4577 &readbytes),
4578 SSL_READ_EARLY_DATA_ERROR))
4579 goto end;
4580
4581 /*
4582 * Continue writing the message we started earlier. Will still block waiting
4583 * for the CCS/Finished from server
4584 */
4585 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4586 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4587 &readbytes),
4588 SSL_READ_EARLY_DATA_FINISH)
4589 || !TEST_size_t_eq(readbytes, 0)
4590 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4591 SSL_EARLY_DATA_NOT_SENT))
4592 goto end;
4593
4594 /* Continue writing the message we started earlier */
4595 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4596 || !TEST_size_t_eq(written, strlen(MSG1))
4597 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4598 SSL_EARLY_DATA_NOT_SENT)
4599 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4600 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4601 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4602 || !TEST_size_t_eq(written, strlen(MSG2))
4603 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4604 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4605 goto end;
4606
4607 testresult = 1;
4608
4609 end:
4610 SSL_SESSION_free(clientpsk);
4611 SSL_SESSION_free(serverpsk);
4612 clientpsk = serverpsk = NULL;
4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4615 SSL_CTX_free(sctx);
4616 SSL_CTX_free(cctx);
4617
4618 return testresult;
4619 }
4620 # endif /* OPENSSL_NO_TLS1_2 */
4621
4622 /*
4623 * Test configuring the TLSv1.3 ciphersuites
4624 *
4625 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4626 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4627 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4628 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4629 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4630 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4631 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4632 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4633 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4634 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4635 */
4636 static int test_set_ciphersuite(int idx)
4637 {
4638 SSL_CTX *cctx = NULL, *sctx = NULL;
4639 SSL *clientssl = NULL, *serverssl = NULL;
4640 int testresult = 0;
4641
4642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4643 TLS_client_method(), TLS1_VERSION, 0,
4644 &sctx, &cctx, cert, privkey))
4645 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4646 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4647 goto end;
4648
4649 if (idx >=4 && idx <= 7) {
4650 /* SSL_CTX explicit cipher list */
4651 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4652 goto end;
4653 }
4654
4655 if (idx == 0 || idx == 4) {
4656 /* Default ciphersuite */
4657 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4658 "TLS_AES_128_GCM_SHA256")))
4659 goto end;
4660 } else if (idx == 1 || idx == 5) {
4661 /* Non default ciphersuite */
4662 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4663 "TLS_AES_128_CCM_SHA256")))
4664 goto end;
4665 }
4666
4667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4668 &clientssl, NULL, NULL)))
4669 goto end;
4670
4671 if (idx == 8 || idx == 9) {
4672 /* SSL explicit cipher list */
4673 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4674 goto end;
4675 }
4676
4677 if (idx == 2 || idx == 6 || idx == 8) {
4678 /* Default ciphersuite */
4679 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4680 "TLS_AES_128_GCM_SHA256")))
4681 goto end;
4682 } else if (idx == 3 || idx == 7 || idx == 9) {
4683 /* Non default ciphersuite */
4684 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4685 "TLS_AES_128_CCM_SHA256")))
4686 goto end;
4687 }
4688
4689 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4690 goto end;
4691
4692 testresult = 1;
4693
4694 end:
4695 SSL_free(serverssl);
4696 SSL_free(clientssl);
4697 SSL_CTX_free(sctx);
4698 SSL_CTX_free(cctx);
4699
4700 return testresult;
4701 }
4702
4703 static int test_ciphersuite_change(void)
4704 {
4705 SSL_CTX *cctx = NULL, *sctx = NULL;
4706 SSL *clientssl = NULL, *serverssl = NULL;
4707 SSL_SESSION *clntsess = NULL;
4708 int testresult = 0;
4709 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4710
4711 /* Create a session based on SHA-256 */
4712 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4713 TLS_client_method(), TLS1_VERSION, 0,
4714 &sctx, &cctx, cert, privkey))
4715 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4716 "TLS_AES_128_GCM_SHA256:"
4717 "TLS_AES_256_GCM_SHA384:"
4718 "TLS_AES_128_CCM_SHA256"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4720 "TLS_AES_128_GCM_SHA256")))
4721 goto end;
4722
4723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4724 NULL, NULL))
4725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4726 SSL_ERROR_NONE)))
4727 goto end;
4728
4729 clntsess = SSL_get1_session(clientssl);
4730 /* Save for later */
4731 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4732 SSL_shutdown(clientssl);
4733 SSL_shutdown(serverssl);
4734 SSL_free(serverssl);
4735 SSL_free(clientssl);
4736 serverssl = clientssl = NULL;
4737
4738 /* Check we can resume a session with a different SHA-256 ciphersuite */
4739 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4740 "TLS_AES_128_CCM_SHA256"))
4741 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4742 &clientssl, NULL, NULL))
4743 || !TEST_true(SSL_set_session(clientssl, clntsess))
4744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4745 SSL_ERROR_NONE))
4746 || !TEST_true(SSL_session_reused(clientssl)))
4747 goto end;
4748
4749 SSL_SESSION_free(clntsess);
4750 clntsess = SSL_get1_session(clientssl);
4751 SSL_shutdown(clientssl);
4752 SSL_shutdown(serverssl);
4753 SSL_free(serverssl);
4754 SSL_free(clientssl);
4755 serverssl = clientssl = NULL;
4756
4757 /*
4758 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4759 * succeeds but does not resume.
4760 */
4761 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4762 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4763 NULL, NULL))
4764 || !TEST_true(SSL_set_session(clientssl, clntsess))
4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4766 SSL_ERROR_SSL))
4767 || !TEST_false(SSL_session_reused(clientssl)))
4768 goto end;
4769
4770 SSL_SESSION_free(clntsess);
4771 clntsess = NULL;
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4777
4778 /* Create a session based on SHA384 */
4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4780 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4781 &clientssl, NULL, NULL))
4782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4783 SSL_ERROR_NONE)))
4784 goto end;
4785
4786 clntsess = SSL_get1_session(clientssl);
4787 SSL_shutdown(clientssl);
4788 SSL_shutdown(serverssl);
4789 SSL_free(serverssl);
4790 SSL_free(clientssl);
4791 serverssl = clientssl = NULL;
4792
4793 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4794 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4795 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4796 "TLS_AES_256_GCM_SHA384"))
4797 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4798 NULL, NULL))
4799 || !TEST_true(SSL_set_session(clientssl, clntsess))
4800 /*
4801 * We use SSL_ERROR_WANT_READ below so that we can pause the
4802 * connection after the initial ClientHello has been sent to
4803 * enable us to make some session changes.
4804 */
4805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4806 SSL_ERROR_WANT_READ)))
4807 goto end;
4808
4809 /* Trick the client into thinking this session is for a different digest */
4810 clntsess->cipher = aes_128_gcm_sha256;
4811 clntsess->cipher_id = clntsess->cipher->id;
4812
4813 /*
4814 * Continue the previously started connection. Server has selected a SHA-384
4815 * ciphersuite, but client thinks the session is for SHA-256, so it should
4816 * bail out.
4817 */
4818 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4819 SSL_ERROR_SSL))
4820 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4821 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4822 goto end;
4823
4824 testresult = 1;
4825
4826 end:
4827 SSL_SESSION_free(clntsess);
4828 SSL_free(serverssl);
4829 SSL_free(clientssl);
4830 SSL_CTX_free(sctx);
4831 SSL_CTX_free(cctx);
4832
4833 return testresult;
4834 }
4835
4836 /*
4837 * Test TLSv1.3 Key exchange
4838 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4839 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4840 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4841 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4842 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4843 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4844 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4845 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4846 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4847 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4848 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4849 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4850 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4851 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4852 */
4853 # ifndef OPENSSL_NO_EC
4854 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4855 NID_secp521r1,
4856 # ifndef OPENSSL_NO_ECX
4857 NID_X25519, NID_X448
4858 # endif
4859 };
4860 # endif
4861 # ifndef OPENSSL_NO_DH
4862 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4863 NID_ffdhe6144, NID_ffdhe8192};
4864 # endif
4865 static int test_key_exchange(int idx)
4866 {
4867 SSL_CTX *sctx = NULL, *cctx = NULL;
4868 SSL *serverssl = NULL, *clientssl = NULL;
4869 int testresult = 0;
4870 int kexch_alg;
4871 int *kexch_groups = &kexch_alg;
4872 int kexch_groups_size = 1;
4873 int max_version = TLS1_3_VERSION;
4874 char *kexch_name0 = NULL;
4875
4876 switch (idx) {
4877 # ifndef OPENSSL_NO_EC
4878 # ifndef OPENSSL_NO_TLS1_2
4879 case 12:
4880 max_version = TLS1_2_VERSION;
4881 # endif
4882 /* Fall through */
4883 case 0:
4884 kexch_groups = ecdhe_kexch_groups;
4885 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4886 kexch_name0 = "secp256r1";
4887 break;
4888 case 1:
4889 kexch_alg = NID_X9_62_prime256v1;
4890 kexch_name0 = "secp256r1";
4891 break;
4892 case 2:
4893 kexch_alg = NID_secp384r1;
4894 kexch_name0 = "secp384r1";
4895 break;
4896 case 3:
4897 kexch_alg = NID_secp521r1;
4898 kexch_name0 = "secp521r1";
4899 break;
4900 # ifndef OPENSSL_NO_ECX
4901 case 4:
4902 kexch_alg = NID_X25519;
4903 kexch_name0 = "x25519";
4904 break;
4905 case 5:
4906 kexch_alg = NID_X448;
4907 kexch_name0 = "x448";
4908 break;
4909 # endif
4910 # endif
4911 # ifndef OPENSSL_NO_DH
4912 # ifndef OPENSSL_NO_TLS1_2
4913 case 13:
4914 max_version = TLS1_2_VERSION;
4915 kexch_name0 = "ffdhe2048";
4916 # endif
4917 /* Fall through */
4918 case 6:
4919 kexch_groups = ffdhe_kexch_groups;
4920 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4921 kexch_name0 = "ffdhe2048";
4922 break;
4923 case 7:
4924 kexch_alg = NID_ffdhe2048;
4925 kexch_name0 = "ffdhe2048";
4926 break;
4927 case 8:
4928 kexch_alg = NID_ffdhe3072;
4929 kexch_name0 = "ffdhe3072";
4930 break;
4931 case 9:
4932 kexch_alg = NID_ffdhe4096;
4933 kexch_name0 = "ffdhe4096";
4934 break;
4935 case 10:
4936 kexch_alg = NID_ffdhe6144;
4937 kexch_name0 = "ffdhe6144";
4938 break;
4939 case 11:
4940 kexch_alg = NID_ffdhe8192;
4941 kexch_name0 = "ffdhe8192";
4942 break;
4943 # endif
4944 default:
4945 /* We're skipping this test */
4946 return 1;
4947 }
4948
4949 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4950 TLS_client_method(), TLS1_VERSION,
4951 max_version, &sctx, &cctx, cert,
4952 privkey)))
4953 goto end;
4954
4955 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4956 TLS1_3_RFC_AES_128_GCM_SHA256)))
4957 goto end;
4958
4959 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4960 TLS1_3_RFC_AES_128_GCM_SHA256)))
4961 goto end;
4962
4963 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4964 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4965 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4966 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4967 goto end;
4968
4969 /*
4970 * Must include an EC ciphersuite so that we send supported groups in
4971 * TLSv1.2
4972 */
4973 # ifndef OPENSSL_NO_TLS1_2
4974 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4975 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4976 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4977 goto end;
4978 # endif
4979
4980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4981 NULL, NULL)))
4982 goto end;
4983
4984 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4985 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4986 goto end;
4987
4988 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4989 goto end;
4990
4991 /*
4992 * If Handshake succeeds the negotiated kexch alg should be the first one in
4993 * configured, except in the case of FFDHE groups (idx 13), which are
4994 * TLSv1.3 only so we expect no shared group to exist.
4995 */
4996 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4997 idx == 13 ? 0 : kexch_groups[0]))
4998 goto end;
4999
5000 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5001 kexch_name0))
5002 goto end;
5003
5004 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5005 if (idx != 13) {
5006 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5007 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5008 goto end;
5009 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5010 goto end;
5011 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5012 goto end;
5013 }
5014
5015 testresult = 1;
5016 end:
5017 SSL_free(serverssl);
5018 SSL_free(clientssl);
5019 SSL_CTX_free(sctx);
5020 SSL_CTX_free(cctx);
5021 return testresult;
5022 }
5023
5024 # if !defined(OPENSSL_NO_TLS1_2) \
5025 && !defined(OPENSSL_NO_EC) \
5026 && !defined(OPENSSL_NO_DH)
5027 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5028 int isecdhe, int idx)
5029 {
5030 int kexch_alg;
5031 int *kexch_groups = &kexch_alg;
5032 int numec, numff;
5033
5034 numec = OSSL_NELEM(ecdhe_kexch_groups);
5035 numff = OSSL_NELEM(ffdhe_kexch_groups);
5036 if (isecdhe)
5037 kexch_alg = ecdhe_kexch_groups[idx];
5038 else
5039 kexch_alg = ffdhe_kexch_groups[idx];
5040
5041 if (clientmulti) {
5042 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5043 return 0;
5044 if (isecdhe) {
5045 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5046 numec)))
5047 return 0;
5048 } else {
5049 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5050 numff)))
5051 return 0;
5052 }
5053 } else {
5054 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5055 return 0;
5056 if (isecdhe) {
5057 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5058 numec)))
5059 return 0;
5060 } else {
5061 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5062 numff)))
5063 return 0;
5064 }
5065 }
5066 return 1;
5067 }
5068
5069 /*-
5070 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5071 * Run through both the ECDHE and FFDHE group lists used in the previous
5072 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5073 * confirming the expected result; then perform a resumption handshake
5074 * while offering the same group list, and another resumption handshake
5075 * offering a different group list. The returned value should be the
5076 * negotiated group for the initial handshake; for TLS 1.3 resumption
5077 * handshakes the returned value will be negotiated on the resumption
5078 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5079 * be cached in the session from the original handshake, regardless of what
5080 * was offered in the resumption ClientHello.
5081 *
5082 * Using E for the number of EC groups and F for the number of FF groups:
5083 * E tests of ECDHE with TLS 1.3, server only has one group
5084 * F tests of FFDHE with TLS 1.3, server only has one group
5085 * E tests of ECDHE with TLS 1.2, server only has one group
5086 * F tests of FFDHE with TLS 1.2, server only has one group
5087 * E tests of ECDHE with TLS 1.3, client sends only one group
5088 * F tests of FFDHE with TLS 1.3, client sends only one group
5089 * E tests of ECDHE with TLS 1.2, client sends only one group
5090 * F tests of FFDHE with TLS 1.2, client sends only one group
5091 */
5092 static int test_negotiated_group(int idx)
5093 {
5094 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5095 int expectednid;
5096 SSL_CTX *sctx = NULL, *cctx = NULL;
5097 SSL *serverssl = NULL, *clientssl = NULL;
5098 SSL_SESSION *origsess = NULL;
5099 int testresult = 0;
5100 int kexch_alg;
5101 int max_version = TLS1_3_VERSION;
5102
5103 numec = OSSL_NELEM(ecdhe_kexch_groups);
5104 numff = OSSL_NELEM(ffdhe_kexch_groups);
5105 numgroups = numec + numff;
5106 clientmulti = (idx < 2 * numgroups);
5107 idx = idx % (2 * numgroups);
5108 istls13 = (idx < numgroups);
5109 idx = idx % numgroups;
5110 isecdhe = (idx < numec);
5111 if (!isecdhe)
5112 idx -= numec;
5113 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5114 if (isecdhe)
5115 kexch_alg = ecdhe_kexch_groups[idx];
5116 else
5117 kexch_alg = ffdhe_kexch_groups[idx];
5118 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5119 if (!istls13 && !isecdhe)
5120 expectednid = NID_undef;
5121 else
5122 expectednid = kexch_alg;
5123
5124 if (!istls13)
5125 max_version = TLS1_2_VERSION;
5126
5127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5128 TLS_client_method(), TLS1_VERSION,
5129 max_version, &sctx, &cctx, cert,
5130 privkey)))
5131 goto end;
5132
5133 /*
5134 * Force (EC)DHE ciphers for TLS 1.2.
5135 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5136 */
5137 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5138 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5139 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5140 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5141 goto end;
5142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5143 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5144 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5145 goto end;
5146
5147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5148 NULL, NULL)))
5149 goto end;
5150
5151 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5152 idx)))
5153 goto end;
5154
5155 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5156 goto end;
5157
5158 /* Initial handshake; always the configured one */
5159 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5160 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5161 goto end;
5162
5163 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5164 goto end;
5165
5166 SSL_shutdown(clientssl);
5167 SSL_shutdown(serverssl);
5168 SSL_free(serverssl);
5169 SSL_free(clientssl);
5170 serverssl = clientssl = NULL;
5171
5172 /* First resumption attempt; use the same config as initial handshake */
5173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5174 NULL, NULL))
5175 || !TEST_true(SSL_set_session(clientssl, origsess))
5176 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5177 isecdhe, idx)))
5178 goto end;
5179
5180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5181 || !TEST_true(SSL_session_reused(clientssl)))
5182 goto end;
5183
5184 /* Still had better agree, since nothing changed... */
5185 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5186 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5187 goto end;
5188
5189 SSL_shutdown(clientssl);
5190 SSL_shutdown(serverssl);
5191 SSL_free(serverssl);
5192 SSL_free(clientssl);
5193 serverssl = clientssl = NULL;
5194
5195 /*-
5196 * Second resumption attempt
5197 * The party that picks one group changes it, which we effectuate by
5198 * changing 'idx' and updating what we expect.
5199 */
5200 if (idx == 0)
5201 idx = 1;
5202 else
5203 idx--;
5204 if (istls13) {
5205 if (isecdhe)
5206 expectednid = ecdhe_kexch_groups[idx];
5207 else
5208 expectednid = ffdhe_kexch_groups[idx];
5209 /* Verify that we are changing what we expect. */
5210 if (!TEST_int_ne(expectednid, kexch_alg))
5211 goto end;
5212 } else {
5213 /* TLS 1.2 only supports named groups for ECDHE. */
5214 if (isecdhe)
5215 expectednid = kexch_alg;
5216 else
5217 expectednid = 0;
5218 }
5219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5220 NULL, NULL))
5221 || !TEST_true(SSL_set_session(clientssl, origsess))
5222 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5223 isecdhe, idx)))
5224 goto end;
5225
5226 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5227 || !TEST_true(SSL_session_reused(clientssl)))
5228 goto end;
5229
5230 /* Check that we get what we expected */
5231 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5232 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5233 goto end;
5234
5235 testresult = 1;
5236 end:
5237 SSL_free(serverssl);
5238 SSL_free(clientssl);
5239 SSL_CTX_free(sctx);
5240 SSL_CTX_free(cctx);
5241 SSL_SESSION_free(origsess);
5242 return testresult;
5243 }
5244 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5245
5246 /*
5247 * Test TLSv1.3 Cipher Suite
5248 * Test 0 = Set TLS1.3 cipher on context
5249 * Test 1 = Set TLS1.3 cipher on SSL
5250 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5251 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5252 */
5253 static int test_tls13_ciphersuite(int idx)
5254 {
5255 SSL_CTX *sctx = NULL, *cctx = NULL;
5256 SSL *serverssl = NULL, *clientssl = NULL;
5257 static const struct {
5258 const char *ciphername;
5259 int fipscapable;
5260 int low_security;
5261 } t13_ciphers[] = {
5262 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5263 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5264 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5265 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5266 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5267 { TLS1_3_RFC_AES_256_GCM_SHA384
5268 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5269 # endif
5270 /* CCM8 ciphers are considered low security due to their short tag */
5271 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5272 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5273 };
5274 const char *t13_cipher = NULL;
5275 const char *t12_cipher = NULL;
5276 const char *negotiated_scipher;
5277 const char *negotiated_ccipher;
5278 int set_at_ctx = 0;
5279 int set_at_ssl = 0;
5280 int testresult = 0;
5281 int max_ver;
5282 size_t i;
5283
5284 switch (idx) {
5285 case 0:
5286 set_at_ctx = 1;
5287 break;
5288 case 1:
5289 set_at_ssl = 1;
5290 break;
5291 case 2:
5292 set_at_ctx = 1;
5293 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5294 break;
5295 case 3:
5296 set_at_ssl = 1;
5297 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5298 break;
5299 }
5300
5301 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5302 # ifdef OPENSSL_NO_TLS1_2
5303 if (max_ver == TLS1_2_VERSION)
5304 continue;
5305 # endif
5306 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5307 if (is_fips && !t13_ciphers[i].fipscapable)
5308 continue;
5309 t13_cipher = t13_ciphers[i].ciphername;
5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5311 TLS_client_method(),
5312 TLS1_VERSION, max_ver,
5313 &sctx, &cctx, cert, privkey)))
5314 goto end;
5315
5316 if (t13_ciphers[i].low_security) {
5317 SSL_CTX_set_security_level(sctx, 0);
5318 SSL_CTX_set_security_level(cctx, 0);
5319 }
5320
5321 if (set_at_ctx) {
5322 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5323 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5324 goto end;
5325 if (t12_cipher != NULL) {
5326 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5327 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5328 t12_cipher)))
5329 goto end;
5330 }
5331 }
5332
5333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5334 &clientssl, NULL, NULL)))
5335 goto end;
5336
5337 if (set_at_ssl) {
5338 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5339 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5340 goto end;
5341 if (t12_cipher != NULL) {
5342 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5343 || !TEST_true(SSL_set_cipher_list(clientssl,
5344 t12_cipher)))
5345 goto end;
5346 }
5347 }
5348
5349 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5350 SSL_ERROR_NONE)))
5351 goto end;
5352
5353 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5354 serverssl));
5355 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5356 clientssl));
5357 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5358 goto end;
5359
5360 /*
5361 * TEST_strn_eq is used below because t13_cipher can contain
5362 * multiple ciphersuites
5363 */
5364 if (max_ver == TLS1_3_VERSION
5365 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5366 strlen(negotiated_scipher)))
5367 goto end;
5368
5369 # ifndef OPENSSL_NO_TLS1_2
5370 /* Below validation is not done when t12_cipher is NULL */
5371 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5372 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5373 goto end;
5374 # endif
5375
5376 SSL_free(serverssl);
5377 serverssl = NULL;
5378 SSL_free(clientssl);
5379 clientssl = NULL;
5380 SSL_CTX_free(sctx);
5381 sctx = NULL;
5382 SSL_CTX_free(cctx);
5383 cctx = NULL;
5384 }
5385 }
5386
5387 testresult = 1;
5388 end:
5389 SSL_free(serverssl);
5390 SSL_free(clientssl);
5391 SSL_CTX_free(sctx);
5392 SSL_CTX_free(cctx);
5393 return testresult;
5394 }
5395
5396 /*
5397 * Test TLSv1.3 PSKs
5398 * Test 0 = Test new style callbacks
5399 * Test 1 = Test both new and old style callbacks
5400 * Test 2 = Test old style callbacks
5401 * Test 3 = Test old style callbacks with no certificate
5402 */
5403 static int test_tls13_psk(int idx)
5404 {
5405 SSL_CTX *sctx = NULL, *cctx = NULL;
5406 SSL *serverssl = NULL, *clientssl = NULL;
5407 const SSL_CIPHER *cipher = NULL;
5408 const unsigned char key[] = {
5409 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5410 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5411 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5412 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5413 };
5414 int testresult = 0;
5415
5416 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5417 TLS_client_method(), TLS1_VERSION, 0,
5418 &sctx, &cctx, idx == 3 ? NULL : cert,
5419 idx == 3 ? NULL : privkey)))
5420 goto end;
5421
5422 if (idx != 3) {
5423 /*
5424 * We use a ciphersuite with SHA256 to ease testing old style PSK
5425 * callbacks which will always default to SHA256. This should not be
5426 * necessary if we have no cert/priv key. In that case the server should
5427 * prefer SHA256 automatically.
5428 */
5429 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5430 "TLS_AES_128_GCM_SHA256")))
5431 goto end;
5432 } else {
5433 /*
5434 * As noted above the server should prefer SHA256 automatically. However
5435 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5436 * code works even if we are testing with only the FIPS provider loaded.
5437 */
5438 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5439 "TLS_AES_256_GCM_SHA384:"
5440 "TLS_AES_128_GCM_SHA256")))
5441 goto end;
5442 }
5443
5444 /*
5445 * Test 0: New style callbacks only
5446 * Test 1: New and old style callbacks (only the new ones should be used)
5447 * Test 2: Old style callbacks only
5448 */
5449 if (idx == 0 || idx == 1) {
5450 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5451 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5452 }
5453 #ifndef OPENSSL_NO_PSK
5454 if (idx >= 1) {
5455 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5456 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5457 }
5458 #endif
5459 srvid = pskid;
5460 use_session_cb_cnt = 0;
5461 find_session_cb_cnt = 0;
5462 psk_client_cb_cnt = 0;
5463 psk_server_cb_cnt = 0;
5464
5465 if (idx != 3) {
5466 /*
5467 * Check we can create a connection if callback decides not to send a
5468 * PSK
5469 */
5470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5471 NULL, NULL))
5472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5473 SSL_ERROR_NONE))
5474 || !TEST_false(SSL_session_reused(clientssl))
5475 || !TEST_false(SSL_session_reused(serverssl)))
5476 goto end;
5477
5478 if (idx == 0 || idx == 1) {
5479 if (!TEST_true(use_session_cb_cnt == 1)
5480 || !TEST_true(find_session_cb_cnt == 0)
5481 /*
5482 * If no old style callback then below should be 0
5483 * otherwise 1
5484 */
5485 || !TEST_true(psk_client_cb_cnt == idx)
5486 || !TEST_true(psk_server_cb_cnt == 0))
5487 goto end;
5488 } else {
5489 if (!TEST_true(use_session_cb_cnt == 0)
5490 || !TEST_true(find_session_cb_cnt == 0)
5491 || !TEST_true(psk_client_cb_cnt == 1)
5492 || !TEST_true(psk_server_cb_cnt == 0))
5493 goto end;
5494 }
5495
5496 shutdown_ssl_connection(serverssl, clientssl);
5497 serverssl = clientssl = NULL;
5498 use_session_cb_cnt = psk_client_cb_cnt = 0;
5499 }
5500
5501 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5502 NULL, NULL)))
5503 goto end;
5504
5505 /* Create the PSK */
5506 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5507 clientpsk = SSL_SESSION_new();
5508 if (!TEST_ptr(clientpsk)
5509 || !TEST_ptr(cipher)
5510 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5511 sizeof(key)))
5512 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5513 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5514 TLS1_3_VERSION))
5515 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5516 goto end;
5517 serverpsk = clientpsk;
5518
5519 /* Check we can create a connection and the PSK is used */
5520 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5521 || !TEST_true(SSL_session_reused(clientssl))
5522 || !TEST_true(SSL_session_reused(serverssl)))
5523 goto end;
5524
5525 if (idx == 0 || idx == 1) {
5526 if (!TEST_true(use_session_cb_cnt == 1)
5527 || !TEST_true(find_session_cb_cnt == 1)
5528 || !TEST_true(psk_client_cb_cnt == 0)
5529 || !TEST_true(psk_server_cb_cnt == 0))
5530 goto end;
5531 } else {
5532 if (!TEST_true(use_session_cb_cnt == 0)
5533 || !TEST_true(find_session_cb_cnt == 0)
5534 || !TEST_true(psk_client_cb_cnt == 1)
5535 || !TEST_true(psk_server_cb_cnt == 1))
5536 goto end;
5537 }
5538
5539 shutdown_ssl_connection(serverssl, clientssl);
5540 serverssl = clientssl = NULL;
5541 use_session_cb_cnt = find_session_cb_cnt = 0;
5542 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5543
5544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5545 NULL, NULL)))
5546 goto end;
5547
5548 /* Force an HRR */
5549 #if defined(OPENSSL_NO_EC)
5550 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5551 goto end;
5552 #else
5553 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5554 goto end;
5555 #endif
5556
5557 /*
5558 * Check we can create a connection, the PSK is used and the callbacks are
5559 * called twice.
5560 */
5561 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5562 || !TEST_true(SSL_session_reused(clientssl))
5563 || !TEST_true(SSL_session_reused(serverssl)))
5564 goto end;
5565
5566 if (idx == 0 || idx == 1) {
5567 if (!TEST_true(use_session_cb_cnt == 2)
5568 || !TEST_true(find_session_cb_cnt == 2)
5569 || !TEST_true(psk_client_cb_cnt == 0)
5570 || !TEST_true(psk_server_cb_cnt == 0))
5571 goto end;
5572 } else {
5573 if (!TEST_true(use_session_cb_cnt == 0)
5574 || !TEST_true(find_session_cb_cnt == 0)
5575 || !TEST_true(psk_client_cb_cnt == 2)
5576 || !TEST_true(psk_server_cb_cnt == 2))
5577 goto end;
5578 }
5579
5580 shutdown_ssl_connection(serverssl, clientssl);
5581 serverssl = clientssl = NULL;
5582 use_session_cb_cnt = find_session_cb_cnt = 0;
5583 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5584
5585 if (idx != 3) {
5586 /*
5587 * Check that if the server rejects the PSK we can still connect, but with
5588 * a full handshake
5589 */
5590 srvid = "Dummy Identity";
5591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5592 NULL, NULL))
5593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5594 SSL_ERROR_NONE))
5595 || !TEST_false(SSL_session_reused(clientssl))
5596 || !TEST_false(SSL_session_reused(serverssl)))
5597 goto end;
5598
5599 if (idx == 0 || idx == 1) {
5600 if (!TEST_true(use_session_cb_cnt == 1)
5601 || !TEST_true(find_session_cb_cnt == 1)
5602 || !TEST_true(psk_client_cb_cnt == 0)
5603 /*
5604 * If no old style callback then below should be 0
5605 * otherwise 1
5606 */
5607 || !TEST_true(psk_server_cb_cnt == idx))
5608 goto end;
5609 } else {
5610 if (!TEST_true(use_session_cb_cnt == 0)
5611 || !TEST_true(find_session_cb_cnt == 0)
5612 || !TEST_true(psk_client_cb_cnt == 1)
5613 || !TEST_true(psk_server_cb_cnt == 1))
5614 goto end;
5615 }
5616
5617 shutdown_ssl_connection(serverssl, clientssl);
5618 serverssl = clientssl = NULL;
5619 }
5620 testresult = 1;
5621
5622 end:
5623 SSL_SESSION_free(clientpsk);
5624 SSL_SESSION_free(serverpsk);
5625 clientpsk = serverpsk = NULL;
5626 SSL_free(serverssl);
5627 SSL_free(clientssl);
5628 SSL_CTX_free(sctx);
5629 SSL_CTX_free(cctx);
5630 return testresult;
5631 }
5632
5633 #ifndef OSSL_NO_USABLE_TLS1_3
5634 /*
5635 * Test TLS1.3 connection establishment succeeds with various configurations of
5636 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5637 * The verification of whether the right KEX mode is chosen is not covered by
5638 * this test but by `test_tls13kexmodes`.
5639 *
5640 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5641 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5642 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5643 */
5644 static int test_tls13_no_dhe_kex(const int idx)
5645 {
5646 SSL_CTX *sctx = NULL, *cctx = NULL;
5647 SSL *serverssl = NULL, *clientssl = NULL;
5648 int testresult = 0;
5649 size_t j;
5650 SSL_SESSION *saved_session;
5651
5652 int server_allow_no_dhe = (idx & 1) != 0;
5653 int server_prefer_no_dhe = (idx & 2) != 0;
5654 int client_allow_no_dhe = (idx & 4) != 0;
5655
5656 uint64_t server_options = 0
5657 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5658 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5659
5660 uint64_t client_options = 0
5661 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5662
5663 new_called = 0;
5664 do_cache = 1;
5665
5666 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5667 TLS_client_method(), TLS1_3_VERSION, 0,
5668 &sctx, &cctx, cert, privkey)))
5669 goto end;
5670
5671 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5672 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5673
5674 SSL_CTX_set_options(sctx, server_options);
5675 SSL_CTX_set_options(cctx, client_options);
5676
5677 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5678
5679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5680 &clientssl, NULL, NULL)))
5681 goto end;
5682
5683 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5684 SSL_ERROR_NONE))
5685 /* Check we got the number of tickets we were expecting */
5686 || !TEST_int_eq(2, new_called))
5687 goto end;
5688
5689 /* We'll reuse the last ticket. */
5690 saved_session = sesscache[new_called - 1];
5691
5692 SSL_shutdown(clientssl);
5693 SSL_shutdown(serverssl);
5694 SSL_free(serverssl);
5695 SSL_free(clientssl);
5696 SSL_CTX_free(cctx);
5697 clientssl = serverssl = NULL;
5698 cctx = NULL;
5699
5700 /*
5701 * Now we resume with the last ticket we created.
5702 */
5703
5704 /* The server context already exists, so we only create the client. */
5705 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5706 TLS_client_method(), TLS1_3_VERSION, 0,
5707 NULL, &cctx, cert, privkey)))
5708 goto end;
5709
5710 SSL_CTX_set_options(cctx, client_options);
5711
5712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5713 &clientssl, NULL, NULL))
5714 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5715 goto end;
5716
5717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5718 SSL_ERROR_NONE)))
5719 goto end;
5720
5721 /*
5722 * Make sure, the session was resumed.
5723 */
5724 if (!TEST_true(SSL_session_reused(clientssl)))
5725 goto end;
5726
5727 SSL_shutdown(clientssl);
5728 SSL_shutdown(serverssl);
5729
5730 testresult = 1;
5731
5732 end:
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5735 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5736 SSL_SESSION_free(sesscache[j]);
5737 sesscache[j] = NULL;
5738 }
5739 SSL_CTX_free(sctx);
5740 SSL_CTX_free(cctx);
5741
5742 return testresult;
5743 }
5744 #endif /* OSSL_NO_USABLE_TLS1_3 */
5745
5746 static unsigned char cookie_magic_value[] = "cookie magic";
5747
5748 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5749 unsigned int *cookie_len)
5750 {
5751 /*
5752 * Not suitable as a real cookie generation function but good enough for
5753 * testing!
5754 */
5755 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5756 *cookie_len = sizeof(cookie_magic_value) - 1;
5757
5758 return 1;
5759 }
5760
5761 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5762 unsigned int cookie_len)
5763 {
5764 if (cookie_len == sizeof(cookie_magic_value) - 1
5765 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5766 return 1;
5767
5768 return 0;
5769 }
5770
5771 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5772 size_t *cookie_len)
5773 {
5774 unsigned int temp;
5775 int res = generate_cookie_callback(ssl, cookie, &temp);
5776 *cookie_len = temp;
5777 return res;
5778 }
5779
5780 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5781 size_t cookie_len)
5782 {
5783 return verify_cookie_callback(ssl, cookie, cookie_len);
5784 }
5785
5786 static int test_stateless(void)
5787 {
5788 SSL_CTX *sctx = NULL, *cctx = NULL;
5789 SSL *serverssl = NULL, *clientssl = NULL;
5790 int testresult = 0;
5791
5792 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5793 TLS_client_method(), TLS1_VERSION, 0,
5794 &sctx, &cctx, cert, privkey)))
5795 goto end;
5796
5797 /* The arrival of CCS messages can confuse the test */
5798 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5799
5800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5801 NULL, NULL))
5802 /* Send the first ClientHello */
5803 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5804 SSL_ERROR_WANT_READ))
5805 /*
5806 * This should fail with a -1 return because we have no callbacks
5807 * set up
5808 */
5809 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5810 goto end;
5811
5812 /* Fatal error so abandon the connection from this client */
5813 SSL_free(clientssl);
5814 clientssl = NULL;
5815
5816 /* Set up the cookie generation and verification callbacks */
5817 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5818 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5819
5820 /*
5821 * Create a new connection from the client (we can reuse the server SSL
5822 * object).
5823 */
5824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5825 NULL, NULL))
5826 /* Send the first ClientHello */
5827 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5828 SSL_ERROR_WANT_READ))
5829 /* This should fail because there is no cookie */
5830 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5831 goto end;
5832
5833 /* Abandon the connection from this client */
5834 SSL_free(clientssl);
5835 clientssl = NULL;
5836
5837 /*
5838 * Now create a connection from a new client but with the same server SSL
5839 * object
5840 */
5841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5842 NULL, NULL))
5843 /* Send the first ClientHello */
5844 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5845 SSL_ERROR_WANT_READ))
5846 /* This should fail because there is no cookie */
5847 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5848 /* Send the second ClientHello */
5849 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5850 SSL_ERROR_WANT_READ))
5851 /* This should succeed because a cookie is now present */
5852 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5853 /* Complete the connection */
5854 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5855 SSL_ERROR_NONE)))
5856 goto end;
5857
5858 shutdown_ssl_connection(serverssl, clientssl);
5859 serverssl = clientssl = NULL;
5860 testresult = 1;
5861
5862 end:
5863 SSL_free(serverssl);
5864 SSL_free(clientssl);
5865 SSL_CTX_free(sctx);
5866 SSL_CTX_free(cctx);
5867 return testresult;
5868
5869 }
5870 #endif /* OSSL_NO_USABLE_TLS1_3 */
5871
5872 static int clntaddoldcb = 0;
5873 static int clntparseoldcb = 0;
5874 static int srvaddoldcb = 0;
5875 static int srvparseoldcb = 0;
5876 static int clntaddnewcb = 0;
5877 static int clntparsenewcb = 0;
5878 static int srvaddnewcb = 0;
5879 static int srvparsenewcb = 0;
5880 static int snicb = 0;
5881
5882 #define TEST_EXT_TYPE1 0xff00
5883
5884 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5885 size_t *outlen, int *al, void *add_arg)
5886 {
5887 int *server = (int *)add_arg;
5888 unsigned char *data;
5889
5890 if (SSL_is_server(s))
5891 srvaddoldcb++;
5892 else
5893 clntaddoldcb++;
5894
5895 if (*server != SSL_is_server(s)
5896 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5897 return -1;
5898
5899 *data = 1;
5900 *out = data;
5901 *outlen = sizeof(char);
5902 return 1;
5903 }
5904
5905 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5906 void *add_arg)
5907 {
5908 OPENSSL_free((unsigned char *)out);
5909 }
5910
5911 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5912 size_t inlen, int *al, void *parse_arg)
5913 {
5914 int *server = (int *)parse_arg;
5915
5916 if (SSL_is_server(s))
5917 srvparseoldcb++;
5918 else
5919 clntparseoldcb++;
5920
5921 if (*server != SSL_is_server(s)
5922 || inlen != sizeof(char)
5923 || *in != 1)
5924 return -1;
5925
5926 return 1;
5927 }
5928
5929 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5930 const unsigned char **out, size_t *outlen, X509 *x,
5931 size_t chainidx, int *al, void *add_arg)
5932 {
5933 int *server = (int *)add_arg;
5934 unsigned char *data;
5935
5936 if (SSL_is_server(s))
5937 srvaddnewcb++;
5938 else
5939 clntaddnewcb++;
5940
5941 if (*server != SSL_is_server(s)
5942 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5943 return -1;
5944
5945 *data = 1;
5946 *out = data;
5947 *outlen = sizeof(*data);
5948 return 1;
5949 }
5950
5951 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5952 const unsigned char *out, void *add_arg)
5953 {
5954 OPENSSL_free((unsigned char *)out);
5955 }
5956
5957 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5958 const unsigned char *in, size_t inlen, X509 *x,
5959 size_t chainidx, int *al, void *parse_arg)
5960 {
5961 int *server = (int *)parse_arg;
5962
5963 if (SSL_is_server(s))
5964 srvparsenewcb++;
5965 else
5966 clntparsenewcb++;
5967
5968 if (*server != SSL_is_server(s)
5969 || inlen != sizeof(char) || *in != 1)
5970 return -1;
5971
5972 return 1;
5973 }
5974
5975 static int sni_cb(SSL *s, int *al, void *arg)
5976 {
5977 SSL_CTX *ctx = (SSL_CTX *)arg;
5978
5979 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5980 *al = SSL_AD_INTERNAL_ERROR;
5981 return SSL_TLSEXT_ERR_ALERT_FATAL;
5982 }
5983 snicb++;
5984 return SSL_TLSEXT_ERR_OK;
5985 }
5986
5987 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5988 {
5989 return 1;
5990 }
5991
5992 /*
5993 * Custom call back tests.
5994 * Test 0: Old style callbacks in TLSv1.2
5995 * Test 1: New style callbacks in TLSv1.2
5996 * Test 2: New style callbacks in TLSv1.2 with SNI
5997 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5998 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5999 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6000 */
6001 static int test_custom_exts(int tst)
6002 {
6003 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6004 SSL *clientssl = NULL, *serverssl = NULL;
6005 int testresult = 0;
6006 static int server = 1;
6007 static int client = 0;
6008 SSL_SESSION *sess = NULL;
6009 unsigned int context;
6010
6011 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6012 /* Skip tests for TLSv1.2 and below in this case */
6013 if (tst < 3)
6014 return 1;
6015 #endif
6016
6017 /* Reset callback counters */
6018 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6019 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6020 snicb = 0;
6021
6022 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6023 TLS_client_method(), TLS1_VERSION, 0,
6024 &sctx, &cctx, cert, privkey)))
6025 goto end;
6026
6027 if (tst == 2
6028 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6029 TLS1_VERSION, 0,
6030 &sctx2, NULL, cert, privkey)))
6031 goto end;
6032
6033
6034 if (tst < 3) {
6035 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6036 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6037 if (sctx2 != NULL)
6038 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6039 }
6040
6041 if (tst == 5) {
6042 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6043 | SSL_EXT_TLS1_3_CERTIFICATE;
6044 SSL_CTX_set_verify(sctx,
6045 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6046 verify_cb);
6047 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6048 SSL_FILETYPE_PEM), 1)
6049 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6050 SSL_FILETYPE_PEM), 1)
6051 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6052 goto end;
6053 } else if (tst == 4) {
6054 context = SSL_EXT_CLIENT_HELLO
6055 | SSL_EXT_TLS1_2_SERVER_HELLO
6056 | SSL_EXT_TLS1_3_SERVER_HELLO
6057 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6058 | SSL_EXT_TLS1_3_CERTIFICATE
6059 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6060 } else {
6061 context = SSL_EXT_CLIENT_HELLO
6062 | SSL_EXT_TLS1_2_SERVER_HELLO
6063 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6064 }
6065
6066 /* Create a client side custom extension */
6067 if (tst == 0) {
6068 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6069 old_add_cb, old_free_cb,
6070 &client, old_parse_cb,
6071 &client)))
6072 goto end;
6073 } else {
6074 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6075 new_add_cb, new_free_cb,
6076 &client, new_parse_cb, &client)))
6077 goto end;
6078 }
6079
6080 /* Should not be able to add duplicates */
6081 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6082 old_add_cb, old_free_cb,
6083 &client, old_parse_cb,
6084 &client))
6085 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6086 context, new_add_cb,
6087 new_free_cb, &client,
6088 new_parse_cb, &client)))
6089 goto end;
6090
6091 /* Create a server side custom extension */
6092 if (tst == 0) {
6093 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6094 old_add_cb, old_free_cb,
6095 &server, old_parse_cb,
6096 &server)))
6097 goto end;
6098 } else {
6099 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6100 new_add_cb, new_free_cb,
6101 &server, new_parse_cb, &server)))
6102 goto end;
6103 if (sctx2 != NULL
6104 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6105 context, new_add_cb,
6106 new_free_cb, &server,
6107 new_parse_cb, &server)))
6108 goto end;
6109 }
6110
6111 /* Should not be able to add duplicates */
6112 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6113 old_add_cb, old_free_cb,
6114 &server, old_parse_cb,
6115 &server))
6116 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6117 context, new_add_cb,
6118 new_free_cb, &server,
6119 new_parse_cb, &server)))
6120 goto end;
6121
6122 if (tst == 2) {
6123 /* Set up SNI */
6124 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6125 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6126 goto end;
6127 }
6128
6129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6130 &clientssl, NULL, NULL))
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6132 SSL_ERROR_NONE)))
6133 goto end;
6134
6135 if (tst == 0) {
6136 if (clntaddoldcb != 1
6137 || clntparseoldcb != 1
6138 || srvaddoldcb != 1
6139 || srvparseoldcb != 1)
6140 goto end;
6141 } else if (tst == 1 || tst == 2 || tst == 3) {
6142 if (clntaddnewcb != 1
6143 || clntparsenewcb != 1
6144 || srvaddnewcb != 1
6145 || srvparsenewcb != 1
6146 || (tst != 2 && snicb != 0)
6147 || (tst == 2 && snicb != 1))
6148 goto end;
6149 } else if (tst == 5) {
6150 if (clntaddnewcb != 1
6151 || clntparsenewcb != 1
6152 || srvaddnewcb != 1
6153 || srvparsenewcb != 1)
6154 goto end;
6155 } else {
6156 /* In this case there 2 NewSessionTicket messages created */
6157 if (clntaddnewcb != 1
6158 || clntparsenewcb != 5
6159 || srvaddnewcb != 5
6160 || srvparsenewcb != 1)
6161 goto end;
6162 }
6163
6164 sess = SSL_get1_session(clientssl);
6165 SSL_shutdown(clientssl);
6166 SSL_shutdown(serverssl);
6167 SSL_free(serverssl);
6168 SSL_free(clientssl);
6169 serverssl = clientssl = NULL;
6170
6171 if (tst == 3 || tst == 5) {
6172 /* We don't bother with the resumption aspects for these tests */
6173 testresult = 1;
6174 goto end;
6175 }
6176
6177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6178 NULL, NULL))
6179 || !TEST_true(SSL_set_session(clientssl, sess))
6180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6181 SSL_ERROR_NONE)))
6182 goto end;
6183
6184 /*
6185 * For a resumed session we expect to add the ClientHello extension. For the
6186 * old style callbacks we ignore it on the server side because they set
6187 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6188 * them.
6189 */
6190 if (tst == 0) {
6191 if (clntaddoldcb != 2
6192 || clntparseoldcb != 1
6193 || srvaddoldcb != 1
6194 || srvparseoldcb != 1)
6195 goto end;
6196 } else if (tst == 1 || tst == 2 || tst == 3) {
6197 if (clntaddnewcb != 2
6198 || clntparsenewcb != 2
6199 || srvaddnewcb != 2
6200 || srvparsenewcb != 2)
6201 goto end;
6202 } else {
6203 /*
6204 * No Certificate message extensions in the resumption handshake,
6205 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6206 */
6207 if (clntaddnewcb != 2
6208 || clntparsenewcb != 8
6209 || srvaddnewcb != 8
6210 || srvparsenewcb != 2)
6211 goto end;
6212 }
6213
6214 testresult = 1;
6215
6216 end:
6217 SSL_SESSION_free(sess);
6218 SSL_free(serverssl);
6219 SSL_free(clientssl);
6220 SSL_CTX_free(sctx2);
6221 SSL_CTX_free(sctx);
6222 SSL_CTX_free(cctx);
6223 return testresult;
6224 }
6225
6226 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6227
6228 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6229 | SSL_EXT_CLIENT_HELLO \
6230 | SSL_EXT_TLS1_2_SERVER_HELLO \
6231 | SSL_EXT_IGNORE_ON_RESUMPTION)
6232
6233 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6234 | SSL_EXT_TLS1_2_SERVER_HELLO \
6235 | SSL_EXT_CLIENT_HELLO)
6236
6237 #define SERVERINFO_CUSTOM \
6238 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6239 0x00, 0x03, \
6240 0x04, 0x05, 0x06 \
6241
6242 static const unsigned char serverinfo_custom_tls13[] = {
6243 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6244 SERVERINFO_CUSTOM
6245 };
6246 static const unsigned char serverinfo_custom_v2[] = {
6247 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6248 SERVERINFO_CUSTOM
6249 };
6250 static const unsigned char serverinfo_custom_v1[] = {
6251 SERVERINFO_CUSTOM
6252 };
6253 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6254 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6255 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6256
6257 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6258 unsigned int context,
6259 const unsigned char *in,
6260 size_t inlen, X509 *x,
6261 size_t chainidx, int *al,
6262 void *parse_arg)
6263 {
6264 const size_t len = serverinfo_custom_v1_len;
6265 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6266 int *p_cb_result = (int*)parse_arg;
6267 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6268 return 1;
6269 }
6270
6271 static int test_serverinfo_custom(const int idx)
6272 {
6273 SSL_CTX *sctx = NULL, *cctx = NULL;
6274 SSL *clientssl = NULL, *serverssl = NULL;
6275 int testresult = 0;
6276 int cb_result = 0;
6277
6278 /*
6279 * Following variables are set in the switch statement
6280 * according to the test iteration.
6281 * Default values do not make much sense: test would fail with them.
6282 */
6283 int serverinfo_version = 0;
6284 int protocol_version = 0;
6285 unsigned int extension_context = 0;
6286 const unsigned char *si = NULL;
6287 size_t si_len = 0;
6288
6289 const int call_use_serverinfo_ex = idx > 0;
6290 switch (idx) {
6291 case 0: /* FALLTHROUGH */
6292 case 1:
6293 serverinfo_version = SSL_SERVERINFOV1;
6294 protocol_version = TLS1_2_VERSION;
6295 extension_context = SYNTHV1CONTEXT;
6296 si = serverinfo_custom_v1;
6297 si_len = serverinfo_custom_v1_len;
6298 break;
6299 case 2:
6300 serverinfo_version = SSL_SERVERINFOV2;
6301 protocol_version = TLS1_2_VERSION;
6302 extension_context = SYNTHV1CONTEXT;
6303 si = serverinfo_custom_v2;
6304 si_len = serverinfo_custom_v2_len;
6305 break;
6306 case 3:
6307 serverinfo_version = SSL_SERVERINFOV2;
6308 protocol_version = TLS1_3_VERSION;
6309 extension_context = TLS13CONTEXT;
6310 si = serverinfo_custom_tls13;
6311 si_len = serverinfo_custom_tls13_len;
6312 break;
6313 }
6314
6315 if (!TEST_true(create_ssl_ctx_pair(libctx,
6316 TLS_method(),
6317 TLS_method(),
6318 protocol_version,
6319 protocol_version,
6320 &sctx, &cctx, cert, privkey)))
6321 goto end;
6322
6323 if (call_use_serverinfo_ex) {
6324 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6325 si, si_len)))
6326 goto end;
6327 } else {
6328 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6329 goto end;
6330 }
6331
6332 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6333 extension_context,
6334 NULL, NULL, NULL,
6335 serverinfo_custom_parse_cb,
6336 &cb_result))
6337 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6338 NULL, NULL))
6339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6340 SSL_ERROR_NONE))
6341 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6342 goto end;
6343
6344 if (!TEST_true(cb_result))
6345 goto end;
6346
6347 testresult = 1;
6348
6349 end:
6350 SSL_free(serverssl);
6351 SSL_free(clientssl);
6352 SSL_CTX_free(sctx);
6353 SSL_CTX_free(cctx);
6354
6355 return testresult;
6356 }
6357 #endif
6358
6359 /*
6360 * Test that SSL_export_keying_material() produces expected results. There are
6361 * no test vectors so all we do is test that both sides of the communication
6362 * produce the same results for different protocol versions.
