1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "filterprov.h"
45
46 #undef OSSL_NO_USABLE_TLS1_3
47 #if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 /*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53 # define OSSL_NO_USABLE_TLS1_3
54 #endif
55
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62 static OSSL_LIB_CTX *libctx = NULL;
63 static OSSL_PROVIDER *defctxnull = NULL;
64
65 #ifndef OSSL_NO_USABLE_TLS1_3
66
67 static SSL_SESSION *clientpsk = NULL;
68 static SSL_SESSION *serverpsk = NULL;
69 static const char *pskid = "Identity";
70 static const char *srvid;
71
72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74 static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77 static int use_session_cb_cnt = 0;
78 static int find_session_cb_cnt = 0;
79
80 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81 #endif
82
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
99
100 static int is_fips = 0;
101
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t server_log_buffer_index = 0;
105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t client_log_buffer_index = 0;
107 static int error_writing_log = 0;
108
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder[] = "Dummy OCSP Response";
111 static int ocsp_server_called = 0;
112 static int ocsp_client_called = 0;
113
114 static int cdummyarg = 1;
115 static X509 *ocspcert = NULL;
116 #endif
117
118 #define NUM_EXTRA_CERTS 40
119 #define CLIENT_VERSION_LEN 2
120
121 /*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135 };
136
137
hostname_cb(SSL * s,int * al,void * arg)138 static int hostname_cb(SSL *s, int *al, void *arg)
139 {
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147 }
148
client_keylog_callback(const SSL * ssl,const char * line)149 static void client_keylog_callback(const SSL *ssl, const char *line)
150 {
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163 }
164
server_keylog_callback(const SSL * ssl,const char * line)165 static void server_keylog_callback(const SSL *ssl, const char *line)
166 {
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179 }
180
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)181 static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185 {
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200 }
201
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205 {
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345 }
346
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
test_keylog(void)348 static int test_keylog(void)
349 {
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418 end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425 }
426 #endif
427
428 #ifndef OSSL_NO_USABLE_TLS1_3
test_keylog_no_master_key(void)429 static int test_keylog_no_master_key(void)
430 {
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534 end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542 }
543 #endif
544
verify_retry_cb(X509_STORE_CTX * ctx,void * arg)545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 {
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562 }
563
test_client_cert_verify_cb(void)564 static int test_client_cert_verify_cb(void)
565 {
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620 end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641 }
642
test_ssl_build_cert_chain(void)643 static int test_ssl_build_cert_chain(void)
644 {
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664 end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670 }
671
get_password_cb(char * buf,int size,int rw_flag,void * userdata)672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 {
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681 }
682
test_ssl_ctx_build_cert_chain(void)683 static int test_ssl_ctx_build_cert_chain(void)
684 {
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703 end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708 }
709
710 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
712 {
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
717 #ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 #else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722 #endif
723 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
725 11, 10,
726 #endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750 }
751
test_client_hello_cb(void)752 static int test_client_hello_cb(void)
753 {
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
781 goto end;
782
783 testresult = 1;
784
785 end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792 }
793
test_no_ems(void)794 static int test_no_ems(void)
795 {
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0;
799
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
815 printf("Creating SSL connection failed\n");
816 goto end;
817 }
818
819 if (SSL_get_extms_support(serverssl)) {
820 printf("Server reports Extended Master Secret support\n");
821 goto end;
822 }
823
824 if (SSL_get_extms_support(clientssl)) {
825 printf("Client reports Extended Master Secret support\n");
826 goto end;
827 }
828 testresult = 1;
829
830 end:
831 SSL_free(serverssl);
832 SSL_free(clientssl);
833 SSL_CTX_free(sctx);
834 SSL_CTX_free(cctx);
835
836 return testresult;
837 }
838
839 /*
840 * Very focused test to exercise a single case in the server-side state
841 * machine, when the ChangeCipherState message needs to actually change
842 * from one cipher to a different cipher (i.e., not changing from null
843 * encryption to real encryption).
844 */
test_ccs_change_cipher(void)845 static int test_ccs_change_cipher(void)
846 {
847 SSL_CTX *cctx = NULL, *sctx = NULL;
848 SSL *clientssl = NULL, *serverssl = NULL;
849 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850 int testresult = 0;
851 int i;
852 unsigned char buf;
853 size_t readbytes;
854
855 /*
856 * Create a conection so we can resume and potentially (but not) use
857 * a different cipher in the second connection.
858 */
859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
860 TLS_client_method(),
861 TLS1_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
865 NULL, NULL))
866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
868 SSL_ERROR_NONE))
869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
870 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
871 goto end;
872
873 shutdown_ssl_connection(serverssl, clientssl);
874 serverssl = clientssl = NULL;
875
876 /* Resume, preferring a different cipher. Our server will force the
877 * same cipher to be used as the initial handshake. */
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 NULL, NULL))
880 || !TEST_true(SSL_set_session(clientssl, sess))
881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
883 SSL_ERROR_NONE))
884 || !TEST_true(SSL_session_reused(clientssl))
885 || !TEST_true(SSL_session_reused(serverssl))
886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
887 || !TEST_ptr_eq(sesspre, sesspost)
888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
890 goto end;
891 shutdown_ssl_connection(serverssl, clientssl);
892 serverssl = clientssl = NULL;
893
894 /*
895 * Now create a fresh connection and try to renegotiate a different
896 * cipher on it.
897 */
898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
899 NULL, NULL))
900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
901 || !TEST_true(create_ssl_connection(serverssl, clientssl,
902 SSL_ERROR_NONE))
903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
905 || !TEST_true(SSL_renegotiate(clientssl))
906 || !TEST_true(SSL_renegotiate_pending(clientssl)))
907 goto end;
908 /* Actually drive the renegotiation. */
909 for (i = 0; i < 3; i++) {
910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
911 if (!TEST_ulong_eq(readbytes, 0))
912 goto end;
913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
914 SSL_ERROR_WANT_READ)) {
915 goto end;
916 }
917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 }
925 /* sesspre and sesspost should be different since the cipher changed. */
926 if (!TEST_false(SSL_renegotiate_pending(clientssl))
927 || !TEST_false(SSL_session_reused(clientssl))
928 || !TEST_false(SSL_session_reused(serverssl))
929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
930 || !TEST_ptr_ne(sesspre, sesspost)
931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
933 goto end;
934
935 shutdown_ssl_connection(serverssl, clientssl);
936 serverssl = clientssl = NULL;
937
938 testresult = 1;
939
940 end:
941 SSL_free(serverssl);
942 SSL_free(clientssl);
943 SSL_CTX_free(sctx);
944 SSL_CTX_free(cctx);
945 SSL_SESSION_free(sess);
946
947 return testresult;
948 }
949 #endif
950
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)951 static int execute_test_large_message(const SSL_METHOD *smeth,
952 const SSL_METHOD *cmeth,
953 int min_version, int max_version,
954 int read_ahead)
955 {
956 SSL_CTX *cctx = NULL, *sctx = NULL;
957 SSL *clientssl = NULL, *serverssl = NULL;
958 int testresult = 0;
959 int i;
960 BIO *certbio = NULL;
961 X509 *chaincert = NULL;
962 int certlen;
963
964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
965 goto end;
966
967 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
968 goto end;
969
970 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
971 goto end;
972 BIO_free(certbio);
973 certbio = NULL;
974
975 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
976 max_version, &sctx, &cctx, cert,
977 privkey)))
978 goto end;
979
980 #ifdef OPENSSL_NO_DTLS1_2
981 if (smeth == DTLS_server_method()) {
982 /*
983 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
984 * level 0
985 */
986 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
987 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
988 "DEFAULT:@SECLEVEL=0")))
989 goto end;
990 }
991 #endif
992
993 if (read_ahead) {
994 /*
995 * Test that read_ahead works correctly when dealing with large
996 * records
997 */
998 SSL_CTX_set_read_ahead(cctx, 1);
999 }
1000
1001 /*
1002 * We assume the supplied certificate is big enough so that if we add
1003 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1004 * default buffer size is requested to be 16k, but due to the way BUF_MEM
1005 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1006 * test we need to have a message larger than that.
1007 */
1008 certlen = i2d_X509(chaincert, NULL);
1009 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1010 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
1011 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
1012 if (!X509_up_ref(chaincert))
1013 goto end;
1014 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
1015 X509_free(chaincert);
1016 goto end;
1017 }
1018 }
1019
1020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1021 NULL, NULL))
1022 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1023 SSL_ERROR_NONE)))
1024 goto end;
1025
1026 /*
1027 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1028 * doesn't leak.
1029 */
1030 if (!TEST_true(SSL_clear(serverssl)))
1031 goto end;
1032
1033 testresult = 1;
1034 end:
1035 BIO_free(certbio);
1036 X509_free(chaincert);
1037 SSL_free(serverssl);
1038 SSL_free(clientssl);
1039 SSL_CTX_free(sctx);
1040 SSL_CTX_free(cctx);
1041
1042 return testresult;
1043 }
1044
1045 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1046 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1047 /* sock must be connected */
ktls_chk_platform(int sock)1048 static int ktls_chk_platform(int sock)
1049 {
1050 if (!ktls_enable(sock))
1051 return 0;
1052 return 1;
1053 }
1054
ping_pong_query(SSL * clientssl,SSL * serverssl)1055 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1056 {
1057 static char count = 1;
1058 unsigned char cbuf[16000] = {0};
1059 unsigned char sbuf[16000];
1060 size_t err = 0;
1061 char crec_wseq_before[SEQ_NUM_SIZE];
1062 char crec_wseq_after[SEQ_NUM_SIZE];
1063 char crec_rseq_before[SEQ_NUM_SIZE];
1064 char crec_rseq_after[SEQ_NUM_SIZE];
1065 char srec_wseq_before[SEQ_NUM_SIZE];
1066 char srec_wseq_after[SEQ_NUM_SIZE];
1067 char srec_rseq_before[SEQ_NUM_SIZE];
1068 char srec_rseq_after[SEQ_NUM_SIZE];
1069
1070 cbuf[0] = count++;
1071 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1072 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1074 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1075
1076 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1077 goto end;
1078
1079 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1080 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1081 goto end;
1082 }
1083 }
1084
1085 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1086 goto end;
1087
1088 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1089 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1090 goto end;
1091 }
1092 }
1093
1094 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1095 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1096 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1097 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1098
1099 /* verify the payload */
1100 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1101 goto end;
1102
1103 /*
1104 * If ktls is used then kernel sequences are used instead of
1105 * OpenSSL sequences
1106 */
1107 if (!BIO_get_ktls_send(clientssl->wbio)) {
1108 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1109 crec_wseq_after, SEQ_NUM_SIZE))
1110 goto end;
1111 } else {
1112 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1113 crec_wseq_after, SEQ_NUM_SIZE))
1114 goto end;
1115 }
1116
1117 if (!BIO_get_ktls_send(serverssl->wbio)) {
1118 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1119 srec_wseq_after, SEQ_NUM_SIZE))
1120 goto end;
1121 } else {
1122 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1123 srec_wseq_after, SEQ_NUM_SIZE))
1124 goto end;
1125 }
1126
1127 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1128 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1129 crec_rseq_after, SEQ_NUM_SIZE))
1130 goto end;
1131 } else {
1132 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1133 crec_rseq_after, SEQ_NUM_SIZE))
1134 goto end;
1135 }
1136
1137 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1138 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1139 srec_rseq_after, SEQ_NUM_SIZE))
1140 goto end;
1141 } else {
1142 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1143 srec_rseq_after, SEQ_NUM_SIZE))
1144 goto end;
1145 }
1146
1147 return 1;
1148 end:
1149 return 0;
1150 }
1151
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)1152 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1153 int tls_version, const char *cipher)
1154 {
1155 SSL_CTX *cctx = NULL, *sctx = NULL;
1156 SSL *clientssl = NULL, *serverssl = NULL;
1157 int ktls_used = 0, testresult = 0;
1158 int cfd = -1, sfd = -1;
1159 int rx_supported;
1160
1161 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1162 goto end;
1163
1164 /* Skip this test if the platform does not support ktls */
1165 if (!ktls_chk_platform(cfd)) {
1166 testresult = TEST_skip("Kernel does not support KTLS");
1167 goto end;
1168 }
1169
1170 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1171 testresult = TEST_skip("CHACHA is not supported in FIPS");
1172 goto end;
1173 }
1174
1175 /* Create a session based on SHA-256 */
1176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1177 TLS_client_method(),
1178 tls_version, tls_version,
1179 &sctx, &cctx, cert, privkey)))
1180 goto end;
1181
1182 if (tls_version == TLS1_3_VERSION) {
1183 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1184 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1185 goto end;
1186 } else {
1187 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1188 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1189 goto end;
1190 }
1191
1192 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1193 &clientssl, sfd, cfd)))
1194 goto end;
1195
1196 if (cis_ktls) {
1197 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1198 goto end;
1199 }
1200
1201 if (sis_ktls) {
1202 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1203 goto end;
1204 }
1205
1206 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1207 goto end;
1208
1209 /*
1210 * The running kernel may not support a given cipher suite
1211 * or direction, so just check that KTLS isn't used when it
1212 * isn't enabled.
1213 */
1214 if (!cis_ktls) {
1215 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1216 goto end;
1217 } else {
1218 if (BIO_get_ktls_send(clientssl->wbio))
1219 ktls_used = 1;
1220 }
1221
1222 if (!sis_ktls) {
1223 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1224 goto end;
1225 } else {
1226 if (BIO_get_ktls_send(serverssl->wbio))
1227 ktls_used = 1;
1228 }
1229
1230 #if defined(OPENSSL_NO_KTLS_RX)
1231 rx_supported = 0;
1232 #else
1233 rx_supported = (tls_version != TLS1_3_VERSION);
1234 #endif
1235 if (!cis_ktls || !rx_supported) {
1236 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1237 goto end;
1238 } else {
1239 if (BIO_get_ktls_send(clientssl->rbio))
1240 ktls_used = 1;
1241 }
1242
1243 if (!sis_ktls || !rx_supported) {
1244 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1245 goto end;
1246 } else {
1247 if (BIO_get_ktls_send(serverssl->rbio))
1248 ktls_used = 1;
1249 }
1250
1251 if ((cis_ktls || sis_ktls) && !ktls_used) {
1252 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1253 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1254 "TLS 1.2", cipher);
1255 goto end;
1256 }
1257
1258 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1259 goto end;
1260
1261 testresult = 1;
1262 end:
1263 if (clientssl) {
1264 SSL_shutdown(clientssl);
1265 SSL_free(clientssl);
1266 }
1267 if (serverssl) {
1268 SSL_shutdown(serverssl);
1269 SSL_free(serverssl);
1270 }
1271 SSL_CTX_free(sctx);
1272 SSL_CTX_free(cctx);
1273 serverssl = clientssl = NULL;
1274 if (cfd != -1)
1275 close(cfd);
1276 if (sfd != -1)
1277 close(sfd);
1278 return testresult;
1279 }
1280
1281 #define SENDFILE_SZ (16 * 4096)
1282 #define SENDFILE_CHUNK (4 * 4096)
1283 #define min(a,b) ((a) > (b) ? (b) : (a))
1284
execute_test_ktls_sendfile(int tls_version,const char * cipher)1285 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1286 {
1287 SSL_CTX *cctx = NULL, *sctx = NULL;
1288 SSL *clientssl = NULL, *serverssl = NULL;
1289 unsigned char *buf, *buf_dst;
1290 BIO *out = NULL, *in = NULL;
1291 int cfd = -1, sfd = -1, ffd, err;
1292 ssize_t chunk_size = 0;
1293 off_t chunk_off = 0;
1294 int testresult = 0;
1295 FILE *ffdp;
1296
1297 buf = OPENSSL_zalloc(SENDFILE_SZ);
1298 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1299 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1300 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1301 goto end;
1302
1303 /* Skip this test if the platform does not support ktls */
1304 if (!ktls_chk_platform(sfd)) {
1305 testresult = TEST_skip("Kernel does not support KTLS");
1306 goto end;
1307 }
1308
1309 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1310 testresult = TEST_skip("CHACHA is not supported in FIPS");
1311 goto end;
1312 }
1313
1314 /* Create a session based on SHA-256 */
1315 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1316 TLS_client_method(),
1317 tls_version, tls_version,
1318 &sctx, &cctx, cert, privkey)))
1319 goto end;
1320
1321 if (tls_version == TLS1_3_VERSION) {
1322 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1323 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1324 goto end;
1325 } else {
1326 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1327 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1328 goto end;
1329 }
1330
1331 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1332 &clientssl, sfd, cfd)))
1333 goto end;
1334
1335 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1336 goto end;
1337
1338 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1339 SSL_ERROR_NONE)))
1340 goto end;
1341
1342 if (!BIO_get_ktls_send(serverssl->wbio)) {
1343 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1344 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1345 "TLS 1.2", cipher);
1346 goto end;
1347 }
1348
1349 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1350 goto end;
1351
1352 out = BIO_new_file(tmpfilename, "wb");
1353 if (!TEST_ptr(out))
1354 goto end;
1355
1356 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1357 goto end;
1358
1359 BIO_free(out);
1360 out = NULL;
1361 in = BIO_new_file(tmpfilename, "rb");
1362 BIO_get_fp(in, &ffdp);
1363 ffd = fileno(ffdp);
1364
1365 while (chunk_off < SENDFILE_SZ) {
1366 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1367 while ((err = SSL_sendfile(serverssl,
1368 ffd,
1369 chunk_off,
1370 chunk_size,
1371 0)) != chunk_size) {
1372 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1373 goto end;
1374 }
1375 while ((err = SSL_read(clientssl,
1376 buf_dst + chunk_off,
1377 chunk_size)) != chunk_size) {
1378 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1379 goto end;
1380 }
1381
1382 /* verify the payload */
1383 if (!TEST_mem_eq(buf_dst + chunk_off,
1384 chunk_size,
1385 buf + chunk_off,
1386 chunk_size))
1387 goto end;
1388
1389 chunk_off += chunk_size;
1390 }
1391
1392 testresult = 1;
1393 end:
1394 if (clientssl) {
1395 SSL_shutdown(clientssl);
1396 SSL_free(clientssl);
1397 }
1398 if (serverssl) {
1399 SSL_shutdown(serverssl);
1400 SSL_free(serverssl);
1401 }
1402 SSL_CTX_free(sctx);
1403 SSL_CTX_free(cctx);
1404 serverssl = clientssl = NULL;
1405 BIO_free(out);
1406 BIO_free(in);
1407 if (cfd != -1)
1408 close(cfd);
1409 if (sfd != -1)
1410 close(sfd);
1411 OPENSSL_free(buf);
1412 OPENSSL_free(buf_dst);
1413 return testresult;
1414 }
1415
1416 static struct ktls_test_cipher {
1417 int tls_version;
1418 const char *cipher;
1419 } ktls_test_ciphers[] = {
1420 # if !defined(OPENSSL_NO_TLS1_2)
1421 # ifdef OPENSSL_KTLS_AES_GCM_128
1422 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1423 # endif
1424 # ifdef OPENSSL_KTLS_AES_CCM_128
1425 { TLS1_2_VERSION, "AES128-CCM"},
1426 # endif
1427 # ifdef OPENSSL_KTLS_AES_GCM_256
1428 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1429 # endif
1430 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1431 # ifndef OPENSSL_NO_EC
1432 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1433 # endif
1434 # endif
1435 # endif
1436 # if !defined(OSSL_NO_USABLE_TLS1_3)
1437 # ifdef OPENSSL_KTLS_AES_GCM_128
1438 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1439 # endif
1440 # ifdef OPENSSL_KTLS_AES_CCM_128
1441 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1442 # endif
1443 # ifdef OPENSSL_KTLS_AES_GCM_256
1444 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1445 # endif
1446 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1447 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1448 # endif
1449 # endif
1450 };
1451
1452 #define NUM_KTLS_TEST_CIPHERS \
1453 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1454
test_ktls(int test)1455 static int test_ktls(int test)
1456 {
1457 struct ktls_test_cipher *cipher;
1458 int cis_ktls, sis_ktls;
1459
1460 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1461 cipher = &ktls_test_ciphers[test / 4];
1462
1463 cis_ktls = (test & 1) != 0;
1464 sis_ktls = (test & 2) != 0;
1465
1466 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1467 cipher->cipher);
1468 }
1469
test_ktls_sendfile(int tst)1470 static int test_ktls_sendfile(int tst)
1471 {
1472 struct ktls_test_cipher *cipher;
1473
1474 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1475 cipher = &ktls_test_ciphers[tst];
1476
1477 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1478 }
1479 #endif
1480
test_large_message_tls(void)1481 static int test_large_message_tls(void)
1482 {
1483 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1484 TLS1_VERSION, 0, 0);
1485 }
1486
test_large_message_tls_read_ahead(void)1487 static int test_large_message_tls_read_ahead(void)
1488 {
1489 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1490 TLS1_VERSION, 0, 1);
1491 }
1492
1493 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1494 static int test_large_message_dtls(void)
1495 {
1496 # ifdef OPENSSL_NO_DTLS1_2
1497 /* Not supported in the FIPS provider */
1498 if (is_fips)
1499 return 1;
1500 # endif
1501 /*
1502 * read_ahead is not relevant to DTLS because DTLS always acts as if
1503 * read_ahead is set.
1504 */
1505 return execute_test_large_message(DTLS_server_method(),
1506 DTLS_client_method(),
1507 DTLS1_VERSION, 0, 0);
1508 }
1509 #endif
1510
1511 /*
1512 * Test we can successfully send the maximum amount of application data. We
1513 * test each protocol version individually, each with and without EtM enabled.
1514 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1515 * simpler this way. We also test all combinations with and without the
1516 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1517 * underlying buffer.
1518 */
test_large_app_data(int tst)1519 static int test_large_app_data(int tst)
1520 {
1521 SSL_CTX *cctx = NULL, *sctx = NULL;
1522 SSL *clientssl = NULL, *serverssl = NULL;
1523 int testresult = 0, prot;
1524 unsigned char *msg, *buf = NULL;
1525 size_t written, readbytes;
1526 const SSL_METHOD *smeth = TLS_server_method();
1527 const SSL_METHOD *cmeth = TLS_client_method();
1528
1529 switch (tst >> 2) {
1530 case 0:
1531 #ifndef OSSL_NO_USABLE_TLS1_3
1532 prot = TLS1_3_VERSION;
1533 break;
1534 #else
1535 return 1;
1536 #endif
1537
1538 case 1:
1539 #ifndef OPENSSL_NO_TLS1_2
1540 prot = TLS1_2_VERSION;
1541 break;
1542 #else
1543 return 1;
1544 #endif
1545
1546 case 2:
1547 #ifndef OPENSSL_NO_TLS1_1
1548 prot = TLS1_1_VERSION;
1549 break;
1550 #else
1551 return 1;
1552 #endif
1553
1554 case 3:
1555 #ifndef OPENSSL_NO_TLS1
1556 prot = TLS1_VERSION;
1557 break;
1558 #else
1559 return 1;
1560 #endif
1561
1562 case 4:
1563 #ifndef OPENSSL_NO_SSL3
1564 prot = SSL3_VERSION;
1565 break;
1566 #else
1567 return 1;
1568 #endif
1569
1570 case 5:
1571 #ifndef OPENSSL_NO_DTLS1_2
1572 prot = DTLS1_2_VERSION;
1573 smeth = DTLS_server_method();
1574 cmeth = DTLS_client_method();
1575 break;
1576 #else
1577 return 1;
1578 #endif
1579
1580 case 6:
1581 #ifndef OPENSSL_NO_DTLS1
1582 prot = DTLS1_VERSION;
1583 smeth = DTLS_server_method();
1584 cmeth = DTLS_client_method();
1585 break;
1586 #else
1587 return 1;
1588 #endif
1589
1590 default:
1591 /* Shouldn't happen */
1592 return 0;
1593 }
1594
1595 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1596 return 1;
1597
1598 /* Maximal sized message of zeros */
1599 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1600 if (!TEST_ptr(msg))
1601 goto end;
1602
1603 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1604 if (!TEST_ptr(buf))
1605 goto end;
1606 /* Set whole buffer to all bits set */
1607 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1608
1609 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1610 &sctx, &cctx, cert, privkey)))
1611 goto end;
1612
1613 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1614 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1615 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1616 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1617 "DEFAULT:@SECLEVEL=0")))
1618 goto end;
1619 }
1620
1621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1622 &clientssl, NULL, NULL)))
1623 goto end;
1624
1625 if ((tst & 1) != 0) {
1626 /* Setting this option gives us a minimally sized underlying buffer */
1627 if (!TEST_true(SSL_set_options(serverssl,
1628 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1629 || !TEST_true(SSL_set_options(clientssl,
1630 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1631 goto end;
1632 }
1633
1634 if ((tst & 2) != 0) {
1635 /*
1636 * Setting this option means the MAC is added before encryption
1637 * giving us a larger record for the encryption process
1638 */
1639 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1640 || !TEST_true(SSL_set_options(clientssl,
1641 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1642 goto end;
1643 }
1644
1645 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1646 goto end;
1647
1648 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1649 &written))
1650 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1651 goto end;
1652
1653 /* We provide a buffer slightly larger than what we are actually expecting */
1654 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1655 &readbytes)))
1656 goto end;
1657
1658 if (!TEST_mem_eq(msg, written, buf, readbytes))
1659 goto end;
1660
1661 testresult = 1;
1662 end:
1663 OPENSSL_free(msg);
1664 OPENSSL_free(buf);
1665 SSL_free(serverssl);
1666 SSL_free(clientssl);
1667 SSL_CTX_free(sctx);
1668 SSL_CTX_free(cctx);
1669 return testresult;
1670 }
1671
execute_cleanse_plaintext(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version)1672 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1673 const SSL_METHOD *cmeth,
1674 int min_version, int max_version)
1675 {
1676 size_t i;
1677 SSL_CTX *cctx = NULL, *sctx = NULL;
1678 SSL *clientssl = NULL, *serverssl = NULL;
1679 int testresult = 0;
1680 SSL3_RECORD *rr;
1681 void *zbuf;
1682
1683 static unsigned char cbuf[16000];
1684 static unsigned char sbuf[16000];
1685
1686 if (!TEST_true(create_ssl_ctx_pair(libctx,
1687 smeth, cmeth,
1688 min_version, max_version,
1689 &sctx, &cctx, cert,
1690 privkey)))
1691 goto end;
1692
1693 #ifdef OPENSSL_NO_DTLS1_2
1694 if (smeth == DTLS_server_method()) {
1695 # ifdef OPENSSL_NO_DTLS1_2
1696 /* Not supported in the FIPS provider */
1697 if (is_fips) {
1698 testresult = 1;
1699 goto end;
1700 };
1701 # endif
1702 /*
1703 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1704 * level 0
1705 */
1706 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1707 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1708 "DEFAULT:@SECLEVEL=0")))
1709 goto end;
1710 }
1711 #endif
1712
1713 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1714 NULL, NULL)))
1715 goto end;
1716
1717 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1718 goto end;
1719
1720 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1721 SSL_ERROR_NONE)))
1722 goto end;
1723
1724 for (i = 0; i < sizeof(cbuf); i++) {
1725 cbuf[i] = i & 0xff;
1726 }
1727
1728 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1729 goto end;
1730
1731 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1732 goto end;
1733
1734 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1735 goto end;
1736
1737 /*
1738 * Since we called SSL_peek(), we know the data in the record
1739 * layer is a plaintext record. We can gather the pointer to check
1740 * for zeroization after SSL_read().
1741 */
1742 rr = serverssl->rlayer.rrec;
1743 zbuf = &rr->data[rr->off];
1744 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1745 goto end;
1746
1747 /*
1748 * After SSL_peek() the plaintext must still be stored in the
1749 * record.
1750 */
1751 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1752 goto end;
1753
1754 memset(sbuf, 0, sizeof(sbuf));
1755 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1756 goto end;
1757
1758 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1759 goto end;
1760
1761 /* Check if rbuf is cleansed */
1762 memset(cbuf, 0, sizeof(cbuf));
1763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1764 goto end;
1765
1766 testresult = 1;
1767 end:
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 SSL_CTX_free(sctx);
1771 SSL_CTX_free(cctx);
1772
1773 return testresult;
1774 }
1775
test_cleanse_plaintext(void)1776 static int test_cleanse_plaintext(void)
1777 {
1778 #if !defined(OPENSSL_NO_TLS1_2)
1779 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1780 TLS_client_method(),
1781 TLS1_2_VERSION,
1782 TLS1_2_VERSION)))
1783 return 0;
1784
1785 #endif
1786
1787 #if !defined(OSSL_NO_USABLE_TLS1_3)
1788 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1789 TLS_client_method(),
1790 TLS1_3_VERSION,
1791 TLS1_3_VERSION)))
1792 return 0;
1793 #endif
1794
1795 #if !defined(OPENSSL_NO_DTLS)
1796
1797 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1798 DTLS_client_method(),
1799 DTLS1_VERSION,
1800 0)))
1801 return 0;
1802 #endif
1803 return 1;
1804 }
1805
1806 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1807 static int ocsp_server_cb(SSL *s, void *arg)
1808 {
1809 int *argi = (int *)arg;
1810 unsigned char *copy = NULL;
1811 STACK_OF(OCSP_RESPID) *ids = NULL;
1812 OCSP_RESPID *id = NULL;
1813
1814 if (*argi == 2) {
1815 /* In this test we are expecting exactly 1 OCSP_RESPID */
1816 SSL_get_tlsext_status_ids(s, &ids);
1817 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1818 return SSL_TLSEXT_ERR_ALERT_FATAL;
1819
1820 id = sk_OCSP_RESPID_value(ids, 0);
1821 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1822 return SSL_TLSEXT_ERR_ALERT_FATAL;
1823 } else if (*argi != 1) {
1824 return SSL_TLSEXT_ERR_ALERT_FATAL;
1825 }
1826
1827 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1828 return SSL_TLSEXT_ERR_ALERT_FATAL;
1829
1830 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1831 sizeof(orespder)))) {
1832 OPENSSL_free(copy);
1833 return SSL_TLSEXT_ERR_ALERT_FATAL;
1834 }
1835 ocsp_server_called = 1;
1836 return SSL_TLSEXT_ERR_OK;
1837 }
1838
ocsp_client_cb(SSL * s,void * arg)1839 static int ocsp_client_cb(SSL *s, void *arg)
1840 {
1841 int *argi = (int *)arg;
1842 const unsigned char *respderin;
1843 size_t len;
1844
1845 if (*argi != 1 && *argi != 2)
1846 return 0;
1847
1848 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1849 if (!TEST_mem_eq(orespder, len, respderin, len))
1850 return 0;
1851
1852 ocsp_client_called = 1;
1853 return 1;
1854 }
1855
test_tlsext_status_type(void)1856 static int test_tlsext_status_type(void)
1857 {
1858 SSL_CTX *cctx = NULL, *sctx = NULL;
1859 SSL *clientssl = NULL, *serverssl = NULL;
1860 int testresult = 0;
1861 STACK_OF(OCSP_RESPID) *ids = NULL;
1862 OCSP_RESPID *id = NULL;
1863 BIO *certbio = NULL;
1864
1865 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1866 TLS1_VERSION, 0,
1867 &sctx, &cctx, cert, privkey))
1868 return 0;
1869
1870 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1871 goto end;
1872
1873 /* First just do various checks getting and setting tlsext_status_type */
1874
1875 clientssl = SSL_new(cctx);
1876 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1877 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1878 TLSEXT_STATUSTYPE_ocsp))
1879 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1880 TLSEXT_STATUSTYPE_ocsp))
1881 goto end;
1882
1883 SSL_free(clientssl);
1884 clientssl = NULL;
1885
1886 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1887 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1888 goto end;
1889
1890 clientssl = SSL_new(cctx);
1891 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1892 goto end;
1893 SSL_free(clientssl);
1894 clientssl = NULL;
1895
1896 /*
1897 * Now actually do a handshake and check OCSP information is exchanged and
1898 * the callbacks get called
1899 */
1900 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1901 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1902 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1903 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1905 &clientssl, NULL, NULL))
1906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1907 SSL_ERROR_NONE))
1908 || !TEST_true(ocsp_client_called)
1909 || !TEST_true(ocsp_server_called))
1910 goto end;
1911 SSL_free(serverssl);
1912 SSL_free(clientssl);
1913 serverssl = NULL;
1914 clientssl = NULL;
1915
1916 /* Try again but this time force the server side callback to fail */
1917 ocsp_client_called = 0;
1918 ocsp_server_called = 0;
1919 cdummyarg = 0;
1920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1921 &clientssl, NULL, NULL))
1922 /* This should fail because the callback will fail */
1923 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1924 SSL_ERROR_NONE))
1925 || !TEST_false(ocsp_client_called)
1926 || !TEST_false(ocsp_server_called))
1927 goto end;
1928 SSL_free(serverssl);
1929 SSL_free(clientssl);
1930 serverssl = NULL;
1931 clientssl = NULL;
1932
1933 /*
1934 * This time we'll get the client to send an OCSP_RESPID that it will
1935 * accept.
1936 */
1937 ocsp_client_called = 0;
1938 ocsp_server_called = 0;
1939 cdummyarg = 2;
1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1942 goto end;
1943
1944 /*
1945 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1946 * specific one. We'll use the server cert.
1947 */
1948 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1949 || !TEST_ptr(id = OCSP_RESPID_new())
1950 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1951 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1952 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1953 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1954 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1955 goto end;
1956 id = NULL;
1957 SSL_set_tlsext_status_ids(clientssl, ids);
1958 /* Control has been transferred */
1959 ids = NULL;
1960
1961 BIO_free(certbio);
1962 certbio = NULL;
1963
1964 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1965 SSL_ERROR_NONE))
1966 || !TEST_true(ocsp_client_called)
1967 || !TEST_true(ocsp_server_called))
1968 goto end;
1969
1970 testresult = 1;
1971
1972 end:
1973 SSL_free(serverssl);
1974 SSL_free(clientssl);
1975 SSL_CTX_free(sctx);
1976 SSL_CTX_free(cctx);
1977 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1978 OCSP_RESPID_free(id);
1979 BIO_free(certbio);
1980 X509_free(ocspcert);
1981 ocspcert = NULL;
1982
1983 return testresult;
1984 }
1985 #endif
1986
1987 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1988 static int new_called, remove_called, get_called;
1989
new_session_cb(SSL * ssl,SSL_SESSION * sess)1990 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1991 {
1992 new_called++;
1993 /*
1994 * sess has been up-refed for us, but we don't actually need it so free it
1995 * immediately.
1996 */
1997 SSL_SESSION_free(sess);
1998 return 1;
1999 }
2000
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)2001 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2002 {
2003 remove_called++;
2004 }
2005
2006 static SSL_SESSION *get_sess_val = NULL;
2007
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)2008 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2009 int *copy)
2010 {
2011 get_called++;
2012 *copy = 1;
2013 return get_sess_val;
2014 }
2015
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache,long s_options)2016 static int execute_test_session(int maxprot, int use_int_cache,
2017 int use_ext_cache, long s_options)
2018 {
2019 SSL_CTX *sctx = NULL, *cctx = NULL;
2020 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2021 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2022 # ifndef OPENSSL_NO_TLS1_1
2023 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2024 # endif
2025 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2026 int testresult = 0, numnewsesstick = 1;
2027
2028 new_called = remove_called = 0;
2029
2030 /* TLSv1.3 sends 2 NewSessionTickets */
2031 if (maxprot == TLS1_3_VERSION)
2032 numnewsesstick = 2;
2033
2034 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2035 TLS_client_method(), TLS1_VERSION, 0,
2036 &sctx, &cctx, cert, privkey)))
2037 return 0;
2038
2039 /*
2040 * Only allow the max protocol version so we can force a connection failure
2041 * later
2042 */
2043 SSL_CTX_set_min_proto_version(cctx, maxprot);
2044 SSL_CTX_set_max_proto_version(cctx, maxprot);
2045
2046 /* Set up session cache */
2047 if (use_ext_cache) {
2048 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2049 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2050 }
2051 if (use_int_cache) {
2052 /* Also covers instance where both are set */
2053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2054 } else {
2055 SSL_CTX_set_session_cache_mode(cctx,
2056 SSL_SESS_CACHE_CLIENT
2057 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2058 }
2059
2060 if (s_options) {
2061 SSL_CTX_set_options(sctx, s_options);
2062 }
2063
2064 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2065 NULL, NULL))
2066 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2067 SSL_ERROR_NONE))
2068 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2069 goto end;
2070
2071 /* Should fail because it should already be in the cache */
2072 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2073 goto end;
2074 if (use_ext_cache
2075 && (!TEST_int_eq(new_called, numnewsesstick)
2076
2077 || !TEST_int_eq(remove_called, 0)))
2078 goto end;
2079
2080 new_called = remove_called = 0;
2081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2082 &clientssl2, NULL, NULL))
2083 || !TEST_true(SSL_set_session(clientssl2, sess1))
2084 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2085 SSL_ERROR_NONE))
2086 || !TEST_true(SSL_session_reused(clientssl2)))
2087 goto end;
2088
2089 if (maxprot == TLS1_3_VERSION) {
2090 /*
2091 * In TLSv1.3 we should have created a new session even though we have
2092 * resumed. Since we attempted a resume we should also have removed the
2093 * old ticket from the cache so that we try to only use tickets once.
2094 */
2095 if (use_ext_cache
2096 && (!TEST_int_eq(new_called, 1)
2097 || !TEST_int_eq(remove_called, 1)))
2098 goto end;
2099 } else {
2100 /*
2101 * In TLSv1.2 we expect to have resumed so no sessions added or
2102 * removed.
2103 */
2104 if (use_ext_cache
2105 && (!TEST_int_eq(new_called, 0)
2106 || !TEST_int_eq(remove_called, 0)))
2107 goto end;
2108 }
2109
2110 SSL_SESSION_free(sess1);
2111 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2112 goto end;
2113 shutdown_ssl_connection(serverssl2, clientssl2);
2114 serverssl2 = clientssl2 = NULL;
2115
2116 new_called = remove_called = 0;
2117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2118 &clientssl2, NULL, NULL))
2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2120 SSL_ERROR_NONE)))
2121 goto end;
2122
2123 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2124 goto end;
2125
2126 if (use_ext_cache
2127 && (!TEST_int_eq(new_called, numnewsesstick)
2128 || !TEST_int_eq(remove_called, 0)))
2129 goto end;
2130
2131 new_called = remove_called = 0;
2132 /*
2133 * This should clear sess2 from the cache because it is a "bad" session.
2134 * See SSL_set_session() documentation.
2135 */
2136 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2137 goto end;
2138 if (use_ext_cache
2139 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2140 goto end;
2141 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2142 goto end;
2143
2144 if (use_int_cache) {
2145 /* Should succeeded because it should not already be in the cache */
2146 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2147 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2148 goto end;
2149 }
2150
2151 new_called = remove_called = 0;
2152 /* This shouldn't be in the cache so should fail */
2153 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2154 goto end;
2155
2156 if (use_ext_cache
2157 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2158 goto end;
2159
2160 # if !defined(OPENSSL_NO_TLS1_1)
2161 new_called = remove_called = 0;
2162 /* Force a connection failure */
2163 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2165 &clientssl3, NULL, NULL))
2166 || !TEST_true(SSL_set_session(clientssl3, sess1))
2167 /* This should fail because of the mismatched protocol versions */
2168 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2169 SSL_ERROR_NONE)))
2170 goto end;
2171
2172 /* We should have automatically removed the session from the cache */
2173 if (use_ext_cache
2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2175 goto end;
2176
2177 /* Should succeed because it should not already be in the cache */
2178 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2179 goto end;
2180 # endif
2181
2182 /* Now do some tests for server side caching */
2183 if (use_ext_cache) {
2184 SSL_CTX_sess_set_new_cb(cctx, NULL);
2185 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2186 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2187 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2188 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2189 get_sess_val = NULL;
2190 }
2191
2192 SSL_CTX_set_session_cache_mode(cctx, 0);
2193 /* Internal caching is the default on the server side */
2194 if (!use_int_cache)
2195 SSL_CTX_set_session_cache_mode(sctx,
2196 SSL_SESS_CACHE_SERVER
2197 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2198
2199 SSL_free(serverssl1);
2200 SSL_free(clientssl1);
2201 serverssl1 = clientssl1 = NULL;
2202 SSL_free(serverssl2);
2203 SSL_free(clientssl2);
2204 serverssl2 = clientssl2 = NULL;
2205 SSL_SESSION_free(sess1);
2206 sess1 = NULL;
2207 SSL_SESSION_free(sess2);
2208 sess2 = NULL;
2209
2210 SSL_CTX_set_max_proto_version(sctx, maxprot);
2211 if (maxprot == TLS1_2_VERSION)
2212 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2213 new_called = remove_called = get_called = 0;
2214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2215 NULL, NULL))
2216 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2217 SSL_ERROR_NONE))
2218 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2219 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2220 goto end;
2221
2222 if (use_int_cache) {
2223 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2224 /*
2225 * In TLSv1.3 it should not have been added to the internal cache,
2226 * except in the case where we also have an external cache (in that
2227 * case it gets added to the cache in order to generate remove
2228 * events after timeout).
2229 */
2230 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2231 goto end;
2232 } else {
2233 /* Should fail because it should already be in the cache */
2234 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2235 goto end;
2236 }
2237 }
2238
2239 if (use_ext_cache) {
2240 SSL_SESSION *tmp = sess2;
2241
2242 if (!TEST_int_eq(new_called, numnewsesstick)
2243 || !TEST_int_eq(remove_called, 0)
2244 || !TEST_int_eq(get_called, 0))
2245 goto end;
2246 /*
2247 * Delete the session from the internal cache to force a lookup from
2248 * the external cache. We take a copy first because
2249 * SSL_CTX_remove_session() also marks the session as non-resumable.
2250 */
2251 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2252 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2253 || !TEST_true(sess2->owner != NULL)
2254 || !TEST_true(tmp->owner == NULL)
2255 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2256 goto end;
2257 SSL_SESSION_free(sess2);
2258 }
2259 sess2 = tmp;
2260 }
2261
2262 new_called = remove_called = get_called = 0;
2263 get_sess_val = sess2;
2264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2265 &clientssl2, NULL, NULL))
2266 || !TEST_true(SSL_set_session(clientssl2, sess1))
2267 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2268 SSL_ERROR_NONE))
2269 || !TEST_true(SSL_session_reused(clientssl2)))
2270 goto end;
2271
2272 if (use_ext_cache) {
2273 if (!TEST_int_eq(remove_called, 0))
2274 goto end;
2275
2276 if (maxprot == TLS1_3_VERSION) {
2277 if (!TEST_int_eq(new_called, 1)
2278 || !TEST_int_eq(get_called, 0))
2279 goto end;
2280 } else {
2281 if (!TEST_int_eq(new_called, 0)
2282 || !TEST_int_eq(get_called, 1))
2283 goto end;
2284 }
2285 }
2286 /*
2287 * Make a small cache, force out all other sessions but
2288 * sess2, try to add sess1, which should succeed. Then
2289 * make sure it's there by checking the owners. Despite
2290 * the timeouts, sess1 should have kicked out sess2
2291 */
2292
2293 /* Make sess1 expire before sess2 */
2294 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2295 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2296 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2297 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2298 goto end;
2299
2300 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2301 goto end;
2302
2303 /* Don't care about results - cache should only be sess2 at end */
2304 SSL_CTX_add_session(sctx, sess1);
2305 SSL_CTX_add_session(sctx, sess2);
2306
2307 /* Now add sess1, and make sure it remains, despite timeout */
2308 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2309 || !TEST_ptr(sess1->owner)
2310 || !TEST_ptr_null(sess2->owner))
2311 goto end;
2312
2313 testresult = 1;
2314
2315 end:
2316 SSL_free(serverssl1);
2317 SSL_free(clientssl1);
2318 SSL_free(serverssl2);
2319 SSL_free(clientssl2);
2320 # ifndef OPENSSL_NO_TLS1_1
2321 SSL_free(serverssl3);
2322 SSL_free(clientssl3);
2323 # endif
2324 SSL_SESSION_free(sess1);
2325 SSL_SESSION_free(sess2);
2326 SSL_CTX_free(sctx);
2327 SSL_CTX_free(cctx);
2328
2329 return testresult;
2330 }
2331 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2332
test_session_with_only_int_cache(void)2333 static int test_session_with_only_int_cache(void)
2334 {
2335 #ifndef OSSL_NO_USABLE_TLS1_3
2336 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2337 return 0;
2338 #endif
2339
2340 #ifndef OPENSSL_NO_TLS1_2
2341 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2342 #else
2343 return 1;
2344 #endif
2345 }
2346
test_session_with_only_ext_cache(void)2347 static int test_session_with_only_ext_cache(void)
2348 {
2349 #ifndef OSSL_NO_USABLE_TLS1_3
2350 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2351 return 0;
2352 #endif
2353
2354 #ifndef OPENSSL_NO_TLS1_2
2355 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2356 #else
2357 return 1;
2358 #endif
2359 }
2360
test_session_with_both_cache(void)2361 static int test_session_with_both_cache(void)
2362 {
2363 #ifndef OSSL_NO_USABLE_TLS1_3
2364 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2365 return 0;
2366 #endif
2367
2368 #ifndef OPENSSL_NO_TLS1_2
2369 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2370 #else
2371 return 1;
2372 #endif
2373 }
2374
test_session_wo_ca_names(void)2375 static int test_session_wo_ca_names(void)
2376 {
2377 #ifndef OSSL_NO_USABLE_TLS1_3
2378 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2379 return 0;
2380 #endif
2381
2382 #ifndef OPENSSL_NO_TLS1_2
2383 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2384 #else
2385 return 1;
2386 #endif
2387 }
2388
2389
2390 #ifndef OSSL_NO_USABLE_TLS1_3
2391 static SSL_SESSION *sesscache[6];
2392 static int do_cache;
2393
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)2394 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2395 {
2396 if (do_cache) {
2397 sesscache[new_called] = sess;
2398 } else {
2399 /* We don't need the reference to the session, so free it */
2400 SSL_SESSION_free(sess);
2401 }
2402 new_called++;
2403
2404 return 1;
2405 }
2406
post_handshake_verify(SSL * sssl,SSL * cssl)2407 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2408 {
2409 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2410 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2411 return 0;
2412
2413 /* Start handshake on the server and client */
2414 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2415 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2416 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2417 || !TEST_true(create_ssl_connection(sssl, cssl,
2418 SSL_ERROR_NONE)))
2419 return 0;
2420
2421 return 1;
2422 }
2423
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)2424 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2425 SSL_CTX **cctx)
2426 {
2427 int sess_id_ctx = 1;
2428
2429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2430 TLS_client_method(), TLS1_VERSION, 0,
2431 sctx, cctx, cert, privkey))
2432 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2433 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2434 (void *)&sess_id_ctx,
2435 sizeof(sess_id_ctx))))
2436 return 0;
2437
2438 if (stateful)
2439 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2440
2441 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2442 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2443 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2444
2445 return 1;
2446 }
2447
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)2448 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2449 {
2450 SSL *serverssl = NULL, *clientssl = NULL;
2451 int i;
2452
2453 /* Test that we can resume with all the tickets we got given */
2454 for (i = 0; i < idx * 2; i++) {
2455 new_called = 0;
2456 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2457 &clientssl, NULL, NULL))
2458 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2459 goto end;
2460
2461 SSL_set_post_handshake_auth(clientssl, 1);
2462
2463 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2464 SSL_ERROR_NONE)))
2465 goto end;
2466
2467 /*
2468 * Following a successful resumption we only get 1 ticket. After a
2469 * failed one we should get idx tickets.
2470 */
2471 if (succ) {
2472 if (!TEST_true(SSL_session_reused(clientssl))
2473 || !TEST_int_eq(new_called, 1))
2474 goto end;
2475 } else {
2476 if (!TEST_false(SSL_session_reused(clientssl))
2477 || !TEST_int_eq(new_called, idx))
2478 goto end;
2479 }
2480
2481 new_called = 0;
2482 /* After a post-handshake authentication we should get 1 new ticket */
2483 if (succ
2484 && (!post_handshake_verify(serverssl, clientssl)
2485 || !TEST_int_eq(new_called, 1)))
2486 goto end;
2487
2488 SSL_shutdown(clientssl);
2489 SSL_shutdown(serverssl);
2490 SSL_free(serverssl);
2491 SSL_free(clientssl);
2492 serverssl = clientssl = NULL;
2493 SSL_SESSION_free(sesscache[i]);
2494 sesscache[i] = NULL;
2495 }
2496
2497 return 1;
2498
2499 end:
2500 SSL_free(clientssl);
2501 SSL_free(serverssl);
2502 return 0;
2503 }
2504
test_tickets(int stateful,int idx)2505 static int test_tickets(int stateful, int idx)
2506 {
2507 SSL_CTX *sctx = NULL, *cctx = NULL;
2508 SSL *serverssl = NULL, *clientssl = NULL;
2509 int testresult = 0;
2510 size_t j;
2511
2512 /* idx is the test number, but also the number of tickets we want */
2513
2514 new_called = 0;
2515 do_cache = 1;
2516
2517 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2518 goto end;
2519
2520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2521 &clientssl, NULL, NULL)))
2522 goto end;
2523
2524 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2525 SSL_ERROR_NONE))
2526 /* Check we got the number of tickets we were expecting */
2527 || !TEST_int_eq(idx, new_called))
2528 goto end;
2529
2530 SSL_shutdown(clientssl);
2531 SSL_shutdown(serverssl);
2532 SSL_free(serverssl);
2533 SSL_free(clientssl);
2534 SSL_CTX_free(sctx);
2535 SSL_CTX_free(cctx);
2536 clientssl = serverssl = NULL;
2537 sctx = cctx = NULL;
2538
2539 /*
2540 * Now we try to resume with the tickets we previously created. The
2541 * resumption attempt is expected to fail (because we're now using a new
2542 * SSL_CTX). We should see idx number of tickets issued again.
2543 */
2544
2545 /* Stop caching sessions - just count them */
2546 do_cache = 0;
2547
2548 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2549 goto end;
2550
2551 if (!check_resumption(idx, sctx, cctx, 0))
2552 goto end;
2553
2554 /* Start again with caching sessions */
2555 new_called = 0;
2556 do_cache = 1;
2557 SSL_CTX_free(sctx);
2558 SSL_CTX_free(cctx);
2559 sctx = cctx = NULL;
2560
2561 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2562 goto end;
2563
2564 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2565 &clientssl, NULL, NULL)))
2566 goto end;
2567
2568 SSL_set_post_handshake_auth(clientssl, 1);
2569
2570 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2571 SSL_ERROR_NONE))
2572 /* Check we got the number of tickets we were expecting */
2573 || !TEST_int_eq(idx, new_called))
2574 goto end;
2575
2576 /* After a post-handshake authentication we should get new tickets issued */
2577 if (!post_handshake_verify(serverssl, clientssl)
2578 || !TEST_int_eq(idx * 2, new_called))
2579 goto end;
2580
2581 SSL_shutdown(clientssl);
2582 SSL_shutdown(serverssl);
2583 SSL_free(serverssl);
2584 SSL_free(clientssl);
2585 serverssl = clientssl = NULL;
2586
2587 /* Stop caching sessions - just count them */
2588 do_cache = 0;
2589
2590 /*
2591 * Check we can resume with all the tickets we created. This time around the
2592 * resumptions should all be successful.
2593 */
2594 if (!check_resumption(idx, sctx, cctx, 1))
2595 goto end;
2596
2597 testresult = 1;
2598
2599 end:
2600 SSL_free(serverssl);
2601 SSL_free(clientssl);
2602 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2603 SSL_SESSION_free(sesscache[j]);
2604 sesscache[j] = NULL;
2605 }
2606 SSL_CTX_free(sctx);
2607 SSL_CTX_free(cctx);
2608
2609 return testresult;
2610 }
2611
test_stateless_tickets(int idx)2612 static int test_stateless_tickets(int idx)
2613 {
2614 return test_tickets(0, idx);
2615 }
2616
test_stateful_tickets(int idx)2617 static int test_stateful_tickets(int idx)
2618 {
2619 return test_tickets(1, idx);
2620 }
2621
test_psk_tickets(void)2622 static int test_psk_tickets(void)
2623 {
2624 SSL_CTX *sctx = NULL, *cctx = NULL;
2625 SSL *serverssl = NULL, *clientssl = NULL;
2626 int testresult = 0;
2627 int sess_id_ctx = 1;
2628
2629 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2630 TLS_client_method(), TLS1_VERSION, 0,
2631 &sctx, &cctx, NULL, NULL))
2632 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2633 (void *)&sess_id_ctx,
2634 sizeof(sess_id_ctx))))
2635 goto end;
2636
2637 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2638 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2639 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2640 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2641 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2642 use_session_cb_cnt = 0;
2643 find_session_cb_cnt = 0;
2644 srvid = pskid;
2645 new_called = 0;
2646
2647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2648 NULL, NULL)))
2649 goto end;
2650 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2651 if (!TEST_ptr(clientpsk))
2652 goto end;
2653 SSL_SESSION_up_ref(clientpsk);
2654
2655 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2656 SSL_ERROR_NONE))
2657 || !TEST_int_eq(1, find_session_cb_cnt)
2658 || !TEST_int_eq(1, use_session_cb_cnt)
2659 /* We should always get 1 ticket when using external PSK */
2660 || !TEST_int_eq(1, new_called))
2661 goto end;
2662
2663 testresult = 1;
2664
2665 end:
2666 SSL_free(serverssl);
2667 SSL_free(clientssl);
2668 SSL_CTX_free(sctx);
2669 SSL_CTX_free(cctx);
2670 SSL_SESSION_free(clientpsk);
2671 SSL_SESSION_free(serverpsk);
2672 clientpsk = serverpsk = NULL;
2673
2674 return testresult;
2675 }
2676
test_extra_tickets(int idx)2677 static int test_extra_tickets(int idx)
2678 {
2679 SSL_CTX *sctx = NULL, *cctx = NULL;
2680 SSL *serverssl = NULL, *clientssl = NULL;
2681 BIO *bretry = BIO_new(bio_s_always_retry());
2682 BIO *tmp = NULL;
2683 int testresult = 0;
2684 int stateful = 0;
2685 size_t nbytes;
2686 unsigned char c, buf[1];
2687
2688 new_called = 0;
2689 do_cache = 1;
2690
2691 if (idx >= 3) {
2692 idx -= 3;
2693 stateful = 1;
2694 }
2695
2696 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2697 goto end;
2698 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2699 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2700 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2701
2702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2703 &clientssl, NULL, NULL)))
2704 goto end;
2705
2706 /*
2707 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2708 * incremented by both client and server.
2709 */
2710 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2711 SSL_ERROR_NONE))
2712 /* Check we got the number of tickets we were expecting */
2713 || !TEST_int_eq(idx * 2, new_called)
2714 || !TEST_true(SSL_new_session_ticket(serverssl))
2715 || !TEST_true(SSL_new_session_ticket(serverssl))
2716 || !TEST_int_eq(idx * 2, new_called))
2717 goto end;
2718
2719 /* Now try a (real) write to actually send the tickets */
2720 c = '1';
2721 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2722 || !TEST_size_t_eq(1, nbytes)
2723 || !TEST_int_eq(idx * 2 + 2, new_called)
2724 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2725 || !TEST_int_eq(idx * 2 + 4, new_called)
2726 || !TEST_int_eq(sizeof(buf), nbytes)
2727 || !TEST_int_eq(c, buf[0])
2728 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2729 goto end;
2730
2731 /* Try with only requesting one new ticket, too */
2732 c = '2';
2733 new_called = 0;
2734 if (!TEST_true(SSL_new_session_ticket(serverssl))
2735 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2736 || !TEST_size_t_eq(sizeof(c), nbytes)
2737 || !TEST_int_eq(1, new_called)
2738 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2739 || !TEST_int_eq(2, new_called)
2740 || !TEST_size_t_eq(sizeof(buf), nbytes)
2741 || !TEST_int_eq(c, buf[0]))
2742 goto end;
2743
2744 /* Do it again but use dummy writes to drive the ticket generation */
2745 c = '3';
2746 new_called = 0;
2747 if (!TEST_true(SSL_new_session_ticket(serverssl))
2748 || !TEST_true(SSL_new_session_ticket(serverssl))
2749 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2750 || !TEST_size_t_eq(0, nbytes)
2751 || !TEST_int_eq(2, new_called)
2752 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2753 || !TEST_int_eq(4, new_called))
2754 goto end;
2755
2756 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2757 c = '4';
2758 new_called = 0;
2759 if (!TEST_true(SSL_new_session_ticket(serverssl))
2760 || !TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_true(SSL_do_handshake(serverssl))
2762 || !TEST_int_eq(2, new_called)
2763 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2764 || !TEST_int_eq(4, new_called))
2765 goto end;
2766
2767 /*
2768 * Use the always-retry BIO to exercise the logic that forces ticket
2769 * generation to wait until a record boundary.
2770 */
2771 c = '5';
2772 new_called = 0;
2773 tmp = SSL_get_wbio(serverssl);
2774 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2775 tmp = NULL;
2776 goto end;
2777 }
2778 SSL_set0_wbio(serverssl, bretry);
2779 bretry = NULL;
2780 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2781 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2782 || !TEST_size_t_eq(nbytes, 0))
2783 goto end;
2784 /* Restore a BIO that will let the write succeed */
2785 SSL_set0_wbio(serverssl, tmp);
2786 tmp = NULL;
2787 /*
2788 * These calls should just queue the request and not send anything
2789 * even if we explicitly try to hit the state machine.
2790 */
2791 if (!TEST_true(SSL_new_session_ticket(serverssl))
2792 || !TEST_true(SSL_new_session_ticket(serverssl))
2793 || !TEST_int_eq(0, new_called)
2794 || !TEST_true(SSL_do_handshake(serverssl))
2795 || !TEST_int_eq(0, new_called))
2796 goto end;
2797 /* Re-do the write; still no tickets sent */
2798 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2799 || !TEST_size_t_eq(1, nbytes)
2800 || !TEST_int_eq(0, new_called)
2801 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(0, new_called)
2803 || !TEST_int_eq(sizeof(buf), nbytes)
2804 || !TEST_int_eq(c, buf[0])
2805 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2806 goto end;
2807 /* Even trying to hit the state machine now will still not send tickets */
2808 if (!TEST_true(SSL_do_handshake(serverssl))
2809 || !TEST_int_eq(0, new_called))
2810 goto end;
2811 /* Now the *next* write should send the tickets */
2812 c = '6';
2813 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2814 || !TEST_size_t_eq(1, nbytes)
2815 || !TEST_int_eq(2, new_called)
2816 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2817 || !TEST_int_eq(4, new_called)
2818 || !TEST_int_eq(sizeof(buf), nbytes)
2819 || !TEST_int_eq(c, buf[0])
2820 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2821 goto end;
2822
2823 SSL_shutdown(clientssl);
2824 SSL_shutdown(serverssl);
2825 testresult = 1;
2826
2827 end:
2828 BIO_free(bretry);
2829 BIO_free(tmp);
2830 SSL_free(serverssl);
2831 SSL_free(clientssl);
2832 SSL_CTX_free(sctx);
2833 SSL_CTX_free(cctx);
2834 clientssl = serverssl = NULL;
2835 sctx = cctx = NULL;
2836 return testresult;
2837 }
2838 #endif
2839
2840 #define USE_NULL 0
2841 #define USE_BIO_1 1
2842 #define USE_BIO_2 2
2843 #define USE_DEFAULT 3
2844
2845 #define CONNTYPE_CONNECTION_SUCCESS 0
2846 #define CONNTYPE_CONNECTION_FAIL 1
2847 #define CONNTYPE_NO_CONNECTION 2
2848
2849 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2850 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2851 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2852 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2853 #else
2854 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2855 #endif
2856
2857 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2858 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2859 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2860
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2861 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2862 {
2863 switch (type) {
2864 case USE_NULL:
2865 *res = NULL;
2866 break;
2867 case USE_BIO_1:
2868 *res = bio1;
2869 break;
2870 case USE_BIO_2:
2871 *res = bio2;
2872 break;
2873 }
2874 }
2875
2876
2877 /*
2878 * Tests calls to SSL_set_bio() under various conditions.
2879 *
2880 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2881 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2882 * then do more tests where we create a successful connection first using our
2883 * standard connection setup functions, and then call SSL_set_bio() with
2884 * various combinations of valid BIOs or NULL. We then repeat these tests
2885 * following a failed connection. In this last case we are looking to check that
2886 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2887 */
test_ssl_set_bio(int idx)2888 static int test_ssl_set_bio(int idx)
2889 {
2890 SSL_CTX *sctx = NULL, *cctx = NULL;
2891 BIO *bio1 = NULL;
2892 BIO *bio2 = NULL;
2893 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2894 SSL *serverssl = NULL, *clientssl = NULL;
2895 int initrbio, initwbio, newrbio, newwbio, conntype;
2896 int testresult = 0;
2897
2898 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2899 initrbio = idx % 3;
2900 idx /= 3;
2901 initwbio = idx % 3;
2902 idx /= 3;
2903 newrbio = idx % 3;
2904 idx /= 3;
2905 newwbio = idx % 3;
2906 conntype = CONNTYPE_NO_CONNECTION;
2907 } else {
2908 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2909 initrbio = initwbio = USE_DEFAULT;
2910 newrbio = idx % 2;
2911 idx /= 2;
2912 newwbio = idx % 2;
2913 idx /= 2;
2914 conntype = idx % 2;
2915 }
2916
2917 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2918 TLS_client_method(), TLS1_VERSION, 0,
2919 &sctx, &cctx, cert, privkey)))
2920 goto end;
2921
2922 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2923 /*
2924 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2925 * because we reduced the number of tests in the definition of
2926 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2927 * mismatched protocol versions we will force a connection failure.
2928 */
2929 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2930 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2931 }
2932
2933 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2934 NULL, NULL)))
2935 goto end;
2936
2937 if (initrbio == USE_BIO_1
2938 || initwbio == USE_BIO_1
2939 || newrbio == USE_BIO_1
2940 || newwbio == USE_BIO_1) {
2941 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2942 goto end;
2943 }
2944
2945 if (initrbio == USE_BIO_2
2946 || initwbio == USE_BIO_2
2947 || newrbio == USE_BIO_2
2948 || newwbio == USE_BIO_2) {
2949 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2950 goto end;
2951 }
2952
2953 if (initrbio != USE_DEFAULT) {
2954 setupbio(&irbio, bio1, bio2, initrbio);
2955 setupbio(&iwbio, bio1, bio2, initwbio);
2956 SSL_set_bio(clientssl, irbio, iwbio);
2957
2958 /*
2959 * We want to maintain our own refs to these BIO, so do an up ref for
2960 * each BIO that will have ownership transferred in the SSL_set_bio()
2961 * call
2962 */
2963 if (irbio != NULL)
2964 BIO_up_ref(irbio);
2965 if (iwbio != NULL && iwbio != irbio)
2966 BIO_up_ref(iwbio);
2967 }
2968
2969 if (conntype != CONNTYPE_NO_CONNECTION
2970 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2971 SSL_ERROR_NONE)
2972 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2973 goto end;
2974
2975 setupbio(&nrbio, bio1, bio2, newrbio);
2976 setupbio(&nwbio, bio1, bio2, newwbio);
2977
2978 /*
2979 * We will (maybe) transfer ownership again so do more up refs.
2980 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2981 * already been set!
2982 */
2983 if (nrbio != NULL
2984 && nrbio != irbio
2985 && (nwbio != iwbio || nrbio != nwbio))
2986 BIO_up_ref(nrbio);
2987 if (nwbio != NULL
2988 && nwbio != nrbio
2989 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2990 BIO_up_ref(nwbio);
2991
2992 SSL_set_bio(clientssl, nrbio, nwbio);
2993
2994 testresult = 1;
2995
2996 end:
2997 BIO_free(bio1);
2998 BIO_free(bio2);
2999
3000 /*
3001 * This test is checking that the ref counting for SSL_set_bio is correct.
3002 * If we get here and we did too many frees then we will fail in the above
3003 * functions.
3004 */
3005 SSL_free(serverssl);
3006 SSL_free(clientssl);
3007 SSL_CTX_free(sctx);
3008 SSL_CTX_free(cctx);
3009 return testresult;
3010 }
3011
3012 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3013
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)3014 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3015 {
3016 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3017 SSL_CTX *ctx;
3018 SSL *ssl = NULL;
3019 int testresult = 0;
3020
3021 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3022 || !TEST_ptr(ssl = SSL_new(ctx))
3023 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3024 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3025 goto end;
3026
3027 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3028
3029 /*
3030 * If anything goes wrong here then we could leak memory.
3031 */
3032 BIO_push(sslbio, membio1);
3033
3034 /* Verify changing the rbio/wbio directly does not cause leaks */
3035 if (change_bio != NO_BIO_CHANGE) {
3036 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3037 ssl = NULL;
3038 goto end;
3039 }
3040 if (change_bio == CHANGE_RBIO)
3041 SSL_set0_rbio(ssl, membio2);
3042 else
3043 SSL_set0_wbio(ssl, membio2);
3044 }
3045 ssl = NULL;
3046
3047 if (pop_ssl)
3048 BIO_pop(sslbio);
3049 else
3050 BIO_pop(membio1);
3051
3052 testresult = 1;
3053 end:
3054 BIO_free(membio1);
3055 BIO_free(sslbio);
3056 SSL_free(ssl);
3057 SSL_CTX_free(ctx);
3058
3059 return testresult;
3060 }
3061
test_ssl_bio_pop_next_bio(void)3062 static int test_ssl_bio_pop_next_bio(void)
3063 {
3064 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3065 }
3066
test_ssl_bio_pop_ssl_bio(void)3067 static int test_ssl_bio_pop_ssl_bio(void)
3068 {
3069 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3070 }
3071
test_ssl_bio_change_rbio(void)3072 static int test_ssl_bio_change_rbio(void)
3073 {
3074 return execute_test_ssl_bio(0, CHANGE_RBIO);
3075 }
3076
test_ssl_bio_change_wbio(void)3077 static int test_ssl_bio_change_wbio(void)
3078 {
3079 return execute_test_ssl_bio(0, CHANGE_WBIO);
3080 }
3081
3082 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3083 typedef struct {
3084 /* The list of sig algs */
3085 const int *list;
3086 /* The length of the list */
3087 size_t listlen;
3088 /* A sigalgs list in string format */
3089 const char *liststr;
3090 /* Whether setting the list should succeed */
3091 int valid;
3092 /* Whether creating a connection with the list should succeed */
3093 int connsuccess;
3094 } sigalgs_list;
3095
3096 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3097 # ifndef OPENSSL_NO_EC
3098 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3099 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3100 # endif
3101 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3102 static const int invalidlist2[] = {NID_sha256, NID_undef};
3103 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3104 static const int invalidlist4[] = {NID_sha256};
3105 static const sigalgs_list testsigalgs[] = {
3106 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3107 # ifndef OPENSSL_NO_EC
3108 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3109 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3110 # endif
3111 {NULL, 0, "RSA+SHA256", 1, 1},
3112 # ifndef OPENSSL_NO_EC
3113 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3114 {NULL, 0, "ECDSA+SHA512", 1, 0},
3115 # endif
3116 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3117 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3118 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3119 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3120 {NULL, 0, "RSA", 0, 0},
3121 {NULL, 0, "SHA256", 0, 0},
3122 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3123 {NULL, 0, "Invalid", 0, 0}
3124 };
3125
test_set_sigalgs(int idx)3126 static int test_set_sigalgs(int idx)
3127 {
3128 SSL_CTX *cctx = NULL, *sctx = NULL;
3129 SSL *clientssl = NULL, *serverssl = NULL;
3130 int testresult = 0;
3131 const sigalgs_list *curr;
3132 int testctx;
3133
3134 /* Should never happen */
3135 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3136 return 0;
3137
3138 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3139 curr = testctx ? &testsigalgs[idx]
3140 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3141
3142 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3143 TLS_client_method(), TLS1_VERSION, 0,
3144 &sctx, &cctx, cert, privkey)))
3145 return 0;
3146
3147 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3148
3149 if (testctx) {
3150 int ret;
3151
3152 if (curr->list != NULL)
3153 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3154 else
3155 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3156
3157 if (!ret) {
3158 if (curr->valid)
3159 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3160 else
3161 testresult = 1;
3162 goto end;
3163 }
3164 if (!curr->valid) {
3165 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3166 goto end;
3167 }
3168 }
3169
3170 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3171 &clientssl, NULL, NULL)))
3172 goto end;
3173
3174 if (!testctx) {
3175 int ret;
3176
3177 if (curr->list != NULL)
3178 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3179 else
3180 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3181 if (!ret) {
3182 if (curr->valid)
3183 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3184 else
3185 testresult = 1;
3186 goto end;
3187 }
3188 if (!curr->valid)
3189 goto end;
3190 }
3191
3192 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3193 SSL_ERROR_NONE),
3194 curr->connsuccess))
3195 goto end;
3196
3197 testresult = 1;
3198
3199 end:
3200 SSL_free(serverssl);
3201 SSL_free(clientssl);
3202 SSL_CTX_free(sctx);
3203 SSL_CTX_free(cctx);
3204
3205 return testresult;
3206 }
3207 #endif
3208
3209 #ifndef OSSL_NO_USABLE_TLS1_3
3210 static int psk_client_cb_cnt = 0;
3211 static int psk_server_cb_cnt = 0;
3212
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)3213 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3214 size_t *idlen, SSL_SESSION **sess)
3215 {
3216 switch (++use_session_cb_cnt) {
3217 case 1:
3218 /* The first call should always have a NULL md */
3219 if (md != NULL)
3220 return 0;
3221 break;
3222
3223 case 2:
3224 /* The second call should always have an md */
3225 if (md == NULL)
3226 return 0;
3227 break;
3228
3229 default:
3230 /* We should only be called a maximum of twice */
3231 return 0;
3232 }
3233
3234 if (clientpsk != NULL)
3235 SSL_SESSION_up_ref(clientpsk);
3236
3237 *sess = clientpsk;
3238 *id = (const unsigned char *)pskid;
3239 *idlen = strlen(pskid);
3240
3241 return 1;
3242 }
3243
3244 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)3245 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3246 unsigned int max_id_len,
3247 unsigned char *psk,
3248 unsigned int max_psk_len)
3249 {
3250 unsigned int psklen = 0;
3251
3252 psk_client_cb_cnt++;
3253
3254 if (strlen(pskid) + 1 > max_id_len)
3255 return 0;
3256
3257 /* We should only ever be called a maximum of twice per connection */
3258 if (psk_client_cb_cnt > 2)
3259 return 0;
3260
3261 if (clientpsk == NULL)
3262 return 0;
3263
3264 /* We'll reuse the PSK we set up for TLSv1.3 */
3265 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3266 return 0;
3267 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3268 strncpy(id, pskid, max_id_len);
3269
3270 return psklen;
3271 }
3272 #endif /* OPENSSL_NO_PSK */
3273
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)3274 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3275 size_t identity_len, SSL_SESSION **sess)
3276 {
3277 find_session_cb_cnt++;
3278
3279 /* We should only ever be called a maximum of twice per connection */
3280 if (find_session_cb_cnt > 2)
3281 return 0;
3282
3283 if (serverpsk == NULL)
3284 return 0;
3285
3286 /* Identity should match that set by the client */
3287 if (strlen(srvid) != identity_len
3288 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3289 /* No PSK found, continue but without a PSK */
3290 *sess = NULL;
3291 return 1;
3292 }
3293
3294 SSL_SESSION_up_ref(serverpsk);
3295 *sess = serverpsk;
3296
3297 return 1;
3298 }
3299
3300 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)3301 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3302 unsigned char *psk, unsigned int max_psk_len)
3303 {
3304 unsigned int psklen = 0;
3305
3306 psk_server_cb_cnt++;
3307
3308 /* We should only ever be called a maximum of twice per connection */
3309 if (find_session_cb_cnt > 2)
3310 return 0;
3311
3312 if (serverpsk == NULL)
3313 return 0;
3314
3315 /* Identity should match that set by the client */
3316 if (strcmp(srvid, identity) != 0) {
3317 return 0;
3318 }
3319
3320 /* We'll reuse the PSK we set up for TLSv1.3 */
3321 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3322 return 0;
3323 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3324
3325 return psklen;
3326 }
3327 #endif /* OPENSSL_NO_PSK */
3328
3329 #define MSG1 "Hello"
3330 #define MSG2 "World."
3331 #define MSG3 "This"
3332 #define MSG4 "is"
3333 #define MSG5 "a"
3334 #define MSG6 "test"
3335 #define MSG7 "message."
3336
3337 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3338 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3339 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3340 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3341 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3342
3343
create_a_psk(SSL * ssl,size_t mdsize)3344 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3345 {
3346 const SSL_CIPHER *cipher = NULL;
3347 const unsigned char key[] = {
3348 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3349 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3350 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3351 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3352 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3353 };
3354 SSL_SESSION *sess = NULL;
3355
3356 if (mdsize == SHA384_DIGEST_LENGTH) {
3357 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3358 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3359 /*
3360 * Any ciphersuite using SHA256 will do - it will be compatible with
3361 * the actual ciphersuite selected as long as it too is based on SHA256
3362 */
3363 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3364 } else {
3365 /* Should not happen */
3366 return NULL;
3367 }
3368 sess = SSL_SESSION_new();
3369 if (!TEST_ptr(sess)
3370 || !TEST_ptr(cipher)
3371 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3372 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3373 || !TEST_true(
3374 SSL_SESSION_set_protocol_version(sess,
3375 TLS1_3_VERSION))) {
3376 SSL_SESSION_free(sess);
3377 return NULL;
3378 }
3379 return sess;
3380 }
3381
3382 /*
3383 * Helper method to setup objects for early data test. Caller frees objects on
3384 * error.
3385 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx,size_t mdsize)3386 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3387 SSL **serverssl, SSL_SESSION **sess, int idx,
3388 size_t mdsize)
3389 {
3390 if (*sctx == NULL
3391 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3392 TLS_client_method(),
3393 TLS1_VERSION, 0,
3394 sctx, cctx, cert, privkey)))
3395 return 0;
3396
3397 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3398 return 0;
3399
3400 if (idx == 1) {
3401 /* When idx == 1 we repeat the tests with read_ahead set */
3402 SSL_CTX_set_read_ahead(*cctx, 1);
3403 SSL_CTX_set_read_ahead(*sctx, 1);
3404 } else if (idx == 2) {
3405 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3406 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3407 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3408 use_session_cb_cnt = 0;
3409 find_session_cb_cnt = 0;
3410 srvid = pskid;
3411 }
3412
3413 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3414 NULL, NULL)))
3415 return 0;
3416
3417 /*
3418 * For one of the run throughs (doesn't matter which one), we'll try sending
3419 * some SNI data in the initial ClientHello. This will be ignored (because
3420 * there is no SNI cb set up by the server), so it should not impact
3421 * early_data.
3422 */
3423 if (idx == 1
3424 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3425 return 0;
3426
3427 if (idx == 2) {
3428 clientpsk = create_a_psk(*clientssl, mdsize);
3429 if (!TEST_ptr(clientpsk)
3430 /*
3431 * We just choose an arbitrary value for max_early_data which
3432 * should be big enough for testing purposes.
3433 */
3434 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3435 0x100))
3436 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3437 SSL_SESSION_free(clientpsk);
3438 clientpsk = NULL;
3439 return 0;
3440 }
3441 serverpsk = clientpsk;
3442
3443 if (sess != NULL) {
3444 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3445 SSL_SESSION_free(clientpsk);
3446 SSL_SESSION_free(serverpsk);
3447 clientpsk = serverpsk = NULL;
3448 return 0;
3449 }
3450 *sess = clientpsk;
3451 }
3452 return 1;
3453 }
3454
3455 if (sess == NULL)
3456 return 1;
3457
3458 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3459 SSL_ERROR_NONE)))
3460 return 0;
3461
3462 *sess = SSL_get1_session(*clientssl);
3463 SSL_shutdown(*clientssl);
3464 SSL_shutdown(*serverssl);
3465 SSL_free(*serverssl);
3466 SSL_free(*clientssl);
3467 *serverssl = *clientssl = NULL;
3468
3469 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3470 clientssl, NULL, NULL))
3471 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3472 return 0;
3473
3474 return 1;
3475 }
3476
test_early_data_read_write(int idx)3477 static int test_early_data_read_write(int idx)
3478 {
3479 SSL_CTX *cctx = NULL, *sctx = NULL;
3480 SSL *clientssl = NULL, *serverssl = NULL;
3481 int testresult = 0;
3482 SSL_SESSION *sess = NULL;
3483 unsigned char buf[20], data[1024];
3484 size_t readbytes, written, eoedlen, rawread, rawwritten;
3485 BIO *rbio;
3486
3487 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3488 &serverssl, &sess, idx,
3489 SHA384_DIGEST_LENGTH)))
3490 goto end;
3491
3492 /* Write and read some early data */
3493 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3494 &written))
3495 || !TEST_size_t_eq(written, strlen(MSG1))
3496 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3497 sizeof(buf), &readbytes),
3498 SSL_READ_EARLY_DATA_SUCCESS)
3499 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3500 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3501 SSL_EARLY_DATA_ACCEPTED))
3502 goto end;
3503
3504 /*
3505 * Server should be able to write data, and client should be able to
3506 * read it.
3507 */
3508 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3509 &written))
3510 || !TEST_size_t_eq(written, strlen(MSG2))
3511 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3513 goto end;
3514
3515 /* Even after reading normal data, client should be able write early data */
3516 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3517 &written))
3518 || !TEST_size_t_eq(written, strlen(MSG3)))
3519 goto end;
3520
3521 /* Server should still be able read early data after writing data */
3522 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3523 &readbytes),
3524 SSL_READ_EARLY_DATA_SUCCESS)
3525 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3526 goto end;
3527
3528 /* Write more data from server and read it from client */
3529 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3530 &written))
3531 || !TEST_size_t_eq(written, strlen(MSG4))
3532 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3533 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3534 goto end;
3535
3536 /*
3537 * If client writes normal data it should mean writing early data is no
3538 * longer possible.
3539 */
3540 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3541 || !TEST_size_t_eq(written, strlen(MSG5))
3542 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3543 SSL_EARLY_DATA_ACCEPTED))
3544 goto end;
3545
3546 /*
3547 * At this point the client has written EndOfEarlyData, ClientFinished and
3548 * normal (fully protected) data. We are going to cause a delay between the
3549 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3550 * in the read BIO, and then just put back the EndOfEarlyData message.
3551 */
3552 rbio = SSL_get_rbio(serverssl);
3553 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3554 || !TEST_size_t_lt(rawread, sizeof(data))
3555 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3556 goto end;
3557
3558 /* Record length is in the 4th and 5th bytes of the record header */
3559 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3560 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3561 || !TEST_size_t_eq(rawwritten, eoedlen))
3562 goto end;
3563
3564 /* Server should be told that there is no more early data */
3565 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3566 &readbytes),
3567 SSL_READ_EARLY_DATA_FINISH)
3568 || !TEST_size_t_eq(readbytes, 0))
3569 goto end;
3570
3571 /*
3572 * Server has not finished init yet, so should still be able to write early
3573 * data.
3574 */
3575 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3576 &written))
3577 || !TEST_size_t_eq(written, strlen(MSG6)))
3578 goto end;
3579
3580 /* Push the ClientFinished and the normal data back into the server rbio */
3581 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3582 &rawwritten))
3583 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3584 goto end;
3585
3586 /* Server should be able to read normal data */
3587 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3588 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3589 goto end;
3590
3591 /* Client and server should not be able to write/read early data now */
3592 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3593 &written)))
3594 goto end;
3595 ERR_clear_error();
3596 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3597 &readbytes),
3598 SSL_READ_EARLY_DATA_ERROR))
3599 goto end;
3600 ERR_clear_error();
3601
3602 /* Client should be able to read the data sent by the server */
3603 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3604 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3605 goto end;
3606
3607 /*
3608 * Make sure we process the two NewSessionTickets. These arrive
3609 * post-handshake. We attempt reads which we do not expect to return any
3610 * data.
3611 */
3612 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3613 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3614 &readbytes)))
3615 goto end;
3616
3617 /* Server should be able to write normal data */
3618 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3619 || !TEST_size_t_eq(written, strlen(MSG7))
3620 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3621 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3622 goto end;
3623
3624 SSL_SESSION_free(sess);
3625 sess = SSL_get1_session(clientssl);
3626 use_session_cb_cnt = 0;
3627 find_session_cb_cnt = 0;
3628
3629 SSL_shutdown(clientssl);
3630 SSL_shutdown(serverssl);
3631 SSL_free(serverssl);
3632 SSL_free(clientssl);
3633 serverssl = clientssl = NULL;
3634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3635 &clientssl, NULL, NULL))
3636 || !TEST_true(SSL_set_session(clientssl, sess)))
3637 goto end;
3638
3639 /* Write and read some early data */
3640 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3641 &written))
3642 || !TEST_size_t_eq(written, strlen(MSG1))
3643 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3644 &readbytes),
3645 SSL_READ_EARLY_DATA_SUCCESS)
3646 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3647 goto end;
3648
3649 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3650 || !TEST_int_gt(SSL_accept(serverssl), 0))
3651 goto end;
3652
3653 /* Client and server should not be able to write/read early data now */
3654 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3655 &written)))
3656 goto end;
3657 ERR_clear_error();
3658 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3659 &readbytes),
3660 SSL_READ_EARLY_DATA_ERROR))
3661 goto end;
3662 ERR_clear_error();
3663
3664 /* Client and server should be able to write/read normal data */
3665 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3666 || !TEST_size_t_eq(written, strlen(MSG5))
3667 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3668 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3669 goto end;
3670
3671 testresult = 1;
3672
3673 end:
3674 SSL_SESSION_free(sess);
3675 SSL_SESSION_free(clientpsk);
3676 SSL_SESSION_free(serverpsk);
3677 clientpsk = serverpsk = NULL;
3678 SSL_free(serverssl);
3679 SSL_free(clientssl);
3680 SSL_CTX_free(sctx);
3681 SSL_CTX_free(cctx);
3682 return testresult;
3683 }
3684
3685 static int allow_ed_cb_called = 0;
3686
allow_early_data_cb(SSL * s,void * arg)3687 static int allow_early_data_cb(SSL *s, void *arg)
3688 {
3689 int *usecb = (int *)arg;
3690
3691 allow_ed_cb_called++;
3692
3693 if (*usecb == 1)
3694 return 0;
3695
3696 return 1;
3697 }
3698
3699 /*
3700 * idx == 0: Standard early_data setup
3701 * idx == 1: early_data setup using read_ahead
3702 * usecb == 0: Don't use a custom early data callback
3703 * usecb == 1: Use a custom early data callback and reject the early data
3704 * usecb == 2: Use a custom early data callback and accept the early data
3705 * confopt == 0: Configure anti-replay directly
3706 * confopt == 1: Configure anti-replay using SSL_CONF
3707 */
test_early_data_replay_int(int idx,int usecb,int confopt)3708 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3709 {
3710 SSL_CTX *cctx = NULL, *sctx = NULL;
3711 SSL *clientssl = NULL, *serverssl = NULL;
3712 int testresult = 0;
3713 SSL_SESSION *sess = NULL;
3714 size_t readbytes, written;
3715 unsigned char buf[20];
3716
3717 allow_ed_cb_called = 0;
3718
3719 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3720 TLS_client_method(), TLS1_VERSION, 0,
3721 &sctx, &cctx, cert, privkey)))
3722 return 0;
3723
3724 if (usecb > 0) {
3725 if (confopt == 0) {
3726 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3727 } else {
3728 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3729
3730 if (!TEST_ptr(confctx))
3731 goto end;
3732 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3733 | SSL_CONF_FLAG_SERVER);
3734 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3735 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3736 2)) {
3737 SSL_CONF_CTX_free(confctx);
3738 goto end;
3739 }
3740 SSL_CONF_CTX_free(confctx);
3741 }
3742 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3743 }
3744
3745 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3746 &serverssl, &sess, idx,
3747 SHA384_DIGEST_LENGTH)))
3748 goto end;
3749
3750 /*
3751 * The server is configured to accept early data. Create a connection to
3752 * "use up" the ticket
3753 */
3754 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3755 || !TEST_true(SSL_session_reused(clientssl)))
3756 goto end;
3757
3758 SSL_shutdown(clientssl);
3759 SSL_shutdown(serverssl);
3760 SSL_free(serverssl);
3761 SSL_free(clientssl);
3762 serverssl = clientssl = NULL;
3763
3764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3765 &clientssl, NULL, NULL))
3766 || !TEST_true(SSL_set_session(clientssl, sess)))
3767 goto end;
3768
3769 /* Write and read some early data */
3770 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3771 &written))
3772 || !TEST_size_t_eq(written, strlen(MSG1)))
3773 goto end;
3774
3775 if (usecb <= 1) {
3776 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3777 &readbytes),
3778 SSL_READ_EARLY_DATA_FINISH)
3779 /*
3780 * The ticket was reused, so the we should have rejected the
3781 * early data
3782 */
3783 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3784 SSL_EARLY_DATA_REJECTED))
3785 goto end;
3786 } else {
3787 /* In this case the callback decides to accept the early data */
3788 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3789 &readbytes),
3790 SSL_READ_EARLY_DATA_SUCCESS)
3791 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3792 /*
3793 * Server will have sent its flight so client can now send
3794 * end of early data and complete its half of the handshake
3795 */
3796 || !TEST_int_gt(SSL_connect(clientssl), 0)
3797 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3798 &readbytes),
3799 SSL_READ_EARLY_DATA_FINISH)
3800 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3801 SSL_EARLY_DATA_ACCEPTED))
3802 goto end;
3803 }
3804
3805 /* Complete the connection */
3806 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3807 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3808 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3809 goto end;
3810
3811 testresult = 1;
3812
3813 end:
3814 SSL_SESSION_free(sess);
3815 SSL_SESSION_free(clientpsk);
3816 SSL_SESSION_free(serverpsk);
3817 clientpsk = serverpsk = NULL;
3818 SSL_free(serverssl);
3819 SSL_free(clientssl);
3820 SSL_CTX_free(sctx);
3821 SSL_CTX_free(cctx);
3822 return testresult;
3823 }
3824
test_early_data_replay(int idx)3825 static int test_early_data_replay(int idx)
3826 {
3827 int ret = 1, usecb, confopt;
3828
3829 for (usecb = 0; usecb < 3; usecb++) {
3830 for (confopt = 0; confopt < 2; confopt++)
3831 ret &= test_early_data_replay_int(idx, usecb, confopt);
3832 }
3833
3834 return ret;
3835 }
3836
3837 static const char *ciphersuites[] = {
3838 "TLS_AES_128_CCM_8_SHA256",
3839 "TLS_AES_128_GCM_SHA256",
3840 "TLS_AES_256_GCM_SHA384",
3841 "TLS_AES_128_CCM_SHA256",
3842 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3843 "TLS_CHACHA20_POLY1305_SHA256"
3844 #endif
3845 };
3846
3847 /*
3848 * Helper function to test that a server attempting to read early data can
3849 * handle a connection from a client where the early data should be skipped.
3850 * testtype: 0 == No HRR
3851 * testtype: 1 == HRR
3852 * testtype: 2 == HRR, invalid early_data sent after HRR
3853 * testtype: 3 == recv_max_early_data set to 0
3854 */
early_data_skip_helper(int testtype,int cipher,int idx)3855 static int early_data_skip_helper(int testtype, int cipher, int idx)
3856 {
3857 SSL_CTX *cctx = NULL, *sctx = NULL;
3858 SSL *clientssl = NULL, *serverssl = NULL;
3859 int testresult = 0;
3860 SSL_SESSION *sess = NULL;
3861 unsigned char buf[20];
3862 size_t readbytes, written;
3863
3864 if (is_fips && cipher == 4)
3865 return 1;
3866
3867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3868 TLS_client_method(),
3869 TLS1_VERSION, 0,
3870 &sctx, &cctx, cert, privkey)))
3871 goto end;
3872
3873 if (cipher == 0) {
3874 SSL_CTX_set_security_level(sctx, 0);
3875 SSL_CTX_set_security_level(cctx, 0);
3876 }
3877
3878 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3879 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3880 goto end;
3881
3882 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3883 &serverssl, &sess, idx,
3884 cipher == 2 ? SHA384_DIGEST_LENGTH
3885 : SHA256_DIGEST_LENGTH)))
3886 goto end;
3887
3888 if (testtype == 1 || testtype == 2) {
3889 /* Force an HRR to occur */
3890 #if defined(OPENSSL_NO_EC)
3891 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3892 goto end;
3893 #else
3894 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3895 goto end;
3896 #endif
3897 } else if (idx == 2) {
3898 /*
3899 * We force early_data rejection by ensuring the PSK identity is
3900 * unrecognised
3901 */
3902 srvid = "Dummy Identity";
3903 } else {
3904 /*
3905 * Deliberately corrupt the creation time. We take 20 seconds off the
3906 * time. It could be any value as long as it is not within tolerance.
3907 * This should mean the ticket is rejected.
3908 */
3909 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3910 goto end;
3911 }
3912
3913 if (testtype == 3
3914 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3915 goto end;
3916
3917 /* Write some early data */
3918 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3919 &written))
3920 || !TEST_size_t_eq(written, strlen(MSG1)))
3921 goto end;
3922
3923 /* Server should reject the early data */
3924 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3925 &readbytes),
3926 SSL_READ_EARLY_DATA_FINISH)
3927 || !TEST_size_t_eq(readbytes, 0)
3928 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3929 SSL_EARLY_DATA_REJECTED))
3930 goto end;
3931
3932 switch (testtype) {
3933 case 0:
3934 /* Nothing to do */
3935 break;
3936
3937 case 1:
3938 /*
3939 * Finish off the handshake. We perform the same writes and reads as
3940 * further down but we expect them to fail due to the incomplete
3941 * handshake.
3942 */
3943 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3944 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3945 &readbytes)))
3946 goto end;
3947 break;
3948
3949 case 2:
3950 {
3951 BIO *wbio = SSL_get_wbio(clientssl);
3952 /* A record that will appear as bad early_data */
3953 const unsigned char bad_early_data[] = {
3954 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3955 };
3956
3957 /*
3958 * We force the client to attempt a write. This will fail because
3959 * we're still in the handshake. It will cause the second
3960 * ClientHello to be sent.
3961 */
3962 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3963 &written)))
3964 goto end;
3965
3966 /*
3967 * Inject some early_data after the second ClientHello. This should
3968 * cause the server to fail
3969 */
3970 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3971 sizeof(bad_early_data), &written)))
3972 goto end;
3973 }
3974 /* fallthrough */
3975
3976 case 3:
3977 /*
3978 * This client has sent more early_data than we are willing to skip
3979 * (case 3) or sent invalid early_data (case 2) so the connection should
3980 * abort.
3981 */
3982 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3983 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3984 goto end;
3985
3986 /* Connection has failed - nothing more to do */
3987 testresult = 1;
3988 goto end;
3989
3990 default:
3991 TEST_error("Invalid test type");
3992 goto end;
3993 }
3994
3995 ERR_clear_error();
3996 /*
3997 * Should be able to send normal data despite rejection of early data. The
3998 * early_data should be skipped.
3999 */
4000 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4001 || !TEST_size_t_eq(written, strlen(MSG2))
4002 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4003 SSL_EARLY_DATA_REJECTED)
4004 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4005 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4006 goto end;
4007
4008 /*
4009 * Failure to decrypt early data records should not leave spurious errors
4010 * on the error stack
4011 */
4012 if (!TEST_long_eq(ERR_peek_error(), 0))
4013 goto end;
4014
4015 testresult = 1;
4016
4017 end:
4018 SSL_SESSION_free(clientpsk);
4019 SSL_SESSION_free(serverpsk);
4020 clientpsk = serverpsk = NULL;
4021 SSL_SESSION_free(sess);
4022 SSL_free(serverssl);
4023 SSL_free(clientssl);
4024 SSL_CTX_free(sctx);
4025 SSL_CTX_free(cctx);
4026 return testresult;
4027 }
4028
4029 /*
4030 * Test that a server attempting to read early data can handle a connection
4031 * from a client where the early data is not acceptable.
4032 */
test_early_data_skip(int idx)4033 static int test_early_data_skip(int idx)
4034 {
4035 return early_data_skip_helper(0,
4036 idx % OSSL_NELEM(ciphersuites),
4037 idx / OSSL_NELEM(ciphersuites));
4038 }
4039
4040 /*
4041 * Test that a server attempting to read early data can handle a connection
4042 * from a client where an HRR occurs.
4043 */
test_early_data_skip_hrr(int idx)4044 static int test_early_data_skip_hrr(int idx)
4045 {
4046 return early_data_skip_helper(1,
4047 idx % OSSL_NELEM(ciphersuites),
4048 idx / OSSL_NELEM(ciphersuites));
4049 }
4050
4051 /*
4052 * Test that a server attempting to read early data can handle a connection
4053 * from a client where an HRR occurs and correctly fails if early_data is sent
4054 * after the HRR
4055 */
test_early_data_skip_hrr_fail(int idx)4056 static int test_early_data_skip_hrr_fail(int idx)
4057 {
4058 return early_data_skip_helper(2,
4059 idx % OSSL_NELEM(ciphersuites),
4060 idx / OSSL_NELEM(ciphersuites));
4061 }
4062
4063 /*
4064 * Test that a server attempting to read early data will abort if it tries to
4065 * skip over too much.
4066 */
test_early_data_skip_abort(int idx)4067 static int test_early_data_skip_abort(int idx)
4068 {
4069 return early_data_skip_helper(3,
4070 idx % OSSL_NELEM(ciphersuites),
4071 idx / OSSL_NELEM(ciphersuites));
4072 }
4073
4074 /*
4075 * Test that a server attempting to read early data can handle a connection
4076 * from a client that doesn't send any.
4077 */
test_early_data_not_sent(int idx)4078 static int test_early_data_not_sent(int idx)
4079 {
4080 SSL_CTX *cctx = NULL, *sctx = NULL;
4081 SSL *clientssl = NULL, *serverssl = NULL;
4082 int testresult = 0;
4083 SSL_SESSION *sess = NULL;
4084 unsigned char buf[20];
4085 size_t readbytes, written;
4086
4087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4088 &serverssl, &sess, idx,
4089 SHA384_DIGEST_LENGTH)))
4090 goto end;
4091
4092 /* Write some data - should block due to handshake with server */
4093 SSL_set_connect_state(clientssl);
4094 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4095 goto end;
4096
4097 /* Server should detect that early data has not been sent */
4098 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4099 &readbytes),
4100 SSL_READ_EARLY_DATA_FINISH)
4101 || !TEST_size_t_eq(readbytes, 0)
4102 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4103 SSL_EARLY_DATA_NOT_SENT)
4104 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4105 SSL_EARLY_DATA_NOT_SENT))
4106 goto end;
4107
4108 /* Continue writing the message we started earlier */
4109 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4110 || !TEST_size_t_eq(written, strlen(MSG1))
4111 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4112 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4113 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4114 || !TEST_size_t_eq(written, strlen(MSG2)))
4115 goto end;
4116
4117 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4118 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4119 goto end;
4120
4121 testresult = 1;
4122
4123 end:
4124 SSL_SESSION_free(sess);
4125 SSL_SESSION_free(clientpsk);
4126 SSL_SESSION_free(serverpsk);
4127 clientpsk = serverpsk = NULL;
4128 SSL_free(serverssl);
4129 SSL_free(clientssl);
4130 SSL_CTX_free(sctx);
4131 SSL_CTX_free(cctx);
4132 return testresult;
4133 }
4134
4135 static const char *servalpn;
4136
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)4137 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4138 unsigned char *outlen, const unsigned char *in,
4139 unsigned int inlen, void *arg)
4140 {
4141 unsigned int protlen = 0;
4142 const unsigned char *prot;
4143
4144 for (prot = in; prot < in + inlen; prot += protlen) {
4145 protlen = *prot++;
4146 if (in + inlen < prot + protlen)
4147 return SSL_TLSEXT_ERR_NOACK;
4148
4149 if (protlen == strlen(servalpn)
4150 && memcmp(prot, servalpn, protlen) == 0) {
4151 *out = prot;
4152 *outlen = protlen;
4153 return SSL_TLSEXT_ERR_OK;
4154 }
4155 }
4156
4157 return SSL_TLSEXT_ERR_NOACK;
4158 }
4159
4160 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)4161 static int test_early_data_psk(int idx)
4162 {
4163 SSL_CTX *cctx = NULL, *sctx = NULL;
4164 SSL *clientssl = NULL, *serverssl = NULL;
4165 int testresult = 0;
4166 SSL_SESSION *sess = NULL;
4167 unsigned char alpnlist[] = {
4168 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4169 'l', 'p', 'n'
4170 };
4171 #define GOODALPNLEN 9
4172 #define BADALPNLEN 8
4173 #define GOODALPN (alpnlist)
4174 #define BADALPN (alpnlist + GOODALPNLEN)
4175 int err = 0;
4176 unsigned char buf[20];
4177 size_t readbytes, written;
4178 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4179 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4180
4181 /* We always set this up with a final parameter of "2" for PSK */
4182 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4183 &serverssl, &sess, 2,
4184 SHA384_DIGEST_LENGTH)))
4185 goto end;
4186
4187 servalpn = "goodalpn";
4188
4189 /*
4190 * Note: There is no test for inconsistent SNI with late client detection.
4191 * This is because servers do not acknowledge SNI even if they are using
4192 * it in a resumption handshake - so it is not actually possible for a
4193 * client to detect a problem.
4194 */
4195 switch (idx) {
4196 case 0:
4197 /* Set inconsistent SNI (early client detection) */
4198 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4199 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4200 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4201 goto end;
4202 break;
4203
4204 case 1:
4205 /* Set inconsistent ALPN (early client detection) */
4206 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4207 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4208 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4209 GOODALPNLEN))
4210 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4211 BADALPNLEN)))
4212 goto end;
4213 break;
4214
4215 case 2:
4216 /*
4217 * Set invalid protocol version. Technically this affects PSKs without
4218 * early_data too, but we test it here because it is similar to the
4219 * SNI/ALPN consistency tests.
4220 */
4221 err = SSL_R_BAD_PSK;
4222 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4223 goto end;
4224 break;
4225
4226 case 3:
4227 /*
4228 * Set inconsistent SNI (server side). In this case the connection
4229 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4230 * is associated with each handshake - not the session. Therefore it
4231 * should not matter that we used a different server name last time.
4232 */
4233 SSL_SESSION_free(serverpsk);
4234 serverpsk = SSL_SESSION_dup(clientpsk);
4235 if (!TEST_ptr(serverpsk)
4236 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4237 goto end;
4238 /* Fall through */
4239 case 4:
4240 /* Set consistent SNI */
4241 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4242 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4243 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4244 hostname_cb)))
4245 goto end;
4246 break;
4247
4248 case 5:
4249 /*
4250 * Set inconsistent ALPN (server detected). In this case the connection
4251 * will succeed but reject early_data.
4252 */
4253 servalpn = "badalpn";
4254 edstatus = SSL_EARLY_DATA_REJECTED;
4255 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4256 /* Fall through */
4257 case 6:
4258 /*
4259 * Set consistent ALPN.
4260 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4261 * accepts a list of protos (each one length prefixed).
4262 * SSL_set1_alpn_selected accepts a single protocol (not length
4263 * prefixed)
4264 */
4265 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4266 GOODALPNLEN - 1))
4267 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4268 GOODALPNLEN)))
4269 goto end;
4270
4271 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4272 break;
4273
4274 case 7:
4275 /* Set inconsistent ALPN (late client detection) */
4276 SSL_SESSION_free(serverpsk);
4277 serverpsk = SSL_SESSION_dup(clientpsk);
4278 if (!TEST_ptr(serverpsk)
4279 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4280 BADALPN + 1,
4281 BADALPNLEN - 1))
4282 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4283 GOODALPN + 1,
4284 GOODALPNLEN - 1))
4285 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4286 sizeof(alpnlist))))
4287 goto end;
4288 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4289 edstatus = SSL_EARLY_DATA_ACCEPTED;
4290 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4291 /* SSL_connect() call should fail */
4292 connectres = -1;
4293 break;
4294
4295 default:
4296 TEST_error("Bad test index");
4297 goto end;
4298 }
4299
4300 SSL_set_connect_state(clientssl);
4301 if (err != 0) {
4302 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4303 &written))
4304 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4305 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4306 goto end;
4307 } else {
4308 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4309 &written)))
4310 goto end;
4311
4312 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4313 &readbytes), readearlyres)
4314 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4315 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4316 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4317 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4318 goto end;
4319 }
4320
4321 testresult = 1;
4322
4323 end:
4324 SSL_SESSION_free(sess);
4325 SSL_SESSION_free(clientpsk);
4326 SSL_SESSION_free(serverpsk);
4327 clientpsk = serverpsk = NULL;
4328 SSL_free(serverssl);
4329 SSL_free(clientssl);
4330 SSL_CTX_free(sctx);
4331 SSL_CTX_free(cctx);
4332 return testresult;
4333 }
4334
4335 /*
4336 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4337 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4338 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4339 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4340 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4341 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4342 */
test_early_data_psk_with_all_ciphers(int idx)4343 static int test_early_data_psk_with_all_ciphers(int idx)
4344 {
4345 SSL_CTX *cctx = NULL, *sctx = NULL;
4346 SSL *clientssl = NULL, *serverssl = NULL;
4347 int testresult = 0;
4348 SSL_SESSION *sess = NULL;
4349 unsigned char buf[20];
4350 size_t readbytes, written;
4351 const SSL_CIPHER *cipher;
4352 const char *cipher_str[] = {
4353 TLS1_3_RFC_AES_128_GCM_SHA256,
4354 TLS1_3_RFC_AES_256_GCM_SHA384,
4355 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4356 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4357 # else
4358 NULL,
4359 # endif
4360 TLS1_3_RFC_AES_128_CCM_SHA256,
4361 TLS1_3_RFC_AES_128_CCM_8_SHA256
4362 };
4363 const unsigned char *cipher_bytes[] = {
4364 TLS13_AES_128_GCM_SHA256_BYTES,
4365 TLS13_AES_256_GCM_SHA384_BYTES,
4366 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4367 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4368 # else
4369 NULL,
4370 # endif
4371 TLS13_AES_128_CCM_SHA256_BYTES,
4372 TLS13_AES_128_CCM_8_SHA256_BYTES
4373 };
4374
4375 if (cipher_str[idx] == NULL)
4376 return 1;
4377 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4378 if (idx == 2 && is_fips == 1)
4379 return 1;
4380
4381 /* We always set this up with a final parameter of "2" for PSK */
4382 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4383 &serverssl, &sess, 2,
4384 SHA384_DIGEST_LENGTH)))
4385 goto end;
4386
4387 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4388 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4389 goto end;
4390
4391 /*
4392 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4393 * and assigns to both client and server with incremented reference
4394 * and the same instance is updated in 'sess'.
4395 * So updating ciphersuite in 'sess' which will get reflected in
4396 * PSK handshake using psk use sess and find sess cb.
4397 */
4398 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4399 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4400 goto end;
4401
4402 SSL_set_connect_state(clientssl);
4403 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4404 &written)))
4405 goto end;
4406
4407 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4408 &readbytes),
4409 SSL_READ_EARLY_DATA_SUCCESS)
4410 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4411 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4412 SSL_EARLY_DATA_ACCEPTED)
4413 || !TEST_int_eq(SSL_connect(clientssl), 1)
4414 || !TEST_int_eq(SSL_accept(serverssl), 1))
4415 goto end;
4416
4417 /* Send some normal data from client to server */
4418 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4419 || !TEST_size_t_eq(written, strlen(MSG2)))
4420 goto end;
4421
4422 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4423 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4424 goto end;
4425
4426 testresult = 1;
4427 end:
4428 SSL_SESSION_free(sess);
4429 SSL_SESSION_free(clientpsk);
4430 SSL_SESSION_free(serverpsk);
4431 clientpsk = serverpsk = NULL;
4432 if (clientssl != NULL)
4433 SSL_shutdown(clientssl);
4434 if (serverssl != NULL)
4435 SSL_shutdown(serverssl);
4436 SSL_free(serverssl);
4437 SSL_free(clientssl);
4438 SSL_CTX_free(sctx);
4439 SSL_CTX_free(cctx);
4440 return testresult;
4441 }
4442
4443 /*
4444 * Test that a server that doesn't try to read early data can handle a
4445 * client sending some.
4446 */
test_early_data_not_expected(int idx)4447 static int test_early_data_not_expected(int idx)
4448 {
4449 SSL_CTX *cctx = NULL, *sctx = NULL;
4450 SSL *clientssl = NULL, *serverssl = NULL;
4451 int testresult = 0;
4452 SSL_SESSION *sess = NULL;
4453 unsigned char buf[20];
4454 size_t readbytes, written;
4455
4456 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4457 &serverssl, &sess, idx,
4458 SHA384_DIGEST_LENGTH)))
4459 goto end;
4460
4461 /* Write some early data */
4462 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4463 &written)))
4464 goto end;
4465
4466 /*
4467 * Server should skip over early data and then block waiting for client to
4468 * continue handshake
4469 */
4470 if (!TEST_int_le(SSL_accept(serverssl), 0)
4471 || !TEST_int_gt(SSL_connect(clientssl), 0)
4472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4473 SSL_EARLY_DATA_REJECTED)
4474 || !TEST_int_gt(SSL_accept(serverssl), 0)
4475 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4476 SSL_EARLY_DATA_REJECTED))
4477 goto end;
4478
4479 /* Send some normal data from client to server */
4480 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4481 || !TEST_size_t_eq(written, strlen(MSG2)))
4482 goto end;
4483
4484 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4485 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4486 goto end;
4487
4488 testresult = 1;
4489
4490 end:
4491 SSL_SESSION_free(sess);
4492 SSL_SESSION_free(clientpsk);
4493 SSL_SESSION_free(serverpsk);
4494 clientpsk = serverpsk = NULL;
4495 SSL_free(serverssl);
4496 SSL_free(clientssl);
4497 SSL_CTX_free(sctx);
4498 SSL_CTX_free(cctx);
4499 return testresult;
4500 }
4501
4502
4503 # ifndef OPENSSL_NO_TLS1_2
4504 /*
4505 * Test that a server attempting to read early data can handle a connection
4506 * from a TLSv1.2 client.
4507 */
test_early_data_tls1_2(int idx)4508 static int test_early_data_tls1_2(int idx)
4509 {
4510 SSL_CTX *cctx = NULL, *sctx = NULL;
4511 SSL *clientssl = NULL, *serverssl = NULL;
4512 int testresult = 0;
4513 unsigned char buf[20];
4514 size_t readbytes, written;
4515
4516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4517 &serverssl, NULL, idx,
4518 SHA384_DIGEST_LENGTH)))
4519 goto end;
4520
4521 /* Write some data - should block due to handshake with server */
4522 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4523 SSL_set_connect_state(clientssl);
4524 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4525 goto end;
4526
4527 /*
4528 * Server should do TLSv1.2 handshake. First it will block waiting for more
4529 * messages from client after ServerDone. Then SSL_read_early_data should
4530 * finish and detect that early data has not been sent
4531 */
4532 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4533 &readbytes),
4534 SSL_READ_EARLY_DATA_ERROR))
4535 goto end;
4536
4537 /*
4538 * Continue writing the message we started earlier. Will still block waiting
4539 * for the CCS/Finished from server
4540 */
4541 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4542 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4543 &readbytes),
4544 SSL_READ_EARLY_DATA_FINISH)
4545 || !TEST_size_t_eq(readbytes, 0)
4546 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4547 SSL_EARLY_DATA_NOT_SENT))
4548 goto end;
4549
4550 /* Continue writing the message we started earlier */
4551 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4552 || !TEST_size_t_eq(written, strlen(MSG1))
4553 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4554 SSL_EARLY_DATA_NOT_SENT)
4555 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4556 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4557 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4558 || !TEST_size_t_eq(written, strlen(MSG2))
4559 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4560 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4561 goto end;
4562
4563 testresult = 1;
4564
4565 end:
4566 SSL_SESSION_free(clientpsk);
4567 SSL_SESSION_free(serverpsk);
4568 clientpsk = serverpsk = NULL;
4569 SSL_free(serverssl);
4570 SSL_free(clientssl);
4571 SSL_CTX_free(sctx);
4572 SSL_CTX_free(cctx);
4573
4574 return testresult;
4575 }
4576 # endif /* OPENSSL_NO_TLS1_2 */
4577
4578 /*
4579 * Test configuring the TLSv1.3 ciphersuites
4580 *
4581 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4582 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4583 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4584 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4585 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4586 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4587 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4588 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4589 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4590 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4591 */
test_set_ciphersuite(int idx)4592 static int test_set_ciphersuite(int idx)
4593 {
4594 SSL_CTX *cctx = NULL, *sctx = NULL;
4595 SSL *clientssl = NULL, *serverssl = NULL;
4596 int testresult = 0;
4597
4598 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4599 TLS_client_method(), TLS1_VERSION, 0,
4600 &sctx, &cctx, cert, privkey))
4601 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4602 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4603 goto end;
4604
4605 if (idx >=4 && idx <= 7) {
4606 /* SSL_CTX explicit cipher list */
4607 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4608 goto end;
4609 }
4610
4611 if (idx == 0 || idx == 4) {
4612 /* Default ciphersuite */
4613 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4614 "TLS_AES_128_GCM_SHA256")))
4615 goto end;
4616 } else if (idx == 1 || idx == 5) {
4617 /* Non default ciphersuite */
4618 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4619 "TLS_AES_128_CCM_SHA256")))
4620 goto end;
4621 }
4622
4623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4624 &clientssl, NULL, NULL)))
4625 goto end;
4626
4627 if (idx == 8 || idx == 9) {
4628 /* SSL explicit cipher list */
4629 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4630 goto end;
4631 }
4632
4633 if (idx == 2 || idx == 6 || idx == 8) {
4634 /* Default ciphersuite */
4635 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4636 "TLS_AES_128_GCM_SHA256")))
4637 goto end;
4638 } else if (idx == 3 || idx == 7 || idx == 9) {
4639 /* Non default ciphersuite */
4640 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4641 "TLS_AES_128_CCM_SHA256")))
4642 goto end;
4643 }
4644
4645 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4646 goto end;
4647
4648 testresult = 1;
4649
4650 end:
4651 SSL_free(serverssl);
4652 SSL_free(clientssl);
4653 SSL_CTX_free(sctx);
4654 SSL_CTX_free(cctx);
4655
4656 return testresult;
4657 }
4658
test_ciphersuite_change(void)4659 static int test_ciphersuite_change(void)
4660 {
4661 SSL_CTX *cctx = NULL, *sctx = NULL;
4662 SSL *clientssl = NULL, *serverssl = NULL;
4663 SSL_SESSION *clntsess = NULL;
4664 int testresult = 0;
4665 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4666
4667 /* Create a session based on SHA-256 */
4668 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4669 TLS_client_method(), TLS1_VERSION, 0,
4670 &sctx, &cctx, cert, privkey))
4671 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4672 "TLS_AES_128_GCM_SHA256:"
4673 "TLS_AES_256_GCM_SHA384:"
4674 "TLS_AES_128_CCM_SHA256"))
4675 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4676 "TLS_AES_128_GCM_SHA256"))
4677 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4678 &clientssl, NULL, NULL))
4679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4680 SSL_ERROR_NONE)))
4681 goto end;
4682
4683 clntsess = SSL_get1_session(clientssl);
4684 /* Save for later */
4685 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4686 SSL_shutdown(clientssl);
4687 SSL_shutdown(serverssl);
4688 SSL_free(serverssl);
4689 SSL_free(clientssl);
4690 serverssl = clientssl = NULL;
4691
4692 /* Check we can resume a session with a different SHA-256 ciphersuite */
4693 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4694 "TLS_AES_128_CCM_SHA256"))
4695 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4696 &clientssl, NULL, NULL))
4697 || !TEST_true(SSL_set_session(clientssl, clntsess))
4698 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4699 SSL_ERROR_NONE))
4700 || !TEST_true(SSL_session_reused(clientssl)))
4701 goto end;
4702
4703 SSL_SESSION_free(clntsess);
4704 clntsess = SSL_get1_session(clientssl);
4705 SSL_shutdown(clientssl);
4706 SSL_shutdown(serverssl);
4707 SSL_free(serverssl);
4708 SSL_free(clientssl);
4709 serverssl = clientssl = NULL;
4710
4711 /*
4712 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4713 * succeeds but does not resume.
4714 */
4715 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4716 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4717 NULL, NULL))
4718 || !TEST_true(SSL_set_session(clientssl, clntsess))
4719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4720 SSL_ERROR_SSL))
4721 || !TEST_false(SSL_session_reused(clientssl)))
4722 goto end;
4723
4724 SSL_SESSION_free(clntsess);
4725 clntsess = NULL;
4726 SSL_shutdown(clientssl);
4727 SSL_shutdown(serverssl);
4728 SSL_free(serverssl);
4729 SSL_free(clientssl);
4730 serverssl = clientssl = NULL;
4731
4732 /* Create a session based on SHA384 */
4733 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4734 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4735 &clientssl, NULL, NULL))
4736 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4737 SSL_ERROR_NONE)))
4738 goto end;
4739
4740 clntsess = SSL_get1_session(clientssl);
4741 SSL_shutdown(clientssl);
4742 SSL_shutdown(serverssl);
4743 SSL_free(serverssl);
4744 SSL_free(clientssl);
4745 serverssl = clientssl = NULL;
4746
4747 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4748 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4749 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4750 "TLS_AES_256_GCM_SHA384"))
4751 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4752 NULL, NULL))
4753 || !TEST_true(SSL_set_session(clientssl, clntsess))
4754 /*
4755 * We use SSL_ERROR_WANT_READ below so that we can pause the
4756 * connection after the initial ClientHello has been sent to
4757 * enable us to make some session changes.
4758 */
4759 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4760 SSL_ERROR_WANT_READ)))
4761 goto end;
4762
4763 /* Trick the client into thinking this session is for a different digest */
4764 clntsess->cipher = aes_128_gcm_sha256;
4765 clntsess->cipher_id = clntsess->cipher->id;
4766
4767 /*
4768 * Continue the previously started connection. Server has selected a SHA-384
4769 * ciphersuite, but client thinks the session is for SHA-256, so it should
4770 * bail out.
4771 */
4772 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4773 SSL_ERROR_SSL))
4774 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4775 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4776 goto end;
4777
4778 testresult = 1;
4779
4780 end:
4781 SSL_SESSION_free(clntsess);
4782 SSL_free(serverssl);
4783 SSL_free(clientssl);
4784 SSL_CTX_free(sctx);
4785 SSL_CTX_free(cctx);
4786
4787 return testresult;
4788 }
4789
4790 /*
4791 * Test TLSv1.3 Key exchange
4792 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4793 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4794 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4795 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4796 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4797 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4798 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4799 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4800 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4801 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4802 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4803 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4804 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4805 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4806 */
4807 # ifndef OPENSSL_NO_EC
4808 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4809 NID_secp521r1, NID_X25519, NID_X448};
4810 # endif
4811 # ifndef OPENSSL_NO_DH
4812 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4813 NID_ffdhe6144, NID_ffdhe8192};
4814 # endif
test_key_exchange(int idx)4815 static int test_key_exchange(int idx)
4816 {
4817 SSL_CTX *sctx = NULL, *cctx = NULL;
4818 SSL *serverssl = NULL, *clientssl = NULL;
4819 int testresult = 0;
4820 int kexch_alg;
4821 int *kexch_groups = &kexch_alg;
4822 int kexch_groups_size = 1;
4823 int max_version = TLS1_3_VERSION;
4824 char *kexch_name0 = NULL;
4825
4826 switch (idx) {
4827 # ifndef OPENSSL_NO_EC
4828 # ifndef OPENSSL_NO_TLS1_2
4829 case 12:
4830 max_version = TLS1_2_VERSION;
4831 # endif
4832 /* Fall through */
4833 case 0:
4834 kexch_groups = ecdhe_kexch_groups;
4835 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4836 kexch_name0 = "secp256r1";
4837 break;
4838 case 1:
4839 kexch_alg = NID_X9_62_prime256v1;
4840 kexch_name0 = "secp256r1";
4841 break;
4842 case 2:
4843 kexch_alg = NID_secp384r1;
4844 kexch_name0 = "secp384r1";
4845 break;
4846 case 3:
4847 kexch_alg = NID_secp521r1;
4848 kexch_name0 = "secp521r1";
4849 break;
4850 case 4:
4851 kexch_alg = NID_X25519;
4852 kexch_name0 = "x25519";
4853 break;
4854 case 5:
4855 kexch_alg = NID_X448;
4856 kexch_name0 = "x448";
4857 break;
4858 # endif
4859 # ifndef OPENSSL_NO_DH
4860 # ifndef OPENSSL_NO_TLS1_2
4861 case 13:
4862 max_version = TLS1_2_VERSION;
4863 kexch_name0 = "ffdhe2048";
4864 # endif
4865 /* Fall through */
4866 case 6:
4867 kexch_groups = ffdhe_kexch_groups;
4868 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4869 kexch_name0 = "ffdhe2048";
4870 break;
4871 case 7:
4872 kexch_alg = NID_ffdhe2048;
4873 kexch_name0 = "ffdhe2048";
4874 break;
4875 case 8:
4876 kexch_alg = NID_ffdhe3072;
4877 kexch_name0 = "ffdhe3072";
4878 break;
4879 case 9:
4880 kexch_alg = NID_ffdhe4096;
4881 kexch_name0 = "ffdhe4096";
4882 break;
4883 case 10:
4884 kexch_alg = NID_ffdhe6144;
4885 kexch_name0 = "ffdhe6144";
4886 break;
4887 case 11:
4888 kexch_alg = NID_ffdhe8192;
4889 kexch_name0 = "ffdhe8192";
4890 break;
4891 # endif
4892 default:
4893 /* We're skipping this test */
4894 return 1;
4895 }
4896
4897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4898 TLS_client_method(), TLS1_VERSION,
4899 max_version, &sctx, &cctx, cert,
4900 privkey)))
4901 goto end;
4902
4903 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4904 TLS1_3_RFC_AES_128_GCM_SHA256)))
4905 goto end;
4906
4907 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4908 TLS1_3_RFC_AES_128_GCM_SHA256)))
4909 goto end;
4910
4911 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4912 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4913 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4914 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4915 goto end;
4916
4917 /*
4918 * Must include an EC ciphersuite so that we send supported groups in
4919 * TLSv1.2
4920 */
4921 # ifndef OPENSSL_NO_TLS1_2
4922 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4923 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4924 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4925 goto end;
4926 # endif
4927
4928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4929 NULL, NULL)))
4930 goto end;
4931
4932 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4933 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4934 goto end;
4935
4936 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4937 goto end;
4938
4939 /*
4940 * If Handshake succeeds the negotiated kexch alg should be the first one in
4941 * configured, except in the case of FFDHE groups (idx 13), which are
4942 * TLSv1.3 only so we expect no shared group to exist.
4943 */
4944 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4945 idx == 13 ? 0 : kexch_groups[0]))
4946 goto end;
4947
4948 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4949 kexch_name0))
4950 goto end;
4951
4952 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4953 if (idx != 13) {
4954 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4955 goto end;
4956 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4957 goto end;
4958 }
4959
4960 testresult = 1;
4961 end:
4962 SSL_free(serverssl);
4963 SSL_free(clientssl);
4964 SSL_CTX_free(sctx);
4965 SSL_CTX_free(cctx);
4966 return testresult;
4967 }
4968
4969 # if !defined(OPENSSL_NO_TLS1_2) \
4970 && !defined(OPENSSL_NO_EC) \
4971 && !defined(OPENSSL_NO_DH)
set_ssl_groups(SSL * serverssl,SSL * clientssl,int clientmulti,int isecdhe,int idx)4972 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4973 int isecdhe, int idx)
4974 {
4975 int kexch_alg;
4976 int *kexch_groups = &kexch_alg;
4977 int numec, numff;
4978
4979 numec = OSSL_NELEM(ecdhe_kexch_groups);
4980 numff = OSSL_NELEM(ffdhe_kexch_groups);
4981 if (isecdhe)
4982 kexch_alg = ecdhe_kexch_groups[idx];
4983 else
4984 kexch_alg = ffdhe_kexch_groups[idx];
4985
4986 if (clientmulti) {
4987 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4988 return 0;
4989 if (isecdhe) {
4990 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4991 numec)))
4992 return 0;
4993 } else {
4994 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4995 numff)))
4996 return 0;
4997 }
4998 } else {
4999 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5000 return 0;
5001 if (isecdhe) {
5002 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5003 numec)))
5004 return 0;
5005 } else {
5006 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5007 numff)))
5008 return 0;
5009 }
5010 }
5011 return 1;
5012 }
5013
5014 /*-
5015 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5016 * Run through both the ECDHE and FFDHE group lists used in the previous
5017 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5018 * confirming the expected result; then perform a resumption handshake
5019 * while offering the same group list, and another resumption handshake
5020 * offering a different group list. The returned value should be the
5021 * negotiated group for the initial handshake; for TLS 1.3 resumption
5022 * handshakes the returned value will be negotiated on the resumption
5023 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5024 * be cached in the session from the original handshake, regardless of what
5025 * was offered in the resumption ClientHello.
5026 *
5027 * Using E for the number of EC groups and F for the number of FF groups:
5028 * E tests of ECDHE with TLS 1.3, server only has one group
5029 * F tests of FFDHE with TLS 1.3, server only has one group
5030 * E tests of ECDHE with TLS 1.2, server only has one group
5031 * F tests of FFDHE with TLS 1.2, server only has one group
5032 * E tests of ECDHE with TLS 1.3, client sends only one group
5033 * F tests of FFDHE with TLS 1.3, client sends only one group
5034 * E tests of ECDHE with TLS 1.2, client sends only one group
5035 * F tests of FFDHE with TLS 1.2, client sends only one group
5036 */
test_negotiated_group(int idx)5037 static int test_negotiated_group(int idx)
5038 {
5039 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5040 int expectednid;
5041 SSL_CTX *sctx = NULL, *cctx = NULL;
5042 SSL *serverssl = NULL, *clientssl = NULL;
5043 SSL_SESSION *origsess = NULL;
5044 int testresult = 0;
5045 int kexch_alg;
5046 int max_version = TLS1_3_VERSION;
5047
5048 numec = OSSL_NELEM(ecdhe_kexch_groups);
5049 numff = OSSL_NELEM(ffdhe_kexch_groups);
5050 numgroups = numec + numff;
5051 clientmulti = (idx < 2 * numgroups);
5052 idx = idx % (2 * numgroups);
5053 istls13 = (idx < numgroups);
5054 idx = idx % numgroups;
5055 isecdhe = (idx < numec);
5056 if (!isecdhe)
5057 idx -= numec;
5058 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5059 if (isecdhe)
5060 kexch_alg = ecdhe_kexch_groups[idx];
5061 else
5062 kexch_alg = ffdhe_kexch_groups[idx];
5063 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5064 if (!istls13 && !isecdhe)
5065 expectednid = NID_undef;
5066 else
5067 expectednid = kexch_alg;
5068
5069 if (!istls13)
5070 max_version = TLS1_2_VERSION;
5071
5072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5073 TLS_client_method(), TLS1_VERSION,
5074 max_version, &sctx, &cctx, cert,
5075 privkey)))
5076 goto end;
5077
5078 /*
5079 * Force (EC)DHE ciphers for TLS 1.2.
5080 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5081 */
5082 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5083 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5084 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5085 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5086 goto end;
5087 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5088 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5089 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5090 goto end;
5091
5092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5093 NULL, NULL)))
5094 goto end;
5095
5096 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5097 idx)))
5098 goto end;
5099
5100 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5101 goto end;
5102
5103 /* Initial handshake; always the configured one */
5104 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5105 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5106 goto end;
5107
5108 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5109 goto end;
5110
5111 SSL_shutdown(clientssl);
5112 SSL_shutdown(serverssl);
5113 SSL_free(serverssl);
5114 SSL_free(clientssl);
5115 serverssl = clientssl = NULL;
5116
5117 /* First resumption attempt; use the same config as initial handshake */
5118 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5119 NULL, NULL))
5120 || !TEST_true(SSL_set_session(clientssl, origsess))
5121 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5122 isecdhe, idx)))
5123 goto end;
5124
5125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5126 || !TEST_true(SSL_session_reused(clientssl)))
5127 goto end;
5128
5129 /* Still had better agree, since nothing changed... */
5130 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5131 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5132 goto end;
5133
5134 SSL_shutdown(clientssl);
5135 SSL_shutdown(serverssl);
5136 SSL_free(serverssl);
5137 SSL_free(clientssl);
5138 serverssl = clientssl = NULL;
5139
5140 /*-
5141 * Second resumption attempt
5142 * The party that picks one group changes it, which we effectuate by
5143 * changing 'idx' and updating what we expect.
5144 */
5145 if (idx == 0)
5146 idx = 1;
5147 else
5148 idx--;
5149 if (istls13) {
5150 if (isecdhe)
5151 expectednid = ecdhe_kexch_groups[idx];
5152 else
5153 expectednid = ffdhe_kexch_groups[idx];
5154 /* Verify that we are changing what we expect. */
5155 if (!TEST_int_ne(expectednid, kexch_alg))
5156 goto end;
5157 } else {
5158 /* TLS 1.2 only supports named groups for ECDHE. */
5159 if (isecdhe)
5160 expectednid = kexch_alg;
5161 else
5162 expectednid = 0;
5163 }
5164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5165 NULL, NULL))
5166 || !TEST_true(SSL_set_session(clientssl, origsess))
5167 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5168 isecdhe, idx)))
5169 goto end;
5170
5171 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5172 || !TEST_true(SSL_session_reused(clientssl)))
5173 goto end;
5174
5175 /* Check that we get what we expected */
5176 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5177 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5178 goto end;
5179
5180 testresult = 1;
5181 end:
5182 SSL_free(serverssl);
5183 SSL_free(clientssl);
5184 SSL_CTX_free(sctx);
5185 SSL_CTX_free(cctx);
5186 SSL_SESSION_free(origsess);
5187 return testresult;
5188 }
5189 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5190
5191 /*
5192 * Test TLSv1.3 Cipher Suite
5193 * Test 0 = Set TLS1.3 cipher on context
5194 * Test 1 = Set TLS1.3 cipher on SSL
5195 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5196 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5197 */
test_tls13_ciphersuite(int idx)5198 static int test_tls13_ciphersuite(int idx)
5199 {
5200 SSL_CTX *sctx = NULL, *cctx = NULL;
5201 SSL *serverssl = NULL, *clientssl = NULL;
5202 static const struct {
5203 const char *ciphername;
5204 int fipscapable;
5205 } t13_ciphers[] = {
5206 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5207 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5208 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5209 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5210 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5211 { TLS1_3_RFC_AES_256_GCM_SHA384
5212 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5213 # endif
5214 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5215 };
5216 const char *t13_cipher = NULL;
5217 const char *t12_cipher = NULL;
5218 const char *negotiated_scipher;
5219 const char *negotiated_ccipher;
5220 int set_at_ctx = 0;
5221 int set_at_ssl = 0;
5222 int testresult = 0;
5223 int max_ver;
5224 size_t i;
5225
5226 switch (idx) {
5227 case 0:
5228 set_at_ctx = 1;
5229 break;
5230 case 1:
5231 set_at_ssl = 1;
5232 break;
5233 case 2:
5234 set_at_ctx = 1;
5235 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5236 break;
5237 case 3:
5238 set_at_ssl = 1;
5239 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5240 break;
5241 }
5242
5243 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5244 # ifdef OPENSSL_NO_TLS1_2
5245 if (max_ver == TLS1_2_VERSION)
5246 continue;
5247 # endif
5248 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5249 if (is_fips && !t13_ciphers[i].fipscapable)
5250 continue;
5251 t13_cipher = t13_ciphers[i].ciphername;
5252 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5253 TLS_client_method(),
5254 TLS1_VERSION, max_ver,
5255 &sctx, &cctx, cert, privkey)))
5256 goto end;
5257
5258 if (set_at_ctx) {
5259 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5260 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5261 goto end;
5262 if (t12_cipher != NULL) {
5263 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5264 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5265 t12_cipher)))
5266 goto end;
5267 }
5268 }
5269
5270 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5271 &clientssl, NULL, NULL)))
5272 goto end;
5273
5274 if (set_at_ssl) {
5275 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5276 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5277 goto end;
5278 if (t12_cipher != NULL) {
5279 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5280 || !TEST_true(SSL_set_cipher_list(clientssl,
5281 t12_cipher)))
5282 goto end;
5283 }
5284 }
5285
5286 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5287 SSL_ERROR_NONE)))
5288 goto end;
5289
5290 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5291 serverssl));
5292 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5293 clientssl));
5294 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5295 goto end;
5296
5297 /*
5298 * TEST_strn_eq is used below because t13_cipher can contain
5299 * multiple ciphersuites
5300 */
5301 if (max_ver == TLS1_3_VERSION
5302 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5303 strlen(negotiated_scipher)))
5304 goto end;
5305
5306 # ifndef OPENSSL_NO_TLS1_2
5307 /* Below validation is not done when t12_cipher is NULL */
5308 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5309 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5310 goto end;
5311 # endif
5312
5313 SSL_free(serverssl);
5314 serverssl = NULL;
5315 SSL_free(clientssl);
5316 clientssl = NULL;
5317 SSL_CTX_free(sctx);
5318 sctx = NULL;
5319 SSL_CTX_free(cctx);
5320 cctx = NULL;
5321 }
5322 }
5323
5324 testresult = 1;
5325 end:
5326 SSL_free(serverssl);
5327 SSL_free(clientssl);
5328 SSL_CTX_free(sctx);
5329 SSL_CTX_free(cctx);
5330 return testresult;
5331 }
5332
5333 /*
5334 * Test TLSv1.3 PSKs
5335 * Test 0 = Test new style callbacks
5336 * Test 1 = Test both new and old style callbacks
5337 * Test 2 = Test old style callbacks
5338 * Test 3 = Test old style callbacks with no certificate
5339 */
test_tls13_psk(int idx)5340 static int test_tls13_psk(int idx)
5341 {
5342 SSL_CTX *sctx = NULL, *cctx = NULL;
5343 SSL *serverssl = NULL, *clientssl = NULL;
5344 const SSL_CIPHER *cipher = NULL;
5345 const unsigned char key[] = {
5346 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5347 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5348 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5349 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5350 };
5351 int testresult = 0;
5352
5353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5354 TLS_client_method(), TLS1_VERSION, 0,
5355 &sctx, &cctx, idx == 3 ? NULL : cert,
5356 idx == 3 ? NULL : privkey)))
5357 goto end;
5358
5359 if (idx != 3) {
5360 /*
5361 * We use a ciphersuite with SHA256 to ease testing old style PSK
5362 * callbacks which will always default to SHA256. This should not be
5363 * necessary if we have no cert/priv key. In that case the server should
5364 * prefer SHA256 automatically.
5365 */
5366 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5367 "TLS_AES_128_GCM_SHA256")))
5368 goto end;
5369 } else {
5370 /*
5371 * As noted above the server should prefer SHA256 automatically. However
5372 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5373 * code works even if we are testing with only the FIPS provider loaded.
5374 */
5375 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5376 "TLS_AES_256_GCM_SHA384:"
5377 "TLS_AES_128_GCM_SHA256")))
5378 goto end;
5379 }
5380
5381 /*
5382 * Test 0: New style callbacks only
5383 * Test 1: New and old style callbacks (only the new ones should be used)
5384 * Test 2: Old style callbacks only
5385 */
5386 if (idx == 0 || idx == 1) {
5387 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5388 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5389 }
5390 #ifndef OPENSSL_NO_PSK
5391 if (idx >= 1) {
5392 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5393 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5394 }
5395 #endif
5396 srvid = pskid;
5397 use_session_cb_cnt = 0;
5398 find_session_cb_cnt = 0;
5399 psk_client_cb_cnt = 0;
5400 psk_server_cb_cnt = 0;
5401
5402 if (idx != 3) {
5403 /*
5404 * Check we can create a connection if callback decides not to send a
5405 * PSK
5406 */
5407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5408 NULL, NULL))
5409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5410 SSL_ERROR_NONE))
5411 || !TEST_false(SSL_session_reused(clientssl))
5412 || !TEST_false(SSL_session_reused(serverssl)))
5413 goto end;
5414
5415 if (idx == 0 || idx == 1) {
5416 if (!TEST_true(use_session_cb_cnt == 1)
5417 || !TEST_true(find_session_cb_cnt == 0)
5418 /*
5419 * If no old style callback then below should be 0
5420 * otherwise 1
5421 */
5422 || !TEST_true(psk_client_cb_cnt == idx)
5423 || !TEST_true(psk_server_cb_cnt == 0))
5424 goto end;
5425 } else {
5426 if (!TEST_true(use_session_cb_cnt == 0)
5427 || !TEST_true(find_session_cb_cnt == 0)
5428 || !TEST_true(psk_client_cb_cnt == 1)
5429 || !TEST_true(psk_server_cb_cnt == 0))
5430 goto end;
5431 }
5432
5433 shutdown_ssl_connection(serverssl, clientssl);
5434 serverssl = clientssl = NULL;
5435 use_session_cb_cnt = psk_client_cb_cnt = 0;
5436 }
5437
5438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5439 NULL, NULL)))
5440 goto end;
5441
5442 /* Create the PSK */
5443 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5444 clientpsk = SSL_SESSION_new();
5445 if (!TEST_ptr(clientpsk)
5446 || !TEST_ptr(cipher)
5447 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5448 sizeof(key)))
5449 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5450 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5451 TLS1_3_VERSION))
5452 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5453 goto end;
5454 serverpsk = clientpsk;
5455
5456 /* Check we can create a connection and the PSK is used */
5457 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5458 || !TEST_true(SSL_session_reused(clientssl))
5459 || !TEST_true(SSL_session_reused(serverssl)))
5460 goto end;
5461
5462 if (idx == 0 || idx == 1) {
5463 if (!TEST_true(use_session_cb_cnt == 1)
5464 || !TEST_true(find_session_cb_cnt == 1)
5465 || !TEST_true(psk_client_cb_cnt == 0)
5466 || !TEST_true(psk_server_cb_cnt == 0))
5467 goto end;
5468 } else {
5469 if (!TEST_true(use_session_cb_cnt == 0)
5470 || !TEST_true(find_session_cb_cnt == 0)
5471 || !TEST_true(psk_client_cb_cnt == 1)
5472 || !TEST_true(psk_server_cb_cnt == 1))
5473 goto end;
5474 }
5475
5476 shutdown_ssl_connection(serverssl, clientssl);
5477 serverssl = clientssl = NULL;
5478 use_session_cb_cnt = find_session_cb_cnt = 0;
5479 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5480
5481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5482 NULL, NULL)))
5483 goto end;
5484
5485 /* Force an HRR */
5486 #if defined(OPENSSL_NO_EC)
5487 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5488 goto end;
5489 #else
5490 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5491 goto end;
5492 #endif
5493
5494 /*
5495 * Check we can create a connection, the PSK is used and the callbacks are
5496 * called twice.
5497 */
5498 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5499 || !TEST_true(SSL_session_reused(clientssl))
5500 || !TEST_true(SSL_session_reused(serverssl)))
5501 goto end;
5502
5503 if (idx == 0 || idx == 1) {
5504 if (!TEST_true(use_session_cb_cnt == 2)
5505 || !TEST_true(find_session_cb_cnt == 2)
5506 || !TEST_true(psk_client_cb_cnt == 0)
5507 || !TEST_true(psk_server_cb_cnt == 0))
5508 goto end;
5509 } else {
5510 if (!TEST_true(use_session_cb_cnt == 0)
5511 || !TEST_true(find_session_cb_cnt == 0)
5512 || !TEST_true(psk_client_cb_cnt == 2)
5513 || !TEST_true(psk_server_cb_cnt == 2))
5514 goto end;
5515 }
5516
5517 shutdown_ssl_connection(serverssl, clientssl);
5518 serverssl = clientssl = NULL;
5519 use_session_cb_cnt = find_session_cb_cnt = 0;
5520 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5521
5522 if (idx != 3) {
5523 /*
5524 * Check that if the server rejects the PSK we can still connect, but with
5525 * a full handshake
5526 */
5527 srvid = "Dummy Identity";
5528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5529 NULL, NULL))
5530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5531 SSL_ERROR_NONE))
5532 || !TEST_false(SSL_session_reused(clientssl))
5533 || !TEST_false(SSL_session_reused(serverssl)))
5534 goto end;
5535
5536 if (idx == 0 || idx == 1) {
5537 if (!TEST_true(use_session_cb_cnt == 1)
5538 || !TEST_true(find_session_cb_cnt == 1)
5539 || !TEST_true(psk_client_cb_cnt == 0)
5540 /*
5541 * If no old style callback then below should be 0
5542 * otherwise 1
5543 */
5544 || !TEST_true(psk_server_cb_cnt == idx))
5545 goto end;
5546 } else {
5547 if (!TEST_true(use_session_cb_cnt == 0)
5548 || !TEST_true(find_session_cb_cnt == 0)
5549 || !TEST_true(psk_client_cb_cnt == 1)
5550 || !TEST_true(psk_server_cb_cnt == 1))
5551 goto end;
5552 }
5553
5554 shutdown_ssl_connection(serverssl, clientssl);
5555 serverssl = clientssl = NULL;
5556 }
5557 testresult = 1;
5558
5559 end:
5560 SSL_SESSION_free(clientpsk);
5561 SSL_SESSION_free(serverpsk);
5562 clientpsk = serverpsk = NULL;
5563 SSL_free(serverssl);
5564 SSL_free(clientssl);
5565 SSL_CTX_free(sctx);
5566 SSL_CTX_free(cctx);
5567 return testresult;
5568 }
5569
5570 static unsigned char cookie_magic_value[] = "cookie magic";
5571
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)5572 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5573 unsigned int *cookie_len)
5574 {
5575 /*
5576 * Not suitable as a real cookie generation function but good enough for
5577 * testing!
5578 */
5579 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5580 *cookie_len = sizeof(cookie_magic_value) - 1;
5581
5582 return 1;
5583 }
5584
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)5585 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5586 unsigned int cookie_len)
5587 {
5588 if (cookie_len == sizeof(cookie_magic_value) - 1
5589 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5590 return 1;
5591
5592 return 0;
5593 }
5594
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)5595 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5596 size_t *cookie_len)
5597 {
5598 unsigned int temp;
5599 int res = generate_cookie_callback(ssl, cookie, &temp);
5600 *cookie_len = temp;
5601 return res;
5602 }
5603
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)5604 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5605 size_t cookie_len)
5606 {
5607 return verify_cookie_callback(ssl, cookie, cookie_len);
5608 }
5609
test_stateless(void)5610 static int test_stateless(void)
5611 {
5612 SSL_CTX *sctx = NULL, *cctx = NULL;
5613 SSL *serverssl = NULL, *clientssl = NULL;
5614 int testresult = 0;
5615
5616 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5617 TLS_client_method(), TLS1_VERSION, 0,
5618 &sctx, &cctx, cert, privkey)))
5619 goto end;
5620
5621 /* The arrival of CCS messages can confuse the test */
5622 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5623
5624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5625 NULL, NULL))
5626 /* Send the first ClientHello */
5627 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5628 SSL_ERROR_WANT_READ))
5629 /*
5630 * This should fail with a -1 return because we have no callbacks
5631 * set up
5632 */
5633 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5634 goto end;
5635
5636 /* Fatal error so abandon the connection from this client */
5637 SSL_free(clientssl);
5638 clientssl = NULL;
5639
5640 /* Set up the cookie generation and verification callbacks */
5641 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5642 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5643
5644 /*
5645 * Create a new connection from the client (we can reuse the server SSL
5646 * object).
5647 */
5648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5649 NULL, NULL))
5650 /* Send the first ClientHello */
5651 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5652 SSL_ERROR_WANT_READ))
5653 /* This should fail because there is no cookie */
5654 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5655 goto end;
5656
5657 /* Abandon the connection from this client */
5658 SSL_free(clientssl);
5659 clientssl = NULL;
5660
5661 /*
5662 * Now create a connection from a new client but with the same server SSL
5663 * object
5664 */
5665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5666 NULL, NULL))
5667 /* Send the first ClientHello */
5668 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5669 SSL_ERROR_WANT_READ))
5670 /* This should fail because there is no cookie */
5671 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5672 /* Send the second ClientHello */
5673 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5674 SSL_ERROR_WANT_READ))
5675 /* This should succeed because a cookie is now present */
5676 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5677 /* Complete the connection */
5678 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5679 SSL_ERROR_NONE)))
5680 goto end;
5681
5682 shutdown_ssl_connection(serverssl, clientssl);
5683 serverssl = clientssl = NULL;
5684 testresult = 1;
5685
5686 end:
5687 SSL_free(serverssl);
5688 SSL_free(clientssl);
5689 SSL_CTX_free(sctx);
5690 SSL_CTX_free(cctx);
5691 return testresult;
5692
5693 }
5694 #endif /* OSSL_NO_USABLE_TLS1_3 */
5695
5696 static int clntaddoldcb = 0;
5697 static int clntparseoldcb = 0;
5698 static int srvaddoldcb = 0;
5699 static int srvparseoldcb = 0;
5700 static int clntaddnewcb = 0;
5701 static int clntparsenewcb = 0;
5702 static int srvaddnewcb = 0;
5703 static int srvparsenewcb = 0;
5704 static int snicb = 0;
5705
5706 #define TEST_EXT_TYPE1 0xff00
5707
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)5708 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5709 size_t *outlen, int *al, void *add_arg)
5710 {
5711 int *server = (int *)add_arg;
5712 unsigned char *data;
5713
5714 if (SSL_is_server(s))
5715 srvaddoldcb++;
5716 else
5717 clntaddoldcb++;
5718
5719 if (*server != SSL_is_server(s)
5720 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5721 return -1;
5722
5723 *data = 1;
5724 *out = data;
5725 *outlen = sizeof(char);
5726 return 1;
5727 }
5728
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)5729 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5730 void *add_arg)
5731 {
5732 OPENSSL_free((unsigned char *)out);
5733 }
5734
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)5735 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5736 size_t inlen, int *al, void *parse_arg)
5737 {
5738 int *server = (int *)parse_arg;
5739
5740 if (SSL_is_server(s))
5741 srvparseoldcb++;
5742 else
5743 clntparseoldcb++;
5744
5745 if (*server != SSL_is_server(s)
5746 || inlen != sizeof(char)
5747 || *in != 1)
5748 return -1;
5749
5750 return 1;
5751 }
5752
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)5753 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5754 const unsigned char **out, size_t *outlen, X509 *x,
5755 size_t chainidx, int *al, void *add_arg)
5756 {
5757 int *server = (int *)add_arg;
5758 unsigned char *data;
5759
5760 if (SSL_is_server(s))
5761 srvaddnewcb++;
5762 else
5763 clntaddnewcb++;
5764
5765 if (*server != SSL_is_server(s)
5766 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5767 return -1;
5768
5769 *data = 1;
5770 *out = data;
5771 *outlen = sizeof(*data);
5772 return 1;
5773 }
5774
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)5775 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5776 const unsigned char *out, void *add_arg)
5777 {
5778 OPENSSL_free((unsigned char *)out);
5779 }
5780
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)5781 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5782 const unsigned char *in, size_t inlen, X509 *x,
5783 size_t chainidx, int *al, void *parse_arg)
5784 {
5785 int *server = (int *)parse_arg;
5786
5787 if (SSL_is_server(s))
5788 srvparsenewcb++;
5789 else
5790 clntparsenewcb++;
5791
5792 if (*server != SSL_is_server(s)
5793 || inlen != sizeof(char) || *in != 1)
5794 return -1;
5795
5796 return 1;
5797 }
5798
sni_cb(SSL * s,int * al,void * arg)5799 static int sni_cb(SSL *s, int *al, void *arg)
5800 {
5801 SSL_CTX *ctx = (SSL_CTX *)arg;
5802
5803 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5804 *al = SSL_AD_INTERNAL_ERROR;
5805 return SSL_TLSEXT_ERR_ALERT_FATAL;
5806 }
5807 snicb++;
5808 return SSL_TLSEXT_ERR_OK;
5809 }
5810
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)5811 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5812 {
5813 return 1;
5814 }
5815
5816 /*
5817 * Custom call back tests.
5818 * Test 0: Old style callbacks in TLSv1.2
5819 * Test 1: New style callbacks in TLSv1.2
5820 * Test 2: New style callbacks in TLSv1.2 with SNI
5821 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5822 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5823 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5824 */
test_custom_exts(int tst)5825 static int test_custom_exts(int tst)
5826 {
5827 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5828 SSL *clientssl = NULL, *serverssl = NULL;
5829 int testresult = 0;
5830 static int server = 1;
5831 static int client = 0;
5832 SSL_SESSION *sess = NULL;
5833 unsigned int context;
5834
5835 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5836 /* Skip tests for TLSv1.2 and below in this case */
5837 if (tst < 3)
5838 return 1;
5839 #endif
5840
5841 /* Reset callback counters */
5842 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5843 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5844 snicb = 0;
5845
5846 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5847 TLS_client_method(), TLS1_VERSION, 0,
5848 &sctx, &cctx, cert, privkey)))
5849 goto end;
5850
5851 if (tst == 2
5852 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5853 TLS1_VERSION, 0,
5854 &sctx2, NULL, cert, privkey)))
5855 goto end;
5856
5857
5858 if (tst < 3) {
5859 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5860 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5861 if (sctx2 != NULL)
5862 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5863 }
5864
5865 if (tst == 5) {
5866 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5867 | SSL_EXT_TLS1_3_CERTIFICATE;
5868 SSL_CTX_set_verify(sctx,
5869 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5870 verify_cb);
5871 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5872 SSL_FILETYPE_PEM), 1)
5873 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5874 SSL_FILETYPE_PEM), 1)
5875 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5876 goto end;
5877 } else if (tst == 4) {
5878 context = SSL_EXT_CLIENT_HELLO
5879 | SSL_EXT_TLS1_2_SERVER_HELLO
5880 | SSL_EXT_TLS1_3_SERVER_HELLO
5881 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5882 | SSL_EXT_TLS1_3_CERTIFICATE
5883 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5884 } else {
5885 context = SSL_EXT_CLIENT_HELLO
5886 | SSL_EXT_TLS1_2_SERVER_HELLO
5887 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5888 }
5889
5890 /* Create a client side custom extension */
5891 if (tst == 0) {
5892 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5893 old_add_cb, old_free_cb,
5894 &client, old_parse_cb,
5895 &client)))
5896 goto end;
5897 } else {
5898 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5899 new_add_cb, new_free_cb,
5900 &client, new_parse_cb, &client)))
5901 goto end;
5902 }
5903
5904 /* Should not be able to add duplicates */
5905 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5906 old_add_cb, old_free_cb,
5907 &client, old_parse_cb,
5908 &client))
5909 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5910 context, new_add_cb,
5911 new_free_cb, &client,
5912 new_parse_cb, &client)))
5913 goto end;
5914
5915 /* Create a server side custom extension */
5916 if (tst == 0) {
5917 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5918 old_add_cb, old_free_cb,
5919 &server, old_parse_cb,
5920 &server)))
5921 goto end;
5922 } else {
5923 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5924 new_add_cb, new_free_cb,
5925 &server, new_parse_cb, &server)))
5926 goto end;
5927 if (sctx2 != NULL
5928 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5929 context, new_add_cb,
5930 new_free_cb, &server,
5931 new_parse_cb, &server)))
5932 goto end;
5933 }
5934
5935 /* Should not be able to add duplicates */
5936 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5937 old_add_cb, old_free_cb,
5938 &server, old_parse_cb,
5939 &server))
5940 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5941 context, new_add_cb,
5942 new_free_cb, &server,
5943 new_parse_cb, &server)))
5944 goto end;
5945
5946 if (tst == 2) {
5947 /* Set up SNI */
5948 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5949 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5950 goto end;
5951 }
5952
5953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5954 &clientssl, NULL, NULL))
5955 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5956 SSL_ERROR_NONE)))
5957 goto end;
5958
5959 if (tst == 0) {
5960 if (clntaddoldcb != 1
5961 || clntparseoldcb != 1
5962 || srvaddoldcb != 1
5963 || srvparseoldcb != 1)
5964 goto end;
5965 } else if (tst == 1 || tst == 2 || tst == 3) {
5966 if (clntaddnewcb != 1
5967 || clntparsenewcb != 1
5968 || srvaddnewcb != 1
5969 || srvparsenewcb != 1
5970 || (tst != 2 && snicb != 0)
5971 || (tst == 2 && snicb != 1))
5972 goto end;
5973 } else if (tst == 5) {
5974 if (clntaddnewcb != 1
5975 || clntparsenewcb != 1
5976 || srvaddnewcb != 1
5977 || srvparsenewcb != 1)
5978 goto end;
5979 } else {
5980 /* In this case there 2 NewSessionTicket messages created */
5981 if (clntaddnewcb != 1
5982 || clntparsenewcb != 5
5983 || srvaddnewcb != 5
5984 || srvparsenewcb != 1)
5985 goto end;
5986 }
5987
5988 sess = SSL_get1_session(clientssl);
5989 SSL_shutdown(clientssl);
5990 SSL_shutdown(serverssl);
5991 SSL_free(serverssl);
5992 SSL_free(clientssl);
5993 serverssl = clientssl = NULL;
5994
5995 if (tst == 3 || tst == 5) {
5996 /* We don't bother with the resumption aspects for these tests */
5997 testresult = 1;
5998 goto end;
5999 }
6000
6001 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6002 NULL, NULL))
6003 || !TEST_true(SSL_set_session(clientssl, sess))
6004 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6005 SSL_ERROR_NONE)))
6006 goto end;
6007
6008 /*
6009 * For a resumed session we expect to add the ClientHello extension. For the
6010 * old style callbacks we ignore it on the server side because they set
6011 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6012 * them.
6013 */
6014 if (tst == 0) {
6015 if (clntaddoldcb != 2
6016 || clntparseoldcb != 1
6017 || srvaddoldcb != 1
6018 || srvparseoldcb != 1)
6019 goto end;
6020 } else if (tst == 1 || tst == 2 || tst == 3) {
6021 if (clntaddnewcb != 2
6022 || clntparsenewcb != 2
6023 || srvaddnewcb != 2
6024 || srvparsenewcb != 2)
6025 goto end;
6026 } else {
6027 /*
6028 * No Certificate message extensions in the resumption handshake,
6029 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6030 */
6031 if (clntaddnewcb != 2
6032 || clntparsenewcb != 8
6033 || srvaddnewcb != 8
6034 || srvparsenewcb != 2)
6035 goto end;
6036 }
6037
6038 testresult = 1;
6039
6040 end:
6041 SSL_SESSION_free(sess);
6042 SSL_free(serverssl);
6043 SSL_free(clientssl);
6044 SSL_CTX_free(sctx2);
6045 SSL_CTX_free(sctx);
6046 SSL_CTX_free(cctx);
6047 return testresult;
6048 }
6049
6050 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6051
6052 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6053 | SSL_EXT_CLIENT_HELLO \
6054 | SSL_EXT_TLS1_2_SERVER_HELLO \
6055 | SSL_EXT_IGNORE_ON_RESUMPTION)
6056
6057 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6058 | SSL_EXT_TLS1_2_SERVER_HELLO \
6059 | SSL_EXT_CLIENT_HELLO)
6060
6061 #define SERVERINFO_CUSTOM \
6062 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6063 0x00, 0x03, \
6064 0x04, 0x05, 0x06 \
6065
6066 static const unsigned char serverinfo_custom_tls13[] = {
6067 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6068 SERVERINFO_CUSTOM
6069 };
6070 static const unsigned char serverinfo_custom_v2[] = {
6071 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6072 SERVERINFO_CUSTOM
6073 };
6074 static const unsigned char serverinfo_custom_v1[] = {
6075 SERVERINFO_CUSTOM
6076 };
6077 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6078 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6079 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6080
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6081 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6082 unsigned int context,
6083 const unsigned char *in,
6084 size_t inlen, X509 *x,
6085 size_t chainidx, int *al,
6086 void *parse_arg)
6087 {
6088 const size_t len = serverinfo_custom_v1_len;
6089 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6090 int *p_cb_result = (int*)parse_arg;
6091 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6092 return 1;
6093 }
6094
test_serverinfo_custom(const int idx)6095 static int test_serverinfo_custom(const int idx)
6096 {
6097 SSL_CTX *sctx = NULL, *cctx = NULL;
6098 SSL *clientssl = NULL, *serverssl = NULL;
6099 int testresult = 0;
6100 int cb_result = 0;
6101
6102 /*
6103 * Following variables are set in the switch statement
6104 * according to the test iteration.
6105 * Default values do not make much sense: test would fail with them.
6106 */
6107 int serverinfo_version = 0;
6108 int protocol_version = 0;
6109 unsigned int extension_context = 0;
6110 const unsigned char *si = NULL;
6111 size_t si_len = 0;
6112
6113 const int call_use_serverinfo_ex = idx > 0;
6114 switch (idx) {
6115 case 0: /* FALLTHROUGH */
6116 case 1:
6117 serverinfo_version = SSL_SERVERINFOV1;
6118 protocol_version = TLS1_2_VERSION;
6119 extension_context = SYNTHV1CONTEXT;
6120 si = serverinfo_custom_v1;
6121 si_len = serverinfo_custom_v1_len;
6122 break;
6123 case 2:
6124 serverinfo_version = SSL_SERVERINFOV2;
6125 protocol_version = TLS1_2_VERSION;
6126 extension_context = SYNTHV1CONTEXT;
6127 si = serverinfo_custom_v2;
6128 si_len = serverinfo_custom_v2_len;
6129 break;
6130 case 3:
6131 serverinfo_version = SSL_SERVERINFOV2;
6132 protocol_version = TLS1_3_VERSION;
6133 extension_context = TLS13CONTEXT;
6134 si = serverinfo_custom_tls13;
6135 si_len = serverinfo_custom_tls13_len;
6136 break;
6137 }
6138
6139 if (!TEST_true(create_ssl_ctx_pair(libctx,
6140 TLS_method(),
6141 TLS_method(),
6142 protocol_version,
6143 protocol_version,
6144 &sctx, &cctx, cert, privkey)))
6145 goto end;
6146
6147 if (call_use_serverinfo_ex) {
6148 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6149 si, si_len)))
6150 goto end;
6151 } else {
6152 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6153 goto end;
6154 }
6155
6156 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6157 extension_context,
6158 NULL, NULL, NULL,
6159 serverinfo_custom_parse_cb,
6160 &cb_result))
6161 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6162 NULL, NULL))
6163 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6164 SSL_ERROR_NONE))
6165 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6166 goto end;
6167
6168 if (!TEST_true(cb_result))
6169 goto end;
6170
6171 testresult = 1;
6172
6173 end:
6174 SSL_free(serverssl);
6175 SSL_free(clientssl);
6176 SSL_CTX_free(sctx);
6177 SSL_CTX_free(cctx);
6178
6179 return testresult;
6180 }
6181 #endif
6182
6183 /*
6184 * Test that SSL_export_keying_material() produces expected results. There are
6185 * no test vectors so all we do is test that both sides of the communication
6186 * produce the same results for different protocol versions.
6187 */
6188 #define SMALL_LABEL_LEN 10
6189 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)6190 static int test_export_key_mat(int tst)
6191 {
6192 int testresult = 0;
6193 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6194 SSL *clientssl = NULL, *serverssl = NULL;
6195 const char label[LONG_LABEL_LEN + 1] = "test label";
6196 const unsigned char context[] = "context";
6197 const unsigned char *emptycontext = NULL;
6198 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6199 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6200 size_t labellen;
6201 const int protocols[] = {
6202 TLS1_VERSION,
6203 TLS1_1_VERSION,
6204 TLS1_2_VERSION,
6205 TLS1_3_VERSION,
6206 TLS1_3_VERSION,
6207 TLS1_3_VERSION
6208 };
6209
6210 #ifdef OPENSSL_NO_TLS1
6211 if (tst == 0)
6212 return 1;
6213 #endif
6214 #ifdef OPENSSL_NO_TLS1_1
6215 if (tst == 1)
6216 return 1;
6217 #endif
6218 if (is_fips && (tst == 0 || tst == 1))
6219 return 1;
6220 #ifdef OPENSSL_NO_TLS1_2
6221 if (tst == 2)
6222 return 1;
6223 #endif
6224 #ifdef OSSL_NO_USABLE_TLS1_3
6225 if (tst >= 3)
6226 return 1;
6227 #endif
6228 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6229 TLS_client_method(), TLS1_VERSION, 0,
6230 &sctx, &cctx, cert, privkey)))
6231 goto end;
6232
6233 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6234 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6235 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6236 if ((protocols[tst] < TLS1_2_VERSION) &&
6237 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6238 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6239 goto end;
6240
6241 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6242 NULL)))
6243 goto end;
6244
6245 /*
6246 * Premature call of SSL_export_keying_material should just fail.
6247 */
6248 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6249 sizeof(ckeymat1), label,
6250 SMALL_LABEL_LEN + 1, context,
6251 sizeof(context) - 1, 1), 0))
6252 goto end;
6253
6254 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6255 SSL_ERROR_NONE)))
6256 goto end;
6257
6258 if (tst == 5) {
6259 /*
6260 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6261 * go over that.
6262 */
6263 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6264 sizeof(ckeymat1), label,
6265 LONG_LABEL_LEN + 1, context,
6266 sizeof(context) - 1, 1), 0))
6267 goto end;
6268
6269 testresult = 1;
6270 goto end;
6271 } else if (tst == 4) {
6272 labellen = LONG_LABEL_LEN;
6273 } else {
6274 labellen = SMALL_LABEL_LEN;
6275 }
6276
6277 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6278 sizeof(ckeymat1), label,
6279 labellen, context,
6280 sizeof(context) - 1, 1), 1)
6281 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6282 sizeof(ckeymat2), label,
6283 labellen,
6284 emptycontext,
6285 0, 1), 1)
6286 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6287 sizeof(ckeymat3), label,
6288 labellen,
6289 NULL, 0, 0), 1)
6290 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6291 sizeof(skeymat1), label,
6292 labellen,
6293 context,
6294 sizeof(context) -1, 1),
6295 1)
6296 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6297 sizeof(skeymat2), label,
6298 labellen,
6299 emptycontext,
6300 0, 1), 1)
6301 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6302 sizeof(skeymat3), label,
6303 labellen,
6304 NULL, 0, 0), 1)
6305 /*
6306 * Check that both sides created the same key material with the
6307 * same context.
6308 */
6309 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6310 sizeof(skeymat1))
6311 /*
6312 * Check that both sides created the same key material with an
6313 * empty context.
6314 */
6315 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6316 sizeof(skeymat2))
6317 /*
6318 * Check that both sides created the same key material without a
6319 * context.
6320 */
6321 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6322 sizeof(skeymat3))
6323 /* Different contexts should produce different results */
6324 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6325 sizeof(ckeymat2)))
6326 goto end;
6327
6328 /*
6329 * Check that an empty context and no context produce different results in
6330 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6331 */
6332 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6333 sizeof(ckeymat3)))
6334 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6335 sizeof(ckeymat3))))
6336 goto end;
6337
6338 testresult = 1;
6339
6340 end:
6341 SSL_free(serverssl);
6342 SSL_free(clientssl);
6343 SSL_CTX_free(sctx2);
6344 SSL_CTX_free(sctx);
6345 SSL_CTX_free(cctx);
6346
6347 return testresult;
6348 }
6349
6350 #ifndef OSSL_NO_USABLE_TLS1_3
6351 /*
6352 * Test that SSL_export_keying_material_early() produces expected
6353 * results. There are no test vectors so all we do is test that both
6354 * sides of the communication produce the same results for different
6355 * protocol versions.
6356 */
test_export_key_mat_early(int idx)6357 static int test_export_key_mat_early(int idx)
6358 {
6359 static const char label[] = "test label";
6360 static const unsigned char context[] = "context";
6361 int testresult = 0;
6362 SSL_CTX *cctx = NULL, *sctx = NULL;
6363 SSL *clientssl = NULL, *serverssl = NULL;
6364 SSL_SESSION *sess = NULL;
6365 const unsigned char *emptycontext = NULL;
6366 unsigned char ckeymat1[80], ckeymat2[80];
6367 unsigned char skeymat1[80], skeymat2[80];
6368 unsigned char buf[1];
6369 size_t readbytes, written;
6370
6371 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6372 &sess, idx, SHA384_DIGEST_LENGTH)))
6373 goto end;
6374
6375 /* Here writing 0 length early data is enough. */
6376 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6377 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6378 &readbytes),
6379 SSL_READ_EARLY_DATA_ERROR)
6380 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6381 SSL_EARLY_DATA_ACCEPTED))
6382 goto end;
6383
6384 if (!TEST_int_eq(SSL_export_keying_material_early(
6385 clientssl, ckeymat1, sizeof(ckeymat1), label,
6386 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6387 || !TEST_int_eq(SSL_export_keying_material_early(
6388 clientssl, ckeymat2, sizeof(ckeymat2), label,
6389 sizeof(label) - 1, emptycontext, 0), 1)
6390 || !TEST_int_eq(SSL_export_keying_material_early(
6391 serverssl, skeymat1, sizeof(skeymat1), label,
6392 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6393 || !TEST_int_eq(SSL_export_keying_material_early(
6394 serverssl, skeymat2, sizeof(skeymat2), label,
6395 sizeof(label) - 1, emptycontext, 0), 1)
6396 /*
6397 * Check that both sides created the same key material with the
6398 * same context.
6399 */
6400 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6401 sizeof(skeymat1))
6402 /*
6403 * Check that both sides created the same key material with an
6404 * empty context.
6405 */
6406 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6407 sizeof(skeymat2))
6408 /* Different contexts should produce different results */
6409 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6410 sizeof(ckeymat2)))
6411 goto end;
6412
6413 testresult = 1;
6414
6415 end:
6416 SSL_SESSION_free(sess);
6417 SSL_SESSION_free(clientpsk);
6418 SSL_SESSION_free(serverpsk);
6419 clientpsk = serverpsk = NULL;
6420 SSL_free(serverssl);
6421 SSL_free(clientssl);
6422 SSL_CTX_free(sctx);
6423 SSL_CTX_free(cctx);
6424
6425 return testresult;
6426 }
6427
6428 #define NUM_KEY_UPDATE_MESSAGES 40
6429 /*
6430 * Test KeyUpdate.
6431 */
test_key_update(void)6432 static int test_key_update(void)
6433 {
6434 SSL_CTX *cctx = NULL, *sctx = NULL;
6435 SSL *clientssl = NULL, *serverssl = NULL;
6436 int testresult = 0, i, j;
6437 char buf[20];
6438 static char *mess = "A test message";
6439
6440 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6441 TLS_client_method(),
6442 TLS1_3_VERSION,
6443 0,
6444 &sctx, &cctx, cert, privkey))
6445 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6446 NULL, NULL))
6447 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6448 SSL_ERROR_NONE)))
6449 goto end;
6450
6451 for (j = 0; j < 2; j++) {
6452 /* Send lots of KeyUpdate messages */
6453 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6454 if (!TEST_true(SSL_key_update(clientssl,
6455 (j == 0)
6456 ? SSL_KEY_UPDATE_NOT_REQUESTED
6457 : SSL_KEY_UPDATE_REQUESTED))
6458 || !TEST_true(SSL_do_handshake(clientssl)))
6459 goto end;
6460 }
6461
6462 /* Check that sending and receiving app data is ok */
6463 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6464 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6465 strlen(mess)))
6466 goto end;
6467
6468 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6469 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6470 strlen(mess)))
6471 goto end;
6472 }
6473
6474 testresult = 1;
6475
6476 end:
6477 SSL_free(serverssl);
6478 SSL_free(clientssl);
6479 SSL_CTX_free(sctx);
6480 SSL_CTX_free(cctx);
6481
6482 return testresult;
6483 }
6484
6485 /*
6486 * Test we can handle a KeyUpdate (update requested) message while
6487 * write data is pending in peer.
6488 * Test 0: Client sends KeyUpdate while Server is writing
6489 * Test 1: Server sends KeyUpdate while Client is writing
6490 */
test_key_update_peer_in_write(int tst)6491 static int test_key_update_peer_in_write(int tst)
6492 {
6493 SSL_CTX *cctx = NULL, *sctx = NULL;
6494 SSL *clientssl = NULL, *serverssl = NULL;
6495 int testresult = 0;
6496 char buf[20];
6497 static char *mess = "A test message";
6498 BIO *bretry = BIO_new(bio_s_always_retry());
6499 BIO *tmp = NULL;
6500 SSL *peerupdate = NULL, *peerwrite = NULL;
6501
6502 if (!TEST_ptr(bretry)
6503 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6504 TLS_client_method(),
6505 TLS1_3_VERSION,
6506 0,
6507 &sctx, &cctx, cert, privkey))
6508 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6509 NULL, NULL))
6510 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6511 SSL_ERROR_NONE)))
6512 goto end;
6513
6514 peerupdate = tst == 0 ? clientssl : serverssl;
6515 peerwrite = tst == 0 ? serverssl : clientssl;
6516
6517 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6518 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6519 goto end;
6520
6521 /* Swap the writing endpoint's write BIO to force a retry */
6522 tmp = SSL_get_wbio(peerwrite);
6523 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6524 tmp = NULL;
6525 goto end;
6526 }
6527 SSL_set0_wbio(peerwrite, bretry);
6528 bretry = NULL;
6529
6530 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6531 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6532 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6533 goto end;
6534
6535 /* Reinstate the original writing endpoint's write BIO */
6536 SSL_set0_wbio(peerwrite, tmp);
6537 tmp = NULL;
6538
6539 /* Now read some data - we will read the key update */
6540 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6541 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6542 goto end;
6543
6544 /*
6545 * Complete the write we started previously and read it from the other
6546 * endpoint
6547 */
6548 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6549 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6550 goto end;
6551
6552 /* Write more data to ensure we send the KeyUpdate message back */
6553 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6554 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6555 goto end;
6556
6557 testresult = 1;
6558
6559 end:
6560 SSL_free(serverssl);
6561 SSL_free(clientssl);
6562 SSL_CTX_free(sctx);
6563 SSL_CTX_free(cctx);
6564 BIO_free(bretry);
6565 BIO_free(tmp);
6566
6567 return testresult;
6568 }
6569
6570 /*
6571 * Test we can handle a KeyUpdate (update requested) message while
6572 * peer read data is pending after peer accepted keyupdate(the msg header
6573 * had been read 5 bytes).
6574 * Test 0: Client sends KeyUpdate while Server is reading
6575 * Test 1: Server sends KeyUpdate while Client is reading
6576 */
test_key_update_peer_in_read(int tst)6577 static int test_key_update_peer_in_read(int tst)
6578 {
6579 SSL_CTX *cctx = NULL, *sctx = NULL;
6580 SSL *clientssl = NULL, *serverssl = NULL;
6581 int testresult = 0;
6582 char prbuf[515], lwbuf[515] = {0};
6583 static char *mess = "A test message";
6584 BIO *lbio = NULL, *pbio = NULL;
6585 SSL *local = NULL, *peer = NULL;
6586
6587 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6588 TLS_client_method(),
6589 TLS1_3_VERSION,
6590 0,
6591 &sctx, &cctx, cert, privkey))
6592 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6593 NULL, NULL))
6594 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6595 SSL_ERROR_NONE)))
6596 goto end;
6597
6598 local = tst == 0 ? clientssl : serverssl;
6599 peer = tst == 0 ? serverssl : clientssl;
6600
6601 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6602 goto end;
6603
6604 SSL_set_bio(local, lbio, lbio);
6605 SSL_set_bio(peer, pbio, pbio);
6606
6607 /*
6608 * we first write keyupdate msg then appdata in local
6609 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6610 * lwbuf app data msg size + key updata msg size > 512(the size of
6611 * the bio pair buffer)
6612 */
6613 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6614 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6615 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6616 goto end;
6617
6618 /*
6619 * first read keyupdate msg in peer in peer
6620 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6621 */
6622 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6623 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6624 goto end;
6625
6626 /* Now write some data in peer - we will write the key update */
6627 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6628 goto end;
6629
6630 /*
6631 * write data in local previously that we will complete
6632 * read data in peer previously that we will complete
6633 */
6634 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6635 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6636 goto end;
6637
6638 /* check that sending and receiving appdata ok */
6639 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6640 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6641 goto end;
6642
6643 testresult = 1;
6644
6645 end:
6646 SSL_free(serverssl);
6647 SSL_free(clientssl);
6648 SSL_CTX_free(sctx);
6649 SSL_CTX_free(cctx);
6650
6651 return testresult;
6652 }
6653
6654 /*
6655 * Test we can't send a KeyUpdate (update requested) message while
6656 * local write data is pending.
6657 * Test 0: Client sends KeyUpdate while Client is writing
6658 * Test 1: Server sends KeyUpdate while Server is writing
6659 */
test_key_update_local_in_write(int tst)6660 static int test_key_update_local_in_write(int tst)
6661 {
6662 SSL_CTX *cctx = NULL, *sctx = NULL;
6663 SSL *clientssl = NULL, *serverssl = NULL;
6664 int testresult = 0;
6665 char buf[20];
6666 static char *mess = "A test message";
6667 BIO *bretry = BIO_new(bio_s_always_retry());
6668 BIO *tmp = NULL;
6669 SSL *local = NULL, *peer = NULL;
6670
6671 if (!TEST_ptr(bretry)
6672 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6673 TLS_client_method(),
6674 TLS1_3_VERSION,
6675 0,
6676 &sctx, &cctx, cert, privkey))
6677 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6678 NULL, NULL))
6679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6680 SSL_ERROR_NONE)))
6681 goto end;
6682
6683 local = tst == 0 ? clientssl : serverssl;
6684 peer = tst == 0 ? serverssl : clientssl;
6685
6686 /* Swap the writing endpoint's write BIO to force a retry */
6687 tmp = SSL_get_wbio(local);
6688 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6689 tmp = NULL;
6690 goto end;
6691 }
6692 SSL_set0_wbio(local, bretry);
6693 bretry = NULL;
6694
6695 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6696 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6697 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6698 goto end;
6699
6700 /* Reinstate the original writing endpoint's write BIO */
6701 SSL_set0_wbio(local, tmp);
6702 tmp = NULL;
6703
6704 /* SSL_key_update will fail, because writing in local*/
6705 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6706 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6707 goto end;
6708
6709 ERR_clear_error();
6710 /* write data in local previously that we will complete */
6711 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6712 goto end;
6713
6714 /* SSL_key_update will succeed because there is no pending write data */
6715 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6716 || !TEST_int_eq(SSL_do_handshake(local), 1))
6717 goto end;
6718
6719 /*
6720 * we write some appdata in local
6721 * read data in peer - we will read the keyupdate msg
6722 */
6723 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6724 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6725 goto end;
6726
6727 /* Write more peer more data to ensure we send the keyupdate message back */
6728 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6729 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6730 goto end;
6731
6732 testresult = 1;
6733
6734 end:
6735 SSL_free(serverssl);
6736 SSL_free(clientssl);
6737 SSL_CTX_free(sctx);
6738 SSL_CTX_free(cctx);
6739 BIO_free(bretry);
6740 BIO_free(tmp);
6741
6742 return testresult;
6743 }
6744
6745 /*
6746 * Test we can handle a KeyUpdate (update requested) message while
6747 * local read data is pending(the msg header had been read 5 bytes).
6748 * Test 0: Client sends KeyUpdate while Client is reading
6749 * Test 1: Server sends KeyUpdate while Server is reading
6750 */
test_key_update_local_in_read(int tst)6751 static int test_key_update_local_in_read(int tst)
6752 {
6753 SSL_CTX *cctx = NULL, *sctx = NULL;
6754 SSL *clientssl = NULL, *serverssl = NULL;
6755 int testresult = 0;
6756 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6757 static char *mess = "A test message";
6758 BIO *lbio = NULL, *pbio = NULL;
6759 SSL *local = NULL, *peer = NULL;
6760
6761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6762 TLS_client_method(),
6763 TLS1_3_VERSION,
6764 0,
6765 &sctx, &cctx, cert, privkey))
6766 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6767 NULL, NULL))
6768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6769 SSL_ERROR_NONE)))
6770 goto end;
6771
6772 local = tst == 0 ? clientssl : serverssl;
6773 peer = tst == 0 ? serverssl : clientssl;
6774
6775 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6776 goto end;
6777
6778 SSL_set_bio(local, lbio, lbio);
6779 SSL_set_bio(peer, pbio, pbio);
6780
6781 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6782 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6783 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6784 goto end;
6785
6786 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6787 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6788 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6789 goto end;
6790
6791 /* SSL_do_handshake will send keyupdate msg */
6792 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6793 || !TEST_int_eq(SSL_do_handshake(local), 1))
6794 goto end;
6795
6796 /*
6797 * write data in peer previously that we will complete
6798 * read data in local previously that we will complete
6799 */
6800 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6801 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6802 goto end;
6803
6804 /*
6805 * write data in local
6806 * read data in peer - we will read the key update
6807 */
6808 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6809 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6810 goto end;
6811
6812 /* Write more peer data to ensure we send the keyupdate message back */
6813 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6814 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6815 goto end;
6816
6817 testresult = 1;
6818
6819 end:
6820 SSL_free(serverssl);
6821 SSL_free(clientssl);
6822 SSL_CTX_free(sctx);
6823 SSL_CTX_free(cctx);
6824
6825 return testresult;
6826 }
6827 #endif /* OSSL_NO_USABLE_TLS1_3 */
6828
test_ssl_clear(int idx)6829 static int test_ssl_clear(int idx)
6830 {
6831 SSL_CTX *cctx = NULL, *sctx = NULL;
6832 SSL *clientssl = NULL, *serverssl = NULL;
6833 int testresult = 0;
6834
6835 #ifdef OPENSSL_NO_TLS1_2
6836 if (idx == 1)
6837 return 1;
6838 #endif
6839
6840 /* Create an initial connection */
6841 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6842 TLS_client_method(), TLS1_VERSION, 0,
6843 &sctx, &cctx, cert, privkey))
6844 || (idx == 1
6845 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6846 TLS1_2_VERSION)))
6847 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6848 &clientssl, NULL, NULL))
6849 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6850 SSL_ERROR_NONE)))
6851 goto end;
6852
6853 SSL_shutdown(clientssl);
6854 SSL_shutdown(serverssl);
6855 SSL_free(serverssl);
6856 serverssl = NULL;
6857
6858 /* Clear clientssl - we're going to reuse the object */
6859 if (!TEST_true(SSL_clear(clientssl)))
6860 goto end;
6861
6862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6863 NULL, NULL))
6864 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6865 SSL_ERROR_NONE))
6866 || !TEST_true(SSL_session_reused(clientssl)))
6867 goto end;
6868
6869 SSL_shutdown(clientssl);
6870 SSL_shutdown(serverssl);
6871
6872 testresult = 1;
6873
6874 end:
6875 SSL_free(serverssl);
6876 SSL_free(clientssl);
6877 SSL_CTX_free(sctx);
6878 SSL_CTX_free(cctx);
6879
6880 return testresult;
6881 }
6882
6883 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)6884 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6885 {
6886 long len;
6887 unsigned char *data;
6888 PACKET pkt, pkt2, pkt3;
6889 unsigned int MFL_code = 0, type = 0;
6890
6891 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6892 goto end;
6893
6894 memset(&pkt, 0, sizeof(pkt));
6895 memset(&pkt2, 0, sizeof(pkt2));
6896 memset(&pkt3, 0, sizeof(pkt3));
6897
6898 if (!TEST_long_gt(len, 0)
6899 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6900 /* Skip the record header */
6901 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6902 /* Skip the handshake message header */
6903 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6904 /* Skip client version and random */
6905 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6906 + SSL3_RANDOM_SIZE))
6907 /* Skip session id */
6908 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6909 /* Skip ciphers */
6910 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6911 /* Skip compression */
6912 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6913 /* Extensions len */
6914 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6915 goto end;
6916
6917 /* Loop through all extensions */
6918 while (PACKET_remaining(&pkt2)) {
6919 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6920 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6921 goto end;
6922
6923 if (type == TLSEXT_TYPE_max_fragment_length) {
6924 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6925 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6926 goto end;
6927
6928 *mfl_codemfl_code = MFL_code;
6929 return 1;
6930 }
6931 }
6932
6933 end:
6934 return 0;
6935 }
6936
6937 /* Maximum-Fragment-Length TLS extension mode to test */
6938 static const unsigned char max_fragment_len_test[] = {
6939 TLSEXT_max_fragment_length_512,
6940 TLSEXT_max_fragment_length_1024,
6941 TLSEXT_max_fragment_length_2048,
6942 TLSEXT_max_fragment_length_4096
6943 };
6944
test_max_fragment_len_ext(int idx_tst)6945 static int test_max_fragment_len_ext(int idx_tst)
6946 {
6947 SSL_CTX *ctx = NULL;
6948 SSL *con = NULL;
6949 int testresult = 0, MFL_mode = 0;
6950 BIO *rbio, *wbio;
6951
6952 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6953 TLS1_VERSION, 0, NULL, &ctx, NULL,
6954 NULL)))
6955 return 0;
6956
6957 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6958 ctx, max_fragment_len_test[idx_tst])))
6959 goto end;
6960
6961 con = SSL_new(ctx);
6962 if (!TEST_ptr(con))
6963 goto end;
6964
6965 rbio = BIO_new(BIO_s_mem());
6966 wbio = BIO_new(BIO_s_mem());
6967 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6968 BIO_free(rbio);
6969 BIO_free(wbio);
6970 goto end;
6971 }
6972
6973 SSL_set_bio(con, rbio, wbio);
6974
6975 if (!TEST_int_le(SSL_connect(con), 0)) {
6976 /* This shouldn't succeed because we don't have a server! */
6977 goto end;
6978 }
6979
6980 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6981 /* no MFL in client hello */
6982 goto end;
6983 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6984 goto end;
6985
6986 testresult = 1;
6987
6988 end:
6989 SSL_free(con);
6990 SSL_CTX_free(ctx);
6991
6992 return testresult;
6993 }
6994
6995 #ifndef OSSL_NO_USABLE_TLS1_3
test_pha_key_update(void)6996 static int test_pha_key_update(void)
6997 {
6998 SSL_CTX *cctx = NULL, *sctx = NULL;
6999 SSL *clientssl = NULL, *serverssl = NULL;
7000 int testresult = 0;
7001
7002 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7003 TLS_client_method(), TLS1_VERSION, 0,
7004 &sctx, &cctx, cert, privkey)))
7005 return 0;
7006
7007 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7008 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7009 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7010 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7011 goto end;
7012
7013 SSL_CTX_set_post_handshake_auth(cctx, 1);
7014
7015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7016 NULL, NULL)))
7017 goto end;
7018
7019 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7020 SSL_ERROR_NONE)))
7021 goto end;
7022
7023 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7024 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7025 goto end;
7026
7027 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7028 goto end;
7029
7030 /* Start handshake on the server */
7031 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7032 goto end;
7033
7034 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7035 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7036 SSL_ERROR_NONE)))
7037 goto end;
7038
7039 SSL_shutdown(clientssl);
7040 SSL_shutdown(serverssl);
7041
7042 testresult = 1;
7043
7044 end:
7045 SSL_free(serverssl);
7046 SSL_free(clientssl);
7047 SSL_CTX_free(sctx);
7048 SSL_CTX_free(cctx);
7049 return testresult;
7050 }
7051 #endif
7052
7053 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7054
7055 static SRP_VBASE *vbase = NULL;
7056
ssl_srp_cb(SSL * s,int * ad,void * arg)7057 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7058 {
7059 int ret = SSL3_AL_FATAL;
7060 char *username;
7061 SRP_user_pwd *user = NULL;
7062
7063 username = SSL_get_srp_username(s);
7064 if (username == NULL) {
7065 *ad = SSL_AD_INTERNAL_ERROR;
7066 goto err;
7067 }
7068
7069 user = SRP_VBASE_get1_by_user(vbase, username);
7070 if (user == NULL) {
7071 *ad = SSL_AD_INTERNAL_ERROR;
7072 goto err;
7073 }
7074
7075 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7076 user->info) <= 0) {
7077 *ad = SSL_AD_INTERNAL_ERROR;
7078 goto err;
7079 }
7080
7081 ret = 0;
7082
7083 err:
7084 SRP_user_pwd_free(user);
7085 return ret;
7086 }
7087
create_new_vfile(char * userid,char * password,const char * filename)7088 static int create_new_vfile(char *userid, char *password, const char *filename)
7089 {
7090 char *gNid = NULL;
7091 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7092 TXT_DB *db = NULL;
7093 int ret = 0;
7094 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7095 size_t i;
7096
7097 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7098 goto end;
7099
7100 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7101 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7102 if (!TEST_ptr(gNid))
7103 goto end;
7104
7105 /*
7106 * The only way to create an empty TXT_DB is to provide a BIO with no data
7107 * in it!
7108 */
7109 db = TXT_DB_read(dummy, DB_NUMBER);
7110 if (!TEST_ptr(db))
7111 goto end;
7112
7113 out = BIO_new_file(filename, "w");
7114 if (!TEST_ptr(out))
7115 goto end;
7116
7117 row[DB_srpid] = OPENSSL_strdup(userid);
7118 row[DB_srptype] = OPENSSL_strdup("V");
7119 row[DB_srpgN] = OPENSSL_strdup(gNid);
7120
7121 if (!TEST_ptr(row[DB_srpid])
7122 || !TEST_ptr(row[DB_srptype])
7123 || !TEST_ptr(row[DB_srpgN])
7124 || !TEST_true(TXT_DB_insert(db, row)))
7125 goto end;
7126
7127 row = NULL;
7128
7129 if (TXT_DB_write(out, db) <= 0)
7130 goto end;
7131
7132 ret = 1;
7133 end:
7134 if (row != NULL) {
7135 for (i = 0; i < DB_NUMBER; i++)
7136 OPENSSL_free(row[i]);
7137 }
7138 OPENSSL_free(row);
7139 BIO_free(dummy);
7140 BIO_free(out);
7141 TXT_DB_free(db);
7142
7143 return ret;
7144 }
7145
create_new_vbase(char * userid,char * password)7146 static int create_new_vbase(char *userid, char *password)
7147 {
7148 BIGNUM *verifier = NULL, *salt = NULL;
7149 const SRP_gN *lgN = NULL;
7150 SRP_user_pwd *user_pwd = NULL;
7151 int ret = 0;
7152
7153 lgN = SRP_get_default_gN(NULL);
7154 if (!TEST_ptr(lgN))
7155 goto end;
7156
7157 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7158 lgN->N, lgN->g, libctx, NULL)))
7159 goto end;
7160
7161 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7162 if (!TEST_ptr(user_pwd))
7163 goto end;
7164
7165 user_pwd->N = lgN->N;
7166 user_pwd->g = lgN->g;
7167 user_pwd->id = OPENSSL_strdup(userid);
7168 if (!TEST_ptr(user_pwd->id))
7169 goto end;
7170
7171 user_pwd->v = verifier;
7172 user_pwd->s = salt;
7173 verifier = salt = NULL;
7174
7175 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7176 goto end;
7177 user_pwd = NULL;
7178
7179 ret = 1;
7180 end:
7181 SRP_user_pwd_free(user_pwd);
7182 BN_free(salt);
7183 BN_free(verifier);
7184
7185 return ret;
7186 }
7187
7188 /*
7189 * SRP tests
7190 *
7191 * Test 0: Simple successful SRP connection, new vbase
7192 * Test 1: Connection failure due to bad password, new vbase
7193 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7194 * Test 3: Connection failure due to bad password, vbase loaded from existing
7195 * file
7196 * Test 4: Simple successful SRP connection, vbase loaded from new file
7197 * Test 5: Connection failure due to bad password, vbase loaded from new file
7198 */
test_srp(int tst)7199 static int test_srp(int tst)
7200 {
7201 char *userid = "test", *password = "password", *tstsrpfile;
7202 SSL_CTX *cctx = NULL, *sctx = NULL;
7203 SSL *clientssl = NULL, *serverssl = NULL;
7204 int ret, testresult = 0;
7205
7206 vbase = SRP_VBASE_new(NULL);
7207 if (!TEST_ptr(vbase))
7208 goto end;
7209
7210 if (tst == 0 || tst == 1) {
7211 if (!TEST_true(create_new_vbase(userid, password)))
7212 goto end;
7213 } else {
7214 if (tst == 4 || tst == 5) {
7215 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7216 goto end;
7217 tstsrpfile = tmpfilename;
7218 } else {
7219 tstsrpfile = srpvfile;
7220 }
7221 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7222 goto end;
7223 }
7224
7225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7226 TLS_client_method(), TLS1_VERSION, 0,
7227 &sctx, &cctx, cert, privkey)))
7228 goto end;
7229
7230 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7231 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7232 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7233 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7234 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7235 goto end;
7236
7237 if (tst % 2 == 1) {
7238 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7239 goto end;
7240 } else {
7241 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7242 goto end;
7243 }
7244
7245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7246 NULL, NULL)))
7247 goto end;
7248
7249 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7250 if (ret) {
7251 if (!TEST_true(tst % 2 == 0))
7252 goto end;
7253 } else {
7254 if (!TEST_true(tst % 2 == 1))
7255 goto end;
7256 }
7257
7258 testresult = 1;
7259
7260 end:
7261 SRP_VBASE_free(vbase);
7262 vbase = NULL;
7263 SSL_free(serverssl);
7264 SSL_free(clientssl);
7265 SSL_CTX_free(sctx);
7266 SSL_CTX_free(cctx);
7267
7268 return testresult;
7269 }
7270 #endif
7271
7272 static int info_cb_failed = 0;
7273 static int info_cb_offset = 0;
7274 static int info_cb_this_state = -1;
7275
7276 static struct info_cb_states_st {
7277 int where;
7278 const char *statestr;
7279 } info_cb_states[][60] = {
7280 {
7281 /* TLSv1.2 server followed by resumption */
7282 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7283 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7284 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7285 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7286 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7287 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7288 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7289 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7290 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7291 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7292 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7293 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7294 {SSL_CB_EXIT, NULL}, {0, NULL},
7295 }, {
7296 /* TLSv1.2 client followed by resumption */
7297 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7298 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7299 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7300 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7301 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7302 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7303 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7304 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7305 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7306 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7307 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7308 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7309 }, {
7310 /* TLSv1.3 server followed by resumption */
7311 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7312 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7313 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7314 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7315 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7316 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7317 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7318 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7319 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7320 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7321 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7322 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7323 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7324 }, {
7325 /* TLSv1.3 client followed by resumption */
7326 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7327 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7328 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7329 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7330 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7331 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7332 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7333 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7334 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7335 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7336 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7337 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7338 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7339 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7340 {SSL_CB_EXIT, NULL}, {0, NULL},
7341 }, {
7342 /* TLSv1.3 server, early_data */
7343 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7344 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7345 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7346 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7347 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7348 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7349 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7350 {SSL_CB_EXIT, NULL}, {0, NULL},
7351 }, {
7352 /* TLSv1.3 client, early_data */
7353 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7354 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7355 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7356 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7357 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7358 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7359 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7360 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7361 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7362 }, {
7363 {0, NULL},
7364 }
7365 };
7366
sslapi_info_callback(const SSL * s,int where,int ret)7367 static void sslapi_info_callback(const SSL *s, int where, int ret)
7368 {
7369 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7370
7371 /* We do not ever expect a connection to fail in this test */
7372 if (!TEST_false(ret == 0)) {
7373 info_cb_failed = 1;
7374 return;
7375 }
7376
7377 /*
7378 * Do some sanity checks. We never expect these things to happen in this
7379 * test
7380 */
7381 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7382 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7383 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7384 info_cb_failed = 1;
7385 return;
7386 }
7387
7388 /* Now check we're in the right state */
7389 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7390 info_cb_failed = 1;
7391 return;
7392 }
7393 if ((where & SSL_CB_LOOP) != 0
7394 && !TEST_int_eq(strcmp(SSL_state_string(s),
7395 state[info_cb_this_state].statestr), 0)) {
7396 info_cb_failed = 1;
7397 return;
7398 }
7399
7400 /*
7401 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7402 */
7403 if ((where & SSL_CB_HANDSHAKE_DONE)
7404 && SSL_in_init((SSL *)s) != 0) {
7405 info_cb_failed = 1;
7406 return;
7407 }
7408 }
7409
7410 /*
7411 * Test the info callback gets called when we expect it to.
7412 *
7413 * Test 0: TLSv1.2, server
7414 * Test 1: TLSv1.2, client
7415 * Test 2: TLSv1.3, server
7416 * Test 3: TLSv1.3, client
7417 * Test 4: TLSv1.3, server, early_data
7418 * Test 5: TLSv1.3, client, early_data
7419 */
test_info_callback(int tst)7420 static int test_info_callback(int tst)
7421 {
7422 SSL_CTX *cctx = NULL, *sctx = NULL;
7423 SSL *clientssl = NULL, *serverssl = NULL;
7424 SSL_SESSION *clntsess = NULL;
7425 int testresult = 0;
7426 int tlsvers;
7427
7428 if (tst < 2) {
7429 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7430 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7431 || !defined(OPENSSL_NO_DH))
7432 tlsvers = TLS1_2_VERSION;
7433 #else
7434 return 1;
7435 #endif
7436 } else {
7437 #ifndef OSSL_NO_USABLE_TLS1_3
7438 tlsvers = TLS1_3_VERSION;
7439 #else
7440 return 1;
7441 #endif
7442 }
7443
7444 /* Reset globals */
7445 info_cb_failed = 0;
7446 info_cb_this_state = -1;
7447 info_cb_offset = tst;
7448
7449 #ifndef OSSL_NO_USABLE_TLS1_3
7450 if (tst >= 4) {
7451 SSL_SESSION *sess = NULL;
7452 size_t written, readbytes;
7453 unsigned char buf[80];
7454
7455 /* early_data tests */
7456 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7457 &serverssl, &sess, 0,
7458 SHA384_DIGEST_LENGTH)))
7459 goto end;
7460
7461 /* We don't actually need this reference */
7462 SSL_SESSION_free(sess);
7463
7464 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7465 sslapi_info_callback);
7466
7467 /* Write and read some early data and then complete the connection */
7468 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7469 &written))
7470 || !TEST_size_t_eq(written, strlen(MSG1))
7471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7472 sizeof(buf), &readbytes),
7473 SSL_READ_EARLY_DATA_SUCCESS)
7474 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7475 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7476 SSL_EARLY_DATA_ACCEPTED)
7477 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7478 SSL_ERROR_NONE))
7479 || !TEST_false(info_cb_failed))
7480 goto end;
7481
7482 testresult = 1;
7483 goto end;
7484 }
7485 #endif
7486
7487 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7488 TLS_client_method(),
7489 tlsvers, tlsvers, &sctx, &cctx, cert,
7490 privkey)))
7491 goto end;
7492
7493 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7494 goto end;
7495
7496 /*
7497 * For even numbered tests we check the server callbacks. For odd numbers we
7498 * check the client.
7499 */
7500 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7501 sslapi_info_callback);
7502
7503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7504 &clientssl, NULL, NULL))
7505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7506 SSL_ERROR_NONE))
7507 || !TEST_false(info_cb_failed))
7508 goto end;
7509
7510
7511
7512 clntsess = SSL_get1_session(clientssl);
7513 SSL_shutdown(clientssl);
7514 SSL_shutdown(serverssl);
7515 SSL_free(serverssl);
7516 SSL_free(clientssl);
7517 serverssl = clientssl = NULL;
7518
7519 /* Now do a resumption */
7520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7521 NULL))
7522 || !TEST_true(SSL_set_session(clientssl, clntsess))
7523 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7524 SSL_ERROR_NONE))
7525 || !TEST_true(SSL_session_reused(clientssl))
7526 || !TEST_false(info_cb_failed))
7527 goto end;
7528
7529 testresult = 1;
7530
7531 end:
7532 SSL_free(serverssl);
7533 SSL_free(clientssl);
7534 SSL_SESSION_free(clntsess);
7535 SSL_CTX_free(sctx);
7536 SSL_CTX_free(cctx);
7537 return testresult;
7538 }
7539
test_ssl_pending(int tst)7540 static int test_ssl_pending(int tst)
7541 {
7542 SSL_CTX *cctx = NULL, *sctx = NULL;
7543 SSL *clientssl = NULL, *serverssl = NULL;
7544 int testresult = 0;
7545 char msg[] = "A test message";
7546 char buf[5];
7547 size_t written, readbytes;
7548
7549 if (tst == 0) {
7550 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7551 TLS_client_method(),
7552 TLS1_VERSION, 0,
7553 &sctx, &cctx, cert, privkey)))
7554 goto end;
7555 } else {
7556 #ifndef OPENSSL_NO_DTLS
7557 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7558 DTLS_client_method(),
7559 DTLS1_VERSION, 0,
7560 &sctx, &cctx, cert, privkey)))
7561 goto end;
7562
7563 # ifdef OPENSSL_NO_DTLS1_2
7564 /* Not supported in the FIPS provider */
7565 if (is_fips) {
7566 testresult = 1;
7567 goto end;
7568 };
7569 /*
7570 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7571 * level 0
7572 */
7573 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7574 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7575 "DEFAULT:@SECLEVEL=0")))
7576 goto end;
7577 # endif
7578 #else
7579 return 1;
7580 #endif
7581 }
7582
7583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7584 NULL, NULL))
7585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7586 SSL_ERROR_NONE)))
7587 goto end;
7588
7589 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7590 || !TEST_false(SSL_has_pending(clientssl))
7591 || !TEST_int_eq(SSL_pending(serverssl), 0)
7592 || !TEST_false(SSL_has_pending(serverssl))
7593 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7594 || !TEST_size_t_eq(written, sizeof(msg))
7595 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7596 || !TEST_size_t_eq(readbytes, sizeof(buf))
7597 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7598 || !TEST_true(SSL_has_pending(clientssl)))
7599 goto end;
7600
7601 testresult = 1;
7602
7603 end:
7604 SSL_free(serverssl);
7605 SSL_free(clientssl);
7606 SSL_CTX_free(sctx);
7607 SSL_CTX_free(cctx);
7608
7609 return testresult;
7610 }
7611
7612 static struct {
7613 unsigned int maxprot;
7614 const char *clntciphers;
7615 const char *clnttls13ciphers;
7616 const char *srvrciphers;
7617 const char *srvrtls13ciphers;
7618 const char *shared;
7619 const char *fipsshared;
7620 } shared_ciphers_data[] = {
7621 /*
7622 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7623 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7624 */
7625 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7626 {
7627 TLS1_2_VERSION,
7628 "AES128-SHA:AES256-SHA",
7629 NULL,
7630 "AES256-SHA:DHE-RSA-AES128-SHA",
7631 NULL,
7632 "AES256-SHA",
7633 "AES256-SHA"
7634 },
7635 # if !defined(OPENSSL_NO_CHACHA) \
7636 && !defined(OPENSSL_NO_POLY1305) \
7637 && !defined(OPENSSL_NO_EC)
7638 {
7639 TLS1_2_VERSION,
7640 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7641 NULL,
7642 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7643 NULL,
7644 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7645 "AES128-SHA"
7646 },
7647 # endif
7648 {
7649 TLS1_2_VERSION,
7650 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7651 NULL,
7652 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7653 NULL,
7654 "AES128-SHA:AES256-SHA",
7655 "AES128-SHA:AES256-SHA"
7656 },
7657 {
7658 TLS1_2_VERSION,
7659 "AES128-SHA:AES256-SHA",
7660 NULL,
7661 "AES128-SHA:DHE-RSA-AES128-SHA",
7662 NULL,
7663 "AES128-SHA",
7664 "AES128-SHA"
7665 },
7666 #endif
7667 /*
7668 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7669 * enabled.
7670 */
7671 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7672 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7673 {
7674 TLS1_3_VERSION,
7675 "AES128-SHA:AES256-SHA",
7676 NULL,
7677 "AES256-SHA:AES128-SHA256",
7678 NULL,
7679 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7680 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7681 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7682 },
7683 #endif
7684 #ifndef OSSL_NO_USABLE_TLS1_3
7685 {
7686 TLS1_3_VERSION,
7687 "AES128-SHA",
7688 "TLS_AES_256_GCM_SHA384",
7689 "AES256-SHA",
7690 "TLS_AES_256_GCM_SHA384",
7691 "TLS_AES_256_GCM_SHA384",
7692 "TLS_AES_256_GCM_SHA384"
7693 },
7694 #endif
7695 };
7696
int_test_ssl_get_shared_ciphers(int tst,int clnt)7697 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7698 {
7699 SSL_CTX *cctx = NULL, *sctx = NULL;
7700 SSL *clientssl = NULL, *serverssl = NULL;
7701 int testresult = 0;
7702 char buf[1024];
7703 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7704
7705 if (!TEST_ptr(tmplibctx))
7706 goto end;
7707
7708 /*
7709 * Regardless of whether we're testing with the FIPS provider loaded into
7710 * libctx, we want one peer to always use the full set of ciphersuites
7711 * available. Therefore we use a separate libctx with the default provider
7712 * loaded into it. We run the same tests twice - once with the client side
7713 * having the full set of ciphersuites and once with the server side.
7714 */
7715 if (clnt) {
7716 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7717 if (!TEST_ptr(cctx))
7718 goto end;
7719 } else {
7720 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7721 if (!TEST_ptr(sctx))
7722 goto end;
7723 }
7724
7725 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7726 TLS_client_method(),
7727 TLS1_VERSION,
7728 shared_ciphers_data[tst].maxprot,
7729 &sctx, &cctx, cert, privkey)))
7730 goto end;
7731
7732 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7733 shared_ciphers_data[tst].clntciphers))
7734 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7735 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7736 shared_ciphers_data[tst].clnttls13ciphers)))
7737 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7738 shared_ciphers_data[tst].srvrciphers))
7739 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7740 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7741 shared_ciphers_data[tst].srvrtls13ciphers))))
7742 goto end;
7743
7744
7745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7746 NULL, NULL))
7747 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7748 SSL_ERROR_NONE)))
7749 goto end;
7750
7751 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7752 || !TEST_int_eq(strcmp(buf,
7753 is_fips
7754 ? shared_ciphers_data[tst].fipsshared
7755 : shared_ciphers_data[tst].shared),
7756 0)) {
7757 TEST_info("Shared ciphers are: %s\n", buf);
7758 goto end;
7759 }
7760
7761 testresult = 1;
7762
7763 end:
7764 SSL_free(serverssl);
7765 SSL_free(clientssl);
7766 SSL_CTX_free(sctx);
7767 SSL_CTX_free(cctx);
7768 OSSL_LIB_CTX_free(tmplibctx);
7769
7770 return testresult;
7771 }
7772
test_ssl_get_shared_ciphers(int tst)7773 static int test_ssl_get_shared_ciphers(int tst)
7774 {
7775 return int_test_ssl_get_shared_ciphers(tst, 0)
7776 && int_test_ssl_get_shared_ciphers(tst, 1);
7777 }
7778
7779
7780 static const char *appdata = "Hello World";
7781 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7782 static int tick_key_renew = 0;
7783 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7784
gen_tick_cb(SSL * s,void * arg)7785 static int gen_tick_cb(SSL *s, void *arg)
7786 {
7787 gen_tick_called = 1;
7788
7789 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7790 strlen(appdata));
7791 }
7792
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)7793 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7794 const unsigned char *keyname,
7795 size_t keyname_length,
7796 SSL_TICKET_STATUS status,
7797 void *arg)
7798 {
7799 void *tickdata;
7800 size_t tickdlen;
7801
7802 dec_tick_called = 1;
7803
7804 if (status == SSL_TICKET_EMPTY)
7805 return SSL_TICKET_RETURN_IGNORE_RENEW;
7806
7807 if (!TEST_true(status == SSL_TICKET_SUCCESS
7808 || status == SSL_TICKET_SUCCESS_RENEW))
7809 return SSL_TICKET_RETURN_ABORT;
7810
7811 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7812 &tickdlen))
7813 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7814 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7815 return SSL_TICKET_RETURN_ABORT;
7816
7817 if (tick_key_cb_called) {
7818 /* Don't change what the ticket key callback wanted to do */
7819 switch (status) {
7820 case SSL_TICKET_NO_DECRYPT:
7821 return SSL_TICKET_RETURN_IGNORE_RENEW;
7822
7823 case SSL_TICKET_SUCCESS:
7824 return SSL_TICKET_RETURN_USE;
7825
7826 case SSL_TICKET_SUCCESS_RENEW:
7827 return SSL_TICKET_RETURN_USE_RENEW;
7828
7829 default:
7830 return SSL_TICKET_RETURN_ABORT;
7831 }
7832 }
7833 return tick_dec_ret;
7834
7835 }
7836
7837 #ifndef OPENSSL_NO_DEPRECATED_3_0
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)7838 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7839 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7840 HMAC_CTX *hctx, int enc)
7841 {
7842 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7843 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7844 EVP_CIPHER *aes128cbc;
7845 EVP_MD *sha256;
7846 int ret;
7847
7848 tick_key_cb_called = 1;
7849
7850 if (tick_key_renew == -1)
7851 return 0;
7852
7853 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7854 if (!TEST_ptr(aes128cbc))
7855 return 0;
7856 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7857 if (!TEST_ptr(sha256)) {
7858 EVP_CIPHER_free(aes128cbc);
7859 return 0;
7860 }
7861
7862 memset(iv, 0, AES_BLOCK_SIZE);
7863 memset(key_name, 0, 16);
7864 if (aes128cbc == NULL
7865 || sha256 == NULL
7866 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7867 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7868 NULL))
7869 ret = -1;
7870 else
7871 ret = tick_key_renew ? 2 : 1;
7872
7873 EVP_CIPHER_free(aes128cbc);
7874 EVP_MD_free(sha256);
7875
7876 return ret;
7877 }
7878 #endif
7879
tick_key_evp_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)7880 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7881 unsigned char iv[EVP_MAX_IV_LENGTH],
7882 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7883 {
7884 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7885 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7886 OSSL_PARAM params[2];
7887 EVP_CIPHER *aes128cbc;
7888 int ret;
7889
7890 tick_key_cb_called = 1;
7891
7892 if (tick_key_renew == -1)
7893 return 0;
7894
7895 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7896 if (!TEST_ptr(aes128cbc))
7897 return 0;
7898
7899 memset(iv, 0, AES_BLOCK_SIZE);
7900 memset(key_name, 0, 16);
7901 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7902 "SHA256", 0);
7903 params[1] = OSSL_PARAM_construct_end();
7904 if (aes128cbc == NULL
7905 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7906 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7907 params))
7908 ret = -1;
7909 else
7910 ret = tick_key_renew ? 2 : 1;
7911
7912 EVP_CIPHER_free(aes128cbc);
7913
7914 return ret;
7915 }
7916
7917 /*
7918 * Test the various ticket callbacks
7919 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7920 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7921 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7922 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7923 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7924 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7925 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7926 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7927 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7928 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7929 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7930 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7931 * Test 12: TLSv1.2, old ticket key callback, no ticket
7932 * Test 13: TLSv1.3, old ticket key callback, no ticket
7933 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7934 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7935 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7936 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7937 * Test 18: TLSv1.2, ticket key callback, no ticket
7938 * Test 19: TLSv1.3, ticket key callback, no ticket
7939 */
test_ticket_callbacks(int tst)7940 static int test_ticket_callbacks(int tst)
7941 {
7942 SSL_CTX *cctx = NULL, *sctx = NULL;
7943 SSL *clientssl = NULL, *serverssl = NULL;
7944 SSL_SESSION *clntsess = NULL;
7945 int testresult = 0;
7946
7947 #ifdef OPENSSL_NO_TLS1_2
7948 if (tst % 2 == 0)
7949 return 1;
7950 #endif
7951 #ifdef OSSL_NO_USABLE_TLS1_3
7952 if (tst % 2 == 1)
7953 return 1;
7954 #endif
7955 #ifdef OPENSSL_NO_DEPRECATED_3_0
7956 if (tst >= 8 && tst <= 13)
7957 return 1;
7958 #endif
7959
7960 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7961
7962 /* Which tests the ticket key callback should request renewal for */
7963
7964 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7965 tick_key_renew = 1;
7966 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7967 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7968 else
7969 tick_key_renew = 0;
7970
7971 /* Which tests the decrypt ticket callback should request renewal for */
7972 switch (tst) {
7973 case 0:
7974 case 1:
7975 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7976 break;
7977
7978 case 2:
7979 case 3:
7980 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7981 break;
7982
7983 case 4:
7984 case 5:
7985 tick_dec_ret = SSL_TICKET_RETURN_USE;
7986 break;
7987
7988 case 6:
7989 case 7:
7990 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7991 break;
7992
7993 default:
7994 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7995 }
7996
7997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7998 TLS_client_method(),
7999 TLS1_VERSION,
8000 ((tst % 2) == 0) ? TLS1_2_VERSION
8001 : TLS1_3_VERSION,
8002 &sctx, &cctx, cert, privkey)))
8003 goto end;
8004
8005 /*
8006 * We only want sessions to resume from tickets - not the session cache. So
8007 * switch the cache off.
8008 */
8009 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8010 goto end;
8011
8012 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8013 NULL)))
8014 goto end;
8015
8016 if (tst >= 14) {
8017 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8018 goto end;
8019 #ifndef OPENSSL_NO_DEPRECATED_3_0
8020 } else if (tst >= 8) {
8021 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8022 goto end;
8023 #endif
8024 }
8025
8026 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8027 NULL, NULL))
8028 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8029 SSL_ERROR_NONE)))
8030 goto end;
8031
8032 /*
8033 * The decrypt ticket key callback in TLSv1.2 should be called even though
8034 * we have no ticket yet, because it gets called with a status of
8035 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8036 * actually send any ticket data). This does not happen in TLSv1.3 because
8037 * it is not valid to send empty ticket data in TLSv1.3.
8038 */
8039 if (!TEST_int_eq(gen_tick_called, 1)
8040 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8041 goto end;
8042
8043 gen_tick_called = dec_tick_called = 0;
8044
8045 clntsess = SSL_get1_session(clientssl);
8046 SSL_shutdown(clientssl);
8047 SSL_shutdown(serverssl);
8048 SSL_free(serverssl);
8049 SSL_free(clientssl);
8050 serverssl = clientssl = NULL;
8051
8052 /* Now do a resumption */
8053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8054 NULL))
8055 || !TEST_true(SSL_set_session(clientssl, clntsess))
8056 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8057 SSL_ERROR_NONE)))
8058 goto end;
8059
8060 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8061 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8062 || tick_key_renew == -1) {
8063 if (!TEST_false(SSL_session_reused(clientssl)))
8064 goto end;
8065 } else {
8066 if (!TEST_true(SSL_session_reused(clientssl)))
8067 goto end;
8068 }
8069
8070 if (!TEST_int_eq(gen_tick_called,
8071 (tick_key_renew
8072 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8073 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8074 ? 1 : 0)
8075 /* There is no ticket to decrypt in tests 13 and 19 */
8076 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8077 goto end;
8078
8079 testresult = 1;
8080
8081 end:
8082 SSL_SESSION_free(clntsess);
8083 SSL_free(serverssl);
8084 SSL_free(clientssl);
8085 SSL_CTX_free(sctx);
8086 SSL_CTX_free(cctx);
8087
8088 return testresult;
8089 }
8090
8091 /*
8092 * Test incorrect shutdown.
8093 * Test 0: client does not shutdown properly,
8094 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8095 * server should get SSL_ERROR_SSL
8096 * Test 1: client does not shutdown properly,
8097 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8098 * server should get SSL_ERROR_ZERO_RETURN
8099 */
test_incorrect_shutdown(int tst)8100 static int test_incorrect_shutdown(int tst)
8101 {
8102 SSL_CTX *cctx = NULL, *sctx = NULL;
8103 SSL *clientssl = NULL, *serverssl = NULL;
8104 int testresult = 0;
8105 char buf[80];
8106 BIO *c2s;
8107
8108 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8109 TLS_client_method(), 0, 0,
8110 &sctx, &cctx, cert, privkey)))
8111 goto end;
8112
8113 if (tst == 1)
8114 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8115
8116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8117 NULL, NULL)))
8118 goto end;
8119
8120 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8121 SSL_ERROR_NONE)))
8122 goto end;
8123
8124 c2s = SSL_get_rbio(serverssl);
8125 BIO_set_mem_eof_return(c2s, 0);
8126
8127 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8128 goto end;
8129
8130 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8131 goto end;
8132 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8133 goto end;
8134
8135 testresult = 1;
8136
8137 end:
8138 SSL_free(serverssl);
8139 SSL_free(clientssl);
8140 SSL_CTX_free(sctx);
8141 SSL_CTX_free(cctx);
8142
8143 return testresult;
8144 }
8145
8146 /*
8147 * Test bi-directional shutdown.
8148 * Test 0: TLSv1.2
8149 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8150 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8151 * Test 3: TLSv1.3, pending NewSessionTicket messages
8152 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8153 * sends key update, client reads it
8154 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8155 * sends CertificateRequest, client reads and ignores it
8156 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8157 * doesn't read it
8158 */
test_shutdown(int tst)8159 static int test_shutdown(int tst)
8160 {
8161 SSL_CTX *cctx = NULL, *sctx = NULL;
8162 SSL *clientssl = NULL, *serverssl = NULL;
8163 int testresult = 0;
8164 char msg[] = "A test message";
8165 char buf[80];
8166 size_t written, readbytes;
8167 SSL_SESSION *sess;
8168
8169 #ifdef OPENSSL_NO_TLS1_2
8170 if (tst <= 1)
8171 return 1;
8172 #endif
8173 #ifdef OSSL_NO_USABLE_TLS1_3
8174 if (tst >= 2)
8175 return 1;
8176 #endif
8177
8178 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8179 TLS_client_method(),
8180 TLS1_VERSION,
8181 (tst <= 1) ? TLS1_2_VERSION
8182 : TLS1_3_VERSION,
8183 &sctx, &cctx, cert, privkey)))
8184 goto end;
8185
8186 if (tst == 5)
8187 SSL_CTX_set_post_handshake_auth(cctx, 1);
8188
8189 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8190 NULL, NULL)))
8191 goto end;
8192
8193 if (tst == 3) {
8194 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8195 SSL_ERROR_NONE, 1))
8196 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8197 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8198 goto end;
8199 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8200 SSL_ERROR_NONE))
8201 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8202 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8203 goto end;
8204 }
8205
8206 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8207 goto end;
8208
8209 if (tst >= 4) {
8210 /*
8211 * Reading on the server after the client has sent close_notify should
8212 * fail and provide SSL_ERROR_ZERO_RETURN
8213 */
8214 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8215 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8216 SSL_ERROR_ZERO_RETURN)
8217 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8218 SSL_RECEIVED_SHUTDOWN)
8219 /*
8220 * Even though we're shutdown on receive we should still be
8221 * able to write.
8222 */
8223 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8224 goto end;
8225 if (tst == 4
8226 && !TEST_true(SSL_key_update(serverssl,
8227 SSL_KEY_UPDATE_REQUESTED)))
8228 goto end;
8229 if (tst == 5) {
8230 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8231 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8232 goto end;
8233 }
8234 if ((tst == 4 || tst == 5)
8235 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8236 goto end;
8237 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8238 goto end;
8239 if (tst == 4 || tst == 5) {
8240 /* Should still be able to read data from server */
8241 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8242 &readbytes))
8243 || !TEST_size_t_eq(readbytes, sizeof(msg))
8244 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8245 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8246 &readbytes))
8247 || !TEST_size_t_eq(readbytes, sizeof(msg))
8248 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8249 goto end;
8250 }
8251 }
8252
8253 /* Writing on the client after sending close_notify shouldn't be possible */
8254 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8255 goto end;
8256
8257 if (tst < 4) {
8258 /*
8259 * For these tests the client has sent close_notify but it has not yet
8260 * been received by the server. The server has not sent close_notify
8261 * yet.
8262 */
8263 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8264 /*
8265 * Writing on the server after sending close_notify shouldn't
8266 * be possible.
8267 */
8268 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8269 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8270 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8271 || !TEST_true(SSL_SESSION_is_resumable(sess))
8272 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8273 goto end;
8274 } else if (tst == 4 || tst == 5) {
8275 /*
8276 * In this test the client has sent close_notify and it has been
8277 * received by the server which has responded with a close_notify. The
8278 * client needs to read the close_notify sent by the server.
8279 */
8280 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8281 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8282 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8283 goto end;
8284 } else {
8285 /*
8286 * tst == 6
8287 *
8288 * The client has sent close_notify and is expecting a close_notify
8289 * back, but instead there is application data first. The shutdown
8290 * should fail with a fatal error.
8291 */
8292 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8293 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8294 goto end;
8295 }
8296
8297 testresult = 1;
8298
8299 end:
8300 SSL_free(serverssl);
8301 SSL_free(clientssl);
8302 SSL_CTX_free(sctx);
8303 SSL_CTX_free(cctx);
8304
8305 return testresult;
8306 }
8307
8308 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8309 static int cert_cb_cnt;
8310
cert_cb(SSL * s,void * arg)8311 static int cert_cb(SSL *s, void *arg)
8312 {
8313 SSL_CTX *ctx = (SSL_CTX *)arg;
8314 BIO *in = NULL;
8315 EVP_PKEY *pkey = NULL;
8316 X509 *x509 = NULL, *rootx = NULL;
8317 STACK_OF(X509) *chain = NULL;
8318 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8319 int ret = 0;
8320
8321 if (cert_cb_cnt == 0) {
8322 /* Suspend the handshake */
8323 cert_cb_cnt++;
8324 return -1;
8325 } else if (cert_cb_cnt == 1) {
8326 /*
8327 * Update the SSL_CTX, set the certificate and private key and then
8328 * continue the handshake normally.
8329 */
8330 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8331 return 0;
8332
8333 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8334 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8335 SSL_FILETYPE_PEM))
8336 || !TEST_true(SSL_check_private_key(s)))
8337 return 0;
8338 cert_cb_cnt++;
8339 return 1;
8340 } else if (cert_cb_cnt == 3) {
8341 int rv;
8342
8343 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8344 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8345 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8346 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8347 goto out;
8348 chain = sk_X509_new_null();
8349 if (!TEST_ptr(chain))
8350 goto out;
8351 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8352 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8353 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8354 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8355 || !TEST_true(sk_X509_push(chain, rootx)))
8356 goto out;
8357 rootx = NULL;
8358 BIO_free(in);
8359 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8360 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8361 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8362 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8363 goto out;
8364 BIO_free(in);
8365 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8366 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8367 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8368 NULL, NULL,
8369 libctx, NULL)))
8370 goto out;
8371 rv = SSL_check_chain(s, x509, pkey, chain);
8372 /*
8373 * If the cert doesn't show as valid here (e.g., because we don't
8374 * have any shared sigalgs), then we will not set it, and there will
8375 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8376 * will cause tls_choose_sigalgs() to fail the connection.
8377 */
8378 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8379 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8380 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8381 goto out;
8382 }
8383
8384 ret = 1;
8385 }
8386
8387 /* Abort the handshake */
8388 out:
8389 OPENSSL_free(ecdsacert);
8390 OPENSSL_free(ecdsakey);
8391 OPENSSL_free(rootfile);
8392 BIO_free(in);
8393 EVP_PKEY_free(pkey);
8394 X509_free(x509);
8395 X509_free(rootx);
8396 sk_X509_pop_free(chain, X509_free);
8397 return ret;
8398 }
8399
8400 /*
8401 * Test the certificate callback.
8402 * Test 0: Callback fails
8403 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8404 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8405 * Test 3: Success - Call SSL_check_chain from the callback
8406 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8407 * chain
8408 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8409 */
test_cert_cb_int(int prot,int tst)8410 static int test_cert_cb_int(int prot, int tst)
8411 {
8412 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8413 SSL *clientssl = NULL, *serverssl = NULL;
8414 int testresult = 0, ret;
8415
8416 #ifdef OPENSSL_NO_EC
8417 /* We use an EC cert in these tests, so we skip in a no-ec build */
8418 if (tst >= 3)
8419 return 1;
8420 #endif
8421
8422 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8423 TLS_client_method(),
8424 TLS1_VERSION,
8425 prot,
8426 &sctx, &cctx, NULL, NULL)))
8427 goto end;
8428
8429 if (tst == 0)
8430 cert_cb_cnt = -1;
8431 else if (tst >= 3)
8432 cert_cb_cnt = 3;
8433 else
8434 cert_cb_cnt = 0;
8435
8436 if (tst == 2) {
8437 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8438 if (!TEST_ptr(snictx))
8439 goto end;
8440 }
8441
8442 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8443
8444 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8445 NULL, NULL)))
8446 goto end;
8447
8448 if (tst == 4) {
8449 /*
8450 * We cause SSL_check_chain() to fail by specifying sig_algs that
8451 * the chain doesn't meet (the root uses an RSA cert)
8452 */
8453 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8454 "ecdsa_secp256r1_sha256")))
8455 goto end;
8456 } else if (tst == 5) {
8457 /*
8458 * We cause SSL_check_chain() to fail by specifying sig_algs that
8459 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8460 */
8461 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8462 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8463 goto end;
8464 }
8465
8466 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8467 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8468 || (tst > 0
8469 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8470 goto end;
8471 }
8472
8473 testresult = 1;
8474
8475 end:
8476 SSL_free(serverssl);
8477 SSL_free(clientssl);
8478 SSL_CTX_free(sctx);
8479 SSL_CTX_free(cctx);
8480 SSL_CTX_free(snictx);
8481
8482 return testresult;
8483 }
8484 #endif
8485
test_cert_cb(int tst)8486 static int test_cert_cb(int tst)
8487 {
8488 int testresult = 1;
8489
8490 #ifndef OPENSSL_NO_TLS1_2
8491 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8492 #endif
8493 #ifndef OSSL_NO_USABLE_TLS1_3
8494 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8495 #endif
8496
8497 return testresult;
8498 }
8499
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)8500 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8501 {
8502 X509 *xcert;
8503 EVP_PKEY *privpkey;
8504 BIO *in = NULL;
8505 BIO *priv_in = NULL;
8506
8507 /* Check that SSL_get0_peer_certificate() returns something sensible */
8508 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8509 return 0;
8510
8511 in = BIO_new_file(cert, "r");
8512 if (!TEST_ptr(in))
8513 return 0;
8514
8515 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8516 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8517 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8518 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8519 NULL, NULL,
8520 libctx, NULL)))
8521 goto err;
8522
8523 *x509 = xcert;
8524 *pkey = privpkey;
8525
8526 BIO_free(in);
8527 BIO_free(priv_in);
8528 return 1;
8529 err:
8530 X509_free(xcert);
8531 BIO_free(in);
8532 BIO_free(priv_in);
8533 return 0;
8534 }
8535
test_client_cert_cb(int tst)8536 static int test_client_cert_cb(int tst)
8537 {
8538 SSL_CTX *cctx = NULL, *sctx = NULL;
8539 SSL *clientssl = NULL, *serverssl = NULL;
8540 int testresult = 0;
8541
8542 #ifdef OPENSSL_NO_TLS1_2
8543 if (tst == 0)
8544 return 1;
8545 #endif
8546 #ifdef OSSL_NO_USABLE_TLS1_3
8547 if (tst == 1)
8548 return 1;
8549 #endif
8550
8551 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8552 TLS_client_method(),
8553 TLS1_VERSION,
8554 tst == 0 ? TLS1_2_VERSION
8555 : TLS1_3_VERSION,
8556 &sctx, &cctx, cert, privkey)))
8557 goto end;
8558
8559 /*
8560 * Test that setting a client_cert_cb results in a client certificate being
8561 * sent.
8562 */
8563 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8564 SSL_CTX_set_verify(sctx,
8565 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8566 verify_cb);
8567
8568 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8569 NULL, NULL))
8570 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8571 SSL_ERROR_NONE)))
8572 goto end;
8573
8574 testresult = 1;
8575
8576 end:
8577 SSL_free(serverssl);
8578 SSL_free(clientssl);
8579 SSL_CTX_free(sctx);
8580 SSL_CTX_free(cctx);
8581
8582 return testresult;
8583 }
8584
8585 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8586 /*
8587 * Test setting certificate authorities on both client and server.
8588 *
8589 * Test 0: SSL_CTX_set0_CA_list() only
8590 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8591 * Test 2: Only SSL_CTX_set_client_CA_list()
8592 */
test_ca_names_int(int prot,int tst)8593 static int test_ca_names_int(int prot, int tst)
8594 {
8595 SSL_CTX *cctx = NULL, *sctx = NULL;
8596 SSL *clientssl = NULL, *serverssl = NULL;
8597 int testresult = 0;
8598 size_t i;
8599 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8600 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8601 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8602 const STACK_OF(X509_NAME) *sktmp = NULL;
8603
8604 for (i = 0; i < OSSL_NELEM(name); i++) {
8605 name[i] = X509_NAME_new();
8606 if (!TEST_ptr(name[i])
8607 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8608 MBSTRING_ASC,
8609 (unsigned char *)
8610 strnames[i],
8611 -1, -1, 0)))
8612 goto end;
8613 }
8614
8615 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8616 TLS_client_method(),
8617 TLS1_VERSION,
8618 prot,
8619 &sctx, &cctx, cert, privkey)))
8620 goto end;
8621
8622 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8623
8624 if (tst == 0 || tst == 1) {
8625 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8626 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8627 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8628 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8629 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8630 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8631 goto end;
8632
8633 SSL_CTX_set0_CA_list(sctx, sk1);
8634 SSL_CTX_set0_CA_list(cctx, sk2);
8635 sk1 = sk2 = NULL;
8636 }
8637 if (tst == 1 || tst == 2) {
8638 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8639 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8640 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8641 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8642 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8643 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8644 goto end;
8645
8646 SSL_CTX_set_client_CA_list(sctx, sk1);
8647 SSL_CTX_set_client_CA_list(cctx, sk2);
8648 sk1 = sk2 = NULL;
8649 }
8650
8651 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8652 NULL, NULL))
8653 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8654 SSL_ERROR_NONE)))
8655 goto end;
8656
8657 /*
8658 * We only expect certificate authorities to have been sent to the server
8659 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8660 */
8661 sktmp = SSL_get0_peer_CA_list(serverssl);
8662 if (prot == TLS1_3_VERSION
8663 && (tst == 0 || tst == 1)) {
8664 if (!TEST_ptr(sktmp)
8665 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8666 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8667 name[0]), 0)
8668 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8669 name[1]), 0))
8670 goto end;
8671 } else if (!TEST_ptr_null(sktmp)) {
8672 goto end;
8673 }
8674
8675 /*
8676 * In all tests we expect certificate authorities to have been sent to the
8677 * client. However, SSL_set_client_CA_list() should override
8678 * SSL_set0_CA_list()
8679 */
8680 sktmp = SSL_get0_peer_CA_list(clientssl);
8681 if (!TEST_ptr(sktmp)
8682 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8683 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8684 name[tst == 0 ? 0 : 2]), 0)
8685 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8686 name[tst == 0 ? 1 : 3]), 0))
8687 goto end;
8688
8689 testresult = 1;
8690
8691 end:
8692 SSL_free(serverssl);
8693 SSL_free(clientssl);
8694 SSL_CTX_free(sctx);
8695 SSL_CTX_free(cctx);
8696 for (i = 0; i < OSSL_NELEM(name); i++)
8697 X509_NAME_free(name[i]);
8698 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8699 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8700
8701 return testresult;
8702 }
8703 #endif
8704
test_ca_names(int tst)8705 static int test_ca_names(int tst)
8706 {
8707 int testresult = 1;
8708
8709 #ifndef OPENSSL_NO_TLS1_2
8710 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8711 #endif
8712 #ifndef OSSL_NO_USABLE_TLS1_3
8713 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8714 #endif
8715
8716 return testresult;
8717 }
8718
8719 #ifndef OPENSSL_NO_TLS1_2
8720 static const char *multiblock_cipherlist_data[]=
8721 {
8722 "AES128-SHA",
8723 "AES128-SHA256",
8724 "AES256-SHA",
8725 "AES256-SHA256",
8726 };
8727
8728 /* Reduce the fragment size - so the multiblock test buffer can be small */
8729 # define MULTIBLOCK_FRAGSIZE 512
8730
test_multiblock_write(int test_index)8731 static int test_multiblock_write(int test_index)
8732 {
8733 static const char *fetchable_ciphers[]=
8734 {
8735 "AES-128-CBC-HMAC-SHA1",
8736 "AES-128-CBC-HMAC-SHA256",
8737 "AES-256-CBC-HMAC-SHA1",
8738 "AES-256-CBC-HMAC-SHA256"
8739 };
8740 const char *cipherlist = multiblock_cipherlist_data[test_index];
8741 const SSL_METHOD *smeth = TLS_server_method();
8742 const SSL_METHOD *cmeth = TLS_client_method();
8743 int min_version = TLS1_VERSION;
8744 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8745 SSL_CTX *cctx = NULL, *sctx = NULL;
8746 SSL *clientssl = NULL, *serverssl = NULL;
8747 int testresult = 0;
8748
8749 /*
8750 * Choose a buffer large enough to perform a multi-block operation
8751 * i.e: write_len >= 4 * frag_size
8752 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8753 */
8754 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8755 unsigned char buf[sizeof(msg)], *p = buf;
8756 size_t readbytes, written, len;
8757 EVP_CIPHER *ciph = NULL;
8758
8759 /*
8760 * Check if the cipher exists before attempting to use it since it only has
8761 * a hardware specific implementation.
8762 */
8763 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8764 if (ciph == NULL) {
8765 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8766 return 1;
8767 }
8768 EVP_CIPHER_free(ciph);
8769
8770 /* Set up a buffer with some data that will be sent to the client */
8771 RAND_bytes(msg, sizeof(msg));
8772
8773 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8774 max_version, &sctx, &cctx, cert,
8775 privkey)))
8776 goto end;
8777
8778 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8779 goto end;
8780
8781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8782 NULL, NULL)))
8783 goto end;
8784
8785 /* settings to force it to use AES-CBC-HMAC_SHA */
8786 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8787 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8788 goto end;
8789
8790 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8791 goto end;
8792
8793 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8794 || !TEST_size_t_eq(written, sizeof(msg)))
8795 goto end;
8796
8797 len = written;
8798 while (len > 0) {
8799 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8800 goto end;
8801 p += readbytes;
8802 len -= readbytes;
8803 }
8804 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8805 goto end;
8806
8807 testresult = 1;
8808 end:
8809 SSL_free(serverssl);
8810 SSL_free(clientssl);
8811 SSL_CTX_free(sctx);
8812 SSL_CTX_free(cctx);
8813
8814 return testresult;
8815 }
8816 #endif /* OPENSSL_NO_TLS1_2 */
8817
test_session_timeout(int test)8818 static int test_session_timeout(int test)
8819 {
8820 /*
8821 * Test session ordering and timeout
8822 * Can't explicitly test performance of the new code,
8823 * but can test to see if the ordering of the sessions
8824 * are correct, and they they are removed as expected
8825 */
8826 SSL_SESSION *early = NULL;
8827 SSL_SESSION *middle = NULL;
8828 SSL_SESSION *late = NULL;
8829 SSL_CTX *ctx;
8830 int testresult = 0;
8831 long now = (long)time(NULL);
8832 #define TIMEOUT 10
8833
8834 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8835 || !TEST_ptr(early = SSL_SESSION_new())
8836 || !TEST_ptr(middle = SSL_SESSION_new())
8837 || !TEST_ptr(late = SSL_SESSION_new()))
8838 goto end;
8839
8840 /* assign unique session ids */
8841 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8842 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8843 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8844 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8845 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8846 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8847
8848 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8849 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8850 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8851 goto end;
8852
8853 /* Make sure they are all added */
8854 if (!TEST_ptr(early->prev)
8855 || !TEST_ptr(middle->prev)
8856 || !TEST_ptr(late->prev))
8857 goto end;
8858
8859 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8860 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8861 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8862 goto end;
8863
8864 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8865 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8866 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8867 goto end;
8868
8869 /* Make sure they are all still there */
8870 if (!TEST_ptr(early->prev)
8871 || !TEST_ptr(middle->prev)
8872 || !TEST_ptr(late->prev))
8873 goto end;
8874
8875 /* Make sure they are in the expected order */
8876 if (!TEST_ptr_eq(late->next, middle)
8877 || !TEST_ptr_eq(middle->next, early)
8878 || !TEST_ptr_eq(early->prev, middle)
8879 || !TEST_ptr_eq(middle->prev, late))
8880 goto end;
8881
8882 /* This should remove "early" */
8883 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8884 if (!TEST_ptr_null(early->prev)
8885 || !TEST_ptr(middle->prev)
8886 || !TEST_ptr(late->prev))
8887 goto end;
8888
8889 /* This should remove "middle" */
8890 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8891 if (!TEST_ptr_null(early->prev)
8892 || !TEST_ptr_null(middle->prev)
8893 || !TEST_ptr(late->prev))
8894 goto end;
8895
8896 /* This should remove "late" */
8897 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8898 if (!TEST_ptr_null(early->prev)
8899 || !TEST_ptr_null(middle->prev)
8900 || !TEST_ptr_null(late->prev))
8901 goto end;
8902
8903 /* Add them back in again */
8904 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8905 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8906 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8907 goto end;
8908
8909 /* Make sure they are all added */
8910 if (!TEST_ptr(early->prev)
8911 || !TEST_ptr(middle->prev)
8912 || !TEST_ptr(late->prev))
8913 goto end;
8914
8915 /* This should remove all of them */
8916 SSL_CTX_flush_sessions(ctx, 0);
8917 if (!TEST_ptr_null(early->prev)
8918 || !TEST_ptr_null(middle->prev)
8919 || !TEST_ptr_null(late->prev))
8920 goto end;
8921
8922 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8923 | SSL_CTX_get_session_cache_mode(ctx));
8924
8925 /* make sure |now| is NOT equal to the current time */
8926 now -= 10;
8927 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8928 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8929 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8930 goto end;
8931
8932 testresult = 1;
8933 end:
8934 SSL_CTX_free(ctx);
8935 SSL_SESSION_free(early);
8936 SSL_SESSION_free(middle);
8937 SSL_SESSION_free(late);
8938 return testresult;
8939 }
8940
8941 /*
8942 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8943 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8944 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8945 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8946 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8947 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8948 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8949 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8950 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8951 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8952 */
test_servername(int tst)8953 static int test_servername(int tst)
8954 {
8955 SSL_CTX *cctx = NULL, *sctx = NULL;
8956 SSL *clientssl = NULL, *serverssl = NULL;
8957 int testresult = 0;
8958 SSL_SESSION *sess = NULL;
8959 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8960
8961 #ifdef OPENSSL_NO_TLS1_2
8962 if (tst <= 4)
8963 return 1;
8964 #endif
8965 #ifdef OSSL_NO_USABLE_TLS1_3
8966 if (tst >= 5)
8967 return 1;
8968 #endif
8969
8970 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8971 TLS_client_method(),
8972 TLS1_VERSION,
8973 (tst <= 4) ? TLS1_2_VERSION
8974 : TLS1_3_VERSION,
8975 &sctx, &cctx, cert, privkey))
8976 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8977 NULL, NULL)))
8978 goto end;
8979
8980 if (tst != 1 && tst != 6) {
8981 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8982 hostname_cb)))
8983 goto end;
8984 }
8985
8986 if (tst != 3 && tst != 8) {
8987 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8988 goto end;
8989 sexpectedhost = cexpectedhost = "goodhost";
8990 }
8991
8992 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8993 goto end;
8994
8995 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8996 cexpectedhost)
8997 || !TEST_str_eq(SSL_get_servername(serverssl,
8998 TLSEXT_NAMETYPE_host_name),
8999 sexpectedhost))
9000 goto end;
9001
9002 /* Now repeat with a resumption handshake */
9003
9004 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9005 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9006 || !TEST_true(SSL_SESSION_is_resumable(sess))
9007 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9008 goto end;
9009
9010 SSL_free(clientssl);
9011 SSL_free(serverssl);
9012 clientssl = serverssl = NULL;
9013
9014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9015 NULL)))
9016 goto end;
9017
9018 if (!TEST_true(SSL_set_session(clientssl, sess)))
9019 goto end;
9020
9021 sexpectedhost = cexpectedhost = "goodhost";
9022 if (tst == 2 || tst == 7) {
9023 /* Set an inconsistent hostname */
9024 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9025 goto end;
9026 /*
9027 * In TLSv1.2 we expect the hostname from the original handshake, in
9028 * TLSv1.3 we expect the hostname from this handshake
9029 */
9030 if (tst == 7)
9031 sexpectedhost = cexpectedhost = "altgoodhost";
9032
9033 if (!TEST_str_eq(SSL_get_servername(clientssl,
9034 TLSEXT_NAMETYPE_host_name),
9035 "altgoodhost"))
9036 goto end;
9037 } else if (tst == 4 || tst == 9) {
9038 /*
9039 * A TLSv1.3 session does not associate a session with a servername,
9040 * but a TLSv1.2 session does.
9041 */
9042 if (tst == 9)
9043 sexpectedhost = cexpectedhost = NULL;
9044
9045 if (!TEST_str_eq(SSL_get_servername(clientssl,
9046 TLSEXT_NAMETYPE_host_name),
9047 cexpectedhost))
9048 goto end;
9049 } else {
9050 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9051 goto end;
9052 /*
9053 * In a TLSv1.2 resumption where the hostname was not acknowledged
9054 * we expect the hostname on the server to be empty. On the client we
9055 * return what was requested in this case.
9056 *
9057 * Similarly if the client didn't set a hostname on an original TLSv1.2
9058 * session but is now, the server hostname will be empty, but the client
9059 * is as we set it.
9060 */
9061 if (tst == 1 || tst == 3)
9062 sexpectedhost = NULL;
9063
9064 if (!TEST_str_eq(SSL_get_servername(clientssl,
9065 TLSEXT_NAMETYPE_host_name),
9066 "goodhost"))
9067 goto end;
9068 }
9069
9070 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9071 goto end;
9072
9073 if (!TEST_true(SSL_session_reused(clientssl))
9074 || !TEST_true(SSL_session_reused(serverssl))
9075 || !TEST_str_eq(SSL_get_servername(clientssl,
9076 TLSEXT_NAMETYPE_host_name),
9077 cexpectedhost)
9078 || !TEST_str_eq(SSL_get_servername(serverssl,
9079 TLSEXT_NAMETYPE_host_name),
9080 sexpectedhost))
9081 goto end;
9082
9083 testresult = 1;
9084
9085 end:
9086 SSL_SESSION_free(sess);
9087 SSL_free(serverssl);
9088 SSL_free(clientssl);
9089 SSL_CTX_free(sctx);
9090 SSL_CTX_free(cctx);
9091
9092 return testresult;
9093 }
9094
9095 #if !defined(OPENSSL_NO_EC) \
9096 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9097 /*
9098 * Test that if signature algorithms are not available, then we do not offer or
9099 * accept them.
9100 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9101 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9102 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9103 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9104 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9105 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9106 */
test_sigalgs_available(int idx)9107 static int test_sigalgs_available(int idx)
9108 {
9109 SSL_CTX *cctx = NULL, *sctx = NULL;
9110 SSL *clientssl = NULL, *serverssl = NULL;
9111 int testresult = 0;
9112 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9113 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9114 OSSL_PROVIDER *filterprov = NULL;
9115 int sig, hash;
9116
9117 if (!TEST_ptr(tmpctx))
9118 goto end;
9119
9120 if (idx != 0 && idx != 3) {
9121 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9122 filter_provider_init)))
9123 goto end;
9124
9125 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9126 if (!TEST_ptr(filterprov))
9127 goto end;
9128
9129 if (idx < 3) {
9130 /*
9131 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9132 * or accepted for the peer that uses this libctx. Note that libssl
9133 * *requires* SHA2-256 to be available so we cannot disable that. We
9134 * also need SHA1 for our certificate.
9135 */
9136 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9137 "SHA2-256:SHA1")))
9138 goto end;
9139 } else {
9140 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9141 "ECDSA"))
9142 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9143 "EC:X25519:X448")))
9144 goto end;
9145 }
9146
9147 if (idx == 1 || idx == 4)
9148 clientctx = tmpctx;
9149 else
9150 serverctx = tmpctx;
9151 }
9152
9153 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9154 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9155 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9156 goto end;
9157
9158 if (idx != 5) {
9159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9160 TLS_client_method(),
9161 TLS1_VERSION,
9162 0,
9163 &sctx, &cctx, cert, privkey)))
9164 goto end;
9165 } else {
9166 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9167 TLS_client_method(),
9168 TLS1_VERSION,
9169 0,
9170 &sctx, &cctx, cert2, privkey2)))
9171 goto end;
9172 }
9173
9174 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9175 if (idx < 4) {
9176 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9177 "ECDHE-RSA-AES128-GCM-SHA256")))
9178 goto end;
9179 } else {
9180 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9181 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9182 goto end;
9183 }
9184
9185 if (idx < 3) {
9186 if (!SSL_CTX_set1_sigalgs_list(cctx,
9187 "rsa_pss_rsae_sha384"
9188 ":rsa_pss_rsae_sha256")
9189 || !SSL_CTX_set1_sigalgs_list(sctx,
9190 "rsa_pss_rsae_sha384"
9191 ":rsa_pss_rsae_sha256"))
9192 goto end;
9193 } else {
9194 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9195 || !SSL_CTX_set1_sigalgs_list(sctx,
9196 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9197 goto end;
9198 }
9199
9200 if (idx != 5
9201 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9202 SSL_FILETYPE_PEM), 1)
9203 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9204 privkey2,
9205 SSL_FILETYPE_PEM), 1)
9206 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9207 goto end;
9208
9209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9210 NULL, NULL)))
9211 goto end;
9212
9213 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9214 goto end;
9215
9216 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9217 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9218 NULL, NULL),
9219 (idx == 0 || idx == 3) ? 2 : 1))
9220 goto end;
9221
9222 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9223 goto end;
9224
9225 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9226 : NID_rsassaPss))
9227 goto end;
9228
9229 testresult = filter_provider_check_clean_finish();
9230
9231 end:
9232 SSL_free(serverssl);
9233 SSL_free(clientssl);
9234 SSL_CTX_free(sctx);
9235 SSL_CTX_free(cctx);
9236 OSSL_PROVIDER_unload(filterprov);
9237 OSSL_LIB_CTX_free(tmpctx);
9238
9239 return testresult;
9240 }
9241 #endif /*
9242 * !defined(OPENSSL_NO_EC) \
9243 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9244 */
9245
9246 #ifndef OPENSSL_NO_TLS1_3
9247 /* This test can run in TLSv1.3 even if ec and dh are disabled */
test_pluggable_group(int idx)9248 static int test_pluggable_group(int idx)
9249 {
9250 SSL_CTX *cctx = NULL, *sctx = NULL;
9251 SSL *clientssl = NULL, *serverssl = NULL;
9252 int testresult = 0;
9253 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9254 /* Check that we are not impacted by a provider without any groups */
9255 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9256 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9257
9258 if (!TEST_ptr(tlsprov))
9259 goto end;
9260
9261 if (legacyprov == NULL) {
9262 /*
9263 * In this case we assume we've been built with "no-legacy" and skip
9264 * this test (there is no OPENSSL_NO_LEGACY)
9265 */
9266 testresult = 1;
9267 goto end;
9268 }
9269
9270 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9271 TLS_client_method(),
9272 TLS1_3_VERSION,
9273 TLS1_3_VERSION,
9274 &sctx, &cctx, cert, privkey))
9275 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9276 NULL, NULL)))
9277 goto end;
9278
9279 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9280 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9281 goto end;
9282
9283 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9284 goto end;
9285
9286 if (!TEST_str_eq(group_name,
9287 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9288 goto end;
9289
9290 testresult = 1;
9291
9292 end:
9293 SSL_free(serverssl);
9294 SSL_free(clientssl);
9295 SSL_CTX_free(sctx);
9296 SSL_CTX_free(cctx);
9297 OSSL_PROVIDER_unload(tlsprov);
9298 OSSL_PROVIDER_unload(legacyprov);
9299
9300 return testresult;
9301 }
9302 #endif
9303
9304 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)9305 static int test_ssl_dup(void)
9306 {
9307 SSL_CTX *cctx = NULL, *sctx = NULL;
9308 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9309 int testresult = 0;
9310 BIO *rbio = NULL, *wbio = NULL;
9311
9312 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9313 TLS_client_method(),
9314 0,
9315 0,
9316 &sctx, &cctx, cert, privkey)))
9317 goto end;
9318
9319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9320 NULL, NULL)))
9321 goto end;
9322
9323 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9324 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9325 goto end;
9326
9327 client2ssl = SSL_dup(clientssl);
9328 rbio = SSL_get_rbio(clientssl);
9329 if (!TEST_ptr(rbio)
9330 || !TEST_true(BIO_up_ref(rbio)))
9331 goto end;
9332 SSL_set0_rbio(client2ssl, rbio);
9333 rbio = NULL;
9334
9335 wbio = SSL_get_wbio(clientssl);
9336 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9337 goto end;
9338 SSL_set0_wbio(client2ssl, wbio);
9339 rbio = NULL;
9340
9341 if (!TEST_ptr(client2ssl)
9342 /* Handshake not started so pointers should be different */
9343 || !TEST_ptr_ne(clientssl, client2ssl))
9344 goto end;
9345
9346 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9347 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9348 goto end;
9349
9350 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9351 goto end;
9352
9353 SSL_free(clientssl);
9354 clientssl = SSL_dup(client2ssl);
9355 if (!TEST_ptr(clientssl)
9356 /* Handshake has finished so pointers should be the same */
9357 || !TEST_ptr_eq(clientssl, client2ssl))
9358 goto end;
9359
9360 testresult = 1;
9361
9362 end:
9363 SSL_free(serverssl);
9364 SSL_free(clientssl);
9365 SSL_free(client2ssl);
9366 SSL_CTX_free(sctx);
9367 SSL_CTX_free(cctx);
9368
9369 return testresult;
9370 }
9371
9372 # ifndef OPENSSL_NO_DH
9373
9374 static EVP_PKEY *tmp_dh_params = NULL;
9375
9376 /* Helper function for the test_set_tmp_dh() tests */
get_tmp_dh_params(void)9377 static EVP_PKEY *get_tmp_dh_params(void)
9378 {
9379 if (tmp_dh_params == NULL) {
9380 BIGNUM *p = NULL;
9381 OSSL_PARAM_BLD *tmpl = NULL;
9382 EVP_PKEY_CTX *pctx = NULL;
9383 OSSL_PARAM *params = NULL;
9384 EVP_PKEY *dhpkey = NULL;
9385
9386 p = BN_get_rfc3526_prime_2048(NULL);
9387 if (!TEST_ptr(p))
9388 goto end;
9389
9390 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9391 if (!TEST_ptr(pctx)
9392 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9393 goto end;
9394
9395 tmpl = OSSL_PARAM_BLD_new();
9396 if (!TEST_ptr(tmpl)
9397 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9398 OSSL_PKEY_PARAM_FFC_P,
9399 p))
9400 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9401 OSSL_PKEY_PARAM_FFC_G,
9402 2)))
9403 goto end;
9404
9405 params = OSSL_PARAM_BLD_to_param(tmpl);
9406 if (!TEST_ptr(params)
9407 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9408 EVP_PKEY_KEY_PARAMETERS,
9409 params), 1))
9410 goto end;
9411
9412 tmp_dh_params = dhpkey;
9413 end:
9414 BN_free(p);
9415 EVP_PKEY_CTX_free(pctx);
9416 OSSL_PARAM_BLD_free(tmpl);
9417 OSSL_PARAM_free(params);
9418 }
9419
9420 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9421 return NULL;
9422
9423 return tmp_dh_params;
9424 }
9425
9426 # ifndef OPENSSL_NO_DEPRECATED_3_0
9427 /* Callback used by test_set_tmp_dh() */
tmp_dh_callback(SSL * s,int is_export,int keylen)9428 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9429 {
9430 EVP_PKEY *dhpkey = get_tmp_dh_params();
9431 DH *ret = NULL;
9432
9433 if (!TEST_ptr(dhpkey))
9434 return NULL;
9435
9436 /*
9437 * libssl does not free the returned DH, so we free it now knowing that even
9438 * after we free dhpkey, there will still be a reference to the owning
9439 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9440 * of time we need it for.
9441 */
9442 ret = EVP_PKEY_get1_DH(dhpkey);
9443 DH_free(ret);
9444
9445 EVP_PKEY_free(dhpkey);
9446
9447 return ret;
9448 }
9449 # endif
9450
9451 /*
9452 * Test the various methods for setting temporary DH parameters
9453 *
9454 * Test 0: Default (no auto) setting
9455 * Test 1: Explicit SSL_CTX auto off
9456 * Test 2: Explicit SSL auto off
9457 * Test 3: Explicit SSL_CTX auto on
9458 * Test 4: Explicit SSL auto on
9459 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9460 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9461 *
9462 * The following are testing deprecated APIs, so we only run them if available
9463 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9464 * Test 8: Explicit SSL auto off, custom DH params via DH
9465 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9466 * Test 10: Explicit SSL auto off, custom DH params via callback
9467 */
test_set_tmp_dh(int idx)9468 static int test_set_tmp_dh(int idx)
9469 {
9470 SSL_CTX *cctx = NULL, *sctx = NULL;
9471 SSL *clientssl = NULL, *serverssl = NULL;
9472 int testresult = 0;
9473 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9474 int expected = (idx <= 2) ? 0 : 1;
9475 EVP_PKEY *dhpkey = NULL;
9476 # ifndef OPENSSL_NO_DEPRECATED_3_0
9477 DH *dh = NULL;
9478 # else
9479
9480 if (idx >= 7)
9481 return 1;
9482 # endif
9483
9484 if (idx >= 5 && idx <= 8) {
9485 dhpkey = get_tmp_dh_params();
9486 if (!TEST_ptr(dhpkey))
9487 goto end;
9488 }
9489 # ifndef OPENSSL_NO_DEPRECATED_3_0
9490 if (idx == 7 || idx == 8) {
9491 dh = EVP_PKEY_get1_DH(dhpkey);
9492 if (!TEST_ptr(dh))
9493 goto end;
9494 }
9495 # endif
9496
9497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9498 TLS_client_method(),
9499 0,
9500 0,
9501 &sctx, &cctx, cert, privkey)))
9502 goto end;
9503
9504 if ((idx & 1) == 1) {
9505 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9506 goto end;
9507 }
9508
9509 if (idx == 5) {
9510 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9511 goto end;
9512 dhpkey = NULL;
9513 }
9514 # ifndef OPENSSL_NO_DEPRECATED_3_0
9515 else if (idx == 7) {
9516 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9517 goto end;
9518 } else if (idx == 9) {
9519 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9520 }
9521 # endif
9522
9523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9524 NULL, NULL)))
9525 goto end;
9526
9527 if ((idx & 1) == 0 && idx != 0) {
9528 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9529 goto end;
9530 }
9531 if (idx == 6) {
9532 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9533 goto end;
9534 dhpkey = NULL;
9535 }
9536 # ifndef OPENSSL_NO_DEPRECATED_3_0
9537 else if (idx == 8) {
9538 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9539 goto end;
9540 } else if (idx == 10) {
9541 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9542 }
9543 # endif
9544
9545 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9546 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9547 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9548 goto end;
9549
9550 /*
9551 * If autoon then we should succeed. Otherwise we expect failure because
9552 * there are no parameters
9553 */
9554 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9555 SSL_ERROR_NONE), expected))
9556 goto end;
9557
9558 testresult = 1;
9559
9560 end:
9561 # ifndef OPENSSL_NO_DEPRECATED_3_0
9562 DH_free(dh);
9563 # endif
9564 SSL_free(serverssl);
9565 SSL_free(clientssl);
9566 SSL_CTX_free(sctx);
9567 SSL_CTX_free(cctx);
9568 EVP_PKEY_free(dhpkey);
9569
9570 return testresult;
9571 }
9572
9573 /*
9574 * Test the auto DH keys are appropriately sized
9575 */
test_dh_auto(int idx)9576 static int test_dh_auto(int idx)
9577 {
9578 SSL_CTX *cctx = NULL, *sctx = NULL;
9579 SSL *clientssl = NULL, *serverssl = NULL;
9580 int testresult = 0;
9581 EVP_PKEY *tmpkey = NULL;
9582 char *thiscert = NULL, *thiskey = NULL;
9583 size_t expdhsize = 0;
9584 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9585
9586 switch (idx) {
9587 case 0:
9588 /* The FIPS provider doesn't support this DH size - so we ignore it */
9589 if (is_fips)
9590 return 1;
9591 thiscert = cert1024;
9592 thiskey = privkey1024;
9593 expdhsize = 1024;
9594 break;
9595 case 1:
9596 /* 2048 bit prime */
9597 thiscert = cert;
9598 thiskey = privkey;
9599 expdhsize = 2048;
9600 break;
9601 case 2:
9602 thiscert = cert3072;
9603 thiskey = privkey3072;
9604 expdhsize = 3072;
9605 break;
9606 case 3:
9607 thiscert = cert4096;
9608 thiskey = privkey4096;
9609 expdhsize = 4096;
9610 break;
9611 case 4:
9612 thiscert = cert8192;
9613 thiskey = privkey8192;
9614 expdhsize = 8192;
9615 break;
9616 /* No certificate cases */
9617 case 5:
9618 /* The FIPS provider doesn't support this DH size - so we ignore it */
9619 if (is_fips)
9620 return 1;
9621 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9622 expdhsize = 1024;
9623 break;
9624 case 6:
9625 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9626 expdhsize = 3072;
9627 break;
9628 default:
9629 TEST_error("Invalid text index");
9630 goto end;
9631 }
9632
9633 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9634 TLS_client_method(),
9635 0,
9636 0,
9637 &sctx, &cctx, thiscert, thiskey)))
9638 goto end;
9639
9640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9641 NULL, NULL)))
9642 goto end;
9643
9644 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9645 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9646 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9647 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9648 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9649 goto end;
9650
9651 /*
9652 * Send the server's first flight. At this point the server has created the
9653 * temporary DH key but hasn't finished using it yet. Once used it is
9654 * removed, so we cannot test it.
9655 */
9656 if (!TEST_int_le(SSL_connect(clientssl), 0)
9657 || !TEST_int_le(SSL_accept(serverssl), 0))
9658 goto end;
9659
9660 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9661 goto end;
9662 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9663 goto end;
9664
9665 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9666 goto end;
9667
9668 testresult = 1;
9669
9670 end:
9671 SSL_free(serverssl);
9672 SSL_free(clientssl);
9673 SSL_CTX_free(sctx);
9674 SSL_CTX_free(cctx);
9675 EVP_PKEY_free(tmpkey);
9676
9677 return testresult;
9678
9679 }
9680 # endif /* OPENSSL_NO_DH */
9681 #endif /* OPENSSL_NO_TLS1_2 */
9682
9683 #ifndef OSSL_NO_USABLE_TLS1_3
9684 /*
9685 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9686 * that it works even without a certificate configured for the original
9687 * SSL_CTX
9688 */
test_sni_tls13(void)9689 static int test_sni_tls13(void)
9690 {
9691 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9692 SSL *clientssl = NULL, *serverssl = NULL;
9693 int testresult = 0;
9694
9695 /* Reset callback counter */
9696 snicb = 0;
9697
9698 /* Create an initial SSL_CTX with no certificate configured */
9699 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9700 if (!TEST_ptr(sctx))
9701 goto end;
9702 /* Require TLSv1.3 as a minimum */
9703 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9704 TLS_client_method(), TLS1_3_VERSION, 0,
9705 &sctx2, &cctx, cert, privkey)))
9706 goto end;
9707
9708 /* Set up SNI */
9709 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9710 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9711 goto end;
9712
9713 /*
9714 * Connection should still succeed because the final SSL_CTX has the right
9715 * certificates configured.
9716 */
9717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9718 &clientssl, NULL, NULL))
9719 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9720 SSL_ERROR_NONE)))
9721 goto end;
9722
9723 /* We should have had the SNI callback called exactly once */
9724 if (!TEST_int_eq(snicb, 1))
9725 goto end;
9726
9727 testresult = 1;
9728
9729 end:
9730 SSL_free(serverssl);
9731 SSL_free(clientssl);
9732 SSL_CTX_free(sctx2);
9733 SSL_CTX_free(sctx);
9734 SSL_CTX_free(cctx);
9735 return testresult;
9736 }
9737
9738 /*
9739 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9740 * 0 = TLSv1.2
9741 * 1 = TLSv1.3
9742 */
test_ticket_lifetime(int idx)9743 static int test_ticket_lifetime(int idx)
9744 {
9745 SSL_CTX *cctx = NULL, *sctx = NULL;
9746 SSL *clientssl = NULL, *serverssl = NULL;
9747 int testresult = 0;
9748 int version = TLS1_3_VERSION;
9749
9750 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9751 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9752
9753 if (idx == 0) {
9754 #ifdef OPENSSL_NO_TLS1_2
9755 return TEST_skip("TLS 1.2 is disabled.");
9756 #else
9757 version = TLS1_2_VERSION;
9758 #endif
9759 }
9760
9761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9762 TLS_client_method(), version, version,
9763 &sctx, &cctx, cert, privkey)))
9764 goto end;
9765
9766 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9767 &clientssl, NULL, NULL)))
9768 goto end;
9769
9770 /*
9771 * Set the timeout to be more than 1 week
9772 * make sure the returned value is the default
9773 */
9774 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9775 SSL_get_default_timeout(serverssl)))
9776 goto end;
9777
9778 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9779 goto end;
9780
9781 if (idx == 0) {
9782 /* TLSv1.2 uses the set value */
9783 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9784 goto end;
9785 } else {
9786 /* TLSv1.3 uses the limited value */
9787 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9788 goto end;
9789 }
9790 testresult = 1;
9791
9792 end:
9793 SSL_free(serverssl);
9794 SSL_free(clientssl);
9795 SSL_CTX_free(sctx);
9796 SSL_CTX_free(cctx);
9797 return testresult;
9798 }
9799 #endif
9800 /*
9801 * Test that setting an ALPN does not violate RFC
9802 */
test_set_alpn(void)9803 static int test_set_alpn(void)
9804 {
9805 SSL_CTX *ctx = NULL;
9806 SSL *ssl = NULL;
9807 int testresult = 0;
9808
9809 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9810 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9811 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9812 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9813 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9814 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9815
9816 /* Create an initial SSL_CTX with no certificate configured */
9817 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9818 if (!TEST_ptr(ctx))
9819 goto end;
9820
9821 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9822 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9823 goto end;
9824 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9825 goto end;
9826 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9827 goto end;
9828 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9829 goto end;
9830 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9831 goto end;
9832 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9833 goto end;
9834 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9835 goto end;
9836 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9837 goto end;
9838 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9839 goto end;
9840
9841 ssl = SSL_new(ctx);
9842 if (!TEST_ptr(ssl))
9843 goto end;
9844
9845 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9846 goto end;
9847 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9848 goto end;
9849 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9850 goto end;
9851 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9852 goto end;
9853 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9854 goto end;
9855 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9856 goto end;
9857 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9858 goto end;
9859 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9860 goto end;
9861 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9862 goto end;
9863
9864 testresult = 1;
9865
9866 end:
9867 SSL_free(ssl);
9868 SSL_CTX_free(ctx);
9869 return testresult;
9870 }
9871
9872 /*
9873 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9874 */
test_set_verify_cert_store_ssl_ctx(void)9875 static int test_set_verify_cert_store_ssl_ctx(void)
9876 {
9877 SSL_CTX *ctx = NULL;
9878 int testresult = 0;
9879 X509_STORE *store = NULL, *new_store = NULL,
9880 *cstore = NULL, *new_cstore = NULL;
9881
9882 /* Create an initial SSL_CTX. */
9883 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9884 if (!TEST_ptr(ctx))
9885 goto end;
9886
9887 /* Retrieve verify store pointer. */
9888 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9889 goto end;
9890
9891 /* Retrieve chain store pointer. */
9892 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9893 goto end;
9894
9895 /* We haven't set any yet, so this should be NULL. */
9896 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9897 goto end;
9898
9899 /* Create stores. We use separate stores so pointers are different. */
9900 new_store = X509_STORE_new();
9901 if (!TEST_ptr(new_store))
9902 goto end;
9903
9904 new_cstore = X509_STORE_new();
9905 if (!TEST_ptr(new_cstore))
9906 goto end;
9907
9908 /* Set stores. */
9909 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9910 goto end;
9911
9912 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9913 goto end;
9914
9915 /* Should be able to retrieve the same pointer. */
9916 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9917 goto end;
9918
9919 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9920 goto end;
9921
9922 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9923 goto end;
9924
9925 /* Should be able to unset again. */
9926 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9927 goto end;
9928
9929 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9930 goto end;
9931
9932 /* Should now be NULL. */
9933 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9934 goto end;
9935
9936 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9937 goto end;
9938
9939 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9940 goto end;
9941
9942 testresult = 1;
9943
9944 end:
9945 X509_STORE_free(new_store);
9946 X509_STORE_free(new_cstore);
9947 SSL_CTX_free(ctx);
9948 return testresult;
9949 }
9950
9951 /*
9952 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9953 */
test_set_verify_cert_store_ssl(void)9954 static int test_set_verify_cert_store_ssl(void)
9955 {
9956 SSL_CTX *ctx = NULL;
9957 SSL *ssl = NULL;
9958 int testresult = 0;
9959 X509_STORE *store = NULL, *new_store = NULL,
9960 *cstore = NULL, *new_cstore = NULL;
9961
9962 /* Create an initial SSL_CTX. */
9963 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9964 if (!TEST_ptr(ctx))
9965 goto end;
9966
9967 /* Create an SSL object. */
9968 ssl = SSL_new(ctx);
9969 if (!TEST_ptr(ssl))
9970 goto end;
9971
9972 /* Retrieve verify store pointer. */
9973 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9974 goto end;
9975
9976 /* Retrieve chain store pointer. */
9977 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9978 goto end;
9979
9980 /* We haven't set any yet, so this should be NULL. */
9981 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9982 goto end;
9983
9984 /* Create stores. We use separate stores so pointers are different. */
9985 new_store = X509_STORE_new();
9986 if (!TEST_ptr(new_store))
9987 goto end;
9988
9989 new_cstore = X509_STORE_new();
9990 if (!TEST_ptr(new_cstore))
9991 goto end;
9992
9993 /* Set stores. */
9994 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9995 goto end;
9996
9997 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9998 goto end;
9999
10000 /* Should be able to retrieve the same pointer. */
10001 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10002 goto end;
10003
10004 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10005 goto end;
10006
10007 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10008 goto end;
10009
10010 /* Should be able to unset again. */
10011 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10012 goto end;
10013
10014 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10015 goto end;
10016
10017 /* Should now be NULL. */
10018 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10019 goto end;
10020
10021 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10022 goto end;
10023
10024 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10025 goto end;
10026
10027 testresult = 1;
10028
10029 end:
10030 X509_STORE_free(new_store);
10031 X509_STORE_free(new_cstore);
10032 SSL_free(ssl);
10033 SSL_CTX_free(ctx);
10034 return testresult;
10035 }
10036
10037
test_inherit_verify_param(void)10038 static int test_inherit_verify_param(void)
10039 {
10040 int testresult = 0;
10041
10042 SSL_CTX *ctx = NULL;
10043 X509_VERIFY_PARAM *cp = NULL;
10044 SSL *ssl = NULL;
10045 X509_VERIFY_PARAM *sp = NULL;
10046 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10047
10048 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10049 if (!TEST_ptr(ctx))
10050 goto end;
10051
10052 cp = SSL_CTX_get0_param(ctx);
10053 if (!TEST_ptr(cp))
10054 goto end;
10055 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10056 goto end;
10057
10058 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10059
10060 ssl = SSL_new(ctx);
10061 if (!TEST_ptr(ssl))
10062 goto end;
10063
10064 sp = SSL_get0_param(ssl);
10065 if (!TEST_ptr(sp))
10066 goto end;
10067 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10068 goto end;
10069
10070 testresult = 1;
10071
10072 end:
10073 SSL_free(ssl);
10074 SSL_CTX_free(ctx);
10075
10076 return testresult;
10077 }
10078
test_load_dhfile(void)10079 static int test_load_dhfile(void)
10080 {
10081 #ifndef OPENSSL_NO_DH
10082 int testresult = 0;
10083
10084 SSL_CTX *ctx = NULL;
10085 SSL_CONF_CTX *cctx = NULL;
10086
10087 if (dhfile == NULL)
10088 return 1;
10089
10090 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10091 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10092 goto end;
10093
10094 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10095 SSL_CONF_CTX_set_flags(cctx,
10096 SSL_CONF_FLAG_CERTIFICATE
10097 | SSL_CONF_FLAG_SERVER
10098 | SSL_CONF_FLAG_FILE);
10099
10100 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10101 goto end;
10102
10103 testresult = 1;
10104 end:
10105 SSL_CONF_CTX_free(cctx);
10106 SSL_CTX_free(ctx);
10107
10108 return testresult;
10109 #else
10110 return TEST_skip("DH not supported by this build");
10111 #endif
10112 }
10113
10114 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10115 /*
10116 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10117 * support this yet. The only pipeline capable cipher that we have is in the
10118 * dasync engine (providers don't support this yet), so we have to use
10119 * deprecated APIs for this test.
10120 *
10121 * Test 0: Client has pipelining enabled, server does not
10122 * Test 1: Server has pipelining enabled, client does not
10123 * Test 2: Client has pipelining enabled, server does not: not enough data to
10124 * fill all the pipelines
10125 * Test 3: Client has pipelining enabled, server does not: not enough data to
10126 * fill all the pipelines by more than a full pipeline's worth
10127 * Test 4: Client has pipelining enabled, server does not: more data than all
10128 * the available pipelines can take
10129 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10130 */
test_pipelining(int idx)10131 static int test_pipelining(int idx)
10132 {
10133 SSL_CTX *cctx = NULL, *sctx = NULL;
10134 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10135 int testresult = 0, numreads;
10136 /* A 55 byte message */
10137 unsigned char *msg = (unsigned char *)
10138 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10139 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10140 size_t expectedreads;
10141 unsigned char *buf = NULL;
10142 ENGINE *e;
10143
10144 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10145 return 0;
10146
10147 if (!TEST_true(ENGINE_init(e))) {
10148 ENGINE_free(e);
10149 return 0;
10150 }
10151
10152 if (!TEST_true(ENGINE_register_ciphers(e)))
10153 goto end;
10154
10155 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10156 TLS_client_method(), 0,
10157 TLS1_2_VERSION, &sctx, &cctx, cert,
10158 privkey)))
10159 goto end;
10160
10161 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10162 &clientssl, NULL, NULL)))
10163 goto end;
10164
10165 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10166 goto end;
10167
10168 /* peera is always configured for pipelining, while peerb is not. */
10169 if (idx == 1) {
10170 peera = serverssl;
10171 peerb = clientssl;
10172
10173 } else {
10174 peera = clientssl;
10175 peerb = serverssl;
10176 }
10177
10178 if (idx == 5) {
10179 numpipes = 2;
10180 /* Maximum allowed fragment size */
10181 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10182 msglen = fragsize * numpipes;
10183 msg = OPENSSL_malloc(msglen);
10184 if (!TEST_ptr(msg))
10185 goto end;
10186 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10187 goto end;
10188 } else if (idx == 4) {
10189 msglen = 55;
10190 } else {
10191 msglen = 50;
10192 }
10193 if (idx == 2)
10194 msglen -= 2; /* Send 2 less bytes */
10195 else if (idx == 3)
10196 msglen -= 12; /* Send 12 less bytes */
10197
10198 buf = OPENSSL_malloc(msglen);
10199 if (!TEST_ptr(buf))
10200 goto end;
10201
10202 if (idx == 5) {
10203 /*
10204 * Test that setting a split send fragment longer than the maximum
10205 * allowed fails
10206 */
10207 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10208 goto end;
10209 }
10210
10211 /*
10212 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10213 * (50 bytes in total). This is a ridiculously small number of bytes -
10214 * but sufficient for our purposes
10215 */
10216 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10217 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10218 goto end;
10219
10220 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10221 goto end;
10222
10223 /* Write some data from peera to peerb */
10224 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10225 || !TEST_size_t_eq(written, msglen))
10226 goto end;
10227
10228 /*
10229 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10230 * have been used - except in test 3 where only |numpipes - 1| pipelines
10231 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10232 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10233 * expect this to be read in |numpipes| or |numpipes - 1| separate
10234 * SSL_read_ex calls. In the case of test 4, there is then one additional
10235 * read for left over data that couldn't fit in the previous pipelines
10236 */
10237 for (offset = 0, numreads = 0;
10238 offset < msglen;
10239 offset += readbytes, numreads++) {
10240 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10241 msglen - offset, &readbytes)))
10242 goto end;
10243 }
10244
10245 expectedreads = idx == 4 ? numpipes + 1
10246 : (idx == 3 ? numpipes - 1 : numpipes);
10247 if (!TEST_mem_eq(msg, msglen, buf, offset)
10248 || !TEST_int_eq(numreads, expectedreads))
10249 goto end;
10250
10251 /*
10252 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10253 * chunks to exercise the read pipelining code on peera.
10254 */
10255 for (offset = 0; offset < msglen; offset += fragsize) {
10256 size_t sendlen = msglen - offset;
10257
10258 if (sendlen > fragsize)
10259 sendlen = fragsize;
10260 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10261 || !TEST_size_t_eq(written, sendlen))
10262 goto end;
10263 }
10264
10265 /*
10266 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10267 * separate chunks (depending on which test we are running). If the
10268 * pipelining is working then we expect peera to read up to numpipes chunks
10269 * and process them in parallel, giving back the complete result in a single
10270 * call to SSL_read_ex
10271 */
10272 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10273 || !TEST_size_t_le(readbytes, msglen))
10274 goto end;
10275
10276 if (idx == 4) {
10277 size_t readbytes2;
10278
10279 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10280 msglen - readbytes, &readbytes2)))
10281 goto end;
10282 readbytes += readbytes2;
10283 if (!TEST_size_t_le(readbytes, msglen))
10284 goto end;
10285 }
10286
10287 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10288 goto end;
10289
10290 testresult = 1;
10291 end:
10292 SSL_free(serverssl);
10293 SSL_free(clientssl);
10294 SSL_CTX_free(sctx);
10295 SSL_CTX_free(cctx);
10296 ENGINE_unregister_ciphers(e);
10297 ENGINE_finish(e);
10298 ENGINE_free(e);
10299 OPENSSL_free(buf);
10300 if (idx == 5)
10301 OPENSSL_free(msg);
10302 return testresult;
10303 }
10304 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10305
10306 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10307
setup_tests(void)10308 int setup_tests(void)
10309 {
10310 char *modulename;
10311 char *configfile;
10312
10313 libctx = OSSL_LIB_CTX_new();
10314 if (!TEST_ptr(libctx))
10315 return 0;
10316
10317 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10318
10319 /*
10320 * Verify that the default and fips providers in the default libctx are not
10321 * available
10322 */
10323 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10324 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10325 return 0;
10326
10327 if (!test_skip_common_options()) {
10328 TEST_error("Error parsing test options\n");
10329 return 0;
10330 }
10331
10332 if (!TEST_ptr(certsdir = test_get_argument(0))
10333 || !TEST_ptr(srpvfile = test_get_argument(1))
10334 || !TEST_ptr(tmpfilename = test_get_argument(2))
10335 || !TEST_ptr(modulename = test_get_argument(3))
10336 || !TEST_ptr(configfile = test_get_argument(4))
10337 || !TEST_ptr(dhfile = test_get_argument(5)))
10338 return 0;
10339
10340 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10341 return 0;
10342
10343 /* Check we have the expected provider available */
10344 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10345 return 0;
10346
10347 /* Check the default provider is not available */
10348 if (strcmp(modulename, "default") != 0
10349 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10350 return 0;
10351
10352 if (strcmp(modulename, "fips") == 0)
10353 is_fips = 1;
10354
10355 /*
10356 * We add, but don't load the test "tls-provider". We'll load it when we
10357 * need it.
10358 */
10359 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10360 tls_provider_init)))
10361 return 0;
10362
10363
10364 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10365 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10366 TEST_error("not supported in this build");
10367 return 0;
10368 #else
10369 int i, mcount, rcount, fcount;
10370
10371 for (i = 0; i < 4; i++)
10372 test_export_key_mat(i);
10373 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10374 test_printf_stdout("malloc %d realloc %d free %d\n",
10375 mcount, rcount, fcount);
10376 return 1;
10377 #endif
10378 }
10379
10380 cert = test_mk_file_path(certsdir, "servercert.pem");
10381 if (cert == NULL)
10382 goto err;
10383
10384 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10385 if (privkey == NULL)
10386 goto err;
10387
10388 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10389 if (cert2 == NULL)
10390 goto err;
10391
10392 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10393 if (privkey2 == NULL)
10394 goto err;
10395
10396 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10397 if (cert1024 == NULL)
10398 goto err;
10399
10400 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10401 if (privkey1024 == NULL)
10402 goto err;
10403
10404 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10405 if (cert3072 == NULL)
10406 goto err;
10407
10408 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10409 if (privkey3072 == NULL)
10410 goto err;
10411
10412 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10413 if (cert4096 == NULL)
10414 goto err;
10415
10416 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10417 if (privkey4096 == NULL)
10418 goto err;
10419
10420 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10421 if (cert8192 == NULL)
10422 goto err;
10423
10424 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10425 if (privkey8192 == NULL)
10426 goto err;
10427
10428 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10429 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10430 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10431 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
10432 # endif
10433 #endif
10434 ADD_TEST(test_large_message_tls);
10435 ADD_TEST(test_large_message_tls_read_ahead);
10436 #ifndef OPENSSL_NO_DTLS
10437 ADD_TEST(test_large_message_dtls);
10438 #endif
10439 ADD_ALL_TESTS(test_large_app_data, 28);
10440 ADD_TEST(test_cleanse_plaintext);
10441 #ifndef OPENSSL_NO_OCSP
10442 ADD_TEST(test_tlsext_status_type);
10443 #endif
10444 ADD_TEST(test_session_with_only_int_cache);
10445 ADD_TEST(test_session_with_only_ext_cache);
10446 ADD_TEST(test_session_with_both_cache);
10447 ADD_TEST(test_session_wo_ca_names);
10448 #ifndef OSSL_NO_USABLE_TLS1_3
10449 ADD_ALL_TESTS(test_stateful_tickets, 3);
10450 ADD_ALL_TESTS(test_stateless_tickets, 3);
10451 ADD_TEST(test_psk_tickets);
10452 ADD_ALL_TESTS(test_extra_tickets, 6);
10453 #endif
10454 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10455 ADD_TEST(test_ssl_bio_pop_next_bio);
10456 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10457 ADD_TEST(test_ssl_bio_change_rbio);
10458 ADD_TEST(test_ssl_bio_change_wbio);
10459 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10460 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10461 ADD_TEST(test_keylog);
10462 #endif
10463 #ifndef OSSL_NO_USABLE_TLS1_3
10464 ADD_TEST(test_keylog_no_master_key);
10465 #endif
10466 ADD_TEST(test_client_cert_verify_cb);
10467 ADD_TEST(test_ssl_build_cert_chain);
10468 ADD_TEST(test_ssl_ctx_build_cert_chain);
10469 #ifndef OPENSSL_NO_TLS1_2
10470 ADD_TEST(test_client_hello_cb);
10471 ADD_TEST(test_no_ems);
10472 ADD_TEST(test_ccs_change_cipher);
10473 #endif
10474 #ifndef OSSL_NO_USABLE_TLS1_3
10475 ADD_ALL_TESTS(test_early_data_read_write, 6);
10476 /*
10477 * We don't do replay tests for external PSK. Replay protection isn't used
10478 * in that scenario.
10479 */
10480 ADD_ALL_TESTS(test_early_data_replay, 2);
10481 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
10482 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
10483 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
10484 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
10485 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10486 ADD_ALL_TESTS(test_early_data_psk, 8);
10487 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10488 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10489 # ifndef OPENSSL_NO_TLS1_2
10490 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10491 # endif
10492 #endif
10493 #ifndef OSSL_NO_USABLE_TLS1_3
10494 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10495 ADD_TEST(test_ciphersuite_change);
10496 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10497 # ifdef OPENSSL_NO_PSK
10498 ADD_ALL_TESTS(test_tls13_psk, 1);
10499 # else
10500 ADD_ALL_TESTS(test_tls13_psk, 4);
10501 # endif /* OPENSSL_NO_PSK */
10502 # ifndef OPENSSL_NO_TLS1_2
10503 /* Test with both TLSv1.3 and 1.2 versions */
10504 ADD_ALL_TESTS(test_key_exchange, 14);
10505 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10506 ADD_ALL_TESTS(test_negotiated_group,
10507 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10508 + OSSL_NELEM(ffdhe_kexch_groups)));
10509 # endif
10510 # else
10511 /* Test with only TLSv1.3 versions */
10512 ADD_ALL_TESTS(test_key_exchange, 12);
10513 # endif
10514 ADD_ALL_TESTS(test_custom_exts, 6);
10515 ADD_TEST(test_stateless);
10516 ADD_TEST(test_pha_key_update);
10517 #else
10518 ADD_ALL_TESTS(test_custom_exts, 3);
10519 #endif
10520 ADD_ALL_TESTS(test_export_key_mat, 6);
10521 #ifndef OSSL_NO_USABLE_TLS1_3
10522 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10523 ADD_TEST(test_key_update);
10524 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10525 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10526 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10527 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10528 #endif
10529 ADD_ALL_TESTS(test_ssl_clear, 2);
10530 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10531 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10532 ADD_ALL_TESTS(test_srp, 6);
10533 #endif
10534 ADD_ALL_TESTS(test_info_callback, 6);
10535 ADD_ALL_TESTS(test_ssl_pending, 2);
10536 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10537 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10538 ADD_ALL_TESTS(test_shutdown, 7);
10539 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10540 ADD_ALL_TESTS(test_cert_cb, 6);
10541 ADD_ALL_TESTS(test_client_cert_cb, 2);
10542 ADD_ALL_TESTS(test_ca_names, 3);
10543 #ifndef OPENSSL_NO_TLS1_2
10544 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10545 #endif
10546 ADD_ALL_TESTS(test_servername, 10);
10547 #if !defined(OPENSSL_NO_EC) \
10548 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10549 ADD_ALL_TESTS(test_sigalgs_available, 6);
10550 #endif
10551 #ifndef OPENSSL_NO_TLS1_3
10552 ADD_ALL_TESTS(test_pluggable_group, 2);
10553 #endif
10554 #ifndef OPENSSL_NO_TLS1_2
10555 ADD_TEST(test_ssl_dup);
10556 # ifndef OPENSSL_NO_DH
10557 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10558 ADD_ALL_TESTS(test_dh_auto, 7);
10559 # endif
10560 #endif
10561 #ifndef OSSL_NO_USABLE_TLS1_3
10562 ADD_TEST(test_sni_tls13);
10563 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10564 #endif
10565 ADD_TEST(test_inherit_verify_param);
10566 ADD_TEST(test_set_alpn);
10567 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10568 ADD_TEST(test_set_verify_cert_store_ssl);
10569 ADD_ALL_TESTS(test_session_timeout, 1);
10570 ADD_TEST(test_load_dhfile);
10571 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10572 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10573 #endif
10574 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10575 ADD_ALL_TESTS(test_pipelining, 6);
10576 #endif
10577 return 1;
10578
10579 err:
10580 OPENSSL_free(cert);
10581 OPENSSL_free(privkey);
10582 OPENSSL_free(cert2);
10583 OPENSSL_free(privkey2);
10584 return 0;
10585 }
10586
cleanup_tests(void)10587 void cleanup_tests(void)
10588 {
10589 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10590 EVP_PKEY_free(tmp_dh_params);
10591 #endif
10592 OPENSSL_free(cert);
10593 OPENSSL_free(privkey);
10594 OPENSSL_free(cert2);
10595 OPENSSL_free(privkey2);
10596 OPENSSL_free(cert1024);
10597 OPENSSL_free(privkey1024);
10598 OPENSSL_free(cert3072);
10599 OPENSSL_free(privkey3072);
10600 OPENSSL_free(cert4096);
10601 OPENSSL_free(privkey4096);
10602 OPENSSL_free(cert8192);
10603 OPENSSL_free(privkey8192);
10604 bio_s_mempacket_test_free();
10605 bio_s_always_retry_free();
10606 OSSL_PROVIDER_unload(defctxnull);
10607 OSSL_LIB_CTX_free(libctx);
10608 }
10609