VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.2/test/sslapitest.c@ 94403

最後變更 在這個檔案從94403是 94320,由 vboxsync 提交於 3 年 前

libs/openssl-3.0.1: Export to OSE and fix copyright headers in Makefiles, bugref:10128
檔案大小: 326.8 KB
 
1/*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36
37#include "helpers/ssltestlib.h"
38#include "testutil.h"
39#include "testutil/output.h"
40#include "internal/nelem.h"
41#include "internal/ktls.h"
42#include "../ssl/ssl_local.h"
43#include "filterprov.h"
44
45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
60
61static OSSL_LIB_CTX *libctx = NULL;
62static OSSL_PROVIDER *defctxnull = NULL;
63
64#ifndef OSSL_NO_USABLE_TLS1_3
65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
82static char *certsdir = NULL;
83static char *cert = NULL;
84static char *privkey = NULL;
85static char *cert2 = NULL;
86static char *privkey2 = NULL;
87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
97
98static int is_fips = 0;
99
100#define LOG_BUFFER_SIZE 2048
101static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
102static size_t server_log_buffer_index = 0;
103static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104static size_t client_log_buffer_index = 0;
105static int error_writing_log = 0;
106
107#ifndef OPENSSL_NO_OCSP
108static const unsigned char orespder[] = "Dummy OCSP Response";
109static int ocsp_server_called = 0;
110static int ocsp_client_called = 0;
111
112static int cdummyarg = 1;
113static X509 *ocspcert = NULL;
114#endif
115
116#define NUM_EXTRA_CERTS 40
117#define CLIENT_VERSION_LEN 2
118
119/*
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
122 */
123struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
126 unsigned int client_early_secret_count;
127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
131 unsigned int early_exporter_secret_count;
132 unsigned int exporter_secret_count;
133};
134
135
136static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
140};
141
142static unsigned char serverinfov2[] = {
143 0x00, 0x00, 0x00,
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
148};
149
150static int hostname_cb(SSL *s, int *al, void *arg)
151{
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
157
158 return SSL_TLSEXT_ERR_NOACK;
159}
160
161static void client_keylog_callback(const SSL *ssl, const char *line)
162{
163 int line_length = strlen(line);
164
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log = 1;
169 return;
170 }
171
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
174 client_log_buffer[client_log_buffer_index++] = '\n';
175}
176
177static void server_keylog_callback(const SSL *ssl, const char *line)
178{
179 int line_length = strlen(line);
180
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log = 1;
185 return;
186 }
187
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
190 server_log_buffer[server_log_buffer_index++] = '\n';
191}
192
193static int compare_hex_encoded_buffer(const char *hex_encoded,
194 size_t hex_length,
195 const uint8_t *raw,
196 size_t raw_length)
197{
198 size_t i, j;
199 char hexed[3];
200
201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
202 return 1;
203
204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
205 sprintf(hexed, "%02x", raw[i]);
206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
208 return 1;
209 }
210
211 return 0;
212}
213
214static int test_keylog_output(char *buffer, const SSL *ssl,
215 const SSL_SESSION *session,
216 struct sslapitest_log_counts *expected)
217{
218 char *token = NULL;
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
225 unsigned int client_early_secret_count = 0;
226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
230 unsigned int early_exporter_secret_count = 0;
231 unsigned int exporter_secret_count = 0;
232
233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
235 if (strcmp(token, "RSA") == 0) {
236 /*
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
239 * secret.
240 */
241 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 return 0;
243 if (!TEST_size_t_eq(strlen(token), 16))
244 return 0;
245 if (!TEST_ptr(token = strtok(NULL, " \n")))
246 return 0;
247 /*
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
251 */
252 rsa_key_exchange_count++;
253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 /*
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
257 */
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
260 SSL3_RANDOM_SIZE);
261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
262 return 0;
263
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 return 0;
266 if (!TEST_size_t_eq(strlen(token), 64))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
271 return 0;
272
273 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 return 0;
275 master_key_size = SSL_SESSION_get_master_key(session,
276 actual_master_key,
277 master_key_size);
278 if (!TEST_size_t_ne(master_key_size, 0))
279 return 0;
280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
281 actual_master_key,
282 master_key_size)))
283 return 0;
284 master_secret_count++;
285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 /*
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
297 */
298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
312
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
315 SSL3_RANDOM_SIZE);
316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
317 return 0;
318
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 return 0;
321 if (!TEST_size_t_eq(strlen(token), 64))
322 return 0;
323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
326 return 0;
327
328 if (!TEST_ptr(token = strtok(NULL, " \n")))
329 return 0;
330 } else {
331 TEST_info("Unexpected token %s\n", token);
332 return 0;
333 }
334 }
335
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
350 expected->server_application_secret_count)
351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
355 return 0;
356 return 1;
357}
358
359#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360static int test_keylog(void)
361{
362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
364 int testresult = 0;
365 struct sslapitest_log_counts expected;
366
367 /* Clean up logging space */
368 memset(&expected, 0, sizeof(expected));
369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
374
375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
376 TLS_client_method(),
377 TLS1_VERSION, 0,
378 &sctx, &cctx, cert, privkey)))
379 return 0;
380
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
387 goto end;
388
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
391 goto end;
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
395 goto end;
396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
399 goto end;
400
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 SSL_ERROR_NONE))
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
409 goto end;
410
411 /*
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
416 */
417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
421 goto end;
422
423 expected.rsa_key_exchange_count = 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
426 goto end;
427
428 testresult = 1;
429
430end:
431 SSL_free(serverssl);
432 SSL_free(clientssl);
433 SSL_CTX_free(sctx);
434 SSL_CTX_free(cctx);
435
436 return testresult;
437}
438#endif
439
440#ifndef OSSL_NO_USABLE_TLS1_3
441static int test_keylog_no_master_key(void)
442{
443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
445 SSL_SESSION *sess = NULL;
446 int testresult = 0;
447 struct sslapitest_log_counts expected;
448 unsigned char buf[1];
449 size_t readbytes, written;
450
451 /* Clean up logging space */
452 memset(&expected, 0, sizeof(expected));
453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
458
459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
463 SSL3_RT_MAX_PLAIN_LENGTH)))
464 return 0;
465
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
468 goto end;
469
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
473 goto end;
474
475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
478 goto end;
479
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 SSL_ERROR_NONE))
485 || !TEST_false(error_writing_log))
486 goto end;
487
488 /*
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
492 */
493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
497 expected.exporter_secret_count = 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
502 &expected)))
503 goto end;
504
505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
509 SSL_free(serverssl);
510 SSL_free(clientssl);
511 serverssl = clientssl = NULL;
512
513 /* Reset key log */
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
518
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 &readbytes),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 SSL_ERROR_NONE))
531 || !TEST_true(SSL_session_reused(clientssl)))
532 goto end;
533
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
536 expected.early_exporter_secret_count = 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
541 &expected)))
542 goto end;
543
544 testresult = 1;
545
546end:
547 SSL_SESSION_free(sess);
548 SSL_free(serverssl);
549 SSL_free(clientssl);
550 SSL_CTX_free(sctx);
551 SSL_CTX_free(cctx);
552
553 return testresult;
554}
555#endif
556
557static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558{
559 int res = X509_verify_cert(ctx);
560
561 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
564 return res;
565}
566
567static int test_client_cert_verify_cb(void)
568{
569 /* server key, cert, chain, and root */
570 char *skey = test_mk_file_path(certsdir, "leaf.key");
571 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
572 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
573 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
574 char *root = test_mk_file_path(certsdir, "rootCA.pem");
575 X509 *crt1 = NULL, *crt2 = NULL;
576 STACK_OF(X509) *server_chain;
577 SSL_CTX *cctx = NULL, *sctx = NULL;
578 SSL *clientssl = NULL, *serverssl = NULL;
579 int testresult = 0;
580
581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION, 0,
583 &sctx, &cctx, NULL, NULL)))
584 goto end;
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
587 SSL_FILETYPE_PEM), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 goto end;
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 goto end;
592 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
593 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
595 &clientssl, NULL, NULL)))
596 goto end;
597
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_WANT_RETRY_VERIFY)))
601 goto end;
602
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
605 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
606 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 goto end;
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain, crt1)))
610 goto end;
611 crt1 = NULL;
612 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 goto end;
614 crt2 = NULL;
615
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
618 SSL_ERROR_NONE)))
619 goto end;
620
621 testresult = 1;
622
623end:
624 X509_free(crt1);
625 X509_free(crt2);
626 if (clientssl != NULL) {
627 SSL_shutdown(clientssl);
628 SSL_free(clientssl);
629 }
630 if (serverssl != NULL) {
631 SSL_shutdown(serverssl);
632 SSL_free(serverssl);
633 }
634 SSL_CTX_free(sctx);
635 SSL_CTX_free(cctx);
636
637 OPENSSL_free(skey);
638 OPENSSL_free(leaf);
639 OPENSSL_free(int2);
640 OPENSSL_free(int1);
641 OPENSSL_free(root);
642
643 return testresult;
644}
645
646static int test_ssl_build_cert_chain(void)
647{
648 int ret = 0;
649 SSL_CTX *ssl_ctx = NULL;
650 SSL *ssl = NULL;
651 char *skey = test_mk_file_path(certsdir, "leaf.key");
652 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653
654 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 goto end;
656 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 goto end;
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 goto end;
663 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK)))
665 goto end;
666 ret = 1;
667end:
668 SSL_free(ssl);
669 SSL_CTX_free(ssl_ctx);
670 OPENSSL_free(leaf_chain);
671 OPENSSL_free(skey);
672 return ret;
673}
674
675static int test_ssl_ctx_build_cert_chain(void)
676{
677 int ret = 0;
678 SSL_CTX *ctx = NULL;
679 char *skey = test_mk_file_path(certsdir, "leaf.key");
680 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
681
682 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
683 goto end;
684 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
685 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
686 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
687 SSL_FILETYPE_PEM), 1)
688 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
689 goto end;
690 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
691 | SSL_BUILD_CHAIN_FLAG_CHECK)))
692 goto end;
693 ret = 1;
694end:
695 SSL_CTX_free(ctx);
696 OPENSSL_free(leaf_chain);
697 OPENSSL_free(skey);
698 return ret;
699}
700
701#ifndef OPENSSL_NO_TLS1_2
702static int full_client_hello_callback(SSL *s, int *al, void *arg)
703{
704 int *ctr = arg;
705 const unsigned char *p;
706 int *exts;
707 /* We only configure two ciphers, but the SCSV is added automatically. */
708#ifdef OPENSSL_NO_EC
709 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
710#else
711 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
712 0x2c, 0x00, 0xff};
713#endif
714 const int expected_extensions[] = {
715#ifndef OPENSSL_NO_EC
716 11, 10,
717#endif
718 35, 22, 23, 13};
719 size_t len;
720
721 /* Make sure we can defer processing and get called back. */
722 if ((*ctr)++ == 0)
723 return SSL_CLIENT_HELLO_RETRY;
724
725 len = SSL_client_hello_get0_ciphers(s, &p);
726 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
727 || !TEST_size_t_eq(
728 SSL_client_hello_get0_compression_methods(s, &p), 1)
729 || !TEST_int_eq(*p, 0))
730 return SSL_CLIENT_HELLO_ERROR;
731 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
732 return SSL_CLIENT_HELLO_ERROR;
733 if (len != OSSL_NELEM(expected_extensions) ||
734 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
735 printf("ClientHello callback expected extensions mismatch\n");
736 OPENSSL_free(exts);
737 return SSL_CLIENT_HELLO_ERROR;
738 }
739 OPENSSL_free(exts);
740 return SSL_CLIENT_HELLO_SUCCESS;
741}
742
743static int test_client_hello_cb(void)
744{
745 SSL_CTX *cctx = NULL, *sctx = NULL;
746 SSL *clientssl = NULL, *serverssl = NULL;
747 int testctr = 0, testresult = 0;
748
749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
750 TLS_client_method(), TLS1_VERSION, 0,
751 &sctx, &cctx, cert, privkey)))
752 goto end;
753 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
754
755 /* The gimpy cipher list we configure can't do TLS 1.3. */
756 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
757
758 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
759 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
761 &clientssl, NULL, NULL))
762 || !TEST_false(create_ssl_connection(serverssl, clientssl,
763 SSL_ERROR_WANT_CLIENT_HELLO_CB))
764 /*
765 * Passing a -1 literal is a hack since
766 * the real value was lost.
767 * */
768 || !TEST_int_eq(SSL_get_error(serverssl, -1),
769 SSL_ERROR_WANT_CLIENT_HELLO_CB)
770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
771 SSL_ERROR_NONE)))
772 goto end;
773
774 testresult = 1;
775
776end:
777 SSL_free(serverssl);
778 SSL_free(clientssl);
779 SSL_CTX_free(sctx);
780 SSL_CTX_free(cctx);
781
782 return testresult;
783}
784
785static int test_no_ems(void)
786{
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
789 int testresult = 0;
790
791 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
792 TLS1_VERSION, TLS1_2_VERSION,
793 &sctx, &cctx, cert, privkey)) {
794 printf("Unable to create SSL_CTX pair\n");
795 goto end;
796 }
797
798 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
799
800 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
801 printf("Unable to create SSL objects\n");
802 goto end;
803 }
804
805 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
806 printf("Creating SSL connection failed\n");
807 goto end;
808 }
809
810 if (SSL_get_extms_support(serverssl)) {
811 printf("Server reports Extended Master Secret support\n");
812 goto end;
813 }
814
815 if (SSL_get_extms_support(clientssl)) {
816 printf("Client reports Extended Master Secret support\n");
817 goto end;
818 }
819 testresult = 1;
820
821end:
822 SSL_free(serverssl);
823 SSL_free(clientssl);
824 SSL_CTX_free(sctx);
825 SSL_CTX_free(cctx);
826
827 return testresult;
828}
829
830/*
831 * Very focused test to exercise a single case in the server-side state
832 * machine, when the ChangeCipherState message needs to actually change
833 * from one cipher to a different cipher (i.e., not changing from null
834 * encryption to real encryption).
835 */
836static int test_ccs_change_cipher(void)
837{
838 SSL_CTX *cctx = NULL, *sctx = NULL;
839 SSL *clientssl = NULL, *serverssl = NULL;
840 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
841 int testresult = 0;
842 int i;
843 unsigned char buf;
844 size_t readbytes;
845
846 /*
847 * Create a conection so we can resume and potentially (but not) use
848 * a different cipher in the second connection.
849 */
850 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
851 TLS_client_method(),
852 TLS1_VERSION, TLS1_2_VERSION,
853 &sctx, &cctx, cert, privkey))
854 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
855 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
856 NULL, NULL))
857 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
859 SSL_ERROR_NONE))
860 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
861 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
862 goto end;
863
864 shutdown_ssl_connection(serverssl, clientssl);
865 serverssl = clientssl = NULL;
866
867 /* Resume, preferring a different cipher. Our server will force the
868 * same cipher to be used as the initial handshake. */
869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
870 NULL, NULL))
871 || !TEST_true(SSL_set_session(clientssl, sess))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_true(SSL_session_reused(clientssl))
876 || !TEST_true(SSL_session_reused(serverssl))
877 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
878 || !TEST_ptr_eq(sesspre, sesspost)
879 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
880 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
881 goto end;
882 shutdown_ssl_connection(serverssl, clientssl);
883 serverssl = clientssl = NULL;
884
885 /*
886 * Now create a fresh connection and try to renegotiate a different
887 * cipher on it.
888 */
889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
890 NULL, NULL))
891 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
893 SSL_ERROR_NONE))
894 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
895 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
896 || !TEST_true(SSL_renegotiate(clientssl))
897 || !TEST_true(SSL_renegotiate_pending(clientssl)))
898 goto end;
899 /* Actually drive the renegotiation. */
900 for (i = 0; i < 3; i++) {
901 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
902 if (!TEST_ulong_eq(readbytes, 0))
903 goto end;
904 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
905 SSL_ERROR_WANT_READ)) {
906 goto end;
907 }
908 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
909 if (!TEST_ulong_eq(readbytes, 0))
910 goto end;
911 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
912 SSL_ERROR_WANT_READ)) {
913 goto end;
914 }
915 }
916 /* sesspre and sesspost should be different since the cipher changed. */
917 if (!TEST_false(SSL_renegotiate_pending(clientssl))
918 || !TEST_false(SSL_session_reused(clientssl))
919 || !TEST_false(SSL_session_reused(serverssl))
920 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
921 || !TEST_ptr_ne(sesspre, sesspost)
922 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
923 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
924 goto end;
925
926 shutdown_ssl_connection(serverssl, clientssl);
927 serverssl = clientssl = NULL;
928
929 testresult = 1;
930
931end:
932 SSL_free(serverssl);
933 SSL_free(clientssl);
934 SSL_CTX_free(sctx);
935 SSL_CTX_free(cctx);
936 SSL_SESSION_free(sess);
937
938 return testresult;
939}
940#endif
941
942static int execute_test_large_message(const SSL_METHOD *smeth,
943 const SSL_METHOD *cmeth,
944 int min_version, int max_version,
945 int read_ahead)
946{
947 SSL_CTX *cctx = NULL, *sctx = NULL;
948 SSL *clientssl = NULL, *serverssl = NULL;
949 int testresult = 0;
950 int i;
951 BIO *certbio = NULL;
952 X509 *chaincert = NULL;
953 int certlen;
954
955 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
956 goto end;
957
958 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
959 goto end;
960
961 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
962 goto end;
963 BIO_free(certbio);
964 certbio = NULL;
965
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
969 goto end;
970
971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
984 if (read_ahead) {
985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
992 /*
993 * We assume the supplied certificate is big enough so that if we add
994 * NUM_EXTRA_CERTS it will make the overall message large enough. The
995 * default buffer size is requested to be 16k, but due to the way BUF_MEM
996 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
997 * test we need to have a message larger than that.
998 */
999 certlen = i2d_X509(chaincert, NULL);
1000 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1001 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1002 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1003 if (!X509_up_ref(chaincert))
1004 goto end;
1005 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1006 X509_free(chaincert);
1007 goto end;
1008 }
1009 }
1010
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1012 NULL, NULL))
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1014 SSL_ERROR_NONE)))
1015 goto end;
1016
1017 /*
1018 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1019 * doesn't leak.
1020 */
1021 if (!TEST_true(SSL_clear(serverssl)))
1022 goto end;
1023
1024 testresult = 1;
1025 end:
1026 BIO_free(certbio);
1027 X509_free(chaincert);
1028 SSL_free(serverssl);
1029 SSL_free(clientssl);
1030 SSL_CTX_free(sctx);
1031 SSL_CTX_free(cctx);
1032
1033 return testresult;
1034}
1035
1036#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1037 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1038/* sock must be connected */
1039static int ktls_chk_platform(int sock)
1040{
1041 if (!ktls_enable(sock))
1042 return 0;
1043 return 1;
1044}
1045
1046static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1047{
1048 static char count = 1;
1049 unsigned char cbuf[16000] = {0};
1050 unsigned char sbuf[16000];
1051 size_t err = 0;
1052 char crec_wseq_before[SEQ_NUM_SIZE];
1053 char crec_wseq_after[SEQ_NUM_SIZE];
1054 char crec_rseq_before[SEQ_NUM_SIZE];
1055 char crec_rseq_after[SEQ_NUM_SIZE];
1056 char srec_wseq_before[SEQ_NUM_SIZE];
1057 char srec_wseq_after[SEQ_NUM_SIZE];
1058 char srec_rseq_before[SEQ_NUM_SIZE];
1059 char srec_rseq_after[SEQ_NUM_SIZE];
1060
1061 cbuf[0] = count++;
1062 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1063 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1065 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1066
1067 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1068 goto end;
1069
1070 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1071 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1072 goto end;
1073 }
1074 }
1075
1076 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1077 goto end;
1078
1079 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1080 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1081 goto end;
1082 }
1083 }
1084
1085 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1088 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1089
1090 /* verify the payload */
1091 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1092 goto end;
1093
1094 /*
1095 * If ktls is used then kernel sequences are used instead of
1096 * OpenSSL sequences
1097 */
1098 if (!BIO_get_ktls_send(clientssl->wbio)) {
1099 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1100 crec_wseq_after, SEQ_NUM_SIZE))
1101 goto end;
1102 } else {
1103 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1104 crec_wseq_after, SEQ_NUM_SIZE))
1105 goto end;
1106 }
1107
1108 if (!BIO_get_ktls_send(serverssl->wbio)) {
1109 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1110 srec_wseq_after, SEQ_NUM_SIZE))
1111 goto end;
1112 } else {
1113 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1114 srec_wseq_after, SEQ_NUM_SIZE))
1115 goto end;
1116 }
1117
1118 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1119 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1120 crec_rseq_after, SEQ_NUM_SIZE))
1121 goto end;
1122 } else {
1123 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1124 crec_rseq_after, SEQ_NUM_SIZE))
1125 goto end;
1126 }
1127
1128 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1129 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1130 srec_rseq_after, SEQ_NUM_SIZE))
1131 goto end;
1132 } else {
1133 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1134 srec_rseq_after, SEQ_NUM_SIZE))
1135 goto end;
1136 }
1137
1138 return 1;
1139end:
1140 return 0;
1141}
1142
1143static int execute_test_ktls(int cis_ktls, int sis_ktls,
1144 int tls_version, const char *cipher)
1145{
1146 SSL_CTX *cctx = NULL, *sctx = NULL;
1147 SSL *clientssl = NULL, *serverssl = NULL;
1148 int ktls_used = 0, testresult = 0;
1149 int cfd = -1, sfd = -1;
1150 int rx_supported;
1151
1152 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1153 goto end;
1154
1155 /* Skip this test if the platform does not support ktls */
1156 if (!ktls_chk_platform(cfd)) {
1157 testresult = TEST_skip("Kernel does not support KTLS");
1158 goto end;
1159 }
1160
1161 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1162 testresult = TEST_skip("CHACHA is not supported in FIPS");
1163 goto end;
1164 }
1165
1166 /* Create a session based on SHA-256 */
1167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1168 TLS_client_method(),
1169 tls_version, tls_version,
1170 &sctx, &cctx, cert, privkey)))
1171 goto end;
1172
1173 if (tls_version == TLS1_3_VERSION) {
1174 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1175 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1176 goto end;
1177 } else {
1178 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1179 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1180 goto end;
1181 }
1182
1183 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1184 &clientssl, sfd, cfd)))
1185 goto end;
1186
1187 if (cis_ktls) {
1188 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1189 goto end;
1190 }
1191
1192 if (sis_ktls) {
1193 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1194 goto end;
1195 }
1196
1197 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1198 goto end;
1199
1200 /*
1201 * The running kernel may not support a given cipher suite
1202 * or direction, so just check that KTLS isn't used when it
1203 * isn't enabled.
1204 */
1205 if (!cis_ktls) {
1206 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1207 goto end;
1208 } else {
1209 if (BIO_get_ktls_send(clientssl->wbio))
1210 ktls_used = 1;
1211 }
1212
1213 if (!sis_ktls) {
1214 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1215 goto end;
1216 } else {
1217 if (BIO_get_ktls_send(serverssl->wbio))
1218 ktls_used = 1;
1219 }
1220
1221#if defined(OPENSSL_NO_KTLS_RX)
1222 rx_supported = 0;
1223#else
1224 rx_supported = (tls_version != TLS1_3_VERSION);
1225#endif
1226 if (!cis_ktls || !rx_supported) {
1227 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1228 goto end;
1229 } else {
1230 if (BIO_get_ktls_send(clientssl->rbio))
1231 ktls_used = 1;
1232 }
1233
1234 if (!sis_ktls || !rx_supported) {
1235 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1236 goto end;
1237 } else {
1238 if (BIO_get_ktls_send(serverssl->rbio))
1239 ktls_used = 1;
1240 }
1241
1242 if ((cis_ktls || sis_ktls) && !ktls_used) {
1243 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1244 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1245 "TLS 1.2", cipher);
1246 goto end;
1247 }
1248
1249 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1250 goto end;
1251
1252 testresult = 1;
1253end:
1254 if (clientssl) {
1255 SSL_shutdown(clientssl);
1256 SSL_free(clientssl);
1257 }
1258 if (serverssl) {
1259 SSL_shutdown(serverssl);
1260 SSL_free(serverssl);
1261 }
1262 SSL_CTX_free(sctx);
1263 SSL_CTX_free(cctx);
1264 serverssl = clientssl = NULL;
1265 if (cfd != -1)
1266 close(cfd);
1267 if (sfd != -1)
1268 close(sfd);
1269 return testresult;
1270}
1271
1272#define SENDFILE_SZ (16 * 4096)
1273#define SENDFILE_CHUNK (4 * 4096)
1274#define min(a,b) ((a) > (b) ? (b) : (a))
1275
1276static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1277{
1278 SSL_CTX *cctx = NULL, *sctx = NULL;
1279 SSL *clientssl = NULL, *serverssl = NULL;
1280 unsigned char *buf, *buf_dst;
1281 BIO *out = NULL, *in = NULL;
1282 int cfd = -1, sfd = -1, ffd, err;
1283 ssize_t chunk_size = 0;
1284 off_t chunk_off = 0;
1285 int testresult = 0;
1286 FILE *ffdp;
1287
1288 buf = OPENSSL_zalloc(SENDFILE_SZ);
1289 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1290 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1291 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1292 goto end;
1293
1294 /* Skip this test if the platform does not support ktls */
1295 if (!ktls_chk_platform(sfd)) {
1296 testresult = TEST_skip("Kernel does not support KTLS");
1297 goto end;
1298 }
1299
1300 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1301 testresult = TEST_skip("CHACHA is not supported in FIPS");
1302 goto end;
1303 }
1304
1305 /* Create a session based on SHA-256 */
1306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1307 TLS_client_method(),
1308 tls_version, tls_version,
1309 &sctx, &cctx, cert, privkey)))
1310 goto end;
1311
1312 if (tls_version == TLS1_3_VERSION) {
1313 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1314 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1315 goto end;
1316 } else {
1317 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1318 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1319 goto end;
1320 }
1321
1322 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1323 &clientssl, sfd, cfd)))
1324 goto end;
1325
1326 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1327 goto end;
1328
1329 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1330 SSL_ERROR_NONE)))
1331 goto end;
1332
1333 if (!BIO_get_ktls_send(serverssl->wbio)) {
1334 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1335 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1336 "TLS 1.2", cipher);
1337 goto end;
1338 }
1339
1340 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1341 goto end;
1342
1343 out = BIO_new_file(tmpfilename, "wb");
1344 if (!TEST_ptr(out))
1345 goto end;
1346
1347 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1348 goto end;
1349
1350 BIO_free(out);
1351 out = NULL;
1352 in = BIO_new_file(tmpfilename, "rb");
1353 BIO_get_fp(in, &ffdp);
1354 ffd = fileno(ffdp);
1355
1356 while (chunk_off < SENDFILE_SZ) {
1357 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1358 while ((err = SSL_sendfile(serverssl,
1359 ffd,
1360 chunk_off,
1361 chunk_size,
1362 0)) != chunk_size) {
1363 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1364 goto end;
1365 }
1366 while ((err = SSL_read(clientssl,
1367 buf_dst + chunk_off,
1368 chunk_size)) != chunk_size) {
1369 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1370 goto end;
1371 }
1372
1373 /* verify the payload */
1374 if (!TEST_mem_eq(buf_dst + chunk_off,
1375 chunk_size,
1376 buf + chunk_off,
1377 chunk_size))
1378 goto end;
1379
1380 chunk_off += chunk_size;
1381 }
1382
1383 testresult = 1;
1384end:
1385 if (clientssl) {
1386 SSL_shutdown(clientssl);
1387 SSL_free(clientssl);
1388 }
1389 if (serverssl) {
1390 SSL_shutdown(serverssl);
1391 SSL_free(serverssl);
1392 }
1393 SSL_CTX_free(sctx);
1394 SSL_CTX_free(cctx);
1395 serverssl = clientssl = NULL;
1396 BIO_free(out);
1397 BIO_free(in);
1398 if (cfd != -1)
1399 close(cfd);
1400 if (sfd != -1)
1401 close(sfd);
1402 OPENSSL_free(buf);
1403 OPENSSL_free(buf_dst);
1404 return testresult;
1405}
1406
1407static struct ktls_test_cipher {
1408 int tls_version;
1409 const char *cipher;
1410} ktls_test_ciphers[] = {
1411# if !defined(OPENSSL_NO_TLS1_2)
1412# ifdef OPENSSL_KTLS_AES_GCM_128
1413 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1414# endif
1415# ifdef OPENSSL_KTLS_AES_CCM_128
1416 { TLS1_2_VERSION, "AES128-CCM"},
1417# endif
1418# ifdef OPENSSL_KTLS_AES_GCM_256
1419 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1420# endif
1421# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1422 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1423# endif
1424# endif
1425# if !defined(OSSL_NO_USABLE_TLS1_3)
1426# ifdef OPENSSL_KTLS_AES_GCM_128
1427 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1428# endif
1429# ifdef OPENSSL_KTLS_AES_CCM_128
1430 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1431# endif
1432# ifdef OPENSSL_KTLS_AES_GCM_256
1433 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1434# endif
1435# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1436 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1437# endif
1438# endif
1439};
1440
1441#define NUM_KTLS_TEST_CIPHERS \
1442 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1443
1444static int test_ktls(int test)
1445{
1446 struct ktls_test_cipher *cipher;
1447 int cis_ktls, sis_ktls;
1448
1449 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1450 cipher = &ktls_test_ciphers[test / 4];
1451
1452 cis_ktls = (test & 1) != 0;
1453 sis_ktls = (test & 2) != 0;
1454
1455 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1456 cipher->cipher);
1457}
1458
1459static int test_ktls_sendfile(int tst)
1460{
1461 struct ktls_test_cipher *cipher;
1462
1463 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1464 cipher = &ktls_test_ciphers[tst];
1465
1466 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1467}
1468#endif
1469
1470static int test_large_message_tls(void)
1471{
1472 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1473 TLS1_VERSION, 0, 0);
1474}
1475
1476static int test_large_message_tls_read_ahead(void)
1477{
1478 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1479 TLS1_VERSION, 0, 1);
1480}
1481
1482#ifndef OPENSSL_NO_DTLS
1483static int test_large_message_dtls(void)
1484{
1485# ifdef OPENSSL_NO_DTLS1_2
1486 /* Not supported in the FIPS provider */
1487 if (is_fips)
1488 return 1;
1489# endif
1490 /*
1491 * read_ahead is not relevant to DTLS because DTLS always acts as if
1492 * read_ahead is set.
1493 */
1494 return execute_test_large_message(DTLS_server_method(),
1495 DTLS_client_method(),
1496 DTLS1_VERSION, 0, 0);
1497}
1498#endif
1499
1500static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1501 const SSL_METHOD *cmeth,
1502 int min_version, int max_version)
1503{
1504 size_t i;
1505 SSL_CTX *cctx = NULL, *sctx = NULL;
1506 SSL *clientssl = NULL, *serverssl = NULL;
1507 int testresult = 0;
1508 SSL3_RECORD *rr;
1509 void *zbuf;
1510
1511 static unsigned char cbuf[16000];
1512 static unsigned char sbuf[16000];
1513
1514 if (!TEST_true(create_ssl_ctx_pair(libctx,
1515 smeth, cmeth,
1516 min_version, max_version,
1517 &sctx, &cctx, cert,
1518 privkey)))
1519 goto end;
1520
1521#ifdef OPENSSL_NO_DTLS1_2
1522 if (smeth == DTLS_server_method()) {
1523# ifdef OPENSSL_NO_DTLS1_2
1524 /* Not supported in the FIPS provider */
1525 if (is_fips) {
1526 testresult = 1;
1527 goto end;
1528 };
1529# endif
1530 /*
1531 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1532 * level 0
1533 */
1534 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1535 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1536 "DEFAULT:@SECLEVEL=0")))
1537 goto end;
1538 }
1539#endif
1540
1541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1542 NULL, NULL)))
1543 goto end;
1544
1545 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1546 goto end;
1547
1548 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1549 SSL_ERROR_NONE)))
1550 goto end;
1551
1552 for (i = 0; i < sizeof(cbuf); i++) {
1553 cbuf[i] = i & 0xff;
1554 }
1555
1556 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1557 goto end;
1558
1559 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1560 goto end;
1561
1562 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1563 goto end;
1564
1565 /*
1566 * Since we called SSL_peek(), we know the data in the record
1567 * layer is a plaintext record. We can gather the pointer to check
1568 * for zeroization after SSL_read().
1569 */
1570 rr = serverssl->rlayer.rrec;
1571 zbuf = &rr->data[rr->off];
1572 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1573 goto end;
1574
1575 /*
1576 * After SSL_peek() the plaintext must still be stored in the
1577 * record.
1578 */
1579 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1580 goto end;
1581
1582 memset(sbuf, 0, sizeof(sbuf));
1583 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1584 goto end;
1585
1586 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1587 goto end;
1588
1589 /* Check if rbuf is cleansed */
1590 memset(cbuf, 0, sizeof(cbuf));
1591 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1592 goto end;
1593
1594 testresult = 1;
1595 end:
1596 SSL_free(serverssl);
1597 SSL_free(clientssl);
1598 SSL_CTX_free(sctx);
1599 SSL_CTX_free(cctx);
1600
1601 return testresult;
1602}
1603
1604static int test_cleanse_plaintext(void)
1605{
1606#if !defined(OPENSSL_NO_TLS1_2)
1607 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1608 TLS_client_method(),
1609 TLS1_2_VERSION,
1610 TLS1_2_VERSION)))
1611 return 0;
1612
1613#endif
1614
1615#if !defined(OSSL_NO_USABLE_TLS1_3)
1616 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1617 TLS_client_method(),
1618 TLS1_3_VERSION,
1619 TLS1_3_VERSION)))
1620 return 0;
1621#endif
1622
1623#if !defined(OPENSSL_NO_DTLS)
1624
1625 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1626 DTLS_client_method(),
1627 DTLS1_VERSION,
1628 0)))
1629 return 0;
1630#endif
1631 return 1;
1632}
1633
1634#ifndef OPENSSL_NO_OCSP
1635static int ocsp_server_cb(SSL *s, void *arg)
1636{
1637 int *argi = (int *)arg;
1638 unsigned char *copy = NULL;
1639 STACK_OF(OCSP_RESPID) *ids = NULL;
1640 OCSP_RESPID *id = NULL;
1641
1642 if (*argi == 2) {
1643 /* In this test we are expecting exactly 1 OCSP_RESPID */
1644 SSL_get_tlsext_status_ids(s, &ids);
1645 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1646 return SSL_TLSEXT_ERR_ALERT_FATAL;
1647
1648 id = sk_OCSP_RESPID_value(ids, 0);
1649 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1650 return SSL_TLSEXT_ERR_ALERT_FATAL;
1651 } else if (*argi != 1) {
1652 return SSL_TLSEXT_ERR_ALERT_FATAL;
1653 }
1654
1655 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1656 return SSL_TLSEXT_ERR_ALERT_FATAL;
1657
1658 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1659 sizeof(orespder)))) {
1660 OPENSSL_free(copy);
1661 return SSL_TLSEXT_ERR_ALERT_FATAL;
1662 }
1663 ocsp_server_called = 1;
1664 return SSL_TLSEXT_ERR_OK;
1665}
1666
1667static int ocsp_client_cb(SSL *s, void *arg)
1668{
1669 int *argi = (int *)arg;
1670 const unsigned char *respderin;
1671 size_t len;
1672
1673 if (*argi != 1 && *argi != 2)
1674 return 0;
1675
1676 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1677 if (!TEST_mem_eq(orespder, len, respderin, len))
1678 return 0;
1679
1680 ocsp_client_called = 1;
1681 return 1;
1682}
1683
1684static int test_tlsext_status_type(void)
1685{
1686 SSL_CTX *cctx = NULL, *sctx = NULL;
1687 SSL *clientssl = NULL, *serverssl = NULL;
1688 int testresult = 0;
1689 STACK_OF(OCSP_RESPID) *ids = NULL;
1690 OCSP_RESPID *id = NULL;
1691 BIO *certbio = NULL;
1692
1693 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1694 TLS1_VERSION, 0,
1695 &sctx, &cctx, cert, privkey))
1696 return 0;
1697
1698 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1699 goto end;
1700
1701 /* First just do various checks getting and setting tlsext_status_type */
1702
1703 clientssl = SSL_new(cctx);
1704 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1705 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1706 TLSEXT_STATUSTYPE_ocsp))
1707 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1708 TLSEXT_STATUSTYPE_ocsp))
1709 goto end;
1710
1711 SSL_free(clientssl);
1712 clientssl = NULL;
1713
1714 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1715 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1716 goto end;
1717
1718 clientssl = SSL_new(cctx);
1719 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1720 goto end;
1721 SSL_free(clientssl);
1722 clientssl = NULL;
1723
1724 /*
1725 * Now actually do a handshake and check OCSP information is exchanged and
1726 * the callbacks get called
1727 */
1728 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1729 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1730 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1731 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1733 &clientssl, NULL, NULL))
1734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1735 SSL_ERROR_NONE))
1736 || !TEST_true(ocsp_client_called)
1737 || !TEST_true(ocsp_server_called))
1738 goto end;
1739 SSL_free(serverssl);
1740 SSL_free(clientssl);
1741 serverssl = NULL;
1742 clientssl = NULL;
1743
1744 /* Try again but this time force the server side callback to fail */
1745 ocsp_client_called = 0;
1746 ocsp_server_called = 0;
1747 cdummyarg = 0;
1748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1749 &clientssl, NULL, NULL))
1750 /* This should fail because the callback will fail */
1751 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1752 SSL_ERROR_NONE))
1753 || !TEST_false(ocsp_client_called)
1754 || !TEST_false(ocsp_server_called))
1755 goto end;
1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1758 serverssl = NULL;
1759 clientssl = NULL;
1760
1761 /*
1762 * This time we'll get the client to send an OCSP_RESPID that it will
1763 * accept.
1764 */
1765 ocsp_client_called = 0;
1766 ocsp_server_called = 0;
1767 cdummyarg = 2;
1768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1769 &clientssl, NULL, NULL)))
1770 goto end;
1771
1772 /*
1773 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1774 * specific one. We'll use the server cert.
1775 */
1776 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1777 || !TEST_ptr(id = OCSP_RESPID_new())
1778 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1779 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1780 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1781 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1782 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1783 goto end;
1784 id = NULL;
1785 SSL_set_tlsext_status_ids(clientssl, ids);
1786 /* Control has been transferred */
1787 ids = NULL;
1788
1789 BIO_free(certbio);
1790 certbio = NULL;
1791
1792 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1793 SSL_ERROR_NONE))
1794 || !TEST_true(ocsp_client_called)
1795 || !TEST_true(ocsp_server_called))
1796 goto end;
1797
1798 testresult = 1;
1799
1800 end:
1801 SSL_free(serverssl);
1802 SSL_free(clientssl);
1803 SSL_CTX_free(sctx);
1804 SSL_CTX_free(cctx);
1805 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1806 OCSP_RESPID_free(id);
1807 BIO_free(certbio);
1808 X509_free(ocspcert);
1809 ocspcert = NULL;
1810
1811 return testresult;
1812}
1813#endif
1814
1815#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1816static int new_called, remove_called, get_called;
1817
1818static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1819{
1820 new_called++;
1821 /*
1822 * sess has been up-refed for us, but we don't actually need it so free it
1823 * immediately.
1824 */
1825 SSL_SESSION_free(sess);
1826 return 1;
1827}
1828
1829static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1830{
1831 remove_called++;
1832}
1833
1834static SSL_SESSION *get_sess_val = NULL;
1835
1836static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1837 int *copy)
1838{
1839 get_called++;
1840 *copy = 1;
1841 return get_sess_val;
1842}
1843
1844static int execute_test_session(int maxprot, int use_int_cache,
1845 int use_ext_cache, long s_options)
1846{
1847 SSL_CTX *sctx = NULL, *cctx = NULL;
1848 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1849 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1850# ifndef OPENSSL_NO_TLS1_1
1851 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1852# endif
1853 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1854 int testresult = 0, numnewsesstick = 1;
1855
1856 new_called = remove_called = 0;
1857
1858 /* TLSv1.3 sends 2 NewSessionTickets */
1859 if (maxprot == TLS1_3_VERSION)
1860 numnewsesstick = 2;
1861
1862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1863 TLS_client_method(), TLS1_VERSION, 0,
1864 &sctx, &cctx, cert, privkey)))
1865 return 0;
1866
1867 /*
1868 * Only allow the max protocol version so we can force a connection failure
1869 * later
1870 */
1871 SSL_CTX_set_min_proto_version(cctx, maxprot);
1872 SSL_CTX_set_max_proto_version(cctx, maxprot);
1873
1874 /* Set up session cache */
1875 if (use_ext_cache) {
1876 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1877 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1878 }
1879 if (use_int_cache) {
1880 /* Also covers instance where both are set */
1881 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1882 } else {
1883 SSL_CTX_set_session_cache_mode(cctx,
1884 SSL_SESS_CACHE_CLIENT
1885 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1886 }
1887
1888 if (s_options) {
1889 SSL_CTX_set_options(sctx, s_options);
1890 }
1891
1892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1893 NULL, NULL))
1894 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1895 SSL_ERROR_NONE))
1896 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1897 goto end;
1898
1899 /* Should fail because it should already be in the cache */
1900 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1901 goto end;
1902 if (use_ext_cache
1903 && (!TEST_int_eq(new_called, numnewsesstick)
1904
1905 || !TEST_int_eq(remove_called, 0)))
1906 goto end;
1907
1908 new_called = remove_called = 0;
1909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1910 &clientssl2, NULL, NULL))
1911 || !TEST_true(SSL_set_session(clientssl2, sess1))
1912 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1913 SSL_ERROR_NONE))
1914 || !TEST_true(SSL_session_reused(clientssl2)))
1915 goto end;
1916
1917 if (maxprot == TLS1_3_VERSION) {
1918 /*
1919 * In TLSv1.3 we should have created a new session even though we have
1920 * resumed. Since we attempted a resume we should also have removed the
1921 * old ticket from the cache so that we try to only use tickets once.
1922 */
1923 if (use_ext_cache
1924 && (!TEST_int_eq(new_called, 1)
1925 || !TEST_int_eq(remove_called, 1)))
1926 goto end;
1927 } else {
1928 /*
1929 * In TLSv1.2 we expect to have resumed so no sessions added or
1930 * removed.
1931 */
1932 if (use_ext_cache
1933 && (!TEST_int_eq(new_called, 0)
1934 || !TEST_int_eq(remove_called, 0)))
1935 goto end;
1936 }
1937
1938 SSL_SESSION_free(sess1);
1939 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1940 goto end;
1941 shutdown_ssl_connection(serverssl2, clientssl2);
1942 serverssl2 = clientssl2 = NULL;
1943
1944 new_called = remove_called = 0;
1945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1946 &clientssl2, NULL, NULL))
1947 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1948 SSL_ERROR_NONE)))
1949 goto end;
1950
1951 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1952 goto end;
1953
1954 if (use_ext_cache
1955 && (!TEST_int_eq(new_called, numnewsesstick)
1956 || !TEST_int_eq(remove_called, 0)))
1957 goto end;
1958
1959 new_called = remove_called = 0;
1960 /*
1961 * This should clear sess2 from the cache because it is a "bad" session.
1962 * See SSL_set_session() documentation.
1963 */
1964 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1965 goto end;
1966 if (use_ext_cache
1967 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1968 goto end;
1969 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1970 goto end;
1971
1972 if (use_int_cache) {
1973 /* Should succeeded because it should not already be in the cache */
1974 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1975 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1976 goto end;
1977 }
1978
1979 new_called = remove_called = 0;
1980 /* This shouldn't be in the cache so should fail */
1981 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1982 goto end;
1983
1984 if (use_ext_cache
1985 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1986 goto end;
1987
1988# if !defined(OPENSSL_NO_TLS1_1)
1989 new_called = remove_called = 0;
1990 /* Force a connection failure */
1991 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1993 &clientssl3, NULL, NULL))
1994 || !TEST_true(SSL_set_session(clientssl3, sess1))
1995 /* This should fail because of the mismatched protocol versions */
1996 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1997 SSL_ERROR_NONE)))
1998 goto end;
1999
2000 /* We should have automatically removed the session from the cache */
2001 if (use_ext_cache
2002 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2003 goto end;
2004
2005 /* Should succeed because it should not already be in the cache */
2006 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2007 goto end;
2008# endif
2009
2010 /* Now do some tests for server side caching */
2011 if (use_ext_cache) {
2012 SSL_CTX_sess_set_new_cb(cctx, NULL);
2013 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2014 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2015 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2016 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2017 get_sess_val = NULL;
2018 }
2019
2020 SSL_CTX_set_session_cache_mode(cctx, 0);
2021 /* Internal caching is the default on the server side */
2022 if (!use_int_cache)
2023 SSL_CTX_set_session_cache_mode(sctx,
2024 SSL_SESS_CACHE_SERVER
2025 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2026
2027 SSL_free(serverssl1);
2028 SSL_free(clientssl1);
2029 serverssl1 = clientssl1 = NULL;
2030 SSL_free(serverssl2);
2031 SSL_free(clientssl2);
2032 serverssl2 = clientssl2 = NULL;
2033 SSL_SESSION_free(sess1);
2034 sess1 = NULL;
2035 SSL_SESSION_free(sess2);
2036 sess2 = NULL;
2037
2038 SSL_CTX_set_max_proto_version(sctx, maxprot);
2039 if (maxprot == TLS1_2_VERSION)
2040 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2041 new_called = remove_called = get_called = 0;
2042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2043 NULL, NULL))
2044 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2045 SSL_ERROR_NONE))
2046 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2047 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2048 goto end;
2049
2050 if (use_int_cache) {
2051 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2052 /*
2053 * In TLSv1.3 it should not have been added to the internal cache,
2054 * except in the case where we also have an external cache (in that
2055 * case it gets added to the cache in order to generate remove
2056 * events after timeout).
2057 */
2058 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2059 goto end;
2060 } else {
2061 /* Should fail because it should already be in the cache */
2062 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2063 goto end;
2064 }
2065 }
2066
2067 if (use_ext_cache) {
2068 SSL_SESSION *tmp = sess2;
2069
2070 if (!TEST_int_eq(new_called, numnewsesstick)
2071 || !TEST_int_eq(remove_called, 0)
2072 || !TEST_int_eq(get_called, 0))
2073 goto end;
2074 /*
2075 * Delete the session from the internal cache to force a lookup from
2076 * the external cache. We take a copy first because
2077 * SSL_CTX_remove_session() also marks the session as non-resumable.
2078 */
2079 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2080 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2081 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2082 goto end;
2083 SSL_SESSION_free(sess2);
2084 }
2085 sess2 = tmp;
2086 }
2087
2088 new_called = remove_called = get_called = 0;
2089 get_sess_val = sess2;
2090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2091 &clientssl2, NULL, NULL))
2092 || !TEST_true(SSL_set_session(clientssl2, sess1))
2093 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2094 SSL_ERROR_NONE))
2095 || !TEST_true(SSL_session_reused(clientssl2)))
2096 goto end;
2097
2098 if (use_ext_cache) {
2099 if (!TEST_int_eq(remove_called, 0))
2100 goto end;
2101
2102 if (maxprot == TLS1_3_VERSION) {
2103 if (!TEST_int_eq(new_called, 1)
2104 || !TEST_int_eq(get_called, 0))
2105 goto end;
2106 } else {
2107 if (!TEST_int_eq(new_called, 0)
2108 || !TEST_int_eq(get_called, 1))
2109 goto end;
2110 }
2111 }
2112
2113 testresult = 1;
2114
2115 end:
2116 SSL_free(serverssl1);
2117 SSL_free(clientssl1);
2118 SSL_free(serverssl2);
2119 SSL_free(clientssl2);
2120# ifndef OPENSSL_NO_TLS1_1
2121 SSL_free(serverssl3);
2122 SSL_free(clientssl3);
2123# endif
2124 SSL_SESSION_free(sess1);
2125 SSL_SESSION_free(sess2);
2126 SSL_CTX_free(sctx);
2127 SSL_CTX_free(cctx);
2128
2129 return testresult;
2130}
2131#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2132
2133static int test_session_with_only_int_cache(void)
2134{
2135#ifndef OSSL_NO_USABLE_TLS1_3
2136 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2137 return 0;
2138#endif
2139
2140#ifndef OPENSSL_NO_TLS1_2
2141 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2142#else
2143 return 1;
2144#endif
2145}
2146
2147static int test_session_with_only_ext_cache(void)
2148{
2149#ifndef OSSL_NO_USABLE_TLS1_3
2150 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2151 return 0;
2152#endif
2153
2154#ifndef OPENSSL_NO_TLS1_2
2155 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2156#else
2157 return 1;
2158#endif
2159}
2160
2161static int test_session_with_both_cache(void)
2162{
2163#ifndef OSSL_NO_USABLE_TLS1_3
2164 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2165 return 0;
2166#endif
2167
2168#ifndef OPENSSL_NO_TLS1_2
2169 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2170#else
2171 return 1;
2172#endif
2173}
2174
2175static int test_session_wo_ca_names(void)
2176{
2177#ifndef OSSL_NO_USABLE_TLS1_3
2178 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2179 return 0;
2180#endif
2181
2182#ifndef OPENSSL_NO_TLS1_2
2183 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2184#else
2185 return 1;
2186#endif
2187}
2188
2189
2190#ifndef OSSL_NO_USABLE_TLS1_3
2191static SSL_SESSION *sesscache[6];
2192static int do_cache;
2193
2194static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2195{
2196 if (do_cache) {
2197 sesscache[new_called] = sess;
2198 } else {
2199 /* We don't need the reference to the session, so free it */
2200 SSL_SESSION_free(sess);
2201 }
2202 new_called++;
2203
2204 return 1;
2205}
2206
2207static int post_handshake_verify(SSL *sssl, SSL *cssl)
2208{
2209 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2210 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2211 return 0;
2212
2213 /* Start handshake on the server and client */
2214 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2215 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2216 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2217 || !TEST_true(create_ssl_connection(sssl, cssl,
2218 SSL_ERROR_NONE)))
2219 return 0;
2220
2221 return 1;
2222}
2223
2224static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2225 SSL_CTX **cctx)
2226{
2227 int sess_id_ctx = 1;
2228
2229 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2230 TLS_client_method(), TLS1_VERSION, 0,
2231 sctx, cctx, cert, privkey))
2232 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2233 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2234 (void *)&sess_id_ctx,
2235 sizeof(sess_id_ctx))))
2236 return 0;
2237
2238 if (stateful)
2239 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2240
2241 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2242 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2243 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2244
2245 return 1;
2246}
2247
2248static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2249{
2250 SSL *serverssl = NULL, *clientssl = NULL;
2251 int i;
2252
2253 /* Test that we can resume with all the tickets we got given */
2254 for (i = 0; i < idx * 2; i++) {
2255 new_called = 0;
2256 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2257 &clientssl, NULL, NULL))
2258 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2259 goto end;
2260
2261 SSL_set_post_handshake_auth(clientssl, 1);
2262
2263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2264 SSL_ERROR_NONE)))
2265 goto end;
2266
2267 /*
2268 * Following a successful resumption we only get 1 ticket. After a
2269 * failed one we should get idx tickets.
2270 */
2271 if (succ) {
2272 if (!TEST_true(SSL_session_reused(clientssl))
2273 || !TEST_int_eq(new_called, 1))
2274 goto end;
2275 } else {
2276 if (!TEST_false(SSL_session_reused(clientssl))
2277 || !TEST_int_eq(new_called, idx))
2278 goto end;
2279 }
2280
2281 new_called = 0;
2282 /* After a post-handshake authentication we should get 1 new ticket */
2283 if (succ
2284 && (!post_handshake_verify(serverssl, clientssl)
2285 || !TEST_int_eq(new_called, 1)))
2286 goto end;
2287
2288 SSL_shutdown(clientssl);
2289 SSL_shutdown(serverssl);
2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2292 serverssl = clientssl = NULL;
2293 SSL_SESSION_free(sesscache[i]);
2294 sesscache[i] = NULL;
2295 }
2296
2297 return 1;
2298
2299 end:
2300 SSL_free(clientssl);
2301 SSL_free(serverssl);
2302 return 0;
2303}
2304
2305static int test_tickets(int stateful, int idx)
2306{
2307 SSL_CTX *sctx = NULL, *cctx = NULL;
2308 SSL *serverssl = NULL, *clientssl = NULL;
2309 int testresult = 0;
2310 size_t j;
2311
2312 /* idx is the test number, but also the number of tickets we want */
2313
2314 new_called = 0;
2315 do_cache = 1;
2316
2317 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2318 goto end;
2319
2320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2321 &clientssl, NULL, NULL)))
2322 goto end;
2323
2324 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2325 SSL_ERROR_NONE))
2326 /* Check we got the number of tickets we were expecting */
2327 || !TEST_int_eq(idx, new_called))
2328 goto end;
2329
2330 SSL_shutdown(clientssl);
2331 SSL_shutdown(serverssl);
2332 SSL_free(serverssl);
2333 SSL_free(clientssl);
2334 SSL_CTX_free(sctx);
2335 SSL_CTX_free(cctx);
2336 clientssl = serverssl = NULL;
2337 sctx = cctx = NULL;
2338
2339 /*
2340 * Now we try to resume with the tickets we previously created. The
2341 * resumption attempt is expected to fail (because we're now using a new
2342 * SSL_CTX). We should see idx number of tickets issued again.
2343 */
2344
2345 /* Stop caching sessions - just count them */
2346 do_cache = 0;
2347
2348 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2349 goto end;
2350
2351 if (!check_resumption(idx, sctx, cctx, 0))
2352 goto end;
2353
2354 /* Start again with caching sessions */
2355 new_called = 0;
2356 do_cache = 1;
2357 SSL_CTX_free(sctx);
2358 SSL_CTX_free(cctx);
2359 sctx = cctx = NULL;
2360
2361 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2362 goto end;
2363
2364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2365 &clientssl, NULL, NULL)))
2366 goto end;
2367
2368 SSL_set_post_handshake_auth(clientssl, 1);
2369
2370 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2371 SSL_ERROR_NONE))
2372 /* Check we got the number of tickets we were expecting */
2373 || !TEST_int_eq(idx, new_called))
2374 goto end;
2375
2376 /* After a post-handshake authentication we should get new tickets issued */
2377 if (!post_handshake_verify(serverssl, clientssl)
2378 || !TEST_int_eq(idx * 2, new_called))
2379 goto end;
2380
2381 SSL_shutdown(clientssl);
2382 SSL_shutdown(serverssl);
2383 SSL_free(serverssl);
2384 SSL_free(clientssl);
2385 serverssl = clientssl = NULL;
2386
2387 /* Stop caching sessions - just count them */
2388 do_cache = 0;
2389
2390 /*
2391 * Check we can resume with all the tickets we created. This time around the
2392 * resumptions should all be successful.
2393 */
2394 if (!check_resumption(idx, sctx, cctx, 1))
2395 goto end;
2396
2397 testresult = 1;
2398
2399 end:
2400 SSL_free(serverssl);
2401 SSL_free(clientssl);
2402 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2403 SSL_SESSION_free(sesscache[j]);
2404 sesscache[j] = NULL;
2405 }
2406 SSL_CTX_free(sctx);
2407 SSL_CTX_free(cctx);
2408
2409 return testresult;
2410}
2411
2412static int test_stateless_tickets(int idx)
2413{
2414 return test_tickets(0, idx);
2415}
2416
2417static int test_stateful_tickets(int idx)
2418{
2419 return test_tickets(1, idx);
2420}
2421
2422static int test_psk_tickets(void)
2423{
2424 SSL_CTX *sctx = NULL, *cctx = NULL;
2425 SSL *serverssl = NULL, *clientssl = NULL;
2426 int testresult = 0;
2427 int sess_id_ctx = 1;
2428
2429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2430 TLS_client_method(), TLS1_VERSION, 0,
2431 &sctx, &cctx, NULL, NULL))
2432 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2433 (void *)&sess_id_ctx,
2434 sizeof(sess_id_ctx))))
2435 goto end;
2436
2437 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2438 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2439 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2440 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2441 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2442 use_session_cb_cnt = 0;
2443 find_session_cb_cnt = 0;
2444 srvid = pskid;
2445 new_called = 0;
2446
2447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2448 NULL, NULL)))
2449 goto end;
2450 clientpsk = serverpsk = create_a_psk(clientssl);
2451 if (!TEST_ptr(clientpsk))
2452 goto end;
2453 SSL_SESSION_up_ref(clientpsk);
2454
2455 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2456 SSL_ERROR_NONE))
2457 || !TEST_int_eq(1, find_session_cb_cnt)
2458 || !TEST_int_eq(1, use_session_cb_cnt)
2459 /* We should always get 1 ticket when using external PSK */
2460 || !TEST_int_eq(1, new_called))
2461 goto end;
2462
2463 testresult = 1;
2464
2465 end:
2466 SSL_free(serverssl);
2467 SSL_free(clientssl);
2468 SSL_CTX_free(sctx);
2469 SSL_CTX_free(cctx);
2470 SSL_SESSION_free(clientpsk);
2471 SSL_SESSION_free(serverpsk);
2472 clientpsk = serverpsk = NULL;
2473
2474 return testresult;
2475}
2476
2477static int test_extra_tickets(int idx)
2478{
2479 SSL_CTX *sctx = NULL, *cctx = NULL;
2480 SSL *serverssl = NULL, *clientssl = NULL;
2481 BIO *bretry = BIO_new(bio_s_always_retry());
2482 BIO *tmp = NULL;
2483 int testresult = 0;
2484 int stateful = 0;
2485 size_t nbytes;
2486 unsigned char c, buf[1];
2487
2488 new_called = 0;
2489 do_cache = 1;
2490
2491 if (idx >= 3) {
2492 idx -= 3;
2493 stateful = 1;
2494 }
2495
2496 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2497 goto end;
2498 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2499 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2500 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2501
2502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2503 &clientssl, NULL, NULL)))
2504 goto end;
2505
2506 /*
2507 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2508 * incremented by both client and server.
2509 */
2510 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2511 SSL_ERROR_NONE))
2512 /* Check we got the number of tickets we were expecting */
2513 || !TEST_int_eq(idx * 2, new_called)
2514 || !TEST_true(SSL_new_session_ticket(serverssl))
2515 || !TEST_true(SSL_new_session_ticket(serverssl))
2516 || !TEST_int_eq(idx * 2, new_called))
2517 goto end;
2518
2519 /* Now try a (real) write to actually send the tickets */
2520 c = '1';
2521 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2522 || !TEST_size_t_eq(1, nbytes)
2523 || !TEST_int_eq(idx * 2 + 2, new_called)
2524 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2525 || !TEST_int_eq(idx * 2 + 4, new_called)
2526 || !TEST_int_eq(sizeof(buf), nbytes)
2527 || !TEST_int_eq(c, buf[0])
2528 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2529 goto end;
2530
2531 /* Try with only requesting one new ticket, too */
2532 c = '2';
2533 new_called = 0;
2534 if (!TEST_true(SSL_new_session_ticket(serverssl))
2535 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2536 || !TEST_size_t_eq(sizeof(c), nbytes)
2537 || !TEST_int_eq(1, new_called)
2538 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2539 || !TEST_int_eq(2, new_called)
2540 || !TEST_size_t_eq(sizeof(buf), nbytes)
2541 || !TEST_int_eq(c, buf[0]))
2542 goto end;
2543
2544 /* Do it again but use dummy writes to drive the ticket generation */
2545 c = '3';
2546 new_called = 0;
2547 if (!TEST_true(SSL_new_session_ticket(serverssl))
2548 || !TEST_true(SSL_new_session_ticket(serverssl))
2549 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2550 || !TEST_size_t_eq(0, nbytes)
2551 || !TEST_int_eq(2, new_called)
2552 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2553 || !TEST_int_eq(4, new_called))
2554 goto end;
2555
2556 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2557 c = '4';
2558 new_called = 0;
2559 if (!TEST_true(SSL_new_session_ticket(serverssl))
2560 || !TEST_true(SSL_new_session_ticket(serverssl))
2561 || !TEST_true(SSL_do_handshake(serverssl))
2562 || !TEST_int_eq(2, new_called)
2563 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2564 || !TEST_int_eq(4, new_called))
2565 goto end;
2566
2567 /*
2568 * Use the always-retry BIO to exercise the logic that forces ticket
2569 * generation to wait until a record boundary.
2570 */
2571 c = '5';
2572 new_called = 0;
2573 tmp = SSL_get_wbio(serverssl);
2574 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2575 tmp = NULL;
2576 goto end;
2577 }
2578 SSL_set0_wbio(serverssl, bretry);
2579 bretry = NULL;
2580 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2581 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2582 || !TEST_size_t_eq(nbytes, 0))
2583 goto end;
2584 /* Restore a BIO that will let the write succeed */
2585 SSL_set0_wbio(serverssl, tmp);
2586 tmp = NULL;
2587 /*
2588 * These calls should just queue the request and not send anything
2589 * even if we explicitly try to hit the state machine.
2590 */
2591 if (!TEST_true(SSL_new_session_ticket(serverssl))
2592 || !TEST_true(SSL_new_session_ticket(serverssl))
2593 || !TEST_int_eq(0, new_called)
2594 || !TEST_true(SSL_do_handshake(serverssl))
2595 || !TEST_int_eq(0, new_called))
2596 goto end;
2597 /* Re-do the write; still no tickets sent */
2598 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2599 || !TEST_size_t_eq(1, nbytes)
2600 || !TEST_int_eq(0, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(0, new_called)
2603 || !TEST_int_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0])
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2606 goto end;
2607 /* Even trying to hit the state machine now will still not send tickets */
2608 if (!TEST_true(SSL_do_handshake(serverssl))
2609 || !TEST_int_eq(0, new_called))
2610 goto end;
2611 /* Now the *next* write should send the tickets */
2612 c = '6';
2613 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2614 || !TEST_size_t_eq(1, nbytes)
2615 || !TEST_int_eq(2, new_called)
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2617 || !TEST_int_eq(4, new_called)
2618 || !TEST_int_eq(sizeof(buf), nbytes)
2619 || !TEST_int_eq(c, buf[0])
2620 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2621 goto end;
2622
2623 SSL_shutdown(clientssl);
2624 SSL_shutdown(serverssl);
2625 testresult = 1;
2626
2627 end:
2628 BIO_free(bretry);
2629 BIO_free(tmp);
2630 SSL_free(serverssl);
2631 SSL_free(clientssl);
2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634 clientssl = serverssl = NULL;
2635 sctx = cctx = NULL;
2636 return testresult;
2637}
2638#endif
2639
2640#define USE_NULL 0
2641#define USE_BIO_1 1
2642#define USE_BIO_2 2
2643#define USE_DEFAULT 3
2644
2645#define CONNTYPE_CONNECTION_SUCCESS 0
2646#define CONNTYPE_CONNECTION_FAIL 1
2647#define CONNTYPE_NO_CONNECTION 2
2648
2649#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2650#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2651#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2652# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2653#else
2654# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2655#endif
2656
2657#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2658 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2659 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2660
2661static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2662{
2663 switch (type) {
2664 case USE_NULL:
2665 *res = NULL;
2666 break;
2667 case USE_BIO_1:
2668 *res = bio1;
2669 break;
2670 case USE_BIO_2:
2671 *res = bio2;
2672 break;
2673 }
2674}
2675
2676
2677/*
2678 * Tests calls to SSL_set_bio() under various conditions.
2679 *
2680 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2681 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2682 * then do more tests where we create a successful connection first using our
2683 * standard connection setup functions, and then call SSL_set_bio() with
2684 * various combinations of valid BIOs or NULL. We then repeat these tests
2685 * following a failed connection. In this last case we are looking to check that
2686 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2687 */
2688static int test_ssl_set_bio(int idx)
2689{
2690 SSL_CTX *sctx = NULL, *cctx = NULL;
2691 BIO *bio1 = NULL;
2692 BIO *bio2 = NULL;
2693 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2694 SSL *serverssl = NULL, *clientssl = NULL;
2695 int initrbio, initwbio, newrbio, newwbio, conntype;
2696 int testresult = 0;
2697
2698 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2699 initrbio = idx % 3;
2700 idx /= 3;
2701 initwbio = idx % 3;
2702 idx /= 3;
2703 newrbio = idx % 3;
2704 idx /= 3;
2705 newwbio = idx % 3;
2706 conntype = CONNTYPE_NO_CONNECTION;
2707 } else {
2708 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2709 initrbio = initwbio = USE_DEFAULT;
2710 newrbio = idx % 2;
2711 idx /= 2;
2712 newwbio = idx % 2;
2713 idx /= 2;
2714 conntype = idx % 2;
2715 }
2716
2717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2718 TLS_client_method(), TLS1_VERSION, 0,
2719 &sctx, &cctx, cert, privkey)))
2720 goto end;
2721
2722 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2723 /*
2724 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2725 * because we reduced the number of tests in the definition of
2726 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2727 * mismatched protocol versions we will force a connection failure.
2728 */
2729 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2730 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2731 }
2732
2733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2734 NULL, NULL)))
2735 goto end;
2736
2737 if (initrbio == USE_BIO_1
2738 || initwbio == USE_BIO_1
2739 || newrbio == USE_BIO_1
2740 || newwbio == USE_BIO_1) {
2741 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2742 goto end;
2743 }
2744
2745 if (initrbio == USE_BIO_2
2746 || initwbio == USE_BIO_2
2747 || newrbio == USE_BIO_2
2748 || newwbio == USE_BIO_2) {
2749 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2750 goto end;
2751 }
2752
2753 if (initrbio != USE_DEFAULT) {
2754 setupbio(&irbio, bio1, bio2, initrbio);
2755 setupbio(&iwbio, bio1, bio2, initwbio);
2756 SSL_set_bio(clientssl, irbio, iwbio);
2757
2758 /*
2759 * We want to maintain our own refs to these BIO, so do an up ref for
2760 * each BIO that will have ownership transferred in the SSL_set_bio()
2761 * call
2762 */
2763 if (irbio != NULL)
2764 BIO_up_ref(irbio);
2765 if (iwbio != NULL && iwbio != irbio)
2766 BIO_up_ref(iwbio);
2767 }
2768
2769 if (conntype != CONNTYPE_NO_CONNECTION
2770 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2771 SSL_ERROR_NONE)
2772 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2773 goto end;
2774
2775 setupbio(&nrbio, bio1, bio2, newrbio);
2776 setupbio(&nwbio, bio1, bio2, newwbio);
2777
2778 /*
2779 * We will (maybe) transfer ownership again so do more up refs.
2780 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2781 * already been set!
2782 */
2783 if (nrbio != NULL
2784 && nrbio != irbio
2785 && (nwbio != iwbio || nrbio != nwbio))
2786 BIO_up_ref(nrbio);
2787 if (nwbio != NULL
2788 && nwbio != nrbio
2789 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2790 BIO_up_ref(nwbio);
2791
2792 SSL_set_bio(clientssl, nrbio, nwbio);
2793
2794 testresult = 1;
2795
2796 end:
2797 BIO_free(bio1);
2798 BIO_free(bio2);
2799
2800 /*
2801 * This test is checking that the ref counting for SSL_set_bio is correct.
2802 * If we get here and we did too many frees then we will fail in the above
2803 * functions.
2804 */
2805 SSL_free(serverssl);
2806 SSL_free(clientssl);
2807 SSL_CTX_free(sctx);
2808 SSL_CTX_free(cctx);
2809 return testresult;
2810}
2811
2812typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2813
2814static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2815{
2816 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2817 SSL_CTX *ctx;
2818 SSL *ssl = NULL;
2819 int testresult = 0;
2820
2821 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2822 || !TEST_ptr(ssl = SSL_new(ctx))
2823 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2824 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2825 goto end;
2826
2827 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2828
2829 /*
2830 * If anything goes wrong here then we could leak memory.
2831 */
2832 BIO_push(sslbio, membio1);
2833
2834 /* Verify changing the rbio/wbio directly does not cause leaks */
2835 if (change_bio != NO_BIO_CHANGE) {
2836 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2837 ssl = NULL;
2838 goto end;
2839 }
2840 if (change_bio == CHANGE_RBIO)
2841 SSL_set0_rbio(ssl, membio2);
2842 else
2843 SSL_set0_wbio(ssl, membio2);
2844 }
2845 ssl = NULL;
2846
2847 if (pop_ssl)
2848 BIO_pop(sslbio);
2849 else
2850 BIO_pop(membio1);
2851
2852 testresult = 1;
2853 end:
2854 BIO_free(membio1);
2855 BIO_free(sslbio);
2856 SSL_free(ssl);
2857 SSL_CTX_free(ctx);
2858
2859 return testresult;
2860}
2861
2862static int test_ssl_bio_pop_next_bio(void)
2863{
2864 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2865}
2866
2867static int test_ssl_bio_pop_ssl_bio(void)
2868{
2869 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2870}
2871
2872static int test_ssl_bio_change_rbio(void)
2873{
2874 return execute_test_ssl_bio(0, CHANGE_RBIO);
2875}
2876
2877static int test_ssl_bio_change_wbio(void)
2878{
2879 return execute_test_ssl_bio(0, CHANGE_WBIO);
2880}
2881
2882#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2883typedef struct {
2884 /* The list of sig algs */
2885 const int *list;
2886 /* The length of the list */
2887 size_t listlen;
2888 /* A sigalgs list in string format */
2889 const char *liststr;
2890 /* Whether setting the list should succeed */
2891 int valid;
2892 /* Whether creating a connection with the list should succeed */
2893 int connsuccess;
2894} sigalgs_list;
2895
2896static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2897# ifndef OPENSSL_NO_EC
2898static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2899static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2900# endif
2901static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2902static const int invalidlist2[] = {NID_sha256, NID_undef};
2903static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2904static const int invalidlist4[] = {NID_sha256};
2905static const sigalgs_list testsigalgs[] = {
2906 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2907# ifndef OPENSSL_NO_EC
2908 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2909 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2910# endif
2911 {NULL, 0, "RSA+SHA256", 1, 1},
2912# ifndef OPENSSL_NO_EC
2913 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2914 {NULL, 0, "ECDSA+SHA512", 1, 0},
2915# endif
2916 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2917 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2918 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2919 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2920 {NULL, 0, "RSA", 0, 0},
2921 {NULL, 0, "SHA256", 0, 0},
2922 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2923 {NULL, 0, "Invalid", 0, 0}
2924};
2925
2926static int test_set_sigalgs(int idx)
2927{
2928 SSL_CTX *cctx = NULL, *sctx = NULL;
2929 SSL *clientssl = NULL, *serverssl = NULL;
2930 int testresult = 0;
2931 const sigalgs_list *curr;
2932 int testctx;
2933
2934 /* Should never happen */
2935 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2936 return 0;
2937
2938 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2939 curr = testctx ? &testsigalgs[idx]
2940 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2941
2942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2943 TLS_client_method(), TLS1_VERSION, 0,
2944 &sctx, &cctx, cert, privkey)))
2945 return 0;
2946
2947 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2948
2949 if (testctx) {
2950 int ret;
2951
2952 if (curr->list != NULL)
2953 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2954 else
2955 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2956
2957 if (!ret) {
2958 if (curr->valid)
2959 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2960 else
2961 testresult = 1;
2962 goto end;
2963 }
2964 if (!curr->valid) {
2965 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2966 goto end;
2967 }
2968 }
2969
2970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2971 &clientssl, NULL, NULL)))
2972 goto end;
2973
2974 if (!testctx) {
2975 int ret;
2976
2977 if (curr->list != NULL)
2978 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2979 else
2980 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2981 if (!ret) {
2982 if (curr->valid)
2983 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2984 else
2985 testresult = 1;
2986 goto end;
2987 }
2988 if (!curr->valid)
2989 goto end;
2990 }
2991
2992 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2993 SSL_ERROR_NONE),
2994 curr->connsuccess))
2995 goto end;
2996
2997 testresult = 1;
2998
2999 end:
3000 SSL_free(serverssl);
3001 SSL_free(clientssl);
3002 SSL_CTX_free(sctx);
3003 SSL_CTX_free(cctx);
3004
3005 return testresult;
3006}
3007#endif
3008
3009#ifndef OSSL_NO_USABLE_TLS1_3
3010static int psk_client_cb_cnt = 0;
3011static int psk_server_cb_cnt = 0;
3012
3013static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3014 size_t *idlen, SSL_SESSION **sess)
3015{
3016 switch (++use_session_cb_cnt) {
3017 case 1:
3018 /* The first call should always have a NULL md */
3019 if (md != NULL)
3020 return 0;
3021 break;
3022
3023 case 2:
3024 /* The second call should always have an md */
3025 if (md == NULL)
3026 return 0;
3027 break;
3028
3029 default:
3030 /* We should only be called a maximum of twice */
3031 return 0;
3032 }
3033
3034 if (clientpsk != NULL)
3035 SSL_SESSION_up_ref(clientpsk);
3036
3037 *sess = clientpsk;
3038 *id = (const unsigned char *)pskid;
3039 *idlen = strlen(pskid);
3040
3041 return 1;
3042}
3043
3044#ifndef OPENSSL_NO_PSK
3045static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3046 unsigned int max_id_len,
3047 unsigned char *psk,
3048 unsigned int max_psk_len)
3049{
3050 unsigned int psklen = 0;
3051
3052 psk_client_cb_cnt++;
3053
3054 if (strlen(pskid) + 1 > max_id_len)
3055 return 0;
3056
3057 /* We should only ever be called a maximum of twice per connection */
3058 if (psk_client_cb_cnt > 2)
3059 return 0;
3060
3061 if (clientpsk == NULL)
3062 return 0;
3063
3064 /* We'll reuse the PSK we set up for TLSv1.3 */
3065 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3066 return 0;
3067 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3068 strncpy(id, pskid, max_id_len);
3069
3070 return psklen;
3071}
3072#endif /* OPENSSL_NO_PSK */
3073
3074static int find_session_cb(SSL *ssl, const unsigned char *identity,
3075 size_t identity_len, SSL_SESSION **sess)
3076{
3077 find_session_cb_cnt++;
3078
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (find_session_cb_cnt > 2)
3081 return 0;
3082
3083 if (serverpsk == NULL)
3084 return 0;
3085
3086 /* Identity should match that set by the client */
3087 if (strlen(srvid) != identity_len
3088 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3089 /* No PSK found, continue but without a PSK */
3090 *sess = NULL;
3091 return 1;
3092 }
3093
3094 SSL_SESSION_up_ref(serverpsk);
3095 *sess = serverpsk;
3096
3097 return 1;
3098}
3099
3100#ifndef OPENSSL_NO_PSK
3101static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3102 unsigned char *psk, unsigned int max_psk_len)
3103{
3104 unsigned int psklen = 0;
3105
3106 psk_server_cb_cnt++;
3107
3108 /* We should only ever be called a maximum of twice per connection */
3109 if (find_session_cb_cnt > 2)
3110 return 0;
3111
3112 if (serverpsk == NULL)
3113 return 0;
3114
3115 /* Identity should match that set by the client */
3116 if (strcmp(srvid, identity) != 0) {
3117 return 0;
3118 }
3119
3120 /* We'll reuse the PSK we set up for TLSv1.3 */
3121 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3122 return 0;
3123 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3124
3125 return psklen;
3126}
3127#endif /* OPENSSL_NO_PSK */
3128
3129#define MSG1 "Hello"
3130#define MSG2 "World."
3131#define MSG3 "This"
3132#define MSG4 "is"
3133#define MSG5 "a"
3134#define MSG6 "test"
3135#define MSG7 "message."
3136
3137#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3138#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3139#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3140#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3141#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3142
3143
3144static SSL_SESSION *create_a_psk(SSL *ssl)
3145{
3146 const SSL_CIPHER *cipher = NULL;
3147 const unsigned char key[] = {
3148 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3149 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3150 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3151 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3152 0x2c, 0x2d, 0x2e, 0x2f
3153 };
3154 SSL_SESSION *sess = NULL;
3155
3156 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3157 sess = SSL_SESSION_new();
3158 if (!TEST_ptr(sess)
3159 || !TEST_ptr(cipher)
3160 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3161 sizeof(key)))
3162 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3163 || !TEST_true(
3164 SSL_SESSION_set_protocol_version(sess,
3165 TLS1_3_VERSION))) {
3166 SSL_SESSION_free(sess);
3167 return NULL;
3168 }
3169 return sess;
3170}
3171
3172/*
3173 * Helper method to setup objects for early data test. Caller frees objects on
3174 * error.
3175 */
3176static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3177 SSL **serverssl, SSL_SESSION **sess, int idx)
3178{
3179 if (*sctx == NULL
3180 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3181 TLS_client_method(),
3182 TLS1_VERSION, 0,
3183 sctx, cctx, cert, privkey)))
3184 return 0;
3185
3186 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3187 return 0;
3188
3189 if (idx == 1) {
3190 /* When idx == 1 we repeat the tests with read_ahead set */
3191 SSL_CTX_set_read_ahead(*cctx, 1);
3192 SSL_CTX_set_read_ahead(*sctx, 1);
3193 } else if (idx == 2) {
3194 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3195 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3196 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3197 use_session_cb_cnt = 0;
3198 find_session_cb_cnt = 0;
3199 srvid = pskid;
3200 }
3201
3202 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3203 NULL, NULL)))
3204 return 0;
3205
3206 /*
3207 * For one of the run throughs (doesn't matter which one), we'll try sending
3208 * some SNI data in the initial ClientHello. This will be ignored (because
3209 * there is no SNI cb set up by the server), so it should not impact
3210 * early_data.
3211 */
3212 if (idx == 1
3213 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3214 return 0;
3215
3216 if (idx == 2) {
3217 clientpsk = create_a_psk(*clientssl);
3218 if (!TEST_ptr(clientpsk)
3219 /*
3220 * We just choose an arbitrary value for max_early_data which
3221 * should be big enough for testing purposes.
3222 */
3223 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3224 0x100))
3225 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3226 SSL_SESSION_free(clientpsk);
3227 clientpsk = NULL;
3228 return 0;
3229 }
3230 serverpsk = clientpsk;
3231
3232 if (sess != NULL) {
3233 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3234 SSL_SESSION_free(clientpsk);
3235 SSL_SESSION_free(serverpsk);
3236 clientpsk = serverpsk = NULL;
3237 return 0;
3238 }
3239 *sess = clientpsk;
3240 }
3241 return 1;
3242 }
3243
3244 if (sess == NULL)
3245 return 1;
3246
3247 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3248 SSL_ERROR_NONE)))
3249 return 0;
3250
3251 *sess = SSL_get1_session(*clientssl);
3252 SSL_shutdown(*clientssl);
3253 SSL_shutdown(*serverssl);
3254 SSL_free(*serverssl);
3255 SSL_free(*clientssl);
3256 *serverssl = *clientssl = NULL;
3257
3258 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3259 clientssl, NULL, NULL))
3260 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3261 return 0;
3262
3263 return 1;
3264}
3265
3266static int test_early_data_read_write(int idx)
3267{
3268 SSL_CTX *cctx = NULL, *sctx = NULL;
3269 SSL *clientssl = NULL, *serverssl = NULL;
3270 int testresult = 0;
3271 SSL_SESSION *sess = NULL;
3272 unsigned char buf[20], data[1024];
3273 size_t readbytes, written, eoedlen, rawread, rawwritten;
3274 BIO *rbio;
3275
3276 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3277 &serverssl, &sess, idx)))
3278 goto end;
3279
3280 /* Write and read some early data */
3281 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3282 &written))
3283 || !TEST_size_t_eq(written, strlen(MSG1))
3284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3285 sizeof(buf), &readbytes),
3286 SSL_READ_EARLY_DATA_SUCCESS)
3287 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3289 SSL_EARLY_DATA_ACCEPTED))
3290 goto end;
3291
3292 /*
3293 * Server should be able to write data, and client should be able to
3294 * read it.
3295 */
3296 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3297 &written))
3298 || !TEST_size_t_eq(written, strlen(MSG2))
3299 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3300 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3301 goto end;
3302
3303 /* Even after reading normal data, client should be able write early data */
3304 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3305 &written))
3306 || !TEST_size_t_eq(written, strlen(MSG3)))
3307 goto end;
3308
3309 /* Server should still be able read early data after writing data */
3310 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3311 &readbytes),
3312 SSL_READ_EARLY_DATA_SUCCESS)
3313 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3314 goto end;
3315
3316 /* Write more data from server and read it from client */
3317 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3318 &written))
3319 || !TEST_size_t_eq(written, strlen(MSG4))
3320 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3321 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3322 goto end;
3323
3324 /*
3325 * If client writes normal data it should mean writing early data is no
3326 * longer possible.
3327 */
3328 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3329 || !TEST_size_t_eq(written, strlen(MSG5))
3330 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3331 SSL_EARLY_DATA_ACCEPTED))
3332 goto end;
3333
3334 /*
3335 * At this point the client has written EndOfEarlyData, ClientFinished and
3336 * normal (fully protected) data. We are going to cause a delay between the
3337 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3338 * in the read BIO, and then just put back the EndOfEarlyData message.
3339 */
3340 rbio = SSL_get_rbio(serverssl);
3341 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3342 || !TEST_size_t_lt(rawread, sizeof(data))
3343 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3344 goto end;
3345
3346 /* Record length is in the 4th and 5th bytes of the record header */
3347 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3348 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3349 || !TEST_size_t_eq(rawwritten, eoedlen))
3350 goto end;
3351
3352 /* Server should be told that there is no more early data */
3353 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3354 &readbytes),
3355 SSL_READ_EARLY_DATA_FINISH)
3356 || !TEST_size_t_eq(readbytes, 0))
3357 goto end;
3358
3359 /*
3360 * Server has not finished init yet, so should still be able to write early
3361 * data.
3362 */
3363 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3364 &written))
3365 || !TEST_size_t_eq(written, strlen(MSG6)))
3366 goto end;
3367
3368 /* Push the ClientFinished and the normal data back into the server rbio */
3369 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3370 &rawwritten))
3371 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3372 goto end;
3373
3374 /* Server should be able to read normal data */
3375 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3376 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3377 goto end;
3378
3379 /* Client and server should not be able to write/read early data now */
3380 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3381 &written)))
3382 goto end;
3383 ERR_clear_error();
3384 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3385 &readbytes),
3386 SSL_READ_EARLY_DATA_ERROR))
3387 goto end;
3388 ERR_clear_error();
3389
3390 /* Client should be able to read the data sent by the server */
3391 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3392 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3393 goto end;
3394
3395 /*
3396 * Make sure we process the two NewSessionTickets. These arrive
3397 * post-handshake. We attempt reads which we do not expect to return any
3398 * data.
3399 */
3400 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3401 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3402 &readbytes)))
3403 goto end;
3404
3405 /* Server should be able to write normal data */
3406 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3407 || !TEST_size_t_eq(written, strlen(MSG7))
3408 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3409 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3410 goto end;
3411
3412 SSL_SESSION_free(sess);
3413 sess = SSL_get1_session(clientssl);
3414 use_session_cb_cnt = 0;
3415 find_session_cb_cnt = 0;
3416
3417 SSL_shutdown(clientssl);
3418 SSL_shutdown(serverssl);
3419 SSL_free(serverssl);
3420 SSL_free(clientssl);
3421 serverssl = clientssl = NULL;
3422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3423 &clientssl, NULL, NULL))
3424 || !TEST_true(SSL_set_session(clientssl, sess)))
3425 goto end;
3426
3427 /* Write and read some early data */
3428 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3429 &written))
3430 || !TEST_size_t_eq(written, strlen(MSG1))
3431 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3432 &readbytes),
3433 SSL_READ_EARLY_DATA_SUCCESS)
3434 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3435 goto end;
3436
3437 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3438 || !TEST_int_gt(SSL_accept(serverssl), 0))
3439 goto end;
3440
3441 /* Client and server should not be able to write/read early data now */
3442 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3443 &written)))
3444 goto end;
3445 ERR_clear_error();
3446 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3447 &readbytes),
3448 SSL_READ_EARLY_DATA_ERROR))
3449 goto end;
3450 ERR_clear_error();
3451
3452 /* Client and server should be able to write/read normal data */
3453 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3454 || !TEST_size_t_eq(written, strlen(MSG5))
3455 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3456 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3457 goto end;
3458
3459 testresult = 1;
3460
3461 end:
3462 SSL_SESSION_free(sess);
3463 SSL_SESSION_free(clientpsk);
3464 SSL_SESSION_free(serverpsk);
3465 clientpsk = serverpsk = NULL;
3466 SSL_free(serverssl);
3467 SSL_free(clientssl);
3468 SSL_CTX_free(sctx);
3469 SSL_CTX_free(cctx);
3470 return testresult;
3471}
3472
3473static int allow_ed_cb_called = 0;
3474
3475static int allow_early_data_cb(SSL *s, void *arg)
3476{
3477 int *usecb = (int *)arg;
3478
3479 allow_ed_cb_called++;
3480
3481 if (*usecb == 1)
3482 return 0;
3483
3484 return 1;
3485}
3486
3487/*
3488 * idx == 0: Standard early_data setup
3489 * idx == 1: early_data setup using read_ahead
3490 * usecb == 0: Don't use a custom early data callback
3491 * usecb == 1: Use a custom early data callback and reject the early data
3492 * usecb == 2: Use a custom early data callback and accept the early data
3493 * confopt == 0: Configure anti-replay directly
3494 * confopt == 1: Configure anti-replay using SSL_CONF
3495 */
3496static int test_early_data_replay_int(int idx, int usecb, int confopt)
3497{
3498 SSL_CTX *cctx = NULL, *sctx = NULL;
3499 SSL *clientssl = NULL, *serverssl = NULL;
3500 int testresult = 0;
3501 SSL_SESSION *sess = NULL;
3502 size_t readbytes, written;
3503 unsigned char buf[20];
3504
3505 allow_ed_cb_called = 0;
3506
3507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3508 TLS_client_method(), TLS1_VERSION, 0,
3509 &sctx, &cctx, cert, privkey)))
3510 return 0;
3511
3512 if (usecb > 0) {
3513 if (confopt == 0) {
3514 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3515 } else {
3516 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3517
3518 if (!TEST_ptr(confctx))
3519 goto end;
3520 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3521 | SSL_CONF_FLAG_SERVER);
3522 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3523 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3524 2)) {
3525 SSL_CONF_CTX_free(confctx);
3526 goto end;
3527 }
3528 SSL_CONF_CTX_free(confctx);
3529 }
3530 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3531 }
3532
3533 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3534 &serverssl, &sess, idx)))
3535 goto end;
3536
3537 /*
3538 * The server is configured to accept early data. Create a connection to
3539 * "use up" the ticket
3540 */
3541 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3542 || !TEST_true(SSL_session_reused(clientssl)))
3543 goto end;
3544
3545 SSL_shutdown(clientssl);
3546 SSL_shutdown(serverssl);
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 serverssl = clientssl = NULL;
3550
3551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3552 &clientssl, NULL, NULL))
3553 || !TEST_true(SSL_set_session(clientssl, sess)))
3554 goto end;
3555
3556 /* Write and read some early data */
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3558 &written))
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3560 goto end;
3561
3562 if (usecb <= 1) {
3563 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3564 &readbytes),
3565 SSL_READ_EARLY_DATA_FINISH)
3566 /*
3567 * The ticket was reused, so the we should have rejected the
3568 * early data
3569 */
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_REJECTED))
3572 goto end;
3573 } else {
3574 /* In this case the callback decides to accept the early data */
3575 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3576 &readbytes),
3577 SSL_READ_EARLY_DATA_SUCCESS)
3578 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3579 /*
3580 * Server will have sent its flight so client can now send
3581 * end of early data and complete its half of the handshake
3582 */
3583 || !TEST_int_gt(SSL_connect(clientssl), 0)
3584 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3585 &readbytes),
3586 SSL_READ_EARLY_DATA_FINISH)
3587 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3588 SSL_EARLY_DATA_ACCEPTED))
3589 goto end;
3590 }
3591
3592 /* Complete the connection */
3593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3594 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3595 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3596 goto end;
3597
3598 testresult = 1;
3599
3600 end:
3601 SSL_SESSION_free(sess);
3602 SSL_SESSION_free(clientpsk);
3603 SSL_SESSION_free(serverpsk);
3604 clientpsk = serverpsk = NULL;
3605 SSL_free(serverssl);
3606 SSL_free(clientssl);
3607 SSL_CTX_free(sctx);
3608 SSL_CTX_free(cctx);
3609 return testresult;
3610}
3611
3612static int test_early_data_replay(int idx)
3613{
3614 int ret = 1, usecb, confopt;
3615
3616 for (usecb = 0; usecb < 3; usecb++) {
3617 for (confopt = 0; confopt < 2; confopt++)
3618 ret &= test_early_data_replay_int(idx, usecb, confopt);
3619 }
3620
3621 return ret;
3622}
3623
3624/*
3625 * Helper function to test that a server attempting to read early data can
3626 * handle a connection from a client where the early data should be skipped.
3627 * testtype: 0 == No HRR
3628 * testtype: 1 == HRR
3629 * testtype: 2 == HRR, invalid early_data sent after HRR
3630 * testtype: 3 == recv_max_early_data set to 0
3631 */
3632static int early_data_skip_helper(int testtype, int idx)
3633{
3634 SSL_CTX *cctx = NULL, *sctx = NULL;
3635 SSL *clientssl = NULL, *serverssl = NULL;
3636 int testresult = 0;
3637 SSL_SESSION *sess = NULL;
3638 unsigned char buf[20];
3639 size_t readbytes, written;
3640
3641 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3642 &serverssl, &sess, idx)))
3643 goto end;
3644
3645 if (testtype == 1 || testtype == 2) {
3646 /* Force an HRR to occur */
3647#if defined(OPENSSL_NO_EC)
3648 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3649 goto end;
3650#else
3651 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3652 goto end;
3653#endif
3654 } else if (idx == 2) {
3655 /*
3656 * We force early_data rejection by ensuring the PSK identity is
3657 * unrecognised
3658 */
3659 srvid = "Dummy Identity";
3660 } else {
3661 /*
3662 * Deliberately corrupt the creation time. We take 20 seconds off the
3663 * time. It could be any value as long as it is not within tolerance.
3664 * This should mean the ticket is rejected.
3665 */
3666 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3667 goto end;
3668 }
3669
3670 if (testtype == 3
3671 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3672 goto end;
3673
3674 /* Write some early data */
3675 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3676 &written))
3677 || !TEST_size_t_eq(written, strlen(MSG1)))
3678 goto end;
3679
3680 /* Server should reject the early data */
3681 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3682 &readbytes),
3683 SSL_READ_EARLY_DATA_FINISH)
3684 || !TEST_size_t_eq(readbytes, 0)
3685 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3686 SSL_EARLY_DATA_REJECTED))
3687 goto end;
3688
3689 switch (testtype) {
3690 case 0:
3691 /* Nothing to do */
3692 break;
3693
3694 case 1:
3695 /*
3696 * Finish off the handshake. We perform the same writes and reads as
3697 * further down but we expect them to fail due to the incomplete
3698 * handshake.
3699 */
3700 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3701 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3702 &readbytes)))
3703 goto end;
3704 break;
3705
3706 case 2:
3707 {
3708 BIO *wbio = SSL_get_wbio(clientssl);
3709 /* A record that will appear as bad early_data */
3710 const unsigned char bad_early_data[] = {
3711 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3712 };
3713
3714 /*
3715 * We force the client to attempt a write. This will fail because
3716 * we're still in the handshake. It will cause the second
3717 * ClientHello to be sent.
3718 */
3719 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3720 &written)))
3721 goto end;
3722
3723 /*
3724 * Inject some early_data after the second ClientHello. This should
3725 * cause the server to fail
3726 */
3727 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3728 sizeof(bad_early_data), &written)))
3729 goto end;
3730 }
3731 /* fallthrough */
3732
3733 case 3:
3734 /*
3735 * This client has sent more early_data than we are willing to skip
3736 * (case 3) or sent invalid early_data (case 2) so the connection should
3737 * abort.
3738 */
3739 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3740 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3741 goto end;
3742
3743 /* Connection has failed - nothing more to do */
3744 testresult = 1;
3745 goto end;
3746
3747 default:
3748 TEST_error("Invalid test type");
3749 goto end;
3750 }
3751
3752 /*
3753 * Should be able to send normal data despite rejection of early data. The
3754 * early_data should be skipped.
3755 */
3756 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3757 || !TEST_size_t_eq(written, strlen(MSG2))
3758 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3759 SSL_EARLY_DATA_REJECTED)
3760 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3762 goto end;
3763
3764 testresult = 1;
3765
3766 end:
3767 SSL_SESSION_free(clientpsk);
3768 SSL_SESSION_free(serverpsk);
3769 clientpsk = serverpsk = NULL;
3770 SSL_SESSION_free(sess);
3771 SSL_free(serverssl);
3772 SSL_free(clientssl);
3773 SSL_CTX_free(sctx);
3774 SSL_CTX_free(cctx);
3775 return testresult;
3776}
3777
3778/*
3779 * Test that a server attempting to read early data can handle a connection
3780 * from a client where the early data is not acceptable.
3781 */
3782static int test_early_data_skip(int idx)
3783{
3784 return early_data_skip_helper(0, idx);
3785}
3786
3787/*
3788 * Test that a server attempting to read early data can handle a connection
3789 * from a client where an HRR occurs.
3790 */
3791static int test_early_data_skip_hrr(int idx)
3792{
3793 return early_data_skip_helper(1, idx);
3794}
3795
3796/*
3797 * Test that a server attempting to read early data can handle a connection
3798 * from a client where an HRR occurs and correctly fails if early_data is sent
3799 * after the HRR
3800 */
3801static int test_early_data_skip_hrr_fail(int idx)
3802{
3803 return early_data_skip_helper(2, idx);
3804}
3805
3806/*
3807 * Test that a server attempting to read early data will abort if it tries to
3808 * skip over too much.
3809 */
3810static int test_early_data_skip_abort(int idx)
3811{
3812 return early_data_skip_helper(3, idx);
3813}
3814
3815/*
3816 * Test that a server attempting to read early data can handle a connection
3817 * from a client that doesn't send any.
3818 */
3819static int test_early_data_not_sent(int idx)
3820{
3821 SSL_CTX *cctx = NULL, *sctx = NULL;
3822 SSL *clientssl = NULL, *serverssl = NULL;
3823 int testresult = 0;
3824 SSL_SESSION *sess = NULL;
3825 unsigned char buf[20];
3826 size_t readbytes, written;
3827
3828 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3829 &serverssl, &sess, idx)))
3830 goto end;
3831
3832 /* Write some data - should block due to handshake with server */
3833 SSL_set_connect_state(clientssl);
3834 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3835 goto end;
3836
3837 /* Server should detect that early data has not been sent */
3838 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3839 &readbytes),
3840 SSL_READ_EARLY_DATA_FINISH)
3841 || !TEST_size_t_eq(readbytes, 0)
3842 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3843 SSL_EARLY_DATA_NOT_SENT)
3844 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3845 SSL_EARLY_DATA_NOT_SENT))
3846 goto end;
3847
3848 /* Continue writing the message we started earlier */
3849 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3850 || !TEST_size_t_eq(written, strlen(MSG1))
3851 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3852 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3853 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3854 || !TEST_size_t_eq(written, strlen(MSG2)))
3855 goto end;
3856
3857 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3859 goto end;
3860
3861 testresult = 1;
3862
3863 end:
3864 SSL_SESSION_free(sess);
3865 SSL_SESSION_free(clientpsk);
3866 SSL_SESSION_free(serverpsk);
3867 clientpsk = serverpsk = NULL;
3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3870 SSL_CTX_free(sctx);
3871 SSL_CTX_free(cctx);
3872 return testresult;
3873}
3874
3875static const char *servalpn;
3876
3877static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3878 unsigned char *outlen, const unsigned char *in,
3879 unsigned int inlen, void *arg)
3880{
3881 unsigned int protlen = 0;
3882 const unsigned char *prot;
3883
3884 for (prot = in; prot < in + inlen; prot += protlen) {
3885 protlen = *prot++;
3886 if (in + inlen < prot + protlen)
3887 return SSL_TLSEXT_ERR_NOACK;
3888
3889 if (protlen == strlen(servalpn)
3890 && memcmp(prot, servalpn, protlen) == 0) {
3891 *out = prot;
3892 *outlen = protlen;
3893 return SSL_TLSEXT_ERR_OK;
3894 }
3895 }
3896
3897 return SSL_TLSEXT_ERR_NOACK;
3898}
3899
3900/* Test that a PSK can be used to send early_data */
3901static int test_early_data_psk(int idx)
3902{
3903 SSL_CTX *cctx = NULL, *sctx = NULL;
3904 SSL *clientssl = NULL, *serverssl = NULL;
3905 int testresult = 0;
3906 SSL_SESSION *sess = NULL;
3907 unsigned char alpnlist[] = {
3908 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3909 'l', 'p', 'n'
3910 };
3911#define GOODALPNLEN 9
3912#define BADALPNLEN 8
3913#define GOODALPN (alpnlist)
3914#define BADALPN (alpnlist + GOODALPNLEN)
3915 int err = 0;
3916 unsigned char buf[20];
3917 size_t readbytes, written;
3918 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3919 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3920
3921 /* We always set this up with a final parameter of "2" for PSK */
3922 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3923 &serverssl, &sess, 2)))
3924 goto end;
3925
3926 servalpn = "goodalpn";
3927
3928 /*
3929 * Note: There is no test for inconsistent SNI with late client detection.
3930 * This is because servers do not acknowledge SNI even if they are using
3931 * it in a resumption handshake - so it is not actually possible for a
3932 * client to detect a problem.
3933 */
3934 switch (idx) {
3935 case 0:
3936 /* Set inconsistent SNI (early client detection) */
3937 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3938 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3939 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3940 goto end;
3941 break;
3942
3943 case 1:
3944 /* Set inconsistent ALPN (early client detection) */
3945 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3946 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3947 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3948 GOODALPNLEN))
3949 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3950 BADALPNLEN)))
3951 goto end;
3952 break;
3953
3954 case 2:
3955 /*
3956 * Set invalid protocol version. Technically this affects PSKs without
3957 * early_data too, but we test it here because it is similar to the
3958 * SNI/ALPN consistency tests.
3959 */
3960 err = SSL_R_BAD_PSK;
3961 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3962 goto end;
3963 break;
3964
3965 case 3:
3966 /*
3967 * Set inconsistent SNI (server side). In this case the connection
3968 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3969 * is associated with each handshake - not the session. Therefore it
3970 * should not matter that we used a different server name last time.
3971 */
3972 SSL_SESSION_free(serverpsk);
3973 serverpsk = SSL_SESSION_dup(clientpsk);
3974 if (!TEST_ptr(serverpsk)
3975 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3976 goto end;
3977 /* Fall through */
3978 case 4:
3979 /* Set consistent SNI */
3980 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3981 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3982 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3983 hostname_cb)))
3984 goto end;
3985 break;
3986
3987 case 5:
3988 /*
3989 * Set inconsistent ALPN (server detected). In this case the connection
3990 * will succeed but reject early_data.
3991 */
3992 servalpn = "badalpn";
3993 edstatus = SSL_EARLY_DATA_REJECTED;
3994 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3995 /* Fall through */
3996 case 6:
3997 /*
3998 * Set consistent ALPN.
3999 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4000 * accepts a list of protos (each one length prefixed).
4001 * SSL_set1_alpn_selected accepts a single protocol (not length
4002 * prefixed)
4003 */
4004 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4005 GOODALPNLEN - 1))
4006 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4007 GOODALPNLEN)))
4008 goto end;
4009
4010 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4011 break;
4012
4013 case 7:
4014 /* Set inconsistent ALPN (late client detection) */
4015 SSL_SESSION_free(serverpsk);
4016 serverpsk = SSL_SESSION_dup(clientpsk);
4017 if (!TEST_ptr(serverpsk)
4018 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4019 BADALPN + 1,
4020 BADALPNLEN - 1))
4021 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4022 GOODALPN + 1,
4023 GOODALPNLEN - 1))
4024 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4025 sizeof(alpnlist))))
4026 goto end;
4027 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4028 edstatus = SSL_EARLY_DATA_ACCEPTED;
4029 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4030 /* SSL_connect() call should fail */
4031 connectres = -1;
4032 break;
4033
4034 default:
4035 TEST_error("Bad test index");
4036 goto end;
4037 }
4038
4039 SSL_set_connect_state(clientssl);
4040 if (err != 0) {
4041 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4042 &written))
4043 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4044 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4045 goto end;
4046 } else {
4047 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4048 &written)))
4049 goto end;
4050
4051 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4052 &readbytes), readearlyres)
4053 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4054 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4055 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4056 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4057 goto end;
4058 }
4059
4060 testresult = 1;
4061
4062 end:
4063 SSL_SESSION_free(sess);
4064 SSL_SESSION_free(clientpsk);
4065 SSL_SESSION_free(serverpsk);
4066 clientpsk = serverpsk = NULL;
4067 SSL_free(serverssl);
4068 SSL_free(clientssl);
4069 SSL_CTX_free(sctx);
4070 SSL_CTX_free(cctx);
4071 return testresult;
4072}
4073
4074/*
4075 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4076 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4077 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4078 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4079 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4080 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4081 */
4082static int test_early_data_psk_with_all_ciphers(int idx)
4083{
4084 SSL_CTX *cctx = NULL, *sctx = NULL;
4085 SSL *clientssl = NULL, *serverssl = NULL;
4086 int testresult = 0;
4087 SSL_SESSION *sess = NULL;
4088 unsigned char buf[20];
4089 size_t readbytes, written;
4090 const SSL_CIPHER *cipher;
4091 const char *cipher_str[] = {
4092 TLS1_3_RFC_AES_128_GCM_SHA256,
4093 TLS1_3_RFC_AES_256_GCM_SHA384,
4094# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4095 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4096# else
4097 NULL,
4098# endif
4099 TLS1_3_RFC_AES_128_CCM_SHA256,
4100 TLS1_3_RFC_AES_128_CCM_8_SHA256
4101 };
4102 const unsigned char *cipher_bytes[] = {
4103 TLS13_AES_128_GCM_SHA256_BYTES,
4104 TLS13_AES_256_GCM_SHA384_BYTES,
4105# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4106 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4107# else
4108 NULL,
4109# endif
4110 TLS13_AES_128_CCM_SHA256_BYTES,
4111 TLS13_AES_128_CCM_8_SHA256_BYTES
4112 };
4113
4114 if (cipher_str[idx] == NULL)
4115 return 1;
4116 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4117 if (idx == 2 && is_fips == 1)
4118 return 1;
4119
4120 /* We always set this up with a final parameter of "2" for PSK */
4121 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4122 &serverssl, &sess, 2)))
4123 goto end;
4124
4125 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4126 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4127 goto end;
4128
4129 /*
4130 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4131 * and assigns to both client and server with incremented reference
4132 * and the same instance is updated in 'sess'.
4133 * So updating ciphersuite in 'sess' which will get reflected in
4134 * PSK handshake using psk use sess and find sess cb.
4135 */
4136 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4137 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4138 goto end;
4139
4140 SSL_set_connect_state(clientssl);
4141 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4142 &written)))
4143 goto end;
4144
4145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4146 &readbytes),
4147 SSL_READ_EARLY_DATA_SUCCESS)
4148 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4149 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4150 SSL_EARLY_DATA_ACCEPTED)
4151 || !TEST_int_eq(SSL_connect(clientssl), 1)
4152 || !TEST_int_eq(SSL_accept(serverssl), 1))
4153 goto end;
4154
4155 /* Send some normal data from client to server */
4156 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4157 || !TEST_size_t_eq(written, strlen(MSG2)))
4158 goto end;
4159
4160 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4161 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4162 goto end;
4163
4164 testresult = 1;
4165 end:
4166 SSL_SESSION_free(sess);
4167 SSL_SESSION_free(clientpsk);
4168 SSL_SESSION_free(serverpsk);
4169 clientpsk = serverpsk = NULL;
4170 if (clientssl != NULL)
4171 SSL_shutdown(clientssl);
4172 if (serverssl != NULL)
4173 SSL_shutdown(serverssl);
4174 SSL_free(serverssl);
4175 SSL_free(clientssl);
4176 SSL_CTX_free(sctx);
4177 SSL_CTX_free(cctx);
4178 return testresult;
4179}
4180
4181/*
4182 * Test that a server that doesn't try to read early data can handle a
4183 * client sending some.
4184 */
4185static int test_early_data_not_expected(int idx)
4186{
4187 SSL_CTX *cctx = NULL, *sctx = NULL;
4188 SSL *clientssl = NULL, *serverssl = NULL;
4189 int testresult = 0;
4190 SSL_SESSION *sess = NULL;
4191 unsigned char buf[20];
4192 size_t readbytes, written;
4193
4194 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4195 &serverssl, &sess, idx)))
4196 goto end;
4197
4198 /* Write some early data */
4199 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4200 &written)))
4201 goto end;
4202
4203 /*
4204 * Server should skip over early data and then block waiting for client to
4205 * continue handshake
4206 */
4207 if (!TEST_int_le(SSL_accept(serverssl), 0)
4208 || !TEST_int_gt(SSL_connect(clientssl), 0)
4209 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4210 SSL_EARLY_DATA_REJECTED)
4211 || !TEST_int_gt(SSL_accept(serverssl), 0)
4212 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4213 SSL_EARLY_DATA_REJECTED))
4214 goto end;
4215
4216 /* Send some normal data from client to server */
4217 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4218 || !TEST_size_t_eq(written, strlen(MSG2)))
4219 goto end;
4220
4221 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4222 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4223 goto end;
4224
4225 testresult = 1;
4226
4227 end:
4228 SSL_SESSION_free(sess);
4229 SSL_SESSION_free(clientpsk);
4230 SSL_SESSION_free(serverpsk);
4231 clientpsk = serverpsk = NULL;
4232 SSL_free(serverssl);
4233 SSL_free(clientssl);
4234 SSL_CTX_free(sctx);
4235 SSL_CTX_free(cctx);
4236 return testresult;
4237}
4238
4239
4240# ifndef OPENSSL_NO_TLS1_2
4241/*
4242 * Test that a server attempting to read early data can handle a connection
4243 * from a TLSv1.2 client.
4244 */
4245static int test_early_data_tls1_2(int idx)
4246{
4247 SSL_CTX *cctx = NULL, *sctx = NULL;
4248 SSL *clientssl = NULL, *serverssl = NULL;
4249 int testresult = 0;
4250 unsigned char buf[20];
4251 size_t readbytes, written;
4252
4253 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4254 &serverssl, NULL, idx)))
4255 goto end;
4256
4257 /* Write some data - should block due to handshake with server */
4258 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4259 SSL_set_connect_state(clientssl);
4260 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4261 goto end;
4262
4263 /*
4264 * Server should do TLSv1.2 handshake. First it will block waiting for more
4265 * messages from client after ServerDone. Then SSL_read_early_data should
4266 * finish and detect that early data has not been sent
4267 */
4268 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4269 &readbytes),
4270 SSL_READ_EARLY_DATA_ERROR))
4271 goto end;
4272
4273 /*
4274 * Continue writing the message we started earlier. Will still block waiting
4275 * for the CCS/Finished from server
4276 */
4277 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4278 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4279 &readbytes),
4280 SSL_READ_EARLY_DATA_FINISH)
4281 || !TEST_size_t_eq(readbytes, 0)
4282 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4283 SSL_EARLY_DATA_NOT_SENT))
4284 goto end;
4285
4286 /* Continue writing the message we started earlier */
4287 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4288 || !TEST_size_t_eq(written, strlen(MSG1))
4289 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4290 SSL_EARLY_DATA_NOT_SENT)
4291 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4292 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4293 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4294 || !TEST_size_t_eq(written, strlen(MSG2))
4295 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4296 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4297 goto end;
4298
4299 testresult = 1;
4300
4301 end:
4302 SSL_SESSION_free(clientpsk);
4303 SSL_SESSION_free(serverpsk);
4304 clientpsk = serverpsk = NULL;
4305 SSL_free(serverssl);
4306 SSL_free(clientssl);
4307 SSL_CTX_free(sctx);
4308 SSL_CTX_free(cctx);
4309
4310 return testresult;
4311}
4312# endif /* OPENSSL_NO_TLS1_2 */
4313
4314/*
4315 * Test configuring the TLSv1.3 ciphersuites
4316 *
4317 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4318 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4319 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4320 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4321 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4322 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4323 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4324 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4325 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4326 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4327 */
4328static int test_set_ciphersuite(int idx)
4329{
4330 SSL_CTX *cctx = NULL, *sctx = NULL;
4331 SSL *clientssl = NULL, *serverssl = NULL;
4332 int testresult = 0;
4333
4334 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4335 TLS_client_method(), TLS1_VERSION, 0,
4336 &sctx, &cctx, cert, privkey))
4337 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4338 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4339 goto end;
4340
4341 if (idx >=4 && idx <= 7) {
4342 /* SSL_CTX explicit cipher list */
4343 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4344 goto end;
4345 }
4346
4347 if (idx == 0 || idx == 4) {
4348 /* Default ciphersuite */
4349 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4350 "TLS_AES_128_GCM_SHA256")))
4351 goto end;
4352 } else if (idx == 1 || idx == 5) {
4353 /* Non default ciphersuite */
4354 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4355 "TLS_AES_128_CCM_SHA256")))
4356 goto end;
4357 }
4358
4359 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4360 &clientssl, NULL, NULL)))
4361 goto end;
4362
4363 if (idx == 8 || idx == 9) {
4364 /* SSL explicit cipher list */
4365 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4366 goto end;
4367 }
4368
4369 if (idx == 2 || idx == 6 || idx == 8) {
4370 /* Default ciphersuite */
4371 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4372 "TLS_AES_128_GCM_SHA256")))
4373 goto end;
4374 } else if (idx == 3 || idx == 7 || idx == 9) {
4375 /* Non default ciphersuite */
4376 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4377 "TLS_AES_128_CCM_SHA256")))
4378 goto end;
4379 }
4380
4381 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4382 goto end;
4383
4384 testresult = 1;
4385
4386 end:
4387 SSL_free(serverssl);
4388 SSL_free(clientssl);
4389 SSL_CTX_free(sctx);
4390 SSL_CTX_free(cctx);
4391
4392 return testresult;
4393}
4394
4395static int test_ciphersuite_change(void)
4396{
4397 SSL_CTX *cctx = NULL, *sctx = NULL;
4398 SSL *clientssl = NULL, *serverssl = NULL;
4399 SSL_SESSION *clntsess = NULL;
4400 int testresult = 0;
4401 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4402
4403 /* Create a session based on SHA-256 */
4404 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4405 TLS_client_method(), TLS1_VERSION, 0,
4406 &sctx, &cctx, cert, privkey))
4407 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4408 "TLS_AES_128_GCM_SHA256:"
4409 "TLS_AES_256_GCM_SHA384:"
4410 "TLS_AES_128_CCM_SHA256"))
4411 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4412 "TLS_AES_128_GCM_SHA256"))
4413 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4414 &clientssl, NULL, NULL))
4415 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4416 SSL_ERROR_NONE)))
4417 goto end;
4418
4419 clntsess = SSL_get1_session(clientssl);
4420 /* Save for later */
4421 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4422 SSL_shutdown(clientssl);
4423 SSL_shutdown(serverssl);
4424 SSL_free(serverssl);
4425 SSL_free(clientssl);
4426 serverssl = clientssl = NULL;
4427
4428 /* Check we can resume a session with a different SHA-256 ciphersuite */
4429 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4430 "TLS_AES_128_CCM_SHA256"))
4431 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4432 &clientssl, NULL, NULL))
4433 || !TEST_true(SSL_set_session(clientssl, clntsess))
4434 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4435 SSL_ERROR_NONE))
4436 || !TEST_true(SSL_session_reused(clientssl)))
4437 goto end;
4438
4439 SSL_SESSION_free(clntsess);
4440 clntsess = SSL_get1_session(clientssl);
4441 SSL_shutdown(clientssl);
4442 SSL_shutdown(serverssl);
4443 SSL_free(serverssl);
4444 SSL_free(clientssl);
4445 serverssl = clientssl = NULL;
4446
4447 /*
4448 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4449 * succeeds but does not resume.
4450 */
4451 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4452 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4453 NULL, NULL))
4454 || !TEST_true(SSL_set_session(clientssl, clntsess))
4455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4456 SSL_ERROR_SSL))
4457 || !TEST_false(SSL_session_reused(clientssl)))
4458 goto end;
4459
4460 SSL_SESSION_free(clntsess);
4461 clntsess = NULL;
4462 SSL_shutdown(clientssl);
4463 SSL_shutdown(serverssl);
4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 serverssl = clientssl = NULL;
4467
4468 /* Create a session based on SHA384 */
4469 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4470 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4471 &clientssl, NULL, NULL))
4472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4473 SSL_ERROR_NONE)))
4474 goto end;
4475
4476 clntsess = SSL_get1_session(clientssl);
4477 SSL_shutdown(clientssl);
4478 SSL_shutdown(serverssl);
4479 SSL_free(serverssl);
4480 SSL_free(clientssl);
4481 serverssl = clientssl = NULL;
4482
4483 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4484 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4485 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4486 "TLS_AES_256_GCM_SHA384"))
4487 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4488 NULL, NULL))
4489 || !TEST_true(SSL_set_session(clientssl, clntsess))
4490 /*
4491 * We use SSL_ERROR_WANT_READ below so that we can pause the
4492 * connection after the initial ClientHello has been sent to
4493 * enable us to make some session changes.
4494 */
4495 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4496 SSL_ERROR_WANT_READ)))
4497 goto end;
4498
4499 /* Trick the client into thinking this session is for a different digest */
4500 clntsess->cipher = aes_128_gcm_sha256;
4501 clntsess->cipher_id = clntsess->cipher->id;
4502
4503 /*
4504 * Continue the previously started connection. Server has selected a SHA-384
4505 * ciphersuite, but client thinks the session is for SHA-256, so it should
4506 * bail out.
4507 */
4508 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4509 SSL_ERROR_SSL))
4510 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4511 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4512 goto end;
4513
4514 testresult = 1;
4515
4516 end:
4517 SSL_SESSION_free(clntsess);
4518 SSL_free(serverssl);
4519 SSL_free(clientssl);
4520 SSL_CTX_free(sctx);
4521 SSL_CTX_free(cctx);
4522
4523 return testresult;
4524}
4525
4526/*
4527 * Test TLSv1.3 Key exchange
4528 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4529 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4530 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4531 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4532 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4533 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4534 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4535 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4536 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4537 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4538 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4539 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4540 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4541 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4542 */
4543# ifndef OPENSSL_NO_EC
4544static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4545 NID_secp521r1, NID_X25519, NID_X448};
4546# endif
4547# ifndef OPENSSL_NO_DH
4548static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4549 NID_ffdhe6144, NID_ffdhe8192};
4550# endif
4551static int test_key_exchange(int idx)
4552{
4553 SSL_CTX *sctx = NULL, *cctx = NULL;
4554 SSL *serverssl = NULL, *clientssl = NULL;
4555 int testresult = 0;
4556 int kexch_alg;
4557 int *kexch_groups = &kexch_alg;
4558 int kexch_groups_size = 1;
4559 int max_version = TLS1_3_VERSION;
4560 char *kexch_name0 = NULL;
4561
4562 switch (idx) {
4563# ifndef OPENSSL_NO_EC
4564# ifndef OPENSSL_NO_TLS1_2
4565 case 12:
4566 max_version = TLS1_2_VERSION;
4567# endif
4568 /* Fall through */
4569 case 0:
4570 kexch_groups = ecdhe_kexch_groups;
4571 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4572 kexch_name0 = "secp256r1";
4573 break;
4574 case 1:
4575 kexch_alg = NID_X9_62_prime256v1;
4576 kexch_name0 = "secp256r1";
4577 break;
4578 case 2:
4579 kexch_alg = NID_secp384r1;
4580 kexch_name0 = "secp384r1";
4581 break;
4582 case 3:
4583 kexch_alg = NID_secp521r1;
4584 kexch_name0 = "secp521r1";
4585 break;
4586 case 4:
4587 kexch_alg = NID_X25519;
4588 kexch_name0 = "x25519";
4589 break;
4590 case 5:
4591 kexch_alg = NID_X448;
4592 kexch_name0 = "x448";
4593 break;
4594# endif
4595# ifndef OPENSSL_NO_DH
4596# ifndef OPENSSL_NO_TLS1_2
4597 case 13:
4598 max_version = TLS1_2_VERSION;
4599 kexch_name0 = "ffdhe2048";
4600# endif
4601 /* Fall through */
4602 case 6:
4603 kexch_groups = ffdhe_kexch_groups;
4604 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4605 kexch_name0 = "ffdhe2048";
4606 break;
4607 case 7:
4608 kexch_alg = NID_ffdhe2048;
4609 kexch_name0 = "ffdhe2048";
4610 break;
4611 case 8:
4612 kexch_alg = NID_ffdhe3072;
4613 kexch_name0 = "ffdhe3072";
4614 break;
4615 case 9:
4616 kexch_alg = NID_ffdhe4096;
4617 kexch_name0 = "ffdhe4096";
4618 break;
4619 case 10:
4620 kexch_alg = NID_ffdhe6144;
4621 kexch_name0 = "ffdhe6144";
4622 break;
4623 case 11:
4624 kexch_alg = NID_ffdhe8192;
4625 kexch_name0 = "ffdhe8192";
4626 break;
4627# endif
4628 default:
4629 /* We're skipping this test */
4630 return 1;
4631 }
4632
4633 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4634 TLS_client_method(), TLS1_VERSION,
4635 max_version, &sctx, &cctx, cert,
4636 privkey)))
4637 goto end;
4638
4639 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4640 TLS1_3_RFC_AES_128_GCM_SHA256)))
4641 goto end;
4642
4643 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4644 TLS1_3_RFC_AES_128_GCM_SHA256)))
4645 goto end;
4646
4647 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4648 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4649 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4650 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4651 goto end;
4652
4653 /*
4654 * Must include an EC ciphersuite so that we send supported groups in
4655 * TLSv1.2
4656 */
4657# ifndef OPENSSL_NO_TLS1_2
4658 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4659 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4660 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4661 goto end;
4662# endif
4663
4664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4665 NULL, NULL)))
4666 goto end;
4667
4668 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4669 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4670 goto end;
4671
4672 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4673 goto end;
4674
4675 /*
4676 * If Handshake succeeds the negotiated kexch alg should be the first one in
4677 * configured, except in the case of FFDHE groups (idx 13), which are
4678 * TLSv1.3 only so we expect no shared group to exist.
4679 */
4680 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4681 idx == 13 ? 0 : kexch_groups[0]))
4682 goto end;
4683
4684 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4685 kexch_name0))
4686 goto end;
4687
4688 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4689 if (idx != 13) {
4690 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4691 goto end;
4692 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4693 goto end;
4694 }
4695
4696 testresult = 1;
4697 end:
4698 SSL_free(serverssl);
4699 SSL_free(clientssl);
4700 SSL_CTX_free(sctx);
4701 SSL_CTX_free(cctx);
4702 return testresult;
4703}
4704
4705# if !defined(OPENSSL_NO_TLS1_2) \
4706 && !defined(OPENSSL_NO_EC) \
4707 && !defined(OPENSSL_NO_DH)
4708static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4709 int isecdhe, int idx)
4710{
4711 int kexch_alg;
4712 int *kexch_groups = &kexch_alg;
4713 int numec, numff;
4714
4715 numec = OSSL_NELEM(ecdhe_kexch_groups);
4716 numff = OSSL_NELEM(ffdhe_kexch_groups);
4717 if (isecdhe)
4718 kexch_alg = ecdhe_kexch_groups[idx];
4719 else
4720 kexch_alg = ffdhe_kexch_groups[idx];
4721
4722 if (clientmulti) {
4723 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4724 return 0;
4725 if (isecdhe) {
4726 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4727 numec)))
4728 return 0;
4729 } else {
4730 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4731 numff)))
4732 return 0;
4733 }
4734 } else {
4735 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4736 return 0;
4737 if (isecdhe) {
4738 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4739 numec)))
4740 return 0;
4741 } else {
4742 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4743 numff)))
4744 return 0;
4745 }
4746 }
4747 return 1;
4748}
4749
4750/*-
4751 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4752 * Run through both the ECDHE and FFDHE group lists used in the previous
4753 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4754 * confirming the expected result; then perform a resumption handshake
4755 * while offering the same group list, and another resumption handshake
4756 * offering a different group list. The returned value should be the
4757 * negotiated group for the initial handshake; for TLS 1.3 resumption
4758 * handshakes the returned value will be negotiated on the resumption
4759 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4760 * be cached in the session from the original handshake, regardless of what
4761 * was offered in the resumption ClientHello.
4762 *
4763 * Using E for the number of EC groups and F for the number of FF groups:
4764 * E tests of ECDHE with TLS 1.3, server only has one group
4765 * F tests of FFDHE with TLS 1.3, server only has one group
4766 * E tests of ECDHE with TLS 1.2, server only has one group
4767 * F tests of FFDHE with TLS 1.2, server only has one group
4768 * E tests of ECDHE with TLS 1.3, client sends only one group
4769 * F tests of FFDHE with TLS 1.3, client sends only one group
4770 * E tests of ECDHE with TLS 1.2, client sends only one group
4771 * F tests of FFDHE with TLS 1.2, client sends only one group
4772 */
4773static int test_negotiated_group(int idx)
4774{
4775 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4776 int expectednid;
4777 SSL_CTX *sctx = NULL, *cctx = NULL;
4778 SSL *serverssl = NULL, *clientssl = NULL;
4779 SSL_SESSION *origsess = NULL;
4780 int testresult = 0;
4781 int kexch_alg;
4782 int max_version = TLS1_3_VERSION;
4783
4784 numec = OSSL_NELEM(ecdhe_kexch_groups);
4785 numff = OSSL_NELEM(ffdhe_kexch_groups);
4786 numgroups = numec + numff;
4787 clientmulti = (idx < 2 * numgroups);
4788 idx = idx % (2 * numgroups);
4789 istls13 = (idx < numgroups);
4790 idx = idx % numgroups;
4791 isecdhe = (idx < numec);
4792 if (!isecdhe)
4793 idx -= numec;
4794 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4795 if (isecdhe)
4796 kexch_alg = ecdhe_kexch_groups[idx];
4797 else
4798 kexch_alg = ffdhe_kexch_groups[idx];
4799 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4800 if (!istls13 && !isecdhe)
4801 expectednid = NID_undef;
4802 else
4803 expectednid = kexch_alg;
4804
4805 if (!istls13)
4806 max_version = TLS1_2_VERSION;
4807
4808 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4809 TLS_client_method(), TLS1_VERSION,
4810 max_version, &sctx, &cctx, cert,
4811 privkey)))
4812 goto end;
4813
4814 /*
4815 * Force (EC)DHE ciphers for TLS 1.2.
4816 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4817 */
4818 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4819 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4820 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4821 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4822 goto end;
4823 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4824 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4825 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4826 goto end;
4827
4828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4829 NULL, NULL)))
4830 goto end;
4831
4832 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4833 idx)))
4834 goto end;
4835
4836 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4837 goto end;
4838
4839 /* Initial handshake; always the configured one */
4840 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4841 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4842 goto end;
4843
4844 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4845 goto end;
4846
4847 SSL_shutdown(clientssl);
4848 SSL_shutdown(serverssl);
4849 SSL_free(serverssl);
4850 SSL_free(clientssl);
4851 serverssl = clientssl = NULL;
4852
4853 /* First resumption attempt; use the same config as initial handshake */
4854 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4855 NULL, NULL))
4856 || !TEST_true(SSL_set_session(clientssl, origsess))
4857 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4858 isecdhe, idx)))
4859 goto end;
4860
4861 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4862 || !TEST_true(SSL_session_reused(clientssl)))
4863 goto end;
4864
4865 /* Still had better agree, since nothing changed... */
4866 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4867 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4868 goto end;
4869
4870 SSL_shutdown(clientssl);
4871 SSL_shutdown(serverssl);
4872 SSL_free(serverssl);
4873 SSL_free(clientssl);
4874 serverssl = clientssl = NULL;
4875
4876 /*-
4877 * Second resumption attempt
4878 * The party that picks one group changes it, which we effectuate by
4879 * changing 'idx' and updating what we expect.
4880 */
4881 if (idx == 0)
4882 idx = 1;
4883 else
4884 idx--;
4885 if (istls13) {
4886 if (isecdhe)
4887 expectednid = ecdhe_kexch_groups[idx];
4888 else
4889 expectednid = ffdhe_kexch_groups[idx];
4890 /* Verify that we are changing what we expect. */
4891 if (!TEST_int_ne(expectednid, kexch_alg))
4892 goto end;
4893 } else {
4894 /* TLS 1.2 only supports named groups for ECDHE. */
4895 if (isecdhe)
4896 expectednid = kexch_alg;
4897 else
4898 expectednid = 0;
4899 }
4900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4901 NULL, NULL))
4902 || !TEST_true(SSL_set_session(clientssl, origsess))
4903 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4904 isecdhe, idx)))
4905 goto end;
4906
4907 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4908 || !TEST_true(SSL_session_reused(clientssl)))
4909 goto end;
4910
4911 /* Check that we get what we expected */
4912 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4913 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4914 goto end;
4915
4916 testresult = 1;
4917 end:
4918 SSL_free(serverssl);
4919 SSL_free(clientssl);
4920 SSL_CTX_free(sctx);
4921 SSL_CTX_free(cctx);
4922 SSL_SESSION_free(origsess);
4923 return testresult;
4924}
4925# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4926
4927/*
4928 * Test TLSv1.3 Cipher Suite
4929 * Test 0 = Set TLS1.3 cipher on context
4930 * Test 1 = Set TLS1.3 cipher on SSL
4931 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4932 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4933 */
4934static int test_tls13_ciphersuite(int idx)
4935{
4936 SSL_CTX *sctx = NULL, *cctx = NULL;
4937 SSL *serverssl = NULL, *clientssl = NULL;
4938 static const struct {
4939 const char *ciphername;
4940 int fipscapable;
4941 } t13_ciphers[] = {
4942 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4943 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4944 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4945# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4946 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4947 { TLS1_3_RFC_AES_256_GCM_SHA384
4948 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4949# endif
4950 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4951 };
4952 const char *t13_cipher = NULL;
4953 const char *t12_cipher = NULL;
4954 const char *negotiated_scipher;
4955 const char *negotiated_ccipher;
4956 int set_at_ctx = 0;
4957 int set_at_ssl = 0;
4958 int testresult = 0;
4959 int max_ver;
4960 size_t i;
4961
4962 switch (idx) {
4963 case 0:
4964 set_at_ctx = 1;
4965 break;
4966 case 1:
4967 set_at_ssl = 1;
4968 break;
4969 case 2:
4970 set_at_ctx = 1;
4971 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4972 break;
4973 case 3:
4974 set_at_ssl = 1;
4975 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4976 break;
4977 }
4978
4979 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4980# ifdef OPENSSL_NO_TLS1_2
4981 if (max_ver == TLS1_2_VERSION)
4982 continue;
4983# endif
4984 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4985 if (is_fips && !t13_ciphers[i].fipscapable)
4986 continue;
4987 t13_cipher = t13_ciphers[i].ciphername;
4988 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4989 TLS_client_method(),
4990 TLS1_VERSION, max_ver,
4991 &sctx, &cctx, cert, privkey)))
4992 goto end;
4993
4994 if (set_at_ctx) {
4995 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4996 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4997 goto end;
4998 if (t12_cipher != NULL) {
4999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5001 t12_cipher)))
5002 goto end;
5003 }
5004 }
5005
5006 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5007 &clientssl, NULL, NULL)))
5008 goto end;
5009
5010 if (set_at_ssl) {
5011 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5012 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5013 goto end;
5014 if (t12_cipher != NULL) {
5015 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5016 || !TEST_true(SSL_set_cipher_list(clientssl,
5017 t12_cipher)))
5018 goto end;
5019 }
5020 }
5021
5022 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5023 SSL_ERROR_NONE)))
5024 goto end;
5025
5026 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5027 serverssl));
5028 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5029 clientssl));
5030 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5031 goto end;
5032
5033 /*
5034 * TEST_strn_eq is used below because t13_cipher can contain
5035 * multiple ciphersuites
5036 */
5037 if (max_ver == TLS1_3_VERSION
5038 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5039 strlen(negotiated_scipher)))
5040 goto end;
5041
5042# ifndef OPENSSL_NO_TLS1_2
5043 /* Below validation is not done when t12_cipher is NULL */
5044 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5045 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5046 goto end;
5047# endif
5048
5049 SSL_free(serverssl);
5050 serverssl = NULL;
5051 SSL_free(clientssl);
5052 clientssl = NULL;
5053 SSL_CTX_free(sctx);
5054 sctx = NULL;
5055 SSL_CTX_free(cctx);
5056 cctx = NULL;
5057 }
5058 }
5059
5060 testresult = 1;
5061 end:
5062 SSL_free(serverssl);
5063 SSL_free(clientssl);
5064 SSL_CTX_free(sctx);
5065 SSL_CTX_free(cctx);
5066 return testresult;
5067}
5068
5069/*
5070 * Test TLSv1.3 PSKs
5071 * Test 0 = Test new style callbacks
5072 * Test 1 = Test both new and old style callbacks
5073 * Test 2 = Test old style callbacks
5074 * Test 3 = Test old style callbacks with no certificate
5075 */
5076static int test_tls13_psk(int idx)
5077{
5078 SSL_CTX *sctx = NULL, *cctx = NULL;
5079 SSL *serverssl = NULL, *clientssl = NULL;
5080 const SSL_CIPHER *cipher = NULL;
5081 const unsigned char key[] = {
5082 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5083 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5084 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5085 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5086 };
5087 int testresult = 0;
5088
5089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5090 TLS_client_method(), TLS1_VERSION, 0,
5091 &sctx, &cctx, idx == 3 ? NULL : cert,
5092 idx == 3 ? NULL : privkey)))
5093 goto end;
5094
5095 if (idx != 3) {
5096 /*
5097 * We use a ciphersuite with SHA256 to ease testing old style PSK
5098 * callbacks which will always default to SHA256. This should not be
5099 * necessary if we have no cert/priv key. In that case the server should
5100 * prefer SHA256 automatically.
5101 */
5102 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5103 "TLS_AES_128_GCM_SHA256")))
5104 goto end;
5105 } else {
5106 /*
5107 * As noted above the server should prefer SHA256 automatically. However
5108 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5109 * code works even if we are testing with only the FIPS provider loaded.
5110 */
5111 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5112 "TLS_AES_256_GCM_SHA384:"
5113 "TLS_AES_128_GCM_SHA256")))
5114 goto end;
5115 }
5116
5117 /*
5118 * Test 0: New style callbacks only
5119 * Test 1: New and old style callbacks (only the new ones should be used)
5120 * Test 2: Old style callbacks only
5121 */
5122 if (idx == 0 || idx == 1) {
5123 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5124 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5125 }
5126#ifndef OPENSSL_NO_PSK
5127 if (idx >= 1) {
5128 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5129 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5130 }
5131#endif
5132 srvid = pskid;
5133 use_session_cb_cnt = 0;
5134 find_session_cb_cnt = 0;
5135 psk_client_cb_cnt = 0;
5136 psk_server_cb_cnt = 0;
5137
5138 if (idx != 3) {
5139 /*
5140 * Check we can create a connection if callback decides not to send a
5141 * PSK
5142 */
5143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5144 NULL, NULL))
5145 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5146 SSL_ERROR_NONE))
5147 || !TEST_false(SSL_session_reused(clientssl))
5148 || !TEST_false(SSL_session_reused(serverssl)))
5149 goto end;
5150
5151 if (idx == 0 || idx == 1) {
5152 if (!TEST_true(use_session_cb_cnt == 1)
5153 || !TEST_true(find_session_cb_cnt == 0)
5154 /*
5155 * If no old style callback then below should be 0
5156 * otherwise 1
5157 */
5158 || !TEST_true(psk_client_cb_cnt == idx)
5159 || !TEST_true(psk_server_cb_cnt == 0))
5160 goto end;
5161 } else {
5162 if (!TEST_true(use_session_cb_cnt == 0)
5163 || !TEST_true(find_session_cb_cnt == 0)
5164 || !TEST_true(psk_client_cb_cnt == 1)
5165 || !TEST_true(psk_server_cb_cnt == 0))
5166 goto end;
5167 }
5168
5169 shutdown_ssl_connection(serverssl, clientssl);
5170 serverssl = clientssl = NULL;
5171 use_session_cb_cnt = psk_client_cb_cnt = 0;
5172 }
5173
5174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5175 NULL, NULL)))
5176 goto end;
5177
5178 /* Create the PSK */
5179 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5180 clientpsk = SSL_SESSION_new();
5181 if (!TEST_ptr(clientpsk)
5182 || !TEST_ptr(cipher)
5183 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5184 sizeof(key)))
5185 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5186 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5187 TLS1_3_VERSION))
5188 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5189 goto end;
5190 serverpsk = clientpsk;
5191
5192 /* Check we can create a connection and the PSK is used */
5193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5194 || !TEST_true(SSL_session_reused(clientssl))
5195 || !TEST_true(SSL_session_reused(serverssl)))
5196 goto end;
5197
5198 if (idx == 0 || idx == 1) {
5199 if (!TEST_true(use_session_cb_cnt == 1)
5200 || !TEST_true(find_session_cb_cnt == 1)
5201 || !TEST_true(psk_client_cb_cnt == 0)
5202 || !TEST_true(psk_server_cb_cnt == 0))
5203 goto end;
5204 } else {
5205 if (!TEST_true(use_session_cb_cnt == 0)
5206 || !TEST_true(find_session_cb_cnt == 0)
5207 || !TEST_true(psk_client_cb_cnt == 1)
5208 || !TEST_true(psk_server_cb_cnt == 1))
5209 goto end;
5210 }
5211
5212 shutdown_ssl_connection(serverssl, clientssl);
5213 serverssl = clientssl = NULL;
5214 use_session_cb_cnt = find_session_cb_cnt = 0;
5215 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5216
5217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5218 NULL, NULL)))
5219 goto end;
5220
5221 /* Force an HRR */
5222#if defined(OPENSSL_NO_EC)
5223 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5224 goto end;
5225#else
5226 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5227 goto end;
5228#endif
5229
5230 /*
5231 * Check we can create a connection, the PSK is used and the callbacks are
5232 * called twice.
5233 */
5234 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5235 || !TEST_true(SSL_session_reused(clientssl))
5236 || !TEST_true(SSL_session_reused(serverssl)))
5237 goto end;
5238
5239 if (idx == 0 || idx == 1) {
5240 if (!TEST_true(use_session_cb_cnt == 2)
5241 || !TEST_true(find_session_cb_cnt == 2)
5242 || !TEST_true(psk_client_cb_cnt == 0)
5243 || !TEST_true(psk_server_cb_cnt == 0))
5244 goto end;
5245 } else {
5246 if (!TEST_true(use_session_cb_cnt == 0)
5247 || !TEST_true(find_session_cb_cnt == 0)
5248 || !TEST_true(psk_client_cb_cnt == 2)
5249 || !TEST_true(psk_server_cb_cnt == 2))
5250 goto end;
5251 }
5252
5253 shutdown_ssl_connection(serverssl, clientssl);
5254 serverssl = clientssl = NULL;
5255 use_session_cb_cnt = find_session_cb_cnt = 0;
5256 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5257
5258 if (idx != 3) {
5259 /*
5260 * Check that if the server rejects the PSK we can still connect, but with
5261 * a full handshake
5262 */
5263 srvid = "Dummy Identity";
5264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5265 NULL, NULL))
5266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5267 SSL_ERROR_NONE))
5268 || !TEST_false(SSL_session_reused(clientssl))
5269 || !TEST_false(SSL_session_reused(serverssl)))
5270 goto end;
5271
5272 if (idx == 0 || idx == 1) {
5273 if (!TEST_true(use_session_cb_cnt == 1)
5274 || !TEST_true(find_session_cb_cnt == 1)
5275 || !TEST_true(psk_client_cb_cnt == 0)
5276 /*
5277 * If no old style callback then below should be 0
5278 * otherwise 1
5279 */
5280 || !TEST_true(psk_server_cb_cnt == idx))
5281 goto end;
5282 } else {
5283 if (!TEST_true(use_session_cb_cnt == 0)
5284 || !TEST_true(find_session_cb_cnt == 0)
5285 || !TEST_true(psk_client_cb_cnt == 1)
5286 || !TEST_true(psk_server_cb_cnt == 1))
5287 goto end;
5288 }
5289
5290 shutdown_ssl_connection(serverssl, clientssl);
5291 serverssl = clientssl = NULL;
5292 }
5293 testresult = 1;
5294
5295 end:
5296 SSL_SESSION_free(clientpsk);
5297 SSL_SESSION_free(serverpsk);
5298 clientpsk = serverpsk = NULL;
5299 SSL_free(serverssl);
5300 SSL_free(clientssl);
5301 SSL_CTX_free(sctx);
5302 SSL_CTX_free(cctx);
5303 return testresult;
5304}
5305
5306static unsigned char cookie_magic_value[] = "cookie magic";
5307
5308static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5309 unsigned int *cookie_len)
5310{
5311 /*
5312 * Not suitable as a real cookie generation function but good enough for
5313 * testing!
5314 */
5315 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5316 *cookie_len = sizeof(cookie_magic_value) - 1;
5317
5318 return 1;
5319}
5320
5321static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5322 unsigned int cookie_len)
5323{
5324 if (cookie_len == sizeof(cookie_magic_value) - 1
5325 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5326 return 1;
5327
5328 return 0;
5329}
5330
5331static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5332 size_t *cookie_len)
5333{
5334 unsigned int temp;
5335 int res = generate_cookie_callback(ssl, cookie, &temp);
5336 *cookie_len = temp;
5337 return res;
5338}
5339
5340static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5341 size_t cookie_len)
5342{
5343 return verify_cookie_callback(ssl, cookie, cookie_len);
5344}
5345
5346static int test_stateless(void)
5347{
5348 SSL_CTX *sctx = NULL, *cctx = NULL;
5349 SSL *serverssl = NULL, *clientssl = NULL;
5350 int testresult = 0;
5351
5352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5353 TLS_client_method(), TLS1_VERSION, 0,
5354 &sctx, &cctx, cert, privkey)))
5355 goto end;
5356
5357 /* The arrival of CCS messages can confuse the test */
5358 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5359
5360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5361 NULL, NULL))
5362 /* Send the first ClientHello */
5363 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5364 SSL_ERROR_WANT_READ))
5365 /*
5366 * This should fail with a -1 return because we have no callbacks
5367 * set up
5368 */
5369 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5370 goto end;
5371
5372 /* Fatal error so abandon the connection from this client */
5373 SSL_free(clientssl);
5374 clientssl = NULL;
5375
5376 /* Set up the cookie generation and verification callbacks */
5377 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5378 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5379
5380 /*
5381 * Create a new connection from the client (we can reuse the server SSL
5382 * object).
5383 */
5384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5385 NULL, NULL))
5386 /* Send the first ClientHello */
5387 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5388 SSL_ERROR_WANT_READ))
5389 /* This should fail because there is no cookie */
5390 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5391 goto end;
5392
5393 /* Abandon the connection from this client */
5394 SSL_free(clientssl);
5395 clientssl = NULL;
5396
5397 /*
5398 * Now create a connection from a new client but with the same server SSL
5399 * object
5400 */
5401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5402 NULL, NULL))
5403 /* Send the first ClientHello */
5404 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5405 SSL_ERROR_WANT_READ))
5406 /* This should fail because there is no cookie */
5407 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5408 /* Send the second ClientHello */
5409 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_WANT_READ))
5411 /* This should succeed because a cookie is now present */
5412 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5413 /* Complete the connection */
5414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5415 SSL_ERROR_NONE)))
5416 goto end;
5417
5418 shutdown_ssl_connection(serverssl, clientssl);
5419 serverssl = clientssl = NULL;
5420 testresult = 1;
5421
5422 end:
5423 SSL_free(serverssl);
5424 SSL_free(clientssl);
5425 SSL_CTX_free(sctx);
5426 SSL_CTX_free(cctx);
5427 return testresult;
5428
5429}
5430#endif /* OSSL_NO_USABLE_TLS1_3 */
5431
5432static int clntaddoldcb = 0;
5433static int clntparseoldcb = 0;
5434static int srvaddoldcb = 0;
5435static int srvparseoldcb = 0;
5436static int clntaddnewcb = 0;
5437static int clntparsenewcb = 0;
5438static int srvaddnewcb = 0;
5439static int srvparsenewcb = 0;
5440static int snicb = 0;
5441
5442#define TEST_EXT_TYPE1 0xff00
5443
5444static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5445 size_t *outlen, int *al, void *add_arg)
5446{
5447 int *server = (int *)add_arg;
5448 unsigned char *data;
5449
5450 if (SSL_is_server(s))
5451 srvaddoldcb++;
5452 else
5453 clntaddoldcb++;
5454
5455 if (*server != SSL_is_server(s)
5456 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5457 return -1;
5458
5459 *data = 1;
5460 *out = data;
5461 *outlen = sizeof(char);
5462 return 1;
5463}
5464
5465static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5466 void *add_arg)
5467{
5468 OPENSSL_free((unsigned char *)out);
5469}
5470
5471static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5472 size_t inlen, int *al, void *parse_arg)
5473{
5474 int *server = (int *)parse_arg;
5475
5476 if (SSL_is_server(s))
5477 srvparseoldcb++;
5478 else
5479 clntparseoldcb++;
5480
5481 if (*server != SSL_is_server(s)
5482 || inlen != sizeof(char)
5483 || *in != 1)
5484 return -1;
5485
5486 return 1;
5487}
5488
5489static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5490 const unsigned char **out, size_t *outlen, X509 *x,
5491 size_t chainidx, int *al, void *add_arg)
5492{
5493 int *server = (int *)add_arg;
5494 unsigned char *data;
5495
5496 if (SSL_is_server(s))
5497 srvaddnewcb++;
5498 else
5499 clntaddnewcb++;
5500
5501 if (*server != SSL_is_server(s)
5502 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5503 return -1;
5504
5505 *data = 1;
5506 *out = data;
5507 *outlen = sizeof(*data);
5508 return 1;
5509}
5510
5511static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5512 const unsigned char *out, void *add_arg)
5513{
5514 OPENSSL_free((unsigned char *)out);
5515}
5516
5517static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5518 const unsigned char *in, size_t inlen, X509 *x,
5519 size_t chainidx, int *al, void *parse_arg)
5520{
5521 int *server = (int *)parse_arg;
5522
5523 if (SSL_is_server(s))
5524 srvparsenewcb++;
5525 else
5526 clntparsenewcb++;
5527
5528 if (*server != SSL_is_server(s)
5529 || inlen != sizeof(char) || *in != 1)
5530 return -1;
5531
5532 return 1;
5533}
5534
5535static int sni_cb(SSL *s, int *al, void *arg)
5536{
5537 SSL_CTX *ctx = (SSL_CTX *)arg;
5538
5539 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5540 *al = SSL_AD_INTERNAL_ERROR;
5541 return SSL_TLSEXT_ERR_ALERT_FATAL;
5542 }
5543 snicb++;
5544 return SSL_TLSEXT_ERR_OK;
5545}
5546
5547static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5548{
5549 return 1;
5550}
5551
5552/*
5553 * Custom call back tests.
5554 * Test 0: Old style callbacks in TLSv1.2
5555 * Test 1: New style callbacks in TLSv1.2
5556 * Test 2: New style callbacks in TLSv1.2 with SNI
5557 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5558 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5559 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5560 */
5561static int test_custom_exts(int tst)
5562{
5563 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5564 SSL *clientssl = NULL, *serverssl = NULL;
5565 int testresult = 0;
5566 static int server = 1;
5567 static int client = 0;
5568 SSL_SESSION *sess = NULL;
5569 unsigned int context;
5570
5571#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5572 /* Skip tests for TLSv1.2 and below in this case */
5573 if (tst < 3)
5574 return 1;
5575#endif
5576
5577 /* Reset callback counters */
5578 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5579 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5580 snicb = 0;
5581
5582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5583 TLS_client_method(), TLS1_VERSION, 0,
5584 &sctx, &cctx, cert, privkey)))
5585 goto end;
5586
5587 if (tst == 2
5588 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5589 TLS1_VERSION, 0,
5590 &sctx2, NULL, cert, privkey)))
5591 goto end;
5592
5593
5594 if (tst < 3) {
5595 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5596 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5597 if (sctx2 != NULL)
5598 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5599 }
5600
5601 if (tst == 5) {
5602 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5603 | SSL_EXT_TLS1_3_CERTIFICATE;
5604 SSL_CTX_set_verify(sctx,
5605 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5606 verify_cb);
5607 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5608 SSL_FILETYPE_PEM), 1)
5609 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5610 SSL_FILETYPE_PEM), 1)
5611 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5612 goto end;
5613 } else if (tst == 4) {
5614 context = SSL_EXT_CLIENT_HELLO
5615 | SSL_EXT_TLS1_2_SERVER_HELLO
5616 | SSL_EXT_TLS1_3_SERVER_HELLO
5617 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5618 | SSL_EXT_TLS1_3_CERTIFICATE
5619 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5620 } else {
5621 context = SSL_EXT_CLIENT_HELLO
5622 | SSL_EXT_TLS1_2_SERVER_HELLO
5623 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5624 }
5625
5626 /* Create a client side custom extension */
5627 if (tst == 0) {
5628 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5629 old_add_cb, old_free_cb,
5630 &client, old_parse_cb,
5631 &client)))
5632 goto end;
5633 } else {
5634 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5635 new_add_cb, new_free_cb,
5636 &client, new_parse_cb, &client)))
5637 goto end;
5638 }
5639
5640 /* Should not be able to add duplicates */
5641 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5642 old_add_cb, old_free_cb,
5643 &client, old_parse_cb,
5644 &client))
5645 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5646 context, new_add_cb,
5647 new_free_cb, &client,
5648 new_parse_cb, &client)))
5649 goto end;
5650
5651 /* Create a server side custom extension */
5652 if (tst == 0) {
5653 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5654 old_add_cb, old_free_cb,
5655 &server, old_parse_cb,
5656 &server)))
5657 goto end;
5658 } else {
5659 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5660 new_add_cb, new_free_cb,
5661 &server, new_parse_cb, &server)))
5662 goto end;
5663 if (sctx2 != NULL
5664 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5665 context, new_add_cb,
5666 new_free_cb, &server,
5667 new_parse_cb, &server)))
5668 goto end;
5669 }
5670
5671 /* Should not be able to add duplicates */
5672 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5673 old_add_cb, old_free_cb,
5674 &server, old_parse_cb,
5675 &server))
5676 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5677 context, new_add_cb,
5678 new_free_cb, &server,
5679 new_parse_cb, &server)))
5680 goto end;
5681
5682 if (tst == 2) {
5683 /* Set up SNI */
5684 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5685 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5686 goto end;
5687 }
5688
5689 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5690 &clientssl, NULL, NULL))
5691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5692 SSL_ERROR_NONE)))
5693 goto end;
5694
5695 if (tst == 0) {
5696 if (clntaddoldcb != 1
5697 || clntparseoldcb != 1
5698 || srvaddoldcb != 1
5699 || srvparseoldcb != 1)
5700 goto end;
5701 } else if (tst == 1 || tst == 2 || tst == 3) {
5702 if (clntaddnewcb != 1
5703 || clntparsenewcb != 1
5704 || srvaddnewcb != 1
5705 || srvparsenewcb != 1
5706 || (tst != 2 && snicb != 0)
5707 || (tst == 2 && snicb != 1))
5708 goto end;
5709 } else if (tst == 5) {
5710 if (clntaddnewcb != 1
5711 || clntparsenewcb != 1
5712 || srvaddnewcb != 1
5713 || srvparsenewcb != 1)
5714 goto end;
5715 } else {
5716 /* In this case there 2 NewSessionTicket messages created */
5717 if (clntaddnewcb != 1
5718 || clntparsenewcb != 5
5719 || srvaddnewcb != 5
5720 || srvparsenewcb != 1)
5721 goto end;
5722 }
5723
5724 sess = SSL_get1_session(clientssl);
5725 SSL_shutdown(clientssl);
5726 SSL_shutdown(serverssl);
5727 SSL_free(serverssl);
5728 SSL_free(clientssl);
5729 serverssl = clientssl = NULL;
5730
5731 if (tst == 3 || tst == 5) {
5732 /* We don't bother with the resumption aspects for these tests */
5733 testresult = 1;
5734 goto end;
5735 }
5736
5737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5738 NULL, NULL))
5739 || !TEST_true(SSL_set_session(clientssl, sess))
5740 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5741 SSL_ERROR_NONE)))
5742 goto end;
5743
5744 /*
5745 * For a resumed session we expect to add the ClientHello extension. For the
5746 * old style callbacks we ignore it on the server side because they set
5747 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5748 * them.
5749 */
5750 if (tst == 0) {
5751 if (clntaddoldcb != 2
5752 || clntparseoldcb != 1
5753 || srvaddoldcb != 1
5754 || srvparseoldcb != 1)
5755 goto end;
5756 } else if (tst == 1 || tst == 2 || tst == 3) {
5757 if (clntaddnewcb != 2
5758 || clntparsenewcb != 2
5759 || srvaddnewcb != 2
5760 || srvparsenewcb != 2)
5761 goto end;
5762 } else {
5763 /*
5764 * No Certificate message extensions in the resumption handshake,
5765 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5766 */
5767 if (clntaddnewcb != 2
5768 || clntparsenewcb != 8
5769 || srvaddnewcb != 8
5770 || srvparsenewcb != 2)
5771 goto end;
5772 }
5773
5774 testresult = 1;
5775
5776end:
5777 SSL_SESSION_free(sess);
5778 SSL_free(serverssl);
5779 SSL_free(clientssl);
5780 SSL_CTX_free(sctx2);
5781 SSL_CTX_free(sctx);
5782 SSL_CTX_free(cctx);
5783 return testresult;
5784}
5785
5786/*
5787 * Test loading of serverinfo data in various formats. test_sslmessages actually
5788 * tests to make sure the extensions appear in the handshake
5789 */
5790static int test_serverinfo(int tst)
5791{
5792 unsigned int version;
5793 unsigned char *sibuf;
5794 size_t sibuflen;
5795 int ret, expected, testresult = 0;
5796 SSL_CTX *ctx;
5797
5798 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5799 if (!TEST_ptr(ctx))
5800 goto end;
5801
5802 if ((tst & 0x01) == 0x01)
5803 version = SSL_SERVERINFOV2;
5804 else
5805 version = SSL_SERVERINFOV1;
5806
5807 if ((tst & 0x02) == 0x02) {
5808 sibuf = serverinfov2;
5809 sibuflen = sizeof(serverinfov2);
5810 expected = (version == SSL_SERVERINFOV2);
5811 } else {
5812 sibuf = serverinfov1;
5813 sibuflen = sizeof(serverinfov1);
5814 expected = (version == SSL_SERVERINFOV1);
5815 }
5816
5817 if ((tst & 0x04) == 0x04) {
5818 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5819 } else {
5820 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5821
5822 /*
5823 * The version variable is irrelevant in this case - it's what is in the
5824 * buffer that matters
5825 */
5826 if ((tst & 0x02) == 0x02)
5827 expected = 0;
5828 else
5829 expected = 1;
5830 }
5831
5832 if (!TEST_true(ret == expected))
5833 goto end;
5834
5835 testresult = 1;
5836
5837 end:
5838 SSL_CTX_free(ctx);
5839
5840 return testresult;
5841}
5842
5843/*
5844 * Test that SSL_export_keying_material() produces expected results. There are
5845 * no test vectors so all we do is test that both sides of the communication
5846 * produce the same results for different protocol versions.
5847 */
5848#define SMALL_LABEL_LEN 10
5849#define LONG_LABEL_LEN 249
5850static int test_export_key_mat(int tst)
5851{
5852 int testresult = 0;
5853 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5854 SSL *clientssl = NULL, *serverssl = NULL;
5855 const char label[LONG_LABEL_LEN + 1] = "test label";
5856 const unsigned char context[] = "context";
5857 const unsigned char *emptycontext = NULL;
5858 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5859 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5860 size_t labellen;
5861 const int protocols[] = {
5862 TLS1_VERSION,
5863 TLS1_1_VERSION,
5864 TLS1_2_VERSION,
5865 TLS1_3_VERSION,
5866 TLS1_3_VERSION,
5867 TLS1_3_VERSION
5868 };
5869
5870#ifdef OPENSSL_NO_TLS1
5871 if (tst == 0)
5872 return 1;
5873#endif
5874#ifdef OPENSSL_NO_TLS1_1
5875 if (tst == 1)
5876 return 1;
5877#endif
5878 if (is_fips && (tst == 0 || tst == 1))
5879 return 1;
5880#ifdef OPENSSL_NO_TLS1_2
5881 if (tst == 2)
5882 return 1;
5883#endif
5884#ifdef OSSL_NO_USABLE_TLS1_3
5885 if (tst >= 3)
5886 return 1;
5887#endif
5888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5889 TLS_client_method(), TLS1_VERSION, 0,
5890 &sctx, &cctx, cert, privkey)))
5891 goto end;
5892
5893 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5894 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5895 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5896 if ((protocols[tst] < TLS1_2_VERSION) &&
5897 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5898 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5899 goto end;
5900
5901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5902 NULL)))
5903 goto end;
5904
5905 /*
5906 * Premature call of SSL_export_keying_material should just fail.
5907 */
5908 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5909 sizeof(ckeymat1), label,
5910 SMALL_LABEL_LEN + 1, context,
5911 sizeof(context) - 1, 1), 0))
5912 goto end;
5913
5914 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5915 SSL_ERROR_NONE)))
5916 goto end;
5917
5918 if (tst == 5) {
5919 /*
5920 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5921 * go over that.
5922 */
5923 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5924 sizeof(ckeymat1), label,
5925 LONG_LABEL_LEN + 1, context,
5926 sizeof(context) - 1, 1), 0))
5927 goto end;
5928
5929 testresult = 1;
5930 goto end;
5931 } else if (tst == 4) {
5932 labellen = LONG_LABEL_LEN;
5933 } else {
5934 labellen = SMALL_LABEL_LEN;
5935 }
5936
5937 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5938 sizeof(ckeymat1), label,
5939 labellen, context,
5940 sizeof(context) - 1, 1), 1)
5941 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5942 sizeof(ckeymat2), label,
5943 labellen,
5944 emptycontext,
5945 0, 1), 1)
5946 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5947 sizeof(ckeymat3), label,
5948 labellen,
5949 NULL, 0, 0), 1)
5950 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5951 sizeof(skeymat1), label,
5952 labellen,
5953 context,
5954 sizeof(context) -1, 1),
5955 1)
5956 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5957 sizeof(skeymat2), label,
5958 labellen,
5959 emptycontext,
5960 0, 1), 1)
5961 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5962 sizeof(skeymat3), label,
5963 labellen,
5964 NULL, 0, 0), 1)
5965 /*
5966 * Check that both sides created the same key material with the
5967 * same context.
5968 */
5969 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5970 sizeof(skeymat1))
5971 /*
5972 * Check that both sides created the same key material with an
5973 * empty context.
5974 */
5975 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5976 sizeof(skeymat2))
5977 /*
5978 * Check that both sides created the same key material without a
5979 * context.
5980 */
5981 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5982 sizeof(skeymat3))
5983 /* Different contexts should produce different results */
5984 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5985 sizeof(ckeymat2)))
5986 goto end;
5987
5988 /*
5989 * Check that an empty context and no context produce different results in
5990 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5991 */
5992 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
5993 sizeof(ckeymat3)))
5994 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5995 sizeof(ckeymat3))))
5996 goto end;
5997
5998 testresult = 1;
5999
6000 end:
6001 SSL_free(serverssl);
6002 SSL_free(clientssl);
6003 SSL_CTX_free(sctx2);
6004 SSL_CTX_free(sctx);
6005 SSL_CTX_free(cctx);
6006
6007 return testresult;
6008}
6009
6010#ifndef OSSL_NO_USABLE_TLS1_3
6011/*
6012 * Test that SSL_export_keying_material_early() produces expected
6013 * results. There are no test vectors so all we do is test that both
6014 * sides of the communication produce the same results for different
6015 * protocol versions.
6016 */
6017static int test_export_key_mat_early(int idx)
6018{
6019 static const char label[] = "test label";
6020 static const unsigned char context[] = "context";
6021 int testresult = 0;
6022 SSL_CTX *cctx = NULL, *sctx = NULL;
6023 SSL *clientssl = NULL, *serverssl = NULL;
6024 SSL_SESSION *sess = NULL;
6025 const unsigned char *emptycontext = NULL;
6026 unsigned char ckeymat1[80], ckeymat2[80];
6027 unsigned char skeymat1[80], skeymat2[80];
6028 unsigned char buf[1];
6029 size_t readbytes, written;
6030
6031 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6032 &sess, idx)))
6033 goto end;
6034
6035 /* Here writing 0 length early data is enough. */
6036 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6037 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6038 &readbytes),
6039 SSL_READ_EARLY_DATA_ERROR)
6040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6041 SSL_EARLY_DATA_ACCEPTED))
6042 goto end;
6043
6044 if (!TEST_int_eq(SSL_export_keying_material_early(
6045 clientssl, ckeymat1, sizeof(ckeymat1), label,
6046 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6047 || !TEST_int_eq(SSL_export_keying_material_early(
6048 clientssl, ckeymat2, sizeof(ckeymat2), label,
6049 sizeof(label) - 1, emptycontext, 0), 1)
6050 || !TEST_int_eq(SSL_export_keying_material_early(
6051 serverssl, skeymat1, sizeof(skeymat1), label,
6052 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6053 || !TEST_int_eq(SSL_export_keying_material_early(
6054 serverssl, skeymat2, sizeof(skeymat2), label,
6055 sizeof(label) - 1, emptycontext, 0), 1)
6056 /*
6057 * Check that both sides created the same key material with the
6058 * same context.
6059 */
6060 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6061 sizeof(skeymat1))
6062 /*
6063 * Check that both sides created the same key material with an
6064 * empty context.
6065 */
6066 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6067 sizeof(skeymat2))
6068 /* Different contexts should produce different results */
6069 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6070 sizeof(ckeymat2)))
6071 goto end;
6072
6073 testresult = 1;
6074
6075 end:
6076 SSL_SESSION_free(sess);
6077 SSL_SESSION_free(clientpsk);
6078 SSL_SESSION_free(serverpsk);
6079 clientpsk = serverpsk = NULL;
6080 SSL_free(serverssl);
6081 SSL_free(clientssl);
6082 SSL_CTX_free(sctx);
6083 SSL_CTX_free(cctx);
6084
6085 return testresult;
6086}
6087
6088#define NUM_KEY_UPDATE_MESSAGES 40
6089/*
6090 * Test KeyUpdate.
6091 */
6092static int test_key_update(void)
6093{
6094 SSL_CTX *cctx = NULL, *sctx = NULL;
6095 SSL *clientssl = NULL, *serverssl = NULL;
6096 int testresult = 0, i, j;
6097 char buf[20];
6098 static char *mess = "A test message";
6099
6100 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6101 TLS_client_method(),
6102 TLS1_3_VERSION,
6103 0,
6104 &sctx, &cctx, cert, privkey))
6105 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6106 NULL, NULL))
6107 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6108 SSL_ERROR_NONE)))
6109 goto end;
6110
6111 for (j = 0; j < 2; j++) {
6112 /* Send lots of KeyUpdate messages */
6113 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6114 if (!TEST_true(SSL_key_update(clientssl,
6115 (j == 0)
6116 ? SSL_KEY_UPDATE_NOT_REQUESTED
6117 : SSL_KEY_UPDATE_REQUESTED))
6118 || !TEST_true(SSL_do_handshake(clientssl)))
6119 goto end;
6120 }
6121
6122 /* Check that sending and receiving app data is ok */
6123 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6124 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6125 strlen(mess)))
6126 goto end;
6127
6128 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6129 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6130 strlen(mess)))
6131 goto end;
6132 }
6133
6134 testresult = 1;
6135
6136 end:
6137 SSL_free(serverssl);
6138 SSL_free(clientssl);
6139 SSL_CTX_free(sctx);
6140 SSL_CTX_free(cctx);
6141
6142 return testresult;
6143}
6144
6145/*
6146 * Test we can handle a KeyUpdate (update requested) message while
6147 * write data is pending in peer.
6148 * Test 0: Client sends KeyUpdate while Server is writing
6149 * Test 1: Server sends KeyUpdate while Client is writing
6150 */
6151static int test_key_update_peer_in_write(int tst)
6152{
6153 SSL_CTX *cctx = NULL, *sctx = NULL;
6154 SSL *clientssl = NULL, *serverssl = NULL;
6155 int testresult = 0;
6156 char buf[20];
6157 static char *mess = "A test message";
6158 BIO *bretry = BIO_new(bio_s_always_retry());
6159 BIO *tmp = NULL;
6160 SSL *peerupdate = NULL, *peerwrite = NULL;
6161
6162 if (!TEST_ptr(bretry)
6163 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6164 TLS_client_method(),
6165 TLS1_3_VERSION,
6166 0,
6167 &sctx, &cctx, cert, privkey))
6168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6169 NULL, NULL))
6170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6171 SSL_ERROR_NONE)))
6172 goto end;
6173
6174 peerupdate = tst == 0 ? clientssl : serverssl;
6175 peerwrite = tst == 0 ? serverssl : clientssl;
6176
6177 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6178 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6179 goto end;
6180
6181 /* Swap the writing endpoint's write BIO to force a retry */
6182 tmp = SSL_get_wbio(peerwrite);
6183 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6184 tmp = NULL;
6185 goto end;
6186 }
6187 SSL_set0_wbio(peerwrite, bretry);
6188 bretry = NULL;
6189
6190 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6191 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6192 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6193 goto end;
6194
6195 /* Reinstate the original writing endpoint's write BIO */
6196 SSL_set0_wbio(peerwrite, tmp);
6197 tmp = NULL;
6198
6199 /* Now read some data - we will read the key update */
6200 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6201 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6202 goto end;
6203
6204 /*
6205 * Complete the write we started previously and read it from the other
6206 * endpoint
6207 */
6208 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6209 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6210 goto end;
6211
6212 /* Write more data to ensure we send the KeyUpdate message back */
6213 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6214 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6215 goto end;
6216
6217 testresult = 1;
6218
6219 end:
6220 SSL_free(serverssl);
6221 SSL_free(clientssl);
6222 SSL_CTX_free(sctx);
6223 SSL_CTX_free(cctx);
6224 BIO_free(bretry);
6225 BIO_free(tmp);
6226
6227 return testresult;
6228}
6229
6230/*
6231 * Test we can handle a KeyUpdate (update requested) message while
6232 * peer read data is pending after peer accepted keyupdate(the msg header
6233 * had been read 5 bytes).
6234 * Test 0: Client sends KeyUpdate while Server is reading
6235 * Test 1: Server sends KeyUpdate while Client is reading
6236 */
6237static int test_key_update_peer_in_read(int tst)
6238{
6239 SSL_CTX *cctx = NULL, *sctx = NULL;
6240 SSL *clientssl = NULL, *serverssl = NULL;
6241 int testresult = 0;
6242 char prbuf[515], lwbuf[515] = {0};
6243 static char *mess = "A test message";
6244 BIO *lbio = NULL, *pbio = NULL;
6245 SSL *local = NULL, *peer = NULL;
6246
6247 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6248 TLS_client_method(),
6249 TLS1_3_VERSION,
6250 0,
6251 &sctx, &cctx, cert, privkey))
6252 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6253 NULL, NULL))
6254 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6255 SSL_ERROR_NONE)))
6256 goto end;
6257
6258 local = tst == 0 ? clientssl : serverssl;
6259 peer = tst == 0 ? serverssl : clientssl;
6260
6261 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6262 goto end;
6263
6264 SSL_set_bio(local, lbio, lbio);
6265 SSL_set_bio(peer, pbio, pbio);
6266
6267 /*
6268 * we first write keyupdate msg then appdata in local
6269 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6270 * lwbuf app data msg size + key updata msg size > 512(the size of
6271 * the bio pair buffer)
6272 */
6273 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6274 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6275 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6276 goto end;
6277
6278 /*
6279 * first read keyupdate msg in peer in peer
6280 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6281 */
6282 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6283 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6284 goto end;
6285
6286 /* Now write some data in peer - we will write the key update */
6287 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6288 goto end;
6289
6290 /*
6291 * write data in local previously that we will complete
6292 * read data in peer previously that we will complete
6293 */
6294 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6295 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6296 goto end;
6297
6298 /* check that sending and receiving appdata ok */
6299 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6300 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6301 goto end;
6302
6303 testresult = 1;
6304
6305 end:
6306 SSL_free(serverssl);
6307 SSL_free(clientssl);
6308 SSL_CTX_free(sctx);
6309 SSL_CTX_free(cctx);
6310
6311 return testresult;
6312}
6313
6314/*
6315 * Test we can't send a KeyUpdate (update requested) message while
6316 * local write data is pending.
6317 * Test 0: Client sends KeyUpdate while Client is writing
6318 * Test 1: Server sends KeyUpdate while Server is writing
6319 */
6320static int test_key_update_local_in_write(int tst)
6321{
6322 SSL_CTX *cctx = NULL, *sctx = NULL;
6323 SSL *clientssl = NULL, *serverssl = NULL;
6324 int testresult = 0;
6325 char buf[20];
6326 static char *mess = "A test message";
6327 BIO *bretry = BIO_new(bio_s_always_retry());
6328 BIO *tmp = NULL;
6329 SSL *local = NULL, *peer = NULL;
6330
6331 if (!TEST_ptr(bretry)
6332 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6333 TLS_client_method(),
6334 TLS1_3_VERSION,
6335 0,
6336 &sctx, &cctx, cert, privkey))
6337 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6338 NULL, NULL))
6339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6340 SSL_ERROR_NONE)))
6341 goto end;
6342
6343 local = tst == 0 ? clientssl : serverssl;
6344 peer = tst == 0 ? serverssl : clientssl;
6345
6346 /* Swap the writing endpoint's write BIO to force a retry */
6347 tmp = SSL_get_wbio(local);
6348 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6349 tmp = NULL;
6350 goto end;
6351 }
6352 SSL_set0_wbio(local, bretry);
6353 bretry = NULL;
6354
6355 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6356 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6357 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6358 goto end;
6359
6360 /* Reinstate the original writing endpoint's write BIO */
6361 SSL_set0_wbio(local, tmp);
6362 tmp = NULL;
6363
6364 /* SSL_key_update will fail, because writing in local*/
6365 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6366 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6367 goto end;
6368
6369 ERR_clear_error();
6370 /* write data in local previously that we will complete */
6371 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6372 goto end;
6373
6374 /* SSL_key_update will succeed because there is no pending write data */
6375 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6376 || !TEST_int_eq(SSL_do_handshake(local), 1))
6377 goto end;
6378
6379 /*
6380 * we write some appdata in local
6381 * read data in peer - we will read the keyupdate msg
6382 */
6383 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6384 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6385 goto end;
6386
6387 /* Write more peer more data to ensure we send the keyupdate message back */
6388 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6389 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6390 goto end;
6391
6392 testresult = 1;
6393
6394 end:
6395 SSL_free(serverssl);
6396 SSL_free(clientssl);
6397 SSL_CTX_free(sctx);
6398 SSL_CTX_free(cctx);
6399 BIO_free(bretry);
6400 BIO_free(tmp);
6401
6402 return testresult;
6403}
6404
6405/*
6406 * Test we can handle a KeyUpdate (update requested) message while
6407 * local read data is pending(the msg header had been read 5 bytes).
6408 * Test 0: Client sends KeyUpdate while Client is reading
6409 * Test 1: Server sends KeyUpdate while Server is reading
6410 */
6411static int test_key_update_local_in_read(int tst)
6412{
6413 SSL_CTX *cctx = NULL, *sctx = NULL;
6414 SSL *clientssl = NULL, *serverssl = NULL;
6415 int testresult = 0;
6416 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6417 static char *mess = "A test message";
6418 BIO *lbio = NULL, *pbio = NULL;
6419 SSL *local = NULL, *peer = NULL;
6420
6421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6422 TLS_client_method(),
6423 TLS1_3_VERSION,
6424 0,
6425 &sctx, &cctx, cert, privkey))
6426 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6427 NULL, NULL))
6428 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6429 SSL_ERROR_NONE)))
6430 goto end;
6431
6432 local = tst == 0 ? clientssl : serverssl;
6433 peer = tst == 0 ? serverssl : clientssl;
6434
6435 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6436 goto end;
6437
6438 SSL_set_bio(local, lbio, lbio);
6439 SSL_set_bio(peer, pbio, pbio);
6440
6441 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6442 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6443 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6444 goto end;
6445
6446 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6447 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6448 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6449 goto end;
6450
6451 /* SSL_do_handshake will send keyupdate msg */
6452 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6453 || !TEST_int_eq(SSL_do_handshake(local), 1))
6454 goto end;
6455
6456 /*
6457 * write data in peer previously that we will complete
6458 * read data in local previously that we will complete
6459 */
6460 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6461 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6462 goto end;
6463
6464 /*
6465 * write data in local
6466 * read data in peer - we will read the key update
6467 */
6468 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6469 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6470 goto end;
6471
6472 /* Write more peer data to ensure we send the keyupdate message back */
6473 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6474 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6475 goto end;
6476
6477 testresult = 1;
6478
6479 end:
6480 SSL_free(serverssl);
6481 SSL_free(clientssl);
6482 SSL_CTX_free(sctx);
6483 SSL_CTX_free(cctx);
6484
6485 return testresult;
6486}
6487#endif /* OSSL_NO_USABLE_TLS1_3 */
6488
6489static int test_ssl_clear(int idx)
6490{
6491 SSL_CTX *cctx = NULL, *sctx = NULL;
6492 SSL *clientssl = NULL, *serverssl = NULL;
6493 int testresult = 0;
6494
6495#ifdef OPENSSL_NO_TLS1_2
6496 if (idx == 1)
6497 return 1;
6498#endif
6499
6500 /* Create an initial connection */
6501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6502 TLS_client_method(), TLS1_VERSION, 0,
6503 &sctx, &cctx, cert, privkey))
6504 || (idx == 1
6505 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6506 TLS1_2_VERSION)))
6507 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6508 &clientssl, NULL, NULL))
6509 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6510 SSL_ERROR_NONE)))
6511 goto end;
6512
6513 SSL_shutdown(clientssl);
6514 SSL_shutdown(serverssl);
6515 SSL_free(serverssl);
6516 serverssl = NULL;
6517
6518 /* Clear clientssl - we're going to reuse the object */
6519 if (!TEST_true(SSL_clear(clientssl)))
6520 goto end;
6521
6522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6523 NULL, NULL))
6524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6525 SSL_ERROR_NONE))
6526 || !TEST_true(SSL_session_reused(clientssl)))
6527 goto end;
6528
6529 SSL_shutdown(clientssl);
6530 SSL_shutdown(serverssl);
6531
6532 testresult = 1;
6533
6534 end:
6535 SSL_free(serverssl);
6536 SSL_free(clientssl);
6537 SSL_CTX_free(sctx);
6538 SSL_CTX_free(cctx);
6539
6540 return testresult;
6541}
6542
6543/* Parse CH and retrieve any MFL extension value if present */
6544static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6545{
6546 long len;
6547 unsigned char *data;
6548 PACKET pkt, pkt2, pkt3;
6549 unsigned int MFL_code = 0, type = 0;
6550
6551 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6552 goto end;
6553
6554 memset(&pkt, 0, sizeof(pkt));
6555 memset(&pkt2, 0, sizeof(pkt2));
6556 memset(&pkt3, 0, sizeof(pkt3));
6557
6558 if (!TEST_long_gt(len, 0)
6559 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6560 /* Skip the record header */
6561 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6562 /* Skip the handshake message header */
6563 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6564 /* Skip client version and random */
6565 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6566 + SSL3_RANDOM_SIZE))
6567 /* Skip session id */
6568 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6569 /* Skip ciphers */
6570 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6571 /* Skip compression */
6572 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6573 /* Extensions len */
6574 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6575 goto end;
6576
6577 /* Loop through all extensions */
6578 while (PACKET_remaining(&pkt2)) {
6579 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6580 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6581 goto end;
6582
6583 if (type == TLSEXT_TYPE_max_fragment_length) {
6584 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6585 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6586 goto end;
6587
6588 *mfl_codemfl_code = MFL_code;
6589 return 1;
6590 }
6591 }
6592
6593 end:
6594 return 0;
6595}
6596
6597/* Maximum-Fragment-Length TLS extension mode to test */
6598static const unsigned char max_fragment_len_test[] = {
6599 TLSEXT_max_fragment_length_512,
6600 TLSEXT_max_fragment_length_1024,
6601 TLSEXT_max_fragment_length_2048,
6602 TLSEXT_max_fragment_length_4096
6603};
6604
6605static int test_max_fragment_len_ext(int idx_tst)
6606{
6607 SSL_CTX *ctx = NULL;
6608 SSL *con = NULL;
6609 int testresult = 0, MFL_mode = 0;
6610 BIO *rbio, *wbio;
6611
6612 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6613 TLS1_VERSION, 0, NULL, &ctx, NULL,
6614 NULL)))
6615 return 0;
6616
6617 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6618 ctx, max_fragment_len_test[idx_tst])))
6619 goto end;
6620
6621 con = SSL_new(ctx);
6622 if (!TEST_ptr(con))
6623 goto end;
6624
6625 rbio = BIO_new(BIO_s_mem());
6626 wbio = BIO_new(BIO_s_mem());
6627 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6628 BIO_free(rbio);
6629 BIO_free(wbio);
6630 goto end;
6631 }
6632
6633 SSL_set_bio(con, rbio, wbio);
6634
6635 if (!TEST_int_le(SSL_connect(con), 0)) {
6636 /* This shouldn't succeed because we don't have a server! */
6637 goto end;
6638 }
6639
6640 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6641 /* no MFL in client hello */
6642 goto end;
6643 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6644 goto end;
6645
6646 testresult = 1;
6647
6648end:
6649 SSL_free(con);
6650 SSL_CTX_free(ctx);
6651
6652 return testresult;
6653}
6654
6655#ifndef OSSL_NO_USABLE_TLS1_3
6656static int test_pha_key_update(void)
6657{
6658 SSL_CTX *cctx = NULL, *sctx = NULL;
6659 SSL *clientssl = NULL, *serverssl = NULL;
6660 int testresult = 0;
6661
6662 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6663 TLS_client_method(), TLS1_VERSION, 0,
6664 &sctx, &cctx, cert, privkey)))
6665 return 0;
6666
6667 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6668 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6669 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6670 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6671 goto end;
6672
6673 SSL_CTX_set_post_handshake_auth(cctx, 1);
6674
6675 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6676 NULL, NULL)))
6677 goto end;
6678
6679 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6680 SSL_ERROR_NONE)))
6681 goto end;
6682
6683 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6684 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6685 goto end;
6686
6687 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6688 goto end;
6689
6690 /* Start handshake on the server */
6691 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6692 goto end;
6693
6694 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6695 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6696 SSL_ERROR_NONE)))
6697 goto end;
6698
6699 SSL_shutdown(clientssl);
6700 SSL_shutdown(serverssl);
6701
6702 testresult = 1;
6703
6704 end:
6705 SSL_free(serverssl);
6706 SSL_free(clientssl);
6707 SSL_CTX_free(sctx);
6708 SSL_CTX_free(cctx);
6709 return testresult;
6710}
6711#endif
6712
6713#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6714
6715static SRP_VBASE *vbase = NULL;
6716
6717static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6718{
6719 int ret = SSL3_AL_FATAL;
6720 char *username;
6721 SRP_user_pwd *user = NULL;
6722
6723 username = SSL_get_srp_username(s);
6724 if (username == NULL) {
6725 *ad = SSL_AD_INTERNAL_ERROR;
6726 goto err;
6727 }
6728
6729 user = SRP_VBASE_get1_by_user(vbase, username);
6730 if (user == NULL) {
6731 *ad = SSL_AD_INTERNAL_ERROR;
6732 goto err;
6733 }
6734
6735 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6736 user->info) <= 0) {
6737 *ad = SSL_AD_INTERNAL_ERROR;
6738 goto err;
6739 }
6740
6741 ret = 0;
6742
6743 err:
6744 SRP_user_pwd_free(user);
6745 return ret;
6746}
6747
6748static int create_new_vfile(char *userid, char *password, const char *filename)
6749{
6750 char *gNid = NULL;
6751 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6752 TXT_DB *db = NULL;
6753 int ret = 0;
6754 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6755 size_t i;
6756
6757 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6758 goto end;
6759
6760 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6761 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6762 if (!TEST_ptr(gNid))
6763 goto end;
6764
6765 /*
6766 * The only way to create an empty TXT_DB is to provide a BIO with no data
6767 * in it!
6768 */
6769 db = TXT_DB_read(dummy, DB_NUMBER);
6770 if (!TEST_ptr(db))
6771 goto end;
6772
6773 out = BIO_new_file(filename, "w");
6774 if (!TEST_ptr(out))
6775 goto end;
6776
6777 row[DB_srpid] = OPENSSL_strdup(userid);
6778 row[DB_srptype] = OPENSSL_strdup("V");
6779 row[DB_srpgN] = OPENSSL_strdup(gNid);
6780
6781 if (!TEST_ptr(row[DB_srpid])
6782 || !TEST_ptr(row[DB_srptype])
6783 || !TEST_ptr(row[DB_srpgN])
6784 || !TEST_true(TXT_DB_insert(db, row)))
6785 goto end;
6786
6787 row = NULL;
6788
6789 if (TXT_DB_write(out, db) <= 0)
6790 goto end;
6791
6792 ret = 1;
6793 end:
6794 if (row != NULL) {
6795 for (i = 0; i < DB_NUMBER; i++)
6796 OPENSSL_free(row[i]);
6797 }
6798 OPENSSL_free(row);
6799 BIO_free(dummy);
6800 BIO_free(out);
6801 TXT_DB_free(db);
6802
6803 return ret;
6804}
6805
6806static int create_new_vbase(char *userid, char *password)
6807{
6808 BIGNUM *verifier = NULL, *salt = NULL;
6809 const SRP_gN *lgN = NULL;
6810 SRP_user_pwd *user_pwd = NULL;
6811 int ret = 0;
6812
6813 lgN = SRP_get_default_gN(NULL);
6814 if (!TEST_ptr(lgN))
6815 goto end;
6816
6817 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6818 lgN->N, lgN->g, libctx, NULL)))
6819 goto end;
6820
6821 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6822 if (!TEST_ptr(user_pwd))
6823 goto end;
6824
6825 user_pwd->N = lgN->N;
6826 user_pwd->g = lgN->g;
6827 user_pwd->id = OPENSSL_strdup(userid);
6828 if (!TEST_ptr(user_pwd->id))
6829 goto end;
6830
6831 user_pwd->v = verifier;
6832 user_pwd->s = salt;
6833 verifier = salt = NULL;
6834
6835 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6836 goto end;
6837 user_pwd = NULL;
6838
6839 ret = 1;
6840end:
6841 SRP_user_pwd_free(user_pwd);
6842 BN_free(salt);
6843 BN_free(verifier);
6844
6845 return ret;
6846}
6847
6848/*
6849 * SRP tests
6850 *
6851 * Test 0: Simple successful SRP connection, new vbase
6852 * Test 1: Connection failure due to bad password, new vbase
6853 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6854 * Test 3: Connection failure due to bad password, vbase loaded from existing
6855 * file
6856 * Test 4: Simple successful SRP connection, vbase loaded from new file
6857 * Test 5: Connection failure due to bad password, vbase loaded from new file
6858 */
6859static int test_srp(int tst)
6860{
6861 char *userid = "test", *password = "password", *tstsrpfile;
6862 SSL_CTX *cctx = NULL, *sctx = NULL;
6863 SSL *clientssl = NULL, *serverssl = NULL;
6864 int ret, testresult = 0;
6865
6866 vbase = SRP_VBASE_new(NULL);
6867 if (!TEST_ptr(vbase))
6868 goto end;
6869
6870 if (tst == 0 || tst == 1) {
6871 if (!TEST_true(create_new_vbase(userid, password)))
6872 goto end;
6873 } else {
6874 if (tst == 4 || tst == 5) {
6875 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6876 goto end;
6877 tstsrpfile = tmpfilename;
6878 } else {
6879 tstsrpfile = srpvfile;
6880 }
6881 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6882 goto end;
6883 }
6884
6885 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6886 TLS_client_method(), TLS1_VERSION, 0,
6887 &sctx, &cctx, cert, privkey)))
6888 goto end;
6889
6890 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6891 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6892 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6893 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6894 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6895 goto end;
6896
6897 if (tst % 2 == 1) {
6898 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6899 goto end;
6900 } else {
6901 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6902 goto end;
6903 }
6904
6905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6906 NULL, NULL)))
6907 goto end;
6908
6909 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6910 if (ret) {
6911 if (!TEST_true(tst % 2 == 0))
6912 goto end;
6913 } else {
6914 if (!TEST_true(tst % 2 == 1))
6915 goto end;
6916 }
6917
6918 testresult = 1;
6919
6920 end:
6921 SRP_VBASE_free(vbase);
6922 vbase = NULL;
6923 SSL_free(serverssl);
6924 SSL_free(clientssl);
6925 SSL_CTX_free(sctx);
6926 SSL_CTX_free(cctx);
6927
6928 return testresult;
6929}
6930#endif
6931
6932static int info_cb_failed = 0;
6933static int info_cb_offset = 0;
6934static int info_cb_this_state = -1;
6935
6936static struct info_cb_states_st {
6937 int where;
6938 const char *statestr;
6939} info_cb_states[][60] = {
6940 {
6941 /* TLSv1.2 server followed by resumption */
6942 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6943 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6944 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6945 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6946 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6947 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6948 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6949 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6950 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6951 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6952 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6953 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6954 {SSL_CB_EXIT, NULL}, {0, NULL},
6955 }, {
6956 /* TLSv1.2 client followed by resumption */
6957 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6958 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6959 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6960 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6961 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6962 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6963 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6964 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6965 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6966 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6967 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6968 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6969 }, {
6970 /* TLSv1.3 server followed by resumption */
6971 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6972 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6973 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6974 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6975 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6976 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6977 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6978 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6979 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6980 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6981 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6982 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6983 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
6984 }, {
6985 /* TLSv1.3 client followed by resumption */
6986 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6987 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6988 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6989 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6990 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6991 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
6992 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
6993 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
6994 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6995 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6996 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6997 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6998 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6999 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7000 {SSL_CB_EXIT, NULL}, {0, NULL},
7001 }, {
7002 /* TLSv1.3 server, early_data */
7003 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7004 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7005 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7006 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7007 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7008 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7009 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7010 {SSL_CB_EXIT, NULL}, {0, NULL},
7011 }, {
7012 /* TLSv1.3 client, early_data */
7013 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7014 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7015 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7016 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7017 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7018 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7019 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7020 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7021 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7022 }, {
7023 {0, NULL},
7024 }
7025};
7026
7027static void sslapi_info_callback(const SSL *s, int where, int ret)
7028{
7029 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7030
7031 /* We do not ever expect a connection to fail in this test */
7032 if (!TEST_false(ret == 0)) {
7033 info_cb_failed = 1;
7034 return;
7035 }
7036
7037 /*
7038 * Do some sanity checks. We never expect these things to happen in this
7039 * test
7040 */
7041 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7042 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7043 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7044 info_cb_failed = 1;
7045 return;
7046 }
7047
7048 /* Now check we're in the right state */
7049 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7050 info_cb_failed = 1;
7051 return;
7052 }
7053 if ((where & SSL_CB_LOOP) != 0
7054 && !TEST_int_eq(strcmp(SSL_state_string(s),
7055 state[info_cb_this_state].statestr), 0)) {
7056 info_cb_failed = 1;
7057 return;
7058 }
7059
7060 /*
7061 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7062 */
7063 if ((where & SSL_CB_HANDSHAKE_DONE)
7064 && SSL_in_init((SSL *)s) != 0) {
7065 info_cb_failed = 1;
7066 return;
7067 }
7068}
7069
7070/*
7071 * Test the info callback gets called when we expect it to.
7072 *
7073 * Test 0: TLSv1.2, server
7074 * Test 1: TLSv1.2, client
7075 * Test 2: TLSv1.3, server
7076 * Test 3: TLSv1.3, client
7077 * Test 4: TLSv1.3, server, early_data
7078 * Test 5: TLSv1.3, client, early_data
7079 */
7080static int test_info_callback(int tst)
7081{
7082 SSL_CTX *cctx = NULL, *sctx = NULL;
7083 SSL *clientssl = NULL, *serverssl = NULL;
7084 SSL_SESSION *clntsess = NULL;
7085 int testresult = 0;
7086 int tlsvers;
7087
7088 if (tst < 2) {
7089/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7090#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7091 || !defined(OPENSSL_NO_DH))
7092 tlsvers = TLS1_2_VERSION;
7093#else
7094 return 1;
7095#endif
7096 } else {
7097#ifndef OSSL_NO_USABLE_TLS1_3
7098 tlsvers = TLS1_3_VERSION;
7099#else
7100 return 1;
7101#endif
7102 }
7103
7104 /* Reset globals */
7105 info_cb_failed = 0;
7106 info_cb_this_state = -1;
7107 info_cb_offset = tst;
7108
7109#ifndef OSSL_NO_USABLE_TLS1_3
7110 if (tst >= 4) {
7111 SSL_SESSION *sess = NULL;
7112 size_t written, readbytes;
7113 unsigned char buf[80];
7114
7115 /* early_data tests */
7116 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7117 &serverssl, &sess, 0)))
7118 goto end;
7119
7120 /* We don't actually need this reference */
7121 SSL_SESSION_free(sess);
7122
7123 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7124 sslapi_info_callback);
7125
7126 /* Write and read some early data and then complete the connection */
7127 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7128 &written))
7129 || !TEST_size_t_eq(written, strlen(MSG1))
7130 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7131 sizeof(buf), &readbytes),
7132 SSL_READ_EARLY_DATA_SUCCESS)
7133 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7134 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7135 SSL_EARLY_DATA_ACCEPTED)
7136 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7137 SSL_ERROR_NONE))
7138 || !TEST_false(info_cb_failed))
7139 goto end;
7140
7141 testresult = 1;
7142 goto end;
7143 }
7144#endif
7145
7146 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7147 TLS_client_method(),
7148 tlsvers, tlsvers, &sctx, &cctx, cert,
7149 privkey)))
7150 goto end;
7151
7152 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7153 goto end;
7154
7155 /*
7156 * For even numbered tests we check the server callbacks. For odd numbers we
7157 * check the client.
7158 */
7159 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7160 sslapi_info_callback);
7161
7162 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7163 &clientssl, NULL, NULL))
7164 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7165 SSL_ERROR_NONE))
7166 || !TEST_false(info_cb_failed))
7167 goto end;
7168
7169
7170
7171 clntsess = SSL_get1_session(clientssl);
7172 SSL_shutdown(clientssl);
7173 SSL_shutdown(serverssl);
7174 SSL_free(serverssl);
7175 SSL_free(clientssl);
7176 serverssl = clientssl = NULL;
7177
7178 /* Now do a resumption */
7179 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7180 NULL))
7181 || !TEST_true(SSL_set_session(clientssl, clntsess))
7182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7183 SSL_ERROR_NONE))
7184 || !TEST_true(SSL_session_reused(clientssl))
7185 || !TEST_false(info_cb_failed))
7186 goto end;
7187
7188 testresult = 1;
7189
7190 end:
7191 SSL_free(serverssl);
7192 SSL_free(clientssl);
7193 SSL_SESSION_free(clntsess);
7194 SSL_CTX_free(sctx);
7195 SSL_CTX_free(cctx);
7196 return testresult;
7197}
7198
7199static int test_ssl_pending(int tst)
7200{
7201 SSL_CTX *cctx = NULL, *sctx = NULL;
7202 SSL *clientssl = NULL, *serverssl = NULL;
7203 int testresult = 0;
7204 char msg[] = "A test message";
7205 char buf[5];
7206 size_t written, readbytes;
7207
7208 if (tst == 0) {
7209 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7210 TLS_client_method(),
7211 TLS1_VERSION, 0,
7212 &sctx, &cctx, cert, privkey)))
7213 goto end;
7214 } else {
7215#ifndef OPENSSL_NO_DTLS
7216 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7217 DTLS_client_method(),
7218 DTLS1_VERSION, 0,
7219 &sctx, &cctx, cert, privkey)))
7220 goto end;
7221
7222# ifdef OPENSSL_NO_DTLS1_2
7223 /* Not supported in the FIPS provider */
7224 if (is_fips) {
7225 testresult = 1;
7226 goto end;
7227 };
7228 /*
7229 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7230 * level 0
7231 */
7232 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7233 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7234 "DEFAULT:@SECLEVEL=0")))
7235 goto end;
7236# endif
7237#else
7238 return 1;
7239#endif
7240 }
7241
7242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7243 NULL, NULL))
7244 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7245 SSL_ERROR_NONE)))
7246 goto end;
7247
7248 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7249 || !TEST_false(SSL_has_pending(clientssl))
7250 || !TEST_int_eq(SSL_pending(serverssl), 0)
7251 || !TEST_false(SSL_has_pending(serverssl))
7252 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7253 || !TEST_size_t_eq(written, sizeof(msg))
7254 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7255 || !TEST_size_t_eq(readbytes, sizeof(buf))
7256 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7257 || !TEST_true(SSL_has_pending(clientssl)))
7258 goto end;
7259
7260 testresult = 1;
7261
7262 end:
7263 SSL_free(serverssl);
7264 SSL_free(clientssl);
7265 SSL_CTX_free(sctx);
7266 SSL_CTX_free(cctx);
7267
7268 return testresult;
7269}
7270
7271static struct {
7272 unsigned int maxprot;
7273 const char *clntciphers;
7274 const char *clnttls13ciphers;
7275 const char *srvrciphers;
7276 const char *srvrtls13ciphers;
7277 const char *shared;
7278 const char *fipsshared;
7279} shared_ciphers_data[] = {
7280/*
7281 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7282 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7283 */
7284#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7285 {
7286 TLS1_2_VERSION,
7287 "AES128-SHA:AES256-SHA",
7288 NULL,
7289 "AES256-SHA:DHE-RSA-AES128-SHA",
7290 NULL,
7291 "AES256-SHA",
7292 "AES256-SHA"
7293 },
7294# if !defined(OPENSSL_NO_CHACHA) \
7295 && !defined(OPENSSL_NO_POLY1305) \
7296 && !defined(OPENSSL_NO_EC)
7297 {
7298 TLS1_2_VERSION,
7299 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7300 NULL,
7301 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7302 NULL,
7303 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7304 "AES128-SHA"
7305 },
7306# endif
7307 {
7308 TLS1_2_VERSION,
7309 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7310 NULL,
7311 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7312 NULL,
7313 "AES128-SHA:AES256-SHA",
7314 "AES128-SHA:AES256-SHA"
7315 },
7316 {
7317 TLS1_2_VERSION,
7318 "AES128-SHA:AES256-SHA",
7319 NULL,
7320 "AES128-SHA:DHE-RSA-AES128-SHA",
7321 NULL,
7322 "AES128-SHA",
7323 "AES128-SHA"
7324 },
7325#endif
7326/*
7327 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7328 * enabled.
7329 */
7330#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7331 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7332 {
7333 TLS1_3_VERSION,
7334 "AES128-SHA:AES256-SHA",
7335 NULL,
7336 "AES256-SHA:AES128-SHA256",
7337 NULL,
7338 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7339 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7340 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7341 },
7342#endif
7343#ifndef OSSL_NO_USABLE_TLS1_3
7344 {
7345 TLS1_3_VERSION,
7346 "AES128-SHA",
7347 "TLS_AES_256_GCM_SHA384",
7348 "AES256-SHA",
7349 "TLS_AES_256_GCM_SHA384",
7350 "TLS_AES_256_GCM_SHA384",
7351 "TLS_AES_256_GCM_SHA384"
7352 },
7353#endif
7354};
7355
7356static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7357{
7358 SSL_CTX *cctx = NULL, *sctx = NULL;
7359 SSL *clientssl = NULL, *serverssl = NULL;
7360 int testresult = 0;
7361 char buf[1024];
7362 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7363
7364 if (!TEST_ptr(tmplibctx))
7365 goto end;
7366
7367 /*
7368 * Regardless of whether we're testing with the FIPS provider loaded into
7369 * libctx, we want one peer to always use the full set of ciphersuites
7370 * available. Therefore we use a separate libctx with the default provider
7371 * loaded into it. We run the same tests twice - once with the client side
7372 * having the full set of ciphersuites and once with the server side.
7373 */
7374 if (clnt) {
7375 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7376 if (!TEST_ptr(cctx))
7377 goto end;
7378 } else {
7379 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7380 if (!TEST_ptr(sctx))
7381 goto end;
7382 }
7383
7384 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7385 TLS_client_method(),
7386 TLS1_VERSION,
7387 shared_ciphers_data[tst].maxprot,
7388 &sctx, &cctx, cert, privkey)))
7389 goto end;
7390
7391 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7392 shared_ciphers_data[tst].clntciphers))
7393 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7394 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7395 shared_ciphers_data[tst].clnttls13ciphers)))
7396 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7397 shared_ciphers_data[tst].srvrciphers))
7398 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7399 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7400 shared_ciphers_data[tst].srvrtls13ciphers))))
7401 goto end;
7402
7403
7404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7405 NULL, NULL))
7406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7407 SSL_ERROR_NONE)))
7408 goto end;
7409
7410 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7411 || !TEST_int_eq(strcmp(buf,
7412 is_fips
7413 ? shared_ciphers_data[tst].fipsshared
7414 : shared_ciphers_data[tst].shared),
7415 0)) {
7416 TEST_info("Shared ciphers are: %s\n", buf);
7417 goto end;
7418 }
7419
7420 testresult = 1;
7421
7422 end:
7423 SSL_free(serverssl);
7424 SSL_free(clientssl);
7425 SSL_CTX_free(sctx);
7426 SSL_CTX_free(cctx);
7427 OSSL_LIB_CTX_free(tmplibctx);
7428
7429 return testresult;
7430}
7431
7432static int test_ssl_get_shared_ciphers(int tst)
7433{
7434 return int_test_ssl_get_shared_ciphers(tst, 0)
7435 && int_test_ssl_get_shared_ciphers(tst, 1);
7436}
7437
7438
7439static const char *appdata = "Hello World";
7440static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7441static int tick_key_renew = 0;
7442static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7443
7444static int gen_tick_cb(SSL *s, void *arg)
7445{
7446 gen_tick_called = 1;
7447
7448 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7449 strlen(appdata));
7450}
7451
7452static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7453 const unsigned char *keyname,
7454 size_t keyname_length,
7455 SSL_TICKET_STATUS status,
7456 void *arg)
7457{
7458 void *tickdata;
7459 size_t tickdlen;
7460
7461 dec_tick_called = 1;
7462
7463 if (status == SSL_TICKET_EMPTY)
7464 return SSL_TICKET_RETURN_IGNORE_RENEW;
7465
7466 if (!TEST_true(status == SSL_TICKET_SUCCESS
7467 || status == SSL_TICKET_SUCCESS_RENEW))
7468 return SSL_TICKET_RETURN_ABORT;
7469
7470 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7471 &tickdlen))
7472 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7473 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7474 return SSL_TICKET_RETURN_ABORT;
7475
7476 if (tick_key_cb_called) {
7477 /* Don't change what the ticket key callback wanted to do */
7478 switch (status) {
7479 case SSL_TICKET_NO_DECRYPT:
7480 return SSL_TICKET_RETURN_IGNORE_RENEW;
7481
7482 case SSL_TICKET_SUCCESS:
7483 return SSL_TICKET_RETURN_USE;
7484
7485 case SSL_TICKET_SUCCESS_RENEW:
7486 return SSL_TICKET_RETURN_USE_RENEW;
7487
7488 default:
7489 return SSL_TICKET_RETURN_ABORT;
7490 }
7491 }
7492 return tick_dec_ret;
7493
7494}
7495
7496#ifndef OPENSSL_NO_DEPRECATED_3_0
7497static int tick_key_cb(SSL *s, unsigned char key_name[16],
7498 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7499 HMAC_CTX *hctx, int enc)
7500{
7501 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7502 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7503 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7504 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7505 int ret;
7506
7507 tick_key_cb_called = 1;
7508 memset(iv, 0, AES_BLOCK_SIZE);
7509 memset(key_name, 0, 16);
7510 if (aes128cbc == NULL
7511 || sha256 == NULL
7512 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7513 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7514 NULL))
7515 ret = -1;
7516 else
7517 ret = tick_key_renew ? 2 : 1;
7518
7519 EVP_CIPHER_free(aes128cbc);
7520 EVP_MD_free(sha256);
7521
7522 return ret;
7523}
7524#endif
7525
7526static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7527 unsigned char iv[EVP_MAX_IV_LENGTH],
7528 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7529{
7530 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7531 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7532 OSSL_PARAM params[2];
7533 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7534 int ret;
7535
7536 tick_key_cb_called = 1;
7537 memset(iv, 0, AES_BLOCK_SIZE);
7538 memset(key_name, 0, 16);
7539 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7540 "SHA256", 0);
7541 params[1] = OSSL_PARAM_construct_end();
7542 if (aes128cbc == NULL
7543 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7544 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7545 params))
7546 ret = -1;
7547 else
7548 ret = tick_key_renew ? 2 : 1;
7549
7550 EVP_CIPHER_free(aes128cbc);
7551
7552 return ret;
7553}
7554
7555/*
7556 * Test the various ticket callbacks
7557 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7558 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7559 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7560 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7561 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7562 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7563 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7564 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7565 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7566 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7567 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7568 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7569 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7570 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7571 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7572 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7573 */
7574static int test_ticket_callbacks(int tst)
7575{
7576 SSL_CTX *cctx = NULL, *sctx = NULL;
7577 SSL *clientssl = NULL, *serverssl = NULL;
7578 SSL_SESSION *clntsess = NULL;
7579 int testresult = 0;
7580
7581#ifdef OPENSSL_NO_TLS1_2
7582 if (tst % 2 == 0)
7583 return 1;
7584#endif
7585#ifdef OSSL_NO_USABLE_TLS1_3
7586 if (tst % 2 == 1)
7587 return 1;
7588#endif
7589#ifdef OPENSSL_NO_DEPRECATED_3_0
7590 if (tst >= 8 && tst <= 11)
7591 return 1;
7592#endif
7593
7594 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7595
7596 /* Which tests the ticket key callback should request renewal for */
7597 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7598 tick_key_renew = 1;
7599 else
7600 tick_key_renew = 0;
7601
7602 /* Which tests the decrypt ticket callback should request renewal for */
7603 switch (tst) {
7604 case 0:
7605 case 1:
7606 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7607 break;
7608
7609 case 2:
7610 case 3:
7611 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7612 break;
7613
7614 case 4:
7615 case 5:
7616 tick_dec_ret = SSL_TICKET_RETURN_USE;
7617 break;
7618
7619 case 6:
7620 case 7:
7621 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7622 break;
7623
7624 default:
7625 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7626 }
7627
7628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7629 TLS_client_method(),
7630 TLS1_VERSION,
7631 ((tst % 2) == 0) ? TLS1_2_VERSION
7632 : TLS1_3_VERSION,
7633 &sctx, &cctx, cert, privkey)))
7634 goto end;
7635
7636 /*
7637 * We only want sessions to resume from tickets - not the session cache. So
7638 * switch the cache off.
7639 */
7640 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7641 goto end;
7642
7643 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7644 NULL)))
7645 goto end;
7646
7647 if (tst >= 12) {
7648 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7649 goto end;
7650#ifndef OPENSSL_NO_DEPRECATED_3_0
7651 } else if (tst >= 8) {
7652 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7653 goto end;
7654#endif
7655 }
7656
7657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7658 NULL, NULL))
7659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7660 SSL_ERROR_NONE)))
7661 goto end;
7662
7663 /*
7664 * The decrypt ticket key callback in TLSv1.2 should be called even though
7665 * we have no ticket yet, because it gets called with a status of
7666 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7667 * actually send any ticket data). This does not happen in TLSv1.3 because
7668 * it is not valid to send empty ticket data in TLSv1.3.
7669 */
7670 if (!TEST_int_eq(gen_tick_called, 1)
7671 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7672 goto end;
7673
7674 gen_tick_called = dec_tick_called = 0;
7675
7676 clntsess = SSL_get1_session(clientssl);
7677 SSL_shutdown(clientssl);
7678 SSL_shutdown(serverssl);
7679 SSL_free(serverssl);
7680 SSL_free(clientssl);
7681 serverssl = clientssl = NULL;
7682
7683 /* Now do a resumption */
7684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7685 NULL))
7686 || !TEST_true(SSL_set_session(clientssl, clntsess))
7687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7688 SSL_ERROR_NONE)))
7689 goto end;
7690
7691 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7692 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7693 if (!TEST_false(SSL_session_reused(clientssl)))
7694 goto end;
7695 } else {
7696 if (!TEST_true(SSL_session_reused(clientssl)))
7697 goto end;
7698 }
7699
7700 if (!TEST_int_eq(gen_tick_called,
7701 (tick_key_renew
7702 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7703 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7704 ? 1 : 0)
7705 || !TEST_int_eq(dec_tick_called, 1))
7706 goto end;
7707
7708 testresult = 1;
7709
7710 end:
7711 SSL_SESSION_free(clntsess);
7712 SSL_free(serverssl);
7713 SSL_free(clientssl);
7714 SSL_CTX_free(sctx);
7715 SSL_CTX_free(cctx);
7716
7717 return testresult;
7718}
7719
7720/*
7721 * Test incorrect shutdown.
7722 * Test 0: client does not shutdown properly,
7723 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7724 * server should get SSL_ERROR_SSL
7725 * Test 1: client does not shutdown properly,
7726 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7727 * server should get SSL_ERROR_ZERO_RETURN
7728 */
7729static int test_incorrect_shutdown(int tst)
7730{
7731 SSL_CTX *cctx = NULL, *sctx = NULL;
7732 SSL *clientssl = NULL, *serverssl = NULL;
7733 int testresult = 0;
7734 char buf[80];
7735 BIO *c2s;
7736
7737 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7738 TLS_client_method(), 0, 0,
7739 &sctx, &cctx, cert, privkey)))
7740 goto end;
7741
7742 if (tst == 1)
7743 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7744
7745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7746 NULL, NULL)))
7747 goto end;
7748
7749 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7750 SSL_ERROR_NONE)))
7751 goto end;
7752
7753 c2s = SSL_get_rbio(serverssl);
7754 BIO_set_mem_eof_return(c2s, 0);
7755
7756 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7757 goto end;
7758
7759 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7760 goto end;
7761 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7762 goto end;
7763
7764 testresult = 1;
7765
7766 end:
7767 SSL_free(serverssl);
7768 SSL_free(clientssl);
7769 SSL_CTX_free(sctx);
7770 SSL_CTX_free(cctx);
7771
7772 return testresult;
7773}
7774
7775/*
7776 * Test bi-directional shutdown.
7777 * Test 0: TLSv1.2
7778 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7779 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7780 * Test 3: TLSv1.3, pending NewSessionTicket messages
7781 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7782 * sends key update, client reads it
7783 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7784 * sends CertificateRequest, client reads and ignores it
7785 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7786 * doesn't read it
7787 */
7788static int test_shutdown(int tst)
7789{
7790 SSL_CTX *cctx = NULL, *sctx = NULL;
7791 SSL *clientssl = NULL, *serverssl = NULL;
7792 int testresult = 0;
7793 char msg[] = "A test message";
7794 char buf[80];
7795 size_t written, readbytes;
7796 SSL_SESSION *sess;
7797
7798#ifdef OPENSSL_NO_TLS1_2
7799 if (tst <= 1)
7800 return 1;
7801#endif
7802#ifdef OSSL_NO_USABLE_TLS1_3
7803 if (tst >= 2)
7804 return 1;
7805#endif
7806
7807 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7808 TLS_client_method(),
7809 TLS1_VERSION,
7810 (tst <= 1) ? TLS1_2_VERSION
7811 : TLS1_3_VERSION,
7812 &sctx, &cctx, cert, privkey)))
7813 goto end;
7814
7815 if (tst == 5)
7816 SSL_CTX_set_post_handshake_auth(cctx, 1);
7817
7818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7819 NULL, NULL)))
7820 goto end;
7821
7822 if (tst == 3) {
7823 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7824 SSL_ERROR_NONE, 1))
7825 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7826 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7827 goto end;
7828 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7829 SSL_ERROR_NONE))
7830 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7831 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7832 goto end;
7833 }
7834
7835 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7836 goto end;
7837
7838 if (tst >= 4) {
7839 /*
7840 * Reading on the server after the client has sent close_notify should
7841 * fail and provide SSL_ERROR_ZERO_RETURN
7842 */
7843 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7844 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7845 SSL_ERROR_ZERO_RETURN)
7846 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7847 SSL_RECEIVED_SHUTDOWN)
7848 /*
7849 * Even though we're shutdown on receive we should still be
7850 * able to write.
7851 */
7852 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7853 goto end;
7854 if (tst == 4
7855 && !TEST_true(SSL_key_update(serverssl,
7856 SSL_KEY_UPDATE_REQUESTED)))
7857 goto end;
7858 if (tst == 5) {
7859 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7860 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7861 goto end;
7862 }
7863 if ((tst == 4 || tst == 5)
7864 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7865 goto end;
7866 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7867 goto end;
7868 if (tst == 4 || tst == 5) {
7869 /* Should still be able to read data from server */
7870 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7871 &readbytes))
7872 || !TEST_size_t_eq(readbytes, sizeof(msg))
7873 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7874 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7875 &readbytes))
7876 || !TEST_size_t_eq(readbytes, sizeof(msg))
7877 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7878 goto end;
7879 }
7880 }
7881
7882 /* Writing on the client after sending close_notify shouldn't be possible */
7883 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7884 goto end;
7885
7886 if (tst < 4) {
7887 /*
7888 * For these tests the client has sent close_notify but it has not yet
7889 * been received by the server. The server has not sent close_notify
7890 * yet.
7891 */
7892 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7893 /*
7894 * Writing on the server after sending close_notify shouldn't
7895 * be possible.
7896 */
7897 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7898 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7899 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7900 || !TEST_true(SSL_SESSION_is_resumable(sess))
7901 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7902 goto end;
7903 } else if (tst == 4 || tst == 5) {
7904 /*
7905 * In this test the client has sent close_notify and it has been
7906 * received by the server which has responded with a close_notify. The
7907 * client needs to read the close_notify sent by the server.
7908 */
7909 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7910 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7911 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7912 goto end;
7913 } else {
7914 /*
7915 * tst == 6
7916 *
7917 * The client has sent close_notify and is expecting a close_notify
7918 * back, but instead there is application data first. The shutdown
7919 * should fail with a fatal error.
7920 */
7921 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7922 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7923 goto end;
7924 }
7925
7926 testresult = 1;
7927
7928 end:
7929 SSL_free(serverssl);
7930 SSL_free(clientssl);
7931 SSL_CTX_free(sctx);
7932 SSL_CTX_free(cctx);
7933
7934 return testresult;
7935}
7936
7937#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7938static int cert_cb_cnt;
7939
7940static int cert_cb(SSL *s, void *arg)
7941{
7942 SSL_CTX *ctx = (SSL_CTX *)arg;
7943 BIO *in = NULL;
7944 EVP_PKEY *pkey = NULL;
7945 X509 *x509 = NULL, *rootx = NULL;
7946 STACK_OF(X509) *chain = NULL;
7947 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7948 int ret = 0;
7949
7950 if (cert_cb_cnt == 0) {
7951 /* Suspend the handshake */
7952 cert_cb_cnt++;
7953 return -1;
7954 } else if (cert_cb_cnt == 1) {
7955 /*
7956 * Update the SSL_CTX, set the certificate and private key and then
7957 * continue the handshake normally.
7958 */
7959 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7960 return 0;
7961
7962 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7963 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7964 SSL_FILETYPE_PEM))
7965 || !TEST_true(SSL_check_private_key(s)))
7966 return 0;
7967 cert_cb_cnt++;
7968 return 1;
7969 } else if (cert_cb_cnt == 3) {
7970 int rv;
7971
7972 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7973 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7974 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7975 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7976 goto out;
7977 chain = sk_X509_new_null();
7978 if (!TEST_ptr(chain))
7979 goto out;
7980 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7981 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
7982 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
7983 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
7984 || !TEST_true(sk_X509_push(chain, rootx)))
7985 goto out;
7986 rootx = NULL;
7987 BIO_free(in);
7988 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7989 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
7990 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
7991 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7992 goto out;
7993 BIO_free(in);
7994 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7995 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
7996 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7997 NULL, NULL,
7998 libctx, NULL)))
7999 goto out;
8000 rv = SSL_check_chain(s, x509, pkey, chain);
8001 /*
8002 * If the cert doesn't show as valid here (e.g., because we don't
8003 * have any shared sigalgs), then we will not set it, and there will
8004 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8005 * will cause tls_choose_sigalgs() to fail the connection.
8006 */
8007 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8008 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8009 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8010 goto out;
8011 }
8012
8013 ret = 1;
8014 }
8015
8016 /* Abort the handshake */
8017 out:
8018 OPENSSL_free(ecdsacert);
8019 OPENSSL_free(ecdsakey);
8020 OPENSSL_free(rootfile);
8021 BIO_free(in);
8022 EVP_PKEY_free(pkey);
8023 X509_free(x509);
8024 X509_free(rootx);
8025 sk_X509_pop_free(chain, X509_free);
8026 return ret;
8027}
8028
8029/*
8030 * Test the certificate callback.
8031 * Test 0: Callback fails
8032 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8033 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8034 * Test 3: Success - Call SSL_check_chain from the callback
8035 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8036 * chain
8037 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8038 */
8039static int test_cert_cb_int(int prot, int tst)
8040{
8041 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8042 SSL *clientssl = NULL, *serverssl = NULL;
8043 int testresult = 0, ret;
8044
8045#ifdef OPENSSL_NO_EC
8046 /* We use an EC cert in these tests, so we skip in a no-ec build */
8047 if (tst >= 3)
8048 return 1;
8049#endif
8050
8051 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8052 TLS_client_method(),
8053 TLS1_VERSION,
8054 prot,
8055 &sctx, &cctx, NULL, NULL)))
8056 goto end;
8057
8058 if (tst == 0)
8059 cert_cb_cnt = -1;
8060 else if (tst >= 3)
8061 cert_cb_cnt = 3;
8062 else
8063 cert_cb_cnt = 0;
8064
8065 if (tst == 2)
8066 snictx = SSL_CTX_new(TLS_server_method());
8067 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8068
8069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8070 NULL, NULL)))
8071 goto end;
8072
8073 if (tst == 4) {
8074 /*
8075 * We cause SSL_check_chain() to fail by specifying sig_algs that
8076 * the chain doesn't meet (the root uses an RSA cert)
8077 */
8078 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8079 "ecdsa_secp256r1_sha256")))
8080 goto end;
8081 } else if (tst == 5) {
8082 /*
8083 * We cause SSL_check_chain() to fail by specifying sig_algs that
8084 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8085 */
8086 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8087 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8088 goto end;
8089 }
8090
8091 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8092 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8093 || (tst > 0
8094 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8095 goto end;
8096 }
8097
8098 testresult = 1;
8099
8100 end:
8101 SSL_free(serverssl);
8102 SSL_free(clientssl);
8103 SSL_CTX_free(sctx);
8104 SSL_CTX_free(cctx);
8105 SSL_CTX_free(snictx);
8106
8107 return testresult;
8108}
8109#endif
8110
8111static int test_cert_cb(int tst)
8112{
8113 int testresult = 1;
8114
8115#ifndef OPENSSL_NO_TLS1_2
8116 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8117#endif
8118#ifndef OSSL_NO_USABLE_TLS1_3
8119 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8120#endif
8121
8122 return testresult;
8123}
8124
8125static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8126{
8127 X509 *xcert;
8128 EVP_PKEY *privpkey;
8129 BIO *in = NULL;
8130 BIO *priv_in = NULL;
8131
8132 /* Check that SSL_get0_peer_certificate() returns something sensible */
8133 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8134 return 0;
8135
8136 in = BIO_new_file(cert, "r");
8137 if (!TEST_ptr(in))
8138 return 0;
8139
8140 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8141 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8142 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8143 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8144 NULL, NULL,
8145 libctx, NULL)))
8146 goto err;
8147
8148 *x509 = xcert;
8149 *pkey = privpkey;
8150
8151 BIO_free(in);
8152 BIO_free(priv_in);
8153 return 1;
8154err:
8155 X509_free(xcert);
8156 BIO_free(in);
8157 BIO_free(priv_in);
8158 return 0;
8159}
8160
8161static int test_client_cert_cb(int tst)
8162{
8163 SSL_CTX *cctx = NULL, *sctx = NULL;
8164 SSL *clientssl = NULL, *serverssl = NULL;
8165 int testresult = 0;
8166
8167#ifdef OPENSSL_NO_TLS1_2
8168 if (tst == 0)
8169 return 1;
8170#endif
8171#ifdef OSSL_NO_USABLE_TLS1_3
8172 if (tst == 1)
8173 return 1;
8174#endif
8175
8176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8177 TLS_client_method(),
8178 TLS1_VERSION,
8179 tst == 0 ? TLS1_2_VERSION
8180 : TLS1_3_VERSION,
8181 &sctx, &cctx, cert, privkey)))
8182 goto end;
8183
8184 /*
8185 * Test that setting a client_cert_cb results in a client certificate being
8186 * sent.
8187 */
8188 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8189 SSL_CTX_set_verify(sctx,
8190 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8191 verify_cb);
8192
8193 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8194 NULL, NULL))
8195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8196 SSL_ERROR_NONE)))
8197 goto end;
8198
8199 testresult = 1;
8200
8201 end:
8202 SSL_free(serverssl);
8203 SSL_free(clientssl);
8204 SSL_CTX_free(sctx);
8205 SSL_CTX_free(cctx);
8206
8207 return testresult;
8208}
8209
8210#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8211/*
8212 * Test setting certificate authorities on both client and server.
8213 *
8214 * Test 0: SSL_CTX_set0_CA_list() only
8215 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8216 * Test 2: Only SSL_CTX_set_client_CA_list()
8217 */
8218static int test_ca_names_int(int prot, int tst)
8219{
8220 SSL_CTX *cctx = NULL, *sctx = NULL;
8221 SSL *clientssl = NULL, *serverssl = NULL;
8222 int testresult = 0;
8223 size_t i;
8224 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8225 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8226 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8227 const STACK_OF(X509_NAME) *sktmp = NULL;
8228
8229 for (i = 0; i < OSSL_NELEM(name); i++) {
8230 name[i] = X509_NAME_new();
8231 if (!TEST_ptr(name[i])
8232 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8233 MBSTRING_ASC,
8234 (unsigned char *)
8235 strnames[i],
8236 -1, -1, 0)))
8237 goto end;
8238 }
8239
8240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8241 TLS_client_method(),
8242 TLS1_VERSION,
8243 prot,
8244 &sctx, &cctx, cert, privkey)))
8245 goto end;
8246
8247 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8248
8249 if (tst == 0 || tst == 1) {
8250 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8251 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8252 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8253 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8254 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8255 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8256 goto end;
8257
8258 SSL_CTX_set0_CA_list(sctx, sk1);
8259 SSL_CTX_set0_CA_list(cctx, sk2);
8260 sk1 = sk2 = NULL;
8261 }
8262 if (tst == 1 || tst == 2) {
8263 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8264 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8265 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8266 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8267 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8268 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8269 goto end;
8270
8271 SSL_CTX_set_client_CA_list(sctx, sk1);
8272 SSL_CTX_set_client_CA_list(cctx, sk2);
8273 sk1 = sk2 = NULL;
8274 }
8275
8276 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8277 NULL, NULL))
8278 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8279 SSL_ERROR_NONE)))
8280 goto end;
8281
8282 /*
8283 * We only expect certificate authorities to have been sent to the server
8284 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8285 */
8286 sktmp = SSL_get0_peer_CA_list(serverssl);
8287 if (prot == TLS1_3_VERSION
8288 && (tst == 0 || tst == 1)) {
8289 if (!TEST_ptr(sktmp)
8290 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8291 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8292 name[0]), 0)
8293 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8294 name[1]), 0))
8295 goto end;
8296 } else if (!TEST_ptr_null(sktmp)) {
8297 goto end;
8298 }
8299
8300 /*
8301 * In all tests we expect certificate authorities to have been sent to the
8302 * client. However, SSL_set_client_CA_list() should override
8303 * SSL_set0_CA_list()
8304 */
8305 sktmp = SSL_get0_peer_CA_list(clientssl);
8306 if (!TEST_ptr(sktmp)
8307 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8308 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8309 name[tst == 0 ? 0 : 2]), 0)
8310 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8311 name[tst == 0 ? 1 : 3]), 0))
8312 goto end;
8313
8314 testresult = 1;
8315
8316 end:
8317 SSL_free(serverssl);
8318 SSL_free(clientssl);
8319 SSL_CTX_free(sctx);
8320 SSL_CTX_free(cctx);
8321 for (i = 0; i < OSSL_NELEM(name); i++)
8322 X509_NAME_free(name[i]);
8323 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8324 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8325
8326 return testresult;
8327}
8328#endif
8329
8330static int test_ca_names(int tst)
8331{
8332 int testresult = 1;
8333
8334#ifndef OPENSSL_NO_TLS1_2
8335 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8336#endif
8337#ifndef OSSL_NO_USABLE_TLS1_3
8338 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8339#endif
8340
8341 return testresult;
8342}
8343
8344#ifndef OPENSSL_NO_TLS1_2
8345static const char *multiblock_cipherlist_data[]=
8346{
8347 "AES128-SHA",
8348 "AES128-SHA256",
8349 "AES256-SHA",
8350 "AES256-SHA256",
8351};
8352
8353/* Reduce the fragment size - so the multiblock test buffer can be small */
8354# define MULTIBLOCK_FRAGSIZE 512
8355
8356static int test_multiblock_write(int test_index)
8357{
8358 static const char *fetchable_ciphers[]=
8359 {
8360 "AES-128-CBC-HMAC-SHA1",
8361 "AES-128-CBC-HMAC-SHA256",
8362 "AES-256-CBC-HMAC-SHA1",
8363 "AES-256-CBC-HMAC-SHA256"
8364 };
8365 const char *cipherlist = multiblock_cipherlist_data[test_index];
8366 const SSL_METHOD *smeth = TLS_server_method();
8367 const SSL_METHOD *cmeth = TLS_client_method();
8368 int min_version = TLS1_VERSION;
8369 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8370 SSL_CTX *cctx = NULL, *sctx = NULL;
8371 SSL *clientssl = NULL, *serverssl = NULL;
8372 int testresult = 0;
8373
8374 /*
8375 * Choose a buffer large enough to perform a multi-block operation
8376 * i.e: write_len >= 4 * frag_size
8377 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8378 */
8379 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8380 unsigned char buf[sizeof(msg)], *p = buf;
8381 size_t readbytes, written, len;
8382 EVP_CIPHER *ciph = NULL;
8383
8384 /*
8385 * Check if the cipher exists before attempting to use it since it only has
8386 * a hardware specific implementation.
8387 */
8388 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8389 if (ciph == NULL) {
8390 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8391 return 1;
8392 }
8393 EVP_CIPHER_free(ciph);
8394
8395 /* Set up a buffer with some data that will be sent to the client */
8396 RAND_bytes(msg, sizeof(msg));
8397
8398 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8399 max_version, &sctx, &cctx, cert,
8400 privkey)))
8401 goto end;
8402
8403 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8404 goto end;
8405
8406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8407 NULL, NULL)))
8408 goto end;
8409
8410 /* settings to force it to use AES-CBC-HMAC_SHA */
8411 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8412 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8413 goto end;
8414
8415 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8416 goto end;
8417
8418 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8419 || !TEST_size_t_eq(written, sizeof(msg)))
8420 goto end;
8421
8422 len = written;
8423 while (len > 0) {
8424 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8425 goto end;
8426 p += readbytes;
8427 len -= readbytes;
8428 }
8429 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8430 goto end;
8431
8432 testresult = 1;
8433end:
8434 SSL_free(serverssl);
8435 SSL_free(clientssl);
8436 SSL_CTX_free(sctx);
8437 SSL_CTX_free(cctx);
8438
8439 return testresult;
8440}
8441#endif /* OPENSSL_NO_TLS1_2 */
8442
8443static int test_session_timeout(int test)
8444{
8445 /*
8446 * Test session ordering and timeout
8447 * Can't explicitly test performance of the new code,
8448 * but can test to see if the ordering of the sessions
8449 * are correct, and they they are removed as expected
8450 */
8451 SSL_SESSION *early = NULL;
8452 SSL_SESSION *middle = NULL;
8453 SSL_SESSION *late = NULL;
8454 SSL_CTX *ctx;
8455 int testresult = 0;
8456 long now = (long)time(NULL);
8457#define TIMEOUT 10
8458
8459 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8460 || !TEST_ptr(early = SSL_SESSION_new())
8461 || !TEST_ptr(middle = SSL_SESSION_new())
8462 || !TEST_ptr(late = SSL_SESSION_new()))
8463 goto end;
8464
8465 /* assign unique session ids */
8466 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8467 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8468 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8469 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8470 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8471 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8472
8473 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8474 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8475 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8476 goto end;
8477
8478 /* Make sure they are all added */
8479 if (!TEST_ptr(early->prev)
8480 || !TEST_ptr(middle->prev)
8481 || !TEST_ptr(late->prev))
8482 goto end;
8483
8484 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8485 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8486 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8487 goto end;
8488
8489 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8490 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8491 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8492 goto end;
8493
8494 /* Make sure they are all still there */
8495 if (!TEST_ptr(early->prev)
8496 || !TEST_ptr(middle->prev)
8497 || !TEST_ptr(late->prev))
8498 goto end;
8499
8500 /* Make sure they are in the expected order */
8501 if (!TEST_ptr_eq(late->next, middle)
8502 || !TEST_ptr_eq(middle->next, early)
8503 || !TEST_ptr_eq(early->prev, middle)
8504 || !TEST_ptr_eq(middle->prev, late))
8505 goto end;
8506
8507 /* This should remove "early" */
8508 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8509 if (!TEST_ptr_null(early->prev)
8510 || !TEST_ptr(middle->prev)
8511 || !TEST_ptr(late->prev))
8512 goto end;
8513
8514 /* This should remove "middle" */
8515 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8516 if (!TEST_ptr_null(early->prev)
8517 || !TEST_ptr_null(middle->prev)
8518 || !TEST_ptr(late->prev))
8519 goto end;
8520
8521 /* This should remove "late" */
8522 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8523 if (!TEST_ptr_null(early->prev)
8524 || !TEST_ptr_null(middle->prev)
8525 || !TEST_ptr_null(late->prev))
8526 goto end;
8527
8528 /* Add them back in again */
8529 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8530 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8531 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8532 goto end;
8533
8534 /* Make sure they are all added */
8535 if (!TEST_ptr(early->prev)
8536 || !TEST_ptr(middle->prev)
8537 || !TEST_ptr(late->prev))
8538 goto end;
8539
8540 /* This should remove all of them */
8541 SSL_CTX_flush_sessions(ctx, 0);
8542 if (!TEST_ptr_null(early->prev)
8543 || !TEST_ptr_null(middle->prev)
8544 || !TEST_ptr_null(late->prev))
8545 goto end;
8546
8547 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8548 | SSL_CTX_get_session_cache_mode(ctx));
8549
8550 /* make sure |now| is NOT equal to the current time */
8551 now -= 10;
8552 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8553 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8554 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8555 goto end;
8556
8557 testresult = 1;
8558 end:
8559 SSL_CTX_free(ctx);
8560 SSL_SESSION_free(early);
8561 SSL_SESSION_free(middle);
8562 SSL_SESSION_free(late);
8563 return testresult;
8564}
8565
8566/*
8567 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8568 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8569 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8570 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8571 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8572 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8573 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8574 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8575 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8576 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8577 */
8578static int test_servername(int tst)
8579{
8580 SSL_CTX *cctx = NULL, *sctx = NULL;
8581 SSL *clientssl = NULL, *serverssl = NULL;
8582 int testresult = 0;
8583 SSL_SESSION *sess = NULL;
8584 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8585
8586#ifdef OPENSSL_NO_TLS1_2
8587 if (tst <= 4)
8588 return 1;
8589#endif
8590#ifdef OSSL_NO_USABLE_TLS1_3
8591 if (tst >= 5)
8592 return 1;
8593#endif
8594
8595 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8596 TLS_client_method(),
8597 TLS1_VERSION,
8598 (tst <= 4) ? TLS1_2_VERSION
8599 : TLS1_3_VERSION,
8600 &sctx, &cctx, cert, privkey))
8601 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8602 NULL, NULL)))
8603 goto end;
8604
8605 if (tst != 1 && tst != 6) {
8606 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8607 hostname_cb)))
8608 goto end;
8609 }
8610
8611 if (tst != 3 && tst != 8) {
8612 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8613 goto end;
8614 sexpectedhost = cexpectedhost = "goodhost";
8615 }
8616
8617 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8618 goto end;
8619
8620 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8621 cexpectedhost)
8622 || !TEST_str_eq(SSL_get_servername(serverssl,
8623 TLSEXT_NAMETYPE_host_name),
8624 sexpectedhost))
8625 goto end;
8626
8627 /* Now repeat with a resumption handshake */
8628
8629 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8630 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8631 || !TEST_true(SSL_SESSION_is_resumable(sess))
8632 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8633 goto end;
8634
8635 SSL_free(clientssl);
8636 SSL_free(serverssl);
8637 clientssl = serverssl = NULL;
8638
8639 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8640 NULL)))
8641 goto end;
8642
8643 if (!TEST_true(SSL_set_session(clientssl, sess)))
8644 goto end;
8645
8646 sexpectedhost = cexpectedhost = "goodhost";
8647 if (tst == 2 || tst == 7) {
8648 /* Set an inconsistent hostname */
8649 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8650 goto end;
8651 /*
8652 * In TLSv1.2 we expect the hostname from the original handshake, in
8653 * TLSv1.3 we expect the hostname from this handshake
8654 */
8655 if (tst == 7)
8656 sexpectedhost = cexpectedhost = "altgoodhost";
8657
8658 if (!TEST_str_eq(SSL_get_servername(clientssl,
8659 TLSEXT_NAMETYPE_host_name),
8660 "altgoodhost"))
8661 goto end;
8662 } else if (tst == 4 || tst == 9) {
8663 /*
8664 * A TLSv1.3 session does not associate a session with a servername,
8665 * but a TLSv1.2 session does.
8666 */
8667 if (tst == 9)
8668 sexpectedhost = cexpectedhost = NULL;
8669
8670 if (!TEST_str_eq(SSL_get_servername(clientssl,
8671 TLSEXT_NAMETYPE_host_name),
8672 cexpectedhost))
8673 goto end;
8674 } else {
8675 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8676 goto end;
8677 /*
8678 * In a TLSv1.2 resumption where the hostname was not acknowledged
8679 * we expect the hostname on the server to be empty. On the client we
8680 * return what was requested in this case.
8681 *
8682 * Similarly if the client didn't set a hostname on an original TLSv1.2
8683 * session but is now, the server hostname will be empty, but the client
8684 * is as we set it.
8685 */
8686 if (tst == 1 || tst == 3)
8687 sexpectedhost = NULL;
8688
8689 if (!TEST_str_eq(SSL_get_servername(clientssl,
8690 TLSEXT_NAMETYPE_host_name),
8691 "goodhost"))
8692 goto end;
8693 }
8694
8695 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8696 goto end;
8697
8698 if (!TEST_true(SSL_session_reused(clientssl))
8699 || !TEST_true(SSL_session_reused(serverssl))
8700 || !TEST_str_eq(SSL_get_servername(clientssl,
8701 TLSEXT_NAMETYPE_host_name),
8702 cexpectedhost)
8703 || !TEST_str_eq(SSL_get_servername(serverssl,
8704 TLSEXT_NAMETYPE_host_name),
8705 sexpectedhost))
8706 goto end;
8707
8708 testresult = 1;
8709
8710 end:
8711 SSL_SESSION_free(sess);
8712 SSL_free(serverssl);
8713 SSL_free(clientssl);
8714 SSL_CTX_free(sctx);
8715 SSL_CTX_free(cctx);
8716
8717 return testresult;
8718}
8719
8720#if !defined(OPENSSL_NO_EC) \
8721 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8722/*
8723 * Test that if signature algorithms are not available, then we do not offer or
8724 * accept them.
8725 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8726 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8727 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8728 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8729 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8730 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8731 */
8732static int test_sigalgs_available(int idx)
8733{
8734 SSL_CTX *cctx = NULL, *sctx = NULL;
8735 SSL *clientssl = NULL, *serverssl = NULL;
8736 int testresult = 0;
8737 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8738 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8739 OSSL_PROVIDER *filterprov = NULL;
8740 int sig, hash;
8741
8742 if (!TEST_ptr(tmpctx))
8743 goto end;
8744
8745 if (idx != 0 && idx != 3) {
8746 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8747 filter_provider_init)))
8748 goto end;
8749
8750 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8751 if (!TEST_ptr(filterprov))
8752 goto end;
8753
8754 if (idx < 3) {
8755 /*
8756 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8757 * or accepted for the peer that uses this libctx. Note that libssl
8758 * *requires* SHA2-256 to be available so we cannot disable that. We
8759 * also need SHA1 for our certificate.
8760 */
8761 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8762 "SHA2-256:SHA1")))
8763 goto end;
8764 } else {
8765 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8766 "ECDSA"))
8767 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8768 "EC:X25519:X448")))
8769 goto end;
8770 }
8771
8772 if (idx == 1 || idx == 4)
8773 clientctx = tmpctx;
8774 else
8775 serverctx = tmpctx;
8776 }
8777
8778 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8779 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8780 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8781 goto end;
8782
8783 if (idx != 5) {
8784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8785 TLS_client_method(),
8786 TLS1_VERSION,
8787 0,
8788 &sctx, &cctx, cert, privkey)))
8789 goto end;
8790 } else {
8791 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8792 TLS_client_method(),
8793 TLS1_VERSION,
8794 0,
8795 &sctx, &cctx, cert2, privkey2)))
8796 goto end;
8797 }
8798
8799 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8800 if (idx < 4) {
8801 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8802 "ECDHE-RSA-AES128-GCM-SHA256")))
8803 goto end;
8804 } else {
8805 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8806 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8807 goto end;
8808 }
8809
8810 if (idx < 3) {
8811 if (!SSL_CTX_set1_sigalgs_list(cctx,
8812 "rsa_pss_rsae_sha384"
8813 ":rsa_pss_rsae_sha256")
8814 || !SSL_CTX_set1_sigalgs_list(sctx,
8815 "rsa_pss_rsae_sha384"
8816 ":rsa_pss_rsae_sha256"))
8817 goto end;
8818 } else {
8819 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8820 || !SSL_CTX_set1_sigalgs_list(sctx,
8821 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8822 goto end;
8823 }
8824
8825 if (idx != 5
8826 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8827 SSL_FILETYPE_PEM), 1)
8828 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8829 privkey2,
8830 SSL_FILETYPE_PEM), 1)
8831 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8832 goto end;
8833
8834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8835 NULL, NULL)))
8836 goto end;
8837
8838 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8839 goto end;
8840
8841 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8842 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8843 NULL, NULL),
8844 (idx == 0 || idx == 3) ? 2 : 1))
8845 goto end;
8846
8847 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8848 goto end;
8849
8850 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8851 : NID_rsassaPss))
8852 goto end;
8853
8854 testresult = filter_provider_check_clean_finish();
8855
8856 end:
8857 SSL_free(serverssl);
8858 SSL_free(clientssl);
8859 SSL_CTX_free(sctx);
8860 SSL_CTX_free(cctx);
8861 OSSL_PROVIDER_unload(filterprov);
8862 OSSL_LIB_CTX_free(tmpctx);
8863
8864 return testresult;
8865}
8866#endif /*
8867 * !defined(OPENSSL_NO_EC) \
8868 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8869 */
8870
8871#ifndef OPENSSL_NO_TLS1_3
8872/* This test can run in TLSv1.3 even if ec and dh are disabled */
8873static int test_pluggable_group(int idx)
8874{
8875 SSL_CTX *cctx = NULL, *sctx = NULL;
8876 SSL *clientssl = NULL, *serverssl = NULL;
8877 int testresult = 0;
8878 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8879 /* Check that we are not impacted by a provider without any groups */
8880 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8881 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8882
8883 if (!TEST_ptr(tlsprov))
8884 goto end;
8885
8886 if (legacyprov == NULL) {
8887 /*
8888 * In this case we assume we've been built with "no-legacy" and skip
8889 * this test (there is no OPENSSL_NO_LEGACY)
8890 */
8891 testresult = 1;
8892 goto end;
8893 }
8894
8895 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8896 TLS_client_method(),
8897 TLS1_3_VERSION,
8898 TLS1_3_VERSION,
8899 &sctx, &cctx, cert, privkey))
8900 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8901 NULL, NULL)))
8902 goto end;
8903
8904 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8905 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8906 goto end;
8907
8908 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8909 goto end;
8910
8911 if (!TEST_str_eq(group_name,
8912 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8913 goto end;
8914
8915 testresult = 1;
8916
8917 end:
8918 SSL_free(serverssl);
8919 SSL_free(clientssl);
8920 SSL_CTX_free(sctx);
8921 SSL_CTX_free(cctx);
8922 OSSL_PROVIDER_unload(tlsprov);
8923 OSSL_PROVIDER_unload(legacyprov);
8924
8925 return testresult;
8926}
8927#endif
8928
8929#ifndef OPENSSL_NO_TLS1_2
8930static int test_ssl_dup(void)
8931{
8932 SSL_CTX *cctx = NULL, *sctx = NULL;
8933 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8934 int testresult = 0;
8935 BIO *rbio = NULL, *wbio = NULL;
8936
8937 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8938 TLS_client_method(),
8939 0,
8940 0,
8941 &sctx, &cctx, cert, privkey)))
8942 goto end;
8943
8944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8945 NULL, NULL)))
8946 goto end;
8947
8948 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8949 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8950 goto end;
8951
8952 client2ssl = SSL_dup(clientssl);
8953 rbio = SSL_get_rbio(clientssl);
8954 if (!TEST_ptr(rbio)
8955 || !TEST_true(BIO_up_ref(rbio)))
8956 goto end;
8957 SSL_set0_rbio(client2ssl, rbio);
8958 rbio = NULL;
8959
8960 wbio = SSL_get_wbio(clientssl);
8961 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8962 goto end;
8963 SSL_set0_wbio(client2ssl, wbio);
8964 rbio = NULL;
8965
8966 if (!TEST_ptr(client2ssl)
8967 /* Handshake not started so pointers should be different */
8968 || !TEST_ptr_ne(clientssl, client2ssl))
8969 goto end;
8970
8971 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8972 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8973 goto end;
8974
8975 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8976 goto end;
8977
8978 SSL_free(clientssl);
8979 clientssl = SSL_dup(client2ssl);
8980 if (!TEST_ptr(clientssl)
8981 /* Handshake has finished so pointers should be the same */
8982 || !TEST_ptr_eq(clientssl, client2ssl))
8983 goto end;
8984
8985 testresult = 1;
8986
8987 end:
8988 SSL_free(serverssl);
8989 SSL_free(clientssl);
8990 SSL_free(client2ssl);
8991 SSL_CTX_free(sctx);
8992 SSL_CTX_free(cctx);
8993
8994 return testresult;
8995}
8996
8997# ifndef OPENSSL_NO_DH
8998
8999static EVP_PKEY *tmp_dh_params = NULL;
9000
9001/* Helper function for the test_set_tmp_dh() tests */
9002static EVP_PKEY *get_tmp_dh_params(void)
9003{
9004 if (tmp_dh_params == NULL) {
9005 BIGNUM *p = NULL;
9006 OSSL_PARAM_BLD *tmpl = NULL;
9007 EVP_PKEY_CTX *pctx = NULL;
9008 OSSL_PARAM *params = NULL;
9009 EVP_PKEY *dhpkey = NULL;
9010
9011 p = BN_get_rfc3526_prime_2048(NULL);
9012 if (!TEST_ptr(p))
9013 goto end;
9014
9015 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9016 if (!TEST_ptr(pctx)
9017 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9018 goto end;
9019
9020 tmpl = OSSL_PARAM_BLD_new();
9021 if (!TEST_ptr(tmpl)
9022 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9023 OSSL_PKEY_PARAM_FFC_P,
9024 p))
9025 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9026 OSSL_PKEY_PARAM_FFC_G,
9027 2)))
9028 goto end;
9029
9030 params = OSSL_PARAM_BLD_to_param(tmpl);
9031 if (!TEST_ptr(params)
9032 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9033 EVP_PKEY_KEY_PARAMETERS,
9034 params), 1))
9035 goto end;
9036
9037 tmp_dh_params = dhpkey;
9038 end:
9039 BN_free(p);
9040 EVP_PKEY_CTX_free(pctx);
9041 OSSL_PARAM_BLD_free(tmpl);
9042 OSSL_PARAM_free(params);
9043 }
9044
9045 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9046 return NULL;
9047
9048 return tmp_dh_params;
9049}
9050
9051# ifndef OPENSSL_NO_DEPRECATED_3_0
9052/* Callback used by test_set_tmp_dh() */
9053static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9054{
9055 EVP_PKEY *dhpkey = get_tmp_dh_params();
9056 DH *ret = NULL;
9057
9058 if (!TEST_ptr(dhpkey))
9059 return NULL;
9060
9061 /*
9062 * libssl does not free the returned DH, so we free it now knowing that even
9063 * after we free dhpkey, there will still be a reference to the owning
9064 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9065 * of time we need it for.
9066 */
9067 ret = EVP_PKEY_get1_DH(dhpkey);
9068 DH_free(ret);
9069
9070 EVP_PKEY_free(dhpkey);
9071
9072 return ret;
9073}
9074# endif
9075
9076/*
9077 * Test the various methods for setting temporary DH parameters
9078 *
9079 * Test 0: Default (no auto) setting
9080 * Test 1: Explicit SSL_CTX auto off
9081 * Test 2: Explicit SSL auto off
9082 * Test 3: Explicit SSL_CTX auto on
9083 * Test 4: Explicit SSL auto on
9084 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9085 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9086 *
9087 * The following are testing deprecated APIs, so we only run them if available
9088 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9089 * Test 8: Explicit SSL auto off, custom DH params via DH
9090 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9091 * Test 10: Explicit SSL auto off, custom DH params via callback
9092 */
9093static int test_set_tmp_dh(int idx)
9094{
9095 SSL_CTX *cctx = NULL, *sctx = NULL;
9096 SSL *clientssl = NULL, *serverssl = NULL;
9097 int testresult = 0;
9098 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9099 int expected = (idx <= 2) ? 0 : 1;
9100 EVP_PKEY *dhpkey = NULL;
9101# ifndef OPENSSL_NO_DEPRECATED_3_0
9102 DH *dh = NULL;
9103# else
9104
9105 if (idx >= 7)
9106 return 1;
9107# endif
9108
9109 if (idx >= 5 && idx <= 8) {
9110 dhpkey = get_tmp_dh_params();
9111 if (!TEST_ptr(dhpkey))
9112 goto end;
9113 }
9114# ifndef OPENSSL_NO_DEPRECATED_3_0
9115 if (idx == 7 || idx == 8) {
9116 dh = EVP_PKEY_get1_DH(dhpkey);
9117 if (!TEST_ptr(dh))
9118 goto end;
9119 }
9120# endif
9121
9122 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9123 TLS_client_method(),
9124 0,
9125 0,
9126 &sctx, &cctx, cert, privkey)))
9127 goto end;
9128
9129 if ((idx & 1) == 1) {
9130 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9131 goto end;
9132 }
9133
9134 if (idx == 5) {
9135 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9136 goto end;
9137 dhpkey = NULL;
9138 }
9139# ifndef OPENSSL_NO_DEPRECATED_3_0
9140 else if (idx == 7) {
9141 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9142 goto end;
9143 } else if (idx == 9) {
9144 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9145 }
9146# endif
9147
9148 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9149 NULL, NULL)))
9150 goto end;
9151
9152 if ((idx & 1) == 0 && idx != 0) {
9153 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9154 goto end;
9155 }
9156 if (idx == 6) {
9157 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9158 goto end;
9159 dhpkey = NULL;
9160 }
9161# ifndef OPENSSL_NO_DEPRECATED_3_0
9162 else if (idx == 8) {
9163 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9164 goto end;
9165 } else if (idx == 10) {
9166 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9167 }
9168# endif
9169
9170 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9171 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9172 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9173 goto end;
9174
9175 /*
9176 * If autoon then we should succeed. Otherwise we expect failure because
9177 * there are no parameters
9178 */
9179 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9180 SSL_ERROR_NONE), expected))
9181 goto end;
9182
9183 testresult = 1;
9184
9185 end:
9186# ifndef OPENSSL_NO_DEPRECATED_3_0
9187 DH_free(dh);
9188# endif
9189 SSL_free(serverssl);
9190 SSL_free(clientssl);
9191 SSL_CTX_free(sctx);
9192 SSL_CTX_free(cctx);
9193 EVP_PKEY_free(dhpkey);
9194
9195 return testresult;
9196}
9197
9198/*
9199 * Test the auto DH keys are appropriately sized
9200 */
9201static int test_dh_auto(int idx)
9202{
9203 SSL_CTX *cctx = NULL, *sctx = NULL;
9204 SSL *clientssl = NULL, *serverssl = NULL;
9205 int testresult = 0;
9206 EVP_PKEY *tmpkey = NULL;
9207 char *thiscert = NULL, *thiskey = NULL;
9208 size_t expdhsize = 0;
9209 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9210
9211 switch (idx) {
9212 case 0:
9213 /* The FIPS provider doesn't support this DH size - so we ignore it */
9214 if (is_fips)
9215 return 1;
9216 thiscert = cert1024;
9217 thiskey = privkey1024;
9218 expdhsize = 1024;
9219 break;
9220 case 1:
9221 /* 2048 bit prime */
9222 thiscert = cert;
9223 thiskey = privkey;
9224 expdhsize = 2048;
9225 break;
9226 case 2:
9227 thiscert = cert3072;
9228 thiskey = privkey3072;
9229 expdhsize = 3072;
9230 break;
9231 case 3:
9232 thiscert = cert4096;
9233 thiskey = privkey4096;
9234 expdhsize = 4096;
9235 break;
9236 case 4:
9237 thiscert = cert8192;
9238 thiskey = privkey8192;
9239 expdhsize = 8192;
9240 break;
9241 /* No certificate cases */
9242 case 5:
9243 /* The FIPS provider doesn't support this DH size - so we ignore it */
9244 if (is_fips)
9245 return 1;
9246 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9247 expdhsize = 1024;
9248 break;
9249 case 6:
9250 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9251 expdhsize = 3072;
9252 break;
9253 default:
9254 TEST_error("Invalid text index");
9255 goto end;
9256 }
9257
9258 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9259 TLS_client_method(),
9260 0,
9261 0,
9262 &sctx, &cctx, thiscert, thiskey)))
9263 goto end;
9264
9265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9266 NULL, NULL)))
9267 goto end;
9268
9269 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9270 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9271 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9272 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9273 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9274 goto end;
9275
9276 /*
9277 * Send the server's first flight. At this point the server has created the
9278 * temporary DH key but hasn't finished using it yet. Once used it is
9279 * removed, so we cannot test it.
9280 */
9281 if (!TEST_int_le(SSL_connect(clientssl), 0)
9282 || !TEST_int_le(SSL_accept(serverssl), 0))
9283 goto end;
9284
9285 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9286 goto end;
9287 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9288 goto end;
9289
9290 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9291 goto end;
9292
9293 testresult = 1;
9294
9295 end:
9296 SSL_free(serverssl);
9297 SSL_free(clientssl);
9298 SSL_CTX_free(sctx);
9299 SSL_CTX_free(cctx);
9300 EVP_PKEY_free(tmpkey);
9301
9302 return testresult;
9303
9304}
9305# endif /* OPENSSL_NO_DH */
9306#endif /* OPENSSL_NO_TLS1_2 */
9307
9308#ifndef OSSL_NO_USABLE_TLS1_3
9309/*
9310 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9311 * that it works even without a certificate configured for the original
9312 * SSL_CTX
9313 */
9314static int test_sni_tls13(void)
9315{
9316 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9317 SSL *clientssl = NULL, *serverssl = NULL;
9318 int testresult = 0;
9319
9320 /* Reset callback counter */
9321 snicb = 0;
9322
9323 /* Create an initial SSL_CTX with no certificate configured */
9324 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9325 if (!TEST_ptr(sctx))
9326 goto end;
9327 /* Require TLSv1.3 as a minimum */
9328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9329 TLS_client_method(), TLS1_3_VERSION, 0,
9330 &sctx2, &cctx, cert, privkey)))
9331 goto end;
9332
9333 /* Set up SNI */
9334 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9335 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9336 goto end;
9337
9338 /*
9339 * Connection should still succeed because the final SSL_CTX has the right
9340 * certificates configured.
9341 */
9342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9343 &clientssl, NULL, NULL))
9344 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9345 SSL_ERROR_NONE)))
9346 goto end;
9347
9348 /* We should have had the SNI callback called exactly once */
9349 if (!TEST_int_eq(snicb, 1))
9350 goto end;
9351
9352 testresult = 1;
9353
9354end:
9355 SSL_free(serverssl);
9356 SSL_free(clientssl);
9357 SSL_CTX_free(sctx2);
9358 SSL_CTX_free(sctx);
9359 SSL_CTX_free(cctx);
9360 return testresult;
9361}
9362#endif
9363/*
9364 * Test that setting an ALPN does not violate RFC
9365 */
9366static int test_set_alpn(void)
9367{
9368 SSL_CTX *ctx = NULL;
9369 SSL *ssl = NULL;
9370 int testresult = 0;
9371
9372 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9373 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9374 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9375 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9376 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9377 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9378
9379 /* Create an initial SSL_CTX with no certificate configured */
9380 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9381 if (!TEST_ptr(ctx))
9382 goto end;
9383
9384 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9385 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9386 goto end;
9387 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9388 goto end;
9389 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9390 goto end;
9391 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9392 goto end;
9393 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9394 goto end;
9395 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9396 goto end;
9397 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9398 goto end;
9399 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9400 goto end;
9401 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9402 goto end;
9403
9404 ssl = SSL_new(ctx);
9405 if (!TEST_ptr(ssl))
9406 goto end;
9407
9408 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9409 goto end;
9410 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9411 goto end;
9412 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9413 goto end;
9414 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9415 goto end;
9416 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9417 goto end;
9418 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9419 goto end;
9420 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9421 goto end;
9422 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9423 goto end;
9424 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9425 goto end;
9426
9427 testresult = 1;
9428
9429end:
9430 SSL_free(ssl);
9431 SSL_CTX_free(ctx);
9432 return testresult;
9433}
9434
9435static int test_inherit_verify_param(void)
9436{
9437 int testresult = 0;
9438
9439 SSL_CTX *ctx = NULL;
9440 X509_VERIFY_PARAM *cp = NULL;
9441 SSL *ssl = NULL;
9442 X509_VERIFY_PARAM *sp = NULL;
9443 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9444
9445 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9446 if (!TEST_ptr(ctx))
9447 goto end;
9448
9449 cp = SSL_CTX_get0_param(ctx);
9450 if (!TEST_ptr(cp))
9451 goto end;
9452 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9453 goto end;
9454
9455 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9456
9457 ssl = SSL_new(ctx);
9458 if (!TEST_ptr(ssl))
9459 goto end;
9460
9461 sp = SSL_get0_param(ssl);
9462 if (!TEST_ptr(sp))
9463 goto end;
9464 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9465 goto end;
9466
9467 testresult = 1;
9468
9469 end:
9470 SSL_free(ssl);
9471 SSL_CTX_free(ctx);
9472
9473 return testresult;
9474}
9475
9476OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9477
9478int setup_tests(void)
9479{
9480 char *modulename;
9481 char *configfile;
9482
9483 libctx = OSSL_LIB_CTX_new();
9484 if (!TEST_ptr(libctx))
9485 return 0;
9486
9487 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9488
9489 /*
9490 * Verify that the default and fips providers in the default libctx are not
9491 * available
9492 */
9493 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9494 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9495 return 0;
9496
9497 if (!test_skip_common_options()) {
9498 TEST_error("Error parsing test options\n");
9499 return 0;
9500 }
9501
9502 if (!TEST_ptr(certsdir = test_get_argument(0))
9503 || !TEST_ptr(srpvfile = test_get_argument(1))
9504 || !TEST_ptr(tmpfilename = test_get_argument(2))
9505 || !TEST_ptr(modulename = test_get_argument(3))
9506 || !TEST_ptr(configfile = test_get_argument(4)))
9507 return 0;
9508
9509 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9510 return 0;
9511
9512 /* Check we have the expected provider available */
9513 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9514 return 0;
9515
9516 /* Check the default provider is not available */
9517 if (strcmp(modulename, "default") != 0
9518 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9519 return 0;
9520
9521 if (strcmp(modulename, "fips") == 0)
9522 is_fips = 1;
9523
9524 /*
9525 * We add, but don't load the test "tls-provider". We'll load it when we
9526 * need it.
9527 */
9528 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9529 tls_provider_init)))
9530 return 0;
9531
9532
9533 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9534#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9535 TEST_error("not supported in this build");
9536 return 0;
9537#else
9538 int i, mcount, rcount, fcount;
9539
9540 for (i = 0; i < 4; i++)
9541 test_export_key_mat(i);
9542 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9543 test_printf_stdout("malloc %d realloc %d free %d\n",
9544 mcount, rcount, fcount);
9545 return 1;
9546#endif
9547 }
9548
9549 cert = test_mk_file_path(certsdir, "servercert.pem");
9550 if (cert == NULL)
9551 goto err;
9552
9553 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9554 if (privkey == NULL)
9555 goto err;
9556
9557 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9558 if (cert2 == NULL)
9559 goto err;
9560
9561 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9562 if (privkey2 == NULL)
9563 goto err;
9564
9565 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9566 if (cert1024 == NULL)
9567 goto err;
9568
9569 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9570 if (privkey1024 == NULL)
9571 goto err;
9572
9573 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9574 if (cert3072 == NULL)
9575 goto err;
9576
9577 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9578 if (privkey3072 == NULL)
9579 goto err;
9580
9581 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9582 if (cert4096 == NULL)
9583 goto err;
9584
9585 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9586 if (privkey4096 == NULL)
9587 goto err;
9588
9589 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9590 if (cert8192 == NULL)
9591 goto err;
9592
9593 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9594 if (privkey8192 == NULL)
9595 goto err;
9596
9597#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9598# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9599 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9600 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9601# endif
9602#endif
9603 ADD_TEST(test_large_message_tls);
9604 ADD_TEST(test_large_message_tls_read_ahead);
9605#ifndef OPENSSL_NO_DTLS
9606 ADD_TEST(test_large_message_dtls);
9607#endif
9608 ADD_TEST(test_cleanse_plaintext);
9609#ifndef OPENSSL_NO_OCSP
9610 ADD_TEST(test_tlsext_status_type);
9611#endif
9612 ADD_TEST(test_session_with_only_int_cache);
9613 ADD_TEST(test_session_with_only_ext_cache);
9614 ADD_TEST(test_session_with_both_cache);
9615 ADD_TEST(test_session_wo_ca_names);
9616#ifndef OSSL_NO_USABLE_TLS1_3
9617 ADD_ALL_TESTS(test_stateful_tickets, 3);
9618 ADD_ALL_TESTS(test_stateless_tickets, 3);
9619 ADD_TEST(test_psk_tickets);
9620 ADD_ALL_TESTS(test_extra_tickets, 6);
9621#endif
9622 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9623 ADD_TEST(test_ssl_bio_pop_next_bio);
9624 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9625 ADD_TEST(test_ssl_bio_change_rbio);
9626 ADD_TEST(test_ssl_bio_change_wbio);
9627#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9628 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9629 ADD_TEST(test_keylog);
9630#endif
9631#ifndef OSSL_NO_USABLE_TLS1_3
9632 ADD_TEST(test_keylog_no_master_key);
9633#endif
9634 ADD_TEST(test_client_cert_verify_cb);
9635 ADD_TEST(test_ssl_build_cert_chain);
9636 ADD_TEST(test_ssl_ctx_build_cert_chain);
9637#ifndef OPENSSL_NO_TLS1_2
9638 ADD_TEST(test_client_hello_cb);
9639 ADD_TEST(test_no_ems);
9640 ADD_TEST(test_ccs_change_cipher);
9641#endif
9642#ifndef OSSL_NO_USABLE_TLS1_3
9643 ADD_ALL_TESTS(test_early_data_read_write, 3);
9644 /*
9645 * We don't do replay tests for external PSK. Replay protection isn't used
9646 * in that scenario.
9647 */
9648 ADD_ALL_TESTS(test_early_data_replay, 2);
9649 ADD_ALL_TESTS(test_early_data_skip, 3);
9650 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9651 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9652 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9653 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9654 ADD_ALL_TESTS(test_early_data_psk, 8);
9655 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9656 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9657# ifndef OPENSSL_NO_TLS1_2
9658 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9659# endif
9660#endif
9661#ifndef OSSL_NO_USABLE_TLS1_3
9662 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9663 ADD_TEST(test_ciphersuite_change);
9664 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9665# ifdef OPENSSL_NO_PSK
9666 ADD_ALL_TESTS(test_tls13_psk, 1);
9667# else
9668 ADD_ALL_TESTS(test_tls13_psk, 4);
9669# endif /* OPENSSL_NO_PSK */
9670# ifndef OPENSSL_NO_TLS1_2
9671 /* Test with both TLSv1.3 and 1.2 versions */
9672 ADD_ALL_TESTS(test_key_exchange, 14);
9673# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9674 ADD_ALL_TESTS(test_negotiated_group,
9675 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9676 + OSSL_NELEM(ffdhe_kexch_groups)));
9677# endif
9678# else
9679 /* Test with only TLSv1.3 versions */
9680 ADD_ALL_TESTS(test_key_exchange, 12);
9681# endif
9682 ADD_ALL_TESTS(test_custom_exts, 6);
9683 ADD_TEST(test_stateless);
9684 ADD_TEST(test_pha_key_update);
9685#else
9686 ADD_ALL_TESTS(test_custom_exts, 3);
9687#endif
9688 ADD_ALL_TESTS(test_serverinfo, 8);
9689 ADD_ALL_TESTS(test_export_key_mat, 6);
9690#ifndef OSSL_NO_USABLE_TLS1_3
9691 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9692 ADD_TEST(test_key_update);
9693 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9694 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9695 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9696 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9697#endif
9698 ADD_ALL_TESTS(test_ssl_clear, 2);
9699 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9700#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9701 ADD_ALL_TESTS(test_srp, 6);
9702#endif
9703 ADD_ALL_TESTS(test_info_callback, 6);
9704 ADD_ALL_TESTS(test_ssl_pending, 2);
9705 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9706 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9707 ADD_ALL_TESTS(test_shutdown, 7);
9708 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9709 ADD_ALL_TESTS(test_cert_cb, 6);
9710 ADD_ALL_TESTS(test_client_cert_cb, 2);
9711 ADD_ALL_TESTS(test_ca_names, 3);
9712#ifndef OPENSSL_NO_TLS1_2
9713 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9714#endif
9715 ADD_ALL_TESTS(test_servername, 10);
9716#if !defined(OPENSSL_NO_EC) \
9717 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9718 ADD_ALL_TESTS(test_sigalgs_available, 6);
9719#endif
9720#ifndef OPENSSL_NO_TLS1_3
9721 ADD_ALL_TESTS(test_pluggable_group, 2);
9722#endif
9723#ifndef OPENSSL_NO_TLS1_2
9724 ADD_TEST(test_ssl_dup);
9725# ifndef OPENSSL_NO_DH
9726 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9727 ADD_ALL_TESTS(test_dh_auto, 7);
9728# endif
9729#endif
9730#ifndef OSSL_NO_USABLE_TLS1_3
9731 ADD_TEST(test_sni_tls13);
9732#endif
9733 ADD_TEST(test_inherit_verify_param);
9734 ADD_TEST(test_set_alpn);
9735 ADD_ALL_TESTS(test_session_timeout, 1);
9736 return 1;
9737
9738 err:
9739 OPENSSL_free(cert);
9740 OPENSSL_free(privkey);
9741 OPENSSL_free(cert2);
9742 OPENSSL_free(privkey2);
9743 return 0;
9744}
9745
9746void cleanup_tests(void)
9747{
9748# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9749 EVP_PKEY_free(tmp_dh_params);
9750#endif
9751 OPENSSL_free(cert);
9752 OPENSSL_free(privkey);
9753 OPENSSL_free(cert2);
9754 OPENSSL_free(privkey2);
9755 OPENSSL_free(cert1024);
9756 OPENSSL_free(privkey1024);
9757 OPENSSL_free(cert3072);
9758 OPENSSL_free(privkey3072);
9759 OPENSSL_free(cert4096);
9760 OPENSSL_free(privkey4096);
9761 OPENSSL_free(cert8192);
9762 OPENSSL_free(privkey8192);
9763 bio_s_mempacket_test_free();
9764 bio_s_always_retry_free();
9765 OSSL_PROVIDER_unload(defctxnull);
9766 OSSL_LIB_CTX_free(libctx);
9767}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette