VirtualBox

source: vbox/trunk/src/libs/openssl-3.3.2/test/sslapitest.c

最後變更 在這個檔案是 108206,由 vboxsync 提交於 4 週 前

openssl-3.3.2: Exported all files to OSE and removed .scm-settings ​bugref:10757
  • 屬性 svn:eol-style 設為 native
  • 屬性 svn:keywords 設為 Author Date Id Revision
檔案大小: 417.6 KB
 
1/*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36#include <openssl/engine.h>
37
38#include "helpers/ssltestlib.h"
39#include "testutil.h"
40#include "testutil/output.h"
41#include "internal/nelem.h"
42#include "internal/tlsgroups.h"
43#include "internal/ktls.h"
44#include "../ssl/ssl_local.h"
45#include "../ssl/record/methods/recmethod_local.h"
46#include "filterprov.h"
47
48#undef OSSL_NO_USABLE_TLS1_3
49#if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51/*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55# define OSSL_NO_USABLE_TLS1_3
56#endif
57
58/* Defined in tls-provider.c */
59int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
63
64static OSSL_LIB_CTX *libctx = NULL;
65static OSSL_PROVIDER *defctxnull = NULL;
66
67#ifndef OSSL_NO_USABLE_TLS1_3
68
69static SSL_SESSION *clientpsk = NULL;
70static SSL_SESSION *serverpsk = NULL;
71static const char *pskid = "Identity";
72static const char *srvid;
73
74static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79static int use_session_cb_cnt = 0;
80static int find_session_cb_cnt = 0;
81#endif
82
83static char *certsdir = NULL;
84static char *cert = NULL;
85static char *privkey = NULL;
86static char *cert2 = NULL;
87static char *privkey2 = NULL;
88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
98static char *dhfile = NULL;
99
100static int is_fips = 0;
101static int fips_ems_check = 0;
102
103#define LOG_BUFFER_SIZE 2048
104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t server_log_buffer_index = 0;
106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107static size_t client_log_buffer_index = 0;
108static int error_writing_log = 0;
109
110#ifndef OPENSSL_NO_OCSP
111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
117#endif
118
119#define CLIENT_VERSION_LEN 2
120
121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135};
136
137
138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163}
164
165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205{
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345}
346
347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348static int test_keylog(void)
349{
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
426#endif
427
428#ifndef OSSL_NO_USABLE_TLS1_3
429static int test_keylog_no_master_key(void)
430{
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
710#ifndef OPENSSL_NO_TLS1_2
711static int full_client_hello_callback(SSL *s, int *al, void *arg)
712{
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
717#ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719#else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722#endif
723 const int expected_extensions[] = {
724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750}
751
752static int test_client_hello_cb(void)
753{
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
781 goto end;
782
783 testresult = 1;
784
785end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792}
793
794static int test_no_ems(void)
795{
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0, status;
799
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
816 if (status == 1) {
817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
818 goto end;
819 }
820 } else {
821 if (!status) {
822 printf("Creating SSL connection failed\n");
823 goto end;
824 }
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
827 goto end;
828 }
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
831 goto end;
832 }
833 }
834 testresult = 1;
835
836end:
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843}
844
845/*
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
849 * encryption to real encryption).
850 */
851static int test_ccs_change_cipher(void)
852{
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
856 int testresult = 0;
857 int i;
858 unsigned char buf;
859 size_t readbytes;
860
861 /*
862 * Create a connection so we can resume and potentially (but not) use
863 * a different cipher in the second connection.
864 */
865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
866 TLS_client_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 NULL, NULL))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
877 goto end;
878
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
881
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 NULL, NULL))
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 SSL_ERROR_NONE))
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 goto end;
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
899
900 /*
901 * Now create a fresh connection and try to renegotiate a different
902 * cipher on it.
903 */
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 NULL, NULL))
906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 SSL_ERROR_NONE))
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 goto end;
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
918 goto end;
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
921 goto end;
922 }
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 }
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
939 goto end;
940
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
943
944 testresult = 1;
945
946end:
947 SSL_free(serverssl);
948 SSL_free(clientssl);
949 SSL_CTX_free(sctx);
950 SSL_CTX_free(cctx);
951 SSL_SESSION_free(sess);
952
953 return testresult;
954}
955#endif
956
957static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
960 int read_ahead)
961{
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
964 int testresult = 0;
965
966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
969 goto end;
970
971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
984 if (read_ahead) {
985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
993 goto end;
994
995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 NULL, NULL))
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
998 SSL_ERROR_NONE)))
999 goto end;
1000
1001 /*
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1003 * doesn't leak.
1004 */
1005 if (!TEST_true(SSL_clear(serverssl)))
1006 goto end;
1007
1008 testresult = 1;
1009 end:
1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1012 SSL_CTX_free(sctx);
1013 SSL_CTX_free(cctx);
1014
1015 return testresult;
1016}
1017
1018#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1020/* sock must be connected */
1021static int ktls_chk_platform(int sock)
1022{
1023 if (!ktls_enable(sock))
1024 return 0;
1025 return 1;
1026}
1027
1028static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1029{
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1033 size_t err = 0;
1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
1042 SSL_CONNECTION *clientsc, *serversc;
1043
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1046 goto end;
1047
1048 cbuf[0] = count++;
1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1053
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1055 goto end;
1056
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1059 goto end;
1060 }
1061 }
1062
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1076
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1079 goto end;
1080
1081 /*
1082 * If ktls is used then kernel sequences are used instead of
1083 * OpenSSL sequences
1084 */
1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
1088 goto end;
1089 } else {
1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
1092 goto end;
1093 }
1094
1095 if (!BIO_get_ktls_send(serversc->wbio)) {
1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
1098 goto end;
1099 } else {
1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
1102 goto end;
1103 }
1104
1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
1108 goto end;
1109 } else {
1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
1112 goto end;
1113 }
1114
1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
1118 goto end;
1119 } else {
1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
1122 goto end;
1123 }
1124
1125 return 1;
1126end:
1127 return 0;
1128}
1129
1130static int execute_test_ktls(int cis_ktls, int sis_ktls,
1131 int tls_version, const char *cipher)
1132{
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1137 int rx_supported;
1138 SSL_CONNECTION *clientsc, *serversc;
1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1141 int ret;
1142 size_t offset = 0, i;
1143
1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1145 goto end;
1146
1147 /* Skip this test if the platform does not support ktls */
1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1150 goto end;
1151 }
1152
1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1155 goto end;
1156 }
1157
1158 /* Create a session based on SHA-256 */
1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1160 TLS_client_method(),
1161 tls_version, tls_version,
1162 &sctx, &cctx, cert, privkey)))
1163 goto end;
1164
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1168 goto end;
1169 } else {
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1172 goto end;
1173 }
1174
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
1177 goto end;
1178
1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1181 goto end;
1182
1183 if (cis_ktls) {
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1185 goto end;
1186 }
1187
1188 if (sis_ktls) {
1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1190 goto end;
1191 }
1192
1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1194 goto end;
1195
1196 /*
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1199 * isn't enabled.
1200 */
1201 if (!cis_ktls) {
1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1203 goto end;
1204 } else {
1205 if (BIO_get_ktls_send(clientsc->wbio))
1206 ktls_used = 1;
1207 }
1208
1209 if (!sis_ktls) {
1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1211 goto end;
1212 } else {
1213 if (BIO_get_ktls_send(serversc->wbio))
1214 ktls_used = 1;
1215 }
1216
1217#if defined(OPENSSL_NO_KTLS_RX)
1218 rx_supported = 0;
1219#else
1220 rx_supported = 1;
1221#endif
1222 if (!cis_ktls || !rx_supported) {
1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1224 goto end;
1225 } else {
1226 if (BIO_get_ktls_send(clientsc->rbio))
1227 ktls_used = 1;
1228 }
1229
1230 if (!sis_ktls || !rx_supported) {
1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1232 goto end;
1233 } else {
1234 if (BIO_get_ktls_send(serversc->rbio))
1235 ktls_used = 1;
1236 }
1237
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1241 "TLS 1.2", cipher);
1242 goto end;
1243 }
1244
1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1246 goto end;
1247
1248 buf = OPENSSL_zalloc(bufsz);
1249 if (!TEST_ptr(buf))
1250 goto end;
1251
1252 /*
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1255 */
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1258 goto end;
1259 }
1260
1261 /* Now check that we can read all the data we wrote */
1262 do {
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1264 if (ret <= 0) {
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1266 goto end;
1267 } else {
1268 offset += ret;
1269 }
1270 } while (offset < bufsz);
1271
1272 if (!TEST_true(offset == bufsz))
1273 goto end;
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1276 goto end;
1277
1278 testresult = 1;
1279end:
1280 OPENSSL_free(buf);
1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
1296 return testresult;
1297}
1298
1299#define SENDFILE_SZ (16 * 4096)
1300#define SENDFILE_CHUNK (4 * 4096)
1301#define min(a,b) ((a) > (b) ? (b) : (a))
1302
1303static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
1315 SSL_CONNECTION *serversc;
1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
1325 testresult = TEST_skip("Kernel does not support KTLS");
1326 goto end;
1327 }
1328
1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
1334 /* Create a session based on SHA-256 */
1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1336 TLS_client_method(),
1337 tls_version, tls_version,
1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1359 goto end;
1360
1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1368 SSL_ERROR_NONE)))
1369 goto end;
1370
1371 if (!BIO_get_ktls_send(serversc->wbio)) {
1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1379 goto end;
1380
1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443}
1444
1445static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448} ktls_test_ciphers[] = {
1449# if !defined(OPENSSL_NO_TLS1_2)
1450# ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455# endif
1456# ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458# endif
1459# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1460# ifndef OPENSSL_NO_EC
1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1462# endif
1463# endif
1464# endif
1465# if !defined(OSSL_NO_USABLE_TLS1_3)
1466# ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468# endif
1469# ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471# endif
1472# ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474# endif
1475# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477# endif
1478# endif
1479};
1480
1481#define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
1484static int test_ktls(int test)
1485{
1486 struct ktls_test_cipher *cipher;
1487 int cis_ktls, sis_ktls;
1488
1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1490 cipher = &ktls_test_ciphers[test / 4];
1491
1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
1494
1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
1497}
1498
1499static int test_ktls_sendfile(int test)
1500{
1501 struct ktls_test_cipher *cipher;
1502 int tst = test >> 1;
1503
1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1505 cipher = &ktls_test_ciphers[tst];
1506
1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
1509}
1510#endif
1511
1512static int test_large_message_tls(void)
1513{
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1515 TLS1_VERSION, 0, 0);
1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1521 TLS1_VERSION, 0, 1);
1522}
1523
1524#ifndef OPENSSL_NO_DTLS
1525static int test_large_message_dtls(void)
1526{
1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
1536 return execute_test_large_message(DTLS_server_method(),
1537 DTLS_client_method(),
1538 DTLS1_VERSION, 0, 0);
1539}
1540#endif
1541
1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return 1;
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return 1;
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return 1;
1599#endif
1600
1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return 1;
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617#else
1618 return 1;
1619#endif
1620
1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701}
1702
1703#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
1705static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1708{
1709 size_t i;
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1712 int testresult = 0;
1713 const unsigned char *zbuf;
1714 SSL_CONNECTION *serversc;
1715 TLS_RECORD *rr;
1716
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1719
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1721 smeth, cmeth,
1722 min_version, max_version,
1723 &sctx, &cctx, cert,
1724 privkey)))
1725 goto end;
1726
1727# ifdef OPENSSL_NO_DTLS1_2
1728 if (smeth == DTLS_server_method()) {
1729 /* Not supported in the FIPS provider */
1730 if (is_fips) {
1731 testresult = 1;
1732 goto end;
1733 };
1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
1743# endif
1744
1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
1776 rr = serversc->rlayer.tlsrecs;
1777
1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809}
1810#endif /*
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1813 */
1814
1815static int test_cleanse_plaintext(void)
1816{
1817#if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1820 TLS1_2_VERSION,
1821 TLS1_2_VERSION)))
1822 return 0;
1823
1824#endif
1825
1826#if !defined(OSSL_NO_USABLE_TLS1_3)
1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1829 TLS1_3_VERSION,
1830 TLS1_3_VERSION)))
1831 return 0;
1832#endif
1833
1834#if !defined(OPENSSL_NO_DTLS)
1835
1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1838 DTLS1_VERSION,
1839 0)))
1840 return 0;
1841#endif
1842 return 1;
1843}
1844
1845#ifndef OPENSSL_NO_OCSP
1846static int ocsp_server_cb(SSL *s, void *arg)
1847{
1848 int *argi = (int *)arg;
1849 unsigned char *copy = NULL;
1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1852
1853 if (*argi == 2) {
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858
1859 id = sk_OCSP_RESPID_value(ids, 0);
1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 }
1865
1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1871 OPENSSL_free(copy);
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1873 }
1874 ocsp_server_called = 1;
1875 return SSL_TLSEXT_ERR_OK;
1876}
1877
1878static int ocsp_client_cb(SSL *s, void *arg)
1879{
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1882 size_t len;
1883
1884 if (*argi != 1 && *argi != 2)
1885 return 0;
1886
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1888 if (!TEST_mem_eq(orespder, len, respderin, len))
1889 return 0;
1890
1891 ocsp_client_called = 1;
1892 return 1;
1893}
1894
1895static int test_tlsext_status_type(void)
1896{
1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
1899 int testresult = 0;
1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
1903
1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1905 TLS1_VERSION, 0,
1906 &sctx, &cctx, cert, privkey))
1907 return 0;
1908
1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1910 goto end;
1911
1912 /* First just do various checks getting and setting tlsext_status_type */
1913
1914 clientssl = SSL_new(cctx);
1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
1920 goto end;
1921
1922 SSL_free(clientssl);
1923 clientssl = NULL;
1924
1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1927 goto end;
1928
1929 clientssl = SSL_new(cctx);
1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1931 goto end;
1932 SSL_free(clientssl);
1933 clientssl = NULL;
1934
1935 /*
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1938 */
1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1946 SSL_ERROR_NONE))
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
1949 goto end;
1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = NULL;
1953 clientssl = NULL;
1954
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1958 cdummyarg = 0;
1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1963 SSL_ERROR_NONE))
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
1966 goto end;
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = NULL;
1970 clientssl = NULL;
1971
1972 /*
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1974 * accept.
1975 */
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1978 cdummyarg = 2;
1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
1981 goto end;
1982
1983 /*
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1985 * specific one. We'll use the server cert.
1986 */
1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1994 goto end;
1995 id = NULL;
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
1998 ids = NULL;
1999
2000 BIO_free(certbio);
2001 certbio = NULL;
2002
2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2004 SSL_ERROR_NONE))
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
2007 goto end;
2008
2009 testresult = 1;
2010
2011 end:
2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2014 SSL_CTX_free(sctx);
2015 SSL_CTX_free(cctx);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2018 BIO_free(certbio);
2019 X509_free(ocspcert);
2020 ocspcert = NULL;
2021
2022 return testresult;
2023}
2024#endif
2025
2026#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2027static int new_called, remove_called, get_called;
2028
2029static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2030{
2031 new_called++;
2032 /*
2033 * sess has been up-refed for us, but we don't actually need it so free it
2034 * immediately.
2035 */
2036 SSL_SESSION_free(sess);
2037 return 1;
2038}
2039
2040static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041{
2042 remove_called++;
2043}
2044
2045static SSL_SESSION *get_sess_val = NULL;
2046
2047static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 int *copy)
2049{
2050 get_called++;
2051 *copy = 1;
2052 return get_sess_val;
2053}
2054
2055static int execute_test_session(int maxprot, int use_int_cache,
2056 int use_ext_cache, long s_options)
2057{
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2061# ifndef OPENSSL_NO_TLS1_1
2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2063# endif
2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2065 int testresult = 0, numnewsesstick = 1;
2066
2067 new_called = remove_called = 0;
2068
2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2071 numnewsesstick = 2;
2072
2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
2075 &sctx, &cctx, cert, privkey)))
2076 return 0;
2077
2078 /*
2079 * Only allow the max protocol version so we can force a connection failure
2080 * later
2081 */
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
2084
2085 /* Set up session cache */
2086 if (use_ext_cache) {
2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2089 }
2090 if (use_int_cache) {
2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2093 } else {
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2097 }
2098
2099 if (s_options) {
2100 SSL_CTX_set_options(sctx, s_options);
2101 }
2102
2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2104 NULL, NULL))
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2106 SSL_ERROR_NONE))
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2108 goto end;
2109
2110 /* Should fail because it should already be in the cache */
2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2112 goto end;
2113 if (use_ext_cache
2114 && (!TEST_int_eq(new_called, numnewsesstick)
2115
2116 || !TEST_int_eq(remove_called, 0)))
2117 goto end;
2118
2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2124 SSL_ERROR_NONE))
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2126 goto end;
2127
2128 if (maxprot == TLS1_3_VERSION) {
2129 /*
2130 * In TLSv1.3 we should have created a new session even though we have
2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
2133 */
2134 if (use_ext_cache
2135 && (!TEST_int_eq(new_called, 1)
2136 || !TEST_int_eq(remove_called, 1)))
2137 goto end;
2138 } else {
2139 /*
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2141 * removed.
2142 */
2143 if (use_ext_cache
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2146 goto end;
2147 }
2148
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2151 goto end;
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
2154
2155 new_called = remove_called = 0;
2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2159 SSL_ERROR_NONE)))
2160 goto end;
2161
2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2163 goto end;
2164
2165 if (use_ext_cache
2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
2168 goto end;
2169
2170 new_called = remove_called = 0;
2171 /*
2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2174 */
2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2176 goto end;
2177 if (use_ext_cache
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2179 goto end;
2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2181 goto end;
2182
2183 if (use_int_cache) {
2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2187 goto end;
2188 }
2189
2190 new_called = remove_called = 0;
2191 /* This shouldn't be in the cache so should fail */
2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2193 goto end;
2194
2195 if (use_ext_cache
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2197 goto end;
2198
2199# if !defined(OPENSSL_NO_TLS1_1)
2200 new_called = remove_called = 0;
2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
2206 /* This should fail because of the mismatched protocol versions */
2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2208 SSL_ERROR_NONE)))
2209 goto end;
2210
2211 /* We should have automatically removed the session from the cache */
2212 if (use_ext_cache
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2214 goto end;
2215
2216 /* Should succeed because it should not already be in the cache */
2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2218 goto end;
2219# endif
2220
2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2229 }
2230
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2233 if (!use_int_cache)
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2237
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2245 sess1 = NULL;
2246 SSL_SESSION_free(sess2);
2247 sess2 = NULL;
2248
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2252 new_called = remove_called = get_called = 0;
2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2254 NULL, NULL))
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2256 SSL_ERROR_NONE))
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2259 goto end;
2260
2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2263 /*
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2268 */
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2270 goto end;
2271 } else {
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 goto end;
2275 }
2276 }
2277
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2280
2281 if (!TEST_int_eq(new_called, numnewsesstick)
2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
2284 goto end;
2285 /*
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2289 */
2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2295 goto end;
2296 SSL_SESSION_free(sess2);
2297 }
2298 sess2 = tmp;
2299 }
2300
2301 new_called = remove_called = get_called = 0;
2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2307 SSL_ERROR_NONE))
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2309 goto end;
2310
2311 if (use_ext_cache) {
2312 if (!TEST_int_eq(remove_called, 0))
2313 goto end;
2314
2315 if (maxprot == TLS1_3_VERSION) {
2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
2318 goto end;
2319 } else {
2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
2322 goto end;
2323 }
2324 }
2325 /*
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2330 */
2331
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2337 goto end;
2338
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2340 goto end;
2341
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2345
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2350 goto end;
2351
2352 testresult = 1;
2353
2354 end:
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
2359# ifndef OPENSSL_NO_TLS1_1
2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
2362# endif
2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
2370#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2371
2372static int test_session_with_only_int_cache(void)
2373{
2374#ifndef OSSL_NO_USABLE_TLS1_3
2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2376 return 0;
2377#endif
2378
2379#ifndef OPENSSL_NO_TLS1_2
2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2381#else
2382 return 1;
2383#endif
2384}
2385
2386static int test_session_with_only_ext_cache(void)
2387{
2388#ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2390 return 0;
2391#endif
2392
2393#ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2395#else
2396 return 1;
2397#endif
2398}
2399
2400static int test_session_with_both_cache(void)
2401{
2402#ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2404 return 0;
2405#endif
2406
2407#ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2409#else
2410 return 1;
2411#endif
2412}
2413
2414static int test_session_wo_ca_names(void)
2415{
2416#ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2418 return 0;
2419#endif
2420
2421#ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2423#else
2424 return 1;
2425#endif
2426}
2427
2428#ifndef OSSL_NO_USABLE_TLS1_3
2429static SSL_SESSION *sesscache[6];
2430static int do_cache;
2431
2432static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2433{
2434 if (do_cache) {
2435 sesscache[new_called] = sess;
2436 } else {
2437 /* We don't need the reference to the session, so free it */
2438 SSL_SESSION_free(sess);
2439 }
2440 new_called++;
2441
2442 return 1;
2443}
2444
2445static int post_handshake_verify(SSL *sssl, SSL *cssl)
2446{
2447 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2448 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2449 return 0;
2450
2451 /* Start handshake on the server and client */
2452 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2453 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2454 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2455 || !TEST_true(create_ssl_connection(sssl, cssl,
2456 SSL_ERROR_NONE)))
2457 return 0;
2458
2459 return 1;
2460}
2461
2462static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2463 SSL_CTX **cctx)
2464{
2465 int sess_id_ctx = 1;
2466
2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 sctx, cctx, cert, privkey))
2470 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2471 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2472 (void *)&sess_id_ctx,
2473 sizeof(sess_id_ctx))))
2474 return 0;
2475
2476 if (stateful)
2477 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2478
2479 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2480 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2481 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2482
2483 return 1;
2484}
2485
2486static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2487{
2488 SSL *serverssl = NULL, *clientssl = NULL;
2489 int i;
2490
2491 /* Test that we can resume with all the tickets we got given */
2492 for (i = 0; i < idx * 2; i++) {
2493 new_called = 0;
2494 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2495 &clientssl, NULL, NULL))
2496 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2497 goto end;
2498
2499 SSL_set_post_handshake_auth(clientssl, 1);
2500
2501 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2502 SSL_ERROR_NONE)))
2503 goto end;
2504
2505 /*
2506 * Following a successful resumption we only get 1 ticket. After a
2507 * failed one we should get idx tickets.
2508 */
2509 if (succ) {
2510 if (!TEST_true(SSL_session_reused(clientssl))
2511 || !TEST_int_eq(new_called, 1))
2512 goto end;
2513 } else {
2514 if (!TEST_false(SSL_session_reused(clientssl))
2515 || !TEST_int_eq(new_called, idx))
2516 goto end;
2517 }
2518
2519 new_called = 0;
2520 /* After a post-handshake authentication we should get 1 new ticket */
2521 if (succ
2522 && (!post_handshake_verify(serverssl, clientssl)
2523 || !TEST_int_eq(new_called, 1)))
2524 goto end;
2525
2526 SSL_shutdown(clientssl);
2527 SSL_shutdown(serverssl);
2528 SSL_free(serverssl);
2529 SSL_free(clientssl);
2530 serverssl = clientssl = NULL;
2531 SSL_SESSION_free(sesscache[i]);
2532 sesscache[i] = NULL;
2533 }
2534
2535 return 1;
2536
2537 end:
2538 SSL_free(clientssl);
2539 SSL_free(serverssl);
2540 return 0;
2541}
2542
2543static int test_tickets(int stateful, int idx)
2544{
2545 SSL_CTX *sctx = NULL, *cctx = NULL;
2546 SSL *serverssl = NULL, *clientssl = NULL;
2547 int testresult = 0;
2548 size_t j;
2549
2550 /* idx is the test number, but also the number of tickets we want */
2551
2552 new_called = 0;
2553 do_cache = 1;
2554
2555 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2556 goto end;
2557
2558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2559 &clientssl, NULL, NULL)))
2560 goto end;
2561
2562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2563 SSL_ERROR_NONE))
2564 /* Check we got the number of tickets we were expecting */
2565 || !TEST_int_eq(idx, new_called))
2566 goto end;
2567
2568 SSL_shutdown(clientssl);
2569 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2572 SSL_CTX_free(sctx);
2573 SSL_CTX_free(cctx);
2574 clientssl = serverssl = NULL;
2575 sctx = cctx = NULL;
2576
2577 /*
2578 * Now we try to resume with the tickets we previously created. The
2579 * resumption attempt is expected to fail (because we're now using a new
2580 * SSL_CTX). We should see idx number of tickets issued again.
2581 */
2582
2583 /* Stop caching sessions - just count them */
2584 do_cache = 0;
2585
2586 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2587 goto end;
2588
2589 if (!check_resumption(idx, sctx, cctx, 0))
2590 goto end;
2591
2592 /* Start again with caching sessions */
2593 new_called = 0;
2594 do_cache = 1;
2595 SSL_CTX_free(sctx);
2596 SSL_CTX_free(cctx);
2597 sctx = cctx = NULL;
2598
2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2600 goto end;
2601
2602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2603 &clientssl, NULL, NULL)))
2604 goto end;
2605
2606 SSL_set_post_handshake_auth(clientssl, 1);
2607
2608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2609 SSL_ERROR_NONE))
2610 /* Check we got the number of tickets we were expecting */
2611 || !TEST_int_eq(idx, new_called))
2612 goto end;
2613
2614 /* After a post-handshake authentication we should get new tickets issued */
2615 if (!post_handshake_verify(serverssl, clientssl)
2616 || !TEST_int_eq(idx * 2, new_called))
2617 goto end;
2618
2619 SSL_shutdown(clientssl);
2620 SSL_shutdown(serverssl);
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 serverssl = clientssl = NULL;
2624
2625 /* Stop caching sessions - just count them */
2626 do_cache = 0;
2627
2628 /*
2629 * Check we can resume with all the tickets we created. This time around the
2630 * resumptions should all be successful.
2631 */
2632 if (!check_resumption(idx, sctx, cctx, 1))
2633 goto end;
2634
2635 testresult = 1;
2636
2637 end:
2638 SSL_free(serverssl);
2639 SSL_free(clientssl);
2640 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2641 SSL_SESSION_free(sesscache[j]);
2642 sesscache[j] = NULL;
2643 }
2644 SSL_CTX_free(sctx);
2645 SSL_CTX_free(cctx);
2646
2647 return testresult;
2648}
2649
2650static int test_stateless_tickets(int idx)
2651{
2652 return test_tickets(0, idx);
2653}
2654
2655static int test_stateful_tickets(int idx)
2656{
2657 return test_tickets(1, idx);
2658}
2659
2660static int test_psk_tickets(void)
2661{
2662 SSL_CTX *sctx = NULL, *cctx = NULL;
2663 SSL *serverssl = NULL, *clientssl = NULL;
2664 int testresult = 0;
2665 int sess_id_ctx = 1;
2666
2667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2668 TLS_client_method(), TLS1_VERSION, 0,
2669 &sctx, &cctx, NULL, NULL))
2670 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2671 (void *)&sess_id_ctx,
2672 sizeof(sess_id_ctx))))
2673 goto end;
2674
2675 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2676 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2677 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2678 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2679 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2680 use_session_cb_cnt = 0;
2681 find_session_cb_cnt = 0;
2682 srvid = pskid;
2683 new_called = 0;
2684
2685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2686 NULL, NULL)))
2687 goto end;
2688 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2689 if (!TEST_ptr(clientpsk))
2690 goto end;
2691 SSL_SESSION_up_ref(clientpsk);
2692
2693 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2694 SSL_ERROR_NONE))
2695 || !TEST_int_eq(1, find_session_cb_cnt)
2696 || !TEST_int_eq(1, use_session_cb_cnt)
2697 /* We should always get 1 ticket when using external PSK */
2698 || !TEST_int_eq(1, new_called))
2699 goto end;
2700
2701 testresult = 1;
2702
2703 end:
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 SSL_CTX_free(sctx);
2707 SSL_CTX_free(cctx);
2708 SSL_SESSION_free(clientpsk);
2709 SSL_SESSION_free(serverpsk);
2710 clientpsk = serverpsk = NULL;
2711
2712 return testresult;
2713}
2714
2715static int test_extra_tickets(int idx)
2716{
2717 SSL_CTX *sctx = NULL, *cctx = NULL;
2718 SSL *serverssl = NULL, *clientssl = NULL;
2719 BIO *bretry = BIO_new(bio_s_always_retry());
2720 BIO *tmp = NULL;
2721 int testresult = 0;
2722 int stateful = 0;
2723 size_t nbytes;
2724 unsigned char c, buf[1];
2725
2726 new_called = 0;
2727 do_cache = 1;
2728
2729 if (idx >= 3) {
2730 idx -= 3;
2731 stateful = 1;
2732 }
2733
2734 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2735 goto end;
2736 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2737 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2738 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2739
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2741 &clientssl, NULL, NULL)))
2742 goto end;
2743
2744 /*
2745 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2746 * incremented by both client and server.
2747 */
2748 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2749 SSL_ERROR_NONE))
2750 /* Check we got the number of tickets we were expecting */
2751 || !TEST_int_eq(idx * 2, new_called)
2752 || !TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_int_eq(idx * 2, new_called))
2755 goto end;
2756
2757 /* Now try a (real) write to actually send the tickets */
2758 c = '1';
2759 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2760 || !TEST_size_t_eq(1, nbytes)
2761 || !TEST_int_eq(idx * 2 + 2, new_called)
2762 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2763 || !TEST_int_eq(idx * 2 + 4, new_called)
2764 || !TEST_int_eq(sizeof(buf), nbytes)
2765 || !TEST_int_eq(c, buf[0])
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2767 goto end;
2768
2769 /* Try with only requesting one new ticket, too */
2770 c = '2';
2771 new_called = 0;
2772 if (!TEST_true(SSL_new_session_ticket(serverssl))
2773 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2774 || !TEST_size_t_eq(sizeof(c), nbytes)
2775 || !TEST_int_eq(1, new_called)
2776 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_size_t_eq(sizeof(buf), nbytes)
2779 || !TEST_int_eq(c, buf[0]))
2780 goto end;
2781
2782 /* Do it again but use dummy writes to drive the ticket generation */
2783 c = '3';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2788 || !TEST_size_t_eq(0, nbytes)
2789 || !TEST_int_eq(2, new_called)
2790 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2791 || !TEST_int_eq(4, new_called))
2792 goto end;
2793
2794 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2795 c = '4';
2796 new_called = 0;
2797 if (!TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2803 goto end;
2804
2805 /*
2806 * Use the always-retry BIO to exercise the logic that forces ticket
2807 * generation to wait until a record boundary.
2808 */
2809 c = '5';
2810 new_called = 0;
2811 tmp = SSL_get_wbio(serverssl);
2812 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2813 tmp = NULL;
2814 goto end;
2815 }
2816 SSL_set0_wbio(serverssl, bretry);
2817 bretry = NULL;
2818 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2820 || !TEST_size_t_eq(nbytes, 0))
2821 goto end;
2822 /* Restore a BIO that will let the write succeed */
2823 SSL_set0_wbio(serverssl, tmp);
2824 tmp = NULL;
2825 /*
2826 * These calls should just queue the request and not send anything
2827 * even if we explicitly try to hit the state machine.
2828 */
2829 if (!TEST_true(SSL_new_session_ticket(serverssl))
2830 || !TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_int_eq(0, new_called)
2832 || !TEST_true(SSL_do_handshake(serverssl))
2833 || !TEST_int_eq(0, new_called))
2834 goto end;
2835 /* Re-do the write; still no tickets sent */
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(0, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2844 goto end;
2845 /* Even trying to hit the state machine now will still not send tickets */
2846 if (!TEST_true(SSL_do_handshake(serverssl))
2847 || !TEST_int_eq(0, new_called))
2848 goto end;
2849 /* Now the *next* write should send the tickets */
2850 c = '6';
2851 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2852 || !TEST_size_t_eq(1, nbytes)
2853 || !TEST_int_eq(2, new_called)
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2855 || !TEST_int_eq(4, new_called)
2856 || !TEST_int_eq(sizeof(buf), nbytes)
2857 || !TEST_int_eq(c, buf[0])
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2859 goto end;
2860
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2863 testresult = 1;
2864
2865 end:
2866 BIO_free(bretry);
2867 BIO_free(tmp);
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2870 SSL_CTX_free(sctx);
2871 SSL_CTX_free(cctx);
2872 clientssl = serverssl = NULL;
2873 sctx = cctx = NULL;
2874 return testresult;
2875}
2876#endif
2877
2878#define USE_NULL 0
2879#define USE_BIO_1 1
2880#define USE_BIO_2 2
2881#define USE_DEFAULT 3
2882
2883#define CONNTYPE_CONNECTION_SUCCESS 0
2884#define CONNTYPE_CONNECTION_FAIL 1
2885#define CONNTYPE_NO_CONNECTION 2
2886
2887#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2888#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2889#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2890# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2891#else
2892# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2893#endif
2894
2895#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2896 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2898
2899static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2900{
2901 switch (type) {
2902 case USE_NULL:
2903 *res = NULL;
2904 break;
2905 case USE_BIO_1:
2906 *res = bio1;
2907 break;
2908 case USE_BIO_2:
2909 *res = bio2;
2910 break;
2911 }
2912}
2913
2914
2915/*
2916 * Tests calls to SSL_set_bio() under various conditions.
2917 *
2918 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2920 * then do more tests where we create a successful connection first using our
2921 * standard connection setup functions, and then call SSL_set_bio() with
2922 * various combinations of valid BIOs or NULL. We then repeat these tests
2923 * following a failed connection. In this last case we are looking to check that
2924 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2925 */
2926static int test_ssl_set_bio(int idx)
2927{
2928 SSL_CTX *sctx = NULL, *cctx = NULL;
2929 BIO *bio1 = NULL;
2930 BIO *bio2 = NULL;
2931 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2932 SSL *serverssl = NULL, *clientssl = NULL;
2933 int initrbio, initwbio, newrbio, newwbio, conntype;
2934 int testresult = 0;
2935
2936 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2937 initrbio = idx % 3;
2938 idx /= 3;
2939 initwbio = idx % 3;
2940 idx /= 3;
2941 newrbio = idx % 3;
2942 idx /= 3;
2943 newwbio = idx % 3;
2944 conntype = CONNTYPE_NO_CONNECTION;
2945 } else {
2946 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2947 initrbio = initwbio = USE_DEFAULT;
2948 newrbio = idx % 2;
2949 idx /= 2;
2950 newwbio = idx % 2;
2951 idx /= 2;
2952 conntype = idx % 2;
2953 }
2954
2955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2956 TLS_client_method(), TLS1_VERSION, 0,
2957 &sctx, &cctx, cert, privkey)))
2958 goto end;
2959
2960 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2961 /*
2962 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2963 * because we reduced the number of tests in the definition of
2964 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2965 * mismatched protocol versions we will force a connection failure.
2966 */
2967 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2969 }
2970
2971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2972 NULL, NULL)))
2973 goto end;
2974
2975 if (initrbio == USE_BIO_1
2976 || initwbio == USE_BIO_1
2977 || newrbio == USE_BIO_1
2978 || newwbio == USE_BIO_1) {
2979 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2980 goto end;
2981 }
2982
2983 if (initrbio == USE_BIO_2
2984 || initwbio == USE_BIO_2
2985 || newrbio == USE_BIO_2
2986 || newwbio == USE_BIO_2) {
2987 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2988 goto end;
2989 }
2990
2991 if (initrbio != USE_DEFAULT) {
2992 setupbio(&irbio, bio1, bio2, initrbio);
2993 setupbio(&iwbio, bio1, bio2, initwbio);
2994 SSL_set_bio(clientssl, irbio, iwbio);
2995
2996 /*
2997 * We want to maintain our own refs to these BIO, so do an up ref for
2998 * each BIO that will have ownership transferred in the SSL_set_bio()
2999 * call
3000 */
3001 if (irbio != NULL)
3002 BIO_up_ref(irbio);
3003 if (iwbio != NULL && iwbio != irbio)
3004 BIO_up_ref(iwbio);
3005 }
3006
3007 if (conntype != CONNTYPE_NO_CONNECTION
3008 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3009 SSL_ERROR_NONE)
3010 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3011 goto end;
3012
3013 setupbio(&nrbio, bio1, bio2, newrbio);
3014 setupbio(&nwbio, bio1, bio2, newwbio);
3015
3016 /*
3017 * We will (maybe) transfer ownership again so do more up refs.
3018 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3019 * already been set!
3020 */
3021 if (nrbio != NULL
3022 && nrbio != irbio
3023 && (nwbio != iwbio || nrbio != nwbio))
3024 BIO_up_ref(nrbio);
3025 if (nwbio != NULL
3026 && nwbio != nrbio
3027 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3028 BIO_up_ref(nwbio);
3029
3030 SSL_set_bio(clientssl, nrbio, nwbio);
3031
3032 testresult = 1;
3033
3034 end:
3035 BIO_free(bio1);
3036 BIO_free(bio2);
3037
3038 /*
3039 * This test is checking that the ref counting for SSL_set_bio is correct.
3040 * If we get here and we did too many frees then we will fail in the above
3041 * functions.
3042 */
3043 SSL_free(serverssl);
3044 SSL_free(clientssl);
3045 SSL_CTX_free(sctx);
3046 SSL_CTX_free(cctx);
3047 return testresult;
3048}
3049
3050typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3051
3052static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3053{
3054 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3055 SSL_CTX *ctx;
3056 SSL *ssl = NULL;
3057 int testresult = 0;
3058
3059 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3060 || !TEST_ptr(ssl = SSL_new(ctx))
3061 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3062 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3063 goto end;
3064
3065 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3066
3067 /*
3068 * If anything goes wrong here then we could leak memory.