6363 */
6364 #define SMALL_LABEL_LEN 10
6365 #define LONG_LABEL_LEN 249
6366 static int test_export_key_mat(int tst)
6367 {
6368 int testresult = 0;
6369 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6370 SSL *clientssl = NULL, *serverssl = NULL;
6371 const char label[LONG_LABEL_LEN + 1] = "test label";
6372 const unsigned char context[] = "context";
6373 const unsigned char *emptycontext = NULL;
6374 unsigned char longcontext[1280];
6375 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6376 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6377 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6378 size_t labellen;
6379 const int protocols[] = {
6380 TLS1_VERSION,
6381 TLS1_1_VERSION,
6382 TLS1_2_VERSION,
6383 TLS1_3_VERSION,
6384 TLS1_3_VERSION,
6385 TLS1_3_VERSION
6386 };
6387
6388 #ifdef OPENSSL_NO_TLS1
6389 if (tst == 0)
6390 return 1;
6391 #endif
6392 #ifdef OPENSSL_NO_TLS1_1
6393 if (tst == 1)
6394 return 1;
6395 #endif
6396 if (is_fips && (tst == 0 || tst == 1))
6397 return 1;
6398 #ifdef OPENSSL_NO_TLS1_2
6399 if (tst == 2)
6400 return 1;
6401 #endif
6402 #ifdef OSSL_NO_USABLE_TLS1_3
6403 if (tst >= 3)
6404 return 1;
6405 #endif
6406 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6407 TLS_client_method(), TLS1_VERSION, 0,
6408 &sctx, &cctx, cert, privkey)))
6409 goto end;
6410
6411 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6412 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6413 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6414 if ((protocols[tst] < TLS1_2_VERSION) &&
6415 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6416 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6417 goto end;
6418
6419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6420 NULL)))
6421 goto end;
6422
6423 /*
6424 * Premature call of SSL_export_keying_material should just fail.
6425 */
6426 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6427 sizeof(ckeymat1), label,
6428 SMALL_LABEL_LEN + 1, context,
6429 sizeof(context) - 1, 1), 0))
6430 goto end;
6431
6432 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6433 SSL_ERROR_NONE)))
6434 goto end;
6435
6436 if (tst == 5) {
6437 /*
6438 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6439 * go over that.
6440 */
6441 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6442 sizeof(ckeymat1), label,
6443 LONG_LABEL_LEN + 1, context,
6444 sizeof(context) - 1, 1), 0))
6445 goto end;
6446
6447 testresult = 1;
6448 goto end;
6449 } else if (tst == 4) {
6450 labellen = LONG_LABEL_LEN;
6451 } else {
6452 labellen = SMALL_LABEL_LEN;
6453 }
6454
6455 memset(longcontext, 1, sizeof(longcontext));
6456
6457 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6458 sizeof(ckeymat1), label,
6459 labellen, context,
6460 sizeof(context) - 1, 1), 1)
6461 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6462 sizeof(ckeymat2), label,
6463 labellen,
6464 emptycontext,
6465 0, 1), 1)
6466 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6467 sizeof(ckeymat3), label,
6468 labellen,
6469 NULL, 0, 0), 1)
6470 || (test_longcontext
6471 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6472 ckeymat4,
6473 sizeof(ckeymat4), label,
6474 labellen,
6475 longcontext,
6476 sizeof(longcontext), 1),
6477 1))
6478 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6479 sizeof(skeymat1), label,
6480 labellen,
6481 context,
6482 sizeof(context) -1, 1),
6483 1)
6484 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6485 sizeof(skeymat2), label,
6486 labellen,
6487 emptycontext,
6488 0, 1), 1)
6489 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6490 sizeof(skeymat3), label,
6491 labellen,
6492 NULL, 0, 0), 1)
6493 || (test_longcontext
6494 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6495 sizeof(skeymat4), label,
6496 labellen,
6497 longcontext,
6498 sizeof(longcontext), 1),
6499 1))
6500 /*
6501 * Check that both sides created the same key material with the
6502 * same context.
6503 */
6504 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6505 sizeof(skeymat1))
6506 /*
6507 * Check that both sides created the same key material with an
6508 * empty context.
6509 */
6510 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6511 sizeof(skeymat2))
6512 /*
6513 * Check that both sides created the same key material without a
6514 * context.
6515 */
6516 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6517 sizeof(skeymat3))
6518 /*
6519 * Check that both sides created the same key material with a
6520 * long context.
6521 */
6522 || (test_longcontext
6523 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6524 sizeof(skeymat4)))
6525 /* Different contexts should produce different results */
6526 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6527 sizeof(ckeymat2)))
6528 goto end;
6529
6530 /*
6531 * Check that an empty context and no context produce different results in
6532 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6533 */
6534 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6535 sizeof(ckeymat3)))
6536 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6537 sizeof(ckeymat3))))
6538 goto end;
6539
6540 testresult = 1;
6541
6542 end:
6543 SSL_free(serverssl);
6544 SSL_free(clientssl);
6545 SSL_CTX_free(sctx2);
6546 SSL_CTX_free(sctx);
6547 SSL_CTX_free(cctx);
6548
6549 return testresult;
6550 }
6551
6552 #ifndef OSSL_NO_USABLE_TLS1_3
6553 /*
6554 * Test that SSL_export_keying_material_early() produces expected
6555 * results. There are no test vectors so all we do is test that both
6556 * sides of the communication produce the same results for different
6557 * protocol versions.
6558 */
6559 static int test_export_key_mat_early(int idx)
6560 {
6561 static const char label[] = "test label";
6562 static const unsigned char context[] = "context";
6563 int testresult = 0;
6564 SSL_CTX *cctx = NULL, *sctx = NULL;
6565 SSL *clientssl = NULL, *serverssl = NULL;
6566 SSL_SESSION *sess = NULL;
6567 const unsigned char *emptycontext = NULL;
6568 unsigned char ckeymat1[80], ckeymat2[80];
6569 unsigned char skeymat1[80], skeymat2[80];
6570 unsigned char buf[1];
6571 size_t readbytes, written;
6572
6573 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6574 &sess, idx, SHA384_DIGEST_LENGTH)))
6575 goto end;
6576
6577 /* Here writing 0 length early data is enough. */
6578 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6579 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6580 &readbytes),
6581 SSL_READ_EARLY_DATA_ERROR)
6582 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6583 SSL_EARLY_DATA_ACCEPTED))
6584 goto end;
6585
6586 if (!TEST_int_eq(SSL_export_keying_material_early(
6587 clientssl, ckeymat1, sizeof(ckeymat1), label,
6588 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6589 || !TEST_int_eq(SSL_export_keying_material_early(
6590 clientssl, ckeymat2, sizeof(ckeymat2), label,
6591 sizeof(label) - 1, emptycontext, 0), 1)
6592 || !TEST_int_eq(SSL_export_keying_material_early(
6593 serverssl, skeymat1, sizeof(skeymat1), label,
6594 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6595 || !TEST_int_eq(SSL_export_keying_material_early(
6596 serverssl, skeymat2, sizeof(skeymat2), label,
6597 sizeof(label) - 1, emptycontext, 0), 1)
6598 /*
6599 * Check that both sides created the same key material with the
6600 * same context.
6601 */
6602 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6603 sizeof(skeymat1))
6604 /*
6605 * Check that both sides created the same key material with an
6606 * empty context.
6607 */
6608 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6609 sizeof(skeymat2))
6610 /* Different contexts should produce different results */
6611 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6612 sizeof(ckeymat2)))
6613 goto end;
6614
6615 testresult = 1;
6616
6617 end:
6618 SSL_SESSION_free(sess);
6619 SSL_SESSION_free(clientpsk);
6620 SSL_SESSION_free(serverpsk);
6621 clientpsk = serverpsk = NULL;
6622 SSL_free(serverssl);
6623 SSL_free(clientssl);
6624 SSL_CTX_free(sctx);
6625 SSL_CTX_free(cctx);
6626
6627 return testresult;
6628 }
6629
6630 #define NUM_KEY_UPDATE_MESSAGES 40
6631 /*
6632 * Test KeyUpdate.
6633 */
6634 static int test_key_update(void)
6635 {
6636 SSL_CTX *cctx = NULL, *sctx = NULL;
6637 SSL *clientssl = NULL, *serverssl = NULL;
6638 int testresult = 0, i, j;
6639 char buf[20];
6640 static char *mess = "A test message";
6641
6642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6643 TLS_client_method(),
6644 TLS1_3_VERSION,
6645 0,
6646 &sctx, &cctx, cert, privkey))
6647 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6648 NULL, NULL))
6649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6650 SSL_ERROR_NONE)))
6651 goto end;
6652
6653 for (j = 0; j < 2; j++) {
6654 /* Send lots of KeyUpdate messages */
6655 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6656 if (!TEST_true(SSL_key_update(clientssl,
6657 (j == 0)
6658 ? SSL_KEY_UPDATE_NOT_REQUESTED
6659 : SSL_KEY_UPDATE_REQUESTED))
6660 || !TEST_true(SSL_do_handshake(clientssl)))
6661 goto end;
6662 }
6663
6664 /* Check that sending and receiving app data is ok */
6665 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6666 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6667 strlen(mess)))
6668 goto end;
6669
6670 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6671 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6672 strlen(mess)))
6673 goto end;
6674 }
6675
6676 testresult = 1;
6677
6678 end:
6679 SSL_free(serverssl);
6680 SSL_free(clientssl);
6681 SSL_CTX_free(sctx);
6682 SSL_CTX_free(cctx);
6683
6684 return testresult;
6685 }
6686
6687 /*
6688 * Test we can handle a KeyUpdate (update requested) message while
6689 * write data is pending in peer.
6690 * Test 0: Client sends KeyUpdate while Server is writing
6691 * Test 1: Server sends KeyUpdate while Client is writing
6692 */
6693 static int test_key_update_peer_in_write(int tst)
6694 {
6695 SSL_CTX *cctx = NULL, *sctx = NULL;
6696 SSL *clientssl = NULL, *serverssl = NULL;
6697 int testresult = 0;
6698 char buf[20];
6699 static char *mess = "A test message";
6700 BIO *bretry = BIO_new(bio_s_always_retry());
6701 BIO *tmp = NULL;
6702 SSL *peerupdate = NULL, *peerwrite = NULL;
6703
6704 if (!TEST_ptr(bretry)
6705 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6706 TLS_client_method(),
6707 TLS1_3_VERSION,
6708 0,
6709 &sctx, &cctx, cert, privkey))
6710 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6711 NULL, NULL))
6712 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6713 SSL_ERROR_NONE)))
6714 goto end;
6715
6716 peerupdate = tst == 0 ? clientssl : serverssl;
6717 peerwrite = tst == 0 ? serverssl : clientssl;
6718
6719 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6720 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6721 goto end;
6722
6723 /* Swap the writing endpoint's write BIO to force a retry */
6724 tmp = SSL_get_wbio(peerwrite);
6725 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6726 tmp = NULL;
6727 goto end;
6728 }
6729 SSL_set0_wbio(peerwrite, bretry);
6730 bretry = NULL;
6731
6732 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6733 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6734 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6735 || !TEST_true(SSL_want_write(peerwrite))
6736 || !TEST_true(SSL_net_write_desired(peerwrite)))
6737 goto end;
6738
6739 /* Reinstate the original writing endpoint's write BIO */
6740 SSL_set0_wbio(peerwrite, tmp);
6741 tmp = NULL;
6742
6743 /* Now read some data - we will read the key update */
6744 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6745 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6746 || !TEST_true(SSL_want_read(peerwrite))
6747 || !TEST_true(SSL_net_read_desired(peerwrite)))
6748 goto end;
6749
6750 /*
6751 * Complete the write we started previously and read it from the other
6752 * endpoint
6753 */
6754 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6755 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6756 goto end;
6757
6758 /* Write more data to ensure we send the KeyUpdate message back */
6759 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6760 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6761 goto end;
6762
6763 if (!TEST_false(SSL_net_read_desired(peerwrite))
6764 || !TEST_false(SSL_net_write_desired(peerwrite))
6765 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6766 goto end;
6767
6768 testresult = 1;
6769
6770 end:
6771 SSL_free(serverssl);
6772 SSL_free(clientssl);
6773 SSL_CTX_free(sctx);
6774 SSL_CTX_free(cctx);
6775 BIO_free(bretry);
6776 BIO_free(tmp);
6777
6778 return testresult;
6779 }
6780
6781 /*
6782 * Test we can handle a KeyUpdate (update requested) message while
6783 * peer read data is pending after peer accepted keyupdate(the msg header
6784 * had been read 5 bytes).
6785 * Test 0: Client sends KeyUpdate while Server is reading
6786 * Test 1: Server sends KeyUpdate while Client is reading
6787 */
6788 static int test_key_update_peer_in_read(int tst)
6789 {
6790 SSL_CTX *cctx = NULL, *sctx = NULL;
6791 SSL *clientssl = NULL, *serverssl = NULL;
6792 int testresult = 0;
6793 char prbuf[515], lwbuf[515] = {0};
6794 static char *mess = "A test message";
6795 BIO *lbio = NULL, *pbio = NULL;
6796 SSL *local = NULL, *peer = NULL;
6797
6798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6799 TLS_client_method(),
6800 TLS1_3_VERSION,
6801 0,
6802 &sctx, &cctx, cert, privkey))
6803 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6804 NULL, NULL))
6805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6806 SSL_ERROR_NONE)))
6807 goto end;
6808
6809 local = tst == 0 ? clientssl : serverssl;
6810 peer = tst == 0 ? serverssl : clientssl;
6811
6812 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6813 goto end;
6814
6815 SSL_set_bio(local, lbio, lbio);
6816 SSL_set_bio(peer, pbio, pbio);
6817
6818 /*
6819 * we first write keyupdate msg then appdata in local
6820 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6821 * lwbuf app data msg size + key updata msg size > 512(the size of
6822 * the bio pair buffer)
6823 */
6824 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6825 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6826 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6827 goto end;
6828
6829 /*
6830 * first read keyupdate msg in peer in peer
6831 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6832 */
6833 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6834 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6835 goto end;
6836
6837 /* Now write some data in peer - we will write the key update */
6838 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6839 goto end;
6840
6841 /*
6842 * write data in local previously that we will complete
6843 * read data in peer previously that we will complete
6844 */
6845 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6846 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6847 goto end;
6848
6849 /* check that sending and receiving appdata ok */
6850 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6851 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6852 goto end;
6853
6854 testresult = 1;
6855
6856 end:
6857 SSL_free(serverssl);
6858 SSL_free(clientssl);
6859 SSL_CTX_free(sctx);
6860 SSL_CTX_free(cctx);
6861
6862 return testresult;
6863 }
6864
6865 /*
6866 * Test we can't send a KeyUpdate (update requested) message while
6867 * local write data is pending.
6868 * Test 0: Client sends KeyUpdate while Client is writing
6869 * Test 1: Server sends KeyUpdate while Server is writing
6870 */
6871 static int test_key_update_local_in_write(int tst)
6872 {
6873 SSL_CTX *cctx = NULL, *sctx = NULL;
6874 SSL *clientssl = NULL, *serverssl = NULL;
6875 int testresult = 0;
6876 char buf[20];
6877 static char *mess = "A test message";
6878 BIO *bretry = BIO_new(bio_s_always_retry());
6879 BIO *tmp = NULL;
6880 SSL *local = NULL, *peer = NULL;
6881
6882 if (!TEST_ptr(bretry)
6883 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6884 TLS_client_method(),
6885 TLS1_3_VERSION,
6886 0,
6887 &sctx, &cctx, cert, privkey))
6888 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6889 NULL, NULL))
6890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6891 SSL_ERROR_NONE)))
6892 goto end;
6893
6894 local = tst == 0 ? clientssl : serverssl;
6895 peer = tst == 0 ? serverssl : clientssl;
6896
6897 /* Swap the writing endpoint's write BIO to force a retry */
6898 tmp = SSL_get_wbio(local);
6899 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6900 tmp = NULL;
6901 goto end;
6902 }
6903 SSL_set0_wbio(local, bretry);
6904 bretry = NULL;
6905
6906 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6907 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6908 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6909 goto end;
6910
6911 /* Reinstate the original writing endpoint's write BIO */
6912 SSL_set0_wbio(local, tmp);
6913 tmp = NULL;
6914
6915 /* SSL_key_update will fail, because writing in local*/
6916 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6917 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6918 goto end;
6919
6920 ERR_clear_error();
6921 /* write data in local previously that we will complete */
6922 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6923 goto end;
6924
6925 /* SSL_key_update will succeed because there is no pending write data */
6926 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6927 || !TEST_int_eq(SSL_do_handshake(local), 1))
6928 goto end;
6929
6930 /*
6931 * we write some appdata in local
6932 * read data in peer - we will read the keyupdate msg
6933 */
6934 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6935 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6936 goto end;
6937
6938 /* Write more peer more data to ensure we send the keyupdate message back */
6939 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6940 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6941 goto end;
6942
6943 testresult = 1;
6944
6945 end:
6946 SSL_free(serverssl);
6947 SSL_free(clientssl);
6948 SSL_CTX_free(sctx);
6949 SSL_CTX_free(cctx);
6950 BIO_free(bretry);
6951 BIO_free(tmp);
6952
6953 return testresult;
6954 }
6955
6956 /*
6957 * Test we can handle a KeyUpdate (update requested) message while
6958 * local read data is pending(the msg header had been read 5 bytes).
6959 * Test 0: Client sends KeyUpdate while Client is reading
6960 * Test 1: Server sends KeyUpdate while Server is reading
6961 */
6962 static int test_key_update_local_in_read(int tst)
6963 {
6964 SSL_CTX *cctx = NULL, *sctx = NULL;
6965 SSL *clientssl = NULL, *serverssl = NULL;
6966 int testresult = 0;
6967 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6968 static char *mess = "A test message";
6969 BIO *lbio = NULL, *pbio = NULL;
6970 SSL *local = NULL, *peer = NULL;
6971
6972 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6973 TLS_client_method(),
6974 TLS1_3_VERSION,
6975 0,
6976 &sctx, &cctx, cert, privkey))
6977 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6978 NULL, NULL))
6979 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6980 SSL_ERROR_NONE)))
6981 goto end;
6982
6983 local = tst == 0 ? clientssl : serverssl;
6984 peer = tst == 0 ? serverssl : clientssl;
6985
6986 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6987 goto end;
6988
6989 SSL_set_bio(local, lbio, lbio);
6990 SSL_set_bio(peer, pbio, pbio);
6991
6992 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6993 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6994 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6995 goto end;
6996
6997 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6998 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6999 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7000 goto end;
7001
7002 /* SSL_do_handshake will send keyupdate msg */
7003 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7004 || !TEST_int_eq(SSL_do_handshake(local), 1))
7005 goto end;
7006
7007 /*
7008 * write data in peer previously that we will complete
7009 * read data in local previously that we will complete
7010 */
7011 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7012 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7013 goto end;
7014
7015 /*
7016 * write data in local
7017 * read data in peer - we will read the key update
7018 */
7019 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7020 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7021 goto end;
7022
7023 /* Write more peer data to ensure we send the keyupdate message back */
7024 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7025 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7026 goto end;
7027
7028 testresult = 1;
7029
7030 end:
7031 SSL_free(serverssl);
7032 SSL_free(clientssl);
7033 SSL_CTX_free(sctx);
7034 SSL_CTX_free(cctx);
7035
7036 return testresult;
7037 }
7038 #endif /* OSSL_NO_USABLE_TLS1_3 */
7039
7040 /*
7041 * Test clearing a connection via SSL_clear(), or resetting it via
7042 * SSL_set_connect_state()/SSL_set_accept_state()
7043 * Test 0: SSL_set_connect_state, TLSv1.3
7044 * Test 1: SSL_set_connect_state, TLSv1.2
7045 * Test 2: SSL_set_accept_state, TLSv1.3
7046 * Test 3: SSL_set_accept_state, TLSv1.2
7047 * Test 4: SSL_clear (client), TLSv1.3
7048 * Test 5: SSL_clear (client), TLSv1.2
7049 * Test 6: SSL_clear (server), TLSv1.3
7050 * Test 7: SSL_clear (server), TLSv1.2
7051 */
7052 static int test_ssl_clear(int idx)
7053 {
7054 SSL_CTX *cctx = NULL, *sctx = NULL;
7055 SSL *clientssl = NULL, *serverssl = NULL;
7056 SSL *writer, *reader;
7057 int testresult = 0;
7058 int tls12test, servertest, cleartest;
7059 size_t written, readbytes;
7060 const char *msg = "Hello World";
7061 unsigned char buf[5];
7062
7063 tls12test = idx & 1;
7064 idx >>= 1;
7065 servertest = idx & 1;
7066 idx >>= 1;
7067 cleartest = idx & 1;
7068
7069 #ifdef OPENSSL_NO_TLS1_2
7070 if (tls12test == 1)
7071 return TEST_skip("No TLSv1.2 in this build");
7072 #endif
7073
7074 /* Create an initial connection */
7075 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7076 TLS_client_method(), TLS1_VERSION, 0,
7077 &sctx, &cctx, cert, privkey))
7078 || (tls12test
7079 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7080 TLS1_2_VERSION)))
7081 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7082 &clientssl, NULL, NULL))
7083 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7084 SSL_ERROR_NONE)))
7085 goto end;
7086
7087 if (servertest) {
7088 writer = clientssl;
7089 reader = serverssl;
7090 } else {
7091 writer = serverssl;
7092 reader = clientssl;
7093 }
7094
7095 /* Write some data */
7096 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7097 || written != strlen(msg))
7098 goto end;
7099
7100 /*
7101 * Read a partial record. The remaining buffered data should be cleared by
7102 * the subsequent clear/reset
7103 */
7104 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7105 || readbytes != sizeof(buf))
7106 goto end;
7107
7108 SSL_shutdown(clientssl);
7109 SSL_shutdown(serverssl);
7110
7111 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7112 if (servertest) {
7113 if (cleartest) {
7114 if (!TEST_true(SSL_clear(serverssl)))
7115 goto end;
7116 } else {
7117 SSL_set_accept_state(serverssl);
7118 }
7119 /*
7120 * A peculiarity of SSL_clear() is that it does not clear the session.
7121 * This is intended behaviour so that a client can create a new
7122 * connection and reuse the session. But this doesn't make much sense
7123 * on the server side - and causes incorrect behaviour due to the
7124 * handshake failing (even though the documentation does say SSL_clear()
7125 * is supposed to work on the server side). We clear the session
7126 * explicitly - although note that the documentation for
7127 * SSL_set_session() says that its only useful for clients!
