1 /*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "filterprov.h"
45
46 #undef OSSL_NO_USABLE_TLS1_3
47 #if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 /*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53 # define OSSL_NO_USABLE_TLS1_3
54 #endif
55
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62 static OSSL_LIB_CTX *libctx = NULL;
63 static OSSL_PROVIDER *defctxnull = NULL;
64
65 #ifndef OSSL_NO_USABLE_TLS1_3
66
67 static SSL_SESSION *clientpsk = NULL;
68 static SSL_SESSION *serverpsk = NULL;
69 static const char *pskid = "Identity";
70 static const char *srvid;
71
72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74 static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77 static int use_session_cb_cnt = 0;
78 static int find_session_cb_cnt = 0;
79
80 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81 #endif
82
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
99
100 static int is_fips = 0;
101
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t server_log_buffer_index = 0;
105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t client_log_buffer_index = 0;
107 static int error_writing_log = 0;
108
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder[] = "Dummy OCSP Response";
111 static int ocsp_server_called = 0;
112 static int ocsp_client_called = 0;
113
114 static int cdummyarg = 1;
115 static X509 *ocspcert = NULL;
116 #endif
117
118 #define NUM_EXTRA_CERTS 40
119 #define CLIENT_VERSION_LEN 2
120
121 /*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125 struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
128 unsigned int client_early_secret_count;
129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
133 unsigned int early_exporter_secret_count;
134 unsigned int exporter_secret_count;
135 };
136
137
hostname_cb(SSL * s,int * al,void * arg)138 static int hostname_cb(SSL *s, int *al, void *arg)
139 {
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147 }
148
client_keylog_callback(const SSL * ssl,const char * line)149 static void client_keylog_callback(const SSL *ssl, const char *line)
150 {
151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
162 client_log_buffer[client_log_buffer_index++] = '\n';
163 }
164
server_keylog_callback(const SSL * ssl,const char * line)165 static void server_keylog_callback(const SSL *ssl, const char *line)
166 {
167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171 TEST_info("Server log too full");
172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
178 server_log_buffer[server_log_buffer_index++] = '\n';
179 }
180
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)181 static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
184 size_t raw_length)
185 {
186 size_t i, j;
187 char hexed[3];
188
189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
190 return 1;
191
192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193 sprintf(hexed, "%02x", raw[i]);
194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196 return 1;
197 }
198
199 return 0;
200 }
201
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)202 static int test_keylog_output(char *buffer, const SSL *ssl,
203 const SSL_SESSION *session,
204 struct sslapitest_log_counts *expected)
205 {
206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
213 unsigned int client_early_secret_count = 0;
214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
218 unsigned int early_exporter_secret_count = 0;
219 unsigned int exporter_secret_count = 0;
220
221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
223 if (strcmp(token, "RSA") == 0) {
224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
229 if (!TEST_ptr(token = strtok(NULL, " \n")))
230 return 0;
231 if (!TEST_size_t_eq(strlen(token), 16))
232 return 0;
233 if (!TEST_ptr(token = strtok(NULL, " \n")))
234 return 0;
235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250 return 0;
251
252 if (!TEST_ptr(token = strtok(NULL, " \n")))
253 return 0;
254 if (!TEST_size_t_eq(strlen(token), 64))
255 return 0;
256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
259 return 0;
260
261 if (!TEST_ptr(token = strtok(NULL, " \n")))
262 return 0;
263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
266 if (!TEST_size_t_ne(master_key_size, 0))
267 return 0;
268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
271 return 0;
272 master_secret_count++;
273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279 || strcmp(token, "EXPORTER_SECRET") == 0) {
280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305 return 0;
306
307 if (!TEST_ptr(token = strtok(NULL, " \n")))
308 return 0;
309 if (!TEST_size_t_eq(strlen(token), 64))
310 return 0;
311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
314 return 0;
315
316 if (!TEST_ptr(token = strtok(NULL, " \n")))
317 return 0;
318 } else {
319 TEST_info("Unexpected token %s\n", token);
320 return 0;
321 }
322 }
323
324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
338 expected->server_application_secret_count)
339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
343 return 0;
344 return 1;
345 }
346
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
test_keylog(void)348 static int test_keylog(void)
349 {
350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
353 struct sslapitest_log_counts expected;
354
355 /* Clean up logging space */
356 memset(&expected, 0, sizeof(expected));
357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364 TLS_client_method(),
365 TLS1_VERSION, 0,
366 &sctx, &cctx, cert, privkey)))
367 return 0;
368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
373 /* We also want to ensure that we use RSA-based key exchange. */
374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375 goto end;
376
377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379 goto end;
380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
383 goto end;
384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
387 goto end;
388
389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
397 goto end;
398
399 /*
400 * Now we want to test that our output data was vaguely sensible. We
401 * do that by using strtok and confirming that we have more or less the
402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see an RSA key exchange.
404 */
405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
409 goto end;
410
411 expected.rsa_key_exchange_count = 0;
412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
414 goto end;
415
416 testresult = 1;
417
418 end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425 }
426 #endif
427
428 #ifndef OSSL_NO_USABLE_TLS1_3
test_keylog_no_master_key(void)429 static int test_keylog_no_master_key(void)
430 {
431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
433 SSL_SESSION *sess = NULL;
434 int testresult = 0;
435 struct sslapitest_log_counts expected;
436 unsigned char buf[1];
437 size_t readbytes, written;
438
439 /* Clean up logging space */
440 memset(&expected, 0, sizeof(expected));
441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451 SSL3_RT_MAX_PLAIN_LENGTH)))
452 return 0;
453
454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456 goto end;
457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
461 goto end;
462
463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
466 goto end;
467
468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
474 goto end;
475
476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479 * TLSv1.3, but we do expect both client and server to emit keys.
480 */
481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
485 expected.exporter_secret_count = 1;
486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
491 goto end;
492
493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
524 expected.early_exporter_secret_count = 1;
525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
532 testresult = 1;
533
534 end:
535 SSL_SESSION_free(sess);
536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542 }
543 #endif
544
verify_retry_cb(X509_STORE_CTX * ctx,void * arg)545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 {
547 int res = X509_verify_cert(ctx);
548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
561 return res;
562 }
563
test_client_cert_verify_cb(void)564 static int test_client_cert_verify_cb(void)
565 {
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620 end:
621 X509_free(crt1);
622 X509_free(crt2);
623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641 }
642
test_ssl_build_cert_chain(void)643 static int test_ssl_build_cert_chain(void)
644 {
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664 end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670 }
671
get_password_cb(char * buf,int size,int rw_flag,void * userdata)672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 {
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681 }
682
test_ssl_ctx_build_cert_chain(void)683 static int test_ssl_ctx_build_cert_chain(void)
684 {
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703 end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708 }
709
710 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
712 {
713 int *ctr = arg;
714 const unsigned char *p;
715 int *exts;
716 /* We only configure two ciphers, but the SCSV is added automatically. */
717 #ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 #else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722 #endif
723 const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
725 11, 10,
726 #endif
727 35, 22, 23, 13};
728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
732 return SSL_CLIENT_HELLO_RETRY;
733
734 len = SSL_client_hello_get0_ciphers(s, &p);
735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
738 || !TEST_int_eq(*p, 0))
739 return SSL_CLIENT_HELLO_ERROR;
740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744 printf("ClientHello callback expected extensions mismatch\n");
745 OPENSSL_free(exts);
746 return SSL_CLIENT_HELLO_ERROR;
747 }
748 OPENSSL_free(exts);
749 return SSL_CLIENT_HELLO_SUCCESS;
750 }
751
test_client_hello_cb(void)752 static int test_client_hello_cb(void)
753 {
754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
760 &sctx, &cctx, cert, privkey)))
761 goto end;
762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763
764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766
767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
781 goto end;
782
783 testresult = 1;
784
785 end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792 }
793
test_no_ems(void)794 static int test_no_ems(void)
795 {
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0;
799
800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
815 printf("Creating SSL connection failed\n");
816 goto end;
817 }
818
819 if (SSL_get_extms_support(serverssl)) {
820 printf("Server reports Extended Master Secret support\n");
821 goto end;
822 }
823
824 if (SSL_get_extms_support(clientssl)) {
825 printf("Client reports Extended Master Secret support\n");
826 goto end;
827 }
828 testresult = 1;
829
830 end:
831 SSL_free(serverssl);
832 SSL_free(clientssl);
833 SSL_CTX_free(sctx);
834 SSL_CTX_free(cctx);
835
836 return testresult;
837 }
838
839 /*
840 * Very focused test to exercise a single case in the server-side state
841 * machine, when the ChangeCipherState message needs to actually change
842 * from one cipher to a different cipher (i.e., not changing from null
843 * encryption to real encryption).
844 */
test_ccs_change_cipher(void)845 static int test_ccs_change_cipher(void)
846 {
847 SSL_CTX *cctx = NULL, *sctx = NULL;
848 SSL *clientssl = NULL, *serverssl = NULL;
849 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850 int testresult = 0;
851 int i;
852 unsigned char buf;
853 size_t readbytes;
854
855 /*
856 * Create a conection so we can resume and potentially (but not) use
857 * a different cipher in the second connection.
858 */
859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
860 TLS_client_method(),
861 TLS1_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
865 NULL, NULL))
866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
868 SSL_ERROR_NONE))
869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
870 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
871 goto end;
872
873 shutdown_ssl_connection(serverssl, clientssl);
874 serverssl = clientssl = NULL;
875
876 /* Resume, preferring a different cipher. Our server will force the
877 * same cipher to be used as the initial handshake. */
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 NULL, NULL))
880 || !TEST_true(SSL_set_session(clientssl, sess))
881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
883 SSL_ERROR_NONE))
884 || !TEST_true(SSL_session_reused(clientssl))
885 || !TEST_true(SSL_session_reused(serverssl))
886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
887 || !TEST_ptr_eq(sesspre, sesspost)
888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
890 goto end;
891 shutdown_ssl_connection(serverssl, clientssl);
892 serverssl = clientssl = NULL;
893
894 /*
895 * Now create a fresh connection and try to renegotiate a different
896 * cipher on it.
897 */
898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
899 NULL, NULL))
900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
901 || !TEST_true(create_ssl_connection(serverssl, clientssl,
902 SSL_ERROR_NONE))
903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
905 || !TEST_true(SSL_renegotiate(clientssl))
906 || !TEST_true(SSL_renegotiate_pending(clientssl)))
907 goto end;
908 /* Actually drive the renegotiation. */
909 for (i = 0; i < 3; i++) {
910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
911 if (!TEST_ulong_eq(readbytes, 0))
912 goto end;
913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
914 SSL_ERROR_WANT_READ)) {
915 goto end;
916 }
917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 }
925 /* sesspre and sesspost should be different since the cipher changed. */
926 if (!TEST_false(SSL_renegotiate_pending(clientssl))
927 || !TEST_false(SSL_session_reused(clientssl))
928 || !TEST_false(SSL_session_reused(serverssl))
929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
930 || !TEST_ptr_ne(sesspre, sesspost)
931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
933 goto end;
934
935 shutdown_ssl_connection(serverssl, clientssl);
936 serverssl = clientssl = NULL;
937
938 testresult = 1;
939
940 end:
941 SSL_free(serverssl);
942 SSL_free(clientssl);
943 SSL_CTX_free(sctx);
944 SSL_CTX_free(cctx);
945 SSL_SESSION_free(sess);
946
947 return testresult;
948 }
949 #endif
950
add_large_cert_chain(SSL_CTX * sctx)951 static int add_large_cert_chain(SSL_CTX *sctx)
952 {
953 BIO *certbio = NULL;
954 X509 *chaincert = NULL;
955 int certlen;
956 int ret = 0;
957 int i;
958
959 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
960 goto end;
961
962 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
963 goto end;
964
965 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
966 goto end;
967 BIO_free(certbio);
968 certbio = NULL;
969
970 /*
971 * We assume the supplied certificate is big enough so that if we add
972 * NUM_EXTRA_CERTS it will make the overall message large enough. The
973 * default buffer size is requested to be 16k, but due to the way BUF_MEM
974 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
975 * test we need to have a message larger than that.
976 */
977 certlen = i2d_X509(chaincert, NULL);
978 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
979 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
980 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
981 if (!X509_up_ref(chaincert))
982 goto end;
983 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
984 X509_free(chaincert);
985 goto end;
986 }
987 }
988
989 ret = 1;
990 end:
991 BIO_free(certbio);
992 X509_free(chaincert);
993 return ret;
994 }
995
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)996 static int execute_test_large_message(const SSL_METHOD *smeth,
997 const SSL_METHOD *cmeth,
998 int min_version, int max_version,
999 int read_ahead)
1000 {
1001 SSL_CTX *cctx = NULL, *sctx = NULL;
1002 SSL *clientssl = NULL, *serverssl = NULL;
1003 int testresult = 0;
1004
1005 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1006 max_version, &sctx, &cctx, cert,
1007 privkey)))
1008 goto end;
1009
1010 #ifdef OPENSSL_NO_DTLS1_2
1011 if (smeth == DTLS_server_method()) {
1012 /*
1013 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1014 * level 0
1015 */
1016 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1017 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1018 "DEFAULT:@SECLEVEL=0")))
1019 goto end;
1020 }
1021 #endif
1022
1023 if (read_ahead) {
1024 /*
1025 * Test that read_ahead works correctly when dealing with large
1026 * records
1027 */
1028 SSL_CTX_set_read_ahead(cctx, 1);
1029 }
1030
1031 if (!add_large_cert_chain(sctx))
1032 goto end;
1033
1034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1035 NULL, NULL))
1036 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1037 SSL_ERROR_NONE)))
1038 goto end;
1039
1040 /*
1041 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1042 * doesn't leak.
1043 */
1044 if (!TEST_true(SSL_clear(serverssl)))
1045 goto end;
1046
1047 testresult = 1;
1048 end:
1049 SSL_free(serverssl);
1050 SSL_free(clientssl);
1051 SSL_CTX_free(sctx);
1052 SSL_CTX_free(cctx);
1053
1054 return testresult;
1055 }
1056
1057 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1058 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1059 /* sock must be connected */
ktls_chk_platform(int sock)1060 static int ktls_chk_platform(int sock)
1061 {
1062 if (!ktls_enable(sock))
1063 return 0;
1064 return 1;
1065 }
1066
ping_pong_query(SSL * clientssl,SSL * serverssl)1067 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1068 {
1069 static char count = 1;
1070 unsigned char cbuf[16000] = {0};
1071 unsigned char sbuf[16000];
1072 size_t err = 0;
1073 char crec_wseq_before[SEQ_NUM_SIZE];
1074 char crec_wseq_after[SEQ_NUM_SIZE];
1075 char crec_rseq_before[SEQ_NUM_SIZE];
1076 char crec_rseq_after[SEQ_NUM_SIZE];
1077 char srec_wseq_before[SEQ_NUM_SIZE];
1078 char srec_wseq_after[SEQ_NUM_SIZE];
1079 char srec_rseq_before[SEQ_NUM_SIZE];
1080 char srec_rseq_after[SEQ_NUM_SIZE];
1081
1082 cbuf[0] = count++;
1083 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1084 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087
1088 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1089 goto end;
1090
1091 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1092 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1093 goto end;
1094 }
1095 }
1096
1097 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1098 goto end;
1099
1100 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1101 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1102 goto end;
1103 }
1104 }
1105
1106 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1107 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1110
1111 /* verify the payload */
1112 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1113 goto end;
1114
1115 /*
1116 * If ktls is used then kernel sequences are used instead of
1117 * OpenSSL sequences
1118 */
1119 if (!BIO_get_ktls_send(clientssl->wbio)) {
1120 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1121 crec_wseq_after, SEQ_NUM_SIZE))
1122 goto end;
1123 } else {
1124 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1125 crec_wseq_after, SEQ_NUM_SIZE))
1126 goto end;
1127 }
1128
1129 if (!BIO_get_ktls_send(serverssl->wbio)) {
1130 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1131 srec_wseq_after, SEQ_NUM_SIZE))
1132 goto end;
1133 } else {
1134 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1135 srec_wseq_after, SEQ_NUM_SIZE))
1136 goto end;
1137 }
1138
1139 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1140 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1141 crec_rseq_after, SEQ_NUM_SIZE))
1142 goto end;
1143 } else {
1144 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1145 crec_rseq_after, SEQ_NUM_SIZE))
1146 goto end;
1147 }
1148
1149 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1150 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1151 srec_rseq_after, SEQ_NUM_SIZE))
1152 goto end;
1153 } else {
1154 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1155 srec_rseq_after, SEQ_NUM_SIZE))
1156 goto end;
1157 }
1158
1159 return 1;
1160 end:
1161 return 0;
1162 }
1163
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)1164 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1165 int tls_version, const char *cipher)
1166 {
1167 SSL_CTX *cctx = NULL, *sctx = NULL;
1168 SSL *clientssl = NULL, *serverssl = NULL;
1169 int ktls_used = 0, testresult = 0;
1170 int cfd = -1, sfd = -1;
1171 int rx_supported;
1172
1173 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1174 goto end;
1175
1176 /* Skip this test if the platform does not support ktls */
1177 if (!ktls_chk_platform(cfd)) {
1178 testresult = TEST_skip("Kernel does not support KTLS");
1179 goto end;
1180 }
1181
1182 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1183 testresult = TEST_skip("CHACHA is not supported in FIPS");
1184 goto end;
1185 }
1186
1187 /* Create a session based on SHA-256 */
1188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1189 TLS_client_method(),
1190 tls_version, tls_version,
1191 &sctx, &cctx, cert, privkey)))
1192 goto end;
1193
1194 if (tls_version == TLS1_3_VERSION) {
1195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1196 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1197 goto end;
1198 } else {
1199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1200 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1201 goto end;
1202 }
1203
1204 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1205 &clientssl, sfd, cfd)))
1206 goto end;
1207
1208 if (cis_ktls) {
1209 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1210 goto end;
1211 }
1212
1213 if (sis_ktls) {
1214 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1215 goto end;
1216 }
1217
1218 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1219 goto end;
1220
1221 /*
1222 * The running kernel may not support a given cipher suite
1223 * or direction, so just check that KTLS isn't used when it
1224 * isn't enabled.
1225 */
1226 if (!cis_ktls) {
1227 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1228 goto end;
1229 } else {
1230 if (BIO_get_ktls_send(clientssl->wbio))
1231 ktls_used = 1;
1232 }
1233
1234 if (!sis_ktls) {
1235 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1236 goto end;
1237 } else {
1238 if (BIO_get_ktls_send(serverssl->wbio))
1239 ktls_used = 1;
1240 }
1241
1242 #if defined(OPENSSL_NO_KTLS_RX)
1243 rx_supported = 0;
1244 #else
1245 rx_supported = (tls_version != TLS1_3_VERSION);
1246 #endif
1247 if (!cis_ktls || !rx_supported) {
1248 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1249 goto end;
1250 } else {
1251 if (BIO_get_ktls_send(clientssl->rbio))
1252 ktls_used = 1;
1253 }
1254
1255 if (!sis_ktls || !rx_supported) {
1256 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1257 goto end;
1258 } else {
1259 if (BIO_get_ktls_send(serverssl->rbio))
1260 ktls_used = 1;
1261 }
1262
1263 if ((cis_ktls || sis_ktls) && !ktls_used) {
1264 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1265 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1266 "TLS 1.2", cipher);
1267 goto end;
1268 }
1269
1270 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1271 goto end;
1272
1273 testresult = 1;
1274 end:
1275 if (clientssl) {
1276 SSL_shutdown(clientssl);
1277 SSL_free(clientssl);
1278 }
1279 if (serverssl) {
1280 SSL_shutdown(serverssl);
1281 SSL_free(serverssl);
1282 }
1283 SSL_CTX_free(sctx);
1284 SSL_CTX_free(cctx);
1285 serverssl = clientssl = NULL;
1286 if (cfd != -1)
1287 close(cfd);
1288 if (sfd != -1)
1289 close(sfd);
1290 return testresult;
1291 }
1292
1293 #define SENDFILE_SZ (16 * 4096)
1294 #define SENDFILE_CHUNK (4 * 4096)
1295 #define min(a,b) ((a) > (b) ? (b) : (a))
1296
execute_test_ktls_sendfile(int tls_version,const char * cipher)1297 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1298 {
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
1303 int cfd = -1, sfd = -1, ffd, err;
1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308
1309 buf = OPENSSL_zalloc(SENDFILE_SZ);
1310 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1311 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1312 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1313 goto end;
1314
1315 /* Skip this test if the platform does not support ktls */
1316 if (!ktls_chk_platform(sfd)) {
1317 testresult = TEST_skip("Kernel does not support KTLS");
1318 goto end;
1319 }
1320
1321 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1322 testresult = TEST_skip("CHACHA is not supported in FIPS");
1323 goto end;
1324 }
1325
1326 /* Create a session based on SHA-256 */
1327 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1328 TLS_client_method(),
1329 tls_version, tls_version,
1330 &sctx, &cctx, cert, privkey)))
1331 goto end;
1332
1333 if (tls_version == TLS1_3_VERSION) {
1334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1335 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1336 goto end;
1337 } else {
1338 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1339 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1340 goto end;
1341 }
1342
1343 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1344 &clientssl, sfd, cfd)))
1345 goto end;
1346
1347 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1348 goto end;
1349
1350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1351 SSL_ERROR_NONE)))
1352 goto end;
1353
1354 if (!BIO_get_ktls_send(serverssl->wbio)) {
1355 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1356 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1357 "TLS 1.2", cipher);
1358 goto end;
1359 }
1360
1361 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1362 goto end;
1363
1364 out = BIO_new_file(tmpfilename, "wb");
1365 if (!TEST_ptr(out))
1366 goto end;
1367
1368 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1369 goto end;
1370
1371 BIO_free(out);
1372 out = NULL;
1373 in = BIO_new_file(tmpfilename, "rb");
1374 BIO_get_fp(in, &ffdp);
1375 ffd = fileno(ffdp);
1376
1377 while (chunk_off < SENDFILE_SZ) {
1378 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1379 while ((err = SSL_sendfile(serverssl,
1380 ffd,
1381 chunk_off,
1382 chunk_size,
1383 0)) != chunk_size) {
1384 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1385 goto end;
1386 }
1387 while ((err = SSL_read(clientssl,
1388 buf_dst + chunk_off,
1389 chunk_size)) != chunk_size) {
1390 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1391 goto end;
1392 }
1393
1394 /* verify the payload */
1395 if (!TEST_mem_eq(buf_dst + chunk_off,
1396 chunk_size,
1397 buf + chunk_off,
1398 chunk_size))
1399 goto end;
1400
1401 chunk_off += chunk_size;
1402 }
1403
1404 testresult = 1;
1405 end:
1406 if (clientssl) {
1407 SSL_shutdown(clientssl);
1408 SSL_free(clientssl);
1409 }
1410 if (serverssl) {
1411 SSL_shutdown(serverssl);
1412 SSL_free(serverssl);
1413 }
1414 SSL_CTX_free(sctx);
1415 SSL_CTX_free(cctx);
1416 serverssl = clientssl = NULL;
1417 BIO_free(out);
1418 BIO_free(in);
1419 if (cfd != -1)
1420 close(cfd);
1421 if (sfd != -1)
1422 close(sfd);
1423 OPENSSL_free(buf);
1424 OPENSSL_free(buf_dst);
1425 return testresult;
1426 }
1427
1428 static struct ktls_test_cipher {
1429 int tls_version;
1430 const char *cipher;
1431 } ktls_test_ciphers[] = {
1432 # if !defined(OPENSSL_NO_TLS1_2)
1433 # ifdef OPENSSL_KTLS_AES_GCM_128
1434 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1435 # endif
1436 # ifdef OPENSSL_KTLS_AES_CCM_128
1437 { TLS1_2_VERSION, "AES128-CCM"},
1438 # endif
1439 # ifdef OPENSSL_KTLS_AES_GCM_256
1440 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1441 # endif
1442 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1443 # ifndef OPENSSL_NO_EC
1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1445 # endif
1446 # endif
1447 # endif
1448 # if !defined(OSSL_NO_USABLE_TLS1_3)
1449 # ifdef OPENSSL_KTLS_AES_GCM_128
1450 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451 # endif
1452 # ifdef OPENSSL_KTLS_AES_CCM_128
1453 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454 # endif
1455 # ifdef OPENSSL_KTLS_AES_GCM_256
1456 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457 # endif
1458 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1459 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1460 # endif
1461 # endif
1462 };
1463
1464 #define NUM_KTLS_TEST_CIPHERS \
1465 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466
test_ktls(int test)1467 static int test_ktls(int test)
1468 {
1469 struct ktls_test_cipher *cipher;
1470 int cis_ktls, sis_ktls;
1471
1472 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1473 cipher = &ktls_test_ciphers[test / 4];
1474
1475 cis_ktls = (test & 1) != 0;
1476 sis_ktls = (test & 2) != 0;
1477
1478 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1479 cipher->cipher);
1480 }
1481
test_ktls_sendfile(int tst)1482 static int test_ktls_sendfile(int tst)
1483 {
1484 struct ktls_test_cipher *cipher;
1485
1486 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1487 cipher = &ktls_test_ciphers[tst];
1488
1489 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1490 }
1491 #endif
1492
test_large_message_tls(void)1493 static int test_large_message_tls(void)
1494 {
1495 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1496 TLS1_VERSION, 0, 0);
1497 }
1498
test_large_message_tls_read_ahead(void)1499 static int test_large_message_tls_read_ahead(void)
1500 {
1501 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1502 TLS1_VERSION, 0, 1);
1503 }
1504
1505 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1506 static int test_large_message_dtls(void)
1507 {
1508 # ifdef OPENSSL_NO_DTLS1_2
1509 /* Not supported in the FIPS provider */
1510 if (is_fips)
1511 return 1;
1512 # endif
1513 /*
1514 * read_ahead is not relevant to DTLS because DTLS always acts as if
1515 * read_ahead is set.
1516 */
1517 return execute_test_large_message(DTLS_server_method(),
1518 DTLS_client_method(),
1519 DTLS1_VERSION, 0, 0);
1520 }
1521 #endif
1522
1523 /*
1524 * Test we can successfully send the maximum amount of application data. We
1525 * test each protocol version individually, each with and without EtM enabled.
1526 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1527 * simpler this way. We also test all combinations with and without the
1528 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1529 * underlying buffer.
1530 */
test_large_app_data(int tst)1531 static int test_large_app_data(int tst)
1532 {
1533 SSL_CTX *cctx = NULL, *sctx = NULL;
1534 SSL *clientssl = NULL, *serverssl = NULL;
1535 int testresult = 0, prot;
1536 unsigned char *msg, *buf = NULL;
1537 size_t written, readbytes;
1538 const SSL_METHOD *smeth = TLS_server_method();
1539 const SSL_METHOD *cmeth = TLS_client_method();
1540
1541 switch (tst >> 2) {
1542 case 0:
1543 #ifndef OSSL_NO_USABLE_TLS1_3
1544 prot = TLS1_3_VERSION;
1545 break;
1546 #else
1547 return 1;
1548 #endif
1549
1550 case 1:
1551 #ifndef OPENSSL_NO_TLS1_2
1552 prot = TLS1_2_VERSION;
1553 break;
1554 #else
1555 return 1;
1556 #endif
1557
1558 case 2:
1559 #ifndef OPENSSL_NO_TLS1_1
1560 prot = TLS1_1_VERSION;
1561 break;
1562 #else
1563 return 1;
1564 #endif
1565
1566 case 3:
1567 #ifndef OPENSSL_NO_TLS1
1568 prot = TLS1_VERSION;
1569 break;
1570 #else
1571 return 1;
1572 #endif
1573
1574 case 4:
1575 #ifndef OPENSSL_NO_SSL3
1576 prot = SSL3_VERSION;
1577 break;
1578 #else
1579 return 1;
1580 #endif
1581
1582 case 5:
1583 #ifndef OPENSSL_NO_DTLS1_2
1584 prot = DTLS1_2_VERSION;
1585 smeth = DTLS_server_method();
1586 cmeth = DTLS_client_method();
1587 break;
1588 #else
1589 return 1;
1590 #endif
1591
1592 case 6:
1593 #ifndef OPENSSL_NO_DTLS1
1594 prot = DTLS1_VERSION;
1595 smeth = DTLS_server_method();
1596 cmeth = DTLS_client_method();
1597 break;
1598 #else
1599 return 1;
1600 #endif
1601
1602 default:
1603 /* Shouldn't happen */
1604 return 0;
1605 }
1606
1607 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1608 return 1;
1609
1610 /* Maximal sized message of zeros */
1611 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1612 if (!TEST_ptr(msg))
1613 goto end;
1614
1615 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1616 if (!TEST_ptr(buf))
1617 goto end;
1618 /* Set whole buffer to all bits set */
1619 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1620
1621 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1622 &sctx, &cctx, cert, privkey)))
1623 goto end;
1624
1625 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1626 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1627 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1628 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1629 "DEFAULT:@SECLEVEL=0")))
1630 goto end;
1631 }
1632
1633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1634 &clientssl, NULL, NULL)))
1635 goto end;
1636
1637 if ((tst & 1) != 0) {
1638 /* Setting this option gives us a minimally sized underlying buffer */
1639 if (!TEST_true(SSL_set_options(serverssl,
1640 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1641 || !TEST_true(SSL_set_options(clientssl,
1642 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1643 goto end;
1644 }
1645
1646 if ((tst & 2) != 0) {
1647 /*
1648 * Setting this option means the MAC is added before encryption
1649 * giving us a larger record for the encryption process
1650 */
1651 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1652 || !TEST_true(SSL_set_options(clientssl,
1653 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1654 goto end;
1655 }
1656
1657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1658 goto end;
1659
1660 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1661 &written))
1662 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1663 goto end;
1664
1665 /* We provide a buffer slightly larger than what we are actually expecting */
1666 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1667 &readbytes)))
1668 goto end;
1669
1670 if (!TEST_mem_eq(msg, written, buf, readbytes))
1671 goto end;
1672
1673 testresult = 1;
1674 end:
1675 OPENSSL_free(msg);
1676 OPENSSL_free(buf);
1677 SSL_free(serverssl);
1678 SSL_free(clientssl);
1679 SSL_CTX_free(sctx);
1680 SSL_CTX_free(cctx);
1681 return testresult;
1682 }
1683
1684 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1685 || !defined(OPENSSL_NO_DTLS)
execute_cleanse_plaintext(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version)1686 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1687 const SSL_METHOD *cmeth,
1688 int min_version, int max_version)
1689 {
1690 size_t i;
1691 SSL_CTX *cctx = NULL, *sctx = NULL;
1692 SSL *clientssl = NULL, *serverssl = NULL;
1693 int testresult = 0;
1694 SSL3_RECORD *rr;
1695 void *zbuf;
1696
1697 static unsigned char cbuf[16000];
1698 static unsigned char sbuf[16000];
1699
1700 if (!TEST_true(create_ssl_ctx_pair(libctx,
1701 smeth, cmeth,
1702 min_version, max_version,
1703 &sctx, &cctx, cert,
1704 privkey)))
1705 goto end;
1706
1707 # ifdef OPENSSL_NO_DTLS1_2
1708 if (smeth == DTLS_server_method()) {
1709 /* Not supported in the FIPS provider */
1710 if (is_fips) {
1711 testresult = 1;
1712 goto end;
1713 };
1714 /*
1715 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1716 * level 0
1717 */
1718 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1719 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1720 "DEFAULT:@SECLEVEL=0")))
1721 goto end;
1722 }
1723 # endif
1724
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1726 NULL, NULL)))
1727 goto end;
1728
1729 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1730 goto end;
1731
1732 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1733 SSL_ERROR_NONE)))
1734 goto end;
1735
1736 for (i = 0; i < sizeof(cbuf); i++) {
1737 cbuf[i] = i & 0xff;
1738 }
1739
1740 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1741 goto end;
1742
1743 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1744 goto end;
1745
1746 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1747 goto end;
1748
1749 /*
1750 * Since we called SSL_peek(), we know the data in the record
1751 * layer is a plaintext record. We can gather the pointer to check
1752 * for zeroization after SSL_read().
1753 */
1754 rr = serverssl->rlayer.rrec;
1755 zbuf = &rr->data[rr->off];
1756 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1757 goto end;
1758
1759 /*
1760 * After SSL_peek() the plaintext must still be stored in the
1761 * record.
1762 */
1763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1764 goto end;
1765
1766 memset(sbuf, 0, sizeof(sbuf));
1767 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1768 goto end;
1769
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1771 goto end;
1772
1773 /* Check if rbuf is cleansed */
1774 memset(cbuf, 0, sizeof(cbuf));
1775 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1776 goto end;
1777
1778 testresult = 1;
1779 end:
1780 SSL_free(serverssl);
1781 SSL_free(clientssl);
1782 SSL_CTX_free(sctx);
1783 SSL_CTX_free(cctx);
1784
1785 return testresult;
1786 }
1787 #endif /*
1788 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1789 * || !defined(OPENSSL_NO_DTLS)
1790 */
1791
test_cleanse_plaintext(void)1792 static int test_cleanse_plaintext(void)
1793 {
1794 #if !defined(OPENSSL_NO_TLS1_2)
1795 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1796 TLS_client_method(),
1797 TLS1_2_VERSION,
1798 TLS1_2_VERSION)))
1799 return 0;
1800
1801 #endif
1802
1803 #if !defined(OSSL_NO_USABLE_TLS1_3)
1804 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1805 TLS_client_method(),
1806 TLS1_3_VERSION,
1807 TLS1_3_VERSION)))
1808 return 0;
1809 #endif
1810
1811 #if !defined(OPENSSL_NO_DTLS)
1812
1813 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1814 DTLS_client_method(),
1815 DTLS1_VERSION,
1816 0)))
1817 return 0;
1818 #endif
1819 return 1;
1820 }
1821
1822 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1823 static int ocsp_server_cb(SSL *s, void *arg)
1824 {
1825 int *argi = (int *)arg;
1826 unsigned char *copy = NULL;
1827 STACK_OF(OCSP_RESPID) *ids = NULL;
1828 OCSP_RESPID *id = NULL;
1829
1830 if (*argi == 2) {
1831 /* In this test we are expecting exactly 1 OCSP_RESPID */
1832 SSL_get_tlsext_status_ids(s, &ids);
1833 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1834 return SSL_TLSEXT_ERR_ALERT_FATAL;
1835
1836 id = sk_OCSP_RESPID_value(ids, 0);
1837 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1838 return SSL_TLSEXT_ERR_ALERT_FATAL;
1839 } else if (*argi != 1) {
1840 return SSL_TLSEXT_ERR_ALERT_FATAL;
1841 }
1842
1843 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1844 return SSL_TLSEXT_ERR_ALERT_FATAL;
1845
1846 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1847 sizeof(orespder)))) {
1848 OPENSSL_free(copy);
1849 return SSL_TLSEXT_ERR_ALERT_FATAL;
1850 }
1851 ocsp_server_called = 1;
1852 return SSL_TLSEXT_ERR_OK;
1853 }
1854
ocsp_client_cb(SSL * s,void * arg)1855 static int ocsp_client_cb(SSL *s, void *arg)
1856 {
1857 int *argi = (int *)arg;
1858 const unsigned char *respderin;
1859 size_t len;
1860
1861 if (*argi != 1 && *argi != 2)
1862 return 0;
1863
1864 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1865 if (!TEST_mem_eq(orespder, len, respderin, len))
1866 return 0;
1867
1868 ocsp_client_called = 1;
1869 return 1;
1870 }
1871
test_tlsext_status_type(void)1872 static int test_tlsext_status_type(void)
1873 {
1874 SSL_CTX *cctx = NULL, *sctx = NULL;
1875 SSL *clientssl = NULL, *serverssl = NULL;
1876 int testresult = 0;
1877 STACK_OF(OCSP_RESPID) *ids = NULL;
1878 OCSP_RESPID *id = NULL;
1879 BIO *certbio = NULL;
1880
1881 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1882 TLS1_VERSION, 0,
1883 &sctx, &cctx, cert, privkey))
1884 return 0;
1885
1886 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1887 goto end;
1888
1889 /* First just do various checks getting and setting tlsext_status_type */
1890
1891 clientssl = SSL_new(cctx);
1892 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1893 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1894 TLSEXT_STATUSTYPE_ocsp))
1895 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1896 TLSEXT_STATUSTYPE_ocsp))
1897 goto end;
1898
1899 SSL_free(clientssl);
1900 clientssl = NULL;
1901
1902 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1903 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1904 goto end;
1905
1906 clientssl = SSL_new(cctx);
1907 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1908 goto end;
1909 SSL_free(clientssl);
1910 clientssl = NULL;
1911
1912 /*
1913 * Now actually do a handshake and check OCSP information is exchanged and
1914 * the callbacks get called
1915 */
1916 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1917 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1918 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1919 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1921 &clientssl, NULL, NULL))
1922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1923 SSL_ERROR_NONE))
1924 || !TEST_true(ocsp_client_called)
1925 || !TEST_true(ocsp_server_called))
1926 goto end;
1927 SSL_free(serverssl);
1928 SSL_free(clientssl);
1929 serverssl = NULL;
1930 clientssl = NULL;
1931
1932 /* Try again but this time force the server side callback to fail */
1933 ocsp_client_called = 0;
1934 ocsp_server_called = 0;
1935 cdummyarg = 0;
1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1937 &clientssl, NULL, NULL))
1938 /* This should fail because the callback will fail */
1939 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1940 SSL_ERROR_NONE))
1941 || !TEST_false(ocsp_client_called)
1942 || !TEST_false(ocsp_server_called))
1943 goto end;
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1946 serverssl = NULL;
1947 clientssl = NULL;
1948
1949 /*
1950 * This time we'll get the client to send an OCSP_RESPID that it will
1951 * accept.
1952 */
1953 ocsp_client_called = 0;
1954 ocsp_server_called = 0;
1955 cdummyarg = 2;
1956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1957 &clientssl, NULL, NULL)))
1958 goto end;
1959
1960 /*
1961 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1962 * specific one. We'll use the server cert.
