VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.3/test/sslapitest.c@ 95218

最後變更 在這個檔案從95218是 94404,由 vboxsync 提交於 3 年 前

libs/openssl: Update to 3.0.2 and switch to it, bugref:10128
檔案大小: 327.5 KB
 
1/*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36
37#include "helpers/ssltestlib.h"
38#include "testutil.h"
39#include "testutil/output.h"
40#include "internal/nelem.h"
41#include "internal/ktls.h"
42#include "../ssl/ssl_local.h"
43#include "filterprov.h"
44
45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
60
61static OSSL_LIB_CTX *libctx = NULL;
62static OSSL_PROVIDER *defctxnull = NULL;
63
64#ifndef OSSL_NO_USABLE_TLS1_3
65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
82static char *certsdir = NULL;
83static char *cert = NULL;
84static char *privkey = NULL;
85static char *cert2 = NULL;
86static char *privkey2 = NULL;
87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
97
98static int is_fips = 0;
99
100#define LOG_BUFFER_SIZE 2048
101static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
102static size_t server_log_buffer_index = 0;
103static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104static size_t client_log_buffer_index = 0;
105static int error_writing_log = 0;
106
107#ifndef OPENSSL_NO_OCSP
108static const unsigned char orespder[] = "Dummy OCSP Response";
109static int ocsp_server_called = 0;
110static int ocsp_client_called = 0;
111
112static int cdummyarg = 1;
113static X509 *ocspcert = NULL;
114#endif
115
116#define NUM_EXTRA_CERTS 40
117#define CLIENT_VERSION_LEN 2
118
119/*
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
122 */
123struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
126 unsigned int client_early_secret_count;
127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
131 unsigned int early_exporter_secret_count;
132 unsigned int exporter_secret_count;
133};
134
135
136static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
140};
141
142static unsigned char serverinfov2[] = {
143 0x00, 0x00, 0x00,
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
148};
149
150static int hostname_cb(SSL *s, int *al, void *arg)
151{
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
157
158 return SSL_TLSEXT_ERR_NOACK;
159}
160
161static void client_keylog_callback(const SSL *ssl, const char *line)
162{
163 int line_length = strlen(line);
164
165 /* If the log doesn't fit, error out. */
166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
168 error_writing_log = 1;
169 return;
170 }
171
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
174 client_log_buffer[client_log_buffer_index++] = '\n';
175}
176
177static void server_keylog_callback(const SSL *ssl, const char *line)
178{
179 int line_length = strlen(line);
180
181 /* If the log doesn't fit, error out. */
182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
183 TEST_info("Server log too full");
184 error_writing_log = 1;
185 return;
186 }
187
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
190 server_log_buffer[server_log_buffer_index++] = '\n';
191}
192
193static int compare_hex_encoded_buffer(const char *hex_encoded,
194 size_t hex_length,
195 const uint8_t *raw,
196 size_t raw_length)
197{
198 size_t i, j;
199 char hexed[3];
200
201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
202 return 1;
203
204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
205 sprintf(hexed, "%02x", raw[i]);
206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
208 return 1;
209 }
210
211 return 0;
212}
213
214static int test_keylog_output(char *buffer, const SSL *ssl,
215 const SSL_SESSION *session,
216 struct sslapitest_log_counts *expected)
217{
218 char *token = NULL;
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
225 unsigned int client_early_secret_count = 0;
226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
230 unsigned int early_exporter_secret_count = 0;
231 unsigned int exporter_secret_count = 0;
232
233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
235 if (strcmp(token, "RSA") == 0) {
236 /*
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
238 * hex-encoded encrypted secret, then the hex-encoded pre-master
239 * secret.
240 */
241 if (!TEST_ptr(token = strtok(NULL, " \n")))
242 return 0;
243 if (!TEST_size_t_eq(strlen(token), 16))
244 return 0;
245 if (!TEST_ptr(token = strtok(NULL, " \n")))
246 return 0;
247 /*
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
251 */
252 rsa_key_exchange_count++;
253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
254 /*
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
256 * client random, then the hex-encoded master secret.
257 */
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
260 SSL3_RANDOM_SIZE);
261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
262 return 0;
263
264 if (!TEST_ptr(token = strtok(NULL, " \n")))
265 return 0;
266 if (!TEST_size_t_eq(strlen(token), 64))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
271 return 0;
272
273 if (!TEST_ptr(token = strtok(NULL, " \n")))
274 return 0;
275 master_key_size = SSL_SESSION_get_master_key(session,
276 actual_master_key,
277 master_key_size);
278 if (!TEST_size_t_ne(master_key_size, 0))
279 return 0;
280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
281 actual_master_key,
282 master_key_size)))
283 return 0;
284 master_secret_count++;
285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
291 || strcmp(token, "EXPORTER_SECRET") == 0) {
292 /*
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
297 */
298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
312
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
315 SSL3_RANDOM_SIZE);
316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
317 return 0;
318
319 if (!TEST_ptr(token = strtok(NULL, " \n")))
320 return 0;
321 if (!TEST_size_t_eq(strlen(token), 64))
322 return 0;
323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
326 return 0;
327
328 if (!TEST_ptr(token = strtok(NULL, " \n")))
329 return 0;
330 } else {
331 TEST_info("Unexpected token %s\n", token);
332 return 0;
333 }
334 }
335
336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
350 expected->server_application_secret_count)
351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
355 return 0;
356 return 1;
357}
358
359#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
360static int test_keylog(void)
361{
362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
364 int testresult = 0;
365 struct sslapitest_log_counts expected;
366
367 /* Clean up logging space */
368 memset(&expected, 0, sizeof(expected));
369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
374
375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
376 TLS_client_method(),
377 TLS1_VERSION, 0,
378 &sctx, &cctx, cert, privkey)))
379 return 0;
380
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384
385 /* We also want to ensure that we use RSA-based key exchange. */
386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
387 goto end;
388
389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
391 goto end;
392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
395 goto end;
396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
399 goto end;
400
401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 SSL_ERROR_NONE))
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
409 goto end;
410
411 /*
412 * Now we want to test that our output data was vaguely sensible. We
413 * do that by using strtok and confirming that we have more or less the
414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
416 */
417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
421 goto end;
422
423 expected.rsa_key_exchange_count = 0;
424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
426 goto end;
427
428 testresult = 1;
429
430end:
431 SSL_free(serverssl);
432 SSL_free(clientssl);
433 SSL_CTX_free(sctx);
434 SSL_CTX_free(cctx);
435
436 return testresult;
437}
438#endif
439
440#ifndef OSSL_NO_USABLE_TLS1_3
441static int test_keylog_no_master_key(void)
442{
443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
445 SSL_SESSION *sess = NULL;
446 int testresult = 0;
447 struct sslapitest_log_counts expected;
448 unsigned char buf[1];
449 size_t readbytes, written;
450
451 /* Clean up logging space */
452 memset(&expected, 0, sizeof(expected));
453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
458
459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
463 SSL3_RT_MAX_PLAIN_LENGTH)))
464 return 0;
465
466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
468 goto end;
469
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
473 goto end;
474
475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
478 goto end;
479
480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 SSL_ERROR_NONE))
485 || !TEST_false(error_writing_log))
486 goto end;
487
488 /*
489 * Now we want to test that our output data was vaguely sensible. For this
490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
491 * TLSv1.3, but we do expect both client and server to emit keys.
492 */
493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
497 expected.exporter_secret_count = 1;
498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
502 &expected)))
503 goto end;
504
505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
509 SSL_free(serverssl);
510 SSL_free(clientssl);
511 serverssl = clientssl = NULL;
512
513 /* Reset key log */
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
518
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 &readbytes),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 SSL_ERROR_NONE))
531 || !TEST_true(SSL_session_reused(clientssl)))
532 goto end;
533
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
536 expected.early_exporter_secret_count = 1;
537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
541 &expected)))
542 goto end;
543
544 testresult = 1;
545
546end:
547 SSL_SESSION_free(sess);
548 SSL_free(serverssl);
549 SSL_free(clientssl);
550 SSL_CTX_free(sctx);
551 SSL_CTX_free(cctx);
552
553 return testresult;
554}
555#endif
556
557static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558{
559 int res = X509_verify_cert(ctx);
560 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
561 SSL *ssl;
562
563 /* this should not happen but check anyway */
564 if (idx < 0
565 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
566 return 0;
567
568 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
569 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
570 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
571 return SSL_set_retry_verify(ssl);
572
573 return res;
574}
575
576static int test_client_cert_verify_cb(void)
577{
578 /* server key, cert, chain, and root */
579 char *skey = test_mk_file_path(certsdir, "leaf.key");
580 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
581 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
582 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
583 char *root = test_mk_file_path(certsdir, "rootCA.pem");
584 X509 *crt1 = NULL, *crt2 = NULL;
585 STACK_OF(X509) *server_chain;
586 SSL_CTX *cctx = NULL, *sctx = NULL;
587 SSL *clientssl = NULL, *serverssl = NULL;
588 int testresult = 0;
589
590 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
591 TLS_client_method(), TLS1_VERSION, 0,
592 &sctx, &cctx, NULL, NULL)))
593 goto end;
594 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
595 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
596 SSL_FILETYPE_PEM), 1)
597 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
598 goto end;
599 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
600 goto end;
601 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
602 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
604 &clientssl, NULL, NULL)))
605 goto end;
606
607 /* attempt SSL_connect() with incomplete server chain */
608 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
609 SSL_ERROR_WANT_RETRY_VERIFY)))
610 goto end;
611
612 /* application provides intermediate certs needed to verify server cert */
613 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
614 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
615 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
616 goto end;
617 /* add certs in reverse order to demonstrate real chain building */
618 if (!TEST_true(sk_X509_push(server_chain, crt1)))
619 goto end;
620 crt1 = NULL;
621 if (!TEST_true(sk_X509_push(server_chain, crt2)))
622 goto end;
623 crt2 = NULL;
624
625 /* continue SSL_connect(), must now succeed with completed server chain */
626 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
627 SSL_ERROR_NONE)))
628 goto end;
629
630 testresult = 1;
631
632end:
633 X509_free(crt1);
634 X509_free(crt2);
635 if (clientssl != NULL) {
636 SSL_shutdown(clientssl);
637 SSL_free(clientssl);
638 }
639 if (serverssl != NULL) {
640 SSL_shutdown(serverssl);
641 SSL_free(serverssl);
642 }
643 SSL_CTX_free(sctx);
644 SSL_CTX_free(cctx);
645
646 OPENSSL_free(skey);
647 OPENSSL_free(leaf);
648 OPENSSL_free(int2);
649 OPENSSL_free(int1);
650 OPENSSL_free(root);
651
652 return testresult;
653}
654
655static int test_ssl_build_cert_chain(void)
656{
657 int ret = 0;
658 SSL_CTX *ssl_ctx = NULL;
659 SSL *ssl = NULL;
660 char *skey = test_mk_file_path(certsdir, "leaf.key");
661 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
662
663 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
664 goto end;
665 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
666 goto end;
667 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
668 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
669 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
670 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
671 goto end;
672 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
673 | SSL_BUILD_CHAIN_FLAG_CHECK)))
674 goto end;
675 ret = 1;
676end:
677 SSL_free(ssl);
678 SSL_CTX_free(ssl_ctx);
679 OPENSSL_free(leaf_chain);
680 OPENSSL_free(skey);
681 return ret;
682}
683
684static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
685{
686 static const char pass[] = "testpass";
687
688 if (!TEST_int_eq(size, PEM_BUFSIZE))
689 return -1;
690
691 memcpy(buf, pass, sizeof(pass) - 1);
692 return sizeof(pass) - 1;
693}
694
695static int test_ssl_ctx_build_cert_chain(void)
696{
697 int ret = 0;
698 SSL_CTX *ctx = NULL;
699 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
700 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
701
702 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
703 goto end;
704 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
705 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
706 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
707 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
708 SSL_FILETYPE_PEM), 1)
709 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
710 goto end;
711 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
712 | SSL_BUILD_CHAIN_FLAG_CHECK)))
713 goto end;
714 ret = 1;
715end:
716 SSL_CTX_free(ctx);
717 OPENSSL_free(leaf_chain);
718 OPENSSL_free(skey);
719 return ret;
720}
721
722#ifndef OPENSSL_NO_TLS1_2
723static int full_client_hello_callback(SSL *s, int *al, void *arg)
724{
725 int *ctr = arg;
726 const unsigned char *p;
727 int *exts;
728 /* We only configure two ciphers, but the SCSV is added automatically. */
729#ifdef OPENSSL_NO_EC
730 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
731#else
732 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
733 0x2c, 0x00, 0xff};
734#endif
735 const int expected_extensions[] = {
736#ifndef OPENSSL_NO_EC
737 11, 10,
738#endif
739 35, 22, 23, 13};
740 size_t len;
741
742 /* Make sure we can defer processing and get called back. */
743 if ((*ctr)++ == 0)
744 return SSL_CLIENT_HELLO_RETRY;
745
746 len = SSL_client_hello_get0_ciphers(s, &p);
747 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
748 || !TEST_size_t_eq(
749 SSL_client_hello_get0_compression_methods(s, &p), 1)
750 || !TEST_int_eq(*p, 0))
751 return SSL_CLIENT_HELLO_ERROR;
752 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
753 return SSL_CLIENT_HELLO_ERROR;
754 if (len != OSSL_NELEM(expected_extensions) ||
755 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
756 printf("ClientHello callback expected extensions mismatch\n");
757 OPENSSL_free(exts);
758 return SSL_CLIENT_HELLO_ERROR;
759 }
760 OPENSSL_free(exts);
761 return SSL_CLIENT_HELLO_SUCCESS;
762}
763
764static int test_client_hello_cb(void)
765{
766 SSL_CTX *cctx = NULL, *sctx = NULL;
767 SSL *clientssl = NULL, *serverssl = NULL;
768 int testctr = 0, testresult = 0;
769
770 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
771 TLS_client_method(), TLS1_VERSION, 0,
772 &sctx, &cctx, cert, privkey)))
773 goto end;
774 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
775
776 /* The gimpy cipher list we configure can't do TLS 1.3. */
777 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
778
779 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
780 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
784 SSL_ERROR_WANT_CLIENT_HELLO_CB))
785 /*
786 * Passing a -1 literal is a hack since
787 * the real value was lost.
788 * */
789 || !TEST_int_eq(SSL_get_error(serverssl, -1),
790 SSL_ERROR_WANT_CLIENT_HELLO_CB)
791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
792 SSL_ERROR_NONE)))
793 goto end;
794
795 testresult = 1;
796
797end:
798 SSL_free(serverssl);
799 SSL_free(clientssl);
800 SSL_CTX_free(sctx);
801 SSL_CTX_free(cctx);
802
803 return testresult;
804}
805
806static int test_no_ems(void)
807{
808 SSL_CTX *cctx = NULL, *sctx = NULL;
809 SSL *clientssl = NULL, *serverssl = NULL;
810 int testresult = 0;
811
812 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
813 TLS1_VERSION, TLS1_2_VERSION,
814 &sctx, &cctx, cert, privkey)) {
815 printf("Unable to create SSL_CTX pair\n");
816 goto end;
817 }
818
819 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
820
821 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
822 printf("Unable to create SSL objects\n");
823 goto end;
824 }
825
826 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
827 printf("Creating SSL connection failed\n");
828 goto end;
829 }
830
831 if (SSL_get_extms_support(serverssl)) {
832 printf("Server reports Extended Master Secret support\n");
833 goto end;
834 }
835
836 if (SSL_get_extms_support(clientssl)) {
837 printf("Client reports Extended Master Secret support\n");
838 goto end;
839 }
840 testresult = 1;
841
842end:
843 SSL_free(serverssl);
844 SSL_free(clientssl);
845 SSL_CTX_free(sctx);
846 SSL_CTX_free(cctx);
847
848 return testresult;
849}
850
851/*
852 * Very focused test to exercise a single case in the server-side state
853 * machine, when the ChangeCipherState message needs to actually change
854 * from one cipher to a different cipher (i.e., not changing from null
855 * encryption to real encryption).
856 */
857static int test_ccs_change_cipher(void)
858{
859 SSL_CTX *cctx = NULL, *sctx = NULL;
860 SSL *clientssl = NULL, *serverssl = NULL;
861 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
862 int testresult = 0;
863 int i;
864 unsigned char buf;
865 size_t readbytes;
866
867 /*
868 * Create a conection so we can resume and potentially (but not) use
869 * a different cipher in the second connection.
870 */
871 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
872 TLS_client_method(),
873 TLS1_VERSION, TLS1_2_VERSION,
874 &sctx, &cctx, cert, privkey))
875 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
876 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
877 NULL, NULL))
878 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
880 SSL_ERROR_NONE))
881 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
882 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
883 goto end;
884
885 shutdown_ssl_connection(serverssl, clientssl);
886 serverssl = clientssl = NULL;
887
888 /* Resume, preferring a different cipher. Our server will force the
889 * same cipher to be used as the initial handshake. */
890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
891 NULL, NULL))
892 || !TEST_true(SSL_set_session(clientssl, sess))
893 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
894 || !TEST_true(create_ssl_connection(serverssl, clientssl,
895 SSL_ERROR_NONE))
896 || !TEST_true(SSL_session_reused(clientssl))
897 || !TEST_true(SSL_session_reused(serverssl))
898 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
899 || !TEST_ptr_eq(sesspre, sesspost)
900 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
901 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
902 goto end;
903 shutdown_ssl_connection(serverssl, clientssl);
904 serverssl = clientssl = NULL;
905
906 /*
907 * Now create a fresh connection and try to renegotiate a different
908 * cipher on it.
909 */
910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
911 NULL, NULL))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
913 || !TEST_true(create_ssl_connection(serverssl, clientssl,
914 SSL_ERROR_NONE))
915 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
916 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
917 || !TEST_true(SSL_renegotiate(clientssl))
918 || !TEST_true(SSL_renegotiate_pending(clientssl)))
919 goto end;
920 /* Actually drive the renegotiation. */
921 for (i = 0; i < 3; i++) {
922 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
923 if (!TEST_ulong_eq(readbytes, 0))
924 goto end;
925 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
926 SSL_ERROR_WANT_READ)) {
927 goto end;
928 }
929 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
930 if (!TEST_ulong_eq(readbytes, 0))
931 goto end;
932 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
933 SSL_ERROR_WANT_READ)) {
934 goto end;
935 }
936 }
937 /* sesspre and sesspost should be different since the cipher changed. */
938 if (!TEST_false(SSL_renegotiate_pending(clientssl))
939 || !TEST_false(SSL_session_reused(clientssl))
940 || !TEST_false(SSL_session_reused(serverssl))
941 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
942 || !TEST_ptr_ne(sesspre, sesspost)
943 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
944 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
945 goto end;
946
947 shutdown_ssl_connection(serverssl, clientssl);
948 serverssl = clientssl = NULL;
949
950 testresult = 1;
951
952end:
953 SSL_free(serverssl);
954 SSL_free(clientssl);
955 SSL_CTX_free(sctx);
956 SSL_CTX_free(cctx);
957 SSL_SESSION_free(sess);
958
959 return testresult;
960}
961#endif
962
963static int execute_test_large_message(const SSL_METHOD *smeth,
964 const SSL_METHOD *cmeth,
965 int min_version, int max_version,
966 int read_ahead)
967{
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
970 int testresult = 0;
971 int i;
972 BIO *certbio = NULL;
973 X509 *chaincert = NULL;
974 int certlen;
975
976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
977 goto end;
978
979 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
980 goto end;
981
982 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
983 goto end;
984 BIO_free(certbio);
985 certbio = NULL;
986
987 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
988 max_version, &sctx, &cctx, cert,
989 privkey)))
990 goto end;
991
992#ifdef OPENSSL_NO_DTLS1_2
993 if (smeth == DTLS_server_method()) {
994 /*
995 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
996 * level 0
997 */
998 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
999 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1000 "DEFAULT:@SECLEVEL=0")))
1001 goto end;
1002 }
1003#endif
1004
1005 if (read_ahead) {
1006 /*
1007 * Test that read_ahead works correctly when dealing with large
1008 * records
1009 */
1010 SSL_CTX_set_read_ahead(cctx, 1);
1011 }
1012
1013 /*
1014 * We assume the supplied certificate is big enough so that if we add
1015 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1016 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1017 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1018 * test we need to have a message larger than that.
1019 */
1020 certlen = i2d_X509(chaincert, NULL);
1021 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1022 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1023 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1024 if (!X509_up_ref(chaincert))
1025 goto end;
1026 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1027 X509_free(chaincert);
1028 goto end;
1029 }
1030 }
1031
1032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1033 NULL, NULL))
1034 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1035 SSL_ERROR_NONE)))
1036 goto end;
1037
1038 /*
1039 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1040 * doesn't leak.
1041 */
1042 if (!TEST_true(SSL_clear(serverssl)))
1043 goto end;
1044
1045 testresult = 1;
1046 end:
1047 BIO_free(certbio);
1048 X509_free(chaincert);
1049 SSL_free(serverssl);
1050 SSL_free(clientssl);
1051 SSL_CTX_free(sctx);
1052 SSL_CTX_free(cctx);
1053
1054 return testresult;
1055}
1056
1057#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1058 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1059/* sock must be connected */
1060static int ktls_chk_platform(int sock)
1061{
1062 if (!ktls_enable(sock))
1063 return 0;
1064 return 1;
1065}
1066
1067static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1068{
1069 static char count = 1;
1070 unsigned char cbuf[16000] = {0};
1071 unsigned char sbuf[16000];
1072 size_t err = 0;
1073 char crec_wseq_before[SEQ_NUM_SIZE];
1074 char crec_wseq_after[SEQ_NUM_SIZE];
1075 char crec_rseq_before[SEQ_NUM_SIZE];
1076 char crec_rseq_after[SEQ_NUM_SIZE];
1077 char srec_wseq_before[SEQ_NUM_SIZE];
1078 char srec_wseq_after[SEQ_NUM_SIZE];
1079 char srec_rseq_before[SEQ_NUM_SIZE];
1080 char srec_rseq_after[SEQ_NUM_SIZE];
1081
1082 cbuf[0] = count++;
1083 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1084 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087
1088 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1089 goto end;
1090
1091 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1092 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1093 goto end;
1094 }
1095 }
1096
1097 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1098 goto end;
1099
1100 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1101 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1102 goto end;
1103 }
1104 }
1105
1106 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1107 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1110
1111 /* verify the payload */
1112 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1113 goto end;
1114
1115 /*
1116 * If ktls is used then kernel sequences are used instead of
1117 * OpenSSL sequences
1118 */
1119 if (!BIO_get_ktls_send(clientssl->wbio)) {
1120 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1121 crec_wseq_after, SEQ_NUM_SIZE))
1122 goto end;
1123 } else {
1124 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1125 crec_wseq_after, SEQ_NUM_SIZE))
1126 goto end;
1127 }
1128
1129 if (!BIO_get_ktls_send(serverssl->wbio)) {
1130 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1131 srec_wseq_after, SEQ_NUM_SIZE))
1132 goto end;
1133 } else {
1134 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1135 srec_wseq_after, SEQ_NUM_SIZE))
1136 goto end;
1137 }
1138
1139 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1140 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1141 crec_rseq_after, SEQ_NUM_SIZE))
1142 goto end;
1143 } else {
1144 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1145 crec_rseq_after, SEQ_NUM_SIZE))
1146 goto end;
1147 }
1148
1149 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1150 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1151 srec_rseq_after, SEQ_NUM_SIZE))
1152 goto end;
1153 } else {
1154 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1155 srec_rseq_after, SEQ_NUM_SIZE))
1156 goto end;
1157 }
1158
1159 return 1;
1160end:
1161 return 0;
1162}
1163
1164static int execute_test_ktls(int cis_ktls, int sis_ktls,
1165 int tls_version, const char *cipher)
1166{
1167 SSL_CTX *cctx = NULL, *sctx = NULL;
1168 SSL *clientssl = NULL, *serverssl = NULL;
1169 int ktls_used = 0, testresult = 0;
1170 int cfd = -1, sfd = -1;
1171 int rx_supported;
1172
1173 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1174 goto end;
1175
1176 /* Skip this test if the platform does not support ktls */
1177 if (!ktls_chk_platform(cfd)) {
1178 testresult = TEST_skip("Kernel does not support KTLS");
1179 goto end;
1180 }
1181
1182 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1183 testresult = TEST_skip("CHACHA is not supported in FIPS");
1184 goto end;
1185 }
1186
1187 /* Create a session based on SHA-256 */
1188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1189 TLS_client_method(),
1190 tls_version, tls_version,
1191 &sctx, &cctx, cert, privkey)))
1192 goto end;
1193
1194 if (tls_version == TLS1_3_VERSION) {
1195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1196 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1197 goto end;
1198 } else {
1199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1200 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1201 goto end;
1202 }
1203
1204 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1205 &clientssl, sfd, cfd)))
1206 goto end;
1207
1208 if (cis_ktls) {
1209 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1210 goto end;
1211 }
1212
1213 if (sis_ktls) {
1214 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1215 goto end;
1216 }
1217
1218 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1219 goto end;
1220
1221 /*
1222 * The running kernel may not support a given cipher suite
1223 * or direction, so just check that KTLS isn't used when it
1224 * isn't enabled.
1225 */
1226 if (!cis_ktls) {
1227 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1228 goto end;
1229 } else {
1230 if (BIO_get_ktls_send(clientssl->wbio))
1231 ktls_used = 1;
1232 }
1233
1234 if (!sis_ktls) {
1235 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1236 goto end;
1237 } else {
1238 if (BIO_get_ktls_send(serverssl->wbio))
1239 ktls_used = 1;
1240 }
1241
1242#if defined(OPENSSL_NO_KTLS_RX)
1243 rx_supported = 0;
1244#else
1245 rx_supported = (tls_version != TLS1_3_VERSION);
1246#endif
1247 if (!cis_ktls || !rx_supported) {
1248 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1249 goto end;
1250 } else {
1251 if (BIO_get_ktls_send(clientssl->rbio))
1252 ktls_used = 1;
1253 }
1254
1255 if (!sis_ktls || !rx_supported) {
1256 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1257 goto end;
1258 } else {
1259 if (BIO_get_ktls_send(serverssl->rbio))
1260 ktls_used = 1;
1261 }
1262
1263 if ((cis_ktls || sis_ktls) && !ktls_used) {
1264 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1265 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1266 "TLS 1.2", cipher);
1267 goto end;
1268 }
1269
1270 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1271 goto end;
1272
1273 testresult = 1;
1274end:
1275 if (clientssl) {
1276 SSL_shutdown(clientssl);
1277 SSL_free(clientssl);
1278 }
1279 if (serverssl) {
1280 SSL_shutdown(serverssl);
1281 SSL_free(serverssl);
1282 }
1283 SSL_CTX_free(sctx);
1284 SSL_CTX_free(cctx);
1285 serverssl = clientssl = NULL;
1286 if (cfd != -1)
1287 close(cfd);
1288 if (sfd != -1)
1289 close(sfd);
1290 return testresult;
1291}
1292
1293#define SENDFILE_SZ (16 * 4096)
1294#define SENDFILE_CHUNK (4 * 4096)
1295#define min(a,b) ((a) > (b) ? (b) : (a))
1296
1297static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1298{
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308
1309 buf = OPENSSL_zalloc(SENDFILE_SZ);
1310 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1311 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1312 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1313 goto end;
1314
1315 /* Skip this test if the platform does not support ktls */
1316 if (!ktls_chk_platform(sfd)) {
1317 testresult = TEST_skip("Kernel does not support KTLS");
1318 goto end;
1319 }
1320
1321 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1322 testresult = TEST_skip("CHACHA is not supported in FIPS");
1323 goto end;
1324 }
1325
1326 /* Create a session based on SHA-256 */
1327 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1328 TLS_client_method(),
1329 tls_version, tls_version,
1330 &sctx, &cctx, cert, privkey)))
1331 goto end;
1332
1333 if (tls_version == TLS1_3_VERSION) {
1334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1335 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1336 goto end;
1337 } else {
1338 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1339 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1340 goto end;
1341 }
1342
1343 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1344 &clientssl, sfd, cfd)))
1345 goto end;
1346
1347 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1348 goto end;
1349
1350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1351 SSL_ERROR_NONE)))
1352 goto end;
1353
1354 if (!BIO_get_ktls_send(serverssl->wbio)) {
1355 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1356 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1357 "TLS 1.2", cipher);
1358 goto end;
1359 }
1360
1361 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1362 goto end;
1363
1364 out = BIO_new_file(tmpfilename, "wb");
1365 if (!TEST_ptr(out))
1366 goto end;
1367
1368 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1369 goto end;
1370
1371 BIO_free(out);
1372 out = NULL;
1373 in = BIO_new_file(tmpfilename, "rb");
1374 BIO_get_fp(in, &ffdp);
1375 ffd = fileno(ffdp);
1376
1377 while (chunk_off < SENDFILE_SZ) {
1378 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1379 while ((err = SSL_sendfile(serverssl,
1380 ffd,
1381 chunk_off,
1382 chunk_size,
1383 0)) != chunk_size) {
1384 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1385 goto end;
1386 }
1387 while ((err = SSL_read(clientssl,
1388 buf_dst + chunk_off,
1389 chunk_size)) != chunk_size) {
1390 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1391 goto end;
1392 }
1393
1394 /* verify the payload */
1395 if (!TEST_mem_eq(buf_dst + chunk_off,
1396 chunk_size,
1397 buf + chunk_off,
1398 chunk_size))
1399 goto end;
1400
1401 chunk_off += chunk_size;
1402 }
1403
1404 testresult = 1;
1405end:
1406 if (clientssl) {
1407 SSL_shutdown(clientssl);
1408 SSL_free(clientssl);
1409 }
1410 if (serverssl) {
1411 SSL_shutdown(serverssl);
1412 SSL_free(serverssl);
1413 }
1414 SSL_CTX_free(sctx);
1415 SSL_CTX_free(cctx);
1416 serverssl = clientssl = NULL;
1417 BIO_free(out);
1418 BIO_free(in);
1419 if (cfd != -1)
1420 close(cfd);
1421 if (sfd != -1)
1422 close(sfd);
1423 OPENSSL_free(buf);
1424 OPENSSL_free(buf_dst);
1425 return testresult;
1426}
1427
1428static struct ktls_test_cipher {
1429 int tls_version;
1430 const char *cipher;
1431} ktls_test_ciphers[] = {
1432# if !defined(OPENSSL_NO_TLS1_2)
1433# ifdef OPENSSL_KTLS_AES_GCM_128
1434 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1435# endif
1436# ifdef OPENSSL_KTLS_AES_CCM_128
1437 { TLS1_2_VERSION, "AES128-CCM"},
1438# endif
1439# ifdef OPENSSL_KTLS_AES_GCM_256
1440 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1441# endif
1442# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1443 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1444# endif
1445# endif
1446# if !defined(OSSL_NO_USABLE_TLS1_3)
1447# ifdef OPENSSL_KTLS_AES_GCM_128
1448 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1449# endif
1450# ifdef OPENSSL_KTLS_AES_CCM_128
1451 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_GCM_256
1454 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1455# endif
1456# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1457 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1458# endif
1459# endif
1460};
1461
1462#define NUM_KTLS_TEST_CIPHERS \
1463 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1464
1465static int test_ktls(int test)
1466{
1467 struct ktls_test_cipher *cipher;
1468 int cis_ktls, sis_ktls;
1469
1470 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1471 cipher = &ktls_test_ciphers[test / 4];
1472
1473 cis_ktls = (test & 1) != 0;
1474 sis_ktls = (test & 2) != 0;
1475
1476 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1477 cipher->cipher);
1478}
1479
1480static int test_ktls_sendfile(int tst)
1481{
1482 struct ktls_test_cipher *cipher;
1483
1484 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1485 cipher = &ktls_test_ciphers[tst];
1486
1487 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1488}
1489#endif
1490
1491static int test_large_message_tls(void)
1492{
1493 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1494 TLS1_VERSION, 0, 0);
1495}
1496
1497static int test_large_message_tls_read_ahead(void)
1498{
1499 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1500 TLS1_VERSION, 0, 1);
1501}
1502
1503#ifndef OPENSSL_NO_DTLS
1504static int test_large_message_dtls(void)
1505{
1506# ifdef OPENSSL_NO_DTLS1_2
1507 /* Not supported in the FIPS provider */
1508 if (is_fips)
1509 return 1;
1510# endif
1511 /*
1512 * read_ahead is not relevant to DTLS because DTLS always acts as if
1513 * read_ahead is set.
1514 */
1515 return execute_test_large_message(DTLS_server_method(),
1516 DTLS_client_method(),
1517 DTLS1_VERSION, 0, 0);
1518}
1519#endif
1520
1521static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1522 const SSL_METHOD *cmeth,
1523 int min_version, int max_version)
1524{
1525 size_t i;
1526 SSL_CTX *cctx = NULL, *sctx = NULL;
1527 SSL *clientssl = NULL, *serverssl = NULL;
1528 int testresult = 0;
1529 SSL3_RECORD *rr;
1530 void *zbuf;
1531
1532 static unsigned char cbuf[16000];
1533 static unsigned char sbuf[16000];
1534
1535 if (!TEST_true(create_ssl_ctx_pair(libctx,
1536 smeth, cmeth,
1537 min_version, max_version,
1538 &sctx, &cctx, cert,
1539 privkey)))
1540 goto end;
1541
1542#ifdef OPENSSL_NO_DTLS1_2
1543 if (smeth == DTLS_server_method()) {
1544# ifdef OPENSSL_NO_DTLS1_2
1545 /* Not supported in the FIPS provider */
1546 if (is_fips) {
1547 testresult = 1;
1548 goto end;
1549 };
1550# endif
1551 /*
1552 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1553 * level 0
1554 */
1555 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1556 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1557 "DEFAULT:@SECLEVEL=0")))
1558 goto end;
1559 }
1560#endif
1561
1562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1563 NULL, NULL)))
1564 goto end;
1565
1566 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1567 goto end;
1568
1569 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1570 SSL_ERROR_NONE)))
1571 goto end;
1572
1573 for (i = 0; i < sizeof(cbuf); i++) {
1574 cbuf[i] = i & 0xff;
1575 }
1576
1577 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1578 goto end;
1579
1580 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1581 goto end;
1582
1583 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1584 goto end;
1585
1586 /*
1587 * Since we called SSL_peek(), we know the data in the record
1588 * layer is a plaintext record. We can gather the pointer to check
1589 * for zeroization after SSL_read().
1590 */
1591 rr = serverssl->rlayer.rrec;
1592 zbuf = &rr->data[rr->off];
1593 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1594 goto end;
1595
1596 /*
1597 * After SSL_peek() the plaintext must still be stored in the
1598 * record.
1599 */
1600 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1601 goto end;
1602
1603 memset(sbuf, 0, sizeof(sbuf));
1604 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1605 goto end;
1606
1607 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1608 goto end;
1609
1610 /* Check if rbuf is cleansed */
1611 memset(cbuf, 0, sizeof(cbuf));
1612 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1613 goto end;
1614
1615 testresult = 1;
1616 end:
1617 SSL_free(serverssl);
1618 SSL_free(clientssl);
1619 SSL_CTX_free(sctx);
1620 SSL_CTX_free(cctx);
1621
1622 return testresult;
1623}
1624
1625static int test_cleanse_plaintext(void)
1626{
1627#if !defined(OPENSSL_NO_TLS1_2)
1628 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1629 TLS_client_method(),
1630 TLS1_2_VERSION,
1631 TLS1_2_VERSION)))
1632 return 0;
1633
1634#endif
1635
1636#if !defined(OSSL_NO_USABLE_TLS1_3)
1637 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1638 TLS_client_method(),
1639 TLS1_3_VERSION,
1640 TLS1_3_VERSION)))
1641 return 0;
1642#endif
1643
1644#if !defined(OPENSSL_NO_DTLS)
1645
1646 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1647 DTLS_client_method(),
1648 DTLS1_VERSION,
1649 0)))
1650 return 0;
1651#endif
1652 return 1;
1653}
1654
1655#ifndef OPENSSL_NO_OCSP
1656static int ocsp_server_cb(SSL *s, void *arg)
1657{
1658 int *argi = (int *)arg;
1659 unsigned char *copy = NULL;
1660 STACK_OF(OCSP_RESPID) *ids = NULL;
1661 OCSP_RESPID *id = NULL;
1662
1663 if (*argi == 2) {
1664 /* In this test we are expecting exactly 1 OCSP_RESPID */
1665 SSL_get_tlsext_status_ids(s, &ids);
1666 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1667 return SSL_TLSEXT_ERR_ALERT_FATAL;
1668
1669 id = sk_OCSP_RESPID_value(ids, 0);
1670 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1671 return SSL_TLSEXT_ERR_ALERT_FATAL;
1672 } else if (*argi != 1) {
1673 return SSL_TLSEXT_ERR_ALERT_FATAL;
1674 }
1675
1676 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1677 return SSL_TLSEXT_ERR_ALERT_FATAL;
1678
1679 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1680 sizeof(orespder)))) {
1681 OPENSSL_free(copy);
1682 return SSL_TLSEXT_ERR_ALERT_FATAL;
1683 }
1684 ocsp_server_called = 1;
1685 return SSL_TLSEXT_ERR_OK;
1686}
1687
1688static int ocsp_client_cb(SSL *s, void *arg)
1689{
1690 int *argi = (int *)arg;
1691 const unsigned char *respderin;
1692 size_t len;
1693
1694 if (*argi != 1 && *argi != 2)
1695 return 0;
1696
1697 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1698 if (!TEST_mem_eq(orespder, len, respderin, len))
1699 return 0;
1700
1701 ocsp_client_called = 1;
1702 return 1;
1703}
1704
1705static int test_tlsext_status_type(void)
1706{
1707 SSL_CTX *cctx = NULL, *sctx = NULL;
1708 SSL *clientssl = NULL, *serverssl = NULL;
1709 int testresult = 0;
1710 STACK_OF(OCSP_RESPID) *ids = NULL;
1711 OCSP_RESPID *id = NULL;
1712 BIO *certbio = NULL;
1713
1714 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1715 TLS1_VERSION, 0,
1716 &sctx, &cctx, cert, privkey))
1717 return 0;
1718
1719 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1720 goto end;
1721
1722 /* First just do various checks getting and setting tlsext_status_type */
1723
1724 clientssl = SSL_new(cctx);
1725 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1726 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1727 TLSEXT_STATUSTYPE_ocsp))
1728 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1729 TLSEXT_STATUSTYPE_ocsp))
1730 goto end;
1731
1732 SSL_free(clientssl);
1733 clientssl = NULL;
1734
1735 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1736 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1737 goto end;
1738
1739 clientssl = SSL_new(cctx);
1740 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1741 goto end;
1742 SSL_free(clientssl);
1743 clientssl = NULL;
1744
1745 /*
1746 * Now actually do a handshake and check OCSP information is exchanged and
1747 * the callbacks get called
1748 */
1749 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1750 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1751 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1752 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1754 &clientssl, NULL, NULL))
1755 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1756 SSL_ERROR_NONE))
1757 || !TEST_true(ocsp_client_called)
1758 || !TEST_true(ocsp_server_called))
1759 goto end;
1760 SSL_free(serverssl);
1761 SSL_free(clientssl);
1762 serverssl = NULL;
1763 clientssl = NULL;
1764
1765 /* Try again but this time force the server side callback to fail */
1766 ocsp_client_called = 0;
1767 ocsp_server_called = 0;
1768 cdummyarg = 0;
1769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1770 &clientssl, NULL, NULL))
1771 /* This should fail because the callback will fail */
1772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1773 SSL_ERROR_NONE))
1774 || !TEST_false(ocsp_client_called)
1775 || !TEST_false(ocsp_server_called))
1776 goto end;
1777 SSL_free(serverssl);
1778 SSL_free(clientssl);
1779 serverssl = NULL;
1780 clientssl = NULL;
1781
1782 /*
1783 * This time we'll get the client to send an OCSP_RESPID that it will
1784 * accept.
1785 */
1786 ocsp_client_called = 0;
1787 ocsp_server_called = 0;
1788 cdummyarg = 2;
1789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1790 &clientssl, NULL, NULL)))
1791 goto end;
1792
1793 /*
1794 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1795 * specific one. We'll use the server cert.
1796 */
1797 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1798 || !TEST_ptr(id = OCSP_RESPID_new())
1799 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1800 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1801 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1802 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1803 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1804 goto end;
1805 id = NULL;
1806 SSL_set_tlsext_status_ids(clientssl, ids);
1807 /* Control has been transferred */
1808 ids = NULL;
1809
1810 BIO_free(certbio);
1811 certbio = NULL;
1812
1813 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1814 SSL_ERROR_NONE))
1815 || !TEST_true(ocsp_client_called)
1816 || !TEST_true(ocsp_server_called))
1817 goto end;
1818
1819 testresult = 1;
1820
1821 end:
1822 SSL_free(serverssl);
1823 SSL_free(clientssl);
1824 SSL_CTX_free(sctx);
1825 SSL_CTX_free(cctx);
1826 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1827 OCSP_RESPID_free(id);
1828 BIO_free(certbio);
1829 X509_free(ocspcert);
1830 ocspcert = NULL;
1831
1832 return testresult;
1833}
1834#endif
1835
1836#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1837static int new_called, remove_called, get_called;
1838
1839static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1840{
1841 new_called++;
1842 /*
1843 * sess has been up-refed for us, but we don't actually need it so free it
1844 * immediately.
1845 */
1846 SSL_SESSION_free(sess);
1847 return 1;
1848}
1849
1850static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1851{
1852 remove_called++;
1853}
1854
1855static SSL_SESSION *get_sess_val = NULL;
1856
1857static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1858 int *copy)
1859{
1860 get_called++;
1861 *copy = 1;
1862 return get_sess_val;
1863}
1864
1865static int execute_test_session(int maxprot, int use_int_cache,
1866 int use_ext_cache, long s_options)
1867{
1868 SSL_CTX *sctx = NULL, *cctx = NULL;
1869 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1870 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1871# ifndef OPENSSL_NO_TLS1_1
1872 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1873# endif
1874 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1875 int testresult = 0, numnewsesstick = 1;
1876
1877 new_called = remove_called = 0;
1878
1879 /* TLSv1.3 sends 2 NewSessionTickets */
1880 if (maxprot == TLS1_3_VERSION)
1881 numnewsesstick = 2;
1882
1883 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1884 TLS_client_method(), TLS1_VERSION, 0,
1885 &sctx, &cctx, cert, privkey)))
1886 return 0;
1887
1888 /*
1889 * Only allow the max protocol version so we can force a connection failure
1890 * later
1891 */
1892 SSL_CTX_set_min_proto_version(cctx, maxprot);
1893 SSL_CTX_set_max_proto_version(cctx, maxprot);
1894
1895 /* Set up session cache */
1896 if (use_ext_cache) {
1897 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1898 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1899 }
1900 if (use_int_cache) {
1901 /* Also covers instance where both are set */
1902 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1903 } else {
1904 SSL_CTX_set_session_cache_mode(cctx,
1905 SSL_SESS_CACHE_CLIENT
1906 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1907 }
1908
1909 if (s_options) {
1910 SSL_CTX_set_options(sctx, s_options);
1911 }
1912
1913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1914 NULL, NULL))
1915 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1916 SSL_ERROR_NONE))
1917 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1918 goto end;
1919
1920 /* Should fail because it should already be in the cache */
1921 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1922 goto end;
1923 if (use_ext_cache
1924 && (!TEST_int_eq(new_called, numnewsesstick)
1925
1926 || !TEST_int_eq(remove_called, 0)))
1927 goto end;
1928
1929 new_called = remove_called = 0;
1930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1931 &clientssl2, NULL, NULL))
1932 || !TEST_true(SSL_set_session(clientssl2, sess1))
1933 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1934 SSL_ERROR_NONE))
1935 || !TEST_true(SSL_session_reused(clientssl2)))
1936 goto end;
1937
1938 if (maxprot == TLS1_3_VERSION) {
1939 /*
1940 * In TLSv1.3 we should have created a new session even though we have
1941 * resumed. Since we attempted a resume we should also have removed the
1942 * old ticket from the cache so that we try to only use tickets once.
1943 */
1944 if (use_ext_cache
1945 && (!TEST_int_eq(new_called, 1)
1946 || !TEST_int_eq(remove_called, 1)))
1947 goto end;
1948 } else {
1949 /*
1950 * In TLSv1.2 we expect to have resumed so no sessions added or
1951 * removed.
1952 */
1953 if (use_ext_cache
1954 && (!TEST_int_eq(new_called, 0)
1955 || !TEST_int_eq(remove_called, 0)))
1956 goto end;
1957 }
1958
1959 SSL_SESSION_free(sess1);
1960 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1961 goto end;
1962 shutdown_ssl_connection(serverssl2, clientssl2);
1963 serverssl2 = clientssl2 = NULL;
1964
1965 new_called = remove_called = 0;
1966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1967 &clientssl2, NULL, NULL))
1968 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1969 SSL_ERROR_NONE)))
1970 goto end;
1971
1972 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1973 goto end;
1974
1975 if (use_ext_cache
1976 && (!TEST_int_eq(new_called, numnewsesstick)
1977 || !TEST_int_eq(remove_called, 0)))
1978 goto end;
1979
1980 new_called = remove_called = 0;
1981 /*
1982 * This should clear sess2 from the cache because it is a "bad" session.
1983 * See SSL_set_session() documentation.
1984 */
1985 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1986 goto end;
1987 if (use_ext_cache
1988 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1989 goto end;
1990 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1991 goto end;
1992
1993 if (use_int_cache) {
1994 /* Should succeeded because it should not already be in the cache */
1995 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1996 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1997 goto end;
1998 }
1999
2000 new_called = remove_called = 0;
2001 /* This shouldn't be in the cache so should fail */
2002 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2003 goto end;
2004
2005 if (use_ext_cache
2006 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2007 goto end;
2008
2009# if !defined(OPENSSL_NO_TLS1_1)
2010 new_called = remove_called = 0;
2011 /* Force a connection failure */
2012 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2014 &clientssl3, NULL, NULL))
2015 || !TEST_true(SSL_set_session(clientssl3, sess1))
2016 /* This should fail because of the mismatched protocol versions */
2017 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2018 SSL_ERROR_NONE)))
2019 goto end;
2020
2021 /* We should have automatically removed the session from the cache */
2022 if (use_ext_cache
2023 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2024 goto end;
2025
2026 /* Should succeed because it should not already be in the cache */
2027 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2028 goto end;
2029# endif
2030
2031 /* Now do some tests for server side caching */
2032 if (use_ext_cache) {
2033 SSL_CTX_sess_set_new_cb(cctx, NULL);
2034 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2035 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2036 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2037 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2038 get_sess_val = NULL;
2039 }
2040
2041 SSL_CTX_set_session_cache_mode(cctx, 0);
2042 /* Internal caching is the default on the server side */
2043 if (!use_int_cache)
2044 SSL_CTX_set_session_cache_mode(sctx,
2045 SSL_SESS_CACHE_SERVER
2046 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2047
2048 SSL_free(serverssl1);
2049 SSL_free(clientssl1);
2050 serverssl1 = clientssl1 = NULL;
2051 SSL_free(serverssl2);
2052 SSL_free(clientssl2);
2053 serverssl2 = clientssl2 = NULL;
2054 SSL_SESSION_free(sess1);
2055 sess1 = NULL;
2056 SSL_SESSION_free(sess2);
2057 sess2 = NULL;
2058
2059 SSL_CTX_set_max_proto_version(sctx, maxprot);
2060 if (maxprot == TLS1_2_VERSION)
2061 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2062 new_called = remove_called = get_called = 0;
2063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2064 NULL, NULL))
2065 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2066 SSL_ERROR_NONE))
2067 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2068 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2069 goto end;
2070
2071 if (use_int_cache) {
2072 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2073 /*
2074 * In TLSv1.3 it should not have been added to the internal cache,
2075 * except in the case where we also have an external cache (in that
2076 * case it gets added to the cache in order to generate remove
2077 * events after timeout).
2078 */
2079 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2080 goto end;
2081 } else {
2082 /* Should fail because it should already be in the cache */
2083 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2084 goto end;
2085 }
2086 }
2087
2088 if (use_ext_cache) {
2089 SSL_SESSION *tmp = sess2;
2090
2091 if (!TEST_int_eq(new_called, numnewsesstick)
2092 || !TEST_int_eq(remove_called, 0)
2093 || !TEST_int_eq(get_called, 0))
2094 goto end;
2095 /*
2096 * Delete the session from the internal cache to force a lookup from
2097 * the external cache. We take a copy first because
2098 * SSL_CTX_remove_session() also marks the session as non-resumable.
2099 */
2100 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2101 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2102 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2103 goto end;
2104 SSL_SESSION_free(sess2);
2105 }
2106 sess2 = tmp;
2107 }
2108
2109 new_called = remove_called = get_called = 0;
2110 get_sess_val = sess2;
2111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2112 &clientssl2, NULL, NULL))
2113 || !TEST_true(SSL_set_session(clientssl2, sess1))
2114 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2115 SSL_ERROR_NONE))
2116 || !TEST_true(SSL_session_reused(clientssl2)))
2117 goto end;
2118
2119 if (use_ext_cache) {
2120 if (!TEST_int_eq(remove_called, 0))
2121 goto end;
2122
2123 if (maxprot == TLS1_3_VERSION) {
2124 if (!TEST_int_eq(new_called, 1)
2125 || !TEST_int_eq(get_called, 0))
2126 goto end;
2127 } else {
2128 if (!TEST_int_eq(new_called, 0)
2129 || !TEST_int_eq(get_called, 1))
2130 goto end;
2131 }
2132 }
2133
2134 testresult = 1;
2135
2136 end:
2137 SSL_free(serverssl1);
2138 SSL_free(clientssl1);
2139 SSL_free(serverssl2);
2140 SSL_free(clientssl2);
2141# ifndef OPENSSL_NO_TLS1_1
2142 SSL_free(serverssl3);
2143 SSL_free(clientssl3);
2144# endif
2145 SSL_SESSION_free(sess1);
2146 SSL_SESSION_free(sess2);
2147 SSL_CTX_free(sctx);
2148 SSL_CTX_free(cctx);
2149
2150 return testresult;
2151}
2152#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2153
2154static int test_session_with_only_int_cache(void)
2155{
2156#ifndef OSSL_NO_USABLE_TLS1_3
2157 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2158 return 0;
2159#endif
2160
2161#ifndef OPENSSL_NO_TLS1_2
2162 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2163#else
2164 return 1;
2165#endif
2166}
2167
2168static int test_session_with_only_ext_cache(void)
2169{
2170#ifndef OSSL_NO_USABLE_TLS1_3
2171 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2172 return 0;
2173#endif
2174
2175#ifndef OPENSSL_NO_TLS1_2
2176 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2177#else
2178 return 1;
2179#endif
2180}
2181
2182static int test_session_with_both_cache(void)
2183{
2184#ifndef OSSL_NO_USABLE_TLS1_3
2185 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2186 return 0;
2187#endif
2188
2189#ifndef OPENSSL_NO_TLS1_2
2190 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2191#else
2192 return 1;
2193#endif
2194}
2195
2196static int test_session_wo_ca_names(void)
2197{
2198#ifndef OSSL_NO_USABLE_TLS1_3
2199 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2200 return 0;
2201#endif
2202
2203#ifndef OPENSSL_NO_TLS1_2
2204 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2205#else
2206 return 1;
2207#endif
2208}
2209
2210
2211#ifndef OSSL_NO_USABLE_TLS1_3
2212static SSL_SESSION *sesscache[6];
2213static int do_cache;
2214
2215static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2216{
2217 if (do_cache) {
2218 sesscache[new_called] = sess;
2219 } else {
2220 /* We don't need the reference to the session, so free it */
2221 SSL_SESSION_free(sess);
2222 }
2223 new_called++;
2224
2225 return 1;
2226}
2227
2228static int post_handshake_verify(SSL *sssl, SSL *cssl)
2229{
2230 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2231 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2232 return 0;
2233
2234 /* Start handshake on the server and client */
2235 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2236 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2237 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2238 || !TEST_true(create_ssl_connection(sssl, cssl,
2239 SSL_ERROR_NONE)))
2240 return 0;
2241
2242 return 1;
2243}
2244
2245static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2246 SSL_CTX **cctx)
2247{
2248 int sess_id_ctx = 1;
2249
2250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2251 TLS_client_method(), TLS1_VERSION, 0,
2252 sctx, cctx, cert, privkey))
2253 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2254 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2255 (void *)&sess_id_ctx,
2256 sizeof(sess_id_ctx))))
2257 return 0;
2258
2259 if (stateful)
2260 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2261
2262 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2263 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2264 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2265
2266 return 1;
2267}
2268
2269static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2270{
2271 SSL *serverssl = NULL, *clientssl = NULL;
2272 int i;
2273
2274 /* Test that we can resume with all the tickets we got given */
2275 for (i = 0; i < idx * 2; i++) {
2276 new_called = 0;
2277 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2278 &clientssl, NULL, NULL))
2279 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2280 goto end;
2281
2282 SSL_set_post_handshake_auth(clientssl, 1);
2283
2284 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2285 SSL_ERROR_NONE)))
2286 goto end;
2287
2288 /*
2289 * Following a successful resumption we only get 1 ticket. After a
2290 * failed one we should get idx tickets.
2291 */
2292 if (succ) {
2293 if (!TEST_true(SSL_session_reused(clientssl))
2294 || !TEST_int_eq(new_called, 1))
2295 goto end;
2296 } else {
2297 if (!TEST_false(SSL_session_reused(clientssl))
2298 || !TEST_int_eq(new_called, idx))
2299 goto end;
2300 }
2301
2302 new_called = 0;
2303 /* After a post-handshake authentication we should get 1 new ticket */
2304 if (succ
2305 && (!post_handshake_verify(serverssl, clientssl)
2306 || !TEST_int_eq(new_called, 1)))
2307 goto end;
2308
2309 SSL_shutdown(clientssl);
2310 SSL_shutdown(serverssl);
2311 SSL_free(serverssl);
2312 SSL_free(clientssl);
2313 serverssl = clientssl = NULL;
2314 SSL_SESSION_free(sesscache[i]);
2315 sesscache[i] = NULL;
2316 }
2317
2318 return 1;
2319
2320 end:
2321 SSL_free(clientssl);
2322 SSL_free(serverssl);
2323 return 0;
2324}
2325
2326static int test_tickets(int stateful, int idx)
2327{
2328 SSL_CTX *sctx = NULL, *cctx = NULL;
2329 SSL *serverssl = NULL, *clientssl = NULL;
2330 int testresult = 0;
2331 size_t j;
2332
2333 /* idx is the test number, but also the number of tickets we want */
2334
2335 new_called = 0;
2336 do_cache = 1;
2337
2338 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2339 goto end;
2340
2341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2342 &clientssl, NULL, NULL)))
2343 goto end;
2344
2345 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2346 SSL_ERROR_NONE))
2347 /* Check we got the number of tickets we were expecting */
2348 || !TEST_int_eq(idx, new_called))
2349 goto end;
2350
2351 SSL_shutdown(clientssl);
2352 SSL_shutdown(serverssl);
2353 SSL_free(serverssl);
2354 SSL_free(clientssl);
2355 SSL_CTX_free(sctx);
2356 SSL_CTX_free(cctx);
2357 clientssl = serverssl = NULL;
2358 sctx = cctx = NULL;
2359
2360 /*
2361 * Now we try to resume with the tickets we previously created. The
2362 * resumption attempt is expected to fail (because we're now using a new
2363 * SSL_CTX). We should see idx number of tickets issued again.
2364 */
2365
2366 /* Stop caching sessions - just count them */
2367 do_cache = 0;
2368
2369 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2370 goto end;
2371
2372 if (!check_resumption(idx, sctx, cctx, 0))
2373 goto end;
2374
2375 /* Start again with caching sessions */
2376 new_called = 0;
2377 do_cache = 1;
2378 SSL_CTX_free(sctx);
2379 SSL_CTX_free(cctx);
2380 sctx = cctx = NULL;
2381
2382 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2383 goto end;
2384
2385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2386 &clientssl, NULL, NULL)))
2387 goto end;
2388
2389 SSL_set_post_handshake_auth(clientssl, 1);
2390
2391 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2392 SSL_ERROR_NONE))
2393 /* Check we got the number of tickets we were expecting */
2394 || !TEST_int_eq(idx, new_called))
2395 goto end;
2396
2397 /* After a post-handshake authentication we should get new tickets issued */
2398 if (!post_handshake_verify(serverssl, clientssl)
2399 || !TEST_int_eq(idx * 2, new_called))
2400 goto end;
2401
2402 SSL_shutdown(clientssl);
2403 SSL_shutdown(serverssl);
2404 SSL_free(serverssl);
2405 SSL_free(clientssl);
2406 serverssl = clientssl = NULL;
2407
2408 /* Stop caching sessions - just count them */
2409 do_cache = 0;
2410
2411 /*
2412 * Check we can resume with all the tickets we created. This time around the
2413 * resumptions should all be successful.
2414 */
2415 if (!check_resumption(idx, sctx, cctx, 1))
2416 goto end;
2417
2418 testresult = 1;
2419
2420 end:
2421 SSL_free(serverssl);
2422 SSL_free(clientssl);
2423 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2424 SSL_SESSION_free(sesscache[j]);
2425 sesscache[j] = NULL;
2426 }
2427 SSL_CTX_free(sctx);
2428 SSL_CTX_free(cctx);
2429
2430 return testresult;
2431}
2432
2433static int test_stateless_tickets(int idx)
2434{
2435 return test_tickets(0, idx);
2436}
2437
2438static int test_stateful_tickets(int idx)
2439{
2440 return test_tickets(1, idx);
2441}
2442
2443static int test_psk_tickets(void)
2444{
2445 SSL_CTX *sctx = NULL, *cctx = NULL;
2446 SSL *serverssl = NULL, *clientssl = NULL;
2447 int testresult = 0;
2448 int sess_id_ctx = 1;
2449
2450 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2451 TLS_client_method(), TLS1_VERSION, 0,
2452 &sctx, &cctx, NULL, NULL))
2453 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2454 (void *)&sess_id_ctx,
2455 sizeof(sess_id_ctx))))
2456 goto end;
2457
2458 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2459 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2460 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2461 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2462 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2463 use_session_cb_cnt = 0;
2464 find_session_cb_cnt = 0;
2465 srvid = pskid;
2466 new_called = 0;
2467
2468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2469 NULL, NULL)))
2470 goto end;
2471 clientpsk = serverpsk = create_a_psk(clientssl);
2472 if (!TEST_ptr(clientpsk))
2473 goto end;
2474 SSL_SESSION_up_ref(clientpsk);
2475
2476 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2477 SSL_ERROR_NONE))
2478 || !TEST_int_eq(1, find_session_cb_cnt)
2479 || !TEST_int_eq(1, use_session_cb_cnt)
2480 /* We should always get 1 ticket when using external PSK */
2481 || !TEST_int_eq(1, new_called))
2482 goto end;
2483
2484 testresult = 1;
2485
2486 end:
2487 SSL_free(serverssl);
2488 SSL_free(clientssl);
2489 SSL_CTX_free(sctx);
2490 SSL_CTX_free(cctx);
2491 SSL_SESSION_free(clientpsk);
2492 SSL_SESSION_free(serverpsk);
2493 clientpsk = serverpsk = NULL;
2494
2495 return testresult;
2496}
2497
2498static int test_extra_tickets(int idx)
2499{
2500 SSL_CTX *sctx = NULL, *cctx = NULL;
2501 SSL *serverssl = NULL, *clientssl = NULL;
2502 BIO *bretry = BIO_new(bio_s_always_retry());
2503 BIO *tmp = NULL;
2504 int testresult = 0;
2505 int stateful = 0;
2506 size_t nbytes;
2507 unsigned char c, buf[1];
2508
2509 new_called = 0;
2510 do_cache = 1;
2511
2512 if (idx >= 3) {
2513 idx -= 3;
2514 stateful = 1;
2515 }
2516
2517 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2518 goto end;
2519 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2520 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2521 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2522
2523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2524 &clientssl, NULL, NULL)))
2525 goto end;
2526
2527 /*
2528 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2529 * incremented by both client and server.
2530 */
2531 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2532 SSL_ERROR_NONE))
2533 /* Check we got the number of tickets we were expecting */
2534 || !TEST_int_eq(idx * 2, new_called)
2535 || !TEST_true(SSL_new_session_ticket(serverssl))
2536 || !TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_int_eq(idx * 2, new_called))
2538 goto end;
2539
2540 /* Now try a (real) write to actually send the tickets */
2541 c = '1';
2542 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2543 || !TEST_size_t_eq(1, nbytes)
2544 || !TEST_int_eq(idx * 2 + 2, new_called)
2545 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2546 || !TEST_int_eq(idx * 2 + 4, new_called)
2547 || !TEST_int_eq(sizeof(buf), nbytes)
2548 || !TEST_int_eq(c, buf[0])
2549 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2550 goto end;
2551
2552 /* Try with only requesting one new ticket, too */
2553 c = '2';
2554 new_called = 0;
2555 if (!TEST_true(SSL_new_session_ticket(serverssl))
2556 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2557 || !TEST_size_t_eq(sizeof(c), nbytes)
2558 || !TEST_int_eq(1, new_called)
2559 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2560 || !TEST_int_eq(2, new_called)
2561 || !TEST_size_t_eq(sizeof(buf), nbytes)
2562 || !TEST_int_eq(c, buf[0]))
2563 goto end;
2564
2565 /* Do it again but use dummy writes to drive the ticket generation */
2566 c = '3';
2567 new_called = 0;
2568 if (!TEST_true(SSL_new_session_ticket(serverssl))
2569 || !TEST_true(SSL_new_session_ticket(serverssl))
2570 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2571 || !TEST_size_t_eq(0, nbytes)
2572 || !TEST_int_eq(2, new_called)
2573 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2574 || !TEST_int_eq(4, new_called))
2575 goto end;
2576
2577 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2578 c = '4';
2579 new_called = 0;
2580 if (!TEST_true(SSL_new_session_ticket(serverssl))
2581 || !TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_do_handshake(serverssl))
2583 || !TEST_int_eq(2, new_called)
2584 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2585 || !TEST_int_eq(4, new_called))
2586 goto end;
2587
2588 /*
2589 * Use the always-retry BIO to exercise the logic that forces ticket
2590 * generation to wait until a record boundary.
2591 */
2592 c = '5';
2593 new_called = 0;
2594 tmp = SSL_get_wbio(serverssl);
2595 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2596 tmp = NULL;
2597 goto end;
2598 }
2599 SSL_set0_wbio(serverssl, bretry);
2600 bretry = NULL;
2601 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2602 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2603 || !TEST_size_t_eq(nbytes, 0))
2604 goto end;
2605 /* Restore a BIO that will let the write succeed */
2606 SSL_set0_wbio(serverssl, tmp);
2607 tmp = NULL;
2608 /*
2609 * These calls should just queue the request and not send anything
2610 * even if we explicitly try to hit the state machine.
2611 */
2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_int_eq(0, new_called)
2615 || !TEST_true(SSL_do_handshake(serverssl))
2616 || !TEST_int_eq(0, new_called))
2617 goto end;
2618 /* Re-do the write; still no tickets sent */
2619 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2620 || !TEST_size_t_eq(1, nbytes)
2621 || !TEST_int_eq(0, new_called)
2622 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2623 || !TEST_int_eq(0, new_called)
2624 || !TEST_int_eq(sizeof(buf), nbytes)
2625 || !TEST_int_eq(c, buf[0])
2626 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2627 goto end;
2628 /* Even trying to hit the state machine now will still not send tickets */
2629 if (!TEST_true(SSL_do_handshake(serverssl))
2630 || !TEST_int_eq(0, new_called))
2631 goto end;
2632 /* Now the *next* write should send the tickets */
2633 c = '6';
2634 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2635 || !TEST_size_t_eq(1, nbytes)
2636 || !TEST_int_eq(2, new_called)
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2638 || !TEST_int_eq(4, new_called)
2639 || !TEST_int_eq(sizeof(buf), nbytes)
2640 || !TEST_int_eq(c, buf[0])
2641 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2642 goto end;
2643
2644 SSL_shutdown(clientssl);
2645 SSL_shutdown(serverssl);
2646 testresult = 1;
2647
2648 end:
2649 BIO_free(bretry);
2650 BIO_free(tmp);
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2653 SSL_CTX_free(sctx);
2654 SSL_CTX_free(cctx);
2655 clientssl = serverssl = NULL;
2656 sctx = cctx = NULL;
2657 return testresult;
2658}
2659#endif
2660
2661#define USE_NULL 0
2662#define USE_BIO_1 1
2663#define USE_BIO_2 2
2664#define USE_DEFAULT 3
2665
2666#define CONNTYPE_CONNECTION_SUCCESS 0
2667#define CONNTYPE_CONNECTION_FAIL 1
2668#define CONNTYPE_NO_CONNECTION 2
2669
2670#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2671#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2672#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2673# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2674#else
2675# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2676#endif
2677
2678#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2679 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2680 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2681
2682static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2683{
2684 switch (type) {
2685 case USE_NULL:
2686 *res = NULL;
2687 break;
2688 case USE_BIO_1:
2689 *res = bio1;
2690 break;
2691 case USE_BIO_2:
2692 *res = bio2;
2693 break;
2694 }
2695}
2696
2697
2698/*
2699 * Tests calls to SSL_set_bio() under various conditions.
2700 *
2701 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2702 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2703 * then do more tests where we create a successful connection first using our
2704 * standard connection setup functions, and then call SSL_set_bio() with
2705 * various combinations of valid BIOs or NULL. We then repeat these tests
2706 * following a failed connection. In this last case we are looking to check that
2707 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2708 */
2709static int test_ssl_set_bio(int idx)
2710{
2711 SSL_CTX *sctx = NULL, *cctx = NULL;
2712 BIO *bio1 = NULL;
2713 BIO *bio2 = NULL;
2714 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2715 SSL *serverssl = NULL, *clientssl = NULL;
2716 int initrbio, initwbio, newrbio, newwbio, conntype;
2717 int testresult = 0;
2718
2719 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2720 initrbio = idx % 3;
2721 idx /= 3;
2722 initwbio = idx % 3;
2723 idx /= 3;
2724 newrbio = idx % 3;
2725 idx /= 3;
2726 newwbio = idx % 3;
2727 conntype = CONNTYPE_NO_CONNECTION;
2728 } else {
2729 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2730 initrbio = initwbio = USE_DEFAULT;
2731 newrbio = idx % 2;
2732 idx /= 2;
2733 newwbio = idx % 2;
2734 idx /= 2;
2735 conntype = idx % 2;
2736 }
2737
2738 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2739 TLS_client_method(), TLS1_VERSION, 0,
2740 &sctx, &cctx, cert, privkey)))
2741 goto end;
2742
2743 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2744 /*
2745 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2746 * because we reduced the number of tests in the definition of
2747 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2748 * mismatched protocol versions we will force a connection failure.
2749 */
2750 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2751 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2752 }
2753
2754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2755 NULL, NULL)))
2756 goto end;
2757
2758 if (initrbio == USE_BIO_1
2759 || initwbio == USE_BIO_1
2760 || newrbio == USE_BIO_1
2761 || newwbio == USE_BIO_1) {
2762 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2763 goto end;
2764 }
2765
2766 if (initrbio == USE_BIO_2
2767 || initwbio == USE_BIO_2
2768 || newrbio == USE_BIO_2
2769 || newwbio == USE_BIO_2) {
2770 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2771 goto end;
2772 }
2773
2774 if (initrbio != USE_DEFAULT) {
2775 setupbio(&irbio, bio1, bio2, initrbio);
2776 setupbio(&iwbio, bio1, bio2, initwbio);
2777 SSL_set_bio(clientssl, irbio, iwbio);
2778
2779 /*
2780 * We want to maintain our own refs to these BIO, so do an up ref for
2781 * each BIO that will have ownership transferred in the SSL_set_bio()
2782 * call
2783 */
2784 if (irbio != NULL)
2785 BIO_up_ref(irbio);
2786 if (iwbio != NULL && iwbio != irbio)
2787 BIO_up_ref(iwbio);
2788 }
2789
2790 if (conntype != CONNTYPE_NO_CONNECTION
2791 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2792 SSL_ERROR_NONE)
2793 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2794 goto end;
2795
2796 setupbio(&nrbio, bio1, bio2, newrbio);
2797 setupbio(&nwbio, bio1, bio2, newwbio);
2798
2799 /*
2800 * We will (maybe) transfer ownership again so do more up refs.
2801 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2802 * already been set!
2803 */
2804 if (nrbio != NULL
2805 && nrbio != irbio
2806 && (nwbio != iwbio || nrbio != nwbio))
2807 BIO_up_ref(nrbio);
2808 if (nwbio != NULL
2809 && nwbio != nrbio
2810 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2811 BIO_up_ref(nwbio);
2812
2813 SSL_set_bio(clientssl, nrbio, nwbio);
2814
2815 testresult = 1;
2816
2817 end:
2818 BIO_free(bio1);
2819 BIO_free(bio2);
2820
2821 /*
2822 * This test is checking that the ref counting for SSL_set_bio is correct.
2823 * If we get here and we did too many frees then we will fail in the above
2824 * functions.
2825 */
2826 SSL_free(serverssl);
2827 SSL_free(clientssl);
2828 SSL_CTX_free(sctx);
2829 SSL_CTX_free(cctx);
2830 return testresult;
2831}
2832
2833typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2834
2835static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2836{
2837 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2838 SSL_CTX *ctx;
2839 SSL *ssl = NULL;
2840 int testresult = 0;
2841
2842 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
2843 || !TEST_ptr(ssl = SSL_new(ctx))
2844 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2845 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2846 goto end;
2847
2848 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2849
2850 /*
2851 * If anything goes wrong here then we could leak memory.
2852 */
2853 BIO_push(sslbio, membio1);
2854
2855 /* Verify changing the rbio/wbio directly does not cause leaks */
2856 if (change_bio != NO_BIO_CHANGE) {
2857 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2858 ssl = NULL;
2859 goto end;
2860 }
2861 if (change_bio == CHANGE_RBIO)
2862 SSL_set0_rbio(ssl, membio2);
2863 else
2864 SSL_set0_wbio(ssl, membio2);
2865 }
2866 ssl = NULL;
2867
2868 if (pop_ssl)
2869 BIO_pop(sslbio);
2870 else
2871 BIO_pop(membio1);
2872
2873 testresult = 1;
2874 end:
2875 BIO_free(membio1);
2876 BIO_free(sslbio);
2877 SSL_free(ssl);
2878 SSL_CTX_free(ctx);
2879
2880 return testresult;
2881}
2882
2883static int test_ssl_bio_pop_next_bio(void)
2884{
2885 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2886}
2887
2888static int test_ssl_bio_pop_ssl_bio(void)
2889{
2890 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2891}
2892
2893static int test_ssl_bio_change_rbio(void)
2894{
2895 return execute_test_ssl_bio(0, CHANGE_RBIO);
2896}
2897
2898static int test_ssl_bio_change_wbio(void)
2899{
2900 return execute_test_ssl_bio(0, CHANGE_WBIO);
2901}
2902
2903#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
2904typedef struct {
2905 /* The list of sig algs */
2906 const int *list;
2907 /* The length of the list */
2908 size_t listlen;
2909 /* A sigalgs list in string format */
2910 const char *liststr;
2911 /* Whether setting the list should succeed */
2912 int valid;
2913 /* Whether creating a connection with the list should succeed */
2914 int connsuccess;
2915} sigalgs_list;
2916
2917static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2918# ifndef OPENSSL_NO_EC
2919static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2920static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2921# endif
2922static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2923static const int invalidlist2[] = {NID_sha256, NID_undef};
2924static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2925static const int invalidlist4[] = {NID_sha256};
2926static const sigalgs_list testsigalgs[] = {
2927 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2928# ifndef OPENSSL_NO_EC
2929 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2930 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2931# endif
2932 {NULL, 0, "RSA+SHA256", 1, 1},
2933# ifndef OPENSSL_NO_EC
2934 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2935 {NULL, 0, "ECDSA+SHA512", 1, 0},
2936# endif
2937 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2938 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2939 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2940 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2941 {NULL, 0, "RSA", 0, 0},
2942 {NULL, 0, "SHA256", 0, 0},
2943 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2944 {NULL, 0, "Invalid", 0, 0}
2945};
2946
2947static int test_set_sigalgs(int idx)
2948{
2949 SSL_CTX *cctx = NULL, *sctx = NULL;
2950 SSL *clientssl = NULL, *serverssl = NULL;
2951 int testresult = 0;
2952 const sigalgs_list *curr;
2953 int testctx;
2954
2955 /* Should never happen */
2956 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2957 return 0;
2958
2959 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2960 curr = testctx ? &testsigalgs[idx]
2961 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2962
2963 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2964 TLS_client_method(), TLS1_VERSION, 0,
2965 &sctx, &cctx, cert, privkey)))
2966 return 0;
2967
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2969
2970 if (testctx) {
2971 int ret;
2972
2973 if (curr->list != NULL)
2974 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2975 else
2976 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2977
2978 if (!ret) {
2979 if (curr->valid)
2980 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2981 else
2982 testresult = 1;
2983 goto end;
2984 }
2985 if (!curr->valid) {
2986 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2987 goto end;
2988 }
2989 }
2990
2991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2992 &clientssl, NULL, NULL)))
2993 goto end;
2994
2995 if (!testctx) {
2996 int ret;
2997
2998 if (curr->list != NULL)
2999 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3000 else
3001 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3002 if (!ret) {
3003 if (curr->valid)
3004 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3005 else
3006 testresult = 1;
3007 goto end;
3008 }
3009 if (!curr->valid)
3010 goto end;
3011 }
3012
3013 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3014 SSL_ERROR_NONE),
3015 curr->connsuccess))
3016 goto end;
3017
3018 testresult = 1;
3019
3020 end:
3021 SSL_free(serverssl);
3022 SSL_free(clientssl);
3023 SSL_CTX_free(sctx);
3024 SSL_CTX_free(cctx);
3025
3026 return testresult;
3027}
3028#endif
3029
3030#ifndef OSSL_NO_USABLE_TLS1_3
3031static int psk_client_cb_cnt = 0;
3032static int psk_server_cb_cnt = 0;
3033
3034static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3035 size_t *idlen, SSL_SESSION **sess)
3036{
3037 switch (++use_session_cb_cnt) {
3038 case 1:
3039 /* The first call should always have a NULL md */
3040 if (md != NULL)
3041 return 0;
3042 break;
3043
3044 case 2:
3045 /* The second call should always have an md */
3046 if (md == NULL)
3047 return 0;
3048 break;
3049
3050 default:
3051 /* We should only be called a maximum of twice */
3052 return 0;
3053 }
3054
3055 if (clientpsk != NULL)
3056 SSL_SESSION_up_ref(clientpsk);
3057
3058 *sess = clientpsk;
3059 *id = (const unsigned char *)pskid;
3060 *idlen = strlen(pskid);
3061
3062 return 1;
3063}
3064
3065#ifndef OPENSSL_NO_PSK
3066static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3067 unsigned int max_id_len,
3068 unsigned char *psk,
3069 unsigned int max_psk_len)
3070{
3071 unsigned int psklen = 0;
3072
3073 psk_client_cb_cnt++;
3074
3075 if (strlen(pskid) + 1 > max_id_len)
3076 return 0;
3077
3078 /* We should only ever be called a maximum of twice per connection */
3079 if (psk_client_cb_cnt > 2)
3080 return 0;
3081
3082 if (clientpsk == NULL)
3083 return 0;
3084
3085 /* We'll reuse the PSK we set up for TLSv1.3 */
3086 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3087 return 0;
3088 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3089 strncpy(id, pskid, max_id_len);
3090
3091 return psklen;
3092}
3093#endif /* OPENSSL_NO_PSK */
3094
3095static int find_session_cb(SSL *ssl, const unsigned char *identity,
3096 size_t identity_len, SSL_SESSION **sess)
3097{
3098 find_session_cb_cnt++;
3099
3100 /* We should only ever be called a maximum of twice per connection */
3101 if (find_session_cb_cnt > 2)
3102 return 0;
3103
3104 if (serverpsk == NULL)
3105 return 0;
3106
3107 /* Identity should match that set by the client */
3108 if (strlen(srvid) != identity_len
3109 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3110 /* No PSK found, continue but without a PSK */
3111 *sess = NULL;
3112 return 1;
3113 }
3114
3115 SSL_SESSION_up_ref(serverpsk);
3116 *sess = serverpsk;
3117
3118 return 1;
3119}
3120
3121#ifndef OPENSSL_NO_PSK
3122static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3123 unsigned char *psk, unsigned int max_psk_len)
3124{
3125 unsigned int psklen = 0;
3126
3127 psk_server_cb_cnt++;
3128
3129 /* We should only ever be called a maximum of twice per connection */
3130 if (find_session_cb_cnt > 2)
3131 return 0;
3132
3133 if (serverpsk == NULL)
3134 return 0;
3135
3136 /* Identity should match that set by the client */
3137 if (strcmp(srvid, identity) != 0) {
3138 return 0;
3139 }
3140
3141 /* We'll reuse the PSK we set up for TLSv1.3 */
3142 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3143 return 0;
3144 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3145
3146 return psklen;
3147}
3148#endif /* OPENSSL_NO_PSK */
3149
3150#define MSG1 "Hello"
3151#define MSG2 "World."
3152#define MSG3 "This"
3153#define MSG4 "is"
3154#define MSG5 "a"
3155#define MSG6 "test"
3156#define MSG7 "message."
3157
3158#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3159#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3160#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3161#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3162#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3163
3164
3165static SSL_SESSION *create_a_psk(SSL *ssl)
3166{
3167 const SSL_CIPHER *cipher = NULL;
3168 const unsigned char key[] = {
3169 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3170 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3171 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3172 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3173 0x2c, 0x2d, 0x2e, 0x2f
3174 };
3175 SSL_SESSION *sess = NULL;
3176
3177 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3178 sess = SSL_SESSION_new();
3179 if (!TEST_ptr(sess)
3180 || !TEST_ptr(cipher)
3181 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3182 sizeof(key)))
3183 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3184 || !TEST_true(
3185 SSL_SESSION_set_protocol_version(sess,
3186 TLS1_3_VERSION))) {
3187 SSL_SESSION_free(sess);
3188 return NULL;
3189 }
3190 return sess;
3191}
3192
3193/*
3194 * Helper method to setup objects for early data test. Caller frees objects on
3195 * error.
3196 */
3197static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3198 SSL **serverssl, SSL_SESSION **sess, int idx)
3199{
3200 if (*sctx == NULL
3201 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3202 TLS_client_method(),
3203 TLS1_VERSION, 0,
3204 sctx, cctx, cert, privkey)))
3205 return 0;
3206
3207 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3208 return 0;
3209
3210 if (idx == 1) {
3211 /* When idx == 1 we repeat the tests with read_ahead set */
3212 SSL_CTX_set_read_ahead(*cctx, 1);
3213 SSL_CTX_set_read_ahead(*sctx, 1);
3214 } else if (idx == 2) {
3215 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3216 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3217 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3218 use_session_cb_cnt = 0;
3219 find_session_cb_cnt = 0;
3220 srvid = pskid;
3221 }
3222
3223 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3224 NULL, NULL)))
3225 return 0;
3226
3227 /*
3228 * For one of the run throughs (doesn't matter which one), we'll try sending
3229 * some SNI data in the initial ClientHello. This will be ignored (because
3230 * there is no SNI cb set up by the server), so it should not impact
3231 * early_data.
3232 */
3233 if (idx == 1
3234 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3235 return 0;
3236
3237 if (idx == 2) {
3238 clientpsk = create_a_psk(*clientssl);
3239 if (!TEST_ptr(clientpsk)
3240 /*
3241 * We just choose an arbitrary value for max_early_data which
3242 * should be big enough for testing purposes.
3243 */
3244 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3245 0x100))
3246 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3247 SSL_SESSION_free(clientpsk);
3248 clientpsk = NULL;
3249 return 0;
3250 }
3251 serverpsk = clientpsk;
3252
3253 if (sess != NULL) {
3254 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3255 SSL_SESSION_free(clientpsk);
3256 SSL_SESSION_free(serverpsk);
3257 clientpsk = serverpsk = NULL;
3258 return 0;
3259 }
3260 *sess = clientpsk;
3261 }
3262 return 1;
3263 }
3264
3265 if (sess == NULL)
3266 return 1;
3267
3268 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3269 SSL_ERROR_NONE)))
3270 return 0;
3271
3272 *sess = SSL_get1_session(*clientssl);
3273 SSL_shutdown(*clientssl);
3274 SSL_shutdown(*serverssl);
3275 SSL_free(*serverssl);
3276 SSL_free(*clientssl);
3277 *serverssl = *clientssl = NULL;
3278
3279 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3280 clientssl, NULL, NULL))
3281 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3282 return 0;
3283
3284 return 1;
3285}
3286
3287static int test_early_data_read_write(int idx)
3288{
3289 SSL_CTX *cctx = NULL, *sctx = NULL;
3290 SSL *clientssl = NULL, *serverssl = NULL;
3291 int testresult = 0;
3292 SSL_SESSION *sess = NULL;
3293 unsigned char buf[20], data[1024];
3294 size_t readbytes, written, eoedlen, rawread, rawwritten;
3295 BIO *rbio;
3296
3297 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3298 &serverssl, &sess, idx)))
3299 goto end;
3300
3301 /* Write and read some early data */
3302 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3303 &written))
3304 || !TEST_size_t_eq(written, strlen(MSG1))
3305 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3306 sizeof(buf), &readbytes),
3307 SSL_READ_EARLY_DATA_SUCCESS)
3308 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3309 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3310 SSL_EARLY_DATA_ACCEPTED))
3311 goto end;
3312
3313 /*
3314 * Server should be able to write data, and client should be able to
3315 * read it.
3316 */
3317 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3318 &written))
3319 || !TEST_size_t_eq(written, strlen(MSG2))
3320 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3321 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3322 goto end;
3323
3324 /* Even after reading normal data, client should be able write early data */
3325 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3326 &written))
3327 || !TEST_size_t_eq(written, strlen(MSG3)))
3328 goto end;
3329
3330 /* Server should still be able read early data after writing data */
3331 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3332 &readbytes),
3333 SSL_READ_EARLY_DATA_SUCCESS)
3334 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3335 goto end;
3336
3337 /* Write more data from server and read it from client */
3338 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3339 &written))
3340 || !TEST_size_t_eq(written, strlen(MSG4))
3341 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3342 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3343 goto end;
3344
3345 /*
3346 * If client writes normal data it should mean writing early data is no
3347 * longer possible.
3348 */
3349 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3350 || !TEST_size_t_eq(written, strlen(MSG5))
3351 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3352 SSL_EARLY_DATA_ACCEPTED))
3353 goto end;
3354
3355 /*
3356 * At this point the client has written EndOfEarlyData, ClientFinished and
3357 * normal (fully protected) data. We are going to cause a delay between the
3358 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3359 * in the read BIO, and then just put back the EndOfEarlyData message.
3360 */
3361 rbio = SSL_get_rbio(serverssl);
3362 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3363 || !TEST_size_t_lt(rawread, sizeof(data))
3364 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3365 goto end;
3366
3367 /* Record length is in the 4th and 5th bytes of the record header */
3368 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3369 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3370 || !TEST_size_t_eq(rawwritten, eoedlen))
3371 goto end;
3372
3373 /* Server should be told that there is no more early data */
3374 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 &readbytes),
3376 SSL_READ_EARLY_DATA_FINISH)
3377 || !TEST_size_t_eq(readbytes, 0))
3378 goto end;
3379
3380 /*
3381 * Server has not finished init yet, so should still be able to write early
3382 * data.
3383 */
3384 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3385 &written))
3386 || !TEST_size_t_eq(written, strlen(MSG6)))
3387 goto end;
3388
3389 /* Push the ClientFinished and the normal data back into the server rbio */
3390 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3391 &rawwritten))
3392 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3393 goto end;
3394
3395 /* Server should be able to read normal data */
3396 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3397 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3398 goto end;
3399
3400 /* Client and server should not be able to write/read early data now */
3401 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3402 &written)))
3403 goto end;
3404 ERR_clear_error();
3405 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3406 &readbytes),
3407 SSL_READ_EARLY_DATA_ERROR))
3408 goto end;
3409 ERR_clear_error();
3410
3411 /* Client should be able to read the data sent by the server */
3412 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3413 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3414 goto end;
3415
3416 /*
3417 * Make sure we process the two NewSessionTickets. These arrive
3418 * post-handshake. We attempt reads which we do not expect to return any
3419 * data.
3420 */
3421 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3422 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3423 &readbytes)))
3424 goto end;
3425
3426 /* Server should be able to write normal data */
3427 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3428 || !TEST_size_t_eq(written, strlen(MSG7))
3429 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3430 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3431 goto end;
3432
3433 SSL_SESSION_free(sess);
3434 sess = SSL_get1_session(clientssl);
3435 use_session_cb_cnt = 0;
3436 find_session_cb_cnt = 0;
3437
3438 SSL_shutdown(clientssl);
3439 SSL_shutdown(serverssl);
3440 SSL_free(serverssl);
3441 SSL_free(clientssl);
3442 serverssl = clientssl = NULL;
3443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3444 &clientssl, NULL, NULL))
3445 || !TEST_true(SSL_set_session(clientssl, sess)))
3446 goto end;
3447
3448 /* Write and read some early data */
3449 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3450 &written))
3451 || !TEST_size_t_eq(written, strlen(MSG1))
3452 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3453 &readbytes),
3454 SSL_READ_EARLY_DATA_SUCCESS)
3455 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3456 goto end;
3457
3458 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3459 || !TEST_int_gt(SSL_accept(serverssl), 0))
3460 goto end;
3461
3462 /* Client and server should not be able to write/read early data now */
3463 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3464 &written)))
3465 goto end;
3466 ERR_clear_error();
3467 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3468 &readbytes),
3469 SSL_READ_EARLY_DATA_ERROR))
3470 goto end;
3471 ERR_clear_error();
3472
3473 /* Client and server should be able to write/read normal data */
3474 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3475 || !TEST_size_t_eq(written, strlen(MSG5))
3476 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3477 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3478 goto end;
3479
3480 testresult = 1;
3481
3482 end:
3483 SSL_SESSION_free(sess);
3484 SSL_SESSION_free(clientpsk);
3485 SSL_SESSION_free(serverpsk);
3486 clientpsk = serverpsk = NULL;
3487 SSL_free(serverssl);
3488 SSL_free(clientssl);
3489 SSL_CTX_free(sctx);
3490 SSL_CTX_free(cctx);
3491 return testresult;
3492}
3493
3494static int allow_ed_cb_called = 0;
3495
3496static int allow_early_data_cb(SSL *s, void *arg)
3497{
3498 int *usecb = (int *)arg;
3499
3500 allow_ed_cb_called++;
3501
3502 if (*usecb == 1)
3503 return 0;
3504
3505 return 1;
3506}
3507
3508/*
3509 * idx == 0: Standard early_data setup
3510 * idx == 1: early_data setup using read_ahead
3511 * usecb == 0: Don't use a custom early data callback
3512 * usecb == 1: Use a custom early data callback and reject the early data
3513 * usecb == 2: Use a custom early data callback and accept the early data
3514 * confopt == 0: Configure anti-replay directly
3515 * confopt == 1: Configure anti-replay using SSL_CONF
3516 */
3517static int test_early_data_replay_int(int idx, int usecb, int confopt)
3518{
3519 SSL_CTX *cctx = NULL, *sctx = NULL;
3520 SSL *clientssl = NULL, *serverssl = NULL;
3521 int testresult = 0;
3522 SSL_SESSION *sess = NULL;
3523 size_t readbytes, written;
3524 unsigned char buf[20];
3525
3526 allow_ed_cb_called = 0;
3527
3528 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3529 TLS_client_method(), TLS1_VERSION, 0,
3530 &sctx, &cctx, cert, privkey)))
3531 return 0;
3532
3533 if (usecb > 0) {
3534 if (confopt == 0) {
3535 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3536 } else {
3537 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3538
3539 if (!TEST_ptr(confctx))
3540 goto end;
3541 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3542 | SSL_CONF_FLAG_SERVER);
3543 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3544 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3545 2)) {
3546 SSL_CONF_CTX_free(confctx);
3547 goto end;
3548 }
3549 SSL_CONF_CTX_free(confctx);
3550 }
3551 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3552 }
3553
3554 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3555 &serverssl, &sess, idx)))
3556 goto end;
3557
3558 /*
3559 * The server is configured to accept early data. Create a connection to
3560 * "use up" the ticket
3561 */
3562 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3563 || !TEST_true(SSL_session_reused(clientssl)))
3564 goto end;
3565
3566 SSL_shutdown(clientssl);
3567 SSL_shutdown(serverssl);
3568 SSL_free(serverssl);
3569 SSL_free(clientssl);
3570 serverssl = clientssl = NULL;
3571
3572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3573 &clientssl, NULL, NULL))
3574 || !TEST_true(SSL_set_session(clientssl, sess)))
3575 goto end;
3576
3577 /* Write and read some early data */
3578 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3579 &written))
3580 || !TEST_size_t_eq(written, strlen(MSG1)))
3581 goto end;
3582
3583 if (usecb <= 1) {
3584 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3585 &readbytes),
3586 SSL_READ_EARLY_DATA_FINISH)
3587 /*
3588 * The ticket was reused, so the we should have rejected the
3589 * early data
3590 */
3591 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3592 SSL_EARLY_DATA_REJECTED))
3593 goto end;
3594 } else {
3595 /* In this case the callback decides to accept the early data */
3596 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3597 &readbytes),
3598 SSL_READ_EARLY_DATA_SUCCESS)
3599 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3600 /*
3601 * Server will have sent its flight so client can now send
3602 * end of early data and complete its half of the handshake
3603 */
3604 || !TEST_int_gt(SSL_connect(clientssl), 0)
3605 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3606 &readbytes),
3607 SSL_READ_EARLY_DATA_FINISH)
3608 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3609 SSL_EARLY_DATA_ACCEPTED))
3610 goto end;
3611 }
3612
3613 /* Complete the connection */
3614 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3615 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3616 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3617 goto end;
3618
3619 testresult = 1;
3620
3621 end:
3622 SSL_SESSION_free(sess);
3623 SSL_SESSION_free(clientpsk);
3624 SSL_SESSION_free(serverpsk);
3625 clientpsk = serverpsk = NULL;
3626 SSL_free(serverssl);
3627 SSL_free(clientssl);
3628 SSL_CTX_free(sctx);
3629 SSL_CTX_free(cctx);
3630 return testresult;
3631}
3632
3633static int test_early_data_replay(int idx)
3634{
3635 int ret = 1, usecb, confopt;
3636
3637 for (usecb = 0; usecb < 3; usecb++) {
3638 for (confopt = 0; confopt < 2; confopt++)
3639 ret &= test_early_data_replay_int(idx, usecb, confopt);
3640 }
3641
3642 return ret;
3643}
3644
3645/*
3646 * Helper function to test that a server attempting to read early data can
3647 * handle a connection from a client where the early data should be skipped.
3648 * testtype: 0 == No HRR
3649 * testtype: 1 == HRR
3650 * testtype: 2 == HRR, invalid early_data sent after HRR
3651 * testtype: 3 == recv_max_early_data set to 0
3652 */
3653static int early_data_skip_helper(int testtype, int idx)
3654{
3655 SSL_CTX *cctx = NULL, *sctx = NULL;
3656 SSL *clientssl = NULL, *serverssl = NULL;
3657 int testresult = 0;
3658 SSL_SESSION *sess = NULL;
3659 unsigned char buf[20];
3660 size_t readbytes, written;
3661
3662 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3663 &serverssl, &sess, idx)))
3664 goto end;
3665
3666 if (testtype == 1 || testtype == 2) {
3667 /* Force an HRR to occur */
3668#if defined(OPENSSL_NO_EC)
3669 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3670 goto end;
3671#else
3672 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3673 goto end;
3674#endif
3675 } else if (idx == 2) {
3676 /*
3677 * We force early_data rejection by ensuring the PSK identity is
3678 * unrecognised
3679 */
3680 srvid = "Dummy Identity";
3681 } else {
3682 /*
3683 * Deliberately corrupt the creation time. We take 20 seconds off the
3684 * time. It could be any value as long as it is not within tolerance.
3685 * This should mean the ticket is rejected.
3686 */
3687 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3688 goto end;
3689 }
3690
3691 if (testtype == 3
3692 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3693 goto end;
3694
3695 /* Write some early data */
3696 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3697 &written))
3698 || !TEST_size_t_eq(written, strlen(MSG1)))
3699 goto end;
3700
3701 /* Server should reject the early data */
3702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3703 &readbytes),
3704 SSL_READ_EARLY_DATA_FINISH)
3705 || !TEST_size_t_eq(readbytes, 0)
3706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3707 SSL_EARLY_DATA_REJECTED))
3708 goto end;
3709
3710 switch (testtype) {
3711 case 0:
3712 /* Nothing to do */
3713 break;
3714
3715 case 1:
3716 /*
3717 * Finish off the handshake. We perform the same writes and reads as
3718 * further down but we expect them to fail due to the incomplete
3719 * handshake.
3720 */
3721 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3722 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3723 &readbytes)))
3724 goto end;
3725 break;
3726
3727 case 2:
3728 {
3729 BIO *wbio = SSL_get_wbio(clientssl);
3730 /* A record that will appear as bad early_data */
3731 const unsigned char bad_early_data[] = {
3732 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3733 };
3734
3735 /*
3736 * We force the client to attempt a write. This will fail because
3737 * we're still in the handshake. It will cause the second
3738 * ClientHello to be sent.
3739 */
3740 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3741 &written)))
3742 goto end;
3743
3744 /*
3745 * Inject some early_data after the second ClientHello. This should
3746 * cause the server to fail
3747 */
3748 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3749 sizeof(bad_early_data), &written)))
3750 goto end;
3751 }
3752 /* fallthrough */
3753
3754 case 3:
3755 /*
3756 * This client has sent more early_data than we are willing to skip
3757 * (case 3) or sent invalid early_data (case 2) so the connection should
3758 * abort.
3759 */
3760 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3762 goto end;
3763
3764 /* Connection has failed - nothing more to do */
3765 testresult = 1;
3766 goto end;
3767
3768 default:
3769 TEST_error("Invalid test type");
3770 goto end;
3771 }
3772
3773 /*
3774 * Should be able to send normal data despite rejection of early data. The
3775 * early_data should be skipped.
3776 */
3777 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3778 || !TEST_size_t_eq(written, strlen(MSG2))
3779 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3780 SSL_EARLY_DATA_REJECTED)
3781 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3782 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3783 goto end;
3784
3785 testresult = 1;
3786
3787 end:
3788 SSL_SESSION_free(clientpsk);
3789 SSL_SESSION_free(serverpsk);
3790 clientpsk = serverpsk = NULL;
3791 SSL_SESSION_free(sess);
3792 SSL_free(serverssl);
3793 SSL_free(clientssl);
3794 SSL_CTX_free(sctx);
3795 SSL_CTX_free(cctx);
3796 return testresult;
3797}
3798
3799/*
3800 * Test that a server attempting to read early data can handle a connection
3801 * from a client where the early data is not acceptable.
3802 */
3803static int test_early_data_skip(int idx)
3804{
3805 return early_data_skip_helper(0, idx);
3806}
3807
3808/*
3809 * Test that a server attempting to read early data can handle a connection
3810 * from a client where an HRR occurs.
3811 */
3812static int test_early_data_skip_hrr(int idx)
3813{
3814 return early_data_skip_helper(1, idx);
3815}
3816
3817/*
3818 * Test that a server attempting to read early data can handle a connection
3819 * from a client where an HRR occurs and correctly fails if early_data is sent
3820 * after the HRR
3821 */
3822static int test_early_data_skip_hrr_fail(int idx)
3823{
3824 return early_data_skip_helper(2, idx);
3825}
3826
3827/*
3828 * Test that a server attempting to read early data will abort if it tries to
3829 * skip over too much.
3830 */
3831static int test_early_data_skip_abort(int idx)
3832{
3833 return early_data_skip_helper(3, idx);
3834}
3835
3836/*
3837 * Test that a server attempting to read early data can handle a connection
3838 * from a client that doesn't send any.
3839 */
3840static int test_early_data_not_sent(int idx)
3841{
3842 SSL_CTX *cctx = NULL, *sctx = NULL;
3843 SSL *clientssl = NULL, *serverssl = NULL;
3844 int testresult = 0;
3845 SSL_SESSION *sess = NULL;
3846 unsigned char buf[20];
3847 size_t readbytes, written;
3848
3849 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3850 &serverssl, &sess, idx)))
3851 goto end;
3852
3853 /* Write some data - should block due to handshake with server */
3854 SSL_set_connect_state(clientssl);
3855 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3856 goto end;
3857
3858 /* Server should detect that early data has not been sent */
3859 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3860 &readbytes),
3861 SSL_READ_EARLY_DATA_FINISH)
3862 || !TEST_size_t_eq(readbytes, 0)
3863 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3864 SSL_EARLY_DATA_NOT_SENT)
3865 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3866 SSL_EARLY_DATA_NOT_SENT))
3867 goto end;
3868
3869 /* Continue writing the message we started earlier */
3870 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3871 || !TEST_size_t_eq(written, strlen(MSG1))
3872 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3873 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3874 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3875 || !TEST_size_t_eq(written, strlen(MSG2)))
3876 goto end;
3877
3878 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3879 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3880 goto end;
3881
3882 testresult = 1;
3883
3884 end:
3885 SSL_SESSION_free(sess);
3886 SSL_SESSION_free(clientpsk);
3887 SSL_SESSION_free(serverpsk);
3888 clientpsk = serverpsk = NULL;
3889 SSL_free(serverssl);
3890 SSL_free(clientssl);
3891 SSL_CTX_free(sctx);
3892 SSL_CTX_free(cctx);
3893 return testresult;
3894}
3895
3896static const char *servalpn;
3897
3898static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3899 unsigned char *outlen, const unsigned char *in,
3900 unsigned int inlen, void *arg)
3901{
3902 unsigned int protlen = 0;
3903 const unsigned char *prot;
3904
3905 for (prot = in; prot < in + inlen; prot += protlen) {
3906 protlen = *prot++;
3907 if (in + inlen < prot + protlen)
3908 return SSL_TLSEXT_ERR_NOACK;
3909
3910 if (protlen == strlen(servalpn)
3911 && memcmp(prot, servalpn, protlen) == 0) {
3912 *out = prot;
3913 *outlen = protlen;
3914 return SSL_TLSEXT_ERR_OK;
3915 }
3916 }
3917
3918 return SSL_TLSEXT_ERR_NOACK;
3919}
3920
3921/* Test that a PSK can be used to send early_data */
3922static int test_early_data_psk(int idx)
3923{
3924 SSL_CTX *cctx = NULL, *sctx = NULL;
3925 SSL *clientssl = NULL, *serverssl = NULL;
3926 int testresult = 0;
3927 SSL_SESSION *sess = NULL;
3928 unsigned char alpnlist[] = {
3929 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3930 'l', 'p', 'n'
3931 };
3932#define GOODALPNLEN 9
3933#define BADALPNLEN 8
3934#define GOODALPN (alpnlist)
3935#define BADALPN (alpnlist + GOODALPNLEN)
3936 int err = 0;
3937 unsigned char buf[20];
3938 size_t readbytes, written;
3939 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3940 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3941
3942 /* We always set this up with a final parameter of "2" for PSK */
3943 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3944 &serverssl, &sess, 2)))
3945 goto end;
3946
3947 servalpn = "goodalpn";
3948
3949 /*
3950 * Note: There is no test for inconsistent SNI with late client detection.
3951 * This is because servers do not acknowledge SNI even if they are using
3952 * it in a resumption handshake - so it is not actually possible for a
3953 * client to detect a problem.
3954 */
3955 switch (idx) {
3956 case 0:
3957 /* Set inconsistent SNI (early client detection) */
3958 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3959 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3960 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3961 goto end;
3962 break;
3963
3964 case 1:
3965 /* Set inconsistent ALPN (early client detection) */
3966 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3967 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3968 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3969 GOODALPNLEN))
3970 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3971 BADALPNLEN)))
3972 goto end;
3973 break;
3974
3975 case 2:
3976 /*
3977 * Set invalid protocol version. Technically this affects PSKs without
3978 * early_data too, but we test it here because it is similar to the
3979 * SNI/ALPN consistency tests.
3980 */
3981 err = SSL_R_BAD_PSK;
3982 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3983 goto end;
3984 break;
3985
3986 case 3:
3987 /*
3988 * Set inconsistent SNI (server side). In this case the connection
3989 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3990 * is associated with each handshake - not the session. Therefore it
3991 * should not matter that we used a different server name last time.
3992 */
3993 SSL_SESSION_free(serverpsk);
3994 serverpsk = SSL_SESSION_dup(clientpsk);
3995 if (!TEST_ptr(serverpsk)
3996 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3997 goto end;
3998 /* Fall through */
3999 case 4:
4000 /* Set consistent SNI */
4001 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4002 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4003 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4004 hostname_cb)))
4005 goto end;
4006 break;
4007
4008 case 5:
4009 /*
4010 * Set inconsistent ALPN (server detected). In this case the connection
4011 * will succeed but reject early_data.
4012 */
4013 servalpn = "badalpn";
4014 edstatus = SSL_EARLY_DATA_REJECTED;
4015 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4016 /* Fall through */
4017 case 6:
4018 /*
4019 * Set consistent ALPN.
4020 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4021 * accepts a list of protos (each one length prefixed).
4022 * SSL_set1_alpn_selected accepts a single protocol (not length
4023 * prefixed)
4024 */
4025 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4026 GOODALPNLEN - 1))
4027 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4028 GOODALPNLEN)))
4029 goto end;
4030
4031 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4032 break;
4033
4034 case 7:
4035 /* Set inconsistent ALPN (late client detection) */
4036 SSL_SESSION_free(serverpsk);
4037 serverpsk = SSL_SESSION_dup(clientpsk);
4038 if (!TEST_ptr(serverpsk)
4039 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4040 BADALPN + 1,
4041 BADALPNLEN - 1))
4042 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4043 GOODALPN + 1,
4044 GOODALPNLEN - 1))
4045 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4046 sizeof(alpnlist))))
4047 goto end;
4048 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4049 edstatus = SSL_EARLY_DATA_ACCEPTED;
4050 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4051 /* SSL_connect() call should fail */
4052 connectres = -1;
4053 break;
4054
4055 default:
4056 TEST_error("Bad test index");
4057 goto end;
4058 }
4059
4060 SSL_set_connect_state(clientssl);
4061 if (err != 0) {
4062 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4063 &written))
4064 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4065 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4066 goto end;
4067 } else {
4068 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4069 &written)))
4070 goto end;
4071
4072 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4073 &readbytes), readearlyres)
4074 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4075 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4076 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4077 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4078 goto end;
4079 }
4080
4081 testresult = 1;
4082
4083 end:
4084 SSL_SESSION_free(sess);
4085 SSL_SESSION_free(clientpsk);
4086 SSL_SESSION_free(serverpsk);
4087 clientpsk = serverpsk = NULL;
4088 SSL_free(serverssl);
4089 SSL_free(clientssl);
4090 SSL_CTX_free(sctx);
4091 SSL_CTX_free(cctx);
4092 return testresult;
4093}
4094
4095/*
4096 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4097 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4098 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4099 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4100 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4101 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4102 */
4103static int test_early_data_psk_with_all_ciphers(int idx)
4104{
4105 SSL_CTX *cctx = NULL, *sctx = NULL;
4106 SSL *clientssl = NULL, *serverssl = NULL;
4107 int testresult = 0;
4108 SSL_SESSION *sess = NULL;
4109 unsigned char buf[20];
4110 size_t readbytes, written;
4111 const SSL_CIPHER *cipher;
4112 const char *cipher_str[] = {
4113 TLS1_3_RFC_AES_128_GCM_SHA256,
4114 TLS1_3_RFC_AES_256_GCM_SHA384,
4115# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4116 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4117# else
4118 NULL,
4119# endif
4120 TLS1_3_RFC_AES_128_CCM_SHA256,
4121 TLS1_3_RFC_AES_128_CCM_8_SHA256
4122 };
4123 const unsigned char *cipher_bytes[] = {
4124 TLS13_AES_128_GCM_SHA256_BYTES,
4125 TLS13_AES_256_GCM_SHA384_BYTES,
4126# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4127 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4128# else
4129 NULL,
4130# endif
4131 TLS13_AES_128_CCM_SHA256_BYTES,
4132 TLS13_AES_128_CCM_8_SHA256_BYTES
4133 };
4134
4135 if (cipher_str[idx] == NULL)
4136 return 1;
4137 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4138 if (idx == 2 && is_fips == 1)
4139 return 1;
4140
4141 /* We always set this up with a final parameter of "2" for PSK */
4142 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4143 &serverssl, &sess, 2)))
4144 goto end;
4145
4146 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4147 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4148 goto end;
4149
4150 /*
4151 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4152 * and assigns to both client and server with incremented reference
4153 * and the same instance is updated in 'sess'.
4154 * So updating ciphersuite in 'sess' which will get reflected in
4155 * PSK handshake using psk use sess and find sess cb.
4156 */
4157 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4158 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4159 goto end;
4160
4161 SSL_set_connect_state(clientssl);
4162 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4163 &written)))
4164 goto end;
4165
4166 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4167 &readbytes),
4168 SSL_READ_EARLY_DATA_SUCCESS)
4169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4170 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4171 SSL_EARLY_DATA_ACCEPTED)
4172 || !TEST_int_eq(SSL_connect(clientssl), 1)
4173 || !TEST_int_eq(SSL_accept(serverssl), 1))
4174 goto end;
4175
4176 /* Send some normal data from client to server */
4177 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4178 || !TEST_size_t_eq(written, strlen(MSG2)))
4179 goto end;
4180
4181 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4182 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4183 goto end;
4184
4185 testresult = 1;
4186 end:
4187 SSL_SESSION_free(sess);
4188 SSL_SESSION_free(clientpsk);
4189 SSL_SESSION_free(serverpsk);
4190 clientpsk = serverpsk = NULL;
4191 if (clientssl != NULL)
4192 SSL_shutdown(clientssl);
4193 if (serverssl != NULL)
4194 SSL_shutdown(serverssl);
4195 SSL_free(serverssl);
4196 SSL_free(clientssl);
4197 SSL_CTX_free(sctx);
4198 SSL_CTX_free(cctx);
4199 return testresult;
4200}
4201
4202/*
4203 * Test that a server that doesn't try to read early data can handle a
4204 * client sending some.
4205 */
4206static int test_early_data_not_expected(int idx)
4207{
4208 SSL_CTX *cctx = NULL, *sctx = NULL;
4209 SSL *clientssl = NULL, *serverssl = NULL;
4210 int testresult = 0;
4211 SSL_SESSION *sess = NULL;
4212 unsigned char buf[20];
4213 size_t readbytes, written;
4214
4215 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4216 &serverssl, &sess, idx)))
4217 goto end;
4218
4219 /* Write some early data */
4220 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4221 &written)))
4222 goto end;
4223
4224 /*
4225 * Server should skip over early data and then block waiting for client to
4226 * continue handshake
4227 */
4228 if (!TEST_int_le(SSL_accept(serverssl), 0)
4229 || !TEST_int_gt(SSL_connect(clientssl), 0)
4230 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4231 SSL_EARLY_DATA_REJECTED)
4232 || !TEST_int_gt(SSL_accept(serverssl), 0)
4233 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4234 SSL_EARLY_DATA_REJECTED))
4235 goto end;
4236
4237 /* Send some normal data from client to server */
4238 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4239 || !TEST_size_t_eq(written, strlen(MSG2)))
4240 goto end;
4241
4242 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4243 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4244 goto end;
4245
4246 testresult = 1;
4247
4248 end:
4249 SSL_SESSION_free(sess);
4250 SSL_SESSION_free(clientpsk);
4251 SSL_SESSION_free(serverpsk);
4252 clientpsk = serverpsk = NULL;
4253 SSL_free(serverssl);
4254 SSL_free(clientssl);
4255 SSL_CTX_free(sctx);
4256 SSL_CTX_free(cctx);
4257 return testresult;
4258}
4259
4260
4261# ifndef OPENSSL_NO_TLS1_2
4262/*
4263 * Test that a server attempting to read early data can handle a connection
4264 * from a TLSv1.2 client.
4265 */
4266static int test_early_data_tls1_2(int idx)
4267{
4268 SSL_CTX *cctx = NULL, *sctx = NULL;
4269 SSL *clientssl = NULL, *serverssl = NULL;
4270 int testresult = 0;
4271 unsigned char buf[20];
4272 size_t readbytes, written;
4273
4274 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4275 &serverssl, NULL, idx)))
4276 goto end;
4277
4278 /* Write some data - should block due to handshake with server */
4279 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4280 SSL_set_connect_state(clientssl);
4281 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4282 goto end;
4283
4284 /*
4285 * Server should do TLSv1.2 handshake. First it will block waiting for more
4286 * messages from client after ServerDone. Then SSL_read_early_data should
4287 * finish and detect that early data has not been sent
4288 */
4289 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4290 &readbytes),
4291 SSL_READ_EARLY_DATA_ERROR))
4292 goto end;
4293
4294 /*
4295 * Continue writing the message we started earlier. Will still block waiting
4296 * for the CCS/Finished from server
4297 */
4298 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4299 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4300 &readbytes),
4301 SSL_READ_EARLY_DATA_FINISH)
4302 || !TEST_size_t_eq(readbytes, 0)
4303 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4304 SSL_EARLY_DATA_NOT_SENT))
4305 goto end;
4306
4307 /* Continue writing the message we started earlier */
4308 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4309 || !TEST_size_t_eq(written, strlen(MSG1))
4310 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4311 SSL_EARLY_DATA_NOT_SENT)
4312 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4313 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4314 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4315 || !TEST_size_t_eq(written, strlen(MSG2))
4316 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4317 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4318 goto end;
4319
4320 testresult = 1;
4321
4322 end:
4323 SSL_SESSION_free(clientpsk);
4324 SSL_SESSION_free(serverpsk);
4325 clientpsk = serverpsk = NULL;
4326 SSL_free(serverssl);
4327 SSL_free(clientssl);
4328 SSL_CTX_free(sctx);
4329 SSL_CTX_free(cctx);
4330
4331 return testresult;
4332}
4333# endif /* OPENSSL_NO_TLS1_2 */
4334
4335/*
4336 * Test configuring the TLSv1.3 ciphersuites
4337 *
4338 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4339 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4340 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4341 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4342 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4343 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4344 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4345 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4346 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4347 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4348 */
4349static int test_set_ciphersuite(int idx)
4350{
4351 SSL_CTX *cctx = NULL, *sctx = NULL;
4352 SSL *clientssl = NULL, *serverssl = NULL;
4353 int testresult = 0;
4354
4355 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4356 TLS_client_method(), TLS1_VERSION, 0,
4357 &sctx, &cctx, cert, privkey))
4358 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4359 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4360 goto end;
4361
4362 if (idx >=4 && idx <= 7) {
4363 /* SSL_CTX explicit cipher list */
4364 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4365 goto end;
4366 }
4367
4368 if (idx == 0 || idx == 4) {
4369 /* Default ciphersuite */
4370 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4371 "TLS_AES_128_GCM_SHA256")))
4372 goto end;
4373 } else if (idx == 1 || idx == 5) {
4374 /* Non default ciphersuite */
4375 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4376 "TLS_AES_128_CCM_SHA256")))
4377 goto end;
4378 }
4379
4380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4381 &clientssl, NULL, NULL)))
4382 goto end;
4383
4384 if (idx == 8 || idx == 9) {
4385 /* SSL explicit cipher list */
4386 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4387 goto end;
4388 }
4389
4390 if (idx == 2 || idx == 6 || idx == 8) {
4391 /* Default ciphersuite */
4392 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4393 "TLS_AES_128_GCM_SHA256")))
4394 goto end;
4395 } else if (idx == 3 || idx == 7 || idx == 9) {
4396 /* Non default ciphersuite */
4397 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4398 "TLS_AES_128_CCM_SHA256")))
4399 goto end;
4400 }
4401
4402 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4403 goto end;
4404
4405 testresult = 1;
4406
4407 end:
4408 SSL_free(serverssl);
4409 SSL_free(clientssl);
4410 SSL_CTX_free(sctx);
4411 SSL_CTX_free(cctx);
4412
4413 return testresult;
4414}
4415
4416static int test_ciphersuite_change(void)
4417{
4418 SSL_CTX *cctx = NULL, *sctx = NULL;
4419 SSL *clientssl = NULL, *serverssl = NULL;
4420 SSL_SESSION *clntsess = NULL;
4421 int testresult = 0;
4422 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4423
4424 /* Create a session based on SHA-256 */
4425 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4426 TLS_client_method(), TLS1_VERSION, 0,
4427 &sctx, &cctx, cert, privkey))
4428 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4429 "TLS_AES_128_GCM_SHA256:"
4430 "TLS_AES_256_GCM_SHA384:"
4431 "TLS_AES_128_CCM_SHA256"))
4432 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4433 "TLS_AES_128_GCM_SHA256"))
4434 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4435 &clientssl, NULL, NULL))
4436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4437 SSL_ERROR_NONE)))
4438 goto end;
4439
4440 clntsess = SSL_get1_session(clientssl);
4441 /* Save for later */
4442 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4443 SSL_shutdown(clientssl);
4444 SSL_shutdown(serverssl);
4445 SSL_free(serverssl);
4446 SSL_free(clientssl);
4447 serverssl = clientssl = NULL;
4448
4449 /* Check we can resume a session with a different SHA-256 ciphersuite */
4450 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4451 "TLS_AES_128_CCM_SHA256"))
4452 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4453 &clientssl, NULL, NULL))
4454 || !TEST_true(SSL_set_session(clientssl, clntsess))
4455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4456 SSL_ERROR_NONE))
4457 || !TEST_true(SSL_session_reused(clientssl)))
4458 goto end;
4459
4460 SSL_SESSION_free(clntsess);
4461 clntsess = SSL_get1_session(clientssl);
4462 SSL_shutdown(clientssl);
4463 SSL_shutdown(serverssl);
4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 serverssl = clientssl = NULL;
4467
4468 /*
4469 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4470 * succeeds but does not resume.
4471 */
4472 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4473 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4474 NULL, NULL))
4475 || !TEST_true(SSL_set_session(clientssl, clntsess))
4476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4477 SSL_ERROR_SSL))
4478 || !TEST_false(SSL_session_reused(clientssl)))
4479 goto end;
4480
4481 SSL_SESSION_free(clntsess);
4482 clntsess = NULL;
4483 SSL_shutdown(clientssl);
4484 SSL_shutdown(serverssl);
4485 SSL_free(serverssl);
4486 SSL_free(clientssl);
4487 serverssl = clientssl = NULL;
4488
4489 /* Create a session based on SHA384 */
4490 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4491 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4492 &clientssl, NULL, NULL))
4493 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4494 SSL_ERROR_NONE)))
4495 goto end;
4496
4497 clntsess = SSL_get1_session(clientssl);
4498 SSL_shutdown(clientssl);
4499 SSL_shutdown(serverssl);
4500 SSL_free(serverssl);
4501 SSL_free(clientssl);
4502 serverssl = clientssl = NULL;
4503
4504 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4505 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4506 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4507 "TLS_AES_256_GCM_SHA384"))
4508 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4509 NULL, NULL))
4510 || !TEST_true(SSL_set_session(clientssl, clntsess))
4511 /*
4512 * We use SSL_ERROR_WANT_READ below so that we can pause the
4513 * connection after the initial ClientHello has been sent to
4514 * enable us to make some session changes.
4515 */
4516 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4517 SSL_ERROR_WANT_READ)))
4518 goto end;
4519
4520 /* Trick the client into thinking this session is for a different digest */
4521 clntsess->cipher = aes_128_gcm_sha256;
4522 clntsess->cipher_id = clntsess->cipher->id;
4523
4524 /*
4525 * Continue the previously started connection. Server has selected a SHA-384
4526 * ciphersuite, but client thinks the session is for SHA-256, so it should
4527 * bail out.
4528 */
4529 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4530 SSL_ERROR_SSL))
4531 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4532 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4533 goto end;
4534
4535 testresult = 1;
4536
4537 end:
4538 SSL_SESSION_free(clntsess);
4539 SSL_free(serverssl);
4540 SSL_free(clientssl);
4541 SSL_CTX_free(sctx);
4542 SSL_CTX_free(cctx);
4543
4544 return testresult;
4545}
4546
4547/*
4548 * Test TLSv1.3 Key exchange
4549 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4550 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4551 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4552 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4553 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4554 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4555 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4556 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4557 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4558 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4559 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4560 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4561 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4562 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4563 */
4564# ifndef OPENSSL_NO_EC
4565static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4566 NID_secp521r1, NID_X25519, NID_X448};
4567# endif
4568# ifndef OPENSSL_NO_DH
4569static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4570 NID_ffdhe6144, NID_ffdhe8192};
4571# endif
4572static int test_key_exchange(int idx)
4573{
4574 SSL_CTX *sctx = NULL, *cctx = NULL;
4575 SSL *serverssl = NULL, *clientssl = NULL;
4576 int testresult = 0;
4577 int kexch_alg;
4578 int *kexch_groups = &kexch_alg;
4579 int kexch_groups_size = 1;
4580 int max_version = TLS1_3_VERSION;
4581 char *kexch_name0 = NULL;
4582
4583 switch (idx) {
4584# ifndef OPENSSL_NO_EC
4585# ifndef OPENSSL_NO_TLS1_2
4586 case 12:
4587 max_version = TLS1_2_VERSION;
4588# endif
4589 /* Fall through */
4590 case 0:
4591 kexch_groups = ecdhe_kexch_groups;
4592 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4593 kexch_name0 = "secp256r1";
4594 break;
4595 case 1:
4596 kexch_alg = NID_X9_62_prime256v1;
4597 kexch_name0 = "secp256r1";
4598 break;
4599 case 2:
4600 kexch_alg = NID_secp384r1;
4601 kexch_name0 = "secp384r1";
4602 break;
4603 case 3:
4604 kexch_alg = NID_secp521r1;
4605 kexch_name0 = "secp521r1";
4606 break;
4607 case 4:
4608 kexch_alg = NID_X25519;
4609 kexch_name0 = "x25519";
4610 break;
4611 case 5:
4612 kexch_alg = NID_X448;
4613 kexch_name0 = "x448";
4614 break;
4615# endif
4616# ifndef OPENSSL_NO_DH
4617# ifndef OPENSSL_NO_TLS1_2
4618 case 13:
4619 max_version = TLS1_2_VERSION;
4620 kexch_name0 = "ffdhe2048";
4621# endif
4622 /* Fall through */
4623 case 6:
4624 kexch_groups = ffdhe_kexch_groups;
4625 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4626 kexch_name0 = "ffdhe2048";
4627 break;
4628 case 7:
4629 kexch_alg = NID_ffdhe2048;
4630 kexch_name0 = "ffdhe2048";
4631 break;
4632 case 8:
4633 kexch_alg = NID_ffdhe3072;
4634 kexch_name0 = "ffdhe3072";
4635 break;
4636 case 9:
4637 kexch_alg = NID_ffdhe4096;
4638 kexch_name0 = "ffdhe4096";
4639 break;
4640 case 10:
4641 kexch_alg = NID_ffdhe6144;
4642 kexch_name0 = "ffdhe6144";
4643 break;
4644 case 11:
4645 kexch_alg = NID_ffdhe8192;
4646 kexch_name0 = "ffdhe8192";
4647 break;
4648# endif
4649 default:
4650 /* We're skipping this test */
4651 return 1;
4652 }
4653
4654 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4655 TLS_client_method(), TLS1_VERSION,
4656 max_version, &sctx, &cctx, cert,
4657 privkey)))
4658 goto end;
4659
4660 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4661 TLS1_3_RFC_AES_128_GCM_SHA256)))
4662 goto end;
4663
4664 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4665 TLS1_3_RFC_AES_128_GCM_SHA256)))
4666 goto end;
4667
4668 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4669 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4670 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4671 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4672 goto end;
4673
4674 /*
4675 * Must include an EC ciphersuite so that we send supported groups in
4676 * TLSv1.2
4677 */
4678# ifndef OPENSSL_NO_TLS1_2
4679 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4680 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4681 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4682 goto end;
4683# endif
4684
4685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4686 NULL, NULL)))
4687 goto end;
4688
4689 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4690 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4691 goto end;
4692
4693 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4694 goto end;
4695
4696 /*
4697 * If Handshake succeeds the negotiated kexch alg should be the first one in
4698 * configured, except in the case of FFDHE groups (idx 13), which are
4699 * TLSv1.3 only so we expect no shared group to exist.
4700 */
4701 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4702 idx == 13 ? 0 : kexch_groups[0]))
4703 goto end;
4704
4705 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4706 kexch_name0))
4707 goto end;
4708
4709 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4710 if (idx != 13) {
4711 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4712 goto end;
4713 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4714 goto end;
4715 }
4716
4717 testresult = 1;
4718 end:
4719 SSL_free(serverssl);
4720 SSL_free(clientssl);
4721 SSL_CTX_free(sctx);
4722 SSL_CTX_free(cctx);
4723 return testresult;
4724}
4725
4726# if !defined(OPENSSL_NO_TLS1_2) \
4727 && !defined(OPENSSL_NO_EC) \
4728 && !defined(OPENSSL_NO_DH)
4729static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4730 int isecdhe, int idx)
4731{
4732 int kexch_alg;
4733 int *kexch_groups = &kexch_alg;
4734 int numec, numff;
4735
4736 numec = OSSL_NELEM(ecdhe_kexch_groups);
4737 numff = OSSL_NELEM(ffdhe_kexch_groups);
4738 if (isecdhe)
4739 kexch_alg = ecdhe_kexch_groups[idx];
4740 else
4741 kexch_alg = ffdhe_kexch_groups[idx];
4742
4743 if (clientmulti) {
4744 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4745 return 0;
4746 if (isecdhe) {
4747 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4748 numec)))
4749 return 0;
4750 } else {
4751 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4752 numff)))
4753 return 0;
4754 }
4755 } else {
4756 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4757 return 0;
4758 if (isecdhe) {
4759 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4760 numec)))
4761 return 0;
4762 } else {
4763 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4764 numff)))
4765 return 0;
4766 }
4767 }
4768 return 1;
4769}
4770
4771/*-
4772 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4773 * Run through both the ECDHE and FFDHE group lists used in the previous
4774 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4775 * confirming the expected result; then perform a resumption handshake
4776 * while offering the same group list, and another resumption handshake
4777 * offering a different group list. The returned value should be the
4778 * negotiated group for the initial handshake; for TLS 1.3 resumption
4779 * handshakes the returned value will be negotiated on the resumption
4780 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4781 * be cached in the session from the original handshake, regardless of what
4782 * was offered in the resumption ClientHello.
4783 *
4784 * Using E for the number of EC groups and F for the number of FF groups:
4785 * E tests of ECDHE with TLS 1.3, server only has one group
4786 * F tests of FFDHE with TLS 1.3, server only has one group
4787 * E tests of ECDHE with TLS 1.2, server only has one group
4788 * F tests of FFDHE with TLS 1.2, server only has one group
4789 * E tests of ECDHE with TLS 1.3, client sends only one group
4790 * F tests of FFDHE with TLS 1.3, client sends only one group
4791 * E tests of ECDHE with TLS 1.2, client sends only one group
4792 * F tests of FFDHE with TLS 1.2, client sends only one group
4793 */
4794static int test_negotiated_group(int idx)
4795{
4796 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4797 int expectednid;
4798 SSL_CTX *sctx = NULL, *cctx = NULL;
4799 SSL *serverssl = NULL, *clientssl = NULL;
4800 SSL_SESSION *origsess = NULL;
4801 int testresult = 0;
4802 int kexch_alg;
4803 int max_version = TLS1_3_VERSION;
4804
4805 numec = OSSL_NELEM(ecdhe_kexch_groups);
4806 numff = OSSL_NELEM(ffdhe_kexch_groups);
4807 numgroups = numec + numff;
4808 clientmulti = (idx < 2 * numgroups);
4809 idx = idx % (2 * numgroups);
4810 istls13 = (idx < numgroups);
4811 idx = idx % numgroups;
4812 isecdhe = (idx < numec);
4813 if (!isecdhe)
4814 idx -= numec;
4815 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4816 if (isecdhe)
4817 kexch_alg = ecdhe_kexch_groups[idx];
4818 else
4819 kexch_alg = ffdhe_kexch_groups[idx];
4820 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4821 if (!istls13 && !isecdhe)
4822 expectednid = NID_undef;
4823 else
4824 expectednid = kexch_alg;
4825
4826 if (!istls13)
4827 max_version = TLS1_2_VERSION;
4828
4829 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4830 TLS_client_method(), TLS1_VERSION,
4831 max_version, &sctx, &cctx, cert,
4832 privkey)))
4833 goto end;
4834
4835 /*
4836 * Force (EC)DHE ciphers for TLS 1.2.
4837 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4838 */
4839 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4840 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4841 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4842 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4843 goto end;
4844 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4845 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4846 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4847 goto end;
4848
4849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4850 NULL, NULL)))
4851 goto end;
4852
4853 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4854 idx)))
4855 goto end;
4856
4857 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4858 goto end;
4859
4860 /* Initial handshake; always the configured one */
4861 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4862 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4863 goto end;
4864
4865 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4866 goto end;
4867
4868 SSL_shutdown(clientssl);
4869 SSL_shutdown(serverssl);
4870 SSL_free(serverssl);
4871 SSL_free(clientssl);
4872 serverssl = clientssl = NULL;
4873
4874 /* First resumption attempt; use the same config as initial handshake */
4875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4876 NULL, NULL))
4877 || !TEST_true(SSL_set_session(clientssl, origsess))
4878 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4879 isecdhe, idx)))
4880 goto end;
4881
4882 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4883 || !TEST_true(SSL_session_reused(clientssl)))
4884 goto end;
4885
4886 /* Still had better agree, since nothing changed... */
4887 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4888 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4889 goto end;
4890
4891 SSL_shutdown(clientssl);
4892 SSL_shutdown(serverssl);
4893 SSL_free(serverssl);
4894 SSL_free(clientssl);
4895 serverssl = clientssl = NULL;
4896
4897 /*-
4898 * Second resumption attempt
4899 * The party that picks one group changes it, which we effectuate by
4900 * changing 'idx' and updating what we expect.
4901 */
4902 if (idx == 0)
4903 idx = 1;
4904 else
4905 idx--;
4906 if (istls13) {
4907 if (isecdhe)
4908 expectednid = ecdhe_kexch_groups[idx];
4909 else
4910 expectednid = ffdhe_kexch_groups[idx];
4911 /* Verify that we are changing what we expect. */
4912 if (!TEST_int_ne(expectednid, kexch_alg))
4913 goto end;
4914 } else {
4915 /* TLS 1.2 only supports named groups for ECDHE. */
4916 if (isecdhe)
4917 expectednid = kexch_alg;
4918 else
4919 expectednid = 0;
4920 }
4921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4922 NULL, NULL))
4923 || !TEST_true(SSL_set_session(clientssl, origsess))
4924 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4925 isecdhe, idx)))
4926 goto end;
4927
4928 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4929 || !TEST_true(SSL_session_reused(clientssl)))
4930 goto end;
4931
4932 /* Check that we get what we expected */
4933 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4934 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4935 goto end;
4936
4937 testresult = 1;
4938 end:
4939 SSL_free(serverssl);
4940 SSL_free(clientssl);
4941 SSL_CTX_free(sctx);
4942 SSL_CTX_free(cctx);
4943 SSL_SESSION_free(origsess);
4944 return testresult;
4945}
4946# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4947
4948/*
4949 * Test TLSv1.3 Cipher Suite
4950 * Test 0 = Set TLS1.3 cipher on context
4951 * Test 1 = Set TLS1.3 cipher on SSL
4952 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4953 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4954 */
4955static int test_tls13_ciphersuite(int idx)
4956{
4957 SSL_CTX *sctx = NULL, *cctx = NULL;
4958 SSL *serverssl = NULL, *clientssl = NULL;
4959 static const struct {
4960 const char *ciphername;
4961 int fipscapable;
4962 } t13_ciphers[] = {
4963 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4964 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4965 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
4966# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4967 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4968 { TLS1_3_RFC_AES_256_GCM_SHA384
4969 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4970# endif
4971 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
4972 };
4973 const char *t13_cipher = NULL;
4974 const char *t12_cipher = NULL;
4975 const char *negotiated_scipher;
4976 const char *negotiated_ccipher;
4977 int set_at_ctx = 0;
4978 int set_at_ssl = 0;
4979 int testresult = 0;
4980 int max_ver;
4981 size_t i;
4982
4983 switch (idx) {
4984 case 0:
4985 set_at_ctx = 1;
4986 break;
4987 case 1:
4988 set_at_ssl = 1;
4989 break;
4990 case 2:
4991 set_at_ctx = 1;
4992 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4993 break;
4994 case 3:
4995 set_at_ssl = 1;
4996 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
4997 break;
4998 }
4999
5000 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5001# ifdef OPENSSL_NO_TLS1_2
5002 if (max_ver == TLS1_2_VERSION)
5003 continue;
5004# endif
5005 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5006 if (is_fips && !t13_ciphers[i].fipscapable)
5007 continue;
5008 t13_cipher = t13_ciphers[i].ciphername;
5009 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5010 TLS_client_method(),
5011 TLS1_VERSION, max_ver,
5012 &sctx, &cctx, cert, privkey)))
5013 goto end;
5014
5015 if (set_at_ctx) {
5016 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5017 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5018 goto end;
5019 if (t12_cipher != NULL) {
5020 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5021 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5022 t12_cipher)))
5023 goto end;
5024 }
5025 }
5026
5027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5028 &clientssl, NULL, NULL)))
5029 goto end;
5030
5031 if (set_at_ssl) {
5032 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5033 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5034 goto end;
5035 if (t12_cipher != NULL) {
5036 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5037 || !TEST_true(SSL_set_cipher_list(clientssl,
5038 t12_cipher)))
5039 goto end;
5040 }
5041 }
5042
5043 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5044 SSL_ERROR_NONE)))
5045 goto end;
5046
5047 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5048 serverssl));
5049 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5050 clientssl));
5051 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5052 goto end;
5053
5054 /*
5055 * TEST_strn_eq is used below because t13_cipher can contain
5056 * multiple ciphersuites
5057 */
5058 if (max_ver == TLS1_3_VERSION
5059 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5060 strlen(negotiated_scipher)))
5061 goto end;
5062
5063# ifndef OPENSSL_NO_TLS1_2
5064 /* Below validation is not done when t12_cipher is NULL */
5065 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5066 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5067 goto end;
5068# endif
5069
5070 SSL_free(serverssl);
5071 serverssl = NULL;
5072 SSL_free(clientssl);
5073 clientssl = NULL;
5074 SSL_CTX_free(sctx);
5075 sctx = NULL;
5076 SSL_CTX_free(cctx);
5077 cctx = NULL;
5078 }
5079 }
5080
5081 testresult = 1;
5082 end:
5083 SSL_free(serverssl);
5084 SSL_free(clientssl);
5085 SSL_CTX_free(sctx);
5086 SSL_CTX_free(cctx);
5087 return testresult;
5088}
5089
5090/*
5091 * Test TLSv1.3 PSKs
5092 * Test 0 = Test new style callbacks
5093 * Test 1 = Test both new and old style callbacks
5094 * Test 2 = Test old style callbacks
5095 * Test 3 = Test old style callbacks with no certificate
5096 */
5097static int test_tls13_psk(int idx)
5098{
5099 SSL_CTX *sctx = NULL, *cctx = NULL;
5100 SSL *serverssl = NULL, *clientssl = NULL;
5101 const SSL_CIPHER *cipher = NULL;
5102 const unsigned char key[] = {
5103 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5104 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5105 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5106 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5107 };
5108 int testresult = 0;
5109
5110 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5111 TLS_client_method(), TLS1_VERSION, 0,
5112 &sctx, &cctx, idx == 3 ? NULL : cert,
5113 idx == 3 ? NULL : privkey)))
5114 goto end;
5115
5116 if (idx != 3) {
5117 /*
5118 * We use a ciphersuite with SHA256 to ease testing old style PSK
5119 * callbacks which will always default to SHA256. This should not be
5120 * necessary if we have no cert/priv key. In that case the server should
5121 * prefer SHA256 automatically.
5122 */
5123 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5124 "TLS_AES_128_GCM_SHA256")))
5125 goto end;
5126 } else {
5127 /*
5128 * As noted above the server should prefer SHA256 automatically. However
5129 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5130 * code works even if we are testing with only the FIPS provider loaded.
5131 */
5132 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5133 "TLS_AES_256_GCM_SHA384:"
5134 "TLS_AES_128_GCM_SHA256")))
5135 goto end;
5136 }
5137
5138 /*
5139 * Test 0: New style callbacks only
5140 * Test 1: New and old style callbacks (only the new ones should be used)
5141 * Test 2: Old style callbacks only
5142 */
5143 if (idx == 0 || idx == 1) {
5144 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5145 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5146 }
5147#ifndef OPENSSL_NO_PSK
5148 if (idx >= 1) {
5149 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5150 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5151 }
5152#endif
5153 srvid = pskid;
5154 use_session_cb_cnt = 0;
5155 find_session_cb_cnt = 0;
5156 psk_client_cb_cnt = 0;
5157 psk_server_cb_cnt = 0;
5158
5159 if (idx != 3) {
5160 /*
5161 * Check we can create a connection if callback decides not to send a
5162 * PSK
5163 */
5164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5165 NULL, NULL))
5166 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5167 SSL_ERROR_NONE))
5168 || !TEST_false(SSL_session_reused(clientssl))
5169 || !TEST_false(SSL_session_reused(serverssl)))
5170 goto end;
5171
5172 if (idx == 0 || idx == 1) {
5173 if (!TEST_true(use_session_cb_cnt == 1)
5174 || !TEST_true(find_session_cb_cnt == 0)
5175 /*
5176 * If no old style callback then below should be 0
5177 * otherwise 1
5178 */
5179 || !TEST_true(psk_client_cb_cnt == idx)
5180 || !TEST_true(psk_server_cb_cnt == 0))
5181 goto end;
5182 } else {
5183 if (!TEST_true(use_session_cb_cnt == 0)
5184 || !TEST_true(find_session_cb_cnt == 0)
5185 || !TEST_true(psk_client_cb_cnt == 1)
5186 || !TEST_true(psk_server_cb_cnt == 0))
5187 goto end;
5188 }
5189
5190 shutdown_ssl_connection(serverssl, clientssl);
5191 serverssl = clientssl = NULL;
5192 use_session_cb_cnt = psk_client_cb_cnt = 0;
5193 }
5194
5195 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5196 NULL, NULL)))
5197 goto end;
5198
5199 /* Create the PSK */
5200 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5201 clientpsk = SSL_SESSION_new();
5202 if (!TEST_ptr(clientpsk)
5203 || !TEST_ptr(cipher)
5204 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5205 sizeof(key)))
5206 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5207 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5208 TLS1_3_VERSION))
5209 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5210 goto end;
5211 serverpsk = clientpsk;
5212
5213 /* Check we can create a connection and the PSK is used */
5214 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5215 || !TEST_true(SSL_session_reused(clientssl))
5216 || !TEST_true(SSL_session_reused(serverssl)))
5217 goto end;
5218
5219 if (idx == 0 || idx == 1) {
5220 if (!TEST_true(use_session_cb_cnt == 1)
5221 || !TEST_true(find_session_cb_cnt == 1)
5222 || !TEST_true(psk_client_cb_cnt == 0)
5223 || !TEST_true(psk_server_cb_cnt == 0))
5224 goto end;
5225 } else {
5226 if (!TEST_true(use_session_cb_cnt == 0)
5227 || !TEST_true(find_session_cb_cnt == 0)
5228 || !TEST_true(psk_client_cb_cnt == 1)
5229 || !TEST_true(psk_server_cb_cnt == 1))
5230 goto end;
5231 }
5232
5233 shutdown_ssl_connection(serverssl, clientssl);
5234 serverssl = clientssl = NULL;
5235 use_session_cb_cnt = find_session_cb_cnt = 0;
5236 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5237
5238 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5239 NULL, NULL)))
5240 goto end;
5241
5242 /* Force an HRR */
5243#if defined(OPENSSL_NO_EC)
5244 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5245 goto end;
5246#else
5247 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5248 goto end;
5249#endif
5250
5251 /*
5252 * Check we can create a connection, the PSK is used and the callbacks are
5253 * called twice.
5254 */
5255 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5256 || !TEST_true(SSL_session_reused(clientssl))
5257 || !TEST_true(SSL_session_reused(serverssl)))
5258 goto end;
5259
5260 if (idx == 0 || idx == 1) {
5261 if (!TEST_true(use_session_cb_cnt == 2)
5262 || !TEST_true(find_session_cb_cnt == 2)
5263 || !TEST_true(psk_client_cb_cnt == 0)
5264 || !TEST_true(psk_server_cb_cnt == 0))
5265 goto end;
5266 } else {
5267 if (!TEST_true(use_session_cb_cnt == 0)
5268 || !TEST_true(find_session_cb_cnt == 0)
5269 || !TEST_true(psk_client_cb_cnt == 2)
5270 || !TEST_true(psk_server_cb_cnt == 2))
5271 goto end;
5272 }
5273
5274 shutdown_ssl_connection(serverssl, clientssl);
5275 serverssl = clientssl = NULL;
5276 use_session_cb_cnt = find_session_cb_cnt = 0;
5277 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5278
5279 if (idx != 3) {
5280 /*
5281 * Check that if the server rejects the PSK we can still connect, but with
5282 * a full handshake
5283 */
5284 srvid = "Dummy Identity";
5285 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5286 NULL, NULL))
5287 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5288 SSL_ERROR_NONE))
5289 || !TEST_false(SSL_session_reused(clientssl))
5290 || !TEST_false(SSL_session_reused(serverssl)))
5291 goto end;
5292
5293 if (idx == 0 || idx == 1) {
5294 if (!TEST_true(use_session_cb_cnt == 1)
5295 || !TEST_true(find_session_cb_cnt == 1)
5296 || !TEST_true(psk_client_cb_cnt == 0)
5297 /*
5298 * If no old style callback then below should be 0
5299 * otherwise 1
5300 */
5301 || !TEST_true(psk_server_cb_cnt == idx))
5302 goto end;
5303 } else {
5304 if (!TEST_true(use_session_cb_cnt == 0)
5305 || !TEST_true(find_session_cb_cnt == 0)
5306 || !TEST_true(psk_client_cb_cnt == 1)
5307 || !TEST_true(psk_server_cb_cnt == 1))
5308 goto end;
5309 }
5310
5311 shutdown_ssl_connection(serverssl, clientssl);
5312 serverssl = clientssl = NULL;
5313 }
5314 testresult = 1;
5315
5316 end:
5317 SSL_SESSION_free(clientpsk);
5318 SSL_SESSION_free(serverpsk);
5319 clientpsk = serverpsk = NULL;
5320 SSL_free(serverssl);
5321 SSL_free(clientssl);
5322 SSL_CTX_free(sctx);
5323 SSL_CTX_free(cctx);
5324 return testresult;
5325}
5326
5327static unsigned char cookie_magic_value[] = "cookie magic";
5328
5329static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5330 unsigned int *cookie_len)
5331{
5332 /*
5333 * Not suitable as a real cookie generation function but good enough for
5334 * testing!
5335 */
5336 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5337 *cookie_len = sizeof(cookie_magic_value) - 1;
5338
5339 return 1;
5340}
5341
5342static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5343 unsigned int cookie_len)
5344{
5345 if (cookie_len == sizeof(cookie_magic_value) - 1
5346 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5347 return 1;
5348
5349 return 0;
5350}
5351
5352static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5353 size_t *cookie_len)
5354{
5355 unsigned int temp;
5356 int res = generate_cookie_callback(ssl, cookie, &temp);
5357 *cookie_len = temp;
5358 return res;
5359}
5360
5361static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5362 size_t cookie_len)
5363{
5364 return verify_cookie_callback(ssl, cookie, cookie_len);
5365}
5366
5367static int test_stateless(void)
5368{
5369 SSL_CTX *sctx = NULL, *cctx = NULL;
5370 SSL *serverssl = NULL, *clientssl = NULL;
5371 int testresult = 0;
5372
5373 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5374 TLS_client_method(), TLS1_VERSION, 0,
5375 &sctx, &cctx, cert, privkey)))
5376 goto end;
5377
5378 /* The arrival of CCS messages can confuse the test */
5379 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5380
5381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5382 NULL, NULL))
5383 /* Send the first ClientHello */
5384 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5385 SSL_ERROR_WANT_READ))
5386 /*
5387 * This should fail with a -1 return because we have no callbacks
5388 * set up
5389 */
5390 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5391 goto end;
5392
5393 /* Fatal error so abandon the connection from this client */
5394 SSL_free(clientssl);
5395 clientssl = NULL;
5396
5397 /* Set up the cookie generation and verification callbacks */
5398 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5399 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5400
5401 /*
5402 * Create a new connection from the client (we can reuse the server SSL
5403 * object).
5404 */
5405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5406 NULL, NULL))
5407 /* Send the first ClientHello */
5408 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5409 SSL_ERROR_WANT_READ))
5410 /* This should fail because there is no cookie */
5411 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5412 goto end;
5413
5414 /* Abandon the connection from this client */
5415 SSL_free(clientssl);
5416 clientssl = NULL;
5417
5418 /*
5419 * Now create a connection from a new client but with the same server SSL
5420 * object
5421 */
5422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5423 NULL, NULL))
5424 /* Send the first ClientHello */
5425 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5426 SSL_ERROR_WANT_READ))
5427 /* This should fail because there is no cookie */
5428 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5429 /* Send the second ClientHello */
5430 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5431 SSL_ERROR_WANT_READ))
5432 /* This should succeed because a cookie is now present */
5433 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5434 /* Complete the connection */
5435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5436 SSL_ERROR_NONE)))
5437 goto end;
5438
5439 shutdown_ssl_connection(serverssl, clientssl);
5440 serverssl = clientssl = NULL;
5441 testresult = 1;
5442
5443 end:
5444 SSL_free(serverssl);
5445 SSL_free(clientssl);
5446 SSL_CTX_free(sctx);
5447 SSL_CTX_free(cctx);
5448 return testresult;
5449
5450}
5451#endif /* OSSL_NO_USABLE_TLS1_3 */
5452
5453static int clntaddoldcb = 0;
5454static int clntparseoldcb = 0;
5455static int srvaddoldcb = 0;
5456static int srvparseoldcb = 0;
5457static int clntaddnewcb = 0;
5458static int clntparsenewcb = 0;
5459static int srvaddnewcb = 0;
5460static int srvparsenewcb = 0;
5461static int snicb = 0;
5462
5463#define TEST_EXT_TYPE1 0xff00
5464
5465static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5466 size_t *outlen, int *al, void *add_arg)
5467{
5468 int *server = (int *)add_arg;
5469 unsigned char *data;
5470
5471 if (SSL_is_server(s))
5472 srvaddoldcb++;
5473 else
5474 clntaddoldcb++;
5475
5476 if (*server != SSL_is_server(s)
5477 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5478 return -1;
5479
5480 *data = 1;
5481 *out = data;
5482 *outlen = sizeof(char);
5483 return 1;
5484}
5485
5486static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5487 void *add_arg)
5488{
5489 OPENSSL_free((unsigned char *)out);
5490}
5491
5492static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5493 size_t inlen, int *al, void *parse_arg)
5494{
5495 int *server = (int *)parse_arg;
5496
5497 if (SSL_is_server(s))
5498 srvparseoldcb++;
5499 else
5500 clntparseoldcb++;
5501
5502 if (*server != SSL_is_server(s)
5503 || inlen != sizeof(char)
5504 || *in != 1)
5505 return -1;
5506
5507 return 1;
5508}
5509
5510static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5511 const unsigned char **out, size_t *outlen, X509 *x,
5512 size_t chainidx, int *al, void *add_arg)
5513{
5514 int *server = (int *)add_arg;
5515 unsigned char *data;
5516
5517 if (SSL_is_server(s))
5518 srvaddnewcb++;
5519 else
5520 clntaddnewcb++;
5521
5522 if (*server != SSL_is_server(s)
5523 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5524 return -1;
5525
5526 *data = 1;
5527 *out = data;
5528 *outlen = sizeof(*data);
5529 return 1;
5530}
5531
5532static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5533 const unsigned char *out, void *add_arg)
5534{
5535 OPENSSL_free((unsigned char *)out);
5536}
5537
5538static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5539 const unsigned char *in, size_t inlen, X509 *x,
5540 size_t chainidx, int *al, void *parse_arg)
5541{
5542 int *server = (int *)parse_arg;
5543
5544 if (SSL_is_server(s))
5545 srvparsenewcb++;
5546 else
5547 clntparsenewcb++;
5548
5549 if (*server != SSL_is_server(s)
5550 || inlen != sizeof(char) || *in != 1)
5551 return -1;
5552
5553 return 1;
5554}
5555
5556static int sni_cb(SSL *s, int *al, void *arg)
5557{
5558 SSL_CTX *ctx = (SSL_CTX *)arg;
5559
5560 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5561 *al = SSL_AD_INTERNAL_ERROR;
5562 return SSL_TLSEXT_ERR_ALERT_FATAL;
5563 }
5564 snicb++;
5565 return SSL_TLSEXT_ERR_OK;
5566}
5567
5568static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5569{
5570 return 1;
5571}
5572
5573/*
5574 * Custom call back tests.
5575 * Test 0: Old style callbacks in TLSv1.2
5576 * Test 1: New style callbacks in TLSv1.2
5577 * Test 2: New style callbacks in TLSv1.2 with SNI
5578 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5579 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5580 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5581 */
5582static int test_custom_exts(int tst)
5583{
5584 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5585 SSL *clientssl = NULL, *serverssl = NULL;
5586 int testresult = 0;
5587 static int server = 1;
5588 static int client = 0;
5589 SSL_SESSION *sess = NULL;
5590 unsigned int context;
5591
5592#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5593 /* Skip tests for TLSv1.2 and below in this case */
5594 if (tst < 3)
5595 return 1;
5596#endif
5597
5598 /* Reset callback counters */
5599 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5600 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5601 snicb = 0;
5602
5603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5604 TLS_client_method(), TLS1_VERSION, 0,
5605 &sctx, &cctx, cert, privkey)))
5606 goto end;
5607
5608 if (tst == 2
5609 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5610 TLS1_VERSION, 0,
5611 &sctx2, NULL, cert, privkey)))
5612 goto end;
5613
5614
5615 if (tst < 3) {
5616 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5617 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5618 if (sctx2 != NULL)
5619 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5620 }
5621
5622 if (tst == 5) {
5623 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5624 | SSL_EXT_TLS1_3_CERTIFICATE;
5625 SSL_CTX_set_verify(sctx,
5626 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5627 verify_cb);
5628 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5629 SSL_FILETYPE_PEM), 1)
5630 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5631 SSL_FILETYPE_PEM), 1)
5632 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5633 goto end;
5634 } else if (tst == 4) {
5635 context = SSL_EXT_CLIENT_HELLO
5636 | SSL_EXT_TLS1_2_SERVER_HELLO
5637 | SSL_EXT_TLS1_3_SERVER_HELLO
5638 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5639 | SSL_EXT_TLS1_3_CERTIFICATE
5640 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5641 } else {
5642 context = SSL_EXT_CLIENT_HELLO
5643 | SSL_EXT_TLS1_2_SERVER_HELLO
5644 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5645 }
5646
5647 /* Create a client side custom extension */
5648 if (tst == 0) {
5649 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5650 old_add_cb, old_free_cb,
5651 &client, old_parse_cb,
5652 &client)))
5653 goto end;
5654 } else {
5655 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5656 new_add_cb, new_free_cb,
5657 &client, new_parse_cb, &client)))
5658 goto end;
5659 }
5660
5661 /* Should not be able to add duplicates */
5662 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5663 old_add_cb, old_free_cb,
5664 &client, old_parse_cb,
5665 &client))
5666 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5667 context, new_add_cb,
5668 new_free_cb, &client,
5669 new_parse_cb, &client)))
5670 goto end;
5671
5672 /* Create a server side custom extension */
5673 if (tst == 0) {
5674 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5675 old_add_cb, old_free_cb,
5676 &server, old_parse_cb,
5677 &server)))
5678 goto end;
5679 } else {
5680 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5681 new_add_cb, new_free_cb,
5682 &server, new_parse_cb, &server)))
5683 goto end;
5684 if (sctx2 != NULL
5685 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5686 context, new_add_cb,
5687 new_free_cb, &server,
5688 new_parse_cb, &server)))
5689 goto end;
5690 }
5691
5692 /* Should not be able to add duplicates */
5693 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5694 old_add_cb, old_free_cb,
5695 &server, old_parse_cb,
5696 &server))
5697 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5698 context, new_add_cb,
5699 new_free_cb, &server,
5700 new_parse_cb, &server)))
5701 goto end;
5702
5703 if (tst == 2) {
5704 /* Set up SNI */
5705 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5706 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5707 goto end;
5708 }
5709
5710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5711 &clientssl, NULL, NULL))
5712 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5713 SSL_ERROR_NONE)))
5714 goto end;
5715
5716 if (tst == 0) {
5717 if (clntaddoldcb != 1
5718 || clntparseoldcb != 1
5719 || srvaddoldcb != 1
5720 || srvparseoldcb != 1)
5721 goto end;
5722 } else if (tst == 1 || tst == 2 || tst == 3) {
5723 if (clntaddnewcb != 1
5724 || clntparsenewcb != 1
5725 || srvaddnewcb != 1
5726 || srvparsenewcb != 1
5727 || (tst != 2 && snicb != 0)
5728 || (tst == 2 && snicb != 1))
5729 goto end;
5730 } else if (tst == 5) {
5731 if (clntaddnewcb != 1
5732 || clntparsenewcb != 1
5733 || srvaddnewcb != 1
5734 || srvparsenewcb != 1)
5735 goto end;
5736 } else {
5737 /* In this case there 2 NewSessionTicket messages created */
5738 if (clntaddnewcb != 1
5739 || clntparsenewcb != 5
5740 || srvaddnewcb != 5
5741 || srvparsenewcb != 1)
5742 goto end;
5743 }
5744
5745 sess = SSL_get1_session(clientssl);
5746 SSL_shutdown(clientssl);
5747 SSL_shutdown(serverssl);
5748 SSL_free(serverssl);
5749 SSL_free(clientssl);
5750 serverssl = clientssl = NULL;
5751
5752 if (tst == 3 || tst == 5) {
5753 /* We don't bother with the resumption aspects for these tests */
5754 testresult = 1;
5755 goto end;
5756 }
5757
5758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5759 NULL, NULL))
5760 || !TEST_true(SSL_set_session(clientssl, sess))
5761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5762 SSL_ERROR_NONE)))
5763 goto end;
5764
5765 /*
5766 * For a resumed session we expect to add the ClientHello extension. For the
5767 * old style callbacks we ignore it on the server side because they set
5768 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5769 * them.
5770 */
5771 if (tst == 0) {
5772 if (clntaddoldcb != 2
5773 || clntparseoldcb != 1
5774 || srvaddoldcb != 1
5775 || srvparseoldcb != 1)
5776 goto end;
5777 } else if (tst == 1 || tst == 2 || tst == 3) {
5778 if (clntaddnewcb != 2
5779 || clntparsenewcb != 2
5780 || srvaddnewcb != 2
5781 || srvparsenewcb != 2)
5782 goto end;
5783 } else {
5784 /*
5785 * No Certificate message extensions in the resumption handshake,
5786 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5787 */
5788 if (clntaddnewcb != 2
5789 || clntparsenewcb != 8
5790 || srvaddnewcb != 8
5791 || srvparsenewcb != 2)
5792 goto end;
5793 }
5794
5795 testresult = 1;
5796
5797end:
5798 SSL_SESSION_free(sess);
5799 SSL_free(serverssl);
5800 SSL_free(clientssl);
5801 SSL_CTX_free(sctx2);
5802 SSL_CTX_free(sctx);
5803 SSL_CTX_free(cctx);
5804 return testresult;
5805}
5806
5807/*
5808 * Test loading of serverinfo data in various formats. test_sslmessages actually
5809 * tests to make sure the extensions appear in the handshake
5810 */
5811static int test_serverinfo(int tst)
5812{
5813 unsigned int version;
5814 unsigned char *sibuf;
5815 size_t sibuflen;
5816 int ret, expected, testresult = 0;
5817 SSL_CTX *ctx;
5818
5819 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
5820 if (!TEST_ptr(ctx))
5821 goto end;
5822
5823 if ((tst & 0x01) == 0x01)
5824 version = SSL_SERVERINFOV2;
5825 else
5826 version = SSL_SERVERINFOV1;
5827
5828 if ((tst & 0x02) == 0x02) {
5829 sibuf = serverinfov2;
5830 sibuflen = sizeof(serverinfov2);
5831 expected = (version == SSL_SERVERINFOV2);
5832 } else {
5833 sibuf = serverinfov1;
5834 sibuflen = sizeof(serverinfov1);
5835 expected = (version == SSL_SERVERINFOV1);
5836 }
5837
5838 if ((tst & 0x04) == 0x04) {
5839 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5840 } else {
5841 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5842
5843 /*
5844 * The version variable is irrelevant in this case - it's what is in the
5845 * buffer that matters
5846 */
5847 if ((tst & 0x02) == 0x02)
5848 expected = 0;
5849 else
5850 expected = 1;
5851 }
5852
5853 if (!TEST_true(ret == expected))
5854 goto end;
5855
5856 testresult = 1;
5857
5858 end:
5859 SSL_CTX_free(ctx);
5860
5861 return testresult;
5862}
5863
5864/*
5865 * Test that SSL_export_keying_material() produces expected results. There are
5866 * no test vectors so all we do is test that both sides of the communication
5867 * produce the same results for different protocol versions.
5868 */
5869#define SMALL_LABEL_LEN 10
5870#define LONG_LABEL_LEN 249
5871static int test_export_key_mat(int tst)
5872{
5873 int testresult = 0;
5874 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5875 SSL *clientssl = NULL, *serverssl = NULL;
5876 const char label[LONG_LABEL_LEN + 1] = "test label";
5877 const unsigned char context[] = "context";
5878 const unsigned char *emptycontext = NULL;
5879 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5880 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
5881 size_t labellen;
5882 const int protocols[] = {
5883 TLS1_VERSION,
5884 TLS1_1_VERSION,
5885 TLS1_2_VERSION,
5886 TLS1_3_VERSION,
5887 TLS1_3_VERSION,
5888 TLS1_3_VERSION
5889 };
5890
5891#ifdef OPENSSL_NO_TLS1
5892 if (tst == 0)
5893 return 1;
5894#endif
5895#ifdef OPENSSL_NO_TLS1_1
5896 if (tst == 1)
5897 return 1;
5898#endif
5899 if (is_fips && (tst == 0 || tst == 1))
5900 return 1;
5901#ifdef OPENSSL_NO_TLS1_2
5902 if (tst == 2)
5903 return 1;
5904#endif
5905#ifdef OSSL_NO_USABLE_TLS1_3
5906 if (tst >= 3)
5907 return 1;
5908#endif
5909 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5910 TLS_client_method(), TLS1_VERSION, 0,
5911 &sctx, &cctx, cert, privkey)))
5912 goto end;
5913
5914 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5915 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5916 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
5917 if ((protocols[tst] < TLS1_2_VERSION) &&
5918 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5919 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5920 goto end;
5921
5922 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5923 NULL)))
5924 goto end;
5925
5926 /*
5927 * Premature call of SSL_export_keying_material should just fail.
5928 */
5929 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5930 sizeof(ckeymat1), label,
5931 SMALL_LABEL_LEN + 1, context,
5932 sizeof(context) - 1, 1), 0))
5933 goto end;
5934
5935 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5936 SSL_ERROR_NONE)))
5937 goto end;
5938
5939 if (tst == 5) {
5940 /*
5941 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5942 * go over that.
5943 */
5944 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5945 sizeof(ckeymat1), label,
5946 LONG_LABEL_LEN + 1, context,
5947 sizeof(context) - 1, 1), 0))
5948 goto end;
5949
5950 testresult = 1;
5951 goto end;
5952 } else if (tst == 4) {
5953 labellen = LONG_LABEL_LEN;
5954 } else {
5955 labellen = SMALL_LABEL_LEN;
5956 }
5957
5958 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5959 sizeof(ckeymat1), label,
5960 labellen, context,
5961 sizeof(context) - 1, 1), 1)
5962 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5963 sizeof(ckeymat2), label,
5964 labellen,
5965 emptycontext,
5966 0, 1), 1)
5967 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5968 sizeof(ckeymat3), label,
5969 labellen,
5970 NULL, 0, 0), 1)
5971 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5972 sizeof(skeymat1), label,
5973 labellen,
5974 context,
5975 sizeof(context) -1, 1),
5976 1)
5977 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5978 sizeof(skeymat2), label,
5979 labellen,
5980 emptycontext,
5981 0, 1), 1)
5982 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5983 sizeof(skeymat3), label,
5984 labellen,
5985 NULL, 0, 0), 1)
5986 /*
5987 * Check that both sides created the same key material with the
5988 * same context.
5989 */
5990 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5991 sizeof(skeymat1))
5992 /*
5993 * Check that both sides created the same key material with an
5994 * empty context.
5995 */
5996 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5997 sizeof(skeymat2))
5998 /*
5999 * Check that both sides created the same key material without a
6000 * context.
6001 */
6002 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6003 sizeof(skeymat3))
6004 /* Different contexts should produce different results */
6005 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6006 sizeof(ckeymat2)))
6007 goto end;
6008
6009 /*
6010 * Check that an empty context and no context produce different results in
6011 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6012 */
6013 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6014 sizeof(ckeymat3)))
6015 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6016 sizeof(ckeymat3))))
6017 goto end;
6018
6019 testresult = 1;
6020
6021 end:
6022 SSL_free(serverssl);
6023 SSL_free(clientssl);
6024 SSL_CTX_free(sctx2);
6025 SSL_CTX_free(sctx);
6026 SSL_CTX_free(cctx);
6027
6028 return testresult;
6029}
6030
6031#ifndef OSSL_NO_USABLE_TLS1_3
6032/*
6033 * Test that SSL_export_keying_material_early() produces expected
6034 * results. There are no test vectors so all we do is test that both
6035 * sides of the communication produce the same results for different
6036 * protocol versions.
6037 */
6038static int test_export_key_mat_early(int idx)
6039{
6040 static const char label[] = "test label";
6041 static const unsigned char context[] = "context";
6042 int testresult = 0;
6043 SSL_CTX *cctx = NULL, *sctx = NULL;
6044 SSL *clientssl = NULL, *serverssl = NULL;
6045 SSL_SESSION *sess = NULL;
6046 const unsigned char *emptycontext = NULL;
6047 unsigned char ckeymat1[80], ckeymat2[80];
6048 unsigned char skeymat1[80], skeymat2[80];
6049 unsigned char buf[1];
6050 size_t readbytes, written;
6051
6052 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6053 &sess, idx)))
6054 goto end;
6055
6056 /* Here writing 0 length early data is enough. */
6057 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6058 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6059 &readbytes),
6060 SSL_READ_EARLY_DATA_ERROR)
6061 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6062 SSL_EARLY_DATA_ACCEPTED))
6063 goto end;
6064
6065 if (!TEST_int_eq(SSL_export_keying_material_early(
6066 clientssl, ckeymat1, sizeof(ckeymat1), label,
6067 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6068 || !TEST_int_eq(SSL_export_keying_material_early(
6069 clientssl, ckeymat2, sizeof(ckeymat2), label,
6070 sizeof(label) - 1, emptycontext, 0), 1)
6071 || !TEST_int_eq(SSL_export_keying_material_early(
6072 serverssl, skeymat1, sizeof(skeymat1), label,
6073 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6074 || !TEST_int_eq(SSL_export_keying_material_early(
6075 serverssl, skeymat2, sizeof(skeymat2), label,
6076 sizeof(label) - 1, emptycontext, 0), 1)
6077 /*
6078 * Check that both sides created the same key material with the
6079 * same context.
6080 */
6081 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6082 sizeof(skeymat1))
6083 /*
6084 * Check that both sides created the same key material with an
6085 * empty context.
6086 */
6087 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6088 sizeof(skeymat2))
6089 /* Different contexts should produce different results */
6090 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6091 sizeof(ckeymat2)))
6092 goto end;
6093
6094 testresult = 1;
6095
6096 end:
6097 SSL_SESSION_free(sess);
6098 SSL_SESSION_free(clientpsk);
6099 SSL_SESSION_free(serverpsk);
6100 clientpsk = serverpsk = NULL;
6101 SSL_free(serverssl);
6102 SSL_free(clientssl);
6103 SSL_CTX_free(sctx);
6104 SSL_CTX_free(cctx);
6105
6106 return testresult;
6107}
6108
6109#define NUM_KEY_UPDATE_MESSAGES 40
6110/*
6111 * Test KeyUpdate.
6112 */
6113static int test_key_update(void)
6114{
6115 SSL_CTX *cctx = NULL, *sctx = NULL;
6116 SSL *clientssl = NULL, *serverssl = NULL;
6117 int testresult = 0, i, j;
6118 char buf[20];
6119 static char *mess = "A test message";
6120
6121 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6122 TLS_client_method(),
6123 TLS1_3_VERSION,
6124 0,
6125 &sctx, &cctx, cert, privkey))
6126 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6127 NULL, NULL))
6128 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6129 SSL_ERROR_NONE)))
6130 goto end;
6131
6132 for (j = 0; j < 2; j++) {
6133 /* Send lots of KeyUpdate messages */
6134 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6135 if (!TEST_true(SSL_key_update(clientssl,
6136 (j == 0)
6137 ? SSL_KEY_UPDATE_NOT_REQUESTED
6138 : SSL_KEY_UPDATE_REQUESTED))
6139 || !TEST_true(SSL_do_handshake(clientssl)))
6140 goto end;
6141 }
6142
6143 /* Check that sending and receiving app data is ok */
6144 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6145 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6146 strlen(mess)))
6147 goto end;
6148
6149 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6150 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6151 strlen(mess)))
6152 goto end;
6153 }
6154
6155 testresult = 1;
6156
6157 end:
6158 SSL_free(serverssl);
6159 SSL_free(clientssl);
6160 SSL_CTX_free(sctx);
6161 SSL_CTX_free(cctx);
6162
6163 return testresult;
6164}
6165
6166/*
6167 * Test we can handle a KeyUpdate (update requested) message while
6168 * write data is pending in peer.
6169 * Test 0: Client sends KeyUpdate while Server is writing
6170 * Test 1: Server sends KeyUpdate while Client is writing
6171 */
6172static int test_key_update_peer_in_write(int tst)
6173{
6174 SSL_CTX *cctx = NULL, *sctx = NULL;
6175 SSL *clientssl = NULL, *serverssl = NULL;
6176 int testresult = 0;
6177 char buf[20];
6178 static char *mess = "A test message";
6179 BIO *bretry = BIO_new(bio_s_always_retry());
6180 BIO *tmp = NULL;
6181 SSL *peerupdate = NULL, *peerwrite = NULL;
6182
6183 if (!TEST_ptr(bretry)
6184 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6185 TLS_client_method(),
6186 TLS1_3_VERSION,
6187 0,
6188 &sctx, &cctx, cert, privkey))
6189 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6190 NULL, NULL))
6191 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6192 SSL_ERROR_NONE)))
6193 goto end;
6194
6195 peerupdate = tst == 0 ? clientssl : serverssl;
6196 peerwrite = tst == 0 ? serverssl : clientssl;
6197
6198 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6199 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6200 goto end;
6201
6202 /* Swap the writing endpoint's write BIO to force a retry */
6203 tmp = SSL_get_wbio(peerwrite);
6204 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6205 tmp = NULL;
6206 goto end;
6207 }
6208 SSL_set0_wbio(peerwrite, bretry);
6209 bretry = NULL;
6210
6211 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6212 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6213 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6214 goto end;
6215
6216 /* Reinstate the original writing endpoint's write BIO */
6217 SSL_set0_wbio(peerwrite, tmp);
6218 tmp = NULL;
6219
6220 /* Now read some data - we will read the key update */
6221 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6222 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6223 goto end;
6224
6225 /*
6226 * Complete the write we started previously and read it from the other
6227 * endpoint
6228 */
6229 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6230 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6231 goto end;
6232
6233 /* Write more data to ensure we send the KeyUpdate message back */
6234 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6235 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6236 goto end;
6237
6238 testresult = 1;
6239
6240 end:
6241 SSL_free(serverssl);
6242 SSL_free(clientssl);
6243 SSL_CTX_free(sctx);
6244 SSL_CTX_free(cctx);
6245 BIO_free(bretry);
6246 BIO_free(tmp);
6247
6248 return testresult;
6249}
6250
6251/*
6252 * Test we can handle a KeyUpdate (update requested) message while
6253 * peer read data is pending after peer accepted keyupdate(the msg header
6254 * had been read 5 bytes).
6255 * Test 0: Client sends KeyUpdate while Server is reading
6256 * Test 1: Server sends KeyUpdate while Client is reading
6257 */
6258static int test_key_update_peer_in_read(int tst)
6259{
6260 SSL_CTX *cctx = NULL, *sctx = NULL;
6261 SSL *clientssl = NULL, *serverssl = NULL;
6262 int testresult = 0;
6263 char prbuf[515], lwbuf[515] = {0};
6264 static char *mess = "A test message";
6265 BIO *lbio = NULL, *pbio = NULL;
6266 SSL *local = NULL, *peer = NULL;
6267
6268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6269 TLS_client_method(),
6270 TLS1_3_VERSION,
6271 0,
6272 &sctx, &cctx, cert, privkey))
6273 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6274 NULL, NULL))
6275 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6276 SSL_ERROR_NONE)))
6277 goto end;
6278
6279 local = tst == 0 ? clientssl : serverssl;
6280 peer = tst == 0 ? serverssl : clientssl;
6281
6282 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6283 goto end;
6284
6285 SSL_set_bio(local, lbio, lbio);
6286 SSL_set_bio(peer, pbio, pbio);
6287
6288 /*
6289 * we first write keyupdate msg then appdata in local
6290 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6291 * lwbuf app data msg size + key updata msg size > 512(the size of
6292 * the bio pair buffer)
6293 */
6294 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6295 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6296 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6297 goto end;
6298
6299 /*
6300 * first read keyupdate msg in peer in peer
6301 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6302 */
6303 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6304 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6305 goto end;
6306
6307 /* Now write some data in peer - we will write the key update */
6308 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6309 goto end;
6310
6311 /*
6312 * write data in local previously that we will complete
6313 * read data in peer previously that we will complete
6314 */
6315 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6316 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6317 goto end;
6318
6319 /* check that sending and receiving appdata ok */
6320 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6321 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6322 goto end;
6323
6324 testresult = 1;
6325
6326 end:
6327 SSL_free(serverssl);
6328 SSL_free(clientssl);
6329 SSL_CTX_free(sctx);
6330 SSL_CTX_free(cctx);
6331
6332 return testresult;
6333}
6334
6335/*
6336 * Test we can't send a KeyUpdate (update requested) message while
6337 * local write data is pending.
6338 * Test 0: Client sends KeyUpdate while Client is writing
6339 * Test 1: Server sends KeyUpdate while Server is writing
6340 */
6341static int test_key_update_local_in_write(int tst)
6342{
6343 SSL_CTX *cctx = NULL, *sctx = NULL;
6344 SSL *clientssl = NULL, *serverssl = NULL;
6345 int testresult = 0;
6346 char buf[20];
6347 static char *mess = "A test message";
6348 BIO *bretry = BIO_new(bio_s_always_retry());
6349 BIO *tmp = NULL;
6350 SSL *local = NULL, *peer = NULL;
6351
6352 if (!TEST_ptr(bretry)
6353 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6354 TLS_client_method(),
6355 TLS1_3_VERSION,
6356 0,
6357 &sctx, &cctx, cert, privkey))
6358 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6359 NULL, NULL))
6360 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6361 SSL_ERROR_NONE)))
6362 goto end;
6363
6364 local = tst == 0 ? clientssl : serverssl;
6365 peer = tst == 0 ? serverssl : clientssl;
6366
6367 /* Swap the writing endpoint's write BIO to force a retry */
6368 tmp = SSL_get_wbio(local);
6369 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6370 tmp = NULL;
6371 goto end;
6372 }
6373 SSL_set0_wbio(local, bretry);
6374 bretry = NULL;
6375
6376 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6377 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6378 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6379 goto end;
6380
6381 /* Reinstate the original writing endpoint's write BIO */
6382 SSL_set0_wbio(local, tmp);
6383 tmp = NULL;
6384
6385 /* SSL_key_update will fail, because writing in local*/
6386 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6387 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6388 goto end;
6389
6390 ERR_clear_error();
6391 /* write data in local previously that we will complete */
6392 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6393 goto end;
6394
6395 /* SSL_key_update will succeed because there is no pending write data */
6396 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6397 || !TEST_int_eq(SSL_do_handshake(local), 1))
6398 goto end;
6399
6400 /*
6401 * we write some appdata in local
6402 * read data in peer - we will read the keyupdate msg
6403 */
6404 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6405 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6406 goto end;
6407
6408 /* Write more peer more data to ensure we send the keyupdate message back */
6409 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6410 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6411 goto end;
6412
6413 testresult = 1;
6414
6415 end:
6416 SSL_free(serverssl);
6417 SSL_free(clientssl);
6418 SSL_CTX_free(sctx);
6419 SSL_CTX_free(cctx);
6420 BIO_free(bretry);
6421 BIO_free(tmp);
6422
6423 return testresult;
6424}
6425
6426/*
6427 * Test we can handle a KeyUpdate (update requested) message while
6428 * local read data is pending(the msg header had been read 5 bytes).
6429 * Test 0: Client sends KeyUpdate while Client is reading
6430 * Test 1: Server sends KeyUpdate while Server is reading
6431 */
6432static int test_key_update_local_in_read(int tst)
6433{
6434 SSL_CTX *cctx = NULL, *sctx = NULL;
6435 SSL *clientssl = NULL, *serverssl = NULL;
6436 int testresult = 0;
6437 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6438 static char *mess = "A test message";
6439 BIO *lbio = NULL, *pbio = NULL;
6440 SSL *local = NULL, *peer = NULL;
6441
6442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6443 TLS_client_method(),
6444 TLS1_3_VERSION,
6445 0,
6446 &sctx, &cctx, cert, privkey))
6447 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6448 NULL, NULL))
6449 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6450 SSL_ERROR_NONE)))
6451 goto end;
6452
6453 local = tst == 0 ? clientssl : serverssl;
6454 peer = tst == 0 ? serverssl : clientssl;
6455
6456 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6457 goto end;
6458
6459 SSL_set_bio(local, lbio, lbio);
6460 SSL_set_bio(peer, pbio, pbio);
6461
6462 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6463 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6464 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6465 goto end;
6466
6467 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6468 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6469 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6470 goto end;
6471
6472 /* SSL_do_handshake will send keyupdate msg */
6473 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6474 || !TEST_int_eq(SSL_do_handshake(local), 1))
6475 goto end;
6476
6477 /*
6478 * write data in peer previously that we will complete
6479 * read data in local previously that we will complete
6480 */
6481 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6482 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6483 goto end;
6484
6485 /*
6486 * write data in local
6487 * read data in peer - we will read the key update
6488 */
6489 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6491 goto end;
6492
6493 /* Write more peer data to ensure we send the keyupdate message back */
6494 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6495 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6496 goto end;
6497
6498 testresult = 1;
6499
6500 end:
6501 SSL_free(serverssl);
6502 SSL_free(clientssl);
6503 SSL_CTX_free(sctx);
6504 SSL_CTX_free(cctx);
6505
6506 return testresult;
6507}
6508#endif /* OSSL_NO_USABLE_TLS1_3 */
6509
6510static int test_ssl_clear(int idx)
6511{
6512 SSL_CTX *cctx = NULL, *sctx = NULL;
6513 SSL *clientssl = NULL, *serverssl = NULL;
6514 int testresult = 0;
6515
6516#ifdef OPENSSL_NO_TLS1_2
6517 if (idx == 1)
6518 return 1;
6519#endif
6520
6521 /* Create an initial connection */
6522 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6523 TLS_client_method(), TLS1_VERSION, 0,
6524 &sctx, &cctx, cert, privkey))
6525 || (idx == 1
6526 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6527 TLS1_2_VERSION)))
6528 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6529 &clientssl, NULL, NULL))
6530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6531 SSL_ERROR_NONE)))
6532 goto end;
6533
6534 SSL_shutdown(clientssl);
6535 SSL_shutdown(serverssl);
6536 SSL_free(serverssl);
6537 serverssl = NULL;
6538
6539 /* Clear clientssl - we're going to reuse the object */
6540 if (!TEST_true(SSL_clear(clientssl)))
6541 goto end;
6542
6543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6544 NULL, NULL))
6545 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6546 SSL_ERROR_NONE))
6547 || !TEST_true(SSL_session_reused(clientssl)))
6548 goto end;
6549
6550 SSL_shutdown(clientssl);
6551 SSL_shutdown(serverssl);
6552
6553 testresult = 1;
6554
6555 end:
6556 SSL_free(serverssl);
6557 SSL_free(clientssl);
6558 SSL_CTX_free(sctx);
6559 SSL_CTX_free(cctx);
6560
6561 return testresult;
6562}
6563
6564/* Parse CH and retrieve any MFL extension value if present */
6565static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6566{
6567 long len;
6568 unsigned char *data;
6569 PACKET pkt, pkt2, pkt3;
6570 unsigned int MFL_code = 0, type = 0;
6571
6572 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6573 goto end;
6574
6575 memset(&pkt, 0, sizeof(pkt));
6576 memset(&pkt2, 0, sizeof(pkt2));
6577 memset(&pkt3, 0, sizeof(pkt3));
6578
6579 if (!TEST_long_gt(len, 0)
6580 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6581 /* Skip the record header */
6582 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6583 /* Skip the handshake message header */
6584 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6585 /* Skip client version and random */
6586 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6587 + SSL3_RANDOM_SIZE))
6588 /* Skip session id */
6589 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6590 /* Skip ciphers */
6591 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6592 /* Skip compression */
6593 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6594 /* Extensions len */
6595 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6596 goto end;
6597
6598 /* Loop through all extensions */
6599 while (PACKET_remaining(&pkt2)) {
6600 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6601 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6602 goto end;
6603
6604 if (type == TLSEXT_TYPE_max_fragment_length) {
6605 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6606 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6607 goto end;
6608
6609 *mfl_codemfl_code = MFL_code;
6610 return 1;
6611 }
6612 }
6613
6614 end:
6615 return 0;
6616}
6617
6618/* Maximum-Fragment-Length TLS extension mode to test */
6619static const unsigned char max_fragment_len_test[] = {
6620 TLSEXT_max_fragment_length_512,
6621 TLSEXT_max_fragment_length_1024,
6622 TLSEXT_max_fragment_length_2048,
6623 TLSEXT_max_fragment_length_4096
6624};
6625
6626static int test_max_fragment_len_ext(int idx_tst)
6627{
6628 SSL_CTX *ctx = NULL;
6629 SSL *con = NULL;
6630 int testresult = 0, MFL_mode = 0;
6631 BIO *rbio, *wbio;
6632
6633 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6634 TLS1_VERSION, 0, NULL, &ctx, NULL,
6635 NULL)))
6636 return 0;
6637
6638 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6639 ctx, max_fragment_len_test[idx_tst])))
6640 goto end;
6641
6642 con = SSL_new(ctx);
6643 if (!TEST_ptr(con))
6644 goto end;
6645
6646 rbio = BIO_new(BIO_s_mem());
6647 wbio = BIO_new(BIO_s_mem());
6648 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6649 BIO_free(rbio);
6650 BIO_free(wbio);
6651 goto end;
6652 }
6653
6654 SSL_set_bio(con, rbio, wbio);
6655
6656 if (!TEST_int_le(SSL_connect(con), 0)) {
6657 /* This shouldn't succeed because we don't have a server! */
6658 goto end;
6659 }
6660
6661 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6662 /* no MFL in client hello */
6663 goto end;
6664 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6665 goto end;
6666
6667 testresult = 1;
6668
6669end:
6670 SSL_free(con);
6671 SSL_CTX_free(ctx);
6672
6673 return testresult;
6674}
6675
6676#ifndef OSSL_NO_USABLE_TLS1_3
6677static int test_pha_key_update(void)
6678{
6679 SSL_CTX *cctx = NULL, *sctx = NULL;
6680 SSL *clientssl = NULL, *serverssl = NULL;
6681 int testresult = 0;
6682
6683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6684 TLS_client_method(), TLS1_VERSION, 0,
6685 &sctx, &cctx, cert, privkey)))
6686 return 0;
6687
6688 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6689 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6690 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6691 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6692 goto end;
6693
6694 SSL_CTX_set_post_handshake_auth(cctx, 1);
6695
6696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6697 NULL, NULL)))
6698 goto end;
6699
6700 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6701 SSL_ERROR_NONE)))
6702 goto end;
6703
6704 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6705 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6706 goto end;
6707
6708 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6709 goto end;
6710
6711 /* Start handshake on the server */
6712 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6713 goto end;
6714
6715 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6716 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6717 SSL_ERROR_NONE)))
6718 goto end;
6719
6720 SSL_shutdown(clientssl);
6721 SSL_shutdown(serverssl);
6722
6723 testresult = 1;
6724
6725 end:
6726 SSL_free(serverssl);
6727 SSL_free(clientssl);
6728 SSL_CTX_free(sctx);
6729 SSL_CTX_free(cctx);
6730 return testresult;
6731}
6732#endif
6733
6734#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6735
6736static SRP_VBASE *vbase = NULL;
6737
6738static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6739{
6740 int ret = SSL3_AL_FATAL;
6741 char *username;
6742 SRP_user_pwd *user = NULL;
6743
6744 username = SSL_get_srp_username(s);
6745 if (username == NULL) {
6746 *ad = SSL_AD_INTERNAL_ERROR;
6747 goto err;
6748 }
6749
6750 user = SRP_VBASE_get1_by_user(vbase, username);
6751 if (user == NULL) {
6752 *ad = SSL_AD_INTERNAL_ERROR;
6753 goto err;
6754 }
6755
6756 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6757 user->info) <= 0) {
6758 *ad = SSL_AD_INTERNAL_ERROR;
6759 goto err;
6760 }
6761
6762 ret = 0;
6763
6764 err:
6765 SRP_user_pwd_free(user);
6766 return ret;
6767}
6768
6769static int create_new_vfile(char *userid, char *password, const char *filename)
6770{
6771 char *gNid = NULL;
6772 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6773 TXT_DB *db = NULL;
6774 int ret = 0;
6775 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6776 size_t i;
6777
6778 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6779 goto end;
6780
6781 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
6782 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
6783 if (!TEST_ptr(gNid))
6784 goto end;
6785
6786 /*
6787 * The only way to create an empty TXT_DB is to provide a BIO with no data
6788 * in it!
6789 */
6790 db = TXT_DB_read(dummy, DB_NUMBER);
6791 if (!TEST_ptr(db))
6792 goto end;
6793
6794 out = BIO_new_file(filename, "w");
6795 if (!TEST_ptr(out))
6796 goto end;
6797
6798 row[DB_srpid] = OPENSSL_strdup(userid);
6799 row[DB_srptype] = OPENSSL_strdup("V");
6800 row[DB_srpgN] = OPENSSL_strdup(gNid);
6801
6802 if (!TEST_ptr(row[DB_srpid])
6803 || !TEST_ptr(row[DB_srptype])
6804 || !TEST_ptr(row[DB_srpgN])
6805 || !TEST_true(TXT_DB_insert(db, row)))
6806 goto end;
6807
6808 row = NULL;
6809
6810 if (TXT_DB_write(out, db) <= 0)
6811 goto end;
6812
6813 ret = 1;
6814 end:
6815 if (row != NULL) {
6816 for (i = 0; i < DB_NUMBER; i++)
6817 OPENSSL_free(row[i]);
6818 }
6819 OPENSSL_free(row);
6820 BIO_free(dummy);
6821 BIO_free(out);
6822 TXT_DB_free(db);
6823
6824 return ret;
6825}
6826
6827static int create_new_vbase(char *userid, char *password)
6828{
6829 BIGNUM *verifier = NULL, *salt = NULL;
6830 const SRP_gN *lgN = NULL;
6831 SRP_user_pwd *user_pwd = NULL;
6832 int ret = 0;
6833
6834 lgN = SRP_get_default_gN(NULL);
6835 if (!TEST_ptr(lgN))
6836 goto end;
6837
6838 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
6839 lgN->N, lgN->g, libctx, NULL)))
6840 goto end;
6841
6842 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6843 if (!TEST_ptr(user_pwd))
6844 goto end;
6845
6846 user_pwd->N = lgN->N;
6847 user_pwd->g = lgN->g;
6848 user_pwd->id = OPENSSL_strdup(userid);
6849 if (!TEST_ptr(user_pwd->id))
6850 goto end;
6851
6852 user_pwd->v = verifier;
6853 user_pwd->s = salt;
6854 verifier = salt = NULL;
6855
6856 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6857 goto end;
6858 user_pwd = NULL;
6859
6860 ret = 1;
6861end:
6862 SRP_user_pwd_free(user_pwd);
6863 BN_free(salt);
6864 BN_free(verifier);
6865
6866 return ret;
6867}
6868
6869/*
6870 * SRP tests
6871 *
6872 * Test 0: Simple successful SRP connection, new vbase
6873 * Test 1: Connection failure due to bad password, new vbase
6874 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6875 * Test 3: Connection failure due to bad password, vbase loaded from existing
6876 * file
6877 * Test 4: Simple successful SRP connection, vbase loaded from new file
6878 * Test 5: Connection failure due to bad password, vbase loaded from new file
6879 */
6880static int test_srp(int tst)
6881{
6882 char *userid = "test", *password = "password", *tstsrpfile;
6883 SSL_CTX *cctx = NULL, *sctx = NULL;
6884 SSL *clientssl = NULL, *serverssl = NULL;
6885 int ret, testresult = 0;
6886
6887 vbase = SRP_VBASE_new(NULL);
6888 if (!TEST_ptr(vbase))
6889 goto end;
6890
6891 if (tst == 0 || tst == 1) {
6892 if (!TEST_true(create_new_vbase(userid, password)))
6893 goto end;
6894 } else {
6895 if (tst == 4 || tst == 5) {
6896 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6897 goto end;
6898 tstsrpfile = tmpfilename;
6899 } else {
6900 tstsrpfile = srpvfile;
6901 }
6902 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6903 goto end;
6904 }
6905
6906 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6907 TLS_client_method(), TLS1_VERSION, 0,
6908 &sctx, &cctx, cert, privkey)))
6909 goto end;
6910
6911 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6912 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6913 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6914 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6915 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6916 goto end;
6917
6918 if (tst % 2 == 1) {
6919 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6920 goto end;
6921 } else {
6922 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6923 goto end;
6924 }
6925
6926 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6927 NULL, NULL)))
6928 goto end;
6929
6930 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6931 if (ret) {
6932 if (!TEST_true(tst % 2 == 0))
6933 goto end;
6934 } else {
6935 if (!TEST_true(tst % 2 == 1))
6936 goto end;
6937 }
6938
6939 testresult = 1;
6940
6941 end:
6942 SRP_VBASE_free(vbase);
6943 vbase = NULL;
6944 SSL_free(serverssl);
6945 SSL_free(clientssl);
6946 SSL_CTX_free(sctx);
6947 SSL_CTX_free(cctx);
6948
6949 return testresult;
6950}
6951#endif
6952
6953static int info_cb_failed = 0;
6954static int info_cb_offset = 0;
6955static int info_cb_this_state = -1;
6956
6957static struct info_cb_states_st {
6958 int where;
6959 const char *statestr;
6960} info_cb_states[][60] = {
6961 {
6962 /* TLSv1.2 server followed by resumption */
6963 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6964 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6965 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6966 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6967 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6968 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6969 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6970 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6971 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
6972 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6973 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6974 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6975 {SSL_CB_EXIT, NULL}, {0, NULL},
6976 }, {
6977 /* TLSv1.2 client followed by resumption */
6978 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6979 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6980 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6981 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6982 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6983 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6984 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6985 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6986 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6987 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6988 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6989 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6990 }, {
6991 /* TLSv1.3 server followed by resumption */
6992 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6993 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6994 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6995 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6996 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
6997 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6998 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6999 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7000 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7001 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7002 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7003 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7004 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7005 }, {
7006 /* TLSv1.3 client followed by resumption */
7007 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7008 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7009 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7010 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7011 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7012 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7013 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7014 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7015 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7016 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7017 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7018 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7019 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7020 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7021 {SSL_CB_EXIT, NULL}, {0, NULL},
7022 }, {
7023 /* TLSv1.3 server, early_data */
7024 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7025 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7026 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7027 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7028 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7029 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7030 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7031 {SSL_CB_EXIT, NULL}, {0, NULL},
7032 }, {
7033 /* TLSv1.3 client, early_data */
7034 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7035 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7036 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7037 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7038 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7039 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7040 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7041 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7042 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7043 }, {
7044 {0, NULL},
7045 }
7046};
7047
7048static void sslapi_info_callback(const SSL *s, int where, int ret)
7049{
7050 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7051
7052 /* We do not ever expect a connection to fail in this test */
7053 if (!TEST_false(ret == 0)) {
7054 info_cb_failed = 1;
7055 return;
7056 }
7057
7058 /*
7059 * Do some sanity checks. We never expect these things to happen in this
7060 * test
7061 */
7062 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7063 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7064 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7065 info_cb_failed = 1;
7066 return;
7067 }
7068
7069 /* Now check we're in the right state */
7070 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7071 info_cb_failed = 1;
7072 return;
7073 }
7074 if ((where & SSL_CB_LOOP) != 0
7075 && !TEST_int_eq(strcmp(SSL_state_string(s),
7076 state[info_cb_this_state].statestr), 0)) {
7077 info_cb_failed = 1;
7078 return;
7079 }
7080
7081 /*
7082 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7083 */
7084 if ((where & SSL_CB_HANDSHAKE_DONE)
7085 && SSL_in_init((SSL *)s) != 0) {
7086 info_cb_failed = 1;
7087 return;
7088 }
7089}
7090
7091/*
7092 * Test the info callback gets called when we expect it to.
7093 *
7094 * Test 0: TLSv1.2, server
7095 * Test 1: TLSv1.2, client
7096 * Test 2: TLSv1.3, server
7097 * Test 3: TLSv1.3, client
7098 * Test 4: TLSv1.3, server, early_data
7099 * Test 5: TLSv1.3, client, early_data
7100 */
7101static int test_info_callback(int tst)
7102{
7103 SSL_CTX *cctx = NULL, *sctx = NULL;
7104 SSL *clientssl = NULL, *serverssl = NULL;
7105 SSL_SESSION *clntsess = NULL;
7106 int testresult = 0;
7107 int tlsvers;
7108
7109 if (tst < 2) {
7110/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7111#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7112 || !defined(OPENSSL_NO_DH))
7113 tlsvers = TLS1_2_VERSION;
7114#else
7115 return 1;
7116#endif
7117 } else {
7118#ifndef OSSL_NO_USABLE_TLS1_3
7119 tlsvers = TLS1_3_VERSION;
7120#else
7121 return 1;
7122#endif
7123 }
7124
7125 /* Reset globals */
7126 info_cb_failed = 0;
7127 info_cb_this_state = -1;
7128 info_cb_offset = tst;
7129
7130#ifndef OSSL_NO_USABLE_TLS1_3
7131 if (tst >= 4) {
7132 SSL_SESSION *sess = NULL;
7133 size_t written, readbytes;
7134 unsigned char buf[80];
7135
7136 /* early_data tests */
7137 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7138 &serverssl, &sess, 0)))
7139 goto end;
7140
7141 /* We don't actually need this reference */
7142 SSL_SESSION_free(sess);
7143
7144 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7145 sslapi_info_callback);
7146
7147 /* Write and read some early data and then complete the connection */
7148 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7149 &written))
7150 || !TEST_size_t_eq(written, strlen(MSG1))
7151 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7152 sizeof(buf), &readbytes),
7153 SSL_READ_EARLY_DATA_SUCCESS)
7154 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7155 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7156 SSL_EARLY_DATA_ACCEPTED)
7157 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7158 SSL_ERROR_NONE))
7159 || !TEST_false(info_cb_failed))
7160 goto end;
7161
7162 testresult = 1;
7163 goto end;
7164 }
7165#endif
7166
7167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7168 TLS_client_method(),
7169 tlsvers, tlsvers, &sctx, &cctx, cert,
7170 privkey)))
7171 goto end;
7172
7173 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7174 goto end;
7175
7176 /*
7177 * For even numbered tests we check the server callbacks. For odd numbers we
7178 * check the client.
7179 */
7180 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7181 sslapi_info_callback);
7182
7183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7184 &clientssl, NULL, NULL))
7185 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7186 SSL_ERROR_NONE))
7187 || !TEST_false(info_cb_failed))
7188 goto end;
7189
7190
7191
7192 clntsess = SSL_get1_session(clientssl);
7193 SSL_shutdown(clientssl);
7194 SSL_shutdown(serverssl);
7195 SSL_free(serverssl);
7196 SSL_free(clientssl);
7197 serverssl = clientssl = NULL;
7198
7199 /* Now do a resumption */
7200 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7201 NULL))
7202 || !TEST_true(SSL_set_session(clientssl, clntsess))
7203 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7204 SSL_ERROR_NONE))
7205 || !TEST_true(SSL_session_reused(clientssl))
7206 || !TEST_false(info_cb_failed))
7207 goto end;
7208
7209 testresult = 1;
7210
7211 end:
7212 SSL_free(serverssl);
7213 SSL_free(clientssl);
7214 SSL_SESSION_free(clntsess);
7215 SSL_CTX_free(sctx);
7216 SSL_CTX_free(cctx);
7217 return testresult;
7218}
7219
7220static int test_ssl_pending(int tst)
7221{
7222 SSL_CTX *cctx = NULL, *sctx = NULL;
7223 SSL *clientssl = NULL, *serverssl = NULL;
7224 int testresult = 0;
7225 char msg[] = "A test message";
7226 char buf[5];
7227 size_t written, readbytes;
7228
7229 if (tst == 0) {
7230 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7231 TLS_client_method(),
7232 TLS1_VERSION, 0,
7233 &sctx, &cctx, cert, privkey)))
7234 goto end;
7235 } else {
7236#ifndef OPENSSL_NO_DTLS
7237 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7238 DTLS_client_method(),
7239 DTLS1_VERSION, 0,
7240 &sctx, &cctx, cert, privkey)))
7241 goto end;
7242
7243# ifdef OPENSSL_NO_DTLS1_2
7244 /* Not supported in the FIPS provider */
7245 if (is_fips) {
7246 testresult = 1;
7247 goto end;
7248 };
7249 /*
7250 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7251 * level 0
7252 */
7253 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7254 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7255 "DEFAULT:@SECLEVEL=0")))
7256 goto end;
7257# endif
7258#else
7259 return 1;
7260#endif
7261 }
7262
7263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7264 NULL, NULL))
7265 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7266 SSL_ERROR_NONE)))
7267 goto end;
7268
7269 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7270 || !TEST_false(SSL_has_pending(clientssl))
7271 || !TEST_int_eq(SSL_pending(serverssl), 0)
7272 || !TEST_false(SSL_has_pending(serverssl))
7273 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7274 || !TEST_size_t_eq(written, sizeof(msg))
7275 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7276 || !TEST_size_t_eq(readbytes, sizeof(buf))
7277 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7278 || !TEST_true(SSL_has_pending(clientssl)))
7279 goto end;
7280
7281 testresult = 1;
7282
7283 end:
7284 SSL_free(serverssl);
7285 SSL_free(clientssl);
7286 SSL_CTX_free(sctx);
7287 SSL_CTX_free(cctx);
7288
7289 return testresult;
7290}
7291
7292static struct {
7293 unsigned int maxprot;
7294 const char *clntciphers;
7295 const char *clnttls13ciphers;
7296 const char *srvrciphers;
7297 const char *srvrtls13ciphers;
7298 const char *shared;
7299 const char *fipsshared;
7300} shared_ciphers_data[] = {
7301/*
7302 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7303 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7304 */
7305#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7306 {
7307 TLS1_2_VERSION,
7308 "AES128-SHA:AES256-SHA",
7309 NULL,
7310 "AES256-SHA:DHE-RSA-AES128-SHA",
7311 NULL,
7312 "AES256-SHA",
7313 "AES256-SHA"
7314 },
7315# if !defined(OPENSSL_NO_CHACHA) \
7316 && !defined(OPENSSL_NO_POLY1305) \
7317 && !defined(OPENSSL_NO_EC)
7318 {
7319 TLS1_2_VERSION,
7320 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7321 NULL,
7322 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7323 NULL,
7324 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7325 "AES128-SHA"
7326 },
7327# endif
7328 {
7329 TLS1_2_VERSION,
7330 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7331 NULL,
7332 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7333 NULL,
7334 "AES128-SHA:AES256-SHA",
7335 "AES128-SHA:AES256-SHA"
7336 },
7337 {
7338 TLS1_2_VERSION,
7339 "AES128-SHA:AES256-SHA",
7340 NULL,
7341 "AES128-SHA:DHE-RSA-AES128-SHA",
7342 NULL,
7343 "AES128-SHA",
7344 "AES128-SHA"
7345 },
7346#endif
7347/*
7348 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7349 * enabled.
7350 */
7351#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7352 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7353 {
7354 TLS1_3_VERSION,
7355 "AES128-SHA:AES256-SHA",
7356 NULL,
7357 "AES256-SHA:AES128-SHA256",
7358 NULL,
7359 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7360 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7361 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7362 },
7363#endif
7364#ifndef OSSL_NO_USABLE_TLS1_3
7365 {
7366 TLS1_3_VERSION,
7367 "AES128-SHA",
7368 "TLS_AES_256_GCM_SHA384",
7369 "AES256-SHA",
7370 "TLS_AES_256_GCM_SHA384",
7371 "TLS_AES_256_GCM_SHA384",
7372 "TLS_AES_256_GCM_SHA384"
7373 },
7374#endif
7375};
7376
7377static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7378{
7379 SSL_CTX *cctx = NULL, *sctx = NULL;
7380 SSL *clientssl = NULL, *serverssl = NULL;
7381 int testresult = 0;
7382 char buf[1024];
7383 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7384
7385 if (!TEST_ptr(tmplibctx))
7386 goto end;
7387
7388 /*
7389 * Regardless of whether we're testing with the FIPS provider loaded into
7390 * libctx, we want one peer to always use the full set of ciphersuites
7391 * available. Therefore we use a separate libctx with the default provider
7392 * loaded into it. We run the same tests twice - once with the client side
7393 * having the full set of ciphersuites and once with the server side.
7394 */
7395 if (clnt) {
7396 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7397 if (!TEST_ptr(cctx))
7398 goto end;
7399 } else {
7400 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7401 if (!TEST_ptr(sctx))
7402 goto end;
7403 }
7404
7405 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7406 TLS_client_method(),
7407 TLS1_VERSION,
7408 shared_ciphers_data[tst].maxprot,
7409 &sctx, &cctx, cert, privkey)))
7410 goto end;
7411
7412 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7413 shared_ciphers_data[tst].clntciphers))
7414 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7415 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7416 shared_ciphers_data[tst].clnttls13ciphers)))
7417 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7418 shared_ciphers_data[tst].srvrciphers))
7419 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7420 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7421 shared_ciphers_data[tst].srvrtls13ciphers))))
7422 goto end;
7423
7424
7425 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7426 NULL, NULL))
7427 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7428 SSL_ERROR_NONE)))
7429 goto end;
7430
7431 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7432 || !TEST_int_eq(strcmp(buf,
7433 is_fips
7434 ? shared_ciphers_data[tst].fipsshared
7435 : shared_ciphers_data[tst].shared),
7436 0)) {
7437 TEST_info("Shared ciphers are: %s\n", buf);
7438 goto end;
7439 }
7440
7441 testresult = 1;
7442
7443 end:
7444 SSL_free(serverssl);
7445 SSL_free(clientssl);
7446 SSL_CTX_free(sctx);
7447 SSL_CTX_free(cctx);
7448 OSSL_LIB_CTX_free(tmplibctx);
7449
7450 return testresult;
7451}
7452
7453static int test_ssl_get_shared_ciphers(int tst)
7454{
7455 return int_test_ssl_get_shared_ciphers(tst, 0)
7456 && int_test_ssl_get_shared_ciphers(tst, 1);
7457}
7458
7459
7460static const char *appdata = "Hello World";
7461static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7462static int tick_key_renew = 0;
7463static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7464
7465static int gen_tick_cb(SSL *s, void *arg)
7466{
7467 gen_tick_called = 1;
7468
7469 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7470 strlen(appdata));
7471}
7472
7473static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7474 const unsigned char *keyname,
7475 size_t keyname_length,
7476 SSL_TICKET_STATUS status,
7477 void *arg)
7478{
7479 void *tickdata;
7480 size_t tickdlen;
7481
7482 dec_tick_called = 1;
7483
7484 if (status == SSL_TICKET_EMPTY)
7485 return SSL_TICKET_RETURN_IGNORE_RENEW;
7486
7487 if (!TEST_true(status == SSL_TICKET_SUCCESS
7488 || status == SSL_TICKET_SUCCESS_RENEW))
7489 return SSL_TICKET_RETURN_ABORT;
7490
7491 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7492 &tickdlen))
7493 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7494 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7495 return SSL_TICKET_RETURN_ABORT;
7496
7497 if (tick_key_cb_called) {
7498 /* Don't change what the ticket key callback wanted to do */
7499 switch (status) {
7500 case SSL_TICKET_NO_DECRYPT:
7501 return SSL_TICKET_RETURN_IGNORE_RENEW;
7502
7503 case SSL_TICKET_SUCCESS:
7504 return SSL_TICKET_RETURN_USE;
7505
7506 case SSL_TICKET_SUCCESS_RENEW:
7507 return SSL_TICKET_RETURN_USE_RENEW;
7508
7509 default:
7510 return SSL_TICKET_RETURN_ABORT;
7511 }
7512 }
7513 return tick_dec_ret;
7514
7515}
7516
7517#ifndef OPENSSL_NO_DEPRECATED_3_0
7518static int tick_key_cb(SSL *s, unsigned char key_name[16],
7519 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7520 HMAC_CTX *hctx, int enc)
7521{
7522 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7523 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7524 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7525 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7526 int ret;
7527
7528 tick_key_cb_called = 1;
7529 memset(iv, 0, AES_BLOCK_SIZE);
7530 memset(key_name, 0, 16);
7531 if (aes128cbc == NULL
7532 || sha256 == NULL
7533 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7534 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7535 NULL))
7536 ret = -1;
7537 else
7538 ret = tick_key_renew ? 2 : 1;
7539
7540 EVP_CIPHER_free(aes128cbc);
7541 EVP_MD_free(sha256);
7542
7543 return ret;
7544}
7545#endif
7546
7547static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7548 unsigned char iv[EVP_MAX_IV_LENGTH],
7549 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7550{
7551 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7552 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7553 OSSL_PARAM params[2];
7554 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7555 int ret;
7556
7557 tick_key_cb_called = 1;
7558 memset(iv, 0, AES_BLOCK_SIZE);
7559 memset(key_name, 0, 16);
7560 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7561 "SHA256", 0);
7562 params[1] = OSSL_PARAM_construct_end();
7563 if (aes128cbc == NULL
7564 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7565 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7566 params))
7567 ret = -1;
7568 else
7569 ret = tick_key_renew ? 2 : 1;
7570
7571 EVP_CIPHER_free(aes128cbc);
7572
7573 return ret;
7574}
7575
7576/*
7577 * Test the various ticket callbacks
7578 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7579 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7580 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7581 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7582 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7583 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7584 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7585 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7586 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7587 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7588 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7589 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7590 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7591 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7592 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7593 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
7594 */
7595static int test_ticket_callbacks(int tst)
7596{
7597 SSL_CTX *cctx = NULL, *sctx = NULL;
7598 SSL *clientssl = NULL, *serverssl = NULL;
7599 SSL_SESSION *clntsess = NULL;
7600 int testresult = 0;
7601
7602#ifdef OPENSSL_NO_TLS1_2
7603 if (tst % 2 == 0)
7604 return 1;
7605#endif
7606#ifdef OSSL_NO_USABLE_TLS1_3
7607 if (tst % 2 == 1)
7608 return 1;
7609#endif
7610#ifdef OPENSSL_NO_DEPRECATED_3_0
7611 if (tst >= 8 && tst <= 11)
7612 return 1;
7613#endif
7614
7615 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7616
7617 /* Which tests the ticket key callback should request renewal for */
7618 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
7619 tick_key_renew = 1;
7620 else
7621 tick_key_renew = 0;
7622
7623 /* Which tests the decrypt ticket callback should request renewal for */
7624 switch (tst) {
7625 case 0:
7626 case 1:
7627 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7628 break;
7629
7630 case 2:
7631 case 3:
7632 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7633 break;
7634
7635 case 4:
7636 case 5:
7637 tick_dec_ret = SSL_TICKET_RETURN_USE;
7638 break;
7639
7640 case 6:
7641 case 7:
7642 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7643 break;
7644
7645 default:
7646 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7647 }
7648
7649 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7650 TLS_client_method(),
7651 TLS1_VERSION,
7652 ((tst % 2) == 0) ? TLS1_2_VERSION
7653 : TLS1_3_VERSION,
7654 &sctx, &cctx, cert, privkey)))
7655 goto end;
7656
7657 /*
7658 * We only want sessions to resume from tickets - not the session cache. So
7659 * switch the cache off.
7660 */
7661 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7662 goto end;
7663
7664 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7665 NULL)))
7666 goto end;
7667
7668 if (tst >= 12) {
7669 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7670 goto end;
7671#ifndef OPENSSL_NO_DEPRECATED_3_0
7672 } else if (tst >= 8) {
7673 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7674 goto end;
7675#endif
7676 }
7677
7678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7679 NULL, NULL))
7680 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7681 SSL_ERROR_NONE)))
7682 goto end;
7683
7684 /*
7685 * The decrypt ticket key callback in TLSv1.2 should be called even though
7686 * we have no ticket yet, because it gets called with a status of
7687 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7688 * actually send any ticket data). This does not happen in TLSv1.3 because
7689 * it is not valid to send empty ticket data in TLSv1.3.
7690 */
7691 if (!TEST_int_eq(gen_tick_called, 1)
7692 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7693 goto end;
7694
7695 gen_tick_called = dec_tick_called = 0;
7696
7697 clntsess = SSL_get1_session(clientssl);
7698 SSL_shutdown(clientssl);
7699 SSL_shutdown(serverssl);
7700 SSL_free(serverssl);
7701 SSL_free(clientssl);
7702 serverssl = clientssl = NULL;
7703
7704 /* Now do a resumption */
7705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7706 NULL))
7707 || !TEST_true(SSL_set_session(clientssl, clntsess))
7708 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7709 SSL_ERROR_NONE)))
7710 goto end;
7711
7712 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7713 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7714 if (!TEST_false(SSL_session_reused(clientssl)))
7715 goto end;
7716 } else {
7717 if (!TEST_true(SSL_session_reused(clientssl)))
7718 goto end;
7719 }
7720
7721 if (!TEST_int_eq(gen_tick_called,
7722 (tick_key_renew
7723 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7724 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7725 ? 1 : 0)
7726 || !TEST_int_eq(dec_tick_called, 1))
7727 goto end;
7728
7729 testresult = 1;
7730
7731 end:
7732 SSL_SESSION_free(clntsess);
7733 SSL_free(serverssl);
7734 SSL_free(clientssl);
7735 SSL_CTX_free(sctx);
7736 SSL_CTX_free(cctx);
7737
7738 return testresult;
7739}
7740
7741/*
7742 * Test incorrect shutdown.
7743 * Test 0: client does not shutdown properly,
7744 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7745 * server should get SSL_ERROR_SSL
7746 * Test 1: client does not shutdown properly,
7747 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7748 * server should get SSL_ERROR_ZERO_RETURN
7749 */
7750static int test_incorrect_shutdown(int tst)
7751{
7752 SSL_CTX *cctx = NULL, *sctx = NULL;
7753 SSL *clientssl = NULL, *serverssl = NULL;
7754 int testresult = 0;
7755 char buf[80];
7756 BIO *c2s;
7757
7758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7759 TLS_client_method(), 0, 0,
7760 &sctx, &cctx, cert, privkey)))
7761 goto end;
7762
7763 if (tst == 1)
7764 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7765
7766 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7767 NULL, NULL)))
7768 goto end;
7769
7770 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7771 SSL_ERROR_NONE)))
7772 goto end;
7773
7774 c2s = SSL_get_rbio(serverssl);
7775 BIO_set_mem_eof_return(c2s, 0);
7776
7777 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7778 goto end;
7779
7780 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7781 goto end;
7782 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7783 goto end;
7784
7785 testresult = 1;
7786
7787 end:
7788 SSL_free(serverssl);
7789 SSL_free(clientssl);
7790 SSL_CTX_free(sctx);
7791 SSL_CTX_free(cctx);
7792
7793 return testresult;
7794}
7795
7796/*
7797 * Test bi-directional shutdown.
7798 * Test 0: TLSv1.2
7799 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7800 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7801 * Test 3: TLSv1.3, pending NewSessionTicket messages
7802 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7803 * sends key update, client reads it
7804 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7805 * sends CertificateRequest, client reads and ignores it
7806 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
7807 * doesn't read it
7808 */
7809static int test_shutdown(int tst)
7810{
7811 SSL_CTX *cctx = NULL, *sctx = NULL;
7812 SSL *clientssl = NULL, *serverssl = NULL;
7813 int testresult = 0;
7814 char msg[] = "A test message";
7815 char buf[80];
7816 size_t written, readbytes;
7817 SSL_SESSION *sess;
7818
7819#ifdef OPENSSL_NO_TLS1_2
7820 if (tst <= 1)
7821 return 1;
7822#endif
7823#ifdef OSSL_NO_USABLE_TLS1_3
7824 if (tst >= 2)
7825 return 1;
7826#endif
7827
7828 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7829 TLS_client_method(),
7830 TLS1_VERSION,
7831 (tst <= 1) ? TLS1_2_VERSION
7832 : TLS1_3_VERSION,
7833 &sctx, &cctx, cert, privkey)))
7834 goto end;
7835
7836 if (tst == 5)
7837 SSL_CTX_set_post_handshake_auth(cctx, 1);
7838
7839 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7840 NULL, NULL)))
7841 goto end;
7842
7843 if (tst == 3) {
7844 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
7845 SSL_ERROR_NONE, 1))
7846 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7847 || !TEST_false(SSL_SESSION_is_resumable(sess)))
7848 goto end;
7849 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7850 SSL_ERROR_NONE))
7851 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7852 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
7853 goto end;
7854 }
7855
7856 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7857 goto end;
7858
7859 if (tst >= 4) {
7860 /*
7861 * Reading on the server after the client has sent close_notify should
7862 * fail and provide SSL_ERROR_ZERO_RETURN
7863 */
7864 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7865 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7866 SSL_ERROR_ZERO_RETURN)
7867 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7868 SSL_RECEIVED_SHUTDOWN)
7869 /*
7870 * Even though we're shutdown on receive we should still be
7871 * able to write.
7872 */
7873 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7874 goto end;
7875 if (tst == 4
7876 && !TEST_true(SSL_key_update(serverssl,
7877 SSL_KEY_UPDATE_REQUESTED)))
7878 goto end;
7879 if (tst == 5) {
7880 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7881 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7882 goto end;
7883 }
7884 if ((tst == 4 || tst == 5)
7885 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7886 goto end;
7887 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
7888 goto end;
7889 if (tst == 4 || tst == 5) {
7890 /* Should still be able to read data from server */
7891 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7892 &readbytes))
7893 || !TEST_size_t_eq(readbytes, sizeof(msg))
7894 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7895 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7896 &readbytes))
7897 || !TEST_size_t_eq(readbytes, sizeof(msg))
7898 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7899 goto end;
7900 }
7901 }
7902
7903 /* Writing on the client after sending close_notify shouldn't be possible */
7904 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
7905 goto end;
7906
7907 if (tst < 4) {
7908 /*
7909 * For these tests the client has sent close_notify but it has not yet
7910 * been received by the server. The server has not sent close_notify
7911 * yet.
7912 */
7913 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
7914 /*
7915 * Writing on the server after sending close_notify shouldn't
7916 * be possible.
7917 */
7918 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7919 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
7920 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7921 || !TEST_true(SSL_SESSION_is_resumable(sess))
7922 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7923 goto end;
7924 } else if (tst == 4 || tst == 5) {
7925 /*
7926 * In this test the client has sent close_notify and it has been
7927 * received by the server which has responded with a close_notify. The
7928 * client needs to read the close_notify sent by the server.
7929 */
7930 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7931 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7932 || !TEST_true(SSL_SESSION_is_resumable(sess)))
7933 goto end;
7934 } else {
7935 /*
7936 * tst == 6
7937 *
7938 * The client has sent close_notify and is expecting a close_notify
7939 * back, but instead there is application data first. The shutdown
7940 * should fail with a fatal error.
7941 */
7942 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7943 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7944 goto end;
7945 }
7946
7947 testresult = 1;
7948
7949 end:
7950 SSL_free(serverssl);
7951 SSL_free(clientssl);
7952 SSL_CTX_free(sctx);
7953 SSL_CTX_free(cctx);
7954
7955 return testresult;
7956}
7957
7958#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
7959static int cert_cb_cnt;
7960
7961static int cert_cb(SSL *s, void *arg)
7962{
7963 SSL_CTX *ctx = (SSL_CTX *)arg;
7964 BIO *in = NULL;
7965 EVP_PKEY *pkey = NULL;
7966 X509 *x509 = NULL, *rootx = NULL;
7967 STACK_OF(X509) *chain = NULL;
7968 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7969 int ret = 0;
7970
7971 if (cert_cb_cnt == 0) {
7972 /* Suspend the handshake */
7973 cert_cb_cnt++;
7974 return -1;
7975 } else if (cert_cb_cnt == 1) {
7976 /*
7977 * Update the SSL_CTX, set the certificate and private key and then
7978 * continue the handshake normally.
7979 */
7980 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7981 return 0;
7982
7983 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7984 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7985 SSL_FILETYPE_PEM))
7986 || !TEST_true(SSL_check_private_key(s)))
7987 return 0;
7988 cert_cb_cnt++;
7989 return 1;
7990 } else if (cert_cb_cnt == 3) {
7991 int rv;
7992
7993 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7994 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7995 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7996 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7997 goto out;
7998 chain = sk_X509_new_null();
7999 if (!TEST_ptr(chain))
8000 goto out;
8001 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8002 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8003 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8004 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8005 || !TEST_true(sk_X509_push(chain, rootx)))
8006 goto out;
8007 rootx = NULL;
8008 BIO_free(in);
8009 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8010 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8011 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8012 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8013 goto out;
8014 BIO_free(in);
8015 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8016 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8017 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8018 NULL, NULL,
8019 libctx, NULL)))
8020 goto out;
8021 rv = SSL_check_chain(s, x509, pkey, chain);
8022 /*
8023 * If the cert doesn't show as valid here (e.g., because we don't
8024 * have any shared sigalgs), then we will not set it, and there will
8025 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8026 * will cause tls_choose_sigalgs() to fail the connection.
8027 */
8028 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8029 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8030 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8031 goto out;
8032 }
8033
8034 ret = 1;
8035 }
8036
8037 /* Abort the handshake */
8038 out:
8039 OPENSSL_free(ecdsacert);
8040 OPENSSL_free(ecdsakey);
8041 OPENSSL_free(rootfile);
8042 BIO_free(in);
8043 EVP_PKEY_free(pkey);
8044 X509_free(x509);
8045 X509_free(rootx);
8046 sk_X509_pop_free(chain, X509_free);
8047 return ret;
8048}
8049
8050/*
8051 * Test the certificate callback.
8052 * Test 0: Callback fails
8053 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8054 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8055 * Test 3: Success - Call SSL_check_chain from the callback
8056 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8057 * chain
8058 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8059 */
8060static int test_cert_cb_int(int prot, int tst)
8061{
8062 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8063 SSL *clientssl = NULL, *serverssl = NULL;
8064 int testresult = 0, ret;
8065
8066#ifdef OPENSSL_NO_EC
8067 /* We use an EC cert in these tests, so we skip in a no-ec build */
8068 if (tst >= 3)
8069 return 1;
8070#endif
8071
8072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8073 TLS_client_method(),
8074 TLS1_VERSION,
8075 prot,
8076 &sctx, &cctx, NULL, NULL)))
8077 goto end;
8078
8079 if (tst == 0)
8080 cert_cb_cnt = -1;
8081 else if (tst >= 3)
8082 cert_cb_cnt = 3;
8083 else
8084 cert_cb_cnt = 0;
8085
8086 if (tst == 2) {
8087 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8088 if (!TEST_ptr(snictx))
8089 goto end;
8090 }
8091
8092 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8093
8094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8095 NULL, NULL)))
8096 goto end;
8097
8098 if (tst == 4) {
8099 /*
8100 * We cause SSL_check_chain() to fail by specifying sig_algs that
8101 * the chain doesn't meet (the root uses an RSA cert)
8102 */
8103 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8104 "ecdsa_secp256r1_sha256")))
8105 goto end;
8106 } else if (tst == 5) {
8107 /*
8108 * We cause SSL_check_chain() to fail by specifying sig_algs that
8109 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8110 */
8111 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8112 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8113 goto end;
8114 }
8115
8116 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8117 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8118 || (tst > 0
8119 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8120 goto end;
8121 }
8122
8123 testresult = 1;
8124
8125 end:
8126 SSL_free(serverssl);
8127 SSL_free(clientssl);
8128 SSL_CTX_free(sctx);
8129 SSL_CTX_free(cctx);
8130 SSL_CTX_free(snictx);
8131
8132 return testresult;
8133}
8134#endif
8135
8136static int test_cert_cb(int tst)
8137{
8138 int testresult = 1;
8139
8140#ifndef OPENSSL_NO_TLS1_2
8141 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8142#endif
8143#ifndef OSSL_NO_USABLE_TLS1_3
8144 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8145#endif
8146
8147 return testresult;
8148}
8149
8150static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8151{
8152 X509 *xcert;
8153 EVP_PKEY *privpkey;
8154 BIO *in = NULL;
8155 BIO *priv_in = NULL;
8156
8157 /* Check that SSL_get0_peer_certificate() returns something sensible */
8158 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8159 return 0;
8160
8161 in = BIO_new_file(cert, "r");
8162 if (!TEST_ptr(in))
8163 return 0;
8164
8165 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8166 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8167 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8168 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8169 NULL, NULL,
8170 libctx, NULL)))
8171 goto err;
8172
8173 *x509 = xcert;
8174 *pkey = privpkey;
8175
8176 BIO_free(in);
8177 BIO_free(priv_in);
8178 return 1;
8179err:
8180 X509_free(xcert);
8181 BIO_free(in);
8182 BIO_free(priv_in);
8183 return 0;
8184}
8185
8186static int test_client_cert_cb(int tst)
8187{
8188 SSL_CTX *cctx = NULL, *sctx = NULL;
8189 SSL *clientssl = NULL, *serverssl = NULL;
8190 int testresult = 0;
8191
8192#ifdef OPENSSL_NO_TLS1_2
8193 if (tst == 0)
8194 return 1;
8195#endif
8196#ifdef OSSL_NO_USABLE_TLS1_3
8197 if (tst == 1)
8198 return 1;
8199#endif
8200
8201 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8202 TLS_client_method(),
8203 TLS1_VERSION,
8204 tst == 0 ? TLS1_2_VERSION
8205 : TLS1_3_VERSION,
8206 &sctx, &cctx, cert, privkey)))
8207 goto end;
8208
8209 /*
8210 * Test that setting a client_cert_cb results in a client certificate being
8211 * sent.
8212 */
8213 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8214 SSL_CTX_set_verify(sctx,
8215 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8216 verify_cb);
8217
8218 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8219 NULL, NULL))
8220 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8221 SSL_ERROR_NONE)))
8222 goto end;
8223
8224 testresult = 1;
8225
8226 end:
8227 SSL_free(serverssl);
8228 SSL_free(clientssl);
8229 SSL_CTX_free(sctx);
8230 SSL_CTX_free(cctx);
8231
8232 return testresult;
8233}
8234
8235#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8236/*
8237 * Test setting certificate authorities on both client and server.
8238 *
8239 * Test 0: SSL_CTX_set0_CA_list() only
8240 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8241 * Test 2: Only SSL_CTX_set_client_CA_list()
8242 */
8243static int test_ca_names_int(int prot, int tst)
8244{
8245 SSL_CTX *cctx = NULL, *sctx = NULL;
8246 SSL *clientssl = NULL, *serverssl = NULL;
8247 int testresult = 0;
8248 size_t i;
8249 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8250 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8251 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8252 const STACK_OF(X509_NAME) *sktmp = NULL;
8253
8254 for (i = 0; i < OSSL_NELEM(name); i++) {
8255 name[i] = X509_NAME_new();
8256 if (!TEST_ptr(name[i])
8257 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8258 MBSTRING_ASC,
8259 (unsigned char *)
8260 strnames[i],
8261 -1, -1, 0)))
8262 goto end;
8263 }
8264
8265 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8266 TLS_client_method(),
8267 TLS1_VERSION,
8268 prot,
8269 &sctx, &cctx, cert, privkey)))
8270 goto end;
8271
8272 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8273
8274 if (tst == 0 || tst == 1) {
8275 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8276 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8277 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8278 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8279 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8280 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8281 goto end;
8282
8283 SSL_CTX_set0_CA_list(sctx, sk1);
8284 SSL_CTX_set0_CA_list(cctx, sk2);
8285 sk1 = sk2 = NULL;
8286 }
8287 if (tst == 1 || tst == 2) {
8288 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8289 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8290 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8291 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8292 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8293 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8294 goto end;
8295
8296 SSL_CTX_set_client_CA_list(sctx, sk1);
8297 SSL_CTX_set_client_CA_list(cctx, sk2);
8298 sk1 = sk2 = NULL;
8299 }
8300
8301 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8302 NULL, NULL))
8303 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8304 SSL_ERROR_NONE)))
8305 goto end;
8306
8307 /*
8308 * We only expect certificate authorities to have been sent to the server
8309 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8310 */
8311 sktmp = SSL_get0_peer_CA_list(serverssl);
8312 if (prot == TLS1_3_VERSION
8313 && (tst == 0 || tst == 1)) {
8314 if (!TEST_ptr(sktmp)
8315 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8316 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8317 name[0]), 0)
8318 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8319 name[1]), 0))
8320 goto end;
8321 } else if (!TEST_ptr_null(sktmp)) {
8322 goto end;
8323 }
8324
8325 /*
8326 * In all tests we expect certificate authorities to have been sent to the
8327 * client. However, SSL_set_client_CA_list() should override
8328 * SSL_set0_CA_list()
8329 */
8330 sktmp = SSL_get0_peer_CA_list(clientssl);
8331 if (!TEST_ptr(sktmp)
8332 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8333 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8334 name[tst == 0 ? 0 : 2]), 0)
8335 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8336 name[tst == 0 ? 1 : 3]), 0))
8337 goto end;
8338
8339 testresult = 1;
8340
8341 end:
8342 SSL_free(serverssl);
8343 SSL_free(clientssl);
8344 SSL_CTX_free(sctx);
8345 SSL_CTX_free(cctx);
8346 for (i = 0; i < OSSL_NELEM(name); i++)
8347 X509_NAME_free(name[i]);
8348 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8349 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8350
8351 return testresult;
8352}
8353#endif
8354
8355static int test_ca_names(int tst)
8356{
8357 int testresult = 1;
8358
8359#ifndef OPENSSL_NO_TLS1_2
8360 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8361#endif
8362#ifndef OSSL_NO_USABLE_TLS1_3
8363 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8364#endif
8365
8366 return testresult;
8367}
8368
8369#ifndef OPENSSL_NO_TLS1_2
8370static const char *multiblock_cipherlist_data[]=
8371{
8372 "AES128-SHA",
8373 "AES128-SHA256",
8374 "AES256-SHA",
8375 "AES256-SHA256",
8376};
8377
8378/* Reduce the fragment size - so the multiblock test buffer can be small */
8379# define MULTIBLOCK_FRAGSIZE 512
8380
8381static int test_multiblock_write(int test_index)
8382{
8383 static const char *fetchable_ciphers[]=
8384 {
8385 "AES-128-CBC-HMAC-SHA1",
8386 "AES-128-CBC-HMAC-SHA256",
8387 "AES-256-CBC-HMAC-SHA1",
8388 "AES-256-CBC-HMAC-SHA256"
8389 };
8390 const char *cipherlist = multiblock_cipherlist_data[test_index];
8391 const SSL_METHOD *smeth = TLS_server_method();
8392 const SSL_METHOD *cmeth = TLS_client_method();
8393 int min_version = TLS1_VERSION;
8394 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8395 SSL_CTX *cctx = NULL, *sctx = NULL;
8396 SSL *clientssl = NULL, *serverssl = NULL;
8397 int testresult = 0;
8398
8399 /*
8400 * Choose a buffer large enough to perform a multi-block operation
8401 * i.e: write_len >= 4 * frag_size
8402 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8403 */
8404 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8405 unsigned char buf[sizeof(msg)], *p = buf;
8406 size_t readbytes, written, len;
8407 EVP_CIPHER *ciph = NULL;
8408
8409 /*
8410 * Check if the cipher exists before attempting to use it since it only has
8411 * a hardware specific implementation.
8412 */
8413 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8414 if (ciph == NULL) {
8415 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8416 return 1;
8417 }
8418 EVP_CIPHER_free(ciph);
8419
8420 /* Set up a buffer with some data that will be sent to the client */
8421 RAND_bytes(msg, sizeof(msg));
8422
8423 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8424 max_version, &sctx, &cctx, cert,
8425 privkey)))
8426 goto end;
8427
8428 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8429 goto end;
8430
8431 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8432 NULL, NULL)))
8433 goto end;
8434
8435 /* settings to force it to use AES-CBC-HMAC_SHA */
8436 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8437 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8438 goto end;
8439
8440 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8441 goto end;
8442
8443 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8444 || !TEST_size_t_eq(written, sizeof(msg)))
8445 goto end;
8446
8447 len = written;
8448 while (len > 0) {
8449 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8450 goto end;
8451 p += readbytes;
8452 len -= readbytes;
8453 }
8454 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8455 goto end;
8456
8457 testresult = 1;
8458end:
8459 SSL_free(serverssl);
8460 SSL_free(clientssl);
8461 SSL_CTX_free(sctx);
8462 SSL_CTX_free(cctx);
8463
8464 return testresult;
8465}
8466#endif /* OPENSSL_NO_TLS1_2 */
8467
8468static int test_session_timeout(int test)
8469{
8470 /*
8471 * Test session ordering and timeout
8472 * Can't explicitly test performance of the new code,
8473 * but can test to see if the ordering of the sessions
8474 * are correct, and they they are removed as expected
8475 */
8476 SSL_SESSION *early = NULL;
8477 SSL_SESSION *middle = NULL;
8478 SSL_SESSION *late = NULL;
8479 SSL_CTX *ctx;
8480 int testresult = 0;
8481 long now = (long)time(NULL);
8482#define TIMEOUT 10
8483
8484 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8485 || !TEST_ptr(early = SSL_SESSION_new())
8486 || !TEST_ptr(middle = SSL_SESSION_new())
8487 || !TEST_ptr(late = SSL_SESSION_new()))
8488 goto end;
8489
8490 /* assign unique session ids */
8491 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8492 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8493 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8494 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8495 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8496 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8497
8498 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8499 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8500 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8501 goto end;
8502
8503 /* Make sure they are all added */
8504 if (!TEST_ptr(early->prev)
8505 || !TEST_ptr(middle->prev)
8506 || !TEST_ptr(late->prev))
8507 goto end;
8508
8509 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8510 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8511 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8512 goto end;
8513
8514 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8515 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8516 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8517 goto end;
8518
8519 /* Make sure they are all still there */
8520 if (!TEST_ptr(early->prev)
8521 || !TEST_ptr(middle->prev)
8522 || !TEST_ptr(late->prev))
8523 goto end;
8524
8525 /* Make sure they are in the expected order */
8526 if (!TEST_ptr_eq(late->next, middle)
8527 || !TEST_ptr_eq(middle->next, early)
8528 || !TEST_ptr_eq(early->prev, middle)
8529 || !TEST_ptr_eq(middle->prev, late))
8530 goto end;
8531
8532 /* This should remove "early" */
8533 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8534 if (!TEST_ptr_null(early->prev)
8535 || !TEST_ptr(middle->prev)
8536 || !TEST_ptr(late->prev))
8537 goto end;
8538
8539 /* This should remove "middle" */
8540 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8541 if (!TEST_ptr_null(early->prev)
8542 || !TEST_ptr_null(middle->prev)
8543 || !TEST_ptr(late->prev))
8544 goto end;
8545
8546 /* This should remove "late" */
8547 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8548 if (!TEST_ptr_null(early->prev)
8549 || !TEST_ptr_null(middle->prev)
8550 || !TEST_ptr_null(late->prev))
8551 goto end;
8552
8553 /* Add them back in again */
8554 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8555 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8556 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8557 goto end;
8558
8559 /* Make sure they are all added */
8560 if (!TEST_ptr(early->prev)
8561 || !TEST_ptr(middle->prev)
8562 || !TEST_ptr(late->prev))
8563 goto end;
8564
8565 /* This should remove all of them */
8566 SSL_CTX_flush_sessions(ctx, 0);
8567 if (!TEST_ptr_null(early->prev)
8568 || !TEST_ptr_null(middle->prev)
8569 || !TEST_ptr_null(late->prev))
8570 goto end;
8571
8572 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8573 | SSL_CTX_get_session_cache_mode(ctx));
8574
8575 /* make sure |now| is NOT equal to the current time */
8576 now -= 10;
8577 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8578 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8579 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8580 goto end;
8581
8582 testresult = 1;
8583 end:
8584 SSL_CTX_free(ctx);
8585 SSL_SESSION_free(early);
8586 SSL_SESSION_free(middle);
8587 SSL_SESSION_free(late);
8588 return testresult;
8589}
8590
8591/*
8592 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8593 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8594 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8595 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8596 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8597 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8598 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8599 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8600 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8601 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8602 */
8603static int test_servername(int tst)
8604{
8605 SSL_CTX *cctx = NULL, *sctx = NULL;
8606 SSL *clientssl = NULL, *serverssl = NULL;
8607 int testresult = 0;
8608 SSL_SESSION *sess = NULL;
8609 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8610
8611#ifdef OPENSSL_NO_TLS1_2
8612 if (tst <= 4)
8613 return 1;
8614#endif
8615#ifdef OSSL_NO_USABLE_TLS1_3
8616 if (tst >= 5)
8617 return 1;
8618#endif
8619
8620 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8621 TLS_client_method(),
8622 TLS1_VERSION,
8623 (tst <= 4) ? TLS1_2_VERSION
8624 : TLS1_3_VERSION,
8625 &sctx, &cctx, cert, privkey))
8626 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8627 NULL, NULL)))
8628 goto end;
8629
8630 if (tst != 1 && tst != 6) {
8631 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8632 hostname_cb)))
8633 goto end;
8634 }
8635
8636 if (tst != 3 && tst != 8) {
8637 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8638 goto end;
8639 sexpectedhost = cexpectedhost = "goodhost";
8640 }
8641
8642 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8643 goto end;
8644
8645 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8646 cexpectedhost)
8647 || !TEST_str_eq(SSL_get_servername(serverssl,
8648 TLSEXT_NAMETYPE_host_name),
8649 sexpectedhost))
8650 goto end;
8651
8652 /* Now repeat with a resumption handshake */
8653
8654 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8655 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8656 || !TEST_true(SSL_SESSION_is_resumable(sess))
8657 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8658 goto end;
8659
8660 SSL_free(clientssl);
8661 SSL_free(serverssl);
8662 clientssl = serverssl = NULL;
8663
8664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8665 NULL)))
8666 goto end;
8667
8668 if (!TEST_true(SSL_set_session(clientssl, sess)))
8669 goto end;
8670
8671 sexpectedhost = cexpectedhost = "goodhost";
8672 if (tst == 2 || tst == 7) {
8673 /* Set an inconsistent hostname */
8674 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8675 goto end;
8676 /*
8677 * In TLSv1.2 we expect the hostname from the original handshake, in
8678 * TLSv1.3 we expect the hostname from this handshake
8679 */
8680 if (tst == 7)
8681 sexpectedhost = cexpectedhost = "altgoodhost";
8682
8683 if (!TEST_str_eq(SSL_get_servername(clientssl,
8684 TLSEXT_NAMETYPE_host_name),
8685 "altgoodhost"))
8686 goto end;
8687 } else if (tst == 4 || tst == 9) {
8688 /*
8689 * A TLSv1.3 session does not associate a session with a servername,
8690 * but a TLSv1.2 session does.
8691 */
8692 if (tst == 9)
8693 sexpectedhost = cexpectedhost = NULL;
8694
8695 if (!TEST_str_eq(SSL_get_servername(clientssl,
8696 TLSEXT_NAMETYPE_host_name),
8697 cexpectedhost))
8698 goto end;
8699 } else {
8700 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8701 goto end;
8702 /*
8703 * In a TLSv1.2 resumption where the hostname was not acknowledged
8704 * we expect the hostname on the server to be empty. On the client we
8705 * return what was requested in this case.
8706 *
8707 * Similarly if the client didn't set a hostname on an original TLSv1.2
8708 * session but is now, the server hostname will be empty, but the client
8709 * is as we set it.
8710 */
8711 if (tst == 1 || tst == 3)
8712 sexpectedhost = NULL;
8713
8714 if (!TEST_str_eq(SSL_get_servername(clientssl,
8715 TLSEXT_NAMETYPE_host_name),
8716 "goodhost"))
8717 goto end;
8718 }
8719
8720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8721 goto end;
8722
8723 if (!TEST_true(SSL_session_reused(clientssl))
8724 || !TEST_true(SSL_session_reused(serverssl))
8725 || !TEST_str_eq(SSL_get_servername(clientssl,
8726 TLSEXT_NAMETYPE_host_name),
8727 cexpectedhost)
8728 || !TEST_str_eq(SSL_get_servername(serverssl,
8729 TLSEXT_NAMETYPE_host_name),
8730 sexpectedhost))
8731 goto end;
8732
8733 testresult = 1;
8734
8735 end:
8736 SSL_SESSION_free(sess);
8737 SSL_free(serverssl);
8738 SSL_free(clientssl);
8739 SSL_CTX_free(sctx);
8740 SSL_CTX_free(cctx);
8741
8742 return testresult;
8743}
8744
8745#if !defined(OPENSSL_NO_EC) \
8746 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8747/*
8748 * Test that if signature algorithms are not available, then we do not offer or
8749 * accept them.
8750 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8751 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8752 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8753 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8754 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8755 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8756 */
8757static int test_sigalgs_available(int idx)
8758{
8759 SSL_CTX *cctx = NULL, *sctx = NULL;
8760 SSL *clientssl = NULL, *serverssl = NULL;
8761 int testresult = 0;
8762 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8763 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
8764 OSSL_PROVIDER *filterprov = NULL;
8765 int sig, hash;
8766
8767 if (!TEST_ptr(tmpctx))
8768 goto end;
8769
8770 if (idx != 0 && idx != 3) {
8771 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8772 filter_provider_init)))
8773 goto end;
8774
8775 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8776 if (!TEST_ptr(filterprov))
8777 goto end;
8778
8779 if (idx < 3) {
8780 /*
8781 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8782 * or accepted for the peer that uses this libctx. Note that libssl
8783 * *requires* SHA2-256 to be available so we cannot disable that. We
8784 * also need SHA1 for our certificate.
8785 */
8786 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8787 "SHA2-256:SHA1")))
8788 goto end;
8789 } else {
8790 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8791 "ECDSA"))
8792 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8793 "EC:X25519:X448")))
8794 goto end;
8795 }
8796
8797 if (idx == 1 || idx == 4)
8798 clientctx = tmpctx;
8799 else
8800 serverctx = tmpctx;
8801 }
8802
8803 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8804 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
8805 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8806 goto end;
8807
8808 if (idx != 5) {
8809 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8810 TLS_client_method(),
8811 TLS1_VERSION,
8812 0,
8813 &sctx, &cctx, cert, privkey)))
8814 goto end;
8815 } else {
8816 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8817 TLS_client_method(),
8818 TLS1_VERSION,
8819 0,
8820 &sctx, &cctx, cert2, privkey2)))
8821 goto end;
8822 }
8823
8824 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8825 if (idx < 4) {
8826 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8827 "ECDHE-RSA-AES128-GCM-SHA256")))
8828 goto end;
8829 } else {
8830 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8831 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8832 goto end;
8833 }
8834
8835 if (idx < 3) {
8836 if (!SSL_CTX_set1_sigalgs_list(cctx,
8837 "rsa_pss_rsae_sha384"
8838 ":rsa_pss_rsae_sha256")
8839 || !SSL_CTX_set1_sigalgs_list(sctx,
8840 "rsa_pss_rsae_sha384"
8841 ":rsa_pss_rsae_sha256"))
8842 goto end;
8843 } else {
8844 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8845 || !SSL_CTX_set1_sigalgs_list(sctx,
8846 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8847 goto end;
8848 }
8849
8850 if (idx != 5
8851 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8852 SSL_FILETYPE_PEM), 1)
8853 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8854 privkey2,
8855 SSL_FILETYPE_PEM), 1)
8856 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
8857 goto end;
8858
8859 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8860 NULL, NULL)))
8861 goto end;
8862
8863 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8864 goto end;
8865
8866 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8867 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8868 NULL, NULL),
8869 (idx == 0 || idx == 3) ? 2 : 1))
8870 goto end;
8871
8872 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8873 goto end;
8874
8875 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8876 : NID_rsassaPss))
8877 goto end;
8878
8879 testresult = filter_provider_check_clean_finish();
8880
8881 end:
8882 SSL_free(serverssl);
8883 SSL_free(clientssl);
8884 SSL_CTX_free(sctx);
8885 SSL_CTX_free(cctx);
8886 OSSL_PROVIDER_unload(filterprov);
8887 OSSL_LIB_CTX_free(tmpctx);
8888
8889 return testresult;
8890}
8891#endif /*
8892 * !defined(OPENSSL_NO_EC) \
8893 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8894 */
8895
8896#ifndef OPENSSL_NO_TLS1_3
8897/* This test can run in TLSv1.3 even if ec and dh are disabled */
8898static int test_pluggable_group(int idx)
8899{
8900 SSL_CTX *cctx = NULL, *sctx = NULL;
8901 SSL *clientssl = NULL, *serverssl = NULL;
8902 int testresult = 0;
8903 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8904 /* Check that we are not impacted by a provider without any groups */
8905 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
8906 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
8907
8908 if (!TEST_ptr(tlsprov))
8909 goto end;
8910
8911 if (legacyprov == NULL) {
8912 /*
8913 * In this case we assume we've been built with "no-legacy" and skip
8914 * this test (there is no OPENSSL_NO_LEGACY)
8915 */
8916 testresult = 1;
8917 goto end;
8918 }
8919
8920 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8921 TLS_client_method(),
8922 TLS1_3_VERSION,
8923 TLS1_3_VERSION,
8924 &sctx, &cctx, cert, privkey))
8925 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8926 NULL, NULL)))
8927 goto end;
8928
8929 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8930 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
8931 goto end;
8932
8933 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8934 goto end;
8935
8936 if (!TEST_str_eq(group_name,
8937 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8938 goto end;
8939
8940 testresult = 1;
8941
8942 end:
8943 SSL_free(serverssl);
8944 SSL_free(clientssl);
8945 SSL_CTX_free(sctx);
8946 SSL_CTX_free(cctx);
8947 OSSL_PROVIDER_unload(tlsprov);
8948 OSSL_PROVIDER_unload(legacyprov);
8949
8950 return testresult;
8951}
8952#endif
8953
8954#ifndef OPENSSL_NO_TLS1_2
8955static int test_ssl_dup(void)
8956{
8957 SSL_CTX *cctx = NULL, *sctx = NULL;
8958 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8959 int testresult = 0;
8960 BIO *rbio = NULL, *wbio = NULL;
8961
8962 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8963 TLS_client_method(),
8964 0,
8965 0,
8966 &sctx, &cctx, cert, privkey)))
8967 goto end;
8968
8969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8970 NULL, NULL)))
8971 goto end;
8972
8973 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8974 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8975 goto end;
8976
8977 client2ssl = SSL_dup(clientssl);
8978 rbio = SSL_get_rbio(clientssl);
8979 if (!TEST_ptr(rbio)
8980 || !TEST_true(BIO_up_ref(rbio)))
8981 goto end;
8982 SSL_set0_rbio(client2ssl, rbio);
8983 rbio = NULL;
8984
8985 wbio = SSL_get_wbio(clientssl);
8986 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8987 goto end;
8988 SSL_set0_wbio(client2ssl, wbio);
8989 rbio = NULL;
8990
8991 if (!TEST_ptr(client2ssl)
8992 /* Handshake not started so pointers should be different */
8993 || !TEST_ptr_ne(clientssl, client2ssl))
8994 goto end;
8995
8996 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8997 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8998 goto end;
8999
9000 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9001 goto end;
9002
9003 SSL_free(clientssl);
9004 clientssl = SSL_dup(client2ssl);
9005 if (!TEST_ptr(clientssl)
9006 /* Handshake has finished so pointers should be the same */
9007 || !TEST_ptr_eq(clientssl, client2ssl))
9008 goto end;
9009
9010 testresult = 1;
9011
9012 end:
9013 SSL_free(serverssl);
9014 SSL_free(clientssl);
9015 SSL_free(client2ssl);
9016 SSL_CTX_free(sctx);
9017 SSL_CTX_free(cctx);
9018
9019 return testresult;
9020}
9021
9022# ifndef OPENSSL_NO_DH
9023
9024static EVP_PKEY *tmp_dh_params = NULL;
9025
9026/* Helper function for the test_set_tmp_dh() tests */
9027static EVP_PKEY *get_tmp_dh_params(void)
9028{
9029 if (tmp_dh_params == NULL) {
9030 BIGNUM *p = NULL;
9031 OSSL_PARAM_BLD *tmpl = NULL;
9032 EVP_PKEY_CTX *pctx = NULL;
9033 OSSL_PARAM *params = NULL;
9034 EVP_PKEY *dhpkey = NULL;
9035
9036 p = BN_get_rfc3526_prime_2048(NULL);
9037 if (!TEST_ptr(p))
9038 goto end;
9039
9040 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9041 if (!TEST_ptr(pctx)
9042 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9043 goto end;
9044
9045 tmpl = OSSL_PARAM_BLD_new();
9046 if (!TEST_ptr(tmpl)
9047 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9048 OSSL_PKEY_PARAM_FFC_P,
9049 p))
9050 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9051 OSSL_PKEY_PARAM_FFC_G,
9052 2)))
9053 goto end;
9054
9055 params = OSSL_PARAM_BLD_to_param(tmpl);
9056 if (!TEST_ptr(params)
9057 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9058 EVP_PKEY_KEY_PARAMETERS,
9059 params), 1))
9060 goto end;
9061
9062 tmp_dh_params = dhpkey;
9063 end:
9064 BN_free(p);
9065 EVP_PKEY_CTX_free(pctx);
9066 OSSL_PARAM_BLD_free(tmpl);
9067 OSSL_PARAM_free(params);
9068 }
9069
9070 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9071 return NULL;
9072
9073 return tmp_dh_params;
9074}
9075
9076# ifndef OPENSSL_NO_DEPRECATED_3_0
9077/* Callback used by test_set_tmp_dh() */
9078static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9079{
9080 EVP_PKEY *dhpkey = get_tmp_dh_params();
9081 DH *ret = NULL;
9082
9083 if (!TEST_ptr(dhpkey))
9084 return NULL;
9085
9086 /*
9087 * libssl does not free the returned DH, so we free it now knowing that even
9088 * after we free dhpkey, there will still be a reference to the owning
9089 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9090 * of time we need it for.
9091 */
9092 ret = EVP_PKEY_get1_DH(dhpkey);
9093 DH_free(ret);
9094
9095 EVP_PKEY_free(dhpkey);
9096
9097 return ret;
9098}
9099# endif
9100
9101/*
9102 * Test the various methods for setting temporary DH parameters
9103 *
9104 * Test 0: Default (no auto) setting
9105 * Test 1: Explicit SSL_CTX auto off
9106 * Test 2: Explicit SSL auto off
9107 * Test 3: Explicit SSL_CTX auto on
9108 * Test 4: Explicit SSL auto on
9109 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9110 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9111 *
9112 * The following are testing deprecated APIs, so we only run them if available
9113 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9114 * Test 8: Explicit SSL auto off, custom DH params via DH
9115 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9116 * Test 10: Explicit SSL auto off, custom DH params via callback
9117 */
9118static int test_set_tmp_dh(int idx)
9119{
9120 SSL_CTX *cctx = NULL, *sctx = NULL;
9121 SSL *clientssl = NULL, *serverssl = NULL;
9122 int testresult = 0;
9123 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9124 int expected = (idx <= 2) ? 0 : 1;
9125 EVP_PKEY *dhpkey = NULL;
9126# ifndef OPENSSL_NO_DEPRECATED_3_0
9127 DH *dh = NULL;
9128# else
9129
9130 if (idx >= 7)
9131 return 1;
9132# endif
9133
9134 if (idx >= 5 && idx <= 8) {
9135 dhpkey = get_tmp_dh_params();
9136 if (!TEST_ptr(dhpkey))
9137 goto end;
9138 }
9139# ifndef OPENSSL_NO_DEPRECATED_3_0
9140 if (idx == 7 || idx == 8) {
9141 dh = EVP_PKEY_get1_DH(dhpkey);
9142 if (!TEST_ptr(dh))
9143 goto end;
9144 }
9145# endif
9146
9147 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9148 TLS_client_method(),
9149 0,
9150 0,
9151 &sctx, &cctx, cert, privkey)))
9152 goto end;
9153
9154 if ((idx & 1) == 1) {
9155 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9156 goto end;
9157 }
9158
9159 if (idx == 5) {
9160 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9161 goto end;
9162 dhpkey = NULL;
9163 }
9164# ifndef OPENSSL_NO_DEPRECATED_3_0
9165 else if (idx == 7) {
9166 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9167 goto end;
9168 } else if (idx == 9) {
9169 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9170 }
9171# endif
9172
9173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9174 NULL, NULL)))
9175 goto end;
9176
9177 if ((idx & 1) == 0 && idx != 0) {
9178 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9179 goto end;
9180 }
9181 if (idx == 6) {
9182 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9183 goto end;
9184 dhpkey = NULL;
9185 }
9186# ifndef OPENSSL_NO_DEPRECATED_3_0
9187 else if (idx == 8) {
9188 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9189 goto end;
9190 } else if (idx == 10) {
9191 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9192 }
9193# endif
9194
9195 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9196 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9197 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9198 goto end;
9199
9200 /*
9201 * If autoon then we should succeed. Otherwise we expect failure because
9202 * there are no parameters
9203 */
9204 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9205 SSL_ERROR_NONE), expected))
9206 goto end;
9207
9208 testresult = 1;
9209
9210 end:
9211# ifndef OPENSSL_NO_DEPRECATED_3_0
9212 DH_free(dh);
9213# endif
9214 SSL_free(serverssl);
9215 SSL_free(clientssl);
9216 SSL_CTX_free(sctx);
9217 SSL_CTX_free(cctx);
9218 EVP_PKEY_free(dhpkey);
9219
9220 return testresult;
9221}
9222
9223/*
9224 * Test the auto DH keys are appropriately sized
9225 */
9226static int test_dh_auto(int idx)
9227{
9228 SSL_CTX *cctx = NULL, *sctx = NULL;
9229 SSL *clientssl = NULL, *serverssl = NULL;
9230 int testresult = 0;
9231 EVP_PKEY *tmpkey = NULL;
9232 char *thiscert = NULL, *thiskey = NULL;
9233 size_t expdhsize = 0;
9234 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9235
9236 switch (idx) {
9237 case 0:
9238 /* The FIPS provider doesn't support this DH size - so we ignore it */
9239 if (is_fips)
9240 return 1;
9241 thiscert = cert1024;
9242 thiskey = privkey1024;
9243 expdhsize = 1024;
9244 break;
9245 case 1:
9246 /* 2048 bit prime */
9247 thiscert = cert;
9248 thiskey = privkey;
9249 expdhsize = 2048;
9250 break;
9251 case 2:
9252 thiscert = cert3072;
9253 thiskey = privkey3072;
9254 expdhsize = 3072;
9255 break;
9256 case 3:
9257 thiscert = cert4096;
9258 thiskey = privkey4096;
9259 expdhsize = 4096;
9260 break;
9261 case 4:
9262 thiscert = cert8192;
9263 thiskey = privkey8192;
9264 expdhsize = 8192;
9265 break;
9266 /* No certificate cases */
9267 case 5:
9268 /* The FIPS provider doesn't support this DH size - so we ignore it */
9269 if (is_fips)
9270 return 1;
9271 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9272 expdhsize = 1024;
9273 break;
9274 case 6:
9275 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9276 expdhsize = 3072;
9277 break;
9278 default:
9279 TEST_error("Invalid text index");
9280 goto end;
9281 }
9282
9283 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9284 TLS_client_method(),
9285 0,
9286 0,
9287 &sctx, &cctx, thiscert, thiskey)))
9288 goto end;
9289
9290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9291 NULL, NULL)))
9292 goto end;
9293
9294 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9295 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9296 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9297 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9298 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9299 goto end;
9300
9301 /*
9302 * Send the server's first flight. At this point the server has created the
9303 * temporary DH key but hasn't finished using it yet. Once used it is
9304 * removed, so we cannot test it.
9305 */
9306 if (!TEST_int_le(SSL_connect(clientssl), 0)
9307 || !TEST_int_le(SSL_accept(serverssl), 0))
9308 goto end;
9309
9310 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9311 goto end;
9312 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9313 goto end;
9314
9315 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9316 goto end;
9317
9318 testresult = 1;
9319
9320 end:
9321 SSL_free(serverssl);
9322 SSL_free(clientssl);
9323 SSL_CTX_free(sctx);
9324 SSL_CTX_free(cctx);
9325 EVP_PKEY_free(tmpkey);
9326
9327 return testresult;
9328
9329}
9330# endif /* OPENSSL_NO_DH */
9331#endif /* OPENSSL_NO_TLS1_2 */
9332
9333#ifndef OSSL_NO_USABLE_TLS1_3
9334/*
9335 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9336 * that it works even without a certificate configured for the original
9337 * SSL_CTX
9338 */
9339static int test_sni_tls13(void)
9340{
9341 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9342 SSL *clientssl = NULL, *serverssl = NULL;
9343 int testresult = 0;
9344
9345 /* Reset callback counter */
9346 snicb = 0;
9347
9348 /* Create an initial SSL_CTX with no certificate configured */
9349 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9350 if (!TEST_ptr(sctx))
9351 goto end;
9352 /* Require TLSv1.3 as a minimum */
9353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9354 TLS_client_method(), TLS1_3_VERSION, 0,
9355 &sctx2, &cctx, cert, privkey)))
9356 goto end;
9357
9358 /* Set up SNI */
9359 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9360 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9361 goto end;
9362
9363 /*
9364 * Connection should still succeed because the final SSL_CTX has the right
9365 * certificates configured.
9366 */
9367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9368 &clientssl, NULL, NULL))
9369 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9370 SSL_ERROR_NONE)))
9371 goto end;
9372
9373 /* We should have had the SNI callback called exactly once */
9374 if (!TEST_int_eq(snicb, 1))
9375 goto end;
9376
9377 testresult = 1;
9378
9379end:
9380 SSL_free(serverssl);
9381 SSL_free(clientssl);
9382 SSL_CTX_free(sctx2);
9383 SSL_CTX_free(sctx);
9384 SSL_CTX_free(cctx);
9385 return testresult;
9386}
9387#endif
9388/*
9389 * Test that setting an ALPN does not violate RFC
9390 */
9391static int test_set_alpn(void)
9392{
9393 SSL_CTX *ctx = NULL;
9394 SSL *ssl = NULL;
9395 int testresult = 0;
9396
9397 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9398 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9399 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9400 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9401 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9402 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9403
9404 /* Create an initial SSL_CTX with no certificate configured */
9405 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9406 if (!TEST_ptr(ctx))
9407 goto end;
9408
9409 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9410 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9411 goto end;
9412 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9413 goto end;
9414 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9415 goto end;
9416 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9417 goto end;
9418 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9419 goto end;
9420 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9421 goto end;
9422 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9423 goto end;
9424 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9425 goto end;
9426 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9427 goto end;
9428
9429 ssl = SSL_new(ctx);
9430 if (!TEST_ptr(ssl))
9431 goto end;
9432
9433 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9434 goto end;
9435 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9436 goto end;
9437 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9438 goto end;
9439 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9440 goto end;
9441 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9442 goto end;
9443 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9444 goto end;
9445 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9446 goto end;
9447 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9448 goto end;
9449 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9450 goto end;
9451
9452 testresult = 1;
9453
9454end:
9455 SSL_free(ssl);
9456 SSL_CTX_free(ctx);
9457 return testresult;
9458}
9459
9460static int test_inherit_verify_param(void)
9461{
9462 int testresult = 0;
9463
9464 SSL_CTX *ctx = NULL;
9465 X509_VERIFY_PARAM *cp = NULL;
9466 SSL *ssl = NULL;
9467 X509_VERIFY_PARAM *sp = NULL;
9468 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9469
9470 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9471 if (!TEST_ptr(ctx))
9472 goto end;
9473
9474 cp = SSL_CTX_get0_param(ctx);
9475 if (!TEST_ptr(cp))
9476 goto end;
9477 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9478 goto end;
9479
9480 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9481
9482 ssl = SSL_new(ctx);
9483 if (!TEST_ptr(ssl))
9484 goto end;
9485
9486 sp = SSL_get0_param(ssl);
9487 if (!TEST_ptr(sp))
9488 goto end;
9489 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9490 goto end;
9491
9492 testresult = 1;
9493
9494 end:
9495 SSL_free(ssl);
9496 SSL_CTX_free(ctx);
9497
9498 return testresult;
9499}
9500
9501OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
9502
9503int setup_tests(void)
9504{
9505 char *modulename;
9506 char *configfile;
9507
9508 libctx = OSSL_LIB_CTX_new();
9509 if (!TEST_ptr(libctx))
9510 return 0;
9511
9512 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9513
9514 /*
9515 * Verify that the default and fips providers in the default libctx are not
9516 * available
9517 */
9518 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9519 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9520 return 0;
9521
9522 if (!test_skip_common_options()) {
9523 TEST_error("Error parsing test options\n");
9524 return 0;
9525 }
9526
9527 if (!TEST_ptr(certsdir = test_get_argument(0))
9528 || !TEST_ptr(srpvfile = test_get_argument(1))
9529 || !TEST_ptr(tmpfilename = test_get_argument(2))
9530 || !TEST_ptr(modulename = test_get_argument(3))
9531 || !TEST_ptr(configfile = test_get_argument(4)))
9532 return 0;
9533
9534 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
9535 return 0;
9536
9537 /* Check we have the expected provider available */
9538 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9539 return 0;
9540
9541 /* Check the default provider is not available */
9542 if (strcmp(modulename, "default") != 0
9543 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
9544 return 0;
9545
9546 if (strcmp(modulename, "fips") == 0)
9547 is_fips = 1;
9548
9549 /*
9550 * We add, but don't load the test "tls-provider". We'll load it when we
9551 * need it.
9552 */
9553 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9554 tls_provider_init)))
9555 return 0;
9556
9557
9558 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9559#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9560 TEST_error("not supported in this build");
9561 return 0;
9562#else
9563 int i, mcount, rcount, fcount;
9564
9565 for (i = 0; i < 4; i++)
9566 test_export_key_mat(i);
9567 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9568 test_printf_stdout("malloc %d realloc %d free %d\n",
9569 mcount, rcount, fcount);
9570 return 1;
9571#endif
9572 }
9573
9574 cert = test_mk_file_path(certsdir, "servercert.pem");
9575 if (cert == NULL)
9576 goto err;
9577
9578 privkey = test_mk_file_path(certsdir, "serverkey.pem");
9579 if (privkey == NULL)
9580 goto err;
9581
9582 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9583 if (cert2 == NULL)
9584 goto err;
9585
9586 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9587 if (privkey2 == NULL)
9588 goto err;
9589
9590 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9591 if (cert1024 == NULL)
9592 goto err;
9593
9594 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9595 if (privkey1024 == NULL)
9596 goto err;
9597
9598 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9599 if (cert3072 == NULL)
9600 goto err;
9601
9602 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9603 if (privkey3072 == NULL)
9604 goto err;
9605
9606 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9607 if (cert4096 == NULL)
9608 goto err;
9609
9610 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9611 if (privkey4096 == NULL)
9612 goto err;
9613
9614 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9615 if (cert8192 == NULL)
9616 goto err;
9617
9618 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9619 if (privkey8192 == NULL)
9620 goto err;
9621
9622#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
9623# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9624 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9625 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
9626# endif
9627#endif
9628 ADD_TEST(test_large_message_tls);
9629 ADD_TEST(test_large_message_tls_read_ahead);
9630#ifndef OPENSSL_NO_DTLS
9631 ADD_TEST(test_large_message_dtls);
9632#endif
9633 ADD_TEST(test_cleanse_plaintext);
9634#ifndef OPENSSL_NO_OCSP
9635 ADD_TEST(test_tlsext_status_type);
9636#endif
9637 ADD_TEST(test_session_with_only_int_cache);
9638 ADD_TEST(test_session_with_only_ext_cache);
9639 ADD_TEST(test_session_with_both_cache);
9640 ADD_TEST(test_session_wo_ca_names);
9641#ifndef OSSL_NO_USABLE_TLS1_3
9642 ADD_ALL_TESTS(test_stateful_tickets, 3);
9643 ADD_ALL_TESTS(test_stateless_tickets, 3);
9644 ADD_TEST(test_psk_tickets);
9645 ADD_ALL_TESTS(test_extra_tickets, 6);
9646#endif
9647 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9648 ADD_TEST(test_ssl_bio_pop_next_bio);
9649 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9650 ADD_TEST(test_ssl_bio_change_rbio);
9651 ADD_TEST(test_ssl_bio_change_wbio);
9652#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
9653 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
9654 ADD_TEST(test_keylog);
9655#endif
9656#ifndef OSSL_NO_USABLE_TLS1_3
9657 ADD_TEST(test_keylog_no_master_key);
9658#endif
9659 ADD_TEST(test_client_cert_verify_cb);
9660 ADD_TEST(test_ssl_build_cert_chain);
9661 ADD_TEST(test_ssl_ctx_build_cert_chain);
9662#ifndef OPENSSL_NO_TLS1_2
9663 ADD_TEST(test_client_hello_cb);
9664 ADD_TEST(test_no_ems);
9665 ADD_TEST(test_ccs_change_cipher);
9666#endif
9667#ifndef OSSL_NO_USABLE_TLS1_3
9668 ADD_ALL_TESTS(test_early_data_read_write, 3);
9669 /*
9670 * We don't do replay tests for external PSK. Replay protection isn't used
9671 * in that scenario.
9672 */
9673 ADD_ALL_TESTS(test_early_data_replay, 2);
9674 ADD_ALL_TESTS(test_early_data_skip, 3);
9675 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
9676 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
9677 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
9678 ADD_ALL_TESTS(test_early_data_not_sent, 3);
9679 ADD_ALL_TESTS(test_early_data_psk, 8);
9680 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
9681 ADD_ALL_TESTS(test_early_data_not_expected, 3);
9682# ifndef OPENSSL_NO_TLS1_2
9683 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
9684# endif
9685#endif
9686#ifndef OSSL_NO_USABLE_TLS1_3
9687 ADD_ALL_TESTS(test_set_ciphersuite, 10);
9688 ADD_TEST(test_ciphersuite_change);
9689 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9690# ifdef OPENSSL_NO_PSK
9691 ADD_ALL_TESTS(test_tls13_psk, 1);
9692# else
9693 ADD_ALL_TESTS(test_tls13_psk, 4);
9694# endif /* OPENSSL_NO_PSK */
9695# ifndef OPENSSL_NO_TLS1_2
9696 /* Test with both TLSv1.3 and 1.2 versions */
9697 ADD_ALL_TESTS(test_key_exchange, 14);
9698# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9699 ADD_ALL_TESTS(test_negotiated_group,
9700 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9701 + OSSL_NELEM(ffdhe_kexch_groups)));
9702# endif
9703# else
9704 /* Test with only TLSv1.3 versions */
9705 ADD_ALL_TESTS(test_key_exchange, 12);
9706# endif
9707 ADD_ALL_TESTS(test_custom_exts, 6);
9708 ADD_TEST(test_stateless);
9709 ADD_TEST(test_pha_key_update);
9710#else
9711 ADD_ALL_TESTS(test_custom_exts, 3);
9712#endif
9713 ADD_ALL_TESTS(test_serverinfo, 8);
9714 ADD_ALL_TESTS(test_export_key_mat, 6);
9715#ifndef OSSL_NO_USABLE_TLS1_3
9716 ADD_ALL_TESTS(test_export_key_mat_early, 3);
9717 ADD_TEST(test_key_update);
9718 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9719 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9720 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9721 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
9722#endif
9723 ADD_ALL_TESTS(test_ssl_clear, 2);
9724 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
9725#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9726 ADD_ALL_TESTS(test_srp, 6);
9727#endif
9728 ADD_ALL_TESTS(test_info_callback, 6);
9729 ADD_ALL_TESTS(test_ssl_pending, 2);
9730 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
9731 ADD_ALL_TESTS(test_ticket_callbacks, 16);
9732 ADD_ALL_TESTS(test_shutdown, 7);
9733 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
9734 ADD_ALL_TESTS(test_cert_cb, 6);
9735 ADD_ALL_TESTS(test_client_cert_cb, 2);
9736 ADD_ALL_TESTS(test_ca_names, 3);
9737#ifndef OPENSSL_NO_TLS1_2
9738 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9739#endif
9740 ADD_ALL_TESTS(test_servername, 10);
9741#if !defined(OPENSSL_NO_EC) \
9742 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9743 ADD_ALL_TESTS(test_sigalgs_available, 6);
9744#endif
9745#ifndef OPENSSL_NO_TLS1_3
9746 ADD_ALL_TESTS(test_pluggable_group, 2);
9747#endif
9748#ifndef OPENSSL_NO_TLS1_2
9749 ADD_TEST(test_ssl_dup);
9750# ifndef OPENSSL_NO_DH
9751 ADD_ALL_TESTS(test_set_tmp_dh, 11);
9752 ADD_ALL_TESTS(test_dh_auto, 7);
9753# endif
9754#endif
9755#ifndef OSSL_NO_USABLE_TLS1_3
9756 ADD_TEST(test_sni_tls13);
9757#endif
9758 ADD_TEST(test_inherit_verify_param);
9759 ADD_TEST(test_set_alpn);
9760 ADD_ALL_TESTS(test_session_timeout, 1);
9761 return 1;
9762
9763 err:
9764 OPENSSL_free(cert);
9765 OPENSSL_free(privkey);
9766 OPENSSL_free(cert2);
9767 OPENSSL_free(privkey2);
9768 return 0;
9769}
9770
9771void cleanup_tests(void)
9772{
9773# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
9774 EVP_PKEY_free(tmp_dh_params);
9775#endif
9776 OPENSSL_free(cert);
9777 OPENSSL_free(privkey);
9778 OPENSSL_free(cert2);
9779 OPENSSL_free(privkey2);
9780 OPENSSL_free(cert1024);
9781 OPENSSL_free(privkey1024);
9782 OPENSSL_free(cert3072);
9783 OPENSSL_free(privkey3072);
9784 OPENSSL_free(cert4096);
9785 OPENSSL_free(privkey4096);
9786 OPENSSL_free(cert8192);
9787 OPENSSL_free(privkey8192);
9788 bio_s_mempacket_test_free();
9789 bio_s_always_retry_free();
9790 OSSL_PROVIDER_unload(defctxnull);
9791 OSSL_LIB_CTX_free(libctx);
9792}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette