1 /*
2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 #define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "internal/ssl_unwrap.h"
45 #include "../ssl/ssl_local.h"
46 #include "../ssl/record/methods/recmethod_local.h"
47 #include "filterprov.h"
48
49 #undef OSSL_NO_USABLE_TLS1_3
50 #if defined(OPENSSL_NO_TLS1_3) \
51 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 /*
53 * If we don't have ec or dh then there are no built-in groups that are usable
54 * with TLSv1.3
55 */
56 #define OSSL_NO_USABLE_TLS1_3
57 #endif
58
59 /* Defined in tls-provider.c */
60 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
61 const OSSL_DISPATCH *in,
62 const OSSL_DISPATCH **out,
63 void **provctx);
64
65 static OSSL_LIB_CTX *libctx = NULL;
66 static OSSL_PROVIDER *defctxnull = NULL;
67
68 #ifndef OSSL_NO_USABLE_TLS1_3
69
70 static SSL_SESSION *clientpsk = NULL;
71 static SSL_SESSION *serverpsk = NULL;
72 static const char *pskid = "Identity";
73 static const char *srvid;
74
75 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
76 size_t *idlen, SSL_SESSION **sess);
77 static int find_session_cb(SSL *ssl, const unsigned char *identity,
78 size_t identity_len, SSL_SESSION **sess);
79
80 static int use_session_cb_cnt = 0;
81 static int find_session_cb_cnt = 0;
82 static int end_of_early_data = 0;
83 #endif
84
85 static char *certsdir = NULL;
86 static char *cert = NULL;
87 static char *privkey = NULL;
88 static char *cert2 = NULL;
89 static char *privkey2 = NULL;
90 static char *cert1024 = NULL;
91 static char *privkey1024 = NULL;
92 static char *cert3072 = NULL;
93 static char *privkey3072 = NULL;
94 static char *cert4096 = NULL;
95 static char *privkey4096 = NULL;
96 static char *cert8192 = NULL;
97 static char *privkey8192 = NULL;
98 static char *srpvfile = NULL;
99 static char *tmpfilename = NULL;
100 static char *dhfile = NULL;
101 static char *datadir = NULL;
102
103 static int is_fips = 0;
104 static int fips_ems_check = 0;
105
106 #define LOG_BUFFER_SIZE 2048
107 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
108 static size_t server_log_buffer_index = 0;
109 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
110 static size_t client_log_buffer_index = 0;
111 static int error_writing_log = 0;
112
113 #ifndef OPENSSL_NO_OCSP
114 static const unsigned char orespder[] = "Dummy OCSP Response";
115 static int ocsp_server_called = 0;
116 static int ocsp_client_called = 0;
117
118 static int cdummyarg = 1;
119 static X509 *ocspcert = NULL;
120 #endif
121
122 #define CLIENT_VERSION_LEN 2
123
124 /* The ssltrace test assumes some options are switched on/off */
125 #if !defined(OPENSSL_NO_SSL_TRACE) \
126 && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \
127 && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) \
128 && !defined(OPENSSL_NO_ML_DSA) && !defined(OPENSSL_NO_ML_KEM) \
129 && !defined(OPENSSL_NO_TLS1_3)
130 #define DO_SSL_TRACE_TEST
131 #endif
132
133 /*
134 * This structure is used to validate that the correct number of log messages
135 * of various types are emitted when emitting secret logs.
136 */
137 struct sslapitest_log_counts {
138 unsigned int rsa_key_exchange_count;
139 unsigned int master_secret_count;
140 unsigned int client_early_secret_count;
141 unsigned int client_handshake_secret_count;
142 unsigned int server_handshake_secret_count;
143 unsigned int client_application_secret_count;
144 unsigned int server_application_secret_count;
145 unsigned int early_exporter_secret_count;
146 unsigned int exporter_secret_count;
147 };
148
hostname_cb(SSL * s,int * al,void * arg)149 static int hostname_cb(SSL *s, int *al, void *arg)
150 {
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
152
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0 || strcmp(hostname, "altgoodhost") == 0))
154 return SSL_TLSEXT_ERR_OK;
155
156 return SSL_TLSEXT_ERR_NOACK;
157 }
158
client_keylog_callback(const SSL * ssl,const char * line)159 static void client_keylog_callback(const SSL *ssl, const char *line)
160 {
161 int line_length = strlen(line);
162
163 /* If the log doesn't fit, error out. */
164 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
165 TEST_info("Client log too full");
166 error_writing_log = 1;
167 return;
168 }
169
170 strcat(client_log_buffer, line);
171 client_log_buffer_index += line_length;
172 client_log_buffer[client_log_buffer_index++] = '\n';
173 }
174
server_keylog_callback(const SSL * ssl,const char * line)175 static void server_keylog_callback(const SSL *ssl, const char *line)
176 {
177 int line_length = strlen(line);
178
179 /* If the log doesn't fit, error out. */
180 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
181 TEST_info("Server log too full");
182 error_writing_log = 1;
183 return;
184 }
185
186 strcat(server_log_buffer, line);
187 server_log_buffer_index += line_length;
188 server_log_buffer[server_log_buffer_index++] = '\n';
189 }
190
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)191 static int compare_hex_encoded_buffer(const char *hex_encoded,
192 size_t hex_length,
193 const uint8_t *raw,
194 size_t raw_length)
195 {
196 size_t i, j;
197 char hexed[3];
198
199 if (!TEST_size_t_eq(raw_length * 2, hex_length))
200 return 1;
201
202 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
203 BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]);
204 if (!TEST_int_eq(hexed[0], hex_encoded[j])
205 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
206 return 1;
207 }
208
209 return 0;
210 }
211
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)212 static int test_keylog_output(char *buffer, const SSL *ssl,
213 const SSL_SESSION *session,
214 struct sslapitest_log_counts *expected)
215 {
216 char *token = NULL;
217 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = { 0 };
218 size_t client_random_size = SSL3_RANDOM_SIZE;
219 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = { 0 };
220 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
221 unsigned int rsa_key_exchange_count = 0;
222 unsigned int master_secret_count = 0;
223 unsigned int client_early_secret_count = 0;
224 unsigned int client_handshake_secret_count = 0;
225 unsigned int server_handshake_secret_count = 0;
226 unsigned int client_application_secret_count = 0;
227 unsigned int server_application_secret_count = 0;
228 unsigned int early_exporter_secret_count = 0;
229 unsigned int exporter_secret_count = 0;
230
231 for (token = strtok(buffer, " \n"); token != NULL;
232 token = strtok(NULL, " \n")) {
233 if (strcmp(token, "RSA") == 0) {
234 /*
235 * Premaster secret. Tokens should be: 16 ASCII bytes of
236 * hex-encoded encrypted secret, then the hex-encoded pre-master
237 * secret.
238 */
239 if (!TEST_ptr(token = strtok(NULL, " \n")))
240 return 0;
241 if (!TEST_size_t_eq(strlen(token), 16))
242 return 0;
243 if (!TEST_ptr(token = strtok(NULL, " \n")))
244 return 0;
245 /*
246 * We can't sensibly check the log because the premaster secret is
247 * transient, and OpenSSL doesn't keep hold of it once the master
248 * secret is generated.
249 */
250 rsa_key_exchange_count++;
251 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
252 /*
253 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
254 * client random, then the hex-encoded master secret.
255 */
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
258 SSL3_RANDOM_SIZE);
259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 if (!TEST_size_t_eq(strlen(token), 64))
265 return 0;
266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
269 return 0;
270
271 if (!TEST_ptr(token = strtok(NULL, " \n")))
272 return 0;
273 master_key_size = SSL_SESSION_get_master_key(session,
274 actual_master_key,
275 master_key_size);
276 if (!TEST_size_t_ne(master_key_size, 0))
277 return 0;
278 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
279 actual_master_key,
280 master_key_size)))
281 return 0;
282 master_secret_count++;
283 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
284 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
285 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
287 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
288 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
289 || strcmp(token, "EXPORTER_SECRET") == 0) {
290 /*
291 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
292 * client random, and then the hex-encoded secret. In this case,
293 * we treat all of these secrets identically and then just
294 * distinguish between them when counting what we saw.
295 */
296 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
297 client_early_secret_count++;
298 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
299 client_handshake_secret_count++;
300 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 server_handshake_secret_count++;
302 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
303 client_application_secret_count++;
304 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
305 server_application_secret_count++;
306 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
307 early_exporter_secret_count++;
308 else if (strcmp(token, "EXPORTER_SECRET") == 0)
309 exporter_secret_count++;
310
311 client_random_size = SSL_get_client_random(ssl,
312 actual_client_random,
313 SSL3_RANDOM_SIZE);
314 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 if (!TEST_size_t_eq(strlen(token), 64))
320 return 0;
321 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
322 actual_client_random,
323 client_random_size)))
324 return 0;
325
326 if (!TEST_ptr(token = strtok(NULL, " \n")))
327 return 0;
328 } else {
329 TEST_info("Unexpected token %s\n", token);
330 return 0;
331 }
332 }
333
334 /* Got what we expected? */
335 if (!TEST_size_t_eq(rsa_key_exchange_count,
336 expected->rsa_key_exchange_count)
337 || !TEST_size_t_eq(master_secret_count,
338 expected->master_secret_count)
339 || !TEST_size_t_eq(client_early_secret_count,
340 expected->client_early_secret_count)
341 || !TEST_size_t_eq(client_handshake_secret_count,
342 expected->client_handshake_secret_count)
343 || !TEST_size_t_eq(server_handshake_secret_count,
344 expected->server_handshake_secret_count)
345 || !TEST_size_t_eq(client_application_secret_count,
346 expected->client_application_secret_count)
347 || !TEST_size_t_eq(server_application_secret_count,
348 expected->server_application_secret_count)
349 || !TEST_size_t_eq(early_exporter_secret_count,
350 expected->early_exporter_secret_count)
351 || !TEST_size_t_eq(exporter_secret_count,
352 expected->exporter_secret_count))
353 return 0;
354 return 1;
355 }
356
357 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
test_keylog(void)358 static int test_keylog(void)
359 {
360 SSL_CTX *cctx = NULL, *sctx = NULL;
361 SSL *clientssl = NULL, *serverssl = NULL;
362 int testresult = 0;
363 struct sslapitest_log_counts expected;
364
365 /* Clean up logging space */
366 memset(&expected, 0, sizeof(expected));
367 memset(client_log_buffer, 0, sizeof(client_log_buffer));
368 memset(server_log_buffer, 0, sizeof(server_log_buffer));
369 client_log_buffer_index = 0;
370 server_log_buffer_index = 0;
371 error_writing_log = 0;
372
373 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
374 TLS_client_method(),
375 TLS1_VERSION, 0,
376 &sctx, &cctx, cert, privkey)))
377 return 0;
378
379 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
380 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
381 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
382
383 /* We also want to ensure that we use RSA-based key exchange. */
384 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
385 goto end;
386
387 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
388 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
389 goto end;
390 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
391 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
392 == client_keylog_callback))
393 goto end;
394 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
395 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
396 == server_keylog_callback))
397 goto end;
398
399 /* Now do a handshake and check that the logs have been written to. */
400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
401 &clientssl, NULL, NULL))
402 || !TEST_true(create_ssl_connection(serverssl, clientssl,
403 SSL_ERROR_NONE))
404 || !TEST_false(error_writing_log)
405 || !TEST_int_gt(client_log_buffer_index, 0)
406 || !TEST_int_gt(server_log_buffer_index, 0))
407 goto end;
408
409 /*
410 * Now we want to test that our output data was vaguely sensible. We
411 * do that by using strtok and confirming that we have more or less the
412 * data we expect. For both client and server, we expect to see one master
413 * secret. The client should also see an RSA key exchange.
414 */
415 expected.rsa_key_exchange_count = 1;
416 expected.master_secret_count = 1;
417 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
418 SSL_get_session(clientssl), &expected)))
419 goto end;
420
421 expected.rsa_key_exchange_count = 0;
422 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
423 SSL_get_session(serverssl), &expected)))
424 goto end;
425
426 testresult = 1;
427
428 end:
429 SSL_free(serverssl);
430 SSL_free(clientssl);
431 SSL_CTX_free(sctx);
432 SSL_CTX_free(cctx);
433
434 return testresult;
435 }
436 #endif
437
438 #ifndef OSSL_NO_USABLE_TLS1_3
test_keylog_no_master_key(void)439 static int test_keylog_no_master_key(void)
440 {
441 SSL_CTX *cctx = NULL, *sctx = NULL;
442 SSL *clientssl = NULL, *serverssl = NULL;
443 SSL_SESSION *sess = NULL;
444 int testresult = 0;
445 struct sslapitest_log_counts expected;
446 unsigned char buf[1];
447 size_t readbytes, written;
448
449 /* Clean up logging space */
450 memset(&expected, 0, sizeof(expected));
451 memset(client_log_buffer, 0, sizeof(client_log_buffer));
452 memset(server_log_buffer, 0, sizeof(server_log_buffer));
453 client_log_buffer_index = 0;
454 server_log_buffer_index = 0;
455 error_writing_log = 0;
456
457 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
458 TLS_client_method(), TLS1_VERSION, 0,
459 &sctx, &cctx, cert, privkey))
460 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
461 SSL3_RT_MAX_PLAIN_LENGTH)))
462 return 0;
463
464 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
465 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
466 goto end;
467
468 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
469 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
470 == client_keylog_callback))
471 goto end;
472
473 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
474 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
475 == server_keylog_callback))
476 goto end;
477
478 /* Now do a handshake and check that the logs have been written to. */
479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
480 &clientssl, NULL, NULL))
481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
482 SSL_ERROR_NONE))
483 || !TEST_false(error_writing_log))
484 goto end;
485
486 /*
487 * Now we want to test that our output data was vaguely sensible. For this
488 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
489 * TLSv1.3, but we do expect both client and server to emit keys.
490 */
491 expected.client_handshake_secret_count = 1;
492 expected.server_handshake_secret_count = 1;
493 expected.client_application_secret_count = 1;
494 expected.server_application_secret_count = 1;
495 expected.exporter_secret_count = 1;
496 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
497 SSL_get_session(clientssl), &expected))
498 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
499 SSL_get_session(serverssl),
500 &expected)))
501 goto end;
502
503 /* Terminate old session and resume with early data. */
504 sess = SSL_get1_session(clientssl);
505 SSL_shutdown(clientssl);
506 SSL_shutdown(serverssl);
507 SSL_free(serverssl);
508 SSL_free(clientssl);
509 serverssl = clientssl = NULL;
510
511 /* Reset key log */
512 memset(client_log_buffer, 0, sizeof(client_log_buffer));
513 memset(server_log_buffer, 0, sizeof(server_log_buffer));
514 client_log_buffer_index = 0;
515 server_log_buffer_index = 0;
516
517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
518 &clientssl, NULL, NULL))
519 || !TEST_true(SSL_set_session(clientssl, sess))
520 /* Here writing 0 length early data is enough. */
521 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
522 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
523 &readbytes),
524 SSL_READ_EARLY_DATA_ERROR)
525 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
526 SSL_EARLY_DATA_ACCEPTED)
527 || !TEST_true(create_ssl_connection(serverssl, clientssl,
528 SSL_ERROR_NONE))
529 || !TEST_true(SSL_session_reused(clientssl)))
530 goto end;
531
532 /* In addition to the previous entries, expect early secrets. */
533 expected.client_early_secret_count = 1;
534 expected.early_exporter_secret_count = 1;
535 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
536 SSL_get_session(clientssl), &expected))
537 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
538 SSL_get_session(serverssl),
539 &expected)))
540 goto end;
541
542 testresult = 1;
543
544 end:
545 SSL_SESSION_free(sess);
546 SSL_free(serverssl);
547 SSL_free(clientssl);
548 SSL_CTX_free(sctx);
549 SSL_CTX_free(cctx);
550
551 return testresult;
552 }
553 #endif
554
verify_retry_cb(X509_STORE_CTX * ctx,void * arg)555 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
556 {
557 int res = X509_verify_cert(ctx);
558 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
559 SSL *ssl;
560
561 /* this should not happen but check anyway */
562 if (idx < 0
563 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
564 return 0;
565
566 if (res == 0 && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
567 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
568 return SSL_set_retry_verify(ssl);
569
570 return res;
571 }
572
test_client_cert_verify_cb(void)573 static int test_client_cert_verify_cb(void)
574 {
575 /* server key, cert, chain, and root */
576 char *skey = test_mk_file_path(certsdir, "leaf.key");
577 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
578 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
579 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
580 char *root = test_mk_file_path(certsdir, "rootCA.pem");
581 X509 *crt1 = NULL, *crt2 = NULL;
582 STACK_OF(X509) *server_chain;
583 SSL_CTX *cctx = NULL, *sctx = NULL;
584 SSL *clientssl = NULL, *serverssl = NULL;
585 int testresult = 0;
586
587 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
588 TLS_client_method(), TLS1_VERSION, 0,
589 &sctx, &cctx, NULL, NULL)))
590 goto end;
591 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
592 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
593 SSL_FILETYPE_PEM),
594 1)
595 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
596 goto end;
597 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
598 goto end;
599 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
600 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
602 &clientssl, NULL, NULL)))
603 goto end;
604
605 /* attempt SSL_connect() with incomplete server chain */
606 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
607 SSL_ERROR_WANT_RETRY_VERIFY)))
608 goto end;
609
610 /* application provides intermediate certs needed to verify server cert */
611 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
612 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
613 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
614 goto end;
615 /* add certs in reverse order to demonstrate real chain building */
616 if (!TEST_true(sk_X509_push(server_chain, crt1)))
617 goto end;
618 crt1 = NULL;
619 if (!TEST_true(sk_X509_push(server_chain, crt2)))
620 goto end;
621 crt2 = NULL;
622
623 /* continue SSL_connect(), must now succeed with completed server chain */
624 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
625 SSL_ERROR_NONE)))
626 goto end;
627
628 testresult = 1;
629
630 end:
631 X509_free(crt1);
632 X509_free(crt2);
633 if (clientssl != NULL) {
634 SSL_shutdown(clientssl);
635 SSL_free(clientssl);
636 }
637 if (serverssl != NULL) {
638 SSL_shutdown(serverssl);
639 SSL_free(serverssl);
640 }
641 SSL_CTX_free(sctx);
642 SSL_CTX_free(cctx);
643
644 OPENSSL_free(skey);
645 OPENSSL_free(leaf);
646 OPENSSL_free(int2);
647 OPENSSL_free(int1);
648 OPENSSL_free(root);
649
650 return testresult;
651 }
652
test_ssl_build_cert_chain(void)653 static int test_ssl_build_cert_chain(void)
654 {
655 int ret = 0;
656 SSL_CTX *ssl_ctx = NULL;
657 SSL *ssl = NULL;
658 char *skey = test_mk_file_path(certsdir, "leaf.key");
659 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
660
661 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
662 goto end;
663 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
664 goto end;
665 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
666 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
667 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
668 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
669 goto end;
670 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
671 goto end;
672 ret = 1;
673 end:
674 SSL_free(ssl);
675 SSL_CTX_free(ssl_ctx);
676 OPENSSL_free(leaf_chain);
677 OPENSSL_free(skey);
678 return ret;
679 }
680
get_password_cb(char * buf,int size,int rw_flag,void * userdata)681 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
682 {
683 static const char pass[] = "testpass";
684
685 if (!TEST_int_eq(size, PEM_BUFSIZE))
686 return -1;
687
688 memcpy(buf, pass, sizeof(pass) - 1);
689 return sizeof(pass) - 1;
690 }
691
test_ssl_ctx_build_cert_chain(void)692 static int test_ssl_ctx_build_cert_chain(void)
693 {
694 int ret = 0;
695 SSL_CTX *ctx = NULL;
696 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
697 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
698
699 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
700 goto end;
701 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
702 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
703 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
704 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
705 SSL_FILETYPE_PEM),
706 1)
707 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
708 goto end;
709 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
710 goto end;
711 ret = 1;
712 end:
713 SSL_CTX_free(ctx);
714 OPENSSL_free(leaf_chain);
715 OPENSSL_free(skey);
716 return ret;
717 }
718
719 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)720 static int full_client_hello_callback(SSL *s, int *al, void *arg)
721 {
722 int *ctr = arg;
723 const unsigned char *p;
724 int *exts;
725 #ifdef OPENSSL_NO_EC
726 const unsigned char expected_ciphers[] = { 0x00, 0x9d };
727 #else
728 const unsigned char expected_ciphers[] = { 0x00, 0x9d, 0xc0,
729 0x2c };
730 #endif
731 const int expected_extensions[] = {
732 65281,
733 #ifndef OPENSSL_NO_EC
734 11, 10,
735 #endif
736 35, 22, 23, 13
737 };
738 size_t len;
739
740 /* Make sure we can defer processing and get called back. */
741 if ((*ctr)++ == 0)
742 return SSL_CLIENT_HELLO_RETRY;
743
744 len = SSL_client_hello_get0_ciphers(s, &p);
745 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
746 || !TEST_size_t_eq(
747 SSL_client_hello_get0_compression_methods(s, &p), 1)
748 || !TEST_int_eq(*p, 0))
749 return SSL_CLIENT_HELLO_ERROR;
750 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
751 return SSL_CLIENT_HELLO_ERROR;
752 if (len != OSSL_NELEM(expected_extensions) || memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
753 printf("ClientHello callback expected extensions mismatch\n");
754 OPENSSL_free(exts);
755 return SSL_CLIENT_HELLO_ERROR;
756 }
757 OPENSSL_free(exts);
758 return SSL_CLIENT_HELLO_SUCCESS;
759 }
760
test_client_hello_cb(void)761 static int test_client_hello_cb(void)
762 {
763 SSL_CTX *cctx = NULL, *sctx = NULL;
764 SSL *clientssl = NULL, *serverssl = NULL;
765 int testctr = 0, testresult = 0;
766
767 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
768 TLS_client_method(), TLS1_VERSION, 0,
769 &sctx, &cctx, cert, privkey)))
770 goto end;
771 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
772
773 /* The gimpy cipher list we configure can't do TLS 1.3. */
774 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
775 /* Avoid problems where the default seclevel has been changed */
776 SSL_CTX_set_security_level(cctx, 2);
777 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
778 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
779 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 || !TEST_false(create_ssl_connection(serverssl, clientssl,
782 SSL_ERROR_WANT_CLIENT_HELLO_CB))
783 /*
784 * Passing a -1 literal is a hack since
785 * the real value was lost.
786 * */
787 || !TEST_int_eq(SSL_get_error(serverssl, -1),
788 SSL_ERROR_WANT_CLIENT_HELLO_CB)
789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
790 SSL_ERROR_NONE)))
791 goto end;
792
793 testresult = 1;
794
795 end:
796 SSL_free(serverssl);
797 SSL_free(clientssl);
798 SSL_CTX_free(sctx);
799 SSL_CTX_free(cctx);
800
801 return testresult;
802 }
803
test_no_ems(void)804 static int test_no_ems(void)
805 {
806 SSL_CTX *cctx = NULL, *sctx = NULL;
807 SSL *clientssl = NULL, *serverssl = NULL;
808 int testresult = 0, status;
809
810 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
811 TLS1_VERSION, TLS1_2_VERSION,
812 &sctx, &cctx, cert, privkey)) {
813 printf("Unable to create SSL_CTX pair\n");
814 goto end;
815 }
816
817 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
818
819 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
820 printf("Unable to create SSL objects\n");
821 goto end;
822 }
823
824 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
825 if (fips_ems_check) {
826 if (status == 1) {
827 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
828 goto end;
829 }
830 } else {
831 if (!status) {
832 printf("Creating SSL connection failed\n");
833 goto end;
834 }
835 if (SSL_get_extms_support(serverssl)) {
836 printf("Server reports Extended Master Secret support\n");
837 goto end;
838 }
839 if (SSL_get_extms_support(clientssl)) {
840 printf("Client reports Extended Master Secret support\n");
841 goto end;
842 }
843 }
844 testresult = 1;
845
846 end:
847 SSL_free(serverssl);
848 SSL_free(clientssl);
849 SSL_CTX_free(sctx);
850 SSL_CTX_free(cctx);
851
852 return testresult;
853 }
854
855 /*
856 * Very focused test to exercise a single case in the server-side state
857 * machine, when the ChangeCipherState message needs to actually change
858 * from one cipher to a different cipher (i.e., not changing from null
859 * encryption to real encryption).
860 */
test_ccs_change_cipher(void)861 static int test_ccs_change_cipher(void)
862 {
863 SSL_CTX *cctx = NULL, *sctx = NULL;
864 SSL *clientssl = NULL, *serverssl = NULL;
865 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
866 int testresult = 0;
867 int i;
868 unsigned char buf;
869 size_t readbytes;
870
871 /*
872 * Create a connection so we can resume and potentially (but not) use
873 * a different cipher in the second connection.
874 */
875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
876 TLS_client_method(),
877 TLS1_VERSION, TLS1_2_VERSION,
878 &sctx, &cctx, cert, privkey))
879 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
880 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
881 NULL, NULL))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
884 SSL_ERROR_NONE))
885 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
886 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
887 goto end;
888
889 shutdown_ssl_connection(serverssl, clientssl);
890 serverssl = clientssl = NULL;
891
892 /* Resume, preferring a different cipher. Our server will force the
893 * same cipher to be used as the initial handshake. */
894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
895 NULL, NULL))
896 || !TEST_true(SSL_set_session(clientssl, sess))
897 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
898 || !TEST_true(create_ssl_connection(serverssl, clientssl,
899 SSL_ERROR_NONE))
900 || !TEST_true(SSL_session_reused(clientssl))
901 || !TEST_true(SSL_session_reused(serverssl))
902 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
903 || !TEST_ptr_eq(sesspre, sesspost)
904 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
905 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
906 goto end;
907 shutdown_ssl_connection(serverssl, clientssl);
908 serverssl = clientssl = NULL;
909
910 /*
911 * Now create a fresh connection and try to renegotiate a different
912 * cipher on it.
913 */
914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
915 NULL, NULL))
916 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
917 || !TEST_true(create_ssl_connection(serverssl, clientssl,
918 SSL_ERROR_NONE))
919 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
920 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
921 || !TEST_true(SSL_renegotiate(clientssl))
922 || !TEST_true(SSL_renegotiate_pending(clientssl)))
923 goto end;
924 /* Actually drive the renegotiation. */
925 for (i = 0; i < 3; i++) {
926 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
927 if (!TEST_ulong_eq(readbytes, 0))
928 goto end;
929 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
930 SSL_ERROR_WANT_READ)) {
931 goto end;
932 }
933 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
934 if (!TEST_ulong_eq(readbytes, 0))
935 goto end;
936 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
937 SSL_ERROR_WANT_READ)) {
938 goto end;
939 }
940 }
941 /* sesspre and sesspost should be different since the cipher changed. */
942 if (!TEST_false(SSL_renegotiate_pending(clientssl))
943 || !TEST_false(SSL_session_reused(clientssl))
944 || !TEST_false(SSL_session_reused(serverssl))
945 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
946 || !TEST_ptr_ne(sesspre, sesspost)
947 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
948 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
949 goto end;
950
951 shutdown_ssl_connection(serverssl, clientssl);
952 serverssl = clientssl = NULL;
953
954 testresult = 1;
955
956 end:
957 SSL_free(serverssl);
958 SSL_free(clientssl);
959 SSL_CTX_free(sctx);
960 SSL_CTX_free(cctx);
961 SSL_SESSION_free(sess);
962
963 return testresult;
964 }
965 #endif
966
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)967 static int execute_test_large_message(const SSL_METHOD *smeth,
968 const SSL_METHOD *cmeth,
969 int min_version, int max_version,
970 int read_ahead)
971 {
972 SSL_CTX *cctx = NULL, *sctx = NULL;
973 SSL *clientssl = NULL, *serverssl = NULL;
974 int testresult = 0;
975
976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
978 privkey)))
979 goto end;
980
981 #ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
983 /*
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
985 * level 0
986 */
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
990 goto end;
991 }
992 #endif
993
994 if (read_ahead) {
995 /*
996 * Test that read_ahead works correctly when dealing with large
997 * records
998 */
999 SSL_CTX_set_read_ahead(cctx, 1);
1000 }
1001
1002 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
1003 goto end;
1004
1005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1006 NULL, NULL))
1007 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1008 SSL_ERROR_NONE)))
1009 goto end;
1010
1011 /*
1012 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1013 * doesn't leak.
1014 */
1015 if (!TEST_true(SSL_clear(serverssl)))
1016 goto end;
1017
1018 testresult = 1;
1019 end:
1020 SSL_free(serverssl);
1021 SSL_free(clientssl);
1022 SSL_CTX_free(sctx);
1023 SSL_CTX_free(cctx);
1024
1025 return testresult;
1026 }
1027
1028 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1029 /* sock must be connected */
ktls_chk_platform(int sock)1030 static int ktls_chk_platform(int sock)
1031 {
1032 if (!ktls_enable(sock))
1033 return 0;
1034 return 1;
1035 }
1036
ping_pong_query(SSL * clientssl,SSL * serverssl)1037 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1038 {
1039 static char count = 1;
1040 unsigned char cbuf[16000] = { 0 };
1041 unsigned char sbuf[16000];
1042 size_t err = 0;
1043 char crec_wseq_before[SEQ_NUM_SIZE];
1044 char crec_wseq_after[SEQ_NUM_SIZE];
1045 char crec_rseq_before[SEQ_NUM_SIZE];
1046 char crec_rseq_after[SEQ_NUM_SIZE];
1047 char srec_wseq_before[SEQ_NUM_SIZE];
1048 char srec_wseq_after[SEQ_NUM_SIZE];
1049 char srec_rseq_before[SEQ_NUM_SIZE];
1050 char srec_rseq_after[SEQ_NUM_SIZE];
1051 SSL_CONNECTION *clientsc, *serversc;
1052
1053 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1054 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1055 goto end;
1056
1057 cbuf[0] = count++;
1058 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1059 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1060 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1061 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1062
1063 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1067 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
1072 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1073 goto end;
1074
1075 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1076 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1077 goto end;
1078 }
1079 }
1080
1081 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1082 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1083 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1084 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1085
1086 /* verify the payload */
1087 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1088 goto end;
1089
1090 /*
1091 * If ktls is used then kernel sequences are used instead of
1092 * OpenSSL sequences
1093 */
1094 if (!BIO_get_ktls_send(clientsc->wbio)) {
1095 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1096 crec_wseq_after, SEQ_NUM_SIZE))
1097 goto end;
1098 } else {
1099 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1100 crec_wseq_after, SEQ_NUM_SIZE))
1101 goto end;
1102 }
1103
1104 if (!BIO_get_ktls_send(serversc->wbio)) {
1105 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1106 srec_wseq_after, SEQ_NUM_SIZE))
1107 goto end;
1108 } else {
1109 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1110 srec_wseq_after, SEQ_NUM_SIZE))
1111 goto end;
1112 }
1113
1114 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1115 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1116 crec_rseq_after, SEQ_NUM_SIZE))
1117 goto end;
1118 } else {
1119 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1120 crec_rseq_after, SEQ_NUM_SIZE))
1121 goto end;
1122 }
1123
1124 if (!BIO_get_ktls_recv(serversc->wbio)) {
1125 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1126 srec_rseq_after, SEQ_NUM_SIZE))
1127 goto end;
1128 } else {
1129 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1130 srec_rseq_after, SEQ_NUM_SIZE))
1131 goto end;
1132 }
1133
1134 return 1;
1135 end:
1136 return 0;
1137 }
1138
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)1139 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1140 int tls_version, const char *cipher)
1141 {
1142 SSL_CTX *cctx = NULL, *sctx = NULL;
1143 SSL *clientssl = NULL, *serverssl = NULL;
1144 int ktls_used = 0, testresult = 0;
1145 int cfd = -1, sfd = -1;
1146 int rx_supported;
1147 SSL_CONNECTION *clientsc, *serversc;
1148 unsigned char *buf = NULL;
1149 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1150 int ret;
1151 size_t offset = 0, i;
1152
1153 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1154 goto end;
1155
1156 /* Skip this test if the platform does not support ktls */
1157 if (!ktls_chk_platform(cfd)) {
1158 testresult = TEST_skip("Kernel does not support KTLS");
1159 goto end;
1160 }
1161
1162 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1163 testresult = TEST_skip("CHACHA is not supported in FIPS");
1164 goto end;
1165 }
1166
1167 /* Create a session based on SHA-256 */
1168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1169 TLS_client_method(),
1170 tls_version, tls_version,
1171 &sctx, &cctx, cert, privkey)))
1172 goto end;
1173
1174 if (tls_version == TLS1_3_VERSION) {
1175 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1176 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1177 goto end;
1178 } else {
1179 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1180 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1181 goto end;
1182 }
1183
1184 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1185 &clientssl, sfd, cfd)))
1186 goto end;
1187
1188 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1189 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1190 goto end;
1191
1192 if (cis_ktls) {
1193 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1194 goto end;
1195 }
1196
1197 if (sis_ktls) {
1198 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1199 goto end;
1200 }
1201
1202 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1203 goto end;
1204
1205 /*
1206 * The running kernel may not support a given cipher suite
1207 * or direction, so just check that KTLS isn't used when it
1208 * isn't enabled.
1209 */
1210 if (!cis_ktls) {
1211 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1212 goto end;
1213 } else {
1214 if (BIO_get_ktls_send(clientsc->wbio))
1215 ktls_used = 1;
1216 }
1217
1218 if (!sis_ktls) {
1219 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1220 goto end;
1221 } else {
1222 if (BIO_get_ktls_send(serversc->wbio))
1223 ktls_used = 1;
1224 }
1225
1226 #if defined(OPENSSL_NO_KTLS_RX)
1227 rx_supported = 0;
1228 #else
1229 rx_supported = 1;
1230 #endif
1231 if (!cis_ktls || !rx_supported) {
1232 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1233 goto end;
1234 } else {
1235 if (BIO_get_ktls_send(clientsc->rbio))
1236 ktls_used = 1;
1237 }
1238
1239 if (!sis_ktls || !rx_supported) {
1240 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1241 goto end;
1242 } else {
1243 if (BIO_get_ktls_send(serversc->rbio))
1244 ktls_used = 1;
1245 }
1246
1247 if ((cis_ktls || sis_ktls) && !ktls_used) {
1248 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1249 tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
1250 goto end;
1251 }
1252
1253 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1254 goto end;
1255
1256 buf = OPENSSL_zalloc(bufsz);
1257 if (!TEST_ptr(buf))
1258 goto end;
1259
1260 /*
1261 * Write some data that exceeds the maximum record length. KTLS may choose
1262 * to coalesce this data into a single buffer when we read it again.
1263 */
1264 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1265 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1266 goto end;
1267 }
1268
1269 /* Now check that we can read all the data we wrote */
1270 do {
1271 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1272 if (ret <= 0) {
1273 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1274 goto end;
1275 } else {
1276 offset += ret;
1277 }
1278 } while (offset < bufsz);
1279
1280 if (!TEST_true(offset == bufsz))
1281 goto end;
1282 for (i = 0; i < bufsz; i++)
1283 if (!TEST_true(buf[i] == 0))
1284 goto end;
1285
1286 testresult = 1;
1287 end:
1288 OPENSSL_free(buf);
1289 if (clientssl) {
1290 SSL_shutdown(clientssl);
1291 SSL_free(clientssl);
1292 }
1293 if (serverssl) {
1294 SSL_shutdown(serverssl);
1295 SSL_free(serverssl);
1296 }
1297 SSL_CTX_free(sctx);
1298 SSL_CTX_free(cctx);
1299 serverssl = clientssl = NULL;
1300 if (cfd != -1)
1301 close(cfd);
1302 if (sfd != -1)
1303 close(sfd);
1304 return testresult;
1305 }
1306
1307 #define SENDFILE_SZ (16 * 4096)
1308 #define SENDFILE_CHUNK (4 * 4096)
1309 #define min(a, b) ((a) > (b) ? (b) : (a))
1310
execute_test_ktls_sendfile(int tls_version,const char * cipher,int zerocopy)1311 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1312 int zerocopy)
1313 {
1314 SSL_CTX *cctx = NULL, *sctx = NULL;
1315 SSL *clientssl = NULL, *serverssl = NULL;
1316 unsigned char *buf, *buf_dst;
1317 BIO *out = NULL, *in = NULL;
1318 int cfd = -1, sfd = -1, ffd, err;
1319 ssize_t chunk_size = 0;
1320 off_t chunk_off = 0;
1321 int testresult = 0;
1322 FILE *ffdp;
1323 SSL_CONNECTION *serversc;
1324
1325 buf = OPENSSL_zalloc(SENDFILE_SZ);
1326 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1327 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1328 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1329 goto end;
1330
1331 /* Skip this test if the platform does not support ktls */
1332 if (!ktls_chk_platform(sfd)) {
1333 testresult = TEST_skip("Kernel does not support KTLS");
1334 goto end;
1335 }
1336
1337 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1338 testresult = TEST_skip("CHACHA is not supported in FIPS");
1339 goto end;
1340 }
1341
1342 /* Create a session based on SHA-256 */
1343 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1344 TLS_client_method(),
1345 tls_version, tls_version,
1346 &sctx, &cctx, cert, privkey)))
1347 goto end;
1348
1349 if (tls_version == TLS1_3_VERSION) {
1350 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1351 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1352 goto end;
1353 } else {
1354 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1355 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1356 goto end;
1357 }
1358
1359 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1360 &clientssl, sfd, cfd)))
1361 goto end;
1362
1363 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1364 goto end;
1365
1366 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1367 goto end;
1368
1369 if (zerocopy) {
1370 if (!TEST_true(SSL_set_options(serverssl,
1371 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1372 goto end;
1373 }
1374
1375 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1376 SSL_ERROR_NONE)))
1377 goto end;
1378
1379 if (!BIO_get_ktls_send(serversc->wbio)) {
1380 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1381 tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
1382 goto end;
1383 }
1384
1385 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1386 goto end;
1387
1388 out = BIO_new_file(tmpfilename, "wb");
1389 if (!TEST_ptr(out))
1390 goto end;
1391
1392 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1393 goto end;
1394
1395 BIO_free(out);
1396 out = NULL;
1397 in = BIO_new_file(tmpfilename, "rb");
1398 BIO_get_fp(in, &ffdp);
1399 ffd = fileno(ffdp);
1400
1401 while (chunk_off < SENDFILE_SZ) {
1402 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1403 while ((err = SSL_sendfile(serverssl,
1404 ffd,
1405 chunk_off,
1406 chunk_size,
1407 0))
1408 != chunk_size) {
1409 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1410 goto end;
1411 }
1412 while ((err = SSL_read(clientssl,
1413 buf_dst + chunk_off,
1414 chunk_size))
1415 != chunk_size) {
1416 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1417 goto end;
1418 }
1419
1420 /* verify the payload */
1421 if (!TEST_mem_eq(buf_dst + chunk_off,
1422 chunk_size,
1423 buf + chunk_off,
1424 chunk_size))
1425 goto end;
1426
1427 chunk_off += chunk_size;
1428 }
1429
1430 testresult = 1;
1431 end:
1432 if (clientssl) {
1433 SSL_shutdown(clientssl);
1434 SSL_free(clientssl);
1435 }
1436 if (serverssl) {
1437 SSL_shutdown(serverssl);
1438 SSL_free(serverssl);
1439 }
1440 SSL_CTX_free(sctx);
1441 SSL_CTX_free(cctx);
1442 serverssl = clientssl = NULL;
1443 BIO_free(out);
1444 BIO_free(in);
1445 if (cfd != -1)
1446 close(cfd);
1447 if (sfd != -1)
1448 close(sfd);
1449 OPENSSL_free(buf);
1450 OPENSSL_free(buf_dst);
1451 return testresult;
1452 }
1453
1454 static struct ktls_test_cipher {
1455 int tls_version;
1456 const char *cipher;
1457 } ktls_test_ciphers[] = {
1458 #if !defined(OPENSSL_NO_TLS1_2)
1459 #ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1461 #endif
1462 #ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_2_VERSION, "AES128-CCM" },
1464 #endif
1465 #ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_2_VERSION, "AES256-GCM-SHA384" },
1467 #endif
1468 #ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 #ifndef OPENSSL_NO_EC
1470 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305" },
1471 #endif
1472 #endif
1473 #endif
1474 #if !defined(OSSL_NO_USABLE_TLS1_3)
1475 #ifdef OPENSSL_KTLS_AES_GCM_128
1476 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1477 #endif
1478 #ifdef OPENSSL_KTLS_AES_CCM_128
1479 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1480 #endif
1481 #ifdef OPENSSL_KTLS_AES_GCM_256
1482 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1483 #endif
1484 #ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1485 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1486 #endif
1487 #endif
1488 };
1489
1490 #define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1491
test_ktls(int test)1492 static int test_ktls(int test)
1493 {
1494 struct ktls_test_cipher *cipher;
1495 int cis_ktls, sis_ktls;
1496
1497 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1498 cipher = &ktls_test_ciphers[test / 4];
1499
1500 cis_ktls = (test & 1) != 0;
1501 sis_ktls = (test & 2) != 0;
1502
1503 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1504 cipher->cipher);
1505 }
1506
test_ktls_sendfile(int test)1507 static int test_ktls_sendfile(int test)
1508 {
1509 struct ktls_test_cipher *cipher;
1510 int tst = test >> 1;
1511
1512 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1513 cipher = &ktls_test_ciphers[tst];
1514
1515 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1516 test & 1);
1517 }
1518 #endif
1519
test_large_message_tls(void)1520 static int test_large_message_tls(void)
1521 {
1522 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1523 TLS1_VERSION, 0, 0);
1524 }
1525
test_large_message_tls_read_ahead(void)1526 static int test_large_message_tls_read_ahead(void)
1527 {
1528 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1529 TLS1_VERSION, 0, 1);
1530 }
1531
1532 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1533 static int test_large_message_dtls(void)
1534 {
1535 #ifdef OPENSSL_NO_DTLS1_2
1536 /* Not supported in the FIPS provider */
1537 if (is_fips)
1538 return 1;
1539 #endif
1540 /*
1541 * read_ahead is not relevant to DTLS because DTLS always acts as if
1542 * read_ahead is set.
1543 */
1544 return execute_test_large_message(DTLS_server_method(),
1545 DTLS_client_method(),
1546 DTLS1_VERSION, 0, 0);
1547 }
1548 #endif
1549
1550 /*
1551 * Test we can successfully send the maximum amount of application data. We
1552 * test each protocol version individually, each with and without EtM enabled.
1553 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1554 * simpler this way. We also test all combinations with and without the
1555 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1556 * underlying buffer.
1557 */
test_large_app_data(int tst)1558 static int test_large_app_data(int tst)
1559 {
1560 SSL_CTX *cctx = NULL, *sctx = NULL;
1561 SSL *clientssl = NULL, *serverssl = NULL;
1562 int testresult = 0, prot;
1563 unsigned char *msg, *buf = NULL;
1564 size_t written, readbytes;
1565 const SSL_METHOD *smeth = TLS_server_method();
1566 const SSL_METHOD *cmeth = TLS_client_method();
1567
1568 switch (tst >> 2) {
1569 case 0:
1570 #ifndef OSSL_NO_USABLE_TLS1_3
1571 prot = TLS1_3_VERSION;
1572 break;
1573 #else
1574 return TEST_skip("TLS 1.3 not supported");
1575 #endif
1576
1577 case 1:
1578 #ifndef OPENSSL_NO_TLS1_2
1579 prot = TLS1_2_VERSION;
1580 break;
1581 #else
1582 return TEST_skip("TLS 1.2 not supported");
1583 #endif
1584
1585 case 2:
1586 #ifndef OPENSSL_NO_TLS1_1
1587 prot = TLS1_1_VERSION;
1588 break;
1589 #else
1590 return TEST_skip("TLS 1.1 not supported");
1591 #endif
1592
1593 case 3:
1594 #ifndef OPENSSL_NO_TLS1
1595 prot = TLS1_VERSION;
1596 break;
1597 #else
1598 return TEST_skip("TLS 1 not supported");
1599 #endif
1600
1601 case 4:
1602 #ifndef OPENSSL_NO_SSL3
1603 prot = SSL3_VERSION;
1604 break;
1605 #else
1606 return TEST_skip("SSL 3 not supported");
1607 #endif
1608
1609 case 5:
1610 #ifndef OPENSSL_NO_DTLS1_2
1611 prot = DTLS1_2_VERSION;
1612 smeth = DTLS_server_method();
1613 cmeth = DTLS_client_method();
1614 break;
1615 #else
1616 return TEST_skip("DTLS 1.2 not supported");
1617 #endif
1618
1619 case 6:
1620 #ifndef OPENSSL_NO_DTLS1
1621 if (is_fips)
1622 return TEST_skip("DTLS 1 not supported by FIPS provider");
1623 prot = DTLS1_VERSION;
1624 smeth = DTLS_server_method();
1625 cmeth = DTLS_client_method();
1626 break;
1627 #else
1628 return TEST_skip("DTLS 1 not supported");
1629 #endif
1630
1631 default:
1632 /* Shouldn't happen */
1633 return 0;
1634 }
1635
1636 if (is_fips && prot < TLS1_2_VERSION)
1637 return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");
1638
1639 /* Maximal sized message of zeros */
1640 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1641 if (!TEST_ptr(msg))
1642 goto end;
1643
1644 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1645 if (!TEST_ptr(buf))
1646 goto end;
1647 /* Set whole buffer to all bits set */
1648 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1649
1650 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1651 &sctx, &cctx, cert, privkey)))
1652 goto end;
1653
1654 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1655 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1656 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1657 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1658 "DEFAULT:@SECLEVEL=0")))
1659 goto end;
1660 }
1661
1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1663 &clientssl, NULL, NULL)))
1664 goto end;
1665
1666 if ((tst & 1) != 0) {
1667 /* Setting this option gives us a minimally sized underlying buffer */
1668 if (!TEST_true(SSL_set_options(serverssl,
1669 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1670 || !TEST_true(SSL_set_options(clientssl,
1671 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1672 goto end;
1673 }
1674
1675 if ((tst & 2) != 0) {
1676 /*
1677 * Setting this option means the MAC is added before encryption
1678 * giving us a larger record for the encryption process
1679 */
1680 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1681 || !TEST_true(SSL_set_options(clientssl,
1682 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1683 goto end;
1684 }
1685
1686 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1687 goto end;
1688
1689 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1690 &written))
1691 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1692 goto end;
1693
1694 /* We provide a buffer slightly larger than what we are actually expecting */
1695 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1696 &readbytes)))
1697 goto end;
1698
1699 if (!TEST_mem_eq(msg, written, buf, readbytes))
1700 goto end;
1701
1702 testresult = 1;
1703 end:
1704 OPENSSL_free(msg);
1705 OPENSSL_free(buf);
1706 SSL_free(serverssl);
1707 SSL_free(clientssl);
1708 SSL_CTX_free(sctx);
1709 SSL_CTX_free(cctx);
1710 return testresult;
1711 }
1712
1713 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1714 || !defined(OPENSSL_NO_DTLS)
execute_cleanse_plaintext(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version)1715 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1716 const SSL_METHOD *cmeth,
1717 int min_version, int max_version)
1718 {
1719 size_t i;
1720 SSL_CTX *cctx = NULL, *sctx = NULL;
1721 SSL *clientssl = NULL, *serverssl = NULL;
1722 int testresult = 0;
1723 const unsigned char *zbuf;
1724 SSL_CONNECTION *serversc;
1725 TLS_RECORD *rr;
1726
1727 static unsigned char cbuf[16000];
1728 static unsigned char sbuf[16000];
1729
1730 if (!TEST_true(create_ssl_ctx_pair(libctx,
1731 smeth, cmeth,
1732 min_version, max_version,
1733 &sctx, &cctx, cert,
1734 privkey)))
1735 goto end;
1736
1737 #ifdef OPENSSL_NO_DTLS1_2
1738 if (smeth == DTLS_server_method()) {
1739 /* Not supported in the FIPS provider */
1740 if (is_fips) {
1741 testresult = 1;
1742 goto end;
1743 };
1744 /*
1745 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1746 * level 0
1747 */
1748 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1749 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1750 "DEFAULT:@SECLEVEL=0")))
1751 goto end;
1752 }
1753 #endif
1754
1755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1756 NULL, NULL)))
1757 goto end;
1758
1759 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1760 goto end;
1761
1762 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1763 SSL_ERROR_NONE)))
1764 goto end;
1765
1766 for (i = 0; i < sizeof(cbuf); i++) {
1767 cbuf[i] = i & 0xff;
1768 }
1769
1770 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1771 goto end;
1772
1773 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1774 goto end;
1775
1776 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1777 goto end;
1778
1779 /*
1780 * Since we called SSL_peek(), we know the data in the record
1781 * layer is a plaintext record. We can gather the pointer to check
1782 * for zeroization after SSL_read().
1783 */
1784 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1785 goto end;
1786 rr = serversc->rlayer.tlsrecs;
1787
1788 zbuf = &rr->data[rr->off];
1789 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1790 goto end;
1791
1792 /*
1793 * After SSL_peek() the plaintext must still be stored in the
1794 * record.
1795 */
1796 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1797 goto end;
1798
1799 memset(sbuf, 0, sizeof(sbuf));
1800 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1801 goto end;
1802
1803 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1804 goto end;
1805
1806 /* Check if rbuf is cleansed */
1807 memset(cbuf, 0, sizeof(cbuf));
1808 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1809 goto end;
1810
1811 testresult = 1;
1812 end:
1813 SSL_free(serverssl);
1814 SSL_free(clientssl);
1815 SSL_CTX_free(sctx);
1816 SSL_CTX_free(cctx);
1817
1818 return testresult;
1819 }
1820 #endif /* \
1821 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1822 * || !defined(OPENSSL_NO_DTLS) \
1823 */
1824
test_cleanse_plaintext(void)1825 static int test_cleanse_plaintext(void)
1826 {
1827 #if !defined(OPENSSL_NO_TLS1_2)
1828 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1829 TLS_client_method(),
1830 TLS1_2_VERSION,
1831 TLS1_2_VERSION)))
1832 return 0;
1833
1834 #endif
1835
1836 #if !defined(OSSL_NO_USABLE_TLS1_3)
1837 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1838 TLS_client_method(),
1839 TLS1_3_VERSION,
1840 TLS1_3_VERSION)))
1841 return 0;
1842 #endif
1843
1844 #if !defined(OPENSSL_NO_DTLS)
1845
1846 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1847 DTLS_client_method(),
1848 DTLS1_VERSION,
1849 0)))
1850 return 0;
1851 #endif
1852 return 1;
1853 }
1854
1855 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1856 static int ocsp_server_cb(SSL *s, void *arg)
1857 {
1858 int *argi = (int *)arg;
1859 unsigned char *copy = NULL;
1860 STACK_OF(OCSP_RESPID) *ids = NULL;
1861 OCSP_RESPID *id = NULL;
1862
1863 if (*argi == 2) {
1864 /* In this test we are expecting exactly 1 OCSP_RESPID */
1865 SSL_get_tlsext_status_ids(s, &ids);
1866 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
1869 id = sk_OCSP_RESPID_value(ids, 0);
1870 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1871 return SSL_TLSEXT_ERR_ALERT_FATAL;
1872 } else if (*argi != 1) {
1873 return SSL_TLSEXT_ERR_ALERT_FATAL;
1874 }
1875
1876 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1877 return SSL_TLSEXT_ERR_ALERT_FATAL;
1878
1879 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1880 sizeof(orespder)))) {
1881 OPENSSL_free(copy);
1882 return SSL_TLSEXT_ERR_ALERT_FATAL;
1883 }
1884 ocsp_server_called = 1;
1885 return SSL_TLSEXT_ERR_OK;
1886 }
1887
ocsp_client_cb(SSL * s,void * arg)1888 static int ocsp_client_cb(SSL *s, void *arg)
1889 {
1890 int *argi = (int *)arg;
1891 const unsigned char *respderin;
1892 size_t len;
1893
1894 if (*argi != 1 && *argi != 2)
1895 return 0;
1896
1897 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1898 if (!TEST_mem_eq(orespder, len, respderin, len))
1899 return 0;
1900
1901 ocsp_client_called = 1;
1902 return 1;
1903 }
1904
test_tlsext_status_type(void)1905 static int test_tlsext_status_type(void)
1906 {
1907 SSL_CTX *cctx = NULL, *sctx = NULL;
1908 SSL *clientssl = NULL, *serverssl = NULL;
1909 int testresult = 0;
1910 STACK_OF(OCSP_RESPID) *ids = NULL;
1911 OCSP_RESPID *id = NULL;
1912 BIO *certbio = NULL;
1913
1914 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1915 TLS1_VERSION, 0,
1916 &sctx, &cctx, cert, privkey))
1917 return 0;
1918
1919 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1920 goto end;
1921
1922 /* First just do various checks getting and setting tlsext_status_type */
1923
1924 clientssl = SSL_new(cctx);
1925 if (!TEST_ptr(clientssl))
1926 goto end;
1927 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1928 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1929 TLSEXT_STATUSTYPE_ocsp))
1930 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1931 TLSEXT_STATUSTYPE_ocsp))
1932 goto end;
1933
1934 SSL_free(clientssl);
1935 clientssl = NULL;
1936
1937 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1938 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1939 goto end;
1940
1941 clientssl = SSL_new(cctx);
1942 if (!TEST_ptr(clientssl))
1943 goto end;
1944 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1945 goto end;
1946 SSL_free(clientssl);
1947 clientssl = NULL;
1948
1949 /*
1950 * Now actually do a handshake and check OCSP information is exchanged and
1951 * the callbacks get called
1952 */
1953 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1954 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1955 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1956 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1958 &clientssl, NULL, NULL))
1959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1960 SSL_ERROR_NONE))
1961 || !TEST_true(ocsp_client_called)
1962 || !TEST_true(ocsp_server_called))
1963 goto end;
1964 SSL_free(serverssl);
1965 SSL_free(clientssl);
1966 serverssl = NULL;
1967 clientssl = NULL;
1968
1969 /* Try again but this time force the server side callback to fail */
1970 ocsp_client_called = 0;
1971 ocsp_server_called = 0;
1972 cdummyarg = 0;
1973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1974 &clientssl, NULL, NULL))
1975 /* This should fail because the callback will fail */
1976 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1977 SSL_ERROR_NONE))
1978 || !TEST_false(ocsp_client_called)
1979 || !TEST_false(ocsp_server_called))
1980 goto end;
1981 SSL_free(serverssl);
1982 SSL_free(clientssl);
1983 serverssl = NULL;
1984 clientssl = NULL;
1985
1986 /*
1987 * This time we'll get the client to send an OCSP_RESPID that it will
1988 * accept.
1989 */
1990 ocsp_client_called = 0;
1991 ocsp_server_called = 0;
1992 cdummyarg = 2;
1993 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1994 &clientssl, NULL, NULL)))
1995 goto end;
1996
1997 /*
1998 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1999 * specific one. We'll use the server cert.
2000 */
2001 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
2002 || !TEST_ptr(id = OCSP_RESPID_new())
2003 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
2004 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
2005 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
2006 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
2007 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
2008 goto end;
2009 id = NULL;
2010 SSL_set_tlsext_status_ids(clientssl, ids);
2011 /* Control has been transferred */
2012 ids = NULL;
2013
2014 BIO_free(certbio);
2015 certbio = NULL;
2016
2017 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2018 SSL_ERROR_NONE))
2019 || !TEST_true(ocsp_client_called)
2020 || !TEST_true(ocsp_server_called))
2021 goto end;
2022
2023 testresult = 1;
2024
2025 end:
2026 SSL_free(serverssl);
2027 SSL_free(clientssl);
2028 SSL_CTX_free(sctx);
2029 SSL_CTX_free(cctx);
2030 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2031 OCSP_RESPID_free(id);
2032 BIO_free(certbio);
2033 X509_free(ocspcert);
2034 ocspcert = NULL;
2035
2036 return testresult;
2037 }
2038 #endif
2039
2040 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2041 static int new_called, remove_called, get_called;
2042
new_session_cb(SSL * ssl,SSL_SESSION * sess)2043 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2044 {
2045 new_called++;
2046 /*
2047 * sess has been up-refed for us, but we don't actually need it so free it
2048 * immediately.
2049 */
2050 SSL_SESSION_free(sess);
2051 return 1;
2052 }
2053
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)2054 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2055 {
2056 remove_called++;
2057 }
2058
2059 static SSL_SESSION *get_sess_val = NULL;
2060
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)2061 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2062 int *copy)
2063 {
2064 get_called++;
2065 *copy = 1;
2066 return get_sess_val;
2067 }
2068
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache,long s_options)2069 static int execute_test_session(int maxprot, int use_int_cache,
2070 int use_ext_cache, long s_options)
2071 {
2072 SSL_CTX *sctx = NULL, *cctx = NULL;
2073 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2074 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2075 #ifndef OPENSSL_NO_TLS1_1
2076 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2077 #endif
2078 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2079 int testresult = 0, numnewsesstick = 1;
2080
2081 new_called = remove_called = 0;
2082
2083 /* TLSv1.3 sends 2 NewSessionTickets */
2084 if (maxprot == TLS1_3_VERSION)
2085 numnewsesstick = 2;
2086
2087 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2088 TLS_client_method(), TLS1_VERSION, 0,
2089 &sctx, &cctx, cert, privkey)))
2090 return 0;
2091
2092 /*
2093 * Only allow the max protocol version so we can force a connection failure
2094 * later
2095 */
2096 SSL_CTX_set_min_proto_version(cctx, maxprot);
2097 SSL_CTX_set_max_proto_version(cctx, maxprot);
2098
2099 /* Set up session cache */
2100 if (use_ext_cache) {
2101 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2102 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2103 }
2104 if (use_int_cache) {
2105 /* Also covers instance where both are set */
2106 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2107 } else {
2108 SSL_CTX_set_session_cache_mode(cctx,
2109 SSL_SESS_CACHE_CLIENT
2110 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2111 }
2112
2113 if (s_options) {
2114 SSL_CTX_set_options(sctx, s_options);
2115 }
2116
2117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2118 NULL, NULL))
2119 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2120 SSL_ERROR_NONE))
2121 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2122 goto end;
2123
2124 /* Should fail because it should already be in the cache */
2125 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2126 goto end;
2127 if (use_ext_cache
2128 && (!TEST_int_eq(new_called, numnewsesstick)
2129
2130 || !TEST_int_eq(remove_called, 0)))
2131 goto end;
2132
2133 new_called = remove_called = 0;
2134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2135 &clientssl2, NULL, NULL))
2136 || !TEST_true(SSL_set_session(clientssl2, sess1))
2137 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2138 SSL_ERROR_NONE))
2139 || !TEST_true(SSL_session_reused(clientssl2)))
2140 goto end;
2141
2142 if (maxprot == TLS1_3_VERSION) {
2143 /*
2144 * In TLSv1.3 we should have created a new session even though we have
2145 * resumed. Since we attempted a resume we should also have removed the
2146 * old ticket from the cache so that we try to only use tickets once.
2147 */
2148 if (use_ext_cache
2149 && (!TEST_int_eq(new_called, 1)
2150 || !TEST_int_eq(remove_called, 1)))
2151 goto end;
2152 } else {
2153 /*
2154 * In TLSv1.2 we expect to have resumed so no sessions added or
2155 * removed.
2156 */
2157 if (use_ext_cache
2158 && (!TEST_int_eq(new_called, 0)
2159 || !TEST_int_eq(remove_called, 0)))
2160 goto end;
2161 }
2162
2163 SSL_SESSION_free(sess1);
2164 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2165 goto end;
2166 shutdown_ssl_connection(serverssl2, clientssl2);
2167 serverssl2 = clientssl2 = NULL;
2168
2169 new_called = remove_called = 0;
2170 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2171 &clientssl2, NULL, NULL))
2172 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2173 SSL_ERROR_NONE)))
2174 goto end;
2175
2176 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2177 goto end;
2178
2179 if (use_ext_cache
2180 && (!TEST_int_eq(new_called, numnewsesstick)
2181 || !TEST_int_eq(remove_called, 0)))
2182 goto end;
2183
2184 new_called = remove_called = 0;
2185 /*
2186 * This should clear sess2 from the cache because it is a "bad" session.
2187 * See SSL_set_session() documentation.
2188 */
2189 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2190 goto end;
2191 if (use_ext_cache
2192 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2193 goto end;
2194 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2195 goto end;
2196
2197 if (use_int_cache) {
2198 /* Should succeeded because it should not already be in the cache */
2199 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2200 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2201 goto end;
2202 }
2203
2204 new_called = remove_called = 0;
2205 /* This shouldn't be in the cache so should fail */
2206 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2207 goto end;
2208
2209 if (use_ext_cache
2210 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2211 goto end;
2212
2213 #if !defined(OPENSSL_NO_TLS1_1)
2214 new_called = remove_called = 0;
2215 /* Force a connection failure */
2216 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2218 &clientssl3, NULL, NULL))
2219 || !TEST_true(SSL_set_session(clientssl3, sess1))
2220 /* This should fail because of the mismatched protocol versions */
2221 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2222 SSL_ERROR_NONE)))
2223 goto end;
2224
2225 /* We should have automatically removed the session from the cache */
2226 if (use_ext_cache
2227 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2228 goto end;
2229
2230 /* Should succeed because it should not already be in the cache */
2231 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2232 goto end;
2233 #endif
2234
2235 /* Now do some tests for server side caching */
2236 if (use_ext_cache) {
2237 SSL_CTX_sess_set_new_cb(cctx, NULL);
2238 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2239 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2240 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2241 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2242 get_sess_val = NULL;
2243 }
2244
2245 SSL_CTX_set_session_cache_mode(cctx, 0);
2246 /* Internal caching is the default on the server side */
2247 if (!use_int_cache)
2248 SSL_CTX_set_session_cache_mode(sctx,
2249 SSL_SESS_CACHE_SERVER
2250 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2251
2252 SSL_free(serverssl1);
2253 SSL_free(clientssl1);
2254 serverssl1 = clientssl1 = NULL;
2255 SSL_free(serverssl2);
2256 SSL_free(clientssl2);
2257 serverssl2 = clientssl2 = NULL;
2258 SSL_SESSION_free(sess1);
2259 sess1 = NULL;
2260 SSL_SESSION_free(sess2);
2261 sess2 = NULL;
2262
2263 SSL_CTX_set_max_proto_version(sctx, maxprot);
2264 if (maxprot == TLS1_2_VERSION)
2265 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2266 new_called = remove_called = get_called = 0;
2267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2268 NULL, NULL))
2269 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2270 SSL_ERROR_NONE))
2271 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2272 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2273 goto end;
2274
2275 if (use_int_cache) {
2276 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2277 /*
2278 * In TLSv1.3 it should not have been added to the internal cache,
2279 * except in the case where we also have an external cache (in that
2280 * case it gets added to the cache in order to generate remove
2281 * events after timeout).
2282 */
2283 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2284 goto end;
2285 } else {
2286 /* Should fail because it should already be in the cache */
2287 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2288 goto end;
2289 }
2290 }
2291
2292 if (use_ext_cache) {
2293 SSL_SESSION *tmp = sess2;
2294
2295 if (!TEST_int_eq(new_called, numnewsesstick)
2296 || !TEST_int_eq(remove_called, 0)
2297 || !TEST_int_eq(get_called, 0))
2298 goto end;
2299 /*
2300 * Delete the session from the internal cache to force a lookup from
2301 * the external cache. We take a copy first because
2302 * SSL_CTX_remove_session() also marks the session as non-resumable.
2303 */
2304 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2305 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2306 || !TEST_true(sess2->owner != NULL)
2307 || !TEST_true(tmp->owner == NULL)
2308 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2309 goto end;
2310 SSL_SESSION_free(sess2);
2311 }
2312 sess2 = tmp;
2313 }
2314
2315 new_called = remove_called = get_called = 0;
2316 get_sess_val = sess2;
2317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2318 &clientssl2, NULL, NULL))
2319 || !TEST_true(SSL_set_session(clientssl2, sess1))
2320 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2321 SSL_ERROR_NONE))
2322 || !TEST_true(SSL_session_reused(clientssl2)))
2323 goto end;
2324
2325 if (use_ext_cache) {
2326 if (!TEST_int_eq(remove_called, 0))
2327 goto end;
2328
2329 if (maxprot == TLS1_3_VERSION) {
2330 if (!TEST_int_eq(new_called, 1)
2331 || !TEST_int_eq(get_called, 0))
2332 goto end;
2333 } else {
2334 if (!TEST_int_eq(new_called, 0)
2335 || !TEST_int_eq(get_called, 1))
2336 goto end;
2337 }
2338 }
2339 /*
2340 * Make a small cache, force out all other sessions but
2341 * sess2, try to add sess1, which should succeed. Then
2342 * make sure it's there by checking the owners. Despite
2343 * the timeouts, sess1 should have kicked out sess2
2344 */
2345
2346 /* Make sess1 expire before sess2 */
2347 if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
2348 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2349 || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
2350 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2351 goto end;
2352
2353 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2354 goto end;
2355
2356 /* Don't care about results - cache should only be sess2 at end */
2357 SSL_CTX_add_session(sctx, sess1);
2358 SSL_CTX_add_session(sctx, sess2);
2359
2360 /* Now add sess1, and make sure it remains, despite timeout */
2361 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2362 || !TEST_ptr(sess1->owner)
2363 || !TEST_ptr_null(sess2->owner))
2364 goto end;
2365
2366 testresult = 1;
2367
2368 end:
2369 SSL_free(serverssl1);
2370 SSL_free(clientssl1);
2371 SSL_free(serverssl2);
2372 SSL_free(clientssl2);
2373 #ifndef OPENSSL_NO_TLS1_1
2374 SSL_free(serverssl3);
2375 SSL_free(clientssl3);
2376 #endif
2377 SSL_SESSION_free(sess1);
2378 SSL_SESSION_free(sess2);
2379 SSL_CTX_free(sctx);
2380 SSL_CTX_free(cctx);
2381
2382 return testresult;
2383 }
2384 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2385
test_session_with_only_int_cache(void)2386 static int test_session_with_only_int_cache(void)
2387 {
2388 #ifndef OSSL_NO_USABLE_TLS1_3
2389 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2390 return 0;
2391 #endif
2392
2393 #ifndef OPENSSL_NO_TLS1_2
2394 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2395 #else
2396 return 1;
2397 #endif
2398 }
2399
test_session_with_only_ext_cache(void)2400 static int test_session_with_only_ext_cache(void)
2401 {
2402 #ifndef OSSL_NO_USABLE_TLS1_3
2403 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2404 return 0;
2405 #endif
2406
2407 #ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2409 #else
2410 return 1;
2411 #endif
2412 }
2413
test_session_with_both_cache(void)2414 static int test_session_with_both_cache(void)
2415 {
2416 #ifndef OSSL_NO_USABLE_TLS1_3
2417 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2418 return 0;
2419 #endif
2420
2421 #ifndef OPENSSL_NO_TLS1_2
2422 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2423 #else
2424 return 1;
2425 #endif
2426 }
2427
test_session_wo_ca_names(void)2428 static int test_session_wo_ca_names(void)
2429 {
2430 #ifndef OSSL_NO_USABLE_TLS1_3
2431 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2432 return 0;
2433 #endif
2434
2435 #ifndef OPENSSL_NO_TLS1_2
2436 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2437 #else
2438 return 1;
2439 #endif
2440 }
2441
2442 #ifndef OSSL_NO_USABLE_TLS1_3
2443 static SSL_SESSION *sesscache[6];
2444 static int do_cache;
2445
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)2446 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2447 {
2448 if (do_cache) {
2449 sesscache[new_called] = sess;
2450 } else {
2451 /* We don't need the reference to the session, so free it */
2452 SSL_SESSION_free(sess);
2453 }
2454 new_called++;
2455
2456 return 1;
2457 }
2458
post_handshake_verify(SSL * sssl,SSL * cssl)2459 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2460 {
2461 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2462 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2463 return 0;
2464
2465 /* Start handshake on the server and client */
2466 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2467 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2468 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2469 || !TEST_true(create_ssl_connection(sssl, cssl,
2470 SSL_ERROR_NONE)))
2471 return 0;
2472
2473 return 1;
2474 }
2475
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)2476 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2477 SSL_CTX **cctx)
2478 {
2479 int sess_id_ctx = 1;
2480
2481 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2482 TLS_client_method(), TLS1_VERSION, 0,
2483 sctx, cctx, cert, privkey))
2484 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2485 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2486 (void *)&sess_id_ctx,
2487 sizeof(sess_id_ctx))))
2488 return 0;
2489
2490 if (stateful)
2491 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2492
2493 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2494 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2495
2496 return 1;
2497 }
2498
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)2499 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2500 {
2501 SSL *serverssl = NULL, *clientssl = NULL;
2502 int i;
2503
2504 /* Test that we can resume with all the tickets we got given */
2505 for (i = 0; i < idx * 2; i++) {
2506 new_called = 0;
2507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2508 &clientssl, NULL, NULL))
2509 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2510 goto end;
2511
2512 SSL_set_post_handshake_auth(clientssl, 1);
2513
2514 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2515 SSL_ERROR_NONE)))
2516 goto end;
2517
2518 /*
2519 * Following a successful resumption we only get 1 ticket. After a
2520 * failed one we should get idx tickets.
2521 */
2522 if (succ) {
2523 if (!TEST_true(SSL_session_reused(clientssl))
2524 || !TEST_int_eq(new_called, 1))
2525 goto end;
2526 } else {
2527 if (!TEST_false(SSL_session_reused(clientssl))
2528 || !TEST_int_eq(new_called, idx))
2529 goto end;
2530 }
2531
2532 new_called = 0;
2533 /* After a post-handshake authentication we should get 1 new ticket */
2534 if (succ
2535 && (!post_handshake_verify(serverssl, clientssl)
2536 || !TEST_int_eq(new_called, 1)))
2537 goto end;
2538
2539 SSL_shutdown(clientssl);
2540 SSL_shutdown(serverssl);
2541 SSL_free(serverssl);
2542 SSL_free(clientssl);
2543 serverssl = clientssl = NULL;
2544 SSL_SESSION_free(sesscache[i]);
2545 sesscache[i] = NULL;
2546 }
2547
2548 return 1;
2549
2550 end:
2551 SSL_free(clientssl);
2552 SSL_free(serverssl);
2553 return 0;
2554 }
2555
test_tickets(int stateful,int idx)2556 static int test_tickets(int stateful, int idx)
2557 {
2558 SSL_CTX *sctx = NULL, *cctx = NULL;
2559 SSL *serverssl = NULL, *clientssl = NULL;
2560 int testresult = 0;
2561 size_t j;
2562
2563 /* idx is the test number, but also the number of tickets we want */
2564
2565 new_called = 0;
2566 do_cache = 1;
2567
2568 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2569 goto end;
2570
2571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2572 &clientssl, NULL, NULL)))
2573 goto end;
2574
2575 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2576 SSL_ERROR_NONE))
2577 /* Check we got the number of tickets we were expecting */
2578 || !TEST_int_eq(idx, new_called))
2579 goto end;
2580
2581 SSL_shutdown(clientssl);
2582 SSL_shutdown(serverssl);
2583 SSL_free(serverssl);
2584 SSL_free(clientssl);
2585 SSL_CTX_free(sctx);
2586 SSL_CTX_free(cctx);
2587 clientssl = serverssl = NULL;
2588 sctx = cctx = NULL;
2589
2590 /*
2591 * Now we try to resume with the tickets we previously created. The
2592 * resumption attempt is expected to fail (because we're now using a new
2593 * SSL_CTX). We should see idx number of tickets issued again.
2594 */
2595
2596 /* Stop caching sessions - just count them */
2597 do_cache = 0;
2598
2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2600 goto end;
2601
2602 if (!check_resumption(idx, sctx, cctx, 0))
2603 goto end;
2604
2605 /* Start again with caching sessions */
2606 new_called = 0;
2607 do_cache = 1;
2608 SSL_CTX_free(sctx);
2609 SSL_CTX_free(cctx);
2610 sctx = cctx = NULL;
2611
2612 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2613 goto end;
2614
2615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2616 &clientssl, NULL, NULL)))
2617 goto end;
2618
2619 SSL_set_post_handshake_auth(clientssl, 1);
2620
2621 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2622 SSL_ERROR_NONE))
2623 /* Check we got the number of tickets we were expecting */
2624 || !TEST_int_eq(idx, new_called))
2625 goto end;
2626
2627 /* After a post-handshake authentication we should get new tickets issued */
2628 if (!post_handshake_verify(serverssl, clientssl)
2629 || !TEST_int_eq(idx * 2, new_called))
2630 goto end;
2631
2632 SSL_shutdown(clientssl);
2633 SSL_shutdown(serverssl);
2634 SSL_free(serverssl);
2635 SSL_free(clientssl);
2636 serverssl = clientssl = NULL;
2637
2638 /* Stop caching sessions - just count them */
2639 do_cache = 0;
2640
2641 /*
2642 * Check we can resume with all the tickets we created. This time around the
2643 * resumptions should all be successful.
2644 */
2645 if (!check_resumption(idx, sctx, cctx, 1))
2646 goto end;
2647
2648 testresult = 1;
2649
2650 end:
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2653 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2654 SSL_SESSION_free(sesscache[j]);
2655 sesscache[j] = NULL;
2656 }
2657 SSL_CTX_free(sctx);
2658 SSL_CTX_free(cctx);
2659
2660 return testresult;
2661 }
2662
test_stateless_tickets(int idx)2663 static int test_stateless_tickets(int idx)
2664 {
2665 return test_tickets(0, idx);
2666 }
2667
test_stateful_tickets(int idx)2668 static int test_stateful_tickets(int idx)
2669 {
2670 return test_tickets(1, idx);
2671 }
2672
test_psk_tickets(void)2673 static int test_psk_tickets(void)
2674 {
2675 SSL_CTX *sctx = NULL, *cctx = NULL;
2676 SSL *serverssl = NULL, *clientssl = NULL;
2677 int testresult = 0;
2678 int sess_id_ctx = 1;
2679
2680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2681 TLS_client_method(), TLS1_VERSION, 0,
2682 &sctx, &cctx, NULL, NULL))
2683 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2684 (void *)&sess_id_ctx,
2685 sizeof(sess_id_ctx))))
2686 goto end;
2687
2688 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2689 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2690 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2691 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2692 use_session_cb_cnt = 0;
2693 find_session_cb_cnt = 0;
2694 srvid = pskid;
2695 new_called = 0;
2696
2697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2698 NULL, NULL)))
2699 goto end;
2700 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2701 if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2702 goto end;
2703
2704 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2705 SSL_ERROR_NONE))
2706 || !TEST_int_eq(1, find_session_cb_cnt)
2707 || !TEST_int_eq(1, use_session_cb_cnt)
2708 /* We should always get 1 ticket when using external PSK */
2709 || !TEST_int_eq(1, new_called))
2710 goto end;
2711
2712 testresult = 1;
2713
2714 end:
2715 SSL_free(serverssl);
2716 SSL_free(clientssl);
2717 SSL_CTX_free(sctx);
2718 SSL_CTX_free(cctx);
2719 SSL_SESSION_free(clientpsk);
2720 SSL_SESSION_free(serverpsk);
2721 clientpsk = serverpsk = NULL;
2722
2723 return testresult;
2724 }
2725
test_extra_tickets(int idx)2726 static int test_extra_tickets(int idx)
2727 {
2728 SSL_CTX *sctx = NULL, *cctx = NULL;
2729 SSL *serverssl = NULL, *clientssl = NULL;
2730 BIO *bretry = BIO_new(bio_s_always_retry());
2731 BIO *tmp = NULL;
2732 int testresult = 0;
2733 int stateful = 0;
2734 size_t nbytes;
2735 unsigned char c, buf[1];
2736
2737 new_called = 0;
2738 do_cache = 1;
2739
2740 if (idx >= 3) {
2741 idx -= 3;
2742 stateful = 1;
2743 }
2744
2745 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2746 goto end;
2747 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2748 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2749 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2750
2751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2752 &clientssl, NULL, NULL)))
2753 goto end;
2754
2755 /*
2756 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2757 * incremented by both client and server.
2758 */
2759 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2760 SSL_ERROR_NONE))
2761 /* Check we got the number of tickets we were expecting */
2762 || !TEST_int_eq(idx * 2, new_called)
2763 || !TEST_true(SSL_new_session_ticket(serverssl))
2764 || !TEST_true(SSL_new_session_ticket(serverssl))
2765 || !TEST_int_eq(idx * 2, new_called))
2766 goto end;
2767
2768 /* Now try a (real) write to actually send the tickets */
2769 c = '1';
2770 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2771 || !TEST_size_t_eq(1, nbytes)
2772 || !TEST_int_eq(idx * 2 + 2, new_called)
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2774 || !TEST_int_eq(idx * 2 + 4, new_called)
2775 || !TEST_int_eq(sizeof(buf), nbytes)
2776 || !TEST_int_eq(c, buf[0])
2777 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2778 goto end;
2779
2780 /* Try with only requesting one new ticket, too */
2781 c = '2';
2782 new_called = 0;
2783 if (!TEST_true(SSL_new_session_ticket(serverssl))
2784 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2785 || !TEST_size_t_eq(sizeof(c), nbytes)
2786 || !TEST_int_eq(1, new_called)
2787 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2788 || !TEST_int_eq(2, new_called)
2789 || !TEST_size_t_eq(sizeof(buf), nbytes)
2790 || !TEST_int_eq(c, buf[0]))
2791 goto end;
2792
2793 /* Do it again but use dummy writes to drive the ticket generation */
2794 c = '3';
2795 new_called = 0;
2796 if (!TEST_true(SSL_new_session_ticket(serverssl))
2797 || !TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2799 || !TEST_size_t_eq(0, nbytes)
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2803 goto end;
2804
2805 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2806 c = '4';
2807 new_called = 0;
2808 if (!TEST_true(SSL_new_session_ticket(serverssl))
2809 || !TEST_true(SSL_new_session_ticket(serverssl))
2810 || !TEST_true(SSL_do_handshake(serverssl))
2811 || !TEST_int_eq(2, new_called)
2812 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2813 || !TEST_int_eq(4, new_called))
2814 goto end;
2815
2816 /*
2817 * Use the always-retry BIO to exercise the logic that forces ticket
2818 * generation to wait until a record boundary.
2819 */
2820 c = '5';
2821 new_called = 0;
2822 tmp = SSL_get_wbio(serverssl);
2823 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2824 tmp = NULL;
2825 goto end;
2826 }
2827 SSL_set0_wbio(serverssl, bretry);
2828 bretry = NULL;
2829 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2830 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2831 || !TEST_size_t_eq(nbytes, 0))
2832 goto end;
2833 /* Restore a BIO that will let the write succeed */
2834 SSL_set0_wbio(serverssl, tmp);
2835 tmp = NULL;
2836 /*
2837 * These calls should just queue the request and not send anything
2838 * even if we explicitly try to hit the state machine.
2839 */
2840 if (!TEST_true(SSL_new_session_ticket(serverssl))
2841 || !TEST_true(SSL_new_session_ticket(serverssl))
2842 || !TEST_int_eq(0, new_called)
2843 || !TEST_true(SSL_do_handshake(serverssl))
2844 || !TEST_int_eq(0, new_called))
2845 goto end;
2846 /* Re-do the write; still no tickets sent */
2847 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2848 || !TEST_size_t_eq(1, nbytes)
2849 || !TEST_int_eq(0, new_called)
2850 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2851 || !TEST_int_eq(0, new_called)
2852 || !TEST_int_eq(sizeof(buf), nbytes)
2853 || !TEST_int_eq(c, buf[0])
2854 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2855 goto end;
2856 /* Even trying to hit the state machine now will still not send tickets */
2857 if (!TEST_true(SSL_do_handshake(serverssl))
2858 || !TEST_int_eq(0, new_called))
2859 goto end;
2860 /* Now the *next* write should send the tickets */
2861 c = '6';
2862 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2863 || !TEST_size_t_eq(1, nbytes)
2864 || !TEST_int_eq(2, new_called)
2865 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2866 || !TEST_int_eq(4, new_called)
2867 || !TEST_int_eq(sizeof(buf), nbytes)
2868 || !TEST_int_eq(c, buf[0])
2869 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2870 goto end;
2871
2872 SSL_shutdown(clientssl);
2873 SSL_shutdown(serverssl);
2874 testresult = 1;
2875
2876 end:
2877 BIO_free(bretry);
2878 BIO_free(tmp);
2879 SSL_free(serverssl);
2880 SSL_free(clientssl);
2881 SSL_CTX_free(sctx);
2882 SSL_CTX_free(cctx);
2883 clientssl = serverssl = NULL;
2884 sctx = cctx = NULL;
2885 return testresult;
2886 }
2887 #endif
2888
2889 #define USE_NULL 0
2890 #define USE_BIO_1 1
2891 #define USE_BIO_2 2
2892 #define USE_DEFAULT 3
2893
2894 #define CONNTYPE_CONNECTION_SUCCESS 0
2895 #define CONNTYPE_CONNECTION_FAIL 1
2896 #define CONNTYPE_NO_CONNECTION 2
2897
2898 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2899 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2900 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2901 #define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2902 #else
2903 #define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2904 #endif
2905
2906 #define TOTAL_SSL_SET_BIO_TESTS \
2907 TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2908 +TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2909 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2910
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2911 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2912 {
2913 switch (type) {
2914 case USE_NULL:
2915 *res = NULL;
2916 break;
2917 case USE_BIO_1:
2918 *res = bio1;
2919 break;
2920 case USE_BIO_2:
2921 *res = bio2;
2922 break;
2923 }
2924 }
2925
2926 /*
2927 * Tests calls to SSL_set_bio() under various conditions.
2928 *
2929 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2930 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2931 * then do more tests where we create a successful connection first using our
2932 * standard connection setup functions, and then call SSL_set_bio() with
2933 * various combinations of valid BIOs or NULL. We then repeat these tests
2934 * following a failed connection. In this last case we are looking to check that
2935 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2936 */
test_ssl_set_bio(int idx)2937 static int test_ssl_set_bio(int idx)
2938 {
2939 SSL_CTX *sctx = NULL, *cctx = NULL;
2940 BIO *bio1 = NULL;
2941 BIO *bio2 = NULL;
2942 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2943 SSL *serverssl = NULL, *clientssl = NULL;
2944 int initrbio, initwbio, newrbio, newwbio, conntype;
2945 int testresult = 0;
2946
2947 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2948 initrbio = idx % 3;
2949 idx /= 3;
2950 initwbio = idx % 3;
2951 idx /= 3;
2952 newrbio = idx % 3;
2953 idx /= 3;
2954 newwbio = idx % 3;
2955 conntype = CONNTYPE_NO_CONNECTION;
2956 } else {
2957 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2958 initrbio = initwbio = USE_DEFAULT;
2959 newrbio = idx % 2;
2960 idx /= 2;
2961 newwbio = idx % 2;
2962 idx /= 2;
2963 conntype = idx % 2;
2964 }
2965
2966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2967 TLS_client_method(), TLS1_VERSION, 0,
2968 &sctx, &cctx, cert, privkey)))
2969 goto end;
2970
2971 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2972 /*
2973 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2974 * because we reduced the number of tests in the definition of
2975 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2976 * mismatched protocol versions we will force a connection failure.
2977 */
2978 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2979 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2980 }
2981
2982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2983 NULL, NULL)))
2984 goto end;
2985
2986 if (initrbio == USE_BIO_1
2987 || initwbio == USE_BIO_1
2988 || newrbio == USE_BIO_1
2989 || newwbio == USE_BIO_1) {
2990 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2991 goto end;
2992 }
2993
2994 if (initrbio == USE_BIO_2
2995 || initwbio == USE_BIO_2
2996 || newrbio == USE_BIO_2
2997 || newwbio == USE_BIO_2) {
2998 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2999 goto end;
3000 }
3001
3002 if (initrbio != USE_DEFAULT) {
3003 setupbio(&irbio, bio1, bio2, initrbio);
3004 setupbio(&iwbio, bio1, bio2, initwbio);
3005 SSL_set_bio(clientssl, irbio, iwbio);
3006
3007 /*
3008 * We want to maintain our own refs to these BIO, so do an up ref for
3009 * each BIO that will have ownership transferred in the SSL_set_bio()
3010 * call
3011 */
3012 if (irbio != NULL && !BIO_up_ref(irbio))
3013 goto end;
3014 if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
3015 BIO_free(irbio);
3016 goto end;
3017 }
3018 }
3019
3020 if (conntype != CONNTYPE_NO_CONNECTION
3021 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3022 SSL_ERROR_NONE)
3023 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3024 goto end;
3025
3026 setupbio(&nrbio, bio1, bio2, newrbio);
3027 setupbio(&nwbio, bio1, bio2, newwbio);
3028
3029 /*
3030 * We will (maybe) transfer ownership again so do more up refs.
3031 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3032 * already been set!
3033 */
3034 if (nrbio != NULL
3035 && nrbio != irbio
3036 && (nwbio != iwbio || nrbio != nwbio))
3037 if (!TEST_true(BIO_up_ref(nrbio)))
3038 goto end;
3039 if (nwbio != NULL
3040 && nwbio != nrbio
3041 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3042 if (!TEST_true(BIO_up_ref(nwbio))) {
3043 if (nrbio != irbio
3044 && (nwbio != iwbio || nrbio != nwbio))
3045 BIO_free(nrbio);
3046 goto end;
3047 }
3048
3049 SSL_set_bio(clientssl, nrbio, nwbio);
3050
3051 testresult = 1;
3052
3053 end:
3054 BIO_free(bio1);
3055 BIO_free(bio2);
3056
3057 /*
3058 * This test is checking that the ref counting for SSL_set_bio is correct.
3059 * If we get here and we did too many frees then we will fail in the above
3060 * functions.
3061 */
3062 SSL_free(serverssl);
3063 SSL_free(clientssl);
3064 SSL_CTX_free(sctx);
3065 SSL_CTX_free(cctx);
3066 return testresult;
3067 }
3068
3069 typedef enum { NO_BIO_CHANGE,
3070 CHANGE_RBIO,
3071 CHANGE_WBIO } bio_change_t;
3072
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)3073 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3074 {
3075 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3076 SSL_CTX *ctx;
3077 SSL *ssl = NULL;
3078 int testresult = 0;
3079
3080 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3081 || !TEST_ptr(ssl = SSL_new(ctx))
3082 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3083 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3084 goto end;
3085
3086 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3087
3088 /*
3089 * If anything goes wrong here then we could leak memory.
3090 */
3091 BIO_push(sslbio, membio1);
3092
3093 /* Verify changing the rbio/wbio directly does not cause leaks */
3094 if (change_bio != NO_BIO_CHANGE) {
3095 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3096 ssl = NULL;
3097 goto end;
3098 }
3099 if (change_bio == CHANGE_RBIO)
3100 SSL_set0_rbio(ssl, membio2);
3101 else
3102 SSL_set0_wbio(ssl, membio2);
3103 }
3104 ssl = NULL;
3105
3106 if (pop_ssl)
3107 BIO_pop(sslbio);
3108 else
3109 BIO_pop(membio1);
3110
3111 testresult = 1;
3112 end:
3113 BIO_free(membio1);
3114 BIO_free(sslbio);
3115 SSL_free(ssl);
3116 SSL_CTX_free(ctx);
3117
3118 return testresult;
3119 }
3120
test_ssl_bio_pop_next_bio(void)3121 static int test_ssl_bio_pop_next_bio(void)
3122 {
3123 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3124 }
3125
test_ssl_bio_pop_ssl_bio(void)3126 static int test_ssl_bio_pop_ssl_bio(void)
3127 {
3128 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3129 }
3130
test_ssl_bio_change_rbio(void)3131 static int test_ssl_bio_change_rbio(void)
3132 {
3133 return execute_test_ssl_bio(0, CHANGE_RBIO);
3134 }
3135
test_ssl_bio_change_wbio(void)3136 static int test_ssl_bio_change_wbio(void)
3137 {
3138 return execute_test_ssl_bio(0, CHANGE_WBIO);
3139 }
3140
3141 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3142 typedef struct {
3143 /* The list of sig algs */
3144 const int *list;
3145 /* The length of the list */
3146 size_t listlen;
3147 /* A sigalgs list in string format */
3148 const char *liststr;
3149 /* Whether setting the list should succeed */
3150 int valid;
3151 /* Whether creating a connection with the list should succeed */
3152 int connsuccess;
3153 } sigalgs_list;
3154
3155 static const int validlist1[] = { NID_sha256, EVP_PKEY_RSA };
3156 #ifndef OPENSSL_NO_EC
3157 static const int validlist2[] = { NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC };
3158 static const int validlist3[] = { NID_sha512, EVP_PKEY_EC };
3159 #endif
3160 static const int invalidlist1[] = { NID_undef, EVP_PKEY_RSA };
3161 static const int invalidlist2[] = { NID_sha256, NID_undef };
3162 static const int invalidlist3[] = { NID_sha256, EVP_PKEY_RSA, NID_sha256 };
3163 static const int invalidlist4[] = { NID_sha256 };
3164 static const sigalgs_list testsigalgs[] = {
3165 { validlist1, OSSL_NELEM(validlist1), NULL, 1, 1 },
3166 #ifndef OPENSSL_NO_EC
3167 { validlist2, OSSL_NELEM(validlist2), NULL, 1, 1 },
3168 { validlist3, OSSL_NELEM(validlist3), NULL, 1, 0 },
3169 #endif
3170 { NULL, 0, "RSA+SHA256", 1, 1 },
3171 { NULL, 0, "RSA+SHA256:?Invalid", 1, 1 },
3172 #ifndef OPENSSL_NO_EC
3173 { NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1 },
3174 { NULL, 0, "ECDSA+SHA512", 1, 0 },
3175 #endif
3176 { invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0 },
3177 { invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0 },
3178 { invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0 },
3179 { invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0 },
3180 { NULL, 0, "RSA", 0, 0 },
3181 { NULL, 0, "SHA256", 0, 0 },
3182 { NULL, 0, "RSA+SHA256:SHA256", 0, 0 },
3183 { NULL, 0, "Invalid", 0, 0 }
3184 };
3185
test_set_sigalgs(int idx)3186 static int test_set_sigalgs(int idx)
3187 {
3188 SSL_CTX *cctx = NULL, *sctx = NULL;
3189 SSL *clientssl = NULL, *serverssl = NULL;
3190 int testresult = 0;
3191 const sigalgs_list *curr;
3192 int testctx;
3193
3194 /* Should never happen */
3195 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3196 return 0;
3197
3198 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3199 curr = testctx ? &testsigalgs[idx]
3200 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3201
3202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3203 TLS_client_method(), TLS1_VERSION, 0,
3204 &sctx, &cctx, cert, privkey)))
3205 return 0;
3206
3207 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3208
3209 if (testctx) {
3210 int ret;
3211
3212 if (curr->list != NULL)
3213 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3214 else
3215 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3216
3217 if (!ret) {
3218 if (curr->valid)
3219 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3220 else
3221 testresult = 1;
3222 goto end;
3223 }
3224 if (!curr->valid) {
3225 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3226 goto end;
3227 }
3228 }
3229
3230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3231 &clientssl, NULL, NULL)))
3232 goto end;
3233
3234 if (!testctx) {
3235 int ret;
3236
3237 if (curr->list != NULL)
3238 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3239 else
3240 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3241 if (!ret) {
3242 if (curr->valid)
3243 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3244 else
3245 testresult = 1;
3246 goto end;
3247 }
3248 if (!curr->valid)
3249 goto end;
3250 }
3251
3252 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3253 SSL_ERROR_NONE),
3254 curr->connsuccess))
3255 goto end;
3256
3257 testresult = 1;
3258
3259 end:
3260 SSL_free(serverssl);
3261 SSL_free(clientssl);
3262 SSL_CTX_free(sctx);
3263 SSL_CTX_free(cctx);
3264
3265 return testresult;
3266 }
3267 #endif
3268
3269 #ifndef OSSL_NO_USABLE_TLS1_3
3270 static int psk_client_cb_cnt = 0;
3271 static int psk_server_cb_cnt = 0;
3272
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)3273 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3274 size_t *idlen, SSL_SESSION **sess)
3275 {
3276 switch (++use_session_cb_cnt) {
3277 case 1:
3278 /* The first call should always have a NULL md */
3279 if (md != NULL)
3280 return 0;
3281 break;
3282
3283 case 2:
3284 /* The second call should always have an md */
3285 if (md == NULL)
3286 return 0;
3287 break;
3288
3289 default:
3290 /* We should only be called a maximum of twice */
3291 return 0;
3292 }
3293
3294 if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
3295 return 0;
3296
3297 *sess = clientpsk;
3298 *id = (const unsigned char *)pskid;
3299 *idlen = strlen(pskid);
3300
3301 return 1;
3302 }
3303
3304 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)3305 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3306 unsigned int max_id_len,
3307 unsigned char *psk,
3308 unsigned int max_psk_len)
3309 {
3310 unsigned int psklen = 0;
3311
3312 psk_client_cb_cnt++;
3313
3314 if (strlen(pskid) + 1 > max_id_len)
3315 return 0;
3316
3317 /* We should only ever be called a maximum of twice per connection */
3318 if (psk_client_cb_cnt > 2)
3319 return 0;
3320
3321 if (clientpsk == NULL)
3322 return 0;
3323
3324 /* We'll reuse the PSK we set up for TLSv1.3 */
3325 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3326 return 0;
3327 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3328 strncpy(id, pskid, max_id_len);
3329
3330 return psklen;
3331 }
3332 #endif /* OPENSSL_NO_PSK */
3333
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)3334 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3335 size_t identity_len, SSL_SESSION **sess)
3336 {
3337 find_session_cb_cnt++;
3338
3339 /* We should only ever be called a maximum of twice per connection */
3340 if (find_session_cb_cnt > 2)
3341 return 0;
3342
3343 if (serverpsk == NULL)
3344 return 0;
3345
3346 /* Identity should match that set by the client */
3347 if (strlen(srvid) != identity_len
3348 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3349 /* No PSK found, continue but without a PSK */
3350 *sess = NULL;
3351 return 1;
3352 }
3353
3354 if (!SSL_SESSION_up_ref(serverpsk))
3355 return 0;
3356
3357 *sess = serverpsk;
3358
3359 return 1;
3360 }
3361
3362 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)3363 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3364 unsigned char *psk, unsigned int max_psk_len)
3365 {
3366 unsigned int psklen = 0;
3367
3368 psk_server_cb_cnt++;
3369
3370 /* We should only ever be called a maximum of twice per connection */
3371 if (find_session_cb_cnt > 2)
3372 return 0;
3373
3374 if (serverpsk == NULL)
3375 return 0;
3376
3377 /* Identity should match that set by the client */
3378 if (strcmp(srvid, identity) != 0) {
3379 return 0;
3380 }
3381
3382 /* We'll reuse the PSK we set up for TLSv1.3 */
3383 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3384 return 0;
3385 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3386
3387 return psklen;
3388 }
3389 #endif /* OPENSSL_NO_PSK */
3390
3391 #define MSG1 "Hello"
3392 #define MSG2 "World."
3393 #define MSG3 "This"
3394 #define MSG4 "is"
3395 #define MSG5 "a"
3396 #define MSG6 "test"
3397 #define MSG7 "message."
3398
3399 static int artificial_ticket_time = 0;
3400
sub_session_time(SSL_SESSION * sess)3401 static int sub_session_time(SSL_SESSION *sess)
3402 {
3403 OSSL_TIME tick_time;
3404
3405 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3406 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3407
3408 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3409 }
3410
ed_gen_cb(SSL * s,void * arg)3411 static int ed_gen_cb(SSL *s, void *arg)
3412 {
3413 SSL_SESSION *sess = SSL_get0_session(s);
3414
3415 if (sess == NULL)
3416 return 0;
3417
3418 /*
3419 * Artificially give the ticket some age. Just do it for the number of
3420 * tickets we've been told to do.
3421 */
3422 if (artificial_ticket_time == 0)
3423 return 1;
3424 artificial_ticket_time--;
3425
3426 return sub_session_time(sess);
3427 }
3428
3429 /*
3430 * Helper method to setup objects for early data test. Caller frees objects on
3431 * error.
3432 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx,size_t mdsize)3433 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3434 SSL **serverssl, SSL_SESSION **sess, int idx,
3435 size_t mdsize)
3436 {
3437 int artificial = (artificial_ticket_time > 0);
3438
3439 if (*sctx == NULL
3440 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3441 TLS_client_method(),
3442 TLS1_VERSION, 0,
3443 sctx, cctx, cert, privkey)))
3444 return 0;
3445
3446 if (artificial)
3447 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3448
3449 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3450 return 0;
3451
3452 if (idx == 1) {
3453 /* When idx == 1 we repeat the tests with read_ahead set */
3454 SSL_CTX_set_read_ahead(*cctx, 1);
3455 SSL_CTX_set_read_ahead(*sctx, 1);
3456 } else if (idx == 2) {
3457 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3458 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3459 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3460 use_session_cb_cnt = 0;
3461 find_session_cb_cnt = 0;
3462 srvid = pskid;
3463 }
3464
3465 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3466 NULL, NULL)))
3467 return 0;
3468
3469 /*
3470 * For one of the run throughs (doesn't matter which one), we'll try sending
3471 * some SNI data in the initial ClientHello. This will be ignored (because
3472 * there is no SNI cb set up by the server), so it should not impact
3473 * early_data.
3474 */
3475 if (idx == 1
3476 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3477 return 0;
3478
3479 if (idx == 2) {
3480 clientpsk = create_a_psk(*clientssl, mdsize);
3481 if (!TEST_ptr(clientpsk)
3482 /*
3483 * We just choose an arbitrary value for max_early_data which
3484 * should be big enough for testing purposes.
3485 */
3486 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3487 0x100))
3488 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3489 SSL_SESSION_free(clientpsk);
3490 clientpsk = NULL;
3491 return 0;
3492 }
3493 serverpsk = clientpsk;
3494
3495 if (sess != NULL) {
3496 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3497 SSL_SESSION_free(clientpsk);
3498 SSL_SESSION_free(serverpsk);
3499 clientpsk = serverpsk = NULL;
3500 return 0;
3501 }
3502 *sess = clientpsk;
3503 }
3504 return 1;
3505 }
3506
3507 if (sess == NULL)
3508 return 1;
3509
3510 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3511 SSL_ERROR_NONE)))
3512 return 0;
3513
3514 *sess = SSL_get1_session(*clientssl);
3515 SSL_shutdown(*clientssl);
3516 SSL_shutdown(*serverssl);
3517 SSL_free(*serverssl);
3518 SSL_free(*clientssl);
3519 *serverssl = *clientssl = NULL;
3520
3521 /*
3522 * Artificially give the ticket some age to match the artificial age we
3523 * gave it on the server side
3524 */
3525 if (artificial
3526 && !TEST_true(sub_session_time(*sess)))
3527 return 0;
3528
3529 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3530 clientssl, NULL, NULL))
3531 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3532 return 0;
3533
3534 return 1;
3535 }
3536
check_early_data_timeout(OSSL_TIME timer)3537 static int check_early_data_timeout(OSSL_TIME timer)
3538 {
3539 int res = 0;
3540
3541 /*
3542 * Early data is time sensitive. We have an approx 8 second allowance
3543 * between writing the early data and reading it. If we exceed that time
3544 * then this test will fail. This can sometimes (rarely) occur in normal CI
3545 * operation. We can try and detect this and just ignore the result of this
3546 * test if it has taken too long. We assume anything over 7 seconds is too
3547 * long
3548 */
3549 timer = ossl_time_subtract(ossl_time_now(), timer);
3550 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3551 res = TEST_skip("Test took too long, ignoring result");
3552
3553 return res;
3554 }
3555
test_early_data_read_write(int idx)3556 static int test_early_data_read_write(int idx)
3557 {
3558 SSL_CTX *cctx = NULL, *sctx = NULL;
3559 SSL *clientssl = NULL, *serverssl = NULL;
3560 int testresult = 0;
3561 SSL_SESSION *sess = NULL;
3562 unsigned char buf[20], data[1024];
3563 size_t readbytes, written, eoedlen, rawread, rawwritten;
3564 BIO *rbio;
3565 OSSL_TIME timer;
3566
3567 /* Artificially give the next 2 tickets some age for non PSK sessions */
3568 if (idx != 2)
3569 artificial_ticket_time = 2;
3570 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3571 &serverssl, &sess, idx,
3572 SHA384_DIGEST_LENGTH))) {
3573 artificial_ticket_time = 0;
3574 goto end;
3575 }
3576 artificial_ticket_time = 0;
3577
3578 /* Write and read some early data */
3579 timer = ossl_time_now();
3580 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3581 &written))
3582 || !TEST_size_t_eq(written, strlen(MSG1)))
3583 goto end;
3584
3585 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3586 &readbytes),
3587 SSL_READ_EARLY_DATA_SUCCESS)) {
3588 testresult = check_early_data_timeout(timer);
3589 goto end;
3590 }
3591
3592 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3593 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3594 SSL_EARLY_DATA_ACCEPTED))
3595 goto end;
3596
3597 /*
3598 * Server should be able to write data, and client should be able to
3599 * read it.
3600 */
3601 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3602 &written))
3603 || !TEST_size_t_eq(written, strlen(MSG2))
3604 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3605 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3606 goto end;
3607
3608 /* Even after reading normal data, client should be able write early data */
3609 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3610 &written))
3611 || !TEST_size_t_eq(written, strlen(MSG3)))
3612 goto end;
3613
3614 /* Server should still be able read early data after writing data */
3615 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3616 &readbytes),
3617 SSL_READ_EARLY_DATA_SUCCESS)
3618 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3619 goto end;
3620
3621 /* Write more data from server and read it from client */
3622 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3623 &written))
3624 || !TEST_size_t_eq(written, strlen(MSG4))
3625 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3626 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3627 goto end;
3628
3629 /*
3630 * If client writes normal data it should mean writing early data is no
3631 * longer possible.
3632 */
3633 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3634 || !TEST_size_t_eq(written, strlen(MSG5))
3635 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3636 SSL_EARLY_DATA_ACCEPTED))
3637 goto end;
3638
3639 /*
3640 * At this point the client has written EndOfEarlyData, ClientFinished and
3641 * normal (fully protected) data. We are going to cause a delay between the
3642 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3643 * in the read BIO, and then just put back the EndOfEarlyData message.
3644 */
3645 rbio = SSL_get_rbio(serverssl);
3646 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3647 || !TEST_size_t_lt(rawread, sizeof(data))
3648 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3649 goto end;
3650
3651 /* Record length is in the 4th and 5th bytes of the record header */
3652 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3653 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3654 || !TEST_size_t_eq(rawwritten, eoedlen))
3655 goto end;
3656
3657 /* Server should be told that there is no more early data */
3658 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3659 &readbytes),
3660 SSL_READ_EARLY_DATA_FINISH)
3661 || !TEST_size_t_eq(readbytes, 0))
3662 goto end;
3663
3664 /*
3665 * Server has not finished init yet, so should still be able to write early
3666 * data.
3667 */
3668 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3669 &written))
3670 || !TEST_size_t_eq(written, strlen(MSG6)))
3671 goto end;
3672
3673 /* Push the ClientFinished and the normal data back into the server rbio */
3674 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3675 &rawwritten))
3676 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3677 goto end;
3678
3679 /* Server should be able to read normal data */
3680 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3681 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3682 goto end;
3683
3684 /* Client and server should not be able to write/read early data now */
3685 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3686 &written)))
3687 goto end;
3688 ERR_clear_error();
3689 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3690 &readbytes),
3691 SSL_READ_EARLY_DATA_ERROR))
3692 goto end;
3693 ERR_clear_error();
3694
3695 /* Client should be able to read the data sent by the server */
3696 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3697 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3698 goto end;
3699
3700 /*
3701 * Make sure we process the two NewSessionTickets. These arrive
3702 * post-handshake. We attempt reads which we do not expect to return any
3703 * data.
3704 */
3705 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3706 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3707 &readbytes)))
3708 goto end;
3709
3710 /* Server should be able to write normal data */
3711 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3712 || !TEST_size_t_eq(written, strlen(MSG7))
3713 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3714 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3715 goto end;
3716
3717 SSL_SESSION_free(sess);
3718 sess = SSL_get1_session(clientssl);
3719 use_session_cb_cnt = 0;
3720 find_session_cb_cnt = 0;
3721
3722 SSL_shutdown(clientssl);
3723 SSL_shutdown(serverssl);
3724 SSL_free(serverssl);
3725 SSL_free(clientssl);
3726 serverssl = clientssl = NULL;
3727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3728 &clientssl, NULL, NULL))
3729 || !TEST_true(SSL_set_session(clientssl, sess)))
3730 goto end;
3731
3732 /* Write and read some early data */
3733 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3734 &written))
3735 || !TEST_size_t_eq(written, strlen(MSG1))
3736 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3737 &readbytes),
3738 SSL_READ_EARLY_DATA_SUCCESS)
3739 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3740 goto end;
3741
3742 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3743 || !TEST_int_gt(SSL_accept(serverssl), 0))
3744 goto end;
3745
3746 /* Client and server should not be able to write/read early data now */
3747 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3748 &written)))
3749 goto end;
3750 ERR_clear_error();
3751 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3752 &readbytes),
3753 SSL_READ_EARLY_DATA_ERROR))
3754 goto end;
3755 ERR_clear_error();
3756
3757 /* Client and server should be able to write/read normal data */
3758 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3759 || !TEST_size_t_eq(written, strlen(MSG5))
3760 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3762 goto end;
3763
3764 testresult = 1;
3765
3766 end:
3767 SSL_SESSION_free(sess);
3768 SSL_SESSION_free(clientpsk);
3769 SSL_SESSION_free(serverpsk);
3770 clientpsk = serverpsk = NULL;
3771 SSL_free(serverssl);
3772 SSL_free(clientssl);
3773 SSL_CTX_free(sctx);
3774 SSL_CTX_free(cctx);
3775 return testresult;
3776 }
3777
3778 static int allow_ed_cb_called = 0;
3779
allow_early_data_cb(SSL * s,void * arg)3780 static int allow_early_data_cb(SSL *s, void *arg)
3781 {
3782 int *usecb = (int *)arg;
3783
3784 allow_ed_cb_called++;
3785
3786 if (*usecb == 1)
3787 return 0;
3788
3789 return 1;
3790 }
3791
3792 /*
3793 * idx == 0: Standard early_data setup
3794 * idx == 1: early_data setup using read_ahead
3795 * usecb == 0: Don't use a custom early data callback
3796 * usecb == 1: Use a custom early data callback and reject the early data
3797 * usecb == 2: Use a custom early data callback and accept the early data
3798 * confopt == 0: Configure anti-replay directly
3799 * confopt == 1: Configure anti-replay using SSL_CONF
3800 */
test_early_data_replay_int(int idx,int usecb,int confopt)3801 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3802 {
3803 SSL_CTX *cctx = NULL, *sctx = NULL;
3804 SSL *clientssl = NULL, *serverssl = NULL;
3805 int testresult = 0;
3806 SSL_SESSION *sess = NULL;
3807 size_t readbytes, written;
3808 unsigned char buf[20];
3809 OSSL_TIME timer;
3810
3811 allow_ed_cb_called = 0;
3812
3813 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3814 TLS_client_method(), TLS1_VERSION, 0,
3815 &sctx, &cctx, cert, privkey)))
3816 return 0;
3817
3818 if (usecb > 0) {
3819 if (confopt == 0) {
3820 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3821 } else {
3822 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3823
3824 if (!TEST_ptr(confctx))
3825 goto end;
3826 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER);
3827 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3828 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3829 2)) {
3830 SSL_CONF_CTX_free(confctx);
3831 goto end;
3832 }
3833 SSL_CONF_CTX_free(confctx);
3834 }
3835 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3836 }
3837
3838 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3839 &serverssl, &sess, idx,
3840 SHA384_DIGEST_LENGTH)))
3841 goto end;
3842
3843 /*
3844 * The server is configured to accept early data. Create a connection to
3845 * "use up" the ticket
3846 */
3847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3848 || !TEST_true(SSL_session_reused(clientssl)))
3849 goto end;
3850
3851 SSL_shutdown(clientssl);
3852 SSL_shutdown(serverssl);
3853 SSL_free(serverssl);
3854 SSL_free(clientssl);
3855 serverssl = clientssl = NULL;
3856
3857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3858 &clientssl, NULL, NULL))
3859 || !TEST_true(SSL_set_session(clientssl, sess)))
3860 goto end;
3861
3862 /* Write and read some early data */
3863 timer = ossl_time_now();
3864 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3865 &written))
3866 || !TEST_size_t_eq(written, strlen(MSG1)))
3867 goto end;
3868
3869 if (usecb <= 1) {
3870 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3871 &readbytes),
3872 SSL_READ_EARLY_DATA_FINISH)
3873 /*
3874 * The ticket was reused, so the we should have rejected the
3875 * early data
3876 */
3877 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3878 SSL_EARLY_DATA_REJECTED))
3879 goto end;
3880 } else {
3881 /* In this case the callback decides to accept the early data */
3882 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3883 &readbytes),
3884 SSL_READ_EARLY_DATA_SUCCESS)) {
3885 testresult = check_early_data_timeout(timer);
3886 goto end;
3887 }
3888 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3889 /*
3890 * Server will have sent its flight so client can now send
3891 * end of early data and complete its half of the handshake
3892 */
3893 || !TEST_int_gt(SSL_connect(clientssl), 0)
3894 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3895 &readbytes),
3896 SSL_READ_EARLY_DATA_FINISH)
3897 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3898 SSL_EARLY_DATA_ACCEPTED))
3899 goto end;
3900 }
3901
3902 /* Complete the connection */
3903 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3904 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3905 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3906 goto end;
3907
3908 testresult = 1;
3909
3910 end:
3911 SSL_SESSION_free(sess);
3912 SSL_SESSION_free(clientpsk);
3913 SSL_SESSION_free(serverpsk);
3914 clientpsk = serverpsk = NULL;
3915 SSL_free(serverssl);
3916 SSL_free(clientssl);
3917 SSL_CTX_free(sctx);
3918 SSL_CTX_free(cctx);
3919 return testresult;
3920 }
3921
test_early_data_replay(int idx)3922 static int test_early_data_replay(int idx)
3923 {
3924 int ret = 1, usecb, confopt;
3925
3926 for (usecb = 0; usecb < 3; usecb++) {
3927 for (confopt = 0; confopt < 2; confopt++)
3928 ret &= test_early_data_replay_int(idx, usecb, confopt);
3929 }
3930
3931 return ret;
3932 }
3933
3934 static const char *ciphersuites[] = {
3935 "TLS_AES_128_CCM_8_SHA256",
3936 "TLS_AES_128_GCM_SHA256",
3937 "TLS_AES_256_GCM_SHA384",
3938 "TLS_AES_128_CCM_SHA256",
3939 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3940 "TLS_CHACHA20_POLY1305_SHA256",
3941 #else
3942 NULL,
3943 #endif
3944 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3945 "TLS_SHA256_SHA256",
3946 "TLS_SHA384_SHA384"
3947 #endif
3948 };
3949
3950 /*
3951 * Helper function to test that a server attempting to read early data can
3952 * handle a connection from a client where the early data should be skipped.
3953 * testtype: 0 == No HRR
3954 * testtype: 1 == HRR
3955 * testtype: 2 == HRR, invalid early_data sent after HRR
3956 * testtype: 3 == recv_max_early_data set to 0
3957 */
early_data_skip_helper(int testtype,int cipher,int idx)3958 static int early_data_skip_helper(int testtype, int cipher, int idx)
3959 {
3960 SSL_CTX *cctx = NULL, *sctx = NULL;
3961 SSL *clientssl = NULL, *serverssl = NULL;
3962 int testresult = 0;
3963 SSL_SESSION *sess = NULL;
3964 unsigned char buf[20];
3965 size_t readbytes, written;
3966
3967 if (is_fips && cipher >= 4)
3968 return 1;
3969
3970 if (ciphersuites[cipher] == NULL)
3971 return TEST_skip("Cipher not supported");
3972
3973 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3974 TLS_client_method(),
3975 TLS1_VERSION, 0,
3976 &sctx, &cctx, cert, privkey)))
3977 goto end;
3978
3979 if (cipher == 0 || cipher == 5 || cipher == 6) {
3980 SSL_CTX_set_security_level(sctx, 0);
3981 SSL_CTX_set_security_level(cctx, 0);
3982 }
3983
3984 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3985 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3986 goto end;
3987
3988 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3989 &serverssl, &sess, idx,
3990 (cipher == 2 || cipher == 6)
3991 ? SHA384_DIGEST_LENGTH
3992 : SHA256_DIGEST_LENGTH)))
3993 goto end;
3994
3995 if (testtype == 1 || testtype == 2) {
3996 /* Force an HRR to occur */
3997 #if defined(OPENSSL_NO_EC)
3998 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3999 goto end;
4000 #else
4001 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
4002 goto end;
4003 #endif
4004 } else if (idx == 2) {
4005 /*
4006 * We force early_data rejection by ensuring the PSK identity is
4007 * unrecognised
4008 */
4009 srvid = "Dummy Identity";
4010 } else {
4011 /*
4012 * Deliberately corrupt the creation time. We take 20 seconds off the
4013 * time. It could be any value as long as it is not within tolerance.
4014 * This should mean the ticket is rejected.
4015 */
4016 if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
4017 goto end;
4018 }
4019
4020 if (testtype == 3
4021 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4022 goto end;
4023
4024 /* Write some early data */
4025 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4026 &written))
4027 || !TEST_size_t_eq(written, strlen(MSG1)))
4028 goto end;
4029
4030 /* Server should reject the early data */
4031 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4032 &readbytes),
4033 SSL_READ_EARLY_DATA_FINISH)
4034 || !TEST_size_t_eq(readbytes, 0)
4035 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4036 SSL_EARLY_DATA_REJECTED))
4037 goto end;
4038
4039 switch (testtype) {
4040 case 0:
4041 /* Nothing to do */
4042 break;
4043
4044 case 1:
4045 /*
4046 * Finish off the handshake. We perform the same writes and reads as
4047 * further down but we expect them to fail due to the incomplete
4048 * handshake.
4049 */
4050 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4051 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4052 &readbytes)))
4053 goto end;
4054 break;
4055
4056 case 2: {
4057 BIO *wbio = SSL_get_wbio(clientssl);
4058 /* A record that will appear as bad early_data */
4059 const unsigned char bad_early_data[] = {
4060 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4061 };
4062
4063 /*
4064 * We force the client to attempt a write. This will fail because
4065 * we're still in the handshake. It will cause the second
4066 * ClientHello to be sent.
4067 */
4068 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4069 &written)))
4070 goto end;
4071
4072 /*
4073 * Inject some early_data after the second ClientHello. This should
4074 * cause the server to fail
4075 */
4076 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4077 sizeof(bad_early_data), &written)))
4078 goto end;
4079 }
4080 /* FALLTHROUGH */
4081
4082 case 3:
4083 /*
4084 * This client has sent more early_data than we are willing to skip
4085 * (case 3) or sent invalid early_data (case 2) so the connection should
4086 * abort.
4087 */
4088 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4089 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4090 goto end;
4091
4092 /* Connection has failed - nothing more to do */
4093 testresult = 1;
4094 goto end;
4095
4096 default:
4097 TEST_error("Invalid test type");
4098 goto end;
4099 }
4100
4101 ERR_clear_error();
4102 /*
4103 * Should be able to send normal data despite rejection of early data. The
4104 * early_data should be skipped.
4105 */
4106 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4107 || !TEST_size_t_eq(written, strlen(MSG2))
4108 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4109 SSL_EARLY_DATA_REJECTED)
4110 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4111 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4112 goto end;
4113
4114 /*
4115 * Failure to decrypt early data records should not leave spurious errors
4116 * on the error stack
4117 */
4118 if (!TEST_long_eq(ERR_peek_error(), 0))
4119 goto end;
4120
4121 testresult = 1;
4122
4123 end:
4124 SSL_SESSION_free(clientpsk);
4125 SSL_SESSION_free(serverpsk);
4126 clientpsk = serverpsk = NULL;
4127 SSL_SESSION_free(sess);
4128 SSL_free(serverssl);
4129 SSL_free(clientssl);
4130 SSL_CTX_free(sctx);
4131 SSL_CTX_free(cctx);
4132 return testresult;
4133 }
4134
4135 /*
4136 * Test that a server attempting to read early data can handle a connection
4137 * from a client where the early data is not acceptable.
4138 */
test_early_data_skip(int idx)4139 static int test_early_data_skip(int idx)
4140 {
4141 return early_data_skip_helper(0,
4142 idx % OSSL_NELEM(ciphersuites),
4143 idx / OSSL_NELEM(ciphersuites));
4144 }
4145
4146 /*
4147 * Test that a server attempting to read early data can handle a connection
4148 * from a client where an HRR occurs.
4149 */
test_early_data_skip_hrr(int idx)4150 static int test_early_data_skip_hrr(int idx)
4151 {
4152 return early_data_skip_helper(1,
4153 idx % OSSL_NELEM(ciphersuites),
4154 idx / OSSL_NELEM(ciphersuites));
4155 }
4156
4157 /*
4158 * Test that a server attempting to read early data can handle a connection
4159 * from a client where an HRR occurs and correctly fails if early_data is sent
4160 * after the HRR
4161 */
test_early_data_skip_hrr_fail(int idx)4162 static int test_early_data_skip_hrr_fail(int idx)
4163 {
4164 return early_data_skip_helper(2,
4165 idx % OSSL_NELEM(ciphersuites),
4166 idx / OSSL_NELEM(ciphersuites));
4167 }
4168
4169 /*
4170 * Test that a server attempting to read early data will abort if it tries to
4171 * skip over too much.
4172 */
test_early_data_skip_abort(int idx)4173 static int test_early_data_skip_abort(int idx)
4174 {
4175 return early_data_skip_helper(3,
4176 idx % OSSL_NELEM(ciphersuites),
4177 idx / OSSL_NELEM(ciphersuites));
4178 }
4179
4180 /*
4181 * Test that a server attempting to read early data can handle a connection
4182 * from a client that doesn't send any.
4183 */
test_early_data_not_sent(int idx)4184 static int test_early_data_not_sent(int idx)
4185 {
4186 SSL_CTX *cctx = NULL, *sctx = NULL;
4187 SSL *clientssl = NULL, *serverssl = NULL;
4188 int testresult = 0;
4189 SSL_SESSION *sess = NULL;
4190 unsigned char buf[20];
4191 size_t readbytes, written;
4192
4193 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4194 &serverssl, &sess, idx,
4195 SHA384_DIGEST_LENGTH)))
4196 goto end;
4197
4198 /* Write some data - should block due to handshake with server */
4199 SSL_set_connect_state(clientssl);
4200 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4201 goto end;
4202
4203 /* Server should detect that early data has not been sent */
4204 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4205 &readbytes),
4206 SSL_READ_EARLY_DATA_FINISH)
4207 || !TEST_size_t_eq(readbytes, 0)
4208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4209 SSL_EARLY_DATA_NOT_SENT)
4210 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4211 SSL_EARLY_DATA_NOT_SENT))
4212 goto end;
4213
4214 /* Continue writing the message we started earlier */
4215 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4216 || !TEST_size_t_eq(written, strlen(MSG1))
4217 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4218 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4219 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4220 || !TEST_size_t_eq(written, strlen(MSG2)))
4221 goto end;
4222
4223 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4224 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4225 goto end;
4226
4227 testresult = 1;
4228
4229 end:
4230 SSL_SESSION_free(sess);
4231 SSL_SESSION_free(clientpsk);
4232 SSL_SESSION_free(serverpsk);
4233 clientpsk = serverpsk = NULL;
4234 SSL_free(serverssl);
4235 SSL_free(clientssl);
4236 SSL_CTX_free(sctx);
4237 SSL_CTX_free(cctx);
4238 return testresult;
4239 }
4240
4241 static const char *servalpn;
4242
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)4243 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4244 unsigned char *outlen, const unsigned char *in,
4245 unsigned int inlen, void *arg)
4246 {
4247 unsigned int protlen = 0;
4248 const unsigned char *prot;
4249
4250 for (prot = in; prot < in + inlen; prot += protlen) {
4251 protlen = *prot++;
4252 if (in + inlen < prot + protlen)
4253 return SSL_TLSEXT_ERR_NOACK;
4254
4255 if (protlen == strlen(servalpn)
4256 && memcmp(prot, servalpn, protlen) == 0) {
4257 *out = prot;
4258 *outlen = protlen;
4259 return SSL_TLSEXT_ERR_OK;
4260 }
4261 }
4262
4263 return SSL_TLSEXT_ERR_NOACK;
4264 }
4265
4266 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)4267 static int test_early_data_psk(int idx)
4268 {
4269 SSL_CTX *cctx = NULL, *sctx = NULL;
4270 SSL *clientssl = NULL, *serverssl = NULL;
4271 int testresult = 0;
4272 SSL_SESSION *sess = NULL;
4273 unsigned char alpnlist[] = {
4274 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4275 'l', 'p', 'n'
4276 };
4277 #define GOODALPNLEN 9
4278 #define BADALPNLEN 8
4279 #define GOODALPN (alpnlist)
4280 #define BADALPN (alpnlist + GOODALPNLEN)
4281 int err = 0;
4282 unsigned char buf[20];
4283 size_t readbytes, written;
4284 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4285 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4286
4287 /* We always set this up with a final parameter of "2" for PSK */
4288 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4289 &serverssl, &sess, 2,
4290 SHA384_DIGEST_LENGTH)))
4291 goto end;
4292
4293 servalpn = "goodalpn";
4294
4295 /*
4296 * Note: There is no test for inconsistent SNI with late client detection.
4297 * This is because servers do not acknowledge SNI even if they are using
4298 * it in a resumption handshake - so it is not actually possible for a
4299 * client to detect a problem.
4300 */
4301 switch (idx) {
4302 case 0:
4303 /* Set inconsistent SNI (early client detection) */
4304 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4305 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4306 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4307 goto end;
4308 break;
4309
4310 case 1:
4311 /* Set inconsistent ALPN (early client detection) */
4312 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4313 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4314 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4315 GOODALPNLEN))
4316 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4317 BADALPNLEN)))
4318 goto end;
4319 break;
4320
4321 case 2:
4322 /*
4323 * Set invalid protocol version. Technically this affects PSKs without
4324 * early_data too, but we test it here because it is similar to the
4325 * SNI/ALPN consistency tests.
4326 */
4327 err = SSL_R_BAD_PSK;
4328 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4329 goto end;
4330 break;
4331
4332 case 3:
4333 /*
4334 * Set inconsistent SNI (server side). In this case the connection
4335 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4336 * is associated with each handshake - not the session. Therefore it
4337 * should not matter that we used a different server name last time.
4338 */
4339 SSL_SESSION_free(serverpsk);
4340 serverpsk = SSL_SESSION_dup(clientpsk);
4341 if (!TEST_ptr(serverpsk)
4342 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4343 goto end;
4344 /* Fall through */
4345 case 4:
4346 /* Set consistent SNI */
4347 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4348 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4349 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4350 hostname_cb)))
4351 goto end;
4352 break;
4353
4354 case 5:
4355 /*
4356 * Set inconsistent ALPN (server detected). In this case the connection
4357 * will succeed but reject early_data.
4358 */
4359 servalpn = "badalpn";
4360 edstatus = SSL_EARLY_DATA_REJECTED;
4361 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4362 /* Fall through */
4363 case 6:
4364 /*
4365 * Set consistent ALPN.
4366 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4367 * accepts a list of protos (each one length prefixed).
4368 * SSL_set1_alpn_selected accepts a single protocol (not length
4369 * prefixed)
4370 */
4371 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4372 GOODALPNLEN - 1))
4373 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4374 GOODALPNLEN)))
4375 goto end;
4376
4377 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4378 break;
4379
4380 case 7:
4381 /* Set inconsistent ALPN (late client detection) */
4382 SSL_SESSION_free(serverpsk);
4383 serverpsk = SSL_SESSION_dup(clientpsk);
4384 if (!TEST_ptr(serverpsk)
4385 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4386 BADALPN + 1,
4387 BADALPNLEN - 1))
4388 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4389 GOODALPN + 1,
4390 GOODALPNLEN - 1))
4391 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4392 sizeof(alpnlist))))
4393 goto end;
4394 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4395 edstatus = SSL_EARLY_DATA_ACCEPTED;
4396 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4397 /* SSL_connect() call should fail */
4398 connectres = -1;
4399 break;
4400
4401 default:
4402 TEST_error("Bad test index");
4403 goto end;
4404 }
4405
4406 SSL_set_connect_state(clientssl);
4407 if (err != 0) {
4408 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4409 &written))
4410 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4411 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4412 goto end;
4413 } else {
4414 OSSL_TIME timer = ossl_time_now();
4415
4416 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4417 &written)))
4418 goto end;
4419
4420 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4421 &readbytes),
4422 readearlyres)) {
4423 testresult = check_early_data_timeout(timer);
4424 goto end;
4425 }
4426
4427 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4428 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4429 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4430 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4431 goto end;
4432 }
4433
4434 testresult = 1;
4435
4436 end:
4437 SSL_SESSION_free(sess);
4438 SSL_SESSION_free(clientpsk);
4439 SSL_SESSION_free(serverpsk);
4440 clientpsk = serverpsk = NULL;
4441 SSL_free(serverssl);
4442 SSL_free(clientssl);
4443 SSL_CTX_free(sctx);
4444 SSL_CTX_free(cctx);
4445 return testresult;
4446 }
4447
4448 /*
4449 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
4450 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4451 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4452 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4453 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4454 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4455 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4456 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
4457 */
test_early_data_psk_with_all_ciphers(int idx)4458 static int test_early_data_psk_with_all_ciphers(int idx)
4459 {
4460 SSL_CTX *cctx = NULL, *sctx = NULL;
4461 SSL *clientssl = NULL, *serverssl = NULL;
4462 int testresult = 0;
4463 SSL_SESSION *sess = NULL;
4464 unsigned char buf[20];
4465 size_t readbytes, written;
4466 const SSL_CIPHER *cipher;
4467 OSSL_TIME timer;
4468 const char *cipher_str[] = {
4469 TLS1_3_RFC_AES_128_GCM_SHA256,
4470 TLS1_3_RFC_AES_256_GCM_SHA384,
4471 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4472 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4473 #else
4474 NULL,
4475 #endif
4476 TLS1_3_RFC_AES_128_CCM_SHA256,
4477 TLS1_3_RFC_AES_128_CCM_8_SHA256,
4478 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4479 TLS1_3_RFC_SHA256_SHA256,
4480 TLS1_3_RFC_SHA384_SHA384
4481 #else
4482 NULL,
4483 NULL
4484 #endif
4485 };
4486 const unsigned char *cipher_bytes[] = {
4487 TLS13_AES_128_GCM_SHA256_BYTES,
4488 TLS13_AES_256_GCM_SHA384_BYTES,
4489 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4490 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4491 #else
4492 NULL,
4493 #endif
4494 TLS13_AES_128_CCM_SHA256_BYTES,
4495 TLS13_AES_128_CCM_8_SHA256_BYTES,
4496 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4497 TLS13_SHA256_SHA256_BYTES,
4498 TLS13_SHA384_SHA384_BYTES
4499 #else
4500 NULL,
4501 NULL
4502 #endif
4503 };
4504
4505 if (cipher_str[idx] == NULL)
4506 return 1;
4507 /*
4508 * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4509 * as currently FIPS module does not support them.
4510 */
4511 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
4512 return 1;
4513
4514 /* We always set this up with a final parameter of "2" for PSK */
4515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4516 &serverssl, &sess, 2,
4517 SHA384_DIGEST_LENGTH)))
4518 goto end;
4519
4520 if (idx == 4 || idx == 5 || idx == 6) {
4521 /*
4522 * CCM8 ciphers are considered low security due to their short tag.
4523 * Integrity-only cipher do not provide any confidentiality.
4524 */
4525 SSL_set_security_level(clientssl, 0);
4526 SSL_set_security_level(serverssl, 0);
4527 }
4528
4529 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4530 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4531 goto end;
4532
4533 /*
4534 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4535 * and assigns to both client and server with incremented reference
4536 * and the same instance is updated in 'sess'.
4537 * So updating ciphersuite in 'sess' which will get reflected in
4538 * PSK handshake using psk use sess and find sess cb.
4539 */
4540 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4541 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4542 goto end;
4543
4544 SSL_set_connect_state(clientssl);
4545 timer = ossl_time_now();
4546 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4547 &written)))
4548 goto end;
4549
4550 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4551 &readbytes),
4552 SSL_READ_EARLY_DATA_SUCCESS)) {
4553 testresult = check_early_data_timeout(timer);
4554 goto end;
4555 }
4556
4557 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4558 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4559 SSL_EARLY_DATA_ACCEPTED)
4560 || !TEST_int_eq(SSL_connect(clientssl), 1)
4561 || !TEST_int_eq(SSL_accept(serverssl), 1))
4562 goto end;
4563
4564 /* Send some normal data from client to server */
4565 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4566 || !TEST_size_t_eq(written, strlen(MSG2)))
4567 goto end;
4568
4569 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4570 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4571 goto end;
4572
4573 testresult = 1;
4574 end:
4575 SSL_SESSION_free(sess);
4576 SSL_SESSION_free(clientpsk);
4577 SSL_SESSION_free(serverpsk);
4578 clientpsk = serverpsk = NULL;
4579 if (clientssl != NULL)
4580 SSL_shutdown(clientssl);
4581 if (serverssl != NULL)
4582 SSL_shutdown(serverssl);
4583 SSL_free(serverssl);
4584 SSL_free(clientssl);
4585 SSL_CTX_free(sctx);
4586 SSL_CTX_free(cctx);
4587 return testresult;
4588 }
4589
4590 /*
4591 * Test that a server that doesn't try to read early data can handle a
4592 * client sending some.
4593 */
test_early_data_not_expected(int idx)4594 static int test_early_data_not_expected(int idx)
4595 {
4596 SSL_CTX *cctx = NULL, *sctx = NULL;
4597 SSL *clientssl = NULL, *serverssl = NULL;
4598 int testresult = 0;
4599 SSL_SESSION *sess = NULL;
4600 unsigned char buf[20];
4601 size_t readbytes, written;
4602
4603 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4604 &serverssl, &sess, idx,
4605 SHA384_DIGEST_LENGTH)))
4606 goto end;
4607
4608 /* Write some early data */
4609 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4610 &written)))
4611 goto end;
4612
4613 /*
4614 * Server should skip over early data and then block waiting for client to
4615 * continue handshake
4616 */
4617 if (!TEST_int_le(SSL_accept(serverssl), 0)
4618 || !TEST_int_gt(SSL_connect(clientssl), 0)
4619 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4620 SSL_EARLY_DATA_REJECTED)
4621 || !TEST_int_gt(SSL_accept(serverssl), 0)
4622 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4623 SSL_EARLY_DATA_REJECTED))
4624 goto end;
4625
4626 /* Send some normal data from client to server */
4627 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4628 || !TEST_size_t_eq(written, strlen(MSG2)))
4629 goto end;
4630
4631 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4632 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4633 goto end;
4634
4635 testresult = 1;
4636
4637 end:
4638 SSL_SESSION_free(sess);
4639 SSL_SESSION_free(clientpsk);
4640 SSL_SESSION_free(serverpsk);
4641 clientpsk = serverpsk = NULL;
4642 SSL_free(serverssl);
4643 SSL_free(clientssl);
4644 SSL_CTX_free(sctx);
4645 SSL_CTX_free(cctx);
4646 return testresult;
4647 }
4648
4649 #ifndef OPENSSL_NO_TLS1_2
4650 /*
4651 * Test that a server attempting to read early data can handle a connection
4652 * from a TLSv1.2 client.
4653 */
test_early_data_tls1_2(int idx)4654 static int test_early_data_tls1_2(int idx)
4655 {
4656 SSL_CTX *cctx = NULL, *sctx = NULL;
4657 SSL *clientssl = NULL, *serverssl = NULL;
4658 int testresult = 0;
4659 unsigned char buf[20];
4660 size_t readbytes, written;
4661
4662 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4663 &serverssl, NULL, idx,
4664 SHA384_DIGEST_LENGTH)))
4665 goto end;
4666
4667 /* Write some data - should block due to handshake with server */
4668 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4669 SSL_set_connect_state(clientssl);
4670 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4671 goto end;
4672
4673 /*
4674 * Server should do TLSv1.2 handshake. First it will block waiting for more
4675 * messages from client after ServerDone. Then SSL_read_early_data should
4676 * finish and detect that early data has not been sent
4677 */
4678 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4679 &readbytes),
4680 SSL_READ_EARLY_DATA_ERROR))
4681 goto end;
4682
4683 /*
4684 * Continue writing the message we started earlier. Will still block waiting
4685 * for the CCS/Finished from server
4686 */
4687 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4688 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4689 &readbytes),
4690 SSL_READ_EARLY_DATA_FINISH)
4691 || !TEST_size_t_eq(readbytes, 0)
4692 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4693 SSL_EARLY_DATA_NOT_SENT))
4694 goto end;
4695
4696 /* Continue writing the message we started earlier */
4697 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4698 || !TEST_size_t_eq(written, strlen(MSG1))
4699 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4700 SSL_EARLY_DATA_NOT_SENT)
4701 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4702 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4703 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4704 || !TEST_size_t_eq(written, strlen(MSG2))
4705 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4706 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4707 goto end;
4708
4709 testresult = 1;
4710
4711 end:
4712 SSL_SESSION_free(clientpsk);
4713 SSL_SESSION_free(serverpsk);
4714 clientpsk = serverpsk = NULL;
4715 SSL_free(serverssl);
4716 SSL_free(clientssl);
4717 SSL_CTX_free(sctx);
4718 SSL_CTX_free(cctx);
4719
4720 return testresult;
4721 }
4722 #endif /* OPENSSL_NO_TLS1_2 */
4723
4724 /*
4725 * Test configuring the TLSv1.3 ciphersuites
4726 *
4727 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4728 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4729 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4730 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4731 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4732 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4733 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4734 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4735 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4736 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4737 */
test_set_ciphersuite(int idx)4738 static int test_set_ciphersuite(int idx)
4739 {
4740 SSL_CTX *cctx = NULL, *sctx = NULL;
4741 SSL *clientssl = NULL, *serverssl = NULL;
4742 int testresult = 0;
4743
4744 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4745 TLS_client_method(), TLS1_VERSION, 0,
4746 &sctx, &cctx, cert, privkey))
4747 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4748 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4749 goto end;
4750
4751 if (idx >= 4 && idx <= 7) {
4752 /* SSL_CTX explicit cipher list */
4753 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4754 goto end;
4755 }
4756
4757 if (idx == 0 || idx == 4) {
4758 /* Default ciphersuite */
4759 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4760 "TLS_AES_128_GCM_SHA256")))
4761 goto end;
4762 } else if (idx == 1 || idx == 5) {
4763 /* Non default ciphersuite */
4764 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4765 "TLS_AES_128_CCM_SHA256")))
4766 goto end;
4767 }
4768
4769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4770 &clientssl, NULL, NULL)))
4771 goto end;
4772
4773 if (idx == 8 || idx == 9) {
4774 /* SSL explicit cipher list */
4775 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4776 goto end;
4777 }
4778
4779 if (idx == 2 || idx == 6 || idx == 8) {
4780 /* Default ciphersuite */
4781 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4782 "TLS_AES_128_GCM_SHA256")))
4783 goto end;
4784 } else if (idx == 3 || idx == 7 || idx == 9) {
4785 /* Non default ciphersuite */
4786 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4787 "TLS_AES_128_CCM_SHA256")))
4788 goto end;
4789 }
4790
4791 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4792 goto end;
4793
4794 testresult = 1;
4795
4796 end:
4797 SSL_free(serverssl);
4798 SSL_free(clientssl);
4799 SSL_CTX_free(sctx);
4800 SSL_CTX_free(cctx);
4801
4802 return testresult;
4803 }
4804
test_ciphersuite_change(void)4805 static int test_ciphersuite_change(void)
4806 {
4807 SSL_CTX *cctx = NULL, *sctx = NULL;
4808 SSL *clientssl = NULL, *serverssl = NULL;
4809 SSL_SESSION *clntsess = NULL;
4810 int testresult = 0;
4811 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4812
4813 /* Create a session based on SHA-256 */
4814 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4815 TLS_client_method(), TLS1_VERSION, 0,
4816 &sctx, &cctx, cert, privkey))
4817 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4818 "TLS_AES_128_GCM_SHA256:"
4819 "TLS_AES_256_GCM_SHA384:"
4820 "TLS_AES_128_CCM_SHA256"))
4821 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4822 "TLS_AES_128_GCM_SHA256")))
4823 goto end;
4824
4825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4826 NULL, NULL))
4827 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4828 SSL_ERROR_NONE)))
4829 goto end;
4830
4831 clntsess = SSL_get1_session(clientssl);
4832 /* Save for later */
4833 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4834 SSL_shutdown(clientssl);
4835 SSL_shutdown(serverssl);
4836 SSL_free(serverssl);
4837 SSL_free(clientssl);
4838 serverssl = clientssl = NULL;
4839
4840 /* Check we can resume a session with a different SHA-256 ciphersuite */
4841 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4842 "TLS_AES_128_CCM_SHA256"))
4843 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4844 &clientssl, NULL, NULL))
4845 || !TEST_true(SSL_set_session(clientssl, clntsess))
4846 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4847 SSL_ERROR_NONE))
4848 || !TEST_true(SSL_session_reused(clientssl)))
4849 goto end;
4850
4851 SSL_SESSION_free(clntsess);
4852 clntsess = SSL_get1_session(clientssl);
4853 SSL_shutdown(clientssl);
4854 SSL_shutdown(serverssl);
4855 SSL_free(serverssl);
4856 SSL_free(clientssl);
4857 serverssl = clientssl = NULL;
4858
4859 /*
4860 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4861 * succeeds but does not resume.
4862 */
4863 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4865 NULL, NULL))
4866 || !TEST_true(SSL_set_session(clientssl, clntsess))
4867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4868 SSL_ERROR_SSL))
4869 || !TEST_false(SSL_session_reused(clientssl)))
4870 goto end;
4871
4872 SSL_SESSION_free(clntsess);
4873 clntsess = NULL;
4874 SSL_shutdown(clientssl);
4875 SSL_shutdown(serverssl);
4876 SSL_free(serverssl);
4877 SSL_free(clientssl);
4878 serverssl = clientssl = NULL;
4879
4880 /* Create a session based on SHA384 */
4881 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4882 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4883 &clientssl, NULL, NULL))
4884 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4885 SSL_ERROR_NONE)))
4886 goto end;
4887
4888 clntsess = SSL_get1_session(clientssl);
4889 SSL_shutdown(clientssl);
4890 SSL_shutdown(serverssl);
4891 SSL_free(serverssl);
4892 SSL_free(clientssl);
4893 serverssl = clientssl = NULL;
4894
4895 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4896 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4897 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4898 "TLS_AES_256_GCM_SHA384"))
4899 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4900 NULL, NULL))
4901 || !TEST_true(SSL_set_session(clientssl, clntsess))
4902 /*
4903 * We use SSL_ERROR_WANT_READ below so that we can pause the
4904 * connection after the initial ClientHello has been sent to
4905 * enable us to make some session changes.
4906 */
4907 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4908 SSL_ERROR_WANT_READ)))
4909 goto end;
4910
4911 /* Trick the client into thinking this session is for a different digest */
4912 clntsess->cipher = aes_128_gcm_sha256;
4913 clntsess->cipher_id = clntsess->cipher->id;
4914
4915 /*
4916 * Continue the previously started connection. Server has selected a SHA-384
4917 * ciphersuite, but client thinks the session is for SHA-256, so it should
4918 * bail out.
4919 */
4920 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4921 SSL_ERROR_SSL))
4922 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4923 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4924 goto end;
4925
4926 testresult = 1;
4927
4928 end:
4929 SSL_SESSION_free(clntsess);
4930 SSL_free(serverssl);
4931 SSL_free(clientssl);
4932 SSL_CTX_free(sctx);
4933 SSL_CTX_free(cctx);
4934
4935 return testresult;
4936 }
4937
4938 /*
4939 * Test TLSv1.3 Key exchange
4940 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4941 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4942 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4943 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4944 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4945 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4946 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4947 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4948 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4949 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4950 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4951 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4952 * Test 12 = Test all ML-KEM with TLSv1.3 client and server
4953 * Test 13 = Test MLKEM512
4954 * Test 14 = Test MLKEM768
4955 * Test 15 = Test MLKEM1024
4956 * Test 16 = Test X25519MLKEM768
4957 * Test 17 = Test SecP256r1MLKEM768
4958 * Test 18 = Test SecP384r1MLKEM1024
4959 * Test 19 = Test all ML-KEM with TLSv1.2 client and server
4960 * Test 20 = Test all FFDHE with TLSv1.2 client and server
4961 * Test 21 = Test all ECDHE with TLSv1.2 client and server
4962 */
4963 #ifndef OPENSSL_NO_EC
4964 static int ecdhe_kexch_groups[] = { NID_X9_62_prime256v1, NID_secp384r1,
4965 NID_secp521r1,
4966 #ifndef OPENSSL_NO_ECX
4967 NID_X25519, NID_X448
4968 #endif
4969 };
4970 #endif
4971 #ifndef OPENSSL_NO_DH
4972 static int ffdhe_kexch_groups[] = { NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4973 NID_ffdhe6144, NID_ffdhe8192 };
4974 #endif
test_key_exchange(int idx)4975 static int test_key_exchange(int idx)
4976 {
4977 SSL_CTX *sctx = NULL, *cctx = NULL;
4978 SSL *serverssl = NULL, *clientssl = NULL;
4979 int testresult = 0;
4980 int kexch_alg = NID_undef;
4981 int *kexch_groups = &kexch_alg;
4982 int kexch_groups_size = 1;
4983 int max_version = TLS1_3_VERSION;
4984 char *kexch_name0 = NULL;
4985 const char *kexch_names = NULL;
4986 int shared_group0;
4987
4988 switch (idx) {
4989 #ifndef OPENSSL_NO_EC
4990 #ifndef OPENSSL_NO_TLS1_2
4991 case 21:
4992 max_version = TLS1_2_VERSION;
4993 #endif
4994 /* Fall through */
4995 case 0:
4996 kexch_groups = ecdhe_kexch_groups;
4997 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4998 kexch_name0 = "secp256r1";
4999 break;
5000 case 1:
5001 kexch_alg = NID_X9_62_prime256v1;
5002 kexch_name0 = "secp256r1";
5003 break;
5004 case 2:
5005 kexch_alg = NID_secp384r1;
5006 kexch_name0 = "secp384r1";
5007 break;
5008 case 3:
5009 kexch_alg = NID_secp521r1;
5010 kexch_name0 = "secp521r1";
5011 break;
5012 #ifndef OPENSSL_NO_ECX
5013 case 4:
5014 if (is_fips)
5015 return TEST_skip("X25519 might not be supported by fips provider.");
5016 kexch_alg = NID_X25519;
5017 kexch_name0 = "x25519";
5018 break;
5019 case 5:
5020 if (is_fips)
5021 return TEST_skip("X448 might not be supported by fips provider.");
5022 kexch_alg = NID_X448;
5023 kexch_name0 = "x448";
5024 break;
5025 #endif
5026 #endif
5027 #ifndef OPENSSL_NO_DH
5028 #ifndef OPENSSL_NO_TLS1_2
5029 case 20:
5030 max_version = TLS1_2_VERSION;
5031 kexch_name0 = "ffdhe2048";
5032 #endif
5033 /* Fall through */
5034 case 6:
5035 kexch_groups = ffdhe_kexch_groups;
5036 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5037 kexch_name0 = "ffdhe2048";
5038 break;
5039 case 7:
5040 kexch_alg = NID_ffdhe2048;
5041 kexch_name0 = "ffdhe2048";
5042 break;
5043 case 8:
5044 kexch_alg = NID_ffdhe3072;
5045 kexch_name0 = "ffdhe3072";
5046 break;
5047 case 9:
5048 kexch_alg = NID_ffdhe4096;
5049 kexch_name0 = "ffdhe4096";
5050 break;
5051 case 10:
5052 kexch_alg = NID_ffdhe6144;
5053 kexch_name0 = "ffdhe6144";
5054 break;
5055 case 11:
5056 kexch_alg = NID_ffdhe8192;
5057 kexch_name0 = "ffdhe8192";
5058 break;
5059 #endif
5060 #ifndef OPENSSL_NO_ML_KEM
5061 #if !defined(OPENSSL_NO_TLS1_2)
5062 case 19:
5063 max_version = TLS1_2_VERSION;
5064 #if !defined(OPENSSL_NO_EC)
5065 /* Set at least one EC group so the handshake completes */
5066 kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
5067 #elif !defined(OPENSSL_NO_DH)
5068 kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5069 #else
5070 /* With neither EC nor DH TLS 1.2 can't happen */
5071 return 1;
5072 #endif
5073 #endif
5074 /* Fall through */
5075 case 12:
5076 kexch_groups = NULL;
5077 if (kexch_names == NULL)
5078 kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5079 kexch_name0 = "MLKEM512";
5080 break;
5081 case 13:
5082 kexch_groups = NULL;
5083 kexch_name0 = "MLKEM512";
5084 kexch_names = kexch_name0;
5085 break;
5086 case 14:
5087 kexch_groups = NULL;
5088 kexch_name0 = "MLKEM768";
5089 kexch_names = kexch_name0;
5090 break;
5091 case 15:
5092 kexch_groups = NULL;
5093 kexch_name0 = "MLKEM1024";
5094 kexch_names = kexch_name0;
5095 break;
5096 #ifndef OPENSSL_NO_EC
5097 #ifndef OPENSSL_NO_ECX
5098 case 16:
5099 kexch_groups = NULL;
5100 kexch_name0 = "X25519MLKEM768";
5101 kexch_names = kexch_name0;
5102 break;
5103 #endif
5104 case 17:
5105 kexch_groups = NULL;
5106 kexch_name0 = "SecP256r1MLKEM768";
5107 kexch_names = kexch_name0;
5108 break;
5109 case 18:
5110 kexch_groups = NULL;
5111 kexch_name0 = "SecP384r1MLKEM1024";
5112 kexch_names = kexch_name0;
5113 break;
5114 #endif
5115 #endif
5116 default:
5117 /* We're skipping this test */
5118 return 1;
5119 }
5120
5121 if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
5122 && idx >= 12 && idx <= 19)
5123 return TEST_skip("ML-KEM not supported in this version of fips provider");
5124
5125 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5126 TLS_client_method(), TLS1_VERSION,
5127 max_version, &sctx, &cctx, cert,
5128 privkey)))
5129 goto end;
5130
5131 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5132 TLS1_3_RFC_AES_128_GCM_SHA256)))
5133 goto end;
5134
5135 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5136 TLS1_3_RFC_AES_128_GCM_SHA256)))
5137 goto end;
5138
5139 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5140 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5141 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5142 goto end;
5143
5144 /*
5145 * Must include an EC ciphersuite so that we send supported groups in
5146 * TLSv1.2
5147 */
5148 #ifndef OPENSSL_NO_TLS1_2
5149 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5150 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5151 goto end;
5152 #endif
5153
5154 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5155 NULL, NULL)))
5156 goto end;
5157
5158 if (kexch_groups != NULL) {
5159 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5160 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5161 goto end;
5162 } else {
5163 if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
5164 || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
5165 goto end;
5166 }
5167
5168 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5169 goto end;
5170
5171 /*
5172 * If the handshake succeeds the negotiated kexch alg should be the first
5173 * one in configured, except in the case of "all" FFDHE and "all" ML-KEM
5174 * groups (idx == 19, 20), which are TLSv1.3 only so we expect no shared
5175 * group to exist.
5176 */
5177 shared_group0 = SSL_get_shared_group(serverssl, 0);
5178 switch (idx) {
5179 case 19:
5180 #if !defined(OPENSSL_NO_EC)
5181 /* MLKEM + TLS 1.2 and no DH => "secp526r1" */
5182 if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
5183 goto end;
5184 break;
5185 #endif
5186 /* Fall through */
5187 case 20:
5188 if (!TEST_int_eq(shared_group0, 0))
5189 goto end;
5190 break;
5191 default:
5192 if (kexch_groups != NULL
5193 && !TEST_int_eq(shared_group0, kexch_groups[0]))
5194 goto end;
5195 if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
5196 kexch_name0))
5197 goto end;
5198 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5199 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5200 goto end;
5201 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
5202 goto end;
5203 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
5204 goto end;
5205 break;
5206 }
5207
5208 testresult = 1;
5209 end:
5210 SSL_free(serverssl);
5211 SSL_free(clientssl);
5212 SSL_CTX_free(sctx);
5213 SSL_CTX_free(cctx);
5214 return testresult;
5215 }
5216
5217 #if !defined(OPENSSL_NO_TLS1_2) \
5218 && !defined(OPENSSL_NO_EC) \
5219 && !defined(OPENSSL_NO_DH)
set_ssl_groups(SSL * serverssl,SSL * clientssl,int clientmulti,int isecdhe,int idx)5220 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5221 int isecdhe, int idx)
5222 {
5223 int kexch_alg;
5224 int *kexch_groups = &kexch_alg;
5225 int numec, numff;
5226
5227 numec = OSSL_NELEM(ecdhe_kexch_groups);
5228 numff = OSSL_NELEM(ffdhe_kexch_groups);
5229 if (isecdhe)
5230 kexch_alg = ecdhe_kexch_groups[idx];
5231 else
5232 kexch_alg = ffdhe_kexch_groups[idx];
5233
5234 if (clientmulti) {
5235 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5236 return 0;
5237 if (isecdhe) {
5238 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5239 numec)))
5240 return 0;
5241 } else {
5242 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5243 numff)))
5244 return 0;
5245 }
5246 } else {
5247 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5248 return 0;
5249 if (isecdhe) {
5250 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5251 numec)))
5252 return 0;
5253 } else {
5254 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5255 numff)))
5256 return 0;
5257 }
5258 }
5259 return 1;
5260 }
5261
5262 /*-
5263 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5264 * Run through both the ECDHE and FFDHE group lists used in the previous
5265 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5266 * confirming the expected result; then perform a resumption handshake
5267 * while offering the same group list, and another resumption handshake
5268 * offering a different group list. The returned value should be the
5269 * negotiated group for the initial handshake; for TLS 1.3 resumption
5270 * handshakes the returned value will be negotiated on the resumption
5271 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5272 * be cached in the session from the original handshake, regardless of what
5273 * was offered in the resumption ClientHello.
5274 *
5275 * Using E for the number of EC groups and F for the number of FF groups:
5276 * E tests of ECDHE with TLS 1.3, server only has one group
5277 * F tests of FFDHE with TLS 1.3, server only has one group
5278 * E tests of ECDHE with TLS 1.2, server only has one group
5279 * F tests of FFDHE with TLS 1.2, server only has one group
5280 * E tests of ECDHE with TLS 1.3, client sends only one group
5281 * F tests of FFDHE with TLS 1.3, client sends only one group
5282 * E tests of ECDHE with TLS 1.2, client sends only one group
5283 * F tests of FFDHE with TLS 1.2, client sends only one group
5284 */
test_negotiated_group(int idx)5285 static int test_negotiated_group(int idx)
5286 {
5287 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5288 int expectednid;
5289 SSL_CTX *sctx = NULL, *cctx = NULL;
5290 SSL *serverssl = NULL, *clientssl = NULL;
5291 SSL_SESSION *origsess = NULL;
5292 int testresult = 0;
5293 int kexch_alg;
5294 int max_version = TLS1_3_VERSION;
5295
5296 numec = OSSL_NELEM(ecdhe_kexch_groups);
5297 numff = OSSL_NELEM(ffdhe_kexch_groups);
5298 numgroups = numec + numff;
5299 clientmulti = (idx < 2 * numgroups);
5300 idx = idx % (2 * numgroups);
5301 istls13 = (idx < numgroups);
5302 idx = idx % numgroups;
5303 isecdhe = (idx < numec);
5304 if (!isecdhe)
5305 idx -= numec;
5306 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5307 if (isecdhe)
5308 kexch_alg = ecdhe_kexch_groups[idx];
5309 else
5310 kexch_alg = ffdhe_kexch_groups[idx];
5311 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5312 if (!istls13 && !isecdhe)
5313 expectednid = NID_undef;
5314 else
5315 expectednid = kexch_alg;
5316
5317 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5318 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5319
5320 if (!istls13)
5321 max_version = TLS1_2_VERSION;
5322
5323 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5324 TLS_client_method(), TLS1_VERSION,
5325 max_version, &sctx, &cctx, cert,
5326 privkey)))
5327 goto end;
5328
5329 /*
5330 * Force (EC)DHE ciphers for TLS 1.2.
5331 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5332 */
5333 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5334 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5335 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5336 goto end;
5337 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5338 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5339 goto end;
5340
5341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5342 NULL, NULL)))
5343 goto end;
5344
5345 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5346 idx)))
5347 goto end;
5348
5349 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5350 goto end;
5351
5352 /* Initial handshake; always the configured one */
5353 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5354 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5355 goto end;
5356
5357 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5358 goto end;
5359
5360 SSL_shutdown(clientssl);
5361 SSL_shutdown(serverssl);
5362 SSL_free(serverssl);
5363 SSL_free(clientssl);
5364 serverssl = clientssl = NULL;
5365
5366 /* First resumption attempt; use the same config as initial handshake */
5367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5368 NULL, NULL))
5369 || !TEST_true(SSL_set_session(clientssl, origsess))
5370 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5371 isecdhe, idx)))
5372 goto end;
5373
5374 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5375 || !TEST_true(SSL_session_reused(clientssl)))
5376 goto end;
5377
5378 /* Still had better agree, since nothing changed... */
5379 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5380 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5381 goto end;
5382
5383 SSL_shutdown(clientssl);
5384 SSL_shutdown(serverssl);
5385 SSL_free(serverssl);
5386 SSL_free(clientssl);
5387 serverssl = clientssl = NULL;
5388
5389 /*-
5390 * Second resumption attempt
5391 * The party that picks one group changes it, which we effectuate by
5392 * changing 'idx' and updating what we expect.
5393 */
5394 if (idx == 0)
5395 idx = 1;
5396 else
5397 idx--;
5398 if (istls13) {
5399 if (isecdhe)
5400 expectednid = ecdhe_kexch_groups[idx];
5401 else
5402 expectednid = ffdhe_kexch_groups[idx];
5403 /* Verify that we are changing what we expect. */
5404 if (!TEST_int_ne(expectednid, kexch_alg))
5405 goto end;
5406 } else {
5407 /* TLS 1.2 only supports named groups for ECDHE. */
5408 if (isecdhe)
5409 expectednid = kexch_alg;
5410 else
5411 expectednid = 0;
5412 }
5413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5414 NULL, NULL))
5415 || !TEST_true(SSL_set_session(clientssl, origsess))
5416 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5417 isecdhe, idx)))
5418 goto end;
5419
5420 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5421 || !TEST_true(SSL_session_reused(clientssl)))
5422 goto end;
5423
5424 /* Check that we get what we expected */
5425 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5426 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5427 goto end;
5428
5429 testresult = 1;
5430 end:
5431 SSL_free(serverssl);
5432 SSL_free(clientssl);
5433 SSL_CTX_free(sctx);
5434 SSL_CTX_free(cctx);
5435 SSL_SESSION_free(origsess);
5436 return testresult;
5437 }
5438 #endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5439
5440 /*
5441 * Test TLSv1.3 Cipher Suite
5442 * Test 0 = Set TLS1.3 cipher on context
5443 * Test 1 = Set TLS1.3 cipher on SSL
5444 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5445 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5446 */
test_tls13_ciphersuite(int idx)5447 static int test_tls13_ciphersuite(int idx)
5448 {
5449 SSL_CTX *sctx = NULL, *cctx = NULL;
5450 SSL *serverssl = NULL, *clientssl = NULL;
5451 static const struct {
5452 const char *ciphername;
5453 int fipscapable;
5454 int low_security;
5455 } t13_ciphers[] = {
5456 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5457 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5458 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5459 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5460 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5461 { TLS1_3_RFC_AES_256_GCM_SHA384
5462 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
5463 0, 0 },
5464 #endif
5465 /* CCM8 ciphers are considered low security due to their short tag */
5466 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5467 ":" TLS1_3_RFC_AES_128_CCM_SHA256,
5468 1, 1 },
5469 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5470 /* Integrity-only cipher do not provide any confidentiality */
5471 { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5472 { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5473 #endif
5474 };
5475 const char *t13_cipher = NULL;
5476 const char *t12_cipher = NULL;
5477 const char *negotiated_scipher;
5478 const char *negotiated_ccipher;
5479 int set_at_ctx = 0;
5480 int set_at_ssl = 0;
5481 int testresult = 0;
5482 int max_ver;
5483 size_t i;
5484
5485 switch (idx) {
5486 case 0:
5487 set_at_ctx = 1;
5488 break;
5489 case 1:
5490 set_at_ssl = 1;
5491 break;
5492 case 2:
5493 set_at_ctx = 1;
5494 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5495 break;
5496 case 3:
5497 set_at_ssl = 1;
5498 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5499 break;
5500 }
5501
5502 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5503 #ifdef OPENSSL_NO_TLS1_2
5504 if (max_ver == TLS1_2_VERSION)
5505 continue;
5506 #endif
5507 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5508 if (is_fips && !t13_ciphers[i].fipscapable)
5509 continue;
5510 t13_cipher = t13_ciphers[i].ciphername;
5511 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5512 TLS_client_method(),
5513 TLS1_VERSION, max_ver,
5514 &sctx, &cctx, cert, privkey)))
5515 goto end;
5516
5517 if (t13_ciphers[i].low_security) {
5518 SSL_CTX_set_security_level(sctx, 0);
5519 SSL_CTX_set_security_level(cctx, 0);
5520 }
5521
5522 if (set_at_ctx) {
5523 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5524 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5525 goto end;
5526 if (t12_cipher != NULL) {
5527 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5528 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5529 t12_cipher)))
5530 goto end;
5531 }
5532 }
5533
5534 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5535 &clientssl, NULL, NULL)))
5536 goto end;
5537
5538 if (set_at_ssl) {
5539 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5540 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5541 goto end;
5542 if (t12_cipher != NULL) {
5543 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5544 || !TEST_true(SSL_set_cipher_list(clientssl,
5545 t12_cipher)))
5546 goto end;
5547 }
5548 }
5549
5550 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5551 SSL_ERROR_NONE)))
5552 goto end;
5553
5554 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5555 serverssl));
5556 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5557 clientssl));
5558 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5559 goto end;
5560
5561 /*
5562 * TEST_strn_eq is used below because t13_cipher can contain
5563 * multiple ciphersuites
5564 */
5565 if (max_ver == TLS1_3_VERSION
5566 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5567 strlen(negotiated_scipher)))
5568 goto end;
5569
5570 #ifndef OPENSSL_NO_TLS1_2
5571 /* Below validation is not done when t12_cipher is NULL */
5572 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5573 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5574 goto end;
5575 #endif
5576
5577 SSL_free(serverssl);
5578 serverssl = NULL;
5579 SSL_free(clientssl);
5580 clientssl = NULL;
5581 SSL_CTX_free(sctx);
5582 sctx = NULL;
5583 SSL_CTX_free(cctx);
5584 cctx = NULL;
5585 }
5586 }
5587
5588 testresult = 1;
5589 end:
5590 SSL_free(serverssl);
5591 SSL_free(clientssl);
5592 SSL_CTX_free(sctx);
5593 SSL_CTX_free(cctx);
5594 return testresult;
5595 }
5596
5597 /*
5598 * Test TLSv1.3 PSKs
5599 * Test 0 = Test new style callbacks
5600 * Test 1 = Test both new and old style callbacks
5601 * Test 2 = Test old style callbacks
5602 * Test 3 = Test old style callbacks with no certificate
5603 */
test_tls13_psk(int idx)5604 static int test_tls13_psk(int idx)
5605 {
5606 SSL_CTX *sctx = NULL, *cctx = NULL;
5607 SSL *serverssl = NULL, *clientssl = NULL;
5608 const SSL_CIPHER *cipher = NULL;
5609 const unsigned char key[] = {
5610 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5611 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5612 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5613 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5614 };
5615 int testresult = 0;
5616
5617 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5618 TLS_client_method(), TLS1_VERSION, 0,
5619 &sctx, &cctx, idx == 3 ? NULL : cert,
5620 idx == 3 ? NULL : privkey)))
5621 goto end;
5622
5623 if (idx != 3) {
5624 /*
5625 * We use a ciphersuite with SHA256 to ease testing old style PSK
5626 * callbacks which will always default to SHA256. This should not be
5627 * necessary if we have no cert/priv key. In that case the server should
5628 * prefer SHA256 automatically.
5629 */
5630 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5631 "TLS_AES_128_GCM_SHA256")))
5632 goto end;
5633 } else {
5634 /*
5635 * As noted above the server should prefer SHA256 automatically. However
5636 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5637 * code works even if we are testing with only the FIPS provider loaded.
5638 */
5639 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5640 "TLS_AES_256_GCM_SHA384:"
5641 "TLS_AES_128_GCM_SHA256")))
5642 goto end;
5643 }
5644
5645 /*
5646 * Test 0: New style callbacks only
5647 * Test 1: New and old style callbacks (only the new ones should be used)
5648 * Test 2: Old style callbacks only
5649 */
5650 if (idx == 0 || idx == 1) {
5651 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5652 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5653 }
5654 #ifndef OPENSSL_NO_PSK
5655 if (idx >= 1) {
5656 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5657 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5658 }
5659 #endif
5660 srvid = pskid;
5661 use_session_cb_cnt = 0;
5662 find_session_cb_cnt = 0;
5663 psk_client_cb_cnt = 0;
5664 psk_server_cb_cnt = 0;
5665
5666 if (idx != 3) {
5667 /*
5668 * Check we can create a connection if callback decides not to send a
5669 * PSK
5670 */
5671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5672 NULL, NULL))
5673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5674 SSL_ERROR_NONE))
5675 || !TEST_false(SSL_session_reused(clientssl))
5676 || !TEST_false(SSL_session_reused(serverssl)))
5677 goto end;
5678
5679 if (idx == 0 || idx == 1) {
5680 if (!TEST_true(use_session_cb_cnt == 1)
5681 || !TEST_true(find_session_cb_cnt == 0)
5682 /*
5683 * If no old style callback then below should be 0
5684 * otherwise 1
5685 */
5686 || !TEST_true(psk_client_cb_cnt == idx)
5687 || !TEST_true(psk_server_cb_cnt == 0))
5688 goto end;
5689 } else {
5690 if (!TEST_true(use_session_cb_cnt == 0)
5691 || !TEST_true(find_session_cb_cnt == 0)
5692 || !TEST_true(psk_client_cb_cnt == 1)
5693 || !TEST_true(psk_server_cb_cnt == 0))
5694 goto end;
5695 }
5696
5697 shutdown_ssl_connection(serverssl, clientssl);
5698 serverssl = clientssl = NULL;
5699 use_session_cb_cnt = psk_client_cb_cnt = 0;
5700 }
5701
5702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5703 NULL, NULL)))
5704 goto end;
5705
5706 /* Create the PSK */
5707 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5708 clientpsk = SSL_SESSION_new();
5709 if (!TEST_ptr(clientpsk)
5710 || !TEST_ptr(cipher)
5711 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5712 sizeof(key)))
5713 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5714 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5715 TLS1_3_VERSION))
5716 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5717 goto end;
5718 serverpsk = clientpsk;
5719
5720 /* Check we can create a connection and the PSK is used */
5721 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5722 || !TEST_true(SSL_session_reused(clientssl))
5723 || !TEST_true(SSL_session_reused(serverssl)))
5724 goto end;
5725
5726 if (idx == 0 || idx == 1) {
5727 if (!TEST_true(use_session_cb_cnt == 1)
5728 || !TEST_true(find_session_cb_cnt == 1)
5729 || !TEST_true(psk_client_cb_cnt == 0)
5730 || !TEST_true(psk_server_cb_cnt == 0))
5731 goto end;
5732 } else {
5733 if (!TEST_true(use_session_cb_cnt == 0)
5734 || !TEST_true(find_session_cb_cnt == 0)
5735 || !TEST_true(psk_client_cb_cnt == 1)
5736 || !TEST_true(psk_server_cb_cnt == 1))
5737 goto end;
5738 }
5739
5740 shutdown_ssl_connection(serverssl, clientssl);
5741 serverssl = clientssl = NULL;
5742 use_session_cb_cnt = find_session_cb_cnt = 0;
5743 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5744
5745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5746 NULL, NULL)))
5747 goto end;
5748
5749 /* Force an HRR */
5750 #if defined(OPENSSL_NO_EC)
5751 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5752 goto end;
5753 #else
5754 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5755 goto end;
5756 #endif
5757
5758 /*
5759 * Check we can create a connection, the PSK is used and the callbacks are
5760 * called twice.
5761 */
5762 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5763 || !TEST_true(SSL_session_reused(clientssl))
5764 || !TEST_true(SSL_session_reused(serverssl)))
5765 goto end;
5766
5767 if (idx == 0 || idx == 1) {
5768 if (!TEST_true(use_session_cb_cnt == 2)
5769 || !TEST_true(find_session_cb_cnt == 2)
5770 || !TEST_true(psk_client_cb_cnt == 0)
5771 || !TEST_true(psk_server_cb_cnt == 0))
5772 goto end;
5773 } else {
5774 if (!TEST_true(use_session_cb_cnt == 0)
5775 || !TEST_true(find_session_cb_cnt == 0)
5776 || !TEST_true(psk_client_cb_cnt == 2)
5777 || !TEST_true(psk_server_cb_cnt == 2))
5778 goto end;
5779 }
5780
5781 shutdown_ssl_connection(serverssl, clientssl);
5782 serverssl = clientssl = NULL;
5783 use_session_cb_cnt = find_session_cb_cnt = 0;
5784 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5785
5786 if (idx != 3) {
5787 /*
5788 * Check that if the server rejects the PSK we can still connect, but with
5789 * a full handshake
5790 */
5791 srvid = "Dummy Identity";
5792 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5793 NULL, NULL))
5794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5795 SSL_ERROR_NONE))
5796 || !TEST_false(SSL_session_reused(clientssl))
5797 || !TEST_false(SSL_session_reused(serverssl)))
5798 goto end;
5799
5800 if (idx == 0 || idx == 1) {
5801 if (!TEST_true(use_session_cb_cnt == 1)
5802 || !TEST_true(find_session_cb_cnt == 1)
5803 || !TEST_true(psk_client_cb_cnt == 0)
5804 /*
5805 * If no old style callback then below should be 0
5806 * otherwise 1
5807 */
5808 || !TEST_true(psk_server_cb_cnt == idx))
5809 goto end;
5810 } else {
5811 if (!TEST_true(use_session_cb_cnt == 0)
5812 || !TEST_true(find_session_cb_cnt == 0)
5813 || !TEST_true(psk_client_cb_cnt == 1)
5814 || !TEST_true(psk_server_cb_cnt == 1))
5815 goto end;
5816 }
5817
5818 shutdown_ssl_connection(serverssl, clientssl);
5819 serverssl = clientssl = NULL;
5820 }
5821 testresult = 1;
5822
5823 end:
5824 SSL_SESSION_free(clientpsk);
5825 SSL_SESSION_free(serverpsk);
5826 clientpsk = serverpsk = NULL;
5827 SSL_free(serverssl);
5828 SSL_free(clientssl);
5829 SSL_CTX_free(sctx);
5830 SSL_CTX_free(cctx);
5831 return testresult;
5832 }
5833
5834 #ifndef OSSL_NO_USABLE_TLS1_3
5835 /*
5836 * Test TLS1.3 connection establishment succeeds with various configurations of
5837 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5838 * The verification of whether the right KEX mode is chosen is not covered by
5839 * this test but by `test_tls13kexmodes`.
5840 *
5841 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5842 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5843 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5844 */
test_tls13_no_dhe_kex(const int idx)5845 static int test_tls13_no_dhe_kex(const int idx)
5846 {
5847 SSL_CTX *sctx = NULL, *cctx = NULL;
5848 SSL *serverssl = NULL, *clientssl = NULL;
5849 int testresult = 0;
5850 size_t j;
5851 SSL_SESSION *saved_session;
5852
5853 int server_allow_no_dhe = (idx & 1) != 0;
5854 int server_prefer_no_dhe = (idx & 2) != 0;
5855 int client_allow_no_dhe = (idx & 4) != 0;
5856
5857 uint64_t server_options = 0
5858 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5859 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5860
5861 uint64_t client_options = 0
5862 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5863
5864 new_called = 0;
5865 do_cache = 1;
5866
5867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5868 TLS_client_method(), TLS1_3_VERSION, 0,
5869 &sctx, &cctx, cert, privkey)))
5870 goto end;
5871
5872 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5873
5874 SSL_CTX_set_options(sctx, server_options);
5875 SSL_CTX_set_options(cctx, client_options);
5876
5877 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5878
5879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5880 &clientssl, NULL, NULL)))
5881 goto end;
5882
5883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5884 SSL_ERROR_NONE))
5885 /* Check we got the number of tickets we were expecting */
5886 || !TEST_int_eq(2, new_called))
5887 goto end;
5888
5889 /* We'll reuse the last ticket. */
5890 saved_session = sesscache[new_called - 1];
5891
5892 SSL_shutdown(clientssl);
5893 SSL_shutdown(serverssl);
5894 SSL_free(serverssl);
5895 SSL_free(clientssl);
5896 SSL_CTX_free(cctx);
5897 clientssl = serverssl = NULL;
5898 cctx = NULL;
5899
5900 /*
5901 * Now we resume with the last ticket we created.
5902 */
5903
5904 /* The server context already exists, so we only create the client. */
5905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5906 TLS_client_method(), TLS1_3_VERSION, 0,
5907 NULL, &cctx, cert, privkey)))
5908 goto end;
5909
5910 SSL_CTX_set_options(cctx, client_options);
5911
5912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5913 &clientssl, NULL, NULL))
5914 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5915 goto end;
5916
5917 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5918 SSL_ERROR_NONE)))
5919 goto end;
5920
5921 /*
5922 * Make sure, the session was resumed.
5923 */
5924 if (!TEST_true(SSL_session_reused(clientssl)))
5925 goto end;
5926
5927 SSL_shutdown(clientssl);
5928 SSL_shutdown(serverssl);
5929
5930 testresult = 1;
5931
5932 end:
5933 SSL_free(serverssl);
5934 SSL_free(clientssl);
5935 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5936 SSL_SESSION_free(sesscache[j]);
5937 sesscache[j] = NULL;
5938 }
5939 SSL_CTX_free(sctx);
5940 SSL_CTX_free(cctx);
5941
5942 return testresult;
5943 }
5944 #endif /* OSSL_NO_USABLE_TLS1_3 */
5945
5946 static unsigned char cookie_magic_value[] = "cookie magic";
5947
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)5948 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5949 unsigned int *cookie_len)
5950 {
5951 /*
5952 * Not suitable as a real cookie generation function but good enough for
5953 * testing!
5954 */
5955 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5956 *cookie_len = sizeof(cookie_magic_value) - 1;
5957
5958 return 1;
5959 }
5960
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)5961 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5962 unsigned int cookie_len)
5963 {
5964 if (cookie_len == sizeof(cookie_magic_value) - 1
5965 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5966 return 1;
5967
5968 return 0;
5969 }
5970
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)5971 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5972 size_t *cookie_len)
5973 {
5974 unsigned int temp;
5975 int res = generate_cookie_callback(ssl, cookie, &temp);
5976 *cookie_len = temp;
5977 return res;
5978 }
5979
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)5980 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5981 size_t cookie_len)
5982 {
5983 return verify_cookie_callback(ssl, cookie, cookie_len);
5984 }
5985
test_stateless(void)5986 static int test_stateless(void)
5987 {
5988 SSL_CTX *sctx = NULL, *cctx = NULL;
5989 SSL *serverssl = NULL, *clientssl = NULL;
5990 int testresult = 0;
5991
5992 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5993 TLS_client_method(), TLS1_VERSION, 0,
5994 &sctx, &cctx, cert, privkey)))
5995 goto end;
5996
5997 /* The arrival of CCS messages can confuse the test */
5998 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5999
6000 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6001 NULL, NULL))
6002 /* Send the first ClientHello */
6003 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6004 SSL_ERROR_WANT_READ))
6005 /*
6006 * This should fail with a -1 return because we have no callbacks
6007 * set up
6008 */
6009 || !TEST_int_eq(SSL_stateless(serverssl), -1))
6010 goto end;
6011
6012 /* Fatal error so abandon the connection from this client */
6013 SSL_free(clientssl);
6014 clientssl = NULL;
6015
6016 /* Set up the cookie generation and verification callbacks */
6017 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
6018 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
6019
6020 /*
6021 * Create a new connection from the client (we can reuse the server SSL
6022 * object).
6023 */
6024 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6025 NULL, NULL))
6026 /* Send the first ClientHello */
6027 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6028 SSL_ERROR_WANT_READ))
6029 /* This should fail because there is no cookie */
6030 || !TEST_int_eq(SSL_stateless(serverssl), 0))
6031 goto end;
6032
6033 /* Abandon the connection from this client */
6034 SSL_free(clientssl);
6035 clientssl = NULL;
6036
6037 /*
6038 * Now create a connection from a new client but with the same server SSL
6039 * object
6040 */
6041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6042 NULL, NULL))
6043 /* Send the first ClientHello */
6044 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6045 SSL_ERROR_WANT_READ))
6046 /* This should fail because there is no cookie */
6047 || !TEST_int_eq(SSL_stateless(serverssl), 0)
6048 /* Send the second ClientHello */
6049 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6050 SSL_ERROR_WANT_READ))
6051 /* This should succeed because a cookie is now present */
6052 || !TEST_int_eq(SSL_stateless(serverssl), 1)
6053 /* Complete the connection */
6054 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6055 SSL_ERROR_NONE)))
6056 goto end;
6057
6058 shutdown_ssl_connection(serverssl, clientssl);
6059 serverssl = clientssl = NULL;
6060 testresult = 1;
6061
6062 end:
6063 SSL_free(serverssl);
6064 SSL_free(clientssl);
6065 SSL_CTX_free(sctx);
6066 SSL_CTX_free(cctx);
6067 return testresult;
6068 }
6069 #endif /* OSSL_NO_USABLE_TLS1_3 */
6070
6071 static int clntaddoldcb = 0;
6072 static int clntparseoldcb = 0;
6073 static int srvaddoldcb = 0;
6074 static int srvparseoldcb = 0;
6075 static int clntaddnewcb = 0;
6076 static int clntparsenewcb = 0;
6077 static int srvaddnewcb = 0;
6078 static int srvparsenewcb = 0;
6079 static int snicb = 0;
6080
6081 #define TEST_EXT_TYPE1 0xff00
6082
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)6083 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
6084 size_t *outlen, int *al, void *add_arg)
6085 {
6086 int *server = (int *)add_arg;
6087 unsigned char *data;
6088
6089 if (SSL_is_server(s))
6090 srvaddoldcb++;
6091 else
6092 clntaddoldcb++;
6093
6094 if (*server != SSL_is_server(s)
6095 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6096 return -1;
6097
6098 *data = 1;
6099 *out = data;
6100 *outlen = sizeof(char);
6101 return 1;
6102 }
6103
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)6104 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
6105 void *add_arg)
6106 {
6107 OPENSSL_free((unsigned char *)out);
6108 }
6109
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)6110 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
6111 size_t inlen, int *al, void *parse_arg)
6112 {
6113 int *server = (int *)parse_arg;
6114
6115 if (SSL_is_server(s))
6116 srvparseoldcb++;
6117 else
6118 clntparseoldcb++;
6119
6120 if (*server != SSL_is_server(s)
6121 || inlen != sizeof(char)
6122 || *in != 1)
6123 return -1;
6124
6125 return 1;
6126 }
6127
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)6128 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6129 const unsigned char **out, size_t *outlen, X509 *x,
6130 size_t chainidx, int *al, void *add_arg)
6131 {
6132 int *server = (int *)add_arg;
6133 unsigned char *data;
6134
6135 if (SSL_is_server(s))
6136 srvaddnewcb++;
6137 else
6138 clntaddnewcb++;
6139
6140 if (*server != SSL_is_server(s)
6141 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6142 return -1;
6143
6144 *data = 1;
6145 *out = data;
6146 *outlen = sizeof(*data);
6147 return 1;
6148 }
6149
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)6150 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6151 const unsigned char *out, void *add_arg)
6152 {
6153 OPENSSL_free((unsigned char *)out);
6154 }
6155
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6156 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6157 const unsigned char *in, size_t inlen, X509 *x,
6158 size_t chainidx, int *al, void *parse_arg)
6159 {
6160 int *server = (int *)parse_arg;
6161
6162 if (SSL_is_server(s))
6163 srvparsenewcb++;
6164 else
6165 clntparsenewcb++;
6166
6167 if (*server != SSL_is_server(s)
6168 || inlen != sizeof(char) || *in != 1)
6169 return -1;
6170
6171 return 1;
6172 }
6173
sni_cb(SSL * s,int * al,void * arg)6174 static int sni_cb(SSL *s, int *al, void *arg)
6175 {
6176 SSL_CTX *ctx = (SSL_CTX *)arg;
6177
6178 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6179 *al = SSL_AD_INTERNAL_ERROR;
6180 return SSL_TLSEXT_ERR_ALERT_FATAL;
6181 }
6182 snicb++;
6183 return SSL_TLSEXT_ERR_OK;
6184 }
6185
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)6186 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6187 {
6188 return 1;
6189 }
6190
6191 /*
6192 * Custom call back tests.
6193 * Test 0: Old style callbacks in TLSv1.2
6194 * Test 1: New style callbacks in TLSv1.2
6195 * Test 2: New style callbacks in TLSv1.2 with SNI
6196 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6197 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6198 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6199 */
test_custom_exts(int tst)6200 static int test_custom_exts(int tst)
6201 {
6202 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6203 SSL *clientssl = NULL, *serverssl = NULL;
6204 int testresult = 0;
6205 static int server = 1;
6206 static int client = 0;
6207 SSL_SESSION *sess = NULL;
6208 unsigned int context;
6209
6210 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6211 /* Skip tests for TLSv1.2 and below in this case */
6212 if (tst < 3)
6213 return 1;
6214 #endif
6215
6216 /* Reset callback counters */
6217 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6218 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6219 snicb = 0;
6220
6221 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6222 TLS_client_method(), TLS1_VERSION, 0,
6223 &sctx, &cctx, cert, privkey)))
6224 goto end;
6225
6226 if (tst == 2
6227 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6228 TLS1_VERSION, 0,
6229 &sctx2, NULL, cert, privkey)))
6230 goto end;
6231
6232 if (tst < 3) {
6233 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6234 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6235 if (sctx2 != NULL)
6236 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6237 }
6238
6239 if (tst == 5) {
6240 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6241 | SSL_EXT_TLS1_3_CERTIFICATE;
6242 SSL_CTX_set_verify(sctx,
6243 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6244 verify_cb);
6245 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6246 SSL_FILETYPE_PEM),
6247 1)
6248 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6249 SSL_FILETYPE_PEM),
6250 1)
6251 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6252 goto end;
6253 } else if (tst == 4) {
6254 context = SSL_EXT_CLIENT_HELLO
6255 | SSL_EXT_TLS1_2_SERVER_HELLO
6256 | SSL_EXT_TLS1_3_SERVER_HELLO
6257 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6258 | SSL_EXT_TLS1_3_CERTIFICATE
6259 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6260 } else {
6261 context = SSL_EXT_CLIENT_HELLO
6262 | SSL_EXT_TLS1_2_SERVER_HELLO
6263 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6264 }
6265
6266 /* Create a client side custom extension */
6267 if (tst == 0) {
6268 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6269 old_add_cb, old_free_cb,
6270 &client, old_parse_cb,
6271 &client)))
6272 goto end;
6273 } else {
6274 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6275 new_add_cb, new_free_cb,
6276 &client, new_parse_cb, &client)))
6277 goto end;
6278 }
6279
6280 /* Should not be able to add duplicates */
6281 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6282 old_add_cb, old_free_cb,
6283 &client, old_parse_cb,
6284 &client))
6285 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6286 context, new_add_cb,
6287 new_free_cb, &client,
6288 new_parse_cb, &client)))
6289 goto end;
6290
6291 /* Create a server side custom extension */
6292 if (tst == 0) {
6293 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6294 old_add_cb, old_free_cb,
6295 &server, old_parse_cb,
6296 &server)))
6297 goto end;
6298 } else {
6299 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6300 new_add_cb, new_free_cb,
6301 &server, new_parse_cb, &server)))
6302 goto end;
6303 if (sctx2 != NULL
6304 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6305 context, new_add_cb,
6306 new_free_cb, &server,
6307 new_parse_cb, &server)))
6308 goto end;
6309 }
6310
6311 /* Should not be able to add duplicates */
6312 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6313 old_add_cb, old_free_cb,
6314 &server, old_parse_cb,
6315 &server))
6316 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6317 context, new_add_cb,
6318 new_free_cb, &server,
6319 new_parse_cb, &server)))
6320 goto end;
6321
6322 if (tst == 2) {
6323 /* Set up SNI */
6324 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6325 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6326 goto end;
6327 }
6328
6329 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6330 &clientssl, NULL, NULL))
6331 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6332 SSL_ERROR_NONE)))
6333 goto end;
6334
6335 if (tst == 0) {
6336 if (clntaddoldcb != 1
6337 || clntparseoldcb != 1
6338 || srvaddoldcb != 1
6339 || srvparseoldcb != 1)
6340 goto end;
6341 } else if (tst == 1 || tst == 2 || tst == 3) {
6342 if (clntaddnewcb != 1
6343 || clntparsenewcb != 1
6344 || srvaddnewcb != 1
6345 || srvparsenewcb != 1
6346 || (tst != 2 && snicb != 0)
6347 || (tst == 2 && snicb != 1))
6348 goto end;
6349 } else if (tst == 5) {
6350 if (clntaddnewcb != 1
6351 || clntparsenewcb != 1
6352 || srvaddnewcb != 1
6353 || srvparsenewcb != 1)
6354 goto end;
6355 } else {
6356 /* In this case there 2 NewSessionTicket messages created */
6357 if (clntaddnewcb != 1
6358 || clntparsenewcb != 5
6359 || srvaddnewcb != 5
6360 || srvparsenewcb != 1)
6361 goto end;
6362 }
6363
6364 sess = SSL_get1_session(clientssl);
6365 SSL_shutdown(clientssl);
6366 SSL_shutdown(serverssl);
6367 SSL_free(serverssl);
6368 SSL_free(clientssl);
6369 serverssl = clientssl = NULL;
6370
6371 if (tst == 3 || tst == 5) {
6372 /* We don't bother with the resumption aspects for these tests */
6373 testresult = 1;
6374 goto end;
6375 }
6376
6377 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6378 NULL, NULL))
6379 || !TEST_true(SSL_set_session(clientssl, sess))
6380 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6381 SSL_ERROR_NONE)))
6382 goto end;
6383
6384 /*
6385 * For a resumed session we expect to add the ClientHello extension. For the
6386 * old style callbacks we ignore it on the server side because they set
6387 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6388 * them.
6389 */
6390 if (tst == 0) {
6391 if (clntaddoldcb != 2
6392 || clntparseoldcb != 1
6393 || srvaddoldcb != 1
6394 || srvparseoldcb != 1)
6395 goto end;
6396 } else if (tst == 1 || tst == 2 || tst == 3) {
6397 if (clntaddnewcb != 2
6398 || clntparsenewcb != 2
6399 || srvaddnewcb != 2
6400 || srvparsenewcb != 2)
6401 goto end;
6402 } else {
6403 /*
6404 * No Certificate message extensions in the resumption handshake,
6405 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6406 */
6407 if (clntaddnewcb != 2
6408 || clntparsenewcb != 8
6409 || srvaddnewcb != 8
6410 || srvparsenewcb != 2)
6411 goto end;
6412 }
6413
6414 testresult = 1;
6415
6416 end:
6417 SSL_SESSION_free(sess);
6418 SSL_free(serverssl);
6419 SSL_free(clientssl);
6420 SSL_CTX_free(sctx2);
6421 SSL_CTX_free(sctx);
6422 SSL_CTX_free(cctx);
6423 return testresult;
6424 }
6425
6426 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6427
6428 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6429 | SSL_EXT_CLIENT_HELLO \
6430 | SSL_EXT_TLS1_2_SERVER_HELLO \
6431 | SSL_EXT_IGNORE_ON_RESUMPTION)
6432
6433 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6434 | SSL_EXT_TLS1_2_SERVER_HELLO \
6435 | SSL_EXT_CLIENT_HELLO)
6436
6437 #define SERVERINFO_CUSTOM \
6438 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6439 0x00, 0x03, \
6440 0x04, 0x05, 0x06
6441
6442 static const unsigned char serverinfo_custom_tls13[] = {
6443 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6444 SERVERINFO_CUSTOM
6445 };
6446 static const unsigned char serverinfo_custom_v2[] = {
6447 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6448 SERVERINFO_CUSTOM
6449 };
6450 static const unsigned char serverinfo_custom_v1[] = {
6451 SERVERINFO_CUSTOM
6452 };
6453 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6454 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6455 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6456
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6457 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6458 unsigned int context,
6459 const unsigned char *in,
6460 size_t inlen, X509 *x,
6461 size_t chainidx, int *al,
6462 void *parse_arg)
6463 {
6464 const size_t len = serverinfo_custom_v1_len;
6465 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6466 int *p_cb_result = (int *)parse_arg;
6467 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6468 return 1;
6469 }
6470
test_serverinfo_custom(const int idx)6471 static int test_serverinfo_custom(const int idx)
6472 {
6473 SSL_CTX *sctx = NULL, *cctx = NULL;
6474 SSL *clientssl = NULL, *serverssl = NULL;
6475 int testresult = 0;
6476 int cb_result = 0;
6477
6478 /*
6479 * Following variables are set in the switch statement
6480 * according to the test iteration.
6481 * Default values do not make much sense: test would fail with them.
6482 */
6483 int serverinfo_version = 0;
6484 int protocol_version = 0;
6485 unsigned int extension_context = 0;
6486 const unsigned char *si = NULL;
6487 size_t si_len = 0;
6488
6489 const int call_use_serverinfo_ex = idx > 0;
6490 switch (idx) {
6491 case 0: /* FALLTHROUGH */
6492 case 1:
6493 serverinfo_version = SSL_SERVERINFOV1;
6494 protocol_version = TLS1_2_VERSION;
6495 extension_context = SYNTHV1CONTEXT;
6496 si = serverinfo_custom_v1;
6497 si_len = serverinfo_custom_v1_len;
6498 break;
6499 case 2:
6500 serverinfo_version = SSL_SERVERINFOV2;
6501 protocol_version = TLS1_2_VERSION;
6502 extension_context = SYNTHV1CONTEXT;
6503 si = serverinfo_custom_v2;
6504 si_len = serverinfo_custom_v2_len;
6505 break;
6506 case 3:
6507 serverinfo_version = SSL_SERVERINFOV2;
6508 protocol_version = TLS1_3_VERSION;
6509 extension_context = TLS13CONTEXT;
6510 si = serverinfo_custom_tls13;
6511 si_len = serverinfo_custom_tls13_len;
6512 break;
6513 }
6514
6515 if (!TEST_true(create_ssl_ctx_pair(libctx,
6516 TLS_method(),
6517 TLS_method(),
6518 protocol_version,
6519 protocol_version,
6520 &sctx, &cctx, cert, privkey)))
6521 goto end;
6522
6523 if (call_use_serverinfo_ex) {
6524 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6525 si, si_len)))
6526 goto end;
6527 } else {
6528 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6529 goto end;
6530 }
6531
6532 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6533 extension_context,
6534 NULL, NULL, NULL,
6535 serverinfo_custom_parse_cb,
6536 &cb_result))
6537 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6538 NULL, NULL))
6539 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6540 SSL_ERROR_NONE))
6541 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6542 goto end;
6543
6544 if (!TEST_true(cb_result))
6545 goto end;
6546
6547 testresult = 1;
6548
6549 end:
6550 SSL_free(serverssl);
6551 SSL_free(clientssl);
6552 SSL_CTX_free(sctx);
6553 SSL_CTX_free(cctx);
6554
6555 return testresult;
6556 }
6557 #endif
6558
6559 /*
6560 * Test that SSL_export_keying_material() produces expected results. There are
6561 * no test vectors so all we do is test that both sides of the communication
6562 * produce the same results for different protocol versions.
6563 */
6564 #define SMALL_LABEL_LEN 10
6565 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)6566 static int test_export_key_mat(int tst)
6567 {
6568 int testresult = 0;
6569 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6570 SSL *clientssl = NULL, *serverssl = NULL;
6571 const char label[LONG_LABEL_LEN + 1] = "test label";
6572 const unsigned char context[] = "context";
6573 const unsigned char *emptycontext = NULL;
6574 unsigned char longcontext[1280];
6575 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6576 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6577 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6578 size_t labellen;
6579 const int protocols[] = {
6580 TLS1_VERSION,
6581 TLS1_1_VERSION,
6582 TLS1_2_VERSION,
6583 TLS1_3_VERSION,
6584 TLS1_3_VERSION,
6585 TLS1_3_VERSION
6586 };
6587
6588 #ifdef OPENSSL_NO_TLS1
6589 if (tst == 0)
6590 return 1;
6591 #endif
6592 #ifdef OPENSSL_NO_TLS1_1
6593 if (tst == 1)
6594 return 1;
6595 #endif
6596 if (is_fips && (tst == 0 || tst == 1))
6597 return 1;
6598 #ifdef OPENSSL_NO_TLS1_2
6599 if (tst == 2)
6600 return 1;
6601 #endif
6602 #ifdef OSSL_NO_USABLE_TLS1_3
6603 if (tst >= 3)
6604 return 1;
6605 #endif
6606 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6607 TLS_client_method(), TLS1_VERSION, 0,
6608 &sctx, &cctx, cert, privkey)))
6609 goto end;
6610
6611 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6612 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6613 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6614 if ((protocols[tst] < TLS1_2_VERSION) && (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0") || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6615 goto end;
6616
6617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6618 NULL)))
6619 goto end;
6620
6621 /*
6622 * Premature call of SSL_export_keying_material should just fail.
6623 */
6624 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6625 sizeof(ckeymat1), label,
6626 SMALL_LABEL_LEN + 1, context,
6627 sizeof(context) - 1, 1),
6628 0))
6629 goto end;
6630
6631 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6632 SSL_ERROR_NONE)))
6633 goto end;
6634
6635 if (tst == 5) {
6636 /*
6637 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6638 * go over that.
6639 */
6640 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6641 sizeof(ckeymat1), label,
6642 LONG_LABEL_LEN + 1, context,
6643 sizeof(context) - 1, 1),
6644 0))
6645 goto end;
6646
6647 testresult = 1;
6648 goto end;
6649 } else if (tst == 4) {
6650 labellen = LONG_LABEL_LEN;
6651 } else {
6652 labellen = SMALL_LABEL_LEN;
6653 }
6654
6655 memset(longcontext, 1, sizeof(longcontext));
6656
6657 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6658 sizeof(ckeymat1), label,
6659 labellen, context,
6660 sizeof(context) - 1, 1),
6661 1)
6662 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6663 sizeof(ckeymat2), label,
6664 labellen,
6665 emptycontext,
6666 0, 1),
6667 1)
6668 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6669 sizeof(ckeymat3), label,
6670 labellen,
6671 NULL, 0, 0),
6672 1)
6673 || (test_longcontext
6674 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6675 ckeymat4,
6676 sizeof(ckeymat4), label,
6677 labellen,
6678 longcontext,
6679 sizeof(longcontext), 1),
6680 1))
6681 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6682 sizeof(skeymat1), label,
6683 labellen,
6684 context,
6685 sizeof(context) - 1, 1),
6686 1)
6687 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6688 sizeof(skeymat2), label,
6689 labellen,
6690 emptycontext,
6691 0, 1),
6692 1)
6693 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6694 sizeof(skeymat3), label,
6695 labellen,
6696 NULL, 0, 0),
6697 1)
6698 || (test_longcontext
6699 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6700 sizeof(skeymat4), label,
6701 labellen,
6702 longcontext,
6703 sizeof(longcontext), 1),
6704 1))
6705 /*
6706 * Check that both sides created the same key material with the
6707 * same context.
6708 */
6709 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6710 sizeof(skeymat1))
6711 /*
6712 * Check that both sides created the same key material with an
6713 * empty context.
6714 */
6715 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6716 sizeof(skeymat2))
6717 /*
6718 * Check that both sides created the same key material without a
6719 * context.
6720 */
6721 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6722 sizeof(skeymat3))
6723 /*
6724 * Check that both sides created the same key material with a
6725 * long context.
6726 */
6727 || (test_longcontext
6728 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6729 sizeof(skeymat4)))
6730 /* Different contexts should produce different results */
6731 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6732 sizeof(ckeymat2)))
6733 goto end;
6734
6735 /*
6736 * Check that an empty context and no context produce different results in
6737 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6738 */
6739 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3)))
6740 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))))
6741 goto end;
6742
6743 testresult = 1;
6744
6745 end:
6746 SSL_free(serverssl);
6747 SSL_free(clientssl);
6748 SSL_CTX_free(sctx2);
6749 SSL_CTX_free(sctx);
6750 SSL_CTX_free(cctx);
6751
6752 return testresult;
6753 }
6754
6755 #ifndef OSSL_NO_USABLE_TLS1_3
6756 /*
6757 * Test that SSL_export_keying_material_early() produces expected
6758 * results. There are no test vectors so all we do is test that both
6759 * sides of the communication produce the same results for different
6760 * protocol versions.
6761 */
test_export_key_mat_early(int idx)6762 static int test_export_key_mat_early(int idx)
6763 {
6764 static const char label[] = "test label";
6765 static const unsigned char context[] = "context";
6766 int testresult = 0;
6767 SSL_CTX *cctx = NULL, *sctx = NULL;
6768 SSL *clientssl = NULL, *serverssl = NULL;
6769 SSL_SESSION *sess = NULL;
6770 const unsigned char *emptycontext = NULL;
6771 unsigned char ckeymat1[80], ckeymat2[80];
6772 unsigned char skeymat1[80], skeymat2[80];
6773 unsigned char buf[1];
6774 size_t readbytes, written;
6775
6776 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6777 &sess, idx, SHA384_DIGEST_LENGTH)))
6778 goto end;
6779
6780 /* Here writing 0 length early data is enough. */
6781 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6782 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6783 &readbytes),
6784 SSL_READ_EARLY_DATA_ERROR)
6785 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6786 SSL_EARLY_DATA_ACCEPTED))
6787 goto end;
6788
6789 if (!TEST_int_eq(SSL_export_keying_material_early(
6790 clientssl, ckeymat1, sizeof(ckeymat1), label,
6791 sizeof(label) - 1, context, sizeof(context) - 1),
6792 1)
6793 || !TEST_int_eq(SSL_export_keying_material_early(
6794 clientssl, ckeymat2, sizeof(ckeymat2), label,
6795 sizeof(label) - 1, emptycontext, 0),
6796 1)
6797 || !TEST_int_eq(SSL_export_keying_material_early(
6798 serverssl, skeymat1, sizeof(skeymat1), label,
6799 sizeof(label) - 1, context, sizeof(context) - 1),
6800 1)
6801 || !TEST_int_eq(SSL_export_keying_material_early(
6802 serverssl, skeymat2, sizeof(skeymat2), label,
6803 sizeof(label) - 1, emptycontext, 0),
6804 1)
6805 /*
6806 * Check that both sides created the same key material with the
6807 * same context.
6808 */
6809 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6810 sizeof(skeymat1))
6811 /*
6812 * Check that both sides created the same key material with an
6813 * empty context.
6814 */
6815 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6816 sizeof(skeymat2))
6817 /* Different contexts should produce different results */
6818 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6819 sizeof(ckeymat2)))
6820 goto end;
6821
6822 testresult = 1;
6823
6824 end:
6825 SSL_SESSION_free(sess);
6826 SSL_SESSION_free(clientpsk);
6827 SSL_SESSION_free(serverpsk);
6828 clientpsk = serverpsk = NULL;
6829 SSL_free(serverssl);
6830 SSL_free(clientssl);
6831 SSL_CTX_free(sctx);
6832 SSL_CTX_free(cctx);
6833
6834 return testresult;
6835 }
6836
6837 #define NUM_KEY_UPDATE_MESSAGES 40
6838 /*
6839 * Test KeyUpdate.
6840 */
test_key_update(void)6841 static int test_key_update(void)
6842 {
6843 SSL_CTX *cctx = NULL, *sctx = NULL;
6844 SSL *clientssl = NULL, *serverssl = NULL;
6845 int testresult = 0, i, j;
6846 char buf[20];
6847 static char *mess = "A test message";
6848
6849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6850 TLS_client_method(),
6851 TLS1_3_VERSION,
6852 0,
6853 &sctx, &cctx, cert, privkey))
6854 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6855 NULL, NULL))
6856 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6857 SSL_ERROR_NONE)))
6858 goto end;
6859
6860 for (j = 0; j < 2; j++) {
6861 /* Send lots of KeyUpdate messages */
6862 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6863 if (!TEST_true(SSL_key_update(clientssl,
6864 (j == 0)
6865 ? SSL_KEY_UPDATE_NOT_REQUESTED
6866 : SSL_KEY_UPDATE_REQUESTED))
6867 || !TEST_true(SSL_do_handshake(clientssl)))
6868 goto end;
6869 }
6870
6871 /* Check that sending and receiving app data is ok */
6872 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6873 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6874 strlen(mess)))
6875 goto end;
6876
6877 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6878 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6879 strlen(mess)))
6880 goto end;
6881 }
6882
6883 testresult = 1;
6884
6885 end:
6886 SSL_free(serverssl);
6887 SSL_free(clientssl);
6888 SSL_CTX_free(sctx);
6889 SSL_CTX_free(cctx);
6890
6891 return testresult;
6892 }
6893
6894 /*
6895 * Test we can handle a KeyUpdate (update requested) message while
6896 * write data is pending in peer.
6897 * Test 0: Client sends KeyUpdate while Server is writing
6898 * Test 1: Server sends KeyUpdate while Client is writing
6899 */
test_key_update_peer_in_write(int tst)6900 static int test_key_update_peer_in_write(int tst)
6901 {
6902 SSL_CTX *cctx = NULL, *sctx = NULL;
6903 SSL *clientssl = NULL, *serverssl = NULL;
6904 int testresult = 0;
6905 char buf[20];
6906 static char *mess = "A test message";
6907 BIO *bretry = BIO_new(bio_s_always_retry());
6908 BIO *tmp = NULL;
6909 SSL *peerupdate = NULL, *peerwrite = NULL;
6910
6911 if (!TEST_ptr(bretry)
6912 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6913 TLS_client_method(),
6914 TLS1_3_VERSION,
6915 0,
6916 &sctx, &cctx, cert, privkey))
6917 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6918 NULL, NULL))
6919 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6920 SSL_ERROR_NONE)))
6921 goto end;
6922
6923 peerupdate = tst == 0 ? clientssl : serverssl;
6924 peerwrite = tst == 0 ? serverssl : clientssl;
6925
6926 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6927 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6928 goto end;
6929
6930 /* Swap the writing endpoint's write BIO to force a retry */
6931 tmp = SSL_get_wbio(peerwrite);
6932 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6933 tmp = NULL;
6934 goto end;
6935 }
6936 SSL_set0_wbio(peerwrite, bretry);
6937 bretry = NULL;
6938
6939 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6940 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6941 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6942 || !TEST_true(SSL_want_write(peerwrite))
6943 || !TEST_true(SSL_net_write_desired(peerwrite)))
6944 goto end;
6945
6946 /* Reinstate the original writing endpoint's write BIO */
6947 SSL_set0_wbio(peerwrite, tmp);
6948 tmp = NULL;
6949
6950 /* Now read some data - we will read the key update */
6951 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6952 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6953 || !TEST_true(SSL_want_read(peerwrite))
6954 || !TEST_true(SSL_net_read_desired(peerwrite)))
6955 goto end;
6956
6957 /*
6958 * Complete the write we started previously and read it from the other
6959 * endpoint
6960 */
6961 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6962 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6963 goto end;
6964
6965 /* Write more data to ensure we send the KeyUpdate message back */
6966 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6967 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6968 goto end;
6969
6970 if (!TEST_false(SSL_net_read_desired(peerwrite))
6971 || !TEST_false(SSL_net_write_desired(peerwrite))
6972 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6973 goto end;
6974
6975 testresult = 1;
6976
6977 end:
6978 SSL_free(serverssl);
6979 SSL_free(clientssl);
6980 SSL_CTX_free(sctx);
6981 SSL_CTX_free(cctx);
6982 BIO_free(bretry);
6983 BIO_free(tmp);
6984
6985 return testresult;
6986 }
6987
6988 /*
6989 * Test we can handle a KeyUpdate (update requested) message while
6990 * peer read data is pending after peer accepted keyupdate(the msg header
6991 * had been read 5 bytes).
6992 * Test 0: Client sends KeyUpdate while Server is reading
6993 * Test 1: Server sends KeyUpdate while Client is reading
6994 */
test_key_update_peer_in_read(int tst)6995 static int test_key_update_peer_in_read(int tst)
6996 {
6997 SSL_CTX *cctx = NULL, *sctx = NULL;
6998 SSL *clientssl = NULL, *serverssl = NULL;
6999 int testresult = 0;
7000 char prbuf[515], lwbuf[515] = { 0 };
7001 static char *mess = "A test message";
7002 BIO *lbio = NULL, *pbio = NULL;
7003 SSL *local = NULL, *peer = NULL;
7004
7005 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7006 TLS_client_method(),
7007 TLS1_3_VERSION,
7008 0,
7009 &sctx, &cctx, cert, privkey))
7010 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7011 NULL, NULL))
7012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7013 SSL_ERROR_NONE)))
7014 goto end;
7015
7016 local = tst == 0 ? clientssl : serverssl;
7017 peer = tst == 0 ? serverssl : clientssl;
7018
7019 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7020 goto end;
7021
7022 SSL_set_bio(local, lbio, lbio);
7023 SSL_set_bio(peer, pbio, pbio);
7024
7025 /*
7026 * we first write keyupdate msg then appdata in local
7027 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
7028 * lwbuf app data msg size + key updata msg size > 512(the size of
7029 * the bio pair buffer)
7030 */
7031 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7032 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
7033 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7034 goto end;
7035
7036 /*
7037 * first read keyupdate msg in peer in peer
7038 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
7039 */
7040 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
7041 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
7042 goto end;
7043
7044 /* Now write some data in peer - we will write the key update */
7045 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
7046 goto end;
7047
7048 /*
7049 * write data in local previously that we will complete
7050 * read data in peer previously that we will complete
7051 */
7052 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
7053 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
7054 goto end;
7055
7056 /* check that sending and receiving appdata ok */
7057 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7058 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7059 goto end;
7060
7061 testresult = 1;
7062
7063 end:
7064 SSL_free(serverssl);
7065 SSL_free(clientssl);
7066 SSL_CTX_free(sctx);
7067 SSL_CTX_free(cctx);
7068
7069 return testresult;
7070 }
7071
7072 /*
7073 * Test we can't send a KeyUpdate (update requested) message while
7074 * local write data is pending.
7075 * Test 0: Client sends KeyUpdate while Client is writing
7076 * Test 1: Server sends KeyUpdate while Server is writing
7077 */
test_key_update_local_in_write(int tst)7078 static int test_key_update_local_in_write(int tst)
7079 {
7080 SSL_CTX *cctx = NULL, *sctx = NULL;
7081 SSL *clientssl = NULL, *serverssl = NULL;
7082 int testresult = 0;
7083 char buf[20];
7084 static char *mess = "A test message";
7085 BIO *bretry = BIO_new(bio_s_always_retry());
7086 BIO *tmp = NULL;
7087 SSL *local = NULL, *peer = NULL;
7088
7089 if (!TEST_ptr(bretry)
7090 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7091 TLS_client_method(),
7092 TLS1_3_VERSION,
7093 0,
7094 &sctx, &cctx, cert, privkey))
7095 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7096 NULL, NULL))
7097 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7098 SSL_ERROR_NONE)))
7099 goto end;
7100
7101 local = tst == 0 ? clientssl : serverssl;
7102 peer = tst == 0 ? serverssl : clientssl;
7103
7104 /* Swap the writing endpoint's write BIO to force a retry */
7105 tmp = SSL_get_wbio(local);
7106 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
7107 tmp = NULL;
7108 goto end;
7109 }
7110 SSL_set0_wbio(local, bretry);
7111 bretry = NULL;
7112
7113 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
7114 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
7115 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7116 goto end;
7117
7118 /* Reinstate the original writing endpoint's write BIO */
7119 SSL_set0_wbio(local, tmp);
7120 tmp = NULL;
7121
7122 /* SSL_key_update will fail, because writing in local*/
7123 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7124 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7125 goto end;
7126
7127 ERR_clear_error();
7128 /* write data in local previously that we will complete */
7129 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7130 goto end;
7131
7132 /* SSL_key_update will succeed because there is no pending write data */
7133 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7134 || !TEST_int_eq(SSL_do_handshake(local), 1))
7135 goto end;
7136
7137 /*
7138 * we write some appdata in local
7139 * read data in peer - we will read the keyupdate msg
7140 */
7141 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7142 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7143 goto end;
7144
7145 /* Write more peer more data to ensure we send the keyupdate message back */
7146 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7147 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7148 goto end;
7149
7150 testresult = 1;
7151
7152 end:
7153 SSL_free(serverssl);
7154 SSL_free(clientssl);
7155 SSL_CTX_free(sctx);
7156 SSL_CTX_free(cctx);
7157 BIO_free(bretry);
7158 BIO_free(tmp);
7159
7160 return testresult;
7161 }
7162
7163 /*
7164 * Test we can handle a KeyUpdate (update requested) message while
7165 * local read data is pending(the msg header had been read 5 bytes).
7166 * Test 0: Client sends KeyUpdate while Client is reading
7167 * Test 1: Server sends KeyUpdate while Server is reading
7168 */
test_key_update_local_in_read(int tst)7169 static int test_key_update_local_in_read(int tst)
7170 {
7171 SSL_CTX *cctx = NULL, *sctx = NULL;
7172 SSL *clientssl = NULL, *serverssl = NULL;
7173 int testresult = 0;
7174 char lrbuf[515], pwbuf[515] = { 0 }, prbuf[20];
7175 static char *mess = "A test message";
7176 BIO *lbio = NULL, *pbio = NULL;
7177 SSL *local = NULL, *peer = NULL;
7178
7179 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7180 TLS_client_method(),
7181 TLS1_3_VERSION,
7182 0,
7183 &sctx, &cctx, cert, privkey))
7184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7185 NULL, NULL))
7186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7187 SSL_ERROR_NONE)))
7188 goto end;
7189
7190 local = tst == 0 ? clientssl : serverssl;
7191 peer = tst == 0 ? serverssl : clientssl;
7192
7193 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7194 goto end;
7195
7196 SSL_set_bio(local, lbio, lbio);
7197 SSL_set_bio(peer, pbio, pbio);
7198
7199 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7200 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7201 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7202 goto end;
7203
7204 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7205 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7206 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7207 goto end;
7208
7209 /* SSL_do_handshake will send keyupdate msg */
7210 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7211 || !TEST_int_eq(SSL_do_handshake(local), 1))
7212 goto end;
7213
7214 /*
7215 * write data in peer previously that we will complete
7216 * read data in local previously that we will complete
7217 */
7218 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7219 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7220 goto end;
7221
7222 /*
7223 * write data in local
7224 * read data in peer - we will read the key update
7225 */
7226 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7227 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7228 goto end;
7229
7230 /* Write more peer data to ensure we send the keyupdate message back */
7231 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7232 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7233 goto end;
7234
7235 testresult = 1;
7236
7237 end:
7238 SSL_free(serverssl);
7239 SSL_free(clientssl);
7240 SSL_CTX_free(sctx);
7241 SSL_CTX_free(cctx);
7242
7243 return testresult;
7244 }
7245 #endif /* OSSL_NO_USABLE_TLS1_3 */
7246
7247 /*
7248 * Test clearing a connection via SSL_clear(), or resetting it via
7249 * SSL_set_connect_state()/SSL_set_accept_state()
7250 * Test 0: SSL_set_connect_state, TLSv1.3
7251 * Test 1: SSL_set_connect_state, TLSv1.2
7252 * Test 2: SSL_set_accept_state, TLSv1.3
7253 * Test 3: SSL_set_accept_state, TLSv1.2
7254 * Test 4: SSL_clear (client), TLSv1.3
7255 * Test 5: SSL_clear (client), TLSv1.2
7256 * Test 6: SSL_clear (server), TLSv1.3
7257 * Test 7: SSL_clear (server), TLSv1.2
7258 */
test_ssl_clear(int idx)7259 static int test_ssl_clear(int idx)
7260 {
7261 SSL_CTX *cctx = NULL, *sctx = NULL;
7262 SSL *clientssl = NULL, *serverssl = NULL;
7263 SSL *writer, *reader;
7264 int testresult = 0;
7265 int tls12test, servertest, cleartest;
7266 size_t written, readbytes;
7267 const char *msg = "Hello World";
7268 unsigned char buf[5];
7269
7270 tls12test = idx & 1;
7271 idx >>= 1;
7272 servertest = idx & 1;
7273 idx >>= 1;
7274 cleartest = idx & 1;
7275
7276 #ifdef OPENSSL_NO_TLS1_2
7277 if (tls12test == 1)
7278 return TEST_skip("No TLSv1.2 in this build");
7279 #endif
7280
7281 /* Create an initial connection */
7282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7283 TLS_client_method(), TLS1_VERSION, 0,
7284 &sctx, &cctx, cert, privkey))
7285 || (tls12test
7286 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7287 TLS1_2_VERSION)))
7288 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7289 &clientssl, NULL, NULL))
7290 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7291 SSL_ERROR_NONE)))
7292 goto end;
7293
7294 if (servertest) {
7295 writer = clientssl;
7296 reader = serverssl;
7297 } else {
7298 writer = serverssl;
7299 reader = clientssl;
7300 }
7301
7302 /* Write some data */
7303 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7304 || written != strlen(msg))
7305 goto end;
7306
7307 /*
7308 * Read a partial record. The remaining buffered data should be cleared by
7309 * the subsequent clear/reset
7310 */
7311 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7312 || readbytes != sizeof(buf))
7313 goto end;
7314
7315 SSL_shutdown(clientssl);
7316 SSL_shutdown(serverssl);
7317
7318 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7319 if (servertest) {
7320 if (cleartest) {
7321 if (!TEST_true(SSL_clear(serverssl)))
7322 goto end;
7323 } else {
7324 SSL_set_accept_state(serverssl);
7325 }
7326 SSL_free(clientssl);
7327 clientssl = NULL;
7328 } else {
7329 if (cleartest) {
7330 if (!TEST_true(SSL_clear(clientssl)))
7331 goto end;
7332 } else {
7333 SSL_set_connect_state(clientssl);
7334 }
7335 SSL_free(serverssl);
7336 serverssl = NULL;
7337 }
7338
7339 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7340 NULL, NULL))
7341 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7342 SSL_ERROR_NONE))
7343 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7344 goto end;
7345
7346 SSL_shutdown(clientssl);
7347 SSL_shutdown(serverssl);
7348
7349 testresult = 1;
7350
7351 end:
7352 SSL_free(serverssl);
7353 SSL_free(clientssl);
7354 SSL_CTX_free(sctx);
7355 SSL_CTX_free(cctx);
7356
7357 return testresult;
7358 }
7359
7360 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)7361 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7362 {
7363 long len;
7364 unsigned char *data;
7365 PACKET pkt, pkt2, pkt3;
7366 unsigned int MFL_code = 0, type = 0;
7367
7368 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **)&data), 0))
7369 goto end;
7370
7371 memset(&pkt, 0, sizeof(pkt));
7372 memset(&pkt2, 0, sizeof(pkt2));
7373 memset(&pkt3, 0, sizeof(pkt3));
7374
7375 if (!TEST_long_gt(len, 0)
7376 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7377 /* Skip the record header */
7378 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7379 /* Skip the handshake message header */
7380 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7381 /* Skip client version and random */
7382 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE))
7383 /* Skip session id */
7384 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7385 /* Skip ciphers */
7386 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7387 /* Skip compression */
7388 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7389 /* Extensions len */
7390 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7391 goto end;
7392
7393 /* Loop through all extensions */
7394 while (PACKET_remaining(&pkt2)) {
7395 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7396 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7397 goto end;
7398
7399 if (type == TLSEXT_TYPE_max_fragment_length) {
7400 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7401 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7402 goto end;
7403
7404 *mfl_codemfl_code = MFL_code;
7405 return 1;
7406 }
7407 }
7408
7409 end:
7410 return 0;
7411 }
7412
7413 /* Maximum-Fragment-Length TLS extension mode to test */
7414 static const unsigned char max_fragment_len_test[] = {
7415 TLSEXT_max_fragment_length_512,
7416 TLSEXT_max_fragment_length_1024,
7417 TLSEXT_max_fragment_length_2048,
7418 TLSEXT_max_fragment_length_4096
7419 };
7420
test_max_fragment_len_ext(int idx_tst)7421 static int test_max_fragment_len_ext(int idx_tst)
7422 {
7423 SSL_CTX *ctx = NULL;
7424 SSL *con = NULL;
7425 int testresult = 0, MFL_mode = 0;
7426 BIO *rbio, *wbio;
7427
7428 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7429 TLS1_VERSION, 0, NULL, &ctx, NULL,
7430 NULL)))
7431 return 0;
7432
7433 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7434 ctx, max_fragment_len_test[idx_tst])))
7435 goto end;
7436
7437 con = SSL_new(ctx);
7438 if (!TEST_ptr(con))
7439 goto end;
7440
7441 rbio = BIO_new(BIO_s_mem());
7442 wbio = BIO_new(BIO_s_mem());
7443 if (!TEST_ptr(rbio) || !TEST_ptr(wbio)) {
7444 BIO_free(rbio);
7445 BIO_free(wbio);
7446 goto end;
7447 }
7448
7449 SSL_set_bio(con, rbio, wbio);
7450
7451 if (!TEST_int_le(SSL_connect(con), 0)) {
7452 /* This shouldn't succeed because we don't have a server! */
7453 goto end;
7454 }
7455
7456 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7457 /* no MFL in client hello */
7458 goto end;
7459 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7460 goto end;
7461
7462 testresult = 1;
7463
7464 end:
7465 SSL_free(con);
7466 SSL_CTX_free(ctx);
7467
7468 return testresult;
7469 }
7470
7471 #ifndef OSSL_NO_USABLE_TLS1_3
test_pha_key_update(void)7472 static int test_pha_key_update(void)
7473 {
7474 SSL_CTX *cctx = NULL, *sctx = NULL;
7475 SSL *clientssl = NULL, *serverssl = NULL;
7476 int testresult = 0;
7477
7478 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7479 TLS_client_method(), TLS1_VERSION, 0,
7480 &sctx, &cctx, cert, privkey)))
7481 return 0;
7482
7483 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7484 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7485 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7486 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7487 goto end;
7488
7489 SSL_CTX_set_post_handshake_auth(cctx, 1);
7490
7491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7492 NULL, NULL)))
7493 goto end;
7494
7495 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7496 SSL_ERROR_NONE)))
7497 goto end;
7498
7499 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7500 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7501 goto end;
7502
7503 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7504 goto end;
7505
7506 /* Start handshake on the server */
7507 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7508 goto end;
7509
7510 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7511 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7512 SSL_ERROR_NONE)))
7513 goto end;
7514
7515 SSL_shutdown(clientssl);
7516 SSL_shutdown(serverssl);
7517
7518 testresult = 1;
7519
7520 end:
7521 SSL_free(serverssl);
7522 SSL_free(clientssl);
7523 SSL_CTX_free(sctx);
7524 SSL_CTX_free(cctx);
7525 return testresult;
7526 }
7527 #endif
7528
7529 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7530
7531 static SRP_VBASE *vbase = NULL;
7532
ssl_srp_cb(SSL * s,int * ad,void * arg)7533 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7534 {
7535 int ret = SSL3_AL_FATAL;
7536 char *username;
7537 SRP_user_pwd *user = NULL;
7538
7539 username = SSL_get_srp_username(s);
7540 if (username == NULL) {
7541 *ad = SSL_AD_INTERNAL_ERROR;
7542 goto err;
7543 }
7544
7545 user = SRP_VBASE_get1_by_user(vbase, username);
7546 if (user == NULL) {
7547 *ad = SSL_AD_INTERNAL_ERROR;
7548 goto err;
7549 }
7550
7551 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7552 user->info)
7553 <= 0) {
7554 *ad = SSL_AD_INTERNAL_ERROR;
7555 goto err;
7556 }
7557
7558 ret = 0;
7559
7560 err:
7561 SRP_user_pwd_free(user);
7562 return ret;
7563 }
7564
create_new_vfile(char * userid,char * password,const char * filename)7565 static int create_new_vfile(char *userid, char *password, const char *filename)
7566 {
7567 char *gNid = NULL;
7568 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7569 TXT_DB *db = NULL;
7570 int ret = 0;
7571 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7572 size_t i;
7573
7574 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7575 goto end;
7576
7577 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7578 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7579 if (!TEST_ptr(gNid))
7580 goto end;
7581
7582 /*
7583 * The only way to create an empty TXT_DB is to provide a BIO with no data
7584 * in it!
7585 */
7586 db = TXT_DB_read(dummy, DB_NUMBER);
7587 if (!TEST_ptr(db))
7588 goto end;
7589
7590 out = BIO_new_file(filename, "w");
7591 if (!TEST_ptr(out))
7592 goto end;
7593
7594 row[DB_srpid] = OPENSSL_strdup(userid);
7595 row[DB_srptype] = OPENSSL_strdup("V");
7596 row[DB_srpgN] = OPENSSL_strdup(gNid);
7597
7598 if (!TEST_ptr(row[DB_srpid])
7599 || !TEST_ptr(row[DB_srptype])
7600 || !TEST_ptr(row[DB_srpgN])
7601 || !TEST_true(TXT_DB_insert(db, row)))
7602 goto end;
7603
7604 row = NULL;
7605
7606 if (TXT_DB_write(out, db) <= 0)
7607 goto end;
7608
7609 ret = 1;
7610 end:
7611 if (row != NULL) {
7612 for (i = 0; i < DB_NUMBER; i++)
7613 OPENSSL_free(row[i]);
7614 }
7615 OPENSSL_free(row);
7616 BIO_free(dummy);
7617 BIO_free(out);
7618 TXT_DB_free(db);
7619
7620 return ret;
7621 }
7622
create_new_vbase(char * userid,char * password)7623 static int create_new_vbase(char *userid, char *password)
7624 {
7625 BIGNUM *verifier = NULL, *salt = NULL;
7626 const SRP_gN *lgN = NULL;
7627 SRP_user_pwd *user_pwd = NULL;
7628 int ret = 0;
7629
7630 lgN = SRP_get_default_gN(NULL);
7631 if (!TEST_ptr(lgN))
7632 goto end;
7633
7634 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7635 lgN->N, lgN->g, libctx, NULL)))
7636 goto end;
7637
7638 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7639 if (!TEST_ptr(user_pwd))
7640 goto end;
7641
7642 user_pwd->N = lgN->N;
7643 user_pwd->g = lgN->g;
7644 user_pwd->id = OPENSSL_strdup(userid);
7645 if (!TEST_ptr(user_pwd->id))
7646 goto end;
7647
7648 user_pwd->v = verifier;
7649 user_pwd->s = salt;
7650 verifier = salt = NULL;
7651
7652 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7653 goto end;
7654 user_pwd = NULL;
7655
7656 ret = 1;
7657 end:
7658 SRP_user_pwd_free(user_pwd);
7659 BN_free(salt);
7660 BN_free(verifier);
7661
7662 return ret;
7663 }
7664
7665 /*
7666 * SRP tests
7667 *
7668 * Test 0: Simple successful SRP connection, new vbase
7669 * Test 1: Connection failure due to bad password, new vbase
7670 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7671 * Test 3: Connection failure due to bad password, vbase loaded from existing
7672 * file
7673 * Test 4: Simple successful SRP connection, vbase loaded from new file
7674 * Test 5: Connection failure due to bad password, vbase loaded from new file
7675 */
test_srp(int tst)7676 static int test_srp(int tst)
7677 {
7678 char *userid = "test", *password = "password", *tstsrpfile;
7679 SSL_CTX *cctx = NULL, *sctx = NULL;
7680 SSL *clientssl = NULL, *serverssl = NULL;
7681 int ret, testresult = 0;
7682
7683 vbase = SRP_VBASE_new(NULL);
7684 if (!TEST_ptr(vbase))
7685 goto end;
7686
7687 if (tst == 0 || tst == 1) {
7688 if (!TEST_true(create_new_vbase(userid, password)))
7689 goto end;
7690 } else {
7691 if (tst == 4 || tst == 5) {
7692 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7693 goto end;
7694 tstsrpfile = tmpfilename;
7695 } else {
7696 tstsrpfile = srpvfile;
7697 }
7698 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7699 goto end;
7700 }
7701
7702 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7703 TLS_client_method(), TLS1_VERSION, 0,
7704 &sctx, &cctx, cert, privkey)))
7705 goto end;
7706
7707 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7708 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7709 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7710 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7711 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7712 goto end;
7713
7714 if (tst % 2 == 1) {
7715 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7716 goto end;
7717 } else {
7718 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7719 goto end;
7720 }
7721
7722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7723 NULL, NULL)))
7724 goto end;
7725
7726 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7727 if (ret) {
7728 if (!TEST_true(tst % 2 == 0))
7729 goto end;
7730 } else {
7731 if (!TEST_true(tst % 2 == 1))
7732 goto end;
7733 }
7734
7735 testresult = 1;
7736
7737 end:
7738 SRP_VBASE_free(vbase);
7739 vbase = NULL;
7740 SSL_free(serverssl);
7741 SSL_free(clientssl);
7742 SSL_CTX_free(sctx);
7743 SSL_CTX_free(cctx);
7744
7745 return testresult;
7746 }
7747 #endif
7748
7749 static int info_cb_failed = 0;
7750 static int info_cb_offset = 0;
7751 static int info_cb_this_state = -1;
7752
7753 static struct info_cb_states_st {
7754 int where;
7755 const char *statestr;
7756 } info_cb_states[][60] = {
7757 {
7758 /* TLSv1.2 server followed by resumption */
7759 { SSL_CB_HANDSHAKE_START, NULL },
7760 { SSL_CB_LOOP, "PINIT" },
7761 { SSL_CB_LOOP, "PINIT" },
7762 { SSL_CB_LOOP, "TRCH" },
7763 { SSL_CB_LOOP, "TWSH" },
7764 { SSL_CB_LOOP, "TWSC" },
7765 { SSL_CB_LOOP, "TWSKE" },
7766 { SSL_CB_LOOP, "TWSD" },
7767 { SSL_CB_EXIT, NULL },
7768 { SSL_CB_LOOP, "TWSD" },
7769 { SSL_CB_LOOP, "TRCKE" },
7770 { SSL_CB_LOOP, "TRCCS" },
7771 { SSL_CB_LOOP, "TRFIN" },
7772 { SSL_CB_LOOP, "TWST" },
7773 { SSL_CB_LOOP, "TWCCS" },
7774 { SSL_CB_LOOP, "TWFIN" },
7775 { SSL_CB_HANDSHAKE_DONE, NULL },
7776 { SSL_CB_EXIT, NULL },
7777 { SSL_CB_ALERT, NULL },
7778 { SSL_CB_HANDSHAKE_START, NULL },
7779 { SSL_CB_LOOP, "PINIT" },
7780 { SSL_CB_LOOP, "PINIT" },
7781 { SSL_CB_LOOP, "TRCH" },
7782 { SSL_CB_LOOP, "TWSH" },
7783 { SSL_CB_LOOP, "TWCCS" },
7784 { SSL_CB_LOOP, "TWFIN" },
7785 { SSL_CB_EXIT, NULL },
7786 { SSL_CB_LOOP, "TWFIN" },
7787 { SSL_CB_LOOP, "TRCCS" },
7788 { SSL_CB_LOOP, "TRFIN" },
7789 { SSL_CB_HANDSHAKE_DONE, NULL },
7790 { SSL_CB_EXIT, NULL },
7791 { 0, NULL },
7792 },
7793 {
7794 /* TLSv1.2 client followed by resumption */
7795 { SSL_CB_HANDSHAKE_START, NULL },
7796 { SSL_CB_LOOP, "PINIT" },
7797 { SSL_CB_LOOP, "TWCH" },
7798 { SSL_CB_EXIT, NULL },
7799 { SSL_CB_LOOP, "TWCH" },
7800 { SSL_CB_LOOP, "TRSH" },
7801 { SSL_CB_LOOP, "TRSC" },
7802 { SSL_CB_LOOP, "TRSKE" },
7803 { SSL_CB_LOOP, "TRSD" },
7804 { SSL_CB_LOOP, "TWCKE" },
7805 { SSL_CB_LOOP, "TWCCS" },
7806 { SSL_CB_LOOP, "TWFIN" },
7807 { SSL_CB_EXIT, NULL },
7808 { SSL_CB_LOOP, "TWFIN" },
7809 { SSL_CB_LOOP, "TRST" },
7810 { SSL_CB_LOOP, "TRCCS" },
7811 { SSL_CB_LOOP, "TRFIN" },
7812 { SSL_CB_HANDSHAKE_DONE, NULL },
7813 { SSL_CB_EXIT, NULL },
7814 { SSL_CB_ALERT, NULL },
7815 { SSL_CB_HANDSHAKE_START, NULL },
7816 { SSL_CB_LOOP, "PINIT" },
7817 { SSL_CB_LOOP, "TWCH" },
7818 { SSL_CB_EXIT, NULL },
7819 { SSL_CB_LOOP, "TWCH" },
7820 { SSL_CB_LOOP, "TRSH" },
7821 { SSL_CB_LOOP, "TRCCS" },
7822 { SSL_CB_LOOP, "TRFIN" },
7823 { SSL_CB_LOOP, "TWCCS" },
7824 { SSL_CB_LOOP, "TWFIN" },
7825 { SSL_CB_HANDSHAKE_DONE, NULL },
7826 { SSL_CB_EXIT, NULL },
7827 { 0, NULL },
7828 },
7829 {
7830 /* TLSv1.3 server followed by resumption */
7831 { SSL_CB_HANDSHAKE_START, NULL },
7832 { SSL_CB_LOOP, "PINIT" },
7833 { SSL_CB_LOOP, "PINIT" },
7834 { SSL_CB_LOOP, "TRCH" },
7835 { SSL_CB_LOOP, "TWSH" },
7836 { SSL_CB_LOOP, "TWCCS" },
7837 { SSL_CB_LOOP, "TWEE" },
7838 { SSL_CB_LOOP, "TWSC" },
7839 { SSL_CB_LOOP, "TWSCV" },
7840 { SSL_CB_LOOP, "TWFIN" },
7841 { SSL_CB_LOOP, "TED" },
7842 { SSL_CB_EXIT, NULL },
7843 { SSL_CB_LOOP, "TED" },
7844 { SSL_CB_LOOP, "TRFIN" },
7845 { SSL_CB_HANDSHAKE_DONE, NULL },
7846 { SSL_CB_LOOP, "TWST" },
7847 { SSL_CB_LOOP, "TWST" },
7848 { SSL_CB_EXIT, NULL },
7849 { SSL_CB_ALERT, NULL },
7850 { SSL_CB_HANDSHAKE_START, NULL },
7851 { SSL_CB_LOOP, "PINIT" },
7852 { SSL_CB_LOOP, "PINIT" },
7853 { SSL_CB_LOOP, "TRCH" },
7854 { SSL_CB_LOOP, "TWSH" },
7855 { SSL_CB_LOOP, "TWCCS" },
7856 { SSL_CB_LOOP, "TWEE" },
7857 { SSL_CB_LOOP, "TWFIN" },
7858 { SSL_CB_LOOP, "TED" },
7859 { SSL_CB_EXIT, NULL },
7860 { SSL_CB_LOOP, "TED" },
7861 { SSL_CB_LOOP, "TRFIN" },
7862 { SSL_CB_HANDSHAKE_DONE, NULL },
7863 { SSL_CB_LOOP, "TWST" },
7864 { SSL_CB_EXIT, NULL },
7865 { 0, NULL },
7866 },
7867 {
7868 /* TLSv1.3 client followed by resumption */
7869 { SSL_CB_HANDSHAKE_START, NULL },
7870 { SSL_CB_LOOP, "PINIT" },
7871 { SSL_CB_LOOP, "TWCH" },
7872 { SSL_CB_EXIT, NULL },
7873 { SSL_CB_LOOP, "TWCH" },
7874 { SSL_CB_LOOP, "TRSH" },
7875 { SSL_CB_LOOP, "TREE" },
7876 { SSL_CB_LOOP, "TRSC" },
7877 { SSL_CB_LOOP, "TRSCV" },
7878 { SSL_CB_LOOP, "TRFIN" },
7879 { SSL_CB_LOOP, "TWCCS" },
7880 { SSL_CB_LOOP, "TWFIN" },
7881 { SSL_CB_HANDSHAKE_DONE, NULL },
7882 { SSL_CB_EXIT, NULL },
7883 { SSL_CB_LOOP, "SSLOK" },
7884 { SSL_CB_LOOP, "SSLOK" },
7885 { SSL_CB_LOOP, "TRST" },
7886 { SSL_CB_EXIT, NULL },
7887 { SSL_CB_LOOP, "SSLOK" },
7888 { SSL_CB_LOOP, "SSLOK" },
7889 { SSL_CB_LOOP, "TRST" },
7890 { SSL_CB_EXIT, NULL },
7891 { SSL_CB_ALERT, NULL },
7892 { SSL_CB_HANDSHAKE_START, NULL },
7893 { SSL_CB_LOOP, "PINIT" },
7894 { SSL_CB_LOOP, "TWCH" },
7895 { SSL_CB_EXIT, NULL },
7896 { SSL_CB_LOOP, "TWCH" },
7897 { SSL_CB_LOOP, "TRSH" },
7898 { SSL_CB_LOOP, "TREE" },
7899 { SSL_CB_LOOP, "TRFIN" },
7900 { SSL_CB_LOOP, "TWCCS" },
7901 { SSL_CB_LOOP, "TWFIN" },
7902 { SSL_CB_HANDSHAKE_DONE, NULL },
7903 { SSL_CB_EXIT, NULL },
7904 { SSL_CB_LOOP, "SSLOK" },
7905 { SSL_CB_LOOP, "SSLOK" },
7906 { SSL_CB_LOOP, "TRST" },
7907 { SSL_CB_EXIT, NULL },
7908 { 0, NULL },
7909 },
7910 {
7911 /* TLSv1.3 server, early_data */
7912 { SSL_CB_HANDSHAKE_START, NULL },
7913 { SSL_CB_LOOP, "PINIT" },
7914 { SSL_CB_LOOP, "PINIT" },
7915 { SSL_CB_LOOP, "TRCH" },
7916 { SSL_CB_LOOP, "TWSH" },
7917 { SSL_CB_LOOP, "TWCCS" },
7918 { SSL_CB_LOOP, "TWEE" },
7919 { SSL_CB_LOOP, "TWFIN" },
7920 { SSL_CB_HANDSHAKE_DONE, NULL },
7921 { SSL_CB_EXIT, NULL },
7922 { SSL_CB_HANDSHAKE_START, NULL },
7923 { SSL_CB_LOOP, "TED" },
7924 { SSL_CB_LOOP, "TED" },
7925 { SSL_CB_LOOP, "TWEOED" },
7926 { SSL_CB_LOOP, "TRFIN" },
7927 { SSL_CB_HANDSHAKE_DONE, NULL },
7928 { SSL_CB_LOOP, "TWST" },
7929 { SSL_CB_EXIT, NULL },
7930 { 0, NULL },
7931 },
7932 {
7933 /* TLSv1.3 client, early_data */
7934 { SSL_CB_HANDSHAKE_START, NULL },
7935 { SSL_CB_LOOP, "PINIT" },
7936 { SSL_CB_LOOP, "TWCH" },
7937 { SSL_CB_LOOP, "TWCCS" },
7938 { SSL_CB_HANDSHAKE_DONE, NULL },
7939 { SSL_CB_EXIT, NULL },
7940 { SSL_CB_HANDSHAKE_START, NULL },
7941 { SSL_CB_LOOP, "TED" },
7942 { SSL_CB_LOOP, "TED" },
7943 { SSL_CB_LOOP, "TRSH" },
7944 { SSL_CB_LOOP, "TREE" },
7945 { SSL_CB_LOOP, "TRFIN" },
7946 { SSL_CB_LOOP, "TPEDE" },
7947 { SSL_CB_LOOP, "TWEOED" },
7948 { SSL_CB_LOOP, "TWFIN" },
7949 { SSL_CB_HANDSHAKE_DONE, NULL },
7950 { SSL_CB_EXIT, NULL },
7951 { SSL_CB_LOOP, "SSLOK" },
7952 { SSL_CB_LOOP, "SSLOK" },
7953 { SSL_CB_LOOP, "TRST" },
7954 { SSL_CB_EXIT, NULL },
7955 { 0, NULL },
7956 },
7957 {
7958 /* TLSv1.3 server, certificate compression, followed by resumption */
7959 { SSL_CB_HANDSHAKE_START, NULL },
7960 { SSL_CB_LOOP, "PINIT" },
7961 { SSL_CB_LOOP, "PINIT" },
7962 { SSL_CB_LOOP, "TRCH" },
7963 { SSL_CB_LOOP, "TWSH" },
7964 { SSL_CB_LOOP, "TWCCS" },
7965 { SSL_CB_LOOP, "TWEE" },
7966 { SSL_CB_LOOP, "TWSCC" },
7967 { SSL_CB_LOOP, "TWSCV" },
7968 { SSL_CB_LOOP, "TWFIN" },
7969 { SSL_CB_LOOP, "TED" },
7970 { SSL_CB_EXIT, NULL },
7971 { SSL_CB_LOOP, "TED" },
7972 { SSL_CB_LOOP, "TRFIN" },
7973 { SSL_CB_HANDSHAKE_DONE, NULL },
7974 { SSL_CB_LOOP, "TWST" },
7975 { SSL_CB_LOOP, "TWST" },
7976 { SSL_CB_EXIT, NULL },
7977 { SSL_CB_ALERT, NULL },
7978 { SSL_CB_HANDSHAKE_START, NULL },
7979 { SSL_CB_LOOP, "PINIT" },
7980 { SSL_CB_LOOP, "PINIT" },
7981 { SSL_CB_LOOP, "TRCH" },
7982 { SSL_CB_LOOP, "TWSH" },
7983 { SSL_CB_LOOP, "TWCCS" },
7984 { SSL_CB_LOOP, "TWEE" },
7985 { SSL_CB_LOOP, "TWFIN" },
7986 { SSL_CB_LOOP, "TED" },
7987 { SSL_CB_EXIT, NULL },
7988 { SSL_CB_LOOP, "TED" },
7989 { SSL_CB_LOOP, "TRFIN" },
7990 { SSL_CB_HANDSHAKE_DONE, NULL },
7991 { SSL_CB_LOOP, "TWST" },
7992 { SSL_CB_EXIT, NULL },
7993 { 0, NULL },
7994 },
7995 {
7996 /* TLSv1.3 client, certificate compression, followed by resumption */
7997 { SSL_CB_HANDSHAKE_START, NULL },
7998 { SSL_CB_LOOP, "PINIT" },
7999 { SSL_CB_LOOP, "TWCH" },
8000 { SSL_CB_EXIT, NULL },
8001 { SSL_CB_LOOP, "TWCH" },
8002 { SSL_CB_LOOP, "TRSH" },
8003 { SSL_CB_LOOP, "TREE" },
8004 { SSL_CB_LOOP, "TRSCC" },
8005 { SSL_CB_LOOP, "TRSCV" },
8006 { SSL_CB_LOOP, "TRFIN" },
8007 { SSL_CB_LOOP, "TWCCS" },
8008 { SSL_CB_LOOP, "TWFIN" },
8009 { SSL_CB_HANDSHAKE_DONE, NULL },
8010 { SSL_CB_EXIT, NULL },
8011 { SSL_CB_LOOP, "SSLOK" },
8012 { SSL_CB_LOOP, "SSLOK" },
8013 { SSL_CB_LOOP, "TRST" },
8014 { SSL_CB_EXIT, NULL },
8015 { SSL_CB_LOOP, "SSLOK" },
8016 { SSL_CB_LOOP, "SSLOK" },
8017 { SSL_CB_LOOP, "TRST" },
8018 { SSL_CB_EXIT, NULL },
8019 { SSL_CB_ALERT, NULL },
8020 { SSL_CB_HANDSHAKE_START, NULL },
8021 { SSL_CB_LOOP, "PINIT" },
8022 { SSL_CB_LOOP, "TWCH" },
8023 { SSL_CB_EXIT, NULL },
8024 { SSL_CB_LOOP, "TWCH" },
8025 { SSL_CB_LOOP, "TRSH" },
8026 { SSL_CB_LOOP, "TREE" },
8027 { SSL_CB_LOOP, "TRFIN" },
8028 { SSL_CB_LOOP, "TWCCS" },
8029 { SSL_CB_LOOP, "TWFIN" },
8030 { SSL_CB_HANDSHAKE_DONE, NULL },
8031 { SSL_CB_EXIT, NULL },
8032 { SSL_CB_LOOP, "SSLOK" },
8033 { SSL_CB_LOOP, "SSLOK" },
8034 { SSL_CB_LOOP, "TRST" },
8035 { SSL_CB_EXIT, NULL },
8036 { 0, NULL },
8037 },
8038 {
8039 { 0, NULL },
8040 }
8041 };
8042
sslapi_info_callback(const SSL * s,int where,int ret)8043 static void sslapi_info_callback(const SSL *s, int where, int ret)
8044 {
8045 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
8046
8047 /* We do not ever expect a connection to fail in this test */
8048 if (!TEST_false(ret == 0)) {
8049 info_cb_failed = 1;
8050 return;
8051 }
8052
8053 /*
8054 * Do some sanity checks. We never expect these things to happen in this
8055 * test
8056 */
8057 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
8058 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
8059 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
8060 info_cb_failed = 1;
8061 return;
8062 }
8063
8064 /* Now check we're in the right state */
8065 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
8066 info_cb_failed = 1;
8067 return;
8068 }
8069 if ((where & SSL_CB_LOOP) != 0
8070 && !TEST_int_eq(strcmp(SSL_state_string(s),
8071 state[info_cb_this_state].statestr),
8072 0)) {
8073 info_cb_failed = 1;
8074 return;
8075 }
8076
8077 /*
8078 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
8079 */
8080 if ((where & SSL_CB_HANDSHAKE_DONE)
8081 && SSL_in_init((SSL *)s) != 0) {
8082 info_cb_failed = 1;
8083 return;
8084 }
8085 }
8086
8087 /*
8088 * Test the info callback gets called when we expect it to.
8089 *
8090 * Test 0: TLSv1.2, server
8091 * Test 1: TLSv1.2, client
8092 * Test 2: TLSv1.3, server
8093 * Test 3: TLSv1.3, client
8094 * Test 4: TLSv1.3, server, early_data
8095 * Test 5: TLSv1.3, client, early_data
8096 * Test 6: TLSv1.3, server, compressed certificate
8097 * Test 7: TLSv1.3, client, compressed certificate
8098 */
test_info_callback(int tst)8099 static int test_info_callback(int tst)
8100 {
8101 SSL_CTX *cctx = NULL, *sctx = NULL;
8102 SSL *clientssl = NULL, *serverssl = NULL;
8103 SSL_SESSION *clntsess = NULL;
8104 int testresult = 0;
8105 int tlsvers;
8106
8107 if (tst < 2) {
8108 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
8109 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH))
8110 tlsvers = TLS1_2_VERSION;
8111 #else
8112 return 1;
8113 #endif
8114 } else {
8115 #ifndef OSSL_NO_USABLE_TLS1_3
8116 tlsvers = TLS1_3_VERSION;
8117 #else
8118 return 1;
8119 #endif
8120 }
8121
8122 /* Reset globals */
8123 info_cb_failed = 0;
8124 info_cb_this_state = -1;
8125 info_cb_offset = tst;
8126
8127 #ifndef OSSL_NO_USABLE_TLS1_3
8128 if (tst >= 4 && tst < 6) {
8129 SSL_SESSION *sess = NULL;
8130 size_t written, readbytes;
8131 unsigned char buf[80];
8132 OSSL_TIME timer;
8133
8134 /* early_data tests */
8135 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
8136 &serverssl, &sess, 0,
8137 SHA384_DIGEST_LENGTH)))
8138 goto end;
8139
8140 /* We don't actually need this reference */
8141 SSL_SESSION_free(sess);
8142
8143 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
8144 sslapi_info_callback);
8145
8146 /* Write and read some early data and then complete the connection */
8147 timer = ossl_time_now();
8148 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
8149 &written))
8150 || !TEST_size_t_eq(written, strlen(MSG1)))
8151 goto end;
8152
8153 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
8154 sizeof(buf), &readbytes),
8155 SSL_READ_EARLY_DATA_SUCCESS)) {
8156 testresult = check_early_data_timeout(timer);
8157 goto end;
8158 }
8159
8160 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
8161 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
8162 SSL_EARLY_DATA_ACCEPTED)
8163 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8164 SSL_ERROR_NONE))
8165 || !TEST_false(info_cb_failed))
8166 goto end;
8167
8168 testresult = 1;
8169 goto end;
8170 }
8171 #endif
8172
8173 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8174 TLS_client_method(),
8175 tlsvers, tlsvers, &sctx, &cctx, cert,
8176 privkey)))
8177 goto end;
8178
8179 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8180 goto end;
8181
8182 /*
8183 * For even numbered tests we check the server callbacks. For odd numbers we
8184 * check the client.
8185 */
8186 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
8187 sslapi_info_callback);
8188 if (tst >= 6) {
8189 if (!SSL_CTX_compress_certs(sctx, 0))
8190 goto end;
8191 }
8192
8193 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8194 &clientssl, NULL, NULL))
8195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8196 SSL_ERROR_NONE))
8197 || !TEST_false(info_cb_failed))
8198 goto end;
8199
8200 clntsess = SSL_get1_session(clientssl);
8201 SSL_shutdown(clientssl);
8202 SSL_shutdown(serverssl);
8203 SSL_free(serverssl);
8204 SSL_free(clientssl);
8205 serverssl = clientssl = NULL;
8206
8207 /* Now do a resumption */
8208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8209 NULL))
8210 || !TEST_true(SSL_set_session(clientssl, clntsess))
8211 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8212 SSL_ERROR_NONE))
8213 || !TEST_true(SSL_session_reused(clientssl))
8214 || !TEST_false(info_cb_failed))
8215 goto end;
8216
8217 testresult = 1;
8218
8219 end:
8220 SSL_free(serverssl);
8221 SSL_free(clientssl);
8222 SSL_SESSION_free(clntsess);
8223 SSL_CTX_free(sctx);
8224 SSL_CTX_free(cctx);
8225 return testresult;
8226 }
8227
test_ssl_pending(int tst)8228 static int test_ssl_pending(int tst)
8229 {
8230 SSL_CTX *cctx = NULL, *sctx = NULL;
8231 SSL *clientssl = NULL, *serverssl = NULL;
8232 int testresult = 0;
8233 char msg[] = "A test message";
8234 char buf[5];
8235 size_t written, readbytes;
8236
8237 if (tst == 0) {
8238 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8239 TLS_client_method(),
8240 TLS1_VERSION, 0,
8241 &sctx, &cctx, cert, privkey)))
8242 goto end;
8243 } else {
8244 #ifndef OPENSSL_NO_DTLS
8245 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
8246 DTLS_client_method(),
8247 DTLS1_VERSION, 0,
8248 &sctx, &cctx, cert, privkey)))
8249 goto end;
8250
8251 #ifdef OPENSSL_NO_DTLS1_2
8252 /* Not supported in the FIPS provider */
8253 if (is_fips) {
8254 testresult = 1;
8255 goto end;
8256 };
8257 /*
8258 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
8259 * level 0
8260 */
8261 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
8262 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
8263 "DEFAULT:@SECLEVEL=0")))
8264 goto end;
8265 #endif
8266 #else
8267 return 1;
8268 #endif
8269 }
8270
8271 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8272 NULL, NULL))
8273 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8274 SSL_ERROR_NONE)))
8275 goto end;
8276
8277 if (!TEST_int_eq(SSL_pending(clientssl), 0)
8278 || !TEST_false(SSL_has_pending(clientssl))
8279 || !TEST_int_eq(SSL_pending(serverssl), 0)
8280 || !TEST_false(SSL_has_pending(serverssl))
8281 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8282 || !TEST_size_t_eq(written, sizeof(msg))
8283 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8284 || !TEST_size_t_eq(readbytes, sizeof(buf))
8285 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8286 || !TEST_true(SSL_has_pending(clientssl)))
8287 goto end;
8288
8289 testresult = 1;
8290
8291 end:
8292 SSL_free(serverssl);
8293 SSL_free(clientssl);
8294 SSL_CTX_free(sctx);
8295 SSL_CTX_free(cctx);
8296
8297 return testresult;
8298 }
8299
8300 static struct {
8301 unsigned int maxprot;
8302 const char *clntciphers;
8303 const char *clnttls13ciphers;
8304 const char *srvrciphers;
8305 const char *srvrtls13ciphers;
8306 const char *shared;
8307 const char *fipsshared;
8308 } shared_ciphers_data[] = {
8309 /*
8310 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8311 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8312 */
8313 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8314 { TLS1_2_VERSION,
8315 "AES128-SHA:AES256-SHA",
8316 NULL,
8317 "AES256-SHA:DHE-RSA-AES128-SHA",
8318 NULL,
8319 "AES256-SHA",
8320 "AES256-SHA" },
8321 #if !defined(OPENSSL_NO_CHACHA) \
8322 && !defined(OPENSSL_NO_POLY1305) \
8323 && !defined(OPENSSL_NO_EC)
8324 { TLS1_2_VERSION,
8325 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8326 NULL,
8327 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8328 NULL,
8329 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8330 "AES128-SHA" },
8331 #endif
8332 { TLS1_2_VERSION,
8333 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8334 NULL,
8335 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8336 NULL,
8337 "AES128-SHA:AES256-SHA",
8338 "AES128-SHA:AES256-SHA" },
8339 { TLS1_2_VERSION,
8340 "AES128-SHA:AES256-SHA",
8341 NULL,
8342 "AES128-SHA:DHE-RSA-AES128-SHA",
8343 NULL,
8344 "AES128-SHA",
8345 "AES128-SHA" },
8346 #endif
8347 /*
8348 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8349 * enabled.
8350 */
8351 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8352 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8353 { TLS1_3_VERSION,
8354 "AES128-SHA:AES256-SHA",
8355 NULL,
8356 "AES256-SHA:AES128-SHA256",
8357 NULL,
8358 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8359 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8360 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" },
8361 #endif
8362 #ifndef OSSL_NO_USABLE_TLS1_3
8363 { TLS1_3_VERSION,
8364 "AES128-SHA",
8365 "TLS_AES_256_GCM_SHA384",
8366 "AES256-SHA",
8367 "TLS_AES_256_GCM_SHA384",
8368 "TLS_AES_256_GCM_SHA384",
8369 "TLS_AES_256_GCM_SHA384" },
8370 #endif
8371 };
8372
int_test_ssl_get_shared_ciphers(int tst,int clnt)8373 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8374 {
8375 SSL_CTX *cctx = NULL, *sctx = NULL;
8376 SSL *clientssl = NULL, *serverssl = NULL;
8377 int testresult = 0;
8378 char buf[1024];
8379 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8380
8381 if (!TEST_ptr(tmplibctx))
8382 goto end;
8383
8384 /*
8385 * Regardless of whether we're testing with the FIPS provider loaded into
8386 * libctx, we want one peer to always use the full set of ciphersuites
8387 * available. Therefore we use a separate libctx with the default provider
8388 * loaded into it. We run the same tests twice - once with the client side
8389 * having the full set of ciphersuites and once with the server side.
8390 */
8391 if (clnt) {
8392 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8393 if (!TEST_ptr(cctx))
8394 goto end;
8395 } else {
8396 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8397 if (!TEST_ptr(sctx))
8398 goto end;
8399 }
8400
8401 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8402 TLS_client_method(),
8403 TLS1_VERSION,
8404 shared_ciphers_data[tst].maxprot,
8405 &sctx, &cctx, cert, privkey)))
8406 goto end;
8407
8408 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8409 shared_ciphers_data[tst].clntciphers))
8410 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8411 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8412 shared_ciphers_data[tst].clnttls13ciphers)))
8413 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8414 shared_ciphers_data[tst].srvrciphers))
8415 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8416 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8417 shared_ciphers_data[tst].srvrtls13ciphers))))
8418 goto end;
8419
8420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8421 NULL, NULL))
8422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8423 SSL_ERROR_NONE)))
8424 goto end;
8425
8426 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8427 || !TEST_int_eq(strcmp(buf,
8428 is_fips
8429 ? shared_ciphers_data[tst].fipsshared
8430 : shared_ciphers_data[tst].shared),
8431 0)) {
8432 TEST_info("Shared ciphers are: %s\n", buf);
8433 goto end;
8434 }
8435
8436 testresult = 1;
8437
8438 end:
8439 SSL_free(serverssl);
8440 SSL_free(clientssl);
8441 SSL_CTX_free(sctx);
8442 SSL_CTX_free(cctx);
8443 OSSL_LIB_CTX_free(tmplibctx);
8444
8445 return testresult;
8446 }
8447
test_ssl_get_shared_ciphers(int tst)8448 static int test_ssl_get_shared_ciphers(int tst)
8449 {
8450 return int_test_ssl_get_shared_ciphers(tst, 0)
8451 && int_test_ssl_get_shared_ciphers(tst, 1);
8452 }
8453
8454 static const char *appdata = "Hello World";
8455 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8456 static int tick_key_renew = 0;
8457 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8458
gen_tick_cb(SSL * s,void * arg)8459 static int gen_tick_cb(SSL *s, void *arg)
8460 {
8461 gen_tick_called = 1;
8462
8463 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8464 strlen(appdata));
8465 }
8466
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)8467 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8468 const unsigned char *keyname,
8469 size_t keyname_length,
8470 SSL_TICKET_STATUS status,
8471 void *arg)
8472 {
8473 void *tickdata;
8474 size_t tickdlen;
8475
8476 dec_tick_called = 1;
8477
8478 if (status == SSL_TICKET_EMPTY)
8479 return SSL_TICKET_RETURN_IGNORE_RENEW;
8480
8481 if (!TEST_true(status == SSL_TICKET_SUCCESS
8482 || status == SSL_TICKET_SUCCESS_RENEW))
8483 return SSL_TICKET_RETURN_ABORT;
8484
8485 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8486 &tickdlen))
8487 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8488 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8489 return SSL_TICKET_RETURN_ABORT;
8490
8491 if (tick_key_cb_called) {
8492 /* Don't change what the ticket key callback wanted to do */
8493 switch (status) {
8494 case SSL_TICKET_NO_DECRYPT:
8495 return SSL_TICKET_RETURN_IGNORE_RENEW;
8496
8497 case SSL_TICKET_SUCCESS:
8498 return SSL_TICKET_RETURN_USE;
8499
8500 case SSL_TICKET_SUCCESS_RENEW:
8501 return SSL_TICKET_RETURN_USE_RENEW;
8502
8503 default:
8504 return SSL_TICKET_RETURN_ABORT;
8505 }
8506 }
8507 return tick_dec_ret;
8508 }
8509
8510 #ifndef OPENSSL_NO_DEPRECATED_3_0
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)8511 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8512 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8513 HMAC_CTX *hctx, int enc)
8514 {
8515 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8516 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8517 EVP_CIPHER *aes128cbc;
8518 EVP_MD *sha256;
8519 int ret;
8520
8521 tick_key_cb_called = 1;
8522
8523 if (tick_key_renew == -1)
8524 return 0;
8525
8526 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8527 if (!TEST_ptr(aes128cbc))
8528 return 0;
8529 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8530 if (!TEST_ptr(sha256)) {
8531 EVP_CIPHER_free(aes128cbc);
8532 return 0;
8533 }
8534
8535 memset(iv, 0, AES_BLOCK_SIZE);
8536 memset(key_name, 0, 16);
8537 if (aes128cbc == NULL
8538 || sha256 == NULL
8539 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8540 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8541 NULL))
8542 ret = -1;
8543 else
8544 ret = tick_key_renew ? 2 : 1;
8545
8546 EVP_CIPHER_free(aes128cbc);
8547 EVP_MD_free(sha256);
8548
8549 return ret;
8550 }
8551 #endif
8552
tick_key_evp_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)8553 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8554 unsigned char iv[EVP_MAX_IV_LENGTH],
8555 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8556 {
8557 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8558 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8559 OSSL_PARAM params[2];
8560 EVP_CIPHER *aes128cbc;
8561 int ret;
8562
8563 tick_key_cb_called = 1;
8564
8565 if (tick_key_renew == -1)
8566 return 0;
8567
8568 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8569 if (!TEST_ptr(aes128cbc))
8570 return 0;
8571
8572 memset(iv, 0, AES_BLOCK_SIZE);
8573 memset(key_name, 0, 16);
8574 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8575 "SHA256", 0);
8576 params[1] = OSSL_PARAM_construct_end();
8577 if (aes128cbc == NULL
8578 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8579 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8580 params))
8581 ret = -1;
8582 else
8583 ret = tick_key_renew ? 2 : 1;
8584
8585 EVP_CIPHER_free(aes128cbc);
8586
8587 return ret;
8588 }
8589
8590 /*
8591 * Test the various ticket callbacks
8592 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8593 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8594 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8595 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8596 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8597 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8598 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8599 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8600 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8601 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8602 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8603 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8604 * Test 12: TLSv1.2, old ticket key callback, no ticket
8605 * Test 13: TLSv1.3, old ticket key callback, no ticket
8606 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8607 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8608 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8609 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8610 * Test 18: TLSv1.2, ticket key callback, no ticket
8611 * Test 19: TLSv1.3, ticket key callback, no ticket
8612 */
test_ticket_callbacks(int tst)8613 static int test_ticket_callbacks(int tst)
8614 {
8615 SSL_CTX *cctx = NULL, *sctx = NULL;
8616 SSL *clientssl = NULL, *serverssl = NULL;
8617 SSL_SESSION *clntsess = NULL;
8618 int testresult = 0;
8619
8620 #ifdef OPENSSL_NO_TLS1_2
8621 if (tst % 2 == 0)
8622 return 1;
8623 #endif
8624 #ifdef OSSL_NO_USABLE_TLS1_3
8625 if (tst % 2 == 1)
8626 return 1;
8627 #endif
8628 #ifdef OPENSSL_NO_DEPRECATED_3_0
8629 if (tst >= 8 && tst <= 13)
8630 return 1;
8631 #endif
8632
8633 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8634
8635 /* Which tests the ticket key callback should request renewal for */
8636
8637 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8638 tick_key_renew = 1;
8639 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8640 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8641 else
8642 tick_key_renew = 0;
8643
8644 /* Which tests the decrypt ticket callback should request renewal for */
8645 switch (tst) {
8646 case 0:
8647 case 1:
8648 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8649 break;
8650
8651 case 2:
8652 case 3:
8653 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8654 break;
8655
8656 case 4:
8657 case 5:
8658 tick_dec_ret = SSL_TICKET_RETURN_USE;
8659 break;
8660
8661 case 6:
8662 case 7:
8663 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8664 break;
8665
8666 default:
8667 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8668 }
8669
8670 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8671 TLS_client_method(),
8672 TLS1_VERSION,
8673 ((tst % 2) == 0) ? TLS1_2_VERSION
8674 : TLS1_3_VERSION,
8675 &sctx, &cctx, cert, privkey)))
8676 goto end;
8677
8678 /*
8679 * We only want sessions to resume from tickets - not the session cache. So
8680 * switch the cache off.
8681 */
8682 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8683 goto end;
8684
8685 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8686 NULL)))
8687 goto end;
8688
8689 if (tst >= 14) {
8690 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8691 goto end;
8692 #ifndef OPENSSL_NO_DEPRECATED_3_0
8693 } else if (tst >= 8) {
8694 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8695 goto end;
8696 #endif
8697 }
8698
8699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8700 NULL, NULL))
8701 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8702 SSL_ERROR_NONE)))
8703 goto end;
8704
8705 /*
8706 * The decrypt ticket key callback in TLSv1.2 should be called even though
8707 * we have no ticket yet, because it gets called with a status of
8708 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8709 * actually send any ticket data). This does not happen in TLSv1.3 because
8710 * it is not valid to send empty ticket data in TLSv1.3.
8711 */
8712 if (!TEST_int_eq(gen_tick_called, 1)
8713 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8714 goto end;
8715
8716 gen_tick_called = dec_tick_called = 0;
8717
8718 clntsess = SSL_get1_session(clientssl);
8719 SSL_shutdown(clientssl);
8720 SSL_shutdown(serverssl);
8721 SSL_free(serverssl);
8722 SSL_free(clientssl);
8723 serverssl = clientssl = NULL;
8724
8725 /* Now do a resumption */
8726 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8727 NULL))
8728 || !TEST_true(SSL_set_session(clientssl, clntsess))
8729 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8730 SSL_ERROR_NONE)))
8731 goto end;
8732
8733 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8734 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8735 || tick_key_renew == -1) {
8736 if (!TEST_false(SSL_session_reused(clientssl)))
8737 goto end;
8738 } else {
8739 if (!TEST_true(SSL_session_reused(clientssl)))
8740 goto end;
8741 }
8742
8743 if (!TEST_int_eq(gen_tick_called,
8744 (tick_key_renew
8745 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8746 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8747 ? 1
8748 : 0)
8749 /* There is no ticket to decrypt in tests 13 and 19 */
8750 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8751 goto end;
8752
8753 testresult = 1;
8754
8755 end:
8756 SSL_SESSION_free(clntsess);
8757 SSL_free(serverssl);
8758 SSL_free(clientssl);
8759 SSL_CTX_free(sctx);
8760 SSL_CTX_free(cctx);
8761
8762 return testresult;
8763 }
8764
8765 /*
8766 * Test incorrect shutdown.
8767 * Test 0: client does not shutdown properly,
8768 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8769 * server should get SSL_ERROR_SSL
8770 * Test 1: client does not shutdown properly,
8771 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8772 * server should get SSL_ERROR_ZERO_RETURN
8773 */
test_incorrect_shutdown(int tst)8774 static int test_incorrect_shutdown(int tst)
8775 {
8776 SSL_CTX *cctx = NULL, *sctx = NULL;
8777 SSL *clientssl = NULL, *serverssl = NULL;
8778 int testresult = 0;
8779 char buf[80];
8780 BIO *c2s;
8781
8782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8783 TLS_client_method(), 0, 0,
8784 &sctx, &cctx, cert, privkey)))
8785 goto end;
8786
8787 if (tst == 1)
8788 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8789
8790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8791 NULL, NULL)))
8792 goto end;
8793
8794 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8795 SSL_ERROR_NONE)))
8796 goto end;
8797
8798 c2s = SSL_get_rbio(serverssl);
8799 BIO_set_mem_eof_return(c2s, 0);
8800
8801 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8802 goto end;
8803
8804 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
8805 goto end;
8806 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN))
8807 goto end;
8808
8809 testresult = 1;
8810
8811 end:
8812 SSL_free(serverssl);
8813 SSL_free(clientssl);
8814 SSL_CTX_free(sctx);
8815 SSL_CTX_free(cctx);
8816
8817 return testresult;
8818 }
8819
8820 /*
8821 * Test bi-directional shutdown.
8822 * Test 0: TLSv1.2
8823 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8824 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8825 * Test 3: TLSv1.3, pending NewSessionTicket messages
8826 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8827 * sends key update, client reads it
8828 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8829 * sends CertificateRequest, client reads and ignores it
8830 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8831 * doesn't read it
8832 */
test_shutdown(int tst)8833 static int test_shutdown(int tst)
8834 {
8835 SSL_CTX *cctx = NULL, *sctx = NULL;
8836 SSL *clientssl = NULL, *serverssl = NULL;
8837 int testresult = 0;
8838 char msg[] = "A test message";
8839 char buf[80];
8840 size_t written, readbytes;
8841 SSL_SESSION *sess;
8842
8843 #ifdef OPENSSL_NO_TLS1_2
8844 if (tst <= 1)
8845 return 1;
8846 #endif
8847 #ifdef OSSL_NO_USABLE_TLS1_3
8848 if (tst >= 2)
8849 return 1;
8850 #endif
8851
8852 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8853 TLS_client_method(),
8854 TLS1_VERSION,
8855 (tst <= 1) ? TLS1_2_VERSION
8856 : TLS1_3_VERSION,
8857 &sctx, &cctx, cert, privkey)))
8858 goto end;
8859
8860 if (tst == 5)
8861 SSL_CTX_set_post_handshake_auth(cctx, 1);
8862
8863 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8864 NULL, NULL)))
8865 goto end;
8866
8867 if (tst == 3) {
8868 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8869 SSL_ERROR_NONE, 1, 0))
8870 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8871 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8872 goto end;
8873 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8874 SSL_ERROR_NONE))
8875 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8876 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8877 goto end;
8878 }
8879
8880 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8881 goto end;
8882
8883 if (tst >= 4) {
8884 /*
8885 * Reading on the server after the client has sent close_notify should
8886 * fail and provide SSL_ERROR_ZERO_RETURN
8887 */
8888 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8889 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8890 SSL_ERROR_ZERO_RETURN)
8891 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8892 SSL_RECEIVED_SHUTDOWN)
8893 /*
8894 * Even though we're shutdown on receive we should still be
8895 * able to write.
8896 */
8897 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8898 goto end;
8899 if (tst == 4
8900 && !TEST_true(SSL_key_update(serverssl,
8901 SSL_KEY_UPDATE_REQUESTED)))
8902 goto end;
8903 if (tst == 5) {
8904 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8905 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8906 goto end;
8907 }
8908 if ((tst == 4 || tst == 5)
8909 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8910 goto end;
8911 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8912 goto end;
8913 if (tst == 4 || tst == 5) {
8914 /* Should still be able to read data from server */
8915 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8916 &readbytes))
8917 || !TEST_size_t_eq(readbytes, sizeof(msg))
8918 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8919 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8920 &readbytes))
8921 || !TEST_size_t_eq(readbytes, sizeof(msg))
8922 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8923 goto end;
8924 }
8925 }
8926
8927 /* Writing on the client after sending close_notify shouldn't be possible */
8928 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8929 goto end;
8930
8931 if (tst < 4) {
8932 /*
8933 * For these tests the client has sent close_notify but it has not yet
8934 * been received by the server. The server has not sent close_notify
8935 * yet.
8936 */
8937 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8938 /*
8939 * Writing on the server after sending close_notify shouldn't
8940 * be possible.
8941 */
8942 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8943 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8944 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8945 || !TEST_true(SSL_SESSION_is_resumable(sess))
8946 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8947 goto end;
8948 } else if (tst == 4 || tst == 5) {
8949 /*
8950 * In this test the client has sent close_notify and it has been
8951 * received by the server which has responded with a close_notify. The
8952 * client needs to read the close_notify sent by the server.
8953 */
8954 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8955 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8956 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8957 goto end;
8958 } else {
8959 /*
8960 * tst == 6
8961 *
8962 * The client has sent close_notify and is expecting a close_notify
8963 * back, but instead there is application data first. The shutdown
8964 * should fail with a fatal error.
8965 */
8966 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8967 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8968 goto end;
8969 }
8970
8971 testresult = 1;
8972
8973 end:
8974 SSL_free(serverssl);
8975 SSL_free(clientssl);
8976 SSL_CTX_free(sctx);
8977 SSL_CTX_free(cctx);
8978
8979 return testresult;
8980 }
8981
8982 /*
8983 * Test that sending close_notify alerts works correctly in the case of a
8984 * retryable write failure.
8985 */
test_async_shutdown(void)8986 static int test_async_shutdown(void)
8987 {
8988 SSL_CTX *cctx = NULL, *sctx = NULL;
8989 SSL *clientssl = NULL, *serverssl = NULL;
8990 int testresult = 0;
8991 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8992
8993 if (!TEST_ptr(bretry))
8994 goto end;
8995
8996 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8997 TLS_client_method(),
8998 0, 0,
8999 &sctx, &cctx, cert, privkey)))
9000 goto end;
9001
9002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9003 NULL)))
9004 goto end;
9005
9006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9007 goto end;
9008
9009 /* Close write side of clientssl */
9010 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
9011 goto end;
9012
9013 tmp = SSL_get_wbio(serverssl);
9014 if (!TEST_true(BIO_up_ref(tmp))) {
9015 tmp = NULL;
9016 goto end;
9017 }
9018 SSL_set0_wbio(serverssl, bretry);
9019 bretry = NULL;
9020
9021 /* First server shutdown should fail because of a retrable write failure */
9022 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
9023 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
9024 goto end;
9025
9026 /* Second server shutdown should fail for the same reason */
9027 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
9028 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
9029 goto end;
9030
9031 SSL_set0_wbio(serverssl, tmp);
9032 tmp = NULL;
9033
9034 /* Third server shutdown should send close_notify */
9035 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
9036 goto end;
9037
9038 /* Fourth server shutdown should read close_notify from client and finish */
9039 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
9040 goto end;
9041
9042 /* Client should also successfully fully shutdown */
9043 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
9044 goto end;
9045
9046 testresult = 1;
9047 end:
9048 SSL_free(serverssl);
9049 SSL_free(clientssl);
9050 SSL_CTX_free(sctx);
9051 SSL_CTX_free(cctx);
9052 BIO_free(bretry);
9053 BIO_free(tmp);
9054
9055 return testresult;
9056 }
9057
9058 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9059 static int cert_cb_cnt;
9060
load_chain(const char * file,EVP_PKEY ** pkey,X509 ** x509,STACK_OF (X509)* chain)9061 static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509,
9062 STACK_OF(X509) *chain)
9063 {
9064 char *path = test_mk_file_path(certsdir, file);
9065 BIO *in = NULL;
9066 X509 *x = NULL;
9067 int ok = 0;
9068
9069 if (path == NULL)
9070 return 0;
9071 if ((in = BIO_new(BIO_s_file())) == NULL
9072 || BIO_read_filename(in, path) <= 0)
9073 goto out;
9074 if (pkey == NULL) {
9075 if ((x = X509_new_ex(libctx, NULL)) == NULL
9076 || PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
9077 goto out;
9078 if (chain == NULL)
9079 *x509 = x;
9080 else if (!sk_X509_push(chain, x))
9081 goto out;
9082 } else if (PEM_read_bio_PrivateKey_ex(in, pkey, NULL, NULL,
9083 libctx, NULL)
9084 == NULL) {
9085 goto out;
9086 }
9087
9088 x = NULL;
9089 ok = 1;
9090 out:
9091 X509_free(x);
9092 BIO_free(in);
9093 OPENSSL_free(path);
9094 return ok;
9095 }
9096
cert_cb(SSL * s,void * arg)9097 static int cert_cb(SSL *s, void *arg)
9098 {
9099 SSL_CTX *ctx = (SSL_CTX *)arg;
9100 EVP_PKEY *pkey = NULL;
9101 X509 *x509 = NULL, *x = NULL;
9102 STACK_OF(X509) *chain = NULL;
9103 int ret = 0;
9104
9105 if (cert_cb_cnt == 0) {
9106 /* Suspend the handshake */
9107 cert_cb_cnt++;
9108 return -1;
9109 } else if (cert_cb_cnt == 1) {
9110 /*
9111 * Update the SSL_CTX, set the certificate and private key and then
9112 * continue the handshake normally.
9113 */
9114 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
9115 return 0;
9116
9117 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
9118 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
9119 SSL_FILETYPE_PEM))
9120 || !TEST_true(SSL_check_private_key(s)))
9121 return 0;
9122 cert_cb_cnt++;
9123 return 1;
9124 } else if (cert_cb_cnt == 3) {
9125 int rv;
9126
9127 chain = sk_X509_new_null();
9128 if (!TEST_ptr(chain)
9129 || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain))
9130 || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain))
9131 || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL,
9132 &x509, NULL))
9133 || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey,
9134 NULL, NULL)))
9135 goto out;
9136 rv = SSL_check_chain(s, x509, pkey, chain);
9137 /*
9138 * If the cert doesn't show as valid here (e.g., because we don't
9139 * have any shared sigalgs), then we will not set it, and there will
9140 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
9141 * will cause tls_choose_sigalgs() to fail the connection.
9142 */
9143 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
9144 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
9145 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
9146 goto out;
9147 }
9148
9149 ret = 1;
9150 }
9151
9152 /* Abort the handshake */
9153 out:
9154 EVP_PKEY_free(pkey);
9155 X509_free(x509);
9156 X509_free(x);
9157 OSSL_STACK_OF_X509_free(chain);
9158 return ret;
9159 }
9160
9161 /*
9162 * Test the certificate callback.
9163 * Test 0: Callback fails
9164 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
9165 * Test 2: Success - SSL_set_SSL_CTX() in the callback
9166 * Test 3: Success - Call SSL_check_chain from the callback
9167 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
9168 * chain
9169 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
9170 */
test_cert_cb_int(int prot,int tst)9171 static int test_cert_cb_int(int prot, int tst)
9172 {
9173 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
9174 SSL *clientssl = NULL, *serverssl = NULL;
9175 int testresult = 0, ret;
9176
9177 #ifdef OPENSSL_NO_EC
9178 /* We use an EC cert in these tests, so we skip in a no-ec build */
9179 if (tst >= 3)
9180 return 1;
9181 #endif
9182
9183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9184 TLS_client_method(),
9185 prot,
9186 prot,
9187 &sctx, &cctx, NULL, NULL)))
9188 goto end;
9189
9190 if (tst == 0)
9191 cert_cb_cnt = -1;
9192 else if (tst >= 3)
9193 cert_cb_cnt = 3;
9194 else
9195 cert_cb_cnt = 0;
9196
9197 if (tst == 2) {
9198 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9199 if (!TEST_ptr(snictx))
9200 goto end;
9201 }
9202
9203 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
9204
9205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9206 NULL, NULL)))
9207 goto end;
9208
9209 if (tst == 4) {
9210 /*
9211 * We cause SSL_check_chain() to fail by specifying sig_algs that
9212 * the chain doesn't meet (the root uses an RSA cert)
9213 */
9214 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9215 "ecdsa_secp256r1_sha256")))
9216 goto end;
9217 } else if (tst == 5) {
9218 /*
9219 * We cause SSL_check_chain() to fail by specifying sig_algs that
9220 * the ee cert doesn't meet (the ee uses an ECDSA cert)
9221 */
9222 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9223 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
9224 goto end;
9225 }
9226
9227 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
9228 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
9229 || (tst > 0
9230 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
9231 goto end;
9232 }
9233
9234 testresult = 1;
9235
9236 end:
9237 SSL_free(serverssl);
9238 SSL_free(clientssl);
9239 SSL_CTX_free(sctx);
9240 SSL_CTX_free(cctx);
9241 SSL_CTX_free(snictx);
9242
9243 return testresult;
9244 }
9245 #endif
9246
test_cert_cb(int tst)9247 static int test_cert_cb(int tst)
9248 {
9249 int testresult = 1;
9250
9251 #ifndef OPENSSL_NO_TLS1_2
9252 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
9253 #endif
9254 #ifndef OSSL_NO_USABLE_TLS1_3
9255 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
9256 #endif
9257
9258 return testresult;
9259 }
9260
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)9261 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
9262 {
9263 X509 *xcert;
9264 EVP_PKEY *privpkey;
9265 BIO *in = NULL;
9266 BIO *priv_in = NULL;
9267
9268 /* Check that SSL_get0_peer_certificate() returns something sensible */
9269 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
9270 return 0;
9271
9272 in = BIO_new_file(cert, "r");
9273 if (!TEST_ptr(in))
9274 return 0;
9275
9276 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
9277 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9278 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
9279 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9280 NULL, NULL,
9281 libctx, NULL)))
9282 goto err;
9283
9284 *x509 = xcert;
9285 *pkey = privpkey;
9286
9287 BIO_free(in);
9288 BIO_free(priv_in);
9289 return 1;
9290 err:
9291 X509_free(xcert);
9292 BIO_free(in);
9293 BIO_free(priv_in);
9294 return 0;
9295 }
9296
test_client_cert_cb(int tst)9297 static int test_client_cert_cb(int tst)
9298 {
9299 SSL_CTX *cctx = NULL, *sctx = NULL;
9300 SSL *clientssl = NULL, *serverssl = NULL;
9301 int testresult = 0;
9302
9303 #ifdef OPENSSL_NO_TLS1_2
9304 if (tst == 0)
9305 return 1;
9306 #endif
9307 #ifdef OSSL_NO_USABLE_TLS1_3
9308 if (tst == 1)
9309 return 1;
9310 #endif
9311
9312 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9313 TLS_client_method(),
9314 TLS1_VERSION,
9315 tst == 0 ? TLS1_2_VERSION
9316 : TLS1_3_VERSION,
9317 &sctx, &cctx, cert, privkey)))
9318 goto end;
9319
9320 /*
9321 * Test that setting a client_cert_cb results in a client certificate being
9322 * sent.
9323 */
9324 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9325 SSL_CTX_set_verify(sctx,
9326 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9327 verify_cb);
9328
9329 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9330 NULL, NULL))
9331 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9332 SSL_ERROR_NONE)))
9333 goto end;
9334
9335 testresult = 1;
9336
9337 end:
9338 SSL_free(serverssl);
9339 SSL_free(clientssl);
9340 SSL_CTX_free(sctx);
9341 SSL_CTX_free(cctx);
9342
9343 return testresult;
9344 }
9345
9346 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9347 /*
9348 * Test setting certificate authorities on both client and server.
9349 *
9350 * Test 0: SSL_CTX_set0_CA_list() only
9351 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9352 * Test 2: Only SSL_CTX_set_client_CA_list()
9353 */
test_ca_names_int(int prot,int tst)9354 static int test_ca_names_int(int prot, int tst)
9355 {
9356 SSL_CTX *cctx = NULL, *sctx = NULL;
9357 SSL *clientssl = NULL, *serverssl = NULL;
9358 int testresult = 0;
9359 size_t i;
9360 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9361 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9362 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9363 const STACK_OF(X509_NAME) *sktmp = NULL;
9364
9365 for (i = 0; i < OSSL_NELEM(name); i++) {
9366 name[i] = X509_NAME_new();
9367 if (!TEST_ptr(name[i])
9368 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9369 MBSTRING_ASC,
9370 (unsigned char *)
9371 strnames[i],
9372 -1, -1, 0)))
9373 goto end;
9374 }
9375
9376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9377 TLS_client_method(),
9378 TLS1_VERSION,
9379 prot,
9380 &sctx, &cctx, cert, privkey)))
9381 goto end;
9382
9383 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9384
9385 if (tst == 0 || tst == 1) {
9386 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9387 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9388 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9389 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9390 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9391 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9392 goto end;
9393
9394 SSL_CTX_set0_CA_list(sctx, sk1);
9395 SSL_CTX_set0_CA_list(cctx, sk2);
9396 sk1 = sk2 = NULL;
9397 }
9398 if (tst == 1 || tst == 2) {
9399 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9400 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9401 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9402 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9403 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9404 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9405 goto end;
9406
9407 SSL_CTX_set_client_CA_list(sctx, sk1);
9408 SSL_CTX_set_client_CA_list(cctx, sk2);
9409 sk1 = sk2 = NULL;
9410 }
9411
9412 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9413 NULL, NULL))
9414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9415 SSL_ERROR_NONE)))
9416 goto end;
9417
9418 /*
9419 * We only expect certificate authorities to have been sent to the server
9420 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9421 */
9422 sktmp = SSL_get0_peer_CA_list(serverssl);
9423 if (prot == TLS1_3_VERSION
9424 && (tst == 0 || tst == 1)) {
9425 if (!TEST_ptr(sktmp)
9426 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9427 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9428 name[0]),
9429 0)
9430 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9431 name[1]),
9432 0))
9433 goto end;
9434 } else if (!TEST_ptr_null(sktmp)) {
9435 goto end;
9436 }
9437
9438 /*
9439 * In all tests we expect certificate authorities to have been sent to the
9440 * client. However, SSL_set_client_CA_list() should override
9441 * SSL_set0_CA_list()
9442 */
9443 sktmp = SSL_get0_peer_CA_list(clientssl);
9444 if (!TEST_ptr(sktmp)
9445 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9446 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9447 name[tst == 0 ? 0 : 2]),
9448 0)
9449 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9450 name[tst == 0 ? 1 : 3]),
9451 0))
9452 goto end;
9453
9454 testresult = 1;
9455
9456 end:
9457 SSL_free(serverssl);
9458 SSL_free(clientssl);
9459 SSL_CTX_free(sctx);
9460 SSL_CTX_free(cctx);
9461 for (i = 0; i < OSSL_NELEM(name); i++)
9462 X509_NAME_free(name[i]);
9463 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9464 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9465
9466 return testresult;
9467 }
9468 #endif
9469
test_ca_names(int tst)9470 static int test_ca_names(int tst)
9471 {
9472 int testresult = 1;
9473
9474 #ifndef OPENSSL_NO_TLS1_2
9475 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9476 #endif
9477 #ifndef OSSL_NO_USABLE_TLS1_3
9478 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9479 #endif
9480
9481 return testresult;
9482 }
9483
9484 #ifndef OPENSSL_NO_TLS1_2
9485 static const char *multiblock_cipherlist_data[] = {
9486 "AES128-SHA",
9487 "AES128-SHA256",
9488 "AES256-SHA",
9489 "AES256-SHA256",
9490 };
9491
9492 /* Reduce the fragment size - so the multiblock test buffer can be small */
9493 #define MULTIBLOCK_FRAGSIZE 512
9494
test_multiblock_write(int test_index)9495 static int test_multiblock_write(int test_index)
9496 {
9497 static const char *fetchable_ciphers[] = {
9498 "AES-128-CBC-HMAC-SHA1",
9499 "AES-128-CBC-HMAC-SHA256",
9500 "AES-256-CBC-HMAC-SHA1",
9501 "AES-256-CBC-HMAC-SHA256"
9502 };
9503 const char *cipherlist = multiblock_cipherlist_data[test_index];
9504 const SSL_METHOD *smeth = TLS_server_method();
9505 const SSL_METHOD *cmeth = TLS_client_method();
9506 int min_version = TLS1_VERSION;
9507 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9508 SSL_CTX *cctx = NULL, *sctx = NULL;
9509 SSL *clientssl = NULL, *serverssl = NULL;
9510 int testresult = 0;
9511
9512 /*
9513 * Choose a buffer large enough to perform a multi-block operation
9514 * i.e: write_len >= 4 * frag_size
9515 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9516 */
9517 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9518 unsigned char buf[sizeof(msg)], *p = buf;
9519 size_t readbytes, written, len;
9520 EVP_CIPHER *ciph = NULL;
9521
9522 /*
9523 * Check if the cipher exists before attempting to use it since it only has
9524 * a hardware specific implementation.
9525 */
9526 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9527 if (ciph == NULL) {
9528 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9529 return 1;
9530 }
9531 EVP_CIPHER_free(ciph);
9532
9533 /* Set up a buffer with some data that will be sent to the client */
9534 RAND_bytes(msg, sizeof(msg));
9535
9536 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9537 max_version, &sctx, &cctx, cert,
9538 privkey)))
9539 goto end;
9540
9541 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9542 goto end;
9543
9544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9545 NULL, NULL)))
9546 goto end;
9547
9548 /* settings to force it to use AES-CBC-HMAC_SHA */
9549 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9550 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9551 goto end;
9552
9553 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9554 goto end;
9555
9556 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9557 || !TEST_size_t_eq(written, sizeof(msg)))
9558 goto end;
9559
9560 len = written;
9561 while (len > 0) {
9562 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9563 goto end;
9564 p += readbytes;
9565 len -= readbytes;
9566 }
9567 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9568 goto end;
9569
9570 testresult = 1;
9571 end:
9572 SSL_free(serverssl);
9573 SSL_free(clientssl);
9574 SSL_CTX_free(sctx);
9575 SSL_CTX_free(cctx);
9576
9577 return testresult;
9578 }
9579 #endif /* OPENSSL_NO_TLS1_2 */
9580
test_session_timeout(int test)9581 static int test_session_timeout(int test)
9582 {
9583 /*
9584 * Test session ordering and timeout
9585 * Can't explicitly test performance of the new code,
9586 * but can test to see if the ordering of the sessions
9587 * are correct, and they are removed as expected
9588 */
9589 SSL_SESSION *early = NULL;
9590 SSL_SESSION *middle = NULL;
9591 SSL_SESSION *late = NULL;
9592 SSL_CTX *ctx;
9593 int testresult = 0;
9594 time_t now = time(NULL);
9595 #define TIMEOUT 10
9596
9597 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9598 || !TEST_ptr(early = SSL_SESSION_new())
9599 || !TEST_ptr(middle = SSL_SESSION_new())
9600 || !TEST_ptr(late = SSL_SESSION_new()))
9601 goto end;
9602
9603 /* assign unique session ids */
9604 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9605 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9606 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9607 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9608 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9609 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9610
9611 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9612 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9613 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9614 goto end;
9615
9616 /* Make sure they are all added */
9617 if (!TEST_ptr(early->prev)
9618 || !TEST_ptr(middle->prev)
9619 || !TEST_ptr(late->prev))
9620 goto end;
9621
9622 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
9623 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
9624 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
9625 goto end;
9626
9627 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9628 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9629 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9630 goto end;
9631
9632 /* Make sure they are all still there */
9633 if (!TEST_ptr(early->prev)
9634 || !TEST_ptr(middle->prev)
9635 || !TEST_ptr(late->prev))
9636 goto end;
9637
9638 /* Make sure they are in the expected order */
9639 if (!TEST_ptr_eq(late->next, middle)
9640 || !TEST_ptr_eq(middle->next, early)
9641 || !TEST_ptr_eq(early->prev, middle)
9642 || !TEST_ptr_eq(middle->prev, late))
9643 goto end;
9644
9645 /* This should remove "early" */
9646 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
9647 if (!TEST_ptr_null(early->prev)
9648 || !TEST_ptr(middle->prev)
9649 || !TEST_ptr(late->prev))
9650 goto end;
9651
9652 /* This should remove "middle" */
9653 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
9654 if (!TEST_ptr_null(early->prev)
9655 || !TEST_ptr_null(middle->prev)
9656 || !TEST_ptr(late->prev))
9657 goto end;
9658
9659 /* This should remove "late" */
9660 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
9661 if (!TEST_ptr_null(early->prev)
9662 || !TEST_ptr_null(middle->prev)
9663 || !TEST_ptr_null(late->prev))
9664 goto end;
9665
9666 /* Add them back in again */
9667 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9668 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9669 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9670 goto end;
9671
9672 /* Make sure they are all added */
9673 if (!TEST_ptr(early->prev)
9674 || !TEST_ptr(middle->prev)
9675 || !TEST_ptr(late->prev))
9676 goto end;
9677
9678 /* This should remove all of them */
9679 SSL_CTX_flush_sessions_ex(ctx, 0);
9680 if (!TEST_ptr_null(early->prev)
9681 || !TEST_ptr_null(middle->prev)
9682 || !TEST_ptr_null(late->prev))
9683 goto end;
9684
9685 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME | SSL_CTX_get_session_cache_mode(ctx));
9686
9687 /* make sure |now| is NOT equal to the current time */
9688 now -= 10;
9689 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
9690 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9691 || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
9692 goto end;
9693
9694 testresult = 1;
9695 end:
9696 SSL_CTX_free(ctx);
9697 SSL_SESSION_free(early);
9698 SSL_SESSION_free(middle);
9699 SSL_SESSION_free(late);
9700 return testresult;
9701 }
9702
9703 /*
9704 * Test that a session cache overflow works as expected
9705 * Test 0: TLSv1.3, timeout on new session later than old session
9706 * Test 1: TLSv1.2, timeout on new session later than old session
9707 * Test 2: TLSv1.3, timeout on new session earlier than old session
9708 * Test 3: TLSv1.2, timeout on new session earlier than old session
9709 */
9710 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
test_session_cache_overflow(int idx)9711 static int test_session_cache_overflow(int idx)
9712 {
9713 SSL_CTX *sctx = NULL, *cctx = NULL;
9714 SSL *serverssl = NULL, *clientssl = NULL;
9715 int testresult = 0;
9716 SSL_SESSION *sess = NULL;
9717
9718 #ifdef OSSL_NO_USABLE_TLS1_3
9719 /* If no TLSv1.3 available then do nothing in this case */
9720 if (idx % 2 == 0)
9721 return TEST_skip("No TLSv1.3 available");
9722 #endif
9723 #ifdef OPENSSL_NO_TLS1_2
9724 /* If no TLSv1.2 available then do nothing in this case */
9725 if (idx % 2 == 1)
9726 return TEST_skip("No TLSv1.2 available");
9727 #endif
9728
9729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9730 TLS_client_method(), TLS1_VERSION,
9731 (idx % 2 == 0) ? TLS1_3_VERSION
9732 : TLS1_2_VERSION,
9733 &sctx, &cctx, cert, privkey))
9734 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9735 goto end;
9736
9737 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9738 get_sess_val = NULL;
9739
9740 SSL_CTX_sess_set_cache_size(sctx, 1);
9741
9742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9743 NULL, NULL)))
9744 goto end;
9745
9746 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9747 goto end;
9748
9749 if (idx > 1) {
9750 sess = SSL_get_session(serverssl);
9751 if (!TEST_ptr(sess))
9752 goto end;
9753
9754 /*
9755 * Cause this session to have a longer timeout than the next session to
9756 * be added.
9757 */
9758 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9759 sess = NULL;
9760 goto end;
9761 }
9762 sess = NULL;
9763 }
9764
9765 SSL_shutdown(serverssl);
9766 SSL_shutdown(clientssl);
9767 SSL_free(serverssl);
9768 SSL_free(clientssl);
9769 serverssl = clientssl = NULL;
9770
9771 /*
9772 * Session cache size is 1 and we already populated the cache with a session
9773 * so the next connection should cause an overflow.
9774 */
9775
9776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9777 NULL, NULL)))
9778 goto end;
9779
9780 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9781 goto end;
9782
9783 /*
9784 * The session we just negotiated may have been already removed from the
9785 * internal cache - but we will return it anyway from our external cache.
9786 */
9787 get_sess_val = SSL_get_session(serverssl);
9788 if (!TEST_ptr(get_sess_val))
9789 goto end;
9790 sess = SSL_get1_session(clientssl);
9791 if (!TEST_ptr(sess))
9792 goto end;
9793
9794 SSL_shutdown(serverssl);
9795 SSL_shutdown(clientssl);
9796 SSL_free(serverssl);
9797 SSL_free(clientssl);
9798 serverssl = clientssl = NULL;
9799
9800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9801 NULL, NULL)))
9802 goto end;
9803
9804 if (!TEST_true(SSL_set_session(clientssl, sess)))
9805 goto end;
9806
9807 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9808 goto end;
9809
9810 testresult = 1;
9811
9812 end:
9813 SSL_free(serverssl);
9814 SSL_free(clientssl);
9815 SSL_CTX_free(sctx);
9816 SSL_CTX_free(cctx);
9817 SSL_SESSION_free(sess);
9818
9819 return testresult;
9820 }
9821 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9822
9823 /*
9824 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9825 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9826 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9827 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9828 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9829 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9830 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9831 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9832 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9833 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9834 */
test_servername(int tst)9835 static int test_servername(int tst)
9836 {
9837 SSL_CTX *cctx = NULL, *sctx = NULL;
9838 SSL *clientssl = NULL, *serverssl = NULL;
9839 int testresult = 0;
9840 SSL_SESSION *sess = NULL;
9841 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9842
9843 #ifdef OPENSSL_NO_TLS1_2
9844 if (tst <= 4)
9845 return 1;
9846 #endif
9847 #ifdef OSSL_NO_USABLE_TLS1_3
9848 if (tst >= 5)
9849 return 1;
9850 #endif
9851
9852 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9853 TLS_client_method(),
9854 TLS1_VERSION,
9855 (tst <= 4) ? TLS1_2_VERSION
9856 : TLS1_3_VERSION,
9857 &sctx, &cctx, cert, privkey))
9858 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9859 NULL, NULL)))
9860 goto end;
9861
9862 if (tst != 1 && tst != 6) {
9863 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9864 hostname_cb)))
9865 goto end;
9866 }
9867
9868 if (tst != 3 && tst != 8) {
9869 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9870 goto end;
9871 sexpectedhost = cexpectedhost = "goodhost";
9872 }
9873
9874 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9875 goto end;
9876
9877 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9878 cexpectedhost)
9879 || !TEST_str_eq(SSL_get_servername(serverssl,
9880 TLSEXT_NAMETYPE_host_name),
9881 sexpectedhost))
9882 goto end;
9883
9884 /* Now repeat with a resumption handshake */
9885
9886 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9887 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9888 || !TEST_true(SSL_SESSION_is_resumable(sess))
9889 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9890 goto end;
9891
9892 SSL_free(clientssl);
9893 SSL_free(serverssl);
9894 clientssl = serverssl = NULL;
9895
9896 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9897 NULL)))
9898 goto end;
9899
9900 if (!TEST_true(SSL_set_session(clientssl, sess)))
9901 goto end;
9902
9903 sexpectedhost = cexpectedhost = "goodhost";
9904 if (tst == 2 || tst == 7) {
9905 /* Set an inconsistent hostname */
9906 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9907 goto end;
9908 /*
9909 * In TLSv1.2 we expect the hostname from the original handshake, in
9910 * TLSv1.3 we expect the hostname from this handshake
9911 */
9912 if (tst == 7)
9913 sexpectedhost = cexpectedhost = "altgoodhost";
9914
9915 if (!TEST_str_eq(SSL_get_servername(clientssl,
9916 TLSEXT_NAMETYPE_host_name),
9917 "altgoodhost"))
9918 goto end;
9919 } else if (tst == 4 || tst == 9) {
9920 /*
9921 * A TLSv1.3 session does not associate a session with a servername,
9922 * but a TLSv1.2 session does.
9923 */
9924 if (tst == 9)
9925 sexpectedhost = cexpectedhost = NULL;
9926
9927 if (!TEST_str_eq(SSL_get_servername(clientssl,
9928 TLSEXT_NAMETYPE_host_name),
9929 cexpectedhost))
9930 goto end;
9931 } else {
9932 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9933 goto end;
9934 /*
9935 * In a TLSv1.2 resumption where the hostname was not acknowledged
9936 * we expect the hostname on the server to be empty. On the client we
9937 * return what was requested in this case.
9938 *
9939 * Similarly if the client didn't set a hostname on an original TLSv1.2
9940 * session but is now, the server hostname will be empty, but the client
9941 * is as we set it.
9942 */
9943 if (tst == 1 || tst == 3)
9944 sexpectedhost = NULL;
9945
9946 if (!TEST_str_eq(SSL_get_servername(clientssl,
9947 TLSEXT_NAMETYPE_host_name),
9948 "goodhost"))
9949 goto end;
9950 }
9951
9952 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9953 goto end;
9954
9955 if (!TEST_true(SSL_session_reused(clientssl))
9956 || !TEST_true(SSL_session_reused(serverssl))
9957 || !TEST_str_eq(SSL_get_servername(clientssl,
9958 TLSEXT_NAMETYPE_host_name),
9959 cexpectedhost)
9960 || !TEST_str_eq(SSL_get_servername(serverssl,
9961 TLSEXT_NAMETYPE_host_name),
9962 sexpectedhost))
9963 goto end;
9964
9965 testresult = 1;
9966
9967 end:
9968 SSL_SESSION_free(sess);
9969 SSL_free(serverssl);
9970 SSL_free(clientssl);
9971 SSL_CTX_free(sctx);
9972 SSL_CTX_free(cctx);
9973
9974 return testresult;
9975 }
9976
test_unknown_sigalgs_groups(void)9977 static int test_unknown_sigalgs_groups(void)
9978 {
9979 int ret = 0;
9980 SSL_CTX *ctx = NULL;
9981
9982 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9983 goto end;
9984
9985 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9986 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9987 0))
9988 goto end;
9989 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9990 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9991 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9992 goto end;
9993
9994 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9995 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9996 0))
9997 goto end;
9998 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9999 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
10000 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
10001 goto end;
10002
10003 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
10004 "nonexistent"),
10005 0))
10006 goto end;
10007
10008 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
10009 "?nonexistent1:?nonexistent2:?nonexistent3"),
10010 0))
10011 goto end;
10012
10013 #ifndef OPENSSL_NO_EC
10014 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
10015 "P-256:nonexistent"),
10016 0))
10017 goto end;
10018
10019 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
10020 "P-384:?nonexistent:?P-521"),
10021 0))
10022 goto end;
10023 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
10024 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
10025 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
10026 goto end;
10027 #endif
10028
10029 ret = 1;
10030 end:
10031 SSL_CTX_free(ctx);
10032 return ret;
10033 }
10034
10035 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
test_configuration_of_groups(void)10036 static int test_configuration_of_groups(void)
10037 {
10038 int ret = 0;
10039 SSL_CTX *ctx = NULL;
10040 size_t groups_len;
10041
10042 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
10043 goto end;
10044 groups_len = ctx->ext.supportedgroups_len;
10045
10046 if (!TEST_size_t_gt(groups_len, 0)
10047 || !TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0)
10048 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len))
10049 goto end;
10050
10051 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0)
10052 #if !defined(OPENSSL_NO_EC)
10053 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len - 1)
10054 #else
10055 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len)
10056 #endif
10057 )
10058 goto end;
10059
10060 #if !defined(OPENSSL_NO_EC)
10061 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0)
10062 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, 1)
10063 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1))
10064 goto end;
10065 #endif
10066
10067 ret = 1;
10068
10069 end:
10070 SSL_CTX_free(ctx);
10071 return ret;
10072 }
10073 #endif
10074
10075 #if !defined(OPENSSL_NO_EC) \
10076 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10077 /*
10078 * Test that if signature algorithms are not available, then we do not offer or
10079 * accept them.
10080 * Test 0: Two RSA sig algs available: both RSA sig algs shared
10081 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
10082 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
10083 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
10084 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
10085 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
10086 */
test_sigalgs_available(int idx)10087 static int test_sigalgs_available(int idx)
10088 {
10089 SSL_CTX *cctx = NULL, *sctx = NULL;
10090 SSL *clientssl = NULL, *serverssl = NULL;
10091 int testresult = 0;
10092 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
10093 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
10094 OSSL_PROVIDER *filterprov = NULL;
10095 int sig, hash, numshared, numshared_expected, hash_expected, sig_expected;
10096 const char *sigalg_name, *signame_expected;
10097
10098 if (!TEST_ptr(tmpctx))
10099 goto end;
10100
10101 if (idx != 0 && idx != 3) {
10102 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
10103 filter_provider_init)))
10104 goto end;
10105
10106 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
10107 if (!TEST_ptr(filterprov))
10108 goto end;
10109
10110 if (idx < 3) {
10111 /*
10112 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
10113 * or accepted for the peer that uses this libctx. Note that libssl
10114 * *requires* SHA2-256 to be available so we cannot disable that. We
10115 * also need SHA1 for our certificate.
10116 */
10117 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
10118 "SHA2-256:SHA1")))
10119 goto end;
10120 } else {
10121 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
10122 "ECDSA"))
10123 #ifdef OPENSSL_NO_ECX
10124 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
10125 #else
10126 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
10127 "EC:X25519:X448"))
10128 #endif
10129 )
10130 goto end;
10131 }
10132
10133 if (idx == 1 || idx == 4)
10134 clientctx = tmpctx;
10135 else
10136 serverctx = tmpctx;
10137 }
10138
10139 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
10140 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
10141 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
10142 goto end;
10143
10144 /* Avoid MLKEM groups that depend on possibly filtered-out digests */
10145 if (!TEST_true(SSL_CTX_set1_groups_list(cctx,
10146 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))
10147 || !TEST_true(SSL_CTX_set1_groups_list(sctx,
10148 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")))
10149 goto end;
10150
10151 if (idx != 5) {
10152 /* RSA first server key */
10153 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10154 TLS_client_method(),
10155 TLS1_VERSION,
10156 0,
10157 &sctx, &cctx, cert, privkey)))
10158 goto end;
10159 } else {
10160 /* ECDSA P-256 first server key */
10161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10162 TLS_client_method(),
10163 TLS1_VERSION,
10164 0,
10165 &sctx, &cctx, cert2, privkey2)))
10166 goto end;
10167 }
10168
10169 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
10170 if (idx < 4) {
10171 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10172 "ECDHE-RSA-AES128-GCM-SHA256")))
10173 goto end;
10174 } else {
10175 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10176 "ECDHE-ECDSA-AES128-GCM-SHA256")))
10177 goto end;
10178 }
10179
10180 if (idx < 3) {
10181 if (!SSL_CTX_set1_sigalgs_list(cctx,
10182 "rsa_pss_rsae_sha384"
10183 ":rsa_pss_rsae_sha256")
10184 || !SSL_CTX_set1_sigalgs_list(sctx,
10185 "rsa_pss_rsae_sha384"
10186 ":rsa_pss_rsae_sha256"))
10187 goto end;
10188 } else {
10189 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
10190 || !SSL_CTX_set1_sigalgs_list(sctx,
10191 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
10192 goto end;
10193 }
10194
10195 /* ECDSA P-256 second server key, unless already first */
10196 if (idx != 5
10197 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
10198 SSL_FILETYPE_PEM),
10199 1)
10200 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10201 privkey2,
10202 SSL_FILETYPE_PEM),
10203 1)
10204 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
10205 goto end;
10206
10207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10208 NULL, NULL)))
10209 goto end;
10210
10211 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10212 goto end;
10213
10214 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
10215 numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash,
10216 NULL, NULL, NULL);
10217 numshared_expected = 1;
10218 hash_expected = NID_sha256;
10219 sig_expected = NID_rsassaPss;
10220 signame_expected = "rsa_pss_rsae_sha256";
10221 switch (idx) {
10222 case 0:
10223 hash_expected = NID_sha384;
10224 signame_expected = "rsa_pss_rsae_sha384";
10225 /* FALLTHROUGH */
10226 case 3:
10227 numshared_expected = 2;
10228 break;
10229 case 4:
10230 case 5:
10231 sig_expected = EVP_PKEY_EC;
10232 signame_expected = "ecdsa_secp256r1_sha256";
10233 break;
10234 }
10235 if (!TEST_int_eq(numshared, numshared_expected)
10236 || !TEST_int_eq(hash, hash_expected)
10237 || !TEST_int_eq(sig, sig_expected)
10238 || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10239 || !TEST_ptr(sigalg_name)
10240 || !TEST_str_eq(sigalg_name, signame_expected))
10241 goto end;
10242
10243 testresult = filter_provider_check_clean_finish();
10244
10245 end:
10246 SSL_free(serverssl);
10247 SSL_free(clientssl);
10248 SSL_CTX_free(sctx);
10249 SSL_CTX_free(cctx);
10250 OSSL_PROVIDER_unload(filterprov);
10251 OSSL_LIB_CTX_free(tmpctx);
10252
10253 return testresult;
10254 }
10255 #endif /* \
10256 * !defined(OPENSSL_NO_EC) \
10257 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) \
10258 */
10259
10260 #ifndef OPENSSL_NO_TLS1_3
10261 /* This test can run in TLSv1.3 even if ec and dh are disabled */
test_pluggable_group(int idx)10262 static int test_pluggable_group(int idx)
10263 {
10264 SSL_CTX *cctx = NULL, *sctx = NULL;
10265 SSL *clientssl = NULL, *serverssl = NULL;
10266 int testresult = 0;
10267 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10268 /* Check that we are not impacted by a provider without any groups */
10269 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
10270 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
10271
10272 if (!TEST_ptr(tlsprov))
10273 goto end;
10274
10275 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10276 TLS_client_method(),
10277 TLS1_3_VERSION,
10278 TLS1_3_VERSION,
10279 &sctx, &cctx, cert, privkey))
10280 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10281 NULL, NULL)))
10282 goto end;
10283
10284 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
10285 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
10286 /* removing a single algorithm from the list makes the test pass */
10287 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
10288 goto end;
10289
10290 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10291 goto end;
10292
10293 if (!TEST_str_eq(group_name,
10294 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
10295 goto end;
10296
10297 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
10298 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
10299 goto end;
10300
10301 testresult = 1;
10302
10303 end:
10304 SSL_free(serverssl);
10305 SSL_free(clientssl);
10306 SSL_CTX_free(sctx);
10307 SSL_CTX_free(cctx);
10308 OSSL_PROVIDER_unload(tlsprov);
10309 OSSL_PROVIDER_unload(legacyprov);
10310
10311 return testresult;
10312 }
10313
10314 /*
10315 * This function triggers encode, decode and sign functions
10316 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
10317 * creating private key and certificate files for use in TLS testing.
10318 */
create_cert_key(int idx,char * certfilename,char * privkeyfilename)10319 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
10320 {
10321 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
10322 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
10323 EVP_PKEY *pkey = NULL;
10324 X509 *x509 = X509_new();
10325 X509_NAME *name = NULL;
10326 BIO *keybio = NULL, *certbio = NULL;
10327 int ret = 1;
10328
10329 if (!TEST_ptr(evpctx)
10330 || !TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0)
10331 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
10332 || !TEST_ptr(pkey)
10333 || !TEST_ptr(x509)
10334 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
10335 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
10336 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
10337 || !TEST_true(X509_set_pubkey(x509, pkey))
10338 || !TEST_ptr(name = X509_get_subject_name(x509))
10339 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
10340 (unsigned char *)"CH", -1, -1, 0))
10341 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
10342 (unsigned char *)"test.org", -1, -1, 0))
10343 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10344 (unsigned char *)"localhost", -1, -1, 0))
10345 || !TEST_true(X509_set_issuer_name(x509, name))
10346 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10347 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10348 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10349 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10350 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10351 ret = 0;
10352
10353 EVP_PKEY_free(pkey);
10354 X509_free(x509);
10355 EVP_PKEY_CTX_free(evpctx);
10356 BIO_free(keybio);
10357 BIO_free(certbio);
10358 return ret;
10359 }
10360
10361 /*
10362 * Test that signature algorithms loaded via the provider interface can
10363 * correctly establish a TLS (1.3) connection.
10364 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10365 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10366 * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
10367 * Test 3: Test 0 using RPK
10368 * Test 4: Test 1 using RPK
10369 * Test 5: Test 2 using RPK
10370 */
test_pluggable_signature(int idx)10371 static int test_pluggable_signature(int idx)
10372 {
10373 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10374 SSL_CTX *cctx = NULL, *sctx = NULL;
10375 SSL *clientssl = NULL, *serverssl = NULL;
10376 int testresult = 0;
10377 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10378 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10379 char *certfilename = "tls-prov-cert.pem";
10380 char *privkeyfilename = "tls-prov-key.pem";
10381 const char *sigalg_name = NULL, *expected_sigalg_name;
10382 int sigidx = idx % 3;
10383 int rpkidx = idx / 3;
10384 int do_conf_cmd = 0;
10385
10386 if (sigidx == 2) {
10387 sigidx = 0;
10388 do_conf_cmd = 1;
10389 }
10390
10391 /* See create_cert_key() above */
10392 expected_sigalg_name = (sigidx == 0) ? "xorhmacsig" : "xorhmacsha2sig";
10393
10394 /* create key and certificate for the different algorithm types */
10395 if (!TEST_ptr(tlsprov)
10396 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10397 goto end;
10398
10399 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10400 TLS_client_method(),
10401 TLS1_3_VERSION,
10402 TLS1_3_VERSION,
10403 &sctx, &cctx, NULL, NULL)))
10404 goto end;
10405
10406 if (do_conf_cmd) {
10407 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
10408
10409 if (!TEST_ptr(confctx))
10410 goto end;
10411 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE | SSL_CONF_FLAG_SHOW_ERRORS);
10412 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
10413 if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
10414 || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
10415 || !TEST_true(SSL_CONF_CTX_finish(confctx))) {
10416 SSL_CONF_CTX_free(confctx);
10417 goto end;
10418 }
10419 SSL_CONF_CTX_free(confctx);
10420 } else {
10421 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
10422 SSL_FILETYPE_PEM),
10423 1)
10424 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10425 privkeyfilename,
10426 SSL_FILETYPE_PEM),
10427 1))
10428 goto end;
10429 }
10430 if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
10431 goto end;
10432
10433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10434 NULL, NULL)))
10435 goto end;
10436
10437 /* Enable RPK for server cert */
10438 if (rpkidx) {
10439 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10440 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10441 goto end;
10442 }
10443
10444 /* This is necessary to pass minimal setup w/o other groups configured */
10445 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10446 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10447 goto end;
10448
10449 /*
10450 * If this connection gets established, it must have been completed
10451 * via the tls-provider-implemented "hmacsig" algorithm, testing
10452 * both sign and verify functions during handshake.
10453 */
10454 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10455 goto end;
10456
10457 /* If using RPK, make sure we got one */
10458 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10459 goto end;
10460
10461 if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10462 || !TEST_str_eq(sigalg_name, expected_sigalg_name)
10463 || !TEST_ptr(sigalg_name))
10464 goto end;
10465
10466 testresult = 1;
10467
10468 end:
10469 SSL_free(serverssl);
10470 SSL_free(clientssl);
10471 SSL_CTX_free(sctx);
10472 SSL_CTX_free(cctx);
10473 OSSL_PROVIDER_unload(tlsprov);
10474 OSSL_PROVIDER_unload(defaultprov);
10475
10476 return testresult;
10477 }
10478 #endif
10479
10480 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)10481 static int test_ssl_dup(void)
10482 {
10483 SSL_CTX *cctx = NULL, *sctx = NULL;
10484 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10485 int testresult = 0;
10486 BIO *rbio = NULL, *wbio = NULL;
10487
10488 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10489 TLS_client_method(),
10490 0,
10491 0,
10492 &sctx, &cctx, cert, privkey)))
10493 goto end;
10494
10495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10496 NULL, NULL)))
10497 goto end;
10498
10499 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10500 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10501 goto end;
10502
10503 client2ssl = SSL_dup(clientssl);
10504 rbio = SSL_get_rbio(clientssl);
10505 if (!TEST_ptr(rbio)
10506 || !TEST_true(BIO_up_ref(rbio)))
10507 goto end;
10508 SSL_set0_rbio(client2ssl, rbio);
10509 rbio = NULL;
10510
10511 wbio = SSL_get_wbio(clientssl);
10512 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10513 goto end;
10514 SSL_set0_wbio(client2ssl, wbio);
10515 rbio = NULL;
10516
10517 if (!TEST_ptr(client2ssl)
10518 /* Handshake not started so pointers should be different */
10519 || !TEST_ptr_ne(clientssl, client2ssl))
10520 goto end;
10521
10522 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10523 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10524 goto end;
10525
10526 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10527 goto end;
10528
10529 SSL_free(clientssl);
10530 clientssl = SSL_dup(client2ssl);
10531 if (!TEST_ptr(clientssl)
10532 /* Handshake has finished so pointers should be the same */
10533 || !TEST_ptr_eq(clientssl, client2ssl))
10534 goto end;
10535
10536 testresult = 1;
10537
10538 end:
10539 SSL_free(serverssl);
10540 SSL_free(clientssl);
10541 SSL_free(client2ssl);
10542 SSL_CTX_free(sctx);
10543 SSL_CTX_free(cctx);
10544
10545 return testresult;
10546 }
10547
secret_cb(SSL * s,void * secretin,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)10548 static int secret_cb(SSL *s, void *secretin, int *secret_len,
10549 STACK_OF(SSL_CIPHER) *peer_ciphers,
10550 const SSL_CIPHER **cipher, void *arg)
10551 {
10552 int i;
10553 unsigned char *secret = secretin;
10554
10555 /* Just use a fixed master secret */
10556 for (i = 0; i < *secret_len; i++)
10557 secret[i] = 0xff;
10558
10559 /* We don't set a preferred cipher */
10560
10561 return 1;
10562 }
10563
10564 /*
10565 * Test the session_secret_cb which is designed for use with EAP-FAST
10566 */
test_session_secret_cb(void)10567 static int test_session_secret_cb(void)
10568 {
10569 SSL_CTX *cctx = NULL, *sctx = NULL;
10570 SSL *clientssl = NULL, *serverssl = NULL;
10571 SSL_SESSION *secret_sess = NULL;
10572 int testresult = 0;
10573
10574 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10575 TLS_client_method(),
10576 0,
10577 0,
10578 &sctx, &cctx, cert, privkey)))
10579 goto end;
10580
10581 /* Create an initial connection and save the session */
10582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10583 NULL, NULL)))
10584 goto end;
10585
10586 /* session_secret_cb does not support TLSv1.3 */
10587 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10588 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10589 goto end;
10590
10591 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10592 goto end;
10593
10594 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10595 goto end;
10596
10597 shutdown_ssl_connection(serverssl, clientssl);
10598 serverssl = clientssl = NULL;
10599
10600 /* Resume the earlier session */
10601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10602 NULL, NULL)))
10603 goto end;
10604
10605 /*
10606 * No session ids for EAP-FAST - otherwise the state machine gets very
10607 * confused.
10608 */
10609 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10610 goto end;
10611
10612 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10613 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10614 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10615 NULL))
10616 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10617 NULL))
10618 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10619 goto end;
10620
10621 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10622 goto end;
10623
10624 testresult = 1;
10625
10626 end:
10627 SSL_SESSION_free(secret_sess);
10628 SSL_free(serverssl);
10629 SSL_free(clientssl);
10630 SSL_CTX_free(sctx);
10631 SSL_CTX_free(cctx);
10632
10633 return testresult;
10634 }
10635
10636 #ifndef OPENSSL_NO_DH
10637
10638 static EVP_PKEY *tmp_dh_params = NULL;
10639
10640 /* Helper function for the test_set_tmp_dh() tests */
get_tmp_dh_params(void)10641 static EVP_PKEY *get_tmp_dh_params(void)
10642 {
10643 if (tmp_dh_params == NULL) {
10644 BIGNUM *p = NULL;
10645 OSSL_PARAM_BLD *tmpl = NULL;
10646 EVP_PKEY_CTX *pctx = NULL;
10647 OSSL_PARAM *params = NULL;
10648 EVP_PKEY *dhpkey = NULL;
10649
10650 p = BN_get_rfc3526_prime_2048(NULL);
10651 if (!TEST_ptr(p))
10652 goto end;
10653
10654 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10655 if (!TEST_ptr(pctx)
10656 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10657 goto end;
10658
10659 tmpl = OSSL_PARAM_BLD_new();
10660 if (!TEST_ptr(tmpl)
10661 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10662 OSSL_PKEY_PARAM_FFC_P,
10663 p))
10664 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10665 OSSL_PKEY_PARAM_FFC_G,
10666 2)))
10667 goto end;
10668
10669 params = OSSL_PARAM_BLD_to_param(tmpl);
10670 if (!TEST_ptr(params)
10671 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10672 EVP_PKEY_KEY_PARAMETERS,
10673 params),
10674 1))
10675 goto end;
10676
10677 tmp_dh_params = dhpkey;
10678 end:
10679 BN_free(p);
10680 EVP_PKEY_CTX_free(pctx);
10681 OSSL_PARAM_BLD_free(tmpl);
10682 OSSL_PARAM_free(params);
10683 }
10684
10685 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10686 return NULL;
10687
10688 return tmp_dh_params;
10689 }
10690
10691 #ifndef OPENSSL_NO_DEPRECATED_3_0
10692 /* Callback used by test_set_tmp_dh() */
tmp_dh_callback(SSL * s,int is_export,int keylen)10693 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10694 {
10695 EVP_PKEY *dhpkey = get_tmp_dh_params();
10696 DH *ret = NULL;
10697
10698 if (!TEST_ptr(dhpkey))
10699 return NULL;
10700
10701 /*
10702 * libssl does not free the returned DH, so we free it now knowing that even
10703 * after we free dhpkey, there will still be a reference to the owning
10704 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10705 * of time we need it for.
10706 */
10707 ret = EVP_PKEY_get1_DH(dhpkey);
10708 DH_free(ret);
10709
10710 EVP_PKEY_free(dhpkey);
10711
10712 return ret;
10713 }
10714 #endif
10715
10716 /*
10717 * Test the various methods for setting temporary DH parameters
10718 *
10719 * Test 0: Default (no auto) setting
10720 * Test 1: Explicit SSL_CTX auto off
10721 * Test 2: Explicit SSL auto off
10722 * Test 3: Explicit SSL_CTX auto on
10723 * Test 4: Explicit SSL auto on
10724 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10725 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10726 *
10727 * The following are testing deprecated APIs, so we only run them if available
10728 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10729 * Test 8: Explicit SSL auto off, custom DH params via DH
10730 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10731 * Test 10: Explicit SSL auto off, custom DH params via callback
10732 */
test_set_tmp_dh(int idx)10733 static int test_set_tmp_dh(int idx)
10734 {
10735 SSL_CTX *cctx = NULL, *sctx = NULL;
10736 SSL *clientssl = NULL, *serverssl = NULL;
10737 int testresult = 0;
10738 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10739 int expected = (idx <= 2) ? 0 : 1;
10740 EVP_PKEY *dhpkey = NULL;
10741 #ifndef OPENSSL_NO_DEPRECATED_3_0
10742 DH *dh = NULL;
10743 #else
10744
10745 if (idx >= 7)
10746 return 1;
10747 #endif
10748
10749 if (idx >= 5 && idx <= 8) {
10750 dhpkey = get_tmp_dh_params();
10751 if (!TEST_ptr(dhpkey))
10752 goto end;
10753 }
10754 #ifndef OPENSSL_NO_DEPRECATED_3_0
10755 if (idx == 7 || idx == 8) {
10756 dh = EVP_PKEY_get1_DH(dhpkey);
10757 if (!TEST_ptr(dh))
10758 goto end;
10759 }
10760 #endif
10761
10762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10763 TLS_client_method(),
10764 0,
10765 0,
10766 &sctx, &cctx, cert, privkey)))
10767 goto end;
10768
10769 if ((idx & 1) == 1) {
10770 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10771 goto end;
10772 }
10773
10774 if (idx == 5) {
10775 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10776 goto end;
10777 dhpkey = NULL;
10778 }
10779 #ifndef OPENSSL_NO_DEPRECATED_3_0
10780 else if (idx == 7) {
10781 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10782 goto end;
10783 } else if (idx == 9) {
10784 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10785 }
10786 #endif
10787
10788 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10789 NULL, NULL)))
10790 goto end;
10791
10792 if ((idx & 1) == 0 && idx != 0) {
10793 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10794 goto end;
10795 }
10796 if (idx == 6) {
10797 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10798 goto end;
10799 dhpkey = NULL;
10800 }
10801 #ifndef OPENSSL_NO_DEPRECATED_3_0
10802 else if (idx == 8) {
10803 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10804 goto end;
10805 } else if (idx == 10) {
10806 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10807 }
10808 #endif
10809
10810 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10811 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10812 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10813 goto end;
10814
10815 /*
10816 * If autoon then we should succeed. Otherwise we expect failure because
10817 * there are no parameters
10818 */
10819 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10820 SSL_ERROR_NONE),
10821 expected))
10822 goto end;
10823
10824 testresult = 1;
10825
10826 end:
10827 #ifndef OPENSSL_NO_DEPRECATED_3_0
10828 DH_free(dh);
10829 #endif
10830 SSL_free(serverssl);
10831 SSL_free(clientssl);
10832 SSL_CTX_free(sctx);
10833 SSL_CTX_free(cctx);
10834 EVP_PKEY_free(dhpkey);
10835
10836 return testresult;
10837 }
10838
10839 /*
10840 * Test the auto DH keys are appropriately sized
10841 */
test_dh_auto(int idx)10842 static int test_dh_auto(int idx)
10843 {
10844 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10845 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10846 SSL *clientssl = NULL, *serverssl = NULL;
10847 int testresult = 0;
10848 EVP_PKEY *tmpkey = NULL;
10849 char *thiscert = NULL, *thiskey = NULL;
10850 size_t expdhsize = 0;
10851 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10852
10853 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10854 goto end;
10855
10856 switch (idx) {
10857 case 0:
10858 /* The FIPS provider doesn't support this DH size - so we ignore it */
10859 if (is_fips) {
10860 testresult = 1;
10861 goto end;
10862 }
10863 thiscert = cert1024;
10864 thiskey = privkey1024;
10865 expdhsize = 1024;
10866 SSL_CTX_set_security_level(sctx, 1);
10867 SSL_CTX_set_security_level(cctx, 1);
10868 break;
10869 case 1:
10870 /* 2048 bit prime */
10871 thiscert = cert;
10872 thiskey = privkey;
10873 expdhsize = 2048;
10874 break;
10875 case 2:
10876 thiscert = cert3072;
10877 thiskey = privkey3072;
10878 expdhsize = 3072;
10879 break;
10880 case 3:
10881 thiscert = cert4096;
10882 thiskey = privkey4096;
10883 expdhsize = 4096;
10884 break;
10885 case 4:
10886 thiscert = cert8192;
10887 thiskey = privkey8192;
10888 expdhsize = 8192;
10889 break;
10890 /* No certificate cases */
10891 case 5:
10892 /* The FIPS provider doesn't support this DH size - so we ignore it */
10893 if (is_fips) {
10894 testresult = 1;
10895 goto end;
10896 }
10897 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10898 expdhsize = 1024;
10899 break;
10900 case 6:
10901 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10902 expdhsize = 3072;
10903 break;
10904 default:
10905 TEST_error("Invalid text index");
10906 goto end;
10907 }
10908
10909 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10910 NULL,
10911 0,
10912 0,
10913 &sctx, &cctx, thiscert, thiskey)))
10914 goto end;
10915
10916 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10917 NULL, NULL)))
10918 goto end;
10919
10920 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10921 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10922 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10923 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10924 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10925 goto end;
10926
10927 /*
10928 * Send the server's first flight. At this point the server has created the
10929 * temporary DH key but hasn't finished using it yet. Once used it is
10930 * removed, so we cannot test it.
10931 */
10932 if (!TEST_int_le(SSL_connect(clientssl), 0)
10933 || !TEST_int_le(SSL_accept(serverssl), 0))
10934 goto end;
10935
10936 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10937 goto end;
10938 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10939 goto end;
10940
10941 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10942 goto end;
10943
10944 testresult = 1;
10945
10946 end:
10947 SSL_free(serverssl);
10948 SSL_free(clientssl);
10949 SSL_CTX_free(sctx);
10950 SSL_CTX_free(cctx);
10951 EVP_PKEY_free(tmpkey);
10952
10953 return testresult;
10954 }
10955 #endif /* OPENSSL_NO_DH */
10956 #endif /* OPENSSL_NO_TLS1_2 */
10957
10958 #ifndef OSSL_NO_USABLE_TLS1_3
10959 /*
10960 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10961 * that it works even without a certificate configured for the original
10962 * SSL_CTX
10963 */
test_sni_tls13(void)10964 static int test_sni_tls13(void)
10965 {
10966 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10967 SSL *clientssl = NULL, *serverssl = NULL;
10968 int testresult = 0;
10969
10970 /* Reset callback counter */
10971 snicb = 0;
10972
10973 /* Create an initial SSL_CTX with no certificate configured */
10974 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10975 if (!TEST_ptr(sctx))
10976 goto end;
10977 /* Require TLSv1.3 as a minimum */
10978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10979 TLS_client_method(), TLS1_3_VERSION, 0,
10980 &sctx2, &cctx, cert, privkey)))
10981 goto end;
10982
10983 /* Set up SNI */
10984 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10985 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10986 goto end;
10987
10988 /*
10989 * Connection should still succeed because the final SSL_CTX has the right
10990 * certificates configured.
10991 */
10992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10993 &clientssl, NULL, NULL))
10994 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10995 SSL_ERROR_NONE)))
10996 goto end;
10997
10998 /* We should have had the SNI callback called exactly once */
10999 if (!TEST_int_eq(snicb, 1))
11000 goto end;
11001
11002 testresult = 1;
11003
11004 end:
11005 SSL_free(serverssl);
11006 SSL_free(clientssl);
11007 SSL_CTX_free(sctx2);
11008 SSL_CTX_free(sctx);
11009 SSL_CTX_free(cctx);
11010 return testresult;
11011 }
11012
11013 /*
11014 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
11015 * 0 = TLSv1.2
11016 * 1 = TLSv1.3
11017 */
test_ticket_lifetime(int idx)11018 static int test_ticket_lifetime(int idx)
11019 {
11020 SSL_CTX *cctx = NULL, *sctx = NULL;
11021 SSL *clientssl = NULL, *serverssl = NULL;
11022 int testresult = 0;
11023 int version = TLS1_3_VERSION;
11024
11025 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
11026 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
11027
11028 if (idx == 0) {
11029 #ifdef OPENSSL_NO_TLS1_2
11030 return TEST_skip("TLS 1.2 is disabled.");
11031 #else
11032 version = TLS1_2_VERSION;
11033 #endif
11034 }
11035
11036 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11037 TLS_client_method(), version, version,
11038 &sctx, &cctx, cert, privkey)))
11039 goto end;
11040
11041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11042 &clientssl, NULL, NULL)))
11043 goto end;
11044
11045 /*
11046 * Set the timeout to be more than 1 week
11047 * make sure the returned value is the default
11048 */
11049 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
11050 SSL_get_default_timeout(serverssl)))
11051 goto end;
11052
11053 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11054 goto end;
11055
11056 if (idx == 0) {
11057 /* TLSv1.2 uses the set value */
11058 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
11059 goto end;
11060 } else {
11061 /* TLSv1.3 uses the limited value */
11062 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
11063 goto end;
11064 }
11065 testresult = 1;
11066
11067 end:
11068 SSL_free(serverssl);
11069 SSL_free(clientssl);
11070 SSL_CTX_free(sctx);
11071 SSL_CTX_free(cctx);
11072 return testresult;
11073 }
11074 #endif
11075 /*
11076 * Test that setting an ALPN does not violate RFC
11077 */
test_set_alpn(void)11078 static int test_set_alpn(void)
11079 {
11080 SSL_CTX *ctx = NULL;
11081 SSL *ssl = NULL;
11082 int testresult = 0;
11083
11084 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
11085 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
11086 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
11087 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00 };
11088 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd' };
11089 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd' };
11090
11091 /* Create an initial SSL_CTX with no certificate configured */
11092 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11093 if (!TEST_ptr(ctx))
11094 goto end;
11095
11096 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
11097 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
11098 goto end;
11099 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
11100 goto end;
11101 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
11102 goto end;
11103 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
11104 goto end;
11105 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
11106 goto end;
11107 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
11108 goto end;
11109 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
11110 goto end;
11111 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
11112 goto end;
11113 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
11114 goto end;
11115
11116 ssl = SSL_new(ctx);
11117 if (!TEST_ptr(ssl))
11118 goto end;
11119
11120 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
11121 goto end;
11122 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
11123 goto end;
11124 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
11125 goto end;
11126 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
11127 goto end;
11128 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
11129 goto end;
11130 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
11131 goto end;
11132 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
11133 goto end;
11134 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
11135 goto end;
11136 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
11137 goto end;
11138
11139 testresult = 1;
11140
11141 end:
11142 SSL_free(ssl);
11143 SSL_CTX_free(ctx);
11144 return testresult;
11145 }
11146
11147 /*
11148 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
11149 */
test_set_verify_cert_store_ssl_ctx(void)11150 static int test_set_verify_cert_store_ssl_ctx(void)
11151 {
11152 SSL_CTX *ctx = NULL;
11153 int testresult = 0;
11154 X509_STORE *store = NULL, *new_store = NULL,
11155 *cstore = NULL, *new_cstore = NULL;
11156
11157 /* Create an initial SSL_CTX. */
11158 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11159 if (!TEST_ptr(ctx))
11160 goto end;
11161
11162 /* Retrieve verify store pointer. */
11163 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11164 goto end;
11165
11166 /* Retrieve chain store pointer. */
11167 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11168 goto end;
11169
11170 /* We haven't set any yet, so this should be NULL. */
11171 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11172 goto end;
11173
11174 /* Create stores. We use separate stores so pointers are different. */
11175 new_store = X509_STORE_new();
11176 if (!TEST_ptr(new_store))
11177 goto end;
11178
11179 new_cstore = X509_STORE_new();
11180 if (!TEST_ptr(new_cstore))
11181 goto end;
11182
11183 /* Set stores. */
11184 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
11185 goto end;
11186
11187 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
11188 goto end;
11189
11190 /* Should be able to retrieve the same pointer. */
11191 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11192 goto end;
11193
11194 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11195 goto end;
11196
11197 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11198 goto end;
11199
11200 /* Should be able to unset again. */
11201 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
11202 goto end;
11203
11204 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
11205 goto end;
11206
11207 /* Should now be NULL. */
11208 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11209 goto end;
11210
11211 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11212 goto end;
11213
11214 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11215 goto end;
11216
11217 testresult = 1;
11218
11219 end:
11220 X509_STORE_free(new_store);
11221 X509_STORE_free(new_cstore);
11222 SSL_CTX_free(ctx);
11223 return testresult;
11224 }
11225
11226 /*
11227 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
11228 */
test_set_verify_cert_store_ssl(void)11229 static int test_set_verify_cert_store_ssl(void)
11230 {
11231 SSL_CTX *ctx = NULL;
11232 SSL *ssl = NULL;
11233 int testresult = 0;
11234 X509_STORE *store = NULL, *new_store = NULL,
11235 *cstore = NULL, *new_cstore = NULL;
11236
11237 /* Create an initial SSL_CTX. */
11238 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11239 if (!TEST_ptr(ctx))
11240 goto end;
11241
11242 /* Create an SSL object. */
11243 ssl = SSL_new(ctx);
11244 if (!TEST_ptr(ssl))
11245 goto end;
11246
11247 /* Retrieve verify store pointer. */
11248 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11249 goto end;
11250
11251 /* Retrieve chain store pointer. */
11252 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11253 goto end;
11254
11255 /* We haven't set any yet, so this should be NULL. */
11256 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11257 goto end;
11258
11259 /* Create stores. We use separate stores so pointers are different. */
11260 new_store = X509_STORE_new();
11261 if (!TEST_ptr(new_store))
11262 goto end;
11263
11264 new_cstore = X509_STORE_new();
11265 if (!TEST_ptr(new_cstore))
11266 goto end;
11267
11268 /* Set stores. */
11269 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
11270 goto end;
11271
11272 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
11273 goto end;
11274
11275 /* Should be able to retrieve the same pointer. */
11276 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11277 goto end;
11278
11279 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11280 goto end;
11281
11282 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11283 goto end;
11284
11285 /* Should be able to unset again. */
11286 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
11287 goto end;
11288
11289 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
11290 goto end;
11291
11292 /* Should now be NULL. */
11293 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11294 goto end;
11295
11296 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11297 goto end;
11298
11299 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11300 goto end;
11301
11302 testresult = 1;
11303
11304 end:
11305 X509_STORE_free(new_store);
11306 X509_STORE_free(new_cstore);
11307 SSL_free(ssl);
11308 SSL_CTX_free(ctx);
11309 return testresult;
11310 }
11311
test_inherit_verify_param(void)11312 static int test_inherit_verify_param(void)
11313 {
11314 int testresult = 0;
11315
11316 SSL_CTX *ctx = NULL;
11317 X509_VERIFY_PARAM *cp = NULL;
11318 SSL *ssl = NULL;
11319 X509_VERIFY_PARAM *sp = NULL;
11320 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
11321
11322 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11323 if (!TEST_ptr(ctx))
11324 goto end;
11325
11326 cp = SSL_CTX_get0_param(ctx);
11327 if (!TEST_ptr(cp))
11328 goto end;
11329 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
11330 goto end;
11331
11332 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
11333
11334 ssl = SSL_new(ctx);
11335 if (!TEST_ptr(ssl))
11336 goto end;
11337
11338 sp = SSL_get0_param(ssl);
11339 if (!TEST_ptr(sp))
11340 goto end;
11341 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
11342 goto end;
11343
11344 testresult = 1;
11345
11346 end:
11347 SSL_free(ssl);
11348 SSL_CTX_free(ctx);
11349
11350 return testresult;
11351 }
11352
test_load_dhfile(void)11353 static int test_load_dhfile(void)
11354 {
11355 #ifndef OPENSSL_NO_DH
11356 int testresult = 0;
11357
11358 SSL_CTX *ctx = NULL;
11359 SSL_CONF_CTX *cctx = NULL;
11360
11361 if (dhfile == NULL)
11362 return 1;
11363
11364 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
11365 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
11366 goto end;
11367
11368 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
11369 SSL_CONF_CTX_set_flags(cctx,
11370 SSL_CONF_FLAG_CERTIFICATE
11371 | SSL_CONF_FLAG_SERVER
11372 | SSL_CONF_FLAG_FILE);
11373
11374 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
11375 goto end;
11376
11377 testresult = 1;
11378 end:
11379 SSL_CONF_CTX_free(cctx);
11380 SSL_CTX_free(ctx);
11381
11382 return testresult;
11383 #else
11384 return TEST_skip("DH not supported by this build");
11385 #endif
11386 }
11387
11388 #ifndef OSSL_NO_USABLE_TLS1_3
11389 /* Test that read_ahead works across a key change */
test_read_ahead_key_change(void)11390 static int test_read_ahead_key_change(void)
11391 {
11392 SSL_CTX *cctx = NULL, *sctx = NULL;
11393 SSL *clientssl = NULL, *serverssl = NULL;
11394 int testresult = 0;
11395 char *msg = "Hello World";
11396 size_t written, readbytes;
11397 char buf[80];
11398 int i;
11399
11400 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11401 TLS_client_method(), TLS1_3_VERSION, 0,
11402 &sctx, &cctx, cert, privkey)))
11403 goto end;
11404
11405 SSL_CTX_set_read_ahead(sctx, 1);
11406
11407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11408 &clientssl, NULL, NULL)))
11409 goto end;
11410
11411 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11412 goto end;
11413
11414 /* Write some data, send a key update, write more data */
11415 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11416 || !TEST_size_t_eq(written, strlen(msg)))
11417 goto end;
11418
11419 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11420 goto end;
11421
11422 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11423 || !TEST_size_t_eq(written, strlen(msg)))
11424 goto end;
11425
11426 /*
11427 * Since read_ahead is on the first read below should read the record with
11428 * the first app data, the second record with the key update message, and
11429 * the third record with the app data all in one go. We should be able to
11430 * still process the read_ahead data correctly even though it crosses
11431 * epochs
11432 */
11433 for (i = 0; i < 2; i++) {
11434 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11435 &readbytes)))
11436 goto end;
11437
11438 buf[readbytes] = '\0';
11439 if (!TEST_str_eq(buf, msg))
11440 goto end;
11441 }
11442
11443 testresult = 1;
11444
11445 end:
11446 SSL_free(serverssl);
11447 SSL_free(clientssl);
11448 SSL_CTX_free(sctx);
11449 SSL_CTX_free(cctx);
11450 return testresult;
11451 }
11452
record_pad_cb(SSL * s,int type,size_t len,void * arg)11453 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11454 {
11455 int *called = arg;
11456
11457 switch ((*called)++) {
11458 case 0:
11459 /* Add some padding to first record */
11460 return 512;
11461 case 1:
11462 /* Maximally pad the second record */
11463 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11464 case 2:
11465 /*
11466 * Exceeding the maximum padding should be fine. It should just pad to
11467 * the maximum anyway
11468 */
11469 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11470 case 3:
11471 /*
11472 * Very large padding should also be ok. Should just pad to the maximum
11473 * allowed
11474 */
11475 return SIZE_MAX;
11476 default:
11477 return 0;
11478 }
11479 }
11480
11481 /*
11482 * Test that setting record padding in TLSv1.3 works as expected
11483 * Test 0: Record padding callback on the SSL_CTX
11484 * Test 1: Record padding callback on the SSL
11485 * Test 2: Record block padding on the SSL_CTX
11486 * Test 3: Record block padding on the SSL
11487 * Test 4: Extended record block padding on the SSL_CTX
11488 * Test 5: Extended record block padding on the SSL
11489 */
test_tls13_record_padding(int idx)11490 static int test_tls13_record_padding(int idx)
11491 {
11492 SSL_CTX *cctx = NULL, *sctx = NULL;
11493 SSL *clientssl = NULL, *serverssl = NULL;
11494 int testresult = 0;
11495 char *msg = "Hello World";
11496 size_t written, readbytes;
11497 char buf[80];
11498 int i;
11499 int called = 0;
11500
11501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11502 TLS_client_method(), TLS1_3_VERSION, 0,
11503 &sctx, &cctx, cert, privkey)))
11504 goto end;
11505
11506 if (idx == 0) {
11507 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11508 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11509 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11510 goto end;
11511 } else if (idx == 2) {
11512 /* Exceeding the max plain length should fail */
11513 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11514 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11515 goto end;
11516 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11517 goto end;
11518 } else if (idx == 4) {
11519 /* pad only handshake/alert messages */
11520 if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
11521 goto end;
11522 }
11523
11524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11525 &clientssl, NULL, NULL)))
11526 goto end;
11527
11528 if (idx == 1) {
11529 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11530 SSL_set_record_padding_callback_arg(clientssl, &called);
11531 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11532 goto end;
11533 } else if (idx == 3) {
11534 /* Exceeding the max plain length should fail */
11535 if (!TEST_false(SSL_set_block_padding(clientssl,
11536 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11537 goto end;
11538 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11539 goto end;
11540 } else if (idx == 5) {
11541 /* Exceeding the max plain length should fail */
11542 if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0,
11543 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11544 goto end;
11545 /* pad server and client handshake only */
11546 if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512)))
11547 goto end;
11548 if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512)))
11549 goto end;
11550 }
11551
11552 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11553 goto end;
11554
11555 called = 0;
11556 /*
11557 * Write some data, then check we can read it. Do this four times to check
11558 * we can continue to write and read padded data after the initial record
11559 * padding has been added. We don't actually check that the padding has
11560 * been applied to the record - just that we can continue to communicate
11561 * normally and that the callback has been called (if appropriate).
11562 */
11563 for (i = 0; i < 4; i++) {
11564 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11565 || !TEST_size_t_eq(written, strlen(msg)))
11566 goto end;
11567
11568 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11569 &readbytes))
11570 || !TEST_size_t_eq(written, readbytes))
11571 goto end;
11572
11573 buf[readbytes] = '\0';
11574 if (!TEST_str_eq(buf, msg))
11575 goto end;
11576 }
11577
11578 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11579 goto end;
11580
11581 testresult = 1;
11582 end:
11583 SSL_free(serverssl);
11584 SSL_free(clientssl);
11585 SSL_CTX_free(sctx);
11586 SSL_CTX_free(cctx);
11587 return testresult;
11588 }
11589 #endif /* OSSL_NO_USABLE_TLS1_3 */
11590
11591 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11592 /*
11593 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11594 * support this yet. The only pipeline capable cipher that we have is in the
11595 * dasync engine (providers don't support this yet), so we have to use
11596 * deprecated APIs for this test.
11597 *
11598 * Test 0: Client has pipelining enabled, server does not
11599 * Test 1: Server has pipelining enabled, client does not
11600 * Test 2: Client has pipelining enabled, server does not: not enough data to
11601 * fill all the pipelines
11602 * Test 3: Client has pipelining enabled, server does not: not enough data to
11603 * fill all the pipelines by more than a full pipeline's worth
11604 * Test 4: Client has pipelining enabled, server does not: more data than all
11605 * the available pipelines can take
11606 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11607 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11608 * is created)
11609 */
test_pipelining(int idx)11610 static int test_pipelining(int idx)
11611 {
11612 SSL_CTX *cctx = NULL, *sctx = NULL;
11613 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11614 int testresult = 0, numreads;
11615 /* A 55 byte message */
11616 unsigned char *msg = (unsigned char *)"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11617 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11618 size_t expectedreads;
11619 unsigned char *buf = NULL;
11620 ENGINE *e = NULL;
11621
11622 if (idx != 6) {
11623 e = load_dasync();
11624 if (e == NULL)
11625 return 0;
11626 }
11627
11628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11629 TLS_client_method(), 0,
11630 TLS1_2_VERSION, &sctx, &cctx, cert,
11631 privkey)))
11632 goto end;
11633
11634 if (idx == 6) {
11635 e = load_dasync();
11636 if (e == NULL)
11637 goto end;
11638 /* Now act like test 0 */
11639 idx = 0;
11640 }
11641
11642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11643 &clientssl, NULL, NULL)))
11644 goto end;
11645
11646 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11647 goto end;
11648
11649 /* peera is always configured for pipelining, while peerb is not. */
11650 if (idx == 1) {
11651 peera = serverssl;
11652 peerb = clientssl;
11653
11654 } else {
11655 peera = clientssl;
11656 peerb = serverssl;
11657 }
11658
11659 if (idx == 5) {
11660 numpipes = 2;
11661 /* Maximum allowed fragment size */
11662 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11663 msglen = fragsize * numpipes;
11664 msg = OPENSSL_malloc(msglen);
11665 if (!TEST_ptr(msg))
11666 goto end;
11667 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11668 goto end;
11669 } else if (idx == 4) {
11670 msglen = 55;
11671 } else {
11672 msglen = 50;
11673 }
11674 if (idx == 2)
11675 msglen -= 2; /* Send 2 less bytes */
11676 else if (idx == 3)
11677 msglen -= 12; /* Send 12 less bytes */
11678
11679 buf = OPENSSL_malloc(msglen);
11680 if (!TEST_ptr(buf))
11681 goto end;
11682
11683 if (idx == 5) {
11684 /*
11685 * Test that setting a split send fragment longer than the maximum
11686 * allowed fails
11687 */
11688 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11689 goto end;
11690 }
11691
11692 /*
11693 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11694 * (50 bytes in total). This is a ridiculously small number of bytes -
11695 * but sufficient for our purposes
11696 */
11697 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11698 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11699 goto end;
11700
11701 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11702 goto end;
11703
11704 /* Write some data from peera to peerb */
11705 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11706 || !TEST_size_t_eq(written, msglen))
11707 goto end;
11708
11709 /*
11710 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11711 * have been used - except in test 3 where only |numpipes - 1| pipelines
11712 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11713 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11714 * expect this to be read in |numpipes| or |numpipes - 1| separate
11715 * SSL_read_ex calls. In the case of test 4, there is then one additional
11716 * read for left over data that couldn't fit in the previous pipelines
11717 */
11718 for (offset = 0, numreads = 0;
11719 offset < msglen;
11720 offset += readbytes, numreads++) {
11721 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11722 msglen - offset, &readbytes)))
11723 goto end;
11724 }
11725
11726 expectedreads = idx == 4 ? numpipes + 1
11727 : (idx == 3 ? numpipes - 1 : numpipes);
11728 if (!TEST_mem_eq(msg, msglen, buf, offset)
11729 || !TEST_int_eq(numreads, expectedreads))
11730 goto end;
11731
11732 /*
11733 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11734 * chunks to exercise the read pipelining code on peera.
11735 */
11736 for (offset = 0; offset < msglen; offset += fragsize) {
11737 size_t sendlen = msglen - offset;
11738
11739 if (sendlen > fragsize)
11740 sendlen = fragsize;
11741 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11742 || !TEST_size_t_eq(written, sendlen))
11743 goto end;
11744 }
11745
11746 /*
11747 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11748 * separate chunks (depending on which test we are running). If the
11749 * pipelining is working then we expect peera to read up to numpipes chunks
11750 * and process them in parallel, giving back the complete result in a single
11751 * call to SSL_read_ex
11752 */
11753 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11754 || !TEST_size_t_le(readbytes, msglen))
11755 goto end;
11756
11757 if (idx == 4) {
11758 size_t readbytes2;
11759
11760 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11761 msglen - readbytes, &readbytes2)))
11762 goto end;
11763 readbytes += readbytes2;
11764 if (!TEST_size_t_le(readbytes, msglen))
11765 goto end;
11766 }
11767
11768 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11769 goto end;
11770
11771 testresult = 1;
11772 end:
11773 SSL_free(serverssl);
11774 SSL_free(clientssl);
11775 SSL_CTX_free(sctx);
11776 SSL_CTX_free(cctx);
11777 if (e != NULL) {
11778 ENGINE_unregister_ciphers(e);
11779 ENGINE_finish(e);
11780 ENGINE_free(e);
11781 }
11782 OPENSSL_free(buf);
11783 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11784 OPENSSL_free(msg);
11785 return testresult;
11786 }
11787 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11788
check_version_string(SSL * s,int version)11789 static int check_version_string(SSL *s, int version)
11790 {
11791 const char *verstr = NULL;
11792
11793 switch (version) {
11794 case SSL3_VERSION:
11795 verstr = "SSLv3";
11796 break;
11797 case TLS1_VERSION:
11798 verstr = "TLSv1";
11799 break;
11800 case TLS1_1_VERSION:
11801 verstr = "TLSv1.1";
11802 break;
11803 case TLS1_2_VERSION:
11804 verstr = "TLSv1.2";
11805 break;
11806 case TLS1_3_VERSION:
11807 verstr = "TLSv1.3";
11808 break;
11809 case DTLS1_VERSION:
11810 verstr = "DTLSv1";
11811 break;
11812 case DTLS1_2_VERSION:
11813 verstr = "DTLSv1.2";
11814 }
11815
11816 return TEST_str_eq(verstr, SSL_get_version(s));
11817 }
11818
11819 /*
11820 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11821 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11822 * test_version() in quicapitest.c which does the same thing for QUIC
11823 * connections.
11824 */
test_version(int idx)11825 static int test_version(int idx)
11826 {
11827 SSL_CTX *cctx = NULL, *sctx = NULL;
11828 SSL *clientssl = NULL, *serverssl = NULL;
11829 int testresult = 0, version;
11830 const SSL_METHOD *servmeth = TLS_server_method();
11831 const SSL_METHOD *clientmeth = TLS_client_method();
11832
11833 switch (idx) {
11834 #if !defined(OPENSSL_NO_SSL3)
11835 case 0:
11836 version = SSL3_VERSION;
11837 break;
11838 #endif
11839 #if !defined(OPENSSL_NO_TLS1)
11840 case 1:
11841 version = TLS1_VERSION;
11842 break;
11843 #endif
11844 #if !defined(OPENSSL_NO_TLS1_2)
11845 case 2:
11846 version = TLS1_2_VERSION;
11847 break;
11848 #endif
11849 #if !defined(OSSL_NO_USABLE_TLS1_3)
11850 case 3:
11851 version = TLS1_3_VERSION;
11852 break;
11853 #endif
11854 #if !defined(OPENSSL_NO_DTLS1)
11855 case 4:
11856 version = DTLS1_VERSION;
11857 break;
11858 #endif
11859 #if !defined(OPENSSL_NO_DTLS1_2)
11860 case 5:
11861 version = DTLS1_2_VERSION;
11862 break;
11863 #endif
11864 /*
11865 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11866 * We also don't support DTLS1_BAD_VER since we have no server support for
11867 * that.
11868 */
11869 default:
11870 TEST_skip("Unsupported protocol version");
11871 return 1;
11872 }
11873
11874 if (is_fips
11875 && (version == SSL3_VERSION
11876 || version == TLS1_VERSION
11877 || version == DTLS1_VERSION)) {
11878 TEST_skip("Protocol version not supported with FIPS");
11879 return 1;
11880 }
11881
11882 #if !defined(OPENSSL_NO_DTLS)
11883 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11884 servmeth = DTLS_server_method();
11885 clientmeth = DTLS_client_method();
11886 }
11887 #endif
11888
11889 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11890 version, &sctx, &cctx, cert, privkey)))
11891 goto end;
11892
11893 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11894 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11895 "DEFAULT:@SECLEVEL=0")))
11896 goto end;
11897
11898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11899 &clientssl, NULL, NULL)))
11900 goto end;
11901
11902 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11903 goto end;
11904
11905 if (!TEST_int_eq(SSL_version(serverssl), version)
11906 || !TEST_int_eq(SSL_version(clientssl), version)
11907 || !TEST_true(check_version_string(serverssl, version))
11908 || !TEST_true(check_version_string(clientssl, version)))
11909 goto end;
11910
11911 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11912 if (!TEST_true(SSL_is_dtls(serverssl))
11913 || !TEST_true(SSL_is_dtls(clientssl))
11914 || !TEST_false(SSL_is_tls(serverssl))
11915 || !TEST_false(SSL_is_tls(clientssl))
11916 || !TEST_false(SSL_is_quic(serverssl))
11917 || !TEST_false(SSL_is_quic(clientssl)))
11918 goto end;
11919 } else {
11920 if (!TEST_true(SSL_is_tls(serverssl))
11921 || !TEST_true(SSL_is_tls(clientssl))
11922 || !TEST_false(SSL_is_dtls(serverssl))
11923 || !TEST_false(SSL_is_dtls(clientssl))
11924 || !TEST_false(SSL_is_quic(serverssl))
11925 || !TEST_false(SSL_is_quic(clientssl)))
11926 goto end;
11927 }
11928
11929 testresult = 1;
11930 end:
11931 SSL_free(serverssl);
11932 SSL_free(clientssl);
11933 SSL_CTX_free(sctx);
11934 SSL_CTX_free(cctx);
11935 return testresult;
11936 }
11937
11938 /*
11939 * Test that the SSL_rstate_string*() APIs return sane results
11940 */
test_rstate_string(void)11941 static int test_rstate_string(void)
11942 {
11943 SSL_CTX *cctx = NULL, *sctx = NULL;
11944 SSL *clientssl = NULL, *serverssl = NULL;
11945 int testresult = 0, version;
11946 const SSL_METHOD *servmeth = TLS_server_method();
11947 const SSL_METHOD *clientmeth = TLS_client_method();
11948 size_t written, readbytes;
11949 unsigned char buf[2];
11950 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11951 SSL3_RT_APPLICATION_DATA,
11952 TLS1_2_VERSION_MAJOR,
11953 0, /* To be filled in later */
11954 0,
11955 1
11956 };
11957
11958 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11959 0, &sctx, &cctx, cert, privkey)))
11960 goto end;
11961
11962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11963 &clientssl, NULL, NULL)))
11964 goto end;
11965
11966 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11967 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11968 goto end;
11969
11970 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11971 goto end;
11972
11973 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11974 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11975 goto end;
11976
11977 /* Fill in the correct version for the record header */
11978 version = SSL_version(serverssl);
11979 if (version == TLS1_3_VERSION)
11980 version = TLS1_2_VERSION;
11981 dummyheader[2] = version & 0xff;
11982
11983 /*
11984 * Send a dummy header. If we continued to read the body as well this
11985 * would fail with a bad record mac, but we're not going to go that far.
11986 */
11987 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11988 sizeof(dummyheader), &written))
11989 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11990 goto end;
11991
11992 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11993 goto end;
11994
11995 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11996 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11997 goto end;
11998
11999 testresult = 1;
12000 end:
12001 SSL_free(serverssl);
12002 SSL_free(clientssl);
12003 SSL_CTX_free(sctx);
12004 SSL_CTX_free(cctx);
12005 return testresult;
12006 }
12007
12008 /*
12009 * Force a write retry during handshaking. We test various combinations of
12010 * scenarios. We test a large certificate message which will fill the buffering
12011 * BIO used in the handshake. We try with client auth on and off. Finally we
12012 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
12013 * to indicate retry via -1 - but sometimes BIOs don't do that.
12014 *
12015 * Test 0: Standard certificate message
12016 * Test 1: Large certificate message
12017 * Test 2: Standard cert, verify peer
12018 * Test 3: Large cert, verify peer
12019 * Test 4: Standard cert, BIO returns 0 on retry
12020 * Test 5: Large cert, BIO returns 0 on retry
12021 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
12022 * Test 7: Large cert, verify peer, BIO returns 0 on retry
12023 * Test 8-15: Repeat of above with TLSv1.2
12024 */
test_handshake_retry(int idx)12025 static int test_handshake_retry(int idx)
12026 {
12027 SSL_CTX *cctx = NULL, *sctx = NULL;
12028 SSL *clientssl = NULL, *serverssl = NULL;
12029 int testresult = 0;
12030 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
12031 int maxversion = 0;
12032
12033 if (!TEST_ptr(bretry))
12034 goto end;
12035
12036 #ifndef OPENSSL_NO_TLS1_2
12037 if ((idx & 8) == 8)
12038 maxversion = TLS1_2_VERSION;
12039 #else
12040 if ((idx & 8) == 8)
12041 return TEST_skip("No TLSv1.2");
12042 #endif
12043
12044 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12045 TLS_client_method(), 0, maxversion,
12046 &sctx, &cctx, cert, privkey)))
12047 goto end;
12048
12049 /*
12050 * Add a large amount of data to fill the buffering BIO used by the SSL
12051 * object
12052 */
12053 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
12054 goto end;
12055
12056 /*
12057 * We don't actually configure a client cert, but neither do we fail if one
12058 * isn't present.
12059 */
12060 if ((idx & 2) == 2)
12061 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
12062
12063 if ((idx & 4) == 4)
12064 set_always_retry_err_val(0);
12065
12066 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
12067 &clientssl, NULL, NULL)))
12068 goto end;
12069
12070 tmp = SSL_get_wbio(serverssl);
12071 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
12072 tmp = NULL;
12073 goto end;
12074 }
12075 SSL_set0_wbio(serverssl, bretry);
12076 bretry = NULL;
12077
12078 if (!TEST_int_eq(SSL_connect(clientssl), -1))
12079 goto end;
12080
12081 if (!TEST_int_eq(SSL_accept(serverssl), -1)
12082 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
12083 goto end;
12084
12085 /* Restore a BIO that will let the write succeed */
12086 SSL_set0_wbio(serverssl, tmp);
12087 tmp = NULL;
12088
12089 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
12090 goto end;
12091
12092 testresult = 1;
12093 end:
12094 SSL_free(serverssl);
12095 SSL_free(clientssl);
12096 SSL_CTX_free(sctx);
12097 SSL_CTX_free(cctx);
12098 BIO_free(bretry);
12099 BIO_free(tmp);
12100 set_always_retry_err_val(-1);
12101 return testresult;
12102 }
12103
12104 /*
12105 * Test that receiving retries when writing application data works as expected
12106 */
test_data_retry(void)12107 static int test_data_retry(void)
12108 {
12109 SSL_CTX *cctx = NULL, *sctx = NULL;
12110 SSL *clientssl = NULL, *serverssl = NULL;
12111 int testresult = 0;
12112 unsigned char inbuf[1200], outbuf[1200];
12113 size_t i;
12114 BIO *tmp = NULL;
12115 BIO *bretry = BIO_new(bio_s_maybe_retry());
12116 size_t written, readbytes, totread = 0;
12117
12118 if (!TEST_ptr(bretry))
12119 goto end;
12120
12121 for (i = 0; i < sizeof(inbuf); i++)
12122 inbuf[i] = (unsigned char)(0xff & i);
12123 memset(outbuf, 0, sizeof(outbuf));
12124
12125 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12126 TLS_client_method(), 0, 0, &sctx, &cctx,
12127 cert, privkey)))
12128 goto end;
12129
12130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12131 NULL)))
12132 goto end;
12133
12134 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
12135 goto end;
12136
12137 /* Smallest possible max send fragment is 512 */
12138 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
12139 goto end;
12140
12141 tmp = SSL_get_wbio(clientssl);
12142 if (!TEST_ptr(tmp))
12143 goto end;
12144 if (!TEST_true(BIO_up_ref(tmp)))
12145 goto end;
12146 BIO_push(bretry, tmp);
12147 tmp = NULL;
12148 SSL_set0_wbio(clientssl, bretry);
12149 if (!BIO_up_ref(bretry)) {
12150 bretry = NULL;
12151 goto end;
12152 }
12153
12154 for (i = 0; i < 3; i++) {
12155 /* We expect this call to make no progress and indicate retry */
12156 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12157 goto end;
12158 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12159 goto end;
12160
12161 /* Allow one write to progress, but the next one to signal retry */
12162 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
12163 NULL)))
12164 goto end;
12165
12166 if (i == 2)
12167 break;
12168
12169 /*
12170 * This call will hopefully make progress but will still indicate retry
12171 * because there is more data than will fit into a single record.
12172 */
12173 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12174 goto end;
12175 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12176 goto end;
12177 }
12178
12179 /* The final call should write the last chunk of data and succeed */
12180 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12181 goto end;
12182 /* Read all the data available */
12183 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
12184 &readbytes))
12185 totread += readbytes;
12186 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
12187 goto end;
12188
12189 testresult = 1;
12190 end:
12191 SSL_free(serverssl);
12192 SSL_free(clientssl);
12193 SSL_CTX_free(sctx);
12194 SSL_CTX_free(cctx);
12195 BIO_free_all(bretry);
12196 BIO_free(tmp);
12197 return testresult;
12198 }
12199
12200 struct resume_servername_cb_data {
12201 int i;
12202 SSL_CTX *cctx;
12203 SSL_CTX *sctx;
12204 SSL_SESSION *sess;
12205 int recurse;
12206 };
12207
12208 /*
12209 * Servername callback. We use it here to run another complete handshake using
12210 * the same session - and mark the session as not_resuamble at the end
12211 */
resume_servername_cb(SSL * s,int * ad,void * arg)12212 static int resume_servername_cb(SSL *s, int *ad, void *arg)
12213 {
12214 struct resume_servername_cb_data *cbdata = arg;
12215 SSL *serverssl = NULL, *clientssl = NULL;
12216 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
12217
12218 if (cbdata->recurse)
12219 return SSL_TLSEXT_ERR_ALERT_FATAL;
12220
12221 if ((cbdata->i % 3) != 1)
12222 return SSL_TLSEXT_ERR_OK;
12223
12224 cbdata->recurse = 1;
12225
12226 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
12227 &clientssl, NULL, NULL))
12228 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
12229 goto end;
12230
12231 ERR_set_mark();
12232 /*
12233 * We expect this to fail - because the servername cb will fail. This will
12234 * mark the session as not_resumable.
12235 */
12236 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
12237 ERR_clear_last_mark();
12238 goto end;
12239 }
12240 ERR_pop_to_mark();
12241
12242 ret = SSL_TLSEXT_ERR_OK;
12243 end:
12244 SSL_free(serverssl);
12245 SSL_free(clientssl);
12246 cbdata->recurse = 0;
12247 return ret;
12248 }
12249 /*
12250 * Test multiple resumptions and cache size handling
12251 * Test 0: TLSv1.3 (max_early_data set)
12252 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
12253 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
12254 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
12255 * Test 4: TLSv1.2
12256 */
test_multi_resume(int idx)12257 static int test_multi_resume(int idx)
12258 {
12259 SSL_CTX *sctx = NULL, *cctx = NULL;
12260 SSL *serverssl = NULL, *clientssl = NULL;
12261 SSL_SESSION *sess = NULL;
12262 int max_version = TLS1_3_VERSION;
12263 int i, testresult = 0;
12264 struct resume_servername_cb_data cbdata;
12265
12266 #if defined(OPENSSL_NO_TLS1_2)
12267 if (idx == 4)
12268 return TEST_skip("TLSv1.2 is disabled in this build");
12269 #else
12270 if (idx == 4)
12271 max_version = TLS1_2_VERSION;
12272 #endif
12273 #if defined(OSSL_NO_USABLE_TLS1_3)
12274 if (idx != 4)
12275 return TEST_skip("No usable TLSv1.3 in this build");
12276 #endif
12277
12278 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12279 TLS_client_method(), TLS1_VERSION,
12280 max_version, &sctx, &cctx, cert,
12281 privkey)))
12282 goto end;
12283
12284 /*
12285 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
12286 * replay protection), or if SSL_OP_NO_TICKET is in use
12287 */
12288 if (idx == 0 || idx == 2) {
12289 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
12290 goto end;
12291 }
12292 if (idx == 1 || idx == 2 || idx == 3)
12293 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
12294
12295 SSL_CTX_sess_set_cache_size(sctx, 5);
12296
12297 if (idx == 3) {
12298 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
12299 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
12300 cbdata.cctx = cctx;
12301 cbdata.sctx = sctx;
12302 cbdata.recurse = 0;
12303 }
12304
12305 for (i = 0; i < 30; i++) {
12306 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
12307 NULL, NULL))
12308 || !TEST_true(SSL_set_session(clientssl, sess)))
12309 goto end;
12310
12311 /*
12312 * Check simultaneous resumes. We pause the connection part way through
12313 * the handshake by (mis)using the servername_cb. The pause occurs after
12314 * session resumption has already occurred, but before any session
12315 * tickets have been issued. While paused we run another complete
12316 * handshake resuming the same session.
12317 */
12318 if (idx == 3) {
12319 cbdata.i = i;
12320 cbdata.sess = sess;
12321 }
12322
12323 /*
12324 * Recreate a bug where dynamically changing the max_early_data value
12325 * can cause sessions in the session cache which cannot be deleted.
12326 */
12327 if ((idx == 0 || idx == 2) && (i % 3) == 2)
12328 SSL_set_max_early_data(serverssl, 0);
12329
12330 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
12331 goto end;
12332
12333 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
12334 if (!TEST_false(SSL_session_reused(clientssl)))
12335 goto end;
12336 } else {
12337 if (!TEST_true(SSL_session_reused(clientssl)))
12338 goto end;
12339 }
12340 SSL_SESSION_free(sess);
12341
12342 /* Do a full handshake, followed by two resumptions */
12343 if ((i % 3) == 2) {
12344 sess = NULL;
12345 } else {
12346 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
12347 goto end;
12348 }
12349
12350 SSL_shutdown(clientssl);
12351 SSL_shutdown(serverssl);
12352 SSL_free(serverssl);
12353 SSL_free(clientssl);
12354 serverssl = clientssl = NULL;
12355 }
12356
12357 /* We should never exceed the session cache size limit */
12358 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
12359 goto end;
12360
12361 testresult = 1;
12362 end:
12363 SSL_free(serverssl);
12364 SSL_free(clientssl);
12365 SSL_CTX_free(sctx);
12366 SSL_CTX_free(cctx);
12367 SSL_SESSION_free(sess);
12368 return testresult;
12369 }
12370
12371 static struct next_proto_st {
12372 int serverlen;
12373 unsigned char server[40];
12374 int clientlen;
12375 unsigned char client[40];
12376 int expected_ret;
12377 size_t selectedlen;
12378 unsigned char selected[40];
12379 } next_proto_tests[] = {
12380 { 4, { 3, 'a', 'b', 'c' },
12381 4, { 3, 'a', 'b', 'c' },
12382 OPENSSL_NPN_NEGOTIATED,
12383 3, { 'a', 'b', 'c' } },
12384 { 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
12385 4, { 3, 'a', 'b', 'c' },
12386 OPENSSL_NPN_NEGOTIATED,
12387 3, { 'a', 'b', 'c' } },
12388 { 7, {
12389 2,
12390 'a',
12391 'b',
12392 3,
12393 'a',
12394 'b',
12395 'c',
12396 },
12397 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } },
12398 { 4, { 3, 'a', 'b', 'c' }, 7, {
12399 3,
12400 'a',
12401 'b',
12402 'c',
12403 2,
12404 'a',
12405 'b',
12406 },
12407 OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } },
12408 { 4, { 3, 'a', 'b', 'c' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'b', 'c', 'd' }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 0, { 0 }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { -1, { 0 }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'a', 'b', 'c' }, 0, { 0 }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }, { 4, { 3, 'a', 'b', 'c' }, -1, { 0 }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }, { 3, { 3, 'a', 'b', 'c' }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'a', 'b', 'c' }, 3, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }
12409 };
12410
test_select_next_proto(int idx)12411 static int test_select_next_proto(int idx)
12412 {
12413 struct next_proto_st *np = &next_proto_tests[idx];
12414 int ret = 0;
12415 unsigned char *out, *client, *server;
12416 unsigned char outlen;
12417 unsigned int clientlen, serverlen;
12418
12419 if (np->clientlen == -1) {
12420 client = NULL;
12421 clientlen = 0;
12422 } else {
12423 client = np->client;
12424 clientlen = (unsigned int)np->clientlen;
12425 }
12426 if (np->serverlen == -1) {
12427 server = NULL;
12428 serverlen = 0;
12429 } else {
12430 server = np->server;
12431 serverlen = (unsigned int)np->serverlen;
12432 }
12433
12434 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
12435 client, clientlen),
12436 np->expected_ret))
12437 goto err;
12438
12439 if (np->selectedlen == 0) {
12440 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
12441 goto err;
12442 } else {
12443 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
12444 goto err;
12445 }
12446
12447 ret = 1;
12448 err:
12449 return ret;
12450 }
12451
12452 static const unsigned char fooprot[] = { 3, 'f', 'o', 'o' };
12453 static const unsigned char barprot[] = { 3, 'b', 'a', 'r' };
12454
12455 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
npn_advert_cb(SSL * ssl,const unsigned char ** out,unsigned int * outlen,void * arg)12456 static int npn_advert_cb(SSL *ssl, const unsigned char **out,
12457 unsigned int *outlen, void *arg)
12458 {
12459 int *idx = (int *)arg;
12460
12461 switch (*idx) {
12462 default:
12463 case 0:
12464 *out = fooprot;
12465 *outlen = sizeof(fooprot);
12466 return SSL_TLSEXT_ERR_OK;
12467
12468 case 1:
12469 *out = NULL;
12470 *outlen = 0;
12471 return SSL_TLSEXT_ERR_OK;
12472
12473 case 2:
12474 return SSL_TLSEXT_ERR_NOACK;
12475 }
12476 }
12477
npn_select_cb(SSL * s,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)12478 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
12479 const unsigned char *in, unsigned int inlen, void *arg)
12480 {
12481 int *idx = (int *)arg;
12482
12483 switch (*idx) {
12484 case 0:
12485 case 1:
12486 *out = (unsigned char *)(fooprot + 1);
12487 *outlen = *fooprot;
12488 return SSL_TLSEXT_ERR_OK;
12489
12490 case 3:
12491 *out = (unsigned char *)(barprot + 1);
12492 *outlen = *barprot;
12493 return SSL_TLSEXT_ERR_OK;
12494
12495 case 4:
12496 *outlen = 0;
12497 return SSL_TLSEXT_ERR_OK;
12498
12499 default:
12500 case 2:
12501 return SSL_TLSEXT_ERR_ALERT_FATAL;
12502 }
12503 }
12504
12505 /*
12506 * Test the NPN callbacks
12507 * Test 0: advert = foo, select = foo
12508 * Test 1: advert = <empty>, select = foo
12509 * Test 2: no advert
12510 * Test 3: advert = foo, select = bar
12511 * Test 4: advert = foo, select = <empty> (should fail)
12512 */
test_npn(int idx)12513 static int test_npn(int idx)
12514 {
12515 SSL_CTX *sctx = NULL, *cctx = NULL;
12516 SSL *serverssl = NULL, *clientssl = NULL;
12517 int testresult = 0;
12518
12519 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12520 TLS_client_method(), 0, TLS1_2_VERSION,
12521 &sctx, &cctx, cert, privkey)))
12522 goto end;
12523
12524 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
12525 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
12526
12527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12528 NULL)))
12529 goto end;
12530
12531 if (idx == 4) {
12532 /* We don't allow empty selection of NPN, so this should fail */
12533 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12534 SSL_ERROR_NONE)))
12535 goto end;
12536 } else {
12537 const unsigned char *prot;
12538 unsigned int protlen;
12539
12540 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12541 SSL_ERROR_NONE)))
12542 goto end;
12543
12544 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
12545 switch (idx) {
12546 case 0:
12547 case 1:
12548 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12549 goto end;
12550 break;
12551 case 2:
12552 if (!TEST_uint_eq(protlen, 0))
12553 goto end;
12554 break;
12555 case 3:
12556 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
12557 goto end;
12558 break;
12559 default:
12560 TEST_error("Should not get here");
12561 goto end;
12562 }
12563 }
12564
12565 testresult = 1;
12566 end:
12567 SSL_free(serverssl);
12568 SSL_free(clientssl);
12569 SSL_CTX_free(sctx);
12570 SSL_CTX_free(cctx);
12571
12572 return testresult;
12573 }
12574 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12575
alpn_select_cb2(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)12576 static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
12577 unsigned char *outlen, const unsigned char *in,
12578 unsigned int inlen, void *arg)
12579 {
12580 int *idx = (int *)arg;
12581
12582 switch (*idx) {
12583 case 0:
12584 *out = (unsigned char *)(fooprot + 1);
12585 *outlen = *fooprot;
12586 return SSL_TLSEXT_ERR_OK;
12587
12588 case 2:
12589 *out = (unsigned char *)(barprot + 1);
12590 *outlen = *barprot;
12591 return SSL_TLSEXT_ERR_OK;
12592
12593 case 3:
12594 *outlen = 0;
12595 return SSL_TLSEXT_ERR_OK;
12596
12597 default:
12598 case 1:
12599 return SSL_TLSEXT_ERR_ALERT_FATAL;
12600 }
12601 return 0;
12602 }
12603
12604 /*
12605 * Test the ALPN callbacks
12606 * Test 0: client = foo, select = foo
12607 * Test 1: client = <empty>, select = none
12608 * Test 2: client = foo, select = bar (should fail)
12609 * Test 3: client = foo, select = <empty> (should fail)
12610 */
test_alpn(int idx)12611 static int test_alpn(int idx)
12612 {
12613 SSL_CTX *sctx = NULL, *cctx = NULL;
12614 SSL *serverssl = NULL, *clientssl = NULL;
12615 int testresult = 0;
12616 const unsigned char *prots = fooprot;
12617 unsigned int protslen = sizeof(fooprot);
12618
12619 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12620 TLS_client_method(), 0, 0,
12621 &sctx, &cctx, cert, privkey)))
12622 goto end;
12623
12624 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
12625
12626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12627 NULL)))
12628 goto end;
12629
12630 if (idx == 1) {
12631 prots = NULL;
12632 protslen = 0;
12633 }
12634
12635 /* SSL_set_alpn_protos returns 0 for success! */
12636 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
12637 goto end;
12638
12639 if (idx == 2 || idx == 3) {
12640 /* We don't allow empty selection of NPN, so this should fail */
12641 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12642 SSL_ERROR_NONE)))
12643 goto end;
12644 } else {
12645 const unsigned char *prot;
12646 unsigned int protlen;
12647
12648 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12649 SSL_ERROR_NONE)))
12650 goto end;
12651
12652 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
12653 switch (idx) {
12654 case 0:
12655 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12656 goto end;
12657 break;
12658 case 1:
12659 if (!TEST_uint_eq(protlen, 0))
12660 goto end;
12661 break;
12662 default:
12663 TEST_error("Should not get here");
12664 goto end;
12665 }
12666 }
12667
12668 testresult = 1;
12669 end:
12670 SSL_free(serverssl);
12671 SSL_free(clientssl);
12672 SSL_CTX_free(sctx);
12673 SSL_CTX_free(cctx);
12674
12675 return testresult;
12676 }
12677
12678 #if !defined(OSSL_NO_USABLE_TLS1_3)
12679 struct quic_tls_test_data {
12680 struct quic_tls_test_data *peer;
12681 uint32_t renc_level;
12682 uint32_t wenc_level;
12683 unsigned char rcd_data[4][2048];
12684 size_t rcd_data_len[4];
12685 unsigned char rsecret[3][48];
12686 size_t rsecret_len[3];
12687 unsigned char wsecret[3][48];
12688 size_t wsecret_len[3];
12689 unsigned char params[3];
12690 size_t params_len;
12691 int alert;
12692 int err;
12693 int forcefail;
12694 int sm_count;
12695 };
12696
12697 static int clientquicdata = 0xff, serverquicdata = 0xfe;
12698
check_app_data(SSL * s)12699 static int check_app_data(SSL *s)
12700 {
12701 int *data, *comparedata;
12702
12703 /* Check app data works */
12704 data = (int *)SSL_get_app_data(s);
12705 comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;
12706
12707 if (!TEST_true(comparedata == data))
12708 return 0;
12709
12710 return 1;
12711 }
12712
crypto_send_cb(SSL * s,const unsigned char * buf,size_t buf_len,size_t * consumed,void * arg)12713 static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
12714 size_t *consumed, void *arg)
12715 {
12716 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12717 struct quic_tls_test_data *peer = data->peer;
12718 size_t max_len = sizeof(peer->rcd_data[data->wenc_level])
12719 - peer->rcd_data_len[data->wenc_level];
12720
12721 if (!check_app_data(s)) {
12722 data->err = 1;
12723 return 0;
12724 }
12725
12726 if (buf_len > max_len)
12727 buf_len = max_len;
12728
12729 if (buf_len == 0) {
12730 *consumed = 0;
12731 return 1;
12732 }
12733
12734 memcpy(peer->rcd_data[data->wenc_level]
12735 + peer->rcd_data_len[data->wenc_level],
12736 buf, buf_len);
12737 peer->rcd_data_len[data->wenc_level] += buf_len;
12738
12739 *consumed = buf_len;
12740 return 1;
12741 }
crypto_recv_rcd_cb(SSL * s,const unsigned char ** buf,size_t * bytes_read,void * arg)12742 static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
12743 size_t *bytes_read, void *arg)
12744 {
12745 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12746
12747 if (!check_app_data(s)) {
12748 data->err = 1;
12749 return 0;
12750 }
12751
12752 *bytes_read = data->rcd_data_len[data->renc_level];
12753 *buf = data->rcd_data[data->renc_level];
12754 return 1;
12755 }
12756
crypto_release_rcd_cb(SSL * s,size_t bytes_read,void * arg)12757 static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
12758 {
12759 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12760
12761 if (!check_app_data(s)) {
12762 data->err = 1;
12763 return 0;
12764 }
12765
12766 /* See if we need to force a failure in this callback */
12767 if (data->forcefail) {
12768 data->forcefail = 0;
12769 data->err = 1;
12770 return 0;
12771 }
12772
12773 if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
12774 || !TEST_size_t_gt(bytes_read, 0)) {
12775 data->err = 1;
12776 return 0;
12777 }
12778 data->rcd_data_len[data->renc_level] = 0;
12779
12780 return 1;
12781 }
12782
12783 struct secret_yield_entry {
12784 uint8_t recorded;
12785 int prot_level;
12786 int direction;
12787 int sm_generation;
12788 SSL *ssl;
12789 };
12790
12791 static struct secret_yield_entry secret_history[16];
12792 static int secret_history_idx = 0;
12793 /*
12794 * Note, this enum needs to match the direction values passed
12795 * to yield_secret_cb
12796 */
12797 typedef enum {
12798 LAST_DIR_READ = 0,
12799 LAST_DIR_WRITE = 1,
12800 LAST_DIR_UNSET = 2
12801 } last_dir_history_state;
12802
check_secret_history(SSL * s)12803 static int check_secret_history(SSL *s)
12804 {
12805 int i;
12806 int ret = 0;
12807 last_dir_history_state last_state = LAST_DIR_UNSET;
12808 int last_prot_level = 0;
12809 int last_generation = 0;
12810
12811 TEST_info("Checking history for %p\n", (void *)s);
12812 for (i = 0; secret_history[i].recorded == 1; i++) {
12813 if (secret_history[i].ssl != s)
12814 continue;
12815 TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
12816 secret_history[i].direction == 1 ? "Write" : "Read", secret_history[i].direction,
12817 secret_history[i].prot_level, last_prot_level, last_state,
12818 secret_history[i].sm_generation);
12819
12820 if (last_state == LAST_DIR_UNSET) {
12821 last_prot_level = secret_history[i].prot_level;
12822 last_state = secret_history[i].direction;
12823 last_generation = secret_history[i].sm_generation;
12824 continue;
12825 }
12826
12827 switch (secret_history[i].direction) {
12828 case 1:
12829 /*
12830 * write case
12831 * NOTE: There is an odd corner case here. It may occur that
12832 * in a single iteration of the state machine, the read key is yielded
12833 * prior to the write key for the same level. This is undesirable
12834 * for quic, but it is ok, as the general implementation of every 3rd
12835 * party quic stack while preferring write keys before read, allows
12836 * for read before write if both keys are yielded in the same call
12837 * to SSL_do_handshake, as the tls adaptation code for that quic stack
12838 * can then cache keys until both are available, so we allow read before
12839 * write here iff they occur in the same iteration of SSL_do_handshake
12840 * as represented by the recorded sm_generation value.
12841 */
12842 if (last_prot_level == secret_history[i].prot_level
12843 && last_state == LAST_DIR_READ) {
12844 if (last_generation == secret_history[i].sm_generation) {
12845 TEST_info("Read before write key in same SSL state machine iteration is ok");
12846 } else {
12847 TEST_error("Got read key before write key");
12848 goto end;
12849 }
12850 }
12851 /* FALLTHROUGH */
12852 case 0:
12853 /*
12854 * Read case
12855 */
12856 break;
12857 default:
12858 TEST_error("Unknown direction");
12859 goto end;
12860 }
12861 last_prot_level = secret_history[i].prot_level;
12862 last_state = secret_history[i].direction;
12863 last_generation = secret_history[i].sm_generation;
12864 }
12865
12866 ret = 1;
12867 end:
12868 return ret;
12869 }
12870
yield_secret_cb(SSL * s,uint32_t prot_level,int direction,const unsigned char * secret,size_t secret_len,void * arg)12871 static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
12872 const unsigned char *secret, size_t secret_len,
12873 void *arg)
12874 {
12875 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12876
12877 if (!check_app_data(s))
12878 goto err;
12879
12880 if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
12881 || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
12882 goto err;
12883
12884 switch (direction) {
12885 case 0: /* read */
12886 if (!TEST_size_t_le(secret_len, sizeof(data->rsecret)))
12887 goto err;
12888 data->renc_level = prot_level;
12889 memcpy(data->rsecret[prot_level - 1], secret, secret_len);
12890 data->rsecret_len[prot_level - 1] = secret_len;
12891 break;
12892
12893 case 1: /* write */
12894 if (!TEST_size_t_le(secret_len, sizeof(data->wsecret)))
12895 goto err;
12896 data->wenc_level = prot_level;
12897 memcpy(data->wsecret[prot_level - 1], secret, secret_len);
12898 data->wsecret_len[prot_level - 1] = secret_len;
12899 break;
12900
12901 default:
12902 goto err;
12903 }
12904
12905 secret_history[secret_history_idx].direction = direction;
12906 secret_history[secret_history_idx].prot_level = (int)prot_level;
12907 secret_history[secret_history_idx].recorded = 1;
12908 secret_history[secret_history_idx].ssl = s;
12909 secret_history[secret_history_idx].sm_generation = data->sm_count;
12910 secret_history_idx++;
12911 return 1;
12912 err:
12913 data->err = 1;
12914 return 0;
12915 }
12916
yield_secret_cb_fail(SSL * s,uint32_t prot_level,int direction,const unsigned char * secret,size_t secret_len,void * arg)12917 static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
12918 const unsigned char *secret, size_t secret_len,
12919 void *arg)
12920 {
12921 (void)s;
12922 (void)prot_level;
12923 (void)direction;
12924 (void)secret;
12925 (void)secret_len;
12926 (void)arg;
12927 /*
12928 * This callback is to test double free in quic tls
12929 */
12930 return 0;
12931 }
12932
got_transport_params_cb(SSL * s,const unsigned char * params,size_t params_len,void * arg)12933 static int got_transport_params_cb(SSL *s, const unsigned char *params,
12934 size_t params_len,
12935 void *arg)
12936 {
12937 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12938
12939 if (!check_app_data(s)) {
12940 data->err = 1;
12941 return 0;
12942 }
12943
12944 if (!TEST_size_t_le(params_len, sizeof(data->params))) {
12945 data->err = 1;
12946 return 0;
12947 }
12948
12949 memcpy(data->params, params, params_len);
12950 data->params_len = params_len;
12951
12952 return 1;
12953 }
12954
alert_cb(SSL * s,unsigned char alert_code,void * arg)12955 static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
12956 {
12957 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12958
12959 if (!check_app_data(s)) {
12960 data->err = 1;
12961 return 0;
12962 }
12963
12964 data->alert = 1;
12965 return 1;
12966 }
12967
12968 /*
12969 * Test the QUIC TLS API
12970 * Test 0: Normal run
12971 * Test 1: Force a failure
12972 * Test 3: Use a CCM based ciphersuite
12973 * Test 4: fail yield_secret_cb to see double free
12974 * Test 5: Normal run with SNI
12975 */
test_quic_tls(int idx)12976 static int test_quic_tls(int idx)
12977 {
12978 SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
12979 SSL *serverssl = NULL, *clientssl = NULL;
12980 int testresult = 0;
12981 OSSL_DISPATCH qtdis[] = {
12982 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
12983 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
12984 (void (*)(void))crypto_recv_rcd_cb },
12985 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
12986 (void (*)(void))crypto_release_rcd_cb },
12987 { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
12988 (void (*)(void))yield_secret_cb },
12989 { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
12990 (void (*)(void))got_transport_params_cb },
12991 { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
12992 { 0, NULL }
12993 };
12994 struct quic_tls_test_data sdata, cdata;
12995 const unsigned char cparams[] = {
12996 0xff, 0x01, 0x00
12997 };
12998 const unsigned char sparams[] = {
12999 0xfe, 0x01, 0x00
13000 };
13001 int i;
13002
13003 if (idx == 4)
13004 qtdis[3].function = (void (*)(void))yield_secret_cb_fail;
13005
13006 snicb = 0;
13007 memset(secret_history, 0, sizeof(secret_history));
13008 secret_history_idx = 0;
13009 memset(&sdata, 0, sizeof(sdata));
13010 memset(&cdata, 0, sizeof(cdata));
13011 sdata.peer = &cdata;
13012 cdata.peer = &sdata;
13013 if (idx == 1)
13014 sdata.forcefail = 1;
13015
13016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
13017 TLS_client_method(), TLS1_3_VERSION, 0,
13018 &sctx, &cctx, cert, privkey)))
13019 goto end;
13020
13021 if (idx == 5) {
13022 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
13023 TLS1_3_VERSION, 0,
13024 &sctx2, NULL, cert, privkey)))
13025 goto end;
13026
13027 /* Set up SNI */
13028 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
13029 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
13030 goto end;
13031 }
13032
13033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13034 NULL)))
13035 goto end;
13036
13037 /* Reset the BIOs we set in create_ssl_objects. We should not need them */
13038 SSL_set_bio(serverssl, NULL, NULL);
13039 SSL_set_bio(clientssl, NULL, NULL);
13040
13041 if (idx == 2) {
13042 if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
13043 || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
13044 goto end;
13045 }
13046
13047 if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
13048 || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
13049 goto end;
13050
13051 if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
13052 || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
13053 || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
13054 sizeof(cparams)))
13055 || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
13056 sizeof(sparams))))
13057 goto end;
13058
13059 if (idx != 1 && idx != 4) {
13060 if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
13061 &cdata.sm_count, &sdata.sm_count)))
13062 goto end;
13063 } else {
13064 /* We expect this connection to fail */
13065 if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
13066 &cdata.sm_count, &sdata.sm_count)))
13067 goto end;
13068 testresult = 1;
13069 sdata.err = 0;
13070 goto end;
13071 }
13072
13073 /* We should have had the SNI callback called exactly once */
13074 if (idx == 5) {
13075 if (!TEST_int_eq(snicb, 1))
13076 goto end;
13077 }
13078
13079 /* Check no problems during the handshake */
13080 if (!TEST_false(sdata.alert)
13081 || !TEST_false(cdata.alert)
13082 || !TEST_false(sdata.err)
13083 || !TEST_false(cdata.err))
13084 goto end;
13085
13086 /* Check the secrets all match */
13087 for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
13088 i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
13089 i++) {
13090 if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
13091 cdata.rsecret[i], cdata.rsecret_len[i]))
13092 goto end;
13093 }
13094
13095 /*
13096 * Check that our secret history yields write secrets before read secrets
13097 */
13098 if (!TEST_int_eq(check_secret_history(serverssl), 1))
13099 goto end;
13100 if (!TEST_int_eq(check_secret_history(clientssl), 1))
13101 goto end;
13102
13103 /* Check the transport params */
13104 if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13105 || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13106 sizeof(sparams)))
13107 goto end;
13108
13109 /* Check the encryption levels are what we expect them to be */
13110 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13111 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13112 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13113 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13114 goto end;
13115
13116 testresult = 1;
13117 end:
13118 SSL_free(serverssl);
13119 SSL_free(clientssl);
13120 SSL_CTX_free(sctx2);
13121 SSL_CTX_free(sctx);
13122 SSL_CTX_free(cctx);
13123
13124 /* Check that we didn't suddenly hit an unexpected failure during cleanup */
13125 if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
13126 testresult = 0;
13127
13128 return testresult;
13129 }
13130
assert_no_end_of_early_data(int write_p,int version,int content_type,const void * buf,size_t msglen,SSL * ssl,void * arg)13131 static void assert_no_end_of_early_data(int write_p, int version, int content_type,
13132 const void *buf, size_t msglen, SSL *ssl, void *arg)
13133 {
13134 const unsigned char *msg = buf;
13135
13136 if (content_type == SSL3_RT_HANDSHAKE && msg[0] == SSL3_MT_END_OF_EARLY_DATA)
13137 end_of_early_data = 1;
13138 }
13139
test_quic_tls_early_data(void)13140 static int test_quic_tls_early_data(void)
13141 {
13142 SSL_CTX *sctx = NULL, *cctx = NULL;
13143 SSL *serverssl = NULL, *clientssl = NULL;
13144 int testresult = 0;
13145 SSL_SESSION *sess = NULL;
13146 const OSSL_DISPATCH qtdis[] = {
13147 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
13148 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
13149 (void (*)(void))crypto_recv_rcd_cb },
13150 { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
13151 (void (*)(void))crypto_release_rcd_cb },
13152 { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
13153 (void (*)(void))yield_secret_cb },
13154 { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
13155 (void (*)(void))got_transport_params_cb },
13156 { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
13157 { 0, NULL }
13158 };
13159 struct quic_tls_test_data sdata, cdata;
13160 const unsigned char cparams[] = {
13161 0xff, 0x01, 0x00
13162 };
13163 const unsigned char sparams[] = {
13164 0xfe, 0x01, 0x00
13165 };
13166 int i;
13167
13168 memset(secret_history, 0, sizeof(secret_history));
13169 secret_history_idx = 0;
13170 memset(&sdata, 0, sizeof(sdata));
13171 memset(&cdata, 0, sizeof(cdata));
13172 sdata.peer = &cdata;
13173 cdata.peer = &sdata;
13174 end_of_early_data = 0;
13175
13176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
13177 TLS_client_method(), TLS1_3_VERSION, 0,
13178 &sctx, &cctx, cert, privkey)))
13179 goto end;
13180
13181 SSL_CTX_set_max_early_data(sctx, 0xffffffff);
13182 SSL_CTX_set_max_early_data(cctx, 0xffffffff);
13183
13184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13185 NULL)))
13186 goto end;
13187
13188 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13189 goto end;
13190
13191 sess = SSL_get1_session(clientssl);
13192 SSL_shutdown(clientssl);
13193 SSL_shutdown(serverssl);
13194 SSL_free(serverssl);
13195 SSL_free(clientssl);
13196 serverssl = clientssl = NULL;
13197
13198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
13199 &clientssl, NULL, NULL))
13200 || !TEST_true(SSL_set_session(clientssl, sess)))
13201 goto end;
13202
13203 /* Reset the BIOs we set in create_ssl_objects. We should not need them */
13204 SSL_set_bio(serverssl, NULL, NULL);
13205 SSL_set_bio(clientssl, NULL, NULL);
13206
13207 if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
13208 || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
13209 goto end;
13210
13211 if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
13212 || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
13213 || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
13214 sizeof(cparams)))
13215 || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
13216 sizeof(sparams))))
13217 goto end;
13218
13219 /*
13220 * Reset our secret history so we get the record of the second connection
13221 */
13222 memset(secret_history, 0, sizeof(secret_history));
13223 secret_history_idx = 0;
13224
13225 SSL_set_quic_tls_early_data_enabled(serverssl, 1);
13226 SSL_set_quic_tls_early_data_enabled(clientssl, 1);
13227
13228 SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
13229 SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);
13230
13231 if (!TEST_int_eq(SSL_connect(clientssl), -1)
13232 || !TEST_int_eq(SSL_accept(serverssl), -1)
13233 || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
13234 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
13235 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
13236 goto end;
13237
13238 /* Check the encryption levels are what we expect them to be */
13239 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
13240 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13241 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
13242 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
13243 goto end;
13244
13245 sdata.sm_count = 0;
13246 cdata.sm_count = 0;
13247 if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
13248 &cdata.sm_count, &sdata.sm_count)))
13249 goto end;
13250
13251 /* Check no problems during the handshake */
13252 if (!TEST_false(sdata.alert)
13253 || !TEST_false(cdata.alert)
13254 || !TEST_false(sdata.err)
13255 || !TEST_false(cdata.err))
13256 goto end;
13257
13258 /* Check the secrets all match */
13259 for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
13260 i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
13261 i++) {
13262 if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
13263 cdata.rsecret[i], cdata.rsecret_len[i]))
13264 goto end;
13265 }
13266
13267 if (!TEST_int_eq(check_secret_history(serverssl), 1))
13268 goto end;
13269 if (!TEST_int_eq(check_secret_history(clientssl), 1))
13270 goto end;
13271
13272 /* Check the transport params */
13273 if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13274 || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13275 sizeof(sparams)))
13276 goto end;
13277
13278 /* Check the encryption levels are what we expect them to be */
13279 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13280 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13281 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13282 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13283 goto end;
13284
13285 /* Check there is no EndOfEearlyData in handshake */
13286 if (!TEST_int_eq(end_of_early_data, 0))
13287 goto end;
13288
13289 testresult = 1;
13290 end:
13291 SSL_SESSION_free(sess);
13292 SSL_SESSION_free(clientpsk);
13293 SSL_SESSION_free(serverpsk);
13294 clientpsk = serverpsk = NULL;
13295 SSL_free(serverssl);
13296 SSL_free(clientssl);
13297 SSL_CTX_free(sctx);
13298 SSL_CTX_free(cctx);
13299
13300 return testresult;
13301 }
13302 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
13303
test_no_renegotiation(int idx)13304 static int test_no_renegotiation(int idx)
13305 {
13306 SSL_CTX *sctx = NULL, *cctx = NULL;
13307 SSL *serverssl = NULL, *clientssl = NULL;
13308 int testresult = 0, ret;
13309 int max_proto;
13310 const SSL_METHOD *sm, *cm;
13311 unsigned char buf[5];
13312
13313 if (idx == 0) {
13314 #ifndef OPENSSL_NO_TLS1_2
13315 max_proto = TLS1_2_VERSION;
13316 sm = TLS_server_method();
13317 cm = TLS_client_method();
13318 #else
13319 return TEST_skip("TLSv1.2 is disabled in this build");
13320 #endif
13321 } else {
13322 #ifndef OPENSSL_NO_DTLS1_2
13323 max_proto = DTLS1_2_VERSION;
13324 sm = DTLS_server_method();
13325 cm = DTLS_client_method();
13326 #else
13327 return TEST_skip("DTLSv1.2 is disabled in this build");
13328 #endif
13329 }
13330 if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
13331 &sctx, &cctx, cert, privkey)))
13332 goto end;
13333
13334 SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);
13335
13336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13337 NULL)))
13338 goto end;
13339
13340 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13341 goto end;
13342
13343 if (!TEST_true(SSL_renegotiate(clientssl))
13344 || !TEST_int_le(ret = SSL_connect(clientssl), 0)
13345 || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
13346 goto end;
13347
13348 /*
13349 * We've not sent any application data, so we expect this to fail. It should
13350 * also read the renegotiation attempt, and send back a no_renegotiation
13351 * warning alert because we have renegotiation disabled.
13352 */
13353 if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
13354 goto end;
13355 if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
13356 goto end;
13357
13358 /*
13359 * The client should now see the no_renegotiation warning and fail the
13360 * connection
13361 */
13362 if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
13363 || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
13364 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
13365 goto end;
13366
13367 testresult = 1;
13368 end:
13369 SSL_free(serverssl);
13370 SSL_free(clientssl);
13371 SSL_CTX_free(sctx);
13372 SSL_CTX_free(cctx);
13373
13374 return testresult;
13375 }
13376
13377 #if defined(DO_SSL_TRACE_TEST)
13378 /*
13379 * Tests that the SSL_trace() msg_callback works as expected with a PQ Groups.
13380 */
test_ssl_trace(void)13381 static int test_ssl_trace(void)
13382 {
13383 SSL_CTX *sctx = NULL, *cctx = NULL;
13384 SSL *serverssl = NULL, *clientssl = NULL;
13385 int testresult = 0;
13386 BIO *bio = NULL;
13387 char *reffile = NULL;
13388 char *grouplist = "MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768"
13389 ":SecP384r1MLKEM1024:secp521r1:secp384r1:secp256r1";
13390
13391 if (!fips_provider_version_ge(libctx, 3, 5, 0))
13392 return TEST_skip("FIPS provider does not support MLKEM algorithms");
13393
13394 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
13395 TLS_client_method(),
13396 TLS1_3_VERSION, TLS1_3_VERSION,
13397 &sctx, &cctx, cert, privkey))
13398 || !TEST_ptr(bio = BIO_new(BIO_s_mem()))
13399 || !TEST_true(SSL_CTX_set1_groups_list(sctx, grouplist))
13400 || !TEST_true(SSL_CTX_set1_groups_list(cctx, grouplist))
13401 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
13402 "TLS_AES_128_GCM_SHA256"))
13403 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
13404 "TLS_AES_128_GCM_SHA256"))
13405 #ifdef SSL_OP_LEGACY_EC_POINT_FORMATS
13406 || !TEST_true(SSL_CTX_set_options(cctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
13407 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
13408 #endif
13409 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
13410 NULL, NULL)))
13411 goto err;
13412
13413 SSL_set_msg_callback(clientssl, SSL_trace);
13414 SSL_set_msg_callback_arg(clientssl, bio);
13415
13416 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13417 goto err;
13418
13419 /* Skip the comparison of the trace when the fips provider is used. */
13420 if (is_fips) {
13421 /* Check whether there was something written. */
13422 if (!TEST_int_gt(BIO_pending(bio), 0))
13423 goto err;
13424 } else {
13425
13426 #ifdef OPENSSL_NO_ZLIB
13427 reffile = test_mk_file_path(datadir, "ssltraceref.txt");
13428 #else
13429 reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt");
13430 #endif
13431 if (!TEST_true(compare_with_reference_file(bio, reffile)))
13432 goto err;
13433 }
13434
13435 testresult = 1;
13436 err:
13437 BIO_free(bio);
13438 SSL_free(serverssl);
13439 SSL_free(clientssl);
13440 SSL_CTX_free(sctx);
13441 SSL_CTX_free(cctx);
13442 OPENSSL_free(reffile);
13443
13444 return testresult;
13445 }
13446 #endif
13447
13448 /*
13449 * Test that SSL_CTX_set1_groups() when called with a list where the first
13450 * entry is unsupported, will send a key_share that uses the next usable entry.
13451 */
test_ssl_set_groups_unsupported_keyshare(int idx)13452 static int test_ssl_set_groups_unsupported_keyshare(int idx)
13453 {
13454 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
13455 int testresult = 0;
13456 SSL_CTX *sctx = NULL, *cctx = NULL;
13457 SSL *serverssl = NULL, *clientssl = NULL;
13458 int client_groups[] = {
13459 NID_brainpoolP256r1tls13,
13460 NID_sect163k1,
13461 NID_secp384r1,
13462 NID_ffdhe2048,
13463 };
13464
13465 switch (idx) {
13466 case 1:
13467 client_groups[0] = NID_id_tc26_gost_3410_2012_512_paramSetC;
13468 if (sizeof(unsigned long) == 4) {
13469 return TEST_skip("SSL_CTX_set1_groups() is broken on 32-bit systems with TLS"
13470 " group IDs > 0x20, see https://github.com/openssl/openssl/issues/29196");
13471 }
13472 break;
13473 }
13474
13475 if (!TEST_true(create_ssl_ctx_pair(libctx,
13476 TLS_server_method(),
13477 TLS_client_method(),
13478 0, 0,
13479 &sctx,
13480 &cctx,
13481 cert,
13482 privkey)))
13483 goto end;
13484
13485 if (!TEST_true(SSL_CTX_set1_groups(cctx,
13486 client_groups,
13487 OSSL_NELEM(client_groups))))
13488 goto end;
13489
13490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13491 NULL)))
13492 goto end;
13493
13494 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13495 goto end;
13496
13497 testresult = 1;
13498 end:
13499 SSL_free(serverssl);
13500 SSL_free(clientssl);
13501 SSL_CTX_free(sctx);
13502 SSL_CTX_free(cctx);
13503
13504 return testresult;
13505 #else /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
13506 return TEST_skip("No EC and DH support.");
13507 #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
13508 }
13509
13510 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
13511
setup_tests(void)13512 int setup_tests(void)
13513 {
13514 char *modulename;
13515 char *configfile;
13516
13517 libctx = OSSL_LIB_CTX_new();
13518 if (!TEST_ptr(libctx))
13519 return 0;
13520
13521 defctxnull = OSSL_PROVIDER_load(NULL, "null");
13522
13523 /*
13524 * Verify that the default and fips providers in the default libctx are not
13525 * available
13526 */
13527 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
13528 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
13529 return 0;
13530
13531 if (!test_skip_common_options()) {
13532 TEST_error("Error parsing test options\n");
13533 return 0;
13534 }
13535
13536 if (!TEST_ptr(certsdir = test_get_argument(0))
13537 || !TEST_ptr(srpvfile = test_get_argument(1))
13538 || !TEST_ptr(tmpfilename = test_get_argument(2))
13539 || !TEST_ptr(modulename = test_get_argument(3))
13540 || !TEST_ptr(configfile = test_get_argument(4))
13541 || !TEST_ptr(dhfile = test_get_argument(5)))
13542 return 0;
13543
13544 datadir = test_get_argument(6);
13545
13546 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
13547 return 0;
13548
13549 /* Check we have the expected provider available */
13550 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
13551 return 0;
13552
13553 /* Check the default provider is not available */
13554 if (strcmp(modulename, "default") != 0
13555 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
13556 return 0;
13557
13558 if (strcmp(modulename, "fips") == 0) {
13559 OSSL_PROVIDER *prov = NULL;
13560 OSSL_PARAM params[2];
13561
13562 is_fips = 1;
13563
13564 prov = OSSL_PROVIDER_load(libctx, "fips");
13565 if (prov != NULL) {
13566 /* Query the fips provider to check if the check ems option is enabled */
13567 params[0] = OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
13568 &fips_ems_check);
13569 params[1] = OSSL_PARAM_construct_end();
13570 OSSL_PROVIDER_get_params(prov, params);
13571 OSSL_PROVIDER_unload(prov);
13572 }
13573 }
13574
13575 /*
13576 * We add, but don't load the test "tls-provider". We'll load it when we
13577 * need it.
13578 */
13579 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
13580 tls_provider_init)))
13581 return 0;
13582
13583 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
13584 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
13585 TEST_error("not supported in this build");
13586 return 0;
13587 #else
13588 int i, mcount, rcount, fcount;
13589
13590 for (i = 0; i < 4; i++)
13591 test_export_key_mat(i);
13592 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
13593 test_printf_stdout("malloc %d realloc %d free %d\n",
13594 mcount, rcount, fcount);
13595 return 1;
13596 #endif
13597 }
13598
13599 cert = test_mk_file_path(certsdir, "servercert.pem");
13600 if (cert == NULL)
13601 goto err;
13602
13603 privkey = test_mk_file_path(certsdir, "serverkey.pem");
13604 if (privkey == NULL)
13605 goto err;
13606
13607 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
13608 if (cert2 == NULL)
13609 goto err;
13610
13611 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
13612 if (privkey2 == NULL)
13613 goto err;
13614
13615 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
13616 if (cert1024 == NULL)
13617 goto err;
13618
13619 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
13620 if (privkey1024 == NULL)
13621 goto err;
13622
13623 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
13624 if (cert3072 == NULL)
13625 goto err;
13626
13627 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
13628 if (privkey3072 == NULL)
13629 goto err;
13630
13631 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
13632 if (cert4096 == NULL)
13633 goto err;
13634
13635 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
13636 if (privkey4096 == NULL)
13637 goto err;
13638
13639 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
13640 if (cert8192 == NULL)
13641 goto err;
13642
13643 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
13644 if (privkey8192 == NULL)
13645 goto err;
13646
13647 if (fips_ems_check) {
13648 #ifndef OPENSSL_NO_TLS1_2
13649 ADD_TEST(test_no_ems);
13650 #endif
13651 return 1;
13652 }
13653 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
13654 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
13655 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
13656 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
13657 #endif
13658 #endif
13659 ADD_TEST(test_large_message_tls);
13660 ADD_TEST(test_large_message_tls_read_ahead);
13661 #ifndef OPENSSL_NO_DTLS
13662 ADD_TEST(test_large_message_dtls);
13663 #endif
13664 ADD_ALL_TESTS(test_large_app_data, 28);
13665 ADD_TEST(test_cleanse_plaintext);
13666 #ifndef OPENSSL_NO_OCSP
13667 ADD_TEST(test_tlsext_status_type);
13668 #endif
13669 ADD_TEST(test_session_with_only_int_cache);
13670 ADD_TEST(test_session_with_only_ext_cache);
13671 ADD_TEST(test_session_with_both_cache);
13672 ADD_TEST(test_session_wo_ca_names);
13673 #ifndef OSSL_NO_USABLE_TLS1_3
13674 ADD_ALL_TESTS(test_stateful_tickets, 3);
13675 ADD_ALL_TESTS(test_stateless_tickets, 3);
13676 ADD_TEST(test_psk_tickets);
13677 ADD_ALL_TESTS(test_extra_tickets, 6);
13678 #endif
13679 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
13680 ADD_TEST(test_ssl_bio_pop_next_bio);
13681 ADD_TEST(test_ssl_bio_pop_ssl_bio);
13682 ADD_TEST(test_ssl_bio_change_rbio);
13683 ADD_TEST(test_ssl_bio_change_wbio);
13684 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
13685 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
13686 ADD_TEST(test_keylog);
13687 #endif
13688 #ifndef OSSL_NO_USABLE_TLS1_3
13689 ADD_TEST(test_keylog_no_master_key);
13690 #endif
13691 ADD_TEST(test_client_cert_verify_cb);
13692 ADD_TEST(test_ssl_build_cert_chain);
13693 ADD_TEST(test_ssl_ctx_build_cert_chain);
13694 #ifndef OPENSSL_NO_TLS1_2
13695 ADD_TEST(test_client_hello_cb);
13696 ADD_TEST(test_no_ems);
13697 ADD_TEST(test_ccs_change_cipher);
13698 #endif
13699 #ifndef OSSL_NO_USABLE_TLS1_3
13700 ADD_ALL_TESTS(test_early_data_read_write, 6);
13701 /*
13702 * We don't do replay tests for external PSK. Replay protection isn't used
13703 * in that scenario.
13704 */
13705 ADD_ALL_TESTS(test_early_data_replay, 2);
13706 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
13707 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
13708 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
13709 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
13710 ADD_ALL_TESTS(test_early_data_not_sent, 3);
13711 ADD_ALL_TESTS(test_early_data_psk, 8);
13712 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
13713 ADD_ALL_TESTS(test_early_data_not_expected, 3);
13714 #ifndef OPENSSL_NO_TLS1_2
13715 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
13716 #endif
13717 #endif
13718 #ifndef OSSL_NO_USABLE_TLS1_3
13719 ADD_ALL_TESTS(test_set_ciphersuite, 10);
13720 ADD_TEST(test_ciphersuite_change);
13721 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
13722 #ifdef OPENSSL_NO_PSK
13723 ADD_ALL_TESTS(test_tls13_psk, 1);
13724 #else
13725 ADD_ALL_TESTS(test_tls13_psk, 4);
13726 #endif /* OPENSSL_NO_PSK */
13727 #ifndef OSSL_NO_USABLE_TLS1_3
13728 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
13729 #endif /* OSSL_NO_USABLE_TLS1_3 */
13730 #ifndef OPENSSL_NO_TLS1_2
13731 /* Test with both TLSv1.3 and 1.2 versions */
13732 ADD_ALL_TESTS(test_key_exchange, 21);
13733 #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
13734 ADD_ALL_TESTS(test_negotiated_group,
13735 4 * (OSSL_NELEM(ecdhe_kexch_groups) + OSSL_NELEM(ffdhe_kexch_groups)));
13736 #endif
13737 #else
13738 /* Test with only TLSv1.3 versions */
13739 ADD_ALL_TESTS(test_key_exchange, 18);
13740 #endif
13741 ADD_ALL_TESTS(test_custom_exts, 6);
13742 ADD_TEST(test_stateless);
13743 ADD_TEST(test_pha_key_update);
13744 #else
13745 ADD_ALL_TESTS(test_custom_exts, 3);
13746 #endif
13747 ADD_ALL_TESTS(test_export_key_mat, 6);
13748 #ifndef OSSL_NO_USABLE_TLS1_3
13749 ADD_ALL_TESTS(test_export_key_mat_early, 3);
13750 ADD_TEST(test_key_update);
13751 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
13752 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
13753 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
13754 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
13755 #endif
13756 ADD_ALL_TESTS(test_ssl_clear, 8);
13757 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
13758 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
13759 ADD_ALL_TESTS(test_srp, 6);
13760 #endif
13761 #if !defined(OPENSSL_NO_COMP_ALG)
13762 /* Add compression case */
13763 ADD_ALL_TESTS(test_info_callback, 8);
13764 #else
13765 ADD_ALL_TESTS(test_info_callback, 6);
13766 #endif
13767 ADD_ALL_TESTS(test_ssl_pending, 2);
13768 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
13769 ADD_ALL_TESTS(test_ticket_callbacks, 20);
13770 ADD_ALL_TESTS(test_shutdown, 7);
13771 ADD_TEST(test_async_shutdown);
13772 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
13773 ADD_ALL_TESTS(test_cert_cb, 6);
13774 ADD_ALL_TESTS(test_client_cert_cb, 2);
13775 ADD_ALL_TESTS(test_ca_names, 3);
13776 #ifndef OPENSSL_NO_TLS1_2
13777 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
13778 #endif
13779 ADD_ALL_TESTS(test_servername, 10);
13780 ADD_TEST(test_unknown_sigalgs_groups);
13781 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
13782 ADD_TEST(test_configuration_of_groups);
13783 #endif
13784 #if !defined(OPENSSL_NO_EC) \
13785 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
13786 ADD_ALL_TESTS(test_sigalgs_available, 6);
13787 #endif
13788 #ifndef OPENSSL_NO_TLS1_3
13789 ADD_ALL_TESTS(test_pluggable_group, 2);
13790 ADD_ALL_TESTS(test_pluggable_signature, 6);
13791 #endif
13792 #ifndef OPENSSL_NO_TLS1_2
13793 ADD_TEST(test_ssl_dup);
13794 ADD_TEST(test_session_secret_cb);
13795 #ifndef OPENSSL_NO_DH
13796 ADD_ALL_TESTS(test_set_tmp_dh, 11);
13797 ADD_ALL_TESTS(test_dh_auto, 7);
13798 #endif
13799 #endif
13800 #ifndef OSSL_NO_USABLE_TLS1_3
13801 ADD_TEST(test_sni_tls13);
13802 ADD_ALL_TESTS(test_ticket_lifetime, 2);
13803 #endif
13804 ADD_TEST(test_inherit_verify_param);
13805 ADD_TEST(test_set_alpn);
13806 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
13807 ADD_TEST(test_set_verify_cert_store_ssl);
13808 ADD_ALL_TESTS(test_session_timeout, 1);
13809 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
13810 ADD_ALL_TESTS(test_session_cache_overflow, 4);
13811 #endif
13812 ADD_TEST(test_load_dhfile);
13813 #ifndef OSSL_NO_USABLE_TLS1_3
13814 ADD_TEST(test_read_ahead_key_change);
13815 ADD_ALL_TESTS(test_tls13_record_padding, 6);
13816 #endif
13817 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
13818 ADD_ALL_TESTS(test_serverinfo_custom, 4);
13819 #endif
13820 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
13821 ADD_ALL_TESTS(test_pipelining, 7);
13822 #endif
13823 ADD_ALL_TESTS(test_version, 6);
13824 ADD_TEST(test_rstate_string);
13825 ADD_ALL_TESTS(test_handshake_retry, 16);
13826 ADD_TEST(test_data_retry);
13827 ADD_ALL_TESTS(test_multi_resume, 5);
13828 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
13829 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
13830 ADD_ALL_TESTS(test_npn, 5);
13831 #endif
13832 ADD_ALL_TESTS(test_alpn, 4);
13833 #if !defined(OSSL_NO_USABLE_TLS1_3)
13834 ADD_ALL_TESTS(test_quic_tls, 6);
13835 ADD_TEST(test_quic_tls_early_data);
13836 #endif
13837 ADD_ALL_TESTS(test_no_renegotiation, 2);
13838 #if defined(DO_SSL_TRACE_TEST)
13839 if (datadir != NULL)
13840 ADD_TEST(test_ssl_trace);
13841 #endif
13842 ADD_ALL_TESTS(test_ssl_set_groups_unsupported_keyshare, 2);
13843 return 1;
13844
13845 err:
13846 OPENSSL_free(cert);
13847 OPENSSL_free(privkey);
13848 OPENSSL_free(cert2);
13849 OPENSSL_free(privkey2);
13850 return 0;
13851 }
13852
cleanup_tests(void)13853 void cleanup_tests(void)
13854 {
13855 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
13856 EVP_PKEY_free(tmp_dh_params);
13857 #endif
13858 OPENSSL_free(cert);
13859 OPENSSL_free(privkey);
13860 OPENSSL_free(cert2);
13861 OPENSSL_free(privkey2);
13862 OPENSSL_free(cert1024);
13863 OPENSSL_free(privkey1024);
13864 OPENSSL_free(cert3072);
13865 OPENSSL_free(privkey3072);
13866 OPENSSL_free(cert4096);
13867 OPENSSL_free(privkey4096);
13868 OPENSSL_free(cert8192);
13869 OPENSSL_free(privkey8192);
13870 bio_s_mempacket_test_free();
13871 bio_s_always_retry_free();
13872 bio_s_maybe_retry_free();
13873 OSSL_PROVIDER_unload(defctxnull);
13874 OSSL_LIB_CTX_free(libctx);
13875 }
13876