1963 */
1964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1965 || !TEST_ptr(id = OCSP_RESPID_new())
1966 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1967 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1968 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1969 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1970 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1971 goto end;
1972 id = NULL;
1973 SSL_set_tlsext_status_ids(clientssl, ids);
1974 /* Control has been transferred */
1975 ids = NULL;
1976
1977 BIO_free(certbio);
1978 certbio = NULL;
1979
1980 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1981 SSL_ERROR_NONE))
1982 || !TEST_true(ocsp_client_called)
1983 || !TEST_true(ocsp_server_called))
1984 goto end;
1985
1986 testresult = 1;
1987
1988 end:
1989 SSL_free(serverssl);
1990 SSL_free(clientssl);
1991 SSL_CTX_free(sctx);
1992 SSL_CTX_free(cctx);
1993 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1994 OCSP_RESPID_free(id);
1995 BIO_free(certbio);
1996 X509_free(ocspcert);
1997 ocspcert = NULL;
1998
1999 return testresult;
2000 }
2001 #endif
2002
2003 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2004 static int new_called, remove_called, get_called;
2005
new_session_cb(SSL * ssl,SSL_SESSION * sess)2006 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2007 {
2008 new_called++;
2009 /*
2010 * sess has been up-refed for us, but we don't actually need it so free it
2011 * immediately.
2012 */
2013 SSL_SESSION_free(sess);
2014 return 1;
2015 }
2016
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)2017 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2018 {
2019 remove_called++;
2020 }
2021
2022 static SSL_SESSION *get_sess_val = NULL;
2023
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)2024 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2025 int *copy)
2026 {
2027 get_called++;
2028 *copy = 1;
2029 return get_sess_val;
2030 }
2031
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache,long s_options)2032 static int execute_test_session(int maxprot, int use_int_cache,
2033 int use_ext_cache, long s_options)
2034 {
2035 SSL_CTX *sctx = NULL, *cctx = NULL;
2036 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2037 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2038 # ifndef OPENSSL_NO_TLS1_1
2039 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2040 # endif
2041 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2042 int testresult = 0, numnewsesstick = 1;
2043
2044 new_called = remove_called = 0;
2045
2046 /* TLSv1.3 sends 2 NewSessionTickets */
2047 if (maxprot == TLS1_3_VERSION)
2048 numnewsesstick = 2;
2049
2050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2051 TLS_client_method(), TLS1_VERSION, 0,
2052 &sctx, &cctx, cert, privkey)))
2053 return 0;
2054
2055 /*
2056 * Only allow the max protocol version so we can force a connection failure
2057 * later
2058 */
2059 SSL_CTX_set_min_proto_version(cctx, maxprot);
2060 SSL_CTX_set_max_proto_version(cctx, maxprot);
2061
2062 /* Set up session cache */
2063 if (use_ext_cache) {
2064 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2065 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2066 }
2067 if (use_int_cache) {
2068 /* Also covers instance where both are set */
2069 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2070 } else {
2071 SSL_CTX_set_session_cache_mode(cctx,
2072 SSL_SESS_CACHE_CLIENT
2073 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2074 }
2075
2076 if (s_options) {
2077 SSL_CTX_set_options(sctx, s_options);
2078 }
2079
2080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2081 NULL, NULL))
2082 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2083 SSL_ERROR_NONE))
2084 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2085 goto end;
2086
2087 /* Should fail because it should already be in the cache */
2088 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2089 goto end;
2090 if (use_ext_cache
2091 && (!TEST_int_eq(new_called, numnewsesstick)
2092
2093 || !TEST_int_eq(remove_called, 0)))
2094 goto end;
2095
2096 new_called = remove_called = 0;
2097 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2098 &clientssl2, NULL, NULL))
2099 || !TEST_true(SSL_set_session(clientssl2, sess1))
2100 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2101 SSL_ERROR_NONE))
2102 || !TEST_true(SSL_session_reused(clientssl2)))
2103 goto end;
2104
2105 if (maxprot == TLS1_3_VERSION) {
2106 /*
2107 * In TLSv1.3 we should have created a new session even though we have
2108 * resumed. Since we attempted a resume we should also have removed the
2109 * old ticket from the cache so that we try to only use tickets once.
2110 */
2111 if (use_ext_cache
2112 && (!TEST_int_eq(new_called, 1)
2113 || !TEST_int_eq(remove_called, 1)))
2114 goto end;
2115 } else {
2116 /*
2117 * In TLSv1.2 we expect to have resumed so no sessions added or
2118 * removed.
2119 */
2120 if (use_ext_cache
2121 && (!TEST_int_eq(new_called, 0)
2122 || !TEST_int_eq(remove_called, 0)))
2123 goto end;
2124 }
2125
2126 SSL_SESSION_free(sess1);
2127 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2128 goto end;
2129 shutdown_ssl_connection(serverssl2, clientssl2);
2130 serverssl2 = clientssl2 = NULL;
2131
2132 new_called = remove_called = 0;
2133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2134 &clientssl2, NULL, NULL))
2135 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2136 SSL_ERROR_NONE)))
2137 goto end;
2138
2139 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2140 goto end;
2141
2142 if (use_ext_cache
2143 && (!TEST_int_eq(new_called, numnewsesstick)
2144 || !TEST_int_eq(remove_called, 0)))
2145 goto end;
2146
2147 new_called = remove_called = 0;
2148 /*
2149 * This should clear sess2 from the cache because it is a "bad" session.
2150 * See SSL_set_session() documentation.
2151 */
2152 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2153 goto end;
2154 if (use_ext_cache
2155 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2156 goto end;
2157 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2158 goto end;
2159
2160 if (use_int_cache) {
2161 /* Should succeeded because it should not already be in the cache */
2162 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2163 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2164 goto end;
2165 }
2166
2167 new_called = remove_called = 0;
2168 /* This shouldn't be in the cache so should fail */
2169 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2170 goto end;
2171
2172 if (use_ext_cache
2173 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2174 goto end;
2175
2176 # if !defined(OPENSSL_NO_TLS1_1)
2177 new_called = remove_called = 0;
2178 /* Force a connection failure */
2179 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2181 &clientssl3, NULL, NULL))
2182 || !TEST_true(SSL_set_session(clientssl3, sess1))
2183 /* This should fail because of the mismatched protocol versions */
2184 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2185 SSL_ERROR_NONE)))
2186 goto end;
2187
2188 /* We should have automatically removed the session from the cache */
2189 if (use_ext_cache
2190 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2191 goto end;
2192
2193 /* Should succeed because it should not already be in the cache */
2194 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2195 goto end;
2196 # endif
2197
2198 /* Now do some tests for server side caching */
2199 if (use_ext_cache) {
2200 SSL_CTX_sess_set_new_cb(cctx, NULL);
2201 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2202 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2203 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2204 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2205 get_sess_val = NULL;
2206 }
2207
2208 SSL_CTX_set_session_cache_mode(cctx, 0);
2209 /* Internal caching is the default on the server side */
2210 if (!use_int_cache)
2211 SSL_CTX_set_session_cache_mode(sctx,
2212 SSL_SESS_CACHE_SERVER
2213 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2214
2215 SSL_free(serverssl1);
2216 SSL_free(clientssl1);
2217 serverssl1 = clientssl1 = NULL;
2218 SSL_free(serverssl2);
2219 SSL_free(clientssl2);
2220 serverssl2 = clientssl2 = NULL;
2221 SSL_SESSION_free(sess1);
2222 sess1 = NULL;
2223 SSL_SESSION_free(sess2);
2224 sess2 = NULL;
2225
2226 SSL_CTX_set_max_proto_version(sctx, maxprot);
2227 if (maxprot == TLS1_2_VERSION)
2228 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2229 new_called = remove_called = get_called = 0;
2230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2231 NULL, NULL))
2232 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2233 SSL_ERROR_NONE))
2234 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2235 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2236 goto end;
2237
2238 if (use_int_cache) {
2239 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2240 /*
2241 * In TLSv1.3 it should not have been added to the internal cache,
2242 * except in the case where we also have an external cache (in that
2243 * case it gets added to the cache in order to generate remove
2244 * events after timeout).
2245 */
2246 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2247 goto end;
2248 } else {
2249 /* Should fail because it should already be in the cache */
2250 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2251 goto end;
2252 }
2253 }
2254
2255 if (use_ext_cache) {
2256 SSL_SESSION *tmp = sess2;
2257
2258 if (!TEST_int_eq(new_called, numnewsesstick)
2259 || !TEST_int_eq(remove_called, 0)
2260 || !TEST_int_eq(get_called, 0))
2261 goto end;
2262 /*
2263 * Delete the session from the internal cache to force a lookup from
2264 * the external cache. We take a copy first because
2265 * SSL_CTX_remove_session() also marks the session as non-resumable.
2266 */
2267 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2268 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2269 || !TEST_true(sess2->owner != NULL)
2270 || !TEST_true(tmp->owner == NULL)
2271 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2272 goto end;
2273 SSL_SESSION_free(sess2);
2274 }
2275 sess2 = tmp;
2276 }
2277
2278 new_called = remove_called = get_called = 0;
2279 get_sess_val = sess2;
2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2281 &clientssl2, NULL, NULL))
2282 || !TEST_true(SSL_set_session(clientssl2, sess1))
2283 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2284 SSL_ERROR_NONE))
2285 || !TEST_true(SSL_session_reused(clientssl2)))
2286 goto end;
2287
2288 if (use_ext_cache) {
2289 if (!TEST_int_eq(remove_called, 0))
2290 goto end;
2291
2292 if (maxprot == TLS1_3_VERSION) {
2293 if (!TEST_int_eq(new_called, 1)
2294 || !TEST_int_eq(get_called, 0))
2295 goto end;
2296 } else {
2297 if (!TEST_int_eq(new_called, 0)
2298 || !TEST_int_eq(get_called, 1))
2299 goto end;
2300 }
2301 }
2302 /*
2303 * Make a small cache, force out all other sessions but
2304 * sess2, try to add sess1, which should succeed. Then
2305 * make sure it's there by checking the owners. Despite
2306 * the timeouts, sess1 should have kicked out sess2
2307 */
2308
2309 /* Make sess1 expire before sess2 */
2310 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2311 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2312 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2313 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2314 goto end;
2315
2316 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2317 goto end;
2318
2319 /* Don't care about results - cache should only be sess2 at end */
2320 SSL_CTX_add_session(sctx, sess1);
2321 SSL_CTX_add_session(sctx, sess2);
2322
2323 /* Now add sess1, and make sure it remains, despite timeout */
2324 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2325 || !TEST_ptr(sess1->owner)
2326 || !TEST_ptr_null(sess2->owner))
2327 goto end;
2328
2329 testresult = 1;
2330
2331 end:
2332 SSL_free(serverssl1);
2333 SSL_free(clientssl1);
2334 SSL_free(serverssl2);
2335 SSL_free(clientssl2);
2336 # ifndef OPENSSL_NO_TLS1_1
2337 SSL_free(serverssl3);
2338 SSL_free(clientssl3);
2339 # endif
2340 SSL_SESSION_free(sess1);
2341 SSL_SESSION_free(sess2);
2342 SSL_CTX_free(sctx);
2343 SSL_CTX_free(cctx);
2344
2345 return testresult;
2346 }
2347 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2348
test_session_with_only_int_cache(void)2349 static int test_session_with_only_int_cache(void)
2350 {
2351 #ifndef OSSL_NO_USABLE_TLS1_3
2352 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2353 return 0;
2354 #endif
2355
2356 #ifndef OPENSSL_NO_TLS1_2
2357 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2358 #else
2359 return 1;
2360 #endif
2361 }
2362
test_session_with_only_ext_cache(void)2363 static int test_session_with_only_ext_cache(void)
2364 {
2365 #ifndef OSSL_NO_USABLE_TLS1_3
2366 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2367 return 0;
2368 #endif
2369
2370 #ifndef OPENSSL_NO_TLS1_2
2371 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2372 #else
2373 return 1;
2374 #endif
2375 }
2376
test_session_with_both_cache(void)2377 static int test_session_with_both_cache(void)
2378 {
2379 #ifndef OSSL_NO_USABLE_TLS1_3
2380 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2381 return 0;
2382 #endif
2383
2384 #ifndef OPENSSL_NO_TLS1_2
2385 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2386 #else
2387 return 1;
2388 #endif
2389 }
2390
test_session_wo_ca_names(void)2391 static int test_session_wo_ca_names(void)
2392 {
2393 #ifndef OSSL_NO_USABLE_TLS1_3
2394 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2395 return 0;
2396 #endif
2397
2398 #ifndef OPENSSL_NO_TLS1_2
2399 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2400 #else
2401 return 1;
2402 #endif
2403 }
2404
2405 #ifndef OSSL_NO_USABLE_TLS1_3
2406 static SSL_SESSION *sesscache[6];
2407 static int do_cache;
2408
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)2409 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2410 {
2411 if (do_cache) {
2412 sesscache[new_called] = sess;
2413 } else {
2414 /* We don't need the reference to the session, so free it */
2415 SSL_SESSION_free(sess);
2416 }
2417 new_called++;
2418
2419 return 1;
2420 }
2421
post_handshake_verify(SSL * sssl,SSL * cssl)2422 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2423 {
2424 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2425 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2426 return 0;
2427
2428 /* Start handshake on the server and client */
2429 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2430 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2431 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2432 || !TEST_true(create_ssl_connection(sssl, cssl,
2433 SSL_ERROR_NONE)))
2434 return 0;
2435
2436 return 1;
2437 }
2438
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)2439 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2440 SSL_CTX **cctx)
2441 {
2442 int sess_id_ctx = 1;
2443
2444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2445 TLS_client_method(), TLS1_VERSION, 0,
2446 sctx, cctx, cert, privkey))
2447 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2448 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2449 (void *)&sess_id_ctx,
2450 sizeof(sess_id_ctx))))
2451 return 0;
2452
2453 if (stateful)
2454 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2455
2456 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2457 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2458 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2459
2460 return 1;
2461 }
2462
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)2463 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2464 {
2465 SSL *serverssl = NULL, *clientssl = NULL;
2466 int i;
2467
2468 /* Test that we can resume with all the tickets we got given */
2469 for (i = 0; i < idx * 2; i++) {
2470 new_called = 0;
2471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2472 &clientssl, NULL, NULL))
2473 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2474 goto end;
2475
2476 SSL_set_post_handshake_auth(clientssl, 1);
2477
2478 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2479 SSL_ERROR_NONE)))
2480 goto end;
2481
2482 /*
2483 * Following a successful resumption we only get 1 ticket. After a
2484 * failed one we should get idx tickets.
2485 */
2486 if (succ) {
2487 if (!TEST_true(SSL_session_reused(clientssl))
2488 || !TEST_int_eq(new_called, 1))
2489 goto end;
2490 } else {
2491 if (!TEST_false(SSL_session_reused(clientssl))
2492 || !TEST_int_eq(new_called, idx))
2493 goto end;
2494 }
2495
2496 new_called = 0;
2497 /* After a post-handshake authentication we should get 1 new ticket */
2498 if (succ
2499 && (!post_handshake_verify(serverssl, clientssl)
2500 || !TEST_int_eq(new_called, 1)))
2501 goto end;
2502
2503 SSL_shutdown(clientssl);
2504 SSL_shutdown(serverssl);
2505 SSL_free(serverssl);
2506 SSL_free(clientssl);
2507 serverssl = clientssl = NULL;
2508 SSL_SESSION_free(sesscache[i]);
2509 sesscache[i] = NULL;
2510 }
2511
2512 return 1;
2513
2514 end:
2515 SSL_free(clientssl);
2516 SSL_free(serverssl);
2517 return 0;
2518 }
2519
test_tickets(int stateful,int idx)2520 static int test_tickets(int stateful, int idx)
2521 {
2522 SSL_CTX *sctx = NULL, *cctx = NULL;
2523 SSL *serverssl = NULL, *clientssl = NULL;
2524 int testresult = 0;
2525 size_t j;
2526
2527 /* idx is the test number, but also the number of tickets we want */
2528
2529 new_called = 0;
2530 do_cache = 1;
2531
2532 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2533 goto end;
2534
2535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2536 &clientssl, NULL, NULL)))
2537 goto end;
2538
2539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2540 SSL_ERROR_NONE))
2541 /* Check we got the number of tickets we were expecting */
2542 || !TEST_int_eq(idx, new_called))
2543 goto end;
2544
2545 SSL_shutdown(clientssl);
2546 SSL_shutdown(serverssl);
2547 SSL_free(serverssl);
2548 SSL_free(clientssl);
2549 SSL_CTX_free(sctx);
2550 SSL_CTX_free(cctx);
2551 clientssl = serverssl = NULL;
2552 sctx = cctx = NULL;
2553
2554 /*
2555 * Now we try to resume with the tickets we previously created. The
2556 * resumption attempt is expected to fail (because we're now using a new
2557 * SSL_CTX). We should see idx number of tickets issued again.
2558 */
2559
2560 /* Stop caching sessions - just count them */
2561 do_cache = 0;
2562
2563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2564 goto end;
2565
2566 if (!check_resumption(idx, sctx, cctx, 0))
2567 goto end;
2568
2569 /* Start again with caching sessions */
2570 new_called = 0;
2571 do_cache = 1;
2572 SSL_CTX_free(sctx);
2573 SSL_CTX_free(cctx);
2574 sctx = cctx = NULL;
2575
2576 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2577 goto end;
2578
2579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2580 &clientssl, NULL, NULL)))
2581 goto end;
2582
2583 SSL_set_post_handshake_auth(clientssl, 1);
2584
2585 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2586 SSL_ERROR_NONE))
2587 /* Check we got the number of tickets we were expecting */
2588 || !TEST_int_eq(idx, new_called))
2589 goto end;
2590
2591 /* After a post-handshake authentication we should get new tickets issued */
2592 if (!post_handshake_verify(serverssl, clientssl)
2593 || !TEST_int_eq(idx * 2, new_called))
2594 goto end;
2595
2596 SSL_shutdown(clientssl);
2597 SSL_shutdown(serverssl);
2598 SSL_free(serverssl);
2599 SSL_free(clientssl);
2600 serverssl = clientssl = NULL;
2601
2602 /* Stop caching sessions - just count them */
2603 do_cache = 0;
2604
2605 /*
2606 * Check we can resume with all the tickets we created. This time around the
2607 * resumptions should all be successful.
2608 */
2609 if (!check_resumption(idx, sctx, cctx, 1))
2610 goto end;
2611
2612 testresult = 1;
2613
2614 end:
2615 SSL_free(serverssl);
2616 SSL_free(clientssl);
2617 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2618 SSL_SESSION_free(sesscache[j]);
2619 sesscache[j] = NULL;
2620 }
2621 SSL_CTX_free(sctx);
2622 SSL_CTX_free(cctx);
2623
2624 return testresult;
2625 }
2626
test_stateless_tickets(int idx)2627 static int test_stateless_tickets(int idx)
2628 {
2629 return test_tickets(0, idx);
2630 }
2631
test_stateful_tickets(int idx)2632 static int test_stateful_tickets(int idx)
2633 {
2634 return test_tickets(1, idx);
2635 }
2636
test_psk_tickets(void)2637 static int test_psk_tickets(void)
2638 {
2639 SSL_CTX *sctx = NULL, *cctx = NULL;
2640 SSL *serverssl = NULL, *clientssl = NULL;
2641 int testresult = 0;
2642 int sess_id_ctx = 1;
2643
2644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2645 TLS_client_method(), TLS1_VERSION, 0,
2646 &sctx, &cctx, NULL, NULL))
2647 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2648 (void *)&sess_id_ctx,
2649 sizeof(sess_id_ctx))))
2650 goto end;
2651
2652 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2654 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2655 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2656 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2657 use_session_cb_cnt = 0;
2658 find_session_cb_cnt = 0;
2659 srvid = pskid;
2660 new_called = 0;
2661
2662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2663 NULL, NULL)))
2664 goto end;
2665 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2666 if (!TEST_ptr(clientpsk))
2667 goto end;
2668 SSL_SESSION_up_ref(clientpsk);
2669
2670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2671 SSL_ERROR_NONE))
2672 || !TEST_int_eq(1, find_session_cb_cnt)
2673 || !TEST_int_eq(1, use_session_cb_cnt)
2674 /* We should always get 1 ticket when using external PSK */
2675 || !TEST_int_eq(1, new_called))
2676 goto end;
2677
2678 testresult = 1;
2679
2680 end:
2681 SSL_free(serverssl);
2682 SSL_free(clientssl);
2683 SSL_CTX_free(sctx);
2684 SSL_CTX_free(cctx);
2685 SSL_SESSION_free(clientpsk);
2686 SSL_SESSION_free(serverpsk);
2687 clientpsk = serverpsk = NULL;
2688
2689 return testresult;
2690 }
2691
test_extra_tickets(int idx)2692 static int test_extra_tickets(int idx)
2693 {
2694 SSL_CTX *sctx = NULL, *cctx = NULL;
2695 SSL *serverssl = NULL, *clientssl = NULL;
2696 BIO *bretry = BIO_new(bio_s_always_retry());
2697 BIO *tmp = NULL;
2698 int testresult = 0;
2699 int stateful = 0;
2700 size_t nbytes;
2701 unsigned char c, buf[1];
2702
2703 new_called = 0;
2704 do_cache = 1;
2705
2706 if (idx >= 3) {
2707 idx -= 3;
2708 stateful = 1;
2709 }
2710
2711 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2712 goto end;
2713 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2714 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2715 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2716
2717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2718 &clientssl, NULL, NULL)))
2719 goto end;
2720
2721 /*
2722 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2723 * incremented by both client and server.
2724 */
2725 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2726 SSL_ERROR_NONE))
2727 /* Check we got the number of tickets we were expecting */
2728 || !TEST_int_eq(idx * 2, new_called)
2729 || !TEST_true(SSL_new_session_ticket(serverssl))
2730 || !TEST_true(SSL_new_session_ticket(serverssl))
2731 || !TEST_int_eq(idx * 2, new_called))
2732 goto end;
2733
2734 /* Now try a (real) write to actually send the tickets */
2735 c = '1';
2736 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2737 || !TEST_size_t_eq(1, nbytes)
2738 || !TEST_int_eq(idx * 2 + 2, new_called)
2739 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2740 || !TEST_int_eq(idx * 2 + 4, new_called)
2741 || !TEST_int_eq(sizeof(buf), nbytes)
2742 || !TEST_int_eq(c, buf[0])
2743 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2744 goto end;
2745
2746 /* Try with only requesting one new ticket, too */
2747 c = '2';
2748 new_called = 0;
2749 if (!TEST_true(SSL_new_session_ticket(serverssl))
2750 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2751 || !TEST_size_t_eq(sizeof(c), nbytes)
2752 || !TEST_int_eq(1, new_called)
2753 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2754 || !TEST_int_eq(2, new_called)
2755 || !TEST_size_t_eq(sizeof(buf), nbytes)
2756 || !TEST_int_eq(c, buf[0]))
2757 goto end;
2758
2759 /* Do it again but use dummy writes to drive the ticket generation */
2760 c = '3';
2761 new_called = 0;
2762 if (!TEST_true(SSL_new_session_ticket(serverssl))
2763 || !TEST_true(SSL_new_session_ticket(serverssl))
2764 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2765 || !TEST_size_t_eq(0, nbytes)
2766 || !TEST_int_eq(2, new_called)
2767 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2768 || !TEST_int_eq(4, new_called))
2769 goto end;
2770
2771 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2772 c = '4';
2773 new_called = 0;
2774 if (!TEST_true(SSL_new_session_ticket(serverssl))
2775 || !TEST_true(SSL_new_session_ticket(serverssl))
2776 || !TEST_true(SSL_do_handshake(serverssl))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779 || !TEST_int_eq(4, new_called))
2780 goto end;
2781
2782 /*
2783 * Use the always-retry BIO to exercise the logic that forces ticket
2784 * generation to wait until a record boundary.
2785 */
2786 c = '5';
2787 new_called = 0;
2788 tmp = SSL_get_wbio(serverssl);
2789 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2790 tmp = NULL;
2791 goto end;
2792 }
2793 SSL_set0_wbio(serverssl, bretry);
2794 bretry = NULL;
2795 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2796 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2797 || !TEST_size_t_eq(nbytes, 0))
2798 goto end;
2799 /* Restore a BIO that will let the write succeed */
2800 SSL_set0_wbio(serverssl, tmp);
2801 tmp = NULL;
2802 /*
2803 * These calls should just queue the request and not send anything
2804 * even if we explicitly try to hit the state machine.
2805 */
2806 if (!TEST_true(SSL_new_session_ticket(serverssl))
2807 || !TEST_true(SSL_new_session_ticket(serverssl))
2808 || !TEST_int_eq(0, new_called)
2809 || !TEST_true(SSL_do_handshake(serverssl))
2810 || !TEST_int_eq(0, new_called))
2811 goto end;
2812 /* Re-do the write; still no tickets sent */
2813 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2814 || !TEST_size_t_eq(1, nbytes)
2815 || !TEST_int_eq(0, new_called)
2816 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2817 || !TEST_int_eq(0, new_called)
2818 || !TEST_int_eq(sizeof(buf), nbytes)
2819 || !TEST_int_eq(c, buf[0])
2820 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2821 goto end;
2822 /* Even trying to hit the state machine now will still not send tickets */
2823 if (!TEST_true(SSL_do_handshake(serverssl))
2824 || !TEST_int_eq(0, new_called))
2825 goto end;
2826 /* Now the *next* write should send the tickets */
2827 c = '6';
2828 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2829 || !TEST_size_t_eq(1, nbytes)
2830 || !TEST_int_eq(2, new_called)
2831 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2832 || !TEST_int_eq(4, new_called)
2833 || !TEST_int_eq(sizeof(buf), nbytes)
2834 || !TEST_int_eq(c, buf[0])
2835 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2836 goto end;
2837
2838 SSL_shutdown(clientssl);
2839 SSL_shutdown(serverssl);
2840 testresult = 1;
2841
2842 end:
2843 BIO_free(bretry);
2844 BIO_free(tmp);
2845 SSL_free(serverssl);
2846 SSL_free(clientssl);
2847 SSL_CTX_free(sctx);
2848 SSL_CTX_free(cctx);
2849 clientssl = serverssl = NULL;
2850 sctx = cctx = NULL;
2851 return testresult;
2852 }
2853 #endif
2854
2855 #define USE_NULL 0
2856 #define USE_BIO_1 1
2857 #define USE_BIO_2 2
2858 #define USE_DEFAULT 3
2859
2860 #define CONNTYPE_CONNECTION_SUCCESS 0
2861 #define CONNTYPE_CONNECTION_FAIL 1
2862 #define CONNTYPE_NO_CONNECTION 2
2863
2864 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2865 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2866 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2867 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2868 #else
2869 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2870 #endif
2871
2872 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2873 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2874 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2875
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2876 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2877 {
2878 switch (type) {
2879 case USE_NULL:
2880 *res = NULL;
2881 break;
2882 case USE_BIO_1:
2883 *res = bio1;
2884 break;
2885 case USE_BIO_2:
2886 *res = bio2;
2887 break;
2888 }
2889 }
2890
2891
2892 /*
2893 * Tests calls to SSL_set_bio() under various conditions.
2894 *
2895 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2896 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2897 * then do more tests where we create a successful connection first using our
2898 * standard connection setup functions, and then call SSL_set_bio() with
2899 * various combinations of valid BIOs or NULL. We then repeat these tests
2900 * following a failed connection. In this last case we are looking to check that
2901 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2902 */
test_ssl_set_bio(int idx)2903 static int test_ssl_set_bio(int idx)
2904 {
2905 SSL_CTX *sctx = NULL, *cctx = NULL;
2906 BIO *bio1 = NULL;
2907 BIO *bio2 = NULL;
2908 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2909 SSL *serverssl = NULL, *clientssl = NULL;
2910 int initrbio, initwbio, newrbio, newwbio, conntype;
2911 int testresult = 0;
2912
2913 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2914 initrbio = idx % 3;
2915 idx /= 3;
2916 initwbio = idx % 3;
2917 idx /= 3;
2918 newrbio = idx % 3;
2919 idx /= 3;
2920 newwbio = idx % 3;
2921 conntype = CONNTYPE_NO_CONNECTION;
2922 } else {
2923 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2924 initrbio = initwbio = USE_DEFAULT;
2925 newrbio = idx % 2;
2926 idx /= 2;
2927 newwbio = idx % 2;
2928 idx /= 2;
2929 conntype = idx % 2;
2930 }
2931
2932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2933 TLS_client_method(), TLS1_VERSION, 0,
2934 &sctx, &cctx, cert, privkey)))
2935 goto end;
2936
2937 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2938 /*
2939 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2940 * because we reduced the number of tests in the definition of
2941 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2942 * mismatched protocol versions we will force a connection failure.
2943 */
2944 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2945 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2946 }
2947
2948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2949 NULL, NULL)))
2950 goto end;
2951
2952 if (initrbio == USE_BIO_1
2953 || initwbio == USE_BIO_1
2954 || newrbio == USE_BIO_1
2955 || newwbio == USE_BIO_1) {
2956 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2957 goto end;
2958 }
2959
2960 if (initrbio == USE_BIO_2
2961 || initwbio == USE_BIO_2
2962 || newrbio == USE_BIO_2
2963 || newwbio == USE_BIO_2) {
2964 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2965 goto end;
2966 }
2967
2968 if (initrbio != USE_DEFAULT) {
2969 setupbio(&irbio, bio1, bio2, initrbio);
2970 setupbio(&iwbio, bio1, bio2, initwbio);
2971 SSL_set_bio(clientssl, irbio, iwbio);
2972
2973 /*
2974 * We want to maintain our own refs to these BIO, so do an up ref for
2975 * each BIO that will have ownership transferred in the SSL_set_bio()
2976 * call
2977 */
2978 if (irbio != NULL)
2979 BIO_up_ref(irbio);
2980 if (iwbio != NULL && iwbio != irbio)
2981 BIO_up_ref(iwbio);
2982 }
2983
2984 if (conntype != CONNTYPE_NO_CONNECTION
2985 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2986 SSL_ERROR_NONE)
2987 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2988 goto end;
2989
2990 setupbio(&nrbio, bio1, bio2, newrbio);
2991 setupbio(&nwbio, bio1, bio2, newwbio);
2992
2993 /*
2994 * We will (maybe) transfer ownership again so do more up refs.
2995 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2996 * already been set!
2997 */
2998 if (nrbio != NULL
2999 && nrbio != irbio
3000 && (nwbio != iwbio || nrbio != nwbio))
3001 BIO_up_ref(nrbio);
3002 if (nwbio != NULL
3003 && nwbio != nrbio
3004 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3005 BIO_up_ref(nwbio);
3006
3007 SSL_set_bio(clientssl, nrbio, nwbio);
3008
3009 testresult = 1;
3010
3011 end:
3012 BIO_free(bio1);
3013 BIO_free(bio2);
3014
3015 /*
3016 * This test is checking that the ref counting for SSL_set_bio is correct.
3017 * If we get here and we did too many frees then we will fail in the above
3018 * functions.
3019 */
3020 SSL_free(serverssl);
3021 SSL_free(clientssl);
3022 SSL_CTX_free(sctx);
3023 SSL_CTX_free(cctx);
3024 return testresult;
3025 }
3026
3027 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3028
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)3029 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3030 {
3031 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3032 SSL_CTX *ctx;
3033 SSL *ssl = NULL;
3034 int testresult = 0;
3035
3036 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3037 || !TEST_ptr(ssl = SSL_new(ctx))
3038 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3039 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3040 goto end;
3041
3042 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3043
3044 /*
3045 * If anything goes wrong here then we could leak memory.
3046 */
3047 BIO_push(sslbio, membio1);
3048
3049 /* Verify changing the rbio/wbio directly does not cause leaks */
3050 if (change_bio != NO_BIO_CHANGE) {
3051 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3052 ssl = NULL;
3053 goto end;
3054 }
3055 if (change_bio == CHANGE_RBIO)
3056 SSL_set0_rbio(ssl, membio2);
3057 else
3058 SSL_set0_wbio(ssl, membio2);
3059 }
3060 ssl = NULL;
3061
3062 if (pop_ssl)
3063 BIO_pop(sslbio);
3064 else
3065 BIO_pop(membio1);
3066
3067 testresult = 1;
3068 end:
3069 BIO_free(membio1);
3070 BIO_free(sslbio);
3071 SSL_free(ssl);
3072 SSL_CTX_free(ctx);
3073
3074 return testresult;
3075 }
3076
test_ssl_bio_pop_next_bio(void)3077 static int test_ssl_bio_pop_next_bio(void)
3078 {
3079 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3080 }
3081
test_ssl_bio_pop_ssl_bio(void)3082 static int test_ssl_bio_pop_ssl_bio(void)
3083 {
3084 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3085 }
3086
test_ssl_bio_change_rbio(void)3087 static int test_ssl_bio_change_rbio(void)
3088 {
3089 return execute_test_ssl_bio(0, CHANGE_RBIO);
3090 }
3091
test_ssl_bio_change_wbio(void)3092 static int test_ssl_bio_change_wbio(void)
3093 {
3094 return execute_test_ssl_bio(0, CHANGE_WBIO);
3095 }
3096
3097 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3098 typedef struct {
3099 /* The list of sig algs */
3100 const int *list;
3101 /* The length of the list */
3102 size_t listlen;
3103 /* A sigalgs list in string format */
3104 const char *liststr;
3105 /* Whether setting the list should succeed */
3106 int valid;
3107 /* Whether creating a connection with the list should succeed */
3108 int connsuccess;
3109 } sigalgs_list;
3110
3111 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3112 # ifndef OPENSSL_NO_EC
3113 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3114 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3115 # endif
3116 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3117 static const int invalidlist2[] = {NID_sha256, NID_undef};
3118 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3119 static const int invalidlist4[] = {NID_sha256};
3120 static const sigalgs_list testsigalgs[] = {
3121 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3122 # ifndef OPENSSL_NO_EC
3123 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3124 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3125 # endif
3126 {NULL, 0, "RSA+SHA256", 1, 1},
3127 # ifndef OPENSSL_NO_EC
3128 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3129 {NULL, 0, "ECDSA+SHA512", 1, 0},
3130 # endif
3131 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3132 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3133 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3134 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3135 {NULL, 0, "RSA", 0, 0},
3136 {NULL, 0, "SHA256", 0, 0},
3137 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3138 {NULL, 0, "Invalid", 0, 0}
3139 };
3140
test_set_sigalgs(int idx)3141 static int test_set_sigalgs(int idx)
3142 {
3143 SSL_CTX *cctx = NULL, *sctx = NULL;
3144 SSL *clientssl = NULL, *serverssl = NULL;
3145 int testresult = 0;
3146 const sigalgs_list *curr;
3147 int testctx;
3148
3149 /* Should never happen */
3150 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3151 return 0;
3152
3153 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3154 curr = testctx ? &testsigalgs[idx]
3155 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3156
3157 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3158 TLS_client_method(), TLS1_VERSION, 0,
3159 &sctx, &cctx, cert, privkey)))
3160 return 0;
3161
3162 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3163
3164 if (testctx) {
3165 int ret;
3166
3167 if (curr->list != NULL)
3168 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3169 else
3170 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3171
3172 if (!ret) {
3173 if (curr->valid)
3174 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3175 else
3176 testresult = 1;
3177 goto end;
3178 }
3179 if (!curr->valid) {
3180 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3181 goto end;
3182 }
3183 }
3184
3185 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3186 &clientssl, NULL, NULL)))
3187 goto end;
3188
3189 if (!testctx) {
3190 int ret;
3191
3192 if (curr->list != NULL)
3193 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3194 else
3195 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3196 if (!ret) {
3197 if (curr->valid)
3198 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3199 else
3200 testresult = 1;
3201 goto end;
3202 }
3203 if (!curr->valid)
3204 goto end;
3205 }
3206
3207 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3208 SSL_ERROR_NONE),
3209 curr->connsuccess))
3210 goto end;
3211
3212 testresult = 1;
3213
3214 end:
3215 SSL_free(serverssl);
3216 SSL_free(clientssl);
3217 SSL_CTX_free(sctx);
3218 SSL_CTX_free(cctx);
3219
3220 return testresult;
3221 }
3222 #endif
3223
3224 #ifndef OSSL_NO_USABLE_TLS1_3
3225 static int psk_client_cb_cnt = 0;
3226 static int psk_server_cb_cnt = 0;
3227
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)3228 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3229 size_t *idlen, SSL_SESSION **sess)
3230 {
3231 switch (++use_session_cb_cnt) {
3232 case 1:
3233 /* The first call should always have a NULL md */
3234 if (md != NULL)
3235 return 0;
3236 break;
3237
3238 case 2:
3239 /* The second call should always have an md */
3240 if (md == NULL)
3241 return 0;
3242 break;
3243
3244 default:
3245 /* We should only be called a maximum of twice */
3246 return 0;
3247 }
3248
3249 if (clientpsk != NULL)
3250 SSL_SESSION_up_ref(clientpsk);
3251
3252 *sess = clientpsk;
3253 *id = (const unsigned char *)pskid;
3254 *idlen = strlen(pskid);
3255
3256 return 1;
3257 }
3258
3259 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)3260 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3261 unsigned int max_id_len,
3262 unsigned char *psk,
3263 unsigned int max_psk_len)
3264 {
3265 unsigned int psklen = 0;
3266
3267 psk_client_cb_cnt++;
3268
3269 if (strlen(pskid) + 1 > max_id_len)
3270 return 0;
3271
3272 /* We should only ever be called a maximum of twice per connection */
3273 if (psk_client_cb_cnt > 2)
3274 return 0;
3275
3276 if (clientpsk == NULL)
3277 return 0;
3278
3279 /* We'll reuse the PSK we set up for TLSv1.3 */
3280 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3281 return 0;
3282 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3283 strncpy(id, pskid, max_id_len);
3284
3285 return psklen;
3286 }
3287 #endif /* OPENSSL_NO_PSK */
3288
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)3289 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3290 size_t identity_len, SSL_SESSION **sess)
3291 {
3292 find_session_cb_cnt++;
3293
3294 /* We should only ever be called a maximum of twice per connection */
3295 if (find_session_cb_cnt > 2)
3296 return 0;
3297
3298 if (serverpsk == NULL)
3299 return 0;
3300
3301 /* Identity should match that set by the client */
3302 if (strlen(srvid) != identity_len
3303 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3304 /* No PSK found, continue but without a PSK */
3305 *sess = NULL;
3306 return 1;
3307 }
3308
3309 SSL_SESSION_up_ref(serverpsk);
3310 *sess = serverpsk;
3311
3312 return 1;
3313 }
3314
3315 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)3316 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3317 unsigned char *psk, unsigned int max_psk_len)
3318 {
3319 unsigned int psklen = 0;
3320
3321 psk_server_cb_cnt++;
3322
3323 /* We should only ever be called a maximum of twice per connection */
3324 if (find_session_cb_cnt > 2)
3325 return 0;
3326
3327 if (serverpsk == NULL)
3328 return 0;
3329
3330 /* Identity should match that set by the client */
3331 if (strcmp(srvid, identity) != 0) {
3332 return 0;
3333 }
3334
3335 /* We'll reuse the PSK we set up for TLSv1.3 */
3336 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3337 return 0;
3338 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3339
3340 return psklen;
3341 }
3342 #endif /* OPENSSL_NO_PSK */
3343
3344 #define MSG1 "Hello"
3345 #define MSG2 "World."
