VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.5/test/sslapitest.c@ 105770

Last change on this file since 105770 was 104078, checked in by vboxsync, 8 months ago

openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638

File size: 364.2 KB
Line 
1/*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36#include <openssl/engine.h>
37
38#include "helpers/ssltestlib.h"
39#include "testutil.h"
40#include "testutil/output.h"
41#include "internal/nelem.h"
42#include "internal/ktls.h"
43#include "../ssl/ssl_local.h"
44#include "filterprov.h"
45
46#undef OSSL_NO_USABLE_TLS1_3
47#if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49/*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53# define OSSL_NO_USABLE_TLS1_3
54#endif
55
56/* Defined in tls-provider.c */
57int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62static OSSL_LIB_CTX *libctx = NULL;
63static OSSL_PROVIDER *defctxnull = NULL;
64
65#ifndef OSSL_NO_USABLE_TLS1_3
66
67static SSL_SESSION *clientpsk = NULL;
68static SSL_SESSION *serverpsk = NULL;
69static const char *pskid = "Identity";
70static const char *srvid;
71
72static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77static int use_session_cb_cnt = 0;
78static int find_session_cb_cnt = 0;
79
80static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81#endif
82
83static char *certsdir = NULL;
84static char *cert = NULL;
85static char *privkey = NULL;
86static char *cert2 = NULL;
87static char *privkey2 = NULL;
88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
98static char *dhfile = NULL;
99
100static int is_fips = 0;
101static int fips_ems_check = 0;
102
103#define LOG_BUFFER_SIZE 2048
104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t server_log_buffer_index = 0;
106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107static size_t client_log_buffer_index = 0;
108static int error_writing_log = 0;
109
110#ifndef OPENSSL_NO_OCSP
111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
117#endif
118
119#define NUM_EXTRA_CERTS 40
120#define CLIENT_VERSION_LEN 2
121
122/*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
136};
137
138
139static int hostname_cb(SSL *s, int *al, void *arg)
140{
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148}
149
150static void client_keylog_callback(const SSL *ssl, const char *line)
151{
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
164}
165
166static void server_keylog_callback(const SSL *ssl, const char *line)
167{
168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
180}
181
182static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
185 size_t raw_length)
186{
187 size_t i, j;
188 char hexed[3];
189
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 return 1;
192
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
197 return 1;
198 }
199
200 return 0;
201}
202
203static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
206{
207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
221
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 return 0;
232 if (!TEST_size_t_eq(strlen(token), 16))
233 return 0;
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 return 0;
236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 if (!TEST_size_t_eq(strlen(token), 64))
256 return 0;
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
267 if (!TEST_size_t_ne(master_key_size, 0))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
272 return 0;
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310 if (!TEST_size_t_eq(strlen(token), 64))
311 return 0;
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 } else {
320 TEST_info("Unexpected token %s\n", token);
321 return 0;
322 }
323 }
324
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
344 return 0;
345 return 1;
346}
347
348#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349static int test_keylog(void)
350{
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
354 struct sslapitest_log_counts expected;
355
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 TLS_client_method(),
366 TLS1_VERSION, 0,
367 &sctx, &cctx, cert, privkey)))
368 return 0;
369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 goto end;
377
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 goto end;
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
384 goto end;
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
388 goto end;
389
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
398 goto end;
399
400 /*
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
405 */
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
410 goto end;
411
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
415 goto end;
416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
427#endif
428
429#ifndef OSSL_NO_USABLE_TLS1_3
430static int test_keylog_no_master_key(void)
431{
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
435 int testresult = 0;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
439
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
453 return 0;
454
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
462 goto end;
463
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
467 goto end;
468
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
475 goto end;
476
477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
481 */
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
492 goto end;
493
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
533 testresult = 1;
534
535end:
536 SSL_SESSION_free(sess);
537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
546static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547{
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
562 return res;
563}
564
565static int test_client_cert_verify_cb(void)
566{
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621end:
622 X509_free(crt1);
623 X509_free(crt2);
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
644static int test_ssl_build_cert_chain(void)
645{
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671}
672
673static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674{
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682}
683
684static int test_ssl_ctx_build_cert_chain(void)
685{
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709}
710
711#ifndef OPENSSL_NO_TLS1_2
712static int full_client_hello_callback(SSL *s, int *al, void *arg)
713{
714 int *ctr = arg;
715 const unsigned char *p;
716 int *exts;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
718#ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720#else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723#endif
724 const int expected_extensions[] = {
725#ifndef OPENSSL_NO_EC
726 11, 10,
727#endif
728 35, 22, 23, 13};
729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
733 return SSL_CLIENT_HELLO_RETRY;
734
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
746 OPENSSL_free(exts);
747 return SSL_CLIENT_HELLO_ERROR;
748 }
749 OPENSSL_free(exts);
750 return SSL_CLIENT_HELLO_SUCCESS;
751}
752
753static int test_client_hello_cb(void)
754{
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
762 goto end;
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0, status;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
816 if (fips_ems_check) {
817 if (status == 1) {
818 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
819 goto end;
820 }
821 } else {
822 if (!status) {
823 printf("Creating SSL connection failed\n");
824 goto end;
825 }
826 if (SSL_get_extms_support(serverssl)) {
827 printf("Server reports Extended Master Secret support\n");
828 goto end;
829 }
830 if (SSL_get_extms_support(clientssl)) {
831 printf("Client reports Extended Master Secret support\n");
832 goto end;
833 }
834 }
835 testresult = 1;
836
837end:
838 SSL_free(serverssl);
839 SSL_free(clientssl);
840 SSL_CTX_free(sctx);
841 SSL_CTX_free(cctx);
842
843 return testresult;
844}
845
846/*
847 * Very focused test to exercise a single case in the server-side state
848 * machine, when the ChangeCipherState message needs to actually change
849 * from one cipher to a different cipher (i.e., not changing from null
850 * encryption to real encryption).
851 */
852static int test_ccs_change_cipher(void)
853{
854 SSL_CTX *cctx = NULL, *sctx = NULL;
855 SSL *clientssl = NULL, *serverssl = NULL;
856 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 int testresult = 0;
858 int i;
859 unsigned char buf;
860 size_t readbytes;
861
862 /*
863 * Create a connection so we can resume and potentially (but not) use
864 * a different cipher in the second connection.
865 */
866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS_client_method(),
868 TLS1_VERSION, TLS1_2_VERSION,
869 &sctx, &cctx, cert, privkey))
870 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 NULL, NULL))
873 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
874 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 SSL_ERROR_NONE))
876 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
877 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
878 goto end;
879
880 shutdown_ssl_connection(serverssl, clientssl);
881 serverssl = clientssl = NULL;
882
883 /* Resume, preferring a different cipher. Our server will force the
884 * same cipher to be used as the initial handshake. */
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 NULL, NULL))
887 || !TEST_true(SSL_set_session(clientssl, sess))
888 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 SSL_ERROR_NONE))
891 || !TEST_true(SSL_session_reused(clientssl))
892 || !TEST_true(SSL_session_reused(serverssl))
893 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
894 || !TEST_ptr_eq(sesspre, sesspost)
895 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
896 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 goto end;
898 shutdown_ssl_connection(serverssl, clientssl);
899 serverssl = clientssl = NULL;
900
901 /*
902 * Now create a fresh connection and try to renegotiate a different
903 * cipher on it.
904 */
905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 NULL, NULL))
907 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 SSL_ERROR_NONE))
910 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
911 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
912 || !TEST_true(SSL_renegotiate(clientssl))
913 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 goto end;
915 /* Actually drive the renegotiation. */
916 for (i = 0; i < 3; i++) {
917 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
925 if (!TEST_ulong_eq(readbytes, 0))
926 goto end;
927 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
928 SSL_ERROR_WANT_READ)) {
929 goto end;
930 }
931 }
932 /* sesspre and sesspost should be different since the cipher changed. */
933 if (!TEST_false(SSL_renegotiate_pending(clientssl))
934 || !TEST_false(SSL_session_reused(clientssl))
935 || !TEST_false(SSL_session_reused(serverssl))
936 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
937 || !TEST_ptr_ne(sesspre, sesspost)
938 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
939 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
940 goto end;
941
942 shutdown_ssl_connection(serverssl, clientssl);
943 serverssl = clientssl = NULL;
944
945 testresult = 1;
946
947end:
948 SSL_free(serverssl);
949 SSL_free(clientssl);
950 SSL_CTX_free(sctx);
951 SSL_CTX_free(cctx);
952 SSL_SESSION_free(sess);
953
954 return testresult;
955}
956#endif
957
958static int add_large_cert_chain(SSL_CTX *sctx)
959{
960 BIO *certbio = NULL;
961 X509 *chaincert = NULL;
962 int certlen;
963 int ret = 0;
964 int i;
965
966 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
967 goto end;
968
969 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
970 goto end;
971
972 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
973 goto end;
974 BIO_free(certbio);
975 certbio = NULL;
976
977 /*
978 * We assume the supplied certificate is big enough so that if we add
979 * NUM_EXTRA_CERTS it will make the overall message large enough. The
980 * default buffer size is requested to be 16k, but due to the way BUF_MEM
981 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
982 * test we need to have a message larger than that.
983 */
984 certlen = i2d_X509(chaincert, NULL);
985 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
986 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
987 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
988 if (!X509_up_ref(chaincert))
989 goto end;
990 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
991 X509_free(chaincert);
992 goto end;
993 }
994 }
995
996 ret = 1;
997 end:
998 BIO_free(certbio);
999 X509_free(chaincert);
1000 return ret;
1001}
1002
1003static int execute_test_large_message(const SSL_METHOD *smeth,
1004 const SSL_METHOD *cmeth,
1005 int min_version, int max_version,
1006 int read_ahead)
1007{
1008 SSL_CTX *cctx = NULL, *sctx = NULL;
1009 SSL *clientssl = NULL, *serverssl = NULL;
1010 int testresult = 0;
1011
1012 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1013 max_version, &sctx, &cctx, cert,
1014 privkey)))
1015 goto end;
1016
1017#ifdef OPENSSL_NO_DTLS1_2
1018 if (smeth == DTLS_server_method()) {
1019 /*
1020 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1021 * level 0
1022 */
1023 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1024 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1025 "DEFAULT:@SECLEVEL=0")))
1026 goto end;
1027 }
1028#endif
1029
1030 if (read_ahead) {
1031 /*
1032 * Test that read_ahead works correctly when dealing with large
1033 * records
1034 */
1035 SSL_CTX_set_read_ahead(cctx, 1);
1036 }
1037
1038 if (!add_large_cert_chain(sctx))
1039 goto end;
1040
1041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1042 NULL, NULL))
1043 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1044 SSL_ERROR_NONE)))
1045 goto end;
1046
1047 /*
1048 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1049 * doesn't leak.
1050 */
1051 if (!TEST_true(SSL_clear(serverssl)))
1052 goto end;
1053
1054 testresult = 1;
1055 end:
1056 SSL_free(serverssl);
1057 SSL_free(clientssl);
1058 SSL_CTX_free(sctx);
1059 SSL_CTX_free(cctx);
1060
1061 return testresult;
1062}
1063
1064#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1065 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1066/* sock must be connected */
1067static int ktls_chk_platform(int sock)
1068{
1069 if (!ktls_enable(sock))
1070 return 0;
1071 return 1;
1072}
1073
1074static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1075{
1076 static char count = 1;
1077 unsigned char cbuf[16000] = {0};
1078 unsigned char sbuf[16000];
1079 size_t err = 0;
1080 char crec_wseq_before[SEQ_NUM_SIZE];
1081 char crec_wseq_after[SEQ_NUM_SIZE];
1082 char crec_rseq_before[SEQ_NUM_SIZE];
1083 char crec_rseq_after[SEQ_NUM_SIZE];
1084 char srec_wseq_before[SEQ_NUM_SIZE];
1085 char srec_wseq_after[SEQ_NUM_SIZE];
1086 char srec_rseq_before[SEQ_NUM_SIZE];
1087 char srec_rseq_after[SEQ_NUM_SIZE];
1088
1089 cbuf[0] = count++;
1090 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1091 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1092 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1093 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1094
1095 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1096 goto end;
1097
1098 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1099 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1100 goto end;
1101 }
1102 }
1103
1104 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1105 goto end;
1106
1107 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1108 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1109 goto end;
1110 }
1111 }
1112
1113 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1114 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1115 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1116 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1117
1118 /* verify the payload */
1119 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1120 goto end;
1121
1122 /*
1123 * If ktls is used then kernel sequences are used instead of
1124 * OpenSSL sequences
1125 */
1126 if (!BIO_get_ktls_send(clientssl->wbio)) {
1127 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1128 crec_wseq_after, SEQ_NUM_SIZE))
1129 goto end;
1130 } else {
1131 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1132 crec_wseq_after, SEQ_NUM_SIZE))
1133 goto end;
1134 }
1135
1136 if (!BIO_get_ktls_send(serverssl->wbio)) {
1137 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1138 srec_wseq_after, SEQ_NUM_SIZE))
1139 goto end;
1140 } else {
1141 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1142 srec_wseq_after, SEQ_NUM_SIZE))
1143 goto end;
1144 }
1145
1146 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1147 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1148 crec_rseq_after, SEQ_NUM_SIZE))
1149 goto end;
1150 } else {
1151 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1152 crec_rseq_after, SEQ_NUM_SIZE))
1153 goto end;
1154 }
1155
1156 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1157 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1158 srec_rseq_after, SEQ_NUM_SIZE))
1159 goto end;
1160 } else {
1161 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1162 srec_rseq_after, SEQ_NUM_SIZE))
1163 goto end;
1164 }
1165
1166 return 1;
1167end:
1168 return 0;
1169}
1170
1171static int execute_test_ktls(int cis_ktls, int sis_ktls,
1172 int tls_version, const char *cipher)
1173{
1174 SSL_CTX *cctx = NULL, *sctx = NULL;
1175 SSL *clientssl = NULL, *serverssl = NULL;
1176 int ktls_used = 0, testresult = 0;
1177 int cfd = -1, sfd = -1;
1178 int rx_supported;
1179
1180 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1181 goto end;
1182
1183 /* Skip this test if the platform does not support ktls */
1184 if (!ktls_chk_platform(cfd)) {
1185 testresult = TEST_skip("Kernel does not support KTLS");
1186 goto end;
1187 }
1188
1189 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1190 testresult = TEST_skip("CHACHA is not supported in FIPS");
1191 goto end;
1192 }
1193
1194 /* Create a session based on SHA-256 */
1195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1196 TLS_client_method(),
1197 tls_version, tls_version,
1198 &sctx, &cctx, cert, privkey)))
1199 goto end;
1200
1201 if (tls_version == TLS1_3_VERSION) {
1202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1203 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1204 goto end;
1205 } else {
1206 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1207 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1208 goto end;
1209 }
1210
1211 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1212 &clientssl, sfd, cfd)))
1213 goto end;
1214
1215 if (cis_ktls) {
1216 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1217 goto end;
1218 }
1219
1220 if (sis_ktls) {
1221 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1222 goto end;
1223 }
1224
1225 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1226 goto end;
1227
1228 /*
1229 * The running kernel may not support a given cipher suite
1230 * or direction, so just check that KTLS isn't used when it
1231 * isn't enabled.
1232 */
1233 if (!cis_ktls) {
1234 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1235 goto end;
1236 } else {
1237 if (BIO_get_ktls_send(clientssl->wbio))
1238 ktls_used = 1;
1239 }
1240
1241 if (!sis_ktls) {
1242 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1243 goto end;
1244 } else {
1245 if (BIO_get_ktls_send(serverssl->wbio))
1246 ktls_used = 1;
1247 }
1248
1249#if defined(OPENSSL_NO_KTLS_RX)
1250 rx_supported = 0;
1251#else
1252 rx_supported = (tls_version != TLS1_3_VERSION);
1253#endif
1254 if (!cis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1256 goto end;
1257 } else {
1258 if (BIO_get_ktls_send(clientssl->rbio))
1259 ktls_used = 1;
1260 }
1261
1262 if (!sis_ktls || !rx_supported) {
1263 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1264 goto end;
1265 } else {
1266 if (BIO_get_ktls_send(serverssl->rbio))
1267 ktls_used = 1;
1268 }
1269
1270 if ((cis_ktls || sis_ktls) && !ktls_used) {
1271 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1272 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1273 "TLS 1.2", cipher);
1274 goto end;
1275 }
1276
1277 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1278 goto end;
1279
1280 testresult = 1;
1281end:
1282 if (clientssl) {
1283 SSL_shutdown(clientssl);
1284 SSL_free(clientssl);
1285 }
1286 if (serverssl) {
1287 SSL_shutdown(serverssl);
1288 SSL_free(serverssl);
1289 }
1290 SSL_CTX_free(sctx);
1291 SSL_CTX_free(cctx);
1292 serverssl = clientssl = NULL;
1293 if (cfd != -1)
1294 close(cfd);
1295 if (sfd != -1)
1296 close(sfd);
1297 return testresult;
1298}
1299
1300#define SENDFILE_SZ (16 * 4096)
1301#define SENDFILE_CHUNK (4 * 4096)
1302#define min(a,b) ((a) > (b) ? (b) : (a))
1303
1304static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
1315
1316 buf = OPENSSL_zalloc(SENDFILE_SZ);
1317 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1318 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1319 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1320 goto end;
1321
1322 /* Skip this test if the platform does not support ktls */
1323 if (!ktls_chk_platform(sfd)) {
1324 testresult = TEST_skip("Kernel does not support KTLS");
1325 goto end;
1326 }
1327
1328 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1329 testresult = TEST_skip("CHACHA is not supported in FIPS");
1330 goto end;
1331 }
1332
1333 /* Create a session based on SHA-256 */
1334 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1335 TLS_client_method(),
1336 tls_version, tls_version,
1337 &sctx, &cctx, cert, privkey)))
1338 goto end;
1339
1340 if (tls_version == TLS1_3_VERSION) {
1341 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1342 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1343 goto end;
1344 } else {
1345 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1346 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1347 goto end;
1348 }
1349
1350 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1351 &clientssl, sfd, cfd)))
1352 goto end;
1353
1354 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1355 goto end;
1356
1357 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1358 SSL_ERROR_NONE)))
1359 goto end;
1360
1361 if (!BIO_get_ktls_send(serverssl->wbio)) {
1362 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1363 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1364 "TLS 1.2", cipher);
1365 goto end;
1366 }
1367
1368 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1369 goto end;
1370
1371 out = BIO_new_file(tmpfilename, "wb");
1372 if (!TEST_ptr(out))
1373 goto end;
1374
1375 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1376 goto end;
1377
1378 BIO_free(out);
1379 out = NULL;
1380 in = BIO_new_file(tmpfilename, "rb");
1381 BIO_get_fp(in, &ffdp);
1382 ffd = fileno(ffdp);
1383
1384 while (chunk_off < SENDFILE_SZ) {
1385 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1386 while ((err = SSL_sendfile(serverssl,
1387 ffd,
1388 chunk_off,
1389 chunk_size,
1390 0)) != chunk_size) {
1391 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1392 goto end;
1393 }
1394 while ((err = SSL_read(clientssl,
1395 buf_dst + chunk_off,
1396 chunk_size)) != chunk_size) {
1397 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1398 goto end;
1399 }
1400
1401 /* verify the payload */
1402 if (!TEST_mem_eq(buf_dst + chunk_off,
1403 chunk_size,
1404 buf + chunk_off,
1405 chunk_size))
1406 goto end;
1407
1408 chunk_off += chunk_size;
1409 }
1410
1411 testresult = 1;
1412end:
1413 if (clientssl) {
1414 SSL_shutdown(clientssl);
1415 SSL_free(clientssl);
1416 }
1417 if (serverssl) {
1418 SSL_shutdown(serverssl);
1419 SSL_free(serverssl);
1420 }
1421 SSL_CTX_free(sctx);
1422 SSL_CTX_free(cctx);
1423 serverssl = clientssl = NULL;
1424 BIO_free(out);
1425 BIO_free(in);
1426 if (cfd != -1)
1427 close(cfd);
1428 if (sfd != -1)
1429 close(sfd);
1430 OPENSSL_free(buf);
1431 OPENSSL_free(buf_dst);
1432 return testresult;
1433}
1434
1435static struct ktls_test_cipher {
1436 int tls_version;
1437 const char *cipher;
1438} ktls_test_ciphers[] = {
1439# if !defined(OPENSSL_NO_TLS1_2)
1440# ifdef OPENSSL_KTLS_AES_GCM_128
1441 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1442# endif
1443# ifdef OPENSSL_KTLS_AES_CCM_128
1444 { TLS1_2_VERSION, "AES128-CCM"},
1445# endif
1446# ifdef OPENSSL_KTLS_AES_GCM_256
1447 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1448# endif
1449# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1450# ifndef OPENSSL_NO_EC
1451 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1452# endif
1453# endif
1454# endif
1455# if !defined(OSSL_NO_USABLE_TLS1_3)
1456# ifdef OPENSSL_KTLS_AES_GCM_128
1457 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1458# endif
1459# ifdef OPENSSL_KTLS_AES_CCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1461# endif
1462# ifdef OPENSSL_KTLS_AES_GCM_256
1463 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1464# endif
1465# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1466 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1467# endif
1468# endif
1469};
1470
1471#define NUM_KTLS_TEST_CIPHERS \
1472 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1473
1474static int test_ktls(int test)
1475{
1476 struct ktls_test_cipher *cipher;
1477 int cis_ktls, sis_ktls;
1478
1479 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1480 cipher = &ktls_test_ciphers[test / 4];
1481
1482 cis_ktls = (test & 1) != 0;
1483 sis_ktls = (test & 2) != 0;
1484
1485 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1486 cipher->cipher);
1487}
1488
1489static int test_ktls_sendfile(int tst)
1490{
1491 struct ktls_test_cipher *cipher;
1492
1493 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1494 cipher = &ktls_test_ciphers[tst];
1495
1496 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1497}
1498#endif
1499
1500static int test_large_message_tls(void)
1501{
1502 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1503 TLS1_VERSION, 0, 0);
1504}
1505
1506static int test_large_message_tls_read_ahead(void)
1507{
1508 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1509 TLS1_VERSION, 0, 1);
1510}
1511
1512#ifndef OPENSSL_NO_DTLS
1513static int test_large_message_dtls(void)
1514{
1515# ifdef OPENSSL_NO_DTLS1_2
1516 /* Not supported in the FIPS provider */
1517 if (is_fips)
1518 return 1;
1519# endif
1520 /*
1521 * read_ahead is not relevant to DTLS because DTLS always acts as if
1522 * read_ahead is set.
1523 */
1524 return execute_test_large_message(DTLS_server_method(),
1525 DTLS_client_method(),
1526 DTLS1_VERSION, 0, 0);
1527}
1528#endif
1529
1530/*
1531 * Test we can successfully send the maximum amount of application data. We
1532 * test each protocol version individually, each with and without EtM enabled.
1533 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1534 * simpler this way. We also test all combinations with and without the
1535 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1536 * underlying buffer.
1537 */
1538static int test_large_app_data(int tst)
1539{
1540 SSL_CTX *cctx = NULL, *sctx = NULL;
1541 SSL *clientssl = NULL, *serverssl = NULL;
1542 int testresult = 0, prot;
1543 unsigned char *msg, *buf = NULL;
1544 size_t written, readbytes;
1545 const SSL_METHOD *smeth = TLS_server_method();
1546 const SSL_METHOD *cmeth = TLS_client_method();
1547
1548 switch (tst >> 2) {
1549 case 0:
1550#ifndef OSSL_NO_USABLE_TLS1_3
1551 prot = TLS1_3_VERSION;
1552 break;
1553#else
1554 return 1;
1555#endif
1556
1557 case 1:
1558#ifndef OPENSSL_NO_TLS1_2
1559 prot = TLS1_2_VERSION;
1560 break;
1561#else
1562 return 1;
1563#endif
1564
1565 case 2:
1566#ifndef OPENSSL_NO_TLS1_1
1567 prot = TLS1_1_VERSION;
1568 break;
1569#else
1570 return 1;
1571#endif
1572
1573 case 3:
1574#ifndef OPENSSL_NO_TLS1
1575 prot = TLS1_VERSION;
1576 break;
1577#else
1578 return 1;
1579#endif
1580
1581 case 4:
1582#ifndef OPENSSL_NO_SSL3
1583 prot = SSL3_VERSION;
1584 break;
1585#else
1586 return 1;
1587#endif
1588
1589 case 5:
1590#ifndef OPENSSL_NO_DTLS1_2
1591 prot = DTLS1_2_VERSION;
1592 smeth = DTLS_server_method();
1593 cmeth = DTLS_client_method();
1594 break;
1595#else
1596 return 1;
1597#endif
1598
1599 case 6:
1600#ifndef OPENSSL_NO_DTLS1
1601 prot = DTLS1_VERSION;
1602 smeth = DTLS_server_method();
1603 cmeth = DTLS_client_method();
1604 break;
1605#else
1606 return 1;
1607#endif
1608
1609 default:
1610 /* Shouldn't happen */
1611 return 0;
1612 }
1613
1614 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1615 return 1;
1616
1617 /* Maximal sized message of zeros */
1618 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1619 if (!TEST_ptr(msg))
1620 goto end;
1621
1622 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1623 if (!TEST_ptr(buf))
1624 goto end;
1625 /* Set whole buffer to all bits set */
1626 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1627
1628 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1629 &sctx, &cctx, cert, privkey)))
1630 goto end;
1631
1632 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1633 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1634 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1635 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1636 "DEFAULT:@SECLEVEL=0")))
1637 goto end;
1638 }
1639
1640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1641 &clientssl, NULL, NULL)))
1642 goto end;
1643
1644 if ((tst & 1) != 0) {
1645 /* Setting this option gives us a minimally sized underlying buffer */
1646 if (!TEST_true(SSL_set_options(serverssl,
1647 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1648 || !TEST_true(SSL_set_options(clientssl,
1649 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1650 goto end;
1651 }
1652
1653 if ((tst & 2) != 0) {
1654 /*
1655 * Setting this option means the MAC is added before encryption
1656 * giving us a larger record for the encryption process
1657 */
1658 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1659 || !TEST_true(SSL_set_options(clientssl,
1660 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1661 goto end;
1662 }
1663
1664 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1665 goto end;
1666
1667 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1668 &written))
1669 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1670 goto end;
1671
1672 /* We provide a buffer slightly larger than what we are actually expecting */
1673 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1674 &readbytes)))
1675 goto end;
1676
1677 if (!TEST_mem_eq(msg, written, buf, readbytes))
1678 goto end;
1679
1680 testresult = 1;
1681end:
1682 OPENSSL_free(msg);
1683 OPENSSL_free(buf);
1684 SSL_free(serverssl);
1685 SSL_free(clientssl);
1686 SSL_CTX_free(sctx);
1687 SSL_CTX_free(cctx);
1688 return testresult;
1689}
1690
1691#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1692 || !defined(OPENSSL_NO_DTLS)
1693static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1694 const SSL_METHOD *cmeth,
1695 int min_version, int max_version)
1696{
1697 size_t i;
1698 SSL_CTX *cctx = NULL, *sctx = NULL;
1699 SSL *clientssl = NULL, *serverssl = NULL;
1700 int testresult = 0;
1701 SSL3_RECORD *rr;
1702 void *zbuf;
1703
1704 static unsigned char cbuf[16000];
1705 static unsigned char sbuf[16000];
1706
1707 if (!TEST_true(create_ssl_ctx_pair(libctx,
1708 smeth, cmeth,
1709 min_version, max_version,
1710 &sctx, &cctx, cert,
1711 privkey)))
1712 goto end;
1713
1714# ifdef OPENSSL_NO_DTLS1_2
1715 if (smeth == DTLS_server_method()) {
1716 /* Not supported in the FIPS provider */
1717 if (is_fips) {
1718 testresult = 1;
1719 goto end;
1720 };
1721 /*
1722 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1723 * level 0
1724 */
1725 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1726 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1727 "DEFAULT:@SECLEVEL=0")))
1728 goto end;
1729 }
1730# endif
1731
1732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1733 NULL, NULL)))
1734 goto end;
1735
1736 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1737 goto end;
1738
1739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1740 SSL_ERROR_NONE)))
1741 goto end;
1742
1743 for (i = 0; i < sizeof(cbuf); i++) {
1744 cbuf[i] = i & 0xff;
1745 }
1746
1747 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1748 goto end;
1749
1750 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1751 goto end;
1752
1753 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1754 goto end;
1755
1756 /*
1757 * Since we called SSL_peek(), we know the data in the record
1758 * layer is a plaintext record. We can gather the pointer to check
1759 * for zeroization after SSL_read().
1760 */
1761 rr = serverssl->rlayer.rrec;
1762 zbuf = &rr->data[rr->off];
1763 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1764 goto end;
1765
1766 /*
1767 * After SSL_peek() the plaintext must still be stored in the
1768 * record.
1769 */
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1771 goto end;
1772
1773 memset(sbuf, 0, sizeof(sbuf));
1774 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1775 goto end;
1776
1777 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1778 goto end;
1779
1780 /* Check if rbuf is cleansed */
1781 memset(cbuf, 0, sizeof(cbuf));
1782 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1783 goto end;
1784
1785 testresult = 1;
1786 end:
1787 SSL_free(serverssl);
1788 SSL_free(clientssl);
1789 SSL_CTX_free(sctx);
1790 SSL_CTX_free(cctx);
1791
1792 return testresult;
1793}
1794#endif /*
1795 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1796 * || !defined(OPENSSL_NO_DTLS)
1797 */
1798
1799static int test_cleanse_plaintext(void)
1800{
1801#if !defined(OPENSSL_NO_TLS1_2)
1802 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1803 TLS_client_method(),
1804 TLS1_2_VERSION,
1805 TLS1_2_VERSION)))
1806 return 0;
1807
1808#endif
1809
1810#if !defined(OSSL_NO_USABLE_TLS1_3)
1811 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1812 TLS_client_method(),
1813 TLS1_3_VERSION,
1814 TLS1_3_VERSION)))
1815 return 0;
1816#endif
1817
1818#if !defined(OPENSSL_NO_DTLS)
1819
1820 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1821 DTLS_client_method(),
1822 DTLS1_VERSION,
1823 0)))
1824 return 0;
1825#endif
1826 return 1;
1827}
1828
1829#ifndef OPENSSL_NO_OCSP
1830static int ocsp_server_cb(SSL *s, void *arg)
1831{
1832 int *argi = (int *)arg;
1833 unsigned char *copy = NULL;
1834 STACK_OF(OCSP_RESPID) *ids = NULL;
1835 OCSP_RESPID *id = NULL;
1836
1837 if (*argi == 2) {
1838 /* In this test we are expecting exactly 1 OCSP_RESPID */
1839 SSL_get_tlsext_status_ids(s, &ids);
1840 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1841 return SSL_TLSEXT_ERR_ALERT_FATAL;
1842
1843 id = sk_OCSP_RESPID_value(ids, 0);
1844 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1845 return SSL_TLSEXT_ERR_ALERT_FATAL;
1846 } else if (*argi != 1) {
1847 return SSL_TLSEXT_ERR_ALERT_FATAL;
1848 }
1849
1850 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1851 return SSL_TLSEXT_ERR_ALERT_FATAL;
1852
1853 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1854 sizeof(orespder)))) {
1855 OPENSSL_free(copy);
1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857 }
1858 ocsp_server_called = 1;
1859 return SSL_TLSEXT_ERR_OK;
1860}
1861
1862static int ocsp_client_cb(SSL *s, void *arg)
1863{
1864 int *argi = (int *)arg;
1865 const unsigned char *respderin;
1866 size_t len;
1867
1868 if (*argi != 1 && *argi != 2)
1869 return 0;
1870
1871 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1872 if (!TEST_mem_eq(orespder, len, respderin, len))
1873 return 0;
1874
1875 ocsp_client_called = 1;
1876 return 1;
1877}
1878
1879static int test_tlsext_status_type(void)
1880{
1881 SSL_CTX *cctx = NULL, *sctx = NULL;
1882 SSL *clientssl = NULL, *serverssl = NULL;
1883 int testresult = 0;
1884 STACK_OF(OCSP_RESPID) *ids = NULL;
1885 OCSP_RESPID *id = NULL;
1886 BIO *certbio = NULL;
1887
1888 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1889 TLS1_VERSION, 0,
1890 &sctx, &cctx, cert, privkey))
1891 return 0;
1892
1893 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1894 goto end;
1895
1896 /* First just do various checks getting and setting tlsext_status_type */
1897
1898 clientssl = SSL_new(cctx);
1899 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1900 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1901 TLSEXT_STATUSTYPE_ocsp))
1902 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1903 TLSEXT_STATUSTYPE_ocsp))
1904 goto end;
1905
1906 SSL_free(clientssl);
1907 clientssl = NULL;
1908
1909 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1910 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1911 goto end;
1912
1913 clientssl = SSL_new(cctx);
1914 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1915 goto end;
1916 SSL_free(clientssl);
1917 clientssl = NULL;
1918
1919 /*
1920 * Now actually do a handshake and check OCSP information is exchanged and
1921 * the callbacks get called
1922 */
1923 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1924 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1925 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1926 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1928 &clientssl, NULL, NULL))
1929 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1930 SSL_ERROR_NONE))
1931 || !TEST_true(ocsp_client_called)
1932 || !TEST_true(ocsp_server_called))
1933 goto end;
1934 SSL_free(serverssl);
1935 SSL_free(clientssl);
1936 serverssl = NULL;
1937 clientssl = NULL;
1938
1939 /* Try again but this time force the server side callback to fail */
1940 ocsp_client_called = 0;
1941 ocsp_server_called = 0;
1942 cdummyarg = 0;
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 /* This should fail because the callback will fail */
1946 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1947 SSL_ERROR_NONE))
1948 || !TEST_false(ocsp_client_called)
1949 || !TEST_false(ocsp_server_called))
1950 goto end;
1951 SSL_free(serverssl);
1952 SSL_free(clientssl);
1953 serverssl = NULL;
1954 clientssl = NULL;
1955
1956 /*
1957 * This time we'll get the client to send an OCSP_RESPID that it will
1958 * accept.
1959 */
1960 ocsp_client_called = 0;
1961 ocsp_server_called = 0;
1962 cdummyarg = 2;
1963 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1964 &clientssl, NULL, NULL)))
1965 goto end;
1966
1967 /*
1968 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1969 * specific one. We'll use the server cert.
1970 */
1971 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1972 || !TEST_ptr(id = OCSP_RESPID_new())
1973 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1974 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1975 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1976 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1977 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1978 goto end;
1979 id = NULL;
1980 SSL_set_tlsext_status_ids(clientssl, ids);
1981 /* Control has been transferred */
1982 ids = NULL;
1983
1984 BIO_free(certbio);
1985 certbio = NULL;
1986
1987 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1988 SSL_ERROR_NONE))
1989 || !TEST_true(ocsp_client_called)
1990 || !TEST_true(ocsp_server_called))
1991 goto end;
1992
1993 testresult = 1;
1994
1995 end:
1996 SSL_free(serverssl);
1997 SSL_free(clientssl);
1998 SSL_CTX_free(sctx);
1999 SSL_CTX_free(cctx);
2000 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2001 OCSP_RESPID_free(id);
2002 BIO_free(certbio);
2003 X509_free(ocspcert);
2004 ocspcert = NULL;
2005
2006 return testresult;
2007}
2008#endif
2009
2010#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2011static int new_called, remove_called, get_called;
2012
2013static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2014{
2015 new_called++;
2016 /*
2017 * sess has been up-refed for us, but we don't actually need it so free it
2018 * immediately.