3069 */
3070 BIO_push(sslbio, membio1);
3071
3072 /* Verify changing the rbio/wbio directly does not cause leaks */
3073 if (change_bio != NO_BIO_CHANGE) {
3074 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3075 ssl = NULL;
3076 goto end;
3077 }
3078 if (change_bio == CHANGE_RBIO)
3079 SSL_set0_rbio(ssl, membio2);
3080 else
3081 SSL_set0_wbio(ssl, membio2);
3082 }
3083 ssl = NULL;
3084
3085 if (pop_ssl)
3086 BIO_pop(sslbio);
3087 else
3088 BIO_pop(membio1);
3089
3090 testresult = 1;
3091 end:
3092 BIO_free(membio1);
3093 BIO_free(sslbio);
3094 SSL_free(ssl);
3095 SSL_CTX_free(ctx);
3096
3097 return testresult;
3098}
3099
3100static int test_ssl_bio_pop_next_bio(void)
3101{
3102 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3103}
3104
3105static int test_ssl_bio_pop_ssl_bio(void)
3106{
3107 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3108}
3109
3110static int test_ssl_bio_change_rbio(void)
3111{
3112 return execute_test_ssl_bio(0, CHANGE_RBIO);
3113}
3114
3115static int test_ssl_bio_change_wbio(void)
3116{
3117 return execute_test_ssl_bio(0, CHANGE_WBIO);
3118}
3119
3120#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3121typedef struct {
3122 /* The list of sig algs */
3123 const int *list;
3124 /* The length of the list */
3125 size_t listlen;
3126 /* A sigalgs list in string format */
3127 const char *liststr;
3128 /* Whether setting the list should succeed */
3129 int valid;
3130 /* Whether creating a connection with the list should succeed */
3131 int connsuccess;
3132} sigalgs_list;
3133
3134static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3135# ifndef OPENSSL_NO_EC
3136static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3137static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3138# endif
3139static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3140static const int invalidlist2[] = {NID_sha256, NID_undef};
3141static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3142static const int invalidlist4[] = {NID_sha256};
3143static const sigalgs_list testsigalgs[] = {
3144 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3145# ifndef OPENSSL_NO_EC
3146 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3147 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3148# endif
3149 {NULL, 0, "RSA+SHA256", 1, 1},
3150 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3151# ifndef OPENSSL_NO_EC
3152 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3153 {NULL, 0, "ECDSA+SHA512", 1, 0},
3154# endif
3155 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3156 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3157 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3158 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3159 {NULL, 0, "RSA", 0, 0},
3160 {NULL, 0, "SHA256", 0, 0},
3161 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3162 {NULL, 0, "Invalid", 0, 0}
3163};
3164
3165static int test_set_sigalgs(int idx)
3166{
3167 SSL_CTX *cctx = NULL, *sctx = NULL;
3168 SSL *clientssl = NULL, *serverssl = NULL;
3169 int testresult = 0;
3170 const sigalgs_list *curr;
3171 int testctx;
3172
3173 /* Should never happen */
3174 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3175 return 0;
3176
3177 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3178 curr = testctx ? &testsigalgs[idx]
3179 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3180
3181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3182 TLS_client_method(), TLS1_VERSION, 0,
3183 &sctx, &cctx, cert, privkey)))
3184 return 0;
3185
3186 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3187
3188 if (testctx) {
3189 int ret;
3190
3191 if (curr->list != NULL)
3192 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3193 else
3194 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3195
3196 if (!ret) {
3197 if (curr->valid)
3198 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3199 else
3200 testresult = 1;
3201 goto end;
3202 }
3203 if (!curr->valid) {
3204 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3205 goto end;
3206 }
3207 }
3208
3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3210 &clientssl, NULL, NULL)))
3211 goto end;
3212
3213 if (!testctx) {
3214 int ret;
3215
3216 if (curr->list != NULL)
3217 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3218 else
3219 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3220 if (!ret) {
3221 if (curr->valid)
3222 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3223 else
3224 testresult = 1;
3225 goto end;
3226 }
3227 if (!curr->valid)
3228 goto end;
3229 }
3230
3231 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3232 SSL_ERROR_NONE),
3233 curr->connsuccess))
3234 goto end;
3235
3236 testresult = 1;
3237
3238 end:
3239 SSL_free(serverssl);
3240 SSL_free(clientssl);
3241 SSL_CTX_free(sctx);
3242 SSL_CTX_free(cctx);
3243
3244 return testresult;
3245}
3246#endif
3247
3248#ifndef OSSL_NO_USABLE_TLS1_3
3249static int psk_client_cb_cnt = 0;
3250static int psk_server_cb_cnt = 0;
3251
3252static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3253 size_t *idlen, SSL_SESSION **sess)
3254{
3255 switch (++use_session_cb_cnt) {
3256 case 1:
3257 /* The first call should always have a NULL md */
3258 if (md != NULL)
3259 return 0;
3260 break;
3261
3262 case 2:
3263 /* The second call should always have an md */
3264 if (md == NULL)
3265 return 0;
3266 break;
3267
3268 default:
3269 /* We should only be called a maximum of twice */
3270 return 0;
3271 }
3272
3273 if (clientpsk != NULL)
3274 SSL_SESSION_up_ref(clientpsk);
3275
3276 *sess = clientpsk;
3277 *id = (const unsigned char *)pskid;
3278 *idlen = strlen(pskid);
3279
3280 return 1;
3281}
3282
3283#ifndef OPENSSL_NO_PSK
3284static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3285 unsigned int max_id_len,
3286 unsigned char *psk,
3287 unsigned int max_psk_len)
3288{
3289 unsigned int psklen = 0;
3290
3291 psk_client_cb_cnt++;
3292
3293 if (strlen(pskid) + 1 > max_id_len)
3294 return 0;
3295
3296 /* We should only ever be called a maximum of twice per connection */
3297 if (psk_client_cb_cnt > 2)
3298 return 0;
3299
3300 if (clientpsk == NULL)
3301 return 0;
3302
3303 /* We'll reuse the PSK we set up for TLSv1.3 */
3304 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3305 return 0;
3306 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3307 strncpy(id, pskid, max_id_len);
3308
3309 return psklen;
3310}
3311#endif /* OPENSSL_NO_PSK */
3312
3313static int find_session_cb(SSL *ssl, const unsigned char *identity,
3314 size_t identity_len, SSL_SESSION **sess)
3315{
3316 find_session_cb_cnt++;
3317
3318 /* We should only ever be called a maximum of twice per connection */
3319 if (find_session_cb_cnt > 2)
3320 return 0;
3321
3322 if (serverpsk == NULL)
3323 return 0;
3324
3325 /* Identity should match that set by the client */
3326 if (strlen(srvid) != identity_len
3327 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3328 /* No PSK found, continue but without a PSK */
3329 *sess = NULL;
3330 return 1;
3331 }
3332
3333 SSL_SESSION_up_ref(serverpsk);
3334 *sess = serverpsk;
3335
3336 return 1;
3337}
3338
3339#ifndef OPENSSL_NO_PSK
3340static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3341 unsigned char *psk, unsigned int max_psk_len)
3342{
3343 unsigned int psklen = 0;
3344
3345 psk_server_cb_cnt++;
3346
3347 /* We should only ever be called a maximum of twice per connection */
3348 if (find_session_cb_cnt > 2)
3349 return 0;
3350
3351 if (serverpsk == NULL)
3352 return 0;
3353
3354 /* Identity should match that set by the client */
3355 if (strcmp(srvid, identity) != 0) {
3356 return 0;
3357 }
3358
3359 /* We'll reuse the PSK we set up for TLSv1.3 */
3360 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3361 return 0;
3362 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3363
3364 return psklen;
3365}
3366#endif /* OPENSSL_NO_PSK */
3367
3368#define MSG1 "Hello"
3369#define MSG2 "World."
3370#define MSG3 "This"
3371#define MSG4 "is"
3372#define MSG5 "a"
3373#define MSG6 "test"
3374#define MSG7 "message."
3375
3376static int artificial_ticket_time = 0;
3377
3378static int sub_session_time(SSL_SESSION *sess)
3379{
3380 OSSL_TIME tick_time;
3381
3382 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3383 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3384
3385 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3386}
3387
3388static int ed_gen_cb(SSL *s, void *arg)
3389{
3390 SSL_SESSION *sess = SSL_get0_session(s);
3391
3392 if (sess == NULL)
3393 return 0;
3394
3395 /*
3396 * Artificially give the ticket some age. Just do it for the number of
3397 * tickets we've been told to do.
3398 */
3399 if (artificial_ticket_time == 0)
3400 return 1;
3401 artificial_ticket_time--;
3402
3403 return sub_session_time(sess);
3404}
3405
3406/*
3407 * Helper method to setup objects for early data test. Caller frees objects on
3408 * error.
3409 */
3410static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3411 SSL **serverssl, SSL_SESSION **sess, int idx,
3412 size_t mdsize)
3413{
3414 int artificial = (artificial_ticket_time > 0);
3415
3416 if (*sctx == NULL
3417 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3418 TLS_client_method(),
3419 TLS1_VERSION, 0,
3420 sctx, cctx, cert, privkey)))
3421 return 0;
3422
3423 if (artificial)
3424 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3425
3426 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3427 return 0;
3428
3429 if (idx == 1) {
3430 /* When idx == 1 we repeat the tests with read_ahead set */
3431 SSL_CTX_set_read_ahead(*cctx, 1);
3432 SSL_CTX_set_read_ahead(*sctx, 1);
3433 } else if (idx == 2) {
3434 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3435 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3436 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3437 use_session_cb_cnt = 0;
3438 find_session_cb_cnt = 0;
3439 srvid = pskid;
3440 }
3441
3442 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3443 NULL, NULL)))
3444 return 0;
3445
3446 /*
3447 * For one of the run throughs (doesn't matter which one), we'll try sending
3448 * some SNI data in the initial ClientHello. This will be ignored (because
3449 * there is no SNI cb set up by the server), so it should not impact
3450 * early_data.
3451 */
3452 if (idx == 1
3453 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3454 return 0;
3455
3456 if (idx == 2) {
3457 clientpsk = create_a_psk(*clientssl, mdsize);
3458 if (!TEST_ptr(clientpsk)
3459 /*
3460 * We just choose an arbitrary value for max_early_data which
3461 * should be big enough for testing purposes.
3462 */
3463 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3464 0x100))
3465 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3466 SSL_SESSION_free(clientpsk);
3467 clientpsk = NULL;
3468 return 0;
3469 }
3470 serverpsk = clientpsk;
3471
3472 if (sess != NULL) {
3473 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3474 SSL_SESSION_free(clientpsk);
3475 SSL_SESSION_free(serverpsk);
3476 clientpsk = serverpsk = NULL;
3477 return 0;
3478 }
3479 *sess = clientpsk;
3480 }
3481 return 1;
3482 }
3483
3484 if (sess == NULL)
3485 return 1;
3486
3487 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3488 SSL_ERROR_NONE)))
3489 return 0;
3490
3491 *sess = SSL_get1_session(*clientssl);
3492 SSL_shutdown(*clientssl);
3493 SSL_shutdown(*serverssl);
3494 SSL_free(*serverssl);
3495 SSL_free(*clientssl);
3496 *serverssl = *clientssl = NULL;
3497
3498 /*
3499 * Artificially give the ticket some age to match the artificial age we
3500 * gave it on the server side
3501 */
3502 if (artificial
3503 && !TEST_true(sub_session_time(*sess)))
3504 return 0;
3505
3506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3507 clientssl, NULL, NULL))
3508 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3509 return 0;
3510
3511 return 1;
3512}
3513
3514static int check_early_data_timeout(OSSL_TIME timer)
3515{
3516 int res = 0;
3517
3518 /*
3519 * Early data is time sensitive. We have an approx 8 second allowance
3520 * between writing the early data and reading it. If we exceed that time
3521 * then this test will fail. This can sometimes (rarely) occur in normal CI
3522 * operation. We can try and detect this and just ignore the result of this
3523 * test if it has taken too long. We assume anything over 7 seconds is too
3524 * long
3525 */
3526 timer = ossl_time_subtract(ossl_time_now(), timer);
3527 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3528 res = TEST_skip("Test took too long, ignoring result");
3529
3530 return res;
3531}
3532
3533static int test_early_data_read_write(int idx)
3534{
3535 SSL_CTX *cctx = NULL, *sctx = NULL;
3536 SSL *clientssl = NULL, *serverssl = NULL;
3537 int testresult = 0;
3538 SSL_SESSION *sess = NULL;
3539 unsigned char buf[20], data[1024];
3540 size_t readbytes, written, eoedlen, rawread, rawwritten;
3541 BIO *rbio;
3542 OSSL_TIME timer;
3543
3544 /* Artificially give the next 2 tickets some age for non PSK sessions */
3545 if (idx != 2)
3546 artificial_ticket_time = 2;
3547 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3548 &serverssl, &sess, idx,
3549 SHA384_DIGEST_LENGTH))) {
3550 artificial_ticket_time = 0;
3551 goto end;
3552 }
3553 artificial_ticket_time = 0;
3554
3555 /* Write and read some early data */
3556 timer = ossl_time_now();
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3558 &written))
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3560 goto end;
3561
3562 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3563 &readbytes),
3564 SSL_READ_EARLY_DATA_SUCCESS)) {
3565 testresult = check_early_data_timeout(timer);
3566 goto end;
3567 }
3568
3569 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_ACCEPTED))
3572 goto end;
3573
3574 /*
3575 * Server should be able to write data, and client should be able to
3576 * read it.
3577 */
3578 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3579 &written))
3580 || !TEST_size_t_eq(written, strlen(MSG2))
3581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3582 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3583 goto end;
3584
3585 /* Even after reading normal data, client should be able write early data */
3586 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3587 &written))
3588 || !TEST_size_t_eq(written, strlen(MSG3)))
3589 goto end;
3590
3591 /* Server should still be able read early data after writing data */
3592 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3593 &readbytes),
3594 SSL_READ_EARLY_DATA_SUCCESS)
3595 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3596 goto end;
3597
3598 /* Write more data from server and read it from client */
3599 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3600 &written))
3601 || !TEST_size_t_eq(written, strlen(MSG4))
3602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3603 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3604 goto end;
3605
3606 /*
3607 * If client writes normal data it should mean writing early data is no
3608 * longer possible.
3609 */
3610 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG5))
3612 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3613 SSL_EARLY_DATA_ACCEPTED))
3614 goto end;
3615
3616 /*
3617 * At this point the client has written EndOfEarlyData, ClientFinished and
3618 * normal (fully protected) data. We are going to cause a delay between the
3619 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3620 * in the read BIO, and then just put back the EndOfEarlyData message.
3621 */
3622 rbio = SSL_get_rbio(serverssl);
3623 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3624 || !TEST_size_t_lt(rawread, sizeof(data))
3625 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3626 goto end;
3627
3628 /* Record length is in the 4th and 5th bytes of the record header */
3629 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3630 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3631 || !TEST_size_t_eq(rawwritten, eoedlen))
3632 goto end;
3633
3634 /* Server should be told that there is no more early data */
3635 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3636 &readbytes),
3637 SSL_READ_EARLY_DATA_FINISH)
3638 || !TEST_size_t_eq(readbytes, 0))
3639 goto end;
3640
3641 /*
3642 * Server has not finished init yet, so should still be able to write early
3643 * data.
3644 */
3645 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3646 &written))
3647 || !TEST_size_t_eq(written, strlen(MSG6)))
3648 goto end;
3649
3650 /* Push the ClientFinished and the normal data back into the server rbio */
3651 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3652 &rawwritten))
3653 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3654 goto end;
3655
3656 /* Server should be able to read normal data */
3657 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3658 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3659 goto end;
3660
3661 /* Client and server should not be able to write/read early data now */
3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3663 &written)))
3664 goto end;
3665 ERR_clear_error();
3666 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3667 &readbytes),
3668 SSL_READ_EARLY_DATA_ERROR))
3669 goto end;
3670 ERR_clear_error();
3671
3672 /* Client should be able to read the data sent by the server */
3673 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3674 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3675 goto end;
3676
3677 /*
3678 * Make sure we process the two NewSessionTickets. These arrive
3679 * post-handshake. We attempt reads which we do not expect to return any
3680 * data.
3681 */
3682 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3684 &readbytes)))
3685 goto end;
3686
3687 /* Server should be able to write normal data */
3688 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3689 || !TEST_size_t_eq(written, strlen(MSG7))
3690 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3692 goto end;
3693
3694 SSL_SESSION_free(sess);
3695 sess = SSL_get1_session(clientssl);
3696 use_session_cb_cnt = 0;
3697 find_session_cb_cnt = 0;
3698
3699 SSL_shutdown(clientssl);
3700 SSL_shutdown(serverssl);
3701 SSL_free(serverssl);
3702 SSL_free(clientssl);
3703 serverssl = clientssl = NULL;
3704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3705 &clientssl, NULL, NULL))
3706 || !TEST_true(SSL_set_session(clientssl, sess)))
3707 goto end;
3708
3709 /* Write and read some early data */
3710 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3711 &written))
3712 || !TEST_size_t_eq(written, strlen(MSG1))
3713 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3714 &readbytes),
3715 SSL_READ_EARLY_DATA_SUCCESS)
3716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3717 goto end;
3718
3719 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3720 || !TEST_int_gt(SSL_accept(serverssl), 0))
3721 goto end;
3722
3723 /* Client and server should not be able to write/read early data now */
3724 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3725 &written)))
3726 goto end;
3727 ERR_clear_error();
3728 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3729 &readbytes),
3730 SSL_READ_EARLY_DATA_ERROR))
3731 goto end;
3732 ERR_clear_error();
3733
3734 /* Client and server should be able to write/read normal data */
3735 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3736 || !TEST_size_t_eq(written, strlen(MSG5))
3737 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3738 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3739 goto end;
3740
3741 testresult = 1;
3742
3743 end:
3744 SSL_SESSION_free(sess);
3745 SSL_SESSION_free(clientpsk);
3746 SSL_SESSION_free(serverpsk);
3747 clientpsk = serverpsk = NULL;
3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
3750 SSL_CTX_free(sctx);
3751 SSL_CTX_free(cctx);
3752 return testresult;
3753}
3754
3755static int allow_ed_cb_called = 0;
3756
3757static int allow_early_data_cb(SSL *s, void *arg)
3758{
3759 int *usecb = (int *)arg;
3760
3761 allow_ed_cb_called++;
3762
3763 if (*usecb == 1)
3764 return 0;
3765
3766 return 1;
3767}
3768
3769/*
3770 * idx == 0: Standard early_data setup
3771 * idx == 1: early_data setup using read_ahead
3772 * usecb == 0: Don't use a custom early data callback
3773 * usecb == 1: Use a custom early data callback and reject the early data
3774 * usecb == 2: Use a custom early data callback and accept the early data
3775 * confopt == 0: Configure anti-replay directly
3776 * confopt == 1: Configure anti-replay using SSL_CONF
3777 */
3778static int test_early_data_replay_int(int idx, int usecb, int confopt)
3779{
3780 SSL_CTX *cctx = NULL, *sctx = NULL;
3781 SSL *clientssl = NULL, *serverssl = NULL;
3782 int testresult = 0;
3783 SSL_SESSION *sess = NULL;
3784 size_t readbytes, written;
3785 unsigned char buf[20];
3786 OSSL_TIME timer;
3787
3788 allow_ed_cb_called = 0;
3789
3790 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3791 TLS_client_method(), TLS1_VERSION, 0,
3792 &sctx, &cctx, cert, privkey)))
3793 return 0;
3794
3795 if (usecb > 0) {
3796 if (confopt == 0) {
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3798 } else {
3799 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3800
3801 if (!TEST_ptr(confctx))
3802 goto end;
3803 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3804 | SSL_CONF_FLAG_SERVER);
3805 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3806 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3807 2)) {
3808 SSL_CONF_CTX_free(confctx);
3809 goto end;
3810 }
3811 SSL_CONF_CTX_free(confctx);
3812 }
3813 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3814 }
3815
3816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3817 &serverssl, &sess, idx,
3818 SHA384_DIGEST_LENGTH)))
3819 goto end;
3820
3821 /*
3822 * The server is configured to accept early data. Create a connection to
3823 * "use up" the ticket
3824 */
3825 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3826 || !TEST_true(SSL_session_reused(clientssl)))
3827 goto end;
3828
3829 SSL_shutdown(clientssl);
3830 SSL_shutdown(serverssl);
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 serverssl = clientssl = NULL;
3834
3835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3836 &clientssl, NULL, NULL))
3837 || !TEST_true(SSL_set_session(clientssl, sess)))
3838 goto end;
3839
3840 /* Write and read some early data */
3841 timer = ossl_time_now();
3842 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3843 &written))
3844 || !TEST_size_t_eq(written, strlen(MSG1)))
3845 goto end;
3846
3847 if (usecb <= 1) {
3848 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3849 &readbytes),
3850 SSL_READ_EARLY_DATA_FINISH)
3851 /*
3852 * The ticket was reused, so the we should have rejected the
3853 * early data
3854 */
3855 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3856 SSL_EARLY_DATA_REJECTED))
3857 goto end;
3858 } else {
3859 /* In this case the callback decides to accept the early data */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3861 &readbytes),
3862 SSL_READ_EARLY_DATA_SUCCESS)) {
3863 testresult = check_early_data_timeout(timer);
3864 goto end;
3865 }
3866 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3867 /*
3868 * Server will have sent its flight so client can now send
3869 * end of early data and complete its half of the handshake
3870 */
3871 || !TEST_int_gt(SSL_connect(clientssl), 0)
3872 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3873 &readbytes),
3874 SSL_READ_EARLY_DATA_FINISH)
3875 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3876 SSL_EARLY_DATA_ACCEPTED))
3877 goto end;
3878 }
3879
3880 /* Complete the connection */
3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3882 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3883 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3884 goto end;
3885
3886 testresult = 1;
3887
3888 end:
3889 SSL_SESSION_free(sess);
3890 SSL_SESSION_free(clientpsk);
3891 SSL_SESSION_free(serverpsk);
3892 clientpsk = serverpsk = NULL;
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3895 SSL_CTX_free(sctx);
3896 SSL_CTX_free(cctx);
3897 return testresult;
3898}
3899
3900static int test_early_data_replay(int idx)
3901{
3902 int ret = 1, usecb, confopt;
3903
3904 for (usecb = 0; usecb < 3; usecb++) {
3905 for (confopt = 0; confopt < 2; confopt++)
3906 ret &= test_early_data_replay_int(idx, usecb, confopt);
3907 }
3908
3909 return ret;
3910}
3911
3912static const char *ciphersuites[] = {
3913 "TLS_AES_128_CCM_8_SHA256",
3914 "TLS_AES_128_GCM_SHA256",
3915 "TLS_AES_256_GCM_SHA384",
3916 "TLS_AES_128_CCM_SHA256",
3917#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3918 "TLS_CHACHA20_POLY1305_SHA256"
3919#endif
3920};
3921
3922/*
3923 * Helper function to test that a server attempting to read early data can
3924 * handle a connection from a client where the early data should be skipped.
3925 * testtype: 0 == No HRR
3926 * testtype: 1 == HRR
3927 * testtype: 2 == HRR, invalid early_data sent after HRR
3928 * testtype: 3 == recv_max_early_data set to 0
3929 */
3930static int early_data_skip_helper(int testtype, int cipher, int idx)
3931{
3932 SSL_CTX *cctx = NULL, *sctx = NULL;
3933 SSL *clientssl = NULL, *serverssl = NULL;
3934 int testresult = 0;
3935 SSL_SESSION *sess = NULL;
3936 unsigned char buf[20];
3937 size_t readbytes, written;
3938
3939 if (is_fips && cipher == 4)
3940 return 1;
3941
3942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3943 TLS_client_method(),
3944 TLS1_VERSION, 0,
3945 &sctx, &cctx, cert, privkey)))
3946 goto end;
3947
3948 if (cipher == 0) {
3949 SSL_CTX_set_security_level(sctx, 0);
3950 SSL_CTX_set_security_level(cctx, 0);
3951 }
3952
3953 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3954 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3955 goto end;
3956
3957 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3958 &serverssl, &sess, idx,
3959 cipher == 2 ? SHA384_DIGEST_LENGTH
3960 : SHA256_DIGEST_LENGTH)))
3961 goto end;
3962
3963 if (testtype == 1 || testtype == 2) {
3964 /* Force an HRR to occur */
3965#if defined(OPENSSL_NO_EC)
3966 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3967 goto end;
3968#else
3969 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3970 goto end;
3971#endif
3972 } else if (idx == 2) {
3973 /*
3974 * We force early_data rejection by ensuring the PSK identity is
3975 * unrecognised
3976 */
3977 srvid = "Dummy Identity";
3978 } else {
3979 /*
3980 * Deliberately corrupt the creation time. We take 20 seconds off the
3981 * time. It could be any value as long as it is not within tolerance.
3982 * This should mean the ticket is rejected.
3983 */
3984 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3985 goto end;
3986 }
3987
3988 if (testtype == 3
3989 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3990 goto end;
3991
3992 /* Write some early data */
3993 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3994 &written))
3995 || !TEST_size_t_eq(written, strlen(MSG1)))
3996 goto end;
3997
3998 /* Server should reject the early data */
3999 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4000 &readbytes),
4001 SSL_READ_EARLY_DATA_FINISH)
4002 || !TEST_size_t_eq(readbytes, 0)
4003 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4004 SSL_EARLY_DATA_REJECTED))
4005 goto end;
4006
4007 switch (testtype) {
4008 case 0:
4009 /* Nothing to do */
4010 break;
4011
4012 case 1:
4013 /*
4014 * Finish off the handshake. We perform the same writes and reads as
4015 * further down but we expect them to fail due to the incomplete
4016 * handshake.
4017 */
4018 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4019 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4020 &readbytes)))
4021 goto end;
4022 break;
4023
4024 case 2:
4025 {
4026 BIO *wbio = SSL_get_wbio(clientssl);
4027 /* A record that will appear as bad early_data */
4028 const unsigned char bad_early_data[] = {
4029 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4030 };
4031
4032 /*
4033 * We force the client to attempt a write. This will fail because
4034 * we're still in the handshake. It will cause the second
4035 * ClientHello to be sent.
4036 */
4037 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4038 &written)))
4039 goto end;
4040
4041 /*
4042 * Inject some early_data after the second ClientHello. This should
4043 * cause the server to fail
4044 */
4045 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4046 sizeof(bad_early_data), &written)))
4047 goto end;
4048 }
4049 /* fallthrough */
4050
4051 case 3:
4052 /*
4053 * This client has sent more early_data than we are willing to skip
4054 * (case 3) or sent invalid early_data (case 2) so the connection should
4055 * abort.
4056 */
4057 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4058 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4059 goto end;
4060
4061 /* Connection has failed - nothing more to do */
4062 testresult = 1;
4063 goto end;
4064
4065 default:
4066 TEST_error("Invalid test type");
4067 goto end;
4068 }
4069
4070 ERR_clear_error();
4071 /*
4072 * Should be able to send normal data despite rejection of early data. The
4073 * early_data should be skipped.
4074 */
4075 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4076 || !TEST_size_t_eq(written, strlen(MSG2))
4077 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4078 SSL_EARLY_DATA_REJECTED)
4079 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4080 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4081 goto end;
4082
4083 /*
4084 * Failure to decrypt early data records should not leave spurious errors
4085 * on the error stack
4086 */
4087 if (!TEST_long_eq(ERR_peek_error(), 0))
4088 goto end;
4089
4090 testresult = 1;
4091
4092 end:
4093 SSL_SESSION_free(clientpsk);
4094 SSL_SESSION_free(serverpsk);
4095 clientpsk = serverpsk = NULL;
4096 SSL_SESSION_free(sess);
4097 SSL_free(serverssl);
4098 SSL_free(clientssl);
4099 SSL_CTX_free(sctx);
4100 SSL_CTX_free(cctx);
4101 return testresult;
4102}
4103
4104/*
4105 * Test that a server attempting to read early data can handle a connection
4106 * from a client where the early data is not acceptable.
4107 */
4108static int test_early_data_skip(int idx)
4109{
4110 return early_data_skip_helper(0,
4111 idx % OSSL_NELEM(ciphersuites),
4112 idx / OSSL_NELEM(ciphersuites));
4113}
4114
4115/*
4116 * Test that a server attempting to read early data can handle a connection
4117 * from a client where an HRR occurs.
4118 */
4119static int test_early_data_skip_hrr(int idx)
4120{
4121 return early_data_skip_helper(1,
4122 idx % OSSL_NELEM(ciphersuites),
4123 idx / OSSL_NELEM(ciphersuites));
4124}
4125
4126/*
4127 * Test that a server attempting to read early data can handle a connection
4128 * from a client where an HRR occurs and correctly fails if early_data is sent
4129 * after the HRR
4130 */
4131static int test_early_data_skip_hrr_fail(int idx)
4132{
4133 return early_data_skip_helper(2,
4134 idx % OSSL_NELEM(ciphersuites),
4135 idx / OSSL_NELEM(ciphersuites));
4136}
4137
4138/*
4139 * Test that a server attempting to read early data will abort if it tries to
4140 * skip over too much.
4141 */
4142static int test_early_data_skip_abort(int idx)
4143{
4144 return early_data_skip_helper(3,
4145 idx % OSSL_NELEM(ciphersuites),
4146 idx / OSSL_NELEM(ciphersuites));
4147}
4148
4149/*
4150 * Test that a server attempting to read early data can handle a connection
4151 * from a client that doesn't send any.
4152 */
4153static int test_early_data_not_sent(int idx)
4154{
4155 SSL_CTX *cctx = NULL, *sctx = NULL;
4156 SSL *clientssl = NULL, *serverssl = NULL;
4157 int testresult = 0;
4158 SSL_SESSION *sess = NULL;
4159 unsigned char buf[20];
4160 size_t readbytes, written;
4161
4162 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4163 &serverssl, &sess, idx,
4164 SHA384_DIGEST_LENGTH)))
4165 goto end;
4166
4167 /* Write some data - should block due to handshake with server */
4168 SSL_set_connect_state(clientssl);
4169 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4170 goto end;
4171
4172 /* Server should detect that early data has not been sent */
4173 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4174 &readbytes),
4175 SSL_READ_EARLY_DATA_FINISH)
4176 || !TEST_size_t_eq(readbytes, 0)
4177 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4178 SSL_EARLY_DATA_NOT_SENT)
4179 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4180 SSL_EARLY_DATA_NOT_SENT))
4181 goto end;
4182
4183 /* Continue writing the message we started earlier */
4184 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4185 || !TEST_size_t_eq(written, strlen(MSG1))
4186 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4187 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4188 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4189 || !TEST_size_t_eq(written, strlen(MSG2)))
4190 goto end;
4191
4192 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4193 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4194 goto end;
4195
4196 testresult = 1;
4197
4198 end:
4199 SSL_SESSION_free(sess);
4200 SSL_SESSION_free(clientpsk);
4201 SSL_SESSION_free(serverpsk);
4202 clientpsk = serverpsk = NULL;
4203 SSL_free(serverssl);
4204 SSL_free(clientssl);
4205 SSL_CTX_free(sctx);
4206 SSL_CTX_free(cctx);
4207 return testresult;
4208}
4209
4210static const char *servalpn;
4211
4212static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4213 unsigned char *outlen, const unsigned char *in,
4214 unsigned int inlen, void *arg)
4215{
4216 unsigned int protlen = 0;
4217 const unsigned char *prot;
4218
4219 for (prot = in; prot < in + inlen; prot += protlen) {
4220 protlen = *prot++;
4221 if (in + inlen < prot + protlen)
4222 return SSL_TLSEXT_ERR_NOACK;
4223
4224 if (protlen == strlen(servalpn)
4225 && memcmp(prot, servalpn, protlen) == 0) {
4226 *out = prot;
4227 *outlen = protlen;
4228 return SSL_TLSEXT_ERR_OK;
4229 }
4230 }
4231
4232 return SSL_TLSEXT_ERR_NOACK;
4233}
4234
4235/* Test that a PSK can be used to send early_data */
4236static int test_early_data_psk(int idx)
4237{
4238 SSL_CTX *cctx = NULL, *sctx = NULL;
4239 SSL *clientssl = NULL, *serverssl = NULL;
4240 int testresult = 0;
4241 SSL_SESSION *sess = NULL;
4242 unsigned char alpnlist[] = {
4243 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4244 'l', 'p', 'n'
4245 };
4246#define GOODALPNLEN 9
4247#define BADALPNLEN 8
4248#define GOODALPN (alpnlist)
4249#define BADALPN (alpnlist + GOODALPNLEN)
4250 int err = 0;
4251 unsigned char buf[20];
4252 size_t readbytes, written;
4253 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4254 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4255
4256 /* We always set this up with a final parameter of "2" for PSK */
4257 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4258 &serverssl, &sess, 2,
4259 SHA384_DIGEST_LENGTH)))
4260 goto end;
4261
4262 servalpn = "goodalpn";
4263
4264 /*
4265 * Note: There is no test for inconsistent SNI with late client detection.
4266 * This is because servers do not acknowledge SNI even if they are using
4267 * it in a resumption handshake - so it is not actually possible for a
4268 * client to detect a problem.
4269 */
4270 switch (idx) {
4271 case 0:
4272 /* Set inconsistent SNI (early client detection) */
4273 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4274 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4275 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4276 goto end;
4277 break;
4278
4279 case 1:
4280 /* Set inconsistent ALPN (early client detection) */
4281 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4282 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4283 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4284 GOODALPNLEN))
4285 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4286 BADALPNLEN)))
4287 goto end;
4288 break;
4289
4290 case 2:
4291 /*
4292 * Set invalid protocol version. Technically this affects PSKs without
4293 * early_data too, but we test it here because it is similar to the
4294 * SNI/ALPN consistency tests.
4295 */
4296 err = SSL_R_BAD_PSK;
4297 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4298 goto end;
4299 break;
4300
4301 case 3:
4302 /*
4303 * Set inconsistent SNI (server side). In this case the connection
4304 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4305 * is associated with each handshake - not the session. Therefore it
4306 * should not matter that we used a different server name last time.
4307 */
4308 SSL_SESSION_free(serverpsk);
4309 serverpsk = SSL_SESSION_dup(clientpsk);
4310 if (!TEST_ptr(serverpsk)
4311 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4312 goto end;
4313 /* Fall through */
4314 case 4:
4315 /* Set consistent SNI */
4316 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4317 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4318 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4319 hostname_cb)))
4320 goto end;
4321 break;
4322
4323 case 5:
4324 /*
4325 * Set inconsistent ALPN (server detected). In this case the connection
4326 * will succeed but reject early_data.
4327 */
4328 servalpn = "badalpn";
4329 edstatus = SSL_EARLY_DATA_REJECTED;
4330 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4331 /* Fall through */
4332 case 6:
4333 /*
4334 * Set consistent ALPN.
4335 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4336 * accepts a list of protos (each one length prefixed).
4337 * SSL_set1_alpn_selected accepts a single protocol (not length
4338 * prefixed)
4339 */
4340 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4341 GOODALPNLEN - 1))
4342 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4343 GOODALPNLEN)))
4344 goto end;
4345
4346 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4347 break;
4348
4349 case 7:
4350 /* Set inconsistent ALPN (late client detection) */
4351 SSL_SESSION_free(serverpsk);
4352 serverpsk = SSL_SESSION_dup(clientpsk);
4353 if (!TEST_ptr(serverpsk)
4354 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4355 BADALPN + 1,
4356 BADALPNLEN - 1))
4357 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4358 GOODALPN + 1,
4359 GOODALPNLEN - 1))
4360 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4361 sizeof(alpnlist))))
4362 goto end;
4363 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4364 edstatus = SSL_EARLY_DATA_ACCEPTED;
4365 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4366 /* SSL_connect() call should fail */
4367 connectres = -1;
4368 break;
4369
4370 default:
4371 TEST_error("Bad test index");
4372 goto end;
4373 }
4374
4375 SSL_set_connect_state(clientssl);
4376 if (err != 0) {
4377 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4378 &written))
4379 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4380 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4381 goto end;
4382 } else {
4383 OSSL_TIME timer = ossl_time_now();
4384
4385 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4386 &written)))
4387 goto end;
4388
4389 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4390 &readbytes), readearlyres)) {
4391 testresult = check_early_data_timeout(timer);
4392 goto end;
4393 }
4394
4395 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4396 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4397 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4398 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4399 goto end;
4400 }
4401
4402 testresult = 1;
4403
4404 end:
4405 SSL_SESSION_free(sess);
4406 SSL_SESSION_free(clientpsk);
4407 SSL_SESSION_free(serverpsk);
4408 clientpsk = serverpsk = NULL;
4409 SSL_free(serverssl);
4410 SSL_free(clientssl);
4411 SSL_CTX_free(sctx);
4412 SSL_CTX_free(cctx);
4413 return testresult;
4414}
4415
4416/*
4417 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4418 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4419 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4420 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4421 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4422 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4423 */
4424static int test_early_data_psk_with_all_ciphers(int idx)
4425{
4426 SSL_CTX *cctx = NULL, *sctx = NULL;
4427 SSL *clientssl = NULL, *serverssl = NULL;
4428 int testresult = 0;
4429 SSL_SESSION *sess = NULL;
4430 unsigned char buf[20];
4431 size_t readbytes, written;
4432 const SSL_CIPHER *cipher;
4433 OSSL_TIME timer;
4434 const char *cipher_str[] = {
4435 TLS1_3_RFC_AES_128_GCM_SHA256,
4436 TLS1_3_RFC_AES_256_GCM_SHA384,
4437# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4438 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4439# else
4440 NULL,
4441# endif
4442 TLS1_3_RFC_AES_128_CCM_SHA256,
4443 TLS1_3_RFC_AES_128_CCM_8_SHA256
4444 };
4445 const unsigned char *cipher_bytes[] = {
4446 TLS13_AES_128_GCM_SHA256_BYTES,
4447 TLS13_AES_256_GCM_SHA384_BYTES,
4448# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4449 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4450# else
4451 NULL,
4452# endif
4453 TLS13_AES_128_CCM_SHA256_BYTES,
4454 TLS13_AES_128_CCM_8_SHA256_BYTES
4455 };
4456
4457 if (cipher_str[idx] == NULL)
4458 return 1;
4459 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4460 if (idx == 2 && is_fips == 1)
4461 return 1;
4462
4463 /* We always set this up with a final parameter of "2" for PSK */
4464 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4465 &serverssl, &sess, 2,
4466 SHA384_DIGEST_LENGTH)))
4467 goto end;
4468
4469 if (idx == 4) {
4470 /* CCM8 ciphers are considered low security due to their short tag */
4471 SSL_set_security_level(clientssl, 0);
4472 SSL_set_security_level(serverssl, 0);
4473 }
4474
4475 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4476 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4477 goto end;
4478
4479 /*
4480 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4481 * and assigns to both client and server with incremented reference
4482 * and the same instance is updated in 'sess'.