7128 */
7129 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7130 goto end;
7131 SSL_free(clientssl);
7132 clientssl = NULL;
7133 } else {
7134 if (cleartest) {
7135 if (!TEST_true(SSL_clear(clientssl)))
7136 goto end;
7137 } else {
7138 SSL_set_connect_state(clientssl);
7139 }
7140 SSL_free(serverssl);
7141 serverssl = NULL;
7142 }
7143
7144 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7145 NULL, NULL))
7146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7147 SSL_ERROR_NONE))
7148 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7149 goto end;
7150
7151 SSL_shutdown(clientssl);
7152 SSL_shutdown(serverssl);
7153
7154 testresult = 1;
7155
7156 end:
7157 SSL_free(serverssl);
7158 SSL_free(clientssl);
7159 SSL_CTX_free(sctx);
7160 SSL_CTX_free(cctx);
7161
7162 return testresult;
7163 }
7164
7165 /* Parse CH and retrieve any MFL extension value if present */
7166 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7167 {
7168 long len;
7169 unsigned char *data;
7170 PACKET pkt, pkt2, pkt3;
7171 unsigned int MFL_code = 0, type = 0;
7172
7173 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7174 goto end;
7175
7176 memset(&pkt, 0, sizeof(pkt));
7177 memset(&pkt2, 0, sizeof(pkt2));
7178 memset(&pkt3, 0, sizeof(pkt3));
7179
7180 if (!TEST_long_gt(len, 0)
7181 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7182 /* Skip the record header */
7183 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7184 /* Skip the handshake message header */
7185 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7186 /* Skip client version and random */
7187 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7188 + SSL3_RANDOM_SIZE))
7189 /* Skip session id */
7190 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7191 /* Skip ciphers */
7192 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7193 /* Skip compression */
7194 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7195 /* Extensions len */
7196 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7197 goto end;
7198
7199 /* Loop through all extensions */
7200 while (PACKET_remaining(&pkt2)) {
7201 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7202 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7203 goto end;
7204
7205 if (type == TLSEXT_TYPE_max_fragment_length) {
7206 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7207 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7208 goto end;
7209
7210 *mfl_codemfl_code = MFL_code;
7211 return 1;
7212 }
7213 }
7214
7215 end:
7216 return 0;
7217 }
7218
7219 /* Maximum-Fragment-Length TLS extension mode to test */
7220 static const unsigned char max_fragment_len_test[] = {
7221 TLSEXT_max_fragment_length_512,
7222 TLSEXT_max_fragment_length_1024,
7223 TLSEXT_max_fragment_length_2048,
7224 TLSEXT_max_fragment_length_4096
7225 };
7226
7227 static int test_max_fragment_len_ext(int idx_tst)
7228 {
7229 SSL_CTX *ctx = NULL;
7230 SSL *con = NULL;
7231 int testresult = 0, MFL_mode = 0;
7232 BIO *rbio, *wbio;
7233
7234 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7235 TLS1_VERSION, 0, NULL, &ctx, NULL,
7236 NULL)))
7237 return 0;
7238
7239 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7240 ctx, max_fragment_len_test[idx_tst])))
7241 goto end;
7242
7243 con = SSL_new(ctx);
7244 if (!TEST_ptr(con))
7245 goto end;
7246
7247 rbio = BIO_new(BIO_s_mem());
7248 wbio = BIO_new(BIO_s_mem());
7249 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7250 BIO_free(rbio);
7251 BIO_free(wbio);
7252 goto end;
7253 }
7254
7255 SSL_set_bio(con, rbio, wbio);
7256
7257 if (!TEST_int_le(SSL_connect(con), 0)) {
7258 /* This shouldn't succeed because we don't have a server! */
7259 goto end;
7260 }
7261
7262 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7263 /* no MFL in client hello */
7264 goto end;
7265 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7266 goto end;
7267
7268 testresult = 1;
7269
7270 end:
7271 SSL_free(con);
7272 SSL_CTX_free(ctx);
7273
7274 return testresult;
7275 }
7276
7277 #ifndef OSSL_NO_USABLE_TLS1_3
7278 static int test_pha_key_update(void)
7279 {
7280 SSL_CTX *cctx = NULL, *sctx = NULL;
7281 SSL *clientssl = NULL, *serverssl = NULL;
7282 int testresult = 0;
7283
7284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7285 TLS_client_method(), TLS1_VERSION, 0,
7286 &sctx, &cctx, cert, privkey)))
7287 return 0;
7288
7289 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7290 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7291 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7292 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7293 goto end;
7294
7295 SSL_CTX_set_post_handshake_auth(cctx, 1);
7296
7297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7298 NULL, NULL)))
7299 goto end;
7300
7301 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7302 SSL_ERROR_NONE)))
7303 goto end;
7304
7305 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7306 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7307 goto end;
7308
7309 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7310 goto end;
7311
7312 /* Start handshake on the server */
7313 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7314 goto end;
7315
7316 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7317 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7318 SSL_ERROR_NONE)))
7319 goto end;
7320
7321 SSL_shutdown(clientssl);
7322 SSL_shutdown(serverssl);
7323
7324 testresult = 1;
7325
7326 end:
7327 SSL_free(serverssl);
7328 SSL_free(clientssl);
7329 SSL_CTX_free(sctx);
7330 SSL_CTX_free(cctx);
7331 return testresult;
7332 }
7333 #endif
7334
7335 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7336
7337 static SRP_VBASE *vbase = NULL;
7338
7339 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7340 {
7341 int ret = SSL3_AL_FATAL;
7342 char *username;
7343 SRP_user_pwd *user = NULL;
7344
7345 username = SSL_get_srp_username(s);
7346 if (username == NULL) {
7347 *ad = SSL_AD_INTERNAL_ERROR;
7348 goto err;
7349 }
7350
7351 user = SRP_VBASE_get1_by_user(vbase, username);
7352 if (user == NULL) {
7353 *ad = SSL_AD_INTERNAL_ERROR;
7354 goto err;
7355 }
7356
7357 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7358 user->info) <= 0) {
7359 *ad = SSL_AD_INTERNAL_ERROR;
7360 goto err;
7361 }
7362
7363 ret = 0;
7364
7365 err:
7366 SRP_user_pwd_free(user);
7367 return ret;
7368 }
7369
7370 static int create_new_vfile(char *userid, char *password, const char *filename)
7371 {
7372 char *gNid = NULL;
7373 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7374 TXT_DB *db = NULL;
7375 int ret = 0;
7376 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7377 size_t i;
7378
7379 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7380 goto end;
7381
7382 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7383 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7384 if (!TEST_ptr(gNid))
7385 goto end;
7386
7387 /*
7388 * The only way to create an empty TXT_DB is to provide a BIO with no data
7389 * in it!
7390 */
7391 db = TXT_DB_read(dummy, DB_NUMBER);
7392 if (!TEST_ptr(db))
7393 goto end;
7394
7395 out = BIO_new_file(filename, "w");
7396 if (!TEST_ptr(out))
7397 goto end;
7398
7399 row[DB_srpid] = OPENSSL_strdup(userid);
7400 row[DB_srptype] = OPENSSL_strdup("V");
7401 row[DB_srpgN] = OPENSSL_strdup(gNid);
7402
7403 if (!TEST_ptr(row[DB_srpid])
7404 || !TEST_ptr(row[DB_srptype])
7405 || !TEST_ptr(row[DB_srpgN])
7406 || !TEST_true(TXT_DB_insert(db, row)))
7407 goto end;
7408
7409 row = NULL;
7410
7411 if (TXT_DB_write(out, db) <= 0)
7412 goto end;
7413
7414 ret = 1;
7415 end:
7416 if (row != NULL) {
7417 for (i = 0; i < DB_NUMBER; i++)
7418 OPENSSL_free(row[i]);
7419 }
7420 OPENSSL_free(row);
7421 BIO_free(dummy);
7422 BIO_free(out);
7423 TXT_DB_free(db);
7424
7425 return ret;
7426 }
7427
7428 static int create_new_vbase(char *userid, char *password)
7429 {
7430 BIGNUM *verifier = NULL, *salt = NULL;
7431 const SRP_gN *lgN = NULL;
7432 SRP_user_pwd *user_pwd = NULL;
7433 int ret = 0;
7434
7435 lgN = SRP_get_default_gN(NULL);
7436 if (!TEST_ptr(lgN))
7437 goto end;
7438
7439 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7440 lgN->N, lgN->g, libctx, NULL)))
7441 goto end;
7442
7443 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7444 if (!TEST_ptr(user_pwd))
7445 goto end;
7446
7447 user_pwd->N = lgN->N;
7448 user_pwd->g = lgN->g;
7449 user_pwd->id = OPENSSL_strdup(userid);
7450 if (!TEST_ptr(user_pwd->id))
7451 goto end;
7452
7453 user_pwd->v = verifier;
7454 user_pwd->s = salt;
7455 verifier = salt = NULL;
7456
7457 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7458 goto end;
7459 user_pwd = NULL;
7460
7461 ret = 1;
7462 end:
7463 SRP_user_pwd_free(user_pwd);
7464 BN_free(salt);
7465 BN_free(verifier);
7466
7467 return ret;
7468 }
7469
7470 /*
7471 * SRP tests
7472 *
7473 * Test 0: Simple successful SRP connection, new vbase
7474 * Test 1: Connection failure due to bad password, new vbase
7475 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7476 * Test 3: Connection failure due to bad password, vbase loaded from existing
7477 * file
7478 * Test 4: Simple successful SRP connection, vbase loaded from new file
7479 * Test 5: Connection failure due to bad password, vbase loaded from new file
7480 */
7481 static int test_srp(int tst)
7482 {
7483 char *userid = "test", *password = "password", *tstsrpfile;
7484 SSL_CTX *cctx = NULL, *sctx = NULL;
7485 SSL *clientssl = NULL, *serverssl = NULL;
7486 int ret, testresult = 0;
7487
7488 vbase = SRP_VBASE_new(NULL);
7489 if (!TEST_ptr(vbase))
7490 goto end;
7491
7492 if (tst == 0 || tst == 1) {
7493 if (!TEST_true(create_new_vbase(userid, password)))
7494 goto end;
7495 } else {
7496 if (tst == 4 || tst == 5) {
7497 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7498 goto end;
7499 tstsrpfile = tmpfilename;
7500 } else {
7501 tstsrpfile = srpvfile;
7502 }
7503 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7504 goto end;
7505 }
7506
7507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7508 TLS_client_method(), TLS1_VERSION, 0,
7509 &sctx, &cctx, cert, privkey)))
7510 goto end;
7511
7512 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7513 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7514 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7515 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7516 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7517 goto end;
7518
7519 if (tst % 2 == 1) {
7520 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7521 goto end;
7522 } else {
7523 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7524 goto end;
7525 }
7526
7527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7528 NULL, NULL)))
7529 goto end;
7530
7531 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7532 if (ret) {
7533 if (!TEST_true(tst % 2 == 0))
7534 goto end;
7535 } else {
7536 if (!TEST_true(tst % 2 == 1))
7537 goto end;
7538 }
7539
7540 testresult = 1;
7541
7542 end:
7543 SRP_VBASE_free(vbase);
7544 vbase = NULL;
7545 SSL_free(serverssl);
7546 SSL_free(clientssl);
7547 SSL_CTX_free(sctx);
7548 SSL_CTX_free(cctx);
7549
7550 return testresult;
7551 }
7552 #endif
7553
7554 static int info_cb_failed = 0;
7555 static int info_cb_offset = 0;
7556 static int info_cb_this_state = -1;
7557
7558 static struct info_cb_states_st {
7559 int where;
7560 const char *statestr;
7561 } info_cb_states[][60] = {
7562 {
7563 /* TLSv1.2 server followed by resumption */
7564 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7565 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7566 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7567 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7568 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7569 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7570 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7571 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7572 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7573 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7574 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7575 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7576 {SSL_CB_EXIT, NULL}, {0, NULL},
7577 }, {
7578 /* TLSv1.2 client followed by resumption */
7579 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7580 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7581 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7582 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7583 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7584 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7585 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7586 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7587 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7588 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7589 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7590 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7591 }, {
7592 /* TLSv1.3 server followed by resumption */
7593 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7594 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7595 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7596 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7597 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7598 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7599 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7600 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7601 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7602 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7603 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7604 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7605 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7606 }, {
7607 /* TLSv1.3 client followed by resumption */
7608 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7609 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7610 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7611 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7612 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7613 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7614 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7615 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7616 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7617 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7618 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7619 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7621 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7622 {SSL_CB_EXIT, NULL}, {0, NULL},
7623 }, {
7624 /* TLSv1.3 server, early_data */
7625 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7626 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7627 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7628 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7629 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7630 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7631 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7632 {SSL_CB_EXIT, NULL}, {0, NULL},
7633 }, {
7634 /* TLSv1.3 client, early_data */
7635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7636 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7637 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7638 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7639 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7640 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7641 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7642 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7643 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7644 }, {
7645 /* TLSv1.3 server, certificate compression, followed by resumption */
7646 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7647 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7648 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7649 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7650 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7651 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7652 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7653 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7654 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7655 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7656 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7657 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7658 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7659 }, {
7660 /* TLSv1.3 client, certificate compression, followed by resumption */
7661 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7662 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7663 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7664 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7665 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7666 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7667 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7668 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7669 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7670 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7672 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7673 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7674 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7675 {SSL_CB_EXIT, NULL}, {0, NULL},
7676 }, {
7677 {0, NULL},
7678 }
7679 };
7680
7681 static void sslapi_info_callback(const SSL *s, int where, int ret)
7682 {
7683 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7684
7685 /* We do not ever expect a connection to fail in this test */
7686 if (!TEST_false(ret == 0)) {
7687 info_cb_failed = 1;
7688 return;
7689 }
7690
7691 /*
7692 * Do some sanity checks. We never expect these things to happen in this
7693 * test
7694 */
7695 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7696 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7697 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7698 info_cb_failed = 1;
7699 return;
7700 }
7701
7702 /* Now check we're in the right state */
7703 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7704 info_cb_failed = 1;
7705 return;
7706 }
7707 if ((where & SSL_CB_LOOP) != 0
7708 && !TEST_int_eq(strcmp(SSL_state_string(s),
7709 state[info_cb_this_state].statestr), 0)) {
7710 info_cb_failed = 1;
7711 return;
7712 }
7713
7714 /*
7715 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7716 */
7717 if ((where & SSL_CB_HANDSHAKE_DONE)
7718 && SSL_in_init((SSL *)s) != 0) {
7719 info_cb_failed = 1;
7720 return;
7721 }
7722 }
7723
7724 /*
7725 * Test the info callback gets called when we expect it to.
7726 *
7727 * Test 0: TLSv1.2, server
7728 * Test 1: TLSv1.2, client
7729 * Test 2: TLSv1.3, server
7730 * Test 3: TLSv1.3, client
7731 * Test 4: TLSv1.3, server, early_data
7732 * Test 5: TLSv1.3, client, early_data
7733 * Test 6: TLSv1.3, server, compressed certificate
7734 * Test 7: TLSv1.3, client, compressed certificate
7735 */
7736 static int test_info_callback(int tst)
7737 {
7738 SSL_CTX *cctx = NULL, *sctx = NULL;
7739 SSL *clientssl = NULL, *serverssl = NULL;
7740 SSL_SESSION *clntsess = NULL;
7741 int testresult = 0;
7742 int tlsvers;
7743
7744 if (tst < 2) {
7745 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7746 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7747 || !defined(OPENSSL_NO_DH))
7748 tlsvers = TLS1_2_VERSION;
7749 #else
7750 return 1;
7751 #endif
7752 } else {
7753 #ifndef OSSL_NO_USABLE_TLS1_3
7754 tlsvers = TLS1_3_VERSION;
7755 #else
7756 return 1;
7757 #endif
7758 }
7759
7760 /* Reset globals */
7761 info_cb_failed = 0;
7762 info_cb_this_state = -1;
7763 info_cb_offset = tst;
7764
7765 #ifndef OSSL_NO_USABLE_TLS1_3
7766 if (tst >= 4 && tst < 6) {
7767 SSL_SESSION *sess = NULL;
7768 size_t written, readbytes;
7769 unsigned char buf[80];
7770
7771 /* early_data tests */
7772 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7773 &serverssl, &sess, 0,
7774 SHA384_DIGEST_LENGTH)))
7775 goto end;
7776
7777 /* We don't actually need this reference */
7778 SSL_SESSION_free(sess);
7779
7780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7781 sslapi_info_callback);
7782
7783 /* Write and read some early data and then complete the connection */
7784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7785 &written))
7786 || !TEST_size_t_eq(written, strlen(MSG1))
7787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7788 sizeof(buf), &readbytes),
7789 SSL_READ_EARLY_DATA_SUCCESS)
7790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7792 SSL_EARLY_DATA_ACCEPTED)
7793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7794 SSL_ERROR_NONE))
7795 || !TEST_false(info_cb_failed))
7796 goto end;
7797
7798 testresult = 1;
7799 goto end;
7800 }
7801 #endif
7802
7803 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7804 TLS_client_method(),
7805 tlsvers, tlsvers, &sctx, &cctx, cert,
7806 privkey)))
7807 goto end;
7808
7809 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7810 goto end;
7811
7812 /*
7813 * For even numbered tests we check the server callbacks. For odd numbers we
7814 * check the client.
7815 */
7816 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7817 sslapi_info_callback);
7818 if (tst >= 6) {
7819 if (!SSL_CTX_compress_certs(sctx, 0))
7820 goto end;
7821 }
7822
7823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7824 &clientssl, NULL, NULL))
7825 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7826 SSL_ERROR_NONE))
7827 || !TEST_false(info_cb_failed))
7828 goto end;
7829
7830
7831
7832 clntsess = SSL_get1_session(clientssl);
7833 SSL_shutdown(clientssl);
7834 SSL_shutdown(serverssl);
7835 SSL_free(serverssl);
7836 SSL_free(clientssl);
7837 serverssl = clientssl = NULL;
7838
7839 /* Now do a resumption */
7840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7841 NULL))
7842 || !TEST_true(SSL_set_session(clientssl, clntsess))
7843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7844 SSL_ERROR_NONE))
7845 || !TEST_true(SSL_session_reused(clientssl))
7846 || !TEST_false(info_cb_failed))
7847 goto end;
7848
7849 testresult = 1;
7850
7851 end:
7852 SSL_free(serverssl);
7853 SSL_free(clientssl);
7854 SSL_SESSION_free(clntsess);
7855 SSL_CTX_free(sctx);
7856 SSL_CTX_free(cctx);
7857 return testresult;
7858 }
7859
7860 static int test_ssl_pending(int tst)
7861 {
7862 SSL_CTX *cctx = NULL, *sctx = NULL;
7863 SSL *clientssl = NULL, *serverssl = NULL;
7864 int testresult = 0;
7865 char msg[] = "A test message";
7866 char buf[5];
7867 size_t written, readbytes;
7868
7869 if (tst == 0) {
7870 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7871 TLS_client_method(),
7872 TLS1_VERSION, 0,
7873 &sctx, &cctx, cert, privkey)))
7874 goto end;
7875 } else {
7876 #ifndef OPENSSL_NO_DTLS
7877 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7878 DTLS_client_method(),
7879 DTLS1_VERSION, 0,
7880 &sctx, &cctx, cert, privkey)))
7881 goto end;
7882
7883 # ifdef OPENSSL_NO_DTLS1_2
7884 /* Not supported in the FIPS provider */
7885 if (is_fips) {
7886 testresult = 1;
7887 goto end;
7888 };
7889 /*
7890 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7891 * level 0
7892 */
7893 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7894 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7895 "DEFAULT:@SECLEVEL=0")))
7896 goto end;
7897 # endif
7898 #else
7899 return 1;
7900 #endif
7901 }
7902
7903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7904 NULL, NULL))
7905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7906 SSL_ERROR_NONE)))
7907 goto end;
7908
7909 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7910 || !TEST_false(SSL_has_pending(clientssl))
7911 || !TEST_int_eq(SSL_pending(serverssl), 0)
7912 || !TEST_false(SSL_has_pending(serverssl))
7913 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7914 || !TEST_size_t_eq(written, sizeof(msg))
7915 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7916 || !TEST_size_t_eq(readbytes, sizeof(buf))
7917 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7918 || !TEST_true(SSL_has_pending(clientssl)))
7919 goto end;
7920
7921 testresult = 1;
7922
7923 end:
7924 SSL_free(serverssl);
7925 SSL_free(clientssl);
7926 SSL_CTX_free(sctx);
7927 SSL_CTX_free(cctx);
7928
7929 return testresult;
7930 }
7931
7932 static struct {
7933 unsigned int maxprot;
7934 const char *clntciphers;
7935 const char *clnttls13ciphers;
7936 const char *srvrciphers;
7937 const char *srvrtls13ciphers;
7938 const char *shared;
7939 const char *fipsshared;
7940 } shared_ciphers_data[] = {
7941 /*
7942 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7943 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7944 */
7945 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7946 {
7947 TLS1_2_VERSION,
7948 "AES128-SHA:AES256-SHA",
7949 NULL,
7950 "AES256-SHA:DHE-RSA-AES128-SHA",
7951 NULL,
7952 "AES256-SHA",
7953 "AES256-SHA"
7954 },
7955 # if !defined(OPENSSL_NO_CHACHA) \
7956 && !defined(OPENSSL_NO_POLY1305) \
7957 && !defined(OPENSSL_NO_EC)
7958 {
7959 TLS1_2_VERSION,
7960 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7961 NULL,
7962 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7963 NULL,
7964 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7965 "AES128-SHA"
7966 },
7967 # endif
7968 {
7969 TLS1_2_VERSION,
7970 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7971 NULL,
7972 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7973 NULL,
7974 "AES128-SHA:AES256-SHA",
7975 "AES128-SHA:AES256-SHA"
7976 },
7977 {
7978 TLS1_2_VERSION,
7979 "AES128-SHA:AES256-SHA",
7980 NULL,
7981 "AES128-SHA:DHE-RSA-AES128-SHA",
7982 NULL,
7983 "AES128-SHA",
7984 "AES128-SHA"
7985 },
7986 #endif
7987 /*
7988 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7989 * enabled.
7990 */
7991 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7992 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7993 {
7994 TLS1_3_VERSION,
7995 "AES128-SHA:AES256-SHA",
7996 NULL,
7997 "AES256-SHA:AES128-SHA256",
7998 NULL,
7999 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8000 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8001 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8002 },
8003 #endif
8004 #ifndef OSSL_NO_USABLE_TLS1_3
8005 {
8006 TLS1_3_VERSION,
8007 "AES128-SHA",
8008 "TLS_AES_256_GCM_SHA384",
8009 "AES256-SHA",
8010 "TLS_AES_256_GCM_SHA384",
8011 "TLS_AES_256_GCM_SHA384",
8012 "TLS_AES_256_GCM_SHA384"
8013 },
8014 #endif
8015 };
8016
8017 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8018 {
8019 SSL_CTX *cctx = NULL, *sctx = NULL;
8020 SSL *clientssl = NULL, *serverssl = NULL;
8021 int testresult = 0;
8022 char buf[1024];
8023 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8024
8025 if (!TEST_ptr(tmplibctx))
8026 goto end;
8027
8028 /*
8029 * Regardless of whether we're testing with the FIPS provider loaded into
8030 * libctx, we want one peer to always use the full set of ciphersuites
8031 * available. Therefore we use a separate libctx with the default provider
8032 * loaded into it. We run the same tests twice - once with the client side
8033 * having the full set of ciphersuites and once with the server side.
8034 */
8035 if (clnt) {
8036 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8037 if (!TEST_ptr(cctx))
8038 goto end;
8039 } else {
8040 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8041 if (!TEST_ptr(sctx))
8042 goto end;
8043 }
8044
8045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8046 TLS_client_method(),
8047 TLS1_VERSION,
8048 shared_ciphers_data[tst].maxprot,
8049 &sctx, &cctx, cert, privkey)))
8050 goto end;
8051
8052 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8053 shared_ciphers_data[tst].clntciphers))
8054 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8055 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8056 shared_ciphers_data[tst].clnttls13ciphers)))
8057 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8058 shared_ciphers_data[tst].srvrciphers))
8059 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8060 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8061 shared_ciphers_data[tst].srvrtls13ciphers))))
8062 goto end;
8063
8064
8065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8066 NULL, NULL))
8067 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8068 SSL_ERROR_NONE)))
8069 goto end;
8070
8071 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8072 || !TEST_int_eq(strcmp(buf,
8073 is_fips
8074 ? shared_ciphers_data[tst].fipsshared
8075 : shared_ciphers_data[tst].shared),
8076 0)) {
8077 TEST_info("Shared ciphers are: %s\n", buf);
8078 goto end;
8079 }
8080
8081 testresult = 1;
8082
8083 end:
8084 SSL_free(serverssl);
8085 SSL_free(clientssl);
8086 SSL_CTX_free(sctx);
8087 SSL_CTX_free(cctx);
8088 OSSL_LIB_CTX_free(tmplibctx);
8089
8090 return testresult;
8091 }
8092
8093 static int test_ssl_get_shared_ciphers(int tst)
8094 {
8095 return int_test_ssl_get_shared_ciphers(tst, 0)
8096 && int_test_ssl_get_shared_ciphers(tst, 1);
8097 }
8098
8099
8100 static const char *appdata = "Hello World";
8101 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8102 static int tick_key_renew = 0;
8103 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8104
8105 static int gen_tick_cb(SSL *s, void *arg)
8106 {
8107 gen_tick_called = 1;
8108
8109 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8110 strlen(appdata));
8111 }
8112
8113 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8114 const unsigned char *keyname,
8115 size_t keyname_length,
8116 SSL_TICKET_STATUS status,
8117 void *arg)
8118 {
8119 void *tickdata;
8120 size_t tickdlen;
8121
8122 dec_tick_called = 1;
8123
8124 if (status == SSL_TICKET_EMPTY)
8125 return SSL_TICKET_RETURN_IGNORE_RENEW;
8126
8127 if (!TEST_true(status == SSL_TICKET_SUCCESS
8128 || status == SSL_TICKET_SUCCESS_RENEW))
8129 return SSL_TICKET_RETURN_ABORT;
8130
8131 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8132 &tickdlen))
8133 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8134 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8135 return SSL_TICKET_RETURN_ABORT;
8136
8137 if (tick_key_cb_called) {
8138 /* Don't change what the ticket key callback wanted to do */
8139 switch (status) {
8140 case SSL_TICKET_NO_DECRYPT:
8141 return SSL_TICKET_RETURN_IGNORE_RENEW;
8142
8143 case SSL_TICKET_SUCCESS:
8144 return SSL_TICKET_RETURN_USE;
8145
8146 case SSL_TICKET_SUCCESS_RENEW:
8147 return SSL_TICKET_RETURN_USE_RENEW;
8148
8149 default:
8150 return SSL_TICKET_RETURN_ABORT;
8151 }
8152 }
8153 return tick_dec_ret;
8154
8155 }
8156
8157 #ifndef OPENSSL_NO_DEPRECATED_3_0
8158 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8159 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8160 HMAC_CTX *hctx, int enc)
8161 {
8162 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8163 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8164 EVP_CIPHER *aes128cbc;
8165 EVP_MD *sha256;
8166 int ret;
8167
8168 tick_key_cb_called = 1;
8169
8170 if (tick_key_renew == -1)
8171 return 0;
8172
8173 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8174 if (!TEST_ptr(aes128cbc))
8175 return 0;
8176 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8177 if (!TEST_ptr(sha256)) {
8178 EVP_CIPHER_free(aes128cbc);
8179 return 0;
8180 }
8181
8182 memset(iv, 0, AES_BLOCK_SIZE);
8183 memset(key_name, 0, 16);
8184 if (aes128cbc == NULL
8185 || sha256 == NULL
8186 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8187 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8188 NULL))
8189 ret = -1;
8190 else
8191 ret = tick_key_renew ? 2 : 1;
8192
8193 EVP_CIPHER_free(aes128cbc);
8194 EVP_MD_free(sha256);
8195
8196 return ret;
8197 }
8198 #endif
8199
8200 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8201 unsigned char iv[EVP_MAX_IV_LENGTH],
8202 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8203 {
8204 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8205 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8206 OSSL_PARAM params[2];
8207 EVP_CIPHER *aes128cbc;
8208 int ret;
8209
8210 tick_key_cb_called = 1;
8211
8212 if (tick_key_renew == -1)
8213 return 0;
8214
8215 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8216 if (!TEST_ptr(aes128cbc))
8217 return 0;
8218
8219 memset(iv, 0, AES_BLOCK_SIZE);
8220 memset(key_name, 0, 16);
8221 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8222 "SHA256", 0);
8223 params[1] = OSSL_PARAM_construct_end();
8224 if (aes128cbc == NULL
8225 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8226 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8227 params))
8228 ret = -1;
8229 else
8230 ret = tick_key_renew ? 2 : 1;
8231
8232 EVP_CIPHER_free(aes128cbc);
8233
8234 return ret;
8235 }
8236
8237 /*
8238 * Test the various ticket callbacks
8239 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8240 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8241 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8242 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8243 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8244 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8245 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8246 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8247 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8248 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8249 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8250 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8251 * Test 12: TLSv1.2, old ticket key callback, no ticket
8252 * Test 13: TLSv1.3, old ticket key callback, no ticket
8253 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8254 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8255 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8256 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8257 * Test 18: TLSv1.2, ticket key callback, no ticket
8258 * Test 19: TLSv1.3, ticket key callback, no ticket
8259 */
8260 static int test_ticket_callbacks(int tst)
8261 {
8262 SSL_CTX *cctx = NULL, *sctx = NULL;
8263 SSL *clientssl = NULL, *serverssl = NULL;
8264 SSL_SESSION *clntsess = NULL;
8265 int testresult = 0;
8266
8267 #ifdef OPENSSL_NO_TLS1_2
8268 if (tst % 2 == 0)
8269 return 1;
8270 #endif
8271 #ifdef OSSL_NO_USABLE_TLS1_3
8272 if (tst % 2 == 1)
8273 return 1;
8274 #endif
8275 #ifdef OPENSSL_NO_DEPRECATED_3_0
8276 if (tst >= 8 && tst <= 13)
8277 return 1;
8278 #endif
8279
8280 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8281
8282 /* Which tests the ticket key callback should request renewal for */
8283
8284 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8285 tick_key_renew = 1;
8286 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8287 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8288 else
8289 tick_key_renew = 0;
8290
8291 /* Which tests the decrypt ticket callback should request renewal for */
8292 switch (tst) {
8293 case 0:
8294 case 1:
8295 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8296 break;
8297
8298 case 2:
8299 case 3:
8300 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8301 break;
8302
8303 case 4:
8304 case 5:
8305 tick_dec_ret = SSL_TICKET_RETURN_USE;
8306 break;
8307
8308 case 6:
8309 case 7:
8310 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8311 break;
8312
8313 default:
8314 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8315 }
8316
8317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8318 TLS_client_method(),
8319 TLS1_VERSION,
8320 ((tst % 2) == 0) ? TLS1_2_VERSION
8321 : TLS1_3_VERSION,
8322 &sctx, &cctx, cert, privkey)))
8323 goto end;
8324
8325 /*
8326 * We only want sessions to resume from tickets - not the session cache. So
8327 * switch the cache off.
