1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "filterprov.h"
45
46 #undef OSSL_NO_USABLE_TLS1_3
47 #if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 /*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53 # define OSSL_NO_USABLE_TLS1_3
54 #endif
55
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62 static OSSL_LIB_CTX *libctx = NULL;
63 static OSSL_PROVIDER *defctxnull = NULL;
64
65 #ifndef OSSL_NO_USABLE_TLS1_3
66
67 static SSL_SESSION *clientpsk = NULL;
68 static SSL_SESSION *serverpsk = NULL;
69 static const char *pskid = "Identity";
70 static const char *srvid;
71
72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74 static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77 static int use_session_cb_cnt = 0;
78 static int find_session_cb_cnt = 0;
79
80 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81 #endif
82
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
99
100 static int is_fips = 0;
101
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t server_log_buffer_index = 0;
105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t client_log_buffer_index = 0;
107 static int error_writing_log = 0;
108
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder[] = "Dummy OCSP Response";
111 static int ocsp_server_called = 0;
112 static int ocsp_client_called = 0;
113
114 static int cdummyarg = 1;
115 static X509 *ocspcert = NULL;
116 #endif
117
118 #define NUM_EXTRA_CERTS 40
119 #define CLIENT_VERSION_LEN 2
120
121 /*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135 };
136
137
hostname_cb(SSL * s,int * al,void * arg)138 static int hostname_cb(SSL *s, int *al, void *arg)
139 {
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147 }
148
client_keylog_callback(const SSL * ssl,const char * line)149 static void client_keylog_callback(const SSL *ssl, const char *line)
150 {
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163 }
164
server_keylog_callback(const SSL * ssl,const char * line)165 static void server_keylog_callback(const SSL *ssl, const char *line)
166 {
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179 }
180
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)181 static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185 {
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200 }
201
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205 {
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345 }
346
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
test_keylog(void)348 static int test_keylog(void)
349 {
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418 end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425 }
426 #endif
427
428 #ifndef OSSL_NO_USABLE_TLS1_3
test_keylog_no_master_key(void)429 static int test_keylog_no_master_key(void)
430 {
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534 end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542 }
543 #endif
544
verify_retry_cb(X509_STORE_CTX * ctx,void * arg)545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 {
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562 }
563
test_client_cert_verify_cb(void)564 static int test_client_cert_verify_cb(void)
565 {
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620 end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641 }
642
test_ssl_build_cert_chain(void)643 static int test_ssl_build_cert_chain(void)
644 {
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664 end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670 }
671
get_password_cb(char * buf,int size,int rw_flag,void * userdata)672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 {
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681 }
682
test_ssl_ctx_build_cert_chain(void)683 static int test_ssl_ctx_build_cert_chain(void)
684 {
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703 end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708 }
709
710 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
712 {
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
717 #ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 #else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722 #endif
723 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
725 11, 10,
726 #endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750 }
751
test_client_hello_cb(void)752 static int test_client_hello_cb(void)
753 {
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
781 goto end;
782
783 testresult = 1;
784
785 end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792 }
793
test_no_ems(void)794 static int test_no_ems(void)
795 {
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0;
799
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
815 printf("Creating SSL connection failed\n");
816 goto end;
817 }
818
819 if (SSL_get_extms_support(serverssl)) {
820 printf("Server reports Extended Master Secret support\n");
821 goto end;
822 }
823
824 if (SSL_get_extms_support(clientssl)) {
825 printf("Client reports Extended Master Secret support\n");
826 goto end;
827 }
828 testresult = 1;
829
830 end:
831 SSL_free(serverssl);
832 SSL_free(clientssl);
833 SSL_CTX_free(sctx);
834 SSL_CTX_free(cctx);
835
836 return testresult;
837 }
838
839 /*
840 * Very focused test to exercise a single case in the server-side state
841 * machine, when the ChangeCipherState message needs to actually change
842 * from one cipher to a different cipher (i.e., not changing from null
843 * encryption to real encryption).
844 */
test_ccs_change_cipher(void)845 static int test_ccs_change_cipher(void)
846 {
847 SSL_CTX *cctx = NULL, *sctx = NULL;
848 SSL *clientssl = NULL, *serverssl = NULL;
849 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850 int testresult = 0;
851 int i;
852 unsigned char buf;
853 size_t readbytes;
854
855 /*
856 * Create a conection so we can resume and potentially (but not) use
857 * a different cipher in the second connection.
858 */
859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
860 TLS_client_method(),
861 TLS1_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
865 NULL, NULL))
866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
868 SSL_ERROR_NONE))
869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
870 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
871 goto end;
872
873 shutdown_ssl_connection(serverssl, clientssl);
874 serverssl = clientssl = NULL;
875
876 /* Resume, preferring a different cipher. Our server will force the
877 * same cipher to be used as the initial handshake. */
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 NULL, NULL))
880 || !TEST_true(SSL_set_session(clientssl, sess))
881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
883 SSL_ERROR_NONE))
884 || !TEST_true(SSL_session_reused(clientssl))
885 || !TEST_true(SSL_session_reused(serverssl))
886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
887 || !TEST_ptr_eq(sesspre, sesspost)
888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
890 goto end;
891 shutdown_ssl_connection(serverssl, clientssl);
892 serverssl = clientssl = NULL;
893
894 /*
895 * Now create a fresh connection and try to renegotiate a different
896 * cipher on it.
897 */
898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
899 NULL, NULL))
900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
901 || !TEST_true(create_ssl_connection(serverssl, clientssl,
902 SSL_ERROR_NONE))
903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
905 || !TEST_true(SSL_renegotiate(clientssl))
906 || !TEST_true(SSL_renegotiate_pending(clientssl)))
907 goto end;
908 /* Actually drive the renegotiation. */
909 for (i = 0; i < 3; i++) {
910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
911 if (!TEST_ulong_eq(readbytes, 0))
912 goto end;
913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
914 SSL_ERROR_WANT_READ)) {
915 goto end;
916 }
917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 }
925 /* sesspre and sesspost should be different since the cipher changed. */
926 if (!TEST_false(SSL_renegotiate_pending(clientssl))
927 || !TEST_false(SSL_session_reused(clientssl))
928 || !TEST_false(SSL_session_reused(serverssl))
929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
930 || !TEST_ptr_ne(sesspre, sesspost)
931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
933 goto end;
934
935 shutdown_ssl_connection(serverssl, clientssl);
936 serverssl = clientssl = NULL;
937
938 testresult = 1;
939
940 end:
941 SSL_free(serverssl);
942 SSL_free(clientssl);
943 SSL_CTX_free(sctx);
944 SSL_CTX_free(cctx);
945 SSL_SESSION_free(sess);
946
947 return testresult;
948 }
949 #endif
950
add_large_cert_chain(SSL_CTX * sctx)951 static int add_large_cert_chain(SSL_CTX *sctx)
952 {
953 BIO *certbio = NULL;
954 X509 *chaincert = NULL;
955 int certlen;
956 int ret = 0;
957 int i;
958
959 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
960 goto end;
961
962 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
963 goto end;
964
965 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
966 goto end;
967 BIO_free(certbio);
968 certbio = NULL;
969
970 /*
971 * We assume the supplied certificate is big enough so that if we add
972 * NUM_EXTRA_CERTS it will make the overall message large enough. The
973 * default buffer size is requested to be 16k, but due to the way BUF_MEM
974 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
975 * test we need to have a message larger than that.
976 */
977 certlen = i2d_X509(chaincert, NULL);
978 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
979 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
980 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
981 if (!X509_up_ref(chaincert))
982 goto end;
983 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
984 X509_free(chaincert);
985 goto end;
986 }
987 }
988
989 ret = 1;
990 end:
991 BIO_free(certbio);
992 X509_free(chaincert);
993 return ret;
994 }
995
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)996 static int execute_test_large_message(const SSL_METHOD *smeth,
997 const SSL_METHOD *cmeth,
998 int min_version, int max_version,
999 int read_ahead)
1000 {
1001 SSL_CTX *cctx = NULL, *sctx = NULL;
1002 SSL *clientssl = NULL, *serverssl = NULL;
1003 int testresult = 0;
1004
1005 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1006 max_version, &sctx, &cctx, cert,
1007 privkey)))
1008 goto end;
1009
1010 #ifdef OPENSSL_NO_DTLS1_2
1011 if (smeth == DTLS_server_method()) {
1012 /*
1013 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1014 * level 0
1015 */
1016 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1017 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1018 "DEFAULT:@SECLEVEL=0")))
1019 goto end;
1020 }
1021 #endif
1022
1023 if (read_ahead) {
1024 /*
1025 * Test that read_ahead works correctly when dealing with large
1026 * records
1027 */
1028 SSL_CTX_set_read_ahead(cctx, 1);
1029 }
1030
1031 if (!add_large_cert_chain(sctx))
1032 goto end;
1033
1034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1035 NULL, NULL))
1036 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1037 SSL_ERROR_NONE)))
1038 goto end;
1039
1040 /*
1041 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1042 * doesn't leak.
1043 */
1044 if (!TEST_true(SSL_clear(serverssl)))
1045 goto end;
1046
1047 testresult = 1;
1048 end:
1049 SSL_free(serverssl);
1050 SSL_free(clientssl);
1051 SSL_CTX_free(sctx);
1052 SSL_CTX_free(cctx);
1053
1054 return testresult;
1055 }
1056
1057 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1058 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1059 /* sock must be connected */
ktls_chk_platform(int sock)1060 static int ktls_chk_platform(int sock)
1061 {
1062 if (!ktls_enable(sock))
1063 return 0;
1064 return 1;
1065 }
1066
ping_pong_query(SSL * clientssl,SSL * serverssl)1067 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1068 {
1069 static char count = 1;
1070 unsigned char cbuf[16000] = {0};
1071 unsigned char sbuf[16000];
1072 size_t err = 0;
1073 char crec_wseq_before[SEQ_NUM_SIZE];
1074 char crec_wseq_after[SEQ_NUM_SIZE];
1075 char crec_rseq_before[SEQ_NUM_SIZE];
1076 char crec_rseq_after[SEQ_NUM_SIZE];
1077 char srec_wseq_before[SEQ_NUM_SIZE];
1078 char srec_wseq_after[SEQ_NUM_SIZE];
1079 char srec_rseq_before[SEQ_NUM_SIZE];
1080 char srec_rseq_after[SEQ_NUM_SIZE];
1081
1082 cbuf[0] = count++;
1083 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1084 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087
1088 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1089 goto end;
1090
1091 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1092 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1093 goto end;
1094 }
1095 }
1096
1097 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1098 goto end;
1099
1100 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1101 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1102 goto end;
1103 }
1104 }
1105
1106 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1107 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1110
1111 /* verify the payload */
1112 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1113 goto end;
1114
1115 /*
1116 * If ktls is used then kernel sequences are used instead of
1117 * OpenSSL sequences
1118 */
1119 if (!BIO_get_ktls_send(clientssl->wbio)) {
1120 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1121 crec_wseq_after, SEQ_NUM_SIZE))
1122 goto end;
1123 } else {
1124 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1125 crec_wseq_after, SEQ_NUM_SIZE))
1126 goto end;
1127 }
1128
1129 if (!BIO_get_ktls_send(serverssl->wbio)) {
1130 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1131 srec_wseq_after, SEQ_NUM_SIZE))
1132 goto end;
1133 } else {
1134 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1135 srec_wseq_after, SEQ_NUM_SIZE))
1136 goto end;
1137 }
1138
1139 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1140 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1141 crec_rseq_after, SEQ_NUM_SIZE))
1142 goto end;
1143 } else {
1144 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1145 crec_rseq_after, SEQ_NUM_SIZE))
1146 goto end;
1147 }
1148
1149 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1150 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1151 srec_rseq_after, SEQ_NUM_SIZE))
1152 goto end;
1153 } else {
1154 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1155 srec_rseq_after, SEQ_NUM_SIZE))
1156 goto end;
1157 }
1158
1159 return 1;
1160 end:
1161 return 0;
1162 }
1163
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)1164 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1165 int tls_version, const char *cipher)
1166 {
1167 SSL_CTX *cctx = NULL, *sctx = NULL;
1168 SSL *clientssl = NULL, *serverssl = NULL;
1169 int ktls_used = 0, testresult = 0;
1170 int cfd = -1, sfd = -1;
1171 int rx_supported;
1172
1173 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1174 goto end;
1175
1176 /* Skip this test if the platform does not support ktls */
1177 if (!ktls_chk_platform(cfd)) {
1178 testresult = TEST_skip("Kernel does not support KTLS");
1179 goto end;
1180 }
1181
1182 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1183 testresult = TEST_skip("CHACHA is not supported in FIPS");
1184 goto end;
1185 }
1186
1187 /* Create a session based on SHA-256 */
1188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1189 TLS_client_method(),
1190 tls_version, tls_version,
1191 &sctx, &cctx, cert, privkey)))
1192 goto end;
1193
1194 if (tls_version == TLS1_3_VERSION) {
1195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1196 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1197 goto end;
1198 } else {
1199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1200 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1201 goto end;
1202 }
1203
1204 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1205 &clientssl, sfd, cfd)))
1206 goto end;
1207
1208 if (cis_ktls) {
1209 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1210 goto end;
1211 }
1212
1213 if (sis_ktls) {
1214 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1215 goto end;
1216 }
1217
1218 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1219 goto end;
1220
1221 /*
1222 * The running kernel may not support a given cipher suite
1223 * or direction, so just check that KTLS isn't used when it
1224 * isn't enabled.
1225 */
1226 if (!cis_ktls) {
1227 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1228 goto end;
1229 } else {
1230 if (BIO_get_ktls_send(clientssl->wbio))
1231 ktls_used = 1;
1232 }
1233
1234 if (!sis_ktls) {
1235 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1236 goto end;
1237 } else {
1238 if (BIO_get_ktls_send(serverssl->wbio))
1239 ktls_used = 1;
1240 }
1241
1242 #if defined(OPENSSL_NO_KTLS_RX)
1243 rx_supported = 0;
1244 #else
1245 rx_supported = (tls_version != TLS1_3_VERSION);
1246 #endif
1247 if (!cis_ktls || !rx_supported) {
1248 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1249 goto end;
1250 } else {
1251 if (BIO_get_ktls_send(clientssl->rbio))
1252 ktls_used = 1;
1253 }
1254
1255 if (!sis_ktls || !rx_supported) {
1256 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1257 goto end;
1258 } else {
1259 if (BIO_get_ktls_send(serverssl->rbio))
1260 ktls_used = 1;
1261 }
1262
1263 if ((cis_ktls || sis_ktls) && !ktls_used) {
1264 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1265 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1266 "TLS 1.2", cipher);
1267 goto end;
1268 }
1269
1270 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1271 goto end;
1272
1273 testresult = 1;
1274 end:
1275 if (clientssl) {
1276 SSL_shutdown(clientssl);
1277 SSL_free(clientssl);
1278 }
1279 if (serverssl) {
1280 SSL_shutdown(serverssl);
1281 SSL_free(serverssl);
1282 }
1283 SSL_CTX_free(sctx);
1284 SSL_CTX_free(cctx);
1285 serverssl = clientssl = NULL;
1286 if (cfd != -1)
1287 close(cfd);
1288 if (sfd != -1)
1289 close(sfd);
1290 return testresult;
1291 }
1292
1293 #define SENDFILE_SZ (16 * 4096)
1294 #define SENDFILE_CHUNK (4 * 4096)
1295 #define min(a,b) ((a) > (b) ? (b) : (a))
1296
execute_test_ktls_sendfile(int tls_version,const char * cipher)1297 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1298 {
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308
1309 buf = OPENSSL_zalloc(SENDFILE_SZ);
1310 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1311 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1312 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1313 goto end;
1314
1315 /* Skip this test if the platform does not support ktls */
1316 if (!ktls_chk_platform(sfd)) {
1317 testresult = TEST_skip("Kernel does not support KTLS");
1318 goto end;
1319 }
1320
1321 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1322 testresult = TEST_skip("CHACHA is not supported in FIPS");
1323 goto end;
1324 }
1325
1326 /* Create a session based on SHA-256 */
1327 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1328 TLS_client_method(),
1329 tls_version, tls_version,
1330 &sctx, &cctx, cert, privkey)))
1331 goto end;
1332
1333 if (tls_version == TLS1_3_VERSION) {
1334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1335 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1336 goto end;
1337 } else {
1338 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1339 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1340 goto end;
1341 }
1342
1343 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1344 &clientssl, sfd, cfd)))
1345 goto end;
1346
1347 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1348 goto end;
1349
1350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1351 SSL_ERROR_NONE)))
1352 goto end;
1353
1354 if (!BIO_get_ktls_send(serverssl->wbio)) {
1355 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1356 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1357 "TLS 1.2", cipher);
1358 goto end;
1359 }
1360
1361 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1362 goto end;
1363
1364 out = BIO_new_file(tmpfilename, "wb");
1365 if (!TEST_ptr(out))
1366 goto end;
1367
1368 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1369 goto end;
1370
1371 BIO_free(out);
1372 out = NULL;
1373 in = BIO_new_file(tmpfilename, "rb");
1374 BIO_get_fp(in, &ffdp);
1375 ffd = fileno(ffdp);
1376
1377 while (chunk_off < SENDFILE_SZ) {
1378 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1379 while ((err = SSL_sendfile(serverssl,
1380 ffd,
1381 chunk_off,
1382 chunk_size,
1383 0)) != chunk_size) {
1384 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1385 goto end;
1386 }
1387 while ((err = SSL_read(clientssl,
1388 buf_dst + chunk_off,
1389 chunk_size)) != chunk_size) {
1390 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1391 goto end;
1392 }
1393
1394 /* verify the payload */
1395 if (!TEST_mem_eq(buf_dst + chunk_off,
1396 chunk_size,
1397 buf + chunk_off,
1398 chunk_size))
1399 goto end;
1400
1401 chunk_off += chunk_size;
1402 }
1403
1404 testresult = 1;
1405 end:
1406 if (clientssl) {
1407 SSL_shutdown(clientssl);
1408 SSL_free(clientssl);
1409 }
1410 if (serverssl) {
1411 SSL_shutdown(serverssl);
1412 SSL_free(serverssl);
1413 }
1414 SSL_CTX_free(sctx);
1415 SSL_CTX_free(cctx);
1416 serverssl = clientssl = NULL;
1417 BIO_free(out);
1418 BIO_free(in);
1419 if (cfd != -1)
1420 close(cfd);
1421 if (sfd != -1)
1422 close(sfd);
1423 OPENSSL_free(buf);
1424 OPENSSL_free(buf_dst);
1425 return testresult;
1426 }
1427
1428 static struct ktls_test_cipher {
1429 int tls_version;
1430 const char *cipher;
1431 } ktls_test_ciphers[] = {
1432 # if !defined(OPENSSL_NO_TLS1_2)
1433 # ifdef OPENSSL_KTLS_AES_GCM_128
1434 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1435 # endif
1436 # ifdef OPENSSL_KTLS_AES_CCM_128
1437 { TLS1_2_VERSION, "AES128-CCM"},
1438 # endif
1439 # ifdef OPENSSL_KTLS_AES_GCM_256
1440 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1441 # endif
1442 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1443 # ifndef OPENSSL_NO_EC
1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1445 # endif
1446 # endif
1447 # endif
1448 # if !defined(OSSL_NO_USABLE_TLS1_3)
1449 # ifdef OPENSSL_KTLS_AES_GCM_128
1450 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451 # endif
1452 # ifdef OPENSSL_KTLS_AES_CCM_128
1453 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454 # endif
1455 # ifdef OPENSSL_KTLS_AES_GCM_256
1456 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457 # endif
1458 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1459 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1460 # endif
1461 # endif
1462 };
1463
1464 #define NUM_KTLS_TEST_CIPHERS \
1465 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466
test_ktls(int test)1467 static int test_ktls(int test)
1468 {
1469 struct ktls_test_cipher *cipher;
1470 int cis_ktls, sis_ktls;
1471
1472 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1473 cipher = &ktls_test_ciphers[test / 4];
1474
1475 cis_ktls = (test & 1) != 0;
1476 sis_ktls = (test & 2) != 0;
1477
1478 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1479 cipher->cipher);
1480 }
1481
test_ktls_sendfile(int tst)1482 static int test_ktls_sendfile(int tst)
1483 {
1484 struct ktls_test_cipher *cipher;
1485
1486 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1487 cipher = &ktls_test_ciphers[tst];
1488
1489 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1490 }
1491 #endif
1492
test_large_message_tls(void)1493 static int test_large_message_tls(void)
1494 {
1495 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1496 TLS1_VERSION, 0, 0);
1497 }
1498
test_large_message_tls_read_ahead(void)1499 static int test_large_message_tls_read_ahead(void)
1500 {
1501 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1502 TLS1_VERSION, 0, 1);
1503 }
1504
1505 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1506 static int test_large_message_dtls(void)
1507 {
1508 # ifdef OPENSSL_NO_DTLS1_2
1509 /* Not supported in the FIPS provider */
1510 if (is_fips)
1511 return 1;
1512 # endif
1513 /*
1514 * read_ahead is not relevant to DTLS because DTLS always acts as if
1515 * read_ahead is set.
1516 */
1517 return execute_test_large_message(DTLS_server_method(),
1518 DTLS_client_method(),
1519 DTLS1_VERSION, 0, 0);
1520 }
1521 #endif
1522
1523 /*
1524 * Test we can successfully send the maximum amount of application data. We
1525 * test each protocol version individually, each with and without EtM enabled.
1526 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1527 * simpler this way. We also test all combinations with and without the
1528 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1529 * underlying buffer.
1530 */
test_large_app_data(int tst)1531 static int test_large_app_data(int tst)
1532 {
1533 SSL_CTX *cctx = NULL, *sctx = NULL;
1534 SSL *clientssl = NULL, *serverssl = NULL;
1535 int testresult = 0, prot;
1536 unsigned char *msg, *buf = NULL;
1537 size_t written, readbytes;
1538 const SSL_METHOD *smeth = TLS_server_method();
1539 const SSL_METHOD *cmeth = TLS_client_method();
1540
1541 switch (tst >> 2) {
1542 case 0:
1543 #ifndef OSSL_NO_USABLE_TLS1_3
1544 prot = TLS1_3_VERSION;
1545 break;
1546 #else
1547 return 1;
1548 #endif
1549
1550 case 1:
1551 #ifndef OPENSSL_NO_TLS1_2
1552 prot = TLS1_2_VERSION;
1553 break;
1554 #else
1555 return 1;
1556 #endif
1557
1558 case 2:
1559 #ifndef OPENSSL_NO_TLS1_1
1560 prot = TLS1_1_VERSION;
1561 break;
1562 #else
1563 return 1;
1564 #endif
1565
1566 case 3:
1567 #ifndef OPENSSL_NO_TLS1
1568 prot = TLS1_VERSION;
1569 break;
1570 #else
1571 return 1;
1572 #endif
1573
1574 case 4:
1575 #ifndef OPENSSL_NO_SSL3
1576 prot = SSL3_VERSION;
1577 break;
1578 #else
1579 return 1;
1580 #endif
1581
1582 case 5:
1583 #ifndef OPENSSL_NO_DTLS1_2
1584 prot = DTLS1_2_VERSION;
1585 smeth = DTLS_server_method();
1586 cmeth = DTLS_client_method();
1587 break;
1588 #else
1589 return 1;
1590 #endif
1591
1592 case 6:
1593 #ifndef OPENSSL_NO_DTLS1
1594 prot = DTLS1_VERSION;
1595 smeth = DTLS_server_method();
1596 cmeth = DTLS_client_method();
1597 break;
1598 #else
1599 return 1;
1600 #endif
1601
1602 default:
1603 /* Shouldn't happen */
1604 return 0;
1605 }
1606
1607 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1608 return 1;
1609
1610 /* Maximal sized message of zeros */
1611 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1612 if (!TEST_ptr(msg))
1613 goto end;
1614
1615 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1616 if (!TEST_ptr(buf))
1617 goto end;
1618 /* Set whole buffer to all bits set */
1619 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1620
1621 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1622 &sctx, &cctx, cert, privkey)))
1623 goto end;
1624
1625 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1626 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1627 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1628 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1629 "DEFAULT:@SECLEVEL=0")))
1630 goto end;
1631 }
1632
1633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1634 &clientssl, NULL, NULL)))
1635 goto end;
1636
1637 if ((tst & 1) != 0) {
1638 /* Setting this option gives us a minimally sized underlying buffer */
1639 if (!TEST_true(SSL_set_options(serverssl,
1640 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1641 || !TEST_true(SSL_set_options(clientssl,
1642 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1643 goto end;
1644 }
1645
1646 if ((tst & 2) != 0) {
1647 /*
1648 * Setting this option means the MAC is added before encryption
1649 * giving us a larger record for the encryption process
1650 */
1651 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1652 || !TEST_true(SSL_set_options(clientssl,
1653 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1654 goto end;
1655 }
1656
1657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1658 goto end;
1659
1660 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1661 &written))
1662 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1663 goto end;
1664
1665 /* We provide a buffer slightly larger than what we are actually expecting */
1666 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1667 &readbytes)))
1668 goto end;
1669
1670 if (!TEST_mem_eq(msg, written, buf, readbytes))
1671 goto end;
1672
1673 testresult = 1;
1674 end:
1675 OPENSSL_free(msg);
1676 OPENSSL_free(buf);
1677 SSL_free(serverssl);
1678 SSL_free(clientssl);
1679 SSL_CTX_free(sctx);
1680 SSL_CTX_free(cctx);
1681 return testresult;
1682 }
1683
1684 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1685 || !defined(OPENSSL_NO_DTLS)
execute_cleanse_plaintext(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version)1686 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1687 const SSL_METHOD *cmeth,
1688 int min_version, int max_version)
1689 {
1690 size_t i;
1691 SSL_CTX *cctx = NULL, *sctx = NULL;
1692 SSL *clientssl = NULL, *serverssl = NULL;
1693 int testresult = 0;
1694 SSL3_RECORD *rr;
1695 void *zbuf;
1696
1697 static unsigned char cbuf[16000];
1698 static unsigned char sbuf[16000];
1699
1700 if (!TEST_true(create_ssl_ctx_pair(libctx,
1701 smeth, cmeth,
1702 min_version, max_version,
1703 &sctx, &cctx, cert,
1704 privkey)))
1705 goto end;
1706
1707 # ifdef OPENSSL_NO_DTLS1_2
1708 if (smeth == DTLS_server_method()) {
1709 /* Not supported in the FIPS provider */
1710 if (is_fips) {
1711 testresult = 1;
1712 goto end;
1713 };
1714 /*
1715 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1716 * level 0
1717 */
1718 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1719 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1720 "DEFAULT:@SECLEVEL=0")))
1721 goto end;
1722 }
1723 # endif
1724
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1726 NULL, NULL)))
1727 goto end;
1728
1729 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1730 goto end;
1731
1732 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1733 SSL_ERROR_NONE)))
1734 goto end;
1735
1736 for (i = 0; i < sizeof(cbuf); i++) {
1737 cbuf[i] = i & 0xff;
1738 }
1739
1740 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1741 goto end;
1742
1743 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1744 goto end;
1745
1746 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1747 goto end;
1748
1749 /*
1750 * Since we called SSL_peek(), we know the data in the record
1751 * layer is a plaintext record. We can gather the pointer to check
1752 * for zeroization after SSL_read().
1753 */
1754 rr = serverssl->rlayer.rrec;
1755 zbuf = &rr->data[rr->off];
1756 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1757 goto end;
1758
1759 /*
1760 * After SSL_peek() the plaintext must still be stored in the
1761 * record.
1762 */
1763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1764 goto end;
1765
1766 memset(sbuf, 0, sizeof(sbuf));
1767 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1768 goto end;
1769
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1771 goto end;
1772
1773 /* Check if rbuf is cleansed */
1774 memset(cbuf, 0, sizeof(cbuf));
1775 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1776 goto end;
1777
1778 testresult = 1;
1779 end:
1780 SSL_free(serverssl);
1781 SSL_free(clientssl);
1782 SSL_CTX_free(sctx);
1783 SSL_CTX_free(cctx);
1784
1785 return testresult;
1786 }
1787 #endif /*
1788 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1789 * || !defined(OPENSSL_NO_DTLS)
1790 */
1791
test_cleanse_plaintext(void)1792 static int test_cleanse_plaintext(void)
1793 {
1794 #if !defined(OPENSSL_NO_TLS1_2)
1795 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1796 TLS_client_method(),
1797 TLS1_2_VERSION,
1798 TLS1_2_VERSION)))
1799 return 0;
1800
1801 #endif
1802
1803 #if !defined(OSSL_NO_USABLE_TLS1_3)
1804 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1805 TLS_client_method(),
1806 TLS1_3_VERSION,
1807 TLS1_3_VERSION)))
1808 return 0;
1809 #endif
1810
1811 #if !defined(OPENSSL_NO_DTLS)
1812
1813 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1814 DTLS_client_method(),
1815 DTLS1_VERSION,
1816 0)))
1817 return 0;
1818 #endif
1819 return 1;
1820 }
1821
1822 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1823 static int ocsp_server_cb(SSL *s, void *arg)
1824 {
1825 int *argi = (int *)arg;
1826 unsigned char *copy = NULL;
1827 STACK_OF(OCSP_RESPID) *ids = NULL;
1828 OCSP_RESPID *id = NULL;
1829
1830 if (*argi == 2) {
1831 /* In this test we are expecting exactly 1 OCSP_RESPID */
1832 SSL_get_tlsext_status_ids(s, &ids);
1833 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1834 return SSL_TLSEXT_ERR_ALERT_FATAL;
1835
1836 id = sk_OCSP_RESPID_value(ids, 0);
1837 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1838 return SSL_TLSEXT_ERR_ALERT_FATAL;
1839 } else if (*argi != 1) {
1840 return SSL_TLSEXT_ERR_ALERT_FATAL;
1841 }
1842
1843 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1844 return SSL_TLSEXT_ERR_ALERT_FATAL;
1845
1846 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1847 sizeof(orespder)))) {
1848 OPENSSL_free(copy);
1849 return SSL_TLSEXT_ERR_ALERT_FATAL;
1850 }
1851 ocsp_server_called = 1;
1852 return SSL_TLSEXT_ERR_OK;
1853 }
1854
ocsp_client_cb(SSL * s,void * arg)1855 static int ocsp_client_cb(SSL *s, void *arg)
1856 {
1857 int *argi = (int *)arg;
1858 const unsigned char *respderin;
1859 size_t len;
1860
1861 if (*argi != 1 && *argi != 2)
1862 return 0;
1863
1864 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1865 if (!TEST_mem_eq(orespder, len, respderin, len))
1866 return 0;
1867
1868 ocsp_client_called = 1;
1869 return 1;
1870 }
1871
test_tlsext_status_type(void)1872 static int test_tlsext_status_type(void)
1873 {
1874 SSL_CTX *cctx = NULL, *sctx = NULL;
1875 SSL *clientssl = NULL, *serverssl = NULL;
1876 int testresult = 0;
1877 STACK_OF(OCSP_RESPID) *ids = NULL;
1878 OCSP_RESPID *id = NULL;
1879 BIO *certbio = NULL;
1880
1881 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1882 TLS1_VERSION, 0,
1883 &sctx, &cctx, cert, privkey))
1884 return 0;
1885
1886 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1887 goto end;
1888
1889 /* First just do various checks getting and setting tlsext_status_type */
1890
1891 clientssl = SSL_new(cctx);
1892 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1893 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1894 TLSEXT_STATUSTYPE_ocsp))
1895 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1896 TLSEXT_STATUSTYPE_ocsp))
1897 goto end;
1898
1899 SSL_free(clientssl);
1900 clientssl = NULL;
1901
1902 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1903 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1904 goto end;
1905
1906 clientssl = SSL_new(cctx);
1907 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1908 goto end;
1909 SSL_free(clientssl);
1910 clientssl = NULL;
1911
1912 /*
1913 * Now actually do a handshake and check OCSP information is exchanged and
1914 * the callbacks get called
1915 */
1916 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1917 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1918 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1919 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1921 &clientssl, NULL, NULL))
1922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1923 SSL_ERROR_NONE))
1924 || !TEST_true(ocsp_client_called)
1925 || !TEST_true(ocsp_server_called))
1926 goto end;
1927 SSL_free(serverssl);
1928 SSL_free(clientssl);
1929 serverssl = NULL;
1930 clientssl = NULL;
1931
1932 /* Try again but this time force the server side callback to fail */
1933 ocsp_client_called = 0;
1934 ocsp_server_called = 0;
1935 cdummyarg = 0;
1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1937 &clientssl, NULL, NULL))
1938 /* This should fail because the callback will fail */
1939 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1940 SSL_ERROR_NONE))
1941 || !TEST_false(ocsp_client_called)
1942 || !TEST_false(ocsp_server_called))
1943 goto end;
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1946 serverssl = NULL;
1947 clientssl = NULL;
1948
1949 /*
1950 * This time we'll get the client to send an OCSP_RESPID that it will
1951 * accept.
1952 */
1953 ocsp_client_called = 0;
1954 ocsp_server_called = 0;
1955 cdummyarg = 2;
1956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1957 &clientssl, NULL, NULL)))
1958 goto end;
1959
1960 /*
1961 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1962 * specific one. We'll use the server cert.
1963 */
1964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1965 || !TEST_ptr(id = OCSP_RESPID_new())
1966 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1967 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1968 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1969 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1970 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1971 goto end;
1972 id = NULL;
1973 SSL_set_tlsext_status_ids(clientssl, ids);
1974 /* Control has been transferred */
1975 ids = NULL;
1976
1977 BIO_free(certbio);
1978 certbio = NULL;
1979
1980 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1981 SSL_ERROR_NONE))
1982 || !TEST_true(ocsp_client_called)
1983 || !TEST_true(ocsp_server_called))
1984 goto end;
1985
1986 testresult = 1;
1987
1988 end:
1989 SSL_free(serverssl);
1990 SSL_free(clientssl);
1991 SSL_CTX_free(sctx);
1992 SSL_CTX_free(cctx);
1993 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1994 OCSP_RESPID_free(id);
1995 BIO_free(certbio);
1996 X509_free(ocspcert);
1997 ocspcert = NULL;
1998
1999 return testresult;
2000 }
2001 #endif
2002
2003 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2004 static int new_called, remove_called, get_called;
2005
new_session_cb(SSL * ssl,SSL_SESSION * sess)2006 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2007 {
2008 new_called++;
2009 /*
2010 * sess has been up-refed for us, but we don't actually need it so free it
2011 * immediately.