3346 #define MSG3 "This"
3347 #define MSG4 "is"
3348 #define MSG5 "a"
3349 #define MSG6 "test"
3350 #define MSG7 "message."
3351
3352 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3353 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3354 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3355 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3356 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3357
3358
create_a_psk(SSL * ssl,size_t mdsize)3359 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3360 {
3361 const SSL_CIPHER *cipher = NULL;
3362 const unsigned char key[] = {
3363 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3364 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3365 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3366 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3367 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3368 };
3369 SSL_SESSION *sess = NULL;
3370
3371 if (mdsize == SHA384_DIGEST_LENGTH) {
3372 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3373 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3374 /*
3375 * Any ciphersuite using SHA256 will do - it will be compatible with
3376 * the actual ciphersuite selected as long as it too is based on SHA256
3377 */
3378 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3379 } else {
3380 /* Should not happen */
3381 return NULL;
3382 }
3383 sess = SSL_SESSION_new();
3384 if (!TEST_ptr(sess)
3385 || !TEST_ptr(cipher)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3387 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3388 || !TEST_true(
3389 SSL_SESSION_set_protocol_version(sess,
3390 TLS1_3_VERSION))) {
3391 SSL_SESSION_free(sess);
3392 return NULL;
3393 }
3394 return sess;
3395 }
3396
3397 /*
3398 * Helper method to setup objects for early data test. Caller frees objects on
3399 * error.
3400 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx,size_t mdsize)3401 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3402 SSL **serverssl, SSL_SESSION **sess, int idx,
3403 size_t mdsize)
3404 {
3405 if (*sctx == NULL
3406 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3407 TLS_client_method(),
3408 TLS1_VERSION, 0,
3409 sctx, cctx, cert, privkey)))
3410 return 0;
3411
3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3413 return 0;
3414
3415 if (idx == 1) {
3416 /* When idx == 1 we repeat the tests with read_ahead set */
3417 SSL_CTX_set_read_ahead(*cctx, 1);
3418 SSL_CTX_set_read_ahead(*sctx, 1);
3419 } else if (idx == 2) {
3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3422 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3423 use_session_cb_cnt = 0;
3424 find_session_cb_cnt = 0;
3425 srvid = pskid;
3426 }
3427
3428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3429 NULL, NULL)))
3430 return 0;
3431
3432 /*
3433 * For one of the run throughs (doesn't matter which one), we'll try sending
3434 * some SNI data in the initial ClientHello. This will be ignored (because
3435 * there is no SNI cb set up by the server), so it should not impact
3436 * early_data.
3437 */
3438 if (idx == 1
3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3440 return 0;
3441
3442 if (idx == 2) {
3443 clientpsk = create_a_psk(*clientssl, mdsize);
3444 if (!TEST_ptr(clientpsk)
3445 /*
3446 * We just choose an arbitrary value for max_early_data which
3447 * should be big enough for testing purposes.
3448 */
3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3450 0x100))
3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3452 SSL_SESSION_free(clientpsk);
3453 clientpsk = NULL;
3454 return 0;
3455 }
3456 serverpsk = clientpsk;
3457
3458 if (sess != NULL) {
3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 SSL_SESSION_free(serverpsk);
3462 clientpsk = serverpsk = NULL;
3463 return 0;
3464 }
3465 *sess = clientpsk;
3466 }
3467 return 1;
3468 }
3469
3470 if (sess == NULL)
3471 return 1;
3472
3473 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3474 SSL_ERROR_NONE)))
3475 return 0;
3476
3477 *sess = SSL_get1_session(*clientssl);
3478 SSL_shutdown(*clientssl);
3479 SSL_shutdown(*serverssl);
3480 SSL_free(*serverssl);
3481 SSL_free(*clientssl);
3482 *serverssl = *clientssl = NULL;
3483
3484 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3485 clientssl, NULL, NULL))
3486 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3487 return 0;
3488
3489 return 1;
3490 }
3491
check_early_data_timeout(time_t timer)3492 static int check_early_data_timeout(time_t timer)
3493 {
3494 int res = 0;
3495
3496 /*
3497 * Early data is time sensitive. We have an approx 8 second allowance
3498 * between writing the early data and reading it. If we exceed that time
3499 * then this test will fail. This can sometimes (rarely) occur in normal CI
3500 * operation. We can try and detect this and just ignore the result of this
3501 * test if it has taken too long. We assume anything over 7 seconds is too
3502 * long
3503 */
3504 timer = time(NULL) - timer;
3505 if (timer >= 7)
3506 res = TEST_skip("Test took too long, ignoring result");
3507
3508 return res;
3509 }
3510
test_early_data_read_write(int idx)3511 static int test_early_data_read_write(int idx)
3512 {
3513 SSL_CTX *cctx = NULL, *sctx = NULL;
3514 SSL *clientssl = NULL, *serverssl = NULL;
3515 int testresult = 0;
3516 SSL_SESSION *sess = NULL;
3517 unsigned char buf[20], data[1024];
3518 size_t readbytes, written, eoedlen, rawread, rawwritten;
3519 BIO *rbio;
3520 time_t timer;
3521
3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3523 &serverssl, &sess, idx,
3524 SHA384_DIGEST_LENGTH)))
3525 goto end;
3526
3527 /* Write and read some early data */
3528 timer = time(NULL);
3529 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3530 &written))
3531 || !TEST_size_t_eq(written, strlen(MSG1)))
3532 goto end;
3533
3534 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3535 &readbytes),
3536 SSL_READ_EARLY_DATA_SUCCESS)) {
3537 testresult = check_early_data_timeout(timer);
3538 goto end;
3539 }
3540
3541 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3542 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3543 SSL_EARLY_DATA_ACCEPTED))
3544 goto end;
3545
3546 /*
3547 * Server should be able to write data, and client should be able to
3548 * read it.
3549 */
3550 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3551 &written))
3552 || !TEST_size_t_eq(written, strlen(MSG2))
3553 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3554 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3555 goto end;
3556
3557 /* Even after reading normal data, client should be able write early data */
3558 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3559 &written))
3560 || !TEST_size_t_eq(written, strlen(MSG3)))
3561 goto end;
3562
3563 /* Server should still be able read early data after writing data */
3564 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3565 &readbytes),
3566 SSL_READ_EARLY_DATA_SUCCESS)
3567 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3568 goto end;
3569
3570 /* Write more data from server and read it from client */
3571 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3572 &written))
3573 || !TEST_size_t_eq(written, strlen(MSG4))
3574 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3575 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3576 goto end;
3577
3578 /*
3579 * If client writes normal data it should mean writing early data is no
3580 * longer possible.
3581 */
3582 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3583 || !TEST_size_t_eq(written, strlen(MSG5))
3584 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3585 SSL_EARLY_DATA_ACCEPTED))
3586 goto end;
3587
3588 /*
3589 * At this point the client has written EndOfEarlyData, ClientFinished and
3590 * normal (fully protected) data. We are going to cause a delay between the
3591 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3592 * in the read BIO, and then just put back the EndOfEarlyData message.
3593 */
3594 rbio = SSL_get_rbio(serverssl);
3595 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3596 || !TEST_size_t_lt(rawread, sizeof(data))
3597 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3598 goto end;
3599
3600 /* Record length is in the 4th and 5th bytes of the record header */
3601 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3602 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3603 || !TEST_size_t_eq(rawwritten, eoedlen))
3604 goto end;
3605
3606 /* Server should be told that there is no more early data */
3607 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3608 &readbytes),
3609 SSL_READ_EARLY_DATA_FINISH)
3610 || !TEST_size_t_eq(readbytes, 0))
3611 goto end;
3612
3613 /*
3614 * Server has not finished init yet, so should still be able to write early
3615 * data.
3616 */
3617 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3618 &written))
3619 || !TEST_size_t_eq(written, strlen(MSG6)))
3620 goto end;
3621
3622 /* Push the ClientFinished and the normal data back into the server rbio */
3623 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3624 &rawwritten))
3625 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3626 goto end;
3627
3628 /* Server should be able to read normal data */
3629 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3630 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3631 goto end;
3632
3633 /* Client and server should not be able to write/read early data now */
3634 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3635 &written)))
3636 goto end;
3637 ERR_clear_error();
3638 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3639 &readbytes),
3640 SSL_READ_EARLY_DATA_ERROR))
3641 goto end;
3642 ERR_clear_error();
3643
3644 /* Client should be able to read the data sent by the server */
3645 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3646 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3647 goto end;
3648
3649 /*
3650 * Make sure we process the two NewSessionTickets. These arrive
3651 * post-handshake. We attempt reads which we do not expect to return any
3652 * data.
3653 */
3654 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3655 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3656 &readbytes)))
3657 goto end;
3658
3659 /* Server should be able to write normal data */
3660 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3661 || !TEST_size_t_eq(written, strlen(MSG7))
3662 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3663 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3664 goto end;
3665
3666 SSL_SESSION_free(sess);
3667 sess = SSL_get1_session(clientssl);
3668 use_session_cb_cnt = 0;
3669 find_session_cb_cnt = 0;
3670
3671 SSL_shutdown(clientssl);
3672 SSL_shutdown(serverssl);
3673 SSL_free(serverssl);
3674 SSL_free(clientssl);
3675 serverssl = clientssl = NULL;
3676 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3677 &clientssl, NULL, NULL))
3678 || !TEST_true(SSL_set_session(clientssl, sess)))
3679 goto end;
3680
3681 /* Write and read some early data */
3682 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3683 &written))
3684 || !TEST_size_t_eq(written, strlen(MSG1))
3685 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3686 &readbytes),
3687 SSL_READ_EARLY_DATA_SUCCESS)
3688 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3689 goto end;
3690
3691 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3692 || !TEST_int_gt(SSL_accept(serverssl), 0))
3693 goto end;
3694
3695 /* Client and server should not be able to write/read early data now */
3696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3697 &written)))
3698 goto end;
3699 ERR_clear_error();
3700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3701 &readbytes),
3702 SSL_READ_EARLY_DATA_ERROR))
3703 goto end;
3704 ERR_clear_error();
3705
3706 /* Client and server should be able to write/read normal data */
3707 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3708 || !TEST_size_t_eq(written, strlen(MSG5))
3709 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3710 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3711 goto end;
3712
3713 testresult = 1;
3714
3715 end:
3716 SSL_SESSION_free(sess);
3717 SSL_SESSION_free(clientpsk);
3718 SSL_SESSION_free(serverpsk);
3719 clientpsk = serverpsk = NULL;
3720 SSL_free(serverssl);
3721 SSL_free(clientssl);
3722 SSL_CTX_free(sctx);
3723 SSL_CTX_free(cctx);
3724 return testresult;
3725 }
3726
3727 static int allow_ed_cb_called = 0;
3728
allow_early_data_cb(SSL * s,void * arg)3729 static int allow_early_data_cb(SSL *s, void *arg)
3730 {
3731 int *usecb = (int *)arg;
3732
3733 allow_ed_cb_called++;
3734
3735 if (*usecb == 1)
3736 return 0;
3737
3738 return 1;
3739 }
3740
3741 /*
3742 * idx == 0: Standard early_data setup
3743 * idx == 1: early_data setup using read_ahead
3744 * usecb == 0: Don't use a custom early data callback
3745 * usecb == 1: Use a custom early data callback and reject the early data
3746 * usecb == 2: Use a custom early data callback and accept the early data
3747 * confopt == 0: Configure anti-replay directly
3748 * confopt == 1: Configure anti-replay using SSL_CONF
3749 */
test_early_data_replay_int(int idx,int usecb,int confopt)3750 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3751 {
3752 SSL_CTX *cctx = NULL, *sctx = NULL;
3753 SSL *clientssl = NULL, *serverssl = NULL;
3754 int testresult = 0;
3755 SSL_SESSION *sess = NULL;
3756 size_t readbytes, written;
3757 unsigned char buf[20];
3758 time_t timer;
3759
3760 allow_ed_cb_called = 0;
3761
3762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3763 TLS_client_method(), TLS1_VERSION, 0,
3764 &sctx, &cctx, cert, privkey)))
3765 return 0;
3766
3767 if (usecb > 0) {
3768 if (confopt == 0) {
3769 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3770 } else {
3771 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3772
3773 if (!TEST_ptr(confctx))
3774 goto end;
3775 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3776 | SSL_CONF_FLAG_SERVER);
3777 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3778 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3779 2)) {
3780 SSL_CONF_CTX_free(confctx);
3781 goto end;
3782 }
3783 SSL_CONF_CTX_free(confctx);
3784 }
3785 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3786 }
3787
3788 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3789 &serverssl, &sess, idx,
3790 SHA384_DIGEST_LENGTH)))
3791 goto end;
3792
3793 /*
3794 * The server is configured to accept early data. Create a connection to
3795 * "use up" the ticket
3796 */
3797 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3798 || !TEST_true(SSL_session_reused(clientssl)))
3799 goto end;
3800
3801 SSL_shutdown(clientssl);
3802 SSL_shutdown(serverssl);
3803 SSL_free(serverssl);
3804 SSL_free(clientssl);
3805 serverssl = clientssl = NULL;
3806
3807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3808 &clientssl, NULL, NULL))
3809 || !TEST_true(SSL_set_session(clientssl, sess)))
3810 goto end;
3811
3812 /* Write and read some early data */
3813 timer = time(NULL);
3814 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3815 &written))
3816 || !TEST_size_t_eq(written, strlen(MSG1)))
3817 goto end;
3818
3819 if (usecb <= 1) {
3820 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3821 &readbytes),
3822 SSL_READ_EARLY_DATA_FINISH)
3823 /*
3824 * The ticket was reused, so the we should have rejected the
3825 * early data
3826 */
3827 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3828 SSL_EARLY_DATA_REJECTED))
3829 goto end;
3830 } else {
3831 /* In this case the callback decides to accept the early data */
3832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3833 &readbytes),
3834 SSL_READ_EARLY_DATA_SUCCESS)) {
3835 testresult = check_early_data_timeout(timer);
3836 goto end;
3837 }
3838 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3839 /*
3840 * Server will have sent its flight so client can now send
3841 * end of early data and complete its half of the handshake
3842 */
3843 || !TEST_int_gt(SSL_connect(clientssl), 0)
3844 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3845 &readbytes),
3846 SSL_READ_EARLY_DATA_FINISH)
3847 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3848 SSL_EARLY_DATA_ACCEPTED))
3849 goto end;
3850 }
3851
3852 /* Complete the connection */
3853 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3854 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3855 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3856 goto end;
3857
3858 testresult = 1;
3859
3860 end:
3861 SSL_SESSION_free(sess);
3862 SSL_SESSION_free(clientpsk);
3863 SSL_SESSION_free(serverpsk);
3864 clientpsk = serverpsk = NULL;
3865 SSL_free(serverssl);
3866 SSL_free(clientssl);
3867 SSL_CTX_free(sctx);
3868 SSL_CTX_free(cctx);
3869 return testresult;
3870 }
3871
test_early_data_replay(int idx)3872 static int test_early_data_replay(int idx)
3873 {
3874 int ret = 1, usecb, confopt;
3875
3876 for (usecb = 0; usecb < 3; usecb++) {
3877 for (confopt = 0; confopt < 2; confopt++)
3878 ret &= test_early_data_replay_int(idx, usecb, confopt);
3879 }
3880
3881 return ret;
3882 }
3883
3884 static const char *ciphersuites[] = {
3885 "TLS_AES_128_CCM_8_SHA256",
3886 "TLS_AES_128_GCM_SHA256",
3887 "TLS_AES_256_GCM_SHA384",
3888 "TLS_AES_128_CCM_SHA256",
3889 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3890 "TLS_CHACHA20_POLY1305_SHA256"
3891 #endif
3892 };
3893
3894 /*
3895 * Helper function to test that a server attempting to read early data can
3896 * handle a connection from a client where the early data should be skipped.
3897 * testtype: 0 == No HRR
3898 * testtype: 1 == HRR
3899 * testtype: 2 == HRR, invalid early_data sent after HRR
3900 * testtype: 3 == recv_max_early_data set to 0
3901 */
early_data_skip_helper(int testtype,int cipher,int idx)3902 static int early_data_skip_helper(int testtype, int cipher, int idx)
3903 {
3904 SSL_CTX *cctx = NULL, *sctx = NULL;
3905 SSL *clientssl = NULL, *serverssl = NULL;
3906 int testresult = 0;
3907 SSL_SESSION *sess = NULL;
3908 unsigned char buf[20];
3909 size_t readbytes, written;
3910
3911 if (is_fips && cipher == 4)
3912 return 1;
3913
3914 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3915 TLS_client_method(),
3916 TLS1_VERSION, 0,
3917 &sctx, &cctx, cert, privkey)))
3918 goto end;
3919
3920 if (cipher == 0) {
3921 SSL_CTX_set_security_level(sctx, 0);
3922 SSL_CTX_set_security_level(cctx, 0);
3923 }
3924
3925 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3926 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3927 goto end;
3928
3929 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3930 &serverssl, &sess, idx,
3931 cipher == 2 ? SHA384_DIGEST_LENGTH
3932 : SHA256_DIGEST_LENGTH)))
3933 goto end;
3934
3935 if (testtype == 1 || testtype == 2) {
3936 /* Force an HRR to occur */
3937 #if defined(OPENSSL_NO_EC)
3938 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3939 goto end;
3940 #else
3941 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3942 goto end;
3943 #endif
3944 } else if (idx == 2) {
3945 /*
3946 * We force early_data rejection by ensuring the PSK identity is
3947 * unrecognised
3948 */
3949 srvid = "Dummy Identity";
3950 } else {
3951 /*
3952 * Deliberately corrupt the creation time. We take 20 seconds off the
3953 * time. It could be any value as long as it is not within tolerance.
3954 * This should mean the ticket is rejected.
3955 */
3956 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3957 goto end;
3958 }
3959
3960 if (testtype == 3
3961 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3962 goto end;
3963
3964 /* Write some early data */
3965 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3966 &written))
3967 || !TEST_size_t_eq(written, strlen(MSG1)))
3968 goto end;
3969
3970 /* Server should reject the early data */
3971 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3972 &readbytes),
3973 SSL_READ_EARLY_DATA_FINISH)
3974 || !TEST_size_t_eq(readbytes, 0)
3975 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3976 SSL_EARLY_DATA_REJECTED))
3977 goto end;
3978
3979 switch (testtype) {
3980 case 0:
3981 /* Nothing to do */
3982 break;
3983
3984 case 1:
3985 /*
3986 * Finish off the handshake. We perform the same writes and reads as
3987 * further down but we expect them to fail due to the incomplete
3988 * handshake.
3989 */
3990 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3991 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3992 &readbytes)))
3993 goto end;
3994 break;
3995
3996 case 2:
3997 {
3998 BIO *wbio = SSL_get_wbio(clientssl);
3999 /* A record that will appear as bad early_data */
4000 const unsigned char bad_early_data[] = {
4001 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4002 };
4003
4004 /*
4005 * We force the client to attempt a write. This will fail because
4006 * we're still in the handshake. It will cause the second
4007 * ClientHello to be sent.
4008 */
4009 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4010 &written)))
4011 goto end;
4012
4013 /*
4014 * Inject some early_data after the second ClientHello. This should
4015 * cause the server to fail
4016 */
4017 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4018 sizeof(bad_early_data), &written)))
4019 goto end;
4020 }
4021 /* fallthrough */
4022
4023 case 3:
4024 /*
4025 * This client has sent more early_data than we are willing to skip
4026 * (case 3) or sent invalid early_data (case 2) so the connection should
4027 * abort.
4028 */
4029 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4030 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4031 goto end;
4032
4033 /* Connection has failed - nothing more to do */
4034 testresult = 1;
4035 goto end;
4036
4037 default:
4038 TEST_error("Invalid test type");
4039 goto end;
4040 }
4041
4042 ERR_clear_error();
4043 /*
4044 * Should be able to send normal data despite rejection of early data. The
4045 * early_data should be skipped.
4046 */
4047 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4048 || !TEST_size_t_eq(written, strlen(MSG2))
4049 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4050 SSL_EARLY_DATA_REJECTED)
4051 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4052 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4053 goto end;
4054
4055 /*
4056 * Failure to decrypt early data records should not leave spurious errors
4057 * on the error stack
4058 */
4059 if (!TEST_long_eq(ERR_peek_error(), 0))
4060 goto end;
4061
4062 testresult = 1;
4063
4064 end:
4065 SSL_SESSION_free(clientpsk);
4066 SSL_SESSION_free(serverpsk);
4067 clientpsk = serverpsk = NULL;
4068 SSL_SESSION_free(sess);
4069 SSL_free(serverssl);
4070 SSL_free(clientssl);
4071 SSL_CTX_free(sctx);
4072 SSL_CTX_free(cctx);
4073 return testresult;
4074 }
4075
4076 /*
4077 * Test that a server attempting to read early data can handle a connection
4078 * from a client where the early data is not acceptable.
4079 */
test_early_data_skip(int idx)4080 static int test_early_data_skip(int idx)
4081 {
4082 return early_data_skip_helper(0,
4083 idx % OSSL_NELEM(ciphersuites),
4084 idx / OSSL_NELEM(ciphersuites));
4085 }
4086
4087 /*
4088 * Test that a server attempting to read early data can handle a connection
4089 * from a client where an HRR occurs.
4090 */
test_early_data_skip_hrr(int idx)4091 static int test_early_data_skip_hrr(int idx)
4092 {
4093 return early_data_skip_helper(1,
4094 idx % OSSL_NELEM(ciphersuites),
4095 idx / OSSL_NELEM(ciphersuites));
4096 }
4097
4098 /*
4099 * Test that a server attempting to read early data can handle a connection
4100 * from a client where an HRR occurs and correctly fails if early_data is sent
4101 * after the HRR
4102 */
test_early_data_skip_hrr_fail(int idx)4103 static int test_early_data_skip_hrr_fail(int idx)
4104 {
4105 return early_data_skip_helper(2,
4106 idx % OSSL_NELEM(ciphersuites),
4107 idx / OSSL_NELEM(ciphersuites));
4108 }
4109
4110 /*
4111 * Test that a server attempting to read early data will abort if it tries to
4112 * skip over too much.
4113 */
test_early_data_skip_abort(int idx)4114 static int test_early_data_skip_abort(int idx)
4115 {
4116 return early_data_skip_helper(3,
4117 idx % OSSL_NELEM(ciphersuites),
4118 idx / OSSL_NELEM(ciphersuites));
4119 }
4120
4121 /*
4122 * Test that a server attempting to read early data can handle a connection
4123 * from a client that doesn't send any.
4124 */
test_early_data_not_sent(int idx)4125 static int test_early_data_not_sent(int idx)
4126 {
4127 SSL_CTX *cctx = NULL, *sctx = NULL;
4128 SSL *clientssl = NULL, *serverssl = NULL;
4129 int testresult = 0;
4130 SSL_SESSION *sess = NULL;
4131 unsigned char buf[20];
4132 size_t readbytes, written;
4133
4134 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4135 &serverssl, &sess, idx,
4136 SHA384_DIGEST_LENGTH)))
4137 goto end;
4138
4139 /* Write some data - should block due to handshake with server */
4140 SSL_set_connect_state(clientssl);
4141 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4142 goto end;
4143
4144 /* Server should detect that early data has not been sent */
4145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4146 &readbytes),
4147 SSL_READ_EARLY_DATA_FINISH)
4148 || !TEST_size_t_eq(readbytes, 0)
4149 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4150 SSL_EARLY_DATA_NOT_SENT)
4151 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4152 SSL_EARLY_DATA_NOT_SENT))
4153 goto end;
4154
4155 /* Continue writing the message we started earlier */
4156 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4157 || !TEST_size_t_eq(written, strlen(MSG1))
4158 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4159 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4160 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4161 || !TEST_size_t_eq(written, strlen(MSG2)))
4162 goto end;
4163
4164 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4165 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4166 goto end;
4167
4168 testresult = 1;
4169
4170 end:
4171 SSL_SESSION_free(sess);
4172 SSL_SESSION_free(clientpsk);
4173 SSL_SESSION_free(serverpsk);
4174 clientpsk = serverpsk = NULL;
4175 SSL_free(serverssl);
4176 SSL_free(clientssl);
4177 SSL_CTX_free(sctx);
4178 SSL_CTX_free(cctx);
4179 return testresult;
4180 }
4181
4182 static const char *servalpn;
4183
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)4184 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4185 unsigned char *outlen, const unsigned char *in,
4186 unsigned int inlen, void *arg)
4187 {
4188 unsigned int protlen = 0;
4189 const unsigned char *prot;
4190
4191 for (prot = in; prot < in + inlen; prot += protlen) {
4192 protlen = *prot++;
4193 if (in + inlen < prot + protlen)
4194 return SSL_TLSEXT_ERR_NOACK;
4195
4196 if (protlen == strlen(servalpn)
4197 && memcmp(prot, servalpn, protlen) == 0) {
4198 *out = prot;
4199 *outlen = protlen;
4200 return SSL_TLSEXT_ERR_OK;
4201 }
4202 }
4203
4204 return SSL_TLSEXT_ERR_NOACK;
4205 }
4206
4207 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)4208 static int test_early_data_psk(int idx)
4209 {
4210 SSL_CTX *cctx = NULL, *sctx = NULL;
4211 SSL *clientssl = NULL, *serverssl = NULL;
4212 int testresult = 0;
4213 SSL_SESSION *sess = NULL;
4214 unsigned char alpnlist[] = {
4215 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4216 'l', 'p', 'n'
4217 };
4218 #define GOODALPNLEN 9
4219 #define BADALPNLEN 8
4220 #define GOODALPN (alpnlist)
4221 #define BADALPN (alpnlist + GOODALPNLEN)
4222 int err = 0;
4223 unsigned char buf[20];
4224 size_t readbytes, written;
4225 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4226 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4227
4228 /* We always set this up with a final parameter of "2" for PSK */
4229 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4230 &serverssl, &sess, 2,
4231 SHA384_DIGEST_LENGTH)))
4232 goto end;
4233
4234 servalpn = "goodalpn";
4235
4236 /*
4237 * Note: There is no test for inconsistent SNI with late client detection.
4238 * This is because servers do not acknowledge SNI even if they are using
4239 * it in a resumption handshake - so it is not actually possible for a
4240 * client to detect a problem.
4241 */
4242 switch (idx) {
4243 case 0:
4244 /* Set inconsistent SNI (early client detection) */
4245 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4246 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4247 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4248 goto end;
4249 break;
4250
4251 case 1:
4252 /* Set inconsistent ALPN (early client detection) */
4253 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4254 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4255 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4256 GOODALPNLEN))
4257 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4258 BADALPNLEN)))
4259 goto end;
4260 break;
4261
4262 case 2:
4263 /*
4264 * Set invalid protocol version. Technically this affects PSKs without
4265 * early_data too, but we test it here because it is similar to the
4266 * SNI/ALPN consistency tests.
4267 */
4268 err = SSL_R_BAD_PSK;
4269 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4270 goto end;
4271 break;
4272
4273 case 3:
4274 /*
4275 * Set inconsistent SNI (server side). In this case the connection
4276 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4277 * is associated with each handshake - not the session. Therefore it
4278 * should not matter that we used a different server name last time.
4279 */
4280 SSL_SESSION_free(serverpsk);
4281 serverpsk = SSL_SESSION_dup(clientpsk);
4282 if (!TEST_ptr(serverpsk)
4283 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4284 goto end;
4285 /* Fall through */
4286 case 4:
4287 /* Set consistent SNI */
4288 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4289 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4290 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4291 hostname_cb)))
4292 goto end;
4293 break;
4294
4295 case 5:
4296 /*
4297 * Set inconsistent ALPN (server detected). In this case the connection
4298 * will succeed but reject early_data.
4299 */
4300 servalpn = "badalpn";
4301 edstatus = SSL_EARLY_DATA_REJECTED;
4302 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4303 /* Fall through */
4304 case 6:
4305 /*
4306 * Set consistent ALPN.
4307 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4308 * accepts a list of protos (each one length prefixed).
4309 * SSL_set1_alpn_selected accepts a single protocol (not length
4310 * prefixed)
4311 */
4312 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4313 GOODALPNLEN - 1))
4314 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4315 GOODALPNLEN)))
4316 goto end;
4317
4318 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4319 break;
4320
4321 case 7:
4322 /* Set inconsistent ALPN (late client detection) */
4323 SSL_SESSION_free(serverpsk);
4324 serverpsk = SSL_SESSION_dup(clientpsk);
4325 if (!TEST_ptr(serverpsk)
4326 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4327 BADALPN + 1,
4328 BADALPNLEN - 1))
4329 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4330 GOODALPN + 1,
4331 GOODALPNLEN - 1))
4332 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4333 sizeof(alpnlist))))
4334 goto end;
4335 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4336 edstatus = SSL_EARLY_DATA_ACCEPTED;
4337 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4338 /* SSL_connect() call should fail */
4339 connectres = -1;
4340 break;
4341
4342 default:
4343 TEST_error("Bad test index");
4344 goto end;
4345 }
4346
4347 SSL_set_connect_state(clientssl);
4348 if (err != 0) {
4349 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4350 &written))
4351 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4352 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4353 goto end;
4354 } else {
4355 time_t timer = time(NULL);
4356
4357 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4358 &written)))
4359 goto end;
4360
4361 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4362 &readbytes), readearlyres)) {
4363 testresult = check_early_data_timeout(timer);
4364 goto end;
4365 }
4366
4367 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4368 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4369 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4370 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4371 goto end;
4372 }
4373
4374 testresult = 1;
4375
4376 end:
4377 SSL_SESSION_free(sess);
4378 SSL_SESSION_free(clientpsk);
4379 SSL_SESSION_free(serverpsk);
4380 clientpsk = serverpsk = NULL;
4381 SSL_free(serverssl);
4382 SSL_free(clientssl);
4383 SSL_CTX_free(sctx);
4384 SSL_CTX_free(cctx);
4385 return testresult;
4386 }
4387
4388 /*
4389 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4390 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4391 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4392 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4393 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4394 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4395 */
test_early_data_psk_with_all_ciphers(int idx)4396 static int test_early_data_psk_with_all_ciphers(int idx)
4397 {
4398 SSL_CTX *cctx = NULL, *sctx = NULL;
4399 SSL *clientssl = NULL, *serverssl = NULL;
4400 int testresult = 0;
4401 SSL_SESSION *sess = NULL;
4402 unsigned char buf[20];
4403 size_t readbytes, written;
4404 const SSL_CIPHER *cipher;
4405 time_t timer;
4406 const char *cipher_str[] = {
4407 TLS1_3_RFC_AES_128_GCM_SHA256,
4408 TLS1_3_RFC_AES_256_GCM_SHA384,
4409 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4410 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4411 # else
4412 NULL,
4413 # endif
4414 TLS1_3_RFC_AES_128_CCM_SHA256,
4415 TLS1_3_RFC_AES_128_CCM_8_SHA256
4416 };
4417 const unsigned char *cipher_bytes[] = {
4418 TLS13_AES_128_GCM_SHA256_BYTES,
4419 TLS13_AES_256_GCM_SHA384_BYTES,
4420 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4421 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4422 # else
4423 NULL,
4424 # endif
4425 TLS13_AES_128_CCM_SHA256_BYTES,
4426 TLS13_AES_128_CCM_8_SHA256_BYTES
4427 };
4428
4429 if (cipher_str[idx] == NULL)
4430 return 1;
4431 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4432 if (idx == 2 && is_fips == 1)
4433 return 1;
4434
4435 /* We always set this up with a final parameter of "2" for PSK */
4436 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4437 &serverssl, &sess, 2,
4438 SHA384_DIGEST_LENGTH)))
4439 goto end;
4440
4441 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4442 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4443 goto end;
4444
4445 /*
4446 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4447 * and assigns to both client and server with incremented reference
4448 * and the same instance is updated in 'sess'.
4449 * So updating ciphersuite in 'sess' which will get reflected in
4450 * PSK handshake using psk use sess and find sess cb.
4451 */
4452 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4453 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4454 goto end;
4455
4456 SSL_set_connect_state(clientssl);
4457 timer = time(NULL);
4458 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4459 &written)))
4460 goto end;
4461
4462 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4463 &readbytes),
4464 SSL_READ_EARLY_DATA_SUCCESS)) {
4465 testresult = check_early_data_timeout(timer);
4466 goto end;
4467 }
4468
4469 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4470 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4471 SSL_EARLY_DATA_ACCEPTED)
4472 || !TEST_int_eq(SSL_connect(clientssl), 1)
4473 || !TEST_int_eq(SSL_accept(serverssl), 1))
4474 goto end;
4475
4476 /* Send some normal data from client to server */
4477 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4478 || !TEST_size_t_eq(written, strlen(MSG2)))
4479 goto end;
4480
4481 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4482 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4483 goto end;
4484
4485 testresult = 1;
4486 end:
4487 SSL_SESSION_free(sess);
4488 SSL_SESSION_free(clientpsk);
4489 SSL_SESSION_free(serverpsk);
4490 clientpsk = serverpsk = NULL;
4491 if (clientssl != NULL)
4492 SSL_shutdown(clientssl);
4493 if (serverssl != NULL)
4494 SSL_shutdown(serverssl);
4495 SSL_free(serverssl);
4496 SSL_free(clientssl);
4497 SSL_CTX_free(sctx);
4498 SSL_CTX_free(cctx);
4499 return testresult;
4500 }
4501
4502 /*
4503 * Test that a server that doesn't try to read early data can handle a
4504 * client sending some.
4505 */
test_early_data_not_expected(int idx)4506 static int test_early_data_not_expected(int idx)
4507 {
4508 SSL_CTX *cctx = NULL, *sctx = NULL;
4509 SSL *clientssl = NULL, *serverssl = NULL;
4510 int testresult = 0;
4511 SSL_SESSION *sess = NULL;
4512 unsigned char buf[20];
4513 size_t readbytes, written;
4514
4515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4516 &serverssl, &sess, idx,
4517 SHA384_DIGEST_LENGTH)))
4518 goto end;
4519
4520 /* Write some early data */
4521 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4522 &written)))
4523 goto end;
4524
4525 /*
4526 * Server should skip over early data and then block waiting for client to
4527 * continue handshake
4528 */
4529 if (!TEST_int_le(SSL_accept(serverssl), 0)
4530 || !TEST_int_gt(SSL_connect(clientssl), 0)
4531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4532 SSL_EARLY_DATA_REJECTED)
4533 || !TEST_int_gt(SSL_accept(serverssl), 0)
4534 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4535 SSL_EARLY_DATA_REJECTED))
4536 goto end;
4537
4538 /* Send some normal data from client to server */
4539 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4540 || !TEST_size_t_eq(written, strlen(MSG2)))
4541 goto end;
4542
4543 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4544 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4545 goto end;
4546
4547 testresult = 1;
4548
4549 end:
4550 SSL_SESSION_free(sess);
4551 SSL_SESSION_free(clientpsk);
4552 SSL_SESSION_free(serverpsk);
4553 clientpsk = serverpsk = NULL;
4554 SSL_free(serverssl);
4555 SSL_free(clientssl);
4556 SSL_CTX_free(sctx);
4557 SSL_CTX_free(cctx);
4558 return testresult;
4559 }
4560
4561
4562 # ifndef OPENSSL_NO_TLS1_2
4563 /*
4564 * Test that a server attempting to read early data can handle a connection
4565 * from a TLSv1.2 client.
4566 */
test_early_data_tls1_2(int idx)4567 static int test_early_data_tls1_2(int idx)
4568 {
4569 SSL_CTX *cctx = NULL, *sctx = NULL;
4570 SSL *clientssl = NULL, *serverssl = NULL;
4571 int testresult = 0;
4572 unsigned char buf[20];
4573 size_t readbytes, written;
4574
4575 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4576 &serverssl, NULL, idx,
4577 SHA384_DIGEST_LENGTH)))
4578 goto end;
4579
4580 /* Write some data - should block due to handshake with server */
4581 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4582 SSL_set_connect_state(clientssl);
4583 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4584 goto end;
4585
4586 /*
4587 * Server should do TLSv1.2 handshake. First it will block waiting for more
4588 * messages from client after ServerDone. Then SSL_read_early_data should
4589 * finish and detect that early data has not been sent
4590 */
4591 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4592 &readbytes),
4593 SSL_READ_EARLY_DATA_ERROR))
4594 goto end;
4595
4596 /*
4597 * Continue writing the message we started earlier. Will still block waiting
4598 * for the CCS/Finished from server
4599 */
4600 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4602 &readbytes),
4603 SSL_READ_EARLY_DATA_FINISH)
4604 || !TEST_size_t_eq(readbytes, 0)
4605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4606 SSL_EARLY_DATA_NOT_SENT))
4607 goto end;
4608
4609 /* Continue writing the message we started earlier */
4610 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4611 || !TEST_size_t_eq(written, strlen(MSG1))
4612 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4613 SSL_EARLY_DATA_NOT_SENT)
4614 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4615 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4616 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4617 || !TEST_size_t_eq(written, strlen(MSG2))
4618 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4619 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4620 goto end;
4621
4622 testresult = 1;
4623
4624 end:
4625 SSL_SESSION_free(clientpsk);
4626 SSL_SESSION_free(serverpsk);
4627 clientpsk = serverpsk = NULL;
4628 SSL_free(serverssl);
4629 SSL_free(clientssl);
4630 SSL_CTX_free(sctx);
4631 SSL_CTX_free(cctx);
4632
4633 return testresult;
4634 }
4635 # endif /* OPENSSL_NO_TLS1_2 */
4636
4637 /*
4638 * Test configuring the TLSv1.3 ciphersuites
4639 *
4640 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4641 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4642 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4643 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4644 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4645 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4646 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4647 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4648 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4649 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4650 */
test_set_ciphersuite(int idx)4651 static int test_set_ciphersuite(int idx)
4652 {
4653 SSL_CTX *cctx = NULL, *sctx = NULL;
4654 SSL *clientssl = NULL, *serverssl = NULL;
4655 int testresult = 0;
4656
4657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4658 TLS_client_method(), TLS1_VERSION, 0,
4659 &sctx, &cctx, cert, privkey))
4660 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4661 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4662 goto end;
4663
4664 if (idx >=4 && idx <= 7) {
4665 /* SSL_CTX explicit cipher list */
4666 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4667 goto end;
4668 }
4669
4670 if (idx == 0 || idx == 4) {
4671 /* Default ciphersuite */
4672 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4673 "TLS_AES_128_GCM_SHA256")))
4674 goto end;
4675 } else if (idx == 1 || idx == 5) {
4676 /* Non default ciphersuite */
4677 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4678 "TLS_AES_128_CCM_SHA256")))
4679 goto end;
4680 }
4681
4682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4683 &clientssl, NULL, NULL)))
4684 goto end;
4685
4686 if (idx == 8 || idx == 9) {
4687 /* SSL explicit cipher list */
4688 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4689 goto end;
4690 }
4691
4692 if (idx == 2 || idx == 6 || idx == 8) {
4693 /* Default ciphersuite */
4694 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4695 "TLS_AES_128_GCM_SHA256")))
4696 goto end;
4697 } else if (idx == 3 || idx == 7 || idx == 9) {
4698 /* Non default ciphersuite */
4699 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4700 "TLS_AES_128_CCM_SHA256")))
4701 goto end;
4702 }
4703
4704 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4705 goto end;
4706
4707 testresult = 1;
4708
4709 end:
4710 SSL_free(serverssl);
4711 SSL_free(clientssl);
4712 SSL_CTX_free(sctx);
4713 SSL_CTX_free(cctx);
4714
4715 return testresult;
4716 }
4717
test_ciphersuite_change(void)4718 static int test_ciphersuite_change(void)
4719 {
4720 SSL_CTX *cctx = NULL, *sctx = NULL;
4721 SSL *clientssl = NULL, *serverssl = NULL;
4722 SSL_SESSION *clntsess = NULL;
4723 int testresult = 0;
4724 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4725
4726 /* Create a session based on SHA-256 */
4727 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4728 TLS_client_method(), TLS1_VERSION, 0,
4729 &sctx, &cctx, cert, privkey))
4730 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4731 "TLS_AES_128_GCM_SHA256:"
4732 "TLS_AES_256_GCM_SHA384:"
4733 "TLS_AES_128_CCM_SHA256"))
4734 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4735 "TLS_AES_128_GCM_SHA256"))
4736 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4737 &clientssl, NULL, NULL))
4738 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4739 SSL_ERROR_NONE)))
4740 goto end;
4741
4742 clntsess = SSL_get1_session(clientssl);
4743 /* Save for later */
4744 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4745 SSL_shutdown(clientssl);
4746 SSL_shutdown(serverssl);
4747 SSL_free(serverssl);
4748 SSL_free(clientssl);
4749 serverssl = clientssl = NULL;
4750
4751 /* Check we can resume a session with a different SHA-256 ciphersuite */
4752 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4753 "TLS_AES_128_CCM_SHA256"))
4754 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4755 &clientssl, NULL, NULL))
4756 || !TEST_true(SSL_set_session(clientssl, clntsess))
4757 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4758 SSL_ERROR_NONE))
4759 || !TEST_true(SSL_session_reused(clientssl)))
4760 goto end;
4761
4762 SSL_SESSION_free(clntsess);
4763 clntsess = SSL_get1_session(clientssl);
4764 SSL_shutdown(clientssl);
4765 SSL_shutdown(serverssl);
4766 SSL_free(serverssl);
4767 SSL_free(clientssl);
4768 serverssl = clientssl = NULL;
4769
4770 /*
4771 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4772 * succeeds but does not resume.
4773 */
4774 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4775 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4776 NULL, NULL))
4777 || !TEST_true(SSL_set_session(clientssl, clntsess))
4778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4779 SSL_ERROR_SSL))
4780 || !TEST_false(SSL_session_reused(clientssl)))
4781 goto end;
4782
4783 SSL_SESSION_free(clntsess);
4784 clntsess = NULL;
4785 SSL_shutdown(clientssl);
4786 SSL_shutdown(serverssl);
4787 SSL_free(serverssl);
4788 SSL_free(clientssl);
4789 serverssl = clientssl = NULL;
4790
4791 /* Create a session based on SHA384 */
4792 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4793 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4794 &clientssl, NULL, NULL))
4795 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4796 SSL_ERROR_NONE)))
4797 goto end;
4798
4799 clntsess = SSL_get1_session(clientssl);
4800 SSL_shutdown(clientssl);
4801 SSL_shutdown(serverssl);
4802 SSL_free(serverssl);
4803 SSL_free(clientssl);
4804 serverssl = clientssl = NULL;
4805
4806 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4807 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4808 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4809 "TLS_AES_256_GCM_SHA384"))
4810 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4811 NULL, NULL))
4812 || !TEST_true(SSL_set_session(clientssl, clntsess))
4813 /*
4814 * We use SSL_ERROR_WANT_READ below so that we can pause the
4815 * connection after the initial ClientHello has been sent to
4816 * enable us to make some session changes.
4817 */
4818 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4819 SSL_ERROR_WANT_READ)))
4820 goto end;
4821
4822 /* Trick the client into thinking this session is for a different digest */
4823 clntsess->cipher = aes_128_gcm_sha256;
4824 clntsess->cipher_id = clntsess->cipher->id;
4825
4826 /*
4827 * Continue the previously started connection. Server has selected a SHA-384
4828 * ciphersuite, but client thinks the session is for SHA-256, so it should
4829 * bail out.
4830 */
4831 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4832 SSL_ERROR_SSL))
4833 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4834 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4835 goto end;
4836
4837 testresult = 1;
4838
4839 end:
4840 SSL_SESSION_free(clntsess);
4841 SSL_free(serverssl);
4842 SSL_free(clientssl);
4843 SSL_CTX_free(sctx);
4844 SSL_CTX_free(cctx);
4845
4846 return testresult;
4847 }
4848
4849 /*
4850 * Test TLSv1.3 Key exchange
4851 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4852 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4853 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4854 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4855 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4856 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4857 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4858 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4859 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4860 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4861 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4862 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4863 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4864 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4865 */
4866 # ifndef OPENSSL_NO_EC
4867 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4868 NID_secp521r1, NID_X25519, NID_X448};
4869 # endif
4870 # ifndef OPENSSL_NO_DH
4871 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4872 NID_ffdhe6144, NID_ffdhe8192};
4873 # endif
test_key_exchange(int idx)4874 static int test_key_exchange(int idx)
4875 {
4876 SSL_CTX *sctx = NULL, *cctx = NULL;
4877 SSL *serverssl = NULL, *clientssl = NULL;
4878 int testresult = 0;
4879 int kexch_alg;
4880 int *kexch_groups = &kexch_alg;
4881 int kexch_groups_size = 1;
4882 int max_version = TLS1_3_VERSION;
4883 char *kexch_name0 = NULL;
4884
4885 switch (idx) {
4886 # ifndef OPENSSL_NO_EC
4887 # ifndef OPENSSL_NO_TLS1_2
4888 case 12:
4889 max_version = TLS1_2_VERSION;
4890 # endif
4891 /* Fall through */
4892 case 0:
4893 kexch_groups = ecdhe_kexch_groups;
4894 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4895 kexch_name0 = "secp256r1";
4896 break;
4897 case 1:
4898 kexch_alg = NID_X9_62_prime256v1;
4899 kexch_name0 = "secp256r1";
4900 break;
4901 case 2:
4902 kexch_alg = NID_secp384r1;
4903 kexch_name0 = "secp384r1";
4904 break;
4905 case 3:
4906 kexch_alg = NID_secp521r1;
4907 kexch_name0 = "secp521r1";
4908 break;
4909 case 4:
4910 if (is_fips)
4911 return TEST_skip("X25519 might not be supported by fips provider.");
4912 kexch_alg = NID_X25519;
4913 kexch_name0 = "x25519";
4914 break;
4915 case 5:
4916 if (is_fips)
4917 return TEST_skip("X448 might not be supported by fips provider.");
4918 kexch_alg = NID_X448;
4919 kexch_name0 = "x448";
4920 break;
4921 # endif
4922 # ifndef OPENSSL_NO_DH
4923 # ifndef OPENSSL_NO_TLS1_2
4924 case 13:
4925 max_version = TLS1_2_VERSION;
4926 kexch_name0 = "ffdhe2048";
4927 # endif
4928 /* Fall through */
4929 case 6:
4930 kexch_groups = ffdhe_kexch_groups;
4931 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4932 kexch_name0 = "ffdhe2048";
4933 break;
4934 case 7:
4935 kexch_alg = NID_ffdhe2048;
4936 kexch_name0 = "ffdhe2048";
4937 break;
4938 case 8:
4939 kexch_alg = NID_ffdhe3072;
4940 kexch_name0 = "ffdhe3072";
4941 break;
4942 case 9:
4943 kexch_alg = NID_ffdhe4096;
4944 kexch_name0 = "ffdhe4096";
4945 break;
4946 case 10:
4947 kexch_alg = NID_ffdhe6144;
4948 kexch_name0 = "ffdhe6144";
4949 break;
4950 case 11:
4951 kexch_alg = NID_ffdhe8192;
4952 kexch_name0 = "ffdhe8192";
4953 break;
4954 # endif
4955 default:
4956 /* We're skipping this test */
4957 return 1;
4958 }
4959
4960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4961 TLS_client_method(), TLS1_VERSION,
4962 max_version, &sctx, &cctx, cert,
4963 privkey)))
4964 goto end;
4965
4966 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4967 TLS1_3_RFC_AES_128_GCM_SHA256)))
4968 goto end;
4969
4970 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4971 TLS1_3_RFC_AES_128_GCM_SHA256)))
4972 goto end;
4973
4974 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4975 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4976 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4977 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4978 goto end;
4979
4980 /*
4981 * Must include an EC ciphersuite so that we send supported groups in
4982 * TLSv1.2
4983 */
4984 # ifndef OPENSSL_NO_TLS1_2
4985 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4986 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4987 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4988 goto end;
4989 # endif
4990
4991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4992 NULL, NULL)))
4993 goto end;
4994
4995 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4996 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4997 goto end;
4998
4999 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5000 goto end;
5001
5002 /*
5003 * If Handshake succeeds the negotiated kexch alg should be the first one in
5004 * configured, except in the case of FFDHE groups (idx 13), which are
5005 * TLSv1.3 only so we expect no shared group to exist.
5006 */
5007 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5008 idx == 13 ? 0 : kexch_groups[0]))
5009 goto end;
5010
5011 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5012 kexch_name0))
5013 goto end;
5014
5015 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5016 if (idx != 13) {
5017 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5018 goto end;
5019 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5020 goto end;
5021 }
5022
5023 testresult = 1;
5024 end:
5025 SSL_free(serverssl);
5026 SSL_free(clientssl);
5027 SSL_CTX_free(sctx);
5028 SSL_CTX_free(cctx);
5029 return testresult;
5030 }
5031
5032 # if !defined(OPENSSL_NO_TLS1_2) \
5033 && !defined(OPENSSL_NO_EC) \
5034 && !defined(OPENSSL_NO_DH)
set_ssl_groups(SSL * serverssl,SSL * clientssl,int clientmulti,int isecdhe,int idx)5035 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5036 int isecdhe, int idx)
5037 {
5038 int kexch_alg;
5039 int *kexch_groups = &kexch_alg;
5040 int numec, numff;
5041
5042 numec = OSSL_NELEM(ecdhe_kexch_groups);
5043 numff = OSSL_NELEM(ffdhe_kexch_groups);
5044 if (isecdhe)
5045 kexch_alg = ecdhe_kexch_groups[idx];
5046 else
5047 kexch_alg = ffdhe_kexch_groups[idx];
5048
5049 if (clientmulti) {
5050 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5051 return 0;
5052 if (isecdhe) {
5053 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5054 numec)))
5055 return 0;
5056 } else {
5057 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5058 numff)))
5059 return 0;
5060 }
5061 } else {
5062 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5063 return 0;
5064 if (isecdhe) {
5065 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5066 numec)))
5067 return 0;
5068 } else {
5069 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5070 numff)))
5071 return 0;
5072 }
5073 }
5074 return 1;
5075 }
5076
5077 /*-
5078 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5079 * Run through both the ECDHE and FFDHE group lists used in the previous
5080 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5081 * confirming the expected result; then perform a resumption handshake
5082 * while offering the same group list, and another resumption handshake
5083 * offering a different group list. The returned value should be the
5084 * negotiated group for the initial handshake; for TLS 1.3 resumption
5085 * handshakes the returned value will be negotiated on the resumption
5086 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5087 * be cached in the session from the original handshake, regardless of what
5088 * was offered in the resumption ClientHello.
5089 *
5090 * Using E for the number of EC groups and F for the number of FF groups:
5091 * E tests of ECDHE with TLS 1.3, server only has one group
5092 * F tests of FFDHE with TLS 1.3, server only has one group
5093 * E tests of ECDHE with TLS 1.2, server only has one group
5094 * F tests of FFDHE with TLS 1.2, server only has one group
5095 * E tests of ECDHE with TLS 1.3, client sends only one group
5096 * F tests of FFDHE with TLS 1.3, client sends only one group
5097 * E tests of ECDHE with TLS 1.2, client sends only one group
5098 * F tests of FFDHE with TLS 1.2, client sends only one group
5099 */
test_negotiated_group(int idx)5100 static int test_negotiated_group(int idx)
5101 {
5102 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5103 int expectednid;
5104 SSL_CTX *sctx = NULL, *cctx = NULL;
5105 SSL *serverssl = NULL, *clientssl = NULL;
5106 SSL_SESSION *origsess = NULL;
5107 int testresult = 0;
5108 int kexch_alg;
5109 int max_version = TLS1_3_VERSION;
5110
5111 numec = OSSL_NELEM(ecdhe_kexch_groups);
5112 numff = OSSL_NELEM(ffdhe_kexch_groups);
5113 numgroups = numec + numff;
5114 clientmulti = (idx < 2 * numgroups);
5115 idx = idx % (2 * numgroups);
5116 istls13 = (idx < numgroups);
5117 idx = idx % numgroups;
5118 isecdhe = (idx < numec);
5119 if (!isecdhe)
5120 idx -= numec;
5121 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5122 if (isecdhe)
5123 kexch_alg = ecdhe_kexch_groups[idx];
5124 else
5125 kexch_alg = ffdhe_kexch_groups[idx];
5126 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5127 if (!istls13 && !isecdhe)
5128 expectednid = NID_undef;
5129 else
5130 expectednid = kexch_alg;
5131
5132 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5133 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5134
5135 if (!istls13)
5136 max_version = TLS1_2_VERSION;
5137
5138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5139 TLS_client_method(), TLS1_VERSION,
5140 max_version, &sctx, &cctx, cert,
5141 privkey)))
5142 goto end;
5143
5144 /*
5145 * Force (EC)DHE ciphers for TLS 1.2.
5146 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5147 */
5148 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5149 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5150 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5151 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5152 goto end;
5153 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5154 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5155 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5156 goto end;
5157
5158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5159 NULL, NULL)))
5160 goto end;
5161
5162 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5163 idx)))
5164 goto end;
5165
5166 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5167 goto end;
5168
5169 /* Initial handshake; always the configured one */
5170 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5171 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5172 goto end;
5173
5174 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5175 goto end;
5176
5177 SSL_shutdown(clientssl);
5178 SSL_shutdown(serverssl);
5179 SSL_free(serverssl);
5180 SSL_free(clientssl);
5181 serverssl = clientssl = NULL;
5182
5183 /* First resumption attempt; use the same config as initial handshake */
5184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5185 NULL, NULL))
5186 || !TEST_true(SSL_set_session(clientssl, origsess))
5187 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5188 isecdhe, idx)))
5189 goto end;
5190
5191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5192 || !TEST_true(SSL_session_reused(clientssl)))
5193 goto end;
5194
5195 /* Still had better agree, since nothing changed... */
5196 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5197 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5198 goto end;
5199
5200 SSL_shutdown(clientssl);
5201 SSL_shutdown(serverssl);
5202 SSL_free(serverssl);
5203 SSL_free(clientssl);
5204 serverssl = clientssl = NULL;
5205
5206 /*-
5207 * Second resumption attempt
5208 * The party that picks one group changes it, which we effectuate by
5209 * changing 'idx' and updating what we expect.
5210 */
5211 if (idx == 0)
5212 idx = 1;
5213 else
5214 idx--;
5215 if (istls13) {
5216 if (isecdhe)
5217 expectednid = ecdhe_kexch_groups[idx];
5218 else
5219 expectednid = ffdhe_kexch_groups[idx];
5220 /* Verify that we are changing what we expect. */
5221 if (!TEST_int_ne(expectednid, kexch_alg))
5222 goto end;
5223 } else {
5224 /* TLS 1.2 only supports named groups for ECDHE. */
5225 if (isecdhe)
5226 expectednid = kexch_alg;
5227 else
5228 expectednid = 0;
5229 }
5230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5231 NULL, NULL))
5232 || !TEST_true(SSL_set_session(clientssl, origsess))
5233 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5234 isecdhe, idx)))
5235 goto end;
5236
5237 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5238 || !TEST_true(SSL_session_reused(clientssl)))
5239 goto end;
5240
5241 /* Check that we get what we expected */
5242 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5243 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5244 goto end;
5245
5246 testresult = 1;
5247 end:
5248 SSL_free(serverssl);
5249 SSL_free(clientssl);
5250 SSL_CTX_free(sctx);
5251 SSL_CTX_free(cctx);
5252 SSL_SESSION_free(origsess);
5253 return testresult;
5254 }
5255 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5256
5257 /*
5258 * Test TLSv1.3 Cipher Suite
5259 * Test 0 = Set TLS1.3 cipher on context
5260 * Test 1 = Set TLS1.3 cipher on SSL
5261 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5262 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5263 */
test_tls13_ciphersuite(int idx)5264 static int test_tls13_ciphersuite(int idx)
5265 {
5266 SSL_CTX *sctx = NULL, *cctx = NULL;
5267 SSL *serverssl = NULL, *clientssl = NULL;
5268 static const struct {
5269 const char *ciphername;
5270 int fipscapable;
5271 } t13_ciphers[] = {
5272 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5273 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5274 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5275 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5276 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5277 { TLS1_3_RFC_AES_256_GCM_SHA384
5278 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5279 # endif
5280 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5281 };
5282 const char *t13_cipher = NULL;
5283 const char *t12_cipher = NULL;
5284 const char *negotiated_scipher;
5285 const char *negotiated_ccipher;
5286 int set_at_ctx = 0;
5287 int set_at_ssl = 0;
5288 int testresult = 0;
5289 int max_ver;
5290 size_t i;
5291
5292 switch (idx) {
5293 case 0:
5294 set_at_ctx = 1;
5295 break;
5296 case 1:
5297 set_at_ssl = 1;
5298 break;
5299 case 2:
5300 set_at_ctx = 1;
5301 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5302 break;
5303 case 3:
5304 set_at_ssl = 1;
5305 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5306 break;
5307 }
5308
5309 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5310 # ifdef OPENSSL_NO_TLS1_2
5311 if (max_ver == TLS1_2_VERSION)
5312 continue;
5313 # endif
5314 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5315 if (is_fips && !t13_ciphers[i].fipscapable)
5316 continue;
5317 t13_cipher = t13_ciphers[i].ciphername;
5318 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5319 TLS_client_method(),
5320 TLS1_VERSION, max_ver,
5321 &sctx, &cctx, cert, privkey)))
5322 goto end;
5323
5324 if (set_at_ctx) {
5325 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5326 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5327 goto end;
5328 if (t12_cipher != NULL) {
5329 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5330 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5331 t12_cipher)))
5332 goto end;
5333 }
5334 }
5335
5336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5337 &clientssl, NULL, NULL)))
5338 goto end;
5339
5340 if (set_at_ssl) {
5341 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5342 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5343 goto end;
5344 if (t12_cipher != NULL) {
5345 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5346 || !TEST_true(SSL_set_cipher_list(clientssl,
5347 t12_cipher)))
5348 goto end;
5349 }
5350 }
5351
5352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5353 SSL_ERROR_NONE)))
5354 goto end;
5355
5356 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5357 serverssl));
5358 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5359 clientssl));
5360 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5361 goto end;
5362
5363 /*
5364 * TEST_strn_eq is used below because t13_cipher can contain
5365 * multiple ciphersuites
5366 */
5367 if (max_ver == TLS1_3_VERSION
5368 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5369 strlen(negotiated_scipher)))
5370 goto end;
5371
5372 # ifndef OPENSSL_NO_TLS1_2
5373 /* Below validation is not done when t12_cipher is NULL */
5374 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5375 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5376 goto end;
5377 # endif
5378
5379 SSL_free(serverssl);
5380 serverssl = NULL;
5381 SSL_free(clientssl);
5382 clientssl = NULL;
5383 SSL_CTX_free(sctx);
5384 sctx = NULL;
5385 SSL_CTX_free(cctx);
5386 cctx = NULL;
5387 }
5388 }
5389
5390 testresult = 1;
5391 end:
5392 SSL_free(serverssl);
5393 SSL_free(clientssl);
5394 SSL_CTX_free(sctx);
5395 SSL_CTX_free(cctx);
5396 return testresult;
5397 }
5398
5399 /*
5400 * Test TLSv1.3 PSKs
5401 * Test 0 = Test new style callbacks
5402 * Test 1 = Test both new and old style callbacks
5403 * Test 2 = Test old style callbacks
5404 * Test 3 = Test old style callbacks with no certificate
5405 */
test_tls13_psk(int idx)5406 static int test_tls13_psk(int idx)
5407 {
5408 SSL_CTX *sctx = NULL, *cctx = NULL;
5409 SSL *serverssl = NULL, *clientssl = NULL;
5410 const SSL_CIPHER *cipher = NULL;
5411 const unsigned char key[] = {
5412 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5413 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5414 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5415 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5416 };
5417 int testresult = 0;
5418
5419 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5420 TLS_client_method(), TLS1_VERSION, 0,
5421 &sctx, &cctx, idx == 3 ? NULL : cert,
5422 idx == 3 ? NULL : privkey)))
5423 goto end;
5424
5425 if (idx != 3) {
5426 /*
5427 * We use a ciphersuite with SHA256 to ease testing old style PSK
5428 * callbacks which will always default to SHA256. This should not be
5429 * necessary if we have no cert/priv key. In that case the server should
5430 * prefer SHA256 automatically.
5431 */
5432 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5433 "TLS_AES_128_GCM_SHA256")))
5434 goto end;
5435 } else {
5436 /*
5437 * As noted above the server should prefer SHA256 automatically. However
5438 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5439 * code works even if we are testing with only the FIPS provider loaded.
5440 */
5441 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5442 "TLS_AES_256_GCM_SHA384:"
5443 "TLS_AES_128_GCM_SHA256")))
5444 goto end;
5445 }
5446
5447 /*
5448 * Test 0: New style callbacks only
5449 * Test 1: New and old style callbacks (only the new ones should be used)
5450 * Test 2: Old style callbacks only
5451 */
5452 if (idx == 0 || idx == 1) {
5453 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5454 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5455 }
5456 #ifndef OPENSSL_NO_PSK
5457 if (idx >= 1) {
5458 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5459 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5460 }
5461 #endif
5462 srvid = pskid;
5463 use_session_cb_cnt = 0;
5464 find_session_cb_cnt = 0;
5465 psk_client_cb_cnt = 0;
5466 psk_server_cb_cnt = 0;
5467
5468 if (idx != 3) {
5469 /*
5470 * Check we can create a connection if callback decides not to send a
5471 * PSK
5472 */
5473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5474 NULL, NULL))
5475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5476 SSL_ERROR_NONE))
5477 || !TEST_false(SSL_session_reused(clientssl))
5478 || !TEST_false(SSL_session_reused(serverssl)))
5479 goto end;
5480
5481 if (idx == 0 || idx == 1) {
5482 if (!TEST_true(use_session_cb_cnt == 1)
5483 || !TEST_true(find_session_cb_cnt == 0)
5484 /*
5485 * If no old style callback then below should be 0
5486 * otherwise 1
5487 */
5488 || !TEST_true(psk_client_cb_cnt == idx)
5489 || !TEST_true(psk_server_cb_cnt == 0))
5490 goto end;
5491 } else {
5492 if (!TEST_true(use_session_cb_cnt == 0)
5493 || !TEST_true(find_session_cb_cnt == 0)
5494 || !TEST_true(psk_client_cb_cnt == 1)
5495 || !TEST_true(psk_server_cb_cnt == 0))
5496 goto end;
5497 }
5498
5499 shutdown_ssl_connection(serverssl, clientssl);
5500 serverssl = clientssl = NULL;
5501 use_session_cb_cnt = psk_client_cb_cnt = 0;
5502 }
5503
5504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505 NULL, NULL)))
5506 goto end;
5507
5508 /* Create the PSK */
5509 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5510 clientpsk = SSL_SESSION_new();
5511 if (!TEST_ptr(clientpsk)
5512 || !TEST_ptr(cipher)
5513 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5514 sizeof(key)))
5515 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5516 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5517 TLS1_3_VERSION))
5518 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5519 goto end;
5520 serverpsk = clientpsk;
5521
5522 /* Check we can create a connection and the PSK is used */
5523 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5524 || !TEST_true(SSL_session_reused(clientssl))
5525 || !TEST_true(SSL_session_reused(serverssl)))
5526 goto end;
5527
5528 if (idx == 0 || idx == 1) {
5529 if (!TEST_true(use_session_cb_cnt == 1)
5530 || !TEST_true(find_session_cb_cnt == 1)
5531 || !TEST_true(psk_client_cb_cnt == 0)
5532 || !TEST_true(psk_server_cb_cnt == 0))
5533 goto end;
5534 } else {
5535 if (!TEST_true(use_session_cb_cnt == 0)
5536 || !TEST_true(find_session_cb_cnt == 0)
5537 || !TEST_true(psk_client_cb_cnt == 1)
5538 || !TEST_true(psk_server_cb_cnt == 1))
5539 goto end;
5540 }
5541
5542 shutdown_ssl_connection(serverssl, clientssl);
5543 serverssl = clientssl = NULL;
5544 use_session_cb_cnt = find_session_cb_cnt = 0;
5545 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5546
5547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5548 NULL, NULL)))
5549 goto end;
5550
5551 /* Force an HRR */
5552 #if defined(OPENSSL_NO_EC)
5553 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5554 goto end;
5555 #else
5556 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5557 goto end;
5558 #endif
5559
5560 /*
5561 * Check we can create a connection, the PSK is used and the callbacks are
5562 * called twice.
5563 */
5564 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5565 || !TEST_true(SSL_session_reused(clientssl))
5566 || !TEST_true(SSL_session_reused(serverssl)))
5567 goto end;
5568
5569 if (idx == 0 || idx == 1) {
5570 if (!TEST_true(use_session_cb_cnt == 2)
5571 || !TEST_true(find_session_cb_cnt == 2)
5572 || !TEST_true(psk_client_cb_cnt == 0)
5573 || !TEST_true(psk_server_cb_cnt == 0))
5574 goto end;
5575 } else {
5576 if (!TEST_true(use_session_cb_cnt == 0)
5577 || !TEST_true(find_session_cb_cnt == 0)
5578 || !TEST_true(psk_client_cb_cnt == 2)
5579 || !TEST_true(psk_server_cb_cnt == 2))
5580 goto end;
5581 }
5582
5583 shutdown_ssl_connection(serverssl, clientssl);
5584 serverssl = clientssl = NULL;
5585 use_session_cb_cnt = find_session_cb_cnt = 0;
5586 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5587
5588 if (idx != 3) {
5589 /*
5590 * Check that if the server rejects the PSK we can still connect, but with
5591 * a full handshake
5592 */
5593 srvid = "Dummy Identity";
5594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5595 NULL, NULL))
5596 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5597 SSL_ERROR_NONE))
5598 || !TEST_false(SSL_session_reused(clientssl))
5599 || !TEST_false(SSL_session_reused(serverssl)))
5600 goto end;
5601
5602 if (idx == 0 || idx == 1) {
5603 if (!TEST_true(use_session_cb_cnt == 1)
5604 || !TEST_true(find_session_cb_cnt == 1)
5605 || !TEST_true(psk_client_cb_cnt == 0)
5606 /*
5607 * If no old style callback then below should be 0
5608 * otherwise 1
5609 */
5610 || !TEST_true(psk_server_cb_cnt == idx))
5611 goto end;
5612 } else {
5613 if (!TEST_true(use_session_cb_cnt == 0)
5614 || !TEST_true(find_session_cb_cnt == 0)
5615 || !TEST_true(psk_client_cb_cnt == 1)
5616 || !TEST_true(psk_server_cb_cnt == 1))
5617 goto end;
5618 }
5619
5620 shutdown_ssl_connection(serverssl, clientssl);
5621 serverssl = clientssl = NULL;
5622 }
5623 testresult = 1;
5624
5625 end:
5626 SSL_SESSION_free(clientpsk);
5627 SSL_SESSION_free(serverpsk);
5628 clientpsk = serverpsk = NULL;
5629 SSL_free(serverssl);
5630 SSL_free(clientssl);
5631 SSL_CTX_free(sctx);
5632 SSL_CTX_free(cctx);
5633 return testresult;
5634 }
5635
5636 static unsigned char cookie_magic_value[] = "cookie magic";
5637
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)5638 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5639 unsigned int *cookie_len)
5640 {
5641 /*
5642 * Not suitable as a real cookie generation function but good enough for
5643 * testing!
5644 */
5645 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5646 *cookie_len = sizeof(cookie_magic_value) - 1;
5647
5648 return 1;
5649 }
5650
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)5651 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5652 unsigned int cookie_len)
5653 {
5654 if (cookie_len == sizeof(cookie_magic_value) - 1
5655 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5656 return 1;
5657
5658 return 0;
5659 }
5660
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)5661 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5662 size_t *cookie_len)
5663 {
5664 unsigned int temp;
5665 int res = generate_cookie_callback(ssl, cookie, &temp);
5666 *cookie_len = temp;
5667 return res;
5668 }
5669
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)5670 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5671 size_t cookie_len)
5672 {
5673 return verify_cookie_callback(ssl, cookie, cookie_len);
5674 }
5675
test_stateless(void)5676 static int test_stateless(void)
5677 {
5678 SSL_CTX *sctx = NULL, *cctx = NULL;
5679 SSL *serverssl = NULL, *clientssl = NULL;
5680 int testresult = 0;
5681
5682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5683 TLS_client_method(), TLS1_VERSION, 0,
5684 &sctx, &cctx, cert, privkey)))
5685 goto end;
5686
5687 /* The arrival of CCS messages can confuse the test */
5688 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5689
5690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5691 NULL, NULL))
5692 /* Send the first ClientHello */
5693 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5694 SSL_ERROR_WANT_READ))
5695 /*
5696 * This should fail with a -1 return because we have no callbacks
5697 * set up
5698 */
5699 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5700 goto end;
5701
5702 /* Fatal error so abandon the connection from this client */
5703 SSL_free(clientssl);
5704 clientssl = NULL;
5705
5706 /* Set up the cookie generation and verification callbacks */
5707 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5708 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5709
5710 /*
5711 * Create a new connection from the client (we can reuse the server SSL
5712 * object).
5713 */
5714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5715 NULL, NULL))
5716 /* Send the first ClientHello */
5717 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5718 SSL_ERROR_WANT_READ))
5719 /* This should fail because there is no cookie */
5720 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5721 goto end;
5722
5723 /* Abandon the connection from this client */
5724 SSL_free(clientssl);
5725 clientssl = NULL;
5726
5727 /*
5728 * Now create a connection from a new client but with the same server SSL
5729 * object
5730 */
5731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5732 NULL, NULL))
5733 /* Send the first ClientHello */
5734 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5735 SSL_ERROR_WANT_READ))
5736 /* This should fail because there is no cookie */
5737 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5738 /* Send the second ClientHello */
5739 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5740 SSL_ERROR_WANT_READ))
5741 /* This should succeed because a cookie is now present */
5742 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5743 /* Complete the connection */
5744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5745 SSL_ERROR_NONE)))
5746 goto end;
5747
5748 shutdown_ssl_connection(serverssl, clientssl);
5749 serverssl = clientssl = NULL;
5750 testresult = 1;
5751
5752 end:
5753 SSL_free(serverssl);
5754 SSL_free(clientssl);
5755 SSL_CTX_free(sctx);
5756 SSL_CTX_free(cctx);
5757 return testresult;
5758
5759 }
5760 #endif /* OSSL_NO_USABLE_TLS1_3 */
5761
5762 static int clntaddoldcb = 0;
5763 static int clntparseoldcb = 0;
5764 static int srvaddoldcb = 0;
5765 static int srvparseoldcb = 0;
5766 static int clntaddnewcb = 0;
5767 static int clntparsenewcb = 0;
5768 static int srvaddnewcb = 0;
5769 static int srvparsenewcb = 0;
5770 static int snicb = 0;
5771
5772 #define TEST_EXT_TYPE1 0xff00
5773
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)5774 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5775 size_t *outlen, int *al, void *add_arg)
5776 {
5777 int *server = (int *)add_arg;
5778 unsigned char *data;
5779
5780 if (SSL_is_server(s))
5781 srvaddoldcb++;
5782 else
5783 clntaddoldcb++;
5784
5785 if (*server != SSL_is_server(s)
5786 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5787 return -1;
5788
5789 *data = 1;
5790 *out = data;
5791 *outlen = sizeof(char);
5792 return 1;
5793 }
5794
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)5795 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5796 void *add_arg)
5797 {
5798 OPENSSL_free((unsigned char *)out);
5799 }
5800
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)5801 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5802 size_t inlen, int *al, void *parse_arg)
5803 {
5804 int *server = (int *)parse_arg;
5805
5806 if (SSL_is_server(s))
5807 srvparseoldcb++;
5808 else
5809 clntparseoldcb++;
5810
5811 if (*server != SSL_is_server(s)
5812 || inlen != sizeof(char)
5813 || *in != 1)
5814 return -1;
5815
5816 return 1;
5817 }
5818
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)5819 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5820 const unsigned char **out, size_t *outlen, X509 *x,
5821 size_t chainidx, int *al, void *add_arg)
5822 {
5823 int *server = (int *)add_arg;
5824 unsigned char *data;
5825
5826 if (SSL_is_server(s))
5827 srvaddnewcb++;
5828 else
5829 clntaddnewcb++;
5830
5831 if (*server != SSL_is_server(s)
5832 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5833 return -1;
5834
5835 *data = 1;
5836 *out = data;
5837 *outlen = sizeof(*data);
5838 return 1;
5839 }
5840
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)5841 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5842 const unsigned char *out, void *add_arg)
5843 {
5844 OPENSSL_free((unsigned char *)out);
5845 }
5846
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)5847 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5848 const unsigned char *in, size_t inlen, X509 *x,
5849 size_t chainidx, int *al, void *parse_arg)
5850 {
5851 int *server = (int *)parse_arg;
5852
5853 if (SSL_is_server(s))
5854 srvparsenewcb++;
5855 else
5856 clntparsenewcb++;
5857
5858 if (*server != SSL_is_server(s)
5859 || inlen != sizeof(char) || *in != 1)
5860 return -1;
5861
5862 return 1;
5863 }
5864
sni_cb(SSL * s,int * al,void * arg)5865 static int sni_cb(SSL *s, int *al, void *arg)
5866 {
5867 SSL_CTX *ctx = (SSL_CTX *)arg;
5868
5869 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5870 *al = SSL_AD_INTERNAL_ERROR;
5871 return SSL_TLSEXT_ERR_ALERT_FATAL;
5872 }
5873 snicb++;
5874 return SSL_TLSEXT_ERR_OK;
5875 }
5876
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)5877 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5878 {
5879 return 1;
5880 }
5881
5882 /*
5883 * Custom call back tests.
5884 * Test 0: Old style callbacks in TLSv1.2
5885 * Test 1: New style callbacks in TLSv1.2
5886 * Test 2: New style callbacks in TLSv1.2 with SNI
5887 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5888 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5889 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5890 */
test_custom_exts(int tst)5891 static int test_custom_exts(int tst)
5892 {
5893 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5894 SSL *clientssl = NULL, *serverssl = NULL;
5895 int testresult = 0;
5896 static int server = 1;
5897 static int client = 0;
5898 SSL_SESSION *sess = NULL;
5899 unsigned int context;
5900
5901 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5902 /* Skip tests for TLSv1.2 and below in this case */
5903 if (tst < 3)
5904 return 1;
5905 #endif
5906
5907 /* Reset callback counters */
5908 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5909 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5910 snicb = 0;
5911
5912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5913 TLS_client_method(), TLS1_VERSION, 0,
5914 &sctx, &cctx, cert, privkey)))
5915 goto end;
5916
5917 if (tst == 2
5918 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5919 TLS1_VERSION, 0,
5920 &sctx2, NULL, cert, privkey)))
5921 goto end;
5922
5923
5924 if (tst < 3) {
5925 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5926 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5927 if (sctx2 != NULL)
5928 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5929 }
5930
5931 if (tst == 5) {
5932 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5933 | SSL_EXT_TLS1_3_CERTIFICATE;
5934 SSL_CTX_set_verify(sctx,
5935 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5936 verify_cb);
5937 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5938 SSL_FILETYPE_PEM), 1)
5939 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5940 SSL_FILETYPE_PEM), 1)
5941 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5942 goto end;
5943 } else if (tst == 4) {
5944 context = SSL_EXT_CLIENT_HELLO
5945 | SSL_EXT_TLS1_2_SERVER_HELLO
5946 | SSL_EXT_TLS1_3_SERVER_HELLO
5947 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5948 | SSL_EXT_TLS1_3_CERTIFICATE
5949 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5950 } else {
5951 context = SSL_EXT_CLIENT_HELLO
5952 | SSL_EXT_TLS1_2_SERVER_HELLO
5953 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5954 }
5955
5956 /* Create a client side custom extension */
5957 if (tst == 0) {
5958 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5959 old_add_cb, old_free_cb,
5960 &client, old_parse_cb,
5961 &client)))
5962 goto end;
5963 } else {
5964 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5965 new_add_cb, new_free_cb,
5966 &client, new_parse_cb, &client)))
5967 goto end;
5968 }
5969
5970 /* Should not be able to add duplicates */
5971 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5972 old_add_cb, old_free_cb,
5973 &client, old_parse_cb,
5974 &client))
5975 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5976 context, new_add_cb,
5977 new_free_cb, &client,
5978 new_parse_cb, &client)))
5979 goto end;
5980
5981 /* Create a server side custom extension */
5982 if (tst == 0) {
5983 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5984 old_add_cb, old_free_cb,
5985 &server, old_parse_cb,
5986 &server)))
5987 goto end;
5988 } else {
5989 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5990 new_add_cb, new_free_cb,
5991 &server, new_parse_cb, &server)))
5992 goto end;
5993 if (sctx2 != NULL
5994 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5995 context, new_add_cb,
5996 new_free_cb, &server,
5997 new_parse_cb, &server)))
5998 goto end;
5999 }
6000
6001 /* Should not be able to add duplicates */
6002 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6003 old_add_cb, old_free_cb,
6004 &server, old_parse_cb,
6005 &server))
6006 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6007 context, new_add_cb,
6008 new_free_cb, &server,
6009 new_parse_cb, &server)))
6010 goto end;
6011
6012 if (tst == 2) {
6013 /* Set up SNI */
6014 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6015 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6016 goto end;
6017 }
6018
6019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6020 &clientssl, NULL, NULL))
6021 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6022 SSL_ERROR_NONE)))
6023 goto end;
6024
6025 if (tst == 0) {
6026 if (clntaddoldcb != 1
6027 || clntparseoldcb != 1
6028 || srvaddoldcb != 1
6029 || srvparseoldcb != 1)
6030 goto end;
6031 } else if (tst == 1 || tst == 2 || tst == 3) {
6032 if (clntaddnewcb != 1
6033 || clntparsenewcb != 1
6034 || srvaddnewcb != 1
6035 || srvparsenewcb != 1
6036 || (tst != 2 && snicb != 0)
6037 || (tst == 2 && snicb != 1))
6038 goto end;
6039 } else if (tst == 5) {
6040 if (clntaddnewcb != 1
6041 || clntparsenewcb != 1
6042 || srvaddnewcb != 1
6043 || srvparsenewcb != 1)
6044 goto end;
6045 } else {
6046 /* In this case there 2 NewSessionTicket messages created */
6047 if (clntaddnewcb != 1
6048 || clntparsenewcb != 5
6049 || srvaddnewcb != 5
6050 || srvparsenewcb != 1)
6051 goto end;
6052 }
6053
6054 sess = SSL_get1_session(clientssl);
6055 SSL_shutdown(clientssl);
6056 SSL_shutdown(serverssl);
6057 SSL_free(serverssl);
6058 SSL_free(clientssl);
6059 serverssl = clientssl = NULL;
6060
6061 if (tst == 3 || tst == 5) {
6062 /* We don't bother with the resumption aspects for these tests */
6063 testresult = 1;
6064 goto end;
6065 }
6066
6067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6068 NULL, NULL))
6069 || !TEST_true(SSL_set_session(clientssl, sess))
6070 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6071 SSL_ERROR_NONE)))
6072 goto end;
6073
6074 /*
6075 * For a resumed session we expect to add the ClientHello extension. For the
6076 * old style callbacks we ignore it on the server side because they set
6077 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6078 * them.
6079 */
6080 if (tst == 0) {
6081 if (clntaddoldcb != 2
6082 || clntparseoldcb != 1
6083 || srvaddoldcb != 1
6084 || srvparseoldcb != 1)
6085 goto end;
6086 } else if (tst == 1 || tst == 2 || tst == 3) {
6087 if (clntaddnewcb != 2
6088 || clntparsenewcb != 2
6089 || srvaddnewcb != 2
6090 || srvparsenewcb != 2)
6091 goto end;
6092 } else {
6093 /*
6094 * No Certificate message extensions in the resumption handshake,
6095 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6096 */
6097 if (clntaddnewcb != 2
6098 || clntparsenewcb != 8
6099 || srvaddnewcb != 8
6100 || srvparsenewcb != 2)
6101 goto end;
6102 }
6103
6104 testresult = 1;
6105
6106 end:
6107 SSL_SESSION_free(sess);
6108 SSL_free(serverssl);
6109 SSL_free(clientssl);
6110 SSL_CTX_free(sctx2);
6111 SSL_CTX_free(sctx);
6112 SSL_CTX_free(cctx);
6113 return testresult;
6114 }
6115
6116 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6117
6118 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6119 | SSL_EXT_CLIENT_HELLO \
6120 | SSL_EXT_TLS1_2_SERVER_HELLO \
6121 | SSL_EXT_IGNORE_ON_RESUMPTION)
6122
6123 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6124 | SSL_EXT_TLS1_2_SERVER_HELLO \
6125 | SSL_EXT_CLIENT_HELLO)
6126
6127 #define SERVERINFO_CUSTOM \
6128 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6129 0x00, 0x03, \
6130 0x04, 0x05, 0x06 \
6131
6132 static const unsigned char serverinfo_custom_tls13[] = {
6133 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6134 SERVERINFO_CUSTOM
6135 };
6136 static const unsigned char serverinfo_custom_v2[] = {
6137 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6138 SERVERINFO_CUSTOM
6139 };
6140 static const unsigned char serverinfo_custom_v1[] = {
6141 SERVERINFO_CUSTOM
6142 };
6143 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6144 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6145 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6146
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6147 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6148 unsigned int context,
6149 const unsigned char *in,
6150 size_t inlen, X509 *x,
6151 size_t chainidx, int *al,
6152 void *parse_arg)
6153 {
6154 const size_t len = serverinfo_custom_v1_len;
6155 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6156 int *p_cb_result = (int*)parse_arg;
6157 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6158 return 1;
6159 }
6160
test_serverinfo_custom(const int idx)6161 static int test_serverinfo_custom(const int idx)
6162 {
6163 SSL_CTX *sctx = NULL, *cctx = NULL;
6164 SSL *clientssl = NULL, *serverssl = NULL;
6165 int testresult = 0;
6166 int cb_result = 0;
6167
6168 /*
6169 * Following variables are set in the switch statement
6170 * according to the test iteration.
6171 * Default values do not make much sense: test would fail with them.
6172 */
6173 int serverinfo_version = 0;
6174 int protocol_version = 0;
6175 unsigned int extension_context = 0;
6176 const unsigned char *si = NULL;
6177 size_t si_len = 0;
6178
6179 const int call_use_serverinfo_ex = idx > 0;
6180 switch (idx) {
6181 case 0: /* FALLTHROUGH */
6182 case 1:
6183 serverinfo_version = SSL_SERVERINFOV1;
6184 protocol_version = TLS1_2_VERSION;
6185 extension_context = SYNTHV1CONTEXT;
6186 si = serverinfo_custom_v1;
6187 si_len = serverinfo_custom_v1_len;
6188 break;
6189 case 2:
6190 serverinfo_version = SSL_SERVERINFOV2;
6191 protocol_version = TLS1_2_VERSION;
6192 extension_context = SYNTHV1CONTEXT;
6193 si = serverinfo_custom_v2;
6194 si_len = serverinfo_custom_v2_len;
6195 break;
6196 case 3:
6197 serverinfo_version = SSL_SERVERINFOV2;
6198 protocol_version = TLS1_3_VERSION;
6199 extension_context = TLS13CONTEXT;
6200 si = serverinfo_custom_tls13;
6201 si_len = serverinfo_custom_tls13_len;
6202 break;
6203 }
6204
6205 if (!TEST_true(create_ssl_ctx_pair(libctx,
6206 TLS_method(),
6207 TLS_method(),
6208 protocol_version,
6209 protocol_version,
6210 &sctx, &cctx, cert, privkey)))
6211 goto end;
6212
6213 if (call_use_serverinfo_ex) {
6214 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6215 si, si_len)))
6216 goto end;
6217 } else {
6218 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6219 goto end;
6220 }
6221
6222 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6223 extension_context,
6224 NULL, NULL, NULL,
6225 serverinfo_custom_parse_cb,
6226 &cb_result))
6227 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6228 NULL, NULL))
6229 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6230 SSL_ERROR_NONE))
6231 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6232 goto end;
6233
6234 if (!TEST_true(cb_result))
6235 goto end;
6236
6237 testresult = 1;
6238
6239 end:
6240 SSL_free(serverssl);
6241 SSL_free(clientssl);
6242 SSL_CTX_free(sctx);
6243 SSL_CTX_free(cctx);
6244
6245 return testresult;
6246 }
6247 #endif
6248
6249 /*
6250 * Test that SSL_export_keying_material() produces expected results. There are
6251 * no test vectors so all we do is test that both sides of the communication
6252 * produce the same results for different protocol versions.
6253 */
6254 #define SMALL_LABEL_LEN 10
6255 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)6256 static int test_export_key_mat(int tst)
6257 {
6258 int testresult = 0;
6259 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6260 SSL *clientssl = NULL, *serverssl = NULL;
6261 const char label[LONG_LABEL_LEN + 1] = "test label";
6262 const unsigned char context[] = "context";
6263 const unsigned char *emptycontext = NULL;
6264 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6265 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6266 size_t labellen;
6267 const int protocols[] = {
6268 TLS1_VERSION,
6269 TLS1_1_VERSION,
6270 TLS1_2_VERSION,
6271 TLS1_3_VERSION,
6272 TLS1_3_VERSION,
6273 TLS1_3_VERSION
6274 };
6275
6276 #ifdef OPENSSL_NO_TLS1
6277 if (tst == 0)
6278 return 1;
6279 #endif
6280 #ifdef OPENSSL_NO_TLS1_1
6281 if (tst == 1)
6282 return 1;
6283 #endif
6284 if (is_fips && (tst == 0 || tst == 1))
6285 return 1;
6286 #ifdef OPENSSL_NO_TLS1_2
6287 if (tst == 2)
6288 return 1;
6289 #endif
6290 #ifdef OSSL_NO_USABLE_TLS1_3
6291 if (tst >= 3)
6292 return 1;
6293 #endif
6294 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6295 TLS_client_method(), TLS1_VERSION, 0,
6296 &sctx, &cctx, cert, privkey)))
6297 goto end;
6298
6299 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6300 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6301 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6302 if ((protocols[tst] < TLS1_2_VERSION) &&
6303 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6304 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6305 goto end;
6306
6307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6308 NULL)))
6309 goto end;
6310
6311 /*
6312 * Premature call of SSL_export_keying_material should just fail.
6313 */
6314 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6315 sizeof(ckeymat1), label,
6316 SMALL_LABEL_LEN + 1, context,
6317 sizeof(context) - 1, 1), 0))
6318 goto end;
6319
6320 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6321 SSL_ERROR_NONE)))
6322 goto end;
6323
6324 if (tst == 5) {
6325 /*
6326 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6327 * go over that.
6328 */
6329 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6330 sizeof(ckeymat1), label,
6331 LONG_LABEL_LEN + 1, context,
6332 sizeof(context) - 1, 1), 0))
6333 goto end;
6334
6335 testresult = 1;
6336 goto end;
6337 } else if (tst == 4) {
6338 labellen = LONG_LABEL_LEN;
6339 } else {
6340 labellen = SMALL_LABEL_LEN;
6341 }
6342
6343 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6344 sizeof(ckeymat1), label,
6345 labellen, context,
6346 sizeof(context) - 1, 1), 1)
6347 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6348 sizeof(ckeymat2), label,
6349 labellen,
6350 emptycontext,
6351 0, 1), 1)
6352 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6353 sizeof(ckeymat3), label,
6354 labellen,
6355 NULL, 0, 0), 1)
6356 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6357 sizeof(skeymat1), label,
6358 labellen,
6359 context,
6360 sizeof(context) -1, 1),
6361 1)
6362 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6363 sizeof(skeymat2), label,
6364 labellen,
6365 emptycontext,
6366 0, 1), 1)
6367 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6368 sizeof(skeymat3), label,
6369 labellen,
6370 NULL, 0, 0), 1)
6371 /*
6372 * Check that both sides created the same key material with the
6373 * same context.
6374 */
6375 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6376 sizeof(skeymat1))
6377 /*
6378 * Check that both sides created the same key material with an
6379 * empty context.
6380 */
6381 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6382 sizeof(skeymat2))
6383 /*
6384 * Check that both sides created the same key material without a
6385 * context.
6386 */
6387 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6388 sizeof(skeymat3))
6389 /* Different contexts should produce different results */
6390 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6391 sizeof(ckeymat2)))
6392 goto end;
6393
6394 /*
6395 * Check that an empty context and no context produce different results in
6396 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6397 */
6398 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6399 sizeof(ckeymat3)))
6400 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6401 sizeof(ckeymat3))))
6402 goto end;
6403
6404 testresult = 1;
6405
6406 end:
6407 SSL_free(serverssl);
6408 SSL_free(clientssl);
6409 SSL_CTX_free(sctx2);
6410 SSL_CTX_free(sctx);
6411 SSL_CTX_free(cctx);
6412
6413 return testresult;
6414 }
6415
6416 #ifndef OSSL_NO_USABLE_TLS1_3
6417 /*
6418 * Test that SSL_export_keying_material_early() produces expected
6419 * results. There are no test vectors so all we do is test that both
6420 * sides of the communication produce the same results for different
6421 * protocol versions.
6422 */
test_export_key_mat_early(int idx)6423 static int test_export_key_mat_early(int idx)
6424 {
6425 static const char label[] = "test label";
6426 static const unsigned char context[] = "context";
6427 int testresult = 0;
6428 SSL_CTX *cctx = NULL, *sctx = NULL;
6429 SSL *clientssl = NULL, *serverssl = NULL;
6430 SSL_SESSION *sess = NULL;
6431 const unsigned char *emptycontext = NULL;
6432 unsigned char ckeymat1[80], ckeymat2[80];
6433 unsigned char skeymat1[80], skeymat2[80];
6434 unsigned char buf[1];
6435 size_t readbytes, written;
6436
6437 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6438 &sess, idx, SHA384_DIGEST_LENGTH)))
6439 goto end;
6440
6441 /* Here writing 0 length early data is enough. */
6442 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6443 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6444 &readbytes),
6445 SSL_READ_EARLY_DATA_ERROR)
6446 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6447 SSL_EARLY_DATA_ACCEPTED))
6448 goto end;
6449
6450 if (!TEST_int_eq(SSL_export_keying_material_early(
6451 clientssl, ckeymat1, sizeof(ckeymat1), label,
6452 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6453 || !TEST_int_eq(SSL_export_keying_material_early(
6454 clientssl, ckeymat2, sizeof(ckeymat2), label,
6455 sizeof(label) - 1, emptycontext, 0), 1)
6456 || !TEST_int_eq(SSL_export_keying_material_early(
6457 serverssl, skeymat1, sizeof(skeymat1), label,
6458 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6459 || !TEST_int_eq(SSL_export_keying_material_early(
6460 serverssl, skeymat2, sizeof(skeymat2), label,
6461 sizeof(label) - 1, emptycontext, 0), 1)
6462 /*
6463 * Check that both sides created the same key material with the
6464 * same context.
6465 */
6466 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6467 sizeof(skeymat1))
6468 /*
6469 * Check that both sides created the same key material with an
6470 * empty context.
6471 */
6472 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6473 sizeof(skeymat2))
6474 /* Different contexts should produce different results */
6475 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6476 sizeof(ckeymat2)))
6477 goto end;
6478
6479 testresult = 1;
6480
6481 end:
6482 SSL_SESSION_free(sess);
6483 SSL_SESSION_free(clientpsk);
6484 SSL_SESSION_free(serverpsk);
6485 clientpsk = serverpsk = NULL;
6486 SSL_free(serverssl);
6487 SSL_free(clientssl);
6488 SSL_CTX_free(sctx);
6489 SSL_CTX_free(cctx);
6490
6491 return testresult;
6492 }
6493
6494 #define NUM_KEY_UPDATE_MESSAGES 40
6495 /*
6496 * Test KeyUpdate.
6497 */
test_key_update(void)6498 static int test_key_update(void)
6499 {
6500 SSL_CTX *cctx = NULL, *sctx = NULL;
6501 SSL *clientssl = NULL, *serverssl = NULL;
6502 int testresult = 0, i, j;
6503 char buf[20];
6504 static char *mess = "A test message";
6505
6506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6507 TLS_client_method(),
6508 TLS1_3_VERSION,
6509 0,
6510 &sctx, &cctx, cert, privkey))
6511 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6512 NULL, NULL))
6513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6514 SSL_ERROR_NONE)))
6515 goto end;
6516
6517 for (j = 0; j < 2; j++) {
6518 /* Send lots of KeyUpdate messages */
6519 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6520 if (!TEST_true(SSL_key_update(clientssl,
6521 (j == 0)
6522 ? SSL_KEY_UPDATE_NOT_REQUESTED
6523 : SSL_KEY_UPDATE_REQUESTED))
6524 || !TEST_true(SSL_do_handshake(clientssl)))
6525 goto end;
6526 }
6527
6528 /* Check that sending and receiving app data is ok */
6529 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6530 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6531 strlen(mess)))
6532 goto end;
6533
6534 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6535 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6536 strlen(mess)))
6537 goto end;
6538 }
6539
6540 testresult = 1;
6541
6542 end:
6543 SSL_free(serverssl);
6544 SSL_free(clientssl);
6545 SSL_CTX_free(sctx);
6546 SSL_CTX_free(cctx);
6547
6548 return testresult;
6549 }
6550
6551 /*
6552 * Test we can handle a KeyUpdate (update requested) message while
6553 * write data is pending in peer.
6554 * Test 0: Client sends KeyUpdate while Server is writing
6555 * Test 1: Server sends KeyUpdate while Client is writing
6556 */
test_key_update_peer_in_write(int tst)6557 static int test_key_update_peer_in_write(int tst)
6558 {
6559 SSL_CTX *cctx = NULL, *sctx = NULL;
6560 SSL *clientssl = NULL, *serverssl = NULL;
6561 int testresult = 0;
6562 char buf[20];
6563 static char *mess = "A test message";
6564 BIO *bretry = BIO_new(bio_s_always_retry());
6565 BIO *tmp = NULL;
6566 SSL *peerupdate = NULL, *peerwrite = NULL;
6567
6568 if (!TEST_ptr(bretry)
6569 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6570 TLS_client_method(),
6571 TLS1_3_VERSION,
6572 0,
6573 &sctx, &cctx, cert, privkey))
6574 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6575 NULL, NULL))
6576 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6577 SSL_ERROR_NONE)))
6578 goto end;
6579
6580 peerupdate = tst == 0 ? clientssl : serverssl;
6581 peerwrite = tst == 0 ? serverssl : clientssl;
6582
6583 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6584 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6585 goto end;
6586
6587 /* Swap the writing endpoint's write BIO to force a retry */
6588 tmp = SSL_get_wbio(peerwrite);
6589 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6590 tmp = NULL;
6591 goto end;
6592 }
6593 SSL_set0_wbio(peerwrite, bretry);
6594 bretry = NULL;
6595
6596 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6597 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6598 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6599 goto end;
6600
6601 /* Reinstate the original writing endpoint's write BIO */
6602 SSL_set0_wbio(peerwrite, tmp);
6603 tmp = NULL;
6604
6605 /* Now read some data - we will read the key update */
6606 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6607 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6608 goto end;
6609
6610 /*
6611 * Complete the write we started previously and read it from the other
6612 * endpoint
6613 */
6614 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6615 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6616 goto end;
6617
6618 /* Write more data to ensure we send the KeyUpdate message back */
6619 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6620 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6621 goto end;
6622
6623 testresult = 1;
6624
6625 end:
6626 SSL_free(serverssl);
6627 SSL_free(clientssl);
6628 SSL_CTX_free(sctx);
6629 SSL_CTX_free(cctx);
6630 BIO_free(bretry);
6631 BIO_free(tmp);
6632
6633 return testresult;
6634 }
6635
6636 /*
6637 * Test we can handle a KeyUpdate (update requested) message while
6638 * peer read data is pending after peer accepted keyupdate(the msg header
6639 * had been read 5 bytes).
6640 * Test 0: Client sends KeyUpdate while Server is reading
6641 * Test 1: Server sends KeyUpdate while Client is reading
6642 */
test_key_update_peer_in_read(int tst)6643 static int test_key_update_peer_in_read(int tst)
6644 {
6645 SSL_CTX *cctx = NULL, *sctx = NULL;
6646 SSL *clientssl = NULL, *serverssl = NULL;
6647 int testresult = 0;
6648 char prbuf[515], lwbuf[515] = {0};
6649 static char *mess = "A test message";
6650 BIO *lbio = NULL, *pbio = NULL;
6651 SSL *local = NULL, *peer = NULL;
6652
6653 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6654 TLS_client_method(),
6655 TLS1_3_VERSION,
6656 0,
6657 &sctx, &cctx, cert, privkey))
6658 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6659 NULL, NULL))
6660 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6661 SSL_ERROR_NONE)))
6662 goto end;
6663
6664 local = tst == 0 ? clientssl : serverssl;
6665 peer = tst == 0 ? serverssl : clientssl;
6666
6667 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6668 goto end;
6669
6670 SSL_set_bio(local, lbio, lbio);
6671 SSL_set_bio(peer, pbio, pbio);
6672
6673 /*
6674 * we first write keyupdate msg then appdata in local
6675 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6676 * lwbuf app data msg size + key updata msg size > 512(the size of
6677 * the bio pair buffer)
6678 */
6679 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6680 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6681 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6682 goto end;
6683
6684 /*
6685 * first read keyupdate msg in peer in peer
6686 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6687 */
6688 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6689 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6690 goto end;
6691
6692 /* Now write some data in peer - we will write the key update */
6693 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6694 goto end;
6695
6696 /*
6697 * write data in local previously that we will complete
6698 * read data in peer previously that we will complete
6699 */
6700 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6701 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6702 goto end;
6703
6704 /* check that sending and receiving appdata ok */
6705 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6706 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6707 goto end;
6708
6709 testresult = 1;
6710
6711 end:
6712 SSL_free(serverssl);
6713 SSL_free(clientssl);
6714 SSL_CTX_free(sctx);
6715 SSL_CTX_free(cctx);
6716
6717 return testresult;
6718 }
6719
6720 /*
6721 * Test we can't send a KeyUpdate (update requested) message while
6722 * local write data is pending.
6723 * Test 0: Client sends KeyUpdate while Client is writing
6724 * Test 1: Server sends KeyUpdate while Server is writing
6725 */
test_key_update_local_in_write(int tst)6726 static int test_key_update_local_in_write(int tst)
6727 {
6728 SSL_CTX *cctx = NULL, *sctx = NULL;
6729 SSL *clientssl = NULL, *serverssl = NULL;
6730 int testresult = 0;
6731 char buf[20];
6732 static char *mess = "A test message";
6733 BIO *bretry = BIO_new(bio_s_always_retry());
6734 BIO *tmp = NULL;
6735 SSL *local = NULL, *peer = NULL;
6736
6737 if (!TEST_ptr(bretry)
6738 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6739 TLS_client_method(),
6740 TLS1_3_VERSION,
6741 0,
6742 &sctx, &cctx, cert, privkey))
6743 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6744 NULL, NULL))
6745 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6746 SSL_ERROR_NONE)))
6747 goto end;
6748
6749 local = tst == 0 ? clientssl : serverssl;
6750 peer = tst == 0 ? serverssl : clientssl;
6751
6752 /* Swap the writing endpoint's write BIO to force a retry */
6753 tmp = SSL_get_wbio(local);
6754 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6755 tmp = NULL;
6756 goto end;
6757 }
6758 SSL_set0_wbio(local, bretry);
6759 bretry = NULL;
6760
6761 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6762 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6763 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6764 goto end;
6765
6766 /* Reinstate the original writing endpoint's write BIO */
6767 SSL_set0_wbio(local, tmp);
6768 tmp = NULL;
6769
6770 /* SSL_key_update will fail, because writing in local*/
6771 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6772 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6773 goto end;
6774
6775 ERR_clear_error();
6776 /* write data in local previously that we will complete */
6777 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6778 goto end;
6779
6780 /* SSL_key_update will succeed because there is no pending write data */
6781 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6782 || !TEST_int_eq(SSL_do_handshake(local), 1))
6783 goto end;
6784
6785 /*
6786 * we write some appdata in local
6787 * read data in peer - we will read the keyupdate msg
6788 */
6789 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6790 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6791 goto end;
6792
6793 /* Write more peer more data to ensure we send the keyupdate message back */
6794 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6795 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6796 goto end;
6797
6798 testresult = 1;
6799
6800 end:
6801 SSL_free(serverssl);
6802 SSL_free(clientssl);
6803 SSL_CTX_free(sctx);
6804 SSL_CTX_free(cctx);
6805 BIO_free(bretry);
6806 BIO_free(tmp);
6807
6808 return testresult;
6809 }
6810
6811 /*
6812 * Test we can handle a KeyUpdate (update requested) message while
6813 * local read data is pending(the msg header had been read 5 bytes).
6814 * Test 0: Client sends KeyUpdate while Client is reading
6815 * Test 1: Server sends KeyUpdate while Server is reading
6816 */
test_key_update_local_in_read(int tst)6817 static int test_key_update_local_in_read(int tst)
6818 {
6819 SSL_CTX *cctx = NULL, *sctx = NULL;
6820 SSL *clientssl = NULL, *serverssl = NULL;
6821 int testresult = 0;
6822 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6823 static char *mess = "A test message";
6824 BIO *lbio = NULL, *pbio = NULL;
6825 SSL *local = NULL, *peer = NULL;
6826
6827 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6828 TLS_client_method(),
6829 TLS1_3_VERSION,
6830 0,
6831 &sctx, &cctx, cert, privkey))
6832 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6833 NULL, NULL))
6834 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6835 SSL_ERROR_NONE)))
6836 goto end;
6837
6838 local = tst == 0 ? clientssl : serverssl;
6839 peer = tst == 0 ? serverssl : clientssl;
6840
6841 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6842 goto end;
6843
6844 SSL_set_bio(local, lbio, lbio);
6845 SSL_set_bio(peer, pbio, pbio);
6846
6847 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6848 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6849 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6850 goto end;
6851
6852 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6853 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6854 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6855 goto end;
6856
6857 /* SSL_do_handshake will send keyupdate msg */
6858 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6859 || !TEST_int_eq(SSL_do_handshake(local), 1))
6860 goto end;
6861
6862 /*
6863 * write data in peer previously that we will complete
6864 * read data in local previously that we will complete
6865 */
6866 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6867 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6868 goto end;
6869
6870 /*
6871 * write data in local
6872 * read data in peer - we will read the key update
6873 */
6874 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6875 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6876 goto end;
6877
6878 /* Write more peer data to ensure we send the keyupdate message back */
6879 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6880 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6881 goto end;
6882
6883 testresult = 1;
6884
6885 end:
6886 SSL_free(serverssl);
6887 SSL_free(clientssl);
6888 SSL_CTX_free(sctx);
6889 SSL_CTX_free(cctx);
6890
6891 return testresult;
6892 }
6893 #endif /* OSSL_NO_USABLE_TLS1_3 */
6894
test_ssl_clear(int idx)6895 static int test_ssl_clear(int idx)
6896 {
6897 SSL_CTX *cctx = NULL, *sctx = NULL;
6898 SSL *clientssl = NULL, *serverssl = NULL;
6899 int testresult = 0;
6900
6901 #ifdef OPENSSL_NO_TLS1_2
6902 if (idx == 1)
6903 return 1;
6904 #endif
6905
6906 /* Create an initial connection */
6907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6908 TLS_client_method(), TLS1_VERSION, 0,
6909 &sctx, &cctx, cert, privkey))
6910 || (idx == 1
6911 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6912 TLS1_2_VERSION)))
6913 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6914 &clientssl, NULL, NULL))
6915 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6916 SSL_ERROR_NONE)))
6917 goto end;
6918
6919 SSL_shutdown(clientssl);
6920 SSL_shutdown(serverssl);
6921 SSL_free(serverssl);
6922 serverssl = NULL;
6923
6924 /* Clear clientssl - we're going to reuse the object */
6925 if (!TEST_true(SSL_clear(clientssl)))
6926 goto end;
6927
6928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6929 NULL, NULL))
6930 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6931 SSL_ERROR_NONE))
6932 || !TEST_true(SSL_session_reused(clientssl)))
6933 goto end;
6934
6935 SSL_shutdown(clientssl);
6936 SSL_shutdown(serverssl);
6937
6938 testresult = 1;
6939
6940 end:
6941 SSL_free(serverssl);
6942 SSL_free(clientssl);
6943 SSL_CTX_free(sctx);
6944 SSL_CTX_free(cctx);
6945
6946 return testresult;
6947 }
6948
6949 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)6950 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6951 {
6952 long len;
6953 unsigned char *data;
6954 PACKET pkt, pkt2, pkt3;
6955 unsigned int MFL_code = 0, type = 0;
6956
6957 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6958 goto end;
6959
6960 memset(&pkt, 0, sizeof(pkt));
6961 memset(&pkt2, 0, sizeof(pkt2));
6962 memset(&pkt3, 0, sizeof(pkt3));
6963
6964 if (!TEST_long_gt(len, 0)
6965 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6966 /* Skip the record header */
6967 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6968 /* Skip the handshake message header */
6969 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6970 /* Skip client version and random */
6971 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6972 + SSL3_RANDOM_SIZE))
6973 /* Skip session id */
6974 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6975 /* Skip ciphers */
6976 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6977 /* Skip compression */
6978 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6979 /* Extensions len */
6980 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6981 goto end;
6982
6983 /* Loop through all extensions */
6984 while (PACKET_remaining(&pkt2)) {
6985 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6986 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6987 goto end;
6988
6989 if (type == TLSEXT_TYPE_max_fragment_length) {
6990 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6991 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6992 goto end;
6993
6994 *mfl_codemfl_code = MFL_code;
6995 return 1;
6996 }
6997 }
6998
6999 end:
7000 return 0;
7001 }
7002
7003 /* Maximum-Fragment-Length TLS extension mode to test */
7004 static const unsigned char max_fragment_len_test[] = {
7005 TLSEXT_max_fragment_length_512,
7006 TLSEXT_max_fragment_length_1024,
7007 TLSEXT_max_fragment_length_2048,
7008 TLSEXT_max_fragment_length_4096
7009 };
7010
test_max_fragment_len_ext(int idx_tst)7011 static int test_max_fragment_len_ext(int idx_tst)
7012 {
7013 SSL_CTX *ctx = NULL;
7014 SSL *con = NULL;
7015 int testresult = 0, MFL_mode = 0;
7016 BIO *rbio, *wbio;
7017
7018 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7019 TLS1_VERSION, 0, NULL, &ctx, NULL,
7020 NULL)))
7021 return 0;
7022
7023 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7024 ctx, max_fragment_len_test[idx_tst])))
7025 goto end;
7026
7027 con = SSL_new(ctx);
7028 if (!TEST_ptr(con))
7029 goto end;
7030
7031 rbio = BIO_new(BIO_s_mem());
7032 wbio = BIO_new(BIO_s_mem());
7033 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7034 BIO_free(rbio);
7035 BIO_free(wbio);
7036 goto end;
7037 }
7038
7039 SSL_set_bio(con, rbio, wbio);
7040
7041 if (!TEST_int_le(SSL_connect(con), 0)) {
7042 /* This shouldn't succeed because we don't have a server! */
7043 goto end;
7044 }
7045
7046 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7047 /* no MFL in client hello */
7048 goto end;
7049 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7050 goto end;
7051
7052 testresult = 1;
7053
7054 end:
7055 SSL_free(con);
7056 SSL_CTX_free(ctx);
7057
7058 return testresult;
7059 }
7060
7061 #ifndef OSSL_NO_USABLE_TLS1_3
test_pha_key_update(void)7062 static int test_pha_key_update(void)
7063 {
7064 SSL_CTX *cctx = NULL, *sctx = NULL;
7065 SSL *clientssl = NULL, *serverssl = NULL;
7066 int testresult = 0;
7067
7068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7069 TLS_client_method(), TLS1_VERSION, 0,
7070 &sctx, &cctx, cert, privkey)))
7071 return 0;
7072
7073 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7074 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7075 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7076 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7077 goto end;
7078
7079 SSL_CTX_set_post_handshake_auth(cctx, 1);
7080
7081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7082 NULL, NULL)))
7083 goto end;
7084
7085 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7086 SSL_ERROR_NONE)))
7087 goto end;
7088
7089 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7090 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7091 goto end;
7092
7093 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7094 goto end;
7095
7096 /* Start handshake on the server */
7097 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7098 goto end;
7099
7100 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7102 SSL_ERROR_NONE)))
7103 goto end;
7104
7105 SSL_shutdown(clientssl);
7106 SSL_shutdown(serverssl);
7107
7108 testresult = 1;
7109
7110 end:
7111 SSL_free(serverssl);
7112 SSL_free(clientssl);
7113 SSL_CTX_free(sctx);
7114 SSL_CTX_free(cctx);
7115 return testresult;
7116 }
7117 #endif
7118
7119 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7120
7121 static SRP_VBASE *vbase = NULL;
7122
ssl_srp_cb(SSL * s,int * ad,void * arg)7123 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7124 {
7125 int ret = SSL3_AL_FATAL;
7126 char *username;
7127 SRP_user_pwd *user = NULL;
7128
7129 username = SSL_get_srp_username(s);
7130 if (username == NULL) {
7131 *ad = SSL_AD_INTERNAL_ERROR;
7132 goto err;
7133 }
7134
7135 user = SRP_VBASE_get1_by_user(vbase, username);
7136 if (user == NULL) {
7137 *ad = SSL_AD_INTERNAL_ERROR;
7138 goto err;
7139 }
7140
7141 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7142 user->info) <= 0) {
7143 *ad = SSL_AD_INTERNAL_ERROR;
7144 goto err;
7145 }
7146
7147 ret = 0;
7148
7149 err:
7150 SRP_user_pwd_free(user);
7151 return ret;
7152 }
7153
create_new_vfile(char * userid,char * password,const char * filename)7154 static int create_new_vfile(char *userid, char *password, const char *filename)
7155 {
7156 char *gNid = NULL;
7157 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7158 TXT_DB *db = NULL;
7159 int ret = 0;
7160 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7161 size_t i;
7162
7163 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7164 goto end;
7165
7166 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7167 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7168 if (!TEST_ptr(gNid))
7169 goto end;
7170
7171 /*
7172 * The only way to create an empty TXT_DB is to provide a BIO with no data
7173 * in it!
7174 */
7175 db = TXT_DB_read(dummy, DB_NUMBER);
7176 if (!TEST_ptr(db))
7177 goto end;
7178
7179 out = BIO_new_file(filename, "w");
7180 if (!TEST_ptr(out))
7181 goto end;
7182
7183 row[DB_srpid] = OPENSSL_strdup(userid);
7184 row[DB_srptype] = OPENSSL_strdup("V");
7185 row[DB_srpgN] = OPENSSL_strdup(gNid);
7186
7187 if (!TEST_ptr(row[DB_srpid])
7188 || !TEST_ptr(row[DB_srptype])
7189 || !TEST_ptr(row[DB_srpgN])
7190 || !TEST_true(TXT_DB_insert(db, row)))
7191 goto end;
7192
7193 row = NULL;
7194
7195 if (TXT_DB_write(out, db) <= 0)
7196 goto end;
7197
7198 ret = 1;
7199 end:
7200 if (row != NULL) {
7201 for (i = 0; i < DB_NUMBER; i++)
7202 OPENSSL_free(row[i]);
7203 }
7204 OPENSSL_free(row);
7205 BIO_free(dummy);
7206 BIO_free(out);
7207 TXT_DB_free(db);
7208
7209 return ret;
7210 }
7211
create_new_vbase(char * userid,char * password)7212 static int create_new_vbase(char *userid, char *password)
7213 {
7214 BIGNUM *verifier = NULL, *salt = NULL;
7215 const SRP_gN *lgN = NULL;
7216 SRP_user_pwd *user_pwd = NULL;
7217 int ret = 0;
7218
7219 lgN = SRP_get_default_gN(NULL);
7220 if (!TEST_ptr(lgN))
7221 goto end;
7222
7223 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7224 lgN->N, lgN->g, libctx, NULL)))
7225 goto end;
7226
7227 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7228 if (!TEST_ptr(user_pwd))
7229 goto end;
7230
7231 user_pwd->N = lgN->N;
7232 user_pwd->g = lgN->g;
7233 user_pwd->id = OPENSSL_strdup(userid);
7234 if (!TEST_ptr(user_pwd->id))
7235 goto end;
7236
7237 user_pwd->v = verifier;
7238 user_pwd->s = salt;
7239 verifier = salt = NULL;
7240
7241 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7242 goto end;
7243 user_pwd = NULL;
7244
7245 ret = 1;
7246 end:
7247 SRP_user_pwd_free(user_pwd);
7248 BN_free(salt);
7249 BN_free(verifier);
7250
7251 return ret;
7252 }
7253
7254 /*
7255 * SRP tests
7256 *
7257 * Test 0: Simple successful SRP connection, new vbase
7258 * Test 1: Connection failure due to bad password, new vbase
7259 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7260 * Test 3: Connection failure due to bad password, vbase loaded from existing
7261 * file
7262 * Test 4: Simple successful SRP connection, vbase loaded from new file
7263 * Test 5: Connection failure due to bad password, vbase loaded from new file
7264 */
test_srp(int tst)7265 static int test_srp(int tst)
7266 {
7267 char *userid = "test", *password = "password", *tstsrpfile;
7268 SSL_CTX *cctx = NULL, *sctx = NULL;
7269 SSL *clientssl = NULL, *serverssl = NULL;
7270 int ret, testresult = 0;
7271
7272 vbase = SRP_VBASE_new(NULL);
7273 if (!TEST_ptr(vbase))
7274 goto end;
7275
7276 if (tst == 0 || tst == 1) {
7277 if (!TEST_true(create_new_vbase(userid, password)))
7278 goto end;
7279 } else {
7280 if (tst == 4 || tst == 5) {
7281 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7282 goto end;
7283 tstsrpfile = tmpfilename;
7284 } else {
7285 tstsrpfile = srpvfile;
7286 }
7287 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7288 goto end;
7289 }
7290
7291 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7292 TLS_client_method(), TLS1_VERSION, 0,
7293 &sctx, &cctx, cert, privkey)))
7294 goto end;
7295
7296 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7297 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7298 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7299 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7300 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7301 goto end;
7302
7303 if (tst % 2 == 1) {
7304 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7305 goto end;
7306 } else {
7307 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7308 goto end;
7309 }
7310
7311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7312 NULL, NULL)))
7313 goto end;
7314
7315 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7316 if (ret) {
7317 if (!TEST_true(tst % 2 == 0))
7318 goto end;
7319 } else {
7320 if (!TEST_true(tst % 2 == 1))
7321 goto end;
7322 }
7323
7324 testresult = 1;
7325
7326 end:
7327 SRP_VBASE_free(vbase);
7328 vbase = NULL;
7329 SSL_free(serverssl);
7330 SSL_free(clientssl);
7331 SSL_CTX_free(sctx);
7332 SSL_CTX_free(cctx);
7333
7334 return testresult;
7335 }
7336 #endif
7337
7338 static int info_cb_failed = 0;
7339 static int info_cb_offset = 0;
7340 static int info_cb_this_state = -1;
7341
7342 static struct info_cb_states_st {
7343 int where;
7344 const char *statestr;
7345 } info_cb_states[][60] = {
7346 {
7347 /* TLSv1.2 server followed by resumption */
7348 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7349 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7350 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7351 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7352 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7353 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7355 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7356 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7357 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7359 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7360 {SSL_CB_EXIT, NULL}, {0, NULL},
7361 }, {
7362 /* TLSv1.2 client followed by resumption */
7363 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7364 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7365 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7366 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7367 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7368 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7372 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7373 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7374 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7375 }, {
7376 /* TLSv1.3 server followed by resumption */
7377 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7378 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7379 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7380 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7381 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7382 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7383 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7384 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7385 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7386 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7387 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7388 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7389 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7390 }, {
7391 /* TLSv1.3 client followed by resumption */
7392 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7394 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7395 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7396 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7397 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7398 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7399 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7400 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7401 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7402 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7403 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7404 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7405 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7406 {SSL_CB_EXIT, NULL}, {0, NULL},
7407 }, {
7408 /* TLSv1.3 server, early_data */
7409 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7410 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7411 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7415 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7416 {SSL_CB_EXIT, NULL}, {0, NULL},
7417 }, {
7418 /* TLSv1.3 client, early_data */
7419 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7420 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7421 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7422 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7423 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7424 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7425 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7426 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7427 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7428 }, {
7429 {0, NULL},
7430 }
7431 };
7432
sslapi_info_callback(const SSL * s,int where,int ret)7433 static void sslapi_info_callback(const SSL *s, int where, int ret)
7434 {
7435 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7436
7437 /* We do not ever expect a connection to fail in this test */
7438 if (!TEST_false(ret == 0)) {
7439 info_cb_failed = 1;
7440 return;
7441 }
7442
7443 /*
7444 * Do some sanity checks. We never expect these things to happen in this
7445 * test
7446 */
7447 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7448 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7449 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7450 info_cb_failed = 1;
7451 return;
7452 }
7453
7454 /* Now check we're in the right state */
7455 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7456 info_cb_failed = 1;
7457 return;
7458 }
7459 if ((where & SSL_CB_LOOP) != 0
7460 && !TEST_int_eq(strcmp(SSL_state_string(s),
7461 state[info_cb_this_state].statestr), 0)) {
7462 info_cb_failed = 1;
7463 return;
7464 }
7465
7466 /*
7467 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7468 */
7469 if ((where & SSL_CB_HANDSHAKE_DONE)
7470 && SSL_in_init((SSL *)s) != 0) {
7471 info_cb_failed = 1;
7472 return;
7473 }
7474 }
7475
7476 /*
7477 * Test the info callback gets called when we expect it to.
7478 *
7479 * Test 0: TLSv1.2, server
7480 * Test 1: TLSv1.2, client
7481 * Test 2: TLSv1.3, server
7482 * Test 3: TLSv1.3, client
7483 * Test 4: TLSv1.3, server, early_data
7484 * Test 5: TLSv1.3, client, early_data
7485 */
test_info_callback(int tst)7486 static int test_info_callback(int tst)
7487 {
7488 SSL_CTX *cctx = NULL, *sctx = NULL;
7489 SSL *clientssl = NULL, *serverssl = NULL;
7490 SSL_SESSION *clntsess = NULL;
7491 int testresult = 0;
7492 int tlsvers;
7493
7494 if (tst < 2) {
7495 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7496 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7497 || !defined(OPENSSL_NO_DH))
7498 tlsvers = TLS1_2_VERSION;
7499 #else
7500 return 1;
7501 #endif
7502 } else {
7503 #ifndef OSSL_NO_USABLE_TLS1_3
7504 tlsvers = TLS1_3_VERSION;
7505 #else
7506 return 1;
7507 #endif
7508 }
7509
7510 /* Reset globals */
7511 info_cb_failed = 0;
7512 info_cb_this_state = -1;
7513 info_cb_offset = tst;
7514
7515 #ifndef OSSL_NO_USABLE_TLS1_3
7516 if (tst >= 4) {
7517 SSL_SESSION *sess = NULL;
7518 size_t written, readbytes;
7519 unsigned char buf[80];
7520 time_t timer;
7521
7522 /* early_data tests */
7523 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7524 &serverssl, &sess, 0,
7525 SHA384_DIGEST_LENGTH)))
7526 goto end;
7527
7528 /* We don't actually need this reference */
7529 SSL_SESSION_free(sess);
7530
7531 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7532 sslapi_info_callback);
7533
7534 /* Write and read some early data and then complete the connection */
7535 timer = time(NULL);
7536 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7537 &written))
7538 || !TEST_size_t_eq(written, strlen(MSG1)))
7539 goto end;
7540
7541 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7542 sizeof(buf), &readbytes),
7543 SSL_READ_EARLY_DATA_SUCCESS)) {
7544 testresult = check_early_data_timeout(timer);
7545 goto end;
7546 }
7547
7548 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7550 SSL_EARLY_DATA_ACCEPTED)
7551 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7552 SSL_ERROR_NONE))
7553 || !TEST_false(info_cb_failed))
7554 goto end;
7555
7556 testresult = 1;
7557 goto end;
7558 }
7559 #endif
7560
7561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7562 TLS_client_method(),
7563 tlsvers, tlsvers, &sctx, &cctx, cert,
7564 privkey)))
7565 goto end;
7566
7567 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7568 goto end;
7569
7570 /*
7571 * For even numbered tests we check the server callbacks. For odd numbers we
7572 * check the client.
7573 */
7574 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7575 sslapi_info_callback);
7576
7577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7578 &clientssl, NULL, NULL))
7579 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7580 SSL_ERROR_NONE))
7581 || !TEST_false(info_cb_failed))
7582 goto end;
7583
7584
7585
7586 clntsess = SSL_get1_session(clientssl);
7587 SSL_shutdown(clientssl);
7588 SSL_shutdown(serverssl);
7589 SSL_free(serverssl);
7590 SSL_free(clientssl);
7591 serverssl = clientssl = NULL;
7592
7593 /* Now do a resumption */
7594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7595 NULL))
7596 || !TEST_true(SSL_set_session(clientssl, clntsess))
7597 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7598 SSL_ERROR_NONE))
7599 || !TEST_true(SSL_session_reused(clientssl))
7600 || !TEST_false(info_cb_failed))
7601 goto end;
7602
7603 testresult = 1;
7604
7605 end:
7606 SSL_free(serverssl);
7607 SSL_free(clientssl);
7608 SSL_SESSION_free(clntsess);
7609 SSL_CTX_free(sctx);
7610 SSL_CTX_free(cctx);
7611 return testresult;
7612 }
7613
test_ssl_pending(int tst)7614 static int test_ssl_pending(int tst)
7615 {
7616 SSL_CTX *cctx = NULL, *sctx = NULL;
7617 SSL *clientssl = NULL, *serverssl = NULL;
7618 int testresult = 0;
7619 char msg[] = "A test message";
7620 char buf[5];
7621 size_t written, readbytes;
7622
7623 if (tst == 0) {
7624 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7625 TLS_client_method(),
7626 TLS1_VERSION, 0,
7627 &sctx, &cctx, cert, privkey)))
7628 goto end;
7629 } else {
7630 #ifndef OPENSSL_NO_DTLS
7631 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7632 DTLS_client_method(),
7633 DTLS1_VERSION, 0,
7634 &sctx, &cctx, cert, privkey)))
7635 goto end;
7636
7637 # ifdef OPENSSL_NO_DTLS1_2
7638 /* Not supported in the FIPS provider */
7639 if (is_fips) {
7640 testresult = 1;
7641 goto end;
7642 };
7643 /*
7644 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7645 * level 0
7646 */
7647 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7648 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7649 "DEFAULT:@SECLEVEL=0")))
7650 goto end;
7651 # endif
7652 #else
7653 return 1;
7654 #endif
7655 }
7656
7657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7658 NULL, NULL))
7659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7660 SSL_ERROR_NONE)))
7661 goto end;
7662
7663 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7664 || !TEST_false(SSL_has_pending(clientssl))
7665 || !TEST_int_eq(SSL_pending(serverssl), 0)
7666 || !TEST_false(SSL_has_pending(serverssl))
7667 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7668 || !TEST_size_t_eq(written, sizeof(msg))
7669 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7670 || !TEST_size_t_eq(readbytes, sizeof(buf))
7671 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7672 || !TEST_true(SSL_has_pending(clientssl)))
7673 goto end;
7674
7675 testresult = 1;
7676
7677 end:
7678 SSL_free(serverssl);
7679 SSL_free(clientssl);
7680 SSL_CTX_free(sctx);
7681 SSL_CTX_free(cctx);
7682
7683 return testresult;
7684 }
7685
7686 static struct {
7687 unsigned int maxprot;
7688 const char *clntciphers;
7689 const char *clnttls13ciphers;
7690 const char *srvrciphers;
7691 const char *srvrtls13ciphers;
7692 const char *shared;
7693 const char *fipsshared;
7694 } shared_ciphers_data[] = {
7695 /*
7696 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7697 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7698 */
7699 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7700 {
7701 TLS1_2_VERSION,
7702 "AES128-SHA:AES256-SHA",
7703 NULL,
7704 "AES256-SHA:DHE-RSA-AES128-SHA",
7705 NULL,
7706 "AES256-SHA",
7707 "AES256-SHA"
7708 },
7709 # if !defined(OPENSSL_NO_CHACHA) \
7710 && !defined(OPENSSL_NO_POLY1305) \
7711 && !defined(OPENSSL_NO_EC)
7712 {
7713 TLS1_2_VERSION,
7714 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7715 NULL,
7716 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7717 NULL,
7718 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7719 "AES128-SHA"
7720 },
7721 # endif
7722 {
7723 TLS1_2_VERSION,
7724 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7725 NULL,
7726 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7727 NULL,
7728 "AES128-SHA:AES256-SHA",
7729 "AES128-SHA:AES256-SHA"
7730 },
7731 {
7732 TLS1_2_VERSION,
7733 "AES128-SHA:AES256-SHA",
7734 NULL,
7735 "AES128-SHA:DHE-RSA-AES128-SHA",
7736 NULL,
7737 "AES128-SHA",
7738 "AES128-SHA"
7739 },
7740 #endif
7741 /*
7742 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7743 * enabled.
7744 */
7745 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7746 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7747 {
7748 TLS1_3_VERSION,
7749 "AES128-SHA:AES256-SHA",
7750 NULL,
7751 "AES256-SHA:AES128-SHA256",
7752 NULL,
7753 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7754 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7755 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7756 },
7757 #endif
7758 #ifndef OSSL_NO_USABLE_TLS1_3
7759 {
7760 TLS1_3_VERSION,
7761 "AES128-SHA",
7762 "TLS_AES_256_GCM_SHA384",
7763 "AES256-SHA",
7764 "TLS_AES_256_GCM_SHA384",
7765 "TLS_AES_256_GCM_SHA384",
7766 "TLS_AES_256_GCM_SHA384"
7767 },
7768 #endif
7769 };
7770
int_test_ssl_get_shared_ciphers(int tst,int clnt)7771 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7772 {
7773 SSL_CTX *cctx = NULL, *sctx = NULL;
7774 SSL *clientssl = NULL, *serverssl = NULL;
7775 int testresult = 0;
7776 char buf[1024];
7777 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7778
7779 if (!TEST_ptr(tmplibctx))
7780 goto end;
7781
7782 /*
7783 * Regardless of whether we're testing with the FIPS provider loaded into
7784 * libctx, we want one peer to always use the full set of ciphersuites
7785 * available. Therefore we use a separate libctx with the default provider
7786 * loaded into it. We run the same tests twice - once with the client side
7787 * having the full set of ciphersuites and once with the server side.
7788 */
7789 if (clnt) {
7790 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7791 if (!TEST_ptr(cctx))
7792 goto end;
7793 } else {
7794 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7795 if (!TEST_ptr(sctx))
7796 goto end;
7797 }
7798
7799 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7800 TLS_client_method(),
7801 TLS1_VERSION,
7802 shared_ciphers_data[tst].maxprot,
7803 &sctx, &cctx, cert, privkey)))
7804 goto end;
7805
7806 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7807 shared_ciphers_data[tst].clntciphers))
7808 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7809 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7810 shared_ciphers_data[tst].clnttls13ciphers)))
7811 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7812 shared_ciphers_data[tst].srvrciphers))
7813 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7814 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7815 shared_ciphers_data[tst].srvrtls13ciphers))))
7816 goto end;
7817
7818
7819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7820 NULL, NULL))
7821 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7822 SSL_ERROR_NONE)))
7823 goto end;
7824
7825 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7826 || !TEST_int_eq(strcmp(buf,
7827 is_fips
7828 ? shared_ciphers_data[tst].fipsshared
7829 : shared_ciphers_data[tst].shared),
7830 0)) {
7831 TEST_info("Shared ciphers are: %s\n", buf);
7832 goto end;
7833 }
7834
7835 testresult = 1;
7836
7837 end:
7838 SSL_free(serverssl);
7839 SSL_free(clientssl);
7840 SSL_CTX_free(sctx);
7841 SSL_CTX_free(cctx);
7842 OSSL_LIB_CTX_free(tmplibctx);
7843
7844 return testresult;
7845 }
7846
test_ssl_get_shared_ciphers(int tst)7847 static int test_ssl_get_shared_ciphers(int tst)
7848 {
7849 return int_test_ssl_get_shared_ciphers(tst, 0)
7850 && int_test_ssl_get_shared_ciphers(tst, 1);
7851 }
7852
7853
7854 static const char *appdata = "Hello World";
7855 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7856 static int tick_key_renew = 0;
7857 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7858
gen_tick_cb(SSL * s,void * arg)7859 static int gen_tick_cb(SSL *s, void *arg)
7860 {
7861 gen_tick_called = 1;
7862
7863 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7864 strlen(appdata));
7865 }
7866
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)7867 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7868 const unsigned char *keyname,
7869 size_t keyname_length,
7870 SSL_TICKET_STATUS status,
7871 void *arg)
7872 {
7873 void *tickdata;
7874 size_t tickdlen;
7875
7876 dec_tick_called = 1;
7877
7878 if (status == SSL_TICKET_EMPTY)
7879 return SSL_TICKET_RETURN_IGNORE_RENEW;
7880
7881 if (!TEST_true(status == SSL_TICKET_SUCCESS
7882 || status == SSL_TICKET_SUCCESS_RENEW))
7883 return SSL_TICKET_RETURN_ABORT;
7884
7885 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7886 &tickdlen))
7887 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7888 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7889 return SSL_TICKET_RETURN_ABORT;
7890
7891 if (tick_key_cb_called) {
7892 /* Don't change what the ticket key callback wanted to do */
7893 switch (status) {
7894 case SSL_TICKET_NO_DECRYPT:
7895 return SSL_TICKET_RETURN_IGNORE_RENEW;
7896
7897 case SSL_TICKET_SUCCESS:
7898 return SSL_TICKET_RETURN_USE;
7899
7900 case SSL_TICKET_SUCCESS_RENEW:
7901 return SSL_TICKET_RETURN_USE_RENEW;
7902
7903 default:
7904 return SSL_TICKET_RETURN_ABORT;
7905 }
7906 }
7907 return tick_dec_ret;
7908
7909 }
7910
7911 #ifndef OPENSSL_NO_DEPRECATED_3_0
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)7912 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7913 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7914 HMAC_CTX *hctx, int enc)
7915 {
7916 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7917 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7918 EVP_CIPHER *aes128cbc;
7919 EVP_MD *sha256;
7920 int ret;
7921
7922 tick_key_cb_called = 1;
7923
7924 if (tick_key_renew == -1)
7925 return 0;
7926
7927 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7928 if (!TEST_ptr(aes128cbc))
7929 return 0;
7930 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7931 if (!TEST_ptr(sha256)) {
7932 EVP_CIPHER_free(aes128cbc);
7933 return 0;
7934 }
7935
7936 memset(iv, 0, AES_BLOCK_SIZE);
7937 memset(key_name, 0, 16);
7938 if (aes128cbc == NULL
7939 || sha256 == NULL
7940 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7941 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7942 NULL))
7943 ret = -1;
7944 else
7945 ret = tick_key_renew ? 2 : 1;
7946
7947 EVP_CIPHER_free(aes128cbc);
7948 EVP_MD_free(sha256);
7949
7950 return ret;
7951 }
7952 #endif
7953
tick_key_evp_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)7954 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7955 unsigned char iv[EVP_MAX_IV_LENGTH],
7956 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7957 {
7958 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7959 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7960 OSSL_PARAM params[2];
7961 EVP_CIPHER *aes128cbc;
7962 int ret;
7963
7964 tick_key_cb_called = 1;
7965
7966 if (tick_key_renew == -1)
7967 return 0;
7968
7969 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7970 if (!TEST_ptr(aes128cbc))
7971 return 0;
7972
7973 memset(iv, 0, AES_BLOCK_SIZE);
7974 memset(key_name, 0, 16);
7975 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7976 "SHA256", 0);
7977 params[1] = OSSL_PARAM_construct_end();
7978 if (aes128cbc == NULL
7979 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7980 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7981 params))
7982 ret = -1;
7983 else
7984 ret = tick_key_renew ? 2 : 1;
7985
7986 EVP_CIPHER_free(aes128cbc);
7987
7988 return ret;
7989 }
7990
7991 /*
7992 * Test the various ticket callbacks
7993 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7994 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7995 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7996 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7997 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7998 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7999 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8000 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8001 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8002 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8003 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8004 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8005 * Test 12: TLSv1.2, old ticket key callback, no ticket
8006 * Test 13: TLSv1.3, old ticket key callback, no ticket
8007 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8008 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8009 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8010 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8011 * Test 18: TLSv1.2, ticket key callback, no ticket
8012 * Test 19: TLSv1.3, ticket key callback, no ticket
8013 */
test_ticket_callbacks(int tst)8014 static int test_ticket_callbacks(int tst)
8015 {
8016 SSL_CTX *cctx = NULL, *sctx = NULL;
8017 SSL *clientssl = NULL, *serverssl = NULL;
8018 SSL_SESSION *clntsess = NULL;
8019 int testresult = 0;
8020
8021 #ifdef OPENSSL_NO_TLS1_2
8022 if (tst % 2 == 0)
8023 return 1;
8024 #endif
8025 #ifdef OSSL_NO_USABLE_TLS1_3
8026 if (tst % 2 == 1)
8027 return 1;
8028 #endif
8029 #ifdef OPENSSL_NO_DEPRECATED_3_0
8030 if (tst >= 8 && tst <= 13)
8031 return 1;
8032 #endif
8033
8034 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8035
8036 /* Which tests the ticket key callback should request renewal for */
8037
8038 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8039 tick_key_renew = 1;
8040 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8041 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8042 else
8043 tick_key_renew = 0;
8044
8045 /* Which tests the decrypt ticket callback should request renewal for */
8046 switch (tst) {
8047 case 0:
8048 case 1:
8049 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8050 break;
8051
8052 case 2:
8053 case 3:
8054 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8055 break;
8056
8057 case 4:
8058 case 5:
8059 tick_dec_ret = SSL_TICKET_RETURN_USE;
8060 break;
8061
8062 case 6:
8063 case 7:
8064 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8065 break;
8066
8067 default:
8068 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8069 }
8070
8071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8072 TLS_client_method(),
8073 TLS1_VERSION,
8074 ((tst % 2) == 0) ? TLS1_2_VERSION
8075 : TLS1_3_VERSION,
8076 &sctx, &cctx, cert, privkey)))
8077 goto end;
8078
8079 /*
8080 * We only want sessions to resume from tickets - not the session cache. So
8081 * switch the cache off.
8082 */
8083 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8084 goto end;
8085
8086 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8087 NULL)))
8088 goto end;
8089
8090 if (tst >= 14) {
8091 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8092 goto end;
8093 #ifndef OPENSSL_NO_DEPRECATED_3_0
8094 } else if (tst >= 8) {
8095 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8096 goto end;
8097 #endif
8098 }
8099
8100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8101 NULL, NULL))
8102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8103 SSL_ERROR_NONE)))
8104 goto end;
8105
8106 /*
8107 * The decrypt ticket key callback in TLSv1.2 should be called even though
8108 * we have no ticket yet, because it gets called with a status of
8109 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8110 * actually send any ticket data). This does not happen in TLSv1.3 because
8111 * it is not valid to send empty ticket data in TLSv1.3.
8112 */
8113 if (!TEST_int_eq(gen_tick_called, 1)
8114 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8115 goto end;
8116
8117 gen_tick_called = dec_tick_called = 0;
8118
8119 clntsess = SSL_get1_session(clientssl);
8120 SSL_shutdown(clientssl);
8121 SSL_shutdown(serverssl);
8122 SSL_free(serverssl);
8123 SSL_free(clientssl);
8124 serverssl = clientssl = NULL;
8125
8126 /* Now do a resumption */
8127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8128 NULL))
8129 || !TEST_true(SSL_set_session(clientssl, clntsess))
8130 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8131 SSL_ERROR_NONE)))
8132 goto end;
8133
8134 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8135 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8136 || tick_key_renew == -1) {
8137 if (!TEST_false(SSL_session_reused(clientssl)))
8138 goto end;
8139 } else {
8140 if (!TEST_true(SSL_session_reused(clientssl)))
8141 goto end;
8142 }
8143
8144 if (!TEST_int_eq(gen_tick_called,
8145 (tick_key_renew
8146 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8147 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8148 ? 1 : 0)
8149 /* There is no ticket to decrypt in tests 13 and 19 */
8150 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8151 goto end;
8152
8153 testresult = 1;
8154
8155 end:
8156 SSL_SESSION_free(clntsess);
8157 SSL_free(serverssl);
8158 SSL_free(clientssl);
8159 SSL_CTX_free(sctx);
8160 SSL_CTX_free(cctx);
8161
8162 return testresult;
8163 }
8164
8165 /*
8166 * Test incorrect shutdown.
8167 * Test 0: client does not shutdown properly,
8168 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8169 * server should get SSL_ERROR_SSL
8170 * Test 1: client does not shutdown properly,
8171 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8172 * server should get SSL_ERROR_ZERO_RETURN
8173 */
test_incorrect_shutdown(int tst)8174 static int test_incorrect_shutdown(int tst)
8175 {
8176 SSL_CTX *cctx = NULL, *sctx = NULL;
8177 SSL *clientssl = NULL, *serverssl = NULL;
8178 int testresult = 0;
8179 char buf[80];
8180 BIO *c2s;
8181
8182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8183 TLS_client_method(), 0, 0,
8184 &sctx, &cctx, cert, privkey)))
8185 goto end;
8186
8187 if (tst == 1)
8188 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8189
8190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8191 NULL, NULL)))
8192 goto end;
8193
8194 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8195 SSL_ERROR_NONE)))
8196 goto end;
8197
8198 c2s = SSL_get_rbio(serverssl);
8199 BIO_set_mem_eof_return(c2s, 0);
8200
8201 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8202 goto end;
8203
8204 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8205 goto end;
8206 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8207 goto end;
8208
8209 testresult = 1;
8210
8211 end:
8212 SSL_free(serverssl);
8213 SSL_free(clientssl);
8214 SSL_CTX_free(sctx);
8215 SSL_CTX_free(cctx);
8216
8217 return testresult;
8218 }
8219
8220 /*
8221 * Test bi-directional shutdown.
8222 * Test 0: TLSv1.2
8223 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8224 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8225 * Test 3: TLSv1.3, pending NewSessionTicket messages
8226 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8227 * sends key update, client reads it
8228 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8229 * sends CertificateRequest, client reads and ignores it
8230 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8231 * doesn't read it
8232 */
test_shutdown(int tst)8233 static int test_shutdown(int tst)
8234 {
8235 SSL_CTX *cctx = NULL, *sctx = NULL;
8236 SSL *clientssl = NULL, *serverssl = NULL;
8237 int testresult = 0;
8238 char msg[] = "A test message";
8239 char buf[80];
8240 size_t written, readbytes;
8241 SSL_SESSION *sess;
8242
8243 #ifdef OPENSSL_NO_TLS1_2
8244 if (tst <= 1)
8245 return 1;
8246 #endif
8247 #ifdef OSSL_NO_USABLE_TLS1_3
8248 if (tst >= 2)
8249 return 1;
8250 #endif
8251
8252 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8253 TLS_client_method(),
8254 TLS1_VERSION,
8255 (tst <= 1) ? TLS1_2_VERSION
8256 : TLS1_3_VERSION,
8257 &sctx, &cctx, cert, privkey)))
8258 goto end;
8259
8260 if (tst == 5)
8261 SSL_CTX_set_post_handshake_auth(cctx, 1);
8262
8263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8264 NULL, NULL)))
8265 goto end;
8266
8267 if (tst == 3) {
8268 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8269 SSL_ERROR_NONE, 1))
8270 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8271 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8272 goto end;
8273 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8274 SSL_ERROR_NONE))
8275 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8276 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8277 goto end;
8278 }
8279
8280 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8281 goto end;
8282
8283 if (tst >= 4) {
8284 /*
8285 * Reading on the server after the client has sent close_notify should
8286 * fail and provide SSL_ERROR_ZERO_RETURN
8287 */
8288 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8289 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8290 SSL_ERROR_ZERO_RETURN)
8291 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8292 SSL_RECEIVED_SHUTDOWN)
8293 /*
8294 * Even though we're shutdown on receive we should still be
8295 * able to write.
8296 */
8297 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8298 goto end;
8299 if (tst == 4
8300 && !TEST_true(SSL_key_update(serverssl,
8301 SSL_KEY_UPDATE_REQUESTED)))
8302 goto end;
8303 if (tst == 5) {
8304 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8305 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8306 goto end;
8307 }
8308 if ((tst == 4 || tst == 5)
8309 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8310 goto end;
8311 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8312 goto end;
8313 if (tst == 4 || tst == 5) {
8314 /* Should still be able to read data from server */
8315 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8316 &readbytes))
8317 || !TEST_size_t_eq(readbytes, sizeof(msg))
8318 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8319 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8320 &readbytes))
8321 || !TEST_size_t_eq(readbytes, sizeof(msg))
8322 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8323 goto end;
8324 }
8325 }
8326
8327 /* Writing on the client after sending close_notify shouldn't be possible */
8328 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8329 goto end;
8330
8331 if (tst < 4) {
8332 /*
8333 * For these tests the client has sent close_notify but it has not yet
8334 * been received by the server. The server has not sent close_notify
8335 * yet.
8336 */
8337 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8338 /*
8339 * Writing on the server after sending close_notify shouldn't
8340 * be possible.
8341 */
8342 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8343 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8344 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8345 || !TEST_true(SSL_SESSION_is_resumable(sess))
8346 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8347 goto end;
8348 } else if (tst == 4 || tst == 5) {
8349 /*
8350 * In this test the client has sent close_notify and it has been
8351 * received by the server which has responded with a close_notify. The
8352 * client needs to read the close_notify sent by the server.
8353 */
8354 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8355 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8356 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8357 goto end;
8358 } else {
8359 /*
8360 * tst == 6
8361 *
8362 * The client has sent close_notify and is expecting a close_notify
8363 * back, but instead there is application data first. The shutdown
8364 * should fail with a fatal error.
8365 */
8366 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8367 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8368 goto end;
8369 }
8370
8371 testresult = 1;
8372
8373 end:
8374 SSL_free(serverssl);
8375 SSL_free(clientssl);
8376 SSL_CTX_free(sctx);
8377 SSL_CTX_free(cctx);
8378
8379 return testresult;
8380 }
8381
8382 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8383 static int cert_cb_cnt;
8384
cert_cb(SSL * s,void * arg)8385 static int cert_cb(SSL *s, void *arg)
8386 {
8387 SSL_CTX *ctx = (SSL_CTX *)arg;
8388 BIO *in = NULL;
8389 EVP_PKEY *pkey = NULL;
8390 X509 *x509 = NULL, *rootx = NULL;
8391 STACK_OF(X509) *chain = NULL;
8392 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8393 int ret = 0;
8394
8395 if (cert_cb_cnt == 0) {
8396 /* Suspend the handshake */
8397 cert_cb_cnt++;
8398 return -1;
8399 } else if (cert_cb_cnt == 1) {
8400 /*
8401 * Update the SSL_CTX, set the certificate and private key and then
8402 * continue the handshake normally.
8403 */
8404 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8405 return 0;
8406
8407 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8408 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8409 SSL_FILETYPE_PEM))
8410 || !TEST_true(SSL_check_private_key(s)))
8411 return 0;
8412 cert_cb_cnt++;
8413 return 1;
8414 } else if (cert_cb_cnt == 3) {
8415 int rv;
8416
8417 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8418 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8419 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8420 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8421 goto out;
8422 chain = sk_X509_new_null();
8423 if (!TEST_ptr(chain))
8424 goto out;
8425 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8426 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8427 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8428 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8429 || !TEST_true(sk_X509_push(chain, rootx)))
8430 goto out;
8431 rootx = NULL;
8432 BIO_free(in);
8433 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8434 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8435 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8436 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8437 goto out;
8438 BIO_free(in);
8439 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8440 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8441 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8442 NULL, NULL,
8443 libctx, NULL)))
8444 goto out;
8445 rv = SSL_check_chain(s, x509, pkey, chain);
8446 /*
8447 * If the cert doesn't show as valid here (e.g., because we don't
8448 * have any shared sigalgs), then we will not set it, and there will
8449 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8450 * will cause tls_choose_sigalgs() to fail the connection.
8451 */
8452 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8453 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8454 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8455 goto out;
8456 }
8457
8458 ret = 1;
8459 }
8460
8461 /* Abort the handshake */
8462 out:
8463 OPENSSL_free(ecdsacert);
8464 OPENSSL_free(ecdsakey);
8465 OPENSSL_free(rootfile);
8466 BIO_free(in);
8467 EVP_PKEY_free(pkey);
8468 X509_free(x509);
8469 X509_free(rootx);
8470 sk_X509_pop_free(chain, X509_free);
8471 return ret;
8472 }
8473
8474 /*
8475 * Test the certificate callback.
8476 * Test 0: Callback fails
8477 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8478 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8479 * Test 3: Success - Call SSL_check_chain from the callback
8480 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8481 * chain
8482 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8483 */
test_cert_cb_int(int prot,int tst)8484 static int test_cert_cb_int(int prot, int tst)
8485 {
8486 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8487 SSL *clientssl = NULL, *serverssl = NULL;
8488 int testresult = 0, ret;
8489
8490 #ifdef OPENSSL_NO_EC
8491 /* We use an EC cert in these tests, so we skip in a no-ec build */
8492 if (tst >= 3)
8493 return 1;
8494 #endif
8495
8496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8497 TLS_client_method(),
8498 TLS1_VERSION,
8499 prot,
8500 &sctx, &cctx, NULL, NULL)))
8501 goto end;
8502
8503 if (tst == 0)
8504 cert_cb_cnt = -1;
8505 else if (tst >= 3)
8506 cert_cb_cnt = 3;
8507 else
8508 cert_cb_cnt = 0;
8509
8510 if (tst == 2) {
8511 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8512 if (!TEST_ptr(snictx))
8513 goto end;
8514 }
8515
8516 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8517
8518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8519 NULL, NULL)))
8520 goto end;
8521
8522 if (tst == 4) {
8523 /*
8524 * We cause SSL_check_chain() to fail by specifying sig_algs that
8525 * the chain doesn't meet (the root uses an RSA cert)
8526 */
8527 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8528 "ecdsa_secp256r1_sha256")))
8529 goto end;
8530 } else if (tst == 5) {
8531 /*
8532 * We cause SSL_check_chain() to fail by specifying sig_algs that
8533 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8534 */
8535 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8536 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8537 goto end;
8538 }
8539
8540 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8541 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8542 || (tst > 0
8543 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8544 goto end;
8545 }
8546
8547 testresult = 1;
8548
8549 end:
8550 SSL_free(serverssl);
8551 SSL_free(clientssl);
8552 SSL_CTX_free(sctx);
8553 SSL_CTX_free(cctx);
8554 SSL_CTX_free(snictx);
8555
8556 return testresult;
8557 }
8558 #endif
8559
test_cert_cb(int tst)8560 static int test_cert_cb(int tst)
8561 {
8562 int testresult = 1;
8563
8564 #ifndef OPENSSL_NO_TLS1_2
8565 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8566 #endif
8567 #ifndef OSSL_NO_USABLE_TLS1_3
8568 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8569 #endif
8570
8571 return testresult;
8572 }
8573
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)8574 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8575 {
8576 X509 *xcert;
8577 EVP_PKEY *privpkey;
8578 BIO *in = NULL;
8579 BIO *priv_in = NULL;
8580
8581 /* Check that SSL_get0_peer_certificate() returns something sensible */
8582 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8583 return 0;
8584
8585 in = BIO_new_file(cert, "r");
8586 if (!TEST_ptr(in))
8587 return 0;
8588
8589 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8590 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8591 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8592 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8593 NULL, NULL,
8594 libctx, NULL)))
8595 goto err;
8596
8597 *x509 = xcert;
8598 *pkey = privpkey;
8599
8600 BIO_free(in);
8601 BIO_free(priv_in);
8602 return 1;
8603 err:
8604 X509_free(xcert);
8605 BIO_free(in);
8606 BIO_free(priv_in);
8607 return 0;
8608 }
8609
test_client_cert_cb(int tst)8610 static int test_client_cert_cb(int tst)
8611 {
8612 SSL_CTX *cctx = NULL, *sctx = NULL;
8613 SSL *clientssl = NULL, *serverssl = NULL;
8614 int testresult = 0;
8615
8616 #ifdef OPENSSL_NO_TLS1_2
8617 if (tst == 0)
8618 return 1;
8619 #endif
8620 #ifdef OSSL_NO_USABLE_TLS1_3
8621 if (tst == 1)
8622 return 1;
8623 #endif
8624
8625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8626 TLS_client_method(),
8627 TLS1_VERSION,
8628 tst == 0 ? TLS1_2_VERSION
8629 : TLS1_3_VERSION,
8630 &sctx, &cctx, cert, privkey)))
8631 goto end;
8632
8633 /*
8634 * Test that setting a client_cert_cb results in a client certificate being
8635 * sent.
8636 */
8637 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8638 SSL_CTX_set_verify(sctx,
8639 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8640 verify_cb);
8641
8642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8643 NULL, NULL))
8644 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8645 SSL_ERROR_NONE)))
8646 goto end;
8647
8648 testresult = 1;
8649
8650 end:
8651 SSL_free(serverssl);
8652 SSL_free(clientssl);
8653 SSL_CTX_free(sctx);
8654 SSL_CTX_free(cctx);
8655
8656 return testresult;
8657 }
8658
8659 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8660 /*
8661 * Test setting certificate authorities on both client and server.
8662 *
8663 * Test 0: SSL_CTX_set0_CA_list() only
8664 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8665 * Test 2: Only SSL_CTX_set_client_CA_list()
8666 */
test_ca_names_int(int prot,int tst)8667 static int test_ca_names_int(int prot, int tst)
8668 {
8669 SSL_CTX *cctx = NULL, *sctx = NULL;
8670 SSL *clientssl = NULL, *serverssl = NULL;
8671 int testresult = 0;
8672 size_t i;
8673 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8674 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8675 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8676 const STACK_OF(X509_NAME) *sktmp = NULL;
8677
8678 for (i = 0; i < OSSL_NELEM(name); i++) {
8679 name[i] = X509_NAME_new();
8680 if (!TEST_ptr(name[i])
8681 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8682 MBSTRING_ASC,
8683 (unsigned char *)
8684 strnames[i],
8685 -1, -1, 0)))
8686 goto end;
8687 }
8688
8689 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8690 TLS_client_method(),
8691 TLS1_VERSION,
8692 prot,
8693 &sctx, &cctx, cert, privkey)))
8694 goto end;
8695
8696 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8697
8698 if (tst == 0 || tst == 1) {
8699 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8700 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8701 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8702 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8703 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8704 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8705 goto end;
8706
8707 SSL_CTX_set0_CA_list(sctx, sk1);
8708 SSL_CTX_set0_CA_list(cctx, sk2);
8709 sk1 = sk2 = NULL;
8710 }
8711 if (tst == 1 || tst == 2) {
8712 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8713 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8714 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8715 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8716 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8717 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8718 goto end;
8719
8720 SSL_CTX_set_client_CA_list(sctx, sk1);
8721 SSL_CTX_set_client_CA_list(cctx, sk2);
8722 sk1 = sk2 = NULL;
8723 }
8724
8725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8726 NULL, NULL))
8727 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8728 SSL_ERROR_NONE)))
8729 goto end;
8730
8731 /*
8732 * We only expect certificate authorities to have been sent to the server
8733 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8734 */
8735 sktmp = SSL_get0_peer_CA_list(serverssl);
8736 if (prot == TLS1_3_VERSION
8737 && (tst == 0 || tst == 1)) {
8738 if (!TEST_ptr(sktmp)
8739 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8740 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8741 name[0]), 0)
8742 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8743 name[1]), 0))
8744 goto end;
8745 } else if (!TEST_ptr_null(sktmp)) {
8746 goto end;
8747 }
8748
8749 /*
8750 * In all tests we expect certificate authorities to have been sent to the
8751 * client. However, SSL_set_client_CA_list() should override
8752 * SSL_set0_CA_list()
8753 */
8754 sktmp = SSL_get0_peer_CA_list(clientssl);
8755 if (!TEST_ptr(sktmp)
8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8758 name[tst == 0 ? 0 : 2]), 0)
8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8760 name[tst == 0 ? 1 : 3]), 0))
8761 goto end;
8762
8763 testresult = 1;
8764
8765 end:
8766 SSL_free(serverssl);
8767 SSL_free(clientssl);
8768 SSL_CTX_free(sctx);
8769 SSL_CTX_free(cctx);
8770 for (i = 0; i < OSSL_NELEM(name); i++)
8771 X509_NAME_free(name[i]);
8772 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8773 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8774
8775 return testresult;
8776 }
8777 #endif
8778
test_ca_names(int tst)8779 static int test_ca_names(int tst)
8780 {
8781 int testresult = 1;
8782
8783 #ifndef OPENSSL_NO_TLS1_2
8784 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8785 #endif
8786 #ifndef OSSL_NO_USABLE_TLS1_3
8787 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8788 #endif
8789
8790 return testresult;
8791 }
8792
8793 #ifndef OPENSSL_NO_TLS1_2
8794 static const char *multiblock_cipherlist_data[]=
8795 {
8796 "AES128-SHA",
8797 "AES128-SHA256",
8798 "AES256-SHA",
8799 "AES256-SHA256",
8800 };
8801
8802 /* Reduce the fragment size - so the multiblock test buffer can be small */
8803 # define MULTIBLOCK_FRAGSIZE 512
8804
test_multiblock_write(int test_index)8805 static int test_multiblock_write(int test_index)
8806 {
8807 static const char *fetchable_ciphers[]=
8808 {
8809 "AES-128-CBC-HMAC-SHA1",
8810 "AES-128-CBC-HMAC-SHA256",
8811 "AES-256-CBC-HMAC-SHA1",
8812 "AES-256-CBC-HMAC-SHA256"
8813 };
8814 const char *cipherlist = multiblock_cipherlist_data[test_index];
8815 const SSL_METHOD *smeth = TLS_server_method();
8816 const SSL_METHOD *cmeth = TLS_client_method();
8817 int min_version = TLS1_VERSION;
8818 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8819 SSL_CTX *cctx = NULL, *sctx = NULL;
8820 SSL *clientssl = NULL, *serverssl = NULL;
8821 int testresult = 0;
8822
8823 /*
8824 * Choose a buffer large enough to perform a multi-block operation
8825 * i.e: write_len >= 4 * frag_size
8826 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8827 */
8828 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8829 unsigned char buf[sizeof(msg)], *p = buf;
8830 size_t readbytes, written, len;
8831 EVP_CIPHER *ciph = NULL;
8832
8833 /*
8834 * Check if the cipher exists before attempting to use it since it only has
8835 * a hardware specific implementation.
8836 */
8837 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8838 if (ciph == NULL) {
8839 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8840 return 1;
8841 }
8842 EVP_CIPHER_free(ciph);
8843
8844 /* Set up a buffer with some data that will be sent to the client */
8845 RAND_bytes(msg, sizeof(msg));
8846
8847 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8848 max_version, &sctx, &cctx, cert,
8849 privkey)))
8850 goto end;
8851
8852 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8853 goto end;
8854
8855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8856 NULL, NULL)))
8857 goto end;
8858
8859 /* settings to force it to use AES-CBC-HMAC_SHA */
8860 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8861 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8862 goto end;
8863
8864 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8865 goto end;
8866
8867 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8868 || !TEST_size_t_eq(written, sizeof(msg)))
8869 goto end;
8870
8871 len = written;
8872 while (len > 0) {
8873 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8874 goto end;
8875 p += readbytes;
8876 len -= readbytes;
8877 }
8878 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8879 goto end;
8880
8881 testresult = 1;
8882 end:
8883 SSL_free(serverssl);
8884 SSL_free(clientssl);
8885 SSL_CTX_free(sctx);
8886 SSL_CTX_free(cctx);
8887
8888 return testresult;
8889 }
8890 #endif /* OPENSSL_NO_TLS1_2 */
8891
test_session_timeout(int test)8892 static int test_session_timeout(int test)
8893 {
8894 /*
8895 * Test session ordering and timeout
8896 * Can't explicitly test performance of the new code,
8897 * but can test to see if the ordering of the sessions
8898 * are correct, and they they are removed as expected
8899 */
8900 SSL_SESSION *early = NULL;
8901 SSL_SESSION *middle = NULL;
8902 SSL_SESSION *late = NULL;
8903 SSL_CTX *ctx;
8904 int testresult = 0;
8905 long now = (long)time(NULL);
8906 #define TIMEOUT 10
8907
8908 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8909 || !TEST_ptr(early = SSL_SESSION_new())
8910 || !TEST_ptr(middle = SSL_SESSION_new())
8911 || !TEST_ptr(late = SSL_SESSION_new()))
8912 goto end;
8913
8914 /* assign unique session ids */
8915 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8916 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8917 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8918 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8919 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8920 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8921
8922 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8923 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8924 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8925 goto end;
8926
8927 /* Make sure they are all added */
8928 if (!TEST_ptr(early->prev)
8929 || !TEST_ptr(middle->prev)
8930 || !TEST_ptr(late->prev))
8931 goto end;
8932
8933 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8934 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8935 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8936 goto end;
8937
8938 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8939 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8940 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8941 goto end;
8942
8943 /* Make sure they are all still there */
8944 if (!TEST_ptr(early->prev)
8945 || !TEST_ptr(middle->prev)
8946 || !TEST_ptr(late->prev))
8947 goto end;
8948
8949 /* Make sure they are in the expected order */
8950 if (!TEST_ptr_eq(late->next, middle)
8951 || !TEST_ptr_eq(middle->next, early)
8952 || !TEST_ptr_eq(early->prev, middle)
8953 || !TEST_ptr_eq(middle->prev, late))
8954 goto end;
8955
8956 /* This should remove "early" */
8957 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8958 if (!TEST_ptr_null(early->prev)
8959 || !TEST_ptr(middle->prev)
8960 || !TEST_ptr(late->prev))
8961 goto end;
8962
8963 /* This should remove "middle" */
8964 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8965 if (!TEST_ptr_null(early->prev)
8966 || !TEST_ptr_null(middle->prev)
8967 || !TEST_ptr(late->prev))
8968 goto end;
8969
8970 /* This should remove "late" */
8971 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8972 if (!TEST_ptr_null(early->prev)
8973 || !TEST_ptr_null(middle->prev)
8974 || !TEST_ptr_null(late->prev))
8975 goto end;
8976
8977 /* Add them back in again */
8978 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8979 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8980 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8981 goto end;
8982
8983 /* Make sure they are all added */
8984 if (!TEST_ptr(early->prev)
8985 || !TEST_ptr(middle->prev)
8986 || !TEST_ptr(late->prev))
8987 goto end;
8988
8989 /* This should remove all of them */
8990 SSL_CTX_flush_sessions(ctx, 0);
8991 if (!TEST_ptr_null(early->prev)
8992 || !TEST_ptr_null(middle->prev)
8993 || !TEST_ptr_null(late->prev))
8994 goto end;
8995
8996 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8997 | SSL_CTX_get_session_cache_mode(ctx));
8998
8999 /* make sure |now| is NOT equal to the current time */
9000 now -= 10;
9001 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9002 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9003 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9004 goto end;
9005
9006 testresult = 1;
9007 end:
9008 SSL_CTX_free(ctx);
9009 SSL_SESSION_free(early);
9010 SSL_SESSION_free(middle);
9011 SSL_SESSION_free(late);
9012 return testresult;
9013 }
9014
9015 /*
9016 * Test that a session cache overflow works as expected
9017 * Test 0: TLSv1.3, timeout on new session later than old session
9018 * Test 1: TLSv1.2, timeout on new session later than old session
9019 * Test 2: TLSv1.3, timeout on new session earlier than old session
9020 * Test 3: TLSv1.2, timeout on new session earlier than old session
9021 */
9022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
test_session_cache_overflow(int idx)9023 static int test_session_cache_overflow(int idx)
9024 {
9025 SSL_CTX *sctx = NULL, *cctx = NULL;
9026 SSL *serverssl = NULL, *clientssl = NULL;
9027 int testresult = 0;
9028 SSL_SESSION *sess = NULL;
9029
9030 #ifdef OSSL_NO_USABLE_TLS1_3
9031 /* If no TLSv1.3 available then do nothing in this case */
9032 if (idx % 2 == 0)
9033 return TEST_skip("No TLSv1.3 available");
9034 #endif
9035 #ifdef OPENSSL_NO_TLS1_2
9036 /* If no TLSv1.2 available then do nothing in this case */
9037 if (idx % 2 == 1)
9038 return TEST_skip("No TLSv1.2 available");
9039 #endif
9040
9041 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9042 TLS_client_method(), TLS1_VERSION,
9043 (idx % 2 == 0) ? TLS1_3_VERSION
9044 : TLS1_2_VERSION,
9045 &sctx, &cctx, cert, privkey))
9046 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9047 goto end;
9048
9049 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9050 get_sess_val = NULL;
9051
9052 SSL_CTX_sess_set_cache_size(sctx, 1);
9053
9054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9055 NULL, NULL)))
9056 goto end;
9057
9058 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9059 goto end;
9060
9061 if (idx > 1) {
9062 sess = SSL_get_session(serverssl);
9063 if (!TEST_ptr(sess))
9064 goto end;
9065
9066 /*
9067 * Cause this session to have a longer timeout than the next session to
9068 * be added.
9069 */
9070 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
9071 sess = NULL;
9072 goto end;
9073 }
9074 sess = NULL;
9075 }
9076
9077 SSL_shutdown(serverssl);
9078 SSL_shutdown(clientssl);
9079 SSL_free(serverssl);
9080 SSL_free(clientssl);
9081 serverssl = clientssl = NULL;
9082
9083 /*
9084 * Session cache size is 1 and we already populated the cache with a session
9085 * so the next connection should cause an overflow.
9086 */
9087
9088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9089 NULL, NULL)))
9090 goto end;
9091
9092 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9093 goto end;
9094
9095 /*
9096 * The session we just negotiated may have been already removed from the
9097 * internal cache - but we will return it anyway from our external cache.
9098 */
9099 get_sess_val = SSL_get_session(serverssl);
9100 if (!TEST_ptr(get_sess_val))
9101 goto end;
9102 sess = SSL_get1_session(clientssl);
9103 if (!TEST_ptr(sess))
9104 goto end;
9105
9106 SSL_shutdown(serverssl);
9107 SSL_shutdown(clientssl);
9108 SSL_free(serverssl);
9109 SSL_free(clientssl);
9110 serverssl = clientssl = NULL;
9111
9112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9113 NULL, NULL)))
9114 goto end;
9115
9116 if (!TEST_true(SSL_set_session(clientssl, sess)))
9117 goto end;
9118
9119 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9120 goto end;
9121
9122 testresult = 1;
9123
9124 end:
9125 SSL_free(serverssl);
9126 SSL_free(clientssl);
9127 SSL_CTX_free(sctx);
9128 SSL_CTX_free(cctx);
9129 SSL_SESSION_free(sess);
9130
9131 return testresult;
9132 }
9133 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9134
9135 /*
9136 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9137 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9138 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9139 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9140 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9141 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9142 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9143 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9144 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9145 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9146 */
test_servername(int tst)9147 static int test_servername(int tst)
9148 {
9149 SSL_CTX *cctx = NULL, *sctx = NULL;
9150 SSL *clientssl = NULL, *serverssl = NULL;
9151 int testresult = 0;
9152 SSL_SESSION *sess = NULL;
9153 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9154
9155 #ifdef OPENSSL_NO_TLS1_2
9156 if (tst <= 4)
9157 return 1;
9158 #endif
9159 #ifdef OSSL_NO_USABLE_TLS1_3
9160 if (tst >= 5)
9161 return 1;
9162 #endif
9163
9164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9165 TLS_client_method(),
9166 TLS1_VERSION,
9167 (tst <= 4) ? TLS1_2_VERSION
9168 : TLS1_3_VERSION,
9169 &sctx, &cctx, cert, privkey))
9170 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9171 NULL, NULL)))
9172 goto end;
9173
9174 if (tst != 1 && tst != 6) {
9175 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9176 hostname_cb)))
9177 goto end;
9178 }
9179
9180 if (tst != 3 && tst != 8) {
9181 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9182 goto end;
9183 sexpectedhost = cexpectedhost = "goodhost";
9184 }
9185
9186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9187 goto end;
9188
9189 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9190 cexpectedhost)
9191 || !TEST_str_eq(SSL_get_servername(serverssl,
9192 TLSEXT_NAMETYPE_host_name),
9193 sexpectedhost))
9194 goto end;
9195
9196 /* Now repeat with a resumption handshake */
9197
9198 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9199 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9200 || !TEST_true(SSL_SESSION_is_resumable(sess))
9201 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9202 goto end;
9203
9204 SSL_free(clientssl);
9205 SSL_free(serverssl);
9206 clientssl = serverssl = NULL;
9207
9208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9209 NULL)))
9210 goto end;
9211
9212 if (!TEST_true(SSL_set_session(clientssl, sess)))
9213 goto end;
9214
9215 sexpectedhost = cexpectedhost = "goodhost";
9216 if (tst == 2 || tst == 7) {
9217 /* Set an inconsistent hostname */
9218 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9219 goto end;
9220 /*
9221 * In TLSv1.2 we expect the hostname from the original handshake, in
9222 * TLSv1.3 we expect the hostname from this handshake
9223 */
9224 if (tst == 7)
9225 sexpectedhost = cexpectedhost = "altgoodhost";
9226
9227 if (!TEST_str_eq(SSL_get_servername(clientssl,
9228 TLSEXT_NAMETYPE_host_name),
9229 "altgoodhost"))
9230 goto end;
9231 } else if (tst == 4 || tst == 9) {
9232 /*
9233 * A TLSv1.3 session does not associate a session with a servername,
9234 * but a TLSv1.2 session does.
9235 */
9236 if (tst == 9)
9237 sexpectedhost = cexpectedhost = NULL;
9238
9239 if (!TEST_str_eq(SSL_get_servername(clientssl,
9240 TLSEXT_NAMETYPE_host_name),
9241 cexpectedhost))
9242 goto end;
9243 } else {
9244 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9245 goto end;
9246 /*
9247 * In a TLSv1.2 resumption where the hostname was not acknowledged
9248 * we expect the hostname on the server to be empty. On the client we
9249 * return what was requested in this case.
9250 *
9251 * Similarly if the client didn't set a hostname on an original TLSv1.2
9252 * session but is now, the server hostname will be empty, but the client
9253 * is as we set it.
9254 */
9255 if (tst == 1 || tst == 3)
9256 sexpectedhost = NULL;
9257
9258 if (!TEST_str_eq(SSL_get_servername(clientssl,
9259 TLSEXT_NAMETYPE_host_name),
9260 "goodhost"))
9261 goto end;
9262 }
9263
9264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9265 goto end;
9266
9267 if (!TEST_true(SSL_session_reused(clientssl))
9268 || !TEST_true(SSL_session_reused(serverssl))
9269 || !TEST_str_eq(SSL_get_servername(clientssl,
9270 TLSEXT_NAMETYPE_host_name),
9271 cexpectedhost)
9272 || !TEST_str_eq(SSL_get_servername(serverssl,
9273 TLSEXT_NAMETYPE_host_name),
9274 sexpectedhost))
9275 goto end;
9276
9277 testresult = 1;
9278
9279 end:
9280 SSL_SESSION_free(sess);
9281 SSL_free(serverssl);
9282 SSL_free(clientssl);
9283 SSL_CTX_free(sctx);
9284 SSL_CTX_free(cctx);
9285
9286 return testresult;
9287 }
9288
9289 #if !defined(OPENSSL_NO_EC) \
9290 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9291 /*
9292 * Test that if signature algorithms are not available, then we do not offer or
9293 * accept them.
9294 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9295 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9296 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9297 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9298 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9299 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9300 */
test_sigalgs_available(int idx)9301 static int test_sigalgs_available(int idx)
9302 {
9303 SSL_CTX *cctx = NULL, *sctx = NULL;
9304 SSL *clientssl = NULL, *serverssl = NULL;
9305 int testresult = 0;
9306 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9307 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9308 OSSL_PROVIDER *filterprov = NULL;
9309 int sig, hash;
9310
9311 if (!TEST_ptr(tmpctx))
9312 goto end;
9313
9314 if (idx != 0 && idx != 3) {
9315 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9316 filter_provider_init)))
9317 goto end;
9318
9319 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9320 if (!TEST_ptr(filterprov))
9321 goto end;
9322
9323 if (idx < 3) {
9324 /*
9325 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9326 * or accepted for the peer that uses this libctx. Note that libssl
9327 * *requires* SHA2-256 to be available so we cannot disable that. We
9328 * also need SHA1 for our certificate.
9329 */
9330 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9331 "SHA2-256:SHA1")))
9332 goto end;
9333 } else {
9334 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9335 "ECDSA"))
9336 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9337 "EC:X25519:X448")))
9338 goto end;
9339 }
9340
9341 if (idx == 1 || idx == 4)
9342 clientctx = tmpctx;
9343 else
9344 serverctx = tmpctx;
9345 }
9346
9347 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9348 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9349 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9350 goto end;
9351
9352 if (idx != 5) {
9353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9354 TLS_client_method(),
9355 TLS1_VERSION,
9356 0,
9357 &sctx, &cctx, cert, privkey)))
9358 goto end;
9359 } else {
9360 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9361 TLS_client_method(),
9362 TLS1_VERSION,
9363 0,
9364 &sctx, &cctx, cert2, privkey2)))
9365 goto end;
9366 }
9367
9368 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9369 if (idx < 4) {
9370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9371 "ECDHE-RSA-AES128-GCM-SHA256")))
9372 goto end;
9373 } else {
9374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9375 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9376 goto end;
9377 }
9378
9379 if (idx < 3) {
9380 if (!SSL_CTX_set1_sigalgs_list(cctx,
9381 "rsa_pss_rsae_sha384"
9382 ":rsa_pss_rsae_sha256")
9383 || !SSL_CTX_set1_sigalgs_list(sctx,
9384 "rsa_pss_rsae_sha384"
9385 ":rsa_pss_rsae_sha256"))
9386 goto end;
9387 } else {
9388 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9389 || !SSL_CTX_set1_sigalgs_list(sctx,
9390 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9391 goto end;
9392 }
9393
9394 if (idx != 5
9395 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9396 SSL_FILETYPE_PEM), 1)
9397 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9398 privkey2,
9399 SSL_FILETYPE_PEM), 1)
9400 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9401 goto end;
9402
9403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9404 NULL, NULL)))
9405 goto end;
9406
9407 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9408 goto end;
9409
9410 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9411 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9412 NULL, NULL),
9413 (idx == 0 || idx == 3) ? 2 : 1))
9414 goto end;
9415
9416 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9417 goto end;
9418
9419 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9420 : NID_rsassaPss))
9421 goto end;
9422
9423 testresult = filter_provider_check_clean_finish();
9424
9425 end:
9426 SSL_free(serverssl);
9427 SSL_free(clientssl);
9428 SSL_CTX_free(sctx);
9429 SSL_CTX_free(cctx);
9430 OSSL_PROVIDER_unload(filterprov);
9431 OSSL_LIB_CTX_free(tmpctx);
9432
9433 return testresult;
9434 }
9435 #endif /*
9436 * !defined(OPENSSL_NO_EC) \
9437 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9438 */
9439
9440 #ifndef OPENSSL_NO_TLS1_3
9441 /* This test can run in TLSv1.3 even if ec and dh are disabled */
test_pluggable_group(int idx)9442 static int test_pluggable_group(int idx)
9443 {
9444 SSL_CTX *cctx = NULL, *sctx = NULL;
9445 SSL *clientssl = NULL, *serverssl = NULL;
9446 int testresult = 0;
9447 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9448 /* Check that we are not impacted by a provider without any groups */
9449 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9450 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9451
9452 if (!TEST_ptr(tlsprov))
9453 goto end;
9454
9455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9456 TLS_client_method(),
9457 TLS1_3_VERSION,
9458 TLS1_3_VERSION,
9459 &sctx, &cctx, cert, privkey))
9460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9461 NULL, NULL)))
9462 goto end;
9463
9464 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9465 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9466 /* removing a single algorithm from the list makes the test pass */
9467 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9468 goto end;
9469
9470 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9471 goto end;
9472
9473 if (!TEST_str_eq(group_name,
9474 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9475 goto end;
9476
9477 testresult = 1;
9478
9479 end:
9480 SSL_free(serverssl);
9481 SSL_free(clientssl);
9482 SSL_CTX_free(sctx);
9483 SSL_CTX_free(cctx);
9484 OSSL_PROVIDER_unload(tlsprov);
9485 OSSL_PROVIDER_unload(legacyprov);
9486
9487 return testresult;
9488 }
9489 #endif
9490
9491 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)9492 static int test_ssl_dup(void)
9493 {
9494 SSL_CTX *cctx = NULL, *sctx = NULL;
9495 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9496 int testresult = 0;
9497 BIO *rbio = NULL, *wbio = NULL;
9498
9499 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9500 TLS_client_method(),
9501 0,
9502 0,
9503 &sctx, &cctx, cert, privkey)))
9504 goto end;
9505
9506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9507 NULL, NULL)))
9508 goto end;
9509
9510 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9511 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9512 goto end;
9513
9514 client2ssl = SSL_dup(clientssl);
9515 rbio = SSL_get_rbio(clientssl);
9516 if (!TEST_ptr(rbio)
9517 || !TEST_true(BIO_up_ref(rbio)))
9518 goto end;
9519 SSL_set0_rbio(client2ssl, rbio);
9520 rbio = NULL;
9521
9522 wbio = SSL_get_wbio(clientssl);
9523 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9524 goto end;
9525 SSL_set0_wbio(client2ssl, wbio);
9526 rbio = NULL;
9527
9528 if (!TEST_ptr(client2ssl)
9529 /* Handshake not started so pointers should be different */
9530 || !TEST_ptr_ne(clientssl, client2ssl))
9531 goto end;
9532
9533 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9534 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9535 goto end;
9536
9537 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9538 goto end;
9539
9540 SSL_free(clientssl);
9541 clientssl = SSL_dup(client2ssl);
9542 if (!TEST_ptr(clientssl)
9543 /* Handshake has finished so pointers should be the same */
9544 || !TEST_ptr_eq(clientssl, client2ssl))
9545 goto end;
9546
9547 testresult = 1;
9548
9549 end:
9550 SSL_free(serverssl);
9551 SSL_free(clientssl);
9552 SSL_free(client2ssl);
9553 SSL_CTX_free(sctx);
9554 SSL_CTX_free(cctx);
9555
9556 return testresult;
9557 }
9558
9559 # ifndef OPENSSL_NO_DH
9560
9561 static EVP_PKEY *tmp_dh_params = NULL;
9562
9563 /* Helper function for the test_set_tmp_dh() tests */
get_tmp_dh_params(void)9564 static EVP_PKEY *get_tmp_dh_params(void)
9565 {
9566 if (tmp_dh_params == NULL) {
9567 BIGNUM *p = NULL;
9568 OSSL_PARAM_BLD *tmpl = NULL;
9569 EVP_PKEY_CTX *pctx = NULL;
9570 OSSL_PARAM *params = NULL;
9571 EVP_PKEY *dhpkey = NULL;
9572
9573 p = BN_get_rfc3526_prime_2048(NULL);
9574 if (!TEST_ptr(p))
9575 goto end;
9576
9577 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9578 if (!TEST_ptr(pctx)
9579 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9580 goto end;
9581
9582 tmpl = OSSL_PARAM_BLD_new();
9583 if (!TEST_ptr(tmpl)
9584 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9585 OSSL_PKEY_PARAM_FFC_P,
9586 p))
9587 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9588 OSSL_PKEY_PARAM_FFC_G,
9589 2)))
9590 goto end;
9591
9592 params = OSSL_PARAM_BLD_to_param(tmpl);
9593 if (!TEST_ptr(params)
9594 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9595 EVP_PKEY_KEY_PARAMETERS,
9596 params), 1))
9597 goto end;
9598
9599 tmp_dh_params = dhpkey;
9600 end:
9601 BN_free(p);
9602 EVP_PKEY_CTX_free(pctx);
9603 OSSL_PARAM_BLD_free(tmpl);
9604 OSSL_PARAM_free(params);
9605 }
9606
9607 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9608 return NULL;
9609
9610 return tmp_dh_params;
9611 }
9612
9613 # ifndef OPENSSL_NO_DEPRECATED_3_0
9614 /* Callback used by test_set_tmp_dh() */
tmp_dh_callback(SSL * s,int is_export,int keylen)9615 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9616 {
9617 EVP_PKEY *dhpkey = get_tmp_dh_params();
9618 DH *ret = NULL;
9619
9620 if (!TEST_ptr(dhpkey))
9621 return NULL;
9622
9623 /*
9624 * libssl does not free the returned DH, so we free it now knowing that even
9625 * after we free dhpkey, there will still be a reference to the owning
9626 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9627 * of time we need it for.
9628 */
9629 ret = EVP_PKEY_get1_DH(dhpkey);
9630 DH_free(ret);
9631
9632 EVP_PKEY_free(dhpkey);
9633
9634 return ret;
9635 }
9636 # endif
9637
9638 /*
9639 * Test the various methods for setting temporary DH parameters
9640 *
9641 * Test 0: Default (no auto) setting
9642 * Test 1: Explicit SSL_CTX auto off
9643 * Test 2: Explicit SSL auto off
9644 * Test 3: Explicit SSL_CTX auto on
9645 * Test 4: Explicit SSL auto on
9646 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9647 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9648 *
9649 * The following are testing deprecated APIs, so we only run them if available
9650 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9651 * Test 8: Explicit SSL auto off, custom DH params via DH
9652 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9653 * Test 10: Explicit SSL auto off, custom DH params via callback
9654 */
test_set_tmp_dh(int idx)9655 static int test_set_tmp_dh(int idx)
9656 {
9657 SSL_CTX *cctx = NULL, *sctx = NULL;
9658 SSL *clientssl = NULL, *serverssl = NULL;
9659 int testresult = 0;
9660 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9661 int expected = (idx <= 2) ? 0 : 1;
9662 EVP_PKEY *dhpkey = NULL;
9663 # ifndef OPENSSL_NO_DEPRECATED_3_0
9664 DH *dh = NULL;
9665 # else
9666
9667 if (idx >= 7)
9668 return 1;
9669 # endif
9670
9671 if (idx >= 5 && idx <= 8) {
9672 dhpkey = get_tmp_dh_params();
9673 if (!TEST_ptr(dhpkey))
9674 goto end;
9675 }
9676 # ifndef OPENSSL_NO_DEPRECATED_3_0
9677 if (idx == 7 || idx == 8) {
9678 dh = EVP_PKEY_get1_DH(dhpkey);
9679 if (!TEST_ptr(dh))
9680 goto end;
9681 }
9682 # endif
9683
9684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9685 TLS_client_method(),
9686 0,
9687 0,
9688 &sctx, &cctx, cert, privkey)))
9689 goto end;
9690
9691 if ((idx & 1) == 1) {
9692 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9693 goto end;
9694 }
9695
9696 if (idx == 5) {
9697 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9698 goto end;
9699 dhpkey = NULL;
9700 }
9701 # ifndef OPENSSL_NO_DEPRECATED_3_0
9702 else if (idx == 7) {
9703 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9704 goto end;
9705 } else if (idx == 9) {
9706 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9707 }
9708 # endif
9709
9710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9711 NULL, NULL)))
9712 goto end;
9713
9714 if ((idx & 1) == 0 && idx != 0) {
9715 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9716 goto end;
9717 }
9718 if (idx == 6) {
9719 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9720 goto end;
9721 dhpkey = NULL;
9722 }
9723 # ifndef OPENSSL_NO_DEPRECATED_3_0
9724 else if (idx == 8) {
9725 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9726 goto end;
9727 } else if (idx == 10) {
9728 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9729 }
9730 # endif
9731
9732 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9733 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9734 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9735 goto end;
9736
9737 /*
9738 * If autoon then we should succeed. Otherwise we expect failure because
9739 * there are no parameters
9740 */
9741 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9742 SSL_ERROR_NONE), expected))
9743 goto end;
9744
9745 testresult = 1;
9746
9747 end:
9748 # ifndef OPENSSL_NO_DEPRECATED_3_0
9749 DH_free(dh);
9750 # endif
9751 SSL_free(serverssl);
9752 SSL_free(clientssl);
9753 SSL_CTX_free(sctx);
9754 SSL_CTX_free(cctx);
9755 EVP_PKEY_free(dhpkey);
9756
9757 return testresult;
9758 }
9759
9760 /*
9761 * Test the auto DH keys are appropriately sized
9762 */
test_dh_auto(int idx)9763 static int test_dh_auto(int idx)
9764 {
9765 SSL_CTX *cctx = NULL, *sctx = NULL;
9766 SSL *clientssl = NULL, *serverssl = NULL;
9767 int testresult = 0;
9768 EVP_PKEY *tmpkey = NULL;
9769 char *thiscert = NULL, *thiskey = NULL;
9770 size_t expdhsize = 0;
9771 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9772
9773 switch (idx) {
9774 case 0:
9775 /* The FIPS provider doesn't support this DH size - so we ignore it */
9776 if (is_fips)
9777 return 1;
9778 thiscert = cert1024;
9779 thiskey = privkey1024;
9780 expdhsize = 1024;
9781 break;
9782 case 1:
9783 /* 2048 bit prime */
9784 thiscert = cert;
9785 thiskey = privkey;
9786 expdhsize = 2048;
9787 break;
9788 case 2:
9789 thiscert = cert3072;
9790 thiskey = privkey3072;
9791 expdhsize = 3072;
9792 break;
9793 case 3:
9794 thiscert = cert4096;
9795 thiskey = privkey4096;
9796 expdhsize = 4096;
9797 break;
9798 case 4:
9799 thiscert = cert8192;
9800 thiskey = privkey8192;
9801 expdhsize = 8192;
9802 break;
9803 /* No certificate cases */
9804 case 5:
9805 /* The FIPS provider doesn't support this DH size - so we ignore it */
9806 if (is_fips)
9807 return 1;
9808 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9809 expdhsize = 1024;
9810 break;
9811 case 6:
9812 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9813 expdhsize = 3072;
9814 break;
9815 default:
9816 TEST_error("Invalid text index");
9817 goto end;
9818 }
9819
9820 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9821 TLS_client_method(),
9822 0,
9823 0,
9824 &sctx, &cctx, thiscert, thiskey)))
9825 goto end;
9826
9827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9828 NULL, NULL)))
9829 goto end;
9830
9831 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9832 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9833 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9834 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9835 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9836 goto end;
9837
9838 /*
9839 * Send the server's first flight. At this point the server has created the
9840 * temporary DH key but hasn't finished using it yet. Once used it is
9841 * removed, so we cannot test it.
9842 */
9843 if (!TEST_int_le(SSL_connect(clientssl), 0)
9844 || !TEST_int_le(SSL_accept(serverssl), 0))
9845 goto end;
9846
9847 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9848 goto end;
9849 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9850 goto end;
9851
9852 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9853 goto end;
9854
9855 testresult = 1;
9856
9857 end:
9858 SSL_free(serverssl);
9859 SSL_free(clientssl);
9860 SSL_CTX_free(sctx);
9861 SSL_CTX_free(cctx);
9862 EVP_PKEY_free(tmpkey);
9863
9864 return testresult;
9865
9866 }
9867 # endif /* OPENSSL_NO_DH */
9868 #endif /* OPENSSL_NO_TLS1_2 */
9869
9870 #ifndef OSSL_NO_USABLE_TLS1_3
9871 /*
9872 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9873 * that it works even without a certificate configured for the original
9874 * SSL_CTX
9875 */
test_sni_tls13(void)9876 static int test_sni_tls13(void)
9877 {
9878 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9879 SSL *clientssl = NULL, *serverssl = NULL;
9880 int testresult = 0;
9881
9882 /* Reset callback counter */
9883 snicb = 0;
9884
9885 /* Create an initial SSL_CTX with no certificate configured */
9886 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9887 if (!TEST_ptr(sctx))
9888 goto end;
9889 /* Require TLSv1.3 as a minimum */
9890 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9891 TLS_client_method(), TLS1_3_VERSION, 0,
9892 &sctx2, &cctx, cert, privkey)))
9893 goto end;
9894
9895 /* Set up SNI */
9896 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9897 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9898 goto end;
9899
9900 /*
9901 * Connection should still succeed because the final SSL_CTX has the right
9902 * certificates configured.
9903 */
9904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9905 &clientssl, NULL, NULL))
9906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9907 SSL_ERROR_NONE)))
9908 goto end;
9909
9910 /* We should have had the SNI callback called exactly once */
9911 if (!TEST_int_eq(snicb, 1))
9912 goto end;
9913
9914 testresult = 1;
9915
9916 end:
9917 SSL_free(serverssl);
9918 SSL_free(clientssl);
9919 SSL_CTX_free(sctx2);
9920 SSL_CTX_free(sctx);
9921 SSL_CTX_free(cctx);
9922 return testresult;
9923 }
9924
9925 /*
9926 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9927 * 0 = TLSv1.2
9928 * 1 = TLSv1.3
9929 */
test_ticket_lifetime(int idx)9930 static int test_ticket_lifetime(int idx)
9931 {
9932 SSL_CTX *cctx = NULL, *sctx = NULL;
9933 SSL *clientssl = NULL, *serverssl = NULL;
9934 int testresult = 0;
9935 int version = TLS1_3_VERSION;
9936
9937 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9938 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9939
9940 if (idx == 0) {
9941 #ifdef OPENSSL_NO_TLS1_2
9942 return TEST_skip("TLS 1.2 is disabled.");
9943 #else
9944 version = TLS1_2_VERSION;
9945 #endif
9946 }
9947
9948 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9949 TLS_client_method(), version, version,
9950 &sctx, &cctx, cert, privkey)))
9951 goto end;
9952
9953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9954 &clientssl, NULL, NULL)))
9955 goto end;
9956
9957 /*
9958 * Set the timeout to be more than 1 week
9959 * make sure the returned value is the default
9960 */
9961 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9962 SSL_get_default_timeout(serverssl)))
9963 goto end;
9964
9965 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9966 goto end;
9967
9968 if (idx == 0) {
9969 /* TLSv1.2 uses the set value */
9970 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9971 goto end;
9972 } else {
9973 /* TLSv1.3 uses the limited value */
9974 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9975 goto end;
9976 }
9977 testresult = 1;
9978
9979 end:
9980 SSL_free(serverssl);
9981 SSL_free(clientssl);
9982 SSL_CTX_free(sctx);
9983 SSL_CTX_free(cctx);
9984 return testresult;
9985 }
9986 #endif
9987 /*
9988 * Test that setting an ALPN does not violate RFC
9989 */
test_set_alpn(void)9990 static int test_set_alpn(void)
9991 {
9992 SSL_CTX *ctx = NULL;
9993 SSL *ssl = NULL;
9994 int testresult = 0;
9995
9996 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9997 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9998 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9999 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10000 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10001 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10002
10003 /* Create an initial SSL_CTX with no certificate configured */
10004 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10005 if (!TEST_ptr(ctx))
10006 goto end;
10007
10008 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10009 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10010 goto end;
10011 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10012 goto end;
10013 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10014 goto end;
10015 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10016 goto end;
10017 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10018 goto end;
10019 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10020 goto end;
10021 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10022 goto end;
10023 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10024 goto end;
10025 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10026 goto end;
10027
10028 ssl = SSL_new(ctx);
10029 if (!TEST_ptr(ssl))
10030 goto end;
10031
10032 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10033 goto end;
10034 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10035 goto end;
10036 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10037 goto end;
10038 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10039 goto end;
10040 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10041 goto end;
10042 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10043 goto end;
10044 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10045 goto end;
10046 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10047 goto end;
10048 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10049 goto end;
10050
10051 testresult = 1;
10052
10053 end:
10054 SSL_free(ssl);
10055 SSL_CTX_free(ctx);
10056 return testresult;
10057 }
10058
10059 /*
10060 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10061 */
test_set_verify_cert_store_ssl_ctx(void)10062 static int test_set_verify_cert_store_ssl_ctx(void)
10063 {
10064 SSL_CTX *ctx = NULL;
10065 int testresult = 0;
10066 X509_STORE *store = NULL, *new_store = NULL,
10067 *cstore = NULL, *new_cstore = NULL;
10068
10069 /* Create an initial SSL_CTX. */
10070 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10071 if (!TEST_ptr(ctx))
10072 goto end;
10073
10074 /* Retrieve verify store pointer. */
10075 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10076 goto end;
10077
10078 /* Retrieve chain store pointer. */
10079 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10080 goto end;
10081
10082 /* We haven't set any yet, so this should be NULL. */
10083 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10084 goto end;
10085
10086 /* Create stores. We use separate stores so pointers are different. */
10087 new_store = X509_STORE_new();
10088 if (!TEST_ptr(new_store))
10089 goto end;
10090
10091 new_cstore = X509_STORE_new();
10092 if (!TEST_ptr(new_cstore))
10093 goto end;
10094
10095 /* Set stores. */
10096 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10097 goto end;
10098
10099 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10100 goto end;
10101
10102 /* Should be able to retrieve the same pointer. */
10103 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10104 goto end;
10105
10106 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10107 goto end;
10108
10109 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10110 goto end;
10111
10112 /* Should be able to unset again. */
10113 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10114 goto end;
10115
10116 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10117 goto end;
10118
10119 /* Should now be NULL. */
10120 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10121 goto end;
10122
10123 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10124 goto end;
10125
10126 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10127 goto end;
10128
10129 testresult = 1;
10130
10131 end:
10132 X509_STORE_free(new_store);
10133 X509_STORE_free(new_cstore);
10134 SSL_CTX_free(ctx);
10135 return testresult;
10136 }
10137
10138 /*
10139 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10140 */
test_set_verify_cert_store_ssl(void)10141 static int test_set_verify_cert_store_ssl(void)
10142 {
10143 SSL_CTX *ctx = NULL;
10144 SSL *ssl = NULL;
10145 int testresult = 0;
10146 X509_STORE *store = NULL, *new_store = NULL,
10147 *cstore = NULL, *new_cstore = NULL;
10148
10149 /* Create an initial SSL_CTX. */
10150 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10151 if (!TEST_ptr(ctx))
10152 goto end;
10153
10154 /* Create an SSL object. */
10155 ssl = SSL_new(ctx);
10156 if (!TEST_ptr(ssl))
10157 goto end;
10158
10159 /* Retrieve verify store pointer. */
10160 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10161 goto end;
10162
10163 /* Retrieve chain store pointer. */
10164 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10165 goto end;
10166
10167 /* We haven't set any yet, so this should be NULL. */
10168 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10169 goto end;
10170
10171 /* Create stores. We use separate stores so pointers are different. */
10172 new_store = X509_STORE_new();
10173 if (!TEST_ptr(new_store))
10174 goto end;
10175
10176 new_cstore = X509_STORE_new();
10177 if (!TEST_ptr(new_cstore))
10178 goto end;
10179
10180 /* Set stores. */
10181 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10182 goto end;
10183
10184 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10185 goto end;
10186
10187 /* Should be able to retrieve the same pointer. */
10188 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10189 goto end;
10190
10191 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10192 goto end;
10193
10194 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10195 goto end;
10196
10197 /* Should be able to unset again. */
10198 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10199 goto end;
10200
10201 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10202 goto end;
10203
10204 /* Should now be NULL. */
10205 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10206 goto end;
10207
10208 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10209 goto end;
10210
10211 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10212 goto end;
10213
10214 testresult = 1;
10215
10216 end:
10217 X509_STORE_free(new_store);
10218 X509_STORE_free(new_cstore);
10219 SSL_free(ssl);
10220 SSL_CTX_free(ctx);
10221 return testresult;
10222 }
10223
10224
test_inherit_verify_param(void)10225 static int test_inherit_verify_param(void)
10226 {
10227 int testresult = 0;
10228
10229 SSL_CTX *ctx = NULL;
10230 X509_VERIFY_PARAM *cp = NULL;
10231 SSL *ssl = NULL;
10232 X509_VERIFY_PARAM *sp = NULL;
10233 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10234
10235 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10236 if (!TEST_ptr(ctx))
10237 goto end;
10238
10239 cp = SSL_CTX_get0_param(ctx);
10240 if (!TEST_ptr(cp))
10241 goto end;
10242 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10243 goto end;
10244
10245 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10246
10247 ssl = SSL_new(ctx);
10248 if (!TEST_ptr(ssl))
10249 goto end;
10250
10251 sp = SSL_get0_param(ssl);
10252 if (!TEST_ptr(sp))
10253 goto end;
10254 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10255 goto end;
10256
10257 testresult = 1;
10258
10259 end:
10260 SSL_free(ssl);
10261 SSL_CTX_free(ctx);
10262
10263 return testresult;
10264 }
10265
test_load_dhfile(void)10266 static int test_load_dhfile(void)
10267 {
10268 #ifndef OPENSSL_NO_DH
10269 int testresult = 0;
10270
10271 SSL_CTX *ctx = NULL;
10272 SSL_CONF_CTX *cctx = NULL;
10273
10274 if (dhfile == NULL)
10275 return 1;
10276
10277 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10278 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10279 goto end;
10280
10281 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10282 SSL_CONF_CTX_set_flags(cctx,
10283 SSL_CONF_FLAG_CERTIFICATE
10284 | SSL_CONF_FLAG_SERVER
10285 | SSL_CONF_FLAG_FILE);
10286
10287 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10288 goto end;
10289
10290 testresult = 1;
10291 end:
10292 SSL_CONF_CTX_free(cctx);
10293 SSL_CTX_free(ctx);
10294
10295 return testresult;
10296 #else
10297 return TEST_skip("DH not supported by this build");
10298 #endif
10299 }
10300
10301 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10302 /*
10303 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10304 * support this yet. The only pipeline capable cipher that we have is in the
10305 * dasync engine (providers don't support this yet), so we have to use
10306 * deprecated APIs for this test.
10307 *
10308 * Test 0: Client has pipelining enabled, server does not
10309 * Test 1: Server has pipelining enabled, client does not
10310 * Test 2: Client has pipelining enabled, server does not: not enough data to
10311 * fill all the pipelines
10312 * Test 3: Client has pipelining enabled, server does not: not enough data to
10313 * fill all the pipelines by more than a full pipeline's worth
10314 * Test 4: Client has pipelining enabled, server does not: more data than all
10315 * the available pipelines can take
10316 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10317 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10318 * is created)
10319 */
test_pipelining(int idx)10320 static int test_pipelining(int idx)
10321 {
10322 SSL_CTX *cctx = NULL, *sctx = NULL;
10323 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10324 int testresult = 0, numreads;
10325 /* A 55 byte message */
10326 unsigned char *msg = (unsigned char *)
10327 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10328 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10329 size_t expectedreads;
10330 unsigned char *buf = NULL;
10331 ENGINE *e = NULL;
10332
10333 if (idx != 6) {
10334 e = load_dasync();
10335 if (e == NULL)
10336 return 0;
10337 }
10338
10339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10340 TLS_client_method(), 0,
10341 TLS1_2_VERSION, &sctx, &cctx, cert,
10342 privkey)))
10343 goto end;
10344
10345 if (idx == 6) {
10346 e = load_dasync();
10347 if (e == NULL)
10348 goto end;
10349 /* Now act like test 0 */
10350 idx = 0;
10351 }
10352
10353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10354 &clientssl, NULL, NULL)))
10355 goto end;
10356
10357 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10358 goto end;
10359
10360 /* peera is always configured for pipelining, while peerb is not. */
10361 if (idx == 1) {
10362 peera = serverssl;
10363 peerb = clientssl;
10364
10365 } else {
10366 peera = clientssl;
10367 peerb = serverssl;
10368 }
10369
10370 if (idx == 5) {
10371 numpipes = 2;
10372 /* Maximum allowed fragment size */
10373 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10374 msglen = fragsize * numpipes;
10375 msg = OPENSSL_malloc(msglen);
10376 if (!TEST_ptr(msg))
10377 goto end;
10378 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10379 goto end;
10380 } else if (idx == 4) {
10381 msglen = 55;
10382 } else {
10383 msglen = 50;
10384 }
10385 if (idx == 2)
10386 msglen -= 2; /* Send 2 less bytes */
10387 else if (idx == 3)
10388 msglen -= 12; /* Send 12 less bytes */
10389
10390 buf = OPENSSL_malloc(msglen);
10391 if (!TEST_ptr(buf))
10392 goto end;
10393
10394 if (idx == 5) {
10395 /*
10396 * Test that setting a split send fragment longer than the maximum
10397 * allowed fails
10398 */
10399 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10400 goto end;
10401 }
10402
10403 /*
10404 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10405 * (50 bytes in total). This is a ridiculously small number of bytes -
10406 * but sufficient for our purposes
10407 */
10408 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10409 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10410 goto end;
10411
10412 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10413 goto end;
10414
10415 /* Write some data from peera to peerb */
10416 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10417 || !TEST_size_t_eq(written, msglen))
10418 goto end;
10419
10420 /*
10421 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10422 * have been used - except in test 3 where only |numpipes - 1| pipelines
10423 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10424 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10425 * expect this to be read in |numpipes| or |numpipes - 1| separate
10426 * SSL_read_ex calls. In the case of test 4, there is then one additional
10427 * read for left over data that couldn't fit in the previous pipelines
10428 */
10429 for (offset = 0, numreads = 0;
10430 offset < msglen;
10431 offset += readbytes, numreads++) {
10432 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10433 msglen - offset, &readbytes)))
10434 goto end;
10435 }
10436
10437 expectedreads = idx == 4 ? numpipes + 1
10438 : (idx == 3 ? numpipes - 1 : numpipes);
10439 if (!TEST_mem_eq(msg, msglen, buf, offset)
10440 || !TEST_int_eq(numreads, expectedreads))
10441 goto end;
10442
10443 /*
10444 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10445 * chunks to exercise the read pipelining code on peera.
10446 */
10447 for (offset = 0; offset < msglen; offset += fragsize) {
10448 size_t sendlen = msglen - offset;
10449
10450 if (sendlen > fragsize)
10451 sendlen = fragsize;
10452 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10453 || !TEST_size_t_eq(written, sendlen))
10454 goto end;
10455 }
10456
10457 /*
10458 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10459 * separate chunks (depending on which test we are running). If the
10460 * pipelining is working then we expect peera to read up to numpipes chunks
10461 * and process them in parallel, giving back the complete result in a single
10462 * call to SSL_read_ex
10463 */
10464 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10465 || !TEST_size_t_le(readbytes, msglen))
10466 goto end;
10467
10468 if (idx == 4) {
10469 size_t readbytes2;
10470
10471 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10472 msglen - readbytes, &readbytes2)))
10473 goto end;
10474 readbytes += readbytes2;
10475 if (!TEST_size_t_le(readbytes, msglen))
10476 goto end;
10477 }
10478
10479 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10480 goto end;
10481
10482 testresult = 1;
10483 end:
10484 SSL_free(serverssl);
10485 SSL_free(clientssl);
10486 SSL_CTX_free(sctx);
10487 SSL_CTX_free(cctx);
10488 if (e != NULL) {
10489 ENGINE_unregister_ciphers(e);
10490 ENGINE_finish(e);
10491 ENGINE_free(e);
10492 }
10493 OPENSSL_free(buf);
10494 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10495 OPENSSL_free(msg);
10496 return testresult;
10497 }
10498 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10499
10500 /*
10501 * Force a write retry during handshaking. We test various combinations of
10502 * scenarios. We test a large certificate message which will fill the buffering
10503 * BIO used in the handshake. We try with client auth on and off. Finally we
10504 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
10505 * to indicate retry via -1 - but sometimes BIOs don't do that.
10506 *
10507 * Test 0: Standard certificate message
10508 * Test 1: Large certificate message
10509 * Test 2: Standard cert, verify peer
10510 * Test 3: Large cert, verify peer
10511 * Test 4: Standard cert, BIO returns 0 on retry
10512 * Test 5: Large cert, BIO returns 0 on retry
10513 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
10514 * Test 7: Large cert, verify peer, BIO returns 0 on retry
10515 * Test 8-15: Repeat of above with TLSv1.2
10516 */
test_handshake_retry(int idx)10517 static int test_handshake_retry(int idx)
10518 {
10519 SSL_CTX *cctx = NULL, *sctx = NULL;
10520 SSL *clientssl = NULL, *serverssl = NULL;
10521 int testresult = 0;
10522 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
10523 int maxversion = 0;
10524
10525 if (!TEST_ptr(bretry))
10526 goto end;
10527
10528 #ifndef OPENSSL_NO_TLS1_2
10529 if ((idx & 8) == 8)
10530 maxversion = TLS1_2_VERSION;
10531 #else
10532 if ((idx & 8) == 8)
10533 return TEST_skip("No TLSv1.2");
10534 #endif
10535
10536 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10537 TLS_client_method(), 0, maxversion,
10538 &sctx, &cctx, cert, privkey)))
10539 goto end;
10540
10541 /*
10542 * Add a large amount of data to fill the buffering BIO used by the SSL
10543 * object
10544 */
10545 if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
10546 goto end;
10547
10548 /*
10549 * We don't actually configure a client cert, but neither do we fail if one
10550 * isn't present.
10551 */
10552 if ((idx & 2) == 2)
10553 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
10554
10555 if ((idx & 4) == 4)
10556 set_always_retry_err_val(0);
10557
10558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10559 &clientssl, NULL, NULL)))
10560 goto end;
10561
10562 tmp = SSL_get_wbio(serverssl);
10563 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
10564 tmp = NULL;
10565 goto end;
10566 }
10567 SSL_set0_wbio(serverssl, bretry);
10568 bretry = NULL;
10569
10570 if (!TEST_int_eq(SSL_connect(clientssl), -1))
10571 goto end;
10572
10573 if (!TEST_int_eq(SSL_accept(serverssl), -1)
10574 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
10575 goto end;
10576
10577 /* Restore a BIO that will let the write succeed */
10578 SSL_set0_wbio(serverssl, tmp);
10579 tmp = NULL;
10580
10581 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10582 goto end;
10583
10584 testresult = 1;
10585 end:
10586 SSL_free(serverssl);
10587 SSL_free(clientssl);
10588 SSL_CTX_free(sctx);
10589 SSL_CTX_free(cctx);
10590 BIO_free(bretry);
10591 BIO_free(tmp);
10592 set_always_retry_err_val(-1);
10593 return testresult;
10594 }
10595
10596 struct resume_servername_cb_data {
10597 int i;
10598 SSL_CTX *cctx;
10599 SSL_CTX *sctx;
10600 SSL_SESSION *sess;
10601 int recurse;
10602 };
10603
10604 /*
10605 * Servername callback. We use it here to run another complete handshake using
10606 * the same session - and mark the session as not_resuamble at the end
10607 */
resume_servername_cb(SSL * s,int * ad,void * arg)10608 static int resume_servername_cb(SSL *s, int *ad, void *arg)
10609 {
10610 struct resume_servername_cb_data *cbdata = arg;
10611 SSL *serverssl = NULL, *clientssl = NULL;
10612 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
10613
10614 if (cbdata->recurse)
10615 return SSL_TLSEXT_ERR_ALERT_FATAL;
10616
10617 if ((cbdata->i % 3) != 1)
10618 return SSL_TLSEXT_ERR_OK;
10619
10620 cbdata->recurse = 1;
10621
10622 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
10623 &clientssl, NULL, NULL))
10624 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
10625 goto end;
10626
10627 ERR_set_mark();
10628 /*
10629 * We expect this to fail - because the servername cb will fail. This will
10630 * mark the session as not_resumable.
10631 */
10632 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
10633 ERR_clear_last_mark();
10634 goto end;
10635 }
10636 ERR_pop_to_mark();
10637
10638 ret = SSL_TLSEXT_ERR_OK;
10639 end:
10640 SSL_free(serverssl);
10641 SSL_free(clientssl);
10642 cbdata->recurse = 0;
10643 return ret;
10644 }
10645
10646 /*
10647 * Test multiple resumptions and cache size handling
10648 * Test 0: TLSv1.3 (max_early_data set)
10649 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
10650 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
10651 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
10652 * Test 4: TLSv1.2
10653 */
test_multi_resume(int idx)10654 static int test_multi_resume(int idx)
10655 {
10656 SSL_CTX *sctx = NULL, *cctx = NULL;
10657 SSL *serverssl = NULL, *clientssl = NULL;
10658 SSL_SESSION *sess = NULL;
10659 int max_version = TLS1_3_VERSION;
10660 int i, testresult = 0;
10661 struct resume_servername_cb_data cbdata;
10662
10663 #if defined(OPENSSL_NO_TLS1_2)
10664 if (idx == 4)
10665 return TEST_skip("TLSv1.2 is disabled in this build");
10666 #else
10667 if (idx == 4)
10668 max_version = TLS1_2_VERSION;
10669 #endif
10670 #if defined(OSSL_NO_USABLE_TLS1_3)
10671 if (idx != 4)
10672 return TEST_skip("No usable TLSv1.3 in this build");
10673 #endif
10674
10675 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10676 TLS_client_method(), TLS1_VERSION,
10677 max_version, &sctx, &cctx, cert,
10678 privkey)))
10679 goto end;
10680
10681 /*
10682 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
10683 * replay protection), or if SSL_OP_NO_TICKET is in use
10684 */
10685 if (idx == 0 || idx == 2) {
10686 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
10687 goto end;
10688 }
10689 if (idx == 1 || idx == 2 || idx == 3)
10690 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
10691
10692 SSL_CTX_sess_set_cache_size(sctx, 5);
10693
10694 if (idx == 3) {
10695 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
10696 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
10697 cbdata.cctx = cctx;
10698 cbdata.sctx = sctx;
10699 cbdata.recurse = 0;
10700 }
10701
10702 for (i = 0; i < 30; i++) {
10703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10704 NULL, NULL))
10705 || !TEST_true(SSL_set_session(clientssl, sess)))
10706 goto end;
10707
10708 /*
10709 * Check simultaneous resumes. We pause the connection part way through
10710 * the handshake by (mis)using the servername_cb. The pause occurs after
10711 * session resumption has already occurred, but before any session
10712 * tickets have been issued. While paused we run another complete
10713 * handshake resuming the same session.
10714 */
10715 if (idx == 3) {
10716 cbdata.i = i;
10717 cbdata.sess = sess;
10718 }
10719
10720 /*
10721 * Recreate a bug where dynamically changing the max_early_data value
10722 * can cause sessions in the session cache which cannot be deleted.
10723 */
10724 if ((idx == 0 || idx == 2) && (i % 3) == 2)
10725 SSL_set_max_early_data(serverssl, 0);
10726
10727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10728 goto end;
10729
10730 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
10731 if (!TEST_false(SSL_session_reused(clientssl)))
10732 goto end;
10733 } else {
10734 if (!TEST_true(SSL_session_reused(clientssl)))
10735 goto end;
10736 }
10737 SSL_SESSION_free(sess);
10738
10739 /* Do a full handshake, followed by two resumptions */
10740 if ((i % 3) == 2) {
10741 sess = NULL;
10742 } else {
10743 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
10744 goto end;
10745 }
10746
10747 SSL_shutdown(clientssl);
10748 SSL_shutdown(serverssl);
10749 SSL_free(serverssl);
10750 SSL_free(clientssl);
10751 serverssl = clientssl = NULL;
10752 }
10753
10754 /* We should never exceed the session cache size limit */
10755 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
10756 goto end;
10757
10758 testresult = 1;
10759 end:
10760 SSL_free(serverssl);
10761 SSL_free(clientssl);
10762 SSL_CTX_free(sctx);
10763 SSL_CTX_free(cctx);
10764 SSL_SESSION_free(sess);
10765 return testresult;
10766 }
10767
10768 static struct next_proto_st {
10769 int serverlen;
10770 unsigned char server[40];
10771 int clientlen;
10772 unsigned char client[40];
10773 int expected_ret;
10774 size_t selectedlen;
10775 unsigned char selected[40];
10776 } next_proto_tests[] = {
10777 {
10778 4, { 3, 'a', 'b', 'c' },
10779 4, { 3, 'a', 'b', 'c' },
10780 OPENSSL_NPN_NEGOTIATED,
10781 3, { 'a', 'b', 'c' }
10782 },
10783 {
10784 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
10785 4, { 3, 'a', 'b', 'c' },
10786 OPENSSL_NPN_NEGOTIATED,
10787 3, { 'a', 'b', 'c' }
10788 },
10789 {
10790 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
10791 4, { 3, 'a', 'b', 'c' },
10792 OPENSSL_NPN_NEGOTIATED,
10793 3, { 'a', 'b', 'c' }
10794 },
10795 {
10796 4, { 3, 'a', 'b', 'c' },
10797 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
10798 OPENSSL_NPN_NEGOTIATED,
10799 3, { 'a', 'b', 'c' }
10800 },
10801 {
10802 4, { 3, 'a', 'b', 'c' },
10803 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10804 OPENSSL_NPN_NEGOTIATED,
10805 3, { 'a', 'b', 'c' }
10806 },
10807 {
10808 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
10809 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10810 OPENSSL_NPN_NEGOTIATED,
10811 3, { 'a', 'b', 'c' }
10812 },
10813 {
10814 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
10815 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10816 OPENSSL_NPN_NEGOTIATED,
10817 3, { 'a', 'b', 'c' }
10818 },
10819 {
10820 4, { 3, 'b', 'c', 'd' },
10821 4, { 3, 'a', 'b', 'c' },
10822 OPENSSL_NPN_NO_OVERLAP,
10823 3, { 'a', 'b', 'c' }
10824 },
10825 {
10826 0, { 0 },
10827 4, { 3, 'a', 'b', 'c' },
10828 OPENSSL_NPN_NO_OVERLAP,
10829 3, { 'a', 'b', 'c' }
10830 },
10831 {
10832 -1, { 0 },
10833 4, { 3, 'a', 'b', 'c' },
10834 OPENSSL_NPN_NO_OVERLAP,
10835 3, { 'a', 'b', 'c' }
10836 },
10837 {
10838 4, { 3, 'a', 'b', 'c' },
10839 0, { 0 },
10840 OPENSSL_NPN_NO_OVERLAP,
10841 0, { 0 }
10842 },
10843 {
10844 4, { 3, 'a', 'b', 'c' },
10845 -1, { 0 },
10846 OPENSSL_NPN_NO_OVERLAP,
10847 0, { 0 }
10848 },
10849 {
10850 3, { 3, 'a', 'b', 'c' },
10851 4, { 3, 'a', 'b', 'c' },
10852 OPENSSL_NPN_NO_OVERLAP,
10853 3, { 'a', 'b', 'c' }
10854 },
10855 {
10856 4, { 3, 'a', 'b', 'c' },
10857 3, { 3, 'a', 'b', 'c' },
10858 OPENSSL_NPN_NO_OVERLAP,
10859 0, { 0 }
10860 }
10861 };
10862
test_select_next_proto(int idx)10863 static int test_select_next_proto(int idx)
10864 {
10865 struct next_proto_st *np = &next_proto_tests[idx];
10866 int ret = 0;
10867 unsigned char *out, *client, *server;
10868 unsigned char outlen;
10869 unsigned int clientlen, serverlen;
10870
10871 if (np->clientlen == -1) {
10872 client = NULL;
10873 clientlen = 0;
10874 } else {
10875 client = np->client;
10876 clientlen = (unsigned int)np->clientlen;
10877 }
10878 if (np->serverlen == -1) {
10879 server = NULL;
10880 serverlen = 0;
10881 } else {
10882 server = np->server;
10883 serverlen = (unsigned int)np->serverlen;
10884 }
10885
10886 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
10887 client, clientlen),
10888 np->expected_ret))
10889 goto err;
10890
10891 if (np->selectedlen == 0) {
10892 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
10893 goto err;
10894 } else {
10895 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
10896 goto err;
10897 }
10898
10899 ret = 1;
10900 err:
10901 return ret;
10902 }
10903
10904 static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
10905 static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
10906
10907 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
npn_advert_cb(SSL * ssl,const unsigned char ** out,unsigned int * outlen,void * arg)10908 static int npn_advert_cb(SSL *ssl, const unsigned char **out,
10909 unsigned int *outlen, void *arg)
10910 {
10911 int *idx = (int *)arg;
10912
10913 switch (*idx) {
10914 default:
10915 case 0:
10916 *out = fooprot;
10917 *outlen = sizeof(fooprot);
10918 return SSL_TLSEXT_ERR_OK;
10919
10920 case 1:
10921 *outlen = 0;
10922 return SSL_TLSEXT_ERR_OK;
10923
10924 case 2:
10925 return SSL_TLSEXT_ERR_NOACK;
10926 }
10927 }
10928
npn_select_cb(SSL * s,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)10929 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
10930 const unsigned char *in, unsigned int inlen, void *arg)
10931 {
10932 int *idx = (int *)arg;
10933
10934 switch (*idx) {
10935 case 0:
10936 case 1:
10937 *out = (unsigned char *)(fooprot + 1);
10938 *outlen = *fooprot;
10939 return SSL_TLSEXT_ERR_OK;
10940
10941 case 3:
10942 *out = (unsigned char *)(barprot + 1);
10943 *outlen = *barprot;
10944 return SSL_TLSEXT_ERR_OK;
10945
10946 case 4:
10947 *outlen = 0;
10948 return SSL_TLSEXT_ERR_OK;
10949
10950 default:
10951 case 2:
10952 return SSL_TLSEXT_ERR_ALERT_FATAL;
10953 }
10954 }
10955
10956 /*
10957 * Test the NPN callbacks
10958 * Test 0: advert = foo, select = foo
10959 * Test 1: advert = <empty>, select = foo
10960 * Test 2: no advert
10961 * Test 3: advert = foo, select = bar
10962 * Test 4: advert = foo, select = <empty> (should fail)
10963 */
test_npn(int idx)10964 static int test_npn(int idx)
10965 {
10966 SSL_CTX *sctx = NULL, *cctx = NULL;
10967 SSL *serverssl = NULL, *clientssl = NULL;
10968 int testresult = 0;
10969
10970 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10971 TLS_client_method(), 0, TLS1_2_VERSION,
10972 &sctx, &cctx, cert, privkey)))
10973 goto end;
10974
10975 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
10976 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
10977
10978 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
10979 NULL)))
10980 goto end;
10981
10982 if (idx == 4) {
10983 /* We don't allow empty selection of NPN, so this should fail */
10984 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
10985 SSL_ERROR_NONE)))
10986 goto end;
10987 } else {
10988 const unsigned char *prot;
10989 unsigned int protlen;
10990
10991 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
10992 SSL_ERROR_NONE)))
10993 goto end;
10994
10995 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
10996 switch (idx) {
10997 case 0:
10998 case 1:
10999 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11000 goto end;
11001 break;
11002 case 2:
11003 if (!TEST_uint_eq(protlen, 0))
11004 goto end;
11005 break;
11006 case 3:
11007 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
11008 goto end;
11009 break;
11010 default:
11011 TEST_error("Should not get here");
11012 goto end;
11013 }
11014 }
11015
11016 testresult = 1;
11017 end:
11018 SSL_free(serverssl);
11019 SSL_free(clientssl);
11020 SSL_CTX_free(sctx);
11021 SSL_CTX_free(cctx);
11022
11023 return testresult;
11024 }
11025 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
11026
alpn_select_cb2(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)11027 static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
11028 unsigned char *outlen, const unsigned char *in,
11029 unsigned int inlen, void *arg)
11030 {
11031 int *idx = (int *)arg;
11032
11033 switch (*idx) {
11034 case 0:
11035 *out = (unsigned char *)(fooprot + 1);
11036 *outlen = *fooprot;
11037 return SSL_TLSEXT_ERR_OK;
11038
11039 case 2:
11040 *out = (unsigned char *)(barprot + 1);
11041 *outlen = *barprot;
11042 return SSL_TLSEXT_ERR_OK;
11043
11044 case 3:
11045 *outlen = 0;
11046 return SSL_TLSEXT_ERR_OK;
11047
11048 default:
11049 case 1:
11050 return SSL_TLSEXT_ERR_ALERT_FATAL;
11051 }
11052 return 0;
11053 }
11054
11055 /*
11056 * Test the ALPN callbacks
11057 * Test 0: client = foo, select = foo
11058 * Test 1: client = <empty>, select = none
11059 * Test 2: client = foo, select = bar (should fail)
11060 * Test 3: client = foo, select = <empty> (should fail)
11061 */
test_alpn(int idx)11062 static int test_alpn(int idx)
11063 {
11064 SSL_CTX *sctx = NULL, *cctx = NULL;
11065 SSL *serverssl = NULL, *clientssl = NULL;
11066 int testresult = 0;
11067 const unsigned char *prots = fooprot;
11068 unsigned int protslen = sizeof(fooprot);
11069
11070 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11071 TLS_client_method(), 0, 0,
11072 &sctx, &cctx, cert, privkey)))
11073 goto end;
11074
11075 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
11076
11077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11078 NULL)))
11079 goto end;
11080
11081 if (idx == 1) {
11082 prots = NULL;
11083 protslen = 0;
11084 }
11085
11086 /* SSL_set_alpn_protos returns 0 for success! */
11087 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
11088 goto end;
11089
11090 if (idx == 2 || idx == 3) {
11091 /* We don't allow empty selection of NPN, so this should fail */
11092 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
11093 SSL_ERROR_NONE)))
11094 goto end;
11095 } else {
11096 const unsigned char *prot;
11097 unsigned int protlen;
11098
11099 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
11100 SSL_ERROR_NONE)))
11101 goto end;
11102
11103 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
11104 switch (idx) {
11105 case 0:
11106 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11107 goto end;
11108 break;
11109 case 1:
11110 if (!TEST_uint_eq(protlen, 0))
11111 goto end;
11112 break;
11113 default:
11114 TEST_error("Should not get here");
11115 goto end;
11116 }
11117 }
11118
11119 testresult = 1;
11120 end:
11121 SSL_free(serverssl);
11122 SSL_free(clientssl);
11123 SSL_CTX_free(sctx);
11124 SSL_CTX_free(cctx);
11125
11126 return testresult;
11127 }
11128
11129 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11130
setup_tests(void)11131 int setup_tests(void)
11132 {
11133 char *modulename;
11134 char *configfile;
11135
11136 libctx = OSSL_LIB_CTX_new();
11137 if (!TEST_ptr(libctx))
11138 return 0;
11139
11140 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11141
11142 /*
11143 * Verify that the default and fips providers in the default libctx are not
11144 * available
11145 */
11146 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11147 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11148 return 0;
11149
11150 if (!test_skip_common_options()) {
11151 TEST_error("Error parsing test options\n");
11152 return 0;
11153 }
11154
11155 if (!TEST_ptr(certsdir = test_get_argument(0))
11156 || !TEST_ptr(srpvfile = test_get_argument(1))
11157 || !TEST_ptr(tmpfilename = test_get_argument(2))
11158 || !TEST_ptr(modulename = test_get_argument(3))
11159 || !TEST_ptr(configfile = test_get_argument(4))
11160 || !TEST_ptr(dhfile = test_get_argument(5)))
11161 return 0;
11162
11163 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11164 return 0;
11165
11166 /* Check we have the expected provider available */
11167 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11168 return 0;
11169
11170 /* Check the default provider is not available */
11171 if (strcmp(modulename, "default") != 0
11172 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11173 return 0;
11174
11175 if (strcmp(modulename, "fips") == 0)
11176 is_fips = 1;
11177
11178 /*
11179 * We add, but don't load the test "tls-provider". We'll load it when we
11180 * need it.
11181 */
11182 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11183 tls_provider_init)))
11184 return 0;
11185
11186
11187 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11188 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11189 TEST_error("not supported in this build");
11190 return 0;
11191 #else
11192 int i, mcount, rcount, fcount;
11193
11194 for (i = 0; i < 4; i++)
11195 test_export_key_mat(i);
11196 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11197 test_printf_stdout("malloc %d realloc %d free %d\n",
11198 mcount, rcount, fcount);
11199 return 1;
11200 #endif
11201 }
11202
11203 cert = test_mk_file_path(certsdir, "servercert.pem");
11204 if (cert == NULL)
11205 goto err;
11206
11207 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11208 if (privkey == NULL)
11209 goto err;
11210
11211 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11212 if (cert2 == NULL)
11213 goto err;
11214
11215 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11216 if (privkey2 == NULL)
11217 goto err;
11218
11219 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11220 if (cert1024 == NULL)
11221 goto err;
11222
11223 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11224 if (privkey1024 == NULL)
11225 goto err;
11226
11227 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11228 if (cert3072 == NULL)
11229 goto err;
11230
11231 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11232 if (privkey3072 == NULL)
11233 goto err;
11234
11235 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11236 if (cert4096 == NULL)
11237 goto err;
11238
11239 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11240 if (privkey4096 == NULL)
11241 goto err;
11242
11243 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11244 if (cert8192 == NULL)
11245 goto err;
11246
11247 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11248 if (privkey8192 == NULL)
11249 goto err;
11250
11251 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11252 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11253 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11254 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
11255 # endif
11256 #endif
11257 ADD_TEST(test_large_message_tls);
11258 ADD_TEST(test_large_message_tls_read_ahead);
11259 #ifndef OPENSSL_NO_DTLS
11260 ADD_TEST(test_large_message_dtls);
11261 #endif
11262 ADD_ALL_TESTS(test_large_app_data, 28);
11263 ADD_TEST(test_cleanse_plaintext);
11264 #ifndef OPENSSL_NO_OCSP
11265 ADD_TEST(test_tlsext_status_type);
11266 #endif
11267 ADD_TEST(test_session_with_only_int_cache);
11268 ADD_TEST(test_session_with_only_ext_cache);
11269 ADD_TEST(test_session_with_both_cache);
11270 ADD_TEST(test_session_wo_ca_names);
11271 #ifndef OSSL_NO_USABLE_TLS1_3
11272 ADD_ALL_TESTS(test_stateful_tickets, 3);
11273 ADD_ALL_TESTS(test_stateless_tickets, 3);
11274 ADD_TEST(test_psk_tickets);
11275 ADD_ALL_TESTS(test_extra_tickets, 6);
11276 #endif
11277 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11278 ADD_TEST(test_ssl_bio_pop_next_bio);
11279 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11280 ADD_TEST(test_ssl_bio_change_rbio);
11281 ADD_TEST(test_ssl_bio_change_wbio);
11282 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11283 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11284 ADD_TEST(test_keylog);
11285 #endif
11286 #ifndef OSSL_NO_USABLE_TLS1_3
11287 ADD_TEST(test_keylog_no_master_key);
11288 #endif
11289 ADD_TEST(test_client_cert_verify_cb);
11290 ADD_TEST(test_ssl_build_cert_chain);
11291 ADD_TEST(test_ssl_ctx_build_cert_chain);
11292 #ifndef OPENSSL_NO_TLS1_2
11293 ADD_TEST(test_client_hello_cb);
11294 ADD_TEST(test_no_ems);
11295 ADD_TEST(test_ccs_change_cipher);
11296 #endif
11297 #ifndef OSSL_NO_USABLE_TLS1_3
11298 ADD_ALL_TESTS(test_early_data_read_write, 6);
11299 /*
11300 * We don't do replay tests for external PSK. Replay protection isn't used
11301 * in that scenario.
11302 */
11303 ADD_ALL_TESTS(test_early_data_replay, 2);
11304 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11305 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11306 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11307 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11308 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11309 ADD_ALL_TESTS(test_early_data_psk, 8);
11310 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11311 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11312 # ifndef OPENSSL_NO_TLS1_2
11313 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11314 # endif
11315 #endif
11316 #ifndef OSSL_NO_USABLE_TLS1_3
11317 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11318 ADD_TEST(test_ciphersuite_change);
11319 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11320 # ifdef OPENSSL_NO_PSK
11321 ADD_ALL_TESTS(test_tls13_psk, 1);
11322 # else
11323 ADD_ALL_TESTS(test_tls13_psk, 4);
11324 # endif /* OPENSSL_NO_PSK */
11325 # ifndef OPENSSL_NO_TLS1_2
11326 /* Test with both TLSv1.3 and 1.2 versions */
11327 ADD_ALL_TESTS(test_key_exchange, 14);
11328 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11329 ADD_ALL_TESTS(test_negotiated_group,
11330 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11331 + OSSL_NELEM(ffdhe_kexch_groups)));
11332 # endif
11333 # else
11334 /* Test with only TLSv1.3 versions */
11335 ADD_ALL_TESTS(test_key_exchange, 12);
11336 # endif
11337 ADD_ALL_TESTS(test_custom_exts, 6);
11338 ADD_TEST(test_stateless);
11339 ADD_TEST(test_pha_key_update);
11340 #else
11341 ADD_ALL_TESTS(test_custom_exts, 3);
11342 #endif
11343 ADD_ALL_TESTS(test_export_key_mat, 6);
11344 #ifndef OSSL_NO_USABLE_TLS1_3
11345 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11346 ADD_TEST(test_key_update);
11347 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11348 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11349 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11350 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11351 #endif
11352 ADD_ALL_TESTS(test_ssl_clear, 2);
11353 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11354 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11355 ADD_ALL_TESTS(test_srp, 6);
11356 #endif
11357 ADD_ALL_TESTS(test_info_callback, 6);
11358 ADD_ALL_TESTS(test_ssl_pending, 2);
11359 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11360 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11361 ADD_ALL_TESTS(test_shutdown, 7);
11362 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11363 ADD_ALL_TESTS(test_cert_cb, 6);
11364 ADD_ALL_TESTS(test_client_cert_cb, 2);
11365 ADD_ALL_TESTS(test_ca_names, 3);
11366 #ifndef OPENSSL_NO_TLS1_2
11367 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11368 #endif
11369 ADD_ALL_TESTS(test_servername, 10);
11370 #if !defined(OPENSSL_NO_EC) \
11371 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11372 ADD_ALL_TESTS(test_sigalgs_available, 6);
11373 #endif
11374 #ifndef OPENSSL_NO_TLS1_3
11375 ADD_ALL_TESTS(test_pluggable_group, 2);
11376 #endif
11377 #ifndef OPENSSL_NO_TLS1_2
11378 ADD_TEST(test_ssl_dup);
11379 # ifndef OPENSSL_NO_DH
11380 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11381 ADD_ALL_TESTS(test_dh_auto, 7);
11382 # endif
11383 #endif
11384 #ifndef OSSL_NO_USABLE_TLS1_3
11385 ADD_TEST(test_sni_tls13);
11386 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11387 #endif
11388 ADD_TEST(test_inherit_verify_param);
11389 ADD_TEST(test_set_alpn);
11390 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11391 ADD_TEST(test_set_verify_cert_store_ssl);
11392 ADD_ALL_TESTS(test_session_timeout, 1);
11393 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
11394 ADD_ALL_TESTS(test_session_cache_overflow, 4);
11395 #endif
11396 ADD_TEST(test_load_dhfile);
11397 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11398 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11399 #endif
11400 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11401 ADD_ALL_TESTS(test_pipelining, 7);
11402 #endif
11403 ADD_ALL_TESTS(test_handshake_retry, 16);
11404 ADD_ALL_TESTS(test_multi_resume, 5);
11405 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
11406 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
11407 ADD_ALL_TESTS(test_npn, 5);
11408 #endif
11409 ADD_ALL_TESTS(test_alpn, 4);
11410 return 1;
11411
11412 err:
11413 OPENSSL_free(cert);
11414 OPENSSL_free(privkey);
11415 OPENSSL_free(cert2);
11416 OPENSSL_free(privkey2);
11417 return 0;
11418 }
11419
cleanup_tests(void)11420 void cleanup_tests(void)
11421 {
11422 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11423 EVP_PKEY_free(tmp_dh_params);
11424 #endif
11425 OPENSSL_free(cert);
11426 OPENSSL_free(privkey);
11427 OPENSSL_free(cert2);
11428 OPENSSL_free(privkey2);
11429 OPENSSL_free(cert1024);
11430 OPENSSL_free(privkey1024);
11431 OPENSSL_free(cert3072);
11432 OPENSSL_free(privkey3072);
11433 OPENSSL_free(cert4096);
11434 OPENSSL_free(privkey4096);
11435 OPENSSL_free(cert8192);
11436 OPENSSL_free(privkey8192);
11437 bio_s_mempacket_test_free();
11438 bio_s_always_retry_free();
11439 OSSL_PROVIDER_unload(defctxnull);
11440 OSSL_LIB_CTX_free(libctx);
11441 }
11442