8328 */
8329 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8330 goto end;
8331
8332 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8333 NULL)))
8334 goto end;
8335
8336 if (tst >= 14) {
8337 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8338 goto end;
8339 #ifndef OPENSSL_NO_DEPRECATED_3_0
8340 } else if (tst >= 8) {
8341 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8342 goto end;
8343 #endif
8344 }
8345
8346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8347 NULL, NULL))
8348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8349 SSL_ERROR_NONE)))
8350 goto end;
8351
8352 /*
8353 * The decrypt ticket key callback in TLSv1.2 should be called even though
8354 * we have no ticket yet, because it gets called with a status of
8355 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8356 * actually send any ticket data). This does not happen in TLSv1.3 because
8357 * it is not valid to send empty ticket data in TLSv1.3.
8358 */
8359 if (!TEST_int_eq(gen_tick_called, 1)
8360 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8361 goto end;
8362
8363 gen_tick_called = dec_tick_called = 0;
8364
8365 clntsess = SSL_get1_session(clientssl);
8366 SSL_shutdown(clientssl);
8367 SSL_shutdown(serverssl);
8368 SSL_free(serverssl);
8369 SSL_free(clientssl);
8370 serverssl = clientssl = NULL;
8371
8372 /* Now do a resumption */
8373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8374 NULL))
8375 || !TEST_true(SSL_set_session(clientssl, clntsess))
8376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8377 SSL_ERROR_NONE)))
8378 goto end;
8379
8380 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8381 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8382 || tick_key_renew == -1) {
8383 if (!TEST_false(SSL_session_reused(clientssl)))
8384 goto end;
8385 } else {
8386 if (!TEST_true(SSL_session_reused(clientssl)))
8387 goto end;
8388 }
8389
8390 if (!TEST_int_eq(gen_tick_called,
8391 (tick_key_renew
8392 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8393 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8394 ? 1 : 0)
8395 /* There is no ticket to decrypt in tests 13 and 19 */
8396 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8397 goto end;
8398
8399 testresult = 1;
8400
8401 end:
8402 SSL_SESSION_free(clntsess);
8403 SSL_free(serverssl);
8404 SSL_free(clientssl);
8405 SSL_CTX_free(sctx);
8406 SSL_CTX_free(cctx);
8407
8408 return testresult;
8409 }
8410
8411 /*
8412 * Test incorrect shutdown.
8413 * Test 0: client does not shutdown properly,
8414 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8415 * server should get SSL_ERROR_SSL
8416 * Test 1: client does not shutdown properly,
8417 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8418 * server should get SSL_ERROR_ZERO_RETURN
8419 */
8420 static int test_incorrect_shutdown(int tst)
8421 {
8422 SSL_CTX *cctx = NULL, *sctx = NULL;
8423 SSL *clientssl = NULL, *serverssl = NULL;
8424 int testresult = 0;
8425 char buf[80];
8426 BIO *c2s;
8427
8428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8429 TLS_client_method(), 0, 0,
8430 &sctx, &cctx, cert, privkey)))
8431 goto end;
8432
8433 if (tst == 1)
8434 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8435
8436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8437 NULL, NULL)))
8438 goto end;
8439
8440 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8441 SSL_ERROR_NONE)))
8442 goto end;
8443
8444 c2s = SSL_get_rbio(serverssl);
8445 BIO_set_mem_eof_return(c2s, 0);
8446
8447 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8448 goto end;
8449
8450 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8451 goto end;
8452 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8453 goto end;
8454
8455 testresult = 1;
8456
8457 end:
8458 SSL_free(serverssl);
8459 SSL_free(clientssl);
8460 SSL_CTX_free(sctx);
8461 SSL_CTX_free(cctx);
8462
8463 return testresult;
8464 }
8465
8466 /*
8467 * Test bi-directional shutdown.
8468 * Test 0: TLSv1.2
8469 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8470 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8471 * Test 3: TLSv1.3, pending NewSessionTicket messages
8472 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8473 * sends key update, client reads it
8474 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8475 * sends CertificateRequest, client reads and ignores it
8476 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8477 * doesn't read it
8478 */
8479 static int test_shutdown(int tst)
8480 {
8481 SSL_CTX *cctx = NULL, *sctx = NULL;
8482 SSL *clientssl = NULL, *serverssl = NULL;
8483 int testresult = 0;
8484 char msg[] = "A test message";
8485 char buf[80];
8486 size_t written, readbytes;
8487 SSL_SESSION *sess;
8488
8489 #ifdef OPENSSL_NO_TLS1_2
8490 if (tst <= 1)
8491 return 1;
8492 #endif
8493 #ifdef OSSL_NO_USABLE_TLS1_3
8494 if (tst >= 2)
8495 return 1;
8496 #endif
8497
8498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8499 TLS_client_method(),
8500 TLS1_VERSION,
8501 (tst <= 1) ? TLS1_2_VERSION
8502 : TLS1_3_VERSION,
8503 &sctx, &cctx, cert, privkey)))
8504 goto end;
8505
8506 if (tst == 5)
8507 SSL_CTX_set_post_handshake_auth(cctx, 1);
8508
8509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8510 NULL, NULL)))
8511 goto end;
8512
8513 if (tst == 3) {
8514 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8515 SSL_ERROR_NONE, 1, 0))
8516 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8517 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8518 goto end;
8519 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8520 SSL_ERROR_NONE))
8521 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8522 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8523 goto end;
8524 }
8525
8526 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8527 goto end;
8528
8529 if (tst >= 4) {
8530 /*
8531 * Reading on the server after the client has sent close_notify should
8532 * fail and provide SSL_ERROR_ZERO_RETURN
8533 */
8534 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8535 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8536 SSL_ERROR_ZERO_RETURN)
8537 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8538 SSL_RECEIVED_SHUTDOWN)
8539 /*
8540 * Even though we're shutdown on receive we should still be
8541 * able to write.
8542 */
8543 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8544 goto end;
8545 if (tst == 4
8546 && !TEST_true(SSL_key_update(serverssl,
8547 SSL_KEY_UPDATE_REQUESTED)))
8548 goto end;
8549 if (tst == 5) {
8550 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8551 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8552 goto end;
8553 }
8554 if ((tst == 4 || tst == 5)
8555 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8556 goto end;
8557 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8558 goto end;
8559 if (tst == 4 || tst == 5) {
8560 /* Should still be able to read data from server */
8561 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8562 &readbytes))
8563 || !TEST_size_t_eq(readbytes, sizeof(msg))
8564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8565 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8566 &readbytes))
8567 || !TEST_size_t_eq(readbytes, sizeof(msg))
8568 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8569 goto end;
8570 }
8571 }
8572
8573 /* Writing on the client after sending close_notify shouldn't be possible */
8574 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8575 goto end;
8576
8577 if (tst < 4) {
8578 /*
8579 * For these tests the client has sent close_notify but it has not yet
8580 * been received by the server. The server has not sent close_notify
8581 * yet.
8582 */
8583 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8584 /*
8585 * Writing on the server after sending close_notify shouldn't
8586 * be possible.
8587 */
8588 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8589 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8590 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8591 || !TEST_true(SSL_SESSION_is_resumable(sess))
8592 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8593 goto end;
8594 } else if (tst == 4 || tst == 5) {
8595 /*
8596 * In this test the client has sent close_notify and it has been
8597 * received by the server which has responded with a close_notify. The
8598 * client needs to read the close_notify sent by the server.
8599 */
8600 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8601 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8602 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8603 goto end;
8604 } else {
8605 /*
8606 * tst == 6
8607 *
8608 * The client has sent close_notify and is expecting a close_notify
8609 * back, but instead there is application data first. The shutdown
8610 * should fail with a fatal error.
8611 */
8612 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8613 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8614 goto end;
8615 }
8616
8617 testresult = 1;
8618
8619 end:
8620 SSL_free(serverssl);
8621 SSL_free(clientssl);
8622 SSL_CTX_free(sctx);
8623 SSL_CTX_free(cctx);
8624
8625 return testresult;
8626 }
8627
8628 /*
8629 * Test that sending close_notify alerts works correctly in the case of a
8630 * retryable write failure.
8631 */
8632 static int test_async_shutdown(void)
8633 {
8634 SSL_CTX *cctx = NULL, *sctx = NULL;
8635 SSL *clientssl = NULL, *serverssl = NULL;
8636 int testresult = 0;
8637 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8638
8639 if (!TEST_ptr(bretry))
8640 goto end;
8641
8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8643 TLS_client_method(),
8644 0, 0,
8645 &sctx, &cctx, cert, privkey)))
8646 goto end;
8647
8648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8649 NULL)))
8650 goto end;
8651
8652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8653 goto end;
8654
8655 /* Close write side of clientssl */
8656 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8657 goto end;
8658
8659 tmp = SSL_get_wbio(serverssl);
8660 if (!TEST_true(BIO_up_ref(tmp))) {
8661 tmp = NULL;
8662 goto end;
8663 }
8664 SSL_set0_wbio(serverssl, bretry);
8665 bretry = NULL;
8666
8667 /* First server shutdown should fail because of a retrable write failure */
8668 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8669 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8670 goto end;
8671
8672 /* Second server shutdown should fail for the same reason */
8673 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8674 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8675 goto end;
8676
8677 SSL_set0_wbio(serverssl, tmp);
8678 tmp = NULL;
8679
8680 /* Third server shutdown should send close_notify */
8681 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8682 goto end;
8683
8684 /* Fourth server shutdown should read close_notify from client and finish */
8685 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8686 goto end;
8687
8688 /* Client should also successfully fully shutdown */
8689 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8690 goto end;
8691
8692 testresult = 1;
8693 end:
8694 SSL_free(serverssl);
8695 SSL_free(clientssl);
8696 SSL_CTX_free(sctx);
8697 SSL_CTX_free(cctx);
8698 BIO_free(bretry);
8699 BIO_free(tmp);
8700
8701 return testresult;
8702 }
8703
8704 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8705 static int cert_cb_cnt;
8706
8707 static int cert_cb(SSL *s, void *arg)
8708 {
8709 SSL_CTX *ctx = (SSL_CTX *)arg;
8710 BIO *in = NULL;
8711 EVP_PKEY *pkey = NULL;
8712 X509 *x509 = NULL, *rootx = NULL;
8713 STACK_OF(X509) *chain = NULL;
8714 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8715 int ret = 0;
8716
8717 if (cert_cb_cnt == 0) {
8718 /* Suspend the handshake */
8719 cert_cb_cnt++;
8720 return -1;
8721 } else if (cert_cb_cnt == 1) {
8722 /*
8723 * Update the SSL_CTX, set the certificate and private key and then
8724 * continue the handshake normally.
8725 */
8726 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8727 return 0;
8728
8729 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8730 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8731 SSL_FILETYPE_PEM))
8732 || !TEST_true(SSL_check_private_key(s)))
8733 return 0;
8734 cert_cb_cnt++;
8735 return 1;
8736 } else if (cert_cb_cnt == 3) {
8737 int rv;
8738
8739 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8740 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8741 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8742 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8743 goto out;
8744 chain = sk_X509_new_null();
8745 if (!TEST_ptr(chain))
8746 goto out;
8747 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8748 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8749 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8750 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8751 || !TEST_true(sk_X509_push(chain, rootx)))
8752 goto out;
8753 rootx = NULL;
8754 BIO_free(in);
8755 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8756 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8757 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8758 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8759 goto out;
8760 BIO_free(in);
8761 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8762 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8763 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8764 NULL, NULL,
8765 libctx, NULL)))
8766 goto out;
8767 rv = SSL_check_chain(s, x509, pkey, chain);
8768 /*
8769 * If the cert doesn't show as valid here (e.g., because we don't
8770 * have any shared sigalgs), then we will not set it, and there will
8771 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8772 * will cause tls_choose_sigalgs() to fail the connection.
8773 */
8774 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8775 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8776 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8777 goto out;
8778 }
8779
8780 ret = 1;
8781 }
8782
8783 /* Abort the handshake */
8784 out:
8785 OPENSSL_free(ecdsacert);
8786 OPENSSL_free(ecdsakey);
8787 OPENSSL_free(rootfile);
8788 BIO_free(in);
8789 EVP_PKEY_free(pkey);
8790 X509_free(x509);
8791 X509_free(rootx);
8792 OSSL_STACK_OF_X509_free(chain);
8793 return ret;
8794 }
8795
8796 /*
8797 * Test the certificate callback.
8798 * Test 0: Callback fails
8799 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8800 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8801 * Test 3: Success - Call SSL_check_chain from the callback
8802 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8803 * chain
8804 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8805 */
8806 static int test_cert_cb_int(int prot, int tst)
8807 {
8808 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8809 SSL *clientssl = NULL, *serverssl = NULL;
8810 int testresult = 0, ret;
8811
8812 #ifdef OPENSSL_NO_EC
8813 /* We use an EC cert in these tests, so we skip in a no-ec build */
8814 if (tst >= 3)
8815 return 1;
8816 #endif
8817
8818 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8819 TLS_client_method(),
8820 TLS1_VERSION,
8821 prot,
8822 &sctx, &cctx, NULL, NULL)))
8823 goto end;
8824
8825 if (tst == 0)
8826 cert_cb_cnt = -1;
8827 else if (tst >= 3)
8828 cert_cb_cnt = 3;
8829 else
8830 cert_cb_cnt = 0;
8831
8832 if (tst == 2) {
8833 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8834 if (!TEST_ptr(snictx))
8835 goto end;
8836 }
8837
8838 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8839
8840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8841 NULL, NULL)))
8842 goto end;
8843
8844 if (tst == 4) {
8845 /*
8846 * We cause SSL_check_chain() to fail by specifying sig_algs that
8847 * the chain doesn't meet (the root uses an RSA cert)
8848 */
8849 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8850 "ecdsa_secp256r1_sha256")))
8851 goto end;
8852 } else if (tst == 5) {
8853 /*
8854 * We cause SSL_check_chain() to fail by specifying sig_algs that
8855 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8856 */
8857 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8858 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8859 goto end;
8860 }
8861
8862 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8863 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8864 || (tst > 0
8865 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8866 goto end;
8867 }
8868
8869 testresult = 1;
8870
8871 end:
8872 SSL_free(serverssl);
8873 SSL_free(clientssl);
8874 SSL_CTX_free(sctx);
8875 SSL_CTX_free(cctx);
8876 SSL_CTX_free(snictx);
8877
8878 return testresult;
8879 }
8880 #endif
8881
8882 static int test_cert_cb(int tst)
8883 {
8884 int testresult = 1;
8885
8886 #ifndef OPENSSL_NO_TLS1_2
8887 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8888 #endif
8889 #ifndef OSSL_NO_USABLE_TLS1_3
8890 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8891 #endif
8892
8893 return testresult;
8894 }
8895
8896 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8897 {
8898 X509 *xcert;
8899 EVP_PKEY *privpkey;
8900 BIO *in = NULL;
8901 BIO *priv_in = NULL;
8902
8903 /* Check that SSL_get0_peer_certificate() returns something sensible */
8904 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8905 return 0;
8906
8907 in = BIO_new_file(cert, "r");
8908 if (!TEST_ptr(in))
8909 return 0;
8910
8911 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8912 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8913 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8914 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8915 NULL, NULL,
8916 libctx, NULL)))
8917 goto err;
8918
8919 *x509 = xcert;
8920 *pkey = privpkey;
8921
8922 BIO_free(in);
8923 BIO_free(priv_in);
8924 return 1;
8925 err:
8926 X509_free(xcert);
8927 BIO_free(in);
8928 BIO_free(priv_in);
8929 return 0;
8930 }
8931
8932 static int test_client_cert_cb(int tst)
8933 {
8934 SSL_CTX *cctx = NULL, *sctx = NULL;
8935 SSL *clientssl = NULL, *serverssl = NULL;
8936 int testresult = 0;
8937
8938 #ifdef OPENSSL_NO_TLS1_2
8939 if (tst == 0)
8940 return 1;
8941 #endif
8942 #ifdef OSSL_NO_USABLE_TLS1_3
8943 if (tst == 1)
8944 return 1;
8945 #endif
8946
8947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8948 TLS_client_method(),
8949 TLS1_VERSION,
8950 tst == 0 ? TLS1_2_VERSION
8951 : TLS1_3_VERSION,
8952 &sctx, &cctx, cert, privkey)))
8953 goto end;
8954
8955 /*
8956 * Test that setting a client_cert_cb results in a client certificate being
8957 * sent.
8958 */
8959 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8960 SSL_CTX_set_verify(sctx,
8961 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8962 verify_cb);
8963
8964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8965 NULL, NULL))
8966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8967 SSL_ERROR_NONE)))
8968 goto end;
8969
8970 testresult = 1;
8971
8972 end:
8973 SSL_free(serverssl);
8974 SSL_free(clientssl);
8975 SSL_CTX_free(sctx);
8976 SSL_CTX_free(cctx);
8977
8978 return testresult;
8979 }
8980
8981 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8982 /*
8983 * Test setting certificate authorities on both client and server.
8984 *
8985 * Test 0: SSL_CTX_set0_CA_list() only
8986 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8987 * Test 2: Only SSL_CTX_set_client_CA_list()
8988 */
8989 static int test_ca_names_int(int prot, int tst)
8990 {
8991 SSL_CTX *cctx = NULL, *sctx = NULL;
8992 SSL *clientssl = NULL, *serverssl = NULL;
8993 int testresult = 0;
8994 size_t i;
8995 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8996 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8997 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8998 const STACK_OF(X509_NAME) *sktmp = NULL;
8999
9000 for (i = 0; i < OSSL_NELEM(name); i++) {
9001 name[i] = X509_NAME_new();
9002 if (!TEST_ptr(name[i])
9003 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9004 MBSTRING_ASC,
9005 (unsigned char *)
9006 strnames[i],
9007 -1, -1, 0)))
9008 goto end;
9009 }
9010
9011 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9012 TLS_client_method(),
9013 TLS1_VERSION,
9014 prot,
9015 &sctx, &cctx, cert, privkey)))
9016 goto end;
9017
9018 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9019
9020 if (tst == 0 || tst == 1) {
9021 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9022 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9023 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9024 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9025 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9026 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9027 goto end;
9028
9029 SSL_CTX_set0_CA_list(sctx, sk1);
9030 SSL_CTX_set0_CA_list(cctx, sk2);
9031 sk1 = sk2 = NULL;
9032 }
9033 if (tst == 1 || tst == 2) {
9034 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9035 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9036 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9037 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9038 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9039 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9040 goto end;
9041
9042 SSL_CTX_set_client_CA_list(sctx, sk1);
9043 SSL_CTX_set_client_CA_list(cctx, sk2);
9044 sk1 = sk2 = NULL;
9045 }
9046
9047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9048 NULL, NULL))
9049 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9050 SSL_ERROR_NONE)))
9051 goto end;
9052
9053 /*
9054 * We only expect certificate authorities to have been sent to the server
9055 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9056 */
9057 sktmp = SSL_get0_peer_CA_list(serverssl);
9058 if (prot == TLS1_3_VERSION
9059 && (tst == 0 || tst == 1)) {
9060 if (!TEST_ptr(sktmp)
9061 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9062 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9063 name[0]), 0)
9064 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9065 name[1]), 0))
9066 goto end;
9067 } else if (!TEST_ptr_null(sktmp)) {
9068 goto end;
9069 }
9070
9071 /*
9072 * In all tests we expect certificate authorities to have been sent to the
9073 * client. However, SSL_set_client_CA_list() should override
9074 * SSL_set0_CA_list()
9075 */
9076 sktmp = SSL_get0_peer_CA_list(clientssl);
9077 if (!TEST_ptr(sktmp)
9078 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9079 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9080 name[tst == 0 ? 0 : 2]), 0)
9081 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9082 name[tst == 0 ? 1 : 3]), 0))
9083 goto end;
9084
9085 testresult = 1;
9086
9087 end:
9088 SSL_free(serverssl);
9089 SSL_free(clientssl);
9090 SSL_CTX_free(sctx);
9091 SSL_CTX_free(cctx);
9092 for (i = 0; i < OSSL_NELEM(name); i++)
9093 X509_NAME_free(name[i]);
9094 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9095 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9096
9097 return testresult;
9098 }
9099 #endif
9100
9101 static int test_ca_names(int tst)
9102 {
9103 int testresult = 1;
9104
9105 #ifndef OPENSSL_NO_TLS1_2
9106 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9107 #endif
9108 #ifndef OSSL_NO_USABLE_TLS1_3
9109 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9110 #endif
9111
9112 return testresult;
9113 }
9114
9115 #ifndef OPENSSL_NO_TLS1_2
9116 static const char *multiblock_cipherlist_data[]=
9117 {
9118 "AES128-SHA",
9119 "AES128-SHA256",
9120 "AES256-SHA",
9121 "AES256-SHA256",
9122 };
9123
9124 /* Reduce the fragment size - so the multiblock test buffer can be small */
9125 # define MULTIBLOCK_FRAGSIZE 512
9126
9127 static int test_multiblock_write(int test_index)
9128 {
9129 static const char *fetchable_ciphers[]=
9130 {
9131 "AES-128-CBC-HMAC-SHA1",
9132 "AES-128-CBC-HMAC-SHA256",
9133 "AES-256-CBC-HMAC-SHA1",
9134 "AES-256-CBC-HMAC-SHA256"
9135 };
9136 const char *cipherlist = multiblock_cipherlist_data[test_index];
9137 const SSL_METHOD *smeth = TLS_server_method();
9138 const SSL_METHOD *cmeth = TLS_client_method();
9139 int min_version = TLS1_VERSION;
9140 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9141 SSL_CTX *cctx = NULL, *sctx = NULL;
9142 SSL *clientssl = NULL, *serverssl = NULL;
9143 int testresult = 0;
9144
9145 /*
9146 * Choose a buffer large enough to perform a multi-block operation
9147 * i.e: write_len >= 4 * frag_size
9148 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9149 */
9150 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9151 unsigned char buf[sizeof(msg)], *p = buf;
9152 size_t readbytes, written, len;
9153 EVP_CIPHER *ciph = NULL;
9154
9155 /*
9156 * Check if the cipher exists before attempting to use it since it only has
9157 * a hardware specific implementation.
9158 */
9159 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9160 if (ciph == NULL) {
9161 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9162 return 1;
9163 }
9164 EVP_CIPHER_free(ciph);
9165
9166 /* Set up a buffer with some data that will be sent to the client */
9167 RAND_bytes(msg, sizeof(msg));
9168
9169 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9170 max_version, &sctx, &cctx, cert,
9171 privkey)))
9172 goto end;
9173
9174 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9175 goto end;
9176
9177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9178 NULL, NULL)))
9179 goto end;
9180
9181 /* settings to force it to use AES-CBC-HMAC_SHA */
9182 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9183 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9184 goto end;
9185
9186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9187 goto end;
9188
9189 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9190 || !TEST_size_t_eq(written, sizeof(msg)))
9191 goto end;
9192
9193 len = written;
9194 while (len > 0) {
9195 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9196 goto end;
9197 p += readbytes;
9198 len -= readbytes;
9199 }
9200 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9201 goto end;
9202
9203 testresult = 1;
9204 end:
9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9207 SSL_CTX_free(sctx);
9208 SSL_CTX_free(cctx);
9209
9210 return testresult;
9211 }
9212 #endif /* OPENSSL_NO_TLS1_2 */
9213
9214 static int test_session_timeout(int test)
9215 {
9216 /*
9217 * Test session ordering and timeout
9218 * Can't explicitly test performance of the new code,
9219 * but can test to see if the ordering of the sessions
9220 * are correct, and they are removed as expected
9221 */
9222 SSL_SESSION *early = NULL;
9223 SSL_SESSION *middle = NULL;
9224 SSL_SESSION *late = NULL;
9225 SSL_CTX *ctx;
9226 int testresult = 0;
9227 long now = (long)time(NULL);
9228 #define TIMEOUT 10
9229
9230 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9231 || !TEST_ptr(early = SSL_SESSION_new())
9232 || !TEST_ptr(middle = SSL_SESSION_new())
9233 || !TEST_ptr(late = SSL_SESSION_new()))
9234 goto end;
9235
9236 /* assign unique session ids */
9237 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9238 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9239 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9240 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9241 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9242 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9243
9244 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9245 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9246 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9247 goto end;
9248
9249 /* Make sure they are all added */
9250 if (!TEST_ptr(early->prev)
9251 || !TEST_ptr(middle->prev)
9252 || !TEST_ptr(late->prev))
9253 goto end;
9254
9255 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9256 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9257 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9258 goto end;
9259
9260 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9261 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9262 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9263 goto end;
9264
9265 /* Make sure they are all still there */
9266 if (!TEST_ptr(early->prev)
9267 || !TEST_ptr(middle->prev)
9268 || !TEST_ptr(late->prev))
9269 goto end;
9270
9271 /* Make sure they are in the expected order */
9272 if (!TEST_ptr_eq(late->next, middle)
9273 || !TEST_ptr_eq(middle->next, early)
9274 || !TEST_ptr_eq(early->prev, middle)
9275 || !TEST_ptr_eq(middle->prev, late))
9276 goto end;
9277
9278 /* This should remove "early" */
9279 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9280 if (!TEST_ptr_null(early->prev)
9281 || !TEST_ptr(middle->prev)
9282 || !TEST_ptr(late->prev))
9283 goto end;
9284
9285 /* This should remove "middle" */
9286 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9287 if (!TEST_ptr_null(early->prev)
9288 || !TEST_ptr_null(middle->prev)
9289 || !TEST_ptr(late->prev))
9290 goto end;
9291
9292 /* This should remove "late" */
9293 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9294 if (!TEST_ptr_null(early->prev)
9295 || !TEST_ptr_null(middle->prev)
9296 || !TEST_ptr_null(late->prev))
9297 goto end;
9298
9299 /* Add them back in again */
9300 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9301 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9302 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9303 goto end;
9304
9305 /* Make sure they are all added */
9306 if (!TEST_ptr(early->prev)
9307 || !TEST_ptr(middle->prev)
9308 || !TEST_ptr(late->prev))
9309 goto end;
9310
9311 /* This should remove all of them */
9312 SSL_CTX_flush_sessions(ctx, 0);
9313 if (!TEST_ptr_null(early->prev)
9314 || !TEST_ptr_null(middle->prev)
9315 || !TEST_ptr_null(late->prev))
9316 goto end;
9317
9318 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9319 | SSL_CTX_get_session_cache_mode(ctx));
9320
9321 /* make sure |now| is NOT equal to the current time */
9322 now -= 10;
9323 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9324 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9325 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9326 goto end;
9327
9328 testresult = 1;
9329 end:
9330 SSL_CTX_free(ctx);
9331 SSL_SESSION_free(early);
9332 SSL_SESSION_free(middle);
9333 SSL_SESSION_free(late);
9334 return testresult;
9335 }
9336
9337 /*
9338 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9339 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9340 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9341 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9342 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9343 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9344 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9345 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9346 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9347 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9348 */
9349 static int test_servername(int tst)
9350 {
9351 SSL_CTX *cctx = NULL, *sctx = NULL;
9352 SSL *clientssl = NULL, *serverssl = NULL;
9353 int testresult = 0;
9354 SSL_SESSION *sess = NULL;
9355 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9356
9357 #ifdef OPENSSL_NO_TLS1_2
9358 if (tst <= 4)
9359 return 1;
9360 #endif
9361 #ifdef OSSL_NO_USABLE_TLS1_3
9362 if (tst >= 5)
9363 return 1;
9364 #endif
9365
9366 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9367 TLS_client_method(),
9368 TLS1_VERSION,
9369 (tst <= 4) ? TLS1_2_VERSION
9370 : TLS1_3_VERSION,
9371 &sctx, &cctx, cert, privkey))
9372 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9373 NULL, NULL)))
9374 goto end;
9375
9376 if (tst != 1 && tst != 6) {
9377 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9378 hostname_cb)))
9379 goto end;
9380 }
9381
9382 if (tst != 3 && tst != 8) {
9383 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9384 goto end;
9385 sexpectedhost = cexpectedhost = "goodhost";
9386 }
9387
9388 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9389 goto end;
9390
9391 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9392 cexpectedhost)
9393 || !TEST_str_eq(SSL_get_servername(serverssl,
9394 TLSEXT_NAMETYPE_host_name),
9395 sexpectedhost))
9396 goto end;
9397
9398 /* Now repeat with a resumption handshake */
9399
9400 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9401 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9402 || !TEST_true(SSL_SESSION_is_resumable(sess))
9403 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9404 goto end;
9405
9406 SSL_free(clientssl);
9407 SSL_free(serverssl);
9408 clientssl = serverssl = NULL;
9409
9410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9411 NULL)))
9412 goto end;
9413
9414 if (!TEST_true(SSL_set_session(clientssl, sess)))
9415 goto end;
9416
9417 sexpectedhost = cexpectedhost = "goodhost";
9418 if (tst == 2 || tst == 7) {
9419 /* Set an inconsistent hostname */
9420 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9421 goto end;
9422 /*
9423 * In TLSv1.2 we expect the hostname from the original handshake, in
9424 * TLSv1.3 we expect the hostname from this handshake
9425 */
9426 if (tst == 7)
9427 sexpectedhost = cexpectedhost = "altgoodhost";
9428
9429 if (!TEST_str_eq(SSL_get_servername(clientssl,
9430 TLSEXT_NAMETYPE_host_name),
9431 "altgoodhost"))
9432 goto end;
9433 } else if (tst == 4 || tst == 9) {
9434 /*
9435 * A TLSv1.3 session does not associate a session with a servername,
9436 * but a TLSv1.2 session does.
9437 */
9438 if (tst == 9)
9439 sexpectedhost = cexpectedhost = NULL;
9440
9441 if (!TEST_str_eq(SSL_get_servername(clientssl,
9442 TLSEXT_NAMETYPE_host_name),
9443 cexpectedhost))
9444 goto end;
9445 } else {
9446 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9447 goto end;
9448 /*
9449 * In a TLSv1.2 resumption where the hostname was not acknowledged
9450 * we expect the hostname on the server to be empty. On the client we
9451 * return what was requested in this case.
9452 *
9453 * Similarly if the client didn't set a hostname on an original TLSv1.2
9454 * session but is now, the server hostname will be empty, but the client
9455 * is as we set it.
9456 */
9457 if (tst == 1 || tst == 3)
9458 sexpectedhost = NULL;
9459
9460 if (!TEST_str_eq(SSL_get_servername(clientssl,
9461 TLSEXT_NAMETYPE_host_name),
9462 "goodhost"))
9463 goto end;
9464 }
9465
9466 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9467 goto end;
9468
9469 if (!TEST_true(SSL_session_reused(clientssl))
9470 || !TEST_true(SSL_session_reused(serverssl))
9471 || !TEST_str_eq(SSL_get_servername(clientssl,
9472 TLSEXT_NAMETYPE_host_name),
9473 cexpectedhost)
9474 || !TEST_str_eq(SSL_get_servername(serverssl,
9475 TLSEXT_NAMETYPE_host_name),
9476 sexpectedhost))
9477 goto end;
9478
9479 testresult = 1;
9480
9481 end:
9482 SSL_SESSION_free(sess);
9483 SSL_free(serverssl);
9484 SSL_free(clientssl);
9485 SSL_CTX_free(sctx);
9486 SSL_CTX_free(cctx);
9487
9488 return testresult;
9489 }
9490
9491 static int test_unknown_sigalgs_groups(void)
9492 {
9493 int ret = 0;
9494 SSL_CTX *ctx = NULL;
9495
9496 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9497 goto end;
9498
9499 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9500 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9501 0))
9502 goto end;
9503 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9504 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9505 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9506 goto end;
9507
9508 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9509 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9510 0))
9511 goto end;
9512 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9513 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9514 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9515 goto end;
9516
9517 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9518 "nonexistent"),
9519 0))
9520 goto end;
9521
9522 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9523 "?nonexistent1:?nonexistent2:?nonexistent3"),
9524 0))
9525 goto end;
9526
9527 #ifndef OPENSSL_NO_EC
9528 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9529 "P-256:nonexistent"),
9530 0))
9531 goto end;
9532
9533 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9534 "P-384:?nonexistent:?P-521"),
9535 0))
9536 goto end;
9537 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9538 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9539 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9540 goto end;
9541 #endif
9542
9543 ret = 1;
9544 end:
9545 SSL_CTX_free(ctx);
9546 return ret;
9547 }
9548
9549 #if !defined(OPENSSL_NO_EC) \
9550 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9551 /*
9552 * Test that if signature algorithms are not available, then we do not offer or
9553 * accept them.
9554 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9555 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9556 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9557 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9558 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9559 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9560 */
9561 static int test_sigalgs_available(int idx)
9562 {
9563 SSL_CTX *cctx = NULL, *sctx = NULL;
9564 SSL *clientssl = NULL, *serverssl = NULL;
9565 int testresult = 0;
9566 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9567 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9568 OSSL_PROVIDER *filterprov = NULL;
9569 int sig, hash;
9570
9571 if (!TEST_ptr(tmpctx))
9572 goto end;
9573
9574 if (idx != 0 && idx != 3) {
9575 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9576 filter_provider_init)))
9577 goto end;
9578
9579 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9580 if (!TEST_ptr(filterprov))
9581 goto end;
9582
9583 if (idx < 3) {
9584 /*
9585 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9586 * or accepted for the peer that uses this libctx. Note that libssl
9587 * *requires* SHA2-256 to be available so we cannot disable that. We
9588 * also need SHA1 for our certificate.
9589 */
9590 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9591 "SHA2-256:SHA1")))
9592 goto end;
9593 } else {
9594 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9595 "ECDSA"))
9596 # ifdef OPENSSL_NO_ECX
9597 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9598 # else
9599 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9600 "EC:X25519:X448"))
9601 # endif
9602 )
9603 goto end;
9604 }
9605
9606 if (idx == 1 || idx == 4)
9607 clientctx = tmpctx;
9608 else
9609 serverctx = tmpctx;
9610 }
9611
9612 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9613 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9614 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9615 goto end;
9616
9617 if (idx != 5) {
9618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9619 TLS_client_method(),
9620 TLS1_VERSION,
9621 0,
9622 &sctx, &cctx, cert, privkey)))
9623 goto end;
9624 } else {
9625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9626 TLS_client_method(),
9627 TLS1_VERSION,
9628 0,
9629 &sctx, &cctx, cert2, privkey2)))
9630 goto end;
9631 }
9632
9633 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9634 if (idx < 4) {
9635 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9636 "ECDHE-RSA-AES128-GCM-SHA256")))
9637 goto end;
9638 } else {
9639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9640 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9641 goto end;
9642 }
9643
9644 if (idx < 3) {
9645 if (!SSL_CTX_set1_sigalgs_list(cctx,
9646 "rsa_pss_rsae_sha384"
9647 ":rsa_pss_rsae_sha256")
9648 || !SSL_CTX_set1_sigalgs_list(sctx,
9649 "rsa_pss_rsae_sha384"
9650 ":rsa_pss_rsae_sha256"))
9651 goto end;
9652 } else {
9653 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9654 || !SSL_CTX_set1_sigalgs_list(sctx,
9655 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9656 goto end;
9657 }
9658
9659 if (idx != 5
9660 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9661 SSL_FILETYPE_PEM), 1)
9662 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9663 privkey2,
9664 SSL_FILETYPE_PEM), 1)
9665 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9666 goto end;
9667
9668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9669 NULL, NULL)))
9670 goto end;
9671
9672 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9673 goto end;
9674
9675 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9676 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9677 NULL, NULL),
9678 (idx == 0 || idx == 3) ? 2 : 1))
9679 goto end;
9680
9681 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9682 goto end;
9683
9684 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9685 : NID_rsassaPss))
9686 goto end;
9687
9688 testresult = filter_provider_check_clean_finish();
9689
9690 end:
9691 SSL_free(serverssl);
9692 SSL_free(clientssl);
9693 SSL_CTX_free(sctx);
9694 SSL_CTX_free(cctx);
9695 OSSL_PROVIDER_unload(filterprov);
9696 OSSL_LIB_CTX_free(tmpctx);
9697
9698 return testresult;
9699 }
9700 #endif /*
9701 * !defined(OPENSSL_NO_EC) \
9702 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9703 */
9704
9705 #ifndef OPENSSL_NO_TLS1_3
9706 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9707 static int test_pluggable_group(int idx)
9708 {
9709 SSL_CTX *cctx = NULL, *sctx = NULL;
9710 SSL *clientssl = NULL, *serverssl = NULL;
9711 int testresult = 0;
9712 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9713 /* Check that we are not impacted by a provider without any groups */
9714 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9715 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9716
9717 if (!TEST_ptr(tlsprov))
9718 goto end;
9719
9720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9721 TLS_client_method(),
9722 TLS1_3_VERSION,
9723 TLS1_3_VERSION,
9724 &sctx, &cctx, cert, privkey))
9725 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9726 NULL, NULL)))
9727 goto end;
9728
9729 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9730 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9731 /* removing a single algorithm from the list makes the test pass */
9732 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9733 goto end;
9734
9735 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9736 goto end;
9737
9738 if (!TEST_str_eq(group_name,
9739 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9740 goto end;
9741
9742 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9743 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9744 goto end;
9745
9746 testresult = 1;
9747
9748 end:
9749 SSL_free(serverssl);
9750 SSL_free(clientssl);
9751 SSL_CTX_free(sctx);
9752 SSL_CTX_free(cctx);
9753 OSSL_PROVIDER_unload(tlsprov);
9754 OSSL_PROVIDER_unload(legacyprov);
9755
9756 return testresult;
9757 }
9758
9759 /*
9760 * This function triggers encode, decode and sign functions
9761 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9762 * creating private key and certificate files for use in TLS testing.
9763 */
9764 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9765 {
9766 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9767 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9768 EVP_PKEY *pkey = NULL;
9769 X509 *x509 = X509_new();
9770 X509_NAME *name = NULL;
9771 BIO *keybio = NULL, *certbio = NULL;
9772 int ret = 1;
9773
9774 if (!TEST_ptr(evpctx)
9775 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9776 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9777 || !TEST_ptr(pkey)
9778 || !TEST_ptr(x509)
9779 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9780 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9781 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9782 || !TEST_true(X509_set_pubkey(x509, pkey))
9783 || !TEST_ptr(name = X509_get_subject_name(x509))
9784 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9785 (unsigned char *)"CH", -1, -1, 0))
9786 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9787 (unsigned char *)"test.org", -1, -1, 0))
9788 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9789 (unsigned char *)"localhost", -1, -1, 0))
9790 || !TEST_true(X509_set_issuer_name(x509, name))
9791 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9792 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9793 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9794 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9795 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9796 ret = 0;
9797
9798 EVP_PKEY_free(pkey);
9799 X509_free(x509);
9800 EVP_PKEY_CTX_free(evpctx);
9801 BIO_free(keybio);
9802 BIO_free(certbio);
9803 return ret;
9804 }
9805
9806 /*
9807 * Test that signature algorithms loaded via the provider interface can
9808 * correctly establish a TLS (1.3) connection.
9809 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9810 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9811 * Test 2: Test 0 using RPK
9812 * Test 3: Test 1 using RPK
9813 */
9814 static int test_pluggable_signature(int idx)
9815 {
9816 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
9817 SSL_CTX *cctx = NULL, *sctx = NULL;
9818 SSL *clientssl = NULL, *serverssl = NULL;
9819 int testresult = 0;
9820 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9821 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9822 char *certfilename = "tls-prov-cert.pem";
9823 char *privkeyfilename = "tls-prov-key.pem";
9824 int sigidx = idx % 2;
9825 int rpkidx = idx / 2;
9826
9827 /* create key and certificate for the different algorithm types */
9828 if (!TEST_ptr(tlsprov)
9829 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
9830 goto end;
9831
9832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9833 TLS_client_method(),
9834 TLS1_3_VERSION,
9835 TLS1_3_VERSION,
9836 &sctx, &cctx, certfilename, privkeyfilename))
9837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9838 NULL, NULL)))
9839 goto end;
9840
9841 /* Enable RPK for server cert */
9842 if (rpkidx) {
9843 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9844 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9845 goto end;
9846 }
9847
9848 /* This is necessary to pass minimal setup w/o other groups configured */
9849 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9850 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9851 goto end;
9852
9853 /*
9854 * If this connection gets established, it must have been completed
9855 * via the tls-provider-implemented "hmacsig" algorithm, testing
9856 * both sign and verify functions during handshake.
9857 */
9858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9859 goto end;
9860
9861 /* If using RPK, make sure we got one */
9862 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9863 goto end;
9864
9865 testresult = 1;
9866
9867 end:
9868 SSL_free(serverssl);
9869 SSL_free(clientssl);
9870 SSL_CTX_free(sctx);
9871 SSL_CTX_free(cctx);
9872 OSSL_PROVIDER_unload(tlsprov);
9873 OSSL_PROVIDER_unload(defaultprov);
9874
9875 return testresult;
9876 }
9877 #endif
9878
9879 #ifndef OPENSSL_NO_TLS1_2
9880 static int test_ssl_dup(void)
9881 {
9882 SSL_CTX *cctx = NULL, *sctx = NULL;
9883 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9884 int testresult = 0;
9885 BIO *rbio = NULL, *wbio = NULL;
9886
9887 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9888 TLS_client_method(),
9889 0,
9890 0,
9891 &sctx, &cctx, cert, privkey)))
9892 goto end;
9893
9894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9895 NULL, NULL)))
9896 goto end;
9897
9898 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9899 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9900 goto end;
9901
9902 client2ssl = SSL_dup(clientssl);
9903 rbio = SSL_get_rbio(clientssl);
9904 if (!TEST_ptr(rbio)
9905 || !TEST_true(BIO_up_ref(rbio)))
9906 goto end;
9907 SSL_set0_rbio(client2ssl, rbio);
9908 rbio = NULL;
9909
9910 wbio = SSL_get_wbio(clientssl);
9911 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9912 goto end;
9913 SSL_set0_wbio(client2ssl, wbio);
9914 rbio = NULL;
9915
9916 if (!TEST_ptr(client2ssl)
9917 /* Handshake not started so pointers should be different */
9918 || !TEST_ptr_ne(clientssl, client2ssl))
9919 goto end;
9920
9921 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9922 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9923 goto end;
9924
9925 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9926 goto end;
9927
9928 SSL_free(clientssl);
9929 clientssl = SSL_dup(client2ssl);
9930 if (!TEST_ptr(clientssl)
9931 /* Handshake has finished so pointers should be the same */
9932 || !TEST_ptr_eq(clientssl, client2ssl))
9933 goto end;
9934
9935 testresult = 1;
9936
9937 end:
9938 SSL_free(serverssl);
9939 SSL_free(clientssl);
9940 SSL_free(client2ssl);
9941 SSL_CTX_free(sctx);
9942 SSL_CTX_free(cctx);
9943
9944 return testresult;
9945 }
9946
9947 # ifndef OPENSSL_NO_DH
9948
9949 static EVP_PKEY *tmp_dh_params = NULL;
9950
9951 /* Helper function for the test_set_tmp_dh() tests */
9952 static EVP_PKEY *get_tmp_dh_params(void)
9953 {
9954 if (tmp_dh_params == NULL) {
9955 BIGNUM *p = NULL;
9956 OSSL_PARAM_BLD *tmpl = NULL;
9957 EVP_PKEY_CTX *pctx = NULL;
9958 OSSL_PARAM *params = NULL;
9959 EVP_PKEY *dhpkey = NULL;
9960
9961 p = BN_get_rfc3526_prime_2048(NULL);
9962 if (!TEST_ptr(p))
9963 goto end;
9964
9965 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9966 if (!TEST_ptr(pctx)
9967 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9968 goto end;
9969
9970 tmpl = OSSL_PARAM_BLD_new();
9971 if (!TEST_ptr(tmpl)
9972 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9973 OSSL_PKEY_PARAM_FFC_P,
9974 p))
9975 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9976 OSSL_PKEY_PARAM_FFC_G,
9977 2)))
9978 goto end;
9979
9980 params = OSSL_PARAM_BLD_to_param(tmpl);
9981 if (!TEST_ptr(params)
9982 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9983 EVP_PKEY_KEY_PARAMETERS,
9984 params), 1))
9985 goto end;
9986
9987 tmp_dh_params = dhpkey;
9988 end:
9989 BN_free(p);
9990 EVP_PKEY_CTX_free(pctx);
9991 OSSL_PARAM_BLD_free(tmpl);
9992 OSSL_PARAM_free(params);
9993 }
9994
9995 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9996 return NULL;
9997
9998 return tmp_dh_params;
9999 }
10000
10001 # ifndef OPENSSL_NO_DEPRECATED_3_0
10002 /* Callback used by test_set_tmp_dh() */
10003 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10004 {
10005 EVP_PKEY *dhpkey = get_tmp_dh_params();
10006 DH *ret = NULL;
10007
10008 if (!TEST_ptr(dhpkey))
10009 return NULL;
10010
10011 /*
10012 * libssl does not free the returned DH, so we free it now knowing that even
10013 * after we free dhpkey, there will still be a reference to the owning
10014 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10015 * of time we need it for.
10016 */
10017 ret = EVP_PKEY_get1_DH(dhpkey);
10018 DH_free(ret);
10019
10020 EVP_PKEY_free(dhpkey);
10021
10022 return ret;
10023 }
10024 # endif
10025
10026 /*
10027 * Test the various methods for setting temporary DH parameters
10028 *
10029 * Test 0: Default (no auto) setting
10030 * Test 1: Explicit SSL_CTX auto off
10031 * Test 2: Explicit SSL auto off
10032 * Test 3: Explicit SSL_CTX auto on
10033 * Test 4: Explicit SSL auto on
10034 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10035 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10036 *
10037 * The following are testing deprecated APIs, so we only run them if available
10038 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10039 * Test 8: Explicit SSL auto off, custom DH params via DH
10040 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10041 * Test 10: Explicit SSL auto off, custom DH params via callback
10042 */
10043 static int test_set_tmp_dh(int idx)
10044 {
10045 SSL_CTX *cctx = NULL, *sctx = NULL;
10046 SSL *clientssl = NULL, *serverssl = NULL;
10047 int testresult = 0;
10048 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10049 int expected = (idx <= 2) ? 0 : 1;
10050 EVP_PKEY *dhpkey = NULL;
10051 # ifndef OPENSSL_NO_DEPRECATED_3_0
10052 DH *dh = NULL;
10053 # else
10054
10055 if (idx >= 7)
10056 return 1;
10057 # endif
10058
10059 if (idx >= 5 && idx <= 8) {
10060 dhpkey = get_tmp_dh_params();
10061 if (!TEST_ptr(dhpkey))
10062 goto end;
10063 }
10064 # ifndef OPENSSL_NO_DEPRECATED_3_0
10065 if (idx == 7 || idx == 8) {
10066 dh = EVP_PKEY_get1_DH(dhpkey);
10067 if (!TEST_ptr(dh))
10068 goto end;
10069 }
10070 # endif
10071
10072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10073 TLS_client_method(),
10074 0,
10075 0,
10076 &sctx, &cctx, cert, privkey)))
10077 goto end;
10078
10079 if ((idx & 1) == 1) {
10080 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10081 goto end;
10082 }
10083
10084 if (idx == 5) {
10085 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10086 goto end;
10087 dhpkey = NULL;
10088 }
10089 # ifndef OPENSSL_NO_DEPRECATED_3_0
10090 else if (idx == 7) {
10091 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10092 goto end;
10093 } else if (idx == 9) {
10094 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10095 }
10096 # endif
10097
10098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10099 NULL, NULL)))
10100 goto end;
10101
10102 if ((idx & 1) == 0 && idx != 0) {
10103 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10104 goto end;
10105 }
10106 if (idx == 6) {
10107 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10108 goto end;
10109 dhpkey = NULL;
10110 }
10111 # ifndef OPENSSL_NO_DEPRECATED_3_0
10112 else if (idx == 8) {
10113 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10114 goto end;
10115 } else if (idx == 10) {
10116 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10117 }
10118 # endif
10119
10120 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10121 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10122 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10123 goto end;
10124
10125 /*
10126 * If autoon then we should succeed. Otherwise we expect failure because
10127 * there are no parameters
10128 */
10129 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10130 SSL_ERROR_NONE), expected))
10131 goto end;
10132
10133 testresult = 1;
10134
10135 end:
10136 # ifndef OPENSSL_NO_DEPRECATED_3_0
10137 DH_free(dh);
10138 # endif
10139 SSL_free(serverssl);
10140 SSL_free(clientssl);
10141 SSL_CTX_free(sctx);
10142 SSL_CTX_free(cctx);
10143 EVP_PKEY_free(dhpkey);
10144
10145 return testresult;
10146 }
10147
10148 /*
10149 * Test the auto DH keys are appropriately sized
10150 */
10151 static int test_dh_auto(int idx)
10152 {
10153 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10154 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10155 SSL *clientssl = NULL, *serverssl = NULL;
10156 int testresult = 0;
10157 EVP_PKEY *tmpkey = NULL;
10158 char *thiscert = NULL, *thiskey = NULL;
10159 size_t expdhsize = 0;
10160 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10161
10162 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10163 goto end;
10164
10165 switch (idx) {
10166 case 0:
10167 /* The FIPS provider doesn't support this DH size - so we ignore it */
10168 if (is_fips) {
10169 testresult = 1;
10170 goto end;
10171 }
10172 thiscert = cert1024;
10173 thiskey = privkey1024;
10174 expdhsize = 1024;
10175 SSL_CTX_set_security_level(sctx, 1);
10176 SSL_CTX_set_security_level(cctx, 1);
10177 break;
10178 case 1:
10179 /* 2048 bit prime */
10180 thiscert = cert;
10181 thiskey = privkey;
10182 expdhsize = 2048;
10183 break;
10184 case 2:
10185 thiscert = cert3072;
10186 thiskey = privkey3072;
10187 expdhsize = 3072;
10188 break;
10189 case 3:
10190 thiscert = cert4096;
10191 thiskey = privkey4096;
10192 expdhsize = 4096;
10193 break;
10194 case 4:
10195 thiscert = cert8192;
10196 thiskey = privkey8192;
10197 expdhsize = 8192;
10198 break;
10199 /* No certificate cases */
10200 case 5:
10201 /* The FIPS provider doesn't support this DH size - so we ignore it */
10202 if (is_fips) {
10203 testresult = 1;
10204 goto end;
10205 }
10206 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10207 expdhsize = 1024;
10208 break;
10209 case 6:
10210 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10211 expdhsize = 3072;
10212 break;
10213 default:
10214 TEST_error("Invalid text index");
10215 goto end;
10216 }
10217
10218 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10219 NULL,
10220 0,
10221 0,
10222 &sctx, &cctx, thiscert, thiskey)))
10223 goto end;
10224
10225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10226 NULL, NULL)))
10227 goto end;
10228
10229 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10230 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10231 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10232 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10233 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10234 goto end;
10235
10236 /*
10237 * Send the server's first flight. At this point the server has created the
10238 * temporary DH key but hasn't finished using it yet. Once used it is
10239 * removed, so we cannot test it.
10240 */
10241 if (!TEST_int_le(SSL_connect(clientssl), 0)
10242 || !TEST_int_le(SSL_accept(serverssl), 0))
10243 goto end;
10244
10245 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10246 goto end;
10247 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10248 goto end;
10249
10250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10251 goto end;
10252
10253 testresult = 1;
10254
10255 end:
10256 SSL_free(serverssl);
10257 SSL_free(clientssl);
10258 SSL_CTX_free(sctx);
10259 SSL_CTX_free(cctx);
10260 EVP_PKEY_free(tmpkey);
10261
10262 return testresult;
10263
10264 }
10265 # endif /* OPENSSL_NO_DH */
10266 #endif /* OPENSSL_NO_TLS1_2 */
10267
10268 #ifndef OSSL_NO_USABLE_TLS1_3
10269 /*
10270 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10271 * that it works even without a certificate configured for the original
10272 * SSL_CTX
10273 */
10274 static int test_sni_tls13(void)
10275 {
10276 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10277 SSL *clientssl = NULL, *serverssl = NULL;
10278 int testresult = 0;
10279
10280 /* Reset callback counter */
10281 snicb = 0;
10282
10283 /* Create an initial SSL_CTX with no certificate configured */
10284 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10285 if (!TEST_ptr(sctx))
10286 goto end;
10287 /* Require TLSv1.3 as a minimum */
10288 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10289 TLS_client_method(), TLS1_3_VERSION, 0,
10290 &sctx2, &cctx, cert, privkey)))
10291 goto end;
10292
10293 /* Set up SNI */
10294 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10295 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10296 goto end;
10297
10298 /*
10299 * Connection should still succeed because the final SSL_CTX has the right
10300 * certificates configured.
10301 */
10302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10303 &clientssl, NULL, NULL))
10304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10305 SSL_ERROR_NONE)))
10306 goto end;
10307
10308 /* We should have had the SNI callback called exactly once */
10309 if (!TEST_int_eq(snicb, 1))
10310 goto end;
10311
10312 testresult = 1;
10313
10314 end:
10315 SSL_free(serverssl);
10316 SSL_free(clientssl);
10317 SSL_CTX_free(sctx2);
10318 SSL_CTX_free(sctx);
10319 SSL_CTX_free(cctx);
10320 return testresult;
10321 }
10322
10323 /*
10324 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10325 * 0 = TLSv1.2
10326 * 1 = TLSv1.3
10327 */
10328 static int test_ticket_lifetime(int idx)
10329 {
10330 SSL_CTX *cctx = NULL, *sctx = NULL;
10331 SSL *clientssl = NULL, *serverssl = NULL;
10332 int testresult = 0;
10333 int version = TLS1_3_VERSION;
10334
10335 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10336 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10337
10338 if (idx == 0) {
10339 #ifdef OPENSSL_NO_TLS1_2
10340 return TEST_skip("TLS 1.2 is disabled.");
10341 #else
10342 version = TLS1_2_VERSION;
10343 #endif
10344 }
10345
10346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10347 TLS_client_method(), version, version,
10348 &sctx, &cctx, cert, privkey)))
10349 goto end;
10350
10351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10352 &clientssl, NULL, NULL)))
10353 goto end;
10354
10355 /*
10356 * Set the timeout to be more than 1 week
10357 * make sure the returned value is the default
10358 */
10359 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10360 SSL_get_default_timeout(serverssl)))
10361 goto end;
10362
10363 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10364 goto end;
10365
10366 if (idx == 0) {
10367 /* TLSv1.2 uses the set value */
10368 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10369 goto end;
10370 } else {
10371 /* TLSv1.3 uses the limited value */
10372 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10373 goto end;
10374 }
10375 testresult = 1;
10376
10377 end:
10378 SSL_free(serverssl);
10379 SSL_free(clientssl);
10380 SSL_CTX_free(sctx);
10381 SSL_CTX_free(cctx);
10382 return testresult;
10383 }
10384 #endif
10385 /*
10386 * Test that setting an ALPN does not violate RFC
10387 */
10388 static int test_set_alpn(void)
10389 {
10390 SSL_CTX *ctx = NULL;
10391 SSL *ssl = NULL;
10392 int testresult = 0;
10393
10394 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10395 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10396 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10397 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10398 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10399 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10400
10401 /* Create an initial SSL_CTX with no certificate configured */
10402 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10403 if (!TEST_ptr(ctx))
10404 goto end;
10405
10406 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10407 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10408 goto end;
10409 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10410 goto end;
10411 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10412 goto end;
10413 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10414 goto end;
10415 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10416 goto end;
10417 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10418 goto end;
10419 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10420 goto end;
10421 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10422 goto end;
10423 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10424 goto end;
10425
10426 ssl = SSL_new(ctx);
10427 if (!TEST_ptr(ssl))
10428 goto end;
10429
10430 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10431 goto end;
10432 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10433 goto end;
10434 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10435 goto end;
10436 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10437 goto end;
10438 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10439 goto end;
10440 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10441 goto end;
10442 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10443 goto end;
10444 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10445 goto end;
10446 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10447 goto end;
10448
10449 testresult = 1;
10450
10451 end:
10452 SSL_free(ssl);
10453 SSL_CTX_free(ctx);
10454 return testresult;
10455 }
10456
10457 /*
10458 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10459 */
10460 static int test_set_verify_cert_store_ssl_ctx(void)
10461 {
10462 SSL_CTX *ctx = NULL;
10463 int testresult = 0;
10464 X509_STORE *store = NULL, *new_store = NULL,
10465 *cstore = NULL, *new_cstore = NULL;
10466
10467 /* Create an initial SSL_CTX. */
10468 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10469 if (!TEST_ptr(ctx))
10470 goto end;
10471
10472 /* Retrieve verify store pointer. */
10473 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10474 goto end;
10475
10476 /* Retrieve chain store pointer. */
10477 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10478 goto end;
10479
10480 /* We haven't set any yet, so this should be NULL. */
10481 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10482 goto end;
10483
10484 /* Create stores. We use separate stores so pointers are different. */
10485 new_store = X509_STORE_new();
10486 if (!TEST_ptr(new_store))
10487 goto end;
10488
10489 new_cstore = X509_STORE_new();
10490 if (!TEST_ptr(new_cstore))
10491 goto end;
10492
10493 /* Set stores. */
10494 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10495 goto end;
10496
10497 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10498 goto end;
10499
10500 /* Should be able to retrieve the same pointer. */
10501 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10502 goto end;
10503
10504 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10505 goto end;
10506
10507 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10508 goto end;
10509
10510 /* Should be able to unset again. */
10511 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10512 goto end;
10513
10514 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10515 goto end;
10516
10517 /* Should now be NULL. */
10518 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10519 goto end;
10520
10521 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10522 goto end;
10523
10524 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10525 goto end;
10526
10527 testresult = 1;
10528
10529 end:
10530 X509_STORE_free(new_store);
10531 X509_STORE_free(new_cstore);
10532 SSL_CTX_free(ctx);
10533 return testresult;
10534 }
10535
10536 /*
10537 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10538 */
10539 static int test_set_verify_cert_store_ssl(void)
10540 {
10541 SSL_CTX *ctx = NULL;
10542 SSL *ssl = NULL;
10543 int testresult = 0;
10544 X509_STORE *store = NULL, *new_store = NULL,
10545 *cstore = NULL, *new_cstore = NULL;
10546
10547 /* Create an initial SSL_CTX. */
10548 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10549 if (!TEST_ptr(ctx))
10550 goto end;
10551
10552 /* Create an SSL object. */
10553 ssl = SSL_new(ctx);
10554 if (!TEST_ptr(ssl))
10555 goto end;
10556
10557 /* Retrieve verify store pointer. */
10558 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10559 goto end;
10560
10561 /* Retrieve chain store pointer. */
10562 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10563 goto end;
10564
10565 /* We haven't set any yet, so this should be NULL. */
10566 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10567 goto end;
10568
10569 /* Create stores. We use separate stores so pointers are different. */
10570 new_store = X509_STORE_new();
10571 if (!TEST_ptr(new_store))
10572 goto end;
10573
10574 new_cstore = X509_STORE_new();
10575 if (!TEST_ptr(new_cstore))
10576 goto end;
10577
10578 /* Set stores. */
10579 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10580 goto end;
10581
10582 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10583 goto end;
10584
10585 /* Should be able to retrieve the same pointer. */
10586 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10587 goto end;
10588
10589 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10590 goto end;
10591
10592 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10593 goto end;
10594
10595 /* Should be able to unset again. */
10596 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10597 goto end;
10598
10599 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10600 goto end;
10601
10602 /* Should now be NULL. */
10603 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10604 goto end;
10605
10606 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10607 goto end;
10608
10609 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10610 goto end;
10611
10612 testresult = 1;
10613
10614 end:
10615 X509_STORE_free(new_store);
10616 X509_STORE_free(new_cstore);
10617 SSL_free(ssl);
10618 SSL_CTX_free(ctx);
10619 return testresult;
10620 }
10621
10622
10623 static int test_inherit_verify_param(void)
10624 {
10625 int testresult = 0;
10626
10627 SSL_CTX *ctx = NULL;
10628 X509_VERIFY_PARAM *cp = NULL;
10629 SSL *ssl = NULL;
10630 X509_VERIFY_PARAM *sp = NULL;
10631 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10632
10633 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10634 if (!TEST_ptr(ctx))
10635 goto end;
10636
10637 cp = SSL_CTX_get0_param(ctx);
10638 if (!TEST_ptr(cp))
10639 goto end;
10640 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10641 goto end;
10642
10643 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10644
10645 ssl = SSL_new(ctx);
10646 if (!TEST_ptr(ssl))
10647 goto end;
10648
10649 sp = SSL_get0_param(ssl);
10650 if (!TEST_ptr(sp))
10651 goto end;
10652 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10653 goto end;
10654
10655 testresult = 1;
10656
10657 end:
10658 SSL_free(ssl);
10659 SSL_CTX_free(ctx);
10660
10661 return testresult;
10662 }
10663
10664 static int test_load_dhfile(void)
10665 {
10666 #ifndef OPENSSL_NO_DH
10667 int testresult = 0;
10668
10669 SSL_CTX *ctx = NULL;
10670 SSL_CONF_CTX *cctx = NULL;
10671
10672 if (dhfile == NULL)
10673 return 1;
10674
10675 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10676 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10677 goto end;
10678
10679 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10680 SSL_CONF_CTX_set_flags(cctx,
10681 SSL_CONF_FLAG_CERTIFICATE
10682 | SSL_CONF_FLAG_SERVER
10683 | SSL_CONF_FLAG_FILE);
10684
10685 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10686 goto end;
10687
10688 testresult = 1;
10689 end:
10690 SSL_CONF_CTX_free(cctx);
10691 SSL_CTX_free(ctx);
10692
10693 return testresult;
10694 #else
10695 return TEST_skip("DH not supported by this build");
10696 #endif
10697 }
10698
10699 #ifndef OSSL_NO_USABLE_TLS1_3
10700 /* Test that read_ahead works across a key change */
10701 static int test_read_ahead_key_change(void)
10702 {
10703 SSL_CTX *cctx = NULL, *sctx = NULL;
10704 SSL *clientssl = NULL, *serverssl = NULL;
10705 int testresult = 0;
10706 char *msg = "Hello World";
10707 size_t written, readbytes;
10708 char buf[80];
10709 int i;
10710
10711 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10712 TLS_client_method(), TLS1_3_VERSION, 0,
10713 &sctx, &cctx, cert, privkey)))
10714 goto end;
10715
10716 SSL_CTX_set_read_ahead(sctx, 1);
10717
10718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10719 &clientssl, NULL, NULL)))
10720 goto end;
10721
10722 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10723 goto end;
10724
10725 /* Write some data, send a key update, write more data */
10726 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10727 || !TEST_size_t_eq(written, strlen(msg)))
10728 goto end;
10729
10730 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10731 goto end;
10732
10733 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10734 || !TEST_size_t_eq(written, strlen(msg)))
10735 goto end;
10736
10737 /*
10738 * Since read_ahead is on the first read below should read the record with
10739 * the first app data, the second record with the key update message, and
10740 * the third record with the app data all in one go. We should be able to
10741 * still process the read_ahead data correctly even though it crosses
10742 * epochs
10743 */
10744 for (i = 0; i < 2; i++) {
10745 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10746 &readbytes)))
10747 goto end;
10748
10749 buf[readbytes] = '\0';
10750 if (!TEST_str_eq(buf, msg))
10751 goto end;
10752 }
10753
10754 testresult = 1;
10755
10756 end:
10757 SSL_free(serverssl);
10758 SSL_free(clientssl);
10759 SSL_CTX_free(sctx);
10760 SSL_CTX_free(cctx);
10761 return testresult;
10762 }
10763
10764 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10765 {
10766 int *called = arg;
10767
10768 switch ((*called)++) {
10769 case 0:
10770 /* Add some padding to first record */
10771 return 512;
10772 case 1:
10773 /* Maximally pad the second record */
10774 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10775 case 2:
10776 /*
10777 * Exceeding the maximum padding should be fine. It should just pad to
10778 * the maximum anyway
10779 */
10780 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10781 case 3:
10782 /*
10783 * Very large padding should also be ok. Should just pad to the maximum
10784 * allowed
10785 */
10786 return SIZE_MAX;
10787 default:
10788 return 0;
10789 }
10790 }
10791
10792 /*
10793 * Test that setting record padding in TLSv1.3 works as expected
10794 * Test 0: Record padding callback on the SSL_CTX
10795 * Test 1: Record padding callback on the SSL
10796 * Test 2: Record block padding on the SSL_CTX
10797 * Test 3: Record block padding on the SSL
10798 */
10799 static int test_tls13_record_padding(int idx)
10800 {
10801 SSL_CTX *cctx = NULL, *sctx = NULL;
10802 SSL *clientssl = NULL, *serverssl = NULL;
10803 int testresult = 0;
10804 char *msg = "Hello World";
10805 size_t written, readbytes;
10806 char buf[80];
10807 int i;
10808 int called = 0;
10809
10810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10811 TLS_client_method(), TLS1_3_VERSION, 0,
10812 &sctx, &cctx, cert, privkey)))
10813 goto end;
10814
10815 if (idx == 0) {
10816 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10817 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10818 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10819 goto end;
10820 } else if (idx == 2) {
10821 /* Exceeding the max plain length should fail */
10822 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10823 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10824 goto end;
10825 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10826 goto end;
10827 }
10828
10829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10830 &clientssl, NULL, NULL)))
10831 goto end;
10832
10833 if (idx == 1) {
10834 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10835 SSL_set_record_padding_callback_arg(clientssl, &called);
10836 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10837 goto end;
10838 } else if (idx == 3) {
10839 /* Exceeding the max plain length should fail */
10840 if (!TEST_false(SSL_set_block_padding(clientssl,
10841 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10842 goto end;
10843 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10844 goto end;
10845 }
10846
10847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10848 goto end;
10849
10850 called = 0;
10851 /*
10852 * Write some data, then check we can read it. Do this four times to check
10853 * we can continue to write and read padded data after the initial record
10854 * padding has been added. We don't actually check that the padding has
10855 * been applied to the record - just that we can continue to communicate
10856 * normally and that the callback has been called (if appropriate).
10857 */
10858 for (i = 0; i < 4; i++) {
10859 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10860 || !TEST_size_t_eq(written, strlen(msg)))
10861 goto end;
10862
10863 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10864 &readbytes))
10865 || !TEST_size_t_eq(written, readbytes))
10866 goto end;
10867
10868 buf[readbytes] = '\0';
10869 if (!TEST_str_eq(buf, msg))
10870 goto end;
10871 }
10872
10873 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10874 goto end;
10875
10876 testresult = 1;
10877 end:
10878 SSL_free(serverssl);
10879 SSL_free(clientssl);
10880 SSL_CTX_free(sctx);
10881 SSL_CTX_free(cctx);
10882 return testresult;
10883 }
10884 #endif /* OSSL_NO_USABLE_TLS1_3 */
10885
10886 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10887
10888 static ENGINE *load_dasync(void)
10889 {
10890 ENGINE *e;
10891
10892 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10893 return NULL;
10894
10895 if (!TEST_true(ENGINE_init(e))) {
10896 ENGINE_free(e);
10897 return NULL;
10898 }
10899
10900 if (!TEST_true(ENGINE_register_ciphers(e))) {
10901 ENGINE_free(e);
10902 return NULL;
10903 }
10904
10905 return e;
10906 }
10907
10908 /*
10909 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10910 * support this yet. The only pipeline capable cipher that we have is in the
10911 * dasync engine (providers don't support this yet), so we have to use
10912 * deprecated APIs for this test.
10913 *
10914 * Test 0: Client has pipelining enabled, server does not
10915 * Test 1: Server has pipelining enabled, client does not
10916 * Test 2: Client has pipelining enabled, server does not: not enough data to
10917 * fill all the pipelines
10918 * Test 3: Client has pipelining enabled, server does not: not enough data to
10919 * fill all the pipelines by more than a full pipeline's worth
10920 * Test 4: Client has pipelining enabled, server does not: more data than all
10921 * the available pipelines can take
10922 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10923 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10924 * is created)
10925 */
10926 static int test_pipelining(int idx)
10927 {
10928 SSL_CTX *cctx = NULL, *sctx = NULL;
10929 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10930 int testresult = 0, numreads;
10931 /* A 55 byte message */
10932 unsigned char *msg = (unsigned char *)
10933 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10934 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10935 size_t expectedreads;
10936 unsigned char *buf = NULL;
10937 ENGINE *e = NULL;
10938
10939 if (idx != 6) {
10940 e = load_dasync();
10941 if (e == NULL)
10942 return 0;
10943 }
10944
10945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10946 TLS_client_method(), 0,
10947 TLS1_2_VERSION, &sctx, &cctx, cert,
10948 privkey)))
10949 goto end;
10950
10951 if (idx == 6) {
10952 e = load_dasync();
10953 if (e == NULL)
10954 goto end;
10955 /* Now act like test 0 */
10956 idx = 0;
10957 }
10958
10959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10960 &clientssl, NULL, NULL)))
10961 goto end;
10962
10963 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10964 goto end;
10965
10966 /* peera is always configured for pipelining, while peerb is not. */
10967 if (idx == 1) {
10968 peera = serverssl;
10969 peerb = clientssl;
10970
10971 } else {
10972 peera = clientssl;
10973 peerb = serverssl;
10974 }
10975
10976 if (idx == 5) {
10977 numpipes = 2;
10978 /* Maximum allowed fragment size */
10979 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10980 msglen = fragsize * numpipes;
10981 msg = OPENSSL_malloc(msglen);
10982 if (!TEST_ptr(msg))
10983 goto end;
10984 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10985 goto end;
10986 } else if (idx == 4) {
10987 msglen = 55;
10988 } else {
10989 msglen = 50;
10990 }
10991 if (idx == 2)
10992 msglen -= 2; /* Send 2 less bytes */
10993 else if (idx == 3)
10994 msglen -= 12; /* Send 12 less bytes */
10995
10996 buf = OPENSSL_malloc(msglen);
10997 if (!TEST_ptr(buf))
10998 goto end;
10999
11000 if (idx == 5) {
11001 /*
11002 * Test that setting a split send fragment longer than the maximum
11003 * allowed fails
11004 */
11005 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11006 goto end;
11007 }
11008
11009 /*
11010 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11011 * (50 bytes in total). This is a ridiculously small number of bytes -
11012 * but sufficient for our purposes
11013 */
11014 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11015 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11016 goto end;
11017
11018 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11019 goto end;
11020
11021 /* Write some data from peera to peerb */
11022 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11023 || !TEST_size_t_eq(written, msglen))
11024 goto end;
11025
11026 /*
11027 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11028 * have been used - except in test 3 where only |numpipes - 1| pipelines
11029 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11030 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11031 * expect this to be read in |numpipes| or |numpipes - 1| separate
11032 * SSL_read_ex calls. In the case of test 4, there is then one additional
11033 * read for left over data that couldn't fit in the previous pipelines
11034 */
11035 for (offset = 0, numreads = 0;
11036 offset < msglen;
11037 offset += readbytes, numreads++) {
11038 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11039 msglen - offset, &readbytes)))
11040 goto end;
11041 }
11042
11043 expectedreads = idx == 4 ? numpipes + 1
11044 : (idx == 3 ? numpipes - 1 : numpipes);
11045 if (!TEST_mem_eq(msg, msglen, buf, offset)
11046 || !TEST_int_eq(numreads, expectedreads))
11047 goto end;
11048
11049 /*
11050 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11051 * chunks to exercise the read pipelining code on peera.
11052 */
11053 for (offset = 0; offset < msglen; offset += fragsize) {
11054 size_t sendlen = msglen - offset;
11055
11056 if (sendlen > fragsize)
11057 sendlen = fragsize;
11058 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11059 || !TEST_size_t_eq(written, sendlen))
11060 goto end;
11061 }
11062
11063 /*
11064 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11065 * separate chunks (depending on which test we are running). If the
11066 * pipelining is working then we expect peera to read up to numpipes chunks
11067 * and process them in parallel, giving back the complete result in a single
11068 * call to SSL_read_ex
11069 */
11070 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11071 || !TEST_size_t_le(readbytes, msglen))
11072 goto end;
11073
11074 if (idx == 4) {
11075 size_t readbytes2;
11076
11077 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11078 msglen - readbytes, &readbytes2)))
11079 goto end;
11080 readbytes += readbytes2;
11081 if (!TEST_size_t_le(readbytes, msglen))
11082 goto end;
11083 }
11084
11085 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11086 goto end;
11087
11088 testresult = 1;
11089 end:
11090 SSL_free(serverssl);
11091 SSL_free(clientssl);
11092 SSL_CTX_free(sctx);
11093 SSL_CTX_free(cctx);
11094 if (e != NULL) {
11095 ENGINE_unregister_ciphers(e);
11096 ENGINE_finish(e);
11097 ENGINE_free(e);
11098 }
11099 OPENSSL_free(buf);
11100 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11101 OPENSSL_free(msg);
11102 return testresult;
11103 }
11104 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11105
11106 static int check_version_string(SSL *s, int version)
11107 {
11108 const char *verstr = NULL;
11109
11110 switch (version) {
11111 case SSL3_VERSION:
11112 verstr = "SSLv3";
11113 break;
11114 case TLS1_VERSION:
11115 verstr = "TLSv1";
11116 break;
11117 case TLS1_1_VERSION:
11118 verstr = "TLSv1.1";
11119 break;
11120 case TLS1_2_VERSION:
11121 verstr = "TLSv1.2";
11122 break;
11123 case TLS1_3_VERSION:
11124 verstr = "TLSv1.3";
11125 break;
11126 case DTLS1_VERSION:
11127 verstr = "DTLSv1";
11128 break;
11129 case DTLS1_2_VERSION:
11130 verstr = "DTLSv1.2";
11131 }
11132
11133 return TEST_str_eq(verstr, SSL_get_version(s));
11134 }
11135
11136 /*
11137 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11138 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11139 * test_version() in quicapitest.c which does the same thing for QUIC
11140 * connections.
11141 */
11142 static int test_version(int idx)
11143 {
11144 SSL_CTX *cctx = NULL, *sctx = NULL;
11145 SSL *clientssl = NULL, *serverssl = NULL;
11146 int testresult = 0, version;
11147 const SSL_METHOD *servmeth = TLS_server_method();
11148 const SSL_METHOD *clientmeth = TLS_client_method();
11149
11150 switch (idx) {
11151 #if !defined(OPENSSL_NO_SSL3)
11152 case 0:
11153 version = SSL3_VERSION;
11154 break;
11155 #endif
11156 #if !defined(OPENSSL_NO_TLS1)
11157 case 1:
11158 version = TLS1_VERSION;
11159 break;
11160 #endif
11161 #if !defined(OPENSSL_NO_TLS1_2)
11162 case 2:
11163 version = TLS1_2_VERSION;
11164 break;
11165 #endif
11166 #if !defined(OSSL_NO_USABLE_TLS1_3)
11167 case 3:
11168 version = TLS1_3_VERSION;
11169 break;
11170 #endif
11171 #if !defined(OPENSSL_NO_DTLS1)
11172 case 4:
11173 version = DTLS1_VERSION;
11174 break;
11175 #endif
11176 #if !defined(OPENSSL_NO_DTLS1_2)
11177 case 5:
11178 version = DTLS1_2_VERSION;
11179 break;
11180 #endif
11181 /*
11182 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11183 * We also don't support DTLS1_BAD_VER since we have no server support for
11184 * that.
11185 */
11186 default:
11187 TEST_skip("Unsupported protocol version");
11188 return 1;
11189 }
11190
11191 if (is_fips
11192 && (version == SSL3_VERSION
11193 || version == TLS1_VERSION
11194 || version == DTLS1_VERSION)) {
11195 TEST_skip("Protocol version not supported with FIPS");
11196 return 1;
11197 }
11198
11199 #if !defined(OPENSSL_NO_DTLS)
11200 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11201 servmeth = DTLS_server_method();
11202 clientmeth = DTLS_client_method();
11203 }
11204 #endif
11205
11206 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11207 version, &sctx, &cctx, cert, privkey)))
11208 goto end;
11209
11210 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11211 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11212 "DEFAULT:@SECLEVEL=0")))
11213 goto end;
11214
11215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11216 &clientssl, NULL, NULL)))
11217 goto end;
11218
11219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11220 goto end;
11221
11222 if (!TEST_int_eq(SSL_version(serverssl), version)
11223 || !TEST_int_eq(SSL_version(clientssl), version)
11224 || !TEST_true(check_version_string(serverssl, version))
11225 || !TEST_true(check_version_string(clientssl, version)))
11226 goto end;
11227
11228 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11229 if (!TEST_true(SSL_is_dtls(serverssl))
11230 || !TEST_true(SSL_is_dtls(clientssl))
11231 || !TEST_false(SSL_is_tls(serverssl))
11232 || !TEST_false(SSL_is_tls(clientssl))
11233 || !TEST_false(SSL_is_quic(serverssl))
11234 || !TEST_false(SSL_is_quic(clientssl)))
11235 goto end;
11236 } else {
11237 if (!TEST_true(SSL_is_tls(serverssl))
11238 || !TEST_true(SSL_is_tls(clientssl))
11239 || !TEST_false(SSL_is_dtls(serverssl))
11240 || !TEST_false(SSL_is_dtls(clientssl))
11241 || !TEST_false(SSL_is_quic(serverssl))
11242 || !TEST_false(SSL_is_quic(clientssl)))
11243 goto end;
11244 }
11245
11246 testresult = 1;
11247 end:
11248 SSL_free(serverssl);
11249 SSL_free(clientssl);
11250 SSL_CTX_free(sctx);
11251 SSL_CTX_free(cctx);
11252 return testresult;
11253 }
11254
11255 /*
11256 * Test that the SSL_rstate_string*() APIs return sane results
11257 */
11258 static int test_rstate_string(void)
11259 {
11260 SSL_CTX *cctx = NULL, *sctx = NULL;
11261 SSL *clientssl = NULL, *serverssl = NULL;
11262 int testresult = 0, version;
11263 const SSL_METHOD *servmeth = TLS_server_method();
11264 const SSL_METHOD *clientmeth = TLS_client_method();
11265 size_t written, readbytes;
11266 unsigned char buf[2];
11267 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11268 SSL3_RT_APPLICATION_DATA,
11269 TLS1_2_VERSION_MAJOR,
11270 0, /* To be filled in later */
11271 0,
11272 1
11273 };
11274
11275 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11276 0, &sctx, &cctx, cert, privkey)))
11277 goto end;
11278
11279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11280 &clientssl, NULL, NULL)))
11281 goto end;
11282
11283 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11284 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11285 goto end;
11286
11287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11288 goto end;
11289
11290 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11291 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11292 goto end;
11293
11294 /* Fill in the correct version for the record header */
11295 version = SSL_version(serverssl);
11296 if (version == TLS1_3_VERSION)
11297 version = TLS1_2_VERSION;
11298 dummyheader[2] = version & 0xff;
11299
11300 /*
11301 * Send a dummy header. If we continued to read the body as well this
11302 * would fail with a bad record mac, but we're not going to go that far.
11303 */
11304 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11305 sizeof(dummyheader), &written))
11306 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11307 goto end;
11308
11309 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11310 goto end;
11311
11312 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11313 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11314 goto end;
11315
11316 testresult = 1;
11317 end:
11318 SSL_free(serverssl);
11319 SSL_free(clientssl);
11320 SSL_CTX_free(sctx);
11321 SSL_CTX_free(cctx);
11322 return testresult;
11323 }
11324
11325 /*
11326 * Force a write retry during handshaking. We test various combinations of
11327 * scenarios. We test a large certificate message which will fill the buffering
11328 * BIO used in the handshake. We try with client auth on and off. Finally we
11329 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11330 * to indicate retry via -1 - but sometimes BIOs don't do that.
11331 *
11332 * Test 0: Standard certificate message
11333 * Test 1: Large certificate message
11334 * Test 2: Standard cert, verify peer
11335 * Test 3: Large cert, verify peer
11336 * Test 4: Standard cert, BIO returns 0 on retry
11337 * Test 5: Large cert, BIO returns 0 on retry
11338 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11339 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11340 * Test 8-15: Repeat of above with TLSv1.2
11341 */
11342 static int test_handshake_retry(int idx)
11343 {
11344 SSL_CTX *cctx = NULL, *sctx = NULL;
11345 SSL *clientssl = NULL, *serverssl = NULL;
11346 int testresult = 0;
11347 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11348 int maxversion = 0;
11349
11350 if (!TEST_ptr(bretry))
11351 goto end;
11352
11353 #ifndef OPENSSL_NO_TLS1_2
11354 if ((idx & 8) == 8)
11355 maxversion = TLS1_2_VERSION;
11356 #else
11357 if ((idx & 8) == 8)
11358 return TEST_skip("No TLSv1.2");
11359 #endif
11360
11361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11362 TLS_client_method(), 0, maxversion,
11363 &sctx, &cctx, cert, privkey)))
11364 goto end;
11365
11366 /*
11367 * Add a large amount of data to fill the buffering BIO used by the SSL
11368 * object
11369 */
11370 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11371 goto end;
11372
11373 /*
11374 * We don't actually configure a client cert, but neither do we fail if one
11375 * isn't present.
11376 */
11377 if ((idx & 2) == 2)
11378 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11379
11380 if ((idx & 4) == 4)
11381 set_always_retry_err_val(0);
11382
11383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11384 &clientssl, NULL, NULL)))
11385 goto end;
11386
11387 tmp = SSL_get_wbio(serverssl);
11388 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11389 tmp = NULL;
11390 goto end;
11391 }
11392 SSL_set0_wbio(serverssl, bretry);
11393 bretry = NULL;
11394
11395 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11396 goto end;
11397
11398 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11399 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11400 goto end;
11401
11402 /* Restore a BIO that will let the write succeed */
11403 SSL_set0_wbio(serverssl, tmp);
11404 tmp = NULL;
11405
11406 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11407 goto end;
11408
11409 testresult = 1;
11410 end:
11411 SSL_free(serverssl);
11412 SSL_free(clientssl);
11413 SSL_CTX_free(sctx);
11414 SSL_CTX_free(cctx);
11415 BIO_free(bretry);
11416 BIO_free(tmp);
11417 set_always_retry_err_val(-1);
11418 return testresult;
11419 }
11420
11421 /*
11422 * Test that receiving retries when writing application data works as expected
11423 */
11424 static int test_data_retry(void)
11425 {
11426 SSL_CTX *cctx = NULL, *sctx = NULL;
11427 SSL *clientssl = NULL, *serverssl = NULL;
11428 int testresult = 0;
11429 unsigned char inbuf[1200], outbuf[1200];
11430 size_t i;
11431 BIO *tmp = NULL;
11432 BIO *bretry = BIO_new(bio_s_maybe_retry());
11433 size_t written, readbytes, totread = 0;
11434
11435 if (!TEST_ptr(bretry))
11436 goto end;
11437
11438 for (i = 0; i < sizeof(inbuf); i++)
11439 inbuf[i] = (unsigned char)(0xff & i);
11440 memset(outbuf, 0, sizeof(outbuf));
11441
11442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11443 TLS_client_method(), 0, 0, &sctx, &cctx,
11444 cert, privkey)))
11445 goto end;
11446
11447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11448 NULL)))
11449 goto end;
11450
11451 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11452 goto end;
11453
11454 /* Smallest possible max send fragment is 512 */
11455 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11456 goto end;
11457
11458 tmp = SSL_get_wbio(clientssl);
11459 if (!TEST_ptr(tmp))
11460 goto end;
11461 if (!TEST_true(BIO_up_ref(tmp)))
11462 goto end;
11463 BIO_push(bretry, tmp);
11464 tmp = NULL;
11465 SSL_set0_wbio(clientssl, bretry);
11466 if (!BIO_up_ref(bretry)) {
11467 bretry = NULL;
11468 goto end;
11469 }
11470
11471 for (i = 0; i < 3; i++) {
11472 /* We expect this call to make no progress and indicate retry */
11473 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11474 goto end;
11475 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11476 goto end;
11477
11478 /* Allow one write to progress, but the next one to signal retry */
11479 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11480 NULL)))
11481 goto end;
11482
11483 if (i == 2)
11484 break;
11485
11486 /*
11487 * This call will hopefully make progress but will still indicate retry
11488 * because there is more data than will fit into a single record.
11489 */
11490 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11491 goto end;
11492 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11493 goto end;
11494 }
11495
11496 /* The final call should write the last chunk of data and succeed */
11497 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11498 goto end;
11499 /* Read all the data available */
11500 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11501 &readbytes))
11502 totread += readbytes;
11503 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11504 goto end;
11505
11506 testresult = 1;
11507 end:
11508 SSL_free(serverssl);
11509 SSL_free(clientssl);
11510 SSL_CTX_free(sctx);
11511 SSL_CTX_free(cctx);
11512 BIO_free_all(bretry);
11513 BIO_free(tmp);
11514 return testresult;
11515 }
11516
11517 /*
11518 * Test multiple resumptions and cache size handling
11519 * Test 0: TLSv1.3 (max_early_data set)
11520 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11521 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11522 * Test 3: TLSv1.2
11523 */
11524 static int test_multi_resume(int idx)
11525 {
11526 SSL_CTX *sctx = NULL, *cctx = NULL;
11527 SSL *serverssl = NULL, *clientssl = NULL;
11528 SSL_SESSION *sess = NULL;
11529 int max_version = TLS1_3_VERSION;
11530 int i, testresult = 0;
11531
11532 if (idx == 3)
11533 max_version = TLS1_2_VERSION;
11534
11535 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11536 TLS_client_method(), TLS1_VERSION,
11537 max_version, &sctx, &cctx, cert,
11538 privkey)))
11539 goto end;
11540
11541 /*
11542 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11543 * replay protection), or if SSL_OP_NO_TICKET is in use
11544 */
11545 if (idx == 0 || idx == 2) {
11546 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11547 goto end;
11548 }
11549 if (idx == 1 || idx == 2)
11550 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11551
11552 SSL_CTX_sess_set_cache_size(sctx, 5);
11553
11554 for (i = 0; i < 30; i++) {
11555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11556 NULL, NULL))
11557 || !TEST_true(SSL_set_session(clientssl, sess)))
11558 goto end;
11559
11560 /*
11561 * Recreate a bug where dynamically changing the max_early_data value
11562 * can cause sessions in the session cache which cannot be deleted.
11563 */
11564 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11565 SSL_set_max_early_data(serverssl, 0);
11566
11567 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11568 goto end;
11569
11570 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11571 if (!TEST_false(SSL_session_reused(clientssl)))
11572 goto end;
11573 } else {
11574 if (!TEST_true(SSL_session_reused(clientssl)))
11575 goto end;
11576 }
11577 SSL_SESSION_free(sess);
11578
11579 /* Do a full handshake, followed by two resumptions */
11580 if ((i % 3) == 2) {
11581 sess = NULL;
11582 } else {
11583 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11584 goto end;
11585 }
11586
11587 SSL_shutdown(clientssl);
11588 SSL_shutdown(serverssl);
11589 SSL_free(serverssl);
11590 SSL_free(clientssl);
11591 serverssl = clientssl = NULL;
11592 }
11593
11594 /* We should never exceed the session cache size limit */
11595 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11596 goto end;
11597
11598 testresult = 1;
11599 end:
11600 SSL_free(serverssl);
11601 SSL_free(clientssl);
11602 SSL_CTX_free(sctx);
11603 SSL_CTX_free(cctx);
11604 SSL_SESSION_free(sess);
11605 return testresult;
11606 }
11607
11608 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11609
11610 int setup_tests(void)
11611 {
11612 char *modulename;
11613 char *configfile;
11614
11615 libctx = OSSL_LIB_CTX_new();
11616 if (!TEST_ptr(libctx))
11617 return 0;
11618
11619 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11620
11621 /*
11622 * Verify that the default and fips providers in the default libctx are not
11623 * available
11624 */
11625 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11626 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11627 return 0;
11628
11629 if (!test_skip_common_options()) {
11630 TEST_error("Error parsing test options\n");
11631 return 0;
11632 }
11633
11634 if (!TEST_ptr(certsdir = test_get_argument(0))
11635 || !TEST_ptr(srpvfile = test_get_argument(1))
11636 || !TEST_ptr(tmpfilename = test_get_argument(2))
11637 || !TEST_ptr(modulename = test_get_argument(3))
11638 || !TEST_ptr(configfile = test_get_argument(4))
11639 || !TEST_ptr(dhfile = test_get_argument(5)))
11640 return 0;
11641
11642 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11643 return 0;
11644
11645 /* Check we have the expected provider available */
11646 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11647 return 0;
11648
11649 /* Check the default provider is not available */
11650 if (strcmp(modulename, "default") != 0
11651 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11652 return 0;
11653
11654 if (strcmp(modulename, "fips") == 0) {
11655 OSSL_PROVIDER *prov = NULL;
11656 OSSL_PARAM params[2];
11657
11658 is_fips = 1;
11659
11660 prov = OSSL_PROVIDER_load(libctx, "fips");
11661 if (prov != NULL) {
11662 /* Query the fips provider to check if the check ems option is enabled */
11663 params[0] =
11664 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11665 &fips_ems_check);
11666 params[1] = OSSL_PARAM_construct_end();
11667 OSSL_PROVIDER_get_params(prov, params);
11668 OSSL_PROVIDER_unload(prov);
11669 }
11670 }
11671
11672 /*
11673 * We add, but don't load the test "tls-provider". We'll load it when we
11674 * need it.
11675 */
11676 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11677 tls_provider_init)))
11678 return 0;
11679
11680
11681 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11682 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11683 TEST_error("not supported in this build");
11684 return 0;
11685 #else
11686 int i, mcount, rcount, fcount;
11687
11688 for (i = 0; i < 4; i++)
11689 test_export_key_mat(i);
11690 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11691 test_printf_stdout("malloc %d realloc %d free %d\n",
11692 mcount, rcount, fcount);
11693 return 1;
11694 #endif
11695 }
11696
11697 cert = test_mk_file_path(certsdir, "servercert.pem");
11698 if (cert == NULL)
11699 goto err;
11700
11701 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11702 if (privkey == NULL)
11703 goto err;
11704
11705 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11706 if (cert2 == NULL)
11707 goto err;
11708
11709 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11710 if (privkey2 == NULL)
11711 goto err;
11712
11713 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11714 if (cert1024 == NULL)
11715 goto err;
11716
11717 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11718 if (privkey1024 == NULL)
11719 goto err;
11720
11721 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11722 if (cert3072 == NULL)
11723 goto err;
11724
11725 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11726 if (privkey3072 == NULL)
11727 goto err;
11728
11729 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11730 if (cert4096 == NULL)
11731 goto err;
11732
11733 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11734 if (privkey4096 == NULL)
11735 goto err;
11736
11737 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11738 if (cert8192 == NULL)
11739 goto err;
11740
11741 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11742 if (privkey8192 == NULL)
11743 goto err;
11744
11745 if (fips_ems_check) {
11746 #ifndef OPENSSL_NO_TLS1_2
11747 ADD_TEST(test_no_ems);
11748 #endif
11749 return 1;
11750 }
11751 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11752 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11753 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11754 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
11755 # endif
11756 #endif
11757 ADD_TEST(test_large_message_tls);
11758 ADD_TEST(test_large_message_tls_read_ahead);
11759 #ifndef OPENSSL_NO_DTLS
11760 ADD_TEST(test_large_message_dtls);
11761 #endif
11762 ADD_ALL_TESTS(test_large_app_data, 28);
11763 ADD_TEST(test_cleanse_plaintext);
11764 #ifndef OPENSSL_NO_OCSP
11765 ADD_TEST(test_tlsext_status_type);
11766 #endif
11767 ADD_TEST(test_session_with_only_int_cache);
11768 ADD_TEST(test_session_with_only_ext_cache);
11769 ADD_TEST(test_session_with_both_cache);
11770 ADD_TEST(test_session_wo_ca_names);
11771 #ifndef OSSL_NO_USABLE_TLS1_3
11772 ADD_ALL_TESTS(test_stateful_tickets, 3);
11773 ADD_ALL_TESTS(test_stateless_tickets, 3);
11774 ADD_TEST(test_psk_tickets);
11775 ADD_ALL_TESTS(test_extra_tickets, 6);
11776 #endif
11777 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11778 ADD_TEST(test_ssl_bio_pop_next_bio);
11779 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11780 ADD_TEST(test_ssl_bio_change_rbio);
11781 ADD_TEST(test_ssl_bio_change_wbio);
11782 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11783 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11784 ADD_TEST(test_keylog);
11785 #endif
11786 #ifndef OSSL_NO_USABLE_TLS1_3
11787 ADD_TEST(test_keylog_no_master_key);
11788 #endif
11789 ADD_TEST(test_client_cert_verify_cb);
11790 ADD_TEST(test_ssl_build_cert_chain);
11791 ADD_TEST(test_ssl_ctx_build_cert_chain);
11792 #ifndef OPENSSL_NO_TLS1_2
11793 ADD_TEST(test_client_hello_cb);
11794 ADD_TEST(test_no_ems);
11795 ADD_TEST(test_ccs_change_cipher);
11796 #endif
11797 #ifndef OSSL_NO_USABLE_TLS1_3
11798 ADD_ALL_TESTS(test_early_data_read_write, 6);
11799 /*
11800 * We don't do replay tests for external PSK. Replay protection isn't used
11801 * in that scenario.
11802 */
11803 ADD_ALL_TESTS(test_early_data_replay, 2);
11804 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11805 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11806 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11807 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11808 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11809 ADD_ALL_TESTS(test_early_data_psk, 8);
11810 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11811 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11812 # ifndef OPENSSL_NO_TLS1_2
11813 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11814 # endif
11815 #endif
11816 #ifndef OSSL_NO_USABLE_TLS1_3
11817 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11818 ADD_TEST(test_ciphersuite_change);
11819 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11820 # ifdef OPENSSL_NO_PSK
11821 ADD_ALL_TESTS(test_tls13_psk, 1);
11822 # else
11823 ADD_ALL_TESTS(test_tls13_psk, 4);
11824 # endif /* OPENSSL_NO_PSK */
11825 #ifndef OSSL_NO_USABLE_TLS1_3
11826 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
11827 #endif /* OSSL_NO_USABLE_TLS1_3 */
11828 # ifndef OPENSSL_NO_TLS1_2
11829 /* Test with both TLSv1.3 and 1.2 versions */
11830 ADD_ALL_TESTS(test_key_exchange, 14);
11831 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11832 ADD_ALL_TESTS(test_negotiated_group,
11833 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11834 + OSSL_NELEM(ffdhe_kexch_groups)));
11835 # endif
11836 # else
11837 /* Test with only TLSv1.3 versions */
11838 ADD_ALL_TESTS(test_key_exchange, 12);
11839 # endif
11840 ADD_ALL_TESTS(test_custom_exts, 6);
11841 ADD_TEST(test_stateless);
11842 ADD_TEST(test_pha_key_update);
11843 #else
11844 ADD_ALL_TESTS(test_custom_exts, 3);
11845 #endif
11846 ADD_ALL_TESTS(test_export_key_mat, 6);
11847 #ifndef OSSL_NO_USABLE_TLS1_3
11848 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11849 ADD_TEST(test_key_update);
11850 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11851 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11852 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11853 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11854 #endif
11855 ADD_ALL_TESTS(test_ssl_clear, 8);
11856 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11857 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11858 ADD_ALL_TESTS(test_srp, 6);
11859 #endif
11860 #if !defined(OPENSSL_NO_COMP_ALG)
11861 /* Add compression case */
11862 ADD_ALL_TESTS(test_info_callback, 8);
11863 #else
11864 ADD_ALL_TESTS(test_info_callback, 6);
11865 #endif
11866 ADD_ALL_TESTS(test_ssl_pending, 2);
11867 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11868 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11869 ADD_ALL_TESTS(test_shutdown, 7);
11870 ADD_TEST(test_async_shutdown);
11871 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11872 ADD_ALL_TESTS(test_cert_cb, 6);
11873 ADD_ALL_TESTS(test_client_cert_cb, 2);
11874 ADD_ALL_TESTS(test_ca_names, 3);
11875 #ifndef OPENSSL_NO_TLS1_2
11876 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11877 #endif
11878 ADD_ALL_TESTS(test_servername, 10);
11879 ADD_TEST(test_unknown_sigalgs_groups);
11880 #if !defined(OPENSSL_NO_EC) \
11881 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11882 ADD_ALL_TESTS(test_sigalgs_available, 6);
11883 #endif
11884 #ifndef OPENSSL_NO_TLS1_3
11885 ADD_ALL_TESTS(test_pluggable_group, 2);
11886 ADD_ALL_TESTS(test_pluggable_signature, 4);
11887 #endif
11888 #ifndef OPENSSL_NO_TLS1_2
11889 ADD_TEST(test_ssl_dup);
11890 # ifndef OPENSSL_NO_DH
11891 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11892 ADD_ALL_TESTS(test_dh_auto, 7);
11893 # endif
11894 #endif
11895 #ifndef OSSL_NO_USABLE_TLS1_3
11896 ADD_TEST(test_sni_tls13);
11897 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11898 #endif
11899 ADD_TEST(test_inherit_verify_param);
11900 ADD_TEST(test_set_alpn);
11901 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11902 ADD_TEST(test_set_verify_cert_store_ssl);
11903 ADD_ALL_TESTS(test_session_timeout, 1);
11904 ADD_TEST(test_load_dhfile);
11905 #ifndef OSSL_NO_USABLE_TLS1_3
11906 ADD_TEST(test_read_ahead_key_change);
11907 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11908 #endif
11909 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11910 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11911 #endif
11912 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11913 ADD_ALL_TESTS(test_pipelining, 7);
11914 #endif
11915 ADD_ALL_TESTS(test_version, 6);
11916 ADD_TEST(test_rstate_string);
11917 ADD_ALL_TESTS(test_handshake_retry, 16);
11918 ADD_TEST(test_data_retry);
11919 ADD_ALL_TESTS(test_multi_resume, 4);
11920 return 1;
11921
11922 err:
11923 OPENSSL_free(cert);
11924 OPENSSL_free(privkey);
11925 OPENSSL_free(cert2);
11926 OPENSSL_free(privkey2);
11927 return 0;
11928 }
11929
11930 void cleanup_tests(void)
11931 {
11932 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11933 EVP_PKEY_free(tmp_dh_params);
11934 #endif
11935 OPENSSL_free(cert);
11936 OPENSSL_free(privkey);
11937 OPENSSL_free(cert2);
11938 OPENSSL_free(privkey2);
11939 OPENSSL_free(cert1024);
11940 OPENSSL_free(privkey1024);
11941 OPENSSL_free(cert3072);
11942 OPENSSL_free(privkey3072);
11943 OPENSSL_free(cert4096);
11944 OPENSSL_free(privkey4096);
11945 OPENSSL_free(cert8192);
11946 OPENSSL_free(privkey8192);
11947 bio_s_mempacket_test_free();
11948 bio_s_always_retry_free();
11949 bio_s_maybe_retry_free();
11950 OSSL_PROVIDER_unload(defctxnull);
11951 OSSL_LIB_CTX_free(libctx);
11952 }
A mirror of the official openssl repository