1 /*
2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "internal/ssl_unwrap.h"
45 #include "../ssl/ssl_local.h"
46 #include "../ssl/record/methods/recmethod_local.h"
47 #include "filterprov.h"
48
49 #undef OSSL_NO_USABLE_TLS1_3
50 #if defined(OPENSSL_NO_TLS1_3) \
51 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 /*
53 * If we don't have ec or dh then there are no built-in groups that are usable
54 * with TLSv1.3
55 */
56 # define OSSL_NO_USABLE_TLS1_3
57 #endif
58
59 /* Defined in tls-provider.c */
60 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
61 const OSSL_DISPATCH *in,
62 const OSSL_DISPATCH **out,
63 void **provctx);
64
65 static OSSL_LIB_CTX *libctx = NULL;
66 static OSSL_PROVIDER *defctxnull = NULL;
67
68 #ifndef OSSL_NO_USABLE_TLS1_3
69
70 static SSL_SESSION *clientpsk = NULL;
71 static SSL_SESSION *serverpsk = NULL;
72 static const char *pskid = "Identity";
73 static const char *srvid;
74
75 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
76 size_t *idlen, SSL_SESSION **sess);
77 static int find_session_cb(SSL *ssl, const unsigned char *identity,
78 size_t identity_len, SSL_SESSION **sess);
79
80 static int use_session_cb_cnt = 0;
81 static int find_session_cb_cnt = 0;
82 static int end_of_early_data = 0;
83 #endif
84
85 static char *certsdir = NULL;
86 static char *cert = NULL;
87 static char *privkey = NULL;
88 static char *cert2 = NULL;
89 static char *privkey2 = NULL;
90 static char *cert1024 = NULL;
91 static char *privkey1024 = NULL;
92 static char *cert3072 = NULL;
93 static char *privkey3072 = NULL;
94 static char *cert4096 = NULL;
95 static char *privkey4096 = NULL;
96 static char *cert8192 = NULL;
97 static char *privkey8192 = NULL;
98 static char *srpvfile = NULL;
99 static char *tmpfilename = NULL;
100 static char *dhfile = NULL;
101
102 static int is_fips = 0;
103 static int fips_ems_check = 0;
104
105 #define LOG_BUFFER_SIZE 2048
106 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t server_log_buffer_index = 0;
108 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
109 static size_t client_log_buffer_index = 0;
110 static int error_writing_log = 0;
111
112 #ifndef OPENSSL_NO_OCSP
113 static const unsigned char orespder[] = "Dummy OCSP Response";
114 static int ocsp_server_called = 0;
115 static int ocsp_client_called = 0;
116
117 static int cdummyarg = 1;
118 static X509 *ocspcert = NULL;
119 #endif
120
121 #define CLIENT_VERSION_LEN 2
122
123 /*
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
126 */
127 struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
130 unsigned int client_early_secret_count;
131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
135 unsigned int early_exporter_secret_count;
136 unsigned int exporter_secret_count;
137 };
138
139
hostname_cb(SSL * s,int * al,void * arg)140 static int hostname_cb(SSL *s, int *al, void *arg)
141 {
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
143
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
147
148 return SSL_TLSEXT_ERR_NOACK;
149 }
150
client_keylog_callback(const SSL * ssl,const char * line)151 static void client_keylog_callback(const SSL *ssl, const char *line)
152 {
153 int line_length = strlen(line);
154
155 /* If the log doesn't fit, error out. */
156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
158 error_writing_log = 1;
159 return;
160 }
161
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
164 client_log_buffer[client_log_buffer_index++] = '\n';
165 }
166
server_keylog_callback(const SSL * ssl,const char * line)167 static void server_keylog_callback(const SSL *ssl, const char *line)
168 {
169 int line_length = strlen(line);
170
171 /* If the log doesn't fit, error out. */
172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173 TEST_info("Server log too full");
174 error_writing_log = 1;
175 return;
176 }
177
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
180 server_log_buffer[server_log_buffer_index++] = '\n';
181 }
182
compare_hex_encoded_buffer(const char * hex_encoded,size_t hex_length,const uint8_t * raw,size_t raw_length)183 static int compare_hex_encoded_buffer(const char *hex_encoded,
184 size_t hex_length,
185 const uint8_t *raw,
186 size_t raw_length)
187 {
188 size_t i, j;
189 char hexed[3];
190
191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
192 return 1;
193
194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195 BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]);
196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
198 return 1;
199 }
200
201 return 0;
202 }
203
test_keylog_output(char * buffer,const SSL * ssl,const SSL_SESSION * session,struct sslapitest_log_counts * expected)204 static int test_keylog_output(char *buffer, const SSL *ssl,
205 const SSL_SESSION *session,
206 struct sslapitest_log_counts *expected)
207 {
208 char *token = NULL;
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
215 unsigned int client_early_secret_count = 0;
216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
220 unsigned int early_exporter_secret_count = 0;
221 unsigned int exporter_secret_count = 0;
222
223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
225 if (strcmp(token, "RSA") == 0) {
226 /*
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
228 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 * secret.
230 */
231 if (!TEST_ptr(token = strtok(NULL, " \n")))
232 return 0;
233 if (!TEST_size_t_eq(strlen(token), 16))
234 return 0;
235 if (!TEST_ptr(token = strtok(NULL, " \n")))
236 return 0;
237 /*
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
241 */
242 rsa_key_exchange_count++;
243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
244 /*
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246 * client random, then the hex-encoded master secret.
247 */
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
250 SSL3_RANDOM_SIZE);
251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
252 return 0;
253
254 if (!TEST_ptr(token = strtok(NULL, " \n")))
255 return 0;
256 if (!TEST_size_t_eq(strlen(token), 64))
257 return 0;
258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
261 return 0;
262
263 if (!TEST_ptr(token = strtok(NULL, " \n")))
264 return 0;
265 master_key_size = SSL_SESSION_get_master_key(session,
266 actual_master_key,
267 master_key_size);
268 if (!TEST_size_t_ne(master_key_size, 0))
269 return 0;
270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
271 actual_master_key,
272 master_key_size)))
273 return 0;
274 master_secret_count++;
275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281 || strcmp(token, "EXPORTER_SECRET") == 0) {
282 /*
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
287 */
288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
302
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
305 SSL3_RANDOM_SIZE);
306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
307 return 0;
308
309 if (!TEST_ptr(token = strtok(NULL, " \n")))
310 return 0;
311 if (!TEST_size_t_eq(strlen(token), 64))
312 return 0;
313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
316 return 0;
317
318 if (!TEST_ptr(token = strtok(NULL, " \n")))
319 return 0;
320 } else {
321 TEST_info("Unexpected token %s\n", token);
322 return 0;
323 }
324 }
325
326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
340 expected->server_application_secret_count)
341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
345 return 0;
346 return 1;
347 }
348
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
test_keylog(void)350 static int test_keylog(void)
351 {
352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
354 int testresult = 0;
355 struct sslapitest_log_counts expected;
356
357 /* Clean up logging space */
358 memset(&expected, 0, sizeof(expected));
359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
364
365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
366 TLS_client_method(),
367 TLS1_VERSION, 0,
368 &sctx, &cctx, cert, privkey)))
369 return 0;
370
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374
375 /* We also want to ensure that we use RSA-based key exchange. */
376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
377 goto end;
378
379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381 goto end;
382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
385 goto end;
386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
389 goto end;
390
391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 SSL_ERROR_NONE))
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
399 goto end;
400
401 /*
402 * Now we want to test that our output data was vaguely sensible. We
403 * do that by using strtok and confirming that we have more or less the
404 * data we expect. For both client and server, we expect to see one master
405 * secret. The client should also see an RSA key exchange.
406 */
407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
411 goto end;
412
413 expected.rsa_key_exchange_count = 0;
414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
416 goto end;
417
418 testresult = 1;
419
420 end:
421 SSL_free(serverssl);
422 SSL_free(clientssl);
423 SSL_CTX_free(sctx);
424 SSL_CTX_free(cctx);
425
426 return testresult;
427 }
428 #endif
429
430 #ifndef OSSL_NO_USABLE_TLS1_3
test_keylog_no_master_key(void)431 static int test_keylog_no_master_key(void)
432 {
433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
435 SSL_SESSION *sess = NULL;
436 int testresult = 0;
437 struct sslapitest_log_counts expected;
438 unsigned char buf[1];
439 size_t readbytes, written;
440
441 /* Clean up logging space */
442 memset(&expected, 0, sizeof(expected));
443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
448
449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453 SSL3_RT_MAX_PLAIN_LENGTH)))
454 return 0;
455
456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
458 goto end;
459
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
463 goto end;
464
465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
468 goto end;
469
470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 SSL_ERROR_NONE))
475 || !TEST_false(error_writing_log))
476 goto end;
477
478 /*
479 * Now we want to test that our output data was vaguely sensible. For this
480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481 * TLSv1.3, but we do expect both client and server to emit keys.
482 */
483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
487 expected.exporter_secret_count = 1;
488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
492 &expected)))
493 goto end;
494
495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
499 SSL_free(serverssl);
500 SSL_free(clientssl);
501 serverssl = clientssl = NULL;
502
503 /* Reset key log */
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
508
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 &readbytes),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 SSL_ERROR_NONE))
521 || !TEST_true(SSL_session_reused(clientssl)))
522 goto end;
523
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
526 expected.early_exporter_secret_count = 1;
527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
531 &expected)))
532 goto end;
533
534 testresult = 1;
535
536 end:
537 SSL_SESSION_free(sess);
538 SSL_free(serverssl);
539 SSL_free(clientssl);
540 SSL_CTX_free(sctx);
541 SSL_CTX_free(cctx);
542
543 return testresult;
544 }
545 #endif
546
verify_retry_cb(X509_STORE_CTX * ctx,void * arg)547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
548 {
549 int res = X509_verify_cert(ctx);
550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551 SSL *ssl;
552
553 /* this should not happen but check anyway */
554 if (idx < 0
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556 return 0;
557
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
562
563 return res;
564 }
565
test_client_cert_verify_cb(void)566 static int test_client_cert_verify_cb(void)
567 {
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
578 int testresult = 0;
579
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
583 goto end;
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 goto end;
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 goto end;
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
595 goto end;
596
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
600 goto end;
601
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 goto end;
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 goto end;
610 crt1 = NULL;
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
612 goto end;
613 crt2 = NULL;
614
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
617 SSL_ERROR_NONE)))
618 goto end;
619
620 testresult = 1;
621
622 end:
623 X509_free(crt1);
624 X509_free(crt2);
625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
627 SSL_free(clientssl);
628 }
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
631 SSL_free(serverssl);
632 }
633 SSL_CTX_free(sctx);
634 SSL_CTX_free(cctx);
635
636 OPENSSL_free(skey);
637 OPENSSL_free(leaf);
638 OPENSSL_free(int2);
639 OPENSSL_free(int1);
640 OPENSSL_free(root);
641
642 return testresult;
643 }
644
test_ssl_build_cert_chain(void)645 static int test_ssl_build_cert_chain(void)
646 {
647 int ret = 0;
648 SSL_CTX *ssl_ctx = NULL;
649 SSL *ssl = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 goto end;
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 goto end;
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 goto end;
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
664 goto end;
665 ret = 1;
666 end:
667 SSL_free(ssl);
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
670 OPENSSL_free(skey);
671 return ret;
672 }
673
get_password_cb(char * buf,int size,int rw_flag,void * userdata)674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
675 {
676 static const char pass[] = "testpass";
677
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
679 return -1;
680
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
683 }
684
test_ssl_ctx_build_cert_chain(void)685 static int test_ssl_ctx_build_cert_chain(void)
686 {
687 int ret = 0;
688 SSL_CTX *ctx = NULL;
689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
691
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
693 goto end;
694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
700 goto end;
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
703 goto end;
704 ret = 1;
705 end:
706 SSL_CTX_free(ctx);
707 OPENSSL_free(leaf_chain);
708 OPENSSL_free(skey);
709 return ret;
710 }
711
712 #ifndef OPENSSL_NO_TLS1_2
full_client_hello_callback(SSL * s,int * al,void * arg)713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
714 {
715 int *ctr = arg;
716 const unsigned char *p;
717 int *exts;
718 #ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d};
720 #else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c};
723 #endif
724 const int expected_extensions[] = {
725 65281,
726 #ifndef OPENSSL_NO_EC
727 11, 10,
728 #endif
729 35, 22, 23, 13};
730 size_t len;
731
732 /* Make sure we can defer processing and get called back. */
733 if ((*ctr)++ == 0)
734 return SSL_CLIENT_HELLO_RETRY;
735
736 len = SSL_client_hello_get0_ciphers(s, &p);
737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
738 || !TEST_size_t_eq(
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
740 || !TEST_int_eq(*p, 0))
741 return SSL_CLIENT_HELLO_ERROR;
742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743 return SSL_CLIENT_HELLO_ERROR;
744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746 printf("ClientHello callback expected extensions mismatch\n");
747 OPENSSL_free(exts);
748 return SSL_CLIENT_HELLO_ERROR;
749 }
750 OPENSSL_free(exts);
751 return SSL_CLIENT_HELLO_SUCCESS;
752 }
753
test_client_hello_cb(void)754 static int test_client_hello_cb(void)
755 {
756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
759
760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
762 &sctx, &cctx, cert, privkey)))
763 goto end;
764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
765
766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
768 /* Avoid problems where the default seclevel has been changed */
769 SSL_CTX_set_security_level(cctx, 2);
770 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
771 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
772 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
773 &clientssl, NULL, NULL))
774 || !TEST_false(create_ssl_connection(serverssl, clientssl,
775 SSL_ERROR_WANT_CLIENT_HELLO_CB))
776 /*
777 * Passing a -1 literal is a hack since
778 * the real value was lost.
779 * */
780 || !TEST_int_eq(SSL_get_error(serverssl, -1),
781 SSL_ERROR_WANT_CLIENT_HELLO_CB)
782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE)))
784 goto end;
785
786 testresult = 1;
787
788 end:
789 SSL_free(serverssl);
790 SSL_free(clientssl);
791 SSL_CTX_free(sctx);
792 SSL_CTX_free(cctx);
793
794 return testresult;
795 }
796
test_no_ems(void)797 static int test_no_ems(void)
798 {
799 SSL_CTX *cctx = NULL, *sctx = NULL;
800 SSL *clientssl = NULL, *serverssl = NULL;
801 int testresult = 0, status;
802
803 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
804 TLS1_VERSION, TLS1_2_VERSION,
805 &sctx, &cctx, cert, privkey)) {
806 printf("Unable to create SSL_CTX pair\n");
807 goto end;
808 }
809
810 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811
812 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
813 printf("Unable to create SSL objects\n");
814 goto end;
815 }
816
817 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
818 if (fips_ems_check) {
819 if (status == 1) {
820 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
821 goto end;
822 }
823 } else {
824 if (!status) {
825 printf("Creating SSL connection failed\n");
826 goto end;
827 }
828 if (SSL_get_extms_support(serverssl)) {
829 printf("Server reports Extended Master Secret support\n");
830 goto end;
831 }
832 if (SSL_get_extms_support(clientssl)) {
833 printf("Client reports Extended Master Secret support\n");
834 goto end;
835 }
836 }
837 testresult = 1;
838
839 end:
840 SSL_free(serverssl);
841 SSL_free(clientssl);
842 SSL_CTX_free(sctx);
843 SSL_CTX_free(cctx);
844
845 return testresult;
846 }
847
848 /*
849 * Very focused test to exercise a single case in the server-side state
850 * machine, when the ChangeCipherState message needs to actually change
851 * from one cipher to a different cipher (i.e., not changing from null
852 * encryption to real encryption).
853 */
test_ccs_change_cipher(void)854 static int test_ccs_change_cipher(void)
855 {
856 SSL_CTX *cctx = NULL, *sctx = NULL;
857 SSL *clientssl = NULL, *serverssl = NULL;
858 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
859 int testresult = 0;
860 int i;
861 unsigned char buf;
862 size_t readbytes;
863
864 /*
865 * Create a connection so we can resume and potentially (but not) use
866 * a different cipher in the second connection.
867 */
868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869 TLS_client_method(),
870 TLS1_VERSION, TLS1_2_VERSION,
871 &sctx, &cctx, cert, privkey))
872 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
873 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874 NULL, NULL))
875 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
876 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 SSL_ERROR_NONE))
878 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
879 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
880 goto end;
881
882 shutdown_ssl_connection(serverssl, clientssl);
883 serverssl = clientssl = NULL;
884
885 /* Resume, preferring a different cipher. Our server will force the
886 * same cipher to be used as the initial handshake. */
887 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888 NULL, NULL))
889 || !TEST_true(SSL_set_session(clientssl, sess))
890 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 SSL_ERROR_NONE))
893 || !TEST_true(SSL_session_reused(clientssl))
894 || !TEST_true(SSL_session_reused(serverssl))
895 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
896 || !TEST_ptr_eq(sesspre, sesspost)
897 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
898 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899 goto end;
900 shutdown_ssl_connection(serverssl, clientssl);
901 serverssl = clientssl = NULL;
902
903 /*
904 * Now create a fresh connection and try to renegotiate a different
905 * cipher on it.
906 */
907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908 NULL, NULL))
909 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
911 SSL_ERROR_NONE))
912 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
914 || !TEST_true(SSL_renegotiate(clientssl))
915 || !TEST_true(SSL_renegotiate_pending(clientssl)))
916 goto end;
917 /* Actually drive the renegotiation. */
918 for (i = 0; i < 3; i++) {
919 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
920 if (!TEST_ulong_eq(readbytes, 0))
921 goto end;
922 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
923 SSL_ERROR_WANT_READ)) {
924 goto end;
925 }
926 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
927 if (!TEST_ulong_eq(readbytes, 0))
928 goto end;
929 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
930 SSL_ERROR_WANT_READ)) {
931 goto end;
932 }
933 }
934 /* sesspre and sesspost should be different since the cipher changed. */
935 if (!TEST_false(SSL_renegotiate_pending(clientssl))
936 || !TEST_false(SSL_session_reused(clientssl))
937 || !TEST_false(SSL_session_reused(serverssl))
938 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
939 || !TEST_ptr_ne(sesspre, sesspost)
940 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
941 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
942 goto end;
943
944 shutdown_ssl_connection(serverssl, clientssl);
945 serverssl = clientssl = NULL;
946
947 testresult = 1;
948
949 end:
950 SSL_free(serverssl);
951 SSL_free(clientssl);
952 SSL_CTX_free(sctx);
953 SSL_CTX_free(cctx);
954 SSL_SESSION_free(sess);
955
956 return testresult;
957 }
958 #endif
959
execute_test_large_message(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version,int read_ahead)960 static int execute_test_large_message(const SSL_METHOD *smeth,
961 const SSL_METHOD *cmeth,
962 int min_version, int max_version,
963 int read_ahead)
964 {
965 SSL_CTX *cctx = NULL, *sctx = NULL;
966 SSL *clientssl = NULL, *serverssl = NULL;
967 int testresult = 0;
968
969 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
970 max_version, &sctx, &cctx, cert,
971 privkey)))
972 goto end;
973
974 #ifdef OPENSSL_NO_DTLS1_2
975 if (smeth == DTLS_server_method()) {
976 /*
977 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
978 * level 0
979 */
980 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
981 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
982 "DEFAULT:@SECLEVEL=0")))
983 goto end;
984 }
985 #endif
986
987 if (read_ahead) {
988 /*
989 * Test that read_ahead works correctly when dealing with large
990 * records
991 */
992 SSL_CTX_set_read_ahead(cctx, 1);
993 }
994
995 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
996 goto end;
997
998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
999 NULL, NULL))
1000 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1001 SSL_ERROR_NONE)))
1002 goto end;
1003
1004 /*
1005 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1006 * doesn't leak.
1007 */
1008 if (!TEST_true(SSL_clear(serverssl)))
1009 goto end;
1010
1011 testresult = 1;
1012 end:
1013 SSL_free(serverssl);
1014 SSL_free(clientssl);
1015 SSL_CTX_free(sctx);
1016 SSL_CTX_free(cctx);
1017
1018 return testresult;
1019 }
1020
1021 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1022 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1023 /* sock must be connected */
ktls_chk_platform(int sock)1024 static int ktls_chk_platform(int sock)
1025 {
1026 if (!ktls_enable(sock))
1027 return 0;
1028 return 1;
1029 }
1030
ping_pong_query(SSL * clientssl,SSL * serverssl)1031 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1032 {
1033 static char count = 1;
1034 unsigned char cbuf[16000] = {0};
1035 unsigned char sbuf[16000];
1036 size_t err = 0;
1037 char crec_wseq_before[SEQ_NUM_SIZE];
1038 char crec_wseq_after[SEQ_NUM_SIZE];
1039 char crec_rseq_before[SEQ_NUM_SIZE];
1040 char crec_rseq_after[SEQ_NUM_SIZE];
1041 char srec_wseq_before[SEQ_NUM_SIZE];
1042 char srec_wseq_after[SEQ_NUM_SIZE];
1043 char srec_rseq_before[SEQ_NUM_SIZE];
1044 char srec_rseq_after[SEQ_NUM_SIZE];
1045 SSL_CONNECTION *clientsc, *serversc;
1046
1047 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1048 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1049 goto end;
1050
1051 cbuf[0] = count++;
1052 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1053 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1054 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1055 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1056
1057 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1058 goto end;
1059
1060 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1061 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1062 goto end;
1063 }
1064 }
1065
1066 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1067 goto end;
1068
1069 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1070 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1071 goto end;
1072 }
1073 }
1074
1075 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1076 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1077 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1079
1080 /* verify the payload */
1081 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1082 goto end;
1083
1084 /*
1085 * If ktls is used then kernel sequences are used instead of
1086 * OpenSSL sequences
1087 */
1088 if (!BIO_get_ktls_send(clientsc->wbio)) {
1089 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1090 crec_wseq_after, SEQ_NUM_SIZE))
1091 goto end;
1092 } else {
1093 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1094 crec_wseq_after, SEQ_NUM_SIZE))
1095 goto end;
1096 }
1097
1098 if (!BIO_get_ktls_send(serversc->wbio)) {
1099 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1100 srec_wseq_after, SEQ_NUM_SIZE))
1101 goto end;
1102 } else {
1103 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1104 srec_wseq_after, SEQ_NUM_SIZE))
1105 goto end;
1106 }
1107
1108 if (!BIO_get_ktls_recv(clientsc->wbio)) {
1109 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1110 crec_rseq_after, SEQ_NUM_SIZE))
1111 goto end;
1112 } else {
1113 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1114 crec_rseq_after, SEQ_NUM_SIZE))
1115 goto end;
1116 }
1117
1118 if (!BIO_get_ktls_recv(serversc->wbio)) {
1119 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1120 srec_rseq_after, SEQ_NUM_SIZE))
1121 goto end;
1122 } else {
1123 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1124 srec_rseq_after, SEQ_NUM_SIZE))
1125 goto end;
1126 }
1127
1128 return 1;
1129 end:
1130 return 0;
1131 }
1132
execute_test_ktls(int cis_ktls,int sis_ktls,int tls_version,const char * cipher)1133 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1134 int tls_version, const char *cipher)
1135 {
1136 SSL_CTX *cctx = NULL, *sctx = NULL;
1137 SSL *clientssl = NULL, *serverssl = NULL;
1138 int ktls_used = 0, testresult = 0;
1139 int cfd = -1, sfd = -1;
1140 int rx_supported;
1141 SSL_CONNECTION *clientsc, *serversc;
1142 unsigned char *buf = NULL;
1143 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1144 int ret;
1145 size_t offset = 0, i;
1146
1147 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1148 goto end;
1149
1150 /* Skip this test if the platform does not support ktls */
1151 if (!ktls_chk_platform(cfd)) {
1152 testresult = TEST_skip("Kernel does not support KTLS");
1153 goto end;
1154 }
1155
1156 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1157 testresult = TEST_skip("CHACHA is not supported in FIPS");
1158 goto end;
1159 }
1160
1161 /* Create a session based on SHA-256 */
1162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1163 TLS_client_method(),
1164 tls_version, tls_version,
1165 &sctx, &cctx, cert, privkey)))
1166 goto end;
1167
1168 if (tls_version == TLS1_3_VERSION) {
1169 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1170 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1171 goto end;
1172 } else {
1173 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1174 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1175 goto end;
1176 }
1177
1178 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1179 &clientssl, sfd, cfd)))
1180 goto end;
1181
1182 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1183 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1184 goto end;
1185
1186 if (cis_ktls) {
1187 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1188 goto end;
1189 }
1190
1191 if (sis_ktls) {
1192 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1193 goto end;
1194 }
1195
1196 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1197 goto end;
1198
1199 /*
1200 * The running kernel may not support a given cipher suite
1201 * or direction, so just check that KTLS isn't used when it
1202 * isn't enabled.
1203 */
1204 if (!cis_ktls) {
1205 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1206 goto end;
1207 } else {
1208 if (BIO_get_ktls_send(clientsc->wbio))
1209 ktls_used = 1;
1210 }
1211
1212 if (!sis_ktls) {
1213 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1214 goto end;
1215 } else {
1216 if (BIO_get_ktls_send(serversc->wbio))
1217 ktls_used = 1;
1218 }
1219
1220 #if defined(OPENSSL_NO_KTLS_RX)
1221 rx_supported = 0;
1222 #else
1223 rx_supported = 1;
1224 #endif
1225 if (!cis_ktls || !rx_supported) {
1226 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1227 goto end;
1228 } else {
1229 if (BIO_get_ktls_send(clientsc->rbio))
1230 ktls_used = 1;
1231 }
1232
1233 if (!sis_ktls || !rx_supported) {
1234 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1235 goto end;
1236 } else {
1237 if (BIO_get_ktls_send(serversc->rbio))
1238 ktls_used = 1;
1239 }
1240
1241 if ((cis_ktls || sis_ktls) && !ktls_used) {
1242 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1243 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1244 "TLS 1.2", cipher);
1245 goto end;
1246 }
1247
1248 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1249 goto end;
1250
1251 buf = OPENSSL_zalloc(bufsz);
1252 if (!TEST_ptr(buf))
1253 goto end;
1254
1255 /*
1256 * Write some data that exceeds the maximum record length. KTLS may choose
1257 * to coalesce this data into a single buffer when we read it again.
1258 */
1259 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1260 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1261 goto end;
1262 }
1263
1264 /* Now check that we can read all the data we wrote */
1265 do {
1266 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1267 if (ret <= 0) {
1268 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1269 goto end;
1270 } else {
1271 offset += ret;
1272 }
1273 } while (offset < bufsz);
1274
1275 if (!TEST_true(offset == bufsz))
1276 goto end;
1277 for (i = 0; i < bufsz; i++)
1278 if (!TEST_true(buf[i] == 0))
1279 goto end;
1280
1281 testresult = 1;
1282 end:
1283 OPENSSL_free(buf);
1284 if (clientssl) {
1285 SSL_shutdown(clientssl);
1286 SSL_free(clientssl);
1287 }
1288 if (serverssl) {
1289 SSL_shutdown(serverssl);
1290 SSL_free(serverssl);
1291 }
1292 SSL_CTX_free(sctx);
1293 SSL_CTX_free(cctx);
1294 serverssl = clientssl = NULL;
1295 if (cfd != -1)
1296 close(cfd);
1297 if (sfd != -1)
1298 close(sfd);
1299 return testresult;
1300 }
1301
1302 #define SENDFILE_SZ (16 * 4096)
1303 #define SENDFILE_CHUNK (4 * 4096)
1304 #define min(a,b) ((a) > (b) ? (b) : (a))
1305
execute_test_ktls_sendfile(int tls_version,const char * cipher,int zerocopy)1306 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1307 int zerocopy)
1308 {
1309 SSL_CTX *cctx = NULL, *sctx = NULL;
1310 SSL *clientssl = NULL, *serverssl = NULL;
1311 unsigned char *buf, *buf_dst;
1312 BIO *out = NULL, *in = NULL;
1313 int cfd = -1, sfd = -1, ffd, err;
1314 ssize_t chunk_size = 0;
1315 off_t chunk_off = 0;
1316 int testresult = 0;
1317 FILE *ffdp;
1318 SSL_CONNECTION *serversc;
1319
1320 buf = OPENSSL_zalloc(SENDFILE_SZ);
1321 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1322 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1323 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1324 goto end;
1325
1326 /* Skip this test if the platform does not support ktls */
1327 if (!ktls_chk_platform(sfd)) {
1328 testresult = TEST_skip("Kernel does not support KTLS");
1329 goto end;
1330 }
1331
1332 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1333 testresult = TEST_skip("CHACHA is not supported in FIPS");
1334 goto end;
1335 }
1336
1337 /* Create a session based on SHA-256 */
1338 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1339 TLS_client_method(),
1340 tls_version, tls_version,
1341 &sctx, &cctx, cert, privkey)))
1342 goto end;
1343
1344 if (tls_version == TLS1_3_VERSION) {
1345 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1346 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1347 goto end;
1348 } else {
1349 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1350 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351 goto end;
1352 }
1353
1354 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1355 &clientssl, sfd, cfd)))
1356 goto end;
1357
1358 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1359 goto end;
1360
1361 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362 goto end;
1363
1364 if (zerocopy) {
1365 if (!TEST_true(SSL_set_options(serverssl,
1366 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367 goto end;
1368 }
1369
1370 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371 SSL_ERROR_NONE)))
1372 goto end;
1373
1374 if (!BIO_get_ktls_send(serversc->wbio)) {
1375 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1376 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1377 "TLS 1.2", cipher);
1378 goto end;
1379 }
1380
1381 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1382 goto end;
1383
1384 out = BIO_new_file(tmpfilename, "wb");
1385 if (!TEST_ptr(out))
1386 goto end;
1387
1388 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1389 goto end;
1390
1391 BIO_free(out);
1392 out = NULL;
1393 in = BIO_new_file(tmpfilename, "rb");
1394 BIO_get_fp(in, &ffdp);
1395 ffd = fileno(ffdp);
1396
1397 while (chunk_off < SENDFILE_SZ) {
1398 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1399 while ((err = SSL_sendfile(serverssl,
1400 ffd,
1401 chunk_off,
1402 chunk_size,
1403 0)) != chunk_size) {
1404 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1405 goto end;
1406 }
1407 while ((err = SSL_read(clientssl,
1408 buf_dst + chunk_off,
1409 chunk_size)) != chunk_size) {
1410 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411 goto end;
1412 }
1413
1414 /* verify the payload */
1415 if (!TEST_mem_eq(buf_dst + chunk_off,
1416 chunk_size,
1417 buf + chunk_off,
1418 chunk_size))
1419 goto end;
1420
1421 chunk_off += chunk_size;
1422 }
1423
1424 testresult = 1;
1425 end:
1426 if (clientssl) {
1427 SSL_shutdown(clientssl);
1428 SSL_free(clientssl);
1429 }
1430 if (serverssl) {
1431 SSL_shutdown(serverssl);
1432 SSL_free(serverssl);
1433 }
1434 SSL_CTX_free(sctx);
1435 SSL_CTX_free(cctx);
1436 serverssl = clientssl = NULL;
1437 BIO_free(out);
1438 BIO_free(in);
1439 if (cfd != -1)
1440 close(cfd);
1441 if (sfd != -1)
1442 close(sfd);
1443 OPENSSL_free(buf);
1444 OPENSSL_free(buf_dst);
1445 return testresult;
1446 }
1447
1448 static struct ktls_test_cipher {
1449 int tls_version;
1450 const char *cipher;
1451 } ktls_test_ciphers[] = {
1452 # if !defined(OPENSSL_NO_TLS1_2)
1453 # ifdef OPENSSL_KTLS_AES_GCM_128
1454 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1455 # endif
1456 # ifdef OPENSSL_KTLS_AES_CCM_128
1457 { TLS1_2_VERSION, "AES128-CCM"},
1458 # endif
1459 # ifdef OPENSSL_KTLS_AES_GCM_256
1460 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1461 # endif
1462 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1463 # ifndef OPENSSL_NO_EC
1464 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 # endif
1466 # endif
1467 # endif
1468 # if !defined(OSSL_NO_USABLE_TLS1_3)
1469 # ifdef OPENSSL_KTLS_AES_GCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1471 # endif
1472 # ifdef OPENSSL_KTLS_AES_CCM_128
1473 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1474 # endif
1475 # ifdef OPENSSL_KTLS_AES_GCM_256
1476 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1477 # endif
1478 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1479 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1480 # endif
1481 # endif
1482 };
1483
1484 #define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1485
test_ktls(int test)1486 static int test_ktls(int test)
1487 {
1488 struct ktls_test_cipher *cipher;
1489 int cis_ktls, sis_ktls;
1490
1491 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1492 cipher = &ktls_test_ciphers[test / 4];
1493
1494 cis_ktls = (test & 1) != 0;
1495 sis_ktls = (test & 2) != 0;
1496
1497 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1498 cipher->cipher);
1499 }
1500
test_ktls_sendfile(int test)1501 static int test_ktls_sendfile(int test)
1502 {
1503 struct ktls_test_cipher *cipher;
1504 int tst = test >> 1;
1505
1506 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1507 cipher = &ktls_test_ciphers[tst];
1508
1509 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1510 test & 1);
1511 }
1512 #endif
1513
test_large_message_tls(void)1514 static int test_large_message_tls(void)
1515 {
1516 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1517 TLS1_VERSION, 0, 0);
1518 }
1519
test_large_message_tls_read_ahead(void)1520 static int test_large_message_tls_read_ahead(void)
1521 {
1522 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1523 TLS1_VERSION, 0, 1);
1524 }
1525
1526 #ifndef OPENSSL_NO_DTLS
test_large_message_dtls(void)1527 static int test_large_message_dtls(void)
1528 {
1529 # ifdef OPENSSL_NO_DTLS1_2
1530 /* Not supported in the FIPS provider */
1531 if (is_fips)
1532 return 1;
1533 # endif
1534 /*
1535 * read_ahead is not relevant to DTLS because DTLS always acts as if
1536 * read_ahead is set.
1537 */
1538 return execute_test_large_message(DTLS_server_method(),
1539 DTLS_client_method(),
1540 DTLS1_VERSION, 0, 0);
1541 }
1542 #endif
1543
1544 /*
1545 * Test we can successfully send the maximum amount of application data. We
1546 * test each protocol version individually, each with and without EtM enabled.
1547 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1548 * simpler this way. We also test all combinations with and without the
1549 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1550 * underlying buffer.
1551 */
test_large_app_data(int tst)1552 static int test_large_app_data(int tst)
1553 {
1554 SSL_CTX *cctx = NULL, *sctx = NULL;
1555 SSL *clientssl = NULL, *serverssl = NULL;
1556 int testresult = 0, prot;
1557 unsigned char *msg, *buf = NULL;
1558 size_t written, readbytes;
1559 const SSL_METHOD *smeth = TLS_server_method();
1560 const SSL_METHOD *cmeth = TLS_client_method();
1561
1562 switch (tst >> 2) {
1563 case 0:
1564 #ifndef OSSL_NO_USABLE_TLS1_3
1565 prot = TLS1_3_VERSION;
1566 break;
1567 #else
1568 return TEST_skip("TLS 1.3 not supported");
1569 #endif
1570
1571 case 1:
1572 #ifndef OPENSSL_NO_TLS1_2
1573 prot = TLS1_2_VERSION;
1574 break;
1575 #else
1576 return TEST_skip("TLS 1.2 not supported");
1577 #endif
1578
1579 case 2:
1580 #ifndef OPENSSL_NO_TLS1_1
1581 prot = TLS1_1_VERSION;
1582 break;
1583 #else
1584 return TEST_skip("TLS 1.1 not supported");
1585 #endif
1586
1587 case 3:
1588 #ifndef OPENSSL_NO_TLS1
1589 prot = TLS1_VERSION;
1590 break;
1591 #else
1592 return TEST_skip("TLS 1 not supported");
1593 #endif
1594
1595 case 4:
1596 #ifndef OPENSSL_NO_SSL3
1597 prot = SSL3_VERSION;
1598 break;
1599 #else
1600 return TEST_skip("SSL 3 not supported");
1601 #endif
1602
1603 case 5:
1604 #ifndef OPENSSL_NO_DTLS1_2
1605 prot = DTLS1_2_VERSION;
1606 smeth = DTLS_server_method();
1607 cmeth = DTLS_client_method();
1608 break;
1609 #else
1610 return TEST_skip("DTLS 1.2 not supported");
1611 #endif
1612
1613 case 6:
1614 #ifndef OPENSSL_NO_DTLS1
1615 if (is_fips)
1616 return TEST_skip("DTLS 1 not supported by FIPS provider");
1617 prot = DTLS1_VERSION;
1618 smeth = DTLS_server_method();
1619 cmeth = DTLS_client_method();
1620 break;
1621 #else
1622 return TEST_skip("DTLS 1 not supported");
1623 #endif
1624
1625 default:
1626 /* Shouldn't happen */
1627 return 0;
1628 }
1629
1630 if (is_fips && prot < TLS1_2_VERSION)
1631 return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");
1632
1633 /* Maximal sized message of zeros */
1634 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1635 if (!TEST_ptr(msg))
1636 goto end;
1637
1638 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639 if (!TEST_ptr(buf))
1640 goto end;
1641 /* Set whole buffer to all bits set */
1642 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1643
1644 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1645 &sctx, &cctx, cert, privkey)))
1646 goto end;
1647
1648 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1649 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1650 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1651 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1652 "DEFAULT:@SECLEVEL=0")))
1653 goto end;
1654 }
1655
1656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1657 &clientssl, NULL, NULL)))
1658 goto end;
1659
1660 if ((tst & 1) != 0) {
1661 /* Setting this option gives us a minimally sized underlying buffer */
1662 if (!TEST_true(SSL_set_options(serverssl,
1663 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1664 || !TEST_true(SSL_set_options(clientssl,
1665 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1666 goto end;
1667 }
1668
1669 if ((tst & 2) != 0) {
1670 /*
1671 * Setting this option means the MAC is added before encryption
1672 * giving us a larger record for the encryption process
1673 */
1674 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1675 || !TEST_true(SSL_set_options(clientssl,
1676 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1677 goto end;
1678 }
1679
1680 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1681 goto end;
1682
1683 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1684 &written))
1685 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1686 goto end;
1687
1688 /* We provide a buffer slightly larger than what we are actually expecting */
1689 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1690 &readbytes)))
1691 goto end;
1692
1693 if (!TEST_mem_eq(msg, written, buf, readbytes))
1694 goto end;
1695
1696 testresult = 1;
1697 end:
1698 OPENSSL_free(msg);
1699 OPENSSL_free(buf);
1700 SSL_free(serverssl);
1701 SSL_free(clientssl);
1702 SSL_CTX_free(sctx);
1703 SSL_CTX_free(cctx);
1704 return testresult;
1705 }
1706
1707 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1708 || !defined(OPENSSL_NO_DTLS)
execute_cleanse_plaintext(const SSL_METHOD * smeth,const SSL_METHOD * cmeth,int min_version,int max_version)1709 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1710 const SSL_METHOD *cmeth,
1711 int min_version, int max_version)
1712 {
1713 size_t i;
1714 SSL_CTX *cctx = NULL, *sctx = NULL;
1715 SSL *clientssl = NULL, *serverssl = NULL;
1716 int testresult = 0;
1717 const unsigned char *zbuf;
1718 SSL_CONNECTION *serversc;
1719 TLS_RECORD *rr;
1720
1721 static unsigned char cbuf[16000];
1722 static unsigned char sbuf[16000];
1723
1724 if (!TEST_true(create_ssl_ctx_pair(libctx,
1725 smeth, cmeth,
1726 min_version, max_version,
1727 &sctx, &cctx, cert,
1728 privkey)))
1729 goto end;
1730
1731 # ifdef OPENSSL_NO_DTLS1_2
1732 if (smeth == DTLS_server_method()) {
1733 /* Not supported in the FIPS provider */
1734 if (is_fips) {
1735 testresult = 1;
1736 goto end;
1737 };
1738 /*
1739 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1740 * level 0
1741 */
1742 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1743 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1744 "DEFAULT:@SECLEVEL=0")))
1745 goto end;
1746 }
1747 # endif
1748
1749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1750 NULL, NULL)))
1751 goto end;
1752
1753 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1754 goto end;
1755
1756 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1757 SSL_ERROR_NONE)))
1758 goto end;
1759
1760 for (i = 0; i < sizeof(cbuf); i++) {
1761 cbuf[i] = i & 0xff;
1762 }
1763
1764 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1765 goto end;
1766
1767 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1768 goto end;
1769
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1771 goto end;
1772
1773 /*
1774 * Since we called SSL_peek(), we know the data in the record
1775 * layer is a plaintext record. We can gather the pointer to check
1776 * for zeroization after SSL_read().
1777 */
1778 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1779 goto end;
1780 rr = serversc->rlayer.tlsrecs;
1781
1782 zbuf = &rr->data[rr->off];
1783 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1784 goto end;
1785
1786 /*
1787 * After SSL_peek() the plaintext must still be stored in the
1788 * record.
1789 */
1790 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1791 goto end;
1792
1793 memset(sbuf, 0, sizeof(sbuf));
1794 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1795 goto end;
1796
1797 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1798 goto end;
1799
1800 /* Check if rbuf is cleansed */
1801 memset(cbuf, 0, sizeof(cbuf));
1802 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803 goto end;
1804
1805 testresult = 1;
1806 end:
1807 SSL_free(serverssl);
1808 SSL_free(clientssl);
1809 SSL_CTX_free(sctx);
1810 SSL_CTX_free(cctx);
1811
1812 return testresult;
1813 }
1814 #endif /*
1815 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1816 * || !defined(OPENSSL_NO_DTLS)
1817 */
1818
test_cleanse_plaintext(void)1819 static int test_cleanse_plaintext(void)
1820 {
1821 #if !defined(OPENSSL_NO_TLS1_2)
1822 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1823 TLS_client_method(),
1824 TLS1_2_VERSION,
1825 TLS1_2_VERSION)))
1826 return 0;
1827
1828 #endif
1829
1830 #if !defined(OSSL_NO_USABLE_TLS1_3)
1831 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1832 TLS_client_method(),
1833 TLS1_3_VERSION,
1834 TLS1_3_VERSION)))
1835 return 0;
1836 #endif
1837
1838 #if !defined(OPENSSL_NO_DTLS)
1839
1840 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1841 DTLS_client_method(),
1842 DTLS1_VERSION,
1843 0)))
1844 return 0;
1845 #endif
1846 return 1;
1847 }
1848
1849 #ifndef OPENSSL_NO_OCSP
ocsp_server_cb(SSL * s,void * arg)1850 static int ocsp_server_cb(SSL *s, void *arg)
1851 {
1852 int *argi = (int *)arg;
1853 unsigned char *copy = NULL;
1854 STACK_OF(OCSP_RESPID) *ids = NULL;
1855 OCSP_RESPID *id = NULL;
1856
1857 if (*argi == 2) {
1858 /* In this test we are expecting exactly 1 OCSP_RESPID */
1859 SSL_get_tlsext_status_ids(s, &ids);
1860 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862
1863 id = sk_OCSP_RESPID_value(ids, 0);
1864 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1865 return SSL_TLSEXT_ERR_ALERT_FATAL;
1866 } else if (*argi != 1) {
1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868 }
1869
1870 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1871 return SSL_TLSEXT_ERR_ALERT_FATAL;
1872
1873 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1874 sizeof(orespder)))) {
1875 OPENSSL_free(copy);
1876 return SSL_TLSEXT_ERR_ALERT_FATAL;
1877 }
1878 ocsp_server_called = 1;
1879 return SSL_TLSEXT_ERR_OK;
1880 }
1881
ocsp_client_cb(SSL * s,void * arg)1882 static int ocsp_client_cb(SSL *s, void *arg)
1883 {
1884 int *argi = (int *)arg;
1885 const unsigned char *respderin;
1886 size_t len;
1887
1888 if (*argi != 1 && *argi != 2)
1889 return 0;
1890
1891 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1892 if (!TEST_mem_eq(orespder, len, respderin, len))
1893 return 0;
1894
1895 ocsp_client_called = 1;
1896 return 1;
1897 }
1898
test_tlsext_status_type(void)1899 static int test_tlsext_status_type(void)
1900 {
1901 SSL_CTX *cctx = NULL, *sctx = NULL;
1902 SSL *clientssl = NULL, *serverssl = NULL;
1903 int testresult = 0;
1904 STACK_OF(OCSP_RESPID) *ids = NULL;
1905 OCSP_RESPID *id = NULL;
1906 BIO *certbio = NULL;
1907
1908 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1909 TLS1_VERSION, 0,
1910 &sctx, &cctx, cert, privkey))
1911 return 0;
1912
1913 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1914 goto end;
1915
1916 /* First just do various checks getting and setting tlsext_status_type */
1917
1918 clientssl = SSL_new(cctx);
1919 if (!TEST_ptr(clientssl))
1920 goto end;
1921 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1922 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1923 TLSEXT_STATUSTYPE_ocsp))
1924 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1925 TLSEXT_STATUSTYPE_ocsp))
1926 goto end;
1927
1928 SSL_free(clientssl);
1929 clientssl = NULL;
1930
1931 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1932 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1933 goto end;
1934
1935 clientssl = SSL_new(cctx);
1936 if (!TEST_ptr(clientssl))
1937 goto end;
1938 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1939 goto end;
1940 SSL_free(clientssl);
1941 clientssl = NULL;
1942
1943 /*
1944 * Now actually do a handshake and check OCSP information is exchanged and
1945 * the callbacks get called
1946 */
1947 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1948 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1949 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1950 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1952 &clientssl, NULL, NULL))
1953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1954 SSL_ERROR_NONE))
1955 || !TEST_true(ocsp_client_called)
1956 || !TEST_true(ocsp_server_called))
1957 goto end;
1958 SSL_free(serverssl);
1959 SSL_free(clientssl);
1960 serverssl = NULL;
1961 clientssl = NULL;
1962
1963 /* Try again but this time force the server side callback to fail */
1964 ocsp_client_called = 0;
1965 ocsp_server_called = 0;
1966 cdummyarg = 0;
1967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1968 &clientssl, NULL, NULL))
1969 /* This should fail because the callback will fail */
1970 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1971 SSL_ERROR_NONE))
1972 || !TEST_false(ocsp_client_called)
1973 || !TEST_false(ocsp_server_called))
1974 goto end;
1975 SSL_free(serverssl);
1976 SSL_free(clientssl);
1977 serverssl = NULL;
1978 clientssl = NULL;
1979
1980 /*
1981 * This time we'll get the client to send an OCSP_RESPID that it will
1982 * accept.
1983 */
1984 ocsp_client_called = 0;
1985 ocsp_server_called = 0;
1986 cdummyarg = 2;
1987 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1988 &clientssl, NULL, NULL)))
1989 goto end;
1990
1991 /*
1992 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1993 * specific one. We'll use the server cert.
1994 */
1995 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1996 || !TEST_ptr(id = OCSP_RESPID_new())
1997 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1998 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1999 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
2000 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
2001 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
2002 goto end;
2003 id = NULL;
2004 SSL_set_tlsext_status_ids(clientssl, ids);
2005 /* Control has been transferred */
2006 ids = NULL;
2007
2008 BIO_free(certbio);
2009 certbio = NULL;
2010
2011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2012 SSL_ERROR_NONE))
2013 || !TEST_true(ocsp_client_called)
2014 || !TEST_true(ocsp_server_called))
2015 goto end;
2016
2017 testresult = 1;
2018
2019 end:
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
2022 SSL_CTX_free(sctx);
2023 SSL_CTX_free(cctx);
2024 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2025 OCSP_RESPID_free(id);
2026 BIO_free(certbio);
2027 X509_free(ocspcert);
2028 ocspcert = NULL;
2029
2030 return testresult;
2031 }
2032 #endif
2033
2034 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2035 static int new_called, remove_called, get_called;
2036
new_session_cb(SSL * ssl,SSL_SESSION * sess)2037 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2038 {
2039 new_called++;
2040 /*
2041 * sess has been up-refed for us, but we don't actually need it so free it
2042 * immediately.
2043 */
2044 SSL_SESSION_free(sess);
2045 return 1;
2046 }
2047
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)2048 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2049 {
2050 remove_called++;
2051 }
2052
2053 static SSL_SESSION *get_sess_val = NULL;
2054
get_session_cb(SSL * ssl,const unsigned char * id,int len,int * copy)2055 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2056 int *copy)
2057 {
2058 get_called++;
2059 *copy = 1;
2060 return get_sess_val;
2061 }
2062
execute_test_session(int maxprot,int use_int_cache,int use_ext_cache,long s_options)2063 static int execute_test_session(int maxprot, int use_int_cache,
2064 int use_ext_cache, long s_options)
2065 {
2066 SSL_CTX *sctx = NULL, *cctx = NULL;
2067 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2068 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2069 # ifndef OPENSSL_NO_TLS1_1
2070 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2071 # endif
2072 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2073 int testresult = 0, numnewsesstick = 1;
2074
2075 new_called = remove_called = 0;
2076
2077 /* TLSv1.3 sends 2 NewSessionTickets */
2078 if (maxprot == TLS1_3_VERSION)
2079 numnewsesstick = 2;
2080
2081 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2082 TLS_client_method(), TLS1_VERSION, 0,
2083 &sctx, &cctx, cert, privkey)))
2084 return 0;
2085
2086 /*
2087 * Only allow the max protocol version so we can force a connection failure
2088 * later
2089 */
2090 SSL_CTX_set_min_proto_version(cctx, maxprot);
2091 SSL_CTX_set_max_proto_version(cctx, maxprot);
2092
2093 /* Set up session cache */
2094 if (use_ext_cache) {
2095 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2096 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2097 }
2098 if (use_int_cache) {
2099 /* Also covers instance where both are set */
2100 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2101 } else {
2102 SSL_CTX_set_session_cache_mode(cctx,
2103 SSL_SESS_CACHE_CLIENT
2104 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2105 }
2106
2107 if (s_options) {
2108 SSL_CTX_set_options(sctx, s_options);
2109 }
2110
2111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2112 NULL, NULL))
2113 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2114 SSL_ERROR_NONE))
2115 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2116 goto end;
2117
2118 /* Should fail because it should already be in the cache */
2119 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2120 goto end;
2121 if (use_ext_cache
2122 && (!TEST_int_eq(new_called, numnewsesstick)
2123
2124 || !TEST_int_eq(remove_called, 0)))
2125 goto end;
2126
2127 new_called = remove_called = 0;
2128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2129 &clientssl2, NULL, NULL))
2130 || !TEST_true(SSL_set_session(clientssl2, sess1))
2131 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2132 SSL_ERROR_NONE))
2133 || !TEST_true(SSL_session_reused(clientssl2)))
2134 goto end;
2135
2136 if (maxprot == TLS1_3_VERSION) {
2137 /*
2138 * In TLSv1.3 we should have created a new session even though we have
2139 * resumed. Since we attempted a resume we should also have removed the
2140 * old ticket from the cache so that we try to only use tickets once.
2141 */
2142 if (use_ext_cache
2143 && (!TEST_int_eq(new_called, 1)
2144 || !TEST_int_eq(remove_called, 1)))
2145 goto end;
2146 } else {
2147 /*
2148 * In TLSv1.2 we expect to have resumed so no sessions added or
2149 * removed.
2150 */
2151 if (use_ext_cache
2152 && (!TEST_int_eq(new_called, 0)
2153 || !TEST_int_eq(remove_called, 0)))
2154 goto end;
2155 }
2156
2157 SSL_SESSION_free(sess1);
2158 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2159 goto end;
2160 shutdown_ssl_connection(serverssl2, clientssl2);
2161 serverssl2 = clientssl2 = NULL;
2162
2163 new_called = remove_called = 0;
2164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2165 &clientssl2, NULL, NULL))
2166 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2167 SSL_ERROR_NONE)))
2168 goto end;
2169
2170 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2171 goto end;
2172
2173 if (use_ext_cache
2174 && (!TEST_int_eq(new_called, numnewsesstick)
2175 || !TEST_int_eq(remove_called, 0)))
2176 goto end;
2177
2178 new_called = remove_called = 0;
2179 /*
2180 * This should clear sess2 from the cache because it is a "bad" session.
2181 * See SSL_set_session() documentation.
2182 */
2183 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2184 goto end;
2185 if (use_ext_cache
2186 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2187 goto end;
2188 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2189 goto end;
2190
2191 if (use_int_cache) {
2192 /* Should succeeded because it should not already be in the cache */
2193 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2194 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2195 goto end;
2196 }
2197
2198 new_called = remove_called = 0;
2199 /* This shouldn't be in the cache so should fail */
2200 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2201 goto end;
2202
2203 if (use_ext_cache
2204 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2205 goto end;
2206
2207 # if !defined(OPENSSL_NO_TLS1_1)
2208 new_called = remove_called = 0;
2209 /* Force a connection failure */
2210 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2212 &clientssl3, NULL, NULL))
2213 || !TEST_true(SSL_set_session(clientssl3, sess1))
2214 /* This should fail because of the mismatched protocol versions */
2215 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2216 SSL_ERROR_NONE)))
2217 goto end;
2218
2219 /* We should have automatically removed the session from the cache */
2220 if (use_ext_cache
2221 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2222 goto end;
2223
2224 /* Should succeed because it should not already be in the cache */
2225 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2226 goto end;
2227 # endif
2228
2229 /* Now do some tests for server side caching */
2230 if (use_ext_cache) {
2231 SSL_CTX_sess_set_new_cb(cctx, NULL);
2232 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2233 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2234 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2235 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2236 get_sess_val = NULL;
2237 }
2238
2239 SSL_CTX_set_session_cache_mode(cctx, 0);
2240 /* Internal caching is the default on the server side */
2241 if (!use_int_cache)
2242 SSL_CTX_set_session_cache_mode(sctx,
2243 SSL_SESS_CACHE_SERVER
2244 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2245
2246 SSL_free(serverssl1);
2247 SSL_free(clientssl1);
2248 serverssl1 = clientssl1 = NULL;
2249 SSL_free(serverssl2);
2250 SSL_free(clientssl2);
2251 serverssl2 = clientssl2 = NULL;
2252 SSL_SESSION_free(sess1);
2253 sess1 = NULL;
2254 SSL_SESSION_free(sess2);
2255 sess2 = NULL;
2256
2257 SSL_CTX_set_max_proto_version(sctx, maxprot);
2258 if (maxprot == TLS1_2_VERSION)
2259 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2260 new_called = remove_called = get_called = 0;
2261 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2262 NULL, NULL))
2263 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2264 SSL_ERROR_NONE))
2265 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2266 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2267 goto end;
2268
2269 if (use_int_cache) {
2270 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2271 /*
2272 * In TLSv1.3 it should not have been added to the internal cache,
2273 * except in the case where we also have an external cache (in that
2274 * case it gets added to the cache in order to generate remove
2275 * events after timeout).
2276 */
2277 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2278 goto end;
2279 } else {
2280 /* Should fail because it should already be in the cache */
2281 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2282 goto end;
2283 }
2284 }
2285
2286 if (use_ext_cache) {
2287 SSL_SESSION *tmp = sess2;
2288
2289 if (!TEST_int_eq(new_called, numnewsesstick)
2290 || !TEST_int_eq(remove_called, 0)
2291 || !TEST_int_eq(get_called, 0))
2292 goto end;
2293 /*
2294 * Delete the session from the internal cache to force a lookup from
2295 * the external cache. We take a copy first because
2296 * SSL_CTX_remove_session() also marks the session as non-resumable.
2297 */
2298 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2299 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2300 || !TEST_true(sess2->owner != NULL)
2301 || !TEST_true(tmp->owner == NULL)
2302 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2303 goto end;
2304 SSL_SESSION_free(sess2);
2305 }
2306 sess2 = tmp;
2307 }
2308
2309 new_called = remove_called = get_called = 0;
2310 get_sess_val = sess2;
2311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2312 &clientssl2, NULL, NULL))
2313 || !TEST_true(SSL_set_session(clientssl2, sess1))
2314 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2315 SSL_ERROR_NONE))
2316 || !TEST_true(SSL_session_reused(clientssl2)))
2317 goto end;
2318
2319 if (use_ext_cache) {
2320 if (!TEST_int_eq(remove_called, 0))
2321 goto end;
2322
2323 if (maxprot == TLS1_3_VERSION) {
2324 if (!TEST_int_eq(new_called, 1)
2325 || !TEST_int_eq(get_called, 0))
2326 goto end;
2327 } else {
2328 if (!TEST_int_eq(new_called, 0)
2329 || !TEST_int_eq(get_called, 1))
2330 goto end;
2331 }
2332 }
2333 /*
2334 * Make a small cache, force out all other sessions but
2335 * sess2, try to add sess1, which should succeed. Then
2336 * make sure it's there by checking the owners. Despite
2337 * the timeouts, sess1 should have kicked out sess2
2338 */
2339
2340 /* Make sess1 expire before sess2 */
2341 if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
2342 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2343 || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
2344 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2345 goto end;
2346
2347 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2348 goto end;
2349
2350 /* Don't care about results - cache should only be sess2 at end */
2351 SSL_CTX_add_session(sctx, sess1);
2352 SSL_CTX_add_session(sctx, sess2);
2353
2354 /* Now add sess1, and make sure it remains, despite timeout */
2355 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2356 || !TEST_ptr(sess1->owner)
2357 || !TEST_ptr_null(sess2->owner))
2358 goto end;
2359
2360 testresult = 1;
2361
2362 end:
2363 SSL_free(serverssl1);
2364 SSL_free(clientssl1);
2365 SSL_free(serverssl2);
2366 SSL_free(clientssl2);
2367 # ifndef OPENSSL_NO_TLS1_1
2368 SSL_free(serverssl3);
2369 SSL_free(clientssl3);
2370 # endif
2371 SSL_SESSION_free(sess1);
2372 SSL_SESSION_free(sess2);
2373 SSL_CTX_free(sctx);
2374 SSL_CTX_free(cctx);
2375
2376 return testresult;
2377 }
2378 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2379
test_session_with_only_int_cache(void)2380 static int test_session_with_only_int_cache(void)
2381 {
2382 #ifndef OSSL_NO_USABLE_TLS1_3
2383 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2384 return 0;
2385 #endif
2386
2387 #ifndef OPENSSL_NO_TLS1_2
2388 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2389 #else
2390 return 1;
2391 #endif
2392 }
2393
test_session_with_only_ext_cache(void)2394 static int test_session_with_only_ext_cache(void)
2395 {
2396 #ifndef OSSL_NO_USABLE_TLS1_3
2397 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2398 return 0;
2399 #endif
2400
2401 #ifndef OPENSSL_NO_TLS1_2
2402 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2403 #else
2404 return 1;
2405 #endif
2406 }
2407
test_session_with_both_cache(void)2408 static int test_session_with_both_cache(void)
2409 {
2410 #ifndef OSSL_NO_USABLE_TLS1_3
2411 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2412 return 0;
2413 #endif
2414
2415 #ifndef OPENSSL_NO_TLS1_2
2416 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2417 #else
2418 return 1;
2419 #endif
2420 }
2421
test_session_wo_ca_names(void)2422 static int test_session_wo_ca_names(void)
2423 {
2424 #ifndef OSSL_NO_USABLE_TLS1_3
2425 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2426 return 0;
2427 #endif
2428
2429 #ifndef OPENSSL_NO_TLS1_2
2430 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2431 #else
2432 return 1;
2433 #endif
2434 }
2435
2436 #ifndef OSSL_NO_USABLE_TLS1_3
2437 static SSL_SESSION *sesscache[6];
2438 static int do_cache;
2439
new_cachesession_cb(SSL * ssl,SSL_SESSION * sess)2440 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2441 {
2442 if (do_cache) {
2443 sesscache[new_called] = sess;
2444 } else {
2445 /* We don't need the reference to the session, so free it */
2446 SSL_SESSION_free(sess);
2447 }
2448 new_called++;
2449
2450 return 1;
2451 }
2452
post_handshake_verify(SSL * sssl,SSL * cssl)2453 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2454 {
2455 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2456 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2457 return 0;
2458
2459 /* Start handshake on the server and client */
2460 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2461 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2462 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2463 || !TEST_true(create_ssl_connection(sssl, cssl,
2464 SSL_ERROR_NONE)))
2465 return 0;
2466
2467 return 1;
2468 }
2469
setup_ticket_test(int stateful,int idx,SSL_CTX ** sctx,SSL_CTX ** cctx)2470 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2471 SSL_CTX **cctx)
2472 {
2473 int sess_id_ctx = 1;
2474
2475 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2476 TLS_client_method(), TLS1_VERSION, 0,
2477 sctx, cctx, cert, privkey))
2478 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2479 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2480 (void *)&sess_id_ctx,
2481 sizeof(sess_id_ctx))))
2482 return 0;
2483
2484 if (stateful)
2485 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2486
2487 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2488 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2489 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2490
2491 return 1;
2492 }
2493
check_resumption(int idx,SSL_CTX * sctx,SSL_CTX * cctx,int succ)2494 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2495 {
2496 SSL *serverssl = NULL, *clientssl = NULL;
2497 int i;
2498
2499 /* Test that we can resume with all the tickets we got given */
2500 for (i = 0; i < idx * 2; i++) {
2501 new_called = 0;
2502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2503 &clientssl, NULL, NULL))
2504 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2505 goto end;
2506
2507 SSL_set_post_handshake_auth(clientssl, 1);
2508
2509 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2510 SSL_ERROR_NONE)))
2511 goto end;
2512
2513 /*
2514 * Following a successful resumption we only get 1 ticket. After a
2515 * failed one we should get idx tickets.
2516 */
2517 if (succ) {
2518 if (!TEST_true(SSL_session_reused(clientssl))
2519 || !TEST_int_eq(new_called, 1))
2520 goto end;
2521 } else {
2522 if (!TEST_false(SSL_session_reused(clientssl))
2523 || !TEST_int_eq(new_called, idx))
2524 goto end;
2525 }
2526
2527 new_called = 0;
2528 /* After a post-handshake authentication we should get 1 new ticket */
2529 if (succ
2530 && (!post_handshake_verify(serverssl, clientssl)
2531 || !TEST_int_eq(new_called, 1)))
2532 goto end;
2533
2534 SSL_shutdown(clientssl);
2535 SSL_shutdown(serverssl);
2536 SSL_free(serverssl);
2537 SSL_free(clientssl);
2538 serverssl = clientssl = NULL;
2539 SSL_SESSION_free(sesscache[i]);
2540 sesscache[i] = NULL;
2541 }
2542
2543 return 1;
2544
2545 end:
2546 SSL_free(clientssl);
2547 SSL_free(serverssl);
2548 return 0;
2549 }
2550
test_tickets(int stateful,int idx)2551 static int test_tickets(int stateful, int idx)
2552 {
2553 SSL_CTX *sctx = NULL, *cctx = NULL;
2554 SSL *serverssl = NULL, *clientssl = NULL;
2555 int testresult = 0;
2556 size_t j;
2557
2558 /* idx is the test number, but also the number of tickets we want */
2559
2560 new_called = 0;
2561 do_cache = 1;
2562
2563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2564 goto end;
2565
2566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2567 &clientssl, NULL, NULL)))
2568 goto end;
2569
2570 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2571 SSL_ERROR_NONE))
2572 /* Check we got the number of tickets we were expecting */
2573 || !TEST_int_eq(idx, new_called))
2574 goto end;
2575
2576 SSL_shutdown(clientssl);
2577 SSL_shutdown(serverssl);
2578 SSL_free(serverssl);
2579 SSL_free(clientssl);
2580 SSL_CTX_free(sctx);
2581 SSL_CTX_free(cctx);
2582 clientssl = serverssl = NULL;
2583 sctx = cctx = NULL;
2584
2585 /*
2586 * Now we try to resume with the tickets we previously created. The
2587 * resumption attempt is expected to fail (because we're now using a new
2588 * SSL_CTX). We should see idx number of tickets issued again.
2589 */
2590
2591 /* Stop caching sessions - just count them */
2592 do_cache = 0;
2593
2594 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2595 goto end;
2596
2597 if (!check_resumption(idx, sctx, cctx, 0))
2598 goto end;
2599
2600 /* Start again with caching sessions */
2601 new_called = 0;
2602 do_cache = 1;
2603 SSL_CTX_free(sctx);
2604 SSL_CTX_free(cctx);
2605 sctx = cctx = NULL;
2606
2607 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2608 goto end;
2609
2610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2611 &clientssl, NULL, NULL)))
2612 goto end;
2613
2614 SSL_set_post_handshake_auth(clientssl, 1);
2615
2616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2617 SSL_ERROR_NONE))
2618 /* Check we got the number of tickets we were expecting */
2619 || !TEST_int_eq(idx, new_called))
2620 goto end;
2621
2622 /* After a post-handshake authentication we should get new tickets issued */
2623 if (!post_handshake_verify(serverssl, clientssl)
2624 || !TEST_int_eq(idx * 2, new_called))
2625 goto end;
2626
2627 SSL_shutdown(clientssl);
2628 SSL_shutdown(serverssl);
2629 SSL_free(serverssl);
2630 SSL_free(clientssl);
2631 serverssl = clientssl = NULL;
2632
2633 /* Stop caching sessions - just count them */
2634 do_cache = 0;
2635
2636 /*
2637 * Check we can resume with all the tickets we created. This time around the
2638 * resumptions should all be successful.
2639 */
2640 if (!check_resumption(idx, sctx, cctx, 1))
2641 goto end;
2642
2643 testresult = 1;
2644
2645 end:
2646 SSL_free(serverssl);
2647 SSL_free(clientssl);
2648 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2649 SSL_SESSION_free(sesscache[j]);
2650 sesscache[j] = NULL;
2651 }
2652 SSL_CTX_free(sctx);
2653 SSL_CTX_free(cctx);
2654
2655 return testresult;
2656 }
2657
test_stateless_tickets(int idx)2658 static int test_stateless_tickets(int idx)
2659 {
2660 return test_tickets(0, idx);
2661 }
2662
test_stateful_tickets(int idx)2663 static int test_stateful_tickets(int idx)
2664 {
2665 return test_tickets(1, idx);
2666 }
2667
test_psk_tickets(void)2668 static int test_psk_tickets(void)
2669 {
2670 SSL_CTX *sctx = NULL, *cctx = NULL;
2671 SSL *serverssl = NULL, *clientssl = NULL;
2672 int testresult = 0;
2673 int sess_id_ctx = 1;
2674
2675 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2676 TLS_client_method(), TLS1_VERSION, 0,
2677 &sctx, &cctx, NULL, NULL))
2678 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2679 (void *)&sess_id_ctx,
2680 sizeof(sess_id_ctx))))
2681 goto end;
2682
2683 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2684 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2685 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2686 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2687 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2688 use_session_cb_cnt = 0;
2689 find_session_cb_cnt = 0;
2690 srvid = pskid;
2691 new_called = 0;
2692
2693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2694 NULL, NULL)))
2695 goto end;
2696 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2697 if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2698 goto end;
2699
2700 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2701 SSL_ERROR_NONE))
2702 || !TEST_int_eq(1, find_session_cb_cnt)
2703 || !TEST_int_eq(1, use_session_cb_cnt)
2704 /* We should always get 1 ticket when using external PSK */
2705 || !TEST_int_eq(1, new_called))
2706 goto end;
2707
2708 testresult = 1;
2709
2710 end:
2711 SSL_free(serverssl);
2712 SSL_free(clientssl);
2713 SSL_CTX_free(sctx);
2714 SSL_CTX_free(cctx);
2715 SSL_SESSION_free(clientpsk);
2716 SSL_SESSION_free(serverpsk);
2717 clientpsk = serverpsk = NULL;
2718
2719 return testresult;
2720 }
2721
test_extra_tickets(int idx)2722 static int test_extra_tickets(int idx)
2723 {
2724 SSL_CTX *sctx = NULL, *cctx = NULL;
2725 SSL *serverssl = NULL, *clientssl = NULL;
2726 BIO *bretry = BIO_new(bio_s_always_retry());
2727 BIO *tmp = NULL;
2728 int testresult = 0;
2729 int stateful = 0;
2730 size_t nbytes;
2731 unsigned char c, buf[1];
2732
2733 new_called = 0;
2734 do_cache = 1;
2735
2736 if (idx >= 3) {
2737 idx -= 3;
2738 stateful = 1;
2739 }
2740
2741 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2742 goto end;
2743 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2744 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2745 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2746
2747 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2748 &clientssl, NULL, NULL)))
2749 goto end;
2750
2751 /*
2752 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2753 * incremented by both client and server.
2754 */
2755 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2756 SSL_ERROR_NONE))
2757 /* Check we got the number of tickets we were expecting */
2758 || !TEST_int_eq(idx * 2, new_called)
2759 || !TEST_true(SSL_new_session_ticket(serverssl))
2760 || !TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_int_eq(idx * 2, new_called))
2762 goto end;
2763
2764 /* Now try a (real) write to actually send the tickets */
2765 c = '1';
2766 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2767 || !TEST_size_t_eq(1, nbytes)
2768 || !TEST_int_eq(idx * 2 + 2, new_called)
2769 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2770 || !TEST_int_eq(idx * 2 + 4, new_called)
2771 || !TEST_int_eq(sizeof(buf), nbytes)
2772 || !TEST_int_eq(c, buf[0])
2773 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2774 goto end;
2775
2776 /* Try with only requesting one new ticket, too */
2777 c = '2';
2778 new_called = 0;
2779 if (!TEST_true(SSL_new_session_ticket(serverssl))
2780 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2781 || !TEST_size_t_eq(sizeof(c), nbytes)
2782 || !TEST_int_eq(1, new_called)
2783 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2784 || !TEST_int_eq(2, new_called)
2785 || !TEST_size_t_eq(sizeof(buf), nbytes)
2786 || !TEST_int_eq(c, buf[0]))
2787 goto end;
2788
2789 /* Do it again but use dummy writes to drive the ticket generation */
2790 c = '3';
2791 new_called = 0;
2792 if (!TEST_true(SSL_new_session_ticket(serverssl))
2793 || !TEST_true(SSL_new_session_ticket(serverssl))
2794 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2795 || !TEST_size_t_eq(0, nbytes)
2796 || !TEST_int_eq(2, new_called)
2797 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2798 || !TEST_int_eq(4, new_called))
2799 goto end;
2800
2801 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2802 c = '4';
2803 new_called = 0;
2804 if (!TEST_true(SSL_new_session_ticket(serverssl))
2805 || !TEST_true(SSL_new_session_ticket(serverssl))
2806 || !TEST_true(SSL_do_handshake(serverssl))
2807 || !TEST_int_eq(2, new_called)
2808 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2809 || !TEST_int_eq(4, new_called))
2810 goto end;
2811
2812 /*
2813 * Use the always-retry BIO to exercise the logic that forces ticket
2814 * generation to wait until a record boundary.
2815 */
2816 c = '5';
2817 new_called = 0;
2818 tmp = SSL_get_wbio(serverssl);
2819 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2820 tmp = NULL;
2821 goto end;
2822 }
2823 SSL_set0_wbio(serverssl, bretry);
2824 bretry = NULL;
2825 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2826 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2827 || !TEST_size_t_eq(nbytes, 0))
2828 goto end;
2829 /* Restore a BIO that will let the write succeed */
2830 SSL_set0_wbio(serverssl, tmp);
2831 tmp = NULL;
2832 /*
2833 * These calls should just queue the request and not send anything
2834 * even if we explicitly try to hit the state machine.
2835 */
2836 if (!TEST_true(SSL_new_session_ticket(serverssl))
2837 || !TEST_true(SSL_new_session_ticket(serverssl))
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_do_handshake(serverssl))
2840 || !TEST_int_eq(0, new_called))
2841 goto end;
2842 /* Re-do the write; still no tickets sent */
2843 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2844 || !TEST_size_t_eq(1, nbytes)
2845 || !TEST_int_eq(0, new_called)
2846 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2847 || !TEST_int_eq(0, new_called)
2848 || !TEST_int_eq(sizeof(buf), nbytes)
2849 || !TEST_int_eq(c, buf[0])
2850 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2851 goto end;
2852 /* Even trying to hit the state machine now will still not send tickets */
2853 if (!TEST_true(SSL_do_handshake(serverssl))
2854 || !TEST_int_eq(0, new_called))
2855 goto end;
2856 /* Now the *next* write should send the tickets */
2857 c = '6';
2858 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2859 || !TEST_size_t_eq(1, nbytes)
2860 || !TEST_int_eq(2, new_called)
2861 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2862 || !TEST_int_eq(4, new_called)
2863 || !TEST_int_eq(sizeof(buf), nbytes)
2864 || !TEST_int_eq(c, buf[0])
2865 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2866 goto end;
2867
2868 SSL_shutdown(clientssl);
2869 SSL_shutdown(serverssl);
2870 testresult = 1;
2871
2872 end:
2873 BIO_free(bretry);
2874 BIO_free(tmp);
2875 SSL_free(serverssl);
2876 SSL_free(clientssl);
2877 SSL_CTX_free(sctx);
2878 SSL_CTX_free(cctx);
2879 clientssl = serverssl = NULL;
2880 sctx = cctx = NULL;
2881 return testresult;
2882 }
2883 #endif
2884
2885 #define USE_NULL 0
2886 #define USE_BIO_1 1
2887 #define USE_BIO_2 2
2888 #define USE_DEFAULT 3
2889
2890 #define CONNTYPE_CONNECTION_SUCCESS 0
2891 #define CONNTYPE_CONNECTION_FAIL 1
2892 #define CONNTYPE_NO_CONNECTION 2
2893
2894 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2895 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2896 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2897 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2898 #else
2899 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2900 #endif
2901
2902 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2903 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2904 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2905
setupbio(BIO ** res,BIO * bio1,BIO * bio2,int type)2906 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2907 {
2908 switch (type) {
2909 case USE_NULL:
2910 *res = NULL;
2911 break;
2912 case USE_BIO_1:
2913 *res = bio1;
2914 break;
2915 case USE_BIO_2:
2916 *res = bio2;
2917 break;
2918 }
2919 }
2920
2921
2922 /*
2923 * Tests calls to SSL_set_bio() under various conditions.
2924 *
2925 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2926 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2927 * then do more tests where we create a successful connection first using our
2928 * standard connection setup functions, and then call SSL_set_bio() with
2929 * various combinations of valid BIOs or NULL. We then repeat these tests
2930 * following a failed connection. In this last case we are looking to check that
2931 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2932 */
test_ssl_set_bio(int idx)2933 static int test_ssl_set_bio(int idx)
2934 {
2935 SSL_CTX *sctx = NULL, *cctx = NULL;
2936 BIO *bio1 = NULL;
2937 BIO *bio2 = NULL;
2938 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2939 SSL *serverssl = NULL, *clientssl = NULL;
2940 int initrbio, initwbio, newrbio, newwbio, conntype;
2941 int testresult = 0;
2942
2943 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2944 initrbio = idx % 3;
2945 idx /= 3;
2946 initwbio = idx % 3;
2947 idx /= 3;
2948 newrbio = idx % 3;
2949 idx /= 3;
2950 newwbio = idx % 3;
2951 conntype = CONNTYPE_NO_CONNECTION;
2952 } else {
2953 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2954 initrbio = initwbio = USE_DEFAULT;
2955 newrbio = idx % 2;
2956 idx /= 2;
2957 newwbio = idx % 2;
2958 idx /= 2;
2959 conntype = idx % 2;
2960 }
2961
2962 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2963 TLS_client_method(), TLS1_VERSION, 0,
2964 &sctx, &cctx, cert, privkey)))
2965 goto end;
2966
2967 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2968 /*
2969 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2970 * because we reduced the number of tests in the definition of
2971 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2972 * mismatched protocol versions we will force a connection failure.
2973 */
2974 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2975 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2976 }
2977
2978 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2979 NULL, NULL)))
2980 goto end;
2981
2982 if (initrbio == USE_BIO_1
2983 || initwbio == USE_BIO_1
2984 || newrbio == USE_BIO_1
2985 || newwbio == USE_BIO_1) {
2986 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2987 goto end;
2988 }
2989
2990 if (initrbio == USE_BIO_2
2991 || initwbio == USE_BIO_2
2992 || newrbio == USE_BIO_2
2993 || newwbio == USE_BIO_2) {
2994 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2995 goto end;
2996 }
2997
2998 if (initrbio != USE_DEFAULT) {
2999 setupbio(&irbio, bio1, bio2, initrbio);
3000 setupbio(&iwbio, bio1, bio2, initwbio);
3001 SSL_set_bio(clientssl, irbio, iwbio);
3002
3003 /*
3004 * We want to maintain our own refs to these BIO, so do an up ref for
3005 * each BIO that will have ownership transferred in the SSL_set_bio()
3006 * call
3007 */
3008 if (irbio != NULL && !BIO_up_ref(irbio))
3009 goto end;
3010 if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
3011 BIO_free(irbio);
3012 goto end;
3013 }
3014 }
3015
3016 if (conntype != CONNTYPE_NO_CONNECTION
3017 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3018 SSL_ERROR_NONE)
3019 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3020 goto end;
3021
3022 setupbio(&nrbio, bio1, bio2, newrbio);
3023 setupbio(&nwbio, bio1, bio2, newwbio);
3024
3025 /*
3026 * We will (maybe) transfer ownership again so do more up refs.
3027 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3028 * already been set!
3029 */
3030 if (nrbio != NULL
3031 && nrbio != irbio
3032 && (nwbio != iwbio || nrbio != nwbio))
3033 if (!TEST_true(BIO_up_ref(nrbio)))
3034 goto end;
3035 if (nwbio != NULL
3036 && nwbio != nrbio
3037 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3038 if (!TEST_true(BIO_up_ref(nwbio))) {
3039 if (nrbio != irbio
3040 && (nwbio != iwbio || nrbio != nwbio))
3041 BIO_free(nrbio);
3042 goto end;
3043 }
3044
3045 SSL_set_bio(clientssl, nrbio, nwbio);
3046
3047 testresult = 1;
3048
3049 end:
3050 BIO_free(bio1);
3051 BIO_free(bio2);
3052
3053 /*
3054 * This test is checking that the ref counting for SSL_set_bio is correct.
3055 * If we get here and we did too many frees then we will fail in the above
3056 * functions.
3057 */
3058 SSL_free(serverssl);
3059 SSL_free(clientssl);
3060 SSL_CTX_free(sctx);
3061 SSL_CTX_free(cctx);
3062 return testresult;
3063 }
3064
3065 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3066
execute_test_ssl_bio(int pop_ssl,bio_change_t change_bio)3067 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3068 {
3069 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3070 SSL_CTX *ctx;
3071 SSL *ssl = NULL;
3072 int testresult = 0;
3073
3074 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3075 || !TEST_ptr(ssl = SSL_new(ctx))
3076 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3077 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3078 goto end;
3079
3080 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3081
3082 /*
3083 * If anything goes wrong here then we could leak memory.
3084 */
3085 BIO_push(sslbio, membio1);
3086
3087 /* Verify changing the rbio/wbio directly does not cause leaks */
3088 if (change_bio != NO_BIO_CHANGE) {
3089 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3090 ssl = NULL;
3091 goto end;
3092 }
3093 if (change_bio == CHANGE_RBIO)
3094 SSL_set0_rbio(ssl, membio2);
3095 else
3096 SSL_set0_wbio(ssl, membio2);
3097 }
3098 ssl = NULL;
3099
3100 if (pop_ssl)
3101 BIO_pop(sslbio);
3102 else
3103 BIO_pop(membio1);
3104
3105 testresult = 1;
3106 end:
3107 BIO_free(membio1);
3108 BIO_free(sslbio);
3109 SSL_free(ssl);
3110 SSL_CTX_free(ctx);
3111
3112 return testresult;
3113 }
3114
test_ssl_bio_pop_next_bio(void)3115 static int test_ssl_bio_pop_next_bio(void)
3116 {
3117 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3118 }
3119
test_ssl_bio_pop_ssl_bio(void)3120 static int test_ssl_bio_pop_ssl_bio(void)
3121 {
3122 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3123 }
3124
test_ssl_bio_change_rbio(void)3125 static int test_ssl_bio_change_rbio(void)
3126 {
3127 return execute_test_ssl_bio(0, CHANGE_RBIO);
3128 }
3129
test_ssl_bio_change_wbio(void)3130 static int test_ssl_bio_change_wbio(void)
3131 {
3132 return execute_test_ssl_bio(0, CHANGE_WBIO);
3133 }
3134
3135 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3136 typedef struct {
3137 /* The list of sig algs */
3138 const int *list;
3139 /* The length of the list */
3140 size_t listlen;
3141 /* A sigalgs list in string format */
3142 const char *liststr;
3143 /* Whether setting the list should succeed */
3144 int valid;
3145 /* Whether creating a connection with the list should succeed */
3146 int connsuccess;
3147 } sigalgs_list;
3148
3149 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3150 # ifndef OPENSSL_NO_EC
3151 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3152 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3153 # endif
3154 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3155 static const int invalidlist2[] = {NID_sha256, NID_undef};
3156 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3157 static const int invalidlist4[] = {NID_sha256};
3158 static const sigalgs_list testsigalgs[] = {
3159 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3160 # ifndef OPENSSL_NO_EC
3161 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3162 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3163 # endif
3164 {NULL, 0, "RSA+SHA256", 1, 1},
3165 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3166 # ifndef OPENSSL_NO_EC
3167 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3168 {NULL, 0, "ECDSA+SHA512", 1, 0},
3169 # endif
3170 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3171 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3172 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3173 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3174 {NULL, 0, "RSA", 0, 0},
3175 {NULL, 0, "SHA256", 0, 0},
3176 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3177 {NULL, 0, "Invalid", 0, 0}
3178 };
3179
test_set_sigalgs(int idx)3180 static int test_set_sigalgs(int idx)
3181 {
3182 SSL_CTX *cctx = NULL, *sctx = NULL;
3183 SSL *clientssl = NULL, *serverssl = NULL;
3184 int testresult = 0;
3185 const sigalgs_list *curr;
3186 int testctx;
3187
3188 /* Should never happen */
3189 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3190 return 0;
3191
3192 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3193 curr = testctx ? &testsigalgs[idx]
3194 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3195
3196 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3197 TLS_client_method(), TLS1_VERSION, 0,
3198 &sctx, &cctx, cert, privkey)))
3199 return 0;
3200
3201 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3202
3203 if (testctx) {
3204 int ret;
3205
3206 if (curr->list != NULL)
3207 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3208 else
3209 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3210
3211 if (!ret) {
3212 if (curr->valid)
3213 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3214 else
3215 testresult = 1;
3216 goto end;
3217 }
3218 if (!curr->valid) {
3219 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3220 goto end;
3221 }
3222 }
3223
3224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3225 &clientssl, NULL, NULL)))
3226 goto end;
3227
3228 if (!testctx) {
3229 int ret;
3230
3231 if (curr->list != NULL)
3232 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3233 else
3234 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3235 if (!ret) {
3236 if (curr->valid)
3237 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3238 else
3239 testresult = 1;
3240 goto end;
3241 }
3242 if (!curr->valid)
3243 goto end;
3244 }
3245
3246 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3247 SSL_ERROR_NONE),
3248 curr->connsuccess))
3249 goto end;
3250
3251 testresult = 1;
3252
3253 end:
3254 SSL_free(serverssl);
3255 SSL_free(clientssl);
3256 SSL_CTX_free(sctx);
3257 SSL_CTX_free(cctx);
3258
3259 return testresult;
3260 }
3261 #endif
3262
3263 #ifndef OSSL_NO_USABLE_TLS1_3
3264 static int psk_client_cb_cnt = 0;
3265 static int psk_server_cb_cnt = 0;
3266
use_session_cb(SSL * ssl,const EVP_MD * md,const unsigned char ** id,size_t * idlen,SSL_SESSION ** sess)3267 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3268 size_t *idlen, SSL_SESSION **sess)
3269 {
3270 switch (++use_session_cb_cnt) {
3271 case 1:
3272 /* The first call should always have a NULL md */
3273 if (md != NULL)
3274 return 0;
3275 break;
3276
3277 case 2:
3278 /* The second call should always have an md */
3279 if (md == NULL)
3280 return 0;
3281 break;
3282
3283 default:
3284 /* We should only be called a maximum of twice */
3285 return 0;
3286 }
3287
3288 if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
3289 return 0;
3290
3291 *sess = clientpsk;
3292 *id = (const unsigned char *)pskid;
3293 *idlen = strlen(pskid);
3294
3295 return 1;
3296 }
3297
3298 #ifndef OPENSSL_NO_PSK
psk_client_cb(SSL * ssl,const char * hint,char * id,unsigned int max_id_len,unsigned char * psk,unsigned int max_psk_len)3299 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3300 unsigned int max_id_len,
3301 unsigned char *psk,
3302 unsigned int max_psk_len)
3303 {
3304 unsigned int psklen = 0;
3305
3306 psk_client_cb_cnt++;
3307
3308 if (strlen(pskid) + 1 > max_id_len)
3309 return 0;
3310
3311 /* We should only ever be called a maximum of twice per connection */
3312 if (psk_client_cb_cnt > 2)
3313 return 0;
3314
3315 if (clientpsk == NULL)
3316 return 0;
3317
3318 /* We'll reuse the PSK we set up for TLSv1.3 */
3319 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3320 return 0;
3321 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3322 strncpy(id, pskid, max_id_len);
3323
3324 return psklen;
3325 }
3326 #endif /* OPENSSL_NO_PSK */
3327
find_session_cb(SSL * ssl,const unsigned char * identity,size_t identity_len,SSL_SESSION ** sess)3328 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3329 size_t identity_len, SSL_SESSION **sess)
3330 {
3331 find_session_cb_cnt++;
3332
3333 /* We should only ever be called a maximum of twice per connection */
3334 if (find_session_cb_cnt > 2)
3335 return 0;
3336
3337 if (serverpsk == NULL)
3338 return 0;
3339
3340 /* Identity should match that set by the client */
3341 if (strlen(srvid) != identity_len
3342 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3343 /* No PSK found, continue but without a PSK */
3344 *sess = NULL;
3345 return 1;
3346 }
3347
3348 if (!SSL_SESSION_up_ref(serverpsk))
3349 return 0;
3350
3351 *sess = serverpsk;
3352
3353 return 1;
3354 }
3355
3356 #ifndef OPENSSL_NO_PSK
psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)3357 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3358 unsigned char *psk, unsigned int max_psk_len)
3359 {
3360 unsigned int psklen = 0;
3361
3362 psk_server_cb_cnt++;
3363
3364 /* We should only ever be called a maximum of twice per connection */
3365 if (find_session_cb_cnt > 2)
3366 return 0;
3367
3368 if (serverpsk == NULL)
3369 return 0;
3370
3371 /* Identity should match that set by the client */
3372 if (strcmp(srvid, identity) != 0) {
3373 return 0;
3374 }
3375
3376 /* We'll reuse the PSK we set up for TLSv1.3 */
3377 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3378 return 0;
3379 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3380
3381 return psklen;
3382 }
3383 #endif /* OPENSSL_NO_PSK */
3384
3385 #define MSG1 "Hello"
3386 #define MSG2 "World."
3387 #define MSG3 "This"
3388 #define MSG4 "is"
3389 #define MSG5 "a"
3390 #define MSG6 "test"
3391 #define MSG7 "message."
3392
3393 static int artificial_ticket_time = 0;
3394
sub_session_time(SSL_SESSION * sess)3395 static int sub_session_time(SSL_SESSION *sess)
3396 {
3397 OSSL_TIME tick_time;
3398
3399 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3400 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3401
3402 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3403 }
3404
ed_gen_cb(SSL * s,void * arg)3405 static int ed_gen_cb(SSL *s, void *arg)
3406 {
3407 SSL_SESSION *sess = SSL_get0_session(s);
3408
3409 if (sess == NULL)
3410 return 0;
3411
3412 /*
3413 * Artificially give the ticket some age. Just do it for the number of
3414 * tickets we've been told to do.
3415 */
3416 if (artificial_ticket_time == 0)
3417 return 1;
3418 artificial_ticket_time--;
3419
3420 return sub_session_time(sess);
3421 }
3422
3423 /*
3424 * Helper method to setup objects for early data test. Caller frees objects on
3425 * error.
3426 */
setupearly_data_test(SSL_CTX ** cctx,SSL_CTX ** sctx,SSL ** clientssl,SSL ** serverssl,SSL_SESSION ** sess,int idx,size_t mdsize)3427 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3428 SSL **serverssl, SSL_SESSION **sess, int idx,
3429 size_t mdsize)
3430 {
3431 int artificial = (artificial_ticket_time > 0);
3432
3433 if (*sctx == NULL
3434 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3435 TLS_client_method(),
3436 TLS1_VERSION, 0,
3437 sctx, cctx, cert, privkey)))
3438 return 0;
3439
3440 if (artificial)
3441 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3442
3443 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3444 return 0;
3445
3446 if (idx == 1) {
3447 /* When idx == 1 we repeat the tests with read_ahead set */
3448 SSL_CTX_set_read_ahead(*cctx, 1);
3449 SSL_CTX_set_read_ahead(*sctx, 1);
3450 } else if (idx == 2) {
3451 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3452 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3453 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3454 use_session_cb_cnt = 0;
3455 find_session_cb_cnt = 0;
3456 srvid = pskid;
3457 }
3458
3459 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3460 NULL, NULL)))
3461 return 0;
3462
3463 /*
3464 * For one of the run throughs (doesn't matter which one), we'll try sending
3465 * some SNI data in the initial ClientHello. This will be ignored (because
3466 * there is no SNI cb set up by the server), so it should not impact
3467 * early_data.
3468 */
3469 if (idx == 1
3470 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3471 return 0;
3472
3473 if (idx == 2) {
3474 clientpsk = create_a_psk(*clientssl, mdsize);
3475 if (!TEST_ptr(clientpsk)
3476 /*
3477 * We just choose an arbitrary value for max_early_data which
3478 * should be big enough for testing purposes.
3479 */
3480 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3481 0x100))
3482 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3483 SSL_SESSION_free(clientpsk);
3484 clientpsk = NULL;
3485 return 0;
3486 }
3487 serverpsk = clientpsk;
3488
3489 if (sess != NULL) {
3490 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3491 SSL_SESSION_free(clientpsk);
3492 SSL_SESSION_free(serverpsk);
3493 clientpsk = serverpsk = NULL;
3494 return 0;
3495 }
3496 *sess = clientpsk;
3497 }
3498 return 1;
3499 }
3500
3501 if (sess == NULL)
3502 return 1;
3503
3504 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3505 SSL_ERROR_NONE)))
3506 return 0;
3507
3508 *sess = SSL_get1_session(*clientssl);
3509 SSL_shutdown(*clientssl);
3510 SSL_shutdown(*serverssl);
3511 SSL_free(*serverssl);
3512 SSL_free(*clientssl);
3513 *serverssl = *clientssl = NULL;
3514
3515 /*
3516 * Artificially give the ticket some age to match the artificial age we
3517 * gave it on the server side
3518 */
3519 if (artificial
3520 && !TEST_true(sub_session_time(*sess)))
3521 return 0;
3522
3523 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3524 clientssl, NULL, NULL))
3525 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3526 return 0;
3527
3528 return 1;
3529 }
3530
check_early_data_timeout(OSSL_TIME timer)3531 static int check_early_data_timeout(OSSL_TIME timer)
3532 {
3533 int res = 0;
3534
3535 /*
3536 * Early data is time sensitive. We have an approx 8 second allowance
3537 * between writing the early data and reading it. If we exceed that time
3538 * then this test will fail. This can sometimes (rarely) occur in normal CI
3539 * operation. We can try and detect this and just ignore the result of this
3540 * test if it has taken too long. We assume anything over 7 seconds is too
3541 * long
3542 */
3543 timer = ossl_time_subtract(ossl_time_now(), timer);
3544 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3545 res = TEST_skip("Test took too long, ignoring result");
3546
3547 return res;
3548 }
3549
test_early_data_read_write(int idx)3550 static int test_early_data_read_write(int idx)
3551 {
3552 SSL_CTX *cctx = NULL, *sctx = NULL;
3553 SSL *clientssl = NULL, *serverssl = NULL;
3554 int testresult = 0;
3555 SSL_SESSION *sess = NULL;
3556 unsigned char buf[20], data[1024];
3557 size_t readbytes, written, eoedlen, rawread, rawwritten;
3558 BIO *rbio;
3559 OSSL_TIME timer;
3560
3561 /* Artificially give the next 2 tickets some age for non PSK sessions */
3562 if (idx != 2)
3563 artificial_ticket_time = 2;
3564 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3565 &serverssl, &sess, idx,
3566 SHA384_DIGEST_LENGTH))) {
3567 artificial_ticket_time = 0;
3568 goto end;
3569 }
3570 artificial_ticket_time = 0;
3571
3572 /* Write and read some early data */
3573 timer = ossl_time_now();
3574 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3575 &written))
3576 || !TEST_size_t_eq(written, strlen(MSG1)))
3577 goto end;
3578
3579 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580 &readbytes),
3581 SSL_READ_EARLY_DATA_SUCCESS)) {
3582 testresult = check_early_data_timeout(timer);
3583 goto end;
3584 }
3585
3586 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3587 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3588 SSL_EARLY_DATA_ACCEPTED))
3589 goto end;
3590
3591 /*
3592 * Server should be able to write data, and client should be able to
3593 * read it.
3594 */
3595 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3596 &written))
3597 || !TEST_size_t_eq(written, strlen(MSG2))
3598 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3599 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3600 goto end;
3601
3602 /* Even after reading normal data, client should be able write early data */
3603 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3604 &written))
3605 || !TEST_size_t_eq(written, strlen(MSG3)))
3606 goto end;
3607
3608 /* Server should still be able read early data after writing data */
3609 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3610 &readbytes),
3611 SSL_READ_EARLY_DATA_SUCCESS)
3612 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3613 goto end;
3614
3615 /* Write more data from server and read it from client */
3616 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3617 &written))
3618 || !TEST_size_t_eq(written, strlen(MSG4))
3619 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3620 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3621 goto end;
3622
3623 /*
3624 * If client writes normal data it should mean writing early data is no
3625 * longer possible.
3626 */
3627 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3628 || !TEST_size_t_eq(written, strlen(MSG5))
3629 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3630 SSL_EARLY_DATA_ACCEPTED))
3631 goto end;
3632
3633 /*
3634 * At this point the client has written EndOfEarlyData, ClientFinished and
3635 * normal (fully protected) data. We are going to cause a delay between the
3636 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3637 * in the read BIO, and then just put back the EndOfEarlyData message.
3638 */
3639 rbio = SSL_get_rbio(serverssl);
3640 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3641 || !TEST_size_t_lt(rawread, sizeof(data))
3642 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3643 goto end;
3644
3645 /* Record length is in the 4th and 5th bytes of the record header */
3646 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3647 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3648 || !TEST_size_t_eq(rawwritten, eoedlen))
3649 goto end;
3650
3651 /* Server should be told that there is no more early data */
3652 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3653 &readbytes),
3654 SSL_READ_EARLY_DATA_FINISH)
3655 || !TEST_size_t_eq(readbytes, 0))
3656 goto end;
3657
3658 /*
3659 * Server has not finished init yet, so should still be able to write early
3660 * data.
3661 */
3662 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3663 &written))
3664 || !TEST_size_t_eq(written, strlen(MSG6)))
3665 goto end;
3666
3667 /* Push the ClientFinished and the normal data back into the server rbio */
3668 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3669 &rawwritten))
3670 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3671 goto end;
3672
3673 /* Server should be able to read normal data */
3674 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3675 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3676 goto end;
3677
3678 /* Client and server should not be able to write/read early data now */
3679 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3680 &written)))
3681 goto end;
3682 ERR_clear_error();
3683 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3684 &readbytes),
3685 SSL_READ_EARLY_DATA_ERROR))
3686 goto end;
3687 ERR_clear_error();
3688
3689 /* Client should be able to read the data sent by the server */
3690 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3692 goto end;
3693
3694 /*
3695 * Make sure we process the two NewSessionTickets. These arrive
3696 * post-handshake. We attempt reads which we do not expect to return any
3697 * data.
3698 */
3699 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3700 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3701 &readbytes)))
3702 goto end;
3703
3704 /* Server should be able to write normal data */
3705 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3706 || !TEST_size_t_eq(written, strlen(MSG7))
3707 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3708 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3709 goto end;
3710
3711 SSL_SESSION_free(sess);
3712 sess = SSL_get1_session(clientssl);
3713 use_session_cb_cnt = 0;
3714 find_session_cb_cnt = 0;
3715
3716 SSL_shutdown(clientssl);
3717 SSL_shutdown(serverssl);
3718 SSL_free(serverssl);
3719 SSL_free(clientssl);
3720 serverssl = clientssl = NULL;
3721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3722 &clientssl, NULL, NULL))
3723 || !TEST_true(SSL_set_session(clientssl, sess)))
3724 goto end;
3725
3726 /* Write and read some early data */
3727 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3728 &written))
3729 || !TEST_size_t_eq(written, strlen(MSG1))
3730 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3731 &readbytes),
3732 SSL_READ_EARLY_DATA_SUCCESS)
3733 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3734 goto end;
3735
3736 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3737 || !TEST_int_gt(SSL_accept(serverssl), 0))
3738 goto end;
3739
3740 /* Client and server should not be able to write/read early data now */
3741 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3742 &written)))
3743 goto end;
3744 ERR_clear_error();
3745 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3746 &readbytes),
3747 SSL_READ_EARLY_DATA_ERROR))
3748 goto end;
3749 ERR_clear_error();
3750
3751 /* Client and server should be able to write/read normal data */
3752 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3753 || !TEST_size_t_eq(written, strlen(MSG5))
3754 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3755 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3756 goto end;
3757
3758 testresult = 1;
3759
3760 end:
3761 SSL_SESSION_free(sess);
3762 SSL_SESSION_free(clientpsk);
3763 SSL_SESSION_free(serverpsk);
3764 clientpsk = serverpsk = NULL;
3765 SSL_free(serverssl);
3766 SSL_free(clientssl);
3767 SSL_CTX_free(sctx);
3768 SSL_CTX_free(cctx);
3769 return testresult;
3770 }
3771
3772 static int allow_ed_cb_called = 0;
3773
allow_early_data_cb(SSL * s,void * arg)3774 static int allow_early_data_cb(SSL *s, void *arg)
3775 {
3776 int *usecb = (int *)arg;
3777
3778 allow_ed_cb_called++;
3779
3780 if (*usecb == 1)
3781 return 0;
3782
3783 return 1;
3784 }
3785
3786 /*
3787 * idx == 0: Standard early_data setup
3788 * idx == 1: early_data setup using read_ahead
3789 * usecb == 0: Don't use a custom early data callback
3790 * usecb == 1: Use a custom early data callback and reject the early data
3791 * usecb == 2: Use a custom early data callback and accept the early data
3792 * confopt == 0: Configure anti-replay directly
3793 * confopt == 1: Configure anti-replay using SSL_CONF
3794 */
test_early_data_replay_int(int idx,int usecb,int confopt)3795 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3796 {
3797 SSL_CTX *cctx = NULL, *sctx = NULL;
3798 SSL *clientssl = NULL, *serverssl = NULL;
3799 int testresult = 0;
3800 SSL_SESSION *sess = NULL;
3801 size_t readbytes, written;
3802 unsigned char buf[20];
3803 OSSL_TIME timer;
3804
3805 allow_ed_cb_called = 0;
3806
3807 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3808 TLS_client_method(), TLS1_VERSION, 0,
3809 &sctx, &cctx, cert, privkey)))
3810 return 0;
3811
3812 if (usecb > 0) {
3813 if (confopt == 0) {
3814 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3815 } else {
3816 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3817
3818 if (!TEST_ptr(confctx))
3819 goto end;
3820 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3821 | SSL_CONF_FLAG_SERVER);
3822 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3823 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3824 2)) {
3825 SSL_CONF_CTX_free(confctx);
3826 goto end;
3827 }
3828 SSL_CONF_CTX_free(confctx);
3829 }
3830 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3831 }
3832
3833 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3834 &serverssl, &sess, idx,
3835 SHA384_DIGEST_LENGTH)))
3836 goto end;
3837
3838 /*
3839 * The server is configured to accept early data. Create a connection to
3840 * "use up" the ticket
3841 */
3842 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3843 || !TEST_true(SSL_session_reused(clientssl)))
3844 goto end;
3845
3846 SSL_shutdown(clientssl);
3847 SSL_shutdown(serverssl);
3848 SSL_free(serverssl);
3849 SSL_free(clientssl);
3850 serverssl = clientssl = NULL;
3851
3852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3853 &clientssl, NULL, NULL))
3854 || !TEST_true(SSL_set_session(clientssl, sess)))
3855 goto end;
3856
3857 /* Write and read some early data */
3858 timer = ossl_time_now();
3859 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3860 &written))
3861 || !TEST_size_t_eq(written, strlen(MSG1)))
3862 goto end;
3863
3864 if (usecb <= 1) {
3865 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3866 &readbytes),
3867 SSL_READ_EARLY_DATA_FINISH)
3868 /*
3869 * The ticket was reused, so the we should have rejected the
3870 * early data
3871 */
3872 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3873 SSL_EARLY_DATA_REJECTED))
3874 goto end;
3875 } else {
3876 /* In this case the callback decides to accept the early data */
3877 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3878 &readbytes),
3879 SSL_READ_EARLY_DATA_SUCCESS)) {
3880 testresult = check_early_data_timeout(timer);
3881 goto end;
3882 }
3883 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3884 /*
3885 * Server will have sent its flight so client can now send
3886 * end of early data and complete its half of the handshake
3887 */
3888 || !TEST_int_gt(SSL_connect(clientssl), 0)
3889 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3890 &readbytes),
3891 SSL_READ_EARLY_DATA_FINISH)
3892 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3893 SSL_EARLY_DATA_ACCEPTED))
3894 goto end;
3895 }
3896
3897 /* Complete the connection */
3898 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3899 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3900 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3901 goto end;
3902
3903 testresult = 1;
3904
3905 end:
3906 SSL_SESSION_free(sess);
3907 SSL_SESSION_free(clientpsk);
3908 SSL_SESSION_free(serverpsk);
3909 clientpsk = serverpsk = NULL;
3910 SSL_free(serverssl);
3911 SSL_free(clientssl);
3912 SSL_CTX_free(sctx);
3913 SSL_CTX_free(cctx);
3914 return testresult;
3915 }
3916
test_early_data_replay(int idx)3917 static int test_early_data_replay(int idx)
3918 {
3919 int ret = 1, usecb, confopt;
3920
3921 for (usecb = 0; usecb < 3; usecb++) {
3922 for (confopt = 0; confopt < 2; confopt++)
3923 ret &= test_early_data_replay_int(idx, usecb, confopt);
3924 }
3925
3926 return ret;
3927 }
3928
3929 static const char *ciphersuites[] = {
3930 "TLS_AES_128_CCM_8_SHA256",
3931 "TLS_AES_128_GCM_SHA256",
3932 "TLS_AES_256_GCM_SHA384",
3933 "TLS_AES_128_CCM_SHA256",
3934 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3935 "TLS_CHACHA20_POLY1305_SHA256",
3936 #else
3937 NULL,
3938 #endif
3939 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3940 "TLS_SHA256_SHA256",
3941 "TLS_SHA384_SHA384"
3942 #endif
3943 };
3944
3945 /*
3946 * Helper function to test that a server attempting to read early data can
3947 * handle a connection from a client where the early data should be skipped.
3948 * testtype: 0 == No HRR
3949 * testtype: 1 == HRR
3950 * testtype: 2 == HRR, invalid early_data sent after HRR
3951 * testtype: 3 == recv_max_early_data set to 0
3952 */
early_data_skip_helper(int testtype,int cipher,int idx)3953 static int early_data_skip_helper(int testtype, int cipher, int idx)
3954 {
3955 SSL_CTX *cctx = NULL, *sctx = NULL;
3956 SSL *clientssl = NULL, *serverssl = NULL;
3957 int testresult = 0;
3958 SSL_SESSION *sess = NULL;
3959 unsigned char buf[20];
3960 size_t readbytes, written;
3961
3962 if (is_fips && cipher >= 4)
3963 return 1;
3964
3965 if (ciphersuites[cipher] == NULL)
3966 return TEST_skip("Cipher not supported");
3967
3968 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3969 TLS_client_method(),
3970 TLS1_VERSION, 0,
3971 &sctx, &cctx, cert, privkey)))
3972 goto end;
3973
3974 if (cipher == 0 || cipher == 5 || cipher == 6) {
3975 SSL_CTX_set_security_level(sctx, 0);
3976 SSL_CTX_set_security_level(cctx, 0);
3977 }
3978
3979 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3980 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3981 goto end;
3982
3983 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3984 &serverssl, &sess, idx,
3985 (cipher == 2 || cipher == 6)
3986 ? SHA384_DIGEST_LENGTH
3987 : SHA256_DIGEST_LENGTH)))
3988 goto end;
3989
3990 if (testtype == 1 || testtype == 2) {
3991 /* Force an HRR to occur */
3992 #if defined(OPENSSL_NO_EC)
3993 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3994 goto end;
3995 #else
3996 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3997 goto end;
3998 #endif
3999 } else if (idx == 2) {
4000 /*
4001 * We force early_data rejection by ensuring the PSK identity is
4002 * unrecognised
4003 */
4004 srvid = "Dummy Identity";
4005 } else {
4006 /*
4007 * Deliberately corrupt the creation time. We take 20 seconds off the
4008 * time. It could be any value as long as it is not within tolerance.
4009 * This should mean the ticket is rejected.
4010 */
4011 if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
4012 goto end;
4013 }
4014
4015 if (testtype == 3
4016 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4017 goto end;
4018
4019 /* Write some early data */
4020 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4021 &written))
4022 || !TEST_size_t_eq(written, strlen(MSG1)))
4023 goto end;
4024
4025 /* Server should reject the early data */
4026 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4027 &readbytes),
4028 SSL_READ_EARLY_DATA_FINISH)
4029 || !TEST_size_t_eq(readbytes, 0)
4030 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4031 SSL_EARLY_DATA_REJECTED))
4032 goto end;
4033
4034 switch (testtype) {
4035 case 0:
4036 /* Nothing to do */
4037 break;
4038
4039 case 1:
4040 /*
4041 * Finish off the handshake. We perform the same writes and reads as
4042 * further down but we expect them to fail due to the incomplete
4043 * handshake.
4044 */
4045 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4046 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4047 &readbytes)))
4048 goto end;
4049 break;
4050
4051 case 2:
4052 {
4053 BIO *wbio = SSL_get_wbio(clientssl);
4054 /* A record that will appear as bad early_data */
4055 const unsigned char bad_early_data[] = {
4056 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4057 };
4058
4059 /*
4060 * We force the client to attempt a write. This will fail because
4061 * we're still in the handshake. It will cause the second
4062 * ClientHello to be sent.
4063 */
4064 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4065 &written)))
4066 goto end;
4067
4068 /*
4069 * Inject some early_data after the second ClientHello. This should
4070 * cause the server to fail
4071 */
4072 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4073 sizeof(bad_early_data), &written)))
4074 goto end;
4075 }
4076 /* FALLTHROUGH */
4077
4078 case 3:
4079 /*
4080 * This client has sent more early_data than we are willing to skip
4081 * (case 3) or sent invalid early_data (case 2) so the connection should
4082 * abort.
4083 */
4084 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4085 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4086 goto end;
4087
4088 /* Connection has failed - nothing more to do */
4089 testresult = 1;
4090 goto end;
4091
4092 default:
4093 TEST_error("Invalid test type");
4094 goto end;
4095 }
4096
4097 ERR_clear_error();
4098 /*
4099 * Should be able to send normal data despite rejection of early data. The
4100 * early_data should be skipped.
4101 */
4102 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4103 || !TEST_size_t_eq(written, strlen(MSG2))
4104 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4105 SSL_EARLY_DATA_REJECTED)
4106 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4107 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4108 goto end;
4109
4110 /*
4111 * Failure to decrypt early data records should not leave spurious errors
4112 * on the error stack
4113 */
4114 if (!TEST_long_eq(ERR_peek_error(), 0))
4115 goto end;
4116
4117 testresult = 1;
4118
4119 end:
4120 SSL_SESSION_free(clientpsk);
4121 SSL_SESSION_free(serverpsk);
4122 clientpsk = serverpsk = NULL;
4123 SSL_SESSION_free(sess);
4124 SSL_free(serverssl);
4125 SSL_free(clientssl);
4126 SSL_CTX_free(sctx);
4127 SSL_CTX_free(cctx);
4128 return testresult;
4129 }
4130
4131 /*
4132 * Test that a server attempting to read early data can handle a connection
4133 * from a client where the early data is not acceptable.
4134 */
test_early_data_skip(int idx)4135 static int test_early_data_skip(int idx)
4136 {
4137 return early_data_skip_helper(0,
4138 idx % OSSL_NELEM(ciphersuites),
4139 idx / OSSL_NELEM(ciphersuites));
4140 }
4141
4142 /*
4143 * Test that a server attempting to read early data can handle a connection
4144 * from a client where an HRR occurs.
4145 */
test_early_data_skip_hrr(int idx)4146 static int test_early_data_skip_hrr(int idx)
4147 {
4148 return early_data_skip_helper(1,
4149 idx % OSSL_NELEM(ciphersuites),
4150 idx / OSSL_NELEM(ciphersuites));
4151 }
4152
4153 /*
4154 * Test that a server attempting to read early data can handle a connection
4155 * from a client where an HRR occurs and correctly fails if early_data is sent
4156 * after the HRR
4157 */
test_early_data_skip_hrr_fail(int idx)4158 static int test_early_data_skip_hrr_fail(int idx)
4159 {
4160 return early_data_skip_helper(2,
4161 idx % OSSL_NELEM(ciphersuites),
4162 idx / OSSL_NELEM(ciphersuites));
4163 }
4164
4165 /*
4166 * Test that a server attempting to read early data will abort if it tries to
4167 * skip over too much.
4168 */
test_early_data_skip_abort(int idx)4169 static int test_early_data_skip_abort(int idx)
4170 {
4171 return early_data_skip_helper(3,
4172 idx % OSSL_NELEM(ciphersuites),
4173 idx / OSSL_NELEM(ciphersuites));
4174 }
4175
4176 /*
4177 * Test that a server attempting to read early data can handle a connection
4178 * from a client that doesn't send any.
4179 */
test_early_data_not_sent(int idx)4180 static int test_early_data_not_sent(int idx)
4181 {
4182 SSL_CTX *cctx = NULL, *sctx = NULL;
4183 SSL *clientssl = NULL, *serverssl = NULL;
4184 int testresult = 0;
4185 SSL_SESSION *sess = NULL;
4186 unsigned char buf[20];
4187 size_t readbytes, written;
4188
4189 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4190 &serverssl, &sess, idx,
4191 SHA384_DIGEST_LENGTH)))
4192 goto end;
4193
4194 /* Write some data - should block due to handshake with server */
4195 SSL_set_connect_state(clientssl);
4196 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4197 goto end;
4198
4199 /* Server should detect that early data has not been sent */
4200 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4201 &readbytes),
4202 SSL_READ_EARLY_DATA_FINISH)
4203 || !TEST_size_t_eq(readbytes, 0)
4204 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4205 SSL_EARLY_DATA_NOT_SENT)
4206 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4207 SSL_EARLY_DATA_NOT_SENT))
4208 goto end;
4209
4210 /* Continue writing the message we started earlier */
4211 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4212 || !TEST_size_t_eq(written, strlen(MSG1))
4213 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4214 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4215 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4216 || !TEST_size_t_eq(written, strlen(MSG2)))
4217 goto end;
4218
4219 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4220 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4221 goto end;
4222
4223 testresult = 1;
4224
4225 end:
4226 SSL_SESSION_free(sess);
4227 SSL_SESSION_free(clientpsk);
4228 SSL_SESSION_free(serverpsk);
4229 clientpsk = serverpsk = NULL;
4230 SSL_free(serverssl);
4231 SSL_free(clientssl);
4232 SSL_CTX_free(sctx);
4233 SSL_CTX_free(cctx);
4234 return testresult;
4235 }
4236
4237 static const char *servalpn;
4238
alpn_select_cb(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)4239 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4240 unsigned char *outlen, const unsigned char *in,
4241 unsigned int inlen, void *arg)
4242 {
4243 unsigned int protlen = 0;
4244 const unsigned char *prot;
4245
4246 for (prot = in; prot < in + inlen; prot += protlen) {
4247 protlen = *prot++;
4248 if (in + inlen < prot + protlen)
4249 return SSL_TLSEXT_ERR_NOACK;
4250
4251 if (protlen == strlen(servalpn)
4252 && memcmp(prot, servalpn, protlen) == 0) {
4253 *out = prot;
4254 *outlen = protlen;
4255 return SSL_TLSEXT_ERR_OK;
4256 }
4257 }
4258
4259 return SSL_TLSEXT_ERR_NOACK;
4260 }
4261
4262 /* Test that a PSK can be used to send early_data */
test_early_data_psk(int idx)4263 static int test_early_data_psk(int idx)
4264 {
4265 SSL_CTX *cctx = NULL, *sctx = NULL;
4266 SSL *clientssl = NULL, *serverssl = NULL;
4267 int testresult = 0;
4268 SSL_SESSION *sess = NULL;
4269 unsigned char alpnlist[] = {
4270 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4271 'l', 'p', 'n'
4272 };
4273 #define GOODALPNLEN 9
4274 #define BADALPNLEN 8
4275 #define GOODALPN (alpnlist)
4276 #define BADALPN (alpnlist + GOODALPNLEN)
4277 int err = 0;
4278 unsigned char buf[20];
4279 size_t readbytes, written;
4280 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4281 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4282
4283 /* We always set this up with a final parameter of "2" for PSK */
4284 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4285 &serverssl, &sess, 2,
4286 SHA384_DIGEST_LENGTH)))
4287 goto end;
4288
4289 servalpn = "goodalpn";
4290
4291 /*
4292 * Note: There is no test for inconsistent SNI with late client detection.
4293 * This is because servers do not acknowledge SNI even if they are using
4294 * it in a resumption handshake - so it is not actually possible for a
4295 * client to detect a problem.
4296 */
4297 switch (idx) {
4298 case 0:
4299 /* Set inconsistent SNI (early client detection) */
4300 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4301 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4302 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4303 goto end;
4304 break;
4305
4306 case 1:
4307 /* Set inconsistent ALPN (early client detection) */
4308 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4309 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4310 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4311 GOODALPNLEN))
4312 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4313 BADALPNLEN)))
4314 goto end;
4315 break;
4316
4317 case 2:
4318 /*
4319 * Set invalid protocol version. Technically this affects PSKs without
4320 * early_data too, but we test it here because it is similar to the
4321 * SNI/ALPN consistency tests.
4322 */
4323 err = SSL_R_BAD_PSK;
4324 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4325 goto end;
4326 break;
4327
4328 case 3:
4329 /*
4330 * Set inconsistent SNI (server side). In this case the connection
4331 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4332 * is associated with each handshake - not the session. Therefore it
4333 * should not matter that we used a different server name last time.
4334 */
4335 SSL_SESSION_free(serverpsk);
4336 serverpsk = SSL_SESSION_dup(clientpsk);
4337 if (!TEST_ptr(serverpsk)
4338 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4339 goto end;
4340 /* Fall through */
4341 case 4:
4342 /* Set consistent SNI */
4343 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4344 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4345 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4346 hostname_cb)))
4347 goto end;
4348 break;
4349
4350 case 5:
4351 /*
4352 * Set inconsistent ALPN (server detected). In this case the connection
4353 * will succeed but reject early_data.
4354 */
4355 servalpn = "badalpn";
4356 edstatus = SSL_EARLY_DATA_REJECTED;
4357 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4358 /* Fall through */
4359 case 6:
4360 /*
4361 * Set consistent ALPN.
4362 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4363 * accepts a list of protos (each one length prefixed).
4364 * SSL_set1_alpn_selected accepts a single protocol (not length
4365 * prefixed)
4366 */
4367 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4368 GOODALPNLEN - 1))
4369 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4370 GOODALPNLEN)))
4371 goto end;
4372
4373 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4374 break;
4375
4376 case 7:
4377 /* Set inconsistent ALPN (late client detection) */
4378 SSL_SESSION_free(serverpsk);
4379 serverpsk = SSL_SESSION_dup(clientpsk);
4380 if (!TEST_ptr(serverpsk)
4381 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4382 BADALPN + 1,
4383 BADALPNLEN - 1))
4384 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4385 GOODALPN + 1,
4386 GOODALPNLEN - 1))
4387 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4388 sizeof(alpnlist))))
4389 goto end;
4390 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4391 edstatus = SSL_EARLY_DATA_ACCEPTED;
4392 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4393 /* SSL_connect() call should fail */
4394 connectres = -1;
4395 break;
4396
4397 default:
4398 TEST_error("Bad test index");
4399 goto end;
4400 }
4401
4402 SSL_set_connect_state(clientssl);
4403 if (err != 0) {
4404 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4405 &written))
4406 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4407 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4408 goto end;
4409 } else {
4410 OSSL_TIME timer = ossl_time_now();
4411
4412 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4413 &written)))
4414 goto end;
4415
4416 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4417 &readbytes), readearlyres)) {
4418 testresult = check_early_data_timeout(timer);
4419 goto end;
4420 }
4421
4422 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4423 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4424 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4425 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4426 goto end;
4427 }
4428
4429 testresult = 1;
4430
4431 end:
4432 SSL_SESSION_free(sess);
4433 SSL_SESSION_free(clientpsk);
4434 SSL_SESSION_free(serverpsk);
4435 clientpsk = serverpsk = NULL;
4436 SSL_free(serverssl);
4437 SSL_free(clientssl);
4438 SSL_CTX_free(sctx);
4439 SSL_CTX_free(cctx);
4440 return testresult;
4441 }
4442
4443 /*
4444 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
4445 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4446 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4447 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4448 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4449 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4450 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4451 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
4452 */
test_early_data_psk_with_all_ciphers(int idx)4453 static int test_early_data_psk_with_all_ciphers(int idx)
4454 {
4455 SSL_CTX *cctx = NULL, *sctx = NULL;
4456 SSL *clientssl = NULL, *serverssl = NULL;
4457 int testresult = 0;
4458 SSL_SESSION *sess = NULL;
4459 unsigned char buf[20];
4460 size_t readbytes, written;
4461 const SSL_CIPHER *cipher;
4462 OSSL_TIME timer;
4463 const char *cipher_str[] = {
4464 TLS1_3_RFC_AES_128_GCM_SHA256,
4465 TLS1_3_RFC_AES_256_GCM_SHA384,
4466 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4467 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4468 # else
4469 NULL,
4470 # endif
4471 TLS1_3_RFC_AES_128_CCM_SHA256,
4472 TLS1_3_RFC_AES_128_CCM_8_SHA256,
4473 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4474 TLS1_3_RFC_SHA256_SHA256,
4475 TLS1_3_RFC_SHA384_SHA384
4476 #else
4477 NULL,
4478 NULL
4479 #endif
4480 };
4481 const unsigned char *cipher_bytes[] = {
4482 TLS13_AES_128_GCM_SHA256_BYTES,
4483 TLS13_AES_256_GCM_SHA384_BYTES,
4484 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4485 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4486 # else
4487 NULL,
4488 # endif
4489 TLS13_AES_128_CCM_SHA256_BYTES,
4490 TLS13_AES_128_CCM_8_SHA256_BYTES,
4491 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4492 TLS13_SHA256_SHA256_BYTES,
4493 TLS13_SHA384_SHA384_BYTES
4494 #else
4495 NULL,
4496 NULL
4497 #endif
4498 };
4499
4500 if (cipher_str[idx] == NULL)
4501 return 1;
4502 /*
4503 * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4504 * as currently FIPS module does not support them.
4505 */
4506 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
4507 return 1;
4508
4509 /* We always set this up with a final parameter of "2" for PSK */
4510 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4511 &serverssl, &sess, 2,
4512 SHA384_DIGEST_LENGTH)))
4513 goto end;
4514
4515 if (idx == 4 || idx == 5 || idx == 6) {
4516 /*
4517 * CCM8 ciphers are considered low security due to their short tag.
4518 * Integrity-only cipher do not provide any confidentiality.
4519 */
4520 SSL_set_security_level(clientssl, 0);
4521 SSL_set_security_level(serverssl, 0);
4522 }
4523
4524 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4525 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4526 goto end;
4527
4528 /*
4529 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4530 * and assigns to both client and server with incremented reference
4531 * and the same instance is updated in 'sess'.
4532 * So updating ciphersuite in 'sess' which will get reflected in
4533 * PSK handshake using psk use sess and find sess cb.
4534 */
4535 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4536 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4537 goto end;
4538
4539 SSL_set_connect_state(clientssl);
4540 timer = ossl_time_now();
4541 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4542 &written)))
4543 goto end;
4544
4545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4546 &readbytes),
4547 SSL_READ_EARLY_DATA_SUCCESS)) {
4548 testresult = check_early_data_timeout(timer);
4549 goto end;
4550 }
4551
4552 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4553 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4554 SSL_EARLY_DATA_ACCEPTED)
4555 || !TEST_int_eq(SSL_connect(clientssl), 1)
4556 || !TEST_int_eq(SSL_accept(serverssl), 1))
4557 goto end;
4558
4559 /* Send some normal data from client to server */
4560 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4561 || !TEST_size_t_eq(written, strlen(MSG2)))
4562 goto end;
4563
4564 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4565 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4566 goto end;
4567
4568 testresult = 1;
4569 end:
4570 SSL_SESSION_free(sess);
4571 SSL_SESSION_free(clientpsk);
4572 SSL_SESSION_free(serverpsk);
4573 clientpsk = serverpsk = NULL;
4574 if (clientssl != NULL)
4575 SSL_shutdown(clientssl);
4576 if (serverssl != NULL)
4577 SSL_shutdown(serverssl);
4578 SSL_free(serverssl);
4579 SSL_free(clientssl);
4580 SSL_CTX_free(sctx);
4581 SSL_CTX_free(cctx);
4582 return testresult;
4583 }
4584
4585 /*
4586 * Test that a server that doesn't try to read early data can handle a
4587 * client sending some.
4588 */
test_early_data_not_expected(int idx)4589 static int test_early_data_not_expected(int idx)
4590 {
4591 SSL_CTX *cctx = NULL, *sctx = NULL;
4592 SSL *clientssl = NULL, *serverssl = NULL;
4593 int testresult = 0;
4594 SSL_SESSION *sess = NULL;
4595 unsigned char buf[20];
4596 size_t readbytes, written;
4597
4598 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4599 &serverssl, &sess, idx,
4600 SHA384_DIGEST_LENGTH)))
4601 goto end;
4602
4603 /* Write some early data */
4604 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4605 &written)))
4606 goto end;
4607
4608 /*
4609 * Server should skip over early data and then block waiting for client to
4610 * continue handshake
4611 */
4612 if (!TEST_int_le(SSL_accept(serverssl), 0)
4613 || !TEST_int_gt(SSL_connect(clientssl), 0)
4614 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4615 SSL_EARLY_DATA_REJECTED)
4616 || !TEST_int_gt(SSL_accept(serverssl), 0)
4617 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4618 SSL_EARLY_DATA_REJECTED))
4619 goto end;
4620
4621 /* Send some normal data from client to server */
4622 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4623 || !TEST_size_t_eq(written, strlen(MSG2)))
4624 goto end;
4625
4626 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4627 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4628 goto end;
4629
4630 testresult = 1;
4631
4632 end:
4633 SSL_SESSION_free(sess);
4634 SSL_SESSION_free(clientpsk);
4635 SSL_SESSION_free(serverpsk);
4636 clientpsk = serverpsk = NULL;
4637 SSL_free(serverssl);
4638 SSL_free(clientssl);
4639 SSL_CTX_free(sctx);
4640 SSL_CTX_free(cctx);
4641 return testresult;
4642 }
4643
4644
4645 # ifndef OPENSSL_NO_TLS1_2
4646 /*
4647 * Test that a server attempting to read early data can handle a connection
4648 * from a TLSv1.2 client.
4649 */
test_early_data_tls1_2(int idx)4650 static int test_early_data_tls1_2(int idx)
4651 {
4652 SSL_CTX *cctx = NULL, *sctx = NULL;
4653 SSL *clientssl = NULL, *serverssl = NULL;
4654 int testresult = 0;
4655 unsigned char buf[20];
4656 size_t readbytes, written;
4657
4658 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4659 &serverssl, NULL, idx,
4660 SHA384_DIGEST_LENGTH)))
4661 goto end;
4662
4663 /* Write some data - should block due to handshake with server */
4664 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4665 SSL_set_connect_state(clientssl);
4666 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4667 goto end;
4668
4669 /*
4670 * Server should do TLSv1.2 handshake. First it will block waiting for more
4671 * messages from client after ServerDone. Then SSL_read_early_data should
4672 * finish and detect that early data has not been sent
4673 */
4674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4675 &readbytes),
4676 SSL_READ_EARLY_DATA_ERROR))
4677 goto end;
4678
4679 /*
4680 * Continue writing the message we started earlier. Will still block waiting
4681 * for the CCS/Finished from server
4682 */
4683 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4684 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4685 &readbytes),
4686 SSL_READ_EARLY_DATA_FINISH)
4687 || !TEST_size_t_eq(readbytes, 0)
4688 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4689 SSL_EARLY_DATA_NOT_SENT))
4690 goto end;
4691
4692 /* Continue writing the message we started earlier */
4693 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4694 || !TEST_size_t_eq(written, strlen(MSG1))
4695 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4696 SSL_EARLY_DATA_NOT_SENT)
4697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4698 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4699 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4700 || !TEST_size_t_eq(written, strlen(MSG2))
4701 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4702 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4703 goto end;
4704
4705 testresult = 1;
4706
4707 end:
4708 SSL_SESSION_free(clientpsk);
4709 SSL_SESSION_free(serverpsk);
4710 clientpsk = serverpsk = NULL;
4711 SSL_free(serverssl);
4712 SSL_free(clientssl);
4713 SSL_CTX_free(sctx);
4714 SSL_CTX_free(cctx);
4715
4716 return testresult;
4717 }
4718 # endif /* OPENSSL_NO_TLS1_2 */
4719
4720 /*
4721 * Test configuring the TLSv1.3 ciphersuites
4722 *
4723 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4724 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4725 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4726 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4727 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4728 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4729 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4730 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4731 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4732 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4733 */
test_set_ciphersuite(int idx)4734 static int test_set_ciphersuite(int idx)
4735 {
4736 SSL_CTX *cctx = NULL, *sctx = NULL;
4737 SSL *clientssl = NULL, *serverssl = NULL;
4738 int testresult = 0;
4739
4740 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4741 TLS_client_method(), TLS1_VERSION, 0,
4742 &sctx, &cctx, cert, privkey))
4743 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4744 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4745 goto end;
4746
4747 if (idx >=4 && idx <= 7) {
4748 /* SSL_CTX explicit cipher list */
4749 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4750 goto end;
4751 }
4752
4753 if (idx == 0 || idx == 4) {
4754 /* Default ciphersuite */
4755 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4756 "TLS_AES_128_GCM_SHA256")))
4757 goto end;
4758 } else if (idx == 1 || idx == 5) {
4759 /* Non default ciphersuite */
4760 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4761 "TLS_AES_128_CCM_SHA256")))
4762 goto end;
4763 }
4764
4765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4766 &clientssl, NULL, NULL)))
4767 goto end;
4768
4769 if (idx == 8 || idx == 9) {
4770 /* SSL explicit cipher list */
4771 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4772 goto end;
4773 }
4774
4775 if (idx == 2 || idx == 6 || idx == 8) {
4776 /* Default ciphersuite */
4777 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4778 "TLS_AES_128_GCM_SHA256")))
4779 goto end;
4780 } else if (idx == 3 || idx == 7 || idx == 9) {
4781 /* Non default ciphersuite */
4782 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4783 "TLS_AES_128_CCM_SHA256")))
4784 goto end;
4785 }
4786
4787 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4788 goto end;
4789
4790 testresult = 1;
4791
4792 end:
4793 SSL_free(serverssl);
4794 SSL_free(clientssl);
4795 SSL_CTX_free(sctx);
4796 SSL_CTX_free(cctx);
4797
4798 return testresult;
4799 }
4800
test_ciphersuite_change(void)4801 static int test_ciphersuite_change(void)
4802 {
4803 SSL_CTX *cctx = NULL, *sctx = NULL;
4804 SSL *clientssl = NULL, *serverssl = NULL;
4805 SSL_SESSION *clntsess = NULL;
4806 int testresult = 0;
4807 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4808
4809 /* Create a session based on SHA-256 */
4810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4811 TLS_client_method(), TLS1_VERSION, 0,
4812 &sctx, &cctx, cert, privkey))
4813 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4814 "TLS_AES_128_GCM_SHA256:"
4815 "TLS_AES_256_GCM_SHA384:"
4816 "TLS_AES_128_CCM_SHA256"))
4817 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4818 "TLS_AES_128_GCM_SHA256")))
4819 goto end;
4820
4821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4822 NULL, NULL))
4823 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4824 SSL_ERROR_NONE)))
4825 goto end;
4826
4827 clntsess = SSL_get1_session(clientssl);
4828 /* Save for later */
4829 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4830 SSL_shutdown(clientssl);
4831 SSL_shutdown(serverssl);
4832 SSL_free(serverssl);
4833 SSL_free(clientssl);
4834 serverssl = clientssl = NULL;
4835
4836 /* Check we can resume a session with a different SHA-256 ciphersuite */
4837 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4838 "TLS_AES_128_CCM_SHA256"))
4839 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4840 &clientssl, NULL, NULL))
4841 || !TEST_true(SSL_set_session(clientssl, clntsess))
4842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4843 SSL_ERROR_NONE))
4844 || !TEST_true(SSL_session_reused(clientssl)))
4845 goto end;
4846
4847 SSL_SESSION_free(clntsess);
4848 clntsess = SSL_get1_session(clientssl);
4849 SSL_shutdown(clientssl);
4850 SSL_shutdown(serverssl);
4851 SSL_free(serverssl);
4852 SSL_free(clientssl);
4853 serverssl = clientssl = NULL;
4854
4855 /*
4856 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4857 * succeeds but does not resume.
4858 */
4859 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4860 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4861 NULL, NULL))
4862 || !TEST_true(SSL_set_session(clientssl, clntsess))
4863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4864 SSL_ERROR_SSL))
4865 || !TEST_false(SSL_session_reused(clientssl)))
4866 goto end;
4867
4868 SSL_SESSION_free(clntsess);
4869 clntsess = NULL;
4870 SSL_shutdown(clientssl);
4871 SSL_shutdown(serverssl);
4872 SSL_free(serverssl);
4873 SSL_free(clientssl);
4874 serverssl = clientssl = NULL;
4875
4876 /* Create a session based on SHA384 */
4877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4878 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4879 &clientssl, NULL, NULL))
4880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4881 SSL_ERROR_NONE)))
4882 goto end;
4883
4884 clntsess = SSL_get1_session(clientssl);
4885 SSL_shutdown(clientssl);
4886 SSL_shutdown(serverssl);
4887 SSL_free(serverssl);
4888 SSL_free(clientssl);
4889 serverssl = clientssl = NULL;
4890
4891 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4892 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4893 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4894 "TLS_AES_256_GCM_SHA384"))
4895 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4896 NULL, NULL))
4897 || !TEST_true(SSL_set_session(clientssl, clntsess))
4898 /*
4899 * We use SSL_ERROR_WANT_READ below so that we can pause the
4900 * connection after the initial ClientHello has been sent to
4901 * enable us to make some session changes.
4902 */
4903 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4904 SSL_ERROR_WANT_READ)))
4905 goto end;
4906
4907 /* Trick the client into thinking this session is for a different digest */
4908 clntsess->cipher = aes_128_gcm_sha256;
4909 clntsess->cipher_id = clntsess->cipher->id;
4910
4911 /*
4912 * Continue the previously started connection. Server has selected a SHA-384
4913 * ciphersuite, but client thinks the session is for SHA-256, so it should
4914 * bail out.
4915 */
4916 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4917 SSL_ERROR_SSL))
4918 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4919 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4920 goto end;
4921
4922 testresult = 1;
4923
4924 end:
4925 SSL_SESSION_free(clntsess);
4926 SSL_free(serverssl);
4927 SSL_free(clientssl);
4928 SSL_CTX_free(sctx);
4929 SSL_CTX_free(cctx);
4930
4931 return testresult;
4932 }
4933
4934 /*
4935 * Test TLSv1.3 Key exchange
4936 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4937 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4938 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4939 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4940 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4941 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4942 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4943 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4944 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4945 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4946 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4947 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4948 * Test 12 = Test all ML-KEM with TLSv1.3 client and server
4949 * Test 13 = Test MLKEM512
4950 * Test 14 = Test MLKEM768
4951 * Test 15 = Test MLKEM1024
4952 * Test 16 = Test X25519MLKEM768
4953 * Test 17 = Test SecP256r1MLKEM768
4954 * Test 18 = Test SecP384r1MLKEM1024
4955 * Test 19 = Test all ML-KEM with TLSv1.2 client and server
4956 * Test 20 = Test all FFDHE with TLSv1.2 client and server
4957 * Test 21 = Test all ECDHE with TLSv1.2 client and server
4958 */
4959 # ifndef OPENSSL_NO_EC
4960 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4961 NID_secp521r1,
4962 # ifndef OPENSSL_NO_ECX
4963 NID_X25519, NID_X448
4964 # endif
4965 };
4966 # endif
4967 # ifndef OPENSSL_NO_DH
4968 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4969 NID_ffdhe6144, NID_ffdhe8192};
4970 # endif
test_key_exchange(int idx)4971 static int test_key_exchange(int idx)
4972 {
4973 SSL_CTX *sctx = NULL, *cctx = NULL;
4974 SSL *serverssl = NULL, *clientssl = NULL;
4975 int testresult = 0;
4976 int kexch_alg = NID_undef;
4977 int *kexch_groups = &kexch_alg;
4978 int kexch_groups_size = 1;
4979 int max_version = TLS1_3_VERSION;
4980 char *kexch_name0 = NULL;
4981 const char *kexch_names = NULL;
4982 int shared_group0;
4983
4984 switch (idx) {
4985 # ifndef OPENSSL_NO_EC
4986 # ifndef OPENSSL_NO_TLS1_2
4987 case 21:
4988 max_version = TLS1_2_VERSION;
4989 # endif
4990 /* Fall through */
4991 case 0:
4992 kexch_groups = ecdhe_kexch_groups;
4993 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4994 kexch_name0 = "secp256r1";
4995 break;
4996 case 1:
4997 kexch_alg = NID_X9_62_prime256v1;
4998 kexch_name0 = "secp256r1";
4999 break;
5000 case 2:
5001 kexch_alg = NID_secp384r1;
5002 kexch_name0 = "secp384r1";
5003 break;
5004 case 3:
5005 kexch_alg = NID_secp521r1;
5006 kexch_name0 = "secp521r1";
5007 break;
5008 # ifndef OPENSSL_NO_ECX
5009 case 4:
5010 if (is_fips)
5011 return TEST_skip("X25519 might not be supported by fips provider.");
5012 kexch_alg = NID_X25519;
5013 kexch_name0 = "x25519";
5014 break;
5015 case 5:
5016 if (is_fips)
5017 return TEST_skip("X448 might not be supported by fips provider.");
5018 kexch_alg = NID_X448;
5019 kexch_name0 = "x448";
5020 break;
5021 # endif
5022 # endif
5023 # ifndef OPENSSL_NO_DH
5024 # ifndef OPENSSL_NO_TLS1_2
5025 case 20:
5026 max_version = TLS1_2_VERSION;
5027 kexch_name0 = "ffdhe2048";
5028 # endif
5029 /* Fall through */
5030 case 6:
5031 kexch_groups = ffdhe_kexch_groups;
5032 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5033 kexch_name0 = "ffdhe2048";
5034 break;
5035 case 7:
5036 kexch_alg = NID_ffdhe2048;
5037 kexch_name0 = "ffdhe2048";
5038 break;
5039 case 8:
5040 kexch_alg = NID_ffdhe3072;
5041 kexch_name0 = "ffdhe3072";
5042 break;
5043 case 9:
5044 kexch_alg = NID_ffdhe4096;
5045 kexch_name0 = "ffdhe4096";
5046 break;
5047 case 10:
5048 kexch_alg = NID_ffdhe6144;
5049 kexch_name0 = "ffdhe6144";
5050 break;
5051 case 11:
5052 kexch_alg = NID_ffdhe8192;
5053 kexch_name0 = "ffdhe8192";
5054 break;
5055 # endif
5056 # ifndef OPENSSL_NO_ML_KEM
5057 # if !defined(OPENSSL_NO_TLS1_2)
5058 case 19:
5059 max_version = TLS1_2_VERSION;
5060 # if !defined(OPENSSL_NO_EC)
5061 /* Set at least one EC group so the handshake completes */
5062 kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
5063 # elif !defined(OPENSSL_NO_DH)
5064 kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5065 # else
5066 /* With neither EC nor DH TLS 1.2 can't happen */
5067 return 1;
5068 # endif
5069 # endif
5070 /* Fall through */
5071 case 12:
5072 kexch_groups = NULL;
5073 if (kexch_names == NULL)
5074 kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5075 kexch_name0 = "MLKEM512";
5076 break;
5077 case 13:
5078 kexch_groups = NULL;
5079 kexch_name0 = "MLKEM512";
5080 kexch_names = kexch_name0;
5081 break;
5082 case 14:
5083 kexch_groups = NULL;
5084 kexch_name0 = "MLKEM768";
5085 kexch_names = kexch_name0;
5086 break;
5087 case 15:
5088 kexch_groups = NULL;
5089 kexch_name0 = "MLKEM1024";
5090 kexch_names = kexch_name0;
5091 break;
5092 # ifndef OPENSSL_NO_EC
5093 # ifndef OPENSSL_NO_ECX
5094 case 16:
5095 kexch_groups = NULL;
5096 kexch_name0 = "X25519MLKEM768";
5097 kexch_names = kexch_name0;
5098 break;
5099 # endif
5100 case 17:
5101 kexch_groups = NULL;
5102 kexch_name0 = "SecP256r1MLKEM768";
5103 kexch_names = kexch_name0;
5104 break;
5105 case 18:
5106 kexch_groups = NULL;
5107 kexch_name0 = "SecP384r1MLKEM1024";
5108 kexch_names = kexch_name0;
5109 break;
5110 # endif
5111 # endif
5112 default:
5113 /* We're skipping this test */
5114 return 1;
5115 }
5116
5117 if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
5118 && idx >= 12 && idx <= 19)
5119 return TEST_skip("ML-KEM not supported in this version of fips provider");
5120
5121 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5122 TLS_client_method(), TLS1_VERSION,
5123 max_version, &sctx, &cctx, cert,
5124 privkey)))
5125 goto end;
5126
5127 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5128 TLS1_3_RFC_AES_128_GCM_SHA256)))
5129 goto end;
5130
5131 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5132 TLS1_3_RFC_AES_128_GCM_SHA256)))
5133 goto end;
5134
5135 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5136 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5137 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5138 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5139 goto end;
5140
5141 /*
5142 * Must include an EC ciphersuite so that we send supported groups in
5143 * TLSv1.2
5144 */
5145 # ifndef OPENSSL_NO_TLS1_2
5146 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5147 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5148 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5149 goto end;
5150 # endif
5151
5152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5153 NULL, NULL)))
5154 goto end;
5155
5156 if (kexch_groups != NULL) {
5157 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5158 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5159 goto end;
5160 } else {
5161 if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
5162 || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
5163 goto end;
5164 }
5165
5166 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5167 goto end;
5168
5169 /*
5170 * If the handshake succeeds the negotiated kexch alg should be the first
5171 * one in configured, except in the case of "all" FFDHE and "all" ML-KEM
5172 * groups (idx == 19, 20), which are TLSv1.3 only so we expect no shared
5173 * group to exist.
5174 */
5175 shared_group0 = SSL_get_shared_group(serverssl, 0);
5176 switch (idx) {
5177 case 19:
5178 # if !defined(OPENSSL_NO_EC)
5179 /* MLKEM + TLS 1.2 and no DH => "secp526r1" */
5180 if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
5181 goto end;
5182 break;
5183 # endif
5184 /* Fall through */
5185 case 20:
5186 if (!TEST_int_eq(shared_group0, 0))
5187 goto end;
5188 break;
5189 default:
5190 if (kexch_groups != NULL
5191 && !TEST_int_eq(shared_group0, kexch_groups[0]))
5192 goto end;
5193 if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
5194 kexch_name0))
5195 goto end;
5196 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5197 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5198 goto end;
5199 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
5200 goto end;
5201 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
5202 goto end;
5203 break;
5204 }
5205
5206 testresult = 1;
5207 end:
5208 SSL_free(serverssl);
5209 SSL_free(clientssl);
5210 SSL_CTX_free(sctx);
5211 SSL_CTX_free(cctx);
5212 return testresult;
5213 }
5214
5215 # if !defined(OPENSSL_NO_TLS1_2) \
5216 && !defined(OPENSSL_NO_EC) \
5217 && !defined(OPENSSL_NO_DH)
set_ssl_groups(SSL * serverssl,SSL * clientssl,int clientmulti,int isecdhe,int idx)5218 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5219 int isecdhe, int idx)
5220 {
5221 int kexch_alg;
5222 int *kexch_groups = &kexch_alg;
5223 int numec, numff;
5224
5225 numec = OSSL_NELEM(ecdhe_kexch_groups);
5226 numff = OSSL_NELEM(ffdhe_kexch_groups);
5227 if (isecdhe)
5228 kexch_alg = ecdhe_kexch_groups[idx];
5229 else
5230 kexch_alg = ffdhe_kexch_groups[idx];
5231
5232 if (clientmulti) {
5233 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5234 return 0;
5235 if (isecdhe) {
5236 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5237 numec)))
5238 return 0;
5239 } else {
5240 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5241 numff)))
5242 return 0;
5243 }
5244 } else {
5245 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5246 return 0;
5247 if (isecdhe) {
5248 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5249 numec)))
5250 return 0;
5251 } else {
5252 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5253 numff)))
5254 return 0;
5255 }
5256 }
5257 return 1;
5258 }
5259
5260 /*-
5261 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5262 * Run through both the ECDHE and FFDHE group lists used in the previous
5263 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5264 * confirming the expected result; then perform a resumption handshake
5265 * while offering the same group list, and another resumption handshake
5266 * offering a different group list. The returned value should be the
5267 * negotiated group for the initial handshake; for TLS 1.3 resumption
5268 * handshakes the returned value will be negotiated on the resumption
5269 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5270 * be cached in the session from the original handshake, regardless of what
5271 * was offered in the resumption ClientHello.
5272 *
5273 * Using E for the number of EC groups and F for the number of FF groups:
5274 * E tests of ECDHE with TLS 1.3, server only has one group
5275 * F tests of FFDHE with TLS 1.3, server only has one group
5276 * E tests of ECDHE with TLS 1.2, server only has one group
5277 * F tests of FFDHE with TLS 1.2, server only has one group
5278 * E tests of ECDHE with TLS 1.3, client sends only one group
5279 * F tests of FFDHE with TLS 1.3, client sends only one group
5280 * E tests of ECDHE with TLS 1.2, client sends only one group
5281 * F tests of FFDHE with TLS 1.2, client sends only one group
5282 */
test_negotiated_group(int idx)5283 static int test_negotiated_group(int idx)
5284 {
5285 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5286 int expectednid;
5287 SSL_CTX *sctx = NULL, *cctx = NULL;
5288 SSL *serverssl = NULL, *clientssl = NULL;
5289 SSL_SESSION *origsess = NULL;
5290 int testresult = 0;
5291 int kexch_alg;
5292 int max_version = TLS1_3_VERSION;
5293
5294 numec = OSSL_NELEM(ecdhe_kexch_groups);
5295 numff = OSSL_NELEM(ffdhe_kexch_groups);
5296 numgroups = numec + numff;
5297 clientmulti = (idx < 2 * numgroups);
5298 idx = idx % (2 * numgroups);
5299 istls13 = (idx < numgroups);
5300 idx = idx % numgroups;
5301 isecdhe = (idx < numec);
5302 if (!isecdhe)
5303 idx -= numec;
5304 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5305 if (isecdhe)
5306 kexch_alg = ecdhe_kexch_groups[idx];
5307 else
5308 kexch_alg = ffdhe_kexch_groups[idx];
5309 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5310 if (!istls13 && !isecdhe)
5311 expectednid = NID_undef;
5312 else
5313 expectednid = kexch_alg;
5314
5315 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5316 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5317
5318 if (!istls13)
5319 max_version = TLS1_2_VERSION;
5320
5321 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5322 TLS_client_method(), TLS1_VERSION,
5323 max_version, &sctx, &cctx, cert,
5324 privkey)))
5325 goto end;
5326
5327 /*
5328 * Force (EC)DHE ciphers for TLS 1.2.
5329 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5330 */
5331 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5332 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5333 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5334 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5335 goto end;
5336 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5337 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5338 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5339 goto end;
5340
5341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5342 NULL, NULL)))
5343 goto end;
5344
5345 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5346 idx)))
5347 goto end;
5348
5349 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5350 goto end;
5351
5352 /* Initial handshake; always the configured one */
5353 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5354 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5355 goto end;
5356
5357 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5358 goto end;
5359
5360 SSL_shutdown(clientssl);
5361 SSL_shutdown(serverssl);
5362 SSL_free(serverssl);
5363 SSL_free(clientssl);
5364 serverssl = clientssl = NULL;
5365
5366 /* First resumption attempt; use the same config as initial handshake */
5367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5368 NULL, NULL))
5369 || !TEST_true(SSL_set_session(clientssl, origsess))
5370 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5371 isecdhe, idx)))
5372 goto end;
5373
5374 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5375 || !TEST_true(SSL_session_reused(clientssl)))
5376 goto end;
5377
5378 /* Still had better agree, since nothing changed... */
5379 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5380 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5381 goto end;
5382
5383 SSL_shutdown(clientssl);
5384 SSL_shutdown(serverssl);
5385 SSL_free(serverssl);
5386 SSL_free(clientssl);
5387 serverssl = clientssl = NULL;
5388
5389 /*-
5390 * Second resumption attempt
5391 * The party that picks one group changes it, which we effectuate by
5392 * changing 'idx' and updating what we expect.
5393 */
5394 if (idx == 0)
5395 idx = 1;
5396 else
5397 idx--;
5398 if (istls13) {
5399 if (isecdhe)
5400 expectednid = ecdhe_kexch_groups[idx];
5401 else
5402 expectednid = ffdhe_kexch_groups[idx];
5403 /* Verify that we are changing what we expect. */
5404 if (!TEST_int_ne(expectednid, kexch_alg))
5405 goto end;
5406 } else {
5407 /* TLS 1.2 only supports named groups for ECDHE. */
5408 if (isecdhe)
5409 expectednid = kexch_alg;
5410 else
5411 expectednid = 0;
5412 }
5413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5414 NULL, NULL))
5415 || !TEST_true(SSL_set_session(clientssl, origsess))
5416 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5417 isecdhe, idx)))
5418 goto end;
5419
5420 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5421 || !TEST_true(SSL_session_reused(clientssl)))
5422 goto end;
5423
5424 /* Check that we get what we expected */
5425 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5426 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5427 goto end;
5428
5429 testresult = 1;
5430 end:
5431 SSL_free(serverssl);
5432 SSL_free(clientssl);
5433 SSL_CTX_free(sctx);
5434 SSL_CTX_free(cctx);
5435 SSL_SESSION_free(origsess);
5436 return testresult;
5437 }
5438 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5439
5440 /*
5441 * Test TLSv1.3 Cipher Suite
5442 * Test 0 = Set TLS1.3 cipher on context
5443 * Test 1 = Set TLS1.3 cipher on SSL
5444 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5445 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5446 */
test_tls13_ciphersuite(int idx)5447 static int test_tls13_ciphersuite(int idx)
5448 {
5449 SSL_CTX *sctx = NULL, *cctx = NULL;
5450 SSL *serverssl = NULL, *clientssl = NULL;
5451 static const struct {
5452 const char *ciphername;
5453 int fipscapable;
5454 int low_security;
5455 } t13_ciphers[] = {
5456 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5457 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5458 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5459 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5460 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5461 { TLS1_3_RFC_AES_256_GCM_SHA384
5462 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5463 # endif
5464 /* CCM8 ciphers are considered low security due to their short tag */
5465 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5466 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
5467 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5468 /* Integrity-only cipher do not provide any confidentiality */
5469 { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5470 { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5471 # endif
5472 };
5473 const char *t13_cipher = NULL;
5474 const char *t12_cipher = NULL;
5475 const char *negotiated_scipher;
5476 const char *negotiated_ccipher;
5477 int set_at_ctx = 0;
5478 int set_at_ssl = 0;
5479 int testresult = 0;
5480 int max_ver;
5481 size_t i;
5482
5483 switch (idx) {
5484 case 0:
5485 set_at_ctx = 1;
5486 break;
5487 case 1:
5488 set_at_ssl = 1;
5489 break;
5490 case 2:
5491 set_at_ctx = 1;
5492 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5493 break;
5494 case 3:
5495 set_at_ssl = 1;
5496 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5497 break;
5498 }
5499
5500 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5501 # ifdef OPENSSL_NO_TLS1_2
5502 if (max_ver == TLS1_2_VERSION)
5503 continue;
5504 # endif
5505 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5506 if (is_fips && !t13_ciphers[i].fipscapable)
5507 continue;
5508 t13_cipher = t13_ciphers[i].ciphername;
5509 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5510 TLS_client_method(),
5511 TLS1_VERSION, max_ver,
5512 &sctx, &cctx, cert, privkey)))
5513 goto end;
5514
5515 if (t13_ciphers[i].low_security) {
5516 SSL_CTX_set_security_level(sctx, 0);
5517 SSL_CTX_set_security_level(cctx, 0);
5518 }
5519
5520 if (set_at_ctx) {
5521 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5522 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5523 goto end;
5524 if (t12_cipher != NULL) {
5525 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5526 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5527 t12_cipher)))
5528 goto end;
5529 }
5530 }
5531
5532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5533 &clientssl, NULL, NULL)))
5534 goto end;
5535
5536 if (set_at_ssl) {
5537 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5538 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5539 goto end;
5540 if (t12_cipher != NULL) {
5541 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5542 || !TEST_true(SSL_set_cipher_list(clientssl,
5543 t12_cipher)))
5544 goto end;
5545 }
5546 }
5547
5548 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5549 SSL_ERROR_NONE)))
5550 goto end;
5551
5552 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5553 serverssl));
5554 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5555 clientssl));
5556 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5557 goto end;
5558
5559 /*
5560 * TEST_strn_eq is used below because t13_cipher can contain
5561 * multiple ciphersuites
5562 */
5563 if (max_ver == TLS1_3_VERSION
5564 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5565 strlen(negotiated_scipher)))
5566 goto end;
5567
5568 # ifndef OPENSSL_NO_TLS1_2
5569 /* Below validation is not done when t12_cipher is NULL */
5570 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5571 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5572 goto end;
5573 # endif
5574
5575 SSL_free(serverssl);
5576 serverssl = NULL;
5577 SSL_free(clientssl);
5578 clientssl = NULL;
5579 SSL_CTX_free(sctx);
5580 sctx = NULL;
5581 SSL_CTX_free(cctx);
5582 cctx = NULL;
5583 }
5584 }
5585
5586 testresult = 1;
5587 end:
5588 SSL_free(serverssl);
5589 SSL_free(clientssl);
5590 SSL_CTX_free(sctx);
5591 SSL_CTX_free(cctx);
5592 return testresult;
5593 }
5594
5595 /*
5596 * Test TLSv1.3 PSKs
5597 * Test 0 = Test new style callbacks
5598 * Test 1 = Test both new and old style callbacks
5599 * Test 2 = Test old style callbacks
5600 * Test 3 = Test old style callbacks with no certificate
5601 */
test_tls13_psk(int idx)5602 static int test_tls13_psk(int idx)
5603 {
5604 SSL_CTX *sctx = NULL, *cctx = NULL;
5605 SSL *serverssl = NULL, *clientssl = NULL;
5606 const SSL_CIPHER *cipher = NULL;
5607 const unsigned char key[] = {
5608 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5609 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5610 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5611 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5612 };
5613 int testresult = 0;
5614
5615 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5616 TLS_client_method(), TLS1_VERSION, 0,
5617 &sctx, &cctx, idx == 3 ? NULL : cert,
5618 idx == 3 ? NULL : privkey)))
5619 goto end;
5620
5621 if (idx != 3) {
5622 /*
5623 * We use a ciphersuite with SHA256 to ease testing old style PSK
5624 * callbacks which will always default to SHA256. This should not be
5625 * necessary if we have no cert/priv key. In that case the server should
5626 * prefer SHA256 automatically.
5627 */
5628 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5629 "TLS_AES_128_GCM_SHA256")))
5630 goto end;
5631 } else {
5632 /*
5633 * As noted above the server should prefer SHA256 automatically. However
5634 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5635 * code works even if we are testing with only the FIPS provider loaded.
5636 */
5637 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5638 "TLS_AES_256_GCM_SHA384:"
5639 "TLS_AES_128_GCM_SHA256")))
5640 goto end;
5641 }
5642
5643 /*
5644 * Test 0: New style callbacks only
5645 * Test 1: New and old style callbacks (only the new ones should be used)
5646 * Test 2: Old style callbacks only
5647 */
5648 if (idx == 0 || idx == 1) {
5649 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5650 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5651 }
5652 #ifndef OPENSSL_NO_PSK
5653 if (idx >= 1) {
5654 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5655 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5656 }
5657 #endif
5658 srvid = pskid;
5659 use_session_cb_cnt = 0;
5660 find_session_cb_cnt = 0;
5661 psk_client_cb_cnt = 0;
5662 psk_server_cb_cnt = 0;
5663
5664 if (idx != 3) {
5665 /*
5666 * Check we can create a connection if callback decides not to send a
5667 * PSK
5668 */
5669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5670 NULL, NULL))
5671 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5672 SSL_ERROR_NONE))
5673 || !TEST_false(SSL_session_reused(clientssl))
5674 || !TEST_false(SSL_session_reused(serverssl)))
5675 goto end;
5676
5677 if (idx == 0 || idx == 1) {
5678 if (!TEST_true(use_session_cb_cnt == 1)
5679 || !TEST_true(find_session_cb_cnt == 0)
5680 /*
5681 * If no old style callback then below should be 0
5682 * otherwise 1
5683 */
5684 || !TEST_true(psk_client_cb_cnt == idx)
5685 || !TEST_true(psk_server_cb_cnt == 0))
5686 goto end;
5687 } else {
5688 if (!TEST_true(use_session_cb_cnt == 0)
5689 || !TEST_true(find_session_cb_cnt == 0)
5690 || !TEST_true(psk_client_cb_cnt == 1)
5691 || !TEST_true(psk_server_cb_cnt == 0))
5692 goto end;
5693 }
5694
5695 shutdown_ssl_connection(serverssl, clientssl);
5696 serverssl = clientssl = NULL;
5697 use_session_cb_cnt = psk_client_cb_cnt = 0;
5698 }
5699
5700 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5701 NULL, NULL)))
5702 goto end;
5703
5704 /* Create the PSK */
5705 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5706 clientpsk = SSL_SESSION_new();
5707 if (!TEST_ptr(clientpsk)
5708 || !TEST_ptr(cipher)
5709 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5710 sizeof(key)))
5711 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5712 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5713 TLS1_3_VERSION))
5714 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5715 goto end;
5716 serverpsk = clientpsk;
5717
5718 /* Check we can create a connection and the PSK is used */
5719 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5720 || !TEST_true(SSL_session_reused(clientssl))
5721 || !TEST_true(SSL_session_reused(serverssl)))
5722 goto end;
5723
5724 if (idx == 0 || idx == 1) {
5725 if (!TEST_true(use_session_cb_cnt == 1)
5726 || !TEST_true(find_session_cb_cnt == 1)
5727 || !TEST_true(psk_client_cb_cnt == 0)
5728 || !TEST_true(psk_server_cb_cnt == 0))
5729 goto end;
5730 } else {
5731 if (!TEST_true(use_session_cb_cnt == 0)
5732 || !TEST_true(find_session_cb_cnt == 0)
5733 || !TEST_true(psk_client_cb_cnt == 1)
5734 || !TEST_true(psk_server_cb_cnt == 1))
5735 goto end;
5736 }
5737
5738 shutdown_ssl_connection(serverssl, clientssl);
5739 serverssl = clientssl = NULL;
5740 use_session_cb_cnt = find_session_cb_cnt = 0;
5741 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5742
5743 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5744 NULL, NULL)))
5745 goto end;
5746
5747 /* Force an HRR */
5748 #if defined(OPENSSL_NO_EC)
5749 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5750 goto end;
5751 #else
5752 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5753 goto end;
5754 #endif
5755
5756 /*
5757 * Check we can create a connection, the PSK is used and the callbacks are
5758 * called twice.
5759 */
5760 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5761 || !TEST_true(SSL_session_reused(clientssl))
5762 || !TEST_true(SSL_session_reused(serverssl)))
5763 goto end;
5764
5765 if (idx == 0 || idx == 1) {
5766 if (!TEST_true(use_session_cb_cnt == 2)
5767 || !TEST_true(find_session_cb_cnt == 2)
5768 || !TEST_true(psk_client_cb_cnt == 0)
5769 || !TEST_true(psk_server_cb_cnt == 0))
5770 goto end;
5771 } else {
5772 if (!TEST_true(use_session_cb_cnt == 0)
5773 || !TEST_true(find_session_cb_cnt == 0)
5774 || !TEST_true(psk_client_cb_cnt == 2)
5775 || !TEST_true(psk_server_cb_cnt == 2))
5776 goto end;
5777 }
5778
5779 shutdown_ssl_connection(serverssl, clientssl);
5780 serverssl = clientssl = NULL;
5781 use_session_cb_cnt = find_session_cb_cnt = 0;
5782 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5783
5784 if (idx != 3) {
5785 /*
5786 * Check that if the server rejects the PSK we can still connect, but with
5787 * a full handshake
5788 */
5789 srvid = "Dummy Identity";
5790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5791 NULL, NULL))
5792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5793 SSL_ERROR_NONE))
5794 || !TEST_false(SSL_session_reused(clientssl))
5795 || !TEST_false(SSL_session_reused(serverssl)))
5796 goto end;
5797
5798 if (idx == 0 || idx == 1) {
5799 if (!TEST_true(use_session_cb_cnt == 1)
5800 || !TEST_true(find_session_cb_cnt == 1)
5801 || !TEST_true(psk_client_cb_cnt == 0)
5802 /*
5803 * If no old style callback then below should be 0
5804 * otherwise 1
5805 */
5806 || !TEST_true(psk_server_cb_cnt == idx))
5807 goto end;
5808 } else {
5809 if (!TEST_true(use_session_cb_cnt == 0)
5810 || !TEST_true(find_session_cb_cnt == 0)
5811 || !TEST_true(psk_client_cb_cnt == 1)
5812 || !TEST_true(psk_server_cb_cnt == 1))
5813 goto end;
5814 }
5815
5816 shutdown_ssl_connection(serverssl, clientssl);
5817 serverssl = clientssl = NULL;
5818 }
5819 testresult = 1;
5820
5821 end:
5822 SSL_SESSION_free(clientpsk);
5823 SSL_SESSION_free(serverpsk);
5824 clientpsk = serverpsk = NULL;
5825 SSL_free(serverssl);
5826 SSL_free(clientssl);
5827 SSL_CTX_free(sctx);
5828 SSL_CTX_free(cctx);
5829 return testresult;
5830 }
5831
5832 #ifndef OSSL_NO_USABLE_TLS1_3
5833 /*
5834 * Test TLS1.3 connection establishment succeeds with various configurations of
5835 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5836 * The verification of whether the right KEX mode is chosen is not covered by
5837 * this test but by `test_tls13kexmodes`.
5838 *
5839 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5840 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5841 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5842 */
test_tls13_no_dhe_kex(const int idx)5843 static int test_tls13_no_dhe_kex(const int idx)
5844 {
5845 SSL_CTX *sctx = NULL, *cctx = NULL;
5846 SSL *serverssl = NULL, *clientssl = NULL;
5847 int testresult = 0;
5848 size_t j;
5849 SSL_SESSION *saved_session;
5850
5851 int server_allow_no_dhe = (idx & 1) != 0;
5852 int server_prefer_no_dhe = (idx & 2) != 0;
5853 int client_allow_no_dhe = (idx & 4) != 0;
5854
5855 uint64_t server_options = 0
5856 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5857 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5858
5859 uint64_t client_options = 0
5860 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5861
5862 new_called = 0;
5863 do_cache = 1;
5864
5865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5866 TLS_client_method(), TLS1_3_VERSION, 0,
5867 &sctx, &cctx, cert, privkey)))
5868 goto end;
5869
5870 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5871 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5872
5873 SSL_CTX_set_options(sctx, server_options);
5874 SSL_CTX_set_options(cctx, client_options);
5875
5876 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5877
5878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5879 &clientssl, NULL, NULL)))
5880 goto end;
5881
5882 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5883 SSL_ERROR_NONE))
5884 /* Check we got the number of tickets we were expecting */
5885 || !TEST_int_eq(2, new_called))
5886 goto end;
5887
5888 /* We'll reuse the last ticket. */
5889 saved_session = sesscache[new_called - 1];
5890
5891 SSL_shutdown(clientssl);
5892 SSL_shutdown(serverssl);
5893 SSL_free(serverssl);
5894 SSL_free(clientssl);
5895 SSL_CTX_free(cctx);
5896 clientssl = serverssl = NULL;
5897 cctx = NULL;
5898
5899 /*
5900 * Now we resume with the last ticket we created.
5901 */
5902
5903 /* The server context already exists, so we only create the client. */
5904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5905 TLS_client_method(), TLS1_3_VERSION, 0,
5906 NULL, &cctx, cert, privkey)))
5907 goto end;
5908
5909 SSL_CTX_set_options(cctx, client_options);
5910
5911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5912 &clientssl, NULL, NULL))
5913 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5914 goto end;
5915
5916 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5917 SSL_ERROR_NONE)))
5918 goto end;
5919
5920 /*
5921 * Make sure, the session was resumed.
5922 */
5923 if (!TEST_true(SSL_session_reused(clientssl)))
5924 goto end;
5925
5926 SSL_shutdown(clientssl);
5927 SSL_shutdown(serverssl);
5928
5929 testresult = 1;
5930
5931 end:
5932 SSL_free(serverssl);
5933 SSL_free(clientssl);
5934 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5935 SSL_SESSION_free(sesscache[j]);
5936 sesscache[j] = NULL;
5937 }
5938 SSL_CTX_free(sctx);
5939 SSL_CTX_free(cctx);
5940
5941 return testresult;
5942 }
5943 #endif /* OSSL_NO_USABLE_TLS1_3 */
5944
5945 static unsigned char cookie_magic_value[] = "cookie magic";
5946
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)5947 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5948 unsigned int *cookie_len)
5949 {
5950 /*
5951 * Not suitable as a real cookie generation function but good enough for
5952 * testing!
5953 */
5954 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5955 *cookie_len = sizeof(cookie_magic_value) - 1;
5956
5957 return 1;
5958 }
5959
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)5960 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5961 unsigned int cookie_len)
5962 {
5963 if (cookie_len == sizeof(cookie_magic_value) - 1
5964 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5965 return 1;
5966
5967 return 0;
5968 }
5969
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)5970 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5971 size_t *cookie_len)
5972 {
5973 unsigned int temp;
5974 int res = generate_cookie_callback(ssl, cookie, &temp);
5975 *cookie_len = temp;
5976 return res;
5977 }
5978
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)5979 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5980 size_t cookie_len)
5981 {
5982 return verify_cookie_callback(ssl, cookie, cookie_len);
5983 }
5984
test_stateless(void)5985 static int test_stateless(void)
5986 {
5987 SSL_CTX *sctx = NULL, *cctx = NULL;
5988 SSL *serverssl = NULL, *clientssl = NULL;
5989 int testresult = 0;
5990
5991 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5992 TLS_client_method(), TLS1_VERSION, 0,
5993 &sctx, &cctx, cert, privkey)))
5994 goto end;
5995
5996 /* The arrival of CCS messages can confuse the test */
5997 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5998
5999 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6000 NULL, NULL))
6001 /* Send the first ClientHello */
6002 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6003 SSL_ERROR_WANT_READ))
6004 /*
6005 * This should fail with a -1 return because we have no callbacks
6006 * set up
6007 */
6008 || !TEST_int_eq(SSL_stateless(serverssl), -1))
6009 goto end;
6010
6011 /* Fatal error so abandon the connection from this client */
6012 SSL_free(clientssl);
6013 clientssl = NULL;
6014
6015 /* Set up the cookie generation and verification callbacks */
6016 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
6017 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
6018
6019 /*
6020 * Create a new connection from the client (we can reuse the server SSL
6021 * object).
6022 */
6023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6024 NULL, NULL))
6025 /* Send the first ClientHello */
6026 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6027 SSL_ERROR_WANT_READ))
6028 /* This should fail because there is no cookie */
6029 || !TEST_int_eq(SSL_stateless(serverssl), 0))
6030 goto end;
6031
6032 /* Abandon the connection from this client */
6033 SSL_free(clientssl);
6034 clientssl = NULL;
6035
6036 /*
6037 * Now create a connection from a new client but with the same server SSL
6038 * object
6039 */
6040 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6041 NULL, NULL))
6042 /* Send the first ClientHello */
6043 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6044 SSL_ERROR_WANT_READ))
6045 /* This should fail because there is no cookie */
6046 || !TEST_int_eq(SSL_stateless(serverssl), 0)
6047 /* Send the second ClientHello */
6048 || !TEST_false(create_ssl_connection(serverssl, clientssl,
6049 SSL_ERROR_WANT_READ))
6050 /* This should succeed because a cookie is now present */
6051 || !TEST_int_eq(SSL_stateless(serverssl), 1)
6052 /* Complete the connection */
6053 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6054 SSL_ERROR_NONE)))
6055 goto end;
6056
6057 shutdown_ssl_connection(serverssl, clientssl);
6058 serverssl = clientssl = NULL;
6059 testresult = 1;
6060
6061 end:
6062 SSL_free(serverssl);
6063 SSL_free(clientssl);
6064 SSL_CTX_free(sctx);
6065 SSL_CTX_free(cctx);
6066 return testresult;
6067
6068 }
6069 #endif /* OSSL_NO_USABLE_TLS1_3 */
6070
6071 static int clntaddoldcb = 0;
6072 static int clntparseoldcb = 0;
6073 static int srvaddoldcb = 0;
6074 static int srvparseoldcb = 0;
6075 static int clntaddnewcb = 0;
6076 static int clntparsenewcb = 0;
6077 static int srvaddnewcb = 0;
6078 static int srvparsenewcb = 0;
6079 static int snicb = 0;
6080
6081 #define TEST_EXT_TYPE1 0xff00
6082
old_add_cb(SSL * s,unsigned int ext_type,const unsigned char ** out,size_t * outlen,int * al,void * add_arg)6083 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
6084 size_t *outlen, int *al, void *add_arg)
6085 {
6086 int *server = (int *)add_arg;
6087 unsigned char *data;
6088
6089 if (SSL_is_server(s))
6090 srvaddoldcb++;
6091 else
6092 clntaddoldcb++;
6093
6094 if (*server != SSL_is_server(s)
6095 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6096 return -1;
6097
6098 *data = 1;
6099 *out = data;
6100 *outlen = sizeof(char);
6101 return 1;
6102 }
6103
old_free_cb(SSL * s,unsigned int ext_type,const unsigned char * out,void * add_arg)6104 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
6105 void *add_arg)
6106 {
6107 OPENSSL_free((unsigned char *)out);
6108 }
6109
old_parse_cb(SSL * s,unsigned int ext_type,const unsigned char * in,size_t inlen,int * al,void * parse_arg)6110 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
6111 size_t inlen, int *al, void *parse_arg)
6112 {
6113 int *server = (int *)parse_arg;
6114
6115 if (SSL_is_server(s))
6116 srvparseoldcb++;
6117 else
6118 clntparseoldcb++;
6119
6120 if (*server != SSL_is_server(s)
6121 || inlen != sizeof(char)
6122 || *in != 1)
6123 return -1;
6124
6125 return 1;
6126 }
6127
new_add_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char ** out,size_t * outlen,X509 * x,size_t chainidx,int * al,void * add_arg)6128 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6129 const unsigned char **out, size_t *outlen, X509 *x,
6130 size_t chainidx, int *al, void *add_arg)
6131 {
6132 int *server = (int *)add_arg;
6133 unsigned char *data;
6134
6135 if (SSL_is_server(s))
6136 srvaddnewcb++;
6137 else
6138 clntaddnewcb++;
6139
6140 if (*server != SSL_is_server(s)
6141 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6142 return -1;
6143
6144 *data = 1;
6145 *out = data;
6146 *outlen = sizeof(*data);
6147 return 1;
6148 }
6149
new_free_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * out,void * add_arg)6150 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6151 const unsigned char *out, void *add_arg)
6152 {
6153 OPENSSL_free((unsigned char *)out);
6154 }
6155
new_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6156 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6157 const unsigned char *in, size_t inlen, X509 *x,
6158 size_t chainidx, int *al, void *parse_arg)
6159 {
6160 int *server = (int *)parse_arg;
6161
6162 if (SSL_is_server(s))
6163 srvparsenewcb++;
6164 else
6165 clntparsenewcb++;
6166
6167 if (*server != SSL_is_server(s)
6168 || inlen != sizeof(char) || *in != 1)
6169 return -1;
6170
6171 return 1;
6172 }
6173
sni_cb(SSL * s,int * al,void * arg)6174 static int sni_cb(SSL *s, int *al, void *arg)
6175 {
6176 SSL_CTX *ctx = (SSL_CTX *)arg;
6177
6178 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6179 *al = SSL_AD_INTERNAL_ERROR;
6180 return SSL_TLSEXT_ERR_ALERT_FATAL;
6181 }
6182 snicb++;
6183 return SSL_TLSEXT_ERR_OK;
6184 }
6185
verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)6186 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6187 {
6188 return 1;
6189 }
6190
6191 /*
6192 * Custom call back tests.
6193 * Test 0: Old style callbacks in TLSv1.2
6194 * Test 1: New style callbacks in TLSv1.2
6195 * Test 2: New style callbacks in TLSv1.2 with SNI
6196 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6197 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6198 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6199 */
test_custom_exts(int tst)6200 static int test_custom_exts(int tst)
6201 {
6202 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6203 SSL *clientssl = NULL, *serverssl = NULL;
6204 int testresult = 0;
6205 static int server = 1;
6206 static int client = 0;
6207 SSL_SESSION *sess = NULL;
6208 unsigned int context;
6209
6210 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6211 /* Skip tests for TLSv1.2 and below in this case */
6212 if (tst < 3)
6213 return 1;
6214 #endif
6215
6216 /* Reset callback counters */
6217 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6218 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6219 snicb = 0;
6220
6221 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6222 TLS_client_method(), TLS1_VERSION, 0,
6223 &sctx, &cctx, cert, privkey)))
6224 goto end;
6225
6226 if (tst == 2
6227 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6228 TLS1_VERSION, 0,
6229 &sctx2, NULL, cert, privkey)))
6230 goto end;
6231
6232
6233 if (tst < 3) {
6234 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6235 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6236 if (sctx2 != NULL)
6237 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6238 }
6239
6240 if (tst == 5) {
6241 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6242 | SSL_EXT_TLS1_3_CERTIFICATE;
6243 SSL_CTX_set_verify(sctx,
6244 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6245 verify_cb);
6246 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6247 SSL_FILETYPE_PEM), 1)
6248 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6249 SSL_FILETYPE_PEM), 1)
6250 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6251 goto end;
6252 } else if (tst == 4) {
6253 context = SSL_EXT_CLIENT_HELLO
6254 | SSL_EXT_TLS1_2_SERVER_HELLO
6255 | SSL_EXT_TLS1_3_SERVER_HELLO
6256 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6257 | SSL_EXT_TLS1_3_CERTIFICATE
6258 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6259 } else {
6260 context = SSL_EXT_CLIENT_HELLO
6261 | SSL_EXT_TLS1_2_SERVER_HELLO
6262 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6263 }
6264
6265 /* Create a client side custom extension */
6266 if (tst == 0) {
6267 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6268 old_add_cb, old_free_cb,
6269 &client, old_parse_cb,
6270 &client)))
6271 goto end;
6272 } else {
6273 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6274 new_add_cb, new_free_cb,
6275 &client, new_parse_cb, &client)))
6276 goto end;
6277 }
6278
6279 /* Should not be able to add duplicates */
6280 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6281 old_add_cb, old_free_cb,
6282 &client, old_parse_cb,
6283 &client))
6284 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6285 context, new_add_cb,
6286 new_free_cb, &client,
6287 new_parse_cb, &client)))
6288 goto end;
6289
6290 /* Create a server side custom extension */
6291 if (tst == 0) {
6292 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6293 old_add_cb, old_free_cb,
6294 &server, old_parse_cb,
6295 &server)))
6296 goto end;
6297 } else {
6298 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6299 new_add_cb, new_free_cb,
6300 &server, new_parse_cb, &server)))
6301 goto end;
6302 if (sctx2 != NULL
6303 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6304 context, new_add_cb,
6305 new_free_cb, &server,
6306 new_parse_cb, &server)))
6307 goto end;
6308 }
6309
6310 /* Should not be able to add duplicates */
6311 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6312 old_add_cb, old_free_cb,
6313 &server, old_parse_cb,
6314 &server))
6315 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6316 context, new_add_cb,
6317 new_free_cb, &server,
6318 new_parse_cb, &server)))
6319 goto end;
6320
6321 if (tst == 2) {
6322 /* Set up SNI */
6323 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6324 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6325 goto end;
6326 }
6327
6328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6329 &clientssl, NULL, NULL))
6330 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6331 SSL_ERROR_NONE)))
6332 goto end;
6333
6334 if (tst == 0) {
6335 if (clntaddoldcb != 1
6336 || clntparseoldcb != 1
6337 || srvaddoldcb != 1
6338 || srvparseoldcb != 1)
6339 goto end;
6340 } else if (tst == 1 || tst == 2 || tst == 3) {
6341 if (clntaddnewcb != 1
6342 || clntparsenewcb != 1
6343 || srvaddnewcb != 1
6344 || srvparsenewcb != 1
6345 || (tst != 2 && snicb != 0)
6346 || (tst == 2 && snicb != 1))
6347 goto end;
6348 } else if (tst == 5) {
6349 if (clntaddnewcb != 1
6350 || clntparsenewcb != 1
6351 || srvaddnewcb != 1
6352 || srvparsenewcb != 1)
6353 goto end;
6354 } else {
6355 /* In this case there 2 NewSessionTicket messages created */
6356 if (clntaddnewcb != 1
6357 || clntparsenewcb != 5
6358 || srvaddnewcb != 5
6359 || srvparsenewcb != 1)
6360 goto end;
6361 }
6362
6363 sess = SSL_get1_session(clientssl);
6364 SSL_shutdown(clientssl);
6365 SSL_shutdown(serverssl);
6366 SSL_free(serverssl);
6367 SSL_free(clientssl);
6368 serverssl = clientssl = NULL;
6369
6370 if (tst == 3 || tst == 5) {
6371 /* We don't bother with the resumption aspects for these tests */
6372 testresult = 1;
6373 goto end;
6374 }
6375
6376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6377 NULL, NULL))
6378 || !TEST_true(SSL_set_session(clientssl, sess))
6379 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6380 SSL_ERROR_NONE)))
6381 goto end;
6382
6383 /*
6384 * For a resumed session we expect to add the ClientHello extension. For the
6385 * old style callbacks we ignore it on the server side because they set
6386 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6387 * them.
6388 */
6389 if (tst == 0) {
6390 if (clntaddoldcb != 2
6391 || clntparseoldcb != 1
6392 || srvaddoldcb != 1
6393 || srvparseoldcb != 1)
6394 goto end;
6395 } else if (tst == 1 || tst == 2 || tst == 3) {
6396 if (clntaddnewcb != 2
6397 || clntparsenewcb != 2
6398 || srvaddnewcb != 2
6399 || srvparsenewcb != 2)
6400 goto end;
6401 } else {
6402 /*
6403 * No Certificate message extensions in the resumption handshake,
6404 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6405 */
6406 if (clntaddnewcb != 2
6407 || clntparsenewcb != 8
6408 || srvaddnewcb != 8
6409 || srvparsenewcb != 2)
6410 goto end;
6411 }
6412
6413 testresult = 1;
6414
6415 end:
6416 SSL_SESSION_free(sess);
6417 SSL_free(serverssl);
6418 SSL_free(clientssl);
6419 SSL_CTX_free(sctx2);
6420 SSL_CTX_free(sctx);
6421 SSL_CTX_free(cctx);
6422 return testresult;
6423 }
6424
6425 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6426
6427 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6428 | SSL_EXT_CLIENT_HELLO \
6429 | SSL_EXT_TLS1_2_SERVER_HELLO \
6430 | SSL_EXT_IGNORE_ON_RESUMPTION)
6431
6432 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6433 | SSL_EXT_TLS1_2_SERVER_HELLO \
6434 | SSL_EXT_CLIENT_HELLO)
6435
6436 #define SERVERINFO_CUSTOM \
6437 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6438 0x00, 0x03, \
6439 0x04, 0x05, 0x06 \
6440
6441 static const unsigned char serverinfo_custom_tls13[] = {
6442 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6443 SERVERINFO_CUSTOM
6444 };
6445 static const unsigned char serverinfo_custom_v2[] = {
6446 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6447 SERVERINFO_CUSTOM
6448 };
6449 static const unsigned char serverinfo_custom_v1[] = {
6450 SERVERINFO_CUSTOM
6451 };
6452 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6453 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6454 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6455
serverinfo_custom_parse_cb(SSL * s,unsigned int ext_type,unsigned int context,const unsigned char * in,size_t inlen,X509 * x,size_t chainidx,int * al,void * parse_arg)6456 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6457 unsigned int context,
6458 const unsigned char *in,
6459 size_t inlen, X509 *x,
6460 size_t chainidx, int *al,
6461 void *parse_arg)
6462 {
6463 const size_t len = serverinfo_custom_v1_len;
6464 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6465 int *p_cb_result = (int*)parse_arg;
6466 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6467 return 1;
6468 }
6469
test_serverinfo_custom(const int idx)6470 static int test_serverinfo_custom(const int idx)
6471 {
6472 SSL_CTX *sctx = NULL, *cctx = NULL;
6473 SSL *clientssl = NULL, *serverssl = NULL;
6474 int testresult = 0;
6475 int cb_result = 0;
6476
6477 /*
6478 * Following variables are set in the switch statement
6479 * according to the test iteration.
6480 * Default values do not make much sense: test would fail with them.
6481 */
6482 int serverinfo_version = 0;
6483 int protocol_version = 0;
6484 unsigned int extension_context = 0;
6485 const unsigned char *si = NULL;
6486 size_t si_len = 0;
6487
6488 const int call_use_serverinfo_ex = idx > 0;
6489 switch (idx) {
6490 case 0: /* FALLTHROUGH */
6491 case 1:
6492 serverinfo_version = SSL_SERVERINFOV1;
6493 protocol_version = TLS1_2_VERSION;
6494 extension_context = SYNTHV1CONTEXT;
6495 si = serverinfo_custom_v1;
6496 si_len = serverinfo_custom_v1_len;
6497 break;
6498 case 2:
6499 serverinfo_version = SSL_SERVERINFOV2;
6500 protocol_version = TLS1_2_VERSION;
6501 extension_context = SYNTHV1CONTEXT;
6502 si = serverinfo_custom_v2;
6503 si_len = serverinfo_custom_v2_len;
6504 break;
6505 case 3:
6506 serverinfo_version = SSL_SERVERINFOV2;
6507 protocol_version = TLS1_3_VERSION;
6508 extension_context = TLS13CONTEXT;
6509 si = serverinfo_custom_tls13;
6510 si_len = serverinfo_custom_tls13_len;
6511 break;
6512 }
6513
6514 if (!TEST_true(create_ssl_ctx_pair(libctx,
6515 TLS_method(),
6516 TLS_method(),
6517 protocol_version,
6518 protocol_version,
6519 &sctx, &cctx, cert, privkey)))
6520 goto end;
6521
6522 if (call_use_serverinfo_ex) {
6523 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6524 si, si_len)))
6525 goto end;
6526 } else {
6527 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6528 goto end;
6529 }
6530
6531 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6532 extension_context,
6533 NULL, NULL, NULL,
6534 serverinfo_custom_parse_cb,
6535 &cb_result))
6536 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6537 NULL, NULL))
6538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6539 SSL_ERROR_NONE))
6540 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6541 goto end;
6542
6543 if (!TEST_true(cb_result))
6544 goto end;
6545
6546 testresult = 1;
6547
6548 end:
6549 SSL_free(serverssl);
6550 SSL_free(clientssl);
6551 SSL_CTX_free(sctx);
6552 SSL_CTX_free(cctx);
6553
6554 return testresult;
6555 }
6556 #endif
6557
6558 /*
6559 * Test that SSL_export_keying_material() produces expected results. There are
6560 * no test vectors so all we do is test that both sides of the communication
6561 * produce the same results for different protocol versions.
6562 */
6563 #define SMALL_LABEL_LEN 10
6564 #define LONG_LABEL_LEN 249
test_export_key_mat(int tst)6565 static int test_export_key_mat(int tst)
6566 {
6567 int testresult = 0;
6568 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6569 SSL *clientssl = NULL, *serverssl = NULL;
6570 const char label[LONG_LABEL_LEN + 1] = "test label";
6571 const unsigned char context[] = "context";
6572 const unsigned char *emptycontext = NULL;
6573 unsigned char longcontext[1280];
6574 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6575 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6576 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6577 size_t labellen;
6578 const int protocols[] = {
6579 TLS1_VERSION,
6580 TLS1_1_VERSION,
6581 TLS1_2_VERSION,
6582 TLS1_3_VERSION,
6583 TLS1_3_VERSION,
6584 TLS1_3_VERSION
6585 };
6586
6587 #ifdef OPENSSL_NO_TLS1
6588 if (tst == 0)
6589 return 1;
6590 #endif
6591 #ifdef OPENSSL_NO_TLS1_1
6592 if (tst == 1)
6593 return 1;
6594 #endif
6595 if (is_fips && (tst == 0 || tst == 1))
6596 return 1;
6597 #ifdef OPENSSL_NO_TLS1_2
6598 if (tst == 2)
6599 return 1;
6600 #endif
6601 #ifdef OSSL_NO_USABLE_TLS1_3
6602 if (tst >= 3)
6603 return 1;
6604 #endif
6605 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6606 TLS_client_method(), TLS1_VERSION, 0,
6607 &sctx, &cctx, cert, privkey)))
6608 goto end;
6609
6610 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6611 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6612 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6613 if ((protocols[tst] < TLS1_2_VERSION) &&
6614 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6615 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6616 goto end;
6617
6618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6619 NULL)))
6620 goto end;
6621
6622 /*
6623 * Premature call of SSL_export_keying_material should just fail.
6624 */
6625 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6626 sizeof(ckeymat1), label,
6627 SMALL_LABEL_LEN + 1, context,
6628 sizeof(context) - 1, 1), 0))
6629 goto end;
6630
6631 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6632 SSL_ERROR_NONE)))
6633 goto end;
6634
6635 if (tst == 5) {
6636 /*
6637 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6638 * go over that.
6639 */
6640 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6641 sizeof(ckeymat1), label,
6642 LONG_LABEL_LEN + 1, context,
6643 sizeof(context) - 1, 1), 0))
6644 goto end;
6645
6646 testresult = 1;
6647 goto end;
6648 } else if (tst == 4) {
6649 labellen = LONG_LABEL_LEN;
6650 } else {
6651 labellen = SMALL_LABEL_LEN;
6652 }
6653
6654 memset(longcontext, 1, sizeof(longcontext));
6655
6656 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6657 sizeof(ckeymat1), label,
6658 labellen, context,
6659 sizeof(context) - 1, 1), 1)
6660 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6661 sizeof(ckeymat2), label,
6662 labellen,
6663 emptycontext,
6664 0, 1), 1)
6665 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6666 sizeof(ckeymat3), label,
6667 labellen,
6668 NULL, 0, 0), 1)
6669 || (test_longcontext
6670 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6671 ckeymat4,
6672 sizeof(ckeymat4), label,
6673 labellen,
6674 longcontext,
6675 sizeof(longcontext), 1),
6676 1))
6677 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6678 sizeof(skeymat1), label,
6679 labellen,
6680 context,
6681 sizeof(context) -1, 1),
6682 1)
6683 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6684 sizeof(skeymat2), label,
6685 labellen,
6686 emptycontext,
6687 0, 1), 1)
6688 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6689 sizeof(skeymat3), label,
6690 labellen,
6691 NULL, 0, 0), 1)
6692 || (test_longcontext
6693 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6694 sizeof(skeymat4), label,
6695 labellen,
6696 longcontext,
6697 sizeof(longcontext), 1),
6698 1))
6699 /*
6700 * Check that both sides created the same key material with the
6701 * same context.
6702 */
6703 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6704 sizeof(skeymat1))
6705 /*
6706 * Check that both sides created the same key material with an
6707 * empty context.
6708 */
6709 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6710 sizeof(skeymat2))
6711 /*
6712 * Check that both sides created the same key material without a
6713 * context.
6714 */
6715 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6716 sizeof(skeymat3))
6717 /*
6718 * Check that both sides created the same key material with a
6719 * long context.
6720 */
6721 || (test_longcontext
6722 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6723 sizeof(skeymat4)))
6724 /* Different contexts should produce different results */
6725 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6726 sizeof(ckeymat2)))
6727 goto end;
6728
6729 /*
6730 * Check that an empty context and no context produce different results in
6731 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6732 */
6733 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6734 sizeof(ckeymat3)))
6735 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6736 sizeof(ckeymat3))))
6737 goto end;
6738
6739 testresult = 1;
6740
6741 end:
6742 SSL_free(serverssl);
6743 SSL_free(clientssl);
6744 SSL_CTX_free(sctx2);
6745 SSL_CTX_free(sctx);
6746 SSL_CTX_free(cctx);
6747
6748 return testresult;
6749 }
6750
6751 #ifndef OSSL_NO_USABLE_TLS1_3
6752 /*
6753 * Test that SSL_export_keying_material_early() produces expected
6754 * results. There are no test vectors so all we do is test that both
6755 * sides of the communication produce the same results for different
6756 * protocol versions.
6757 */
test_export_key_mat_early(int idx)6758 static int test_export_key_mat_early(int idx)
6759 {
6760 static const char label[] = "test label";
6761 static const unsigned char context[] = "context";
6762 int testresult = 0;
6763 SSL_CTX *cctx = NULL, *sctx = NULL;
6764 SSL *clientssl = NULL, *serverssl = NULL;
6765 SSL_SESSION *sess = NULL;
6766 const unsigned char *emptycontext = NULL;
6767 unsigned char ckeymat1[80], ckeymat2[80];
6768 unsigned char skeymat1[80], skeymat2[80];
6769 unsigned char buf[1];
6770 size_t readbytes, written;
6771
6772 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6773 &sess, idx, SHA384_DIGEST_LENGTH)))
6774 goto end;
6775
6776 /* Here writing 0 length early data is enough. */
6777 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6778 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6779 &readbytes),
6780 SSL_READ_EARLY_DATA_ERROR)
6781 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6782 SSL_EARLY_DATA_ACCEPTED))
6783 goto end;
6784
6785 if (!TEST_int_eq(SSL_export_keying_material_early(
6786 clientssl, ckeymat1, sizeof(ckeymat1), label,
6787 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6788 || !TEST_int_eq(SSL_export_keying_material_early(
6789 clientssl, ckeymat2, sizeof(ckeymat2), label,
6790 sizeof(label) - 1, emptycontext, 0), 1)
6791 || !TEST_int_eq(SSL_export_keying_material_early(
6792 serverssl, skeymat1, sizeof(skeymat1), label,
6793 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6794 || !TEST_int_eq(SSL_export_keying_material_early(
6795 serverssl, skeymat2, sizeof(skeymat2), label,
6796 sizeof(label) - 1, emptycontext, 0), 1)
6797 /*
6798 * Check that both sides created the same key material with the
6799 * same context.
6800 */
6801 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6802 sizeof(skeymat1))
6803 /*
6804 * Check that both sides created the same key material with an
6805 * empty context.
6806 */
6807 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6808 sizeof(skeymat2))
6809 /* Different contexts should produce different results */
6810 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6811 sizeof(ckeymat2)))
6812 goto end;
6813
6814 testresult = 1;
6815
6816 end:
6817 SSL_SESSION_free(sess);
6818 SSL_SESSION_free(clientpsk);
6819 SSL_SESSION_free(serverpsk);
6820 clientpsk = serverpsk = NULL;
6821 SSL_free(serverssl);
6822 SSL_free(clientssl);
6823 SSL_CTX_free(sctx);
6824 SSL_CTX_free(cctx);
6825
6826 return testresult;
6827 }
6828
6829 #define NUM_KEY_UPDATE_MESSAGES 40
6830 /*
6831 * Test KeyUpdate.
6832 */
test_key_update(void)6833 static int test_key_update(void)
6834 {
6835 SSL_CTX *cctx = NULL, *sctx = NULL;
6836 SSL *clientssl = NULL, *serverssl = NULL;
6837 int testresult = 0, i, j;
6838 char buf[20];
6839 static char *mess = "A test message";
6840
6841 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6842 TLS_client_method(),
6843 TLS1_3_VERSION,
6844 0,
6845 &sctx, &cctx, cert, privkey))
6846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6847 NULL, NULL))
6848 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6849 SSL_ERROR_NONE)))
6850 goto end;
6851
6852 for (j = 0; j < 2; j++) {
6853 /* Send lots of KeyUpdate messages */
6854 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6855 if (!TEST_true(SSL_key_update(clientssl,
6856 (j == 0)
6857 ? SSL_KEY_UPDATE_NOT_REQUESTED
6858 : SSL_KEY_UPDATE_REQUESTED))
6859 || !TEST_true(SSL_do_handshake(clientssl)))
6860 goto end;
6861 }
6862
6863 /* Check that sending and receiving app data is ok */
6864 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6865 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6866 strlen(mess)))
6867 goto end;
6868
6869 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6870 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6871 strlen(mess)))
6872 goto end;
6873 }
6874
6875 testresult = 1;
6876
6877 end:
6878 SSL_free(serverssl);
6879 SSL_free(clientssl);
6880 SSL_CTX_free(sctx);
6881 SSL_CTX_free(cctx);
6882
6883 return testresult;
6884 }
6885
6886 /*
6887 * Test we can handle a KeyUpdate (update requested) message while
6888 * write data is pending in peer.
6889 * Test 0: Client sends KeyUpdate while Server is writing
6890 * Test 1: Server sends KeyUpdate while Client is writing
6891 */
test_key_update_peer_in_write(int tst)6892 static int test_key_update_peer_in_write(int tst)
6893 {
6894 SSL_CTX *cctx = NULL, *sctx = NULL;
6895 SSL *clientssl = NULL, *serverssl = NULL;
6896 int testresult = 0;
6897 char buf[20];
6898 static char *mess = "A test message";
6899 BIO *bretry = BIO_new(bio_s_always_retry());
6900 BIO *tmp = NULL;
6901 SSL *peerupdate = NULL, *peerwrite = NULL;
6902
6903 if (!TEST_ptr(bretry)
6904 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6905 TLS_client_method(),
6906 TLS1_3_VERSION,
6907 0,
6908 &sctx, &cctx, cert, privkey))
6909 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6910 NULL, NULL))
6911 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6912 SSL_ERROR_NONE)))
6913 goto end;
6914
6915 peerupdate = tst == 0 ? clientssl : serverssl;
6916 peerwrite = tst == 0 ? serverssl : clientssl;
6917
6918 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6919 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6920 goto end;
6921
6922 /* Swap the writing endpoint's write BIO to force a retry */
6923 tmp = SSL_get_wbio(peerwrite);
6924 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6925 tmp = NULL;
6926 goto end;
6927 }
6928 SSL_set0_wbio(peerwrite, bretry);
6929 bretry = NULL;
6930
6931 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6932 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6933 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6934 || !TEST_true(SSL_want_write(peerwrite))
6935 || !TEST_true(SSL_net_write_desired(peerwrite)))
6936 goto end;
6937
6938 /* Reinstate the original writing endpoint's write BIO */
6939 SSL_set0_wbio(peerwrite, tmp);
6940 tmp = NULL;
6941
6942 /* Now read some data - we will read the key update */
6943 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6944 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6945 || !TEST_true(SSL_want_read(peerwrite))
6946 || !TEST_true(SSL_net_read_desired(peerwrite)))
6947 goto end;
6948
6949 /*
6950 * Complete the write we started previously and read it from the other
6951 * endpoint
6952 */
6953 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6954 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6955 goto end;
6956
6957 /* Write more data to ensure we send the KeyUpdate message back */
6958 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6959 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6960 goto end;
6961
6962 if (!TEST_false(SSL_net_read_desired(peerwrite))
6963 || !TEST_false(SSL_net_write_desired(peerwrite))
6964 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6965 goto end;
6966
6967 testresult = 1;
6968
6969 end:
6970 SSL_free(serverssl);
6971 SSL_free(clientssl);
6972 SSL_CTX_free(sctx);
6973 SSL_CTX_free(cctx);
6974 BIO_free(bretry);
6975 BIO_free(tmp);
6976
6977 return testresult;
6978 }
6979
6980 /*
6981 * Test we can handle a KeyUpdate (update requested) message while
6982 * peer read data is pending after peer accepted keyupdate(the msg header
6983 * had been read 5 bytes).
6984 * Test 0: Client sends KeyUpdate while Server is reading
6985 * Test 1: Server sends KeyUpdate while Client is reading
6986 */
test_key_update_peer_in_read(int tst)6987 static int test_key_update_peer_in_read(int tst)
6988 {
6989 SSL_CTX *cctx = NULL, *sctx = NULL;
6990 SSL *clientssl = NULL, *serverssl = NULL;
6991 int testresult = 0;
6992 char prbuf[515], lwbuf[515] = {0};
6993 static char *mess = "A test message";
6994 BIO *lbio = NULL, *pbio = NULL;
6995 SSL *local = NULL, *peer = NULL;
6996
6997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6998 TLS_client_method(),
6999 TLS1_3_VERSION,
7000 0,
7001 &sctx, &cctx, cert, privkey))
7002 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7003 NULL, NULL))
7004 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7005 SSL_ERROR_NONE)))
7006 goto end;
7007
7008 local = tst == 0 ? clientssl : serverssl;
7009 peer = tst == 0 ? serverssl : clientssl;
7010
7011 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7012 goto end;
7013
7014 SSL_set_bio(local, lbio, lbio);
7015 SSL_set_bio(peer, pbio, pbio);
7016
7017 /*
7018 * we first write keyupdate msg then appdata in local
7019 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
7020 * lwbuf app data msg size + key updata msg size > 512(the size of
7021 * the bio pair buffer)
7022 */
7023 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7024 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
7025 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7026 goto end;
7027
7028 /*
7029 * first read keyupdate msg in peer in peer
7030 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
7031 */
7032 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
7033 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
7034 goto end;
7035
7036 /* Now write some data in peer - we will write the key update */
7037 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
7038 goto end;
7039
7040 /*
7041 * write data in local previously that we will complete
7042 * read data in peer previously that we will complete
7043 */
7044 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
7045 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
7046 goto end;
7047
7048 /* check that sending and receiving appdata ok */
7049 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7050 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7051 goto end;
7052
7053 testresult = 1;
7054
7055 end:
7056 SSL_free(serverssl);
7057 SSL_free(clientssl);
7058 SSL_CTX_free(sctx);
7059 SSL_CTX_free(cctx);
7060
7061 return testresult;
7062 }
7063
7064 /*
7065 * Test we can't send a KeyUpdate (update requested) message while
7066 * local write data is pending.
7067 * Test 0: Client sends KeyUpdate while Client is writing
7068 * Test 1: Server sends KeyUpdate while Server is writing
7069 */
test_key_update_local_in_write(int tst)7070 static int test_key_update_local_in_write(int tst)
7071 {
7072 SSL_CTX *cctx = NULL, *sctx = NULL;
7073 SSL *clientssl = NULL, *serverssl = NULL;
7074 int testresult = 0;
7075 char buf[20];
7076 static char *mess = "A test message";
7077 BIO *bretry = BIO_new(bio_s_always_retry());
7078 BIO *tmp = NULL;
7079 SSL *local = NULL, *peer = NULL;
7080
7081 if (!TEST_ptr(bretry)
7082 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7083 TLS_client_method(),
7084 TLS1_3_VERSION,
7085 0,
7086 &sctx, &cctx, cert, privkey))
7087 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7088 NULL, NULL))
7089 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7090 SSL_ERROR_NONE)))
7091 goto end;
7092
7093 local = tst == 0 ? clientssl : serverssl;
7094 peer = tst == 0 ? serverssl : clientssl;
7095
7096 /* Swap the writing endpoint's write BIO to force a retry */
7097 tmp = SSL_get_wbio(local);
7098 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
7099 tmp = NULL;
7100 goto end;
7101 }
7102 SSL_set0_wbio(local, bretry);
7103 bretry = NULL;
7104
7105 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
7106 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
7107 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7108 goto end;
7109
7110 /* Reinstate the original writing endpoint's write BIO */
7111 SSL_set0_wbio(local, tmp);
7112 tmp = NULL;
7113
7114 /* SSL_key_update will fail, because writing in local*/
7115 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7116 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7117 goto end;
7118
7119 ERR_clear_error();
7120 /* write data in local previously that we will complete */
7121 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7122 goto end;
7123
7124 /* SSL_key_update will succeed because there is no pending write data */
7125 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7126 || !TEST_int_eq(SSL_do_handshake(local), 1))
7127 goto end;
7128
7129 /*
7130 * we write some appdata in local
7131 * read data in peer - we will read the keyupdate msg
7132 */
7133 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7134 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7135 goto end;
7136
7137 /* Write more peer more data to ensure we send the keyupdate message back */
7138 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7139 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7140 goto end;
7141
7142 testresult = 1;
7143
7144 end:
7145 SSL_free(serverssl);
7146 SSL_free(clientssl);
7147 SSL_CTX_free(sctx);
7148 SSL_CTX_free(cctx);
7149 BIO_free(bretry);
7150 BIO_free(tmp);
7151
7152 return testresult;
7153 }
7154
7155 /*
7156 * Test we can handle a KeyUpdate (update requested) message while
7157 * local read data is pending(the msg header had been read 5 bytes).
7158 * Test 0: Client sends KeyUpdate while Client is reading
7159 * Test 1: Server sends KeyUpdate while Server is reading
7160 */
test_key_update_local_in_read(int tst)7161 static int test_key_update_local_in_read(int tst)
7162 {
7163 SSL_CTX *cctx = NULL, *sctx = NULL;
7164 SSL *clientssl = NULL, *serverssl = NULL;
7165 int testresult = 0;
7166 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7167 static char *mess = "A test message";
7168 BIO *lbio = NULL, *pbio = NULL;
7169 SSL *local = NULL, *peer = NULL;
7170
7171 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7172 TLS_client_method(),
7173 TLS1_3_VERSION,
7174 0,
7175 &sctx, &cctx, cert, privkey))
7176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7177 NULL, NULL))
7178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7179 SSL_ERROR_NONE)))
7180 goto end;
7181
7182 local = tst == 0 ? clientssl : serverssl;
7183 peer = tst == 0 ? serverssl : clientssl;
7184
7185 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7186 goto end;
7187
7188 SSL_set_bio(local, lbio, lbio);
7189 SSL_set_bio(peer, pbio, pbio);
7190
7191 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7192 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7193 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7194 goto end;
7195
7196 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7197 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7198 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7199 goto end;
7200
7201 /* SSL_do_handshake will send keyupdate msg */
7202 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7203 || !TEST_int_eq(SSL_do_handshake(local), 1))
7204 goto end;
7205
7206 /*
7207 * write data in peer previously that we will complete
7208 * read data in local previously that we will complete
7209 */
7210 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7211 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7212 goto end;
7213
7214 /*
7215 * write data in local
7216 * read data in peer - we will read the key update
7217 */
7218 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7219 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7220 goto end;
7221
7222 /* Write more peer data to ensure we send the keyupdate message back */
7223 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7224 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7225 goto end;
7226
7227 testresult = 1;
7228
7229 end:
7230 SSL_free(serverssl);
7231 SSL_free(clientssl);
7232 SSL_CTX_free(sctx);
7233 SSL_CTX_free(cctx);
7234
7235 return testresult;
7236 }
7237 #endif /* OSSL_NO_USABLE_TLS1_3 */
7238
7239 /*
7240 * Test clearing a connection via SSL_clear(), or resetting it via
7241 * SSL_set_connect_state()/SSL_set_accept_state()
7242 * Test 0: SSL_set_connect_state, TLSv1.3
7243 * Test 1: SSL_set_connect_state, TLSv1.2
7244 * Test 2: SSL_set_accept_state, TLSv1.3
7245 * Test 3: SSL_set_accept_state, TLSv1.2
7246 * Test 4: SSL_clear (client), TLSv1.3
7247 * Test 5: SSL_clear (client), TLSv1.2
7248 * Test 6: SSL_clear (server), TLSv1.3
7249 * Test 7: SSL_clear (server), TLSv1.2
7250 */
test_ssl_clear(int idx)7251 static int test_ssl_clear(int idx)
7252 {
7253 SSL_CTX *cctx = NULL, *sctx = NULL;
7254 SSL *clientssl = NULL, *serverssl = NULL;
7255 SSL *writer, *reader;
7256 int testresult = 0;
7257 int tls12test, servertest, cleartest;
7258 size_t written, readbytes;
7259 const char *msg = "Hello World";
7260 unsigned char buf[5];
7261
7262 tls12test = idx & 1;
7263 idx >>= 1;
7264 servertest = idx & 1;
7265 idx >>= 1;
7266 cleartest = idx & 1;
7267
7268 #ifdef OPENSSL_NO_TLS1_2
7269 if (tls12test == 1)
7270 return TEST_skip("No TLSv1.2 in this build");
7271 #endif
7272
7273 /* Create an initial connection */
7274 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7275 TLS_client_method(), TLS1_VERSION, 0,
7276 &sctx, &cctx, cert, privkey))
7277 || (tls12test
7278 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7279 TLS1_2_VERSION)))
7280 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7281 &clientssl, NULL, NULL))
7282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7283 SSL_ERROR_NONE)))
7284 goto end;
7285
7286 if (servertest) {
7287 writer = clientssl;
7288 reader = serverssl;
7289 } else {
7290 writer = serverssl;
7291 reader = clientssl;
7292 }
7293
7294 /* Write some data */
7295 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7296 || written != strlen(msg))
7297 goto end;
7298
7299 /*
7300 * Read a partial record. The remaining buffered data should be cleared by
7301 * the subsequent clear/reset
7302 */
7303 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7304 || readbytes != sizeof(buf))
7305 goto end;
7306
7307 SSL_shutdown(clientssl);
7308 SSL_shutdown(serverssl);
7309
7310 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7311 if (servertest) {
7312 if (cleartest) {
7313 if (!TEST_true(SSL_clear(serverssl)))
7314 goto end;
7315 } else {
7316 SSL_set_accept_state(serverssl);
7317 }
7318 SSL_free(clientssl);
7319 clientssl = NULL;
7320 } else {
7321 if (cleartest) {
7322 if (!TEST_true(SSL_clear(clientssl)))
7323 goto end;
7324 } else {
7325 SSL_set_connect_state(clientssl);
7326 }
7327 SSL_free(serverssl);
7328 serverssl = NULL;
7329 }
7330
7331 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7332 NULL, NULL))
7333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7334 SSL_ERROR_NONE))
7335 || !TEST_true(servertest || SSL_session_reused(clientssl)))
7336 goto end;
7337
7338 SSL_shutdown(clientssl);
7339 SSL_shutdown(serverssl);
7340
7341 testresult = 1;
7342
7343 end:
7344 SSL_free(serverssl);
7345 SSL_free(clientssl);
7346 SSL_CTX_free(sctx);
7347 SSL_CTX_free(cctx);
7348
7349 return testresult;
7350 }
7351
7352 /* Parse CH and retrieve any MFL extension value if present */
get_MFL_from_client_hello(BIO * bio,int * mfl_codemfl_code)7353 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7354 {
7355 long len;
7356 unsigned char *data;
7357 PACKET pkt, pkt2, pkt3;
7358 unsigned int MFL_code = 0, type = 0;
7359
7360 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7361 goto end;
7362
7363 memset(&pkt, 0, sizeof(pkt));
7364 memset(&pkt2, 0, sizeof(pkt2));
7365 memset(&pkt3, 0, sizeof(pkt3));
7366
7367 if (!TEST_long_gt(len, 0)
7368 || !TEST_true(PACKET_buf_init(&pkt, data, len))
7369 /* Skip the record header */
7370 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7371 /* Skip the handshake message header */
7372 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7373 /* Skip client version and random */
7374 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7375 + SSL3_RANDOM_SIZE))
7376 /* Skip session id */
7377 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7378 /* Skip ciphers */
7379 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7380 /* Skip compression */
7381 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7382 /* Extensions len */
7383 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7384 goto end;
7385
7386 /* Loop through all extensions */
7387 while (PACKET_remaining(&pkt2)) {
7388 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7389 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7390 goto end;
7391
7392 if (type == TLSEXT_TYPE_max_fragment_length) {
7393 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7394 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7395 goto end;
7396
7397 *mfl_codemfl_code = MFL_code;
7398 return 1;
7399 }
7400 }
7401
7402 end:
7403 return 0;
7404 }
7405
7406 /* Maximum-Fragment-Length TLS extension mode to test */
7407 static const unsigned char max_fragment_len_test[] = {
7408 TLSEXT_max_fragment_length_512,
7409 TLSEXT_max_fragment_length_1024,
7410 TLSEXT_max_fragment_length_2048,
7411 TLSEXT_max_fragment_length_4096
7412 };
7413
test_max_fragment_len_ext(int idx_tst)7414 static int test_max_fragment_len_ext(int idx_tst)
7415 {
7416 SSL_CTX *ctx = NULL;
7417 SSL *con = NULL;
7418 int testresult = 0, MFL_mode = 0;
7419 BIO *rbio, *wbio;
7420
7421 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7422 TLS1_VERSION, 0, NULL, &ctx, NULL,
7423 NULL)))
7424 return 0;
7425
7426 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7427 ctx, max_fragment_len_test[idx_tst])))
7428 goto end;
7429
7430 con = SSL_new(ctx);
7431 if (!TEST_ptr(con))
7432 goto end;
7433
7434 rbio = BIO_new(BIO_s_mem());
7435 wbio = BIO_new(BIO_s_mem());
7436 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7437 BIO_free(rbio);
7438 BIO_free(wbio);
7439 goto end;
7440 }
7441
7442 SSL_set_bio(con, rbio, wbio);
7443
7444 if (!TEST_int_le(SSL_connect(con), 0)) {
7445 /* This shouldn't succeed because we don't have a server! */
7446 goto end;
7447 }
7448
7449 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7450 /* no MFL in client hello */
7451 goto end;
7452 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7453 goto end;
7454
7455 testresult = 1;
7456
7457 end:
7458 SSL_free(con);
7459 SSL_CTX_free(ctx);
7460
7461 return testresult;
7462 }
7463
7464 #ifndef OSSL_NO_USABLE_TLS1_3
test_pha_key_update(void)7465 static int test_pha_key_update(void)
7466 {
7467 SSL_CTX *cctx = NULL, *sctx = NULL;
7468 SSL *clientssl = NULL, *serverssl = NULL;
7469 int testresult = 0;
7470
7471 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7472 TLS_client_method(), TLS1_VERSION, 0,
7473 &sctx, &cctx, cert, privkey)))
7474 return 0;
7475
7476 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7477 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7478 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7479 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7480 goto end;
7481
7482 SSL_CTX_set_post_handshake_auth(cctx, 1);
7483
7484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7485 NULL, NULL)))
7486 goto end;
7487
7488 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7489 SSL_ERROR_NONE)))
7490 goto end;
7491
7492 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7493 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7494 goto end;
7495
7496 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7497 goto end;
7498
7499 /* Start handshake on the server */
7500 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7501 goto end;
7502
7503 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7504 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7505 SSL_ERROR_NONE)))
7506 goto end;
7507
7508 SSL_shutdown(clientssl);
7509 SSL_shutdown(serverssl);
7510
7511 testresult = 1;
7512
7513 end:
7514 SSL_free(serverssl);
7515 SSL_free(clientssl);
7516 SSL_CTX_free(sctx);
7517 SSL_CTX_free(cctx);
7518 return testresult;
7519 }
7520 #endif
7521
7522 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7523
7524 static SRP_VBASE *vbase = NULL;
7525
ssl_srp_cb(SSL * s,int * ad,void * arg)7526 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7527 {
7528 int ret = SSL3_AL_FATAL;
7529 char *username;
7530 SRP_user_pwd *user = NULL;
7531
7532 username = SSL_get_srp_username(s);
7533 if (username == NULL) {
7534 *ad = SSL_AD_INTERNAL_ERROR;
7535 goto err;
7536 }
7537
7538 user = SRP_VBASE_get1_by_user(vbase, username);
7539 if (user == NULL) {
7540 *ad = SSL_AD_INTERNAL_ERROR;
7541 goto err;
7542 }
7543
7544 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7545 user->info) <= 0) {
7546 *ad = SSL_AD_INTERNAL_ERROR;
7547 goto err;
7548 }
7549
7550 ret = 0;
7551
7552 err:
7553 SRP_user_pwd_free(user);
7554 return ret;
7555 }
7556
create_new_vfile(char * userid,char * password,const char * filename)7557 static int create_new_vfile(char *userid, char *password, const char *filename)
7558 {
7559 char *gNid = NULL;
7560 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7561 TXT_DB *db = NULL;
7562 int ret = 0;
7563 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7564 size_t i;
7565
7566 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7567 goto end;
7568
7569 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7570 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7571 if (!TEST_ptr(gNid))
7572 goto end;
7573
7574 /*
7575 * The only way to create an empty TXT_DB is to provide a BIO with no data
7576 * in it!
7577 */
7578 db = TXT_DB_read(dummy, DB_NUMBER);
7579 if (!TEST_ptr(db))
7580 goto end;
7581
7582 out = BIO_new_file(filename, "w");
7583 if (!TEST_ptr(out))
7584 goto end;
7585
7586 row[DB_srpid] = OPENSSL_strdup(userid);
7587 row[DB_srptype] = OPENSSL_strdup("V");
7588 row[DB_srpgN] = OPENSSL_strdup(gNid);
7589
7590 if (!TEST_ptr(row[DB_srpid])
7591 || !TEST_ptr(row[DB_srptype])
7592 || !TEST_ptr(row[DB_srpgN])
7593 || !TEST_true(TXT_DB_insert(db, row)))
7594 goto end;
7595
7596 row = NULL;
7597
7598 if (TXT_DB_write(out, db) <= 0)
7599 goto end;
7600
7601 ret = 1;
7602 end:
7603 if (row != NULL) {
7604 for (i = 0; i < DB_NUMBER; i++)
7605 OPENSSL_free(row[i]);
7606 }
7607 OPENSSL_free(row);
7608 BIO_free(dummy);
7609 BIO_free(out);
7610 TXT_DB_free(db);
7611
7612 return ret;
7613 }
7614
create_new_vbase(char * userid,char * password)7615 static int create_new_vbase(char *userid, char *password)
7616 {
7617 BIGNUM *verifier = NULL, *salt = NULL;
7618 const SRP_gN *lgN = NULL;
7619 SRP_user_pwd *user_pwd = NULL;
7620 int ret = 0;
7621
7622 lgN = SRP_get_default_gN(NULL);
7623 if (!TEST_ptr(lgN))
7624 goto end;
7625
7626 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7627 lgN->N, lgN->g, libctx, NULL)))
7628 goto end;
7629
7630 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7631 if (!TEST_ptr(user_pwd))
7632 goto end;
7633
7634 user_pwd->N = lgN->N;
7635 user_pwd->g = lgN->g;
7636 user_pwd->id = OPENSSL_strdup(userid);
7637 if (!TEST_ptr(user_pwd->id))
7638 goto end;
7639
7640 user_pwd->v = verifier;
7641 user_pwd->s = salt;
7642 verifier = salt = NULL;
7643
7644 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7645 goto end;
7646 user_pwd = NULL;
7647
7648 ret = 1;
7649 end:
7650 SRP_user_pwd_free(user_pwd);
7651 BN_free(salt);
7652 BN_free(verifier);
7653
7654 return ret;
7655 }
7656
7657 /*
7658 * SRP tests
7659 *
7660 * Test 0: Simple successful SRP connection, new vbase
7661 * Test 1: Connection failure due to bad password, new vbase
7662 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7663 * Test 3: Connection failure due to bad password, vbase loaded from existing
7664 * file
7665 * Test 4: Simple successful SRP connection, vbase loaded from new file
7666 * Test 5: Connection failure due to bad password, vbase loaded from new file
7667 */
test_srp(int tst)7668 static int test_srp(int tst)
7669 {
7670 char *userid = "test", *password = "password", *tstsrpfile;
7671 SSL_CTX *cctx = NULL, *sctx = NULL;
7672 SSL *clientssl = NULL, *serverssl = NULL;
7673 int ret, testresult = 0;
7674
7675 vbase = SRP_VBASE_new(NULL);
7676 if (!TEST_ptr(vbase))
7677 goto end;
7678
7679 if (tst == 0 || tst == 1) {
7680 if (!TEST_true(create_new_vbase(userid, password)))
7681 goto end;
7682 } else {
7683 if (tst == 4 || tst == 5) {
7684 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7685 goto end;
7686 tstsrpfile = tmpfilename;
7687 } else {
7688 tstsrpfile = srpvfile;
7689 }
7690 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7691 goto end;
7692 }
7693
7694 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7695 TLS_client_method(), TLS1_VERSION, 0,
7696 &sctx, &cctx, cert, privkey)))
7697 goto end;
7698
7699 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7700 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7701 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7702 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7703 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7704 goto end;
7705
7706 if (tst % 2 == 1) {
7707 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7708 goto end;
7709 } else {
7710 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7711 goto end;
7712 }
7713
7714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7715 NULL, NULL)))
7716 goto end;
7717
7718 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7719 if (ret) {
7720 if (!TEST_true(tst % 2 == 0))
7721 goto end;
7722 } else {
7723 if (!TEST_true(tst % 2 == 1))
7724 goto end;
7725 }
7726
7727 testresult = 1;
7728
7729 end:
7730 SRP_VBASE_free(vbase);
7731 vbase = NULL;
7732 SSL_free(serverssl);
7733 SSL_free(clientssl);
7734 SSL_CTX_free(sctx);
7735 SSL_CTX_free(cctx);
7736
7737 return testresult;
7738 }
7739 #endif
7740
7741 static int info_cb_failed = 0;
7742 static int info_cb_offset = 0;
7743 static int info_cb_this_state = -1;
7744
7745 static struct info_cb_states_st {
7746 int where;
7747 const char *statestr;
7748 } info_cb_states[][60] = {
7749 {
7750 /* TLSv1.2 server followed by resumption */
7751 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7752 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7753 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7754 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7755 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7756 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7757 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7758 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7759 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7760 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7761 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7762 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7763 {SSL_CB_EXIT, NULL}, {0, NULL},
7764 }, {
7765 /* TLSv1.2 client followed by resumption */
7766 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7767 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7768 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7769 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7770 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7771 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7772 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7773 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7774 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7775 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7776 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7777 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7778 }, {
7779 /* TLSv1.3 server followed by resumption */
7780 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7781 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7782 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7783 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7784 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7785 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7786 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7787 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7788 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7789 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7790 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7791 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7792 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7793 }, {
7794 /* TLSv1.3 client followed by resumption */
7795 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7796 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7797 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7798 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7799 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7800 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7801 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7802 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7803 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7804 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7805 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7806 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7807 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7808 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7809 {SSL_CB_EXIT, NULL}, {0, NULL},
7810 }, {
7811 /* TLSv1.3 server, early_data */
7812 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7813 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7814 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7815 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7816 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7817 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7818 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7819 {SSL_CB_EXIT, NULL}, {0, NULL},
7820 }, {
7821 /* TLSv1.3 client, early_data */
7822 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7823 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7824 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7825 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7826 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7827 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7828 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7829 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7830 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7831 }, {
7832 /* TLSv1.3 server, certificate compression, followed by resumption */
7833 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7834 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7835 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7836 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7837 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7838 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7839 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7840 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7841 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7842 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7843 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7844 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7845 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7846 }, {
7847 /* TLSv1.3 client, certificate compression, followed by resumption */
7848 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7849 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7850 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7851 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7852 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7853 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7854 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7855 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7856 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7857 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7858 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7859 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7860 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7861 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7862 {SSL_CB_EXIT, NULL}, {0, NULL},
7863 }, {
7864 {0, NULL},
7865 }
7866 };
7867
sslapi_info_callback(const SSL * s,int where,int ret)7868 static void sslapi_info_callback(const SSL *s, int where, int ret)
7869 {
7870 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7871
7872 /* We do not ever expect a connection to fail in this test */
7873 if (!TEST_false(ret == 0)) {
7874 info_cb_failed = 1;
7875 return;
7876 }
7877
7878 /*
7879 * Do some sanity checks. We never expect these things to happen in this
7880 * test
7881 */
7882 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7883 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7884 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7885 info_cb_failed = 1;
7886 return;
7887 }
7888
7889 /* Now check we're in the right state */
7890 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7891 info_cb_failed = 1;
7892 return;
7893 }
7894 if ((where & SSL_CB_LOOP) != 0
7895 && !TEST_int_eq(strcmp(SSL_state_string(s),
7896 state[info_cb_this_state].statestr), 0)) {
7897 info_cb_failed = 1;
7898 return;
7899 }
7900
7901 /*
7902 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7903 */
7904 if ((where & SSL_CB_HANDSHAKE_DONE)
7905 && SSL_in_init((SSL *)s) != 0) {
7906 info_cb_failed = 1;
7907 return;
7908 }
7909 }
7910
7911 /*
7912 * Test the info callback gets called when we expect it to.
7913 *
7914 * Test 0: TLSv1.2, server
7915 * Test 1: TLSv1.2, client
7916 * Test 2: TLSv1.3, server
7917 * Test 3: TLSv1.3, client
7918 * Test 4: TLSv1.3, server, early_data
7919 * Test 5: TLSv1.3, client, early_data
7920 * Test 6: TLSv1.3, server, compressed certificate
7921 * Test 7: TLSv1.3, client, compressed certificate
7922 */
test_info_callback(int tst)7923 static int test_info_callback(int tst)
7924 {
7925 SSL_CTX *cctx = NULL, *sctx = NULL;
7926 SSL *clientssl = NULL, *serverssl = NULL;
7927 SSL_SESSION *clntsess = NULL;
7928 int testresult = 0;
7929 int tlsvers;
7930
7931 if (tst < 2) {
7932 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7933 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7934 || !defined(OPENSSL_NO_DH))
7935 tlsvers = TLS1_2_VERSION;
7936 #else
7937 return 1;
7938 #endif
7939 } else {
7940 #ifndef OSSL_NO_USABLE_TLS1_3
7941 tlsvers = TLS1_3_VERSION;
7942 #else
7943 return 1;
7944 #endif
7945 }
7946
7947 /* Reset globals */
7948 info_cb_failed = 0;
7949 info_cb_this_state = -1;
7950 info_cb_offset = tst;
7951
7952 #ifndef OSSL_NO_USABLE_TLS1_3
7953 if (tst >= 4 && tst < 6) {
7954 SSL_SESSION *sess = NULL;
7955 size_t written, readbytes;
7956 unsigned char buf[80];
7957 OSSL_TIME timer;
7958
7959 /* early_data tests */
7960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7961 &serverssl, &sess, 0,
7962 SHA384_DIGEST_LENGTH)))
7963 goto end;
7964
7965 /* We don't actually need this reference */
7966 SSL_SESSION_free(sess);
7967
7968 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7969 sslapi_info_callback);
7970
7971 /* Write and read some early data and then complete the connection */
7972 timer = ossl_time_now();
7973 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7974 &written))
7975 || !TEST_size_t_eq(written, strlen(MSG1)))
7976 goto end;
7977
7978 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7979 sizeof(buf), &readbytes),
7980 SSL_READ_EARLY_DATA_SUCCESS)) {
7981 testresult = check_early_data_timeout(timer);
7982 goto end;
7983 }
7984
7985 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7986 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7987 SSL_EARLY_DATA_ACCEPTED)
7988 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7989 SSL_ERROR_NONE))
7990 || !TEST_false(info_cb_failed))
7991 goto end;
7992
7993 testresult = 1;
7994 goto end;
7995 }
7996 #endif
7997
7998 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7999 TLS_client_method(),
8000 tlsvers, tlsvers, &sctx, &cctx, cert,
8001 privkey)))
8002 goto end;
8003
8004 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8005 goto end;
8006
8007 /*
8008 * For even numbered tests we check the server callbacks. For odd numbers we
8009 * check the client.
8010 */
8011 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
8012 sslapi_info_callback);
8013 if (tst >= 6) {
8014 if (!SSL_CTX_compress_certs(sctx, 0))
8015 goto end;
8016 }
8017
8018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8019 &clientssl, NULL, NULL))
8020 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8021 SSL_ERROR_NONE))
8022 || !TEST_false(info_cb_failed))
8023 goto end;
8024
8025
8026
8027 clntsess = SSL_get1_session(clientssl);
8028 SSL_shutdown(clientssl);
8029 SSL_shutdown(serverssl);
8030 SSL_free(serverssl);
8031 SSL_free(clientssl);
8032 serverssl = clientssl = NULL;
8033
8034 /* Now do a resumption */
8035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8036 NULL))
8037 || !TEST_true(SSL_set_session(clientssl, clntsess))
8038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8039 SSL_ERROR_NONE))
8040 || !TEST_true(SSL_session_reused(clientssl))
8041 || !TEST_false(info_cb_failed))
8042 goto end;
8043
8044 testresult = 1;
8045
8046 end:
8047 SSL_free(serverssl);
8048 SSL_free(clientssl);
8049 SSL_SESSION_free(clntsess);
8050 SSL_CTX_free(sctx);
8051 SSL_CTX_free(cctx);
8052 return testresult;
8053 }
8054
test_ssl_pending(int tst)8055 static int test_ssl_pending(int tst)
8056 {
8057 SSL_CTX *cctx = NULL, *sctx = NULL;
8058 SSL *clientssl = NULL, *serverssl = NULL;
8059 int testresult = 0;
8060 char msg[] = "A test message";
8061 char buf[5];
8062 size_t written, readbytes;
8063
8064 if (tst == 0) {
8065 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8066 TLS_client_method(),
8067 TLS1_VERSION, 0,
8068 &sctx, &cctx, cert, privkey)))
8069 goto end;
8070 } else {
8071 #ifndef OPENSSL_NO_DTLS
8072 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
8073 DTLS_client_method(),
8074 DTLS1_VERSION, 0,
8075 &sctx, &cctx, cert, privkey)))
8076 goto end;
8077
8078 # ifdef OPENSSL_NO_DTLS1_2
8079 /* Not supported in the FIPS provider */
8080 if (is_fips) {
8081 testresult = 1;
8082 goto end;
8083 };
8084 /*
8085 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
8086 * level 0
8087 */
8088 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
8089 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
8090 "DEFAULT:@SECLEVEL=0")))
8091 goto end;
8092 # endif
8093 #else
8094 return 1;
8095 #endif
8096 }
8097
8098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8099 NULL, NULL))
8100 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8101 SSL_ERROR_NONE)))
8102 goto end;
8103
8104 if (!TEST_int_eq(SSL_pending(clientssl), 0)
8105 || !TEST_false(SSL_has_pending(clientssl))
8106 || !TEST_int_eq(SSL_pending(serverssl), 0)
8107 || !TEST_false(SSL_has_pending(serverssl))
8108 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8109 || !TEST_size_t_eq(written, sizeof(msg))
8110 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8111 || !TEST_size_t_eq(readbytes, sizeof(buf))
8112 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8113 || !TEST_true(SSL_has_pending(clientssl)))
8114 goto end;
8115
8116 testresult = 1;
8117
8118 end:
8119 SSL_free(serverssl);
8120 SSL_free(clientssl);
8121 SSL_CTX_free(sctx);
8122 SSL_CTX_free(cctx);
8123
8124 return testresult;
8125 }
8126
8127 static struct {
8128 unsigned int maxprot;
8129 const char *clntciphers;
8130 const char *clnttls13ciphers;
8131 const char *srvrciphers;
8132 const char *srvrtls13ciphers;
8133 const char *shared;
8134 const char *fipsshared;
8135 } shared_ciphers_data[] = {
8136 /*
8137 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8138 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8139 */
8140 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8141 {
8142 TLS1_2_VERSION,
8143 "AES128-SHA:AES256-SHA",
8144 NULL,
8145 "AES256-SHA:DHE-RSA-AES128-SHA",
8146 NULL,
8147 "AES256-SHA",
8148 "AES256-SHA"
8149 },
8150 # if !defined(OPENSSL_NO_CHACHA) \
8151 && !defined(OPENSSL_NO_POLY1305) \
8152 && !defined(OPENSSL_NO_EC)
8153 {
8154 TLS1_2_VERSION,
8155 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8156 NULL,
8157 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8158 NULL,
8159 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8160 "AES128-SHA"
8161 },
8162 # endif
8163 {
8164 TLS1_2_VERSION,
8165 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8166 NULL,
8167 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8168 NULL,
8169 "AES128-SHA:AES256-SHA",
8170 "AES128-SHA:AES256-SHA"
8171 },
8172 {
8173 TLS1_2_VERSION,
8174 "AES128-SHA:AES256-SHA",
8175 NULL,
8176 "AES128-SHA:DHE-RSA-AES128-SHA",
8177 NULL,
8178 "AES128-SHA",
8179 "AES128-SHA"
8180 },
8181 #endif
8182 /*
8183 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8184 * enabled.
8185 */
8186 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8187 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8188 {
8189 TLS1_3_VERSION,
8190 "AES128-SHA:AES256-SHA",
8191 NULL,
8192 "AES256-SHA:AES128-SHA256",
8193 NULL,
8194 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8195 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8196 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8197 },
8198 #endif
8199 #ifndef OSSL_NO_USABLE_TLS1_3
8200 {
8201 TLS1_3_VERSION,
8202 "AES128-SHA",
8203 "TLS_AES_256_GCM_SHA384",
8204 "AES256-SHA",
8205 "TLS_AES_256_GCM_SHA384",
8206 "TLS_AES_256_GCM_SHA384",
8207 "TLS_AES_256_GCM_SHA384"
8208 },
8209 #endif
8210 };
8211
int_test_ssl_get_shared_ciphers(int tst,int clnt)8212 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8213 {
8214 SSL_CTX *cctx = NULL, *sctx = NULL;
8215 SSL *clientssl = NULL, *serverssl = NULL;
8216 int testresult = 0;
8217 char buf[1024];
8218 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8219
8220 if (!TEST_ptr(tmplibctx))
8221 goto end;
8222
8223 /*
8224 * Regardless of whether we're testing with the FIPS provider loaded into
8225 * libctx, we want one peer to always use the full set of ciphersuites
8226 * available. Therefore we use a separate libctx with the default provider
8227 * loaded into it. We run the same tests twice - once with the client side
8228 * having the full set of ciphersuites and once with the server side.
8229 */
8230 if (clnt) {
8231 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8232 if (!TEST_ptr(cctx))
8233 goto end;
8234 } else {
8235 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8236 if (!TEST_ptr(sctx))
8237 goto end;
8238 }
8239
8240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8241 TLS_client_method(),
8242 TLS1_VERSION,
8243 shared_ciphers_data[tst].maxprot,
8244 &sctx, &cctx, cert, privkey)))
8245 goto end;
8246
8247 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8248 shared_ciphers_data[tst].clntciphers))
8249 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8250 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8251 shared_ciphers_data[tst].clnttls13ciphers)))
8252 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8253 shared_ciphers_data[tst].srvrciphers))
8254 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8255 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8256 shared_ciphers_data[tst].srvrtls13ciphers))))
8257 goto end;
8258
8259
8260 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8261 NULL, NULL))
8262 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8263 SSL_ERROR_NONE)))
8264 goto end;
8265
8266 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8267 || !TEST_int_eq(strcmp(buf,
8268 is_fips
8269 ? shared_ciphers_data[tst].fipsshared
8270 : shared_ciphers_data[tst].shared),
8271 0)) {
8272 TEST_info("Shared ciphers are: %s\n", buf);
8273 goto end;
8274 }
8275
8276 testresult = 1;
8277
8278 end:
8279 SSL_free(serverssl);
8280 SSL_free(clientssl);
8281 SSL_CTX_free(sctx);
8282 SSL_CTX_free(cctx);
8283 OSSL_LIB_CTX_free(tmplibctx);
8284
8285 return testresult;
8286 }
8287
test_ssl_get_shared_ciphers(int tst)8288 static int test_ssl_get_shared_ciphers(int tst)
8289 {
8290 return int_test_ssl_get_shared_ciphers(tst, 0)
8291 && int_test_ssl_get_shared_ciphers(tst, 1);
8292 }
8293
8294
8295 static const char *appdata = "Hello World";
8296 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8297 static int tick_key_renew = 0;
8298 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8299
gen_tick_cb(SSL * s,void * arg)8300 static int gen_tick_cb(SSL *s, void *arg)
8301 {
8302 gen_tick_called = 1;
8303
8304 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8305 strlen(appdata));
8306 }
8307
dec_tick_cb(SSL * s,SSL_SESSION * ss,const unsigned char * keyname,size_t keyname_length,SSL_TICKET_STATUS status,void * arg)8308 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8309 const unsigned char *keyname,
8310 size_t keyname_length,
8311 SSL_TICKET_STATUS status,
8312 void *arg)
8313 {
8314 void *tickdata;
8315 size_t tickdlen;
8316
8317 dec_tick_called = 1;
8318
8319 if (status == SSL_TICKET_EMPTY)
8320 return SSL_TICKET_RETURN_IGNORE_RENEW;
8321
8322 if (!TEST_true(status == SSL_TICKET_SUCCESS
8323 || status == SSL_TICKET_SUCCESS_RENEW))
8324 return SSL_TICKET_RETURN_ABORT;
8325
8326 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8327 &tickdlen))
8328 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8329 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8330 return SSL_TICKET_RETURN_ABORT;
8331
8332 if (tick_key_cb_called) {
8333 /* Don't change what the ticket key callback wanted to do */
8334 switch (status) {
8335 case SSL_TICKET_NO_DECRYPT:
8336 return SSL_TICKET_RETURN_IGNORE_RENEW;
8337
8338 case SSL_TICKET_SUCCESS:
8339 return SSL_TICKET_RETURN_USE;
8340
8341 case SSL_TICKET_SUCCESS_RENEW:
8342 return SSL_TICKET_RETURN_USE_RENEW;
8343
8344 default:
8345 return SSL_TICKET_RETURN_ABORT;
8346 }
8347 }
8348 return tick_dec_ret;
8349
8350 }
8351
8352 #ifndef OPENSSL_NO_DEPRECATED_3_0
tick_key_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int enc)8353 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8354 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8355 HMAC_CTX *hctx, int enc)
8356 {
8357 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8358 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8359 EVP_CIPHER *aes128cbc;
8360 EVP_MD *sha256;
8361 int ret;
8362
8363 tick_key_cb_called = 1;
8364
8365 if (tick_key_renew == -1)
8366 return 0;
8367
8368 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8369 if (!TEST_ptr(aes128cbc))
8370 return 0;
8371 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8372 if (!TEST_ptr(sha256)) {
8373 EVP_CIPHER_free(aes128cbc);
8374 return 0;
8375 }
8376
8377 memset(iv, 0, AES_BLOCK_SIZE);
8378 memset(key_name, 0, 16);
8379 if (aes128cbc == NULL
8380 || sha256 == NULL
8381 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8382 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8383 NULL))
8384 ret = -1;
8385 else
8386 ret = tick_key_renew ? 2 : 1;
8387
8388 EVP_CIPHER_free(aes128cbc);
8389 EVP_MD_free(sha256);
8390
8391 return ret;
8392 }
8393 #endif
8394
tick_key_evp_cb(SSL * s,unsigned char key_name[16],unsigned char iv[EVP_MAX_IV_LENGTH],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int enc)8395 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8396 unsigned char iv[EVP_MAX_IV_LENGTH],
8397 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8398 {
8399 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8400 unsigned char tick_hmac_key[16] = "0123456789abcdef";
8401 OSSL_PARAM params[2];
8402 EVP_CIPHER *aes128cbc;
8403 int ret;
8404
8405 tick_key_cb_called = 1;
8406
8407 if (tick_key_renew == -1)
8408 return 0;
8409
8410 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8411 if (!TEST_ptr(aes128cbc))
8412 return 0;
8413
8414 memset(iv, 0, AES_BLOCK_SIZE);
8415 memset(key_name, 0, 16);
8416 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8417 "SHA256", 0);
8418 params[1] = OSSL_PARAM_construct_end();
8419 if (aes128cbc == NULL
8420 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8421 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8422 params))
8423 ret = -1;
8424 else
8425 ret = tick_key_renew ? 2 : 1;
8426
8427 EVP_CIPHER_free(aes128cbc);
8428
8429 return ret;
8430 }
8431
8432 /*
8433 * Test the various ticket callbacks
8434 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8435 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8436 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8437 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8438 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8439 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8440 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8441 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8442 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8443 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8444 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8445 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8446 * Test 12: TLSv1.2, old ticket key callback, no ticket
8447 * Test 13: TLSv1.3, old ticket key callback, no ticket
8448 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8449 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8450 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8451 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8452 * Test 18: TLSv1.2, ticket key callback, no ticket
8453 * Test 19: TLSv1.3, ticket key callback, no ticket
8454 */
test_ticket_callbacks(int tst)8455 static int test_ticket_callbacks(int tst)
8456 {
8457 SSL_CTX *cctx = NULL, *sctx = NULL;
8458 SSL *clientssl = NULL, *serverssl = NULL;
8459 SSL_SESSION *clntsess = NULL;
8460 int testresult = 0;
8461
8462 #ifdef OPENSSL_NO_TLS1_2
8463 if (tst % 2 == 0)
8464 return 1;
8465 #endif
8466 #ifdef OSSL_NO_USABLE_TLS1_3
8467 if (tst % 2 == 1)
8468 return 1;
8469 #endif
8470 #ifdef OPENSSL_NO_DEPRECATED_3_0
8471 if (tst >= 8 && tst <= 13)
8472 return 1;
8473 #endif
8474
8475 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8476
8477 /* Which tests the ticket key callback should request renewal for */
8478
8479 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8480 tick_key_renew = 1;
8481 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8482 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8483 else
8484 tick_key_renew = 0;
8485
8486 /* Which tests the decrypt ticket callback should request renewal for */
8487 switch (tst) {
8488 case 0:
8489 case 1:
8490 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8491 break;
8492
8493 case 2:
8494 case 3:
8495 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8496 break;
8497
8498 case 4:
8499 case 5:
8500 tick_dec_ret = SSL_TICKET_RETURN_USE;
8501 break;
8502
8503 case 6:
8504 case 7:
8505 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8506 break;
8507
8508 default:
8509 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8510 }
8511
8512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8513 TLS_client_method(),
8514 TLS1_VERSION,
8515 ((tst % 2) == 0) ? TLS1_2_VERSION
8516 : TLS1_3_VERSION,
8517 &sctx, &cctx, cert, privkey)))
8518 goto end;
8519
8520 /*
8521 * We only want sessions to resume from tickets - not the session cache. So
8522 * switch the cache off.
8523 */
8524 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8525 goto end;
8526
8527 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8528 NULL)))
8529 goto end;
8530
8531 if (tst >= 14) {
8532 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8533 goto end;
8534 #ifndef OPENSSL_NO_DEPRECATED_3_0
8535 } else if (tst >= 8) {
8536 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8537 goto end;
8538 #endif
8539 }
8540
8541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8542 NULL, NULL))
8543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8544 SSL_ERROR_NONE)))
8545 goto end;
8546
8547 /*
8548 * The decrypt ticket key callback in TLSv1.2 should be called even though
8549 * we have no ticket yet, because it gets called with a status of
8550 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8551 * actually send any ticket data). This does not happen in TLSv1.3 because
8552 * it is not valid to send empty ticket data in TLSv1.3.
8553 */
8554 if (!TEST_int_eq(gen_tick_called, 1)
8555 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8556 goto end;
8557
8558 gen_tick_called = dec_tick_called = 0;
8559
8560 clntsess = SSL_get1_session(clientssl);
8561 SSL_shutdown(clientssl);
8562 SSL_shutdown(serverssl);
8563 SSL_free(serverssl);
8564 SSL_free(clientssl);
8565 serverssl = clientssl = NULL;
8566
8567 /* Now do a resumption */
8568 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8569 NULL))
8570 || !TEST_true(SSL_set_session(clientssl, clntsess))
8571 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8572 SSL_ERROR_NONE)))
8573 goto end;
8574
8575 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8576 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8577 || tick_key_renew == -1) {
8578 if (!TEST_false(SSL_session_reused(clientssl)))
8579 goto end;
8580 } else {
8581 if (!TEST_true(SSL_session_reused(clientssl)))
8582 goto end;
8583 }
8584
8585 if (!TEST_int_eq(gen_tick_called,
8586 (tick_key_renew
8587 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8588 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8589 ? 1 : 0)
8590 /* There is no ticket to decrypt in tests 13 and 19 */
8591 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8592 goto end;
8593
8594 testresult = 1;
8595
8596 end:
8597 SSL_SESSION_free(clntsess);
8598 SSL_free(serverssl);
8599 SSL_free(clientssl);
8600 SSL_CTX_free(sctx);
8601 SSL_CTX_free(cctx);
8602
8603 return testresult;
8604 }
8605
8606 /*
8607 * Test incorrect shutdown.
8608 * Test 0: client does not shutdown properly,
8609 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8610 * server should get SSL_ERROR_SSL
8611 * Test 1: client does not shutdown properly,
8612 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8613 * server should get SSL_ERROR_ZERO_RETURN
8614 */
test_incorrect_shutdown(int tst)8615 static int test_incorrect_shutdown(int tst)
8616 {
8617 SSL_CTX *cctx = NULL, *sctx = NULL;
8618 SSL *clientssl = NULL, *serverssl = NULL;
8619 int testresult = 0;
8620 char buf[80];
8621 BIO *c2s;
8622
8623 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8624 TLS_client_method(), 0, 0,
8625 &sctx, &cctx, cert, privkey)))
8626 goto end;
8627
8628 if (tst == 1)
8629 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8630
8631 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8632 NULL, NULL)))
8633 goto end;
8634
8635 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8636 SSL_ERROR_NONE)))
8637 goto end;
8638
8639 c2s = SSL_get_rbio(serverssl);
8640 BIO_set_mem_eof_return(c2s, 0);
8641
8642 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8643 goto end;
8644
8645 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8646 goto end;
8647 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8648 goto end;
8649
8650 testresult = 1;
8651
8652 end:
8653 SSL_free(serverssl);
8654 SSL_free(clientssl);
8655 SSL_CTX_free(sctx);
8656 SSL_CTX_free(cctx);
8657
8658 return testresult;
8659 }
8660
8661 /*
8662 * Test bi-directional shutdown.
8663 * Test 0: TLSv1.2
8664 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8665 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8666 * Test 3: TLSv1.3, pending NewSessionTicket messages
8667 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8668 * sends key update, client reads it
8669 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8670 * sends CertificateRequest, client reads and ignores it
8671 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8672 * doesn't read it
8673 */
test_shutdown(int tst)8674 static int test_shutdown(int tst)
8675 {
8676 SSL_CTX *cctx = NULL, *sctx = NULL;
8677 SSL *clientssl = NULL, *serverssl = NULL;
8678 int testresult = 0;
8679 char msg[] = "A test message";
8680 char buf[80];
8681 size_t written, readbytes;
8682 SSL_SESSION *sess;
8683
8684 #ifdef OPENSSL_NO_TLS1_2
8685 if (tst <= 1)
8686 return 1;
8687 #endif
8688 #ifdef OSSL_NO_USABLE_TLS1_3
8689 if (tst >= 2)
8690 return 1;
8691 #endif
8692
8693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8694 TLS_client_method(),
8695 TLS1_VERSION,
8696 (tst <= 1) ? TLS1_2_VERSION
8697 : TLS1_3_VERSION,
8698 &sctx, &cctx, cert, privkey)))
8699 goto end;
8700
8701 if (tst == 5)
8702 SSL_CTX_set_post_handshake_auth(cctx, 1);
8703
8704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8705 NULL, NULL)))
8706 goto end;
8707
8708 if (tst == 3) {
8709 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8710 SSL_ERROR_NONE, 1, 0))
8711 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8712 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8713 goto end;
8714 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8715 SSL_ERROR_NONE))
8716 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8717 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8718 goto end;
8719 }
8720
8721 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8722 goto end;
8723
8724 if (tst >= 4) {
8725 /*
8726 * Reading on the server after the client has sent close_notify should
8727 * fail and provide SSL_ERROR_ZERO_RETURN
8728 */
8729 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8730 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8731 SSL_ERROR_ZERO_RETURN)
8732 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8733 SSL_RECEIVED_SHUTDOWN)
8734 /*
8735 * Even though we're shutdown on receive we should still be
8736 * able to write.
8737 */
8738 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8739 goto end;
8740 if (tst == 4
8741 && !TEST_true(SSL_key_update(serverssl,
8742 SSL_KEY_UPDATE_REQUESTED)))
8743 goto end;
8744 if (tst == 5) {
8745 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8746 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8747 goto end;
8748 }
8749 if ((tst == 4 || tst == 5)
8750 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8751 goto end;
8752 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8753 goto end;
8754 if (tst == 4 || tst == 5) {
8755 /* Should still be able to read data from server */
8756 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8757 &readbytes))
8758 || !TEST_size_t_eq(readbytes, sizeof(msg))
8759 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8760 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8761 &readbytes))
8762 || !TEST_size_t_eq(readbytes, sizeof(msg))
8763 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8764 goto end;
8765 }
8766 }
8767
8768 /* Writing on the client after sending close_notify shouldn't be possible */
8769 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8770 goto end;
8771
8772 if (tst < 4) {
8773 /*
8774 * For these tests the client has sent close_notify but it has not yet
8775 * been received by the server. The server has not sent close_notify
8776 * yet.
8777 */
8778 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8779 /*
8780 * Writing on the server after sending close_notify shouldn't
8781 * be possible.
8782 */
8783 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8784 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8785 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8786 || !TEST_true(SSL_SESSION_is_resumable(sess))
8787 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8788 goto end;
8789 } else if (tst == 4 || tst == 5) {
8790 /*
8791 * In this test the client has sent close_notify and it has been
8792 * received by the server which has responded with a close_notify. The
8793 * client needs to read the close_notify sent by the server.
8794 */
8795 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8796 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8797 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8798 goto end;
8799 } else {
8800 /*
8801 * tst == 6
8802 *
8803 * The client has sent close_notify and is expecting a close_notify
8804 * back, but instead there is application data first. The shutdown
8805 * should fail with a fatal error.
8806 */
8807 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8808 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8809 goto end;
8810 }
8811
8812 testresult = 1;
8813
8814 end:
8815 SSL_free(serverssl);
8816 SSL_free(clientssl);
8817 SSL_CTX_free(sctx);
8818 SSL_CTX_free(cctx);
8819
8820 return testresult;
8821 }
8822
8823 /*
8824 * Test that sending close_notify alerts works correctly in the case of a
8825 * retryable write failure.
8826 */
test_async_shutdown(void)8827 static int test_async_shutdown(void)
8828 {
8829 SSL_CTX *cctx = NULL, *sctx = NULL;
8830 SSL *clientssl = NULL, *serverssl = NULL;
8831 int testresult = 0;
8832 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8833
8834 if (!TEST_ptr(bretry))
8835 goto end;
8836
8837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8838 TLS_client_method(),
8839 0, 0,
8840 &sctx, &cctx, cert, privkey)))
8841 goto end;
8842
8843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8844 NULL)))
8845 goto end;
8846
8847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8848 goto end;
8849
8850 /* Close write side of clientssl */
8851 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8852 goto end;
8853
8854 tmp = SSL_get_wbio(serverssl);
8855 if (!TEST_true(BIO_up_ref(tmp))) {
8856 tmp = NULL;
8857 goto end;
8858 }
8859 SSL_set0_wbio(serverssl, bretry);
8860 bretry = NULL;
8861
8862 /* First server shutdown should fail because of a retrable write failure */
8863 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8864 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8865 goto end;
8866
8867 /* Second server shutdown should fail for the same reason */
8868 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8869 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8870 goto end;
8871
8872 SSL_set0_wbio(serverssl, tmp);
8873 tmp = NULL;
8874
8875 /* Third server shutdown should send close_notify */
8876 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8877 goto end;
8878
8879 /* Fourth server shutdown should read close_notify from client and finish */
8880 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8881 goto end;
8882
8883 /* Client should also successfully fully shutdown */
8884 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8885 goto end;
8886
8887 testresult = 1;
8888 end:
8889 SSL_free(serverssl);
8890 SSL_free(clientssl);
8891 SSL_CTX_free(sctx);
8892 SSL_CTX_free(cctx);
8893 BIO_free(bretry);
8894 BIO_free(tmp);
8895
8896 return testresult;
8897 }
8898
8899 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8900 static int cert_cb_cnt;
8901
load_chain(const char * file,EVP_PKEY ** pkey,X509 ** x509,STACK_OF (X509)* chain)8902 static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509,
8903 STACK_OF(X509) *chain)
8904 {
8905 char *path = test_mk_file_path(certsdir, file);
8906 BIO *in = NULL;
8907 X509 *x = NULL;
8908 int ok = 0;
8909
8910 if (path == NULL)
8911 return 0;
8912 if ((in = BIO_new(BIO_s_file())) == NULL
8913 || BIO_read_filename(in, path) <= 0)
8914 goto out;
8915 if (pkey == NULL) {
8916 if ((x = X509_new_ex(libctx, NULL)) == NULL
8917 || PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
8918 goto out;
8919 if (chain == NULL)
8920 *x509 = x;
8921 else if (!sk_X509_push(chain, x))
8922 goto out;
8923 } else if (PEM_read_bio_PrivateKey_ex(in, pkey, NULL, NULL,
8924 libctx, NULL) == NULL) {
8925 goto out;
8926 }
8927
8928 x = NULL;
8929 ok = 1;
8930 out:
8931 X509_free(x);
8932 BIO_free(in);
8933 OPENSSL_free(path);
8934 return ok;
8935 }
8936
cert_cb(SSL * s,void * arg)8937 static int cert_cb(SSL *s, void *arg)
8938 {
8939 SSL_CTX *ctx = (SSL_CTX *)arg;
8940 EVP_PKEY *pkey = NULL;
8941 X509 *x509 = NULL, *x = NULL;
8942 STACK_OF(X509) *chain = NULL;
8943 int ret = 0;
8944
8945 if (cert_cb_cnt == 0) {
8946 /* Suspend the handshake */
8947 cert_cb_cnt++;
8948 return -1;
8949 } else if (cert_cb_cnt == 1) {
8950 /*
8951 * Update the SSL_CTX, set the certificate and private key and then
8952 * continue the handshake normally.
8953 */
8954 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8955 return 0;
8956
8957 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8958 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8959 SSL_FILETYPE_PEM))
8960 || !TEST_true(SSL_check_private_key(s)))
8961 return 0;
8962 cert_cb_cnt++;
8963 return 1;
8964 } else if (cert_cb_cnt == 3) {
8965 int rv;
8966
8967 chain = sk_X509_new_null();
8968 if (!TEST_ptr(chain)
8969 || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain))
8970 || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain))
8971 || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL,
8972 &x509, NULL))
8973 || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey,
8974 NULL, NULL)))
8975 goto out;
8976 rv = SSL_check_chain(s, x509, pkey, chain);
8977 /*
8978 * If the cert doesn't show as valid here (e.g., because we don't
8979 * have any shared sigalgs), then we will not set it, and there will
8980 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8981 * will cause tls_choose_sigalgs() to fail the connection.
8982 */
8983 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8984 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8985 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8986 goto out;
8987 }
8988
8989 ret = 1;
8990 }
8991
8992 /* Abort the handshake */
8993 out:
8994 EVP_PKEY_free(pkey);
8995 X509_free(x509);
8996 X509_free(x);
8997 OSSL_STACK_OF_X509_free(chain);
8998 return ret;
8999 }
9000
9001 /*
9002 * Test the certificate callback.
9003 * Test 0: Callback fails
9004 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
9005 * Test 2: Success - SSL_set_SSL_CTX() in the callback
9006 * Test 3: Success - Call SSL_check_chain from the callback
9007 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
9008 * chain
9009 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
9010 */
test_cert_cb_int(int prot,int tst)9011 static int test_cert_cb_int(int prot, int tst)
9012 {
9013 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
9014 SSL *clientssl = NULL, *serverssl = NULL;
9015 int testresult = 0, ret;
9016
9017 #ifdef OPENSSL_NO_EC
9018 /* We use an EC cert in these tests, so we skip in a no-ec build */
9019 if (tst >= 3)
9020 return 1;
9021 #endif
9022
9023 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9024 TLS_client_method(),
9025 prot,
9026 prot,
9027 &sctx, &cctx, NULL, NULL)))
9028 goto end;
9029
9030 if (tst == 0)
9031 cert_cb_cnt = -1;
9032 else if (tst >= 3)
9033 cert_cb_cnt = 3;
9034 else
9035 cert_cb_cnt = 0;
9036
9037 if (tst == 2) {
9038 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9039 if (!TEST_ptr(snictx))
9040 goto end;
9041 }
9042
9043 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
9044
9045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9046 NULL, NULL)))
9047 goto end;
9048
9049 if (tst == 4) {
9050 /*
9051 * We cause SSL_check_chain() to fail by specifying sig_algs that
9052 * the chain doesn't meet (the root uses an RSA cert)
9053 */
9054 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9055 "ecdsa_secp256r1_sha256")))
9056 goto end;
9057 } else if (tst == 5) {
9058 /*
9059 * We cause SSL_check_chain() to fail by specifying sig_algs that
9060 * the ee cert doesn't meet (the ee uses an ECDSA cert)
9061 */
9062 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9063 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
9064 goto end;
9065 }
9066
9067 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
9068 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
9069 || (tst > 0
9070 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
9071 goto end;
9072 }
9073
9074 testresult = 1;
9075
9076 end:
9077 SSL_free(serverssl);
9078 SSL_free(clientssl);
9079 SSL_CTX_free(sctx);
9080 SSL_CTX_free(cctx);
9081 SSL_CTX_free(snictx);
9082
9083 return testresult;
9084 }
9085 #endif
9086
test_cert_cb(int tst)9087 static int test_cert_cb(int tst)
9088 {
9089 int testresult = 1;
9090
9091 #ifndef OPENSSL_NO_TLS1_2
9092 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
9093 #endif
9094 #ifndef OSSL_NO_USABLE_TLS1_3
9095 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
9096 #endif
9097
9098 return testresult;
9099 }
9100
client_cert_cb(SSL * ssl,X509 ** x509,EVP_PKEY ** pkey)9101 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
9102 {
9103 X509 *xcert;
9104 EVP_PKEY *privpkey;
9105 BIO *in = NULL;
9106 BIO *priv_in = NULL;
9107
9108 /* Check that SSL_get0_peer_certificate() returns something sensible */
9109 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
9110 return 0;
9111
9112 in = BIO_new_file(cert, "r");
9113 if (!TEST_ptr(in))
9114 return 0;
9115
9116 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
9117 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9118 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
9119 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9120 NULL, NULL,
9121 libctx, NULL)))
9122 goto err;
9123
9124 *x509 = xcert;
9125 *pkey = privpkey;
9126
9127 BIO_free(in);
9128 BIO_free(priv_in);
9129 return 1;
9130 err:
9131 X509_free(xcert);
9132 BIO_free(in);
9133 BIO_free(priv_in);
9134 return 0;
9135 }
9136
test_client_cert_cb(int tst)9137 static int test_client_cert_cb(int tst)
9138 {
9139 SSL_CTX *cctx = NULL, *sctx = NULL;
9140 SSL *clientssl = NULL, *serverssl = NULL;
9141 int testresult = 0;
9142
9143 #ifdef OPENSSL_NO_TLS1_2
9144 if (tst == 0)
9145 return 1;
9146 #endif
9147 #ifdef OSSL_NO_USABLE_TLS1_3
9148 if (tst == 1)
9149 return 1;
9150 #endif
9151
9152 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9153 TLS_client_method(),
9154 TLS1_VERSION,
9155 tst == 0 ? TLS1_2_VERSION
9156 : TLS1_3_VERSION,
9157 &sctx, &cctx, cert, privkey)))
9158 goto end;
9159
9160 /*
9161 * Test that setting a client_cert_cb results in a client certificate being
9162 * sent.
9163 */
9164 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9165 SSL_CTX_set_verify(sctx,
9166 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9167 verify_cb);
9168
9169 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9170 NULL, NULL))
9171 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9172 SSL_ERROR_NONE)))
9173 goto end;
9174
9175 testresult = 1;
9176
9177 end:
9178 SSL_free(serverssl);
9179 SSL_free(clientssl);
9180 SSL_CTX_free(sctx);
9181 SSL_CTX_free(cctx);
9182
9183 return testresult;
9184 }
9185
9186 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9187 /*
9188 * Test setting certificate authorities on both client and server.
9189 *
9190 * Test 0: SSL_CTX_set0_CA_list() only
9191 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9192 * Test 2: Only SSL_CTX_set_client_CA_list()
9193 */
test_ca_names_int(int prot,int tst)9194 static int test_ca_names_int(int prot, int tst)
9195 {
9196 SSL_CTX *cctx = NULL, *sctx = NULL;
9197 SSL *clientssl = NULL, *serverssl = NULL;
9198 int testresult = 0;
9199 size_t i;
9200 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9201 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9202 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9203 const STACK_OF(X509_NAME) *sktmp = NULL;
9204
9205 for (i = 0; i < OSSL_NELEM(name); i++) {
9206 name[i] = X509_NAME_new();
9207 if (!TEST_ptr(name[i])
9208 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9209 MBSTRING_ASC,
9210 (unsigned char *)
9211 strnames[i],
9212 -1, -1, 0)))
9213 goto end;
9214 }
9215
9216 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9217 TLS_client_method(),
9218 TLS1_VERSION,
9219 prot,
9220 &sctx, &cctx, cert, privkey)))
9221 goto end;
9222
9223 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9224
9225 if (tst == 0 || tst == 1) {
9226 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9227 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9228 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9229 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9230 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9231 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9232 goto end;
9233
9234 SSL_CTX_set0_CA_list(sctx, sk1);
9235 SSL_CTX_set0_CA_list(cctx, sk2);
9236 sk1 = sk2 = NULL;
9237 }
9238 if (tst == 1 || tst == 2) {
9239 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9240 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9241 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9242 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9243 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9244 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9245 goto end;
9246
9247 SSL_CTX_set_client_CA_list(sctx, sk1);
9248 SSL_CTX_set_client_CA_list(cctx, sk2);
9249 sk1 = sk2 = NULL;
9250 }
9251
9252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9253 NULL, NULL))
9254 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9255 SSL_ERROR_NONE)))
9256 goto end;
9257
9258 /*
9259 * We only expect certificate authorities to have been sent to the server
9260 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9261 */
9262 sktmp = SSL_get0_peer_CA_list(serverssl);
9263 if (prot == TLS1_3_VERSION
9264 && (tst == 0 || tst == 1)) {
9265 if (!TEST_ptr(sktmp)
9266 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9267 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9268 name[0]), 0)
9269 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9270 name[1]), 0))
9271 goto end;
9272 } else if (!TEST_ptr_null(sktmp)) {
9273 goto end;
9274 }
9275
9276 /*
9277 * In all tests we expect certificate authorities to have been sent to the
9278 * client. However, SSL_set_client_CA_list() should override
9279 * SSL_set0_CA_list()
9280 */
9281 sktmp = SSL_get0_peer_CA_list(clientssl);
9282 if (!TEST_ptr(sktmp)
9283 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9284 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9285 name[tst == 0 ? 0 : 2]), 0)
9286 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9287 name[tst == 0 ? 1 : 3]), 0))
9288 goto end;
9289
9290 testresult = 1;
9291
9292 end:
9293 SSL_free(serverssl);
9294 SSL_free(clientssl);
9295 SSL_CTX_free(sctx);
9296 SSL_CTX_free(cctx);
9297 for (i = 0; i < OSSL_NELEM(name); i++)
9298 X509_NAME_free(name[i]);
9299 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9300 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9301
9302 return testresult;
9303 }
9304 #endif
9305
test_ca_names(int tst)9306 static int test_ca_names(int tst)
9307 {
9308 int testresult = 1;
9309
9310 #ifndef OPENSSL_NO_TLS1_2
9311 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9312 #endif
9313 #ifndef OSSL_NO_USABLE_TLS1_3
9314 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9315 #endif
9316
9317 return testresult;
9318 }
9319
9320 #ifndef OPENSSL_NO_TLS1_2
9321 static const char *multiblock_cipherlist_data[]=
9322 {
9323 "AES128-SHA",
9324 "AES128-SHA256",
9325 "AES256-SHA",
9326 "AES256-SHA256",
9327 };
9328
9329 /* Reduce the fragment size - so the multiblock test buffer can be small */
9330 # define MULTIBLOCK_FRAGSIZE 512
9331
test_multiblock_write(int test_index)9332 static int test_multiblock_write(int test_index)
9333 {
9334 static const char *fetchable_ciphers[]=
9335 {
9336 "AES-128-CBC-HMAC-SHA1",
9337 "AES-128-CBC-HMAC-SHA256",
9338 "AES-256-CBC-HMAC-SHA1",
9339 "AES-256-CBC-HMAC-SHA256"
9340 };
9341 const char *cipherlist = multiblock_cipherlist_data[test_index];
9342 const SSL_METHOD *smeth = TLS_server_method();
9343 const SSL_METHOD *cmeth = TLS_client_method();
9344 int min_version = TLS1_VERSION;
9345 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9346 SSL_CTX *cctx = NULL, *sctx = NULL;
9347 SSL *clientssl = NULL, *serverssl = NULL;
9348 int testresult = 0;
9349
9350 /*
9351 * Choose a buffer large enough to perform a multi-block operation
9352 * i.e: write_len >= 4 * frag_size
9353 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9354 */
9355 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9356 unsigned char buf[sizeof(msg)], *p = buf;
9357 size_t readbytes, written, len;
9358 EVP_CIPHER *ciph = NULL;
9359
9360 /*
9361 * Check if the cipher exists before attempting to use it since it only has
9362 * a hardware specific implementation.
9363 */
9364 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9365 if (ciph == NULL) {
9366 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9367 return 1;
9368 }
9369 EVP_CIPHER_free(ciph);
9370
9371 /* Set up a buffer with some data that will be sent to the client */
9372 RAND_bytes(msg, sizeof(msg));
9373
9374 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9375 max_version, &sctx, &cctx, cert,
9376 privkey)))
9377 goto end;
9378
9379 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9380 goto end;
9381
9382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9383 NULL, NULL)))
9384 goto end;
9385
9386 /* settings to force it to use AES-CBC-HMAC_SHA */
9387 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9388 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9389 goto end;
9390
9391 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9392 goto end;
9393
9394 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9395 || !TEST_size_t_eq(written, sizeof(msg)))
9396 goto end;
9397
9398 len = written;
9399 while (len > 0) {
9400 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9401 goto end;
9402 p += readbytes;
9403 len -= readbytes;
9404 }
9405 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9406 goto end;
9407
9408 testresult = 1;
9409 end:
9410 SSL_free(serverssl);
9411 SSL_free(clientssl);
9412 SSL_CTX_free(sctx);
9413 SSL_CTX_free(cctx);
9414
9415 return testresult;
9416 }
9417 #endif /* OPENSSL_NO_TLS1_2 */
9418
test_session_timeout(int test)9419 static int test_session_timeout(int test)
9420 {
9421 /*
9422 * Test session ordering and timeout
9423 * Can't explicitly test performance of the new code,
9424 * but can test to see if the ordering of the sessions
9425 * are correct, and they are removed as expected
9426 */
9427 SSL_SESSION *early = NULL;
9428 SSL_SESSION *middle = NULL;
9429 SSL_SESSION *late = NULL;
9430 SSL_CTX *ctx;
9431 int testresult = 0;
9432 time_t now = time(NULL);
9433 #define TIMEOUT 10
9434
9435 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9436 || !TEST_ptr(early = SSL_SESSION_new())
9437 || !TEST_ptr(middle = SSL_SESSION_new())
9438 || !TEST_ptr(late = SSL_SESSION_new()))
9439 goto end;
9440
9441 /* assign unique session ids */
9442 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9443 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9444 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9445 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9446 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9447 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9448
9449 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9450 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9451 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9452 goto end;
9453
9454 /* Make sure they are all added */
9455 if (!TEST_ptr(early->prev)
9456 || !TEST_ptr(middle->prev)
9457 || !TEST_ptr(late->prev))
9458 goto end;
9459
9460 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
9461 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
9462 || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
9463 goto end;
9464
9465 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9466 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9467 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9468 goto end;
9469
9470 /* Make sure they are all still there */
9471 if (!TEST_ptr(early->prev)
9472 || !TEST_ptr(middle->prev)
9473 || !TEST_ptr(late->prev))
9474 goto end;
9475
9476 /* Make sure they are in the expected order */
9477 if (!TEST_ptr_eq(late->next, middle)
9478 || !TEST_ptr_eq(middle->next, early)
9479 || !TEST_ptr_eq(early->prev, middle)
9480 || !TEST_ptr_eq(middle->prev, late))
9481 goto end;
9482
9483 /* This should remove "early" */
9484 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
9485 if (!TEST_ptr_null(early->prev)
9486 || !TEST_ptr(middle->prev)
9487 || !TEST_ptr(late->prev))
9488 goto end;
9489
9490 /* This should remove "middle" */
9491 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
9492 if (!TEST_ptr_null(early->prev)
9493 || !TEST_ptr_null(middle->prev)
9494 || !TEST_ptr(late->prev))
9495 goto end;
9496
9497 /* This should remove "late" */
9498 SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
9499 if (!TEST_ptr_null(early->prev)
9500 || !TEST_ptr_null(middle->prev)
9501 || !TEST_ptr_null(late->prev))
9502 goto end;
9503
9504 /* Add them back in again */
9505 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9506 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9507 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9508 goto end;
9509
9510 /* Make sure they are all added */
9511 if (!TEST_ptr(early->prev)
9512 || !TEST_ptr(middle->prev)
9513 || !TEST_ptr(late->prev))
9514 goto end;
9515
9516 /* This should remove all of them */
9517 SSL_CTX_flush_sessions_ex(ctx, 0);
9518 if (!TEST_ptr_null(early->prev)
9519 || !TEST_ptr_null(middle->prev)
9520 || !TEST_ptr_null(late->prev))
9521 goto end;
9522
9523 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9524 | SSL_CTX_get_session_cache_mode(ctx));
9525
9526 /* make sure |now| is NOT equal to the current time */
9527 now -= 10;
9528 if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
9529 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9530 || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
9531 goto end;
9532
9533 testresult = 1;
9534 end:
9535 SSL_CTX_free(ctx);
9536 SSL_SESSION_free(early);
9537 SSL_SESSION_free(middle);
9538 SSL_SESSION_free(late);
9539 return testresult;
9540 }
9541
9542 /*
9543 * Test that a session cache overflow works as expected
9544 * Test 0: TLSv1.3, timeout on new session later than old session
9545 * Test 1: TLSv1.2, timeout on new session later than old session
9546 * Test 2: TLSv1.3, timeout on new session earlier than old session
9547 * Test 3: TLSv1.2, timeout on new session earlier than old session
9548 */
9549 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
test_session_cache_overflow(int idx)9550 static int test_session_cache_overflow(int idx)
9551 {
9552 SSL_CTX *sctx = NULL, *cctx = NULL;
9553 SSL *serverssl = NULL, *clientssl = NULL;
9554 int testresult = 0;
9555 SSL_SESSION *sess = NULL;
9556
9557 #ifdef OSSL_NO_USABLE_TLS1_3
9558 /* If no TLSv1.3 available then do nothing in this case */
9559 if (idx % 2 == 0)
9560 return TEST_skip("No TLSv1.3 available");
9561 #endif
9562 #ifdef OPENSSL_NO_TLS1_2
9563 /* If no TLSv1.2 available then do nothing in this case */
9564 if (idx % 2 == 1)
9565 return TEST_skip("No TLSv1.2 available");
9566 #endif
9567
9568 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9569 TLS_client_method(), TLS1_VERSION,
9570 (idx % 2 == 0) ? TLS1_3_VERSION
9571 : TLS1_2_VERSION,
9572 &sctx, &cctx, cert, privkey))
9573 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9574 goto end;
9575
9576 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9577 get_sess_val = NULL;
9578
9579 SSL_CTX_sess_set_cache_size(sctx, 1);
9580
9581 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9582 NULL, NULL)))
9583 goto end;
9584
9585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9586 goto end;
9587
9588 if (idx > 1) {
9589 sess = SSL_get_session(serverssl);
9590 if (!TEST_ptr(sess))
9591 goto end;
9592
9593 /*
9594 * Cause this session to have a longer timeout than the next session to
9595 * be added.
9596 */
9597 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9598 sess = NULL;
9599 goto end;
9600 }
9601 sess = NULL;
9602 }
9603
9604 SSL_shutdown(serverssl);
9605 SSL_shutdown(clientssl);
9606 SSL_free(serverssl);
9607 SSL_free(clientssl);
9608 serverssl = clientssl = NULL;
9609
9610 /*
9611 * Session cache size is 1 and we already populated the cache with a session
9612 * so the next connection should cause an overflow.
9613 */
9614
9615 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9616 NULL, NULL)))
9617 goto end;
9618
9619 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9620 goto end;
9621
9622 /*
9623 * The session we just negotiated may have been already removed from the
9624 * internal cache - but we will return it anyway from our external cache.
9625 */
9626 get_sess_val = SSL_get_session(serverssl);
9627 if (!TEST_ptr(get_sess_val))
9628 goto end;
9629 sess = SSL_get1_session(clientssl);
9630 if (!TEST_ptr(sess))
9631 goto end;
9632
9633 SSL_shutdown(serverssl);
9634 SSL_shutdown(clientssl);
9635 SSL_free(serverssl);
9636 SSL_free(clientssl);
9637 serverssl = clientssl = NULL;
9638
9639 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9640 NULL, NULL)))
9641 goto end;
9642
9643 if (!TEST_true(SSL_set_session(clientssl, sess)))
9644 goto end;
9645
9646 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9647 goto end;
9648
9649 testresult = 1;
9650
9651 end:
9652 SSL_free(serverssl);
9653 SSL_free(clientssl);
9654 SSL_CTX_free(sctx);
9655 SSL_CTX_free(cctx);
9656 SSL_SESSION_free(sess);
9657
9658 return testresult;
9659 }
9660 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9661
9662 /*
9663 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9664 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9665 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9666 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9667 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9668 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9669 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9670 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9671 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9672 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9673 */
test_servername(int tst)9674 static int test_servername(int tst)
9675 {
9676 SSL_CTX *cctx = NULL, *sctx = NULL;
9677 SSL *clientssl = NULL, *serverssl = NULL;
9678 int testresult = 0;
9679 SSL_SESSION *sess = NULL;
9680 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9681
9682 #ifdef OPENSSL_NO_TLS1_2
9683 if (tst <= 4)
9684 return 1;
9685 #endif
9686 #ifdef OSSL_NO_USABLE_TLS1_3
9687 if (tst >= 5)
9688 return 1;
9689 #endif
9690
9691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9692 TLS_client_method(),
9693 TLS1_VERSION,
9694 (tst <= 4) ? TLS1_2_VERSION
9695 : TLS1_3_VERSION,
9696 &sctx, &cctx, cert, privkey))
9697 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9698 NULL, NULL)))
9699 goto end;
9700
9701 if (tst != 1 && tst != 6) {
9702 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9703 hostname_cb)))
9704 goto end;
9705 }
9706
9707 if (tst != 3 && tst != 8) {
9708 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9709 goto end;
9710 sexpectedhost = cexpectedhost = "goodhost";
9711 }
9712
9713 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9714 goto end;
9715
9716 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9717 cexpectedhost)
9718 || !TEST_str_eq(SSL_get_servername(serverssl,
9719 TLSEXT_NAMETYPE_host_name),
9720 sexpectedhost))
9721 goto end;
9722
9723 /* Now repeat with a resumption handshake */
9724
9725 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9726 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9727 || !TEST_true(SSL_SESSION_is_resumable(sess))
9728 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9729 goto end;
9730
9731 SSL_free(clientssl);
9732 SSL_free(serverssl);
9733 clientssl = serverssl = NULL;
9734
9735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9736 NULL)))
9737 goto end;
9738
9739 if (!TEST_true(SSL_set_session(clientssl, sess)))
9740 goto end;
9741
9742 sexpectedhost = cexpectedhost = "goodhost";
9743 if (tst == 2 || tst == 7) {
9744 /* Set an inconsistent hostname */
9745 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9746 goto end;
9747 /*
9748 * In TLSv1.2 we expect the hostname from the original handshake, in
9749 * TLSv1.3 we expect the hostname from this handshake
9750 */
9751 if (tst == 7)
9752 sexpectedhost = cexpectedhost = "altgoodhost";
9753
9754 if (!TEST_str_eq(SSL_get_servername(clientssl,
9755 TLSEXT_NAMETYPE_host_name),
9756 "altgoodhost"))
9757 goto end;
9758 } else if (tst == 4 || tst == 9) {
9759 /*
9760 * A TLSv1.3 session does not associate a session with a servername,
9761 * but a TLSv1.2 session does.
9762 */
9763 if (tst == 9)
9764 sexpectedhost = cexpectedhost = NULL;
9765
9766 if (!TEST_str_eq(SSL_get_servername(clientssl,
9767 TLSEXT_NAMETYPE_host_name),
9768 cexpectedhost))
9769 goto end;
9770 } else {
9771 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9772 goto end;
9773 /*
9774 * In a TLSv1.2 resumption where the hostname was not acknowledged
9775 * we expect the hostname on the server to be empty. On the client we
9776 * return what was requested in this case.
9777 *
9778 * Similarly if the client didn't set a hostname on an original TLSv1.2
9779 * session but is now, the server hostname will be empty, but the client
9780 * is as we set it.
9781 */
9782 if (tst == 1 || tst == 3)
9783 sexpectedhost = NULL;
9784
9785 if (!TEST_str_eq(SSL_get_servername(clientssl,
9786 TLSEXT_NAMETYPE_host_name),
9787 "goodhost"))
9788 goto end;
9789 }
9790
9791 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9792 goto end;
9793
9794 if (!TEST_true(SSL_session_reused(clientssl))
9795 || !TEST_true(SSL_session_reused(serverssl))
9796 || !TEST_str_eq(SSL_get_servername(clientssl,
9797 TLSEXT_NAMETYPE_host_name),
9798 cexpectedhost)
9799 || !TEST_str_eq(SSL_get_servername(serverssl,
9800 TLSEXT_NAMETYPE_host_name),
9801 sexpectedhost))
9802 goto end;
9803
9804 testresult = 1;
9805
9806 end:
9807 SSL_SESSION_free(sess);
9808 SSL_free(serverssl);
9809 SSL_free(clientssl);
9810 SSL_CTX_free(sctx);
9811 SSL_CTX_free(cctx);
9812
9813 return testresult;
9814 }
9815
test_unknown_sigalgs_groups(void)9816 static int test_unknown_sigalgs_groups(void)
9817 {
9818 int ret = 0;
9819 SSL_CTX *ctx = NULL;
9820
9821 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9822 goto end;
9823
9824 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9825 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9826 0))
9827 goto end;
9828 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9829 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9830 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9831 goto end;
9832
9833 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9834 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9835 0))
9836 goto end;
9837 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9838 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9839 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9840 goto end;
9841
9842 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9843 "nonexistent"),
9844 0))
9845 goto end;
9846
9847 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9848 "?nonexistent1:?nonexistent2:?nonexistent3"),
9849 0))
9850 goto end;
9851
9852 #ifndef OPENSSL_NO_EC
9853 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9854 "P-256:nonexistent"),
9855 0))
9856 goto end;
9857
9858 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9859 "P-384:?nonexistent:?P-521"),
9860 0))
9861 goto end;
9862 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9863 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9864 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9865 goto end;
9866 #endif
9867
9868 ret = 1;
9869 end:
9870 SSL_CTX_free(ctx);
9871 return ret;
9872 }
9873
9874 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
test_configuration_of_groups(void)9875 static int test_configuration_of_groups(void)
9876 {
9877 int ret = 0;
9878 SSL_CTX *ctx = NULL;
9879 size_t groups_len;
9880
9881 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9882 goto end;
9883 groups_len = ctx->ext.supportedgroups_len;
9884
9885 if (!TEST_size_t_gt(groups_len, 0)
9886 || !TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0)
9887 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len))
9888 goto end;
9889
9890 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0)
9891 # if !defined(OPENSSL_NO_EC)
9892 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len - 1)
9893 # else
9894 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len)
9895 # endif
9896 )
9897 goto end;
9898
9899 # if !defined(OPENSSL_NO_EC)
9900 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0)
9901 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, 1)
9902 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1)
9903 )
9904 goto end;
9905 # endif
9906
9907 ret = 1;
9908
9909 end:
9910 SSL_CTX_free(ctx);
9911 return ret;
9912 }
9913 #endif
9914
9915 #if !defined(OPENSSL_NO_EC) \
9916 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9917 /*
9918 * Test that if signature algorithms are not available, then we do not offer or
9919 * accept them.
9920 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9921 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9922 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9923 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9924 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9925 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9926 */
test_sigalgs_available(int idx)9927 static int test_sigalgs_available(int idx)
9928 {
9929 SSL_CTX *cctx = NULL, *sctx = NULL;
9930 SSL *clientssl = NULL, *serverssl = NULL;
9931 int testresult = 0;
9932 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9933 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9934 OSSL_PROVIDER *filterprov = NULL;
9935 int sig, hash, numshared, numshared_expected, hash_expected, sig_expected;
9936 const char *sigalg_name, *signame_expected;
9937
9938 if (!TEST_ptr(tmpctx))
9939 goto end;
9940
9941 if (idx != 0 && idx != 3) {
9942 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9943 filter_provider_init)))
9944 goto end;
9945
9946 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9947 if (!TEST_ptr(filterprov))
9948 goto end;
9949
9950 if (idx < 3) {
9951 /*
9952 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9953 * or accepted for the peer that uses this libctx. Note that libssl
9954 * *requires* SHA2-256 to be available so we cannot disable that. We
9955 * also need SHA1 for our certificate.
9956 */
9957 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9958 "SHA2-256:SHA1")))
9959 goto end;
9960 } else {
9961 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9962 "ECDSA"))
9963 # ifdef OPENSSL_NO_ECX
9964 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9965 # else
9966 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9967 "EC:X25519:X448"))
9968 # endif
9969 )
9970 goto end;
9971 }
9972
9973 if (idx == 1 || idx == 4)
9974 clientctx = tmpctx;
9975 else
9976 serverctx = tmpctx;
9977 }
9978
9979 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9980 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9981 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9982 goto end;
9983
9984 /* Avoid MLKEM groups that depend on possibly filtered-out digests */
9985 if (!TEST_true(SSL_CTX_set1_groups_list(cctx,
9986 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))
9987 || !TEST_true(SSL_CTX_set1_groups_list(sctx,
9988 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")))
9989 goto end;
9990
9991 if (idx != 5) {
9992 /* RSA first server key */
9993 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9994 TLS_client_method(),
9995 TLS1_VERSION,
9996 0,
9997 &sctx, &cctx, cert, privkey)))
9998 goto end;
9999 } else {
10000 /* ECDSA P-256 first server key */
10001 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10002 TLS_client_method(),
10003 TLS1_VERSION,
10004 0,
10005 &sctx, &cctx, cert2, privkey2)))
10006 goto end;
10007 }
10008
10009 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
10010 if (idx < 4) {
10011 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10012 "ECDHE-RSA-AES128-GCM-SHA256")))
10013 goto end;
10014 } else {
10015 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10016 "ECDHE-ECDSA-AES128-GCM-SHA256")))
10017 goto end;
10018 }
10019
10020 if (idx < 3) {
10021 if (!SSL_CTX_set1_sigalgs_list(cctx,
10022 "rsa_pss_rsae_sha384"
10023 ":rsa_pss_rsae_sha256")
10024 || !SSL_CTX_set1_sigalgs_list(sctx,
10025 "rsa_pss_rsae_sha384"
10026 ":rsa_pss_rsae_sha256"))
10027 goto end;
10028 } else {
10029 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
10030 || !SSL_CTX_set1_sigalgs_list(sctx,
10031 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
10032 goto end;
10033 }
10034
10035 /* ECDSA P-256 second server key, unless already first */
10036 if (idx != 5
10037 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
10038 SSL_FILETYPE_PEM), 1)
10039 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10040 privkey2,
10041 SSL_FILETYPE_PEM), 1)
10042 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
10043 goto end;
10044
10045 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10046 NULL, NULL)))
10047 goto end;
10048
10049 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10050 goto end;
10051
10052 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
10053 numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash,
10054 NULL, NULL, NULL);
10055 numshared_expected = 1;
10056 hash_expected = NID_sha256;
10057 sig_expected = NID_rsassaPss;
10058 signame_expected = "rsa_pss_rsae_sha256";
10059 switch (idx) {
10060 case 0:
10061 hash_expected = NID_sha384;
10062 signame_expected = "rsa_pss_rsae_sha384";
10063 /* FALLTHROUGH */
10064 case 3:
10065 numshared_expected = 2;
10066 break;
10067 case 4:
10068 case 5:
10069 sig_expected = EVP_PKEY_EC;
10070 signame_expected = "ecdsa_secp256r1_sha256";
10071 break;
10072 }
10073 if (!TEST_int_eq(numshared, numshared_expected)
10074 || !TEST_int_eq(hash, hash_expected)
10075 || !TEST_int_eq(sig, sig_expected)
10076 || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10077 || !TEST_ptr(sigalg_name)
10078 || !TEST_str_eq(sigalg_name, signame_expected))
10079 goto end;
10080
10081 testresult = filter_provider_check_clean_finish();
10082
10083 end:
10084 SSL_free(serverssl);
10085 SSL_free(clientssl);
10086 SSL_CTX_free(sctx);
10087 SSL_CTX_free(cctx);
10088 OSSL_PROVIDER_unload(filterprov);
10089 OSSL_LIB_CTX_free(tmpctx);
10090
10091 return testresult;
10092 }
10093 #endif /*
10094 * !defined(OPENSSL_NO_EC) \
10095 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10096 */
10097
10098 #ifndef OPENSSL_NO_TLS1_3
10099 /* This test can run in TLSv1.3 even if ec and dh are disabled */
test_pluggable_group(int idx)10100 static int test_pluggable_group(int idx)
10101 {
10102 SSL_CTX *cctx = NULL, *sctx = NULL;
10103 SSL *clientssl = NULL, *serverssl = NULL;
10104 int testresult = 0;
10105 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10106 /* Check that we are not impacted by a provider without any groups */
10107 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
10108 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
10109
10110 if (!TEST_ptr(tlsprov))
10111 goto end;
10112
10113 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10114 TLS_client_method(),
10115 TLS1_3_VERSION,
10116 TLS1_3_VERSION,
10117 &sctx, &cctx, cert, privkey))
10118 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10119 NULL, NULL)))
10120 goto end;
10121
10122 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
10123 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
10124 /* removing a single algorithm from the list makes the test pass */
10125 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
10126 goto end;
10127
10128 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10129 goto end;
10130
10131 if (!TEST_str_eq(group_name,
10132 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
10133 goto end;
10134
10135 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
10136 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
10137 goto end;
10138
10139 testresult = 1;
10140
10141 end:
10142 SSL_free(serverssl);
10143 SSL_free(clientssl);
10144 SSL_CTX_free(sctx);
10145 SSL_CTX_free(cctx);
10146 OSSL_PROVIDER_unload(tlsprov);
10147 OSSL_PROVIDER_unload(legacyprov);
10148
10149 return testresult;
10150 }
10151
10152 /*
10153 * This function triggers encode, decode and sign functions
10154 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
10155 * creating private key and certificate files for use in TLS testing.
10156 */
create_cert_key(int idx,char * certfilename,char * privkeyfilename)10157 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
10158 {
10159 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
10160 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
10161 EVP_PKEY *pkey = NULL;
10162 X509 *x509 = X509_new();
10163 X509_NAME *name = NULL;
10164 BIO *keybio = NULL, *certbio = NULL;
10165 int ret = 1;
10166
10167 if (!TEST_ptr(evpctx)
10168 || !TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0)
10169 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
10170 || !TEST_ptr(pkey)
10171 || !TEST_ptr(x509)
10172 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
10173 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
10174 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
10175 || !TEST_true(X509_set_pubkey(x509, pkey))
10176 || !TEST_ptr(name = X509_get_subject_name(x509))
10177 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
10178 (unsigned char *)"CH", -1, -1, 0))
10179 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
10180 (unsigned char *)"test.org", -1, -1, 0))
10181 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10182 (unsigned char *)"localhost", -1, -1, 0))
10183 || !TEST_true(X509_set_issuer_name(x509, name))
10184 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10185 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10186 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10187 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10188 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10189 ret = 0;
10190
10191 EVP_PKEY_free(pkey);
10192 X509_free(x509);
10193 EVP_PKEY_CTX_free(evpctx);
10194 BIO_free(keybio);
10195 BIO_free(certbio);
10196 return ret;
10197 }
10198
10199 /*
10200 * Test that signature algorithms loaded via the provider interface can
10201 * correctly establish a TLS (1.3) connection.
10202 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10203 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10204 * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
10205 * Test 3: Test 0 using RPK
10206 * Test 4: Test 1 using RPK
10207 * Test 5: Test 2 using RPK
10208 */
test_pluggable_signature(int idx)10209 static int test_pluggable_signature(int idx)
10210 {
10211 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10212 SSL_CTX *cctx = NULL, *sctx = NULL;
10213 SSL *clientssl = NULL, *serverssl = NULL;
10214 int testresult = 0;
10215 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10216 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10217 char *certfilename = "tls-prov-cert.pem";
10218 char *privkeyfilename = "tls-prov-key.pem";
10219 const char *sigalg_name = NULL, *expected_sigalg_name;
10220 int sigidx = idx % 3;
10221 int rpkidx = idx / 3;
10222 int do_conf_cmd = 0;
10223
10224 if (sigidx == 2) {
10225 sigidx = 0;
10226 do_conf_cmd = 1;
10227 }
10228
10229 /* See create_cert_key() above */
10230 expected_sigalg_name = (sigidx == 0) ? "xorhmacsig" : "xorhmacsha2sig";
10231
10232 /* create key and certificate for the different algorithm types */
10233 if (!TEST_ptr(tlsprov)
10234 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10235 goto end;
10236
10237 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10238 TLS_client_method(),
10239 TLS1_3_VERSION,
10240 TLS1_3_VERSION,
10241 &sctx, &cctx, NULL, NULL)))
10242 goto end;
10243
10244 if (do_conf_cmd) {
10245 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
10246
10247 if (!TEST_ptr(confctx))
10248 goto end;
10249 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
10250 | SSL_CONF_FLAG_SERVER
10251 | SSL_CONF_FLAG_CERTIFICATE
10252 | SSL_CONF_FLAG_REQUIRE_PRIVATE
10253 | SSL_CONF_FLAG_SHOW_ERRORS);
10254 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
10255 if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
10256 || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
10257 || !TEST_true(SSL_CONF_CTX_finish(confctx))) {
10258 SSL_CONF_CTX_free(confctx);
10259 goto end;
10260 }
10261 SSL_CONF_CTX_free(confctx);
10262 } else {
10263 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
10264 SSL_FILETYPE_PEM), 1)
10265 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10266 privkeyfilename,
10267 SSL_FILETYPE_PEM), 1))
10268 goto end;
10269 }
10270 if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
10271 goto end;
10272
10273 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10274 NULL, NULL)))
10275 goto end;
10276
10277 /* Enable RPK for server cert */
10278 if (rpkidx) {
10279 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10280 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10281 goto end;
10282 }
10283
10284 /* This is necessary to pass minimal setup w/o other groups configured */
10285 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10286 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10287 goto end;
10288
10289 /*
10290 * If this connection gets established, it must have been completed
10291 * via the tls-provider-implemented "hmacsig" algorithm, testing
10292 * both sign and verify functions during handshake.
10293 */
10294 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10295 goto end;
10296
10297 /* If using RPK, make sure we got one */
10298 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10299 goto end;
10300
10301 if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10302 || !TEST_str_eq(sigalg_name, expected_sigalg_name)
10303 || !TEST_ptr(sigalg_name))
10304 goto end;
10305
10306 testresult = 1;
10307
10308 end:
10309 SSL_free(serverssl);
10310 SSL_free(clientssl);
10311 SSL_CTX_free(sctx);
10312 SSL_CTX_free(cctx);
10313 OSSL_PROVIDER_unload(tlsprov);
10314 OSSL_PROVIDER_unload(defaultprov);
10315
10316 return testresult;
10317 }
10318 #endif
10319
10320 #ifndef OPENSSL_NO_TLS1_2
test_ssl_dup(void)10321 static int test_ssl_dup(void)
10322 {
10323 SSL_CTX *cctx = NULL, *sctx = NULL;
10324 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10325 int testresult = 0;
10326 BIO *rbio = NULL, *wbio = NULL;
10327
10328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10329 TLS_client_method(),
10330 0,
10331 0,
10332 &sctx, &cctx, cert, privkey)))
10333 goto end;
10334
10335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10336 NULL, NULL)))
10337 goto end;
10338
10339 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10340 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10341 goto end;
10342
10343 client2ssl = SSL_dup(clientssl);
10344 rbio = SSL_get_rbio(clientssl);
10345 if (!TEST_ptr(rbio)
10346 || !TEST_true(BIO_up_ref(rbio)))
10347 goto end;
10348 SSL_set0_rbio(client2ssl, rbio);
10349 rbio = NULL;
10350
10351 wbio = SSL_get_wbio(clientssl);
10352 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10353 goto end;
10354 SSL_set0_wbio(client2ssl, wbio);
10355 rbio = NULL;
10356
10357 if (!TEST_ptr(client2ssl)
10358 /* Handshake not started so pointers should be different */
10359 || !TEST_ptr_ne(clientssl, client2ssl))
10360 goto end;
10361
10362 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10363 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10364 goto end;
10365
10366 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10367 goto end;
10368
10369 SSL_free(clientssl);
10370 clientssl = SSL_dup(client2ssl);
10371 if (!TEST_ptr(clientssl)
10372 /* Handshake has finished so pointers should be the same */
10373 || !TEST_ptr_eq(clientssl, client2ssl))
10374 goto end;
10375
10376 testresult = 1;
10377
10378 end:
10379 SSL_free(serverssl);
10380 SSL_free(clientssl);
10381 SSL_free(client2ssl);
10382 SSL_CTX_free(sctx);
10383 SSL_CTX_free(cctx);
10384
10385 return testresult;
10386 }
10387
secret_cb(SSL * s,void * secretin,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)10388 static int secret_cb(SSL *s, void *secretin, int *secret_len,
10389 STACK_OF(SSL_CIPHER) *peer_ciphers,
10390 const SSL_CIPHER **cipher, void *arg)
10391 {
10392 int i;
10393 unsigned char *secret = secretin;
10394
10395 /* Just use a fixed master secret */
10396 for (i = 0; i < *secret_len; i++)
10397 secret[i] = 0xff;
10398
10399 /* We don't set a preferred cipher */
10400
10401 return 1;
10402 }
10403
10404 /*
10405 * Test the session_secret_cb which is designed for use with EAP-FAST
10406 */
test_session_secret_cb(void)10407 static int test_session_secret_cb(void)
10408 {
10409 SSL_CTX *cctx = NULL, *sctx = NULL;
10410 SSL *clientssl = NULL, *serverssl = NULL;
10411 SSL_SESSION *secret_sess = NULL;
10412 int testresult = 0;
10413
10414 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10415 TLS_client_method(),
10416 0,
10417 0,
10418 &sctx, &cctx, cert, privkey)))
10419 goto end;
10420
10421 /* Create an initial connection and save the session */
10422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10423 NULL, NULL)))
10424 goto end;
10425
10426 /* session_secret_cb does not support TLSv1.3 */
10427 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10428 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10429 goto end;
10430
10431 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10432 goto end;
10433
10434 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10435 goto end;
10436
10437 shutdown_ssl_connection(serverssl, clientssl);
10438 serverssl = clientssl = NULL;
10439
10440 /* Resume the earlier session */
10441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10442 NULL, NULL)))
10443 goto end;
10444
10445 /*
10446 * No session ids for EAP-FAST - otherwise the state machine gets very
10447 * confused.
10448 */
10449 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10450 goto end;
10451
10452 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10453 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10454 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10455 NULL))
10456 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10457 NULL))
10458 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10459 goto end;
10460
10461 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10462 goto end;
10463
10464 testresult = 1;
10465
10466 end:
10467 SSL_SESSION_free(secret_sess);
10468 SSL_free(serverssl);
10469 SSL_free(clientssl);
10470 SSL_CTX_free(sctx);
10471 SSL_CTX_free(cctx);
10472
10473 return testresult;
10474 }
10475
10476 # ifndef OPENSSL_NO_DH
10477
10478 static EVP_PKEY *tmp_dh_params = NULL;
10479
10480 /* Helper function for the test_set_tmp_dh() tests */
get_tmp_dh_params(void)10481 static EVP_PKEY *get_tmp_dh_params(void)
10482 {
10483 if (tmp_dh_params == NULL) {
10484 BIGNUM *p = NULL;
10485 OSSL_PARAM_BLD *tmpl = NULL;
10486 EVP_PKEY_CTX *pctx = NULL;
10487 OSSL_PARAM *params = NULL;
10488 EVP_PKEY *dhpkey = NULL;
10489
10490 p = BN_get_rfc3526_prime_2048(NULL);
10491 if (!TEST_ptr(p))
10492 goto end;
10493
10494 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10495 if (!TEST_ptr(pctx)
10496 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10497 goto end;
10498
10499 tmpl = OSSL_PARAM_BLD_new();
10500 if (!TEST_ptr(tmpl)
10501 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10502 OSSL_PKEY_PARAM_FFC_P,
10503 p))
10504 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10505 OSSL_PKEY_PARAM_FFC_G,
10506 2)))
10507 goto end;
10508
10509 params = OSSL_PARAM_BLD_to_param(tmpl);
10510 if (!TEST_ptr(params)
10511 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10512 EVP_PKEY_KEY_PARAMETERS,
10513 params), 1))
10514 goto end;
10515
10516 tmp_dh_params = dhpkey;
10517 end:
10518 BN_free(p);
10519 EVP_PKEY_CTX_free(pctx);
10520 OSSL_PARAM_BLD_free(tmpl);
10521 OSSL_PARAM_free(params);
10522 }
10523
10524 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10525 return NULL;
10526
10527 return tmp_dh_params;
10528 }
10529
10530 # ifndef OPENSSL_NO_DEPRECATED_3_0
10531 /* Callback used by test_set_tmp_dh() */
tmp_dh_callback(SSL * s,int is_export,int keylen)10532 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10533 {
10534 EVP_PKEY *dhpkey = get_tmp_dh_params();
10535 DH *ret = NULL;
10536
10537 if (!TEST_ptr(dhpkey))
10538 return NULL;
10539
10540 /*
10541 * libssl does not free the returned DH, so we free it now knowing that even
10542 * after we free dhpkey, there will still be a reference to the owning
10543 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10544 * of time we need it for.
10545 */
10546 ret = EVP_PKEY_get1_DH(dhpkey);
10547 DH_free(ret);
10548
10549 EVP_PKEY_free(dhpkey);
10550
10551 return ret;
10552 }
10553 # endif
10554
10555 /*
10556 * Test the various methods for setting temporary DH parameters
10557 *
10558 * Test 0: Default (no auto) setting
10559 * Test 1: Explicit SSL_CTX auto off
10560 * Test 2: Explicit SSL auto off
10561 * Test 3: Explicit SSL_CTX auto on
10562 * Test 4: Explicit SSL auto on
10563 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10564 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10565 *
10566 * The following are testing deprecated APIs, so we only run them if available
10567 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10568 * Test 8: Explicit SSL auto off, custom DH params via DH
10569 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10570 * Test 10: Explicit SSL auto off, custom DH params via callback
10571 */
test_set_tmp_dh(int idx)10572 static int test_set_tmp_dh(int idx)
10573 {
10574 SSL_CTX *cctx = NULL, *sctx = NULL;
10575 SSL *clientssl = NULL, *serverssl = NULL;
10576 int testresult = 0;
10577 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10578 int expected = (idx <= 2) ? 0 : 1;
10579 EVP_PKEY *dhpkey = NULL;
10580 # ifndef OPENSSL_NO_DEPRECATED_3_0
10581 DH *dh = NULL;
10582 # else
10583
10584 if (idx >= 7)
10585 return 1;
10586 # endif
10587
10588 if (idx >= 5 && idx <= 8) {
10589 dhpkey = get_tmp_dh_params();
10590 if (!TEST_ptr(dhpkey))
10591 goto end;
10592 }
10593 # ifndef OPENSSL_NO_DEPRECATED_3_0
10594 if (idx == 7 || idx == 8) {
10595 dh = EVP_PKEY_get1_DH(dhpkey);
10596 if (!TEST_ptr(dh))
10597 goto end;
10598 }
10599 # endif
10600
10601 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10602 TLS_client_method(),
10603 0,
10604 0,
10605 &sctx, &cctx, cert, privkey)))
10606 goto end;
10607
10608 if ((idx & 1) == 1) {
10609 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10610 goto end;
10611 }
10612
10613 if (idx == 5) {
10614 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10615 goto end;
10616 dhpkey = NULL;
10617 }
10618 # ifndef OPENSSL_NO_DEPRECATED_3_0
10619 else if (idx == 7) {
10620 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10621 goto end;
10622 } else if (idx == 9) {
10623 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10624 }
10625 # endif
10626
10627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10628 NULL, NULL)))
10629 goto end;
10630
10631 if ((idx & 1) == 0 && idx != 0) {
10632 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10633 goto end;
10634 }
10635 if (idx == 6) {
10636 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10637 goto end;
10638 dhpkey = NULL;
10639 }
10640 # ifndef OPENSSL_NO_DEPRECATED_3_0
10641 else if (idx == 8) {
10642 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10643 goto end;
10644 } else if (idx == 10) {
10645 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10646 }
10647 # endif
10648
10649 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10650 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10651 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10652 goto end;
10653
10654 /*
10655 * If autoon then we should succeed. Otherwise we expect failure because
10656 * there are no parameters
10657 */
10658 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10659 SSL_ERROR_NONE), expected))
10660 goto end;
10661
10662 testresult = 1;
10663
10664 end:
10665 # ifndef OPENSSL_NO_DEPRECATED_3_0
10666 DH_free(dh);
10667 # endif
10668 SSL_free(serverssl);
10669 SSL_free(clientssl);
10670 SSL_CTX_free(sctx);
10671 SSL_CTX_free(cctx);
10672 EVP_PKEY_free(dhpkey);
10673
10674 return testresult;
10675 }
10676
10677 /*
10678 * Test the auto DH keys are appropriately sized
10679 */
test_dh_auto(int idx)10680 static int test_dh_auto(int idx)
10681 {
10682 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10683 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10684 SSL *clientssl = NULL, *serverssl = NULL;
10685 int testresult = 0;
10686 EVP_PKEY *tmpkey = NULL;
10687 char *thiscert = NULL, *thiskey = NULL;
10688 size_t expdhsize = 0;
10689 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10690
10691 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10692 goto end;
10693
10694 switch (idx) {
10695 case 0:
10696 /* The FIPS provider doesn't support this DH size - so we ignore it */
10697 if (is_fips) {
10698 testresult = 1;
10699 goto end;
10700 }
10701 thiscert = cert1024;
10702 thiskey = privkey1024;
10703 expdhsize = 1024;
10704 SSL_CTX_set_security_level(sctx, 1);
10705 SSL_CTX_set_security_level(cctx, 1);
10706 break;
10707 case 1:
10708 /* 2048 bit prime */
10709 thiscert = cert;
10710 thiskey = privkey;
10711 expdhsize = 2048;
10712 break;
10713 case 2:
10714 thiscert = cert3072;
10715 thiskey = privkey3072;
10716 expdhsize = 3072;
10717 break;
10718 case 3:
10719 thiscert = cert4096;
10720 thiskey = privkey4096;
10721 expdhsize = 4096;
10722 break;
10723 case 4:
10724 thiscert = cert8192;
10725 thiskey = privkey8192;
10726 expdhsize = 8192;
10727 break;
10728 /* No certificate cases */
10729 case 5:
10730 /* The FIPS provider doesn't support this DH size - so we ignore it */
10731 if (is_fips) {
10732 testresult = 1;
10733 goto end;
10734 }
10735 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10736 expdhsize = 1024;
10737 break;
10738 case 6:
10739 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10740 expdhsize = 3072;
10741 break;
10742 default:
10743 TEST_error("Invalid text index");
10744 goto end;
10745 }
10746
10747 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10748 NULL,
10749 0,
10750 0,
10751 &sctx, &cctx, thiscert, thiskey)))
10752 goto end;
10753
10754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10755 NULL, NULL)))
10756 goto end;
10757
10758 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10759 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10760 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10761 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10762 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10763 goto end;
10764
10765 /*
10766 * Send the server's first flight. At this point the server has created the
10767 * temporary DH key but hasn't finished using it yet. Once used it is
10768 * removed, so we cannot test it.
10769 */
10770 if (!TEST_int_le(SSL_connect(clientssl), 0)
10771 || !TEST_int_le(SSL_accept(serverssl), 0))
10772 goto end;
10773
10774 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10775 goto end;
10776 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10777 goto end;
10778
10779 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10780 goto end;
10781
10782 testresult = 1;
10783
10784 end:
10785 SSL_free(serverssl);
10786 SSL_free(clientssl);
10787 SSL_CTX_free(sctx);
10788 SSL_CTX_free(cctx);
10789 EVP_PKEY_free(tmpkey);
10790
10791 return testresult;
10792
10793 }
10794 # endif /* OPENSSL_NO_DH */
10795 #endif /* OPENSSL_NO_TLS1_2 */
10796
10797 #ifndef OSSL_NO_USABLE_TLS1_3
10798 /*
10799 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10800 * that it works even without a certificate configured for the original
10801 * SSL_CTX
10802 */
test_sni_tls13(void)10803 static int test_sni_tls13(void)
10804 {
10805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10806 SSL *clientssl = NULL, *serverssl = NULL;
10807 int testresult = 0;
10808
10809 /* Reset callback counter */
10810 snicb = 0;
10811
10812 /* Create an initial SSL_CTX with no certificate configured */
10813 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10814 if (!TEST_ptr(sctx))
10815 goto end;
10816 /* Require TLSv1.3 as a minimum */
10817 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10818 TLS_client_method(), TLS1_3_VERSION, 0,
10819 &sctx2, &cctx, cert, privkey)))
10820 goto end;
10821
10822 /* Set up SNI */
10823 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10824 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10825 goto end;
10826
10827 /*
10828 * Connection should still succeed because the final SSL_CTX has the right
10829 * certificates configured.
10830 */
10831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10832 &clientssl, NULL, NULL))
10833 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10834 SSL_ERROR_NONE)))
10835 goto end;
10836
10837 /* We should have had the SNI callback called exactly once */
10838 if (!TEST_int_eq(snicb, 1))
10839 goto end;
10840
10841 testresult = 1;
10842
10843 end:
10844 SSL_free(serverssl);
10845 SSL_free(clientssl);
10846 SSL_CTX_free(sctx2);
10847 SSL_CTX_free(sctx);
10848 SSL_CTX_free(cctx);
10849 return testresult;
10850 }
10851
10852 /*
10853 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10854 * 0 = TLSv1.2
10855 * 1 = TLSv1.3
10856 */
test_ticket_lifetime(int idx)10857 static int test_ticket_lifetime(int idx)
10858 {
10859 SSL_CTX *cctx = NULL, *sctx = NULL;
10860 SSL *clientssl = NULL, *serverssl = NULL;
10861 int testresult = 0;
10862 int version = TLS1_3_VERSION;
10863
10864 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10865 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10866
10867 if (idx == 0) {
10868 #ifdef OPENSSL_NO_TLS1_2
10869 return TEST_skip("TLS 1.2 is disabled.");
10870 #else
10871 version = TLS1_2_VERSION;
10872 #endif
10873 }
10874
10875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10876 TLS_client_method(), version, version,
10877 &sctx, &cctx, cert, privkey)))
10878 goto end;
10879
10880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10881 &clientssl, NULL, NULL)))
10882 goto end;
10883
10884 /*
10885 * Set the timeout to be more than 1 week
10886 * make sure the returned value is the default
10887 */
10888 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10889 SSL_get_default_timeout(serverssl)))
10890 goto end;
10891
10892 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10893 goto end;
10894
10895 if (idx == 0) {
10896 /* TLSv1.2 uses the set value */
10897 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10898 goto end;
10899 } else {
10900 /* TLSv1.3 uses the limited value */
10901 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10902 goto end;
10903 }
10904 testresult = 1;
10905
10906 end:
10907 SSL_free(serverssl);
10908 SSL_free(clientssl);
10909 SSL_CTX_free(sctx);
10910 SSL_CTX_free(cctx);
10911 return testresult;
10912 }
10913 #endif
10914 /*
10915 * Test that setting an ALPN does not violate RFC
10916 */
test_set_alpn(void)10917 static int test_set_alpn(void)
10918 {
10919 SSL_CTX *ctx = NULL;
10920 SSL *ssl = NULL;
10921 int testresult = 0;
10922
10923 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10924 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10925 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10926 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10927 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10928 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10929
10930 /* Create an initial SSL_CTX with no certificate configured */
10931 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10932 if (!TEST_ptr(ctx))
10933 goto end;
10934
10935 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10936 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10937 goto end;
10938 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10939 goto end;
10940 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10941 goto end;
10942 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10943 goto end;
10944 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10945 goto end;
10946 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10947 goto end;
10948 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10949 goto end;
10950 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10951 goto end;
10952 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10953 goto end;
10954
10955 ssl = SSL_new(ctx);
10956 if (!TEST_ptr(ssl))
10957 goto end;
10958
10959 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10960 goto end;
10961 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10962 goto end;
10963 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10964 goto end;
10965 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10966 goto end;
10967 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10968 goto end;
10969 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10970 goto end;
10971 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10972 goto end;
10973 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10974 goto end;
10975 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10976 goto end;
10977
10978 testresult = 1;
10979
10980 end:
10981 SSL_free(ssl);
10982 SSL_CTX_free(ctx);
10983 return testresult;
10984 }
10985
10986 /*
10987 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10988 */
test_set_verify_cert_store_ssl_ctx(void)10989 static int test_set_verify_cert_store_ssl_ctx(void)
10990 {
10991 SSL_CTX *ctx = NULL;
10992 int testresult = 0;
10993 X509_STORE *store = NULL, *new_store = NULL,
10994 *cstore = NULL, *new_cstore = NULL;
10995
10996 /* Create an initial SSL_CTX. */
10997 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10998 if (!TEST_ptr(ctx))
10999 goto end;
11000
11001 /* Retrieve verify store pointer. */
11002 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11003 goto end;
11004
11005 /* Retrieve chain store pointer. */
11006 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11007 goto end;
11008
11009 /* We haven't set any yet, so this should be NULL. */
11010 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11011 goto end;
11012
11013 /* Create stores. We use separate stores so pointers are different. */
11014 new_store = X509_STORE_new();
11015 if (!TEST_ptr(new_store))
11016 goto end;
11017
11018 new_cstore = X509_STORE_new();
11019 if (!TEST_ptr(new_cstore))
11020 goto end;
11021
11022 /* Set stores. */
11023 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
11024 goto end;
11025
11026 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
11027 goto end;
11028
11029 /* Should be able to retrieve the same pointer. */
11030 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11031 goto end;
11032
11033 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11034 goto end;
11035
11036 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11037 goto end;
11038
11039 /* Should be able to unset again. */
11040 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
11041 goto end;
11042
11043 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
11044 goto end;
11045
11046 /* Should now be NULL. */
11047 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11048 goto end;
11049
11050 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11051 goto end;
11052
11053 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11054 goto end;
11055
11056 testresult = 1;
11057
11058 end:
11059 X509_STORE_free(new_store);
11060 X509_STORE_free(new_cstore);
11061 SSL_CTX_free(ctx);
11062 return testresult;
11063 }
11064
11065 /*
11066 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
11067 */
test_set_verify_cert_store_ssl(void)11068 static int test_set_verify_cert_store_ssl(void)
11069 {
11070 SSL_CTX *ctx = NULL;
11071 SSL *ssl = NULL;
11072 int testresult = 0;
11073 X509_STORE *store = NULL, *new_store = NULL,
11074 *cstore = NULL, *new_cstore = NULL;
11075
11076 /* Create an initial SSL_CTX. */
11077 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11078 if (!TEST_ptr(ctx))
11079 goto end;
11080
11081 /* Create an SSL object. */
11082 ssl = SSL_new(ctx);
11083 if (!TEST_ptr(ssl))
11084 goto end;
11085
11086 /* Retrieve verify store pointer. */
11087 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11088 goto end;
11089
11090 /* Retrieve chain store pointer. */
11091 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11092 goto end;
11093
11094 /* We haven't set any yet, so this should be NULL. */
11095 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11096 goto end;
11097
11098 /* Create stores. We use separate stores so pointers are different. */
11099 new_store = X509_STORE_new();
11100 if (!TEST_ptr(new_store))
11101 goto end;
11102
11103 new_cstore = X509_STORE_new();
11104 if (!TEST_ptr(new_cstore))
11105 goto end;
11106
11107 /* Set stores. */
11108 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
11109 goto end;
11110
11111 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
11112 goto end;
11113
11114 /* Should be able to retrieve the same pointer. */
11115 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11116 goto end;
11117
11118 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11119 goto end;
11120
11121 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11122 goto end;
11123
11124 /* Should be able to unset again. */
11125 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
11126 goto end;
11127
11128 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
11129 goto end;
11130
11131 /* Should now be NULL. */
11132 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11133 goto end;
11134
11135 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11136 goto end;
11137
11138 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11139 goto end;
11140
11141 testresult = 1;
11142
11143 end:
11144 X509_STORE_free(new_store);
11145 X509_STORE_free(new_cstore);
11146 SSL_free(ssl);
11147 SSL_CTX_free(ctx);
11148 return testresult;
11149 }
11150
11151
test_inherit_verify_param(void)11152 static int test_inherit_verify_param(void)
11153 {
11154 int testresult = 0;
11155
11156 SSL_CTX *ctx = NULL;
11157 X509_VERIFY_PARAM *cp = NULL;
11158 SSL *ssl = NULL;
11159 X509_VERIFY_PARAM *sp = NULL;
11160 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
11161
11162 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11163 if (!TEST_ptr(ctx))
11164 goto end;
11165
11166 cp = SSL_CTX_get0_param(ctx);
11167 if (!TEST_ptr(cp))
11168 goto end;
11169 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
11170 goto end;
11171
11172 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
11173
11174 ssl = SSL_new(ctx);
11175 if (!TEST_ptr(ssl))
11176 goto end;
11177
11178 sp = SSL_get0_param(ssl);
11179 if (!TEST_ptr(sp))
11180 goto end;
11181 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
11182 goto end;
11183
11184 testresult = 1;
11185
11186 end:
11187 SSL_free(ssl);
11188 SSL_CTX_free(ctx);
11189
11190 return testresult;
11191 }
11192
test_load_dhfile(void)11193 static int test_load_dhfile(void)
11194 {
11195 #ifndef OPENSSL_NO_DH
11196 int testresult = 0;
11197
11198 SSL_CTX *ctx = NULL;
11199 SSL_CONF_CTX *cctx = NULL;
11200
11201 if (dhfile == NULL)
11202 return 1;
11203
11204 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
11205 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
11206 goto end;
11207
11208 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
11209 SSL_CONF_CTX_set_flags(cctx,
11210 SSL_CONF_FLAG_CERTIFICATE
11211 | SSL_CONF_FLAG_SERVER
11212 | SSL_CONF_FLAG_FILE);
11213
11214 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
11215 goto end;
11216
11217 testresult = 1;
11218 end:
11219 SSL_CONF_CTX_free(cctx);
11220 SSL_CTX_free(ctx);
11221
11222 return testresult;
11223 #else
11224 return TEST_skip("DH not supported by this build");
11225 #endif
11226 }
11227
11228 #ifndef OSSL_NO_USABLE_TLS1_3
11229 /* Test that read_ahead works across a key change */
test_read_ahead_key_change(void)11230 static int test_read_ahead_key_change(void)
11231 {
11232 SSL_CTX *cctx = NULL, *sctx = NULL;
11233 SSL *clientssl = NULL, *serverssl = NULL;
11234 int testresult = 0;
11235 char *msg = "Hello World";
11236 size_t written, readbytes;
11237 char buf[80];
11238 int i;
11239
11240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11241 TLS_client_method(), TLS1_3_VERSION, 0,
11242 &sctx, &cctx, cert, privkey)))
11243 goto end;
11244
11245 SSL_CTX_set_read_ahead(sctx, 1);
11246
11247 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11248 &clientssl, NULL, NULL)))
11249 goto end;
11250
11251 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11252 goto end;
11253
11254 /* Write some data, send a key update, write more data */
11255 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11256 || !TEST_size_t_eq(written, strlen(msg)))
11257 goto end;
11258
11259 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11260 goto end;
11261
11262 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11263 || !TEST_size_t_eq(written, strlen(msg)))
11264 goto end;
11265
11266 /*
11267 * Since read_ahead is on the first read below should read the record with
11268 * the first app data, the second record with the key update message, and
11269 * the third record with the app data all in one go. We should be able to
11270 * still process the read_ahead data correctly even though it crosses
11271 * epochs
11272 */
11273 for (i = 0; i < 2; i++) {
11274 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11275 &readbytes)))
11276 goto end;
11277
11278 buf[readbytes] = '\0';
11279 if (!TEST_str_eq(buf, msg))
11280 goto end;
11281 }
11282
11283 testresult = 1;
11284
11285 end:
11286 SSL_free(serverssl);
11287 SSL_free(clientssl);
11288 SSL_CTX_free(sctx);
11289 SSL_CTX_free(cctx);
11290 return testresult;
11291 }
11292
record_pad_cb(SSL * s,int type,size_t len,void * arg)11293 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11294 {
11295 int *called = arg;
11296
11297 switch ((*called)++) {
11298 case 0:
11299 /* Add some padding to first record */
11300 return 512;
11301 case 1:
11302 /* Maximally pad the second record */
11303 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11304 case 2:
11305 /*
11306 * Exceeding the maximum padding should be fine. It should just pad to
11307 * the maximum anyway
11308 */
11309 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11310 case 3:
11311 /*
11312 * Very large padding should also be ok. Should just pad to the maximum
11313 * allowed
11314 */
11315 return SIZE_MAX;
11316 default:
11317 return 0;
11318 }
11319 }
11320
11321 /*
11322 * Test that setting record padding in TLSv1.3 works as expected
11323 * Test 0: Record padding callback on the SSL_CTX
11324 * Test 1: Record padding callback on the SSL
11325 * Test 2: Record block padding on the SSL_CTX
11326 * Test 3: Record block padding on the SSL
11327 * Test 4: Extended record block padding on the SSL_CTX
11328 * Test 5: Extended record block padding on the SSL
11329 */
test_tls13_record_padding(int idx)11330 static int test_tls13_record_padding(int idx)
11331 {
11332 SSL_CTX *cctx = NULL, *sctx = NULL;
11333 SSL *clientssl = NULL, *serverssl = NULL;
11334 int testresult = 0;
11335 char *msg = "Hello World";
11336 size_t written, readbytes;
11337 char buf[80];
11338 int i;
11339 int called = 0;
11340
11341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11342 TLS_client_method(), TLS1_3_VERSION, 0,
11343 &sctx, &cctx, cert, privkey)))
11344 goto end;
11345
11346 if (idx == 0) {
11347 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11348 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11349 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11350 goto end;
11351 } else if (idx == 2) {
11352 /* Exceeding the max plain length should fail */
11353 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11354 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11355 goto end;
11356 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11357 goto end;
11358 } else if (idx == 4) {
11359 /* pad only handshake/alert messages */
11360 if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
11361 goto end;
11362 }
11363
11364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11365 &clientssl, NULL, NULL)))
11366 goto end;
11367
11368 if (idx == 1) {
11369 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11370 SSL_set_record_padding_callback_arg(clientssl, &called);
11371 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11372 goto end;
11373 } else if (idx == 3) {
11374 /* Exceeding the max plain length should fail */
11375 if (!TEST_false(SSL_set_block_padding(clientssl,
11376 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11377 goto end;
11378 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11379 goto end;
11380 } else if (idx == 5) {
11381 /* Exceeding the max plain length should fail */
11382 if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0,
11383 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11384 goto end;
11385 /* pad server and client handshake only */
11386 if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512)))
11387 goto end;
11388 if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512)))
11389 goto end;
11390 }
11391
11392 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11393 goto end;
11394
11395 called = 0;
11396 /*
11397 * Write some data, then check we can read it. Do this four times to check
11398 * we can continue to write and read padded data after the initial record
11399 * padding has been added. We don't actually check that the padding has
11400 * been applied to the record - just that we can continue to communicate
11401 * normally and that the callback has been called (if appropriate).
11402 */
11403 for (i = 0; i < 4; i++) {
11404 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11405 || !TEST_size_t_eq(written, strlen(msg)))
11406 goto end;
11407
11408 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11409 &readbytes))
11410 || !TEST_size_t_eq(written, readbytes))
11411 goto end;
11412
11413 buf[readbytes] = '\0';
11414 if (!TEST_str_eq(buf, msg))
11415 goto end;
11416 }
11417
11418 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11419 goto end;
11420
11421 testresult = 1;
11422 end:
11423 SSL_free(serverssl);
11424 SSL_free(clientssl);
11425 SSL_CTX_free(sctx);
11426 SSL_CTX_free(cctx);
11427 return testresult;
11428 }
11429 #endif /* OSSL_NO_USABLE_TLS1_3 */
11430
11431 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11432 /*
11433 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11434 * support this yet. The only pipeline capable cipher that we have is in the
11435 * dasync engine (providers don't support this yet), so we have to use
11436 * deprecated APIs for this test.
11437 *
11438 * Test 0: Client has pipelining enabled, server does not
11439 * Test 1: Server has pipelining enabled, client does not
11440 * Test 2: Client has pipelining enabled, server does not: not enough data to
11441 * fill all the pipelines
11442 * Test 3: Client has pipelining enabled, server does not: not enough data to
11443 * fill all the pipelines by more than a full pipeline's worth
11444 * Test 4: Client has pipelining enabled, server does not: more data than all
11445 * the available pipelines can take
11446 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11447 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11448 * is created)
11449 */
test_pipelining(int idx)11450 static int test_pipelining(int idx)
11451 {
11452 SSL_CTX *cctx = NULL, *sctx = NULL;
11453 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11454 int testresult = 0, numreads;
11455 /* A 55 byte message */
11456 unsigned char *msg = (unsigned char *)
11457 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11458 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11459 size_t expectedreads;
11460 unsigned char *buf = NULL;
11461 ENGINE *e = NULL;
11462
11463 if (idx != 6) {
11464 e = load_dasync();
11465 if (e == NULL)
11466 return 0;
11467 }
11468
11469 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11470 TLS_client_method(), 0,
11471 TLS1_2_VERSION, &sctx, &cctx, cert,
11472 privkey)))
11473 goto end;
11474
11475 if (idx == 6) {
11476 e = load_dasync();
11477 if (e == NULL)
11478 goto end;
11479 /* Now act like test 0 */
11480 idx = 0;
11481 }
11482
11483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11484 &clientssl, NULL, NULL)))
11485 goto end;
11486
11487 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11488 goto end;
11489
11490 /* peera is always configured for pipelining, while peerb is not. */
11491 if (idx == 1) {
11492 peera = serverssl;
11493 peerb = clientssl;
11494
11495 } else {
11496 peera = clientssl;
11497 peerb = serverssl;
11498 }
11499
11500 if (idx == 5) {
11501 numpipes = 2;
11502 /* Maximum allowed fragment size */
11503 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11504 msglen = fragsize * numpipes;
11505 msg = OPENSSL_malloc(msglen);
11506 if (!TEST_ptr(msg))
11507 goto end;
11508 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11509 goto end;
11510 } else if (idx == 4) {
11511 msglen = 55;
11512 } else {
11513 msglen = 50;
11514 }
11515 if (idx == 2)
11516 msglen -= 2; /* Send 2 less bytes */
11517 else if (idx == 3)
11518 msglen -= 12; /* Send 12 less bytes */
11519
11520 buf = OPENSSL_malloc(msglen);
11521 if (!TEST_ptr(buf))
11522 goto end;
11523
11524 if (idx == 5) {
11525 /*
11526 * Test that setting a split send fragment longer than the maximum
11527 * allowed fails
11528 */
11529 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11530 goto end;
11531 }
11532
11533 /*
11534 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11535 * (50 bytes in total). This is a ridiculously small number of bytes -
11536 * but sufficient for our purposes
11537 */
11538 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11539 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11540 goto end;
11541
11542 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11543 goto end;
11544
11545 /* Write some data from peera to peerb */
11546 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11547 || !TEST_size_t_eq(written, msglen))
11548 goto end;
11549
11550 /*
11551 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11552 * have been used - except in test 3 where only |numpipes - 1| pipelines
11553 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11554 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11555 * expect this to be read in |numpipes| or |numpipes - 1| separate
11556 * SSL_read_ex calls. In the case of test 4, there is then one additional
11557 * read for left over data that couldn't fit in the previous pipelines
11558 */
11559 for (offset = 0, numreads = 0;
11560 offset < msglen;
11561 offset += readbytes, numreads++) {
11562 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11563 msglen - offset, &readbytes)))
11564 goto end;
11565 }
11566
11567 expectedreads = idx == 4 ? numpipes + 1
11568 : (idx == 3 ? numpipes - 1 : numpipes);
11569 if (!TEST_mem_eq(msg, msglen, buf, offset)
11570 || !TEST_int_eq(numreads, expectedreads))
11571 goto end;
11572
11573 /*
11574 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11575 * chunks to exercise the read pipelining code on peera.
11576 */
11577 for (offset = 0; offset < msglen; offset += fragsize) {
11578 size_t sendlen = msglen - offset;
11579
11580 if (sendlen > fragsize)
11581 sendlen = fragsize;
11582 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11583 || !TEST_size_t_eq(written, sendlen))
11584 goto end;
11585 }
11586
11587 /*
11588 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11589 * separate chunks (depending on which test we are running). If the
11590 * pipelining is working then we expect peera to read up to numpipes chunks
11591 * and process them in parallel, giving back the complete result in a single
11592 * call to SSL_read_ex
11593 */
11594 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11595 || !TEST_size_t_le(readbytes, msglen))
11596 goto end;
11597
11598 if (idx == 4) {
11599 size_t readbytes2;
11600
11601 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11602 msglen - readbytes, &readbytes2)))
11603 goto end;
11604 readbytes += readbytes2;
11605 if (!TEST_size_t_le(readbytes, msglen))
11606 goto end;
11607 }
11608
11609 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11610 goto end;
11611
11612 testresult = 1;
11613 end:
11614 SSL_free(serverssl);
11615 SSL_free(clientssl);
11616 SSL_CTX_free(sctx);
11617 SSL_CTX_free(cctx);
11618 if (e != NULL) {
11619 ENGINE_unregister_ciphers(e);
11620 ENGINE_finish(e);
11621 ENGINE_free(e);
11622 }
11623 OPENSSL_free(buf);
11624 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11625 OPENSSL_free(msg);
11626 return testresult;
11627 }
11628 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11629
check_version_string(SSL * s,int version)11630 static int check_version_string(SSL *s, int version)
11631 {
11632 const char *verstr = NULL;
11633
11634 switch (version) {
11635 case SSL3_VERSION:
11636 verstr = "SSLv3";
11637 break;
11638 case TLS1_VERSION:
11639 verstr = "TLSv1";
11640 break;
11641 case TLS1_1_VERSION:
11642 verstr = "TLSv1.1";
11643 break;
11644 case TLS1_2_VERSION:
11645 verstr = "TLSv1.2";
11646 break;
11647 case TLS1_3_VERSION:
11648 verstr = "TLSv1.3";
11649 break;
11650 case DTLS1_VERSION:
11651 verstr = "DTLSv1";
11652 break;
11653 case DTLS1_2_VERSION:
11654 verstr = "DTLSv1.2";
11655 }
11656
11657 return TEST_str_eq(verstr, SSL_get_version(s));
11658 }
11659
11660 /*
11661 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11662 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11663 * test_version() in quicapitest.c which does the same thing for QUIC
11664 * connections.
11665 */
test_version(int idx)11666 static int test_version(int idx)
11667 {
11668 SSL_CTX *cctx = NULL, *sctx = NULL;
11669 SSL *clientssl = NULL, *serverssl = NULL;
11670 int testresult = 0, version;
11671 const SSL_METHOD *servmeth = TLS_server_method();
11672 const SSL_METHOD *clientmeth = TLS_client_method();
11673
11674 switch (idx) {
11675 #if !defined(OPENSSL_NO_SSL3)
11676 case 0:
11677 version = SSL3_VERSION;
11678 break;
11679 #endif
11680 #if !defined(OPENSSL_NO_TLS1)
11681 case 1:
11682 version = TLS1_VERSION;
11683 break;
11684 #endif
11685 #if !defined(OPENSSL_NO_TLS1_2)
11686 case 2:
11687 version = TLS1_2_VERSION;
11688 break;
11689 #endif
11690 #if !defined(OSSL_NO_USABLE_TLS1_3)
11691 case 3:
11692 version = TLS1_3_VERSION;
11693 break;
11694 #endif
11695 #if !defined(OPENSSL_NO_DTLS1)
11696 case 4:
11697 version = DTLS1_VERSION;
11698 break;
11699 #endif
11700 #if !defined(OPENSSL_NO_DTLS1_2)
11701 case 5:
11702 version = DTLS1_2_VERSION;
11703 break;
11704 #endif
11705 /*
11706 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11707 * We also don't support DTLS1_BAD_VER since we have no server support for
11708 * that.
11709 */
11710 default:
11711 TEST_skip("Unsupported protocol version");
11712 return 1;
11713 }
11714
11715 if (is_fips
11716 && (version == SSL3_VERSION
11717 || version == TLS1_VERSION
11718 || version == DTLS1_VERSION)) {
11719 TEST_skip("Protocol version not supported with FIPS");
11720 return 1;
11721 }
11722
11723 #if !defined(OPENSSL_NO_DTLS)
11724 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11725 servmeth = DTLS_server_method();
11726 clientmeth = DTLS_client_method();
11727 }
11728 #endif
11729
11730 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11731 version, &sctx, &cctx, cert, privkey)))
11732 goto end;
11733
11734 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11735 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11736 "DEFAULT:@SECLEVEL=0")))
11737 goto end;
11738
11739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11740 &clientssl, NULL, NULL)))
11741 goto end;
11742
11743 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11744 goto end;
11745
11746 if (!TEST_int_eq(SSL_version(serverssl), version)
11747 || !TEST_int_eq(SSL_version(clientssl), version)
11748 || !TEST_true(check_version_string(serverssl, version))
11749 || !TEST_true(check_version_string(clientssl, version)))
11750 goto end;
11751
11752 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11753 if (!TEST_true(SSL_is_dtls(serverssl))
11754 || !TEST_true(SSL_is_dtls(clientssl))
11755 || !TEST_false(SSL_is_tls(serverssl))
11756 || !TEST_false(SSL_is_tls(clientssl))
11757 || !TEST_false(SSL_is_quic(serverssl))
11758 || !TEST_false(SSL_is_quic(clientssl)))
11759 goto end;
11760 } else {
11761 if (!TEST_true(SSL_is_tls(serverssl))
11762 || !TEST_true(SSL_is_tls(clientssl))
11763 || !TEST_false(SSL_is_dtls(serverssl))
11764 || !TEST_false(SSL_is_dtls(clientssl))
11765 || !TEST_false(SSL_is_quic(serverssl))
11766 || !TEST_false(SSL_is_quic(clientssl)))
11767 goto end;
11768 }
11769
11770 testresult = 1;
11771 end:
11772 SSL_free(serverssl);
11773 SSL_free(clientssl);
11774 SSL_CTX_free(sctx);
11775 SSL_CTX_free(cctx);
11776 return testresult;
11777 }
11778
11779 /*
11780 * Test that the SSL_rstate_string*() APIs return sane results
11781 */
test_rstate_string(void)11782 static int test_rstate_string(void)
11783 {
11784 SSL_CTX *cctx = NULL, *sctx = NULL;
11785 SSL *clientssl = NULL, *serverssl = NULL;
11786 int testresult = 0, version;
11787 const SSL_METHOD *servmeth = TLS_server_method();
11788 const SSL_METHOD *clientmeth = TLS_client_method();
11789 size_t written, readbytes;
11790 unsigned char buf[2];
11791 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11792 SSL3_RT_APPLICATION_DATA,
11793 TLS1_2_VERSION_MAJOR,
11794 0, /* To be filled in later */
11795 0,
11796 1
11797 };
11798
11799 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11800 0, &sctx, &cctx, cert, privkey)))
11801 goto end;
11802
11803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11804 &clientssl, NULL, NULL)))
11805 goto end;
11806
11807 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11808 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11809 goto end;
11810
11811 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11812 goto end;
11813
11814 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11815 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11816 goto end;
11817
11818 /* Fill in the correct version for the record header */
11819 version = SSL_version(serverssl);
11820 if (version == TLS1_3_VERSION)
11821 version = TLS1_2_VERSION;
11822 dummyheader[2] = version & 0xff;
11823
11824 /*
11825 * Send a dummy header. If we continued to read the body as well this
11826 * would fail with a bad record mac, but we're not going to go that far.
11827 */
11828 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11829 sizeof(dummyheader), &written))
11830 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11831 goto end;
11832
11833 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11834 goto end;
11835
11836 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11837 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11838 goto end;
11839
11840 testresult = 1;
11841 end:
11842 SSL_free(serverssl);
11843 SSL_free(clientssl);
11844 SSL_CTX_free(sctx);
11845 SSL_CTX_free(cctx);
11846 return testresult;
11847 }
11848
11849 /*
11850 * Force a write retry during handshaking. We test various combinations of
11851 * scenarios. We test a large certificate message which will fill the buffering
11852 * BIO used in the handshake. We try with client auth on and off. Finally we
11853 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11854 * to indicate retry via -1 - but sometimes BIOs don't do that.
11855 *
11856 * Test 0: Standard certificate message
11857 * Test 1: Large certificate message
11858 * Test 2: Standard cert, verify peer
11859 * Test 3: Large cert, verify peer
11860 * Test 4: Standard cert, BIO returns 0 on retry
11861 * Test 5: Large cert, BIO returns 0 on retry
11862 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11863 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11864 * Test 8-15: Repeat of above with TLSv1.2
11865 */
test_handshake_retry(int idx)11866 static int test_handshake_retry(int idx)
11867 {
11868 SSL_CTX *cctx = NULL, *sctx = NULL;
11869 SSL *clientssl = NULL, *serverssl = NULL;
11870 int testresult = 0;
11871 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11872 int maxversion = 0;
11873
11874 if (!TEST_ptr(bretry))
11875 goto end;
11876
11877 #ifndef OPENSSL_NO_TLS1_2
11878 if ((idx & 8) == 8)
11879 maxversion = TLS1_2_VERSION;
11880 #else
11881 if ((idx & 8) == 8)
11882 return TEST_skip("No TLSv1.2");
11883 #endif
11884
11885 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11886 TLS_client_method(), 0, maxversion,
11887 &sctx, &cctx, cert, privkey)))
11888 goto end;
11889
11890 /*
11891 * Add a large amount of data to fill the buffering BIO used by the SSL
11892 * object
11893 */
11894 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11895 goto end;
11896
11897 /*
11898 * We don't actually configure a client cert, but neither do we fail if one
11899 * isn't present.
11900 */
11901 if ((idx & 2) == 2)
11902 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11903
11904 if ((idx & 4) == 4)
11905 set_always_retry_err_val(0);
11906
11907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11908 &clientssl, NULL, NULL)))
11909 goto end;
11910
11911 tmp = SSL_get_wbio(serverssl);
11912 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11913 tmp = NULL;
11914 goto end;
11915 }
11916 SSL_set0_wbio(serverssl, bretry);
11917 bretry = NULL;
11918
11919 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11920 goto end;
11921
11922 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11923 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11924 goto end;
11925
11926 /* Restore a BIO that will let the write succeed */
11927 SSL_set0_wbio(serverssl, tmp);
11928 tmp = NULL;
11929
11930 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11931 goto end;
11932
11933 testresult = 1;
11934 end:
11935 SSL_free(serverssl);
11936 SSL_free(clientssl);
11937 SSL_CTX_free(sctx);
11938 SSL_CTX_free(cctx);
11939 BIO_free(bretry);
11940 BIO_free(tmp);
11941 set_always_retry_err_val(-1);
11942 return testresult;
11943 }
11944
11945 /*
11946 * Test that receiving retries when writing application data works as expected
11947 */
test_data_retry(void)11948 static int test_data_retry(void)
11949 {
11950 SSL_CTX *cctx = NULL, *sctx = NULL;
11951 SSL *clientssl = NULL, *serverssl = NULL;
11952 int testresult = 0;
11953 unsigned char inbuf[1200], outbuf[1200];
11954 size_t i;
11955 BIO *tmp = NULL;
11956 BIO *bretry = BIO_new(bio_s_maybe_retry());
11957 size_t written, readbytes, totread = 0;
11958
11959 if (!TEST_ptr(bretry))
11960 goto end;
11961
11962 for (i = 0; i < sizeof(inbuf); i++)
11963 inbuf[i] = (unsigned char)(0xff & i);
11964 memset(outbuf, 0, sizeof(outbuf));
11965
11966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11967 TLS_client_method(), 0, 0, &sctx, &cctx,
11968 cert, privkey)))
11969 goto end;
11970
11971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11972 NULL)))
11973 goto end;
11974
11975 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11976 goto end;
11977
11978 /* Smallest possible max send fragment is 512 */
11979 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11980 goto end;
11981
11982 tmp = SSL_get_wbio(clientssl);
11983 if (!TEST_ptr(tmp))
11984 goto end;
11985 if (!TEST_true(BIO_up_ref(tmp)))
11986 goto end;
11987 BIO_push(bretry, tmp);
11988 tmp = NULL;
11989 SSL_set0_wbio(clientssl, bretry);
11990 if (!BIO_up_ref(bretry)) {
11991 bretry = NULL;
11992 goto end;
11993 }
11994
11995 for (i = 0; i < 3; i++) {
11996 /* We expect this call to make no progress and indicate retry */
11997 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11998 goto end;
11999 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12000 goto end;
12001
12002 /* Allow one write to progress, but the next one to signal retry */
12003 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
12004 NULL)))
12005 goto end;
12006
12007 if (i == 2)
12008 break;
12009
12010 /*
12011 * This call will hopefully make progress but will still indicate retry
12012 * because there is more data than will fit into a single record.
12013 */
12014 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12015 goto end;
12016 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12017 goto end;
12018 }
12019
12020 /* The final call should write the last chunk of data and succeed */
12021 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12022 goto end;
12023 /* Read all the data available */
12024 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
12025 &readbytes))
12026 totread += readbytes;
12027 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
12028 goto end;
12029
12030 testresult = 1;
12031 end:
12032 SSL_free(serverssl);
12033 SSL_free(clientssl);
12034 SSL_CTX_free(sctx);
12035 SSL_CTX_free(cctx);
12036 BIO_free_all(bretry);
12037 BIO_free(tmp);
12038 return testresult;
12039 }
12040
12041 struct resume_servername_cb_data {
12042 int i;
12043 SSL_CTX *cctx;
12044 SSL_CTX *sctx;
12045 SSL_SESSION *sess;
12046 int recurse;
12047 };
12048
12049 /*
12050 * Servername callback. We use it here to run another complete handshake using
12051 * the same session - and mark the session as not_resuamble at the end
12052 */
resume_servername_cb(SSL * s,int * ad,void * arg)12053 static int resume_servername_cb(SSL *s, int *ad, void *arg)
12054 {
12055 struct resume_servername_cb_data *cbdata = arg;
12056 SSL *serverssl = NULL, *clientssl = NULL;
12057 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
12058
12059 if (cbdata->recurse)
12060 return SSL_TLSEXT_ERR_ALERT_FATAL;
12061
12062 if ((cbdata->i % 3) != 1)
12063 return SSL_TLSEXT_ERR_OK;
12064
12065 cbdata->recurse = 1;
12066
12067 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
12068 &clientssl, NULL, NULL))
12069 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
12070 goto end;
12071
12072 ERR_set_mark();
12073 /*
12074 * We expect this to fail - because the servername cb will fail. This will
12075 * mark the session as not_resumable.
12076 */
12077 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
12078 ERR_clear_last_mark();
12079 goto end;
12080 }
12081 ERR_pop_to_mark();
12082
12083 ret = SSL_TLSEXT_ERR_OK;
12084 end:
12085 SSL_free(serverssl);
12086 SSL_free(clientssl);
12087 cbdata->recurse = 0;
12088 return ret;
12089 }
12090 /*
12091 * Test multiple resumptions and cache size handling
12092 * Test 0: TLSv1.3 (max_early_data set)
12093 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
12094 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
12095 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
12096 * Test 4: TLSv1.2
12097 */
test_multi_resume(int idx)12098 static int test_multi_resume(int idx)
12099 {
12100 SSL_CTX *sctx = NULL, *cctx = NULL;
12101 SSL *serverssl = NULL, *clientssl = NULL;
12102 SSL_SESSION *sess = NULL;
12103 int max_version = TLS1_3_VERSION;
12104 int i, testresult = 0;
12105 struct resume_servername_cb_data cbdata;
12106
12107 #if defined(OPENSSL_NO_TLS1_2)
12108 if (idx == 4)
12109 return TEST_skip("TLSv1.2 is disabled in this build");
12110 #else
12111 if (idx == 4)
12112 max_version = TLS1_2_VERSION;
12113 #endif
12114 #if defined(OSSL_NO_USABLE_TLS1_3)
12115 if (idx != 4)
12116 return TEST_skip("No usable TLSv1.3 in this build");
12117 #endif
12118
12119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12120 TLS_client_method(), TLS1_VERSION,
12121 max_version, &sctx, &cctx, cert,
12122 privkey)))
12123 goto end;
12124
12125 /*
12126 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
12127 * replay protection), or if SSL_OP_NO_TICKET is in use
12128 */
12129 if (idx == 0 || idx == 2) {
12130 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
12131 goto end;
12132 }
12133 if (idx == 1 || idx == 2 || idx == 3)
12134 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
12135
12136 SSL_CTX_sess_set_cache_size(sctx, 5);
12137
12138 if (idx == 3) {
12139 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
12140 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
12141 cbdata.cctx = cctx;
12142 cbdata.sctx = sctx;
12143 cbdata.recurse = 0;
12144 }
12145
12146 for (i = 0; i < 30; i++) {
12147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
12148 NULL, NULL))
12149 || !TEST_true(SSL_set_session(clientssl, sess)))
12150 goto end;
12151
12152 /*
12153 * Check simultaneous resumes. We pause the connection part way through
12154 * the handshake by (mis)using the servername_cb. The pause occurs after
12155 * session resumption has already occurred, but before any session
12156 * tickets have been issued. While paused we run another complete
12157 * handshake resuming the same session.
12158 */
12159 if (idx == 3) {
12160 cbdata.i = i;
12161 cbdata.sess = sess;
12162 }
12163
12164 /*
12165 * Recreate a bug where dynamically changing the max_early_data value
12166 * can cause sessions in the session cache which cannot be deleted.
12167 */
12168 if ((idx == 0 || idx == 2) && (i % 3) == 2)
12169 SSL_set_max_early_data(serverssl, 0);
12170
12171 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
12172 goto end;
12173
12174 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
12175 if (!TEST_false(SSL_session_reused(clientssl)))
12176 goto end;
12177 } else {
12178 if (!TEST_true(SSL_session_reused(clientssl)))
12179 goto end;
12180 }
12181 SSL_SESSION_free(sess);
12182
12183 /* Do a full handshake, followed by two resumptions */
12184 if ((i % 3) == 2) {
12185 sess = NULL;
12186 } else {
12187 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
12188 goto end;
12189 }
12190
12191 SSL_shutdown(clientssl);
12192 SSL_shutdown(serverssl);
12193 SSL_free(serverssl);
12194 SSL_free(clientssl);
12195 serverssl = clientssl = NULL;
12196 }
12197
12198 /* We should never exceed the session cache size limit */
12199 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
12200 goto end;
12201
12202 testresult = 1;
12203 end:
12204 SSL_free(serverssl);
12205 SSL_free(clientssl);
12206 SSL_CTX_free(sctx);
12207 SSL_CTX_free(cctx);
12208 SSL_SESSION_free(sess);
12209 return testresult;
12210 }
12211
12212 static struct next_proto_st {
12213 int serverlen;
12214 unsigned char server[40];
12215 int clientlen;
12216 unsigned char client[40];
12217 int expected_ret;
12218 size_t selectedlen;
12219 unsigned char selected[40];
12220 } next_proto_tests[] = {
12221 {
12222 4, { 3, 'a', 'b', 'c' },
12223 4, { 3, 'a', 'b', 'c' },
12224 OPENSSL_NPN_NEGOTIATED,
12225 3, { 'a', 'b', 'c' }
12226 },
12227 {
12228 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
12229 4, { 3, 'a', 'b', 'c' },
12230 OPENSSL_NPN_NEGOTIATED,
12231 3, { 'a', 'b', 'c' }
12232 },
12233 {
12234 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
12235 4, { 3, 'a', 'b', 'c' },
12236 OPENSSL_NPN_NEGOTIATED,
12237 3, { 'a', 'b', 'c' }
12238 },
12239 {
12240 4, { 3, 'a', 'b', 'c' },
12241 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
12242 OPENSSL_NPN_NEGOTIATED,
12243 3, { 'a', 'b', 'c' }
12244 },
12245 {
12246 4, { 3, 'a', 'b', 'c' },
12247 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12248 OPENSSL_NPN_NEGOTIATED,
12249 3, { 'a', 'b', 'c' }
12250 },
12251 {
12252 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
12253 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12254 OPENSSL_NPN_NEGOTIATED,
12255 3, { 'a', 'b', 'c' }
12256 },
12257 {
12258 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
12259 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12260 OPENSSL_NPN_NEGOTIATED,
12261 3, { 'a', 'b', 'c' }
12262 },
12263 {
12264 4, { 3, 'b', 'c', 'd' },
12265 4, { 3, 'a', 'b', 'c' },
12266 OPENSSL_NPN_NO_OVERLAP,
12267 3, { 'a', 'b', 'c' }
12268 },
12269 {
12270 0, { 0 },
12271 4, { 3, 'a', 'b', 'c' },
12272 OPENSSL_NPN_NO_OVERLAP,
12273 3, { 'a', 'b', 'c' }
12274 },
12275 {
12276 -1, { 0 },
12277 4, { 3, 'a', 'b', 'c' },
12278 OPENSSL_NPN_NO_OVERLAP,
12279 3, { 'a', 'b', 'c' }
12280 },
12281 {
12282 4, { 3, 'a', 'b', 'c' },
12283 0, { 0 },
12284 OPENSSL_NPN_NO_OVERLAP,
12285 0, { 0 }
12286 },
12287 {
12288 4, { 3, 'a', 'b', 'c' },
12289 -1, { 0 },
12290 OPENSSL_NPN_NO_OVERLAP,
12291 0, { 0 }
12292 },
12293 {
12294 3, { 3, 'a', 'b', 'c' },
12295 4, { 3, 'a', 'b', 'c' },
12296 OPENSSL_NPN_NO_OVERLAP,
12297 3, { 'a', 'b', 'c' }
12298 },
12299 {
12300 4, { 3, 'a', 'b', 'c' },
12301 3, { 3, 'a', 'b', 'c' },
12302 OPENSSL_NPN_NO_OVERLAP,
12303 0, { 0 }
12304 }
12305 };
12306
test_select_next_proto(int idx)12307 static int test_select_next_proto(int idx)
12308 {
12309 struct next_proto_st *np = &next_proto_tests[idx];
12310 int ret = 0;
12311 unsigned char *out, *client, *server;
12312 unsigned char outlen;
12313 unsigned int clientlen, serverlen;
12314
12315 if (np->clientlen == -1) {
12316 client = NULL;
12317 clientlen = 0;
12318 } else {
12319 client = np->client;
12320 clientlen = (unsigned int)np->clientlen;
12321 }
12322 if (np->serverlen == -1) {
12323 server = NULL;
12324 serverlen = 0;
12325 } else {
12326 server = np->server;
12327 serverlen = (unsigned int)np->serverlen;
12328 }
12329
12330 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
12331 client, clientlen),
12332 np->expected_ret))
12333 goto err;
12334
12335 if (np->selectedlen == 0) {
12336 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
12337 goto err;
12338 } else {
12339 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
12340 goto err;
12341 }
12342
12343 ret = 1;
12344 err:
12345 return ret;
12346 }
12347
12348 static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
12349 static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
12350
12351 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
npn_advert_cb(SSL * ssl,const unsigned char ** out,unsigned int * outlen,void * arg)12352 static int npn_advert_cb(SSL *ssl, const unsigned char **out,
12353 unsigned int *outlen, void *arg)
12354 {
12355 int *idx = (int *)arg;
12356
12357 switch (*idx) {
12358 default:
12359 case 0:
12360 *out = fooprot;
12361 *outlen = sizeof(fooprot);
12362 return SSL_TLSEXT_ERR_OK;
12363
12364 case 1:
12365 *out = NULL;
12366 *outlen = 0;
12367 return SSL_TLSEXT_ERR_OK;
12368
12369 case 2:
12370 return SSL_TLSEXT_ERR_NOACK;
12371 }
12372 }
12373
npn_select_cb(SSL * s,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)12374 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
12375 const unsigned char *in, unsigned int inlen, void *arg)
12376 {
12377 int *idx = (int *)arg;
12378
12379 switch (*idx) {
12380 case 0:
12381 case 1:
12382 *out = (unsigned char *)(fooprot + 1);
12383 *outlen = *fooprot;
12384 return SSL_TLSEXT_ERR_OK;
12385
12386 case 3:
12387 *out = (unsigned char *)(barprot + 1);
12388 *outlen = *barprot;
12389 return SSL_TLSEXT_ERR_OK;
12390
12391 case 4:
12392 *outlen = 0;
12393 return SSL_TLSEXT_ERR_OK;
12394
12395 default:
12396 case 2:
12397 return SSL_TLSEXT_ERR_ALERT_FATAL;
12398 }
12399 }
12400
12401 /*
12402 * Test the NPN callbacks
12403 * Test 0: advert = foo, select = foo
12404 * Test 1: advert = <empty>, select = foo
12405 * Test 2: no advert
12406 * Test 3: advert = foo, select = bar
12407 * Test 4: advert = foo, select = <empty> (should fail)
12408 */
test_npn(int idx)12409 static int test_npn(int idx)
12410 {
12411 SSL_CTX *sctx = NULL, *cctx = NULL;
12412 SSL *serverssl = NULL, *clientssl = NULL;
12413 int testresult = 0;
12414
12415 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12416 TLS_client_method(), 0, TLS1_2_VERSION,
12417 &sctx, &cctx, cert, privkey)))
12418 goto end;
12419
12420 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
12421 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
12422
12423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12424 NULL)))
12425 goto end;
12426
12427 if (idx == 4) {
12428 /* We don't allow empty selection of NPN, so this should fail */
12429 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12430 SSL_ERROR_NONE)))
12431 goto end;
12432 } else {
12433 const unsigned char *prot;
12434 unsigned int protlen;
12435
12436 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12437 SSL_ERROR_NONE)))
12438 goto end;
12439
12440 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
12441 switch (idx) {
12442 case 0:
12443 case 1:
12444 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12445 goto end;
12446 break;
12447 case 2:
12448 if (!TEST_uint_eq(protlen, 0))
12449 goto end;
12450 break;
12451 case 3:
12452 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
12453 goto end;
12454 break;
12455 default:
12456 TEST_error("Should not get here");
12457 goto end;
12458 }
12459 }
12460
12461 testresult = 1;
12462 end:
12463 SSL_free(serverssl);
12464 SSL_free(clientssl);
12465 SSL_CTX_free(sctx);
12466 SSL_CTX_free(cctx);
12467
12468 return testresult;
12469 }
12470 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12471
alpn_select_cb2(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)12472 static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
12473 unsigned char *outlen, const unsigned char *in,
12474 unsigned int inlen, void *arg)
12475 {
12476 int *idx = (int *)arg;
12477
12478 switch (*idx) {
12479 case 0:
12480 *out = (unsigned char *)(fooprot + 1);
12481 *outlen = *fooprot;
12482 return SSL_TLSEXT_ERR_OK;
12483
12484 case 2:
12485 *out = (unsigned char *)(barprot + 1);
12486 *outlen = *barprot;
12487 return SSL_TLSEXT_ERR_OK;
12488
12489 case 3:
12490 *outlen = 0;
12491 return SSL_TLSEXT_ERR_OK;
12492
12493 default:
12494 case 1:
12495 return SSL_TLSEXT_ERR_ALERT_FATAL;
12496 }
12497 return 0;
12498 }
12499
12500 /*
12501 * Test the ALPN callbacks
12502 * Test 0: client = foo, select = foo
12503 * Test 1: client = <empty>, select = none
12504 * Test 2: client = foo, select = bar (should fail)
12505 * Test 3: client = foo, select = <empty> (should fail)
12506 */
test_alpn(int idx)12507 static int test_alpn(int idx)
12508 {
12509 SSL_CTX *sctx = NULL, *cctx = NULL;
12510 SSL *serverssl = NULL, *clientssl = NULL;
12511 int testresult = 0;
12512 const unsigned char *prots = fooprot;
12513 unsigned int protslen = sizeof(fooprot);
12514
12515 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12516 TLS_client_method(), 0, 0,
12517 &sctx, &cctx, cert, privkey)))
12518 goto end;
12519
12520 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
12521
12522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12523 NULL)))
12524 goto end;
12525
12526 if (idx == 1) {
12527 prots = NULL;
12528 protslen = 0;
12529 }
12530
12531 /* SSL_set_alpn_protos returns 0 for success! */
12532 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
12533 goto end;
12534
12535 if (idx == 2 || idx == 3) {
12536 /* We don't allow empty selection of NPN, so this should fail */
12537 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12538 SSL_ERROR_NONE)))
12539 goto end;
12540 } else {
12541 const unsigned char *prot;
12542 unsigned int protlen;
12543
12544 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12545 SSL_ERROR_NONE)))
12546 goto end;
12547
12548 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
12549 switch (idx) {
12550 case 0:
12551 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12552 goto end;
12553 break;
12554 case 1:
12555 if (!TEST_uint_eq(protlen, 0))
12556 goto end;
12557 break;
12558 default:
12559 TEST_error("Should not get here");
12560 goto end;
12561 }
12562 }
12563
12564 testresult = 1;
12565 end:
12566 SSL_free(serverssl);
12567 SSL_free(clientssl);
12568 SSL_CTX_free(sctx);
12569 SSL_CTX_free(cctx);
12570
12571 return testresult;
12572 }
12573
12574 #if !defined(OSSL_NO_USABLE_TLS1_3)
12575 struct quic_tls_test_data {
12576 struct quic_tls_test_data *peer;
12577 uint32_t renc_level;
12578 uint32_t wenc_level;
12579 unsigned char rcd_data[4][2048];
12580 size_t rcd_data_len[4];
12581 unsigned char rsecret[3][48];
12582 size_t rsecret_len[3];
12583 unsigned char wsecret[3][48];
12584 size_t wsecret_len[3];
12585 unsigned char params[3];
12586 size_t params_len;
12587 int alert;
12588 int err;
12589 int forcefail;
12590 int sm_count;
12591 };
12592
12593 static int clientquicdata = 0xff, serverquicdata = 0xfe;
12594
check_app_data(SSL * s)12595 static int check_app_data(SSL *s)
12596 {
12597 int *data, *comparedata;
12598
12599 /* Check app data works */
12600 data = (int *)SSL_get_app_data(s);
12601 comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;
12602
12603 if (!TEST_true(comparedata == data))
12604 return 0;
12605
12606 return 1;
12607 }
12608
crypto_send_cb(SSL * s,const unsigned char * buf,size_t buf_len,size_t * consumed,void * arg)12609 static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
12610 size_t *consumed, void *arg)
12611 {
12612 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12613 struct quic_tls_test_data *peer = data->peer;
12614 size_t max_len = sizeof(peer->rcd_data[data->wenc_level])
12615 - peer->rcd_data_len[data->wenc_level];
12616
12617 if (!check_app_data(s)) {
12618 data->err = 1;
12619 return 0;
12620 }
12621
12622 if (buf_len > max_len)
12623 buf_len = max_len;
12624
12625 if (buf_len == 0) {
12626 *consumed = 0;
12627 return 1;
12628 }
12629
12630 memcpy(peer->rcd_data[data->wenc_level]
12631 + peer->rcd_data_len[data->wenc_level], buf, buf_len);
12632 peer->rcd_data_len[data->wenc_level] += buf_len;
12633
12634 *consumed = buf_len;
12635 return 1;
12636 }
crypto_recv_rcd_cb(SSL * s,const unsigned char ** buf,size_t * bytes_read,void * arg)12637 static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
12638 size_t *bytes_read, void *arg)
12639 {
12640 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12641
12642 if (!check_app_data(s)) {
12643 data->err = 1;
12644 return 0;
12645 }
12646
12647 *bytes_read = data->rcd_data_len[data->renc_level];
12648 *buf = data->rcd_data[data->renc_level];
12649 return 1;
12650 }
12651
crypto_release_rcd_cb(SSL * s,size_t bytes_read,void * arg)12652 static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
12653 {
12654 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12655
12656 if (!check_app_data(s)) {
12657 data->err = 1;
12658 return 0;
12659 }
12660
12661 /* See if we need to force a failure in this callback */
12662 if (data->forcefail) {
12663 data->forcefail = 0;
12664 data->err = 1;
12665 return 0;
12666 }
12667
12668 if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
12669 || !TEST_size_t_gt(bytes_read, 0)) {
12670 data->err = 1;
12671 return 0;
12672 }
12673 data->rcd_data_len[data->renc_level] = 0;
12674
12675 return 1;
12676 }
12677
12678 struct secret_yield_entry {
12679 uint8_t recorded;
12680 int prot_level;
12681 int direction;
12682 int sm_generation;
12683 SSL *ssl;
12684 };
12685
12686 static struct secret_yield_entry secret_history[16];
12687 static int secret_history_idx = 0;
12688 /*
12689 * Note, this enum needs to match the direction values passed
12690 * to yield_secret_cb
12691 */
12692 typedef enum {
12693 LAST_DIR_READ = 0,
12694 LAST_DIR_WRITE = 1,
12695 LAST_DIR_UNSET = 2
12696 } last_dir_history_state;
12697
check_secret_history(SSL * s)12698 static int check_secret_history(SSL *s)
12699 {
12700 int i;
12701 int ret = 0;
12702 last_dir_history_state last_state = LAST_DIR_UNSET;
12703 int last_prot_level = 0;
12704 int last_generation = 0;
12705
12706 TEST_info("Checking history for %p\n", (void *)s);
12707 for (i = 0; secret_history[i].recorded == 1; i++) {
12708 if (secret_history[i].ssl != s)
12709 continue;
12710 TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
12711 secret_history[i].direction == 1 ? "Write" : "Read", secret_history[i].direction,
12712 secret_history[i].prot_level, last_prot_level, last_state,
12713 secret_history[i].sm_generation);
12714
12715 if (last_state == LAST_DIR_UNSET) {
12716 last_prot_level = secret_history[i].prot_level;
12717 last_state = secret_history[i].direction;
12718 last_generation = secret_history[i].sm_generation;
12719 continue;
12720 }
12721
12722 switch(secret_history[i].direction) {
12723 case 1:
12724 /*
12725 * write case
12726 * NOTE: There is an odd corner case here. It may occur that
12727 * in a single iteration of the state machine, the read key is yielded
12728 * prior to the write key for the same level. This is undesireable
12729 * for quic, but it is ok, as the general implementation of every 3rd
12730 * party quic stack while prefering write keys before read, allows
12731 * for read before write if both keys are yielded in the same call
12732 * to SSL_do_handshake, as the tls adaptation code for that quic stack
12733 * can then cache keys until both are available, so we allow read before
12734 * write here iff they occur in the same iteration of SSL_do_handshake
12735 * as represented by the recorded sm_generation value.
12736 */
12737 if (last_prot_level == secret_history[i].prot_level
12738 && last_state == LAST_DIR_READ) {
12739 if (last_generation == secret_history[i].sm_generation) {
12740 TEST_info("Read before write key in same SSL state machine iteration is ok");
12741 } else {
12742 TEST_error("Got read key before write key");
12743 goto end;
12744 }
12745 }
12746 /* FALLTHROUGH */
12747 case 0:
12748 /*
12749 * Read case
12750 */
12751 break;
12752 default:
12753 TEST_error("Unknown direction");
12754 goto end;
12755 }
12756 last_prot_level = secret_history[i].prot_level;
12757 last_state = secret_history[i].direction;
12758 last_generation = secret_history[i].sm_generation;
12759 }
12760
12761 ret = 1;
12762 end:
12763 return ret;
12764 }
12765
yield_secret_cb(SSL * s,uint32_t prot_level,int direction,const unsigned char * secret,size_t secret_len,void * arg)12766 static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
12767 const unsigned char *secret, size_t secret_len,
12768 void *arg)
12769 {
12770 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12771
12772 if (!check_app_data(s))
12773 goto err;
12774
12775 if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
12776 || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
12777 goto err;
12778
12779 switch (direction) {
12780 case 0: /* read */
12781 if (!TEST_size_t_le(secret_len, sizeof(data->rsecret)))
12782 goto err;
12783 data->renc_level = prot_level;
12784 memcpy(data->rsecret[prot_level - 1], secret, secret_len);
12785 data->rsecret_len[prot_level - 1] = secret_len;
12786 break;
12787
12788 case 1: /* write */
12789 if (!TEST_size_t_le(secret_len, sizeof(data->wsecret)))
12790 goto err;
12791 data->wenc_level = prot_level;
12792 memcpy(data->wsecret[prot_level - 1], secret, secret_len);
12793 data->wsecret_len[prot_level - 1] = secret_len;
12794 break;
12795
12796 default:
12797 goto err;
12798 }
12799
12800 secret_history[secret_history_idx].direction = direction;
12801 secret_history[secret_history_idx].prot_level = (int)prot_level;
12802 secret_history[secret_history_idx].recorded = 1;
12803 secret_history[secret_history_idx].ssl = s;
12804 secret_history[secret_history_idx].sm_generation = data->sm_count;
12805 secret_history_idx++;
12806 return 1;
12807 err:
12808 data->err = 1;
12809 return 0;
12810 }
12811
yield_secret_cb_fail(SSL * s,uint32_t prot_level,int direction,const unsigned char * secret,size_t secret_len,void * arg)12812 static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
12813 const unsigned char *secret, size_t secret_len,
12814 void *arg)
12815 {
12816 (void)s;
12817 (void)prot_level;
12818 (void)direction;
12819 (void)secret;
12820 (void)secret_len;
12821 (void)arg;
12822 /*
12823 * This callback is to test double free in quic tls
12824 */
12825 return 0;
12826 }
12827
got_transport_params_cb(SSL * s,const unsigned char * params,size_t params_len,void * arg)12828 static int got_transport_params_cb(SSL *s, const unsigned char *params,
12829 size_t params_len,
12830 void *arg)
12831 {
12832 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12833
12834 if (!check_app_data(s)) {
12835 data->err = 1;
12836 return 0;
12837 }
12838
12839 if (!TEST_size_t_le(params_len, sizeof(data->params))) {
12840 data->err = 1;
12841 return 0;
12842 }
12843
12844 memcpy(data->params, params, params_len);
12845 data->params_len = params_len;
12846
12847 return 1;
12848 }
12849
alert_cb(SSL * s,unsigned char alert_code,void * arg)12850 static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
12851 {
12852 struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12853
12854 if (!check_app_data(s)) {
12855 data->err = 1;
12856 return 0;
12857 }
12858
12859 data->alert = 1;
12860 return 1;
12861 }
12862
12863 /*
12864 * Test the QUIC TLS API
12865 * Test 0: Normal run
12866 * Test 1: Force a failure
12867 * Test 3: Use a CCM based ciphersuite
12868 * Test 4: fail yield_secret_cb to see double free
12869 * Test 5: Normal run with SNI
12870 */
test_quic_tls(int idx)12871 static int test_quic_tls(int idx)
12872 {
12873 SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
12874 SSL *serverssl = NULL, *clientssl = NULL;
12875 int testresult = 0;
12876 OSSL_DISPATCH qtdis[] = {
12877 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
12878 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
12879 (void (*)(void))crypto_recv_rcd_cb},
12880 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
12881 (void (*)(void))crypto_release_rcd_cb},
12882 {OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
12883 (void (*)(void))yield_secret_cb},
12884 {OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
12885 (void (*)(void))got_transport_params_cb},
12886 {OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb},
12887 {0, NULL}
12888 };
12889 struct quic_tls_test_data sdata, cdata;
12890 const unsigned char cparams[] = {
12891 0xff, 0x01, 0x00
12892 };
12893 const unsigned char sparams[] = {
12894 0xfe, 0x01, 0x00
12895 };
12896 int i;
12897
12898 if (idx == 4)
12899 qtdis[3].function = (void (*)(void))yield_secret_cb_fail;
12900
12901 snicb = 0;
12902 memset(secret_history, 0, sizeof(secret_history));
12903 secret_history_idx = 0;
12904 memset(&sdata, 0, sizeof(sdata));
12905 memset(&cdata, 0, sizeof(cdata));
12906 sdata.peer = &cdata;
12907 cdata.peer = &sdata;
12908 if (idx == 1)
12909 sdata.forcefail = 1;
12910
12911 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12912 TLS_client_method(), TLS1_3_VERSION, 0,
12913 &sctx, &cctx, cert, privkey)))
12914 goto end;
12915
12916 if (idx == 5) {
12917 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
12918 TLS1_3_VERSION, 0,
12919 &sctx2, NULL, cert, privkey)))
12920 goto end;
12921
12922 /* Set up SNI */
12923 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
12924 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
12925 goto end;
12926 }
12927
12928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12929 NULL)))
12930 goto end;
12931
12932 /* Reset the BIOs we set in create_ssl_objects. We should not need them */
12933 SSL_set_bio(serverssl, NULL, NULL);
12934 SSL_set_bio(clientssl, NULL, NULL);
12935
12936 if (idx == 2) {
12937 if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
12938 || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
12939 goto end;
12940 }
12941
12942 if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
12943 || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
12944 goto end;
12945
12946 if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
12947 || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
12948 || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
12949 sizeof(cparams)))
12950 || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
12951 sizeof(sparams))))
12952 goto end;
12953
12954 if (idx != 1 && idx != 4) {
12955 if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
12956 &cdata.sm_count, &sdata.sm_count)))
12957 goto end;
12958 } else {
12959 /* We expect this connection to fail */
12960 if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
12961 &cdata.sm_count, &sdata.sm_count)))
12962 goto end;
12963 testresult = 1;
12964 sdata.err = 0;
12965 goto end;
12966 }
12967
12968 /* We should have had the SNI callback called exactly once */
12969 if (idx == 5) {
12970 if (!TEST_int_eq(snicb, 1))
12971 goto end;
12972 }
12973
12974 /* Check no problems during the handshake */
12975 if (!TEST_false(sdata.alert)
12976 || !TEST_false(cdata.alert)
12977 || !TEST_false(sdata.err)
12978 || !TEST_false(cdata.err))
12979 goto end;
12980
12981 /* Check the secrets all match */
12982 for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
12983 i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
12984 i++) {
12985 if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
12986 cdata.rsecret[i], cdata.rsecret_len[i]))
12987 goto end;
12988 }
12989
12990 /*
12991 * Check that our secret history yields write secrets before read secrets
12992 */
12993 if (!TEST_int_eq(check_secret_history(serverssl), 1))
12994 goto end;
12995 if (!TEST_int_eq(check_secret_history(clientssl), 1))
12996 goto end;
12997
12998 /* Check the transport params */
12999 if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13000 || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13001 sizeof(sparams)))
13002 goto end;
13003
13004 /* Check the encryption levels are what we expect them to be */
13005 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13006 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13007 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13008 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13009 goto end;
13010
13011 testresult = 1;
13012 end:
13013 SSL_free(serverssl);
13014 SSL_free(clientssl);
13015 SSL_CTX_free(sctx2);
13016 SSL_CTX_free(sctx);
13017 SSL_CTX_free(cctx);
13018
13019 /* Check that we didn't suddenly hit an unexpected failure during cleanup */
13020 if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
13021 testresult = 0;
13022
13023 return testresult;
13024 }
13025
assert_no_end_of_early_data(int write_p,int version,int content_type,const void * buf,size_t msglen,SSL * ssl,void * arg)13026 static void assert_no_end_of_early_data(int write_p, int version, int content_type,
13027 const void *buf, size_t msglen, SSL *ssl, void *arg)
13028 {
13029 const unsigned char *msg = buf;
13030
13031 if (content_type == SSL3_RT_HANDSHAKE && msg[0] == SSL3_MT_END_OF_EARLY_DATA)
13032 end_of_early_data = 1;
13033 }
13034
test_quic_tls_early_data(void)13035 static int test_quic_tls_early_data(void)
13036 {
13037 SSL_CTX *sctx = NULL, *cctx = NULL;
13038 SSL *serverssl = NULL, *clientssl = NULL;
13039 int testresult = 0;
13040 SSL_SESSION *sess = NULL;
13041 const OSSL_DISPATCH qtdis[] = {
13042 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
13043 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
13044 (void (*)(void))crypto_recv_rcd_cb},
13045 {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
13046 (void (*)(void))crypto_release_rcd_cb},
13047 {OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
13048 (void (*)(void))yield_secret_cb},
13049 {OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
13050 (void (*)(void))got_transport_params_cb},
13051 {OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb},
13052 {0, NULL}
13053 };
13054 struct quic_tls_test_data sdata, cdata;
13055 const unsigned char cparams[] = {
13056 0xff, 0x01, 0x00
13057 };
13058 const unsigned char sparams[] = {
13059 0xfe, 0x01, 0x00
13060 };
13061 int i;
13062
13063 memset(secret_history, 0, sizeof(secret_history));
13064 secret_history_idx = 0;
13065 memset(&sdata, 0, sizeof(sdata));
13066 memset(&cdata, 0, sizeof(cdata));
13067 sdata.peer = &cdata;
13068 cdata.peer = &sdata;
13069 end_of_early_data = 0;
13070
13071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
13072 TLS_client_method(), TLS1_3_VERSION, 0,
13073 &sctx, &cctx, cert, privkey)))
13074 goto end;
13075
13076 SSL_CTX_set_max_early_data(sctx, 0xffffffff);
13077 SSL_CTX_set_max_early_data(cctx, 0xffffffff);
13078
13079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13080 NULL)))
13081 goto end;
13082
13083 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13084 goto end;
13085
13086 sess = SSL_get1_session(clientssl);
13087 SSL_shutdown(clientssl);
13088 SSL_shutdown(serverssl);
13089 SSL_free(serverssl);
13090 SSL_free(clientssl);
13091 serverssl = clientssl = NULL;
13092
13093 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
13094 &clientssl, NULL, NULL))
13095 || !TEST_true(SSL_set_session(clientssl, sess)))
13096 goto end;
13097
13098 /* Reset the BIOs we set in create_ssl_objects. We should not need them */
13099 SSL_set_bio(serverssl, NULL, NULL);
13100 SSL_set_bio(clientssl, NULL, NULL);
13101
13102 if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
13103 || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
13104 goto end;
13105
13106 if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
13107 || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
13108 || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
13109 sizeof(cparams)))
13110 || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
13111 sizeof(sparams))))
13112 goto end;
13113
13114 /*
13115 * Reset our secret history so we get the record of the second connection
13116 */
13117 memset(secret_history, 0, sizeof(secret_history));
13118 secret_history_idx = 0;
13119
13120 SSL_set_quic_tls_early_data_enabled(serverssl, 1);
13121 SSL_set_quic_tls_early_data_enabled(clientssl, 1);
13122
13123 SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
13124 SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);
13125
13126 if (!TEST_int_eq(SSL_connect(clientssl), -1)
13127 || !TEST_int_eq(SSL_accept(serverssl), -1)
13128 || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
13129 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
13130 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
13131 goto end;
13132
13133 /* Check the encryption levels are what we expect them to be */
13134 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
13135 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13136 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
13137 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
13138 goto end;
13139
13140 sdata.sm_count = 0;
13141 cdata.sm_count = 0;
13142 if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
13143 &cdata.sm_count, &sdata.sm_count)))
13144 goto end;
13145
13146 /* Check no problems during the handshake */
13147 if (!TEST_false(sdata.alert)
13148 || !TEST_false(cdata.alert)
13149 || !TEST_false(sdata.err)
13150 || !TEST_false(cdata.err))
13151 goto end;
13152
13153 /* Check the secrets all match */
13154 for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
13155 i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
13156 i++) {
13157 if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
13158 cdata.rsecret[i], cdata.rsecret_len[i]))
13159 goto end;
13160 }
13161
13162 if (!TEST_int_eq(check_secret_history(serverssl), 1))
13163 goto end;
13164 if (!TEST_int_eq(check_secret_history(clientssl), 1))
13165 goto end;
13166
13167 /* Check the transport params */
13168 if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13169 || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13170 sizeof(sparams)))
13171 goto end;
13172
13173 /* Check the encryption levels are what we expect them to be */
13174 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13175 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13176 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13177 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13178 goto end;
13179
13180 /* Check there is no EndOfEearlyData in handshake */
13181 if (!TEST_int_eq(end_of_early_data, 0))
13182 goto end;
13183
13184 testresult = 1;
13185 end:
13186 SSL_SESSION_free(sess);
13187 SSL_SESSION_free(clientpsk);
13188 SSL_SESSION_free(serverpsk);
13189 clientpsk = serverpsk = NULL;
13190 SSL_free(serverssl);
13191 SSL_free(clientssl);
13192 SSL_CTX_free(sctx);
13193 SSL_CTX_free(cctx);
13194
13195 return testresult;
13196 }
13197 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
13198
test_no_renegotiation(int idx)13199 static int test_no_renegotiation(int idx)
13200 {
13201 SSL_CTX *sctx = NULL, *cctx = NULL;
13202 SSL *serverssl = NULL, *clientssl = NULL;
13203 int testresult = 0, ret;
13204 int max_proto;
13205 const SSL_METHOD *sm, *cm;
13206 unsigned char buf[5];
13207
13208 if (idx == 0) {
13209 #ifndef OPENSSL_NO_TLS1_2
13210 max_proto = TLS1_2_VERSION;
13211 sm = TLS_server_method();
13212 cm = TLS_client_method();
13213 #else
13214 return TEST_skip("TLSv1.2 is disabled in this build");
13215 #endif
13216 } else {
13217 #ifndef OPENSSL_NO_DTLS1_2
13218 max_proto = DTLS1_2_VERSION;
13219 sm = DTLS_server_method();
13220 cm = DTLS_client_method();
13221 #else
13222 return TEST_skip("DTLSv1.2 is disabled in this build");
13223 #endif
13224 }
13225 if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
13226 &sctx, &cctx, cert, privkey)))
13227 goto end;
13228
13229 SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);
13230
13231 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13232 NULL)))
13233 goto end;
13234
13235 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13236 goto end;
13237
13238 if (!TEST_true(SSL_renegotiate(clientssl))
13239 || !TEST_int_le(ret = SSL_connect(clientssl), 0)
13240 || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
13241 goto end;
13242
13243 /*
13244 * We've not sent any application data, so we expect this to fail. It should
13245 * also read the renegotiation attempt, and send back a no_renegotiation
13246 * warning alert because we have renegotiation disabled.
13247 */
13248 if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
13249 goto end;
13250 if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
13251 goto end;
13252
13253 /*
13254 * The client should now see the no_renegotiation warning and fail the
13255 * connection
13256 */
13257 if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
13258 || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
13259 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
13260 goto end;
13261
13262 testresult = 1;
13263 end:
13264 SSL_free(serverssl);
13265 SSL_free(clientssl);
13266 SSL_CTX_free(sctx);
13267 SSL_CTX_free(cctx);
13268
13269 return testresult;
13270 }
13271
13272 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
13273
setup_tests(void)13274 int setup_tests(void)
13275 {
13276 char *modulename;
13277 char *configfile;
13278
13279 libctx = OSSL_LIB_CTX_new();
13280 if (!TEST_ptr(libctx))
13281 return 0;
13282
13283 defctxnull = OSSL_PROVIDER_load(NULL, "null");
13284
13285 /*
13286 * Verify that the default and fips providers in the default libctx are not
13287 * available
13288 */
13289 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
13290 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
13291 return 0;
13292
13293 if (!test_skip_common_options()) {
13294 TEST_error("Error parsing test options\n");
13295 return 0;
13296 }
13297
13298 if (!TEST_ptr(certsdir = test_get_argument(0))
13299 || !TEST_ptr(srpvfile = test_get_argument(1))
13300 || !TEST_ptr(tmpfilename = test_get_argument(2))
13301 || !TEST_ptr(modulename = test_get_argument(3))
13302 || !TEST_ptr(configfile = test_get_argument(4))
13303 || !TEST_ptr(dhfile = test_get_argument(5)))
13304 return 0;
13305
13306 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
13307 return 0;
13308
13309 /* Check we have the expected provider available */
13310 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
13311 return 0;
13312
13313 /* Check the default provider is not available */
13314 if (strcmp(modulename, "default") != 0
13315 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
13316 return 0;
13317
13318 if (strcmp(modulename, "fips") == 0) {
13319 OSSL_PROVIDER *prov = NULL;
13320 OSSL_PARAM params[2];
13321
13322 is_fips = 1;
13323
13324 prov = OSSL_PROVIDER_load(libctx, "fips");
13325 if (prov != NULL) {
13326 /* Query the fips provider to check if the check ems option is enabled */
13327 params[0] =
13328 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
13329 &fips_ems_check);
13330 params[1] = OSSL_PARAM_construct_end();
13331 OSSL_PROVIDER_get_params(prov, params);
13332 OSSL_PROVIDER_unload(prov);
13333 }
13334 }
13335
13336 /*
13337 * We add, but don't load the test "tls-provider". We'll load it when we
13338 * need it.
13339 */
13340 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
13341 tls_provider_init)))
13342 return 0;
13343
13344
13345 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
13346 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
13347 TEST_error("not supported in this build");
13348 return 0;
13349 #else
13350 int i, mcount, rcount, fcount;
13351
13352 for (i = 0; i < 4; i++)
13353 test_export_key_mat(i);
13354 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
13355 test_printf_stdout("malloc %d realloc %d free %d\n",
13356 mcount, rcount, fcount);
13357 return 1;
13358 #endif
13359 }
13360
13361 cert = test_mk_file_path(certsdir, "servercert.pem");
13362 if (cert == NULL)
13363 goto err;
13364
13365 privkey = test_mk_file_path(certsdir, "serverkey.pem");
13366 if (privkey == NULL)
13367 goto err;
13368
13369 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
13370 if (cert2 == NULL)
13371 goto err;
13372
13373 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
13374 if (privkey2 == NULL)
13375 goto err;
13376
13377 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
13378 if (cert1024 == NULL)
13379 goto err;
13380
13381 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
13382 if (privkey1024 == NULL)
13383 goto err;
13384
13385 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
13386 if (cert3072 == NULL)
13387 goto err;
13388
13389 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
13390 if (privkey3072 == NULL)
13391 goto err;
13392
13393 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
13394 if (cert4096 == NULL)
13395 goto err;
13396
13397 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
13398 if (privkey4096 == NULL)
13399 goto err;
13400
13401 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
13402 if (cert8192 == NULL)
13403 goto err;
13404
13405 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
13406 if (privkey8192 == NULL)
13407 goto err;
13408
13409 if (fips_ems_check) {
13410 #ifndef OPENSSL_NO_TLS1_2
13411 ADD_TEST(test_no_ems);
13412 #endif
13413 return 1;
13414 }
13415 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
13416 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
13417 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
13418 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
13419 # endif
13420 #endif
13421 ADD_TEST(test_large_message_tls);
13422 ADD_TEST(test_large_message_tls_read_ahead);
13423 #ifndef OPENSSL_NO_DTLS
13424 ADD_TEST(test_large_message_dtls);
13425 #endif
13426 ADD_ALL_TESTS(test_large_app_data, 28);
13427 ADD_TEST(test_cleanse_plaintext);
13428 #ifndef OPENSSL_NO_OCSP
13429 ADD_TEST(test_tlsext_status_type);
13430 #endif
13431 ADD_TEST(test_session_with_only_int_cache);
13432 ADD_TEST(test_session_with_only_ext_cache);
13433 ADD_TEST(test_session_with_both_cache);
13434 ADD_TEST(test_session_wo_ca_names);
13435 #ifndef OSSL_NO_USABLE_TLS1_3
13436 ADD_ALL_TESTS(test_stateful_tickets, 3);
13437 ADD_ALL_TESTS(test_stateless_tickets, 3);
13438 ADD_TEST(test_psk_tickets);
13439 ADD_ALL_TESTS(test_extra_tickets, 6);
13440 #endif
13441 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
13442 ADD_TEST(test_ssl_bio_pop_next_bio);
13443 ADD_TEST(test_ssl_bio_pop_ssl_bio);
13444 ADD_TEST(test_ssl_bio_change_rbio);
13445 ADD_TEST(test_ssl_bio_change_wbio);
13446 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
13447 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
13448 ADD_TEST(test_keylog);
13449 #endif
13450 #ifndef OSSL_NO_USABLE_TLS1_3
13451 ADD_TEST(test_keylog_no_master_key);
13452 #endif
13453 ADD_TEST(test_client_cert_verify_cb);
13454 ADD_TEST(test_ssl_build_cert_chain);
13455 ADD_TEST(test_ssl_ctx_build_cert_chain);
13456 #ifndef OPENSSL_NO_TLS1_2
13457 ADD_TEST(test_client_hello_cb);
13458 ADD_TEST(test_no_ems);
13459 ADD_TEST(test_ccs_change_cipher);
13460 #endif
13461 #ifndef OSSL_NO_USABLE_TLS1_3
13462 ADD_ALL_TESTS(test_early_data_read_write, 6);
13463 /*
13464 * We don't do replay tests for external PSK. Replay protection isn't used
13465 * in that scenario.
13466 */
13467 ADD_ALL_TESTS(test_early_data_replay, 2);
13468 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
13469 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
13470 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
13471 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
13472 ADD_ALL_TESTS(test_early_data_not_sent, 3);
13473 ADD_ALL_TESTS(test_early_data_psk, 8);
13474 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
13475 ADD_ALL_TESTS(test_early_data_not_expected, 3);
13476 # ifndef OPENSSL_NO_TLS1_2
13477 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
13478 # endif
13479 #endif
13480 #ifndef OSSL_NO_USABLE_TLS1_3
13481 ADD_ALL_TESTS(test_set_ciphersuite, 10);
13482 ADD_TEST(test_ciphersuite_change);
13483 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
13484 # ifdef OPENSSL_NO_PSK
13485 ADD_ALL_TESTS(test_tls13_psk, 1);
13486 # else
13487 ADD_ALL_TESTS(test_tls13_psk, 4);
13488 # endif /* OPENSSL_NO_PSK */
13489 #ifndef OSSL_NO_USABLE_TLS1_3
13490 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
13491 #endif /* OSSL_NO_USABLE_TLS1_3 */
13492 # ifndef OPENSSL_NO_TLS1_2
13493 /* Test with both TLSv1.3 and 1.2 versions */
13494 ADD_ALL_TESTS(test_key_exchange, 21);
13495 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
13496 ADD_ALL_TESTS(test_negotiated_group,
13497 4 * (OSSL_NELEM(ecdhe_kexch_groups)
13498 + OSSL_NELEM(ffdhe_kexch_groups)));
13499 # endif
13500 # else
13501 /* Test with only TLSv1.3 versions */
13502 ADD_ALL_TESTS(test_key_exchange, 18);
13503 # endif
13504 ADD_ALL_TESTS(test_custom_exts, 6);
13505 ADD_TEST(test_stateless);
13506 ADD_TEST(test_pha_key_update);
13507 #else
13508 ADD_ALL_TESTS(test_custom_exts, 3);
13509 #endif
13510 ADD_ALL_TESTS(test_export_key_mat, 6);
13511 #ifndef OSSL_NO_USABLE_TLS1_3
13512 ADD_ALL_TESTS(test_export_key_mat_early, 3);
13513 ADD_TEST(test_key_update);
13514 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
13515 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
13516 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
13517 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
13518 #endif
13519 ADD_ALL_TESTS(test_ssl_clear, 8);
13520 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
13521 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
13522 ADD_ALL_TESTS(test_srp, 6);
13523 #endif
13524 #if !defined(OPENSSL_NO_COMP_ALG)
13525 /* Add compression case */
13526 ADD_ALL_TESTS(test_info_callback, 8);
13527 #else
13528 ADD_ALL_TESTS(test_info_callback, 6);
13529 #endif
13530 ADD_ALL_TESTS(test_ssl_pending, 2);
13531 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
13532 ADD_ALL_TESTS(test_ticket_callbacks, 20);
13533 ADD_ALL_TESTS(test_shutdown, 7);
13534 ADD_TEST(test_async_shutdown);
13535 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
13536 ADD_ALL_TESTS(test_cert_cb, 6);
13537 ADD_ALL_TESTS(test_client_cert_cb, 2);
13538 ADD_ALL_TESTS(test_ca_names, 3);
13539 #ifndef OPENSSL_NO_TLS1_2
13540 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
13541 #endif
13542 ADD_ALL_TESTS(test_servername, 10);
13543 ADD_TEST(test_unknown_sigalgs_groups);
13544 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
13545 ADD_TEST(test_configuration_of_groups);
13546 #endif
13547 #if !defined(OPENSSL_NO_EC) \
13548 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
13549 ADD_ALL_TESTS(test_sigalgs_available, 6);
13550 #endif
13551 #ifndef OPENSSL_NO_TLS1_3
13552 ADD_ALL_TESTS(test_pluggable_group, 2);
13553 ADD_ALL_TESTS(test_pluggable_signature, 6);
13554 #endif
13555 #ifndef OPENSSL_NO_TLS1_2
13556 ADD_TEST(test_ssl_dup);
13557 ADD_TEST(test_session_secret_cb);
13558 # ifndef OPENSSL_NO_DH
13559 ADD_ALL_TESTS(test_set_tmp_dh, 11);
13560 ADD_ALL_TESTS(test_dh_auto, 7);
13561 # endif
13562 #endif
13563 #ifndef OSSL_NO_USABLE_TLS1_3
13564 ADD_TEST(test_sni_tls13);
13565 ADD_ALL_TESTS(test_ticket_lifetime, 2);
13566 #endif
13567 ADD_TEST(test_inherit_verify_param);
13568 ADD_TEST(test_set_alpn);
13569 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
13570 ADD_TEST(test_set_verify_cert_store_ssl);
13571 ADD_ALL_TESTS(test_session_timeout, 1);
13572 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
13573 ADD_ALL_TESTS(test_session_cache_overflow, 4);
13574 #endif
13575 ADD_TEST(test_load_dhfile);
13576 #ifndef OSSL_NO_USABLE_TLS1_3
13577 ADD_TEST(test_read_ahead_key_change);
13578 ADD_ALL_TESTS(test_tls13_record_padding, 6);
13579 #endif
13580 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
13581 ADD_ALL_TESTS(test_serverinfo_custom, 4);
13582 #endif
13583 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
13584 ADD_ALL_TESTS(test_pipelining, 7);
13585 #endif
13586 ADD_ALL_TESTS(test_version, 6);
13587 ADD_TEST(test_rstate_string);
13588 ADD_ALL_TESTS(test_handshake_retry, 16);
13589 ADD_TEST(test_data_retry);
13590 ADD_ALL_TESTS(test_multi_resume, 5);
13591 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
13592 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
13593 ADD_ALL_TESTS(test_npn, 5);
13594 #endif
13595 ADD_ALL_TESTS(test_alpn, 4);
13596 #if !defined(OSSL_NO_USABLE_TLS1_3)
13597 ADD_ALL_TESTS(test_quic_tls, 6);
13598 ADD_TEST(test_quic_tls_early_data);
13599 #endif
13600 ADD_ALL_TESTS(test_no_renegotiation, 2);
13601 return 1;
13602
13603 err:
13604 OPENSSL_free(cert);
13605 OPENSSL_free(privkey);
13606 OPENSSL_free(cert2);
13607 OPENSSL_free(privkey2);
13608 return 0;
13609 }
13610
cleanup_tests(void)13611 void cleanup_tests(void)
13612 {
13613 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
13614 EVP_PKEY_free(tmp_dh_params);
13615 #endif
13616 OPENSSL_free(cert);
13617 OPENSSL_free(privkey);
13618 OPENSSL_free(cert2);
13619 OPENSSL_free(privkey2);
13620 OPENSSL_free(cert1024);
13621 OPENSSL_free(privkey1024);
13622 OPENSSL_free(cert3072);
13623 OPENSSL_free(privkey3072);
13624 OPENSSL_free(cert4096);
13625 OPENSSL_free(privkey4096);
13626 OPENSSL_free(cert8192);
13627 OPENSSL_free(privkey8192);
13628 bio_s_mempacket_test_free();
13629 bio_s_always_retry_free();
13630 bio_s_maybe_retry_free();
13631 OSSL_PROVIDER_unload(defctxnull);
13632 OSSL_LIB_CTX_free(libctx);
13633 }
13634