2012 */
2013 SSL_SESSION_free(sess);
2014 return 1;
2015 }
2016
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)2017 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2018 {
2019 remove_called++;
2020 }
2021
2022 static SSL_SESSION *get_sess_val = NULL;
2023
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)2024 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2025 int *copy)
2026 {
2027 get_called++;
2028 *copy = 1;
2029 return get_sess_val;
2030 }
2031
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache,long s_options)2032 static int execute_test_session(int maxprot, int use_int_cache,
2033 int use_ext_cache, long s_options)
2034 {
2035 SSL_CTX *sctx = NULL, *cctx = NULL;
2036 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2037 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2038 # ifndef OPENSSL_NO_TLS1_1
2039 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2040 # endif
2041 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2042 int testresult = 0, numnewsesstick = 1;
2043
2044 new_called = remove_called = 0;
2045
2046 /* TLSv1.3 sends 2 NewSessionTickets */
2047 if (maxprot == TLS1_3_VERSION)
2048 numnewsesstick = 2;
2049
2050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2051 TLS_client_method(), TLS1_VERSION, 0,
2052 &sctx, &cctx, cert, privkey)))
2053 return 0;
2054
2055 /*
2056 * Only allow the max protocol version so we can force a connection failure
2057 * later
2058 */
2059 SSL_CTX_set_min_proto_version(cctx, maxprot);
2060 SSL_CTX_set_max_proto_version(cctx, maxprot);
2061
2062 /* Set up session cache */
2063 if (use_ext_cache) {
2064 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2065 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2066 }
2067 if (use_int_cache) {
2068 /* Also covers instance where both are set */
2069 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2070 } else {
2071 SSL_CTX_set_session_cache_mode(cctx,
2072 SSL_SESS_CACHE_CLIENT
2073 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2074 }
2075
2076 if (s_options) {
2077 SSL_CTX_set_options(sctx, s_options);
2078 }
2079
2080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2081 NULL, NULL))
2082 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2083 SSL_ERROR_NONE))
2084 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2085 goto end;
2086
2087 /* Should fail because it should already be in the cache */
2088 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2089 goto end;
2090 if (use_ext_cache
2091 && (!TEST_int_eq(new_called, numnewsesstick)
2092
2093 || !TEST_int_eq(remove_called, 0)))
2094 goto end;
2095
2096 new_called = remove_called = 0;
2097 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2098 &clientssl2, NULL, NULL))
2099 || !TEST_true(SSL_set_session(clientssl2, sess1))
2100 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2101 SSL_ERROR_NONE))
2102 || !TEST_true(SSL_session_reused(clientssl2)))
2103 goto end;
2104
2105 if (maxprot == TLS1_3_VERSION) {
2106 /*
2107 * In TLSv1.3 we should have created a new session even though we have
2108 * resumed. Since we attempted a resume we should also have removed the
2109 * old ticket from the cache so that we try to only use tickets once.
2110 */
2111 if (use_ext_cache
2112 && (!TEST_int_eq(new_called, 1)
2113 || !TEST_int_eq(remove_called, 1)))
2114 goto end;
2115 } else {
2116 /*
2117 * In TLSv1.2 we expect to have resumed so no sessions added or
2118 * removed.
2119 */
2120 if (use_ext_cache
2121 && (!TEST_int_eq(new_called, 0)
2122 || !TEST_int_eq(remove_called, 0)))
2123 goto end;
2124 }
2125
2126 SSL_SESSION_free(sess1);
2127 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2128 goto end;
2129 shutdown_ssl_connection(serverssl2, clientssl2);
2130 serverssl2 = clientssl2 = NULL;
2131
2132 new_called = remove_called = 0;
2133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2134 &clientssl2, NULL, NULL))
2135 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2136 SSL_ERROR_NONE)))
2137 goto end;
2138
2139 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2140 goto end;
2141
2142 if (use_ext_cache
2143 && (!TEST_int_eq(new_called, numnewsesstick)
2144 || !TEST_int_eq(remove_called, 0)))
2145 goto end;
2146
2147 new_called = remove_called = 0;
2148 /*
2149 * This should clear sess2 from the cache because it is a "bad" session.
2150 * See SSL_set_session() documentation.
2151 */
2152 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2153 goto end;
2154 if (use_ext_cache
2155 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2156 goto end;
2157 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2158 goto end;
2159
2160 if (use_int_cache) {
2161 /* Should succeeded because it should not already be in the cache */
2162 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2163 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2164 goto end;
2165 }
2166
2167 new_called = remove_called = 0;
2168 /* This shouldn't be in the cache so should fail */
2169 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2170 goto end;
2171
2172 if (use_ext_cache
2173 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2174 goto end;
2175
2176 # if !defined(OPENSSL_NO_TLS1_1)
2177 new_called = remove_called = 0;
2178 /* Force a connection failure */
2179 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2181 &clientssl3, NULL, NULL))
2182 || !TEST_true(SSL_set_session(clientssl3, sess1))
2183 /* This should fail because of the mismatched protocol versions */
2184 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2185 SSL_ERROR_NONE)))
2186 goto end;
2187
2188 /* We should have automatically removed the session from the cache */
2189 if (use_ext_cache
2190 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2191 goto end;
2192
2193 /* Should succeed because it should not already be in the cache */
2194 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2195 goto end;
2196 # endif
2197
2198 /* Now do some tests for server side caching */
2199 if (use_ext_cache) {
2200 SSL_CTX_sess_set_new_cb(cctx, NULL);
2201 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2202 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2203 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2204 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2205 get_sess_val = NULL;
2206 }
2207
2208 SSL_CTX_set_session_cache_mode(cctx, 0);
2209 /* Internal caching is the default on the server side */
2210 if (!use_int_cache)
2211 SSL_CTX_set_session_cache_mode(sctx,
2212 SSL_SESS_CACHE_SERVER
2213 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2214
2215 SSL_free(serverssl1);
2216 SSL_free(clientssl1);
2217 serverssl1 = clientssl1 = NULL;
2218 SSL_free(serverssl2);
2219 SSL_free(clientssl2);
2220 serverssl2 = clientssl2 = NULL;
2221 SSL_SESSION_free(sess1);
2222 sess1 = NULL;
2223 SSL_SESSION_free(sess2);
2224 sess2 = NULL;
2225
2226 SSL_CTX_set_max_proto_version(sctx, maxprot);
2227 if (maxprot == TLS1_2_VERSION)
2228 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2229 new_called = remove_called = get_called = 0;
2230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2231 NULL, NULL))
2232 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2233 SSL_ERROR_NONE))
2234 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2235 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2236 goto end;
2237
2238 if (use_int_cache) {
2239 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2240 /*
2241 * In TLSv1.3 it should not have been added to the internal cache,
2242 * except in the case where we also have an external cache (in that
2243 * case it gets added to the cache in order to generate remove
2244 * events after timeout).
2245 */
2246 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2247 goto end;
2248 } else {
2249 /* Should fail because it should already be in the cache */
2250 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2251 goto end;
2252 }
2253 }
2254
2255 if (use_ext_cache) {
2256 SSL_SESSION *tmp = sess2;
2257
2258 if (!TEST_int_eq(new_called, numnewsesstick)
2259 || !TEST_int_eq(remove_called, 0)
2260 || !TEST_int_eq(get_called, 0))
2261 goto end;
2262 /*
2263 * Delete the session from the internal cache to force a lookup from
2264 * the external cache. We take a copy first because
2265 * SSL_CTX_remove_session() also marks the session as non-resumable.
2266 */
2267 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2268 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2269 || !TEST_true(sess2->owner != NULL)
2270 || !TEST_true(tmp->owner == NULL)
2271 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2272 goto end;
2273 SSL_SESSION_free(sess2);
2274 }
2275 sess2 = tmp;
2276 }
2277
2278 new_called = remove_called = get_called = 0;
2279 get_sess_val = sess2;
2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2281 &clientssl2, NULL, NULL))
2282 || !TEST_true(SSL_set_session(clientssl2, sess1))
2283 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2284 SSL_ERROR_NONE))
2285 || !TEST_true(SSL_session_reused(clientssl2)))
2286 goto end;
2287
2288 if (use_ext_cache) {
2289 if (!TEST_int_eq(remove_called, 0))
2290 goto end;
2291
2292 if (maxprot == TLS1_3_VERSION) {
2293 if (!TEST_int_eq(new_called, 1)
2294 || !TEST_int_eq(get_called, 0))
2295 goto end;
2296 } else {
2297 if (!TEST_int_eq(new_called, 0)
2298 || !TEST_int_eq(get_called, 1))
2299 goto end;
2300 }
2301 }
2302 /*
2303 * Make a small cache, force out all other sessions but
2304 * sess2, try to add sess1, which should succeed. Then
2305 * make sure it's there by checking the owners. Despite
2306 * the timeouts, sess1 should have kicked out sess2
2307 */
2308
2309 /* Make sess1 expire before sess2 */
2310 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2311 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2312 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2313 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2314 goto end;
2315
2316 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2317 goto end;
2318
2319 /* Don't care about results - cache should only be sess2 at end */
2320 SSL_CTX_add_session(sctx, sess1);
2321 SSL_CTX_add_session(sctx, sess2);
2322
2323 /* Now add sess1, and make sure it remains, despite timeout */
2324 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2325 || !TEST_ptr(sess1->owner)
2326 || !TEST_ptr_null(sess2->owner))
2327 goto end;
2328
2329 testresult = 1;
2330
2331 end:
2332 SSL_free(serverssl1);
2333 SSL_free(clientssl1);
2334 SSL_free(serverssl2);
2335 SSL_free(clientssl2);
2336 # ifndef OPENSSL_NO_TLS1_1
2337 SSL_free(serverssl3);
2338 SSL_free(clientssl3);
2339 # endif
2340 SSL_SESSION_free(sess1);
2341 SSL_SESSION_free(sess2);
2342 SSL_CTX_free(sctx);
2343 SSL_CTX_free(cctx);
2344
2345 return testresult;
2346 }
2347 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2348
test_session_with_only_int_cache(void)2349 static int test_session_with_only_int_cache(void)
2350 {
2351 #ifndef OSSL_NO_USABLE_TLS1_3
2352 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2353 return 0;
2354 #endif
2355
2356 #ifndef OPENSSL_NO_TLS1_2
2357 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2358 #else
2359 return 1;
2360 #endif
2361 }
2362
test_session_with_only_ext_cache(void)2363 static int test_session_with_only_ext_cache(void)
2364 {
2365 #ifndef OSSL_NO_USABLE_TLS1_3
2366 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2367 return 0;
2368 #endif
2369
2370 #ifndef OPENSSL_NO_TLS1_2
2371 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2372 #else
2373 return 1;
2374 #endif
2375 }
2376
test_session_with_both_cache(void)2377 static int test_session_with_both_cache(void)
2378 {
2379 #ifndef OSSL_NO_USABLE_TLS1_3
2380 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2381 return 0;
2382 #endif
2383
2384 #ifndef OPENSSL_NO_TLS1_2
2385 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2386 #else
2387 return 1;
2388 #endif
2389 }
2390
test_session_wo_ca_names(void)2391 static int test_session_wo_ca_names(void)
2392 {
2393 #ifndef OSSL_NO_USABLE_TLS1_3
2394 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2395 return 0;
2396 #endif
2397
2398 #ifndef OPENSSL_NO_TLS1_2
2399 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2400 #else
2401 return 1;
2402 #endif
2403 }
2404
2405
2406 #ifndef OSSL_NO_USABLE_TLS1_3
2407 static SSL_SESSION *sesscache[6];
2408 static int do_cache;
2409
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)2410 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2411 {
2412 if (do_cache) {
2413 sesscache[new_called] = sess;
2414 } else {
2415 /* We don't need the reference to the session, so free it */
2416 SSL_SESSION_free(sess);
2417 }
2418 new_called++;
2419
2420 return 1;
2421 }
2422
post_handshake_verify(SSL * sssl,SSL * cssl)2423 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2424 {
2425 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2426 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2427 return 0;
2428
2429 /* Start handshake on the server and client */
2430 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2431 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2432 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2433 || !TEST_true(create_ssl_connection(sssl, cssl,
2434 SSL_ERROR_NONE)))
2435 return 0;
2436
2437 return 1;
2438 }
2439
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)2440 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2441 SSL_CTX **cctx)
2442 {
2443 int sess_id_ctx = 1;
2444
2445 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2446 TLS_client_method(), TLS1_VERSION, 0,
2447 sctx, cctx, cert, privkey))
2448 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2449 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2450 (void *)&sess_id_ctx,
2451 sizeof(sess_id_ctx))))
2452 return 0;
2453
2454 if (stateful)
2455 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2456
2457 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2458 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2459 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2460
2461 return 1;
2462 }
2463
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)2464 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2465 {
2466 SSL *serverssl = NULL, *clientssl = NULL;
2467 int i;
2468
2469 /* Test that we can resume with all the tickets we got given */
2470 for (i = 0; i < idx * 2; i++) {
2471 new_called = 0;
2472 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2473 &clientssl, NULL, NULL))
2474 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2475 goto end;
2476
2477 SSL_set_post_handshake_auth(clientssl, 1);
2478
2479 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2480 SSL_ERROR_NONE)))
2481 goto end;
2482
2483 /*
2484 * Following a successful resumption we only get 1 ticket. After a
2485 * failed one we should get idx tickets.
2486 */
2487 if (succ) {
2488 if (!TEST_true(SSL_session_reused(clientssl))
2489 || !TEST_int_eq(new_called, 1))
2490 goto end;
2491 } else {
2492 if (!TEST_false(SSL_session_reused(clientssl))
2493 || !TEST_int_eq(new_called, idx))
2494 goto end;
2495 }
2496
2497 new_called = 0;
2498 /* After a post-handshake authentication we should get 1 new ticket */
2499 if (succ
2500 && (!post_handshake_verify(serverssl, clientssl)
2501 || !TEST_int_eq(new_called, 1)))
2502 goto end;
2503
2504 SSL_shutdown(clientssl);
2505 SSL_shutdown(serverssl);
2506 SSL_free(serverssl);
2507 SSL_free(clientssl);
2508 serverssl = clientssl = NULL;
2509 SSL_SESSION_free(sesscache[i]);
2510 sesscache[i] = NULL;
2511 }
2512
2513 return 1;
2514
2515 end:
2516 SSL_free(clientssl);
2517 SSL_free(serverssl);
2518 return 0;
2519 }
2520
test_tickets(int stateful,int idx)2521 static int test_tickets(int stateful, int idx)
2522 {
2523 SSL_CTX *sctx = NULL, *cctx = NULL;
2524 SSL *serverssl = NULL, *clientssl = NULL;
2525 int testresult = 0;
2526 size_t j;
2527
2528 /* idx is the test number, but also the number of tickets we want */
2529
2530 new_called = 0;
2531 do_cache = 1;
2532
2533 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2534 goto end;
2535
2536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2537 &clientssl, NULL, NULL)))
2538 goto end;
2539
2540 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2541 SSL_ERROR_NONE))
2542 /* Check we got the number of tickets we were expecting */
2543 || !TEST_int_eq(idx, new_called))
2544 goto end;
2545
2546 SSL_shutdown(clientssl);
2547 SSL_shutdown(serverssl);
2548 SSL_free(serverssl);
2549 SSL_free(clientssl);
2550 SSL_CTX_free(sctx);
2551 SSL_CTX_free(cctx);
2552 clientssl = serverssl = NULL;
2553 sctx = cctx = NULL;
2554
2555 /*
2556 * Now we try to resume with the tickets we previously created. The
2557 * resumption attempt is expected to fail (because we're now using a new
2558 * SSL_CTX). We should see idx number of tickets issued again.
2559 */
2560
2561 /* Stop caching sessions - just count them */
2562 do_cache = 0;
2563
2564 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2565 goto end;
2566
2567 if (!check_resumption(idx, sctx, cctx, 0))
2568 goto end;
2569
2570 /* Start again with caching sessions */
2571 new_called = 0;
2572 do_cache = 1;
2573 SSL_CTX_free(sctx);
2574 SSL_CTX_free(cctx);
2575 sctx = cctx = NULL;
2576
2577 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2578 goto end;
2579
2580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2581 &clientssl, NULL, NULL)))
2582 goto end;
2583
2584 SSL_set_post_handshake_auth(clientssl, 1);
2585
2586 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2587 SSL_ERROR_NONE))
2588 /* Check we got the number of tickets we were expecting */
2589 || !TEST_int_eq(idx, new_called))
2590 goto end;
2591
2592 /* After a post-handshake authentication we should get new tickets issued */
2593 if (!post_handshake_verify(serverssl, clientssl)
2594 || !TEST_int_eq(idx * 2, new_called))
2595 goto end;
2596
2597 SSL_shutdown(clientssl);
2598 SSL_shutdown(serverssl);
2599 SSL_free(serverssl);
2600 SSL_free(clientssl);
2601 serverssl = clientssl = NULL;
2602
2603 /* Stop caching sessions - just count them */
2604 do_cache = 0;
2605
2606 /*
2607 * Check we can resume with all the tickets we created. This time around the
2608 * resumptions should all be successful.
2609 */
2610 if (!check_resumption(idx, sctx, cctx, 1))
2611 goto end;
2612
2613 testresult = 1;
2614
2615 end:
2616 SSL_free(serverssl);
2617 SSL_free(clientssl);
2618 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2619 SSL_SESSION_free(sesscache[j]);
2620 sesscache[j] = NULL;
2621 }
2622 SSL_CTX_free(sctx);
2623 SSL_CTX_free(cctx);
2624
2625 return testresult;
2626 }
2627
test_stateless_tickets(int idx)2628 static int test_stateless_tickets(int idx)
2629 {
2630 return test_tickets(0, idx);
2631 }
2632
test_stateful_tickets(int idx)2633 static int test_stateful_tickets(int idx)
2634 {
2635 return test_tickets(1, idx);
2636 }
2637
test_psk_tickets(void)2638 static int test_psk_tickets(void)
2639 {
2640 SSL_CTX *sctx = NULL, *cctx = NULL;
2641 SSL *serverssl = NULL, *clientssl = NULL;
2642 int testresult = 0;
2643 int sess_id_ctx = 1;
2644
2645 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2646 TLS_client_method(), TLS1_VERSION, 0,
2647 &sctx, &cctx, NULL, NULL))
2648 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2649 (void *)&sess_id_ctx,
2650 sizeof(sess_id_ctx))))
2651 goto end;
2652
2653 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2654 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2655 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2656 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2657 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2658 use_session_cb_cnt = 0;
2659 find_session_cb_cnt = 0;
2660 srvid = pskid;
2661 new_called = 0;
2662
2663 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2664 NULL, NULL)))
2665 goto end;
2666 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2667 if (!TEST_ptr(clientpsk))
2668 goto end;
2669 SSL_SESSION_up_ref(clientpsk);
2670
2671 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2672 SSL_ERROR_NONE))
2673 || !TEST_int_eq(1, find_session_cb_cnt)
2674 || !TEST_int_eq(1, use_session_cb_cnt)
2675 /* We should always get 1 ticket when using external PSK */
2676 || !TEST_int_eq(1, new_called))
2677 goto end;
2678
2679 testresult = 1;
2680
2681 end:
2682 SSL_free(serverssl);
2683 SSL_free(clientssl);
2684 SSL_CTX_free(sctx);
2685 SSL_CTX_free(cctx);
2686 SSL_SESSION_free(clientpsk);
2687 SSL_SESSION_free(serverpsk);
2688 clientpsk = serverpsk = NULL;
2689
2690 return testresult;
2691 }
2692
test_extra_tickets(int idx)2693 static int test_extra_tickets(int idx)
2694 {
2695 SSL_CTX *sctx = NULL, *cctx = NULL;
2696 SSL *serverssl = NULL, *clientssl = NULL;
2697 BIO *bretry = BIO_new(bio_s_always_retry());
2698 BIO *tmp = NULL;
2699 int testresult = 0;
2700 int stateful = 0;
2701 size_t nbytes;
2702 unsigned char c, buf[1];
2703
2704 new_called = 0;
2705 do_cache = 1;
2706
2707 if (idx >= 3) {
2708 idx -= 3;
2709 stateful = 1;
2710 }
2711
2712 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2713 goto end;
2714 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2715 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2716 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2717
2718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2719 &clientssl, NULL, NULL)))
2720 goto end;
2721
2722 /*
2723 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2724 * incremented by both client and server.
2725 */
2726 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2727 SSL_ERROR_NONE))
2728 /* Check we got the number of tickets we were expecting */
2729 || !TEST_int_eq(idx * 2, new_called)
2730 || !TEST_true(SSL_new_session_ticket(serverssl))
2731 || !TEST_true(SSL_new_session_ticket(serverssl))
2732 || !TEST_int_eq(idx * 2, new_called))
2733 goto end;
2734
2735 /* Now try a (real) write to actually send the tickets */
2736 c = '1';
2737 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2738 || !TEST_size_t_eq(1, nbytes)
2739 || !TEST_int_eq(idx * 2 + 2, new_called)
2740 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2741 || !TEST_int_eq(idx * 2 + 4, new_called)
2742 || !TEST_int_eq(sizeof(buf), nbytes)
2743 || !TEST_int_eq(c, buf[0])
2744 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2745 goto end;
2746
2747 /* Try with only requesting one new ticket, too */
2748 c = '2';
2749 new_called = 0;
2750 if (!TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2752 || !TEST_size_t_eq(sizeof(c), nbytes)
2753 || !TEST_int_eq(1, new_called)
2754 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2755 || !TEST_int_eq(2, new_called)
2756 || !TEST_size_t_eq(sizeof(buf), nbytes)
2757 || !TEST_int_eq(c, buf[0]))
2758 goto end;
2759
2760 /* Do it again but use dummy writes to drive the ticket generation */
2761 c = '3';
2762 new_called = 0;
2763 if (!TEST_true(SSL_new_session_ticket(serverssl))
2764 || !TEST_true(SSL_new_session_ticket(serverssl))
2765 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2766 || !TEST_size_t_eq(0, nbytes)
2767 || !TEST_int_eq(2, new_called)
2768 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2769 || !TEST_int_eq(4, new_called))
2770 goto end;
2771
2772 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2773 c = '4';
2774 new_called = 0;
2775 if (!TEST_true(SSL_new_session_ticket(serverssl))
2776 || !TEST_true(SSL_new_session_ticket(serverssl))
2777 || !TEST_true(SSL_do_handshake(serverssl))
2778 || !TEST_int_eq(2, new_called)
2779 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2780 || !TEST_int_eq(4, new_called))
2781 goto end;
2782
2783 /*
2784 * Use the always-retry BIO to exercise the logic that forces ticket
2785 * generation to wait until a record boundary.
2786 */
2787 c = '5';
2788 new_called = 0;
2789 tmp = SSL_get_wbio(serverssl);
2790 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2791 tmp = NULL;
2792 goto end;
2793 }
2794 SSL_set0_wbio(serverssl, bretry);
2795 bretry = NULL;
2796 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2797 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2798 || !TEST_size_t_eq(nbytes, 0))
2799 goto end;
2800 /* Restore a BIO that will let the write succeed */
2801 SSL_set0_wbio(serverssl, tmp);
2802 tmp = NULL;
2803 /*
2804 * These calls should just queue the request and not send anything
2805 * even if we explicitly try to hit the state machine.
2806 */
2807 if (!TEST_true(SSL_new_session_ticket(serverssl))
2808 || !TEST_true(SSL_new_session_ticket(serverssl))
2809 || !TEST_int_eq(0, new_called)
2810 || !TEST_true(SSL_do_handshake(serverssl))
2811 || !TEST_int_eq(0, new_called))
2812 goto end;
2813 /* Re-do the write; still no tickets sent */
2814 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2815 || !TEST_size_t_eq(1, nbytes)
2816 || !TEST_int_eq(0, new_called)
2817 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2818 || !TEST_int_eq(0, new_called)
2819 || !TEST_int_eq(sizeof(buf), nbytes)
2820 || !TEST_int_eq(c, buf[0])
2821 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2822 goto end;
2823 /* Even trying to hit the state machine now will still not send tickets */
2824 if (!TEST_true(SSL_do_handshake(serverssl))
2825 || !TEST_int_eq(0, new_called))
2826 goto end;
2827 /* Now the *next* write should send the tickets */
2828 c = '6';
2829 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2830 || !TEST_size_t_eq(1, nbytes)
2831 || !TEST_int_eq(2, new_called)
2832 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2833 || !TEST_int_eq(4, new_called)
2834 || !TEST_int_eq(sizeof(buf), nbytes)
2835 || !TEST_int_eq(c, buf[0])
2836 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2837 goto end;
2838
2839 SSL_shutdown(clientssl);
2840 SSL_shutdown(serverssl);
2841 testresult = 1;
2842
2843 end:
2844 BIO_free(bretry);
2845 BIO_free(tmp);
2846 SSL_free(serverssl);
2847 SSL_free(clientssl);
2848 SSL_CTX_free(sctx);
2849 SSL_CTX_free(cctx);
2850 clientssl = serverssl = NULL;
2851 sctx = cctx = NULL;
2852 return testresult;
2853 }
2854 #endif
2855
2856 #define USE_NULL 0
2857 #define USE_BIO_1 1
2858 #define USE_BIO_2 2
2859 #define USE_DEFAULT 3
2860
2861 #define CONNTYPE_CONNECTION_SUCCESS 0
2862 #define CONNTYPE_CONNECTION_FAIL 1
2863 #define CONNTYPE_NO_CONNECTION 2
2864
2865 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2866 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2867 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2868 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2869 #else
2870 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2871 #endif
2872
2873 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2874 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2875 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2876
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2877 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2878 {
2879 switch (type) {
2880 case USE_NULL:
2881 *res = NULL;
2882 break;
2883 case USE_BIO_1:
2884 *res = bio1;
2885 break;
2886 case USE_BIO_2:
2887 *res = bio2;
2888 break;
2889 }
2890 }
2891
2892
2893 /*
2894 * Tests calls to SSL_set_bio() under various conditions.
2895 *
2896 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2897 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2898 * then do more tests where we create a successful connection first using our
2899 * standard connection setup functions, and then call SSL_set_bio() with
2900 * various combinations of valid BIOs or NULL. We then repeat these tests
2901 * following a failed connection. In this last case we are looking to check that
2902 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2903 */
test_ssl_set_bio(int idx)2904 static int test_ssl_set_bio(int idx)
2905 {
2906 SSL_CTX *sctx = NULL, *cctx = NULL;
2907 BIO *bio1 = NULL;
2908 BIO *bio2 = NULL;
2909 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2910 SSL *serverssl = NULL, *clientssl = NULL;
2911 int initrbio, initwbio, newrbio, newwbio, conntype;
2912 int testresult = 0;
2913
2914 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2915 initrbio = idx % 3;
2916 idx /= 3;
2917 initwbio = idx % 3;
2918 idx /= 3;
2919 newrbio = idx % 3;
2920 idx /= 3;
2921 newwbio = idx % 3;
2922 conntype = CONNTYPE_NO_CONNECTION;
2923 } else {
2924 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2925 initrbio = initwbio = USE_DEFAULT;
2926 newrbio = idx % 2;
2927 idx /= 2;
2928 newwbio = idx % 2;
2929 idx /= 2;
2930 conntype = idx % 2;
2931 }
2932
2933 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2934 TLS_client_method(), TLS1_VERSION, 0,
2935 &sctx, &cctx, cert, privkey)))
2936 goto end;
2937
2938 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2939 /*
2940 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2941 * because we reduced the number of tests in the definition of
2942 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2943 * mismatched protocol versions we will force a connection failure.
2944 */
2945 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2946 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2947 }
2948
2949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2950 NULL, NULL)))
2951 goto end;
2952
2953 if (initrbio == USE_BIO_1
2954 || initwbio == USE_BIO_1
2955 || newrbio == USE_BIO_1
2956 || newwbio == USE_BIO_1) {
2957 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2958 goto end;
2959 }
2960
2961 if (initrbio == USE_BIO_2
2962 || initwbio == USE_BIO_2
2963 || newrbio == USE_BIO_2
2964 || newwbio == USE_BIO_2) {
2965 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2966 goto end;
2967 }
2968
2969 if (initrbio != USE_DEFAULT) {
2970 setupbio(&irbio, bio1, bio2, initrbio);
2971 setupbio(&iwbio, bio1, bio2, initwbio);
2972 SSL_set_bio(clientssl, irbio, iwbio);
2973
2974 /*
2975 * We want to maintain our own refs to these BIO, so do an up ref for
2976 * each BIO that will have ownership transferred in the SSL_set_bio()
2977 * call
2978 */
2979 if (irbio != NULL)
2980 BIO_up_ref(irbio);
2981 if (iwbio != NULL && iwbio != irbio)
2982 BIO_up_ref(iwbio);
2983 }
2984
2985 if (conntype != CONNTYPE_NO_CONNECTION
2986 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2987 SSL_ERROR_NONE)
2988 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2989 goto end;
2990
2991 setupbio(&nrbio, bio1, bio2, newrbio);
2992 setupbio(&nwbio, bio1, bio2, newwbio);
2993
2994 /*
2995 * We will (maybe) transfer ownership again so do more up refs.
2996 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2997 * already been set!
2998 */
2999 if (nrbio != NULL
3000 && nrbio != irbio
3001 && (nwbio != iwbio || nrbio != nwbio))
3002 BIO_up_ref(nrbio);
3003 if (nwbio != NULL
3004 && nwbio != nrbio
3005 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3006 BIO_up_ref(nwbio);
3007
3008 SSL_set_bio(clientssl, nrbio, nwbio);
3009
3010 testresult = 1;
3011
3012 end:
3013 BIO_free(bio1);
3014 BIO_free(bio2);
3015
3016 /*
3017 * This test is checking that the ref counting for SSL_set_bio is correct.
3018 * If we get here and we did too many frees then we will fail in the above
3019 * functions.
3020 */
3021 SSL_free(serverssl);
3022 SSL_free(clientssl);
3023 SSL_CTX_free(sctx);
3024 SSL_CTX_free(cctx);
3025 return testresult;
3026 }
3027
3028 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3029
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)3030 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3031 {
3032 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3033 SSL_CTX *ctx;
3034 SSL *ssl = NULL;
3035 int testresult = 0;
3036
3037 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3038 || !TEST_ptr(ssl = SSL_new(ctx))
3039 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3040 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3041 goto end;
3042
3043 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3044
3045 /*
3046 * If anything goes wrong here then we could leak memory.
3047 */
3048 BIO_push(sslbio, membio1);
3049
3050 /* Verify changing the rbio/wbio directly does not cause leaks */
3051 if (change_bio != NO_BIO_CHANGE) {
3052 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3053 ssl = NULL;
3054 goto end;
3055 }
3056 if (change_bio == CHANGE_RBIO)
3057 SSL_set0_rbio(ssl, membio2);
3058 else
3059 SSL_set0_wbio(ssl, membio2);
3060 }
3061 ssl = NULL;
3062
3063 if (pop_ssl)
3064 BIO_pop(sslbio);
3065 else
3066 BIO_pop(membio1);
3067
3068 testresult = 1;
3069 end:
3070 BIO_free(membio1);
3071 BIO_free(sslbio);
3072 SSL_free(ssl);
3073 SSL_CTX_free(ctx);
3074
3075 return testresult;
3076 }
3077
test_ssl_bio_pop_next_bio(void)3078 static int test_ssl_bio_pop_next_bio(void)
3079 {
3080 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3081 }
3082
test_ssl_bio_pop_ssl_bio(void)3083 static int test_ssl_bio_pop_ssl_bio(void)
3084 {
3085 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3086 }
3087
test_ssl_bio_change_rbio(void)3088 static int test_ssl_bio_change_rbio(void)
3089 {
3090 return execute_test_ssl_bio(0, CHANGE_RBIO);
3091 }
3092
test_ssl_bio_change_wbio(void)3093 static int test_ssl_bio_change_wbio(void)
3094 {
3095 return execute_test_ssl_bio(0, CHANGE_WBIO);
3096 }
3097
3098 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3099 typedef struct {
3100 /* The list of sig algs */
3101 const int *list;
3102 /* The length of the list */
3103 size_t listlen;
3104 /* A sigalgs list in string format */
3105 const char *liststr;
3106 /* Whether setting the list should succeed */
3107 int valid;
3108 /* Whether creating a connection with the list should succeed */
3109 int connsuccess;
3110 } sigalgs_list;
3111
3112 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3113 # ifndef OPENSSL_NO_EC
3114 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3115 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3116 # endif
3117 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3118 static const int invalidlist2[] = {NID_sha256, NID_undef};
3119 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3120 static const int invalidlist4[] = {NID_sha256};
3121 static const sigalgs_list testsigalgs[] = {
3122 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3123 # ifndef OPENSSL_NO_EC
3124 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3125 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3126 # endif
3127 {NULL, 0, "RSA+SHA256", 1, 1},
3128 # ifndef OPENSSL_NO_EC
3129 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3130 {NULL, 0, "ECDSA+SHA512", 1, 0},
3131 # endif
3132 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3133 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3134 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3135 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3136 {NULL, 0, "RSA", 0, 0},
3137 {NULL, 0, "SHA256", 0, 0},
3138 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3139 {NULL, 0, "Invalid", 0, 0}
3140 };
3141
test_set_sigalgs(int idx)3142 static int test_set_sigalgs(int idx)
3143 {
3144 SSL_CTX *cctx = NULL, *sctx = NULL;
3145 SSL *clientssl = NULL, *serverssl = NULL;
3146 int testresult = 0;
3147 const sigalgs_list *curr;
3148 int testctx;
3149
3150 /* Should never happen */
3151 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3152 return 0;
3153
3154 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3155 curr = testctx ? &testsigalgs[idx]
3156 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3157
3158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3159 TLS_client_method(), TLS1_VERSION, 0,
3160 &sctx, &cctx, cert, privkey)))
3161 return 0;
3162
3163 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3164
3165 if (testctx) {
3166 int ret;
3167
3168 if (curr->list != NULL)
3169 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3170 else
3171 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3172
3173 if (!ret) {
3174 if (curr->valid)
3175 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3176 else
3177 testresult = 1;
3178 goto end;
3179 }
3180 if (!curr->valid) {
3181 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3182 goto end;
3183 }
3184 }
3185
3186 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3187 &clientssl, NULL, NULL)))
3188 goto end;
3189
3190 if (!testctx) {
3191 int ret;
3192
3193 if (curr->list != NULL)
3194 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3195 else
3196 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3197 if (!ret) {
3198 if (curr->valid)
3199 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3200 else
3201 testresult = 1;
3202 goto end;
3203 }
3204 if (!curr->valid)
3205 goto end;
3206 }
3207
3208 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3209 SSL_ERROR_NONE),
3210 curr->connsuccess))
3211 goto end;
3212
3213 testresult = 1;
3214
3215 end:
3216 SSL_free(serverssl);
3217 SSL_free(clientssl);
3218 SSL_CTX_free(sctx);
3219 SSL_CTX_free(cctx);
3220
3221 return testresult;
3222 }
3223 #endif
3224
3225 #ifndef OSSL_NO_USABLE_TLS1_3
3226 static int psk_client_cb_cnt = 0;
3227 static int psk_server_cb_cnt = 0;
3228
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)3229 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3230 size_t *idlen, SSL_SESSION **sess)
3231 {
3232 switch (++use_session_cb_cnt) {
3233 case 1:
3234 /* The first call should always have a NULL md */
3235 if (md != NULL)
3236 return 0;
3237 break;
3238
3239 case 2:
3240 /* The second call should always have an md */
3241 if (md == NULL)
3242 return 0;
3243 break;
3244
3245 default:
3246 /* We should only be called a maximum of twice */
3247 return 0;
3248 }
3249
3250 if (clientpsk != NULL)
3251 SSL_SESSION_up_ref(clientpsk);
3252
3253 *sess = clientpsk;
3254 *id = (const unsigned char *)pskid;
3255 *idlen = strlen(pskid);
3256
3257 return 1;
3258 }
3259
3260 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)3261 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3262 unsigned int max_id_len,
3263 unsigned char *psk,
3264 unsigned int max_psk_len)
3265 {
3266 unsigned int psklen = 0;
3267
3268 psk_client_cb_cnt++;
3269
3270 if (strlen(pskid) + 1 > max_id_len)
3271 return 0;
3272
3273 /* We should only ever be called a maximum of twice per connection */
3274 if (psk_client_cb_cnt > 2)
3275 return 0;
3276
3277 if (clientpsk == NULL)
3278 return 0;
3279
3280 /* We'll reuse the PSK we set up for TLSv1.3 */
3281 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3282 return 0;
3283 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3284 strncpy(id, pskid, max_id_len);
3285
3286 return psklen;
3287 }
3288 #endif /* OPENSSL_NO_PSK */
3289
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)3290 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3291 size_t identity_len, SSL_SESSION **sess)
3292 {
3293 find_session_cb_cnt++;
3294
3295 /* We should only ever be called a maximum of twice per connection */
3296 if (find_session_cb_cnt > 2)
3297 return 0;
3298
3299 if (serverpsk == NULL)
3300 return 0;
3301
3302 /* Identity should match that set by the client */
3303 if (strlen(srvid) != identity_len
3304 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3305 /* No PSK found, continue but without a PSK */
3306 *sess = NULL;
3307 return 1;
3308 }
3309
3310 SSL_SESSION_up_ref(serverpsk);
3311 *sess = serverpsk;
3312
3313 return 1;
3314 }
3315
3316 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)3317 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3318 unsigned char *psk, unsigned int max_psk_len)
3319 {
3320 unsigned int psklen = 0;
3321
3322 psk_server_cb_cnt++;
3323
3324 /* We should only ever be called a maximum of twice per connection */
3325 if (find_session_cb_cnt > 2)
3326 return 0;
3327
3328 if (serverpsk == NULL)
3329 return 0;
3330
3331 /* Identity should match that set by the client */
3332 if (strcmp(srvid, identity) != 0) {
3333 return 0;
3334 }
3335
3336 /* We'll reuse the PSK we set up for TLSv1.3 */
3337 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3338 return 0;
3339 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3340
3341 return psklen;
3342 }
3343 #endif /* OPENSSL_NO_PSK */
3344
3345 #define MSG1 "Hello"
3346 #define MSG2 "World."
3347 #define MSG3 "This"
3348 #define MSG4 "is"
3349 #define MSG5 "a"
3350 #define MSG6 "test"
3351 #define MSG7 "message."
3352
3353 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3354 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3355 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3356 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3357 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3358
3359
create_a_psk(SSL * ssl,size_t mdsize)3360 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3361 {
3362 const SSL_CIPHER *cipher = NULL;
3363 const unsigned char key[] = {
3364 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3365 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3366 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3367 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3368 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3369 };
3370 SSL_SESSION *sess = NULL;
3371
3372 if (mdsize == SHA384_DIGEST_LENGTH) {
3373 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3374 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3375 /*
3376 * Any ciphersuite using SHA256 will do - it will be compatible with
3377 * the actual ciphersuite selected as long as it too is based on SHA256
3378 */
3379 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3380 } else {
3381 /* Should not happen */
3382 return NULL;
3383 }
3384 sess = SSL_SESSION_new();
3385 if (!TEST_ptr(sess)
3386 || !TEST_ptr(cipher)
3387 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3388 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3389 || !TEST_true(
3390 SSL_SESSION_set_protocol_version(sess,
3391 TLS1_3_VERSION))) {
3392 SSL_SESSION_free(sess);
3393 return NULL;
3394 }
3395 return sess;
3396 }
3397
3398 /*
3399 * Helper method to setup objects for early data test. Caller frees objects on
3400 * error.
3401 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx,size_t mdsize)3402 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3403 SSL **serverssl, SSL_SESSION **sess, int idx,
3404 size_t mdsize)
3405 {
3406 if (*sctx == NULL
3407 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3408 TLS_client_method(),
3409 TLS1_VERSION, 0,
3410 sctx, cctx, cert, privkey)))
3411 return 0;
3412
3413 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3414 return 0;
3415
3416 if (idx == 1) {
3417 /* When idx == 1 we repeat the tests with read_ahead set */
3418 SSL_CTX_set_read_ahead(*cctx, 1);
3419 SSL_CTX_set_read_ahead(*sctx, 1);
3420 } else if (idx == 2) {
3421 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3422 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3423 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3424 use_session_cb_cnt = 0;
3425 find_session_cb_cnt = 0;
3426 srvid = pskid;
3427 }
3428
3429 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3430 NULL, NULL)))
3431 return 0;
3432
3433 /*
3434 * For one of the run throughs (doesn't matter which one), we'll try sending
3435 * some SNI data in the initial ClientHello. This will be ignored (because
3436 * there is no SNI cb set up by the server), so it should not impact
3437 * early_data.
3438 */
3439 if (idx == 1
3440 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3441 return 0;
3442
3443 if (idx == 2) {
3444 clientpsk = create_a_psk(*clientssl, mdsize);
3445 if (!TEST_ptr(clientpsk)
3446 /*
3447 * We just choose an arbitrary value for max_early_data which
3448 * should be big enough for testing purposes.
3449 */
3450 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3451 0x100))
3452 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3453 SSL_SESSION_free(clientpsk);
3454 clientpsk = NULL;
3455 return 0;
3456 }
3457 serverpsk = clientpsk;
3458
3459 if (sess != NULL) {
3460 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3461 SSL_SESSION_free(clientpsk);
3462 SSL_SESSION_free(serverpsk);
3463 clientpsk = serverpsk = NULL;
3464 return 0;
3465 }
3466 *sess = clientpsk;
3467 }
3468 return 1;
3469 }
3470
3471 if (sess == NULL)
3472 return 1;
3473
3474 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3475 SSL_ERROR_NONE)))
3476 return 0;
3477
3478 *sess = SSL_get1_session(*clientssl);
3479 SSL_shutdown(*clientssl);
3480 SSL_shutdown(*serverssl);
3481 SSL_free(*serverssl);
3482 SSL_free(*clientssl);
3483 *serverssl = *clientssl = NULL;
3484
3485 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3486 clientssl, NULL, NULL))
3487 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3488 return 0;
3489
3490 return 1;
3491 }
3492
test_early_data_read_write(int idx)3493 static int test_early_data_read_write(int idx)
3494 {
3495 SSL_CTX *cctx = NULL, *sctx = NULL;
3496 SSL *clientssl = NULL, *serverssl = NULL;
3497 int testresult = 0;
3498 SSL_SESSION *sess = NULL;
3499 unsigned char buf[20], data[1024];
3500 size_t readbytes, written, eoedlen, rawread, rawwritten;
3501 BIO *rbio;
3502
3503 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3504 &serverssl, &sess, idx,
3505 SHA384_DIGEST_LENGTH)))
3506 goto end;
3507
3508 /* Write and read some early data */
3509 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3510 &written))
3511 || !TEST_size_t_eq(written, strlen(MSG1))
3512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3513 sizeof(buf), &readbytes),
3514 SSL_READ_EARLY_DATA_SUCCESS)
3515 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3517 SSL_EARLY_DATA_ACCEPTED))
3518 goto end;
3519
3520 /*
3521 * Server should be able to write data, and client should be able to
3522 * read it.
3523 */
3524 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3525 &written))
3526 || !TEST_size_t_eq(written, strlen(MSG2))
3527 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3528 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3529 goto end;
3530
3531 /* Even after reading normal data, client should be able write early data */
3532 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3533 &written))
3534 || !TEST_size_t_eq(written, strlen(MSG3)))
3535 goto end;
3536
3537 /* Server should still be able read early data after writing data */
3538 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3539 &readbytes),
3540 SSL_READ_EARLY_DATA_SUCCESS)
3541 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3542 goto end;
3543
3544 /* Write more data from server and read it from client */
3545 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3546 &written))
3547 || !TEST_size_t_eq(written, strlen(MSG4))
3548 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3549 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3550 goto end;
3551
3552 /*
3553 * If client writes normal data it should mean writing early data is no
3554 * longer possible.
3555 */
3556 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3557 || !TEST_size_t_eq(written, strlen(MSG5))
3558 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3559 SSL_EARLY_DATA_ACCEPTED))
3560 goto end;
3561
3562 /*
3563 * At this point the client has written EndOfEarlyData, ClientFinished and
3564 * normal (fully protected) data. We are going to cause a delay between the
3565 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3566 * in the read BIO, and then just put back the EndOfEarlyData message.
3567 */
3568 rbio = SSL_get_rbio(serverssl);
3569 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3570 || !TEST_size_t_lt(rawread, sizeof(data))
3571 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3572 goto end;
3573
3574 /* Record length is in the 4th and 5th bytes of the record header */
3575 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3576 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3577 || !TEST_size_t_eq(rawwritten, eoedlen))
3578 goto end;
3579
3580 /* Server should be told that there is no more early data */
3581 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3582 &readbytes),
3583 SSL_READ_EARLY_DATA_FINISH)
3584 || !TEST_size_t_eq(readbytes, 0))
3585 goto end;
3586
3587 /*
3588 * Server has not finished init yet, so should still be able to write early
3589 * data.
3590 */
3591 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3592 &written))
3593 || !TEST_size_t_eq(written, strlen(MSG6)))
3594 goto end;
3595
3596 /* Push the ClientFinished and the normal data back into the server rbio */
3597 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3598 &rawwritten))
3599 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3600 goto end;
3601
3602 /* Server should be able to read normal data */
3603 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3604 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3605 goto end;
3606
3607 /* Client and server should not be able to write/read early data now */
3608 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3609 &written)))
3610 goto end;
3611 ERR_clear_error();
3612 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3613 &readbytes),
3614 SSL_READ_EARLY_DATA_ERROR))
3615 goto end;
3616 ERR_clear_error();
3617
3618 /* Client should be able to read the data sent by the server */
3619 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3620 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3621 goto end;
3622
3623 /*
3624 * Make sure we process the two NewSessionTickets. These arrive
3625 * post-handshake. We attempt reads which we do not expect to return any
3626 * data.
3627 */
3628 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3629 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3630 &readbytes)))
3631 goto end;
3632
3633 /* Server should be able to write normal data */
3634 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3635 || !TEST_size_t_eq(written, strlen(MSG7))
3636 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3637 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3638 goto end;
3639
3640 SSL_SESSION_free(sess);
3641 sess = SSL_get1_session(clientssl);
3642 use_session_cb_cnt = 0;
3643 find_session_cb_cnt = 0;
3644
3645 SSL_shutdown(clientssl);
3646 SSL_shutdown(serverssl);
3647 SSL_free(serverssl);
3648 SSL_free(clientssl);
3649 serverssl = clientssl = NULL;
3650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3651 &clientssl, NULL, NULL))
3652 || !TEST_true(SSL_set_session(clientssl, sess)))
3653 goto end;
3654
3655 /* Write and read some early data */
3656 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3657 &written))
3658 || !TEST_size_t_eq(written, strlen(MSG1))
3659 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3660 &readbytes),
3661 SSL_READ_EARLY_DATA_SUCCESS)
3662 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3663 goto end;
3664
3665 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3666 || !TEST_int_gt(SSL_accept(serverssl), 0))
3667 goto end;
3668
3669 /* Client and server should not be able to write/read early data now */
3670 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3671 &written)))
3672 goto end;
3673 ERR_clear_error();
3674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3675 &readbytes),
3676 SSL_READ_EARLY_DATA_ERROR))
3677 goto end;
3678 ERR_clear_error();
3679
3680 /* Client and server should be able to write/read normal data */
3681 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3682 || !TEST_size_t_eq(written, strlen(MSG5))
3683 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3684 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3685 goto end;
3686
3687 testresult = 1;
3688
3689 end:
3690 SSL_SESSION_free(sess);
3691 SSL_SESSION_free(clientpsk);
3692 SSL_SESSION_free(serverpsk);
3693 clientpsk = serverpsk = NULL;
3694 SSL_free(serverssl);
3695 SSL_free(clientssl);
3696 SSL_CTX_free(sctx);
3697 SSL_CTX_free(cctx);
3698 return testresult;
3699 }
3700
3701 static int allow_ed_cb_called = 0;
3702
allow_early_data_cb(SSL * s,void * arg)3703 static int allow_early_data_cb(SSL *s, void *arg)
3704 {
3705 int *usecb = (int *)arg;
3706
3707 allow_ed_cb_called++;
3708
3709 if (*usecb == 1)
3710 return 0;
3711
3712 return 1;
3713 }
3714
3715 /*
3716 * idx == 0: Standard early_data setup
3717 * idx == 1: early_data setup using read_ahead
3718 * usecb == 0: Don't use a custom early data callback
3719 * usecb == 1: Use a custom early data callback and reject the early data
3720 * usecb == 2: Use a custom early data callback and accept the early data
3721 * confopt == 0: Configure anti-replay directly
3722 * confopt == 1: Configure anti-replay using SSL_CONF
3723 */
test_early_data_replay_int(int idx,int usecb,int confopt)3724 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3725 {
3726 SSL_CTX *cctx = NULL, *sctx = NULL;
3727 SSL *clientssl = NULL, *serverssl = NULL;
3728 int testresult = 0;
3729 SSL_SESSION *sess = NULL;
3730 size_t readbytes, written;
3731 unsigned char buf[20];
3732
3733 allow_ed_cb_called = 0;
3734
3735 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3736 TLS_client_method(), TLS1_VERSION, 0,
3737 &sctx, &cctx, cert, privkey)))
3738 return 0;
3739
3740 if (usecb > 0) {
3741 if (confopt == 0) {
3742 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3743 } else {
3744 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3745
3746 if (!TEST_ptr(confctx))
3747 goto end;
3748 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3749 | SSL_CONF_FLAG_SERVER);
3750 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3751 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3752 2)) {
3753 SSL_CONF_CTX_free(confctx);
3754 goto end;
3755 }
3756 SSL_CONF_CTX_free(confctx);
3757 }
3758 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3759 }
3760
3761 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3762 &serverssl, &sess, idx,
3763 SHA384_DIGEST_LENGTH)))
3764 goto end;
3765
3766 /*
3767 * The server is configured to accept early data. Create a connection to
3768 * "use up" the ticket
3769 */
3770 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3771 || !TEST_true(SSL_session_reused(clientssl)))
3772 goto end;
3773
3774 SSL_shutdown(clientssl);
3775 SSL_shutdown(serverssl);
3776 SSL_free(serverssl);
3777 SSL_free(clientssl);
3778 serverssl = clientssl = NULL;
3779
3780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3781 &clientssl, NULL, NULL))
3782 || !TEST_true(SSL_set_session(clientssl, sess)))
3783 goto end;
3784
3785 /* Write and read some early data */
3786 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3787 &written))
3788 || !TEST_size_t_eq(written, strlen(MSG1)))
3789 goto end;
3790
3791 if (usecb <= 1) {
3792 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3793 &readbytes),
3794 SSL_READ_EARLY_DATA_FINISH)
3795 /*
3796 * The ticket was reused, so the we should have rejected the
3797 * early data
3798 */
3799 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3800 SSL_EARLY_DATA_REJECTED))
3801 goto end;
3802 } else {
3803 /* In this case the callback decides to accept the early data */
3804 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3805 &readbytes),
3806 SSL_READ_EARLY_DATA_SUCCESS)
3807 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3808 /*
3809 * Server will have sent its flight so client can now send
3810 * end of early data and complete its half of the handshake
3811 */
3812 || !TEST_int_gt(SSL_connect(clientssl), 0)
3813 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3814 &readbytes),
3815 SSL_READ_EARLY_DATA_FINISH)
3816 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3817 SSL_EARLY_DATA_ACCEPTED))
3818 goto end;
3819 }
3820
3821 /* Complete the connection */
3822 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3823 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3824 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3825 goto end;
3826
3827 testresult = 1;
3828
3829 end:
3830 SSL_SESSION_free(sess);
3831 SSL_SESSION_free(clientpsk);
3832 SSL_SESSION_free(serverpsk);
3833 clientpsk = serverpsk = NULL;
3834 SSL_free(serverssl);
3835 SSL_free(clientssl);
3836 SSL_CTX_free(sctx);
3837 SSL_CTX_free(cctx);
3838 return testresult;
3839 }
3840
test_early_data_replay(int idx)3841 static int test_early_data_replay(int idx)
3842 {
3843 int ret = 1, usecb, confopt;
3844
3845 for (usecb = 0; usecb < 3; usecb++) {
3846 for (confopt = 0; confopt < 2; confopt++)
3847 ret &= test_early_data_replay_int(idx, usecb, confopt);
3848 }
3849
3850 return ret;
3851 }
3852
3853 static const char *ciphersuites[] = {
3854 "TLS_AES_128_CCM_8_SHA256",
3855 "TLS_AES_128_GCM_SHA256",
3856 "TLS_AES_256_GCM_SHA384",
3857 "TLS_AES_128_CCM_SHA256",
3858 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3859 "TLS_CHACHA20_POLY1305_SHA256"
3860 #endif
3861 };
3862
3863 /*
3864 * Helper function to test that a server attempting to read early data can
3865 * handle a connection from a client where the early data should be skipped.
3866 * testtype: 0 == No HRR
3867 * testtype: 1 == HRR
3868 * testtype: 2 == HRR, invalid early_data sent after HRR
3869 * testtype: 3 == recv_max_early_data set to 0
3870 */
early_data_skip_helper(int testtype,int cipher,int idx)3871 static int early_data_skip_helper(int testtype, int cipher, int idx)
3872 {
3873 SSL_CTX *cctx = NULL, *sctx = NULL;
3874 SSL *clientssl = NULL, *serverssl = NULL;
3875 int testresult = 0;
3876 SSL_SESSION *sess = NULL;
3877 unsigned char buf[20];
3878 size_t readbytes, written;
3879
3880 if (is_fips && cipher == 4)
3881 return 1;
3882
3883 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3884 TLS_client_method(),
3885 TLS1_VERSION, 0,
3886 &sctx, &cctx, cert, privkey)))
3887 goto end;
3888
3889 if (cipher == 0) {
3890 SSL_CTX_set_security_level(sctx, 0);
3891 SSL_CTX_set_security_level(cctx, 0);
3892 }
3893
3894 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3895 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3896 goto end;
3897
3898 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3899 &serverssl, &sess, idx,
3900 cipher == 2 ? SHA384_DIGEST_LENGTH
3901 : SHA256_DIGEST_LENGTH)))
3902 goto end;
3903
3904 if (testtype == 1 || testtype == 2) {
3905 /* Force an HRR to occur */
3906 #if defined(OPENSSL_NO_EC)
3907 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3908 goto end;
3909 #else
3910 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3911 goto end;
3912 #endif
3913 } else if (idx == 2) {
3914 /*
3915 * We force early_data rejection by ensuring the PSK identity is
3916 * unrecognised
3917 */
3918 srvid = "Dummy Identity";
3919 } else {
3920 /*
3921 * Deliberately corrupt the creation time. We take 20 seconds off the
3922 * time. It could be any value as long as it is not within tolerance.
3923 * This should mean the ticket is rejected.
3924 */
3925 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3926 goto end;
3927 }
3928
3929 if (testtype == 3
3930 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3931 goto end;
3932
3933 /* Write some early data */
3934 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3935 &written))
3936 || !TEST_size_t_eq(written, strlen(MSG1)))
3937 goto end;
3938
3939 /* Server should reject the early data */
3940 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3941 &readbytes),
3942 SSL_READ_EARLY_DATA_FINISH)
3943 || !TEST_size_t_eq(readbytes, 0)
3944 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3945 SSL_EARLY_DATA_REJECTED))
3946 goto end;
3947
3948 switch (testtype) {
3949 case 0:
3950 /* Nothing to do */
3951 break;
3952
3953 case 1:
3954 /*
3955 * Finish off the handshake. We perform the same writes and reads as
3956 * further down but we expect them to fail due to the incomplete
3957 * handshake.
3958 */
3959 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3960 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3961 &readbytes)))
3962 goto end;
3963 break;
3964
3965 case 2:
3966 {
3967 BIO *wbio = SSL_get_wbio(clientssl);
3968 /* A record that will appear as bad early_data */
3969 const unsigned char bad_early_data[] = {
3970 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3971 };
3972
3973 /*
3974 * We force the client to attempt a write. This will fail because
3975 * we're still in the handshake. It will cause the second
3976 * ClientHello to be sent.
3977 */
3978 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3979 &written)))
3980 goto end;
3981
3982 /*
3983 * Inject some early_data after the second ClientHello. This should
3984 * cause the server to fail
3985 */
3986 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3987 sizeof(bad_early_data), &written)))
3988 goto end;
3989 }
3990 /* fallthrough */
3991
3992 case 3:
3993 /*
3994 * This client has sent more early_data than we are willing to skip
3995 * (case 3) or sent invalid early_data (case 2) so the connection should
3996 * abort.
3997 */
3998 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3999 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4000 goto end;
4001
4002 /* Connection has failed - nothing more to do */
4003 testresult = 1;
4004 goto end;
4005
4006 default:
4007 TEST_error("Invalid test type");
4008 goto end;
4009 }
4010
4011 ERR_clear_error();
4012 /*
4013 * Should be able to send normal data despite rejection of early data. The
4014 * early_data should be skipped.
4015 */
4016 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4017 || !TEST_size_t_eq(written, strlen(MSG2))
4018 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4019 SSL_EARLY_DATA_REJECTED)
4020 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4021 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4022 goto end;
4023
4024 /*
4025 * Failure to decrypt early data records should not leave spurious errors
4026 * on the error stack
4027 */
4028 if (!TEST_long_eq(ERR_peek_error(), 0))
4029 goto end;
4030
4031 testresult = 1;
4032
4033 end:
4034 SSL_SESSION_free(clientpsk);
4035 SSL_SESSION_free(serverpsk);
4036 clientpsk = serverpsk = NULL;
4037 SSL_SESSION_free(sess);
4038 SSL_free(serverssl);
4039 SSL_free(clientssl);
4040 SSL_CTX_free(sctx);
4041 SSL_CTX_free(cctx);
4042 return testresult;
4043 }
4044
4045 /*
4046 * Test that a server attempting to read early data can handle a connection
4047 * from a client where the early data is not acceptable.
4048 */
test_early_data_skip(int idx)4049 static int test_early_data_skip(int idx)
4050 {
4051 return early_data_skip_helper(0,
4052 idx % OSSL_NELEM(ciphersuites),
4053 idx / OSSL_NELEM(ciphersuites));
4054 }
4055
4056 /*
4057 * Test that a server attempting to read early data can handle a connection
4058 * from a client where an HRR occurs.
4059 */
test_early_data_skip_hrr(int idx)4060 static int test_early_data_skip_hrr(int idx)
4061 {
4062 return early_data_skip_helper(1,
4063 idx % OSSL_NELEM(ciphersuites),
4064 idx / OSSL_NELEM(ciphersuites));
4065 }
4066
4067 /*
4068 * Test that a server attempting to read early data can handle a connection
4069 * from a client where an HRR occurs and correctly fails if early_data is sent
4070 * after the HRR
4071 */
test_early_data_skip_hrr_fail(int idx)4072 static int test_early_data_skip_hrr_fail(int idx)
4073 {
4074 return early_data_skip_helper(2,
4075 idx % OSSL_NELEM(ciphersuites),
4076 idx / OSSL_NELEM(ciphersuites));
4077 }
4078
4079 /*
4080 * Test that a server attempting to read early data will abort if it tries to
4081 * skip over too much.
4082 */
test_early_data_skip_abort(int idx)4083 static int test_early_data_skip_abort(int idx)
4084 {
4085 return early_data_skip_helper(3,
4086 idx % OSSL_NELEM(ciphersuites),
4087 idx / OSSL_NELEM(ciphersuites));
4088 }
4089
4090 /*
4091 * Test that a server attempting to read early data can handle a connection
4092 * from a client that doesn't send any.
4093 */
test_early_data_not_sent(int idx)4094 static int test_early_data_not_sent(int idx)
4095 {
4096 SSL_CTX *cctx = NULL, *sctx = NULL;
4097 SSL *clientssl = NULL, *serverssl = NULL;
4098 int testresult = 0;
4099 SSL_SESSION *sess = NULL;
4100 unsigned char buf[20];
4101 size_t readbytes, written;
4102
4103 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4104 &serverssl, &sess, idx,
4105 SHA384_DIGEST_LENGTH)))
4106 goto end;
4107
4108 /* Write some data - should block due to handshake with server */
4109 SSL_set_connect_state(clientssl);
4110 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4111 goto end;
4112
4113 /* Server should detect that early data has not been sent */
4114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4115 &readbytes),
4116 SSL_READ_EARLY_DATA_FINISH)
4117 || !TEST_size_t_eq(readbytes, 0)
4118 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4119 SSL_EARLY_DATA_NOT_SENT)
4120 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4121 SSL_EARLY_DATA_NOT_SENT))
4122 goto end;
4123
4124 /* Continue writing the message we started earlier */
4125 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4126 || !TEST_size_t_eq(written, strlen(MSG1))
4127 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4128 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4129 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4130 || !TEST_size_t_eq(written, strlen(MSG2)))
4131 goto end;
4132
4133 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4134 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4135 goto end;
4136
4137 testresult = 1;
4138
4139 end:
4140 SSL_SESSION_free(sess);
4141 SSL_SESSION_free(clientpsk);
4142 SSL_SESSION_free(serverpsk);
4143 clientpsk = serverpsk = NULL;
4144 SSL_free(serverssl);
4145 SSL_free(clientssl);
4146 SSL_CTX_free(sctx);
4147 SSL_CTX_free(cctx);
4148 return testresult;
4149 }
4150
4151 static const char *servalpn;
4152
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)4153 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4154 unsigned char *outlen, const unsigned char *in,
4155 unsigned int inlen, void *arg)
4156 {
4157 unsigned int protlen = 0;
4158 const unsigned char *prot;
4159
4160 for (prot = in; prot < in + inlen; prot += protlen) {
4161 protlen = *prot++;
4162 if (in + inlen < prot + protlen)
4163 return SSL_TLSEXT_ERR_NOACK;
4164
4165 if (protlen == strlen(servalpn)
4166 && memcmp(prot, servalpn, protlen) == 0) {
4167 *out = prot;
4168 *outlen = protlen;
4169 return SSL_TLSEXT_ERR_OK;
4170 }
4171 }
4172
4173 return SSL_TLSEXT_ERR_NOACK;
4174 }
4175
4176 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)4177 static int test_early_data_psk(int idx)
4178 {
4179 SSL_CTX *cctx = NULL, *sctx = NULL;
4180 SSL *clientssl = NULL, *serverssl = NULL;
4181 int testresult = 0;
4182 SSL_SESSION *sess = NULL;
4183 unsigned char alpnlist[] = {
4184 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4185 'l', 'p', 'n'
4186 };
4187 #define GOODALPNLEN 9
4188 #define BADALPNLEN 8
4189 #define GOODALPN (alpnlist)
4190 #define BADALPN (alpnlist + GOODALPNLEN)
4191 int err = 0;
4192 unsigned char buf[20];
4193 size_t readbytes, written;
4194 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4195 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4196
4197 /* We always set this up with a final parameter of "2" for PSK */
4198 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4199 &serverssl, &sess, 2,
4200 SHA384_DIGEST_LENGTH)))
4201 goto end;
4202
4203 servalpn = "goodalpn";
4204
4205 /*
4206 * Note: There is no test for inconsistent SNI with late client detection.
4207 * This is because servers do not acknowledge SNI even if they are using
4208 * it in a resumption handshake - so it is not actually possible for a
4209 * client to detect a problem.
4210 */
4211 switch (idx) {
4212 case 0:
4213 /* Set inconsistent SNI (early client detection) */
4214 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4215 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4216 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4217 goto end;
4218 break;
4219
4220 case 1:
4221 /* Set inconsistent ALPN (early client detection) */
4222 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4223 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4224 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4225 GOODALPNLEN))
4226 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4227 BADALPNLEN)))
4228 goto end;
4229 break;
4230
4231 case 2:
4232 /*
4233 * Set invalid protocol version. Technically this affects PSKs without
4234 * early_data too, but we test it here because it is similar to the
4235 * SNI/ALPN consistency tests.
4236 */
4237 err = SSL_R_BAD_PSK;
4238 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4239 goto end;
4240 break;
4241
4242 case 3:
4243 /*
4244 * Set inconsistent SNI (server side). In this case the connection
4245 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4246 * is associated with each handshake - not the session. Therefore it
4247 * should not matter that we used a different server name last time.
4248 */
4249 SSL_SESSION_free(serverpsk);
4250 serverpsk = SSL_SESSION_dup(clientpsk);
4251 if (!TEST_ptr(serverpsk)
4252 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4253 goto end;
4254 /* Fall through */
4255 case 4:
4256 /* Set consistent SNI */
4257 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4258 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4259 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4260 hostname_cb)))
4261 goto end;
4262 break;
4263
4264 case 5:
4265 /*
4266 * Set inconsistent ALPN (server detected). In this case the connection
4267 * will succeed but reject early_data.
4268 */
4269 servalpn = "badalpn";
4270 edstatus = SSL_EARLY_DATA_REJECTED;
4271 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4272 /* Fall through */
4273 case 6:
4274 /*
4275 * Set consistent ALPN.
4276 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4277 * accepts a list of protos (each one length prefixed).
4278 * SSL_set1_alpn_selected accepts a single protocol (not length
4279 * prefixed)
4280 */
4281 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4282 GOODALPNLEN - 1))
4283 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4284 GOODALPNLEN)))
4285 goto end;
4286
4287 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4288 break;
4289
4290 case 7:
4291 /* Set inconsistent ALPN (late client detection) */
4292 SSL_SESSION_free(serverpsk);
4293 serverpsk = SSL_SESSION_dup(clientpsk);
4294 if (!TEST_ptr(serverpsk)
4295 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4296 BADALPN + 1,
4297 BADALPNLEN - 1))
4298 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4299 GOODALPN + 1,
4300 GOODALPNLEN - 1))
4301 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4302 sizeof(alpnlist))))
4303 goto end;
4304 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4305 edstatus = SSL_EARLY_DATA_ACCEPTED;
4306 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4307 /* SSL_connect() call should fail */
4308 connectres = -1;
4309 break;
4310
4311 default:
4312 TEST_error("Bad test index");
4313 goto end;
4314 }
4315
4316 SSL_set_connect_state(clientssl);
4317 if (err != 0) {
4318 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4319 &written))
4320 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4321 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4322 goto end;
4323 } else {
4324 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4325 &written)))
4326 goto end;
4327
4328 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4329 &readbytes), readearlyres)
4330 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4331 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4332 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4333 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4334 goto end;
4335 }
4336
4337 testresult = 1;
4338
4339 end:
4340 SSL_SESSION_free(sess);
4341 SSL_SESSION_free(clientpsk);
4342 SSL_SESSION_free(serverpsk);
4343 clientpsk = serverpsk = NULL;
4344 SSL_free(serverssl);
4345 SSL_free(clientssl);
4346 SSL_CTX_free(sctx);
4347 SSL_CTX_free(cctx);
4348 return testresult;
4349 }
4350
4351 /*
4352 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4353 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4354 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4355 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4356 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4357 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4358 */
test_early_data_psk_with_all_ciphers(int idx)4359 static int test_early_data_psk_with_all_ciphers(int idx)
4360 {
4361 SSL_CTX *cctx = NULL, *sctx = NULL;
4362 SSL *clientssl = NULL, *serverssl = NULL;
4363 int testresult = 0;
4364 SSL_SESSION *sess = NULL;
4365 unsigned char buf[20];
4366 size_t readbytes, written;
4367 const SSL_CIPHER *cipher;
4368 const char *cipher_str[] = {
4369 TLS1_3_RFC_AES_128_GCM_SHA256,
4370 TLS1_3_RFC_AES_256_GCM_SHA384,
4371 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4372 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4373 # else
4374 NULL,
4375 # endif
4376 TLS1_3_RFC_AES_128_CCM_SHA256,
4377 TLS1_3_RFC_AES_128_CCM_8_SHA256
4378 };
4379 const unsigned char *cipher_bytes[] = {
4380 TLS13_AES_128_GCM_SHA256_BYTES,
4381 TLS13_AES_256_GCM_SHA384_BYTES,
4382 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4383 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4384 # else
4385 NULL,
4386 # endif
4387 TLS13_AES_128_CCM_SHA256_BYTES,
4388 TLS13_AES_128_CCM_8_SHA256_BYTES
4389 };
4390
4391 if (cipher_str[idx] == NULL)
4392 return 1;
4393 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4394 if (idx == 2 && is_fips == 1)
4395 return 1;
4396
4397 /* We always set this up with a final parameter of "2" for PSK */
4398 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4399 &serverssl, &sess, 2,
4400 SHA384_DIGEST_LENGTH)))
4401 goto end;
4402
4403 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4404 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4405 goto end;
4406
4407 /*
4408 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4409 * and assigns to both client and server with incremented reference
4410 * and the same instance is updated in 'sess'.
4411 * So updating ciphersuite in 'sess' which will get reflected in
4412 * PSK handshake using psk use sess and find sess cb.
4413 */
4414 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4415 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4416 goto end;
4417
4418 SSL_set_connect_state(clientssl);
4419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4420 &written)))
4421 goto end;
4422
4423 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4424 &readbytes),
4425 SSL_READ_EARLY_DATA_SUCCESS)
4426 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4427 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4428 SSL_EARLY_DATA_ACCEPTED)
4429 || !TEST_int_eq(SSL_connect(clientssl), 1)
4430 || !TEST_int_eq(SSL_accept(serverssl), 1))
4431 goto end;
4432
4433 /* Send some normal data from client to server */
4434 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4435 || !TEST_size_t_eq(written, strlen(MSG2)))
4436 goto end;
4437
4438 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4439 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4440 goto end;
4441
4442 testresult = 1;
4443 end:
4444 SSL_SESSION_free(sess);
4445 SSL_SESSION_free(clientpsk);
4446 SSL_SESSION_free(serverpsk);
4447 clientpsk = serverpsk = NULL;
4448 if (clientssl != NULL)
4449 SSL_shutdown(clientssl);
4450 if (serverssl != NULL)
4451 SSL_shutdown(serverssl);
4452 SSL_free(serverssl);
4453 SSL_free(clientssl);
4454 SSL_CTX_free(sctx);
4455 SSL_CTX_free(cctx);
4456 return testresult;
4457 }
4458
4459 /*
4460 * Test that a server that doesn't try to read early data can handle a
4461 * client sending some.
4462 */
test_early_data_not_expected(int idx)4463 static int test_early_data_not_expected(int idx)
4464 {
4465 SSL_CTX *cctx = NULL, *sctx = NULL;
4466 SSL *clientssl = NULL, *serverssl = NULL;
4467 int testresult = 0;
4468 SSL_SESSION *sess = NULL;
4469 unsigned char buf[20];
4470 size_t readbytes, written;
4471
4472 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4473 &serverssl, &sess, idx,
4474 SHA384_DIGEST_LENGTH)))
4475 goto end;
4476
4477 /* Write some early data */
4478 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4479 &written)))
4480 goto end;
4481
4482 /*
4483 * Server should skip over early data and then block waiting for client to
4484 * continue handshake
4485 */
4486 if (!TEST_int_le(SSL_accept(serverssl), 0)
4487 || !TEST_int_gt(SSL_connect(clientssl), 0)
4488 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4489 SSL_EARLY_DATA_REJECTED)
4490 || !TEST_int_gt(SSL_accept(serverssl), 0)
4491 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4492 SSL_EARLY_DATA_REJECTED))
4493 goto end;
4494
4495 /* Send some normal data from client to server */
4496 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4497 || !TEST_size_t_eq(written, strlen(MSG2)))
4498 goto end;
4499
4500 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4501 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4502 goto end;
4503
4504 testresult = 1;
4505
4506 end:
4507 SSL_SESSION_free(sess);
4508 SSL_SESSION_free(clientpsk);
4509 SSL_SESSION_free(serverpsk);
4510 clientpsk = serverpsk = NULL;
4511 SSL_free(serverssl);
4512 SSL_free(clientssl);
4513 SSL_CTX_free(sctx);
4514 SSL_CTX_free(cctx);
4515 return testresult;
4516 }
4517
4518
4519 # ifndef OPENSSL_NO_TLS1_2
4520 /*
4521 * Test that a server attempting to read early data can handle a connection
4522 * from a TLSv1.2 client.