2019 */
2020 SSL_SESSION_free(sess);
2021 return 1;
2022}
2023
2024static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2025{
2026 remove_called++;
2027}
2028
2029static SSL_SESSION *get_sess_val = NULL;
2030
2031static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2032 int *copy)
2033{
2034 get_called++;
2035 *copy = 1;
2036 return get_sess_val;
2037}
2038
2039static int execute_test_session(int maxprot, int use_int_cache,
2040 int use_ext_cache, long s_options)
2041{
2042 SSL_CTX *sctx = NULL, *cctx = NULL;
2043 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2044 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2045# ifndef OPENSSL_NO_TLS1_1
2046 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2047# endif
2048 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2049 int testresult = 0, numnewsesstick = 1;
2050
2051 new_called = remove_called = 0;
2052
2053 /* TLSv1.3 sends 2 NewSessionTickets */
2054 if (maxprot == TLS1_3_VERSION)
2055 numnewsesstick = 2;
2056
2057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2058 TLS_client_method(), TLS1_VERSION, 0,
2059 &sctx, &cctx, cert, privkey)))
2060 return 0;
2061
2062 /*
2063 * Only allow the max protocol version so we can force a connection failure
2064 * later
2065 */
2066 SSL_CTX_set_min_proto_version(cctx, maxprot);
2067 SSL_CTX_set_max_proto_version(cctx, maxprot);
2068
2069 /* Set up session cache */
2070 if (use_ext_cache) {
2071 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2072 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2073 }
2074 if (use_int_cache) {
2075 /* Also covers instance where both are set */
2076 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2077 } else {
2078 SSL_CTX_set_session_cache_mode(cctx,
2079 SSL_SESS_CACHE_CLIENT
2080 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2081 }
2082
2083 if (s_options) {
2084 SSL_CTX_set_options(sctx, s_options);
2085 }
2086
2087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2088 NULL, NULL))
2089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2090 SSL_ERROR_NONE))
2091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2092 goto end;
2093
2094 /* Should fail because it should already be in the cache */
2095 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2096 goto end;
2097 if (use_ext_cache
2098 && (!TEST_int_eq(new_called, numnewsesstick)
2099
2100 || !TEST_int_eq(remove_called, 0)))
2101 goto end;
2102
2103 new_called = remove_called = 0;
2104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2105 &clientssl2, NULL, NULL))
2106 || !TEST_true(SSL_set_session(clientssl2, sess1))
2107 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2108 SSL_ERROR_NONE))
2109 || !TEST_true(SSL_session_reused(clientssl2)))
2110 goto end;
2111
2112 if (maxprot == TLS1_3_VERSION) {
2113 /*
2114 * In TLSv1.3 we should have created a new session even though we have
2115 * resumed. Since we attempted a resume we should also have removed the
2116 * old ticket from the cache so that we try to only use tickets once.
2117 */
2118 if (use_ext_cache
2119 && (!TEST_int_eq(new_called, 1)
2120 || !TEST_int_eq(remove_called, 1)))
2121 goto end;
2122 } else {
2123 /*
2124 * In TLSv1.2 we expect to have resumed so no sessions added or
2125 * removed.
2126 */
2127 if (use_ext_cache
2128 && (!TEST_int_eq(new_called, 0)
2129 || !TEST_int_eq(remove_called, 0)))
2130 goto end;
2131 }
2132
2133 SSL_SESSION_free(sess1);
2134 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2135 goto end;
2136 shutdown_ssl_connection(serverssl2, clientssl2);
2137 serverssl2 = clientssl2 = NULL;
2138
2139 new_called = remove_called = 0;
2140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2141 &clientssl2, NULL, NULL))
2142 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2143 SSL_ERROR_NONE)))
2144 goto end;
2145
2146 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2147 goto end;
2148
2149 if (use_ext_cache
2150 && (!TEST_int_eq(new_called, numnewsesstick)
2151 || !TEST_int_eq(remove_called, 0)))
2152 goto end;
2153
2154 new_called = remove_called = 0;
2155 /*
2156 * This should clear sess2 from the cache because it is a "bad" session.
2157 * See SSL_set_session() documentation.
2158 */
2159 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2160 goto end;
2161 if (use_ext_cache
2162 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2163 goto end;
2164 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2165 goto end;
2166
2167 if (use_int_cache) {
2168 /* Should succeeded because it should not already be in the cache */
2169 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2170 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2171 goto end;
2172 }
2173
2174 new_called = remove_called = 0;
2175 /* This shouldn't be in the cache so should fail */
2176 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2177 goto end;
2178
2179 if (use_ext_cache
2180 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2181 goto end;
2182
2183# if !defined(OPENSSL_NO_TLS1_1)
2184 new_called = remove_called = 0;
2185 /* Force a connection failure */
2186 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2188 &clientssl3, NULL, NULL))
2189 || !TEST_true(SSL_set_session(clientssl3, sess1))
2190 /* This should fail because of the mismatched protocol versions */
2191 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2192 SSL_ERROR_NONE)))
2193 goto end;
2194
2195 /* We should have automatically removed the session from the cache */
2196 if (use_ext_cache
2197 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2198 goto end;
2199
2200 /* Should succeed because it should not already be in the cache */
2201 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2202 goto end;
2203# endif
2204
2205 /* Now do some tests for server side caching */
2206 if (use_ext_cache) {
2207 SSL_CTX_sess_set_new_cb(cctx, NULL);
2208 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2209 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2210 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2211 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2212 get_sess_val = NULL;
2213 }
2214
2215 SSL_CTX_set_session_cache_mode(cctx, 0);
2216 /* Internal caching is the default on the server side */
2217 if (!use_int_cache)
2218 SSL_CTX_set_session_cache_mode(sctx,
2219 SSL_SESS_CACHE_SERVER
2220 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2221
2222 SSL_free(serverssl1);
2223 SSL_free(clientssl1);
2224 serverssl1 = clientssl1 = NULL;
2225 SSL_free(serverssl2);
2226 SSL_free(clientssl2);
2227 serverssl2 = clientssl2 = NULL;
2228 SSL_SESSION_free(sess1);
2229 sess1 = NULL;
2230 SSL_SESSION_free(sess2);
2231 sess2 = NULL;
2232
2233 SSL_CTX_set_max_proto_version(sctx, maxprot);
2234 if (maxprot == TLS1_2_VERSION)
2235 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2236 new_called = remove_called = get_called = 0;
2237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2238 NULL, NULL))
2239 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2240 SSL_ERROR_NONE))
2241 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2242 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2243 goto end;
2244
2245 if (use_int_cache) {
2246 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2247 /*
2248 * In TLSv1.3 it should not have been added to the internal cache,
2249 * except in the case where we also have an external cache (in that
2250 * case it gets added to the cache in order to generate remove
2251 * events after timeout).
2252 */
2253 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2254 goto end;
2255 } else {
2256 /* Should fail because it should already be in the cache */
2257 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2258 goto end;
2259 }
2260 }
2261
2262 if (use_ext_cache) {
2263 SSL_SESSION *tmp = sess2;
2264
2265 if (!TEST_int_eq(new_called, numnewsesstick)
2266 || !TEST_int_eq(remove_called, 0)
2267 || !TEST_int_eq(get_called, 0))
2268 goto end;
2269 /*
2270 * Delete the session from the internal cache to force a lookup from
2271 * the external cache. We take a copy first because
2272 * SSL_CTX_remove_session() also marks the session as non-resumable.
2273 */
2274 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2275 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2276 || !TEST_true(sess2->owner != NULL)
2277 || !TEST_true(tmp->owner == NULL)
2278 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2279 goto end;
2280 SSL_SESSION_free(sess2);
2281 }
2282 sess2 = tmp;
2283 }
2284
2285 new_called = remove_called = get_called = 0;
2286 get_sess_val = sess2;
2287 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2288 &clientssl2, NULL, NULL))
2289 || !TEST_true(SSL_set_session(clientssl2, sess1))
2290 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2291 SSL_ERROR_NONE))
2292 || !TEST_true(SSL_session_reused(clientssl2)))
2293 goto end;
2294
2295 if (use_ext_cache) {
2296 if (!TEST_int_eq(remove_called, 0))
2297 goto end;
2298
2299 if (maxprot == TLS1_3_VERSION) {
2300 if (!TEST_int_eq(new_called, 1)
2301 || !TEST_int_eq(get_called, 0))
2302 goto end;
2303 } else {
2304 if (!TEST_int_eq(new_called, 0)
2305 || !TEST_int_eq(get_called, 1))
2306 goto end;
2307 }
2308 }
2309 /*
2310 * Make a small cache, force out all other sessions but
2311 * sess2, try to add sess1, which should succeed. Then
2312 * make sure it's there by checking the owners. Despite
2313 * the timeouts, sess1 should have kicked out sess2
2314 */
2315
2316 /* Make sess1 expire before sess2 */
2317 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2318 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2319 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2320 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2321 goto end;
2322
2323 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2324 goto end;
2325
2326 /* Don't care about results - cache should only be sess2 at end */
2327 SSL_CTX_add_session(sctx, sess1);
2328 SSL_CTX_add_session(sctx, sess2);
2329
2330 /* Now add sess1, and make sure it remains, despite timeout */
2331 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2332 || !TEST_ptr(sess1->owner)
2333 || !TEST_ptr_null(sess2->owner))
2334 goto end;
2335
2336 testresult = 1;
2337
2338 end:
2339 SSL_free(serverssl1);
2340 SSL_free(clientssl1);
2341 SSL_free(serverssl2);
2342 SSL_free(clientssl2);
2343# ifndef OPENSSL_NO_TLS1_1
2344 SSL_free(serverssl3);
2345 SSL_free(clientssl3);
2346# endif
2347 SSL_SESSION_free(sess1);
2348 SSL_SESSION_free(sess2);
2349 SSL_CTX_free(sctx);
2350 SSL_CTX_free(cctx);
2351
2352 return testresult;
2353}
2354#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2355
2356static int test_session_with_only_int_cache(void)
2357{
2358#ifndef OSSL_NO_USABLE_TLS1_3
2359 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2360 return 0;
2361#endif
2362
2363#ifndef OPENSSL_NO_TLS1_2
2364 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2365#else
2366 return 1;
2367#endif
2368}
2369
2370static int test_session_with_only_ext_cache(void)
2371{
2372#ifndef OSSL_NO_USABLE_TLS1_3
2373 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2374 return 0;
2375#endif
2376
2377#ifndef OPENSSL_NO_TLS1_2
2378 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2379#else
2380 return 1;
2381#endif
2382}
2383
2384static int test_session_with_both_cache(void)
2385{
2386#ifndef OSSL_NO_USABLE_TLS1_3
2387 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2388 return 0;
2389#endif
2390
2391#ifndef OPENSSL_NO_TLS1_2
2392 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2393#else
2394 return 1;
2395#endif
2396}
2397
2398static int test_session_wo_ca_names(void)
2399{
2400#ifndef OSSL_NO_USABLE_TLS1_3
2401 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2402 return 0;
2403#endif
2404
2405#ifndef OPENSSL_NO_TLS1_2
2406 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2407#else
2408 return 1;
2409#endif
2410}
2411
2412
2413#ifndef OSSL_NO_USABLE_TLS1_3
2414static SSL_SESSION *sesscache[6];
2415static int do_cache;
2416
2417static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2418{
2419 if (do_cache) {
2420 sesscache[new_called] = sess;
2421 } else {
2422 /* We don't need the reference to the session, so free it */
2423 SSL_SESSION_free(sess);
2424 }
2425 new_called++;
2426
2427 return 1;
2428}
2429
2430static int post_handshake_verify(SSL *sssl, SSL *cssl)
2431{
2432 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2433 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2434 return 0;
2435
2436 /* Start handshake on the server and client */
2437 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2438 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2439 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2440 || !TEST_true(create_ssl_connection(sssl, cssl,
2441 SSL_ERROR_NONE)))
2442 return 0;
2443
2444 return 1;
2445}
2446
2447static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2448 SSL_CTX **cctx)
2449{
2450 int sess_id_ctx = 1;
2451
2452 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2453 TLS_client_method(), TLS1_VERSION, 0,
2454 sctx, cctx, cert, privkey))
2455 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2456 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2457 (void *)&sess_id_ctx,
2458 sizeof(sess_id_ctx))))
2459 return 0;
2460
2461 if (stateful)
2462 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2463
2464 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2465 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2466 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2467
2468 return 1;
2469}
2470
2471static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2472{
2473 SSL *serverssl = NULL, *clientssl = NULL;
2474 int i;
2475
2476 /* Test that we can resume with all the tickets we got given */
2477 for (i = 0; i < idx * 2; i++) {
2478 new_called = 0;
2479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2480 &clientssl, NULL, NULL))
2481 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2482 goto end;
2483
2484 SSL_set_post_handshake_auth(clientssl, 1);
2485
2486 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2487 SSL_ERROR_NONE)))
2488 goto end;
2489
2490 /*
2491 * Following a successful resumption we only get 1 ticket. After a
2492 * failed one we should get idx tickets.
2493 */
2494 if (succ) {
2495 if (!TEST_true(SSL_session_reused(clientssl))
2496 || !TEST_int_eq(new_called, 1))
2497 goto end;
2498 } else {
2499 if (!TEST_false(SSL_session_reused(clientssl))
2500 || !TEST_int_eq(new_called, idx))
2501 goto end;
2502 }
2503
2504 new_called = 0;
2505 /* After a post-handshake authentication we should get 1 new ticket */
2506 if (succ
2507 && (!post_handshake_verify(serverssl, clientssl)
2508 || !TEST_int_eq(new_called, 1)))
2509 goto end;
2510
2511 SSL_shutdown(clientssl);
2512 SSL_shutdown(serverssl);
2513 SSL_free(serverssl);
2514 SSL_free(clientssl);
2515 serverssl = clientssl = NULL;
2516 SSL_SESSION_free(sesscache[i]);
2517 sesscache[i] = NULL;
2518 }
2519
2520 return 1;
2521
2522 end:
2523 SSL_free(clientssl);
2524 SSL_free(serverssl);
2525 return 0;
2526}
2527
2528static int test_tickets(int stateful, int idx)
2529{
2530 SSL_CTX *sctx = NULL, *cctx = NULL;
2531 SSL *serverssl = NULL, *clientssl = NULL;
2532 int testresult = 0;
2533 size_t j;
2534
2535 /* idx is the test number, but also the number of tickets we want */
2536
2537 new_called = 0;
2538 do_cache = 1;
2539
2540 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2541 goto end;
2542
2543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2544 &clientssl, NULL, NULL)))
2545 goto end;
2546
2547 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2548 SSL_ERROR_NONE))
2549 /* Check we got the number of tickets we were expecting */
2550 || !TEST_int_eq(idx, new_called))
2551 goto end;
2552
2553 SSL_shutdown(clientssl);
2554 SSL_shutdown(serverssl);
2555 SSL_free(serverssl);
2556 SSL_free(clientssl);
2557 SSL_CTX_free(sctx);
2558 SSL_CTX_free(cctx);
2559 clientssl = serverssl = NULL;
2560 sctx = cctx = NULL;
2561
2562 /*
2563 * Now we try to resume with the tickets we previously created. The
2564 * resumption attempt is expected to fail (because we're now using a new
2565 * SSL_CTX). We should see idx number of tickets issued again.
2566 */
2567
2568 /* Stop caching sessions - just count them */
2569 do_cache = 0;
2570
2571 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2572 goto end;
2573
2574 if (!check_resumption(idx, sctx, cctx, 0))
2575 goto end;
2576
2577 /* Start again with caching sessions */
2578 new_called = 0;
2579 do_cache = 1;
2580 SSL_CTX_free(sctx);
2581 SSL_CTX_free(cctx);
2582 sctx = cctx = NULL;
2583
2584 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2585 goto end;
2586
2587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2588 &clientssl, NULL, NULL)))
2589 goto end;
2590
2591 SSL_set_post_handshake_auth(clientssl, 1);
2592
2593 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2594 SSL_ERROR_NONE))
2595 /* Check we got the number of tickets we were expecting */
2596 || !TEST_int_eq(idx, new_called))
2597 goto end;
2598
2599 /* After a post-handshake authentication we should get new tickets issued */
2600 if (!post_handshake_verify(serverssl, clientssl)
2601 || !TEST_int_eq(idx * 2, new_called))
2602 goto end;
2603
2604 SSL_shutdown(clientssl);
2605 SSL_shutdown(serverssl);
2606 SSL_free(serverssl);
2607 SSL_free(clientssl);
2608 serverssl = clientssl = NULL;
2609
2610 /* Stop caching sessions - just count them */
2611 do_cache = 0;
2612
2613 /*
2614 * Check we can resume with all the tickets we created. This time around the
2615 * resumptions should all be successful.
2616 */
2617 if (!check_resumption(idx, sctx, cctx, 1))
2618 goto end;
2619
2620 testresult = 1;
2621
2622 end:
2623 SSL_free(serverssl);
2624 SSL_free(clientssl);
2625 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2626 SSL_SESSION_free(sesscache[j]);
2627 sesscache[j] = NULL;
2628 }
2629 SSL_CTX_free(sctx);
2630 SSL_CTX_free(cctx);
2631
2632 return testresult;
2633}
2634
2635static int test_stateless_tickets(int idx)
2636{
2637 return test_tickets(0, idx);
2638}
2639
2640static int test_stateful_tickets(int idx)
2641{
2642 return test_tickets(1, idx);
2643}
2644
2645static int test_psk_tickets(void)
2646{
2647 SSL_CTX *sctx = NULL, *cctx = NULL;
2648 SSL *serverssl = NULL, *clientssl = NULL;
2649 int testresult = 0;
2650 int sess_id_ctx = 1;
2651
2652 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2653 TLS_client_method(), TLS1_VERSION, 0,
2654 &sctx, &cctx, NULL, NULL))
2655 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2656 (void *)&sess_id_ctx,
2657 sizeof(sess_id_ctx))))
2658 goto end;
2659
2660 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2661 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2662 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2663 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2664 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2665 use_session_cb_cnt = 0;
2666 find_session_cb_cnt = 0;
2667 srvid = pskid;
2668 new_called = 0;
2669
2670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2671 NULL, NULL)))
2672 goto end;
2673 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2674 if (!TEST_ptr(clientpsk))
2675 goto end;
2676 SSL_SESSION_up_ref(clientpsk);
2677
2678 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2679 SSL_ERROR_NONE))
2680 || !TEST_int_eq(1, find_session_cb_cnt)
2681 || !TEST_int_eq(1, use_session_cb_cnt)
2682 /* We should always get 1 ticket when using external PSK */
2683 || !TEST_int_eq(1, new_called))
2684 goto end;
2685
2686 testresult = 1;
2687
2688 end:
2689 SSL_free(serverssl);
2690 SSL_free(clientssl);
2691 SSL_CTX_free(sctx);
2692 SSL_CTX_free(cctx);
2693 SSL_SESSION_free(clientpsk);
2694 SSL_SESSION_free(serverpsk);
2695 clientpsk = serverpsk = NULL;
2696
2697 return testresult;
2698}
2699
2700static int test_extra_tickets(int idx)
2701{
2702 SSL_CTX *sctx = NULL, *cctx = NULL;
2703 SSL *serverssl = NULL, *clientssl = NULL;
2704 BIO *bretry = BIO_new(bio_s_always_retry());
2705 BIO *tmp = NULL;
2706 int testresult = 0;
2707 int stateful = 0;
2708 size_t nbytes;
2709 unsigned char c, buf[1];
2710
2711 new_called = 0;
2712 do_cache = 1;
2713
2714 if (idx >= 3) {
2715 idx -= 3;
2716 stateful = 1;
2717 }
2718
2719 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2720 goto end;
2721 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2722 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2723 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2724
2725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2726 &clientssl, NULL, NULL)))
2727 goto end;
2728
2729 /*
2730 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2731 * incremented by both client and server.
2732 */
2733 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2734 SSL_ERROR_NONE))
2735 /* Check we got the number of tickets we were expecting */
2736 || !TEST_int_eq(idx * 2, new_called)
2737 || !TEST_true(SSL_new_session_ticket(serverssl))
2738 || !TEST_true(SSL_new_session_ticket(serverssl))
2739 || !TEST_int_eq(idx * 2, new_called))
2740 goto end;
2741
2742 /* Now try a (real) write to actually send the tickets */
2743 c = '1';
2744 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2745 || !TEST_size_t_eq(1, nbytes)
2746 || !TEST_int_eq(idx * 2 + 2, new_called)
2747 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2748 || !TEST_int_eq(idx * 2 + 4, new_called)
2749 || !TEST_int_eq(sizeof(buf), nbytes)
2750 || !TEST_int_eq(c, buf[0])
2751 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2752 goto end;
2753
2754 /* Try with only requesting one new ticket, too */
2755 c = '2';
2756 new_called = 0;
2757 if (!TEST_true(SSL_new_session_ticket(serverssl))
2758 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2759 || !TEST_size_t_eq(sizeof(c), nbytes)
2760 || !TEST_int_eq(1, new_called)
2761 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2762 || !TEST_int_eq(2, new_called)
2763 || !TEST_size_t_eq(sizeof(buf), nbytes)
2764 || !TEST_int_eq(c, buf[0]))
2765 goto end;
2766
2767 /* Do it again but use dummy writes to drive the ticket generation */
2768 c = '3';
2769 new_called = 0;
2770 if (!TEST_true(SSL_new_session_ticket(serverssl))
2771 || !TEST_true(SSL_new_session_ticket(serverssl))
2772 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2773 || !TEST_size_t_eq(0, nbytes)
2774 || !TEST_int_eq(2, new_called)
2775 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2776 || !TEST_int_eq(4, new_called))
2777 goto end;
2778
2779 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2780 c = '4';
2781 new_called = 0;
2782 if (!TEST_true(SSL_new_session_ticket(serverssl))
2783 || !TEST_true(SSL_new_session_ticket(serverssl))
2784 || !TEST_true(SSL_do_handshake(serverssl))
2785 || !TEST_int_eq(2, new_called)
2786 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2787 || !TEST_int_eq(4, new_called))
2788 goto end;
2789
2790 /*
2791 * Use the always-retry BIO to exercise the logic that forces ticket
2792 * generation to wait until a record boundary.
2793 */
2794 c = '5';
2795 new_called = 0;
2796 tmp = SSL_get_wbio(serverssl);
2797 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2798 tmp = NULL;
2799 goto end;
2800 }
2801 SSL_set0_wbio(serverssl, bretry);
2802 bretry = NULL;
2803 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2804 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2805 || !TEST_size_t_eq(nbytes, 0))
2806 goto end;
2807 /* Restore a BIO that will let the write succeed */
2808 SSL_set0_wbio(serverssl, tmp);
2809 tmp = NULL;
2810 /*
2811 * These calls should just queue the request and not send anything
2812 * even if we explicitly try to hit the state machine.
2813 */
2814 if (!TEST_true(SSL_new_session_ticket(serverssl))
2815 || !TEST_true(SSL_new_session_ticket(serverssl))
2816 || !TEST_int_eq(0, new_called)
2817 || !TEST_true(SSL_do_handshake(serverssl))
2818 || !TEST_int_eq(0, new_called))
2819 goto end;
2820 /* Re-do the write; still no tickets sent */
2821 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2822 || !TEST_size_t_eq(1, nbytes)
2823 || !TEST_int_eq(0, new_called)
2824 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2825 || !TEST_int_eq(0, new_called)
2826 || !TEST_int_eq(sizeof(buf), nbytes)
2827 || !TEST_int_eq(c, buf[0])
2828 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2829 goto end;
2830 /* Even trying to hit the state machine now will still not send tickets */
2831 if (!TEST_true(SSL_do_handshake(serverssl))
2832 || !TEST_int_eq(0, new_called))
2833 goto end;
2834 /* Now the *next* write should send the tickets */
2835 c = '6';
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(2, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(4, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2844 goto end;
2845
2846 SSL_shutdown(clientssl);
2847 SSL_shutdown(serverssl);
2848 testresult = 1;
2849
2850 end:
2851 BIO_free(bretry);
2852 BIO_free(tmp);
2853 SSL_free(serverssl);
2854 SSL_free(clientssl);
2855 SSL_CTX_free(sctx);
2856 SSL_CTX_free(cctx);
2857 clientssl = serverssl = NULL;
2858 sctx = cctx = NULL;
2859 return testresult;
2860}
2861#endif
2862
2863#define USE_NULL 0
2864#define USE_BIO_1 1
2865#define USE_BIO_2 2
2866#define USE_DEFAULT 3
2867
2868#define CONNTYPE_CONNECTION_SUCCESS 0
2869#define CONNTYPE_CONNECTION_FAIL 1
2870#define CONNTYPE_NO_CONNECTION 2
2871
2872#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2873#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2874#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2875# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2876#else
2877# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2878#endif
2879
2880#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2881 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2882 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2883
2884static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2885{
2886 switch (type) {
2887 case USE_NULL:
2888 *res = NULL;
2889 break;
2890 case USE_BIO_1:
2891 *res = bio1;
2892 break;
2893 case USE_BIO_2:
2894 *res = bio2;
2895 break;
2896 }
2897}
2898
2899
2900/*
2901 * Tests calls to SSL_set_bio() under various conditions.
2902 *
2903 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2904 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2905 * then do more tests where we create a successful connection first using our
2906 * standard connection setup functions, and then call SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL. We then repeat these tests
2908 * following a failed connection. In this last case we are looking to check that
2909 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2910 */
2911static int test_ssl_set_bio(int idx)
2912{
2913 SSL_CTX *sctx = NULL, *cctx = NULL;
2914 BIO *bio1 = NULL;
2915 BIO *bio2 = NULL;
2916 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2917 SSL *serverssl = NULL, *clientssl = NULL;
2918 int initrbio, initwbio, newrbio, newwbio, conntype;
2919 int testresult = 0;
2920
2921 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2922 initrbio = idx % 3;
2923 idx /= 3;
2924 initwbio = idx % 3;
2925 idx /= 3;
2926 newrbio = idx % 3;
2927 idx /= 3;
2928 newwbio = idx % 3;
2929 conntype = CONNTYPE_NO_CONNECTION;
2930 } else {
2931 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2932 initrbio = initwbio = USE_DEFAULT;
2933 newrbio = idx % 2;
2934 idx /= 2;
2935 newwbio = idx % 2;
2936 idx /= 2;
2937 conntype = idx % 2;
2938 }
2939
2940 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2941 TLS_client_method(), TLS1_VERSION, 0,
2942 &sctx, &cctx, cert, privkey)))
2943 goto end;
2944
2945 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2946 /*
2947 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2948 * because we reduced the number of tests in the definition of
2949 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2950 * mismatched protocol versions we will force a connection failure.
2951 */
2952 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2953 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2954 }
2955
2956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2957 NULL, NULL)))
2958 goto end;
2959
2960 if (initrbio == USE_BIO_1
2961 || initwbio == USE_BIO_1
2962 || newrbio == USE_BIO_1
2963 || newwbio == USE_BIO_1) {
2964 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2965 goto end;
2966 }
2967
2968 if (initrbio == USE_BIO_2
2969 || initwbio == USE_BIO_2
2970 || newrbio == USE_BIO_2
2971 || newwbio == USE_BIO_2) {
2972 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2973 goto end;
2974 }
2975
2976 if (initrbio != USE_DEFAULT) {
2977 setupbio(&irbio, bio1, bio2, initrbio);
2978 setupbio(&iwbio, bio1, bio2, initwbio);
2979 SSL_set_bio(clientssl, irbio, iwbio);
2980
2981 /*
2982 * We want to maintain our own refs to these BIO, so do an up ref for
2983 * each BIO that will have ownership transferred in the SSL_set_bio()
2984 * call
2985 */
2986 if (irbio != NULL)
2987 BIO_up_ref(irbio);
2988 if (iwbio != NULL && iwbio != irbio)
2989 BIO_up_ref(iwbio);
2990 }
2991
2992 if (conntype != CONNTYPE_NO_CONNECTION
2993 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2994 SSL_ERROR_NONE)
2995 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2996 goto end;
2997
2998 setupbio(&nrbio, bio1, bio2, newrbio);
2999 setupbio(&nwbio, bio1, bio2, newwbio);
3000
3001 /*
3002 * We will (maybe) transfer ownership again so do more up refs.
3003 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3004 * already been set!
3005 */
3006 if (nrbio != NULL
3007 && nrbio != irbio
3008 && (nwbio != iwbio || nrbio != nwbio))
3009 BIO_up_ref(nrbio);
3010 if (nwbio != NULL
3011 && nwbio != nrbio
3012 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3013 BIO_up_ref(nwbio);
3014
3015 SSL_set_bio(clientssl, nrbio, nwbio);
3016
3017 testresult = 1;
3018
3019 end:
3020 BIO_free(bio1);
3021 BIO_free(bio2);
3022
3023 /*
3024 * This test is checking that the ref counting for SSL_set_bio is correct.
3025 * If we get here and we did too many frees then we will fail in the above
3026 * functions.
3027 */
3028 SSL_free(serverssl);
3029 SSL_free(clientssl);
3030 SSL_CTX_free(sctx);
3031 SSL_CTX_free(cctx);
3032 return testresult;
3033}
3034
3035typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3036
3037static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3038{
3039 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3040 SSL_CTX *ctx;
3041 SSL *ssl = NULL;
3042 int testresult = 0;
3043
3044 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3045 || !TEST_ptr(ssl = SSL_new(ctx))
3046 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3047 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3048 goto end;
3049
3050 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3051
3052 /*
3053 * If anything goes wrong here then we could leak memory.
3054 */
3055 BIO_push(sslbio, membio1);
3056
3057 /* Verify changing the rbio/wbio directly does not cause leaks */
3058 if (change_bio != NO_BIO_CHANGE) {
3059 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3060 ssl = NULL;
3061 goto end;
3062 }
3063 if (change_bio == CHANGE_RBIO)
3064 SSL_set0_rbio(ssl, membio2);
3065 else
3066 SSL_set0_wbio(ssl, membio2);
3067 }
3068 ssl = NULL;
3069
3070 if (pop_ssl)
3071 BIO_pop(sslbio);
3072 else
3073 BIO_pop(membio1);
3074
3075 testresult = 1;
3076 end:
3077 BIO_free(membio1);
3078 BIO_free(sslbio);
3079 SSL_free(ssl);
3080 SSL_CTX_free(ctx);
3081
3082 return testresult;
3083}
3084
3085static int test_ssl_bio_pop_next_bio(void)
3086{
3087 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3088}
3089
3090static int test_ssl_bio_pop_ssl_bio(void)
3091{
3092 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3093}
3094
3095static int test_ssl_bio_change_rbio(void)
3096{
3097 return execute_test_ssl_bio(0, CHANGE_RBIO);
3098}
3099
3100static int test_ssl_bio_change_wbio(void)
3101{
3102 return execute_test_ssl_bio(0, CHANGE_WBIO);
3103}
3104
3105#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3106typedef struct {
3107 /* The list of sig algs */
3108 const int *list;
3109 /* The length of the list */
3110 size_t listlen;
3111 /* A sigalgs list in string format */
3112 const char *liststr;
3113 /* Whether setting the list should succeed */
3114 int valid;
3115 /* Whether creating a connection with the list should succeed */
3116 int connsuccess;
3117} sigalgs_list;
3118
3119static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3120# ifndef OPENSSL_NO_EC
3121static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3122static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3123# endif
3124static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3125static const int invalidlist2[] = {NID_sha256, NID_undef};
3126static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3127static const int invalidlist4[] = {NID_sha256};
3128static const sigalgs_list testsigalgs[] = {
3129 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3130# ifndef OPENSSL_NO_EC
3131 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3132 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3133# endif
3134 {NULL, 0, "RSA+SHA256", 1, 1},
3135# ifndef OPENSSL_NO_EC
3136 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3137 {NULL, 0, "ECDSA+SHA512", 1, 0},
3138# endif
3139 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3140 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3141 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3142 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3143 {NULL, 0, "RSA", 0, 0},
3144 {NULL, 0, "SHA256", 0, 0},
3145 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3146 {NULL, 0, "Invalid", 0, 0}
3147};
3148
3149static int test_set_sigalgs(int idx)
3150{
3151 SSL_CTX *cctx = NULL, *sctx = NULL;
3152 SSL *clientssl = NULL, *serverssl = NULL;
3153 int testresult = 0;
3154 const sigalgs_list *curr;
3155 int testctx;
3156
3157 /* Should never happen */
3158 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3159 return 0;
3160
3161 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3162 curr = testctx ? &testsigalgs[idx]
3163 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3164
3165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3166 TLS_client_method(), TLS1_VERSION, 0,
3167 &sctx, &cctx, cert, privkey)))
3168 return 0;
3169
3170 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3171
3172 if (testctx) {
3173 int ret;
3174
3175 if (curr->list != NULL)
3176 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3177 else
3178 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3179
3180 if (!ret) {
3181 if (curr->valid)
3182 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3183 else
3184 testresult = 1;
3185 goto end;
3186 }
3187 if (!curr->valid) {
3188 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3189 goto end;
3190 }
3191 }
3192
3193 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3194 &clientssl, NULL, NULL)))
3195 goto end;
3196
3197 if (!testctx) {
3198 int ret;
3199
3200 if (curr->list != NULL)
3201 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3202 else
3203 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3204 if (!ret) {
3205 if (curr->valid)
3206 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3207 else
3208 testresult = 1;
3209 goto end;
3210 }
3211 if (!curr->valid)
3212 goto end;
3213 }
3214
3215 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3216 SSL_ERROR_NONE),
3217 curr->connsuccess))
3218 goto end;
3219
3220 testresult = 1;
3221
3222 end:
3223 SSL_free(serverssl);
3224 SSL_free(clientssl);
3225 SSL_CTX_free(sctx);
3226 SSL_CTX_free(cctx);
3227
3228 return testresult;
3229}
3230#endif
3231
3232#ifndef OSSL_NO_USABLE_TLS1_3
3233static int psk_client_cb_cnt = 0;
3234static int psk_server_cb_cnt = 0;
3235
3236static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3237 size_t *idlen, SSL_SESSION **sess)
3238{
3239 switch (++use_session_cb_cnt) {
3240 case 1:
3241 /* The first call should always have a NULL md */
3242 if (md != NULL)
3243 return 0;
3244 break;
3245
3246 case 2:
3247 /* The second call should always have an md */
3248 if (md == NULL)
3249 return 0;
3250 break;
3251
3252 default:
3253 /* We should only be called a maximum of twice */
3254 return 0;
3255 }
3256
3257 if (clientpsk != NULL)
3258 SSL_SESSION_up_ref(clientpsk);
3259
3260 *sess = clientpsk;
3261 *id = (const unsigned char *)pskid;
3262 *idlen = strlen(pskid);
3263
3264 return 1;
3265}
3266
3267#ifndef OPENSSL_NO_PSK
3268static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3269 unsigned int max_id_len,
3270 unsigned char *psk,
3271 unsigned int max_psk_len)
3272{
3273 unsigned int psklen = 0;
3274
3275 psk_client_cb_cnt++;
3276
3277 if (strlen(pskid) + 1 > max_id_len)
3278 return 0;
3279
3280 /* We should only ever be called a maximum of twice per connection */
3281 if (psk_client_cb_cnt > 2)
3282 return 0;
3283
3284 if (clientpsk == NULL)
3285 return 0;
3286
3287 /* We'll reuse the PSK we set up for TLSv1.3 */
3288 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3289 return 0;
3290 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3291 strncpy(id, pskid, max_id_len);
3292
3293 return psklen;
3294}
3295#endif /* OPENSSL_NO_PSK */
3296
3297static int find_session_cb(SSL *ssl, const unsigned char *identity,
3298 size_t identity_len, SSL_SESSION **sess)
3299{
3300 find_session_cb_cnt++;
3301
3302 /* We should only ever be called a maximum of twice per connection */
3303 if (find_session_cb_cnt > 2)
3304 return 0;
3305
3306 if (serverpsk == NULL)
3307 return 0;
3308
3309 /* Identity should match that set by the client */
3310 if (strlen(srvid) != identity_len
3311 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3312 /* No PSK found, continue but without a PSK */
3313 *sess = NULL;
3314 return 1;
3315 }
3316
3317 SSL_SESSION_up_ref(serverpsk);
3318 *sess = serverpsk;
3319
3320 return 1;
3321}
3322
3323#ifndef OPENSSL_NO_PSK
3324static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3325 unsigned char *psk, unsigned int max_psk_len)
3326{
3327 unsigned int psklen = 0;
3328
3329 psk_server_cb_cnt++;
3330
3331 /* We should only ever be called a maximum of twice per connection */
3332 if (find_session_cb_cnt > 2)
3333 return 0;
3334
3335 if (serverpsk == NULL)
3336 return 0;
3337
3338 /* Identity should match that set by the client */
3339 if (strcmp(srvid, identity) != 0) {
3340 return 0;
3341 }
3342
3343 /* We'll reuse the PSK we set up for TLSv1.3 */
3344 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3345 return 0;
3346 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3347
3348 return psklen;
3349}
3350#endif /* OPENSSL_NO_PSK */
3351
3352#define MSG1 "Hello"
3353#define MSG2 "World."
3354#define MSG3 "This"
3355#define MSG4 "is"
3356#define MSG5 "a"
3357#define MSG6 "test"
3358#define MSG7 "message."
3359
3360#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3361#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3362#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3363#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3364#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3365
3366
3367static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3368{
3369 const SSL_CIPHER *cipher = NULL;
3370 const unsigned char key[] = {
3371 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3372 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3373 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3374 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3375 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3376 };
3377 SSL_SESSION *sess = NULL;
3378
3379 if (mdsize == SHA384_DIGEST_LENGTH) {
3380 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3381 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3382 /*
3383 * Any ciphersuite using SHA256 will do - it will be compatible with
3384 * the actual ciphersuite selected as long as it too is based on SHA256
3385 */
3386 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3387 } else {
3388 /* Should not happen */
3389 return NULL;
3390 }
3391 sess = SSL_SESSION_new();
3392 if (!TEST_ptr(sess)
3393 || !TEST_ptr(cipher)
3394 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3395 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3396 || !TEST_true(
3397 SSL_SESSION_set_protocol_version(sess,
3398 TLS1_3_VERSION))) {
3399 SSL_SESSION_free(sess);
3400 return NULL;
3401 }
3402 return sess;
3403}
3404
3405/*
3406 * Helper method to setup objects for early data test. Caller frees objects on
3407 * error.
3408 */
3409static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3410 SSL **serverssl, SSL_SESSION **sess, int idx,
3411 size_t mdsize)
3412{
3413 if (*sctx == NULL
3414 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3415 TLS_client_method(),
3416 TLS1_VERSION, 0,
3417 sctx, cctx, cert, privkey)))
3418 return 0;
3419
3420 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3421 return 0;
3422
3423 if (idx == 1) {
3424 /* When idx == 1 we repeat the tests with read_ahead set */
3425 SSL_CTX_set_read_ahead(*cctx, 1);
3426 SSL_CTX_set_read_ahead(*sctx, 1);
3427 } else if (idx == 2) {
3428 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3429 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3430 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3431 use_session_cb_cnt = 0;
3432 find_session_cb_cnt = 0;
3433 srvid = pskid;
3434 }
3435
3436 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3437 NULL, NULL)))
3438 return 0;
3439
3440 /*
3441 * For one of the run throughs (doesn't matter which one), we'll try sending
3442 * some SNI data in the initial ClientHello. This will be ignored (because
3443 * there is no SNI cb set up by the server), so it should not impact
3444 * early_data.
3445 */
3446 if (idx == 1
3447 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3448 return 0;
3449
3450 if (idx == 2) {
3451 clientpsk = create_a_psk(*clientssl, mdsize);
3452 if (!TEST_ptr(clientpsk)
3453 /*
3454 * We just choose an arbitrary value for max_early_data which
3455 * should be big enough for testing purposes.
3456 */
3457 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3458 0x100))
3459 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 clientpsk = NULL;
3462 return 0;
3463 }
3464 serverpsk = clientpsk;
3465
3466 if (sess != NULL) {
3467 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3468 SSL_SESSION_free(clientpsk);
3469 SSL_SESSION_free(serverpsk);
3470 clientpsk = serverpsk = NULL;
3471 return 0;
3472 }
3473 *sess = clientpsk;
3474 }
3475 return 1;
3476 }
3477
3478 if (sess == NULL)
3479 return 1;
3480
3481 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3482 SSL_ERROR_NONE)))
3483 return 0;
3484
3485 *sess = SSL_get1_session(*clientssl);
3486 SSL_shutdown(*clientssl);
3487 SSL_shutdown(*serverssl);
3488 SSL_free(*serverssl);
3489 SSL_free(*clientssl);
3490 *serverssl = *clientssl = NULL;
3491
3492 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3493 clientssl, NULL, NULL))
3494 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3495 return 0;
3496
3497 return 1;
3498}
3499
3500static int test_early_data_read_write(int idx)
3501{
3502 SSL_CTX *cctx = NULL, *sctx = NULL;
3503 SSL *clientssl = NULL, *serverssl = NULL;
3504 int testresult = 0;
3505 SSL_SESSION *sess = NULL;
3506 unsigned char buf[20], data[1024];
3507 size_t readbytes, written, eoedlen, rawread, rawwritten;
3508 BIO *rbio;
3509
3510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3511 &serverssl, &sess, idx,
3512 SHA384_DIGEST_LENGTH)))
3513 goto end;
3514
3515 /* Write and read some early data */
3516 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3517 &written))
3518 || !TEST_size_t_eq(written, strlen(MSG1))
3519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3520 sizeof(buf), &readbytes),
3521 SSL_READ_EARLY_DATA_SUCCESS)
3522 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3523 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3524 SSL_EARLY_DATA_ACCEPTED))
3525 goto end;
3526
3527 /*
3528 * Server should be able to write data, and client should be able to
3529 * read it.
3530 */
3531 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3532 &written))
3533 || !TEST_size_t_eq(written, strlen(MSG2))
3534 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3535 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3536 goto end;
3537
3538 /* Even after reading normal data, client should be able write early data */
3539 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3540 &written))
3541 || !TEST_size_t_eq(written, strlen(MSG3)))
3542 goto end;
3543
3544 /* Server should still be able read early data after writing data */
3545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3546 &readbytes),
3547 SSL_READ_EARLY_DATA_SUCCESS)
3548 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3549 goto end;
3550
3551 /* Write more data from server and read it from client */
3552 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3553 &written))
3554 || !TEST_size_t_eq(written, strlen(MSG4))
3555 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3556 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3557 goto end;
3558
3559 /*
3560 * If client writes normal data it should mean writing early data is no
3561 * longer possible.
3562 */
3563 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3564 || !TEST_size_t_eq(written, strlen(MSG5))
3565 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3566 SSL_EARLY_DATA_ACCEPTED))
3567 goto end;
3568
3569 /*
3570 * At this point the client has written EndOfEarlyData, ClientFinished and
3571 * normal (fully protected) data. We are going to cause a delay between the
3572 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3573 * in the read BIO, and then just put back the EndOfEarlyData message.
3574 */
3575 rbio = SSL_get_rbio(serverssl);
3576 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3577 || !TEST_size_t_lt(rawread, sizeof(data))
3578 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3579 goto end;
3580
3581 /* Record length is in the 4th and 5th bytes of the record header */
3582 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3583 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3584 || !TEST_size_t_eq(rawwritten, eoedlen))
3585 goto end;
3586
3587 /* Server should be told that there is no more early data */
3588 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3589 &readbytes),
3590 SSL_READ_EARLY_DATA_FINISH)
3591 || !TEST_size_t_eq(readbytes, 0))
3592 goto end;
3593
3594 /*
3595 * Server has not finished init yet, so should still be able to write early
3596 * data.
3597 */
3598 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3599 &written))
3600 || !TEST_size_t_eq(written, strlen(MSG6)))
3601 goto end;
3602
3603 /* Push the ClientFinished and the normal data back into the server rbio */
3604 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3605 &rawwritten))
3606 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3607 goto end;
3608
3609 /* Server should be able to read normal data */
3610 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3611 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3612 goto end;
3613
3614 /* Client and server should not be able to write/read early data now */
3615 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3616 &written)))
3617 goto end;
3618 ERR_clear_error();
3619 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3620 &readbytes),
3621 SSL_READ_EARLY_DATA_ERROR))
3622 goto end;
3623 ERR_clear_error();
3624
3625 /* Client should be able to read the data sent by the server */
3626 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3627 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3628 goto end;
3629
3630 /*
3631 * Make sure we process the two NewSessionTickets. These arrive
3632 * post-handshake. We attempt reads which we do not expect to return any
3633 * data.
3634 */
3635 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3636 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3637 &readbytes)))
3638 goto end;
3639
3640 /* Server should be able to write normal data */
3641 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3642 || !TEST_size_t_eq(written, strlen(MSG7))
3643 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3644 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3645 goto end;
3646
3647 SSL_SESSION_free(sess);
3648 sess = SSL_get1_session(clientssl);
3649 use_session_cb_cnt = 0;
3650 find_session_cb_cnt = 0;
3651
3652 SSL_shutdown(clientssl);
3653 SSL_shutdown(serverssl);
3654 SSL_free(serverssl);
3655 SSL_free(clientssl);
3656 serverssl = clientssl = NULL;
3657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3658 &clientssl, NULL, NULL))
3659 || !TEST_true(SSL_set_session(clientssl, sess)))
3660 goto end;
3661
3662 /* Write and read some early data */
3663 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3664 &written))
3665 || !TEST_size_t_eq(written, strlen(MSG1))
3666 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3667 &readbytes),
3668 SSL_READ_EARLY_DATA_SUCCESS)
3669 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3670 goto end;
3671
3672 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3673 || !TEST_int_gt(SSL_accept(serverssl), 0))
3674 goto end;
3675
3676 /* Client and server should not be able to write/read early data now */
3677 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3678 &written)))
3679 goto end;
3680 ERR_clear_error();
3681 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3682 &readbytes),
3683 SSL_READ_EARLY_DATA_ERROR))
3684 goto end;
3685 ERR_clear_error();
3686
3687 /* Client and server should be able to write/read normal data */
3688 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3689 || !TEST_size_t_eq(written, strlen(MSG5))
3690 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3692 goto end;
3693
3694 testresult = 1;
3695
3696 end:
3697 SSL_SESSION_free(sess);
3698 SSL_SESSION_free(clientpsk);
3699 SSL_SESSION_free(serverpsk);
3700 clientpsk = serverpsk = NULL;
3701 SSL_free(serverssl);
3702 SSL_free(clientssl);
3703 SSL_CTX_free(sctx);
3704 SSL_CTX_free(cctx);
3705 return testresult;
3706}
3707
3708static int allow_ed_cb_called = 0;
3709
3710static int allow_early_data_cb(SSL *s, void *arg)
3711{
3712 int *usecb = (int *)arg;
3713
3714 allow_ed_cb_called++;
3715
3716 if (*usecb == 1)
3717 return 0;
3718
3719 return 1;
3720}
3721
3722/*
3723 * idx == 0: Standard early_data setup
3724 * idx == 1: early_data setup using read_ahead
3725 * usecb == 0: Don't use a custom early data callback
3726 * usecb == 1: Use a custom early data callback and reject the early data
3727 * usecb == 2: Use a custom early data callback and accept the early data
3728 * confopt == 0: Configure anti-replay directly
3729 * confopt == 1: Configure anti-replay using SSL_CONF
3730 */
3731static int test_early_data_replay_int(int idx, int usecb, int confopt)
3732{
3733 SSL_CTX *cctx = NULL, *sctx = NULL;
3734 SSL *clientssl = NULL, *serverssl = NULL;
3735 int testresult = 0;
3736 SSL_SESSION *sess = NULL;
3737 size_t readbytes, written;
3738 unsigned char buf[20];
3739
3740 allow_ed_cb_called = 0;
3741
3742 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3743 TLS_client_method(), TLS1_VERSION, 0,
3744 &sctx, &cctx, cert, privkey)))
3745 return 0;
3746
3747 if (usecb > 0) {
3748 if (confopt == 0) {
3749 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3750 } else {
3751 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3752
3753 if (!TEST_ptr(confctx))
3754 goto end;
3755 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3756 | SSL_CONF_FLAG_SERVER);
3757 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3758 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3759 2)) {
3760 SSL_CONF_CTX_free(confctx);
3761 goto end;
3762 }
3763 SSL_CONF_CTX_free(confctx);
3764 }
3765 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3766 }
3767
3768 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3769 &serverssl, &sess, idx,
3770 SHA384_DIGEST_LENGTH)))
3771 goto end;
3772
3773 /*
3774 * The server is configured to accept early data. Create a connection to
3775 * "use up" the ticket
3776 */
3777 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3778 || !TEST_true(SSL_session_reused(clientssl)))
3779 goto end;
3780
3781 SSL_shutdown(clientssl);
3782 SSL_shutdown(serverssl);
3783 SSL_free(serverssl);
3784 SSL_free(clientssl);
3785 serverssl = clientssl = NULL;
3786
3787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3788 &clientssl, NULL, NULL))
3789 || !TEST_true(SSL_set_session(clientssl, sess)))
3790 goto end;
3791
3792 /* Write and read some early data */
3793 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3794 &written))
3795 || !TEST_size_t_eq(written, strlen(MSG1)))
3796 goto end;
3797
3798 if (usecb <= 1) {
3799 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3800 &readbytes),
3801 SSL_READ_EARLY_DATA_FINISH)
3802 /*
3803 * The ticket was reused, so the we should have rejected the
3804 * early data
3805 */
3806 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3807 SSL_EARLY_DATA_REJECTED))
3808 goto end;
3809 } else {
3810 /* In this case the callback decides to accept the early data */
3811 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3812 &readbytes),
3813 SSL_READ_EARLY_DATA_SUCCESS)
3814 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3815 /*
3816 * Server will have sent its flight so client can now send
3817 * end of early data and complete its half of the handshake
3818 */
3819 || !TEST_int_gt(SSL_connect(clientssl), 0)
3820 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3821 &readbytes),
3822 SSL_READ_EARLY_DATA_FINISH)
3823 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3824 SSL_EARLY_DATA_ACCEPTED))
3825 goto end;
3826 }
3827
3828 /* Complete the connection */
3829 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3830 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3831 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3832 goto end;
3833
3834 testresult = 1;
3835
3836 end:
3837 SSL_SESSION_free(sess);
3838 SSL_SESSION_free(clientpsk);
3839 SSL_SESSION_free(serverpsk);
3840 clientpsk = serverpsk = NULL;
3841 SSL_free(serverssl);
3842 SSL_free(clientssl);
3843 SSL_CTX_free(sctx);
3844 SSL_CTX_free(cctx);
3845 return testresult;
3846}
3847
3848static int test_early_data_replay(int idx)
3849{
3850 int ret = 1, usecb, confopt;
3851
3852 for (usecb = 0; usecb < 3; usecb++) {
3853 for (confopt = 0; confopt < 2; confopt++)
3854 ret &= test_early_data_replay_int(idx, usecb, confopt);
3855 }
3856
3857 return ret;
3858}
3859
3860static const char *ciphersuites[] = {
3861 "TLS_AES_128_CCM_8_SHA256",
3862 "TLS_AES_128_GCM_SHA256",
3863 "TLS_AES_256_GCM_SHA384",
3864 "TLS_AES_128_CCM_SHA256",
3865#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3866 "TLS_CHACHA20_POLY1305_SHA256"
3867#endif
3868};
3869
3870/*
3871 * Helper function to test that a server attempting to read early data can
3872 * handle a connection from a client where the early data should be skipped.
3873 * testtype: 0 == No HRR
3874 * testtype: 1 == HRR
3875 * testtype: 2 == HRR, invalid early_data sent after HRR
3876 * testtype: 3 == recv_max_early_data set to 0
3877 */
3878static int early_data_skip_helper(int testtype, int cipher, int idx)
3879{
3880 SSL_CTX *cctx = NULL, *sctx = NULL;
3881 SSL *clientssl = NULL, *serverssl = NULL;
3882 int testresult = 0;
3883 SSL_SESSION *sess = NULL;
3884 unsigned char buf[20];
3885 size_t readbytes, written;
3886
3887 if (is_fips && cipher == 4)
3888 return 1;
3889
3890 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3891 TLS_client_method(),
3892 TLS1_VERSION, 0,
3893 &sctx, &cctx, cert, privkey)))
3894 goto end;
3895
3896 if (cipher == 0) {
3897 SSL_CTX_set_security_level(sctx, 0);
3898 SSL_CTX_set_security_level(cctx, 0);
3899 }
3900
3901 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3902 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3903 goto end;
3904
3905 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3906 &serverssl, &sess, idx,
3907 cipher == 2 ? SHA384_DIGEST_LENGTH
3908 : SHA256_DIGEST_LENGTH)))
3909 goto end;
3910
3911 if (testtype == 1 || testtype == 2) {
3912 /* Force an HRR to occur */
3913#if defined(OPENSSL_NO_EC)
3914 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3915 goto end;
3916#else
3917 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3918 goto end;
3919#endif
3920 } else if (idx == 2) {
3921 /*
3922 * We force early_data rejection by ensuring the PSK identity is
3923 * unrecognised
3924 */
3925 srvid = "Dummy Identity";
3926 } else {
3927 /*
3928 * Deliberately corrupt the creation time. We take 20 seconds off the
3929 * time. It could be any value as long as it is not within tolerance.
3930 * This should mean the ticket is rejected.
3931 */
3932 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3933 goto end;
3934 }
3935
3936 if (testtype == 3
3937 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3938 goto end;
3939
3940 /* Write some early data */
3941 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3942 &written))
3943 || !TEST_size_t_eq(written, strlen(MSG1)))
3944 goto end;
3945
3946 /* Server should reject the early data */
3947 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3948 &readbytes),
3949 SSL_READ_EARLY_DATA_FINISH)
3950 || !TEST_size_t_eq(readbytes, 0)
3951 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3952 SSL_EARLY_DATA_REJECTED))
3953 goto end;
3954
3955 switch (testtype) {
3956 case 0:
3957 /* Nothing to do */
3958 break;
3959
3960 case 1:
3961 /*
3962 * Finish off the handshake. We perform the same writes and reads as
3963 * further down but we expect them to fail due to the incomplete
3964 * handshake.
3965 */
3966 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3967 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3968 &readbytes)))
3969 goto end;
3970 break;
3971
3972 case 2:
3973 {
3974 BIO *wbio = SSL_get_wbio(clientssl);
3975 /* A record that will appear as bad early_data */
3976 const unsigned char bad_early_data[] = {
3977 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3978 };
3979
3980 /*
3981 * We force the client to attempt a write. This will fail because
3982 * we're still in the handshake. It will cause the second
3983 * ClientHello to be sent.
3984 */
3985 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3986 &written)))
3987 goto end;
3988
3989 /*
3990 * Inject some early_data after the second ClientHello. This should
3991 * cause the server to fail
3992 */
3993 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3994 sizeof(bad_early_data), &written)))
3995 goto end;
3996 }
3997 /* fallthrough */
3998
3999 case 3:
4000 /*
4001 * This client has sent more early_data than we are willing to skip
4002 * (case 3) or sent invalid early_data (case 2) so the connection should
4003 * abort.
4004 */
4005 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4006 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4007 goto end;
4008
4009 /* Connection has failed - nothing more to do */
4010 testresult = 1;
4011 goto end;
4012
4013 default:
4014 TEST_error("Invalid test type");
4015 goto end;
4016 }
4017
4018 ERR_clear_error();
4019 /*
4020 * Should be able to send normal data despite rejection of early data. The
4021 * early_data should be skipped.
4022 */
4023 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4024 || !TEST_size_t_eq(written, strlen(MSG2))
4025 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4026 SSL_EARLY_DATA_REJECTED)
4027 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4028 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4029 goto end;
4030
4031 /*
4032 * Failure to decrypt early data records should not leave spurious errors
4033 * on the error stack
4034 */
4035 if (!TEST_long_eq(ERR_peek_error(), 0))
4036 goto end;
4037
4038 testresult = 1;
4039
4040 end:
4041 SSL_SESSION_free(clientpsk);
4042 SSL_SESSION_free(serverpsk);
4043 clientpsk = serverpsk = NULL;
4044 SSL_SESSION_free(sess);
4045 SSL_free(serverssl);
4046 SSL_free(clientssl);
4047 SSL_CTX_free(sctx);
4048 SSL_CTX_free(cctx);
4049 return testresult;
4050}
4051
4052/*
4053 * Test that a server attempting to read early data can handle a connection
4054 * from a client where the early data is not acceptable.
4055 */
4056static int test_early_data_skip(int idx)
4057{
4058 return early_data_skip_helper(0,
4059 idx % OSSL_NELEM(ciphersuites),
4060 idx / OSSL_NELEM(ciphersuites));
4061}
4062
4063/*
4064 * Test that a server attempting to read early data can handle a connection
4065 * from a client where an HRR occurs.
4066 */
4067static int test_early_data_skip_hrr(int idx)
4068{
4069 return early_data_skip_helper(1,
4070 idx % OSSL_NELEM(ciphersuites),
4071 idx / OSSL_NELEM(ciphersuites));
4072}
4073
4074/*
4075 * Test that a server attempting to read early data can handle a connection
4076 * from a client where an HRR occurs and correctly fails if early_data is sent
4077 * after the HRR
4078 */
4079static int test_early_data_skip_hrr_fail(int idx)
4080{
4081 return early_data_skip_helper(2,
4082 idx % OSSL_NELEM(ciphersuites),
4083 idx / OSSL_NELEM(ciphersuites));
4084}
4085
4086/*
4087 * Test that a server attempting to read early data will abort if it tries to
4088 * skip over too much.
4089 */
4090static int test_early_data_skip_abort(int idx)
4091{
4092 return early_data_skip_helper(3,
4093 idx % OSSL_NELEM(ciphersuites),
4094 idx / OSSL_NELEM(ciphersuites));
4095}
4096
4097/*
4098 * Test that a server attempting to read early data can handle a connection
4099 * from a client that doesn't send any.
4100 */
4101static int test_early_data_not_sent(int idx)
4102{
4103 SSL_CTX *cctx = NULL, *sctx = NULL;
4104 SSL *clientssl = NULL, *serverssl = NULL;
4105 int testresult = 0;
4106 SSL_SESSION *sess = NULL;
4107 unsigned char buf[20];
4108 size_t readbytes, written;
4109
4110 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4111 &serverssl, &sess, idx,
4112 SHA384_DIGEST_LENGTH)))
4113 goto end;
4114
4115 /* Write some data - should block due to handshake with server */
4116 SSL_set_connect_state(clientssl);
4117 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4118 goto end;
4119
4120 /* Server should detect that early data has not been sent */
4121 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4122 &readbytes),
4123 SSL_READ_EARLY_DATA_FINISH)
4124 || !TEST_size_t_eq(readbytes, 0)
4125 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4126 SSL_EARLY_DATA_NOT_SENT)
4127 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4128 SSL_EARLY_DATA_NOT_SENT))
4129 goto end;
4130
4131 /* Continue writing the message we started earlier */
4132 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4133 || !TEST_size_t_eq(written, strlen(MSG1))
4134 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4135 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4136 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4137 || !TEST_size_t_eq(written, strlen(MSG2)))
4138 goto end;
4139
4140 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4141 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4142 goto end;
4143
4144 testresult = 1;
4145
4146 end:
4147 SSL_SESSION_free(sess);
4148 SSL_SESSION_free(clientpsk);
4149 SSL_SESSION_free(serverpsk);
4150 clientpsk = serverpsk = NULL;
4151 SSL_free(serverssl);
4152 SSL_free(clientssl);
4153 SSL_CTX_free(sctx);
4154 SSL_CTX_free(cctx);
4155 return testresult;
4156}
4157
4158static const char *servalpn;
4159
4160static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4161 unsigned char *outlen, const unsigned char *in,
4162 unsigned int inlen, void *arg)
4163{
4164 unsigned int protlen = 0;
4165 const unsigned char *prot;
4166
4167 for (prot = in; prot < in + inlen; prot += protlen) {
4168 protlen = *prot++;
4169 if (in + inlen < prot + protlen)
4170 return SSL_TLSEXT_ERR_NOACK;
4171
4172 if (protlen == strlen(servalpn)
4173 && memcmp(prot, servalpn, protlen) == 0) {
4174 *out = prot;
4175 *outlen = protlen;
4176 return SSL_TLSEXT_ERR_OK;
4177 }
4178 }
4179
4180 return SSL_TLSEXT_ERR_NOACK;
4181}
4182
4183/* Test that a PSK can be used to send early_data */
4184static int test_early_data_psk(int idx)
4185{
4186 SSL_CTX *cctx = NULL, *sctx = NULL;
4187 SSL *clientssl = NULL, *serverssl = NULL;
4188 int testresult = 0;
4189 SSL_SESSION *sess = NULL;
4190 unsigned char alpnlist[] = {
4191 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4192 'l', 'p', 'n'
4193 };
4194#define GOODALPNLEN 9
4195#define BADALPNLEN 8
4196#define GOODALPN (alpnlist)
4197#define BADALPN (alpnlist + GOODALPNLEN)
4198 int err = 0;
4199 unsigned char buf[20];
4200 size_t readbytes, written;
4201 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4202 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4203
4204 /* We always set this up with a final parameter of "2" for PSK */
4205 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4206 &serverssl, &sess, 2,
4207 SHA384_DIGEST_LENGTH)))
4208 goto end;
4209
4210 servalpn = "goodalpn";
4211
4212 /*
4213 * Note: There is no test for inconsistent SNI with late client detection.
4214 * This is because servers do not acknowledge SNI even if they are using
4215 * it in a resumption handshake - so it is not actually possible for a
4216 * client to detect a problem.
4217 */
4218 switch (idx) {
4219 case 0:
4220 /* Set inconsistent SNI (early client detection) */
4221 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4222 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4223 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4224 goto end;
4225 break;
4226
4227 case 1:
4228 /* Set inconsistent ALPN (early client detection) */
4229 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4230 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4231 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4232 GOODALPNLEN))
4233 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4234 BADALPNLEN)))
4235 goto end;
4236 break;
4237
4238 case 2:
4239 /*
4240 * Set invalid protocol version. Technically this affects PSKs without
4241 * early_data too, but we test it here because it is similar to the
4242 * SNI/ALPN consistency tests.
4243 */
4244 err = SSL_R_BAD_PSK;
4245 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4246 goto end;
4247 break;
4248
4249 case 3:
4250 /*
4251 * Set inconsistent SNI (server side). In this case the connection
4252 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4253 * is associated with each handshake - not the session. Therefore it
4254 * should not matter that we used a different server name last time.
4255 */
4256 SSL_SESSION_free(serverpsk);
4257 serverpsk = SSL_SESSION_dup(clientpsk);
4258 if (!TEST_ptr(serverpsk)
4259 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4260 goto end;
4261 /* Fall through */
4262 case 4:
4263 /* Set consistent SNI */
4264 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4265 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4266 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4267 hostname_cb)))
4268 goto end;
4269 break;
4270
4271 case 5:
4272 /*
4273 * Set inconsistent ALPN (server detected). In this case the connection
4274 * will succeed but reject early_data.
4275 */
4276 servalpn = "badalpn";
4277 edstatus = SSL_EARLY_DATA_REJECTED;
4278 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4279 /* Fall through */
4280 case 6:
4281 /*
4282 * Set consistent ALPN.
4283 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4284 * accepts a list of protos (each one length prefixed).
4285 * SSL_set1_alpn_selected accepts a single protocol (not length
4286 * prefixed)
4287 */
4288 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4289 GOODALPNLEN - 1))
4290 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4291 GOODALPNLEN)))
4292 goto end;
4293
4294 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4295 break;
4296
4297 case 7:
4298 /* Set inconsistent ALPN (late client detection) */
4299 SSL_SESSION_free(serverpsk);
4300 serverpsk = SSL_SESSION_dup(clientpsk);
4301 if (!TEST_ptr(serverpsk)
4302 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4303 BADALPN + 1,
4304 BADALPNLEN - 1))
4305 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4306 GOODALPN + 1,
4307 GOODALPNLEN - 1))
4308 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4309 sizeof(alpnlist))))
4310 goto end;
4311 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4312 edstatus = SSL_EARLY_DATA_ACCEPTED;
4313 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4314 /* SSL_connect() call should fail */
4315 connectres = -1;
4316 break;
4317
4318 default:
4319 TEST_error("Bad test index");
4320 goto end;
4321 }
4322
4323 SSL_set_connect_state(clientssl);
4324 if (err != 0) {
4325 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4326 &written))
4327 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4328 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4329 goto end;
4330 } else {
4331 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4332 &written)))
4333 goto end;
4334
4335 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4336 &readbytes), readearlyres)
4337 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4338 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4339 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4340 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4341 goto end;
4342 }
4343
4344 testresult = 1;
4345
4346 end:
4347 SSL_SESSION_free(sess);
4348 SSL_SESSION_free(clientpsk);
4349 SSL_SESSION_free(serverpsk);
4350 clientpsk = serverpsk = NULL;
4351 SSL_free(serverssl);
4352 SSL_free(clientssl);
4353 SSL_CTX_free(sctx);
4354 SSL_CTX_free(cctx);
4355 return testresult;
4356}
4357
4358/*
4359 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4360 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4361 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4362 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4363 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4364 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4365 */
4366static int test_early_data_psk_with_all_ciphers(int idx)
4367{
4368 SSL_CTX *cctx = NULL, *sctx = NULL;
4369 SSL *clientssl = NULL, *serverssl = NULL;
4370 int testresult = 0;
4371 SSL_SESSION *sess = NULL;
4372 unsigned char buf[20];
4373 size_t readbytes, written;
4374 const SSL_CIPHER *cipher;
4375 const char *cipher_str[] = {
4376 TLS1_3_RFC_AES_128_GCM_SHA256,
4377 TLS1_3_RFC_AES_256_GCM_SHA384,
4378# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4379 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4380# else
4381 NULL,
4382# endif
4383 TLS1_3_RFC_AES_128_CCM_SHA256,
4384 TLS1_3_RFC_AES_128_CCM_8_SHA256
4385 };
4386 const unsigned char *cipher_bytes[] = {
4387 TLS13_AES_128_GCM_SHA256_BYTES,
4388 TLS13_AES_256_GCM_SHA384_BYTES,
4389# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4390 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4391# else
4392 NULL,
4393# endif
4394 TLS13_AES_128_CCM_SHA256_BYTES,
4395 TLS13_AES_128_CCM_8_SHA256_BYTES
4396 };
4397
4398 if (cipher_str[idx] == NULL)
4399 return 1;
4400 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4401 if (idx == 2 && is_fips == 1)
4402 return 1;
4403
4404 /* We always set this up with a final parameter of "2" for PSK */
4405 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4406 &serverssl, &sess, 2,
4407 SHA384_DIGEST_LENGTH)))
4408 goto end;
4409
4410 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4411 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4412 goto end;
4413
4414 /*
4415 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4416 * and assigns to both client and server with incremented reference
4417 * and the same instance is updated in 'sess'.
4418 * So updating ciphersuite in 'sess' which will get reflected in
4419 * PSK handshake using psk use sess and find sess cb.
4420 */
4421 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4422 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4423 goto end;
4424
4425 SSL_set_connect_state(clientssl);
4426 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4427 &written)))
4428 goto end;
4429
4430 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4431 &readbytes),
4432 SSL_READ_EARLY_DATA_SUCCESS)
4433 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4434 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4435 SSL_EARLY_DATA_ACCEPTED)
4436 || !TEST_int_eq(SSL_connect(clientssl), 1)
4437 || !TEST_int_eq(SSL_accept(serverssl), 1))
4438 goto end;
4439
4440 /* Send some normal data from client to server */
4441 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4442 || !TEST_size_t_eq(written, strlen(MSG2)))
4443 goto end;
4444
4445 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4446 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4447 goto end;
4448
4449 testresult = 1;
4450 end:
4451 SSL_SESSION_free(sess);
4452 SSL_SESSION_free(clientpsk);
4453 SSL_SESSION_free(serverpsk);
4454 clientpsk = serverpsk = NULL;
4455 if (clientssl != NULL)
4456 SSL_shutdown(clientssl);
4457 if (serverssl != NULL)
4458 SSL_shutdown(serverssl);
4459 SSL_free(serverssl);
4460 SSL_free(clientssl);
4461 SSL_CTX_free(sctx);
4462 SSL_CTX_free(cctx);
4463 return testresult;
4464}
4465
4466/*
4467 * Test that a server that doesn't try to read early data can handle a
4468 * client sending some.
4469 */
4470static int test_early_data_not_expected(int idx)
4471{
4472 SSL_CTX *cctx = NULL, *sctx = NULL;
4473 SSL *clientssl = NULL, *serverssl = NULL;
4474 int testresult = 0;
4475 SSL_SESSION *sess = NULL;
4476 unsigned char buf[20];
4477 size_t readbytes, written;
4478
4479 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4480 &serverssl, &sess, idx,
4481 SHA384_DIGEST_LENGTH)))
4482 goto end;
4483
4484 /* Write some early data */
4485 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4486 &written)))
4487 goto end;
4488
4489 /*
4490 * Server should skip over early data and then block waiting for client to
4491 * continue handshake
4492 */
4493 if (!TEST_int_le(SSL_accept(serverssl), 0)
4494 || !TEST_int_gt(SSL_connect(clientssl), 0)
4495 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4496 SSL_EARLY_DATA_REJECTED)
4497 || !TEST_int_gt(SSL_accept(serverssl), 0)
4498 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4499 SSL_EARLY_DATA_REJECTED))
4500 goto end;
4501
4502 /* Send some normal data from client to server */
4503 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4504 || !TEST_size_t_eq(written, strlen(MSG2)))
4505 goto end;
4506
4507 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4508 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4509 goto end;
4510
4511 testresult = 1;
4512
4513 end:
4514 SSL_SESSION_free(sess);
4515 SSL_SESSION_free(clientpsk);
4516 SSL_SESSION_free(serverpsk);
4517 clientpsk = serverpsk = NULL;
4518 SSL_free(serverssl);
4519 SSL_free(clientssl);
4520 SSL_CTX_free(sctx);
4521 SSL_CTX_free(cctx);
4522 return testresult;
4523}
4524
4525
4526# ifndef OPENSSL_NO_TLS1_2
4527/*
4528 * Test that a server attempting to read early data can handle a connection
4529 * from a TLSv1.2 client.
4530 */
4531static int test_early_data_tls1_2(int idx)
4532{
4533 SSL_CTX *cctx = NULL, *sctx = NULL;
4534 SSL *clientssl = NULL, *serverssl = NULL;
4535 int testresult = 0;
4536 unsigned char buf[20];
4537 size_t readbytes, written;
4538
4539 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4540 &serverssl, NULL, idx,
4541 SHA384_DIGEST_LENGTH)))
4542 goto end;
4543
4544 /* Write some data - should block due to handshake with server */
4545 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4546 SSL_set_connect_state(clientssl);
4547 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4548 goto end;
4549
4550 /*
4551 * Server should do TLSv1.2 handshake. First it will block waiting for more
4552 * messages from client after ServerDone. Then SSL_read_early_data should
4553 * finish and detect that early data has not been sent
4554 */
4555 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4556 &readbytes),
4557 SSL_READ_EARLY_DATA_ERROR))
4558 goto end;
4559
4560 /*
4561 * Continue writing the message we started earlier. Will still block waiting
4562 * for the CCS/Finished from server
4563 */
4564 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4565 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4566 &readbytes),
4567 SSL_READ_EARLY_DATA_FINISH)
4568 || !TEST_size_t_eq(readbytes, 0)
4569 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4570 SSL_EARLY_DATA_NOT_SENT))
4571 goto end;
4572
4573 /* Continue writing the message we started earlier */
4574 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4575 || !TEST_size_t_eq(written, strlen(MSG1))
4576 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4577 SSL_EARLY_DATA_NOT_SENT)
4578 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4579 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4580 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4581 || !TEST_size_t_eq(written, strlen(MSG2))
4582 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4583 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4584 goto end;
4585
4586 testresult = 1;
4587
4588 end:
4589 SSL_SESSION_free(clientpsk);
4590 SSL_SESSION_free(serverpsk);
4591 clientpsk = serverpsk = NULL;
4592 SSL_free(serverssl);
4593 SSL_free(clientssl);
4594 SSL_CTX_free(sctx);
4595 SSL_CTX_free(cctx);
4596
4597 return testresult;
4598}
4599# endif /* OPENSSL_NO_TLS1_2 */
4600
4601/*
4602 * Test configuring the TLSv1.3 ciphersuites
4603 *
4604 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4605 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4606 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4607 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4608 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4609 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4610 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4611 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4612 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4613 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4614 */
4615static int test_set_ciphersuite(int idx)
4616{
4617 SSL_CTX *cctx = NULL, *sctx = NULL;
4618 SSL *clientssl = NULL, *serverssl = NULL;
4619 int testresult = 0;
4620
4621 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4622 TLS_client_method(), TLS1_VERSION, 0,
4623 &sctx, &cctx, cert, privkey))
4624 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4625 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4626 goto end;
4627
4628 if (idx >=4 && idx <= 7) {
4629 /* SSL_CTX explicit cipher list */
4630 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4631 goto end;
4632 }
4633
4634 if (idx == 0 || idx == 4) {
4635 /* Default ciphersuite */
4636 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4637 "TLS_AES_128_GCM_SHA256")))
4638 goto end;
4639 } else if (idx == 1 || idx == 5) {
4640 /* Non default ciphersuite */
4641 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4642 "TLS_AES_128_CCM_SHA256")))
4643 goto end;
4644 }
4645
4646 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4647 &clientssl, NULL, NULL)))
4648 goto end;
4649
4650 if (idx == 8 || idx == 9) {
4651 /* SSL explicit cipher list */
4652 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4653 goto end;
4654 }
4655
4656 if (idx == 2 || idx == 6 || idx == 8) {
4657 /* Default ciphersuite */
4658 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4659 "TLS_AES_128_GCM_SHA256")))
4660 goto end;
4661 } else if (idx == 3 || idx == 7 || idx == 9) {
4662 /* Non default ciphersuite */
4663 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4664 "TLS_AES_128_CCM_SHA256")))
4665 goto end;
4666 }
4667
4668 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4669 goto end;
4670
4671 testresult = 1;
4672
4673 end:
4674 SSL_free(serverssl);
4675 SSL_free(clientssl);
4676 SSL_CTX_free(sctx);
4677 SSL_CTX_free(cctx);
4678
4679 return testresult;
4680}
4681
4682static int test_ciphersuite_change(void)
4683{
4684 SSL_CTX *cctx = NULL, *sctx = NULL;
4685 SSL *clientssl = NULL, *serverssl = NULL;
4686 SSL_SESSION *clntsess = NULL;
4687 int testresult = 0;
4688 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4689
4690 /* Create a session based on SHA-256 */
4691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4692 TLS_client_method(), TLS1_VERSION, 0,
4693 &sctx, &cctx, cert, privkey))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4695 "TLS_AES_128_GCM_SHA256:"
4696 "TLS_AES_256_GCM_SHA384:"
4697 "TLS_AES_128_CCM_SHA256"))
4698 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4699 "TLS_AES_128_GCM_SHA256"))
4700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4701 &clientssl, NULL, NULL))
4702 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4703 SSL_ERROR_NONE)))
4704 goto end;
4705
4706 clntsess = SSL_get1_session(clientssl);
4707 /* Save for later */
4708 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4709 SSL_shutdown(clientssl);
4710 SSL_shutdown(serverssl);
4711 SSL_free(serverssl);
4712 SSL_free(clientssl);
4713 serverssl = clientssl = NULL;
4714
4715 /* Check we can resume a session with a different SHA-256 ciphersuite */
4716 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4717 "TLS_AES_128_CCM_SHA256"))
4718 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4719 &clientssl, NULL, NULL))
4720 || !TEST_true(SSL_set_session(clientssl, clntsess))
4721 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4722 SSL_ERROR_NONE))
4723 || !TEST_true(SSL_session_reused(clientssl)))
4724 goto end;
4725
4726 SSL_SESSION_free(clntsess);
4727 clntsess = SSL_get1_session(clientssl);
4728 SSL_shutdown(clientssl);
4729 SSL_shutdown(serverssl);
4730 SSL_free(serverssl);
4731 SSL_free(clientssl);
4732 serverssl = clientssl = NULL;
4733
4734 /*
4735 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4736 * succeeds but does not resume.
4737 */
4738 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4739 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4740 NULL, NULL))
4741 || !TEST_true(SSL_set_session(clientssl, clntsess))
4742 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4743 SSL_ERROR_SSL))
4744 || !TEST_false(SSL_session_reused(clientssl)))
4745 goto end;
4746
4747 SSL_SESSION_free(clntsess);
4748 clntsess = NULL;
4749 SSL_shutdown(clientssl);
4750 SSL_shutdown(serverssl);
4751 SSL_free(serverssl);
4752 SSL_free(clientssl);
4753 serverssl = clientssl = NULL;
4754
4755 /* Create a session based on SHA384 */
4756 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4757 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4758 &clientssl, NULL, NULL))
4759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4760 SSL_ERROR_NONE)))
4761 goto end;
4762
4763 clntsess = SSL_get1_session(clientssl);
4764 SSL_shutdown(clientssl);
4765 SSL_shutdown(serverssl);
4766 SSL_free(serverssl);
4767 SSL_free(clientssl);
4768 serverssl = clientssl = NULL;
4769
4770 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4771 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4772 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4773 "TLS_AES_256_GCM_SHA384"))
4774 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4775 NULL, NULL))
4776 || !TEST_true(SSL_set_session(clientssl, clntsess))
4777 /*
4778 * We use SSL_ERROR_WANT_READ below so that we can pause the
4779 * connection after the initial ClientHello has been sent to
4780 * enable us to make some session changes.
4781 */
4782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4783 SSL_ERROR_WANT_READ)))
4784 goto end;
4785
4786 /* Trick the client into thinking this session is for a different digest */
4787 clntsess->cipher = aes_128_gcm_sha256;
4788 clntsess->cipher_id = clntsess->cipher->id;
4789
4790 /*
4791 * Continue the previously started connection. Server has selected a SHA-384
4792 * ciphersuite, but client thinks the session is for SHA-256, so it should
4793 * bail out.
4794 */
4795 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4796 SSL_ERROR_SSL))
4797 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4798 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4799 goto end;
4800
4801 testresult = 1;
4802
4803 end:
4804 SSL_SESSION_free(clntsess);
4805 SSL_free(serverssl);
4806 SSL_free(clientssl);
4807 SSL_CTX_free(sctx);
4808 SSL_CTX_free(cctx);
4809
4810 return testresult;
4811}
4812
4813/*
4814 * Test TLSv1.3 Key exchange
4815 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4816 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4817 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4818 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4819 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4820 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4821 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4822 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4823 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4824 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4825 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4826 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4827 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4828 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4829 */
4830# ifndef OPENSSL_NO_EC
4831static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4832 NID_secp521r1, NID_X25519, NID_X448};
4833# endif
4834# ifndef OPENSSL_NO_DH
4835static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4836 NID_ffdhe6144, NID_ffdhe8192};
4837# endif
4838static int test_key_exchange(int idx)
4839{
4840 SSL_CTX *sctx = NULL, *cctx = NULL;
4841 SSL *serverssl = NULL, *clientssl = NULL;
4842 int testresult = 0;
4843 int kexch_alg;
4844 int *kexch_groups = &kexch_alg;
4845 int kexch_groups_size = 1;
4846 int max_version = TLS1_3_VERSION;
4847 char *kexch_name0 = NULL;
4848
4849 switch (idx) {
4850# ifndef OPENSSL_NO_EC
4851# ifndef OPENSSL_NO_TLS1_2
4852 case 12:
4853 max_version = TLS1_2_VERSION;
4854# endif
4855 /* Fall through */
4856 case 0:
4857 kexch_groups = ecdhe_kexch_groups;
4858 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4859 kexch_name0 = "secp256r1";
4860 break;
4861 case 1:
4862 kexch_alg = NID_X9_62_prime256v1;
4863 kexch_name0 = "secp256r1";
4864 break;
4865 case 2:
4866 kexch_alg = NID_secp384r1;
4867 kexch_name0 = "secp384r1";
4868 break;
4869 case 3:
4870 kexch_alg = NID_secp521r1;
4871 kexch_name0 = "secp521r1";
4872 break;
4873 case 4:
4874 kexch_alg = NID_X25519;
4875 kexch_name0 = "x25519";
4876 break;
4877 case 5:
4878 kexch_alg = NID_X448;
4879 kexch_name0 = "x448";
4880 break;
4881# endif
4882# ifndef OPENSSL_NO_DH
4883# ifndef OPENSSL_NO_TLS1_2
4884 case 13:
4885 max_version = TLS1_2_VERSION;
4886 kexch_name0 = "ffdhe2048";
4887# endif
4888 /* Fall through */
4889 case 6:
4890 kexch_groups = ffdhe_kexch_groups;
4891 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4892 kexch_name0 = "ffdhe2048";
4893 break;
4894 case 7:
4895 kexch_alg = NID_ffdhe2048;
4896 kexch_name0 = "ffdhe2048";
4897 break;
4898 case 8:
4899 kexch_alg = NID_ffdhe3072;
4900 kexch_name0 = "ffdhe3072";
4901 break;
4902 case 9:
4903 kexch_alg = NID_ffdhe4096;
4904 kexch_name0 = "ffdhe4096";
4905 break;
4906 case 10:
4907 kexch_alg = NID_ffdhe6144;
4908 kexch_name0 = "ffdhe6144";
4909 break;
4910 case 11:
4911 kexch_alg = NID_ffdhe8192;
4912 kexch_name0 = "ffdhe8192";
4913 break;
4914# endif
4915 default:
4916 /* We're skipping this test */
4917 return 1;
4918 }
4919
4920 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4921 TLS_client_method(), TLS1_VERSION,
4922 max_version, &sctx, &cctx, cert,
4923 privkey)))
4924 goto end;
4925
4926 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4927 TLS1_3_RFC_AES_128_GCM_SHA256)))
4928 goto end;
4929
4930 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4931 TLS1_3_RFC_AES_128_GCM_SHA256)))
4932 goto end;
4933
4934 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4935 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4936 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4937 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4938 goto end;
4939
4940 /*
4941 * Must include an EC ciphersuite so that we send supported groups in
4942 * TLSv1.2
4943 */
4944# ifndef OPENSSL_NO_TLS1_2
4945 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4946 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4947 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4948 goto end;
4949# endif
4950
4951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4952 NULL, NULL)))
4953 goto end;
4954
4955 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4956 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4957 goto end;
4958
4959 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4960 goto end;
4961
4962 /*
4963 * If Handshake succeeds the negotiated kexch alg should be the first one in
4964 * configured, except in the case of FFDHE groups (idx 13), which are
4965 * TLSv1.3 only so we expect no shared group to exist.
4966 */
4967 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4968 idx == 13 ? 0 : kexch_groups[0]))
4969 goto end;
4970
4971 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4972 kexch_name0))
4973 goto end;
4974
4975 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4976 if (idx != 13) {
4977 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4978 goto end;
4979 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4980 goto end;
4981 }
4982
4983 testresult = 1;
4984 end:
4985 SSL_free(serverssl);
4986 SSL_free(clientssl);
4987 SSL_CTX_free(sctx);
4988 SSL_CTX_free(cctx);
4989 return testresult;
4990}
4991
4992# if !defined(OPENSSL_NO_TLS1_2) \
4993 && !defined(OPENSSL_NO_EC) \
4994 && !defined(OPENSSL_NO_DH)
4995static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4996 int isecdhe, int idx)
4997{
4998 int kexch_alg;
4999 int *kexch_groups = &kexch_alg;
5000 int numec, numff;
5001
5002 numec = OSSL_NELEM(ecdhe_kexch_groups);
5003 numff = OSSL_NELEM(ffdhe_kexch_groups);
5004 if (isecdhe)
5005 kexch_alg = ecdhe_kexch_groups[idx];
5006 else
5007 kexch_alg = ffdhe_kexch_groups[idx];
5008
5009 if (clientmulti) {
5010 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5011 return 0;
5012 if (isecdhe) {
5013 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5014 numec)))
5015 return 0;
5016 } else {
5017 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5018 numff)))
5019 return 0;
5020 }
5021 } else {
5022 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5023 return 0;
5024 if (isecdhe) {
5025 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5026 numec)))
5027 return 0;
5028 } else {
5029 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5030 numff)))
5031 return 0;
5032 }
5033 }
5034 return 1;
5035}
5036
5037/*-
5038 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5039 * Run through both the ECDHE and FFDHE group lists used in the previous
5040 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5041 * confirming the expected result; then perform a resumption handshake
5042 * while offering the same group list, and another resumption handshake
5043 * offering a different group list. The returned value should be the
5044 * negotiated group for the initial handshake; for TLS 1.3 resumption
5045 * handshakes the returned value will be negotiated on the resumption
5046 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5047 * be cached in the session from the original handshake, regardless of what
5048 * was offered in the resumption ClientHello.
5049 *
5050 * Using E for the number of EC groups and F for the number of FF groups:
5051 * E tests of ECDHE with TLS 1.3, server only has one group
5052 * F tests of FFDHE with TLS 1.3, server only has one group
5053 * E tests of ECDHE with TLS 1.2, server only has one group
5054 * F tests of FFDHE with TLS 1.2, server only has one group
5055 * E tests of ECDHE with TLS 1.3, client sends only one group
5056 * F tests of FFDHE with TLS 1.3, client sends only one group
5057 * E tests of ECDHE with TLS 1.2, client sends only one group
5058 * F tests of FFDHE with TLS 1.2, client sends only one group
5059 */
5060static int test_negotiated_group(int idx)
5061{
5062 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5063 int expectednid;
5064 SSL_CTX *sctx = NULL, *cctx = NULL;
5065 SSL *serverssl = NULL, *clientssl = NULL;
5066 SSL_SESSION *origsess = NULL;
5067 int testresult = 0;
5068 int kexch_alg;
5069 int max_version = TLS1_3_VERSION;
5070
5071 numec = OSSL_NELEM(ecdhe_kexch_groups);
5072 numff = OSSL_NELEM(ffdhe_kexch_groups);
5073 numgroups = numec + numff;
5074 clientmulti = (idx < 2 * numgroups);
5075 idx = idx % (2 * numgroups);
5076 istls13 = (idx < numgroups);
5077 idx = idx % numgroups;
5078 isecdhe = (idx < numec);
5079 if (!isecdhe)
5080 idx -= numec;
5081 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5082 if (isecdhe)
5083 kexch_alg = ecdhe_kexch_groups[idx];
5084 else
5085 kexch_alg = ffdhe_kexch_groups[idx];
5086 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5087 if (!istls13 && !isecdhe)
5088 expectednid = NID_undef;
5089 else
5090 expectednid = kexch_alg;
5091
5092 if (!istls13)
5093 max_version = TLS1_2_VERSION;
5094
5095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5096 TLS_client_method(), TLS1_VERSION,
5097 max_version, &sctx, &cctx, cert,
5098 privkey)))
5099 goto end;
5100
5101 /*
5102 * Force (EC)DHE ciphers for TLS 1.2.
5103 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5104 */
5105 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5106 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5107 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5108 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5109 goto end;
5110 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5111 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5112 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5113 goto end;
5114
5115 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5116 NULL, NULL)))
5117 goto end;
5118
5119 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5120 idx)))
5121 goto end;
5122
5123 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5124 goto end;
5125
5126 /* Initial handshake; always the configured one */
5127 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5128 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5129 goto end;
5130
5131 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5132 goto end;
5133
5134 SSL_shutdown(clientssl);
5135 SSL_shutdown(serverssl);
5136 SSL_free(serverssl);
5137 SSL_free(clientssl);
5138 serverssl = clientssl = NULL;
5139
5140 /* First resumption attempt; use the same config as initial handshake */
5141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5142 NULL, NULL))
5143 || !TEST_true(SSL_set_session(clientssl, origsess))
5144 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5145 isecdhe, idx)))
5146 goto end;
5147
5148 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5149 || !TEST_true(SSL_session_reused(clientssl)))
5150 goto end;
5151
5152 /* Still had better agree, since nothing changed... */
5153 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5154 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5155 goto end;
5156
5157 SSL_shutdown(clientssl);
5158 SSL_shutdown(serverssl);
5159 SSL_free(serverssl);
5160 SSL_free(clientssl);
5161 serverssl = clientssl = NULL;
5162
5163 /*-
5164 * Second resumption attempt
5165 * The party that picks one group changes it, which we effectuate by
5166 * changing 'idx' and updating what we expect.
5167 */
5168 if (idx == 0)
5169 idx = 1;
5170 else
5171 idx--;
5172 if (istls13) {
5173 if (isecdhe)
5174 expectednid = ecdhe_kexch_groups[idx];
5175 else
5176 expectednid = ffdhe_kexch_groups[idx];
5177 /* Verify that we are changing what we expect. */
5178 if (!TEST_int_ne(expectednid, kexch_alg))
5179 goto end;
5180 } else {
5181 /* TLS 1.2 only supports named groups for ECDHE. */
5182 if (isecdhe)
5183 expectednid = kexch_alg;
5184 else
5185 expectednid = 0;
5186 }
5187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5188 NULL, NULL))
5189 || !TEST_true(SSL_set_session(clientssl, origsess))
5190 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5191 isecdhe, idx)))
5192 goto end;
5193
5194 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5195 || !TEST_true(SSL_session_reused(clientssl)))
5196 goto end;
5197
5198 /* Check that we get what we expected */
5199 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5200 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5201 goto end;
5202
5203 testresult = 1;
5204 end:
5205 SSL_free(serverssl);
5206 SSL_free(clientssl);
5207 SSL_CTX_free(sctx);
5208 SSL_CTX_free(cctx);
5209 SSL_SESSION_free(origsess);
5210 return testresult;
5211}
5212# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5213
5214/*
5215 * Test TLSv1.3 Cipher Suite
5216 * Test 0 = Set TLS1.3 cipher on context
5217 * Test 1 = Set TLS1.3 cipher on SSL
5218 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5219 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5220 */
5221static int test_tls13_ciphersuite(int idx)
5222{
5223 SSL_CTX *sctx = NULL, *cctx = NULL;
5224 SSL *serverssl = NULL, *clientssl = NULL;
5225 static const struct {
5226 const char *ciphername;
5227 int fipscapable;
5228 } t13_ciphers[] = {
5229 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5230 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5231 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5232# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5233 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5234 { TLS1_3_RFC_AES_256_GCM_SHA384
5235 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5236# endif
5237 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5238 };
5239 const char *t13_cipher = NULL;
5240 const char *t12_cipher = NULL;
5241 const char *negotiated_scipher;
5242 const char *negotiated_ccipher;
5243 int set_at_ctx = 0;
5244 int set_at_ssl = 0;
5245 int testresult = 0;
5246 int max_ver;
5247 size_t i;
5248
5249 switch (idx) {
5250 case 0:
5251 set_at_ctx = 1;
5252 break;
5253 case 1:
5254 set_at_ssl = 1;
5255 break;
5256 case 2:
5257 set_at_ctx = 1;
5258 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5259 break;
5260 case 3:
5261 set_at_ssl = 1;
5262 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5263 break;
5264 }
5265
5266 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5267# ifdef OPENSSL_NO_TLS1_2
5268 if (max_ver == TLS1_2_VERSION)
5269 continue;
5270# endif
5271 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5272 if (is_fips && !t13_ciphers[i].fipscapable)
5273 continue;
5274 t13_cipher = t13_ciphers[i].ciphername;
5275 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5276 TLS_client_method(),
5277 TLS1_VERSION, max_ver,
5278 &sctx, &cctx, cert, privkey)))
5279 goto end;
5280
5281 if (set_at_ctx) {
5282 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5283 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5284 goto end;
5285 if (t12_cipher != NULL) {
5286 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5287 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5288 t12_cipher)))
5289 goto end;
5290 }
5291 }
5292
5293 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5294 &clientssl, NULL, NULL)))
5295 goto end;
5296
5297 if (set_at_ssl) {
5298 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5299 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5300 goto end;
5301 if (t12_cipher != NULL) {
5302 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5303 || !TEST_true(SSL_set_cipher_list(clientssl,
5304 t12_cipher)))
5305 goto end;
5306 }
5307 }
5308
5309 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5310 SSL_ERROR_NONE)))
5311 goto end;
5312
5313 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5314 serverssl));
5315 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5316 clientssl));
5317 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5318 goto end;
5319
5320 /*
5321 * TEST_strn_eq is used below because t13_cipher can contain
5322 * multiple ciphersuites
5323 */
5324 if (max_ver == TLS1_3_VERSION
5325 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5326 strlen(negotiated_scipher)))
5327 goto end;
5328
5329# ifndef OPENSSL_NO_TLS1_2
5330 /* Below validation is not done when t12_cipher is NULL */
5331 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5332 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5333 goto end;
5334# endif
5335
5336 SSL_free(serverssl);
5337 serverssl = NULL;
5338 SSL_free(clientssl);
5339 clientssl = NULL;
5340 SSL_CTX_free(sctx);
5341 sctx = NULL;
5342 SSL_CTX_free(cctx);
5343 cctx = NULL;
5344 }
5345 }
5346
5347 testresult = 1;
5348 end:
5349 SSL_free(serverssl);
5350 SSL_free(clientssl);
5351 SSL_CTX_free(sctx);
5352 SSL_CTX_free(cctx);
5353 return testresult;
5354}
5355
5356/*
5357 * Test TLSv1.3 PSKs
5358 * Test 0 = Test new style callbacks
5359 * Test 1 = Test both new and old style callbacks
5360 * Test 2 = Test old style callbacks
5361 * Test 3 = Test old style callbacks with no certificate
5362 */
5363static int test_tls13_psk(int idx)
5364{
5365 SSL_CTX *sctx = NULL, *cctx = NULL;
5366 SSL *serverssl = NULL, *clientssl = NULL;
5367 const SSL_CIPHER *cipher = NULL;
5368 const unsigned char key[] = {
5369 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5370 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5371 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5372 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5373 };
5374 int testresult = 0;
5375
5376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5377 TLS_client_method(), TLS1_VERSION, 0,
5378 &sctx, &cctx, idx == 3 ? NULL : cert,
5379 idx == 3 ? NULL : privkey)))
5380 goto end;
5381
5382 if (idx != 3) {
5383 /*
5384 * We use a ciphersuite with SHA256 to ease testing old style PSK
5385 * callbacks which will always default to SHA256. This should not be
5386 * necessary if we have no cert/priv key. In that case the server should
5387 * prefer SHA256 automatically.
5388 */
5389 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5390 "TLS_AES_128_GCM_SHA256")))
5391 goto end;
5392 } else {
5393 /*
5394 * As noted above the server should prefer SHA256 automatically. However
5395 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5396 * code works even if we are testing with only the FIPS provider loaded.
5397 */
5398 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5399 "TLS_AES_256_GCM_SHA384:"
5400 "TLS_AES_128_GCM_SHA256")))
5401 goto end;
5402 }
5403
5404 /*
5405 * Test 0: New style callbacks only
5406 * Test 1: New and old style callbacks (only the new ones should be used)
5407 * Test 2: Old style callbacks only
5408 */
5409 if (idx == 0 || idx == 1) {
5410 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5411 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5412 }
5413#ifndef OPENSSL_NO_PSK
5414 if (idx >= 1) {
5415 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5416 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5417 }
5418#endif
5419 srvid = pskid;
5420 use_session_cb_cnt = 0;
5421 find_session_cb_cnt = 0;
5422 psk_client_cb_cnt = 0;
5423 psk_server_cb_cnt = 0;
5424
5425 if (idx != 3) {
5426 /*
5427 * Check we can create a connection if callback decides not to send a
5428 * PSK
5429 */
5430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5431 NULL, NULL))
5432 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5433 SSL_ERROR_NONE))
5434 || !TEST_false(SSL_session_reused(clientssl))
5435 || !TEST_false(SSL_session_reused(serverssl)))
5436 goto end;
5437
5438 if (idx == 0 || idx == 1) {
5439 if (!TEST_true(use_session_cb_cnt == 1)
5440 || !TEST_true(find_session_cb_cnt == 0)
5441 /*
5442 * If no old style callback then below should be 0
5443 * otherwise 1
5444 */
5445 || !TEST_true(psk_client_cb_cnt == idx)
5446 || !TEST_true(psk_server_cb_cnt == 0))
5447 goto end;
5448 } else {
5449 if (!TEST_true(use_session_cb_cnt == 0)
5450 || !TEST_true(find_session_cb_cnt == 0)
5451 || !TEST_true(psk_client_cb_cnt == 1)
5452 || !TEST_true(psk_server_cb_cnt == 0))
5453 goto end;
5454 }
5455
5456 shutdown_ssl_connection(serverssl, clientssl);
5457 serverssl = clientssl = NULL;
5458 use_session_cb_cnt = psk_client_cb_cnt = 0;
5459 }
5460
5461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5462 NULL, NULL)))
5463 goto end;
5464
5465 /* Create the PSK */
5466 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5467 clientpsk = SSL_SESSION_new();
5468 if (!TEST_ptr(clientpsk)
5469 || !TEST_ptr(cipher)
5470 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5471 sizeof(key)))
5472 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5473 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5474 TLS1_3_VERSION))
5475 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5476 goto end;
5477 serverpsk = clientpsk;
5478
5479 /* Check we can create a connection and the PSK is used */
5480 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5481 || !TEST_true(SSL_session_reused(clientssl))
5482 || !TEST_true(SSL_session_reused(serverssl)))
5483 goto end;
5484
5485 if (idx == 0 || idx == 1) {
5486 if (!TEST_true(use_session_cb_cnt == 1)
5487 || !TEST_true(find_session_cb_cnt == 1)
5488 || !TEST_true(psk_client_cb_cnt == 0)
5489 || !TEST_true(psk_server_cb_cnt == 0))
5490 goto end;
5491 } else {
5492 if (!TEST_true(use_session_cb_cnt == 0)
5493 || !TEST_true(find_session_cb_cnt == 0)
5494 || !TEST_true(psk_client_cb_cnt == 1)
5495 || !TEST_true(psk_server_cb_cnt == 1))
5496 goto end;
5497 }
5498
5499 shutdown_ssl_connection(serverssl, clientssl);
5500 serverssl = clientssl = NULL;
5501 use_session_cb_cnt = find_session_cb_cnt = 0;
5502 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5503
5504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505 NULL, NULL)))
5506 goto end;
5507
5508 /* Force an HRR */
5509#if defined(OPENSSL_NO_EC)
5510 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5511 goto end;
5512#else
5513 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5514 goto end;
5515#endif
5516
5517 /*
5518 * Check we can create a connection, the PSK is used and the callbacks are
5519 * called twice.
5520 */
5521 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5522 || !TEST_true(SSL_session_reused(clientssl))
5523 || !TEST_true(SSL_session_reused(serverssl)))
5524 goto end;
5525
5526 if (idx == 0 || idx == 1) {
5527 if (!TEST_true(use_session_cb_cnt == 2)
5528 || !TEST_true(find_session_cb_cnt == 2)
5529 || !TEST_true(psk_client_cb_cnt == 0)
5530 || !TEST_true(psk_server_cb_cnt == 0))
5531 goto end;
5532 } else {
5533 if (!TEST_true(use_session_cb_cnt == 0)
5534 || !TEST_true(find_session_cb_cnt == 0)
5535 || !TEST_true(psk_client_cb_cnt == 2)
5536 || !TEST_true(psk_server_cb_cnt == 2))
5537 goto end;
5538 }
5539
5540 shutdown_ssl_connection(serverssl, clientssl);
5541 serverssl = clientssl = NULL;
5542 use_session_cb_cnt = find_session_cb_cnt = 0;
5543 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5544
5545 if (idx != 3) {
5546 /*
5547 * Check that if the server rejects the PSK we can still connect, but with
5548 * a full handshake
5549 */
5550 srvid = "Dummy Identity";
5551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5552 NULL, NULL))
5553 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5554 SSL_ERROR_NONE))
5555 || !TEST_false(SSL_session_reused(clientssl))
5556 || !TEST_false(SSL_session_reused(serverssl)))
5557 goto end;
5558
5559 if (idx == 0 || idx == 1) {
5560 if (!TEST_true(use_session_cb_cnt == 1)
5561 || !TEST_true(find_session_cb_cnt == 1)
5562 || !TEST_true(psk_client_cb_cnt == 0)
5563 /*
5564 * If no old style callback then below should be 0
5565 * otherwise 1
5566 */
5567 || !TEST_true(psk_server_cb_cnt == idx))
5568 goto end;
5569 } else {
5570 if (!TEST_true(use_session_cb_cnt == 0)
5571 || !TEST_true(find_session_cb_cnt == 0)
5572 || !TEST_true(psk_client_cb_cnt == 1)
5573 || !TEST_true(psk_server_cb_cnt == 1))
5574 goto end;
5575 }
5576
5577 shutdown_ssl_connection(serverssl, clientssl);
5578 serverssl = clientssl = NULL;
5579 }
5580 testresult = 1;
5581
5582 end:
5583 SSL_SESSION_free(clientpsk);
5584 SSL_SESSION_free(serverpsk);
5585 clientpsk = serverpsk = NULL;
5586 SSL_free(serverssl);
5587 SSL_free(clientssl);
5588 SSL_CTX_free(sctx);
5589 SSL_CTX_free(cctx);
5590 return testresult;
5591}
5592
5593static unsigned char cookie_magic_value[] = "cookie magic";
5594
5595static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5596 unsigned int *cookie_len)
5597{
5598 /*
5599 * Not suitable as a real cookie generation function but good enough for
5600 * testing!
5601 */
5602 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5603 *cookie_len = sizeof(cookie_magic_value) - 1;
5604
5605 return 1;
5606}
5607
5608static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5609 unsigned int cookie_len)
5610{
5611 if (cookie_len == sizeof(cookie_magic_value) - 1
5612 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5613 return 1;
5614
5615 return 0;
5616}
5617
5618static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5619 size_t *cookie_len)
5620{
5621 unsigned int temp;
5622 int res = generate_cookie_callback(ssl, cookie, &temp);
5623 *cookie_len = temp;
5624 return res;
5625}
5626
5627static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5628 size_t cookie_len)
5629{
5630 return verify_cookie_callback(ssl, cookie, cookie_len);
5631}
5632
5633static int test_stateless(void)
5634{
5635 SSL_CTX *sctx = NULL, *cctx = NULL;
5636 SSL *serverssl = NULL, *clientssl = NULL;
5637 int testresult = 0;
5638
5639 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5640 TLS_client_method(), TLS1_VERSION, 0,
5641 &sctx, &cctx, cert, privkey)))
5642 goto end;
5643
5644 /* The arrival of CCS messages can confuse the test */
5645 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5646
5647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5648 NULL, NULL))
5649 /* Send the first ClientHello */
5650 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5651 SSL_ERROR_WANT_READ))
5652 /*
5653 * This should fail with a -1 return because we have no callbacks
5654 * set up
5655 */
5656 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5657 goto end;
5658
5659 /* Fatal error so abandon the connection from this client */
5660 SSL_free(clientssl);
5661 clientssl = NULL;
5662
5663 /* Set up the cookie generation and verification callbacks */
5664 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5665 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5666
5667 /*
5668 * Create a new connection from the client (we can reuse the server SSL
5669 * object).
5670 */
5671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5672 NULL, NULL))
5673 /* Send the first ClientHello */
5674 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5675 SSL_ERROR_WANT_READ))
5676 /* This should fail because there is no cookie */
5677 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5678 goto end;
5679
5680 /* Abandon the connection from this client */
5681 SSL_free(clientssl);
5682 clientssl = NULL;
5683
5684 /*
5685 * Now create a connection from a new client but with the same server SSL
5686 * object
5687 */
5688 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5689 NULL, NULL))
5690 /* Send the first ClientHello */
5691 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5692 SSL_ERROR_WANT_READ))
5693 /* This should fail because there is no cookie */
5694 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5695 /* Send the second ClientHello */
5696 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5697 SSL_ERROR_WANT_READ))
5698 /* This should succeed because a cookie is now present */
5699 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5700 /* Complete the connection */
5701 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5702 SSL_ERROR_NONE)))
5703 goto end;
5704
5705 shutdown_ssl_connection(serverssl, clientssl);
5706 serverssl = clientssl = NULL;
5707 testresult = 1;
5708
5709 end:
5710 SSL_free(serverssl);
5711 SSL_free(clientssl);
5712 SSL_CTX_free(sctx);
5713 SSL_CTX_free(cctx);
5714 return testresult;
5715
5716}
5717#endif /* OSSL_NO_USABLE_TLS1_3 */
5718
5719static int clntaddoldcb = 0;
5720static int clntparseoldcb = 0;
5721static int srvaddoldcb = 0;
5722static int srvparseoldcb = 0;
5723static int clntaddnewcb = 0;
5724static int clntparsenewcb = 0;
5725static int srvaddnewcb = 0;
5726static int srvparsenewcb = 0;
5727static int snicb = 0;
5728
5729#define TEST_EXT_TYPE1 0xff00
5730
5731static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5732 size_t *outlen, int *al, void *add_arg)
5733{
5734 int *server = (int *)add_arg;
5735 unsigned char *data;
5736
5737 if (SSL_is_server(s))
5738 srvaddoldcb++;
5739 else
5740 clntaddoldcb++;
5741
5742 if (*server != SSL_is_server(s)
5743 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5744 return -1;
5745
5746 *data = 1;
5747 *out = data;
5748 *outlen = sizeof(char);
5749 return 1;
5750}
5751
5752static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5753 void *add_arg)
5754{
5755 OPENSSL_free((unsigned char *)out);
5756}
5757
5758static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5759 size_t inlen, int *al, void *parse_arg)
5760{
5761 int *server = (int *)parse_arg;
5762
5763 if (SSL_is_server(s))
5764 srvparseoldcb++;
5765 else
5766 clntparseoldcb++;
5767
5768 if (*server != SSL_is_server(s)
5769 || inlen != sizeof(char)
5770 || *in != 1)
5771 return -1;
5772
5773 return 1;
5774}
5775
5776static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5777 const unsigned char **out, size_t *outlen, X509 *x,
5778 size_t chainidx, int *al, void *add_arg)
5779{
5780 int *server = (int *)add_arg;
5781 unsigned char *data;
5782
5783 if (SSL_is_server(s))
5784 srvaddnewcb++;
5785 else
5786 clntaddnewcb++;
5787
5788 if (*server != SSL_is_server(s)
5789 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5790 return -1;
5791
5792 *data = 1;
5793 *out = data;
5794 *outlen = sizeof(*data);
5795 return 1;
5796}
5797
5798static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5799 const unsigned char *out, void *add_arg)
5800{
5801 OPENSSL_free((unsigned char *)out);
5802}
5803
5804static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5805 const unsigned char *in, size_t inlen, X509 *x,
5806 size_t chainidx, int *al, void *parse_arg)
5807{
5808 int *server = (int *)parse_arg;
5809
5810 if (SSL_is_server(s))
5811 srvparsenewcb++;
5812 else
5813 clntparsenewcb++;
5814
5815 if (*server != SSL_is_server(s)
5816 || inlen != sizeof(char) || *in != 1)
5817 return -1;
5818
5819 return 1;
5820}
5821
5822static int sni_cb(SSL *s, int *al, void *arg)
5823{
5824 SSL_CTX *ctx = (SSL_CTX *)arg;
5825
5826 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5827 *al = SSL_AD_INTERNAL_ERROR;
5828 return SSL_TLSEXT_ERR_ALERT_FATAL;
5829 }
5830 snicb++;
5831 return SSL_TLSEXT_ERR_OK;
5832}
5833
5834static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5835{
5836 return 1;
5837}
5838
5839/*
5840 * Custom call back tests.
5841 * Test 0: Old style callbacks in TLSv1.2
5842 * Test 1: New style callbacks in TLSv1.2
5843 * Test 2: New style callbacks in TLSv1.2 with SNI
5844 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5845 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5846 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5847 */
5848static int test_custom_exts(int tst)
5849{
5850 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5851 SSL *clientssl = NULL, *serverssl = NULL;
5852 int testresult = 0;
5853 static int server = 1;
5854 static int client = 0;
5855 SSL_SESSION *sess = NULL;
5856 unsigned int context;
5857
5858#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5859 /* Skip tests for TLSv1.2 and below in this case */
5860 if (tst < 3)
5861 return 1;
5862#endif
5863
5864 /* Reset callback counters */
5865 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5866 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5867 snicb = 0;
5868
5869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5870 TLS_client_method(), TLS1_VERSION, 0,
5871 &sctx, &cctx, cert, privkey)))
5872 goto end;
5873
5874 if (tst == 2
5875 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5876 TLS1_VERSION, 0,
5877 &sctx2, NULL, cert, privkey)))
5878 goto end;
5879
5880
5881 if (tst < 3) {
5882 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5883 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5884 if (sctx2 != NULL)
5885 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5886 }
5887
5888 if (tst == 5) {
5889 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5890 | SSL_EXT_TLS1_3_CERTIFICATE;
5891 SSL_CTX_set_verify(sctx,
5892 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5893 verify_cb);
5894 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5895 SSL_FILETYPE_PEM), 1)
5896 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5897 SSL_FILETYPE_PEM), 1)
5898 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5899 goto end;
5900 } else if (tst == 4) {
5901 context = SSL_EXT_CLIENT_HELLO
5902 | SSL_EXT_TLS1_2_SERVER_HELLO
5903 | SSL_EXT_TLS1_3_SERVER_HELLO
5904 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5905 | SSL_EXT_TLS1_3_CERTIFICATE
5906 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5907 } else {
5908 context = SSL_EXT_CLIENT_HELLO
5909 | SSL_EXT_TLS1_2_SERVER_HELLO
5910 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5911 }
5912
5913 /* Create a client side custom extension */
5914 if (tst == 0) {
5915 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5916 old_add_cb, old_free_cb,
5917 &client, old_parse_cb,
5918 &client)))
5919 goto end;
5920 } else {
5921 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5922 new_add_cb, new_free_cb,
5923 &client, new_parse_cb, &client)))
5924 goto end;
5925 }
5926
5927 /* Should not be able to add duplicates */
5928 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5929 old_add_cb, old_free_cb,
5930 &client, old_parse_cb,
5931 &client))
5932 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5933 context, new_add_cb,
5934 new_free_cb, &client,
5935 new_parse_cb, &client)))
5936 goto end;
5937
5938 /* Create a server side custom extension */
5939 if (tst == 0) {
5940 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5941 old_add_cb, old_free_cb,
5942 &server, old_parse_cb,
5943 &server)))
5944 goto end;
5945 } else {
5946 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5947 new_add_cb, new_free_cb,
5948 &server, new_parse_cb, &server)))
5949 goto end;
5950 if (sctx2 != NULL
5951 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5952 context, new_add_cb,
5953 new_free_cb, &server,
5954 new_parse_cb, &server)))
5955 goto end;
5956 }
5957
5958 /* Should not be able to add duplicates */
5959 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5960 old_add_cb, old_free_cb,
5961 &server, old_parse_cb,
5962 &server))
5963 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5964 context, new_add_cb,
5965 new_free_cb, &server,
5966 new_parse_cb, &server)))
5967 goto end;
5968
5969 if (tst == 2) {
5970 /* Set up SNI */
5971 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5972 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5973 goto end;
5974 }
5975
5976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5977 &clientssl, NULL, NULL))
5978 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5979 SSL_ERROR_NONE)))
5980 goto end;
5981
5982 if (tst == 0) {
5983 if (clntaddoldcb != 1
5984 || clntparseoldcb != 1
5985 || srvaddoldcb != 1
5986 || srvparseoldcb != 1)
5987 goto end;
5988 } else if (tst == 1 || tst == 2 || tst == 3) {
5989 if (clntaddnewcb != 1
5990 || clntparsenewcb != 1
5991 || srvaddnewcb != 1
5992 || srvparsenewcb != 1
5993 || (tst != 2 && snicb != 0)
5994 || (tst == 2 && snicb != 1))
5995 goto end;
5996 } else if (tst == 5) {
5997 if (clntaddnewcb != 1
5998 || clntparsenewcb != 1
5999 || srvaddnewcb != 1
6000 || srvparsenewcb != 1)
6001 goto end;
6002 } else {
6003 /* In this case there 2 NewSessionTicket messages created */
6004 if (clntaddnewcb != 1
6005 || clntparsenewcb != 5
6006 || srvaddnewcb != 5
6007 || srvparsenewcb != 1)
6008 goto end;
6009 }
6010
6011 sess = SSL_get1_session(clientssl);
6012 SSL_shutdown(clientssl);
6013 SSL_shutdown(serverssl);
6014 SSL_free(serverssl);
6015 SSL_free(clientssl);
6016 serverssl = clientssl = NULL;
6017
6018 if (tst == 3 || tst == 5) {
6019 /* We don't bother with the resumption aspects for these tests */
6020 testresult = 1;
6021 goto end;
6022 }
6023
6024 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6025 NULL, NULL))
6026 || !TEST_true(SSL_set_session(clientssl, sess))
6027 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6028 SSL_ERROR_NONE)))
6029 goto end;
6030
6031 /*
6032 * For a resumed session we expect to add the ClientHello extension. For the
6033 * old style callbacks we ignore it on the server side because they set
6034 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6035 * them.
6036 */
6037 if (tst == 0) {
6038 if (clntaddoldcb != 2
6039 || clntparseoldcb != 1
6040 || srvaddoldcb != 1
6041 || srvparseoldcb != 1)
6042 goto end;
6043 } else if (tst == 1 || tst == 2 || tst == 3) {
6044 if (clntaddnewcb != 2
6045 || clntparsenewcb != 2
6046 || srvaddnewcb != 2
6047 || srvparsenewcb != 2)
6048 goto end;
6049 } else {
6050 /*
6051 * No Certificate message extensions in the resumption handshake,
6052 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6053 */
6054 if (clntaddnewcb != 2
6055 || clntparsenewcb != 8
6056 || srvaddnewcb != 8
6057 || srvparsenewcb != 2)
6058 goto end;
6059 }
6060
6061 testresult = 1;
6062
6063end:
6064 SSL_SESSION_free(sess);
6065 SSL_free(serverssl);
6066 SSL_free(clientssl);
6067 SSL_CTX_free(sctx2);
6068 SSL_CTX_free(sctx);
6069 SSL_CTX_free(cctx);
6070 return testresult;
6071}
6072
6073#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6074
6075#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6076 | SSL_EXT_CLIENT_HELLO \
6077 | SSL_EXT_TLS1_2_SERVER_HELLO \
6078 | SSL_EXT_IGNORE_ON_RESUMPTION)
6079
6080#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6081 | SSL_EXT_TLS1_2_SERVER_HELLO \
6082 | SSL_EXT_CLIENT_HELLO)
6083
6084#define SERVERINFO_CUSTOM \
6085 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6086 0x00, 0x03, \
6087 0x04, 0x05, 0x06 \
6088
6089static const unsigned char serverinfo_custom_tls13[] = {
6090 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6091 SERVERINFO_CUSTOM
6092};
6093static const unsigned char serverinfo_custom_v2[] = {
6094 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6095 SERVERINFO_CUSTOM
6096};
6097static const unsigned char serverinfo_custom_v1[] = {
6098 SERVERINFO_CUSTOM
6099};
6100static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6101static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6102static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6103
6104static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6105 unsigned int context,
6106 const unsigned char *in,
6107 size_t inlen, X509 *x,
6108 size_t chainidx, int *al,
6109 void *parse_arg)
6110{
6111 const size_t len = serverinfo_custom_v1_len;
6112 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6113 int *p_cb_result = (int*)parse_arg;
6114 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6115 return 1;
6116}
6117
6118static int test_serverinfo_custom(const int idx)
6119{
6120 SSL_CTX *sctx = NULL, *cctx = NULL;
6121 SSL *clientssl = NULL, *serverssl = NULL;
6122 int testresult = 0;
6123 int cb_result = 0;
6124
6125 /*
6126 * Following variables are set in the switch statement
6127 * according to the test iteration.
6128 * Default values do not make much sense: test would fail with them.
6129 */
6130 int serverinfo_version = 0;
6131 int protocol_version = 0;
6132 unsigned int extension_context = 0;
6133 const unsigned char *si = NULL;
6134 size_t si_len = 0;
6135
6136 const int call_use_serverinfo_ex = idx > 0;
6137 switch (idx) {
6138 case 0: /* FALLTHROUGH */
6139 case 1:
6140 serverinfo_version = SSL_SERVERINFOV1;
6141 protocol_version = TLS1_2_VERSION;
6142 extension_context = SYNTHV1CONTEXT;
6143 si = serverinfo_custom_v1;
6144 si_len = serverinfo_custom_v1_len;
6145 break;
6146 case 2:
6147 serverinfo_version = SSL_SERVERINFOV2;
6148 protocol_version = TLS1_2_VERSION;
6149 extension_context = SYNTHV1CONTEXT;
6150 si = serverinfo_custom_v2;
6151 si_len = serverinfo_custom_v2_len;
6152 break;
6153 case 3:
6154 serverinfo_version = SSL_SERVERINFOV2;
6155 protocol_version = TLS1_3_VERSION;
6156 extension_context = TLS13CONTEXT;
6157 si = serverinfo_custom_tls13;
6158 si_len = serverinfo_custom_tls13_len;
6159 break;
6160 }
6161
6162 if (!TEST_true(create_ssl_ctx_pair(libctx,
6163 TLS_method(),
6164 TLS_method(),
6165 protocol_version,
6166 protocol_version,
6167 &sctx, &cctx, cert, privkey)))
6168 goto end;
6169
6170 if (call_use_serverinfo_ex) {
6171 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6172 si, si_len)))
6173 goto end;
6174 } else {
6175 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6176 goto end;
6177 }
6178
6179 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6180 extension_context,
6181 NULL, NULL, NULL,
6182 serverinfo_custom_parse_cb,
6183 &cb_result))
6184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6185 NULL, NULL))
6186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6187 SSL_ERROR_NONE))
6188 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6189 goto end;
6190
6191 if (!TEST_true(cb_result))
6192 goto end;
6193
6194 testresult = 1;
6195
6196 end:
6197 SSL_free(serverssl);
6198 SSL_free(clientssl);
6199 SSL_CTX_free(sctx);
6200 SSL_CTX_free(cctx);
6201
6202 return testresult;
6203}
6204#endif
6205
6206/*
6207 * Test that SSL_export_keying_material() produces expected results. There are
6208 * no test vectors so all we do is test that both sides of the communication
6209 * produce the same results for different protocol versions.
6210 */
6211#define SMALL_LABEL_LEN 10
6212#define LONG_LABEL_LEN 249
6213static int test_export_key_mat(int tst)
6214{
6215 int testresult = 0;
6216 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6217 SSL *clientssl = NULL, *serverssl = NULL;
6218 const char label[LONG_LABEL_LEN + 1] = "test label";
6219 const unsigned char context[] = "context";
6220 const unsigned char *emptycontext = NULL;
6221 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6222 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6223 size_t labellen;
6224 const int protocols[] = {
6225 TLS1_VERSION,
6226 TLS1_1_VERSION,
6227 TLS1_2_VERSION,
6228 TLS1_3_VERSION,
6229 TLS1_3_VERSION,
6230 TLS1_3_VERSION
6231 };
6232
6233#ifdef OPENSSL_NO_TLS1
6234 if (tst == 0)
6235 return 1;
6236#endif
6237#ifdef OPENSSL_NO_TLS1_1
6238 if (tst == 1)
6239 return 1;
6240#endif
6241 if (is_fips && (tst == 0 || tst == 1))
6242 return 1;
6243#ifdef OPENSSL_NO_TLS1_2
6244 if (tst == 2)
6245 return 1;
6246#endif
6247#ifdef OSSL_NO_USABLE_TLS1_3
6248 if (tst >= 3)
6249 return 1;
6250#endif
6251 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6252 TLS_client_method(), TLS1_VERSION, 0,
6253 &sctx, &cctx, cert, privkey)))
6254 goto end;
6255
6256 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6257 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6258 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6259 if ((protocols[tst] < TLS1_2_VERSION) &&
6260 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6261 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6262 goto end;
6263
6264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6265 NULL)))
6266 goto end;
6267
6268 /*
6269 * Premature call of SSL_export_keying_material should just fail.
6270 */
6271 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6272 sizeof(ckeymat1), label,
6273 SMALL_LABEL_LEN + 1, context,
6274 sizeof(context) - 1, 1), 0))
6275 goto end;
6276
6277 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6278 SSL_ERROR_NONE)))
6279 goto end;
6280
6281 if (tst == 5) {
6282 /*
6283 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6284 * go over that.
6285 */
6286 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6287 sizeof(ckeymat1), label,
6288 LONG_LABEL_LEN + 1, context,
6289 sizeof(context) - 1, 1), 0))
6290 goto end;
6291
6292 testresult = 1;
6293 goto end;
6294 } else if (tst == 4) {
6295 labellen = LONG_LABEL_LEN;
6296 } else {
6297 labellen = SMALL_LABEL_LEN;
6298 }
6299
6300 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6301 sizeof(ckeymat1), label,
6302 labellen, context,
6303 sizeof(context) - 1, 1), 1)
6304 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6305 sizeof(ckeymat2), label,
6306 labellen,
6307 emptycontext,
6308 0, 1), 1)
6309 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6310 sizeof(ckeymat3), label,
6311 labellen,
6312 NULL, 0, 0), 1)
6313 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6314 sizeof(skeymat1), label,
6315 labellen,
6316 context,
6317 sizeof(context) -1, 1),
6318 1)
6319 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6320 sizeof(skeymat2), label,
6321 labellen,
6322 emptycontext,
6323 0, 1), 1)
6324 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6325 sizeof(skeymat3), label,
6326 labellen,
6327 NULL, 0, 0), 1)
6328 /*
6329 * Check that both sides created the same key material with the
6330 * same context.
6331 */
6332 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6333 sizeof(skeymat1))
6334 /*
6335 * Check that both sides created the same key material with an
6336 * empty context.
6337 */
6338 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6339 sizeof(skeymat2))
6340 /*
6341 * Check that both sides created the same key material without a
6342 * context.
6343 */
6344 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6345 sizeof(skeymat3))
6346 /* Different contexts should produce different results */
6347 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6348 sizeof(ckeymat2)))
6349 goto end;
6350
6351 /*
6352 * Check that an empty context and no context produce different results in
6353 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6354 */
6355 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6356 sizeof(ckeymat3)))
6357 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6358 sizeof(ckeymat3))))
6359 goto end;
6360
6361 testresult = 1;
6362
6363 end:
6364 SSL_free(serverssl);
6365 SSL_free(clientssl);
6366 SSL_CTX_free(sctx2);
6367 SSL_CTX_free(sctx);
6368 SSL_CTX_free(cctx);
6369
6370 return testresult;
6371}
6372
6373#ifndef OSSL_NO_USABLE_TLS1_3
6374/*
6375 * Test that SSL_export_keying_material_early() produces expected
6376 * results. There are no test vectors so all we do is test that both
6377 * sides of the communication produce the same results for different
6378 * protocol versions.
6379 */
6380static int test_export_key_mat_early(int idx)
6381{
6382 static const char label[] = "test label";
6383 static const unsigned char context[] = "context";
6384 int testresult = 0;
6385 SSL_CTX *cctx = NULL, *sctx = NULL;
6386 SSL *clientssl = NULL, *serverssl = NULL;
6387 SSL_SESSION *sess = NULL;
6388 const unsigned char *emptycontext = NULL;
6389 unsigned char ckeymat1[80], ckeymat2[80];
6390 unsigned char skeymat1[80], skeymat2[80];
6391 unsigned char buf[1];
6392 size_t readbytes, written;
6393
6394 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6395 &sess, idx, SHA384_DIGEST_LENGTH)))
6396 goto end;
6397
6398 /* Here writing 0 length early data is enough. */
6399 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6400 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6401 &readbytes),
6402 SSL_READ_EARLY_DATA_ERROR)
6403 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6404 SSL_EARLY_DATA_ACCEPTED))
6405 goto end;
6406
6407 if (!TEST_int_eq(SSL_export_keying_material_early(
6408 clientssl, ckeymat1, sizeof(ckeymat1), label,
6409 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6410 || !TEST_int_eq(SSL_export_keying_material_early(
6411 clientssl, ckeymat2, sizeof(ckeymat2), label,
6412 sizeof(label) - 1, emptycontext, 0), 1)
6413 || !TEST_int_eq(SSL_export_keying_material_early(
6414 serverssl, skeymat1, sizeof(skeymat1), label,
6415 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6416 || !TEST_int_eq(SSL_export_keying_material_early(
6417 serverssl, skeymat2, sizeof(skeymat2), label,
6418 sizeof(label) - 1, emptycontext, 0), 1)
6419 /*
6420 * Check that both sides created the same key material with the
6421 * same context.
6422 */
6423 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6424 sizeof(skeymat1))
6425 /*
6426 * Check that both sides created the same key material with an
6427 * empty context.
6428 */
6429 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6430 sizeof(skeymat2))
6431 /* Different contexts should produce different results */
6432 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6433 sizeof(ckeymat2)))
6434 goto end;
6435
6436 testresult = 1;
6437
6438 end:
6439 SSL_SESSION_free(sess);
6440 SSL_SESSION_free(clientpsk);
6441 SSL_SESSION_free(serverpsk);
6442 clientpsk = serverpsk = NULL;
6443 SSL_free(serverssl);
6444 SSL_free(clientssl);
6445 SSL_CTX_free(sctx);
6446 SSL_CTX_free(cctx);
6447
6448 return testresult;
6449}
6450
6451#define NUM_KEY_UPDATE_MESSAGES 40
6452/*
6453 * Test KeyUpdate.
6454 */
6455static int test_key_update(void)
6456{
6457 SSL_CTX *cctx = NULL, *sctx = NULL;
6458 SSL *clientssl = NULL, *serverssl = NULL;
6459 int testresult = 0, i, j;
6460 char buf[20];
6461 static char *mess = "A test message";
6462
6463 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6464 TLS_client_method(),
6465 TLS1_3_VERSION,
6466 0,
6467 &sctx, &cctx, cert, privkey))
6468 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6469 NULL, NULL))
6470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6471 SSL_ERROR_NONE)))
6472 goto end;
6473
6474 for (j = 0; j < 2; j++) {
6475 /* Send lots of KeyUpdate messages */
6476 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6477 if (!TEST_true(SSL_key_update(clientssl,
6478 (j == 0)
6479 ? SSL_KEY_UPDATE_NOT_REQUESTED
6480 : SSL_KEY_UPDATE_REQUESTED))
6481 || !TEST_true(SSL_do_handshake(clientssl)))
6482 goto end;
6483 }
6484
6485 /* Check that sending and receiving app data is ok */
6486 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6487 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6488 strlen(mess)))
6489 goto end;
6490
6491 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6492 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6493 strlen(mess)))
6494 goto end;
6495 }
6496
6497 testresult = 1;
6498
6499 end:
6500 SSL_free(serverssl);
6501 SSL_free(clientssl);
6502 SSL_CTX_free(sctx);
6503 SSL_CTX_free(cctx);
6504
6505 return testresult;
6506}
6507
6508/*
6509 * Test we can handle a KeyUpdate (update requested) message while
6510 * write data is pending in peer.
6511 * Test 0: Client sends KeyUpdate while Server is writing
6512 * Test 1: Server sends KeyUpdate while Client is writing
6513 */
6514static int test_key_update_peer_in_write(int tst)
6515{
6516 SSL_CTX *cctx = NULL, *sctx = NULL;
6517 SSL *clientssl = NULL, *serverssl = NULL;
6518 int testresult = 0;
6519 char buf[20];
6520 static char *mess = "A test message";
6521 BIO *bretry = BIO_new(bio_s_always_retry());
6522 BIO *tmp = NULL;
6523 SSL *peerupdate = NULL, *peerwrite = NULL;
6524
6525 if (!TEST_ptr(bretry)
6526 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6527 TLS_client_method(),
6528 TLS1_3_VERSION,
6529 0,
6530 &sctx, &cctx, cert, privkey))
6531 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6532 NULL, NULL))
6533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6534 SSL_ERROR_NONE)))
6535 goto end;
6536
6537 peerupdate = tst == 0 ? clientssl : serverssl;
6538 peerwrite = tst == 0 ? serverssl : clientssl;
6539
6540 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6541 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6542 goto end;
6543
6544 /* Swap the writing endpoint's write BIO to force a retry */
6545 tmp = SSL_get_wbio(peerwrite);
6546 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6547 tmp = NULL;
6548 goto end;
6549 }
6550 SSL_set0_wbio(peerwrite, bretry);
6551 bretry = NULL;
6552
6553 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6554 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6555 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6556 goto end;
6557
6558 /* Reinstate the original writing endpoint's write BIO */
6559 SSL_set0_wbio(peerwrite, tmp);
6560 tmp = NULL;
6561
6562 /* Now read some data - we will read the key update */
6563 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6564 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6565 goto end;
6566
6567 /*
6568 * Complete the write we started previously and read it from the other
6569 * endpoint
6570 */
6571 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6572 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6573 goto end;
6574
6575 /* Write more data to ensure we send the KeyUpdate message back */
6576 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6577 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6578 goto end;
6579
6580 testresult = 1;
6581
6582 end:
6583 SSL_free(serverssl);
6584 SSL_free(clientssl);
6585 SSL_CTX_free(sctx);
6586 SSL_CTX_free(cctx);
6587 BIO_free(bretry);
6588 BIO_free(tmp);
6589
6590 return testresult;
6591}
6592
6593/*
6594 * Test we can handle a KeyUpdate (update requested) message while
6595 * peer read data is pending after peer accepted keyupdate(the msg header
6596 * had been read 5 bytes).
6597 * Test 0: Client sends KeyUpdate while Server is reading
6598 * Test 1: Server sends KeyUpdate while Client is reading
6599 */
6600static int test_key_update_peer_in_read(int tst)
6601{
6602 SSL_CTX *cctx = NULL, *sctx = NULL;
6603 SSL *clientssl = NULL, *serverssl = NULL;
6604 int testresult = 0;
6605 char prbuf[515], lwbuf[515] = {0};
6606 static char *mess = "A test message";
6607 BIO *lbio = NULL, *pbio = NULL;
6608 SSL *local = NULL, *peer = NULL;
6609
6610 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6611 TLS_client_method(),
6612 TLS1_3_VERSION,
6613 0,
6614 &sctx, &cctx, cert, privkey))
6615 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6616 NULL, NULL))
6617 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6618 SSL_ERROR_NONE)))
6619 goto end;
6620
6621 local = tst == 0 ? clientssl : serverssl;
6622 peer = tst == 0 ? serverssl : clientssl;
6623
6624 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6625 goto end;
6626
6627 SSL_set_bio(local, lbio, lbio);
6628 SSL_set_bio(peer, pbio, pbio);
6629
6630 /*
6631 * we first write keyupdate msg then appdata in local
6632 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6633 * lwbuf app data msg size + key updata msg size > 512(the size of
6634 * the bio pair buffer)
6635 */
6636 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6637 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6638 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6639 goto end;
6640
6641 /*
6642 * first read keyupdate msg in peer in peer
6643 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6644 */
6645 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6646 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6647 goto end;
6648
6649 /* Now write some data in peer - we will write the key update */
6650 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6651 goto end;
6652
6653 /*
6654 * write data in local previously that we will complete
6655 * read data in peer previously that we will complete
6656 */
6657 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6658 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6659 goto end;
6660
6661 /* check that sending and receiving appdata ok */
6662 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6663 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6664 goto end;
6665
6666 testresult = 1;
6667
6668 end:
6669 SSL_free(serverssl);
6670 SSL_free(clientssl);
6671 SSL_CTX_free(sctx);
6672 SSL_CTX_free(cctx);
6673
6674 return testresult;
6675}
6676
6677/*
6678 * Test we can't send a KeyUpdate (update requested) message while
6679 * local write data is pending.
6680 * Test 0: Client sends KeyUpdate while Client is writing
6681 * Test 1: Server sends KeyUpdate while Server is writing
6682 */
6683static int test_key_update_local_in_write(int tst)
6684{
6685 SSL_CTX *cctx = NULL, *sctx = NULL;
6686 SSL *clientssl = NULL, *serverssl = NULL;
6687 int testresult = 0;
6688 char buf[20];
6689 static char *mess = "A test message";
6690 BIO *bretry = BIO_new(bio_s_always_retry());
6691 BIO *tmp = NULL;
6692 SSL *local = NULL, *peer = NULL;
6693
6694 if (!TEST_ptr(bretry)
6695 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6696 TLS_client_method(),
6697 TLS1_3_VERSION,
6698 0,
6699 &sctx, &cctx, cert, privkey))
6700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6701 NULL, NULL))
6702 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6703 SSL_ERROR_NONE)))
6704 goto end;
6705
6706 local = tst == 0 ? clientssl : serverssl;
6707 peer = tst == 0 ? serverssl : clientssl;
6708
6709 /* Swap the writing endpoint's write BIO to force a retry */
6710 tmp = SSL_get_wbio(local);
6711 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6712 tmp = NULL;
6713 goto end;
6714 }
6715 SSL_set0_wbio(local, bretry);
6716 bretry = NULL;
6717
6718 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6719 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6720 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6721 goto end;
6722
6723 /* Reinstate the original writing endpoint's write BIO */
6724 SSL_set0_wbio(local, tmp);
6725 tmp = NULL;
6726
6727 /* SSL_key_update will fail, because writing in local*/
6728 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6729 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6730 goto end;
6731
6732 ERR_clear_error();
6733 /* write data in local previously that we will complete */
6734 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6735 goto end;
6736
6737 /* SSL_key_update will succeed because there is no pending write data */
6738 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6739 || !TEST_int_eq(SSL_do_handshake(local), 1))
6740 goto end;
6741
6742 /*
6743 * we write some appdata in local
6744 * read data in peer - we will read the keyupdate msg
6745 */
6746 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6747 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6748 goto end;
6749
6750 /* Write more peer more data to ensure we send the keyupdate message back */
6751 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6752 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6753 goto end;
6754
6755 testresult = 1;
6756
6757 end:
6758 SSL_free(serverssl);
6759 SSL_free(clientssl);
6760 SSL_CTX_free(sctx);
6761 SSL_CTX_free(cctx);
6762 BIO_free(bretry);
6763 BIO_free(tmp);
6764
6765 return testresult;
6766}
6767
6768/*
6769 * Test we can handle a KeyUpdate (update requested) message while
6770 * local read data is pending(the msg header had been read 5 bytes).
6771 * Test 0: Client sends KeyUpdate while Client is reading
6772 * Test 1: Server sends KeyUpdate while Server is reading
6773 */
6774static int test_key_update_local_in_read(int tst)
6775{
6776 SSL_CTX *cctx = NULL, *sctx = NULL;
6777 SSL *clientssl = NULL, *serverssl = NULL;
6778 int testresult = 0;
6779 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6780 static char *mess = "A test message";
6781 BIO *lbio = NULL, *pbio = NULL;
6782 SSL *local = NULL, *peer = NULL;
6783
6784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6785 TLS_client_method(),
6786 TLS1_3_VERSION,
6787 0,
6788 &sctx, &cctx, cert, privkey))
6789 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6790 NULL, NULL))
6791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6792 SSL_ERROR_NONE)))
6793 goto end;
6794
6795 local = tst == 0 ? clientssl : serverssl;
6796 peer = tst == 0 ? serverssl : clientssl;
6797
6798 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6799 goto end;
6800
6801 SSL_set_bio(local, lbio, lbio);
6802 SSL_set_bio(peer, pbio, pbio);
6803
6804 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6805 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6806 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6807 goto end;
6808
6809 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6810 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6811 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6812 goto end;
6813
6814 /* SSL_do_handshake will send keyupdate msg */
6815 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6816 || !TEST_int_eq(SSL_do_handshake(local), 1))
6817 goto end;
6818
6819 /*
6820 * write data in peer previously that we will complete
6821 * read data in local previously that we will complete
6822 */
6823 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6824 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6825 goto end;
6826
6827 /*
6828 * write data in local
6829 * read data in peer - we will read the key update
6830 */
6831 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6832 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6833 goto end;
6834
6835 /* Write more peer data to ensure we send the keyupdate message back */
6836 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6837 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6838 goto end;
6839
6840 testresult = 1;
6841
6842 end:
6843 SSL_free(serverssl);
6844 SSL_free(clientssl);
6845 SSL_CTX_free(sctx);
6846 SSL_CTX_free(cctx);
6847
6848 return testresult;
6849}
6850#endif /* OSSL_NO_USABLE_TLS1_3 */
6851
6852static int test_ssl_clear(int idx)
6853{
6854 SSL_CTX *cctx = NULL, *sctx = NULL;
6855 SSL *clientssl = NULL, *serverssl = NULL;
6856 int testresult = 0;
6857
6858#ifdef OPENSSL_NO_TLS1_2
6859 if (idx == 1)
6860 return 1;
6861#endif
6862
6863 /* Create an initial connection */
6864 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6865 TLS_client_method(), TLS1_VERSION, 0,
6866 &sctx, &cctx, cert, privkey))
6867 || (idx == 1
6868 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6869 TLS1_2_VERSION)))
6870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6871 &clientssl, NULL, NULL))
6872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6873 SSL_ERROR_NONE)))
6874 goto end;
6875
6876 SSL_shutdown(clientssl);
6877 SSL_shutdown(serverssl);
6878 SSL_free(serverssl);
6879 serverssl = NULL;
6880
6881 /* Clear clientssl - we're going to reuse the object */
6882 if (!TEST_true(SSL_clear(clientssl)))
6883 goto end;
6884
6885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6886 NULL, NULL))
6887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6888 SSL_ERROR_NONE))
6889 || !TEST_true(SSL_session_reused(clientssl)))
6890 goto end;
6891
6892 SSL_shutdown(clientssl);
6893 SSL_shutdown(serverssl);
6894
6895 testresult = 1;
6896
6897 end:
6898 SSL_free(serverssl);
6899 SSL_free(clientssl);
6900 SSL_CTX_free(sctx);
6901 SSL_CTX_free(cctx);
6902
6903 return testresult;
6904}
6905
6906/* Parse CH and retrieve any MFL extension value if present */
6907static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6908{
6909 long len;
6910 unsigned char *data;
6911 PACKET pkt, pkt2, pkt3;
6912 unsigned int MFL_code = 0, type = 0;
6913
6914 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6915 goto end;
6916
6917 memset(&pkt, 0, sizeof(pkt));
6918 memset(&pkt2, 0, sizeof(pkt2));
6919 memset(&pkt3, 0, sizeof(pkt3));
6920
6921 if (!TEST_long_gt(len, 0)
6922 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6923 /* Skip the record header */
6924 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6925 /* Skip the handshake message header */
6926 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6927 /* Skip client version and random */
6928 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6929 + SSL3_RANDOM_SIZE))
6930 /* Skip session id */
6931 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6932 /* Skip ciphers */
6933 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6934 /* Skip compression */
6935 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6936 /* Extensions len */
6937 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6938 goto end;
6939
6940 /* Loop through all extensions */
6941 while (PACKET_remaining(&pkt2)) {
6942 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6943 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6944 goto end;
6945
6946 if (type == TLSEXT_TYPE_max_fragment_length) {
6947 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6948 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6949 goto end;
6950
6951 *mfl_codemfl_code = MFL_code;
6952 return 1;
6953 }
6954 }
6955
6956 end:
6957 return 0;
6958}
6959
6960/* Maximum-Fragment-Length TLS extension mode to test */
6961static const unsigned char max_fragment_len_test[] = {
6962 TLSEXT_max_fragment_length_512,
6963 TLSEXT_max_fragment_length_1024,
6964 TLSEXT_max_fragment_length_2048,
6965 TLSEXT_max_fragment_length_4096
6966};
6967
6968static int test_max_fragment_len_ext(int idx_tst)
6969{
6970 SSL_CTX *ctx = NULL;
6971 SSL *con = NULL;
6972 int testresult = 0, MFL_mode = 0;
6973 BIO *rbio, *wbio;
6974
6975 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6976 TLS1_VERSION, 0, NULL, &ctx, NULL,
6977 NULL)))
6978 return 0;
6979
6980 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6981 ctx, max_fragment_len_test[idx_tst])))
6982 goto end;
6983
6984 con = SSL_new(ctx);
6985 if (!TEST_ptr(con))
6986 goto end;
6987
6988 rbio = BIO_new(BIO_s_mem());
6989 wbio = BIO_new(BIO_s_mem());
6990 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6991 BIO_free(rbio);
6992 BIO_free(wbio);
6993 goto end;
6994 }
6995
6996 SSL_set_bio(con, rbio, wbio);
6997
6998 if (!TEST_int_le(SSL_connect(con), 0)) {
6999 /* This shouldn't succeed because we don't have a server! */
7000 goto end;
7001 }
7002
7003 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7004 /* no MFL in client hello */
7005 goto end;
7006 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7007 goto end;
7008
7009 testresult = 1;
7010
7011end:
7012 SSL_free(con);
7013 SSL_CTX_free(ctx);
7014
7015 return testresult;
7016}
7017
7018#ifndef OSSL_NO_USABLE_TLS1_3
7019static int test_pha_key_update(void)
7020{
7021 SSL_CTX *cctx = NULL, *sctx = NULL;
7022 SSL *clientssl = NULL, *serverssl = NULL;
7023 int testresult = 0;
7024
7025 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7026 TLS_client_method(), TLS1_VERSION, 0,
7027 &sctx, &cctx, cert, privkey)))
7028 return 0;
7029
7030 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7031 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7032 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7033 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7034 goto end;
7035
7036 SSL_CTX_set_post_handshake_auth(cctx, 1);
7037
7038 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7039 NULL, NULL)))
7040 goto end;
7041
7042 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7043 SSL_ERROR_NONE)))
7044 goto end;
7045
7046 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7047 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7048 goto end;
7049
7050 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7051 goto end;
7052
7053 /* Start handshake on the server */
7054 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7055 goto end;
7056
7057 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7058 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7059 SSL_ERROR_NONE)))
7060 goto end;
7061
7062 SSL_shutdown(clientssl);
7063 SSL_shutdown(serverssl);
7064
7065 testresult = 1;
7066
7067 end:
7068 SSL_free(serverssl);
7069 SSL_free(clientssl);
7070 SSL_CTX_free(sctx);
7071 SSL_CTX_free(cctx);
7072 return testresult;
7073}
7074#endif
7075
7076#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7077
7078static SRP_VBASE *vbase = NULL;
7079
7080static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7081{
7082 int ret = SSL3_AL_FATAL;
7083 char *username;
7084 SRP_user_pwd *user = NULL;
7085
7086 username = SSL_get_srp_username(s);
7087 if (username == NULL) {
7088 *ad = SSL_AD_INTERNAL_ERROR;
7089 goto err;
7090 }
7091
7092 user = SRP_VBASE_get1_by_user(vbase, username);
7093 if (user == NULL) {
7094 *ad = SSL_AD_INTERNAL_ERROR;
7095 goto err;
7096 }
7097
7098 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7099 user->info) <= 0) {
7100 *ad = SSL_AD_INTERNAL_ERROR;
7101 goto err;
7102 }
7103
7104 ret = 0;
7105
7106 err:
7107 SRP_user_pwd_free(user);
7108 return ret;
7109}
7110
7111static int create_new_vfile(char *userid, char *password, const char *filename)
7112{
7113 char *gNid = NULL;
7114 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7115 TXT_DB *db = NULL;
7116 int ret = 0;
7117 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7118 size_t i;
7119
7120 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7121 goto end;
7122
7123 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7124 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7125 if (!TEST_ptr(gNid))
7126 goto end;
7127
7128 /*
7129 * The only way to create an empty TXT_DB is to provide a BIO with no data
7130 * in it!
7131 */
7132 db = TXT_DB_read(dummy, DB_NUMBER);
7133 if (!TEST_ptr(db))
7134 goto end;
7135
7136 out = BIO_new_file(filename, "w");
7137 if (!TEST_ptr(out))
7138 goto end;
7139
7140 row[DB_srpid] = OPENSSL_strdup(userid);
7141 row[DB_srptype] = OPENSSL_strdup("V");
7142 row[DB_srpgN] = OPENSSL_strdup(gNid);
7143
7144 if (!TEST_ptr(row[DB_srpid])
7145 || !TEST_ptr(row[DB_srptype])
7146 || !TEST_ptr(row[DB_srpgN])
7147 || !TEST_true(TXT_DB_insert(db, row)))
7148 goto end;
7149
7150 row = NULL;
7151
7152 if (TXT_DB_write(out, db) <= 0)
7153 goto end;
7154
7155 ret = 1;
7156 end:
7157 if (row != NULL) {
7158 for (i = 0; i < DB_NUMBER; i++)
7159 OPENSSL_free(row[i]);
7160 }
7161 OPENSSL_free(row);
7162 BIO_free(dummy);
7163 BIO_free(out);
7164 TXT_DB_free(db);
7165
7166 return ret;
7167}
7168
7169static int create_new_vbase(char *userid, char *password)
7170{
7171 BIGNUM *verifier = NULL, *salt = NULL;
7172 const SRP_gN *lgN = NULL;
7173 SRP_user_pwd *user_pwd = NULL;
7174 int ret = 0;
7175
7176 lgN = SRP_get_default_gN(NULL);
7177 if (!TEST_ptr(lgN))
7178 goto end;
7179
7180 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7181 lgN->N, lgN->g, libctx, NULL)))
7182 goto end;
7183
7184 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7185 if (!TEST_ptr(user_pwd))
7186 goto end;
7187
7188 user_pwd->N = lgN->N;
7189 user_pwd->g = lgN->g;
7190 user_pwd->id = OPENSSL_strdup(userid);
7191 if (!TEST_ptr(user_pwd->id))
7192 goto end;
7193
7194 user_pwd->v = verifier;
7195 user_pwd->s = salt;
7196 verifier = salt = NULL;
7197
7198 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7199 goto end;
7200 user_pwd = NULL;
7201
7202 ret = 1;
7203end:
7204 SRP_user_pwd_free(user_pwd);
7205 BN_free(salt);
7206 BN_free(verifier);
7207
7208 return ret;
7209}
7210
7211/*
7212 * SRP tests
7213 *
7214 * Test 0: Simple successful SRP connection, new vbase
7215 * Test 1: Connection failure due to bad password, new vbase
7216 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7217 * Test 3: Connection failure due to bad password, vbase loaded from existing
7218 * file
7219 * Test 4: Simple successful SRP connection, vbase loaded from new file
7220 * Test 5: Connection failure due to bad password, vbase loaded from new file
7221 */
7222static int test_srp(int tst)
7223{
7224 char *userid = "test", *password = "password", *tstsrpfile;
7225 SSL_CTX *cctx = NULL, *sctx = NULL;
7226 SSL *clientssl = NULL, *serverssl = NULL;
7227 int ret, testresult = 0;
7228
7229 vbase = SRP_VBASE_new(NULL);
7230 if (!TEST_ptr(vbase))
7231 goto end;
7232
7233 if (tst == 0 || tst == 1) {
7234 if (!TEST_true(create_new_vbase(userid, password)))
7235 goto end;
7236 } else {
7237 if (tst == 4 || tst == 5) {
7238 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7239 goto end;
7240 tstsrpfile = tmpfilename;
7241 } else {
7242 tstsrpfile = srpvfile;
7243 }
7244 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7245 goto end;
7246 }
7247
7248 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7249 TLS_client_method(), TLS1_VERSION, 0,
7250 &sctx, &cctx, cert, privkey)))
7251 goto end;
7252
7253 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7254 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7255 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7256 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7257 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7258 goto end;
7259
7260 if (tst % 2 == 1) {
7261 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7262 goto end;
7263 } else {
7264 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7265 goto end;
7266 }
7267
7268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7269 NULL, NULL)))
7270 goto end;
7271
7272 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7273 if (ret) {
7274 if (!TEST_true(tst % 2 == 0))
7275 goto end;
7276 } else {
7277 if (!TEST_true(tst % 2 == 1))
7278 goto end;
7279 }
7280
7281 testresult = 1;
7282
7283 end:
7284 SRP_VBASE_free(vbase);
7285 vbase = NULL;
7286 SSL_free(serverssl);
7287 SSL_free(clientssl);
7288 SSL_CTX_free(sctx);
7289 SSL_CTX_free(cctx);
7290
7291 return testresult;
7292}
7293#endif
7294
7295static int info_cb_failed = 0;
7296static int info_cb_offset = 0;
7297static int info_cb_this_state = -1;
7298
7299static struct info_cb_states_st {
7300 int where;
7301 const char *statestr;
7302} info_cb_states[][60] = {
7303 {
7304 /* TLSv1.2 server followed by resumption */
7305 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7306 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7307 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7308 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7309 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7310 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7311 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7312 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7313 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7314 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7315 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7316 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7317 {SSL_CB_EXIT, NULL}, {0, NULL},
7318 }, {
7319 /* TLSv1.2 client followed by resumption */
7320 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7321 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7322 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7323 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7324 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7325 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7326 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7327 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7328 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7329 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7330 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7331 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7332 }, {
7333 /* TLSv1.3 server followed by resumption */
7334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7335 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7336 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7337 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7338 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7339 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7340 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7341 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7342 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7343 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7344 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7345 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7346 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7347 }, {
7348 /* TLSv1.3 client followed by resumption */
7349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7350 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7351 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7352 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7353 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7354 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7355 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7356 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7357 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7358 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7359 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7360 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7361 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7362 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7363 {SSL_CB_EXIT, NULL}, {0, NULL},
7364 }, {
7365 /* TLSv1.3 server, early_data */
7366 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7367 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7368 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7371 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7372 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7373 {SSL_CB_EXIT, NULL}, {0, NULL},
7374 }, {
7375 /* TLSv1.3 client, early_data */
7376 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7377 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7378 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7379 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7380 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7381 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7382 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7383 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7384 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7385 }, {
7386 {0, NULL},
7387 }
7388};
7389
7390static void sslapi_info_callback(const SSL *s, int where, int ret)
7391{
7392 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7393
7394 /* We do not ever expect a connection to fail in this test */
7395 if (!TEST_false(ret == 0)) {
7396 info_cb_failed = 1;
7397 return;
7398 }
7399
7400 /*
7401 * Do some sanity checks. We never expect these things to happen in this
7402 * test
7403 */
7404 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7405 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7406 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7407 info_cb_failed = 1;
7408 return;
7409 }
7410
7411 /* Now check we're in the right state */
7412 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7413 info_cb_failed = 1;
7414 return;
7415 }
7416 if ((where & SSL_CB_LOOP) != 0
7417 && !TEST_int_eq(strcmp(SSL_state_string(s),
7418 state[info_cb_this_state].statestr), 0)) {
7419 info_cb_failed = 1;
7420 return;
7421 }
7422
7423 /*
7424 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7425 */
7426 if ((where & SSL_CB_HANDSHAKE_DONE)
7427 && SSL_in_init((SSL *)s) != 0) {
7428 info_cb_failed = 1;
7429 return;
7430 }
7431}
7432
7433/*
7434 * Test the info callback gets called when we expect it to.
7435 *
7436 * Test 0: TLSv1.2, server
7437 * Test 1: TLSv1.2, client
7438 * Test 2: TLSv1.3, server
7439 * Test 3: TLSv1.3, client
7440 * Test 4: TLSv1.3, server, early_data
7441 * Test 5: TLSv1.3, client, early_data
7442 */
7443static int test_info_callback(int tst)
7444{
7445 SSL_CTX *cctx = NULL, *sctx = NULL;
7446 SSL *clientssl = NULL, *serverssl = NULL;
7447 SSL_SESSION *clntsess = NULL;
7448 int testresult = 0;
7449 int tlsvers;
7450
7451 if (tst < 2) {
7452/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7453#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7454 || !defined(OPENSSL_NO_DH))
7455 tlsvers = TLS1_2_VERSION;
7456#else
7457 return 1;
7458#endif
7459 } else {
7460#ifndef OSSL_NO_USABLE_TLS1_3
7461 tlsvers = TLS1_3_VERSION;
7462#else
7463 return 1;
7464#endif
7465 }
7466
7467 /* Reset globals */
7468 info_cb_failed = 0;
7469 info_cb_this_state = -1;
7470 info_cb_offset = tst;
7471
7472#ifndef OSSL_NO_USABLE_TLS1_3
7473 if (tst >= 4) {
7474 SSL_SESSION *sess = NULL;
7475 size_t written, readbytes;
7476 unsigned char buf[80];
7477
7478 /* early_data tests */
7479 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7480 &serverssl, &sess, 0,
7481 SHA384_DIGEST_LENGTH)))
7482 goto end;
7483
7484 /* We don't actually need this reference */
7485 SSL_SESSION_free(sess);
7486
7487 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7488 sslapi_info_callback);
7489
7490 /* Write and read some early data and then complete the connection */
7491 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7492 &written))
7493 || !TEST_size_t_eq(written, strlen(MSG1))
7494 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7495 sizeof(buf), &readbytes),
7496 SSL_READ_EARLY_DATA_SUCCESS)
7497 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7498 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7499 SSL_EARLY_DATA_ACCEPTED)
7500 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7501 SSL_ERROR_NONE))
7502 || !TEST_false(info_cb_failed))
7503 goto end;
7504
7505 testresult = 1;
7506 goto end;
7507 }
7508#endif
7509
7510 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7511 TLS_client_method(),
7512 tlsvers, tlsvers, &sctx, &cctx, cert,
7513 privkey)))
7514 goto end;
7515
7516 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7517 goto end;
7518
7519 /*
7520 * For even numbered tests we check the server callbacks. For odd numbers we
7521 * check the client.
7522 */
7523 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7524 sslapi_info_callback);
7525
7526 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7527 &clientssl, NULL, NULL))
7528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7529 SSL_ERROR_NONE))
7530 || !TEST_false(info_cb_failed))
7531 goto end;
7532
7533
7534
7535 clntsess = SSL_get1_session(clientssl);
7536 SSL_shutdown(clientssl);
7537 SSL_shutdown(serverssl);
7538 SSL_free(serverssl);
7539 SSL_free(clientssl);
7540 serverssl = clientssl = NULL;
7541
7542 /* Now do a resumption */
7543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7544 NULL))
7545 || !TEST_true(SSL_set_session(clientssl, clntsess))
7546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7547 SSL_ERROR_NONE))
7548 || !TEST_true(SSL_session_reused(clientssl))
7549 || !TEST_false(info_cb_failed))
7550 goto end;
7551
7552 testresult = 1;
7553
7554 end:
7555 SSL_free(serverssl);
7556 SSL_free(clientssl);
7557 SSL_SESSION_free(clntsess);
7558 SSL_CTX_free(sctx);
7559 SSL_CTX_free(cctx);
7560 return testresult;
7561}
7562
7563static int test_ssl_pending(int tst)
7564{
7565 SSL_CTX *cctx = NULL, *sctx = NULL;
7566 SSL *clientssl = NULL, *serverssl = NULL;
7567 int testresult = 0;
7568 char msg[] = "A test message";
7569 char buf[5];
7570 size_t written, readbytes;
7571
7572 if (tst == 0) {
7573 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7574 TLS_client_method(),
7575 TLS1_VERSION, 0,
7576 &sctx, &cctx, cert, privkey)))
7577 goto end;
7578 } else {
7579#ifndef OPENSSL_NO_DTLS
7580 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7581 DTLS_client_method(),
7582 DTLS1_VERSION, 0,
7583 &sctx, &cctx, cert, privkey)))
7584 goto end;
7585
7586# ifdef OPENSSL_NO_DTLS1_2
7587 /* Not supported in the FIPS provider */
7588 if (is_fips) {
7589 testresult = 1;
7590 goto end;
7591 };
7592 /*
7593 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7594 * level 0
7595 */
7596 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7597 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7598 "DEFAULT:@SECLEVEL=0")))
7599 goto end;
7600# endif
7601#else
7602 return 1;
7603#endif
7604 }
7605
7606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7607 NULL, NULL))
7608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7609 SSL_ERROR_NONE)))
7610 goto end;
7611
7612 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7613 || !TEST_false(SSL_has_pending(clientssl))
7614 || !TEST_int_eq(SSL_pending(serverssl), 0)
7615 || !TEST_false(SSL_has_pending(serverssl))
7616 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7617 || !TEST_size_t_eq(written, sizeof(msg))
7618 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7619 || !TEST_size_t_eq(readbytes, sizeof(buf))
7620 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7621 || !TEST_true(SSL_has_pending(clientssl)))
7622 goto end;
7623
7624 testresult = 1;
7625
7626 end:
7627 SSL_free(serverssl);
7628 SSL_free(clientssl);
7629 SSL_CTX_free(sctx);
7630 SSL_CTX_free(cctx);
7631
7632 return testresult;
7633}
7634
7635static struct {
7636 unsigned int maxprot;
7637 const char *clntciphers;
7638 const char *clnttls13ciphers;
7639 const char *srvrciphers;
7640 const char *srvrtls13ciphers;
7641 const char *shared;
7642 const char *fipsshared;
7643} shared_ciphers_data[] = {
7644/*
7645 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7646 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7647 */
7648#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7649 {
7650 TLS1_2_VERSION,
7651 "AES128-SHA:AES256-SHA",
7652 NULL,
7653 "AES256-SHA:DHE-RSA-AES128-SHA",
7654 NULL,
7655 "AES256-SHA",
7656 "AES256-SHA"
7657 },
7658# if !defined(OPENSSL_NO_CHACHA) \
7659 && !defined(OPENSSL_NO_POLY1305) \
7660 && !defined(OPENSSL_NO_EC)
7661 {
7662 TLS1_2_VERSION,
7663 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7664 NULL,
7665 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7666 NULL,
7667 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7668 "AES128-SHA"
7669 },
7670# endif
7671 {
7672 TLS1_2_VERSION,
7673 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7674 NULL,
7675 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7676 NULL,
7677 "AES128-SHA:AES256-SHA",
7678 "AES128-SHA:AES256-SHA"
7679 },
7680 {
7681 TLS1_2_VERSION,
7682 "AES128-SHA:AES256-SHA",
7683 NULL,
7684 "AES128-SHA:DHE-RSA-AES128-SHA",
7685 NULL,
7686 "AES128-SHA",
7687 "AES128-SHA"
7688 },
7689#endif
7690/*
7691 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7692 * enabled.
7693 */
7694#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7695 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7696 {
7697 TLS1_3_VERSION,
7698 "AES128-SHA:AES256-SHA",
7699 NULL,
7700 "AES256-SHA:AES128-SHA256",
7701 NULL,
7702 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7703 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7704 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7705 },
7706#endif
7707#ifndef OSSL_NO_USABLE_TLS1_3
7708 {
7709 TLS1_3_VERSION,
7710 "AES128-SHA",
7711 "TLS_AES_256_GCM_SHA384",
7712 "AES256-SHA",
7713 "TLS_AES_256_GCM_SHA384",
7714 "TLS_AES_256_GCM_SHA384",
7715 "TLS_AES_256_GCM_SHA384"
7716 },
7717#endif
7718};
7719
7720static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7721{
7722 SSL_CTX *cctx = NULL, *sctx = NULL;
7723 SSL *clientssl = NULL, *serverssl = NULL;
7724 int testresult = 0;
7725 char buf[1024];
7726 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7727
7728 if (!TEST_ptr(tmplibctx))
7729 goto end;
7730
7731 /*
7732 * Regardless of whether we're testing with the FIPS provider loaded into
7733 * libctx, we want one peer to always use the full set of ciphersuites
7734 * available. Therefore we use a separate libctx with the default provider
7735 * loaded into it. We run the same tests twice - once with the client side
7736 * having the full set of ciphersuites and once with the server side.
7737 */
7738 if (clnt) {
7739 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7740 if (!TEST_ptr(cctx))
7741 goto end;
7742 } else {
7743 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7744 if (!TEST_ptr(sctx))
7745 goto end;
7746 }
7747
7748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7749 TLS_client_method(),
7750 TLS1_VERSION,
7751 shared_ciphers_data[tst].maxprot,
7752 &sctx, &cctx, cert, privkey)))
7753 goto end;
7754
7755 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7756 shared_ciphers_data[tst].clntciphers))
7757 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7758 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7759 shared_ciphers_data[tst].clnttls13ciphers)))
7760 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7761 shared_ciphers_data[tst].srvrciphers))
7762 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7763 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7764 shared_ciphers_data[tst].srvrtls13ciphers))))
7765 goto end;
7766
7767
7768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7769 NULL, NULL))
7770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7771 SSL_ERROR_NONE)))
7772 goto end;
7773
7774 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7775 || !TEST_int_eq(strcmp(buf,
7776 is_fips
7777 ? shared_ciphers_data[tst].fipsshared
7778 : shared_ciphers_data[tst].shared),
7779 0)) {
7780 TEST_info("Shared ciphers are: %s\n", buf);
7781 goto end;
7782 }
7783
7784 testresult = 1;
7785
7786 end:
7787 SSL_free(serverssl);
7788 SSL_free(clientssl);
7789 SSL_CTX_free(sctx);
7790 SSL_CTX_free(cctx);
7791 OSSL_LIB_CTX_free(tmplibctx);
7792
7793 return testresult;
7794}
7795
7796static int test_ssl_get_shared_ciphers(int tst)
7797{
7798 return int_test_ssl_get_shared_ciphers(tst, 0)
7799 && int_test_ssl_get_shared_ciphers(tst, 1);
7800}
7801
7802
7803static const char *appdata = "Hello World";
7804static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7805static int tick_key_renew = 0;
7806static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7807
7808static int gen_tick_cb(SSL *s, void *arg)
7809{
7810 gen_tick_called = 1;
7811
7812 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7813 strlen(appdata));
7814}
7815
7816static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7817 const unsigned char *keyname,
7818 size_t keyname_length,
7819 SSL_TICKET_STATUS status,
7820 void *arg)
7821{
7822 void *tickdata;
7823 size_t tickdlen;
7824
7825 dec_tick_called = 1;
7826
7827 if (status == SSL_TICKET_EMPTY)
7828 return SSL_TICKET_RETURN_IGNORE_RENEW;
7829
7830 if (!TEST_true(status == SSL_TICKET_SUCCESS
7831 || status == SSL_TICKET_SUCCESS_RENEW))
7832 return SSL_TICKET_RETURN_ABORT;
7833
7834 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7835 &tickdlen))
7836 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7837 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7838 return SSL_TICKET_RETURN_ABORT;
7839
7840 if (tick_key_cb_called) {
7841 /* Don't change what the ticket key callback wanted to do */
7842 switch (status) {
7843 case SSL_TICKET_NO_DECRYPT:
7844 return SSL_TICKET_RETURN_IGNORE_RENEW;
7845
7846 case SSL_TICKET_SUCCESS:
7847 return SSL_TICKET_RETURN_USE;
7848
7849 case SSL_TICKET_SUCCESS_RENEW:
7850 return SSL_TICKET_RETURN_USE_RENEW;
7851
7852 default:
7853 return SSL_TICKET_RETURN_ABORT;
7854 }
7855 }
7856 return tick_dec_ret;
7857
7858}
7859
7860#ifndef OPENSSL_NO_DEPRECATED_3_0
7861static int tick_key_cb(SSL *s, unsigned char key_name[16],
7862 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7863 HMAC_CTX *hctx, int enc)
7864{
7865 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7866 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7867 EVP_CIPHER *aes128cbc;
7868 EVP_MD *sha256;
7869 int ret;
7870
7871 tick_key_cb_called = 1;
7872
7873 if (tick_key_renew == -1)
7874 return 0;
7875
7876 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7877 if (!TEST_ptr(aes128cbc))
7878 return 0;
7879 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7880 if (!TEST_ptr(sha256)) {
7881 EVP_CIPHER_free(aes128cbc);
7882 return 0;
7883 }
7884
7885 memset(iv, 0, AES_BLOCK_SIZE);
7886 memset(key_name, 0, 16);
7887 if (aes128cbc == NULL
7888 || sha256 == NULL
7889 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7890 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7891 NULL))
7892 ret = -1;
7893 else
7894 ret = tick_key_renew ? 2 : 1;
7895
7896 EVP_CIPHER_free(aes128cbc);
7897 EVP_MD_free(sha256);
7898
7899 return ret;
7900}
7901#endif
7902
7903static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7904 unsigned char iv[EVP_MAX_IV_LENGTH],
7905 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7906{
7907 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7908 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7909 OSSL_PARAM params[2];
7910 EVP_CIPHER *aes128cbc;
7911 int ret;
7912
7913 tick_key_cb_called = 1;
7914
7915 if (tick_key_renew == -1)
7916 return 0;
7917
7918 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7919 if (!TEST_ptr(aes128cbc))
7920 return 0;
7921
7922 memset(iv, 0, AES_BLOCK_SIZE);
7923 memset(key_name, 0, 16);
7924 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7925 "SHA256", 0);
7926 params[1] = OSSL_PARAM_construct_end();
7927 if (aes128cbc == NULL
7928 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7929 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7930 params))
7931 ret = -1;
7932 else
7933 ret = tick_key_renew ? 2 : 1;
7934
7935 EVP_CIPHER_free(aes128cbc);
7936
7937 return ret;
7938}
7939
7940/*
7941 * Test the various ticket callbacks
7942 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7943 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7944 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7945 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7946 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7947 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7948 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7949 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7950 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7951 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7952 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7953 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7954 * Test 12: TLSv1.2, old ticket key callback, no ticket
7955 * Test 13: TLSv1.3, old ticket key callback, no ticket
7956 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7957 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7958 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7959 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7960 * Test 18: TLSv1.2, ticket key callback, no ticket
7961 * Test 19: TLSv1.3, ticket key callback, no ticket
7962 */
7963static int test_ticket_callbacks(int tst)
7964{
7965 SSL_CTX *cctx = NULL, *sctx = NULL;
7966 SSL *clientssl = NULL, *serverssl = NULL;
7967 SSL_SESSION *clntsess = NULL;
7968 int testresult = 0;
7969
7970#ifdef OPENSSL_NO_TLS1_2
7971 if (tst % 2 == 0)
7972 return 1;
7973#endif
7974#ifdef OSSL_NO_USABLE_TLS1_3
7975 if (tst % 2 == 1)
7976 return 1;
7977#endif
7978#ifdef OPENSSL_NO_DEPRECATED_3_0
7979 if (tst >= 8 && tst <= 13)
7980 return 1;
7981#endif
7982
7983 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7984
7985 /* Which tests the ticket key callback should request renewal for */
7986
7987 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7988 tick_key_renew = 1;
7989 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7990 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7991 else
7992 tick_key_renew = 0;
7993
7994 /* Which tests the decrypt ticket callback should request renewal for */
7995 switch (tst) {
7996 case 0:
7997 case 1:
7998 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7999 break;
8000
8001 case 2:
8002 case 3:
8003 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8004 break;
8005
8006 case 4:
8007 case 5:
8008 tick_dec_ret = SSL_TICKET_RETURN_USE;
8009 break;
8010
8011 case 6:
8012 case 7:
8013 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8014 break;
8015
8016 default:
8017 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8018 }
8019
8020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8021 TLS_client_method(),
8022 TLS1_VERSION,
8023 ((tst % 2) == 0) ? TLS1_2_VERSION
8024 : TLS1_3_VERSION,
8025 &sctx, &cctx, cert, privkey)))
8026 goto end;
8027
8028 /*
8029 * We only want sessions to resume from tickets - not the session cache. So
8030 * switch the cache off.
8031 */
8032 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8033 goto end;
8034
8035 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8036 NULL)))
8037 goto end;
8038
8039 if (tst >= 14) {
8040 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8041 goto end;
8042#ifndef OPENSSL_NO_DEPRECATED_3_0
8043 } else if (tst >= 8) {
8044 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8045 goto end;
8046#endif
8047 }
8048
8049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8050 NULL, NULL))
8051 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8052 SSL_ERROR_NONE)))
8053 goto end;
8054
8055 /*
8056 * The decrypt ticket key callback in TLSv1.2 should be called even though
8057 * we have no ticket yet, because it gets called with a status of
8058 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8059 * actually send any ticket data). This does not happen in TLSv1.3 because
8060 * it is not valid to send empty ticket data in TLSv1.3.
8061 */
8062 if (!TEST_int_eq(gen_tick_called, 1)
8063 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8064 goto end;
8065
8066 gen_tick_called = dec_tick_called = 0;
8067
8068 clntsess = SSL_get1_session(clientssl);
8069 SSL_shutdown(clientssl);
8070 SSL_shutdown(serverssl);
8071 SSL_free(serverssl);
8072 SSL_free(clientssl);
8073 serverssl = clientssl = NULL;
8074
8075 /* Now do a resumption */
8076 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8077 NULL))
8078 || !TEST_true(SSL_set_session(clientssl, clntsess))
8079 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8080 SSL_ERROR_NONE)))
8081 goto end;
8082
8083 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8084 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8085 || tick_key_renew == -1) {
8086 if (!TEST_false(SSL_session_reused(clientssl)))
8087 goto end;
8088 } else {
8089 if (!TEST_true(SSL_session_reused(clientssl)))
8090 goto end;
8091 }
8092
8093 if (!TEST_int_eq(gen_tick_called,
8094 (tick_key_renew
8095 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8096 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8097 ? 1 : 0)
8098 /* There is no ticket to decrypt in tests 13 and 19 */
8099 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8100 goto end;
8101
8102 testresult = 1;
8103
8104 end:
8105 SSL_SESSION_free(clntsess);
8106 SSL_free(serverssl);
8107 SSL_free(clientssl);
8108 SSL_CTX_free(sctx);
8109 SSL_CTX_free(cctx);
8110
8111 return testresult;
8112}
8113
8114/*
8115 * Test incorrect shutdown.
8116 * Test 0: client does not shutdown properly,
8117 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8118 * server should get SSL_ERROR_SSL
8119 * Test 1: client does not shutdown properly,
8120 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8121 * server should get SSL_ERROR_ZERO_RETURN
8122 */
8123static int test_incorrect_shutdown(int tst)
8124{
8125 SSL_CTX *cctx = NULL, *sctx = NULL;
8126 SSL *clientssl = NULL, *serverssl = NULL;
8127 int testresult = 0;
8128 char buf[80];
8129 BIO *c2s;
8130
8131 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8132 TLS_client_method(), 0, 0,
8133 &sctx, &cctx, cert, privkey)))
8134 goto end;
8135
8136 if (tst == 1)
8137 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8138
8139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8140 NULL, NULL)))
8141 goto end;
8142
8143 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8144 SSL_ERROR_NONE)))
8145 goto end;
8146
8147 c2s = SSL_get_rbio(serverssl);
8148 BIO_set_mem_eof_return(c2s, 0);
8149
8150 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8151 goto end;
8152
8153 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8154 goto end;
8155 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8156 goto end;
8157
8158 testresult = 1;
8159
8160 end:
8161 SSL_free(serverssl);
8162 SSL_free(clientssl);
8163 SSL_CTX_free(sctx);
8164 SSL_CTX_free(cctx);
8165
8166 return testresult;
8167}
8168
8169/*
8170 * Test bi-directional shutdown.
8171 * Test 0: TLSv1.2
8172 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8173 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8174 * Test 3: TLSv1.3, pending NewSessionTicket messages
8175 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8176 * sends key update, client reads it
8177 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8178 * sends CertificateRequest, client reads and ignores it
8179 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8180 * doesn't read it
8181 */
8182static int test_shutdown(int tst)
8183{
8184 SSL_CTX *cctx = NULL, *sctx = NULL;
8185 SSL *clientssl = NULL, *serverssl = NULL;
8186 int testresult = 0;
8187 char msg[] = "A test message";
8188 char buf[80];
8189 size_t written, readbytes;
8190 SSL_SESSION *sess;
8191
8192#ifdef OPENSSL_NO_TLS1_2
8193 if (tst <= 1)
8194 return 1;
8195#endif
8196#ifdef OSSL_NO_USABLE_TLS1_3
8197 if (tst >= 2)
8198 return 1;
8199#endif
8200
8201 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8202 TLS_client_method(),
8203 TLS1_VERSION,
8204 (tst <= 1) ? TLS1_2_VERSION
8205 : TLS1_3_VERSION,
8206 &sctx, &cctx, cert, privkey)))
8207 goto end;
8208
8209 if (tst == 5)
8210 SSL_CTX_set_post_handshake_auth(cctx, 1);
8211
8212 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8213 NULL, NULL)))
8214 goto end;
8215
8216 if (tst == 3) {
8217 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8218 SSL_ERROR_NONE, 1))
8219 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8220 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8221 goto end;
8222 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8223 SSL_ERROR_NONE))
8224 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8225 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8226 goto end;
8227 }
8228
8229 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8230 goto end;
8231
8232 if (tst >= 4) {
8233 /*
8234 * Reading on the server after the client has sent close_notify should
8235 * fail and provide SSL_ERROR_ZERO_RETURN
8236 */
8237 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8238 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8239 SSL_ERROR_ZERO_RETURN)
8240 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8241 SSL_RECEIVED_SHUTDOWN)
8242 /*
8243 * Even though we're shutdown on receive we should still be
8244 * able to write.
8245 */
8246 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8247 goto end;
8248 if (tst == 4
8249 && !TEST_true(SSL_key_update(serverssl,
8250 SSL_KEY_UPDATE_REQUESTED)))
8251 goto end;
8252 if (tst == 5) {
8253 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8254 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8255 goto end;
8256 }
8257 if ((tst == 4 || tst == 5)
8258 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8259 goto end;
8260 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8261 goto end;
8262 if (tst == 4 || tst == 5) {
8263 /* Should still be able to read data from server */
8264 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8265 &readbytes))
8266 || !TEST_size_t_eq(readbytes, sizeof(msg))
8267 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8268 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8269 &readbytes))
8270 || !TEST_size_t_eq(readbytes, sizeof(msg))
8271 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8272 goto end;
8273 }
8274 }
8275
8276 /* Writing on the client after sending close_notify shouldn't be possible */
8277 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8278 goto end;
8279
8280 if (tst < 4) {
8281 /*
8282 * For these tests the client has sent close_notify but it has not yet
8283 * been received by the server. The server has not sent close_notify
8284 * yet.
8285 */
8286 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8287 /*
8288 * Writing on the server after sending close_notify shouldn't
8289 * be possible.
8290 */
8291 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8292 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8293 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8294 || !TEST_true(SSL_SESSION_is_resumable(sess))
8295 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8296 goto end;
8297 } else if (tst == 4 || tst == 5) {
8298 /*
8299 * In this test the client has sent close_notify and it has been
8300 * received by the server which has responded with a close_notify. The
8301 * client needs to read the close_notify sent by the server.
8302 */
8303 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8304 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8305 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8306 goto end;
8307 } else {
8308 /*
8309 * tst == 6
8310 *
8311 * The client has sent close_notify and is expecting a close_notify
8312 * back, but instead there is application data first. The shutdown
8313 * should fail with a fatal error.
8314 */
8315 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8316 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8317 goto end;
8318 }
8319
8320 testresult = 1;
8321
8322 end:
8323 SSL_free(serverssl);
8324 SSL_free(clientssl);
8325 SSL_CTX_free(sctx);
8326 SSL_CTX_free(cctx);
8327
8328 return testresult;
8329}
8330
8331#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8332static int cert_cb_cnt;
8333
8334static int cert_cb(SSL *s, void *arg)
8335{
8336 SSL_CTX *ctx = (SSL_CTX *)arg;
8337 BIO *in = NULL;
8338 EVP_PKEY *pkey = NULL;
8339 X509 *x509 = NULL, *rootx = NULL;
8340 STACK_OF(X509) *chain = NULL;
8341 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8342 int ret = 0;
8343
8344 if (cert_cb_cnt == 0) {
8345 /* Suspend the handshake */
8346 cert_cb_cnt++;
8347 return -1;
8348 } else if (cert_cb_cnt == 1) {
8349 /*
8350 * Update the SSL_CTX, set the certificate and private key and then
8351 * continue the handshake normally.
8352 */
8353 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8354 return 0;
8355
8356 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8357 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8358 SSL_FILETYPE_PEM))
8359 || !TEST_true(SSL_check_private_key(s)))
8360 return 0;
8361 cert_cb_cnt++;
8362 return 1;
8363 } else if (cert_cb_cnt == 3) {
8364 int rv;
8365
8366 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8367 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8368 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8369 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8370 goto out;
8371 chain = sk_X509_new_null();
8372 if (!TEST_ptr(chain))
8373 goto out;
8374 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8375 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8376 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8377 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8378 || !TEST_true(sk_X509_push(chain, rootx)))
8379 goto out;
8380 rootx = NULL;
8381 BIO_free(in);
8382 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8383 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8384 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8385 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8386 goto out;
8387 BIO_free(in);
8388 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8389 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8390 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8391 NULL, NULL,
8392 libctx, NULL)))
8393 goto out;
8394 rv = SSL_check_chain(s, x509, pkey, chain);
8395 /*
8396 * If the cert doesn't show as valid here (e.g., because we don't
8397 * have any shared sigalgs), then we will not set it, and there will
8398 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8399 * will cause tls_choose_sigalgs() to fail the connection.
8400 */
8401 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8402 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8403 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8404 goto out;
8405 }
8406
8407 ret = 1;
8408 }
8409
8410 /* Abort the handshake */
8411 out:
8412 OPENSSL_free(ecdsacert);
8413 OPENSSL_free(ecdsakey);
8414 OPENSSL_free(rootfile);
8415 BIO_free(in);
8416 EVP_PKEY_free(pkey);
8417 X509_free(x509);
8418 X509_free(rootx);
8419 sk_X509_pop_free(chain, X509_free);
8420 return ret;
8421}
8422
8423/*
8424 * Test the certificate callback.
8425 * Test 0: Callback fails
8426 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8427 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8428 * Test 3: Success - Call SSL_check_chain from the callback
8429 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8430 * chain
8431 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8432 */
8433static int test_cert_cb_int(int prot, int tst)
8434{
8435 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8436 SSL *clientssl = NULL, *serverssl = NULL;
8437 int testresult = 0, ret;
8438
8439#ifdef OPENSSL_NO_EC
8440 /* We use an EC cert in these tests, so we skip in a no-ec build */
8441 if (tst >= 3)
8442 return 1;
8443#endif
8444
8445 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8446 TLS_client_method(),
8447 TLS1_VERSION,
8448 prot,
8449 &sctx, &cctx, NULL, NULL)))
8450 goto end;
8451
8452 if (tst == 0)
8453 cert_cb_cnt = -1;
8454 else if (tst >= 3)
8455 cert_cb_cnt = 3;
8456 else
8457 cert_cb_cnt = 0;
8458
8459 if (tst == 2) {
8460 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8461 if (!TEST_ptr(snictx))
8462 goto end;
8463 }
8464
8465 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8466
8467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8468 NULL, NULL)))
8469 goto end;
8470
8471 if (tst == 4) {
8472 /*
8473 * We cause SSL_check_chain() to fail by specifying sig_algs that
8474 * the chain doesn't meet (the root uses an RSA cert)
8475 */
8476 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8477 "ecdsa_secp256r1_sha256")))
8478 goto end;
8479 } else if (tst == 5) {
8480 /*
8481 * We cause SSL_check_chain() to fail by specifying sig_algs that
8482 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8483 */
8484 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8485 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8486 goto end;
8487 }
8488
8489 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8490 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8491 || (tst > 0
8492 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8493 goto end;
8494 }
8495
8496 testresult = 1;
8497
8498 end:
8499 SSL_free(serverssl);
8500 SSL_free(clientssl);
8501 SSL_CTX_free(sctx);
8502 SSL_CTX_free(cctx);
8503 SSL_CTX_free(snictx);
8504
8505 return testresult;
8506}
8507#endif
8508
8509static int test_cert_cb(int tst)
8510{
8511 int testresult = 1;
8512
8513#ifndef OPENSSL_NO_TLS1_2
8514 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8515#endif
8516#ifndef OSSL_NO_USABLE_TLS1_3
8517 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8518#endif
8519
8520 return testresult;
8521}
8522
8523static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8524{
8525 X509 *xcert;
8526 EVP_PKEY *privpkey;
8527 BIO *in = NULL;
8528 BIO *priv_in = NULL;
8529
8530 /* Check that SSL_get0_peer_certificate() returns something sensible */
8531 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8532 return 0;
8533
8534 in = BIO_new_file(cert, "r");
8535 if (!TEST_ptr(in))
8536 return 0;
8537
8538 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8539 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8540 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8541 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8542 NULL, NULL,
8543 libctx, NULL)))
8544 goto err;
8545
8546 *x509 = xcert;
8547 *pkey = privpkey;
8548
8549 BIO_free(in);
8550 BIO_free(priv_in);
8551 return 1;
8552err:
8553 X509_free(xcert);
8554 BIO_free(in);
8555 BIO_free(priv_in);
8556 return 0;
8557}
8558
8559static int test_client_cert_cb(int tst)
8560{
8561 SSL_CTX *cctx = NULL, *sctx = NULL;
8562 SSL *clientssl = NULL, *serverssl = NULL;
8563 int testresult = 0;
8564
8565#ifdef OPENSSL_NO_TLS1_2
8566 if (tst == 0)
8567 return 1;
8568#endif
8569#ifdef OSSL_NO_USABLE_TLS1_3
8570 if (tst == 1)
8571 return 1;
8572#endif
8573
8574 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8575 TLS_client_method(),
8576 TLS1_VERSION,
8577 tst == 0 ? TLS1_2_VERSION
8578 : TLS1_3_VERSION,
8579 &sctx, &cctx, cert, privkey)))
8580 goto end;
8581
8582 /*
8583 * Test that setting a client_cert_cb results in a client certificate being
8584 * sent.
8585 */
8586 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8587 SSL_CTX_set_verify(sctx,
8588 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8589 verify_cb);
8590
8591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8592 NULL, NULL))
8593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8594 SSL_ERROR_NONE)))
8595 goto end;
8596
8597 testresult = 1;
8598
8599 end:
8600 SSL_free(serverssl);
8601 SSL_free(clientssl);
8602 SSL_CTX_free(sctx);
8603 SSL_CTX_free(cctx);
8604
8605 return testresult;
8606}
8607
8608#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8609/*
8610 * Test setting certificate authorities on both client and server.
8611 *
8612 * Test 0: SSL_CTX_set0_CA_list() only
8613 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8614 * Test 2: Only SSL_CTX_set_client_CA_list()
8615 */
8616static int test_ca_names_int(int prot, int tst)
8617{
8618 SSL_CTX *cctx = NULL, *sctx = NULL;
8619 SSL *clientssl = NULL, *serverssl = NULL;
8620 int testresult = 0;
8621 size_t i;
8622 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8623 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8624 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8625 const STACK_OF(X509_NAME) *sktmp = NULL;
8626
8627 for (i = 0; i < OSSL_NELEM(name); i++) {
8628 name[i] = X509_NAME_new();
8629 if (!TEST_ptr(name[i])
8630 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8631 MBSTRING_ASC,
8632 (unsigned char *)
8633 strnames[i],
8634 -1, -1, 0)))
8635 goto end;
8636 }
8637
8638 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8639 TLS_client_method(),
8640 TLS1_VERSION,
8641 prot,
8642 &sctx, &cctx, cert, privkey)))
8643 goto end;
8644
8645 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8646
8647 if (tst == 0 || tst == 1) {
8648 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8649 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8650 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8651 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8652 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8653 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8654 goto end;
8655
8656 SSL_CTX_set0_CA_list(sctx, sk1);
8657 SSL_CTX_set0_CA_list(cctx, sk2);
8658 sk1 = sk2 = NULL;
8659 }
8660 if (tst == 1 || tst == 2) {
8661 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8662 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8663 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8664 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8665 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8666 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8667 goto end;
8668
8669 SSL_CTX_set_client_CA_list(sctx, sk1);
8670 SSL_CTX_set_client_CA_list(cctx, sk2);
8671 sk1 = sk2 = NULL;
8672 }
8673
8674 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8675 NULL, NULL))
8676 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8677 SSL_ERROR_NONE)))
8678 goto end;
8679
8680 /*
8681 * We only expect certificate authorities to have been sent to the server
8682 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8683 */
8684 sktmp = SSL_get0_peer_CA_list(serverssl);
8685 if (prot == TLS1_3_VERSION
8686 && (tst == 0 || tst == 1)) {
8687 if (!TEST_ptr(sktmp)
8688 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8689 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8690 name[0]), 0)
8691 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8692 name[1]), 0))
8693 goto end;
8694 } else if (!TEST_ptr_null(sktmp)) {
8695 goto end;
8696 }
8697
8698 /*
8699 * In all tests we expect certificate authorities to have been sent to the
8700 * client. However, SSL_set_client_CA_list() should override
8701 * SSL_set0_CA_list()
8702 */
8703 sktmp = SSL_get0_peer_CA_list(clientssl);
8704 if (!TEST_ptr(sktmp)
8705 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8706 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8707 name[tst == 0 ? 0 : 2]), 0)
8708 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8709 name[tst == 0 ? 1 : 3]), 0))
8710 goto end;
8711
8712 testresult = 1;
8713
8714 end:
8715 SSL_free(serverssl);
8716 SSL_free(clientssl);
8717 SSL_CTX_free(sctx);
8718 SSL_CTX_free(cctx);
8719 for (i = 0; i < OSSL_NELEM(name); i++)
8720 X509_NAME_free(name[i]);
8721 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8722 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8723
8724 return testresult;
8725}
8726#endif
8727
8728static int test_ca_names(int tst)
8729{
8730 int testresult = 1;
8731
8732#ifndef OPENSSL_NO_TLS1_2
8733 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8734#endif
8735#ifndef OSSL_NO_USABLE_TLS1_3
8736 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8737#endif
8738
8739 return testresult;
8740}
8741
8742#ifndef OPENSSL_NO_TLS1_2
8743static const char *multiblock_cipherlist_data[]=
8744{
8745 "AES128-SHA",
8746 "AES128-SHA256",
8747 "AES256-SHA",
8748 "AES256-SHA256",
8749};
8750
8751/* Reduce the fragment size - so the multiblock test buffer can be small */
8752# define MULTIBLOCK_FRAGSIZE 512
8753
8754static int test_multiblock_write(int test_index)
8755{
8756 static const char *fetchable_ciphers[]=
8757 {
8758 "AES-128-CBC-HMAC-SHA1",
8759 "AES-128-CBC-HMAC-SHA256",
8760 "AES-256-CBC-HMAC-SHA1",
8761 "AES-256-CBC-HMAC-SHA256"
8762 };
8763 const char *cipherlist = multiblock_cipherlist_data[test_index];
8764 const SSL_METHOD *smeth = TLS_server_method();
8765 const SSL_METHOD *cmeth = TLS_client_method();
8766 int min_version = TLS1_VERSION;
8767 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8768 SSL_CTX *cctx = NULL, *sctx = NULL;
8769 SSL *clientssl = NULL, *serverssl = NULL;
8770 int testresult = 0;
8771
8772 /*
8773 * Choose a buffer large enough to perform a multi-block operation
8774 * i.e: write_len >= 4 * frag_size
8775 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8776 */
8777 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8778 unsigned char buf[sizeof(msg)], *p = buf;
8779 size_t readbytes, written, len;
8780 EVP_CIPHER *ciph = NULL;
8781
8782 /*
8783 * Check if the cipher exists before attempting to use it since it only has
8784 * a hardware specific implementation.
8785 */
8786 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8787 if (ciph == NULL) {
8788 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8789 return 1;
8790 }
8791 EVP_CIPHER_free(ciph);
8792
8793 /* Set up a buffer with some data that will be sent to the client */
8794 RAND_bytes(msg, sizeof(msg));
8795
8796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8797 max_version, &sctx, &cctx, cert,
8798 privkey)))
8799 goto end;
8800
8801 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8802 goto end;
8803
8804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8805 NULL, NULL)))
8806 goto end;
8807
8808 /* settings to force it to use AES-CBC-HMAC_SHA */
8809 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8810 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8811 goto end;
8812
8813 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8814 goto end;
8815
8816 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8817 || !TEST_size_t_eq(written, sizeof(msg)))
8818 goto end;
8819
8820 len = written;
8821 while (len > 0) {
8822 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8823 goto end;
8824 p += readbytes;
8825 len -= readbytes;
8826 }
8827 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8828 goto end;
8829
8830 testresult = 1;
8831end:
8832 SSL_free(serverssl);
8833 SSL_free(clientssl);
8834 SSL_CTX_free(sctx);
8835 SSL_CTX_free(cctx);
8836
8837 return testresult;
8838}
8839#endif /* OPENSSL_NO_TLS1_2 */
8840
8841static int test_session_timeout(int test)
8842{
8843 /*
8844 * Test session ordering and timeout
8845 * Can't explicitly test performance of the new code,
8846 * but can test to see if the ordering of the sessions
8847 * are correct, and they they are removed as expected
8848 */
8849 SSL_SESSION *early = NULL;
8850 SSL_SESSION *middle = NULL;
8851 SSL_SESSION *late = NULL;
8852 SSL_CTX *ctx;
8853 int testresult = 0;
8854 long now = (long)time(NULL);
8855#define TIMEOUT 10
8856
8857 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8858 || !TEST_ptr(early = SSL_SESSION_new())
8859 || !TEST_ptr(middle = SSL_SESSION_new())
8860 || !TEST_ptr(late = SSL_SESSION_new()))
8861 goto end;
8862
8863 /* assign unique session ids */
8864 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8865 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8866 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8867 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8868 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8869 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8870
8871 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8872 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8873 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8874 goto end;
8875
8876 /* Make sure they are all added */
8877 if (!TEST_ptr(early->prev)
8878 || !TEST_ptr(middle->prev)
8879 || !TEST_ptr(late->prev))
8880 goto end;
8881
8882 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8883 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8884 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8885 goto end;
8886
8887 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8888 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8889 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8890 goto end;
8891
8892 /* Make sure they are all still there */
8893 if (!TEST_ptr(early->prev)
8894 || !TEST_ptr(middle->prev)
8895 || !TEST_ptr(late->prev))
8896 goto end;
8897
8898 /* Make sure they are in the expected order */
8899 if (!TEST_ptr_eq(late->next, middle)
8900 || !TEST_ptr_eq(middle->next, early)
8901 || !TEST_ptr_eq(early->prev, middle)
8902 || !TEST_ptr_eq(middle->prev, late))
8903 goto end;
8904
8905 /* This should remove "early" */
8906 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8907 if (!TEST_ptr_null(early->prev)
8908 || !TEST_ptr(middle->prev)
8909 || !TEST_ptr(late->prev))
8910 goto end;
8911
8912 /* This should remove "middle" */
8913 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8914 if (!TEST_ptr_null(early->prev)
8915 || !TEST_ptr_null(middle->prev)
8916 || !TEST_ptr(late->prev))
8917 goto end;
8918
8919 /* This should remove "late" */
8920 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8921 if (!TEST_ptr_null(early->prev)
8922 || !TEST_ptr_null(middle->prev)
8923 || !TEST_ptr_null(late->prev))
8924 goto end;
8925
8926 /* Add them back in again */
8927 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8928 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8929 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8930 goto end;
8931
8932 /* Make sure they are all added */
8933 if (!TEST_ptr(early->prev)
8934 || !TEST_ptr(middle->prev)
8935 || !TEST_ptr(late->prev))
8936 goto end;
8937
8938 /* This should remove all of them */
8939 SSL_CTX_flush_sessions(ctx, 0);
8940 if (!TEST_ptr_null(early->prev)
8941 || !TEST_ptr_null(middle->prev)
8942 || !TEST_ptr_null(late->prev))
8943 goto end;
8944
8945 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8946 | SSL_CTX_get_session_cache_mode(ctx));
8947
8948 /* make sure |now| is NOT equal to the current time */
8949 now -= 10;
8950 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8951 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8952 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8953 goto end;
8954
8955 testresult = 1;
8956 end:
8957 SSL_CTX_free(ctx);
8958 SSL_SESSION_free(early);
8959 SSL_SESSION_free(middle);
8960 SSL_SESSION_free(late);
8961 return testresult;
8962}
8963
8964/*
8965 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8966 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8967 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8968 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8969 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8970 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8971 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8972 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8973 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8974 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8975 */
8976static int test_servername(int tst)
8977{
8978 SSL_CTX *cctx = NULL, *sctx = NULL;
8979 SSL *clientssl = NULL, *serverssl = NULL;
8980 int testresult = 0;
8981 SSL_SESSION *sess = NULL;
8982 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8983
8984#ifdef OPENSSL_NO_TLS1_2
8985 if (tst <= 4)
8986 return 1;
8987#endif
8988#ifdef OSSL_NO_USABLE_TLS1_3
8989 if (tst >= 5)
8990 return 1;
8991#endif
8992
8993 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8994 TLS_client_method(),
8995 TLS1_VERSION,
8996 (tst <= 4) ? TLS1_2_VERSION
8997 : TLS1_3_VERSION,
8998 &sctx, &cctx, cert, privkey))
8999 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9000 NULL, NULL)))
9001 goto end;
9002
9003 if (tst != 1 && tst != 6) {
9004 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9005 hostname_cb)))
9006 goto end;
9007 }
9008
9009 if (tst != 3 && tst != 8) {
9010 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9011 goto end;
9012 sexpectedhost = cexpectedhost = "goodhost";
9013 }
9014
9015 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9016 goto end;
9017
9018 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9019 cexpectedhost)
9020 || !TEST_str_eq(SSL_get_servername(serverssl,
9021 TLSEXT_NAMETYPE_host_name),
9022 sexpectedhost))
9023 goto end;
9024
9025 /* Now repeat with a resumption handshake */
9026
9027 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9028 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9029 || !TEST_true(SSL_SESSION_is_resumable(sess))
9030 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9031 goto end;
9032
9033 SSL_free(clientssl);
9034 SSL_free(serverssl);
9035 clientssl = serverssl = NULL;
9036
9037 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9038 NULL)))
9039 goto end;
9040
9041 if (!TEST_true(SSL_set_session(clientssl, sess)))
9042 goto end;
9043
9044 sexpectedhost = cexpectedhost = "goodhost";
9045 if (tst == 2 || tst == 7) {
9046 /* Set an inconsistent hostname */
9047 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9048 goto end;
9049 /*
9050 * In TLSv1.2 we expect the hostname from the original handshake, in
9051 * TLSv1.3 we expect the hostname from this handshake
9052 */
9053 if (tst == 7)
9054 sexpectedhost = cexpectedhost = "altgoodhost";
9055
9056 if (!TEST_str_eq(SSL_get_servername(clientssl,
9057 TLSEXT_NAMETYPE_host_name),
9058 "altgoodhost"))
9059 goto end;
9060 } else if (tst == 4 || tst == 9) {
9061 /*
9062 * A TLSv1.3 session does not associate a session with a servername,
9063 * but a TLSv1.2 session does.
9064 */
9065 if (tst == 9)
9066 sexpectedhost = cexpectedhost = NULL;
9067
9068 if (!TEST_str_eq(SSL_get_servername(clientssl,
9069 TLSEXT_NAMETYPE_host_name),
9070 cexpectedhost))
9071 goto end;
9072 } else {
9073 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9074 goto end;
9075 /*
9076 * In a TLSv1.2 resumption where the hostname was not acknowledged
9077 * we expect the hostname on the server to be empty. On the client we
9078 * return what was requested in this case.
9079 *
9080 * Similarly if the client didn't set a hostname on an original TLSv1.2
9081 * session but is now, the server hostname will be empty, but the client
9082 * is as we set it.
9083 */
9084 if (tst == 1 || tst == 3)
9085 sexpectedhost = NULL;
9086
9087 if (!TEST_str_eq(SSL_get_servername(clientssl,
9088 TLSEXT_NAMETYPE_host_name),
9089 "goodhost"))
9090 goto end;
9091 }
9092
9093 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9094 goto end;
9095
9096 if (!TEST_true(SSL_session_reused(clientssl))
9097 || !TEST_true(SSL_session_reused(serverssl))
9098 || !TEST_str_eq(SSL_get_servername(clientssl,
9099 TLSEXT_NAMETYPE_host_name),
9100 cexpectedhost)
9101 || !TEST_str_eq(SSL_get_servername(serverssl,
9102 TLSEXT_NAMETYPE_host_name),
9103 sexpectedhost))
9104 goto end;
9105
9106 testresult = 1;
9107
9108 end:
9109 SSL_SESSION_free(sess);
9110 SSL_free(serverssl);
9111 SSL_free(clientssl);
9112 SSL_CTX_free(sctx);
9113 SSL_CTX_free(cctx);
9114
9115 return testresult;
9116}
9117
9118#if !defined(OPENSSL_NO_EC) \
9119 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9120/*
9121 * Test that if signature algorithms are not available, then we do not offer or
9122 * accept them.
9123 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9124 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9125 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9126 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9127 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9128 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9129 */
9130static int test_sigalgs_available(int idx)
9131{
9132 SSL_CTX *cctx = NULL, *sctx = NULL;
9133 SSL *clientssl = NULL, *serverssl = NULL;
9134 int testresult = 0;
9135 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9136 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9137 OSSL_PROVIDER *filterprov = NULL;
9138 int sig, hash;
9139
9140 if (!TEST_ptr(tmpctx))
9141 goto end;
9142
9143 if (idx != 0 && idx != 3) {
9144 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9145 filter_provider_init)))
9146 goto end;
9147
9148 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9149 if (!TEST_ptr(filterprov))
9150 goto end;
9151
9152 if (idx < 3) {
9153 /*
9154 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9155 * or accepted for the peer that uses this libctx. Note that libssl
9156 * *requires* SHA2-256 to be available so we cannot disable that. We
9157 * also need SHA1 for our certificate.
9158 */
9159 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9160 "SHA2-256:SHA1")))
9161 goto end;
9162 } else {
9163 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9164 "ECDSA"))
9165 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9166 "EC:X25519:X448")))
9167 goto end;
9168 }
9169
9170 if (idx == 1 || idx == 4)
9171 clientctx = tmpctx;
9172 else
9173 serverctx = tmpctx;
9174 }
9175
9176 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9177 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9178 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9179 goto end;
9180
9181 if (idx != 5) {
9182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9183 TLS_client_method(),
9184 TLS1_VERSION,
9185 0,
9186 &sctx, &cctx, cert, privkey)))
9187 goto end;
9188 } else {
9189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9190 TLS_client_method(),
9191 TLS1_VERSION,
9192 0,
9193 &sctx, &cctx, cert2, privkey2)))
9194 goto end;
9195 }
9196
9197 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9198 if (idx < 4) {
9199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9200 "ECDHE-RSA-AES128-GCM-SHA256")))
9201 goto end;
9202 } else {
9203 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9204 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9205 goto end;
9206 }
9207
9208 if (idx < 3) {
9209 if (!SSL_CTX_set1_sigalgs_list(cctx,
9210 "rsa_pss_rsae_sha384"
9211 ":rsa_pss_rsae_sha256")
9212 || !SSL_CTX_set1_sigalgs_list(sctx,
9213 "rsa_pss_rsae_sha384"
9214 ":rsa_pss_rsae_sha256"))
9215 goto end;
9216 } else {
9217 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9218 || !SSL_CTX_set1_sigalgs_list(sctx,
9219 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9220 goto end;
9221 }
9222
9223 if (idx != 5
9224 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9225 SSL_FILETYPE_PEM), 1)
9226 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9227 privkey2,
9228 SSL_FILETYPE_PEM), 1)
9229 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9230 goto end;
9231
9232 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9233 NULL, NULL)))
9234 goto end;
9235
9236 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9237 goto end;
9238
9239 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9240 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9241 NULL, NULL),
9242 (idx == 0 || idx == 3) ? 2 : 1))
9243 goto end;
9244
9245 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9246 goto end;
9247
9248 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9249 : NID_rsassaPss))
9250 goto end;
9251
9252 testresult = filter_provider_check_clean_finish();
9253
9254 end:
9255 SSL_free(serverssl);
9256 SSL_free(clientssl);
9257 SSL_CTX_free(sctx);
9258 SSL_CTX_free(cctx);
9259 OSSL_PROVIDER_unload(filterprov);
9260 OSSL_LIB_CTX_free(tmpctx);
9261
9262 return testresult;
9263}
9264#endif /*
9265 * !defined(OPENSSL_NO_EC) \
9266 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9267 */
9268
9269#ifndef OPENSSL_NO_TLS1_3
9270/* This test can run in TLSv1.3 even if ec and dh are disabled */
9271static int test_pluggable_group(int idx)
9272{
9273 SSL_CTX *cctx = NULL, *sctx = NULL;
9274 SSL *clientssl = NULL, *serverssl = NULL;
9275 int testresult = 0;
9276 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9277 /* Check that we are not impacted by a provider without any groups */
9278 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9279 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9280
9281 if (!TEST_ptr(tlsprov))
9282 goto end;
9283
9284 if (legacyprov == NULL) {
9285 /*
9286 * In this case we assume we've been built with "no-legacy" and skip
9287 * this test (there is no OPENSSL_NO_LEGACY)
9288 */
9289 testresult = 1;
9290 goto end;
9291 }
9292
9293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9294 TLS_client_method(),
9295 TLS1_3_VERSION,
9296 TLS1_3_VERSION,
9297 &sctx, &cctx, cert, privkey))
9298 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9299 NULL, NULL)))
9300 goto end;
9301
9302 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9303 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9304 goto end;
9305
9306 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9307 goto end;
9308
9309 if (!TEST_str_eq(group_name,
9310 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9311 goto end;
9312
9313 testresult = 1;
9314
9315 end:
9316 SSL_free(serverssl);
9317 SSL_free(clientssl);
9318 SSL_CTX_free(sctx);
9319 SSL_CTX_free(cctx);
9320 OSSL_PROVIDER_unload(tlsprov);
9321 OSSL_PROVIDER_unload(legacyprov);
9322
9323 return testresult;
9324}
9325#endif
9326
9327#ifndef OPENSSL_NO_TLS1_2
9328static int test_ssl_dup(void)
9329{
9330 SSL_CTX *cctx = NULL, *sctx = NULL;
9331 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9332 int testresult = 0;
9333 BIO *rbio = NULL, *wbio = NULL;
9334
9335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9336 TLS_client_method(),
9337 0,
9338 0,
9339 &sctx, &cctx, cert, privkey)))
9340 goto end;
9341
9342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9343 NULL, NULL)))
9344 goto end;
9345
9346 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9347 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9348 goto end;
9349
9350 client2ssl = SSL_dup(clientssl);
9351 rbio = SSL_get_rbio(clientssl);
9352 if (!TEST_ptr(rbio)
9353 || !TEST_true(BIO_up_ref(rbio)))
9354 goto end;
9355 SSL_set0_rbio(client2ssl, rbio);
9356 rbio = NULL;
9357
9358 wbio = SSL_get_wbio(clientssl);
9359 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9360 goto end;
9361 SSL_set0_wbio(client2ssl, wbio);
9362 rbio = NULL;
9363
9364 if (!TEST_ptr(client2ssl)
9365 /* Handshake not started so pointers should be different */
9366 || !TEST_ptr_ne(clientssl, client2ssl))
9367 goto end;
9368
9369 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9370 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9371 goto end;
9372
9373 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9374 goto end;
9375
9376 SSL_free(clientssl);
9377 clientssl = SSL_dup(client2ssl);
9378 if (!TEST_ptr(clientssl)
9379 /* Handshake has finished so pointers should be the same */
9380 || !TEST_ptr_eq(clientssl, client2ssl))
9381 goto end;
9382
9383 testresult = 1;
9384
9385 end:
9386 SSL_free(serverssl);
9387 SSL_free(clientssl);
9388 SSL_free(client2ssl);
9389 SSL_CTX_free(sctx);
9390 SSL_CTX_free(cctx);
9391
9392 return testresult;
9393}
9394
9395# ifndef OPENSSL_NO_DH
9396
9397static EVP_PKEY *tmp_dh_params = NULL;
9398
9399/* Helper function for the test_set_tmp_dh() tests */
9400static EVP_PKEY *get_tmp_dh_params(void)
9401{
9402 if (tmp_dh_params == NULL) {
9403 BIGNUM *p = NULL;
9404 OSSL_PARAM_BLD *tmpl = NULL;
9405 EVP_PKEY_CTX *pctx = NULL;
9406 OSSL_PARAM *params = NULL;
9407 EVP_PKEY *dhpkey = NULL;
9408
9409 p = BN_get_rfc3526_prime_2048(NULL);
9410 if (!TEST_ptr(p))
9411 goto end;
9412
9413 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9414 if (!TEST_ptr(pctx)
9415 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9416 goto end;
9417
9418 tmpl = OSSL_PARAM_BLD_new();
9419 if (!TEST_ptr(tmpl)
9420 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9421 OSSL_PKEY_PARAM_FFC_P,
9422 p))
9423 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9424 OSSL_PKEY_PARAM_FFC_G,
9425 2)))
9426 goto end;
9427
9428 params = OSSL_PARAM_BLD_to_param(tmpl);
9429 if (!TEST_ptr(params)
9430 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9431 EVP_PKEY_KEY_PARAMETERS,
9432 params), 1))
9433 goto end;
9434
9435 tmp_dh_params = dhpkey;
9436 end:
9437 BN_free(p);
9438 EVP_PKEY_CTX_free(pctx);
9439 OSSL_PARAM_BLD_free(tmpl);
9440 OSSL_PARAM_free(params);
9441 }
9442
9443 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9444 return NULL;
9445
9446 return tmp_dh_params;
9447}
9448
9449# ifndef OPENSSL_NO_DEPRECATED_3_0
9450/* Callback used by test_set_tmp_dh() */
9451static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9452{
9453 EVP_PKEY *dhpkey = get_tmp_dh_params();
9454 DH *ret = NULL;
9455
9456 if (!TEST_ptr(dhpkey))
9457 return NULL;
9458
9459 /*
9460 * libssl does not free the returned DH, so we free it now knowing that even
9461 * after we free dhpkey, there will still be a reference to the owning
9462 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9463 * of time we need it for.
9464 */
9465 ret = EVP_PKEY_get1_DH(dhpkey);
9466 DH_free(ret);
9467
9468 EVP_PKEY_free(dhpkey);
9469
9470 return ret;
9471}
9472# endif
9473
9474/*
9475 * Test the various methods for setting temporary DH parameters
9476 *
9477 * Test 0: Default (no auto) setting
9478 * Test 1: Explicit SSL_CTX auto off
9479 * Test 2: Explicit SSL auto off
9480 * Test 3: Explicit SSL_CTX auto on
9481 * Test 4: Explicit SSL auto on
9482 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9483 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9484 *
9485 * The following are testing deprecated APIs, so we only run them if available
9486 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9487 * Test 8: Explicit SSL auto off, custom DH params via DH
9488 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9489 * Test 10: Explicit SSL auto off, custom DH params via callback
9490 */
9491static int test_set_tmp_dh(int idx)
9492{
9493 SSL_CTX *cctx = NULL, *sctx = NULL;
9494 SSL *clientssl = NULL, *serverssl = NULL;
9495 int testresult = 0;
9496 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9497 int expected = (idx <= 2) ? 0 : 1;
9498 EVP_PKEY *dhpkey = NULL;
9499# ifndef OPENSSL_NO_DEPRECATED_3_0
9500 DH *dh = NULL;
9501# else
9502
9503 if (idx >= 7)
9504 return 1;
9505# endif
9506
9507 if (idx >= 5 && idx <= 8) {
9508 dhpkey = get_tmp_dh_params();
9509 if (!TEST_ptr(dhpkey))
9510 goto end;
9511 }
9512# ifndef OPENSSL_NO_DEPRECATED_3_0
9513 if (idx == 7 || idx == 8) {
9514 dh = EVP_PKEY_get1_DH(dhpkey);
9515 if (!TEST_ptr(dh))
9516 goto end;
9517 }
9518# endif
9519
9520 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9521 TLS_client_method(),
9522 0,
9523 0,
9524 &sctx, &cctx, cert, privkey)))
9525 goto end;
9526
9527 if ((idx & 1) == 1) {
9528 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9529 goto end;
9530 }
9531
9532 if (idx == 5) {
9533 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9534 goto end;
9535 dhpkey = NULL;
9536 }
9537# ifndef OPENSSL_NO_DEPRECATED_3_0
9538 else if (idx == 7) {
9539 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9540 goto end;
9541 } else if (idx == 9) {
9542 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9543 }
9544# endif
9545
9546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9547 NULL, NULL)))
9548 goto end;
9549
9550 if ((idx & 1) == 0 && idx != 0) {
9551 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9552 goto end;
9553 }
9554 if (idx == 6) {
9555 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9556 goto end;
9557 dhpkey = NULL;
9558 }
9559# ifndef OPENSSL_NO_DEPRECATED_3_0
9560 else if (idx == 8) {
9561 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9562 goto end;
9563 } else if (idx == 10) {
9564 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9565 }
9566# endif
9567
9568 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9569 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9570 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9571 goto end;
9572
9573 /*
9574 * If autoon then we should succeed. Otherwise we expect failure because
9575 * there are no parameters
9576 */
9577 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9578 SSL_ERROR_NONE), expected))
9579 goto end;
9580
9581 testresult = 1;
9582
9583 end:
9584# ifndef OPENSSL_NO_DEPRECATED_3_0
9585 DH_free(dh);
9586# endif
9587 SSL_free(serverssl);
9588 SSL_free(clientssl);
9589 SSL_CTX_free(sctx);
9590 SSL_CTX_free(cctx);
9591 EVP_PKEY_free(dhpkey);
9592
9593 return testresult;
9594}
9595
9596/*
9597 * Test the auto DH keys are appropriately sized
9598 */
9599static int test_dh_auto(int idx)
9600{
9601 SSL_CTX *cctx = NULL, *sctx = NULL;
9602 SSL *clientssl = NULL, *serverssl = NULL;
9603 int testresult = 0;
9604 EVP_PKEY *tmpkey = NULL;
9605 char *thiscert = NULL, *thiskey = NULL;
9606 size_t expdhsize = 0;
9607 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9608
9609 switch (idx) {
9610 case 0:
9611 /* The FIPS provider doesn't support this DH size - so we ignore it */
9612 if (is_fips)
9613 return 1;
9614 thiscert = cert1024;
9615 thiskey = privkey1024;
9616 expdhsize = 1024;
9617 break;
9618 case 1:
9619 /* 2048 bit prime */
9620 thiscert = cert;
9621 thiskey = privkey;
9622 expdhsize = 2048;
9623 break;
9624 case 2:
9625 thiscert = cert3072;
9626 thiskey = privkey3072;
9627 expdhsize = 3072;
9628 break;
9629 case 3:
9630 thiscert = cert4096;
9631 thiskey = privkey4096;
9632 expdhsize = 4096;
9633 break;
9634 case 4:
9635 thiscert = cert8192;
9636 thiskey = privkey8192;
9637 expdhsize = 8192;
9638 break;
9639 /* No certificate cases */
9640 case 5:
9641 /* The FIPS provider doesn't support this DH size - so we ignore it */
9642 if (is_fips)
9643 return 1;
9644 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9645 expdhsize = 1024;
9646 break;
9647 case 6:
9648 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9649 expdhsize = 3072;
9650 break;
9651 default:
9652 TEST_error("Invalid text index");
9653 goto end;
9654 }
9655
9656 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9657 TLS_client_method(),
9658 0,
9659 0,
9660 &sctx, &cctx, thiscert, thiskey)))
9661 goto end;
9662
9663 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9664 NULL, NULL)))
9665 goto end;
9666
9667 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9668 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9669 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9670 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9671 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9672 goto end;
9673
9674 /*
9675 * Send the server's first flight. At this point the server has created the
9676 * temporary DH key but hasn't finished using it yet. Once used it is
9677 * removed, so we cannot test it.
9678 */
9679 if (!TEST_int_le(SSL_connect(clientssl), 0)
9680 || !TEST_int_le(SSL_accept(serverssl), 0))
9681 goto end;
9682
9683 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9684 goto end;
9685 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9686 goto end;
9687
9688 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9689 goto end;
9690
9691 testresult = 1;
9692
9693 end:
9694 SSL_free(serverssl);
9695 SSL_free(clientssl);
9696 SSL_CTX_free(sctx);
9697 SSL_CTX_free(cctx);
9698 EVP_PKEY_free(tmpkey);
9699
9700 return testresult;
9701
9702}
9703# endif /* OPENSSL_NO_DH */
9704#endif /* OPENSSL_NO_TLS1_2 */
9705
9706#ifndef OSSL_NO_USABLE_TLS1_3
9707/*
9708 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9709 * that it works even without a certificate configured for the original
9710 * SSL_CTX
9711 */
9712static int test_sni_tls13(void)
9713{
9714 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9715 SSL *clientssl = NULL, *serverssl = NULL;
9716 int testresult = 0;
9717
9718 /* Reset callback counter */
9719 snicb = 0;
9720
9721 /* Create an initial SSL_CTX with no certificate configured */
9722 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9723 if (!TEST_ptr(sctx))
9724 goto end;
9725 /* Require TLSv1.3 as a minimum */
9726 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9727 TLS_client_method(), TLS1_3_VERSION, 0,
9728 &sctx2, &cctx, cert, privkey)))
9729 goto end;
9730
9731 /* Set up SNI */
9732 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9733 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9734 goto end;
9735
9736 /*
9737 * Connection should still succeed because the final SSL_CTX has the right
9738 * certificates configured.
9739 */
9740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9741 &clientssl, NULL, NULL))
9742 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9743 SSL_ERROR_NONE)))
9744 goto end;
9745
9746 /* We should have had the SNI callback called exactly once */
9747 if (!TEST_int_eq(snicb, 1))
9748 goto end;
9749
9750 testresult = 1;
9751
9752end:
9753 SSL_free(serverssl);
9754 SSL_free(clientssl);
9755 SSL_CTX_free(sctx2);
9756 SSL_CTX_free(sctx);
9757 SSL_CTX_free(cctx);
9758 return testresult;
9759}
9760
9761/*
9762 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9763 * 0 = TLSv1.2
9764 * 1 = TLSv1.3
9765 */
9766static int test_ticket_lifetime(int idx)
9767{
9768 SSL_CTX *cctx = NULL, *sctx = NULL;
9769 SSL *clientssl = NULL, *serverssl = NULL;
9770 int testresult = 0;
9771 int version = TLS1_3_VERSION;
9772
9773#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9774#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9775
9776 if (idx == 0) {
9777#ifdef OPENSSL_NO_TLS1_2
9778 return TEST_skip("TLS 1.2 is disabled.");
9779#else
9780 version = TLS1_2_VERSION;
9781#endif
9782 }
9783
9784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9785 TLS_client_method(), version, version,
9786 &sctx, &cctx, cert, privkey)))
9787 goto end;
9788
9789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9790 &clientssl, NULL, NULL)))
9791 goto end;
9792
9793 /*
9794 * Set the timeout to be more than 1 week
9795 * make sure the returned value is the default
9796 */
9797 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9798 SSL_get_default_timeout(serverssl)))
9799 goto end;
9800
9801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9802 goto end;
9803
9804 if (idx == 0) {
9805 /* TLSv1.2 uses the set value */
9806 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9807 goto end;
9808 } else {
9809 /* TLSv1.3 uses the limited value */
9810 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9811 goto end;
9812 }
9813 testresult = 1;
9814
9815end:
9816 SSL_free(serverssl);
9817 SSL_free(clientssl);
9818 SSL_CTX_free(sctx);
9819 SSL_CTX_free(cctx);
9820 return testresult;
9821}
9822#endif
9823/*
9824 * Test that setting an ALPN does not violate RFC
9825 */
9826static int test_set_alpn(void)
9827{
9828 SSL_CTX *ctx = NULL;
9829 SSL *ssl = NULL;
9830 int testresult = 0;
9831
9832 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9833 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9834 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9835 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9836 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9837 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9838
9839 /* Create an initial SSL_CTX with no certificate configured */
9840 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9841 if (!TEST_ptr(ctx))
9842 goto end;
9843
9844 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9845 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9846 goto end;
9847 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9848 goto end;
9849 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9850 goto end;
9851 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9852 goto end;
9853 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9854 goto end;
9855 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9856 goto end;
9857 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9858 goto end;
9859 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9860 goto end;
9861 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9862 goto end;
9863
9864 ssl = SSL_new(ctx);
9865 if (!TEST_ptr(ssl))
9866 goto end;
9867
9868 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9869 goto end;
9870 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9871 goto end;
9872 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9873 goto end;
9874 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9875 goto end;
9876 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9877 goto end;
9878 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9879 goto end;
9880 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9881 goto end;
9882 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9883 goto end;
9884 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9885 goto end;
9886
9887 testresult = 1;
9888
9889end:
9890 SSL_free(ssl);
9891 SSL_CTX_free(ctx);
9892 return testresult;
9893}
9894
9895/*
9896 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9897 */
9898static int test_set_verify_cert_store_ssl_ctx(void)
9899{
9900 SSL_CTX *ctx = NULL;
9901 int testresult = 0;
9902 X509_STORE *store = NULL, *new_store = NULL,
9903 *cstore = NULL, *new_cstore = NULL;
9904
9905 /* Create an initial SSL_CTX. */
9906 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9907 if (!TEST_ptr(ctx))
9908 goto end;
9909
9910 /* Retrieve verify store pointer. */
9911 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9912 goto end;
9913
9914 /* Retrieve chain store pointer. */
9915 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9916 goto end;
9917
9918 /* We haven't set any yet, so this should be NULL. */
9919 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9920 goto end;
9921
9922 /* Create stores. We use separate stores so pointers are different. */
9923 new_store = X509_STORE_new();
9924 if (!TEST_ptr(new_store))
9925 goto end;
9926
9927 new_cstore = X509_STORE_new();
9928 if (!TEST_ptr(new_cstore))
9929 goto end;
9930
9931 /* Set stores. */
9932 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9933 goto end;
9934
9935 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9936 goto end;
9937
9938 /* Should be able to retrieve the same pointer. */
9939 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9940 goto end;
9941
9942 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9943 goto end;
9944
9945 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9946 goto end;
9947
9948 /* Should be able to unset again. */
9949 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9950 goto end;
9951
9952 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9953 goto end;
9954
9955 /* Should now be NULL. */
9956 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9957 goto end;
9958
9959 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9960 goto end;
9961
9962 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9963 goto end;
9964
9965 testresult = 1;
9966
9967end:
9968 X509_STORE_free(new_store);
9969 X509_STORE_free(new_cstore);
9970 SSL_CTX_free(ctx);
9971 return testresult;
9972}
9973
9974/*
9975 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9976 */
9977static int test_set_verify_cert_store_ssl(void)
9978{
9979 SSL_CTX *ctx = NULL;
9980 SSL *ssl = NULL;
9981 int testresult = 0;
9982 X509_STORE *store = NULL, *new_store = NULL,
9983 *cstore = NULL, *new_cstore = NULL;
9984
9985 /* Create an initial SSL_CTX. */
9986 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9987 if (!TEST_ptr(ctx))
9988 goto end;
9989
9990 /* Create an SSL object. */
9991 ssl = SSL_new(ctx);
9992 if (!TEST_ptr(ssl))
9993 goto end;
9994
9995 /* Retrieve verify store pointer. */
9996 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9997 goto end;
9998
9999 /* Retrieve chain store pointer. */
10000 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10001 goto end;
10002
10003 /* We haven't set any yet, so this should be NULL. */
10004 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10005 goto end;
10006
10007 /* Create stores. We use separate stores so pointers are different. */
10008 new_store = X509_STORE_new();
10009 if (!TEST_ptr(new_store))
10010 goto end;
10011
10012 new_cstore = X509_STORE_new();
10013 if (!TEST_ptr(new_cstore))
10014 goto end;
10015
10016 /* Set stores. */
10017 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10018 goto end;
10019
10020 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10021 goto end;
10022
10023 /* Should be able to retrieve the same pointer. */
10024 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10025 goto end;
10026
10027 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10028 goto end;
10029
10030 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10031 goto end;
10032
10033 /* Should be able to unset again. */
10034 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10035 goto end;
10036
10037 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10038 goto end;
10039
10040 /* Should now be NULL. */
10041 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10042 goto end;
10043
10044 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10045 goto end;
10046
10047 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10048 goto end;
10049
10050 testresult = 1;
10051
10052end:
10053 X509_STORE_free(new_store);
10054 X509_STORE_free(new_cstore);
10055 SSL_free(ssl);
10056 SSL_CTX_free(ctx);
10057 return testresult;
10058}
10059
10060
10061static int test_inherit_verify_param(void)
10062{
10063 int testresult = 0;
10064
10065 SSL_CTX *ctx = NULL;
10066 X509_VERIFY_PARAM *cp = NULL;
10067 SSL *ssl = NULL;
10068 X509_VERIFY_PARAM *sp = NULL;
10069 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10070
10071 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10072 if (!TEST_ptr(ctx))
10073 goto end;
10074
10075 cp = SSL_CTX_get0_param(ctx);
10076 if (!TEST_ptr(cp))
10077 goto end;
10078 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10079 goto end;
10080
10081 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10082
10083 ssl = SSL_new(ctx);
10084 if (!TEST_ptr(ssl))
10085 goto end;
10086
10087 sp = SSL_get0_param(ssl);
10088 if (!TEST_ptr(sp))
10089 goto end;
10090 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10091 goto end;
10092
10093 testresult = 1;
10094
10095 end:
10096 SSL_free(ssl);
10097 SSL_CTX_free(ctx);
10098
10099 return testresult;
10100}
10101
10102static int test_load_dhfile(void)
10103{
10104#ifndef OPENSSL_NO_DH
10105 int testresult = 0;
10106
10107 SSL_CTX *ctx = NULL;
10108 SSL_CONF_CTX *cctx = NULL;
10109
10110 if (dhfile == NULL)
10111 return 1;
10112
10113 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10114 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10115 goto end;
10116
10117 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10118 SSL_CONF_CTX_set_flags(cctx,
10119 SSL_CONF_FLAG_CERTIFICATE
10120 | SSL_CONF_FLAG_SERVER
10121 | SSL_CONF_FLAG_FILE);
10122
10123 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10124 goto end;
10125
10126 testresult = 1;
10127end:
10128 SSL_CONF_CTX_free(cctx);
10129 SSL_CTX_free(ctx);
10130
10131 return testresult;
10132#else
10133 return TEST_skip("DH not supported by this build");
10134#endif
10135}
10136
10137#ifndef OSSL_NO_USABLE_TLS1_3
10138/* Test that read_ahead works across a key change */
10139static int test_read_ahead_key_change(void)
10140{
10141 SSL_CTX *cctx = NULL, *sctx = NULL;
10142 SSL *clientssl = NULL, *serverssl = NULL;
10143 int testresult = 0;
10144 char *msg = "Hello World";
10145 size_t written, readbytes;
10146 char buf[80];
10147 int i;
10148
10149 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10150 TLS_client_method(), TLS1_3_VERSION, 0,
10151 &sctx, &cctx, cert, privkey)))
10152 goto end;
10153
10154 SSL_CTX_set_read_ahead(sctx, 1);
10155
10156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10157 &clientssl, NULL, NULL)))
10158 goto end;
10159
10160 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10161 goto end;
10162
10163 /* Write some data, send a key update, write more data */
10164 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10165 || !TEST_size_t_eq(written, strlen(msg)))
10166 goto end;
10167
10168 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10169 goto end;
10170
10171 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10172 || !TEST_size_t_eq(written, strlen(msg)))
10173 goto end;
10174
10175 /*
10176 * Since read_ahead is on the first read below should read the record with
10177 * the first app data, the second record with the key update message, and
10178 * the third record with the app data all in one go. We should be able to
10179 * still process the read_ahead data correctly even though it crosses
10180 * epochs
10181 */
10182 for (i = 0; i < 2; i++) {
10183 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10184 &readbytes)))
10185 goto end;
10186
10187 buf[readbytes] = '\0';
10188 if (!TEST_str_eq(buf, msg))
10189 goto end;
10190 }
10191
10192 testresult = 1;
10193
10194end:
10195 SSL_free(serverssl);
10196 SSL_free(clientssl);
10197 SSL_CTX_free(sctx);
10198 SSL_CTX_free(cctx);
10199 return testresult;
10200}
10201
10202static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10203{
10204 int *called = arg;
10205
10206 switch ((*called)++) {
10207 case 0:
10208 /* Add some padding to first record */
10209 return 512;
10210 case 1:
10211 /* Maximally pad the second record */
10212 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10213 case 2:
10214 /*
10215 * Exceeding the maximum padding should be fine. It should just pad to
10216 * the maximum anyway
10217 */
10218 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10219 case 3:
10220 /*
10221 * Very large padding should also be ok. Should just pad to the maximum
10222 * allowed
10223 */
10224 return SIZE_MAX;
10225 default:
10226 return 0;
10227 }
10228}
10229
10230/*
10231 * Test that setting record padding in TLSv1.3 works as expected
10232 * Test 0: Record padding callback on the SSL_CTX
10233 * Test 1: Record padding callback on the SSL
10234 * Test 2: Record block padding on the SSL_CTX
10235 * Test 3: Record block padding on the SSL
10236 */
10237static int test_tls13_record_padding(int idx)
10238{
10239 SSL_CTX *cctx = NULL, *sctx = NULL;
10240 SSL *clientssl = NULL, *serverssl = NULL;
10241 int testresult = 0;
10242 char *msg = "Hello World";
10243 size_t written, readbytes;
10244 char buf[80];
10245 int i;
10246 int called = 0;
10247
10248 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10249 TLS_client_method(), TLS1_3_VERSION, 0,
10250 &sctx, &cctx, cert, privkey)))
10251 goto end;
10252
10253 if (idx == 0) {
10254 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10255 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10256 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10257 goto end;
10258 } else if (idx == 2) {
10259 /* Exceeding the max plain length should fail */
10260 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10261 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10262 goto end;
10263 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10264 goto end;
10265 }
10266
10267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10268 &clientssl, NULL, NULL)))
10269 goto end;
10270
10271 if (idx == 1) {
10272 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10273 SSL_set_record_padding_callback_arg(clientssl, &called);
10274 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10275 goto end;
10276 } else if (idx == 3) {
10277 /* Exceeding the max plain length should fail */
10278 if (!TEST_false(SSL_set_block_padding(clientssl,
10279 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10280 goto end;
10281 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10282 goto end;
10283 }
10284
10285 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10286 goto end;
10287
10288 called = 0;
10289 /*
10290 * Write some data, then check we can read it. Do this four times to check
10291 * we can continue to write and read padded data after the initial record
10292 * padding has been added. We don't actually check that the padding has
10293 * been applied to the record - just that we can continue to communicate
10294 * normally and that the callback has been called (if appropriate).
10295 */
10296 for (i = 0; i < 4; i++) {
10297 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10298 || !TEST_size_t_eq(written, strlen(msg)))
10299 goto end;
10300
10301 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10302 &readbytes))
10303 || !TEST_size_t_eq(written, readbytes))
10304 goto end;
10305
10306 buf[readbytes] = '\0';
10307 if (!TEST_str_eq(buf, msg))
10308 goto end;
10309 }
10310
10311 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10312 goto end;
10313
10314 testresult = 1;
10315end:
10316 SSL_free(serverssl);
10317 SSL_free(clientssl);
10318 SSL_CTX_free(sctx);
10319 SSL_CTX_free(cctx);
10320 return testresult;
10321}
10322#endif /* OSSL_NO_USABLE_TLS1_3 */
10323
10324#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10325
10326static ENGINE *load_dasync(void)
10327{
10328 ENGINE *e;
10329
10330 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10331 return NULL;
10332
10333 if (!TEST_true(ENGINE_init(e))) {
10334 ENGINE_free(e);
10335 return NULL;
10336 }
10337
10338 if (!TEST_true(ENGINE_register_ciphers(e))) {
10339 ENGINE_free(e);
10340 return NULL;
10341 }
10342
10343 return e;
10344}
10345
10346/*
10347 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10348 * support this yet. The only pipeline capable cipher that we have is in the
10349 * dasync engine (providers don't support this yet), so we have to use
10350 * deprecated APIs for this test.
10351 *
10352 * Test 0: Client has pipelining enabled, server does not
10353 * Test 1: Server has pipelining enabled, client does not
10354 * Test 2: Client has pipelining enabled, server does not: not enough data to
10355 * fill all the pipelines
10356 * Test 3: Client has pipelining enabled, server does not: not enough data to
10357 * fill all the pipelines by more than a full pipeline's worth
10358 * Test 4: Client has pipelining enabled, server does not: more data than all
10359 * the available pipelines can take
10360 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10361 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10362 * is created)
10363 */
10364static int test_pipelining(int idx)
10365{
10366 SSL_CTX *cctx = NULL, *sctx = NULL;
10367 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10368 int testresult = 0, numreads;
10369 /* A 55 byte message */
10370 unsigned char *msg = (unsigned char *)
10371 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10372 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10373 size_t expectedreads;
10374 unsigned char *buf = NULL;
10375 ENGINE *e = NULL;
10376
10377 if (idx != 6) {
10378 e = load_dasync();
10379 if (e == NULL)
10380 return 0;
10381 }
10382
10383 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10384 TLS_client_method(), 0,
10385 TLS1_2_VERSION, &sctx, &cctx, cert,
10386 privkey)))
10387 goto end;
10388
10389 if (idx == 6) {
10390 e = load_dasync();
10391 if (e == NULL)
10392 goto end;
10393 /* Now act like test 0 */
10394 idx = 0;
10395 }
10396
10397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10398 &clientssl, NULL, NULL)))
10399 goto end;
10400
10401 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10402 goto end;
10403
10404 /* peera is always configured for pipelining, while peerb is not. */
10405 if (idx == 1) {
10406 peera = serverssl;
10407 peerb = clientssl;
10408
10409 } else {
10410 peera = clientssl;
10411 peerb = serverssl;
10412 }
10413
10414 if (idx == 5) {
10415 numpipes = 2;
10416 /* Maximum allowed fragment size */
10417 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10418 msglen = fragsize * numpipes;
10419 msg = OPENSSL_malloc(msglen);
10420 if (!TEST_ptr(msg))
10421 goto end;
10422 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10423 goto end;
10424 } else if (idx == 4) {
10425 msglen = 55;
10426 } else {
10427 msglen = 50;
10428 }
10429 if (idx == 2)
10430 msglen -= 2; /* Send 2 less bytes */
10431 else if (idx == 3)
10432 msglen -= 12; /* Send 12 less bytes */
10433
10434 buf = OPENSSL_malloc(msglen);
10435 if (!TEST_ptr(buf))
10436 goto end;
10437
10438 if (idx == 5) {
10439 /*
10440 * Test that setting a split send fragment longer than the maximum
10441 * allowed fails
10442 */
10443 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10444 goto end;
10445 }
10446
10447 /*
10448 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10449 * (50 bytes in total). This is a ridiculously small number of bytes -
10450 * but sufficient for our purposes
10451 */
10452 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10453 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10454 goto end;
10455
10456 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10457 goto end;
10458
10459 /* Write some data from peera to peerb */
10460 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10461 || !TEST_size_t_eq(written, msglen))
10462 goto end;
10463
10464 /*
10465 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10466 * have been used - except in test 3 where only |numpipes - 1| pipelines
10467 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10468 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10469 * expect this to be read in |numpipes| or |numpipes - 1| separate
10470 * SSL_read_ex calls. In the case of test 4, there is then one additional
10471 * read for left over data that couldn't fit in the previous pipelines
10472 */
10473 for (offset = 0, numreads = 0;
10474 offset < msglen;
10475 offset += readbytes, numreads++) {
10476 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10477 msglen - offset, &readbytes)))
10478 goto end;
10479 }
10480
10481 expectedreads = idx == 4 ? numpipes + 1
10482 : (idx == 3 ? numpipes - 1 : numpipes);
10483 if (!TEST_mem_eq(msg, msglen, buf, offset)
10484 || !TEST_int_eq(numreads, expectedreads))
10485 goto end;
10486
10487 /*
10488 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10489 * chunks to exercise the read pipelining code on peera.
10490 */
10491 for (offset = 0; offset < msglen; offset += fragsize) {
10492 size_t sendlen = msglen - offset;
10493
10494 if (sendlen > fragsize)
10495 sendlen = fragsize;
10496 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10497 || !TEST_size_t_eq(written, sendlen))
10498 goto end;
10499 }
10500
10501 /*
10502 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10503 * separate chunks (depending on which test we are running). If the
10504 * pipelining is working then we expect peera to read up to numpipes chunks
10505 * and process them in parallel, giving back the complete result in a single
10506 * call to SSL_read_ex
10507 */
10508 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10509 || !TEST_size_t_le(readbytes, msglen))
10510 goto end;
10511
10512 if (idx == 4) {
10513 size_t readbytes2;
10514
10515 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10516 msglen - readbytes, &readbytes2)))
10517 goto end;
10518 readbytes += readbytes2;
10519 if (!TEST_size_t_le(readbytes, msglen))
10520 goto end;
10521 }
10522
10523 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10524 goto end;
10525
10526 testresult = 1;
10527end:
10528 SSL_free(serverssl);
10529 SSL_free(clientssl);
10530 SSL_CTX_free(sctx);
10531 SSL_CTX_free(cctx);
10532 if (e != NULL) {
10533 ENGINE_unregister_ciphers(e);
10534 ENGINE_finish(e);
10535 ENGINE_free(e);
10536 }
10537 OPENSSL_free(buf);
10538 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10539 OPENSSL_free(msg);
10540 return testresult;
10541}
10542#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10543
10544/*
10545 * Force a write retry during handshaking. We test various combinations of
10546 * scenarios. We test a large certificate message which will fill the buffering
10547 * BIO used in the handshake. We try with client auth on and off. Finally we
10548 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
10549 * to indicate retry via -1 - but sometimes BIOs don't do that.
10550 *
10551 * Test 0: Standard certificate message
10552 * Test 1: Large certificate message
10553 * Test 2: Standard cert, verify peer
10554 * Test 3: Large cert, verify peer
10555 * Test 4: Standard cert, BIO returns 0 on retry
10556 * Test 5: Large cert, BIO returns 0 on retry
10557 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
10558 * Test 7: Large cert, verify peer, BIO returns 0 on retry
10559 * Test 8-15: Repeat of above with TLSv1.2
10560 */
10561static int test_handshake_retry(int idx)
10562{
10563 SSL_CTX *cctx = NULL, *sctx = NULL;
10564 SSL *clientssl = NULL, *serverssl = NULL;
10565 int testresult = 0;
10566 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
10567 int maxversion = 0;
10568
10569 if (!TEST_ptr(bretry))
10570 goto end;
10571
10572#ifndef OPENSSL_NO_TLS1_2
10573 if ((idx & 8) == 8)
10574 maxversion = TLS1_2_VERSION;
10575#else
10576 if ((idx & 8) == 8)
10577 return TEST_skip("No TLSv1.2");
10578#endif
10579
10580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10581 TLS_client_method(), 0, maxversion,
10582 &sctx, &cctx, cert, privkey)))
10583 goto end;
10584
10585 /*
10586 * Add a large amount of data to fill the buffering BIO used by the SSL
10587 * object
10588 */
10589 if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
10590 goto end;
10591
10592 /*
10593 * We don't actually configure a client cert, but neither do we fail if one
10594 * isn't present.
10595 */
10596 if ((idx & 2) == 2)
10597 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
10598
10599 if ((idx & 4) == 4)
10600 set_always_retry_err_val(0);
10601
10602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10603 &clientssl, NULL, NULL)))
10604 goto end;
10605
10606 tmp = SSL_get_wbio(serverssl);
10607 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
10608 tmp = NULL;
10609 goto end;
10610 }
10611 SSL_set0_wbio(serverssl, bretry);
10612 bretry = NULL;
10613
10614 if (!TEST_int_eq(SSL_connect(clientssl), -1))
10615 goto end;
10616
10617 if (!TEST_int_eq(SSL_accept(serverssl), -1)
10618 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
10619 goto end;
10620
10621 /* Restore a BIO that will let the write succeed */
10622 SSL_set0_wbio(serverssl, tmp);
10623 tmp = NULL;
10624
10625 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10626 goto end;
10627
10628 testresult = 1;
10629end:
10630 SSL_free(serverssl);
10631 SSL_free(clientssl);
10632 SSL_CTX_free(sctx);
10633 SSL_CTX_free(cctx);
10634 BIO_free(bretry);
10635 BIO_free(tmp);
10636 set_always_retry_err_val(-1);
10637 return testresult;
10638}
10639
10640OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10641
10642int setup_tests(void)
10643{
10644 char *modulename;
10645 char *configfile;
10646
10647 libctx = OSSL_LIB_CTX_new();
10648 if (!TEST_ptr(libctx))
10649 return 0;
10650
10651 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10652
10653 /*
10654 * Verify that the default and fips providers in the default libctx are not
10655 * available
10656 */
10657 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10658 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10659 return 0;
10660
10661 if (!test_skip_common_options()) {
10662 TEST_error("Error parsing test options\n");
10663 return 0;
10664 }
10665
10666 if (!TEST_ptr(certsdir = test_get_argument(0))
10667 || !TEST_ptr(srpvfile = test_get_argument(1))
10668 || !TEST_ptr(tmpfilename = test_get_argument(2))
10669 || !TEST_ptr(modulename = test_get_argument(3))
10670 || !TEST_ptr(configfile = test_get_argument(4))
10671 || !TEST_ptr(dhfile = test_get_argument(5)))
10672 return 0;
10673
10674 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10675 return 0;
10676
10677 /* Check we have the expected provider available */
10678 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10679 return 0;
10680
10681 /* Check the default provider is not available */
10682 if (strcmp(modulename, "default") != 0
10683 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10684 return 0;
10685
10686 if (strcmp(modulename, "fips") == 0) {
10687 OSSL_PROVIDER *prov = NULL;
10688 OSSL_PARAM params[2];
10689
10690 is_fips = 1;
10691
10692 prov = OSSL_PROVIDER_load(libctx, "fips");
10693 if (prov != NULL) {
10694 /* Query the fips provider to check if the check ems option is enabled */
10695 params[0] =
10696 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
10697 &fips_ems_check);
10698 params[1] = OSSL_PARAM_construct_end();
10699 OSSL_PROVIDER_get_params(prov, params);
10700 OSSL_PROVIDER_unload(prov);
10701 }
10702 }
10703
10704 /*
10705 * We add, but don't load the test "tls-provider". We'll load it when we
10706 * need it.
10707 */
10708 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10709 tls_provider_init)))
10710 return 0;
10711
10712
10713 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10714#ifdef OPENSSL_NO_CRYPTO_MDEBUG
10715 TEST_error("not supported in this build");
10716 return 0;
10717#else
10718 int i, mcount, rcount, fcount;
10719
10720 for (i = 0; i < 4; i++)
10721 test_export_key_mat(i);
10722 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10723 test_printf_stdout("malloc %d realloc %d free %d\n",
10724 mcount, rcount, fcount);
10725 return 1;
10726#endif
10727 }
10728
10729 cert = test_mk_file_path(certsdir, "servercert.pem");
10730 if (cert == NULL)
10731 goto err;
10732
10733 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10734 if (privkey == NULL)
10735 goto err;
10736
10737 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10738 if (cert2 == NULL)
10739 goto err;
10740
10741 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10742 if (privkey2 == NULL)
10743 goto err;
10744
10745 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10746 if (cert1024 == NULL)
10747 goto err;
10748
10749 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10750 if (privkey1024 == NULL)
10751 goto err;
10752
10753 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10754 if (cert3072 == NULL)
10755 goto err;
10756
10757 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10758 if (privkey3072 == NULL)
10759 goto err;
10760
10761 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10762 if (cert4096 == NULL)
10763 goto err;
10764
10765 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10766 if (privkey4096 == NULL)
10767 goto err;
10768
10769 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10770 if (cert8192 == NULL)
10771 goto err;
10772
10773 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10774 if (privkey8192 == NULL)
10775 goto err;
10776
10777 if (fips_ems_check) {
10778#ifndef OPENSSL_NO_TLS1_2
10779 ADD_TEST(test_no_ems);
10780#endif
10781 return 1;
10782 }
10783#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10784# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10785 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10786 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
10787# endif
10788#endif
10789 ADD_TEST(test_large_message_tls);
10790 ADD_TEST(test_large_message_tls_read_ahead);
10791#ifndef OPENSSL_NO_DTLS
10792 ADD_TEST(test_large_message_dtls);
10793#endif
10794 ADD_ALL_TESTS(test_large_app_data, 28);
10795 ADD_TEST(test_cleanse_plaintext);
10796#ifndef OPENSSL_NO_OCSP
10797 ADD_TEST(test_tlsext_status_type);
10798#endif
10799 ADD_TEST(test_session_with_only_int_cache);
10800 ADD_TEST(test_session_with_only_ext_cache);
10801 ADD_TEST(test_session_with_both_cache);
10802 ADD_TEST(test_session_wo_ca_names);
10803#ifndef OSSL_NO_USABLE_TLS1_3
10804 ADD_ALL_TESTS(test_stateful_tickets, 3);
10805 ADD_ALL_TESTS(test_stateless_tickets, 3);
10806 ADD_TEST(test_psk_tickets);
10807 ADD_ALL_TESTS(test_extra_tickets, 6);
10808#endif
10809 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10810 ADD_TEST(test_ssl_bio_pop_next_bio);
10811 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10812 ADD_TEST(test_ssl_bio_change_rbio);
10813 ADD_TEST(test_ssl_bio_change_wbio);
10814#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10815 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10816 ADD_TEST(test_keylog);
10817#endif
10818#ifndef OSSL_NO_USABLE_TLS1_3
10819 ADD_TEST(test_keylog_no_master_key);
10820#endif
10821 ADD_TEST(test_client_cert_verify_cb);
10822 ADD_TEST(test_ssl_build_cert_chain);
10823 ADD_TEST(test_ssl_ctx_build_cert_chain);
10824#ifndef OPENSSL_NO_TLS1_2
10825 ADD_TEST(test_client_hello_cb);
10826 ADD_TEST(test_no_ems);
10827 ADD_TEST(test_ccs_change_cipher);
10828#endif
10829#ifndef OSSL_NO_USABLE_TLS1_3
10830 ADD_ALL_TESTS(test_early_data_read_write, 6);
10831 /*
10832 * We don't do replay tests for external PSK. Replay protection isn't used
10833 * in that scenario.
10834 */
10835 ADD_ALL_TESTS(test_early_data_replay, 2);
10836 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
10837 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
10838 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
10839 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
10840 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10841 ADD_ALL_TESTS(test_early_data_psk, 8);
10842 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10843 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10844# ifndef OPENSSL_NO_TLS1_2
10845 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10846# endif
10847#endif
10848#ifndef OSSL_NO_USABLE_TLS1_3
10849 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10850 ADD_TEST(test_ciphersuite_change);
10851 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10852# ifdef OPENSSL_NO_PSK
10853 ADD_ALL_TESTS(test_tls13_psk, 1);
10854# else
10855 ADD_ALL_TESTS(test_tls13_psk, 4);
10856# endif /* OPENSSL_NO_PSK */
10857# ifndef OPENSSL_NO_TLS1_2
10858 /* Test with both TLSv1.3 and 1.2 versions */
10859 ADD_ALL_TESTS(test_key_exchange, 14);
10860# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10861 ADD_ALL_TESTS(test_negotiated_group,
10862 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10863 + OSSL_NELEM(ffdhe_kexch_groups)));
10864# endif
10865# else
10866 /* Test with only TLSv1.3 versions */
10867 ADD_ALL_TESTS(test_key_exchange, 12);
10868# endif
10869 ADD_ALL_TESTS(test_custom_exts, 6);
10870 ADD_TEST(test_stateless);
10871 ADD_TEST(test_pha_key_update);
10872#else
10873 ADD_ALL_TESTS(test_custom_exts, 3);
10874#endif
10875 ADD_ALL_TESTS(test_export_key_mat, 6);
10876#ifndef OSSL_NO_USABLE_TLS1_3
10877 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10878 ADD_TEST(test_key_update);
10879 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10880 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10881 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10882 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10883#endif
10884 ADD_ALL_TESTS(test_ssl_clear, 2);
10885 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10886#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10887 ADD_ALL_TESTS(test_srp, 6);
10888#endif
10889 ADD_ALL_TESTS(test_info_callback, 6);
10890 ADD_ALL_TESTS(test_ssl_pending, 2);
10891 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10892 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10893 ADD_ALL_TESTS(test_shutdown, 7);
10894 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10895 ADD_ALL_TESTS(test_cert_cb, 6);
10896 ADD_ALL_TESTS(test_client_cert_cb, 2);
10897 ADD_ALL_TESTS(test_ca_names, 3);
10898#ifndef OPENSSL_NO_TLS1_2
10899 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10900#endif
10901 ADD_ALL_TESTS(test_servername, 10);
10902#if !defined(OPENSSL_NO_EC) \
10903 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10904 ADD_ALL_TESTS(test_sigalgs_available, 6);
10905#endif
10906#ifndef OPENSSL_NO_TLS1_3
10907 ADD_ALL_TESTS(test_pluggable_group, 2);
10908#endif
10909#ifndef OPENSSL_NO_TLS1_2
10910 ADD_TEST(test_ssl_dup);
10911# ifndef OPENSSL_NO_DH
10912 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10913 ADD_ALL_TESTS(test_dh_auto, 7);
10914# endif
10915#endif
10916#ifndef OSSL_NO_USABLE_TLS1_3
10917 ADD_TEST(test_sni_tls13);
10918 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10919#endif
10920 ADD_TEST(test_inherit_verify_param);
10921 ADD_TEST(test_set_alpn);
10922 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10923 ADD_TEST(test_set_verify_cert_store_ssl);
10924 ADD_ALL_TESTS(test_session_timeout, 1);
10925 ADD_TEST(test_load_dhfile);
10926#ifndef OSSL_NO_USABLE_TLS1_3
10927 ADD_TEST(test_read_ahead_key_change);
10928 ADD_ALL_TESTS(test_tls13_record_padding, 4);
10929#endif
10930#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10931 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10932#endif
10933#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10934 ADD_ALL_TESTS(test_pipelining, 7);
10935#endif
10936 ADD_ALL_TESTS(test_handshake_retry, 16);
10937 return 1;
10938
10939 err:
10940 OPENSSL_free(cert);
10941 OPENSSL_free(privkey);
10942 OPENSSL_free(cert2);
10943 OPENSSL_free(privkey2);
10944 return 0;
10945}
10946
10947void cleanup_tests(void)
10948{
10949# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10950 EVP_PKEY_free(tmp_dh_params);
10951#endif
10952 OPENSSL_free(cert);
10953 OPENSSL_free(privkey);
10954 OPENSSL_free(cert2);
10955 OPENSSL_free(privkey2);
10956 OPENSSL_free(cert1024);
10957 OPENSSL_free(privkey1024);
10958 OPENSSL_free(cert3072);
10959 OPENSSL_free(privkey3072);
10960 OPENSSL_free(cert4096);
10961 OPENSSL_free(privkey4096);
10962 OPENSSL_free(cert8192);
10963 OPENSSL_free(privkey8192);
10964 bio_s_mempacket_test_free();
10965 bio_s_always_retry_free();
10966 OSSL_PROVIDER_unload(defctxnull);
10967 OSSL_LIB_CTX_free(libctx);
10968}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette