1 /*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <string.h>
12
13 #include <openssl/opensslconf.h>
14 #include <openssl/bio.h>
15 #include <openssl/crypto.h>
16 #include <openssl/ssl.h>
17 #include <openssl/ocsp.h>
18 #include <openssl/srp.h>
19 #include <openssl/txt_db.h>
20 #include <openssl/aes.h>
21 #include <openssl/rand.h>
22 #include <openssl/x509v3.h>
23
24 #include "ssltestlib.h"
25 #include "testutil.h"
26 #include "testutil/output.h"
27 #include "internal/nelem.h"
28 #include "internal/ktls.h"
29 #include "../ssl/ssl_local.h"
30
31 #ifndef OPENSSL_NO_TLS1_3
32
33 static SSL_SESSION *clientpsk = NULL;
34 static SSL_SESSION *serverpsk = NULL;
35 static const char *pskid = "Identity";
36 static const char *srvid;
37
38 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
39 size_t *idlen, SSL_SESSION **sess);
40 static int find_session_cb(SSL *ssl, const unsigned char *identity,
41 size_t identity_len, SSL_SESSION **sess);
42
43 static int use_session_cb_cnt = 0;
44 static int find_session_cb_cnt = 0;
45
46 static SSL_SESSION *create_a_psk(SSL *ssl);
47 #endif
48
49 static char *certsdir = NULL;
50 static char *cert = NULL;
51 static char *privkey = NULL;
52 static char *srpvfile = NULL;
53 static char *tmpfilename = NULL;
54
55 #define LOG_BUFFER_SIZE 2048
56 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
57 static size_t server_log_buffer_index = 0;
58 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
59 static size_t client_log_buffer_index = 0;
60 static int error_writing_log = 0;
61
62 #ifndef OPENSSL_NO_OCSP
63 static const unsigned char orespder[] = "Dummy OCSP Response";
64 static int ocsp_server_called = 0;
65 static int ocsp_client_called = 0;
66
67 static int cdummyarg = 1;
68 static X509 *ocspcert = NULL;
69 #endif
70
71 #define NUM_EXTRA_CERTS 40
72 #define CLIENT_VERSION_LEN 2
73
74 /*
75 * This structure is used to validate that the correct number of log messages
76 * of various types are emitted when emitting secret logs.
77 */
78 struct sslapitest_log_counts {
79 unsigned int rsa_key_exchange_count;
80 unsigned int master_secret_count;
81 unsigned int client_early_secret_count;
82 unsigned int client_handshake_secret_count;
83 unsigned int server_handshake_secret_count;
84 unsigned int client_application_secret_count;
85 unsigned int server_application_secret_count;
86 unsigned int early_exporter_secret_count;
87 unsigned int exporter_secret_count;
88 };
89
90
91 static unsigned char serverinfov1[] = {
92 0xff, 0xff, /* Dummy extension type */
93 0x00, 0x01, /* Extension length is 1 byte */
94 0xff /* Dummy extension data */
95 };
96
97 static unsigned char serverinfov2[] = {
98 0x00, 0x00, 0x00,
99 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
100 0xff, 0xff, /* Dummy extension type */
101 0x00, 0x01, /* Extension length is 1 byte */
102 0xff /* Dummy extension data */
103 };
104
hostname_cb(SSL * s,int * al,void * arg)105 static int hostname_cb(SSL *s, int *al, void *arg)
106 {
107 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
108
109 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
110 || strcmp(hostname, "altgoodhost") == 0))
111 return SSL_TLSEXT_ERR_OK;
112
113 return SSL_TLSEXT_ERR_NOACK;
114 }
115
client_keylog_callback(const SSL * ssl,const char * line)116 static void client_keylog_callback(const SSL *ssl, const char *line)
117 {
118 int line_length = strlen(line);
119
120 /* If the log doesn't fit, error out. */
121 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
122 TEST_info("Client log too full");
123 error_writing_log = 1;
124 return;
125 }
126
127 strcat(client_log_buffer, line);
128 client_log_buffer_index += line_length;
129 client_log_buffer[client_log_buffer_index++] = '\n';
130 }
131
server_keylog_callback(const SSL * ssl,const char * line)132 static void server_keylog_callback(const SSL *ssl, const char *line)
133 {
134 int line_length = strlen(line);
135
136 /* If the log doesn't fit, error out. */
137 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
138 TEST_info("Server log too full");
139 error_writing_log = 1;
140 return;
141 }
142
143 strcat(server_log_buffer, line);
144 server_log_buffer_index += line_length;
145 server_log_buffer[server_log_buffer_index++] = '\n';
146 }
147
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)148 static int compare_hex_encoded_buffer(const char *hex_encoded,
149 size_t hex_length,
150 const uint8_t *raw,
151 size_t raw_length)
152 {
153 size_t i, j;
154 char hexed[3];
155
156 if (!TEST_size_t_eq(raw_length * 2, hex_length))
157 return 1;
158
159 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
160 sprintf(hexed, "%02x", raw[i]);
161 if (!TEST_int_eq(hexed[0], hex_encoded[j])
162 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
163 return 1;
164 }
165
166 return 0;
167 }
168
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)169 static int test_keylog_output(char *buffer, const SSL *ssl,
170 const SSL_SESSION *session,
171 struct sslapitest_log_counts *expected)
172 {
173 char *token = NULL;
174 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
175 size_t client_random_size = SSL3_RANDOM_SIZE;
176 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
177 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
178 unsigned int rsa_key_exchange_count = 0;
179 unsigned int master_secret_count = 0;
180 unsigned int client_early_secret_count = 0;
181 unsigned int client_handshake_secret_count = 0;
182 unsigned int server_handshake_secret_count = 0;
183 unsigned int client_application_secret_count = 0;
184 unsigned int server_application_secret_count = 0;
185 unsigned int early_exporter_secret_count = 0;
186 unsigned int exporter_secret_count = 0;
187
188 for (token = strtok(buffer, " \n"); token != NULL;
189 token = strtok(NULL, " \n")) {
190 if (strcmp(token, "RSA") == 0) {
191 /*
192 * Premaster secret. Tokens should be: 16 ASCII bytes of
193 * hex-encoded encrypted secret, then the hex-encoded pre-master
194 * secret.
195 */
196 if (!TEST_ptr(token = strtok(NULL, " \n")))
197 return 0;
198 if (!TEST_size_t_eq(strlen(token), 16))
199 return 0;
200 if (!TEST_ptr(token = strtok(NULL, " \n")))
201 return 0;
202 /*
203 * We can't sensibly check the log because the premaster secret is
204 * transient, and OpenSSL doesn't keep hold of it once the master
205 * secret is generated.
206 */
207 rsa_key_exchange_count++;
208 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
209 /*
210 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
211 * client random, then the hex-encoded master secret.
212 */
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
215 SSL3_RANDOM_SIZE);
216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
217 return 0;
218
219 if (!TEST_ptr(token = strtok(NULL, " \n")))
220 return 0;
221 if (!TEST_size_t_eq(strlen(token), 64))
222 return 0;
223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
226 return 0;
227
228 if (!TEST_ptr(token = strtok(NULL, " \n")))
229 return 0;
230 master_key_size = SSL_SESSION_get_master_key(session,
231 actual_master_key,
232 master_key_size);
233 if (!TEST_size_t_ne(master_key_size, 0))
234 return 0;
235 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
236 actual_master_key,
237 master_key_size)))
238 return 0;
239 master_secret_count++;
240 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
241 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
242 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
243 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
244 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
245 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
246 || strcmp(token, "EXPORTER_SECRET") == 0) {
247 /*
248 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
249 * client random, and then the hex-encoded secret. In this case,
250 * we treat all of these secrets identically and then just
251 * distinguish between them when counting what we saw.
252 */
253 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
254 client_early_secret_count++;
255 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
256 client_handshake_secret_count++;
257 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
258 server_handshake_secret_count++;
259 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
260 client_application_secret_count++;
261 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
262 server_application_secret_count++;
263 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
264 early_exporter_secret_count++;
265 else if (strcmp(token, "EXPORTER_SECRET") == 0)
266 exporter_secret_count++;
267
268 client_random_size = SSL_get_client_random(ssl,
269 actual_client_random,
270 SSL3_RANDOM_SIZE);
271 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
272 return 0;
273
274 if (!TEST_ptr(token = strtok(NULL, " \n")))
275 return 0;
276 if (!TEST_size_t_eq(strlen(token), 64))
277 return 0;
278 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
279 actual_client_random,
280 client_random_size)))
281 return 0;
282
283 if (!TEST_ptr(token = strtok(NULL, " \n")))
284 return 0;
285
286 /*
287 * TODO(TLS1.3): test that application traffic secrets are what
288 * we expect */
289 } else {
290 TEST_info("Unexpected token %s\n", token);
291 return 0;
292 }
293 }
294
295 /* Got what we expected? */
296 if (!TEST_size_t_eq(rsa_key_exchange_count,
297 expected->rsa_key_exchange_count)
298 || !TEST_size_t_eq(master_secret_count,
299 expected->master_secret_count)
300 || !TEST_size_t_eq(client_early_secret_count,
301 expected->client_early_secret_count)
302 || !TEST_size_t_eq(client_handshake_secret_count,
303 expected->client_handshake_secret_count)
304 || !TEST_size_t_eq(server_handshake_secret_count,
305 expected->server_handshake_secret_count)
306 || !TEST_size_t_eq(client_application_secret_count,
307 expected->client_application_secret_count)
308 || !TEST_size_t_eq(server_application_secret_count,
309 expected->server_application_secret_count)
310 || !TEST_size_t_eq(early_exporter_secret_count,
311 expected->early_exporter_secret_count)
312 || !TEST_size_t_eq(exporter_secret_count,
313 expected->exporter_secret_count))
314 return 0;
315 return 1;
316 }
317
318 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
test_keylog(void)319 static int test_keylog(void)
320 {
321 SSL_CTX *cctx = NULL, *sctx = NULL;
322 SSL *clientssl = NULL, *serverssl = NULL;
323 int testresult = 0;
324 struct sslapitest_log_counts expected = {0};
325
326 /* Clean up logging space */
327 memset(client_log_buffer, 0, sizeof(client_log_buffer));
328 memset(server_log_buffer, 0, sizeof(server_log_buffer));
329 client_log_buffer_index = 0;
330 server_log_buffer_index = 0;
331 error_writing_log = 0;
332
333 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
334 TLS_client_method(),
335 TLS1_VERSION, TLS_MAX_VERSION,
336 &sctx, &cctx, cert, privkey)))
337 return 0;
338
339 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
340 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
341 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
342
343 /* We also want to ensure that we use RSA-based key exchange. */
344 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
345 goto end;
346
347 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
348 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
349 goto end;
350 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
351 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
352 == client_keylog_callback))
353 goto end;
354 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
355 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
356 == server_keylog_callback))
357 goto end;
358
359 /* Now do a handshake and check that the logs have been written to. */
360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
361 &clientssl, NULL, NULL))
362 || !TEST_true(create_ssl_connection(serverssl, clientssl,
363 SSL_ERROR_NONE))
364 || !TEST_false(error_writing_log)
365 || !TEST_int_gt(client_log_buffer_index, 0)
366 || !TEST_int_gt(server_log_buffer_index, 0))
367 goto end;
368
369 /*
370 * Now we want to test that our output data was vaguely sensible. We
371 * do that by using strtok and confirming that we have more or less the
372 * data we expect. For both client and server, we expect to see one master
373 * secret. The client should also see a RSA key exchange.
374 */
375 expected.rsa_key_exchange_count = 1;
376 expected.master_secret_count = 1;
377 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
378 SSL_get_session(clientssl), &expected)))
379 goto end;
380
381 expected.rsa_key_exchange_count = 0;
382 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
383 SSL_get_session(serverssl), &expected)))
384 goto end;
385
386 testresult = 1;
387
388 end:
389 SSL_free(serverssl);
390 SSL_free(clientssl);
391 SSL_CTX_free(sctx);
392 SSL_CTX_free(cctx);
393
394 return testresult;
395 }
396 #endif
397
398 #ifndef OPENSSL_NO_TLS1_3
test_keylog_no_master_key(void)399 static int test_keylog_no_master_key(void)
400 {
401 SSL_CTX *cctx = NULL, *sctx = NULL;
402 SSL *clientssl = NULL, *serverssl = NULL;
403 SSL_SESSION *sess = NULL;
404 int testresult = 0;
405 struct sslapitest_log_counts expected = {0};
406 unsigned char buf[1];
407 size_t readbytes, written;
408
409 /* Clean up logging space */
410 memset(client_log_buffer, 0, sizeof(client_log_buffer));
411 memset(server_log_buffer, 0, sizeof(server_log_buffer));
412 client_log_buffer_index = 0;
413 server_log_buffer_index = 0;
414 error_writing_log = 0;
415
416 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
417 TLS1_VERSION, TLS_MAX_VERSION,
418 &sctx, &cctx, cert, privkey))
419 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
420 SSL3_RT_MAX_PLAIN_LENGTH)))
421 return 0;
422
423 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
424 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
425 goto end;
426
427 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
428 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
429 == client_keylog_callback))
430 goto end;
431
432 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
433 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
434 == server_keylog_callback))
435 goto end;
436
437 /* Now do a handshake and check that the logs have been written to. */
438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
439 &clientssl, NULL, NULL))
440 || !TEST_true(create_ssl_connection(serverssl, clientssl,
441 SSL_ERROR_NONE))
442 || !TEST_false(error_writing_log))
443 goto end;
444
445 /*
446 * Now we want to test that our output data was vaguely sensible. For this
447 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
448 * TLSv1.3, but we do expect both client and server to emit keys.
449 */
450 expected.client_handshake_secret_count = 1;
451 expected.server_handshake_secret_count = 1;
452 expected.client_application_secret_count = 1;
453 expected.server_application_secret_count = 1;
454 expected.exporter_secret_count = 1;
455 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
456 SSL_get_session(clientssl), &expected))
457 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
458 SSL_get_session(serverssl),
459 &expected)))
460 goto end;
461
462 /* Terminate old session and resume with early data. */
463 sess = SSL_get1_session(clientssl);
464 SSL_shutdown(clientssl);
465 SSL_shutdown(serverssl);
466 SSL_free(serverssl);
467 SSL_free(clientssl);
468 serverssl = clientssl = NULL;
469
470 /* Reset key log */
471 memset(client_log_buffer, 0, sizeof(client_log_buffer));
472 memset(server_log_buffer, 0, sizeof(server_log_buffer));
473 client_log_buffer_index = 0;
474 server_log_buffer_index = 0;
475
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(SSL_set_session(clientssl, sess))
479 /* Here writing 0 length early data is enough. */
480 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
481 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
482 &readbytes),
483 SSL_READ_EARLY_DATA_ERROR)
484 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
485 SSL_EARLY_DATA_ACCEPTED)
486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
487 SSL_ERROR_NONE))
488 || !TEST_true(SSL_session_reused(clientssl)))
489 goto end;
490
491 /* In addition to the previous entries, expect early secrets. */
492 expected.client_early_secret_count = 1;
493 expected.early_exporter_secret_count = 1;
494 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
495 SSL_get_session(clientssl), &expected))
496 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
497 SSL_get_session(serverssl),
498 &expected)))
499 goto end;
500
501 testresult = 1;
502
503 end:
504 SSL_SESSION_free(sess);
505 SSL_free(serverssl);
506 SSL_free(clientssl);
507 SSL_CTX_free(sctx);
508 SSL_CTX_free(cctx);
509
510 return testresult;
511 }
512 #endif
513
514 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)515 static int full_client_hello_callback(SSL *s, int *al, void *arg)
516 {
517 int *ctr = arg;
518 const unsigned char *p;
519 int *exts;
520 /* We only configure two ciphers, but the SCSV is added automatically. */
521 #ifdef OPENSSL_NO_EC
522 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
523 #else
524 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
525 0x2c, 0x00, 0xff};
526 #endif
527 const int expected_extensions[] = {
528 #ifndef OPENSSL_NO_EC
529 11, 10,
530 #endif
531 35, 22, 23, 13};
532 size_t len;
533
534 /* Make sure we can defer processing and get called back. */
535 if ((*ctr)++ == 0)
536 return SSL_CLIENT_HELLO_RETRY;
537
538 len = SSL_client_hello_get0_ciphers(s, &p);
539 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
540 || !TEST_size_t_eq(
541 SSL_client_hello_get0_compression_methods(s, &p), 1)
542 || !TEST_int_eq(*p, 0))
543 return SSL_CLIENT_HELLO_ERROR;
544 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
545 return SSL_CLIENT_HELLO_ERROR;
546 if (len != OSSL_NELEM(expected_extensions) ||
547 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
548 printf("ClientHello callback expected extensions mismatch\n");
549 OPENSSL_free(exts);
550 return SSL_CLIENT_HELLO_ERROR;
551 }
552 OPENSSL_free(exts);
553 return SSL_CLIENT_HELLO_SUCCESS;
554 }
555
test_client_hello_cb(void)556 static int test_client_hello_cb(void)
557 {
558 SSL_CTX *cctx = NULL, *sctx = NULL;
559 SSL *clientssl = NULL, *serverssl = NULL;
560 int testctr = 0, testresult = 0;
561
562 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
563 TLS1_VERSION, TLS_MAX_VERSION,
564 &sctx, &cctx, cert, privkey)))
565 goto end;
566 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
567
568 /* The gimpy cipher list we configure can't do TLS 1.3. */
569 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
570
571 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
572 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
573 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
574 &clientssl, NULL, NULL))
575 || !TEST_false(create_ssl_connection(serverssl, clientssl,
576 SSL_ERROR_WANT_CLIENT_HELLO_CB))
577 /*
578 * Passing a -1 literal is a hack since
579 * the real value was lost.
580 * */
581 || !TEST_int_eq(SSL_get_error(serverssl, -1),
582 SSL_ERROR_WANT_CLIENT_HELLO_CB)
583 || !TEST_true(create_ssl_connection(serverssl, clientssl,
584 SSL_ERROR_NONE)))
585 goto end;
586
587 testresult = 1;
588
589 end:
590 SSL_free(serverssl);
591 SSL_free(clientssl);
592 SSL_CTX_free(sctx);
593 SSL_CTX_free(cctx);
594
595 return testresult;
596 }
597
598 /*
599 * Very focused test to exercise a single case in the server-side state
600 * machine, when the ChangeCipherState message needs to actually change
601 * from one cipher to a different cipher (i.e., not changing from null
602 * encryption to real encryption).
603 */
test_ccs_change_cipher(void)604 static int test_ccs_change_cipher(void)
605 {
606 SSL_CTX *cctx = NULL, *sctx = NULL;
607 SSL *clientssl = NULL, *serverssl = NULL;
608 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
609 int testresult = 0;
610 int i;
611 unsigned char buf;
612 size_t readbytes;
613
614 /*
615 * Create a conection so we can resume and potentially (but not) use
616 * a different cipher in the second connection.
617 */
618 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
619 TLS_client_method(),
620 TLS1_VERSION, TLS1_2_VERSION,
621 &sctx, &cctx, cert, privkey))
622 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
623 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
624 NULL, NULL))
625 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
626 || !TEST_true(create_ssl_connection(serverssl, clientssl,
627 SSL_ERROR_NONE))
628 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
629 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
630 goto end;
631
632 shutdown_ssl_connection(serverssl, clientssl);
633 serverssl = clientssl = NULL;
634
635 /* Resume, preferring a different cipher. Our server will force the
636 * same cipher to be used as the initial handshake. */
637 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
638 NULL, NULL))
639 || !TEST_true(SSL_set_session(clientssl, sess))
640 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
641 || !TEST_true(create_ssl_connection(serverssl, clientssl,
642 SSL_ERROR_NONE))
643 || !TEST_true(SSL_session_reused(clientssl))
644 || !TEST_true(SSL_session_reused(serverssl))
645 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
646 || !TEST_ptr_eq(sesspre, sesspost)
647 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
648 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
649 goto end;
650 shutdown_ssl_connection(serverssl, clientssl);
651 serverssl = clientssl = NULL;
652
653 /*
654 * Now create a fresh connection and try to renegotiate a different
655 * cipher on it.
656 */
657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
658 NULL, NULL))
659 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
660 || !TEST_true(create_ssl_connection(serverssl, clientssl,
661 SSL_ERROR_NONE))
662 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
663 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
664 || !TEST_true(SSL_renegotiate(clientssl))
665 || !TEST_true(SSL_renegotiate_pending(clientssl)))
666 goto end;
667 /* Actually drive the renegotiation. */
668 for (i = 0; i < 3; i++) {
669 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
670 if (!TEST_ulong_eq(readbytes, 0))
671 goto end;
672 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
673 SSL_ERROR_WANT_READ)) {
674 goto end;
675 }
676 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
677 if (!TEST_ulong_eq(readbytes, 0))
678 goto end;
679 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
680 SSL_ERROR_WANT_READ)) {
681 goto end;
682 }
683 }
684 /* sesspre and sesspost should be different since the cipher changed. */
685 if (!TEST_false(SSL_renegotiate_pending(clientssl))
686 || !TEST_false(SSL_session_reused(clientssl))
687 || !TEST_false(SSL_session_reused(serverssl))
688 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
689 || !TEST_ptr_ne(sesspre, sesspost)
690 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
691 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
692 goto end;
693
694 shutdown_ssl_connection(serverssl, clientssl);
695 serverssl = clientssl = NULL;
696
697 testresult = 1;
698
699 end:
700 SSL_free(serverssl);
701 SSL_free(clientssl);
702 SSL_CTX_free(sctx);
703 SSL_CTX_free(cctx);
704 SSL_SESSION_free(sess);
705
706 return testresult;
707 }
708 #endif
709
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)710 static int execute_test_large_message(const SSL_METHOD *smeth,
711 const SSL_METHOD *cmeth,
712 int min_version, int max_version,
713 int read_ahead)
714 {
715 SSL_CTX *cctx = NULL, *sctx = NULL;
716 SSL *clientssl = NULL, *serverssl = NULL;
717 int testresult = 0;
718 int i;
719 BIO *certbio = NULL;
720 X509 *chaincert = NULL;
721 int certlen;
722
723 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
724 goto end;
725 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
726 BIO_free(certbio);
727 certbio = NULL;
728 if (!TEST_ptr(chaincert))
729 goto end;
730
731 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
732 &sctx, &cctx, cert, privkey)))
733 goto end;
734
735 if (read_ahead) {
736 /*
737 * Test that read_ahead works correctly when dealing with large
738 * records
739 */
740 SSL_CTX_set_read_ahead(cctx, 1);
741 }
742
743 /*
744 * We assume the supplied certificate is big enough so that if we add
745 * NUM_EXTRA_CERTS it will make the overall message large enough. The
746 * default buffer size is requested to be 16k, but due to the way BUF_MEM
747 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
748 * test we need to have a message larger than that.
749 */
750 certlen = i2d_X509(chaincert, NULL);
751 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
752 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
753 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
754 if (!X509_up_ref(chaincert))
755 goto end;
756 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
757 X509_free(chaincert);
758 goto end;
759 }
760 }
761
762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
763 NULL, NULL))
764 || !TEST_true(create_ssl_connection(serverssl, clientssl,
765 SSL_ERROR_NONE)))
766 goto end;
767
768 /*
769 * Calling SSL_clear() first is not required but this tests that SSL_clear()
770 * doesn't leak (when using enable-crypto-mdebug).
771 */
772 if (!TEST_true(SSL_clear(serverssl)))
773 goto end;
774
775 testresult = 1;
776 end:
777 X509_free(chaincert);
778 SSL_free(serverssl);
779 SSL_free(clientssl);
780 SSL_CTX_free(sctx);
781 SSL_CTX_free(cctx);
782
783 return testresult;
784 }
785
786 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
787 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
788 /* sock must be connected */
ktls_chk_platform(int sock)789 static int ktls_chk_platform(int sock)
790 {
791 if (!ktls_enable(sock))
792 return 0;
793 return 1;
794 }
795
ping_pong_query(SSL * clientssl,SSL * serverssl)796 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
797 {
798 static char count = 1;
799 unsigned char cbuf[16000] = {0};
800 unsigned char sbuf[16000];
801 size_t err = 0;
802 char crec_wseq_before[SEQ_NUM_SIZE];
803 char crec_wseq_after[SEQ_NUM_SIZE];
804 char crec_rseq_before[SEQ_NUM_SIZE];
805 char crec_rseq_after[SEQ_NUM_SIZE];
806 char srec_wseq_before[SEQ_NUM_SIZE];
807 char srec_wseq_after[SEQ_NUM_SIZE];
808 char srec_rseq_before[SEQ_NUM_SIZE];
809 char srec_rseq_after[SEQ_NUM_SIZE];
810
811 cbuf[0] = count++;
812 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
813 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
814 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
815 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
816
817 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
818 goto end;
819
820 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
821 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
822 goto end;
823 }
824 }
825
826 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
827 goto end;
828
829 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
830 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
831 goto end;
832 }
833 }
834
835 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
836 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
837 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
838 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
839
840 /* verify the payload */
841 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
842 goto end;
843
844 /*
845 * If ktls is used then kernel sequences are used instead of
846 * OpenSSL sequences
847 */
848 if (!BIO_get_ktls_send(clientssl->wbio)) {
849 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
850 crec_wseq_after, SEQ_NUM_SIZE))
851 goto end;
852 } else {
853 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
854 crec_wseq_after, SEQ_NUM_SIZE))
855 goto end;
856 }
857
858 if (!BIO_get_ktls_send(serverssl->wbio)) {
859 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
860 srec_wseq_after, SEQ_NUM_SIZE))
861 goto end;
862 } else {
863 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
864 srec_wseq_after, SEQ_NUM_SIZE))
865 goto end;
866 }
867
868 if (!BIO_get_ktls_recv(clientssl->wbio)) {
869 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
870 crec_rseq_after, SEQ_NUM_SIZE))
871 goto end;
872 } else {
873 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
874 crec_rseq_after, SEQ_NUM_SIZE))
875 goto end;
876 }
877
878 if (!BIO_get_ktls_recv(serverssl->wbio)) {
879 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
880 srec_rseq_after, SEQ_NUM_SIZE))
881 goto end;
882 } else {
883 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
884 srec_rseq_after, SEQ_NUM_SIZE))
885 goto end;
886 }
887
888 return 1;
889 end:
890 return 0;
891 }
892
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)893 static int execute_test_ktls(int cis_ktls, int sis_ktls,
894 int tls_version, const char *cipher)
895 {
896 SSL_CTX *cctx = NULL, *sctx = NULL;
897 SSL *clientssl = NULL, *serverssl = NULL;
898 int ktls_used = 0, testresult = 0;
899 int cfd = -1, sfd = -1;
900 int rx_supported;
901
902 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
903 goto end;
904
905 /* Skip this test if the platform does not support ktls */
906 if (!ktls_chk_platform(cfd)) {
907 TEST_info("Kernel does not support KTLS");
908 testresult = 1;
909 goto end;
910 }
911
912 /* Create a session based on SHA-256 */
913 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
914 TLS_client_method(),
915 tls_version, tls_version,
916 &sctx, &cctx, cert, privkey)))
917 goto end;
918
919 if (tls_version == TLS1_3_VERSION) {
920 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
921 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
922 goto end;
923 } else {
924 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
925 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
926 goto end;
927 }
928
929 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
930 &clientssl, sfd, cfd)))
931 goto end;
932
933 if (cis_ktls) {
934 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
935 goto end;
936 }
937
938 if (sis_ktls) {
939 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
940 goto end;
941 }
942
943 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
944 goto end;
945
946 /*
947 * The running kernel may not support a given cipher suite
948 * or direction, so just check that KTLS isn't used when it
949 * isn't enabled.
950 */
951 if (!cis_ktls) {
952 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
953 goto end;
954 } else {
955 if (BIO_get_ktls_send(clientssl->wbio))
956 ktls_used = 1;
957 }
958
959 if (!sis_ktls) {
960 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
961 goto end;
962 } else {
963 if (BIO_get_ktls_send(serverssl->wbio))
964 ktls_used = 1;
965 }
966
967 #if defined(OPENSSL_NO_KTLS_RX)
968 rx_supported = 0;
969 #else
970 rx_supported = (tls_version != TLS1_3_VERSION);
971 #endif
972 if (!cis_ktls || !rx_supported) {
973 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
974 goto end;
975 } else {
976 if (BIO_get_ktls_send(clientssl->rbio))
977 ktls_used = 1;
978 }
979
980 if (!sis_ktls || !rx_supported) {
981 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
982 goto end;
983 } else {
984 if (BIO_get_ktls_send(serverssl->rbio))
985 ktls_used = 1;
986 }
987
988 if ((cis_ktls || sis_ktls) && !ktls_used) {
989 TEST_info("KTLS not supported for %s cipher %s",
990 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
991 "TLS 1.2", cipher);
992 testresult = 1;
993 goto end;
994 }
995
996 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
997 goto end;
998
999 testresult = 1;
1000 end:
1001 if (clientssl) {
1002 SSL_shutdown(clientssl);
1003 SSL_free(clientssl);
1004 }
1005 if (serverssl) {
1006 SSL_shutdown(serverssl);
1007 SSL_free(serverssl);
1008 }
1009 SSL_CTX_free(sctx);
1010 SSL_CTX_free(cctx);
1011 serverssl = clientssl = NULL;
1012 if (cfd != -1)
1013 close(cfd);
1014 if (sfd != -1)
1015 close(sfd);
1016 return testresult;
1017 }
1018
1019 #define SENDFILE_SZ (16 * 4096)
1020 #define SENDFILE_CHUNK (4 * 4096)
1021 #define min(a,b) ((a) > (b) ? (b) : (a))
1022
execute_test_ktls_sendfile(int tls_version,const char * cipher)1023 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1024 {
1025 SSL_CTX *cctx = NULL, *sctx = NULL;
1026 SSL *clientssl = NULL, *serverssl = NULL;
1027 unsigned char *buf, *buf_dst;
1028 BIO *out = NULL, *in = NULL;
1029 int cfd = -1, sfd = -1, ffd, err;
1030 ssize_t chunk_size = 0;
1031 off_t chunk_off = 0;
1032 int testresult = 0;
1033 FILE *ffdp;
1034
1035 buf = OPENSSL_zalloc(SENDFILE_SZ);
1036 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1037 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1038 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1039 goto end;
1040
1041 /* Skip this test if the platform does not support ktls */
1042 if (!ktls_chk_platform(sfd)) {
1043 TEST_info("Kernel does not support KTLS");
1044 testresult = 1;
1045 goto end;
1046 }
1047
1048 /* Create a session based on SHA-256 */
1049 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1050 TLS_client_method(),
1051 tls_version, tls_version,
1052 &sctx, &cctx, cert, privkey)))
1053 goto end;
1054
1055 if (tls_version == TLS1_3_VERSION) {
1056 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1057 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1058 goto end;
1059 } else {
1060 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1061 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1062 goto end;
1063 }
1064
1065 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1066 &clientssl, sfd, cfd)))
1067 goto end;
1068
1069 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1070 goto end;
1071
1072 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1073 SSL_ERROR_NONE)))
1074 goto end;
1075
1076 if (!BIO_get_ktls_send(serverssl->wbio)) {
1077 TEST_info("Failed to enable KTLS for %s cipher %s",
1078 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1079 "TLS 1.2", cipher);
1080 testresult = 1;
1081 goto end;
1082 }
1083
1084 RAND_bytes(buf, SENDFILE_SZ);
1085
1086 out = BIO_new_file(tmpfilename, "wb");
1087 if (!TEST_ptr(out))
1088 goto end;
1089
1090 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1091 goto end;
1092
1093 BIO_free(out);
1094 out = NULL;
1095 in = BIO_new_file(tmpfilename, "rb");
1096 BIO_get_fp(in, &ffdp);
1097 ffd = fileno(ffdp);
1098
1099 while (chunk_off < SENDFILE_SZ) {
1100 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1101 while ((err = SSL_sendfile(serverssl,
1102 ffd,
1103 chunk_off,
1104 chunk_size,
1105 0)) != chunk_size) {
1106 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1107 goto end;
1108 }
1109 while ((err = SSL_read(clientssl,
1110 buf_dst + chunk_off,
1111 chunk_size)) != chunk_size) {
1112 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1113 goto end;
1114 }
1115
1116 /* verify the payload */
1117 if (!TEST_mem_eq(buf_dst + chunk_off,
1118 chunk_size,
1119 buf + chunk_off,
1120 chunk_size))
1121 goto end;
1122
1123 chunk_off += chunk_size;
1124 }
1125
1126 testresult = 1;
1127 end:
1128 if (clientssl) {
1129 SSL_shutdown(clientssl);
1130 SSL_free(clientssl);
1131 }
1132 if (serverssl) {
1133 SSL_shutdown(serverssl);
1134 SSL_free(serverssl);
1135 }
1136 SSL_CTX_free(sctx);
1137 SSL_CTX_free(cctx);
1138 serverssl = clientssl = NULL;
1139 BIO_free(out);
1140 BIO_free(in);
1141 if (cfd != -1)
1142 close(cfd);
1143 if (sfd != -1)
1144 close(sfd);
1145 OPENSSL_free(buf);
1146 OPENSSL_free(buf_dst);
1147 return testresult;
1148 }
1149
1150 static struct ktls_test_cipher {
1151 int tls_version;
1152 const char *cipher;
1153 } ktls_test_ciphers[] = {
1154 # if !defined(OPENSSL_NO_TLS1_2)
1155 # ifdef OPENSSL_KTLS_AES_GCM_128
1156 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1157 # endif
1158 # ifdef OPENSSL_KTLS_AES_CCM_128
1159 { TLS1_2_VERSION, "AES128-CCM"},
1160 # endif
1161 # ifdef OPENSSL_KTLS_AES_GCM_256
1162 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1163 # endif
1164 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1165 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1166 # endif
1167 # endif
1168 # if !defined(OPENSSL_NO_TLS1_3)
1169 # ifdef OPENSSL_KTLS_AES_GCM_128
1170 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1171 # endif
1172 # ifdef OPENSSL_KTLS_AES_CCM_128
1173 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1174 # endif
1175 # ifdef OPENSSL_KTLS_AES_GCM_256
1176 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1177 # endif
1178 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1179 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1180 # endif
1181 # endif
1182 };
1183
1184 #define NUM_KTLS_TEST_CIPHERS \
1185 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1186
test_ktls(int test)1187 static int test_ktls(int test)
1188 {
1189 struct ktls_test_cipher *cipher;
1190 int cis_ktls, sis_ktls;
1191
1192 OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS);
1193 cipher = &ktls_test_ciphers[test / 4];
1194
1195 cis_ktls = (test & 1) != 0;
1196 sis_ktls = (test & 2) != 0;
1197
1198 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1199 cipher->cipher);
1200 }
1201
test_ktls_sendfile(int tst)1202 static int test_ktls_sendfile(int tst)
1203 {
1204 struct ktls_test_cipher *cipher;
1205
1206 OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS);
1207 cipher = &ktls_test_ciphers[tst];
1208
1209 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1210 }
1211 #endif
1212
test_large_message_tls(void)1213 static int test_large_message_tls(void)
1214 {
1215 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1216 TLS1_VERSION, TLS_MAX_VERSION,
1217 0);
1218 }
1219
test_large_message_tls_read_ahead(void)1220 static int test_large_message_tls_read_ahead(void)
1221 {
1222 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1223 TLS1_VERSION, TLS_MAX_VERSION,
1224 1);
1225 }
1226
1227 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1228 static int test_large_message_dtls(void)
1229 {
1230 /*
1231 * read_ahead is not relevant to DTLS because DTLS always acts as if
1232 * read_ahead is set.
1233 */
1234 return execute_test_large_message(DTLS_server_method(),
1235 DTLS_client_method(),
1236 DTLS1_VERSION, DTLS_MAX_VERSION,
1237 0);
1238 }
1239 #endif
1240
1241 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1242 static int ocsp_server_cb(SSL *s, void *arg)
1243 {
1244 int *argi = (int *)arg;
1245 unsigned char *copy = NULL;
1246 STACK_OF(OCSP_RESPID) *ids = NULL;
1247 OCSP_RESPID *id = NULL;
1248
1249 if (*argi == 2) {
1250 /* In this test we are expecting exactly 1 OCSP_RESPID */
1251 SSL_get_tlsext_status_ids(s, &ids);
1252 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1253 return SSL_TLSEXT_ERR_ALERT_FATAL;
1254
1255 id = sk_OCSP_RESPID_value(ids, 0);
1256 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1257 return SSL_TLSEXT_ERR_ALERT_FATAL;
1258 } else if (*argi != 1) {
1259 return SSL_TLSEXT_ERR_ALERT_FATAL;
1260 }
1261
1262 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1263 return SSL_TLSEXT_ERR_ALERT_FATAL;
1264
1265 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
1266 ocsp_server_called = 1;
1267 return SSL_TLSEXT_ERR_OK;
1268 }
1269
ocsp_client_cb(SSL * s,void * arg)1270 static int ocsp_client_cb(SSL *s, void *arg)
1271 {
1272 int *argi = (int *)arg;
1273 const unsigned char *respderin;
1274 size_t len;
1275
1276 if (*argi != 1 && *argi != 2)
1277 return 0;
1278
1279 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1280 if (!TEST_mem_eq(orespder, len, respderin, len))
1281 return 0;
1282
1283 ocsp_client_called = 1;
1284 return 1;
1285 }
1286
test_tlsext_status_type(void)1287 static int test_tlsext_status_type(void)
1288 {
1289 SSL_CTX *cctx = NULL, *sctx = NULL;
1290 SSL *clientssl = NULL, *serverssl = NULL;
1291 int testresult = 0;
1292 STACK_OF(OCSP_RESPID) *ids = NULL;
1293 OCSP_RESPID *id = NULL;
1294 BIO *certbio = NULL;
1295
1296 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1297 TLS1_VERSION, TLS_MAX_VERSION,
1298 &sctx, &cctx, cert, privkey))
1299 return 0;
1300
1301 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1302 goto end;
1303
1304 /* First just do various checks getting and setting tlsext_status_type */
1305
1306 clientssl = SSL_new(cctx);
1307 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1308 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1309 TLSEXT_STATUSTYPE_ocsp))
1310 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1311 TLSEXT_STATUSTYPE_ocsp))
1312 goto end;
1313
1314 SSL_free(clientssl);
1315 clientssl = NULL;
1316
1317 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1318 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1319 goto end;
1320
1321 clientssl = SSL_new(cctx);
1322 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1323 goto end;
1324 SSL_free(clientssl);
1325 clientssl = NULL;
1326
1327 /*
1328 * Now actually do a handshake and check OCSP information is exchanged and
1329 * the callbacks get called
1330 */
1331 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1332 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1333 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1334 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1336 &clientssl, NULL, NULL))
1337 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1338 SSL_ERROR_NONE))
1339 || !TEST_true(ocsp_client_called)
1340 || !TEST_true(ocsp_server_called))
1341 goto end;
1342 SSL_free(serverssl);
1343 SSL_free(clientssl);
1344 serverssl = NULL;
1345 clientssl = NULL;
1346
1347 /* Try again but this time force the server side callback to fail */
1348 ocsp_client_called = 0;
1349 ocsp_server_called = 0;
1350 cdummyarg = 0;
1351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1352 &clientssl, NULL, NULL))
1353 /* This should fail because the callback will fail */
1354 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1355 SSL_ERROR_NONE))
1356 || !TEST_false(ocsp_client_called)
1357 || !TEST_false(ocsp_server_called))
1358 goto end;
1359 SSL_free(serverssl);
1360 SSL_free(clientssl);
1361 serverssl = NULL;
1362 clientssl = NULL;
1363
1364 /*
1365 * This time we'll get the client to send an OCSP_RESPID that it will
1366 * accept.
1367 */
1368 ocsp_client_called = 0;
1369 ocsp_server_called = 0;
1370 cdummyarg = 2;
1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL)))
1373 goto end;
1374
1375 /*
1376 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1377 * specific one. We'll use the server cert.
1378 */
1379 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1380 || !TEST_ptr(id = OCSP_RESPID_new())
1381 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1382 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1383 NULL, NULL, NULL))
1384 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1385 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1386 goto end;
1387 id = NULL;
1388 SSL_set_tlsext_status_ids(clientssl, ids);
1389 /* Control has been transferred */
1390 ids = NULL;
1391
1392 BIO_free(certbio);
1393 certbio = NULL;
1394
1395 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1396 SSL_ERROR_NONE))
1397 || !TEST_true(ocsp_client_called)
1398 || !TEST_true(ocsp_server_called))
1399 goto end;
1400
1401 testresult = 1;
1402
1403 end:
1404 SSL_free(serverssl);
1405 SSL_free(clientssl);
1406 SSL_CTX_free(sctx);
1407 SSL_CTX_free(cctx);
1408 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1409 OCSP_RESPID_free(id);
1410 BIO_free(certbio);
1411 X509_free(ocspcert);
1412 ocspcert = NULL;
1413
1414 return testresult;
1415 }
1416 #endif
1417
1418 #if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
1419 static int new_called, remove_called, get_called;
1420
new_session_cb(SSL * ssl,SSL_SESSION * sess)1421 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1422 {
1423 new_called++;
1424 /*
1425 * sess has been up-refed for us, but we don't actually need it so free it
1426 * immediately.
1427 */
1428 SSL_SESSION_free(sess);
1429 return 1;
1430 }
1431
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)1432 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1433 {
1434 remove_called++;
1435 }
1436
1437 static SSL_SESSION *get_sess_val = NULL;
1438
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)1439 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1440 int *copy)
1441 {
1442 get_called++;
1443 *copy = 1;
1444 return get_sess_val;
1445 }
1446
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache)1447 static int execute_test_session(int maxprot, int use_int_cache,
1448 int use_ext_cache)
1449 {
1450 SSL_CTX *sctx = NULL, *cctx = NULL;
1451 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1452 SSL *serverssl2 = NULL, *clientssl2 = NULL;
1453 # ifndef OPENSSL_NO_TLS1_1
1454 SSL *serverssl3 = NULL, *clientssl3 = NULL;
1455 # endif
1456 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
1457 int testresult = 0, numnewsesstick = 1;
1458
1459 new_called = remove_called = 0;
1460
1461 /* TLSv1.3 sends 2 NewSessionTickets */
1462 if (maxprot == TLS1_3_VERSION)
1463 numnewsesstick = 2;
1464
1465 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1466 TLS1_VERSION, TLS_MAX_VERSION,
1467 &sctx, &cctx, cert, privkey)))
1468 return 0;
1469
1470 /*
1471 * Only allow the max protocol version so we can force a connection failure
1472 * later
1473 */
1474 SSL_CTX_set_min_proto_version(cctx, maxprot);
1475 SSL_CTX_set_max_proto_version(cctx, maxprot);
1476
1477 /* Set up session cache */
1478 if (use_ext_cache) {
1479 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1480 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1481 }
1482 if (use_int_cache) {
1483 /* Also covers instance where both are set */
1484 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1485 } else {
1486 SSL_CTX_set_session_cache_mode(cctx,
1487 SSL_SESS_CACHE_CLIENT
1488 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1489 }
1490
1491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1492 NULL, NULL))
1493 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1494 SSL_ERROR_NONE))
1495 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
1496 goto end;
1497
1498 /* Should fail because it should already be in the cache */
1499 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
1500 goto end;
1501 if (use_ext_cache
1502 && (!TEST_int_eq(new_called, numnewsesstick)
1503
1504 || !TEST_int_eq(remove_called, 0)))
1505 goto end;
1506
1507 new_called = remove_called = 0;
1508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1509 &clientssl2, NULL, NULL))
1510 || !TEST_true(SSL_set_session(clientssl2, sess1))
1511 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1512 SSL_ERROR_NONE))
1513 || !TEST_true(SSL_session_reused(clientssl2)))
1514 goto end;
1515
1516 if (maxprot == TLS1_3_VERSION) {
1517 /*
1518 * In TLSv1.3 we should have created a new session even though we have
1519 * resumed. Since we attempted a resume we should also have removed the
1520 * old ticket from the cache so that we try to only use tickets once.
1521 */
1522 if (use_ext_cache
1523 && (!TEST_int_eq(new_called, 1)
1524 || !TEST_int_eq(remove_called, 1)))
1525 goto end;
1526 } else {
1527 /*
1528 * In TLSv1.2 we expect to have resumed so no sessions added or
1529 * removed.
1530 */
1531 if (use_ext_cache
1532 && (!TEST_int_eq(new_called, 0)
1533 || !TEST_int_eq(remove_called, 0)))
1534 goto end;
1535 }
1536
1537 SSL_SESSION_free(sess1);
1538 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1539 goto end;
1540 shutdown_ssl_connection(serverssl2, clientssl2);
1541 serverssl2 = clientssl2 = NULL;
1542
1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1547 SSL_ERROR_NONE)))
1548 goto end;
1549
1550 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
1551 goto end;
1552
1553 if (use_ext_cache
1554 && (!TEST_int_eq(new_called, numnewsesstick)
1555 || !TEST_int_eq(remove_called, 0)))
1556 goto end;
1557
1558 new_called = remove_called = 0;
1559 /*
1560 * This should clear sess2 from the cache because it is a "bad" session.
1561 * See SSL_set_session() documentation.
1562 */
1563 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
1564 goto end;
1565 if (use_ext_cache
1566 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1567 goto end;
1568 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
1569 goto end;
1570
1571 if (use_int_cache) {
1572 /* Should succeeded because it should not already be in the cache */
1573 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1574 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
1575 goto end;
1576 }
1577
1578 new_called = remove_called = 0;
1579 /* This shouldn't be in the cache so should fail */
1580 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
1581 goto end;
1582
1583 if (use_ext_cache
1584 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1585 goto end;
1586
1587 # if !defined(OPENSSL_NO_TLS1_1)
1588 new_called = remove_called = 0;
1589 /* Force a connection failure */
1590 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
1591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1592 &clientssl3, NULL, NULL))
1593 || !TEST_true(SSL_set_session(clientssl3, sess1))
1594 /* This should fail because of the mismatched protocol versions */
1595 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1596 SSL_ERROR_NONE)))
1597 goto end;
1598
1599 /* We should have automatically removed the session from the cache */
1600 if (use_ext_cache
1601 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
1602 goto end;
1603
1604 /* Should succeed because it should not already be in the cache */
1605 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
1606 goto end;
1607 # endif
1608
1609 /* Now do some tests for server side caching */
1610 if (use_ext_cache) {
1611 SSL_CTX_sess_set_new_cb(cctx, NULL);
1612 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1613 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1614 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1615 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1616 get_sess_val = NULL;
1617 }
1618
1619 SSL_CTX_set_session_cache_mode(cctx, 0);
1620 /* Internal caching is the default on the server side */
1621 if (!use_int_cache)
1622 SSL_CTX_set_session_cache_mode(sctx,
1623 SSL_SESS_CACHE_SERVER
1624 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1625
1626 SSL_free(serverssl1);
1627 SSL_free(clientssl1);
1628 serverssl1 = clientssl1 = NULL;
1629 SSL_free(serverssl2);
1630 SSL_free(clientssl2);
1631 serverssl2 = clientssl2 = NULL;
1632 SSL_SESSION_free(sess1);
1633 sess1 = NULL;
1634 SSL_SESSION_free(sess2);
1635 sess2 = NULL;
1636
1637 SSL_CTX_set_max_proto_version(sctx, maxprot);
1638 if (maxprot == TLS1_2_VERSION)
1639 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1640 new_called = remove_called = get_called = 0;
1641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1642 NULL, NULL))
1643 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1644 SSL_ERROR_NONE))
1645 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1646 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1647 goto end;
1648
1649 if (use_int_cache) {
1650 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1651 /*
1652 * In TLSv1.3 it should not have been added to the internal cache,
1653 * except in the case where we also have an external cache (in that
1654 * case it gets added to the cache in order to generate remove
1655 * events after timeout).
1656 */
1657 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1658 goto end;
1659 } else {
1660 /* Should fail because it should already be in the cache */
1661 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1662 goto end;
1663 }
1664 }
1665
1666 if (use_ext_cache) {
1667 SSL_SESSION *tmp = sess2;
1668
1669 if (!TEST_int_eq(new_called, numnewsesstick)
1670 || !TEST_int_eq(remove_called, 0)
1671 || !TEST_int_eq(get_called, 0))
1672 goto end;
1673 /*
1674 * Delete the session from the internal cache to force a lookup from
1675 * the external cache. We take a copy first because
1676 * SSL_CTX_remove_session() also marks the session as non-resumable.
1677 */
1678 if (use_int_cache && maxprot != TLS1_3_VERSION) {
1679 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1680 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1681 goto end;
1682 SSL_SESSION_free(sess2);
1683 }
1684 sess2 = tmp;
1685 }
1686
1687 new_called = remove_called = get_called = 0;
1688 get_sess_val = sess2;
1689 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1690 &clientssl2, NULL, NULL))
1691 || !TEST_true(SSL_set_session(clientssl2, sess1))
1692 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1693 SSL_ERROR_NONE))
1694 || !TEST_true(SSL_session_reused(clientssl2)))
1695 goto end;
1696
1697 if (use_ext_cache) {
1698 if (!TEST_int_eq(remove_called, 0))
1699 goto end;
1700
1701 if (maxprot == TLS1_3_VERSION) {
1702 if (!TEST_int_eq(new_called, 1)
1703 || !TEST_int_eq(get_called, 0))
1704 goto end;
1705 } else {
1706 if (!TEST_int_eq(new_called, 0)
1707 || !TEST_int_eq(get_called, 1))
1708 goto end;
1709 }
1710 }
1711
1712 testresult = 1;
1713
1714 end:
1715 SSL_free(serverssl1);
1716 SSL_free(clientssl1);
1717 SSL_free(serverssl2);
1718 SSL_free(clientssl2);
1719 # ifndef OPENSSL_NO_TLS1_1
1720 SSL_free(serverssl3);
1721 SSL_free(clientssl3);
1722 # endif
1723 SSL_SESSION_free(sess1);
1724 SSL_SESSION_free(sess2);
1725 SSL_CTX_free(sctx);
1726 SSL_CTX_free(cctx);
1727
1728 return testresult;
1729 }
1730 #endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
1731
test_session_with_only_int_cache(void)1732 static int test_session_with_only_int_cache(void)
1733 {
1734 #ifndef OPENSSL_NO_TLS1_3
1735 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1736 return 0;
1737 #endif
1738
1739 #ifndef OPENSSL_NO_TLS1_2
1740 return execute_test_session(TLS1_2_VERSION, 1, 0);
1741 #else
1742 return 1;
1743 #endif
1744 }
1745
test_session_with_only_ext_cache(void)1746 static int test_session_with_only_ext_cache(void)
1747 {
1748 #ifndef OPENSSL_NO_TLS1_3
1749 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1750 return 0;
1751 #endif
1752
1753 #ifndef OPENSSL_NO_TLS1_2
1754 return execute_test_session(TLS1_2_VERSION, 0, 1);
1755 #else
1756 return 1;
1757 #endif
1758 }
1759
test_session_with_both_cache(void)1760 static int test_session_with_both_cache(void)
1761 {
1762 #ifndef OPENSSL_NO_TLS1_3
1763 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1764 return 0;
1765 #endif
1766
1767 #ifndef OPENSSL_NO_TLS1_2
1768 return execute_test_session(TLS1_2_VERSION, 1, 1);
1769 #else
1770 return 1;
1771 #endif
1772 }
1773
1774 #ifndef OPENSSL_NO_TLS1_3
1775 static SSL_SESSION *sesscache[6];
1776 static int do_cache;
1777
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)1778 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1779 {
1780 if (do_cache) {
1781 sesscache[new_called] = sess;
1782 } else {
1783 /* We don't need the reference to the session, so free it */
1784 SSL_SESSION_free(sess);
1785 }
1786 new_called++;
1787
1788 return 1;
1789 }
1790
post_handshake_verify(SSL * sssl,SSL * cssl)1791 static int post_handshake_verify(SSL *sssl, SSL *cssl)
1792 {
1793 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1794 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1795 return 0;
1796
1797 /* Start handshake on the server and client */
1798 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1799 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1800 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1801 || !TEST_true(create_ssl_connection(sssl, cssl,
1802 SSL_ERROR_NONE)))
1803 return 0;
1804
1805 return 1;
1806 }
1807
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)1808 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
1809 SSL_CTX **cctx)
1810 {
1811 int sess_id_ctx = 1;
1812
1813 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1814 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1815 cctx, cert, privkey))
1816 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1817 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1818 (void *)&sess_id_ctx,
1819 sizeof(sess_id_ctx))))
1820 return 0;
1821
1822 if (stateful)
1823 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1824
1825 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1826 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1827 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1828
1829 return 1;
1830 }
1831
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)1832 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1833 {
1834 SSL *serverssl = NULL, *clientssl = NULL;
1835 int i;
1836
1837 /* Test that we can resume with all the tickets we got given */
1838 for (i = 0; i < idx * 2; i++) {
1839 new_called = 0;
1840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1841 &clientssl, NULL, NULL))
1842 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1843 goto end;
1844
1845 SSL_set_post_handshake_auth(clientssl, 1);
1846
1847 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1848 SSL_ERROR_NONE)))
1849 goto end;
1850
1851 /*
1852 * Following a successful resumption we only get 1 ticket. After a
1853 * failed one we should get idx tickets.
1854 */
1855 if (succ) {
1856 if (!TEST_true(SSL_session_reused(clientssl))
1857 || !TEST_int_eq(new_called, 1))
1858 goto end;
1859 } else {
1860 if (!TEST_false(SSL_session_reused(clientssl))
1861 || !TEST_int_eq(new_called, idx))
1862 goto end;
1863 }
1864
1865 new_called = 0;
1866 /* After a post-handshake authentication we should get 1 new ticket */
1867 if (succ
1868 && (!post_handshake_verify(serverssl, clientssl)
1869 || !TEST_int_eq(new_called, 1)))
1870 goto end;
1871
1872 SSL_shutdown(clientssl);
1873 SSL_shutdown(serverssl);
1874 SSL_free(serverssl);
1875 SSL_free(clientssl);
1876 serverssl = clientssl = NULL;
1877 SSL_SESSION_free(sesscache[i]);
1878 sesscache[i] = NULL;
1879 }
1880
1881 return 1;
1882
1883 end:
1884 SSL_free(clientssl);
1885 SSL_free(serverssl);
1886 return 0;
1887 }
1888
test_tickets(int stateful,int idx)1889 static int test_tickets(int stateful, int idx)
1890 {
1891 SSL_CTX *sctx = NULL, *cctx = NULL;
1892 SSL *serverssl = NULL, *clientssl = NULL;
1893 int testresult = 0;
1894 size_t j;
1895
1896 /* idx is the test number, but also the number of tickets we want */
1897
1898 new_called = 0;
1899 do_cache = 1;
1900
1901 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1902 goto end;
1903
1904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1905 &clientssl, NULL, NULL)))
1906 goto end;
1907
1908 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1909 SSL_ERROR_NONE))
1910 /* Check we got the number of tickets we were expecting */
1911 || !TEST_int_eq(idx, new_called))
1912 goto end;
1913
1914 SSL_shutdown(clientssl);
1915 SSL_shutdown(serverssl);
1916 SSL_free(serverssl);
1917 SSL_free(clientssl);
1918 SSL_CTX_free(sctx);
1919 SSL_CTX_free(cctx);
1920 clientssl = serverssl = NULL;
1921 sctx = cctx = NULL;
1922
1923 /*
1924 * Now we try to resume with the tickets we previously created. The
1925 * resumption attempt is expected to fail (because we're now using a new
1926 * SSL_CTX). We should see idx number of tickets issued again.
1927 */
1928
1929 /* Stop caching sessions - just count them */
1930 do_cache = 0;
1931
1932 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1933 goto end;
1934
1935 if (!check_resumption(idx, sctx, cctx, 0))
1936 goto end;
1937
1938 /* Start again with caching sessions */
1939 new_called = 0;
1940 do_cache = 1;
1941 SSL_CTX_free(sctx);
1942 SSL_CTX_free(cctx);
1943 sctx = cctx = NULL;
1944
1945 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
1946 goto end;
1947
1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1949 &clientssl, NULL, NULL)))
1950 goto end;
1951
1952 SSL_set_post_handshake_auth(clientssl, 1);
1953
1954 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1955 SSL_ERROR_NONE))
1956 /* Check we got the number of tickets we were expecting */
1957 || !TEST_int_eq(idx, new_called))
1958 goto end;
1959
1960 /* After a post-handshake authentication we should get new tickets issued */
1961 if (!post_handshake_verify(serverssl, clientssl)
1962 || !TEST_int_eq(idx * 2, new_called))
1963 goto end;
1964
1965 SSL_shutdown(clientssl);
1966 SSL_shutdown(serverssl);
1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = clientssl = NULL;
1970
1971 /* Stop caching sessions - just count them */
1972 do_cache = 0;
1973
1974 /*
1975 * Check we can resume with all the tickets we created. This time around the
1976 * resumptions should all be successful.
1977 */
1978 if (!check_resumption(idx, sctx, cctx, 1))
1979 goto end;
1980
1981 testresult = 1;
1982
1983 end:
1984 SSL_free(serverssl);
1985 SSL_free(clientssl);
1986 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
1987 SSL_SESSION_free(sesscache[j]);
1988 sesscache[j] = NULL;
1989 }
1990 SSL_CTX_free(sctx);
1991 SSL_CTX_free(cctx);
1992
1993 return testresult;
1994 }
1995
test_stateless_tickets(int idx)1996 static int test_stateless_tickets(int idx)
1997 {
1998 return test_tickets(0, idx);
1999 }
2000
test_stateful_tickets(int idx)2001 static int test_stateful_tickets(int idx)
2002 {
2003 return test_tickets(1, idx);
2004 }
2005
test_psk_tickets(void)2006 static int test_psk_tickets(void)
2007 {
2008 SSL_CTX *sctx = NULL, *cctx = NULL;
2009 SSL *serverssl = NULL, *clientssl = NULL;
2010 int testresult = 0;
2011 int sess_id_ctx = 1;
2012
2013 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2014 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2015 &cctx, NULL, NULL))
2016 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2017 (void *)&sess_id_ctx,
2018 sizeof(sess_id_ctx))))
2019 goto end;
2020
2021 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2022 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2023 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2024 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2025 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2026 use_session_cb_cnt = 0;
2027 find_session_cb_cnt = 0;
2028 srvid = pskid;
2029 new_called = 0;
2030
2031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2032 NULL, NULL)))
2033 goto end;
2034 clientpsk = serverpsk = create_a_psk(clientssl);
2035 if (!TEST_ptr(clientpsk))
2036 goto end;
2037 SSL_SESSION_up_ref(clientpsk);
2038
2039 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2040 SSL_ERROR_NONE))
2041 || !TEST_int_eq(1, find_session_cb_cnt)
2042 || !TEST_int_eq(1, use_session_cb_cnt)
2043 /* We should always get 1 ticket when using external PSK */
2044 || !TEST_int_eq(1, new_called))
2045 goto end;
2046
2047 testresult = 1;
2048
2049 end:
2050 SSL_free(serverssl);
2051 SSL_free(clientssl);
2052 SSL_CTX_free(sctx);
2053 SSL_CTX_free(cctx);
2054 SSL_SESSION_free(clientpsk);
2055 SSL_SESSION_free(serverpsk);
2056 clientpsk = serverpsk = NULL;
2057
2058 return testresult;
2059 }
2060 #endif
2061
2062 #define USE_NULL 0
2063 #define USE_BIO_1 1
2064 #define USE_BIO_2 2
2065 #define USE_DEFAULT 3
2066
2067 #define CONNTYPE_CONNECTION_SUCCESS 0
2068 #define CONNTYPE_CONNECTION_FAIL 1
2069 #define CONNTYPE_NO_CONNECTION 2
2070
2071 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2072 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2073 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2074 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2075 #else
2076 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2077 #endif
2078
2079 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2080 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2081 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2082
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2083 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2084 {
2085 switch (type) {
2086 case USE_NULL:
2087 *res = NULL;
2088 break;
2089 case USE_BIO_1:
2090 *res = bio1;
2091 break;
2092 case USE_BIO_2:
2093 *res = bio2;
2094 break;
2095 }
2096 }
2097
2098
2099 /*
2100 * Tests calls to SSL_set_bio() under various conditions.
2101 *
2102 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2103 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2104 * then do more tests where we create a successful connection first using our
2105 * standard connection setup functions, and then call SSL_set_bio() with
2106 * various combinations of valid BIOs or NULL. We then repeat these tests
2107 * following a failed connection. In this last case we are looking to check that
2108 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2109 */
test_ssl_set_bio(int idx)2110 static int test_ssl_set_bio(int idx)
2111 {
2112 SSL_CTX *sctx = NULL, *cctx = NULL;
2113 BIO *bio1 = NULL;
2114 BIO *bio2 = NULL;
2115 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2116 SSL *serverssl = NULL, *clientssl = NULL;
2117 int initrbio, initwbio, newrbio, newwbio, conntype;
2118 int testresult = 0;
2119
2120 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2121 initrbio = idx % 3;
2122 idx /= 3;
2123 initwbio = idx % 3;
2124 idx /= 3;
2125 newrbio = idx % 3;
2126 idx /= 3;
2127 newwbio = idx % 3;
2128 conntype = CONNTYPE_NO_CONNECTION;
2129 } else {
2130 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2131 initrbio = initwbio = USE_DEFAULT;
2132 newrbio = idx % 2;
2133 idx /= 2;
2134 newwbio = idx % 2;
2135 idx /= 2;
2136 conntype = idx % 2;
2137 }
2138
2139 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2140 TLS1_VERSION, TLS_MAX_VERSION,
2141 &sctx, &cctx, cert, privkey)))
2142 goto end;
2143
2144 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2145 /*
2146 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2147 * because we reduced the number of tests in the definition of
2148 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2149 * mismatched protocol versions we will force a connection failure.
2150 */
2151 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2152 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2153 }
2154
2155 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2156 NULL, NULL)))
2157 goto end;
2158
2159 if (initrbio == USE_BIO_1
2160 || initwbio == USE_BIO_1
2161 || newrbio == USE_BIO_1
2162 || newwbio == USE_BIO_1) {
2163 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2164 goto end;
2165 }
2166
2167 if (initrbio == USE_BIO_2
2168 || initwbio == USE_BIO_2
2169 || newrbio == USE_BIO_2
2170 || newwbio == USE_BIO_2) {
2171 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2172 goto end;
2173 }
2174
2175 if (initrbio != USE_DEFAULT) {
2176 setupbio(&irbio, bio1, bio2, initrbio);
2177 setupbio(&iwbio, bio1, bio2, initwbio);
2178 SSL_set_bio(clientssl, irbio, iwbio);
2179
2180 /*
2181 * We want to maintain our own refs to these BIO, so do an up ref for
2182 * each BIO that will have ownership transferred in the SSL_set_bio()
2183 * call
2184 */
2185 if (irbio != NULL)
2186 BIO_up_ref(irbio);
2187 if (iwbio != NULL && iwbio != irbio)
2188 BIO_up_ref(iwbio);
2189 }
2190
2191 if (conntype != CONNTYPE_NO_CONNECTION
2192 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2193 SSL_ERROR_NONE)
2194 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2195 goto end;
2196
2197 setupbio(&nrbio, bio1, bio2, newrbio);
2198 setupbio(&nwbio, bio1, bio2, newwbio);
2199
2200 /*
2201 * We will (maybe) transfer ownership again so do more up refs.
2202 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2203 * already been set!
2204 */
2205 if (nrbio != NULL
2206 && nrbio != irbio
2207 && (nwbio != iwbio || nrbio != nwbio))
2208 BIO_up_ref(nrbio);
2209 if (nwbio != NULL
2210 && nwbio != nrbio
2211 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
2212 BIO_up_ref(nwbio);
2213
2214 SSL_set_bio(clientssl, nrbio, nwbio);
2215
2216 testresult = 1;
2217
2218 end:
2219 BIO_free(bio1);
2220 BIO_free(bio2);
2221
2222 /*
2223 * This test is checking that the ref counting for SSL_set_bio is correct.
2224 * If we get here and we did too many frees then we will fail in the above
2225 * functions. If we haven't done enough then this will only be detected in
2226 * a crypto-mdebug build
2227 */
2228 SSL_free(serverssl);
2229 SSL_free(clientssl);
2230 SSL_CTX_free(sctx);
2231 SSL_CTX_free(cctx);
2232 return testresult;
2233 }
2234
2235 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
2236
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)2237 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
2238 {
2239 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
2240 SSL_CTX *ctx;
2241 SSL *ssl = NULL;
2242 int testresult = 0;
2243
2244 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2245 || !TEST_ptr(ssl = SSL_new(ctx))
2246 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2247 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
2248 goto end;
2249
2250 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2251
2252 /*
2253 * If anything goes wrong here then we could leak memory, so this will
2254 * be caught in a crypto-mdebug build
2255 */
2256 BIO_push(sslbio, membio1);
2257
2258 /* Verify changing the rbio/wbio directly does not cause leaks */
2259 if (change_bio != NO_BIO_CHANGE) {
2260 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2261 ssl = NULL;
2262 goto end;
2263 }
2264 if (change_bio == CHANGE_RBIO)
2265 SSL_set0_rbio(ssl, membio2);
2266 else
2267 SSL_set0_wbio(ssl, membio2);
2268 }
2269 ssl = NULL;
2270
2271 if (pop_ssl)
2272 BIO_pop(sslbio);
2273 else
2274 BIO_pop(membio1);
2275
2276 testresult = 1;
2277 end:
2278 BIO_free(membio1);
2279 BIO_free(sslbio);
2280 SSL_free(ssl);
2281 SSL_CTX_free(ctx);
2282
2283 return testresult;
2284 }
2285
test_ssl_bio_pop_next_bio(void)2286 static int test_ssl_bio_pop_next_bio(void)
2287 {
2288 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
2289 }
2290
test_ssl_bio_pop_ssl_bio(void)2291 static int test_ssl_bio_pop_ssl_bio(void)
2292 {
2293 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
2294 }
2295
test_ssl_bio_change_rbio(void)2296 static int test_ssl_bio_change_rbio(void)
2297 {
2298 return execute_test_ssl_bio(0, CHANGE_RBIO);
2299 }
2300
test_ssl_bio_change_wbio(void)2301 static int test_ssl_bio_change_wbio(void)
2302 {
2303 return execute_test_ssl_bio(0, CHANGE_WBIO);
2304 }
2305
2306 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
2307 typedef struct {
2308 /* The list of sig algs */
2309 const int *list;
2310 /* The length of the list */
2311 size_t listlen;
2312 /* A sigalgs list in string format */
2313 const char *liststr;
2314 /* Whether setting the list should succeed */
2315 int valid;
2316 /* Whether creating a connection with the list should succeed */
2317 int connsuccess;
2318 } sigalgs_list;
2319
2320 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
2321 # ifndef OPENSSL_NO_EC
2322 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2323 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
2324 # endif
2325 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2326 static const int invalidlist2[] = {NID_sha256, NID_undef};
2327 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2328 static const int invalidlist4[] = {NID_sha256};
2329 static const sigalgs_list testsigalgs[] = {
2330 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
2331 # ifndef OPENSSL_NO_EC
2332 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2333 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
2334 # endif
2335 {NULL, 0, "RSA+SHA256", 1, 1},
2336 # ifndef OPENSSL_NO_EC
2337 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2338 {NULL, 0, "ECDSA+SHA512", 1, 0},
2339 # endif
2340 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2341 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2342 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2343 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2344 {NULL, 0, "RSA", 0, 0},
2345 {NULL, 0, "SHA256", 0, 0},
2346 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
2347 {NULL, 0, "Invalid", 0, 0}
2348 };
2349
test_set_sigalgs(int idx)2350 static int test_set_sigalgs(int idx)
2351 {
2352 SSL_CTX *cctx = NULL, *sctx = NULL;
2353 SSL *clientssl = NULL, *serverssl = NULL;
2354 int testresult = 0;
2355 const sigalgs_list *curr;
2356 int testctx;
2357
2358 /* Should never happen */
2359 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
2360 return 0;
2361
2362 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2363 curr = testctx ? &testsigalgs[idx]
2364 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2365
2366 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2367 TLS1_VERSION, TLS_MAX_VERSION,
2368 &sctx, &cctx, cert, privkey)))
2369 return 0;
2370
2371 /*
2372 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2373 * for TLSv1.2 for now until we add a new API.
2374 */
2375 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2376
2377 if (testctx) {
2378 int ret;
2379
2380 if (curr->list != NULL)
2381 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2382 else
2383 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2384
2385 if (!ret) {
2386 if (curr->valid)
2387 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
2388 else
2389 testresult = 1;
2390 goto end;
2391 }
2392 if (!curr->valid) {
2393 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
2394 goto end;
2395 }
2396 }
2397
2398 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2399 &clientssl, NULL, NULL)))
2400 goto end;
2401
2402 if (!testctx) {
2403 int ret;
2404
2405 if (curr->list != NULL)
2406 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2407 else
2408 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2409 if (!ret) {
2410 if (curr->valid)
2411 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
2412 else
2413 testresult = 1;
2414 goto end;
2415 }
2416 if (!curr->valid)
2417 goto end;
2418 }
2419
2420 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2421 SSL_ERROR_NONE),
2422 curr->connsuccess))
2423 goto end;
2424
2425 testresult = 1;
2426
2427 end:
2428 SSL_free(serverssl);
2429 SSL_free(clientssl);
2430 SSL_CTX_free(sctx);
2431 SSL_CTX_free(cctx);
2432
2433 return testresult;
2434 }
2435 #endif
2436
2437 #ifndef OPENSSL_NO_TLS1_3
2438 static int psk_client_cb_cnt = 0;
2439 static int psk_server_cb_cnt = 0;
2440
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)2441 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2442 size_t *idlen, SSL_SESSION **sess)
2443 {
2444 switch (++use_session_cb_cnt) {
2445 case 1:
2446 /* The first call should always have a NULL md */
2447 if (md != NULL)
2448 return 0;
2449 break;
2450
2451 case 2:
2452 /* The second call should always have an md */
2453 if (md == NULL)
2454 return 0;
2455 break;
2456
2457 default:
2458 /* We should only be called a maximum of twice */
2459 return 0;
2460 }
2461
2462 if (clientpsk != NULL)
2463 SSL_SESSION_up_ref(clientpsk);
2464
2465 *sess = clientpsk;
2466 *id = (const unsigned char *)pskid;
2467 *idlen = strlen(pskid);
2468
2469 return 1;
2470 }
2471
2472 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)2473 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2474 unsigned int max_id_len,
2475 unsigned char *psk,
2476 unsigned int max_psk_len)
2477 {
2478 unsigned int psklen = 0;
2479
2480 psk_client_cb_cnt++;
2481
2482 if (strlen(pskid) + 1 > max_id_len)
2483 return 0;
2484
2485 /* We should only ever be called a maximum of twice per connection */
2486 if (psk_client_cb_cnt > 2)
2487 return 0;
2488
2489 if (clientpsk == NULL)
2490 return 0;
2491
2492 /* We'll reuse the PSK we set up for TLSv1.3 */
2493 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2494 return 0;
2495 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2496 strncpy(id, pskid, max_id_len);
2497
2498 return psklen;
2499 }
2500 #endif /* OPENSSL_NO_PSK */
2501
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)2502 static int find_session_cb(SSL *ssl, const unsigned char *identity,
2503 size_t identity_len, SSL_SESSION **sess)
2504 {
2505 find_session_cb_cnt++;
2506
2507 /* We should only ever be called a maximum of twice per connection */
2508 if (find_session_cb_cnt > 2)
2509 return 0;
2510
2511 if (serverpsk == NULL)
2512 return 0;
2513
2514 /* Identity should match that set by the client */
2515 if (strlen(srvid) != identity_len
2516 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2517 /* No PSK found, continue but without a PSK */
2518 *sess = NULL;
2519 return 1;
2520 }
2521
2522 SSL_SESSION_up_ref(serverpsk);
2523 *sess = serverpsk;
2524
2525 return 1;
2526 }
2527
2528 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)2529 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2530 unsigned char *psk, unsigned int max_psk_len)
2531 {
2532 unsigned int psklen = 0;
2533
2534 psk_server_cb_cnt++;
2535
2536 /* We should only ever be called a maximum of twice per connection */
2537 if (find_session_cb_cnt > 2)
2538 return 0;
2539
2540 if (serverpsk == NULL)
2541 return 0;
2542
2543 /* Identity should match that set by the client */
2544 if (strcmp(srvid, identity) != 0) {
2545 return 0;
2546 }
2547
2548 /* We'll reuse the PSK we set up for TLSv1.3 */
2549 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2550 return 0;
2551 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2552
2553 return psklen;
2554 }
2555 #endif /* OPENSSL_NO_PSK */
2556
2557 #define MSG1 "Hello"
2558 #define MSG2 "World."
2559 #define MSG3 "This"
2560 #define MSG4 "is"
2561 #define MSG5 "a"
2562 #define MSG6 "test"
2563 #define MSG7 "message."
2564
2565 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
2566 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2567 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2568 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2569 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
2570
2571
create_a_psk(SSL * ssl)2572 static SSL_SESSION *create_a_psk(SSL *ssl)
2573 {
2574 const SSL_CIPHER *cipher = NULL;
2575 const unsigned char key[] = {
2576 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2577 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2578 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2579 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2580 0x2c, 0x2d, 0x2e, 0x2f
2581 };
2582 SSL_SESSION *sess = NULL;
2583
2584 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2585 sess = SSL_SESSION_new();
2586 if (!TEST_ptr(sess)
2587 || !TEST_ptr(cipher)
2588 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2589 sizeof(key)))
2590 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2591 || !TEST_true(
2592 SSL_SESSION_set_protocol_version(sess,
2593 TLS1_3_VERSION))) {
2594 SSL_SESSION_free(sess);
2595 return NULL;
2596 }
2597 return sess;
2598 }
2599
2600 /*
2601 * Helper method to setup objects for early data test. Caller frees objects on
2602 * error.
2603 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx)2604 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
2605 SSL **serverssl, SSL_SESSION **sess, int idx)
2606 {
2607 if (*sctx == NULL
2608 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2609 TLS_client_method(),
2610 TLS1_VERSION, TLS_MAX_VERSION,
2611 sctx, cctx, cert, privkey)))
2612 return 0;
2613
2614 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
2615 return 0;
2616
2617 if (idx == 1) {
2618 /* When idx == 1 we repeat the tests with read_ahead set */
2619 SSL_CTX_set_read_ahead(*cctx, 1);
2620 SSL_CTX_set_read_ahead(*sctx, 1);
2621 } else if (idx == 2) {
2622 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2623 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2624 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2625 use_session_cb_cnt = 0;
2626 find_session_cb_cnt = 0;
2627 srvid = pskid;
2628 }
2629
2630 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
2631 NULL, NULL)))
2632 return 0;
2633
2634 /*
2635 * For one of the run throughs (doesn't matter which one), we'll try sending
2636 * some SNI data in the initial ClientHello. This will be ignored (because
2637 * there is no SNI cb set up by the server), so it should not impact
2638 * early_data.
2639 */
2640 if (idx == 1
2641 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2642 return 0;
2643
2644 if (idx == 2) {
2645 clientpsk = create_a_psk(*clientssl);
2646 if (!TEST_ptr(clientpsk)
2647 /*
2648 * We just choose an arbitrary value for max_early_data which
2649 * should be big enough for testing purposes.
2650 */
2651 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2652 0x100))
2653 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2654 SSL_SESSION_free(clientpsk);
2655 clientpsk = NULL;
2656 return 0;
2657 }
2658 serverpsk = clientpsk;
2659
2660 if (sess != NULL) {
2661 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2662 SSL_SESSION_free(clientpsk);
2663 SSL_SESSION_free(serverpsk);
2664 clientpsk = serverpsk = NULL;
2665 return 0;
2666 }
2667 *sess = clientpsk;
2668 }
2669 return 1;
2670 }
2671
2672 if (sess == NULL)
2673 return 1;
2674
2675 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2676 SSL_ERROR_NONE)))
2677 return 0;
2678
2679 *sess = SSL_get1_session(*clientssl);
2680 SSL_shutdown(*clientssl);
2681 SSL_shutdown(*serverssl);
2682 SSL_free(*serverssl);
2683 SSL_free(*clientssl);
2684 *serverssl = *clientssl = NULL;
2685
2686 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2687 clientssl, NULL, NULL))
2688 || !TEST_true(SSL_set_session(*clientssl, *sess)))
2689 return 0;
2690
2691 return 1;
2692 }
2693
test_early_data_read_write(int idx)2694 static int test_early_data_read_write(int idx)
2695 {
2696 SSL_CTX *cctx = NULL, *sctx = NULL;
2697 SSL *clientssl = NULL, *serverssl = NULL;
2698 int testresult = 0;
2699 SSL_SESSION *sess = NULL;
2700 unsigned char buf[20], data[1024];
2701 size_t readbytes, written, eoedlen, rawread, rawwritten;
2702 BIO *rbio;
2703
2704 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2705 &serverssl, &sess, idx)))
2706 goto end;
2707
2708 /* Write and read some early data */
2709 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2710 &written))
2711 || !TEST_size_t_eq(written, strlen(MSG1))
2712 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2713 sizeof(buf), &readbytes),
2714 SSL_READ_EARLY_DATA_SUCCESS)
2715 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2716 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2717 SSL_EARLY_DATA_ACCEPTED))
2718 goto end;
2719
2720 /*
2721 * Server should be able to write data, and client should be able to
2722 * read it.
2723 */
2724 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2725 &written))
2726 || !TEST_size_t_eq(written, strlen(MSG2))
2727 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2728 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
2729 goto end;
2730
2731 /* Even after reading normal data, client should be able write early data */
2732 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2733 &written))
2734 || !TEST_size_t_eq(written, strlen(MSG3)))
2735 goto end;
2736
2737 /* Server should still be able read early data after writing data */
2738 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2739 &readbytes),
2740 SSL_READ_EARLY_DATA_SUCCESS)
2741 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
2742 goto end;
2743
2744 /* Write more data from server and read it from client */
2745 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2746 &written))
2747 || !TEST_size_t_eq(written, strlen(MSG4))
2748 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2749 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
2750 goto end;
2751
2752 /*
2753 * If client writes normal data it should mean writing early data is no
2754 * longer possible.
2755 */
2756 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2757 || !TEST_size_t_eq(written, strlen(MSG5))
2758 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2759 SSL_EARLY_DATA_ACCEPTED))
2760 goto end;
2761
2762 /*
2763 * At this point the client has written EndOfEarlyData, ClientFinished and
2764 * normal (fully protected) data. We are going to cause a delay between the
2765 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2766 * in the read BIO, and then just put back the EndOfEarlyData message.
2767 */
2768 rbio = SSL_get_rbio(serverssl);
2769 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2770 || !TEST_size_t_lt(rawread, sizeof(data))
2771 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
2772 goto end;
2773
2774 /* Record length is in the 4th and 5th bytes of the record header */
2775 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
2776 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2777 || !TEST_size_t_eq(rawwritten, eoedlen))
2778 goto end;
2779
2780 /* Server should be told that there is no more early data */
2781 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2782 &readbytes),
2783 SSL_READ_EARLY_DATA_FINISH)
2784 || !TEST_size_t_eq(readbytes, 0))
2785 goto end;
2786
2787 /*
2788 * Server has not finished init yet, so should still be able to write early
2789 * data.
2790 */
2791 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2792 &written))
2793 || !TEST_size_t_eq(written, strlen(MSG6)))
2794 goto end;
2795
2796 /* Push the ClientFinished and the normal data back into the server rbio */
2797 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2798 &rawwritten))
2799 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
2800 goto end;
2801
2802 /* Server should be able to read normal data */
2803 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2804 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2805 goto end;
2806
2807 /* Client and server should not be able to write/read early data now */
2808 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2809 &written)))
2810 goto end;
2811 ERR_clear_error();
2812 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2813 &readbytes),
2814 SSL_READ_EARLY_DATA_ERROR))
2815 goto end;
2816 ERR_clear_error();
2817
2818 /* Client should be able to read the data sent by the server */
2819 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2820 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
2821 goto end;
2822
2823 /*
2824 * Make sure we process the two NewSessionTickets. These arrive
2825 * post-handshake. We attempt reads which we do not expect to return any
2826 * data.
2827 */
2828 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2829 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2830 &readbytes)))
2831 goto end;
2832
2833 /* Server should be able to write normal data */
2834 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2835 || !TEST_size_t_eq(written, strlen(MSG7))
2836 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2837 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
2838 goto end;
2839
2840 SSL_SESSION_free(sess);
2841 sess = SSL_get1_session(clientssl);
2842 use_session_cb_cnt = 0;
2843 find_session_cb_cnt = 0;
2844
2845 SSL_shutdown(clientssl);
2846 SSL_shutdown(serverssl);
2847 SSL_free(serverssl);
2848 SSL_free(clientssl);
2849 serverssl = clientssl = NULL;
2850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2851 &clientssl, NULL, NULL))
2852 || !TEST_true(SSL_set_session(clientssl, sess)))
2853 goto end;
2854
2855 /* Write and read some early data */
2856 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2857 &written))
2858 || !TEST_size_t_eq(written, strlen(MSG1))
2859 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2860 &readbytes),
2861 SSL_READ_EARLY_DATA_SUCCESS)
2862 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
2863 goto end;
2864
2865 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2866 || !TEST_int_gt(SSL_accept(serverssl), 0))
2867 goto end;
2868
2869 /* Client and server should not be able to write/read early data now */
2870 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2871 &written)))
2872 goto end;
2873 ERR_clear_error();
2874 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2875 &readbytes),
2876 SSL_READ_EARLY_DATA_ERROR))
2877 goto end;
2878 ERR_clear_error();
2879
2880 /* Client and server should be able to write/read normal data */
2881 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2882 || !TEST_size_t_eq(written, strlen(MSG5))
2883 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2884 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
2885 goto end;
2886
2887 testresult = 1;
2888
2889 end:
2890 SSL_SESSION_free(sess);
2891 SSL_SESSION_free(clientpsk);
2892 SSL_SESSION_free(serverpsk);
2893 clientpsk = serverpsk = NULL;
2894 SSL_free(serverssl);
2895 SSL_free(clientssl);
2896 SSL_CTX_free(sctx);
2897 SSL_CTX_free(cctx);
2898 return testresult;
2899 }
2900
2901 static int allow_ed_cb_called = 0;
2902
allow_early_data_cb(SSL * s,void * arg)2903 static int allow_early_data_cb(SSL *s, void *arg)
2904 {
2905 int *usecb = (int *)arg;
2906
2907 allow_ed_cb_called++;
2908
2909 if (*usecb == 1)
2910 return 0;
2911
2912 return 1;
2913 }
2914
2915 /*
2916 * idx == 0: Standard early_data setup
2917 * idx == 1: early_data setup using read_ahead
2918 * usecb == 0: Don't use a custom early data callback
2919 * usecb == 1: Use a custom early data callback and reject the early data
2920 * usecb == 2: Use a custom early data callback and accept the early data
2921 * confopt == 0: Configure anti-replay directly
2922 * confopt == 1: Configure anti-replay using SSL_CONF
2923 */
test_early_data_replay_int(int idx,int usecb,int confopt)2924 static int test_early_data_replay_int(int idx, int usecb, int confopt)
2925 {
2926 SSL_CTX *cctx = NULL, *sctx = NULL;
2927 SSL *clientssl = NULL, *serverssl = NULL;
2928 int testresult = 0;
2929 SSL_SESSION *sess = NULL;
2930 size_t readbytes, written;
2931 unsigned char buf[20];
2932
2933 allow_ed_cb_called = 0;
2934
2935 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2936 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2937 &cctx, cert, privkey)))
2938 return 0;
2939
2940 if (usecb > 0) {
2941 if (confopt == 0) {
2942 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2943 } else {
2944 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2945
2946 if (!TEST_ptr(confctx))
2947 goto end;
2948 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2949 | SSL_CONF_FLAG_SERVER);
2950 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2951 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2952 2)) {
2953 SSL_CONF_CTX_free(confctx);
2954 goto end;
2955 }
2956 SSL_CONF_CTX_free(confctx);
2957 }
2958 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2959 }
2960
2961 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2962 &serverssl, &sess, idx)))
2963 goto end;
2964
2965 /*
2966 * The server is configured to accept early data. Create a connection to
2967 * "use up" the ticket
2968 */
2969 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2970 || !TEST_true(SSL_session_reused(clientssl)))
2971 goto end;
2972
2973 SSL_shutdown(clientssl);
2974 SSL_shutdown(serverssl);
2975 SSL_free(serverssl);
2976 SSL_free(clientssl);
2977 serverssl = clientssl = NULL;
2978
2979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2980 &clientssl, NULL, NULL))
2981 || !TEST_true(SSL_set_session(clientssl, sess)))
2982 goto end;
2983
2984 /* Write and read some early data */
2985 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2986 &written))
2987 || !TEST_size_t_eq(written, strlen(MSG1)))
2988 goto end;
2989
2990 if (usecb <= 1) {
2991 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2992 &readbytes),
2993 SSL_READ_EARLY_DATA_FINISH)
2994 /*
2995 * The ticket was reused, so the we should have rejected the
2996 * early data
2997 */
2998 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2999 SSL_EARLY_DATA_REJECTED))
3000 goto end;
3001 } else {
3002 /* In this case the callback decides to accept the early data */
3003 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3004 &readbytes),
3005 SSL_READ_EARLY_DATA_SUCCESS)
3006 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3007 /*
3008 * Server will have sent its flight so client can now send
3009 * end of early data and complete its half of the handshake
3010 */
3011 || !TEST_int_gt(SSL_connect(clientssl), 0)
3012 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3013 &readbytes),
3014 SSL_READ_EARLY_DATA_FINISH)
3015 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3016 SSL_EARLY_DATA_ACCEPTED))
3017 goto end;
3018 }
3019
3020 /* Complete the connection */
3021 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3022 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3023 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3024 goto end;
3025
3026 testresult = 1;
3027
3028 end:
3029 SSL_SESSION_free(sess);
3030 SSL_SESSION_free(clientpsk);
3031 SSL_SESSION_free(serverpsk);
3032 clientpsk = serverpsk = NULL;
3033 SSL_free(serverssl);
3034 SSL_free(clientssl);
3035 SSL_CTX_free(sctx);
3036 SSL_CTX_free(cctx);
3037 return testresult;
3038 }
3039
test_early_data_replay(int idx)3040 static int test_early_data_replay(int idx)
3041 {
3042 int ret = 1, usecb, confopt;
3043
3044 for (usecb = 0; usecb < 3; usecb++) {
3045 for (confopt = 0; confopt < 2; confopt++)
3046 ret &= test_early_data_replay_int(idx, usecb, confopt);
3047 }
3048
3049 return ret;
3050 }
3051
3052 /*
3053 * Helper function to test that a server attempting to read early data can
3054 * handle a connection from a client where the early data should be skipped.
3055 * testtype: 0 == No HRR
3056 * testtype: 1 == HRR
3057 * testtype: 2 == HRR, invalid early_data sent after HRR
3058 * testtype: 3 == recv_max_early_data set to 0
3059 */
early_data_skip_helper(int testtype,int idx)3060 static int early_data_skip_helper(int testtype, int idx)
3061 {
3062 SSL_CTX *cctx = NULL, *sctx = NULL;
3063 SSL *clientssl = NULL, *serverssl = NULL;
3064 int testresult = 0;
3065 SSL_SESSION *sess = NULL;
3066 unsigned char buf[20];
3067 size_t readbytes, written;
3068
3069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3070 &serverssl, &sess, idx)))
3071 goto end;
3072
3073 if (testtype == 1 || testtype == 2) {
3074 /* Force an HRR to occur */
3075 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3076 goto end;
3077 } else if (idx == 2) {
3078 /*
3079 * We force early_data rejection by ensuring the PSK identity is
3080 * unrecognised
3081 */
3082 srvid = "Dummy Identity";
3083 } else {
3084 /*
3085 * Deliberately corrupt the creation time. We take 20 seconds off the
3086 * time. It could be any value as long as it is not within tolerance.
3087 * This should mean the ticket is rejected.
3088 */
3089 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3090 goto end;
3091 }
3092
3093 if (testtype == 3
3094 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3095 goto end;
3096
3097 /* Write some early data */
3098 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3099 &written))
3100 || !TEST_size_t_eq(written, strlen(MSG1)))
3101 goto end;
3102
3103 /* Server should reject the early data */
3104 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3105 &readbytes),
3106 SSL_READ_EARLY_DATA_FINISH)
3107 || !TEST_size_t_eq(readbytes, 0)
3108 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3109 SSL_EARLY_DATA_REJECTED))
3110 goto end;
3111
3112 switch (testtype) {
3113 case 0:
3114 /* Nothing to do */
3115 break;
3116
3117 case 1:
3118 /*
3119 * Finish off the handshake. We perform the same writes and reads as
3120 * further down but we expect them to fail due to the incomplete
3121 * handshake.
3122 */
3123 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3124 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3125 &readbytes)))
3126 goto end;
3127 break;
3128
3129 case 2:
3130 {
3131 BIO *wbio = SSL_get_wbio(clientssl);
3132 /* A record that will appear as bad early_data */
3133 const unsigned char bad_early_data[] = {
3134 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3135 };
3136
3137 /*
3138 * We force the client to attempt a write. This will fail because
3139 * we're still in the handshake. It will cause the second
3140 * ClientHello to be sent.
3141 */
3142 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3143 &written)))
3144 goto end;
3145
3146 /*
3147 * Inject some early_data after the second ClientHello. This should
3148 * cause the server to fail
3149 */
3150 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3151 sizeof(bad_early_data), &written)))
3152 goto end;
3153 }
3154 /* fallthrough */
3155
3156 case 3:
3157 /*
3158 * This client has sent more early_data than we are willing to skip
3159 * (case 3) or sent invalid early_data (case 2) so the connection should
3160 * abort.
3161 */
3162 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3163 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3164 goto end;
3165
3166 /* Connection has failed - nothing more to do */
3167 testresult = 1;
3168 goto end;
3169
3170 default:
3171 TEST_error("Invalid test type");
3172 goto end;
3173 }
3174
3175 /*
3176 * Should be able to send normal data despite rejection of early data. The
3177 * early_data should be skipped.
3178 */
3179 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3180 || !TEST_size_t_eq(written, strlen(MSG2))
3181 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3182 SSL_EARLY_DATA_REJECTED)
3183 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3184 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3185 goto end;
3186
3187 testresult = 1;
3188
3189 end:
3190 SSL_SESSION_free(clientpsk);
3191 SSL_SESSION_free(serverpsk);
3192 clientpsk = serverpsk = NULL;
3193 SSL_SESSION_free(sess);
3194 SSL_free(serverssl);
3195 SSL_free(clientssl);
3196 SSL_CTX_free(sctx);
3197 SSL_CTX_free(cctx);
3198 return testresult;
3199 }
3200
3201 /*
3202 * Test that a server attempting to read early data can handle a connection
3203 * from a client where the early data is not acceptable.
3204 */
test_early_data_skip(int idx)3205 static int test_early_data_skip(int idx)
3206 {
3207 return early_data_skip_helper(0, idx);
3208 }
3209
3210 /*
3211 * Test that a server attempting to read early data can handle a connection
3212 * from a client where an HRR occurs.
3213 */
test_early_data_skip_hrr(int idx)3214 static int test_early_data_skip_hrr(int idx)
3215 {
3216 return early_data_skip_helper(1, idx);
3217 }
3218
3219 /*
3220 * Test that a server attempting to read early data can handle a connection
3221 * from a client where an HRR occurs and correctly fails if early_data is sent
3222 * after the HRR
3223 */
test_early_data_skip_hrr_fail(int idx)3224 static int test_early_data_skip_hrr_fail(int idx)
3225 {
3226 return early_data_skip_helper(2, idx);
3227 }
3228
3229 /*
3230 * Test that a server attempting to read early data will abort if it tries to
3231 * skip over too much.
3232 */
test_early_data_skip_abort(int idx)3233 static int test_early_data_skip_abort(int idx)
3234 {
3235 return early_data_skip_helper(3, idx);
3236 }
3237
3238 /*
3239 * Test that a server attempting to read early data can handle a connection
3240 * from a client that doesn't send any.
3241 */
test_early_data_not_sent(int idx)3242 static int test_early_data_not_sent(int idx)
3243 {
3244 SSL_CTX *cctx = NULL, *sctx = NULL;
3245 SSL *clientssl = NULL, *serverssl = NULL;
3246 int testresult = 0;
3247 SSL_SESSION *sess = NULL;
3248 unsigned char buf[20];
3249 size_t readbytes, written;
3250
3251 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3252 &serverssl, &sess, idx)))
3253 goto end;
3254
3255 /* Write some data - should block due to handshake with server */
3256 SSL_set_connect_state(clientssl);
3257 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3258 goto end;
3259
3260 /* Server should detect that early data has not been sent */
3261 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3262 &readbytes),
3263 SSL_READ_EARLY_DATA_FINISH)
3264 || !TEST_size_t_eq(readbytes, 0)
3265 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3266 SSL_EARLY_DATA_NOT_SENT)
3267 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3268 SSL_EARLY_DATA_NOT_SENT))
3269 goto end;
3270
3271 /* Continue writing the message we started earlier */
3272 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3273 || !TEST_size_t_eq(written, strlen(MSG1))
3274 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3275 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3276 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3277 || !TEST_size_t_eq(written, strlen(MSG2)))
3278 goto end;
3279
3280 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3281 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3282 goto end;
3283
3284 testresult = 1;
3285
3286 end:
3287 SSL_SESSION_free(sess);
3288 SSL_SESSION_free(clientpsk);
3289 SSL_SESSION_free(serverpsk);
3290 clientpsk = serverpsk = NULL;
3291 SSL_free(serverssl);
3292 SSL_free(clientssl);
3293 SSL_CTX_free(sctx);
3294 SSL_CTX_free(cctx);
3295 return testresult;
3296 }
3297
3298 static const char *servalpn;
3299
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)3300 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3301 unsigned char *outlen, const unsigned char *in,
3302 unsigned int inlen, void *arg)
3303 {
3304 unsigned int protlen = 0;
3305 const unsigned char *prot;
3306
3307 for (prot = in; prot < in + inlen; prot += protlen) {
3308 protlen = *prot++;
3309 if (in + inlen < prot + protlen)
3310 return SSL_TLSEXT_ERR_NOACK;
3311
3312 if (protlen == strlen(servalpn)
3313 && memcmp(prot, servalpn, protlen) == 0) {
3314 *out = prot;
3315 *outlen = protlen;
3316 return SSL_TLSEXT_ERR_OK;
3317 }
3318 }
3319
3320 return SSL_TLSEXT_ERR_NOACK;
3321 }
3322
3323 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)3324 static int test_early_data_psk(int idx)
3325 {
3326 SSL_CTX *cctx = NULL, *sctx = NULL;
3327 SSL *clientssl = NULL, *serverssl = NULL;
3328 int testresult = 0;
3329 SSL_SESSION *sess = NULL;
3330 unsigned char alpnlist[] = {
3331 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3332 'l', 'p', 'n'
3333 };
3334 #define GOODALPNLEN 9
3335 #define BADALPNLEN 8
3336 #define GOODALPN (alpnlist)
3337 #define BADALPN (alpnlist + GOODALPNLEN)
3338 int err = 0;
3339 unsigned char buf[20];
3340 size_t readbytes, written;
3341 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
3342 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3343
3344 /* We always set this up with a final parameter of "2" for PSK */
3345 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3346 &serverssl, &sess, 2)))
3347 goto end;
3348
3349 servalpn = "goodalpn";
3350
3351 /*
3352 * Note: There is no test for inconsistent SNI with late client detection.
3353 * This is because servers do not acknowledge SNI even if they are using
3354 * it in a resumption handshake - so it is not actually possible for a
3355 * client to detect a problem.
3356 */
3357 switch (idx) {
3358 case 0:
3359 /* Set inconsistent SNI (early client detection) */
3360 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3361 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3362 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3363 goto end;
3364 break;
3365
3366 case 1:
3367 /* Set inconsistent ALPN (early client detection) */
3368 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3369 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
3370 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3371 GOODALPNLEN))
3372 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3373 BADALPNLEN)))
3374 goto end;
3375 break;
3376
3377 case 2:
3378 /*
3379 * Set invalid protocol version. Technically this affects PSKs without
3380 * early_data too, but we test it here because it is similar to the
3381 * SNI/ALPN consistency tests.
3382 */
3383 err = SSL_R_BAD_PSK;
3384 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3385 goto end;
3386 break;
3387
3388 case 3:
3389 /*
3390 * Set inconsistent SNI (server side). In this case the connection
3391 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3392 * is associated with each handshake - not the session. Therefore it
3393 * should not matter that we used a different server name last time.
3394 */
3395 SSL_SESSION_free(serverpsk);
3396 serverpsk = SSL_SESSION_dup(clientpsk);
3397 if (!TEST_ptr(serverpsk)
3398 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3399 goto end;
3400 /* Fall through */
3401 case 4:
3402 /* Set consistent SNI */
3403 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3404 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3405 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3406 hostname_cb)))
3407 goto end;
3408 break;
3409
3410 case 5:
3411 /*
3412 * Set inconsistent ALPN (server detected). In this case the connection
3413 * will succeed but reject early_data.
3414 */
3415 servalpn = "badalpn";
3416 edstatus = SSL_EARLY_DATA_REJECTED;
3417 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3418 /* Fall through */
3419 case 6:
3420 /*
3421 * Set consistent ALPN.
3422 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3423 * accepts a list of protos (each one length prefixed).
3424 * SSL_set1_alpn_selected accepts a single protocol (not length
3425 * prefixed)
3426 */
3427 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3428 GOODALPNLEN - 1))
3429 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3430 GOODALPNLEN)))
3431 goto end;
3432
3433 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3434 break;
3435
3436 case 7:
3437 /* Set inconsistent ALPN (late client detection) */
3438 SSL_SESSION_free(serverpsk);
3439 serverpsk = SSL_SESSION_dup(clientpsk);
3440 if (!TEST_ptr(serverpsk)
3441 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3442 BADALPN + 1,
3443 BADALPNLEN - 1))
3444 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3445 GOODALPN + 1,
3446 GOODALPNLEN - 1))
3447 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3448 sizeof(alpnlist))))
3449 goto end;
3450 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3451 edstatus = SSL_EARLY_DATA_ACCEPTED;
3452 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3453 /* SSL_connect() call should fail */
3454 connectres = -1;
3455 break;
3456
3457 default:
3458 TEST_error("Bad test index");
3459 goto end;
3460 }
3461
3462 SSL_set_connect_state(clientssl);
3463 if (err != 0) {
3464 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3465 &written))
3466 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3467 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3468 goto end;
3469 } else {
3470 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3471 &written)))
3472 goto end;
3473
3474 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3475 &readbytes), readearlyres)
3476 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3477 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3478 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3479 || !TEST_int_eq(SSL_connect(clientssl), connectres))
3480 goto end;
3481 }
3482
3483 testresult = 1;
3484
3485 end:
3486 SSL_SESSION_free(sess);
3487 SSL_SESSION_free(clientpsk);
3488 SSL_SESSION_free(serverpsk);
3489 clientpsk = serverpsk = NULL;
3490 SSL_free(serverssl);
3491 SSL_free(clientssl);
3492 SSL_CTX_free(sctx);
3493 SSL_CTX_free(cctx);
3494 return testresult;
3495 }
3496
3497 /*
3498 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3499 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3500 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3501 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3502 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3503 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3504 */
test_early_data_psk_with_all_ciphers(int idx)3505 static int test_early_data_psk_with_all_ciphers(int idx)
3506 {
3507 SSL_CTX *cctx = NULL, *sctx = NULL;
3508 SSL *clientssl = NULL, *serverssl = NULL;
3509 int testresult = 0;
3510 SSL_SESSION *sess = NULL;
3511 unsigned char buf[20];
3512 size_t readbytes, written;
3513 const SSL_CIPHER *cipher;
3514 const char *cipher_str[] = {
3515 TLS1_3_RFC_AES_128_GCM_SHA256,
3516 TLS1_3_RFC_AES_256_GCM_SHA384,
3517 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3518 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3519 # else
3520 NULL,
3521 # endif
3522 TLS1_3_RFC_AES_128_CCM_SHA256,
3523 TLS1_3_RFC_AES_128_CCM_8_SHA256
3524 };
3525 const unsigned char *cipher_bytes[] = {
3526 TLS13_AES_128_GCM_SHA256_BYTES,
3527 TLS13_AES_256_GCM_SHA384_BYTES,
3528 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3529 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3530 # else
3531 NULL,
3532 # endif
3533 TLS13_AES_128_CCM_SHA256_BYTES,
3534 TLS13_AES_128_CCM_8_SHA256_BYTES
3535 };
3536
3537 if (cipher_str[idx] == NULL)
3538 return 1;
3539
3540 /* We always set this up with a final parameter of "2" for PSK */
3541 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3542 &serverssl, &sess, 2)))
3543 goto end;
3544
3545 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3546 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3547 goto end;
3548
3549 /*
3550 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3551 * and assigns to both client and server with incremented reference
3552 * and the same instance is updated in 'sess'.
3553 * So updating ciphersuite in 'sess' which will get reflected in
3554 * PSK handshake using psk use sess and find sess cb.
3555 */
3556 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3557 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3558 goto end;
3559
3560 SSL_set_connect_state(clientssl);
3561 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3562 &written)))
3563 goto end;
3564
3565 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3566 &readbytes),
3567 SSL_READ_EARLY_DATA_SUCCESS)
3568 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3569 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3570 SSL_EARLY_DATA_ACCEPTED)
3571 || !TEST_int_eq(SSL_connect(clientssl), 1)
3572 || !TEST_int_eq(SSL_accept(serverssl), 1))
3573 goto end;
3574
3575 /* Send some normal data from client to server */
3576 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3577 || !TEST_size_t_eq(written, strlen(MSG2)))
3578 goto end;
3579
3580 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3581 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3582 goto end;
3583
3584 testresult = 1;
3585 end:
3586 SSL_SESSION_free(sess);
3587 SSL_SESSION_free(clientpsk);
3588 SSL_SESSION_free(serverpsk);
3589 clientpsk = serverpsk = NULL;
3590 if (clientssl != NULL)
3591 SSL_shutdown(clientssl);
3592 if (serverssl != NULL)
3593 SSL_shutdown(serverssl);
3594 SSL_free(serverssl);
3595 SSL_free(clientssl);
3596 SSL_CTX_free(sctx);
3597 SSL_CTX_free(cctx);
3598 return testresult;
3599 }
3600
3601 /*
3602 * Test that a server that doesn't try to read early data can handle a
3603 * client sending some.
3604 */
test_early_data_not_expected(int idx)3605 static int test_early_data_not_expected(int idx)
3606 {
3607 SSL_CTX *cctx = NULL, *sctx = NULL;
3608 SSL *clientssl = NULL, *serverssl = NULL;
3609 int testresult = 0;
3610 SSL_SESSION *sess = NULL;
3611 unsigned char buf[20];
3612 size_t readbytes, written;
3613
3614 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3615 &serverssl, &sess, idx)))
3616 goto end;
3617
3618 /* Write some early data */
3619 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3620 &written)))
3621 goto end;
3622
3623 /*
3624 * Server should skip over early data and then block waiting for client to
3625 * continue handshake
3626 */
3627 if (!TEST_int_le(SSL_accept(serverssl), 0)
3628 || !TEST_int_gt(SSL_connect(clientssl), 0)
3629 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3630 SSL_EARLY_DATA_REJECTED)
3631 || !TEST_int_gt(SSL_accept(serverssl), 0)
3632 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3633 SSL_EARLY_DATA_REJECTED))
3634 goto end;
3635
3636 /* Send some normal data from client to server */
3637 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3638 || !TEST_size_t_eq(written, strlen(MSG2)))
3639 goto end;
3640
3641 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3643 goto end;
3644
3645 testresult = 1;
3646
3647 end:
3648 SSL_SESSION_free(sess);
3649 SSL_SESSION_free(clientpsk);
3650 SSL_SESSION_free(serverpsk);
3651 clientpsk = serverpsk = NULL;
3652 SSL_free(serverssl);
3653 SSL_free(clientssl);
3654 SSL_CTX_free(sctx);
3655 SSL_CTX_free(cctx);
3656 return testresult;
3657 }
3658
3659
3660 # ifndef OPENSSL_NO_TLS1_2
3661 /*
3662 * Test that a server attempting to read early data can handle a connection
3663 * from a TLSv1.2 client.
3664 */
test_early_data_tls1_2(int idx)3665 static int test_early_data_tls1_2(int idx)
3666 {
3667 SSL_CTX *cctx = NULL, *sctx = NULL;
3668 SSL *clientssl = NULL, *serverssl = NULL;
3669 int testresult = 0;
3670 unsigned char buf[20];
3671 size_t readbytes, written;
3672
3673 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3674 &serverssl, NULL, idx)))
3675 goto end;
3676
3677 /* Write some data - should block due to handshake with server */
3678 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3679 SSL_set_connect_state(clientssl);
3680 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
3681 goto end;
3682
3683 /*
3684 * Server should do TLSv1.2 handshake. First it will block waiting for more
3685 * messages from client after ServerDone. Then SSL_read_early_data should
3686 * finish and detect that early data has not been sent
3687 */
3688 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3689 &readbytes),
3690 SSL_READ_EARLY_DATA_ERROR))
3691 goto end;
3692
3693 /*
3694 * Continue writing the message we started earlier. Will still block waiting
3695 * for the CCS/Finished from server
3696 */
3697 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3698 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3699 &readbytes),
3700 SSL_READ_EARLY_DATA_FINISH)
3701 || !TEST_size_t_eq(readbytes, 0)
3702 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3703 SSL_EARLY_DATA_NOT_SENT))
3704 goto end;
3705
3706 /* Continue writing the message we started earlier */
3707 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3708 || !TEST_size_t_eq(written, strlen(MSG1))
3709 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3710 SSL_EARLY_DATA_NOT_SENT)
3711 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3712 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3713 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3714 || !TEST_size_t_eq(written, strlen(MSG2))
3715 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3716 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3717 goto end;
3718
3719 testresult = 1;
3720
3721 end:
3722 SSL_SESSION_free(clientpsk);
3723 SSL_SESSION_free(serverpsk);
3724 clientpsk = serverpsk = NULL;
3725 SSL_free(serverssl);
3726 SSL_free(clientssl);
3727 SSL_CTX_free(sctx);
3728 SSL_CTX_free(cctx);
3729
3730 return testresult;
3731 }
3732 # endif /* OPENSSL_NO_TLS1_2 */
3733
3734 /*
3735 * Test configuring the TLSv1.3 ciphersuites
3736 *
3737 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3738 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3739 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3740 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3741 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3742 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3743 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3744 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3745 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3746 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3747 */
test_set_ciphersuite(int idx)3748 static int test_set_ciphersuite(int idx)
3749 {
3750 SSL_CTX *cctx = NULL, *sctx = NULL;
3751 SSL *clientssl = NULL, *serverssl = NULL;
3752 int testresult = 0;
3753
3754 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3755 TLS1_VERSION, TLS_MAX_VERSION,
3756 &sctx, &cctx, cert, privkey))
3757 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3758 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3759 goto end;
3760
3761 if (idx >=4 && idx <= 7) {
3762 /* SSL_CTX explicit cipher list */
3763 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3764 goto end;
3765 }
3766
3767 if (idx == 0 || idx == 4) {
3768 /* Default ciphersuite */
3769 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3770 "TLS_AES_128_GCM_SHA256")))
3771 goto end;
3772 } else if (idx == 1 || idx == 5) {
3773 /* Non default ciphersuite */
3774 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3775 "TLS_AES_128_CCM_SHA256")))
3776 goto end;
3777 }
3778
3779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3780 &clientssl, NULL, NULL)))
3781 goto end;
3782
3783 if (idx == 8 || idx == 9) {
3784 /* SSL explicit cipher list */
3785 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3786 goto end;
3787 }
3788
3789 if (idx == 2 || idx == 6 || idx == 8) {
3790 /* Default ciphersuite */
3791 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3792 "TLS_AES_128_GCM_SHA256")))
3793 goto end;
3794 } else if (idx == 3 || idx == 7 || idx == 9) {
3795 /* Non default ciphersuite */
3796 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3797 "TLS_AES_128_CCM_SHA256")))
3798 goto end;
3799 }
3800
3801 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3802 goto end;
3803
3804 testresult = 1;
3805
3806 end:
3807 SSL_free(serverssl);
3808 SSL_free(clientssl);
3809 SSL_CTX_free(sctx);
3810 SSL_CTX_free(cctx);
3811
3812 return testresult;
3813 }
3814
test_ciphersuite_change(void)3815 static int test_ciphersuite_change(void)
3816 {
3817 SSL_CTX *cctx = NULL, *sctx = NULL;
3818 SSL *clientssl = NULL, *serverssl = NULL;
3819 SSL_SESSION *clntsess = NULL;
3820 int testresult = 0;
3821 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3822
3823 /* Create a session based on SHA-256 */
3824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3825 TLS1_VERSION, TLS_MAX_VERSION,
3826 &sctx, &cctx, cert, privkey))
3827 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3828 "TLS_AES_128_GCM_SHA256"))
3829 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3830 &clientssl, NULL, NULL))
3831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3832 SSL_ERROR_NONE)))
3833 goto end;
3834
3835 clntsess = SSL_get1_session(clientssl);
3836 /* Save for later */
3837 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3838 SSL_shutdown(clientssl);
3839 SSL_shutdown(serverssl);
3840 SSL_free(serverssl);
3841 SSL_free(clientssl);
3842 serverssl = clientssl = NULL;
3843
3844 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3845 /* Check we can resume a session with a different SHA-256 ciphersuite */
3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 "TLS_CHACHA20_POLY1305_SHA256"))
3848 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3849 NULL, NULL))
3850 || !TEST_true(SSL_set_session(clientssl, clntsess))
3851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3852 SSL_ERROR_NONE))
3853 || !TEST_true(SSL_session_reused(clientssl)))
3854 goto end;
3855
3856 SSL_SESSION_free(clntsess);
3857 clntsess = SSL_get1_session(clientssl);
3858 SSL_shutdown(clientssl);
3859 SSL_shutdown(serverssl);
3860 SSL_free(serverssl);
3861 SSL_free(clientssl);
3862 serverssl = clientssl = NULL;
3863 # endif
3864
3865 /*
3866 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
3867 * succeeds but does not resume.
3868 */
3869 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3871 NULL, NULL))
3872 || !TEST_true(SSL_set_session(clientssl, clntsess))
3873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3874 SSL_ERROR_SSL))
3875 || !TEST_false(SSL_session_reused(clientssl)))
3876 goto end;
3877
3878 SSL_SESSION_free(clntsess);
3879 clntsess = NULL;
3880 SSL_shutdown(clientssl);
3881 SSL_shutdown(serverssl);
3882 SSL_free(serverssl);
3883 SSL_free(clientssl);
3884 serverssl = clientssl = NULL;
3885
3886 /* Create a session based on SHA384 */
3887 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
3888 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3889 &clientssl, NULL, NULL))
3890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3891 SSL_ERROR_NONE)))
3892 goto end;
3893
3894 clntsess = SSL_get1_session(clientssl);
3895 SSL_shutdown(clientssl);
3896 SSL_shutdown(serverssl);
3897 SSL_free(serverssl);
3898 SSL_free(clientssl);
3899 serverssl = clientssl = NULL;
3900
3901 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3902 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3903 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3904 "TLS_AES_256_GCM_SHA384"))
3905 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3906 NULL, NULL))
3907 || !TEST_true(SSL_set_session(clientssl, clntsess))
3908 /*
3909 * We use SSL_ERROR_WANT_READ below so that we can pause the
3910 * connection after the initial ClientHello has been sent to
3911 * enable us to make some session changes.
3912 */
3913 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3914 SSL_ERROR_WANT_READ)))
3915 goto end;
3916
3917 /* Trick the client into thinking this session is for a different digest */
3918 clntsess->cipher = aes_128_gcm_sha256;
3919 clntsess->cipher_id = clntsess->cipher->id;
3920
3921 /*
3922 * Continue the previously started connection. Server has selected a SHA-384
3923 * ciphersuite, but client thinks the session is for SHA-256, so it should
3924 * bail out.
3925 */
3926 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3927 SSL_ERROR_SSL))
3928 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3929 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3930 goto end;
3931
3932 testresult = 1;
3933
3934 end:
3935 SSL_SESSION_free(clntsess);
3936 SSL_free(serverssl);
3937 SSL_free(clientssl);
3938 SSL_CTX_free(sctx);
3939 SSL_CTX_free(cctx);
3940
3941 return testresult;
3942 }
3943
3944 /*
3945 * Test TLSv1.3 Cipher Suite
3946 * Test 0 = Set TLS1.3 cipher on context
3947 * Test 1 = Set TLS1.3 cipher on SSL
3948 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3949 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3950 */
test_tls13_ciphersuite(int idx)3951 static int test_tls13_ciphersuite(int idx)
3952 {
3953 SSL_CTX *sctx = NULL, *cctx = NULL;
3954 SSL *serverssl = NULL, *clientssl = NULL;
3955 static const char *t13_ciphers[] = {
3956 TLS1_3_RFC_AES_128_GCM_SHA256,
3957 TLS1_3_RFC_AES_256_GCM_SHA384,
3958 TLS1_3_RFC_AES_128_CCM_SHA256,
3959 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3960 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3961 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3962 # endif
3963 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3964 };
3965 const char *t13_cipher = NULL;
3966 const char *t12_cipher = NULL;
3967 const char *negotiated_scipher;
3968 const char *negotiated_ccipher;
3969 int set_at_ctx = 0;
3970 int set_at_ssl = 0;
3971 int testresult = 0;
3972 int max_ver;
3973 size_t i;
3974
3975 switch (idx) {
3976 case 0:
3977 set_at_ctx = 1;
3978 break;
3979 case 1:
3980 set_at_ssl = 1;
3981 break;
3982 case 2:
3983 set_at_ctx = 1;
3984 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3985 break;
3986 case 3:
3987 set_at_ssl = 1;
3988 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3989 break;
3990 }
3991
3992 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3993 # ifdef OPENSSL_NO_TLS1_2
3994 if (max_ver == TLS1_2_VERSION)
3995 continue;
3996 # endif
3997 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3998 t13_cipher = t13_ciphers[i];
3999 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4000 TLS_client_method(),
4001 TLS1_VERSION, max_ver,
4002 &sctx, &cctx, cert, privkey)))
4003 goto end;
4004
4005 if (set_at_ctx) {
4006 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4007 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4008 goto end;
4009 if (t12_cipher != NULL) {
4010 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4011 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4012 t12_cipher)))
4013 goto end;
4014 }
4015 }
4016
4017 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4018 &clientssl, NULL, NULL)))
4019 goto end;
4020
4021 if (set_at_ssl) {
4022 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4023 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4024 goto end;
4025 if (t12_cipher != NULL) {
4026 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4027 || !TEST_true(SSL_set_cipher_list(clientssl,
4028 t12_cipher)))
4029 goto end;
4030 }
4031 }
4032
4033 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4034 SSL_ERROR_NONE)))
4035 goto end;
4036
4037 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4038 serverssl));
4039 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4040 clientssl));
4041 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4042 goto end;
4043
4044 /*
4045 * TEST_strn_eq is used below because t13_cipher can contain
4046 * multiple ciphersuites
4047 */
4048 if (max_ver == TLS1_3_VERSION
4049 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4050 strlen(negotiated_scipher)))
4051 goto end;
4052
4053 # ifndef OPENSSL_NO_TLS1_2
4054 /* Below validation is not done when t12_cipher is NULL */
4055 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4056 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4057 goto end;
4058 # endif
4059
4060 SSL_free(serverssl);
4061 serverssl = NULL;
4062 SSL_free(clientssl);
4063 clientssl = NULL;
4064 SSL_CTX_free(sctx);
4065 sctx = NULL;
4066 SSL_CTX_free(cctx);
4067 cctx = NULL;
4068 }
4069 }
4070
4071 testresult = 1;
4072 end:
4073 SSL_free(serverssl);
4074 SSL_free(clientssl);
4075 SSL_CTX_free(sctx);
4076 SSL_CTX_free(cctx);
4077 return testresult;
4078 }
4079
4080 /*
4081 * Test TLSv1.3 PSKs
4082 * Test 0 = Test new style callbacks
4083 * Test 1 = Test both new and old style callbacks
4084 * Test 2 = Test old style callbacks
4085 * Test 3 = Test old style callbacks with no certificate
4086 */
test_tls13_psk(int idx)4087 static int test_tls13_psk(int idx)
4088 {
4089 SSL_CTX *sctx = NULL, *cctx = NULL;
4090 SSL *serverssl = NULL, *clientssl = NULL;
4091 const SSL_CIPHER *cipher = NULL;
4092 const unsigned char key[] = {
4093 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4094 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
4095 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4096 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
4097 };
4098 int testresult = 0;
4099
4100 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4101 TLS1_VERSION, TLS_MAX_VERSION,
4102 &sctx, &cctx, idx == 3 ? NULL : cert,
4103 idx == 3 ? NULL : privkey)))
4104 goto end;
4105
4106 if (idx != 3) {
4107 /*
4108 * We use a ciphersuite with SHA256 to ease testing old style PSK
4109 * callbacks which will always default to SHA256. This should not be
4110 * necessary if we have no cert/priv key. In that case the server should
4111 * prefer SHA256 automatically.
4112 */
4113 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4114 "TLS_AES_128_GCM_SHA256")))
4115 goto end;
4116 }
4117
4118 /*
4119 * Test 0: New style callbacks only
4120 * Test 1: New and old style callbacks (only the new ones should be used)
4121 * Test 2: Old style callbacks only
4122 */
4123 if (idx == 0 || idx == 1) {
4124 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4125 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4126 }
4127 #ifndef OPENSSL_NO_PSK
4128 if (idx >= 1) {
4129 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4130 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4131 }
4132 #endif
4133 srvid = pskid;
4134 use_session_cb_cnt = 0;
4135 find_session_cb_cnt = 0;
4136 psk_client_cb_cnt = 0;
4137 psk_server_cb_cnt = 0;
4138
4139 if (idx != 3) {
4140 /*
4141 * Check we can create a connection if callback decides not to send a
4142 * PSK
4143 */
4144 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4145 NULL, NULL))
4146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4147 SSL_ERROR_NONE))
4148 || !TEST_false(SSL_session_reused(clientssl))
4149 || !TEST_false(SSL_session_reused(serverssl)))
4150 goto end;
4151
4152 if (idx == 0 || idx == 1) {
4153 if (!TEST_true(use_session_cb_cnt == 1)
4154 || !TEST_true(find_session_cb_cnt == 0)
4155 /*
4156 * If no old style callback then below should be 0
4157 * otherwise 1
4158 */
4159 || !TEST_true(psk_client_cb_cnt == idx)
4160 || !TEST_true(psk_server_cb_cnt == 0))
4161 goto end;
4162 } else {
4163 if (!TEST_true(use_session_cb_cnt == 0)
4164 || !TEST_true(find_session_cb_cnt == 0)
4165 || !TEST_true(psk_client_cb_cnt == 1)
4166 || !TEST_true(psk_server_cb_cnt == 0))
4167 goto end;
4168 }
4169
4170 shutdown_ssl_connection(serverssl, clientssl);
4171 serverssl = clientssl = NULL;
4172 use_session_cb_cnt = psk_client_cb_cnt = 0;
4173 }
4174
4175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4176 NULL, NULL)))
4177 goto end;
4178
4179 /* Create the PSK */
4180 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
4181 clientpsk = SSL_SESSION_new();
4182 if (!TEST_ptr(clientpsk)
4183 || !TEST_ptr(cipher)
4184 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4185 sizeof(key)))
4186 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4187 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4188 TLS1_3_VERSION))
4189 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
4190 goto end;
4191 serverpsk = clientpsk;
4192
4193 /* Check we can create a connection and the PSK is used */
4194 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4195 || !TEST_true(SSL_session_reused(clientssl))
4196 || !TEST_true(SSL_session_reused(serverssl)))
4197 goto end;
4198
4199 if (idx == 0 || idx == 1) {
4200 if (!TEST_true(use_session_cb_cnt == 1)
4201 || !TEST_true(find_session_cb_cnt == 1)
4202 || !TEST_true(psk_client_cb_cnt == 0)
4203 || !TEST_true(psk_server_cb_cnt == 0))
4204 goto end;
4205 } else {
4206 if (!TEST_true(use_session_cb_cnt == 0)
4207 || !TEST_true(find_session_cb_cnt == 0)
4208 || !TEST_true(psk_client_cb_cnt == 1)
4209 || !TEST_true(psk_server_cb_cnt == 1))
4210 goto end;
4211 }
4212
4213 shutdown_ssl_connection(serverssl, clientssl);
4214 serverssl = clientssl = NULL;
4215 use_session_cb_cnt = find_session_cb_cnt = 0;
4216 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4217
4218 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4219 NULL, NULL)))
4220 goto end;
4221
4222 /* Force an HRR */
4223 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4224 goto end;
4225
4226 /*
4227 * Check we can create a connection, the PSK is used and the callbacks are
4228 * called twice.
4229 */
4230 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4231 || !TEST_true(SSL_session_reused(clientssl))
4232 || !TEST_true(SSL_session_reused(serverssl)))
4233 goto end;
4234
4235 if (idx == 0 || idx == 1) {
4236 if (!TEST_true(use_session_cb_cnt == 2)
4237 || !TEST_true(find_session_cb_cnt == 2)
4238 || !TEST_true(psk_client_cb_cnt == 0)
4239 || !TEST_true(psk_server_cb_cnt == 0))
4240 goto end;
4241 } else {
4242 if (!TEST_true(use_session_cb_cnt == 0)
4243 || !TEST_true(find_session_cb_cnt == 0)
4244 || !TEST_true(psk_client_cb_cnt == 2)
4245 || !TEST_true(psk_server_cb_cnt == 2))
4246 goto end;
4247 }
4248
4249 shutdown_ssl_connection(serverssl, clientssl);
4250 serverssl = clientssl = NULL;
4251 use_session_cb_cnt = find_session_cb_cnt = 0;
4252 psk_client_cb_cnt = psk_server_cb_cnt = 0;
4253
4254 if (idx != 3) {
4255 /*
4256 * Check that if the server rejects the PSK we can still connect, but with
4257 * a full handshake
4258 */
4259 srvid = "Dummy Identity";
4260 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4261 NULL, NULL))
4262 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4263 SSL_ERROR_NONE))
4264 || !TEST_false(SSL_session_reused(clientssl))
4265 || !TEST_false(SSL_session_reused(serverssl)))
4266 goto end;
4267
4268 if (idx == 0 || idx == 1) {
4269 if (!TEST_true(use_session_cb_cnt == 1)
4270 || !TEST_true(find_session_cb_cnt == 1)
4271 || !TEST_true(psk_client_cb_cnt == 0)
4272 /*
4273 * If no old style callback then below should be 0
4274 * otherwise 1
4275 */
4276 || !TEST_true(psk_server_cb_cnt == idx))
4277 goto end;
4278 } else {
4279 if (!TEST_true(use_session_cb_cnt == 0)
4280 || !TEST_true(find_session_cb_cnt == 0)
4281 || !TEST_true(psk_client_cb_cnt == 1)
4282 || !TEST_true(psk_server_cb_cnt == 1))
4283 goto end;
4284 }
4285
4286 shutdown_ssl_connection(serverssl, clientssl);
4287 serverssl = clientssl = NULL;
4288 }
4289 testresult = 1;
4290
4291 end:
4292 SSL_SESSION_free(clientpsk);
4293 SSL_SESSION_free(serverpsk);
4294 clientpsk = serverpsk = NULL;
4295 SSL_free(serverssl);
4296 SSL_free(clientssl);
4297 SSL_CTX_free(sctx);
4298 SSL_CTX_free(cctx);
4299 return testresult;
4300 }
4301
4302 static unsigned char cookie_magic_value[] = "cookie magic";
4303
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)4304 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4305 unsigned int *cookie_len)
4306 {
4307 /*
4308 * Not suitable as a real cookie generation function but good enough for
4309 * testing!
4310 */
4311 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4312 *cookie_len = sizeof(cookie_magic_value) - 1;
4313
4314 return 1;
4315 }
4316
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)4317 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4318 unsigned int cookie_len)
4319 {
4320 if (cookie_len == sizeof(cookie_magic_value) - 1
4321 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4322 return 1;
4323
4324 return 0;
4325 }
4326
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)4327 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4328 size_t *cookie_len)
4329 {
4330 unsigned int temp;
4331 int res = generate_cookie_callback(ssl, cookie, &temp);
4332 *cookie_len = temp;
4333 return res;
4334 }
4335
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)4336 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4337 size_t cookie_len)
4338 {
4339 return verify_cookie_callback(ssl, cookie, cookie_len);
4340 }
4341
test_stateless(void)4342 static int test_stateless(void)
4343 {
4344 SSL_CTX *sctx = NULL, *cctx = NULL;
4345 SSL *serverssl = NULL, *clientssl = NULL;
4346 int testresult = 0;
4347
4348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4349 TLS1_VERSION, TLS_MAX_VERSION,
4350 &sctx, &cctx, cert, privkey)))
4351 goto end;
4352
4353 /* The arrival of CCS messages can confuse the test */
4354 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4355
4356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4357 NULL, NULL))
4358 /* Send the first ClientHello */
4359 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4360 SSL_ERROR_WANT_READ))
4361 /*
4362 * This should fail with a -1 return because we have no callbacks
4363 * set up
4364 */
4365 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4366 goto end;
4367
4368 /* Fatal error so abandon the connection from this client */
4369 SSL_free(clientssl);
4370 clientssl = NULL;
4371
4372 /* Set up the cookie generation and verification callbacks */
4373 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4374 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
4375
4376 /*
4377 * Create a new connection from the client (we can reuse the server SSL
4378 * object).
4379 */
4380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4381 NULL, NULL))
4382 /* Send the first ClientHello */
4383 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4384 SSL_ERROR_WANT_READ))
4385 /* This should fail because there is no cookie */
4386 || !TEST_int_eq(SSL_stateless(serverssl), 0))
4387 goto end;
4388
4389 /* Abandon the connection from this client */
4390 SSL_free(clientssl);
4391 clientssl = NULL;
4392
4393 /*
4394 * Now create a connection from a new client but with the same server SSL
4395 * object
4396 */
4397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4398 NULL, NULL))
4399 /* Send the first ClientHello */
4400 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4401 SSL_ERROR_WANT_READ))
4402 /* This should fail because there is no cookie */
4403 || !TEST_int_eq(SSL_stateless(serverssl), 0)
4404 /* Send the second ClientHello */
4405 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4406 SSL_ERROR_WANT_READ))
4407 /* This should succeed because a cookie is now present */
4408 || !TEST_int_eq(SSL_stateless(serverssl), 1)
4409 /* Complete the connection */
4410 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4411 SSL_ERROR_NONE)))
4412 goto end;
4413
4414 shutdown_ssl_connection(serverssl, clientssl);
4415 serverssl = clientssl = NULL;
4416 testresult = 1;
4417
4418 end:
4419 SSL_free(serverssl);
4420 SSL_free(clientssl);
4421 SSL_CTX_free(sctx);
4422 SSL_CTX_free(cctx);
4423 return testresult;
4424
4425 }
4426 #endif /* OPENSSL_NO_TLS1_3 */
4427
4428 static int clntaddoldcb = 0;
4429 static int clntparseoldcb = 0;
4430 static int srvaddoldcb = 0;
4431 static int srvparseoldcb = 0;
4432 static int clntaddnewcb = 0;
4433 static int clntparsenewcb = 0;
4434 static int srvaddnewcb = 0;
4435 static int srvparsenewcb = 0;
4436 static int snicb = 0;
4437
4438 #define TEST_EXT_TYPE1 0xff00
4439
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)4440 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4441 size_t *outlen, int *al, void *add_arg)
4442 {
4443 int *server = (int *)add_arg;
4444 unsigned char *data;
4445
4446 if (SSL_is_server(s))
4447 srvaddoldcb++;
4448 else
4449 clntaddoldcb++;
4450
4451 if (*server != SSL_is_server(s)
4452 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4453 return -1;
4454
4455 *data = 1;
4456 *out = data;
4457 *outlen = sizeof(char);
4458 return 1;
4459 }
4460
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)4461 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4462 void *add_arg)
4463 {
4464 OPENSSL_free((unsigned char *)out);
4465 }
4466
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)4467 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4468 size_t inlen, int *al, void *parse_arg)
4469 {
4470 int *server = (int *)parse_arg;
4471
4472 if (SSL_is_server(s))
4473 srvparseoldcb++;
4474 else
4475 clntparseoldcb++;
4476
4477 if (*server != SSL_is_server(s)
4478 || inlen != sizeof(char)
4479 || *in != 1)
4480 return -1;
4481
4482 return 1;
4483 }
4484
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)4485 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4486 const unsigned char **out, size_t *outlen, X509 *x,
4487 size_t chainidx, int *al, void *add_arg)
4488 {
4489 int *server = (int *)add_arg;
4490 unsigned char *data;
4491
4492 if (SSL_is_server(s))
4493 srvaddnewcb++;
4494 else
4495 clntaddnewcb++;
4496
4497 if (*server != SSL_is_server(s)
4498 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
4499 return -1;
4500
4501 *data = 1;
4502 *out = data;
4503 *outlen = sizeof(*data);
4504 return 1;
4505 }
4506
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)4507 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4508 const unsigned char *out, void *add_arg)
4509 {
4510 OPENSSL_free((unsigned char *)out);
4511 }
4512
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)4513 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4514 const unsigned char *in, size_t inlen, X509 *x,
4515 size_t chainidx, int *al, void *parse_arg)
4516 {
4517 int *server = (int *)parse_arg;
4518
4519 if (SSL_is_server(s))
4520 srvparsenewcb++;
4521 else
4522 clntparsenewcb++;
4523
4524 if (*server != SSL_is_server(s)
4525 || inlen != sizeof(char) || *in != 1)
4526 return -1;
4527
4528 return 1;
4529 }
4530
sni_cb(SSL * s,int * al,void * arg)4531 static int sni_cb(SSL *s, int *al, void *arg)
4532 {
4533 SSL_CTX *ctx = (SSL_CTX *)arg;
4534
4535 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4536 *al = SSL_AD_INTERNAL_ERROR;
4537 return SSL_TLSEXT_ERR_ALERT_FATAL;
4538 }
4539 snicb++;
4540 return SSL_TLSEXT_ERR_OK;
4541 }
4542
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)4543 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
4544 {
4545 return 1;
4546 }
4547
4548 /*
4549 * Custom call back tests.
4550 * Test 0: Old style callbacks in TLSv1.2
4551 * Test 1: New style callbacks in TLSv1.2
4552 * Test 2: New style callbacks in TLSv1.2 with SNI
4553 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4554 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
4555 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
4556 */
test_custom_exts(int tst)4557 static int test_custom_exts(int tst)
4558 {
4559 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4560 SSL *clientssl = NULL, *serverssl = NULL;
4561 int testresult = 0;
4562 static int server = 1;
4563 static int client = 0;
4564 SSL_SESSION *sess = NULL;
4565 unsigned int context;
4566
4567 #if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4568 /* Skip tests for TLSv1.2 and below in this case */
4569 if (tst < 3)
4570 return 1;
4571 #endif
4572
4573 /* Reset callback counters */
4574 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4575 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
4576 snicb = 0;
4577
4578 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4579 TLS1_VERSION, TLS_MAX_VERSION,
4580 &sctx, &cctx, cert, privkey)))
4581 goto end;
4582
4583 if (tst == 2
4584 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
4585 TLS1_VERSION, TLS_MAX_VERSION,
4586 &sctx2, NULL, cert, privkey)))
4587 goto end;
4588
4589
4590 if (tst < 3) {
4591 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4592 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
4593 if (sctx2 != NULL)
4594 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
4595 }
4596
4597 if (tst == 5) {
4598 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
4599 | SSL_EXT_TLS1_3_CERTIFICATE;
4600 SSL_CTX_set_verify(sctx,
4601 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4602 verify_cb);
4603 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
4604 SSL_FILETYPE_PEM), 1)
4605 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
4606 SSL_FILETYPE_PEM), 1)
4607 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
4608 goto end;
4609 } else if (tst == 4) {
4610 context = SSL_EXT_CLIENT_HELLO
4611 | SSL_EXT_TLS1_2_SERVER_HELLO
4612 | SSL_EXT_TLS1_3_SERVER_HELLO
4613 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4614 | SSL_EXT_TLS1_3_CERTIFICATE
4615 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4616 } else {
4617 context = SSL_EXT_CLIENT_HELLO
4618 | SSL_EXT_TLS1_2_SERVER_HELLO
4619 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4620 }
4621
4622 /* Create a client side custom extension */
4623 if (tst == 0) {
4624 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4625 old_add_cb, old_free_cb,
4626 &client, old_parse_cb,
4627 &client)))
4628 goto end;
4629 } else {
4630 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4631 new_add_cb, new_free_cb,
4632 &client, new_parse_cb, &client)))
4633 goto end;
4634 }
4635
4636 /* Should not be able to add duplicates */
4637 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4638 old_add_cb, old_free_cb,
4639 &client, old_parse_cb,
4640 &client))
4641 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4642 context, new_add_cb,
4643 new_free_cb, &client,
4644 new_parse_cb, &client)))
4645 goto end;
4646
4647 /* Create a server side custom extension */
4648 if (tst == 0) {
4649 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4650 old_add_cb, old_free_cb,
4651 &server, old_parse_cb,
4652 &server)))
4653 goto end;
4654 } else {
4655 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4656 new_add_cb, new_free_cb,
4657 &server, new_parse_cb, &server)))
4658 goto end;
4659 if (sctx2 != NULL
4660 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4661 context, new_add_cb,
4662 new_free_cb, &server,
4663 new_parse_cb, &server)))
4664 goto end;
4665 }
4666
4667 /* Should not be able to add duplicates */
4668 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4669 old_add_cb, old_free_cb,
4670 &server, old_parse_cb,
4671 &server))
4672 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4673 context, new_add_cb,
4674 new_free_cb, &server,
4675 new_parse_cb, &server)))
4676 goto end;
4677
4678 if (tst == 2) {
4679 /* Set up SNI */
4680 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4681 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4682 goto end;
4683 }
4684
4685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4686 &clientssl, NULL, NULL))
4687 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4688 SSL_ERROR_NONE)))
4689 goto end;
4690
4691 if (tst == 0) {
4692 if (clntaddoldcb != 1
4693 || clntparseoldcb != 1
4694 || srvaddoldcb != 1
4695 || srvparseoldcb != 1)
4696 goto end;
4697 } else if (tst == 1 || tst == 2 || tst == 3) {
4698 if (clntaddnewcb != 1
4699 || clntparsenewcb != 1
4700 || srvaddnewcb != 1
4701 || srvparsenewcb != 1
4702 || (tst != 2 && snicb != 0)
4703 || (tst == 2 && snicb != 1))
4704 goto end;
4705 } else if (tst == 5) {
4706 if (clntaddnewcb != 1
4707 || clntparsenewcb != 1
4708 || srvaddnewcb != 1
4709 || srvparsenewcb != 1)
4710 goto end;
4711 } else {
4712 /* In this case there 2 NewSessionTicket messages created */
4713 if (clntaddnewcb != 1
4714 || clntparsenewcb != 5
4715 || srvaddnewcb != 5
4716 || srvparsenewcb != 1)
4717 goto end;
4718 }
4719
4720 sess = SSL_get1_session(clientssl);
4721 SSL_shutdown(clientssl);
4722 SSL_shutdown(serverssl);
4723 SSL_free(serverssl);
4724 SSL_free(clientssl);
4725 serverssl = clientssl = NULL;
4726
4727 if (tst == 3 || tst == 5) {
4728 /* We don't bother with the resumption aspects for these tests */
4729 testresult = 1;
4730 goto end;
4731 }
4732
4733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4734 NULL, NULL))
4735 || !TEST_true(SSL_set_session(clientssl, sess))
4736 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4737 SSL_ERROR_NONE)))
4738 goto end;
4739
4740 /*
4741 * For a resumed session we expect to add the ClientHello extension. For the
4742 * old style callbacks we ignore it on the server side because they set
4743 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4744 * them.
4745 */
4746 if (tst == 0) {
4747 if (clntaddoldcb != 2
4748 || clntparseoldcb != 1
4749 || srvaddoldcb != 1
4750 || srvparseoldcb != 1)
4751 goto end;
4752 } else if (tst == 1 || tst == 2 || tst == 3) {
4753 if (clntaddnewcb != 2
4754 || clntparsenewcb != 2
4755 || srvaddnewcb != 2
4756 || srvparsenewcb != 2)
4757 goto end;
4758 } else {
4759 /*
4760 * No Certificate message extensions in the resumption handshake,
4761 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4762 */
4763 if (clntaddnewcb != 2
4764 || clntparsenewcb != 8
4765 || srvaddnewcb != 8
4766 || srvparsenewcb != 2)
4767 goto end;
4768 }
4769
4770 testresult = 1;
4771
4772 end:
4773 SSL_SESSION_free(sess);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 SSL_CTX_free(sctx2);
4777 SSL_CTX_free(sctx);
4778 SSL_CTX_free(cctx);
4779 return testresult;
4780 }
4781
4782 /*
4783 * Test loading of serverinfo data in various formats. test_sslmessages actually
4784 * tests to make sure the extensions appear in the handshake
4785 */
test_serverinfo(int tst)4786 static int test_serverinfo(int tst)
4787 {
4788 unsigned int version;
4789 unsigned char *sibuf;
4790 size_t sibuflen;
4791 int ret, expected, testresult = 0;
4792 SSL_CTX *ctx;
4793
4794 ctx = SSL_CTX_new(TLS_method());
4795 if (!TEST_ptr(ctx))
4796 goto end;
4797
4798 if ((tst & 0x01) == 0x01)
4799 version = SSL_SERVERINFOV2;
4800 else
4801 version = SSL_SERVERINFOV1;
4802
4803 if ((tst & 0x02) == 0x02) {
4804 sibuf = serverinfov2;
4805 sibuflen = sizeof(serverinfov2);
4806 expected = (version == SSL_SERVERINFOV2);
4807 } else {
4808 sibuf = serverinfov1;
4809 sibuflen = sizeof(serverinfov1);
4810 expected = (version == SSL_SERVERINFOV1);
4811 }
4812
4813 if ((tst & 0x04) == 0x04) {
4814 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4815 } else {
4816 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4817
4818 /*
4819 * The version variable is irrelevant in this case - it's what is in the
4820 * buffer that matters
4821 */
4822 if ((tst & 0x02) == 0x02)
4823 expected = 0;
4824 else
4825 expected = 1;
4826 }
4827
4828 if (!TEST_true(ret == expected))
4829 goto end;
4830
4831 testresult = 1;
4832
4833 end:
4834 SSL_CTX_free(ctx);
4835
4836 return testresult;
4837 }
4838
4839 /*
4840 * Test that SSL_export_keying_material() produces expected results. There are
4841 * no test vectors so all we do is test that both sides of the communication
4842 * produce the same results for different protocol versions.
4843 */
4844 #define SMALL_LABEL_LEN 10
4845 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)4846 static int test_export_key_mat(int tst)
4847 {
4848 int testresult = 0;
4849 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4850 SSL *clientssl = NULL, *serverssl = NULL;
4851 const char label[LONG_LABEL_LEN + 1] = "test label";
4852 const unsigned char context[] = "context";
4853 const unsigned char *emptycontext = NULL;
4854 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4855 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
4856 size_t labellen;
4857 const int protocols[] = {
4858 TLS1_VERSION,
4859 TLS1_1_VERSION,
4860 TLS1_2_VERSION,
4861 TLS1_3_VERSION,
4862 TLS1_3_VERSION,
4863 TLS1_3_VERSION
4864 };
4865
4866 #ifdef OPENSSL_NO_TLS1
4867 if (tst == 0)
4868 return 1;
4869 #endif
4870 #ifdef OPENSSL_NO_TLS1_1
4871 if (tst == 1)
4872 return 1;
4873 #endif
4874 #ifdef OPENSSL_NO_TLS1_2
4875 if (tst == 2)
4876 return 1;
4877 #endif
4878 #ifdef OPENSSL_NO_TLS1_3
4879 if (tst >= 3)
4880 return 1;
4881 #endif
4882 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4883 TLS1_VERSION, TLS_MAX_VERSION,
4884 &sctx, &cctx, cert, privkey)))
4885 goto end;
4886
4887 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4888 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4889 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
4890
4891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4892 NULL)))
4893 goto end;
4894
4895 /*
4896 * Premature call of SSL_export_keying_material should just fail.
4897 */
4898 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4899 sizeof(ckeymat1), label,
4900 SMALL_LABEL_LEN + 1, context,
4901 sizeof(context) - 1, 1), 0))
4902 goto end;
4903
4904 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4905 SSL_ERROR_NONE)))
4906 goto end;
4907
4908 if (tst == 5) {
4909 /*
4910 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4911 * go over that.
4912 */
4913 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4914 sizeof(ckeymat1), label,
4915 LONG_LABEL_LEN + 1, context,
4916 sizeof(context) - 1, 1), 0))
4917 goto end;
4918
4919 testresult = 1;
4920 goto end;
4921 } else if (tst == 4) {
4922 labellen = LONG_LABEL_LEN;
4923 } else {
4924 labellen = SMALL_LABEL_LEN;
4925 }
4926
4927 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4928 sizeof(ckeymat1), label,
4929 labellen, context,
4930 sizeof(context) - 1, 1), 1)
4931 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4932 sizeof(ckeymat2), label,
4933 labellen,
4934 emptycontext,
4935 0, 1), 1)
4936 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4937 sizeof(ckeymat3), label,
4938 labellen,
4939 NULL, 0, 0), 1)
4940 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4941 sizeof(skeymat1), label,
4942 labellen,
4943 context,
4944 sizeof(context) -1, 1),
4945 1)
4946 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4947 sizeof(skeymat2), label,
4948 labellen,
4949 emptycontext,
4950 0, 1), 1)
4951 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4952 sizeof(skeymat3), label,
4953 labellen,
4954 NULL, 0, 0), 1)
4955 /*
4956 * Check that both sides created the same key material with the
4957 * same context.
4958 */
4959 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4960 sizeof(skeymat1))
4961 /*
4962 * Check that both sides created the same key material with an
4963 * empty context.
4964 */
4965 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4966 sizeof(skeymat2))
4967 /*
4968 * Check that both sides created the same key material without a
4969 * context.
4970 */
4971 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4972 sizeof(skeymat3))
4973 /* Different contexts should produce different results */
4974 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4975 sizeof(ckeymat2)))
4976 goto end;
4977
4978 /*
4979 * Check that an empty context and no context produce different results in
4980 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4981 */
4982 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4983 sizeof(ckeymat3)))
4984 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4985 sizeof(ckeymat3))))
4986 goto end;
4987
4988 testresult = 1;
4989
4990 end:
4991 SSL_free(serverssl);
4992 SSL_free(clientssl);
4993 SSL_CTX_free(sctx2);
4994 SSL_CTX_free(sctx);
4995 SSL_CTX_free(cctx);
4996
4997 return testresult;
4998 }
4999
5000 #ifndef OPENSSL_NO_TLS1_3
5001 /*
5002 * Test that SSL_export_keying_material_early() produces expected
5003 * results. There are no test vectors so all we do is test that both
5004 * sides of the communication produce the same results for different
5005 * protocol versions.
5006 */
test_export_key_mat_early(int idx)5007 static int test_export_key_mat_early(int idx)
5008 {
5009 static const char label[] = "test label";
5010 static const unsigned char context[] = "context";
5011 int testresult = 0;
5012 SSL_CTX *cctx = NULL, *sctx = NULL;
5013 SSL *clientssl = NULL, *serverssl = NULL;
5014 SSL_SESSION *sess = NULL;
5015 const unsigned char *emptycontext = NULL;
5016 unsigned char ckeymat1[80], ckeymat2[80];
5017 unsigned char skeymat1[80], skeymat2[80];
5018 unsigned char buf[1];
5019 size_t readbytes, written;
5020
5021 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5022 &sess, idx)))
5023 goto end;
5024
5025 /* Here writing 0 length early data is enough. */
5026 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5027 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5028 &readbytes),
5029 SSL_READ_EARLY_DATA_ERROR)
5030 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5031 SSL_EARLY_DATA_ACCEPTED))
5032 goto end;
5033
5034 if (!TEST_int_eq(SSL_export_keying_material_early(
5035 clientssl, ckeymat1, sizeof(ckeymat1), label,
5036 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5037 || !TEST_int_eq(SSL_export_keying_material_early(
5038 clientssl, ckeymat2, sizeof(ckeymat2), label,
5039 sizeof(label) - 1, emptycontext, 0), 1)
5040 || !TEST_int_eq(SSL_export_keying_material_early(
5041 serverssl, skeymat1, sizeof(skeymat1), label,
5042 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5043 || !TEST_int_eq(SSL_export_keying_material_early(
5044 serverssl, skeymat2, sizeof(skeymat2), label,
5045 sizeof(label) - 1, emptycontext, 0), 1)
5046 /*
5047 * Check that both sides created the same key material with the
5048 * same context.
5049 */
5050 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5051 sizeof(skeymat1))
5052 /*
5053 * Check that both sides created the same key material with an
5054 * empty context.
5055 */
5056 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5057 sizeof(skeymat2))
5058 /* Different contexts should produce different results */
5059 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5060 sizeof(ckeymat2)))
5061 goto end;
5062
5063 testresult = 1;
5064
5065 end:
5066 SSL_SESSION_free(sess);
5067 SSL_SESSION_free(clientpsk);
5068 SSL_SESSION_free(serverpsk);
5069 clientpsk = serverpsk = NULL;
5070 SSL_free(serverssl);
5071 SSL_free(clientssl);
5072 SSL_CTX_free(sctx);
5073 SSL_CTX_free(cctx);
5074
5075 return testresult;
5076 }
5077
5078 #define NUM_KEY_UPDATE_MESSAGES 40
5079 /*
5080 * Test KeyUpdate.
5081 */
test_key_update(void)5082 static int test_key_update(void)
5083 {
5084 SSL_CTX *cctx = NULL, *sctx = NULL;
5085 SSL *clientssl = NULL, *serverssl = NULL;
5086 int testresult = 0, i, j;
5087 char buf[20];
5088 static char *mess = "A test message";
5089
5090 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5091 TLS_client_method(),
5092 TLS1_3_VERSION,
5093 0,
5094 &sctx, &cctx, cert, privkey))
5095 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5096 NULL, NULL))
5097 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5098 SSL_ERROR_NONE)))
5099 goto end;
5100
5101 for (j = 0; j < 2; j++) {
5102 /* Send lots of KeyUpdate messages */
5103 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5104 if (!TEST_true(SSL_key_update(clientssl,
5105 (j == 0)
5106 ? SSL_KEY_UPDATE_NOT_REQUESTED
5107 : SSL_KEY_UPDATE_REQUESTED))
5108 || !TEST_true(SSL_do_handshake(clientssl)))
5109 goto end;
5110 }
5111
5112 /* Check that sending and receiving app data is ok */
5113 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5114 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5115 strlen(mess)))
5116 goto end;
5117
5118 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5119 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5120 strlen(mess)))
5121 goto end;
5122 }
5123
5124 testresult = 1;
5125
5126 end:
5127 SSL_free(serverssl);
5128 SSL_free(clientssl);
5129 SSL_CTX_free(sctx);
5130 SSL_CTX_free(cctx);
5131
5132 return testresult;
5133 }
5134
5135 /*
5136 * Test we can handle a KeyUpdate (update requested) message while write data
5137 * is pending.
5138 * Test 0: Client sends KeyUpdate while Server is writing
5139 * Test 1: Server sends KeyUpdate while Client is writing
5140 */
test_key_update_in_write(int tst)5141 static int test_key_update_in_write(int tst)
5142 {
5143 SSL_CTX *cctx = NULL, *sctx = NULL;
5144 SSL *clientssl = NULL, *serverssl = NULL;
5145 int testresult = 0;
5146 char buf[20];
5147 static char *mess = "A test message";
5148 BIO *bretry = BIO_new(bio_s_always_retry());
5149 BIO *tmp = NULL;
5150 SSL *peerupdate = NULL, *peerwrite = NULL;
5151
5152 if (!TEST_ptr(bretry)
5153 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5154 TLS_client_method(),
5155 TLS1_3_VERSION,
5156 0,
5157 &sctx, &cctx, cert, privkey))
5158 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5159 NULL, NULL))
5160 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5161 SSL_ERROR_NONE)))
5162 goto end;
5163
5164 peerupdate = tst == 0 ? clientssl : serverssl;
5165 peerwrite = tst == 0 ? serverssl : clientssl;
5166
5167 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5168 || !TEST_true(SSL_do_handshake(peerupdate)))
5169 goto end;
5170
5171 /* Swap the writing endpoint's write BIO to force a retry */
5172 tmp = SSL_get_wbio(peerwrite);
5173 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5174 tmp = NULL;
5175 goto end;
5176 }
5177 SSL_set0_wbio(peerwrite, bretry);
5178 bretry = NULL;
5179
5180 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5181 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5182 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5183 goto end;
5184
5185 /* Reinstate the original writing endpoint's write BIO */
5186 SSL_set0_wbio(peerwrite, tmp);
5187 tmp = NULL;
5188
5189 /* Now read some data - we will read the key update */
5190 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5191 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5192 goto end;
5193
5194 /*
5195 * Complete the write we started previously and read it from the other
5196 * endpoint
5197 */
5198 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5199 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5200 goto end;
5201
5202 /* Write more data to ensure we send the KeyUpdate message back */
5203 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5204 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5205 goto end;
5206
5207 testresult = 1;
5208
5209 end:
5210 SSL_free(serverssl);
5211 SSL_free(clientssl);
5212 SSL_CTX_free(sctx);
5213 SSL_CTX_free(cctx);
5214 BIO_free(bretry);
5215 BIO_free(tmp);
5216
5217 return testresult;
5218 }
5219 #endif /* OPENSSL_NO_TLS1_3 */
5220
test_ssl_clear(int idx)5221 static int test_ssl_clear(int idx)
5222 {
5223 SSL_CTX *cctx = NULL, *sctx = NULL;
5224 SSL *clientssl = NULL, *serverssl = NULL;
5225 int testresult = 0;
5226
5227 #ifdef OPENSSL_NO_TLS1_2
5228 if (idx == 1)
5229 return 1;
5230 #endif
5231
5232 /* Create an initial connection */
5233 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5234 TLS1_VERSION, TLS_MAX_VERSION,
5235 &sctx, &cctx, cert, privkey))
5236 || (idx == 1
5237 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5238 TLS1_2_VERSION)))
5239 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5240 &clientssl, NULL, NULL))
5241 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5242 SSL_ERROR_NONE)))
5243 goto end;
5244
5245 SSL_shutdown(clientssl);
5246 SSL_shutdown(serverssl);
5247 SSL_free(serverssl);
5248 serverssl = NULL;
5249
5250 /* Clear clientssl - we're going to reuse the object */
5251 if (!TEST_true(SSL_clear(clientssl)))
5252 goto end;
5253
5254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5255 NULL, NULL))
5256 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5257 SSL_ERROR_NONE))
5258 || !TEST_true(SSL_session_reused(clientssl)))
5259 goto end;
5260
5261 SSL_shutdown(clientssl);
5262 SSL_shutdown(serverssl);
5263
5264 testresult = 1;
5265
5266 end:
5267 SSL_free(serverssl);
5268 SSL_free(clientssl);
5269 SSL_CTX_free(sctx);
5270 SSL_CTX_free(cctx);
5271
5272 return testresult;
5273 }
5274
5275 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)5276 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5277 {
5278 long len;
5279 unsigned char *data;
5280 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
5281 unsigned int MFL_code = 0, type = 0;
5282
5283 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5284 goto end;
5285
5286 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5287 /* Skip the record header */
5288 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5289 /* Skip the handshake message header */
5290 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5291 /* Skip client version and random */
5292 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5293 + SSL3_RANDOM_SIZE))
5294 /* Skip session id */
5295 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5296 /* Skip ciphers */
5297 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5298 /* Skip compression */
5299 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5300 /* Extensions len */
5301 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5302 goto end;
5303
5304 /* Loop through all extensions */
5305 while (PACKET_remaining(&pkt2)) {
5306 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5307 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5308 goto end;
5309
5310 if (type == TLSEXT_TYPE_max_fragment_length) {
5311 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5312 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5313 goto end;
5314
5315 *mfl_codemfl_code = MFL_code;
5316 return 1;
5317 }
5318 }
5319
5320 end:
5321 return 0;
5322 }
5323
5324 /* Maximum-Fragment-Length TLS extension mode to test */
5325 static const unsigned char max_fragment_len_test[] = {
5326 TLSEXT_max_fragment_length_512,
5327 TLSEXT_max_fragment_length_1024,
5328 TLSEXT_max_fragment_length_2048,
5329 TLSEXT_max_fragment_length_4096
5330 };
5331
test_max_fragment_len_ext(int idx_tst)5332 static int test_max_fragment_len_ext(int idx_tst)
5333 {
5334 SSL_CTX *ctx;
5335 SSL *con = NULL;
5336 int testresult = 0, MFL_mode = 0;
5337 BIO *rbio, *wbio;
5338
5339 ctx = SSL_CTX_new(TLS_method());
5340 if (!TEST_ptr(ctx))
5341 goto end;
5342
5343 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5344 ctx, max_fragment_len_test[idx_tst])))
5345 goto end;
5346
5347 con = SSL_new(ctx);
5348 if (!TEST_ptr(con))
5349 goto end;
5350
5351 rbio = BIO_new(BIO_s_mem());
5352 wbio = BIO_new(BIO_s_mem());
5353 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5354 BIO_free(rbio);
5355 BIO_free(wbio);
5356 goto end;
5357 }
5358
5359 SSL_set_bio(con, rbio, wbio);
5360 SSL_set_connect_state(con);
5361
5362 if (!TEST_int_le(SSL_connect(con), 0)) {
5363 /* This shouldn't succeed because we don't have a server! */
5364 goto end;
5365 }
5366
5367 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5368 /* no MFL in client hello */
5369 goto end;
5370 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5371 goto end;
5372
5373 testresult = 1;
5374
5375 end:
5376 SSL_free(con);
5377 SSL_CTX_free(ctx);
5378
5379 return testresult;
5380 }
5381
5382 #ifndef OPENSSL_NO_TLS1_3
test_pha_key_update(void)5383 static int test_pha_key_update(void)
5384 {
5385 SSL_CTX *cctx = NULL, *sctx = NULL;
5386 SSL *clientssl = NULL, *serverssl = NULL;
5387 int testresult = 0;
5388
5389 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5390 TLS1_VERSION, TLS_MAX_VERSION,
5391 &sctx, &cctx, cert, privkey)))
5392 return 0;
5393
5394 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5395 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5396 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5397 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5398 goto end;
5399
5400 SSL_CTX_set_post_handshake_auth(cctx, 1);
5401
5402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5403 NULL, NULL)))
5404 goto end;
5405
5406 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5407 SSL_ERROR_NONE)))
5408 goto end;
5409
5410 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5411 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5412 goto end;
5413
5414 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5415 goto end;
5416
5417 /* Start handshake on the server */
5418 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5419 goto end;
5420
5421 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5422 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5423 SSL_ERROR_NONE)))
5424 goto end;
5425
5426 SSL_shutdown(clientssl);
5427 SSL_shutdown(serverssl);
5428
5429 testresult = 1;
5430
5431 end:
5432 SSL_free(serverssl);
5433 SSL_free(clientssl);
5434 SSL_CTX_free(sctx);
5435 SSL_CTX_free(cctx);
5436 return testresult;
5437 }
5438 #endif
5439
5440 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5441
5442 static SRP_VBASE *vbase = NULL;
5443
ssl_srp_cb(SSL * s,int * ad,void * arg)5444 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5445 {
5446 int ret = SSL3_AL_FATAL;
5447 char *username;
5448 SRP_user_pwd *user = NULL;
5449
5450 username = SSL_get_srp_username(s);
5451 if (username == NULL) {
5452 *ad = SSL_AD_INTERNAL_ERROR;
5453 goto err;
5454 }
5455
5456 user = SRP_VBASE_get1_by_user(vbase, username);
5457 if (user == NULL) {
5458 *ad = SSL_AD_INTERNAL_ERROR;
5459 goto err;
5460 }
5461
5462 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5463 user->info) <= 0) {
5464 *ad = SSL_AD_INTERNAL_ERROR;
5465 goto err;
5466 }
5467
5468 ret = 0;
5469
5470 err:
5471 SRP_user_pwd_free(user);
5472 return ret;
5473 }
5474
create_new_vfile(char * userid,char * password,const char * filename)5475 static int create_new_vfile(char *userid, char *password, const char *filename)
5476 {
5477 char *gNid = NULL;
5478 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5479 TXT_DB *db = NULL;
5480 int ret = 0;
5481 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5482 size_t i;
5483
5484 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5485 goto end;
5486
5487 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5488 &row[DB_srpverifier], NULL, NULL);
5489 if (!TEST_ptr(gNid))
5490 goto end;
5491
5492 /*
5493 * The only way to create an empty TXT_DB is to provide a BIO with no data
5494 * in it!
5495 */
5496 db = TXT_DB_read(dummy, DB_NUMBER);
5497 if (!TEST_ptr(db))
5498 goto end;
5499
5500 out = BIO_new_file(filename, "w");
5501 if (!TEST_ptr(out))
5502 goto end;
5503
5504 row[DB_srpid] = OPENSSL_strdup(userid);
5505 row[DB_srptype] = OPENSSL_strdup("V");
5506 row[DB_srpgN] = OPENSSL_strdup(gNid);
5507
5508 if (!TEST_ptr(row[DB_srpid])
5509 || !TEST_ptr(row[DB_srptype])
5510 || !TEST_ptr(row[DB_srpgN])
5511 || !TEST_true(TXT_DB_insert(db, row)))
5512 goto end;
5513
5514 row = NULL;
5515
5516 if (!TXT_DB_write(out, db))
5517 goto end;
5518
5519 ret = 1;
5520 end:
5521 if (row != NULL) {
5522 for (i = 0; i < DB_NUMBER; i++)
5523 OPENSSL_free(row[i]);
5524 }
5525 OPENSSL_free(row);
5526 BIO_free(dummy);
5527 BIO_free(out);
5528 TXT_DB_free(db);
5529
5530 return ret;
5531 }
5532
create_new_vbase(char * userid,char * password)5533 static int create_new_vbase(char *userid, char *password)
5534 {
5535 BIGNUM *verifier = NULL, *salt = NULL;
5536 const SRP_gN *lgN = NULL;
5537 SRP_user_pwd *user_pwd = NULL;
5538 int ret = 0;
5539
5540 lgN = SRP_get_default_gN(NULL);
5541 if (!TEST_ptr(lgN))
5542 goto end;
5543
5544 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5545 lgN->N, lgN->g)))
5546 goto end;
5547
5548 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5549 if (!TEST_ptr(user_pwd))
5550 goto end;
5551
5552 user_pwd->N = lgN->N;
5553 user_pwd->g = lgN->g;
5554 user_pwd->id = OPENSSL_strdup(userid);
5555 if (!TEST_ptr(user_pwd->id))
5556 goto end;
5557
5558 user_pwd->v = verifier;
5559 user_pwd->s = salt;
5560 verifier = salt = NULL;
5561
5562 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5563 goto end;
5564 user_pwd = NULL;
5565
5566 ret = 1;
5567 end:
5568 SRP_user_pwd_free(user_pwd);
5569 BN_free(salt);
5570 BN_free(verifier);
5571
5572 return ret;
5573 }
5574
5575 /*
5576 * SRP tests
5577 *
5578 * Test 0: Simple successful SRP connection, new vbase
5579 * Test 1: Connection failure due to bad password, new vbase
5580 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5581 * Test 3: Connection failure due to bad password, vbase loaded from existing
5582 * file
5583 * Test 4: Simple successful SRP connection, vbase loaded from new file
5584 * Test 5: Connection failure due to bad password, vbase loaded from new file
5585 */
test_srp(int tst)5586 static int test_srp(int tst)
5587 {
5588 char *userid = "test", *password = "password", *tstsrpfile;
5589 SSL_CTX *cctx = NULL, *sctx = NULL;
5590 SSL *clientssl = NULL, *serverssl = NULL;
5591 int ret, testresult = 0;
5592
5593 vbase = SRP_VBASE_new(NULL);
5594 if (!TEST_ptr(vbase))
5595 goto end;
5596
5597 if (tst == 0 || tst == 1) {
5598 if (!TEST_true(create_new_vbase(userid, password)))
5599 goto end;
5600 } else {
5601 if (tst == 4 || tst == 5) {
5602 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5603 goto end;
5604 tstsrpfile = tmpfilename;
5605 } else {
5606 tstsrpfile = srpvfile;
5607 }
5608 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5609 goto end;
5610 }
5611
5612 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5613 TLS1_VERSION, TLS_MAX_VERSION,
5614 &sctx, &cctx, cert, privkey)))
5615 goto end;
5616
5617 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5618 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5619 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5620 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5621 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5622 goto end;
5623
5624 if (tst % 2 == 1) {
5625 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5626 goto end;
5627 } else {
5628 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5629 goto end;
5630 }
5631
5632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5633 NULL, NULL)))
5634 goto end;
5635
5636 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5637 if (ret) {
5638 if (!TEST_true(tst % 2 == 0))
5639 goto end;
5640 } else {
5641 if (!TEST_true(tst % 2 == 1))
5642 goto end;
5643 }
5644
5645 testresult = 1;
5646
5647 end:
5648 SRP_VBASE_free(vbase);
5649 vbase = NULL;
5650 SSL_free(serverssl);
5651 SSL_free(clientssl);
5652 SSL_CTX_free(sctx);
5653 SSL_CTX_free(cctx);
5654
5655 return testresult;
5656 }
5657 #endif
5658
5659 static int info_cb_failed = 0;
5660 static int info_cb_offset = 0;
5661 static int info_cb_this_state = -1;
5662
5663 static struct info_cb_states_st {
5664 int where;
5665 const char *statestr;
5666 } info_cb_states[][60] = {
5667 {
5668 /* TLSv1.2 server followed by resumption */
5669 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5670 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5671 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5672 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5673 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5674 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5675 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5676 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5677 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5678 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5679 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5680 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5681 {SSL_CB_EXIT, NULL}, {0, NULL},
5682 }, {
5683 /* TLSv1.2 client followed by resumption */
5684 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5685 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5686 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5687 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5688 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5689 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5690 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5691 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5692 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5693 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5694 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5695 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5696 }, {
5697 /* TLSv1.3 server followed by resumption */
5698 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5699 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5700 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5701 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5702 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
5703 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5704 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5705 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5706 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5707 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5708 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5709 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5710 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5711 }, {
5712 /* TLSv1.3 client followed by resumption */
5713 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5714 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5715 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5716 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5717 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5719 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5720 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5721 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5722 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5723 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5724 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5725 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5726 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5727 {SSL_CB_EXIT, NULL}, {0, NULL},
5728 }, {
5729 /* TLSv1.3 server, early_data */
5730 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5731 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5732 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5733 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5734 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5735 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
5736 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5737 {SSL_CB_EXIT, NULL}, {0, NULL},
5738 }, {
5739 /* TLSv1.3 client, early_data */
5740 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5741 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5742 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5743 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5744 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5745 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5746 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5747 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5748 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5749 }, {
5750 {0, NULL},
5751 }
5752 };
5753
sslapi_info_callback(const SSL * s,int where,int ret)5754 static void sslapi_info_callback(const SSL *s, int where, int ret)
5755 {
5756 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5757
5758 /* We do not ever expect a connection to fail in this test */
5759 if (!TEST_false(ret == 0)) {
5760 info_cb_failed = 1;
5761 return;
5762 }
5763
5764 /*
5765 * Do some sanity checks. We never expect these things to happen in this
5766 * test
5767 */
5768 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5769 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5770 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5771 info_cb_failed = 1;
5772 return;
5773 }
5774
5775 /* Now check we're in the right state */
5776 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5777 info_cb_failed = 1;
5778 return;
5779 }
5780 if ((where & SSL_CB_LOOP) != 0
5781 && !TEST_int_eq(strcmp(SSL_state_string(s),
5782 state[info_cb_this_state].statestr), 0)) {
5783 info_cb_failed = 1;
5784 return;
5785 }
5786
5787 /*
5788 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5789 */
5790 if ((where & SSL_CB_HANDSHAKE_DONE)
5791 && SSL_in_init((SSL *)s) != 0) {
5792 info_cb_failed = 1;
5793 return;
5794 }
5795 }
5796
5797 /*
5798 * Test the info callback gets called when we expect it to.
5799 *
5800 * Test 0: TLSv1.2, server
5801 * Test 1: TLSv1.2, client
5802 * Test 2: TLSv1.3, server
5803 * Test 3: TLSv1.3, client
5804 * Test 4: TLSv1.3, server, early_data
5805 * Test 5: TLSv1.3, client, early_data
5806 */
test_info_callback(int tst)5807 static int test_info_callback(int tst)
5808 {
5809 SSL_CTX *cctx = NULL, *sctx = NULL;
5810 SSL *clientssl = NULL, *serverssl = NULL;
5811 SSL_SESSION *clntsess = NULL;
5812 int testresult = 0;
5813 int tlsvers;
5814
5815 if (tst < 2) {
5816 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
5817 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5818 || !defined(OPENSSL_NO_DH))
5819 tlsvers = TLS1_2_VERSION;
5820 #else
5821 return 1;
5822 #endif
5823 } else {
5824 #ifndef OPENSSL_NO_TLS1_3
5825 tlsvers = TLS1_3_VERSION;
5826 #else
5827 return 1;
5828 #endif
5829 }
5830
5831 /* Reset globals */
5832 info_cb_failed = 0;
5833 info_cb_this_state = -1;
5834 info_cb_offset = tst;
5835
5836 #ifndef OPENSSL_NO_TLS1_3
5837 if (tst >= 4) {
5838 SSL_SESSION *sess = NULL;
5839 size_t written, readbytes;
5840 unsigned char buf[80];
5841
5842 /* early_data tests */
5843 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5844 &serverssl, &sess, 0)))
5845 goto end;
5846
5847 /* We don't actually need this reference */
5848 SSL_SESSION_free(sess);
5849
5850 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5851 sslapi_info_callback);
5852
5853 /* Write and read some early data and then complete the connection */
5854 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5855 &written))
5856 || !TEST_size_t_eq(written, strlen(MSG1))
5857 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5858 sizeof(buf), &readbytes),
5859 SSL_READ_EARLY_DATA_SUCCESS)
5860 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5861 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5862 SSL_EARLY_DATA_ACCEPTED)
5863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5864 SSL_ERROR_NONE))
5865 || !TEST_false(info_cb_failed))
5866 goto end;
5867
5868 testresult = 1;
5869 goto end;
5870 }
5871 #endif
5872
5873 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5874 TLS_client_method(),
5875 tlsvers, tlsvers, &sctx, &cctx, cert,
5876 privkey)))
5877 goto end;
5878
5879 /*
5880 * For even numbered tests we check the server callbacks. For odd numbers we
5881 * check the client.
5882 */
5883 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5884 sslapi_info_callback);
5885
5886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5887 &clientssl, NULL, NULL))
5888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5889 SSL_ERROR_NONE))
5890 || !TEST_false(info_cb_failed))
5891 goto end;
5892
5893
5894
5895 clntsess = SSL_get1_session(clientssl);
5896 SSL_shutdown(clientssl);
5897 SSL_shutdown(serverssl);
5898 SSL_free(serverssl);
5899 SSL_free(clientssl);
5900 serverssl = clientssl = NULL;
5901
5902 /* Now do a resumption */
5903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5904 NULL))
5905 || !TEST_true(SSL_set_session(clientssl, clntsess))
5906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5907 SSL_ERROR_NONE))
5908 || !TEST_true(SSL_session_reused(clientssl))
5909 || !TEST_false(info_cb_failed))
5910 goto end;
5911
5912 testresult = 1;
5913
5914 end:
5915 SSL_free(serverssl);
5916 SSL_free(clientssl);
5917 SSL_SESSION_free(clntsess);
5918 SSL_CTX_free(sctx);
5919 SSL_CTX_free(cctx);
5920 return testresult;
5921 }
5922
test_ssl_pending(int tst)5923 static int test_ssl_pending(int tst)
5924 {
5925 SSL_CTX *cctx = NULL, *sctx = NULL;
5926 SSL *clientssl = NULL, *serverssl = NULL;
5927 int testresult = 0;
5928 char msg[] = "A test message";
5929 char buf[5];
5930 size_t written, readbytes;
5931
5932 if (tst == 0) {
5933 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5934 TLS_client_method(),
5935 TLS1_VERSION, TLS_MAX_VERSION,
5936 &sctx, &cctx, cert, privkey)))
5937 goto end;
5938 } else {
5939 #ifndef OPENSSL_NO_DTLS
5940 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5941 DTLS_client_method(),
5942 DTLS1_VERSION, DTLS_MAX_VERSION,
5943 &sctx, &cctx, cert, privkey)))
5944 goto end;
5945 #else
5946 return 1;
5947 #endif
5948 }
5949
5950 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5951 NULL, NULL))
5952 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5953 SSL_ERROR_NONE)))
5954 goto end;
5955
5956 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5957 || !TEST_false(SSL_has_pending(clientssl))
5958 || !TEST_int_eq(SSL_pending(serverssl), 0)
5959 || !TEST_false(SSL_has_pending(serverssl))
5960 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
5961 || !TEST_size_t_eq(written, sizeof(msg))
5962 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5963 || !TEST_size_t_eq(readbytes, sizeof(buf))
5964 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5965 || !TEST_true(SSL_has_pending(clientssl)))
5966 goto end;
5967
5968 testresult = 1;
5969
5970 end:
5971 SSL_free(serverssl);
5972 SSL_free(clientssl);
5973 SSL_CTX_free(sctx);
5974 SSL_CTX_free(cctx);
5975
5976 return testresult;
5977 }
5978
5979 static struct {
5980 unsigned int maxprot;
5981 const char *clntciphers;
5982 const char *clnttls13ciphers;
5983 const char *srvrciphers;
5984 const char *srvrtls13ciphers;
5985 const char *shared;
5986 } shared_ciphers_data[] = {
5987 /*
5988 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5989 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5990 */
5991 #if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
5992 {
5993 TLS1_2_VERSION,
5994 "AES128-SHA:AES256-SHA",
5995 NULL,
5996 "AES256-SHA:DHE-RSA-AES128-SHA",
5997 NULL,
5998 "AES256-SHA"
5999 },
6000 {
6001 TLS1_2_VERSION,
6002 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6003 NULL,
6004 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6005 NULL,
6006 "AES128-SHA:AES256-SHA"
6007 },
6008 {
6009 TLS1_2_VERSION,
6010 "AES128-SHA:AES256-SHA",
6011 NULL,
6012 "AES128-SHA:DHE-RSA-AES128-SHA",
6013 NULL,
6014 "AES128-SHA"
6015 },
6016 #endif
6017 /*
6018 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6019 * enabled.
6020 */
6021 #if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6022 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
6023 {
6024 TLS1_3_VERSION,
6025 "AES128-SHA:AES256-SHA",
6026 NULL,
6027 "AES256-SHA:AES128-SHA256",
6028 NULL,
6029 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6030 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6031 },
6032 #endif
6033 #ifndef OPENSSL_NO_TLS1_3
6034 {
6035 TLS1_3_VERSION,
6036 "AES128-SHA",
6037 "TLS_AES_256_GCM_SHA384",
6038 "AES256-SHA",
6039 "TLS_AES_256_GCM_SHA384",
6040 "TLS_AES_256_GCM_SHA384"
6041 },
6042 #endif
6043 };
6044
test_ssl_get_shared_ciphers(int tst)6045 static int test_ssl_get_shared_ciphers(int tst)
6046 {
6047 SSL_CTX *cctx = NULL, *sctx = NULL;
6048 SSL *clientssl = NULL, *serverssl = NULL;
6049 int testresult = 0;
6050 char buf[1024];
6051
6052 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6053 TLS_client_method(),
6054 TLS1_VERSION,
6055 shared_ciphers_data[tst].maxprot,
6056 &sctx, &cctx, cert, privkey)))
6057 goto end;
6058
6059 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6060 shared_ciphers_data[tst].clntciphers))
6061 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6062 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6063 shared_ciphers_data[tst].clnttls13ciphers)))
6064 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6065 shared_ciphers_data[tst].srvrciphers))
6066 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6067 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6068 shared_ciphers_data[tst].srvrtls13ciphers))))
6069 goto end;
6070
6071
6072 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6073 NULL, NULL))
6074 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6075 SSL_ERROR_NONE)))
6076 goto end;
6077
6078 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6079 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6080 TEST_info("Shared ciphers are: %s\n", buf);
6081 goto end;
6082 }
6083
6084 testresult = 1;
6085
6086 end:
6087 SSL_free(serverssl);
6088 SSL_free(clientssl);
6089 SSL_CTX_free(sctx);
6090 SSL_CTX_free(cctx);
6091
6092 return testresult;
6093 }
6094
6095 static const char *appdata = "Hello World";
6096 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6097 static int tick_key_renew = 0;
6098 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6099
gen_tick_cb(SSL * s,void * arg)6100 static int gen_tick_cb(SSL *s, void *arg)
6101 {
6102 gen_tick_called = 1;
6103
6104 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6105 strlen(appdata));
6106 }
6107
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)6108 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6109 const unsigned char *keyname,
6110 size_t keyname_length,
6111 SSL_TICKET_STATUS status,
6112 void *arg)
6113 {
6114 void *tickdata;
6115 size_t tickdlen;
6116
6117 dec_tick_called = 1;
6118
6119 if (status == SSL_TICKET_EMPTY)
6120 return SSL_TICKET_RETURN_IGNORE_RENEW;
6121
6122 if (!TEST_true(status == SSL_TICKET_SUCCESS
6123 || status == SSL_TICKET_SUCCESS_RENEW))
6124 return SSL_TICKET_RETURN_ABORT;
6125
6126 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6127 &tickdlen))
6128 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6129 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
6130 return SSL_TICKET_RETURN_ABORT;
6131
6132 if (tick_key_cb_called) {
6133 /* Don't change what the ticket key callback wanted to do */
6134 switch (status) {
6135 case SSL_TICKET_NO_DECRYPT:
6136 return SSL_TICKET_RETURN_IGNORE_RENEW;
6137
6138 case SSL_TICKET_SUCCESS:
6139 return SSL_TICKET_RETURN_USE;
6140
6141 case SSL_TICKET_SUCCESS_RENEW:
6142 return SSL_TICKET_RETURN_USE_RENEW;
6143
6144 default:
6145 return SSL_TICKET_RETURN_ABORT;
6146 }
6147 }
6148 return tick_dec_ret;
6149
6150 }
6151
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)6152 static int tick_key_cb(SSL *s, unsigned char key_name[16],
6153 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6154 HMAC_CTX *hctx, int enc)
6155 {
6156 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6157 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6158
6159 tick_key_cb_called = 1;
6160 memset(iv, 0, AES_BLOCK_SIZE);
6161 memset(key_name, 0, 16);
6162 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6163 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6164 EVP_sha256(), NULL))
6165 return -1;
6166
6167 return tick_key_renew ? 2 : 1;
6168 }
6169
6170 /*
6171 * Test the various ticket callbacks
6172 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6173 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6174 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6175 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6176 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6177 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6178 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6179 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6180 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
6181 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
6182 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
6183 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
6184 */
test_ticket_callbacks(int tst)6185 static int test_ticket_callbacks(int tst)
6186 {
6187 SSL_CTX *cctx = NULL, *sctx = NULL;
6188 SSL *clientssl = NULL, *serverssl = NULL;
6189 SSL_SESSION *clntsess = NULL;
6190 int testresult = 0;
6191
6192 #ifdef OPENSSL_NO_TLS1_2
6193 if (tst % 2 == 0)
6194 return 1;
6195 #endif
6196 #ifdef OPENSSL_NO_TLS1_3
6197 if (tst % 2 == 1)
6198 return 1;
6199 #endif
6200
6201 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
6202
6203 /* Which tests the ticket key callback should request renewal for */
6204 if (tst == 10 || tst == 11)
6205 tick_key_renew = 1;
6206 else
6207 tick_key_renew = 0;
6208
6209 /* Which tests the decrypt ticket callback should request renewal for */
6210 switch (tst) {
6211 case 0:
6212 case 1:
6213 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6214 break;
6215
6216 case 2:
6217 case 3:
6218 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6219 break;
6220
6221 case 4:
6222 case 5:
6223 tick_dec_ret = SSL_TICKET_RETURN_USE;
6224 break;
6225
6226 case 6:
6227 case 7:
6228 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6229 break;
6230
6231 default:
6232 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6233 }
6234
6235 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6236 TLS_client_method(),
6237 TLS1_VERSION,
6238 ((tst % 2) == 0) ? TLS1_2_VERSION
6239 : TLS1_3_VERSION,
6240 &sctx, &cctx, cert, privkey)))
6241 goto end;
6242
6243 /*
6244 * We only want sessions to resume from tickets - not the session cache. So
6245 * switch the cache off.
6246 */
6247 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6248 goto end;
6249
6250 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6251 NULL)))
6252 goto end;
6253
6254 if (tst >= 8
6255 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6256 goto end;
6257
6258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6259 NULL, NULL))
6260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6261 SSL_ERROR_NONE)))
6262 goto end;
6263
6264 /*
6265 * The decrypt ticket key callback in TLSv1.2 should be called even though
6266 * we have no ticket yet, because it gets called with a status of
6267 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6268 * actually send any ticket data). This does not happen in TLSv1.3 because
6269 * it is not valid to send empty ticket data in TLSv1.3.
6270 */
6271 if (!TEST_int_eq(gen_tick_called, 1)
6272 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
6273 goto end;
6274
6275 gen_tick_called = dec_tick_called = 0;
6276
6277 clntsess = SSL_get1_session(clientssl);
6278 SSL_shutdown(clientssl);
6279 SSL_shutdown(serverssl);
6280 SSL_free(serverssl);
6281 SSL_free(clientssl);
6282 serverssl = clientssl = NULL;
6283
6284 /* Now do a resumption */
6285 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6286 NULL))
6287 || !TEST_true(SSL_set_session(clientssl, clntsess))
6288 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6289 SSL_ERROR_NONE)))
6290 goto end;
6291
6292 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6293 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6294 if (!TEST_false(SSL_session_reused(clientssl)))
6295 goto end;
6296 } else {
6297 if (!TEST_true(SSL_session_reused(clientssl)))
6298 goto end;
6299 }
6300
6301 if (!TEST_int_eq(gen_tick_called,
6302 (tick_key_renew
6303 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6304 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6305 ? 1 : 0)
6306 || !TEST_int_eq(dec_tick_called, 1))
6307 goto end;
6308
6309 testresult = 1;
6310
6311 end:
6312 SSL_SESSION_free(clntsess);
6313 SSL_free(serverssl);
6314 SSL_free(clientssl);
6315 SSL_CTX_free(sctx);
6316 SSL_CTX_free(cctx);
6317
6318 return testresult;
6319 }
6320
6321 /*
6322 * Test bi-directional shutdown.
6323 * Test 0: TLSv1.2
6324 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6325 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6326 * Test 3: TLSv1.3, pending NewSessionTicket messages
6327 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6328 * sends key update, client reads it
6329 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6330 * sends CertificateRequest, client reads and ignores it
6331 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
6332 * doesn't read it
6333 */
test_shutdown(int tst)6334 static int test_shutdown(int tst)
6335 {
6336 SSL_CTX *cctx = NULL, *sctx = NULL;
6337 SSL *clientssl = NULL, *serverssl = NULL;
6338 int testresult = 0;
6339 char msg[] = "A test message";
6340 char buf[80];
6341 size_t written, readbytes;
6342 SSL_SESSION *sess;
6343
6344 #ifdef OPENSSL_NO_TLS1_2
6345 if (tst <= 1)
6346 return 1;
6347 #endif
6348 #ifdef OPENSSL_NO_TLS1_3
6349 if (tst >= 2)
6350 return 1;
6351 #endif
6352
6353 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6354 TLS_client_method(),
6355 TLS1_VERSION,
6356 (tst <= 1) ? TLS1_2_VERSION
6357 : TLS1_3_VERSION,
6358 &sctx, &cctx, cert, privkey)))
6359 goto end;
6360
6361 if (tst == 5)
6362 SSL_CTX_set_post_handshake_auth(cctx, 1);
6363
6364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6365 NULL, NULL)))
6366 goto end;
6367
6368 if (tst == 3) {
6369 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
6370 SSL_ERROR_NONE, 1))
6371 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6372 || !TEST_false(SSL_SESSION_is_resumable(sess)))
6373 goto end;
6374 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6375 SSL_ERROR_NONE))
6376 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6377 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
6378 goto end;
6379 }
6380
6381 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6382 goto end;
6383
6384 if (tst >= 4) {
6385 /*
6386 * Reading on the server after the client has sent close_notify should
6387 * fail and provide SSL_ERROR_ZERO_RETURN
6388 */
6389 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6390 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6391 SSL_ERROR_ZERO_RETURN)
6392 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6393 SSL_RECEIVED_SHUTDOWN)
6394 /*
6395 * Even though we're shutdown on receive we should still be
6396 * able to write.
6397 */
6398 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6399 goto end;
6400 if (tst == 4
6401 && !TEST_true(SSL_key_update(serverssl,
6402 SSL_KEY_UPDATE_REQUESTED)))
6403 goto end;
6404 if (tst == 5) {
6405 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6406 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6407 goto end;
6408 }
6409 if ((tst == 4 || tst == 5)
6410 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6411 goto end;
6412 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
6413 goto end;
6414 if (tst == 4 || tst == 5) {
6415 /* Should still be able to read data from server */
6416 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6417 &readbytes))
6418 || !TEST_size_t_eq(readbytes, sizeof(msg))
6419 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6420 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6421 &readbytes))
6422 || !TEST_size_t_eq(readbytes, sizeof(msg))
6423 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6424 goto end;
6425 }
6426 }
6427
6428 /* Writing on the client after sending close_notify shouldn't be possible */
6429 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
6430 goto end;
6431
6432 if (tst < 4) {
6433 /*
6434 * For these tests the client has sent close_notify but it has not yet
6435 * been received by the server. The server has not sent close_notify
6436 * yet.
6437 */
6438 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
6439 /*
6440 * Writing on the server after sending close_notify shouldn't
6441 * be possible.
6442 */
6443 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
6444 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
6445 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6446 || !TEST_true(SSL_SESSION_is_resumable(sess))
6447 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6448 goto end;
6449 } else if (tst == 4 || tst == 5) {
6450 /*
6451 * In this test the client has sent close_notify and it has been
6452 * received by the server which has responded with a close_notify. The
6453 * client needs to read the close_notify sent by the server.
6454 */
6455 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6456 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6457 || !TEST_true(SSL_SESSION_is_resumable(sess)))
6458 goto end;
6459 } else {
6460 /*
6461 * tst == 6
6462 *
6463 * The client has sent close_notify and is expecting a close_notify
6464 * back, but instead there is application data first. The shutdown
6465 * should fail with a fatal error.
6466 */
6467 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6468 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6469 goto end;
6470 }
6471
6472 testresult = 1;
6473
6474 end:
6475 SSL_free(serverssl);
6476 SSL_free(clientssl);
6477 SSL_CTX_free(sctx);
6478 SSL_CTX_free(cctx);
6479
6480 return testresult;
6481 }
6482
6483 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6484 static int cert_cb_cnt;
6485
cert_cb(SSL * s,void * arg)6486 static int cert_cb(SSL *s, void *arg)
6487 {
6488 SSL_CTX *ctx = (SSL_CTX *)arg;
6489 BIO *in = NULL;
6490 EVP_PKEY *pkey = NULL;
6491 X509 *x509 = NULL, *rootx = NULL;
6492 STACK_OF(X509) *chain = NULL;
6493 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6494 int ret = 0;
6495
6496 if (cert_cb_cnt == 0) {
6497 /* Suspend the handshake */
6498 cert_cb_cnt++;
6499 return -1;
6500 } else if (cert_cb_cnt == 1) {
6501 /*
6502 * Update the SSL_CTX, set the certificate and private key and then
6503 * continue the handshake normally.
6504 */
6505 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6506 return 0;
6507
6508 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6509 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6510 SSL_FILETYPE_PEM))
6511 || !TEST_true(SSL_check_private_key(s)))
6512 return 0;
6513 cert_cb_cnt++;
6514 return 1;
6515 } else if (cert_cb_cnt == 3) {
6516 int rv;
6517
6518 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6519 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6520 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6521 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6522 goto out;
6523 chain = sk_X509_new_null();
6524 if (!TEST_ptr(chain))
6525 goto out;
6526 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6527 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6528 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6529 || !TEST_true(sk_X509_push(chain, rootx)))
6530 goto out;
6531 rootx = NULL;
6532 BIO_free(in);
6533 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6534 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6535 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6536 goto out;
6537 BIO_free(in);
6538 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6539 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
6540 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6541 goto out;
6542 rv = SSL_check_chain(s, x509, pkey, chain);
6543 /*
6544 * If the cert doesn't show as valid here (e.g., because we don't
6545 * have any shared sigalgs), then we will not set it, and there will
6546 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6547 * will cause tls_choose_sigalgs() to fail the connection.
6548 */
6549 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6550 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
6551 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6552 goto out;
6553 }
6554
6555 ret = 1;
6556 }
6557
6558 /* Abort the handshake */
6559 out:
6560 OPENSSL_free(ecdsacert);
6561 OPENSSL_free(ecdsakey);
6562 OPENSSL_free(rootfile);
6563 BIO_free(in);
6564 EVP_PKEY_free(pkey);
6565 X509_free(x509);
6566 X509_free(rootx);
6567 sk_X509_pop_free(chain, X509_free);
6568 return ret;
6569 }
6570
6571 /*
6572 * Test the certificate callback.
6573 * Test 0: Callback fails
6574 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6575 * Test 2: Success - SSL_set_SSL_CTX() in the callback
6576 * Test 3: Success - Call SSL_check_chain from the callback
6577 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6578 * chain
6579 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
6580 */
test_cert_cb_int(int prot,int tst)6581 static int test_cert_cb_int(int prot, int tst)
6582 {
6583 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6584 SSL *clientssl = NULL, *serverssl = NULL;
6585 int testresult = 0, ret;
6586
6587 #ifdef OPENSSL_NO_EC
6588 /* We use an EC cert in these tests, so we skip in a no-ec build */
6589 if (tst >= 3)
6590 return 1;
6591 #endif
6592
6593 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6594 TLS_client_method(),
6595 TLS1_VERSION,
6596 prot,
6597 &sctx, &cctx, NULL, NULL)))
6598 goto end;
6599
6600 if (tst == 0)
6601 cert_cb_cnt = -1;
6602 else if (tst >= 3)
6603 cert_cb_cnt = 3;
6604 else
6605 cert_cb_cnt = 0;
6606
6607 if (tst == 2)
6608 snictx = SSL_CTX_new(TLS_server_method());
6609 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6610
6611 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6612 NULL, NULL)))
6613 goto end;
6614
6615 if (tst == 4) {
6616 /*
6617 * We cause SSL_check_chain() to fail by specifying sig_algs that
6618 * the chain doesn't meet (the root uses an RSA cert)
6619 */
6620 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6621 "ecdsa_secp256r1_sha256")))
6622 goto end;
6623 } else if (tst == 5) {
6624 /*
6625 * We cause SSL_check_chain() to fail by specifying sig_algs that
6626 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6627 */
6628 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6629 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6630 goto end;
6631 }
6632
6633 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6634 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
6635 || (tst > 0
6636 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
6637 goto end;
6638 }
6639
6640 testresult = 1;
6641
6642 end:
6643 SSL_free(serverssl);
6644 SSL_free(clientssl);
6645 SSL_CTX_free(sctx);
6646 SSL_CTX_free(cctx);
6647 SSL_CTX_free(snictx);
6648
6649 return testresult;
6650 }
6651 #endif
6652
test_cert_cb(int tst)6653 static int test_cert_cb(int tst)
6654 {
6655 int testresult = 1;
6656
6657 #ifndef OPENSSL_NO_TLS1_2
6658 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6659 #endif
6660 #ifndef OPENSSL_NO_TLS1_3
6661 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6662 #endif
6663
6664 return testresult;
6665 }
6666
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)6667 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6668 {
6669 X509 *xcert, *peer;
6670 EVP_PKEY *privpkey;
6671 BIO *in = NULL;
6672
6673 /* Check that SSL_get_peer_certificate() returns something sensible */
6674 peer = SSL_get_peer_certificate(ssl);
6675 if (!TEST_ptr(peer))
6676 return 0;
6677 X509_free(peer);
6678
6679 in = BIO_new_file(cert, "r");
6680 if (!TEST_ptr(in))
6681 return 0;
6682
6683 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6684 BIO_free(in);
6685 if (!TEST_ptr(xcert))
6686 return 0;
6687
6688 in = BIO_new_file(privkey, "r");
6689 if (!TEST_ptr(in)) {
6690 X509_free(xcert);
6691 return 0;
6692 }
6693
6694 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6695 BIO_free(in);
6696 if (!TEST_ptr(privpkey)) {
6697 X509_free(xcert);
6698 return 0;
6699 }
6700
6701 *x509 = xcert;
6702 *pkey = privpkey;
6703
6704 return 1;
6705 }
6706
test_client_cert_cb(int tst)6707 static int test_client_cert_cb(int tst)
6708 {
6709 SSL_CTX *cctx = NULL, *sctx = NULL;
6710 SSL *clientssl = NULL, *serverssl = NULL;
6711 int testresult = 0;
6712
6713 #ifdef OPENSSL_NO_TLS1_2
6714 if (tst == 0)
6715 return 1;
6716 #endif
6717 #ifdef OPENSSL_NO_TLS1_3
6718 if (tst == 1)
6719 return 1;
6720 #endif
6721
6722 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6723 TLS_client_method(),
6724 TLS1_VERSION,
6725 tst == 0 ? TLS1_2_VERSION
6726 : TLS1_3_VERSION,
6727 &sctx, &cctx, cert, privkey)))
6728 goto end;
6729
6730 /*
6731 * Test that setting a client_cert_cb results in a client certificate being
6732 * sent.
6733 */
6734 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6735 SSL_CTX_set_verify(sctx,
6736 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6737 verify_cb);
6738
6739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6740 NULL, NULL))
6741 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6742 SSL_ERROR_NONE)))
6743 goto end;
6744
6745 testresult = 1;
6746
6747 end:
6748 SSL_free(serverssl);
6749 SSL_free(clientssl);
6750 SSL_CTX_free(sctx);
6751 SSL_CTX_free(cctx);
6752
6753 return testresult;
6754 }
6755
6756 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6757 /*
6758 * Test setting certificate authorities on both client and server.
6759 *
6760 * Test 0: SSL_CTX_set0_CA_list() only
6761 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6762 * Test 2: Only SSL_CTX_set_client_CA_list()
6763 */
test_ca_names_int(int prot,int tst)6764 static int test_ca_names_int(int prot, int tst)
6765 {
6766 SSL_CTX *cctx = NULL, *sctx = NULL;
6767 SSL *clientssl = NULL, *serverssl = NULL;
6768 int testresult = 0;
6769 size_t i;
6770 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6771 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6772 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6773 const STACK_OF(X509_NAME) *sktmp = NULL;
6774
6775 for (i = 0; i < OSSL_NELEM(name); i++) {
6776 name[i] = X509_NAME_new();
6777 if (!TEST_ptr(name[i])
6778 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6779 MBSTRING_ASC,
6780 (unsigned char *)
6781 strnames[i],
6782 -1, -1, 0)))
6783 goto end;
6784 }
6785
6786 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6787 TLS_client_method(),
6788 TLS1_VERSION,
6789 prot,
6790 &sctx, &cctx, cert, privkey)))
6791 goto end;
6792
6793 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6794
6795 if (tst == 0 || tst == 1) {
6796 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6797 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6798 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6799 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6800 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6801 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6802 goto end;
6803
6804 SSL_CTX_set0_CA_list(sctx, sk1);
6805 SSL_CTX_set0_CA_list(cctx, sk2);
6806 sk1 = sk2 = NULL;
6807 }
6808 if (tst == 1 || tst == 2) {
6809 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6810 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6811 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6812 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6813 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6814 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6815 goto end;
6816
6817 SSL_CTX_set_client_CA_list(sctx, sk1);
6818 SSL_CTX_set_client_CA_list(cctx, sk2);
6819 sk1 = sk2 = NULL;
6820 }
6821
6822 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6823 NULL, NULL))
6824 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6825 SSL_ERROR_NONE)))
6826 goto end;
6827
6828 /*
6829 * We only expect certificate authorities to have been sent to the server
6830 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6831 */
6832 sktmp = SSL_get0_peer_CA_list(serverssl);
6833 if (prot == TLS1_3_VERSION
6834 && (tst == 0 || tst == 1)) {
6835 if (!TEST_ptr(sktmp)
6836 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6837 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6838 name[0]), 0)
6839 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6840 name[1]), 0))
6841 goto end;
6842 } else if (!TEST_ptr_null(sktmp)) {
6843 goto end;
6844 }
6845
6846 /*
6847 * In all tests we expect certificate authorities to have been sent to the
6848 * client. However, SSL_set_client_CA_list() should override
6849 * SSL_set0_CA_list()
6850 */
6851 sktmp = SSL_get0_peer_CA_list(clientssl);
6852 if (!TEST_ptr(sktmp)
6853 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6854 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6855 name[tst == 0 ? 0 : 2]), 0)
6856 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6857 name[tst == 0 ? 1 : 3]), 0))
6858 goto end;
6859
6860 testresult = 1;
6861
6862 end:
6863 SSL_free(serverssl);
6864 SSL_free(clientssl);
6865 SSL_CTX_free(sctx);
6866 SSL_CTX_free(cctx);
6867 for (i = 0; i < OSSL_NELEM(name); i++)
6868 X509_NAME_free(name[i]);
6869 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6870 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6871
6872 return testresult;
6873 }
6874 #endif
6875
test_ca_names(int tst)6876 static int test_ca_names(int tst)
6877 {
6878 int testresult = 1;
6879
6880 #ifndef OPENSSL_NO_TLS1_2
6881 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6882 #endif
6883 #ifndef OPENSSL_NO_TLS1_3
6884 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6885 #endif
6886
6887 return testresult;
6888 }
6889
6890 /*
6891 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
6892 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
6893 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
6894 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
6895 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
6896 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
6897 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
6898 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
6899 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
6900 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
6901 */
test_servername(int tst)6902 static int test_servername(int tst)
6903 {
6904 SSL_CTX *cctx = NULL, *sctx = NULL;
6905 SSL *clientssl = NULL, *serverssl = NULL;
6906 int testresult = 0;
6907 SSL_SESSION *sess = NULL;
6908 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
6909
6910 #ifdef OPENSSL_NO_TLS1_2
6911 if (tst <= 4)
6912 return 1;
6913 #endif
6914 #ifdef OPENSSL_NO_TLS1_3
6915 if (tst >= 5)
6916 return 1;
6917 #endif
6918
6919 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6920 TLS_client_method(),
6921 TLS1_VERSION,
6922 (tst <= 4) ? TLS1_2_VERSION
6923 : TLS1_3_VERSION,
6924 &sctx, &cctx, cert, privkey))
6925 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6926 NULL, NULL)))
6927 goto end;
6928
6929 if (tst != 1 && tst != 6) {
6930 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
6931 hostname_cb)))
6932 goto end;
6933 }
6934
6935 if (tst != 3 && tst != 8) {
6936 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
6937 goto end;
6938 sexpectedhost = cexpectedhost = "goodhost";
6939 }
6940
6941 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
6942 goto end;
6943
6944 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
6945 cexpectedhost)
6946 || !TEST_str_eq(SSL_get_servername(serverssl,
6947 TLSEXT_NAMETYPE_host_name),
6948 sexpectedhost))
6949 goto end;
6950
6951 /* Now repeat with a resumption handshake */
6952
6953 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
6954 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
6955 || !TEST_true(SSL_SESSION_is_resumable(sess))
6956 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
6957 goto end;
6958
6959 SSL_free(clientssl);
6960 SSL_free(serverssl);
6961 clientssl = serverssl = NULL;
6962
6963 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6964 NULL)))
6965 goto end;
6966
6967 if (!TEST_true(SSL_set_session(clientssl, sess)))
6968 goto end;
6969
6970 sexpectedhost = cexpectedhost = "goodhost";
6971 if (tst == 2 || tst == 7) {
6972 /* Set an inconsistent hostname */
6973 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
6974 goto end;
6975 /*
6976 * In TLSv1.2 we expect the hostname from the original handshake, in
6977 * TLSv1.3 we expect the hostname from this handshake
6978 */
6979 if (tst == 7)
6980 sexpectedhost = cexpectedhost = "altgoodhost";
6981
6982 if (!TEST_str_eq(SSL_get_servername(clientssl,
6983 TLSEXT_NAMETYPE_host_name),
6984 "altgoodhost"))
6985 goto end;
6986 } else if (tst == 4 || tst == 9) {
6987 /*
6988 * A TLSv1.3 session does not associate a session with a servername,
6989 * but a TLSv1.2 session does.
6990 */
6991 if (tst == 9)
6992 sexpectedhost = cexpectedhost = NULL;
6993
6994 if (!TEST_str_eq(SSL_get_servername(clientssl,
6995 TLSEXT_NAMETYPE_host_name),
6996 cexpectedhost))
6997 goto end;
6998 } else {
6999 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7000 goto end;
7001 /*
7002 * In a TLSv1.2 resumption where the hostname was not acknowledged
7003 * we expect the hostname on the server to be empty. On the client we
7004 * return what was requested in this case.
7005 *
7006 * Similarly if the client didn't set a hostname on an original TLSv1.2
7007 * session but is now, the server hostname will be empty, but the client
7008 * is as we set it.
7009 */
7010 if (tst == 1 || tst == 3)
7011 sexpectedhost = NULL;
7012
7013 if (!TEST_str_eq(SSL_get_servername(clientssl,
7014 TLSEXT_NAMETYPE_host_name),
7015 "goodhost"))
7016 goto end;
7017 }
7018
7019 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7020 goto end;
7021
7022 if (!TEST_true(SSL_session_reused(clientssl))
7023 || !TEST_true(SSL_session_reused(serverssl))
7024 || !TEST_str_eq(SSL_get_servername(clientssl,
7025 TLSEXT_NAMETYPE_host_name),
7026 cexpectedhost)
7027 || !TEST_str_eq(SSL_get_servername(serverssl,
7028 TLSEXT_NAMETYPE_host_name),
7029 sexpectedhost))
7030 goto end;
7031
7032 testresult = 1;
7033
7034 end:
7035 SSL_SESSION_free(sess);
7036 SSL_free(serverssl);
7037 SSL_free(clientssl);
7038 SSL_CTX_free(sctx);
7039 SSL_CTX_free(cctx);
7040
7041 return testresult;
7042 }
7043
7044 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)7045 static int test_ssl_dup(void)
7046 {
7047 SSL_CTX *cctx = NULL, *sctx = NULL;
7048 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
7049 int testresult = 0;
7050 BIO *rbio = NULL, *wbio = NULL;
7051
7052 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
7053 TLS_client_method(),
7054 0,
7055 0,
7056 &sctx, &cctx, cert, privkey)))
7057 goto end;
7058
7059 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7060 NULL, NULL)))
7061 goto end;
7062
7063 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
7064 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
7065 goto end;
7066
7067 client2ssl = SSL_dup(clientssl);
7068 rbio = SSL_get_rbio(clientssl);
7069 if (!TEST_ptr(rbio)
7070 || !TEST_true(BIO_up_ref(rbio)))
7071 goto end;
7072 SSL_set0_rbio(client2ssl, rbio);
7073 rbio = NULL;
7074
7075 wbio = SSL_get_wbio(clientssl);
7076 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
7077 goto end;
7078 SSL_set0_wbio(client2ssl, wbio);
7079 rbio = NULL;
7080
7081 if (!TEST_ptr(client2ssl)
7082 /* Handshake not started so pointers should be different */
7083 || !TEST_ptr_ne(clientssl, client2ssl))
7084 goto end;
7085
7086 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
7087 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
7088 goto end;
7089
7090 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
7091 goto end;
7092
7093 SSL_free(clientssl);
7094 clientssl = SSL_dup(client2ssl);
7095 if (!TEST_ptr(clientssl)
7096 /* Handshake has finished so pointers should be the same */
7097 || !TEST_ptr_eq(clientssl, client2ssl))
7098 goto end;
7099
7100 testresult = 1;
7101
7102 end:
7103 SSL_free(serverssl);
7104 SSL_free(clientssl);
7105 SSL_free(client2ssl);
7106 SSL_CTX_free(sctx);
7107 SSL_CTX_free(cctx);
7108
7109 return testresult;
7110 }
7111 #endif
7112
7113 #ifndef OPENSSL_NO_TLS1_3
7114 /*
7115 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
7116 * that it works even without a certificate configured for the original
7117 * SSL_CTX
7118 */
test_sni_tls13(void)7119 static int test_sni_tls13(void)
7120 {
7121 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
7122 SSL *clientssl = NULL, *serverssl = NULL;
7123 int testresult = 0;
7124
7125 /* Reset callback counter */
7126 snicb = 0;
7127
7128 /* Create an initial SSL_CTX with no certificate configured */
7129 sctx = SSL_CTX_new(TLS_server_method());
7130 if (!TEST_ptr(sctx))
7131 goto end;
7132 /* Require TLSv1.3 as a minimum */
7133 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
7134 TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
7135 privkey)))
7136 goto end;
7137
7138 /* Set up SNI */
7139 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
7140 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
7141 goto end;
7142
7143 /*
7144 * Connection should still succeed because the final SSL_CTX has the right
7145 * certificates configured.
7146 */
7147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7148 &clientssl, NULL, NULL))
7149 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7150 SSL_ERROR_NONE)))
7151 goto end;
7152
7153 /* We should have had the SNI callback called exactly once */
7154 if (!TEST_int_eq(snicb, 1))
7155 goto end;
7156
7157 testresult = 1;
7158
7159 end:
7160 SSL_free(serverssl);
7161 SSL_free(clientssl);
7162 SSL_CTX_free(sctx2);
7163 SSL_CTX_free(sctx);
7164 SSL_CTX_free(cctx);
7165 return testresult;
7166 }
7167 #endif
7168 /*
7169 * Test that setting an ALPN does not violate RFC
7170 */
test_set_alpn(void)7171 static int test_set_alpn(void)
7172 {
7173 SSL_CTX *ctx = NULL;
7174 SSL *ssl = NULL;
7175 int testresult = 0;
7176
7177 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
7178 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
7179 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
7180 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
7181 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
7182 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
7183
7184 /* Create an initial SSL_CTX with no certificate configured */
7185 ctx = SSL_CTX_new(TLS_server_method());
7186 if (!TEST_ptr(ctx))
7187 goto end;
7188
7189 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
7190 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
7191 goto end;
7192 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
7193 goto end;
7194 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
7195 goto end;
7196 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
7197 goto end;
7198 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
7199 goto end;
7200 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
7201 goto end;
7202 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
7203 goto end;
7204 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
7205 goto end;
7206 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
7207 goto end;
7208
7209 ssl = SSL_new(ctx);
7210 if (!TEST_ptr(ssl))
7211 goto end;
7212
7213 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
7214 goto end;
7215 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
7216 goto end;
7217 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
7218 goto end;
7219 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
7220 goto end;
7221 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
7222 goto end;
7223 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
7224 goto end;
7225 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
7226 goto end;
7227 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
7228 goto end;
7229 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
7230 goto end;
7231
7232 testresult = 1;
7233
7234 end:
7235 SSL_free(ssl);
7236 SSL_CTX_free(ctx);
7237 return testresult;
7238 }
7239
test_inherit_verify_param(void)7240 static int test_inherit_verify_param(void)
7241 {
7242 int testresult = 0;
7243
7244 SSL_CTX *ctx = NULL;
7245 X509_VERIFY_PARAM *cp = NULL;
7246 SSL *ssl = NULL;
7247 X509_VERIFY_PARAM *sp = NULL;
7248 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
7249
7250 ctx = SSL_CTX_new(TLS_server_method());
7251 if (!TEST_ptr(ctx))
7252 goto end;
7253
7254 cp = SSL_CTX_get0_param(ctx);
7255 if (!TEST_ptr(cp))
7256 goto end;
7257 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
7258 goto end;
7259
7260 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
7261
7262 ssl = SSL_new(ctx);
7263 if (!TEST_ptr(ssl))
7264 goto end;
7265
7266 sp = SSL_get0_param(ssl);
7267 if (!TEST_ptr(sp))
7268 goto end;
7269 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
7270 goto end;
7271
7272 testresult = 1;
7273
7274 end:
7275 SSL_free(ssl);
7276 SSL_CTX_free(ctx);
7277
7278 return testresult;
7279 }
7280
setup_tests(void)7281 int setup_tests(void)
7282 {
7283 if (!TEST_ptr(certsdir = test_get_argument(0))
7284 || !TEST_ptr(srpvfile = test_get_argument(1))
7285 || !TEST_ptr(tmpfilename = test_get_argument(2)))
7286 return 0;
7287
7288 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7289 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
7290 TEST_error("not supported in this build");
7291 return 0;
7292 #else
7293 int i, mcount, rcount, fcount;
7294
7295 for (i = 0; i < 4; i++)
7296 test_export_key_mat(i);
7297 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7298 test_printf_stdout("malloc %d realloc %d free %d\n",
7299 mcount, rcount, fcount);
7300 return 1;
7301 #endif
7302 }
7303
7304 cert = test_mk_file_path(certsdir, "servercert.pem");
7305 if (cert == NULL)
7306 return 0;
7307
7308 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7309 if (privkey == NULL) {
7310 OPENSSL_free(cert);
7311 return 0;
7312 }
7313
7314 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
7315 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7316 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
7317 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
7318 # endif
7319 #endif
7320 ADD_TEST(test_large_message_tls);
7321 ADD_TEST(test_large_message_tls_read_ahead);
7322 #ifndef OPENSSL_NO_DTLS
7323 ADD_TEST(test_large_message_dtls);
7324 #endif
7325 #ifndef OPENSSL_NO_OCSP
7326 ADD_TEST(test_tlsext_status_type);
7327 #endif
7328 ADD_TEST(test_session_with_only_int_cache);
7329 ADD_TEST(test_session_with_only_ext_cache);
7330 ADD_TEST(test_session_with_both_cache);
7331 #ifndef OPENSSL_NO_TLS1_3
7332 ADD_ALL_TESTS(test_stateful_tickets, 3);
7333 ADD_ALL_TESTS(test_stateless_tickets, 3);
7334 ADD_TEST(test_psk_tickets);
7335 #endif
7336 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
7337 ADD_TEST(test_ssl_bio_pop_next_bio);
7338 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7339 ADD_TEST(test_ssl_bio_change_rbio);
7340 ADD_TEST(test_ssl_bio_change_wbio);
7341 #if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
7342 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
7343 ADD_TEST(test_keylog);
7344 #endif
7345 #ifndef OPENSSL_NO_TLS1_3
7346 ADD_TEST(test_keylog_no_master_key);
7347 #endif
7348 #ifndef OPENSSL_NO_TLS1_2
7349 ADD_TEST(test_client_hello_cb);
7350 ADD_TEST(test_ccs_change_cipher);
7351 #endif
7352 #ifndef OPENSSL_NO_TLS1_3
7353 ADD_ALL_TESTS(test_early_data_read_write, 3);
7354 /*
7355 * We don't do replay tests for external PSK. Replay protection isn't used
7356 * in that scenario.
7357 */
7358 ADD_ALL_TESTS(test_early_data_replay, 2);
7359 ADD_ALL_TESTS(test_early_data_skip, 3);
7360 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
7361 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
7362 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
7363 ADD_ALL_TESTS(test_early_data_not_sent, 3);
7364 ADD_ALL_TESTS(test_early_data_psk, 8);
7365 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
7366 ADD_ALL_TESTS(test_early_data_not_expected, 3);
7367 # ifndef OPENSSL_NO_TLS1_2
7368 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
7369 # endif
7370 #endif
7371 #ifndef OPENSSL_NO_TLS1_3
7372 ADD_ALL_TESTS(test_set_ciphersuite, 10);
7373 ADD_TEST(test_ciphersuite_change);
7374 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7375 #ifdef OPENSSL_NO_PSK
7376 ADD_ALL_TESTS(test_tls13_psk, 1);
7377 #else
7378 ADD_ALL_TESTS(test_tls13_psk, 4);
7379 #endif /* OPENSSL_NO_PSK */
7380 ADD_ALL_TESTS(test_custom_exts, 6);
7381 ADD_TEST(test_stateless);
7382 ADD_TEST(test_pha_key_update);
7383 #else
7384 ADD_ALL_TESTS(test_custom_exts, 3);
7385 #endif
7386 ADD_ALL_TESTS(test_serverinfo, 8);
7387 ADD_ALL_TESTS(test_export_key_mat, 6);
7388 #ifndef OPENSSL_NO_TLS1_3
7389 ADD_ALL_TESTS(test_export_key_mat_early, 3);
7390 ADD_TEST(test_key_update);
7391 ADD_ALL_TESTS(test_key_update_in_write, 2);
7392 #endif
7393 ADD_ALL_TESTS(test_ssl_clear, 2);
7394 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
7395 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7396 ADD_ALL_TESTS(test_srp, 6);
7397 #endif
7398 ADD_ALL_TESTS(test_info_callback, 6);
7399 ADD_ALL_TESTS(test_ssl_pending, 2);
7400 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
7401 ADD_ALL_TESTS(test_ticket_callbacks, 12);
7402 ADD_ALL_TESTS(test_shutdown, 7);
7403 ADD_ALL_TESTS(test_cert_cb, 6);
7404 ADD_ALL_TESTS(test_client_cert_cb, 2);
7405 ADD_ALL_TESTS(test_ca_names, 3);
7406 ADD_ALL_TESTS(test_servername, 10);
7407 #ifndef OPENSSL_NO_TLS1_2
7408 ADD_TEST(test_ssl_dup);
7409 #endif
7410 #ifndef OPENSSL_NO_TLS1_3
7411 ADD_TEST(test_sni_tls13);
7412 #endif
7413 ADD_TEST(test_set_alpn);
7414 ADD_TEST(test_inherit_verify_param);
7415 return 1;
7416 }
7417
cleanup_tests(void)7418 void cleanup_tests(void)
7419 {
7420 OPENSSL_free(cert);
7421 OPENSSL_free(privkey);
7422 bio_s_mempacket_test_free();
7423 bio_s_always_retry_free();
7424 }
7425