4523 */
test_early_data_tls1_2(int idx)4524 static int test_early_data_tls1_2(int idx)
4525 {
4526 SSL_CTX *cctx = NULL, *sctx = NULL;
4527 SSL *clientssl = NULL, *serverssl = NULL;
4528 int testresult = 0;
4529 unsigned char buf[20];
4530 size_t readbytes, written;
4531
4532 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4533 &serverssl, NULL, idx,
4534 SHA384_DIGEST_LENGTH)))
4535 goto end;
4536
4537 /* Write some data - should block due to handshake with server */
4538 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4539 SSL_set_connect_state(clientssl);
4540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4541 goto end;
4542
4543 /*
4544 * Server should do TLSv1.2 handshake. First it will block waiting for more
4545 * messages from client after ServerDone. Then SSL_read_early_data should
4546 * finish and detect that early data has not been sent
4547 */
4548 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4549 &readbytes),
4550 SSL_READ_EARLY_DATA_ERROR))
4551 goto end;
4552
4553 /*
4554 * Continue writing the message we started earlier. Will still block waiting
4555 * for the CCS/Finished from server
4556 */
4557 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4558 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4559 &readbytes),
4560 SSL_READ_EARLY_DATA_FINISH)
4561 || !TEST_size_t_eq(readbytes, 0)
4562 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4563 SSL_EARLY_DATA_NOT_SENT))
4564 goto end;
4565
4566 /* Continue writing the message we started earlier */
4567 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4568 || !TEST_size_t_eq(written, strlen(MSG1))
4569 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4570 SSL_EARLY_DATA_NOT_SENT)
4571 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4572 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4573 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4574 || !TEST_size_t_eq(written, strlen(MSG2))
4575 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4576 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4577 goto end;
4578
4579 testresult = 1;
4580
4581 end:
4582 SSL_SESSION_free(clientpsk);
4583 SSL_SESSION_free(serverpsk);
4584 clientpsk = serverpsk = NULL;
4585 SSL_free(serverssl);
4586 SSL_free(clientssl);
4587 SSL_CTX_free(sctx);
4588 SSL_CTX_free(cctx);
4589
4590 return testresult;
4591 }
4592 # endif /* OPENSSL_NO_TLS1_2 */
4593
4594 /*
4595 * Test configuring the TLSv1.3 ciphersuites
4596 *
4597 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4598 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4599 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4600 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4601 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4602 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4603 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4604 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4605 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4606 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4607 */
test_set_ciphersuite(int idx)4608 static int test_set_ciphersuite(int idx)
4609 {
4610 SSL_CTX *cctx = NULL, *sctx = NULL;
4611 SSL *clientssl = NULL, *serverssl = NULL;
4612 int testresult = 0;
4613
4614 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4615 TLS_client_method(), TLS1_VERSION, 0,
4616 &sctx, &cctx, cert, privkey))
4617 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4618 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4619 goto end;
4620
4621 if (idx >=4 && idx <= 7) {
4622 /* SSL_CTX explicit cipher list */
4623 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4624 goto end;
4625 }
4626
4627 if (idx == 0 || idx == 4) {
4628 /* Default ciphersuite */
4629 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4630 "TLS_AES_128_GCM_SHA256")))
4631 goto end;
4632 } else if (idx == 1 || idx == 5) {
4633 /* Non default ciphersuite */
4634 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4635 "TLS_AES_128_CCM_SHA256")))
4636 goto end;
4637 }
4638
4639 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4640 &clientssl, NULL, NULL)))
4641 goto end;
4642
4643 if (idx == 8 || idx == 9) {
4644 /* SSL explicit cipher list */
4645 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4646 goto end;
4647 }
4648
4649 if (idx == 2 || idx == 6 || idx == 8) {
4650 /* Default ciphersuite */
4651 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4652 "TLS_AES_128_GCM_SHA256")))
4653 goto end;
4654 } else if (idx == 3 || idx == 7 || idx == 9) {
4655 /* Non default ciphersuite */
4656 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4657 "TLS_AES_128_CCM_SHA256")))
4658 goto end;
4659 }
4660
4661 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4662 goto end;
4663
4664 testresult = 1;
4665
4666 end:
4667 SSL_free(serverssl);
4668 SSL_free(clientssl);
4669 SSL_CTX_free(sctx);
4670 SSL_CTX_free(cctx);
4671
4672 return testresult;
4673 }
4674
test_ciphersuite_change(void)4675 static int test_ciphersuite_change(void)
4676 {
4677 SSL_CTX *cctx = NULL, *sctx = NULL;
4678 SSL *clientssl = NULL, *serverssl = NULL;
4679 SSL_SESSION *clntsess = NULL;
4680 int testresult = 0;
4681 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4682
4683 /* Create a session based on SHA-256 */
4684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4685 TLS_client_method(), TLS1_VERSION, 0,
4686 &sctx, &cctx, cert, privkey))
4687 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4688 "TLS_AES_128_GCM_SHA256:"
4689 "TLS_AES_256_GCM_SHA384:"
4690 "TLS_AES_128_CCM_SHA256"))
4691 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4692 "TLS_AES_128_GCM_SHA256"))
4693 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4694 &clientssl, NULL, NULL))
4695 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4696 SSL_ERROR_NONE)))
4697 goto end;
4698
4699 clntsess = SSL_get1_session(clientssl);
4700 /* Save for later */
4701 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4702 SSL_shutdown(clientssl);
4703 SSL_shutdown(serverssl);
4704 SSL_free(serverssl);
4705 SSL_free(clientssl);
4706 serverssl = clientssl = NULL;
4707
4708 /* Check we can resume a session with a different SHA-256 ciphersuite */
4709 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4710 "TLS_AES_128_CCM_SHA256"))
4711 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4712 &clientssl, NULL, NULL))
4713 || !TEST_true(SSL_set_session(clientssl, clntsess))
4714 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4715 SSL_ERROR_NONE))
4716 || !TEST_true(SSL_session_reused(clientssl)))
4717 goto end;
4718
4719 SSL_SESSION_free(clntsess);
4720 clntsess = SSL_get1_session(clientssl);
4721 SSL_shutdown(clientssl);
4722 SSL_shutdown(serverssl);
4723 SSL_free(serverssl);
4724 SSL_free(clientssl);
4725 serverssl = clientssl = NULL;
4726
4727 /*
4728 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4729 * succeeds but does not resume.
4730 */
4731 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4732 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4733 NULL, NULL))
4734 || !TEST_true(SSL_set_session(clientssl, clntsess))
4735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4736 SSL_ERROR_SSL))
4737 || !TEST_false(SSL_session_reused(clientssl)))
4738 goto end;
4739
4740 SSL_SESSION_free(clntsess);
4741 clntsess = NULL;
4742 SSL_shutdown(clientssl);
4743 SSL_shutdown(serverssl);
4744 SSL_free(serverssl);
4745 SSL_free(clientssl);
4746 serverssl = clientssl = NULL;
4747
4748 /* Create a session based on SHA384 */
4749 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4750 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4751 &clientssl, NULL, NULL))
4752 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4753 SSL_ERROR_NONE)))
4754 goto end;
4755
4756 clntsess = SSL_get1_session(clientssl);
4757 SSL_shutdown(clientssl);
4758 SSL_shutdown(serverssl);
4759 SSL_free(serverssl);
4760 SSL_free(clientssl);
4761 serverssl = clientssl = NULL;
4762
4763 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4764 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4765 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4766 "TLS_AES_256_GCM_SHA384"))
4767 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4768 NULL, NULL))
4769 || !TEST_true(SSL_set_session(clientssl, clntsess))
4770 /*
4771 * We use SSL_ERROR_WANT_READ below so that we can pause the
4772 * connection after the initial ClientHello has been sent to
4773 * enable us to make some session changes.
4774 */
4775 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4776 SSL_ERROR_WANT_READ)))
4777 goto end;
4778
4779 /* Trick the client into thinking this session is for a different digest */
4780 clntsess->cipher = aes_128_gcm_sha256;
4781 clntsess->cipher_id = clntsess->cipher->id;
4782
4783 /*
4784 * Continue the previously started connection. Server has selected a SHA-384
4785 * ciphersuite, but client thinks the session is for SHA-256, so it should
4786 * bail out.
4787 */
4788 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4789 SSL_ERROR_SSL))
4790 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4791 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4792 goto end;
4793
4794 testresult = 1;
4795
4796 end:
4797 SSL_SESSION_free(clntsess);
4798 SSL_free(serverssl);
4799 SSL_free(clientssl);
4800 SSL_CTX_free(sctx);
4801 SSL_CTX_free(cctx);
4802
4803 return testresult;
4804 }
4805
4806 /*
4807 * Test TLSv1.3 Key exchange
4808 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4809 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4810 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4811 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4812 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4813 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4814 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4815 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4816 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4817 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4818 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4819 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4820 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4821 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4822 */
4823 # ifndef OPENSSL_NO_EC
4824 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4825 NID_secp521r1, NID_X25519, NID_X448};
4826 # endif
4827 # ifndef OPENSSL_NO_DH
4828 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4829 NID_ffdhe6144, NID_ffdhe8192};
4830 # endif
test_key_exchange(int idx)4831 static int test_key_exchange(int idx)
4832 {
4833 SSL_CTX *sctx = NULL, *cctx = NULL;
4834 SSL *serverssl = NULL, *clientssl = NULL;
4835 int testresult = 0;
4836 int kexch_alg;
4837 int *kexch_groups = &kexch_alg;
4838 int kexch_groups_size = 1;
4839 int max_version = TLS1_3_VERSION;
4840 char *kexch_name0 = NULL;
4841
4842 switch (idx) {
4843 # ifndef OPENSSL_NO_EC
4844 # ifndef OPENSSL_NO_TLS1_2
4845 case 12:
4846 max_version = TLS1_2_VERSION;
4847 # endif
4848 /* Fall through */
4849 case 0:
4850 kexch_groups = ecdhe_kexch_groups;
4851 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4852 kexch_name0 = "secp256r1";
4853 break;
4854 case 1:
4855 kexch_alg = NID_X9_62_prime256v1;
4856 kexch_name0 = "secp256r1";
4857 break;
4858 case 2:
4859 kexch_alg = NID_secp384r1;
4860 kexch_name0 = "secp384r1";
4861 break;
4862 case 3:
4863 kexch_alg = NID_secp521r1;
4864 kexch_name0 = "secp521r1";
4865 break;
4866 case 4:
4867 kexch_alg = NID_X25519;
4868 kexch_name0 = "x25519";
4869 break;
4870 case 5:
4871 kexch_alg = NID_X448;
4872 kexch_name0 = "x448";
4873 break;
4874 # endif
4875 # ifndef OPENSSL_NO_DH
4876 # ifndef OPENSSL_NO_TLS1_2
4877 case 13:
4878 max_version = TLS1_2_VERSION;
4879 kexch_name0 = "ffdhe2048";
4880 # endif
4881 /* Fall through */
4882 case 6:
4883 kexch_groups = ffdhe_kexch_groups;
4884 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4885 kexch_name0 = "ffdhe2048";
4886 break;
4887 case 7:
4888 kexch_alg = NID_ffdhe2048;
4889 kexch_name0 = "ffdhe2048";
4890 break;
4891 case 8:
4892 kexch_alg = NID_ffdhe3072;
4893 kexch_name0 = "ffdhe3072";
4894 break;
4895 case 9:
4896 kexch_alg = NID_ffdhe4096;
4897 kexch_name0 = "ffdhe4096";
4898 break;
4899 case 10:
4900 kexch_alg = NID_ffdhe6144;
4901 kexch_name0 = "ffdhe6144";
4902 break;
4903 case 11:
4904 kexch_alg = NID_ffdhe8192;
4905 kexch_name0 = "ffdhe8192";
4906 break;
4907 # endif
4908 default:
4909 /* We're skipping this test */
4910 return 1;
4911 }
4912
4913 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4914 TLS_client_method(), TLS1_VERSION,
4915 max_version, &sctx, &cctx, cert,
4916 privkey)))
4917 goto end;
4918
4919 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4920 TLS1_3_RFC_AES_128_GCM_SHA256)))
4921 goto end;
4922
4923 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4924 TLS1_3_RFC_AES_128_GCM_SHA256)))
4925 goto end;
4926
4927 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4928 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4929 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4930 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4931 goto end;
4932
4933 /*
4934 * Must include an EC ciphersuite so that we send supported groups in
4935 * TLSv1.2
4936 */
4937 # ifndef OPENSSL_NO_TLS1_2
4938 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4939 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4940 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4941 goto end;
4942 # endif
4943
4944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4945 NULL, NULL)))
4946 goto end;
4947
4948 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4949 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4950 goto end;
4951
4952 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4953 goto end;
4954
4955 /*
4956 * If Handshake succeeds the negotiated kexch alg should be the first one in
4957 * configured, except in the case of FFDHE groups (idx 13), which are
4958 * TLSv1.3 only so we expect no shared group to exist.
4959 */
4960 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
4961 idx == 13 ? 0 : kexch_groups[0]))
4962 goto end;
4963
4964 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4965 kexch_name0))
4966 goto end;
4967
4968 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4969 if (idx != 13) {
4970 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4971 goto end;
4972 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4973 goto end;
4974 }
4975
4976 testresult = 1;
4977 end:
4978 SSL_free(serverssl);
4979 SSL_free(clientssl);
4980 SSL_CTX_free(sctx);
4981 SSL_CTX_free(cctx);
4982 return testresult;
4983 }
4984
4985 # if !defined(OPENSSL_NO_TLS1_2) \
4986 && !defined(OPENSSL_NO_EC) \
4987 && !defined(OPENSSL_NO_DH)
set_ssl_groups(SSL * serverssl,SSL * clientssl,int clientmulti,int isecdhe,int idx)4988 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4989 int isecdhe, int idx)
4990 {
4991 int kexch_alg;
4992 int *kexch_groups = &kexch_alg;
4993 int numec, numff;
4994
4995 numec = OSSL_NELEM(ecdhe_kexch_groups);
4996 numff = OSSL_NELEM(ffdhe_kexch_groups);
4997 if (isecdhe)
4998 kexch_alg = ecdhe_kexch_groups[idx];
4999 else
5000 kexch_alg = ffdhe_kexch_groups[idx];
5001
5002 if (clientmulti) {
5003 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5004 return 0;
5005 if (isecdhe) {
5006 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5007 numec)))
5008 return 0;
5009 } else {
5010 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5011 numff)))
5012 return 0;
5013 }
5014 } else {
5015 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5016 return 0;
5017 if (isecdhe) {
5018 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5019 numec)))
5020 return 0;
5021 } else {
5022 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5023 numff)))
5024 return 0;
5025 }
5026 }
5027 return 1;
5028 }
5029
5030 /*-
5031 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5032 * Run through both the ECDHE and FFDHE group lists used in the previous
5033 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5034 * confirming the expected result; then perform a resumption handshake
5035 * while offering the same group list, and another resumption handshake
5036 * offering a different group list. The returned value should be the
5037 * negotiated group for the initial handshake; for TLS 1.3 resumption
5038 * handshakes the returned value will be negotiated on the resumption
5039 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5040 * be cached in the session from the original handshake, regardless of what
5041 * was offered in the resumption ClientHello.
5042 *
5043 * Using E for the number of EC groups and F for the number of FF groups:
5044 * E tests of ECDHE with TLS 1.3, server only has one group
5045 * F tests of FFDHE with TLS 1.3, server only has one group
5046 * E tests of ECDHE with TLS 1.2, server only has one group
5047 * F tests of FFDHE with TLS 1.2, server only has one group
5048 * E tests of ECDHE with TLS 1.3, client sends only one group
5049 * F tests of FFDHE with TLS 1.3, client sends only one group
5050 * E tests of ECDHE with TLS 1.2, client sends only one group
5051 * F tests of FFDHE with TLS 1.2, client sends only one group
5052 */
test_negotiated_group(int idx)5053 static int test_negotiated_group(int idx)
5054 {
5055 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5056 int expectednid;
5057 SSL_CTX *sctx = NULL, *cctx = NULL;
5058 SSL *serverssl = NULL, *clientssl = NULL;
5059 SSL_SESSION *origsess = NULL;
5060 int testresult = 0;
5061 int kexch_alg;
5062 int max_version = TLS1_3_VERSION;
5063
5064 numec = OSSL_NELEM(ecdhe_kexch_groups);
5065 numff = OSSL_NELEM(ffdhe_kexch_groups);
5066 numgroups = numec + numff;
5067 clientmulti = (idx < 2 * numgroups);
5068 idx = idx % (2 * numgroups);
5069 istls13 = (idx < numgroups);
5070 idx = idx % numgroups;
5071 isecdhe = (idx < numec);
5072 if (!isecdhe)
5073 idx -= numec;
5074 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5075 if (isecdhe)
5076 kexch_alg = ecdhe_kexch_groups[idx];
5077 else
5078 kexch_alg = ffdhe_kexch_groups[idx];
5079 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5080 if (!istls13 && !isecdhe)
5081 expectednid = NID_undef;
5082 else
5083 expectednid = kexch_alg;
5084
5085 if (!istls13)
5086 max_version = TLS1_2_VERSION;
5087
5088 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5089 TLS_client_method(), TLS1_VERSION,
5090 max_version, &sctx, &cctx, cert,
5091 privkey)))
5092 goto end;
5093
5094 /*
5095 * Force (EC)DHE ciphers for TLS 1.2.
5096 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5097 */
5098 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5099 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5100 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5101 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5102 goto end;
5103 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5104 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5105 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5106 goto end;
5107
5108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5109 NULL, NULL)))
5110 goto end;
5111
5112 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5113 idx)))
5114 goto end;
5115
5116 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5117 goto end;
5118
5119 /* Initial handshake; always the configured one */
5120 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5121 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5122 goto end;
5123
5124 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5125 goto end;
5126
5127 SSL_shutdown(clientssl);
5128 SSL_shutdown(serverssl);
5129 SSL_free(serverssl);
5130 SSL_free(clientssl);
5131 serverssl = clientssl = NULL;
5132
5133 /* First resumption attempt; use the same config as initial handshake */
5134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5135 NULL, NULL))
5136 || !TEST_true(SSL_set_session(clientssl, origsess))
5137 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5138 isecdhe, idx)))
5139 goto end;
5140
5141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5142 || !TEST_true(SSL_session_reused(clientssl)))
5143 goto end;
5144
5145 /* Still had better agree, since nothing changed... */
5146 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5147 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5148 goto end;
5149
5150 SSL_shutdown(clientssl);
5151 SSL_shutdown(serverssl);
5152 SSL_free(serverssl);
5153 SSL_free(clientssl);
5154 serverssl = clientssl = NULL;
5155
5156 /*-
5157 * Second resumption attempt
5158 * The party that picks one group changes it, which we effectuate by
5159 * changing 'idx' and updating what we expect.
5160 */
5161 if (idx == 0)
5162 idx = 1;
5163 else
5164 idx--;
5165 if (istls13) {
5166 if (isecdhe)
5167 expectednid = ecdhe_kexch_groups[idx];
5168 else
5169 expectednid = ffdhe_kexch_groups[idx];
5170 /* Verify that we are changing what we expect. */
5171 if (!TEST_int_ne(expectednid, kexch_alg))
5172 goto end;
5173 } else {
5174 /* TLS 1.2 only supports named groups for ECDHE. */
5175 if (isecdhe)
5176 expectednid = kexch_alg;
5177 else
5178 expectednid = 0;
5179 }
5180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5181 NULL, NULL))
5182 || !TEST_true(SSL_set_session(clientssl, origsess))
5183 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5184 isecdhe, idx)))
5185 goto end;
5186
5187 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5188 || !TEST_true(SSL_session_reused(clientssl)))
5189 goto end;
5190
5191 /* Check that we get what we expected */
5192 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5193 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5194 goto end;
5195
5196 testresult = 1;
5197 end:
5198 SSL_free(serverssl);
5199 SSL_free(clientssl);
5200 SSL_CTX_free(sctx);
5201 SSL_CTX_free(cctx);
5202 SSL_SESSION_free(origsess);
5203 return testresult;
5204 }
5205 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5206
5207 /*
5208 * Test TLSv1.3 Cipher Suite
5209 * Test 0 = Set TLS1.3 cipher on context
5210 * Test 1 = Set TLS1.3 cipher on SSL
5211 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5212 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5213 */
test_tls13_ciphersuite(int idx)5214 static int test_tls13_ciphersuite(int idx)
5215 {
5216 SSL_CTX *sctx = NULL, *cctx = NULL;
5217 SSL *serverssl = NULL, *clientssl = NULL;
5218 static const struct {
5219 const char *ciphername;
5220 int fipscapable;
5221 } t13_ciphers[] = {
5222 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5223 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5224 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5225 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5226 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5227 { TLS1_3_RFC_AES_256_GCM_SHA384
5228 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5229 # endif
5230 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5231 };
5232 const char *t13_cipher = NULL;
5233 const char *t12_cipher = NULL;
5234 const char *negotiated_scipher;
5235 const char *negotiated_ccipher;
5236 int set_at_ctx = 0;
5237 int set_at_ssl = 0;
5238 int testresult = 0;
5239 int max_ver;
5240 size_t i;
5241
5242 switch (idx) {
5243 case 0:
5244 set_at_ctx = 1;
5245 break;
5246 case 1:
5247 set_at_ssl = 1;
5248 break;
5249 case 2:
5250 set_at_ctx = 1;
5251 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5252 break;
5253 case 3:
5254 set_at_ssl = 1;
5255 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5256 break;
5257 }
5258
5259 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5260 # ifdef OPENSSL_NO_TLS1_2
5261 if (max_ver == TLS1_2_VERSION)
5262 continue;
5263 # endif
5264 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5265 if (is_fips && !t13_ciphers[i].fipscapable)
5266 continue;
5267 t13_cipher = t13_ciphers[i].ciphername;
5268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5269 TLS_client_method(),
5270 TLS1_VERSION, max_ver,
5271 &sctx, &cctx, cert, privkey)))
5272 goto end;
5273
5274 if (set_at_ctx) {
5275 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5276 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5277 goto end;
5278 if (t12_cipher != NULL) {
5279 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5280 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5281 t12_cipher)))
5282 goto end;
5283 }
5284 }
5285
5286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5287 &clientssl, NULL, NULL)))
5288 goto end;
5289
5290 if (set_at_ssl) {
5291 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5292 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5293 goto end;
5294 if (t12_cipher != NULL) {
5295 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5296 || !TEST_true(SSL_set_cipher_list(clientssl,
5297 t12_cipher)))
5298 goto end;
5299 }
5300 }
5301
5302 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5303 SSL_ERROR_NONE)))
5304 goto end;
5305
5306 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5307 serverssl));
5308 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5309 clientssl));
5310 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5311 goto end;
5312
5313 /*
5314 * TEST_strn_eq is used below because t13_cipher can contain
5315 * multiple ciphersuites
5316 */
5317 if (max_ver == TLS1_3_VERSION
5318 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5319 strlen(negotiated_scipher)))
5320 goto end;
5321
5322 # ifndef OPENSSL_NO_TLS1_2
5323 /* Below validation is not done when t12_cipher is NULL */
5324 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5325 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5326 goto end;
5327 # endif
5328
5329 SSL_free(serverssl);
5330 serverssl = NULL;
5331 SSL_free(clientssl);
5332 clientssl = NULL;
5333 SSL_CTX_free(sctx);
5334 sctx = NULL;
5335 SSL_CTX_free(cctx);
5336 cctx = NULL;
5337 }
5338 }
5339
5340 testresult = 1;
5341 end:
5342 SSL_free(serverssl);
5343 SSL_free(clientssl);
5344 SSL_CTX_free(sctx);
5345 SSL_CTX_free(cctx);
5346 return testresult;
5347 }
5348
5349 /*
5350 * Test TLSv1.3 PSKs
5351 * Test 0 = Test new style callbacks
5352 * Test 1 = Test both new and old style callbacks
5353 * Test 2 = Test old style callbacks
5354 * Test 3 = Test old style callbacks with no certificate
5355 */
test_tls13_psk(int idx)5356 static int test_tls13_psk(int idx)
5357 {
5358 SSL_CTX *sctx = NULL, *cctx = NULL;
5359 SSL *serverssl = NULL, *clientssl = NULL;
5360 const SSL_CIPHER *cipher = NULL;
5361 const unsigned char key[] = {
5362 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5363 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5364 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5365 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5366 };
5367 int testresult = 0;
5368
5369 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5370 TLS_client_method(), TLS1_VERSION, 0,
5371 &sctx, &cctx, idx == 3 ? NULL : cert,
5372 idx == 3 ? NULL : privkey)))
5373 goto end;
5374
5375 if (idx != 3) {
5376 /*
5377 * We use a ciphersuite with SHA256 to ease testing old style PSK
5378 * callbacks which will always default to SHA256. This should not be
5379 * necessary if we have no cert/priv key. In that case the server should
5380 * prefer SHA256 automatically.
5381 */
5382 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5383 "TLS_AES_128_GCM_SHA256")))
5384 goto end;
5385 } else {
5386 /*
5387 * As noted above the server should prefer SHA256 automatically. However
5388 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5389 * code works even if we are testing with only the FIPS provider loaded.
5390 */
5391 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5392 "TLS_AES_256_GCM_SHA384:"
5393 "TLS_AES_128_GCM_SHA256")))
5394 goto end;
5395 }
5396
5397 /*
5398 * Test 0: New style callbacks only
5399 * Test 1: New and old style callbacks (only the new ones should be used)
5400 * Test 2: Old style callbacks only
5401 */
5402 if (idx == 0 || idx == 1) {
5403 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5404 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5405 }
5406 #ifndef OPENSSL_NO_PSK
5407 if (idx >= 1) {
5408 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5409 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5410 }
5411 #endif
5412 srvid = pskid;
5413 use_session_cb_cnt = 0;
5414 find_session_cb_cnt = 0;
5415 psk_client_cb_cnt = 0;
5416 psk_server_cb_cnt = 0;
5417
5418 if (idx != 3) {
5419 /*
5420 * Check we can create a connection if callback decides not to send a
5421 * PSK
5422 */
5423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5424 NULL, NULL))
5425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5426 SSL_ERROR_NONE))
5427 || !TEST_false(SSL_session_reused(clientssl))
5428 || !TEST_false(SSL_session_reused(serverssl)))
5429 goto end;
5430
5431 if (idx == 0 || idx == 1) {
5432 if (!TEST_true(use_session_cb_cnt == 1)
5433 || !TEST_true(find_session_cb_cnt == 0)
5434 /*
5435 * If no old style callback then below should be 0
5436 * otherwise 1
5437 */
5438 || !TEST_true(psk_client_cb_cnt == idx)
5439 || !TEST_true(psk_server_cb_cnt == 0))
5440 goto end;
5441 } else {
5442 if (!TEST_true(use_session_cb_cnt == 0)
5443 || !TEST_true(find_session_cb_cnt == 0)
5444 || !TEST_true(psk_client_cb_cnt == 1)
5445 || !TEST_true(psk_server_cb_cnt == 0))
5446 goto end;
5447 }
5448
5449 shutdown_ssl_connection(serverssl, clientssl);
5450 serverssl = clientssl = NULL;
5451 use_session_cb_cnt = psk_client_cb_cnt = 0;
5452 }
5453
5454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5455 NULL, NULL)))
5456 goto end;
5457
5458 /* Create the PSK */
5459 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5460 clientpsk = SSL_SESSION_new();
5461 if (!TEST_ptr(clientpsk)
5462 || !TEST_ptr(cipher)
5463 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5464 sizeof(key)))
5465 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5466 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5467 TLS1_3_VERSION))
5468 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5469 goto end;
5470 serverpsk = clientpsk;
5471
5472 /* Check we can create a connection and the PSK is used */
5473 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5474 || !TEST_true(SSL_session_reused(clientssl))
5475 || !TEST_true(SSL_session_reused(serverssl)))
5476 goto end;
5477
5478 if (idx == 0 || idx == 1) {
5479 if (!TEST_true(use_session_cb_cnt == 1)
5480 || !TEST_true(find_session_cb_cnt == 1)
5481 || !TEST_true(psk_client_cb_cnt == 0)
5482 || !TEST_true(psk_server_cb_cnt == 0))
5483 goto end;
5484 } else {
5485 if (!TEST_true(use_session_cb_cnt == 0)
5486 || !TEST_true(find_session_cb_cnt == 0)
5487 || !TEST_true(psk_client_cb_cnt == 1)
5488 || !TEST_true(psk_server_cb_cnt == 1))
5489 goto end;
5490 }
5491
5492 shutdown_ssl_connection(serverssl, clientssl);
5493 serverssl = clientssl = NULL;
5494 use_session_cb_cnt = find_session_cb_cnt = 0;
5495 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5496
5497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5498 NULL, NULL)))
5499 goto end;
5500
5501 /* Force an HRR */
5502 #if defined(OPENSSL_NO_EC)
5503 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5504 goto end;
5505 #else
5506 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5507 goto end;
5508 #endif
5509
5510 /*
5511 * Check we can create a connection, the PSK is used and the callbacks are
5512 * called twice.
5513 */
5514 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5515 || !TEST_true(SSL_session_reused(clientssl))
5516 || !TEST_true(SSL_session_reused(serverssl)))
5517 goto end;
5518
5519 if (idx == 0 || idx == 1) {
5520 if (!TEST_true(use_session_cb_cnt == 2)
5521 || !TEST_true(find_session_cb_cnt == 2)
5522 || !TEST_true(psk_client_cb_cnt == 0)
5523 || !TEST_true(psk_server_cb_cnt == 0))
5524 goto end;
5525 } else {
5526 if (!TEST_true(use_session_cb_cnt == 0)
5527 || !TEST_true(find_session_cb_cnt == 0)
5528 || !TEST_true(psk_client_cb_cnt == 2)
5529 || !TEST_true(psk_server_cb_cnt == 2))
5530 goto end;
5531 }
5532
5533 shutdown_ssl_connection(serverssl, clientssl);
5534 serverssl = clientssl = NULL;
5535 use_session_cb_cnt = find_session_cb_cnt = 0;
5536 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5537
5538 if (idx != 3) {
5539 /*
5540 * Check that if the server rejects the PSK we can still connect, but with
5541 * a full handshake
5542 */
5543 srvid = "Dummy Identity";
5544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5545 NULL, NULL))
5546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5547 SSL_ERROR_NONE))
5548 || !TEST_false(SSL_session_reused(clientssl))
5549 || !TEST_false(SSL_session_reused(serverssl)))
5550 goto end;
5551
5552 if (idx == 0 || idx == 1) {
5553 if (!TEST_true(use_session_cb_cnt == 1)
5554 || !TEST_true(find_session_cb_cnt == 1)
5555 || !TEST_true(psk_client_cb_cnt == 0)
5556 /*
5557 * If no old style callback then below should be 0
5558 * otherwise 1
5559 */
5560 || !TEST_true(psk_server_cb_cnt == idx))
5561 goto end;
5562 } else {
5563 if (!TEST_true(use_session_cb_cnt == 0)
5564 || !TEST_true(find_session_cb_cnt == 0)
5565 || !TEST_true(psk_client_cb_cnt == 1)
5566 || !TEST_true(psk_server_cb_cnt == 1))
5567 goto end;
5568 }
5569
5570 shutdown_ssl_connection(serverssl, clientssl);
5571 serverssl = clientssl = NULL;
5572 }
5573 testresult = 1;
5574
5575 end:
5576 SSL_SESSION_free(clientpsk);
5577 SSL_SESSION_free(serverpsk);
5578 clientpsk = serverpsk = NULL;
5579 SSL_free(serverssl);
5580 SSL_free(clientssl);
5581 SSL_CTX_free(sctx);
5582 SSL_CTX_free(cctx);
5583 return testresult;
5584 }
5585
5586 static unsigned char cookie_magic_value[] = "cookie magic";
5587
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)5588 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5589 unsigned int *cookie_len)
5590 {
5591 /*
5592 * Not suitable as a real cookie generation function but good enough for
5593 * testing!
5594 */
5595 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5596 *cookie_len = sizeof(cookie_magic_value) - 1;
5597
5598 return 1;
5599 }
5600
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)5601 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5602 unsigned int cookie_len)
5603 {
5604 if (cookie_len == sizeof(cookie_magic_value) - 1
5605 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5606 return 1;
5607
5608 return 0;
5609 }
5610
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)5611 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5612 size_t *cookie_len)
5613 {
5614 unsigned int temp;
5615 int res = generate_cookie_callback(ssl, cookie, &temp);
5616 *cookie_len = temp;
5617 return res;
5618 }
5619
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)5620 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5621 size_t cookie_len)
5622 {
5623 return verify_cookie_callback(ssl, cookie, cookie_len);
5624 }
5625
test_stateless(void)5626 static int test_stateless(void)
5627 {
5628 SSL_CTX *sctx = NULL, *cctx = NULL;
5629 SSL *serverssl = NULL, *clientssl = NULL;
5630 int testresult = 0;
5631
5632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5633 TLS_client_method(), TLS1_VERSION, 0,
5634 &sctx, &cctx, cert, privkey)))
5635 goto end;
5636
5637 /* The arrival of CCS messages can confuse the test */
5638 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5639
5640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5641 NULL, NULL))
5642 /* Send the first ClientHello */
5643 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5644 SSL_ERROR_WANT_READ))
5645 /*
5646 * This should fail with a -1 return because we have no callbacks
5647 * set up
5648 */
5649 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5650 goto end;
5651
5652 /* Fatal error so abandon the connection from this client */
5653 SSL_free(clientssl);
5654 clientssl = NULL;
5655
5656 /* Set up the cookie generation and verification callbacks */
5657 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5658 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5659
5660 /*
5661 * Create a new connection from the client (we can reuse the server SSL
5662 * object).
5663 */
5664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5665 NULL, NULL))
5666 /* Send the first ClientHello */
5667 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5668 SSL_ERROR_WANT_READ))
5669 /* This should fail because there is no cookie */
5670 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5671 goto end;
5672
5673 /* Abandon the connection from this client */
5674 SSL_free(clientssl);
5675 clientssl = NULL;
5676
5677 /*
5678 * Now create a connection from a new client but with the same server SSL
5679 * object
5680 */
5681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5682 NULL, NULL))
5683 /* Send the first ClientHello */
5684 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5685 SSL_ERROR_WANT_READ))
5686 /* This should fail because there is no cookie */
5687 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5688 /* Send the second ClientHello */
5689 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5690 SSL_ERROR_WANT_READ))
5691 /* This should succeed because a cookie is now present */
5692 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5693 /* Complete the connection */
5694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5695 SSL_ERROR_NONE)))
5696 goto end;
5697
5698 shutdown_ssl_connection(serverssl, clientssl);
5699 serverssl = clientssl = NULL;
5700 testresult = 1;
5701
5702 end:
5703 SSL_free(serverssl);
5704 SSL_free(clientssl);
5705 SSL_CTX_free(sctx);
5706 SSL_CTX_free(cctx);
5707 return testresult;
5708
5709 }
5710 #endif /* OSSL_NO_USABLE_TLS1_3 */
5711
5712 static int clntaddoldcb = 0;
5713 static int clntparseoldcb = 0;
5714 static int srvaddoldcb = 0;
5715 static int srvparseoldcb = 0;
5716 static int clntaddnewcb = 0;
5717 static int clntparsenewcb = 0;
5718 static int srvaddnewcb = 0;
5719 static int srvparsenewcb = 0;
5720 static int snicb = 0;
5721
5722 #define TEST_EXT_TYPE1 0xff00
5723
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)5724 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5725 size_t *outlen, int *al, void *add_arg)
5726 {
5727 int *server = (int *)add_arg;
5728 unsigned char *data;
5729
5730 if (SSL_is_server(s))
5731 srvaddoldcb++;
5732 else
5733 clntaddoldcb++;
5734
5735 if (*server != SSL_is_server(s)
5736 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5737 return -1;
5738
5739 *data = 1;
5740 *out = data;
5741 *outlen = sizeof(char);
5742 return 1;
5743 }
5744
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)5745 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5746 void *add_arg)
5747 {
5748 OPENSSL_free((unsigned char *)out);
5749 }
5750
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)5751 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5752 size_t inlen, int *al, void *parse_arg)
5753 {
5754 int *server = (int *)parse_arg;
5755
5756 if (SSL_is_server(s))
5757 srvparseoldcb++;
5758 else
5759 clntparseoldcb++;
5760
5761 if (*server != SSL_is_server(s)
5762 || inlen != sizeof(char)
5763 || *in != 1)
5764 return -1;
5765
5766 return 1;
5767 }
5768
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)5769 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5770 const unsigned char **out, size_t *outlen, X509 *x,
5771 size_t chainidx, int *al, void *add_arg)
5772 {
5773 int *server = (int *)add_arg;
5774 unsigned char *data;
5775
5776 if (SSL_is_server(s))
5777 srvaddnewcb++;
5778 else
5779 clntaddnewcb++;
5780
5781 if (*server != SSL_is_server(s)
5782 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5783 return -1;
5784
5785 *data = 1;
5786 *out = data;
5787 *outlen = sizeof(*data);
5788 return 1;
5789 }
5790
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)5791 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5792 const unsigned char *out, void *add_arg)
5793 {
5794 OPENSSL_free((unsigned char *)out);
5795 }
5796
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)5797 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5798 const unsigned char *in, size_t inlen, X509 *x,
5799 size_t chainidx, int *al, void *parse_arg)
5800 {
5801 int *server = (int *)parse_arg;
5802
5803 if (SSL_is_server(s))
5804 srvparsenewcb++;
5805 else
5806 clntparsenewcb++;
5807
5808 if (*server != SSL_is_server(s)
5809 || inlen != sizeof(char) || *in != 1)
5810 return -1;
5811
5812 return 1;
5813 }
5814
sni_cb(SSL * s,int * al,void * arg)5815 static int sni_cb(SSL *s, int *al, void *arg)
5816 {
5817 SSL_CTX *ctx = (SSL_CTX *)arg;
5818
5819 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5820 *al = SSL_AD_INTERNAL_ERROR;
5821 return SSL_TLSEXT_ERR_ALERT_FATAL;
5822 }
5823 snicb++;
5824 return SSL_TLSEXT_ERR_OK;
5825 }
5826
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)5827 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5828 {
5829 return 1;
5830 }
5831
5832 /*
5833 * Custom call back tests.
5834 * Test 0: Old style callbacks in TLSv1.2
5835 * Test 1: New style callbacks in TLSv1.2
5836 * Test 2: New style callbacks in TLSv1.2 with SNI
5837 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5838 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5839 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5840 */
test_custom_exts(int tst)5841 static int test_custom_exts(int tst)
5842 {
5843 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5844 SSL *clientssl = NULL, *serverssl = NULL;
5845 int testresult = 0;
5846 static int server = 1;
5847 static int client = 0;
5848 SSL_SESSION *sess = NULL;
5849 unsigned int context;
5850
5851 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5852 /* Skip tests for TLSv1.2 and below in this case */
5853 if (tst < 3)
5854 return 1;
5855 #endif
5856
5857 /* Reset callback counters */
5858 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5859 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5860 snicb = 0;
5861
5862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5863 TLS_client_method(), TLS1_VERSION, 0,
5864 &sctx, &cctx, cert, privkey)))
5865 goto end;
5866
5867 if (tst == 2
5868 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5869 TLS1_VERSION, 0,
5870 &sctx2, NULL, cert, privkey)))
5871 goto end;
5872
5873
5874 if (tst < 3) {
5875 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5876 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5877 if (sctx2 != NULL)
5878 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5879 }
5880
5881 if (tst == 5) {
5882 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5883 | SSL_EXT_TLS1_3_CERTIFICATE;
5884 SSL_CTX_set_verify(sctx,
5885 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5886 verify_cb);
5887 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5888 SSL_FILETYPE_PEM), 1)
5889 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5890 SSL_FILETYPE_PEM), 1)
5891 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5892 goto end;
5893 } else if (tst == 4) {
5894 context = SSL_EXT_CLIENT_HELLO
5895 | SSL_EXT_TLS1_2_SERVER_HELLO
5896 | SSL_EXT_TLS1_3_SERVER_HELLO
5897 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5898 | SSL_EXT_TLS1_3_CERTIFICATE
5899 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5900 } else {
5901 context = SSL_EXT_CLIENT_HELLO
5902 | SSL_EXT_TLS1_2_SERVER_HELLO
5903 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5904 }
5905
5906 /* Create a client side custom extension */
5907 if (tst == 0) {
5908 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5909 old_add_cb, old_free_cb,
5910 &client, old_parse_cb,
5911 &client)))
5912 goto end;
5913 } else {
5914 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5915 new_add_cb, new_free_cb,
5916 &client, new_parse_cb, &client)))
5917 goto end;
5918 }
5919
5920 /* Should not be able to add duplicates */
5921 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5922 old_add_cb, old_free_cb,
5923 &client, old_parse_cb,
5924 &client))
5925 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5926 context, new_add_cb,
5927 new_free_cb, &client,
5928 new_parse_cb, &client)))
5929 goto end;
5930
5931 /* Create a server side custom extension */
5932 if (tst == 0) {
5933 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5934 old_add_cb, old_free_cb,
5935 &server, old_parse_cb,
5936 &server)))
5937 goto end;
5938 } else {
5939 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5940 new_add_cb, new_free_cb,
5941 &server, new_parse_cb, &server)))
5942 goto end;
5943 if (sctx2 != NULL
5944 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5945 context, new_add_cb,
5946 new_free_cb, &server,
5947 new_parse_cb, &server)))
5948 goto end;
5949 }
5950
5951 /* Should not be able to add duplicates */
5952 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5953 old_add_cb, old_free_cb,
5954 &server, old_parse_cb,
5955 &server))
5956 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5957 context, new_add_cb,
5958 new_free_cb, &server,
5959 new_parse_cb, &server)))
5960 goto end;
5961
5962 if (tst == 2) {
5963 /* Set up SNI */
5964 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5965 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5966 goto end;
5967 }
5968
5969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5970 &clientssl, NULL, NULL))
5971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5972 SSL_ERROR_NONE)))
5973 goto end;
5974
5975 if (tst == 0) {
5976 if (clntaddoldcb != 1
5977 || clntparseoldcb != 1
5978 || srvaddoldcb != 1
5979 || srvparseoldcb != 1)
5980 goto end;
5981 } else if (tst == 1 || tst == 2 || tst == 3) {
5982 if (clntaddnewcb != 1
5983 || clntparsenewcb != 1
5984 || srvaddnewcb != 1
5985 || srvparsenewcb != 1
5986 || (tst != 2 && snicb != 0)
5987 || (tst == 2 && snicb != 1))
5988 goto end;
5989 } else if (tst == 5) {
5990 if (clntaddnewcb != 1
5991 || clntparsenewcb != 1
5992 || srvaddnewcb != 1
5993 || srvparsenewcb != 1)
5994 goto end;
5995 } else {
5996 /* In this case there 2 NewSessionTicket messages created */
5997 if (clntaddnewcb != 1
5998 || clntparsenewcb != 5
5999 || srvaddnewcb != 5
6000 || srvparsenewcb != 1)
6001 goto end;
6002 }
6003
6004 sess = SSL_get1_session(clientssl);
6005 SSL_shutdown(clientssl);
6006 SSL_shutdown(serverssl);
6007 SSL_free(serverssl);
6008 SSL_free(clientssl);
6009 serverssl = clientssl = NULL;
6010
6011 if (tst == 3 || tst == 5) {
6012 /* We don't bother with the resumption aspects for these tests */
6013 testresult = 1;
6014 goto end;
6015 }
6016
6017 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6018 NULL, NULL))
6019 || !TEST_true(SSL_set_session(clientssl, sess))
6020 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6021 SSL_ERROR_NONE)))
6022 goto end;
6023
6024 /*
6025 * For a resumed session we expect to add the ClientHello extension. For the
6026 * old style callbacks we ignore it on the server side because they set
6027 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6028 * them.
6029 */
6030 if (tst == 0) {
6031 if (clntaddoldcb != 2
6032 || clntparseoldcb != 1
6033 || srvaddoldcb != 1
6034 || srvparseoldcb != 1)
6035 goto end;
6036 } else if (tst == 1 || tst == 2 || tst == 3) {
6037 if (clntaddnewcb != 2
6038 || clntparsenewcb != 2
6039 || srvaddnewcb != 2
6040 || srvparsenewcb != 2)
6041 goto end;
6042 } else {
6043 /*
6044 * No Certificate message extensions in the resumption handshake,
6045 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6046 */
6047 if (clntaddnewcb != 2
6048 || clntparsenewcb != 8
6049 || srvaddnewcb != 8
6050 || srvparsenewcb != 2)
6051 goto end;
6052 }
6053
6054 testresult = 1;
6055
6056 end:
6057 SSL_SESSION_free(sess);
6058 SSL_free(serverssl);
6059 SSL_free(clientssl);
6060 SSL_CTX_free(sctx2);
6061 SSL_CTX_free(sctx);
6062 SSL_CTX_free(cctx);
6063 return testresult;
6064 }
6065
6066 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6067
6068 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6069 | SSL_EXT_CLIENT_HELLO \
6070 | SSL_EXT_TLS1_2_SERVER_HELLO \
6071 | SSL_EXT_IGNORE_ON_RESUMPTION)
6072
6073 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6074 | SSL_EXT_TLS1_2_SERVER_HELLO \
6075 | SSL_EXT_CLIENT_HELLO)
6076
6077 #define SERVERINFO_CUSTOM \
6078 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6079 0x00, 0x03, \
6080 0x04, 0x05, 0x06 \
6081
6082 static const unsigned char serverinfo_custom_tls13[] = {
6083 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6084 SERVERINFO_CUSTOM
6085 };
6086 static const unsigned char serverinfo_custom_v2[] = {
6087 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6088 SERVERINFO_CUSTOM
6089 };
6090 static const unsigned char serverinfo_custom_v1[] = {
6091 SERVERINFO_CUSTOM
6092 };
6093 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6094 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6095 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6096
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6097 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6098 unsigned int context,
6099 const unsigned char *in,
6100 size_t inlen, X509 *x,
6101 size_t chainidx, int *al,
6102 void *parse_arg)
6103 {
6104 const size_t len = serverinfo_custom_v1_len;
6105 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6106 int *p_cb_result = (int*)parse_arg;
6107 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6108 return 1;
6109 }
6110
test_serverinfo_custom(const int idx)6111 static int test_serverinfo_custom(const int idx)
6112 {
6113 SSL_CTX *sctx = NULL, *cctx = NULL;
6114 SSL *clientssl = NULL, *serverssl = NULL;
6115 int testresult = 0;
6116 int cb_result = 0;
6117
6118 /*
6119 * Following variables are set in the switch statement
6120 * according to the test iteration.
6121 * Default values do not make much sense: test would fail with them.
6122 */
6123 int serverinfo_version = 0;
6124 int protocol_version = 0;
6125 unsigned int extension_context = 0;
6126 const unsigned char *si = NULL;
6127 size_t si_len = 0;
6128
6129 const int call_use_serverinfo_ex = idx > 0;
6130 switch (idx) {
6131 case 0: /* FALLTHROUGH */
6132 case 1:
6133 serverinfo_version = SSL_SERVERINFOV1;
6134 protocol_version = TLS1_2_VERSION;
6135 extension_context = SYNTHV1CONTEXT;
6136 si = serverinfo_custom_v1;
6137 si_len = serverinfo_custom_v1_len;
6138 break;
6139 case 2:
6140 serverinfo_version = SSL_SERVERINFOV2;
6141 protocol_version = TLS1_2_VERSION;
6142 extension_context = SYNTHV1CONTEXT;
6143 si = serverinfo_custom_v2;
6144 si_len = serverinfo_custom_v2_len;
6145 break;
6146 case 3:
6147 serverinfo_version = SSL_SERVERINFOV2;
6148 protocol_version = TLS1_3_VERSION;
6149 extension_context = TLS13CONTEXT;
6150 si = serverinfo_custom_tls13;
6151 si_len = serverinfo_custom_tls13_len;
6152 break;
6153 }
6154
6155 if (!TEST_true(create_ssl_ctx_pair(libctx,
6156 TLS_method(),
6157 TLS_method(),
6158 protocol_version,
6159 protocol_version,
6160 &sctx, &cctx, cert, privkey)))
6161 goto end;
6162
6163 if (call_use_serverinfo_ex) {
6164 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6165 si, si_len)))
6166 goto end;
6167 } else {
6168 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6169 goto end;
6170 }
6171
6172 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6173 extension_context,
6174 NULL, NULL, NULL,
6175 serverinfo_custom_parse_cb,
6176 &cb_result))
6177 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6178 NULL, NULL))
6179 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6180 SSL_ERROR_NONE))
6181 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6182 goto end;
6183
6184 if (!TEST_true(cb_result))
6185 goto end;
6186
6187 testresult = 1;
6188
6189 end:
6190 SSL_free(serverssl);
6191 SSL_free(clientssl);
6192 SSL_CTX_free(sctx);
6193 SSL_CTX_free(cctx);
6194
6195 return testresult;
6196 }
6197 #endif
6198
6199 /*
6200 * Test that SSL_export_keying_material() produces expected results. There are
6201 * no test vectors so all we do is test that both sides of the communication
6202 * produce the same results for different protocol versions.
6203 */
6204 #define SMALL_LABEL_LEN 10
6205 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)6206 static int test_export_key_mat(int tst)
6207 {
6208 int testresult = 0;
6209 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6210 SSL *clientssl = NULL, *serverssl = NULL;
6211 const char label[LONG_LABEL_LEN + 1] = "test label";
6212 const unsigned char context[] = "context";
6213 const unsigned char *emptycontext = NULL;
6214 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6215 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6216 size_t labellen;
6217 const int protocols[] = {
6218 TLS1_VERSION,
6219 TLS1_1_VERSION,
6220 TLS1_2_VERSION,
6221 TLS1_3_VERSION,
6222 TLS1_3_VERSION,
6223 TLS1_3_VERSION
6224 };
6225
6226 #ifdef OPENSSL_NO_TLS1
6227 if (tst == 0)
6228 return 1;
6229 #endif
6230 #ifdef OPENSSL_NO_TLS1_1
6231 if (tst == 1)
6232 return 1;
6233 #endif
6234 if (is_fips && (tst == 0 || tst == 1))
6235 return 1;
6236 #ifdef OPENSSL_NO_TLS1_2
6237 if (tst == 2)
6238 return 1;
6239 #endif
6240 #ifdef OSSL_NO_USABLE_TLS1_3
6241 if (tst >= 3)
6242 return 1;
6243 #endif
6244 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6245 TLS_client_method(), TLS1_VERSION, 0,
6246 &sctx, &cctx, cert, privkey)))
6247 goto end;
6248
6249 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6250 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6251 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6252 if ((protocols[tst] < TLS1_2_VERSION) &&
6253 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6254 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6255 goto end;
6256
6257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6258 NULL)))
6259 goto end;
6260
6261 /*
6262 * Premature call of SSL_export_keying_material should just fail.
6263 */
6264 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6265 sizeof(ckeymat1), label,
6266 SMALL_LABEL_LEN + 1, context,
6267 sizeof(context) - 1, 1), 0))
6268 goto end;
6269
6270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6271 SSL_ERROR_NONE)))
6272 goto end;
6273
6274 if (tst == 5) {
6275 /*
6276 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6277 * go over that.
6278 */
6279 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6280 sizeof(ckeymat1), label,
6281 LONG_LABEL_LEN + 1, context,
6282 sizeof(context) - 1, 1), 0))
6283 goto end;
6284
6285 testresult = 1;
6286 goto end;
6287 } else if (tst == 4) {
6288 labellen = LONG_LABEL_LEN;
6289 } else {
6290 labellen = SMALL_LABEL_LEN;
6291 }
6292
6293 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6294 sizeof(ckeymat1), label,
6295 labellen, context,
6296 sizeof(context) - 1, 1), 1)
6297 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6298 sizeof(ckeymat2), label,
6299 labellen,
6300 emptycontext,
6301 0, 1), 1)
6302 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6303 sizeof(ckeymat3), label,
6304 labellen,
6305 NULL, 0, 0), 1)
6306 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6307 sizeof(skeymat1), label,
6308 labellen,
6309 context,
6310 sizeof(context) -1, 1),
6311 1)
6312 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6313 sizeof(skeymat2), label,
6314 labellen,
6315 emptycontext,
6316 0, 1), 1)
6317 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6318 sizeof(skeymat3), label,
6319 labellen,
6320 NULL, 0, 0), 1)
6321 /*
6322 * Check that both sides created the same key material with the
6323 * same context.
6324 */
6325 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6326 sizeof(skeymat1))
6327 /*
6328 * Check that both sides created the same key material with an
6329 * empty context.
6330 */
6331 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6332 sizeof(skeymat2))
6333 /*
6334 * Check that both sides created the same key material without a
6335 * context.
6336 */
6337 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6338 sizeof(skeymat3))
6339 /* Different contexts should produce different results */
6340 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6341 sizeof(ckeymat2)))
6342 goto end;
6343
6344 /*
6345 * Check that an empty context and no context produce different results in
6346 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6347 */
6348 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6349 sizeof(ckeymat3)))
6350 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6351 sizeof(ckeymat3))))
6352 goto end;
6353
6354 testresult = 1;
6355
6356 end:
6357 SSL_free(serverssl);
6358 SSL_free(clientssl);
6359 SSL_CTX_free(sctx2);
6360 SSL_CTX_free(sctx);
6361 SSL_CTX_free(cctx);
6362
6363 return testresult;
6364 }
6365
6366 #ifndef OSSL_NO_USABLE_TLS1_3
6367 /*
6368 * Test that SSL_export_keying_material_early() produces expected
6369 * results. There are no test vectors so all we do is test that both
6370 * sides of the communication produce the same results for different
6371 * protocol versions.
6372 */
test_export_key_mat_early(int idx)6373 static int test_export_key_mat_early(int idx)
6374 {
6375 static const char label[] = "test label";
6376 static const unsigned char context[] = "context";
6377 int testresult = 0;
6378 SSL_CTX *cctx = NULL, *sctx = NULL;
6379 SSL *clientssl = NULL, *serverssl = NULL;
6380 SSL_SESSION *sess = NULL;
6381 const unsigned char *emptycontext = NULL;
6382 unsigned char ckeymat1[80], ckeymat2[80];
6383 unsigned char skeymat1[80], skeymat2[80];
6384 unsigned char buf[1];
6385 size_t readbytes, written;
6386
6387 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6388 &sess, idx, SHA384_DIGEST_LENGTH)))
6389 goto end;
6390
6391 /* Here writing 0 length early data is enough. */
6392 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6393 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6394 &readbytes),
6395 SSL_READ_EARLY_DATA_ERROR)
6396 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6397 SSL_EARLY_DATA_ACCEPTED))
6398 goto end;
6399
6400 if (!TEST_int_eq(SSL_export_keying_material_early(
6401 clientssl, ckeymat1, sizeof(ckeymat1), label,
6402 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6403 || !TEST_int_eq(SSL_export_keying_material_early(
6404 clientssl, ckeymat2, sizeof(ckeymat2), label,
6405 sizeof(label) - 1, emptycontext, 0), 1)
6406 || !TEST_int_eq(SSL_export_keying_material_early(
6407 serverssl, skeymat1, sizeof(skeymat1), label,
6408 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6409 || !TEST_int_eq(SSL_export_keying_material_early(
6410 serverssl, skeymat2, sizeof(skeymat2), label,
6411 sizeof(label) - 1, emptycontext, 0), 1)
6412 /*
6413 * Check that both sides created the same key material with the
6414 * same context.
6415 */
6416 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6417 sizeof(skeymat1))
6418 /*
6419 * Check that both sides created the same key material with an
6420 * empty context.
6421 */
6422 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6423 sizeof(skeymat2))
6424 /* Different contexts should produce different results */
6425 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6426 sizeof(ckeymat2)))
6427 goto end;
6428
6429 testresult = 1;
6430
6431 end:
6432 SSL_SESSION_free(sess);
6433 SSL_SESSION_free(clientpsk);
6434 SSL_SESSION_free(serverpsk);
6435 clientpsk = serverpsk = NULL;
6436 SSL_free(serverssl);
6437 SSL_free(clientssl);
6438 SSL_CTX_free(sctx);
6439 SSL_CTX_free(cctx);
6440
6441 return testresult;
6442 }
6443
6444 #define NUM_KEY_UPDATE_MESSAGES 40
6445 /*
6446 * Test KeyUpdate.
6447 */
test_key_update(void)6448 static int test_key_update(void)
6449 {
6450 SSL_CTX *cctx = NULL, *sctx = NULL;
6451 SSL *clientssl = NULL, *serverssl = NULL;
6452 int testresult = 0, i, j;
6453 char buf[20];
6454 static char *mess = "A test message";
6455
6456 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6457 TLS_client_method(),
6458 TLS1_3_VERSION,
6459 0,
6460 &sctx, &cctx, cert, privkey))
6461 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6462 NULL, NULL))
6463 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6464 SSL_ERROR_NONE)))
6465 goto end;
6466
6467 for (j = 0; j < 2; j++) {
6468 /* Send lots of KeyUpdate messages */
6469 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6470 if (!TEST_true(SSL_key_update(clientssl,
6471 (j == 0)
6472 ? SSL_KEY_UPDATE_NOT_REQUESTED
6473 : SSL_KEY_UPDATE_REQUESTED))
6474 || !TEST_true(SSL_do_handshake(clientssl)))
6475 goto end;
6476 }
6477
6478 /* Check that sending and receiving app data is ok */
6479 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6480 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6481 strlen(mess)))
6482 goto end;
6483
6484 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6485 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6486 strlen(mess)))
6487 goto end;
6488 }
6489
6490 testresult = 1;
6491
6492 end:
6493 SSL_free(serverssl);
6494 SSL_free(clientssl);
6495 SSL_CTX_free(sctx);
6496 SSL_CTX_free(cctx);
6497
6498 return testresult;
6499 }
6500
6501 /*
6502 * Test we can handle a KeyUpdate (update requested) message while
6503 * write data is pending in peer.
6504 * Test 0: Client sends KeyUpdate while Server is writing
6505 * Test 1: Server sends KeyUpdate while Client is writing
6506 */
test_key_update_peer_in_write(int tst)6507 static int test_key_update_peer_in_write(int tst)
6508 {
6509 SSL_CTX *cctx = NULL, *sctx = NULL;
6510 SSL *clientssl = NULL, *serverssl = NULL;
6511 int testresult = 0;
6512 char buf[20];
6513 static char *mess = "A test message";
6514 BIO *bretry = BIO_new(bio_s_always_retry());
6515 BIO *tmp = NULL;
6516 SSL *peerupdate = NULL, *peerwrite = NULL;
6517
6518 if (!TEST_ptr(bretry)
6519 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6520 TLS_client_method(),
6521 TLS1_3_VERSION,
6522 0,
6523 &sctx, &cctx, cert, privkey))
6524 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6525 NULL, NULL))
6526 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6527 SSL_ERROR_NONE)))
6528 goto end;
6529
6530 peerupdate = tst == 0 ? clientssl : serverssl;
6531 peerwrite = tst == 0 ? serverssl : clientssl;
6532
6533 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6534 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6535 goto end;
6536
6537 /* Swap the writing endpoint's write BIO to force a retry */
6538 tmp = SSL_get_wbio(peerwrite);
6539 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6540 tmp = NULL;
6541 goto end;
6542 }
6543 SSL_set0_wbio(peerwrite, bretry);
6544 bretry = NULL;
6545
6546 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6547 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6548 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6549 goto end;
6550
6551 /* Reinstate the original writing endpoint's write BIO */
6552 SSL_set0_wbio(peerwrite, tmp);
6553 tmp = NULL;
6554
6555 /* Now read some data - we will read the key update */
6556 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6557 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6558 goto end;
6559
6560 /*
6561 * Complete the write we started previously and read it from the other
6562 * endpoint
6563 */
6564 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6565 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6566 goto end;
6567
6568 /* Write more data to ensure we send the KeyUpdate message back */
6569 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6570 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6571 goto end;
6572
6573 testresult = 1;
6574
6575 end:
6576 SSL_free(serverssl);
6577 SSL_free(clientssl);
6578 SSL_CTX_free(sctx);
6579 SSL_CTX_free(cctx);
6580 BIO_free(bretry);
6581 BIO_free(tmp);
6582
6583 return testresult;
6584 }
6585
6586 /*
6587 * Test we can handle a KeyUpdate (update requested) message while
6588 * peer read data is pending after peer accepted keyupdate(the msg header
6589 * had been read 5 bytes).
6590 * Test 0: Client sends KeyUpdate while Server is reading
6591 * Test 1: Server sends KeyUpdate while Client is reading
6592 */
test_key_update_peer_in_read(int tst)6593 static int test_key_update_peer_in_read(int tst)
6594 {
6595 SSL_CTX *cctx = NULL, *sctx = NULL;
6596 SSL *clientssl = NULL, *serverssl = NULL;
6597 int testresult = 0;
6598 char prbuf[515], lwbuf[515] = {0};
6599 static char *mess = "A test message";
6600 BIO *lbio = NULL, *pbio = NULL;
6601 SSL *local = NULL, *peer = NULL;
6602
6603 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6604 TLS_client_method(),
6605 TLS1_3_VERSION,
6606 0,
6607 &sctx, &cctx, cert, privkey))
6608 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6609 NULL, NULL))
6610 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6611 SSL_ERROR_NONE)))
6612 goto end;
6613
6614 local = tst == 0 ? clientssl : serverssl;
6615 peer = tst == 0 ? serverssl : clientssl;
6616
6617 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6618 goto end;
6619
6620 SSL_set_bio(local, lbio, lbio);
6621 SSL_set_bio(peer, pbio, pbio);
6622
6623 /*
6624 * we first write keyupdate msg then appdata in local
6625 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6626 * lwbuf app data msg size + key updata msg size > 512(the size of
6627 * the bio pair buffer)
6628 */
6629 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6630 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6631 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6632 goto end;
6633
6634 /*
6635 * first read keyupdate msg in peer in peer
6636 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6637 */
6638 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6639 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6640 goto end;
6641
6642 /* Now write some data in peer - we will write the key update */
6643 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6644 goto end;
6645
6646 /*
6647 * write data in local previously that we will complete
6648 * read data in peer previously that we will complete
6649 */
6650 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6651 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6652 goto end;
6653
6654 /* check that sending and receiving appdata ok */
6655 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6656 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6657 goto end;
6658
6659 testresult = 1;
6660
6661 end:
6662 SSL_free(serverssl);
6663 SSL_free(clientssl);
6664 SSL_CTX_free(sctx);
6665 SSL_CTX_free(cctx);
6666
6667 return testresult;
6668 }
6669
6670 /*
6671 * Test we can't send a KeyUpdate (update requested) message while
6672 * local write data is pending.
6673 * Test 0: Client sends KeyUpdate while Client is writing
6674 * Test 1: Server sends KeyUpdate while Server is writing
6675 */
test_key_update_local_in_write(int tst)6676 static int test_key_update_local_in_write(int tst)
6677 {
6678 SSL_CTX *cctx = NULL, *sctx = NULL;
6679 SSL *clientssl = NULL, *serverssl = NULL;
6680 int testresult = 0;
6681 char buf[20];
6682 static char *mess = "A test message";
6683 BIO *bretry = BIO_new(bio_s_always_retry());
6684 BIO *tmp = NULL;
6685 SSL *local = NULL, *peer = NULL;
6686
6687 if (!TEST_ptr(bretry)
6688 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6689 TLS_client_method(),
6690 TLS1_3_VERSION,
6691 0,
6692 &sctx, &cctx, cert, privkey))
6693 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6694 NULL, NULL))
6695 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6696 SSL_ERROR_NONE)))
6697 goto end;
6698
6699 local = tst == 0 ? clientssl : serverssl;
6700 peer = tst == 0 ? serverssl : clientssl;
6701
6702 /* Swap the writing endpoint's write BIO to force a retry */
6703 tmp = SSL_get_wbio(local);
6704 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6705 tmp = NULL;
6706 goto end;
6707 }
6708 SSL_set0_wbio(local, bretry);
6709 bretry = NULL;
6710
6711 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6712 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6713 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6714 goto end;
6715
6716 /* Reinstate the original writing endpoint's write BIO */
6717 SSL_set0_wbio(local, tmp);
6718 tmp = NULL;
6719
6720 /* SSL_key_update will fail, because writing in local*/
6721 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6722 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6723 goto end;
6724
6725 ERR_clear_error();
6726 /* write data in local previously that we will complete */
6727 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6728 goto end;
6729
6730 /* SSL_key_update will succeed because there is no pending write data */
6731 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6732 || !TEST_int_eq(SSL_do_handshake(local), 1))
6733 goto end;
6734
6735 /*
6736 * we write some appdata in local
6737 * read data in peer - we will read the keyupdate msg
6738 */
6739 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6740 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6741 goto end;
6742
6743 /* Write more peer more data to ensure we send the keyupdate message back */
6744 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6745 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6746 goto end;
6747
6748 testresult = 1;
6749
6750 end:
6751 SSL_free(serverssl);
6752 SSL_free(clientssl);
6753 SSL_CTX_free(sctx);
6754 SSL_CTX_free(cctx);
6755 BIO_free(bretry);
6756 BIO_free(tmp);
6757
6758 return testresult;
6759 }
6760
6761 /*
6762 * Test we can handle a KeyUpdate (update requested) message while
6763 * local read data is pending(the msg header had been read 5 bytes).
6764 * Test 0: Client sends KeyUpdate while Client is reading
6765 * Test 1: Server sends KeyUpdate while Server is reading
6766 */
test_key_update_local_in_read(int tst)6767 static int test_key_update_local_in_read(int tst)
6768 {
6769 SSL_CTX *cctx = NULL, *sctx = NULL;
6770 SSL *clientssl = NULL, *serverssl = NULL;
6771 int testresult = 0;
6772 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6773 static char *mess = "A test message";
6774 BIO *lbio = NULL, *pbio = NULL;
6775 SSL *local = NULL, *peer = NULL;
6776
6777 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6778 TLS_client_method(),
6779 TLS1_3_VERSION,
6780 0,
6781 &sctx, &cctx, cert, privkey))
6782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6783 NULL, NULL))
6784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6785 SSL_ERROR_NONE)))
6786 goto end;
6787
6788 local = tst == 0 ? clientssl : serverssl;
6789 peer = tst == 0 ? serverssl : clientssl;
6790
6791 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6792 goto end;
6793
6794 SSL_set_bio(local, lbio, lbio);
6795 SSL_set_bio(peer, pbio, pbio);
6796
6797 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6798 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6799 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6800 goto end;
6801
6802 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6803 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6804 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6805 goto end;
6806
6807 /* SSL_do_handshake will send keyupdate msg */
6808 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6809 || !TEST_int_eq(SSL_do_handshake(local), 1))
6810 goto end;
6811
6812 /*
6813 * write data in peer previously that we will complete
6814 * read data in local previously that we will complete
6815 */
6816 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6817 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6818 goto end;
6819
6820 /*
6821 * write data in local
6822 * read data in peer - we will read the key update
6823 */
6824 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6825 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6826 goto end;
6827
6828 /* Write more peer data to ensure we send the keyupdate message back */
6829 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6830 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6831 goto end;
6832
6833 testresult = 1;
6834
6835 end:
6836 SSL_free(serverssl);
6837 SSL_free(clientssl);
6838 SSL_CTX_free(sctx);
6839 SSL_CTX_free(cctx);
6840
6841 return testresult;
6842 }
6843 #endif /* OSSL_NO_USABLE_TLS1_3 */
6844
test_ssl_clear(int idx)6845 static int test_ssl_clear(int idx)
6846 {
6847 SSL_CTX *cctx = NULL, *sctx = NULL;
6848 SSL *clientssl = NULL, *serverssl = NULL;
6849 int testresult = 0;
6850
6851 #ifdef OPENSSL_NO_TLS1_2
6852 if (idx == 1)
6853 return 1;
6854 #endif
6855
6856 /* Create an initial connection */
6857 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6858 TLS_client_method(), TLS1_VERSION, 0,
6859 &sctx, &cctx, cert, privkey))
6860 || (idx == 1
6861 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6862 TLS1_2_VERSION)))
6863 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6864 &clientssl, NULL, NULL))
6865 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6866 SSL_ERROR_NONE)))
6867 goto end;
6868
6869 SSL_shutdown(clientssl);
6870 SSL_shutdown(serverssl);
6871 SSL_free(serverssl);
6872 serverssl = NULL;
6873
6874 /* Clear clientssl - we're going to reuse the object */
6875 if (!TEST_true(SSL_clear(clientssl)))
6876 goto end;
6877
6878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6879 NULL, NULL))
6880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6881 SSL_ERROR_NONE))
6882 || !TEST_true(SSL_session_reused(clientssl)))
6883 goto end;
6884
6885 SSL_shutdown(clientssl);
6886 SSL_shutdown(serverssl);
6887
6888 testresult = 1;
6889
6890 end:
6891 SSL_free(serverssl);
6892 SSL_free(clientssl);
6893 SSL_CTX_free(sctx);
6894 SSL_CTX_free(cctx);
6895
6896 return testresult;
6897 }
6898
6899 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)6900 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6901 {
6902 long len;
6903 unsigned char *data;
6904 PACKET pkt, pkt2, pkt3;
6905 unsigned int MFL_code = 0, type = 0;
6906
6907 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6908 goto end;
6909
6910 memset(&pkt, 0, sizeof(pkt));
6911 memset(&pkt2, 0, sizeof(pkt2));
6912 memset(&pkt3, 0, sizeof(pkt3));
6913
6914 if (!TEST_long_gt(len, 0)
6915 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6916 /* Skip the record header */
6917 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6918 /* Skip the handshake message header */
6919 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6920 /* Skip client version and random */
6921 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6922 + SSL3_RANDOM_SIZE))
6923 /* Skip session id */
6924 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6925 /* Skip ciphers */
6926 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6927 /* Skip compression */
6928 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6929 /* Extensions len */
6930 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6931 goto end;
6932
6933 /* Loop through all extensions */
6934 while (PACKET_remaining(&pkt2)) {
6935 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6936 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6937 goto end;
6938
6939 if (type == TLSEXT_TYPE_max_fragment_length) {
6940 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6941 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6942 goto end;
6943
6944 *mfl_codemfl_code = MFL_code;
6945 return 1;
6946 }
6947 }
6948
6949 end:
6950 return 0;
6951 }
6952
6953 /* Maximum-Fragment-Length TLS extension mode to test */
6954 static const unsigned char max_fragment_len_test[] = {
6955 TLSEXT_max_fragment_length_512,
6956 TLSEXT_max_fragment_length_1024,
6957 TLSEXT_max_fragment_length_2048,
6958 TLSEXT_max_fragment_length_4096
6959 };
6960
test_max_fragment_len_ext(int idx_tst)6961 static int test_max_fragment_len_ext(int idx_tst)
6962 {
6963 SSL_CTX *ctx = NULL;
6964 SSL *con = NULL;
6965 int testresult = 0, MFL_mode = 0;
6966 BIO *rbio, *wbio;
6967
6968 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6969 TLS1_VERSION, 0, NULL, &ctx, NULL,
6970 NULL)))
6971 return 0;
6972
6973 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6974 ctx, max_fragment_len_test[idx_tst])))
6975 goto end;
6976
6977 con = SSL_new(ctx);
6978 if (!TEST_ptr(con))
6979 goto end;
6980
6981 rbio = BIO_new(BIO_s_mem());
6982 wbio = BIO_new(BIO_s_mem());
6983 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6984 BIO_free(rbio);
6985 BIO_free(wbio);
6986 goto end;
6987 }
6988
6989 SSL_set_bio(con, rbio, wbio);
6990
6991 if (!TEST_int_le(SSL_connect(con), 0)) {
6992 /* This shouldn't succeed because we don't have a server! */
6993 goto end;
6994 }
6995
6996 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6997 /* no MFL in client hello */
6998 goto end;
6999 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7000 goto end;
7001
7002 testresult = 1;
7003
7004 end:
7005 SSL_free(con);
7006 SSL_CTX_free(ctx);
7007
7008 return testresult;
7009 }
7010
7011 #ifndef OSSL_NO_USABLE_TLS1_3
test_pha_key_update(void)7012 static int test_pha_key_update(void)
7013 {
7014 SSL_CTX *cctx = NULL, *sctx = NULL;
7015 SSL *clientssl = NULL, *serverssl = NULL;
7016 int testresult = 0;
7017
7018 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7019 TLS_client_method(), TLS1_VERSION, 0,
7020 &sctx, &cctx, cert, privkey)))
7021 return 0;
7022
7023 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7024 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7025 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7026 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7027 goto end;
7028
7029 SSL_CTX_set_post_handshake_auth(cctx, 1);
7030
7031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7032 NULL, NULL)))
7033 goto end;
7034
7035 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7036 SSL_ERROR_NONE)))
7037 goto end;
7038
7039 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7040 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7041 goto end;
7042
7043 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7044 goto end;
7045
7046 /* Start handshake on the server */
7047 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7048 goto end;
7049
7050 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7051 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7052 SSL_ERROR_NONE)))
7053 goto end;
7054
7055 SSL_shutdown(clientssl);
7056 SSL_shutdown(serverssl);
7057
7058 testresult = 1;
7059
7060 end:
7061 SSL_free(serverssl);
7062 SSL_free(clientssl);
7063 SSL_CTX_free(sctx);
7064 SSL_CTX_free(cctx);
7065 return testresult;
7066 }
7067 #endif
7068
7069 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7070
7071 static SRP_VBASE *vbase = NULL;
7072
ssl_srp_cb(SSL * s,int * ad,void * arg)7073 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7074 {
7075 int ret = SSL3_AL_FATAL;
7076 char *username;
7077 SRP_user_pwd *user = NULL;
7078
7079 username = SSL_get_srp_username(s);
7080 if (username == NULL) {
7081 *ad = SSL_AD_INTERNAL_ERROR;
7082 goto err;
7083 }
7084
7085 user = SRP_VBASE_get1_by_user(vbase, username);
7086 if (user == NULL) {
7087 *ad = SSL_AD_INTERNAL_ERROR;
7088 goto err;
7089 }
7090
7091 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7092 user->info) <= 0) {
7093 *ad = SSL_AD_INTERNAL_ERROR;
7094 goto err;
7095 }
7096
7097 ret = 0;
7098
7099 err:
7100 SRP_user_pwd_free(user);
7101 return ret;
7102 }
7103
create_new_vfile(char * userid,char * password,const char * filename)7104 static int create_new_vfile(char *userid, char *password, const char *filename)
7105 {
7106 char *gNid = NULL;
7107 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7108 TXT_DB *db = NULL;
7109 int ret = 0;
7110 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7111 size_t i;
7112
7113 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7114 goto end;
7115
7116 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7117 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7118 if (!TEST_ptr(gNid))
7119 goto end;
7120
7121 /*
7122 * The only way to create an empty TXT_DB is to provide a BIO with no data
7123 * in it!
7124 */
7125 db = TXT_DB_read(dummy, DB_NUMBER);
7126 if (!TEST_ptr(db))
7127 goto end;
7128
7129 out = BIO_new_file(filename, "w");
7130 if (!TEST_ptr(out))
7131 goto end;
7132
7133 row[DB_srpid] = OPENSSL_strdup(userid);
7134 row[DB_srptype] = OPENSSL_strdup("V");
7135 row[DB_srpgN] = OPENSSL_strdup(gNid);
7136
7137 if (!TEST_ptr(row[DB_srpid])
7138 || !TEST_ptr(row[DB_srptype])
7139 || !TEST_ptr(row[DB_srpgN])
7140 || !TEST_true(TXT_DB_insert(db, row)))
7141 goto end;
7142
7143 row = NULL;
7144
7145 if (TXT_DB_write(out, db) <= 0)
7146 goto end;
7147
7148 ret = 1;
7149 end:
7150 if (row != NULL) {
7151 for (i = 0; i < DB_NUMBER; i++)
7152 OPENSSL_free(row[i]);
7153 }
7154 OPENSSL_free(row);
7155 BIO_free(dummy);
7156 BIO_free(out);
7157 TXT_DB_free(db);
7158
7159 return ret;
7160 }
7161
create_new_vbase(char * userid,char * password)7162 static int create_new_vbase(char *userid, char *password)
7163 {
7164 BIGNUM *verifier = NULL, *salt = NULL;
7165 const SRP_gN *lgN = NULL;
7166 SRP_user_pwd *user_pwd = NULL;
7167 int ret = 0;
7168
7169 lgN = SRP_get_default_gN(NULL);
7170 if (!TEST_ptr(lgN))
7171 goto end;
7172
7173 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7174 lgN->N, lgN->g, libctx, NULL)))
7175 goto end;
7176
7177 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7178 if (!TEST_ptr(user_pwd))
7179 goto end;
7180
7181 user_pwd->N = lgN->N;
7182 user_pwd->g = lgN->g;
7183 user_pwd->id = OPENSSL_strdup(userid);
7184 if (!TEST_ptr(user_pwd->id))
7185 goto end;
7186
7187 user_pwd->v = verifier;
7188 user_pwd->s = salt;
7189 verifier = salt = NULL;
7190
7191 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7192 goto end;
7193 user_pwd = NULL;
7194
7195 ret = 1;
7196 end:
7197 SRP_user_pwd_free(user_pwd);
7198 BN_free(salt);
7199 BN_free(verifier);
7200
7201 return ret;
7202 }
7203
7204 /*
7205 * SRP tests
7206 *
7207 * Test 0: Simple successful SRP connection, new vbase
7208 * Test 1: Connection failure due to bad password, new vbase
7209 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7210 * Test 3: Connection failure due to bad password, vbase loaded from existing
7211 * file
7212 * Test 4: Simple successful SRP connection, vbase loaded from new file
7213 * Test 5: Connection failure due to bad password, vbase loaded from new file
7214 */
test_srp(int tst)7215 static int test_srp(int tst)
7216 {
7217 char *userid = "test", *password = "password", *tstsrpfile;
7218 SSL_CTX *cctx = NULL, *sctx = NULL;
7219 SSL *clientssl = NULL, *serverssl = NULL;
7220 int ret, testresult = 0;
7221
7222 vbase = SRP_VBASE_new(NULL);
7223 if (!TEST_ptr(vbase))
7224 goto end;
7225
7226 if (tst == 0 || tst == 1) {
7227 if (!TEST_true(create_new_vbase(userid, password)))
7228 goto end;
7229 } else {
7230 if (tst == 4 || tst == 5) {
7231 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7232 goto end;
7233 tstsrpfile = tmpfilename;
7234 } else {
7235 tstsrpfile = srpvfile;
7236 }
7237 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7238 goto end;
7239 }
7240
7241 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7242 TLS_client_method(), TLS1_VERSION, 0,
7243 &sctx, &cctx, cert, privkey)))
7244 goto end;
7245
7246 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7247 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7248 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7249 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7250 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7251 goto end;
7252
7253 if (tst % 2 == 1) {
7254 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7255 goto end;
7256 } else {
7257 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7258 goto end;
7259 }
7260
7261 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7262 NULL, NULL)))
7263 goto end;
7264
7265 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7266 if (ret) {
7267 if (!TEST_true(tst % 2 == 0))
7268 goto end;
7269 } else {
7270 if (!TEST_true(tst % 2 == 1))
7271 goto end;
7272 }
7273
7274 testresult = 1;
7275
7276 end:
7277 SRP_VBASE_free(vbase);
7278 vbase = NULL;
7279 SSL_free(serverssl);
7280 SSL_free(clientssl);
7281 SSL_CTX_free(sctx);
7282 SSL_CTX_free(cctx);
7283
7284 return testresult;
7285 }
7286 #endif
7287
7288 static int info_cb_failed = 0;
7289 static int info_cb_offset = 0;
7290 static int info_cb_this_state = -1;
7291
7292 static struct info_cb_states_st {
7293 int where;
7294 const char *statestr;
7295 } info_cb_states[][60] = {
7296 {
7297 /* TLSv1.2 server followed by resumption */
7298 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7299 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7300 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7301 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7302 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7303 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7304 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7305 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7306 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7307 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7308 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7309 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7310 {SSL_CB_EXIT, NULL}, {0, NULL},
7311 }, {
7312 /* TLSv1.2 client followed by resumption */
7313 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7314 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7315 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7316 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7317 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7318 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7319 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7320 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7321 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7322 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7323 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7325 }, {
7326 /* TLSv1.3 server followed by resumption */
7327 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7328 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7329 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7330 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7331 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7332 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7333 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7335 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7336 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7337 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7338 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7339 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7340 }, {
7341 /* TLSv1.3 client followed by resumption */
7342 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7343 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7344 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7345 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7346 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7347 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7348 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7349 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7350 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7351 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7352 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7353 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7355 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7356 {SSL_CB_EXIT, NULL}, {0, NULL},
7357 }, {
7358 /* TLSv1.3 server, early_data */
7359 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7360 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7361 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7362 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7363 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7364 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7366 {SSL_CB_EXIT, NULL}, {0, NULL},
7367 }, {
7368 /* TLSv1.3 client, early_data */
7369 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7370 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7371 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7372 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7373 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7374 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7375 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7376 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7377 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7378 }, {
7379 {0, NULL},
7380 }
7381 };
7382
sslapi_info_callback(const SSL * s,int where,int ret)7383 static void sslapi_info_callback(const SSL *s, int where, int ret)
7384 {
7385 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7386
7387 /* We do not ever expect a connection to fail in this test */
7388 if (!TEST_false(ret == 0)) {
7389 info_cb_failed = 1;
7390 return;
7391 }
7392
7393 /*
7394 * Do some sanity checks. We never expect these things to happen in this
7395 * test
7396 */
7397 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7398 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7399 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7400 info_cb_failed = 1;
7401 return;
7402 }
7403
7404 /* Now check we're in the right state */
7405 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7406 info_cb_failed = 1;
7407 return;
7408 }
7409 if ((where & SSL_CB_LOOP) != 0
7410 && !TEST_int_eq(strcmp(SSL_state_string(s),
7411 state[info_cb_this_state].statestr), 0)) {
7412 info_cb_failed = 1;
7413 return;
7414 }
7415
7416 /*
7417 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7418 */
7419 if ((where & SSL_CB_HANDSHAKE_DONE)
7420 && SSL_in_init((SSL *)s) != 0) {
7421 info_cb_failed = 1;
7422 return;
7423 }
7424 }
7425
7426 /*
7427 * Test the info callback gets called when we expect it to.
7428 *
7429 * Test 0: TLSv1.2, server
7430 * Test 1: TLSv1.2, client
7431 * Test 2: TLSv1.3, server
7432 * Test 3: TLSv1.3, client
7433 * Test 4: TLSv1.3, server, early_data
7434 * Test 5: TLSv1.3, client, early_data
7435 */
test_info_callback(int tst)7436 static int test_info_callback(int tst)
7437 {
7438 SSL_CTX *cctx = NULL, *sctx = NULL;
7439 SSL *clientssl = NULL, *serverssl = NULL;
7440 SSL_SESSION *clntsess = NULL;
7441 int testresult = 0;
7442 int tlsvers;
7443
7444 if (tst < 2) {
7445 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7446 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7447 || !defined(OPENSSL_NO_DH))
7448 tlsvers = TLS1_2_VERSION;
7449 #else
7450 return 1;
7451 #endif
7452 } else {
7453 #ifndef OSSL_NO_USABLE_TLS1_3
7454 tlsvers = TLS1_3_VERSION;
7455 #else
7456 return 1;
7457 #endif
7458 }
7459
7460 /* Reset globals */
7461 info_cb_failed = 0;
7462 info_cb_this_state = -1;
7463 info_cb_offset = tst;
7464
7465 #ifndef OSSL_NO_USABLE_TLS1_3
7466 if (tst >= 4) {
7467 SSL_SESSION *sess = NULL;
7468 size_t written, readbytes;
7469 unsigned char buf[80];
7470
7471 /* early_data tests */
7472 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7473 &serverssl, &sess, 0,
7474 SHA384_DIGEST_LENGTH)))
7475 goto end;
7476
7477 /* We don't actually need this reference */
7478 SSL_SESSION_free(sess);
7479
7480 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7481 sslapi_info_callback);
7482
7483 /* Write and read some early data and then complete the connection */
7484 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7485 &written))
7486 || !TEST_size_t_eq(written, strlen(MSG1))
7487 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7488 sizeof(buf), &readbytes),
7489 SSL_READ_EARLY_DATA_SUCCESS)
7490 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7491 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7492 SSL_EARLY_DATA_ACCEPTED)
7493 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7494 SSL_ERROR_NONE))
7495 || !TEST_false(info_cb_failed))
7496 goto end;
7497
7498 testresult = 1;
7499 goto end;
7500 }
7501 #endif
7502
7503 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7504 TLS_client_method(),
7505 tlsvers, tlsvers, &sctx, &cctx, cert,
7506 privkey)))
7507 goto end;
7508
7509 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7510 goto end;
7511
7512 /*
7513 * For even numbered tests we check the server callbacks. For odd numbers we
7514 * check the client.
7515 */
7516 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7517 sslapi_info_callback);
7518
7519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7520 &clientssl, NULL, NULL))
7521 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7522 SSL_ERROR_NONE))
7523 || !TEST_false(info_cb_failed))
7524 goto end;
7525
7526
7527
7528 clntsess = SSL_get1_session(clientssl);
7529 SSL_shutdown(clientssl);
7530 SSL_shutdown(serverssl);
7531 SSL_free(serverssl);
7532 SSL_free(clientssl);
7533 serverssl = clientssl = NULL;
7534
7535 /* Now do a resumption */
7536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7537 NULL))
7538 || !TEST_true(SSL_set_session(clientssl, clntsess))
7539 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7540 SSL_ERROR_NONE))
7541 || !TEST_true(SSL_session_reused(clientssl))
7542 || !TEST_false(info_cb_failed))
7543 goto end;
7544
7545 testresult = 1;
7546
7547 end:
7548 SSL_free(serverssl);
7549 SSL_free(clientssl);
7550 SSL_SESSION_free(clntsess);
7551 SSL_CTX_free(sctx);
7552 SSL_CTX_free(cctx);
7553 return testresult;
7554 }
7555
test_ssl_pending(int tst)7556 static int test_ssl_pending(int tst)
7557 {
7558 SSL_CTX *cctx = NULL, *sctx = NULL;
7559 SSL *clientssl = NULL, *serverssl = NULL;
7560 int testresult = 0;
7561 char msg[] = "A test message";
7562 char buf[5];
7563 size_t written, readbytes;
7564
7565 if (tst == 0) {
7566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7567 TLS_client_method(),
7568 TLS1_VERSION, 0,
7569 &sctx, &cctx, cert, privkey)))
7570 goto end;
7571 } else {
7572 #ifndef OPENSSL_NO_DTLS
7573 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7574 DTLS_client_method(),
7575 DTLS1_VERSION, 0,
7576 &sctx, &cctx, cert, privkey)))
7577 goto end;
7578
7579 # ifdef OPENSSL_NO_DTLS1_2
7580 /* Not supported in the FIPS provider */
7581 if (is_fips) {
7582 testresult = 1;
7583 goto end;
7584 };
7585 /*
7586 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7587 * level 0
7588 */
7589 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7590 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7591 "DEFAULT:@SECLEVEL=0")))
7592 goto end;
7593 # endif
7594 #else
7595 return 1;
7596 #endif
7597 }
7598
7599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7600 NULL, NULL))
7601 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7602 SSL_ERROR_NONE)))
7603 goto end;
7604
7605 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7606 || !TEST_false(SSL_has_pending(clientssl))
7607 || !TEST_int_eq(SSL_pending(serverssl), 0)
7608 || !TEST_false(SSL_has_pending(serverssl))
7609 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7610 || !TEST_size_t_eq(written, sizeof(msg))
7611 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7612 || !TEST_size_t_eq(readbytes, sizeof(buf))
7613 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7614 || !TEST_true(SSL_has_pending(clientssl)))
7615 goto end;
7616
7617 testresult = 1;
7618
7619 end:
7620 SSL_free(serverssl);
7621 SSL_free(clientssl);
7622 SSL_CTX_free(sctx);
7623 SSL_CTX_free(cctx);
7624
7625 return testresult;
7626 }
7627
7628 static struct {
7629 unsigned int maxprot;
7630 const char *clntciphers;
7631 const char *clnttls13ciphers;
7632 const char *srvrciphers;
7633 const char *srvrtls13ciphers;
7634 const char *shared;
7635 const char *fipsshared;
7636 } shared_ciphers_data[] = {
7637 /*
7638 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7639 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7640 */
7641 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7642 {
7643 TLS1_2_VERSION,
7644 "AES128-SHA:AES256-SHA",
7645 NULL,
7646 "AES256-SHA:DHE-RSA-AES128-SHA",
7647 NULL,
7648 "AES256-SHA",
7649 "AES256-SHA"
7650 },
7651 # if !defined(OPENSSL_NO_CHACHA) \
7652 && !defined(OPENSSL_NO_POLY1305) \
7653 && !defined(OPENSSL_NO_EC)
7654 {
7655 TLS1_2_VERSION,
7656 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7657 NULL,
7658 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7659 NULL,
7660 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7661 "AES128-SHA"
7662 },
7663 # endif
7664 {
7665 TLS1_2_VERSION,
7666 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7667 NULL,
7668 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7669 NULL,
7670 "AES128-SHA:AES256-SHA",
7671 "AES128-SHA:AES256-SHA"
7672 },
7673 {
7674 TLS1_2_VERSION,
7675 "AES128-SHA:AES256-SHA",
7676 NULL,
7677 "AES128-SHA:DHE-RSA-AES128-SHA",
7678 NULL,
7679 "AES128-SHA",
7680 "AES128-SHA"
7681 },
7682 #endif
7683 /*
7684 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7685 * enabled.
7686 */
7687 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7688 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7689 {
7690 TLS1_3_VERSION,
7691 "AES128-SHA:AES256-SHA",
7692 NULL,
7693 "AES256-SHA:AES128-SHA256",
7694 NULL,
7695 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7696 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7697 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7698 },
7699 #endif
7700 #ifndef OSSL_NO_USABLE_TLS1_3
7701 {
7702 TLS1_3_VERSION,
7703 "AES128-SHA",
7704 "TLS_AES_256_GCM_SHA384",
7705 "AES256-SHA",
7706 "TLS_AES_256_GCM_SHA384",
7707 "TLS_AES_256_GCM_SHA384",
7708 "TLS_AES_256_GCM_SHA384"
7709 },
7710 #endif
7711 };
7712
int_test_ssl_get_shared_ciphers(int tst,int clnt)7713 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7714 {
7715 SSL_CTX *cctx = NULL, *sctx = NULL;
7716 SSL *clientssl = NULL, *serverssl = NULL;
7717 int testresult = 0;
7718 char buf[1024];
7719 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7720
7721 if (!TEST_ptr(tmplibctx))
7722 goto end;
7723
7724 /*
7725 * Regardless of whether we're testing with the FIPS provider loaded into
7726 * libctx, we want one peer to always use the full set of ciphersuites
7727 * available. Therefore we use a separate libctx with the default provider
7728 * loaded into it. We run the same tests twice - once with the client side
7729 * having the full set of ciphersuites and once with the server side.
7730 */
7731 if (clnt) {
7732 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7733 if (!TEST_ptr(cctx))
7734 goto end;
7735 } else {
7736 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7737 if (!TEST_ptr(sctx))
7738 goto end;
7739 }
7740
7741 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7742 TLS_client_method(),
7743 TLS1_VERSION,
7744 shared_ciphers_data[tst].maxprot,
7745 &sctx, &cctx, cert, privkey)))
7746 goto end;
7747
7748 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7749 shared_ciphers_data[tst].clntciphers))
7750 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7751 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7752 shared_ciphers_data[tst].clnttls13ciphers)))
7753 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7754 shared_ciphers_data[tst].srvrciphers))
7755 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7756 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7757 shared_ciphers_data[tst].srvrtls13ciphers))))
7758 goto end;
7759
7760
7761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7762 NULL, NULL))
7763 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7764 SSL_ERROR_NONE)))
7765 goto end;
7766
7767 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7768 || !TEST_int_eq(strcmp(buf,
7769 is_fips
7770 ? shared_ciphers_data[tst].fipsshared
7771 : shared_ciphers_data[tst].shared),
7772 0)) {
7773 TEST_info("Shared ciphers are: %s\n", buf);
7774 goto end;
7775 }
7776
7777 testresult = 1;
7778
7779 end:
7780 SSL_free(serverssl);
7781 SSL_free(clientssl);
7782 SSL_CTX_free(sctx);
7783 SSL_CTX_free(cctx);
7784 OSSL_LIB_CTX_free(tmplibctx);
7785
7786 return testresult;
7787 }
7788
test_ssl_get_shared_ciphers(int tst)7789 static int test_ssl_get_shared_ciphers(int tst)
7790 {
7791 return int_test_ssl_get_shared_ciphers(tst, 0)
7792 && int_test_ssl_get_shared_ciphers(tst, 1);
7793 }
7794
7795
7796 static const char *appdata = "Hello World";
7797 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7798 static int tick_key_renew = 0;
7799 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7800
gen_tick_cb(SSL * s,void * arg)7801 static int gen_tick_cb(SSL *s, void *arg)
7802 {
7803 gen_tick_called = 1;
7804
7805 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7806 strlen(appdata));
7807 }
7808
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)7809 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7810 const unsigned char *keyname,
7811 size_t keyname_length,
7812 SSL_TICKET_STATUS status,
7813 void *arg)
7814 {
7815 void *tickdata;
7816 size_t tickdlen;
7817
7818 dec_tick_called = 1;
7819
7820 if (status == SSL_TICKET_EMPTY)
7821 return SSL_TICKET_RETURN_IGNORE_RENEW;
7822
7823 if (!TEST_true(status == SSL_TICKET_SUCCESS
7824 || status == SSL_TICKET_SUCCESS_RENEW))
7825 return SSL_TICKET_RETURN_ABORT;
7826
7827 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7828 &tickdlen))
7829 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7830 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7831 return SSL_TICKET_RETURN_ABORT;
7832
7833 if (tick_key_cb_called) {
7834 /* Don't change what the ticket key callback wanted to do */
7835 switch (status) {
7836 case SSL_TICKET_NO_DECRYPT:
7837 return SSL_TICKET_RETURN_IGNORE_RENEW;
7838
7839 case SSL_TICKET_SUCCESS:
7840 return SSL_TICKET_RETURN_USE;
7841
7842 case SSL_TICKET_SUCCESS_RENEW:
7843 return SSL_TICKET_RETURN_USE_RENEW;
7844
7845 default:
7846 return SSL_TICKET_RETURN_ABORT;
7847 }
7848 }
7849 return tick_dec_ret;
7850
7851 }
7852
7853 #ifndef OPENSSL_NO_DEPRECATED_3_0
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)7854 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7855 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7856 HMAC_CTX *hctx, int enc)
7857 {
7858 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7859 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7860 EVP_CIPHER *aes128cbc;
7861 EVP_MD *sha256;
7862 int ret;
7863
7864 tick_key_cb_called = 1;
7865
7866 if (tick_key_renew == -1)
7867 return 0;
7868
7869 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7870 if (!TEST_ptr(aes128cbc))
7871 return 0;
7872 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7873 if (!TEST_ptr(sha256)) {
7874 EVP_CIPHER_free(aes128cbc);
7875 return 0;
7876 }
7877
7878 memset(iv, 0, AES_BLOCK_SIZE);
7879 memset(key_name, 0, 16);
7880 if (aes128cbc == NULL
7881 || sha256 == NULL
7882 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7883 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7884 NULL))
7885 ret = -1;
7886 else
7887 ret = tick_key_renew ? 2 : 1;
7888
7889 EVP_CIPHER_free(aes128cbc);
7890 EVP_MD_free(sha256);
7891
7892 return ret;
7893 }
7894 #endif
7895
tick_key_evp_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)7896 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7897 unsigned char iv[EVP_MAX_IV_LENGTH],
7898 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7899 {
7900 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7901 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7902 OSSL_PARAM params[2];
7903 EVP_CIPHER *aes128cbc;
7904 int ret;
7905
7906 tick_key_cb_called = 1;
7907
7908 if (tick_key_renew == -1)
7909 return 0;
7910
7911 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7912 if (!TEST_ptr(aes128cbc))
7913 return 0;
7914
7915 memset(iv, 0, AES_BLOCK_SIZE);
7916 memset(key_name, 0, 16);
7917 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7918 "SHA256", 0);
7919 params[1] = OSSL_PARAM_construct_end();
7920 if (aes128cbc == NULL
7921 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7922 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7923 params))
7924 ret = -1;
7925 else
7926 ret = tick_key_renew ? 2 : 1;
7927
7928 EVP_CIPHER_free(aes128cbc);
7929
7930 return ret;
7931 }
7932
7933 /*
7934 * Test the various ticket callbacks
7935 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7936 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7937 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7938 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7939 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7940 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7941 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7942 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
7943 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7944 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7945 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7946 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7947 * Test 12: TLSv1.2, old ticket key callback, no ticket
7948 * Test 13: TLSv1.3, old ticket key callback, no ticket
7949 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7950 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7951 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7952 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7953 * Test 18: TLSv1.2, ticket key callback, no ticket
7954 * Test 19: TLSv1.3, ticket key callback, no ticket
7955 */
test_ticket_callbacks(int tst)7956 static int test_ticket_callbacks(int tst)
7957 {
7958 SSL_CTX *cctx = NULL, *sctx = NULL;
7959 SSL *clientssl = NULL, *serverssl = NULL;
7960 SSL_SESSION *clntsess = NULL;
7961 int testresult = 0;
7962
7963 #ifdef OPENSSL_NO_TLS1_2
7964 if (tst % 2 == 0)
7965 return 1;
7966 #endif
7967 #ifdef OSSL_NO_USABLE_TLS1_3
7968 if (tst % 2 == 1)
7969 return 1;
7970 #endif
7971 #ifdef OPENSSL_NO_DEPRECATED_3_0
7972 if (tst >= 8 && tst <= 13)
7973 return 1;
7974 #endif
7975
7976 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
7977
7978 /* Which tests the ticket key callback should request renewal for */
7979
7980 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
7981 tick_key_renew = 1;
7982 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7983 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
7984 else
7985 tick_key_renew = 0;
7986
7987 /* Which tests the decrypt ticket callback should request renewal for */
7988 switch (tst) {
7989 case 0:
7990 case 1:
7991 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7992 break;
7993
7994 case 2:
7995 case 3:
7996 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7997 break;
7998
7999 case 4:
8000 case 5:
8001 tick_dec_ret = SSL_TICKET_RETURN_USE;
8002 break;
8003
8004 case 6:
8005 case 7:
8006 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8007 break;
8008
8009 default:
8010 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8011 }
8012
8013 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8014 TLS_client_method(),
8015 TLS1_VERSION,
8016 ((tst % 2) == 0) ? TLS1_2_VERSION
8017 : TLS1_3_VERSION,
8018 &sctx, &cctx, cert, privkey)))
8019 goto end;
8020
8021 /*
8022 * We only want sessions to resume from tickets - not the session cache. So
8023 * switch the cache off.
8024 */
8025 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8026 goto end;
8027
8028 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8029 NULL)))
8030 goto end;
8031
8032 if (tst >= 14) {
8033 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8034 goto end;
8035 #ifndef OPENSSL_NO_DEPRECATED_3_0
8036 } else if (tst >= 8) {
8037 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8038 goto end;
8039 #endif
8040 }
8041
8042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8043 NULL, NULL))
8044 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8045 SSL_ERROR_NONE)))
8046 goto end;
8047
8048 /*
8049 * The decrypt ticket key callback in TLSv1.2 should be called even though
8050 * we have no ticket yet, because it gets called with a status of
8051 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8052 * actually send any ticket data). This does not happen in TLSv1.3 because
8053 * it is not valid to send empty ticket data in TLSv1.3.
8054 */
8055 if (!TEST_int_eq(gen_tick_called, 1)
8056 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8057 goto end;
8058
8059 gen_tick_called = dec_tick_called = 0;
8060
8061 clntsess = SSL_get1_session(clientssl);
8062 SSL_shutdown(clientssl);
8063 SSL_shutdown(serverssl);
8064 SSL_free(serverssl);
8065 SSL_free(clientssl);
8066 serverssl = clientssl = NULL;
8067
8068 /* Now do a resumption */
8069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8070 NULL))
8071 || !TEST_true(SSL_set_session(clientssl, clntsess))
8072 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8073 SSL_ERROR_NONE)))
8074 goto end;
8075
8076 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8077 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8078 || tick_key_renew == -1) {
8079 if (!TEST_false(SSL_session_reused(clientssl)))
8080 goto end;
8081 } else {
8082 if (!TEST_true(SSL_session_reused(clientssl)))
8083 goto end;
8084 }
8085
8086 if (!TEST_int_eq(gen_tick_called,
8087 (tick_key_renew
8088 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8089 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8090 ? 1 : 0)
8091 /* There is no ticket to decrypt in tests 13 and 19 */
8092 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8093 goto end;
8094
8095 testresult = 1;
8096
8097 end:
8098 SSL_SESSION_free(clntsess);
8099 SSL_free(serverssl);
8100 SSL_free(clientssl);
8101 SSL_CTX_free(sctx);
8102 SSL_CTX_free(cctx);
8103
8104 return testresult;
8105 }
8106
8107 /*
8108 * Test incorrect shutdown.
8109 * Test 0: client does not shutdown properly,
8110 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8111 * server should get SSL_ERROR_SSL
8112 * Test 1: client does not shutdown properly,
8113 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8114 * server should get SSL_ERROR_ZERO_RETURN
8115 */
test_incorrect_shutdown(int tst)8116 static int test_incorrect_shutdown(int tst)
8117 {
8118 SSL_CTX *cctx = NULL, *sctx = NULL;
8119 SSL *clientssl = NULL, *serverssl = NULL;
8120 int testresult = 0;
8121 char buf[80];
8122 BIO *c2s;
8123
8124 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8125 TLS_client_method(), 0, 0,
8126 &sctx, &cctx, cert, privkey)))
8127 goto end;
8128
8129 if (tst == 1)
8130 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8131
8132 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8133 NULL, NULL)))
8134 goto end;
8135
8136 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8137 SSL_ERROR_NONE)))
8138 goto end;
8139
8140 c2s = SSL_get_rbio(serverssl);
8141 BIO_set_mem_eof_return(c2s, 0);
8142
8143 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8144 goto end;
8145
8146 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8147 goto end;
8148 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8149 goto end;
8150
8151 testresult = 1;
8152
8153 end:
8154 SSL_free(serverssl);
8155 SSL_free(clientssl);
8156 SSL_CTX_free(sctx);
8157 SSL_CTX_free(cctx);
8158
8159 return testresult;
8160 }
8161
8162 /*
8163 * Test bi-directional shutdown.
8164 * Test 0: TLSv1.2
8165 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8166 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8167 * Test 3: TLSv1.3, pending NewSessionTicket messages
8168 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8169 * sends key update, client reads it
8170 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8171 * sends CertificateRequest, client reads and ignores it
8172 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8173 * doesn't read it
8174 */
test_shutdown(int tst)8175 static int test_shutdown(int tst)
8176 {
8177 SSL_CTX *cctx = NULL, *sctx = NULL;
8178 SSL *clientssl = NULL, *serverssl = NULL;
8179 int testresult = 0;
8180 char msg[] = "A test message";
8181 char buf[80];
8182 size_t written, readbytes;
8183 SSL_SESSION *sess;
8184
8185 #ifdef OPENSSL_NO_TLS1_2
8186 if (tst <= 1)
8187 return 1;
8188 #endif
8189 #ifdef OSSL_NO_USABLE_TLS1_3
8190 if (tst >= 2)
8191 return 1;
8192 #endif
8193
8194 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8195 TLS_client_method(),
8196 TLS1_VERSION,
8197 (tst <= 1) ? TLS1_2_VERSION
8198 : TLS1_3_VERSION,
8199 &sctx, &cctx, cert, privkey)))
8200 goto end;
8201
8202 if (tst == 5)
8203 SSL_CTX_set_post_handshake_auth(cctx, 1);
8204
8205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8206 NULL, NULL)))
8207 goto end;
8208
8209 if (tst == 3) {
8210 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8211 SSL_ERROR_NONE, 1))
8212 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8213 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8214 goto end;
8215 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8216 SSL_ERROR_NONE))
8217 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8218 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8219 goto end;
8220 }
8221
8222 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8223 goto end;
8224
8225 if (tst >= 4) {
8226 /*
8227 * Reading on the server after the client has sent close_notify should
8228 * fail and provide SSL_ERROR_ZERO_RETURN
8229 */
8230 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8231 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8232 SSL_ERROR_ZERO_RETURN)
8233 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8234 SSL_RECEIVED_SHUTDOWN)
8235 /*
8236 * Even though we're shutdown on receive we should still be
8237 * able to write.
8238 */
8239 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8240 goto end;
8241 if (tst == 4
8242 && !TEST_true(SSL_key_update(serverssl,
8243 SSL_KEY_UPDATE_REQUESTED)))
8244 goto end;
8245 if (tst == 5) {
8246 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8247 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8248 goto end;
8249 }
8250 if ((tst == 4 || tst == 5)
8251 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8252 goto end;
8253 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8254 goto end;
8255 if (tst == 4 || tst == 5) {
8256 /* Should still be able to read data from server */
8257 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8258 &readbytes))
8259 || !TEST_size_t_eq(readbytes, sizeof(msg))
8260 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8261 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8262 &readbytes))
8263 || !TEST_size_t_eq(readbytes, sizeof(msg))
8264 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8265 goto end;
8266 }
8267 }
8268
8269 /* Writing on the client after sending close_notify shouldn't be possible */
8270 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8271 goto end;
8272
8273 if (tst < 4) {
8274 /*
8275 * For these tests the client has sent close_notify but it has not yet
8276 * been received by the server. The server has not sent close_notify
8277 * yet.
8278 */
8279 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8280 /*
8281 * Writing on the server after sending close_notify shouldn't
8282 * be possible.
8283 */
8284 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8285 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8286 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8287 || !TEST_true(SSL_SESSION_is_resumable(sess))
8288 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8289 goto end;
8290 } else if (tst == 4 || tst == 5) {
8291 /*
8292 * In this test the client has sent close_notify and it has been
8293 * received by the server which has responded with a close_notify. The
8294 * client needs to read the close_notify sent by the server.
8295 */
8296 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8297 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8298 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8299 goto end;
8300 } else {
8301 /*
8302 * tst == 6
8303 *
8304 * The client has sent close_notify and is expecting a close_notify
8305 * back, but instead there is application data first. The shutdown
8306 * should fail with a fatal error.
8307 */
8308 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8309 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8310 goto end;
8311 }
8312
8313 testresult = 1;
8314
8315 end:
8316 SSL_free(serverssl);
8317 SSL_free(clientssl);
8318 SSL_CTX_free(sctx);
8319 SSL_CTX_free(cctx);
8320
8321 return testresult;
8322 }
8323
8324 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8325 static int cert_cb_cnt;
8326
cert_cb(SSL * s,void * arg)8327 static int cert_cb(SSL *s, void *arg)
8328 {
8329 SSL_CTX *ctx = (SSL_CTX *)arg;
8330 BIO *in = NULL;
8331 EVP_PKEY *pkey = NULL;
8332 X509 *x509 = NULL, *rootx = NULL;
8333 STACK_OF(X509) *chain = NULL;
8334 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8335 int ret = 0;
8336
8337 if (cert_cb_cnt == 0) {
8338 /* Suspend the handshake */
8339 cert_cb_cnt++;
8340 return -1;
8341 } else if (cert_cb_cnt == 1) {
8342 /*
8343 * Update the SSL_CTX, set the certificate and private key and then
8344 * continue the handshake normally.
8345 */
8346 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8347 return 0;
8348
8349 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8350 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8351 SSL_FILETYPE_PEM))
8352 || !TEST_true(SSL_check_private_key(s)))
8353 return 0;
8354 cert_cb_cnt++;
8355 return 1;
8356 } else if (cert_cb_cnt == 3) {
8357 int rv;
8358
8359 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8360 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8361 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8362 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8363 goto out;
8364 chain = sk_X509_new_null();
8365 if (!TEST_ptr(chain))
8366 goto out;
8367 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8368 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8369 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8370 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8371 || !TEST_true(sk_X509_push(chain, rootx)))
8372 goto out;
8373 rootx = NULL;
8374 BIO_free(in);
8375 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8376 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8377 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8378 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8379 goto out;
8380 BIO_free(in);
8381 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8382 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8383 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8384 NULL, NULL,
8385 libctx, NULL)))
8386 goto out;
8387 rv = SSL_check_chain(s, x509, pkey, chain);
8388 /*
8389 * If the cert doesn't show as valid here (e.g., because we don't
8390 * have any shared sigalgs), then we will not set it, and there will
8391 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8392 * will cause tls_choose_sigalgs() to fail the connection.
8393 */
8394 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8395 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8396 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8397 goto out;
8398 }
8399
8400 ret = 1;
8401 }
8402
8403 /* Abort the handshake */
8404 out:
8405 OPENSSL_free(ecdsacert);
8406 OPENSSL_free(ecdsakey);
8407 OPENSSL_free(rootfile);
8408 BIO_free(in);
8409 EVP_PKEY_free(pkey);
8410 X509_free(x509);
8411 X509_free(rootx);
8412 sk_X509_pop_free(chain, X509_free);
8413 return ret;
8414 }
8415
8416 /*
8417 * Test the certificate callback.
8418 * Test 0: Callback fails
8419 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8420 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8421 * Test 3: Success - Call SSL_check_chain from the callback
8422 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8423 * chain
8424 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8425 */
test_cert_cb_int(int prot,int tst)8426 static int test_cert_cb_int(int prot, int tst)
8427 {
8428 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8429 SSL *clientssl = NULL, *serverssl = NULL;
8430 int testresult = 0, ret;
8431
8432 #ifdef OPENSSL_NO_EC
8433 /* We use an EC cert in these tests, so we skip in a no-ec build */
8434 if (tst >= 3)
8435 return 1;
8436 #endif
8437
8438 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8439 TLS_client_method(),
8440 TLS1_VERSION,
8441 prot,
8442 &sctx, &cctx, NULL, NULL)))
8443 goto end;
8444
8445 if (tst == 0)
8446 cert_cb_cnt = -1;
8447 else if (tst >= 3)
8448 cert_cb_cnt = 3;
8449 else
8450 cert_cb_cnt = 0;
8451
8452 if (tst == 2) {
8453 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8454 if (!TEST_ptr(snictx))
8455 goto end;
8456 }
8457
8458 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8459
8460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8461 NULL, NULL)))
8462 goto end;
8463
8464 if (tst == 4) {
8465 /*
8466 * We cause SSL_check_chain() to fail by specifying sig_algs that
8467 * the chain doesn't meet (the root uses an RSA cert)
8468 */
8469 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8470 "ecdsa_secp256r1_sha256")))
8471 goto end;
8472 } else if (tst == 5) {
8473 /*
8474 * We cause SSL_check_chain() to fail by specifying sig_algs that
8475 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8476 */
8477 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8478 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8479 goto end;
8480 }
8481
8482 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8483 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8484 || (tst > 0
8485 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8486 goto end;
8487 }
8488
8489 testresult = 1;
8490
8491 end:
8492 SSL_free(serverssl);
8493 SSL_free(clientssl);
8494 SSL_CTX_free(sctx);
8495 SSL_CTX_free(cctx);
8496 SSL_CTX_free(snictx);
8497
8498 return testresult;
8499 }
8500 #endif
8501
test_cert_cb(int tst)8502 static int test_cert_cb(int tst)
8503 {
8504 int testresult = 1;
8505
8506 #ifndef OPENSSL_NO_TLS1_2
8507 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8508 #endif
8509 #ifndef OSSL_NO_USABLE_TLS1_3
8510 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8511 #endif
8512
8513 return testresult;
8514 }
8515
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)8516 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8517 {
8518 X509 *xcert;
8519 EVP_PKEY *privpkey;
8520 BIO *in = NULL;
8521 BIO *priv_in = NULL;
8522
8523 /* Check that SSL_get0_peer_certificate() returns something sensible */
8524 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8525 return 0;
8526
8527 in = BIO_new_file(cert, "r");
8528 if (!TEST_ptr(in))
8529 return 0;
8530
8531 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8532 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8533 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8534 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8535 NULL, NULL,
8536 libctx, NULL)))
8537 goto err;
8538
8539 *x509 = xcert;
8540 *pkey = privpkey;
8541
8542 BIO_free(in);
8543 BIO_free(priv_in);
8544 return 1;
8545 err:
8546 X509_free(xcert);
8547 BIO_free(in);
8548 BIO_free(priv_in);
8549 return 0;
8550 }
8551
test_client_cert_cb(int tst)8552 static int test_client_cert_cb(int tst)
8553 {
8554 SSL_CTX *cctx = NULL, *sctx = NULL;
8555 SSL *clientssl = NULL, *serverssl = NULL;
8556 int testresult = 0;
8557
8558 #ifdef OPENSSL_NO_TLS1_2
8559 if (tst == 0)
8560 return 1;
8561 #endif
8562 #ifdef OSSL_NO_USABLE_TLS1_3
8563 if (tst == 1)
8564 return 1;
8565 #endif
8566
8567 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8568 TLS_client_method(),
8569 TLS1_VERSION,
8570 tst == 0 ? TLS1_2_VERSION
8571 : TLS1_3_VERSION,
8572 &sctx, &cctx, cert, privkey)))
8573 goto end;
8574
8575 /*
8576 * Test that setting a client_cert_cb results in a client certificate being
8577 * sent.
8578 */
8579 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8580 SSL_CTX_set_verify(sctx,
8581 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8582 verify_cb);
8583
8584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8585 NULL, NULL))
8586 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8587 SSL_ERROR_NONE)))
8588 goto end;
8589
8590 testresult = 1;
8591
8592 end:
8593 SSL_free(serverssl);
8594 SSL_free(clientssl);
8595 SSL_CTX_free(sctx);
8596 SSL_CTX_free(cctx);
8597
8598 return testresult;
8599 }
8600
8601 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8602 /*
8603 * Test setting certificate authorities on both client and server.
8604 *
8605 * Test 0: SSL_CTX_set0_CA_list() only
8606 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8607 * Test 2: Only SSL_CTX_set_client_CA_list()
8608 */
test_ca_names_int(int prot,int tst)8609 static int test_ca_names_int(int prot, int tst)
8610 {
8611 SSL_CTX *cctx = NULL, *sctx = NULL;
8612 SSL *clientssl = NULL, *serverssl = NULL;
8613 int testresult = 0;
8614 size_t i;
8615 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8616 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8617 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8618 const STACK_OF(X509_NAME) *sktmp = NULL;
8619
8620 for (i = 0; i < OSSL_NELEM(name); i++) {
8621 name[i] = X509_NAME_new();
8622 if (!TEST_ptr(name[i])
8623 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8624 MBSTRING_ASC,
8625 (unsigned char *)
8626 strnames[i],
8627 -1, -1, 0)))
8628 goto end;
8629 }
8630
8631 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8632 TLS_client_method(),
8633 TLS1_VERSION,
8634 prot,
8635 &sctx, &cctx, cert, privkey)))
8636 goto end;
8637
8638 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8639
8640 if (tst == 0 || tst == 1) {
8641 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8642 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8643 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8644 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8645 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8646 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8647 goto end;
8648
8649 SSL_CTX_set0_CA_list(sctx, sk1);
8650 SSL_CTX_set0_CA_list(cctx, sk2);
8651 sk1 = sk2 = NULL;
8652 }
8653 if (tst == 1 || tst == 2) {
8654 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8655 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8656 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8657 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8658 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8659 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8660 goto end;
8661
8662 SSL_CTX_set_client_CA_list(sctx, sk1);
8663 SSL_CTX_set_client_CA_list(cctx, sk2);
8664 sk1 = sk2 = NULL;
8665 }
8666
8667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8668 NULL, NULL))
8669 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8670 SSL_ERROR_NONE)))
8671 goto end;
8672
8673 /*
8674 * We only expect certificate authorities to have been sent to the server
8675 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8676 */
8677 sktmp = SSL_get0_peer_CA_list(serverssl);
8678 if (prot == TLS1_3_VERSION
8679 && (tst == 0 || tst == 1)) {
8680 if (!TEST_ptr(sktmp)
8681 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8682 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8683 name[0]), 0)
8684 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8685 name[1]), 0))
8686 goto end;
8687 } else if (!TEST_ptr_null(sktmp)) {
8688 goto end;
8689 }
8690
8691 /*
8692 * In all tests we expect certificate authorities to have been sent to the
8693 * client. However, SSL_set_client_CA_list() should override
8694 * SSL_set0_CA_list()
8695 */
8696 sktmp = SSL_get0_peer_CA_list(clientssl);
8697 if (!TEST_ptr(sktmp)
8698 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8699 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8700 name[tst == 0 ? 0 : 2]), 0)
8701 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8702 name[tst == 0 ? 1 : 3]), 0))
8703 goto end;
8704
8705 testresult = 1;
8706
8707 end:
8708 SSL_free(serverssl);
8709 SSL_free(clientssl);
8710 SSL_CTX_free(sctx);
8711 SSL_CTX_free(cctx);
8712 for (i = 0; i < OSSL_NELEM(name); i++)
8713 X509_NAME_free(name[i]);
8714 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8715 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8716
8717 return testresult;
8718 }
8719 #endif
8720
test_ca_names(int tst)8721 static int test_ca_names(int tst)
8722 {
8723 int testresult = 1;
8724
8725 #ifndef OPENSSL_NO_TLS1_2
8726 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8727 #endif
8728 #ifndef OSSL_NO_USABLE_TLS1_3
8729 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8730 #endif
8731
8732 return testresult;
8733 }
8734
8735 #ifndef OPENSSL_NO_TLS1_2
8736 static const char *multiblock_cipherlist_data[]=
8737 {
8738 "AES128-SHA",
8739 "AES128-SHA256",
8740 "AES256-SHA",
8741 "AES256-SHA256",
8742 };
8743
8744 /* Reduce the fragment size - so the multiblock test buffer can be small */
8745 # define MULTIBLOCK_FRAGSIZE 512
8746
test_multiblock_write(int test_index)8747 static int test_multiblock_write(int test_index)
8748 {
8749 static const char *fetchable_ciphers[]=
8750 {
8751 "AES-128-CBC-HMAC-SHA1",
8752 "AES-128-CBC-HMAC-SHA256",
8753 "AES-256-CBC-HMAC-SHA1",
8754 "AES-256-CBC-HMAC-SHA256"
8755 };
8756 const char *cipherlist = multiblock_cipherlist_data[test_index];
8757 const SSL_METHOD *smeth = TLS_server_method();
8758 const SSL_METHOD *cmeth = TLS_client_method();
8759 int min_version = TLS1_VERSION;
8760 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8761 SSL_CTX *cctx = NULL, *sctx = NULL;
8762 SSL *clientssl = NULL, *serverssl = NULL;
8763 int testresult = 0;
8764
8765 /*
8766 * Choose a buffer large enough to perform a multi-block operation
8767 * i.e: write_len >= 4 * frag_size
8768 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8769 */
8770 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8771 unsigned char buf[sizeof(msg)], *p = buf;
8772 size_t readbytes, written, len;
8773 EVP_CIPHER *ciph = NULL;
8774
8775 /*
8776 * Check if the cipher exists before attempting to use it since it only has
8777 * a hardware specific implementation.
8778 */
8779 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8780 if (ciph == NULL) {
8781 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8782 return 1;
8783 }
8784 EVP_CIPHER_free(ciph);
8785
8786 /* Set up a buffer with some data that will be sent to the client */
8787 RAND_bytes(msg, sizeof(msg));
8788
8789 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8790 max_version, &sctx, &cctx, cert,
8791 privkey)))
8792 goto end;
8793
8794 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8795 goto end;
8796
8797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8798 NULL, NULL)))
8799 goto end;
8800
8801 /* settings to force it to use AES-CBC-HMAC_SHA */
8802 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8803 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8804 goto end;
8805
8806 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8807 goto end;
8808
8809 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8810 || !TEST_size_t_eq(written, sizeof(msg)))
8811 goto end;
8812
8813 len = written;
8814 while (len > 0) {
8815 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8816 goto end;
8817 p += readbytes;
8818 len -= readbytes;
8819 }
8820 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8821 goto end;
8822
8823 testresult = 1;
8824 end:
8825 SSL_free(serverssl);
8826 SSL_free(clientssl);
8827 SSL_CTX_free(sctx);
8828 SSL_CTX_free(cctx);
8829
8830 return testresult;
8831 }
8832 #endif /* OPENSSL_NO_TLS1_2 */
8833
test_session_timeout(int test)8834 static int test_session_timeout(int test)
8835 {
8836 /*
8837 * Test session ordering and timeout
8838 * Can't explicitly test performance of the new code,
8839 * but can test to see if the ordering of the sessions
8840 * are correct, and they they are removed as expected
8841 */
8842 SSL_SESSION *early = NULL;
8843 SSL_SESSION *middle = NULL;
8844 SSL_SESSION *late = NULL;
8845 SSL_CTX *ctx;
8846 int testresult = 0;
8847 long now = (long)time(NULL);
8848 #define TIMEOUT 10
8849
8850 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8851 || !TEST_ptr(early = SSL_SESSION_new())
8852 || !TEST_ptr(middle = SSL_SESSION_new())
8853 || !TEST_ptr(late = SSL_SESSION_new()))
8854 goto end;
8855
8856 /* assign unique session ids */
8857 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8858 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8859 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8860 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8861 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8862 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8863
8864 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8865 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8866 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8867 goto end;
8868
8869 /* Make sure they are all added */
8870 if (!TEST_ptr(early->prev)
8871 || !TEST_ptr(middle->prev)
8872 || !TEST_ptr(late->prev))
8873 goto end;
8874
8875 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8876 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8877 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8878 goto end;
8879
8880 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8881 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8882 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8883 goto end;
8884
8885 /* Make sure they are all still there */
8886 if (!TEST_ptr(early->prev)
8887 || !TEST_ptr(middle->prev)
8888 || !TEST_ptr(late->prev))
8889 goto end;
8890
8891 /* Make sure they are in the expected order */
8892 if (!TEST_ptr_eq(late->next, middle)
8893 || !TEST_ptr_eq(middle->next, early)
8894 || !TEST_ptr_eq(early->prev, middle)
8895 || !TEST_ptr_eq(middle->prev, late))
8896 goto end;
8897
8898 /* This should remove "early" */
8899 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8900 if (!TEST_ptr_null(early->prev)
8901 || !TEST_ptr(middle->prev)
8902 || !TEST_ptr(late->prev))
8903 goto end;
8904
8905 /* This should remove "middle" */
8906 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8907 if (!TEST_ptr_null(early->prev)
8908 || !TEST_ptr_null(middle->prev)
8909 || !TEST_ptr(late->prev))
8910 goto end;
8911
8912 /* This should remove "late" */
8913 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8914 if (!TEST_ptr_null(early->prev)
8915 || !TEST_ptr_null(middle->prev)
8916 || !TEST_ptr_null(late->prev))
8917 goto end;
8918
8919 /* Add them back in again */
8920 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8921 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8922 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8923 goto end;
8924
8925 /* Make sure they are all added */
8926 if (!TEST_ptr(early->prev)
8927 || !TEST_ptr(middle->prev)
8928 || !TEST_ptr(late->prev))
8929 goto end;
8930
8931 /* This should remove all of them */
8932 SSL_CTX_flush_sessions(ctx, 0);
8933 if (!TEST_ptr_null(early->prev)
8934 || !TEST_ptr_null(middle->prev)
8935 || !TEST_ptr_null(late->prev))
8936 goto end;
8937
8938 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8939 | SSL_CTX_get_session_cache_mode(ctx));
8940
8941 /* make sure |now| is NOT equal to the current time */
8942 now -= 10;
8943 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8944 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8945 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8946 goto end;
8947
8948 testresult = 1;
8949 end:
8950 SSL_CTX_free(ctx);
8951 SSL_SESSION_free(early);
8952 SSL_SESSION_free(middle);
8953 SSL_SESSION_free(late);
8954 return testresult;
8955 }
8956
8957 /*
8958 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8959 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8960 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8961 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8962 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8963 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8964 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8965 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8966 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8967 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8968 */
test_servername(int tst)8969 static int test_servername(int tst)
8970 {
8971 SSL_CTX *cctx = NULL, *sctx = NULL;
8972 SSL *clientssl = NULL, *serverssl = NULL;
8973 int testresult = 0;
8974 SSL_SESSION *sess = NULL;
8975 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8976
8977 #ifdef OPENSSL_NO_TLS1_2
8978 if (tst <= 4)
8979 return 1;
8980 #endif
8981 #ifdef OSSL_NO_USABLE_TLS1_3
8982 if (tst >= 5)
8983 return 1;
8984 #endif
8985
8986 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8987 TLS_client_method(),
8988 TLS1_VERSION,
8989 (tst <= 4) ? TLS1_2_VERSION
8990 : TLS1_3_VERSION,
8991 &sctx, &cctx, cert, privkey))
8992 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8993 NULL, NULL)))
8994 goto end;
8995
8996 if (tst != 1 && tst != 6) {
8997 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8998 hostname_cb)))
8999 goto end;
9000 }
9001
9002 if (tst != 3 && tst != 8) {
9003 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9004 goto end;
9005 sexpectedhost = cexpectedhost = "goodhost";
9006 }
9007
9008 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9009 goto end;
9010
9011 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9012 cexpectedhost)
9013 || !TEST_str_eq(SSL_get_servername(serverssl,
9014 TLSEXT_NAMETYPE_host_name),
9015 sexpectedhost))
9016 goto end;
9017
9018 /* Now repeat with a resumption handshake */
9019
9020 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9021 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9022 || !TEST_true(SSL_SESSION_is_resumable(sess))
9023 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9024 goto end;
9025
9026 SSL_free(clientssl);
9027 SSL_free(serverssl);
9028 clientssl = serverssl = NULL;
9029
9030 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9031 NULL)))
9032 goto end;
9033
9034 if (!TEST_true(SSL_set_session(clientssl, sess)))
9035 goto end;
9036
9037 sexpectedhost = cexpectedhost = "goodhost";
9038 if (tst == 2 || tst == 7) {
9039 /* Set an inconsistent hostname */
9040 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9041 goto end;
9042 /*
9043 * In TLSv1.2 we expect the hostname from the original handshake, in
9044 * TLSv1.3 we expect the hostname from this handshake
9045 */
9046 if (tst == 7)
9047 sexpectedhost = cexpectedhost = "altgoodhost";
9048
9049 if (!TEST_str_eq(SSL_get_servername(clientssl,
9050 TLSEXT_NAMETYPE_host_name),
9051 "altgoodhost"))
9052 goto end;
9053 } else if (tst == 4 || tst == 9) {
9054 /*
9055 * A TLSv1.3 session does not associate a session with a servername,
9056 * but a TLSv1.2 session does.
9057 */
9058 if (tst == 9)
9059 sexpectedhost = cexpectedhost = NULL;
9060
9061 if (!TEST_str_eq(SSL_get_servername(clientssl,
9062 TLSEXT_NAMETYPE_host_name),
9063 cexpectedhost))
9064 goto end;
9065 } else {
9066 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9067 goto end;
9068 /*
9069 * In a TLSv1.2 resumption where the hostname was not acknowledged
9070 * we expect the hostname on the server to be empty. On the client we
9071 * return what was requested in this case.
9072 *
9073 * Similarly if the client didn't set a hostname on an original TLSv1.2
9074 * session but is now, the server hostname will be empty, but the client
9075 * is as we set it.
9076 */
9077 if (tst == 1 || tst == 3)
9078 sexpectedhost = NULL;
9079
9080 if (!TEST_str_eq(SSL_get_servername(clientssl,
9081 TLSEXT_NAMETYPE_host_name),
9082 "goodhost"))
9083 goto end;
9084 }
9085
9086 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9087 goto end;
9088
9089 if (!TEST_true(SSL_session_reused(clientssl))
9090 || !TEST_true(SSL_session_reused(serverssl))
9091 || !TEST_str_eq(SSL_get_servername(clientssl,
9092 TLSEXT_NAMETYPE_host_name),
9093 cexpectedhost)
9094 || !TEST_str_eq(SSL_get_servername(serverssl,
9095 TLSEXT_NAMETYPE_host_name),
9096 sexpectedhost))
9097 goto end;
9098
9099 testresult = 1;
9100
9101 end:
9102 SSL_SESSION_free(sess);
9103 SSL_free(serverssl);
9104 SSL_free(clientssl);
9105 SSL_CTX_free(sctx);
9106 SSL_CTX_free(cctx);
9107
9108 return testresult;
9109 }
9110
9111 #if !defined(OPENSSL_NO_EC) \
9112 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9113 /*
9114 * Test that if signature algorithms are not available, then we do not offer or
9115 * accept them.
9116 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9117 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9118 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9119 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9120 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9121 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9122 */
test_sigalgs_available(int idx)9123 static int test_sigalgs_available(int idx)
9124 {
9125 SSL_CTX *cctx = NULL, *sctx = NULL;
9126 SSL *clientssl = NULL, *serverssl = NULL;
9127 int testresult = 0;
9128 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9129 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9130 OSSL_PROVIDER *filterprov = NULL;
9131 int sig, hash;
9132
9133 if (!TEST_ptr(tmpctx))
9134 goto end;
9135
9136 if (idx != 0 && idx != 3) {
9137 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9138 filter_provider_init)))
9139 goto end;
9140
9141 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9142 if (!TEST_ptr(filterprov))
9143 goto end;
9144
9145 if (idx < 3) {
9146 /*
9147 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9148 * or accepted for the peer that uses this libctx. Note that libssl
9149 * *requires* SHA2-256 to be available so we cannot disable that. We
9150 * also need SHA1 for our certificate.
9151 */
9152 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9153 "SHA2-256:SHA1")))
9154 goto end;
9155 } else {
9156 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9157 "ECDSA"))
9158 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9159 "EC:X25519:X448")))
9160 goto end;
9161 }
9162
9163 if (idx == 1 || idx == 4)
9164 clientctx = tmpctx;
9165 else
9166 serverctx = tmpctx;
9167 }
9168
9169 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9170 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9171 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9172 goto end;
9173
9174 if (idx != 5) {
9175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9176 TLS_client_method(),
9177 TLS1_VERSION,
9178 0,
9179 &sctx, &cctx, cert, privkey)))
9180 goto end;
9181 } else {
9182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9183 TLS_client_method(),
9184 TLS1_VERSION,
9185 0,
9186 &sctx, &cctx, cert2, privkey2)))
9187 goto end;
9188 }
9189
9190 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9191 if (idx < 4) {
9192 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9193 "ECDHE-RSA-AES128-GCM-SHA256")))
9194 goto end;
9195 } else {
9196 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9197 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9198 goto end;
9199 }
9200
9201 if (idx < 3) {
9202 if (!SSL_CTX_set1_sigalgs_list(cctx,
9203 "rsa_pss_rsae_sha384"
9204 ":rsa_pss_rsae_sha256")
9205 || !SSL_CTX_set1_sigalgs_list(sctx,
9206 "rsa_pss_rsae_sha384"
9207 ":rsa_pss_rsae_sha256"))
9208 goto end;
9209 } else {
9210 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9211 || !SSL_CTX_set1_sigalgs_list(sctx,
9212 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9213 goto end;
9214 }
9215
9216 if (idx != 5
9217 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9218 SSL_FILETYPE_PEM), 1)
9219 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9220 privkey2,
9221 SSL_FILETYPE_PEM), 1)
9222 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9223 goto end;
9224
9225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9226 NULL, NULL)))
9227 goto end;
9228
9229 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9230 goto end;
9231
9232 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9233 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9234 NULL, NULL),
9235 (idx == 0 || idx == 3) ? 2 : 1))
9236 goto end;
9237
9238 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9239 goto end;
9240
9241 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9242 : NID_rsassaPss))
9243 goto end;
9244
9245 testresult = filter_provider_check_clean_finish();
9246
9247 end:
9248 SSL_free(serverssl);
9249 SSL_free(clientssl);
9250 SSL_CTX_free(sctx);
9251 SSL_CTX_free(cctx);
9252 OSSL_PROVIDER_unload(filterprov);
9253 OSSL_LIB_CTX_free(tmpctx);
9254
9255 return testresult;
9256 }
9257 #endif /*
9258 * !defined(OPENSSL_NO_EC) \
9259 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9260 */
9261
9262 #ifndef OPENSSL_NO_TLS1_3
9263 /* This test can run in TLSv1.3 even if ec and dh are disabled */
test_pluggable_group(int idx)9264 static int test_pluggable_group(int idx)
9265 {
9266 SSL_CTX *cctx = NULL, *sctx = NULL;
9267 SSL *clientssl = NULL, *serverssl = NULL;
9268 int testresult = 0;
9269 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9270 /* Check that we are not impacted by a provider without any groups */
9271 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9272 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
9273
9274 if (!TEST_ptr(tlsprov))
9275 goto end;
9276
9277 if (legacyprov == NULL) {
9278 /*
9279 * In this case we assume we've been built with "no-legacy" and skip
9280 * this test (there is no OPENSSL_NO_LEGACY)
9281 */
9282 testresult = 1;
9283 goto end;
9284 }
9285
9286 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9287 TLS_client_method(),
9288 TLS1_3_VERSION,
9289 TLS1_3_VERSION,
9290 &sctx, &cctx, cert, privkey))
9291 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9292 NULL, NULL)))
9293 goto end;
9294
9295 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9296 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9297 goto end;
9298
9299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9300 goto end;
9301
9302 if (!TEST_str_eq(group_name,
9303 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9304 goto end;
9305
9306 testresult = 1;
9307
9308 end:
9309 SSL_free(serverssl);
9310 SSL_free(clientssl);
9311 SSL_CTX_free(sctx);
9312 SSL_CTX_free(cctx);
9313 OSSL_PROVIDER_unload(tlsprov);
9314 OSSL_PROVIDER_unload(legacyprov);
9315
9316 return testresult;
9317 }
9318 #endif
9319
9320 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)9321 static int test_ssl_dup(void)
9322 {
9323 SSL_CTX *cctx = NULL, *sctx = NULL;
9324 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9325 int testresult = 0;
9326 BIO *rbio = NULL, *wbio = NULL;
9327
9328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9329 TLS_client_method(),
9330 0,
9331 0,
9332 &sctx, &cctx, cert, privkey)))
9333 goto end;
9334
9335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9336 NULL, NULL)))
9337 goto end;
9338
9339 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9340 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9341 goto end;
9342
9343 client2ssl = SSL_dup(clientssl);
9344 rbio = SSL_get_rbio(clientssl);
9345 if (!TEST_ptr(rbio)
9346 || !TEST_true(BIO_up_ref(rbio)))
9347 goto end;
9348 SSL_set0_rbio(client2ssl, rbio);
9349 rbio = NULL;
9350
9351 wbio = SSL_get_wbio(clientssl);
9352 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9353 goto end;
9354 SSL_set0_wbio(client2ssl, wbio);
9355 rbio = NULL;
9356
9357 if (!TEST_ptr(client2ssl)
9358 /* Handshake not started so pointers should be different */
9359 || !TEST_ptr_ne(clientssl, client2ssl))
9360 goto end;
9361
9362 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9363 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9364 goto end;
9365
9366 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9367 goto end;
9368
9369 SSL_free(clientssl);
9370 clientssl = SSL_dup(client2ssl);
9371 if (!TEST_ptr(clientssl)
9372 /* Handshake has finished so pointers should be the same */
9373 || !TEST_ptr_eq(clientssl, client2ssl))
9374 goto end;
9375
9376 testresult = 1;
9377
9378 end:
9379 SSL_free(serverssl);
9380 SSL_free(clientssl);
9381 SSL_free(client2ssl);
9382 SSL_CTX_free(sctx);
9383 SSL_CTX_free(cctx);
9384
9385 return testresult;
9386 }
9387
9388 # ifndef OPENSSL_NO_DH
9389
9390 static EVP_PKEY *tmp_dh_params = NULL;
9391
9392 /* Helper function for the test_set_tmp_dh() tests */
get_tmp_dh_params(void)9393 static EVP_PKEY *get_tmp_dh_params(void)
9394 {
9395 if (tmp_dh_params == NULL) {
9396 BIGNUM *p = NULL;
9397 OSSL_PARAM_BLD *tmpl = NULL;
9398 EVP_PKEY_CTX *pctx = NULL;
9399 OSSL_PARAM *params = NULL;
9400 EVP_PKEY *dhpkey = NULL;
9401
9402 p = BN_get_rfc3526_prime_2048(NULL);
9403 if (!TEST_ptr(p))
9404 goto end;
9405
9406 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9407 if (!TEST_ptr(pctx)
9408 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9409 goto end;
9410
9411 tmpl = OSSL_PARAM_BLD_new();
9412 if (!TEST_ptr(tmpl)
9413 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9414 OSSL_PKEY_PARAM_FFC_P,
9415 p))
9416 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9417 OSSL_PKEY_PARAM_FFC_G,
9418 2)))
9419 goto end;
9420
9421 params = OSSL_PARAM_BLD_to_param(tmpl);
9422 if (!TEST_ptr(params)
9423 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9424 EVP_PKEY_KEY_PARAMETERS,
9425 params), 1))
9426 goto end;
9427
9428 tmp_dh_params = dhpkey;
9429 end:
9430 BN_free(p);
9431 EVP_PKEY_CTX_free(pctx);
9432 OSSL_PARAM_BLD_free(tmpl);
9433 OSSL_PARAM_free(params);
9434 }
9435
9436 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9437 return NULL;
9438
9439 return tmp_dh_params;
9440 }
9441
9442 # ifndef OPENSSL_NO_DEPRECATED_3_0
9443 /* Callback used by test_set_tmp_dh() */
tmp_dh_callback(SSL * s,int is_export,int keylen)9444 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9445 {
9446 EVP_PKEY *dhpkey = get_tmp_dh_params();
9447 DH *ret = NULL;
9448
9449 if (!TEST_ptr(dhpkey))
9450 return NULL;
9451
9452 /*
9453 * libssl does not free the returned DH, so we free it now knowing that even
9454 * after we free dhpkey, there will still be a reference to the owning
9455 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9456 * of time we need it for.
9457 */
9458 ret = EVP_PKEY_get1_DH(dhpkey);
9459 DH_free(ret);
9460
9461 EVP_PKEY_free(dhpkey);
9462
9463 return ret;
9464 }
9465 # endif
9466
9467 /*
9468 * Test the various methods for setting temporary DH parameters
9469 *
9470 * Test 0: Default (no auto) setting
9471 * Test 1: Explicit SSL_CTX auto off
9472 * Test 2: Explicit SSL auto off
9473 * Test 3: Explicit SSL_CTX auto on
9474 * Test 4: Explicit SSL auto on
9475 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9476 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9477 *
9478 * The following are testing deprecated APIs, so we only run them if available
9479 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9480 * Test 8: Explicit SSL auto off, custom DH params via DH
9481 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9482 * Test 10: Explicit SSL auto off, custom DH params via callback
9483 */
test_set_tmp_dh(int idx)9484 static int test_set_tmp_dh(int idx)
9485 {
9486 SSL_CTX *cctx = NULL, *sctx = NULL;
9487 SSL *clientssl = NULL, *serverssl = NULL;
9488 int testresult = 0;
9489 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9490 int expected = (idx <= 2) ? 0 : 1;
9491 EVP_PKEY *dhpkey = NULL;
9492 # ifndef OPENSSL_NO_DEPRECATED_3_0
9493 DH *dh = NULL;
9494 # else
9495
9496 if (idx >= 7)
9497 return 1;
9498 # endif
9499
9500 if (idx >= 5 && idx <= 8) {
9501 dhpkey = get_tmp_dh_params();
9502 if (!TEST_ptr(dhpkey))
9503 goto end;
9504 }
9505 # ifndef OPENSSL_NO_DEPRECATED_3_0
9506 if (idx == 7 || idx == 8) {
9507 dh = EVP_PKEY_get1_DH(dhpkey);
9508 if (!TEST_ptr(dh))
9509 goto end;
9510 }
9511 # endif
9512
9513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9514 TLS_client_method(),
9515 0,
9516 0,
9517 &sctx, &cctx, cert, privkey)))
9518 goto end;
9519
9520 if ((idx & 1) == 1) {
9521 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9522 goto end;
9523 }
9524
9525 if (idx == 5) {
9526 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9527 goto end;
9528 dhpkey = NULL;
9529 }
9530 # ifndef OPENSSL_NO_DEPRECATED_3_0
9531 else if (idx == 7) {
9532 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9533 goto end;
9534 } else if (idx == 9) {
9535 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9536 }
9537 # endif
9538
9539 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9540 NULL, NULL)))
9541 goto end;
9542
9543 if ((idx & 1) == 0 && idx != 0) {
9544 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9545 goto end;
9546 }
9547 if (idx == 6) {
9548 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9549 goto end;
9550 dhpkey = NULL;
9551 }
9552 # ifndef OPENSSL_NO_DEPRECATED_3_0
9553 else if (idx == 8) {
9554 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9555 goto end;
9556 } else if (idx == 10) {
9557 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9558 }
9559 # endif
9560
9561 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9562 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9563 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9564 goto end;
9565
9566 /*
9567 * If autoon then we should succeed. Otherwise we expect failure because
9568 * there are no parameters
9569 */
9570 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9571 SSL_ERROR_NONE), expected))
9572 goto end;
9573
9574 testresult = 1;
9575
9576 end:
9577 # ifndef OPENSSL_NO_DEPRECATED_3_0
9578 DH_free(dh);
9579 # endif
9580 SSL_free(serverssl);
9581 SSL_free(clientssl);
9582 SSL_CTX_free(sctx);
9583 SSL_CTX_free(cctx);
9584 EVP_PKEY_free(dhpkey);
9585
9586 return testresult;
9587 }
9588
9589 /*
9590 * Test the auto DH keys are appropriately sized
9591 */
test_dh_auto(int idx)9592 static int test_dh_auto(int idx)
9593 {
9594 SSL_CTX *cctx = NULL, *sctx = NULL;
9595 SSL *clientssl = NULL, *serverssl = NULL;
9596 int testresult = 0;
9597 EVP_PKEY *tmpkey = NULL;
9598 char *thiscert = NULL, *thiskey = NULL;
9599 size_t expdhsize = 0;
9600 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9601
9602 switch (idx) {
9603 case 0:
9604 /* The FIPS provider doesn't support this DH size - so we ignore it */
9605 if (is_fips)
9606 return 1;
9607 thiscert = cert1024;
9608 thiskey = privkey1024;
9609 expdhsize = 1024;
9610 break;
9611 case 1:
9612 /* 2048 bit prime */
9613 thiscert = cert;
9614 thiskey = privkey;
9615 expdhsize = 2048;
9616 break;
9617 case 2:
9618 thiscert = cert3072;
9619 thiskey = privkey3072;
9620 expdhsize = 3072;
9621 break;
9622 case 3:
9623 thiscert = cert4096;
9624 thiskey = privkey4096;
9625 expdhsize = 4096;
9626 break;
9627 case 4:
9628 thiscert = cert8192;
9629 thiskey = privkey8192;
9630 expdhsize = 8192;
9631 break;
9632 /* No certificate cases */
9633 case 5:
9634 /* The FIPS provider doesn't support this DH size - so we ignore it */
9635 if (is_fips)
9636 return 1;
9637 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9638 expdhsize = 1024;
9639 break;
9640 case 6:
9641 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9642 expdhsize = 3072;
9643 break;
9644 default:
9645 TEST_error("Invalid text index");
9646 goto end;
9647 }
9648
9649 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9650 TLS_client_method(),
9651 0,
9652 0,
9653 &sctx, &cctx, thiscert, thiskey)))
9654 goto end;
9655
9656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9657 NULL, NULL)))
9658 goto end;
9659
9660 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9661 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9662 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9663 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9664 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9665 goto end;
9666
9667 /*
9668 * Send the server's first flight. At this point the server has created the
9669 * temporary DH key but hasn't finished using it yet. Once used it is
9670 * removed, so we cannot test it.
9671 */
9672 if (!TEST_int_le(SSL_connect(clientssl), 0)
9673 || !TEST_int_le(SSL_accept(serverssl), 0))
9674 goto end;
9675
9676 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9677 goto end;
9678 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9679 goto end;
9680
9681 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9682 goto end;
9683
9684 testresult = 1;
9685
9686 end:
9687 SSL_free(serverssl);
9688 SSL_free(clientssl);
9689 SSL_CTX_free(sctx);
9690 SSL_CTX_free(cctx);
9691 EVP_PKEY_free(tmpkey);
9692
9693 return testresult;
9694
9695 }
9696 # endif /* OPENSSL_NO_DH */
9697 #endif /* OPENSSL_NO_TLS1_2 */
9698
9699 #ifndef OSSL_NO_USABLE_TLS1_3
9700 /*
9701 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9702 * that it works even without a certificate configured for the original
9703 * SSL_CTX
9704 */
test_sni_tls13(void)9705 static int test_sni_tls13(void)
9706 {
9707 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9708 SSL *clientssl = NULL, *serverssl = NULL;
9709 int testresult = 0;
9710
9711 /* Reset callback counter */
9712 snicb = 0;
9713
9714 /* Create an initial SSL_CTX with no certificate configured */
9715 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9716 if (!TEST_ptr(sctx))
9717 goto end;
9718 /* Require TLSv1.3 as a minimum */
9719 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9720 TLS_client_method(), TLS1_3_VERSION, 0,
9721 &sctx2, &cctx, cert, privkey)))
9722 goto end;
9723
9724 /* Set up SNI */
9725 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9726 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9727 goto end;
9728
9729 /*
9730 * Connection should still succeed because the final SSL_CTX has the right
9731 * certificates configured.
9732 */
9733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9734 &clientssl, NULL, NULL))
9735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9736 SSL_ERROR_NONE)))
9737 goto end;
9738
9739 /* We should have had the SNI callback called exactly once */
9740 if (!TEST_int_eq(snicb, 1))
9741 goto end;
9742
9743 testresult = 1;
9744
9745 end:
9746 SSL_free(serverssl);
9747 SSL_free(clientssl);
9748 SSL_CTX_free(sctx2);
9749 SSL_CTX_free(sctx);
9750 SSL_CTX_free(cctx);
9751 return testresult;
9752 }
9753
9754 /*
9755 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9756 * 0 = TLSv1.2
9757 * 1 = TLSv1.3
9758 */
test_ticket_lifetime(int idx)9759 static int test_ticket_lifetime(int idx)
9760 {
9761 SSL_CTX *cctx = NULL, *sctx = NULL;
9762 SSL *clientssl = NULL, *serverssl = NULL;
9763 int testresult = 0;
9764 int version = TLS1_3_VERSION;
9765
9766 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9767 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9768
9769 if (idx == 0) {
9770 #ifdef OPENSSL_NO_TLS1_2
9771 return TEST_skip("TLS 1.2 is disabled.");
9772 #else
9773 version = TLS1_2_VERSION;
9774 #endif
9775 }
9776
9777 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9778 TLS_client_method(), version, version,
9779 &sctx, &cctx, cert, privkey)))
9780 goto end;
9781
9782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9783 &clientssl, NULL, NULL)))
9784 goto end;
9785
9786 /*
9787 * Set the timeout to be more than 1 week
9788 * make sure the returned value is the default
9789 */
9790 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9791 SSL_get_default_timeout(serverssl)))
9792 goto end;
9793
9794 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9795 goto end;
9796
9797 if (idx == 0) {
9798 /* TLSv1.2 uses the set value */
9799 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9800 goto end;
9801 } else {
9802 /* TLSv1.3 uses the limited value */
9803 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9804 goto end;
9805 }
9806 testresult = 1;
9807
9808 end:
9809 SSL_free(serverssl);
9810 SSL_free(clientssl);
9811 SSL_CTX_free(sctx);
9812 SSL_CTX_free(cctx);
9813 return testresult;
9814 }
9815 #endif
9816 /*
9817 * Test that setting an ALPN does not violate RFC
9818 */
test_set_alpn(void)9819 static int test_set_alpn(void)
9820 {
9821 SSL_CTX *ctx = NULL;
9822 SSL *ssl = NULL;
9823 int testresult = 0;
9824
9825 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9826 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9827 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9828 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9829 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9830 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9831
9832 /* Create an initial SSL_CTX with no certificate configured */
9833 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9834 if (!TEST_ptr(ctx))
9835 goto end;
9836
9837 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9838 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9839 goto end;
9840 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9841 goto end;
9842 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9843 goto end;
9844 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9845 goto end;
9846 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9847 goto end;
9848 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9849 goto end;
9850 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9851 goto end;
9852 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9853 goto end;
9854 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9855 goto end;
9856
9857 ssl = SSL_new(ctx);
9858 if (!TEST_ptr(ssl))
9859 goto end;
9860
9861 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9862 goto end;
9863 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9864 goto end;
9865 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9866 goto end;
9867 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9868 goto end;
9869 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9870 goto end;
9871 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9872 goto end;
9873 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9874 goto end;
9875 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9876 goto end;
9877 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9878 goto end;
9879
9880 testresult = 1;
9881
9882 end:
9883 SSL_free(ssl);
9884 SSL_CTX_free(ctx);
9885 return testresult;
9886 }
9887
9888 /*
9889 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9890 */
test_set_verify_cert_store_ssl_ctx(void)9891 static int test_set_verify_cert_store_ssl_ctx(void)
9892 {
9893 SSL_CTX *ctx = NULL;
9894 int testresult = 0;
9895 X509_STORE *store = NULL, *new_store = NULL,
9896 *cstore = NULL, *new_cstore = NULL;
9897
9898 /* Create an initial SSL_CTX. */
9899 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9900 if (!TEST_ptr(ctx))
9901 goto end;
9902
9903 /* Retrieve verify store pointer. */
9904 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9905 goto end;
9906
9907 /* Retrieve chain store pointer. */
9908 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9909 goto end;
9910
9911 /* We haven't set any yet, so this should be NULL. */
9912 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9913 goto end;
9914
9915 /* Create stores. We use separate stores so pointers are different. */
9916 new_store = X509_STORE_new();
9917 if (!TEST_ptr(new_store))
9918 goto end;
9919
9920 new_cstore = X509_STORE_new();
9921 if (!TEST_ptr(new_cstore))
9922 goto end;
9923
9924 /* Set stores. */
9925 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9926 goto end;
9927
9928 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9929 goto end;
9930
9931 /* Should be able to retrieve the same pointer. */
9932 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9933 goto end;
9934
9935 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9936 goto end;
9937
9938 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9939 goto end;
9940
9941 /* Should be able to unset again. */
9942 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9943 goto end;
9944
9945 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9946 goto end;
9947
9948 /* Should now be NULL. */
9949 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9950 goto end;
9951
9952 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9953 goto end;
9954
9955 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9956 goto end;
9957
9958 testresult = 1;
9959
9960 end:
9961 X509_STORE_free(new_store);
9962 X509_STORE_free(new_cstore);
9963 SSL_CTX_free(ctx);
9964 return testresult;
9965 }
9966
9967 /*
9968 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9969 */
test_set_verify_cert_store_ssl(void)9970 static int test_set_verify_cert_store_ssl(void)
9971 {
9972 SSL_CTX *ctx = NULL;
9973 SSL *ssl = NULL;
9974 int testresult = 0;
9975 X509_STORE *store = NULL, *new_store = NULL,
9976 *cstore = NULL, *new_cstore = NULL;
9977
9978 /* Create an initial SSL_CTX. */
9979 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9980 if (!TEST_ptr(ctx))
9981 goto end;
9982
9983 /* Create an SSL object. */
9984 ssl = SSL_new(ctx);
9985 if (!TEST_ptr(ssl))
9986 goto end;
9987
9988 /* Retrieve verify store pointer. */
9989 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9990 goto end;
9991
9992 /* Retrieve chain store pointer. */
9993 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9994 goto end;
9995
9996 /* We haven't set any yet, so this should be NULL. */
9997 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9998 goto end;
9999
10000 /* Create stores. We use separate stores so pointers are different. */
10001 new_store = X509_STORE_new();
10002 if (!TEST_ptr(new_store))
10003 goto end;
10004
10005 new_cstore = X509_STORE_new();
10006 if (!TEST_ptr(new_cstore))
10007 goto end;
10008
10009 /* Set stores. */
10010 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10011 goto end;
10012
10013 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10014 goto end;
10015
10016 /* Should be able to retrieve the same pointer. */
10017 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10018 goto end;
10019
10020 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10021 goto end;
10022
10023 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10024 goto end;
10025
10026 /* Should be able to unset again. */
10027 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10028 goto end;
10029
10030 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10031 goto end;
10032
10033 /* Should now be NULL. */
10034 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10035 goto end;
10036
10037 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10038 goto end;
10039
10040 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10041 goto end;
10042
10043 testresult = 1;
10044
10045 end:
10046 X509_STORE_free(new_store);
10047 X509_STORE_free(new_cstore);
10048 SSL_free(ssl);
10049 SSL_CTX_free(ctx);
10050 return testresult;
10051 }
10052
10053
test_inherit_verify_param(void)10054 static int test_inherit_verify_param(void)
10055 {
10056 int testresult = 0;
10057
10058 SSL_CTX *ctx = NULL;
10059 X509_VERIFY_PARAM *cp = NULL;
10060 SSL *ssl = NULL;
10061 X509_VERIFY_PARAM *sp = NULL;
10062 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10063
10064 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10065 if (!TEST_ptr(ctx))
10066 goto end;
10067
10068 cp = SSL_CTX_get0_param(ctx);
10069 if (!TEST_ptr(cp))
10070 goto end;
10071 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10072 goto end;
10073
10074 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10075
10076 ssl = SSL_new(ctx);
10077 if (!TEST_ptr(ssl))
10078 goto end;
10079
10080 sp = SSL_get0_param(ssl);
10081 if (!TEST_ptr(sp))
10082 goto end;
10083 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10084 goto end;
10085
10086 testresult = 1;
10087
10088 end:
10089 SSL_free(ssl);
10090 SSL_CTX_free(ctx);
10091
10092 return testresult;
10093 }
10094
test_load_dhfile(void)10095 static int test_load_dhfile(void)
10096 {
10097 #ifndef OPENSSL_NO_DH
10098 int testresult = 0;
10099
10100 SSL_CTX *ctx = NULL;
10101 SSL_CONF_CTX *cctx = NULL;
10102
10103 if (dhfile == NULL)
10104 return 1;
10105
10106 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10107 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10108 goto end;
10109
10110 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10111 SSL_CONF_CTX_set_flags(cctx,
10112 SSL_CONF_FLAG_CERTIFICATE
10113 | SSL_CONF_FLAG_SERVER
10114 | SSL_CONF_FLAG_FILE);
10115
10116 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10117 goto end;
10118
10119 testresult = 1;
10120 end:
10121 SSL_CONF_CTX_free(cctx);
10122 SSL_CTX_free(ctx);
10123
10124 return testresult;
10125 #else
10126 return TEST_skip("DH not supported by this build");
10127 #endif
10128 }
10129
10130 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10131
load_dasync(void)10132 static ENGINE *load_dasync(void)
10133 {
10134 ENGINE *e;
10135
10136 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10137 return NULL;
10138
10139 if (!TEST_true(ENGINE_init(e))) {
10140 ENGINE_free(e);
10141 return NULL;
10142 }
10143
10144 if (!TEST_true(ENGINE_register_ciphers(e))) {
10145 ENGINE_free(e);
10146 return NULL;
10147 }
10148
10149 return e;
10150 }
10151
10152 /*
10153 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10154 * support this yet. The only pipeline capable cipher that we have is in the
10155 * dasync engine (providers don't support this yet), so we have to use
10156 * deprecated APIs for this test.
10157 *
10158 * Test 0: Client has pipelining enabled, server does not
10159 * Test 1: Server has pipelining enabled, client does not
10160 * Test 2: Client has pipelining enabled, server does not: not enough data to
10161 * fill all the pipelines
10162 * Test 3: Client has pipelining enabled, server does not: not enough data to
10163 * fill all the pipelines by more than a full pipeline's worth
10164 * Test 4: Client has pipelining enabled, server does not: more data than all
10165 * the available pipelines can take
10166 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10167 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10168 * is created)
10169 */
test_pipelining(int idx)10170 static int test_pipelining(int idx)
10171 {
10172 SSL_CTX *cctx = NULL, *sctx = NULL;
10173 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10174 int testresult = 0, numreads;
10175 /* A 55 byte message */
10176 unsigned char *msg = (unsigned char *)
10177 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10178 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10179 size_t expectedreads;
10180 unsigned char *buf = NULL;
10181 ENGINE *e = NULL;
10182
10183 if (idx != 6) {
10184 e = load_dasync();
10185 if (e == NULL)
10186 return 0;
10187 }
10188
10189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10190 TLS_client_method(), 0,
10191 TLS1_2_VERSION, &sctx, &cctx, cert,
10192 privkey)))
10193 goto end;
10194
10195 if (idx == 6) {
10196 e = load_dasync();
10197 if (e == NULL)
10198 goto end;
10199 /* Now act like test 0 */
10200 idx = 0;
10201 }
10202
10203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10204 &clientssl, NULL, NULL)))
10205 goto end;
10206
10207 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10208 goto end;
10209
10210 /* peera is always configured for pipelining, while peerb is not. */
10211 if (idx == 1) {
10212 peera = serverssl;
10213 peerb = clientssl;
10214
10215 } else {
10216 peera = clientssl;
10217 peerb = serverssl;
10218 }
10219
10220 if (idx == 5) {
10221 numpipes = 2;
10222 /* Maximum allowed fragment size */
10223 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10224 msglen = fragsize * numpipes;
10225 msg = OPENSSL_malloc(msglen);
10226 if (!TEST_ptr(msg))
10227 goto end;
10228 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10229 goto end;
10230 } else if (idx == 4) {
10231 msglen = 55;
10232 } else {
10233 msglen = 50;
10234 }
10235 if (idx == 2)
10236 msglen -= 2; /* Send 2 less bytes */
10237 else if (idx == 3)
10238 msglen -= 12; /* Send 12 less bytes */
10239
10240 buf = OPENSSL_malloc(msglen);
10241 if (!TEST_ptr(buf))
10242 goto end;
10243
10244 if (idx == 5) {
10245 /*
10246 * Test that setting a split send fragment longer than the maximum
10247 * allowed fails
10248 */
10249 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10250 goto end;
10251 }
10252
10253 /*
10254 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10255 * (50 bytes in total). This is a ridiculously small number of bytes -
10256 * but sufficient for our purposes
10257 */
10258 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10259 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10260 goto end;
10261
10262 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10263 goto end;
10264
10265 /* Write some data from peera to peerb */
10266 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10267 || !TEST_size_t_eq(written, msglen))
10268 goto end;
10269
10270 /*
10271 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10272 * have been used - except in test 3 where only |numpipes - 1| pipelines
10273 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10274 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10275 * expect this to be read in |numpipes| or |numpipes - 1| separate
10276 * SSL_read_ex calls. In the case of test 4, there is then one additional
10277 * read for left over data that couldn't fit in the previous pipelines
10278 */
10279 for (offset = 0, numreads = 0;
10280 offset < msglen;
10281 offset += readbytes, numreads++) {
10282 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10283 msglen - offset, &readbytes)))
10284 goto end;
10285 }
10286
10287 expectedreads = idx == 4 ? numpipes + 1
10288 : (idx == 3 ? numpipes - 1 : numpipes);
10289 if (!TEST_mem_eq(msg, msglen, buf, offset)
10290 || !TEST_int_eq(numreads, expectedreads))
10291 goto end;
10292
10293 /*
10294 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10295 * chunks to exercise the read pipelining code on peera.
10296 */
10297 for (offset = 0; offset < msglen; offset += fragsize) {
10298 size_t sendlen = msglen - offset;
10299
10300 if (sendlen > fragsize)
10301 sendlen = fragsize;
10302 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10303 || !TEST_size_t_eq(written, sendlen))
10304 goto end;
10305 }
10306
10307 /*
10308 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10309 * separate chunks (depending on which test we are running). If the
10310 * pipelining is working then we expect peera to read up to numpipes chunks
10311 * and process them in parallel, giving back the complete result in a single
10312 * call to SSL_read_ex
10313 */
10314 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10315 || !TEST_size_t_le(readbytes, msglen))
10316 goto end;
10317
10318 if (idx == 4) {
10319 size_t readbytes2;
10320
10321 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10322 msglen - readbytes, &readbytes2)))
10323 goto end;
10324 readbytes += readbytes2;
10325 if (!TEST_size_t_le(readbytes, msglen))
10326 goto end;
10327 }
10328
10329 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10330 goto end;
10331
10332 testresult = 1;
10333 end:
10334 SSL_free(serverssl);
10335 SSL_free(clientssl);
10336 SSL_CTX_free(sctx);
10337 SSL_CTX_free(cctx);
10338 if (e != NULL) {
10339 ENGINE_unregister_ciphers(e);
10340 ENGINE_finish(e);
10341 ENGINE_free(e);
10342 }
10343 OPENSSL_free(buf);
10344 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10345 OPENSSL_free(msg);
10346 return testresult;
10347 }
10348 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10349
10350 /*
10351 * Force a write retry during handshaking. We test various combinations of
10352 * scenarios. We test a large certificate message which will fill the buffering
10353 * BIO used in the handshake. We try with client auth on and off. Finally we
10354 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
10355 * to indicate retry via -1 - but sometimes BIOs don't do that.
10356 *
10357 * Test 0: Standard certificate message
10358 * Test 1: Large certificate message
10359 * Test 2: Standard cert, verify peer
10360 * Test 3: Large cert, verify peer
10361 * Test 4: Standard cert, BIO returns 0 on retry
10362 * Test 5: Large cert, BIO returns 0 on retry
10363 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
10364 * Test 7: Large cert, verify peer, BIO returns 0 on retry
10365 * Test 8-15: Repeat of above with TLSv1.2
10366 */
test_handshake_retry(int idx)10367 static int test_handshake_retry(int idx)
10368 {
10369 SSL_CTX *cctx = NULL, *sctx = NULL;
10370 SSL *clientssl = NULL, *serverssl = NULL;
10371 int testresult = 0;
10372 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
10373 int maxversion = 0;
10374
10375 if (!TEST_ptr(bretry))
10376 goto end;
10377
10378 #ifndef OPENSSL_NO_TLS1_2
10379 if ((idx & 8) == 8)
10380 maxversion = TLS1_2_VERSION;
10381 #else
10382 if ((idx & 8) == 8)
10383 return TEST_skip("No TLSv1.2");
10384 #endif
10385
10386 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10387 TLS_client_method(), 0, maxversion,
10388 &sctx, &cctx, cert, privkey)))
10389 goto end;
10390
10391 /*
10392 * Add a large amount of data to fill the buffering BIO used by the SSL
10393 * object
10394 */
10395 if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
10396 goto end;
10397
10398 /*
10399 * We don't actually configure a client cert, but neither do we fail if one
10400 * isn't present.
10401 */
10402 if ((idx & 2) == 2)
10403 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
10404
10405 if ((idx & 4) == 4)
10406 set_always_retry_err_val(0);
10407
10408 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10409 &clientssl, NULL, NULL)))
10410 goto end;
10411
10412 tmp = SSL_get_wbio(serverssl);
10413 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
10414 tmp = NULL;
10415 goto end;
10416 }
10417 SSL_set0_wbio(serverssl, bretry);
10418 bretry = NULL;
10419
10420 if (!TEST_int_eq(SSL_connect(clientssl), -1))
10421 goto end;
10422
10423 if (!TEST_int_eq(SSL_accept(serverssl), -1)
10424 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
10425 goto end;
10426
10427 /* Restore a BIO that will let the write succeed */
10428 SSL_set0_wbio(serverssl, tmp);
10429 tmp = NULL;
10430
10431 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10432 goto end;
10433
10434 testresult = 1;
10435 end:
10436 SSL_free(serverssl);
10437 SSL_free(clientssl);
10438 SSL_CTX_free(sctx);
10439 SSL_CTX_free(cctx);
10440 BIO_free(bretry);
10441 BIO_free(tmp);
10442 set_always_retry_err_val(-1);
10443 return testresult;
10444 }
10445
10446 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
10447
setup_tests(void)10448 int setup_tests(void)
10449 {
10450 char *modulename;
10451 char *configfile;
10452
10453 libctx = OSSL_LIB_CTX_new();
10454 if (!TEST_ptr(libctx))
10455 return 0;
10456
10457 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10458
10459 /*
10460 * Verify that the default and fips providers in the default libctx are not
10461 * available
10462 */
10463 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10464 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10465 return 0;
10466
10467 if (!test_skip_common_options()) {
10468 TEST_error("Error parsing test options\n");
10469 return 0;
10470 }
10471
10472 if (!TEST_ptr(certsdir = test_get_argument(0))
10473 || !TEST_ptr(srpvfile = test_get_argument(1))
10474 || !TEST_ptr(tmpfilename = test_get_argument(2))
10475 || !TEST_ptr(modulename = test_get_argument(3))
10476 || !TEST_ptr(configfile = test_get_argument(4))
10477 || !TEST_ptr(dhfile = test_get_argument(5)))
10478 return 0;
10479
10480 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
10481 return 0;
10482
10483 /* Check we have the expected provider available */
10484 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10485 return 0;
10486
10487 /* Check the default provider is not available */
10488 if (strcmp(modulename, "default") != 0
10489 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
10490 return 0;
10491
10492 if (strcmp(modulename, "fips") == 0)
10493 is_fips = 1;
10494
10495 /*
10496 * We add, but don't load the test "tls-provider". We'll load it when we
10497 * need it.
10498 */
10499 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10500 tls_provider_init)))
10501 return 0;
10502
10503
10504 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10505 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
10506 TEST_error("not supported in this build");
10507 return 0;
10508 #else
10509 int i, mcount, rcount, fcount;
10510
10511 for (i = 0; i < 4; i++)
10512 test_export_key_mat(i);
10513 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10514 test_printf_stdout("malloc %d realloc %d free %d\n",
10515 mcount, rcount, fcount);
10516 return 1;
10517 #endif
10518 }
10519
10520 cert = test_mk_file_path(certsdir, "servercert.pem");
10521 if (cert == NULL)
10522 goto err;
10523
10524 privkey = test_mk_file_path(certsdir, "serverkey.pem");
10525 if (privkey == NULL)
10526 goto err;
10527
10528 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10529 if (cert2 == NULL)
10530 goto err;
10531
10532 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10533 if (privkey2 == NULL)
10534 goto err;
10535
10536 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10537 if (cert1024 == NULL)
10538 goto err;
10539
10540 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10541 if (privkey1024 == NULL)
10542 goto err;
10543
10544 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10545 if (cert3072 == NULL)
10546 goto err;
10547
10548 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10549 if (privkey3072 == NULL)
10550 goto err;
10551
10552 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10553 if (cert4096 == NULL)
10554 goto err;
10555
10556 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10557 if (privkey4096 == NULL)
10558 goto err;
10559
10560 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10561 if (cert8192 == NULL)
10562 goto err;
10563
10564 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10565 if (privkey8192 == NULL)
10566 goto err;
10567
10568 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
10569 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
10570 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10571 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
10572 # endif
10573 #endif
10574 ADD_TEST(test_large_message_tls);
10575 ADD_TEST(test_large_message_tls_read_ahead);
10576 #ifndef OPENSSL_NO_DTLS
10577 ADD_TEST(test_large_message_dtls);
10578 #endif
10579 ADD_ALL_TESTS(test_large_app_data, 28);
10580 ADD_TEST(test_cleanse_plaintext);
10581 #ifndef OPENSSL_NO_OCSP
10582 ADD_TEST(test_tlsext_status_type);
10583 #endif
10584 ADD_TEST(test_session_with_only_int_cache);
10585 ADD_TEST(test_session_with_only_ext_cache);
10586 ADD_TEST(test_session_with_both_cache);
10587 ADD_TEST(test_session_wo_ca_names);
10588 #ifndef OSSL_NO_USABLE_TLS1_3
10589 ADD_ALL_TESTS(test_stateful_tickets, 3);
10590 ADD_ALL_TESTS(test_stateless_tickets, 3);
10591 ADD_TEST(test_psk_tickets);
10592 ADD_ALL_TESTS(test_extra_tickets, 6);
10593 #endif
10594 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
10595 ADD_TEST(test_ssl_bio_pop_next_bio);
10596 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10597 ADD_TEST(test_ssl_bio_change_rbio);
10598 ADD_TEST(test_ssl_bio_change_wbio);
10599 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
10600 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
10601 ADD_TEST(test_keylog);
10602 #endif
10603 #ifndef OSSL_NO_USABLE_TLS1_3
10604 ADD_TEST(test_keylog_no_master_key);
10605 #endif
10606 ADD_TEST(test_client_cert_verify_cb);
10607 ADD_TEST(test_ssl_build_cert_chain);
10608 ADD_TEST(test_ssl_ctx_build_cert_chain);
10609 #ifndef OPENSSL_NO_TLS1_2
10610 ADD_TEST(test_client_hello_cb);
10611 ADD_TEST(test_no_ems);
10612 ADD_TEST(test_ccs_change_cipher);
10613 #endif
10614 #ifndef OSSL_NO_USABLE_TLS1_3
10615 ADD_ALL_TESTS(test_early_data_read_write, 6);
10616 /*
10617 * We don't do replay tests for external PSK. Replay protection isn't used
10618 * in that scenario.
10619 */
10620 ADD_ALL_TESTS(test_early_data_replay, 2);
10621 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
10622 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
10623 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
10624 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
10625 ADD_ALL_TESTS(test_early_data_not_sent, 3);
10626 ADD_ALL_TESTS(test_early_data_psk, 8);
10627 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
10628 ADD_ALL_TESTS(test_early_data_not_expected, 3);
10629 # ifndef OPENSSL_NO_TLS1_2
10630 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
10631 # endif
10632 #endif
10633 #ifndef OSSL_NO_USABLE_TLS1_3
10634 ADD_ALL_TESTS(test_set_ciphersuite, 10);
10635 ADD_TEST(test_ciphersuite_change);
10636 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10637 # ifdef OPENSSL_NO_PSK
10638 ADD_ALL_TESTS(test_tls13_psk, 1);
10639 # else
10640 ADD_ALL_TESTS(test_tls13_psk, 4);
10641 # endif /* OPENSSL_NO_PSK */
10642 # ifndef OPENSSL_NO_TLS1_2
10643 /* Test with both TLSv1.3 and 1.2 versions */
10644 ADD_ALL_TESTS(test_key_exchange, 14);
10645 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10646 ADD_ALL_TESTS(test_negotiated_group,
10647 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10648 + OSSL_NELEM(ffdhe_kexch_groups)));
10649 # endif
10650 # else
10651 /* Test with only TLSv1.3 versions */
10652 ADD_ALL_TESTS(test_key_exchange, 12);
10653 # endif
10654 ADD_ALL_TESTS(test_custom_exts, 6);
10655 ADD_TEST(test_stateless);
10656 ADD_TEST(test_pha_key_update);
10657 #else
10658 ADD_ALL_TESTS(test_custom_exts, 3);
10659 #endif
10660 ADD_ALL_TESTS(test_export_key_mat, 6);
10661 #ifndef OSSL_NO_USABLE_TLS1_3
10662 ADD_ALL_TESTS(test_export_key_mat_early, 3);
10663 ADD_TEST(test_key_update);
10664 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10665 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10666 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10667 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
10668 #endif
10669 ADD_ALL_TESTS(test_ssl_clear, 2);
10670 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
10671 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10672 ADD_ALL_TESTS(test_srp, 6);
10673 #endif
10674 ADD_ALL_TESTS(test_info_callback, 6);
10675 ADD_ALL_TESTS(test_ssl_pending, 2);
10676 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
10677 ADD_ALL_TESTS(test_ticket_callbacks, 20);
10678 ADD_ALL_TESTS(test_shutdown, 7);
10679 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
10680 ADD_ALL_TESTS(test_cert_cb, 6);
10681 ADD_ALL_TESTS(test_client_cert_cb, 2);
10682 ADD_ALL_TESTS(test_ca_names, 3);
10683 #ifndef OPENSSL_NO_TLS1_2
10684 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10685 #endif
10686 ADD_ALL_TESTS(test_servername, 10);
10687 #if !defined(OPENSSL_NO_EC) \
10688 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10689 ADD_ALL_TESTS(test_sigalgs_available, 6);
10690 #endif
10691 #ifndef OPENSSL_NO_TLS1_3
10692 ADD_ALL_TESTS(test_pluggable_group, 2);
10693 #endif
10694 #ifndef OPENSSL_NO_TLS1_2
10695 ADD_TEST(test_ssl_dup);
10696 # ifndef OPENSSL_NO_DH
10697 ADD_ALL_TESTS(test_set_tmp_dh, 11);
10698 ADD_ALL_TESTS(test_dh_auto, 7);
10699 # endif
10700 #endif
10701 #ifndef OSSL_NO_USABLE_TLS1_3
10702 ADD_TEST(test_sni_tls13);
10703 ADD_ALL_TESTS(test_ticket_lifetime, 2);
10704 #endif
10705 ADD_TEST(test_inherit_verify_param);
10706 ADD_TEST(test_set_alpn);
10707 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10708 ADD_TEST(test_set_verify_cert_store_ssl);
10709 ADD_ALL_TESTS(test_session_timeout, 1);
10710 ADD_TEST(test_load_dhfile);
10711 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10712 ADD_ALL_TESTS(test_serverinfo_custom, 4);
10713 #endif
10714 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10715 ADD_ALL_TESTS(test_pipelining, 7);
10716 #endif
10717 ADD_ALL_TESTS(test_handshake_retry, 16);
10718 return 1;
10719
10720 err:
10721 OPENSSL_free(cert);
10722 OPENSSL_free(privkey);
10723 OPENSSL_free(cert2);
10724 OPENSSL_free(privkey2);
10725 return 0;
10726 }
10727
cleanup_tests(void)10728 void cleanup_tests(void)
10729 {
10730 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
10731 EVP_PKEY_free(tmp_dh_params);
10732 #endif
10733 OPENSSL_free(cert);
10734 OPENSSL_free(privkey);
10735 OPENSSL_free(cert2);
10736 OPENSSL_free(privkey2);
10737 OPENSSL_free(cert1024);
10738 OPENSSL_free(privkey1024);
10739 OPENSSL_free(cert3072);
10740 OPENSSL_free(privkey3072);
10741 OPENSSL_free(cert4096);
10742 OPENSSL_free(privkey4096);
10743 OPENSSL_free(cert8192);
10744 OPENSSL_free(privkey8192);
10745 bio_s_mempacket_test_free();
10746 bio_s_always_retry_free();
10747 OSSL_PROVIDER_unload(defctxnull);
10748 OSSL_LIB_CTX_free(libctx);
10749 }
10750