VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.0/test/sslapitest.c@ 99507

最後變更 在這個檔案從99507是 99366,由 vboxsync 提交於 2 年 前

openssl-3.1.0: Applied and adjusted our OpenSSL changes to 3.0.7. bugref:10418
檔案大小: 357.5 KB
 
1/*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36#include <openssl/engine.h>
37
38#include "helpers/ssltestlib.h"
39#include "testutil.h"
40#include "testutil/output.h"
41#include "internal/nelem.h"
42#include "internal/ktls.h"
43#include "../ssl/ssl_local.h"
44#include "filterprov.h"
45
46#undef OSSL_NO_USABLE_TLS1_3
47#if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49/*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53# define OSSL_NO_USABLE_TLS1_3
54#endif
55
56/* Defined in tls-provider.c */
57int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62static OSSL_LIB_CTX *libctx = NULL;
63static OSSL_PROVIDER *defctxnull = NULL;
64
65#ifndef OSSL_NO_USABLE_TLS1_3
66
67static SSL_SESSION *clientpsk = NULL;
68static SSL_SESSION *serverpsk = NULL;
69static const char *pskid = "Identity";
70static const char *srvid;
71
72static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77static int use_session_cb_cnt = 0;
78static int find_session_cb_cnt = 0;
79
80static SSL_SESSION *create_a_psk(SSL *ssl);
81#endif
82
83static char *certsdir = NULL;
84static char *cert = NULL;
85static char *privkey = NULL;
86static char *cert2 = NULL;
87static char *privkey2 = NULL;
88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
98static char *dhfile = NULL;
99
100static int is_fips = 0;
101static int fips_ems_check = 0;
102
103#define LOG_BUFFER_SIZE 2048
104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t server_log_buffer_index = 0;
106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107static size_t client_log_buffer_index = 0;
108static int error_writing_log = 0;
109
110#ifndef OPENSSL_NO_OCSP
111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
117#endif
118
119#define NUM_EXTRA_CERTS 40
120#define CLIENT_VERSION_LEN 2
121
122/*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
136};
137
138
139static int hostname_cb(SSL *s, int *al, void *arg)
140{
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148}
149
150static void client_keylog_callback(const SSL *ssl, const char *line)
151{
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
164}
165
166static void server_keylog_callback(const SSL *ssl, const char *line)
167{
168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
180}
181
182static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
185 size_t raw_length)
186{
187 size_t i, j;
188 char hexed[3];
189
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 return 1;
192
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
197 return 1;
198 }
199
200 return 0;
201}
202
203static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
206{
207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
221
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 return 0;
232 if (!TEST_size_t_eq(strlen(token), 16))
233 return 0;
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 return 0;
236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 if (!TEST_size_t_eq(strlen(token), 64))
256 return 0;
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
267 if (!TEST_size_t_ne(master_key_size, 0))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
272 return 0;
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310 if (!TEST_size_t_eq(strlen(token), 64))
311 return 0;
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 } else {
320 TEST_info("Unexpected token %s\n", token);
321 return 0;
322 }
323 }
324
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
344 return 0;
345 return 1;
346}
347
348#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349static int test_keylog(void)
350{
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
354 struct sslapitest_log_counts expected;
355
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 TLS_client_method(),
366 TLS1_VERSION, 0,
367 &sctx, &cctx, cert, privkey)))
368 return 0;
369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 goto end;
377
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 goto end;
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
384 goto end;
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
388 goto end;
389
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
398 goto end;
399
400 /*
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
405 */
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
410 goto end;
411
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
415 goto end;
416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
427#endif
428
429#ifndef OSSL_NO_USABLE_TLS1_3
430static int test_keylog_no_master_key(void)
431{
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
435 int testresult = 0;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
439
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
453 return 0;
454
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
462 goto end;
463
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
467 goto end;
468
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
475 goto end;
476
477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
481 */
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
492 goto end;
493
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
533 testresult = 1;
534
535end:
536 SSL_SESSION_free(sess);
537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
546static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547{
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
562 return res;
563}
564
565static int test_client_cert_verify_cb(void)
566{
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621end:
622 X509_free(crt1);
623 X509_free(crt2);
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
644static int test_ssl_build_cert_chain(void)
645{
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671}
672
673static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674{
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682}
683
684static int test_ssl_ctx_build_cert_chain(void)
685{
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709}
710
711#ifndef OPENSSL_NO_TLS1_2
712static int full_client_hello_callback(SSL *s, int *al, void *arg)
713{
714 int *ctr = arg;
715 const unsigned char *p;
716 int *exts;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
718#ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720#else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723#endif
724 const int expected_extensions[] = {
725#ifndef OPENSSL_NO_EC
726 11, 10,
727#endif
728 35, 22, 23, 13};
729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
733 return SSL_CLIENT_HELLO_RETRY;
734
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
746 OPENSSL_free(exts);
747 return SSL_CLIENT_HELLO_ERROR;
748 }
749 OPENSSL_free(exts);
750 return SSL_CLIENT_HELLO_SUCCESS;
751}
752
753static int test_client_hello_cb(void)
754{
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
762 goto end;
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0, status;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
816 if (fips_ems_check) {
817 if (status == 1) {
818 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
819 goto end;
820 }
821 } else {
822 if (!status) {
823 printf("Creating SSL connection failed\n");
824 goto end;
825 }
826 if (SSL_get_extms_support(serverssl)) {
827 printf("Server reports Extended Master Secret support\n");
828 goto end;
829 }
830 if (SSL_get_extms_support(clientssl)) {
831 printf("Client reports Extended Master Secret support\n");
832 goto end;
833 }
834 }
835 testresult = 1;
836
837end:
838 SSL_free(serverssl);
839 SSL_free(clientssl);
840 SSL_CTX_free(sctx);
841 SSL_CTX_free(cctx);
842
843 return testresult;
844}
845
846/*
847 * Very focused test to exercise a single case in the server-side state
848 * machine, when the ChangeCipherState message needs to actually change
849 * from one cipher to a different cipher (i.e., not changing from null
850 * encryption to real encryption).
851 */
852static int test_ccs_change_cipher(void)
853{
854 SSL_CTX *cctx = NULL, *sctx = NULL;
855 SSL *clientssl = NULL, *serverssl = NULL;
856 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 int testresult = 0;
858 int i;
859 unsigned char buf;
860 size_t readbytes;
861
862 /*
863 * Create a connection so we can resume and potentially (but not) use
864 * a different cipher in the second connection.
865 */
866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS_client_method(),
868 TLS1_VERSION, TLS1_2_VERSION,
869 &sctx, &cctx, cert, privkey))
870 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 NULL, NULL))
873 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
874 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 SSL_ERROR_NONE))
876 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
877 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
878 goto end;
879
880 shutdown_ssl_connection(serverssl, clientssl);
881 serverssl = clientssl = NULL;
882
883 /* Resume, preferring a different cipher. Our server will force the
884 * same cipher to be used as the initial handshake. */
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 NULL, NULL))
887 || !TEST_true(SSL_set_session(clientssl, sess))
888 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 SSL_ERROR_NONE))
891 || !TEST_true(SSL_session_reused(clientssl))
892 || !TEST_true(SSL_session_reused(serverssl))
893 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
894 || !TEST_ptr_eq(sesspre, sesspost)
895 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
896 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 goto end;
898 shutdown_ssl_connection(serverssl, clientssl);
899 serverssl = clientssl = NULL;
900
901 /*
902 * Now create a fresh connection and try to renegotiate a different
903 * cipher on it.
904 */
905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 NULL, NULL))
907 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 SSL_ERROR_NONE))
910 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
911 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
912 || !TEST_true(SSL_renegotiate(clientssl))
913 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 goto end;
915 /* Actually drive the renegotiation. */
916 for (i = 0; i < 3; i++) {
917 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
925 if (!TEST_ulong_eq(readbytes, 0))
926 goto end;
927 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
928 SSL_ERROR_WANT_READ)) {
929 goto end;
930 }
931 }
932 /* sesspre and sesspost should be different since the cipher changed. */
933 if (!TEST_false(SSL_renegotiate_pending(clientssl))
934 || !TEST_false(SSL_session_reused(clientssl))
935 || !TEST_false(SSL_session_reused(serverssl))
936 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
937 || !TEST_ptr_ne(sesspre, sesspost)
938 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
939 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
940 goto end;
941
942 shutdown_ssl_connection(serverssl, clientssl);
943 serverssl = clientssl = NULL;
944
945 testresult = 1;
946
947end:
948 SSL_free(serverssl);
949 SSL_free(clientssl);
950 SSL_CTX_free(sctx);
951 SSL_CTX_free(cctx);
952 SSL_SESSION_free(sess);
953
954 return testresult;
955}
956#endif
957
958static int execute_test_large_message(const SSL_METHOD *smeth,
959 const SSL_METHOD *cmeth,
960 int min_version, int max_version,
961 int read_ahead)
962{
963 SSL_CTX *cctx = NULL, *sctx = NULL;
964 SSL *clientssl = NULL, *serverssl = NULL;
965 int testresult = 0;
966 int i;
967 BIO *certbio = NULL;
968 X509 *chaincert = NULL;
969 int certlen;
970
971 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
972 goto end;
973
974 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
975 goto end;
976
977 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
978 goto end;
979 BIO_free(certbio);
980 certbio = NULL;
981
982 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
983 max_version, &sctx, &cctx, cert,
984 privkey)))
985 goto end;
986
987#ifdef OPENSSL_NO_DTLS1_2
988 if (smeth == DTLS_server_method()) {
989 /*
990 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
991 * level 0
992 */
993 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
994 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
995 "DEFAULT:@SECLEVEL=0")))
996 goto end;
997 }
998#endif
999
1000 if (read_ahead) {
1001 /*
1002 * Test that read_ahead works correctly when dealing with large
1003 * records
1004 */
1005 SSL_CTX_set_read_ahead(cctx, 1);
1006 }
1007
1008 /*
1009 * We assume the supplied certificate is big enough so that if we add
1010 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1011 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1012 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1013 * test we need to have a message larger than that.
1014 */
1015 certlen = i2d_X509(chaincert, NULL);
1016 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1017 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1018 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1019 if (!X509_up_ref(chaincert))
1020 goto end;
1021 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1022 X509_free(chaincert);
1023 goto end;
1024 }
1025 }
1026
1027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1028 NULL, NULL))
1029 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1030 SSL_ERROR_NONE)))
1031 goto end;
1032
1033 /*
1034 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1035 * doesn't leak.
1036 */
1037 if (!TEST_true(SSL_clear(serverssl)))
1038 goto end;
1039
1040 testresult = 1;
1041 end:
1042 BIO_free(certbio);
1043 X509_free(chaincert);
1044 SSL_free(serverssl);
1045 SSL_free(clientssl);
1046 SSL_CTX_free(sctx);
1047 SSL_CTX_free(cctx);
1048
1049 return testresult;
1050}
1051
1052#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1053 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1054/* sock must be connected */
1055static int ktls_chk_platform(int sock)
1056{
1057 if (!ktls_enable(sock))
1058 return 0;
1059 return 1;
1060}
1061
1062static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1063{
1064 static char count = 1;
1065 unsigned char cbuf[16000] = {0};
1066 unsigned char sbuf[16000];
1067 size_t err = 0;
1068 char crec_wseq_before[SEQ_NUM_SIZE];
1069 char crec_wseq_after[SEQ_NUM_SIZE];
1070 char crec_rseq_before[SEQ_NUM_SIZE];
1071 char crec_rseq_after[SEQ_NUM_SIZE];
1072 char srec_wseq_before[SEQ_NUM_SIZE];
1073 char srec_wseq_after[SEQ_NUM_SIZE];
1074 char srec_rseq_before[SEQ_NUM_SIZE];
1075 char srec_rseq_after[SEQ_NUM_SIZE];
1076
1077 cbuf[0] = count++;
1078 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1079 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1080 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1081 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1082
1083 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1084 goto end;
1085
1086 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1087 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1088 goto end;
1089 }
1090 }
1091
1092 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1093 goto end;
1094
1095 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1096 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1097 goto end;
1098 }
1099 }
1100
1101 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1102 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1103 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1104 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1105
1106 /* verify the payload */
1107 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1108 goto end;
1109
1110 /*
1111 * If ktls is used then kernel sequences are used instead of
1112 * OpenSSL sequences
1113 */
1114 if (!BIO_get_ktls_send(clientssl->wbio)) {
1115 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1116 crec_wseq_after, SEQ_NUM_SIZE))
1117 goto end;
1118 } else {
1119 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1120 crec_wseq_after, SEQ_NUM_SIZE))
1121 goto end;
1122 }
1123
1124 if (!BIO_get_ktls_send(serverssl->wbio)) {
1125 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1126 srec_wseq_after, SEQ_NUM_SIZE))
1127 goto end;
1128 } else {
1129 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1130 srec_wseq_after, SEQ_NUM_SIZE))
1131 goto end;
1132 }
1133
1134 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1135 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1136 crec_rseq_after, SEQ_NUM_SIZE))
1137 goto end;
1138 } else {
1139 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1140 crec_rseq_after, SEQ_NUM_SIZE))
1141 goto end;
1142 }
1143
1144 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1145 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1146 srec_rseq_after, SEQ_NUM_SIZE))
1147 goto end;
1148 } else {
1149 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1150 srec_rseq_after, SEQ_NUM_SIZE))
1151 goto end;
1152 }
1153
1154 return 1;
1155end:
1156 return 0;
1157}
1158
1159static int execute_test_ktls(int cis_ktls, int sis_ktls,
1160 int tls_version, const char *cipher)
1161{
1162 SSL_CTX *cctx = NULL, *sctx = NULL;
1163 SSL *clientssl = NULL, *serverssl = NULL;
1164 int ktls_used = 0, testresult = 0;
1165 int cfd = -1, sfd = -1;
1166 int rx_supported;
1167
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1169 goto end;
1170
1171 /* Skip this test if the platform does not support ktls */
1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1174 goto end;
1175 }
1176
1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1179 goto end;
1180 }
1181
1182 /* Create a session based on SHA-256 */
1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1184 TLS_client_method(),
1185 tls_version, tls_version,
1186 &sctx, &cctx, cert, privkey)))
1187 goto end;
1188
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1192 goto end;
1193 } else {
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1196 goto end;
1197 }
1198
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
1201 goto end;
1202
1203 if (cis_ktls) {
1204 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1205 goto end;
1206 }
1207
1208 if (sis_ktls) {
1209 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1210 goto end;
1211 }
1212
1213 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1214 goto end;
1215
1216 /*
1217 * The running kernel may not support a given cipher suite
1218 * or direction, so just check that KTLS isn't used when it
1219 * isn't enabled.
1220 */
1221 if (!cis_ktls) {
1222 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1223 goto end;
1224 } else {
1225 if (BIO_get_ktls_send(clientssl->wbio))
1226 ktls_used = 1;
1227 }
1228
1229 if (!sis_ktls) {
1230 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1231 goto end;
1232 } else {
1233 if (BIO_get_ktls_send(serverssl->wbio))
1234 ktls_used = 1;
1235 }
1236
1237#if defined(OPENSSL_NO_KTLS_RX)
1238 rx_supported = 0;
1239#else
1240 rx_supported = (tls_version != TLS1_3_VERSION);
1241#endif
1242 if (!cis_ktls || !rx_supported) {
1243 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1244 goto end;
1245 } else {
1246 if (BIO_get_ktls_send(clientssl->rbio))
1247 ktls_used = 1;
1248 }
1249
1250 if (!sis_ktls || !rx_supported) {
1251 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1252 goto end;
1253 } else {
1254 if (BIO_get_ktls_send(serverssl->rbio))
1255 ktls_used = 1;
1256 }
1257
1258 if ((cis_ktls || sis_ktls) && !ktls_used) {
1259 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1260 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1261 "TLS 1.2", cipher);
1262 goto end;
1263 }
1264
1265 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1266 goto end;
1267
1268 testresult = 1;
1269end:
1270 if (clientssl) {
1271 SSL_shutdown(clientssl);
1272 SSL_free(clientssl);
1273 }
1274 if (serverssl) {
1275 SSL_shutdown(serverssl);
1276 SSL_free(serverssl);
1277 }
1278 SSL_CTX_free(sctx);
1279 SSL_CTX_free(cctx);
1280 serverssl = clientssl = NULL;
1281 if (cfd != -1)
1282 close(cfd);
1283 if (sfd != -1)
1284 close(sfd);
1285 return testresult;
1286}
1287
1288#define SENDFILE_SZ (16 * 4096)
1289#define SENDFILE_CHUNK (4 * 4096)
1290#define min(a,b) ((a) > (b) ? (b) : (a))
1291
1292static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1293{
1294 SSL_CTX *cctx = NULL, *sctx = NULL;
1295 SSL *clientssl = NULL, *serverssl = NULL;
1296 unsigned char *buf, *buf_dst;
1297 BIO *out = NULL, *in = NULL;
1298 int cfd = -1, sfd = -1, ffd, err;
1299 ssize_t chunk_size = 0;
1300 off_t chunk_off = 0;
1301 int testresult = 0;
1302 FILE *ffdp;
1303
1304 buf = OPENSSL_zalloc(SENDFILE_SZ);
1305 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1306 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1307 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1308 goto end;
1309
1310 /* Skip this test if the platform does not support ktls */
1311 if (!ktls_chk_platform(sfd)) {
1312 testresult = TEST_skip("Kernel does not support KTLS");
1313 goto end;
1314 }
1315
1316 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1317 testresult = TEST_skip("CHACHA is not supported in FIPS");
1318 goto end;
1319 }
1320
1321 /* Create a session based on SHA-256 */
1322 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1323 TLS_client_method(),
1324 tls_version, tls_version,
1325 &sctx, &cctx, cert, privkey)))
1326 goto end;
1327
1328 if (tls_version == TLS1_3_VERSION) {
1329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1330 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1331 goto end;
1332 } else {
1333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1334 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1335 goto end;
1336 }
1337
1338 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1339 &clientssl, sfd, cfd)))
1340 goto end;
1341
1342 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1343 goto end;
1344
1345 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1346 SSL_ERROR_NONE)))
1347 goto end;
1348
1349 if (!BIO_get_ktls_send(serverssl->wbio)) {
1350 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1351 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1352 "TLS 1.2", cipher);
1353 goto end;
1354 }
1355
1356 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1357 goto end;
1358
1359 out = BIO_new_file(tmpfilename, "wb");
1360 if (!TEST_ptr(out))
1361 goto end;
1362
1363 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1364 goto end;
1365
1366 BIO_free(out);
1367 out = NULL;
1368 in = BIO_new_file(tmpfilename, "rb");
1369 BIO_get_fp(in, &ffdp);
1370 ffd = fileno(ffdp);
1371
1372 while (chunk_off < SENDFILE_SZ) {
1373 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1374 while ((err = SSL_sendfile(serverssl,
1375 ffd,
1376 chunk_off,
1377 chunk_size,
1378 0)) != chunk_size) {
1379 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1380 goto end;
1381 }
1382 while ((err = SSL_read(clientssl,
1383 buf_dst + chunk_off,
1384 chunk_size)) != chunk_size) {
1385 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1386 goto end;
1387 }
1388
1389 /* verify the payload */
1390 if (!TEST_mem_eq(buf_dst + chunk_off,
1391 chunk_size,
1392 buf + chunk_off,
1393 chunk_size))
1394 goto end;
1395
1396 chunk_off += chunk_size;
1397 }
1398
1399 testresult = 1;
1400end:
1401 if (clientssl) {
1402 SSL_shutdown(clientssl);
1403 SSL_free(clientssl);
1404 }
1405 if (serverssl) {
1406 SSL_shutdown(serverssl);
1407 SSL_free(serverssl);
1408 }
1409 SSL_CTX_free(sctx);
1410 SSL_CTX_free(cctx);
1411 serverssl = clientssl = NULL;
1412 BIO_free(out);
1413 BIO_free(in);
1414 if (cfd != -1)
1415 close(cfd);
1416 if (sfd != -1)
1417 close(sfd);
1418 OPENSSL_free(buf);
1419 OPENSSL_free(buf_dst);
1420 return testresult;
1421}
1422
1423static struct ktls_test_cipher {
1424 int tls_version;
1425 const char *cipher;
1426} ktls_test_ciphers[] = {
1427# if !defined(OPENSSL_NO_TLS1_2)
1428# ifdef OPENSSL_KTLS_AES_GCM_128
1429 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1430# endif
1431# ifdef OPENSSL_KTLS_AES_CCM_128
1432 { TLS1_2_VERSION, "AES128-CCM"},
1433# endif
1434# ifdef OPENSSL_KTLS_AES_GCM_256
1435 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1436# endif
1437# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1438# ifndef OPENSSL_NO_EC
1439 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1440# endif
1441# endif
1442# endif
1443# if !defined(OSSL_NO_USABLE_TLS1_3)
1444# ifdef OPENSSL_KTLS_AES_GCM_128
1445 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1446# endif
1447# ifdef OPENSSL_KTLS_AES_CCM_128
1448 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1449# endif
1450# ifdef OPENSSL_KTLS_AES_GCM_256
1451 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1452# endif
1453# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1454 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1455# endif
1456# endif
1457};
1458
1459#define NUM_KTLS_TEST_CIPHERS \
1460 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1461
1462static int test_ktls(int test)
1463{
1464 struct ktls_test_cipher *cipher;
1465 int cis_ktls, sis_ktls;
1466
1467 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1468 cipher = &ktls_test_ciphers[test / 4];
1469
1470 cis_ktls = (test & 1) != 0;
1471 sis_ktls = (test & 2) != 0;
1472
1473 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1474 cipher->cipher);
1475}
1476
1477static int test_ktls_sendfile(int tst)
1478{
1479 struct ktls_test_cipher *cipher;
1480
1481 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1482 cipher = &ktls_test_ciphers[tst];
1483
1484 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1485}
1486#endif
1487
1488static int test_large_message_tls(void)
1489{
1490 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1491 TLS1_VERSION, 0, 0);
1492}
1493
1494static int test_large_message_tls_read_ahead(void)
1495{
1496 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1497 TLS1_VERSION, 0, 1);
1498}
1499
1500#ifndef OPENSSL_NO_DTLS
1501static int test_large_message_dtls(void)
1502{
1503# ifdef OPENSSL_NO_DTLS1_2
1504 /* Not supported in the FIPS provider */
1505 if (is_fips)
1506 return 1;
1507# endif
1508 /*
1509 * read_ahead is not relevant to DTLS because DTLS always acts as if
1510 * read_ahead is set.
1511 */
1512 return execute_test_large_message(DTLS_server_method(),
1513 DTLS_client_method(),
1514 DTLS1_VERSION, 0, 0);
1515}
1516#endif
1517
1518/*
1519 * Test we can successfully send the maximum amount of application data. We
1520 * test each protocol version individually, each with and without EtM enabled.
1521 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1522 * simpler this way. We also test all combinations with and without the
1523 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1524 * underlying buffer.
1525 */
1526static int test_large_app_data(int tst)
1527{
1528 SSL_CTX *cctx = NULL, *sctx = NULL;
1529 SSL *clientssl = NULL, *serverssl = NULL;
1530 int testresult = 0, prot;
1531 unsigned char *msg, *buf = NULL;
1532 size_t written, readbytes;
1533 const SSL_METHOD *smeth = TLS_server_method();
1534 const SSL_METHOD *cmeth = TLS_client_method();
1535
1536 switch (tst >> 2) {
1537 case 0:
1538#ifndef OSSL_NO_USABLE_TLS1_3
1539 prot = TLS1_3_VERSION;
1540 break;
1541#else
1542 return 1;
1543#endif
1544
1545 case 1:
1546#ifndef OPENSSL_NO_TLS1_2
1547 prot = TLS1_2_VERSION;
1548 break;
1549#else
1550 return 1;
1551#endif
1552
1553 case 2:
1554#ifndef OPENSSL_NO_TLS1_1
1555 prot = TLS1_1_VERSION;
1556 break;
1557#else
1558 return 1;
1559#endif
1560
1561 case 3:
1562#ifndef OPENSSL_NO_TLS1
1563 prot = TLS1_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 4:
1570#ifndef OPENSSL_NO_SSL3
1571 prot = SSL3_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 5:
1578#ifndef OPENSSL_NO_DTLS1_2
1579 prot = DTLS1_2_VERSION;
1580 smeth = DTLS_server_method();
1581 cmeth = DTLS_client_method();
1582 break;
1583#else
1584 return 1;
1585#endif
1586
1587 case 6:
1588#ifndef OPENSSL_NO_DTLS1
1589 prot = DTLS1_VERSION;
1590 smeth = DTLS_server_method();
1591 cmeth = DTLS_client_method();
1592 break;
1593#else
1594 return 1;
1595#endif
1596
1597 default:
1598 /* Shouldn't happen */
1599 return 0;
1600 }
1601
1602 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1603 return 1;
1604
1605 /* Maximal sized message of zeros */
1606 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1607 if (!TEST_ptr(msg))
1608 goto end;
1609
1610 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1611 if (!TEST_ptr(buf))
1612 goto end;
1613 /* Set whole buffer to all bits set */
1614 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1615
1616 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1617 &sctx, &cctx, cert, privkey)))
1618 goto end;
1619
1620 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1621 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1622 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1623 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1624 "DEFAULT:@SECLEVEL=0")))
1625 goto end;
1626 }
1627
1628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1629 &clientssl, NULL, NULL)))
1630 goto end;
1631
1632 if ((tst & 1) != 0) {
1633 /* Setting this option gives us a minimally sized underlying buffer */
1634 if (!TEST_true(SSL_set_options(serverssl,
1635 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1636 || !TEST_true(SSL_set_options(clientssl,
1637 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1638 goto end;
1639 }
1640
1641 if ((tst & 2) != 0) {
1642 /*
1643 * Setting this option means the MAC is added before encryption
1644 * giving us a larger record for the encryption process
1645 */
1646 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1647 || !TEST_true(SSL_set_options(clientssl,
1648 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1653 goto end;
1654
1655 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1656 &written))
1657 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1658 goto end;
1659
1660 /* We provide a buffer slightly larger than what we are actually expecting */
1661 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1662 &readbytes)))
1663 goto end;
1664
1665 if (!TEST_mem_eq(msg, written, buf, readbytes))
1666 goto end;
1667
1668 testresult = 1;
1669end:
1670 OPENSSL_free(msg);
1671 OPENSSL_free(buf);
1672 SSL_free(serverssl);
1673 SSL_free(clientssl);
1674 SSL_CTX_free(sctx);
1675 SSL_CTX_free(cctx);
1676 return testresult;
1677}
1678
1679static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1680 const SSL_METHOD *cmeth,
1681 int min_version, int max_version)
1682{
1683 size_t i;
1684 SSL_CTX *cctx = NULL, *sctx = NULL;
1685 SSL *clientssl = NULL, *serverssl = NULL;
1686 int testresult = 0;
1687 SSL3_RECORD *rr;
1688 void *zbuf;
1689
1690 static unsigned char cbuf[16000];
1691 static unsigned char sbuf[16000];
1692
1693 if (!TEST_true(create_ssl_ctx_pair(libctx,
1694 smeth, cmeth,
1695 min_version, max_version,
1696 &sctx, &cctx, cert,
1697 privkey)))
1698 goto end;
1699
1700#ifdef OPENSSL_NO_DTLS1_2
1701 if (smeth == DTLS_server_method()) {
1702# ifdef OPENSSL_NO_DTLS1_2
1703 /* Not supported in the FIPS provider */
1704 if (is_fips) {
1705 testresult = 1;
1706 goto end;
1707 };
1708# endif
1709 /*
1710 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1711 * level 0
1712 */
1713 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1714 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1715 "DEFAULT:@SECLEVEL=0")))
1716 goto end;
1717 }
1718#endif
1719
1720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1721 NULL, NULL)))
1722 goto end;
1723
1724 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1725 goto end;
1726
1727 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1728 SSL_ERROR_NONE)))
1729 goto end;
1730
1731 for (i = 0; i < sizeof(cbuf); i++) {
1732 cbuf[i] = i & 0xff;
1733 }
1734
1735 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1736 goto end;
1737
1738 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1739 goto end;
1740
1741 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1742 goto end;
1743
1744 /*
1745 * Since we called SSL_peek(), we know the data in the record
1746 * layer is a plaintext record. We can gather the pointer to check
1747 * for zeroization after SSL_read().
1748 */
1749 rr = serverssl->rlayer.rrec;
1750 zbuf = &rr->data[rr->off];
1751 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1752 goto end;
1753
1754 /*
1755 * After SSL_peek() the plaintext must still be stored in the
1756 * record.
1757 */
1758 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1759 goto end;
1760
1761 memset(sbuf, 0, sizeof(sbuf));
1762 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1763 goto end;
1764
1765 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1766 goto end;
1767
1768 /* Check if rbuf is cleansed */
1769 memset(cbuf, 0, sizeof(cbuf));
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1771 goto end;
1772
1773 testresult = 1;
1774 end:
1775 SSL_free(serverssl);
1776 SSL_free(clientssl);
1777 SSL_CTX_free(sctx);
1778 SSL_CTX_free(cctx);
1779
1780 return testresult;
1781}
1782
1783static int test_cleanse_plaintext(void)
1784{
1785#if !defined(OPENSSL_NO_TLS1_2)
1786 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1787 TLS_client_method(),
1788 TLS1_2_VERSION,
1789 TLS1_2_VERSION)))
1790 return 0;
1791
1792#endif
1793
1794#if !defined(OSSL_NO_USABLE_TLS1_3)
1795 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1796 TLS_client_method(),
1797 TLS1_3_VERSION,
1798 TLS1_3_VERSION)))
1799 return 0;
1800#endif
1801
1802#if !defined(OPENSSL_NO_DTLS)
1803
1804 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1805 DTLS_client_method(),
1806 DTLS1_VERSION,
1807 0)))
1808 return 0;
1809#endif
1810 return 1;
1811}
1812
1813#ifndef OPENSSL_NO_OCSP
1814static int ocsp_server_cb(SSL *s, void *arg)
1815{
1816 int *argi = (int *)arg;
1817 unsigned char *copy = NULL;
1818 STACK_OF(OCSP_RESPID) *ids = NULL;
1819 OCSP_RESPID *id = NULL;
1820
1821 if (*argi == 2) {
1822 /* In this test we are expecting exactly 1 OCSP_RESPID */
1823 SSL_get_tlsext_status_ids(s, &ids);
1824 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1825 return SSL_TLSEXT_ERR_ALERT_FATAL;
1826
1827 id = sk_OCSP_RESPID_value(ids, 0);
1828 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1829 return SSL_TLSEXT_ERR_ALERT_FATAL;
1830 } else if (*argi != 1) {
1831 return SSL_TLSEXT_ERR_ALERT_FATAL;
1832 }
1833
1834 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1835 return SSL_TLSEXT_ERR_ALERT_FATAL;
1836
1837 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1838 sizeof(orespder)))) {
1839 OPENSSL_free(copy);
1840 return SSL_TLSEXT_ERR_ALERT_FATAL;
1841 }
1842 ocsp_server_called = 1;
1843 return SSL_TLSEXT_ERR_OK;
1844}
1845
1846static int ocsp_client_cb(SSL *s, void *arg)
1847{
1848 int *argi = (int *)arg;
1849 const unsigned char *respderin;
1850 size_t len;
1851
1852 if (*argi != 1 && *argi != 2)
1853 return 0;
1854
1855 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1856 if (!TEST_mem_eq(orespder, len, respderin, len))
1857 return 0;
1858
1859 ocsp_client_called = 1;
1860 return 1;
1861}
1862
1863static int test_tlsext_status_type(void)
1864{
1865 SSL_CTX *cctx = NULL, *sctx = NULL;
1866 SSL *clientssl = NULL, *serverssl = NULL;
1867 int testresult = 0;
1868 STACK_OF(OCSP_RESPID) *ids = NULL;
1869 OCSP_RESPID *id = NULL;
1870 BIO *certbio = NULL;
1871
1872 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1873 TLS1_VERSION, 0,
1874 &sctx, &cctx, cert, privkey))
1875 return 0;
1876
1877 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1878 goto end;
1879
1880 /* First just do various checks getting and setting tlsext_status_type */
1881
1882 clientssl = SSL_new(cctx);
1883 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1884 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1885 TLSEXT_STATUSTYPE_ocsp))
1886 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1887 TLSEXT_STATUSTYPE_ocsp))
1888 goto end;
1889
1890 SSL_free(clientssl);
1891 clientssl = NULL;
1892
1893 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1894 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1895 goto end;
1896
1897 clientssl = SSL_new(cctx);
1898 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1899 goto end;
1900 SSL_free(clientssl);
1901 clientssl = NULL;
1902
1903 /*
1904 * Now actually do a handshake and check OCSP information is exchanged and
1905 * the callbacks get called
1906 */
1907 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1908 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1909 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1910 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1912 &clientssl, NULL, NULL))
1913 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1914 SSL_ERROR_NONE))
1915 || !TEST_true(ocsp_client_called)
1916 || !TEST_true(ocsp_server_called))
1917 goto end;
1918 SSL_free(serverssl);
1919 SSL_free(clientssl);
1920 serverssl = NULL;
1921 clientssl = NULL;
1922
1923 /* Try again but this time force the server side callback to fail */
1924 ocsp_client_called = 0;
1925 ocsp_server_called = 0;
1926 cdummyarg = 0;
1927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1928 &clientssl, NULL, NULL))
1929 /* This should fail because the callback will fail */
1930 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1931 SSL_ERROR_NONE))
1932 || !TEST_false(ocsp_client_called)
1933 || !TEST_false(ocsp_server_called))
1934 goto end;
1935 SSL_free(serverssl);
1936 SSL_free(clientssl);
1937 serverssl = NULL;
1938 clientssl = NULL;
1939
1940 /*
1941 * This time we'll get the client to send an OCSP_RESPID that it will
1942 * accept.
1943 */
1944 ocsp_client_called = 0;
1945 ocsp_server_called = 0;
1946 cdummyarg = 2;
1947 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1948 &clientssl, NULL, NULL)))
1949 goto end;
1950
1951 /*
1952 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1953 * specific one. We'll use the server cert.
1954 */
1955 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1956 || !TEST_ptr(id = OCSP_RESPID_new())
1957 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1958 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1959 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1960 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1961 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1962 goto end;
1963 id = NULL;
1964 SSL_set_tlsext_status_ids(clientssl, ids);
1965 /* Control has been transferred */
1966 ids = NULL;
1967
1968 BIO_free(certbio);
1969 certbio = NULL;
1970
1971 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1972 SSL_ERROR_NONE))
1973 || !TEST_true(ocsp_client_called)
1974 || !TEST_true(ocsp_server_called))
1975 goto end;
1976
1977 testresult = 1;
1978
1979 end:
1980 SSL_free(serverssl);
1981 SSL_free(clientssl);
1982 SSL_CTX_free(sctx);
1983 SSL_CTX_free(cctx);
1984 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1985 OCSP_RESPID_free(id);
1986 BIO_free(certbio);
1987 X509_free(ocspcert);
1988 ocspcert = NULL;
1989
1990 return testresult;
1991}
1992#endif
1993
1994#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1995static int new_called, remove_called, get_called;
1996
1997static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1998{
1999 new_called++;
2000 /*
2001 * sess has been up-refed for us, but we don't actually need it so free it
2002 * immediately.
2003 */
2004 SSL_SESSION_free(sess);
2005 return 1;
2006}
2007
2008static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2009{
2010 remove_called++;
2011}
2012
2013static SSL_SESSION *get_sess_val = NULL;
2014
2015static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2016 int *copy)
2017{
2018 get_called++;
2019 *copy = 1;
2020 return get_sess_val;
2021}
2022
2023static int execute_test_session(int maxprot, int use_int_cache,
2024 int use_ext_cache, long s_options)
2025{
2026 SSL_CTX *sctx = NULL, *cctx = NULL;
2027 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2028 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2029# ifndef OPENSSL_NO_TLS1_1
2030 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2031# endif
2032 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2033 int testresult = 0, numnewsesstick = 1;
2034
2035 new_called = remove_called = 0;
2036
2037 /* TLSv1.3 sends 2 NewSessionTickets */
2038 if (maxprot == TLS1_3_VERSION)
2039 numnewsesstick = 2;
2040
2041 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2042 TLS_client_method(), TLS1_VERSION, 0,
2043 &sctx, &cctx, cert, privkey)))
2044 return 0;
2045
2046 /*
2047 * Only allow the max protocol version so we can force a connection failure
2048 * later
2049 */
2050 SSL_CTX_set_min_proto_version(cctx, maxprot);
2051 SSL_CTX_set_max_proto_version(cctx, maxprot);
2052
2053 /* Set up session cache */
2054 if (use_ext_cache) {
2055 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2056 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2057 }
2058 if (use_int_cache) {
2059 /* Also covers instance where both are set */
2060 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2061 } else {
2062 SSL_CTX_set_session_cache_mode(cctx,
2063 SSL_SESS_CACHE_CLIENT
2064 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2065 }
2066
2067 if (s_options) {
2068 SSL_CTX_set_options(sctx, s_options);
2069 }
2070
2071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2072 NULL, NULL))
2073 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2074 SSL_ERROR_NONE))
2075 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2076 goto end;
2077
2078 /* Should fail because it should already be in the cache */
2079 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2080 goto end;
2081 if (use_ext_cache
2082 && (!TEST_int_eq(new_called, numnewsesstick)
2083
2084 || !TEST_int_eq(remove_called, 0)))
2085 goto end;
2086
2087 new_called = remove_called = 0;
2088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2089 &clientssl2, NULL, NULL))
2090 || !TEST_true(SSL_set_session(clientssl2, sess1))
2091 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2092 SSL_ERROR_NONE))
2093 || !TEST_true(SSL_session_reused(clientssl2)))
2094 goto end;
2095
2096 if (maxprot == TLS1_3_VERSION) {
2097 /*
2098 * In TLSv1.3 we should have created a new session even though we have
2099 * resumed. Since we attempted a resume we should also have removed the
2100 * old ticket from the cache so that we try to only use tickets once.
2101 */
2102 if (use_ext_cache
2103 && (!TEST_int_eq(new_called, 1)
2104 || !TEST_int_eq(remove_called, 1)))
2105 goto end;
2106 } else {
2107 /*
2108 * In TLSv1.2 we expect to have resumed so no sessions added or
2109 * removed.
2110 */
2111 if (use_ext_cache
2112 && (!TEST_int_eq(new_called, 0)
2113 || !TEST_int_eq(remove_called, 0)))
2114 goto end;
2115 }
2116
2117 SSL_SESSION_free(sess1);
2118 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2119 goto end;
2120 shutdown_ssl_connection(serverssl2, clientssl2);
2121 serverssl2 = clientssl2 = NULL;
2122
2123 new_called = remove_called = 0;
2124 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2125 &clientssl2, NULL, NULL))
2126 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2127 SSL_ERROR_NONE)))
2128 goto end;
2129
2130 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2131 goto end;
2132
2133 if (use_ext_cache
2134 && (!TEST_int_eq(new_called, numnewsesstick)
2135 || !TEST_int_eq(remove_called, 0)))
2136 goto end;
2137
2138 new_called = remove_called = 0;
2139 /*
2140 * This should clear sess2 from the cache because it is a "bad" session.
2141 * See SSL_set_session() documentation.
2142 */
2143 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2144 goto end;
2145 if (use_ext_cache
2146 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2147 goto end;
2148 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2149 goto end;
2150
2151 if (use_int_cache) {
2152 /* Should succeeded because it should not already be in the cache */
2153 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2154 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2155 goto end;
2156 }
2157
2158 new_called = remove_called = 0;
2159 /* This shouldn't be in the cache so should fail */
2160 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2161 goto end;
2162
2163 if (use_ext_cache
2164 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2165 goto end;
2166
2167# if !defined(OPENSSL_NO_TLS1_1)
2168 new_called = remove_called = 0;
2169 /* Force a connection failure */
2170 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2171 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2172 &clientssl3, NULL, NULL))
2173 || !TEST_true(SSL_set_session(clientssl3, sess1))
2174 /* This should fail because of the mismatched protocol versions */
2175 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2176 SSL_ERROR_NONE)))
2177 goto end;
2178
2179 /* We should have automatically removed the session from the cache */
2180 if (use_ext_cache
2181 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2182 goto end;
2183
2184 /* Should succeed because it should not already be in the cache */
2185 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2186 goto end;
2187# endif
2188
2189 /* Now do some tests for server side caching */
2190 if (use_ext_cache) {
2191 SSL_CTX_sess_set_new_cb(cctx, NULL);
2192 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2193 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2194 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2195 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2196 get_sess_val = NULL;
2197 }
2198
2199 SSL_CTX_set_session_cache_mode(cctx, 0);
2200 /* Internal caching is the default on the server side */
2201 if (!use_int_cache)
2202 SSL_CTX_set_session_cache_mode(sctx,
2203 SSL_SESS_CACHE_SERVER
2204 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2205
2206 SSL_free(serverssl1);
2207 SSL_free(clientssl1);
2208 serverssl1 = clientssl1 = NULL;
2209 SSL_free(serverssl2);
2210 SSL_free(clientssl2);
2211 serverssl2 = clientssl2 = NULL;
2212 SSL_SESSION_free(sess1);
2213 sess1 = NULL;
2214 SSL_SESSION_free(sess2);
2215 sess2 = NULL;
2216
2217 SSL_CTX_set_max_proto_version(sctx, maxprot);
2218 if (maxprot == TLS1_2_VERSION)
2219 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2220 new_called = remove_called = get_called = 0;
2221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2222 NULL, NULL))
2223 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2224 SSL_ERROR_NONE))
2225 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2226 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2227 goto end;
2228
2229 if (use_int_cache) {
2230 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2231 /*
2232 * In TLSv1.3 it should not have been added to the internal cache,
2233 * except in the case where we also have an external cache (in that
2234 * case it gets added to the cache in order to generate remove
2235 * events after timeout).
2236 */
2237 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2238 goto end;
2239 } else {
2240 /* Should fail because it should already be in the cache */
2241 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2242 goto end;
2243 }
2244 }
2245
2246 if (use_ext_cache) {
2247 SSL_SESSION *tmp = sess2;
2248
2249 if (!TEST_int_eq(new_called, numnewsesstick)
2250 || !TEST_int_eq(remove_called, 0)
2251 || !TEST_int_eq(get_called, 0))
2252 goto end;
2253 /*
2254 * Delete the session from the internal cache to force a lookup from
2255 * the external cache. We take a copy first because
2256 * SSL_CTX_remove_session() also marks the session as non-resumable.
2257 */
2258 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2259 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2260 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2261 goto end;
2262 SSL_SESSION_free(sess2);
2263 }
2264 sess2 = tmp;
2265 }
2266
2267 new_called = remove_called = get_called = 0;
2268 get_sess_val = sess2;
2269 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2270 &clientssl2, NULL, NULL))
2271 || !TEST_true(SSL_set_session(clientssl2, sess1))
2272 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2273 SSL_ERROR_NONE))
2274 || !TEST_true(SSL_session_reused(clientssl2)))
2275 goto end;
2276
2277 if (use_ext_cache) {
2278 if (!TEST_int_eq(remove_called, 0))
2279 goto end;
2280
2281 if (maxprot == TLS1_3_VERSION) {
2282 if (!TEST_int_eq(new_called, 1)
2283 || !TEST_int_eq(get_called, 0))
2284 goto end;
2285 } else {
2286 if (!TEST_int_eq(new_called, 0)
2287 || !TEST_int_eq(get_called, 1))
2288 goto end;
2289 }
2290 }
2291 /*
2292 * Make a small cache, force out all other sessions but
2293 * sess2, try to add sess1, which should succeed. Then
2294 * make sure it's there by checking the owners. Despite
2295 * the timeouts, sess1 should have kicked out sess2
2296 */
2297
2298 /* Make sess1 expire before sess2 */
2299 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2300 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2301 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2302 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2303 goto end;
2304
2305 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2306 goto end;
2307
2308 /* Don't care about results - cache should only be sess2 at end */
2309 SSL_CTX_add_session(sctx, sess1);
2310 SSL_CTX_add_session(sctx, sess2);
2311
2312 /* Now add sess1, and make sure it remains, despite timeout */
2313 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2314 || !TEST_ptr(sess1->owner)
2315 || !TEST_ptr_null(sess2->owner))
2316 goto end;
2317
2318 testresult = 1;
2319
2320 end:
2321 SSL_free(serverssl1);
2322 SSL_free(clientssl1);
2323 SSL_free(serverssl2);
2324 SSL_free(clientssl2);
2325# ifndef OPENSSL_NO_TLS1_1
2326 SSL_free(serverssl3);
2327 SSL_free(clientssl3);
2328# endif
2329 SSL_SESSION_free(sess1);
2330 SSL_SESSION_free(sess2);
2331 SSL_CTX_free(sctx);
2332 SSL_CTX_free(cctx);
2333
2334 return testresult;
2335}
2336#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2337
2338static int test_session_with_only_int_cache(void)
2339{
2340#ifndef OSSL_NO_USABLE_TLS1_3
2341 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2342 return 0;
2343#endif
2344
2345#ifndef OPENSSL_NO_TLS1_2
2346 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2347#else
2348 return 1;
2349#endif
2350}
2351
2352static int test_session_with_only_ext_cache(void)
2353{
2354#ifndef OSSL_NO_USABLE_TLS1_3
2355 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2356 return 0;
2357#endif
2358
2359#ifndef OPENSSL_NO_TLS1_2
2360 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2361#else
2362 return 1;
2363#endif
2364}
2365
2366static int test_session_with_both_cache(void)
2367{
2368#ifndef OSSL_NO_USABLE_TLS1_3
2369 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2370 return 0;
2371#endif
2372
2373#ifndef OPENSSL_NO_TLS1_2
2374 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2375#else
2376 return 1;
2377#endif
2378}
2379
2380static int test_session_wo_ca_names(void)
2381{
2382#ifndef OSSL_NO_USABLE_TLS1_3
2383 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2384 return 0;
2385#endif
2386
2387#ifndef OPENSSL_NO_TLS1_2
2388 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2389#else
2390 return 1;
2391#endif
2392}
2393
2394
2395#ifndef OSSL_NO_USABLE_TLS1_3
2396static SSL_SESSION *sesscache[6];
2397static int do_cache;
2398
2399static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2400{
2401 if (do_cache) {
2402 sesscache[new_called] = sess;
2403 } else {
2404 /* We don't need the reference to the session, so free it */
2405 SSL_SESSION_free(sess);
2406 }
2407 new_called++;
2408
2409 return 1;
2410}
2411
2412static int post_handshake_verify(SSL *sssl, SSL *cssl)
2413{
2414 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2415 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2416 return 0;
2417
2418 /* Start handshake on the server and client */
2419 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2420 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2421 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2422 || !TEST_true(create_ssl_connection(sssl, cssl,
2423 SSL_ERROR_NONE)))
2424 return 0;
2425
2426 return 1;
2427}
2428
2429static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2430 SSL_CTX **cctx)
2431{
2432 int sess_id_ctx = 1;
2433
2434 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2435 TLS_client_method(), TLS1_VERSION, 0,
2436 sctx, cctx, cert, privkey))
2437 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2438 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2439 (void *)&sess_id_ctx,
2440 sizeof(sess_id_ctx))))
2441 return 0;
2442
2443 if (stateful)
2444 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2445
2446 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2447 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2448 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2449
2450 return 1;
2451}
2452
2453static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2454{
2455 SSL *serverssl = NULL, *clientssl = NULL;
2456 int i;
2457
2458 /* Test that we can resume with all the tickets we got given */
2459 for (i = 0; i < idx * 2; i++) {
2460 new_called = 0;
2461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2462 &clientssl, NULL, NULL))
2463 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2464 goto end;
2465
2466 SSL_set_post_handshake_auth(clientssl, 1);
2467
2468 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2469 SSL_ERROR_NONE)))
2470 goto end;
2471
2472 /*
2473 * Following a successful resumption we only get 1 ticket. After a
2474 * failed one we should get idx tickets.
2475 */
2476 if (succ) {
2477 if (!TEST_true(SSL_session_reused(clientssl))
2478 || !TEST_int_eq(new_called, 1))
2479 goto end;
2480 } else {
2481 if (!TEST_false(SSL_session_reused(clientssl))
2482 || !TEST_int_eq(new_called, idx))
2483 goto end;
2484 }
2485
2486 new_called = 0;
2487 /* After a post-handshake authentication we should get 1 new ticket */
2488 if (succ
2489 && (!post_handshake_verify(serverssl, clientssl)
2490 || !TEST_int_eq(new_called, 1)))
2491 goto end;
2492
2493 SSL_shutdown(clientssl);
2494 SSL_shutdown(serverssl);
2495 SSL_free(serverssl);
2496 SSL_free(clientssl);
2497 serverssl = clientssl = NULL;
2498 SSL_SESSION_free(sesscache[i]);
2499 sesscache[i] = NULL;
2500 }
2501
2502 return 1;
2503
2504 end:
2505 SSL_free(clientssl);
2506 SSL_free(serverssl);
2507 return 0;
2508}
2509
2510static int test_tickets(int stateful, int idx)
2511{
2512 SSL_CTX *sctx = NULL, *cctx = NULL;
2513 SSL *serverssl = NULL, *clientssl = NULL;
2514 int testresult = 0;
2515 size_t j;
2516
2517 /* idx is the test number, but also the number of tickets we want */
2518
2519 new_called = 0;
2520 do_cache = 1;
2521
2522 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2523 goto end;
2524
2525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2526 &clientssl, NULL, NULL)))
2527 goto end;
2528
2529 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2530 SSL_ERROR_NONE))
2531 /* Check we got the number of tickets we were expecting */
2532 || !TEST_int_eq(idx, new_called))
2533 goto end;
2534
2535 SSL_shutdown(clientssl);
2536 SSL_shutdown(serverssl);
2537 SSL_free(serverssl);
2538 SSL_free(clientssl);
2539 SSL_CTX_free(sctx);
2540 SSL_CTX_free(cctx);
2541 clientssl = serverssl = NULL;
2542 sctx = cctx = NULL;
2543
2544 /*
2545 * Now we try to resume with the tickets we previously created. The
2546 * resumption attempt is expected to fail (because we're now using a new
2547 * SSL_CTX). We should see idx number of tickets issued again.
2548 */
2549
2550 /* Stop caching sessions - just count them */
2551 do_cache = 0;
2552
2553 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2554 goto end;
2555
2556 if (!check_resumption(idx, sctx, cctx, 0))
2557 goto end;
2558
2559 /* Start again with caching sessions */
2560 new_called = 0;
2561 do_cache = 1;
2562 SSL_CTX_free(sctx);
2563 SSL_CTX_free(cctx);
2564 sctx = cctx = NULL;
2565
2566 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2567 goto end;
2568
2569 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2570 &clientssl, NULL, NULL)))
2571 goto end;
2572
2573 SSL_set_post_handshake_auth(clientssl, 1);
2574
2575 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2576 SSL_ERROR_NONE))
2577 /* Check we got the number of tickets we were expecting */
2578 || !TEST_int_eq(idx, new_called))
2579 goto end;
2580
2581 /* After a post-handshake authentication we should get new tickets issued */
2582 if (!post_handshake_verify(serverssl, clientssl)
2583 || !TEST_int_eq(idx * 2, new_called))
2584 goto end;
2585
2586 SSL_shutdown(clientssl);
2587 SSL_shutdown(serverssl);
2588 SSL_free(serverssl);
2589 SSL_free(clientssl);
2590 serverssl = clientssl = NULL;
2591
2592 /* Stop caching sessions - just count them */
2593 do_cache = 0;
2594
2595 /*
2596 * Check we can resume with all the tickets we created. This time around the
2597 * resumptions should all be successful.
2598 */
2599 if (!check_resumption(idx, sctx, cctx, 1))
2600 goto end;
2601
2602 testresult = 1;
2603
2604 end:
2605 SSL_free(serverssl);
2606 SSL_free(clientssl);
2607 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2608 SSL_SESSION_free(sesscache[j]);
2609 sesscache[j] = NULL;
2610 }
2611 SSL_CTX_free(sctx);
2612 SSL_CTX_free(cctx);
2613
2614 return testresult;
2615}
2616
2617static int test_stateless_tickets(int idx)
2618{
2619 return test_tickets(0, idx);
2620}
2621
2622static int test_stateful_tickets(int idx)
2623{
2624 return test_tickets(1, idx);
2625}
2626
2627static int test_psk_tickets(void)
2628{
2629 SSL_CTX *sctx = NULL, *cctx = NULL;
2630 SSL *serverssl = NULL, *clientssl = NULL;
2631 int testresult = 0;
2632 int sess_id_ctx = 1;
2633
2634 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2635 TLS_client_method(), TLS1_VERSION, 0,
2636 &sctx, &cctx, NULL, NULL))
2637 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2638 (void *)&sess_id_ctx,
2639 sizeof(sess_id_ctx))))
2640 goto end;
2641
2642 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2643 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2644 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2645 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2646 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2647 use_session_cb_cnt = 0;
2648 find_session_cb_cnt = 0;
2649 srvid = pskid;
2650 new_called = 0;
2651
2652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2653 NULL, NULL)))
2654 goto end;
2655 clientpsk = serverpsk = create_a_psk(clientssl);
2656 if (!TEST_ptr(clientpsk))
2657 goto end;
2658 SSL_SESSION_up_ref(clientpsk);
2659
2660 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2661 SSL_ERROR_NONE))
2662 || !TEST_int_eq(1, find_session_cb_cnt)
2663 || !TEST_int_eq(1, use_session_cb_cnt)
2664 /* We should always get 1 ticket when using external PSK */
2665 || !TEST_int_eq(1, new_called))
2666 goto end;
2667
2668 testresult = 1;
2669
2670 end:
2671 SSL_free(serverssl);
2672 SSL_free(clientssl);
2673 SSL_CTX_free(sctx);
2674 SSL_CTX_free(cctx);
2675 SSL_SESSION_free(clientpsk);
2676 SSL_SESSION_free(serverpsk);
2677 clientpsk = serverpsk = NULL;
2678
2679 return testresult;
2680}
2681
2682static int test_extra_tickets(int idx)
2683{
2684 SSL_CTX *sctx = NULL, *cctx = NULL;
2685 SSL *serverssl = NULL, *clientssl = NULL;
2686 BIO *bretry = BIO_new(bio_s_always_retry());
2687 BIO *tmp = NULL;
2688 int testresult = 0;
2689 int stateful = 0;
2690 size_t nbytes;
2691 unsigned char c, buf[1];
2692
2693 new_called = 0;
2694 do_cache = 1;
2695
2696 if (idx >= 3) {
2697 idx -= 3;
2698 stateful = 1;
2699 }
2700
2701 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2702 goto end;
2703 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2704 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2705 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2706
2707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2708 &clientssl, NULL, NULL)))
2709 goto end;
2710
2711 /*
2712 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2713 * incremented by both client and server.
2714 */
2715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2716 SSL_ERROR_NONE))
2717 /* Check we got the number of tickets we were expecting */
2718 || !TEST_int_eq(idx * 2, new_called)
2719 || !TEST_true(SSL_new_session_ticket(serverssl))
2720 || !TEST_true(SSL_new_session_ticket(serverssl))
2721 || !TEST_int_eq(idx * 2, new_called))
2722 goto end;
2723
2724 /* Now try a (real) write to actually send the tickets */
2725 c = '1';
2726 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2727 || !TEST_size_t_eq(1, nbytes)
2728 || !TEST_int_eq(idx * 2 + 2, new_called)
2729 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2730 || !TEST_int_eq(idx * 2 + 4, new_called)
2731 || !TEST_int_eq(sizeof(buf), nbytes)
2732 || !TEST_int_eq(c, buf[0])
2733 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2734 goto end;
2735
2736 /* Try with only requesting one new ticket, too */
2737 c = '2';
2738 new_called = 0;
2739 if (!TEST_true(SSL_new_session_ticket(serverssl))
2740 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2741 || !TEST_size_t_eq(sizeof(c), nbytes)
2742 || !TEST_int_eq(1, new_called)
2743 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2744 || !TEST_int_eq(2, new_called)
2745 || !TEST_size_t_eq(sizeof(buf), nbytes)
2746 || !TEST_int_eq(c, buf[0]))
2747 goto end;
2748
2749 /* Do it again but use dummy writes to drive the ticket generation */
2750 c = '3';
2751 new_called = 0;
2752 if (!TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2755 || !TEST_size_t_eq(0, nbytes)
2756 || !TEST_int_eq(2, new_called)
2757 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2758 || !TEST_int_eq(4, new_called))
2759 goto end;
2760
2761 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2762 c = '4';
2763 new_called = 0;
2764 if (!TEST_true(SSL_new_session_ticket(serverssl))
2765 || !TEST_true(SSL_new_session_ticket(serverssl))
2766 || !TEST_true(SSL_do_handshake(serverssl))
2767 || !TEST_int_eq(2, new_called)
2768 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2769 || !TEST_int_eq(4, new_called))
2770 goto end;
2771
2772 /*
2773 * Use the always-retry BIO to exercise the logic that forces ticket
2774 * generation to wait until a record boundary.
2775 */
2776 c = '5';
2777 new_called = 0;
2778 tmp = SSL_get_wbio(serverssl);
2779 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2780 tmp = NULL;
2781 goto end;
2782 }
2783 SSL_set0_wbio(serverssl, bretry);
2784 bretry = NULL;
2785 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2786 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2787 || !TEST_size_t_eq(nbytes, 0))
2788 goto end;
2789 /* Restore a BIO that will let the write succeed */
2790 SSL_set0_wbio(serverssl, tmp);
2791 tmp = NULL;
2792 /*
2793 * These calls should just queue the request and not send anything
2794 * even if we explicitly try to hit the state machine.
2795 */
2796 if (!TEST_true(SSL_new_session_ticket(serverssl))
2797 || !TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_int_eq(0, new_called)
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(0, new_called))
2801 goto end;
2802 /* Re-do the write; still no tickets sent */
2803 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2804 || !TEST_size_t_eq(1, nbytes)
2805 || !TEST_int_eq(0, new_called)
2806 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2807 || !TEST_int_eq(0, new_called)
2808 || !TEST_int_eq(sizeof(buf), nbytes)
2809 || !TEST_int_eq(c, buf[0])
2810 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2811 goto end;
2812 /* Even trying to hit the state machine now will still not send tickets */
2813 if (!TEST_true(SSL_do_handshake(serverssl))
2814 || !TEST_int_eq(0, new_called))
2815 goto end;
2816 /* Now the *next* write should send the tickets */
2817 c = '6';
2818 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_size_t_eq(1, nbytes)
2820 || !TEST_int_eq(2, new_called)
2821 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2822 || !TEST_int_eq(4, new_called)
2823 || !TEST_int_eq(sizeof(buf), nbytes)
2824 || !TEST_int_eq(c, buf[0])
2825 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2826 goto end;
2827
2828 SSL_shutdown(clientssl);
2829 SSL_shutdown(serverssl);
2830 testresult = 1;
2831
2832 end:
2833 BIO_free(bretry);
2834 BIO_free(tmp);
2835 SSL_free(serverssl);
2836 SSL_free(clientssl);
2837 SSL_CTX_free(sctx);
2838 SSL_CTX_free(cctx);
2839 clientssl = serverssl = NULL;
2840 sctx = cctx = NULL;
2841 return testresult;
2842}
2843#endif
2844
2845#define USE_NULL 0
2846#define USE_BIO_1 1
2847#define USE_BIO_2 2
2848#define USE_DEFAULT 3
2849
2850#define CONNTYPE_CONNECTION_SUCCESS 0
2851#define CONNTYPE_CONNECTION_FAIL 1
2852#define CONNTYPE_NO_CONNECTION 2
2853
2854#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2855#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2856#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2857# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2858#else
2859# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2860#endif
2861
2862#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2863 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2864 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2865
2866static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2867{
2868 switch (type) {
2869 case USE_NULL:
2870 *res = NULL;
2871 break;
2872 case USE_BIO_1:
2873 *res = bio1;
2874 break;
2875 case USE_BIO_2:
2876 *res = bio2;
2877 break;
2878 }
2879}
2880
2881
2882/*
2883 * Tests calls to SSL_set_bio() under various conditions.
2884 *
2885 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2886 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2887 * then do more tests where we create a successful connection first using our
2888 * standard connection setup functions, and then call SSL_set_bio() with
2889 * various combinations of valid BIOs or NULL. We then repeat these tests
2890 * following a failed connection. In this last case we are looking to check that
2891 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2892 */
2893static int test_ssl_set_bio(int idx)
2894{
2895 SSL_CTX *sctx = NULL, *cctx = NULL;
2896 BIO *bio1 = NULL;
2897 BIO *bio2 = NULL;
2898 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2899 SSL *serverssl = NULL, *clientssl = NULL;
2900 int initrbio, initwbio, newrbio, newwbio, conntype;
2901 int testresult = 0;
2902
2903 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2904 initrbio = idx % 3;
2905 idx /= 3;
2906 initwbio = idx % 3;
2907 idx /= 3;
2908 newrbio = idx % 3;
2909 idx /= 3;
2910 newwbio = idx % 3;
2911 conntype = CONNTYPE_NO_CONNECTION;
2912 } else {
2913 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2914 initrbio = initwbio = USE_DEFAULT;
2915 newrbio = idx % 2;
2916 idx /= 2;
2917 newwbio = idx % 2;
2918 idx /= 2;
2919 conntype = idx % 2;
2920 }
2921
2922 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2923 TLS_client_method(), TLS1_VERSION, 0,
2924 &sctx, &cctx, cert, privkey)))
2925 goto end;
2926
2927 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2928 /*
2929 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2930 * because we reduced the number of tests in the definition of
2931 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2932 * mismatched protocol versions we will force a connection failure.
2933 */
2934 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2935 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2936 }
2937
2938 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2939 NULL, NULL)))
2940 goto end;
2941
2942 if (initrbio == USE_BIO_1
2943 || initwbio == USE_BIO_1
2944 || newrbio == USE_BIO_1
2945 || newwbio == USE_BIO_1) {
2946 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2947 goto end;
2948 }
2949
2950 if (initrbio == USE_BIO_2
2951 || initwbio == USE_BIO_2
2952 || newrbio == USE_BIO_2
2953 || newwbio == USE_BIO_2) {
2954 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2955 goto end;
2956 }
2957
2958 if (initrbio != USE_DEFAULT) {
2959 setupbio(&irbio, bio1, bio2, initrbio);
2960 setupbio(&iwbio, bio1, bio2, initwbio);
2961 SSL_set_bio(clientssl, irbio, iwbio);
2962
2963 /*
2964 * We want to maintain our own refs to these BIO, so do an up ref for
2965 * each BIO that will have ownership transferred in the SSL_set_bio()
2966 * call
2967 */
2968 if (irbio != NULL)
2969 BIO_up_ref(irbio);
2970 if (iwbio != NULL && iwbio != irbio)
2971 BIO_up_ref(iwbio);
2972 }
2973
2974 if (conntype != CONNTYPE_NO_CONNECTION
2975 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2976 SSL_ERROR_NONE)
2977 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2978 goto end;
2979
2980 setupbio(&nrbio, bio1, bio2, newrbio);
2981 setupbio(&nwbio, bio1, bio2, newwbio);
2982
2983 /*
2984 * We will (maybe) transfer ownership again so do more up refs.
2985 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2986 * already been set!
2987 */
2988 if (nrbio != NULL
2989 && nrbio != irbio
2990 && (nwbio != iwbio || nrbio != nwbio))
2991 BIO_up_ref(nrbio);
2992 if (nwbio != NULL
2993 && nwbio != nrbio
2994 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2995 BIO_up_ref(nwbio);
2996
2997 SSL_set_bio(clientssl, nrbio, nwbio);
2998
2999 testresult = 1;
3000
3001 end:
3002 BIO_free(bio1);
3003 BIO_free(bio2);
3004
3005 /*
3006 * This test is checking that the ref counting for SSL_set_bio is correct.
3007 * If we get here and we did too many frees then we will fail in the above
3008 * functions.
3009 */
3010 SSL_free(serverssl);
3011 SSL_free(clientssl);
3012 SSL_CTX_free(sctx);
3013 SSL_CTX_free(cctx);
3014 return testresult;
3015}
3016
3017typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3018
3019static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3020{
3021 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3022 SSL_CTX *ctx;
3023 SSL *ssl = NULL;
3024 int testresult = 0;
3025
3026 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3027 || !TEST_ptr(ssl = SSL_new(ctx))
3028 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3029 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3030 goto end;
3031
3032 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3033
3034 /*
3035 * If anything goes wrong here then we could leak memory.
3036 */
3037 BIO_push(sslbio, membio1);
3038
3039 /* Verify changing the rbio/wbio directly does not cause leaks */
3040 if (change_bio != NO_BIO_CHANGE) {
3041 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3042 ssl = NULL;
3043 goto end;
3044 }
3045 if (change_bio == CHANGE_RBIO)
3046 SSL_set0_rbio(ssl, membio2);
3047 else
3048 SSL_set0_wbio(ssl, membio2);
3049 }
3050 ssl = NULL;
3051
3052 if (pop_ssl)
3053 BIO_pop(sslbio);
3054 else
3055 BIO_pop(membio1);
3056
3057 testresult = 1;
3058 end:
3059 BIO_free(membio1);
3060 BIO_free(sslbio);
3061 SSL_free(ssl);
3062 SSL_CTX_free(ctx);
3063
3064 return testresult;
3065}
3066
3067static int test_ssl_bio_pop_next_bio(void)
3068{
3069 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3070}
3071
3072static int test_ssl_bio_pop_ssl_bio(void)
3073{
3074 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3075}
3076
3077static int test_ssl_bio_change_rbio(void)
3078{
3079 return execute_test_ssl_bio(0, CHANGE_RBIO);
3080}
3081
3082static int test_ssl_bio_change_wbio(void)
3083{
3084 return execute_test_ssl_bio(0, CHANGE_WBIO);
3085}
3086
3087#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3088typedef struct {
3089 /* The list of sig algs */
3090 const int *list;
3091 /* The length of the list */
3092 size_t listlen;
3093 /* A sigalgs list in string format */
3094 const char *liststr;
3095 /* Whether setting the list should succeed */
3096 int valid;
3097 /* Whether creating a connection with the list should succeed */
3098 int connsuccess;
3099} sigalgs_list;
3100
3101static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3102# ifndef OPENSSL_NO_EC
3103static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3104static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3105# endif
3106static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3107static const int invalidlist2[] = {NID_sha256, NID_undef};
3108static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3109static const int invalidlist4[] = {NID_sha256};
3110static const sigalgs_list testsigalgs[] = {
3111 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3112# ifndef OPENSSL_NO_EC
3113 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3114 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3115# endif
3116 {NULL, 0, "RSA+SHA256", 1, 1},
3117# ifndef OPENSSL_NO_EC
3118 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3119 {NULL, 0, "ECDSA+SHA512", 1, 0},
3120# endif
3121 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3122 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3123 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3124 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3125 {NULL, 0, "RSA", 0, 0},
3126 {NULL, 0, "SHA256", 0, 0},
3127 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3128 {NULL, 0, "Invalid", 0, 0}
3129};
3130
3131static int test_set_sigalgs(int idx)
3132{
3133 SSL_CTX *cctx = NULL, *sctx = NULL;
3134 SSL *clientssl = NULL, *serverssl = NULL;
3135 int testresult = 0;
3136 const sigalgs_list *curr;
3137 int testctx;
3138
3139 /* Should never happen */
3140 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3141 return 0;
3142
3143 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3144 curr = testctx ? &testsigalgs[idx]
3145 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3146
3147 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3148 TLS_client_method(), TLS1_VERSION, 0,
3149 &sctx, &cctx, cert, privkey)))
3150 return 0;
3151
3152 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3153
3154 if (testctx) {
3155 int ret;
3156
3157 if (curr->list != NULL)
3158 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3159 else
3160 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3161
3162 if (!ret) {
3163 if (curr->valid)
3164 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3165 else
3166 testresult = 1;
3167 goto end;
3168 }
3169 if (!curr->valid) {
3170 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3171 goto end;
3172 }
3173 }
3174
3175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3176 &clientssl, NULL, NULL)))
3177 goto end;
3178
3179 if (!testctx) {
3180 int ret;
3181
3182 if (curr->list != NULL)
3183 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3184 else
3185 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3186 if (!ret) {
3187 if (curr->valid)
3188 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3189 else
3190 testresult = 1;
3191 goto end;
3192 }
3193 if (!curr->valid)
3194 goto end;
3195 }
3196
3197 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3198 SSL_ERROR_NONE),
3199 curr->connsuccess))
3200 goto end;
3201
3202 testresult = 1;
3203
3204 end:
3205 SSL_free(serverssl);
3206 SSL_free(clientssl);
3207 SSL_CTX_free(sctx);
3208 SSL_CTX_free(cctx);
3209
3210 return testresult;
3211}
3212#endif
3213
3214#ifndef OSSL_NO_USABLE_TLS1_3
3215static int psk_client_cb_cnt = 0;
3216static int psk_server_cb_cnt = 0;
3217
3218static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3219 size_t *idlen, SSL_SESSION **sess)
3220{
3221 switch (++use_session_cb_cnt) {
3222 case 1:
3223 /* The first call should always have a NULL md */
3224 if (md != NULL)
3225 return 0;
3226 break;
3227
3228 case 2:
3229 /* The second call should always have an md */
3230 if (md == NULL)
3231 return 0;
3232 break;
3233
3234 default:
3235 /* We should only be called a maximum of twice */
3236 return 0;
3237 }
3238
3239 if (clientpsk != NULL)
3240 SSL_SESSION_up_ref(clientpsk);
3241
3242 *sess = clientpsk;
3243 *id = (const unsigned char *)pskid;
3244 *idlen = strlen(pskid);
3245
3246 return 1;
3247}
3248
3249#ifndef OPENSSL_NO_PSK
3250static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3251 unsigned int max_id_len,
3252 unsigned char *psk,
3253 unsigned int max_psk_len)
3254{
3255 unsigned int psklen = 0;
3256
3257 psk_client_cb_cnt++;
3258
3259 if (strlen(pskid) + 1 > max_id_len)
3260 return 0;
3261
3262 /* We should only ever be called a maximum of twice per connection */
3263 if (psk_client_cb_cnt > 2)
3264 return 0;
3265
3266 if (clientpsk == NULL)
3267 return 0;
3268
3269 /* We'll reuse the PSK we set up for TLSv1.3 */
3270 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3271 return 0;
3272 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3273 strncpy(id, pskid, max_id_len);
3274
3275 return psklen;
3276}
3277#endif /* OPENSSL_NO_PSK */
3278
3279static int find_session_cb(SSL *ssl, const unsigned char *identity,
3280 size_t identity_len, SSL_SESSION **sess)
3281{
3282 find_session_cb_cnt++;
3283
3284 /* We should only ever be called a maximum of twice per connection */
3285 if (find_session_cb_cnt > 2)
3286 return 0;
3287
3288 if (serverpsk == NULL)
3289 return 0;
3290
3291 /* Identity should match that set by the client */
3292 if (strlen(srvid) != identity_len
3293 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3294 /* No PSK found, continue but without a PSK */
3295 *sess = NULL;
3296 return 1;
3297 }
3298
3299 SSL_SESSION_up_ref(serverpsk);
3300 *sess = serverpsk;
3301
3302 return 1;
3303}
3304
3305#ifndef OPENSSL_NO_PSK
3306static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3307 unsigned char *psk, unsigned int max_psk_len)
3308{
3309 unsigned int psklen = 0;
3310
3311 psk_server_cb_cnt++;
3312
3313 /* We should only ever be called a maximum of twice per connection */
3314 if (find_session_cb_cnt > 2)
3315 return 0;
3316
3317 if (serverpsk == NULL)
3318 return 0;
3319
3320 /* Identity should match that set by the client */
3321 if (strcmp(srvid, identity) != 0) {
3322 return 0;
3323 }
3324
3325 /* We'll reuse the PSK we set up for TLSv1.3 */
3326 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3327 return 0;
3328 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3329
3330 return psklen;
3331}
3332#endif /* OPENSSL_NO_PSK */
3333
3334#define MSG1 "Hello"
3335#define MSG2 "World."
3336#define MSG3 "This"
3337#define MSG4 "is"
3338#define MSG5 "a"
3339#define MSG6 "test"
3340#define MSG7 "message."
3341
3342#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3343#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3344#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3345#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3346#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3347
3348
3349static SSL_SESSION *create_a_psk(SSL *ssl)
3350{
3351 const SSL_CIPHER *cipher = NULL;
3352 const unsigned char key[] = {
3353 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3354 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3355 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3356 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3357 0x2c, 0x2d, 0x2e, 0x2f
3358 };
3359 SSL_SESSION *sess = NULL;
3360
3361 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3362 sess = SSL_SESSION_new();
3363 if (!TEST_ptr(sess)
3364 || !TEST_ptr(cipher)
3365 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3366 sizeof(key)))
3367 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3368 || !TEST_true(
3369 SSL_SESSION_set_protocol_version(sess,
3370 TLS1_3_VERSION))) {
3371 SSL_SESSION_free(sess);
3372 return NULL;
3373 }
3374 return sess;
3375}
3376
3377/*
3378 * Helper method to setup objects for early data test. Caller frees objects on
3379 * error.
3380 */
3381static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3382 SSL **serverssl, SSL_SESSION **sess, int idx)
3383{
3384 if (*sctx == NULL
3385 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3386 TLS_client_method(),
3387 TLS1_VERSION, 0,
3388 sctx, cctx, cert, privkey)))
3389 return 0;
3390
3391 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3392 return 0;
3393
3394 if (idx == 1) {
3395 /* When idx == 1 we repeat the tests with read_ahead set */
3396 SSL_CTX_set_read_ahead(*cctx, 1);
3397 SSL_CTX_set_read_ahead(*sctx, 1);
3398 } else if (idx == 2) {
3399 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3400 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3401 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3402 use_session_cb_cnt = 0;
3403 find_session_cb_cnt = 0;
3404 srvid = pskid;
3405 }
3406
3407 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3408 NULL, NULL)))
3409 return 0;
3410
3411 /*
3412 * For one of the run throughs (doesn't matter which one), we'll try sending
3413 * some SNI data in the initial ClientHello. This will be ignored (because
3414 * there is no SNI cb set up by the server), so it should not impact
3415 * early_data.
3416 */
3417 if (idx == 1
3418 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3419 return 0;
3420
3421 if (idx == 2) {
3422 clientpsk = create_a_psk(*clientssl);
3423 if (!TEST_ptr(clientpsk)
3424 /*
3425 * We just choose an arbitrary value for max_early_data which
3426 * should be big enough for testing purposes.
3427 */
3428 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3429 0x100))
3430 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3431 SSL_SESSION_free(clientpsk);
3432 clientpsk = NULL;
3433 return 0;
3434 }
3435 serverpsk = clientpsk;
3436
3437 if (sess != NULL) {
3438 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3439 SSL_SESSION_free(clientpsk);
3440 SSL_SESSION_free(serverpsk);
3441 clientpsk = serverpsk = NULL;
3442 return 0;
3443 }
3444 *sess = clientpsk;
3445 }
3446 return 1;
3447 }
3448
3449 if (sess == NULL)
3450 return 1;
3451
3452 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3453 SSL_ERROR_NONE)))
3454 return 0;
3455
3456 *sess = SSL_get1_session(*clientssl);
3457 SSL_shutdown(*clientssl);
3458 SSL_shutdown(*serverssl);
3459 SSL_free(*serverssl);
3460 SSL_free(*clientssl);
3461 *serverssl = *clientssl = NULL;
3462
3463 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3464 clientssl, NULL, NULL))
3465 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3466 return 0;
3467
3468 return 1;
3469}
3470
3471static int test_early_data_read_write(int idx)
3472{
3473 SSL_CTX *cctx = NULL, *sctx = NULL;
3474 SSL *clientssl = NULL, *serverssl = NULL;
3475 int testresult = 0;
3476 SSL_SESSION *sess = NULL;
3477 unsigned char buf[20], data[1024];
3478 size_t readbytes, written, eoedlen, rawread, rawwritten;
3479 BIO *rbio;
3480
3481 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3482 &serverssl, &sess, idx)))
3483 goto end;
3484
3485 /* Write and read some early data */
3486 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3487 &written))
3488 || !TEST_size_t_eq(written, strlen(MSG1))
3489 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3490 sizeof(buf), &readbytes),
3491 SSL_READ_EARLY_DATA_SUCCESS)
3492 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3493 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3494 SSL_EARLY_DATA_ACCEPTED))
3495 goto end;
3496
3497 /*
3498 * Server should be able to write data, and client should be able to
3499 * read it.
3500 */
3501 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3502 &written))
3503 || !TEST_size_t_eq(written, strlen(MSG2))
3504 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3505 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3506 goto end;
3507
3508 /* Even after reading normal data, client should be able write early data */
3509 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3510 &written))
3511 || !TEST_size_t_eq(written, strlen(MSG3)))
3512 goto end;
3513
3514 /* Server should still be able read early data after writing data */
3515 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3516 &readbytes),
3517 SSL_READ_EARLY_DATA_SUCCESS)
3518 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3519 goto end;
3520
3521 /* Write more data from server and read it from client */
3522 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3523 &written))
3524 || !TEST_size_t_eq(written, strlen(MSG4))
3525 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3526 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3527 goto end;
3528
3529 /*
3530 * If client writes normal data it should mean writing early data is no
3531 * longer possible.
3532 */
3533 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3534 || !TEST_size_t_eq(written, strlen(MSG5))
3535 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3536 SSL_EARLY_DATA_ACCEPTED))
3537 goto end;
3538
3539 /*
3540 * At this point the client has written EndOfEarlyData, ClientFinished and
3541 * normal (fully protected) data. We are going to cause a delay between the
3542 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3543 * in the read BIO, and then just put back the EndOfEarlyData message.
3544 */
3545 rbio = SSL_get_rbio(serverssl);
3546 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3547 || !TEST_size_t_lt(rawread, sizeof(data))
3548 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3549 goto end;
3550
3551 /* Record length is in the 4th and 5th bytes of the record header */
3552 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3553 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3554 || !TEST_size_t_eq(rawwritten, eoedlen))
3555 goto end;
3556
3557 /* Server should be told that there is no more early data */
3558 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3559 &readbytes),
3560 SSL_READ_EARLY_DATA_FINISH)
3561 || !TEST_size_t_eq(readbytes, 0))
3562 goto end;
3563
3564 /*
3565 * Server has not finished init yet, so should still be able to write early
3566 * data.
3567 */
3568 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3569 &written))
3570 || !TEST_size_t_eq(written, strlen(MSG6)))
3571 goto end;
3572
3573 /* Push the ClientFinished and the normal data back into the server rbio */
3574 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3575 &rawwritten))
3576 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3577 goto end;
3578
3579 /* Server should be able to read normal data */
3580 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3581 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3582 goto end;
3583
3584 /* Client and server should not be able to write/read early data now */
3585 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3586 &written)))
3587 goto end;
3588 ERR_clear_error();
3589 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3590 &readbytes),
3591 SSL_READ_EARLY_DATA_ERROR))
3592 goto end;
3593 ERR_clear_error();
3594
3595 /* Client should be able to read the data sent by the server */
3596 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3597 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3598 goto end;
3599
3600 /*
3601 * Make sure we process the two NewSessionTickets. These arrive
3602 * post-handshake. We attempt reads which we do not expect to return any
3603 * data.
3604 */
3605 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3606 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3607 &readbytes)))
3608 goto end;
3609
3610 /* Server should be able to write normal data */
3611 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3612 || !TEST_size_t_eq(written, strlen(MSG7))
3613 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3614 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3615 goto end;
3616
3617 SSL_SESSION_free(sess);
3618 sess = SSL_get1_session(clientssl);
3619 use_session_cb_cnt = 0;
3620 find_session_cb_cnt = 0;
3621
3622 SSL_shutdown(clientssl);
3623 SSL_shutdown(serverssl);
3624 SSL_free(serverssl);
3625 SSL_free(clientssl);
3626 serverssl = clientssl = NULL;
3627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3628 &clientssl, NULL, NULL))
3629 || !TEST_true(SSL_set_session(clientssl, sess)))
3630 goto end;
3631
3632 /* Write and read some early data */
3633 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3634 &written))
3635 || !TEST_size_t_eq(written, strlen(MSG1))
3636 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3637 &readbytes),
3638 SSL_READ_EARLY_DATA_SUCCESS)
3639 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3640 goto end;
3641
3642 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3643 || !TEST_int_gt(SSL_accept(serverssl), 0))
3644 goto end;
3645
3646 /* Client and server should not be able to write/read early data now */
3647 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3648 &written)))
3649 goto end;
3650 ERR_clear_error();
3651 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3652 &readbytes),
3653 SSL_READ_EARLY_DATA_ERROR))
3654 goto end;
3655 ERR_clear_error();
3656
3657 /* Client and server should be able to write/read normal data */
3658 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3659 || !TEST_size_t_eq(written, strlen(MSG5))
3660 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3661 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3662 goto end;
3663
3664 testresult = 1;
3665
3666 end:
3667 SSL_SESSION_free(sess);
3668 SSL_SESSION_free(clientpsk);
3669 SSL_SESSION_free(serverpsk);
3670 clientpsk = serverpsk = NULL;
3671 SSL_free(serverssl);
3672 SSL_free(clientssl);
3673 SSL_CTX_free(sctx);
3674 SSL_CTX_free(cctx);
3675 return testresult;
3676}
3677
3678static int allow_ed_cb_called = 0;
3679
3680static int allow_early_data_cb(SSL *s, void *arg)
3681{
3682 int *usecb = (int *)arg;
3683
3684 allow_ed_cb_called++;
3685
3686 if (*usecb == 1)
3687 return 0;
3688
3689 return 1;
3690}
3691
3692/*
3693 * idx == 0: Standard early_data setup
3694 * idx == 1: early_data setup using read_ahead
3695 * usecb == 0: Don't use a custom early data callback
3696 * usecb == 1: Use a custom early data callback and reject the early data
3697 * usecb == 2: Use a custom early data callback and accept the early data
3698 * confopt == 0: Configure anti-replay directly
3699 * confopt == 1: Configure anti-replay using SSL_CONF
3700 */
3701static int test_early_data_replay_int(int idx, int usecb, int confopt)
3702{
3703 SSL_CTX *cctx = NULL, *sctx = NULL;
3704 SSL *clientssl = NULL, *serverssl = NULL;
3705 int testresult = 0;
3706 SSL_SESSION *sess = NULL;
3707 size_t readbytes, written;
3708 unsigned char buf[20];
3709
3710 allow_ed_cb_called = 0;
3711
3712 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3713 TLS_client_method(), TLS1_VERSION, 0,
3714 &sctx, &cctx, cert, privkey)))
3715 return 0;
3716
3717 if (usecb > 0) {
3718 if (confopt == 0) {
3719 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3720 } else {
3721 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3722
3723 if (!TEST_ptr(confctx))
3724 goto end;
3725 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3726 | SSL_CONF_FLAG_SERVER);
3727 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3728 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3729 2)) {
3730 SSL_CONF_CTX_free(confctx);
3731 goto end;
3732 }
3733 SSL_CONF_CTX_free(confctx);
3734 }
3735 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3736 }
3737
3738 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3739 &serverssl, &sess, idx)))
3740 goto end;
3741
3742 /*
3743 * The server is configured to accept early data. Create a connection to
3744 * "use up" the ticket
3745 */
3746 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3747 || !TEST_true(SSL_session_reused(clientssl)))
3748 goto end;
3749
3750 SSL_shutdown(clientssl);
3751 SSL_shutdown(serverssl);
3752 SSL_free(serverssl);
3753 SSL_free(clientssl);
3754 serverssl = clientssl = NULL;
3755
3756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3757 &clientssl, NULL, NULL))
3758 || !TEST_true(SSL_set_session(clientssl, sess)))
3759 goto end;
3760
3761 /* Write and read some early data */
3762 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3763 &written))
3764 || !TEST_size_t_eq(written, strlen(MSG1)))
3765 goto end;
3766
3767 if (usecb <= 1) {
3768 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3769 &readbytes),
3770 SSL_READ_EARLY_DATA_FINISH)
3771 /*
3772 * The ticket was reused, so the we should have rejected the
3773 * early data
3774 */
3775 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3776 SSL_EARLY_DATA_REJECTED))
3777 goto end;
3778 } else {
3779 /* In this case the callback decides to accept the early data */
3780 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3781 &readbytes),
3782 SSL_READ_EARLY_DATA_SUCCESS)
3783 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3784 /*
3785 * Server will have sent its flight so client can now send
3786 * end of early data and complete its half of the handshake
3787 */
3788 || !TEST_int_gt(SSL_connect(clientssl), 0)
3789 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3790 &readbytes),
3791 SSL_READ_EARLY_DATA_FINISH)
3792 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3793 SSL_EARLY_DATA_ACCEPTED))
3794 goto end;
3795 }
3796
3797 /* Complete the connection */
3798 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3799 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3800 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3801 goto end;
3802
3803 testresult = 1;
3804
3805 end:
3806 SSL_SESSION_free(sess);
3807 SSL_SESSION_free(clientpsk);
3808 SSL_SESSION_free(serverpsk);
3809 clientpsk = serverpsk = NULL;
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3812 SSL_CTX_free(sctx);
3813 SSL_CTX_free(cctx);
3814 return testresult;
3815}
3816
3817static int test_early_data_replay(int idx)
3818{
3819 int ret = 1, usecb, confopt;
3820
3821 for (usecb = 0; usecb < 3; usecb++) {
3822 for (confopt = 0; confopt < 2; confopt++)
3823 ret &= test_early_data_replay_int(idx, usecb, confopt);
3824 }
3825
3826 return ret;
3827}
3828
3829/*
3830 * Helper function to test that a server attempting to read early data can
3831 * handle a connection from a client where the early data should be skipped.
3832 * testtype: 0 == No HRR
3833 * testtype: 1 == HRR
3834 * testtype: 2 == HRR, invalid early_data sent after HRR
3835 * testtype: 3 == recv_max_early_data set to 0
3836 */
3837static int early_data_skip_helper(int testtype, int idx)
3838{
3839 SSL_CTX *cctx = NULL, *sctx = NULL;
3840 SSL *clientssl = NULL, *serverssl = NULL;
3841 int testresult = 0;
3842 SSL_SESSION *sess = NULL;
3843 unsigned char buf[20];
3844 size_t readbytes, written;
3845
3846 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3847 &serverssl, &sess, idx)))
3848 goto end;
3849
3850 if (testtype == 1 || testtype == 2) {
3851 /* Force an HRR to occur */
3852#if defined(OPENSSL_NO_EC)
3853 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3854 goto end;
3855#else
3856 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3857 goto end;
3858#endif
3859 } else if (idx == 2) {
3860 /*
3861 * We force early_data rejection by ensuring the PSK identity is
3862 * unrecognised
3863 */
3864 srvid = "Dummy Identity";
3865 } else {
3866 /*
3867 * Deliberately corrupt the creation time. We take 20 seconds off the
3868 * time. It could be any value as long as it is not within tolerance.
3869 * This should mean the ticket is rejected.
3870 */
3871 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3872 goto end;
3873 }
3874
3875 if (testtype == 3
3876 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3877 goto end;
3878
3879 /* Write some early data */
3880 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3881 &written))
3882 || !TEST_size_t_eq(written, strlen(MSG1)))
3883 goto end;
3884
3885 /* Server should reject the early data */
3886 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3887 &readbytes),
3888 SSL_READ_EARLY_DATA_FINISH)
3889 || !TEST_size_t_eq(readbytes, 0)
3890 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3891 SSL_EARLY_DATA_REJECTED))
3892 goto end;
3893
3894 switch (testtype) {
3895 case 0:
3896 /* Nothing to do */
3897 break;
3898
3899 case 1:
3900 /*
3901 * Finish off the handshake. We perform the same writes and reads as
3902 * further down but we expect them to fail due to the incomplete
3903 * handshake.
3904 */
3905 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3906 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3907 &readbytes)))
3908 goto end;
3909 break;
3910
3911 case 2:
3912 {
3913 BIO *wbio = SSL_get_wbio(clientssl);
3914 /* A record that will appear as bad early_data */
3915 const unsigned char bad_early_data[] = {
3916 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3917 };
3918
3919 /*
3920 * We force the client to attempt a write. This will fail because
3921 * we're still in the handshake. It will cause the second
3922 * ClientHello to be sent.
3923 */
3924 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3925 &written)))
3926 goto end;
3927
3928 /*
3929 * Inject some early_data after the second ClientHello. This should
3930 * cause the server to fail
3931 */
3932 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3933 sizeof(bad_early_data), &written)))
3934 goto end;
3935 }
3936 /* fallthrough */
3937
3938 case 3:
3939 /*
3940 * This client has sent more early_data than we are willing to skip
3941 * (case 3) or sent invalid early_data (case 2) so the connection should
3942 * abort.
3943 */
3944 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3945 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3946 goto end;
3947
3948 /* Connection has failed - nothing more to do */
3949 testresult = 1;
3950 goto end;
3951
3952 default:
3953 TEST_error("Invalid test type");
3954 goto end;
3955 }
3956
3957 /*
3958 * Should be able to send normal data despite rejection of early data. The
3959 * early_data should be skipped.
3960 */
3961 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3962 || !TEST_size_t_eq(written, strlen(MSG2))
3963 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3964 SSL_EARLY_DATA_REJECTED)
3965 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3966 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3967 goto end;
3968
3969 testresult = 1;
3970
3971 end:
3972 SSL_SESSION_free(clientpsk);
3973 SSL_SESSION_free(serverpsk);
3974 clientpsk = serverpsk = NULL;
3975 SSL_SESSION_free(sess);
3976 SSL_free(serverssl);
3977 SSL_free(clientssl);
3978 SSL_CTX_free(sctx);
3979 SSL_CTX_free(cctx);
3980 return testresult;
3981}
3982
3983/*
3984 * Test that a server attempting to read early data can handle a connection
3985 * from a client where the early data is not acceptable.
3986 */
3987static int test_early_data_skip(int idx)
3988{
3989 return early_data_skip_helper(0, idx);
3990}
3991
3992/*
3993 * Test that a server attempting to read early data can handle a connection
3994 * from a client where an HRR occurs.
3995 */
3996static int test_early_data_skip_hrr(int idx)
3997{
3998 return early_data_skip_helper(1, idx);
3999}
4000
4001/*
4002 * Test that a server attempting to read early data can handle a connection
4003 * from a client where an HRR occurs and correctly fails if early_data is sent
4004 * after the HRR
4005 */
4006static int test_early_data_skip_hrr_fail(int idx)
4007{
4008 return early_data_skip_helper(2, idx);
4009}
4010
4011/*
4012 * Test that a server attempting to read early data will abort if it tries to
4013 * skip over too much.
4014 */
4015static int test_early_data_skip_abort(int idx)
4016{
4017 return early_data_skip_helper(3, idx);
4018}
4019
4020/*
4021 * Test that a server attempting to read early data can handle a connection
4022 * from a client that doesn't send any.
4023 */
4024static int test_early_data_not_sent(int idx)
4025{
4026 SSL_CTX *cctx = NULL, *sctx = NULL;
4027 SSL *clientssl = NULL, *serverssl = NULL;
4028 int testresult = 0;
4029 SSL_SESSION *sess = NULL;
4030 unsigned char buf[20];
4031 size_t readbytes, written;
4032
4033 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4034 &serverssl, &sess, idx)))
4035 goto end;
4036
4037 /* Write some data - should block due to handshake with server */
4038 SSL_set_connect_state(clientssl);
4039 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4040 goto end;
4041
4042 /* Server should detect that early data has not been sent */
4043 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4044 &readbytes),
4045 SSL_READ_EARLY_DATA_FINISH)
4046 || !TEST_size_t_eq(readbytes, 0)
4047 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4048 SSL_EARLY_DATA_NOT_SENT)
4049 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4050 SSL_EARLY_DATA_NOT_SENT))
4051 goto end;
4052
4053 /* Continue writing the message we started earlier */
4054 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4055 || !TEST_size_t_eq(written, strlen(MSG1))
4056 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4057 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4058 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4059 || !TEST_size_t_eq(written, strlen(MSG2)))
4060 goto end;
4061
4062 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4063 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4064 goto end;
4065
4066 testresult = 1;
4067
4068 end:
4069 SSL_SESSION_free(sess);
4070 SSL_SESSION_free(clientpsk);
4071 SSL_SESSION_free(serverpsk);
4072 clientpsk = serverpsk = NULL;
4073 SSL_free(serverssl);
4074 SSL_free(clientssl);
4075 SSL_CTX_free(sctx);
4076 SSL_CTX_free(cctx);
4077 return testresult;
4078}
4079
4080static const char *servalpn;
4081
4082static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4083 unsigned char *outlen, const unsigned char *in,
4084 unsigned int inlen, void *arg)
4085{
4086 unsigned int protlen = 0;
4087 const unsigned char *prot;
4088
4089 for (prot = in; prot < in + inlen; prot += protlen) {
4090 protlen = *prot++;
4091 if (in + inlen < prot + protlen)
4092 return SSL_TLSEXT_ERR_NOACK;
4093
4094 if (protlen == strlen(servalpn)
4095 && memcmp(prot, servalpn, protlen) == 0) {
4096 *out = prot;
4097 *outlen = protlen;
4098 return SSL_TLSEXT_ERR_OK;
4099 }
4100 }
4101
4102 return SSL_TLSEXT_ERR_NOACK;
4103}
4104
4105/* Test that a PSK can be used to send early_data */
4106static int test_early_data_psk(int idx)
4107{
4108 SSL_CTX *cctx = NULL, *sctx = NULL;
4109 SSL *clientssl = NULL, *serverssl = NULL;
4110 int testresult = 0;
4111 SSL_SESSION *sess = NULL;
4112 unsigned char alpnlist[] = {
4113 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4114 'l', 'p', 'n'
4115 };
4116#define GOODALPNLEN 9
4117#define BADALPNLEN 8
4118#define GOODALPN (alpnlist)
4119#define BADALPN (alpnlist + GOODALPNLEN)
4120 int err = 0;
4121 unsigned char buf[20];
4122 size_t readbytes, written;
4123 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4124 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4125
4126 /* We always set this up with a final parameter of "2" for PSK */
4127 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4128 &serverssl, &sess, 2)))
4129 goto end;
4130
4131 servalpn = "goodalpn";
4132
4133 /*
4134 * Note: There is no test for inconsistent SNI with late client detection.
4135 * This is because servers do not acknowledge SNI even if they are using
4136 * it in a resumption handshake - so it is not actually possible for a
4137 * client to detect a problem.
4138 */
4139 switch (idx) {
4140 case 0:
4141 /* Set inconsistent SNI (early client detection) */
4142 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4143 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4144 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4145 goto end;
4146 break;
4147
4148 case 1:
4149 /* Set inconsistent ALPN (early client detection) */
4150 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4151 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4152 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4153 GOODALPNLEN))
4154 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4155 BADALPNLEN)))
4156 goto end;
4157 break;
4158
4159 case 2:
4160 /*
4161 * Set invalid protocol version. Technically this affects PSKs without
4162 * early_data too, but we test it here because it is similar to the
4163 * SNI/ALPN consistency tests.
4164 */
4165 err = SSL_R_BAD_PSK;
4166 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4167 goto end;
4168 break;
4169
4170 case 3:
4171 /*
4172 * Set inconsistent SNI (server side). In this case the connection
4173 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4174 * is associated with each handshake - not the session. Therefore it
4175 * should not matter that we used a different server name last time.
4176 */
4177 SSL_SESSION_free(serverpsk);
4178 serverpsk = SSL_SESSION_dup(clientpsk);
4179 if (!TEST_ptr(serverpsk)
4180 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4181 goto end;
4182 /* Fall through */
4183 case 4:
4184 /* Set consistent SNI */
4185 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4186 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4187 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4188 hostname_cb)))
4189 goto end;
4190 break;
4191
4192 case 5:
4193 /*
4194 * Set inconsistent ALPN (server detected). In this case the connection
4195 * will succeed but reject early_data.
4196 */
4197 servalpn = "badalpn";
4198 edstatus = SSL_EARLY_DATA_REJECTED;
4199 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4200 /* Fall through */
4201 case 6:
4202 /*
4203 * Set consistent ALPN.
4204 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4205 * accepts a list of protos (each one length prefixed).
4206 * SSL_set1_alpn_selected accepts a single protocol (not length
4207 * prefixed)
4208 */
4209 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4210 GOODALPNLEN - 1))
4211 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4212 GOODALPNLEN)))
4213 goto end;
4214
4215 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4216 break;
4217
4218 case 7:
4219 /* Set inconsistent ALPN (late client detection) */
4220 SSL_SESSION_free(serverpsk);
4221 serverpsk = SSL_SESSION_dup(clientpsk);
4222 if (!TEST_ptr(serverpsk)
4223 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4224 BADALPN + 1,
4225 BADALPNLEN - 1))
4226 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4227 GOODALPN + 1,
4228 GOODALPNLEN - 1))
4229 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4230 sizeof(alpnlist))))
4231 goto end;
4232 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4233 edstatus = SSL_EARLY_DATA_ACCEPTED;
4234 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4235 /* SSL_connect() call should fail */
4236 connectres = -1;
4237 break;
4238
4239 default:
4240 TEST_error("Bad test index");
4241 goto end;
4242 }
4243
4244 SSL_set_connect_state(clientssl);
4245 if (err != 0) {
4246 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4247 &written))
4248 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4249 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4250 goto end;
4251 } else {
4252 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4253 &written)))
4254 goto end;
4255
4256 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4257 &readbytes), readearlyres)
4258 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4259 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4260 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4261 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4262 goto end;
4263 }
4264
4265 testresult = 1;
4266
4267 end:
4268 SSL_SESSION_free(sess);
4269 SSL_SESSION_free(clientpsk);
4270 SSL_SESSION_free(serverpsk);
4271 clientpsk = serverpsk = NULL;
4272 SSL_free(serverssl);
4273 SSL_free(clientssl);
4274 SSL_CTX_free(sctx);
4275 SSL_CTX_free(cctx);
4276 return testresult;
4277}
4278
4279/*
4280 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4281 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4282 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4283 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4284 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4285 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4286 */
4287static int test_early_data_psk_with_all_ciphers(int idx)
4288{
4289 SSL_CTX *cctx = NULL, *sctx = NULL;
4290 SSL *clientssl = NULL, *serverssl = NULL;
4291 int testresult = 0;
4292 SSL_SESSION *sess = NULL;
4293 unsigned char buf[20];
4294 size_t readbytes, written;
4295 const SSL_CIPHER *cipher;
4296 const char *cipher_str[] = {
4297 TLS1_3_RFC_AES_128_GCM_SHA256,
4298 TLS1_3_RFC_AES_256_GCM_SHA384,
4299# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4300 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4301# else
4302 NULL,
4303# endif
4304 TLS1_3_RFC_AES_128_CCM_SHA256,
4305 TLS1_3_RFC_AES_128_CCM_8_SHA256
4306 };
4307 const unsigned char *cipher_bytes[] = {
4308 TLS13_AES_128_GCM_SHA256_BYTES,
4309 TLS13_AES_256_GCM_SHA384_BYTES,
4310# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4311 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4312# else
4313 NULL,
4314# endif
4315 TLS13_AES_128_CCM_SHA256_BYTES,
4316 TLS13_AES_128_CCM_8_SHA256_BYTES
4317 };
4318
4319 if (cipher_str[idx] == NULL)
4320 return 1;
4321 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4322 if (idx == 2 && is_fips == 1)
4323 return 1;
4324
4325 /* We always set this up with a final parameter of "2" for PSK */
4326 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4327 &serverssl, &sess, 2)))
4328 goto end;
4329
4330 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4331 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4332 goto end;
4333
4334 /*
4335 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4336 * and assigns to both client and server with incremented reference
4337 * and the same instance is updated in 'sess'.
4338 * So updating ciphersuite in 'sess' which will get reflected in
4339 * PSK handshake using psk use sess and find sess cb.
4340 */
4341 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4342 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4343 goto end;
4344
4345 SSL_set_connect_state(clientssl);
4346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4347 &written)))
4348 goto end;
4349
4350 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4351 &readbytes),
4352 SSL_READ_EARLY_DATA_SUCCESS)
4353 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4354 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4355 SSL_EARLY_DATA_ACCEPTED)
4356 || !TEST_int_eq(SSL_connect(clientssl), 1)
4357 || !TEST_int_eq(SSL_accept(serverssl), 1))
4358 goto end;
4359
4360 /* Send some normal data from client to server */
4361 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4362 || !TEST_size_t_eq(written, strlen(MSG2)))
4363 goto end;
4364
4365 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4366 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4367 goto end;
4368
4369 testresult = 1;
4370 end:
4371 SSL_SESSION_free(sess);
4372 SSL_SESSION_free(clientpsk);
4373 SSL_SESSION_free(serverpsk);
4374 clientpsk = serverpsk = NULL;
4375 if (clientssl != NULL)
4376 SSL_shutdown(clientssl);
4377 if (serverssl != NULL)
4378 SSL_shutdown(serverssl);
4379 SSL_free(serverssl);
4380 SSL_free(clientssl);
4381 SSL_CTX_free(sctx);
4382 SSL_CTX_free(cctx);
4383 return testresult;
4384}
4385
4386/*
4387 * Test that a server that doesn't try to read early data can handle a
4388 * client sending some.
4389 */
4390static int test_early_data_not_expected(int idx)
4391{
4392 SSL_CTX *cctx = NULL, *sctx = NULL;
4393 SSL *clientssl = NULL, *serverssl = NULL;
4394 int testresult = 0;
4395 SSL_SESSION *sess = NULL;
4396 unsigned char buf[20];
4397 size_t readbytes, written;
4398
4399 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4400 &serverssl, &sess, idx)))
4401 goto end;
4402
4403 /* Write some early data */
4404 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4405 &written)))
4406 goto end;
4407
4408 /*
4409 * Server should skip over early data and then block waiting for client to
4410 * continue handshake
4411 */
4412 if (!TEST_int_le(SSL_accept(serverssl), 0)
4413 || !TEST_int_gt(SSL_connect(clientssl), 0)
4414 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4415 SSL_EARLY_DATA_REJECTED)
4416 || !TEST_int_gt(SSL_accept(serverssl), 0)
4417 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4418 SSL_EARLY_DATA_REJECTED))
4419 goto end;
4420
4421 /* Send some normal data from client to server */
4422 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4423 || !TEST_size_t_eq(written, strlen(MSG2)))
4424 goto end;
4425
4426 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4427 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4428 goto end;
4429
4430 testresult = 1;
4431
4432 end:
4433 SSL_SESSION_free(sess);
4434 SSL_SESSION_free(clientpsk);
4435 SSL_SESSION_free(serverpsk);
4436 clientpsk = serverpsk = NULL;
4437 SSL_free(serverssl);
4438 SSL_free(clientssl);
4439 SSL_CTX_free(sctx);
4440 SSL_CTX_free(cctx);
4441 return testresult;
4442}
4443
4444
4445# ifndef OPENSSL_NO_TLS1_2
4446/*
4447 * Test that a server attempting to read early data can handle a connection
4448 * from a TLSv1.2 client.
4449 */
4450static int test_early_data_tls1_2(int idx)
4451{
4452 SSL_CTX *cctx = NULL, *sctx = NULL;
4453 SSL *clientssl = NULL, *serverssl = NULL;
4454 int testresult = 0;
4455 unsigned char buf[20];
4456 size_t readbytes, written;
4457
4458 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4459 &serverssl, NULL, idx)))
4460 goto end;
4461
4462 /* Write some data - should block due to handshake with server */
4463 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4464 SSL_set_connect_state(clientssl);
4465 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4466 goto end;
4467
4468 /*
4469 * Server should do TLSv1.2 handshake. First it will block waiting for more
4470 * messages from client after ServerDone. Then SSL_read_early_data should
4471 * finish and detect that early data has not been sent
4472 */
4473 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4474 &readbytes),
4475 SSL_READ_EARLY_DATA_ERROR))
4476 goto end;
4477
4478 /*
4479 * Continue writing the message we started earlier. Will still block waiting
4480 * for the CCS/Finished from server
4481 */
4482 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4483 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4484 &readbytes),
4485 SSL_READ_EARLY_DATA_FINISH)
4486 || !TEST_size_t_eq(readbytes, 0)
4487 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4488 SSL_EARLY_DATA_NOT_SENT))
4489 goto end;
4490
4491 /* Continue writing the message we started earlier */
4492 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4493 || !TEST_size_t_eq(written, strlen(MSG1))
4494 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4495 SSL_EARLY_DATA_NOT_SENT)
4496 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4497 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4498 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4499 || !TEST_size_t_eq(written, strlen(MSG2))
4500 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4501 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4502 goto end;
4503
4504 testresult = 1;
4505
4506 end:
4507 SSL_SESSION_free(clientpsk);
4508 SSL_SESSION_free(serverpsk);
4509 clientpsk = serverpsk = NULL;
4510 SSL_free(serverssl);
4511 SSL_free(clientssl);
4512 SSL_CTX_free(sctx);
4513 SSL_CTX_free(cctx);
4514
4515 return testresult;
4516}
4517# endif /* OPENSSL_NO_TLS1_2 */
4518
4519/*
4520 * Test configuring the TLSv1.3 ciphersuites
4521 *
4522 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4523 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4524 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4525 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4526 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4527 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4528 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4529 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4530 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4531 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4532 */
4533static int test_set_ciphersuite(int idx)
4534{
4535 SSL_CTX *cctx = NULL, *sctx = NULL;
4536 SSL *clientssl = NULL, *serverssl = NULL;
4537 int testresult = 0;
4538
4539 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4540 TLS_client_method(), TLS1_VERSION, 0,
4541 &sctx, &cctx, cert, privkey))
4542 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4543 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4544 goto end;
4545
4546 if (idx >=4 && idx <= 7) {
4547 /* SSL_CTX explicit cipher list */
4548 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4549 goto end;
4550 }
4551
4552 if (idx == 0 || idx == 4) {
4553 /* Default ciphersuite */
4554 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4555 "TLS_AES_128_GCM_SHA256")))
4556 goto end;
4557 } else if (idx == 1 || idx == 5) {
4558 /* Non default ciphersuite */
4559 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4560 "TLS_AES_128_CCM_SHA256")))
4561 goto end;
4562 }
4563
4564 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4565 &clientssl, NULL, NULL)))
4566 goto end;
4567
4568 if (idx == 8 || idx == 9) {
4569 /* SSL explicit cipher list */
4570 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4571 goto end;
4572 }
4573
4574 if (idx == 2 || idx == 6 || idx == 8) {
4575 /* Default ciphersuite */
4576 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4577 "TLS_AES_128_GCM_SHA256")))
4578 goto end;
4579 } else if (idx == 3 || idx == 7 || idx == 9) {
4580 /* Non default ciphersuite */
4581 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4582 "TLS_AES_128_CCM_SHA256")))
4583 goto end;
4584 }
4585
4586 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4587 goto end;
4588
4589 testresult = 1;
4590
4591 end:
4592 SSL_free(serverssl);
4593 SSL_free(clientssl);
4594 SSL_CTX_free(sctx);
4595 SSL_CTX_free(cctx);
4596
4597 return testresult;
4598}
4599
4600static int test_ciphersuite_change(void)
4601{
4602 SSL_CTX *cctx = NULL, *sctx = NULL;
4603 SSL *clientssl = NULL, *serverssl = NULL;
4604 SSL_SESSION *clntsess = NULL;
4605 int testresult = 0;
4606 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4607
4608 /* Create a session based on SHA-256 */
4609 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4610 TLS_client_method(), TLS1_VERSION, 0,
4611 &sctx, &cctx, cert, privkey))
4612 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4613 "TLS_AES_128_GCM_SHA256:"
4614 "TLS_AES_256_GCM_SHA384:"
4615 "TLS_AES_128_CCM_SHA256"))
4616 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4617 "TLS_AES_128_GCM_SHA256"))
4618 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4619 &clientssl, NULL, NULL))
4620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4621 SSL_ERROR_NONE)))
4622 goto end;
4623
4624 clntsess = SSL_get1_session(clientssl);
4625 /* Save for later */
4626 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4627 SSL_shutdown(clientssl);
4628 SSL_shutdown(serverssl);
4629 SSL_free(serverssl);
4630 SSL_free(clientssl);
4631 serverssl = clientssl = NULL;
4632
4633 /* Check we can resume a session with a different SHA-256 ciphersuite */
4634 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4635 "TLS_AES_128_CCM_SHA256"))
4636 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4637 &clientssl, NULL, NULL))
4638 || !TEST_true(SSL_set_session(clientssl, clntsess))
4639 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4640 SSL_ERROR_NONE))
4641 || !TEST_true(SSL_session_reused(clientssl)))
4642 goto end;
4643
4644 SSL_SESSION_free(clntsess);
4645 clntsess = SSL_get1_session(clientssl);
4646 SSL_shutdown(clientssl);
4647 SSL_shutdown(serverssl);
4648 SSL_free(serverssl);
4649 SSL_free(clientssl);
4650 serverssl = clientssl = NULL;
4651
4652 /*
4653 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4654 * succeeds but does not resume.
4655 */
4656 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4657 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4658 NULL, NULL))
4659 || !TEST_true(SSL_set_session(clientssl, clntsess))
4660 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4661 SSL_ERROR_SSL))
4662 || !TEST_false(SSL_session_reused(clientssl)))
4663 goto end;
4664
4665 SSL_SESSION_free(clntsess);
4666 clntsess = NULL;
4667 SSL_shutdown(clientssl);
4668 SSL_shutdown(serverssl);
4669 SSL_free(serverssl);
4670 SSL_free(clientssl);
4671 serverssl = clientssl = NULL;
4672
4673 /* Create a session based on SHA384 */
4674 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4675 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4676 &clientssl, NULL, NULL))
4677 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4678 SSL_ERROR_NONE)))
4679 goto end;
4680
4681 clntsess = SSL_get1_session(clientssl);
4682 SSL_shutdown(clientssl);
4683 SSL_shutdown(serverssl);
4684 SSL_free(serverssl);
4685 SSL_free(clientssl);
4686 serverssl = clientssl = NULL;
4687
4688 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4689 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4690 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4691 "TLS_AES_256_GCM_SHA384"))
4692 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4693 NULL, NULL))
4694 || !TEST_true(SSL_set_session(clientssl, clntsess))
4695 /*
4696 * We use SSL_ERROR_WANT_READ below so that we can pause the
4697 * connection after the initial ClientHello has been sent to
4698 * enable us to make some session changes.
4699 */
4700 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4701 SSL_ERROR_WANT_READ)))
4702 goto end;
4703
4704 /* Trick the client into thinking this session is for a different digest */
4705 clntsess->cipher = aes_128_gcm_sha256;
4706 clntsess->cipher_id = clntsess->cipher->id;
4707
4708 /*
4709 * Continue the previously started connection. Server has selected a SHA-384
4710 * ciphersuite, but client thinks the session is for SHA-256, so it should
4711 * bail out.
4712 */
4713 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4714 SSL_ERROR_SSL))
4715 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4716 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4717 goto end;
4718
4719 testresult = 1;
4720
4721 end:
4722 SSL_SESSION_free(clntsess);
4723 SSL_free(serverssl);
4724 SSL_free(clientssl);
4725 SSL_CTX_free(sctx);
4726 SSL_CTX_free(cctx);
4727
4728 return testresult;
4729}
4730
4731/*
4732 * Test TLSv1.3 Key exchange
4733 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4734 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4735 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4736 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4737 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4738 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4739 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4740 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4741 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4742 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4743 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4744 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4745 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4746 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4747 */
4748# ifndef OPENSSL_NO_EC
4749static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4750 NID_secp521r1, NID_X25519, NID_X448};
4751# endif
4752# ifndef OPENSSL_NO_DH
4753static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4754 NID_ffdhe6144, NID_ffdhe8192};
4755# endif
4756static int test_key_exchange(int idx)
4757{
4758 SSL_CTX *sctx = NULL, *cctx = NULL;
4759 SSL *serverssl = NULL, *clientssl = NULL;
4760 int testresult = 0;
4761 int kexch_alg;
4762 int *kexch_groups = &kexch_alg;
4763 int kexch_groups_size = 1;
4764 int max_version = TLS1_3_VERSION;
4765 char *kexch_name0 = NULL;
4766
4767 switch (idx) {
4768# ifndef OPENSSL_NO_EC
4769# ifndef OPENSSL_NO_TLS1_2
4770 case 12:
4771 max_version = TLS1_2_VERSION;
4772# endif
4773 /* Fall through */
4774 case 0:
4775 kexch_groups = ecdhe_kexch_groups;
4776 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4777 kexch_name0 = "secp256r1";
4778 break;
4779 case 1:
4780 kexch_alg = NID_X9_62_prime256v1;
4781 kexch_name0 = "secp256r1";
4782 break;
4783 case 2:
4784 kexch_alg = NID_secp384r1;
4785 kexch_name0 = "secp384r1";
4786 break;
4787 case 3:
4788 kexch_alg = NID_secp521r1;
4789 kexch_name0 = "secp521r1";
4790 break;
4791 case 4:
4792 kexch_alg = NID_X25519;
4793 kexch_name0 = "x25519";
4794 break;
4795 case 5:
4796 kexch_alg = NID_X448;
4797 kexch_name0 = "x448";
4798 break;
4799# endif
4800# ifndef OPENSSL_NO_DH
4801# ifndef OPENSSL_NO_TLS1_2
4802 case 13:
4803 max_version = TLS1_2_VERSION;
4804 kexch_name0 = "ffdhe2048";
4805# endif
4806 /* Fall through */
4807 case 6:
4808 kexch_groups = ffdhe_kexch_groups;
4809 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4810 kexch_name0 = "ffdhe2048";
4811 break;
4812 case 7:
4813 kexch_alg = NID_ffdhe2048;
4814 kexch_name0 = "ffdhe2048";
4815 break;
4816 case 8:
4817 kexch_alg = NID_ffdhe3072;
4818 kexch_name0 = "ffdhe3072";
4819 break;
4820 case 9:
4821 kexch_alg = NID_ffdhe4096;
4822 kexch_name0 = "ffdhe4096";
4823 break;
4824 case 10:
4825 kexch_alg = NID_ffdhe6144;
4826 kexch_name0 = "ffdhe6144";
4827 break;
4828 case 11:
4829 kexch_alg = NID_ffdhe8192;
4830 kexch_name0 = "ffdhe8192";
4831 break;
4832# endif
4833 default:
4834 /* We're skipping this test */
4835 return 1;
4836 }
4837
4838 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4839 TLS_client_method(), TLS1_VERSION,
4840 max_version, &sctx, &cctx, cert,
4841 privkey)))
4842 goto end;
4843
4844 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4845 TLS1_3_RFC_AES_128_GCM_SHA256)))
4846 goto end;
4847
4848 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4849 TLS1_3_RFC_AES_128_GCM_SHA256)))
4850 goto end;
4851
4852 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4853 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4854 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4855 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4856 goto end;
4857
4858 /*
4859 * Must include an EC ciphersuite so that we send supported groups in
4860 * TLSv1.2
4861 */
4862# ifndef OPENSSL_NO_TLS1_2
4863 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4864 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4865 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4866 goto end;
4867# endif
4868
4869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4870 NULL, NULL)))
4871 goto end;
4872
4873 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4874 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4875 goto end;
4876
4877 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4878 goto end;
4879
4880 /*
4881 * If Handshake succeeds the negotiated kexch alg should be the first one in
4882 * configured, except in the case of FFDHE groups (idx 13), which are
4883 * TLSv1.3 only so we expect no shared group to exist.
4884 */
4885 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4886 idx == 13 ? 0 : kexch_groups[0]))
4887 goto end;
4888
4889 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4890 kexch_name0))
4891 goto end;
4892
4893 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4894 if (idx != 13) {
4895 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4896 goto end;
4897 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4898 goto end;
4899 }
4900
4901 testresult = 1;
4902 end:
4903 SSL_free(serverssl);
4904 SSL_free(clientssl);
4905 SSL_CTX_free(sctx);
4906 SSL_CTX_free(cctx);
4907 return testresult;
4908}
4909
4910# if !defined(OPENSSL_NO_TLS1_2) \
4911 && !defined(OPENSSL_NO_EC) \
4912 && !defined(OPENSSL_NO_DH)
4913static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4914 int isecdhe, int idx)
4915{
4916 int kexch_alg;
4917 int *kexch_groups = &kexch_alg;
4918 int numec, numff;
4919
4920 numec = OSSL_NELEM(ecdhe_kexch_groups);
4921 numff = OSSL_NELEM(ffdhe_kexch_groups);
4922 if (isecdhe)
4923 kexch_alg = ecdhe_kexch_groups[idx];
4924 else
4925 kexch_alg = ffdhe_kexch_groups[idx];
4926
4927 if (clientmulti) {
4928 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4929 return 0;
4930 if (isecdhe) {
4931 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4932 numec)))
4933 return 0;
4934 } else {
4935 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4936 numff)))
4937 return 0;
4938 }
4939 } else {
4940 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4941 return 0;
4942 if (isecdhe) {
4943 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4944 numec)))
4945 return 0;
4946 } else {
4947 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4948 numff)))
4949 return 0;
4950 }
4951 }
4952 return 1;
4953}
4954
4955/*-
4956 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4957 * Run through both the ECDHE and FFDHE group lists used in the previous
4958 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4959 * confirming the expected result; then perform a resumption handshake
4960 * while offering the same group list, and another resumption handshake
4961 * offering a different group list. The returned value should be the
4962 * negotiated group for the initial handshake; for TLS 1.3 resumption
4963 * handshakes the returned value will be negotiated on the resumption
4964 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4965 * be cached in the session from the original handshake, regardless of what
4966 * was offered in the resumption ClientHello.
4967 *
4968 * Using E for the number of EC groups and F for the number of FF groups:
4969 * E tests of ECDHE with TLS 1.3, server only has one group
4970 * F tests of FFDHE with TLS 1.3, server only has one group
4971 * E tests of ECDHE with TLS 1.2, server only has one group
4972 * F tests of FFDHE with TLS 1.2, server only has one group
4973 * E tests of ECDHE with TLS 1.3, client sends only one group
4974 * F tests of FFDHE with TLS 1.3, client sends only one group
4975 * E tests of ECDHE with TLS 1.2, client sends only one group
4976 * F tests of FFDHE with TLS 1.2, client sends only one group
4977 */
4978static int test_negotiated_group(int idx)
4979{
4980 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4981 int expectednid;
4982 SSL_CTX *sctx = NULL, *cctx = NULL;
4983 SSL *serverssl = NULL, *clientssl = NULL;
4984 SSL_SESSION *origsess = NULL;
4985 int testresult = 0;
4986 int kexch_alg;
4987 int max_version = TLS1_3_VERSION;
4988
4989 numec = OSSL_NELEM(ecdhe_kexch_groups);
4990 numff = OSSL_NELEM(ffdhe_kexch_groups);
4991 numgroups = numec + numff;
4992 clientmulti = (idx < 2 * numgroups);
4993 idx = idx % (2 * numgroups);
4994 istls13 = (idx < numgroups);
4995 idx = idx % numgroups;
4996 isecdhe = (idx < numec);
4997 if (!isecdhe)
4998 idx -= numec;
4999 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5000 if (isecdhe)
5001 kexch_alg = ecdhe_kexch_groups[idx];
5002 else
5003 kexch_alg = ffdhe_kexch_groups[idx];
5004 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5005 if (!istls13 && !isecdhe)
5006 expectednid = NID_undef;
5007 else
5008 expectednid = kexch_alg;
5009
5010 if (!istls13)
5011 max_version = TLS1_2_VERSION;
5012
5013 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5014 TLS_client_method(), TLS1_VERSION,
5015 max_version, &sctx, &cctx, cert,
5016 privkey)))
5017 goto end;
5018
5019 /*
5020 * Force (EC)DHE ciphers for TLS 1.2.
5021 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5022 */
5023 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5024 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5025 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5026 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5027 goto end;
5028 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5029 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5030 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5031 goto end;
5032
5033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5034 NULL, NULL)))
5035 goto end;
5036
5037 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5038 idx)))
5039 goto end;
5040
5041 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5042 goto end;
5043
5044 /* Initial handshake; always the configured one */
5045 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5046 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5047 goto end;
5048
5049 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5050 goto end;
5051
5052 SSL_shutdown(clientssl);
5053 SSL_shutdown(serverssl);
5054 SSL_free(serverssl);
5055 SSL_free(clientssl);
5056 serverssl = clientssl = NULL;
5057
5058 /* First resumption attempt; use the same config as initial handshake */
5059 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5060 NULL, NULL))
5061 || !TEST_true(SSL_set_session(clientssl, origsess))
5062 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5063 isecdhe, idx)))
5064 goto end;
5065
5066 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5067 || !TEST_true(SSL_session_reused(clientssl)))
5068 goto end;
5069
5070 /* Still had better agree, since nothing changed... */
5071 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5072 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5073 goto end;
5074
5075 SSL_shutdown(clientssl);
5076 SSL_shutdown(serverssl);
5077 SSL_free(serverssl);
5078 SSL_free(clientssl);
5079 serverssl = clientssl = NULL;
5080
5081 /*-
5082 * Second resumption attempt
5083 * The party that picks one group changes it, which we effectuate by
5084 * changing 'idx' and updating what we expect.
5085 */
5086 if (idx == 0)
5087 idx = 1;
5088 else
5089 idx--;
5090 if (istls13) {
5091 if (isecdhe)
5092 expectednid = ecdhe_kexch_groups[idx];
5093 else
5094 expectednid = ffdhe_kexch_groups[idx];
5095 /* Verify that we are changing what we expect. */
5096 if (!TEST_int_ne(expectednid, kexch_alg))
5097 goto end;
5098 } else {
5099 /* TLS 1.2 only supports named groups for ECDHE. */
5100 if (isecdhe)
5101 expectednid = kexch_alg;
5102 else
5103 expectednid = 0;
5104 }
5105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5106 NULL, NULL))
5107 || !TEST_true(SSL_set_session(clientssl, origsess))
5108 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5109 isecdhe, idx)))
5110 goto end;
5111
5112 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5113 || !TEST_true(SSL_session_reused(clientssl)))
5114 goto end;
5115
5116 /* Check that we get what we expected */
5117 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5118 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5119 goto end;
5120
5121 testresult = 1;
5122 end:
5123 SSL_free(serverssl);
5124 SSL_free(clientssl);
5125 SSL_CTX_free(sctx);
5126 SSL_CTX_free(cctx);
5127 SSL_SESSION_free(origsess);
5128 return testresult;
5129}
5130# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5131
5132/*
5133 * Test TLSv1.3 Cipher Suite
5134 * Test 0 = Set TLS1.3 cipher on context
5135 * Test 1 = Set TLS1.3 cipher on SSL
5136 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5137 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5138 */
5139static int test_tls13_ciphersuite(int idx)
5140{
5141 SSL_CTX *sctx = NULL, *cctx = NULL;
5142 SSL *serverssl = NULL, *clientssl = NULL;
5143 static const struct {
5144 const char *ciphername;
5145 int fipscapable;
5146 } t13_ciphers[] = {
5147 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5148 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5149 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5150# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5151 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5152 { TLS1_3_RFC_AES_256_GCM_SHA384
5153 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5154# endif
5155 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5156 };
5157 const char *t13_cipher = NULL;
5158 const char *t12_cipher = NULL;
5159 const char *negotiated_scipher;
5160 const char *negotiated_ccipher;
5161 int set_at_ctx = 0;
5162 int set_at_ssl = 0;
5163 int testresult = 0;
5164 int max_ver;
5165 size_t i;
5166
5167 switch (idx) {
5168 case 0:
5169 set_at_ctx = 1;
5170 break;
5171 case 1:
5172 set_at_ssl = 1;
5173 break;
5174 case 2:
5175 set_at_ctx = 1;
5176 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5177 break;
5178 case 3:
5179 set_at_ssl = 1;
5180 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5181 break;
5182 }
5183
5184 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5185# ifdef OPENSSL_NO_TLS1_2
5186 if (max_ver == TLS1_2_VERSION)
5187 continue;
5188# endif
5189 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5190 if (is_fips && !t13_ciphers[i].fipscapable)
5191 continue;
5192 t13_cipher = t13_ciphers[i].ciphername;
5193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5194 TLS_client_method(),
5195 TLS1_VERSION, max_ver,
5196 &sctx, &cctx, cert, privkey)))
5197 goto end;
5198
5199 if (set_at_ctx) {
5200 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5201 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5202 goto end;
5203 if (t12_cipher != NULL) {
5204 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5205 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5206 t12_cipher)))
5207 goto end;
5208 }
5209 }
5210
5211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5212 &clientssl, NULL, NULL)))
5213 goto end;
5214
5215 if (set_at_ssl) {
5216 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5217 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5218 goto end;
5219 if (t12_cipher != NULL) {
5220 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5221 || !TEST_true(SSL_set_cipher_list(clientssl,
5222 t12_cipher)))
5223 goto end;
5224 }
5225 }
5226
5227 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5228 SSL_ERROR_NONE)))
5229 goto end;
5230
5231 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5232 serverssl));
5233 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5234 clientssl));
5235 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5236 goto end;
5237
5238 /*
5239 * TEST_strn_eq is used below because t13_cipher can contain
5240 * multiple ciphersuites
5241 */
5242 if (max_ver == TLS1_3_VERSION
5243 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5244 strlen(negotiated_scipher)))
5245 goto end;
5246
5247# ifndef OPENSSL_NO_TLS1_2
5248 /* Below validation is not done when t12_cipher is NULL */
5249 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5250 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5251 goto end;
5252# endif
5253
5254 SSL_free(serverssl);
5255 serverssl = NULL;
5256 SSL_free(clientssl);
5257 clientssl = NULL;
5258 SSL_CTX_free(sctx);
5259 sctx = NULL;
5260 SSL_CTX_free(cctx);
5261 cctx = NULL;
5262 }
5263 }
5264
5265 testresult = 1;
5266 end:
5267 SSL_free(serverssl);
5268 SSL_free(clientssl);
5269 SSL_CTX_free(sctx);
5270 SSL_CTX_free(cctx);
5271 return testresult;
5272}
5273
5274/*
5275 * Test TLSv1.3 PSKs
5276 * Test 0 = Test new style callbacks
5277 * Test 1 = Test both new and old style callbacks
5278 * Test 2 = Test old style callbacks
5279 * Test 3 = Test old style callbacks with no certificate
5280 */
5281static int test_tls13_psk(int idx)
5282{
5283 SSL_CTX *sctx = NULL, *cctx = NULL;
5284 SSL *serverssl = NULL, *clientssl = NULL;
5285 const SSL_CIPHER *cipher = NULL;
5286 const unsigned char key[] = {
5287 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5288 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5289 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5290 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5291 };
5292 int testresult = 0;
5293
5294 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5295 TLS_client_method(), TLS1_VERSION, 0,
5296 &sctx, &cctx, idx == 3 ? NULL : cert,
5297 idx == 3 ? NULL : privkey)))
5298 goto end;
5299
5300 if (idx != 3) {
5301 /*
5302 * We use a ciphersuite with SHA256 to ease testing old style PSK
5303 * callbacks which will always default to SHA256. This should not be
5304 * necessary if we have no cert/priv key. In that case the server should
5305 * prefer SHA256 automatically.
5306 */
5307 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5308 "TLS_AES_128_GCM_SHA256")))
5309 goto end;
5310 } else {
5311 /*
5312 * As noted above the server should prefer SHA256 automatically. However
5313 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5314 * code works even if we are testing with only the FIPS provider loaded.
5315 */
5316 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5317 "TLS_AES_256_GCM_SHA384:"
5318 "TLS_AES_128_GCM_SHA256")))
5319 goto end;
5320 }
5321
5322 /*
5323 * Test 0: New style callbacks only
5324 * Test 1: New and old style callbacks (only the new ones should be used)
5325 * Test 2: Old style callbacks only
5326 */
5327 if (idx == 0 || idx == 1) {
5328 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5329 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5330 }
5331#ifndef OPENSSL_NO_PSK
5332 if (idx >= 1) {
5333 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5334 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5335 }
5336#endif
5337 srvid = pskid;
5338 use_session_cb_cnt = 0;
5339 find_session_cb_cnt = 0;
5340 psk_client_cb_cnt = 0;
5341 psk_server_cb_cnt = 0;
5342
5343 if (idx != 3) {
5344 /*
5345 * Check we can create a connection if callback decides not to send a
5346 * PSK
5347 */
5348 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5349 NULL, NULL))
5350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5351 SSL_ERROR_NONE))
5352 || !TEST_false(SSL_session_reused(clientssl))
5353 || !TEST_false(SSL_session_reused(serverssl)))
5354 goto end;
5355
5356 if (idx == 0 || idx == 1) {
5357 if (!TEST_true(use_session_cb_cnt == 1)
5358 || !TEST_true(find_session_cb_cnt == 0)
5359 /*
5360 * If no old style callback then below should be 0
5361 * otherwise 1
5362 */
5363 || !TEST_true(psk_client_cb_cnt == idx)
5364 || !TEST_true(psk_server_cb_cnt == 0))
5365 goto end;
5366 } else {
5367 if (!TEST_true(use_session_cb_cnt == 0)
5368 || !TEST_true(find_session_cb_cnt == 0)
5369 || !TEST_true(psk_client_cb_cnt == 1)
5370 || !TEST_true(psk_server_cb_cnt == 0))
5371 goto end;
5372 }
5373
5374 shutdown_ssl_connection(serverssl, clientssl);
5375 serverssl = clientssl = NULL;
5376 use_session_cb_cnt = psk_client_cb_cnt = 0;
5377 }
5378
5379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5380 NULL, NULL)))
5381 goto end;
5382
5383 /* Create the PSK */
5384 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5385 clientpsk = SSL_SESSION_new();
5386 if (!TEST_ptr(clientpsk)
5387 || !TEST_ptr(cipher)
5388 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5389 sizeof(key)))
5390 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5391 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5392 TLS1_3_VERSION))
5393 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5394 goto end;
5395 serverpsk = clientpsk;
5396
5397 /* Check we can create a connection and the PSK is used */
5398 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5399 || !TEST_true(SSL_session_reused(clientssl))
5400 || !TEST_true(SSL_session_reused(serverssl)))
5401 goto end;
5402
5403 if (idx == 0 || idx == 1) {
5404 if (!TEST_true(use_session_cb_cnt == 1)
5405 || !TEST_true(find_session_cb_cnt == 1)
5406 || !TEST_true(psk_client_cb_cnt == 0)
5407 || !TEST_true(psk_server_cb_cnt == 0))
5408 goto end;
5409 } else {
5410 if (!TEST_true(use_session_cb_cnt == 0)
5411 || !TEST_true(find_session_cb_cnt == 0)
5412 || !TEST_true(psk_client_cb_cnt == 1)
5413 || !TEST_true(psk_server_cb_cnt == 1))
5414 goto end;
5415 }
5416
5417 shutdown_ssl_connection(serverssl, clientssl);
5418 serverssl = clientssl = NULL;
5419 use_session_cb_cnt = find_session_cb_cnt = 0;
5420 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5421
5422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5423 NULL, NULL)))
5424 goto end;
5425
5426 /* Force an HRR */
5427#if defined(OPENSSL_NO_EC)
5428 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5429 goto end;
5430#else
5431 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5432 goto end;
5433#endif
5434
5435 /*
5436 * Check we can create a connection, the PSK is used and the callbacks are
5437 * called twice.
5438 */
5439 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5440 || !TEST_true(SSL_session_reused(clientssl))
5441 || !TEST_true(SSL_session_reused(serverssl)))
5442 goto end;
5443
5444 if (idx == 0 || idx == 1) {
5445 if (!TEST_true(use_session_cb_cnt == 2)
5446 || !TEST_true(find_session_cb_cnt == 2)
5447 || !TEST_true(psk_client_cb_cnt == 0)
5448 || !TEST_true(psk_server_cb_cnt == 0))
5449 goto end;
5450 } else {
5451 if (!TEST_true(use_session_cb_cnt == 0)
5452 || !TEST_true(find_session_cb_cnt == 0)
5453 || !TEST_true(psk_client_cb_cnt == 2)
5454 || !TEST_true(psk_server_cb_cnt == 2))
5455 goto end;
5456 }
5457
5458 shutdown_ssl_connection(serverssl, clientssl);
5459 serverssl = clientssl = NULL;
5460 use_session_cb_cnt = find_session_cb_cnt = 0;
5461 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5462
5463 if (idx != 3) {
5464 /*
5465 * Check that if the server rejects the PSK we can still connect, but with
5466 * a full handshake
5467 */
5468 srvid = "Dummy Identity";
5469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5470 NULL, NULL))
5471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5472 SSL_ERROR_NONE))
5473 || !TEST_false(SSL_session_reused(clientssl))
5474 || !TEST_false(SSL_session_reused(serverssl)))
5475 goto end;
5476
5477 if (idx == 0 || idx == 1) {
5478 if (!TEST_true(use_session_cb_cnt == 1)
5479 || !TEST_true(find_session_cb_cnt == 1)
5480 || !TEST_true(psk_client_cb_cnt == 0)
5481 /*
5482 * If no old style callback then below should be 0
5483 * otherwise 1
5484 */
5485 || !TEST_true(psk_server_cb_cnt == idx))
5486 goto end;
5487 } else {
5488 if (!TEST_true(use_session_cb_cnt == 0)
5489 || !TEST_true(find_session_cb_cnt == 0)
5490 || !TEST_true(psk_client_cb_cnt == 1)
5491 || !TEST_true(psk_server_cb_cnt == 1))
5492 goto end;
5493 }
5494
5495 shutdown_ssl_connection(serverssl, clientssl);
5496 serverssl = clientssl = NULL;
5497 }
5498 testresult = 1;
5499
5500 end:
5501 SSL_SESSION_free(clientpsk);
5502 SSL_SESSION_free(serverpsk);
5503 clientpsk = serverpsk = NULL;
5504 SSL_free(serverssl);
5505 SSL_free(clientssl);
5506 SSL_CTX_free(sctx);
5507 SSL_CTX_free(cctx);
5508 return testresult;
5509}
5510
5511static unsigned char cookie_magic_value[] = "cookie magic";
5512
5513static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5514 unsigned int *cookie_len)
5515{
5516 /*
5517 * Not suitable as a real cookie generation function but good enough for
5518 * testing!
5519 */
5520 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5521 *cookie_len = sizeof(cookie_magic_value) - 1;
5522
5523 return 1;
5524}
5525
5526static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5527 unsigned int cookie_len)
5528{
5529 if (cookie_len == sizeof(cookie_magic_value) - 1
5530 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5531 return 1;
5532
5533 return 0;
5534}
5535
5536static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5537 size_t *cookie_len)
5538{
5539 unsigned int temp;
5540 int res = generate_cookie_callback(ssl, cookie, &temp);
5541 *cookie_len = temp;
5542 return res;
5543}
5544
5545static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5546 size_t cookie_len)
5547{
5548 return verify_cookie_callback(ssl, cookie, cookie_len);
5549}
5550
5551static int test_stateless(void)
5552{
5553 SSL_CTX *sctx = NULL, *cctx = NULL;
5554 SSL *serverssl = NULL, *clientssl = NULL;
5555 int testresult = 0;
5556
5557 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5558 TLS_client_method(), TLS1_VERSION, 0,
5559 &sctx, &cctx, cert, privkey)))
5560 goto end;
5561
5562 /* The arrival of CCS messages can confuse the test */
5563 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5564
5565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5566 NULL, NULL))
5567 /* Send the first ClientHello */
5568 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5569 SSL_ERROR_WANT_READ))
5570 /*
5571 * This should fail with a -1 return because we have no callbacks
5572 * set up
5573 */
5574 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5575 goto end;
5576
5577 /* Fatal error so abandon the connection from this client */
5578 SSL_free(clientssl);
5579 clientssl = NULL;
5580
5581 /* Set up the cookie generation and verification callbacks */
5582 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5583 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5584
5585 /*
5586 * Create a new connection from the client (we can reuse the server SSL
5587 * object).
5588 */
5589 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5590 NULL, NULL))
5591 /* Send the first ClientHello */
5592 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5593 SSL_ERROR_WANT_READ))
5594 /* This should fail because there is no cookie */
5595 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5596 goto end;
5597
5598 /* Abandon the connection from this client */
5599 SSL_free(clientssl);
5600 clientssl = NULL;
5601
5602 /*
5603 * Now create a connection from a new client but with the same server SSL
5604 * object
5605 */
5606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5607 NULL, NULL))
5608 /* Send the first ClientHello */
5609 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5610 SSL_ERROR_WANT_READ))
5611 /* This should fail because there is no cookie */
5612 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5613 /* Send the second ClientHello */
5614 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5615 SSL_ERROR_WANT_READ))
5616 /* This should succeed because a cookie is now present */
5617 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5618 /* Complete the connection */
5619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5620 SSL_ERROR_NONE)))
5621 goto end;
5622
5623 shutdown_ssl_connection(serverssl, clientssl);
5624 serverssl = clientssl = NULL;
5625 testresult = 1;
5626
5627 end:
5628 SSL_free(serverssl);
5629 SSL_free(clientssl);
5630 SSL_CTX_free(sctx);
5631 SSL_CTX_free(cctx);
5632 return testresult;
5633
5634}
5635#endif /* OSSL_NO_USABLE_TLS1_3 */
5636
5637static int clntaddoldcb = 0;
5638static int clntparseoldcb = 0;
5639static int srvaddoldcb = 0;
5640static int srvparseoldcb = 0;
5641static int clntaddnewcb = 0;
5642static int clntparsenewcb = 0;
5643static int srvaddnewcb = 0;
5644static int srvparsenewcb = 0;
5645static int snicb = 0;
5646
5647#define TEST_EXT_TYPE1 0xff00
5648
5649static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5650 size_t *outlen, int *al, void *add_arg)
5651{
5652 int *server = (int *)add_arg;
5653 unsigned char *data;
5654
5655 if (SSL_is_server(s))
5656 srvaddoldcb++;
5657 else
5658 clntaddoldcb++;
5659
5660 if (*server != SSL_is_server(s)
5661 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5662 return -1;
5663
5664 *data = 1;
5665 *out = data;
5666 *outlen = sizeof(char);
5667 return 1;
5668}
5669
5670static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5671 void *add_arg)
5672{
5673 OPENSSL_free((unsigned char *)out);
5674}
5675
5676static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5677 size_t inlen, int *al, void *parse_arg)
5678{
5679 int *server = (int *)parse_arg;
5680
5681 if (SSL_is_server(s))
5682 srvparseoldcb++;
5683 else
5684 clntparseoldcb++;
5685
5686 if (*server != SSL_is_server(s)
5687 || inlen != sizeof(char)
5688 || *in != 1)
5689 return -1;
5690
5691 return 1;
5692}
5693
5694static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5695 const unsigned char **out, size_t *outlen, X509 *x,
5696 size_t chainidx, int *al, void *add_arg)
5697{
5698 int *server = (int *)add_arg;
5699 unsigned char *data;
5700
5701 if (SSL_is_server(s))
5702 srvaddnewcb++;
5703 else
5704 clntaddnewcb++;
5705
5706 if (*server != SSL_is_server(s)
5707 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5708 return -1;
5709
5710 *data = 1;
5711 *out = data;
5712 *outlen = sizeof(*data);
5713 return 1;
5714}
5715
5716static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5717 const unsigned char *out, void *add_arg)
5718{
5719 OPENSSL_free((unsigned char *)out);
5720}
5721
5722static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5723 const unsigned char *in, size_t inlen, X509 *x,
5724 size_t chainidx, int *al, void *parse_arg)
5725{
5726 int *server = (int *)parse_arg;
5727
5728 if (SSL_is_server(s))
5729 srvparsenewcb++;
5730 else
5731 clntparsenewcb++;
5732
5733 if (*server != SSL_is_server(s)
5734 || inlen != sizeof(char) || *in != 1)
5735 return -1;
5736
5737 return 1;
5738}
5739
5740static int sni_cb(SSL *s, int *al, void *arg)
5741{
5742 SSL_CTX *ctx = (SSL_CTX *)arg;
5743
5744 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5745 *al = SSL_AD_INTERNAL_ERROR;
5746 return SSL_TLSEXT_ERR_ALERT_FATAL;
5747 }
5748 snicb++;
5749 return SSL_TLSEXT_ERR_OK;
5750}
5751
5752static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5753{
5754 return 1;
5755}
5756
5757/*
5758 * Custom call back tests.
5759 * Test 0: Old style callbacks in TLSv1.2
5760 * Test 1: New style callbacks in TLSv1.2
5761 * Test 2: New style callbacks in TLSv1.2 with SNI
5762 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5763 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5764 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5765 */
5766static int test_custom_exts(int tst)
5767{
5768 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5769 SSL *clientssl = NULL, *serverssl = NULL;
5770 int testresult = 0;
5771 static int server = 1;
5772 static int client = 0;
5773 SSL_SESSION *sess = NULL;
5774 unsigned int context;
5775
5776#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5777 /* Skip tests for TLSv1.2 and below in this case */
5778 if (tst < 3)
5779 return 1;
5780#endif
5781
5782 /* Reset callback counters */
5783 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5784 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5785 snicb = 0;
5786
5787 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5788 TLS_client_method(), TLS1_VERSION, 0,
5789 &sctx, &cctx, cert, privkey)))
5790 goto end;
5791
5792 if (tst == 2
5793 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5794 TLS1_VERSION, 0,
5795 &sctx2, NULL, cert, privkey)))
5796 goto end;
5797
5798
5799 if (tst < 3) {
5800 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5801 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5802 if (sctx2 != NULL)
5803 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5804 }
5805
5806 if (tst == 5) {
5807 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5808 | SSL_EXT_TLS1_3_CERTIFICATE;
5809 SSL_CTX_set_verify(sctx,
5810 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5811 verify_cb);
5812 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5813 SSL_FILETYPE_PEM), 1)
5814 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5815 SSL_FILETYPE_PEM), 1)
5816 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5817 goto end;
5818 } else if (tst == 4) {
5819 context = SSL_EXT_CLIENT_HELLO
5820 | SSL_EXT_TLS1_2_SERVER_HELLO
5821 | SSL_EXT_TLS1_3_SERVER_HELLO
5822 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5823 | SSL_EXT_TLS1_3_CERTIFICATE
5824 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5825 } else {
5826 context = SSL_EXT_CLIENT_HELLO
5827 | SSL_EXT_TLS1_2_SERVER_HELLO
5828 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5829 }
5830
5831 /* Create a client side custom extension */
5832 if (tst == 0) {
5833 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5834 old_add_cb, old_free_cb,
5835 &client, old_parse_cb,
5836 &client)))
5837 goto end;
5838 } else {
5839 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5840 new_add_cb, new_free_cb,
5841 &client, new_parse_cb, &client)))
5842 goto end;
5843 }
5844
5845 /* Should not be able to add duplicates */
5846 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5847 old_add_cb, old_free_cb,
5848 &client, old_parse_cb,
5849 &client))
5850 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5851 context, new_add_cb,
5852 new_free_cb, &client,
5853 new_parse_cb, &client)))
5854 goto end;
5855
5856 /* Create a server side custom extension */
5857 if (tst == 0) {
5858 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5859 old_add_cb, old_free_cb,
5860 &server, old_parse_cb,
5861 &server)))
5862 goto end;
5863 } else {
5864 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5865 new_add_cb, new_free_cb,
5866 &server, new_parse_cb, &server)))
5867 goto end;
5868 if (sctx2 != NULL
5869 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5870 context, new_add_cb,
5871 new_free_cb, &server,
5872 new_parse_cb, &server)))
5873 goto end;
5874 }
5875
5876 /* Should not be able to add duplicates */
5877 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5878 old_add_cb, old_free_cb,
5879 &server, old_parse_cb,
5880 &server))
5881 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5882 context, new_add_cb,
5883 new_free_cb, &server,
5884 new_parse_cb, &server)))
5885 goto end;
5886
5887 if (tst == 2) {
5888 /* Set up SNI */
5889 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5890 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5891 goto end;
5892 }
5893
5894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5895 &clientssl, NULL, NULL))
5896 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5897 SSL_ERROR_NONE)))
5898 goto end;
5899
5900 if (tst == 0) {
5901 if (clntaddoldcb != 1
5902 || clntparseoldcb != 1
5903 || srvaddoldcb != 1
5904 || srvparseoldcb != 1)
5905 goto end;
5906 } else if (tst == 1 || tst == 2 || tst == 3) {
5907 if (clntaddnewcb != 1
5908 || clntparsenewcb != 1
5909 || srvaddnewcb != 1
5910 || srvparsenewcb != 1
5911 || (tst != 2 && snicb != 0)
5912 || (tst == 2 && snicb != 1))
5913 goto end;
5914 } else if (tst == 5) {
5915 if (clntaddnewcb != 1
5916 || clntparsenewcb != 1
5917 || srvaddnewcb != 1
5918 || srvparsenewcb != 1)
5919 goto end;
5920 } else {
5921 /* In this case there 2 NewSessionTicket messages created */
5922 if (clntaddnewcb != 1
5923 || clntparsenewcb != 5
5924 || srvaddnewcb != 5
5925 || srvparsenewcb != 1)
5926 goto end;
5927 }
5928
5929 sess = SSL_get1_session(clientssl);
5930 SSL_shutdown(clientssl);
5931 SSL_shutdown(serverssl);
5932 SSL_free(serverssl);
5933 SSL_free(clientssl);
5934 serverssl = clientssl = NULL;
5935
5936 if (tst == 3 || tst == 5) {
5937 /* We don't bother with the resumption aspects for these tests */
5938 testresult = 1;
5939 goto end;
5940 }
5941
5942 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5943 NULL, NULL))
5944 || !TEST_true(SSL_set_session(clientssl, sess))
5945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5946 SSL_ERROR_NONE)))
5947 goto end;
5948
5949 /*
5950 * For a resumed session we expect to add the ClientHello extension. For the
5951 * old style callbacks we ignore it on the server side because they set
5952 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5953 * them.
5954 */
5955 if (tst == 0) {
5956 if (clntaddoldcb != 2
5957 || clntparseoldcb != 1
5958 || srvaddoldcb != 1
5959 || srvparseoldcb != 1)
5960 goto end;
5961 } else if (tst == 1 || tst == 2 || tst == 3) {
5962 if (clntaddnewcb != 2
5963 || clntparsenewcb != 2
5964 || srvaddnewcb != 2
5965 || srvparsenewcb != 2)
5966 goto end;
5967 } else {
5968 /*
5969 * No Certificate message extensions in the resumption handshake,
5970 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5971 */
5972 if (clntaddnewcb != 2
5973 || clntparsenewcb != 8
5974 || srvaddnewcb != 8
5975 || srvparsenewcb != 2)
5976 goto end;
5977 }
5978
5979 testresult = 1;
5980
5981end:
5982 SSL_SESSION_free(sess);
5983 SSL_free(serverssl);
5984 SSL_free(clientssl);
5985 SSL_CTX_free(sctx2);
5986 SSL_CTX_free(sctx);
5987 SSL_CTX_free(cctx);
5988 return testresult;
5989}
5990
5991#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5992
5993#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
5994 | SSL_EXT_CLIENT_HELLO \
5995 | SSL_EXT_TLS1_2_SERVER_HELLO \
5996 | SSL_EXT_IGNORE_ON_RESUMPTION)
5997
5998#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
5999 | SSL_EXT_TLS1_2_SERVER_HELLO \
6000 | SSL_EXT_CLIENT_HELLO)
6001
6002#define SERVERINFO_CUSTOM \
6003 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6004 0x00, 0x03, \
6005 0x04, 0x05, 0x06 \
6006
6007static const unsigned char serverinfo_custom_tls13[] = {
6008 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6009 SERVERINFO_CUSTOM
6010};
6011static const unsigned char serverinfo_custom_v2[] = {
6012 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6013 SERVERINFO_CUSTOM
6014};
6015static const unsigned char serverinfo_custom_v1[] = {
6016 SERVERINFO_CUSTOM
6017};
6018static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6019static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6020static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6021
6022static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6023 unsigned int context,
6024 const unsigned char *in,
6025 size_t inlen, X509 *x,
6026 size_t chainidx, int *al,
6027 void *parse_arg)
6028{
6029 const size_t len = serverinfo_custom_v1_len;
6030 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6031 int *p_cb_result = (int*)parse_arg;
6032 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6033 return 1;
6034}
6035
6036static int test_serverinfo_custom(const int idx)
6037{
6038 SSL_CTX *sctx = NULL, *cctx = NULL;
6039 SSL *clientssl = NULL, *serverssl = NULL;
6040 int testresult = 0;
6041 int cb_result = 0;
6042
6043 /*
6044 * Following variables are set in the switch statement
6045 * according to the test iteration.
6046 * Default values do not make much sense: test would fail with them.
6047 */
6048 int serverinfo_version = 0;
6049 int protocol_version = 0;
6050 unsigned int extension_context = 0;
6051 const unsigned char *si = NULL;
6052 size_t si_len = 0;
6053
6054 const int call_use_serverinfo_ex = idx > 0;
6055 switch (idx) {
6056 case 0: /* FALLTHROUGH */
6057 case 1:
6058 serverinfo_version = SSL_SERVERINFOV1;
6059 protocol_version = TLS1_2_VERSION;
6060 extension_context = SYNTHV1CONTEXT;
6061 si = serverinfo_custom_v1;
6062 si_len = serverinfo_custom_v1_len;
6063 break;
6064 case 2:
6065 serverinfo_version = SSL_SERVERINFOV2;
6066 protocol_version = TLS1_2_VERSION;
6067 extension_context = SYNTHV1CONTEXT;
6068 si = serverinfo_custom_v2;
6069 si_len = serverinfo_custom_v2_len;
6070 break;
6071 case 3:
6072 serverinfo_version = SSL_SERVERINFOV2;
6073 protocol_version = TLS1_3_VERSION;
6074 extension_context = TLS13CONTEXT;
6075 si = serverinfo_custom_tls13;
6076 si_len = serverinfo_custom_tls13_len;
6077 break;
6078 }
6079
6080 if (!TEST_true(create_ssl_ctx_pair(libctx,
6081 TLS_method(),
6082 TLS_method(),
6083 protocol_version,
6084 protocol_version,
6085 &sctx, &cctx, cert, privkey)))
6086 goto end;
6087
6088 if (call_use_serverinfo_ex) {
6089 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6090 si, si_len)))
6091 goto end;
6092 } else {
6093 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6094 goto end;
6095 }
6096
6097 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6098 extension_context,
6099 NULL, NULL, NULL,
6100 serverinfo_custom_parse_cb,
6101 &cb_result))
6102 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6103 NULL, NULL))
6104 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6105 SSL_ERROR_NONE))
6106 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6107 goto end;
6108
6109 if (!TEST_true(cb_result))
6110 goto end;
6111
6112 testresult = 1;
6113
6114 end:
6115 SSL_free(serverssl);
6116 SSL_free(clientssl);
6117 SSL_CTX_free(sctx);
6118 SSL_CTX_free(cctx);
6119
6120 return testresult;
6121}
6122#endif
6123
6124/*
6125 * Test that SSL_export_keying_material() produces expected results. There are
6126 * no test vectors so all we do is test that both sides of the communication
6127 * produce the same results for different protocol versions.
6128 */
6129#define SMALL_LABEL_LEN 10
6130#define LONG_LABEL_LEN 249
6131static int test_export_key_mat(int tst)
6132{
6133 int testresult = 0;
6134 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6135 SSL *clientssl = NULL, *serverssl = NULL;
6136 const char label[LONG_LABEL_LEN + 1] = "test label";
6137 const unsigned char context[] = "context";
6138 const unsigned char *emptycontext = NULL;
6139 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6140 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6141 size_t labellen;
6142 const int protocols[] = {
6143 TLS1_VERSION,
6144 TLS1_1_VERSION,
6145 TLS1_2_VERSION,
6146 TLS1_3_VERSION,
6147 TLS1_3_VERSION,
6148 TLS1_3_VERSION
6149 };
6150
6151#ifdef OPENSSL_NO_TLS1
6152 if (tst == 0)
6153 return 1;
6154#endif
6155#ifdef OPENSSL_NO_TLS1_1
6156 if (tst == 1)
6157 return 1;
6158#endif
6159 if (is_fips && (tst == 0 || tst == 1))
6160 return 1;
6161#ifdef OPENSSL_NO_TLS1_2
6162 if (tst == 2)
6163 return 1;
6164#endif
6165#ifdef OSSL_NO_USABLE_TLS1_3
6166 if (tst >= 3)
6167 return 1;
6168#endif
6169 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6170 TLS_client_method(), TLS1_VERSION, 0,
6171 &sctx, &cctx, cert, privkey)))
6172 goto end;
6173
6174 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6175 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6176 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6177 if ((protocols[tst] < TLS1_2_VERSION) &&
6178 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6179 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6180 goto end;
6181
6182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6183 NULL)))
6184 goto end;
6185
6186 /*
6187 * Premature call of SSL_export_keying_material should just fail.
6188 */
6189 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6190 sizeof(ckeymat1), label,
6191 SMALL_LABEL_LEN + 1, context,
6192 sizeof(context) - 1, 1), 0))
6193 goto end;
6194
6195 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6196 SSL_ERROR_NONE)))
6197 goto end;
6198
6199 if (tst == 5) {
6200 /*
6201 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6202 * go over that.
6203 */
6204 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6205 sizeof(ckeymat1), label,
6206 LONG_LABEL_LEN + 1, context,
6207 sizeof(context) - 1, 1), 0))
6208 goto end;
6209
6210 testresult = 1;
6211 goto end;
6212 } else if (tst == 4) {
6213 labellen = LONG_LABEL_LEN;
6214 } else {
6215 labellen = SMALL_LABEL_LEN;
6216 }
6217
6218 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6219 sizeof(ckeymat1), label,
6220 labellen, context,
6221 sizeof(context) - 1, 1), 1)
6222 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6223 sizeof(ckeymat2), label,
6224 labellen,
6225 emptycontext,
6226 0, 1), 1)
6227 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6228 sizeof(ckeymat3), label,
6229 labellen,
6230 NULL, 0, 0), 1)
6231 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6232 sizeof(skeymat1), label,
6233 labellen,
6234 context,
6235 sizeof(context) -1, 1),
6236 1)
6237 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6238 sizeof(skeymat2), label,
6239 labellen,
6240 emptycontext,
6241 0, 1), 1)
6242 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6243 sizeof(skeymat3), label,
6244 labellen,
6245 NULL, 0, 0), 1)
6246 /*
6247 * Check that both sides created the same key material with the
6248 * same context.
6249 */
6250 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6251 sizeof(skeymat1))
6252 /*
6253 * Check that both sides created the same key material with an
6254 * empty context.
6255 */
6256 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6257 sizeof(skeymat2))
6258 /*
6259 * Check that both sides created the same key material without a
6260 * context.
6261 */
6262 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6263 sizeof(skeymat3))
6264 /* Different contexts should produce different results */
6265 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6266 sizeof(ckeymat2)))
6267 goto end;
6268
6269 /*
6270 * Check that an empty context and no context produce different results in
6271 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6272 */
6273 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6274 sizeof(ckeymat3)))
6275 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6276 sizeof(ckeymat3))))
6277 goto end;
6278
6279 testresult = 1;
6280
6281 end:
6282 SSL_free(serverssl);
6283 SSL_free(clientssl);
6284 SSL_CTX_free(sctx2);
6285 SSL_CTX_free(sctx);
6286 SSL_CTX_free(cctx);
6287
6288 return testresult;
6289}
6290
6291#ifndef OSSL_NO_USABLE_TLS1_3
6292/*
6293 * Test that SSL_export_keying_material_early() produces expected
6294 * results. There are no test vectors so all we do is test that both
6295 * sides of the communication produce the same results for different
6296 * protocol versions.
6297 */
6298static int test_export_key_mat_early(int idx)
6299{
6300 static const char label[] = "test label";
6301 static const unsigned char context[] = "context";
6302 int testresult = 0;
6303 SSL_CTX *cctx = NULL, *sctx = NULL;
6304 SSL *clientssl = NULL, *serverssl = NULL;
6305 SSL_SESSION *sess = NULL;
6306 const unsigned char *emptycontext = NULL;
6307 unsigned char ckeymat1[80], ckeymat2[80];
6308 unsigned char skeymat1[80], skeymat2[80];
6309 unsigned char buf[1];
6310 size_t readbytes, written;
6311
6312 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6313 &sess, idx)))
6314 goto end;
6315
6316 /* Here writing 0 length early data is enough. */
6317 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6318 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6319 &readbytes),
6320 SSL_READ_EARLY_DATA_ERROR)
6321 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6322 SSL_EARLY_DATA_ACCEPTED))
6323 goto end;
6324
6325 if (!TEST_int_eq(SSL_export_keying_material_early(
6326 clientssl, ckeymat1, sizeof(ckeymat1), label,
6327 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6328 || !TEST_int_eq(SSL_export_keying_material_early(
6329 clientssl, ckeymat2, sizeof(ckeymat2), label,
6330 sizeof(label) - 1, emptycontext, 0), 1)
6331 || !TEST_int_eq(SSL_export_keying_material_early(
6332 serverssl, skeymat1, sizeof(skeymat1), label,
6333 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6334 || !TEST_int_eq(SSL_export_keying_material_early(
6335 serverssl, skeymat2, sizeof(skeymat2), label,
6336 sizeof(label) - 1, emptycontext, 0), 1)
6337 /*
6338 * Check that both sides created the same key material with the
6339 * same context.
6340 */
6341 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6342 sizeof(skeymat1))
6343 /*
6344 * Check that both sides created the same key material with an
6345 * empty context.
6346 */
6347 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6348 sizeof(skeymat2))
6349 /* Different contexts should produce different results */
6350 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6351 sizeof(ckeymat2)))
6352 goto end;
6353
6354 testresult = 1;
6355
6356 end:
6357 SSL_SESSION_free(sess);
6358 SSL_SESSION_free(clientpsk);
6359 SSL_SESSION_free(serverpsk);
6360 clientpsk = serverpsk = NULL;
6361 SSL_free(serverssl);
6362 SSL_free(clientssl);
6363 SSL_CTX_free(sctx);
6364 SSL_CTX_free(cctx);
6365
6366 return testresult;
6367}
6368
6369#define NUM_KEY_UPDATE_MESSAGES 40
6370/*
6371 * Test KeyUpdate.
6372 */
6373static int test_key_update(void)
6374{
6375 SSL_CTX *cctx = NULL, *sctx = NULL;
6376 SSL *clientssl = NULL, *serverssl = NULL;
6377 int testresult = 0, i, j;
6378 char buf[20];
6379 static char *mess = "A test message";
6380
6381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6382 TLS_client_method(),
6383 TLS1_3_VERSION,
6384 0,
6385 &sctx, &cctx, cert, privkey))
6386 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6387 NULL, NULL))
6388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6389 SSL_ERROR_NONE)))
6390 goto end;
6391
6392 for (j = 0; j < 2; j++) {
6393 /* Send lots of KeyUpdate messages */
6394 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6395 if (!TEST_true(SSL_key_update(clientssl,
6396 (j == 0)
6397 ? SSL_KEY_UPDATE_NOT_REQUESTED
6398 : SSL_KEY_UPDATE_REQUESTED))
6399 || !TEST_true(SSL_do_handshake(clientssl)))
6400 goto end;
6401 }
6402
6403 /* Check that sending and receiving app data is ok */
6404 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6405 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6406 strlen(mess)))
6407 goto end;
6408
6409 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6410 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6411 strlen(mess)))
6412 goto end;
6413 }
6414
6415 testresult = 1;
6416
6417 end:
6418 SSL_free(serverssl);
6419 SSL_free(clientssl);
6420 SSL_CTX_free(sctx);
6421 SSL_CTX_free(cctx);
6422
6423 return testresult;
6424}
6425
6426/*
6427 * Test we can handle a KeyUpdate (update requested) message while
6428 * write data is pending in peer.
6429 * Test 0: Client sends KeyUpdate while Server is writing
6430 * Test 1: Server sends KeyUpdate while Client is writing
6431 */
6432static int test_key_update_peer_in_write(int tst)
6433{
6434 SSL_CTX *cctx = NULL, *sctx = NULL;
6435 SSL *clientssl = NULL, *serverssl = NULL;
6436 int testresult = 0;
6437 char buf[20];
6438 static char *mess = "A test message";
6439 BIO *bretry = BIO_new(bio_s_always_retry());
6440 BIO *tmp = NULL;
6441 SSL *peerupdate = NULL, *peerwrite = NULL;
6442
6443 if (!TEST_ptr(bretry)
6444 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6445 TLS_client_method(),
6446 TLS1_3_VERSION,
6447 0,
6448 &sctx, &cctx, cert, privkey))
6449 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6450 NULL, NULL))
6451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6452 SSL_ERROR_NONE)))
6453 goto end;
6454
6455 peerupdate = tst == 0 ? clientssl : serverssl;
6456 peerwrite = tst == 0 ? serverssl : clientssl;
6457
6458 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6459 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6460 goto end;
6461
6462 /* Swap the writing endpoint's write BIO to force a retry */
6463 tmp = SSL_get_wbio(peerwrite);
6464 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6465 tmp = NULL;
6466 goto end;
6467 }
6468 SSL_set0_wbio(peerwrite, bretry);
6469 bretry = NULL;
6470
6471 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6472 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6473 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6474 goto end;
6475
6476 /* Reinstate the original writing endpoint's write BIO */
6477 SSL_set0_wbio(peerwrite, tmp);
6478 tmp = NULL;
6479
6480 /* Now read some data - we will read the key update */
6481 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6482 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6483 goto end;
6484
6485 /*
6486 * Complete the write we started previously and read it from the other
6487 * endpoint
6488 */
6489 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6491 goto end;
6492
6493 /* Write more data to ensure we send the KeyUpdate message back */
6494 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6495 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6496 goto end;
6497
6498 testresult = 1;
6499
6500 end:
6501 SSL_free(serverssl);
6502 SSL_free(clientssl);
6503 SSL_CTX_free(sctx);
6504 SSL_CTX_free(cctx);
6505 BIO_free(bretry);
6506 BIO_free(tmp);
6507
6508 return testresult;
6509}
6510
6511/*
6512 * Test we can handle a KeyUpdate (update requested) message while
6513 * peer read data is pending after peer accepted keyupdate(the msg header
6514 * had been read 5 bytes).
6515 * Test 0: Client sends KeyUpdate while Server is reading
6516 * Test 1: Server sends KeyUpdate while Client is reading
6517 */
6518static int test_key_update_peer_in_read(int tst)
6519{
6520 SSL_CTX *cctx = NULL, *sctx = NULL;
6521 SSL *clientssl = NULL, *serverssl = NULL;
6522 int testresult = 0;
6523 char prbuf[515], lwbuf[515] = {0};
6524 static char *mess = "A test message";
6525 BIO *lbio = NULL, *pbio = NULL;
6526 SSL *local = NULL, *peer = NULL;
6527
6528 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6529 TLS_client_method(),
6530 TLS1_3_VERSION,
6531 0,
6532 &sctx, &cctx, cert, privkey))
6533 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6534 NULL, NULL))
6535 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6536 SSL_ERROR_NONE)))
6537 goto end;
6538
6539 local = tst == 0 ? clientssl : serverssl;
6540 peer = tst == 0 ? serverssl : clientssl;
6541
6542 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6543 goto end;
6544
6545 SSL_set_bio(local, lbio, lbio);
6546 SSL_set_bio(peer, pbio, pbio);
6547
6548 /*
6549 * we first write keyupdate msg then appdata in local
6550 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6551 * lwbuf app data msg size + key updata msg size > 512(the size of
6552 * the bio pair buffer)
6553 */
6554 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6555 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6556 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6557 goto end;
6558
6559 /*
6560 * first read keyupdate msg in peer in peer
6561 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6562 */
6563 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6564 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6565 goto end;
6566
6567 /* Now write some data in peer - we will write the key update */
6568 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6569 goto end;
6570
6571 /*
6572 * write data in local previously that we will complete
6573 * read data in peer previously that we will complete
6574 */
6575 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6576 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6577 goto end;
6578
6579 /* check that sending and receiving appdata ok */
6580 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6581 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6582 goto end;
6583
6584 testresult = 1;
6585
6586 end:
6587 SSL_free(serverssl);
6588 SSL_free(clientssl);
6589 SSL_CTX_free(sctx);
6590 SSL_CTX_free(cctx);
6591
6592 return testresult;
6593}
6594
6595/*
6596 * Test we can't send a KeyUpdate (update requested) message while
6597 * local write data is pending.
6598 * Test 0: Client sends KeyUpdate while Client is writing
6599 * Test 1: Server sends KeyUpdate while Server is writing
6600 */
6601static int test_key_update_local_in_write(int tst)
6602{
6603 SSL_CTX *cctx = NULL, *sctx = NULL;
6604 SSL *clientssl = NULL, *serverssl = NULL;
6605 int testresult = 0;
6606 char buf[20];
6607 static char *mess = "A test message";
6608 BIO *bretry = BIO_new(bio_s_always_retry());
6609 BIO *tmp = NULL;
6610 SSL *local = NULL, *peer = NULL;
6611
6612 if (!TEST_ptr(bretry)
6613 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6614 TLS_client_method(),
6615 TLS1_3_VERSION,
6616 0,
6617 &sctx, &cctx, cert, privkey))
6618 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6619 NULL, NULL))
6620 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6621 SSL_ERROR_NONE)))
6622 goto end;
6623
6624 local = tst == 0 ? clientssl : serverssl;
6625 peer = tst == 0 ? serverssl : clientssl;
6626
6627 /* Swap the writing endpoint's write BIO to force a retry */
6628 tmp = SSL_get_wbio(local);
6629 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6630 tmp = NULL;
6631 goto end;
6632 }
6633 SSL_set0_wbio(local, bretry);
6634 bretry = NULL;
6635
6636 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6637 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6638 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6639 goto end;
6640
6641 /* Reinstate the original writing endpoint's write BIO */
6642 SSL_set0_wbio(local, tmp);
6643 tmp = NULL;
6644
6645 /* SSL_key_update will fail, because writing in local*/
6646 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6647 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6648 goto end;
6649
6650 ERR_clear_error();
6651 /* write data in local previously that we will complete */
6652 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6653 goto end;
6654
6655 /* SSL_key_update will succeed because there is no pending write data */
6656 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6657 || !TEST_int_eq(SSL_do_handshake(local), 1))
6658 goto end;
6659
6660 /*
6661 * we write some appdata in local
6662 * read data in peer - we will read the keyupdate msg
6663 */
6664 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6665 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6666 goto end;
6667
6668 /* Write more peer more data to ensure we send the keyupdate message back */
6669 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6670 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6671 goto end;
6672
6673 testresult = 1;
6674
6675 end:
6676 SSL_free(serverssl);
6677 SSL_free(clientssl);
6678 SSL_CTX_free(sctx);
6679 SSL_CTX_free(cctx);
6680 BIO_free(bretry);
6681 BIO_free(tmp);
6682
6683 return testresult;
6684}
6685
6686/*
6687 * Test we can handle a KeyUpdate (update requested) message while
6688 * local read data is pending(the msg header had been read 5 bytes).
6689 * Test 0: Client sends KeyUpdate while Client is reading
6690 * Test 1: Server sends KeyUpdate while Server is reading
6691 */
6692static int test_key_update_local_in_read(int tst)
6693{
6694 SSL_CTX *cctx = NULL, *sctx = NULL;
6695 SSL *clientssl = NULL, *serverssl = NULL;
6696 int testresult = 0;
6697 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6698 static char *mess = "A test message";
6699 BIO *lbio = NULL, *pbio = NULL;
6700 SSL *local = NULL, *peer = NULL;
6701
6702 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6703 TLS_client_method(),
6704 TLS1_3_VERSION,
6705 0,
6706 &sctx, &cctx, cert, privkey))
6707 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6708 NULL, NULL))
6709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6710 SSL_ERROR_NONE)))
6711 goto end;
6712
6713 local = tst == 0 ? clientssl : serverssl;
6714 peer = tst == 0 ? serverssl : clientssl;
6715
6716 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6717 goto end;
6718
6719 SSL_set_bio(local, lbio, lbio);
6720 SSL_set_bio(peer, pbio, pbio);
6721
6722 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6723 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6724 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6725 goto end;
6726
6727 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6728 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6729 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6730 goto end;
6731
6732 /* SSL_do_handshake will send keyupdate msg */
6733 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6734 || !TEST_int_eq(SSL_do_handshake(local), 1))
6735 goto end;
6736
6737 /*
6738 * write data in peer previously that we will complete
6739 * read data in local previously that we will complete
6740 */
6741 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6742 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6743 goto end;
6744
6745 /*
6746 * write data in local
6747 * read data in peer - we will read the key update
6748 */
6749 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6750 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6751 goto end;
6752
6753 /* Write more peer data to ensure we send the keyupdate message back */
6754 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6755 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6756 goto end;
6757
6758 testresult = 1;
6759
6760 end:
6761 SSL_free(serverssl);
6762 SSL_free(clientssl);
6763 SSL_CTX_free(sctx);
6764 SSL_CTX_free(cctx);
6765
6766 return testresult;
6767}
6768#endif /* OSSL_NO_USABLE_TLS1_3 */
6769
6770static int test_ssl_clear(int idx)
6771{
6772 SSL_CTX *cctx = NULL, *sctx = NULL;
6773 SSL *clientssl = NULL, *serverssl = NULL;
6774 int testresult = 0;
6775
6776#ifdef OPENSSL_NO_TLS1_2
6777 if (idx == 1)
6778 return 1;
6779#endif
6780
6781 /* Create an initial connection */
6782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6783 TLS_client_method(), TLS1_VERSION, 0,
6784 &sctx, &cctx, cert, privkey))
6785 || (idx == 1
6786 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6787 TLS1_2_VERSION)))
6788 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6789 &clientssl, NULL, NULL))
6790 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6791 SSL_ERROR_NONE)))
6792 goto end;
6793
6794 SSL_shutdown(clientssl);
6795 SSL_shutdown(serverssl);
6796 SSL_free(serverssl);
6797 serverssl = NULL;
6798
6799 /* Clear clientssl - we're going to reuse the object */
6800 if (!TEST_true(SSL_clear(clientssl)))
6801 goto end;
6802
6803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6804 NULL, NULL))
6805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6806 SSL_ERROR_NONE))
6807 || !TEST_true(SSL_session_reused(clientssl)))
6808 goto end;
6809
6810 SSL_shutdown(clientssl);
6811 SSL_shutdown(serverssl);
6812
6813 testresult = 1;
6814
6815 end:
6816 SSL_free(serverssl);
6817 SSL_free(clientssl);
6818 SSL_CTX_free(sctx);
6819 SSL_CTX_free(cctx);
6820
6821 return testresult;
6822}
6823
6824/* Parse CH and retrieve any MFL extension value if present */
6825static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6826{
6827 long len;
6828 unsigned char *data;
6829 PACKET pkt, pkt2, pkt3;
6830 unsigned int MFL_code = 0, type = 0;
6831
6832 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6833 goto end;
6834
6835 memset(&pkt, 0, sizeof(pkt));
6836 memset(&pkt2, 0, sizeof(pkt2));
6837 memset(&pkt3, 0, sizeof(pkt3));
6838
6839 if (!TEST_long_gt(len, 0)
6840 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6841 /* Skip the record header */
6842 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6843 /* Skip the handshake message header */
6844 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6845 /* Skip client version and random */
6846 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6847 + SSL3_RANDOM_SIZE))
6848 /* Skip session id */
6849 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6850 /* Skip ciphers */
6851 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6852 /* Skip compression */
6853 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6854 /* Extensions len */
6855 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6856 goto end;
6857
6858 /* Loop through all extensions */
6859 while (PACKET_remaining(&pkt2)) {
6860 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6861 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6862 goto end;
6863
6864 if (type == TLSEXT_TYPE_max_fragment_length) {
6865 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6866 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6867 goto end;
6868
6869 *mfl_codemfl_code = MFL_code;
6870 return 1;
6871 }
6872 }
6873
6874 end:
6875 return 0;
6876}
6877
6878/* Maximum-Fragment-Length TLS extension mode to test */
6879static const unsigned char max_fragment_len_test[] = {
6880 TLSEXT_max_fragment_length_512,
6881 TLSEXT_max_fragment_length_1024,
6882 TLSEXT_max_fragment_length_2048,
6883 TLSEXT_max_fragment_length_4096
6884};
6885
6886static int test_max_fragment_len_ext(int idx_tst)
6887{
6888 SSL_CTX *ctx = NULL;
6889 SSL *con = NULL;
6890 int testresult = 0, MFL_mode = 0;
6891 BIO *rbio, *wbio;
6892
6893 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6894 TLS1_VERSION, 0, NULL, &ctx, NULL,
6895 NULL)))
6896 return 0;
6897
6898 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6899 ctx, max_fragment_len_test[idx_tst])))
6900 goto end;
6901
6902 con = SSL_new(ctx);
6903 if (!TEST_ptr(con))
6904 goto end;
6905
6906 rbio = BIO_new(BIO_s_mem());
6907 wbio = BIO_new(BIO_s_mem());
6908 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6909 BIO_free(rbio);
6910 BIO_free(wbio);
6911 goto end;
6912 }
6913
6914 SSL_set_bio(con, rbio, wbio);
6915
6916 if (!TEST_int_le(SSL_connect(con), 0)) {
6917 /* This shouldn't succeed because we don't have a server! */
6918 goto end;
6919 }
6920
6921 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6922 /* no MFL in client hello */
6923 goto end;
6924 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6925 goto end;
6926
6927 testresult = 1;
6928
6929end:
6930 SSL_free(con);
6931 SSL_CTX_free(ctx);
6932
6933 return testresult;
6934}
6935
6936#ifndef OSSL_NO_USABLE_TLS1_3
6937static int test_pha_key_update(void)
6938{
6939 SSL_CTX *cctx = NULL, *sctx = NULL;
6940 SSL *clientssl = NULL, *serverssl = NULL;
6941 int testresult = 0;
6942
6943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6944 TLS_client_method(), TLS1_VERSION, 0,
6945 &sctx, &cctx, cert, privkey)))
6946 return 0;
6947
6948 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6949 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6950 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6951 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6952 goto end;
6953
6954 SSL_CTX_set_post_handshake_auth(cctx, 1);
6955
6956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6957 NULL, NULL)))
6958 goto end;
6959
6960 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6961 SSL_ERROR_NONE)))
6962 goto end;
6963
6964 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6965 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6966 goto end;
6967
6968 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6969 goto end;
6970
6971 /* Start handshake on the server */
6972 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6973 goto end;
6974
6975 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6976 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6977 SSL_ERROR_NONE)))
6978 goto end;
6979
6980 SSL_shutdown(clientssl);
6981 SSL_shutdown(serverssl);
6982
6983 testresult = 1;
6984
6985 end:
6986 SSL_free(serverssl);
6987 SSL_free(clientssl);
6988 SSL_CTX_free(sctx);
6989 SSL_CTX_free(cctx);
6990 return testresult;
6991}
6992#endif
6993
6994#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6995
6996static SRP_VBASE *vbase = NULL;
6997
6998static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6999{
7000 int ret = SSL3_AL_FATAL;
7001 char *username;
7002 SRP_user_pwd *user = NULL;
7003
7004 username = SSL_get_srp_username(s);
7005 if (username == NULL) {
7006 *ad = SSL_AD_INTERNAL_ERROR;
7007 goto err;
7008 }
7009
7010 user = SRP_VBASE_get1_by_user(vbase, username);
7011 if (user == NULL) {
7012 *ad = SSL_AD_INTERNAL_ERROR;
7013 goto err;
7014 }
7015
7016 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7017 user->info) <= 0) {
7018 *ad = SSL_AD_INTERNAL_ERROR;
7019 goto err;
7020 }
7021
7022 ret = 0;
7023
7024 err:
7025 SRP_user_pwd_free(user);
7026 return ret;
7027}
7028
7029static int create_new_vfile(char *userid, char *password, const char *filename)
7030{
7031 char *gNid = NULL;
7032 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7033 TXT_DB *db = NULL;
7034 int ret = 0;
7035 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7036 size_t i;
7037
7038 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7039 goto end;
7040
7041 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7042 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7043 if (!TEST_ptr(gNid))
7044 goto end;
7045
7046 /*
7047 * The only way to create an empty TXT_DB is to provide a BIO with no data
7048 * in it!
7049 */
7050 db = TXT_DB_read(dummy, DB_NUMBER);
7051 if (!TEST_ptr(db))
7052 goto end;
7053
7054 out = BIO_new_file(filename, "w");
7055 if (!TEST_ptr(out))
7056 goto end;
7057
7058 row[DB_srpid] = OPENSSL_strdup(userid);
7059 row[DB_srptype] = OPENSSL_strdup("V");
7060 row[DB_srpgN] = OPENSSL_strdup(gNid);
7061
7062 if (!TEST_ptr(row[DB_srpid])
7063 || !TEST_ptr(row[DB_srptype])
7064 || !TEST_ptr(row[DB_srpgN])
7065 || !TEST_true(TXT_DB_insert(db, row)))
7066 goto end;
7067
7068 row = NULL;
7069
7070 if (TXT_DB_write(out, db) <= 0)
7071 goto end;
7072
7073 ret = 1;
7074 end:
7075 if (row != NULL) {
7076 for (i = 0; i < DB_NUMBER; i++)
7077 OPENSSL_free(row[i]);
7078 }
7079 OPENSSL_free(row);
7080 BIO_free(dummy);
7081 BIO_free(out);
7082 TXT_DB_free(db);
7083
7084 return ret;
7085}
7086
7087static int create_new_vbase(char *userid, char *password)
7088{
7089 BIGNUM *verifier = NULL, *salt = NULL;
7090 const SRP_gN *lgN = NULL;
7091 SRP_user_pwd *user_pwd = NULL;
7092 int ret = 0;
7093
7094 lgN = SRP_get_default_gN(NULL);
7095 if (!TEST_ptr(lgN))
7096 goto end;
7097
7098 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7099 lgN->N, lgN->g, libctx, NULL)))
7100 goto end;
7101
7102 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7103 if (!TEST_ptr(user_pwd))
7104 goto end;
7105
7106 user_pwd->N = lgN->N;
7107 user_pwd->g = lgN->g;
7108 user_pwd->id = OPENSSL_strdup(userid);
7109 if (!TEST_ptr(user_pwd->id))
7110 goto end;
7111
7112 user_pwd->v = verifier;
7113 user_pwd->s = salt;
7114 verifier = salt = NULL;
7115
7116 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7117 goto end;
7118 user_pwd = NULL;
7119
7120 ret = 1;
7121end:
7122 SRP_user_pwd_free(user_pwd);
7123 BN_free(salt);
7124 BN_free(verifier);
7125
7126 return ret;
7127}
7128
7129/*
7130 * SRP tests
7131 *
7132 * Test 0: Simple successful SRP connection, new vbase
7133 * Test 1: Connection failure due to bad password, new vbase
7134 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7135 * Test 3: Connection failure due to bad password, vbase loaded from existing
7136 * file
7137 * Test 4: Simple successful SRP connection, vbase loaded from new file
7138 * Test 5: Connection failure due to bad password, vbase loaded from new file
7139 */
7140static int test_srp(int tst)
7141{
7142 char *userid = "test", *password = "password", *tstsrpfile;
7143 SSL_CTX *cctx = NULL, *sctx = NULL;
7144 SSL *clientssl = NULL, *serverssl = NULL;
7145 int ret, testresult = 0;
7146
7147 vbase = SRP_VBASE_new(NULL);
7148 if (!TEST_ptr(vbase))
7149 goto end;
7150
7151 if (tst == 0 || tst == 1) {
7152 if (!TEST_true(create_new_vbase(userid, password)))
7153 goto end;
7154 } else {
7155 if (tst == 4 || tst == 5) {
7156 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7157 goto end;
7158 tstsrpfile = tmpfilename;
7159 } else {
7160 tstsrpfile = srpvfile;
7161 }
7162 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7163 goto end;
7164 }
7165
7166 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7167 TLS_client_method(), TLS1_VERSION, 0,
7168 &sctx, &cctx, cert, privkey)))
7169 goto end;
7170
7171 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7172 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7173 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7174 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7175 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7176 goto end;
7177
7178 if (tst % 2 == 1) {
7179 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7180 goto end;
7181 } else {
7182 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7183 goto end;
7184 }
7185
7186 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7187 NULL, NULL)))
7188 goto end;
7189
7190 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7191 if (ret) {
7192 if (!TEST_true(tst % 2 == 0))
7193 goto end;
7194 } else {
7195 if (!TEST_true(tst % 2 == 1))
7196 goto end;
7197 }
7198
7199 testresult = 1;
7200
7201 end:
7202 SRP_VBASE_free(vbase);
7203 vbase = NULL;
7204 SSL_free(serverssl);
7205 SSL_free(clientssl);
7206 SSL_CTX_free(sctx);
7207 SSL_CTX_free(cctx);
7208
7209 return testresult;
7210}
7211#endif
7212
7213static int info_cb_failed = 0;
7214static int info_cb_offset = 0;
7215static int info_cb_this_state = -1;
7216
7217static struct info_cb_states_st {
7218 int where;
7219 const char *statestr;
7220} info_cb_states[][60] = {
7221 {
7222 /* TLSv1.2 server followed by resumption */
7223 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7224 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7225 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7226 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7227 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7228 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7229 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7230 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7231 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7232 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7233 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7234 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7235 {SSL_CB_EXIT, NULL}, {0, NULL},
7236 }, {
7237 /* TLSv1.2 client followed by resumption */
7238 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7239 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7240 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7241 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7242 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7243 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7244 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7245 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7246 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7247 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7248 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7250 }, {
7251 /* TLSv1.3 server followed by resumption */
7252 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7253 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7254 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7255 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7256 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7257 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7258 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7259 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7260 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7261 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7262 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7263 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7264 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7265 }, {
7266 /* TLSv1.3 client followed by resumption */
7267 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7268 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7269 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7270 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7271 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7272 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7273 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7274 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7275 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7276 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7277 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7278 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7279 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7280 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7281 {SSL_CB_EXIT, NULL}, {0, NULL},
7282 }, {
7283 /* TLSv1.3 server, early_data */
7284 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7285 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7286 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7287 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7288 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7289 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7290 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7291 {SSL_CB_EXIT, NULL}, {0, NULL},
7292 }, {
7293 /* TLSv1.3 client, early_data */
7294 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7295 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7296 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7297 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7298 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7299 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7300 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7301 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7302 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7303 }, {
7304 {0, NULL},
7305 }
7306};
7307
7308static void sslapi_info_callback(const SSL *s, int where, int ret)
7309{
7310 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7311
7312 /* We do not ever expect a connection to fail in this test */
7313 if (!TEST_false(ret == 0)) {
7314 info_cb_failed = 1;
7315 return;
7316 }
7317
7318 /*
7319 * Do some sanity checks. We never expect these things to happen in this
7320 * test
7321 */
7322 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7323 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7324 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7325 info_cb_failed = 1;
7326 return;
7327 }
7328
7329 /* Now check we're in the right state */
7330 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7331 info_cb_failed = 1;
7332 return;
7333 }
7334 if ((where & SSL_CB_LOOP) != 0
7335 && !TEST_int_eq(strcmp(SSL_state_string(s),
7336 state[info_cb_this_state].statestr), 0)) {
7337 info_cb_failed = 1;
7338 return;
7339 }
7340
7341 /*
7342 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7343 */
7344 if ((where & SSL_CB_HANDSHAKE_DONE)
7345 && SSL_in_init((SSL *)s) != 0) {
7346 info_cb_failed = 1;
7347 return;
7348 }
7349}
7350
7351/*
7352 * Test the info callback gets called when we expect it to.
7353 *
7354 * Test 0: TLSv1.2, server
7355 * Test 1: TLSv1.2, client
7356 * Test 2: TLSv1.3, server
7357 * Test 3: TLSv1.3, client
7358 * Test 4: TLSv1.3, server, early_data
7359 * Test 5: TLSv1.3, client, early_data
7360 */
7361static int test_info_callback(int tst)
7362{
7363 SSL_CTX *cctx = NULL, *sctx = NULL;
7364 SSL *clientssl = NULL, *serverssl = NULL;
7365 SSL_SESSION *clntsess = NULL;
7366 int testresult = 0;
7367 int tlsvers;
7368
7369 if (tst < 2) {
7370/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7371#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7372 || !defined(OPENSSL_NO_DH))
7373 tlsvers = TLS1_2_VERSION;
7374#else
7375 return 1;
7376#endif
7377 } else {
7378#ifndef OSSL_NO_USABLE_TLS1_3
7379 tlsvers = TLS1_3_VERSION;
7380#else
7381 return 1;
7382#endif
7383 }
7384
7385 /* Reset globals */
7386 info_cb_failed = 0;
7387 info_cb_this_state = -1;
7388 info_cb_offset = tst;
7389
7390#ifndef OSSL_NO_USABLE_TLS1_3
7391 if (tst >= 4) {
7392 SSL_SESSION *sess = NULL;
7393 size_t written, readbytes;
7394 unsigned char buf[80];
7395
7396 /* early_data tests */
7397 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7398 &serverssl, &sess, 0)))
7399 goto end;
7400
7401 /* We don't actually need this reference */
7402 SSL_SESSION_free(sess);
7403
7404 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7405 sslapi_info_callback);
7406
7407 /* Write and read some early data and then complete the connection */
7408 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7409 &written))
7410 || !TEST_size_t_eq(written, strlen(MSG1))
7411 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7412 sizeof(buf), &readbytes),
7413 SSL_READ_EARLY_DATA_SUCCESS)
7414 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7415 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7416 SSL_EARLY_DATA_ACCEPTED)
7417 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7418 SSL_ERROR_NONE))
7419 || !TEST_false(info_cb_failed))
7420 goto end;
7421
7422 testresult = 1;
7423 goto end;
7424 }
7425#endif
7426
7427 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7428 TLS_client_method(),
7429 tlsvers, tlsvers, &sctx, &cctx, cert,
7430 privkey)))
7431 goto end;
7432
7433 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7434 goto end;
7435
7436 /*
7437 * For even numbered tests we check the server callbacks. For odd numbers we
7438 * check the client.
7439 */
7440 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7441 sslapi_info_callback);
7442
7443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7444 &clientssl, NULL, NULL))
7445 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7446 SSL_ERROR_NONE))
7447 || !TEST_false(info_cb_failed))
7448 goto end;
7449
7450
7451
7452 clntsess = SSL_get1_session(clientssl);
7453 SSL_shutdown(clientssl);
7454 SSL_shutdown(serverssl);
7455 SSL_free(serverssl);
7456 SSL_free(clientssl);
7457 serverssl = clientssl = NULL;
7458
7459 /* Now do a resumption */
7460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7461 NULL))
7462 || !TEST_true(SSL_set_session(clientssl, clntsess))
7463 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7464 SSL_ERROR_NONE))
7465 || !TEST_true(SSL_session_reused(clientssl))
7466 || !TEST_false(info_cb_failed))
7467 goto end;
7468
7469 testresult = 1;
7470
7471 end:
7472 SSL_free(serverssl);
7473 SSL_free(clientssl);
7474 SSL_SESSION_free(clntsess);
7475 SSL_CTX_free(sctx);
7476 SSL_CTX_free(cctx);
7477 return testresult;
7478}
7479
7480static int test_ssl_pending(int tst)
7481{
7482 SSL_CTX *cctx = NULL, *sctx = NULL;
7483 SSL *clientssl = NULL, *serverssl = NULL;
7484 int testresult = 0;
7485 char msg[] = "A test message";
7486 char buf[5];
7487 size_t written, readbytes;
7488
7489 if (tst == 0) {
7490 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7491 TLS_client_method(),
7492 TLS1_VERSION, 0,
7493 &sctx, &cctx, cert, privkey)))
7494 goto end;
7495 } else {
7496#ifndef OPENSSL_NO_DTLS
7497 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7498 DTLS_client_method(),
7499 DTLS1_VERSION, 0,
7500 &sctx, &cctx, cert, privkey)))
7501 goto end;
7502
7503# ifdef OPENSSL_NO_DTLS1_2
7504 /* Not supported in the FIPS provider */
7505 if (is_fips) {
7506 testresult = 1;
7507 goto end;
7508 };
7509 /*
7510 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7511 * level 0
7512 */
7513 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7514 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7515 "DEFAULT:@SECLEVEL=0")))
7516 goto end;
7517# endif
7518#else
7519 return 1;
7520#endif
7521 }
7522
7523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7524 NULL, NULL))
7525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7526 SSL_ERROR_NONE)))
7527 goto end;
7528
7529 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7530 || !TEST_false(SSL_has_pending(clientssl))
7531 || !TEST_int_eq(SSL_pending(serverssl), 0)
7532 || !TEST_false(SSL_has_pending(serverssl))
7533 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7534 || !TEST_size_t_eq(written, sizeof(msg))
7535 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7536 || !TEST_size_t_eq(readbytes, sizeof(buf))
7537 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7538 || !TEST_true(SSL_has_pending(clientssl)))
7539 goto end;
7540
7541 testresult = 1;
7542
7543 end:
7544 SSL_free(serverssl);
7545 SSL_free(clientssl);
7546 SSL_CTX_free(sctx);
7547 SSL_CTX_free(cctx);
7548
7549 return testresult;
7550}
7551
7552static struct {
7553 unsigned int maxprot;
7554 const char *clntciphers;
7555 const char *clnttls13ciphers;
7556 const char *srvrciphers;
7557 const char *srvrtls13ciphers;
7558 const char *shared;
7559 const char *fipsshared;
7560} shared_ciphers_data[] = {
7561/*
7562 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7563 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7564 */
7565#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7566 {
7567 TLS1_2_VERSION,
7568 "AES128-SHA:AES256-SHA",
7569 NULL,
7570 "AES256-SHA:DHE-RSA-AES128-SHA",
7571 NULL,
7572 "AES256-SHA",
7573 "AES256-SHA"
7574 },
7575# if !defined(OPENSSL_NO_CHACHA) \
7576 && !defined(OPENSSL_NO_POLY1305) \
7577 && !defined(OPENSSL_NO_EC)
7578 {
7579 TLS1_2_VERSION,
7580 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7581 NULL,
7582 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7583 NULL,
7584 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7585 "AES128-SHA"
7586 },
7587# endif
7588 {
7589 TLS1_2_VERSION,
7590 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7591 NULL,
7592 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7593 NULL,
7594 "AES128-SHA:AES256-SHA",
7595 "AES128-SHA:AES256-SHA"
7596 },
7597 {
7598 TLS1_2_VERSION,
7599 "AES128-SHA:AES256-SHA",
7600 NULL,
7601 "AES128-SHA:DHE-RSA-AES128-SHA",
7602 NULL,
7603 "AES128-SHA",
7604 "AES128-SHA"
7605 },
7606#endif
7607/*
7608 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7609 * enabled.
7610 */
7611#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7612 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7613 {
7614 TLS1_3_VERSION,
7615 "AES128-SHA:AES256-SHA",
7616 NULL,
7617 "AES256-SHA:AES128-SHA256",
7618 NULL,
7619 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7620 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7621 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7622 },
7623#endif
7624#ifndef OSSL_NO_USABLE_TLS1_3
7625 {
7626 TLS1_3_VERSION,
7627 "AES128-SHA",
7628 "TLS_AES_256_GCM_SHA384",
7629 "AES256-SHA",
7630 "TLS_AES_256_GCM_SHA384",
7631 "TLS_AES_256_GCM_SHA384",
7632 "TLS_AES_256_GCM_SHA384"
7633 },
7634#endif
7635};
7636
7637static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7638{
7639 SSL_CTX *cctx = NULL, *sctx = NULL;
7640 SSL *clientssl = NULL, *serverssl = NULL;
7641 int testresult = 0;
7642 char buf[1024];
7643 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7644
7645 if (!TEST_ptr(tmplibctx))
7646 goto end;
7647
7648 /*
7649 * Regardless of whether we're testing with the FIPS provider loaded into
7650 * libctx, we want one peer to always use the full set of ciphersuites
7651 * available. Therefore we use a separate libctx with the default provider
7652 * loaded into it. We run the same tests twice - once with the client side
7653 * having the full set of ciphersuites and once with the server side.
7654 */
7655 if (clnt) {
7656 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7657 if (!TEST_ptr(cctx))
7658 goto end;
7659 } else {
7660 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7661 if (!TEST_ptr(sctx))
7662 goto end;
7663 }
7664
7665 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7666 TLS_client_method(),
7667 TLS1_VERSION,
7668 shared_ciphers_data[tst].maxprot,
7669 &sctx, &cctx, cert, privkey)))
7670 goto end;
7671
7672 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7673 shared_ciphers_data[tst].clntciphers))
7674 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7675 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7676 shared_ciphers_data[tst].clnttls13ciphers)))
7677 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7678 shared_ciphers_data[tst].srvrciphers))
7679 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7680 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7681 shared_ciphers_data[tst].srvrtls13ciphers))))
7682 goto end;
7683
7684
7685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7686 NULL, NULL))
7687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7688 SSL_ERROR_NONE)))
7689 goto end;
7690
7691 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7692 || !TEST_int_eq(strcmp(buf,
7693 is_fips
7694 ? shared_ciphers_data[tst].fipsshared
7695 : shared_ciphers_data[tst].shared),
7696 0)) {
7697 TEST_info("Shared ciphers are: %s\n", buf);
7698 goto end;
7699 }
7700
7701 testresult = 1;
7702
7703 end:
7704 SSL_free(serverssl);
7705 SSL_free(clientssl);
7706 SSL_CTX_free(sctx);
7707 SSL_CTX_free(cctx);
7708 OSSL_LIB_CTX_free(tmplibctx);
7709
7710 return testresult;
7711}
7712
7713static int test_ssl_get_shared_ciphers(int tst)
7714{
7715 return int_test_ssl_get_shared_ciphers(tst, 0)
7716 && int_test_ssl_get_shared_ciphers(tst, 1);
7717}
7718
7719
7720static const char *appdata = "Hello World";
7721static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7722static int tick_key_renew = 0;
7723static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7724
7725static int gen_tick_cb(SSL *s, void *arg)
7726{
7727 gen_tick_called = 1;
7728
7729 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7730 strlen(appdata));
7731}
7732
7733static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7734 const unsigned char *keyname,
7735 size_t keyname_length,
7736 SSL_TICKET_STATUS status,
7737 void *arg)
7738{
7739 void *tickdata;
7740 size_t tickdlen;
7741
7742 dec_tick_called = 1;
7743
7744 if (status == SSL_TICKET_EMPTY)
7745 return SSL_TICKET_RETURN_IGNORE_RENEW;
7746
7747 if (!TEST_true(status == SSL_TICKET_SUCCESS
7748 || status == SSL_TICKET_SUCCESS_RENEW))
7749 return SSL_TICKET_RETURN_ABORT;
7750
7751 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7752 &tickdlen))
7753 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7754 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7755 return SSL_TICKET_RETURN_ABORT;
7756
7757 if (tick_key_cb_called) {
7758 /* Don't change what the ticket key callback wanted to do */
7759 switch (status) {
7760 case SSL_TICKET_NO_DECRYPT:
7761 return SSL_TICKET_RETURN_IGNORE_RENEW;
7762
7763 case SSL_TICKET_SUCCESS:
7764 return SSL_TICKET_RETURN_USE;
7765
7766 case SSL_TICKET_SUCCESS_RENEW:
7767 return SSL_TICKET_RETURN_USE_RENEW;
7768
7769 default:
7770 return SSL_TICKET_RETURN_ABORT;
7771 }
7772 }
7773 return tick_dec_ret;
7774
7775}
7776
7777#ifndef OPENSSL_NO_DEPRECATED_3_0
7778static int tick_key_cb(SSL *s, unsigned char key_name[16],
7779 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7780 HMAC_CTX *hctx, int enc)
7781{
7782 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7783 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7784 EVP_CIPHER *aes128cbc;
7785 EVP_MD *sha256;
7786 int ret;
7787
7788 tick_key_cb_called = 1;
7789
7790 if (tick_key_renew == -1)
7791 return 0;
7792
7793 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7794 if (!TEST_ptr(aes128cbc))
7795 return 0;
7796 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7797 if (!TEST_ptr(sha256)) {
7798 EVP_CIPHER_free(aes128cbc);
7799 return 0;
7800 }
7801
7802 memset(iv, 0, AES_BLOCK_SIZE);
7803 memset(key_name, 0, 16);
7804 if (aes128cbc == NULL
7805 || sha256 == NULL
7806 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7807 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7808 NULL))
7809 ret = -1;
7810 else
7811 ret = tick_key_renew ? 2 : 1;
7812
7813 EVP_CIPHER_free(aes128cbc);
7814 EVP_MD_free(sha256);
7815
7816 return ret;
7817}
7818#endif
7819
7820static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7821 unsigned char iv[EVP_MAX_IV_LENGTH],
7822 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7823{
7824 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7825 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7826 OSSL_PARAM params[2];
7827 EVP_CIPHER *aes128cbc;
7828 int ret;
7829
7830 tick_key_cb_called = 1;
7831
7832 if (tick_key_renew == -1)
7833 return 0;
7834
7835 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7836 if (!TEST_ptr(aes128cbc))
7837 return 0;
7838
7839 memset(iv, 0, AES_BLOCK_SIZE);
7840 memset(key_name, 0, 16);
7841 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7842 "SHA256", 0);
7843 params[1] = OSSL_PARAM_construct_end();
7844 if (aes128cbc == NULL
7845 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7846 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7847 params))
7848 ret = -1;
7849 else
7850 ret = tick_key_renew ? 2 : 1;
7851
7852 EVP_CIPHER_free(aes128cbc);
7853
7854 return ret;
7855}
7856
7857/*
7858 * Test the various ticket callbacks
7859 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7860 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7861 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7862 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7863 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7864 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7865 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7866 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7867 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7868 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7869 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7870 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7871 * Test 12: TLSv1.2, old ticket key callback, no ticket
7872 * Test 13: TLSv1.3, old ticket key callback, no ticket
7873 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7874 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7875 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7876 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7877 * Test 18: TLSv1.2, ticket key callback, no ticket
7878 * Test 19: TLSv1.3, ticket key callback, no ticket
7879 */
7880static int test_ticket_callbacks(int tst)
7881{
7882 SSL_CTX *cctx = NULL, *sctx = NULL;
7883 SSL *clientssl = NULL, *serverssl = NULL;
7884 SSL_SESSION *clntsess = NULL;
7885 int testresult = 0;
7886
7887#ifdef OPENSSL_NO_TLS1_2
7888 if (tst % 2 == 0)
7889 return 1;
7890#endif
7891#ifdef OSSL_NO_USABLE_TLS1_3
7892 if (tst % 2 == 1)
7893 return 1;
7894#endif
7895#ifdef OPENSSL_NO_DEPRECATED_3_0
7896 if (tst >= 8 && tst <= 13)
7897 return 1;
7898#endif
7899
7900 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7901
7902 /* Which tests the ticket key callback should request renewal for */
7903
7904 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7905 tick_key_renew = 1;
7906 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7907 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7908 else
7909 tick_key_renew = 0;
7910
7911 /* Which tests the decrypt ticket callback should request renewal for */
7912 switch (tst) {
7913 case 0:
7914 case 1:
7915 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7916 break;
7917
7918 case 2:
7919 case 3:
7920 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7921 break;
7922
7923 case 4:
7924 case 5:
7925 tick_dec_ret = SSL_TICKET_RETURN_USE;
7926 break;
7927
7928 case 6:
7929 case 7:
7930 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7931 break;
7932
7933 default:
7934 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7935 }
7936
7937 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7938 TLS_client_method(),
7939 TLS1_VERSION,
7940 ((tst % 2) == 0) ? TLS1_2_VERSION
7941 : TLS1_3_VERSION,
7942 &sctx, &cctx, cert, privkey)))
7943 goto end;
7944
7945 /*
7946 * We only want sessions to resume from tickets - not the session cache. So
7947 * switch the cache off.
7948 */
7949 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7950 goto end;
7951
7952 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7953 NULL)))
7954 goto end;
7955
7956 if (tst >= 14) {
7957 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7958 goto end;
7959#ifndef OPENSSL_NO_DEPRECATED_3_0
7960 } else if (tst >= 8) {
7961 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7962 goto end;
7963#endif
7964 }
7965
7966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7967 NULL, NULL))
7968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7969 SSL_ERROR_NONE)))
7970 goto end;
7971
7972 /*
7973 * The decrypt ticket key callback in TLSv1.2 should be called even though
7974 * we have no ticket yet, because it gets called with a status of
7975 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7976 * actually send any ticket data). This does not happen in TLSv1.3 because
7977 * it is not valid to send empty ticket data in TLSv1.3.
7978 */
7979 if (!TEST_int_eq(gen_tick_called, 1)
7980 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
7981 goto end;
7982
7983 gen_tick_called = dec_tick_called = 0;
7984
7985 clntsess = SSL_get1_session(clientssl);
7986 SSL_shutdown(clientssl);
7987 SSL_shutdown(serverssl);
7988 SSL_free(serverssl);
7989 SSL_free(clientssl);
7990 serverssl = clientssl = NULL;
7991
7992 /* Now do a resumption */
7993 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7994 NULL))
7995 || !TEST_true(SSL_set_session(clientssl, clntsess))
7996 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7997 SSL_ERROR_NONE)))
7998 goto end;
7999
8000 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8001 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8002 || tick_key_renew == -1) {
8003 if (!TEST_false(SSL_session_reused(clientssl)))
8004 goto end;
8005 } else {
8006 if (!TEST_true(SSL_session_reused(clientssl)))
8007 goto end;
8008 }
8009
8010 if (!TEST_int_eq(gen_tick_called,
8011 (tick_key_renew
8012 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8013 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8014 ? 1 : 0)
8015 /* There is no ticket to decrypt in tests 13 and 19 */
8016 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8017 goto end;
8018
8019 testresult = 1;
8020
8021 end:
8022 SSL_SESSION_free(clntsess);
8023 SSL_free(serverssl);
8024 SSL_free(clientssl);
8025 SSL_CTX_free(sctx);
8026 SSL_CTX_free(cctx);
8027
8028 return testresult;
8029}
8030
8031/*
8032 * Test incorrect shutdown.
8033 * Test 0: client does not shutdown properly,
8034 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8035 * server should get SSL_ERROR_SSL
8036 * Test 1: client does not shutdown properly,
8037 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8038 * server should get SSL_ERROR_ZERO_RETURN
8039 */
8040static int test_incorrect_shutdown(int tst)
8041{
8042 SSL_CTX *cctx = NULL, *sctx = NULL;
8043 SSL *clientssl = NULL, *serverssl = NULL;
8044 int testresult = 0;
8045 char buf[80];
8046 BIO *c2s;
8047
8048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8049 TLS_client_method(), 0, 0,
8050 &sctx, &cctx, cert, privkey)))
8051 goto end;
8052
8053 if (tst == 1)
8054 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8055
8056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8057 NULL, NULL)))
8058 goto end;
8059
8060 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8061 SSL_ERROR_NONE)))
8062 goto end;
8063
8064 c2s = SSL_get_rbio(serverssl);
8065 BIO_set_mem_eof_return(c2s, 0);
8066
8067 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8068 goto end;
8069
8070 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8071 goto end;
8072 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8073 goto end;
8074
8075 testresult = 1;
8076
8077 end:
8078 SSL_free(serverssl);
8079 SSL_free(clientssl);
8080 SSL_CTX_free(sctx);
8081 SSL_CTX_free(cctx);
8082
8083 return testresult;
8084}
8085
8086/*
8087 * Test bi-directional shutdown.
8088 * Test 0: TLSv1.2
8089 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8090 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8091 * Test 3: TLSv1.3, pending NewSessionTicket messages
8092 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8093 * sends key update, client reads it
8094 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8095 * sends CertificateRequest, client reads and ignores it
8096 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8097 * doesn't read it
8098 */
8099static int test_shutdown(int tst)
8100{
8101 SSL_CTX *cctx = NULL, *sctx = NULL;
8102 SSL *clientssl = NULL, *serverssl = NULL;
8103 int testresult = 0;
8104 char msg[] = "A test message";
8105 char buf[80];
8106 size_t written, readbytes;
8107 SSL_SESSION *sess;
8108
8109#ifdef OPENSSL_NO_TLS1_2
8110 if (tst <= 1)
8111 return 1;
8112#endif
8113#ifdef OSSL_NO_USABLE_TLS1_3
8114 if (tst >= 2)
8115 return 1;
8116#endif
8117
8118 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8119 TLS_client_method(),
8120 TLS1_VERSION,
8121 (tst <= 1) ? TLS1_2_VERSION
8122 : TLS1_3_VERSION,
8123 &sctx, &cctx, cert, privkey)))
8124 goto end;
8125
8126 if (tst == 5)
8127 SSL_CTX_set_post_handshake_auth(cctx, 1);
8128
8129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8130 NULL, NULL)))
8131 goto end;
8132
8133 if (tst == 3) {
8134 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8135 SSL_ERROR_NONE, 1))
8136 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8137 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8138 goto end;
8139 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8140 SSL_ERROR_NONE))
8141 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8142 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8143 goto end;
8144 }
8145
8146 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8147 goto end;
8148
8149 if (tst >= 4) {
8150 /*
8151 * Reading on the server after the client has sent close_notify should
8152 * fail and provide SSL_ERROR_ZERO_RETURN
8153 */
8154 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8155 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8156 SSL_ERROR_ZERO_RETURN)
8157 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8158 SSL_RECEIVED_SHUTDOWN)
8159 /*
8160 * Even though we're shutdown on receive we should still be
8161 * able to write.
8162 */
8163 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8164 goto end;
8165 if (tst == 4
8166 && !TEST_true(SSL_key_update(serverssl,
8167 SSL_KEY_UPDATE_REQUESTED)))
8168 goto end;
8169 if (tst == 5) {
8170 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8171 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8172 goto end;
8173 }
8174 if ((tst == 4 || tst == 5)
8175 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8176 goto end;
8177 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8178 goto end;
8179 if (tst == 4 || tst == 5) {
8180 /* Should still be able to read data from server */
8181 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8182 &readbytes))
8183 || !TEST_size_t_eq(readbytes, sizeof(msg))
8184 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8185 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8186 &readbytes))
8187 || !TEST_size_t_eq(readbytes, sizeof(msg))
8188 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8189 goto end;
8190 }
8191 }
8192
8193 /* Writing on the client after sending close_notify shouldn't be possible */
8194 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8195 goto end;
8196
8197 if (tst < 4) {
8198 /*
8199 * For these tests the client has sent close_notify but it has not yet
8200 * been received by the server. The server has not sent close_notify
8201 * yet.
8202 */
8203 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8204 /*
8205 * Writing on the server after sending close_notify shouldn't
8206 * be possible.
8207 */
8208 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8209 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8210 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8211 || !TEST_true(SSL_SESSION_is_resumable(sess))
8212 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8213 goto end;
8214 } else if (tst == 4 || tst == 5) {
8215 /*
8216 * In this test the client has sent close_notify and it has been
8217 * received by the server which has responded with a close_notify. The
8218 * client needs to read the close_notify sent by the server.
8219 */
8220 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8221 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8222 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8223 goto end;
8224 } else {
8225 /*
8226 * tst == 6
8227 *
8228 * The client has sent close_notify and is expecting a close_notify
8229 * back, but instead there is application data first. The shutdown
8230 * should fail with a fatal error.
8231 */
8232 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8233 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8234 goto end;
8235 }
8236
8237 testresult = 1;
8238
8239 end:
8240 SSL_free(serverssl);
8241 SSL_free(clientssl);
8242 SSL_CTX_free(sctx);
8243 SSL_CTX_free(cctx);
8244
8245 return testresult;
8246}
8247
8248#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8249static int cert_cb_cnt;
8250
8251static int cert_cb(SSL *s, void *arg)
8252{
8253 SSL_CTX *ctx = (SSL_CTX *)arg;
8254 BIO *in = NULL;
8255 EVP_PKEY *pkey = NULL;
8256 X509 *x509 = NULL, *rootx = NULL;
8257 STACK_OF(X509) *chain = NULL;
8258 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8259 int ret = 0;
8260
8261 if (cert_cb_cnt == 0) {
8262 /* Suspend the handshake */
8263 cert_cb_cnt++;
8264 return -1;
8265 } else if (cert_cb_cnt == 1) {
8266 /*
8267 * Update the SSL_CTX, set the certificate and private key and then
8268 * continue the handshake normally.
8269 */
8270 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8271 return 0;
8272
8273 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8274 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8275 SSL_FILETYPE_PEM))
8276 || !TEST_true(SSL_check_private_key(s)))
8277 return 0;
8278 cert_cb_cnt++;
8279 return 1;
8280 } else if (cert_cb_cnt == 3) {
8281 int rv;
8282
8283 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8284 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8285 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8286 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8287 goto out;
8288 chain = sk_X509_new_null();
8289 if (!TEST_ptr(chain))
8290 goto out;
8291 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8292 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8293 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8294 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8295 || !TEST_true(sk_X509_push(chain, rootx)))
8296 goto out;
8297 rootx = NULL;
8298 BIO_free(in);
8299 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8300 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8301 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8302 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8303 goto out;
8304 BIO_free(in);
8305 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8306 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8307 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8308 NULL, NULL,
8309 libctx, NULL)))
8310 goto out;
8311 rv = SSL_check_chain(s, x509, pkey, chain);
8312 /*
8313 * If the cert doesn't show as valid here (e.g., because we don't
8314 * have any shared sigalgs), then we will not set it, and there will
8315 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8316 * will cause tls_choose_sigalgs() to fail the connection.
8317 */
8318 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8319 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8320 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8321 goto out;
8322 }
8323
8324 ret = 1;
8325 }
8326
8327 /* Abort the handshake */
8328 out:
8329 OPENSSL_free(ecdsacert);
8330 OPENSSL_free(ecdsakey);
8331 OPENSSL_free(rootfile);
8332 BIO_free(in);
8333 EVP_PKEY_free(pkey);
8334 X509_free(x509);
8335 X509_free(rootx);
8336 sk_X509_pop_free(chain, X509_free);
8337 return ret;
8338}
8339
8340/*
8341 * Test the certificate callback.
8342 * Test 0: Callback fails
8343 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8344 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8345 * Test 3: Success - Call SSL_check_chain from the callback
8346 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8347 * chain
8348 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8349 */
8350static int test_cert_cb_int(int prot, int tst)
8351{
8352 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8353 SSL *clientssl = NULL, *serverssl = NULL;
8354 int testresult = 0, ret;
8355
8356#ifdef OPENSSL_NO_EC
8357 /* We use an EC cert in these tests, so we skip in a no-ec build */
8358 if (tst >= 3)
8359 return 1;
8360#endif
8361
8362 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8363 TLS_client_method(),
8364 TLS1_VERSION,
8365 prot,
8366 &sctx, &cctx, NULL, NULL)))
8367 goto end;
8368
8369 if (tst == 0)
8370 cert_cb_cnt = -1;
8371 else if (tst >= 3)
8372 cert_cb_cnt = 3;
8373 else
8374 cert_cb_cnt = 0;
8375
8376 if (tst == 2) {
8377 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8378 if (!TEST_ptr(snictx))
8379 goto end;
8380 }
8381
8382 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8383
8384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8385 NULL, NULL)))
8386 goto end;
8387
8388 if (tst == 4) {
8389 /*
8390 * We cause SSL_check_chain() to fail by specifying sig_algs that
8391 * the chain doesn't meet (the root uses an RSA cert)
8392 */
8393 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8394 "ecdsa_secp256r1_sha256")))
8395 goto end;
8396 } else if (tst == 5) {
8397 /*
8398 * We cause SSL_check_chain() to fail by specifying sig_algs that
8399 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8400 */
8401 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8402 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8403 goto end;
8404 }
8405
8406 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8407 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8408 || (tst > 0
8409 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8410 goto end;
8411 }
8412
8413 testresult = 1;
8414
8415 end:
8416 SSL_free(serverssl);
8417 SSL_free(clientssl);
8418 SSL_CTX_free(sctx);
8419 SSL_CTX_free(cctx);
8420 SSL_CTX_free(snictx);
8421
8422 return testresult;
8423}
8424#endif
8425
8426static int test_cert_cb(int tst)
8427{
8428 int testresult = 1;
8429
8430#ifndef OPENSSL_NO_TLS1_2
8431 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8432#endif
8433#ifndef OSSL_NO_USABLE_TLS1_3
8434 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8435#endif
8436
8437 return testresult;
8438}
8439
8440static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8441{
8442 X509 *xcert;
8443 EVP_PKEY *privpkey;
8444 BIO *in = NULL;
8445 BIO *priv_in = NULL;
8446
8447 /* Check that SSL_get0_peer_certificate() returns something sensible */
8448 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8449 return 0;
8450
8451 in = BIO_new_file(cert, "r");
8452 if (!TEST_ptr(in))
8453 return 0;
8454
8455 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8456 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8457 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8458 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8459 NULL, NULL,
8460 libctx, NULL)))
8461 goto err;
8462
8463 *x509 = xcert;
8464 *pkey = privpkey;
8465
8466 BIO_free(in);
8467 BIO_free(priv_in);
8468 return 1;
8469err:
8470 X509_free(xcert);
8471 BIO_free(in);
8472 BIO_free(priv_in);
8473 return 0;
8474}
8475
8476static int test_client_cert_cb(int tst)
8477{
8478 SSL_CTX *cctx = NULL, *sctx = NULL;
8479 SSL *clientssl = NULL, *serverssl = NULL;
8480 int testresult = 0;
8481
8482#ifdef OPENSSL_NO_TLS1_2
8483 if (tst == 0)
8484 return 1;
8485#endif
8486#ifdef OSSL_NO_USABLE_TLS1_3
8487 if (tst == 1)
8488 return 1;
8489#endif
8490
8491 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8492 TLS_client_method(),
8493 TLS1_VERSION,
8494 tst == 0 ? TLS1_2_VERSION
8495 : TLS1_3_VERSION,
8496 &sctx, &cctx, cert, privkey)))
8497 goto end;
8498
8499 /*
8500 * Test that setting a client_cert_cb results in a client certificate being
8501 * sent.
8502 */
8503 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8504 SSL_CTX_set_verify(sctx,
8505 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8506 verify_cb);
8507
8508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8509 NULL, NULL))
8510 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8511 SSL_ERROR_NONE)))
8512 goto end;
8513
8514 testresult = 1;
8515
8516 end:
8517 SSL_free(serverssl);
8518 SSL_free(clientssl);
8519 SSL_CTX_free(sctx);
8520 SSL_CTX_free(cctx);
8521
8522 return testresult;
8523}
8524
8525#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8526/*
8527 * Test setting certificate authorities on both client and server.
8528 *
8529 * Test 0: SSL_CTX_set0_CA_list() only
8530 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8531 * Test 2: Only SSL_CTX_set_client_CA_list()
8532 */
8533static int test_ca_names_int(int prot, int tst)
8534{
8535 SSL_CTX *cctx = NULL, *sctx = NULL;
8536 SSL *clientssl = NULL, *serverssl = NULL;
8537 int testresult = 0;
8538 size_t i;
8539 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8540 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8541 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8542 const STACK_OF(X509_NAME) *sktmp = NULL;
8543
8544 for (i = 0; i < OSSL_NELEM(name); i++) {
8545 name[i] = X509_NAME_new();
8546 if (!TEST_ptr(name[i])
8547 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8548 MBSTRING_ASC,
8549 (unsigned char *)
8550 strnames[i],
8551 -1, -1, 0)))
8552 goto end;
8553 }
8554
8555 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8556 TLS_client_method(),
8557 TLS1_VERSION,
8558 prot,
8559 &sctx, &cctx, cert, privkey)))
8560 goto end;
8561
8562 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8563
8564 if (tst == 0 || tst == 1) {
8565 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8566 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8567 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8568 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8569 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8570 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8571 goto end;
8572
8573 SSL_CTX_set0_CA_list(sctx, sk1);
8574 SSL_CTX_set0_CA_list(cctx, sk2);
8575 sk1 = sk2 = NULL;
8576 }
8577 if (tst == 1 || tst == 2) {
8578 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8579 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8580 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8581 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8582 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8583 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8584 goto end;
8585
8586 SSL_CTX_set_client_CA_list(sctx, sk1);
8587 SSL_CTX_set_client_CA_list(cctx, sk2);
8588 sk1 = sk2 = NULL;
8589 }
8590
8591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8592 NULL, NULL))
8593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8594 SSL_ERROR_NONE)))
8595 goto end;
8596
8597 /*
8598 * We only expect certificate authorities to have been sent to the server
8599 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8600 */
8601 sktmp = SSL_get0_peer_CA_list(serverssl);
8602 if (prot == TLS1_3_VERSION
8603 && (tst == 0 || tst == 1)) {
8604 if (!TEST_ptr(sktmp)
8605 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8606 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8607 name[0]), 0)
8608 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8609 name[1]), 0))
8610 goto end;
8611 } else if (!TEST_ptr_null(sktmp)) {
8612 goto end;
8613 }
8614
8615 /*
8616 * In all tests we expect certificate authorities to have been sent to the
8617 * client. However, SSL_set_client_CA_list() should override
8618 * SSL_set0_CA_list()
8619 */
8620 sktmp = SSL_get0_peer_CA_list(clientssl);
8621 if (!TEST_ptr(sktmp)
8622 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8623 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8624 name[tst == 0 ? 0 : 2]), 0)
8625 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8626 name[tst == 0 ? 1 : 3]), 0))
8627 goto end;
8628
8629 testresult = 1;
8630
8631 end:
8632 SSL_free(serverssl);
8633 SSL_free(clientssl);
8634 SSL_CTX_free(sctx);
8635 SSL_CTX_free(cctx);
8636 for (i = 0; i < OSSL_NELEM(name); i++)
8637 X509_NAME_free(name[i]);
8638 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8639 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8640
8641 return testresult;
8642}
8643#endif
8644
8645static int test_ca_names(int tst)
8646{
8647 int testresult = 1;
8648
8649#ifndef OPENSSL_NO_TLS1_2
8650 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8651#endif
8652#ifndef OSSL_NO_USABLE_TLS1_3
8653 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8654#endif
8655
8656 return testresult;
8657}
8658
8659#ifndef OPENSSL_NO_TLS1_2
8660static const char *multiblock_cipherlist_data[]=
8661{
8662 "AES128-SHA",
8663 "AES128-SHA256",
8664 "AES256-SHA",
8665 "AES256-SHA256",
8666};
8667
8668/* Reduce the fragment size - so the multiblock test buffer can be small */
8669# define MULTIBLOCK_FRAGSIZE 512
8670
8671static int test_multiblock_write(int test_index)
8672{
8673 static const char *fetchable_ciphers[]=
8674 {
8675 "AES-128-CBC-HMAC-SHA1",
8676 "AES-128-CBC-HMAC-SHA256",
8677 "AES-256-CBC-HMAC-SHA1",
8678 "AES-256-CBC-HMAC-SHA256"
8679 };
8680 const char *cipherlist = multiblock_cipherlist_data[test_index];
8681 const SSL_METHOD *smeth = TLS_server_method();
8682 const SSL_METHOD *cmeth = TLS_client_method();
8683 int min_version = TLS1_VERSION;
8684 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8685 SSL_CTX *cctx = NULL, *sctx = NULL;
8686 SSL *clientssl = NULL, *serverssl = NULL;
8687 int testresult = 0;
8688
8689 /*
8690 * Choose a buffer large enough to perform a multi-block operation
8691 * i.e: write_len >= 4 * frag_size
8692 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8693 */
8694 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8695 unsigned char buf[sizeof(msg)], *p = buf;
8696 size_t readbytes, written, len;
8697 EVP_CIPHER *ciph = NULL;
8698
8699 /*
8700 * Check if the cipher exists before attempting to use it since it only has
8701 * a hardware specific implementation.
8702 */
8703 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8704 if (ciph == NULL) {
8705 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8706 return 1;
8707 }
8708 EVP_CIPHER_free(ciph);
8709
8710 /* Set up a buffer with some data that will be sent to the client */
8711 RAND_bytes(msg, sizeof(msg));
8712
8713 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8714 max_version, &sctx, &cctx, cert,
8715 privkey)))
8716 goto end;
8717
8718 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8719 goto end;
8720
8721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8722 NULL, NULL)))
8723 goto end;
8724
8725 /* settings to force it to use AES-CBC-HMAC_SHA */
8726 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8727 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8728 goto end;
8729
8730 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8731 goto end;
8732
8733 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8734 || !TEST_size_t_eq(written, sizeof(msg)))
8735 goto end;
8736
8737 len = written;
8738 while (len > 0) {
8739 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8740 goto end;
8741 p += readbytes;
8742 len -= readbytes;
8743 }
8744 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8745 goto end;
8746
8747 testresult = 1;
8748end:
8749 SSL_free(serverssl);
8750 SSL_free(clientssl);
8751 SSL_CTX_free(sctx);
8752 SSL_CTX_free(cctx);
8753
8754 return testresult;
8755}
8756#endif /* OPENSSL_NO_TLS1_2 */
8757
8758static int test_session_timeout(int test)
8759{
8760 /*
8761 * Test session ordering and timeout
8762 * Can't explicitly test performance of the new code,
8763 * but can test to see if the ordering of the sessions
8764 * are correct, and they they are removed as expected
8765 */
8766 SSL_SESSION *early = NULL;
8767 SSL_SESSION *middle = NULL;
8768 SSL_SESSION *late = NULL;
8769 SSL_CTX *ctx;
8770 int testresult = 0;
8771 long now = (long)time(NULL);
8772#define TIMEOUT 10
8773
8774 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8775 || !TEST_ptr(early = SSL_SESSION_new())
8776 || !TEST_ptr(middle = SSL_SESSION_new())
8777 || !TEST_ptr(late = SSL_SESSION_new()))
8778 goto end;
8779
8780 /* assign unique session ids */
8781 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8782 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8783 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8784 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8785 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8786 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8787
8788 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8789 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8790 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8791 goto end;
8792
8793 /* Make sure they are all added */
8794 if (!TEST_ptr(early->prev)
8795 || !TEST_ptr(middle->prev)
8796 || !TEST_ptr(late->prev))
8797 goto end;
8798
8799 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8800 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8801 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8802 goto end;
8803
8804 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8805 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8806 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8807 goto end;
8808
8809 /* Make sure they are all still there */
8810 if (!TEST_ptr(early->prev)
8811 || !TEST_ptr(middle->prev)
8812 || !TEST_ptr(late->prev))
8813 goto end;
8814
8815 /* Make sure they are in the expected order */
8816 if (!TEST_ptr_eq(late->next, middle)
8817 || !TEST_ptr_eq(middle->next, early)
8818 || !TEST_ptr_eq(early->prev, middle)
8819 || !TEST_ptr_eq(middle->prev, late))
8820 goto end;
8821
8822 /* This should remove "early" */
8823 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8824 if (!TEST_ptr_null(early->prev)
8825 || !TEST_ptr(middle->prev)
8826 || !TEST_ptr(late->prev))
8827 goto end;
8828
8829 /* This should remove "middle" */
8830 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8831 if (!TEST_ptr_null(early->prev)
8832 || !TEST_ptr_null(middle->prev)
8833 || !TEST_ptr(late->prev))
8834 goto end;
8835
8836 /* This should remove "late" */
8837 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8838 if (!TEST_ptr_null(early->prev)
8839 || !TEST_ptr_null(middle->prev)
8840 || !TEST_ptr_null(late->prev))
8841 goto end;
8842
8843 /* Add them back in again */
8844 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8845 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8846 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8847 goto end;
8848
8849 /* Make sure they are all added */
8850 if (!TEST_ptr(early->prev)
8851 || !TEST_ptr(middle->prev)
8852 || !TEST_ptr(late->prev))
8853 goto end;
8854
8855 /* This should remove all of them */
8856 SSL_CTX_flush_sessions(ctx, 0);
8857 if (!TEST_ptr_null(early->prev)
8858 || !TEST_ptr_null(middle->prev)
8859 || !TEST_ptr_null(late->prev))
8860 goto end;
8861
8862 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8863 | SSL_CTX_get_session_cache_mode(ctx));
8864
8865 /* make sure |now| is NOT equal to the current time */
8866 now -= 10;
8867 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8868 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8869 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8870 goto end;
8871
8872 testresult = 1;
8873 end:
8874 SSL_CTX_free(ctx);
8875 SSL_SESSION_free(early);
8876 SSL_SESSION_free(middle);
8877 SSL_SESSION_free(late);
8878 return testresult;
8879}
8880
8881/*
8882 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8883 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8884 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8885 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8886 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8887 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8888 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8889 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8890 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8891 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8892 */
8893static int test_servername(int tst)
8894{
8895 SSL_CTX *cctx = NULL, *sctx = NULL;
8896 SSL *clientssl = NULL, *serverssl = NULL;
8897 int testresult = 0;
8898 SSL_SESSION *sess = NULL;
8899 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8900
8901#ifdef OPENSSL_NO_TLS1_2
8902 if (tst <= 4)
8903 return 1;
8904#endif
8905#ifdef OSSL_NO_USABLE_TLS1_3
8906 if (tst >= 5)
8907 return 1;
8908#endif
8909
8910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8911 TLS_client_method(),
8912 TLS1_VERSION,
8913 (tst <= 4) ? TLS1_2_VERSION
8914 : TLS1_3_VERSION,
8915 &sctx, &cctx, cert, privkey))
8916 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8917 NULL, NULL)))
8918 goto end;
8919
8920 if (tst != 1 && tst != 6) {
8921 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8922 hostname_cb)))
8923 goto end;
8924 }
8925
8926 if (tst != 3 && tst != 8) {
8927 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8928 goto end;
8929 sexpectedhost = cexpectedhost = "goodhost";
8930 }
8931
8932 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8933 goto end;
8934
8935 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8936 cexpectedhost)
8937 || !TEST_str_eq(SSL_get_servername(serverssl,
8938 TLSEXT_NAMETYPE_host_name),
8939 sexpectedhost))
8940 goto end;
8941
8942 /* Now repeat with a resumption handshake */
8943
8944 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8945 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8946 || !TEST_true(SSL_SESSION_is_resumable(sess))
8947 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8948 goto end;
8949
8950 SSL_free(clientssl);
8951 SSL_free(serverssl);
8952 clientssl = serverssl = NULL;
8953
8954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8955 NULL)))
8956 goto end;
8957
8958 if (!TEST_true(SSL_set_session(clientssl, sess)))
8959 goto end;
8960
8961 sexpectedhost = cexpectedhost = "goodhost";
8962 if (tst == 2 || tst == 7) {
8963 /* Set an inconsistent hostname */
8964 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8965 goto end;
8966 /*
8967 * In TLSv1.2 we expect the hostname from the original handshake, in
8968 * TLSv1.3 we expect the hostname from this handshake
8969 */
8970 if (tst == 7)
8971 sexpectedhost = cexpectedhost = "altgoodhost";
8972
8973 if (!TEST_str_eq(SSL_get_servername(clientssl,
8974 TLSEXT_NAMETYPE_host_name),
8975 "altgoodhost"))
8976 goto end;
8977 } else if (tst == 4 || tst == 9) {
8978 /*
8979 * A TLSv1.3 session does not associate a session with a servername,
8980 * but a TLSv1.2 session does.
8981 */
8982 if (tst == 9)
8983 sexpectedhost = cexpectedhost = NULL;
8984
8985 if (!TEST_str_eq(SSL_get_servername(clientssl,
8986 TLSEXT_NAMETYPE_host_name),
8987 cexpectedhost))
8988 goto end;
8989 } else {
8990 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8991 goto end;
8992 /*
8993 * In a TLSv1.2 resumption where the hostname was not acknowledged
8994 * we expect the hostname on the server to be empty. On the client we
8995 * return what was requested in this case.
8996 *
8997 * Similarly if the client didn't set a hostname on an original TLSv1.2
8998 * session but is now, the server hostname will be empty, but the client
8999 * is as we set it.
9000 */
9001 if (tst == 1 || tst == 3)
9002 sexpectedhost = NULL;
9003
9004 if (!TEST_str_eq(SSL_get_servername(clientssl,
9005 TLSEXT_NAMETYPE_host_name),
9006 "goodhost"))
9007 goto end;
9008 }
9009
9010 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9011 goto end;
9012
9013 if (!TEST_true(SSL_session_reused(clientssl))
9014 || !TEST_true(SSL_session_reused(serverssl))
9015 || !TEST_str_eq(SSL_get_servername(clientssl,
9016 TLSEXT_NAMETYPE_host_name),
9017 cexpectedhost)
9018 || !TEST_str_eq(SSL_get_servername(serverssl,
9019 TLSEXT_NAMETYPE_host_name),
9020 sexpectedhost))
9021 goto end;
9022
9023 testresult = 1;
9024
9025 end:
9026 SSL_SESSION_free(sess);
9027 SSL_free(serverssl);
9028 SSL_free(clientssl);
9029 SSL_CTX_free(sctx);
9030 SSL_CTX_free(cctx);
9031
9032 return testresult;
9033}
9034
9035#if !defined(OPENSSL_NO_EC) \
9036 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9037/*
9038 * Test that if signature algorithms are not available, then we do not offer or
9039 * accept them.
9040 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9041 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9042 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9043 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9044 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9045 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9046 */
9047static int test_sigalgs_available(int idx)
9048{
9049 SSL_CTX *cctx = NULL, *sctx = NULL;
9050 SSL *clientssl = NULL, *serverssl = NULL;
9051 int testresult = 0;
9052 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9053 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9054 OSSL_PROVIDER *filterprov = NULL;
9055 int sig, hash;
9056
9057 if (!TEST_ptr(tmpctx))
9058 goto end;
9059
9060 if (idx != 0 && idx != 3) {
9061 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9062 filter_provider_init)))
9063 goto end;
9064
9065 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9066 if (!TEST_ptr(filterprov))
9067 goto end;
9068
9069 if (idx < 3) {
9070 /*
9071 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9072 * or accepted for the peer that uses this libctx. Note that libssl
9073 * *requires* SHA2-256 to be available so we cannot disable that. We
9074 * also need SHA1 for our certificate.
9075 */
9076 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9077 "SHA2-256:SHA1")))
9078 goto end;
9079 } else {
9080 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9081 "ECDSA"))
9082 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9083 "EC:X25519:X448")))
9084 goto end;
9085 }
9086
9087 if (idx == 1 || idx == 4)
9088 clientctx = tmpctx;
9089 else
9090 serverctx = tmpctx;
9091 }
9092
9093 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9094 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9095 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9096 goto end;
9097
9098 if (idx != 5) {
9099 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9100 TLS_client_method(),
9101 TLS1_VERSION,
9102 0,
9103 &sctx, &cctx, cert, privkey)))
9104 goto end;
9105 } else {
9106 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9107 TLS_client_method(),
9108 TLS1_VERSION,
9109 0,
9110 &sctx, &cctx, cert2, privkey2)))
9111 goto end;
9112 }
9113
9114 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9115 if (idx < 4) {
9116 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9117 "ECDHE-RSA-AES128-GCM-SHA256")))
9118 goto end;
9119 } else {
9120 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9121 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9122 goto end;
9123 }
9124
9125 if (idx < 3) {
9126 if (!SSL_CTX_set1_sigalgs_list(cctx,
9127 "rsa_pss_rsae_sha384"
9128 ":rsa_pss_rsae_sha256")
9129 || !SSL_CTX_set1_sigalgs_list(sctx,
9130 "rsa_pss_rsae_sha384"
9131 ":rsa_pss_rsae_sha256"))
9132 goto end;
9133 } else {
9134 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9135 || !SSL_CTX_set1_sigalgs_list(sctx,
9136 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9137 goto end;
9138 }
9139
9140 if (idx != 5
9141 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9142 SSL_FILETYPE_PEM), 1)
9143 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9144 privkey2,
9145 SSL_FILETYPE_PEM), 1)
9146 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9147 goto end;
9148
9149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9150 NULL, NULL)))
9151 goto end;
9152
9153 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9154 goto end;
9155
9156 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9157 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9158 NULL, NULL),
9159 (idx == 0 || idx == 3) ? 2 : 1))
9160 goto end;
9161
9162 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9163 goto end;
9164
9165 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9166 : NID_rsassaPss))
9167 goto end;
9168
9169 testresult = filter_provider_check_clean_finish();
9170
9171 end:
9172 SSL_free(serverssl);
9173 SSL_free(clientssl);
9174 SSL_CTX_free(sctx);
9175 SSL_CTX_free(cctx);
9176 OSSL_PROVIDER_unload(filterprov);
9177 OSSL_LIB_CTX_free(tmpctx);
9178
9179 return testresult;
9180}
9181#endif /*
9182 * !defined(OPENSSL_NO_EC) \
9183 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9184 */
9185
9186#ifndef OPENSSL_NO_TLS1_3
9187/* This test can run in TLSv1.3 even if ec and dh are disabled */
9188static int test_pluggable_group(int idx)
9189{
9190 SSL_CTX *cctx = NULL, *sctx = NULL;
9191 SSL *clientssl = NULL, *serverssl = NULL;
9192 int testresult = 0;
9193 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9194 /* Check that we are not impacted by a provider without any groups */
9195 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9196 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9197
9198 if (!TEST_ptr(tlsprov))
9199 goto end;
9200
9201 if (legacyprov == NULL) {
9202 /*
9203 * In this case we assume we've been built with "no-legacy" and skip
9204 * this test (there is no OPENSSL_NO_LEGACY)
9205 */
9206 testresult = 1;
9207 goto end;
9208 }
9209
9210 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9211 TLS_client_method(),
9212 TLS1_3_VERSION,
9213 TLS1_3_VERSION,
9214 &sctx, &cctx, cert, privkey))
9215 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9216 NULL, NULL)))
9217 goto end;
9218
9219 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9220 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9221 goto end;
9222
9223 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9224 goto end;
9225
9226 if (!TEST_str_eq(group_name,
9227 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9228 goto end;
9229
9230 testresult = 1;
9231
9232 end:
9233 SSL_free(serverssl);
9234 SSL_free(clientssl);
9235 SSL_CTX_free(sctx);
9236 SSL_CTX_free(cctx);
9237 OSSL_PROVIDER_unload(tlsprov);
9238 OSSL_PROVIDER_unload(legacyprov);
9239
9240 return testresult;
9241}
9242#endif
9243
9244#ifndef OPENSSL_NO_TLS1_2
9245static int test_ssl_dup(void)
9246{
9247 SSL_CTX *cctx = NULL, *sctx = NULL;
9248 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9249 int testresult = 0;
9250 BIO *rbio = NULL, *wbio = NULL;
9251
9252 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9253 TLS_client_method(),
9254 0,
9255 0,
9256 &sctx, &cctx, cert, privkey)))
9257 goto end;
9258
9259 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9260 NULL, NULL)))
9261 goto end;
9262
9263 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9264 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9265 goto end;
9266
9267 client2ssl = SSL_dup(clientssl);
9268 rbio = SSL_get_rbio(clientssl);
9269 if (!TEST_ptr(rbio)
9270 || !TEST_true(BIO_up_ref(rbio)))
9271 goto end;
9272 SSL_set0_rbio(client2ssl, rbio);
9273 rbio = NULL;
9274
9275 wbio = SSL_get_wbio(clientssl);
9276 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9277 goto end;
9278 SSL_set0_wbio(client2ssl, wbio);
9279 rbio = NULL;
9280
9281 if (!TEST_ptr(client2ssl)
9282 /* Handshake not started so pointers should be different */
9283 || !TEST_ptr_ne(clientssl, client2ssl))
9284 goto end;
9285
9286 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9287 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9288 goto end;
9289
9290 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9291 goto end;
9292
9293 SSL_free(clientssl);
9294 clientssl = SSL_dup(client2ssl);
9295 if (!TEST_ptr(clientssl)
9296 /* Handshake has finished so pointers should be the same */
9297 || !TEST_ptr_eq(clientssl, client2ssl))
9298 goto end;
9299
9300 testresult = 1;
9301
9302 end:
9303 SSL_free(serverssl);
9304 SSL_free(clientssl);
9305 SSL_free(client2ssl);
9306 SSL_CTX_free(sctx);
9307 SSL_CTX_free(cctx);
9308
9309 return testresult;
9310}
9311
9312# ifndef OPENSSL_NO_DH
9313
9314static EVP_PKEY *tmp_dh_params = NULL;
9315
9316/* Helper function for the test_set_tmp_dh() tests */
9317static EVP_PKEY *get_tmp_dh_params(void)
9318{
9319 if (tmp_dh_params == NULL) {
9320 BIGNUM *p = NULL;
9321 OSSL_PARAM_BLD *tmpl = NULL;
9322 EVP_PKEY_CTX *pctx = NULL;
9323 OSSL_PARAM *params = NULL;
9324 EVP_PKEY *dhpkey = NULL;
9325
9326 p = BN_get_rfc3526_prime_2048(NULL);
9327 if (!TEST_ptr(p))
9328 goto end;
9329
9330 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9331 if (!TEST_ptr(pctx)
9332 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9333 goto end;
9334
9335 tmpl = OSSL_PARAM_BLD_new();
9336 if (!TEST_ptr(tmpl)
9337 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9338 OSSL_PKEY_PARAM_FFC_P,
9339 p))
9340 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9341 OSSL_PKEY_PARAM_FFC_G,
9342 2)))
9343 goto end;
9344
9345 params = OSSL_PARAM_BLD_to_param(tmpl);
9346 if (!TEST_ptr(params)
9347 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9348 EVP_PKEY_KEY_PARAMETERS,
9349 params), 1))
9350 goto end;
9351
9352 tmp_dh_params = dhpkey;
9353 end:
9354 BN_free(p);
9355 EVP_PKEY_CTX_free(pctx);
9356 OSSL_PARAM_BLD_free(tmpl);
9357 OSSL_PARAM_free(params);
9358 }
9359
9360 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9361 return NULL;
9362
9363 return tmp_dh_params;
9364}
9365
9366# ifndef OPENSSL_NO_DEPRECATED_3_0
9367/* Callback used by test_set_tmp_dh() */
9368static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9369{
9370 EVP_PKEY *dhpkey = get_tmp_dh_params();
9371 DH *ret = NULL;
9372
9373 if (!TEST_ptr(dhpkey))
9374 return NULL;
9375
9376 /*
9377 * libssl does not free the returned DH, so we free it now knowing that even
9378 * after we free dhpkey, there will still be a reference to the owning
9379 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9380 * of time we need it for.
9381 */
9382 ret = EVP_PKEY_get1_DH(dhpkey);
9383 DH_free(ret);
9384
9385 EVP_PKEY_free(dhpkey);
9386
9387 return ret;
9388}
9389# endif
9390
9391/*
9392 * Test the various methods for setting temporary DH parameters
9393 *
9394 * Test 0: Default (no auto) setting
9395 * Test 1: Explicit SSL_CTX auto off
9396 * Test 2: Explicit SSL auto off
9397 * Test 3: Explicit SSL_CTX auto on
9398 * Test 4: Explicit SSL auto on
9399 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9400 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9401 *
9402 * The following are testing deprecated APIs, so we only run them if available
9403 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9404 * Test 8: Explicit SSL auto off, custom DH params via DH
9405 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9406 * Test 10: Explicit SSL auto off, custom DH params via callback
9407 */
9408static int test_set_tmp_dh(int idx)
9409{
9410 SSL_CTX *cctx = NULL, *sctx = NULL;
9411 SSL *clientssl = NULL, *serverssl = NULL;
9412 int testresult = 0;
9413 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9414 int expected = (idx <= 2) ? 0 : 1;
9415 EVP_PKEY *dhpkey = NULL;
9416# ifndef OPENSSL_NO_DEPRECATED_3_0
9417 DH *dh = NULL;
9418# else
9419
9420 if (idx >= 7)
9421 return 1;
9422# endif
9423
9424 if (idx >= 5 && idx <= 8) {
9425 dhpkey = get_tmp_dh_params();
9426 if (!TEST_ptr(dhpkey))
9427 goto end;
9428 }
9429# ifndef OPENSSL_NO_DEPRECATED_3_0
9430 if (idx == 7 || idx == 8) {
9431 dh = EVP_PKEY_get1_DH(dhpkey);
9432 if (!TEST_ptr(dh))
9433 goto end;
9434 }
9435# endif
9436
9437 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9438 TLS_client_method(),
9439 0,
9440 0,
9441 &sctx, &cctx, cert, privkey)))
9442 goto end;
9443
9444 if ((idx & 1) == 1) {
9445 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9446 goto end;
9447 }
9448
9449 if (idx == 5) {
9450 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9451 goto end;
9452 dhpkey = NULL;
9453 }
9454# ifndef OPENSSL_NO_DEPRECATED_3_0
9455 else if (idx == 7) {
9456 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9457 goto end;
9458 } else if (idx == 9) {
9459 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9460 }
9461# endif
9462
9463 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9464 NULL, NULL)))
9465 goto end;
9466
9467 if ((idx & 1) == 0 && idx != 0) {
9468 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9469 goto end;
9470 }
9471 if (idx == 6) {
9472 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9473 goto end;
9474 dhpkey = NULL;
9475 }
9476# ifndef OPENSSL_NO_DEPRECATED_3_0
9477 else if (idx == 8) {
9478 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9479 goto end;
9480 } else if (idx == 10) {
9481 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9482 }
9483# endif
9484
9485 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9486 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9487 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9488 goto end;
9489
9490 /*
9491 * If autoon then we should succeed. Otherwise we expect failure because
9492 * there are no parameters
9493 */
9494 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9495 SSL_ERROR_NONE), expected))
9496 goto end;
9497
9498 testresult = 1;
9499
9500 end:
9501# ifndef OPENSSL_NO_DEPRECATED_3_0
9502 DH_free(dh);
9503# endif
9504 SSL_free(serverssl);
9505 SSL_free(clientssl);
9506 SSL_CTX_free(sctx);
9507 SSL_CTX_free(cctx);
9508 EVP_PKEY_free(dhpkey);
9509
9510 return testresult;
9511}
9512
9513/*
9514 * Test the auto DH keys are appropriately sized
9515 */
9516static int test_dh_auto(int idx)
9517{
9518 SSL_CTX *cctx = NULL, *sctx = NULL;
9519 SSL *clientssl = NULL, *serverssl = NULL;
9520 int testresult = 0;
9521 EVP_PKEY *tmpkey = NULL;
9522 char *thiscert = NULL, *thiskey = NULL;
9523 size_t expdhsize = 0;
9524 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9525
9526 switch (idx) {
9527 case 0:
9528 /* The FIPS provider doesn't support this DH size - so we ignore it */
9529 if (is_fips)
9530 return 1;
9531 thiscert = cert1024;
9532 thiskey = privkey1024;
9533 expdhsize = 1024;
9534 break;
9535 case 1:
9536 /* 2048 bit prime */
9537 thiscert = cert;
9538 thiskey = privkey;
9539 expdhsize = 2048;
9540 break;
9541 case 2:
9542 thiscert = cert3072;
9543 thiskey = privkey3072;
9544 expdhsize = 3072;
9545 break;
9546 case 3:
9547 thiscert = cert4096;
9548 thiskey = privkey4096;
9549 expdhsize = 4096;
9550 break;
9551 case 4:
9552 thiscert = cert8192;
9553 thiskey = privkey8192;
9554 expdhsize = 8192;
9555 break;
9556 /* No certificate cases */
9557 case 5:
9558 /* The FIPS provider doesn't support this DH size - so we ignore it */
9559 if (is_fips)
9560 return 1;
9561 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9562 expdhsize = 1024;
9563 break;
9564 case 6:
9565 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9566 expdhsize = 3072;
9567 break;
9568 default:
9569 TEST_error("Invalid text index");
9570 goto end;
9571 }
9572
9573 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9574 TLS_client_method(),
9575 0,
9576 0,
9577 &sctx, &cctx, thiscert, thiskey)))
9578 goto end;
9579
9580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9581 NULL, NULL)))
9582 goto end;
9583
9584 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9585 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9586 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9587 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9588 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9589 goto end;
9590
9591 /*
9592 * Send the server's first flight. At this point the server has created the
9593 * temporary DH key but hasn't finished using it yet. Once used it is
9594 * removed, so we cannot test it.
9595 */
9596 if (!TEST_int_le(SSL_connect(clientssl), 0)
9597 || !TEST_int_le(SSL_accept(serverssl), 0))
9598 goto end;
9599
9600 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9601 goto end;
9602 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9603 goto end;
9604
9605 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9606 goto end;
9607
9608 testresult = 1;
9609
9610 end:
9611 SSL_free(serverssl);
9612 SSL_free(clientssl);
9613 SSL_CTX_free(sctx);
9614 SSL_CTX_free(cctx);
9615 EVP_PKEY_free(tmpkey);
9616
9617 return testresult;
9618
9619}
9620# endif /* OPENSSL_NO_DH */
9621#endif /* OPENSSL_NO_TLS1_2 */
9622
9623#ifndef OSSL_NO_USABLE_TLS1_3
9624/*
9625 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9626 * that it works even without a certificate configured for the original
9627 * SSL_CTX
9628 */
9629static int test_sni_tls13(void)
9630{
9631 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9632 SSL *clientssl = NULL, *serverssl = NULL;
9633 int testresult = 0;
9634
9635 /* Reset callback counter */
9636 snicb = 0;
9637
9638 /* Create an initial SSL_CTX with no certificate configured */
9639 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9640 if (!TEST_ptr(sctx))
9641 goto end;
9642 /* Require TLSv1.3 as a minimum */
9643 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9644 TLS_client_method(), TLS1_3_VERSION, 0,
9645 &sctx2, &cctx, cert, privkey)))
9646 goto end;
9647
9648 /* Set up SNI */
9649 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9650 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9651 goto end;
9652
9653 /*
9654 * Connection should still succeed because the final SSL_CTX has the right
9655 * certificates configured.
9656 */
9657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9658 &clientssl, NULL, NULL))
9659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9660 SSL_ERROR_NONE)))
9661 goto end;
9662
9663 /* We should have had the SNI callback called exactly once */
9664 if (!TEST_int_eq(snicb, 1))
9665 goto end;
9666
9667 testresult = 1;
9668
9669end:
9670 SSL_free(serverssl);
9671 SSL_free(clientssl);
9672 SSL_CTX_free(sctx2);
9673 SSL_CTX_free(sctx);
9674 SSL_CTX_free(cctx);
9675 return testresult;
9676}
9677
9678/*
9679 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9680 * 0 = TLSv1.2
9681 * 1 = TLSv1.3
9682 */
9683static int test_ticket_lifetime(int idx)
9684{
9685 SSL_CTX *cctx = NULL, *sctx = NULL;
9686 SSL *clientssl = NULL, *serverssl = NULL;
9687 int testresult = 0;
9688 int version = TLS1_3_VERSION;
9689
9690#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9691#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9692
9693 if (idx == 0) {
9694#ifdef OPENSSL_NO_TLS1_2
9695 return TEST_skip("TLS 1.2 is disabled.");
9696#else
9697 version = TLS1_2_VERSION;
9698#endif
9699 }
9700
9701 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9702 TLS_client_method(), version, version,
9703 &sctx, &cctx, cert, privkey)))
9704 goto end;
9705
9706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9707 &clientssl, NULL, NULL)))
9708 goto end;
9709
9710 /*
9711 * Set the timeout to be more than 1 week
9712 * make sure the returned value is the default
9713 */
9714 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9715 SSL_get_default_timeout(serverssl)))
9716 goto end;
9717
9718 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9719 goto end;
9720
9721 if (idx == 0) {
9722 /* TLSv1.2 uses the set value */
9723 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9724 goto end;
9725 } else {
9726 /* TLSv1.3 uses the limited value */
9727 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9728 goto end;
9729 }
9730 testresult = 1;
9731
9732end:
9733 SSL_free(serverssl);
9734 SSL_free(clientssl);
9735 SSL_CTX_free(sctx);
9736 SSL_CTX_free(cctx);
9737 return testresult;
9738}
9739#endif
9740/*
9741 * Test that setting an ALPN does not violate RFC
9742 */
9743static int test_set_alpn(void)
9744{
9745 SSL_CTX *ctx = NULL;
9746 SSL *ssl = NULL;
9747 int testresult = 0;
9748
9749 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9750 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9751 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9752 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9753 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9754 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9755
9756 /* Create an initial SSL_CTX with no certificate configured */
9757 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9758 if (!TEST_ptr(ctx))
9759 goto end;
9760
9761 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9762 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9763 goto end;
9764 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9765 goto end;
9766 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9767 goto end;
9768 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9769 goto end;
9770 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9771 goto end;
9772 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9773 goto end;
9774 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9775 goto end;
9776 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9777 goto end;
9778 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9779 goto end;
9780
9781 ssl = SSL_new(ctx);
9782 if (!TEST_ptr(ssl))
9783 goto end;
9784
9785 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9786 goto end;
9787 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9788 goto end;
9789 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9790 goto end;
9791 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9792 goto end;
9793 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9794 goto end;
9795 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9796 goto end;
9797 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9798 goto end;
9799 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9800 goto end;
9801 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9802 goto end;
9803
9804 testresult = 1;
9805
9806end:
9807 SSL_free(ssl);
9808 SSL_CTX_free(ctx);
9809 return testresult;
9810}
9811
9812/*
9813 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9814 */
9815static int test_set_verify_cert_store_ssl_ctx(void)
9816{
9817 SSL_CTX *ctx = NULL;
9818 int testresult = 0;
9819 X509_STORE *store = NULL, *new_store = NULL,
9820 *cstore = NULL, *new_cstore = NULL;
9821
9822 /* Create an initial SSL_CTX. */
9823 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9824 if (!TEST_ptr(ctx))
9825 goto end;
9826
9827 /* Retrieve verify store pointer. */
9828 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9829 goto end;
9830
9831 /* Retrieve chain store pointer. */
9832 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9833 goto end;
9834
9835 /* We haven't set any yet, so this should be NULL. */
9836 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9837 goto end;
9838
9839 /* Create stores. We use separate stores so pointers are different. */
9840 new_store = X509_STORE_new();
9841 if (!TEST_ptr(new_store))
9842 goto end;
9843
9844 new_cstore = X509_STORE_new();
9845 if (!TEST_ptr(new_cstore))
9846 goto end;
9847
9848 /* Set stores. */
9849 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9850 goto end;
9851
9852 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9853 goto end;
9854
9855 /* Should be able to retrieve the same pointer. */
9856 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9857 goto end;
9858
9859 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9860 goto end;
9861
9862 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9863 goto end;
9864
9865 /* Should be able to unset again. */
9866 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9867 goto end;
9868
9869 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9870 goto end;
9871
9872 /* Should now be NULL. */
9873 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9874 goto end;
9875
9876 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9877 goto end;
9878
9879 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9880 goto end;
9881
9882 testresult = 1;
9883
9884end:
9885 X509_STORE_free(new_store);
9886 X509_STORE_free(new_cstore);
9887 SSL_CTX_free(ctx);
9888 return testresult;
9889}
9890
9891/*
9892 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9893 */
9894static int test_set_verify_cert_store_ssl(void)
9895{
9896 SSL_CTX *ctx = NULL;
9897 SSL *ssl = NULL;
9898 int testresult = 0;
9899 X509_STORE *store = NULL, *new_store = NULL,
9900 *cstore = NULL, *new_cstore = NULL;
9901
9902 /* Create an initial SSL_CTX. */
9903 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9904 if (!TEST_ptr(ctx))
9905 goto end;
9906
9907 /* Create an SSL object. */
9908 ssl = SSL_new(ctx);
9909 if (!TEST_ptr(ssl))
9910 goto end;
9911
9912 /* Retrieve verify store pointer. */
9913 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9914 goto end;
9915
9916 /* Retrieve chain store pointer. */
9917 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9918 goto end;
9919
9920 /* We haven't set any yet, so this should be NULL. */
9921 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9922 goto end;
9923
9924 /* Create stores. We use separate stores so pointers are different. */
9925 new_store = X509_STORE_new();
9926 if (!TEST_ptr(new_store))
9927 goto end;
9928
9929 new_cstore = X509_STORE_new();
9930 if (!TEST_ptr(new_cstore))
9931 goto end;
9932
9933 /* Set stores. */
9934 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9935 goto end;
9936
9937 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9938 goto end;
9939
9940 /* Should be able to retrieve the same pointer. */
9941 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9942 goto end;
9943
9944 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9945 goto end;
9946
9947 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9948 goto end;
9949
9950 /* Should be able to unset again. */
9951 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9952 goto end;
9953
9954 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9955 goto end;
9956
9957 /* Should now be NULL. */
9958 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9959 goto end;
9960
9961 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9962 goto end;
9963
9964 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9965 goto end;
9966
9967 testresult = 1;
9968
9969end:
9970 X509_STORE_free(new_store);
9971 X509_STORE_free(new_cstore);
9972 SSL_free(ssl);
9973 SSL_CTX_free(ctx);
9974 return testresult;
9975}
9976
9977
9978static int test_inherit_verify_param(void)
9979{
9980 int testresult = 0;
9981
9982 SSL_CTX *ctx = NULL;
9983 X509_VERIFY_PARAM *cp = NULL;
9984 SSL *ssl = NULL;
9985 X509_VERIFY_PARAM *sp = NULL;
9986 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9987
9988 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9989 if (!TEST_ptr(ctx))
9990 goto end;
9991
9992 cp = SSL_CTX_get0_param(ctx);
9993 if (!TEST_ptr(cp))
9994 goto end;
9995 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9996 goto end;
9997
9998 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9999
10000 ssl = SSL_new(ctx);
10001 if (!TEST_ptr(ssl))
10002 goto end;
10003
10004 sp = SSL_get0_param(ssl);
10005 if (!TEST_ptr(sp))
10006 goto end;
10007 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10008 goto end;
10009
10010 testresult = 1;
10011
10012 end:
10013 SSL_free(ssl);
10014 SSL_CTX_free(ctx);
10015
10016 return testresult;
10017}
10018
10019static int test_load_dhfile(void)
10020{
10021#ifndef OPENSSL_NO_DH
10022 int testresult = 0;
10023
10024 SSL_CTX *ctx = NULL;
10025 SSL_CONF_CTX *cctx = NULL;
10026
10027 if (dhfile == NULL)
10028 return 1;
10029
10030 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10031 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10032 goto end;
10033
10034 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10035 SSL_CONF_CTX_set_flags(cctx,
10036 SSL_CONF_FLAG_CERTIFICATE
10037 | SSL_CONF_FLAG_SERVER
10038 | SSL_CONF_FLAG_FILE);
10039
10040 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10041 goto end;
10042
10043 testresult = 1;
10044end:
10045 SSL_CONF_CTX_free(cctx);
10046 SSL_CTX_free(ctx);
10047
10048 return testresult;
10049#else
10050 return TEST_skip("DH not supported by this build");
10051#endif
10052}
10053
10054#ifndef OSSL_NO_USABLE_TLS1_3
10055/* Test that read_ahead works across a key change */
10056static int test_read_ahead_key_change(void)
10057{
10058 SSL_CTX *cctx = NULL, *sctx = NULL;
10059 SSL *clientssl = NULL, *serverssl = NULL;
10060 int testresult = 0;
10061 char *msg = "Hello World";
10062 size_t written, readbytes;
10063 char buf[80];
10064 int i;
10065
10066 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10067 TLS_client_method(), TLS1_3_VERSION, 0,
10068 &sctx, &cctx, cert, privkey)))
10069 goto end;
10070
10071 SSL_CTX_set_read_ahead(sctx, 1);
10072
10073 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10074 &clientssl, NULL, NULL)))
10075 goto end;
10076
10077 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10078 goto end;
10079
10080 /* Write some data, send a key update, write more data */
10081 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10082 || !TEST_size_t_eq(written, strlen(msg)))
10083 goto end;
10084
10085 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10086 goto end;
10087
10088 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10089 || !TEST_size_t_eq(written, strlen(msg)))
10090 goto end;
10091
10092 /*
10093 * Since read_ahead is on the first read below should read the record with
10094 * the first app data, the second record with the key update message, and
10095 * the third record with the app data all in one go. We should be able to
10096 * still process the read_ahead data correctly even though it crosses
10097 * epochs
10098 */
10099 for (i = 0; i < 2; i++) {
10100 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10101 &readbytes)))
10102 goto end;
10103
10104 buf[readbytes] = '\0';
10105 if (!TEST_str_eq(buf, msg))
10106 goto end;
10107 }
10108
10109 testresult = 1;
10110
10111end:
10112 SSL_free(serverssl);
10113 SSL_free(clientssl);
10114 SSL_CTX_free(sctx);
10115 SSL_CTX_free(cctx);
10116 return testresult;
10117}
10118
10119static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10120{
10121 int *called = arg;
10122
10123 switch ((*called)++) {
10124 case 0:
10125 /* Add some padding to first record */
10126 return 512;
10127 case 1:
10128 /* Maximally pad the second record */
10129 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10130 case 2:
10131 /*
10132 * Exceeding the maximum padding should be fine. It should just pad to
10133 * the maximum anyway
10134 */
10135 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10136 case 3:
10137 /*
10138 * Very large padding should also be ok. Should just pad to the maximum
10139 * allowed
10140 */
10141 return SIZE_MAX;
10142 default:
10143 return 0;
10144 }
10145}
10146
10147/*
10148 * Test that setting record padding in TLSv1.3 works as expected
10149 * Test 0: Record padding callback on the SSL_CTX
10150 * Test 1: Record padding callback on the SSL
10151 * Test 2: Record block padding on the SSL_CTX
10152 * Test 3: Record block padding on the SSL
10153 */
10154static int test_tls13_record_padding(int idx)
10155{
10156 SSL_CTX *cctx = NULL, *sctx = NULL;
10157 SSL *clientssl = NULL, *serverssl = NULL;
10158 int testresult = 0;
10159 char *msg = "Hello World";
10160 size_t written, readbytes;
10161 char buf[80];
10162 int i;
10163 int called = 0;
10164
10165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10166 TLS_client_method(), TLS1_3_VERSION, 0,
10167 &sctx, &cctx, cert, privkey)))
10168 goto end;
10169
10170 if (idx == 0) {
10171 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10172 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10173 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10174 goto end;
10175 } else if (idx == 2) {
10176 /* Exceeding the max plain length should fail */
10177 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10178 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10179 goto end;
10180 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10181 goto end;
10182 }
10183
10184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10185 &clientssl, NULL, NULL)))
10186 goto end;
10187
10188 if (idx == 1) {
10189 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10190 SSL_set_record_padding_callback_arg(clientssl, &called);
10191 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10192 goto end;
10193 } else if (idx == 3) {
10194 /* Exceeding the max plain length should fail */
10195 if (!TEST_false(SSL_set_block_padding(clientssl,
10196 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10197 goto end;
10198 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10199 goto end;
10200 }
10201
10202 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10203 goto end;
10204
10205 called = 0;
10206 /*
10207 * Write some data, then check we can read it. Do this four times to check
10208 * we can continue to write and read padded data after the initial record
10209 * padding has been added. We don't actually check that the padding has
10210 * been applied to the record - just that we can continue to communicate
10211 * normally and that the callback has been called (if appropriate).
10212 */
10213 for (i = 0; i < 4; i++) {
10214 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10215 || !TEST_size_t_eq(written, strlen(msg)))
10216 goto end;
10217
10218 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10219 &readbytes))
10220 || !TEST_size_t_eq(written, readbytes))
10221 goto end;
10222
10223 buf[readbytes] = '\0';
10224 if (!TEST_str_eq(buf, msg))
10225 goto end;
10226 }
10227
10228 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10229 goto end;
10230
10231 testresult = 1;
10232end:
10233 SSL_free(serverssl);
10234 SSL_free(clientssl);
10235 SSL_CTX_free(sctx);
10236 SSL_CTX_free(cctx);
10237 return testresult;
10238}
10239#endif /* OSSL_NO_USABLE_TLS1_3 */
10240
10241#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10242/*
10243 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10244 * support this yet. The only pipeline capable cipher that we have is in the
10245 * dasync engine (providers don't support this yet), so we have to use
10246 * deprecated APIs for this test.
10247 *
10248 * Test 0: Client has pipelining enabled, server does not
10249 * Test 1: Server has pipelining enabled, client does not
10250 * Test 2: Client has pipelining enabled, server does not: not enough data to
10251 * fill all the pipelines
10252 * Test 3: Client has pipelining enabled, server does not: not enough data to
10253 * fill all the pipelines by more than a full pipeline's worth
10254 * Test 4: Client has pipelining enabled, server does not: more data than all
10255 * the available pipelines can take
10256 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10257 */
10258static int test_pipelining(int idx)
10259{
10260 SSL_CTX *cctx = NULL, *sctx = NULL;
10261 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10262 int testresult = 0, numreads;
10263 /* A 55 byte message */
10264 unsigned char *msg = (unsigned char *)
10265 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10266 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10267 size_t expectedreads;
10268 unsigned char *buf = NULL;
10269 ENGINE *e;
10270
10271 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10272 return 0;
10273
10274 if (!TEST_true(ENGINE_init(e))) {
10275 ENGINE_free(e);
10276 return 0;
10277 }
10278
10279 if (!TEST_true(ENGINE_register_ciphers(e)))
10280 goto end;
10281
10282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10283 TLS_client_method(), 0,
10284 TLS1_2_VERSION, &sctx, &cctx, cert,
10285 privkey)))
10286 goto end;
10287
10288 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10289 &clientssl, NULL, NULL)))
10290 goto end;
10291
10292 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10293 goto end;
10294
10295 /* peera is always configured for pipelining, while peerb is not. */
10296 if (idx == 1) {
10297 peera = serverssl;
10298 peerb = clientssl;
10299
10300 } else {
10301 peera = clientssl;
10302 peerb = serverssl;
10303 }
10304
10305 if (idx == 5) {
10306 numpipes = 2;
10307 /* Maximum allowed fragment size */
10308 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10309 msglen = fragsize * numpipes;
10310 msg = OPENSSL_malloc(msglen);
10311 if (!TEST_ptr(msg))
10312 goto end;
10313 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10314 goto end;
10315 } else if (idx == 4) {
10316 msglen = 55;
10317 } else {
10318 msglen = 50;
10319 }
10320 if (idx == 2)
10321 msglen -= 2; /* Send 2 less bytes */
10322 else if (idx == 3)
10323 msglen -= 12; /* Send 12 less bytes */
10324
10325 buf = OPENSSL_malloc(msglen);
10326 if (!TEST_ptr(buf))
10327 goto end;
10328
10329 if (idx == 5) {
10330 /*
10331 * Test that setting a split send fragment longer than the maximum
10332 * allowed fails
10333 */
10334 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10335 goto end;
10336 }
10337
10338 /*
10339 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10340 * (50 bytes in total). This is a ridiculously small number of bytes -
10341 * but sufficient for our purposes
10342 */
10343 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10344 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10345 goto end;
10346
10347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10348 goto end;
10349
10350 /* Write some data from peera to peerb */
10351 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10352 || !TEST_size_t_eq(written, msglen))
10353 goto end;
10354
10355 /*
10356 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10357 * have been used - except in test 3 where only |numpipes - 1| pipelines
10358 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10359 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10360 * expect this to be read in |numpipes| or |numpipes - 1| separate
10361 * SSL_read_ex calls. In the case of test 4, there is then one additional
10362 * read for left over data that couldn't fit in the previous pipelines
10363 */
10364 for (offset = 0, numreads = 0;
10365 offset < msglen;
10366 offset += readbytes, numreads++) {
10367 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10368 msglen - offset, &readbytes)))
10369 goto end;
10370 }
10371
10372 expectedreads = idx == 4 ? numpipes + 1
10373 : (idx == 3 ? numpipes - 1 : numpipes);
10374 if (!TEST_mem_eq(msg, msglen, buf, offset)
10375 || !TEST_int_eq(numreads, expectedreads))
10376 goto end;
10377
10378 /*
10379 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10380 * chunks to exercise the read pipelining code on peera.
10381 */
10382 for (offset = 0; offset < msglen; offset += fragsize) {
10383 size_t sendlen = msglen - offset;
10384
10385 if (sendlen > fragsize)
10386 sendlen = fragsize;
10387 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10388 || !TEST_size_t_eq(written, sendlen))
10389 goto end;
10390 }
10391
10392 /*
10393 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10394 * separate chunks (depending on which test we are running). If the
10395 * pipelining is working then we expect peera to read up to numpipes chunks
10396 * and process them in parallel, giving back the complete result in a single
10397 * call to SSL_read_ex
10398 */
10399 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10400 || !TEST_size_t_le(readbytes, msglen))
10401 goto end;
10402
10403 if (idx == 4) {
10404 size_t readbytes2;
10405
10406 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10407 msglen - readbytes, &readbytes2)))
10408 goto end;
10409 readbytes += readbytes2;
10410 if (!TEST_size_t_le(readbytes, msglen))
10411 goto end;
10412 }
10413
10414 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10415 goto end;
10416
10417 testresult = 1;
10418end:
10419 SSL_free(serverssl);
10420 SSL_free(clientssl);
10421 SSL_CTX_free(sctx);
10422 SSL_CTX_free(cctx);
10423 ENGINE_unregister_ciphers(e);
10424 ENGINE_finish(e);
10425 ENGINE_free(e);
10426 OPENSSL_free(buf);
10427 if (idx == 5)
10428 OPENSSL_free(msg);
10429 return testresult;
10430}
10431#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10432
10433OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10434
10435int setup_tests(void)
10436{
10437 char *modulename;
10438 char *configfile;
10439
10440 libctx = OSSL_LIB_CTX_new();
10441 if (!TEST_ptr(libctx))
10442 return 0;
10443
10444 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10445
10446 /*
10447 * Verify that the default and fips providers in the default libctx are not
10448 * available
10449 */
10450 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10451 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10452 return 0;
10453
10454 if (!test_skip_common_options()) {
10455 TEST_error("Error parsing test options\n");
10456 return 0;
10457 }
10458
10459 if (!TEST_ptr(certsdir = test_get_argument(0))
10460 || !TEST_ptr(srpvfile = test_get_argument(1))
10461 || !TEST_ptr(tmpfilename = test_get_argument(2))
10462 || !TEST_ptr(modulename = test_get_argument(3))
10463 || !TEST_ptr(configfile = test_get_argument(4))
10464 || !TEST_ptr(dhfile = test_get_argument(5)))
10465 return 0;
10466
10467 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10468 return 0;
10469
10470 /* Check we have the expected provider available */
10471 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10472 return 0;
10473
10474 /* Check the default provider is not available */
10475 if (strcmp(modulename, "default") != 0
10476 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10477 return 0;
10478
10479 if (strcmp(modulename, "fips") == 0) {
10480 OSSL_PROVIDER *prov = NULL;
10481 OSSL_PARAM params[2];
10482
10483 is_fips = 1;
10484
10485 prov = OSSL_PROVIDER_load(libctx, "fips");
10486 if (prov != NULL) {
10487 /* Query the fips provider to check if the check ems option is enabled */
10488 params[0] =
10489 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
10490 &fips_ems_check);
10491 params[1] = OSSL_PARAM_construct_end();
10492 OSSL_PROVIDER_get_params(prov, params);
10493 OSSL_PROVIDER_unload(prov);
10494 }
10495 }
10496
10497 /*
10498 * We add, but don't load the test "tls-provider". We'll load it when we
10499 * need it.
10500 */
10501 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10502 tls_provider_init)))
10503 return 0;
10504
10505
10506 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10507#ifdef OPENSSL_NO_CRYPTO_MDEBUG
10508 TEST_error("not supported in this build");
10509 return 0;
10510#else
10511 int i, mcount, rcount, fcount;
10512
10513 for (i = 0; i < 4; i++)
10514 test_export_key_mat(i);
10515 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10516 test_printf_stdout("malloc %d realloc %d free %d\n",
10517 mcount, rcount, fcount);
10518 return 1;
10519#endif
10520 }
10521
10522 cert = test_mk_file_path(certsdir, "servercert.pem");
10523 if (cert == NULL)
10524 goto err;
10525
10526 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10527 if (privkey == NULL)
10528 goto err;
10529
10530 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10531 if (cert2 == NULL)
10532 goto err;
10533
10534 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10535 if (privkey2 == NULL)
10536 goto err;
10537
10538 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10539 if (cert1024 == NULL)
10540 goto err;
10541
10542 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10543 if (privkey1024 == NULL)
10544 goto err;
10545
10546 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10547 if (cert3072 == NULL)
10548 goto err;
10549
10550 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10551 if (privkey3072 == NULL)
10552 goto err;
10553
10554 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10555 if (cert4096 == NULL)
10556 goto err;
10557
10558 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10559 if (privkey4096 == NULL)
10560 goto err;
10561
10562 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10563 if (cert8192 == NULL)
10564 goto err;
10565
10566 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10567 if (privkey8192 == NULL)
10568 goto err;
10569
10570 if (fips_ems_check) {
10571#ifndef OPENSSL_NO_TLS1_2
10572 ADD_TEST(test_no_ems);
10573#endif
10574 return 1;
10575 }
10576#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10577# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10578 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10579 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
10580# endif
10581#endif
10582 ADD_TEST(test_large_message_tls);
10583 ADD_TEST(test_large_message_tls_read_ahead);
10584#ifndef OPENSSL_NO_DTLS
10585 ADD_TEST(test_large_message_dtls);
10586#endif
10587 ADD_ALL_TESTS(test_large_app_data, 28);
10588 ADD_TEST(test_cleanse_plaintext);
10589#ifndef OPENSSL_NO_OCSP
10590 ADD_TEST(test_tlsext_status_type);
10591#endif
10592 ADD_TEST(test_session_with_only_int_cache);
10593 ADD_TEST(test_session_with_only_ext_cache);
10594 ADD_TEST(test_session_with_both_cache);
10595 ADD_TEST(test_session_wo_ca_names);
10596#ifndef OSSL_NO_USABLE_TLS1_3
10597 ADD_ALL_TESTS(test_stateful_tickets, 3);
10598 ADD_ALL_TESTS(test_stateless_tickets, 3);
10599 ADD_TEST(test_psk_tickets);
10600 ADD_ALL_TESTS(test_extra_tickets, 6);
10601#endif
10602 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10603 ADD_TEST(test_ssl_bio_pop_next_bio);
10604 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10605 ADD_TEST(test_ssl_bio_change_rbio);
10606 ADD_TEST(test_ssl_bio_change_wbio);
10607#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10608 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10609 ADD_TEST(test_keylog);
10610#endif
10611#ifndef OSSL_NO_USABLE_TLS1_3
10612 ADD_TEST(test_keylog_no_master_key);
10613#endif
10614 ADD_TEST(test_client_cert_verify_cb);
10615 ADD_TEST(test_ssl_build_cert_chain);
10616 ADD_TEST(test_ssl_ctx_build_cert_chain);
10617#ifndef OPENSSL_NO_TLS1_2
10618 ADD_TEST(test_client_hello_cb);
10619 ADD_TEST(test_no_ems);
10620 ADD_TEST(test_ccs_change_cipher);
10621#endif
10622#ifndef OSSL_NO_USABLE_TLS1_3
10623 ADD_ALL_TESTS(test_early_data_read_write, 3);
10624 /*
10625 * We don't do replay tests for external PSK. Replay protection isn't used
10626 * in that scenario.
10627 */
10628 ADD_ALL_TESTS(test_early_data_replay, 2);
10629 ADD_ALL_TESTS(test_early_data_skip, 3);
10630 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
10631 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
10632 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
10633 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10634 ADD_ALL_TESTS(test_early_data_psk, 8);
10635 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10636 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10637# ifndef OPENSSL_NO_TLS1_2
10638 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10639# endif
10640#endif
10641#ifndef OSSL_NO_USABLE_TLS1_3
10642 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10643 ADD_TEST(test_ciphersuite_change);
10644 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10645# ifdef OPENSSL_NO_PSK
10646 ADD_ALL_TESTS(test_tls13_psk, 1);
10647# else
10648 ADD_ALL_TESTS(test_tls13_psk, 4);
10649# endif /* OPENSSL_NO_PSK */
10650# ifndef OPENSSL_NO_TLS1_2
10651 /* Test with both TLSv1.3 and 1.2 versions */
10652 ADD_ALL_TESTS(test_key_exchange, 14);
10653# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10654 ADD_ALL_TESTS(test_negotiated_group,
10655 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10656 + OSSL_NELEM(ffdhe_kexch_groups)));
10657# endif
10658# else
10659 /* Test with only TLSv1.3 versions */
10660 ADD_ALL_TESTS(test_key_exchange, 12);
10661# endif
10662 ADD_ALL_TESTS(test_custom_exts, 6);
10663 ADD_TEST(test_stateless);
10664 ADD_TEST(test_pha_key_update);
10665#else
10666 ADD_ALL_TESTS(test_custom_exts, 3);
10667#endif
10668 ADD_ALL_TESTS(test_export_key_mat, 6);
10669#ifndef OSSL_NO_USABLE_TLS1_3
10670 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10671 ADD_TEST(test_key_update);
10672 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10673 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10674 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10675 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10676#endif
10677 ADD_ALL_TESTS(test_ssl_clear, 2);
10678 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10679#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10680 ADD_ALL_TESTS(test_srp, 6);
10681#endif
10682 ADD_ALL_TESTS(test_info_callback, 6);
10683 ADD_ALL_TESTS(test_ssl_pending, 2);
10684 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10685 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10686 ADD_ALL_TESTS(test_shutdown, 7);
10687 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10688 ADD_ALL_TESTS(test_cert_cb, 6);
10689 ADD_ALL_TESTS(test_client_cert_cb, 2);
10690 ADD_ALL_TESTS(test_ca_names, 3);
10691#ifndef OPENSSL_NO_TLS1_2
10692 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10693#endif
10694 ADD_ALL_TESTS(test_servername, 10);
10695#if !defined(OPENSSL_NO_EC) \
10696 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10697 ADD_ALL_TESTS(test_sigalgs_available, 6);
10698#endif
10699#ifndef OPENSSL_NO_TLS1_3
10700 ADD_ALL_TESTS(test_pluggable_group, 2);
10701#endif
10702#ifndef OPENSSL_NO_TLS1_2
10703 ADD_TEST(test_ssl_dup);
10704# ifndef OPENSSL_NO_DH
10705 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10706 ADD_ALL_TESTS(test_dh_auto, 7);
10707# endif
10708#endif
10709#ifndef OSSL_NO_USABLE_TLS1_3
10710 ADD_TEST(test_sni_tls13);
10711 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10712#endif
10713 ADD_TEST(test_inherit_verify_param);
10714 ADD_TEST(test_set_alpn);
10715 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10716 ADD_TEST(test_set_verify_cert_store_ssl);
10717 ADD_ALL_TESTS(test_session_timeout, 1);
10718 ADD_TEST(test_load_dhfile);
10719#ifndef OSSL_NO_USABLE_TLS1_3
10720 ADD_TEST(test_read_ahead_key_change);
10721 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10722#endif
10723#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10724 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10725#endif
10726#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10727 ADD_ALL_TESTS(test_pipelining, 6);
10728#endif
10729 return 1;
10730
10731 err:
10732 OPENSSL_free(cert);
10733 OPENSSL_free(privkey);
10734 OPENSSL_free(cert2);
10735 OPENSSL_free(privkey2);
10736 return 0;
10737}
10738
10739void cleanup_tests(void)
10740{
10741# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10742 EVP_PKEY_free(tmp_dh_params);
10743#endif
10744 OPENSSL_free(cert);
10745 OPENSSL_free(privkey);
10746 OPENSSL_free(cert2);
10747 OPENSSL_free(privkey2);
10748 OPENSSL_free(cert1024);
10749 OPENSSL_free(privkey1024);
10750 OPENSSL_free(cert3072);
10751 OPENSSL_free(privkey3072);
10752 OPENSSL_free(cert4096);
10753 OPENSSL_free(privkey4096);
10754 OPENSSL_free(cert8192);
10755 OPENSSL_free(privkey8192);
10756 bio_s_mempacket_test_free();
10757 bio_s_always_retry_free();
10758 OSSL_PROVIDER_unload(defctxnull);
10759 OSSL_LIB_CTX_free(libctx);
10760}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette