1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13 #include <openssl/bio.h>
14 #include <openssl/crypto.h>
15 #include <openssl/ssl.h>
16 #include <openssl/ocsp.h>
17 #include <openssl/srp.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/aes.h>
20
21 #include "ssltestlib.h"
22 #include "testutil.h"
23 #include "testutil/output.h"
24 #include "internal/nelem.h"
25 #include "../ssl/ssl_local.h"
26
27 #ifndef OPENSSL_NO_TLS1_3
28
29 static SSL_SESSION *clientpsk = NULL;
30 static SSL_SESSION *serverpsk = NULL;
31 static const char *pskid = "Identity";
32 static const char *srvid;
33
34 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
35 size_t *idlen, SSL_SESSION **sess);
36 static int find_session_cb(SSL *ssl, const unsigned char *identity,
37 size_t identity_len, SSL_SESSION **sess);
38
39 static int use_session_cb_cnt = 0;
40 static int find_session_cb_cnt = 0;
41
42 static SSL_SESSION *create_a_psk(SSL *ssl);
43 #endif
44
45 static char *certsdir = NULL;
46 static char *cert = NULL;
47 static char *privkey = NULL;
48 static char *srpvfile = NULL;
49 static char *tmpfilename = NULL;
50
51 #define LOG_BUFFER_SIZE 2048
52 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
53 static size_t server_log_buffer_index = 0;
54 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
55 static size_t client_log_buffer_index = 0;
56 static int error_writing_log = 0;
57
58 #ifndef OPENSSL_NO_OCSP
59 static const unsigned char orespder[] = "Dummy OCSP Response";
60 static int ocsp_server_called = 0;
61 static int ocsp_client_called = 0;
62
63 static int cdummyarg = 1;
64 static X509 *ocspcert = NULL;
65 #endif
66
67 #define NUM_EXTRA_CERTS 40
68 #define CLIENT_VERSION_LEN 2
69
70 /*
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
73 */
74 struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
77 unsigned int client_early_secret_count;
78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
82 unsigned int early_exporter_secret_count;
83 unsigned int exporter_secret_count;
84 };
85
86
87 static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
91 };
92
93 static unsigned char serverinfov2[] = {
94 0x00, 0x00, 0x00,
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
99 };
100
hostname_cb(SSL * s,int * al,void * arg)101 static int hostname_cb(SSL *s, int *al, void *arg)
102 {
103 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
104
105 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
106 || strcmp(hostname, "altgoodhost") == 0))
107 return SSL_TLSEXT_ERR_OK;
108
109 return SSL_TLSEXT_ERR_NOACK;
110 }
111
client_keylog_callback(const SSL * ssl,const char * line)112 static void client_keylog_callback(const SSL *ssl, const char *line)
113 {
114 int line_length = strlen(line);
115
116 /* If the log doesn't fit, error out. */
117 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
118 TEST_info("Client log too full");
119 error_writing_log = 1;
120 return;
121 }
122
123 strcat(client_log_buffer, line);
124 client_log_buffer_index += line_length;
125 client_log_buffer[client_log_buffer_index++] = '\n';
126 }
127
server_keylog_callback(const SSL * ssl,const char * line)128 static void server_keylog_callback(const SSL *ssl, const char *line)
129 {
130 int line_length = strlen(line);
131
132 /* If the log doesn't fit, error out. */
133 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
134 TEST_info("Server log too full");
135 error_writing_log = 1;
136 return;
137 }
138
139 strcat(server_log_buffer, line);
140 server_log_buffer_index += line_length;
141 server_log_buffer[server_log_buffer_index++] = '\n';
142 }
143
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)144 static int compare_hex_encoded_buffer(const char *hex_encoded,
145 size_t hex_length,
146 const uint8_t *raw,
147 size_t raw_length)
148 {
149 size_t i, j;
150 char hexed[3];
151
152 if (!TEST_size_t_eq(raw_length * 2, hex_length))
153 return 1;
154
155 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
156 sprintf(hexed, "%02x", raw[i]);
157 if (!TEST_int_eq(hexed[0], hex_encoded[j])
158 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
159 return 1;
160 }
161
162 return 0;
163 }
164
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)165 static int test_keylog_output(char *buffer, const SSL *ssl,
166 const SSL_SESSION *session,
167 struct sslapitest_log_counts *expected)
168 {
169 char *token = NULL;
170 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
171 size_t client_random_size = SSL3_RANDOM_SIZE;
172 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
173 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
174 unsigned int rsa_key_exchange_count = 0;
175 unsigned int master_secret_count = 0;
176 unsigned int client_early_secret_count = 0;
177 unsigned int client_handshake_secret_count = 0;
178 unsigned int server_handshake_secret_count = 0;
179 unsigned int client_application_secret_count = 0;
180 unsigned int server_application_secret_count = 0;
181 unsigned int early_exporter_secret_count = 0;
182 unsigned int exporter_secret_count = 0;
183
184 for (token = strtok(buffer, " \n"); token != NULL;
185 token = strtok(NULL, " \n")) {
186 if (strcmp(token, "RSA") == 0) {
187 /*
188 * Premaster secret. Tokens should be: 16 ASCII bytes of
189 * hex-encoded encrypted secret, then the hex-encoded pre-master
190 * secret.
191 */
192 if (!TEST_ptr(token = strtok(NULL, " \n")))
193 return 0;
194 if (!TEST_size_t_eq(strlen(token), 16))
195 return 0;
196 if (!TEST_ptr(token = strtok(NULL, " \n")))
197 return 0;
198 /*
199 * We can't sensibly check the log because the premaster secret is
200 * transient, and OpenSSL doesn't keep hold of it once the master
201 * secret is generated.
202 */
203 rsa_key_exchange_count++;
204 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
205 /*
206 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
207 * client random, then the hex-encoded master secret.
208 */
209 client_random_size = SSL_get_client_random(ssl,
210 actual_client_random,
211 SSL3_RANDOM_SIZE);
212 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
213 return 0;
214
215 if (!TEST_ptr(token = strtok(NULL, " \n")))
216 return 0;
217 if (!TEST_size_t_eq(strlen(token), 64))
218 return 0;
219 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
220 actual_client_random,
221 client_random_size)))
222 return 0;
223
224 if (!TEST_ptr(token = strtok(NULL, " \n")))
225 return 0;
226 master_key_size = SSL_SESSION_get_master_key(session,
227 actual_master_key,
228 master_key_size);
229 if (!TEST_size_t_ne(master_key_size, 0))
230 return 0;
231 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
232 actual_master_key,
233 master_key_size)))
234 return 0;
235 master_secret_count++;
236 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
237 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
238 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
239 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
240 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
241 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
242 || strcmp(token, "EXPORTER_SECRET") == 0) {
243 /*
244 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, and then the hex-encoded secret. In this case,
246 * we treat all of these secrets identically and then just
247 * distinguish between them when counting what we saw.
248 */
249 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
250 client_early_secret_count++;
251 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
252 client_handshake_secret_count++;
253 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
254 server_handshake_secret_count++;
255 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
256 client_application_secret_count++;
257 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
258 server_application_secret_count++;
259 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
260 early_exporter_secret_count++;
261 else if (strcmp(token, "EXPORTER_SECRET") == 0)
262 exporter_secret_count++;
263
264 client_random_size = SSL_get_client_random(ssl,
265 actual_client_random,
266 SSL3_RANDOM_SIZE);
267 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
268 return 0;
269
270 if (!TEST_ptr(token = strtok(NULL, " \n")))
271 return 0;
272 if (!TEST_size_t_eq(strlen(token), 64))
273 return 0;
274 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
275 actual_client_random,
276 client_random_size)))
277 return 0;
278
279 if (!TEST_ptr(token = strtok(NULL, " \n")))
280 return 0;
281
282 /*
283 * TODO(TLS1.3): test that application traffic secrets are what
284 * we expect */
285 } else {
286 TEST_info("Unexpected token %s\n", token);
287 return 0;
288 }
289 }
290
291 /* Got what we expected? */
292 if (!TEST_size_t_eq(rsa_key_exchange_count,
293 expected->rsa_key_exchange_count)
294 || !TEST_size_t_eq(master_secret_count,
295 expected->master_secret_count)
296 || !TEST_size_t_eq(client_early_secret_count,
297 expected->client_early_secret_count)
298 || !TEST_size_t_eq(client_handshake_secret_count,
299 expected->client_handshake_secret_count)
300 || !TEST_size_t_eq(server_handshake_secret_count,
301 expected->server_handshake_secret_count)
302 || !TEST_size_t_eq(client_application_secret_count,
303 expected->client_application_secret_count)
304 || !TEST_size_t_eq(server_application_secret_count,
305 expected->server_application_secret_count)
306 || !TEST_size_t_eq(early_exporter_secret_count,
307 expected->early_exporter_secret_count)
308 || !TEST_size_t_eq(exporter_secret_count,
309 expected->exporter_secret_count))
310 return 0;
311 return 1;
312 }
313
314 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
test_keylog(void)315 static int test_keylog(void)
316 {
317 SSL_CTX *cctx = NULL, *sctx = NULL;
318 SSL *clientssl = NULL, *serverssl = NULL;
319 int testresult = 0;
320 struct sslapitest_log_counts expected = {0};
321
322 /* Clean up logging space */
323 memset(client_log_buffer, 0, sizeof(client_log_buffer));
324 memset(server_log_buffer, 0, sizeof(server_log_buffer));
325 client_log_buffer_index = 0;
326 server_log_buffer_index = 0;
327 error_writing_log = 0;
328
329 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
330 TLS_client_method(),
331 TLS1_VERSION, TLS_MAX_VERSION,
332 &sctx, &cctx, cert, privkey)))
333 return 0;
334
335 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
336 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
337 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
338
339 /* We also want to ensure that we use RSA-based key exchange. */
340 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
341 goto end;
342
343 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
344 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
345 goto end;
346 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
347 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
348 == client_keylog_callback))
349 goto end;
350 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
351 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
352 == server_keylog_callback))
353 goto end;
354
355 /* Now do a handshake and check that the logs have been written to. */
356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
357 &clientssl, NULL, NULL))
358 || !TEST_true(create_ssl_connection(serverssl, clientssl,
359 SSL_ERROR_NONE))
360 || !TEST_false(error_writing_log)
361 || !TEST_int_gt(client_log_buffer_index, 0)
362 || !TEST_int_gt(server_log_buffer_index, 0))
363 goto end;
364
365 /*
366 * Now we want to test that our output data was vaguely sensible. We
367 * do that by using strtok and confirming that we have more or less the
368 * data we expect. For both client and server, we expect to see one master
369 * secret. The client should also see a RSA key exchange.
370 */
371 expected.rsa_key_exchange_count = 1;
372 expected.master_secret_count = 1;
373 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
374 SSL_get_session(clientssl), &expected)))
375 goto end;
376
377 expected.rsa_key_exchange_count = 0;
378 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
379 SSL_get_session(serverssl), &expected)))
380 goto end;
381
382 testresult = 1;
383
384 end:
385 SSL_free(serverssl);
386 SSL_free(clientssl);
387 SSL_CTX_free(sctx);
388 SSL_CTX_free(cctx);
389
390 return testresult;
391 }
392 #endif
393
394 #ifndef OPENSSL_NO_TLS1_3
test_keylog_no_master_key(void)395 static int test_keylog_no_master_key(void)
396 {
397 SSL_CTX *cctx = NULL, *sctx = NULL;
398 SSL *clientssl = NULL, *serverssl = NULL;
399 SSL_SESSION *sess = NULL;
400 int testresult = 0;
401 struct sslapitest_log_counts expected = {0};
402 unsigned char buf[1];
403 size_t readbytes, written;
404
405 /* Clean up logging space */
406 memset(client_log_buffer, 0, sizeof(client_log_buffer));
407 memset(server_log_buffer, 0, sizeof(server_log_buffer));
408 client_log_buffer_index = 0;
409 server_log_buffer_index = 0;
410 error_writing_log = 0;
411
412 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
413 TLS1_VERSION, TLS_MAX_VERSION,
414 &sctx, &cctx, cert, privkey))
415 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
416 SSL3_RT_MAX_PLAIN_LENGTH)))
417 return 0;
418
419 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
420 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
421 goto end;
422
423 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
424 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
425 == client_keylog_callback))
426 goto end;
427
428 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
429 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
430 == server_keylog_callback))
431 goto end;
432
433 /* Now do a handshake and check that the logs have been written to. */
434 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
435 &clientssl, NULL, NULL))
436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
437 SSL_ERROR_NONE))
438 || !TEST_false(error_writing_log))
439 goto end;
440
441 /*
442 * Now we want to test that our output data was vaguely sensible. For this
443 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
444 * TLSv1.3, but we do expect both client and server to emit keys.
445 */
446 expected.client_handshake_secret_count = 1;
447 expected.server_handshake_secret_count = 1;
448 expected.client_application_secret_count = 1;
449 expected.server_application_secret_count = 1;
450 expected.exporter_secret_count = 1;
451 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
452 SSL_get_session(clientssl), &expected))
453 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
454 SSL_get_session(serverssl),
455 &expected)))
456 goto end;
457
458 /* Terminate old session and resume with early data. */
459 sess = SSL_get1_session(clientssl);
460 SSL_shutdown(clientssl);
461 SSL_shutdown(serverssl);
462 SSL_free(serverssl);
463 SSL_free(clientssl);
464 serverssl = clientssl = NULL;
465
466 /* Reset key log */
467 memset(client_log_buffer, 0, sizeof(client_log_buffer));
468 memset(server_log_buffer, 0, sizeof(server_log_buffer));
469 client_log_buffer_index = 0;
470 server_log_buffer_index = 0;
471
472 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
473 &clientssl, NULL, NULL))
474 || !TEST_true(SSL_set_session(clientssl, sess))
475 /* Here writing 0 length early data is enough. */
476 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
477 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
478 &readbytes),
479 SSL_READ_EARLY_DATA_ERROR)
480 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
481 SSL_EARLY_DATA_ACCEPTED)
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
483 SSL_ERROR_NONE))
484 || !TEST_true(SSL_session_reused(clientssl)))
485 goto end;
486
487 /* In addition to the previous entries, expect early secrets. */
488 expected.client_early_secret_count = 1;
489 expected.early_exporter_secret_count = 1;
490 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
491 SSL_get_session(clientssl), &expected))
492 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
493 SSL_get_session(serverssl),
494 &expected)))
495 goto end;
496
497 testresult = 1;
498
499 end:
500 SSL_SESSION_free(sess);
501 SSL_free(serverssl);
502 SSL_free(clientssl);
503 SSL_CTX_free(sctx);
504 SSL_CTX_free(cctx);
505
506 return testresult;
507 }
508 #endif
509
510 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)511 static int full_client_hello_callback(SSL *s, int *al, void *arg)
512 {
513 int *ctr = arg;
514 const unsigned char *p;
515 int *exts;
516 /* We only configure two ciphers, but the SCSV is added automatically. */
517 #ifdef OPENSSL_NO_EC
518 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
519 #else
520 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
521 0x2c, 0x00, 0xff};
522 #endif
523 const int expected_extensions[] = {
524 #ifndef OPENSSL_NO_EC
525 11, 10,
526 #endif
527 35, 22, 23, 13};
528 size_t len;
529
530 /* Make sure we can defer processing and get called back. */
531 if ((*ctr)++ == 0)
532 return SSL_CLIENT_HELLO_RETRY;
533
534 len = SSL_client_hello_get0_ciphers(s, &p);
535 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
536 || !TEST_size_t_eq(
537 SSL_client_hello_get0_compression_methods(s, &p), 1)
538 || !TEST_int_eq(*p, 0))
539 return SSL_CLIENT_HELLO_ERROR;
540 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
541 return SSL_CLIENT_HELLO_ERROR;
542 if (len != OSSL_NELEM(expected_extensions) ||
543 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
544 printf("ClientHello callback expected extensions mismatch\n");
545 OPENSSL_free(exts);
546 return SSL_CLIENT_HELLO_ERROR;
547 }
548 OPENSSL_free(exts);
549 return SSL_CLIENT_HELLO_SUCCESS;
550 }
551
test_client_hello_cb(void)552 static int test_client_hello_cb(void)
553 {
554 SSL_CTX *cctx = NULL, *sctx = NULL;
555 SSL *clientssl = NULL, *serverssl = NULL;
556 int testctr = 0, testresult = 0;
557
558 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
559 TLS1_VERSION, TLS_MAX_VERSION,
560 &sctx, &cctx, cert, privkey)))
561 goto end;
562 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
563
564 /* The gimpy cipher list we configure can't do TLS 1.3. */
565 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
566
567 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
568 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
569 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
570 &clientssl, NULL, NULL))
571 || !TEST_false(create_ssl_connection(serverssl, clientssl,
572 SSL_ERROR_WANT_CLIENT_HELLO_CB))
573 /*
574 * Passing a -1 literal is a hack since
575 * the real value was lost.
576 * */
577 || !TEST_int_eq(SSL_get_error(serverssl, -1),
578 SSL_ERROR_WANT_CLIENT_HELLO_CB)
579 || !TEST_true(create_ssl_connection(serverssl, clientssl,
580 SSL_ERROR_NONE)))
581 goto end;
582
583 testresult = 1;
584
585 end:
586 SSL_free(serverssl);
587 SSL_free(clientssl);
588 SSL_CTX_free(sctx);
589 SSL_CTX_free(cctx);
590
591 return testresult;
592 }
593 #endif
594
595 /*
596 * Very focused test to exercise a single case in the server-side state
597 * machine, when the ChangeCipherState message needs to actually change
598 * from one cipher to a different cipher (i.e., not changing from null
599 * encryption to real encryption).
600 */
test_ccs_change_cipher(void)601 static int test_ccs_change_cipher(void)
602 {
603 SSL_CTX *cctx = NULL, *sctx = NULL;
604 SSL *clientssl = NULL, *serverssl = NULL;
605 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
606 int testresult = 0;
607 int i;
608 unsigned char buf;
609 size_t readbytes;
610
611 /*
612 * Create a conection so we can resume and potentially (but not) use
613 * a different cipher in the second connection.
614 */
615 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
616 TLS_client_method(),
617 TLS1_VERSION, TLS1_2_VERSION,
618 &sctx, &cctx, cert, privkey))
619 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
620 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
621 NULL, NULL))
622 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
623 || !TEST_true(create_ssl_connection(serverssl, clientssl,
624 SSL_ERROR_NONE))
625 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
626 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
627 goto end;
628
629 shutdown_ssl_connection(serverssl, clientssl);
630 serverssl = clientssl = NULL;
631
632 /* Resume, preferring a different cipher. Our server will force the
633 * same cipher to be used as the initial handshake. */
634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
635 NULL, NULL))
636 || !TEST_true(SSL_set_session(clientssl, sess))
637 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
639 SSL_ERROR_NONE))
640 || !TEST_true(SSL_session_reused(clientssl))
641 || !TEST_true(SSL_session_reused(serverssl))
642 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
643 || !TEST_ptr_eq(sesspre, sesspost)
644 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
645 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
646 goto end;
647 shutdown_ssl_connection(serverssl, clientssl);
648 serverssl = clientssl = NULL;
649
650 /*
651 * Now create a fresh connection and try to renegotiate a different
652 * cipher on it.
653 */
654 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
655 NULL, NULL))
656 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
658 SSL_ERROR_NONE))
659 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
660 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
661 || !TEST_true(SSL_renegotiate(clientssl))
662 || !TEST_true(SSL_renegotiate_pending(clientssl)))
663 goto end;
664 /* Actually drive the renegotiation. */
665 for (i = 0; i < 3; i++) {
666 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
667 if (!TEST_ulong_eq(readbytes, 0))
668 goto end;
669 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
670 SSL_ERROR_WANT_READ)) {
671 goto end;
672 }
673 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
674 if (!TEST_ulong_eq(readbytes, 0))
675 goto end;
676 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
677 SSL_ERROR_WANT_READ)) {
678 goto end;
679 }
680 }
681 /* sesspre and sesspost should be different since the cipher changed. */
682 if (!TEST_false(SSL_renegotiate_pending(clientssl))
683 || !TEST_false(SSL_session_reused(clientssl))
684 || !TEST_false(SSL_session_reused(serverssl))
685 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
686 || !TEST_ptr_ne(sesspre, sesspost)
687 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
688 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
689 goto end;
690
691 shutdown_ssl_connection(serverssl, clientssl);
692 serverssl = clientssl = NULL;
693
694 testresult = 1;
695
696 end:
697 SSL_free(serverssl);
698 SSL_free(clientssl);
699 SSL_CTX_free(sctx);
700 SSL_CTX_free(cctx);
701 SSL_SESSION_free(sess);
702
703 return testresult;
704 }
705
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)706 static int execute_test_large_message(const SSL_METHOD *smeth,
707 const SSL_METHOD *cmeth,
708 int min_version, int max_version,
709 int read_ahead)
710 {
711 SSL_CTX *cctx = NULL, *sctx = NULL;
712 SSL *clientssl = NULL, *serverssl = NULL;
713 int testresult = 0;
714 int i;
715 BIO *certbio = NULL;
716 X509 *chaincert = NULL;
717 int certlen;
718
719 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
720 goto end;
721 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
722 BIO_free(certbio);
723 certbio = NULL;
724 if (!TEST_ptr(chaincert))
725 goto end;
726
727 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
728 &sctx, &cctx, cert, privkey)))
729 goto end;
730
731 if (read_ahead) {
732 /*
733 * Test that read_ahead works correctly when dealing with large
734 * records
735 */
736 SSL_CTX_set_read_ahead(cctx, 1);
737 }
738
739 /*
740 * We assume the supplied certificate is big enough so that if we add
741 * NUM_EXTRA_CERTS it will make the overall message large enough. The
742 * default buffer size is requested to be 16k, but due to the way BUF_MEM
743 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
744 * test we need to have a message larger than that.
745 */
746 certlen = i2d_X509(chaincert, NULL);
747 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
748 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
749 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
750 if (!X509_up_ref(chaincert))
751 goto end;
752 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
753 X509_free(chaincert);
754 goto end;
755 }
756 }
757
758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
759 NULL, NULL))
760 || !TEST_true(create_ssl_connection(serverssl, clientssl,
761 SSL_ERROR_NONE)))
762 goto end;
763
764 /*
765 * Calling SSL_clear() first is not required but this tests that SSL_clear()
766 * doesn't leak (when using enable-crypto-mdebug).
767 */
768 if (!TEST_true(SSL_clear(serverssl)))
769 goto end;
770
771 testresult = 1;
772 end:
773 X509_free(chaincert);
774 SSL_free(serverssl);
775 SSL_free(clientssl);
776 SSL_CTX_free(sctx);
777 SSL_CTX_free(cctx);
778
779 return testresult;
780 }
781
test_large_message_tls(void)782 static int test_large_message_tls(void)
783 {
784 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
785 TLS1_VERSION, TLS_MAX_VERSION,
786 0);
787 }
788
test_large_message_tls_read_ahead(void)789 static int test_large_message_tls_read_ahead(void)
790 {
791 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
792 TLS1_VERSION, TLS_MAX_VERSION,
793 1);
794 }
795
796 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)797 static int test_large_message_dtls(void)
798 {
799 /*
800 * read_ahead is not relevant to DTLS because DTLS always acts as if
801 * read_ahead is set.
802 */
803 return execute_test_large_message(DTLS_server_method(),
804 DTLS_client_method(),
805 DTLS1_VERSION, DTLS_MAX_VERSION,
806 0);
807 }
808 #endif
809
810 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)811 static int ocsp_server_cb(SSL *s, void *arg)
812 {
813 int *argi = (int *)arg;
814 unsigned char *copy = NULL;
815 STACK_OF(OCSP_RESPID) *ids = NULL;
816 OCSP_RESPID *id = NULL;
817
818 if (*argi == 2) {
819 /* In this test we are expecting exactly 1 OCSP_RESPID */
820 SSL_get_tlsext_status_ids(s, &ids);
821 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
822 return SSL_TLSEXT_ERR_ALERT_FATAL;
823
824 id = sk_OCSP_RESPID_value(ids, 0);
825 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
826 return SSL_TLSEXT_ERR_ALERT_FATAL;
827 } else if (*argi != 1) {
828 return SSL_TLSEXT_ERR_ALERT_FATAL;
829 }
830
831 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
832 return SSL_TLSEXT_ERR_ALERT_FATAL;
833
834 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
835 ocsp_server_called = 1;
836 return SSL_TLSEXT_ERR_OK;
837 }
838
ocsp_client_cb(SSL * s,void * arg)839 static int ocsp_client_cb(SSL *s, void *arg)
840 {
841 int *argi = (int *)arg;
842 const unsigned char *respderin;
843 size_t len;
844
845 if (*argi != 1 && *argi != 2)
846 return 0;
847
848 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
849 if (!TEST_mem_eq(orespder, len, respderin, len))
850 return 0;
851
852 ocsp_client_called = 1;
853 return 1;
854 }
855
test_tlsext_status_type(void)856 static int test_tlsext_status_type(void)
857 {
858 SSL_CTX *cctx = NULL, *sctx = NULL;
859 SSL *clientssl = NULL, *serverssl = NULL;
860 int testresult = 0;
861 STACK_OF(OCSP_RESPID) *ids = NULL;
862 OCSP_RESPID *id = NULL;
863 BIO *certbio = NULL;
864
865 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
866 TLS1_VERSION, TLS_MAX_VERSION,
867 &sctx, &cctx, cert, privkey))
868 return 0;
869
870 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
871 goto end;
872
873 /* First just do various checks getting and setting tlsext_status_type */
874
875 clientssl = SSL_new(cctx);
876 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
877 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
878 TLSEXT_STATUSTYPE_ocsp))
879 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
880 TLSEXT_STATUSTYPE_ocsp))
881 goto end;
882
883 SSL_free(clientssl);
884 clientssl = NULL;
885
886 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
887 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
888 goto end;
889
890 clientssl = SSL_new(cctx);
891 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
892 goto end;
893 SSL_free(clientssl);
894 clientssl = NULL;
895
896 /*
897 * Now actually do a handshake and check OCSP information is exchanged and
898 * the callbacks get called
899 */
900 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
901 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
902 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
903 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
905 &clientssl, NULL, NULL))
906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
907 SSL_ERROR_NONE))
908 || !TEST_true(ocsp_client_called)
909 || !TEST_true(ocsp_server_called))
910 goto end;
911 SSL_free(serverssl);
912 SSL_free(clientssl);
913 serverssl = NULL;
914 clientssl = NULL;
915
916 /* Try again but this time force the server side callback to fail */
917 ocsp_client_called = 0;
918 ocsp_server_called = 0;
919 cdummyarg = 0;
920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
921 &clientssl, NULL, NULL))
922 /* This should fail because the callback will fail */
923 || !TEST_false(create_ssl_connection(serverssl, clientssl,
924 SSL_ERROR_NONE))
925 || !TEST_false(ocsp_client_called)
926 || !TEST_false(ocsp_server_called))
927 goto end;
928 SSL_free(serverssl);
929 SSL_free(clientssl);
930 serverssl = NULL;
931 clientssl = NULL;
932
933 /*
934 * This time we'll get the client to send an OCSP_RESPID that it will
935 * accept.
936 */
937 ocsp_client_called = 0;
938 ocsp_server_called = 0;
939 cdummyarg = 2;
940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
941 &clientssl, NULL, NULL)))
942 goto end;
943
944 /*
945 * We'll just use any old cert for this test - it doesn't have to be an OCSP
946 * specific one. We'll use the server cert.
947 */
948 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
949 || !TEST_ptr(id = OCSP_RESPID_new())
950 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
951 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
952 NULL, NULL, NULL))
953 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
954 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
955 goto end;
956 id = NULL;
957 SSL_set_tlsext_status_ids(clientssl, ids);
958 /* Control has been transferred */
959 ids = NULL;
960
961 BIO_free(certbio);
962 certbio = NULL;
963
964 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
965 SSL_ERROR_NONE))
966 || !TEST_true(ocsp_client_called)
967 || !TEST_true(ocsp_server_called))
968 goto end;
969
970 testresult = 1;
971
972 end:
973 SSL_free(serverssl);
974 SSL_free(clientssl);
975 SSL_CTX_free(sctx);
976 SSL_CTX_free(cctx);
977 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
978 OCSP_RESPID_free(id);
979 BIO_free(certbio);
980 X509_free(ocspcert);
981 ocspcert = NULL;
982
983 return testresult;
984 }
985 #endif
986
987 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
988 static int new_called, remove_called, get_called;
989
new_session_cb(SSL * ssl,SSL_SESSION * sess)990 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
991 {
992 new_called++;
993 /*
994 * sess has been up-refed for us, but we don't actually need it so free it
995 * immediately.
996 */
997 SSL_SESSION_free(sess);
998 return 1;
999 }
1000
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)1001 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1002 {
1003 remove_called++;
1004 }
1005
1006 static SSL_SESSION *get_sess_val = NULL;
1007
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)1008 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1009 int *copy)
1010 {
1011 get_called++;
1012 *copy = 1;
1013 return get_sess_val;
1014 }
1015
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache)1016 static int execute_test_session(int maxprot, int use_int_cache,
1017 int use_ext_cache)
1018 {
1019 SSL_CTX *sctx = NULL, *cctx = NULL;
1020 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1021 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1022 # ifndef OPENSSL_NO_TLS1_1
1023 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1024 # endif
1025 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1026 int testresult = 0, numnewsesstick = 1;
1027
1028 new_called = remove_called = 0;
1029
1030 /* TLSv1.3 sends 2 NewSessionTickets */
1031 if (maxprot == TLS1_3_VERSION)
1032 numnewsesstick = 2;
1033
1034 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1035 TLS1_VERSION, TLS_MAX_VERSION,
1036 &sctx, &cctx, cert, privkey)))
1037 return 0;
1038
1039 /*
1040 * Only allow the max protocol version so we can force a connection failure
1041 * later
1042 */
1043 SSL_CTX_set_min_proto_version(cctx, maxprot);
1044 SSL_CTX_set_max_proto_version(cctx, maxprot);
1045
1046 /* Set up session cache */
1047 if (use_ext_cache) {
1048 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1049 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1050 }
1051 if (use_int_cache) {
1052 /* Also covers instance where both are set */
1053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1054 } else {
1055 SSL_CTX_set_session_cache_mode(cctx,
1056 SSL_SESS_CACHE_CLIENT
1057 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1058 }
1059
1060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1061 NULL, NULL))
1062 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1063 SSL_ERROR_NONE))
1064 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1065 goto end;
1066
1067 /* Should fail because it should already be in the cache */
1068 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1069 goto end;
1070 if (use_ext_cache
1071 && (!TEST_int_eq(new_called, numnewsesstick)
1072
1073 || !TEST_int_eq(remove_called, 0)))
1074 goto end;
1075
1076 new_called = remove_called = 0;
1077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1078 &clientssl2, NULL, NULL))
1079 || !TEST_true(SSL_set_session(clientssl2, sess1))
1080 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1081 SSL_ERROR_NONE))
1082 || !TEST_true(SSL_session_reused(clientssl2)))
1083 goto end;
1084
1085 if (maxprot == TLS1_3_VERSION) {
1086 /*
1087 * In TLSv1.3 we should have created a new session even though we have
1088 * resumed. Since we attempted a resume we should also have removed the
1089 * old ticket from the cache so that we try to only use tickets once.
1090 */
1091 if (use_ext_cache
1092 && (!TEST_int_eq(new_called, 1)
1093 || !TEST_int_eq(remove_called, 1)))
1094 goto end;
1095 } else {
1096 /*
1097 * In TLSv1.2 we expect to have resumed so no sessions added or
1098 * removed.
1099 */
1100 if (use_ext_cache
1101 && (!TEST_int_eq(new_called, 0)
1102 || !TEST_int_eq(remove_called, 0)))
1103 goto end;
1104 }
1105
1106 SSL_SESSION_free(sess1);
1107 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1108 goto end;
1109 shutdown_ssl_connection(serverssl2, clientssl2);
1110 serverssl2 = clientssl2 = NULL;
1111
1112 new_called = remove_called = 0;
1113 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1114 &clientssl2, NULL, NULL))
1115 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1116 SSL_ERROR_NONE)))
1117 goto end;
1118
1119 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1120 goto end;
1121
1122 if (use_ext_cache
1123 && (!TEST_int_eq(new_called, numnewsesstick)
1124 || !TEST_int_eq(remove_called, 0)))
1125 goto end;
1126
1127 new_called = remove_called = 0;
1128 /*
1129 * This should clear sess2 from the cache because it is a "bad" session.
1130 * See SSL_set_session() documentation.
1131 */
1132 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1133 goto end;
1134 if (use_ext_cache
1135 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1136 goto end;
1137 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1138 goto end;
1139
1140 if (use_int_cache) {
1141 /* Should succeeded because it should not already be in the cache */
1142 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1143 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1144 goto end;
1145 }
1146
1147 new_called = remove_called = 0;
1148 /* This shouldn't be in the cache so should fail */
1149 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1150 goto end;
1151
1152 if (use_ext_cache
1153 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1154 goto end;
1155
1156 # if !defined(OPENSSL_NO_TLS1_1)
1157 new_called = remove_called = 0;
1158 /* Force a connection failure */
1159 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1160 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1161 &clientssl3, NULL, NULL))
1162 || !TEST_true(SSL_set_session(clientssl3, sess1))
1163 /* This should fail because of the mismatched protocol versions */
1164 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1165 SSL_ERROR_NONE)))
1166 goto end;
1167
1168 /* We should have automatically removed the session from the cache */
1169 if (use_ext_cache
1170 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1171 goto end;
1172
1173 /* Should succeed because it should not already be in the cache */
1174 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1175 goto end;
1176 # endif
1177
1178 /* Now do some tests for server side caching */
1179 if (use_ext_cache) {
1180 SSL_CTX_sess_set_new_cb(cctx, NULL);
1181 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1182 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1183 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1184 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1185 get_sess_val = NULL;
1186 }
1187
1188 SSL_CTX_set_session_cache_mode(cctx, 0);
1189 /* Internal caching is the default on the server side */
1190 if (!use_int_cache)
1191 SSL_CTX_set_session_cache_mode(sctx,
1192 SSL_SESS_CACHE_SERVER
1193 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1194
1195 SSL_free(serverssl1);
1196 SSL_free(clientssl1);
1197 serverssl1 = clientssl1 = NULL;
1198 SSL_free(serverssl2);
1199 SSL_free(clientssl2);
1200 serverssl2 = clientssl2 = NULL;
1201 SSL_SESSION_free(sess1);
1202 sess1 = NULL;
1203 SSL_SESSION_free(sess2);
1204 sess2 = NULL;
1205
1206 SSL_CTX_set_max_proto_version(sctx, maxprot);
1207 if (maxprot == TLS1_2_VERSION)
1208 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1209 new_called = remove_called = get_called = 0;
1210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1211 NULL, NULL))
1212 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1213 SSL_ERROR_NONE))
1214 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1215 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1216 goto end;
1217
1218 if (use_int_cache) {
1219 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1220 /*
1221 * In TLSv1.3 it should not have been added to the internal cache,
1222 * except in the case where we also have an external cache (in that
1223 * case it gets added to the cache in order to generate remove
1224 * events after timeout).
1225 */
1226 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1227 goto end;
1228 } else {
1229 /* Should fail because it should already be in the cache */
1230 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1231 goto end;
1232 }
1233 }
1234
1235 if (use_ext_cache) {
1236 SSL_SESSION *tmp = sess2;
1237
1238 if (!TEST_int_eq(new_called, numnewsesstick)
1239 || !TEST_int_eq(remove_called, 0)
1240 || !TEST_int_eq(get_called, 0))
1241 goto end;
1242 /*
1243 * Delete the session from the internal cache to force a lookup from
1244 * the external cache. We take a copy first because
1245 * SSL_CTX_remove_session() also marks the session as non-resumable.
1246 */
1247 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1248 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1249 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1250 goto end;
1251 SSL_SESSION_free(sess2);
1252 }
1253 sess2 = tmp;
1254 }
1255
1256 new_called = remove_called = get_called = 0;
1257 get_sess_val = sess2;
1258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1259 &clientssl2, NULL, NULL))
1260 || !TEST_true(SSL_set_session(clientssl2, sess1))
1261 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1262 SSL_ERROR_NONE))
1263 || !TEST_true(SSL_session_reused(clientssl2)))
1264 goto end;
1265
1266 if (use_ext_cache) {
1267 if (!TEST_int_eq(remove_called, 0))
1268 goto end;
1269
1270 if (maxprot == TLS1_3_VERSION) {
1271 if (!TEST_int_eq(new_called, 1)
1272 || !TEST_int_eq(get_called, 0))
1273 goto end;
1274 } else {
1275 if (!TEST_int_eq(new_called, 0)
1276 || !TEST_int_eq(get_called, 1))
1277 goto end;
1278 }
1279 }
1280
1281 testresult = 1;
1282
1283 end:
1284 SSL_free(serverssl1);
1285 SSL_free(clientssl1);
1286 SSL_free(serverssl2);
1287 SSL_free(clientssl2);
1288 # ifndef OPENSSL_NO_TLS1_1
1289 SSL_free(serverssl3);
1290 SSL_free(clientssl3);
1291 # endif
1292 SSL_SESSION_free(sess1);
1293 SSL_SESSION_free(sess2);
1294 SSL_CTX_free(sctx);
1295 SSL_CTX_free(cctx);
1296
1297 return testresult;
1298 }
1299 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1300
test_session_with_only_int_cache(void)1301 static int test_session_with_only_int_cache(void)
1302 {
1303 #ifndef OPENSSL_NO_TLS1_3
1304 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1305 return 0;
1306 #endif
1307
1308 #ifndef OPENSSL_NO_TLS1_2
1309 return execute_test_session(TLS1_2_VERSION, 1, 0);
1310 #else
1311 return 1;
1312 #endif
1313 }
1314
test_session_with_only_ext_cache(void)1315 static int test_session_with_only_ext_cache(void)
1316 {
1317 #ifndef OPENSSL_NO_TLS1_3
1318 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1319 return 0;
1320 #endif
1321
1322 #ifndef OPENSSL_NO_TLS1_2
1323 return execute_test_session(TLS1_2_VERSION, 0, 1);
1324 #else
1325 return 1;
1326 #endif
1327 }
1328
test_session_with_both_cache(void)1329 static int test_session_with_both_cache(void)
1330 {
1331 #ifndef OPENSSL_NO_TLS1_3
1332 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1333 return 0;
1334 #endif
1335
1336 #ifndef OPENSSL_NO_TLS1_2
1337 return execute_test_session(TLS1_2_VERSION, 1, 1);
1338 #else
1339 return 1;
1340 #endif
1341 }
1342
1343 #ifndef OPENSSL_NO_TLS1_3
1344 static SSL_SESSION *sesscache[6];
1345 static int do_cache;
1346
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)1347 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1348 {
1349 if (do_cache) {
1350 sesscache[new_called] = sess;
1351 } else {
1352 /* We don't need the reference to the session, so free it */
1353 SSL_SESSION_free(sess);
1354 }
1355 new_called++;
1356
1357 return 1;
1358 }
1359
post_handshake_verify(SSL * sssl,SSL * cssl)1360 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1361 {
1362 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1363 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1364 return 0;
1365
1366 /* Start handshake on the server and client */
1367 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1368 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1369 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1370 || !TEST_true(create_ssl_connection(sssl, cssl,
1371 SSL_ERROR_NONE)))
1372 return 0;
1373
1374 return 1;
1375 }
1376
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)1377 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1378 SSL_CTX **cctx)
1379 {
1380 int sess_id_ctx = 1;
1381
1382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1383 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1384 cctx, cert, privkey))
1385 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1386 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1387 (void *)&sess_id_ctx,
1388 sizeof(sess_id_ctx))))
1389 return 0;
1390
1391 if (stateful)
1392 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1393
1394 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1395 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1396 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1397
1398 return 1;
1399 }
1400
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)1401 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1402 {
1403 SSL *serverssl = NULL, *clientssl = NULL;
1404 int i;
1405
1406 /* Test that we can resume with all the tickets we got given */
1407 for (i = 0; i < idx * 2; i++) {
1408 new_called = 0;
1409 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1410 &clientssl, NULL, NULL))
1411 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1412 goto end;
1413
1414 SSL_set_post_handshake_auth(clientssl, 1);
1415
1416 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1417 SSL_ERROR_NONE)))
1418 goto end;
1419
1420 /*
1421 * Following a successful resumption we only get 1 ticket. After a
1422 * failed one we should get idx tickets.
1423 */
1424 if (succ) {
1425 if (!TEST_true(SSL_session_reused(clientssl))
1426 || !TEST_int_eq(new_called, 1))
1427 goto end;
1428 } else {
1429 if (!TEST_false(SSL_session_reused(clientssl))
1430 || !TEST_int_eq(new_called, idx))
1431 goto end;
1432 }
1433
1434 new_called = 0;
1435 /* After a post-handshake authentication we should get 1 new ticket */
1436 if (succ
1437 && (!post_handshake_verify(serverssl, clientssl)
1438 || !TEST_int_eq(new_called, 1)))
1439 goto end;
1440
1441 SSL_shutdown(clientssl);
1442 SSL_shutdown(serverssl);
1443 SSL_free(serverssl);
1444 SSL_free(clientssl);
1445 serverssl = clientssl = NULL;
1446 SSL_SESSION_free(sesscache[i]);
1447 sesscache[i] = NULL;
1448 }
1449
1450 return 1;
1451
1452 end:
1453 SSL_free(clientssl);
1454 SSL_free(serverssl);
1455 return 0;
1456 }
1457
test_tickets(int stateful,int idx)1458 static int test_tickets(int stateful, int idx)
1459 {
1460 SSL_CTX *sctx = NULL, *cctx = NULL;
1461 SSL *serverssl = NULL, *clientssl = NULL;
1462 int testresult = 0;
1463 size_t j;
1464
1465 /* idx is the test number, but also the number of tickets we want */
1466
1467 new_called = 0;
1468 do_cache = 1;
1469
1470 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1471 goto end;
1472
1473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1474 &clientssl, NULL, NULL)))
1475 goto end;
1476
1477 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1478 SSL_ERROR_NONE))
1479 /* Check we got the number of tickets we were expecting */
1480 || !TEST_int_eq(idx, new_called))
1481 goto end;
1482
1483 SSL_shutdown(clientssl);
1484 SSL_shutdown(serverssl);
1485 SSL_free(serverssl);
1486 SSL_free(clientssl);
1487 SSL_CTX_free(sctx);
1488 SSL_CTX_free(cctx);
1489 clientssl = serverssl = NULL;
1490 sctx = cctx = NULL;
1491
1492 /*
1493 * Now we try to resume with the tickets we previously created. The
1494 * resumption attempt is expected to fail (because we're now using a new
1495 * SSL_CTX). We should see idx number of tickets issued again.
1496 */
1497
1498 /* Stop caching sessions - just count them */
1499 do_cache = 0;
1500
1501 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1502 goto end;
1503
1504 if (!check_resumption(idx, sctx, cctx, 0))
1505 goto end;
1506
1507 /* Start again with caching sessions */
1508 new_called = 0;
1509 do_cache = 1;
1510 SSL_CTX_free(sctx);
1511 SSL_CTX_free(cctx);
1512 sctx = cctx = NULL;
1513
1514 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1515 goto end;
1516
1517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1518 &clientssl, NULL, NULL)))
1519 goto end;
1520
1521 SSL_set_post_handshake_auth(clientssl, 1);
1522
1523 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1524 SSL_ERROR_NONE))
1525 /* Check we got the number of tickets we were expecting */
1526 || !TEST_int_eq(idx, new_called))
1527 goto end;
1528
1529 /* After a post-handshake authentication we should get new tickets issued */
1530 if (!post_handshake_verify(serverssl, clientssl)
1531 || !TEST_int_eq(idx * 2, new_called))
1532 goto end;
1533
1534 SSL_shutdown(clientssl);
1535 SSL_shutdown(serverssl);
1536 SSL_free(serverssl);
1537 SSL_free(clientssl);
1538 serverssl = clientssl = NULL;
1539
1540 /* Stop caching sessions - just count them */
1541 do_cache = 0;
1542
1543 /*
1544 * Check we can resume with all the tickets we created. This time around the
1545 * resumptions should all be successful.
1546 */
1547 if (!check_resumption(idx, sctx, cctx, 1))
1548 goto end;
1549
1550 testresult = 1;
1551
1552 end:
1553 SSL_free(serverssl);
1554 SSL_free(clientssl);
1555 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1556 SSL_SESSION_free(sesscache[j]);
1557 sesscache[j] = NULL;
1558 }
1559 SSL_CTX_free(sctx);
1560 SSL_CTX_free(cctx);
1561
1562 return testresult;
1563 }
1564
test_stateless_tickets(int idx)1565 static int test_stateless_tickets(int idx)
1566 {
1567 return test_tickets(0, idx);
1568 }
1569
test_stateful_tickets(int idx)1570 static int test_stateful_tickets(int idx)
1571 {
1572 return test_tickets(1, idx);
1573 }
1574
test_psk_tickets(void)1575 static int test_psk_tickets(void)
1576 {
1577 SSL_CTX *sctx = NULL, *cctx = NULL;
1578 SSL *serverssl = NULL, *clientssl = NULL;
1579 int testresult = 0;
1580 int sess_id_ctx = 1;
1581
1582 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1583 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1584 &cctx, NULL, NULL))
1585 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1586 (void *)&sess_id_ctx,
1587 sizeof(sess_id_ctx))))
1588 goto end;
1589
1590 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1591 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1592 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1593 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1594 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1595 use_session_cb_cnt = 0;
1596 find_session_cb_cnt = 0;
1597 srvid = pskid;
1598 new_called = 0;
1599
1600 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1601 NULL, NULL)))
1602 goto end;
1603 clientpsk = serverpsk = create_a_psk(clientssl);
1604 if (!TEST_ptr(clientpsk))
1605 goto end;
1606 SSL_SESSION_up_ref(clientpsk);
1607
1608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1609 SSL_ERROR_NONE))
1610 || !TEST_int_eq(1, find_session_cb_cnt)
1611 || !TEST_int_eq(1, use_session_cb_cnt)
1612 /* We should always get 1 ticket when using external PSK */
1613 || !TEST_int_eq(1, new_called))
1614 goto end;
1615
1616 testresult = 1;
1617
1618 end:
1619 SSL_free(serverssl);
1620 SSL_free(clientssl);
1621 SSL_CTX_free(sctx);
1622 SSL_CTX_free(cctx);
1623 SSL_SESSION_free(clientpsk);
1624 SSL_SESSION_free(serverpsk);
1625 clientpsk = serverpsk = NULL;
1626
1627 return testresult;
1628 }
1629 #endif
1630
1631 #define USE_NULL 0
1632 #define USE_BIO_1 1
1633 #define USE_BIO_2 2
1634 #define USE_DEFAULT 3
1635
1636 #define CONNTYPE_CONNECTION_SUCCESS 0
1637 #define CONNTYPE_CONNECTION_FAIL 1
1638 #define CONNTYPE_NO_CONNECTION 2
1639
1640 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1641 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1642 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1643 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1644 #else
1645 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1646 #endif
1647
1648 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1649 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1650 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
1651
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)1652 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1653 {
1654 switch (type) {
1655 case USE_NULL:
1656 *res = NULL;
1657 break;
1658 case USE_BIO_1:
1659 *res = bio1;
1660 break;
1661 case USE_BIO_2:
1662 *res = bio2;
1663 break;
1664 }
1665 }
1666
1667
1668 /*
1669 * Tests calls to SSL_set_bio() under various conditions.
1670 *
1671 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1672 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1673 * then do more tests where we create a successful connection first using our
1674 * standard connection setup functions, and then call SSL_set_bio() with
1675 * various combinations of valid BIOs or NULL. We then repeat these tests
1676 * following a failed connection. In this last case we are looking to check that
1677 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1678 */
test_ssl_set_bio(int idx)1679 static int test_ssl_set_bio(int idx)
1680 {
1681 SSL_CTX *sctx = NULL, *cctx = NULL;
1682 BIO *bio1 = NULL;
1683 BIO *bio2 = NULL;
1684 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
1685 SSL *serverssl = NULL, *clientssl = NULL;
1686 int initrbio, initwbio, newrbio, newwbio, conntype;
1687 int testresult = 0;
1688
1689 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1690 initrbio = idx % 3;
1691 idx /= 3;
1692 initwbio = idx % 3;
1693 idx /= 3;
1694 newrbio = idx % 3;
1695 idx /= 3;
1696 newwbio = idx % 3;
1697 conntype = CONNTYPE_NO_CONNECTION;
1698 } else {
1699 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1700 initrbio = initwbio = USE_DEFAULT;
1701 newrbio = idx % 2;
1702 idx /= 2;
1703 newwbio = idx % 2;
1704 idx /= 2;
1705 conntype = idx % 2;
1706 }
1707
1708 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1709 TLS1_VERSION, TLS_MAX_VERSION,
1710 &sctx, &cctx, cert, privkey)))
1711 goto end;
1712
1713 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1714 /*
1715 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1716 * because we reduced the number of tests in the definition of
1717 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1718 * mismatched protocol versions we will force a connection failure.
1719 */
1720 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1721 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1722 }
1723
1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1725 NULL, NULL)))
1726 goto end;
1727
1728 if (initrbio == USE_BIO_1
1729 || initwbio == USE_BIO_1
1730 || newrbio == USE_BIO_1
1731 || newwbio == USE_BIO_1) {
1732 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
1733 goto end;
1734 }
1735
1736 if (initrbio == USE_BIO_2
1737 || initwbio == USE_BIO_2
1738 || newrbio == USE_BIO_2
1739 || newwbio == USE_BIO_2) {
1740 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
1741 goto end;
1742 }
1743
1744 if (initrbio != USE_DEFAULT) {
1745 setupbio(&irbio, bio1, bio2, initrbio);
1746 setupbio(&iwbio, bio1, bio2, initwbio);
1747 SSL_set_bio(clientssl, irbio, iwbio);
1748
1749 /*
1750 * We want to maintain our own refs to these BIO, so do an up ref for
1751 * each BIO that will have ownership transferred in the SSL_set_bio()
1752 * call
1753 */
1754 if (irbio != NULL)
1755 BIO_up_ref(irbio);
1756 if (iwbio != NULL && iwbio != irbio)
1757 BIO_up_ref(iwbio);
1758 }
1759
1760 if (conntype != CONNTYPE_NO_CONNECTION
1761 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1762 SSL_ERROR_NONE)
1763 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1764 goto end;
1765
1766 setupbio(&nrbio, bio1, bio2, newrbio);
1767 setupbio(&nwbio, bio1, bio2, newwbio);
1768
1769 /*
1770 * We will (maybe) transfer ownership again so do more up refs.
1771 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1772 * already been set!
1773 */
1774 if (nrbio != NULL
1775 && nrbio != irbio
1776 && (nwbio != iwbio || nrbio != nwbio))
1777 BIO_up_ref(nrbio);
1778 if (nwbio != NULL
1779 && nwbio != nrbio
1780 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
1781 BIO_up_ref(nwbio);
1782
1783 SSL_set_bio(clientssl, nrbio, nwbio);
1784
1785 testresult = 1;
1786
1787 end:
1788 BIO_free(bio1);
1789 BIO_free(bio2);
1790
1791 /*
1792 * This test is checking that the ref counting for SSL_set_bio is correct.
1793 * If we get here and we did too many frees then we will fail in the above
1794 * functions. If we haven't done enough then this will only be detected in
1795 * a crypto-mdebug build
1796 */
1797 SSL_free(serverssl);
1798 SSL_free(clientssl);
1799 SSL_CTX_free(sctx);
1800 SSL_CTX_free(cctx);
1801 return testresult;
1802 }
1803
1804 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
1805
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)1806 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
1807 {
1808 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
1809 SSL_CTX *ctx;
1810 SSL *ssl = NULL;
1811 int testresult = 0;
1812
1813 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1814 || !TEST_ptr(ssl = SSL_new(ctx))
1815 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1816 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
1817 goto end;
1818
1819 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1820
1821 /*
1822 * If anything goes wrong here then we could leak memory, so this will
1823 * be caught in a crypto-mdebug build
1824 */
1825 BIO_push(sslbio, membio1);
1826
1827 /* Verify changing the rbio/wbio directly does not cause leaks */
1828 if (change_bio != NO_BIO_CHANGE) {
1829 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
1830 goto end;
1831 if (change_bio == CHANGE_RBIO)
1832 SSL_set0_rbio(ssl, membio2);
1833 else
1834 SSL_set0_wbio(ssl, membio2);
1835 }
1836 ssl = NULL;
1837
1838 if (pop_ssl)
1839 BIO_pop(sslbio);
1840 else
1841 BIO_pop(membio1);
1842
1843 testresult = 1;
1844 end:
1845 BIO_free(membio1);
1846 BIO_free(sslbio);
1847 SSL_free(ssl);
1848 SSL_CTX_free(ctx);
1849
1850 return testresult;
1851 }
1852
test_ssl_bio_pop_next_bio(void)1853 static int test_ssl_bio_pop_next_bio(void)
1854 {
1855 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
1856 }
1857
test_ssl_bio_pop_ssl_bio(void)1858 static int test_ssl_bio_pop_ssl_bio(void)
1859 {
1860 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
1861 }
1862
test_ssl_bio_change_rbio(void)1863 static int test_ssl_bio_change_rbio(void)
1864 {
1865 return execute_test_ssl_bio(0, CHANGE_RBIO);
1866 }
1867
test_ssl_bio_change_wbio(void)1868 static int test_ssl_bio_change_wbio(void)
1869 {
1870 return execute_test_ssl_bio(0, CHANGE_WBIO);
1871 }
1872
1873 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
1874 typedef struct {
1875 /* The list of sig algs */
1876 const int *list;
1877 /* The length of the list */
1878 size_t listlen;
1879 /* A sigalgs list in string format */
1880 const char *liststr;
1881 /* Whether setting the list should succeed */
1882 int valid;
1883 /* Whether creating a connection with the list should succeed */
1884 int connsuccess;
1885 } sigalgs_list;
1886
1887 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
1888 # ifndef OPENSSL_NO_EC
1889 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1890 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
1891 # endif
1892 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1893 static const int invalidlist2[] = {NID_sha256, NID_undef};
1894 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1895 static const int invalidlist4[] = {NID_sha256};
1896 static const sigalgs_list testsigalgs[] = {
1897 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
1898 # ifndef OPENSSL_NO_EC
1899 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1900 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
1901 # endif
1902 {NULL, 0, "RSA+SHA256", 1, 1},
1903 # ifndef OPENSSL_NO_EC
1904 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1905 {NULL, 0, "ECDSA+SHA512", 1, 0},
1906 # endif
1907 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1908 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1909 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1910 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1911 {NULL, 0, "RSA", 0, 0},
1912 {NULL, 0, "SHA256", 0, 0},
1913 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
1914 {NULL, 0, "Invalid", 0, 0}
1915 };
1916
test_set_sigalgs(int idx)1917 static int test_set_sigalgs(int idx)
1918 {
1919 SSL_CTX *cctx = NULL, *sctx = NULL;
1920 SSL *clientssl = NULL, *serverssl = NULL;
1921 int testresult = 0;
1922 const sigalgs_list *curr;
1923 int testctx;
1924
1925 /* Should never happen */
1926 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
1927 return 0;
1928
1929 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1930 curr = testctx ? &testsigalgs[idx]
1931 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1932
1933 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1934 TLS1_VERSION, TLS_MAX_VERSION,
1935 &sctx, &cctx, cert, privkey)))
1936 return 0;
1937
1938 /*
1939 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1940 * for TLSv1.2 for now until we add a new API.
1941 */
1942 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1943
1944 if (testctx) {
1945 int ret;
1946
1947 if (curr->list != NULL)
1948 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1949 else
1950 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1951
1952 if (!ret) {
1953 if (curr->valid)
1954 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
1955 else
1956 testresult = 1;
1957 goto end;
1958 }
1959 if (!curr->valid) {
1960 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
1961 goto end;
1962 }
1963 }
1964
1965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1966 &clientssl, NULL, NULL)))
1967 goto end;
1968
1969 if (!testctx) {
1970 int ret;
1971
1972 if (curr->list != NULL)
1973 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1974 else
1975 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1976 if (!ret) {
1977 if (curr->valid)
1978 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
1979 else
1980 testresult = 1;
1981 goto end;
1982 }
1983 if (!curr->valid)
1984 goto end;
1985 }
1986
1987 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1988 SSL_ERROR_NONE),
1989 curr->connsuccess))
1990 goto end;
1991
1992 testresult = 1;
1993
1994 end:
1995 SSL_free(serverssl);
1996 SSL_free(clientssl);
1997 SSL_CTX_free(sctx);
1998 SSL_CTX_free(cctx);
1999
2000 return testresult;
2001 }
2002 #endif
2003
2004 #ifndef OPENSSL_NO_TLS1_3
2005 static int psk_client_cb_cnt = 0;
2006 static int psk_server_cb_cnt = 0;
2007
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)2008 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2009 size_t *idlen, SSL_SESSION **sess)
2010 {
2011 switch (++use_session_cb_cnt) {
2012 case 1:
2013 /* The first call should always have a NULL md */
2014 if (md != NULL)
2015 return 0;
2016 break;
2017
2018 case 2:
2019 /* The second call should always have an md */
2020 if (md == NULL)
2021 return 0;
2022 break;
2023
2024 default:
2025 /* We should only be called a maximum of twice */
2026 return 0;
2027 }
2028
2029 if (clientpsk != NULL)
2030 SSL_SESSION_up_ref(clientpsk);
2031
2032 *sess = clientpsk;
2033 *id = (const unsigned char *)pskid;
2034 *idlen = strlen(pskid);
2035
2036 return 1;
2037 }
2038
2039 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)2040 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2041 unsigned int max_id_len,
2042 unsigned char *psk,
2043 unsigned int max_psk_len)
2044 {
2045 unsigned int psklen = 0;
2046
2047 psk_client_cb_cnt++;
2048
2049 if (strlen(pskid) + 1 > max_id_len)
2050 return 0;
2051
2052 /* We should only ever be called a maximum of twice per connection */
2053 if (psk_client_cb_cnt > 2)
2054 return 0;
2055
2056 if (clientpsk == NULL)
2057 return 0;
2058
2059 /* We'll reuse the PSK we set up for TLSv1.3 */
2060 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2061 return 0;
2062 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2063 strncpy(id, pskid, max_id_len);
2064
2065 return psklen;
2066 }
2067 #endif /* OPENSSL_NO_PSK */
2068
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)2069 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2070 size_t identity_len, SSL_SESSION **sess)
2071 {
2072 find_session_cb_cnt++;
2073
2074 /* We should only ever be called a maximum of twice per connection */
2075 if (find_session_cb_cnt > 2)
2076 return 0;
2077
2078 if (serverpsk == NULL)
2079 return 0;
2080
2081 /* Identity should match that set by the client */
2082 if (strlen(srvid) != identity_len
2083 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2084 /* No PSK found, continue but without a PSK */
2085 *sess = NULL;
2086 return 1;
2087 }
2088
2089 SSL_SESSION_up_ref(serverpsk);
2090 *sess = serverpsk;
2091
2092 return 1;
2093 }
2094
2095 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)2096 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2097 unsigned char *psk, unsigned int max_psk_len)
2098 {
2099 unsigned int psklen = 0;
2100
2101 psk_server_cb_cnt++;
2102
2103 /* We should only ever be called a maximum of twice per connection */
2104 if (find_session_cb_cnt > 2)
2105 return 0;
2106
2107 if (serverpsk == NULL)
2108 return 0;
2109
2110 /* Identity should match that set by the client */
2111 if (strcmp(srvid, identity) != 0) {
2112 return 0;
2113 }
2114
2115 /* We'll reuse the PSK we set up for TLSv1.3 */
2116 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2117 return 0;
2118 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2119
2120 return psklen;
2121 }
2122 #endif /* OPENSSL_NO_PSK */
2123
2124 #define MSG1 "Hello"
2125 #define MSG2 "World."
2126 #define MSG3 "This"
2127 #define MSG4 "is"
2128 #define MSG5 "a"
2129 #define MSG6 "test"
2130 #define MSG7 "message."
2131
2132 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2133 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2134
2135
create_a_psk(SSL * ssl)2136 static SSL_SESSION *create_a_psk(SSL *ssl)
2137 {
2138 const SSL_CIPHER *cipher = NULL;
2139 const unsigned char key[] = {
2140 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2141 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2142 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2143 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2144 0x2c, 0x2d, 0x2e, 0x2f
2145 };
2146 SSL_SESSION *sess = NULL;
2147
2148 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2149 sess = SSL_SESSION_new();
2150 if (!TEST_ptr(sess)
2151 || !TEST_ptr(cipher)
2152 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2153 sizeof(key)))
2154 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2155 || !TEST_true(
2156 SSL_SESSION_set_protocol_version(sess,
2157 TLS1_3_VERSION))) {
2158 SSL_SESSION_free(sess);
2159 return NULL;
2160 }
2161 return sess;
2162 }
2163
2164 /*
2165 * Helper method to setup objects for early data test. Caller frees objects on
2166 * error.
2167 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx)2168 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2169 SSL **serverssl, SSL_SESSION **sess, int idx)
2170 {
2171 if (*sctx == NULL
2172 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2173 TLS_client_method(),
2174 TLS1_VERSION, TLS_MAX_VERSION,
2175 sctx, cctx, cert, privkey)))
2176 return 0;
2177
2178 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2179 return 0;
2180
2181 if (idx == 1) {
2182 /* When idx == 1 we repeat the tests with read_ahead set */
2183 SSL_CTX_set_read_ahead(*cctx, 1);
2184 SSL_CTX_set_read_ahead(*sctx, 1);
2185 } else if (idx == 2) {
2186 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2187 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2188 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2189 use_session_cb_cnt = 0;
2190 find_session_cb_cnt = 0;
2191 srvid = pskid;
2192 }
2193
2194 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2195 NULL, NULL)))
2196 return 0;
2197
2198 /*
2199 * For one of the run throughs (doesn't matter which one), we'll try sending
2200 * some SNI data in the initial ClientHello. This will be ignored (because
2201 * there is no SNI cb set up by the server), so it should not impact
2202 * early_data.
2203 */
2204 if (idx == 1
2205 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2206 return 0;
2207
2208 if (idx == 2) {
2209 clientpsk = create_a_psk(*clientssl);
2210 if (!TEST_ptr(clientpsk)
2211 /*
2212 * We just choose an arbitrary value for max_early_data which
2213 * should be big enough for testing purposes.
2214 */
2215 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2216 0x100))
2217 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2218 SSL_SESSION_free(clientpsk);
2219 clientpsk = NULL;
2220 return 0;
2221 }
2222 serverpsk = clientpsk;
2223
2224 if (sess != NULL) {
2225 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2226 SSL_SESSION_free(clientpsk);
2227 SSL_SESSION_free(serverpsk);
2228 clientpsk = serverpsk = NULL;
2229 return 0;
2230 }
2231 *sess = clientpsk;
2232 }
2233 return 1;
2234 }
2235
2236 if (sess == NULL)
2237 return 1;
2238
2239 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2240 SSL_ERROR_NONE)))
2241 return 0;
2242
2243 *sess = SSL_get1_session(*clientssl);
2244 SSL_shutdown(*clientssl);
2245 SSL_shutdown(*serverssl);
2246 SSL_free(*serverssl);
2247 SSL_free(*clientssl);
2248 *serverssl = *clientssl = NULL;
2249
2250 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2251 clientssl, NULL, NULL))
2252 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2253 return 0;
2254
2255 return 1;
2256 }
2257
test_early_data_read_write(int idx)2258 static int test_early_data_read_write(int idx)
2259 {
2260 SSL_CTX *cctx = NULL, *sctx = NULL;
2261 SSL *clientssl = NULL, *serverssl = NULL;
2262 int testresult = 0;
2263 SSL_SESSION *sess = NULL;
2264 unsigned char buf[20], data[1024];
2265 size_t readbytes, written, eoedlen, rawread, rawwritten;
2266 BIO *rbio;
2267
2268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2269 &serverssl, &sess, idx)))
2270 goto end;
2271
2272 /* Write and read some early data */
2273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2274 &written))
2275 || !TEST_size_t_eq(written, strlen(MSG1))
2276 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2277 sizeof(buf), &readbytes),
2278 SSL_READ_EARLY_DATA_SUCCESS)
2279 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2280 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2281 SSL_EARLY_DATA_ACCEPTED))
2282 goto end;
2283
2284 /*
2285 * Server should be able to write data, and client should be able to
2286 * read it.
2287 */
2288 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2289 &written))
2290 || !TEST_size_t_eq(written, strlen(MSG2))
2291 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2292 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2293 goto end;
2294
2295 /* Even after reading normal data, client should be able write early data */
2296 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2297 &written))
2298 || !TEST_size_t_eq(written, strlen(MSG3)))
2299 goto end;
2300
2301 /* Server should still be able read early data after writing data */
2302 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2303 &readbytes),
2304 SSL_READ_EARLY_DATA_SUCCESS)
2305 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2306 goto end;
2307
2308 /* Write more data from server and read it from client */
2309 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2310 &written))
2311 || !TEST_size_t_eq(written, strlen(MSG4))
2312 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2313 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2314 goto end;
2315
2316 /*
2317 * If client writes normal data it should mean writing early data is no
2318 * longer possible.
2319 */
2320 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2321 || !TEST_size_t_eq(written, strlen(MSG5))
2322 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2323 SSL_EARLY_DATA_ACCEPTED))
2324 goto end;
2325
2326 /*
2327 * At this point the client has written EndOfEarlyData, ClientFinished and
2328 * normal (fully protected) data. We are going to cause a delay between the
2329 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2330 * in the read BIO, and then just put back the EndOfEarlyData message.
2331 */
2332 rbio = SSL_get_rbio(serverssl);
2333 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2334 || !TEST_size_t_lt(rawread, sizeof(data))
2335 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2336 goto end;
2337
2338 /* Record length is in the 4th and 5th bytes of the record header */
2339 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2340 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2341 || !TEST_size_t_eq(rawwritten, eoedlen))
2342 goto end;
2343
2344 /* Server should be told that there is no more early data */
2345 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2346 &readbytes),
2347 SSL_READ_EARLY_DATA_FINISH)
2348 || !TEST_size_t_eq(readbytes, 0))
2349 goto end;
2350
2351 /*
2352 * Server has not finished init yet, so should still be able to write early
2353 * data.
2354 */
2355 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2356 &written))
2357 || !TEST_size_t_eq(written, strlen(MSG6)))
2358 goto end;
2359
2360 /* Push the ClientFinished and the normal data back into the server rbio */
2361 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2362 &rawwritten))
2363 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2364 goto end;
2365
2366 /* Server should be able to read normal data */
2367 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2368 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2369 goto end;
2370
2371 /* Client and server should not be able to write/read early data now */
2372 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2373 &written)))
2374 goto end;
2375 ERR_clear_error();
2376 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2377 &readbytes),
2378 SSL_READ_EARLY_DATA_ERROR))
2379 goto end;
2380 ERR_clear_error();
2381
2382 /* Client should be able to read the data sent by the server */
2383 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2384 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2385 goto end;
2386
2387 /*
2388 * Make sure we process the two NewSessionTickets. These arrive
2389 * post-handshake. We attempt reads which we do not expect to return any
2390 * data.
2391 */
2392 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2393 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2394 &readbytes)))
2395 goto end;
2396
2397 /* Server should be able to write normal data */
2398 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2399 || !TEST_size_t_eq(written, strlen(MSG7))
2400 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2401 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2402 goto end;
2403
2404 SSL_SESSION_free(sess);
2405 sess = SSL_get1_session(clientssl);
2406 use_session_cb_cnt = 0;
2407 find_session_cb_cnt = 0;
2408
2409 SSL_shutdown(clientssl);
2410 SSL_shutdown(serverssl);
2411 SSL_free(serverssl);
2412 SSL_free(clientssl);
2413 serverssl = clientssl = NULL;
2414 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2415 &clientssl, NULL, NULL))
2416 || !TEST_true(SSL_set_session(clientssl, sess)))
2417 goto end;
2418
2419 /* Write and read some early data */
2420 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2421 &written))
2422 || !TEST_size_t_eq(written, strlen(MSG1))
2423 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2424 &readbytes),
2425 SSL_READ_EARLY_DATA_SUCCESS)
2426 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2427 goto end;
2428
2429 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2430 || !TEST_int_gt(SSL_accept(serverssl), 0))
2431 goto end;
2432
2433 /* Client and server should not be able to write/read early data now */
2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2435 &written)))
2436 goto end;
2437 ERR_clear_error();
2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2439 &readbytes),
2440 SSL_READ_EARLY_DATA_ERROR))
2441 goto end;
2442 ERR_clear_error();
2443
2444 /* Client and server should be able to write/read normal data */
2445 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2446 || !TEST_size_t_eq(written, strlen(MSG5))
2447 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2448 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2449 goto end;
2450
2451 testresult = 1;
2452
2453 end:
2454 SSL_SESSION_free(sess);
2455 SSL_SESSION_free(clientpsk);
2456 SSL_SESSION_free(serverpsk);
2457 clientpsk = serverpsk = NULL;
2458 SSL_free(serverssl);
2459 SSL_free(clientssl);
2460 SSL_CTX_free(sctx);
2461 SSL_CTX_free(cctx);
2462 return testresult;
2463 }
2464
2465 static int allow_ed_cb_called = 0;
2466
allow_early_data_cb(SSL * s,void * arg)2467 static int allow_early_data_cb(SSL *s, void *arg)
2468 {
2469 int *usecb = (int *)arg;
2470
2471 allow_ed_cb_called++;
2472
2473 if (*usecb == 1)
2474 return 0;
2475
2476 return 1;
2477 }
2478
2479 /*
2480 * idx == 0: Standard early_data setup
2481 * idx == 1: early_data setup using read_ahead
2482 * usecb == 0: Don't use a custom early data callback
2483 * usecb == 1: Use a custom early data callback and reject the early data
2484 * usecb == 2: Use a custom early data callback and accept the early data
2485 * confopt == 0: Configure anti-replay directly
2486 * confopt == 1: Configure anti-replay using SSL_CONF
2487 */
test_early_data_replay_int(int idx,int usecb,int confopt)2488 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2489 {
2490 SSL_CTX *cctx = NULL, *sctx = NULL;
2491 SSL *clientssl = NULL, *serverssl = NULL;
2492 int testresult = 0;
2493 SSL_SESSION *sess = NULL;
2494 size_t readbytes, written;
2495 unsigned char buf[20];
2496
2497 allow_ed_cb_called = 0;
2498
2499 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2500 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2501 &cctx, cert, privkey)))
2502 return 0;
2503
2504 if (usecb > 0) {
2505 if (confopt == 0) {
2506 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2507 } else {
2508 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2509
2510 if (!TEST_ptr(confctx))
2511 goto end;
2512 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2513 | SSL_CONF_FLAG_SERVER);
2514 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2515 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2516 2)) {
2517 SSL_CONF_CTX_free(confctx);
2518 goto end;
2519 }
2520 SSL_CONF_CTX_free(confctx);
2521 }
2522 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2523 }
2524
2525 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2526 &serverssl, &sess, idx)))
2527 goto end;
2528
2529 /*
2530 * The server is configured to accept early data. Create a connection to
2531 * "use up" the ticket
2532 */
2533 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2534 || !TEST_true(SSL_session_reused(clientssl)))
2535 goto end;
2536
2537 SSL_shutdown(clientssl);
2538 SSL_shutdown(serverssl);
2539 SSL_free(serverssl);
2540 SSL_free(clientssl);
2541 serverssl = clientssl = NULL;
2542
2543 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2544 &clientssl, NULL, NULL))
2545 || !TEST_true(SSL_set_session(clientssl, sess)))
2546 goto end;
2547
2548 /* Write and read some early data */
2549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2550 &written))
2551 || !TEST_size_t_eq(written, strlen(MSG1)))
2552 goto end;
2553
2554 if (usecb <= 1) {
2555 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2556 &readbytes),
2557 SSL_READ_EARLY_DATA_FINISH)
2558 /*
2559 * The ticket was reused, so the we should have rejected the
2560 * early data
2561 */
2562 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2563 SSL_EARLY_DATA_REJECTED))
2564 goto end;
2565 } else {
2566 /* In this case the callback decides to accept the early data */
2567 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2568 &readbytes),
2569 SSL_READ_EARLY_DATA_SUCCESS)
2570 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2571 /*
2572 * Server will have sent its flight so client can now send
2573 * end of early data and complete its half of the handshake
2574 */
2575 || !TEST_int_gt(SSL_connect(clientssl), 0)
2576 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2577 &readbytes),
2578 SSL_READ_EARLY_DATA_FINISH)
2579 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2580 SSL_EARLY_DATA_ACCEPTED))
2581 goto end;
2582 }
2583
2584 /* Complete the connection */
2585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2586 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2587 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
2588 goto end;
2589
2590 testresult = 1;
2591
2592 end:
2593 SSL_SESSION_free(sess);
2594 SSL_SESSION_free(clientpsk);
2595 SSL_SESSION_free(serverpsk);
2596 clientpsk = serverpsk = NULL;
2597 SSL_free(serverssl);
2598 SSL_free(clientssl);
2599 SSL_CTX_free(sctx);
2600 SSL_CTX_free(cctx);
2601 return testresult;
2602 }
2603
test_early_data_replay(int idx)2604 static int test_early_data_replay(int idx)
2605 {
2606 int ret = 1, usecb, confopt;
2607
2608 for (usecb = 0; usecb < 3; usecb++) {
2609 for (confopt = 0; confopt < 2; confopt++)
2610 ret &= test_early_data_replay_int(idx, usecb, confopt);
2611 }
2612
2613 return ret;
2614 }
2615
2616 /*
2617 * Helper function to test that a server attempting to read early data can
2618 * handle a connection from a client where the early data should be skipped.
2619 * testtype: 0 == No HRR
2620 * testtype: 1 == HRR
2621 * testtype: 2 == HRR, invalid early_data sent after HRR
2622 * testtype: 3 == recv_max_early_data set to 0
2623 */
early_data_skip_helper(int testtype,int idx)2624 static int early_data_skip_helper(int testtype, int idx)
2625 {
2626 SSL_CTX *cctx = NULL, *sctx = NULL;
2627 SSL *clientssl = NULL, *serverssl = NULL;
2628 int testresult = 0;
2629 SSL_SESSION *sess = NULL;
2630 unsigned char buf[20];
2631 size_t readbytes, written;
2632
2633 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2634 &serverssl, &sess, idx)))
2635 goto end;
2636
2637 if (testtype == 1 || testtype == 2) {
2638 /* Force an HRR to occur */
2639 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2640 goto end;
2641 } else if (idx == 2) {
2642 /*
2643 * We force early_data rejection by ensuring the PSK identity is
2644 * unrecognised
2645 */
2646 srvid = "Dummy Identity";
2647 } else {
2648 /*
2649 * Deliberately corrupt the creation time. We take 20 seconds off the
2650 * time. It could be any value as long as it is not within tolerance.
2651 * This should mean the ticket is rejected.
2652 */
2653 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
2654 goto end;
2655 }
2656
2657 if (testtype == 3
2658 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2659 goto end;
2660
2661 /* Write some early data */
2662 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2663 &written))
2664 || !TEST_size_t_eq(written, strlen(MSG1)))
2665 goto end;
2666
2667 /* Server should reject the early data */
2668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2669 &readbytes),
2670 SSL_READ_EARLY_DATA_FINISH)
2671 || !TEST_size_t_eq(readbytes, 0)
2672 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2673 SSL_EARLY_DATA_REJECTED))
2674 goto end;
2675
2676 switch (testtype) {
2677 case 0:
2678 /* Nothing to do */
2679 break;
2680
2681 case 1:
2682 /*
2683 * Finish off the handshake. We perform the same writes and reads as
2684 * further down but we expect them to fail due to the incomplete
2685 * handshake.
2686 */
2687 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2688 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2689 &readbytes)))
2690 goto end;
2691 break;
2692
2693 case 2:
2694 {
2695 BIO *wbio = SSL_get_wbio(clientssl);
2696 /* A record that will appear as bad early_data */
2697 const unsigned char bad_early_data[] = {
2698 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2699 };
2700
2701 /*
2702 * We force the client to attempt a write. This will fail because
2703 * we're still in the handshake. It will cause the second
2704 * ClientHello to be sent.
2705 */
2706 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2707 &written)))
2708 goto end;
2709
2710 /*
2711 * Inject some early_data after the second ClientHello. This should
2712 * cause the server to fail
2713 */
2714 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2715 sizeof(bad_early_data), &written)))
2716 goto end;
2717 }
2718 /* fallthrough */
2719
2720 case 3:
2721 /*
2722 * This client has sent more early_data than we are willing to skip
2723 * (case 3) or sent invalid early_data (case 2) so the connection should
2724 * abort.
2725 */
2726 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2727 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2728 goto end;
2729
2730 /* Connection has failed - nothing more to do */
2731 testresult = 1;
2732 goto end;
2733
2734 default:
2735 TEST_error("Invalid test type");
2736 goto end;
2737 }
2738
2739 /*
2740 * Should be able to send normal data despite rejection of early data. The
2741 * early_data should be skipped.
2742 */
2743 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2744 || !TEST_size_t_eq(written, strlen(MSG2))
2745 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2746 SSL_EARLY_DATA_REJECTED)
2747 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2748 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2749 goto end;
2750
2751 testresult = 1;
2752
2753 end:
2754 SSL_SESSION_free(clientpsk);
2755 SSL_SESSION_free(serverpsk);
2756 clientpsk = serverpsk = NULL;
2757 SSL_SESSION_free(sess);
2758 SSL_free(serverssl);
2759 SSL_free(clientssl);
2760 SSL_CTX_free(sctx);
2761 SSL_CTX_free(cctx);
2762 return testresult;
2763 }
2764
2765 /*
2766 * Test that a server attempting to read early data can handle a connection
2767 * from a client where the early data is not acceptable.
2768 */
test_early_data_skip(int idx)2769 static int test_early_data_skip(int idx)
2770 {
2771 return early_data_skip_helper(0, idx);
2772 }
2773
2774 /*
2775 * Test that a server attempting to read early data can handle a connection
2776 * from a client where an HRR occurs.
2777 */
test_early_data_skip_hrr(int idx)2778 static int test_early_data_skip_hrr(int idx)
2779 {
2780 return early_data_skip_helper(1, idx);
2781 }
2782
2783 /*
2784 * Test that a server attempting to read early data can handle a connection
2785 * from a client where an HRR occurs and correctly fails if early_data is sent
2786 * after the HRR
2787 */
test_early_data_skip_hrr_fail(int idx)2788 static int test_early_data_skip_hrr_fail(int idx)
2789 {
2790 return early_data_skip_helper(2, idx);
2791 }
2792
2793 /*
2794 * Test that a server attempting to read early data will abort if it tries to
2795 * skip over too much.
2796 */
test_early_data_skip_abort(int idx)2797 static int test_early_data_skip_abort(int idx)
2798 {
2799 return early_data_skip_helper(3, idx);
2800 }
2801
2802 /*
2803 * Test that a server attempting to read early data can handle a connection
2804 * from a client that doesn't send any.
2805 */
test_early_data_not_sent(int idx)2806 static int test_early_data_not_sent(int idx)
2807 {
2808 SSL_CTX *cctx = NULL, *sctx = NULL;
2809 SSL *clientssl = NULL, *serverssl = NULL;
2810 int testresult = 0;
2811 SSL_SESSION *sess = NULL;
2812 unsigned char buf[20];
2813 size_t readbytes, written;
2814
2815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2816 &serverssl, &sess, idx)))
2817 goto end;
2818
2819 /* Write some data - should block due to handshake with server */
2820 SSL_set_connect_state(clientssl);
2821 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
2822 goto end;
2823
2824 /* Server should detect that early data has not been sent */
2825 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2826 &readbytes),
2827 SSL_READ_EARLY_DATA_FINISH)
2828 || !TEST_size_t_eq(readbytes, 0)
2829 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2830 SSL_EARLY_DATA_NOT_SENT)
2831 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2832 SSL_EARLY_DATA_NOT_SENT))
2833 goto end;
2834
2835 /* Continue writing the message we started earlier */
2836 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2837 || !TEST_size_t_eq(written, strlen(MSG1))
2838 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2839 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2840 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2841 || !TEST_size_t_eq(written, strlen(MSG2)))
2842 goto end;
2843
2844 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2845 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2846 goto end;
2847
2848 testresult = 1;
2849
2850 end:
2851 SSL_SESSION_free(sess);
2852 SSL_SESSION_free(clientpsk);
2853 SSL_SESSION_free(serverpsk);
2854 clientpsk = serverpsk = NULL;
2855 SSL_free(serverssl);
2856 SSL_free(clientssl);
2857 SSL_CTX_free(sctx);
2858 SSL_CTX_free(cctx);
2859 return testresult;
2860 }
2861
2862 static const char *servalpn;
2863
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)2864 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2865 unsigned char *outlen, const unsigned char *in,
2866 unsigned int inlen, void *arg)
2867 {
2868 unsigned int protlen = 0;
2869 const unsigned char *prot;
2870
2871 for (prot = in; prot < in + inlen; prot += protlen) {
2872 protlen = *prot++;
2873 if (in + inlen < prot + protlen)
2874 return SSL_TLSEXT_ERR_NOACK;
2875
2876 if (protlen == strlen(servalpn)
2877 && memcmp(prot, servalpn, protlen) == 0) {
2878 *out = prot;
2879 *outlen = protlen;
2880 return SSL_TLSEXT_ERR_OK;
2881 }
2882 }
2883
2884 return SSL_TLSEXT_ERR_NOACK;
2885 }
2886
2887 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)2888 static int test_early_data_psk(int idx)
2889 {
2890 SSL_CTX *cctx = NULL, *sctx = NULL;
2891 SSL *clientssl = NULL, *serverssl = NULL;
2892 int testresult = 0;
2893 SSL_SESSION *sess = NULL;
2894 unsigned char alpnlist[] = {
2895 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2896 'l', 'p', 'n'
2897 };
2898 #define GOODALPNLEN 9
2899 #define BADALPNLEN 8
2900 #define GOODALPN (alpnlist)
2901 #define BADALPN (alpnlist + GOODALPNLEN)
2902 int err = 0;
2903 unsigned char buf[20];
2904 size_t readbytes, written;
2905 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
2906 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2907
2908 /* We always set this up with a final parameter of "2" for PSK */
2909 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2910 &serverssl, &sess, 2)))
2911 goto end;
2912
2913 servalpn = "goodalpn";
2914
2915 /*
2916 * Note: There is no test for inconsistent SNI with late client detection.
2917 * This is because servers do not acknowledge SNI even if they are using
2918 * it in a resumption handshake - so it is not actually possible for a
2919 * client to detect a problem.
2920 */
2921 switch (idx) {
2922 case 0:
2923 /* Set inconsistent SNI (early client detection) */
2924 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2925 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2926 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2927 goto end;
2928 break;
2929
2930 case 1:
2931 /* Set inconsistent ALPN (early client detection) */
2932 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2933 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
2934 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2935 GOODALPNLEN))
2936 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2937 BADALPNLEN)))
2938 goto end;
2939 break;
2940
2941 case 2:
2942 /*
2943 * Set invalid protocol version. Technically this affects PSKs without
2944 * early_data too, but we test it here because it is similar to the
2945 * SNI/ALPN consistency tests.
2946 */
2947 err = SSL_R_BAD_PSK;
2948 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2949 goto end;
2950 break;
2951
2952 case 3:
2953 /*
2954 * Set inconsistent SNI (server side). In this case the connection
2955 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
2956 * is associated with each handshake - not the session. Therefore it
2957 * should not matter that we used a different server name last time.
2958 */
2959 SSL_SESSION_free(serverpsk);
2960 serverpsk = SSL_SESSION_dup(clientpsk);
2961 if (!TEST_ptr(serverpsk)
2962 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2963 goto end;
2964 /* Fall through */
2965 case 4:
2966 /* Set consistent SNI */
2967 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2968 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2969 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2970 hostname_cb)))
2971 goto end;
2972 break;
2973
2974 case 5:
2975 /*
2976 * Set inconsistent ALPN (server detected). In this case the connection
2977 * will succeed but reject early_data.
2978 */
2979 servalpn = "badalpn";
2980 edstatus = SSL_EARLY_DATA_REJECTED;
2981 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2982 /* Fall through */
2983 case 6:
2984 /*
2985 * Set consistent ALPN.
2986 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2987 * accepts a list of protos (each one length prefixed).
2988 * SSL_set1_alpn_selected accepts a single protocol (not length
2989 * prefixed)
2990 */
2991 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2992 GOODALPNLEN - 1))
2993 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2994 GOODALPNLEN)))
2995 goto end;
2996
2997 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2998 break;
2999
3000 case 7:
3001 /* Set inconsistent ALPN (late client detection) */
3002 SSL_SESSION_free(serverpsk);
3003 serverpsk = SSL_SESSION_dup(clientpsk);
3004 if (!TEST_ptr(serverpsk)
3005 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3006 BADALPN + 1,
3007 BADALPNLEN - 1))
3008 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3009 GOODALPN + 1,
3010 GOODALPNLEN - 1))
3011 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3012 sizeof(alpnlist))))
3013 goto end;
3014 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3015 edstatus = SSL_EARLY_DATA_ACCEPTED;
3016 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3017 /* SSL_connect() call should fail */
3018 connectres = -1;
3019 break;
3020
3021 default:
3022 TEST_error("Bad test index");
3023 goto end;
3024 }
3025
3026 SSL_set_connect_state(clientssl);
3027 if (err != 0) {
3028 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3029 &written))
3030 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3031 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3032 goto end;
3033 } else {
3034 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3035 &written)))
3036 goto end;
3037
3038 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3039 &readbytes), readearlyres)
3040 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3041 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3042 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3043 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3044 goto end;
3045 }
3046
3047 testresult = 1;
3048
3049 end:
3050 SSL_SESSION_free(sess);
3051 SSL_SESSION_free(clientpsk);
3052 SSL_SESSION_free(serverpsk);
3053 clientpsk = serverpsk = NULL;
3054 SSL_free(serverssl);
3055 SSL_free(clientssl);
3056 SSL_CTX_free(sctx);
3057 SSL_CTX_free(cctx);
3058 return testresult;
3059 }
3060
3061 /*
3062 * Test that a server that doesn't try to read early data can handle a
3063 * client sending some.
3064 */
test_early_data_not_expected(int idx)3065 static int test_early_data_not_expected(int idx)
3066 {
3067 SSL_CTX *cctx = NULL, *sctx = NULL;
3068 SSL *clientssl = NULL, *serverssl = NULL;
3069 int testresult = 0;
3070 SSL_SESSION *sess = NULL;
3071 unsigned char buf[20];
3072 size_t readbytes, written;
3073
3074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3075 &serverssl, &sess, idx)))
3076 goto end;
3077
3078 /* Write some early data */
3079 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3080 &written)))
3081 goto end;
3082
3083 /*
3084 * Server should skip over early data and then block waiting for client to
3085 * continue handshake
3086 */
3087 if (!TEST_int_le(SSL_accept(serverssl), 0)
3088 || !TEST_int_gt(SSL_connect(clientssl), 0)
3089 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3090 SSL_EARLY_DATA_REJECTED)
3091 || !TEST_int_gt(SSL_accept(serverssl), 0)
3092 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3093 SSL_EARLY_DATA_REJECTED))
3094 goto end;
3095
3096 /* Send some normal data from client to server */
3097 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3098 || !TEST_size_t_eq(written, strlen(MSG2)))
3099 goto end;
3100
3101 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3102 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3103 goto end;
3104
3105 testresult = 1;
3106
3107 end:
3108 SSL_SESSION_free(sess);
3109 SSL_SESSION_free(clientpsk);
3110 SSL_SESSION_free(serverpsk);
3111 clientpsk = serverpsk = NULL;
3112 SSL_free(serverssl);
3113 SSL_free(clientssl);
3114 SSL_CTX_free(sctx);
3115 SSL_CTX_free(cctx);
3116 return testresult;
3117 }
3118
3119
3120 # ifndef OPENSSL_NO_TLS1_2
3121 /*
3122 * Test that a server attempting to read early data can handle a connection
3123 * from a TLSv1.2 client.
3124 */
test_early_data_tls1_2(int idx)3125 static int test_early_data_tls1_2(int idx)
3126 {
3127 SSL_CTX *cctx = NULL, *sctx = NULL;
3128 SSL *clientssl = NULL, *serverssl = NULL;
3129 int testresult = 0;
3130 unsigned char buf[20];
3131 size_t readbytes, written;
3132
3133 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3134 &serverssl, NULL, idx)))
3135 goto end;
3136
3137 /* Write some data - should block due to handshake with server */
3138 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3139 SSL_set_connect_state(clientssl);
3140 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3141 goto end;
3142
3143 /*
3144 * Server should do TLSv1.2 handshake. First it will block waiting for more
3145 * messages from client after ServerDone. Then SSL_read_early_data should
3146 * finish and detect that early data has not been sent
3147 */
3148 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3149 &readbytes),
3150 SSL_READ_EARLY_DATA_ERROR))
3151 goto end;
3152
3153 /*
3154 * Continue writing the message we started earlier. Will still block waiting
3155 * for the CCS/Finished from server
3156 */
3157 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3158 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3159 &readbytes),
3160 SSL_READ_EARLY_DATA_FINISH)
3161 || !TEST_size_t_eq(readbytes, 0)
3162 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3163 SSL_EARLY_DATA_NOT_SENT))
3164 goto end;
3165
3166 /* Continue writing the message we started earlier */
3167 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3168 || !TEST_size_t_eq(written, strlen(MSG1))
3169 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3170 SSL_EARLY_DATA_NOT_SENT)
3171 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3172 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3173 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3174 || !TEST_size_t_eq(written, strlen(MSG2))
3175 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3176 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3177 goto end;
3178
3179 testresult = 1;
3180
3181 end:
3182 SSL_SESSION_free(clientpsk);
3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3187 SSL_CTX_free(sctx);
3188 SSL_CTX_free(cctx);
3189
3190 return testresult;
3191 }
3192 # endif /* OPENSSL_NO_TLS1_2 */
3193
3194 /*
3195 * Test configuring the TLSv1.3 ciphersuites
3196 *
3197 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3198 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3199 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3200 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3201 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3202 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3203 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3204 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3205 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3206 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3207 */
test_set_ciphersuite(int idx)3208 static int test_set_ciphersuite(int idx)
3209 {
3210 SSL_CTX *cctx = NULL, *sctx = NULL;
3211 SSL *clientssl = NULL, *serverssl = NULL;
3212 int testresult = 0;
3213
3214 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3215 TLS1_VERSION, TLS_MAX_VERSION,
3216 &sctx, &cctx, cert, privkey))
3217 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3218 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3219 goto end;
3220
3221 if (idx >=4 && idx <= 7) {
3222 /* SSL_CTX explicit cipher list */
3223 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3224 goto end;
3225 }
3226
3227 if (idx == 0 || idx == 4) {
3228 /* Default ciphersuite */
3229 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3230 "TLS_AES_128_GCM_SHA256")))
3231 goto end;
3232 } else if (idx == 1 || idx == 5) {
3233 /* Non default ciphersuite */
3234 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3235 "TLS_AES_128_CCM_SHA256")))
3236 goto end;
3237 }
3238
3239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3240 &clientssl, NULL, NULL)))
3241 goto end;
3242
3243 if (idx == 8 || idx == 9) {
3244 /* SSL explicit cipher list */
3245 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3246 goto end;
3247 }
3248
3249 if (idx == 2 || idx == 6 || idx == 8) {
3250 /* Default ciphersuite */
3251 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3252 "TLS_AES_128_GCM_SHA256")))
3253 goto end;
3254 } else if (idx == 3 || idx == 7 || idx == 9) {
3255 /* Non default ciphersuite */
3256 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3257 "TLS_AES_128_CCM_SHA256")))
3258 goto end;
3259 }
3260
3261 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3262 goto end;
3263
3264 testresult = 1;
3265
3266 end:
3267 SSL_free(serverssl);
3268 SSL_free(clientssl);
3269 SSL_CTX_free(sctx);
3270 SSL_CTX_free(cctx);
3271
3272 return testresult;
3273 }
3274
test_ciphersuite_change(void)3275 static int test_ciphersuite_change(void)
3276 {
3277 SSL_CTX *cctx = NULL, *sctx = NULL;
3278 SSL *clientssl = NULL, *serverssl = NULL;
3279 SSL_SESSION *clntsess = NULL;
3280 int testresult = 0;
3281 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3282
3283 /* Create a session based on SHA-256 */
3284 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3285 TLS1_VERSION, TLS_MAX_VERSION,
3286 &sctx, &cctx, cert, privkey))
3287 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3288 "TLS_AES_128_GCM_SHA256"))
3289 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3290 &clientssl, NULL, NULL))
3291 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3292 SSL_ERROR_NONE)))
3293 goto end;
3294
3295 clntsess = SSL_get1_session(clientssl);
3296 /* Save for later */
3297 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3298 SSL_shutdown(clientssl);
3299 SSL_shutdown(serverssl);
3300 SSL_free(serverssl);
3301 SSL_free(clientssl);
3302 serverssl = clientssl = NULL;
3303
3304 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3305 /* Check we can resume a session with a different SHA-256 ciphersuite */
3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3307 "TLS_CHACHA20_POLY1305_SHA256"))
3308 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3309 NULL, NULL))
3310 || !TEST_true(SSL_set_session(clientssl, clntsess))
3311 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3312 SSL_ERROR_NONE))
3313 || !TEST_true(SSL_session_reused(clientssl)))
3314 goto end;
3315
3316 SSL_SESSION_free(clntsess);
3317 clntsess = SSL_get1_session(clientssl);
3318 SSL_shutdown(clientssl);
3319 SSL_shutdown(serverssl);
3320 SSL_free(serverssl);
3321 SSL_free(clientssl);
3322 serverssl = clientssl = NULL;
3323 # endif
3324
3325 /*
3326 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3327 * succeeds but does not resume.
3328 */
3329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3330 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3331 NULL, NULL))
3332 || !TEST_true(SSL_set_session(clientssl, clntsess))
3333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3334 SSL_ERROR_SSL))
3335 || !TEST_false(SSL_session_reused(clientssl)))
3336 goto end;
3337
3338 SSL_SESSION_free(clntsess);
3339 clntsess = NULL;
3340 SSL_shutdown(clientssl);
3341 SSL_shutdown(serverssl);
3342 SSL_free(serverssl);
3343 SSL_free(clientssl);
3344 serverssl = clientssl = NULL;
3345
3346 /* Create a session based on SHA384 */
3347 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3348 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3349 &clientssl, NULL, NULL))
3350 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3351 SSL_ERROR_NONE)))
3352 goto end;
3353
3354 clntsess = SSL_get1_session(clientssl);
3355 SSL_shutdown(clientssl);
3356 SSL_shutdown(serverssl);
3357 SSL_free(serverssl);
3358 SSL_free(clientssl);
3359 serverssl = clientssl = NULL;
3360
3361 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3362 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3363 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3364 "TLS_AES_256_GCM_SHA384"))
3365 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3366 NULL, NULL))
3367 || !TEST_true(SSL_set_session(clientssl, clntsess))
3368 /*
3369 * We use SSL_ERROR_WANT_READ below so that we can pause the
3370 * connection after the initial ClientHello has been sent to
3371 * enable us to make some session changes.
3372 */
3373 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3374 SSL_ERROR_WANT_READ)))
3375 goto end;
3376
3377 /* Trick the client into thinking this session is for a different digest */
3378 clntsess->cipher = aes_128_gcm_sha256;
3379 clntsess->cipher_id = clntsess->cipher->id;
3380
3381 /*
3382 * Continue the previously started connection. Server has selected a SHA-384
3383 * ciphersuite, but client thinks the session is for SHA-256, so it should
3384 * bail out.
3385 */
3386 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3387 SSL_ERROR_SSL))
3388 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3389 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3390 goto end;
3391
3392 testresult = 1;
3393
3394 end:
3395 SSL_SESSION_free(clntsess);
3396 SSL_free(serverssl);
3397 SSL_free(clientssl);
3398 SSL_CTX_free(sctx);
3399 SSL_CTX_free(cctx);
3400
3401 return testresult;
3402 }
3403
3404 /*
3405 * Test TLSv1.3 Cipher Suite
3406 * Test 0 = Set TLS1.3 cipher on context
3407 * Test 1 = Set TLS1.3 cipher on SSL
3408 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3409 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3410 */
test_tls13_ciphersuite(int idx)3411 static int test_tls13_ciphersuite(int idx)
3412 {
3413 SSL_CTX *sctx = NULL, *cctx = NULL;
3414 SSL *serverssl = NULL, *clientssl = NULL;
3415 static const char *t13_ciphers[] = {
3416 TLS1_3_RFC_AES_128_GCM_SHA256,
3417 TLS1_3_RFC_AES_256_GCM_SHA384,
3418 TLS1_3_RFC_AES_128_CCM_SHA256,
3419 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3420 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3421 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3422 # endif
3423 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3424 };
3425 const char *t13_cipher = NULL;
3426 const char *t12_cipher = NULL;
3427 const char *negotiated_scipher;
3428 const char *negotiated_ccipher;
3429 int set_at_ctx = 0;
3430 int set_at_ssl = 0;
3431 int testresult = 0;
3432 int max_ver;
3433 size_t i;
3434
3435 switch (idx) {
3436 case 0:
3437 set_at_ctx = 1;
3438 break;
3439 case 1:
3440 set_at_ssl = 1;
3441 break;
3442 case 2:
3443 set_at_ctx = 1;
3444 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3445 break;
3446 case 3:
3447 set_at_ssl = 1;
3448 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3449 break;
3450 }
3451
3452 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3453 # ifdef OPENSSL_NO_TLS1_2
3454 if (max_ver == TLS1_2_VERSION)
3455 continue;
3456 # endif
3457 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3458 t13_cipher = t13_ciphers[i];
3459 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3460 TLS_client_method(),
3461 TLS1_VERSION, max_ver,
3462 &sctx, &cctx, cert, privkey)))
3463 goto end;
3464
3465 if (set_at_ctx) {
3466 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3467 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3468 goto end;
3469 if (t12_cipher != NULL) {
3470 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3471 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3472 t12_cipher)))
3473 goto end;
3474 }
3475 }
3476
3477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3478 &clientssl, NULL, NULL)))
3479 goto end;
3480
3481 if (set_at_ssl) {
3482 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3483 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3484 goto end;
3485 if (t12_cipher != NULL) {
3486 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3487 || !TEST_true(SSL_set_cipher_list(clientssl,
3488 t12_cipher)))
3489 goto end;
3490 }
3491 }
3492
3493 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3494 SSL_ERROR_NONE)))
3495 goto end;
3496
3497 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3498 serverssl));
3499 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3500 clientssl));
3501 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3502 goto end;
3503
3504 /*
3505 * TEST_strn_eq is used below because t13_cipher can contain
3506 * multiple ciphersuites
3507 */
3508 if (max_ver == TLS1_3_VERSION
3509 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
3510 strlen(negotiated_scipher)))
3511 goto end;
3512
3513 # ifndef OPENSSL_NO_TLS1_2
3514 /* Below validation is not done when t12_cipher is NULL */
3515 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
3516 && !TEST_str_eq(t12_cipher, negotiated_scipher))
3517 goto end;
3518 # endif
3519
3520 SSL_free(serverssl);
3521 serverssl = NULL;
3522 SSL_free(clientssl);
3523 clientssl = NULL;
3524 SSL_CTX_free(sctx);
3525 sctx = NULL;
3526 SSL_CTX_free(cctx);
3527 cctx = NULL;
3528 }
3529 }
3530
3531 testresult = 1;
3532 end:
3533 SSL_free(serverssl);
3534 SSL_free(clientssl);
3535 SSL_CTX_free(sctx);
3536 SSL_CTX_free(cctx);
3537 return testresult;
3538 }
3539
3540 /*
3541 * Test TLSv1.3 PSKs
3542 * Test 0 = Test new style callbacks
3543 * Test 1 = Test both new and old style callbacks
3544 * Test 2 = Test old style callbacks
3545 * Test 3 = Test old style callbacks with no certificate
3546 */
test_tls13_psk(int idx)3547 static int test_tls13_psk(int idx)
3548 {
3549 SSL_CTX *sctx = NULL, *cctx = NULL;
3550 SSL *serverssl = NULL, *clientssl = NULL;
3551 const SSL_CIPHER *cipher = NULL;
3552 const unsigned char key[] = {
3553 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3554 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3555 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3556 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
3557 };
3558 int testresult = 0;
3559
3560 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3561 TLS1_VERSION, TLS_MAX_VERSION,
3562 &sctx, &cctx, idx == 3 ? NULL : cert,
3563 idx == 3 ? NULL : privkey)))
3564 goto end;
3565
3566 if (idx != 3) {
3567 /*
3568 * We use a ciphersuite with SHA256 to ease testing old style PSK
3569 * callbacks which will always default to SHA256. This should not be
3570 * necessary if we have no cert/priv key. In that case the server should
3571 * prefer SHA256 automatically.
3572 */
3573 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3574 "TLS_AES_128_GCM_SHA256")))
3575 goto end;
3576 }
3577
3578 /*
3579 * Test 0: New style callbacks only
3580 * Test 1: New and old style callbacks (only the new ones should be used)
3581 * Test 2: Old style callbacks only
3582 */
3583 if (idx == 0 || idx == 1) {
3584 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3585 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3586 }
3587 #ifndef OPENSSL_NO_PSK
3588 if (idx >= 1) {
3589 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3590 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3591 }
3592 #endif
3593 srvid = pskid;
3594 use_session_cb_cnt = 0;
3595 find_session_cb_cnt = 0;
3596 psk_client_cb_cnt = 0;
3597 psk_server_cb_cnt = 0;
3598
3599 if (idx != 3) {
3600 /*
3601 * Check we can create a connection if callback decides not to send a
3602 * PSK
3603 */
3604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3605 NULL, NULL))
3606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3607 SSL_ERROR_NONE))
3608 || !TEST_false(SSL_session_reused(clientssl))
3609 || !TEST_false(SSL_session_reused(serverssl)))
3610 goto end;
3611
3612 if (idx == 0 || idx == 1) {
3613 if (!TEST_true(use_session_cb_cnt == 1)
3614 || !TEST_true(find_session_cb_cnt == 0)
3615 /*
3616 * If no old style callback then below should be 0
3617 * otherwise 1
3618 */
3619 || !TEST_true(psk_client_cb_cnt == idx)
3620 || !TEST_true(psk_server_cb_cnt == 0))
3621 goto end;
3622 } else {
3623 if (!TEST_true(use_session_cb_cnt == 0)
3624 || !TEST_true(find_session_cb_cnt == 0)
3625 || !TEST_true(psk_client_cb_cnt == 1)
3626 || !TEST_true(psk_server_cb_cnt == 0))
3627 goto end;
3628 }
3629
3630 shutdown_ssl_connection(serverssl, clientssl);
3631 serverssl = clientssl = NULL;
3632 use_session_cb_cnt = psk_client_cb_cnt = 0;
3633 }
3634
3635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3636 NULL, NULL)))
3637 goto end;
3638
3639 /* Create the PSK */
3640 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
3641 clientpsk = SSL_SESSION_new();
3642 if (!TEST_ptr(clientpsk)
3643 || !TEST_ptr(cipher)
3644 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3645 sizeof(key)))
3646 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3647 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3648 TLS1_3_VERSION))
3649 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
3650 goto end;
3651 serverpsk = clientpsk;
3652
3653 /* Check we can create a connection and the PSK is used */
3654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3655 || !TEST_true(SSL_session_reused(clientssl))
3656 || !TEST_true(SSL_session_reused(serverssl)))
3657 goto end;
3658
3659 if (idx == 0 || idx == 1) {
3660 if (!TEST_true(use_session_cb_cnt == 1)
3661 || !TEST_true(find_session_cb_cnt == 1)
3662 || !TEST_true(psk_client_cb_cnt == 0)
3663 || !TEST_true(psk_server_cb_cnt == 0))
3664 goto end;
3665 } else {
3666 if (!TEST_true(use_session_cb_cnt == 0)
3667 || !TEST_true(find_session_cb_cnt == 0)
3668 || !TEST_true(psk_client_cb_cnt == 1)
3669 || !TEST_true(psk_server_cb_cnt == 1))
3670 goto end;
3671 }
3672
3673 shutdown_ssl_connection(serverssl, clientssl);
3674 serverssl = clientssl = NULL;
3675 use_session_cb_cnt = find_session_cb_cnt = 0;
3676 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3677
3678 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3679 NULL, NULL)))
3680 goto end;
3681
3682 /* Force an HRR */
3683 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3684 goto end;
3685
3686 /*
3687 * Check we can create a connection, the PSK is used and the callbacks are
3688 * called twice.
3689 */
3690 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3691 || !TEST_true(SSL_session_reused(clientssl))
3692 || !TEST_true(SSL_session_reused(serverssl)))
3693 goto end;
3694
3695 if (idx == 0 || idx == 1) {
3696 if (!TEST_true(use_session_cb_cnt == 2)
3697 || !TEST_true(find_session_cb_cnt == 2)
3698 || !TEST_true(psk_client_cb_cnt == 0)
3699 || !TEST_true(psk_server_cb_cnt == 0))
3700 goto end;
3701 } else {
3702 if (!TEST_true(use_session_cb_cnt == 0)
3703 || !TEST_true(find_session_cb_cnt == 0)
3704 || !TEST_true(psk_client_cb_cnt == 2)
3705 || !TEST_true(psk_server_cb_cnt == 2))
3706 goto end;
3707 }
3708
3709 shutdown_ssl_connection(serverssl, clientssl);
3710 serverssl = clientssl = NULL;
3711 use_session_cb_cnt = find_session_cb_cnt = 0;
3712 psk_client_cb_cnt = psk_server_cb_cnt = 0;
3713
3714 if (idx != 3) {
3715 /*
3716 * Check that if the server rejects the PSK we can still connect, but with
3717 * a full handshake
3718 */
3719 srvid = "Dummy Identity";
3720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3721 NULL, NULL))
3722 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3723 SSL_ERROR_NONE))
3724 || !TEST_false(SSL_session_reused(clientssl))
3725 || !TEST_false(SSL_session_reused(serverssl)))
3726 goto end;
3727
3728 if (idx == 0 || idx == 1) {
3729 if (!TEST_true(use_session_cb_cnt == 1)
3730 || !TEST_true(find_session_cb_cnt == 1)
3731 || !TEST_true(psk_client_cb_cnt == 0)
3732 /*
3733 * If no old style callback then below should be 0
3734 * otherwise 1
3735 */
3736 || !TEST_true(psk_server_cb_cnt == idx))
3737 goto end;
3738 } else {
3739 if (!TEST_true(use_session_cb_cnt == 0)
3740 || !TEST_true(find_session_cb_cnt == 0)
3741 || !TEST_true(psk_client_cb_cnt == 1)
3742 || !TEST_true(psk_server_cb_cnt == 1))
3743 goto end;
3744 }
3745
3746 shutdown_ssl_connection(serverssl, clientssl);
3747 serverssl = clientssl = NULL;
3748 }
3749 testresult = 1;
3750
3751 end:
3752 SSL_SESSION_free(clientpsk);
3753 SSL_SESSION_free(serverpsk);
3754 clientpsk = serverpsk = NULL;
3755 SSL_free(serverssl);
3756 SSL_free(clientssl);
3757 SSL_CTX_free(sctx);
3758 SSL_CTX_free(cctx);
3759 return testresult;
3760 }
3761
3762 static unsigned char cookie_magic_value[] = "cookie magic";
3763
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)3764 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3765 unsigned int *cookie_len)
3766 {
3767 /*
3768 * Not suitable as a real cookie generation function but good enough for
3769 * testing!
3770 */
3771 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3772 *cookie_len = sizeof(cookie_magic_value) - 1;
3773
3774 return 1;
3775 }
3776
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)3777 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3778 unsigned int cookie_len)
3779 {
3780 if (cookie_len == sizeof(cookie_magic_value) - 1
3781 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3782 return 1;
3783
3784 return 0;
3785 }
3786
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)3787 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3788 size_t *cookie_len)
3789 {
3790 unsigned int temp;
3791 int res = generate_cookie_callback(ssl, cookie, &temp);
3792 *cookie_len = temp;
3793 return res;
3794 }
3795
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)3796 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3797 size_t cookie_len)
3798 {
3799 return verify_cookie_callback(ssl, cookie, cookie_len);
3800 }
3801
test_stateless(void)3802 static int test_stateless(void)
3803 {
3804 SSL_CTX *sctx = NULL, *cctx = NULL;
3805 SSL *serverssl = NULL, *clientssl = NULL;
3806 int testresult = 0;
3807
3808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3809 TLS1_VERSION, TLS_MAX_VERSION,
3810 &sctx, &cctx, cert, privkey)))
3811 goto end;
3812
3813 /* The arrival of CCS messages can confuse the test */
3814 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3815
3816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3817 NULL, NULL))
3818 /* Send the first ClientHello */
3819 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3820 SSL_ERROR_WANT_READ))
3821 /*
3822 * This should fail with a -1 return because we have no callbacks
3823 * set up
3824 */
3825 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3826 goto end;
3827
3828 /* Fatal error so abandon the connection from this client */
3829 SSL_free(clientssl);
3830 clientssl = NULL;
3831
3832 /* Set up the cookie generation and verification callbacks */
3833 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3834 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
3835
3836 /*
3837 * Create a new connection from the client (we can reuse the server SSL
3838 * object).
3839 */
3840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3841 NULL, NULL))
3842 /* Send the first ClientHello */
3843 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3844 SSL_ERROR_WANT_READ))
3845 /* This should fail because there is no cookie */
3846 || !TEST_int_eq(SSL_stateless(serverssl), 0))
3847 goto end;
3848
3849 /* Abandon the connection from this client */
3850 SSL_free(clientssl);
3851 clientssl = NULL;
3852
3853 /*
3854 * Now create a connection from a new client but with the same server SSL
3855 * object
3856 */
3857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3858 NULL, NULL))
3859 /* Send the first ClientHello */
3860 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3861 SSL_ERROR_WANT_READ))
3862 /* This should fail because there is no cookie */
3863 || !TEST_int_eq(SSL_stateless(serverssl), 0)
3864 /* Send the second ClientHello */
3865 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3866 SSL_ERROR_WANT_READ))
3867 /* This should succeed because a cookie is now present */
3868 || !TEST_int_eq(SSL_stateless(serverssl), 1)
3869 /* Complete the connection */
3870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3871 SSL_ERROR_NONE)))
3872 goto end;
3873
3874 shutdown_ssl_connection(serverssl, clientssl);
3875 serverssl = clientssl = NULL;
3876 testresult = 1;
3877
3878 end:
3879 SSL_free(serverssl);
3880 SSL_free(clientssl);
3881 SSL_CTX_free(sctx);
3882 SSL_CTX_free(cctx);
3883 return testresult;
3884
3885 }
3886 #endif /* OPENSSL_NO_TLS1_3 */
3887
3888 static int clntaddoldcb = 0;
3889 static int clntparseoldcb = 0;
3890 static int srvaddoldcb = 0;
3891 static int srvparseoldcb = 0;
3892 static int clntaddnewcb = 0;
3893 static int clntparsenewcb = 0;
3894 static int srvaddnewcb = 0;
3895 static int srvparsenewcb = 0;
3896 static int snicb = 0;
3897
3898 #define TEST_EXT_TYPE1 0xff00
3899
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)3900 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3901 size_t *outlen, int *al, void *add_arg)
3902 {
3903 int *server = (int *)add_arg;
3904 unsigned char *data;
3905
3906 if (SSL_is_server(s))
3907 srvaddoldcb++;
3908 else
3909 clntaddoldcb++;
3910
3911 if (*server != SSL_is_server(s)
3912 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3913 return -1;
3914
3915 *data = 1;
3916 *out = data;
3917 *outlen = sizeof(char);
3918 return 1;
3919 }
3920
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)3921 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3922 void *add_arg)
3923 {
3924 OPENSSL_free((unsigned char *)out);
3925 }
3926
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)3927 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3928 size_t inlen, int *al, void *parse_arg)
3929 {
3930 int *server = (int *)parse_arg;
3931
3932 if (SSL_is_server(s))
3933 srvparseoldcb++;
3934 else
3935 clntparseoldcb++;
3936
3937 if (*server != SSL_is_server(s)
3938 || inlen != sizeof(char)
3939 || *in != 1)
3940 return -1;
3941
3942 return 1;
3943 }
3944
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)3945 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3946 const unsigned char **out, size_t *outlen, X509 *x,
3947 size_t chainidx, int *al, void *add_arg)
3948 {
3949 int *server = (int *)add_arg;
3950 unsigned char *data;
3951
3952 if (SSL_is_server(s))
3953 srvaddnewcb++;
3954 else
3955 clntaddnewcb++;
3956
3957 if (*server != SSL_is_server(s)
3958 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
3959 return -1;
3960
3961 *data = 1;
3962 *out = data;
3963 *outlen = sizeof(*data);
3964 return 1;
3965 }
3966
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)3967 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3968 const unsigned char *out, void *add_arg)
3969 {
3970 OPENSSL_free((unsigned char *)out);
3971 }
3972
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)3973 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3974 const unsigned char *in, size_t inlen, X509 *x,
3975 size_t chainidx, int *al, void *parse_arg)
3976 {
3977 int *server = (int *)parse_arg;
3978
3979 if (SSL_is_server(s))
3980 srvparsenewcb++;
3981 else
3982 clntparsenewcb++;
3983
3984 if (*server != SSL_is_server(s)
3985 || inlen != sizeof(char) || *in != 1)
3986 return -1;
3987
3988 return 1;
3989 }
3990
sni_cb(SSL * s,int * al,void * arg)3991 static int sni_cb(SSL *s, int *al, void *arg)
3992 {
3993 SSL_CTX *ctx = (SSL_CTX *)arg;
3994
3995 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3996 *al = SSL_AD_INTERNAL_ERROR;
3997 return SSL_TLSEXT_ERR_ALERT_FATAL;
3998 }
3999 snicb++;
4000 return SSL_TLSEXT_ERR_OK;
4001 }
4002
4003 /*
4004 * Custom call back tests.
4005 * Test 0: Old style callbacks in TLSv1.2
4006 * Test 1: New style callbacks in TLSv1.2
4007 * Test 2: New style callbacks in TLSv1.2 with SNI
4008 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4009 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4010 */
test_custom_exts(int tst)4011 static int test_custom_exts(int tst)
4012 {
4013 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4014 SSL *clientssl = NULL, *serverssl = NULL;
4015 int testresult = 0;
4016 static int server = 1;
4017 static int client = 0;
4018 SSL_SESSION *sess = NULL;
4019 unsigned int context;
4020
4021 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4022 /* Skip tests for TLSv1.2 and below in this case */
4023 if (tst < 3)
4024 return 1;
4025 #endif
4026
4027 /* Reset callback counters */
4028 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4029 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4030 snicb = 0;
4031
4032 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4033 TLS1_VERSION, TLS_MAX_VERSION,
4034 &sctx, &cctx, cert, privkey)))
4035 goto end;
4036
4037 if (tst == 2
4038 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4039 TLS1_VERSION, TLS_MAX_VERSION,
4040 &sctx2, NULL, cert, privkey)))
4041 goto end;
4042
4043
4044 if (tst < 3) {
4045 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4046 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4047 if (sctx2 != NULL)
4048 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4049 }
4050
4051 if (tst == 4) {
4052 context = SSL_EXT_CLIENT_HELLO
4053 | SSL_EXT_TLS1_2_SERVER_HELLO
4054 | SSL_EXT_TLS1_3_SERVER_HELLO
4055 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4056 | SSL_EXT_TLS1_3_CERTIFICATE
4057 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4058 } else {
4059 context = SSL_EXT_CLIENT_HELLO
4060 | SSL_EXT_TLS1_2_SERVER_HELLO
4061 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4062 }
4063
4064 /* Create a client side custom extension */
4065 if (tst == 0) {
4066 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4067 old_add_cb, old_free_cb,
4068 &client, old_parse_cb,
4069 &client)))
4070 goto end;
4071 } else {
4072 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4073 new_add_cb, new_free_cb,
4074 &client, new_parse_cb, &client)))
4075 goto end;
4076 }
4077
4078 /* Should not be able to add duplicates */
4079 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4080 old_add_cb, old_free_cb,
4081 &client, old_parse_cb,
4082 &client))
4083 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4084 context, new_add_cb,
4085 new_free_cb, &client,
4086 new_parse_cb, &client)))
4087 goto end;
4088
4089 /* Create a server side custom extension */
4090 if (tst == 0) {
4091 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4092 old_add_cb, old_free_cb,
4093 &server, old_parse_cb,
4094 &server)))
4095 goto end;
4096 } else {
4097 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4098 new_add_cb, new_free_cb,
4099 &server, new_parse_cb, &server)))
4100 goto end;
4101 if (sctx2 != NULL
4102 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4103 context, new_add_cb,
4104 new_free_cb, &server,
4105 new_parse_cb, &server)))
4106 goto end;
4107 }
4108
4109 /* Should not be able to add duplicates */
4110 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4111 old_add_cb, old_free_cb,
4112 &server, old_parse_cb,
4113 &server))
4114 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4115 context, new_add_cb,
4116 new_free_cb, &server,
4117 new_parse_cb, &server)))
4118 goto end;
4119
4120 if (tst == 2) {
4121 /* Set up SNI */
4122 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4123 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4124 goto end;
4125 }
4126
4127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4128 &clientssl, NULL, NULL))
4129 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4130 SSL_ERROR_NONE)))
4131 goto end;
4132
4133 if (tst == 0) {
4134 if (clntaddoldcb != 1
4135 || clntparseoldcb != 1
4136 || srvaddoldcb != 1
4137 || srvparseoldcb != 1)
4138 goto end;
4139 } else if (tst == 1 || tst == 2 || tst == 3) {
4140 if (clntaddnewcb != 1
4141 || clntparsenewcb != 1
4142 || srvaddnewcb != 1
4143 || srvparsenewcb != 1
4144 || (tst != 2 && snicb != 0)
4145 || (tst == 2 && snicb != 1))
4146 goto end;
4147 } else {
4148 /* In this case there 2 NewSessionTicket messages created */
4149 if (clntaddnewcb != 1
4150 || clntparsenewcb != 5
4151 || srvaddnewcb != 5
4152 || srvparsenewcb != 1)
4153 goto end;
4154 }
4155
4156 sess = SSL_get1_session(clientssl);
4157 SSL_shutdown(clientssl);
4158 SSL_shutdown(serverssl);
4159 SSL_free(serverssl);
4160 SSL_free(clientssl);
4161 serverssl = clientssl = NULL;
4162
4163 if (tst == 3) {
4164 /* We don't bother with the resumption aspects for this test */
4165 testresult = 1;
4166 goto end;
4167 }
4168
4169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4170 NULL, NULL))
4171 || !TEST_true(SSL_set_session(clientssl, sess))
4172 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4173 SSL_ERROR_NONE)))
4174 goto end;
4175
4176 /*
4177 * For a resumed session we expect to add the ClientHello extension. For the
4178 * old style callbacks we ignore it on the server side because they set
4179 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4180 * them.
4181 */
4182 if (tst == 0) {
4183 if (clntaddoldcb != 2
4184 || clntparseoldcb != 1
4185 || srvaddoldcb != 1
4186 || srvparseoldcb != 1)
4187 goto end;
4188 } else if (tst == 1 || tst == 2 || tst == 3) {
4189 if (clntaddnewcb != 2
4190 || clntparsenewcb != 2
4191 || srvaddnewcb != 2
4192 || srvparsenewcb != 2)
4193 goto end;
4194 } else {
4195 /*
4196 * No Certificate message extensions in the resumption handshake,
4197 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4198 */
4199 if (clntaddnewcb != 2
4200 || clntparsenewcb != 8
4201 || srvaddnewcb != 8
4202 || srvparsenewcb != 2)
4203 goto end;
4204 }
4205
4206 testresult = 1;
4207
4208 end:
4209 SSL_SESSION_free(sess);
4210 SSL_free(serverssl);
4211 SSL_free(clientssl);
4212 SSL_CTX_free(sctx2);
4213 SSL_CTX_free(sctx);
4214 SSL_CTX_free(cctx);
4215 return testresult;
4216 }
4217
4218 /*
4219 * Test loading of serverinfo data in various formats. test_sslmessages actually
4220 * tests to make sure the extensions appear in the handshake
4221 */
test_serverinfo(int tst)4222 static int test_serverinfo(int tst)
4223 {
4224 unsigned int version;
4225 unsigned char *sibuf;
4226 size_t sibuflen;
4227 int ret, expected, testresult = 0;
4228 SSL_CTX *ctx;
4229
4230 ctx = SSL_CTX_new(TLS_method());
4231 if (!TEST_ptr(ctx))
4232 goto end;
4233
4234 if ((tst & 0x01) == 0x01)
4235 version = SSL_SERVERINFOV2;
4236 else
4237 version = SSL_SERVERINFOV1;
4238
4239 if ((tst & 0x02) == 0x02) {
4240 sibuf = serverinfov2;
4241 sibuflen = sizeof(serverinfov2);
4242 expected = (version == SSL_SERVERINFOV2);
4243 } else {
4244 sibuf = serverinfov1;
4245 sibuflen = sizeof(serverinfov1);
4246 expected = (version == SSL_SERVERINFOV1);
4247 }
4248
4249 if ((tst & 0x04) == 0x04) {
4250 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4251 } else {
4252 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4253
4254 /*
4255 * The version variable is irrelevant in this case - it's what is in the
4256 * buffer that matters
4257 */
4258 if ((tst & 0x02) == 0x02)
4259 expected = 0;
4260 else
4261 expected = 1;
4262 }
4263
4264 if (!TEST_true(ret == expected))
4265 goto end;
4266
4267 testresult = 1;
4268
4269 end:
4270 SSL_CTX_free(ctx);
4271
4272 return testresult;
4273 }
4274
4275 /*
4276 * Test that SSL_export_keying_material() produces expected results. There are
4277 * no test vectors so all we do is test that both sides of the communication
4278 * produce the same results for different protocol versions.
4279 */
4280 #define SMALL_LABEL_LEN 10
4281 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)4282 static int test_export_key_mat(int tst)
4283 {
4284 int testresult = 0;
4285 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4286 SSL *clientssl = NULL, *serverssl = NULL;
4287 const char label[LONG_LABEL_LEN + 1] = "test label";
4288 const unsigned char context[] = "context";
4289 const unsigned char *emptycontext = NULL;
4290 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4291 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4292 size_t labellen;
4293 const int protocols[] = {
4294 TLS1_VERSION,
4295 TLS1_1_VERSION,
4296 TLS1_2_VERSION,
4297 TLS1_3_VERSION,
4298 TLS1_3_VERSION,
4299 TLS1_3_VERSION
4300 };
4301
4302 #ifdef OPENSSL_NO_TLS1
4303 if (tst == 0)
4304 return 1;
4305 #endif
4306 #ifdef OPENSSL_NO_TLS1_1
4307 if (tst == 1)
4308 return 1;
4309 #endif
4310 #ifdef OPENSSL_NO_TLS1_2
4311 if (tst == 2)
4312 return 1;
4313 #endif
4314 #ifdef OPENSSL_NO_TLS1_3
4315 if (tst >= 3)
4316 return 1;
4317 #endif
4318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4319 TLS1_VERSION, TLS_MAX_VERSION,
4320 &sctx, &cctx, cert, privkey)))
4321 goto end;
4322
4323 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4324 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4325 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4326
4327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4328 NULL))
4329 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4330 SSL_ERROR_NONE)))
4331 goto end;
4332
4333 if (tst == 5) {
4334 /*
4335 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4336 * go over that.
4337 */
4338 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4339 sizeof(ckeymat1), label,
4340 LONG_LABEL_LEN + 1, context,
4341 sizeof(context) - 1, 1), 0))
4342 goto end;
4343
4344 testresult = 1;
4345 goto end;
4346 } else if (tst == 4) {
4347 labellen = LONG_LABEL_LEN;
4348 } else {
4349 labellen = SMALL_LABEL_LEN;
4350 }
4351
4352 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4353 sizeof(ckeymat1), label,
4354 labellen, context,
4355 sizeof(context) - 1, 1), 1)
4356 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4357 sizeof(ckeymat2), label,
4358 labellen,
4359 emptycontext,
4360 0, 1), 1)
4361 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4362 sizeof(ckeymat3), label,
4363 labellen,
4364 NULL, 0, 0), 1)
4365 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4366 sizeof(skeymat1), label,
4367 labellen,
4368 context,
4369 sizeof(context) -1, 1),
4370 1)
4371 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4372 sizeof(skeymat2), label,
4373 labellen,
4374 emptycontext,
4375 0, 1), 1)
4376 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4377 sizeof(skeymat3), label,
4378 labellen,
4379 NULL, 0, 0), 1)
4380 /*
4381 * Check that both sides created the same key material with the
4382 * same context.
4383 */
4384 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4385 sizeof(skeymat1))
4386 /*
4387 * Check that both sides created the same key material with an
4388 * empty context.
4389 */
4390 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4391 sizeof(skeymat2))
4392 /*
4393 * Check that both sides created the same key material without a
4394 * context.
4395 */
4396 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4397 sizeof(skeymat3))
4398 /* Different contexts should produce different results */
4399 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4400 sizeof(ckeymat2)))
4401 goto end;
4402
4403 /*
4404 * Check that an empty context and no context produce different results in
4405 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4406 */
4407 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4408 sizeof(ckeymat3)))
4409 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4410 sizeof(ckeymat3))))
4411 goto end;
4412
4413 testresult = 1;
4414
4415 end:
4416 SSL_free(serverssl);
4417 SSL_free(clientssl);
4418 SSL_CTX_free(sctx2);
4419 SSL_CTX_free(sctx);
4420 SSL_CTX_free(cctx);
4421
4422 return testresult;
4423 }
4424
4425 #ifndef OPENSSL_NO_TLS1_3
4426 /*
4427 * Test that SSL_export_keying_material_early() produces expected
4428 * results. There are no test vectors so all we do is test that both
4429 * sides of the communication produce the same results for different
4430 * protocol versions.
4431 */
test_export_key_mat_early(int idx)4432 static int test_export_key_mat_early(int idx)
4433 {
4434 static const char label[] = "test label";
4435 static const unsigned char context[] = "context";
4436 int testresult = 0;
4437 SSL_CTX *cctx = NULL, *sctx = NULL;
4438 SSL *clientssl = NULL, *serverssl = NULL;
4439 SSL_SESSION *sess = NULL;
4440 const unsigned char *emptycontext = NULL;
4441 unsigned char ckeymat1[80], ckeymat2[80];
4442 unsigned char skeymat1[80], skeymat2[80];
4443 unsigned char buf[1];
4444 size_t readbytes, written;
4445
4446 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4447 &sess, idx)))
4448 goto end;
4449
4450 /* Here writing 0 length early data is enough. */
4451 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4452 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4453 &readbytes),
4454 SSL_READ_EARLY_DATA_ERROR)
4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4456 SSL_EARLY_DATA_ACCEPTED))
4457 goto end;
4458
4459 if (!TEST_int_eq(SSL_export_keying_material_early(
4460 clientssl, ckeymat1, sizeof(ckeymat1), label,
4461 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4462 || !TEST_int_eq(SSL_export_keying_material_early(
4463 clientssl, ckeymat2, sizeof(ckeymat2), label,
4464 sizeof(label) - 1, emptycontext, 0), 1)
4465 || !TEST_int_eq(SSL_export_keying_material_early(
4466 serverssl, skeymat1, sizeof(skeymat1), label,
4467 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4468 || !TEST_int_eq(SSL_export_keying_material_early(
4469 serverssl, skeymat2, sizeof(skeymat2), label,
4470 sizeof(label) - 1, emptycontext, 0), 1)
4471 /*
4472 * Check that both sides created the same key material with the
4473 * same context.
4474 */
4475 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4476 sizeof(skeymat1))
4477 /*
4478 * Check that both sides created the same key material with an
4479 * empty context.
4480 */
4481 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4482 sizeof(skeymat2))
4483 /* Different contexts should produce different results */
4484 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4485 sizeof(ckeymat2)))
4486 goto end;
4487
4488 testresult = 1;
4489
4490 end:
4491 SSL_SESSION_free(sess);
4492 SSL_SESSION_free(clientpsk);
4493 SSL_SESSION_free(serverpsk);
4494 clientpsk = serverpsk = NULL;
4495 SSL_free(serverssl);
4496 SSL_free(clientssl);
4497 SSL_CTX_free(sctx);
4498 SSL_CTX_free(cctx);
4499
4500 return testresult;
4501 }
4502
4503 #define NUM_KEY_UPDATE_MESSAGES 40
4504 /*
4505 * Test KeyUpdate.
4506 */
test_key_update(void)4507 static int test_key_update(void)
4508 {
4509 SSL_CTX *cctx = NULL, *sctx = NULL;
4510 SSL *clientssl = NULL, *serverssl = NULL;
4511 int testresult = 0, i, j;
4512 char buf[20];
4513 static char *mess = "A test message";
4514
4515 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4516 TLS_client_method(),
4517 TLS1_3_VERSION,
4518 0,
4519 &sctx, &cctx, cert, privkey))
4520 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4521 NULL, NULL))
4522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4523 SSL_ERROR_NONE)))
4524 goto end;
4525
4526 for (j = 0; j < 2; j++) {
4527 /* Send lots of KeyUpdate messages */
4528 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
4529 if (!TEST_true(SSL_key_update(clientssl,
4530 (j == 0)
4531 ? SSL_KEY_UPDATE_NOT_REQUESTED
4532 : SSL_KEY_UPDATE_REQUESTED))
4533 || !TEST_true(SSL_do_handshake(clientssl)))
4534 goto end;
4535 }
4536
4537 /* Check that sending and receiving app data is ok */
4538 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
4539 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
4540 strlen(mess)))
4541 goto end;
4542
4543 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
4544 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
4545 strlen(mess)))
4546 goto end;
4547 }
4548
4549 testresult = 1;
4550
4551 end:
4552 SSL_free(serverssl);
4553 SSL_free(clientssl);
4554 SSL_CTX_free(sctx);
4555 SSL_CTX_free(cctx);
4556
4557 return testresult;
4558 }
4559
4560 /*
4561 * Test we can handle a KeyUpdate (update requested) message while write data
4562 * is pending.
4563 * Test 0: Client sends KeyUpdate while Server is writing
4564 * Test 1: Server sends KeyUpdate while Client is writing
4565 */
test_key_update_in_write(int tst)4566 static int test_key_update_in_write(int tst)
4567 {
4568 SSL_CTX *cctx = NULL, *sctx = NULL;
4569 SSL *clientssl = NULL, *serverssl = NULL;
4570 int testresult = 0;
4571 char buf[20];
4572 static char *mess = "A test message";
4573 BIO *bretry = BIO_new(bio_s_always_retry());
4574 BIO *tmp = NULL;
4575 SSL *peerupdate = NULL, *peerwrite = NULL;
4576
4577 if (!TEST_ptr(bretry)
4578 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4579 TLS_client_method(),
4580 TLS1_3_VERSION,
4581 0,
4582 &sctx, &cctx, cert, privkey))
4583 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4584 NULL, NULL))
4585 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4586 SSL_ERROR_NONE)))
4587 goto end;
4588
4589 peerupdate = tst == 0 ? clientssl : serverssl;
4590 peerwrite = tst == 0 ? serverssl : clientssl;
4591
4592 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
4593 || !TEST_true(SSL_do_handshake(peerupdate)))
4594 goto end;
4595
4596 /* Swap the writing endpoint's write BIO to force a retry */
4597 tmp = SSL_get_wbio(peerwrite);
4598 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
4599 tmp = NULL;
4600 goto end;
4601 }
4602 SSL_set0_wbio(peerwrite, bretry);
4603 bretry = NULL;
4604
4605 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
4606 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
4607 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
4608 goto end;
4609
4610 /* Reinstate the original writing endpoint's write BIO */
4611 SSL_set0_wbio(peerwrite, tmp);
4612 tmp = NULL;
4613
4614 /* Now read some data - we will read the key update */
4615 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
4616 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
4617 goto end;
4618
4619 /*
4620 * Complete the write we started previously and read it from the other
4621 * endpoint
4622 */
4623 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4624 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4625 goto end;
4626
4627 /* Write more data to ensure we send the KeyUpdate message back */
4628 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
4629 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
4630 goto end;
4631
4632 testresult = 1;
4633
4634 end:
4635 SSL_free(serverssl);
4636 SSL_free(clientssl);
4637 SSL_CTX_free(sctx);
4638 SSL_CTX_free(cctx);
4639 BIO_free(bretry);
4640 BIO_free(tmp);
4641
4642 return testresult;
4643 }
4644 #endif /* OPENSSL_NO_TLS1_3 */
4645
test_ssl_clear(int idx)4646 static int test_ssl_clear(int idx)
4647 {
4648 SSL_CTX *cctx = NULL, *sctx = NULL;
4649 SSL *clientssl = NULL, *serverssl = NULL;
4650 int testresult = 0;
4651
4652 #ifdef OPENSSL_NO_TLS1_2
4653 if (idx == 1)
4654 return 1;
4655 #endif
4656
4657 /* Create an initial connection */
4658 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4659 TLS1_VERSION, TLS_MAX_VERSION,
4660 &sctx, &cctx, cert, privkey))
4661 || (idx == 1
4662 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4663 TLS1_2_VERSION)))
4664 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4665 &clientssl, NULL, NULL))
4666 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4667 SSL_ERROR_NONE)))
4668 goto end;
4669
4670 SSL_shutdown(clientssl);
4671 SSL_shutdown(serverssl);
4672 SSL_free(serverssl);
4673 serverssl = NULL;
4674
4675 /* Clear clientssl - we're going to reuse the object */
4676 if (!TEST_true(SSL_clear(clientssl)))
4677 goto end;
4678
4679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4680 NULL, NULL))
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4682 SSL_ERROR_NONE))
4683 || !TEST_true(SSL_session_reused(clientssl)))
4684 goto end;
4685
4686 SSL_shutdown(clientssl);
4687 SSL_shutdown(serverssl);
4688
4689 testresult = 1;
4690
4691 end:
4692 SSL_free(serverssl);
4693 SSL_free(clientssl);
4694 SSL_CTX_free(sctx);
4695 SSL_CTX_free(cctx);
4696
4697 return testresult;
4698 }
4699
4700 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)4701 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4702 {
4703 long len;
4704 unsigned char *data;
4705 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4706 unsigned int MFL_code = 0, type = 0;
4707
4708 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4709 goto end;
4710
4711 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4712 /* Skip the record header */
4713 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4714 /* Skip the handshake message header */
4715 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4716 /* Skip client version and random */
4717 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4718 + SSL3_RANDOM_SIZE))
4719 /* Skip session id */
4720 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4721 /* Skip ciphers */
4722 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4723 /* Skip compression */
4724 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4725 /* Extensions len */
4726 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4727 goto end;
4728
4729 /* Loop through all extensions */
4730 while (PACKET_remaining(&pkt2)) {
4731 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4732 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4733 goto end;
4734
4735 if (type == TLSEXT_TYPE_max_fragment_length) {
4736 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4737 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4738 goto end;
4739
4740 *mfl_codemfl_code = MFL_code;
4741 return 1;
4742 }
4743 }
4744
4745 end:
4746 return 0;
4747 }
4748
4749 /* Maximum-Fragment-Length TLS extension mode to test */
4750 static const unsigned char max_fragment_len_test[] = {
4751 TLSEXT_max_fragment_length_512,
4752 TLSEXT_max_fragment_length_1024,
4753 TLSEXT_max_fragment_length_2048,
4754 TLSEXT_max_fragment_length_4096
4755 };
4756
test_max_fragment_len_ext(int idx_tst)4757 static int test_max_fragment_len_ext(int idx_tst)
4758 {
4759 SSL_CTX *ctx;
4760 SSL *con = NULL;
4761 int testresult = 0, MFL_mode = 0;
4762 BIO *rbio, *wbio;
4763
4764 ctx = SSL_CTX_new(TLS_method());
4765 if (!TEST_ptr(ctx))
4766 goto end;
4767
4768 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4769 ctx, max_fragment_len_test[idx_tst])))
4770 goto end;
4771
4772 con = SSL_new(ctx);
4773 if (!TEST_ptr(con))
4774 goto end;
4775
4776 rbio = BIO_new(BIO_s_mem());
4777 wbio = BIO_new(BIO_s_mem());
4778 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4779 BIO_free(rbio);
4780 BIO_free(wbio);
4781 goto end;
4782 }
4783
4784 SSL_set_bio(con, rbio, wbio);
4785 SSL_set_connect_state(con);
4786
4787 if (!TEST_int_le(SSL_connect(con), 0)) {
4788 /* This shouldn't succeed because we don't have a server! */
4789 goto end;
4790 }
4791
4792 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4793 /* no MFL in client hello */
4794 goto end;
4795 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4796 goto end;
4797
4798 testresult = 1;
4799
4800 end:
4801 SSL_free(con);
4802 SSL_CTX_free(ctx);
4803
4804 return testresult;
4805 }
4806
4807 #ifndef OPENSSL_NO_TLS1_3
test_pha_key_update(void)4808 static int test_pha_key_update(void)
4809 {
4810 SSL_CTX *cctx = NULL, *sctx = NULL;
4811 SSL *clientssl = NULL, *serverssl = NULL;
4812 int testresult = 0;
4813
4814 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4815 TLS1_VERSION, TLS_MAX_VERSION,
4816 &sctx, &cctx, cert, privkey)))
4817 return 0;
4818
4819 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4820 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4821 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4822 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4823 goto end;
4824
4825 SSL_CTX_set_post_handshake_auth(cctx, 1);
4826
4827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4828 NULL, NULL)))
4829 goto end;
4830
4831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4832 SSL_ERROR_NONE)))
4833 goto end;
4834
4835 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4836 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4837 goto end;
4838
4839 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4840 goto end;
4841
4842 /* Start handshake on the server */
4843 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4844 goto end;
4845
4846 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4847 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4848 SSL_ERROR_NONE)))
4849 goto end;
4850
4851 SSL_shutdown(clientssl);
4852 SSL_shutdown(serverssl);
4853
4854 testresult = 1;
4855
4856 end:
4857 SSL_free(serverssl);
4858 SSL_free(clientssl);
4859 SSL_CTX_free(sctx);
4860 SSL_CTX_free(cctx);
4861 return testresult;
4862 }
4863 #endif
4864
4865 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4866
4867 static SRP_VBASE *vbase = NULL;
4868
ssl_srp_cb(SSL * s,int * ad,void * arg)4869 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4870 {
4871 int ret = SSL3_AL_FATAL;
4872 char *username;
4873 SRP_user_pwd *user = NULL;
4874
4875 username = SSL_get_srp_username(s);
4876 if (username == NULL) {
4877 *ad = SSL_AD_INTERNAL_ERROR;
4878 goto err;
4879 }
4880
4881 user = SRP_VBASE_get1_by_user(vbase, username);
4882 if (user == NULL) {
4883 *ad = SSL_AD_INTERNAL_ERROR;
4884 goto err;
4885 }
4886
4887 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4888 user->info) <= 0) {
4889 *ad = SSL_AD_INTERNAL_ERROR;
4890 goto err;
4891 }
4892
4893 ret = 0;
4894
4895 err:
4896 SRP_user_pwd_free(user);
4897 return ret;
4898 }
4899
create_new_vfile(char * userid,char * password,const char * filename)4900 static int create_new_vfile(char *userid, char *password, const char *filename)
4901 {
4902 char *gNid = NULL;
4903 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4904 TXT_DB *db = NULL;
4905 int ret = 0;
4906 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4907 size_t i;
4908
4909 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4910 goto end;
4911
4912 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4913 &row[DB_srpverifier], NULL, NULL);
4914 if (!TEST_ptr(gNid))
4915 goto end;
4916
4917 /*
4918 * The only way to create an empty TXT_DB is to provide a BIO with no data
4919 * in it!
4920 */
4921 db = TXT_DB_read(dummy, DB_NUMBER);
4922 if (!TEST_ptr(db))
4923 goto end;
4924
4925 out = BIO_new_file(filename, "w");
4926 if (!TEST_ptr(out))
4927 goto end;
4928
4929 row[DB_srpid] = OPENSSL_strdup(userid);
4930 row[DB_srptype] = OPENSSL_strdup("V");
4931 row[DB_srpgN] = OPENSSL_strdup(gNid);
4932
4933 if (!TEST_ptr(row[DB_srpid])
4934 || !TEST_ptr(row[DB_srptype])
4935 || !TEST_ptr(row[DB_srpgN])
4936 || !TEST_true(TXT_DB_insert(db, row)))
4937 goto end;
4938
4939 row = NULL;
4940
4941 if (!TXT_DB_write(out, db))
4942 goto end;
4943
4944 ret = 1;
4945 end:
4946 if (row != NULL) {
4947 for (i = 0; i < DB_NUMBER; i++)
4948 OPENSSL_free(row[i]);
4949 }
4950 OPENSSL_free(row);
4951 BIO_free(dummy);
4952 BIO_free(out);
4953 TXT_DB_free(db);
4954
4955 return ret;
4956 }
4957
create_new_vbase(char * userid,char * password)4958 static int create_new_vbase(char *userid, char *password)
4959 {
4960 BIGNUM *verifier = NULL, *salt = NULL;
4961 const SRP_gN *lgN = NULL;
4962 SRP_user_pwd *user_pwd = NULL;
4963 int ret = 0;
4964
4965 lgN = SRP_get_default_gN(NULL);
4966 if (!TEST_ptr(lgN))
4967 goto end;
4968
4969 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4970 lgN->N, lgN->g)))
4971 goto end;
4972
4973 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4974 if (!TEST_ptr(user_pwd))
4975 goto end;
4976
4977 user_pwd->N = lgN->N;
4978 user_pwd->g = lgN->g;
4979 user_pwd->id = OPENSSL_strdup(userid);
4980 if (!TEST_ptr(user_pwd->id))
4981 goto end;
4982
4983 user_pwd->v = verifier;
4984 user_pwd->s = salt;
4985 verifier = salt = NULL;
4986
4987 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4988 goto end;
4989 user_pwd = NULL;
4990
4991 ret = 1;
4992 end:
4993 SRP_user_pwd_free(user_pwd);
4994 BN_free(salt);
4995 BN_free(verifier);
4996
4997 return ret;
4998 }
4999
5000 /*
5001 * SRP tests
5002 *
5003 * Test 0: Simple successful SRP connection, new vbase
5004 * Test 1: Connection failure due to bad password, new vbase
5005 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5006 * Test 3: Connection failure due to bad password, vbase loaded from existing
5007 * file
5008 * Test 4: Simple successful SRP connection, vbase loaded from new file
5009 * Test 5: Connection failure due to bad password, vbase loaded from new file
5010 */
test_srp(int tst)5011 static int test_srp(int tst)
5012 {
5013 char *userid = "test", *password = "password", *tstsrpfile;
5014 SSL_CTX *cctx = NULL, *sctx = NULL;
5015 SSL *clientssl = NULL, *serverssl = NULL;
5016 int ret, testresult = 0;
5017
5018 vbase = SRP_VBASE_new(NULL);
5019 if (!TEST_ptr(vbase))
5020 goto end;
5021
5022 if (tst == 0 || tst == 1) {
5023 if (!TEST_true(create_new_vbase(userid, password)))
5024 goto end;
5025 } else {
5026 if (tst == 4 || tst == 5) {
5027 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5028 goto end;
5029 tstsrpfile = tmpfilename;
5030 } else {
5031 tstsrpfile = srpvfile;
5032 }
5033 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5034 goto end;
5035 }
5036
5037 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5038 TLS1_VERSION, TLS_MAX_VERSION,
5039 &sctx, &cctx, cert, privkey)))
5040 goto end;
5041
5042 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5043 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5044 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5045 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5046 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5047 goto end;
5048
5049 if (tst % 2 == 1) {
5050 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5051 goto end;
5052 } else {
5053 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5054 goto end;
5055 }
5056
5057 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5058 NULL, NULL)))
5059 goto end;
5060
5061 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5062 if (ret) {
5063 if (!TEST_true(tst % 2 == 0))
5064 goto end;
5065 } else {
5066 if (!TEST_true(tst % 2 == 1))
5067 goto end;
5068 }
5069
5070 testresult = 1;
5071
5072 end:
5073 SRP_VBASE_free(vbase);
5074 vbase = NULL;
5075 SSL_free(serverssl);
5076 SSL_free(clientssl);
5077 SSL_CTX_free(sctx);
5078 SSL_CTX_free(cctx);
5079
5080 return testresult;
5081 }
5082 #endif
5083
5084 static int info_cb_failed = 0;
5085 static int info_cb_offset = 0;
5086 static int info_cb_this_state = -1;
5087
5088 static struct info_cb_states_st {
5089 int where;
5090 const char *statestr;
5091 } info_cb_states[][60] = {
5092 {
5093 /* TLSv1.2 server followed by resumption */
5094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5095 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5096 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5097 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5098 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5099 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5100 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5101 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5102 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5103 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5104 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5105 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5106 {SSL_CB_EXIT, NULL}, {0, NULL},
5107 }, {
5108 /* TLSv1.2 client followed by resumption */
5109 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5110 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5111 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5112 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5113 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5114 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5115 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5116 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5117 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5118 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5119 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5120 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5121 }, {
5122 /* TLSv1.3 server followed by resumption */
5123 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5124 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5125 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5126 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5127 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5128 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5129 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5130 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5131 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5132 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5133 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5134 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5135 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5136 }, {
5137 /* TLSv1.3 client followed by resumption */
5138 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5139 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5140 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5141 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5142 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5143 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5144 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5145 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5146 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5147 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5148 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5149 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5150 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5151 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5152 {SSL_CB_EXIT, NULL}, {0, NULL},
5153 }, {
5154 /* TLSv1.3 server, early_data */
5155 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5156 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5157 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5158 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5159 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5160 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5161 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5162 {SSL_CB_EXIT, NULL}, {0, NULL},
5163 }, {
5164 /* TLSv1.3 client, early_data */
5165 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5166 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5167 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5168 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5169 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5170 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5171 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5172 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5173 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5174 }, {
5175 {0, NULL},
5176 }
5177 };
5178
sslapi_info_callback(const SSL * s,int where,int ret)5179 static void sslapi_info_callback(const SSL *s, int where, int ret)
5180 {
5181 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5182
5183 /* We do not ever expect a connection to fail in this test */
5184 if (!TEST_false(ret == 0)) {
5185 info_cb_failed = 1;
5186 return;
5187 }
5188
5189 /*
5190 * Do some sanity checks. We never expect these things to happen in this
5191 * test
5192 */
5193 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5194 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5195 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5196 info_cb_failed = 1;
5197 return;
5198 }
5199
5200 /* Now check we're in the right state */
5201 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5202 info_cb_failed = 1;
5203 return;
5204 }
5205 if ((where & SSL_CB_LOOP) != 0
5206 && !TEST_int_eq(strcmp(SSL_state_string(s),
5207 state[info_cb_this_state].statestr), 0)) {
5208 info_cb_failed = 1;
5209 return;
5210 }
5211
5212 /*
5213 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5214 */
5215 if ((where & SSL_CB_HANDSHAKE_DONE)
5216 && SSL_in_init((SSL *)s) != 0) {
5217 info_cb_failed = 1;
5218 return;
5219 }
5220 }
5221
5222 /*
5223 * Test the info callback gets called when we expect it to.
5224 *
5225 * Test 0: TLSv1.2, server
5226 * Test 1: TLSv1.2, client
5227 * Test 2: TLSv1.3, server
5228 * Test 3: TLSv1.3, client
5229 * Test 4: TLSv1.3, server, early_data
5230 * Test 5: TLSv1.3, client, early_data
5231 */
test_info_callback(int tst)5232 static int test_info_callback(int tst)
5233 {
5234 SSL_CTX *cctx = NULL, *sctx = NULL;
5235 SSL *clientssl = NULL, *serverssl = NULL;
5236 SSL_SESSION *clntsess = NULL;
5237 int testresult = 0;
5238 int tlsvers;
5239
5240 if (tst < 2) {
5241 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5242 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5243 || !defined(OPENSSL_NO_DH))
5244 tlsvers = TLS1_2_VERSION;
5245 #else
5246 return 1;
5247 #endif
5248 } else {
5249 #ifndef OPENSSL_NO_TLS1_3
5250 tlsvers = TLS1_3_VERSION;
5251 #else
5252 return 1;
5253 #endif
5254 }
5255
5256 /* Reset globals */
5257 info_cb_failed = 0;
5258 info_cb_this_state = -1;
5259 info_cb_offset = tst;
5260
5261 #ifndef OPENSSL_NO_TLS1_3
5262 if (tst >= 4) {
5263 SSL_SESSION *sess = NULL;
5264 size_t written, readbytes;
5265 unsigned char buf[80];
5266
5267 /* early_data tests */
5268 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5269 &serverssl, &sess, 0)))
5270 goto end;
5271
5272 /* We don't actually need this reference */
5273 SSL_SESSION_free(sess);
5274
5275 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5276 sslapi_info_callback);
5277
5278 /* Write and read some early data and then complete the connection */
5279 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5280 &written))
5281 || !TEST_size_t_eq(written, strlen(MSG1))
5282 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5283 sizeof(buf), &readbytes),
5284 SSL_READ_EARLY_DATA_SUCCESS)
5285 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5286 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5287 SSL_EARLY_DATA_ACCEPTED)
5288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5289 SSL_ERROR_NONE))
5290 || !TEST_false(info_cb_failed))
5291 goto end;
5292
5293 testresult = 1;
5294 goto end;
5295 }
5296 #endif
5297
5298 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5299 TLS_client_method(),
5300 tlsvers, tlsvers, &sctx, &cctx, cert,
5301 privkey)))
5302 goto end;
5303
5304 /*
5305 * For even numbered tests we check the server callbacks. For odd numbers we
5306 * check the client.
5307 */
5308 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5309 sslapi_info_callback);
5310
5311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5312 &clientssl, NULL, NULL))
5313 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5314 SSL_ERROR_NONE))
5315 || !TEST_false(info_cb_failed))
5316 goto end;
5317
5318
5319
5320 clntsess = SSL_get1_session(clientssl);
5321 SSL_shutdown(clientssl);
5322 SSL_shutdown(serverssl);
5323 SSL_free(serverssl);
5324 SSL_free(clientssl);
5325 serverssl = clientssl = NULL;
5326
5327 /* Now do a resumption */
5328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5329 NULL))
5330 || !TEST_true(SSL_set_session(clientssl, clntsess))
5331 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5332 SSL_ERROR_NONE))
5333 || !TEST_true(SSL_session_reused(clientssl))
5334 || !TEST_false(info_cb_failed))
5335 goto end;
5336
5337 testresult = 1;
5338
5339 end:
5340 SSL_free(serverssl);
5341 SSL_free(clientssl);
5342 SSL_SESSION_free(clntsess);
5343 SSL_CTX_free(sctx);
5344 SSL_CTX_free(cctx);
5345 return testresult;
5346 }
5347
test_ssl_pending(int tst)5348 static int test_ssl_pending(int tst)
5349 {
5350 SSL_CTX *cctx = NULL, *sctx = NULL;
5351 SSL *clientssl = NULL, *serverssl = NULL;
5352 int testresult = 0;
5353 char msg[] = "A test message";
5354 char buf[5];
5355 size_t written, readbytes;
5356
5357 if (tst == 0) {
5358 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5359 TLS_client_method(),
5360 TLS1_VERSION, TLS_MAX_VERSION,
5361 &sctx, &cctx, cert, privkey)))
5362 goto end;
5363 } else {
5364 #ifndef OPENSSL_NO_DTLS
5365 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5366 DTLS_client_method(),
5367 DTLS1_VERSION, DTLS_MAX_VERSION,
5368 &sctx, &cctx, cert, privkey)))
5369 goto end;
5370 #else
5371 return 1;
5372 #endif
5373 }
5374
5375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5376 NULL, NULL))
5377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5378 SSL_ERROR_NONE)))
5379 goto end;
5380
5381 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5382 || !TEST_false(SSL_has_pending(clientssl))
5383 || !TEST_int_eq(SSL_pending(serverssl), 0)
5384 || !TEST_false(SSL_has_pending(serverssl))
5385 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5386 || !TEST_size_t_eq(written, sizeof(msg))
5387 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5388 || !TEST_size_t_eq(readbytes, sizeof(buf))
5389 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5390 || !TEST_true(SSL_has_pending(clientssl)))
5391 goto end;
5392
5393 testresult = 1;
5394
5395 end:
5396 SSL_free(serverssl);
5397 SSL_free(clientssl);
5398 SSL_CTX_free(sctx);
5399 SSL_CTX_free(cctx);
5400
5401 return testresult;
5402 }
5403
5404 static struct {
5405 unsigned int maxprot;
5406 const char *clntciphers;
5407 const char *clnttls13ciphers;
5408 const char *srvrciphers;
5409 const char *srvrtls13ciphers;
5410 const char *shared;
5411 } shared_ciphers_data[] = {
5412 /*
5413 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5414 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5415 */
5416 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5417 {
5418 TLS1_2_VERSION,
5419 "AES128-SHA:AES256-SHA",
5420 NULL,
5421 "AES256-SHA:DHE-RSA-AES128-SHA",
5422 NULL,
5423 "AES256-SHA"
5424 },
5425 {
5426 TLS1_2_VERSION,
5427 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5428 NULL,
5429 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5430 NULL,
5431 "AES128-SHA:AES256-SHA"
5432 },
5433 {
5434 TLS1_2_VERSION,
5435 "AES128-SHA:AES256-SHA",
5436 NULL,
5437 "AES128-SHA:DHE-RSA-AES128-SHA",
5438 NULL,
5439 "AES128-SHA"
5440 },
5441 #endif
5442 /*
5443 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5444 * enabled.
5445 */
5446 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5447 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5448 {
5449 TLS1_3_VERSION,
5450 "AES128-SHA:AES256-SHA",
5451 NULL,
5452 "AES256-SHA:AES128-SHA256",
5453 NULL,
5454 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5455 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5456 },
5457 #endif
5458 #ifndef OPENSSL_NO_TLS1_3
5459 {
5460 TLS1_3_VERSION,
5461 "AES128-SHA",
5462 "TLS_AES_256_GCM_SHA384",
5463 "AES256-SHA",
5464 "TLS_AES_256_GCM_SHA384",
5465 "TLS_AES_256_GCM_SHA384"
5466 },
5467 #endif
5468 };
5469
test_ssl_get_shared_ciphers(int tst)5470 static int test_ssl_get_shared_ciphers(int tst)
5471 {
5472 SSL_CTX *cctx = NULL, *sctx = NULL;
5473 SSL *clientssl = NULL, *serverssl = NULL;
5474 int testresult = 0;
5475 char buf[1024];
5476
5477 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5478 TLS_client_method(),
5479 TLS1_VERSION,
5480 shared_ciphers_data[tst].maxprot,
5481 &sctx, &cctx, cert, privkey)))
5482 goto end;
5483
5484 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5485 shared_ciphers_data[tst].clntciphers))
5486 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5487 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5488 shared_ciphers_data[tst].clnttls13ciphers)))
5489 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5490 shared_ciphers_data[tst].srvrciphers))
5491 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5492 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5493 shared_ciphers_data[tst].srvrtls13ciphers))))
5494 goto end;
5495
5496
5497 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5498 NULL, NULL))
5499 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5500 SSL_ERROR_NONE)))
5501 goto end;
5502
5503 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5504 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5505 TEST_info("Shared ciphers are: %s\n", buf);
5506 goto end;
5507 }
5508
5509 testresult = 1;
5510
5511 end:
5512 SSL_free(serverssl);
5513 SSL_free(clientssl);
5514 SSL_CTX_free(sctx);
5515 SSL_CTX_free(cctx);
5516
5517 return testresult;
5518 }
5519
5520 static const char *appdata = "Hello World";
5521 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5522 static int tick_key_renew = 0;
5523 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5524
gen_tick_cb(SSL * s,void * arg)5525 static int gen_tick_cb(SSL *s, void *arg)
5526 {
5527 gen_tick_called = 1;
5528
5529 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5530 strlen(appdata));
5531 }
5532
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)5533 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5534 const unsigned char *keyname,
5535 size_t keyname_length,
5536 SSL_TICKET_STATUS status,
5537 void *arg)
5538 {
5539 void *tickdata;
5540 size_t tickdlen;
5541
5542 dec_tick_called = 1;
5543
5544 if (status == SSL_TICKET_EMPTY)
5545 return SSL_TICKET_RETURN_IGNORE_RENEW;
5546
5547 if (!TEST_true(status == SSL_TICKET_SUCCESS
5548 || status == SSL_TICKET_SUCCESS_RENEW))
5549 return SSL_TICKET_RETURN_ABORT;
5550
5551 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5552 &tickdlen))
5553 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5554 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
5555 return SSL_TICKET_RETURN_ABORT;
5556
5557 if (tick_key_cb_called) {
5558 /* Don't change what the ticket key callback wanted to do */
5559 switch (status) {
5560 case SSL_TICKET_NO_DECRYPT:
5561 return SSL_TICKET_RETURN_IGNORE_RENEW;
5562
5563 case SSL_TICKET_SUCCESS:
5564 return SSL_TICKET_RETURN_USE;
5565
5566 case SSL_TICKET_SUCCESS_RENEW:
5567 return SSL_TICKET_RETURN_USE_RENEW;
5568
5569 default:
5570 return SSL_TICKET_RETURN_ABORT;
5571 }
5572 }
5573 return tick_dec_ret;
5574
5575 }
5576
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)5577 static int tick_key_cb(SSL *s, unsigned char key_name[16],
5578 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5579 HMAC_CTX *hctx, int enc)
5580 {
5581 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5582 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5583
5584 tick_key_cb_called = 1;
5585 memset(iv, 0, AES_BLOCK_SIZE);
5586 memset(key_name, 0, 16);
5587 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5588 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5589 EVP_sha256(), NULL))
5590 return -1;
5591
5592 return tick_key_renew ? 2 : 1;
5593 }
5594
5595 /*
5596 * Test the various ticket callbacks
5597 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5598 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5599 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5600 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5601 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5602 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5603 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5604 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5605 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5606 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5607 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5608 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
5609 */
test_ticket_callbacks(int tst)5610 static int test_ticket_callbacks(int tst)
5611 {
5612 SSL_CTX *cctx = NULL, *sctx = NULL;
5613 SSL *clientssl = NULL, *serverssl = NULL;
5614 SSL_SESSION *clntsess = NULL;
5615 int testresult = 0;
5616
5617 #ifdef OPENSSL_NO_TLS1_2
5618 if (tst % 2 == 0)
5619 return 1;
5620 #endif
5621 #ifdef OPENSSL_NO_TLS1_3
5622 if (tst % 2 == 1)
5623 return 1;
5624 #endif
5625
5626 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
5627
5628 /* Which tests the ticket key callback should request renewal for */
5629 if (tst == 10 || tst == 11)
5630 tick_key_renew = 1;
5631 else
5632 tick_key_renew = 0;
5633
5634 /* Which tests the decrypt ticket callback should request renewal for */
5635 switch (tst) {
5636 case 0:
5637 case 1:
5638 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5639 break;
5640
5641 case 2:
5642 case 3:
5643 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5644 break;
5645
5646 case 4:
5647 case 5:
5648 tick_dec_ret = SSL_TICKET_RETURN_USE;
5649 break;
5650
5651 case 6:
5652 case 7:
5653 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5654 break;
5655
5656 default:
5657 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5658 }
5659
5660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5661 TLS_client_method(),
5662 TLS1_VERSION,
5663 ((tst % 2) == 0) ? TLS1_2_VERSION
5664 : TLS1_3_VERSION,
5665 &sctx, &cctx, cert, privkey)))
5666 goto end;
5667
5668 /*
5669 * We only want sessions to resume from tickets - not the session cache. So
5670 * switch the cache off.
5671 */
5672 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5673 goto end;
5674
5675 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5676 NULL)))
5677 goto end;
5678
5679 if (tst >= 8
5680 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5681 goto end;
5682
5683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5684 NULL, NULL))
5685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5686 SSL_ERROR_NONE)))
5687 goto end;
5688
5689 /*
5690 * The decrypt ticket key callback in TLSv1.2 should be called even though
5691 * we have no ticket yet, because it gets called with a status of
5692 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5693 * actually send any ticket data). This does not happen in TLSv1.3 because
5694 * it is not valid to send empty ticket data in TLSv1.3.
5695 */
5696 if (!TEST_int_eq(gen_tick_called, 1)
5697 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
5698 goto end;
5699
5700 gen_tick_called = dec_tick_called = 0;
5701
5702 clntsess = SSL_get1_session(clientssl);
5703 SSL_shutdown(clientssl);
5704 SSL_shutdown(serverssl);
5705 SSL_free(serverssl);
5706 SSL_free(clientssl);
5707 serverssl = clientssl = NULL;
5708
5709 /* Now do a resumption */
5710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5711 NULL))
5712 || !TEST_true(SSL_set_session(clientssl, clntsess))
5713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5714 SSL_ERROR_NONE)))
5715 goto end;
5716
5717 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5718 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5719 if (!TEST_false(SSL_session_reused(clientssl)))
5720 goto end;
5721 } else {
5722 if (!TEST_true(SSL_session_reused(clientssl)))
5723 goto end;
5724 }
5725
5726 if (!TEST_int_eq(gen_tick_called,
5727 (tick_key_renew
5728 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5729 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5730 ? 1 : 0)
5731 || !TEST_int_eq(dec_tick_called, 1))
5732 goto end;
5733
5734 testresult = 1;
5735
5736 end:
5737 SSL_SESSION_free(clntsess);
5738 SSL_free(serverssl);
5739 SSL_free(clientssl);
5740 SSL_CTX_free(sctx);
5741 SSL_CTX_free(cctx);
5742
5743 return testresult;
5744 }
5745
5746 /*
5747 * Test bi-directional shutdown.
5748 * Test 0: TLSv1.2
5749 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5750 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5751 * Test 3: TLSv1.3, pending NewSessionTicket messages
5752 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5753 * sends key update, client reads it
5754 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5755 * sends CertificateRequest, client reads and ignores it
5756 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
5757 * doesn't read it
5758 */
test_shutdown(int tst)5759 static int test_shutdown(int tst)
5760 {
5761 SSL_CTX *cctx = NULL, *sctx = NULL;
5762 SSL *clientssl = NULL, *serverssl = NULL;
5763 int testresult = 0;
5764 char msg[] = "A test message";
5765 char buf[80];
5766 size_t written, readbytes;
5767 SSL_SESSION *sess;
5768
5769 #ifdef OPENSSL_NO_TLS1_2
5770 if (tst <= 1)
5771 return 1;
5772 #endif
5773 #ifdef OPENSSL_NO_TLS1_3
5774 if (tst >= 2)
5775 return 1;
5776 #endif
5777
5778 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5779 TLS_client_method(),
5780 TLS1_VERSION,
5781 (tst <= 1) ? TLS1_2_VERSION
5782 : TLS1_3_VERSION,
5783 &sctx, &cctx, cert, privkey)))
5784 goto end;
5785
5786 if (tst == 5)
5787 SSL_CTX_set_post_handshake_auth(cctx, 1);
5788
5789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5790 NULL, NULL)))
5791 goto end;
5792
5793 if (tst == 3) {
5794 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5795 SSL_ERROR_NONE, 1))
5796 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5797 || !TEST_false(SSL_SESSION_is_resumable(sess)))
5798 goto end;
5799 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5800 SSL_ERROR_NONE))
5801 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5802 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
5803 goto end;
5804 }
5805
5806 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5807 goto end;
5808
5809 if (tst >= 4) {
5810 /*
5811 * Reading on the server after the client has sent close_notify should
5812 * fail and provide SSL_ERROR_ZERO_RETURN
5813 */
5814 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5815 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5816 SSL_ERROR_ZERO_RETURN)
5817 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5818 SSL_RECEIVED_SHUTDOWN)
5819 /*
5820 * Even though we're shutdown on receive we should still be
5821 * able to write.
5822 */
5823 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5824 goto end;
5825 if (tst == 4
5826 && !TEST_true(SSL_key_update(serverssl,
5827 SSL_KEY_UPDATE_REQUESTED)))
5828 goto end;
5829 if (tst == 5) {
5830 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5831 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5832 goto end;
5833 }
5834 if ((tst == 4 || tst == 5)
5835 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5836 goto end;
5837 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
5838 goto end;
5839 if (tst == 4 || tst == 5) {
5840 /* Should still be able to read data from server */
5841 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5842 &readbytes))
5843 || !TEST_size_t_eq(readbytes, sizeof(msg))
5844 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5845 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5846 &readbytes))
5847 || !TEST_size_t_eq(readbytes, sizeof(msg))
5848 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5849 goto end;
5850 }
5851 }
5852
5853 /* Writing on the client after sending close_notify shouldn't be possible */
5854 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
5855 goto end;
5856
5857 if (tst < 4) {
5858 /*
5859 * For these tests the client has sent close_notify but it has not yet
5860 * been received by the server. The server has not sent close_notify
5861 * yet.
5862 */
5863 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
5864 /*
5865 * Writing on the server after sending close_notify shouldn't
5866 * be possible.
5867 */
5868 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5869 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5870 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5871 || !TEST_true(SSL_SESSION_is_resumable(sess))
5872 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5873 goto end;
5874 } else if (tst == 4 || tst == 5) {
5875 /*
5876 * In this test the client has sent close_notify and it has been
5877 * received by the server which has responded with a close_notify. The
5878 * client needs to read the close_notify sent by the server.
5879 */
5880 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5881 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5882 || !TEST_true(SSL_SESSION_is_resumable(sess)))
5883 goto end;
5884 } else {
5885 /*
5886 * tst == 6
5887 *
5888 * The client has sent close_notify and is expecting a close_notify
5889 * back, but instead there is application data first. The shutdown
5890 * should fail with a fatal error.
5891 */
5892 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5893 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5894 goto end;
5895 }
5896
5897 testresult = 1;
5898
5899 end:
5900 SSL_free(serverssl);
5901 SSL_free(clientssl);
5902 SSL_CTX_free(sctx);
5903 SSL_CTX_free(cctx);
5904
5905 return testresult;
5906 }
5907
5908 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5909 static int cert_cb_cnt;
5910
cert_cb(SSL * s,void * arg)5911 static int cert_cb(SSL *s, void *arg)
5912 {
5913 SSL_CTX *ctx = (SSL_CTX *)arg;
5914 BIO *in = NULL;
5915 EVP_PKEY *pkey = NULL;
5916 X509 *x509 = NULL, *rootx = NULL;
5917 STACK_OF(X509) *chain = NULL;
5918 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
5919 int ret = 0;
5920
5921 if (cert_cb_cnt == 0) {
5922 /* Suspend the handshake */
5923 cert_cb_cnt++;
5924 return -1;
5925 } else if (cert_cb_cnt == 1) {
5926 /*
5927 * Update the SSL_CTX, set the certificate and private key and then
5928 * continue the handshake normally.
5929 */
5930 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5931 return 0;
5932
5933 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5934 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5935 SSL_FILETYPE_PEM))
5936 || !TEST_true(SSL_check_private_key(s)))
5937 return 0;
5938 cert_cb_cnt++;
5939 return 1;
5940 } else if (cert_cb_cnt == 3) {
5941 int rv;
5942
5943 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
5944 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
5945 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
5946 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
5947 goto out;
5948 chain = sk_X509_new_null();
5949 if (!TEST_ptr(chain))
5950 goto out;
5951 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5952 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
5953 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
5954 || !TEST_true(sk_X509_push(chain, rootx)))
5955 goto out;
5956 rootx = NULL;
5957 BIO_free(in);
5958 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5959 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
5960 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
5961 goto out;
5962 BIO_free(in);
5963 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
5964 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5965 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
5966 goto out;
5967 rv = SSL_check_chain(s, x509, pkey, chain);
5968 /*
5969 * If the cert doesn't show as valid here (e.g., because we don't
5970 * have any shared sigalgs), then we will not set it, and there will
5971 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
5972 * will cause tls_choose_sigalgs() to fail the connection.
5973 */
5974 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
5975 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
5976 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
5977 goto out;
5978 }
5979
5980 ret = 1;
5981 }
5982
5983 /* Abort the handshake */
5984 out:
5985 OPENSSL_free(ecdsacert);
5986 OPENSSL_free(ecdsakey);
5987 OPENSSL_free(rootfile);
5988 BIO_free(in);
5989 EVP_PKEY_free(pkey);
5990 X509_free(x509);
5991 X509_free(rootx);
5992 sk_X509_pop_free(chain, X509_free);
5993 return ret;
5994 }
5995
5996 /*
5997 * Test the certificate callback.
5998 * Test 0: Callback fails
5999 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6000 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6001 * Test 3: Success - Call SSL_check_chain from the callback
6002 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6003 * chain
6004 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6005 */
test_cert_cb_int(int prot,int tst)6006 static int test_cert_cb_int(int prot, int tst)
6007 {
6008 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 int testresult = 0, ret;
6011
6012 #ifdef OPENSSL_NO_EC
6013 /* We use an EC cert in these tests, so we skip in a no-ec build */
6014 if (tst >= 3)
6015 return 1;
6016 #endif
6017
6018 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6019 TLS_client_method(),
6020 TLS1_VERSION,
6021 prot,
6022 &sctx, &cctx, NULL, NULL)))
6023 goto end;
6024
6025 if (tst == 0)
6026 cert_cb_cnt = -1;
6027 else if (tst >= 3)
6028 cert_cb_cnt = 3;
6029 else
6030 cert_cb_cnt = 0;
6031
6032 if (tst == 2)
6033 snictx = SSL_CTX_new(TLS_server_method());
6034 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6035
6036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6037 NULL, NULL)))
6038 goto end;
6039
6040 if (tst == 4) {
6041 /*
6042 * We cause SSL_check_chain() to fail by specifying sig_algs that
6043 * the chain doesn't meet (the root uses an RSA cert)
6044 */
6045 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6046 "ecdsa_secp256r1_sha256")))
6047 goto end;
6048 } else if (tst == 5) {
6049 /*
6050 * We cause SSL_check_chain() to fail by specifying sig_algs that
6051 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6052 */
6053 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6054 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6055 goto end;
6056 }
6057
6058 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6059 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6060 || (tst > 0
6061 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6062 goto end;
6063 }
6064
6065 testresult = 1;
6066
6067 end:
6068 SSL_free(serverssl);
6069 SSL_free(clientssl);
6070 SSL_CTX_free(sctx);
6071 SSL_CTX_free(cctx);
6072 SSL_CTX_free(snictx);
6073
6074 return testresult;
6075 }
6076 #endif
6077
test_cert_cb(int tst)6078 static int test_cert_cb(int tst)
6079 {
6080 int testresult = 1;
6081
6082 #ifndef OPENSSL_NO_TLS1_2
6083 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6084 #endif
6085 #ifndef OPENSSL_NO_TLS1_3
6086 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6087 #endif
6088
6089 return testresult;
6090 }
6091
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)6092 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6093 {
6094 X509 *xcert, *peer;
6095 EVP_PKEY *privpkey;
6096 BIO *in = NULL;
6097
6098 /* Check that SSL_get_peer_certificate() returns something sensible */
6099 peer = SSL_get_peer_certificate(ssl);
6100 if (!TEST_ptr(peer))
6101 return 0;
6102 X509_free(peer);
6103
6104 in = BIO_new_file(cert, "r");
6105 if (!TEST_ptr(in))
6106 return 0;
6107
6108 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6109 BIO_free(in);
6110 if (!TEST_ptr(xcert))
6111 return 0;
6112
6113 in = BIO_new_file(privkey, "r");
6114 if (!TEST_ptr(in)) {
6115 X509_free(xcert);
6116 return 0;
6117 }
6118
6119 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6120 BIO_free(in);
6121 if (!TEST_ptr(privpkey)) {
6122 X509_free(xcert);
6123 return 0;
6124 }
6125
6126 *x509 = xcert;
6127 *pkey = privpkey;
6128
6129 return 1;
6130 }
6131
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)6132 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6133 {
6134 return 1;
6135 }
6136
test_client_cert_cb(int tst)6137 static int test_client_cert_cb(int tst)
6138 {
6139 SSL_CTX *cctx = NULL, *sctx = NULL;
6140 SSL *clientssl = NULL, *serverssl = NULL;
6141 int testresult = 0;
6142
6143 #ifdef OPENSSL_NO_TLS1_2
6144 if (tst == 0)
6145 return 1;
6146 #endif
6147 #ifdef OPENSSL_NO_TLS1_3
6148 if (tst == 1)
6149 return 1;
6150 #endif
6151
6152 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6153 TLS_client_method(),
6154 TLS1_VERSION,
6155 tst == 0 ? TLS1_2_VERSION
6156 : TLS1_3_VERSION,
6157 &sctx, &cctx, cert, privkey)))
6158 goto end;
6159
6160 /*
6161 * Test that setting a client_cert_cb results in a client certificate being
6162 * sent.
6163 */
6164 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6165 SSL_CTX_set_verify(sctx,
6166 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6167 verify_cb);
6168
6169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6170 NULL, NULL))
6171 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6172 SSL_ERROR_NONE)))
6173 goto end;
6174
6175 testresult = 1;
6176
6177 end:
6178 SSL_free(serverssl);
6179 SSL_free(clientssl);
6180 SSL_CTX_free(sctx);
6181 SSL_CTX_free(cctx);
6182
6183 return testresult;
6184 }
6185
6186 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6187 /*
6188 * Test setting certificate authorities on both client and server.
6189 *
6190 * Test 0: SSL_CTX_set0_CA_list() only
6191 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6192 * Test 2: Only SSL_CTX_set_client_CA_list()
6193 */
test_ca_names_int(int prot,int tst)6194 static int test_ca_names_int(int prot, int tst)
6195 {
6196 SSL_CTX *cctx = NULL, *sctx = NULL;
6197 SSL *clientssl = NULL, *serverssl = NULL;
6198 int testresult = 0;
6199 size_t i;
6200 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6201 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6202 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6203 const STACK_OF(X509_NAME) *sktmp = NULL;
6204
6205 for (i = 0; i < OSSL_NELEM(name); i++) {
6206 name[i] = X509_NAME_new();
6207 if (!TEST_ptr(name[i])
6208 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6209 MBSTRING_ASC,
6210 (unsigned char *)
6211 strnames[i],
6212 -1, -1, 0)))
6213 goto end;
6214 }
6215
6216 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6217 TLS_client_method(),
6218 TLS1_VERSION,
6219 prot,
6220 &sctx, &cctx, cert, privkey)))
6221 goto end;
6222
6223 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6224
6225 if (tst == 0 || tst == 1) {
6226 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6227 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6228 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6229 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6230 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6231 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6232 goto end;
6233
6234 SSL_CTX_set0_CA_list(sctx, sk1);
6235 SSL_CTX_set0_CA_list(cctx, sk2);
6236 sk1 = sk2 = NULL;
6237 }
6238 if (tst == 1 || tst == 2) {
6239 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6240 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6241 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6242 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6243 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6244 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6245 goto end;
6246
6247 SSL_CTX_set_client_CA_list(sctx, sk1);
6248 SSL_CTX_set_client_CA_list(cctx, sk2);
6249 sk1 = sk2 = NULL;
6250 }
6251
6252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6253 NULL, NULL))
6254 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6255 SSL_ERROR_NONE)))
6256 goto end;
6257
6258 /*
6259 * We only expect certificate authorities to have been sent to the server
6260 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6261 */
6262 sktmp = SSL_get0_peer_CA_list(serverssl);
6263 if (prot == TLS1_3_VERSION
6264 && (tst == 0 || tst == 1)) {
6265 if (!TEST_ptr(sktmp)
6266 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6267 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6268 name[0]), 0)
6269 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6270 name[1]), 0))
6271 goto end;
6272 } else if (!TEST_ptr_null(sktmp)) {
6273 goto end;
6274 }
6275
6276 /*
6277 * In all tests we expect certificate authorities to have been sent to the
6278 * client. However, SSL_set_client_CA_list() should override
6279 * SSL_set0_CA_list()
6280 */
6281 sktmp = SSL_get0_peer_CA_list(clientssl);
6282 if (!TEST_ptr(sktmp)
6283 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6284 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6285 name[tst == 0 ? 0 : 2]), 0)
6286 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6287 name[tst == 0 ? 1 : 3]), 0))
6288 goto end;
6289
6290 testresult = 1;
6291
6292 end:
6293 SSL_free(serverssl);
6294 SSL_free(clientssl);
6295 SSL_CTX_free(sctx);
6296 SSL_CTX_free(cctx);
6297 for (i = 0; i < OSSL_NELEM(name); i++)
6298 X509_NAME_free(name[i]);
6299 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6300 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6301
6302 return testresult;
6303 }
6304 #endif
6305
test_ca_names(int tst)6306 static int test_ca_names(int tst)
6307 {
6308 int testresult = 1;
6309
6310 #ifndef OPENSSL_NO_TLS1_2
6311 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6312 #endif
6313 #ifndef OPENSSL_NO_TLS1_3
6314 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6315 #endif
6316
6317 return testresult;
6318 }
6319
6320 /*
6321 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6322 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6323 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6324 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6325 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6326 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6327 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6328 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6329 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6330 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6331 */
test_servername(int tst)6332 static int test_servername(int tst)
6333 {
6334 SSL_CTX *cctx = NULL, *sctx = NULL;
6335 SSL *clientssl = NULL, *serverssl = NULL;
6336 int testresult = 0;
6337 SSL_SESSION *sess = NULL;
6338 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6339
6340 #ifdef OPENSSL_NO_TLS1_2
6341 if (tst <= 4)
6342 return 1;
6343 #endif
6344 #ifdef OPENSSL_NO_TLS1_3
6345 if (tst >= 5)
6346 return 1;
6347 #endif
6348
6349 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6350 TLS_client_method(),
6351 TLS1_VERSION,
6352 (tst <= 4) ? TLS1_2_VERSION
6353 : TLS1_3_VERSION,
6354 &sctx, &cctx, cert, privkey))
6355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6356 NULL, NULL)))
6357 goto end;
6358
6359 if (tst != 1 && tst != 6) {
6360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
6361 hostname_cb)))
6362 goto end;
6363 }
6364
6365 if (tst != 3 && tst != 8) {
6366 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6367 goto end;
6368 sexpectedhost = cexpectedhost = "goodhost";
6369 }
6370
6371 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6372 goto end;
6373
6374 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
6375 cexpectedhost)
6376 || !TEST_str_eq(SSL_get_servername(serverssl,
6377 TLSEXT_NAMETYPE_host_name),
6378 sexpectedhost))
6379 goto end;
6380
6381 /* Now repeat with a resumption handshake */
6382
6383 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
6384 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
6385 || !TEST_true(SSL_SESSION_is_resumable(sess))
6386 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
6387 goto end;
6388
6389 SSL_free(clientssl);
6390 SSL_free(serverssl);
6391 clientssl = serverssl = NULL;
6392
6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6394 NULL)))
6395 goto end;
6396
6397 if (!TEST_true(SSL_set_session(clientssl, sess)))
6398 goto end;
6399
6400 sexpectedhost = cexpectedhost = "goodhost";
6401 if (tst == 2 || tst == 7) {
6402 /* Set an inconsistent hostname */
6403 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
6404 goto end;
6405 /*
6406 * In TLSv1.2 we expect the hostname from the original handshake, in
6407 * TLSv1.3 we expect the hostname from this handshake
6408 */
6409 if (tst == 7)
6410 sexpectedhost = cexpectedhost = "altgoodhost";
6411
6412 if (!TEST_str_eq(SSL_get_servername(clientssl,
6413 TLSEXT_NAMETYPE_host_name),
6414 "altgoodhost"))
6415 goto end;
6416 } else if (tst == 4 || tst == 9) {
6417 /*
6418 * A TLSv1.3 session does not associate a session with a servername,
6419 * but a TLSv1.2 session does.
6420 */
6421 if (tst == 9)
6422 sexpectedhost = cexpectedhost = NULL;
6423
6424 if (!TEST_str_eq(SSL_get_servername(clientssl,
6425 TLSEXT_NAMETYPE_host_name),
6426 cexpectedhost))
6427 goto end;
6428 } else {
6429 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6430 goto end;
6431 /*
6432 * In a TLSv1.2 resumption where the hostname was not acknowledged
6433 * we expect the hostname on the server to be empty. On the client we
6434 * return what was requested in this case.
6435 *
6436 * Similarly if the client didn't set a hostname on an original TLSv1.2
6437 * session but is now, the server hostname will be empty, but the client
6438 * is as we set it.
6439 */
6440 if (tst == 1 || tst == 3)
6441 sexpectedhost = NULL;
6442
6443 if (!TEST_str_eq(SSL_get_servername(clientssl,
6444 TLSEXT_NAMETYPE_host_name),
6445 "goodhost"))
6446 goto end;
6447 }
6448
6449 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6450 goto end;
6451
6452 if (!TEST_true(SSL_session_reused(clientssl))
6453 || !TEST_true(SSL_session_reused(serverssl))
6454 || !TEST_str_eq(SSL_get_servername(clientssl,
6455 TLSEXT_NAMETYPE_host_name),
6456 cexpectedhost)
6457 || !TEST_str_eq(SSL_get_servername(serverssl,
6458 TLSEXT_NAMETYPE_host_name),
6459 sexpectedhost))
6460 goto end;
6461
6462 testresult = 1;
6463
6464 end:
6465 SSL_SESSION_free(sess);
6466 SSL_free(serverssl);
6467 SSL_free(clientssl);
6468 SSL_CTX_free(sctx);
6469 SSL_CTX_free(cctx);
6470
6471 return testresult;
6472 }
6473
setup_tests(void)6474 int setup_tests(void)
6475 {
6476 if (!TEST_ptr(certsdir = test_get_argument(0))
6477 || !TEST_ptr(srpvfile = test_get_argument(1))
6478 || !TEST_ptr(tmpfilename = test_get_argument(2)))
6479 return 0;
6480
6481 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6482 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
6483 TEST_error("not supported in this build");
6484 return 0;
6485 #else
6486 int i, mcount, rcount, fcount;
6487
6488 for (i = 0; i < 4; i++)
6489 test_export_key_mat(i);
6490 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6491 test_printf_stdout("malloc %d realloc %d free %d\n",
6492 mcount, rcount, fcount);
6493 return 1;
6494 #endif
6495 }
6496
6497 cert = test_mk_file_path(certsdir, "servercert.pem");
6498 if (cert == NULL)
6499 return 0;
6500
6501 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6502 if (privkey == NULL) {
6503 OPENSSL_free(cert);
6504 return 0;
6505 }
6506
6507 ADD_TEST(test_large_message_tls);
6508 ADD_TEST(test_large_message_tls_read_ahead);
6509 #ifndef OPENSSL_NO_DTLS
6510 ADD_TEST(test_large_message_dtls);
6511 #endif
6512 #ifndef OPENSSL_NO_OCSP
6513 ADD_TEST(test_tlsext_status_type);
6514 #endif
6515 ADD_TEST(test_session_with_only_int_cache);
6516 ADD_TEST(test_session_with_only_ext_cache);
6517 ADD_TEST(test_session_with_both_cache);
6518 #ifndef OPENSSL_NO_TLS1_3
6519 ADD_ALL_TESTS(test_stateful_tickets, 3);
6520 ADD_ALL_TESTS(test_stateless_tickets, 3);
6521 ADD_TEST(test_psk_tickets);
6522 #endif
6523 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
6524 ADD_TEST(test_ssl_bio_pop_next_bio);
6525 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6526 ADD_TEST(test_ssl_bio_change_rbio);
6527 ADD_TEST(test_ssl_bio_change_wbio);
6528 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
6529 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6530 ADD_TEST(test_keylog);
6531 #endif
6532 #ifndef OPENSSL_NO_TLS1_3
6533 ADD_TEST(test_keylog_no_master_key);
6534 #endif
6535 #ifndef OPENSSL_NO_TLS1_2
6536 ADD_TEST(test_client_hello_cb);
6537 ADD_TEST(test_ccs_change_cipher);
6538 #endif
6539 #ifndef OPENSSL_NO_TLS1_3
6540 ADD_ALL_TESTS(test_early_data_read_write, 3);
6541 /*
6542 * We don't do replay tests for external PSK. Replay protection isn't used
6543 * in that scenario.
6544 */
6545 ADD_ALL_TESTS(test_early_data_replay, 2);
6546 ADD_ALL_TESTS(test_early_data_skip, 3);
6547 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
6548 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
6549 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
6550 ADD_ALL_TESTS(test_early_data_not_sent, 3);
6551 ADD_ALL_TESTS(test_early_data_psk, 8);
6552 ADD_ALL_TESTS(test_early_data_not_expected, 3);
6553 # ifndef OPENSSL_NO_TLS1_2
6554 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
6555 # endif
6556 #endif
6557 #ifndef OPENSSL_NO_TLS1_3
6558 ADD_ALL_TESTS(test_set_ciphersuite, 10);
6559 ADD_TEST(test_ciphersuite_change);
6560 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6561 #ifdef OPENSSL_NO_PSK
6562 ADD_ALL_TESTS(test_tls13_psk, 1);
6563 #else
6564 ADD_ALL_TESTS(test_tls13_psk, 4);
6565 #endif /* OPENSSL_NO_PSK */
6566 ADD_ALL_TESTS(test_custom_exts, 5);
6567 ADD_TEST(test_stateless);
6568 ADD_TEST(test_pha_key_update);
6569 #else
6570 ADD_ALL_TESTS(test_custom_exts, 3);
6571 #endif
6572 ADD_ALL_TESTS(test_serverinfo, 8);
6573 ADD_ALL_TESTS(test_export_key_mat, 6);
6574 #ifndef OPENSSL_NO_TLS1_3
6575 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6576 ADD_TEST(test_key_update);
6577 ADD_ALL_TESTS(test_key_update_in_write, 2);
6578 #endif
6579 ADD_ALL_TESTS(test_ssl_clear, 2);
6580 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
6581 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6582 ADD_ALL_TESTS(test_srp, 6);
6583 #endif
6584 ADD_ALL_TESTS(test_info_callback, 6);
6585 ADD_ALL_TESTS(test_ssl_pending, 2);
6586 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
6587 ADD_ALL_TESTS(test_ticket_callbacks, 12);
6588 ADD_ALL_TESTS(test_shutdown, 7);
6589 ADD_ALL_TESTS(test_cert_cb, 6);
6590 ADD_ALL_TESTS(test_client_cert_cb, 2);
6591 ADD_ALL_TESTS(test_ca_names, 3);
6592 ADD_ALL_TESTS(test_servername, 10);
6593 return 1;
6594 }
6595
cleanup_tests(void)6596 void cleanup_tests(void)
6597 {
6598 OPENSSL_free(cert);
6599 OPENSSL_free(privkey);
6600 bio_s_mempacket_test_free();
6601 bio_s_always_retry_free();
6602 }
6603