4483 * So updating ciphersuite in 'sess' which will get reflected in
4484 * PSK handshake using psk use sess and find sess cb.
4485 */
4486 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4487 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4488 goto end;
4489
4490 SSL_set_connect_state(clientssl);
4491 timer = ossl_time_now();
4492 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4493 &written)))
4494 goto end;
4495
4496 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4497 &readbytes),
4498 SSL_READ_EARLY_DATA_SUCCESS)) {
4499 testresult = check_early_data_timeout(timer);
4500 goto end;
4501 }
4502
4503 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4505 SSL_EARLY_DATA_ACCEPTED)
4506 || !TEST_int_eq(SSL_connect(clientssl), 1)
4507 || !TEST_int_eq(SSL_accept(serverssl), 1))
4508 goto end;
4509
4510 /* Send some normal data from client to server */
4511 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4512 || !TEST_size_t_eq(written, strlen(MSG2)))
4513 goto end;
4514
4515 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4517 goto end;
4518
4519 testresult = 1;
4520 end:
4521 SSL_SESSION_free(sess);
4522 SSL_SESSION_free(clientpsk);
4523 SSL_SESSION_free(serverpsk);
4524 clientpsk = serverpsk = NULL;
4525 if (clientssl != NULL)
4526 SSL_shutdown(clientssl);
4527 if (serverssl != NULL)
4528 SSL_shutdown(serverssl);
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4531 SSL_CTX_free(sctx);
4532 SSL_CTX_free(cctx);
4533 return testresult;
4534}
4535
4536/*
4537 * Test that a server that doesn't try to read early data can handle a
4538 * client sending some.
4539 */
4540static int test_early_data_not_expected(int idx)
4541{
4542 SSL_CTX *cctx = NULL, *sctx = NULL;
4543 SSL *clientssl = NULL, *serverssl = NULL;
4544 int testresult = 0;
4545 SSL_SESSION *sess = NULL;
4546 unsigned char buf[20];
4547 size_t readbytes, written;
4548
4549 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4550 &serverssl, &sess, idx,
4551 SHA384_DIGEST_LENGTH)))
4552 goto end;
4553
4554 /* Write some early data */
4555 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4556 &written)))
4557 goto end;
4558
4559 /*
4560 * Server should skip over early data and then block waiting for client to
4561 * continue handshake
4562 */
4563 if (!TEST_int_le(SSL_accept(serverssl), 0)
4564 || !TEST_int_gt(SSL_connect(clientssl), 0)
4565 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4566 SSL_EARLY_DATA_REJECTED)
4567 || !TEST_int_gt(SSL_accept(serverssl), 0)
4568 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4569 SSL_EARLY_DATA_REJECTED))
4570 goto end;
4571
4572 /* Send some normal data from client to server */
4573 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4574 || !TEST_size_t_eq(written, strlen(MSG2)))
4575 goto end;
4576
4577 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4578 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4579 goto end;
4580
4581 testresult = 1;
4582
4583 end:
4584 SSL_SESSION_free(sess);
4585 SSL_SESSION_free(clientpsk);
4586 SSL_SESSION_free(serverpsk);
4587 clientpsk = serverpsk = NULL;
4588 SSL_free(serverssl);
4589 SSL_free(clientssl);
4590 SSL_CTX_free(sctx);
4591 SSL_CTX_free(cctx);
4592 return testresult;
4593}
4594
4595
4596# ifndef OPENSSL_NO_TLS1_2
4597/*
4598 * Test that a server attempting to read early data can handle a connection
4599 * from a TLSv1.2 client.
4600 */
4601static int test_early_data_tls1_2(int idx)
4602{
4603 SSL_CTX *cctx = NULL, *sctx = NULL;
4604 SSL *clientssl = NULL, *serverssl = NULL;
4605 int testresult = 0;
4606 unsigned char buf[20];
4607 size_t readbytes, written;
4608
4609 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4610 &serverssl, NULL, idx,
4611 SHA384_DIGEST_LENGTH)))
4612 goto end;
4613
4614 /* Write some data - should block due to handshake with server */
4615 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4616 SSL_set_connect_state(clientssl);
4617 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4618 goto end;
4619
4620 /*
4621 * Server should do TLSv1.2 handshake. First it will block waiting for more
4622 * messages from client after ServerDone. Then SSL_read_early_data should
4623 * finish and detect that early data has not been sent
4624 */
4625 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4626 &readbytes),
4627 SSL_READ_EARLY_DATA_ERROR))
4628 goto end;
4629
4630 /*
4631 * Continue writing the message we started earlier. Will still block waiting
4632 * for the CCS/Finished from server
4633 */
4634 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4635 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4636 &readbytes),
4637 SSL_READ_EARLY_DATA_FINISH)
4638 || !TEST_size_t_eq(readbytes, 0)
4639 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4640 SSL_EARLY_DATA_NOT_SENT))
4641 goto end;
4642
4643 /* Continue writing the message we started earlier */
4644 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4645 || !TEST_size_t_eq(written, strlen(MSG1))
4646 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4647 SSL_EARLY_DATA_NOT_SENT)
4648 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4649 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4650 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4651 || !TEST_size_t_eq(written, strlen(MSG2))
4652 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4653 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4654 goto end;
4655
4656 testresult = 1;
4657
4658 end:
4659 SSL_SESSION_free(clientpsk);
4660 SSL_SESSION_free(serverpsk);
4661 clientpsk = serverpsk = NULL;
4662 SSL_free(serverssl);
4663 SSL_free(clientssl);
4664 SSL_CTX_free(sctx);
4665 SSL_CTX_free(cctx);
4666
4667 return testresult;
4668}
4669# endif /* OPENSSL_NO_TLS1_2 */
4670
4671/*
4672 * Test configuring the TLSv1.3 ciphersuites
4673 *
4674 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4675 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4676 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4677 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4678 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4679 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4680 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4681 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4682 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4683 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4684 */
4685static int test_set_ciphersuite(int idx)
4686{
4687 SSL_CTX *cctx = NULL, *sctx = NULL;
4688 SSL *clientssl = NULL, *serverssl = NULL;
4689 int testresult = 0;
4690
4691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4692 TLS_client_method(), TLS1_VERSION, 0,
4693 &sctx, &cctx, cert, privkey))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4695 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4696 goto end;
4697
4698 if (idx >=4 && idx <= 7) {
4699 /* SSL_CTX explicit cipher list */
4700 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4701 goto end;
4702 }
4703
4704 if (idx == 0 || idx == 4) {
4705 /* Default ciphersuite */
4706 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4707 "TLS_AES_128_GCM_SHA256")))
4708 goto end;
4709 } else if (idx == 1 || idx == 5) {
4710 /* Non default ciphersuite */
4711 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4712 "TLS_AES_128_CCM_SHA256")))
4713 goto end;
4714 }
4715
4716 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4717 &clientssl, NULL, NULL)))
4718 goto end;
4719
4720 if (idx == 8 || idx == 9) {
4721 /* SSL explicit cipher list */
4722 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4723 goto end;
4724 }
4725
4726 if (idx == 2 || idx == 6 || idx == 8) {
4727 /* Default ciphersuite */
4728 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4729 "TLS_AES_128_GCM_SHA256")))
4730 goto end;
4731 } else if (idx == 3 || idx == 7 || idx == 9) {
4732 /* Non default ciphersuite */
4733 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4734 "TLS_AES_128_CCM_SHA256")))
4735 goto end;
4736 }
4737
4738 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4739 goto end;
4740
4741 testresult = 1;
4742
4743 end:
4744 SSL_free(serverssl);
4745 SSL_free(clientssl);
4746 SSL_CTX_free(sctx);
4747 SSL_CTX_free(cctx);
4748
4749 return testresult;
4750}
4751
4752static int test_ciphersuite_change(void)
4753{
4754 SSL_CTX *cctx = NULL, *sctx = NULL;
4755 SSL *clientssl = NULL, *serverssl = NULL;
4756 SSL_SESSION *clntsess = NULL;
4757 int testresult = 0;
4758 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4759
4760 /* Create a session based on SHA-256 */
4761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4762 TLS_client_method(), TLS1_VERSION, 0,
4763 &sctx, &cctx, cert, privkey))
4764 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4765 "TLS_AES_128_GCM_SHA256:"
4766 "TLS_AES_256_GCM_SHA384:"
4767 "TLS_AES_128_CCM_SHA256"))
4768 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4769 "TLS_AES_128_GCM_SHA256")))
4770 goto end;
4771
4772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4773 NULL, NULL))
4774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4775 SSL_ERROR_NONE)))
4776 goto end;
4777
4778 clntsess = SSL_get1_session(clientssl);
4779 /* Save for later */
4780 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4786
4787 /* Check we can resume a session with a different SHA-256 ciphersuite */
4788 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4789 "TLS_AES_128_CCM_SHA256"))
4790 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4791 &clientssl, NULL, NULL))
4792 || !TEST_true(SSL_set_session(clientssl, clntsess))
4793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4794 SSL_ERROR_NONE))
4795 || !TEST_true(SSL_session_reused(clientssl)))
4796 goto end;
4797
4798 SSL_SESSION_free(clntsess);
4799 clntsess = SSL_get1_session(clientssl);
4800 SSL_shutdown(clientssl);
4801 SSL_shutdown(serverssl);
4802 SSL_free(serverssl);
4803 SSL_free(clientssl);
4804 serverssl = clientssl = NULL;
4805
4806 /*
4807 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4808 * succeeds but does not resume.
4809 */
4810 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4811 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4812 NULL, NULL))
4813 || !TEST_true(SSL_set_session(clientssl, clntsess))
4814 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4815 SSL_ERROR_SSL))
4816 || !TEST_false(SSL_session_reused(clientssl)))
4817 goto end;
4818
4819 SSL_SESSION_free(clntsess);
4820 clntsess = NULL;
4821 SSL_shutdown(clientssl);
4822 SSL_shutdown(serverssl);
4823 SSL_free(serverssl);
4824 SSL_free(clientssl);
4825 serverssl = clientssl = NULL;
4826
4827 /* Create a session based on SHA384 */
4828 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4829 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4830 &clientssl, NULL, NULL))
4831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4832 SSL_ERROR_NONE)))
4833 goto end;
4834
4835 clntsess = SSL_get1_session(clientssl);
4836 SSL_shutdown(clientssl);
4837 SSL_shutdown(serverssl);
4838 SSL_free(serverssl);
4839 SSL_free(clientssl);
4840 serverssl = clientssl = NULL;
4841
4842 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4843 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4844 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4845 "TLS_AES_256_GCM_SHA384"))
4846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4847 NULL, NULL))
4848 || !TEST_true(SSL_set_session(clientssl, clntsess))
4849 /*
4850 * We use SSL_ERROR_WANT_READ below so that we can pause the
4851 * connection after the initial ClientHello has been sent to
4852 * enable us to make some session changes.
4853 */
4854 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4855 SSL_ERROR_WANT_READ)))
4856 goto end;
4857
4858 /* Trick the client into thinking this session is for a different digest */
4859 clntsess->cipher = aes_128_gcm_sha256;
4860 clntsess->cipher_id = clntsess->cipher->id;
4861
4862 /*
4863 * Continue the previously started connection. Server has selected a SHA-384
4864 * ciphersuite, but client thinks the session is for SHA-256, so it should
4865 * bail out.
4866 */
4867 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4868 SSL_ERROR_SSL))
4869 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4870 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4871 goto end;
4872
4873 testresult = 1;
4874
4875 end:
4876 SSL_SESSION_free(clntsess);
4877 SSL_free(serverssl);
4878 SSL_free(clientssl);
4879 SSL_CTX_free(sctx);
4880 SSL_CTX_free(cctx);
4881
4882 return testresult;
4883}
4884
4885/*
4886 * Test TLSv1.3 Key exchange
4887 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4888 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4889 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4890 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4891 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4892 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4893 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4894 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4895 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4896 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4897 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4898 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4899 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4900 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4901 */
4902# ifndef OPENSSL_NO_EC
4903static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4904 NID_secp521r1,
4905# ifndef OPENSSL_NO_ECX
4906 NID_X25519, NID_X448
4907# endif
4908 };
4909# endif
4910# ifndef OPENSSL_NO_DH
4911static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4912 NID_ffdhe6144, NID_ffdhe8192};
4913# endif
4914static int test_key_exchange(int idx)
4915{
4916 SSL_CTX *sctx = NULL, *cctx = NULL;
4917 SSL *serverssl = NULL, *clientssl = NULL;
4918 int testresult = 0;
4919 int kexch_alg;
4920 int *kexch_groups = &kexch_alg;
4921 int kexch_groups_size = 1;
4922 int max_version = TLS1_3_VERSION;
4923 char *kexch_name0 = NULL;
4924
4925 switch (idx) {
4926# ifndef OPENSSL_NO_EC
4927# ifndef OPENSSL_NO_TLS1_2
4928 case 12:
4929 max_version = TLS1_2_VERSION;
4930# endif
4931 /* Fall through */
4932 case 0:
4933 kexch_groups = ecdhe_kexch_groups;
4934 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4935 kexch_name0 = "secp256r1";
4936 break;
4937 case 1:
4938 kexch_alg = NID_X9_62_prime256v1;
4939 kexch_name0 = "secp256r1";
4940 break;
4941 case 2:
4942 kexch_alg = NID_secp384r1;
4943 kexch_name0 = "secp384r1";
4944 break;
4945 case 3:
4946 kexch_alg = NID_secp521r1;
4947 kexch_name0 = "secp521r1";
4948 break;
4949# ifndef OPENSSL_NO_ECX
4950 case 4:
4951 if (is_fips)
4952 return TEST_skip("X25519 might not be supported by fips provider.");
4953 kexch_alg = NID_X25519;
4954 kexch_name0 = "x25519";
4955 break;
4956 case 5:
4957 if (is_fips)
4958 return TEST_skip("X448 might not be supported by fips provider.");
4959 kexch_alg = NID_X448;
4960 kexch_name0 = "x448";
4961 break;
4962# endif
4963# endif
4964# ifndef OPENSSL_NO_DH
4965# ifndef OPENSSL_NO_TLS1_2
4966 case 13:
4967 max_version = TLS1_2_VERSION;
4968 kexch_name0 = "ffdhe2048";
4969# endif
4970 /* Fall through */
4971 case 6:
4972 kexch_groups = ffdhe_kexch_groups;
4973 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4974 kexch_name0 = "ffdhe2048";
4975 break;
4976 case 7:
4977 kexch_alg = NID_ffdhe2048;
4978 kexch_name0 = "ffdhe2048";
4979 break;
4980 case 8:
4981 kexch_alg = NID_ffdhe3072;
4982 kexch_name0 = "ffdhe3072";
4983 break;
4984 case 9:
4985 kexch_alg = NID_ffdhe4096;
4986 kexch_name0 = "ffdhe4096";
4987 break;
4988 case 10:
4989 kexch_alg = NID_ffdhe6144;
4990 kexch_name0 = "ffdhe6144";
4991 break;
4992 case 11:
4993 kexch_alg = NID_ffdhe8192;
4994 kexch_name0 = "ffdhe8192";
4995 break;
4996# endif
4997 default:
4998 /* We're skipping this test */
4999 return 1;
5000 }
5001
5002 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5003 TLS_client_method(), TLS1_VERSION,
5004 max_version, &sctx, &cctx, cert,
5005 privkey)))
5006 goto end;
5007
5008 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5009 TLS1_3_RFC_AES_128_GCM_SHA256)))
5010 goto end;
5011
5012 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5013 TLS1_3_RFC_AES_128_GCM_SHA256)))
5014 goto end;
5015
5016 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5017 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5018 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5019 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5020 goto end;
5021
5022 /*
5023 * Must include an EC ciphersuite so that we send supported groups in
5024 * TLSv1.2
5025 */
5026# ifndef OPENSSL_NO_TLS1_2
5027 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5028 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5029 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5030 goto end;
5031# endif
5032
5033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5034 NULL, NULL)))
5035 goto end;
5036
5037 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5038 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5039 goto end;
5040
5041 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5042 goto end;
5043
5044 /*
5045 * If Handshake succeeds the negotiated kexch alg should be the first one in
5046 * configured, except in the case of FFDHE groups (idx 13), which are
5047 * TLSv1.3 only so we expect no shared group to exist.
5048 */
5049 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5050 idx == 13 ? 0 : kexch_groups[0]))
5051 goto end;
5052
5053 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5054 kexch_name0))
5055 goto end;
5056
5057 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5058 if (idx != 13) {
5059 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5060 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5061 goto end;
5062 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5063 goto end;
5064 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5065 goto end;
5066 }
5067
5068 testresult = 1;
5069 end:
5070 SSL_free(serverssl);
5071 SSL_free(clientssl);
5072 SSL_CTX_free(sctx);
5073 SSL_CTX_free(cctx);
5074 return testresult;
5075}
5076
5077# if !defined(OPENSSL_NO_TLS1_2) \
5078 && !defined(OPENSSL_NO_EC) \
5079 && !defined(OPENSSL_NO_DH)
5080static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5081 int isecdhe, int idx)
5082{
5083 int kexch_alg;
5084 int *kexch_groups = &kexch_alg;
5085 int numec, numff;
5086
5087 numec = OSSL_NELEM(ecdhe_kexch_groups);
5088 numff = OSSL_NELEM(ffdhe_kexch_groups);
5089 if (isecdhe)
5090 kexch_alg = ecdhe_kexch_groups[idx];
5091 else
5092 kexch_alg = ffdhe_kexch_groups[idx];
5093
5094 if (clientmulti) {
5095 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5096 return 0;
5097 if (isecdhe) {
5098 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5099 numec)))
5100 return 0;
5101 } else {
5102 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5103 numff)))
5104 return 0;
5105 }
5106 } else {
5107 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5108 return 0;
5109 if (isecdhe) {
5110 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5111 numec)))
5112 return 0;
5113 } else {
5114 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5115 numff)))
5116 return 0;
5117 }
5118 }
5119 return 1;
5120}
5121
5122/*-
5123 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5124 * Run through both the ECDHE and FFDHE group lists used in the previous
5125 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5126 * confirming the expected result; then perform a resumption handshake
5127 * while offering the same group list, and another resumption handshake
5128 * offering a different group list. The returned value should be the
5129 * negotiated group for the initial handshake; for TLS 1.3 resumption
5130 * handshakes the returned value will be negotiated on the resumption
5131 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5132 * be cached in the session from the original handshake, regardless of what
5133 * was offered in the resumption ClientHello.
5134 *
5135 * Using E for the number of EC groups and F for the number of FF groups:
5136 * E tests of ECDHE with TLS 1.3, server only has one group
5137 * F tests of FFDHE with TLS 1.3, server only has one group
5138 * E tests of ECDHE with TLS 1.2, server only has one group
5139 * F tests of FFDHE with TLS 1.2, server only has one group
5140 * E tests of ECDHE with TLS 1.3, client sends only one group
5141 * F tests of FFDHE with TLS 1.3, client sends only one group
5142 * E tests of ECDHE with TLS 1.2, client sends only one group
5143 * F tests of FFDHE with TLS 1.2, client sends only one group
5144 */
5145static int test_negotiated_group(int idx)
5146{
5147 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5148 int expectednid;
5149 SSL_CTX *sctx = NULL, *cctx = NULL;
5150 SSL *serverssl = NULL, *clientssl = NULL;
5151 SSL_SESSION *origsess = NULL;
5152 int testresult = 0;
5153 int kexch_alg;
5154 int max_version = TLS1_3_VERSION;
5155
5156 numec = OSSL_NELEM(ecdhe_kexch_groups);
5157 numff = OSSL_NELEM(ffdhe_kexch_groups);
5158 numgroups = numec + numff;
5159 clientmulti = (idx < 2 * numgroups);
5160 idx = idx % (2 * numgroups);
5161 istls13 = (idx < numgroups);
5162 idx = idx % numgroups;
5163 isecdhe = (idx < numec);
5164 if (!isecdhe)
5165 idx -= numec;
5166 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5167 if (isecdhe)
5168 kexch_alg = ecdhe_kexch_groups[idx];
5169 else
5170 kexch_alg = ffdhe_kexch_groups[idx];
5171 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5172 if (!istls13 && !isecdhe)
5173 expectednid = NID_undef;
5174 else
5175 expectednid = kexch_alg;
5176
5177 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5178 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5179
5180 if (!istls13)
5181 max_version = TLS1_2_VERSION;
5182
5183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5184 TLS_client_method(), TLS1_VERSION,
5185 max_version, &sctx, &cctx, cert,
5186 privkey)))
5187 goto end;
5188
5189 /*
5190 * Force (EC)DHE ciphers for TLS 1.2.
5191 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5192 */
5193 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5194 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5195 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5196 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5197 goto end;
5198 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5199 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5200 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5201 goto end;
5202
5203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5204 NULL, NULL)))
5205 goto end;
5206
5207 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5208 idx)))
5209 goto end;
5210
5211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5212 goto end;
5213
5214 /* Initial handshake; always the configured one */
5215 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5216 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5217 goto end;
5218
5219 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5220 goto end;
5221
5222 SSL_shutdown(clientssl);
5223 SSL_shutdown(serverssl);
5224 SSL_free(serverssl);
5225 SSL_free(clientssl);
5226 serverssl = clientssl = NULL;
5227
5228 /* First resumption attempt; use the same config as initial handshake */
5229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5230 NULL, NULL))
5231 || !TEST_true(SSL_set_session(clientssl, origsess))
5232 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5233 isecdhe, idx)))
5234 goto end;
5235
5236 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5237 || !TEST_true(SSL_session_reused(clientssl)))
5238 goto end;
5239
5240 /* Still had better agree, since nothing changed... */
5241 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5242 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5243 goto end;
5244
5245 SSL_shutdown(clientssl);
5246 SSL_shutdown(serverssl);
5247 SSL_free(serverssl);
5248 SSL_free(clientssl);
5249 serverssl = clientssl = NULL;
5250
5251 /*-
5252 * Second resumption attempt
5253 * The party that picks one group changes it, which we effectuate by
5254 * changing 'idx' and updating what we expect.
5255 */
5256 if (idx == 0)
5257 idx = 1;
5258 else
5259 idx--;
5260 if (istls13) {
5261 if (isecdhe)
5262 expectednid = ecdhe_kexch_groups[idx];
5263 else
5264 expectednid = ffdhe_kexch_groups[idx];
5265 /* Verify that we are changing what we expect. */
5266 if (!TEST_int_ne(expectednid, kexch_alg))
5267 goto end;
5268 } else {
5269 /* TLS 1.2 only supports named groups for ECDHE. */
5270 if (isecdhe)
5271 expectednid = kexch_alg;
5272 else
5273 expectednid = 0;
5274 }
5275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5276 NULL, NULL))
5277 || !TEST_true(SSL_set_session(clientssl, origsess))
5278 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5279 isecdhe, idx)))
5280 goto end;
5281
5282 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5283 || !TEST_true(SSL_session_reused(clientssl)))
5284 goto end;
5285
5286 /* Check that we get what we expected */
5287 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5288 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5289 goto end;
5290
5291 testresult = 1;
5292 end:
5293 SSL_free(serverssl);
5294 SSL_free(clientssl);
5295 SSL_CTX_free(sctx);
5296 SSL_CTX_free(cctx);
5297 SSL_SESSION_free(origsess);
5298 return testresult;
5299}
5300# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5301
5302/*
5303 * Test TLSv1.3 Cipher Suite
5304 * Test 0 = Set TLS1.3 cipher on context
5305 * Test 1 = Set TLS1.3 cipher on SSL
5306 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5307 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5308 */
5309static int test_tls13_ciphersuite(int idx)
5310{
5311 SSL_CTX *sctx = NULL, *cctx = NULL;
5312 SSL *serverssl = NULL, *clientssl = NULL;
5313 static const struct {
5314 const char *ciphername;
5315 int fipscapable;
5316 int low_security;
5317 } t13_ciphers[] = {
5318 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5319 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5320 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5321# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5322 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5323 { TLS1_3_RFC_AES_256_GCM_SHA384
5324 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5325# endif
5326 /* CCM8 ciphers are considered low security due to their short tag */
5327 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5328 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5329 };
5330 const char *t13_cipher = NULL;
5331 const char *t12_cipher = NULL;
5332 const char *negotiated_scipher;
5333 const char *negotiated_ccipher;
5334 int set_at_ctx = 0;
5335 int set_at_ssl = 0;
5336 int testresult = 0;
5337 int max_ver;
5338 size_t i;
5339
5340 switch (idx) {
5341 case 0:
5342 set_at_ctx = 1;
5343 break;
5344 case 1:
5345 set_at_ssl = 1;
5346 break;
5347 case 2:
5348 set_at_ctx = 1;
5349 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5350 break;
5351 case 3:
5352 set_at_ssl = 1;
5353 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5354 break;
5355 }
5356
5357 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5358# ifdef OPENSSL_NO_TLS1_2
5359 if (max_ver == TLS1_2_VERSION)
5360 continue;
5361# endif
5362 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5363 if (is_fips && !t13_ciphers[i].fipscapable)
5364 continue;
5365 t13_cipher = t13_ciphers[i].ciphername;
5366 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5367 TLS_client_method(),
5368 TLS1_VERSION, max_ver,
5369 &sctx, &cctx, cert, privkey)))
5370 goto end;
5371
5372 if (t13_ciphers[i].low_security) {
5373 SSL_CTX_set_security_level(sctx, 0);
5374 SSL_CTX_set_security_level(cctx, 0);
5375 }
5376
5377 if (set_at_ctx) {
5378 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5379 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5380 goto end;
5381 if (t12_cipher != NULL) {
5382 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5383 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5384 t12_cipher)))
5385 goto end;
5386 }
5387 }
5388
5389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5390 &clientssl, NULL, NULL)))
5391 goto end;
5392
5393 if (set_at_ssl) {
5394 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5395 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5396 goto end;
5397 if (t12_cipher != NULL) {
5398 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5399 || !TEST_true(SSL_set_cipher_list(clientssl,
5400 t12_cipher)))
5401 goto end;
5402 }
5403 }
5404
5405 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5406 SSL_ERROR_NONE)))
5407 goto end;
5408
5409 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5410 serverssl));
5411 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5412 clientssl));
5413 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5414 goto end;
5415
5416 /*
5417 * TEST_strn_eq is used below because t13_cipher can contain
5418 * multiple ciphersuites
5419 */
5420 if (max_ver == TLS1_3_VERSION
5421 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5422 strlen(negotiated_scipher)))
5423 goto end;
5424
5425# ifndef OPENSSL_NO_TLS1_2
5426 /* Below validation is not done when t12_cipher is NULL */
5427 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5428 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5429 goto end;
5430# endif
5431
5432 SSL_free(serverssl);
5433 serverssl = NULL;
5434 SSL_free(clientssl);
5435 clientssl = NULL;
5436 SSL_CTX_free(sctx);
5437 sctx = NULL;
5438 SSL_CTX_free(cctx);
5439 cctx = NULL;
5440 }
5441 }
5442
5443 testresult = 1;
5444 end:
5445 SSL_free(serverssl);
5446 SSL_free(clientssl);
5447 SSL_CTX_free(sctx);
5448 SSL_CTX_free(cctx);
5449 return testresult;
5450}
5451
5452/*
5453 * Test TLSv1.3 PSKs
5454 * Test 0 = Test new style callbacks
5455 * Test 1 = Test both new and old style callbacks
5456 * Test 2 = Test old style callbacks
5457 * Test 3 = Test old style callbacks with no certificate
5458 */
5459static int test_tls13_psk(int idx)
5460{
5461 SSL_CTX *sctx = NULL, *cctx = NULL;
5462 SSL *serverssl = NULL, *clientssl = NULL;
5463 const SSL_CIPHER *cipher = NULL;
5464 const unsigned char key[] = {
5465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5466 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5467 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5468 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5469 };
5470 int testresult = 0;
5471
5472 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5473 TLS_client_method(), TLS1_VERSION, 0,
5474 &sctx, &cctx, idx == 3 ? NULL : cert,
5475 idx == 3 ? NULL : privkey)))
5476 goto end;
5477
5478 if (idx != 3) {
5479 /*
5480 * We use a ciphersuite with SHA256 to ease testing old style PSK
5481 * callbacks which will always default to SHA256. This should not be
5482 * necessary if we have no cert/priv key. In that case the server should
5483 * prefer SHA256 automatically.
5484 */
5485 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5486 "TLS_AES_128_GCM_SHA256")))
5487 goto end;
5488 } else {
5489 /*
5490 * As noted above the server should prefer SHA256 automatically. However
5491 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5492 * code works even if we are testing with only the FIPS provider loaded.
5493 */
5494 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5495 "TLS_AES_256_GCM_SHA384:"
5496 "TLS_AES_128_GCM_SHA256")))
5497 goto end;
5498 }
5499
5500 /*
5501 * Test 0: New style callbacks only
5502 * Test 1: New and old style callbacks (only the new ones should be used)
5503 * Test 2: Old style callbacks only
5504 */
5505 if (idx == 0 || idx == 1) {
5506 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5507 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5508 }
5509#ifndef OPENSSL_NO_PSK
5510 if (idx >= 1) {
5511 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5512 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5513 }
5514#endif
5515 srvid = pskid;
5516 use_session_cb_cnt = 0;
5517 find_session_cb_cnt = 0;
5518 psk_client_cb_cnt = 0;
5519 psk_server_cb_cnt = 0;
5520
5521 if (idx != 3) {
5522 /*
5523 * Check we can create a connection if callback decides not to send a
5524 * PSK
5525 */
5526 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5527 NULL, NULL))
5528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5529 SSL_ERROR_NONE))
5530 || !TEST_false(SSL_session_reused(clientssl))
5531 || !TEST_false(SSL_session_reused(serverssl)))
5532 goto end;
5533
5534 if (idx == 0 || idx == 1) {
5535 if (!TEST_true(use_session_cb_cnt == 1)
5536 || !TEST_true(find_session_cb_cnt == 0)
5537 /*
5538 * If no old style callback then below should be 0
5539 * otherwise 1
5540 */
5541 || !TEST_true(psk_client_cb_cnt == idx)
5542 || !TEST_true(psk_server_cb_cnt == 0))
5543 goto end;
5544 } else {
5545 if (!TEST_true(use_session_cb_cnt == 0)
5546 || !TEST_true(find_session_cb_cnt == 0)
5547 || !TEST_true(psk_client_cb_cnt == 1)
5548 || !TEST_true(psk_server_cb_cnt == 0))
5549 goto end;
5550 }
5551
5552 shutdown_ssl_connection(serverssl, clientssl);
5553 serverssl = clientssl = NULL;
5554 use_session_cb_cnt = psk_client_cb_cnt = 0;
5555 }
5556
5557 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5558 NULL, NULL)))
5559 goto end;
5560
5561 /* Create the PSK */
5562 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5563 clientpsk = SSL_SESSION_new();
5564 if (!TEST_ptr(clientpsk)
5565 || !TEST_ptr(cipher)
5566 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5567 sizeof(key)))
5568 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5569 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5570 TLS1_3_VERSION))
5571 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5572 goto end;
5573 serverpsk = clientpsk;
5574
5575 /* Check we can create a connection and the PSK is used */
5576 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5577 || !TEST_true(SSL_session_reused(clientssl))
5578 || !TEST_true(SSL_session_reused(serverssl)))
5579 goto end;
5580
5581 if (idx == 0 || idx == 1) {
5582 if (!TEST_true(use_session_cb_cnt == 1)
5583 || !TEST_true(find_session_cb_cnt == 1)
5584 || !TEST_true(psk_client_cb_cnt == 0)
5585 || !TEST_true(psk_server_cb_cnt == 0))
5586 goto end;
5587 } else {
5588 if (!TEST_true(use_session_cb_cnt == 0)
5589 || !TEST_true(find_session_cb_cnt == 0)
5590 || !TEST_true(psk_client_cb_cnt == 1)
5591 || !TEST_true(psk_server_cb_cnt == 1))
5592 goto end;
5593 }
5594
5595 shutdown_ssl_connection(serverssl, clientssl);
5596 serverssl = clientssl = NULL;
5597 use_session_cb_cnt = find_session_cb_cnt = 0;
5598 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5599
5600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5601 NULL, NULL)))
5602 goto end;
5603
5604 /* Force an HRR */
5605#if defined(OPENSSL_NO_EC)
5606 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5607 goto end;
5608#else
5609 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5610 goto end;
5611#endif
5612
5613 /*
5614 * Check we can create a connection, the PSK is used and the callbacks are
5615 * called twice.
5616 */
5617 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5618 || !TEST_true(SSL_session_reused(clientssl))
5619 || !TEST_true(SSL_session_reused(serverssl)))
5620 goto end;
5621
5622 if (idx == 0 || idx == 1) {
5623 if (!TEST_true(use_session_cb_cnt == 2)
5624 || !TEST_true(find_session_cb_cnt == 2)
5625 || !TEST_true(psk_client_cb_cnt == 0)
5626 || !TEST_true(psk_server_cb_cnt == 0))
5627 goto end;
5628 } else {
5629 if (!TEST_true(use_session_cb_cnt == 0)
5630 || !TEST_true(find_session_cb_cnt == 0)
5631 || !TEST_true(psk_client_cb_cnt == 2)
5632 || !TEST_true(psk_server_cb_cnt == 2))
5633 goto end;
5634 }
5635
5636 shutdown_ssl_connection(serverssl, clientssl);
5637 serverssl = clientssl = NULL;
5638 use_session_cb_cnt = find_session_cb_cnt = 0;
5639 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5640
5641 if (idx != 3) {
5642 /*
5643 * Check that if the server rejects the PSK we can still connect, but with
5644 * a full handshake
5645 */
5646 srvid = "Dummy Identity";
5647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5648 NULL, NULL))
5649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5650 SSL_ERROR_NONE))
5651 || !TEST_false(SSL_session_reused(clientssl))
5652 || !TEST_false(SSL_session_reused(serverssl)))
5653 goto end;
5654
5655 if (idx == 0 || idx == 1) {
5656 if (!TEST_true(use_session_cb_cnt == 1)
5657 || !TEST_true(find_session_cb_cnt == 1)
5658 || !TEST_true(psk_client_cb_cnt == 0)
5659 /*
5660 * If no old style callback then below should be 0
5661 * otherwise 1
5662 */
5663 || !TEST_true(psk_server_cb_cnt == idx))
5664 goto end;
5665 } else {
5666 if (!TEST_true(use_session_cb_cnt == 0)
5667 || !TEST_true(find_session_cb_cnt == 0)
5668 || !TEST_true(psk_client_cb_cnt == 1)
5669 || !TEST_true(psk_server_cb_cnt == 1))
5670 goto end;
5671 }
5672
5673 shutdown_ssl_connection(serverssl, clientssl);
5674 serverssl = clientssl = NULL;
5675 }
5676 testresult = 1;
5677
5678 end:
5679 SSL_SESSION_free(clientpsk);
5680 SSL_SESSION_free(serverpsk);
5681 clientpsk = serverpsk = NULL;
5682 SSL_free(serverssl);
5683 SSL_free(clientssl);
5684 SSL_CTX_free(sctx);
5685 SSL_CTX_free(cctx);
5686 return testresult;
5687}
5688
5689#ifndef OSSL_NO_USABLE_TLS1_3
5690/*
5691 * Test TLS1.3 connection establishment succeeds with various configurations of
5692 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5693 * The verification of whether the right KEX mode is chosen is not covered by
5694 * this test but by `test_tls13kexmodes`.
5695 *
5696 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5697 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5698 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5699 */
5700static int test_tls13_no_dhe_kex(const int idx)
5701{
5702 SSL_CTX *sctx = NULL, *cctx = NULL;
5703 SSL *serverssl = NULL, *clientssl = NULL;
5704 int testresult = 0;
5705 size_t j;
5706 SSL_SESSION *saved_session;
5707
5708 int server_allow_no_dhe = (idx & 1) != 0;
5709 int server_prefer_no_dhe = (idx & 2) != 0;
5710 int client_allow_no_dhe = (idx & 4) != 0;
5711
5712 uint64_t server_options = 0
5713 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5714 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5715
5716 uint64_t client_options = 0
5717 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5718
5719 new_called = 0;
5720 do_cache = 1;
5721
5722 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5723 TLS_client_method(), TLS1_3_VERSION, 0,
5724 &sctx, &cctx, cert, privkey)))
5725 goto end;
5726
5727 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5728 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5729
5730 SSL_CTX_set_options(sctx, server_options);
5731 SSL_CTX_set_options(cctx, client_options);
5732
5733 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5734
5735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5736 &clientssl, NULL, NULL)))
5737 goto end;
5738
5739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5740 SSL_ERROR_NONE))
5741 /* Check we got the number of tickets we were expecting */
5742 || !TEST_int_eq(2, new_called))
5743 goto end;
5744
5745 /* We'll reuse the last ticket. */
5746 saved_session = sesscache[new_called - 1];
5747
5748 SSL_shutdown(clientssl);
5749 SSL_shutdown(serverssl);
5750 SSL_free(serverssl);
5751 SSL_free(clientssl);
5752 SSL_CTX_free(cctx);
5753 clientssl = serverssl = NULL;
5754 cctx = NULL;
5755
5756 /*
5757 * Now we resume with the last ticket we created.
5758 */
5759
5760 /* The server context already exists, so we only create the client. */
5761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5762 TLS_client_method(), TLS1_3_VERSION, 0,
5763 NULL, &cctx, cert, privkey)))
5764 goto end;
5765
5766 SSL_CTX_set_options(cctx, client_options);
5767
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5769 &clientssl, NULL, NULL))
5770 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5771 goto end;
5772
5773 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5774 SSL_ERROR_NONE)))
5775 goto end;
5776
5777 /*
5778 * Make sure, the session was resumed.
5779 */
5780 if (!TEST_true(SSL_session_reused(clientssl)))
5781 goto end;
5782
5783 SSL_shutdown(clientssl);
5784 SSL_shutdown(serverssl);
5785
5786 testresult = 1;
5787
5788 end:
5789 SSL_free(serverssl);
5790 SSL_free(clientssl);
5791 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5792 SSL_SESSION_free(sesscache[j]);
5793 sesscache[j] = NULL;
5794 }
5795 SSL_CTX_free(sctx);
5796 SSL_CTX_free(cctx);
5797
5798 return testresult;
5799}
5800#endif /* OSSL_NO_USABLE_TLS1_3 */
5801
5802static unsigned char cookie_magic_value[] = "cookie magic";
5803
5804static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5805 unsigned int *cookie_len)
5806{
5807 /*
5808 * Not suitable as a real cookie generation function but good enough for
5809 * testing!
5810 */
5811 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5812 *cookie_len = sizeof(cookie_magic_value) - 1;
5813
5814 return 1;
5815}
5816
5817static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5818 unsigned int cookie_len)
5819{
5820 if (cookie_len == sizeof(cookie_magic_value) - 1
5821 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5822 return 1;
5823
5824 return 0;
5825}
5826
5827static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5828 size_t *cookie_len)
5829{
5830 unsigned int temp;
5831 int res = generate_cookie_callback(ssl, cookie, &temp);
5832 *cookie_len = temp;
5833 return res;
5834}
5835
5836static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5837 size_t cookie_len)
5838{
5839 return verify_cookie_callback(ssl, cookie, cookie_len);
5840}
5841
5842static int test_stateless(void)
5843{
5844 SSL_CTX *sctx = NULL, *cctx = NULL;
5845 SSL *serverssl = NULL, *clientssl = NULL;
5846 int testresult = 0;
5847
5848 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5849 TLS_client_method(), TLS1_VERSION, 0,
5850 &sctx, &cctx, cert, privkey)))
5851 goto end;
5852
5853 /* The arrival of CCS messages can confuse the test */
5854 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5855
5856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5857 NULL, NULL))
5858 /* Send the first ClientHello */
5859 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5860 SSL_ERROR_WANT_READ))
5861 /*
5862 * This should fail with a -1 return because we have no callbacks
5863 * set up
5864 */
5865 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5866 goto end;
5867
5868 /* Fatal error so abandon the connection from this client */
5869 SSL_free(clientssl);
5870 clientssl = NULL;
5871
5872 /* Set up the cookie generation and verification callbacks */
5873 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5874 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5875
5876 /*
5877 * Create a new connection from the client (we can reuse the server SSL
5878 * object).
5879 */
5880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5881 NULL, NULL))
5882 /* Send the first ClientHello */
5883 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5884 SSL_ERROR_WANT_READ))
5885 /* This should fail because there is no cookie */
5886 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5887 goto end;
5888
5889 /* Abandon the connection from this client */
5890 SSL_free(clientssl);
5891 clientssl = NULL;
5892
5893 /*
5894 * Now create a connection from a new client but with the same server SSL
5895 * object
5896 */
5897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5898 NULL, NULL))
5899 /* Send the first ClientHello */
5900 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5901 SSL_ERROR_WANT_READ))
5902 /* This should fail because there is no cookie */
5903 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5904 /* Send the second ClientHello */
5905 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5906 SSL_ERROR_WANT_READ))
5907 /* This should succeed because a cookie is now present */
5908 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5909 /* Complete the connection */
5910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5911 SSL_ERROR_NONE)))
5912 goto end;
5913
5914 shutdown_ssl_connection(serverssl, clientssl);
5915 serverssl = clientssl = NULL;
5916 testresult = 1;
5917
5918 end:
5919 SSL_free(serverssl);
5920 SSL_free(clientssl);
5921 SSL_CTX_free(sctx);
5922 SSL_CTX_free(cctx);
5923 return testresult;
5924
5925}
5926#endif /* OSSL_NO_USABLE_TLS1_3 */
5927
5928static int clntaddoldcb = 0;
5929static int clntparseoldcb = 0;
5930static int srvaddoldcb = 0;
5931static int srvparseoldcb = 0;
5932static int clntaddnewcb = 0;
5933static int clntparsenewcb = 0;
5934static int srvaddnewcb = 0;
5935static int srvparsenewcb = 0;
5936static int snicb = 0;
5937
5938#define TEST_EXT_TYPE1 0xff00
5939
5940static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5941 size_t *outlen, int *al, void *add_arg)
5942{
5943 int *server = (int *)add_arg;
5944 unsigned char *data;
5945
5946 if (SSL_is_server(s))
5947 srvaddoldcb++;
5948 else
5949 clntaddoldcb++;
5950
5951 if (*server != SSL_is_server(s)
5952 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5953 return -1;
5954
5955 *data = 1;
5956 *out = data;
5957 *outlen = sizeof(char);
5958 return 1;
5959}
5960
5961static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5962 void *add_arg)
5963{
5964 OPENSSL_free((unsigned char *)out);
5965}
5966
5967static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5968 size_t inlen, int *al, void *parse_arg)
5969{
5970 int *server = (int *)parse_arg;
5971
5972 if (SSL_is_server(s))
5973 srvparseoldcb++;
5974 else
5975 clntparseoldcb++;
5976
5977 if (*server != SSL_is_server(s)
5978 || inlen != sizeof(char)
5979 || *in != 1)
5980 return -1;
5981
5982 return 1;
5983}
5984
5985static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5986 const unsigned char **out, size_t *outlen, X509 *x,
5987 size_t chainidx, int *al, void *add_arg)
5988{
5989 int *server = (int *)add_arg;
5990 unsigned char *data;
5991
5992 if (SSL_is_server(s))
5993 srvaddnewcb++;
5994 else
5995 clntaddnewcb++;
5996
5997 if (*server != SSL_is_server(s)
5998 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5999 return -1;
6000
6001 *data = 1;
6002 *out = data;
6003 *outlen = sizeof(*data);
6004 return 1;
6005}
6006
6007static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6008 const unsigned char *out, void *add_arg)
6009{
6010 OPENSSL_free((unsigned char *)out);
6011}
6012
6013static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6014 const unsigned char *in, size_t inlen, X509 *x,
6015 size_t chainidx, int *al, void *parse_arg)
6016{
6017 int *server = (int *)parse_arg;
6018
6019 if (SSL_is_server(s))
6020 srvparsenewcb++;
6021 else
6022 clntparsenewcb++;
6023
6024 if (*server != SSL_is_server(s)
6025 || inlen != sizeof(char) || *in != 1)
6026 return -1;
6027
6028 return 1;
6029}
6030
6031static int sni_cb(SSL *s, int *al, void *arg)
6032{
6033 SSL_CTX *ctx = (SSL_CTX *)arg;
6034
6035 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6036 *al = SSL_AD_INTERNAL_ERROR;
6037 return SSL_TLSEXT_ERR_ALERT_FATAL;
6038 }
6039 snicb++;
6040 return SSL_TLSEXT_ERR_OK;
6041}
6042
6043static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6044{
6045 return 1;
6046}
6047
6048/*
6049 * Custom call back tests.
6050 * Test 0: Old style callbacks in TLSv1.2
6051 * Test 1: New style callbacks in TLSv1.2
6052 * Test 2: New style callbacks in TLSv1.2 with SNI
6053 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6054 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6055 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6056 */
6057static int test_custom_exts(int tst)
6058{
6059 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6060 SSL *clientssl = NULL, *serverssl = NULL;
6061 int testresult = 0;
6062 static int server = 1;
6063 static int client = 0;
6064 SSL_SESSION *sess = NULL;
6065 unsigned int context;
6066
6067#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6068 /* Skip tests for TLSv1.2 and below in this case */
6069 if (tst < 3)
6070 return 1;
6071#endif
6072
6073 /* Reset callback counters */
6074 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6075 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6076 snicb = 0;
6077
6078 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6079 TLS_client_method(), TLS1_VERSION, 0,
6080 &sctx, &cctx, cert, privkey)))
6081 goto end;
6082
6083 if (tst == 2
6084 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6085 TLS1_VERSION, 0,
6086 &sctx2, NULL, cert, privkey)))
6087 goto end;
6088
6089
6090 if (tst < 3) {
6091 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6092 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6093 if (sctx2 != NULL)
6094 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6095 }
6096
6097 if (tst == 5) {
6098 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6099 | SSL_EXT_TLS1_3_CERTIFICATE;
6100 SSL_CTX_set_verify(sctx,
6101 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6102 verify_cb);
6103 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6104 SSL_FILETYPE_PEM), 1)
6105 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6106 SSL_FILETYPE_PEM), 1)
6107 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6108 goto end;
6109 } else if (tst == 4) {
6110 context = SSL_EXT_CLIENT_HELLO
6111 | SSL_EXT_TLS1_2_SERVER_HELLO
6112 | SSL_EXT_TLS1_3_SERVER_HELLO
6113 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6114 | SSL_EXT_TLS1_3_CERTIFICATE
6115 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6116 } else {
6117 context = SSL_EXT_CLIENT_HELLO
6118 | SSL_EXT_TLS1_2_SERVER_HELLO
6119 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6120 }
6121
6122 /* Create a client side custom extension */
6123 if (tst == 0) {
6124 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6125 old_add_cb, old_free_cb,
6126 &client, old_parse_cb,
6127 &client)))
6128 goto end;
6129 } else {
6130 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6131 new_add_cb, new_free_cb,
6132 &client, new_parse_cb, &client)))
6133 goto end;
6134 }
6135
6136 /* Should not be able to add duplicates */
6137 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6138 old_add_cb, old_free_cb,
6139 &client, old_parse_cb,
6140 &client))
6141 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6142 context, new_add_cb,
6143 new_free_cb, &client,
6144 new_parse_cb, &client)))
6145 goto end;
6146
6147 /* Create a server side custom extension */
6148 if (tst == 0) {
6149 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6150 old_add_cb, old_free_cb,
6151 &server, old_parse_cb,
6152 &server)))
6153 goto end;
6154 } else {
6155 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6156 new_add_cb, new_free_cb,
6157 &server, new_parse_cb, &server)))
6158 goto end;
6159 if (sctx2 != NULL
6160 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6161 context, new_add_cb,
6162 new_free_cb, &server,
6163 new_parse_cb, &server)))
6164 goto end;
6165 }
6166
6167 /* Should not be able to add duplicates */
6168 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6169 old_add_cb, old_free_cb,
6170 &server, old_parse_cb,
6171 &server))
6172 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6173 context, new_add_cb,
6174 new_free_cb, &server,
6175 new_parse_cb, &server)))
6176 goto end;
6177
6178 if (tst == 2) {
6179 /* Set up SNI */
6180 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6181 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6182 goto end;
6183 }
6184
6185 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6186 &clientssl, NULL, NULL))
6187 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6188 SSL_ERROR_NONE)))
6189 goto end;
6190
6191 if (tst == 0) {
6192 if (clntaddoldcb != 1
6193 || clntparseoldcb != 1
6194 || srvaddoldcb != 1
6195 || srvparseoldcb != 1)
6196 goto end;
6197 } else if (tst == 1 || tst == 2 || tst == 3) {
6198 if (clntaddnewcb != 1
6199 || clntparsenewcb != 1
6200 || srvaddnewcb != 1
6201 || srvparsenewcb != 1
6202 || (tst != 2 && snicb != 0)
6203 || (tst == 2 && snicb != 1))
6204 goto end;
6205 } else if (tst == 5) {
6206 if (clntaddnewcb != 1
6207 || clntparsenewcb != 1
6208 || srvaddnewcb != 1
6209 || srvparsenewcb != 1)
6210 goto end;
6211 } else {
6212 /* In this case there 2 NewSessionTicket messages created */
6213 if (clntaddnewcb != 1
6214 || clntparsenewcb != 5
6215 || srvaddnewcb != 5
6216 || srvparsenewcb != 1)
6217 goto end;
6218 }
6219
6220 sess = SSL_get1_session(clientssl);
6221 SSL_shutdown(clientssl);
6222 SSL_shutdown(serverssl);
6223 SSL_free(serverssl);
6224 SSL_free(clientssl);
6225 serverssl = clientssl = NULL;
6226
6227 if (tst == 3 || tst == 5) {
6228 /* We don't bother with the resumption aspects for these tests */
6229 testresult = 1;
6230 goto end;
6231 }
6232
6233 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6234 NULL, NULL))
6235 || !TEST_true(SSL_set_session(clientssl, sess))
6236 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6237 SSL_ERROR_NONE)))
6238 goto end;
6239
6240 /*
6241 * For a resumed session we expect to add the ClientHello extension. For the
6242 * old style callbacks we ignore it on the server side because they set
6243 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6244 * them.
6245 */
6246 if (tst == 0) {
6247 if (clntaddoldcb != 2
6248 || clntparseoldcb != 1
6249 || srvaddoldcb != 1
6250 || srvparseoldcb != 1)
6251 goto end;
6252 } else if (tst == 1 || tst == 2 || tst == 3) {
6253 if (clntaddnewcb != 2
6254 || clntparsenewcb != 2
6255 || srvaddnewcb != 2
6256 || srvparsenewcb != 2)
6257 goto end;
6258 } else {
6259 /*
6260 * No Certificate message extensions in the resumption handshake,
6261 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6262 */
6263 if (clntaddnewcb != 2
6264 || clntparsenewcb != 8
6265 || srvaddnewcb != 8
6266 || srvparsenewcb != 2)
6267 goto end;
6268 }
6269
6270 testresult = 1;
6271
6272end:
6273 SSL_SESSION_free(sess);
6274 SSL_free(serverssl);
6275 SSL_free(clientssl);
6276 SSL_CTX_free(sctx2);
6277 SSL_CTX_free(sctx);
6278 SSL_CTX_free(cctx);
6279 return testresult;
6280}
6281
6282#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6283
6284#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6285 | SSL_EXT_CLIENT_HELLO \
6286 | SSL_EXT_TLS1_2_SERVER_HELLO \
6287 | SSL_EXT_IGNORE_ON_RESUMPTION)
6288
6289#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6290 | SSL_EXT_TLS1_2_SERVER_HELLO \
6291 | SSL_EXT_CLIENT_HELLO)
6292
6293#define SERVERINFO_CUSTOM \
6294 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6295 0x00, 0x03, \
6296 0x04, 0x05, 0x06 \
6297
6298static const unsigned char serverinfo_custom_tls13[] = {
6299 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6300 SERVERINFO_CUSTOM
6301};
6302static const unsigned char serverinfo_custom_v2[] = {
6303 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6304 SERVERINFO_CUSTOM
6305};
6306static const unsigned char serverinfo_custom_v1[] = {
6307 SERVERINFO_CUSTOM
6308};
6309static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6310static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6311static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6312
6313static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6314 unsigned int context,
6315 const unsigned char *in,
6316 size_t inlen, X509 *x,
6317 size_t chainidx, int *al,
6318 void *parse_arg)
6319{
6320 const size_t len = serverinfo_custom_v1_len;
6321 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6322 int *p_cb_result = (int*)parse_arg;
6323 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6324 return 1;
6325}
6326
6327static int test_serverinfo_custom(const int idx)
6328{
6329 SSL_CTX *sctx = NULL, *cctx = NULL;
6330 SSL *clientssl = NULL, *serverssl = NULL;
6331 int testresult = 0;
6332 int cb_result = 0;
6333
6334 /*
6335 * Following variables are set in the switch statement
6336 * according to the test iteration.
6337 * Default values do not make much sense: test would fail with them.
6338 */
6339 int serverinfo_version = 0;
6340 int protocol_version = 0;
6341 unsigned int extension_context = 0;
6342 const unsigned char *si = NULL;
6343 size_t si_len = 0;
6344
6345 const int call_use_serverinfo_ex = idx > 0;
6346 switch (idx) {
6347 case 0: /* FALLTHROUGH */
6348 case 1:
6349 serverinfo_version = SSL_SERVERINFOV1;
6350 protocol_version = TLS1_2_VERSION;
6351 extension_context = SYNTHV1CONTEXT;
6352 si = serverinfo_custom_v1;
6353 si_len = serverinfo_custom_v1_len;
6354 break;
6355 case 2:
6356 serverinfo_version = SSL_SERVERINFOV2;
6357 protocol_version = TLS1_2_VERSION;
6358 extension_context = SYNTHV1CONTEXT;
6359 si = serverinfo_custom_v2;
6360 si_len = serverinfo_custom_v2_len;
6361 break;
6362 case 3:
6363 serverinfo_version = SSL_SERVERINFOV2;
6364 protocol_version = TLS1_3_VERSION;
6365 extension_context = TLS13CONTEXT;
6366 si = serverinfo_custom_tls13;
6367 si_len = serverinfo_custom_tls13_len;
6368 break;
6369 }
6370
6371 if (!TEST_true(create_ssl_ctx_pair(libctx,
6372 TLS_method(),
6373 TLS_method(),
6374 protocol_version,
6375 protocol_version,
6376 &sctx, &cctx, cert, privkey)))
6377 goto end;
6378
6379 if (call_use_serverinfo_ex) {
6380 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6381 si, si_len)))
6382 goto end;
6383 } else {
6384 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6385 goto end;
6386 }
6387
6388 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6389 extension_context,
6390 NULL, NULL, NULL,
6391 serverinfo_custom_parse_cb,
6392 &cb_result))
6393 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6394 NULL, NULL))
6395 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6396 SSL_ERROR_NONE))
6397 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6398 goto end;
6399
6400 if (!TEST_true(cb_result))
6401 goto end;
6402
6403 testresult = 1;
6404
6405 end:
6406 SSL_free(serverssl);
6407 SSL_free(clientssl);
6408 SSL_CTX_free(sctx);
6409 SSL_CTX_free(cctx);
6410
6411 return testresult;
6412}
6413#endif
6414
6415/*
6416 * Test that SSL_export_keying_material() produces expected results. There are
6417 * no test vectors so all we do is test that both sides of the communication
6418 * produce the same results for different protocol versions.
6419 */
6420#define SMALL_LABEL_LEN 10
6421#define LONG_LABEL_LEN 249
6422static int test_export_key_mat(int tst)
6423{
6424 int testresult = 0;
6425 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6426 SSL *clientssl = NULL, *serverssl = NULL;
6427 const char label[LONG_LABEL_LEN + 1] = "test label";
6428 const unsigned char context[] = "context";
6429 const unsigned char *emptycontext = NULL;
6430 unsigned char longcontext[1280];
6431 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6432 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6433 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6434 size_t labellen;
6435 const int protocols[] = {
6436 TLS1_VERSION,
6437 TLS1_1_VERSION,
6438 TLS1_2_VERSION,
6439 TLS1_3_VERSION,
6440 TLS1_3_VERSION,
6441 TLS1_3_VERSION
6442 };
6443
6444#ifdef OPENSSL_NO_TLS1
6445 if (tst == 0)
6446 return 1;
6447#endif
6448#ifdef OPENSSL_NO_TLS1_1
6449 if (tst == 1)
6450 return 1;
6451#endif
6452 if (is_fips && (tst == 0 || tst == 1))
6453 return 1;
6454#ifdef OPENSSL_NO_TLS1_2
6455 if (tst == 2)
6456 return 1;
6457#endif
6458#ifdef OSSL_NO_USABLE_TLS1_3
6459 if (tst >= 3)
6460 return 1;
6461#endif
6462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6463 TLS_client_method(), TLS1_VERSION, 0,
6464 &sctx, &cctx, cert, privkey)))
6465 goto end;
6466
6467 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6468 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6469 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6470 if ((protocols[tst] < TLS1_2_VERSION) &&
6471 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6472 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6473 goto end;
6474
6475 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6476 NULL)))
6477 goto end;
6478
6479 /*
6480 * Premature call of SSL_export_keying_material should just fail.
6481 */
6482 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6483 sizeof(ckeymat1), label,
6484 SMALL_LABEL_LEN + 1, context,
6485 sizeof(context) - 1, 1), 0))
6486 goto end;
6487
6488 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6489 SSL_ERROR_NONE)))
6490 goto end;
6491
6492 if (tst == 5) {
6493 /*
6494 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6495 * go over that.
6496 */
6497 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6498 sizeof(ckeymat1), label,
6499 LONG_LABEL_LEN + 1, context,
6500 sizeof(context) - 1, 1), 0))
6501 goto end;
6502
6503 testresult = 1;
6504 goto end;
6505 } else if (tst == 4) {
6506 labellen = LONG_LABEL_LEN;
6507 } else {
6508 labellen = SMALL_LABEL_LEN;
6509 }
6510
6511 memset(longcontext, 1, sizeof(longcontext));
6512
6513 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6514 sizeof(ckeymat1), label,
6515 labellen, context,
6516 sizeof(context) - 1, 1), 1)
6517 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6518 sizeof(ckeymat2), label,
6519 labellen,
6520 emptycontext,
6521 0, 1), 1)
6522 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6523 sizeof(ckeymat3), label,
6524 labellen,
6525 NULL, 0, 0), 1)
6526 || (test_longcontext
6527 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6528 ckeymat4,
6529 sizeof(ckeymat4), label,
6530 labellen,
6531 longcontext,
6532 sizeof(longcontext), 1),
6533 1))
6534 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6535 sizeof(skeymat1), label,
6536 labellen,
6537 context,
6538 sizeof(context) -1, 1),
6539 1)
6540 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6541 sizeof(skeymat2), label,
6542 labellen,
6543 emptycontext,
6544 0, 1), 1)
6545 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6546 sizeof(skeymat3), label,
6547 labellen,
6548 NULL, 0, 0), 1)
6549 || (test_longcontext
6550 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6551 sizeof(skeymat4), label,
6552 labellen,
6553 longcontext,
6554 sizeof(longcontext), 1),
6555 1))
6556 /*
6557 * Check that both sides created the same key material with the
6558 * same context.
6559 */
6560 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6561 sizeof(skeymat1))
6562 /*
6563 * Check that both sides created the same key material with an
6564 * empty context.
6565 */
6566 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6567 sizeof(skeymat2))
6568 /*
6569 * Check that both sides created the same key material without a
6570 * context.
6571 */
6572 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6573 sizeof(skeymat3))
6574 /*
6575 * Check that both sides created the same key material with a
6576 * long context.
6577 */
6578 || (test_longcontext
6579 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6580 sizeof(skeymat4)))
6581 /* Different contexts should produce different results */
6582 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6583 sizeof(ckeymat2)))
6584 goto end;
6585
6586 /*
6587 * Check that an empty context and no context produce different results in
6588 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6589 */
6590 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6591 sizeof(ckeymat3)))
6592 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6593 sizeof(ckeymat3))))
6594 goto end;
6595
6596 testresult = 1;
6597
6598 end:
6599 SSL_free(serverssl);
6600 SSL_free(clientssl);
6601 SSL_CTX_free(sctx2);
6602 SSL_CTX_free(sctx);
6603 SSL_CTX_free(cctx);
6604
6605 return testresult;
6606}
6607
6608#ifndef OSSL_NO_USABLE_TLS1_3
6609/*
6610 * Test that SSL_export_keying_material_early() produces expected
6611 * results. There are no test vectors so all we do is test that both
6612 * sides of the communication produce the same results for different
6613 * protocol versions.
6614 */
6615static int test_export_key_mat_early(int idx)
6616{
6617 static const char label[] = "test label";
6618 static const unsigned char context[] = "context";
6619 int testresult = 0;
6620 SSL_CTX *cctx = NULL, *sctx = NULL;
6621 SSL *clientssl = NULL, *serverssl = NULL;
6622 SSL_SESSION *sess = NULL;
6623 const unsigned char *emptycontext = NULL;
6624 unsigned char ckeymat1[80], ckeymat2[80];
6625 unsigned char skeymat1[80], skeymat2[80];
6626 unsigned char buf[1];
6627 size_t readbytes, written;
6628
6629 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6630 &sess, idx, SHA384_DIGEST_LENGTH)))
6631 goto end;
6632
6633 /* Here writing 0 length early data is enough. */
6634 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6635 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6636 &readbytes),
6637 SSL_READ_EARLY_DATA_ERROR)
6638 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6639 SSL_EARLY_DATA_ACCEPTED))
6640 goto end;
6641
6642 if (!TEST_int_eq(SSL_export_keying_material_early(
6643 clientssl, ckeymat1, sizeof(ckeymat1), label,
6644 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6645 || !TEST_int_eq(SSL_export_keying_material_early(
6646 clientssl, ckeymat2, sizeof(ckeymat2), label,
6647 sizeof(label) - 1, emptycontext, 0), 1)
6648 || !TEST_int_eq(SSL_export_keying_material_early(
6649 serverssl, skeymat1, sizeof(skeymat1), label,
6650 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6651 || !TEST_int_eq(SSL_export_keying_material_early(
6652 serverssl, skeymat2, sizeof(skeymat2), label,
6653 sizeof(label) - 1, emptycontext, 0), 1)
6654 /*
6655 * Check that both sides created the same key material with the
6656 * same context.
6657 */
6658 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6659 sizeof(skeymat1))
6660 /*
6661 * Check that both sides created the same key material with an
6662 * empty context.
6663 */
6664 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6665 sizeof(skeymat2))
6666 /* Different contexts should produce different results */
6667 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6668 sizeof(ckeymat2)))
6669 goto end;
6670
6671 testresult = 1;
6672
6673 end:
6674 SSL_SESSION_free(sess);
6675 SSL_SESSION_free(clientpsk);
6676 SSL_SESSION_free(serverpsk);
6677 clientpsk = serverpsk = NULL;
6678 SSL_free(serverssl);
6679 SSL_free(clientssl);
6680 SSL_CTX_free(sctx);
6681 SSL_CTX_free(cctx);
6682
6683 return testresult;
6684}
6685
6686#define NUM_KEY_UPDATE_MESSAGES 40
6687/*
6688 * Test KeyUpdate.
6689 */
6690static int test_key_update(void)
6691{
6692 SSL_CTX *cctx = NULL, *sctx = NULL;
6693 SSL *clientssl = NULL, *serverssl = NULL;
6694 int testresult = 0, i, j;
6695 char buf[20];
6696 static char *mess = "A test message";
6697
6698 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6699 TLS_client_method(),
6700 TLS1_3_VERSION,
6701 0,
6702 &sctx, &cctx, cert, privkey))
6703 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6704 NULL, NULL))
6705 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6706 SSL_ERROR_NONE)))
6707 goto end;
6708
6709 for (j = 0; j < 2; j++) {
6710 /* Send lots of KeyUpdate messages */
6711 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6712 if (!TEST_true(SSL_key_update(clientssl,
6713 (j == 0)
6714 ? SSL_KEY_UPDATE_NOT_REQUESTED
6715 : SSL_KEY_UPDATE_REQUESTED))
6716 || !TEST_true(SSL_do_handshake(clientssl)))
6717 goto end;
6718 }
6719
6720 /* Check that sending and receiving app data is ok */
6721 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6722 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6723 strlen(mess)))
6724 goto end;
6725
6726 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6727 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6728 strlen(mess)))
6729 goto end;
6730 }
6731
6732 testresult = 1;
6733
6734 end:
6735 SSL_free(serverssl);
6736 SSL_free(clientssl);
6737 SSL_CTX_free(sctx);
6738 SSL_CTX_free(cctx);
6739
6740 return testresult;
6741}
6742
6743/*
6744 * Test we can handle a KeyUpdate (update requested) message while
6745 * write data is pending in peer.
6746 * Test 0: Client sends KeyUpdate while Server is writing
6747 * Test 1: Server sends KeyUpdate while Client is writing
6748 */
6749static int test_key_update_peer_in_write(int tst)
6750{
6751 SSL_CTX *cctx = NULL, *sctx = NULL;
6752 SSL *clientssl = NULL, *serverssl = NULL;
6753 int testresult = 0;
6754 char buf[20];
6755 static char *mess = "A test message";
6756 BIO *bretry = BIO_new(bio_s_always_retry());
6757 BIO *tmp = NULL;
6758 SSL *peerupdate = NULL, *peerwrite = NULL;
6759
6760 if (!TEST_ptr(bretry)
6761 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6762 TLS_client_method(),
6763 TLS1_3_VERSION,
6764 0,
6765 &sctx, &cctx, cert, privkey))
6766 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6767 NULL, NULL))
6768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6769 SSL_ERROR_NONE)))
6770 goto end;
6771
6772 peerupdate = tst == 0 ? clientssl : serverssl;
6773 peerwrite = tst == 0 ? serverssl : clientssl;
6774
6775 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6776 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6777 goto end;
6778
6779 /* Swap the writing endpoint's write BIO to force a retry */
6780 tmp = SSL_get_wbio(peerwrite);
6781 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6782 tmp = NULL;
6783 goto end;
6784 }
6785 SSL_set0_wbio(peerwrite, bretry);
6786 bretry = NULL;
6787
6788 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6789 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6790 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6791 || !TEST_true(SSL_want_write(peerwrite))
6792 || !TEST_true(SSL_net_write_desired(peerwrite)))
6793 goto end;
6794
6795 /* Reinstate the original writing endpoint's write BIO */
6796 SSL_set0_wbio(peerwrite, tmp);
6797 tmp = NULL;
6798
6799 /* Now read some data - we will read the key update */
6800 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6801 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6802 || !TEST_true(SSL_want_read(peerwrite))
6803 || !TEST_true(SSL_net_read_desired(peerwrite)))
6804 goto end;
6805
6806 /*
6807 * Complete the write we started previously and read it from the other
6808 * endpoint
6809 */
6810 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6811 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6812 goto end;
6813
6814 /* Write more data to ensure we send the KeyUpdate message back */
6815 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6816 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6817 goto end;
6818
6819 if (!TEST_false(SSL_net_read_desired(peerwrite))
6820 || !TEST_false(SSL_net_write_desired(peerwrite))
6821 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6822 goto end;
6823
6824 testresult = 1;
6825
6826 end:
6827 SSL_free(serverssl);
6828 SSL_free(clientssl);
6829 SSL_CTX_free(sctx);
6830 SSL_CTX_free(cctx);
6831 BIO_free(bretry);
6832 BIO_free(tmp);
6833
6834 return testresult;
6835}
6836
6837/*
6838 * Test we can handle a KeyUpdate (update requested) message while
6839 * peer read data is pending after peer accepted keyupdate(the msg header
6840 * had been read 5 bytes).
6841 * Test 0: Client sends KeyUpdate while Server is reading
6842 * Test 1: Server sends KeyUpdate while Client is reading
6843 */
6844static int test_key_update_peer_in_read(int tst)
6845{
6846 SSL_CTX *cctx = NULL, *sctx = NULL;
6847 SSL *clientssl = NULL, *serverssl = NULL;
6848 int testresult = 0;
6849 char prbuf[515], lwbuf[515] = {0};
6850 static char *mess = "A test message";
6851 BIO *lbio = NULL, *pbio = NULL;
6852 SSL *local = NULL, *peer = NULL;
6853
6854 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6855 TLS_client_method(),
6856 TLS1_3_VERSION,
6857 0,
6858 &sctx, &cctx, cert, privkey))
6859 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6860 NULL, NULL))
6861 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6862 SSL_ERROR_NONE)))
6863 goto end;
6864
6865 local = tst == 0 ? clientssl : serverssl;
6866 peer = tst == 0 ? serverssl : clientssl;
6867
6868 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6869 goto end;
6870
6871 SSL_set_bio(local, lbio, lbio);
6872 SSL_set_bio(peer, pbio, pbio);
6873
6874 /*
6875 * we first write keyupdate msg then appdata in local
6876 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6877 * lwbuf app data msg size + key updata msg size > 512(the size of
6878 * the bio pair buffer)
6879 */
6880 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6881 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6882 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6883 goto end;
6884
6885 /*
6886 * first read keyupdate msg in peer in peer
6887 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6888 */
6889 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6890 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6891 goto end;
6892
6893 /* Now write some data in peer - we will write the key update */
6894 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6895 goto end;
6896
6897 /*
6898 * write data in local previously that we will complete
6899 * read data in peer previously that we will complete
6900 */
6901 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6902 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6903 goto end;
6904
6905 /* check that sending and receiving appdata ok */
6906 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6907 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6908 goto end;
6909
6910 testresult = 1;
6911
6912 end:
6913 SSL_free(serverssl);
6914 SSL_free(clientssl);
6915 SSL_CTX_free(sctx);
6916 SSL_CTX_free(cctx);
6917
6918 return testresult;
6919}
6920
6921/*
6922 * Test we can't send a KeyUpdate (update requested) message while
6923 * local write data is pending.
6924 * Test 0: Client sends KeyUpdate while Client is writing
6925 * Test 1: Server sends KeyUpdate while Server is writing
6926 */
6927static int test_key_update_local_in_write(int tst)
6928{
6929 SSL_CTX *cctx = NULL, *sctx = NULL;
6930 SSL *clientssl = NULL, *serverssl = NULL;
6931 int testresult = 0;
6932 char buf[20];
6933 static char *mess = "A test message";
6934 BIO *bretry = BIO_new(bio_s_always_retry());
6935 BIO *tmp = NULL;
6936 SSL *local = NULL, *peer = NULL;
6937
6938 if (!TEST_ptr(bretry)
6939 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6940 TLS_client_method(),
6941 TLS1_3_VERSION,
6942 0,
6943 &sctx, &cctx, cert, privkey))
6944 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6945 NULL, NULL))
6946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6947 SSL_ERROR_NONE)))
6948 goto end;
6949
6950 local = tst == 0 ? clientssl : serverssl;
6951 peer = tst == 0 ? serverssl : clientssl;
6952
6953 /* Swap the writing endpoint's write BIO to force a retry */
6954 tmp = SSL_get_wbio(local);
6955 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6956 tmp = NULL;
6957 goto end;
6958 }
6959 SSL_set0_wbio(local, bretry);
6960 bretry = NULL;
6961
6962 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6963 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6964 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6965 goto end;
6966
6967 /* Reinstate the original writing endpoint's write BIO */
6968 SSL_set0_wbio(local, tmp);
6969 tmp = NULL;
6970
6971 /* SSL_key_update will fail, because writing in local*/
6972 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6973 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6974 goto end;
6975
6976 ERR_clear_error();
6977 /* write data in local previously that we will complete */
6978 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6979 goto end;
6980
6981 /* SSL_key_update will succeed because there is no pending write data */
6982 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6983 || !TEST_int_eq(SSL_do_handshake(local), 1))
6984 goto end;
6985
6986 /*
6987 * we write some appdata in local
6988 * read data in peer - we will read the keyupdate msg
6989 */
6990 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6991 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6992 goto end;
6993
6994 /* Write more peer more data to ensure we send the keyupdate message back */
6995 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6996 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6997 goto end;
6998
6999 testresult = 1;
7000
7001 end:
7002 SSL_free(serverssl);
7003 SSL_free(clientssl);
7004 SSL_CTX_free(sctx);
7005 SSL_CTX_free(cctx);
7006 BIO_free(bretry);
7007 BIO_free(tmp);
7008
7009 return testresult;
7010}
7011
7012/*
7013 * Test we can handle a KeyUpdate (update requested) message while
7014 * local read data is pending(the msg header had been read 5 bytes).
7015 * Test 0: Client sends KeyUpdate while Client is reading
7016 * Test 1: Server sends KeyUpdate while Server is reading
7017 */
7018static int test_key_update_local_in_read(int tst)
7019{
7020 SSL_CTX *cctx = NULL, *sctx = NULL;
7021 SSL *clientssl = NULL, *serverssl = NULL;
7022 int testresult = 0;
7023 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7024 static char *mess = "A test message";
7025 BIO *lbio = NULL, *pbio = NULL;
7026 SSL *local = NULL, *peer = NULL;
7027
7028 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7029 TLS_client_method(),
7030 TLS1_3_VERSION,
7031 0,
7032 &sctx, &cctx, cert, privkey))
7033 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7034 NULL, NULL))
7035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7036 SSL_ERROR_NONE)))
7037 goto end;
7038
7039 local = tst == 0 ? clientssl : serverssl;
7040 peer = tst == 0 ? serverssl : clientssl;
7041
7042 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7043 goto end;
7044
7045 SSL_set_bio(local, lbio, lbio);
7046 SSL_set_bio(peer, pbio, pbio);
7047
7048 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7049 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7050 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7051 goto end;
7052
7053 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7054 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7055 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7056 goto end;
7057
7058 /* SSL_do_handshake will send keyupdate msg */
7059 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7060 || !TEST_int_eq(SSL_do_handshake(local), 1))
7061 goto end;
7062
7063 /*
7064 * write data in peer previously that we will complete
7065 * read data in local previously that we will complete
7066 */
7067 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7068 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7069 goto end;
7070
7071 /*
7072 * write data in local
7073 * read data in peer - we will read the key update
7074 */
7075 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7076 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7077 goto end;
7078
7079 /* Write more peer data to ensure we send the keyupdate message back */
7080 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7081 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7082 goto end;
7083
7084 testresult = 1;
7085
7086 end:
7087 SSL_free(serverssl);
7088 SSL_free(clientssl);
7089 SSL_CTX_free(sctx);
7090 SSL_CTX_free(cctx);
7091
7092 return testresult;
7093}
7094#endif /* OSSL_NO_USABLE_TLS1_3 */
7095
7096/*
7097 * Test clearing a connection via SSL_clear(), or resetting it via
7098 * SSL_set_connect_state()/SSL_set_accept_state()
7099 * Test 0: SSL_set_connect_state, TLSv1.3
7100 * Test 1: SSL_set_connect_state, TLSv1.2
7101 * Test 2: SSL_set_accept_state, TLSv1.3
7102 * Test 3: SSL_set_accept_state, TLSv1.2
7103 * Test 4: SSL_clear (client), TLSv1.3
7104 * Test 5: SSL_clear (client), TLSv1.2
7105 * Test 6: SSL_clear (server), TLSv1.3
7106 * Test 7: SSL_clear (server), TLSv1.2
7107 */
7108static int test_ssl_clear(int idx)
7109{
7110 SSL_CTX *cctx = NULL, *sctx = NULL;
7111 SSL *clientssl = NULL, *serverssl = NULL;
7112 SSL *writer, *reader;
7113 int testresult = 0;
7114 int tls12test, servertest, cleartest;
7115 size_t written, readbytes;
7116 const char *msg = "Hello World";
7117 unsigned char buf[5];
7118
7119 tls12test = idx & 1;
7120 idx >>= 1;
7121 servertest = idx & 1;
7122 idx >>= 1;
7123 cleartest = idx & 1;
7124
7125#ifdef OPENSSL_NO_TLS1_2
7126 if (tls12test == 1)
7127 return TEST_skip("No TLSv1.2 in this build");
7128#endif
7129
7130 /* Create an initial connection */
7131 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7132 TLS_client_method(), TLS1_VERSION, 0,
7133 &sctx, &cctx, cert, privkey))
7134 || (tls12test
7135 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7136 TLS1_2_VERSION)))
7137 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7138 &clientssl, NULL, NULL))
7139 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7140 SSL_ERROR_NONE)))
7141 goto end;
7142
7143 if (servertest) {
7144 writer = clientssl;
7145 reader = serverssl;
7146 } else {
7147 writer = serverssl;
7148 reader = clientssl;
7149 }
7150
7151 /* Write some data */
7152 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7153 || written != strlen(msg))
7154 goto end;
7155
7156 /*
7157 * Read a partial record. The remaining buffered data should be cleared by
7158 * the subsequent clear/reset
7159 */
7160 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7161 || readbytes != sizeof(buf))
7162 goto end;
7163
7164 SSL_shutdown(clientssl);
7165 SSL_shutdown(serverssl);
7166
7167 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7168 if (servertest) {
7169 if (cleartest) {
7170 if (!TEST_true(SSL_clear(serverssl)))
7171 goto end;
7172 } else {
7173 SSL_set_accept_state(serverssl);
7174 }
7175 /*
7176 * A peculiarity of SSL_clear() is that it does not clear the session.
7177 * This is intended behaviour so that a client can create a new
7178 * connection and reuse the session. But this doesn't make much sense
7179 * on the server side - and causes incorrect behaviour due to the
7180 * handshake failing (even though the documentation does say SSL_clear()
7181 * is supposed to work on the server side). We clear the session
7182 * explicitly - although note that the documentation for
7183 * SSL_set_session() says that its only useful for clients!
7184 */
7185 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7186 goto end;
7187 SSL_free(clientssl);
7188 clientssl = NULL;
7189 } else {
7190 if (cleartest) {
7191 if (!TEST_true(SSL_clear(clientssl)))
7192 goto end;
7193 } else {
7194 SSL_set_connect_state(clientssl);
7195 }
7196 SSL_free(serverssl);
7197 serverssl = NULL;
7198 }
7199
7200 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7201 NULL, NULL))
7202 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7203 SSL_ERROR_NONE))
7204 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7205 goto end;
7206
7207 SSL_shutdown(clientssl);
7208 SSL_shutdown(serverssl);
7209
7210 testresult = 1;
7211
7212 end:
7213 SSL_free(serverssl);
7214 SSL_free(clientssl);
7215 SSL_CTX_free(sctx);
7216 SSL_CTX_free(cctx);
7217
7218 return testresult;
7219}
7220
7221/* Parse CH and retrieve any MFL extension value if present */
7222static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7223{
7224 long len;
7225 unsigned char *data;
7226 PACKET pkt, pkt2, pkt3;
7227 unsigned int MFL_code = 0, type = 0;
7228
7229 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7230 goto end;
7231
7232 memset(&pkt, 0, sizeof(pkt));
7233 memset(&pkt2, 0, sizeof(pkt2));
7234 memset(&pkt3, 0, sizeof(pkt3));
7235
7236 if (!TEST_long_gt(len, 0)
7237 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7238 /* Skip the record header */
7239 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7240 /* Skip the handshake message header */
7241 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7242 /* Skip client version and random */
7243 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7244 + SSL3_RANDOM_SIZE))
7245 /* Skip session id */
7246 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7247 /* Skip ciphers */
7248 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7249 /* Skip compression */
7250 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7251 /* Extensions len */
7252 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7253 goto end;
7254
7255 /* Loop through all extensions */
7256 while (PACKET_remaining(&pkt2)) {
7257 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7258 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7259 goto end;
7260
7261 if (type == TLSEXT_TYPE_max_fragment_length) {
7262 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7263 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7264 goto end;
7265
7266 *mfl_codemfl_code = MFL_code;
7267 return 1;
7268 }
7269 }
7270
7271 end:
7272 return 0;
7273}
7274
7275/* Maximum-Fragment-Length TLS extension mode to test */
7276static const unsigned char max_fragment_len_test[] = {
7277 TLSEXT_max_fragment_length_512,
7278 TLSEXT_max_fragment_length_1024,
7279 TLSEXT_max_fragment_length_2048,
7280 TLSEXT_max_fragment_length_4096
7281};
7282
7283static int test_max_fragment_len_ext(int idx_tst)
7284{
7285 SSL_CTX *ctx = NULL;
7286 SSL *con = NULL;
7287 int testresult = 0, MFL_mode = 0;
7288 BIO *rbio, *wbio;
7289
7290 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7291 TLS1_VERSION, 0, NULL, &ctx, NULL,
7292 NULL)))
7293 return 0;
7294
7295 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7296 ctx, max_fragment_len_test[idx_tst])))
7297 goto end;
7298
7299 con = SSL_new(ctx);
7300 if (!TEST_ptr(con))
7301 goto end;
7302
7303 rbio = BIO_new(BIO_s_mem());
7304 wbio = BIO_new(BIO_s_mem());
7305 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7306 BIO_free(rbio);
7307 BIO_free(wbio);
7308 goto end;
7309 }
7310
7311 SSL_set_bio(con, rbio, wbio);
7312
7313 if (!TEST_int_le(SSL_connect(con), 0)) {
7314 /* This shouldn't succeed because we don't have a server! */
7315 goto end;
7316 }
7317
7318 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7319 /* no MFL in client hello */
7320 goto end;
7321 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7322 goto end;
7323
7324 testresult = 1;
7325
7326end:
7327 SSL_free(con);
7328 SSL_CTX_free(ctx);
7329
7330 return testresult;
7331}
7332
7333#ifndef OSSL_NO_USABLE_TLS1_3
7334static int test_pha_key_update(void)
7335{
7336 SSL_CTX *cctx = NULL, *sctx = NULL;
7337 SSL *clientssl = NULL, *serverssl = NULL;
7338 int testresult = 0;
7339
7340 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7341 TLS_client_method(), TLS1_VERSION, 0,
7342 &sctx, &cctx, cert, privkey)))
7343 return 0;
7344
7345 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7346 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7347 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7348 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7349 goto end;
7350
7351 SSL_CTX_set_post_handshake_auth(cctx, 1);
7352
7353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7354 NULL, NULL)))
7355 goto end;
7356
7357 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7358 SSL_ERROR_NONE)))
7359 goto end;
7360
7361 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7362 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7363 goto end;
7364
7365 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7366 goto end;
7367
7368 /* Start handshake on the server */
7369 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7370 goto end;
7371
7372 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7373 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7374 SSL_ERROR_NONE)))
7375 goto end;
7376
7377 SSL_shutdown(clientssl);
7378 SSL_shutdown(serverssl);
7379
7380 testresult = 1;
7381
7382 end:
7383 SSL_free(serverssl);
7384 SSL_free(clientssl);
7385 SSL_CTX_free(sctx);
7386 SSL_CTX_free(cctx);
7387 return testresult;
7388}
7389#endif
7390
7391#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7392
7393static SRP_VBASE *vbase = NULL;
7394
7395static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7396{
7397 int ret = SSL3_AL_FATAL;
7398 char *username;
7399 SRP_user_pwd *user = NULL;
7400
7401 username = SSL_get_srp_username(s);
7402 if (username == NULL) {
7403 *ad = SSL_AD_INTERNAL_ERROR;
7404 goto err;
7405 }
7406
7407 user = SRP_VBASE_get1_by_user(vbase, username);
7408 if (user == NULL) {
7409 *ad = SSL_AD_INTERNAL_ERROR;
7410 goto err;
7411 }
7412
7413 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7414 user->info) <= 0) {
7415 *ad = SSL_AD_INTERNAL_ERROR;
7416 goto err;
7417 }
7418
7419 ret = 0;
7420
7421 err:
7422 SRP_user_pwd_free(user);
7423 return ret;
7424}
7425
7426static int create_new_vfile(char *userid, char *password, const char *filename)
7427{
7428 char *gNid = NULL;
7429 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7430 TXT_DB *db = NULL;
7431 int ret = 0;
7432 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7433 size_t i;
7434
7435 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7436 goto end;
7437
7438 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7439 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7440 if (!TEST_ptr(gNid))
7441 goto end;
7442
7443 /*
7444 * The only way to create an empty TXT_DB is to provide a BIO with no data
7445 * in it!
7446 */
7447 db = TXT_DB_read(dummy, DB_NUMBER);
7448 if (!TEST_ptr(db))
7449 goto end;
7450
7451 out = BIO_new_file(filename, "w");
7452 if (!TEST_ptr(out))
7453 goto end;
7454
7455 row[DB_srpid] = OPENSSL_strdup(userid);
7456 row[DB_srptype] = OPENSSL_strdup("V");
7457 row[DB_srpgN] = OPENSSL_strdup(gNid);
7458
7459 if (!TEST_ptr(row[DB_srpid])
7460 || !TEST_ptr(row[DB_srptype])
7461 || !TEST_ptr(row[DB_srpgN])
7462 || !TEST_true(TXT_DB_insert(db, row)))
7463 goto end;
7464
7465 row = NULL;
7466
7467 if (TXT_DB_write(out, db) <= 0)
7468 goto end;
7469
7470 ret = 1;
7471 end:
7472 if (row != NULL) {
7473 for (i = 0; i < DB_NUMBER; i++)
7474 OPENSSL_free(row[i]);
7475 }
7476 OPENSSL_free(row);
7477 BIO_free(dummy);
7478 BIO_free(out);
7479 TXT_DB_free(db);
7480
7481 return ret;
7482}
7483
7484static int create_new_vbase(char *userid, char *password)
7485{
7486 BIGNUM *verifier = NULL, *salt = NULL;
7487 const SRP_gN *lgN = NULL;
7488 SRP_user_pwd *user_pwd = NULL;
7489 int ret = 0;
7490
7491 lgN = SRP_get_default_gN(NULL);
7492 if (!TEST_ptr(lgN))
7493 goto end;
7494
7495 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7496 lgN->N, lgN->g, libctx, NULL)))
7497 goto end;
7498
7499 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7500 if (!TEST_ptr(user_pwd))
7501 goto end;
7502
7503 user_pwd->N = lgN->N;
7504 user_pwd->g = lgN->g;
7505 user_pwd->id = OPENSSL_strdup(userid);
7506 if (!TEST_ptr(user_pwd->id))
7507 goto end;
7508
7509 user_pwd->v = verifier;
7510 user_pwd->s = salt;
7511 verifier = salt = NULL;
7512
7513 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7514 goto end;
7515 user_pwd = NULL;
7516
7517 ret = 1;
7518end:
7519 SRP_user_pwd_free(user_pwd);
7520 BN_free(salt);
7521 BN_free(verifier);
7522
7523 return ret;
7524}
7525
7526/*
7527 * SRP tests
7528 *
7529 * Test 0: Simple successful SRP connection, new vbase
7530 * Test 1: Connection failure due to bad password, new vbase
7531 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7532 * Test 3: Connection failure due to bad password, vbase loaded from existing
7533 * file
7534 * Test 4: Simple successful SRP connection, vbase loaded from new file
7535 * Test 5: Connection failure due to bad password, vbase loaded from new file
7536 */
7537static int test_srp(int tst)
7538{
7539 char *userid = "test", *password = "password", *tstsrpfile;
7540 SSL_CTX *cctx = NULL, *sctx = NULL;
7541 SSL *clientssl = NULL, *serverssl = NULL;
7542 int ret, testresult = 0;
7543
7544 vbase = SRP_VBASE_new(NULL);
7545 if (!TEST_ptr(vbase))
7546 goto end;
7547
7548 if (tst == 0 || tst == 1) {
7549 if (!TEST_true(create_new_vbase(userid, password)))
7550 goto end;
7551 } else {
7552 if (tst == 4 || tst == 5) {
7553 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7554 goto end;
7555 tstsrpfile = tmpfilename;
7556 } else {
7557 tstsrpfile = srpvfile;
7558 }
7559 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7560 goto end;
7561 }
7562
7563 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7564 TLS_client_method(), TLS1_VERSION, 0,
7565 &sctx, &cctx, cert, privkey)))
7566 goto end;
7567
7568 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7569 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7570 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7571 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7572 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7573 goto end;
7574
7575 if (tst % 2 == 1) {
7576 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7577 goto end;
7578 } else {
7579 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7580 goto end;
7581 }
7582
7583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7584 NULL, NULL)))
7585 goto end;
7586
7587 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7588 if (ret) {
7589 if (!TEST_true(tst % 2 == 0))
7590 goto end;
7591 } else {
7592 if (!TEST_true(tst % 2 == 1))
7593 goto end;
7594 }
7595
7596 testresult = 1;
7597
7598 end:
7599 SRP_VBASE_free(vbase);
7600 vbase = NULL;
7601 SSL_free(serverssl);
7602 SSL_free(clientssl);
7603 SSL_CTX_free(sctx);
7604 SSL_CTX_free(cctx);
7605
7606 return testresult;
7607}
7608#endif
7609
7610static int info_cb_failed = 0;
7611static int info_cb_offset = 0;
7612static int info_cb_this_state = -1;
7613
7614static struct info_cb_states_st {
7615 int where;
7616 const char *statestr;
7617} info_cb_states[][60] = {
7618 {
7619 /* TLSv1.2 server followed by resumption */
7620 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7621 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7622 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7623 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7624 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7625 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7626 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7627 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7628 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7629 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7630 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7631 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7632 {SSL_CB_EXIT, NULL}, {0, NULL},
7633 }, {
7634 /* TLSv1.2 client followed by resumption */
7635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7636 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7637 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7638 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7639 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7640 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7641 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7642 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7643 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7644 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7645 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7646 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7647 }, {
7648 /* TLSv1.3 server followed by resumption */
7649 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7650 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7651 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7652 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7653 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7654 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7655 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7656 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7657 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7658 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7659 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7660 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7661 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7662 }, {
7663 /* TLSv1.3 client followed by resumption */
7664 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7665 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7666 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7667 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7668 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7669 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7670 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7671 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7672 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7673 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7674 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7675 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7676 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7677 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7678 {SSL_CB_EXIT, NULL}, {0, NULL},
7679 }, {
7680 /* TLSv1.3 server, early_data */
7681 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7682 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7683 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7684 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7685 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7686 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7687 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7688 {SSL_CB_EXIT, NULL}, {0, NULL},
7689 }, {
7690 /* TLSv1.3 client, early_data */
7691 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7692 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7693 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7694 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7695 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7696 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7697 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7698 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7699 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7700 }, {
7701 /* TLSv1.3 server, certificate compression, followed by resumption */
7702 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7703 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7704 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7705 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7706 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7707 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7708 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7709 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7710 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7711 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7712 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7713 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7714 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7715 }, {
7716 /* TLSv1.3 client, certificate compression, followed by resumption */
7717 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7718 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7719 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7720 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7721 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7722 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7723 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7724 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7725 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7726 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7727 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7728 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7729 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7730 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7731 {SSL_CB_EXIT, NULL}, {0, NULL},
7732 }, {
7733 {0, NULL},
7734 }
7735};
7736
7737static void sslapi_info_callback(const SSL *s, int where, int ret)
7738{
7739 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7740
7741 /* We do not ever expect a connection to fail in this test */
7742 if (!TEST_false(ret == 0)) {
7743 info_cb_failed = 1;
7744 return;
7745 }
7746
7747 /*
7748 * Do some sanity checks. We never expect these things to happen in this
7749 * test
7750 */
7751 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7752 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7753 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7754 info_cb_failed = 1;
7755 return;
7756 }
7757
7758 /* Now check we're in the right state */
7759 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7760 info_cb_failed = 1;
7761 return;
7762 }
7763 if ((where & SSL_CB_LOOP) != 0
7764 && !TEST_int_eq(strcmp(SSL_state_string(s),
7765 state[info_cb_this_state].statestr), 0)) {
7766 info_cb_failed = 1;
7767 return;
7768 }
7769
7770 /*
7771 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7772 */
7773 if ((where & SSL_CB_HANDSHAKE_DONE)
7774 && SSL_in_init((SSL *)s) != 0) {
7775 info_cb_failed = 1;
7776 return;
7777 }
7778}
7779
7780/*
7781 * Test the info callback gets called when we expect it to.
7782 *
7783 * Test 0: TLSv1.2, server
7784 * Test 1: TLSv1.2, client
7785 * Test 2: TLSv1.3, server
7786 * Test 3: TLSv1.3, client
7787 * Test 4: TLSv1.3, server, early_data
7788 * Test 5: TLSv1.3, client, early_data
7789 * Test 6: TLSv1.3, server, compressed certificate
7790 * Test 7: TLSv1.3, client, compressed certificate
7791 */
7792static int test_info_callback(int tst)
7793{
7794 SSL_CTX *cctx = NULL, *sctx = NULL;
7795 SSL *clientssl = NULL, *serverssl = NULL;
7796 SSL_SESSION *clntsess = NULL;
7797 int testresult = 0;
7798 int tlsvers;
7799
7800 if (tst < 2) {
7801/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7802#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7803 || !defined(OPENSSL_NO_DH))
7804 tlsvers = TLS1_2_VERSION;
7805#else
7806 return 1;
7807#endif
7808 } else {
7809#ifndef OSSL_NO_USABLE_TLS1_3
7810 tlsvers = TLS1_3_VERSION;
7811#else
7812 return 1;
7813#endif
7814 }
7815
7816 /* Reset globals */
7817 info_cb_failed = 0;
7818 info_cb_this_state = -1;
7819 info_cb_offset = tst;
7820
7821#ifndef OSSL_NO_USABLE_TLS1_3
7822 if (tst >= 4 && tst < 6) {
7823 SSL_SESSION *sess = NULL;
7824 size_t written, readbytes;
7825 unsigned char buf[80];
7826 OSSL_TIME timer;
7827
7828 /* early_data tests */
7829 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7830 &serverssl, &sess, 0,
7831 SHA384_DIGEST_LENGTH)))
7832 goto end;
7833
7834 /* We don't actually need this reference */
7835 SSL_SESSION_free(sess);
7836
7837 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7838 sslapi_info_callback);
7839
7840 /* Write and read some early data and then complete the connection */
7841 timer = ossl_time_now();
7842 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7843 &written))
7844 || !TEST_size_t_eq(written, strlen(MSG1)))
7845 goto end;
7846
7847 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7848 sizeof(buf), &readbytes),
7849 SSL_READ_EARLY_DATA_SUCCESS)) {
7850 testresult = check_early_data_timeout(timer);
7851 goto end;
7852 }
7853
7854 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7855 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7856 SSL_EARLY_DATA_ACCEPTED)
7857 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7858 SSL_ERROR_NONE))
7859 || !TEST_false(info_cb_failed))
7860 goto end;
7861
7862 testresult = 1;
7863 goto end;
7864 }
7865#endif
7866
7867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7868 TLS_client_method(),
7869 tlsvers, tlsvers, &sctx, &cctx, cert,
7870 privkey)))
7871 goto end;
7872
7873 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7874 goto end;
7875
7876 /*
7877 * For even numbered tests we check the server callbacks. For odd numbers we
7878 * check the client.
7879 */
7880 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7881 sslapi_info_callback);
7882 if (tst >= 6) {
7883 if (!SSL_CTX_compress_certs(sctx, 0))
7884 goto end;
7885 }
7886
7887 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7888 &clientssl, NULL, NULL))
7889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7890 SSL_ERROR_NONE))
7891 || !TEST_false(info_cb_failed))
7892 goto end;
7893
7894
7895
7896 clntsess = SSL_get1_session(clientssl);
7897 SSL_shutdown(clientssl);
7898 SSL_shutdown(serverssl);
7899 SSL_free(serverssl);
7900 SSL_free(clientssl);
7901 serverssl = clientssl = NULL;
7902
7903 /* Now do a resumption */
7904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7905 NULL))
7906 || !TEST_true(SSL_set_session(clientssl, clntsess))
7907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7908 SSL_ERROR_NONE))
7909 || !TEST_true(SSL_session_reused(clientssl))
7910 || !TEST_false(info_cb_failed))
7911 goto end;
7912
7913 testresult = 1;
7914
7915 end:
7916 SSL_free(serverssl);
7917 SSL_free(clientssl);
7918 SSL_SESSION_free(clntsess);
7919 SSL_CTX_free(sctx);
7920 SSL_CTX_free(cctx);
7921 return testresult;
7922}
7923
7924static int test_ssl_pending(int tst)
7925{
7926 SSL_CTX *cctx = NULL, *sctx = NULL;
7927 SSL *clientssl = NULL, *serverssl = NULL;
7928 int testresult = 0;
7929 char msg[] = "A test message";
7930 char buf[5];
7931 size_t written, readbytes;
7932
7933 if (tst == 0) {
7934 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7935 TLS_client_method(),
7936 TLS1_VERSION, 0,
7937 &sctx, &cctx, cert, privkey)))
7938 goto end;
7939 } else {
7940#ifndef OPENSSL_NO_DTLS
7941 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7942 DTLS_client_method(),
7943 DTLS1_VERSION, 0,
7944 &sctx, &cctx, cert, privkey)))
7945 goto end;
7946
7947# ifdef OPENSSL_NO_DTLS1_2
7948 /* Not supported in the FIPS provider */
7949 if (is_fips) {
7950 testresult = 1;
7951 goto end;
7952 };
7953 /*
7954 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7955 * level 0
7956 */
7957 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7958 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7959 "DEFAULT:@SECLEVEL=0")))
7960 goto end;
7961# endif
7962#else
7963 return 1;
7964#endif
7965 }
7966
7967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7968 NULL, NULL))
7969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7970 SSL_ERROR_NONE)))
7971 goto end;
7972
7973 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7974 || !TEST_false(SSL_has_pending(clientssl))
7975 || !TEST_int_eq(SSL_pending(serverssl), 0)
7976 || !TEST_false(SSL_has_pending(serverssl))
7977 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7978 || !TEST_size_t_eq(written, sizeof(msg))
7979 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7980 || !TEST_size_t_eq(readbytes, sizeof(buf))
7981 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7982 || !TEST_true(SSL_has_pending(clientssl)))
7983 goto end;
7984
7985 testresult = 1;
7986
7987 end:
7988 SSL_free(serverssl);
7989 SSL_free(clientssl);
7990 SSL_CTX_free(sctx);
7991 SSL_CTX_free(cctx);
7992
7993 return testresult;
7994}
7995
7996static struct {
7997 unsigned int maxprot;
7998 const char *clntciphers;
7999 const char *clnttls13ciphers;
8000 const char *srvrciphers;
8001 const char *srvrtls13ciphers;
8002 const char *shared;
8003 const char *fipsshared;
8004} shared_ciphers_data[] = {
8005/*
8006 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8007 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8008 */
8009#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8010 {
8011 TLS1_2_VERSION,
8012 "AES128-SHA:AES256-SHA",
8013 NULL,
8014 "AES256-SHA:DHE-RSA-AES128-SHA",
8015 NULL,
8016 "AES256-SHA",
8017 "AES256-SHA"
8018 },
8019# if !defined(OPENSSL_NO_CHACHA) \
8020 && !defined(OPENSSL_NO_POLY1305) \
8021 && !defined(OPENSSL_NO_EC)
8022 {
8023 TLS1_2_VERSION,
8024 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8025 NULL,
8026 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8027 NULL,
8028 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8029 "AES128-SHA"
8030 },
8031# endif
8032 {
8033 TLS1_2_VERSION,
8034 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8035 NULL,
8036 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8037 NULL,
8038 "AES128-SHA:AES256-SHA",
8039 "AES128-SHA:AES256-SHA"
8040 },
8041 {
8042 TLS1_2_VERSION,
8043 "AES128-SHA:AES256-SHA",
8044 NULL,
8045 "AES128-SHA:DHE-RSA-AES128-SHA",
8046 NULL,
8047 "AES128-SHA",
8048 "AES128-SHA"
8049 },
8050#endif
8051/*
8052 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8053 * enabled.
8054 */
8055#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8056 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8057 {
8058 TLS1_3_VERSION,
8059 "AES128-SHA:AES256-SHA",
8060 NULL,
8061 "AES256-SHA:AES128-SHA256",
8062 NULL,
8063 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8064 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8065 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8066 },
8067#endif
8068#ifndef OSSL_NO_USABLE_TLS1_3
8069 {
8070 TLS1_3_VERSION,
8071 "AES128-SHA",
8072 "TLS_AES_256_GCM_SHA384",
8073 "AES256-SHA",
8074 "TLS_AES_256_GCM_SHA384",
8075 "TLS_AES_256_GCM_SHA384",
8076 "TLS_AES_256_GCM_SHA384"
8077 },
8078#endif
8079};
8080
8081static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8082{
8083 SSL_CTX *cctx = NULL, *sctx = NULL;
8084 SSL *clientssl = NULL, *serverssl = NULL;
8085 int testresult = 0;
8086 char buf[1024];
8087 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8088
8089 if (!TEST_ptr(tmplibctx))
8090 goto end;
8091
8092 /*
8093 * Regardless of whether we're testing with the FIPS provider loaded into
8094 * libctx, we want one peer to always use the full set of ciphersuites
8095 * available. Therefore we use a separate libctx with the default provider
8096 * loaded into it. We run the same tests twice - once with the client side
8097 * having the full set of ciphersuites and once with the server side.
8098 */
8099 if (clnt) {
8100 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8101 if (!TEST_ptr(cctx))
8102 goto end;
8103 } else {
8104 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8105 if (!TEST_ptr(sctx))
8106 goto end;
8107 }
8108
8109 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8110 TLS_client_method(),
8111 TLS1_VERSION,
8112 shared_ciphers_data[tst].maxprot,
8113 &sctx, &cctx, cert, privkey)))
8114 goto end;
8115
8116 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8117 shared_ciphers_data[tst].clntciphers))
8118 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8119 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8120 shared_ciphers_data[tst].clnttls13ciphers)))
8121 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8122 shared_ciphers_data[tst].srvrciphers))
8123 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8124 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8125 shared_ciphers_data[tst].srvrtls13ciphers))))
8126 goto end;
8127
8128
8129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8130 NULL, NULL))
8131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8132 SSL_ERROR_NONE)))
8133 goto end;
8134
8135 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8136 || !TEST_int_eq(strcmp(buf,
8137 is_fips
8138 ? shared_ciphers_data[tst].fipsshared
8139 : shared_ciphers_data[tst].shared),
8140 0)) {
8141 TEST_info("Shared ciphers are: %s\n", buf);
8142 goto end;
8143 }
8144
8145 testresult = 1;
8146
8147 end:
8148 SSL_free(serverssl);
8149 SSL_free(clientssl);
8150 SSL_CTX_free(sctx);
8151 SSL_CTX_free(cctx);
8152 OSSL_LIB_CTX_free(tmplibctx);
8153
8154 return testresult;
8155}
8156
8157static int test_ssl_get_shared_ciphers(int tst)
8158{
8159 return int_test_ssl_get_shared_ciphers(tst, 0)
8160 && int_test_ssl_get_shared_ciphers(tst, 1);
8161}
8162
8163
8164static const char *appdata = "Hello World";
8165static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8166static int tick_key_renew = 0;
8167static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8168
8169static int gen_tick_cb(SSL *s, void *arg)
8170{
8171 gen_tick_called = 1;
8172
8173 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8174 strlen(appdata));
8175}
8176
8177static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8178 const unsigned char *keyname,
8179 size_t keyname_length,
8180 SSL_TICKET_STATUS status,
8181 void *arg)
8182{
8183 void *tickdata;
8184 size_t tickdlen;
8185
8186 dec_tick_called = 1;
8187
8188 if (status == SSL_TICKET_EMPTY)
8189 return SSL_TICKET_RETURN_IGNORE_RENEW;
8190
8191 if (!TEST_true(status == SSL_TICKET_SUCCESS
8192 || status == SSL_TICKET_SUCCESS_RENEW))
8193 return SSL_TICKET_RETURN_ABORT;
8194
8195 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8196 &tickdlen))
8197 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8198 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8199 return SSL_TICKET_RETURN_ABORT;
8200
8201 if (tick_key_cb_called) {
8202 /* Don't change what the ticket key callback wanted to do */
8203 switch (status) {
8204 case SSL_TICKET_NO_DECRYPT:
8205 return SSL_TICKET_RETURN_IGNORE_RENEW;
8206
8207 case SSL_TICKET_SUCCESS:
8208 return SSL_TICKET_RETURN_USE;
8209
8210 case SSL_TICKET_SUCCESS_RENEW:
8211 return SSL_TICKET_RETURN_USE_RENEW;
8212
8213 default:
8214 return SSL_TICKET_RETURN_ABORT;
8215 }
8216 }
8217 return tick_dec_ret;
8218
8219}
8220
8221#ifndef OPENSSL_NO_DEPRECATED_3_0
8222static int tick_key_cb(SSL *s, unsigned char key_name[16],
8223 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8224 HMAC_CTX *hctx, int enc)
8225{
8226 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8227 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8228 EVP_CIPHER *aes128cbc;
8229 EVP_MD *sha256;
8230 int ret;
8231
8232 tick_key_cb_called = 1;
8233
8234 if (tick_key_renew == -1)
8235 return 0;
8236
8237 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8238 if (!TEST_ptr(aes128cbc))
8239 return 0;
8240 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8241 if (!TEST_ptr(sha256)) {
8242 EVP_CIPHER_free(aes128cbc);
8243 return 0;
8244 }
8245
8246 memset(iv, 0, AES_BLOCK_SIZE);
8247 memset(key_name, 0, 16);
8248 if (aes128cbc == NULL
8249 || sha256 == NULL
8250 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8251 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8252 NULL))
8253 ret = -1;
8254 else
8255 ret = tick_key_renew ? 2 : 1;
8256
8257 EVP_CIPHER_free(aes128cbc);
8258 EVP_MD_free(sha256);
8259
8260 return ret;
8261}
8262#endif
8263
8264static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8265 unsigned char iv[EVP_MAX_IV_LENGTH],
8266 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8267{
8268 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8269 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8270 OSSL_PARAM params[2];
8271 EVP_CIPHER *aes128cbc;
8272 int ret;
8273
8274 tick_key_cb_called = 1;
8275
8276 if (tick_key_renew == -1)
8277 return 0;
8278
8279 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8280 if (!TEST_ptr(aes128cbc))
8281 return 0;
8282
8283 memset(iv, 0, AES_BLOCK_SIZE);
8284 memset(key_name, 0, 16);
8285 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8286 "SHA256", 0);
8287 params[1] = OSSL_PARAM_construct_end();
8288 if (aes128cbc == NULL
8289 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8290 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8291 params))
8292 ret = -1;
8293 else
8294 ret = tick_key_renew ? 2 : 1;
8295
8296 EVP_CIPHER_free(aes128cbc);
8297
8298 return ret;
8299}
8300
8301/*
8302 * Test the various ticket callbacks
8303 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8304 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8305 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8306 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8307 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8308 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8309 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8310 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8311 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8312 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8313 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8314 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8315 * Test 12: TLSv1.2, old ticket key callback, no ticket
8316 * Test 13: TLSv1.3, old ticket key callback, no ticket
8317 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8318 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8319 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8320 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8321 * Test 18: TLSv1.2, ticket key callback, no ticket
8322 * Test 19: TLSv1.3, ticket key callback, no ticket
8323 */
8324static int test_ticket_callbacks(int tst)
8325{
8326 SSL_CTX *cctx = NULL, *sctx = NULL;
8327 SSL *clientssl = NULL, *serverssl = NULL;
8328 SSL_SESSION *clntsess = NULL;
8329 int testresult = 0;
8330
8331#ifdef OPENSSL_NO_TLS1_2
8332 if (tst % 2 == 0)
8333 return 1;
8334#endif
8335#ifdef OSSL_NO_USABLE_TLS1_3
8336 if (tst % 2 == 1)
8337 return 1;
8338#endif
8339#ifdef OPENSSL_NO_DEPRECATED_3_0
8340 if (tst >= 8 && tst <= 13)
8341 return 1;
8342#endif
8343
8344 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8345
8346 /* Which tests the ticket key callback should request renewal for */
8347
8348 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8349 tick_key_renew = 1;
8350 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8351 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8352 else
8353 tick_key_renew = 0;
8354
8355 /* Which tests the decrypt ticket callback should request renewal for */
8356 switch (tst) {
8357 case 0:
8358 case 1:
8359 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8360 break;
8361
8362 case 2:
8363 case 3:
8364 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8365 break;
8366
8367 case 4:
8368 case 5:
8369 tick_dec_ret = SSL_TICKET_RETURN_USE;
8370 break;
8371
8372 case 6:
8373 case 7:
8374 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8375 break;
8376
8377 default:
8378 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8379 }
8380
8381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8382 TLS_client_method(),
8383 TLS1_VERSION,
8384 ((tst % 2) == 0) ? TLS1_2_VERSION
8385 : TLS1_3_VERSION,
8386 &sctx, &cctx, cert, privkey)))
8387 goto end;
8388
8389 /*
8390 * We only want sessions to resume from tickets - not the session cache. So
8391 * switch the cache off.
8392 */
8393 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8394 goto end;
8395
8396 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8397 NULL)))
8398 goto end;
8399
8400 if (tst >= 14) {
8401 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8402 goto end;
8403#ifndef OPENSSL_NO_DEPRECATED_3_0
8404 } else if (tst >= 8) {
8405 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8406 goto end;
8407#endif
8408 }
8409
8410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8411 NULL, NULL))
8412 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8413 SSL_ERROR_NONE)))
8414 goto end;
8415
8416 /*
8417 * The decrypt ticket key callback in TLSv1.2 should be called even though
8418 * we have no ticket yet, because it gets called with a status of
8419 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8420 * actually send any ticket data). This does not happen in TLSv1.3 because
8421 * it is not valid to send empty ticket data in TLSv1.3.
8422 */
8423 if (!TEST_int_eq(gen_tick_called, 1)
8424 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8425 goto end;
8426
8427 gen_tick_called = dec_tick_called = 0;
8428
8429 clntsess = SSL_get1_session(clientssl);
8430 SSL_shutdown(clientssl);
8431 SSL_shutdown(serverssl);
8432 SSL_free(serverssl);
8433 SSL_free(clientssl);
8434 serverssl = clientssl = NULL;
8435
8436 /* Now do a resumption */
8437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8438 NULL))
8439 || !TEST_true(SSL_set_session(clientssl, clntsess))
8440 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8441 SSL_ERROR_NONE)))
8442 goto end;
8443
8444 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8445 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8446 || tick_key_renew == -1) {
8447 if (!TEST_false(SSL_session_reused(clientssl)))
8448 goto end;
8449 } else {
8450 if (!TEST_true(SSL_session_reused(clientssl)))
8451 goto end;
8452 }
8453
8454 if (!TEST_int_eq(gen_tick_called,
8455 (tick_key_renew
8456 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8457 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8458 ? 1 : 0)
8459 /* There is no ticket to decrypt in tests 13 and 19 */
8460 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8461 goto end;
8462
8463 testresult = 1;
8464
8465 end:
8466 SSL_SESSION_free(clntsess);
8467 SSL_free(serverssl);
8468 SSL_free(clientssl);
8469 SSL_CTX_free(sctx);
8470 SSL_CTX_free(cctx);
8471
8472 return testresult;
8473}
8474
8475/*
8476 * Test incorrect shutdown.
8477 * Test 0: client does not shutdown properly,
8478 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8479 * server should get SSL_ERROR_SSL
8480 * Test 1: client does not shutdown properly,
8481 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8482 * server should get SSL_ERROR_ZERO_RETURN
8483 */
8484static int test_incorrect_shutdown(int tst)
8485{
8486 SSL_CTX *cctx = NULL, *sctx = NULL;
8487 SSL *clientssl = NULL, *serverssl = NULL;
8488 int testresult = 0;
8489 char buf[80];
8490 BIO *c2s;
8491
8492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8493 TLS_client_method(), 0, 0,
8494 &sctx, &cctx, cert, privkey)))
8495 goto end;
8496
8497 if (tst == 1)
8498 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8499
8500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8501 NULL, NULL)))
8502 goto end;
8503
8504 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8505 SSL_ERROR_NONE)))
8506 goto end;
8507
8508 c2s = SSL_get_rbio(serverssl);
8509 BIO_set_mem_eof_return(c2s, 0);
8510
8511 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8512 goto end;
8513
8514 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8515 goto end;
8516 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8517 goto end;
8518
8519 testresult = 1;
8520
8521 end:
8522 SSL_free(serverssl);
8523 SSL_free(clientssl);
8524 SSL_CTX_free(sctx);
8525 SSL_CTX_free(cctx);
8526
8527 return testresult;
8528}
8529
8530/*
8531 * Test bi-directional shutdown.
8532 * Test 0: TLSv1.2
8533 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8534 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8535 * Test 3: TLSv1.3, pending NewSessionTicket messages
8536 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8537 * sends key update, client reads it
8538 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8539 * sends CertificateRequest, client reads and ignores it
8540 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8541 * doesn't read it
8542 */
8543static int test_shutdown(int tst)
8544{
8545 SSL_CTX *cctx = NULL, *sctx = NULL;
8546 SSL *clientssl = NULL, *serverssl = NULL;
8547 int testresult = 0;
8548 char msg[] = "A test message";
8549 char buf[80];
8550 size_t written, readbytes;
8551 SSL_SESSION *sess;
8552
8553#ifdef OPENSSL_NO_TLS1_2
8554 if (tst <= 1)
8555 return 1;
8556#endif
8557#ifdef OSSL_NO_USABLE_TLS1_3
8558 if (tst >= 2)
8559 return 1;
8560#endif
8561
8562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8563 TLS_client_method(),
8564 TLS1_VERSION,
8565 (tst <= 1) ? TLS1_2_VERSION
8566 : TLS1_3_VERSION,
8567 &sctx, &cctx, cert, privkey)))
8568 goto end;
8569
8570 if (tst == 5)
8571 SSL_CTX_set_post_handshake_auth(cctx, 1);
8572
8573 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8574 NULL, NULL)))
8575 goto end;
8576
8577 if (tst == 3) {
8578 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8579 SSL_ERROR_NONE, 1, 0))
8580 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8581 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8582 goto end;
8583 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8584 SSL_ERROR_NONE))
8585 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8586 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8587 goto end;
8588 }
8589
8590 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8591 goto end;
8592
8593 if (tst >= 4) {
8594 /*
8595 * Reading on the server after the client has sent close_notify should
8596 * fail and provide SSL_ERROR_ZERO_RETURN
8597 */
8598 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8599 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8600 SSL_ERROR_ZERO_RETURN)
8601 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8602 SSL_RECEIVED_SHUTDOWN)
8603 /*
8604 * Even though we're shutdown on receive we should still be
8605 * able to write.
8606 */
8607 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8608 goto end;
8609 if (tst == 4
8610 && !TEST_true(SSL_key_update(serverssl,
8611 SSL_KEY_UPDATE_REQUESTED)))
8612 goto end;
8613 if (tst == 5) {
8614 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8615 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8616 goto end;
8617 }
8618 if ((tst == 4 || tst == 5)
8619 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8620 goto end;
8621 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8622 goto end;
8623 if (tst == 4 || tst == 5) {
8624 /* Should still be able to read data from server */
8625 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8626 &readbytes))
8627 || !TEST_size_t_eq(readbytes, sizeof(msg))
8628 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8629 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8630 &readbytes))
8631 || !TEST_size_t_eq(readbytes, sizeof(msg))
8632 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8633 goto end;
8634 }
8635 }
8636
8637 /* Writing on the client after sending close_notify shouldn't be possible */
8638 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8639 goto end;
8640
8641 if (tst < 4) {
8642 /*
8643 * For these tests the client has sent close_notify but it has not yet
8644 * been received by the server. The server has not sent close_notify
8645 * yet.
8646 */
8647 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8648 /*
8649 * Writing on the server after sending close_notify shouldn't
8650 * be possible.
8651 */
8652 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8653 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8654 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8655 || !TEST_true(SSL_SESSION_is_resumable(sess))
8656 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8657 goto end;
8658 } else if (tst == 4 || tst == 5) {
8659 /*
8660 * In this test the client has sent close_notify and it has been
8661 * received by the server which has responded with a close_notify. The
8662 * client needs to read the close_notify sent by the server.
8663 */
8664 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8665 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8666 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8667 goto end;
8668 } else {
8669 /*
8670 * tst == 6
8671 *
8672 * The client has sent close_notify and is expecting a close_notify
8673 * back, but instead there is application data first. The shutdown
8674 * should fail with a fatal error.
8675 */
8676 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8677 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8678 goto end;
8679 }
8680
8681 testresult = 1;
8682
8683 end:
8684 SSL_free(serverssl);
8685 SSL_free(clientssl);
8686 SSL_CTX_free(sctx);
8687 SSL_CTX_free(cctx);
8688
8689 return testresult;
8690}
8691
8692/*
8693 * Test that sending close_notify alerts works correctly in the case of a
8694 * retryable write failure.
8695 */
8696static int test_async_shutdown(void)
8697{
8698 SSL_CTX *cctx = NULL, *sctx = NULL;
8699 SSL *clientssl = NULL, *serverssl = NULL;
8700 int testresult = 0;
8701 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8702
8703 if (!TEST_ptr(bretry))
8704 goto end;
8705
8706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8707 TLS_client_method(),
8708 0, 0,
8709 &sctx, &cctx, cert, privkey)))
8710 goto end;
8711
8712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8713 NULL)))
8714 goto end;
8715
8716 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8717 goto end;
8718
8719 /* Close write side of clientssl */
8720 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8721 goto end;
8722
8723 tmp = SSL_get_wbio(serverssl);
8724 if (!TEST_true(BIO_up_ref(tmp))) {
8725 tmp = NULL;
8726 goto end;
8727 }
8728 SSL_set0_wbio(serverssl, bretry);
8729 bretry = NULL;
8730
8731 /* First server shutdown should fail because of a retrable write failure */
8732 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8733 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8734 goto end;
8735
8736 /* Second server shutdown should fail for the same reason */
8737 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8738 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8739 goto end;
8740
8741 SSL_set0_wbio(serverssl, tmp);
8742 tmp = NULL;
8743
8744 /* Third server shutdown should send close_notify */
8745 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8746 goto end;
8747
8748 /* Fourth server shutdown should read close_notify from client and finish */
8749 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8750 goto end;
8751
8752 /* Client should also successfully fully shutdown */
8753 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8754 goto end;
8755
8756 testresult = 1;
8757 end:
8758 SSL_free(serverssl);
8759 SSL_free(clientssl);
8760 SSL_CTX_free(sctx);
8761 SSL_CTX_free(cctx);
8762 BIO_free(bretry);
8763 BIO_free(tmp);
8764
8765 return testresult;
8766}
8767
8768#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8769static int cert_cb_cnt;
8770
8771static int cert_cb(SSL *s, void *arg)
8772{
8773 SSL_CTX *ctx = (SSL_CTX *)arg;
8774 BIO *in = NULL;
8775 EVP_PKEY *pkey = NULL;
8776 X509 *x509 = NULL, *rootx = NULL;
8777 STACK_OF(X509) *chain = NULL;
8778 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8779 int ret = 0;
8780
8781 if (cert_cb_cnt == 0) {
8782 /* Suspend the handshake */
8783 cert_cb_cnt++;
8784 return -1;
8785 } else if (cert_cb_cnt == 1) {
8786 /*
8787 * Update the SSL_CTX, set the certificate and private key and then
8788 * continue the handshake normally.
8789 */
8790 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8791 return 0;
8792
8793 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8794 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8795 SSL_FILETYPE_PEM))
8796 || !TEST_true(SSL_check_private_key(s)))
8797 return 0;
8798 cert_cb_cnt++;
8799 return 1;
8800 } else if (cert_cb_cnt == 3) {
8801 int rv;
8802
8803 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8804 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8805 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8806 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8807 goto out;
8808 chain = sk_X509_new_null();
8809 if (!TEST_ptr(chain))
8810 goto out;
8811 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8812 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8813 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8814 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8815 || !TEST_true(sk_X509_push(chain, rootx)))
8816 goto out;
8817 rootx = NULL;
8818 BIO_free(in);
8819 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8820 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8821 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8822 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8823 goto out;
8824 BIO_free(in);
8825 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8826 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8827 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8828 NULL, NULL,
8829 libctx, NULL)))
8830 goto out;
8831 rv = SSL_check_chain(s, x509, pkey, chain);
8832 /*
8833 * If the cert doesn't show as valid here (e.g., because we don't
8834 * have any shared sigalgs), then we will not set it, and there will
8835 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8836 * will cause tls_choose_sigalgs() to fail the connection.
8837 */
8838 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8839 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8840 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8841 goto out;
8842 }
8843
8844 ret = 1;
8845 }
8846
8847 /* Abort the handshake */
8848 out:
8849 OPENSSL_free(ecdsacert);
8850 OPENSSL_free(ecdsakey);
8851 OPENSSL_free(rootfile);
8852 BIO_free(in);
8853 EVP_PKEY_free(pkey);
8854 X509_free(x509);
8855 X509_free(rootx);
8856 OSSL_STACK_OF_X509_free(chain);
8857 return ret;
8858}
8859
8860/*
8861 * Test the certificate callback.
8862 * Test 0: Callback fails
8863 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8864 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8865 * Test 3: Success - Call SSL_check_chain from the callback
8866 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8867 * chain
8868 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8869 */
8870static int test_cert_cb_int(int prot, int tst)
8871{
8872 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8873 SSL *clientssl = NULL, *serverssl = NULL;
8874 int testresult = 0, ret;
8875
8876#ifdef OPENSSL_NO_EC
8877 /* We use an EC cert in these tests, so we skip in a no-ec build */
8878 if (tst >= 3)
8879 return 1;
8880#endif
8881
8882 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8883 TLS_client_method(),
8884 TLS1_VERSION,
8885 prot,
8886 &sctx, &cctx, NULL, NULL)))
8887 goto end;
8888
8889 if (tst == 0)
8890 cert_cb_cnt = -1;
8891 else if (tst >= 3)
8892 cert_cb_cnt = 3;
8893 else
8894 cert_cb_cnt = 0;
8895
8896 if (tst == 2) {
8897 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8898 if (!TEST_ptr(snictx))
8899 goto end;
8900 }
8901
8902 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8903
8904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8905 NULL, NULL)))
8906 goto end;
8907
8908 if (tst == 4) {
8909 /*
8910 * We cause SSL_check_chain() to fail by specifying sig_algs that
8911 * the chain doesn't meet (the root uses an RSA cert)
8912 */
8913 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8914 "ecdsa_secp256r1_sha256")))
8915 goto end;
8916 } else if (tst == 5) {
8917 /*
8918 * We cause SSL_check_chain() to fail by specifying sig_algs that
8919 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8920 */
8921 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8922 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8923 goto end;
8924 }
8925
8926 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8927 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8928 || (tst > 0
8929 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8930 goto end;
8931 }
8932
8933 testresult = 1;
8934
8935 end:
8936 SSL_free(serverssl);
8937 SSL_free(clientssl);
8938 SSL_CTX_free(sctx);
8939 SSL_CTX_free(cctx);
8940 SSL_CTX_free(snictx);
8941
8942 return testresult;
8943}
8944#endif
8945
8946static int test_cert_cb(int tst)
8947{
8948 int testresult = 1;
8949
8950#ifndef OPENSSL_NO_TLS1_2
8951 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8952#endif
8953#ifndef OSSL_NO_USABLE_TLS1_3
8954 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8955#endif
8956
8957 return testresult;
8958}
8959
8960static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8961{
8962 X509 *xcert;
8963 EVP_PKEY *privpkey;
8964 BIO *in = NULL;
8965 BIO *priv_in = NULL;
8966
8967 /* Check that SSL_get0_peer_certificate() returns something sensible */
8968 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8969 return 0;
8970
8971 in = BIO_new_file(cert, "r");
8972 if (!TEST_ptr(in))
8973 return 0;
8974
8975 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8976 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8977 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8978 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8979 NULL, NULL,
8980 libctx, NULL)))
8981 goto err;
8982
8983 *x509 = xcert;
8984 *pkey = privpkey;
8985
8986 BIO_free(in);
8987 BIO_free(priv_in);
8988 return 1;
8989err:
8990 X509_free(xcert);
8991 BIO_free(in);
8992 BIO_free(priv_in);
8993 return 0;
8994}
8995
8996static int test_client_cert_cb(int tst)
8997{
8998 SSL_CTX *cctx = NULL, *sctx = NULL;
8999 SSL *clientssl = NULL, *serverssl = NULL;
9000 int testresult = 0;
9001
9002#ifdef OPENSSL_NO_TLS1_2
9003 if (tst == 0)
9004 return 1;
9005#endif
9006#ifdef OSSL_NO_USABLE_TLS1_3
9007 if (tst == 1)
9008 return 1;
9009#endif
9010
9011 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9012 TLS_client_method(),
9013 TLS1_VERSION,
9014 tst == 0 ? TLS1_2_VERSION
9015 : TLS1_3_VERSION,
9016 &sctx, &cctx, cert, privkey)))
9017 goto end;
9018
9019 /*
9020 * Test that setting a client_cert_cb results in a client certificate being
9021 * sent.
9022 */
9023 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9024 SSL_CTX_set_verify(sctx,
9025 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9026 verify_cb);
9027
9028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9029 NULL, NULL))
9030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9031 SSL_ERROR_NONE)))
9032 goto end;
9033
9034 testresult = 1;
9035
9036 end:
9037 SSL_free(serverssl);
9038 SSL_free(clientssl);
9039 SSL_CTX_free(sctx);
9040 SSL_CTX_free(cctx);
9041
9042 return testresult;
9043}
9044
9045#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9046/*
9047 * Test setting certificate authorities on both client and server.
9048 *
9049 * Test 0: SSL_CTX_set0_CA_list() only
9050 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9051 * Test 2: Only SSL_CTX_set_client_CA_list()
9052 */
9053static int test_ca_names_int(int prot, int tst)
9054{
9055 SSL_CTX *cctx = NULL, *sctx = NULL;
9056 SSL *clientssl = NULL, *serverssl = NULL;
9057 int testresult = 0;
9058 size_t i;
9059 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9060 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9061 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9062 const STACK_OF(X509_NAME) *sktmp = NULL;
9063
9064 for (i = 0; i < OSSL_NELEM(name); i++) {
9065 name[i] = X509_NAME_new();
9066 if (!TEST_ptr(name[i])
9067 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9068 MBSTRING_ASC,
9069 (unsigned char *)
9070 strnames[i],
9071 -1, -1, 0)))
9072 goto end;
9073 }
9074
9075 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9076 TLS_client_method(),
9077 TLS1_VERSION,
9078 prot,
9079 &sctx, &cctx, cert, privkey)))
9080 goto end;
9081
9082 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9083
9084 if (tst == 0 || tst == 1) {
9085 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9086 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9087 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9088 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9089 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9090 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9091 goto end;
9092
9093 SSL_CTX_set0_CA_list(sctx, sk1);
9094 SSL_CTX_set0_CA_list(cctx, sk2);
9095 sk1 = sk2 = NULL;
9096 }
9097 if (tst == 1 || tst == 2) {
9098 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9099 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9100 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9101 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9102 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9103 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9104 goto end;
9105
9106 SSL_CTX_set_client_CA_list(sctx, sk1);
9107 SSL_CTX_set_client_CA_list(cctx, sk2);
9108 sk1 = sk2 = NULL;
9109 }
9110
9111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9112 NULL, NULL))
9113 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9114 SSL_ERROR_NONE)))
9115 goto end;
9116
9117 /*
9118 * We only expect certificate authorities to have been sent to the server
9119 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9120 */
9121 sktmp = SSL_get0_peer_CA_list(serverssl);
9122 if (prot == TLS1_3_VERSION
9123 && (tst == 0 || tst == 1)) {
9124 if (!TEST_ptr(sktmp)
9125 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9126 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9127 name[0]), 0)
9128 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9129 name[1]), 0))
9130 goto end;
9131 } else if (!TEST_ptr_null(sktmp)) {
9132 goto end;
9133 }
9134
9135 /*
9136 * In all tests we expect certificate authorities to have been sent to the
9137 * client. However, SSL_set_client_CA_list() should override
9138 * SSL_set0_CA_list()
9139 */
9140 sktmp = SSL_get0_peer_CA_list(clientssl);
9141 if (!TEST_ptr(sktmp)
9142 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9143 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9144 name[tst == 0 ? 0 : 2]), 0)
9145 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9146 name[tst == 0 ? 1 : 3]), 0))
9147 goto end;
9148
9149 testresult = 1;
9150
9151 end:
9152 SSL_free(serverssl);
9153 SSL_free(clientssl);
9154 SSL_CTX_free(sctx);
9155 SSL_CTX_free(cctx);
9156 for (i = 0; i < OSSL_NELEM(name); i++)
9157 X509_NAME_free(name[i]);
9158 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9159 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9160
9161 return testresult;
9162}
9163#endif
9164
9165static int test_ca_names(int tst)
9166{
9167 int testresult = 1;
9168
9169#ifndef OPENSSL_NO_TLS1_2
9170 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9171#endif
9172#ifndef OSSL_NO_USABLE_TLS1_3
9173 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9174#endif
9175
9176 return testresult;
9177}
9178
9179#ifndef OPENSSL_NO_TLS1_2
9180static const char *multiblock_cipherlist_data[]=
9181{
9182 "AES128-SHA",
9183 "AES128-SHA256",
9184 "AES256-SHA",
9185 "AES256-SHA256",
9186};
9187
9188/* Reduce the fragment size - so the multiblock test buffer can be small */
9189# define MULTIBLOCK_FRAGSIZE 512
9190
9191static int test_multiblock_write(int test_index)
9192{
9193 static const char *fetchable_ciphers[]=
9194 {
9195 "AES-128-CBC-HMAC-SHA1",
9196 "AES-128-CBC-HMAC-SHA256",
9197 "AES-256-CBC-HMAC-SHA1",
9198 "AES-256-CBC-HMAC-SHA256"
9199 };
9200 const char *cipherlist = multiblock_cipherlist_data[test_index];
9201 const SSL_METHOD *smeth = TLS_server_method();
9202 const SSL_METHOD *cmeth = TLS_client_method();
9203 int min_version = TLS1_VERSION;
9204 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9205 SSL_CTX *cctx = NULL, *sctx = NULL;
9206 SSL *clientssl = NULL, *serverssl = NULL;
9207 int testresult = 0;
9208
9209 /*
9210 * Choose a buffer large enough to perform a multi-block operation
9211 * i.e: write_len >= 4 * frag_size
9212 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9213 */
9214 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9215 unsigned char buf[sizeof(msg)], *p = buf;
9216 size_t readbytes, written, len;
9217 EVP_CIPHER *ciph = NULL;
9218
9219 /*
9220 * Check if the cipher exists before attempting to use it since it only has
9221 * a hardware specific implementation.
9222 */
9223 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9224 if (ciph == NULL) {
9225 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9226 return 1;
9227 }
9228 EVP_CIPHER_free(ciph);
9229
9230 /* Set up a buffer with some data that will be sent to the client */
9231 RAND_bytes(msg, sizeof(msg));
9232
9233 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9234 max_version, &sctx, &cctx, cert,
9235 privkey)))
9236 goto end;
9237
9238 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9239 goto end;
9240
9241 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9242 NULL, NULL)))
9243 goto end;
9244
9245 /* settings to force it to use AES-CBC-HMAC_SHA */
9246 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9247 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9248 goto end;
9249
9250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9251 goto end;
9252
9253 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9254 || !TEST_size_t_eq(written, sizeof(msg)))
9255 goto end;
9256
9257 len = written;
9258 while (len > 0) {
9259 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9260 goto end;
9261 p += readbytes;
9262 len -= readbytes;
9263 }
9264 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9265 goto end;
9266
9267 testresult = 1;
9268end:
9269 SSL_free(serverssl);
9270 SSL_free(clientssl);
9271 SSL_CTX_free(sctx);
9272 SSL_CTX_free(cctx);
9273
9274 return testresult;
9275}
9276#endif /* OPENSSL_NO_TLS1_2 */
9277
9278static int test_session_timeout(int test)
9279{
9280 /*
9281 * Test session ordering and timeout
9282 * Can't explicitly test performance of the new code,
9283 * but can test to see if the ordering of the sessions
9284 * are correct, and they are removed as expected
9285 */
9286 SSL_SESSION *early = NULL;
9287 SSL_SESSION *middle = NULL;
9288 SSL_SESSION *late = NULL;
9289 SSL_CTX *ctx;
9290 int testresult = 0;
9291 long now = (long)time(NULL);
9292#define TIMEOUT 10
9293
9294 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9295 || !TEST_ptr(early = SSL_SESSION_new())
9296 || !TEST_ptr(middle = SSL_SESSION_new())
9297 || !TEST_ptr(late = SSL_SESSION_new()))
9298 goto end;
9299
9300 /* assign unique session ids */
9301 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9302 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9303 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9304 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9305 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9306 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9307
9308 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9309 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9310 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9311 goto end;
9312
9313 /* Make sure they are all added */
9314 if (!TEST_ptr(early->prev)
9315 || !TEST_ptr(middle->prev)
9316 || !TEST_ptr(late->prev))
9317 goto end;
9318
9319 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9320 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9321 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9322 goto end;
9323
9324 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9325 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9326 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9327 goto end;
9328
9329 /* Make sure they are all still there */
9330 if (!TEST_ptr(early->prev)
9331 || !TEST_ptr(middle->prev)
9332 || !TEST_ptr(late->prev))
9333 goto end;
9334
9335 /* Make sure they are in the expected order */
9336 if (!TEST_ptr_eq(late->next, middle)
9337 || !TEST_ptr_eq(middle->next, early)
9338 || !TEST_ptr_eq(early->prev, middle)
9339 || !TEST_ptr_eq(middle->prev, late))
9340 goto end;
9341
9342 /* This should remove "early" */
9343 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9344 if (!TEST_ptr_null(early->prev)
9345 || !TEST_ptr(middle->prev)
9346 || !TEST_ptr(late->prev))
9347 goto end;
9348
9349 /* This should remove "middle" */
9350 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9351 if (!TEST_ptr_null(early->prev)
9352 || !TEST_ptr_null(middle->prev)
9353 || !TEST_ptr(late->prev))
9354 goto end;
9355
9356 /* This should remove "late" */
9357 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9358 if (!TEST_ptr_null(early->prev)
9359 || !TEST_ptr_null(middle->prev)
9360 || !TEST_ptr_null(late->prev))
9361 goto end;
9362
9363 /* Add them back in again */
9364 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9365 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9366 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9367 goto end;
9368
9369 /* Make sure they are all added */
9370 if (!TEST_ptr(early->prev)
9371 || !TEST_ptr(middle->prev)
9372 || !TEST_ptr(late->prev))
9373 goto end;
9374
9375 /* This should remove all of them */
9376 SSL_CTX_flush_sessions(ctx, 0);
9377 if (!TEST_ptr_null(early->prev)
9378 || !TEST_ptr_null(middle->prev)
9379 || !TEST_ptr_null(late->prev))
9380 goto end;
9381
9382 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9383 | SSL_CTX_get_session_cache_mode(ctx));
9384
9385 /* make sure |now| is NOT equal to the current time */
9386 now -= 10;
9387 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9388 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9389 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9390 goto end;
9391
9392 testresult = 1;
9393 end:
9394 SSL_CTX_free(ctx);
9395 SSL_SESSION_free(early);
9396 SSL_SESSION_free(middle);
9397 SSL_SESSION_free(late);
9398 return testresult;
9399}
9400
9401/*
9402 * Test that a session cache overflow works as expected
9403 * Test 0: TLSv1.3, timeout on new session later than old session
9404 * Test 1: TLSv1.2, timeout on new session later than old session
9405 * Test 2: TLSv1.3, timeout on new session earlier than old session
9406 * Test 3: TLSv1.2, timeout on new session earlier than old session
9407 */
9408#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9409static int test_session_cache_overflow(int idx)
9410{
9411 SSL_CTX *sctx = NULL, *cctx = NULL;
9412 SSL *serverssl = NULL, *clientssl = NULL;
9413 int testresult = 0;
9414 SSL_SESSION *sess = NULL;
9415
9416#ifdef OSSL_NO_USABLE_TLS1_3
9417 /* If no TLSv1.3 available then do nothing in this case */
9418 if (idx % 2 == 0)
9419 return TEST_skip("No TLSv1.3 available");
9420#endif
9421#ifdef OPENSSL_NO_TLS1_2
9422 /* If no TLSv1.2 available then do nothing in this case */
9423 if (idx % 2 == 1)
9424 return TEST_skip("No TLSv1.2 available");
9425#endif
9426
9427 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9428 TLS_client_method(), TLS1_VERSION,
9429 (idx % 2 == 0) ? TLS1_3_VERSION
9430 : TLS1_2_VERSION,
9431 &sctx, &cctx, cert, privkey))
9432 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9433 goto end;
9434
9435 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9436 get_sess_val = NULL;
9437
9438 SSL_CTX_sess_set_cache_size(sctx, 1);
9439
9440 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9441 NULL, NULL)))
9442 goto end;
9443
9444 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9445 goto end;
9446
9447 if (idx > 1) {
9448 sess = SSL_get_session(serverssl);
9449 if (!TEST_ptr(sess))
9450 goto end;
9451
9452 /*
9453 * Cause this session to have a longer timeout than the next session to
9454 * be added.
9455 */
9456 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9457 sess = NULL;
9458 goto end;
9459 }
9460 sess = NULL;
9461 }
9462
9463 SSL_shutdown(serverssl);
9464 SSL_shutdown(clientssl);
9465 SSL_free(serverssl);
9466 SSL_free(clientssl);
9467 serverssl = clientssl = NULL;
9468
9469 /*
9470 * Session cache size is 1 and we already populated the cache with a session
9471 * so the next connection should cause an overflow.
9472 */
9473
9474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9475 NULL, NULL)))
9476 goto end;
9477
9478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9479 goto end;
9480
9481 /*
9482 * The session we just negotiated may have been already removed from the
9483 * internal cache - but we will return it anyway from our external cache.
9484 */
9485 get_sess_val = SSL_get_session(serverssl);
9486 if (!TEST_ptr(get_sess_val))
9487 goto end;
9488 sess = SSL_get1_session(clientssl);
9489 if (!TEST_ptr(sess))
9490 goto end;
9491
9492 SSL_shutdown(serverssl);
9493 SSL_shutdown(clientssl);
9494 SSL_free(serverssl);
9495 SSL_free(clientssl);
9496 serverssl = clientssl = NULL;
9497
9498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9499 NULL, NULL)))
9500 goto end;
9501
9502 if (!TEST_true(SSL_set_session(clientssl, sess)))
9503 goto end;
9504
9505 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9506 goto end;
9507
9508 testresult = 1;
9509
9510 end:
9511 SSL_free(serverssl);
9512 SSL_free(clientssl);
9513 SSL_CTX_free(sctx);
9514 SSL_CTX_free(cctx);
9515 SSL_SESSION_free(sess);
9516
9517 return testresult;
9518}
9519#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9520
9521/*
9522 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9523 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9524 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9525 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9526 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9527 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9528 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9529 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9530 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9531 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9532 */
9533static int test_servername(int tst)
9534{
9535 SSL_CTX *cctx = NULL, *sctx = NULL;
9536 SSL *clientssl = NULL, *serverssl = NULL;
9537 int testresult = 0;
9538 SSL_SESSION *sess = NULL;
9539 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9540
9541#ifdef OPENSSL_NO_TLS1_2
9542 if (tst <= 4)
9543 return 1;
9544#endif
9545#ifdef OSSL_NO_USABLE_TLS1_3
9546 if (tst >= 5)
9547 return 1;
9548#endif
9549
9550 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9551 TLS_client_method(),
9552 TLS1_VERSION,
9553 (tst <= 4) ? TLS1_2_VERSION
9554 : TLS1_3_VERSION,
9555 &sctx, &cctx, cert, privkey))
9556 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9557 NULL, NULL)))
9558 goto end;
9559
9560 if (tst != 1 && tst != 6) {
9561 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9562 hostname_cb)))
9563 goto end;
9564 }
9565
9566 if (tst != 3 && tst != 8) {
9567 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9568 goto end;
9569 sexpectedhost = cexpectedhost = "goodhost";
9570 }
9571
9572 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9573 goto end;
9574
9575 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9576 cexpectedhost)
9577 || !TEST_str_eq(SSL_get_servername(serverssl,
9578 TLSEXT_NAMETYPE_host_name),
9579 sexpectedhost))
9580 goto end;
9581
9582 /* Now repeat with a resumption handshake */
9583
9584 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9585 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9586 || !TEST_true(SSL_SESSION_is_resumable(sess))
9587 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9588 goto end;
9589
9590 SSL_free(clientssl);
9591 SSL_free(serverssl);
9592 clientssl = serverssl = NULL;
9593
9594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9595 NULL)))
9596 goto end;
9597
9598 if (!TEST_true(SSL_set_session(clientssl, sess)))
9599 goto end;
9600
9601 sexpectedhost = cexpectedhost = "goodhost";
9602 if (tst == 2 || tst == 7) {
9603 /* Set an inconsistent hostname */
9604 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9605 goto end;
9606 /*
9607 * In TLSv1.2 we expect the hostname from the original handshake, in
9608 * TLSv1.3 we expect the hostname from this handshake
9609 */
9610 if (tst == 7)
9611 sexpectedhost = cexpectedhost = "altgoodhost";
9612
9613 if (!TEST_str_eq(SSL_get_servername(clientssl,
9614 TLSEXT_NAMETYPE_host_name),
9615 "altgoodhost"))
9616 goto end;
9617 } else if (tst == 4 || tst == 9) {
9618 /*
9619 * A TLSv1.3 session does not associate a session with a servername,
9620 * but a TLSv1.2 session does.
9621 */
9622 if (tst == 9)
9623 sexpectedhost = cexpectedhost = NULL;
9624
9625 if (!TEST_str_eq(SSL_get_servername(clientssl,
9626 TLSEXT_NAMETYPE_host_name),
9627 cexpectedhost))
9628 goto end;
9629 } else {
9630 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9631 goto end;
9632 /*
9633 * In a TLSv1.2 resumption where the hostname was not acknowledged
9634 * we expect the hostname on the server to be empty. On the client we
9635 * return what was requested in this case.
9636 *
9637 * Similarly if the client didn't set a hostname on an original TLSv1.2
9638 * session but is now, the server hostname will be empty, but the client
9639 * is as we set it.
9640 */
9641 if (tst == 1 || tst == 3)
9642 sexpectedhost = NULL;
9643
9644 if (!TEST_str_eq(SSL_get_servername(clientssl,
9645 TLSEXT_NAMETYPE_host_name),
9646 "goodhost"))
9647 goto end;
9648 }
9649
9650 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9651 goto end;
9652
9653 if (!TEST_true(SSL_session_reused(clientssl))
9654 || !TEST_true(SSL_session_reused(serverssl))
9655 || !TEST_str_eq(SSL_get_servername(clientssl,
9656 TLSEXT_NAMETYPE_host_name),
9657 cexpectedhost)
9658 || !TEST_str_eq(SSL_get_servername(serverssl,
9659 TLSEXT_NAMETYPE_host_name),
9660 sexpectedhost))
9661 goto end;
9662
9663 testresult = 1;
9664
9665 end:
9666 SSL_SESSION_free(sess);
9667 SSL_free(serverssl);
9668 SSL_free(clientssl);
9669 SSL_CTX_free(sctx);
9670 SSL_CTX_free(cctx);
9671
9672 return testresult;
9673}
9674
9675static int test_unknown_sigalgs_groups(void)
9676{
9677 int ret = 0;
9678 SSL_CTX *ctx = NULL;
9679
9680 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9681 goto end;
9682
9683 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9684 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9685 0))
9686 goto end;
9687 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9688 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9689 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9690 goto end;
9691
9692 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9693 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9694 0))
9695 goto end;
9696 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9697 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9698 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9699 goto end;
9700
9701 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9702 "nonexistent"),
9703 0))
9704 goto end;
9705
9706 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9707 "?nonexistent1:?nonexistent2:?nonexistent3"),
9708 0))
9709 goto end;
9710
9711#ifndef OPENSSL_NO_EC
9712 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9713 "P-256:nonexistent"),
9714 0))
9715 goto end;
9716
9717 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9718 "P-384:?nonexistent:?P-521"),
9719 0))
9720 goto end;
9721 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9722 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9723 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9724 goto end;
9725#endif
9726
9727 ret = 1;
9728 end:
9729 SSL_CTX_free(ctx);
9730 return ret;
9731}
9732
9733#if !defined(OPENSSL_NO_EC) \
9734 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9735/*
9736 * Test that if signature algorithms are not available, then we do not offer or
9737 * accept them.
9738 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9739 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9740 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9741 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9742 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9743 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9744 */
9745static int test_sigalgs_available(int idx)
9746{
9747 SSL_CTX *cctx = NULL, *sctx = NULL;
9748 SSL *clientssl = NULL, *serverssl = NULL;
9749 int testresult = 0;
9750 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9751 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9752 OSSL_PROVIDER *filterprov = NULL;
9753 int sig, hash;
9754
9755 if (!TEST_ptr(tmpctx))
9756 goto end;
9757
9758 if (idx != 0 && idx != 3) {
9759 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9760 filter_provider_init)))
9761 goto end;
9762
9763 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9764 if (!TEST_ptr(filterprov))
9765 goto end;
9766
9767 if (idx < 3) {
9768 /*
9769 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9770 * or accepted for the peer that uses this libctx. Note that libssl
9771 * *requires* SHA2-256 to be available so we cannot disable that. We
9772 * also need SHA1 for our certificate.
9773 */
9774 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9775 "SHA2-256:SHA1")))
9776 goto end;
9777 } else {
9778 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9779 "ECDSA"))
9780# ifdef OPENSSL_NO_ECX
9781 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9782# else
9783 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9784 "EC:X25519:X448"))
9785# endif
9786 )
9787 goto end;
9788 }
9789
9790 if (idx == 1 || idx == 4)
9791 clientctx = tmpctx;
9792 else
9793 serverctx = tmpctx;
9794 }
9795
9796 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9797 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9798 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9799 goto end;
9800
9801 if (idx != 5) {
9802 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9803 TLS_client_method(),
9804 TLS1_VERSION,
9805 0,
9806 &sctx, &cctx, cert, privkey)))
9807 goto end;
9808 } else {
9809 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9810 TLS_client_method(),
9811 TLS1_VERSION,
9812 0,
9813 &sctx, &cctx, cert2, privkey2)))
9814 goto end;
9815 }
9816
9817 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9818 if (idx < 4) {
9819 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9820 "ECDHE-RSA-AES128-GCM-SHA256")))
9821 goto end;
9822 } else {
9823 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9824 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9825 goto end;
9826 }
9827
9828 if (idx < 3) {
9829 if (!SSL_CTX_set1_sigalgs_list(cctx,
9830 "rsa_pss_rsae_sha384"
9831 ":rsa_pss_rsae_sha256")
9832 || !SSL_CTX_set1_sigalgs_list(sctx,
9833 "rsa_pss_rsae_sha384"
9834 ":rsa_pss_rsae_sha256"))
9835 goto end;
9836 } else {
9837 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9838 || !SSL_CTX_set1_sigalgs_list(sctx,
9839 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9840 goto end;
9841 }
9842
9843 if (idx != 5
9844 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9845 SSL_FILETYPE_PEM), 1)
9846 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9847 privkey2,
9848 SSL_FILETYPE_PEM), 1)
9849 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9850 goto end;
9851
9852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9853 NULL, NULL)))
9854 goto end;
9855
9856 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9857 goto end;
9858
9859 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9860 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9861 NULL, NULL),
9862 (idx == 0 || idx == 3) ? 2 : 1))
9863 goto end;
9864
9865 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9866 goto end;
9867
9868 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9869 : NID_rsassaPss))
9870 goto end;
9871
9872 testresult = filter_provider_check_clean_finish();
9873
9874 end:
9875 SSL_free(serverssl);
9876 SSL_free(clientssl);
9877 SSL_CTX_free(sctx);
9878 SSL_CTX_free(cctx);
9879 OSSL_PROVIDER_unload(filterprov);
9880 OSSL_LIB_CTX_free(tmpctx);
9881
9882 return testresult;
9883}
9884#endif /*
9885 * !defined(OPENSSL_NO_EC) \
9886 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9887 */
9888
9889#ifndef OPENSSL_NO_TLS1_3
9890/* This test can run in TLSv1.3 even if ec and dh are disabled */
9891static int test_pluggable_group(int idx)
9892{
9893 SSL_CTX *cctx = NULL, *sctx = NULL;
9894 SSL *clientssl = NULL, *serverssl = NULL;
9895 int testresult = 0;
9896 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9897 /* Check that we are not impacted by a provider without any groups */
9898 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9899 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9900
9901 if (!TEST_ptr(tlsprov))
9902 goto end;
9903
9904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9905 TLS_client_method(),
9906 TLS1_3_VERSION,
9907 TLS1_3_VERSION,
9908 &sctx, &cctx, cert, privkey))
9909 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9910 NULL, NULL)))
9911 goto end;
9912
9913 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9914 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9915 /* removing a single algorithm from the list makes the test pass */
9916 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9917 goto end;
9918
9919 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9920 goto end;
9921
9922 if (!TEST_str_eq(group_name,
9923 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9924 goto end;
9925
9926 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9927 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9928 goto end;
9929
9930 testresult = 1;
9931
9932 end:
9933 SSL_free(serverssl);
9934 SSL_free(clientssl);
9935 SSL_CTX_free(sctx);
9936 SSL_CTX_free(cctx);
9937 OSSL_PROVIDER_unload(tlsprov);
9938 OSSL_PROVIDER_unload(legacyprov);
9939
9940 return testresult;
9941}
9942
9943/*
9944 * This function triggers encode, decode and sign functions
9945 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9946 * creating private key and certificate files for use in TLS testing.
9947 */
9948static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9949{
9950 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9951 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9952 EVP_PKEY *pkey = NULL;
9953 X509 *x509 = X509_new();
9954 X509_NAME *name = NULL;
9955 BIO *keybio = NULL, *certbio = NULL;
9956 int ret = 1;
9957
9958 if (!TEST_ptr(evpctx)
9959 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9960 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9961 || !TEST_ptr(pkey)
9962 || !TEST_ptr(x509)
9963 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9964 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9965 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9966 || !TEST_true(X509_set_pubkey(x509, pkey))
9967 || !TEST_ptr(name = X509_get_subject_name(x509))
9968 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9969 (unsigned char *)"CH", -1, -1, 0))
9970 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9971 (unsigned char *)"test.org", -1, -1, 0))
9972 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9973 (unsigned char *)"localhost", -1, -1, 0))
9974 || !TEST_true(X509_set_issuer_name(x509, name))
9975 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9976 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9977 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9978 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9979 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9980 ret = 0;
9981
9982 EVP_PKEY_free(pkey);
9983 X509_free(x509);
9984 EVP_PKEY_CTX_free(evpctx);
9985 BIO_free(keybio);
9986 BIO_free(certbio);
9987 return ret;
9988}
9989
9990/*
9991 * Test that signature algorithms loaded via the provider interface can
9992 * correctly establish a TLS (1.3) connection.
9993 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9994 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9995 * Test 2: Test 0 using RPK
9996 * Test 3: Test 1 using RPK
9997 */
9998static int test_pluggable_signature(int idx)
9999{
10000 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10001 SSL_CTX *cctx = NULL, *sctx = NULL;
10002 SSL *clientssl = NULL, *serverssl = NULL;
10003 int testresult = 0;
10004 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10005 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10006 char *certfilename = "tls-prov-cert.pem";
10007 char *privkeyfilename = "tls-prov-key.pem";
10008 int sigidx = idx % 2;
10009 int rpkidx = idx / 2;
10010
10011 /* create key and certificate for the different algorithm types */
10012 if (!TEST_ptr(tlsprov)
10013 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10014 goto end;
10015
10016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10017 TLS_client_method(),
10018 TLS1_3_VERSION,
10019 TLS1_3_VERSION,
10020 &sctx, &cctx, certfilename, privkeyfilename))
10021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10022 NULL, NULL)))
10023 goto end;
10024
10025 /* Enable RPK for server cert */
10026 if (rpkidx) {
10027 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10028 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10029 goto end;
10030 }
10031
10032 /* This is necessary to pass minimal setup w/o other groups configured */
10033 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10034 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10035 goto end;
10036
10037 /*
10038 * If this connection gets established, it must have been completed
10039 * via the tls-provider-implemented "hmacsig" algorithm, testing
10040 * both sign and verify functions during handshake.
10041 */
10042 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10043 goto end;
10044
10045 /* If using RPK, make sure we got one */
10046 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10047 goto end;
10048
10049 testresult = 1;
10050
10051 end:
10052 SSL_free(serverssl);
10053 SSL_free(clientssl);
10054 SSL_CTX_free(sctx);
10055 SSL_CTX_free(cctx);
10056 OSSL_PROVIDER_unload(tlsprov);
10057 OSSL_PROVIDER_unload(defaultprov);
10058
10059 return testresult;
10060}
10061#endif
10062
10063#ifndef OPENSSL_NO_TLS1_2
10064static int test_ssl_dup(void)
10065{
10066 SSL_CTX *cctx = NULL, *sctx = NULL;
10067 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10068 int testresult = 0;
10069 BIO *rbio = NULL, *wbio = NULL;
10070
10071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10072 TLS_client_method(),
10073 0,
10074 0,
10075 &sctx, &cctx, cert, privkey)))
10076 goto end;
10077
10078 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10079 NULL, NULL)))
10080 goto end;
10081
10082 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10083 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10084 goto end;
10085
10086 client2ssl = SSL_dup(clientssl);
10087 rbio = SSL_get_rbio(clientssl);
10088 if (!TEST_ptr(rbio)
10089 || !TEST_true(BIO_up_ref(rbio)))
10090 goto end;
10091 SSL_set0_rbio(client2ssl, rbio);
10092 rbio = NULL;
10093
10094 wbio = SSL_get_wbio(clientssl);
10095 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10096 goto end;
10097 SSL_set0_wbio(client2ssl, wbio);
10098 rbio = NULL;
10099
10100 if (!TEST_ptr(client2ssl)
10101 /* Handshake not started so pointers should be different */
10102 || !TEST_ptr_ne(clientssl, client2ssl))
10103 goto end;
10104
10105 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10106 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10107 goto end;
10108
10109 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10110 goto end;
10111
10112 SSL_free(clientssl);
10113 clientssl = SSL_dup(client2ssl);
10114 if (!TEST_ptr(clientssl)
10115 /* Handshake has finished so pointers should be the same */
10116 || !TEST_ptr_eq(clientssl, client2ssl))
10117 goto end;
10118
10119 testresult = 1;
10120
10121 end:
10122 SSL_free(serverssl);
10123 SSL_free(clientssl);
10124 SSL_free(client2ssl);
10125 SSL_CTX_free(sctx);
10126 SSL_CTX_free(cctx);
10127
10128 return testresult;
10129}
10130
10131static int secret_cb(SSL *s, void *secretin, int *secret_len,
10132 STACK_OF(SSL_CIPHER) *peer_ciphers,
10133 const SSL_CIPHER **cipher, void *arg)
10134{
10135 int i;
10136 unsigned char *secret = secretin;
10137
10138 /* Just use a fixed master secret */
10139 for (i = 0; i < *secret_len; i++)
10140 secret[i] = 0xff;
10141
10142 /* We don't set a preferred cipher */
10143
10144 return 1;
10145}
10146
10147/*
10148 * Test the session_secret_cb which is designed for use with EAP-FAST
10149 */
10150static int test_session_secret_cb(void)
10151{
10152 SSL_CTX *cctx = NULL, *sctx = NULL;
10153 SSL *clientssl = NULL, *serverssl = NULL;
10154 SSL_SESSION *secret_sess = NULL;
10155 int testresult = 0;
10156
10157 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10158 TLS_client_method(),
10159 0,
10160 0,
10161 &sctx, &cctx, cert, privkey)))
10162 goto end;
10163
10164 /* Create an initial connection and save the session */
10165 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10166 NULL, NULL)))
10167 goto end;
10168
10169 /* session_secret_cb does not support TLSv1.3 */
10170 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10171 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10172 goto end;
10173
10174 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10175 goto end;
10176
10177 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10178 goto end;
10179
10180 shutdown_ssl_connection(serverssl, clientssl);
10181 serverssl = clientssl = NULL;
10182
10183 /* Resume the earlier session */
10184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10185 NULL, NULL)))
10186 goto end;
10187
10188 /*
10189 * No session ids for EAP-FAST - otherwise the state machine gets very
10190 * confused.
10191 */
10192 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10193 goto end;
10194
10195 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10196 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10197 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10198 NULL))
10199 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10200 NULL))
10201 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10202 goto end;
10203
10204 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10205 goto end;
10206
10207 testresult = 1;
10208
10209 end:
10210 SSL_SESSION_free(secret_sess);
10211 SSL_free(serverssl);
10212 SSL_free(clientssl);
10213 SSL_CTX_free(sctx);
10214 SSL_CTX_free(cctx);
10215
10216 return testresult;
10217}
10218
10219# ifndef OPENSSL_NO_DH
10220
10221static EVP_PKEY *tmp_dh_params = NULL;
10222
10223/* Helper function for the test_set_tmp_dh() tests */
10224static EVP_PKEY *get_tmp_dh_params(void)
10225{
10226 if (tmp_dh_params == NULL) {
10227 BIGNUM *p = NULL;
10228 OSSL_PARAM_BLD *tmpl = NULL;
10229 EVP_PKEY_CTX *pctx = NULL;
10230 OSSL_PARAM *params = NULL;
10231 EVP_PKEY *dhpkey = NULL;
10232
10233 p = BN_get_rfc3526_prime_2048(NULL);
10234 if (!TEST_ptr(p))
10235 goto end;
10236
10237 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10238 if (!TEST_ptr(pctx)
10239 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10240 goto end;
10241
10242 tmpl = OSSL_PARAM_BLD_new();
10243 if (!TEST_ptr(tmpl)
10244 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10245 OSSL_PKEY_PARAM_FFC_P,
10246 p))
10247 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10248 OSSL_PKEY_PARAM_FFC_G,
10249 2)))
10250 goto end;
10251
10252 params = OSSL_PARAM_BLD_to_param(tmpl);
10253 if (!TEST_ptr(params)
10254 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10255 EVP_PKEY_KEY_PARAMETERS,
10256 params), 1))
10257 goto end;
10258
10259 tmp_dh_params = dhpkey;
10260 end:
10261 BN_free(p);
10262 EVP_PKEY_CTX_free(pctx);
10263 OSSL_PARAM_BLD_free(tmpl);
10264 OSSL_PARAM_free(params);
10265 }
10266
10267 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10268 return NULL;
10269
10270 return tmp_dh_params;
10271}
10272
10273# ifndef OPENSSL_NO_DEPRECATED_3_0
10274/* Callback used by test_set_tmp_dh() */
10275static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10276{
10277 EVP_PKEY *dhpkey = get_tmp_dh_params();
10278 DH *ret = NULL;
10279
10280 if (!TEST_ptr(dhpkey))
10281 return NULL;
10282
10283 /*
10284 * libssl does not free the returned DH, so we free it now knowing that even
10285 * after we free dhpkey, there will still be a reference to the owning
10286 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10287 * of time we need it for.
10288 */
10289 ret = EVP_PKEY_get1_DH(dhpkey);
10290 DH_free(ret);
10291
10292 EVP_PKEY_free(dhpkey);
10293
10294 return ret;
10295}
10296# endif
10297
10298/*
10299 * Test the various methods for setting temporary DH parameters
10300 *
10301 * Test 0: Default (no auto) setting
10302 * Test 1: Explicit SSL_CTX auto off
10303 * Test 2: Explicit SSL auto off
10304 * Test 3: Explicit SSL_CTX auto on
10305 * Test 4: Explicit SSL auto on
10306 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10307 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10308 *
10309 * The following are testing deprecated APIs, so we only run them if available
10310 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10311 * Test 8: Explicit SSL auto off, custom DH params via DH
10312 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10313 * Test 10: Explicit SSL auto off, custom DH params via callback
10314 */
10315static int test_set_tmp_dh(int idx)
10316{
10317 SSL_CTX *cctx = NULL, *sctx = NULL;
10318 SSL *clientssl = NULL, *serverssl = NULL;
10319 int testresult = 0;
10320 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10321 int expected = (idx <= 2) ? 0 : 1;
10322 EVP_PKEY *dhpkey = NULL;
10323# ifndef OPENSSL_NO_DEPRECATED_3_0
10324 DH *dh = NULL;
10325# else
10326
10327 if (idx >= 7)
10328 return 1;
10329# endif
10330
10331 if (idx >= 5 && idx <= 8) {
10332 dhpkey = get_tmp_dh_params();
10333 if (!TEST_ptr(dhpkey))
10334 goto end;
10335 }
10336# ifndef OPENSSL_NO_DEPRECATED_3_0
10337 if (idx == 7 || idx == 8) {
10338 dh = EVP_PKEY_get1_DH(dhpkey);
10339 if (!TEST_ptr(dh))
10340 goto end;
10341 }
10342# endif
10343
10344 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10345 TLS_client_method(),
10346 0,
10347 0,
10348 &sctx, &cctx, cert, privkey)))
10349 goto end;
10350
10351 if ((idx & 1) == 1) {
10352 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10353 goto end;
10354 }
10355
10356 if (idx == 5) {
10357 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10358 goto end;
10359 dhpkey = NULL;
10360 }
10361# ifndef OPENSSL_NO_DEPRECATED_3_0
10362 else if (idx == 7) {
10363 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10364 goto end;
10365 } else if (idx == 9) {
10366 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10367 }
10368# endif
10369
10370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10371 NULL, NULL)))
10372 goto end;
10373
10374 if ((idx & 1) == 0 && idx != 0) {
10375 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10376 goto end;
10377 }
10378 if (idx == 6) {
10379 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10380 goto end;
10381 dhpkey = NULL;
10382 }
10383# ifndef OPENSSL_NO_DEPRECATED_3_0
10384 else if (idx == 8) {
10385 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10386 goto end;
10387 } else if (idx == 10) {
10388 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10389 }
10390# endif
10391
10392 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10393 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10394 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10395 goto end;
10396
10397 /*
10398 * If autoon then we should succeed. Otherwise we expect failure because
10399 * there are no parameters
10400 */
10401 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10402 SSL_ERROR_NONE), expected))
10403 goto end;
10404
10405 testresult = 1;
10406
10407 end:
10408# ifndef OPENSSL_NO_DEPRECATED_3_0
10409 DH_free(dh);
10410# endif
10411 SSL_free(serverssl);
10412 SSL_free(clientssl);
10413 SSL_CTX_free(sctx);
10414 SSL_CTX_free(cctx);
10415 EVP_PKEY_free(dhpkey);
10416
10417 return testresult;
10418}
10419
10420/*
10421 * Test the auto DH keys are appropriately sized
10422 */
10423static int test_dh_auto(int idx)
10424{
10425 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10426 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10427 SSL *clientssl = NULL, *serverssl = NULL;
10428 int testresult = 0;
10429 EVP_PKEY *tmpkey = NULL;
10430 char *thiscert = NULL, *thiskey = NULL;
10431 size_t expdhsize = 0;
10432 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10433
10434 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10435 goto end;
10436
10437 switch (idx) {
10438 case 0:
10439 /* The FIPS provider doesn't support this DH size - so we ignore it */
10440 if (is_fips) {
10441 testresult = 1;
10442 goto end;
10443 }
10444 thiscert = cert1024;
10445 thiskey = privkey1024;
10446 expdhsize = 1024;
10447 SSL_CTX_set_security_level(sctx, 1);
10448 SSL_CTX_set_security_level(cctx, 1);
10449 break;
10450 case 1:
10451 /* 2048 bit prime */
10452 thiscert = cert;
10453 thiskey = privkey;
10454 expdhsize = 2048;
10455 break;
10456 case 2:
10457 thiscert = cert3072;
10458 thiskey = privkey3072;
10459 expdhsize = 3072;
10460 break;
10461 case 3:
10462 thiscert = cert4096;
10463 thiskey = privkey4096;
10464 expdhsize = 4096;
10465 break;
10466 case 4:
10467 thiscert = cert8192;
10468 thiskey = privkey8192;
10469 expdhsize = 8192;
10470 break;
10471 /* No certificate cases */
10472 case 5:
10473 /* The FIPS provider doesn't support this DH size - so we ignore it */
10474 if (is_fips) {
10475 testresult = 1;
10476 goto end;
10477 }
10478 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10479 expdhsize = 1024;
10480 break;
10481 case 6:
10482 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10483 expdhsize = 3072;
10484 break;
10485 default:
10486 TEST_error("Invalid text index");
10487 goto end;
10488 }
10489
10490 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10491 NULL,
10492 0,
10493 0,
10494 &sctx, &cctx, thiscert, thiskey)))
10495 goto end;
10496
10497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10498 NULL, NULL)))
10499 goto end;
10500
10501 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10502 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10503 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10504 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10505 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10506 goto end;
10507
10508 /*
10509 * Send the server's first flight. At this point the server has created the
10510 * temporary DH key but hasn't finished using it yet. Once used it is
10511 * removed, so we cannot test it.
10512 */
10513 if (!TEST_int_le(SSL_connect(clientssl), 0)
10514 || !TEST_int_le(SSL_accept(serverssl), 0))
10515 goto end;
10516
10517 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10518 goto end;
10519 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10520 goto end;
10521
10522 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10523 goto end;
10524
10525 testresult = 1;
10526
10527 end:
10528 SSL_free(serverssl);
10529 SSL_free(clientssl);
10530 SSL_CTX_free(sctx);
10531 SSL_CTX_free(cctx);
10532 EVP_PKEY_free(tmpkey);
10533
10534 return testresult;
10535
10536}
10537# endif /* OPENSSL_NO_DH */
10538#endif /* OPENSSL_NO_TLS1_2 */
10539
10540#ifndef OSSL_NO_USABLE_TLS1_3
10541/*
10542 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10543 * that it works even without a certificate configured for the original
10544 * SSL_CTX
10545 */
10546static int test_sni_tls13(void)
10547{
10548 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10549 SSL *clientssl = NULL, *serverssl = NULL;
10550 int testresult = 0;
10551
10552 /* Reset callback counter */
10553 snicb = 0;
10554
10555 /* Create an initial SSL_CTX with no certificate configured */
10556 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10557 if (!TEST_ptr(sctx))
10558 goto end;
10559 /* Require TLSv1.3 as a minimum */
10560 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10561 TLS_client_method(), TLS1_3_VERSION, 0,
10562 &sctx2, &cctx, cert, privkey)))
10563 goto end;
10564
10565 /* Set up SNI */
10566 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10567 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10568 goto end;
10569
10570 /*
10571 * Connection should still succeed because the final SSL_CTX has the right
10572 * certificates configured.
10573 */
10574 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10575 &clientssl, NULL, NULL))
10576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10577 SSL_ERROR_NONE)))
10578 goto end;
10579
10580 /* We should have had the SNI callback called exactly once */
10581 if (!TEST_int_eq(snicb, 1))
10582 goto end;
10583
10584 testresult = 1;
10585
10586end:
10587 SSL_free(serverssl);
10588 SSL_free(clientssl);
10589 SSL_CTX_free(sctx2);
10590 SSL_CTX_free(sctx);
10591 SSL_CTX_free(cctx);
10592 return testresult;
10593}
10594
10595/*
10596 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10597 * 0 = TLSv1.2
10598 * 1 = TLSv1.3
10599 */
10600static int test_ticket_lifetime(int idx)
10601{
10602 SSL_CTX *cctx = NULL, *sctx = NULL;
10603 SSL *clientssl = NULL, *serverssl = NULL;
10604 int testresult = 0;
10605 int version = TLS1_3_VERSION;
10606
10607#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10608#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10609
10610 if (idx == 0) {
10611#ifdef OPENSSL_NO_TLS1_2
10612 return TEST_skip("TLS 1.2 is disabled.");
10613#else
10614 version = TLS1_2_VERSION;
10615#endif
10616 }
10617
10618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10619 TLS_client_method(), version, version,
10620 &sctx, &cctx, cert, privkey)))
10621 goto end;
10622
10623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10624 &clientssl, NULL, NULL)))
10625 goto end;
10626
10627 /*
10628 * Set the timeout to be more than 1 week
10629 * make sure the returned value is the default
10630 */
10631 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10632 SSL_get_default_timeout(serverssl)))
10633 goto end;
10634
10635 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10636 goto end;
10637
10638 if (idx == 0) {
10639 /* TLSv1.2 uses the set value */
10640 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10641 goto end;
10642 } else {
10643 /* TLSv1.3 uses the limited value */
10644 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10645 goto end;
10646 }
10647 testresult = 1;
10648
10649end:
10650 SSL_free(serverssl);
10651 SSL_free(clientssl);
10652 SSL_CTX_free(sctx);
10653 SSL_CTX_free(cctx);
10654 return testresult;
10655}
10656#endif
10657/*
10658 * Test that setting an ALPN does not violate RFC
10659 */
10660static int test_set_alpn(void)
10661{
10662 SSL_CTX *ctx = NULL;
10663 SSL *ssl = NULL;
10664 int testresult = 0;
10665
10666 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10667 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10668 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10669 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10670 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10671 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10672
10673 /* Create an initial SSL_CTX with no certificate configured */
10674 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10675 if (!TEST_ptr(ctx))
10676 goto end;
10677
10678 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10679 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10680 goto end;
10681 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10682 goto end;
10683 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10684 goto end;
10685 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10686 goto end;
10687 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10688 goto end;
10689 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10690 goto end;
10691 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10692 goto end;
10693 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10694 goto end;
10695 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10696 goto end;
10697
10698 ssl = SSL_new(ctx);
10699 if (!TEST_ptr(ssl))
10700 goto end;
10701
10702 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10703 goto end;
10704 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10705 goto end;
10706 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10707 goto end;
10708 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10709 goto end;
10710 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10711 goto end;
10712 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10713 goto end;
10714 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10715 goto end;
10716 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10717 goto end;
10718 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10719 goto end;
10720
10721 testresult = 1;
10722
10723end:
10724 SSL_free(ssl);
10725 SSL_CTX_free(ctx);
10726 return testresult;
10727}
10728
10729/*
10730 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10731 */
10732static int test_set_verify_cert_store_ssl_ctx(void)
10733{
10734 SSL_CTX *ctx = NULL;
10735 int testresult = 0;
10736 X509_STORE *store = NULL, *new_store = NULL,
10737 *cstore = NULL, *new_cstore = NULL;
10738
10739 /* Create an initial SSL_CTX. */
10740 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10741 if (!TEST_ptr(ctx))
10742 goto end;
10743
10744 /* Retrieve verify store pointer. */
10745 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10746 goto end;
10747
10748 /* Retrieve chain store pointer. */
10749 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10750 goto end;
10751
10752 /* We haven't set any yet, so this should be NULL. */
10753 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10754 goto end;
10755
10756 /* Create stores. We use separate stores so pointers are different. */
10757 new_store = X509_STORE_new();
10758 if (!TEST_ptr(new_store))
10759 goto end;
10760
10761 new_cstore = X509_STORE_new();
10762 if (!TEST_ptr(new_cstore))
10763 goto end;
10764
10765 /* Set stores. */
10766 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10767 goto end;
10768
10769 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10770 goto end;
10771
10772 /* Should be able to retrieve the same pointer. */
10773 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10774 goto end;
10775
10776 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10777 goto end;
10778
10779 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10780 goto end;
10781
10782 /* Should be able to unset again. */
10783 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10784 goto end;
10785
10786 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10787 goto end;
10788
10789 /* Should now be NULL. */
10790 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10791 goto end;
10792
10793 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10794 goto end;
10795
10796 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10797 goto end;
10798
10799 testresult = 1;
10800
10801end:
10802 X509_STORE_free(new_store);
10803 X509_STORE_free(new_cstore);
10804 SSL_CTX_free(ctx);
10805 return testresult;
10806}
10807
10808/*
10809 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10810 */
10811static int test_set_verify_cert_store_ssl(void)
10812{
10813 SSL_CTX *ctx = NULL;
10814 SSL *ssl = NULL;
10815 int testresult = 0;
10816 X509_STORE *store = NULL, *new_store = NULL,
10817 *cstore = NULL, *new_cstore = NULL;
10818
10819 /* Create an initial SSL_CTX. */
10820 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10821 if (!TEST_ptr(ctx))
10822 goto end;
10823
10824 /* Create an SSL object. */
10825 ssl = SSL_new(ctx);
10826 if (!TEST_ptr(ssl))
10827 goto end;
10828
10829 /* Retrieve verify store pointer. */
10830 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10831 goto end;
10832
10833 /* Retrieve chain store pointer. */
10834 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10835 goto end;
10836
10837 /* We haven't set any yet, so this should be NULL. */
10838 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10839 goto end;
10840
10841 /* Create stores. We use separate stores so pointers are different. */
10842 new_store = X509_STORE_new();
10843 if (!TEST_ptr(new_store))
10844 goto end;
10845
10846 new_cstore = X509_STORE_new();
10847 if (!TEST_ptr(new_cstore))
10848 goto end;
10849
10850 /* Set stores. */
10851 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10852 goto end;
10853
10854 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10855 goto end;
10856
10857 /* Should be able to retrieve the same pointer. */
10858 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10859 goto end;
10860
10861 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10862 goto end;
10863
10864 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10865 goto end;
10866
10867 /* Should be able to unset again. */
10868 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10869 goto end;
10870
10871 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10872 goto end;
10873
10874 /* Should now be NULL. */
10875 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10876 goto end;
10877
10878 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10879 goto end;
10880
10881 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10882 goto end;
10883
10884 testresult = 1;
10885
10886end:
10887 X509_STORE_free(new_store);
10888 X509_STORE_free(new_cstore);
10889 SSL_free(ssl);
10890 SSL_CTX_free(ctx);
10891 return testresult;
10892}
10893
10894
10895static int test_inherit_verify_param(void)
10896{
10897 int testresult = 0;
10898
10899 SSL_CTX *ctx = NULL;
10900 X509_VERIFY_PARAM *cp = NULL;
10901 SSL *ssl = NULL;
10902 X509_VERIFY_PARAM *sp = NULL;
10903 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10904
10905 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10906 if (!TEST_ptr(ctx))
10907 goto end;
10908
10909 cp = SSL_CTX_get0_param(ctx);
10910 if (!TEST_ptr(cp))
10911 goto end;
10912 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10913 goto end;
10914
10915 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10916
10917 ssl = SSL_new(ctx);
10918 if (!TEST_ptr(ssl))
10919 goto end;
10920
10921 sp = SSL_get0_param(ssl);
10922 if (!TEST_ptr(sp))
10923 goto end;
10924 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10925 goto end;
10926
10927 testresult = 1;
10928
10929 end:
10930 SSL_free(ssl);
10931 SSL_CTX_free(ctx);
10932
10933 return testresult;
10934}
10935
10936static int test_load_dhfile(void)
10937{
10938#ifndef OPENSSL_NO_DH
10939 int testresult = 0;
10940
10941 SSL_CTX *ctx = NULL;
10942 SSL_CONF_CTX *cctx = NULL;
10943
10944 if (dhfile == NULL)
10945 return 1;
10946
10947 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10948 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10949 goto end;
10950
10951 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10952 SSL_CONF_CTX_set_flags(cctx,
10953 SSL_CONF_FLAG_CERTIFICATE
10954 | SSL_CONF_FLAG_SERVER
10955 | SSL_CONF_FLAG_FILE);
10956
10957 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10958 goto end;
10959
10960 testresult = 1;
10961end:
10962 SSL_CONF_CTX_free(cctx);
10963 SSL_CTX_free(ctx);
10964
10965 return testresult;
10966#else
10967 return TEST_skip("DH not supported by this build");
10968#endif
10969}
10970
10971#ifndef OSSL_NO_USABLE_TLS1_3
10972/* Test that read_ahead works across a key change */
10973static int test_read_ahead_key_change(void)
10974{
10975 SSL_CTX *cctx = NULL, *sctx = NULL;
10976 SSL *clientssl = NULL, *serverssl = NULL;
10977 int testresult = 0;
10978 char *msg = "Hello World";
10979 size_t written, readbytes;
10980 char buf[80];
10981 int i;
10982
10983 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10984 TLS_client_method(), TLS1_3_VERSION, 0,
10985 &sctx, &cctx, cert, privkey)))
10986 goto end;
10987
10988 SSL_CTX_set_read_ahead(sctx, 1);
10989
10990 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10991 &clientssl, NULL, NULL)))
10992 goto end;
10993
10994 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10995 goto end;
10996
10997 /* Write some data, send a key update, write more data */
10998 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10999 || !TEST_size_t_eq(written, strlen(msg)))
11000 goto end;
11001
11002 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11003 goto end;
11004
11005 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11006 || !TEST_size_t_eq(written, strlen(msg)))
11007 goto end;
11008
11009 /*
11010 * Since read_ahead is on the first read below should read the record with
11011 * the first app data, the second record with the key update message, and
11012 * the third record with the app data all in one go. We should be able to
11013 * still process the read_ahead data correctly even though it crosses
11014 * epochs
11015 */
11016 for (i = 0; i < 2; i++) {
11017 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11018 &readbytes)))
11019 goto end;
11020
11021 buf[readbytes] = '\0';
11022 if (!TEST_str_eq(buf, msg))
11023 goto end;
11024 }
11025
11026 testresult = 1;
11027
11028end:
11029 SSL_free(serverssl);
11030 SSL_free(clientssl);
11031 SSL_CTX_free(sctx);
11032 SSL_CTX_free(cctx);
11033 return testresult;
11034}
11035
11036static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11037{
11038 int *called = arg;
11039
11040 switch ((*called)++) {
11041 case 0:
11042 /* Add some padding to first record */
11043 return 512;
11044 case 1:
11045 /* Maximally pad the second record */
11046 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11047 case 2:
11048 /*
11049 * Exceeding the maximum padding should be fine. It should just pad to
11050 * the maximum anyway
11051 */
11052 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11053 case 3:
11054 /*
11055 * Very large padding should also be ok. Should just pad to the maximum
11056 * allowed
11057 */
11058 return SIZE_MAX;
11059 default:
11060 return 0;
11061 }
11062}
11063
11064/*
11065 * Test that setting record padding in TLSv1.3 works as expected
11066 * Test 0: Record padding callback on the SSL_CTX
11067 * Test 1: Record padding callback on the SSL
11068 * Test 2: Record block padding on the SSL_CTX
11069 * Test 3: Record block padding on the SSL
11070 */
11071static int test_tls13_record_padding(int idx)
11072{
11073 SSL_CTX *cctx = NULL, *sctx = NULL;
11074 SSL *clientssl = NULL, *serverssl = NULL;
11075 int testresult = 0;
11076 char *msg = "Hello World";
11077 size_t written, readbytes;
11078 char buf[80];
11079 int i;
11080 int called = 0;
11081
11082 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11083 TLS_client_method(), TLS1_3_VERSION, 0,
11084 &sctx, &cctx, cert, privkey)))
11085 goto end;
11086
11087 if (idx == 0) {
11088 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11089 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11090 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11091 goto end;
11092 } else if (idx == 2) {
11093 /* Exceeding the max plain length should fail */
11094 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11095 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11096 goto end;
11097 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11098 goto end;
11099 }
11100
11101 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11102 &clientssl, NULL, NULL)))
11103 goto end;
11104
11105 if (idx == 1) {
11106 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11107 SSL_set_record_padding_callback_arg(clientssl, &called);
11108 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11109 goto end;
11110 } else if (idx == 3) {
11111 /* Exceeding the max plain length should fail */
11112 if (!TEST_false(SSL_set_block_padding(clientssl,
11113 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11114 goto end;
11115 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11116 goto end;
11117 }
11118
11119 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11120 goto end;
11121
11122 called = 0;
11123 /*
11124 * Write some data, then check we can read it. Do this four times to check
11125 * we can continue to write and read padded data after the initial record
11126 * padding has been added. We don't actually check that the padding has
11127 * been applied to the record - just that we can continue to communicate
11128 * normally and that the callback has been called (if appropriate).
11129 */
11130 for (i = 0; i < 4; i++) {
11131 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11132 || !TEST_size_t_eq(written, strlen(msg)))
11133 goto end;
11134
11135 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11136 &readbytes))
11137 || !TEST_size_t_eq(written, readbytes))
11138 goto end;
11139
11140 buf[readbytes] = '\0';
11141 if (!TEST_str_eq(buf, msg))
11142 goto end;
11143 }
11144
11145 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11146 goto end;
11147
11148 testresult = 1;
11149end:
11150 SSL_free(serverssl);
11151 SSL_free(clientssl);
11152 SSL_CTX_free(sctx);
11153 SSL_CTX_free(cctx);
11154 return testresult;
11155}
11156#endif /* OSSL_NO_USABLE_TLS1_3 */
11157
11158#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11159/*
11160 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11161 * support this yet. The only pipeline capable cipher that we have is in the
11162 * dasync engine (providers don't support this yet), so we have to use
11163 * deprecated APIs for this test.
11164 *
11165 * Test 0: Client has pipelining enabled, server does not
11166 * Test 1: Server has pipelining enabled, client does not
11167 * Test 2: Client has pipelining enabled, server does not: not enough data to
11168 * fill all the pipelines
11169 * Test 3: Client has pipelining enabled, server does not: not enough data to
11170 * fill all the pipelines by more than a full pipeline's worth
11171 * Test 4: Client has pipelining enabled, server does not: more data than all
11172 * the available pipelines can take
11173 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11174 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11175 * is created)
11176 */
11177static int test_pipelining(int idx)
11178{
11179 SSL_CTX *cctx = NULL, *sctx = NULL;
11180 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11181 int testresult = 0, numreads;
11182 /* A 55 byte message */
11183 unsigned char *msg = (unsigned char *)
11184 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11185 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11186 size_t expectedreads;
11187 unsigned char *buf = NULL;
11188 ENGINE *e = NULL;
11189
11190 if (idx != 6) {
11191 e = load_dasync();
11192 if (e == NULL)
11193 return 0;
11194 }
11195
11196 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11197 TLS_client_method(), 0,
11198 TLS1_2_VERSION, &sctx, &cctx, cert,
11199 privkey)))
11200 goto end;
11201
11202 if (idx == 6) {
11203 e = load_dasync();
11204 if (e == NULL)
11205 goto end;
11206 /* Now act like test 0 */
11207 idx = 0;
11208 }
11209
11210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11211 &clientssl, NULL, NULL)))
11212 goto end;
11213
11214 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11215 goto end;
11216
11217 /* peera is always configured for pipelining, while peerb is not. */
11218 if (idx == 1) {
11219 peera = serverssl;
11220 peerb = clientssl;
11221
11222 } else {
11223 peera = clientssl;
11224 peerb = serverssl;
11225 }
11226
11227 if (idx == 5) {
11228 numpipes = 2;
11229 /* Maximum allowed fragment size */
11230 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11231 msglen = fragsize * numpipes;
11232 msg = OPENSSL_malloc(msglen);
11233 if (!TEST_ptr(msg))
11234 goto end;
11235 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11236 goto end;
11237 } else if (idx == 4) {
11238 msglen = 55;
11239 } else {
11240 msglen = 50;
11241 }
11242 if (idx == 2)
11243 msglen -= 2; /* Send 2 less bytes */
11244 else if (idx == 3)
11245 msglen -= 12; /* Send 12 less bytes */
11246
11247 buf = OPENSSL_malloc(msglen);
11248 if (!TEST_ptr(buf))
11249 goto end;
11250
11251 if (idx == 5) {
11252 /*
11253 * Test that setting a split send fragment longer than the maximum
11254 * allowed fails
11255 */
11256 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11257 goto end;
11258 }
11259
11260 /*
11261 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11262 * (50 bytes in total). This is a ridiculously small number of bytes -
11263 * but sufficient for our purposes
11264 */
11265 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11266 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11267 goto end;
11268
11269 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11270 goto end;
11271
11272 /* Write some data from peera to peerb */
11273 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11274 || !TEST_size_t_eq(written, msglen))
11275 goto end;
11276
11277 /*
11278 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11279 * have been used - except in test 3 where only |numpipes - 1| pipelines
11280 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11281 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11282 * expect this to be read in |numpipes| or |numpipes - 1| separate
11283 * SSL_read_ex calls. In the case of test 4, there is then one additional
11284 * read for left over data that couldn't fit in the previous pipelines
11285 */
11286 for (offset = 0, numreads = 0;
11287 offset < msglen;
11288 offset += readbytes, numreads++) {
11289 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11290 msglen - offset, &readbytes)))
11291 goto end;
11292 }
11293
11294 expectedreads = idx == 4 ? numpipes + 1
11295 : (idx == 3 ? numpipes - 1 : numpipes);
11296 if (!TEST_mem_eq(msg, msglen, buf, offset)
11297 || !TEST_int_eq(numreads, expectedreads))
11298 goto end;
11299
11300 /*
11301 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11302 * chunks to exercise the read pipelining code on peera.
11303 */
11304 for (offset = 0; offset < msglen; offset += fragsize) {
11305 size_t sendlen = msglen - offset;
11306
11307 if (sendlen > fragsize)
11308 sendlen = fragsize;
11309 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11310 || !TEST_size_t_eq(written, sendlen))
11311 goto end;
11312 }
11313
11314 /*
11315 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11316 * separate chunks (depending on which test we are running). If the
11317 * pipelining is working then we expect peera to read up to numpipes chunks
11318 * and process them in parallel, giving back the complete result in a single
11319 * call to SSL_read_ex
11320 */
11321 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11322 || !TEST_size_t_le(readbytes, msglen))
11323 goto end;
11324
11325 if (idx == 4) {
11326 size_t readbytes2;
11327
11328 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11329 msglen - readbytes, &readbytes2)))
11330 goto end;
11331 readbytes += readbytes2;
11332 if (!TEST_size_t_le(readbytes, msglen))
11333 goto end;
11334 }
11335
11336 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11337 goto end;
11338
11339 testresult = 1;
11340end:
11341 SSL_free(serverssl);
11342 SSL_free(clientssl);
11343 SSL_CTX_free(sctx);
11344 SSL_CTX_free(cctx);
11345 if (e != NULL) {
11346 ENGINE_unregister_ciphers(e);
11347 ENGINE_finish(e);
11348 ENGINE_free(e);
11349 }
11350 OPENSSL_free(buf);
11351 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11352 OPENSSL_free(msg);
11353 return testresult;
11354}
11355#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11356
11357static int check_version_string(SSL *s, int version)
11358{
11359 const char *verstr = NULL;
11360
11361 switch (version) {
11362 case SSL3_VERSION:
11363 verstr = "SSLv3";
11364 break;
11365 case TLS1_VERSION:
11366 verstr = "TLSv1";
11367 break;
11368 case TLS1_1_VERSION:
11369 verstr = "TLSv1.1";
11370 break;
11371 case TLS1_2_VERSION:
11372 verstr = "TLSv1.2";
11373 break;
11374 case TLS1_3_VERSION:
11375 verstr = "TLSv1.3";
11376 break;
11377 case DTLS1_VERSION:
11378 verstr = "DTLSv1";
11379 break;
11380 case DTLS1_2_VERSION:
11381 verstr = "DTLSv1.2";
11382 }
11383
11384 return TEST_str_eq(verstr, SSL_get_version(s));
11385}
11386
11387/*
11388 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11389 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11390 * test_version() in quicapitest.c which does the same thing for QUIC
11391 * connections.
11392 */
11393static int test_version(int idx)
11394{
11395 SSL_CTX *cctx = NULL, *sctx = NULL;
11396 SSL *clientssl = NULL, *serverssl = NULL;
11397 int testresult = 0, version;
11398 const SSL_METHOD *servmeth = TLS_server_method();
11399 const SSL_METHOD *clientmeth = TLS_client_method();
11400
11401 switch (idx) {
11402#if !defined(OPENSSL_NO_SSL3)
11403 case 0:
11404 version = SSL3_VERSION;
11405 break;
11406#endif
11407#if !defined(OPENSSL_NO_TLS1)
11408 case 1:
11409 version = TLS1_VERSION;
11410 break;
11411#endif
11412#if !defined(OPENSSL_NO_TLS1_2)
11413 case 2:
11414 version = TLS1_2_VERSION;
11415 break;
11416#endif
11417#if !defined(OSSL_NO_USABLE_TLS1_3)
11418 case 3:
11419 version = TLS1_3_VERSION;
11420 break;
11421#endif
11422#if !defined(OPENSSL_NO_DTLS1)
11423 case 4:
11424 version = DTLS1_VERSION;
11425 break;
11426#endif
11427#if !defined(OPENSSL_NO_DTLS1_2)
11428 case 5:
11429 version = DTLS1_2_VERSION;
11430 break;
11431#endif
11432 /*
11433 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11434 * We also don't support DTLS1_BAD_VER since we have no server support for
11435 * that.
11436 */
11437 default:
11438 TEST_skip("Unsupported protocol version");
11439 return 1;
11440 }
11441
11442 if (is_fips
11443 && (version == SSL3_VERSION
11444 || version == TLS1_VERSION
11445 || version == DTLS1_VERSION)) {
11446 TEST_skip("Protocol version not supported with FIPS");
11447 return 1;
11448 }
11449
11450#if !defined(OPENSSL_NO_DTLS)
11451 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11452 servmeth = DTLS_server_method();
11453 clientmeth = DTLS_client_method();
11454 }
11455#endif
11456
11457 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11458 version, &sctx, &cctx, cert, privkey)))
11459 goto end;
11460
11461 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11462 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11463 "DEFAULT:@SECLEVEL=0")))
11464 goto end;
11465
11466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11467 &clientssl, NULL, NULL)))
11468 goto end;
11469
11470 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11471 goto end;
11472
11473 if (!TEST_int_eq(SSL_version(serverssl), version)
11474 || !TEST_int_eq(SSL_version(clientssl), version)
11475 || !TEST_true(check_version_string(serverssl, version))
11476 || !TEST_true(check_version_string(clientssl, version)))
11477 goto end;
11478
11479 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11480 if (!TEST_true(SSL_is_dtls(serverssl))
11481 || !TEST_true(SSL_is_dtls(clientssl))
11482 || !TEST_false(SSL_is_tls(serverssl))
11483 || !TEST_false(SSL_is_tls(clientssl))
11484 || !TEST_false(SSL_is_quic(serverssl))
11485 || !TEST_false(SSL_is_quic(clientssl)))
11486 goto end;
11487 } else {
11488 if (!TEST_true(SSL_is_tls(serverssl))
11489 || !TEST_true(SSL_is_tls(clientssl))
11490 || !TEST_false(SSL_is_dtls(serverssl))
11491 || !TEST_false(SSL_is_dtls(clientssl))
11492 || !TEST_false(SSL_is_quic(serverssl))
11493 || !TEST_false(SSL_is_quic(clientssl)))
11494 goto end;
11495 }
11496
11497 testresult = 1;
11498end:
11499 SSL_free(serverssl);
11500 SSL_free(clientssl);
11501 SSL_CTX_free(sctx);
11502 SSL_CTX_free(cctx);
11503 return testresult;
11504}
11505
11506/*
11507 * Test that the SSL_rstate_string*() APIs return sane results
11508 */
11509static int test_rstate_string(void)
11510{
11511 SSL_CTX *cctx = NULL, *sctx = NULL;
11512 SSL *clientssl = NULL, *serverssl = NULL;
11513 int testresult = 0, version;
11514 const SSL_METHOD *servmeth = TLS_server_method();
11515 const SSL_METHOD *clientmeth = TLS_client_method();
11516 size_t written, readbytes;
11517 unsigned char buf[2];
11518 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11519 SSL3_RT_APPLICATION_DATA,
11520 TLS1_2_VERSION_MAJOR,
11521 0, /* To be filled in later */
11522 0,
11523 1
11524 };
11525
11526 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11527 0, &sctx, &cctx, cert, privkey)))
11528 goto end;
11529
11530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11531 &clientssl, NULL, NULL)))
11532 goto end;
11533
11534 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11535 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11536 goto end;
11537
11538 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11539 goto end;
11540
11541 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11542 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11543 goto end;
11544
11545 /* Fill in the correct version for the record header */
11546 version = SSL_version(serverssl);
11547 if (version == TLS1_3_VERSION)
11548 version = TLS1_2_VERSION;
11549 dummyheader[2] = version & 0xff;
11550
11551 /*
11552 * Send a dummy header. If we continued to read the body as well this
11553 * would fail with a bad record mac, but we're not going to go that far.
11554 */
11555 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11556 sizeof(dummyheader), &written))
11557 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11558 goto end;
11559
11560 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11561 goto end;
11562
11563 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11564 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11565 goto end;
11566
11567 testresult = 1;
11568end:
11569 SSL_free(serverssl);
11570 SSL_free(clientssl);
11571 SSL_CTX_free(sctx);
11572 SSL_CTX_free(cctx);
11573 return testresult;
11574}
11575
11576/*
11577 * Force a write retry during handshaking. We test various combinations of
11578 * scenarios. We test a large certificate message which will fill the buffering
11579 * BIO used in the handshake. We try with client auth on and off. Finally we
11580 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11581 * to indicate retry via -1 - but sometimes BIOs don't do that.
11582 *
11583 * Test 0: Standard certificate message
11584 * Test 1: Large certificate message
11585 * Test 2: Standard cert, verify peer
11586 * Test 3: Large cert, verify peer
11587 * Test 4: Standard cert, BIO returns 0 on retry
11588 * Test 5: Large cert, BIO returns 0 on retry
11589 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11590 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11591 * Test 8-15: Repeat of above with TLSv1.2
11592 */
11593static int test_handshake_retry(int idx)
11594{
11595 SSL_CTX *cctx = NULL, *sctx = NULL;
11596 SSL *clientssl = NULL, *serverssl = NULL;
11597 int testresult = 0;
11598 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11599 int maxversion = 0;
11600
11601 if (!TEST_ptr(bretry))
11602 goto end;
11603
11604#ifndef OPENSSL_NO_TLS1_2
11605 if ((idx & 8) == 8)
11606 maxversion = TLS1_2_VERSION;
11607#else
11608 if ((idx & 8) == 8)
11609 return TEST_skip("No TLSv1.2");
11610#endif
11611
11612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11613 TLS_client_method(), 0, maxversion,
11614 &sctx, &cctx, cert, privkey)))
11615 goto end;
11616
11617 /*
11618 * Add a large amount of data to fill the buffering BIO used by the SSL
11619 * object
11620 */
11621 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11622 goto end;
11623
11624 /*
11625 * We don't actually configure a client cert, but neither do we fail if one
11626 * isn't present.
11627 */
11628 if ((idx & 2) == 2)
11629 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11630
11631 if ((idx & 4) == 4)
11632 set_always_retry_err_val(0);
11633
11634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11635 &clientssl, NULL, NULL)))
11636 goto end;
11637
11638 tmp = SSL_get_wbio(serverssl);
11639 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11640 tmp = NULL;
11641 goto end;
11642 }
11643 SSL_set0_wbio(serverssl, bretry);
11644 bretry = NULL;
11645
11646 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11647 goto end;
11648
11649 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11650 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11651 goto end;
11652
11653 /* Restore a BIO that will let the write succeed */
11654 SSL_set0_wbio(serverssl, tmp);
11655 tmp = NULL;
11656
11657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11658 goto end;
11659
11660 testresult = 1;
11661end:
11662 SSL_free(serverssl);
11663 SSL_free(clientssl);
11664 SSL_CTX_free(sctx);
11665 SSL_CTX_free(cctx);
11666 BIO_free(bretry);
11667 BIO_free(tmp);
11668 set_always_retry_err_val(-1);
11669 return testresult;
11670}
11671
11672/*
11673 * Test that receiving retries when writing application data works as expected
11674 */
11675static int test_data_retry(void)
11676{
11677 SSL_CTX *cctx = NULL, *sctx = NULL;
11678 SSL *clientssl = NULL, *serverssl = NULL;
11679 int testresult = 0;
11680 unsigned char inbuf[1200], outbuf[1200];
11681 size_t i;
11682 BIO *tmp = NULL;
11683 BIO *bretry = BIO_new(bio_s_maybe_retry());
11684 size_t written, readbytes, totread = 0;
11685
11686 if (!TEST_ptr(bretry))
11687 goto end;
11688
11689 for (i = 0; i < sizeof(inbuf); i++)
11690 inbuf[i] = (unsigned char)(0xff & i);
11691 memset(outbuf, 0, sizeof(outbuf));
11692
11693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11694 TLS_client_method(), 0, 0, &sctx, &cctx,
11695 cert, privkey)))
11696 goto end;
11697
11698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11699 NULL)))
11700 goto end;
11701
11702 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11703 goto end;
11704
11705 /* Smallest possible max send fragment is 512 */
11706 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11707 goto end;
11708
11709 tmp = SSL_get_wbio(clientssl);
11710 if (!TEST_ptr(tmp))
11711 goto end;
11712 if (!TEST_true(BIO_up_ref(tmp)))
11713 goto end;
11714 BIO_push(bretry, tmp);
11715 tmp = NULL;
11716 SSL_set0_wbio(clientssl, bretry);
11717 if (!BIO_up_ref(bretry)) {
11718 bretry = NULL;
11719 goto end;
11720 }
11721
11722 for (i = 0; i < 3; i++) {
11723 /* We expect this call to make no progress and indicate retry */
11724 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11725 goto end;
11726 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11727 goto end;
11728
11729 /* Allow one write to progress, but the next one to signal retry */
11730 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11731 NULL)))
11732 goto end;
11733
11734 if (i == 2)
11735 break;
11736
11737 /*
11738 * This call will hopefully make progress but will still indicate retry
11739 * because there is more data than will fit into a single record.
11740 */
11741 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11742 goto end;
11743 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11744 goto end;
11745 }
11746
11747 /* The final call should write the last chunk of data and succeed */
11748 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11749 goto end;
11750 /* Read all the data available */
11751 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11752 &readbytes))
11753 totread += readbytes;
11754 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11755 goto end;
11756
11757 testresult = 1;
11758end:
11759 SSL_free(serverssl);
11760 SSL_free(clientssl);
11761 SSL_CTX_free(sctx);
11762 SSL_CTX_free(cctx);
11763 BIO_free_all(bretry);
11764 BIO_free(tmp);
11765 return testresult;
11766}
11767
11768struct resume_servername_cb_data {
11769 int i;
11770 SSL_CTX *cctx;
11771 SSL_CTX *sctx;
11772 SSL_SESSION *sess;
11773 int recurse;
11774};
11775
11776/*
11777 * Servername callback. We use it here to run another complete handshake using
11778 * the same session - and mark the session as not_resuamble at the end
11779 */
11780static int resume_servername_cb(SSL *s, int *ad, void *arg)
11781{
11782 struct resume_servername_cb_data *cbdata = arg;
11783 SSL *serverssl = NULL, *clientssl = NULL;
11784 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11785
11786 if (cbdata->recurse)
11787 return SSL_TLSEXT_ERR_ALERT_FATAL;
11788
11789 if ((cbdata->i % 3) != 1)
11790 return SSL_TLSEXT_ERR_OK;
11791
11792 cbdata->recurse = 1;
11793
11794 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11795 &clientssl, NULL, NULL))
11796 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11797 goto end;
11798
11799 ERR_set_mark();
11800 /*
11801 * We expect this to fail - because the servername cb will fail. This will
11802 * mark the session as not_resumable.
11803 */
11804 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11805 ERR_clear_last_mark();
11806 goto end;
11807 }
11808 ERR_pop_to_mark();
11809
11810 ret = SSL_TLSEXT_ERR_OK;
11811 end:
11812 SSL_free(serverssl);
11813 SSL_free(clientssl);
11814 cbdata->recurse = 0;
11815 return ret;
11816}
11817/*
11818 * Test multiple resumptions and cache size handling
11819 * Test 0: TLSv1.3 (max_early_data set)
11820 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11821 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
11822 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11823 * Test 4: TLSv1.2
11824 */
11825static int test_multi_resume(int idx)
11826{
11827 SSL_CTX *sctx = NULL, *cctx = NULL;
11828 SSL *serverssl = NULL, *clientssl = NULL;
11829 SSL_SESSION *sess = NULL;
11830 int max_version = TLS1_3_VERSION;
11831 int i, testresult = 0;
11832 struct resume_servername_cb_data cbdata;
11833
11834#if defined(OPENSSL_NO_TLS1_2)
11835 if (idx == 4)
11836 return TEST_skip("TLSv1.2 is disabled in this build");
11837#else
11838 if (idx == 4)
11839 max_version = TLS1_2_VERSION;
11840#endif
11841#if defined(OSSL_NO_USABLE_TLS1_3)
11842 if (idx != 4)
11843 return TEST_skip("No usable TLSv1.3 in this build");
11844#endif
11845
11846 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11847 TLS_client_method(), TLS1_VERSION,
11848 max_version, &sctx, &cctx, cert,
11849 privkey)))
11850 goto end;
11851
11852 /*
11853 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11854 * replay protection), or if SSL_OP_NO_TICKET is in use
11855 */
11856 if (idx == 0 || idx == 2) {
11857 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11858 goto end;
11859 }
11860 if (idx == 1 || idx == 2 || idx == 3)
11861 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11862
11863 SSL_CTX_sess_set_cache_size(sctx, 5);
11864
11865 if (idx == 3) {
11866 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11867 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11868 cbdata.cctx = cctx;
11869 cbdata.sctx = sctx;
11870 cbdata.recurse = 0;
11871 }
11872
11873 for (i = 0; i < 30; i++) {
11874 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11875 NULL, NULL))
11876 || !TEST_true(SSL_set_session(clientssl, sess)))
11877 goto end;
11878
11879 /*
11880 * Check simultaneous resumes. We pause the connection part way through
11881 * the handshake by (mis)using the servername_cb. The pause occurs after
11882 * session resumption has already occurred, but before any session
11883 * tickets have been issued. While paused we run another complete
11884 * handshake resuming the same session.
11885 */
11886 if (idx == 3) {
11887 cbdata.i = i;
11888 cbdata.sess = sess;
11889 }
11890
11891 /*
11892 * Recreate a bug where dynamically changing the max_early_data value
11893 * can cause sessions in the session cache which cannot be deleted.
11894 */
11895 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11896 SSL_set_max_early_data(serverssl, 0);
11897
11898 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11899 goto end;
11900
11901 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11902 if (!TEST_false(SSL_session_reused(clientssl)))
11903 goto end;
11904 } else {
11905 if (!TEST_true(SSL_session_reused(clientssl)))
11906 goto end;
11907 }
11908 SSL_SESSION_free(sess);
11909
11910 /* Do a full handshake, followed by two resumptions */
11911 if ((i % 3) == 2) {
11912 sess = NULL;
11913 } else {
11914 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11915 goto end;
11916 }
11917
11918 SSL_shutdown(clientssl);
11919 SSL_shutdown(serverssl);
11920 SSL_free(serverssl);
11921 SSL_free(clientssl);
11922 serverssl = clientssl = NULL;
11923 }
11924
11925 /* We should never exceed the session cache size limit */
11926 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11927 goto end;
11928
11929 testresult = 1;
11930 end:
11931 SSL_free(serverssl);
11932 SSL_free(clientssl);
11933 SSL_CTX_free(sctx);
11934 SSL_CTX_free(cctx);
11935 SSL_SESSION_free(sess);
11936 return testresult;
11937}
11938
11939static struct next_proto_st {
11940 int serverlen;
11941 unsigned char server[40];
11942 int clientlen;
11943 unsigned char client[40];
11944 int expected_ret;
11945 size_t selectedlen;
11946 unsigned char selected[40];
11947} next_proto_tests[] = {
11948 {
11949 4, { 3, 'a', 'b', 'c' },
11950 4, { 3, 'a', 'b', 'c' },
11951 OPENSSL_NPN_NEGOTIATED,
11952 3, { 'a', 'b', 'c' }
11953 },
11954 {
11955 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
11956 4, { 3, 'a', 'b', 'c' },
11957 OPENSSL_NPN_NEGOTIATED,
11958 3, { 'a', 'b', 'c' }
11959 },
11960 {
11961 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
11962 4, { 3, 'a', 'b', 'c' },
11963 OPENSSL_NPN_NEGOTIATED,
11964 3, { 'a', 'b', 'c' }
11965 },
11966 {
11967 4, { 3, 'a', 'b', 'c' },
11968 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
11969 OPENSSL_NPN_NEGOTIATED,
11970 3, { 'a', 'b', 'c' }
11971 },
11972 {
11973 4, { 3, 'a', 'b', 'c' },
11974 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
11975 OPENSSL_NPN_NEGOTIATED,
11976 3, { 'a', 'b', 'c' }
11977 },
11978 {
11979 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
11980 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
11981 OPENSSL_NPN_NEGOTIATED,
11982 3, { 'a', 'b', 'c' }
11983 },
11984 {
11985 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
11986 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
11987 OPENSSL_NPN_NEGOTIATED,
11988 3, { 'a', 'b', 'c' }
11989 },
11990 {
11991 4, { 3, 'b', 'c', 'd' },
11992 4, { 3, 'a', 'b', 'c' },
11993 OPENSSL_NPN_NO_OVERLAP,
11994 3, { 'a', 'b', 'c' }
11995 },
11996 {
11997 0, { 0 },
11998 4, { 3, 'a', 'b', 'c' },
11999 OPENSSL_NPN_NO_OVERLAP,
12000 3, { 'a', 'b', 'c' }
12001 },
12002 {
12003 -1, { 0 },
12004 4, { 3, 'a', 'b', 'c' },
12005 OPENSSL_NPN_NO_OVERLAP,
12006 3, { 'a', 'b', 'c' }
12007 },
12008 {
12009 4, { 3, 'a', 'b', 'c' },
12010 0, { 0 },
12011 OPENSSL_NPN_NO_OVERLAP,
12012 0, { 0 }
12013 },
12014 {
12015 4, { 3, 'a', 'b', 'c' },
12016 -1, { 0 },
12017 OPENSSL_NPN_NO_OVERLAP,
12018 0, { 0 }
12019 },
12020 {
12021 3, { 3, 'a', 'b', 'c' },
12022 4, { 3, 'a', 'b', 'c' },
12023 OPENSSL_NPN_NO_OVERLAP,
12024 3, { 'a', 'b', 'c' }
12025 },
12026 {
12027 4, { 3, 'a', 'b', 'c' },
12028 3, { 3, 'a', 'b', 'c' },
12029 OPENSSL_NPN_NO_OVERLAP,
12030 0, { 0 }
12031 }
12032};
12033
12034static int test_select_next_proto(int idx)
12035{
12036 struct next_proto_st *np = &next_proto_tests[idx];
12037 int ret = 0;
12038 unsigned char *out, *client, *server;
12039 unsigned char outlen;
12040 unsigned int clientlen, serverlen;
12041
12042 if (np->clientlen == -1) {
12043 client = NULL;
12044 clientlen = 0;
12045 } else {
12046 client = np->client;
12047 clientlen = (unsigned int)np->clientlen;
12048 }
12049 if (np->serverlen == -1) {
12050 server = NULL;
12051 serverlen = 0;
12052 } else {
12053 server = np->server;
12054 serverlen = (unsigned int)np->serverlen;
12055 }
12056
12057 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
12058 client, clientlen),
12059 np->expected_ret))
12060 goto err;
12061
12062 if (np->selectedlen == 0) {
12063 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
12064 goto err;
12065 } else {
12066 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
12067 goto err;
12068 }
12069
12070 ret = 1;
12071 err:
12072 return ret;
12073}
12074
12075static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
12076static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
12077
12078#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
12079static int npn_advert_cb(SSL *ssl, const unsigned char **out,
12080 unsigned int *outlen, void *arg)
12081{
12082 int *idx = (int *)arg;
12083
12084 switch (*idx) {
12085 default:
12086 case 0:
12087 *out = fooprot;
12088 *outlen = sizeof(fooprot);
12089 return SSL_TLSEXT_ERR_OK;
12090
12091 case 1:
12092 *outlen = 0;
12093 return SSL_TLSEXT_ERR_OK;
12094
12095 case 2:
12096 return SSL_TLSEXT_ERR_NOACK;
12097 }
12098}
12099
12100static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
12101 const unsigned char *in, unsigned int inlen, void *arg)
12102{
12103 int *idx = (int *)arg;
12104
12105 switch (*idx) {
12106 case 0:
12107 case 1:
12108 *out = (unsigned char *)(fooprot + 1);
12109 *outlen = *fooprot;
12110 return SSL_TLSEXT_ERR_OK;
12111
12112 case 3:
12113 *out = (unsigned char *)(barprot + 1);
12114 *outlen = *barprot;
12115 return SSL_TLSEXT_ERR_OK;
12116
12117 case 4:
12118 *outlen = 0;
12119 return SSL_TLSEXT_ERR_OK;
12120
12121 default:
12122 case 2:
12123 return SSL_TLSEXT_ERR_ALERT_FATAL;
12124 }
12125}
12126
12127/*
12128 * Test the NPN callbacks
12129 * Test 0: advert = foo, select = foo
12130 * Test 1: advert = <empty>, select = foo
12131 * Test 2: no advert
12132 * Test 3: advert = foo, select = bar
12133 * Test 4: advert = foo, select = <empty> (should fail)
12134 */
12135static int test_npn(int idx)
12136{
12137 SSL_CTX *sctx = NULL, *cctx = NULL;
12138 SSL *serverssl = NULL, *clientssl = NULL;
12139 int testresult = 0;
12140
12141 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12142 TLS_client_method(), 0, TLS1_2_VERSION,
12143 &sctx, &cctx, cert, privkey)))
12144 goto end;
12145
12146 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
12147 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
12148
12149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12150 NULL)))
12151 goto end;
12152
12153 if (idx == 4) {
12154 /* We don't allow empty selection of NPN, so this should fail */
12155 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12156 SSL_ERROR_NONE)))
12157 goto end;
12158 } else {
12159 const unsigned char *prot;
12160 unsigned int protlen;
12161
12162 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12163 SSL_ERROR_NONE)))
12164 goto end;
12165
12166 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
12167 switch (idx) {
12168 case 0:
12169 case 1:
12170 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12171 goto end;
12172 break;
12173 case 2:
12174 if (!TEST_uint_eq(protlen, 0))
12175 goto end;
12176 break;
12177 case 3:
12178 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
12179 goto end;
12180 break;
12181 default:
12182 TEST_error("Should not get here");
12183 goto end;
12184 }
12185 }
12186
12187 testresult = 1;
12188 end:
12189 SSL_free(serverssl);
12190 SSL_free(clientssl);
12191 SSL_CTX_free(sctx);
12192 SSL_CTX_free(cctx);
12193
12194 return testresult;
12195}
12196#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12197
12198static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
12199 unsigned char *outlen, const unsigned char *in,
12200 unsigned int inlen, void *arg)
12201{
12202 int *idx = (int *)arg;
12203
12204 switch (*idx) {
12205 case 0:
12206 *out = (unsigned char *)(fooprot + 1);
12207 *outlen = *fooprot;
12208 return SSL_TLSEXT_ERR_OK;
12209
12210 case 2:
12211 *out = (unsigned char *)(barprot + 1);
12212 *outlen = *barprot;
12213 return SSL_TLSEXT_ERR_OK;
12214
12215 case 3:
12216 *outlen = 0;
12217 return SSL_TLSEXT_ERR_OK;
12218
12219 default:
12220 case 1:
12221 return SSL_TLSEXT_ERR_ALERT_FATAL;
12222 }
12223 return 0;
12224}
12225
12226/*
12227 * Test the ALPN callbacks
12228 * Test 0: client = foo, select = foo
12229 * Test 1: client = <empty>, select = none
12230 * Test 2: client = foo, select = bar (should fail)
12231 * Test 3: client = foo, select = <empty> (should fail)
12232 */
12233static int test_alpn(int idx)
12234{
12235 SSL_CTX *sctx = NULL, *cctx = NULL;
12236 SSL *serverssl = NULL, *clientssl = NULL;
12237 int testresult = 0;
12238 const unsigned char *prots = fooprot;
12239 unsigned int protslen = sizeof(fooprot);
12240
12241 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12242 TLS_client_method(), 0, 0,
12243 &sctx, &cctx, cert, privkey)))
12244 goto end;
12245
12246 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
12247
12248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12249 NULL)))
12250 goto end;
12251
12252 if (idx == 1) {
12253 prots = NULL;
12254 protslen = 0;
12255 }
12256
12257 /* SSL_set_alpn_protos returns 0 for success! */
12258 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
12259 goto end;
12260
12261 if (idx == 2 || idx == 3) {
12262 /* We don't allow empty selection of NPN, so this should fail */
12263 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12264 SSL_ERROR_NONE)))
12265 goto end;
12266 } else {
12267 const unsigned char *prot;
12268 unsigned int protlen;
12269
12270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12271 SSL_ERROR_NONE)))
12272 goto end;
12273
12274 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
12275 switch (idx) {
12276 case 0:
12277 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12278 goto end;
12279 break;
12280 case 1:
12281 if (!TEST_uint_eq(protlen, 0))
12282 goto end;
12283 break;
12284 default:
12285 TEST_error("Should not get here");
12286 goto end;
12287 }
12288 }
12289
12290 testresult = 1;
12291 end:
12292 SSL_free(serverssl);
12293 SSL_free(clientssl);
12294 SSL_CTX_free(sctx);
12295 SSL_CTX_free(cctx);
12296
12297 return testresult;
12298}
12299
12300OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
12301
12302int setup_tests(void)
12303{
12304 char *modulename;
12305 char *configfile;
12306
12307 libctx = OSSL_LIB_CTX_new();
12308 if (!TEST_ptr(libctx))
12309 return 0;
12310
12311 defctxnull = OSSL_PROVIDER_load(NULL, "null");
12312
12313 /*
12314 * Verify that the default and fips providers in the default libctx are not
12315 * available
12316 */
12317 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
12318 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
12319 return 0;
12320
12321 if (!test_skip_common_options()) {
12322 TEST_error("Error parsing test options\n");
12323 return 0;
12324 }
12325
12326 if (!TEST_ptr(certsdir = test_get_argument(0))
12327 || !TEST_ptr(srpvfile = test_get_argument(1))
12328 || !TEST_ptr(tmpfilename = test_get_argument(2))
12329 || !TEST_ptr(modulename = test_get_argument(3))
12330 || !TEST_ptr(configfile = test_get_argument(4))
12331 || !TEST_ptr(dhfile = test_get_argument(5)))
12332 return 0;
12333
12334 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
12335 return 0;
12336
12337 /* Check we have the expected provider available */
12338 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
12339 return 0;
12340
12341 /* Check the default provider is not available */
12342 if (strcmp(modulename, "default") != 0
12343 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
12344 return 0;
12345
12346 if (strcmp(modulename, "fips") == 0) {
12347 OSSL_PROVIDER *prov = NULL;
12348 OSSL_PARAM params[2];
12349
12350 is_fips = 1;
12351
12352 prov = OSSL_PROVIDER_load(libctx, "fips");
12353 if (prov != NULL) {
12354 /* Query the fips provider to check if the check ems option is enabled */
12355 params[0] =
12356 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
12357 &fips_ems_check);
12358 params[1] = OSSL_PARAM_construct_end();
12359 OSSL_PROVIDER_get_params(prov, params);
12360 OSSL_PROVIDER_unload(prov);
12361 }
12362 }
12363
12364 /*
12365 * We add, but don't load the test "tls-provider". We'll load it when we
12366 * need it.
12367 */
12368 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
12369 tls_provider_init)))
12370 return 0;
12371
12372
12373 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
12374#ifdef OPENSSL_NO_CRYPTO_MDEBUG
12375 TEST_error("not supported in this build");
12376 return 0;
12377#else
12378 int i, mcount, rcount, fcount;
12379
12380 for (i = 0; i < 4; i++)
12381 test_export_key_mat(i);
12382 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
12383 test_printf_stdout("malloc %d realloc %d free %d\n",
12384 mcount, rcount, fcount);
12385 return 1;
12386#endif
12387 }
12388
12389 cert = test_mk_file_path(certsdir, "servercert.pem");
12390 if (cert == NULL)
12391 goto err;
12392
12393 privkey = test_mk_file_path(certsdir, "serverkey.pem");
12394 if (privkey == NULL)
12395 goto err;
12396
12397 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
12398 if (cert2 == NULL)
12399 goto err;
12400
12401 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
12402 if (privkey2 == NULL)
12403 goto err;
12404
12405 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
12406 if (cert1024 == NULL)
12407 goto err;
12408
12409 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
12410 if (privkey1024 == NULL)
12411 goto err;
12412
12413 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
12414 if (cert3072 == NULL)
12415 goto err;
12416
12417 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
12418 if (privkey3072 == NULL)
12419 goto err;
12420
12421 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
12422 if (cert4096 == NULL)
12423 goto err;
12424
12425 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
12426 if (privkey4096 == NULL)
12427 goto err;
12428
12429 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
12430 if (cert8192 == NULL)
12431 goto err;
12432
12433 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
12434 if (privkey8192 == NULL)
12435 goto err;
12436
12437 if (fips_ems_check) {
12438#ifndef OPENSSL_NO_TLS1_2
12439 ADD_TEST(test_no_ems);
12440#endif
12441 return 1;
12442 }
12443#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
12444# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
12445 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
12446 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
12447# endif
12448#endif
12449 ADD_TEST(test_large_message_tls);
12450 ADD_TEST(test_large_message_tls_read_ahead);
12451#ifndef OPENSSL_NO_DTLS
12452 ADD_TEST(test_large_message_dtls);
12453#endif
12454 ADD_ALL_TESTS(test_large_app_data, 28);
12455 ADD_TEST(test_cleanse_plaintext);
12456#ifndef OPENSSL_NO_OCSP
12457 ADD_TEST(test_tlsext_status_type);
12458#endif
12459 ADD_TEST(test_session_with_only_int_cache);
12460 ADD_TEST(test_session_with_only_ext_cache);
12461 ADD_TEST(test_session_with_both_cache);
12462 ADD_TEST(test_session_wo_ca_names);
12463#ifndef OSSL_NO_USABLE_TLS1_3
12464 ADD_ALL_TESTS(test_stateful_tickets, 3);
12465 ADD_ALL_TESTS(test_stateless_tickets, 3);
12466 ADD_TEST(test_psk_tickets);
12467 ADD_ALL_TESTS(test_extra_tickets, 6);
12468#endif
12469 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
12470 ADD_TEST(test_ssl_bio_pop_next_bio);
12471 ADD_TEST(test_ssl_bio_pop_ssl_bio);
12472 ADD_TEST(test_ssl_bio_change_rbio);
12473 ADD_TEST(test_ssl_bio_change_wbio);
12474#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
12475 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
12476 ADD_TEST(test_keylog);
12477#endif
12478#ifndef OSSL_NO_USABLE_TLS1_3
12479 ADD_TEST(test_keylog_no_master_key);
12480#endif
12481 ADD_TEST(test_client_cert_verify_cb);
12482 ADD_TEST(test_ssl_build_cert_chain);
12483 ADD_TEST(test_ssl_ctx_build_cert_chain);
12484#ifndef OPENSSL_NO_TLS1_2
12485 ADD_TEST(test_client_hello_cb);
12486 ADD_TEST(test_no_ems);
12487 ADD_TEST(test_ccs_change_cipher);
12488#endif
12489#ifndef OSSL_NO_USABLE_TLS1_3
12490 ADD_ALL_TESTS(test_early_data_read_write, 6);
12491 /*
12492 * We don't do replay tests for external PSK. Replay protection isn't used
12493 * in that scenario.
12494 */
12495 ADD_ALL_TESTS(test_early_data_replay, 2);
12496 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12497 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12498 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12499 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
12500 ADD_ALL_TESTS(test_early_data_not_sent, 3);
12501 ADD_ALL_TESTS(test_early_data_psk, 8);
12502 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
12503 ADD_ALL_TESTS(test_early_data_not_expected, 3);
12504# ifndef OPENSSL_NO_TLS1_2
12505 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
12506# endif
12507#endif
12508#ifndef OSSL_NO_USABLE_TLS1_3
12509 ADD_ALL_TESTS(test_set_ciphersuite, 10);
12510 ADD_TEST(test_ciphersuite_change);
12511 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12512# ifdef OPENSSL_NO_PSK
12513 ADD_ALL_TESTS(test_tls13_psk, 1);
12514# else
12515 ADD_ALL_TESTS(test_tls13_psk, 4);
12516# endif /* OPENSSL_NO_PSK */
12517#ifndef OSSL_NO_USABLE_TLS1_3
12518 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12519#endif /* OSSL_NO_USABLE_TLS1_3 */
12520# ifndef OPENSSL_NO_TLS1_2
12521 /* Test with both TLSv1.3 and 1.2 versions */
12522 ADD_ALL_TESTS(test_key_exchange, 14);
12523# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12524 ADD_ALL_TESTS(test_negotiated_group,
12525 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12526 + OSSL_NELEM(ffdhe_kexch_groups)));
12527# endif
12528# else
12529 /* Test with only TLSv1.3 versions */
12530 ADD_ALL_TESTS(test_key_exchange, 12);
12531# endif
12532 ADD_ALL_TESTS(test_custom_exts, 6);
12533 ADD_TEST(test_stateless);
12534 ADD_TEST(test_pha_key_update);
12535#else
12536 ADD_ALL_TESTS(test_custom_exts, 3);
12537#endif
12538 ADD_ALL_TESTS(test_export_key_mat, 6);
12539#ifndef OSSL_NO_USABLE_TLS1_3
12540 ADD_ALL_TESTS(test_export_key_mat_early, 3);
12541 ADD_TEST(test_key_update);
12542 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12543 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12544 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12545 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
12546#endif
12547 ADD_ALL_TESTS(test_ssl_clear, 8);
12548 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
12549#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12550 ADD_ALL_TESTS(test_srp, 6);
12551#endif
12552#if !defined(OPENSSL_NO_COMP_ALG)
12553 /* Add compression case */
12554 ADD_ALL_TESTS(test_info_callback, 8);
12555#else
12556 ADD_ALL_TESTS(test_info_callback, 6);
12557#endif
12558 ADD_ALL_TESTS(test_ssl_pending, 2);
12559 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
12560 ADD_ALL_TESTS(test_ticket_callbacks, 20);
12561 ADD_ALL_TESTS(test_shutdown, 7);
12562 ADD_TEST(test_async_shutdown);
12563 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
12564 ADD_ALL_TESTS(test_cert_cb, 6);
12565 ADD_ALL_TESTS(test_client_cert_cb, 2);
12566 ADD_ALL_TESTS(test_ca_names, 3);
12567#ifndef OPENSSL_NO_TLS1_2
12568 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12569#endif
12570 ADD_ALL_TESTS(test_servername, 10);
12571 ADD_TEST(test_unknown_sigalgs_groups);
12572#if !defined(OPENSSL_NO_EC) \
12573 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
12574 ADD_ALL_TESTS(test_sigalgs_available, 6);
12575#endif
12576#ifndef OPENSSL_NO_TLS1_3
12577 ADD_ALL_TESTS(test_pluggable_group, 2);
12578 ADD_ALL_TESTS(test_pluggable_signature, 4);
12579#endif
12580#ifndef OPENSSL_NO_TLS1_2
12581 ADD_TEST(test_ssl_dup);
12582 ADD_TEST(test_session_secret_cb);
12583# ifndef OPENSSL_NO_DH
12584 ADD_ALL_TESTS(test_set_tmp_dh, 11);
12585 ADD_ALL_TESTS(test_dh_auto, 7);
12586# endif
12587#endif
12588#ifndef OSSL_NO_USABLE_TLS1_3
12589 ADD_TEST(test_sni_tls13);
12590 ADD_ALL_TESTS(test_ticket_lifetime, 2);
12591#endif
12592 ADD_TEST(test_inherit_verify_param);
12593 ADD_TEST(test_set_alpn);
12594 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12595 ADD_TEST(test_set_verify_cert_store_ssl);
12596 ADD_ALL_TESTS(test_session_timeout, 1);
12597#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12598 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12599#endif
12600 ADD_TEST(test_load_dhfile);
12601#ifndef OSSL_NO_USABLE_TLS1_3
12602 ADD_TEST(test_read_ahead_key_change);
12603 ADD_ALL_TESTS(test_tls13_record_padding, 4);
12604#endif
12605#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12606 ADD_ALL_TESTS(test_serverinfo_custom, 4);
12607#endif
12608#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
12609 ADD_ALL_TESTS(test_pipelining, 7);
12610#endif
12611 ADD_ALL_TESTS(test_version, 6);
12612 ADD_TEST(test_rstate_string);
12613 ADD_ALL_TESTS(test_handshake_retry, 16);
12614 ADD_TEST(test_data_retry);
12615 ADD_ALL_TESTS(test_multi_resume, 5);
12616 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
12617#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
12618 ADD_ALL_TESTS(test_npn, 5);
12619#endif
12620 ADD_ALL_TESTS(test_alpn, 4);
12621 return 1;
12622
12623 err:
12624 OPENSSL_free(cert);
12625 OPENSSL_free(privkey);
12626 OPENSSL_free(cert2);
12627 OPENSSL_free(privkey2);
12628 return 0;
12629}
12630
12631void cleanup_tests(void)
12632{
12633# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
12634 EVP_PKEY_free(tmp_dh_params);
12635#endif
12636 OPENSSL_free(cert);
12637 OPENSSL_free(privkey);
12638 OPENSSL_free(cert2);
12639 OPENSSL_free(privkey2);
12640 OPENSSL_free(cert1024);
12641 OPENSSL_free(privkey1024);
12642 OPENSSL_free(cert3072);
12643 OPENSSL_free(privkey3072);
12644 OPENSSL_free(cert4096);
12645 OPENSSL_free(privkey4096);
12646 OPENSSL_free(cert8192);
12647 OPENSSL_free(privkey8192);
12648 bio_s_mempacket_test_free();
12649 bio_s_always_retry_free();
12650 bio_s_maybe_retry_free();
12651 OSSL_PROVIDER_unload(defctxnull);
12652 OSSL_LIB_CTX_free(libctx);
12653}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette