]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/sslapitest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Remove tests dependence on e_os.h
[thirdparty/openssl.git] / test / sslapitest.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17
18 #include "ssltestlib.h"
19 #include "testutil.h"
20 #include <internal/nelem.h>
21 #include "../ssl/ssl_locl.h"
22
23 static char *cert = NULL;
24 static char *privkey = NULL;
25
26 #define LOG_BUFFER_SIZE 1024
27 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
28 static size_t server_log_buffer_index = 0;
29 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
30 static size_t client_log_buffer_index = 0;
31 static int error_writing_log = 0;
32
33 #ifndef OPENSSL_NO_OCSP
34 static const unsigned char orespder[] = "Dummy OCSP Response";
35 static int ocsp_server_called = 0;
36 static int ocsp_client_called = 0;
37
38 static int cdummyarg = 1;
39 static X509 *ocspcert = NULL;
40 #endif
41
42 #define NUM_EXTRA_CERTS 40
43
44 /*
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
47 */
48 struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
55 };
56
57
58 static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
62 };
63
64 static unsigned char serverinfov2[] = {
65 0x00, 0x00, 0x00,
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
70 };
71
72 static void client_keylog_callback(const SSL *ssl, const char *line)
73 {
74 int line_length = strlen(line);
75
76 /* If the log doesn't fit, error out. */
77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
79 error_writing_log = 1;
80 return;
81 }
82
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
85 client_log_buffer[client_log_buffer_index++] = '\n';
86 }
87
88 static void server_keylog_callback(const SSL *ssl, const char *line)
89 {
90 int line_length = strlen(line);
91
92 /* If the log doesn't fit, error out. */
93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
94 TEST_info("Server log too full");
95 error_writing_log = 1;
96 return;
97 }
98
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
101 server_log_buffer[server_log_buffer_index++] = '\n';
102 }
103
104 static int compare_hex_encoded_buffer(const char *hex_encoded,
105 size_t hex_length,
106 const uint8_t *raw,
107 size_t raw_length)
108 {
109 size_t i, j;
110 char hexed[3];
111
112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
113 return 1;
114
115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
116 sprintf(hexed, "%02x", raw[i]);
117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
119 return 1;
120 }
121
122 return 0;
123 }
124
125 static int test_keylog_output(char *buffer, const SSL *ssl,
126 const SSL_SESSION *session,
127 struct sslapitest_log_counts *expected)
128 {
129 char *token = NULL;
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
140
141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
143 if (strcmp(token, "RSA") == 0) {
144 /*
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
146 * hex-encoded encrypted secret, then the hex-encoded pre-master
147 * secret.
148 */
149 if (!TEST_ptr(token = strtok(NULL, " \n")))
150 return 0;
151 if (!TEST_size_t_eq(strlen(token), 16))
152 return 0;
153 if (!TEST_ptr(token = strtok(NULL, " \n")))
154 return 0;
155 /*
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
159 */
160 rsa_key_exchange_count++;
161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
162 /*
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
164 * client random, then the hex-encoded master secret.
165 */
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
168 SSL3_RANDOM_SIZE);
169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
170 return 0;
171
172 if (!TEST_ptr(token = strtok(NULL, " \n")))
173 return 0;
174 if (!TEST_size_t_eq(strlen(token), 64))
175 return 0;
176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
179 return 0;
180
181 if (!TEST_ptr(token = strtok(NULL, " \n")))
182 return 0;
183 master_key_size = SSL_SESSION_get_master_key(session,
184 actual_master_key,
185 master_key_size);
186 if (!TEST_size_t_ne(master_key_size, 0))
187 return 0;
188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
189 actual_master_key,
190 master_key_size)))
191 return 0;
192 master_secret_count++;
193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
197 /*
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
202 */
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
211
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
214 SSL3_RANDOM_SIZE);
215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
216 return 0;
217
218 if (!TEST_ptr(token = strtok(NULL, " \n")))
219 return 0;
220 if (!TEST_size_t_eq(strlen(token), 64))
221 return 0;
222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
225 return 0;
226
227 if (!TEST_ptr(token = strtok(NULL, " \n")))
228 return 0;
229
230 /*
231 * TODO(TLS1.3): test that application traffic secrets are what
232 * we expect */
233 } else {
234 TEST_info("Unexpected token %s\n", token);
235 return 0;
236 }
237 }
238
239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
252 return 0;
253 return 1;
254 }
255
256 static int test_keylog(void)
257 {
258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
260 int testresult = 0;
261 struct sslapitest_log_counts expected = {0};
262
263 /* Clean up logging space */
264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
269
270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
271 TLS_client_method(),
272 &sctx, &cctx, cert, privkey)))
273 return 0;
274
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
278
279 /* We also want to ensure that we use RSA-based key exchange. */
280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
281 goto end;
282
283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
285 goto end;
286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
289 goto end;
290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
293 goto end;
294
295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
299 SSL_ERROR_NONE))
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
303 goto end;
304
305 /*
306 * Now we want to test that our output data was vaguely sensible. We
307 * do that by using strtok and confirming that we have more or less the
308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
310 */
311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
315 goto end;
316
317 expected.rsa_key_exchange_count = 0;
318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
320 goto end;
321
322 testresult = 1;
323
324 end:
325 SSL_free(serverssl);
326 SSL_free(clientssl);
327 SSL_CTX_free(sctx);
328 SSL_CTX_free(cctx);
329
330 return testresult;
331 }
332
333 #ifndef OPENSSL_NO_TLS1_3
334 static int test_keylog_no_master_key(void)
335 {
336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
338 int testresult = 0;
339 struct sslapitest_log_counts expected = {0};
340
341 /* Clean up logging space */
342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
347
348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
351 return 0;
352
353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
355 goto end;
356
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
360 goto end;
361
362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
365 goto end;
366
367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
371 SSL_ERROR_NONE))
372 || !TEST_false(error_writing_log))
373 goto end;
374
375 /*
376 * Now we want to test that our output data was vaguely sensible. For this
377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
378 * TLSv1.3, but we do expect both client and server to emit keys.
379 */
380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
388 &expected)))
389 goto end;
390
391 testresult = 1;
392
393 end:
394 SSL_free(serverssl);
395 SSL_free(clientssl);
396 SSL_CTX_free(sctx);
397 SSL_CTX_free(cctx);
398
399 return testresult;
400 }
401 #endif
402
403 #ifndef OPENSSL_NO_TLS1_2
404 static int full_early_callback(SSL *s, int *al, void *arg)
405 {
406 int *ctr = arg;
407 const unsigned char *p;
408 int *exts;
409 /* We only configure two ciphers, but the SCSV is added automatically. */
410 #ifdef OPENSSL_NO_EC
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
412 #else
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
414 0x2c, 0x00, 0xff};
415 #endif
416 const int expected_extensions[] = {
417 #ifndef OPENSSL_NO_EC
418 11, 10,
419 #endif
420 35, 13, 22, 23};
421 size_t len;
422
423 /* Make sure we can defer processing and get called back. */
424 if ((*ctr)++ == 0)
425 return -1;
426
427 len = SSL_early_get0_ciphers(s, &p);
428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
429 || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
430 || !TEST_int_eq(*p, 0))
431 return 0;
432 if (!SSL_early_get1_extensions_present(s, &exts, &len))
433 return 0;
434 if (len != OSSL_NELEM(expected_extensions) ||
435 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
436 printf("Early callback expected ClientHello extensions mismatch\n");
437 OPENSSL_free(exts);
438 return 0;
439 }
440 OPENSSL_free(exts);
441 return 1;
442 }
443
444 static int test_early_cb(void)
445 {
446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
448 int testctr = 0, testresult = 0;
449
450 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
451 TLS_client_method(), &sctx,
452 &cctx, cert, privkey)))
453 goto end;
454 SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
455
456 /* The gimpy cipher list we configure can't do TLS 1.3. */
457 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
458
459 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
460 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_false(create_ssl_connection(serverssl, clientssl,
464 SSL_ERROR_WANT_EARLY))
465 /*
466 * Passing a -1 literal is a hack since
467 * the real value was lost.
468 * */
469 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
471 SSL_ERROR_NONE)))
472 goto end;
473
474 testresult = 1;
475
476 end:
477 SSL_free(serverssl);
478 SSL_free(clientssl);
479 SSL_CTX_free(sctx);
480 SSL_CTX_free(cctx);
481
482 return testresult;
483 }
484 #endif
485
486 static int execute_test_large_message(const SSL_METHOD *smeth,
487 const SSL_METHOD *cmeth, int read_ahead)
488 {
489 SSL_CTX *cctx = NULL, *sctx = NULL;
490 SSL *clientssl = NULL, *serverssl = NULL;
491 int testresult = 0;
492 int i;
493 BIO *certbio = NULL;
494 X509 *chaincert = NULL;
495 int certlen;
496
497 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
498 goto end;
499 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
500 BIO_free(certbio);
501 certbio = NULL;
502 if (!TEST_ptr(chaincert))
503 goto end;
504
505 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
506 &cctx, cert, privkey)))
507 goto end;
508
509 if (read_ahead) {
510 /*
511 * Test that read_ahead works correctly when dealing with large
512 * records
513 */
514 SSL_CTX_set_read_ahead(cctx, 1);
515 }
516
517 /*
518 * We assume the supplied certificate is big enough so that if we add
519 * NUM_EXTRA_CERTS it will make the overall message large enough. The
520 * default buffer size is requested to be 16k, but due to the way BUF_MEM
521 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
522 * test we need to have a message larger than that.
523 */
524 certlen = i2d_X509(chaincert, NULL);
525 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
526 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
527 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
528 if (!X509_up_ref(chaincert))
529 goto end;
530 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
531 X509_free(chaincert);
532 goto end;
533 }
534 }
535
536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
537 NULL, NULL))
538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
539 SSL_ERROR_NONE)))
540 goto end;
541
542 /*
543 * Calling SSL_clear() first is not required but this tests that SSL_clear()
544 * doesn't leak (when using enable-crypto-mdebug).
545 */
546 if (!TEST_true(SSL_clear(serverssl)))
547 goto end;
548
549 testresult = 1;
550 end:
551 X509_free(chaincert);
552 SSL_free(serverssl);
553 SSL_free(clientssl);
554 SSL_CTX_free(sctx);
555 SSL_CTX_free(cctx);
556
557 return testresult;
558 }
559
560 static int test_large_message_tls(void)
561 {
562 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
563 0);
564 }
565
566 static int test_large_message_tls_read_ahead(void)
567 {
568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
569 1);
570 }
571
572 #ifndef OPENSSL_NO_DTLS
573 static int test_large_message_dtls(void)
574 {
575 /*
576 * read_ahead is not relevant to DTLS because DTLS always acts as if
577 * read_ahead is set.
578 */
579 return execute_test_large_message(DTLS_server_method(),
580 DTLS_client_method(), 0);
581 }
582 #endif
583
584 #ifndef OPENSSL_NO_OCSP
585 static int ocsp_server_cb(SSL *s, void *arg)
586 {
587 int *argi = (int *)arg;
588 unsigned char *copy = NULL;
589 STACK_OF(OCSP_RESPID) *ids = NULL;
590 OCSP_RESPID *id = NULL;
591
592 if (*argi == 2) {
593 /* In this test we are expecting exactly 1 OCSP_RESPID */
594 SSL_get_tlsext_status_ids(s, &ids);
595 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
596 return SSL_TLSEXT_ERR_ALERT_FATAL;
597
598 id = sk_OCSP_RESPID_value(ids, 0);
599 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
600 return SSL_TLSEXT_ERR_ALERT_FATAL;
601 } else if (*argi != 1) {
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 }
604
605 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607
608 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
609 ocsp_server_called = 1;
610 return SSL_TLSEXT_ERR_OK;
611 }
612
613 static int ocsp_client_cb(SSL *s, void *arg)
614 {
615 int *argi = (int *)arg;
616 const unsigned char *respderin;
617 size_t len;
618
619 if (*argi != 1 && *argi != 2)
620 return 0;
621
622 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
623 if (!TEST_mem_eq(orespder, len, respderin, len))
624 return 0;
625
626 ocsp_client_called = 1;
627 return 1;
628 }
629
630 static int test_tlsext_status_type(void)
631 {
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
634 int testresult = 0;
635 STACK_OF(OCSP_RESPID) *ids = NULL;
636 OCSP_RESPID *id = NULL;
637 BIO *certbio = NULL;
638
639 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
640 &cctx, cert, privkey))
641 return 0;
642
643 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
644 goto end;
645
646 /* First just do various checks getting and setting tlsext_status_type */
647
648 clientssl = SSL_new(cctx);
649 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
650 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
651 TLSEXT_STATUSTYPE_ocsp))
652 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
653 TLSEXT_STATUSTYPE_ocsp))
654 goto end;
655
656 SSL_free(clientssl);
657 clientssl = NULL;
658
659 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
660 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
661 goto end;
662
663 clientssl = SSL_new(cctx);
664 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
665 goto end;
666 SSL_free(clientssl);
667 clientssl = NULL;
668
669 /*
670 * Now actually do a handshake and check OCSP information is exchanged and
671 * the callbacks get called
672 */
673 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
674 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
675 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
676 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
678 &clientssl, NULL, NULL))
679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
680 SSL_ERROR_NONE))
681 || !TEST_true(ocsp_client_called)
682 || !TEST_true(ocsp_server_called))
683 goto end;
684 SSL_free(serverssl);
685 SSL_free(clientssl);
686 serverssl = NULL;
687 clientssl = NULL;
688
689 /* Try again but this time force the server side callback to fail */
690 ocsp_client_called = 0;
691 ocsp_server_called = 0;
692 cdummyarg = 0;
693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
694 &clientssl, NULL, NULL))
695 /* This should fail because the callback will fail */
696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
697 SSL_ERROR_NONE))
698 || !TEST_false(ocsp_client_called)
699 || !TEST_false(ocsp_server_called))
700 goto end;
701 SSL_free(serverssl);
702 SSL_free(clientssl);
703 serverssl = NULL;
704 clientssl = NULL;
705
706 /*
707 * This time we'll get the client to send an OCSP_RESPID that it will
708 * accept.
709 */
710 ocsp_client_called = 0;
711 ocsp_server_called = 0;
712 cdummyarg = 2;
713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
714 &clientssl, NULL, NULL)))
715 goto end;
716
717 /*
718 * We'll just use any old cert for this test - it doesn't have to be an OCSP
719 * specific one. We'll use the server cert.
720 */
721 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
722 || !TEST_ptr(id = OCSP_RESPID_new())
723 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
724 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
725 NULL, NULL, NULL))
726 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
727 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
728 goto end;
729 id = NULL;
730 SSL_set_tlsext_status_ids(clientssl, ids);
731 /* Control has been transferred */
732 ids = NULL;
733
734 BIO_free(certbio);
735 certbio = NULL;
736
737 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
738 SSL_ERROR_NONE))
739 || !TEST_true(ocsp_client_called)
740 || !TEST_true(ocsp_server_called))
741 goto end;
742
743 testresult = 1;
744
745 end:
746 SSL_free(serverssl);
747 SSL_free(clientssl);
748 SSL_CTX_free(sctx);
749 SSL_CTX_free(cctx);
750 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
751 OCSP_RESPID_free(id);
752 BIO_free(certbio);
753 X509_free(ocspcert);
754 ocspcert = NULL;
755
756 return testresult;
757 }
758 #endif
759
760 static int new_called = 0, remove_called = 0;
761
762 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
763 {
764 new_called++;
765 /*
766 * sess has been up-refed for us, but we don't actually need it so free it
767 * immediately.
768 */
769 SSL_SESSION_free(sess);
770 return 1;
771 }
772
773 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
774 {
775 remove_called++;
776 }
777
778 static SSL_SESSION *get_sess_val = NULL;
779
780 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
781 int *copy)
782 {
783 *copy = 1;
784 return get_sess_val;
785 }
786
787
788 static int execute_test_session(int maxprot, int use_int_cache,
789 int use_ext_cache)
790 {
791 SSL_CTX *sctx = NULL, *cctx = NULL;
792 SSL *serverssl1 = NULL, *clientssl1 = NULL;
793 SSL *serverssl2 = NULL, *clientssl2 = NULL;
794 #ifndef OPENSSL_NO_TLS1_1
795 SSL *serverssl3 = NULL, *clientssl3 = NULL;
796 #endif
797 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
798 int testresult = 0;
799
800 new_called = remove_called = 0;
801
802 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
803 TLS_client_method(), &sctx,
804 &cctx, cert, privkey)))
805 return 0;
806
807 /*
808 * Only allow the max protocol version so we can force a connection failure
809 * later
810 */
811 SSL_CTX_set_min_proto_version(cctx, maxprot);
812 SSL_CTX_set_max_proto_version(cctx, maxprot);
813
814 /* Set up session cache */
815 if (use_ext_cache) {
816 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
817 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
818 }
819 if (use_int_cache) {
820 /* Also covers instance where both are set */
821 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
822 } else {
823 SSL_CTX_set_session_cache_mode(cctx,
824 SSL_SESS_CACHE_CLIENT
825 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
826 }
827
828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
829 NULL, NULL))
830 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
831 SSL_ERROR_NONE))
832 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
833 goto end;
834
835 /* Should fail because it should already be in the cache */
836 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
837 goto end;
838 if (use_ext_cache
839 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
840 goto end;
841
842 new_called = remove_called = 0;
843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
844 &clientssl2, NULL, NULL))
845 || !TEST_true(SSL_set_session(clientssl2, sess1))
846 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
847 SSL_ERROR_NONE))
848 || !TEST_true(SSL_session_reused(clientssl2)))
849 goto end;
850
851 if (maxprot == TLS1_3_VERSION) {
852 /*
853 * In TLSv1.3 we should have created a new session even though we have
854 * resumed. The original session should also have been removed.
855 */
856 if (use_ext_cache
857 && (!TEST_int_eq(new_called, 1)
858 || !TEST_int_eq(remove_called, 1)))
859 goto end;
860 } else {
861 /*
862 * In TLSv1.2 we expect to have resumed so no sessions added or
863 * removed.
864 */
865 if (use_ext_cache
866 && (!TEST_int_eq(new_called, 0)
867 || !TEST_int_eq(remove_called, 0)))
868 goto end;
869 }
870
871 SSL_SESSION_free(sess1);
872 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
873 goto end;
874 shutdown_ssl_connection(serverssl2, clientssl2);
875 serverssl2 = clientssl2 = NULL;
876
877 new_called = remove_called = 0;
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
879 &clientssl2, NULL, NULL))
880 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
881 SSL_ERROR_NONE)))
882 goto end;
883
884 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
885 goto end;
886
887 if (use_ext_cache
888 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
889 goto end;
890
891 new_called = remove_called = 0;
892 /*
893 * This should clear sess2 from the cache because it is a "bad" session.
894 * See SSL_set_session() documentation.
895 */
896 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
897 goto end;
898 if (use_ext_cache
899 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
900 goto end;
901 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
902 goto end;
903
904 if (use_int_cache) {
905 /* Should succeeded because it should not already be in the cache */
906 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
907 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
908 goto end;
909 }
910
911 new_called = remove_called = 0;
912 /* This shouldn't be in the cache so should fail */
913 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
914 goto end;
915
916 if (use_ext_cache
917 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
918 goto end;
919
920 #if !defined(OPENSSL_NO_TLS1_1)
921 new_called = remove_called = 0;
922 /* Force a connection failure */
923 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
925 &clientssl3, NULL, NULL))
926 || !TEST_true(SSL_set_session(clientssl3, sess1))
927 /* This should fail because of the mismatched protocol versions */
928 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
929 SSL_ERROR_NONE)))
930 goto end;
931
932 /* We should have automatically removed the session from the cache */
933 if (use_ext_cache
934 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
935 goto end;
936
937 /* Should succeed because it should not already be in the cache */
938 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
939 goto end;
940 #endif
941
942 /* Now do some tests for server side caching */
943 if (use_ext_cache) {
944 SSL_CTX_sess_set_new_cb(cctx, NULL);
945 SSL_CTX_sess_set_remove_cb(cctx, NULL);
946 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
947 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
948 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
949 get_sess_val = NULL;
950 }
951
952 SSL_CTX_set_session_cache_mode(cctx, 0);
953 /* Internal caching is the default on the server side */
954 if (!use_int_cache)
955 SSL_CTX_set_session_cache_mode(sctx,
956 SSL_SESS_CACHE_SERVER
957 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
958
959 SSL_free(serverssl1);
960 SSL_free(clientssl1);
961 serverssl1 = clientssl1 = NULL;
962 SSL_free(serverssl2);
963 SSL_free(clientssl2);
964 serverssl2 = clientssl2 = NULL;
965 SSL_SESSION_free(sess1);
966 sess1 = NULL;
967 SSL_SESSION_free(sess2);
968 sess2 = NULL;
969
970 SSL_CTX_set_max_proto_version(sctx, maxprot);
971 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
972 new_called = remove_called = 0;
973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
974 NULL, NULL))
975 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
976 SSL_ERROR_NONE))
977 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
978 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
979 goto end;
980
981 /* Should fail because it should already be in the cache */
982 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
983 goto end;
984
985 if (use_ext_cache) {
986 SSL_SESSION *tmp = sess2;
987
988 if (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0))
989 goto end;
990 /*
991 * Delete the session from the internal cache to force a lookup from
992 * the external cache. We take a copy first because
993 * SSL_CTX_remove_session() also marks the session as non-resumable.
994 */
995 if (use_int_cache) {
996 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
997 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
998 goto end;
999 SSL_SESSION_free(sess2);
1000 }
1001 sess2 = tmp;
1002 }
1003
1004 new_called = remove_called = 0;
1005 get_sess_val = sess2;
1006 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1007 &clientssl2, NULL, NULL))
1008 || !TEST_true(SSL_set_session(clientssl2, sess1))
1009 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1010 SSL_ERROR_NONE))
1011 || !TEST_true(SSL_session_reused(clientssl2)))
1012 goto end;
1013
1014 if (use_ext_cache
1015 && (!TEST_int_eq(new_called, 0)
1016 || !TEST_int_eq(remove_called, 0)))
1017 goto end;
1018
1019 testresult = 1;
1020
1021 end:
1022 SSL_free(serverssl1);
1023 SSL_free(clientssl1);
1024 SSL_free(serverssl2);
1025 SSL_free(clientssl2);
1026 #ifndef OPENSSL_NO_TLS1_1
1027 SSL_free(serverssl3);
1028 SSL_free(clientssl3);
1029 #endif
1030 SSL_SESSION_free(sess1);
1031 SSL_SESSION_free(sess2);
1032 SSL_CTX_free(sctx);
1033 SSL_CTX_free(cctx);
1034
1035 return testresult;
1036 }
1037
1038 static int test_session_with_only_int_cache(void)
1039 {
1040 #ifndef OPENSSL_NO_TLS1_3
1041 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1042 return 0;
1043 #endif
1044
1045 #ifndef OPENSSL_NO_TLS1_2
1046 return execute_test_session(TLS1_2_VERSION, 1, 0);
1047 #else
1048 return 1;
1049 #endif
1050 }
1051
1052 static int test_session_with_only_ext_cache(void)
1053 {
1054 #ifndef OPENSSL_NO_TLS1_3
1055 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1056 return 0;
1057 #endif
1058
1059 #ifndef OPENSSL_NO_TLS1_2
1060 return execute_test_session(TLS1_2_VERSION, 0, 1);
1061 #else
1062 return 1;
1063 #endif
1064 }
1065
1066 static int test_session_with_both_cache(void)
1067 {
1068 #ifndef OPENSSL_NO_TLS1_3
1069 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1070 return 0;
1071 #endif
1072
1073 #ifndef OPENSSL_NO_TLS1_2
1074 return execute_test_session(TLS1_2_VERSION, 1, 1);
1075 #else
1076 return 1;
1077 #endif
1078 }
1079
1080 #define USE_NULL 0
1081 #define USE_BIO_1 1
1082 #define USE_BIO_2 2
1083
1084 #define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1085
1086 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1087 {
1088 switch (type) {
1089 case USE_NULL:
1090 *res = NULL;
1091 break;
1092 case USE_BIO_1:
1093 *res = bio1;
1094 break;
1095 case USE_BIO_2:
1096 *res = bio2;
1097 break;
1098 }
1099 }
1100
1101 static int test_ssl_set_bio(int idx)
1102 {
1103 SSL_CTX *ctx;
1104 BIO *bio1 = NULL;
1105 BIO *bio2 = NULL;
1106 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1107 SSL *ssl = NULL;
1108 int initrbio, initwbio, newrbio, newwbio;
1109 int testresult = 0;
1110
1111 initrbio = idx % 3;
1112 idx /= 3;
1113 initwbio = idx % 3;
1114 idx /= 3;
1115 newrbio = idx % 3;
1116 idx /= 3;
1117 newwbio = idx;
1118 if (!TEST_int_le(newwbio, 2))
1119 return 0;
1120
1121 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1122 || !TEST_ptr(ssl = SSL_new(ctx)))
1123 goto end;
1124
1125 if (initrbio == USE_BIO_1
1126 || initwbio == USE_BIO_1
1127 || newrbio == USE_BIO_1
1128 || newwbio == USE_BIO_1) {
1129 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1130 goto end;
1131 }
1132
1133 if (initrbio == USE_BIO_2
1134 || initwbio == USE_BIO_2
1135 || newrbio == USE_BIO_2
1136 || newwbio == USE_BIO_2) {
1137 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1138 goto end;
1139 }
1140
1141 setupbio(&irbio, bio1, bio2, initrbio);
1142 setupbio(&iwbio, bio1, bio2, initwbio);
1143
1144 /*
1145 * We want to maintain our own refs to these BIO, so do an up ref for each
1146 * BIO that will have ownership transferred in the SSL_set_bio() call
1147 */
1148 if (irbio != NULL)
1149 BIO_up_ref(irbio);
1150 if (iwbio != NULL && iwbio != irbio)
1151 BIO_up_ref(iwbio);
1152
1153 SSL_set_bio(ssl, irbio, iwbio);
1154
1155 setupbio(&nrbio, bio1, bio2, newrbio);
1156 setupbio(&nwbio, bio1, bio2, newwbio);
1157
1158 /*
1159 * We will (maybe) transfer ownership again so do more up refs.
1160 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1161 * already been set!
1162 */
1163 if (nrbio != NULL
1164 && nrbio != irbio
1165 && (nwbio != iwbio || nrbio != nwbio))
1166 BIO_up_ref(nrbio);
1167 if (nwbio != NULL
1168 && nwbio != nrbio
1169 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1170 BIO_up_ref(nwbio);
1171
1172 SSL_set_bio(ssl, nrbio, nwbio);
1173
1174 testresult = 1;
1175
1176 end:
1177 SSL_free(ssl);
1178 BIO_free(bio1);
1179 BIO_free(bio2);
1180
1181 /*
1182 * This test is checking that the ref counting for SSL_set_bio is correct.
1183 * If we get here and we did too many frees then we will fail in the above
1184 * functions. If we haven't done enough then this will only be detected in
1185 * a crypto-mdebug build
1186 */
1187 SSL_CTX_free(ctx);
1188 return testresult;
1189 }
1190
1191 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1192
1193 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1194 {
1195 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1196 SSL_CTX *ctx;
1197 SSL *ssl = NULL;
1198 int testresult = 0;
1199
1200 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1201 || !TEST_ptr(ssl = SSL_new(ctx))
1202 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1203 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1204 goto end;
1205
1206 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1207
1208 /*
1209 * If anything goes wrong here then we could leak memory, so this will
1210 * be caught in a crypto-mdebug build
1211 */
1212 BIO_push(sslbio, membio1);
1213
1214 /* Verify changing the rbio/wbio directly does not cause leaks */
1215 if (change_bio != NO_BIO_CHANGE) {
1216 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1217 goto end;
1218 if (change_bio == CHANGE_RBIO)
1219 SSL_set0_rbio(ssl, membio2);
1220 else
1221 SSL_set0_wbio(ssl, membio2);
1222 }
1223 ssl = NULL;
1224
1225 if (pop_ssl)
1226 BIO_pop(sslbio);
1227 else
1228 BIO_pop(membio1);
1229
1230 testresult = 1;
1231 end:
1232 BIO_free(membio1);
1233 BIO_free(sslbio);
1234 SSL_free(ssl);
1235 SSL_CTX_free(ctx);
1236
1237 return testresult;
1238 }
1239
1240 static int test_ssl_bio_pop_next_bio(void)
1241 {
1242 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1243 }
1244
1245 static int test_ssl_bio_pop_ssl_bio(void)
1246 {
1247 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1248 }
1249
1250 static int test_ssl_bio_change_rbio(void)
1251 {
1252 return execute_test_ssl_bio(0, CHANGE_RBIO);
1253 }
1254
1255 static int test_ssl_bio_change_wbio(void)
1256 {
1257 return execute_test_ssl_bio(0, CHANGE_WBIO);
1258 }
1259
1260 typedef struct {
1261 /* The list of sig algs */
1262 const int *list;
1263 /* The length of the list */
1264 size_t listlen;
1265 /* A sigalgs list in string format */
1266 const char *liststr;
1267 /* Whether setting the list should succeed */
1268 int valid;
1269 /* Whether creating a connection with the list should succeed */
1270 int connsuccess;
1271 } sigalgs_list;
1272
1273 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1274 #ifndef OPENSSL_NO_EC
1275 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1276 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1277 #endif
1278 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1279 static const int invalidlist2[] = {NID_sha256, NID_undef};
1280 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1281 static const int invalidlist4[] = {NID_sha256};
1282 static const sigalgs_list testsigalgs[] = {
1283 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1284 #ifndef OPENSSL_NO_EC
1285 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1286 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1287 #endif
1288 {NULL, 0, "RSA+SHA256", 1, 1},
1289 #ifndef OPENSSL_NO_EC
1290 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1291 {NULL, 0, "ECDSA+SHA512", 1, 0},
1292 #endif
1293 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1294 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1295 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1296 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1297 {NULL, 0, "RSA", 0, 0},
1298 {NULL, 0, "SHA256", 0, 0},
1299 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1300 {NULL, 0, "Invalid", 0, 0}
1301 };
1302
1303 static int test_set_sigalgs(int idx)
1304 {
1305 SSL_CTX *cctx = NULL, *sctx = NULL;
1306 SSL *clientssl = NULL, *serverssl = NULL;
1307 int testresult = 0;
1308 const sigalgs_list *curr;
1309 int testctx;
1310
1311 /* Should never happen */
1312 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1313 return 0;
1314
1315 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1316 curr = testctx ? &testsigalgs[idx]
1317 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1318
1319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1320 TLS_client_method(), &sctx,
1321 &cctx, cert, privkey)))
1322 return 0;
1323
1324 /*
1325 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1326 * for TLSv1.2 for now until we add a new API.
1327 */
1328 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1329
1330 if (testctx) {
1331 int ret;
1332
1333 if (curr->list != NULL)
1334 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1335 else
1336 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1337
1338 if (!ret) {
1339 if (curr->valid)
1340 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1341 else
1342 testresult = 1;
1343 goto end;
1344 }
1345 if (!curr->valid) {
1346 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1347 goto end;
1348 }
1349 }
1350
1351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1352 &clientssl, NULL, NULL)))
1353 goto end;
1354
1355 if (!testctx) {
1356 int ret;
1357
1358 if (curr->list != NULL)
1359 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1360 else
1361 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1362 if (!ret) {
1363 if (curr->valid)
1364 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1365 else
1366 testresult = 1;
1367 goto end;
1368 }
1369 if (!curr->valid)
1370 goto end;
1371 }
1372
1373 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1374 SSL_ERROR_NONE),
1375 curr->connsuccess))
1376 goto end;
1377
1378 testresult = 1;
1379
1380 end:
1381 SSL_free(serverssl);
1382 SSL_free(clientssl);
1383 SSL_CTX_free(sctx);
1384 SSL_CTX_free(cctx);
1385
1386 return testresult;
1387 }
1388
1389 #ifndef OPENSSL_NO_TLS1_3
1390
1391 #define MSG1 "Hello"
1392 #define MSG2 "World."
1393 #define MSG3 "This"
1394 #define MSG4 "is"
1395 #define MSG5 "a"
1396 #define MSG6 "test"
1397 #define MSG7 "message."
1398
1399 /*
1400 * Helper method to setup objects for early data test. Caller frees objects on
1401 * error.
1402 */
1403 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
1404 SSL **serverssl, SSL_SESSION **sess, int idx)
1405 {
1406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1407 TLS_client_method(), sctx,
1408 cctx, cert, privkey)))
1409 return 0;
1410
1411 /* When idx == 1 we repeat the tests with read_ahead set */
1412 if (idx > 0) {
1413 SSL_CTX_set_read_ahead(*cctx, 1);
1414 SSL_CTX_set_read_ahead(*sctx, 1);
1415 }
1416
1417 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
1418 NULL, NULL))
1419 || !TEST_true(create_ssl_connection(*serverssl, *clientssl,
1420 SSL_ERROR_NONE)))
1421 return 0;
1422
1423 *sess = SSL_get1_session(*clientssl);
1424 SSL_shutdown(*clientssl);
1425 SSL_shutdown(*serverssl);
1426 SSL_free(*serverssl);
1427 SSL_free(*clientssl);
1428 *serverssl = *clientssl = NULL;
1429
1430 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1431 clientssl, NULL, NULL))
1432 || !TEST_true(SSL_set_session(*clientssl, *sess)))
1433 return 0;
1434
1435 return 1;
1436 }
1437
1438 static int test_early_data_read_write(int idx)
1439 {
1440 SSL_CTX *cctx = NULL, *sctx = NULL;
1441 SSL *clientssl = NULL, *serverssl = NULL;
1442 int testresult = 0;
1443 SSL_SESSION *sess = NULL;
1444 unsigned char buf[20], data[1024];
1445 size_t readbytes, written, eoedlen, rawread, rawwritten;
1446 BIO *rbio;
1447
1448 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1449 &serverssl, &sess, idx)))
1450 goto end;
1451
1452 /* Write and read some early data */
1453 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1454 &written))
1455 || !TEST_size_t_eq(written, strlen(MSG1))
1456 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1457 sizeof(buf), &readbytes),
1458 SSL_READ_EARLY_DATA_SUCCESS)
1459 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1460 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1461 SSL_EARLY_DATA_ACCEPTED))
1462 goto end;
1463
1464 /*
1465 * Server should be able to write data, and client should be able to
1466 * read it.
1467 */
1468 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1469 &written))
1470 || !TEST_size_t_eq(written, strlen(MSG2))
1471 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1472 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1473 goto end;
1474
1475 /* Even after reading normal data, client should be able write early data */
1476 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1477 &written))
1478 || !TEST_size_t_eq(written, strlen(MSG3)))
1479 goto end;
1480
1481 /* Server should still be able read early data after writing data */
1482 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1483 &readbytes),
1484 SSL_READ_EARLY_DATA_SUCCESS)
1485 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
1486 goto end;
1487
1488 /* Write more data from server and read it from client */
1489 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1490 &written))
1491 || !TEST_size_t_eq(written, strlen(MSG4))
1492 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1493 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
1494 goto end;
1495
1496 /*
1497 * If client writes normal data it should mean writing early data is no
1498 * longer possible.
1499 */
1500 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1501 || !TEST_size_t_eq(written, strlen(MSG5))
1502 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1503 SSL_EARLY_DATA_ACCEPTED))
1504 goto end;
1505
1506 /*
1507 * At this point the client has written EndOfEarlyData, ClientFinished and
1508 * normal (fully protected) data. We are going to cause a delay between the
1509 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1510 * in the read BIO, and then just put back the EndOfEarlyData message.
1511 */
1512 rbio = SSL_get_rbio(serverssl);
1513 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1514 || !TEST_size_t_lt(rawread, sizeof(data))
1515 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
1516 goto end;
1517
1518 /* Record length is in the 4th and 5th bytes of the record header */
1519 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
1520 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1521 || !TEST_size_t_eq(rawwritten, eoedlen))
1522 goto end;
1523
1524 /* Server should be told that there is no more early data */
1525 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1526 &readbytes),
1527 SSL_READ_EARLY_DATA_FINISH)
1528 || !TEST_size_t_eq(readbytes, 0))
1529 goto end;
1530
1531 /*
1532 * Server has not finished init yet, so should still be able to write early
1533 * data.
1534 */
1535 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1536 &written))
1537 || !TEST_size_t_eq(written, strlen(MSG6)))
1538 goto end;
1539
1540 /* Push the ClientFinished and the normal data back into the server rbio */
1541 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1542 &rawwritten))
1543 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
1544 goto end;
1545
1546 /* Server should be able to read normal data */
1547 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1548 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1549 goto end;
1550
1551 /* Client and server should not be able to write/read early data now */
1552 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1553 &written)))
1554 goto end;
1555 ERR_clear_error();
1556 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1557 &readbytes),
1558 SSL_READ_EARLY_DATA_ERROR))
1559 goto end;
1560 ERR_clear_error();
1561
1562 /* Client should be able to read the data sent by the server */
1563 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1564 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
1565 goto end;
1566
1567 /*
1568 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1569 * We attempt a read which we do not expect to return any data.
1570 */
1571 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1572 goto end;
1573
1574 /* Server should be able to write normal data */
1575 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1576 || !TEST_size_t_eq(written, strlen(MSG7))
1577 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1578 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
1579 goto end;
1580
1581 SSL_SESSION_free(sess);
1582 sess = SSL_get1_session(clientssl);
1583
1584 SSL_shutdown(clientssl);
1585 SSL_shutdown(serverssl);
1586 SSL_free(serverssl);
1587 SSL_free(clientssl);
1588 serverssl = clientssl = NULL;
1589 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1590 &clientssl, NULL, NULL))
1591 || !TEST_true(SSL_set_session(clientssl, sess)))
1592 goto end;
1593
1594 /* Write and read some early data */
1595 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1596 &written))
1597 || !TEST_size_t_eq(written, strlen(MSG1))
1598 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1599 &readbytes),
1600 SSL_READ_EARLY_DATA_SUCCESS)
1601 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
1602 goto end;
1603
1604 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1605 || !TEST_int_gt(SSL_accept(serverssl), 0))
1606 goto end;
1607
1608 /* Client and server should not be able to write/read early data now */
1609 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1610 &written)))
1611 goto end;
1612 ERR_clear_error();
1613 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1614 &readbytes),
1615 SSL_READ_EARLY_DATA_ERROR))
1616 goto end;
1617 ERR_clear_error();
1618
1619 /* Client and server should be able to write/read normal data */
1620 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1621 || !TEST_size_t_eq(written, strlen(MSG5))
1622 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1623 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
1624 goto end;
1625
1626 testresult = 1;
1627
1628 end:
1629 SSL_SESSION_free(sess);
1630 SSL_free(serverssl);
1631 SSL_free(clientssl);
1632 SSL_CTX_free(sctx);
1633 SSL_CTX_free(cctx);
1634 return testresult;
1635 }
1636
1637 /*
1638 * Helper function to test that a server attempting to read early data can
1639 * handle a connection from a client where the early data should be skipped.
1640 */
1641 static int early_data_skip_helper(int hrr, int idx)
1642 {
1643 SSL_CTX *cctx = NULL, *sctx = NULL;
1644 SSL *clientssl = NULL, *serverssl = NULL;
1645 int testresult = 0;
1646 SSL_SESSION *sess = NULL;
1647 unsigned char buf[20];
1648 size_t readbytes, written;
1649
1650 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1651 &serverssl, &sess, idx)))
1652 goto end;
1653
1654 if (hrr) {
1655 /* Force an HRR to occur */
1656 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1657 goto end;
1658 } else {
1659 /*
1660 * Deliberately corrupt the creation time. We take 20 seconds off the
1661 * time. It could be any value as long as it is not within tolerance.
1662 * This should mean the ticket is rejected.
1663 */
1664 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1665 goto end;
1666 }
1667
1668 /* Write some early data */
1669 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1670 &written))
1671 || !TEST_size_t_eq(written, strlen(MSG1)))
1672 goto end;
1673
1674 /* Server should reject the early data and skip over it */
1675 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1676 &readbytes),
1677 SSL_READ_EARLY_DATA_FINISH)
1678 || !TEST_size_t_eq(readbytes, 0)
1679 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1680 SSL_EARLY_DATA_REJECTED))
1681 goto end;
1682
1683 if (hrr) {
1684 /*
1685 * Finish off the handshake. We perform the same writes and reads as
1686 * further down but we expect them to fail due to the incomplete
1687 * handshake.
1688 */
1689 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1690 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1691 &readbytes)))
1692 goto end;
1693 }
1694
1695 /* Should be able to send normal data despite rejection of early data */
1696 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1697 || !TEST_size_t_eq(written, strlen(MSG2))
1698 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1699 SSL_EARLY_DATA_REJECTED)
1700 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1701 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1702 goto end;
1703
1704 testresult = 1;
1705
1706 end:
1707 SSL_SESSION_free(sess);
1708 SSL_free(serverssl);
1709 SSL_free(clientssl);
1710 SSL_CTX_free(sctx);
1711 SSL_CTX_free(cctx);
1712 return testresult;
1713 }
1714
1715 /*
1716 * Test that a server attempting to read early data can handle a connection
1717 * from a client where the early data is not acceptable.
1718 */
1719 static int test_early_data_skip(int idx)
1720 {
1721 return early_data_skip_helper(0, idx);
1722 }
1723
1724 /*
1725 * Test that a server attempting to read early data can handle a connection
1726 * from a client where an HRR occurs.
1727 */
1728 static int test_early_data_skip_hrr(int idx)
1729 {
1730 return early_data_skip_helper(1, idx);
1731 }
1732
1733 /*
1734 * Test that a server attempting to read early data can handle a connection
1735 * from a client that doesn't send any.
1736 */
1737 static int test_early_data_not_sent(int idx)
1738 {
1739 SSL_CTX *cctx = NULL, *sctx = NULL;
1740 SSL *clientssl = NULL, *serverssl = NULL;
1741 int testresult = 0;
1742 SSL_SESSION *sess = NULL;
1743 unsigned char buf[20];
1744 size_t readbytes, written;
1745
1746 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1747 &serverssl, &sess, idx)))
1748 goto end;
1749
1750 /* Write some data - should block due to handshake with server */
1751 SSL_set_connect_state(clientssl);
1752 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1753 goto end;
1754
1755 /* Server should detect that early data has not been sent */
1756 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1757 &readbytes),
1758 SSL_READ_EARLY_DATA_FINISH)
1759 || !TEST_size_t_eq(readbytes, 0)
1760 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1761 SSL_EARLY_DATA_NOT_SENT)
1762 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1763 SSL_EARLY_DATA_NOT_SENT))
1764 goto end;
1765
1766 /* Continue writing the message we started earlier */
1767 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1768 || !TEST_size_t_eq(written, strlen(MSG1))
1769 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1770 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1771 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1772 || !TEST_size_t_eq(written, strlen(MSG2)))
1773 goto end;
1774
1775 /*
1776 * Should block due to the NewSessionTicket arrival unless we're using
1777 * read_ahead
1778 */
1779 if (idx == 0) {
1780 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
1781 goto end;
1782 }
1783
1784 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1785 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1786 goto end;
1787
1788 testresult = 1;
1789
1790 end:
1791 SSL_SESSION_free(sess);
1792 SSL_free(serverssl);
1793 SSL_free(clientssl);
1794 SSL_CTX_free(sctx);
1795 SSL_CTX_free(cctx);
1796 return testresult;
1797 }
1798
1799 /*
1800 * Test that a server that doesn't try to read early data can handle a
1801 * client sending some.
1802 */
1803 static int test_early_data_not_expected(int idx)
1804 {
1805 SSL_CTX *cctx = NULL, *sctx = NULL;
1806 SSL *clientssl = NULL, *serverssl = NULL;
1807 int testresult = 0;
1808 SSL_SESSION *sess = NULL;
1809 unsigned char buf[20];
1810 size_t readbytes, written;
1811
1812
1813 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1814 &serverssl, &sess, idx)))
1815 goto end;
1816
1817 /* Write some early data */
1818 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1819 &written)))
1820 goto end;
1821
1822 /*
1823 * Server should skip over early data and then block waiting for client to
1824 * continue handshake
1825 */
1826 if (!TEST_int_le(SSL_accept(serverssl), 0)
1827 || !TEST_int_gt(SSL_connect(clientssl), 0)
1828 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1829 SSL_EARLY_DATA_REJECTED)
1830 || !TEST_int_gt(SSL_accept(serverssl), 0)
1831 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1832 SSL_EARLY_DATA_REJECTED))
1833 goto end;
1834
1835 /* Send some normal data from client to server */
1836 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1837 || !TEST_size_t_eq(written, strlen(MSG2)))
1838 goto end;
1839
1840 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1841 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1842 goto end;
1843
1844 testresult = 1;
1845
1846 end:
1847 SSL_SESSION_free(sess);
1848 SSL_free(serverssl);
1849 SSL_free(clientssl);
1850 SSL_CTX_free(sctx);
1851 SSL_CTX_free(cctx);
1852 return testresult;
1853 }
1854
1855
1856 # ifndef OPENSSL_NO_TLS1_2
1857 /*
1858 * Test that a server attempting to read early data can handle a connection
1859 * from a TLSv1.2 client.
1860 */
1861 static int test_early_data_tls1_2(int idx)
1862 {
1863 SSL_CTX *cctx = NULL, *sctx = NULL;
1864 SSL *clientssl = NULL, *serverssl = NULL;
1865 int testresult = 0;
1866 unsigned char buf[20];
1867 size_t readbytes, written;
1868
1869 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1870 TLS_client_method(), &sctx,
1871 &cctx, cert, privkey)))
1872 goto end;
1873
1874 /* When idx == 1 we repeat the tests with read_ahead set */
1875 if (idx > 0) {
1876 SSL_CTX_set_read_ahead(cctx, 1);
1877 SSL_CTX_set_read_ahead(sctx, 1);
1878 }
1879
1880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1881 &clientssl, NULL, NULL)))
1882 goto end;
1883
1884 /* Write some data - should block due to handshake with server */
1885 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
1886 SSL_set_connect_state(clientssl);
1887 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
1888 goto end;
1889
1890 /*
1891 * Server should do TLSv1.2 handshake. First it will block waiting for more
1892 * messages from client after ServerDone. Then SSL_read_early_data should
1893 * finish and detect that early data has not been sent
1894 */
1895 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1896 &readbytes),
1897 SSL_READ_EARLY_DATA_ERROR))
1898 goto end;
1899
1900 /*
1901 * Continue writing the message we started earlier. Will still block waiting
1902 * for the CCS/Finished from server
1903 */
1904 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1905 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1906 &readbytes),
1907 SSL_READ_EARLY_DATA_FINISH)
1908 || !TEST_size_t_eq(readbytes, 0)
1909 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1910 SSL_EARLY_DATA_NOT_SENT))
1911 goto end;
1912
1913 /* Continue writing the message we started earlier */
1914 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1915 || !TEST_size_t_eq(written, strlen(MSG1))
1916 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1917 SSL_EARLY_DATA_NOT_SENT)
1918 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1919 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1920 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
1921 || !TEST_size_t_eq(written, strlen(MSG2))
1922 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
1923 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
1924 goto end;
1925
1926 testresult = 1;
1927
1928 end:
1929 SSL_free(serverssl);
1930 SSL_free(clientssl);
1931 SSL_CTX_free(sctx);
1932 SSL_CTX_free(cctx);
1933
1934 return testresult;
1935 }
1936 # endif /* OPENSSL_NO_TLS1_2 */
1937
1938 static int test_ciphersuite_change(void)
1939 {
1940 SSL_CTX *cctx = NULL, *sctx = NULL;
1941 SSL *clientssl = NULL, *serverssl = NULL;
1942 SSL_SESSION *clntsess = NULL;
1943 int testresult = 0;
1944 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
1945
1946 /* Create a session based on SHA-256 */
1947 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1948 TLS_client_method(), &sctx,
1949 &cctx, cert, privkey))
1950 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1951 "TLS13-AES-128-GCM-SHA256"))
1952 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1953 &clientssl, NULL, NULL))
1954 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1955 SSL_ERROR_NONE)))
1956 goto end;
1957
1958 clntsess = SSL_get1_session(clientssl);
1959 /* Save for later */
1960 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
1961 SSL_shutdown(clientssl);
1962 SSL_shutdown(serverssl);
1963 SSL_free(serverssl);
1964 SSL_free(clientssl);
1965 serverssl = clientssl = NULL;
1966
1967 /* Check we can resume a session with a different SHA-256 ciphersuite */
1968 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
1969 "TLS13-CHACHA20-POLY1305-SHA256"))
1970 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1971 NULL, NULL))
1972 || !TEST_true(SSL_set_session(clientssl, clntsess))
1973 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1974 SSL_ERROR_NONE))
1975 || !TEST_true(SSL_session_reused(clientssl)))
1976 goto end;
1977
1978 SSL_SESSION_free(clntsess);
1979 clntsess = SSL_get1_session(clientssl);
1980 SSL_shutdown(clientssl);
1981 SSL_shutdown(serverssl);
1982 SSL_free(serverssl);
1983 SSL_free(clientssl);
1984 serverssl = clientssl = NULL;
1985
1986 /*
1987 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
1988 * succeeds but does not resume.
1989 */
1990 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
1991 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1992 NULL, NULL))
1993 || !TEST_true(SSL_set_session(clientssl, clntsess))
1994 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1995 SSL_ERROR_SSL))
1996 || !TEST_false(SSL_session_reused(clientssl)))
1997 goto end;
1998
1999 SSL_SESSION_free(clntsess);
2000 clntsess = NULL;
2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2006
2007 /* Create a session based on SHA384 */
2008 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2009 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2010 &clientssl, NULL, NULL))
2011 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2012 SSL_ERROR_NONE)))
2013 goto end;
2014
2015 clntsess = SSL_get1_session(clientssl);
2016 SSL_shutdown(clientssl);
2017 SSL_shutdown(serverssl);
2018 SSL_free(serverssl);
2019 SSL_free(clientssl);
2020 serverssl = clientssl = NULL;
2021
2022 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2023 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
2024 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2025 "TLS13-AES-256-GCM-SHA384"))
2026 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2027 NULL, NULL))
2028 || !TEST_true(SSL_set_session(clientssl, clntsess))
2029 /*
2030 * We use SSL_ERROR_WANT_READ below so that we can pause the
2031 * connection after the initial ClientHello has been sent to
2032 * enable us to make some session changes.
2033 */
2034 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2035 SSL_ERROR_WANT_READ)))
2036 goto end;
2037
2038 /* Trick the client into thinking this session is for a different digest */
2039 clntsess->cipher = aes_128_gcm_sha256;
2040 clntsess->cipher_id = clntsess->cipher->id;
2041
2042 /*
2043 * Continue the previously started connection. Server has selected a SHA-384
2044 * ciphersuite, but client thinks the session is for SHA-256, so it should
2045 * bail out.
2046 */
2047 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2048 SSL_ERROR_SSL))
2049 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2050 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2051 goto end;
2052
2053 testresult = 1;
2054
2055 end:
2056 SSL_SESSION_free(clntsess);
2057 SSL_free(serverssl);
2058 SSL_free(clientssl);
2059 SSL_CTX_free(sctx);
2060 SSL_CTX_free(cctx);
2061
2062 return testresult;
2063 }
2064
2065
2066 static SSL_SESSION *psk = NULL;
2067 static const char *pskid = "Identity";
2068 static const char *srvid;
2069
2070 static int use_session_cb_cnt = 0;
2071 static int find_session_cb_cnt = 0;
2072
2073 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2074 size_t *idlen, SSL_SESSION **sess)
2075 {
2076 switch (++use_session_cb_cnt) {
2077 case 1:
2078 /* The first call should always have a NULL md */
2079 if (md != NULL)
2080 return 0;
2081 break;
2082
2083 case 2:
2084 /* The second call should always have an md */
2085 if (md == NULL)
2086 return 0;
2087 break;
2088
2089 default:
2090 /* We should only be called a maximum of twice */
2091 return 0;
2092 }
2093
2094 if (psk != NULL)
2095 SSL_SESSION_up_ref(psk);
2096
2097 *sess = psk;
2098 *id = (const unsigned char *)pskid;
2099 *idlen = strlen(pskid);
2100
2101 return 1;
2102 }
2103
2104 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2105 size_t identity_len, SSL_SESSION **sess)
2106 {
2107 find_session_cb_cnt++;
2108
2109 /* We should only ever be called a maximum of twice per connection */
2110 if (find_session_cb_cnt > 2)
2111 return 0;
2112
2113 if (psk == NULL)
2114 return 0;
2115
2116 /* Identity should match that set by the client */
2117 if (strlen(srvid) != identity_len
2118 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2119 /* No PSK found, continue but without a PSK */
2120 *sess = NULL;
2121 return 1;
2122 }
2123
2124 SSL_SESSION_up_ref(psk);
2125 *sess = psk;
2126
2127 return 1;
2128 }
2129
2130 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2131
2132 static int test_tls13_psk(void)
2133 {
2134 SSL_CTX *sctx = NULL, *cctx = NULL;
2135 SSL *serverssl = NULL, *clientssl = NULL;
2136 const SSL_CIPHER *cipher = NULL;
2137 const unsigned char key[] = {
2138 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2139 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2140 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2141 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
2142 };
2143 int testresult = 0;
2144
2145 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2146 TLS_client_method(), &sctx,
2147 &cctx, cert, privkey)))
2148 goto end;
2149
2150 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2151 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2152 srvid = pskid;
2153
2154 /* Check we can create a connection if callback decides not to send a PSK */
2155 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2156 NULL, NULL))
2157 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2158 SSL_ERROR_NONE))
2159 || !TEST_false(SSL_session_reused(clientssl))
2160 || !TEST_false(SSL_session_reused(serverssl))
2161 || !TEST_true(use_session_cb_cnt == 1)
2162 || !TEST_true(find_session_cb_cnt == 0))
2163 goto end;
2164
2165 shutdown_ssl_connection(serverssl, clientssl);
2166 serverssl = clientssl = NULL;
2167 use_session_cb_cnt = 0;
2168
2169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2170 NULL, NULL)))
2171 goto end;
2172
2173 /* Create the PSK */
2174 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
2175 psk = SSL_SESSION_new();
2176 if (!TEST_ptr(psk)
2177 || !TEST_ptr(cipher)
2178 || !TEST_true(SSL_SESSION_set1_master_key(psk, key, sizeof(key)))
2179 || !TEST_true(SSL_SESSION_set_cipher(psk, cipher))
2180 || !TEST_true(SSL_SESSION_set_protocol_version(psk,
2181 TLS1_3_VERSION)))
2182 goto end;
2183
2184 /* Check we can create a connection and the PSK is used */
2185 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2186 || !TEST_true(SSL_session_reused(clientssl))
2187 || !TEST_true(SSL_session_reused(serverssl))
2188 || !TEST_true(use_session_cb_cnt == 1)
2189 || !TEST_true(find_session_cb_cnt == 1))
2190 goto end;
2191
2192 shutdown_ssl_connection(serverssl, clientssl);
2193 serverssl = clientssl = NULL;
2194 use_session_cb_cnt = find_session_cb_cnt = 0;
2195
2196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2197 NULL, NULL)))
2198 goto end;
2199
2200 /* Force an HRR */
2201 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2202 goto end;
2203
2204 /*
2205 * Check we can create a connection, the PSK is used and the callbacks are
2206 * called twice.
2207 */
2208 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2209 || !TEST_true(SSL_session_reused(clientssl))
2210 || !TEST_true(SSL_session_reused(serverssl))
2211 || !TEST_true(use_session_cb_cnt == 2)
2212 || !TEST_true(find_session_cb_cnt == 2))
2213 goto end;
2214
2215 shutdown_ssl_connection(serverssl, clientssl);
2216 serverssl = clientssl = NULL;
2217 use_session_cb_cnt = find_session_cb_cnt = 0;
2218
2219 /*
2220 * Check that if the server rejects the PSK we can still connect, but with
2221 * a full handshake
2222 */
2223 srvid = "Dummy Identity";
2224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2225 NULL, NULL))
2226 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2227 SSL_ERROR_NONE))
2228 || !TEST_false(SSL_session_reused(clientssl))
2229 || !TEST_false(SSL_session_reused(serverssl))
2230 || !TEST_true(use_session_cb_cnt == 1)
2231 || !TEST_true(find_session_cb_cnt == 1))
2232 goto end;
2233
2234 shutdown_ssl_connection(serverssl, clientssl);
2235 serverssl = clientssl = NULL;
2236 testresult = 1;
2237
2238 end:
2239 SSL_SESSION_free(psk);
2240 SSL_free(serverssl);
2241 SSL_free(clientssl);
2242 SSL_CTX_free(sctx);
2243 SSL_CTX_free(cctx);
2244 return testresult;
2245 }
2246
2247 #endif /* OPENSSL_NO_TLS1_3 */
2248
2249 static int clntaddoldcb = 0;
2250 static int clntparseoldcb = 0;
2251 static int srvaddoldcb = 0;
2252 static int srvparseoldcb = 0;
2253 static int clntaddnewcb = 0;
2254 static int clntparsenewcb = 0;
2255 static int srvaddnewcb = 0;
2256 static int srvparsenewcb = 0;
2257 static int snicb = 0;
2258
2259 #define TEST_EXT_TYPE1 0xff00
2260
2261 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2262 size_t *outlen, int *al, void *add_arg)
2263 {
2264 int *server = (int *)add_arg;
2265 unsigned char *data;
2266
2267 if (SSL_is_server(s))
2268 srvaddoldcb++;
2269 else
2270 clntaddoldcb++;
2271
2272 if (*server != SSL_is_server(s)
2273 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2274 return -1;
2275
2276 *data = 1;
2277 *out = data;
2278 *outlen = sizeof(char);
2279 return 1;
2280 }
2281
2282 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2283 void *add_arg)
2284 {
2285 OPENSSL_free((unsigned char *)out);
2286 }
2287
2288 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2289 size_t inlen, int *al, void *parse_arg)
2290 {
2291 int *server = (int *)parse_arg;
2292
2293 if (SSL_is_server(s))
2294 srvparseoldcb++;
2295 else
2296 clntparseoldcb++;
2297
2298 if (*server != SSL_is_server(s)
2299 || inlen != sizeof(char)
2300 || *in != 1)
2301 return -1;
2302
2303 return 1;
2304 }
2305
2306 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2307 const unsigned char **out, size_t *outlen, X509 *x,
2308 size_t chainidx, int *al, void *add_arg)
2309 {
2310 int *server = (int *)add_arg;
2311 unsigned char *data;
2312
2313 if (SSL_is_server(s))
2314 srvaddnewcb++;
2315 else
2316 clntaddnewcb++;
2317
2318 if (*server != SSL_is_server(s)
2319 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
2320 return -1;
2321
2322 *data = 1;
2323 *out = data;
2324 *outlen = sizeof(*data);
2325 return 1;
2326 }
2327
2328 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2329 const unsigned char *out, void *add_arg)
2330 {
2331 OPENSSL_free((unsigned char *)out);
2332 }
2333
2334 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2335 const unsigned char *in, size_t inlen, X509 *x,
2336 size_t chainidx, int *al, void *parse_arg)
2337 {
2338 int *server = (int *)parse_arg;
2339
2340 if (SSL_is_server(s))
2341 srvparsenewcb++;
2342 else
2343 clntparsenewcb++;
2344
2345 if (*server != SSL_is_server(s)
2346 || inlen != sizeof(char) || *in != 1)
2347 return -1;
2348
2349 return 1;
2350 }
2351
2352 static int sni_cb(SSL *s, int *al, void *arg)
2353 {
2354 SSL_CTX *ctx = (SSL_CTX *)arg;
2355
2356 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2357 *al = SSL_AD_INTERNAL_ERROR;
2358 return SSL_TLSEXT_ERR_ALERT_FATAL;
2359 }
2360 snicb++;
2361 return SSL_TLSEXT_ERR_OK;
2362 }
2363
2364 /*
2365 * Custom call back tests.
2366 * Test 0: Old style callbacks in TLSv1.2
2367 * Test 1: New style callbacks in TLSv1.2
2368 * Test 2: New style callbacks in TLSv1.2 with SNI
2369 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2370 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
2371 */
2372 static int test_custom_exts(int tst)
2373 {
2374 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2375 SSL *clientssl = NULL, *serverssl = NULL;
2376 int testresult = 0;
2377 static int server = 1;
2378 static int client = 0;
2379 SSL_SESSION *sess = NULL;
2380 unsigned int context;
2381
2382 /* Reset callback counters */
2383 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2384 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
2385 snicb = 0;
2386
2387 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2388 TLS_client_method(), &sctx,
2389 &cctx, cert, privkey)))
2390 goto end;
2391
2392 if (tst == 2
2393 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2394 NULL, cert, privkey)))
2395 goto end;
2396
2397
2398 if (tst < 3) {
2399 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2400 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
2401 if (sctx2 != NULL)
2402 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
2403 }
2404
2405 if (tst == 4) {
2406 context = SSL_EXT_CLIENT_HELLO
2407 | SSL_EXT_TLS1_2_SERVER_HELLO
2408 | SSL_EXT_TLS1_3_SERVER_HELLO
2409 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2410 | SSL_EXT_TLS1_3_CERTIFICATE
2411 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2412 } else {
2413 context = SSL_EXT_CLIENT_HELLO
2414 | SSL_EXT_TLS1_2_SERVER_HELLO
2415 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2416 }
2417
2418 /* Create a client side custom extension */
2419 if (tst == 0) {
2420 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2421 old_add_cb, old_free_cb,
2422 &client, old_parse_cb,
2423 &client)))
2424 goto end;
2425 } else {
2426 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2427 new_add_cb, new_free_cb,
2428 &client, new_parse_cb, &client)))
2429 goto end;
2430 }
2431
2432 /* Should not be able to add duplicates */
2433 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2434 old_add_cb, old_free_cb,
2435 &client, old_parse_cb,
2436 &client))
2437 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2438 context, new_add_cb,
2439 new_free_cb, &client,
2440 new_parse_cb, &client)))
2441 goto end;
2442
2443 /* Create a server side custom extension */
2444 if (tst == 0) {
2445 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2446 old_add_cb, old_free_cb,
2447 &server, old_parse_cb,
2448 &server)))
2449 goto end;
2450 } else {
2451 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2452 new_add_cb, new_free_cb,
2453 &server, new_parse_cb, &server)))
2454 goto end;
2455 if (sctx2 != NULL
2456 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2457 context, new_add_cb,
2458 new_free_cb, &server,
2459 new_parse_cb, &server)))
2460 goto end;
2461 }
2462
2463 /* Should not be able to add duplicates */
2464 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2465 old_add_cb, old_free_cb,
2466 &server, old_parse_cb,
2467 &server))
2468 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2469 context, new_add_cb,
2470 new_free_cb, &server,
2471 new_parse_cb, &server)))
2472 goto end;
2473
2474 if (tst == 2) {
2475 /* Set up SNI */
2476 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2477 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2478 goto end;
2479 }
2480
2481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2482 &clientssl, NULL, NULL))
2483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2484 SSL_ERROR_NONE)))
2485 goto end;
2486
2487 if (tst == 0) {
2488 if (clntaddoldcb != 1
2489 || clntparseoldcb != 1
2490 || srvaddoldcb != 1
2491 || srvparseoldcb != 1)
2492 goto end;
2493 } else if (tst == 1 || tst == 2 || tst == 3) {
2494 if (clntaddnewcb != 1
2495 || clntparsenewcb != 1
2496 || srvaddnewcb != 1
2497 || srvparsenewcb != 1
2498 || (tst != 2 && snicb != 0)
2499 || (tst == 2 && snicb != 1))
2500 goto end;
2501 } else {
2502 if (clntaddnewcb != 1
2503 || clntparsenewcb != 4
2504 || srvaddnewcb != 4
2505 || srvparsenewcb != 1)
2506 goto end;
2507 }
2508
2509 sess = SSL_get1_session(clientssl);
2510 SSL_shutdown(clientssl);
2511 SSL_shutdown(serverssl);
2512 SSL_free(serverssl);
2513 SSL_free(clientssl);
2514 serverssl = clientssl = NULL;
2515
2516 if (tst == 3) {
2517 /* We don't bother with the resumption aspects for this test */
2518 testresult = 1;
2519 goto end;
2520 }
2521
2522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2523 NULL, NULL))
2524 || !TEST_true(SSL_set_session(clientssl, sess))
2525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2526 SSL_ERROR_NONE)))
2527 goto end;
2528
2529 /*
2530 * For a resumed session we expect to add the ClientHello extension. For the
2531 * old style callbacks we ignore it on the server side because they set
2532 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2533 * them.
2534 */
2535 if (tst == 0) {
2536 if (clntaddoldcb != 2
2537 || clntparseoldcb != 1
2538 || srvaddoldcb != 1
2539 || srvparseoldcb != 1)
2540 goto end;
2541 } else if (tst == 1 || tst == 2 || tst == 3) {
2542 if (clntaddnewcb != 2
2543 || clntparsenewcb != 2
2544 || srvaddnewcb != 2
2545 || srvparsenewcb != 2)
2546 goto end;
2547 } else {
2548 /* No Certificate message extensions in the resumption handshake */
2549 if (clntaddnewcb != 2
2550 || clntparsenewcb != 7
2551 || srvaddnewcb != 7
2552 || srvparsenewcb != 2)
2553 goto end;
2554 }
2555
2556 testresult = 1;
2557
2558 end:
2559 SSL_SESSION_free(sess);
2560 SSL_free(serverssl);
2561 SSL_free(clientssl);
2562 SSL_CTX_free(sctx2);
2563 SSL_CTX_free(sctx);
2564 SSL_CTX_free(cctx);
2565 return testresult;
2566 }
2567
2568 /*
2569 * Test loading of serverinfo data in various formats. test_sslmessages actually
2570 * tests to make sure the extensions appear in the handshake
2571 */
2572 static int test_serverinfo(int tst)
2573 {
2574 unsigned int version;
2575 unsigned char *sibuf;
2576 size_t sibuflen;
2577 int ret, expected, testresult = 0;
2578 SSL_CTX *ctx;
2579
2580 ctx = SSL_CTX_new(TLS_method());
2581 if (!TEST_ptr(ctx))
2582 goto end;
2583
2584 if ((tst & 0x01) == 0x01)
2585 version = SSL_SERVERINFOV2;
2586 else
2587 version = SSL_SERVERINFOV1;
2588
2589 if ((tst & 0x02) == 0x02) {
2590 sibuf = serverinfov2;
2591 sibuflen = sizeof(serverinfov2);
2592 expected = (version == SSL_SERVERINFOV2);
2593 } else {
2594 sibuf = serverinfov1;
2595 sibuflen = sizeof(serverinfov1);
2596 expected = (version == SSL_SERVERINFOV1);
2597 }
2598
2599 if ((tst & 0x04) == 0x04) {
2600 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2601 } else {
2602 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2603
2604 /*
2605 * The version variable is irrelevant in this case - it's what is in the
2606 * buffer that matters
2607 */
2608 if ((tst & 0x02) == 0x02)
2609 expected = 0;
2610 else
2611 expected = 1;
2612 }
2613
2614 if (!TEST_true(ret == expected))
2615 goto end;
2616
2617 testresult = 1;
2618
2619 end:
2620 SSL_CTX_free(ctx);
2621
2622 return testresult;
2623 }
2624
2625 /*
2626 * Test that SSL_export_keying_material() produces expected results. There are
2627 * no test vectors so all we do is test that both sides of the communication
2628 * produce the same results for different protocol versions.
2629 */
2630 static int test_export_key_mat(int tst)
2631 {
2632 int testresult = 0;
2633 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2634 SSL *clientssl = NULL, *serverssl = NULL;
2635 const char label[] = "test label";
2636 const unsigned char context[] = "context";
2637 const unsigned char *emptycontext = NULL;
2638 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2639 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
2640 const int protocols[] = {
2641 TLS1_VERSION,
2642 TLS1_1_VERSION,
2643 TLS1_2_VERSION,
2644 TLS1_3_VERSION
2645 };
2646
2647 #ifdef OPENSSL_NO_TLS1
2648 if (tst == 0)
2649 return 1;
2650 #endif
2651 #ifdef OPENSSL_NO_TLS1_1
2652 if (tst == 1)
2653 return 1;
2654 #endif
2655 #ifdef OPENSSL_NO_TLS1_2
2656 if (tst == 2)
2657 return 1;
2658 #endif
2659 #ifdef OPENSSL_NO_TLS1_3
2660 if (tst == 3)
2661 return 1;
2662 #endif
2663 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2664 TLS_client_method(), &sctx,
2665 &cctx, cert, privkey)))
2666 goto end;
2667
2668 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2669 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2670 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2671
2672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2673 NULL))
2674 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2675 SSL_ERROR_NONE)))
2676 goto end;
2677
2678 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2679 sizeof(ckeymat1), label,
2680 sizeof(label) - 1, context,
2681 sizeof(context) - 1, 1), 1)
2682 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2683 sizeof(ckeymat2), label,
2684 sizeof(label) - 1,
2685 emptycontext,
2686 0, 1), 1)
2687 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2688 sizeof(ckeymat3), label,
2689 sizeof(label) - 1,
2690 NULL, 0, 0), 1)
2691 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2692 sizeof(skeymat1), label,
2693 sizeof(label) - 1,
2694 context,
2695 sizeof(context) -1, 1),
2696 1)
2697 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
2698 sizeof(skeymat2), label,
2699 sizeof(label) - 1,
2700 emptycontext,
2701 0, 1), 1)
2702 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
2703 sizeof(skeymat3), label,
2704 sizeof(label) - 1,
2705 NULL, 0, 0), 1)
2706 /*
2707 * Check that both sides created the same key material with the
2708 * same context.
2709 */
2710 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
2711 sizeof(skeymat1))
2712 /*
2713 * Check that both sides created the same key material with an
2714 * empty context.
2715 */
2716 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
2717 sizeof(skeymat2))
2718 /*
2719 * Check that both sides created the same key material without a
2720 * context.
2721 */
2722 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
2723 sizeof(skeymat3))
2724 /* Different contexts should produce different results */
2725 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
2726 sizeof(ckeymat2)))
2727 goto end;
2728
2729 /*
2730 * Check that an empty context and no context produce different results in
2731 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
2732 */
2733 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2734 sizeof(ckeymat3)))
2735 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
2736 sizeof(ckeymat3))))
2737 goto end;
2738
2739 testresult = 1;
2740
2741 end:
2742 SSL_free(serverssl);
2743 SSL_free(clientssl);
2744 SSL_CTX_free(sctx2);
2745 SSL_CTX_free(sctx);
2746 SSL_CTX_free(cctx);
2747
2748 return testresult;
2749 }
2750
2751 static int test_ssl_clear(int idx)
2752 {
2753 SSL_CTX *cctx = NULL, *sctx = NULL;
2754 SSL *clientssl = NULL, *serverssl = NULL;
2755 int testresult = 0;
2756
2757 #ifdef OPENSSL_NO_TLS1_2
2758 if (idx == 1)
2759 return 1;
2760 #endif
2761
2762 /* Create an initial connection */
2763 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2764 TLS_client_method(), &sctx,
2765 &cctx, cert, privkey))
2766 || (idx == 1
2767 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
2768 TLS1_2_VERSION)))
2769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2770 &clientssl, NULL, NULL))
2771 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2772 SSL_ERROR_NONE)))
2773 goto end;
2774
2775 SSL_shutdown(clientssl);
2776 SSL_shutdown(serverssl);
2777 SSL_free(serverssl);
2778 serverssl = NULL;
2779
2780 /* Clear clientssl - we're going to reuse the object */
2781 if (!TEST_true(SSL_clear(clientssl)))
2782 goto end;
2783
2784 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2785 NULL, NULL))
2786 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2787 SSL_ERROR_NONE))
2788 || !TEST_true(SSL_session_reused(clientssl)))
2789 goto end;
2790
2791 SSL_shutdown(clientssl);
2792 SSL_shutdown(serverssl);
2793
2794 testresult = 1;
2795
2796 end:
2797 SSL_free(serverssl);
2798 SSL_free(clientssl);
2799 SSL_CTX_free(sctx);
2800 SSL_CTX_free(cctx);
2801
2802 return testresult;
2803 }
2804
2805 int setup_tests(void)
2806 {
2807 if (!TEST_ptr(cert = test_get_argument(0))
2808 || !TEST_ptr(privkey = test_get_argument(1)))
2809 return 0;
2810
2811 ADD_TEST(test_large_message_tls);
2812 ADD_TEST(test_large_message_tls_read_ahead);
2813 #ifndef OPENSSL_NO_DTLS
2814 ADD_TEST(test_large_message_dtls);
2815 #endif
2816 #ifndef OPENSSL_NO_OCSP
2817 ADD_TEST(test_tlsext_status_type);
2818 #endif
2819 ADD_TEST(test_session_with_only_int_cache);
2820 ADD_TEST(test_session_with_only_ext_cache);
2821 ADD_TEST(test_session_with_both_cache);
2822 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
2823 ADD_TEST(test_ssl_bio_pop_next_bio);
2824 ADD_TEST(test_ssl_bio_pop_ssl_bio);
2825 ADD_TEST(test_ssl_bio_change_rbio);
2826 ADD_TEST(test_ssl_bio_change_wbio);
2827 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
2828 ADD_TEST(test_keylog);
2829 #ifndef OPENSSL_NO_TLS1_3
2830 ADD_TEST(test_keylog_no_master_key);
2831 #endif
2832 #ifndef OPENSSL_NO_TLS1_2
2833 ADD_TEST(test_early_cb);
2834 #endif
2835 #ifndef OPENSSL_NO_TLS1_3
2836 ADD_ALL_TESTS(test_early_data_read_write, 2);
2837 ADD_ALL_TESTS(test_early_data_skip, 2);
2838 ADD_ALL_TESTS(test_early_data_skip_hrr, 2);
2839 ADD_ALL_TESTS(test_early_data_not_sent, 2);
2840 ADD_ALL_TESTS(test_early_data_not_expected, 2);
2841 # ifndef OPENSSL_NO_TLS1_2
2842 ADD_ALL_TESTS(test_early_data_tls1_2, 2);
2843 # endif
2844 #endif
2845 #ifndef OPENSSL_NO_TLS1_3
2846 ADD_TEST(test_ciphersuite_change);
2847 ADD_TEST(test_tls13_psk);
2848 ADD_ALL_TESTS(test_custom_exts, 5);
2849 #else
2850 ADD_ALL_TESTS(test_custom_exts, 3);
2851 #endif
2852 ADD_ALL_TESTS(test_serverinfo, 8);
2853 ADD_ALL_TESTS(test_export_key_mat, 4);
2854 ADD_ALL_TESTS(test_ssl_clear, 2);
2855 return 1;
2856 }
2857
2858 void cleanup_tests(void)
2859 {
2860 bio_s_mempacket_test_free();
2861 }
A mirror of the official openssl repository