1 /*
2 * Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 #define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "internal/ssl_unwrap.h"
45 #include "../ssl/ssl_local.h"
46 #include "../ssl/record/methods/recmethod_local.h"
47 #include "filterprov.h"
48
49 #undef OSSL_NO_USABLE_TLS1_3
50 #if defined(OPENSSL_NO_TLS1_3) \
51 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 /*
53 * If we don't have ec or dh then there are no built-in groups that are usable
54 * with TLSv1.3
55 */
56 #define OSSL_NO_USABLE_TLS1_3
57 #endif
58
/*
 * Defined in tls-provider.c. The parameter list has the shape of a provider
 * init entry point: the core handle, the dispatch table coming in from the
 * core, the dispatch table handed back, and the provider context.
 */
int tls_provider_init(const OSSL_CORE_HANDLE *handle,
                      const OSSL_DISPATCH *in,
                      const OSSL_DISPATCH **out,
                      void **provctx);
64
/*
 * Library context the tests below pass to create_ssl_ctx_pair(),
 * SSL_CTX_new_ex() and load_cert_pem().
 */
static OSSL_LIB_CTX *libctx = NULL;
/*
 * NOTE(review): not referenced in this part of the file; presumably a
 * provider handle loaded during setup - confirm.
 */
static OSSL_PROVIDER *defctxnull = NULL;
67
68 #ifndef OSSL_NO_USABLE_TLS1_3
69
/*
 * State shared with the PSK session callbacks declared below. The code that
 * assigns and reads these variables is outside this part of the file.
 */
static SSL_SESSION *clientpsk = NULL;
static SSL_SESSION *serverpsk = NULL;
static const char *pskid = "Identity";
static const char *srvid;

static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
                          size_t *idlen, SSL_SESSION **sess);
static int find_session_cb(SSL *ssl, const unsigned char *identity,
                           size_t identity_len, SSL_SESSION **sess);

/* NOTE(review): presumably invocation counters for the two callbacks - confirm */
static int use_session_cb_cnt = 0;
static int find_session_cb_cnt = 0;
static int end_of_early_data = 0;
83 #endif
84
/* Directory the tests pass to test_mk_file_path() to locate fixture files */
static char *certsdir = NULL;
/* Certificate and private key the tests pass to create_ssl_ctx_pair() */
static char *cert = NULL;
static char *privkey = NULL;
/*
 * Further fixture paths. Their assignments and users are outside this part of
 * the file.
 */
static char *cert2 = NULL;
static char *privkey2 = NULL;
static char *cert1024 = NULL;
static char *privkey1024 = NULL;
static char *cert3072 = NULL;
static char *privkey3072 = NULL;
static char *cert4096 = NULL;
static char *privkey4096 = NULL;
static char *cert8192 = NULL;
static char *privkey8192 = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
static char *dhfile = NULL;
static char *datadir = NULL;

/* NOTE(review): not read in this part of the file; set elsewhere - confirm */
static int is_fips = 0;
/*
 * When non-zero, test_no_ems() expects a handshake without Extended Master
 * Secret to fail instead of succeeding.
 */
static int fips_ems_check = 0;
105
/*
 * In-memory key log sinks filled by server_keylog_callback() and
 * client_keylog_callback(). Each array is one byte larger than
 * LOG_BUFFER_SIZE. The *_index variables track how many bytes have been
 * appended. The lines stored here contain TLS secrets, so this is test-only
 * state that each keylog test clears with memset() before use.
 */
#define LOG_BUFFER_SIZE 2048
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
static size_t server_log_buffer_index = 0;
static char client_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
static size_t client_log_buffer_index = 0;
/* Set to 1 by either callback when a line did not fit in its buffer */
static int error_writing_log = 0;
112
113 #ifndef OPENSSL_NO_OCSP
/*
 * OCSP test state; the callbacks that use it are outside this part of the
 * file. The "response" is a placeholder string, not a DER-encoded OCSP
 * response.
 */
static const unsigned char orespder[] = "Dummy OCSP Response";
static int ocsp_server_called = 0;
static int ocsp_client_called = 0;

static int cdummyarg = 1;
static X509 *ocspcert = NULL;
120 #endif
121
122 #define CLIENT_VERSION_LEN 2
123
124 /* The ssltrace test assumes some options are switched on/off */
125 #if !defined(OPENSSL_NO_SSL_TRACE) \
126 && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \
127 && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) \
128 && !defined(OPENSSL_NO_ML_DSA) && !defined(OPENSSL_NO_ML_KEM) \
129 && !defined(OPENSSL_NO_TLS1_3)
130 #define DO_SSL_TRACE_TEST
131 #endif
132
133 /*
134 * This structure is used to validate that the correct number of log messages
135 * of various types are emitted when emitting secret logs.
136 */
struct sslapitest_log_counts {
    /* "RSA" lines (RSA key exchange pre-master secret) */
    unsigned int rsa_key_exchange_count;
    /* "CLIENT_RANDOM" lines (master secret) */
    unsigned int master_secret_count;
    /* "CLIENT_EARLY_TRAFFIC_SECRET" lines */
    unsigned int client_early_secret_count;
    /* "CLIENT_HANDSHAKE_TRAFFIC_SECRET" lines */
    unsigned int client_handshake_secret_count;
    /* "SERVER_HANDSHAKE_TRAFFIC_SECRET" lines */
    unsigned int server_handshake_secret_count;
    /* "CLIENT_TRAFFIC_SECRET_0" lines */
    unsigned int client_application_secret_count;
    /* "SERVER_TRAFFIC_SECRET_0" lines */
    unsigned int server_application_secret_count;
    /* "EARLY_EXPORTER_SECRET" lines */
    unsigned int early_exporter_secret_count;
    /* "EXPORTER_SECRET" lines */
    unsigned int exporter_secret_count;
};
148
/*
 * Callback that inspects the host name requested by the peer. It accepts
 * only the two names the tests treat as valid.
 *
 * Returns SSL_TLSEXT_ERR_OK for "goodhost" and "altgoodhost", and
 * SSL_TLSEXT_ERR_NOACK for any other name or when no host name is available.
 * |al| and |arg| are not used.
 */
static int hostname_cb(SSL *s, int *al, void *arg)
{
    const char *requested = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);

    /* No name at all: nothing to acknowledge */
    if (requested == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    if (strcmp(requested, "goodhost") != 0
        && strcmp(requested, "altgoodhost") != 0)
        return SSL_TLSEXT_ERR_NOACK;

    return SSL_TLSEXT_ERR_OK;
}
158
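/*
 * Key log callback for the client side: appends |line| followed by '\n' to
 * client_log_buffer and advances client_log_buffer_index.
 *
 * Key log lines carry TLS secrets, so the buffer is test-only state. If the
 * line, its newline and the terminating NUL do not all fit, nothing is
 * written and error_writing_log is set so the calling test fails. |ssl| is
 * not used.
 */
static void client_keylog_callback(const SSL *ssl, const char *line)
{
    size_t line_length = strlen(line);
    /* The last byte of the array is reserved for the NUL terminator */
    size_t capacity = sizeof(client_log_buffer) - 1;

    /*
     * If the log doesn't fit, error out. The newline is counted as well:
     * without it a line that exactly filled the buffer had its terminator
     * overwritten by '\n', leaving the buffer unterminated for the strtok()
     * parse in test_keylog_output().
     */
    if (client_log_buffer_index > capacity
        || line_length >= capacity - client_log_buffer_index) {
        TEST_info("Client log too full");
        error_writing_log = 1;
        return;
    }

    /* Write at the tracked index instead of re-scanning for the end */
    memcpy(client_log_buffer + client_log_buffer_index, line, line_length);
    client_log_buffer_index += line_length;
    client_log_buffer[client_log_buffer_index++] = '\n';
    client_log_buffer[client_log_buffer_index] = '\0';
}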
174
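/*
 * Key log callback for the server side: appends |line| followed by '\n' to
 * server_log_buffer and advances server_log_buffer_index.
 *
 * Key log lines carry TLS secrets, so the buffer is test-only state. If the
 * line, its newline and the terminating NUL do not all fit, nothing is
 * written and error_writing_log is set so the calling test fails. |ssl| is
 * not used.
 */
static void server_keylog_callback(const SSL *ssl, const char *line)
{
    size_t line_length = strlen(line);
    /* The last byte of the array is reserved for the NUL terminator */
    size_t capacity = sizeof(server_log_buffer) - 1;

    /*
     * If the log doesn't fit, error out. The newline is counted as well:
     * without it a line that exactly filled the buffer had its terminator
     * overwritten by '\n', leaving the buffer unterminated for the strtok()
     * parse in test_keylog_output().
     */
    if (server_log_buffer_index > capacity
        || line_length >= capacity - server_log_buffer_index) {
        TEST_info("Server log too full");
        error_writing_log = 1;
        return;
    }

    /* Write at the tracked index instead of re-scanning for the end */
    memcpy(server_log_buffer + server_log_buffer_index, line, line_length);
    server_log_buffer_index += line_length;
    server_log_buffer[server_log_buffer_index++] = '\n';
    server_log_buffer[server_log_buffer_index] = '\0';
}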
190
/*
 * Check that the |hex_length| characters at |hex_encoded| are the lower-case
 * hex encoding of the |raw_length| bytes at |raw|.
 *
 * The return convention is inverted relative to the TEST_* helpers: 0 means
 * the buffers match, 1 means a length or content mismatch. Callers therefore
 * wrap the call in TEST_false().
 */
static int compare_hex_encoded_buffer(const char *hex_encoded,
                                      size_t hex_length,
                                      const uint8_t *raw,
                                      size_t raw_length)
{
    size_t i = 0;
    size_t j = 0;
    char hexed[3];

    /* Two hex characters per raw byte, otherwise it cannot match */
    if (!TEST_size_t_eq(raw_length * 2, hex_length))
        return 1;

    while (i < raw_length && j + 1 < hex_length) {
        /* Encode one byte and compare both of its hex digits */
        BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]);
        if (!TEST_int_eq(hexed[0], hex_encoded[j]))
            return 1;
        if (!TEST_int_eq(hexed[1], hex_encoded[j + 1]))
            return 1;

        i++;
        j += 2;
    }

    return 0;
}
211
/*
 * Parse a captured key log and check it against the live connection.
 *
 * |buffer| is split in place with strtok() on spaces and newlines, so it is
 * modified by this call and cannot be parsed a second time. For each line
 * the label selects the checks: the client random is compared with the one
 * held by |ssl|, and for "CLIENT_RANDOM" lines the secret is compared with
 * the master key of |session|. Finally the number of lines seen per label
 * must equal the counts in |expected|.
 *
 * Returns 1 when everything matched, 0 otherwise.
 */
static int test_keylog_output(char *buffer, const SSL *ssl,
                              const SSL_SESSION *session,
                              struct sslapitest_log_counts *expected)
{
    char *token = NULL;
    unsigned char actual_client_random[SSL3_RANDOM_SIZE] = { 0 };
    size_t client_random_size = SSL3_RANDOM_SIZE;
    unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = { 0 };
    size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
    unsigned int rsa_key_exchange_count = 0;
    unsigned int master_secret_count = 0;
    unsigned int client_early_secret_count = 0;
    unsigned int client_handshake_secret_count = 0;
    unsigned int server_handshake_secret_count = 0;
    unsigned int client_application_secret_count = 0;
    unsigned int server_application_secret_count = 0;
    unsigned int early_exporter_secret_count = 0;
    unsigned int exporter_secret_count = 0;

    /* Each iteration starts on a label; the branches consume its operands */
    for (token = strtok(buffer, " \n"); token != NULL;
         token = strtok(NULL, " \n")) {
        if (strcmp(token, "RSA") == 0) {
            /*
             * Premaster secret. Tokens should be: 16 ASCII bytes of
             * hex-encoded encrypted secret, then the hex-encoded pre-master
             * secret.
             */
            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
            if (!TEST_size_t_eq(strlen(token), 16))
                return 0;
            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
            /*
             * We can't sensibly check the log because the premaster secret is
             * transient, and OpenSSL doesn't keep hold of it once the master
             * secret is generated.
             */
            rsa_key_exchange_count++;
        } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
            /*
             * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
             * client random, then the hex-encoded master secret.
             */
            client_random_size = SSL_get_client_random(ssl,
                                                       actual_client_random,
                                                       SSL3_RANDOM_SIZE);
            if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
                return 0;

            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
            if (!TEST_size_t_eq(strlen(token), 64))
                return 0;
            if (!TEST_false(compare_hex_encoded_buffer(token, 64,
                                                       actual_client_random,
                                                       client_random_size)))
                return 0;

            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
            /*
             * master_key_size is both the output capacity and the receiver
             * of the returned length, so a later CLIENT_RANDOM line would be
             * read with the previous key's length as its capacity.
             */
            master_key_size = SSL_SESSION_get_master_key(session,
                                                         actual_master_key,
                                                         master_key_size);
            if (!TEST_size_t_ne(master_key_size, 0))
                return 0;
            if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
                                                       actual_master_key,
                                                       master_key_size)))
                return 0;
            master_secret_count++;
        } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
                   || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
                   || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
                   || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
                   || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
                   || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
                   || strcmp(token, "EXPORTER_SECRET") == 0) {
            /*
             * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
             * client random, and then the hex-encoded secret. In this case,
             * we treat all of these secrets identically and then just
             * distinguish between them when counting what we saw.
             */
            if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
                client_early_secret_count++;
            else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
                client_handshake_secret_count++;
            else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
                server_handshake_secret_count++;
            else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
                client_application_secret_count++;
            else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
                server_application_secret_count++;
            else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
                early_exporter_secret_count++;
            else if (strcmp(token, "EXPORTER_SECRET") == 0)
                exporter_secret_count++;

            client_random_size = SSL_get_client_random(ssl,
                                                       actual_client_random,
                                                       SSL3_RANDOM_SIZE);
            if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
                return 0;

            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
            if (!TEST_size_t_eq(strlen(token), 64))
                return 0;
            if (!TEST_false(compare_hex_encoded_buffer(token, 64,
                                                       actual_client_random,
                                                       client_random_size)))
                return 0;

            /*
             * The secret itself is only required to be present; its value is
             * not compared against anything.
             */
            if (!TEST_ptr(token = strtok(NULL, " \n")))
                return 0;
        } else {
            TEST_info("Unexpected token %s\n", token);
            return 0;
        }
    }

    /*
     * Got what we expected?
     * NOTE(review): the counters are unsigned int but are compared with the
     * size_t helper; an unsigned int comparison would match their type.
     */
    if (!TEST_size_t_eq(rsa_key_exchange_count,
                        expected->rsa_key_exchange_count)
        || !TEST_size_t_eq(master_secret_count,
                           expected->master_secret_count)
        || !TEST_size_t_eq(client_early_secret_count,
                           expected->client_early_secret_count)
        || !TEST_size_t_eq(client_handshake_secret_count,
                           expected->client_handshake_secret_count)
        || !TEST_size_t_eq(server_handshake_secret_count,
                           expected->server_handshake_secret_count)
        || !TEST_size_t_eq(client_application_secret_count,
                           expected->client_application_secret_count)
        || !TEST_size_t_eq(server_application_secret_count,
                           expected->server_application_secret_count)
        || !TEST_size_t_eq(early_exporter_secret_count,
                           expected->early_exporter_secret_count)
        || !TEST_size_t_eq(exporter_secret_count,
                           expected->exporter_secret_count))
        return 0;
    return 1;
}
356
357 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
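/*
 * Check the key log callbacks on a handshake that uses RSA key exchange with
 * TLSv1.3 disabled.
 *
 * Both contexts must start with no key log callback, report the callback once
 * it is installed, and after a handshake each log must parse cleanly: one
 * master secret on both sides, plus one RSA key exchange line on the client.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_keylog(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    struct sslapitest_log_counts expected;

    /* Clean up logging space */
    memset(&expected, 0, sizeof(expected));
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;
    error_writing_log = 0;

    /* Leave through the common cleanup, like the other tests in this file */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
    SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
    SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);

    /* We also want to ensure that we use RSA-based key exchange. */
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
        goto end;

    /* No callback by default; the getter must reflect each setter call */
    if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
        || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
        goto end;
    SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
                   == client_keylog_callback))
        goto end;
    SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
                   == server_keylog_callback))
        goto end;

    /*
     * Now do a handshake and check that the logs have been written to. The
     * indices are size_t, so they are compared with the size_t helper.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_false(error_writing_log)
        || !TEST_size_t_gt(client_log_buffer_index, 0)
        || !TEST_size_t_gt(server_log_buffer_index, 0))
        goto end;

    /*
     * Now we want to test that our output data was vaguely sensible. We
     * do that by using strtok and confirming that we have more or less the
     * data we expect. For both client and server, we expect to see one master
     * secret. The client should also see an RSA key exchange.
     */
    expected.rsa_key_exchange_count = 1;
    expected.master_secret_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
                                      SSL_get_session(clientssl), &expected)))
        goto end;

    expected.rsa_key_exchange_count = 0;
    if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
                                      SSL_get_session(serverssl), &expected)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}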
436 #endif
437
438 #ifndef OSSL_NO_USABLE_TLS1_3
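/*
 * Check the key log callbacks on a handshake that is expected to emit the
 * TLSv1.3 secret labels and no CLIENT_RANDOM line.
 *
 * The first handshake must log the handshake, application and exporter
 * secrets on both sides. The session is then resumed with zero-length early
 * data, after which the early traffic and early exporter secrets must be
 * logged as well.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_keylog_no_master_key(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    int testresult = 0;
    struct sslapitest_log_counts expected;
    unsigned char buf[1];
    size_t readbytes, written;

    /* Clean up logging space */
    memset(&expected, 0, sizeof(expected));
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;
    error_writing_log = 0;

    /*
     * Go through the common cleanup on failure: if the contexts were created
     * but setting the early data limit failed, a plain return leaked them.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_max_early_data(sctx,
                                                 SSL3_RT_MAX_PLAIN_LENGTH)))
        goto end;

    /* No callback by default; the getter must reflect each setter call */
    if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
        || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
        goto end;

    SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
                   == client_keylog_callback))
        goto end;

    SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
                   == server_keylog_callback))
        goto end;

    /* Now do a handshake and check that the logs have been written to. */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_false(error_writing_log))
        goto end;

    /*
     * Now we want to test that our output data was vaguely sensible. For this
     * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
     * TLSv1.3, but we do expect both client and server to emit keys.
     */
    expected.client_handshake_secret_count = 1;
    expected.server_handshake_secret_count = 1;
    expected.client_application_secret_count = 1;
    expected.server_application_secret_count = 1;
    expected.exporter_secret_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
                                      SSL_get_session(clientssl), &expected))
        || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
                                         SSL_get_session(serverssl),
                                         &expected)))
        goto end;

    /* Terminate old session and resume with early data. */
    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Cleared so the frees at end: do not release them a second time */
    serverssl = clientssl = NULL;

    /* Reset key log */
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess))
        /* Here writing 0 length early data is enough. */
        || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                            &readbytes),
                        SSL_READ_EARLY_DATA_ERROR)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_ACCEPTED)
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* In addition to the previous entries, expect early secrets. */
    expected.client_early_secret_count = 1;
    expected.early_exporter_secret_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
                                      SSL_get_session(clientssl), &expected))
        || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
                                         SSL_get_session(serverssl),
                                         &expected)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}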
553 #endif
554
/*
 * Certificate verification callback that runs the normal X509_verify_cert()
 * check and turns one specific failure into a retry request.
 *
 * If verification fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY the
 * result of SSL_set_retry_verify() is returned so the handshake pauses
 * instead of failing. Every other outcome is returned unchanged. Returns 0
 * when the SSL object cannot be recovered from |ctx|. |arg| is not used.
 */
static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
{
    int res = X509_verify_cert(ctx);
    int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
    SSL *ssl = NULL;

    if (idx >= 0)
        ssl = X509_STORE_CTX_get_ex_data(ctx, idx);

    /* this should not happen but check anyway */
    if (ssl == NULL)
        return 0;

    /* Verification succeeded, or failed for a reason a retry cannot fix */
    if (res != 0)
        return res;
    if (X509_STORE_CTX_get_error(ctx)
        != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
        return res;

    /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
    return SSL_set_retry_verify(ssl);
}
572
/*
 * Check that a client verification callback can pause the handshake for a
 * missing issuer and resume it once the application has supplied the chain.
 *
 * The server sends only its leaf certificate while the client trusts only the
 * root, so the first connection attempt must stop with
 * SSL_ERROR_WANT_RETRY_VERIFY. The test then adds both intermediates to the
 * peer chain and the second attempt must succeed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_client_cert_verify_cb(void)
{
    /* server key, cert, chain, and root */
    char *skey = test_mk_file_path(certsdir, "leaf.key");
    char *leaf = test_mk_file_path(certsdir, "leaf.pem");
    char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
    char *int1 = test_mk_file_path(certsdir, "interCA.pem");
    char *root = test_mk_file_path(certsdir, "rootCA.pem");
    X509 *crt1 = NULL, *crt2 = NULL;
    STACK_OF(X509) *server_chain;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* No default certificate: the server credentials are loaded below */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;
    if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
        || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
                                                    SSL_FILETYPE_PEM),
                        1)
        || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
        goto end;
    /* The client trusts the root only; the intermediates are withheld */
    if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
        goto end;
    SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
    SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /* attempt SSL_connect() with incomplete server chain */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                          SSL_ERROR_WANT_RETRY_VERIFY)))
        goto end;

    /* application provides intermediate certs needed to verify server cert */
    if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
        || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
        || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
        goto end;
    /* add certs in reverse order to demonstrate real chain building */
    if (!TEST_true(sk_X509_push(server_chain, crt1)))
        goto end;
    /*
     * The stack now holds the pointer; clearing the local keeps the
     * X509_free() at end: from releasing it as well.
     */
    crt1 = NULL;
    if (!TEST_true(sk_X509_push(server_chain, crt2)))
        goto end;
    crt2 = NULL;

    /* continue SSL_connect(), must now succeed with completed server chain */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    X509_free(crt1);
    X509_free(crt2);
    if (clientssl != NULL) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl != NULL) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    OPENSSL_free(skey);
    OPENSSL_free(leaf);
    OPENSSL_free(int2);
    OPENSSL_free(int1);
    OPENSSL_free(root);

    return testresult;
}
652
/*
 * Check SSL_build_cert_chain() on an SSL object loaded with a full chain
 * file and its private key.
 *
 * The chain is built with SSL_BUILD_CHAIN_FLAG_NO_ROOT and
 * SSL_BUILD_CHAIN_FLAG_CHECK and the call must succeed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_build_cert_chain(void)
{
    int ret = 0;
    SSL_CTX *ssl_ctx = NULL;
    SSL *ssl = NULL;
    char *skey = test_mk_file_path(certsdir, "leaf.key");
    char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");

    /*
     * Every step must pass in order; the first failure short-circuits the
     * rest and leaves ret at 0.
     * leaf_chain contains leaf + subinterCA + interCA + rootCA
     */
    if (TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
        && TEST_ptr(ssl = SSL_new(ssl_ctx))
        && TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
        && TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
        && TEST_int_eq(SSL_check_private_key(ssl), 1)
        && TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
        ret = 1;

    SSL_free(ssl);
    SSL_CTX_free(ssl_ctx);
    OPENSSL_free(leaf_chain);
    OPENSSL_free(skey);
    return ret;
}
680
/*
 * Password callback that supplies the fixed test passphrase "testpass".
 *
 * The passphrase is a test fixture value, not a secret. The callback insists
 * that |size| equals PEM_BUFSIZE and returns -1 otherwise. On success the
 * passphrase is copied into |buf| without a terminating NUL and its length
 * is returned. |rw_flag| and |userdata| are not used.
 */
static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
{
    static const char pass[] = "testpass";
    /* Length of the passphrase without its terminating NUL */
    const size_t pass_len = sizeof(pass) - 1;

    if (!TEST_int_eq(size, PEM_BUFSIZE))
        return -1;

    memcpy(buf, pass, pass_len);
    return (int)pass_len;
}
691
/*
 * Check SSL_CTX_build_cert_chain() on a context loaded with a full chain
 * file and an encrypted private key.
 *
 * get_password_cb() is installed as the default password callback before the
 * key file is loaded. The chain is built with SSL_BUILD_CHAIN_FLAG_NO_ROOT
 * and SSL_BUILD_CHAIN_FLAG_CHECK and the call must succeed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_ctx_build_cert_chain(void)
{
    int ret = 0;
    SSL_CTX *ctx = NULL;
    char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
    char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");

    if (TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) {
        SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);

        /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
        if (TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
            && TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
                                                       SSL_FILETYPE_PEM),
                           1)
            && TEST_int_eq(SSL_CTX_check_private_key(ctx), 1)
            && TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
            ret = 1;
    }

    SSL_CTX_free(ctx);
    OPENSSL_free(leaf_chain);
    OPENSSL_free(skey);
    return ret;
}
718
719 #ifndef OPENSSL_NO_TLS1_2
/*
 * ClientHello callback that first defers processing and then checks the
 * ClientHello contents against fixed expectations.
 *
 * |arg| points to an int call counter. On the first call the counter is
 * incremented and SSL_CLIENT_HELLO_RETRY is returned. On later calls the
 * offered ciphers, the compression methods and the list of extensions
 * present must match the expected values exactly, otherwise
 * SSL_CLIENT_HELLO_ERROR is returned. |al| is not used.
 */
static int full_client_hello_callback(SSL *s, int *al, void *arg)
{
    int *ctr = arg;
    const unsigned char *p;
    int *exts;
    /* Cipher suite ids as sent on the wire, two bytes each */
#ifdef OPENSSL_NO_EC
    const unsigned char expected_ciphers[] = { 0x00, 0x9d };
#else
    const unsigned char expected_ciphers[] = { 0x00, 0x9d, 0xc0,
                                               0x2c };
#endif
    /* Extension type numbers, in the order they must appear */
    const int expected_extensions[] = {
        65281,
#ifndef OPENSSL_NO_EC
        11, 10,
#endif
        35, 22, 23, 13
    };
    size_t len;
    int first_call;
    int mismatch;

    /* Make sure we can defer processing and get called back. */
    first_call = (*ctr == 0);
    (*ctr)++;
    if (first_call)
        return SSL_CLIENT_HELLO_RETRY;

    len = SSL_client_hello_get0_ciphers(s, &p);
    if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)))
        return SSL_CLIENT_HELLO_ERROR;
    /* Exactly one compression method, and it must be the null method */
    if (!TEST_size_t_eq(SSL_client_hello_get0_compression_methods(s, &p), 1))
        return SSL_CLIENT_HELLO_ERROR;
    if (!TEST_int_eq(*p, 0))
        return SSL_CLIENT_HELLO_ERROR;

    if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
        return SSL_CLIENT_HELLO_ERROR;

    mismatch = len != OSSL_NELEM(expected_extensions)
        || memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0;
    if (mismatch)
        printf("ClientHello callback expected extensions mismatch\n");

    /* The extension list is released here on both outcomes */
    OPENSSL_free(exts);
    return mismatch ? SSL_CLIENT_HELLO_ERROR : SSL_CLIENT_HELLO_SUCCESS;
}
760
/*
 * Check that a ClientHello callback can suspend and later resume a handshake.
 *
 * full_client_hello_callback() is installed on the server with a counter. The
 * first connection attempt must stop with SSL_ERROR_WANT_CLIENT_HELLO_CB and
 * the second attempt must complete.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_client_hello_cb(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testctr = 0, testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);

    /* The restricted cipher list set below cannot negotiate TLS 1.3 */
    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
    /* Pin the security level in case the build changed the default */
    SSL_CTX_set_security_level(cctx, 2);

    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                           "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /* First attempt: the callback asks for a retry, so this must not finish */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                          SSL_ERROR_WANT_CLIENT_HELLO_CB)))
        goto end;
    /*
     * Passing a -1 literal is a hack since
     * the real value was lost.
     */
    if (!TEST_int_eq(SSL_get_error(serverssl, -1),
                     SSL_ERROR_WANT_CLIENT_HELLO_CB))
        goto end;

    /* Second attempt: the callback now validates the ClientHello */
    if (TEST_true(create_ssl_connection(serverssl, clientssl,
                                        SSL_ERROR_NONE)))
        testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
803
/*
 * Check a handshake where the server disables Extended Master Secret.
 *
 * With fips_ems_check set, the connection is expected to fail. Otherwise the
 * connection must succeed and neither side may report Extended Master Secret
 * support.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_no_ems(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, status;

    if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
                             TLS1_VERSION, TLS1_2_VERSION,
                             &sctx, &cctx, cert, privkey)) {
        printf("Unable to create SSL_CTX pair\n");
        goto end;
    }

    SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);

    if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
        printf("Unable to create SSL objects\n");
        goto end;
    }

    status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);

    if (fips_ems_check) {
        /* Under the EMS check only the handshake outcome is examined */
        if (status == 1) {
            printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
            goto end;
        }
        testresult = 1;
        goto end;
    }

    if (!status) {
        printf("Creating SSL connection failed\n");
        goto end;
    }
    if (SSL_get_extms_support(serverssl)) {
        printf("Server reports Extended Master Secret support\n");
        goto end;
    }
    if (SSL_get_extms_support(clientssl)) {
        printf("Client reports Extended Master Secret support\n");
        goto end;
    }
    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
854
/*
 * Very focused test to exercise a single case in the server-side state
 * machine, when the ChangeCipherSpec message needs to actually change
 * from one cipher to a different cipher (i.e., not changing from null
 * encryption to real encryption).
 *
 * Three connections are made on the same context pair: an initial handshake,
 * a resumption that must keep the original cipher, and a fresh handshake
 * followed by a renegotiation that must switch to a different cipher.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ccs_change_cipher(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL, *sesspre, *sesspost;
    int testresult = 0;
    int i;
    unsigned char buf;
    size_t readbytes;

    /*
     * Create a connection so we can resume it. The resumption offers a
     * different cipher first but is expected to keep the original one.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, TLS1_2_VERSION,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                         NULL, NULL))
        || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
        || !TEST_ptr(sess = SSL_get1_session(clientssl)))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    /* Cleared so the frees at end: do not touch the old objects again */
    serverssl = clientssl = NULL;

    /* Resume, preferring a different cipher. Our server will force the
     * same cipher to be used as the initial handshake. */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess))
        || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl))
        || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
        || !TEST_ptr_eq(sesspre, sesspost)
        || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
                        SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
        goto end;
    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    /*
     * Now create a fresh connection and try to renegotiate a different
     * cipher on it.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
        || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
        || !TEST_true(SSL_renegotiate(clientssl))
        || !TEST_true(SSL_renegotiate_pending(clientssl)))
        goto end;
    /*
     * Actually drive the renegotiation. Each side is read in turn for three
     * rounds; a read may either succeed with zero bytes or report
     * SSL_ERROR_WANT_READ, anything else fails the test.
     */
    for (i = 0; i < 3; i++) {
        if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
            if (!TEST_ulong_eq(readbytes, 0))
                goto end;
        } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
                                SSL_ERROR_WANT_READ)) {
            goto end;
        }
        if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
            if (!TEST_ulong_eq(readbytes, 0))
                goto end;
        } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
                                SSL_ERROR_WANT_READ)) {
            goto end;
        }
    }
    /* sesspre and sesspost should be different since the cipher changed. */
    if (!TEST_false(SSL_renegotiate_pending(clientssl))
        || !TEST_false(SSL_session_reused(clientssl))
        || !TEST_false(SSL_session_reused(serverssl))
        || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
        || !TEST_ptr_ne(sesspre, sesspost)
        || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
                        SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return testresult;
}
965 #endif
966
/*
 * Complete a handshake after ssl_ctx_add_large_cert_chain() has extended the
 * server context, then check that SSL_clear() on the server object succeeds.
 *
 * smeth/cmeth are the server and client methods, min_version/max_version are
 * passed straight to create_ssl_ctx_pair(), and a non-zero read_ahead enables
 * read-ahead on the client context before the connection is made.
 *
 * Returns 1 on success and 0 on failure.
 */
static int execute_test_large_message(const SSL_METHOD *smeth,
                                      const SSL_METHOD *cmeth,
                                      int min_version, int max_version,
                                      int read_ahead)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /*
         * Without DTLS 1.2 the default signature algorithms are SHA1 based,
         * and those are only permitted at security level 0. The lowered
         * level is confined to this test's own contexts.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    /* Optionally check that read_ahead copes with large records. */
    if (read_ahead)
        SSL_CTX_set_read_ahead(cctx, 1);

    if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /*
     * SSL_clear() is not needed before SSL_free(); it is called so that a
     * leak inside SSL_clear() would show up under a memory checker.
     */
    if (!TEST_true(SSL_clear(serverssl)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
1027
1028 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
/*
 * Probe for kernel TLS support by calling ktls_enable() on sock, which must
 * already be connected. Returns 1 if the call succeeds and 0 otherwise.
 */
static int ktls_chk_platform(int sock)
{
    return ktls_enable(sock) ? 1 : 0;
}
1036
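/*
 * Send a 16000 byte message from client to server and echo it back, then
 * check the payload and the record layer sequence numbers.
 *
 * The four sequence counters (client/server, read/write) are snapshotted
 * before and after the exchange. For a direction that is not offloaded the
 * OpenSSL counter must have changed; where kTLS is active the kernel keeps
 * the sequence number, so the OpenSSL copy must be unchanged.
 *
 * Returns 1 on success and 0 on failure.
 */
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
{
    /* Makes the first payload byte differ from one call to the next */
    static char count = 1;
    unsigned char cbuf[16000] = { 0 };
    unsigned char sbuf[16000];
    /*
     * SSL_read()/SSL_write() return int; keeping the result signed means a
     * negative return reaches SSL_get_error() unchanged instead of going
     * through an unsigned type first.
     */
    int ret;
    char crec_wseq_before[SEQ_NUM_SIZE];
    char crec_wseq_after[SEQ_NUM_SIZE];
    char crec_rseq_before[SEQ_NUM_SIZE];
    char crec_rseq_after[SEQ_NUM_SIZE];
    char srec_wseq_before[SEQ_NUM_SIZE];
    char srec_wseq_after[SEQ_NUM_SIZE];
    char srec_rseq_before[SEQ_NUM_SIZE];
    char srec_rseq_after[SEQ_NUM_SIZE];
    SSL_CONNECTION *clientsc, *serversc;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    cbuf[0] = count++;
    memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)),
                     (int)sizeof(cbuf)))
        goto end;

    /* Retry while the read would block; any other error fails the test */
    while ((ret = SSL_read(serverssl, sbuf, sizeof(sbuf)))
           != (int)sizeof(sbuf)) {
        if (SSL_get_error(serverssl, ret) != SSL_ERROR_WANT_READ)
            goto end;
    }

    if (!TEST_int_eq(SSL_write(serverssl, sbuf, sizeof(sbuf)),
                     (int)sizeof(sbuf)))
        goto end;

    while ((ret = SSL_read(clientssl, cbuf, sizeof(cbuf)))
           != (int)sizeof(cbuf)) {
        if (SSL_get_error(clientssl, ret) != SSL_ERROR_WANT_READ)
            goto end;
    }

    memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    /* verify the payload */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * If ktls is used then kernel sequences are used instead of
     * OpenSSL sequences
     */
    if (!BIO_get_ktls_send(clientsc->wbio)) {
        if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
                         crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
                         crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_send(serversc->wbio)) {
        if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
                         srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
                         srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    /*
     * NOTE(review): the receive state is queried through wbio, as the
     * callers leave it; presumably rbio and wbio are the same socket BIO in
     * these tests - confirm against create_ssl_objects2().
     */
    if (!BIO_get_ktls_recv(clientsc->wbio)) {
        if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
                         crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
                         crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_recv(serversc->wbio)) {
        if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
                         srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
                         srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    return 1;
end:
    return 0;
}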
1138
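/*
 * Run one kTLS scenario over a real socket pair.
 *
 * cis_ktls / sis_ktls say whether SSL_OP_ENABLE_KTLS is set on the client and
 * server objects, tls_version is used as both the minimum and maximum
 * protocol version, and cipher is installed with SSL_CTX_set_ciphersuites()
 * for TLS 1.3 or SSL_CTX_set_cipher_list() otherwise.
 *
 * The test is skipped when ktls_chk_platform() fails, when CHACHA is asked
 * for in FIPS mode, or when kTLS was requested but ended up active in no
 * direction. Otherwise it checks that kTLS is never active on a side that
 * did not ask for it, runs ping_pong_query(), and transfers a buffer larger
 * than one record.
 *
 * Returns 1 on success, 0 on failure, or the value of TEST_skip().
 */
static int execute_test_ktls(int cis_ktls, int sis_ktls,
                             int tls_version, const char *cipher)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ktls_used = 0, testresult = 0;
    int cfd = -1, sfd = -1;
    int rx_supported;
    SSL_CONNECTION *clientsc, *serversc;
    unsigned char *buf = NULL;
    const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
    int ret;
    size_t offset = 0, i;

    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Both contexts are pinned to the single protocol version under test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       tls_version, tls_version,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
                                       &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    if (cis_ktls) {
        if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (sis_ktls) {
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The running kernel may not support a given cipher suite
     * or direction, so just check that KTLS isn't used when it
     * isn't enabled.
     */
    if (!cis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(clientsc->wbio))
            ktls_used = 1;
    }

    if (!sis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(serversc->wbio))
            ktls_used = 1;
    }

#if defined(OPENSSL_NO_KTLS_RX)
    rx_supported = 0;
#else
    rx_supported = 1;
#endif
    /*
     * The receive direction is queried with BIO_get_ktls_recv() in both
     * arms. Asking for the send state on the read BIO would let an offload
     * that is active for receive only go unnoticed, and the case would be
     * skipped below instead of exercised.
     */
    if (!cis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(clientsc->rbio))
            ktls_used = 1;
    }

    if (!sis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(serversc->rbio))
            ktls_used = 1;
    }

    if ((cis_ktls || sis_ktls) && !ktls_used) {
        testresult = TEST_skip("KTLS not supported for %s cipher %s",
                               tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_true(ping_pong_query(clientssl, serverssl)))
        goto end;

    buf = OPENSSL_zalloc(bufsz);
    if (!TEST_ptr(buf))
        goto end;

    /*
     * Write some data that exceeds the maximum record length. KTLS may choose
     * to coalesce this data into a single buffer when we read it again.
     */
    while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
        if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* Now check that we can read all the data we wrote */
    do {
        ret = SSL_read(serverssl, buf + offset, bufsz - offset);
        if (ret <= 0) {
            if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
                goto end;
        } else {
            offset += ret;
        }
    } while (offset < bufsz);

    if (!TEST_true(offset == bufsz))
        goto end;
    /* The buffer was zero-filled before sending, so it must read back as zeros */
    for (i = 0; i < bufsz; i++)
        if (!TEST_true(buf[i] == 0))
            goto end;

    testresult = 1;
end:
    OPENSSL_free(buf);
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    serverssl = clientssl = NULL;
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}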
1306
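/* Total number of bytes pushed through SSL_sendfile() */
#define SENDFILE_SZ (16 * 4096)
/* Upper bound on the size of one SSL_sendfile() call */
#define SENDFILE_CHUNK (4 * 4096)
/* Evaluates its arguments more than once: pass side-effect free expressions */
#define min(a, b) ((a) > (b) ? (b) : (a))

/*
 * Send a file of random bytes from server to client with SSL_sendfile() over
 * a kTLS enabled socket and compare what the client reads with what was
 * written to the file.
 *
 * tls_version is used as both the minimum and maximum protocol version and
 * cipher is the only cipher offered. A non-zero zerocopy additionally sets
 * SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE on the server.
 *
 * The test is skipped when ktls_chk_platform() fails, when CHACHA is asked
 * for in FIPS mode, or when kTLS send is not active on the server after the
 * handshake.
 *
 * Returns 1 on success, 0 on failure, or the value of TEST_skip().
 */
static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
                                      int zerocopy)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    unsigned char *buf, *buf_dst;
    BIO *out = NULL, *in = NULL;
    int cfd = -1, sfd = -1, ffd = -1, err;
    ssize_t chunk_size = 0;
    off_t chunk_off = 0;
    int testresult = 0;
    FILE *ffdp = NULL;
    SSL_CONNECTION *serversc;

    buf = OPENSSL_zalloc(SENDFILE_SZ);
    buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
    if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
        || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(sfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Both contexts are pinned to the single protocol version under test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       tls_version, tls_version,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
                                       &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    if (zerocopy) {
        if (!TEST_true(SSL_set_options(serverssl,
                                       SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    if (!BIO_get_ktls_send(serversc->wbio)) {
        testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
                               tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
        goto end;

    out = BIO_new_file(tmpfilename, "wb");
    if (!TEST_ptr(out))
        goto end;

    /* A short write is reported, not just bailed out of silently */
    if (!TEST_int_eq(BIO_write(out, buf, SENDFILE_SZ), SENDFILE_SZ))
        goto end;

    BIO_free(out);
    out = NULL;

    /*
     * Stop here if the file cannot be reopened or yields no usable
     * descriptor; otherwise fileno() would be called on an unset FILE
     * pointer and SSL_sendfile() handed a meaningless descriptor.
     */
    in = BIO_new_file(tmpfilename, "rb");
    if (!TEST_ptr(in))
        goto end;
    BIO_get_fp(in, &ffdp);
    if (!TEST_ptr(ffdp))
        goto end;
    ffd = fileno(ffdp);
    if (!TEST_int_ge(ffd, 0))
        goto end;

    while (chunk_off < SENDFILE_SZ) {
        chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
        while ((err = SSL_sendfile(serverssl,
                                   ffd,
                                   chunk_off,
                                   chunk_size,
                                   0))
               != chunk_size) {
            if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
                goto end;
        }
        while ((err = SSL_read(clientssl,
                               buf_dst + chunk_off,
                               chunk_size))
               != chunk_size) {
            if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
                goto end;
        }

        /* verify the payload */
        if (!TEST_mem_eq(buf_dst + chunk_off,
                         chunk_size,
                         buf + chunk_off,
                         chunk_size))
            goto end;

        chunk_off += chunk_size;
    }

    testresult = 1;
end:
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    serverssl = clientssl = NULL;
    BIO_free(out);
    BIO_free(in);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    OPENSSL_free(buf);
    OPENSSL_free(buf_dst);
    return testresult;
}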
1453
1454 #ifndef OSSL_NO_USABLE_TLS1_3
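/*
 * Test kTLS with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: retry SSL_write() after
 * SSL_ERROR_WANT_WRITE using a different buffer pointer (same content) and
 * verify that the data arrives intact.
 *
 * The first buffer is overwritten and freed before the retry, so a retry
 * that still read from the original address would touch freed memory or
 * deliver the 0xDE fill rather than the expected pattern.
 *
 * Returns 1 on success, 0 on failure, or the value of TEST_skip() when the
 * kernel or the cipher does not give us kTLS on the sending side.
 */
static int test_ktls_moving_write_buffer(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    BIO *bio_retry = NULL, *bio_orig = NULL;
    int testresult = 0, cfd = -1, sfd = -1;
    unsigned char *buf_orig = NULL, *buf_retry = NULL;
    unsigned char outbuf[1024];
    const size_t bufsz = sizeof(outbuf);
    size_t written, readbytes, totread = 0, i;

    /* kTLS requires real sockets */
    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip if the kernel does not support kTLS */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx,
                                       TLS_server_method(), TLS_client_method(),
                                       TLS1_3_VERSION, TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx, "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
                                       &clientssl, sfd, cfd)))
        goto end;

    /* Enable kTLS on the writing side (client) */
    if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    SSL_set_mode(clientssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    SSL_set_mode(clientssl, SSL_MODE_ENABLE_PARTIAL_WRITE);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Get a reference to the original BIO to replace it later. */
    bio_orig = SSL_get_wbio(clientssl);
    if (!TEST_ptr(bio_orig) || !TEST_true(BIO_up_ref(bio_orig))) {
        /* No reference was taken, so the cleanup code must not drop one */
        bio_orig = NULL;
        goto end;
    }

    /* Skip if kTLS TX was not activated for this cipher */
    if (!BIO_get_ktls_send(bio_orig)) {
        testresult = TEST_skip("kTLS send not supported");
        goto end;
    }

    /* Swap write BIO to force WANT_WRITE */
    bio_retry = BIO_new(bio_s_always_retry());
    if (!TEST_ptr(bio_retry))
        goto end;

    SSL_set0_wbio(clientssl, bio_retry);
    bio_retry = NULL; /* ownership transferred to clientssl */

    /* Allocate two buffers with identical content but different addresses */
    buf_orig = OPENSSL_malloc(bufsz);
    buf_retry = OPENSSL_malloc(bufsz);
    if (!TEST_ptr(buf_orig) || !TEST_ptr(buf_retry))
        goto end;

    for (i = 0; i < bufsz; i++)
        buf_orig[i] = buf_retry[i] = (unsigned char)(i & 0xff);

    /* First write attempt - will fail with WANT_WRITE */
    if (!TEST_false(SSL_write_ex(clientssl, buf_orig, bufsz, &written))
        || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore the real socket BIO so the retry can actually send data */
    SSL_set0_wbio(clientssl, bio_orig);
    bio_orig = NULL; /* our extra reference now belongs to clientssl */

    /* Poison and free the original buffer */
    memset(buf_orig, 0xDE, bufsz);
    OPENSSL_free(buf_orig);
    buf_orig = NULL;

    /*
     * Retry with a different buffer pointer. Partial writes are enabled on
     * this connection, so also insist that the whole buffer was accepted;
     * the read loop below waits for bufsz bytes and would otherwise keep
     * spinning on WANT_READ.
     */
    if (!TEST_true(SSL_write_ex(clientssl, buf_retry, bufsz, &written))
        || !TEST_size_t_eq(written, bufsz))
        goto end;

    /* Read the data on the server side */
    totread = 0;
    while (totread < bufsz) {
        if (!SSL_read_ex(serverssl, outbuf + totread, bufsz - totread,
                         &readbytes)) {
            if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
                goto end;
        } else {
            totread += readbytes;
        }
    }

    /* Verify data integrity */
    if (!TEST_mem_eq(buf_retry, bufsz, outbuf, totread))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(buf_orig);
    OPENSSL_free(buf_retry);
    if (clientssl != NULL) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl != NULL) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free_all(bio_orig);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}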
1590 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
1591
/*
 * Protocol version / cipher pairs used by test_ktls() and
 * test_ktls_sendfile(). An entry is compiled in only when its protocol is
 * available in this build and the matching OPENSSL_KTLS_* macro is defined
 * (presumably by internal/ktls.h for the target platform - confirm there).
 */
static struct ktls_test_cipher {
    /* Protocol version handed to the execute_test_ktls*() helpers */
    int tls_version;
    /* Cipher name in the syntax that protocol version expects */
    const char *cipher;
} ktls_test_ciphers[] = {
#if !defined(OPENSSL_NO_TLS1_2)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_2_VERSION, "AES128-GCM-SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_2_VERSION, "AES128-CCM" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_2_VERSION, "AES256-GCM-SHA384" },
#endif
#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
/* The TLS 1.2 ChaCha20 suite listed here is ECDHE based, so it needs EC */
#ifndef OPENSSL_NO_EC
    { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305" },
#endif
#endif
#endif
#if !defined(OSSL_NO_USABLE_TLS1_3)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
#endif
#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
    { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
#endif
#endif
};

/* Number of entries the build configuration left in ktls_test_ciphers */
#define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1629
/*
 * Decode a test index and run execute_test_ktls() for it.
 *
 * test / 4 selects the entry of ktls_test_ciphers, bit 0 requests kTLS on
 * the client and bit 1 requests it on the server.
 */
static int test_ktls(int test)
{
    const int idx = test / 4;
    const int client_wants_ktls = (test & 1) != 0;
    const int server_wants_ktls = (test & 2) != 0;
    struct ktls_test_cipher *entry;

    /* Only the upper bound is checked; test is expected to be non-negative */
    OPENSSL_assert(idx < (int)NUM_KTLS_TEST_CIPHERS);
    entry = &ktls_test_ciphers[idx];

    return execute_test_ktls(client_wants_ktls, server_wants_ktls,
                             entry->tls_version, entry->cipher);
}
1644
/*
 * Decode a test index and run execute_test_ktls_sendfile() for it.
 *
 * test >> 1 selects the entry of ktls_test_ciphers and bit 0 is passed on as
 * the zerocopy flag.
 */
static int test_ktls_sendfile(int test)
{
    const int idx = test >> 1;
    const int zerocopy = test & 1;
    struct ktls_test_cipher *entry;

    /* Only the upper bound is checked; test is expected to be non-negative */
    OPENSSL_assert(idx < (int)NUM_KTLS_TEST_CIPHERS);
    entry = &ktls_test_ciphers[idx];

    return execute_test_ktls_sendfile(entry->tls_version, entry->cipher,
                                      zerocopy);
}
1656 #endif
1657
/*
 * Large message test over TLS: minimum version TLS1_VERSION, maximum version
 * passed as 0, read_ahead off.
 */
static int test_large_message_tls(void)
{
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    return execute_test_large_message(smeth, cmeth, TLS1_VERSION, 0, 0);
}
1663
/*
 * Large message test over TLS with read_ahead switched on: minimum version
 * TLS1_VERSION, maximum version passed as 0.
 */
static int test_large_message_tls_read_ahead(void)
{
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    return execute_test_large_message(smeth, cmeth, TLS1_VERSION, 0, 1);
}
1669
1670 #ifndef OPENSSL_NO_DTLS
/*
 * Large message test over DTLS: minimum version DTLS1_VERSION, maximum
 * version passed as 0. When DTLS 1.2 is compiled out and the FIPS provider
 * is in use, the test reports success without running.
 */
static int test_large_message_dtls(void)
{
    const SSL_METHOD *smeth, *cmeth;

#ifdef OPENSSL_NO_DTLS1_2
    /* Not supported in the FIPS provider */
    if (is_fips)
        return 1;
#endif
    smeth = DTLS_server_method();
    cmeth = DTLS_client_method();

    /*
     * read_ahead stays 0: DTLS always behaves as if read_ahead were set, so
     * there is nothing extra to exercise.
     */
    return execute_test_large_message(smeth, cmeth, DTLS1_VERSION, 0, 0);
}
1686 #endif
1687
/*
 * Check that the maximum amount of application data can be sent in one go.
 *
 * tst >> 2 picks the protocol version (0 = TLS 1.3 down to 4 = SSLv3, then
 * 5 = DTLS 1.2 and 6 = DTLS 1), bit 0 of tst sets
 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which affects the size of the
 * underlying buffer, and bit 1 sets SSL_OP_NO_ENCRYPT_THEN_MAC. TLSv1.3 does
 * not use EtM, so running both EtM settings for it is redundant but keeps
 * the test simple.
 *
 * Returns 1 on success, 0 on failure, or the value of TEST_skip() when the
 * selected protocol is not available.
 */
static int test_large_app_data(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, prot;
    unsigned char *msg, *buf = NULL;
    size_t written, readbytes;
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    /* Each case either fixes prot or, when compiled out, skips the test */
    switch (tst >> 2) {
    case 0:
#ifndef OSSL_NO_USABLE_TLS1_3
        prot = TLS1_3_VERSION;
        break;
#else
        return TEST_skip("TLS 1.3 not supported");
#endif

    case 1:
#ifndef OPENSSL_NO_TLS1_2
        prot = TLS1_2_VERSION;
        break;
#else
        return TEST_skip("TLS 1.2 not supported");
#endif

    case 2:
#ifndef OPENSSL_NO_TLS1_1
        prot = TLS1_1_VERSION;
        break;
#else
        return TEST_skip("TLS 1.1 not supported");
#endif

    case 3:
#ifndef OPENSSL_NO_TLS1
        prot = TLS1_VERSION;
        break;
#else
        return TEST_skip("TLS 1 not supported");
#endif

    case 4:
#ifndef OPENSSL_NO_SSL3
        prot = SSL3_VERSION;
        break;
#else
        return TEST_skip("SSL 3 not supported");
#endif

    case 5:
#ifndef OPENSSL_NO_DTLS1_2
        prot = DTLS1_2_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1.2 not supported");
#endif

    case 6:
#ifndef OPENSSL_NO_DTLS1
        if (is_fips)
            return TEST_skip("DTLS 1 not supported by FIPS provider");
        prot = DTLS1_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1 not supported");
#endif

    default:
        /* Shouldn't happen */
        return 0;
    }

    if (is_fips && prot < TLS1_2_VERSION)
        return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");

    /* The message to send: a maximum length plaintext, all zero bytes */
    msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
    if (!TEST_ptr(msg))
        goto end;

    /*
     * The receive buffer is one byte longer than the message and filled with
     * 0xff, so it cannot match the message before anything is read into it.
     */
    buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
    if (!TEST_ptr(buf))
        goto end;
    memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
    if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /* Setting this option gives us a minimally sized underlying buffer */
    if ((tst & 1) != 0) {
        if (!TEST_true(SSL_set_options(serverssl,
                                       SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
            goto end;
        if (!TEST_true(SSL_set_options(clientssl,
                                       SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
            goto end;
    }

    /*
     * Without EtM the MAC is added before encryption, giving us a larger
     * record for the encryption process
     */
    if ((tst & 2) != 0) {
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)))
            goto end;
        if (!TEST_true(SSL_set_options(clientssl,
                                       SSL_OP_NO_ENCRYPT_THEN_MAC)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
                                &written)))
        goto end;
    if (!TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
        goto end;

    /* We provide a buffer slightly larger than what we are actually expecting */
    if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
                               &readbytes)))
        goto end;

    /* Both the byte count and the content must match what was written */
    if (!TEST_mem_eq(msg, written, buf, readbytes))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(msg);
    OPENSSL_free(buf);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
1850
1851 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1852 || !defined(OPENSSL_NO_DTLS)
/*
 * Check that SSL_OP_CLEANSE_PLAINTEXT wipes decrypted application data from
 * the server's record buffer once the application has read it.
 *
 * The client sends a 16000 byte pattern. The server first peeks at it, which
 * leaves the plaintext in the record layer, then reads it; afterwards the
 * bytes at the remembered record location must all be zero.
 *
 * smeth/cmeth and min_version/max_version are passed to
 * create_ssl_ctx_pair(). Returns 1 on success and 0 on failure.
 */
static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
                                     const SSL_METHOD *cmeth,
                                     int min_version, int max_version)
{
    size_t i;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    const unsigned char *zbuf;
    SSL_CONNECTION *serversc;
    TLS_RECORD *rr;

    static unsigned char cbuf[16000];
    static unsigned char sbuf[16000];

    if (!TEST_true(create_ssl_ctx_pair(libctx,
                                       smeth, cmeth,
                                       min_version, max_version,
                                       &sctx, &cctx, cert,
                                       privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /* Not supported in the FIPS provider */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    /* The option under test is set on the server before the handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    for (i = 0; i < sizeof(cbuf); i++)
        cbuf[i] = i & 0xff;

    if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf))
        || !TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))
        || !TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * Since we called SSL_peek(), we know the data in the record
     * layer is a plaintext record. We can gather the pointer to check
     * for zeroization after SSL_read().
     */
    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;
    rr = serversc->rlayer.tlsrecs;

    /*
     * zbuf points into memory owned by the record layer and is read again
     * after SSL_read(); NOTE(review): this assumes the buffer is neither
     * released nor moved by that call - confirm against the record layer.
     */
    zbuf = &rr->data[rr->off];

    /* After SSL_peek() the plaintext must still be stored in the record. */
    if (!TEST_int_eq(rr->length, sizeof(cbuf))
        || !TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    memset(sbuf, 0, sizeof(sbuf));
    if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))
        || !TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
        goto end;

    /* Check if rbuf is cleansed: cbuf is reused as the all-zero reference */
    memset(cbuf, 0, sizeof(cbuf));
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
1958 #endif /* \
1959 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1960 * || !defined(OPENSSL_NO_DTLS) \
1961 */
1962
/*
 * Run execute_cleanse_plaintext() for each protocol family compiled into
 * this build: TLS 1.2, TLS 1.3 and DTLS (minimum DTLS1_VERSION, maximum
 * passed as 0). Stops at the first failure.
 *
 * Returns 1 if every enabled variant passed and 0 otherwise.
 */
static int test_cleanse_plaintext(void)
{
    int ok = 1;

#if !defined(OPENSSL_NO_TLS1_2)
    ok = ok && TEST_true(execute_cleanse_plaintext(TLS_server_method(),
                                                   TLS_client_method(),
                                                   TLS1_2_VERSION,
                                                   TLS1_2_VERSION));
#endif

#if !defined(OSSL_NO_USABLE_TLS1_3)
    ok = ok && TEST_true(execute_cleanse_plaintext(TLS_server_method(),
                                                   TLS_client_method(),
                                                   TLS1_3_VERSION,
                                                   TLS1_3_VERSION));
#endif

#if !defined(OPENSSL_NO_DTLS)
    ok = ok && TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
                                                   DTLS_client_method(),
                                                   DTLS1_VERSION,
                                                   0));
#endif

    return ok ? 1 : 0;
}
1992
1993 #ifndef OPENSSL_NO_OCSP
/*
 * Server side status request callback used by the OCSP stapling tests.
 *
 * arg points to an int selecting the scenario: 1 staples the canned response
 * unconditionally; 2 first requires that the client sent exactly one
 * OCSP_RESPID and that it matches ocspcert. Any other value is rejected.
 *
 * On success a copy of orespder is handed to the connection,
 * ocsp_server_called is set and SSL_TLSEXT_ERR_OK is returned; every failure
 * returns SSL_TLSEXT_ERR_ALERT_FATAL.
 */
static int ocsp_server_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    unsigned char *copy = NULL;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;

    switch (*argi) {
    case 1:
        break;

    case 2:
        /* In this test we are expecting exactly 1 OCSP_RESPID */
        SSL_get_tlsext_status_ids(s, &ids);
        if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
            return SSL_TLSEXT_ERR_ALERT_FATAL;

        id = sk_OCSP_RESPID_value(ids, 0);
        if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        break;

    default:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* The copy is only ours to free if the connection did not accept it */
    if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
                                                   sizeof(orespder)))) {
        OPENSSL_free(copy);
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ocsp_server_called = 1;
    return SSL_TLSEXT_ERR_OK;
}
2025
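/*
 * Client side status_request callback used by test_tlsext_status_type().
 *
 * arg points at an int; only the values 1 and 2 are accepted. The stapled
 * response received from the server must be byte-for-byte the canned
 * orespder blob, including its length: ocsp_server_cb() staples
 * sizeof(orespder) bytes, so a missing, empty or truncated response is
 * treated as a failure rather than compared over its own (shorter) length.
 *
 * Sets ocsp_client_called and returns 1 on success; returns 0 otherwise.
 */
static int ocsp_client_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    const unsigned char *respderin = NULL;
    long len;

    if (*argi != 1 && *argi != 2)
        return 0;

    /* A negative length means no response was received at all */
    len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
    if (!TEST_long_gt(len, 0)
        || !TEST_mem_eq(orespder, sizeof(orespder), respderin, (size_t)len))
        return 0;

    ocsp_client_called = 1;
    return 1;
}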
2042
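/*
 * Exercise the status_request (OCSP stapling) API.
 *
 * First the getters/setters for the status type are checked on an SSL_CTX
 * and on SSL objects created from it. Then three handshakes are driven
 * through ocsp_server_cb()/ocsp_client_cb(), selected by cdummyarg:
 *   - the value cdummyarg has on entry (presumably 1; it is initialised
 *     outside this function): both callbacks must have run;
 *   - 0: the server callback fails, so the handshake must fail and neither
 *     "called" flag may be set;
 *   - 2: the client sends one OCSP_RESPID built from the server certificate
 *     and the server callback must match it against ocspcert.
 *
 * Every check goes through a TEST_ macro so that a failure is reported with
 * its location instead of silently jumping to cleanup.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_tlsext_status_type(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;
    BIO *certbio = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    /* A fresh context reports -1, i.e. no status type configured */
    if (!TEST_int_eq(SSL_CTX_get_tlsext_status_type(cctx), -1))
        goto end;

    /* First just do various checks getting and setting tlsext_status_type */

    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
        || !TEST_true(SSL_set_tlsext_status_type(clientssl,
                                                 TLSEXT_STATUSTYPE_ocsp))
        || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
                        TLSEXT_STATUSTYPE_ocsp))
        goto end;

    SSL_free(clientssl);
    clientssl = NULL;

    if (!TEST_true(SSL_CTX_set_tlsext_status_type(cctx,
                                                  TLSEXT_STATUSTYPE_ocsp))
        || !TEST_int_eq(SSL_CTX_get_tlsext_status_type(cctx),
                        TLSEXT_STATUSTYPE_ocsp))
        goto end;

    /* An SSL created after the context was configured inherits the type */
    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
                     TLSEXT_STATUSTYPE_ocsp))
        goto end;
    SSL_free(clientssl);
    clientssl = NULL;

    /*
     * Now actually do a handshake and check OCSP information is exchanged and
     * the callbacks get called
     */
    SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
    SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
    SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
    SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /* Try again but this time force the server side callback to fail */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        /* This should fail because the callback will fail */
        || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE))
        || !TEST_false(ocsp_client_called)
        || !TEST_false(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /*
     * This time we'll get the client to send an OCSP_RESPID that it will
     * accept.
     */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /*
     * We'll just use any old cert for this test - it doesn't have to be an OCSP
     * specific one. We'll use the server cert.
     */
    if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
        || !TEST_ptr(id = OCSP_RESPID_new())
        || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
        || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
        || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
        || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
        || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
        goto end;
    /* id now lives in the stack; clear it so cleanup frees it only once */
    id = NULL;
    SSL_set_tlsext_status_ids(clientssl, ids);
    /* Control has been transferred */
    ids = NULL;

    BIO_free(certbio);
    certbio = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
    OCSP_RESPID_free(id);
    BIO_free(certbio);
    X509_free(ocspcert);
    /* ocspcert is file scope: never leave it pointing at freed memory */
    ocspcert = NULL;

    return testresult;
}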
2176 #endif
2177
2178 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
/*
 * Invocation counters for the session cache callbacks below. The tests reset
 * them to 0 before each step and compare them afterwards.
 */
static int new_called, remove_called, get_called;
2180
/*
 * "New session" callback that only counts invocations in new_called.
 *
 * The session arrives with a reference taken on our behalf. Nothing here
 * keeps it, so the reference is dropped straight away; returning 1 tells the
 * library that the callback dealt with that reference.
 */
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
{
    SSL_SESSION_free(sess);
    new_called += 1;

    return 1;
}
2191
/*
 * "Remove session" callback: records that a removal happened by bumping
 * remove_called. Neither ctx nor sess is touched.
 */
static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
{
    remove_called += 1;
}
2196
/*
 * Session handed out by get_session_cb(). This is a borrowed pointer: no
 * reference is taken when it is assigned, so it must not be left pointing at
 * a session that has since been freed.
 */
static SSL_SESSION *get_sess_val = NULL;
2198
/*
 * External cache lookup callback: counts the call in get_called and returns
 * whatever get_sess_val currently holds, regardless of the requested id.
 *
 * *copy is set to 1 so that the library takes its own reference on the
 * returned session rather than consuming the one the test holds.
 */
static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
                                   int *copy)
{
    *copy = 1;
    get_called += 1;

    return get_sess_val;
}
2206
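/*
 * Session cache test body shared by the test_session_* wrappers.
 *
 * maxprot        protocol version the client is pinned to (min and max)
 * use_int_cache  non-zero to use the library's internal session store
 * use_ext_cache  non-zero to install the new/remove (and, on the server,
 *                get) session callbacks and check their call counts
 * s_options      extra options applied to the server context, 0 for none
 *
 * The first half checks client side caching (add/remove behaviour, resumption,
 * replacement of a "bad" session, automatic removal after a failed
 * handshake). The second half repeats the exercise for server side caching
 * and finishes with a cache of size 1 to check eviction.
 *
 * Returns 1 on success, 0 on failure. The file scope get_sess_val pointer is
 * always cleared before returning because the session it refers to is freed
 * here.
 */
static int execute_test_session(int maxprot, int use_int_cache,
                                int use_ext_cache, long s_options)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl1 = NULL, *clientssl1 = NULL;
    SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
    SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
    SSL_SESSION *sess1 = NULL, *sess2 = NULL;
    int testresult = 0, numnewsesstick = 1;

    new_called = remove_called = 0;

    /* TLSv1.3 sends 2 NewSessionTickets */
    if (maxprot == TLS1_3_VERSION)
        numnewsesstick = 2;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    /*
     * Only allow the max protocol version so we can force a connection failure
     * later
     */
    SSL_CTX_set_min_proto_version(cctx, maxprot);
    SSL_CTX_set_max_proto_version(cctx, maxprot);

    /* Set up session cache */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
    }
    if (use_int_cache) {
        /* Also covers instance where both are set */
        SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
    } else {
        SSL_CTX_set_session_cache_mode(cctx,
                                       SSL_SESS_CACHE_CLIENT
                                           | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    }

    if (s_options) {
        SSL_CTX_set_options(sctx, s_options);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
                                            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
        goto end;

    /* Should fail because it should already be in the cache */
    if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)

            || !TEST_int_eq(remove_called, 0)))
        goto end;

    /* Second connection: resume the session obtained above */
    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
                                      &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (maxprot == TLS1_3_VERSION) {
        /*
         * In TLSv1.3 we should have created a new session even though we have
         * resumed. Since we attempted a resume we should also have removed the
         * old ticket from the cache so that we try to only use tickets once.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(remove_called, 1)))
            goto end;
    } else {
        /*
         * In TLSv1.2 we expect to have resumed so no sessions added or
         * removed.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(remove_called, 0)))
            goto end;
    }

    /* Swap our reference for the session of the resumed connection */
    SSL_SESSION_free(sess1);
    if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
        goto end;
    shutdown_ssl_connection(serverssl2, clientssl2);
    serverssl2 = clientssl2 = NULL;

    /* Third connection: a full handshake yielding an unrelated session */
    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
                                      &clientssl2, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
                                            SSL_ERROR_NONE)))
        goto end;

    if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)))
        goto end;

    new_called = remove_called = 0;
    /*
     * This should clear sess2 from the cache because it is a "bad" session.
     * See SSL_set_session() documentation.
     */
    if (!TEST_true(SSL_set_session(clientssl2, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;
    if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
        goto end;

    if (use_int_cache) {
        /* Should succeed because it should not already be in the cache */
        if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
            || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
            goto end;
    }

    new_called = remove_called = 0;
    /* This shouldn't be in the cache so should fail */
    if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

#if !defined(OPENSSL_NO_TLS1_1)
    new_called = remove_called = 0;
    /* Force a connection failure */
    SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
                                      &clientssl3, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl3, sess1))
        /* This should fail because of the mismatched protocol versions */
        || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
                                             SSL_ERROR_NONE)))
        goto end;

    /* We should have automatically removed the session from the cache */
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

    /* Should succeed because it should not already be in the cache */
    if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
        goto end;
#endif

    /* Now do some tests for server side caching */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, NULL);
        SSL_CTX_sess_set_remove_cb(cctx, NULL);
        SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
        SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
        get_sess_val = NULL;
    }

    SSL_CTX_set_session_cache_mode(cctx, 0);
    /* Internal caching is the default on the server side */
    if (!use_int_cache)
        SSL_CTX_set_session_cache_mode(sctx,
                                       SSL_SESS_CACHE_SERVER
                                           | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    /* Release everything from the client side half before starting over */
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    serverssl1 = clientssl1 = NULL;
    SSL_free(serverssl2);
    SSL_free(clientssl2);
    serverssl2 = clientssl2 = NULL;
    SSL_SESSION_free(sess1);
    sess1 = NULL;
    SSL_SESSION_free(sess2);
    sess2 = NULL;

    SSL_CTX_set_max_proto_version(sctx, maxprot);
    if (maxprot == TLS1_2_VERSION)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
    new_called = remove_called = get_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
                                            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
        || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
        goto end;

    if (use_int_cache) {
        if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
            /*
             * In TLSv1.3 it should not have been added to the internal cache,
             * except in the case where we also have an external cache (in that
             * case it gets added to the cache in order to generate remove
             * events after timeout).
             */
            if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
                goto end;
        } else {
            /* Should fail because it should already be in the cache */
            if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
                goto end;
        }
    }

    if (use_ext_cache) {
        SSL_SESSION *tmp = sess2;

        if (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)
            || !TEST_int_eq(get_called, 0))
            goto end;
        /*
         * Delete the session from the internal cache to force a lookup from
         * the external cache. We take a copy first because
         * SSL_CTX_remove_session() also marks the session as non-resumable.
         */
        if (use_int_cache && maxprot != TLS1_3_VERSION) {
            if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
                || !TEST_true(sess2->owner != NULL)
                || !TEST_true(tmp->owner == NULL)
                || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) {
                /*
                 * tmp is NULL or a duplicate nothing else refers to yet;
                 * sess2 is still released by the common cleanup.
                 */
                SSL_SESSION_free(tmp);
                goto end;
            }
            SSL_SESSION_free(sess2);
        }
        sess2 = tmp;
    }

    new_called = remove_called = get_called = 0;
    /* Borrowed pointer only; cleared again in the cleanup below */
    get_sess_val = sess2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
                                      &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (use_ext_cache) {
        if (!TEST_int_eq(remove_called, 0))
            goto end;

        if (maxprot == TLS1_3_VERSION) {
            if (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(get_called, 0))
                goto end;
        } else {
            if (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(get_called, 1))
                goto end;
        }
    }
    /*
     * Make a small cache, force out all other sessions but
     * sess2, try to add sess1, which should succeed. Then
     * make sure it's there by checking the owners. Despite
     * the timeouts, sess1 should have kicked out sess2
     */

    /* Make sess1 expire before sess2 */
    if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
        || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
        goto end;

    if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
        goto end;

    /* Don't care about results - cache should only be sess2 at end */
    SSL_CTX_add_session(sctx, sess1);
    SSL_CTX_add_session(sctx, sess2);

    /* Now add sess1, and make sure it remains, despite timeout */
    if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
        || !TEST_ptr(sess1->owner)
        || !TEST_ptr_null(sess2->owner))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    SSL_free(serverssl2);
    SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
    SSL_free(serverssl3);
    SSL_free(clientssl3);
#endif
    /* sess2 is about to be freed: do not leave a stale pointer behind */
    get_sess_val = NULL;
    SSL_SESSION_free(sess1);
    SSL_SESSION_free(sess2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}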
2522 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2523
/*
 * Session cache test using only the internal cache, run for each of TLSv1.3
 * and TLSv1.2 that is available. Returns 1 when nothing is enabled.
 */
static int test_session_with_only_int_cache(void)
{
    int ok = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
        ok = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 run (if any) passed */
    if (ok)
        ok = execute_test_session(TLS1_2_VERSION, 1, 0, 0);
#endif

    return ok;
}
2537
/*
 * Session cache test using only the external (callback driven) cache, run
 * for each of TLSv1.3 and TLSv1.2 that is available. Returns 1 when nothing
 * is enabled.
 */
static int test_session_with_only_ext_cache(void)
{
    int ok = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
        ok = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 run (if any) passed */
    if (ok)
        ok = execute_test_session(TLS1_2_VERSION, 0, 1, 0);
#endif

    return ok;
}
2551
/*
 * Session cache test with the internal and the external cache both active,
 * run for each of TLSv1.3 and TLSv1.2 that is available. Returns 1 when
 * nothing is enabled.
 */
static int test_session_with_both_cache(void)
{
    int ok = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
        ok = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 run (if any) passed */
    if (ok)
        ok = execute_test_session(TLS1_2_VERSION, 1, 1, 0);
#endif

    return ok;
}
2565
/*
 * Internal cache session test with SSL_OP_DISABLE_TLSEXT_CA_NAMES set on the
 * server context, run for each of TLSv1.3 and TLSv1.2 that is available.
 * Returns 1 when nothing is enabled.
 */
static int test_session_wo_ca_names(void)
{
    int ok = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0,
                              SSL_OP_DISABLE_TLSEXT_CA_NAMES))
        ok = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 run (if any) passed */
    if (ok)
        ok = execute_test_session(TLS1_2_VERSION, 1, 0,
                                  SSL_OP_DISABLE_TLSEXT_CA_NAMES);
#endif

    return ok;
}
2579
2580 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Sessions kept by new_cachesession_cb(), stored at the index new_called has
 * when the callback fires. Six slots: the ticket tests read back idx * 2
 * entries, so they rely on idx never exceeding 3.
 */
static SSL_SESSION *sesscache[6];
/* Non-zero: new_cachesession_cb() keeps sessions; zero: it only counts them */
static int do_cache;
2583
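/*
 * "New session" callback for the ticket tests.
 *
 * While do_cache is set, the session (and the reference that came with it)
 * is stored in sesscache at index new_called. If the counter is outside the
 * array - more sessions arrived than the test sized the cache for - the
 * session is released instead of being written past the end of sesscache;
 * the callers' ticket count checks then report the mismatch. With do_cache
 * clear the session is released as well.
 *
 * new_called is incremented in every case. Always returns 1.
 */
static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
{
    if (do_cache
        && new_called >= 0
        && (size_t)new_called < OSSL_NELEM(sesscache)) {
        sesscache[new_called] = sess;
    } else {
        /* Not stored anywhere, so drop the reference we were given */
        SSL_SESSION_free(sess);
    }
    new_called++;

    return 1;
}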
2596
/*
 * Request post-handshake client authentication on an established
 * connection and drive both endpoints until it has completed.
 *
 * sssl is the server side SSL object, cssl the client side one.
 * Returns 1 on success, 0 if any step fails.
 */
static int post_handshake_verify(SSL *sssl, SSL *cssl)
{
    SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
    if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
        return 0;

    /* Start handshake on the server and client */
    if (!TEST_int_eq(SSL_do_handshake(sssl), 1))
        return 0;
    /* Zero length reads only push the state machines along */
    if (!TEST_int_le(SSL_read(cssl, NULL, 0), 0))
        return 0;
    if (!TEST_int_le(SSL_read(sssl, NULL, 0), 0))
        return 0;

    return TEST_true(create_ssl_connection(sssl, cssl,
                                           SSL_ERROR_NONE))
        ? 1
        : 0;
}
2613
/*
 * Create the context pair used by the ticket tests.
 *
 * stateful  non-zero sets SSL_OP_NO_TICKET on the server context
 * idx       number of tickets the server is configured to issue
 * sctx/cctx receive the new server and client contexts
 *
 * The client context caches sessions through new_cachesession_cb() only
 * (no internal store). Returns 1 on success, 0 on failure; on failure the
 * caller remains responsible for anything already stored in *sctx / *cctx.
 */
static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
                             SSL_CTX **cctx)
{
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       sctx, cctx, cert, privkey)))
        return 0;

    if (!TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)))
        return 0;

    if (!TEST_true(SSL_CTX_set_session_id_context(*sctx,
                                                  (void *)&sess_id_ctx,
                                                  sizeof(sess_id_ctx))))
        return 0;

    if (stateful)
        SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);

    SSL_CTX_set_session_cache_mode(*cctx,
                                   SSL_SESS_CACHE_CLIENT
                                       | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);

    return 1;
}
2636
/*
 * Attempt a resumption with each of the first idx * 2 sessions held in
 * sesscache, releasing every session once it has been tried.
 *
 * idx   number of tickets issued per full handshake
 * succ  non-zero if the resumptions are expected to succeed
 *
 * On an expected success one new ticket must arrive, followed by one more
 * after post-handshake authentication. On an expected failure the handshake
 * falls back to a full one and idx tickets must arrive.
 *
 * Returns 1 on success, 0 on failure. Sessions not yet consumed stay in
 * sesscache for the caller to free.
 */
static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
{
    SSL *serverssl = NULL, *clientssl = NULL;
    const int attempts = idx * 2;
    int i = 0;

    /* Test that we can resume with all the tickets we got given */
    while (i < attempts) {
        new_called = 0;
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                          &clientssl, NULL, NULL)))
            goto end;
        if (!TEST_true(SSL_set_session(clientssl, sesscache[i])))
            goto end;

        SSL_set_post_handshake_auth(clientssl, 1);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE)))
            goto end;

        /*
         * Following a successful resumption we only get 1 ticket. After a
         * failed one we should get idx tickets.
         */
        if (succ) {
            if (!TEST_true(SSL_session_reused(clientssl)))
                goto end;
            if (!TEST_int_eq(new_called, 1))
                goto end;

            /* After a post-handshake authentication we should get 1 new ticket */
            new_called = 0;
            if (!post_handshake_verify(serverssl, clientssl))
                goto end;
            if (!TEST_int_eq(new_called, 1))
                goto end;
        } else {
            if (!TEST_false(SSL_session_reused(clientssl)))
                goto end;
            if (!TEST_int_eq(new_called, idx))
                goto end;

            new_called = 0;
        }

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        serverssl = clientssl = NULL;

        /* This ticket has been used; release it and clear the slot */
        SSL_SESSION_free(sesscache[i]);
        sesscache[i] = NULL;

        i++;
    }

    return 1;

end:
    SSL_free(clientssl);
    SSL_free(serverssl);
    return 0;
}
2693
/*
 * Check how many session tickets are issued and whether they can be resumed.
 *
 * stateful  passed through to setup_ticket_test()
 * idx       the test number, which is also the number of tickets requested
 *
 * Steps, each on a fresh context pair from setup_ticket_test():
 *   1. a full handshake must deliver idx tickets (kept in sesscache);
 *   2. resuming those tickets against a new SSL_CTX must fail and deliver
 *      idx tickets again;
 *   3. a full handshake followed by post-handshake authentication must
 *      deliver idx * 2 tickets in total, all of which must then resume.
 *
 * Returns 1 on success, 0 on failure. Every slot of sesscache is released
 * and cleared before returning.
 */
static int test_tickets(int stateful, int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    size_t j;

    /* idx is the test number, but also the number of tickets we want */

    new_called = 0;
    do_cache = 1;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    /* Cleared so the common cleanup cannot free them a second time */
    clientssl = serverssl = NULL;
    sctx = cctx = NULL;

    /*
     * Now we try to resume with the tickets we previously created. The
     * resumption attempt is expected to fail (because we're now using a new
     * SSL_CTX). We should see idx number of tickets issued again.
     */

    /* Stop caching sessions - just count them */
    do_cache = 0;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!check_resumption(idx, sctx, cctx, 0))
        goto end;

    /* Start again with caching sessions */
    new_called = 0;
    do_cache = 1;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sctx = cctx = NULL;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    SSL_set_post_handshake_auth(clientssl, 1);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx, new_called))
        goto end;

    /* After a post-handshake authentication we should get new tickets issued */
    if (!post_handshake_verify(serverssl, clientssl)
        || !TEST_int_eq(idx * 2, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Stop caching sessions - just count them */
    do_cache = 0;

    /*
     * Check we can resume with all the tickets we created. This time around the
     * resumptions should all be successful.
     */
    if (!check_resumption(idx, sctx, cctx, 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Release whatever is still cached, on success and on failure alike */
    for (j = 0; j < OSSL_NELEM(sesscache); j++) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
2800
/* Ticket test with stateless tickets; idx is the number of tickets wanted. */
static int test_stateless_tickets(int idx)
{
    const int stateful = 0;

    return test_tickets(stateful, idx);
}
2805
/* Ticket test with stateful tickets; idx is the number of tickets wanted. */
static int test_stateful_tickets(int idx)
{
    const int stateful = 1;

    return test_tickets(stateful, idx);
}
2810
/*
 * Handshake with an external PSK (no certificate or key is configured on
 * the contexts) and check that exactly one ticket is issued and that the
 * PSK use/find callbacks each ran once.
 *
 * Returns 1 on success, 0 on failure. The file scope clientpsk/serverpsk
 * pointers are released and cleared before returning.
 */
static int test_psk_tickets(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_CTX_set_session_id_context(sctx,
                                                  (void *)&sess_id_ctx,
                                                  sizeof(sess_id_ctx))))
        goto end;

    /* Start every counter from a known state */
    new_called = 0;
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;
    srvid = pskid;

    SSL_CTX_set_session_cache_mode(cctx,
                                   SSL_SESS_CACHE_CLIENT
                                       | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
    SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /*
     * Both sides share one session object, so a second reference is taken
     * for the two frees in the cleanup below.
     */
    clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
    if (!TEST_ptr(clientpsk))
        goto end;
    if (!TEST_true(SSL_SESSION_up_ref(clientpsk)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;
    if (!TEST_int_eq(1, find_session_cb_cnt))
        goto end;
    if (!TEST_int_eq(1, use_session_cb_cnt))
        goto end;
    /* We should always get 1 ticket when using external PSK */
    if (!TEST_int_eq(1, new_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;

    return testresult;
}
2863
/*
 * Check that SSL_new_session_ticket() queues extra tickets and that they are
 * only sent at the points the test expects: on the next real write, on a
 * zero length write, on SSL_do_handshake(), and - after a write that could
 * not complete - not until a later write.
 *
 * idx selects the number of tickets issued at handshake time; values of 3
 * and above select the same counts with stateful tickets (idx - 3).
 *
 * new_session_cb is installed on both contexts, so every ticket is counted
 * twice in new_called: once when the server creates it and once when the
 * client receives it.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_extra_tickets(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /* Checked with TEST_ptr() below before it is used */
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    int testresult = 0;
    int stateful = 0;
    size_t nbytes;
    unsigned char c, buf[1];

    new_called = 0;
    do_cache = 1;

    if (idx >= 3) {
        idx -= 3;
        stateful = 1;
    }

    if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;
    SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
    /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /*
     * Note that we have new_session_cb on both sctx and cctx, so new_called is
     * incremented by both client and server.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx * 2, new_called)
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        /* Requesting tickets must not send anything by itself */
        || !TEST_int_eq(idx * 2, new_called))
        goto end;

    /* Now try a (real) write to actually send the tickets */
    c = '1';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(idx * 2 + 2, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(idx * 2 + 4, new_called)
        /* NOTE(review): size_t values compared with the int macro here */
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    /* Try with only requesting one new ticket, too */
    c = '2';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
        || !TEST_size_t_eq(sizeof(c), nbytes)
        || !TEST_int_eq(1, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(2, new_called)
        || !TEST_size_t_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0]))
        goto end;

    /* Do it again but use dummy writes to drive the ticket generation */
    c = '3';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
        || !TEST_size_t_eq(0, nbytes)
        || !TEST_int_eq(2, new_called)
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /* Once more, but with SSL_do_handshake() to drive the ticket generation */
    c = '4';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(2, new_called)
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /*
     * Use the always-retry BIO to exercise the logic that forces ticket
     * generation to wait until a record boundary.
     */
    c = '5';
    new_called = 0;
    /* Keep our own reference to the real write BIO while it is swapped out */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* No reference was taken, so cleanup must not free it */
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(serverssl, bretry);
    /* Handed over to serverssl; cleared so cleanup does not free it again */
    bretry = NULL;
    if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
        || !TEST_size_t_eq(nbytes, 0))
        goto end;
    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;
    /*
     * These calls should just queue the request and not send anything
     * even if we explicitly try to hit the state machine.
     */
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_int_eq(0, new_called)
        || !TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;
    /* Re-do the write; still no tickets sent */
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(0, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(0, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;
    /* Even trying to hit the state machine now will still not send tickets */
    if (!TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;
    /* Now the *next* write should send the tickets */
    c = '6';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(2, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    testresult = 1;

end:
    /* Both BIO pointers are NULL here unless this function still owns them */
    BIO_free(bretry);
    BIO_free(tmp);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    clientssl = serverssl = NULL;
    sctx = cctx = NULL;
    return testresult;
}
3025 #endif
3026
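/*
 * Selector values for one rbio/wbio slot in test_ssl_set_bio(). setupbio()
 * maps the first three to NULL, bio1 and bio2; USE_DEFAULT means the test
 * does not install initial BIOs of its own.
 */
#define USE_NULL 0
#define USE_BIO_1 1
#define USE_BIO_2 2
#define USE_DEFAULT 3

/* What happens between the two SSL_set_bio() calls */
#define CONNTYPE_CONNECTION_SUCCESS 0
#define CONNTYPE_CONNECTION_FAIL 1
#define CONNTYPE_NO_CONNECTION 2

#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
#endif

/*
 * The sum is parenthesised so that the macro expands to a single operand;
 * without the parentheses an expression such as 2 * TOTAL_SSL_SET_BIO_TESTS
 * would only scale the first term.
 */
#define TOTAL_SSL_SET_BIO_TESTS \
    (TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
        + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
        + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS)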
3048
/*
 * Pick the BIO for one rbio/wbio slot: USE_NULL stores NULL, USE_BIO_1
 * stores bio1 and USE_BIO_2 stores bio2. Any other selector (USE_DEFAULT
 * included) leaves *res exactly as the caller initialised it.
 */
static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
{
    if (type == USE_NULL)
        *res = NULL;
    else if (type == USE_BIO_1)
        *res = bio1;
    else if (type == USE_BIO_2)
        *res = bio2;
}
3063
3064 /*
3065 * Tests calls to SSL_set_bio() under various conditions.
3066 *
3067 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
3068 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
3069 * then do more tests where we create a successful connection first using our
3070 * standard connection setup functions, and then call SSL_set_bio() with
3071 * various combinations of valid BIOs or NULL. We then repeat these tests
3072 * following a failed connection. In this last case we are looking to check that
3073 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
3074 */
static int test_ssl_set_bio(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    BIO *bio1 = NULL, *bio2 = NULL;
    BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
    int initrbio, initwbio, newrbio, newwbio, conntype;
    int ref_nrbio, ref_nwbio;
    int testresult = 0;

    if (idx >= TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
        /*
         * Connection variants: keep whatever BIOs the connection setup
         * installs, then decode one bit each for the new rbio, the new wbio
         * and the connection outcome.
         */
        idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
        initrbio = initwbio = USE_DEFAULT;
        newrbio = idx % 2;
        idx /= 2;
        newwbio = idx % 2;
        idx /= 2;
        conntype = idx % 2;
    } else {
        /* No connection: idx is four base-3 digits, one per BIO slot */
        initrbio = idx % 3;
        idx /= 3;
        initwbio = idx % 3;
        idx /= 3;
        newrbio = idx % 3;
        idx /= 3;
        newwbio = idx % 3;
        conntype = CONNTYPE_NO_CONNECTION;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (conntype == CONNTYPE_CONNECTION_FAIL) {
        /*
         * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
         * because TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS is 0 in that case.
         * Mismatched protocol versions force the handshake to fail.
         */
        SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
        SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Only allocate the mem BIOs that some slot actually refers to */
    if ((initrbio == USE_BIO_1 || initwbio == USE_BIO_1
            || newrbio == USE_BIO_1 || newwbio == USE_BIO_1)
        && !TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
        goto end;

    if ((initrbio == USE_BIO_2 || initwbio == USE_BIO_2
            || newrbio == USE_BIO_2 || newwbio == USE_BIO_2)
        && !TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
        goto end;

    if (initrbio != USE_DEFAULT) {
        setupbio(&irbio, bio1, bio2, initrbio);
        setupbio(&iwbio, bio1, bio2, initwbio);
        SSL_set_bio(clientssl, irbio, iwbio);

        /*
         * The test keeps its own reference to each BIO, so take one extra
         * ref per distinct BIO whose ownership went to SSL_set_bio().
         */
        if (irbio != NULL && !BIO_up_ref(irbio))
            goto end;
        if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
            BIO_free(irbio);
            goto end;
        }
    }

    if (conntype != CONNTYPE_NO_CONNECTION
        && !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)
            == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
        goto end;

    setupbio(&nrbio, bio1, bio2, newrbio);
    setupbio(&nwbio, bio1, bio2, newwbio);

    /*
     * Ownership may be transferred again, so more up refs are needed. The
     * two flags below encode the cases in which this test expects
     * SSL_set_bio() to consume a reference when BIOs are already set.
     */
    ref_nrbio = nrbio != NULL
        && nrbio != irbio
        && (nwbio != iwbio || nrbio != nwbio);
    ref_nwbio = nwbio != NULL
        && nwbio != nrbio
        && (nwbio != iwbio || irbio == iwbio);

    if (ref_nrbio && !TEST_true(BIO_up_ref(nrbio)))
        goto end;
    if (ref_nwbio && !TEST_true(BIO_up_ref(nwbio))) {
        /* Undo the rbio reference taken just above */
        if (ref_nrbio)
            BIO_free(nrbio);
        goto end;
    }

    SSL_set_bio(clientssl, nrbio, nwbio);

    testresult = 1;

end:
    BIO_free(bio1);
    BIO_free(bio2);

    /*
     * This test checks that the ref counting for SSL_set_bio is correct.
     * If too many frees happened, the calls below are where it shows up.
     */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
3206
/* Which of the SSL object's BIOs execute_test_ssl_bio() replaces, if any */
typedef enum {
    NO_BIO_CHANGE,
    CHANGE_RBIO,
    CHANGE_WBIO
} bio_change_t;
3210
/*
 * Build an SSL filter BIO that owns an SSL object, chain a mem BIO behind it,
 * optionally swap the SSL object's rbio or wbio for a second mem BIO, then
 * split the chain again and free both halves.
 *
 * pop_ssl:    non-zero pops the SSL BIO off the chain, zero pops the mem BIO
 * change_bio: which SSL BIO (if any) is replaced before the pop
 *
 * Returns 1 when all objects could be created, 0 otherwise. The function
 * itself asserts nothing about leaks; that is presumably left to the memory
 * checking the test suite runs under.
 */
static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
{
    BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
    SSL_CTX *ctx;
    SSL *ssl = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())))
        goto end;
    if (!TEST_ptr(ssl = SSL_new(ctx)))
        goto end;
    if (!TEST_ptr(sslbio = BIO_new(BIO_f_ssl())))
        goto end;
    if (!TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
        goto end;

    /* BIO_CLOSE: from here on the SSL BIO is responsible for freeing ssl */
    BIO_set_ssl(sslbio, ssl, BIO_CLOSE);

    /*
     * If anything goes wrong here then we could leak memory.
     */
    BIO_push(sslbio, membio1);

    /* Verify changing the rbio/wbio directly does not cause leaks */
    if (change_bio != NO_BIO_CHANGE) {
        membio2 = BIO_new(BIO_s_mem());
        if (!TEST_ptr(membio2)) {
            /* sslbio owns ssl; do not free it a second time below */
            ssl = NULL;
            goto end;
        }
        if (change_bio == CHANGE_RBIO)
            SSL_set0_rbio(ssl, membio2);
        else
            SSL_set0_wbio(ssl, membio2);
    }
    /* Drop our pointer so the cleanup below leaves ssl to sslbio */
    ssl = NULL;

    BIO_pop(pop_ssl ? sslbio : membio1);

    testresult = 1;
end:
    BIO_free(membio1);
    BIO_free(sslbio);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}
3258
/* SSL BIO test: pop the mem BIO off the chain, SSL BIOs left unchanged */
static int test_ssl_bio_pop_next_bio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, NO_BIO_CHANGE);
}
3263
/* SSL BIO test: pop the SSL BIO itself off the chain, SSL BIOs left unchanged */
static int test_ssl_bio_pop_ssl_bio(void)
{
    const int pop_ssl = 1;

    return execute_test_ssl_bio(pop_ssl, NO_BIO_CHANGE);
}
3268
/* SSL BIO test: replace the SSL object's rbio, then pop the mem BIO */
static int test_ssl_bio_change_rbio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, CHANGE_RBIO);
}
3273
/* SSL BIO test: replace the SSL object's wbio, then pop the mem BIO */
static int test_ssl_bio_change_wbio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, CHANGE_WBIO);
}
3278
3279 /*
3280 * Regression for GH #30458: tls_set1_bio() must BIO_free_all the old chain
3281 * when the write BIO is replaced, not only the top BIO.
3282 */
static int test_ssl_set_wbio_chain_no_leak(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    BIO *bio = NULL, *filter = NULL, *chain1 = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(ssl = SSL_new(ctx))
        || !TEST_ptr(filter = BIO_new(BIO_f_nbio_test())))
        goto end;

    bio = BIO_new(BIO_s_mem());
    if (!TEST_ptr(bio)) {
        BIO_free(filter);
        filter = NULL;
        goto end;
    }

    /* Two-element chain: filter on top of the mem BIO */
    chain1 = BIO_push(filter, bio);
    if (!TEST_ptr(chain1)) {
        BIO_free_all(filter);
        filter = bio = NULL;
        goto end;
    }
    /* Both BIOs are now reachable through chain1 only */
    filter = bio = NULL;

    /*
     * Hand the chain to the SSL object, then replace it with NULL. The second
     * call is the one under test: it has to release the whole old chain.
     */
    SSL_set0_wbio(ssl, chain1);
    chain1 = NULL;
    SSL_set0_wbio(ssl, NULL);

    testresult = 1;

end:
    /* All three pointers are NULL on every path that reaches this label */
    BIO_free(filter);
    BIO_free(bio);
    BIO_free(chain1);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}
3324
3325 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
/*
 * One signature-algorithm test vector. Exactly one of list/liststr is used:
 * test_set_sigalgs() takes the array form when list is not NULL and the
 * string form otherwise.
 */
typedef struct {
    const int *list;     /* The list of sig algs */
    size_t listlen;      /* The length of the list */
    const char *liststr; /* A sigalgs list in string format */
    int valid;           /* Whether setting the list should succeed */
    int connsuccess;     /* Whether a connection with the list should succeed */
} sigalgs_list;

static const int validlist1[] = { NID_sha256, EVP_PKEY_RSA };
#ifndef OPENSSL_NO_EC
static const int validlist2[] = {
    NID_sha256, EVP_PKEY_RSA,
    NID_sha512, EVP_PKEY_EC
};
static const int validlist3[] = { NID_sha512, EVP_PKEY_EC };
#endif
static const int invalidlist1[] = { NID_undef, EVP_PKEY_RSA };
static const int invalidlist2[] = { NID_sha256, NID_undef };
static const int invalidlist3[] = { NID_sha256, EVP_PKEY_RSA, NID_sha256 };
static const int invalidlist4[] = { NID_sha256 };

/* Columns: list, listlen, liststr, valid, connsuccess */
static const sigalgs_list testsigalgs[] = {
    { validlist1, OSSL_NELEM(validlist1), NULL, 1, 1 },
#ifndef OPENSSL_NO_EC
    { validlist2, OSSL_NELEM(validlist2), NULL, 1, 1 },
    { validlist3, OSSL_NELEM(validlist3), NULL, 1, 0 },
#endif
    { NULL, 0, "RSA+SHA256", 1, 1 },
    { NULL, 0, "RSA+SHA256:?Invalid", 1, 1 },
#ifndef OPENSSL_NO_EC
    { NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1 },
    { NULL, 0, "ECDSA+SHA512", 1, 0 },
#endif
    { invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0 },
    { invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0 },
    { invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0 },
    { invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0 },
    { NULL, 0, "RSA", 0, 0 },
    { NULL, 0, "SHA256", 0, 0 },
    { NULL, 0, "RSA+SHA256:SHA256", 0, 0 },
    { NULL, 0, "Invalid", 0, 0 }
};
3369
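/*
 * Apply one entry of testsigalgs[] to the client and check the outcome.
 *
 * idx in [0, N) sets the list on the client SSL_CTX, idx in [N, 2N) sets the
 * same entry on the client SSL object instead (N = OSSL_NELEM(testsigalgs)).
 * For an entry marked valid the setter must succeed and the TLSv1.2-capped
 * handshake must end as curr->connsuccess says; for an invalid entry the
 * setter must fail.
 *
 * Returns 1 on the expected outcome, 0 otherwise.
 */
static int test_set_sigalgs(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    const sigalgs_list *curr;
    int testctx;

    /*
     * Should never happen. The bound is strict: idx == 2 * N would index one
     * element past the end of testsigalgs[] below. A negative idx becomes a
     * huge size_t and is rejected by the same check.
     */
    if (!TEST_size_t_lt((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
        return 0;

    testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
    curr = testctx ? &testsigalgs[idx]
                   : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);

    if (testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
        else
            ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);

        if (!ret) {
            /* A rejected list is the pass condition for invalid entries */
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        if (!curr->valid) {
            TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
            goto end;
        }
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (!testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
        else
            ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);

        if (!ret) {
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        if (!curr->valid) {
            /* Same diagnostic as the SSL_CTX branch, for the SSL object */
            TEST_info("Not-failed setting sigalgs in SSL (%d)\n", idx);
            goto end;
        }
    }

    if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
                                           SSL_ERROR_NONE),
                     curr->connsuccess))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}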
3451 #endif
3452
3453 #ifndef OSSL_NO_USABLE_TLS1_3
/* Invocation counters, incremented by psk_client_cb() and psk_server_cb() */
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
3456
/*
 * Client-side PSK use-session callback. Accepts at most two calls, counted in
 * use_session_cb_cnt: the first must arrive with md == NULL and the second
 * with a non-NULL md. On success it hands out an extra reference to clientpsk
 * (which may be NULL) together with pskid as the identity.
 *
 * Returns 1 on success, 0 on an unexpected call or a failed up-ref.
 */
static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
                          size_t *idlen, SSL_SESSION **sess)
{
    const int call = ++use_session_cb_cnt;

    if (call == 1) {
        /* The first call should always have a NULL md */
        if (md != NULL)
            return 0;
    } else if (call == 2) {
        /* The second call should always have an md */
        if (md == NULL)
            return 0;
    } else {
        /* We should only be called a maximum of twice */
        return 0;
    }

    /* The caller receives its own reference to the session */
    if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
        return 0;

    *sess = clientpsk;
    *id = (const unsigned char *)pskid;
    *idlen = strlen(pskid);

    return 1;
}
3487
3488 #ifndef OPENSSL_NO_PSK
/*
 * Client-side PSK callback. Copies pskid into id and the master key of
 * clientpsk into psk.
 *
 * Returns the key length, or 0 when the identity (with its terminator) does
 * not fit in max_id_len, the callback has run more than twice, no clientpsk
 * is set, or the key does not fit in max_psk_len.
 */
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
                                  unsigned int max_id_len,
                                  unsigned char *psk,
                                  unsigned int max_psk_len)
{
    unsigned int keylen = 0;

    psk_client_cb_cnt++;

    /* Identity plus its NUL terminator must fit the caller's buffer */
    if (strlen(pskid) + 1 > max_id_len)
        return 0;

    /* We should only ever be called a maximum of twice per connection */
    if (psk_client_cb_cnt > 2)
        return 0;

    if (clientpsk == NULL)
        return 0;

    /*
     * We'll reuse the PSK we set up for TLSv1.3. The first call only asks
     * for the key length so that it can be checked against max_psk_len
     * before anything is written to psk.
     */
    if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
        return 0;
    keylen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);

    /* The length check above guarantees the copy is NUL-terminated */
    strncpy(id, pskid, max_id_len);

    return keylen;
}
3516 #endif /* OPENSSL_NO_PSK */
3517
/*
 * Server-side PSK find-session callback. Fails (returns 0) when called more
 * than twice, when no serverpsk is set, or when the up-ref fails. An identity
 * that does not match srvid is not an error: *sess is set to NULL and the
 * handshake continues without a PSK.
 */
static int find_session_cb(SSL *ssl, const unsigned char *identity,
                           size_t identity_len, SSL_SESSION **sess)
{
    int id_matches;

    find_session_cb_cnt++;

    /* We should only ever be called a maximum of twice per connection */
    if (find_session_cb_cnt > 2)
        return 0;

    if (serverpsk == NULL)
        return 0;

    /*
     * Identity should match that set by the client. The lengths are compared
     * first, so the bounded compare never reads past identity_len bytes of
     * identity.
     */
    id_matches = strlen(srvid) == identity_len
        && strncmp(srvid, (const char *)identity, identity_len) == 0;
    if (!id_matches) {
        /* No PSK found, continue but without a PSK */
        *sess = NULL;
        return 1;
    }

    if (!SSL_SESSION_up_ref(serverpsk))
        return 0;

    *sess = serverpsk;

    return 1;
}
3545
3546 #ifndef OPENSSL_NO_PSK
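/*
 * Server-side PSK callback. Copies the master key of serverpsk into psk when
 * the identity sent by the client equals srvid.
 *
 * Returns the key length, or 0 when the callback has run more than twice, no
 * serverpsk is set, the identity differs, or the key does not fit in
 * max_psk_len.
 */
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
                                  unsigned char *psk, unsigned int max_psk_len)
{
    unsigned int psklen = 0;

    psk_server_cb_cnt++;

    /*
     * We should only ever be called a maximum of twice per connection. The
     * limit is applied to this callback's own counter, as psk_client_cb()
     * does with psk_client_cb_cnt; the previous code tested
     * find_session_cb_cnt, which this function never increments.
     */
    if (psk_server_cb_cnt > 2)
        return 0;

    if (serverpsk == NULL)
        return 0;

    /* Identity should match that set by the client */
    if (strcmp(srvid, identity) != 0)
        return 0;

    /*
     * We'll reuse the PSK we set up for TLSv1.3. Query the key length first
     * so that nothing is written to psk unless the key fits.
     */
    if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
        return 0;
    psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);

    return psklen;
}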
3573 #endif /* OPENSSL_NO_PSK */
3574
/* Payloads exchanged by the early data tests */
#define MSG1 "Hello"
#define MSG2 "World."
#define MSG3 "This"
#define MSG4 "is"
#define MSG5 "a"
#define MSG6 "test"
#define MSG7 "message."

/* Number of upcoming tickets that ed_gen_cb() should back-date */
static int artificial_ticket_time = 0;
3584
/*
 * Move the session's timestamp 10 seconds into the past.
 * Returns 1 if SSL_SESSION_set_time_ex() reports a non-zero result, else 0.
 */
static int sub_session_time(SSL_SESSION *sess)
{
    OSSL_TIME issued = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
    OSSL_TIME aged = ossl_time_subtract(issued, ossl_seconds2time(10));

    return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(aged)) != 0;
}
3594
/*
 * Session ticket generation callback for the early data tests. While
 * artificial_ticket_time is non-zero, each call consumes one unit of it and
 * back-dates the current session via sub_session_time().
 *
 * Returns 0 if there is no session or the back-dating fails, 1 otherwise.
 */
static int ed_gen_cb(SSL *s, void *arg)
{
    SSL_SESSION *cur = SSL_get0_session(s);

    if (cur == NULL)
        return 0;

    /*
     * Artificially give the ticket some age, but only for as many tickets
     * as we have been told to.
     */
    if (artificial_ticket_time != 0) {
        artificial_ticket_time--;
        return sub_session_time(cur);
    }

    return 1;
}
3612
3613 /*
3614 * Helper method to setup objects for early data test. Caller frees objects on
3615 * error.
3616 */
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
                                SSL **serverssl, SSL_SESSION **sess, int idx,
                                size_t mdsize)
{
    /* Sampled up front: ed_gen_cb() counts artificial_ticket_time down */
    const int artificial = (artificial_ticket_time > 0);

    /* A caller may pass in contexts it has already created and configured */
    if (*sctx == NULL
        && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                          TLS_client_method(),
                                          TLS1_VERSION, 0,
                                          sctx, cctx, cert, privkey)))
        return 0;

    if (artificial)
        SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);

    if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
        return 0;

    switch (idx) {
    case 1:
        /* When idx == 1 we repeat the tests with read_ahead set */
        SSL_CTX_set_read_ahead(*cctx, 1);
        SSL_CTX_set_read_ahead(*sctx, 1);
        break;
    case 2:
        /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
        SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
        SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
        use_session_cb_cnt = 0;
        find_session_cb_cnt = 0;
        srvid = pskid;
        break;
    default:
        break;
    }

    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
                                      NULL, NULL)))
        return 0;

    /*
     * For one of the run throughs (doesn't matter which one), we'll try sending
     * some SNI data in the initial ClientHello. This will be ignored (because
     * there is no SNI cb set up by the server), so it should not impact
     * early_data.
     */
    if (idx == 1
        && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
        return 0;

    if (idx == 2) {
        /*
         * PSK variant: no initial handshake. One session object is shared by
         * the client side, the server side and (optionally) the caller, each
         * holding its own reference.
         */
        clientpsk = create_a_psk(*clientssl, mdsize);
        if (!TEST_ptr(clientpsk)
            /*
             * We just choose an arbitrary value for max_early_data which
             * should be big enough for testing purposes.
             */
            || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
                                                         0x100))
            || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
            SSL_SESSION_free(clientpsk);
            clientpsk = NULL;
            return 0;
        }
        serverpsk = clientpsk;

        if (sess == NULL)
            return 1;

        if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
            /* Release both references taken so far */
            SSL_SESSION_free(clientpsk);
            SSL_SESSION_free(serverpsk);
            clientpsk = serverpsk = NULL;
            return 0;
        }
        *sess = clientpsk;
        return 1;
    }

    if (sess == NULL)
        return 1;

    /* Ticket variants: run one full handshake to obtain a resumable session */
    if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
                                         SSL_ERROR_NONE)))
        return 0;

    *sess = SSL_get1_session(*clientssl);
    SSL_shutdown(*clientssl);
    SSL_shutdown(*serverssl);
    SSL_free(*serverssl);
    SSL_free(*clientssl);
    *serverssl = *clientssl = NULL;

    /*
     * Artificially give the ticket some age to match the artificial age we
     * gave it on the server side
     */
    if (artificial
        && !TEST_true(sub_session_time(*sess)))
        return 0;

    /* Fresh SSL objects, with the client primed to resume *sess */
    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
                                      clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(*clientssl, *sess)))
        return 0;

    return 1;
}
3720
/*
 * Decide whether a failed early data read should be ignored because the test
 * ran too slowly. timer is the time at which the early data was written.
 *
 * Returns the result of TEST_skip() when 7 or more seconds have passed since
 * timer, and 0 otherwise.
 */
static int check_early_data_timeout(OSSL_TIME timer)
{
    OSSL_TIME elapsed;

    /*
     * Early data is time sensitive. We have an approx 8 second allowance
     * between writing the early data and reading it. If we exceed that time
     * then this test will fail. This can sometimes (rarely) occur in normal CI
     * operation. We try to detect this and just ignore the result of the test
     * if it has taken too long. We assume anything over 7 seconds is too long.
     */
    elapsed = ossl_time_subtract(ossl_time_now(), timer);
    if (ossl_time_compare(elapsed, ossl_seconds2time(7)) < 0)
        return 0;

    return TEST_skip("Test took too long, ignoring result");
}
3739
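/*
 * Exercise interleaved early data and normal data reads and writes on both
 * ends of a resumed connection, including a delayed ClientFinished, and then
 * repeat a shorter early data exchange on a second resumption.
 *
 * idx selects the setup performed by setupearly_data_test():
 *   idx == 0: standard early_data setup
 *   idx == 1: early_data setup using read_ahead
 *   idx == 2: early_data with a PSK
 *
 * Returns 1 on success, 0 on failure. If the first early data read fails, the
 * result is whatever check_early_data_timeout() returns.
 */
static int test_early_data_read_write(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20], data[1024];
    size_t readbytes, written, eoedlen, rawread, rawwritten;
    BIO *rbio;
    OSSL_TIME timer;

    /* Artificially give the next 2 tickets some age for non PSK sessions */
    if (idx != 2)
        artificial_ticket_time = 2;
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH))) {
        artificial_ticket_time = 0;
        goto end;
    }
    artificial_ticket_time = 0;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)) {
        /* A slow run can make the ticket look too old; see the helper */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * Server should be able to write data, and client should be able to
     * read it.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /* Even after reading normal data, client should be able write early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG3)))
        goto end;

    /* Server should still be able read early data after writing data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
        goto end;

    /* Write more data from server and read it from client */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG4))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
        goto end;

    /*
     * If client writes normal data it should mean writing early data is no
     * longer possible.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * At this point the client has written EndOfEarlyData, ClientFinished and
     * normal (fully protected) data. We are going to cause a delay between the
     * arrival of EndOfEarlyData and ClientFinished. We read out all the data
     * in the read BIO, and then just put back the EndOfEarlyData message.
     */
    rbio = SSL_get_rbio(serverssl);
    if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
        || !TEST_size_t_lt(rawread, sizeof(data))
        || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
        goto end;

    /*
     * Record length is in the 4th and 5th bytes of the record header. The
     * value is taken from the bytes just read, so bound it by rawread before
     * using it: otherwise the write below could read past the filled part of
     * data[] and the later "rawread - eoedlen" could wrap around.
     */
    eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
    if (!TEST_size_t_le(eoedlen, rawread)
        || !TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
        || !TEST_size_t_eq(rawwritten, eoedlen))
        goto end;

    /* Server should be told that there is no more early data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0))
        goto end;

    /*
     * Server has not finished init yet, so should still be able to write early
     * data.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG6)))
        goto end;

    /* Push the ClientFinished and the normal data back into the server rbio */
    if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
                                &rawwritten))
        || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
        goto end;

    /* Server should be able to read normal data */
    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
                                         &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client should be able to read the data sent by the server */
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
        goto end;

    /*
     * Make sure we process the two NewSessionTickets. These arrive
     * post-handshake. We attempt reads which we do not expect to return any
     * data.
     */
    if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
                                   &readbytes)))
        goto end;

    /* Server should be able to write normal data */
    if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
        || !TEST_size_t_eq(written, strlen(MSG7))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
        goto end;

    /* Second round: resume with the session the client holds now */
    SSL_SESSION_free(sess);
    sess = SSL_get1_session(clientssl);
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                            &readbytes),
                        SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
        goto end;

    if (!TEST_int_gt(SSL_connect(clientssl), 0)
        || !TEST_int_gt(SSL_accept(serverssl), 0))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
                                         &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client and server should be able to write/read normal data */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}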
3961
/* Number of times allow_early_data_cb() has been invoked */
static int allow_ed_cb_called = 0;
3963
/*
 * Allow-early-data callback. arg points at the test's usecb value: the
 * callback returns 0 when that value is 1 and returns 1 for any other value.
 * Every call is counted in allow_ed_cb_called.
 */
static int allow_early_data_cb(SSL *s, void *arg)
{
    const int *mode = (int *)arg;

    allow_ed_cb_called++;

    return *mode != 1;
}
3975
3976 /*
3977 * idx == 0: Standard early_data setup
3978 * idx == 1: early_data setup using read_ahead
3979 * usecb == 0: Don't use a custom early data callback
3980 * usecb == 1: Use a custom early data callback and reject the early data
3981 * usecb == 2: Use a custom early data callback and accept the early data
3982 * confopt == 0: Configure anti-replay directly
3983 * confopt == 1: Configure anti-replay using SSL_CONF
3984 */
static int test_early_data_replay_int(int idx, int usecb, int confopt)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;
    OSSL_TIME timer;
    int testresult = 0;

    allow_ed_cb_called = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    if (usecb > 0) {
        /*
         * With a custom callback in play the built-in anti-replay check is
         * switched off, either through the option bit or through SSL_CONF,
         * so that the callback's decision is what gets tested.
         */
        if (confopt != 0) {
            SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
            int cmdok;

            if (!TEST_ptr(confctx))
                goto end;
            SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER);
            SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
            cmdok = TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
                                2);
            SSL_CONF_CTX_free(confctx);
            if (!cmdok)
                goto end;
        } else {
            SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
        }
        /* usecb outlives every handshake in this function */
        SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
    }

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /*
     * The server is configured to accept early data. Create a connection to
     * "use up" the ticket
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Second use of the same session: this is the replay */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (usecb > 1) {
        /* In this case the callback decides to accept the early data */
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                             &readbytes),
                         SSL_READ_EARLY_DATA_SUCCESS)) {
            testresult = check_early_data_timeout(timer);
            goto end;
        }
        if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
            /*
             * Server will have sent its flight so client can now send
             * end of early data and complete its half of the handshake
             */
            || !TEST_int_gt(SSL_connect(clientssl), 0)
            || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                                &readbytes),
                            SSL_READ_EARLY_DATA_FINISH)
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_ACCEPTED))
            goto end;
    } else {
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                             &readbytes),
                         SSL_READ_EARLY_DATA_FINISH)
            /*
             * The ticket was reused, so we should have rejected the
             * early data
             */
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_REJECTED))
            goto end;
    }

    /* Complete the connection */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
        || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4105
/*
 * Run test_early_data_replay_int() for every usecb (0..2) and confopt (0..1)
 * combination, usecb varying slowest. All six combinations are always run;
 * the results are combined with a bitwise AND.
 */
static int test_early_data_replay(int idx)
{
    int ret = 1;
    int combo;

    for (combo = 0; combo < 3 * 2; combo++)
        ret &= test_early_data_replay_int(idx, combo / 2, combo % 2);

    return ret;
}
4117
/*
 * TLSv1.3 ciphersuite names, indexed by the "cipher" argument of
 * early_data_skip_helper(). A NULL entry marks a suite that is compiled out.
 * Entries 5 and 6 only exist when integrity-only ciphers are enabled, so the
 * array length depends on the build configuration.
 */
static const char *ciphersuites[] = {
    /* 0 */
    "TLS_AES_128_CCM_8_SHA256",
    /* 1 */
    "TLS_AES_128_GCM_SHA256",
    /* 2 */
    "TLS_AES_256_GCM_SHA384",
    /* 3 */
    "TLS_AES_128_CCM_SHA256",
    /* 4 */
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    "TLS_CHACHA20_POLY1305_SHA256",
#else
    NULL,
#endif
    /* 5 and 6: integrity-only suites */
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
    "TLS_SHA256_SHA256",
    "TLS_SHA384_SHA384"
#endif
};
4133
/*
 * Common driver for the tests in which the server calls
 * SSL_read_early_data() but the client's early data has to be skipped.
 *
 * testtype selects the scenario:
 *   0 - No HRR
 *   1 - HRR
 *   2 - HRR, invalid early_data sent after HRR
 *   3 - recv_max_early_data set to 0
 * cipher is an index into ciphersuites[]; idx is handed on to
 * setupearly_data_test().
 *
 * Returns 1 on success (and for cipher >= 4 when is_fips is set, where
 * nothing is run), 0 on failure, or the TEST_skip() result when the
 * ciphersuite entry is NULL.
 */
static int early_data_skip_helper(int testtype, int cipher, int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    size_t written, readbytes;
    unsigned char buf[20];
    int testresult = 0;

    if (is_fips && cipher >= 4)
        return 1;

    if (ciphersuites[cipher] == NULL)
        return TEST_skip("Cipher not supported");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    switch (cipher) {
    case 0:
    case 5:
    case 6:
        /*
         * In ciphersuites[] these are the CCM_8 suite and the two
         * integrity-only suites; both contexts are dropped to security
         * level 0 for them.
         */
        SSL_CTX_set_security_level(sctx, 0);
        SSL_CTX_set_security_level(cctx, 0);
        break;
    default:
        break;
    }

    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher])))
        goto end;
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
        goto end;

    /* Entries 2 and 6 are the SHA384 based suites */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        (cipher == 2 || cipher == 6)
                                            ? SHA384_DIGEST_LENGTH
                                            : SHA256_DIGEST_LENGTH)))
        goto end;

    if (testtype == 1 || testtype == 2) {
        /* Force an HRR to occur */
#if defined(OPENSSL_NO_EC)
        if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
            goto end;
#else
        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
            goto end;
#endif
    } else if (idx == 2) {
        /*
         * An unrecognised PSK identity forces the early_data to be
         * rejected.
         */
        srvid = "Dummy Identity";
    } else {
        /*
         * Deliberately corrupt the creation time by taking 20 seconds off
         * it. Any value outside the tolerance would do; the ticket should
         * then be rejected.
         */
        if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
            goto end;
    }

    if (testtype == 3) {
        if (!TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
            goto end;
    }

    /* Write some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;
    if (!TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    /* Server should reject the early data without delivering any of it */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH))
        goto end;
    if (!TEST_size_t_eq(readbytes, 0))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(serverssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;

    if (testtype == 1) {
        /*
         * Finish off the handshake. The same writes and reads as further
         * down are performed, but they are expected to fail because the
         * handshake is still incomplete.
         */
        if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)))
            goto end;
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
                                    &readbytes)))
            goto end;
    } else if (testtype == 2 || testtype == 3) {
        if (testtype == 2) {
            BIO *wbio = SSL_get_wbio(clientssl);
            /* A record that will appear as bad early_data */
            const unsigned char bad_early_data[] = {
                0x17, 0x03, 0x03, 0x00, 0x01, 0x00
            };

            /*
             * Make the client attempt a write. It fails because the
             * handshake is still in progress, and it causes the second
             * ClientHello to be sent.
             */
            if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
                                         &written)))
                goto end;

            /*
             * Inject some early_data after the second ClientHello. This
             * should cause the server to fail.
             */
            if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
                                        sizeof(bad_early_data), &written)))
                goto end;
        }

        /*
         * The client has sent more early_data than the server is willing to
         * skip (testtype 3) or sent invalid early_data (testtype 2), so the
         * connection should abort.
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto end;

        /* Connection has failed - nothing more to do */
        testresult = 1;
        goto end;
    } else if (testtype != 0) {
        TEST_error("Invalid test type");
        goto end;
    }

    ERR_clear_error();
    /*
     * Normal data must still get through after the rejection; the
     * early_data should simply be skipped.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)))
        goto end;
    if (!TEST_size_t_eq(written, strlen(MSG2)))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(clientssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;
    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;
    if (!TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /*
     * Failure to decrypt early data records should not leave spurious
     * errors on the error stack
     */
    if (!TEST_long_eq(ERR_peek_error(), 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4318
/*
 * A server that tries to read early data must cope with a client whose
 * early data is not acceptable (helper testtype 0). idx encodes both the
 * ciphersuites[] index (remainder) and the setup index (quotient).
 */
static int test_early_data_skip(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(0, idx % nsuites, idx / nsuites);
}
4329
/*
 * A server that tries to read early data must cope with a connection in
 * which an HRR occurs (helper testtype 1). idx encodes both the
 * ciphersuites[] index (remainder) and the setup index (quotient).
 */
static int test_early_data_skip_hrr(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(1, idx % nsuites, idx / nsuites);
}
4340
/*
 * A server that tries to read early data must cope with a connection in
 * which an HRR occurs, and must fail correctly if early_data is sent after
 * the HRR (helper testtype 2). idx encodes both the ciphersuites[] index
 * (remainder) and the setup index (quotient).
 */
static int test_early_data_skip_hrr_fail(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(2, idx % nsuites, idx / nsuites);
}
4352
/*
 * A server that tries to read early data must abort when it would have to
 * skip over too much (helper testtype 3). idx encodes both the
 * ciphersuites[] index (remainder) and the setup index (quotient).
 */
static int test_early_data_skip_abort(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(3, idx % nsuites, idx / nsuites);
}
4363
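/*
 * Test that a server attempting to read early data can handle a connection
 * from a client that doesn't send any.
 *
 * idx is handed on to setupearly_data_test(). Returns 1 on success and 0 on
 * failure.
 */
static int test_early_data_not_sent(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /* Server should detect that early data has not been sent */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_NOT_SENT)
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier, then send a reply
     * from the server. Every call goes through a TEST_ macro so that a
     * failing step is reported rather than silently ending the test.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}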
4424
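/* Protocol name alpn_select_cb() looks for; assigned by the test using it */
static const char *servalpn;

/*
 * ALPN selection callback: walk the client's length-prefixed protocol list
 * and select the entry equal to servalpn.
 *
 * in/inlen describe the peer-supplied list, so every length byte is checked
 * against the bytes that remain before the entry is read. On a match *out
 * points into the caller's list and *outlen is the entry length, and
 * SSL_TLSEXT_ERR_OK is returned. SSL_TLSEXT_ERR_NOACK is returned when
 * nothing matches, when the list is malformed, or when servalpn or in is
 * NULL. ssl and arg are unused.
 */
static int alpn_select_cb(SSL *ssl, const unsigned char **out,
                          unsigned char *outlen, const unsigned char *in,
                          unsigned int inlen, void *arg)
{
    const unsigned char *prot, *end;
    unsigned int protlen = 0;
    size_t wantlen;

    if (servalpn == NULL || in == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    end = in + inlen;
    /* servalpn does not change during the walk, so measure it once */
    wantlen = strlen(servalpn);

    for (prot = in; prot < end; prot += protlen) {
        protlen = *prot++;
        /*
         * Compare against the number of bytes left instead of forming
         * prot + protlen, which could point past the end of the buffer.
         */
        if ((size_t)(end - prot) < protlen)
            return SSL_TLSEXT_ERR_NOACK;

        if (protlen == wantlen && memcmp(prot, servalpn, protlen) == 0) {
            *out = prot;
            /* protlen was read from a single byte, so it fits */
            *outlen = (unsigned char)protlen;
            return SSL_TLSEXT_ERR_OK;
        }
    }

    return SSL_TLSEXT_ERR_NOACK;
}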
4449
/*
 * Test that a PSK can be used to send early_data, and that inconsistent
 * SNI, ALPN or protocol version settings are handled as expected.
 *
 * idx selects the scenario:
 *   0 - inconsistent SNI (early client detection)
 *   1 - inconsistent ALPN (early client detection)
 *   2 - invalid protocol version in the session
 *   3 - inconsistent SNI on the server side (early_data still accepted)
 *   4 - consistent SNI
 *   5 - inconsistent ALPN detected by the server (early_data rejected)
 *   6 - consistent ALPN
 *   7 - inconsistent ALPN (late client detection, SSL_connect() fails)
 */
static int test_early_data_psk(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    /* Two length-prefixed protocol names: "goodalpn" then "badalpn" */
    unsigned char alpnlist[] = {
        0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
        'l', 'p', 'n'
    };
/* The lengths below include the one-byte length prefix */
#define GOODALPNLEN 9
#define BADALPNLEN 8
#define GOODALPN (alpnlist)
#define BADALPN (alpnlist + GOODALPNLEN)
    unsigned char buf[20];
    size_t written, readbytes;
    OSSL_TIME timer;
    /* Expected outcomes; individual cases below override the defaults */
    int err = 0;
    int readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
    int edstatus = SSL_EARLY_DATA_ACCEPTED;
    int connectres = 1;
    int testresult = 0;

    /* We always set this up with a final parameter of "2" for PSK */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, 2,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    servalpn = "goodalpn";

    /*
     * Note: There is no test for inconsistent SNI with late client detection.
     * Servers do not acknowledge SNI even if they are using it in a
     * resumption handshake, so a client cannot actually detect a problem.
     */
    switch (idx) {
    case 0:
        /* Set inconsistent SNI (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")))
            goto end;
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
            goto end;
        break;

    case 1:
        /* Set inconsistent ALPN (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
                                                      GOODALPNLEN)))
            goto end;
        /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
        if (!TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
                                            BADALPNLEN)))
            goto end;
        break;

    case 2:
        /*
         * Set invalid protocol version. Technically this affects PSKs
         * without early_data too, but it is tested here because it is
         * similar to the SNI/ALPN consistency tests.
         */
        err = SSL_R_BAD_PSK;
        if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
            goto end;
        break;

    case 3:
        /*
         * Set inconsistent SNI (server side). The connection will succeed
         * and accept early_data: in TLSv1.3 the server associates SNI with
         * each handshake, not with the session, so a different server name
         * last time should not matter.
         */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk))
            goto end;
        if (!TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
            goto end;
        /* Fall through */
    case 4:
        /* Set consistent SNI */
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")))
            goto end;
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                                                              hostname_cb)))
            goto end;
        break;

    case 5:
        /*
         * Set inconsistent ALPN (server detected). The connection will
         * succeed but reject early_data.
         */
        servalpn = "badalpn";
        edstatus = SSL_EARLY_DATA_REJECTED;
        readearlyres = SSL_READ_EARLY_DATA_FINISH;
        /* Fall through */
    case 6:
        /*
         * Set consistent ALPN.
         * SSL_set_alpn_protos returns 0 for success and 1 for failure and
         * takes a list of length-prefixed protos.
         * SSL_SESSION_set1_alpn_selected takes a single protocol without a
         * length prefix, hence the + 1 / - 1.
         */
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
                                                      GOODALPNLEN - 1)))
            goto end;
        if (!TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
                                            GOODALPNLEN)))
            goto end;

        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        break;

    case 7:
        /* Set inconsistent ALPN (late client detection) */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk))
            goto end;
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
                                                      BADALPN + 1,
                                                      BADALPNLEN - 1)))
            goto end;
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
                                                      GOODALPN + 1,
                                                      GOODALPNLEN - 1)))
            goto end;
        if (!TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
                                            sizeof(alpnlist))))
            goto end;
        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        edstatus = SSL_EARLY_DATA_ACCEPTED;
        readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
        /* SSL_connect() call should fail */
        connectres = -1;
        break;

    default:
        TEST_error("Bad test index");
        goto end;
    }

    SSL_set_connect_state(clientssl);

    if (err != 0) {
        /* The client must refuse to send early data, with reason err */
        if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                             &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL))
            goto end;
        if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
            goto end;

        testresult = 1;
        goto end;
    }

    timer = ossl_time_now();

    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     readearlyres)) {
        /* The result is whatever check_early_data_timeout() reports */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    /* The payload is only compared when early data was expected to arrive */
    if (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
        && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus))
        goto end;
    if (!TEST_int_eq(SSL_connect(clientssl), connectres))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4631
/*
 * Test that a TLSv1.3 PSK can be used to send early_data with each of the 7
 * ciphersuites:
 *   idx == 0: TLS1_3_RFC_AES_128_GCM_SHA256
 *   idx == 1: TLS1_3_RFC_AES_256_GCM_SHA384
 *   idx == 2: TLS1_3_RFC_CHACHA20_POLY1305_SHA256
 *   idx == 3: TLS1_3_RFC_AES_128_CCM_SHA256
 *   idx == 4: TLS1_3_RFC_AES_128_CCM_8_SHA256
 *   idx == 5: TLS1_3_RFC_SHA256_SHA256
 *   idx == 6: TLS1_3_RFC_SHA384_SHA384
 *
 * Returns 1 on success, and also when the suite is compiled out or is not
 * run under FIPS; 0 on failure.
 */
static int test_early_data_psk_with_all_ciphers(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    const SSL_CIPHER *cipher;
    OSSL_TIME timer;
    unsigned char buf[20];
    size_t written, readbytes;
    int testresult = 0;
    /* Ciphersuite names; NULL marks a suite that is compiled out */
    const char *cipher_str[] = {
        TLS1_3_RFC_AES_128_GCM_SHA256,
        TLS1_3_RFC_AES_256_GCM_SHA384,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
#else
        NULL,
#endif
        TLS1_3_RFC_AES_128_CCM_SHA256,
        TLS1_3_RFC_AES_128_CCM_8_SHA256,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS1_3_RFC_SHA256_SHA256,
        TLS1_3_RFC_SHA384_SHA384
#else
        NULL,
        NULL
#endif
    };
    /* Ciphersuite identifiers, in the same order as cipher_str[] */
    const unsigned char *cipher_bytes[] = {
        TLS13_AES_128_GCM_SHA256_BYTES,
        TLS13_AES_256_GCM_SHA384_BYTES,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS13_CHACHA20_POLY1305_SHA256_BYTES,
#else
        NULL,
#endif
        TLS13_AES_128_CCM_SHA256_BYTES,
        TLS13_AES_128_CCM_8_SHA256_BYTES,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS13_SHA256_SHA256_BYTES,
        TLS13_SHA384_SHA384_BYTES
#else
        NULL,
        NULL
#endif
    };

    if (cipher_str[idx] == NULL)
        return 1;

    /*
     * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
     * as currently FIPS module does not support them.
     */
    switch (idx) {
    case 2:
    case 5:
    case 6:
        if (is_fips == 1)
            return 1;
        break;
    default:
        break;
    }

    /* We always set this up with a final parameter of "2" for PSK */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, 2,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    switch (idx) {
    case 4:
    case 5:
    case 6:
        /*
         * CCM8 ciphers are considered low security due to their short tag.
         * Integrity-only ciphers do not provide any confidentiality.
         * Both ends are dropped to security level 0 for these suites.
         */
        SSL_set_security_level(clientssl, 0);
        SSL_set_security_level(serverssl, 0);
        break;
    default:
        break;
    }

    if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])))
        goto end;
    if (!TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
        goto end;

    /*
     * 'setupearly_data_test' creates a single SSL_SESSION, hands it to both
     * client and server with an incremented reference count, and returns
     * the same instance in 'sess'. Updating the ciphersuite in 'sess' is
     * therefore reflected in the PSK handshake through the psk use session
     * and find session callbacks.
     */
    cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
    if (!TEST_ptr(cipher))
        goto end;
    if (!TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
        goto end;

    SSL_set_connect_state(clientssl);
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)) {
        /* The result is whatever check_early_data_timeout() reports */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    /* Early data must arrive intact and the handshake must complete */
    if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(serverssl),
                     SSL_EARLY_DATA_ACCEPTED))
        goto end;
    if (!TEST_int_eq(SSL_connect(clientssl), 1))
        goto end;
    if (!TEST_int_eq(SSL_accept(serverssl), 1))
        goto end;

    /* Send some normal data from client to server */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)))
        goto end;
    if (!TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;
    if (!TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    if (clientssl != NULL)
        SSL_shutdown(clientssl);
    if (serverssl != NULL)
        SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4773
/*
 * Test that a server which never calls SSL_read_early_data() can handle a
 * client that sends early data anyway: the early data is expected to be
 * rejected on both sides and normal data must still flow afterwards.
 *
 * idx is handed on to setupearly_data_test(). Returns 1 on success and 0 on
 * failure.
 */
static int test_early_data_not_expected(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    size_t written, readbytes;
    unsigned char buf[20];
    int testresult = 0;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;

    /*
     * Server should skip over early data and then block waiting for client
     * to continue handshake
     */
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_gt(SSL_connect(clientssl), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(serverssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;
    if (!TEST_int_gt(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(clientssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;

    /* Send some normal data from client to server */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)))
        goto end;
    if (!TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;
    if (!TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4832
4833 #ifndef OPENSSL_NO_TLS1_2
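/*
 * Test that a server attempting to read early data can handle a connection
 * from a TLSv1.2 client.
 *
 * idx is handed on to setupearly_data_test(). Returns 1 on success and 0 on
 * failure.
 */
static int test_early_data_tls1_2(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char buf[20];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, NULL, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /*
     * Cap the client at TLSv1.2. The result is checked: if the cap were not
     * applied, the rest of the test would not be exercising a TLSv1.2
     * client at all.
     */
    if (!TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /*
     * Server should do TLSv1.2 handshake. First it will block waiting for more
     * messages from client after ServerDone. Then SSL_read_early_data should
     * finish and detect that early data has not been sent
     */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;

    /*
     * Continue writing the message we started earlier. Will still block waiting
     * for the CCS/Finished from server
     */
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                            &readbytes),
                        SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier, then exchange a
     * reply. Every call goes through a TEST_ macro so that a failing step
     * is reported rather than silently ending the test.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_NOT_SENT)
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}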
4906 #endif /* OPENSSL_NO_TLS1_2 */
4907
/*
 * Test configuring the TLSv1.3 ciphersuites on the client, with and without
 * an explicit (pre-TLSv1.3) cipher list also being set.
 *
 * Test 0: default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 1: non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 2: default ciphersuite in the SSL (no explicit cipher_list)
 * Test 3: non-default ciphersuite in the SSL (no explicit cipher_list)
 * Test 4: default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 5: non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 6: default ciphersuite in the SSL (SSL_CTX cipher_list)
 * Test 7: non-default ciphersuite in the SSL (SSL_CTX cipher_list)
 * Test 8: default ciphersuite in the SSL (SSL cipher_list)
 * Test 9: non-default ciphersuite in the SSL (SSL cipher_list)
 *
 * In every case the connection is expected to succeed.
 */
static int test_set_ciphersuite(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    /* The server offers both suites used by the client below */
    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                            "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
        goto end;

    switch (idx) {
    case 4:
    case 5:
    case 6:
    case 7:
        /* SSL_CTX explicit cipher list */
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
            goto end;
        break;
    default:
        break;
    }

    switch (idx) {
    case 0:
    case 4:
        /* Default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_128_GCM_SHA256")))
            goto end;
        break;
    case 1:
    case 5:
        /* Non default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_128_CCM_SHA256")))
            goto end;
        break;
    default:
        break;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    switch (idx) {
    case 8:
    case 9:
        /* SSL explicit cipher list */
        if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
            goto end;
        break;
    default:
        break;
    }

    switch (idx) {
    case 2:
    case 6:
    case 8:
        /* Default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                                            "TLS_AES_128_GCM_SHA256")))
            goto end;
        break;
    case 3:
    case 7:
    case 9:
        /* Non default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                                            "TLS_AES_128_CCM_SHA256")))
            goto end;
        break;
    default:
        break;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
4988
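/*
 * Check TLSv1.3 resumption behaviour when the client's ciphersuite list
 * changes between the original handshake and the resumption attempt:
 *  - a different ciphersuite with the same digest (SHA-256) still resumes;
 *  - a client offering no SHA-256 ciphersuite does not resume the session;
 *  - a client whose session claims a different digest than the ciphersuite
 *    the server selected must abort with
 *    SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_ciphersuite_change(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    const SSL_CIPHER *aes_128_gcm_sha256 = NULL;

    /* Create a session based on SHA-256 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                                   "TLS_AES_128_GCM_SHA256:"
                                                   "TLS_AES_256_GCM_SHA384:"
                                                   "TLS_AES_128_CCM_SHA256"))
            || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                   "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_ptr(cert) && 0)
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /*
     * Keep our own reference to the session and save its cipher for later.
     * Both pointers are dereferenced further down, so fail the test here
     * rather than crash if either is missing.
     */
    if (!TEST_ptr((clntsess = SSL_get1_session(clientssl)))
            || !TEST_ptr((aes_128_gcm_sha256
                          = SSL_SESSION_get0_cipher(clntsess))))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Check we can resume a session with a different SHA-256 ciphersuite */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                            "TLS_AES_128_CCM_SHA256"))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                             &clientssl, NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, clntsess))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_SESSION_free(clntsess);
    /*
     * A NULL session here would make the "does not resume" check below pass
     * without ever offering a session, so insist on a real one.
     */
    if (!TEST_ptr((clntsess = SSL_get1_session(clientssl))))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
     * succeeds but does not resume.
     */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, clntsess))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_SSL))
            || !TEST_false(SSL_session_reused(clientssl)))
        goto end;

    SSL_SESSION_free(clntsess);
    clntsess = NULL;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Create a session based on SHA384 */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                             &clientssl, NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /* The session's fields are overwritten directly below: it must exist */
    if (!TEST_ptr((clntsess = SSL_get1_session(clientssl))))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                                   "TLS_AES_256_GCM_SHA384"))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, clntsess))
            /*
             * We use SSL_ERROR_WANT_READ below so that we can pause the
             * connection after the initial ClientHello has been sent to
             * enable us to make some session changes.
             */
            || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_WANT_READ)))
        goto end;

    /*
     * Trick the client into thinking this session is for a different digest.
     * This writes SSL_SESSION internals directly, which is only possible
     * because this file includes ssl_local.h.
     */
    clntsess->cipher = aes_128_gcm_sha256;
    clntsess->cipher_id = clntsess->cipher->id;

    /*
     * Continue the previously started connection. Server has selected a SHA-384
     * ciphersuite, but client thinks the session is for SHA-256, so it should
     * bail out.
     */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                          SSL_ERROR_SSL))
            || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
                            SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}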
5121
5122 /*
5123 * Test TLSv1.3 Key exchange
5124 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
5125 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
5126 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
5127 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
5128 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
5129 * Test 5 = Test NID_X448 with TLSv1.3 client and server
5130 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
5131 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
5132 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
5133 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
5134 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
5135 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
5136 * Test 12 = Test all ML-KEM with TLSv1.3 client and server
5137 * Test 13 = Test MLKEM512
5138 * Test 14 = Test MLKEM768
5139 * Test 15 = Test MLKEM1024
5140 * Test 16 = Test X25519MLKEM768
5141 * Test 17 = Test SecP256r1MLKEM768
5142 * Test 18 = Test SecP384r1MLKEM1024
5143 * Test 19 = Test all ML-KEM with TLSv1.2 client and server
5144 * Test 20 = Test all FFDHE with TLSv1.2 client and server
5145 * Test 21 = Test all ECDHE with TLSv1.2 client and server
5146 */
#ifndef OPENSSL_NO_EC
/*
 * ECDHE groups used by the key exchange tests. The first entry is the group
 * test_key_exchange() expects to be negotiated when the whole list is set.
 */
static int ecdhe_kexch_groups[] = {
    NID_X9_62_prime256v1,
    NID_secp384r1,
    NID_secp521r1,
#ifndef OPENSSL_NO_ECX
    NID_X25519,
    NID_X448
#endif
};
#endif
#ifndef OPENSSL_NO_DH
/* FFDHE groups used by the key exchange tests, smallest first */
static int ffdhe_kexch_groups[] = {
    NID_ffdhe2048,
    NID_ffdhe3072,
    NID_ffdhe4096,
    NID_ffdhe6144,
    NID_ffdhe8192
};
#endif
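static int test_key_exchange(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int kexch_alg = NID_undef;
    /*
     * Groups are configured either by NID (kexch_groups/kexch_groups_size) or,
     * when kexch_groups is NULL, by name list (kexch_names). By default a
     * single NID taken from kexch_alg is used.
     */
    int *kexch_groups = &kexch_alg;
    int kexch_groups_size = 1;
    int max_version = TLS1_3_VERSION;
    /* Name of the group expected to be negotiated; only string literals */
    const char *kexch_name0 = NULL;
    const char *kexch_names = NULL;
    int shared_group0;

    switch (idx) {
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_TLS1_2
    case 21:
        max_version = TLS1_2_VERSION;
#endif
        /* Fall through */
    case 0:
        kexch_groups = ecdhe_kexch_groups;
        kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
        kexch_name0 = "secp256r1";
        break;
    case 1:
        kexch_alg = NID_X9_62_prime256v1;
        kexch_name0 = "secp256r1";
        break;
    case 2:
        kexch_alg = NID_secp384r1;
        kexch_name0 = "secp384r1";
        break;
    case 3:
        kexch_alg = NID_secp521r1;
        kexch_name0 = "secp521r1";
        break;
#ifndef OPENSSL_NO_ECX
    case 4:
        if (is_fips)
            return TEST_skip("X25519 might not be supported by fips provider.");
        kexch_alg = NID_X25519;
        kexch_name0 = "x25519";
        break;
    case 5:
        if (is_fips)
            return TEST_skip("X448 might not be supported by fips provider.");
        kexch_alg = NID_X448;
        kexch_name0 = "x448";
        break;
#endif
#endif
#ifndef OPENSSL_NO_DH
#ifndef OPENSSL_NO_TLS1_2
    case 20:
        max_version = TLS1_2_VERSION;
#endif
        /* Fall through: case 6 sets the group list and expected name */
    case 6:
        kexch_groups = ffdhe_kexch_groups;
        kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
        kexch_name0 = "ffdhe2048";
        break;
    case 7:
        kexch_alg = NID_ffdhe2048;
        kexch_name0 = "ffdhe2048";
        break;
    case 8:
        kexch_alg = NID_ffdhe3072;
        kexch_name0 = "ffdhe3072";
        break;
    case 9:
        kexch_alg = NID_ffdhe4096;
        kexch_name0 = "ffdhe4096";
        break;
    case 10:
        kexch_alg = NID_ffdhe6144;
        kexch_name0 = "ffdhe6144";
        break;
    case 11:
        kexch_alg = NID_ffdhe8192;
        kexch_name0 = "ffdhe8192";
        break;
#endif
#ifndef OPENSSL_NO_ML_KEM
#if !defined(OPENSSL_NO_TLS1_2)
    case 19:
        max_version = TLS1_2_VERSION;
#if !defined(OPENSSL_NO_EC)
        /* Set at least one EC group so the handshake completes */
        kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
#elif !defined(OPENSSL_NO_DH)
        kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
#else
        /* With neither EC nor DH TLS 1.2 can't happen */
        return 1;
#endif
#endif
        /* Fall through */
    case 12:
        kexch_groups = NULL;
        /* Keep the list chosen by case 19, if we fell through from it */
        if (kexch_names == NULL)
            kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
        kexch_name0 = "MLKEM512";
        break;
    case 13:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM512";
        kexch_names = kexch_name0;
        break;
    case 14:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM768";
        kexch_names = kexch_name0;
        break;
    case 15:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM1024";
        kexch_names = kexch_name0;
        break;
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_ECX
    case 16:
        kexch_groups = NULL;
        kexch_name0 = "X25519MLKEM768";
        kexch_names = kexch_name0;
        break;
#endif
    case 17:
        kexch_groups = NULL;
        kexch_name0 = "SecP256r1MLKEM768";
        kexch_names = kexch_name0;
        break;
    case 18:
        kexch_groups = NULL;
        kexch_name0 = "SecP384r1MLKEM1024";
        kexch_names = kexch_name0;
        break;
#endif
#endif
    default:
        /* We're skipping this test */
        return 1;
    }

    if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
            && idx >= 12 && idx <= 19)
        return TEST_skip("ML-KEM not supported in this version of fips provider");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    /* Pin a single TLSv1.3 ciphersuite on both sides */
    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                            TLS1_3_RFC_AES_128_GCM_SHA256)))
        goto end;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                            TLS1_3_RFC_AES_128_GCM_SHA256)))
        goto end;

    if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
                                           TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
            || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;

    /*
     * Must include an EC ciphersuite so that we send supported groups in
     * TLSv1.2
     */
#ifndef OPENSSL_NO_TLS1_2
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                           TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
        goto end;
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Both peers get the same group configuration */
    if (kexch_groups != NULL) {
        if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
                || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
            goto end;
    } else {
        if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
                || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * If the handshake succeeds the negotiated kexch alg should be the first
     * one configured, except in the TLSv1.2 runs with "all" ML-KEM and "all"
     * FFDHE groups (idx == 19, 20): those groups are TLSv1.3 only, so we
     * expect no shared group to exist.
     */
    shared_group0 = SSL_get_shared_group(serverssl, 0);
    switch (idx) {
    case 19:
#if !defined(OPENSSL_NO_EC)
        /* MLKEM + TLS 1.2 with EC available => "secp256r1" */
        if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
            goto end;
        break;
#endif
        /* Fall through */
    case 20:
        if (!TEST_int_eq(shared_group0, 0))
            goto end;
        break;
    default:
        /* The NID comparison only applies when groups were set by NID */
        if (kexch_groups != NULL
                && !TEST_int_eq(shared_group0, kexch_groups[0]))
            goto end;
        if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
                         kexch_name0))
            goto end;
        if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
                || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
            goto end;
        break;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}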
5400
5401 #if !defined(OPENSSL_NO_TLS1_2) \
5402 && !defined(OPENSSL_NO_EC) \
5403 && !defined(OPENSSL_NO_DH)
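/*
 * Configure the supported groups on a server/client pair.
 *
 * One side is restricted to the single group at position |idx| of
 * ecdhe_kexch_groups (if |isecdhe| is non-zero) or ffdhe_kexch_groups
 * (otherwise); the other side gets that whole list. If |clientmulti| is
 * non-zero the client gets the whole list and the server the single group,
 * otherwise the roles are swapped.
 *
 * Returns 1 on success, 0 if |idx| is out of range or a group could not be
 * set.
 */
static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
                          int isecdhe, int idx)
{
    int kexch_alg;
    int *all_groups;
    int num_groups;
    SSL *single_side, *multi_side;

    if (isecdhe) {
        all_groups = ecdhe_kexch_groups;
        num_groups = OSSL_NELEM(ecdhe_kexch_groups);
    } else {
        all_groups = ffdhe_kexch_groups;
        num_groups = OSSL_NELEM(ffdhe_kexch_groups);
    }

    /* idx indexes a fixed-size static array, so reject anything outside it */
    if (!TEST_int_ge(idx, 0) || !TEST_int_lt(idx, num_groups))
        return 0;
    kexch_alg = all_groups[idx];

    if (clientmulti) {
        single_side = serverssl;
        multi_side = clientssl;
    } else {
        single_side = clientssl;
        multi_side = serverssl;
    }

    /* The single-group side is configured first, then the full list */
    if (!TEST_true(SSL_set1_groups(single_side, &kexch_alg, 1)))
        return 0;
    if (!TEST_true(SSL_set1_groups(multi_side, all_groups, num_groups)))
        return 0;
    return 1;
}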
5445
5446 /*-
5447 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5448 * Run through both the ECDHE and FFDHE group lists used in the previous
5449 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5450 * confirming the expected result; then perform a resumption handshake
5451 * while offering the same group list, and another resumption handshake
5452 * offering a different group list. The returned value should be the
5453 * negotiated group for the initial handshake; for TLS 1.3 resumption
5454 * handshakes the returned value will be negotiated on the resumption
5455 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5456 * be cached in the session from the original handshake, regardless of what
5457 * was offered in the resumption ClientHello.
5458 *
5459 * Using E for the number of EC groups and F for the number of FF groups:
5460 * E tests of ECDHE with TLS 1.3, server only has one group
5461 * F tests of FFDHE with TLS 1.3, server only has one group
5462 * E tests of ECDHE with TLS 1.2, server only has one group
5463 * F tests of FFDHE with TLS 1.2, server only has one group
5464 * E tests of ECDHE with TLS 1.3, client sends only one group
5465 * F tests of FFDHE with TLS 1.3, client sends only one group
5466 * E tests of ECDHE with TLS 1.2, client sends only one group
5467 * F tests of FFDHE with TLS 1.2, client sends only one group
5468 */
static int test_negotiated_group(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *origsess = NULL;
    int clientmulti, istls13, isecdhe, numec, numff, numgroups;
    int expectednid, kexch_alg, max_version;
    int testresult = 0;

    numec = OSSL_NELEM(ecdhe_kexch_groups);
    numff = OSSL_NELEM(ffdhe_kexch_groups);
    numgroups = numec + numff;

    /*
     * Decode the flat test index: first which side offers the whole list,
     * then the protocol version, then the group family.
     */
    clientmulti = (idx < 2 * numgroups);
    idx %= 2 * numgroups;
    istls13 = (idx < numgroups);
    idx %= numgroups;
    isecdhe = (idx < numec);
    if (!isecdhe)
        idx -= numec;

    /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
    kexch_alg = isecdhe ? ecdhe_kexch_groups[idx] : ffdhe_kexch_groups[idx];

    /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
    expectednid = (istls13 || isecdhe) ? kexch_alg : NID_undef;

    if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
        return TEST_skip("X25519 and X448 might not be available in fips provider.");

    max_version = istls13 ? TLS1_3_VERSION : TLS1_2_VERSION;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    /*
     * Force (EC)DHE ciphers for TLS 1.2.
     * Be sure to enable auto tmp DH so that FFDHE can succeed.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
                                           TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
            || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))
            || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                                                  TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
        goto end;

    /* Initial handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
                                         idx))
            || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Both ends must report the configured group */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid))
        goto end;
    if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    /* Hold on to the session for the two resumption attempts */
    if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* First resumption attempt; use the same config as initial handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, origsess))
            || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
                                         isecdhe, idx))
            || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Nothing changed, so the reported group must not change either */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid))
        goto end;
    if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*-
     * Second resumption attempt
     * The party that picks one group changes it, which we effectuate by
     * changing 'idx' and updating what we expect.
     */
    idx = (idx == 0) ? 1 : idx - 1;
    if (istls13) {
        expectednid = isecdhe ? ecdhe_kexch_groups[idx]
                              : ffdhe_kexch_groups[idx];
        /* Verify that we are changing what we expect. */
        if (!TEST_int_ne(expectednid, kexch_alg))
            goto end;
    } else {
        /* TLS 1.2 only supports named groups for ECDHE. */
        expectednid = isecdhe ? kexch_alg : 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, origsess))
            || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
                                         isecdhe, idx))
            || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Check that we get what we expected */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid))
        goto end;
    if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(origsess);
    return testresult;
}
5622 #endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5623
5624 /*
5625 * Test TLSv1.3 Cipher Suite
5626 * Test 0 = Set TLS1.3 cipher on context
5627 * Test 1 = Set TLS1.3 cipher on SSL
5628 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5629 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5630 */
static int test_tls13_ciphersuite(int idx)
{
    /*
     * TLSv1.3 ciphersuite strings to try. fipscapable marks entries that are
     * still run when is_fips is set; low_security marks entries for which
     * both contexts are dropped to security level 0 before the handshake.
     */
    static const struct {
        const char *ciphername;
        int fipscapable;
        int low_security;
    } t13_ciphers[] = {
        { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
        { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384
          ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
            0, 0 },
#endif
        /* CCM8 ciphers are considered low security due to their short tag */
        { TLS1_3_RFC_AES_128_CCM_8_SHA256
          ":" TLS1_3_RFC_AES_128_CCM_SHA256,
            1, 1 },
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        /* Integrity-only cipher do not provide any confidentiality */
        { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
        { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
#endif
    };
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /* Even indices configure the SSL_CTX, odd ones the SSL objects */
    const int set_at_ctx = (idx == 0 || idx == 2);
    const int set_at_ssl = (idx == 1 || idx == 3);
    /* Tests 2 and 3 additionally set a TLSv1.2 cipher */
    const char *t12_cipher = (idx == 2 || idx == 3)
        ? TLS1_TXT_RSA_WITH_AES_128_SHA256
        : NULL;
    const char *t13_cipher = NULL;
    const char *negotiated_scipher;
    const char *negotiated_ccipher;
    int testresult = 0;
    int max_ver;
    size_t i;

    /* Run every table entry once per maximum protocol version */
    for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
#ifdef OPENSSL_NO_TLS1_2
        if (max_ver == TLS1_2_VERSION)
            continue;
#endif
        for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
            if (is_fips && !t13_ciphers[i].fipscapable)
                continue;

            t13_cipher = t13_ciphers[i].ciphername;
            if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                               TLS_client_method(),
                                               TLS1_VERSION, max_ver,
                                               &sctx, &cctx, cert, privkey)))
                goto end;

            /* Level 0 is applied only to the entries flagged low_security */
            if (t13_ciphers[i].low_security) {
                SSL_CTX_set_security_level(sctx, 0);
                SSL_CTX_set_security_level(cctx, 0);
            }

            if (set_at_ctx) {
                if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
                        || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
                    goto end;
                if (t12_cipher != NULL
                        && (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
                            || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                                                                  t12_cipher))))
                    goto end;
            }

            if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                              &clientssl, NULL, NULL)))
                goto end;

            if (set_at_ssl) {
                if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
                        || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
                    goto end;
                if (t12_cipher != NULL
                        && (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
                            || !TEST_true(SSL_set_cipher_list(clientssl,
                                                              t12_cipher))))
                    goto end;
            }

            if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_NONE)))
                goto end;

            /* Both ends must agree on the negotiated cipher */
            negotiated_scipher = SSL_CIPHER_get_name(
                SSL_get_current_cipher(serverssl));
            negotiated_ccipher = SSL_CIPHER_get_name(
                SSL_get_current_cipher(clientssl));
            if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
                goto end;

            /*
             * TEST_strn_eq is used below because t13_cipher can contain
             * multiple ciphersuites
             */
            if (max_ver == TLS1_3_VERSION
                    && !TEST_strn_eq(t13_cipher, negotiated_scipher,
                                     strlen(negotiated_scipher)))
                goto end;

#ifndef OPENSSL_NO_TLS1_2
            /* Below validation is not done when t12_cipher is NULL */
            if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
                    && !TEST_str_eq(t12_cipher, negotiated_scipher))
                goto end;
#endif

            /* Release everything and reset the pointers for the next pass */
            SSL_free(serverssl);
            serverssl = NULL;
            SSL_free(clientssl);
            clientssl = NULL;
            SSL_CTX_free(sctx);
            sctx = NULL;
            SSL_CTX_free(cctx);
            cctx = NULL;
        }
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
5780
5781 /*
5782 * Test TLSv1.3 PSKs
5783 * Test 0 = Test new style callbacks
5784 * Test 1 = Test both new and old style callbacks
5785 * Test 2 = Test old style callbacks
5786 * Test 3 = Test old style callbacks with no certificate
5787 */
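/*
 * Compare the four PSK callback counters with the values expected at this
 * point of test_tls13_psk(). TEST_int_eq is used so that a failure reports
 * the actual count as well as the expected one.
 * NOTE(review): assumes the file-scope counters are plain ints - confirm
 * against their definitions.
 * Returns 1 if all counters match, 0 otherwise.
 */
static int check_psk_cb_counts(int use_session, int find_session,
                               int psk_client, int psk_server)
{
    return TEST_int_eq(use_session_cb_cnt, use_session)
        && TEST_int_eq(find_session_cb_cnt, find_session)
        && TEST_int_eq(psk_client_cb_cnt, psk_client)
        && TEST_int_eq(psk_server_cb_cnt, psk_server);
}

static int test_tls13_psk(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    const SSL_CIPHER *cipher = NULL;
    /* Fixed 48-byte pattern used as the PSK master key for this test */
    const unsigned char key[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
        0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
        0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
    };
    /* Tests 0 and 1 install the new style (session based) callbacks */
    const int new_style = (idx == 0 || idx == 1);
    int testresult = 0;

    /* Test 3 runs without a certificate or private key */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, idx == 3 ? NULL : cert,
                                       idx == 3 ? NULL : privkey)))
        goto end;

    if (idx != 3) {
        /*
         * We use a ciphersuite with SHA256 to ease testing old style PSK
         * callbacks which will always default to SHA256. This should not be
         * necessary if we have no cert/priv key. In that case the server should
         * prefer SHA256 automatically.
         */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else {
        /*
         * As noted above the server should prefer SHA256 automatically. However
         * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
         * code works even if we are testing with only the FIPS provider loaded.
         */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_256_GCM_SHA384:"
                                                "TLS_AES_128_GCM_SHA256")))
            goto end;
    }

    /*
     * Test 0: New style callbacks only
     * Test 1: New and old style callbacks (only the new ones should be used)
     * Test 2: Old style callbacks only
     * Test 3: Old style callbacks only, no certificate
     */
    if (new_style) {
        SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
        SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
    }
#ifndef OPENSSL_NO_PSK
    if (idx >= 1) {
        SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
        SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
    }
#endif
    srvid = pskid;
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;
    psk_client_cb_cnt = 0;
    psk_server_cb_cnt = 0;

    if (idx != 3) {
        /*
         * Check we can create a connection if callback decides not to send a
         * PSK
         */
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                          NULL, NULL))
                || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                    SSL_ERROR_NONE))
                || !TEST_false(SSL_session_reused(clientssl))
                || !TEST_false(SSL_session_reused(serverssl)))
            goto end;

        if (new_style) {
            /*
             * If no old style callback then the client callback count
             * should be 0, otherwise 1 (i.e. equal to idx)
             */
            if (!check_psk_cb_counts(1, 0, idx, 0))
                goto end;
        } else {
            if (!check_psk_cb_counts(0, 0, 1, 0))
                goto end;
        }

        shutdown_ssl_connection(serverssl, clientssl);
        serverssl = clientssl = NULL;
        use_session_cb_cnt = psk_client_cb_cnt = 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Create the PSK */
    cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
    clientpsk = SSL_SESSION_new();
    if (!TEST_ptr(clientpsk)
            || !TEST_ptr(cipher)
            || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
                                                      sizeof(key)))
            || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
            || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
                                                           TLS1_3_VERSION))
            || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
        goto end;
    /*
     * The extra reference taken above belongs to serverpsk, so both pointers
     * can be freed independently at the end.
     */
    serverpsk = clientpsk;

    /* Check we can create a connection and the PSK is used */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl))
            || !TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (new_style) {
        if (!check_psk_cb_counts(1, 1, 0, 0))
            goto end;
    } else {
        if (!check_psk_cb_counts(0, 0, 1, 1))
            goto end;
    }

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    use_session_cb_cnt = find_session_cb_cnt = 0;
    psk_client_cb_cnt = psk_server_cb_cnt = 0;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Force an HRR */
#if defined(OPENSSL_NO_EC)
    if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
        goto end;
#else
    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
        goto end;
#endif

    /*
     * Check we can create a connection, the PSK is used and the callbacks are
     * called twice.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl))
            || !TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (new_style) {
        if (!check_psk_cb_counts(2, 2, 0, 0))
            goto end;
    } else {
        if (!check_psk_cb_counts(0, 0, 2, 2))
            goto end;
    }

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    use_session_cb_cnt = find_session_cb_cnt = 0;
    psk_client_cb_cnt = psk_server_cb_cnt = 0;

    if (idx != 3) {
        /*
         * Check that if the server rejects the PSK we can still connect, but with
         * a full handshake
         */
        srvid = "Dummy Identity";
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                          NULL, NULL))
                || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                    SSL_ERROR_NONE))
                || !TEST_false(SSL_session_reused(clientssl))
                || !TEST_false(SSL_session_reused(serverssl)))
            goto end;

        if (new_style) {
            /*
             * If no old style callback then the server callback count
             * should be 0, otherwise 1 (i.e. equal to idx)
             */
            if (!check_psk_cb_counts(1, 1, 0, idx))
                goto end;
        } else {
            if (!check_psk_cb_counts(0, 0, 1, 1))
                goto end;
        }

        shutdown_ssl_connection(serverssl, clientssl);
        serverssl = clientssl = NULL;
    }
    testresult = 1;

end:
    /* clientpsk and serverpsk are file-scope: reset them for later tests */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}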
6017
6018 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test TLS1.3 connection establishment succeeds with various configurations of
 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
 * The verification of whether the right KEX mode is chosen is not covered by
 * this test but by `test_tls13kexmodes`.
 *
 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
 *
 * Flow: one full handshake that must deliver two session tickets to the
 * client, followed by a second connection from a fresh client context that
 * resumes with the last ticket. Resumption is only asserted on the client
 * side.
 *
 * Security context: `SSL_OP_ALLOW_NO_DHE_KEX` permits PSK-only key exchange
 * on resumption, which gives up forward secrecy for the resumed session. The
 * test only proves that every option combination still connects; it says
 * nothing about whether a deployment should enable the option.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_tls13_no_dhe_kex(const int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    size_t j;
    /* Borrowed from sesscache; never freed through this pointer */
    SSL_SESSION *saved_session;

    /* Decode the three option bits carried in idx */
    int server_allow_no_dhe = (idx & 1) != 0;
    int server_prefer_no_dhe = (idx & 2) != 0;
    int client_allow_no_dhe = (idx & 4) != 0;

    uint64_t server_options = 0
        | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
        | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);

    uint64_t client_options = 0
        | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);

    /*
     * File-scope state defined outside this function; presumably read by
     * new_cachesession_cb to count and store tickets - confirm against it.
     */
    new_called = 0;
    do_cache = 1;

    /* TLSv1.3 is the minimum version; the maximum is left unrestricted (0) */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Sessions reach the test only through the new-session callback */
    SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    SSL_CTX_set_options(sctx, server_options);
    SSL_CTX_set_options(cctx, client_options);

    SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE))
            /* Check we got the number of tickets we were expecting */
            || !TEST_int_eq(2, new_called))
        goto end;

    /* We'll reuse the last ticket. */
    saved_session = sesscache[new_called - 1];

    /*
     * Tear down the first connection and the first client context. sctx is
     * kept so that the same server handles the resumption attempt.
     */
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(cctx);
    /* Cleared so the cleanup at end: cannot free them a second time */
    clientssl = serverssl = NULL;
    cctx = NULL;

    /*
     * Now we resume with the last ticket we created.
     */

    /* The server context already exists, so we only create the client. */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       NULL, &cctx, cert, privkey)))
        goto end;

    /* The new client context gets the same option bits as the first one */
    SSL_CTX_set_options(cctx, client_options);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, saved_session)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /*
     * Make sure the session was resumed.
     */
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Release every cached ticket, including the one saved_session points at */
    for (j = 0; j < OSSL_NELEM(sesscache); j++) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
6128 #endif /* OSSL_NO_USABLE_TLS1_3 */
6129
/* Fixed cookie value shared by the test cookie callbacks (test use only) */
static unsigned char cookie_magic_value[] = "cookie magic";

/*
 * Cookie generation callback for the tests: copies the fixed magic value
 * (without its NUL terminator) into |cookie| and stores its length in
 * |cookie_len|. |ssl| is not used.
 *
 * Not suitable as a real cookie generation function but good enough for
 * testing! A constant cookie is known to every peer, so it cannot show that a
 * ClientHello came from the address it claims. A production callback should
 * derive the cookie from a server-side secret and connection-specific data
 * such as the peer address, for example with an HMAC.
 *
 * No buffer capacity is passed in; this assumes the caller's |cookie| buffer
 * holds at least sizeof(cookie_magic_value) - 1 bytes.
 *
 * Always returns 1.
 */
static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                                    unsigned int *cookie_len)
{
    const unsigned int magic_len = sizeof(cookie_magic_value) - 1;

    memcpy(cookie, cookie_magic_value, magic_len);
    *cookie_len = magic_len;

    return 1;
}
6144
/*
 * Cookie verification callback for the tests. Returns 1 when |cookie| is
 * exactly the fixed magic value (same length, same bytes) and 0 otherwise.
 * |ssl| is not used.
 *
 * memcmp() is acceptable here only because the expected value is a public
 * test constant. A callback that compares against a secret-derived cookie
 * should use a constant-time comparison such as CRYPTO_memcmp().
 */
static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                                  unsigned int cookie_len)
{
    const unsigned int expected_len = sizeof(cookie_magic_value) - 1;

    /* Length is checked first so memcmp() never reads past either buffer */
    if (cookie_len != expected_len)
        return 0;

    return memcmp(cookie, cookie_magic_value, expected_len) == 0 ? 1 : 0;
}
6154
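/*
 * Adapter that gives generate_cookie_callback() the size_t based signature
 * expected by SSL_CTX_set_stateless_cookie_generate_cb().
 *
 * Writes the cookie into |cookie| and its length into |cookie_len|, and
 * returns whatever generate_cookie_callback() returned.
 */
static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
                                              size_t *cookie_len)
{
    /*
     * Initialised so that *cookie_len never receives an indeterminate value,
     * even if the wrapped generator were changed to fail before setting it.
     */
    unsigned int temp = 0;
    int res = generate_cookie_callback(ssl, cookie, &temp);

    *cookie_len = temp;
    return res;
}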
6163
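/*
 * Adapter that gives verify_cookie_callback() the size_t based signature
 * expected by SSL_CTX_set_stateless_cookie_verify_cb().
 *
 * Returns 1 if the cookie matches and 0 otherwise.
 */
static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
                                            size_t cookie_len)
{
    const unsigned int len32 = (unsigned int)cookie_len;

    /*
     * The cookie comes from the peer. Reject any length that does not survive
     * the narrowing to unsigned int instead of letting it wrap silently to a
     * value that could pass the length check in verify_cookie_callback().
     * (libssl is expected to bound the cookie length well below this; the
     * guard keeps this wrapper correct on its own.)
     */
    if ((size_t)len32 != cookie_len)
        return 0;

    return verify_cookie_callback(ssl, cookie, len32);
}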
6169
/*
 * Test SSL_stateless() with and without cookie callbacks.
 *
 * Three phases, all against the same server SSL object:
 *  1. No cookie callbacks configured: SSL_stateless() must return -1.
 *  2. Callbacks configured, first ClientHello only: must return 0 because the
 *     ClientHello carries no cookie yet.
 *  3. Callbacks configured, first and second ClientHello: must return 0 and
 *     then 1, after which the handshake is completed normally.
 *
 * The cookie callbacks used here exchange a fixed test value, so this checks
 * the API flow only, not the strength of any cookie scheme.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_stateless(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The arrival of CCS messages can confuse the test */
    SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            /* Send the first ClientHello */
            || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_WANT_READ))
            /*
             * This should fail with a -1 return because we have no callbacks
             * set up
             */
            || !TEST_int_eq(SSL_stateless(serverssl), -1))
        goto end;

    /* Fatal error so abandon the connection from this client */
    SSL_free(clientssl);
    /* Cleared so the cleanup at end: cannot free it a second time */
    clientssl = NULL;

    /* Set up the cookie generation and verification callbacks */
    SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
    SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);

    /*
     * Create a new connection from the client (we can reuse the server SSL
     * object).
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            /* Send the first ClientHello */
            || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_WANT_READ))
            /* This should fail because there is no cookie */
            || !TEST_int_eq(SSL_stateless(serverssl), 0))
        goto end;

    /* Abandon the connection from this client */
    SSL_free(clientssl);
    clientssl = NULL;

    /*
     * Now create a connection from a new client but with the same server SSL
     * object
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            /* Send the first ClientHello */
            || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_WANT_READ))
            /* This should fail because there is no cookie */
            || !TEST_int_eq(SSL_stateless(serverssl), 0)
            /* Send the second ClientHello */
            || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_WANT_READ))
            /* This should succeed because a cookie is now present */
            || !TEST_int_eq(SSL_stateless(serverssl), 1)
            /* Complete the connection */
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /*
     * The pointers are cleared straight after shutdown_ssl_connection(), so
     * the SSL_free() calls below act on NULL on the success path; presumably
     * the helper frees both objects - confirm against its definition.
     */
    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
6253 #endif /* OSSL_NO_USABLE_TLS1_3 */
6254
/*
 * Invocation counters for the custom extension callbacks. The prefix names
 * the side that ran the callback (clnt = client, srv = server), the middle
 * part the operation (add or parse) and the suffix the callback API flavour
 * (old or new style). test_custom_exts() resets them and compares them with
 * the expected number of calls.
 */
static int clntaddoldcb = 0;
static int clntparseoldcb = 0;
static int srvaddoldcb = 0;
static int srvparseoldcb = 0;
static int clntaddnewcb = 0;
static int clntparsenewcb = 0;
static int srvaddnewcb = 0;
static int srvparsenewcb = 0;
/* Number of times sni_cb() switched a connection to another SSL_CTX */
static int snicb = 0;

/* Extension type registered by the custom extension tests */
#define TEST_EXT_TYPE1 0xff00
6266
/*
 * Old style "add" callback for the custom extension tests.
 *
 * Counts the call for the side it ran on, then supplies a one byte payload
 * with the value 1. |add_arg| points to an int holding the role (1 = server,
 * 0 = client) the callback was registered for.
 *
 * Returns 1 with |*out| and |*outlen| set on success, or -1 if the registered
 * role does not match the connection or the allocation fails. The payload is
 * heap allocated and is released again by old_free_cb().
 */
static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
                      size_t *outlen, int *al, void *add_arg)
{
    const int *expect_server = add_arg;
    const int is_server = SSL_is_server(s);
    unsigned char *payload;

    if (is_server)
        srvaddoldcb++;
    else
        clntaddoldcb++;

    /* A callback registered for one role must never run for the other */
    if (*expect_server != is_server)
        return -1;

    payload = OPENSSL_malloc(sizeof(*payload));
    if (payload == NULL)
        return -1;

    *payload = 1;
    *out = payload;
    *outlen = sizeof(char);
    return 1;
}
6287
/*
 * Old style "free" callback: releases the payload allocated by old_add_cb().
 * The const qualifier is cast away because the callback signature hands the
 * buffer back as const.
 */
static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
                        void *add_arg)
{
    unsigned char *payload = (unsigned char *)out;

    OPENSSL_free(payload);
}
6293
/*
 * Old style "parse" callback for the custom extension tests.
 *
 * Counts the call for the side it ran on and accepts the extension only if
 * it is exactly one byte with the value 1. |parse_arg| points to an int
 * holding the role (1 = server, 0 = client) the callback was registered for.
 *
 * Returns 1 if the extension is as expected and -1 otherwise.
 */
static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
                        size_t inlen, int *al, void *parse_arg)
{
    const int *expect_server = parse_arg;
    const int is_server = SSL_is_server(s);

    if (is_server)
        srvparseoldcb++;
    else
        clntparseoldcb++;

    if (*expect_server != is_server)
        return -1;

    /* The length is validated before the peer supplied byte is read */
    if (inlen != sizeof(char))
        return -1;

    return *in == 1 ? 1 : -1;
}
6311
/*
 * New style "add" callback for the custom extension tests.
 *
 * Counts the call for the side it ran on, then supplies a one byte payload
 * with the value 1. |add_arg| points to an int holding the role (1 = server,
 * 0 = client) the callback was registered for. |context|, |x| and |chainidx|
 * are not used.
 *
 * Returns 1 with |*out| and |*outlen| set on success, or -1 if the registered
 * role does not match the connection or the allocation fails. The payload is
 * heap allocated and is released again by new_free_cb().
 */
static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
                      const unsigned char **out, size_t *outlen, X509 *x,
                      size_t chainidx, int *al, void *add_arg)
{
    const int *expect_server = add_arg;
    const int is_server = SSL_is_server(s);
    unsigned char *payload;

    if (is_server)
        srvaddnewcb++;
    else
        clntaddnewcb++;

    /* A callback registered for one role must never run for the other */
    if (*expect_server != is_server)
        return -1;

    payload = OPENSSL_malloc(sizeof(*payload));
    if (payload == NULL)
        return -1;

    *payload = 1;
    *out = payload;
    *outlen = sizeof(*payload);
    return 1;
}
6333
/*
 * New style "free" callback: releases the payload allocated by new_add_cb().
 * The const qualifier is cast away because the callback signature hands the
 * buffer back as const.
 */
static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
                        const unsigned char *out, void *add_arg)
{
    unsigned char *payload = (unsigned char *)out;

    OPENSSL_free(payload);
}
6339
/*
 * New style "parse" callback for the custom extension tests.
 *
 * Counts the call for the side it ran on and accepts the extension only if
 * it is exactly one byte with the value 1. |parse_arg| points to an int
 * holding the role (1 = server, 0 = client) the callback was registered for.
 * |context|, |x| and |chainidx| are not used.
 *
 * Returns 1 if the extension is as expected and -1 otherwise.
 */
static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
                        const unsigned char *in, size_t inlen, X509 *x,
                        size_t chainidx, int *al, void *parse_arg)
{
    const int *expect_server = parse_arg;
    const int is_server = SSL_is_server(s);

    if (is_server)
        srvparsenewcb++;
    else
        clntparsenewcb++;

    if (*expect_server != is_server)
        return -1;

    /* The length is validated before the peer supplied byte is read */
    if (inlen != sizeof(char))
        return -1;

    return *in == 1 ? 1 : -1;
}
6357
/*
 * Servername callback for the SNI variant of the custom extension tests.
 *
 * Switches the connection to the SSL_CTX passed in |arg| and counts the call
 * in snicb. Returns SSL_TLSEXT_ERR_OK on success; if the switch fails it sets
 * |*al| to SSL_AD_INTERNAL_ERROR and returns SSL_TLSEXT_ERR_ALERT_FATAL.
 */
static int sni_cb(SSL *s, int *al, void *arg)
{
    SSL_CTX *target = arg;

    if (SSL_set_SSL_CTX(s, target) != NULL) {
        snicb++;
        return SSL_TLSEXT_ERR_OK;
    }

    *al = SSL_AD_INTERNAL_ERROR;
    return SSL_TLSEXT_ERR_ALERT_FATAL;
}
6369
/*
 * Certificate verification callback that accepts every certificate: it
 * returns 1 regardless of |preverify_ok|, so chain validation errors are
 * overridden.
 *
 * Test use only. It lets a test request a client certificate without setting
 * up a trust store; a real verify callback must not discard |preverify_ok|
 * like this.
 */
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
    (void)preverify_ok;
    (void)x509_ctx;

    return 1;
}
6374
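/*
 * Custom call back tests.
 * Test 0: Old style callbacks in TLSv1.2
 * Test 1: New style callbacks in TLSv1.2
 * Test 2: New style callbacks in TLSv1.2 with SNI
 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
 *
 * Each test registers the custom extension on both sides, checks that a
 * duplicate registration is refused, runs a handshake and compares the
 * callback counters with the expected number of calls. Tests 0, 1, 2 and 4
 * then resume the session and check the counters again.
 *
 * The counter checks go through TEST_int_eq() so that a mismatch reports the
 * counter and its value instead of failing silently.
 *
 * Returns 1 on success (or when the test is skipped) and 0 on failure.
 */
static int test_custom_exts(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /*
     * Role markers handed to the callbacks as add_arg/parse_arg. They are
     * static because the SSL_CTX keeps the pointers after registration.
     */
    static int server = 1;
    static int client = 0;
    SSL_SESSION *sess = NULL;
    unsigned int context;

#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
    /* Skip tests for TLSv1.2 and below in this case */
    if (tst < 3)
        return 1;
#endif

    /* Reset callback counters */
    clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
    clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
    snicb = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The SNI test needs a second server context for sni_cb() to switch to */
    if (tst == 2
            && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
                                              TLS1_VERSION, 0,
                                              &sctx2, NULL, cert, privkey)))
        goto end;

    /* Tests 0 to 2 are about TLSv1.2 behaviour, so rule out TLSv1.3 */
    if (tst < 3) {
        SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
        SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
        if (sctx2 != NULL)
            SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
    }

    if (tst == 5) {
        context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
            | SSL_EXT_TLS1_3_CERTIFICATE;
        /*
         * Require a client certificate so that the CertificateRequest and the
         * client Certificate message are sent. verify_cb() accepts any
         * certificate, which is only acceptable inside a test.
         */
        SSL_CTX_set_verify(sctx,
                           SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                           verify_cb);
        if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
                                                      SSL_FILETYPE_PEM),
                         1)
                || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
                                                            SSL_FILETYPE_PEM),
                                1)
                || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
            goto end;
    } else if (tst == 4) {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
            | SSL_EXT_TLS1_3_CERTIFICATE
            | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
    } else {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
    }

    /* Create a client side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
                                                     old_add_cb, old_free_cb,
                                                     &client, old_parse_cb,
                                                     &client)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
                                              new_add_cb, new_free_cb,
                                              &client, new_parse_cb, &client)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
                                                  old_add_cb, old_free_cb,
                                                  &client, old_parse_cb,
                                                  &client))
            || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
                                                  context, new_add_cb,
                                                  new_free_cb, &client,
                                                  new_parse_cb, &client)))
        goto end;

    /* Create a server side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
                                                     old_add_cb, old_free_cb,
                                                     &server, old_parse_cb,
                                                     &server)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
                                              new_add_cb, new_free_cb,
                                              &server, new_parse_cb, &server)))
            goto end;
        if (sctx2 != NULL
                && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
                                                     context, new_add_cb,
                                                     new_free_cb, &server,
                                                     new_parse_cb, &server)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
                                                  old_add_cb, old_free_cb,
                                                  &server, old_parse_cb,
                                                  &server))
            || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
                                                  context, new_add_cb,
                                                  new_free_cb, &server,
                                                  new_parse_cb, &server)))
        goto end;

    if (tst == 2) {
        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
                || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /* Callback counts after the initial (full) handshake */
    if (tst == 0) {
        if (!TEST_int_eq(clntaddoldcb, 1)
                || !TEST_int_eq(clntparseoldcb, 1)
                || !TEST_int_eq(srvaddoldcb, 1)
                || !TEST_int_eq(srvparseoldcb, 1))
            goto end;
    } else if (tst == 1 || tst == 2 || tst == 3) {
        if (!TEST_int_eq(clntaddnewcb, 1)
                || !TEST_int_eq(clntparsenewcb, 1)
                || !TEST_int_eq(srvaddnewcb, 1)
                || !TEST_int_eq(srvparsenewcb, 1)
                /* The SNI callback must run once in test 2 and never else */
                || !TEST_int_eq(snicb, tst == 2 ? 1 : 0))
            goto end;
    } else if (tst == 5) {
        if (!TEST_int_eq(clntaddnewcb, 1)
                || !TEST_int_eq(clntparsenewcb, 1)
                || !TEST_int_eq(srvaddnewcb, 1)
                || !TEST_int_eq(srvparsenewcb, 1))
            goto end;
    } else {
        /* In this case there are 2 NewSessionTicket messages created */
        if (!TEST_int_eq(clntaddnewcb, 1)
                || !TEST_int_eq(clntparsenewcb, 5)
                || !TEST_int_eq(srvaddnewcb, 5)
                || !TEST_int_eq(srvparsenewcb, 1))
            goto end;
    }

    /* Keep a reference to the session so it can be offered for resumption */
    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Cleared so the cleanup at end: cannot free them a second time */
    serverssl = clientssl = NULL;

    if (tst == 3 || tst == 5) {
        /* We don't bother with the resumption aspects for these tests */
        testresult = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sess))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /*
     * For a resumed session we expect to add the ClientHello extension. For the
     * old style callbacks we ignore it on the server side because they set
     * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
     * them.
     */
    if (tst == 0) {
        if (!TEST_int_eq(clntaddoldcb, 2)
                || !TEST_int_eq(clntparseoldcb, 1)
                || !TEST_int_eq(srvaddoldcb, 1)
                || !TEST_int_eq(srvparseoldcb, 1))
            goto end;
    } else if (tst == 1 || tst == 2) {
        /* Test 3 never gets here: it returned before the resumption */
        if (!TEST_int_eq(clntaddnewcb, 2)
                || !TEST_int_eq(clntparsenewcb, 2)
                || !TEST_int_eq(srvaddnewcb, 2)
                || !TEST_int_eq(srvparsenewcb, 2))
            goto end;
    } else {
        /*
         * No Certificate message extensions in the resumption handshake,
         * 2 NewSessionTickets in the initial handshake, 1 in the resumption
         */
        if (!TEST_int_eq(clntaddnewcb, 2)
                || !TEST_int_eq(clntparsenewcb, 8)
                || !TEST_int_eq(srvaddnewcb, 8)
                || !TEST_int_eq(srvparsenewcb, 2))
            goto end;
    }

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}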
6609
6610 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6611
/*
 * Extension context used with the serverinfo V1 and the TLSv1.2 serverinfo V2
 * test data: ClientHello and TLSv1.2 ServerHello only, ignored on resumption.
 * NOTE(review): this appears to mirror the context libssl synthesises for V1
 * serverinfo - confirm against the library.
 */
#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
    | SSL_EXT_CLIENT_HELLO \
    | SSL_EXT_TLS1_2_SERVER_HELLO \
    | SSL_EXT_IGNORE_ON_RESUMPTION)

/* Extension context used with the TLSv1.3 serverinfo test data */
#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
    | SSL_EXT_TLS1_2_SERVER_HELLO \
    | SSL_EXT_CLIENT_HELLO)

/*
 * One serverinfo entry of seven bytes: 0x00 followed by the signed
 * certificate timestamp extension type, then 0x00 0x03, then the three
 * payload bytes 0x04 0x05 0x06. Presumably a 2 byte extension type followed
 * by a 2 byte payload length - confirm against the serverinfo format
 * documentation. serverinfo_custom_parse_cb() checks the last three bytes.
 */
#define SERVERINFO_CUSTOM \
    0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
        0x00, 0x03, \
        0x04, 0x05, 0x06

/*
 * The two prefixed variants put four bytes in front of the entry: two zero
 * bytes and then the low 16 bits of the context, high byte first.
 */
static const unsigned char serverinfo_custom_tls13[] = {
    0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
    SERVERINFO_CUSTOM
};
static const unsigned char serverinfo_custom_v2[] = {
    0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
    SERVERINFO_CUSTOM
};
/* V1 data is the bare entry without a context prefix */
static const unsigned char serverinfo_custom_v1[] = {
    SERVERINFO_CUSTOM
};
static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6640
/*
 * Client side parse callback for the serverinfo tests.
 *
 * Compares the received extension payload with the last three bytes of
 * serverinfo_custom_v1 and stores the result of that comparison in the int
 * that |parse_arg| points to.
 *
 * Always returns 1, so a mismatch does not abort the handshake; the caller
 * has to inspect the stored result.
 */
static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
                                      unsigned int context,
                                      const unsigned char *in,
                                      size_t inlen, X509 *x,
                                      size_t chainidx, int *al,
                                      void *parse_arg)
{
    int *p_cb_result = parse_arg;
    /* The expected payload is the 3 byte tail of the V1 serverinfo entry */
    const unsigned char *si
        = serverinfo_custom_v1 + (serverinfo_custom_v1_len - 3);

    *p_cb_result = TEST_mem_eq(in, inlen, si, 3);

    return 1;
}
6654
/*
 * Test that serverinfo data configured on the server reaches a client side
 * custom extension parse callback.
 *
 * Test 0: V1 data loaded with SSL_CTX_use_serverinfo(), TLSv1.2
 * Test 1: V1 data loaded with SSL_CTX_use_serverinfo_ex(), TLSv1.2
 * Test 2: V2 data loaded with SSL_CTX_use_serverinfo_ex(), TLSv1.2
 * Test 3: V2 data loaded with SSL_CTX_use_serverinfo_ex(), TLSv1.3
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_serverinfo_custom(const int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* Set by serverinfo_custom_parse_cb(); stays 0 if it never runs */
    int cb_result = 0;

    /*
     * Following variables are set in the switch statement
     * according to the test iteration.
     * Default values do not make much sense: test would fail with them.
     */
    int serverinfo_version = 0;
    int protocol_version = 0;
    unsigned int extension_context = 0;
    const unsigned char *si = NULL;
    size_t si_len = 0;

    /* Only test 0 goes through the older SSL_CTX_use_serverinfo() call */
    const int call_use_serverinfo_ex = idx > 0;
    switch (idx) {
    case 0: /* FALLTHROUGH */
    case 1:
        serverinfo_version = SSL_SERVERINFOV1;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v1;
        si_len = serverinfo_custom_v1_len;
        break;
    case 2:
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v2;
        si_len = serverinfo_custom_v2_len;
        break;
    case 3:
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_3_VERSION;
        extension_context = TLS13CONTEXT;
        si = serverinfo_custom_tls13;
        si_len = serverinfo_custom_tls13_len;
        break;
    }

    /* Minimum and maximum version are equal, pinning the protocol version */
    if (!TEST_true(create_ssl_ctx_pair(libctx,
                                       TLS_method(),
                                       TLS_method(),
                                       protocol_version,
                                       protocol_version,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (call_use_serverinfo_ex) {
        if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
                                                 si, si_len)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
            goto end;
    }

    /*
     * The client registers a parse callback only (add and free callbacks and
     * the add argument are NULL); the callback reports through cb_result.
     */
    if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
                                          extension_context,
                                          NULL, NULL, NULL,
                                          serverinfo_custom_parse_cb,
                                          &cb_result))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))
            || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
        goto end;

    /* Fails if the payload differed or the callback was never invoked */
    if (!TEST_true(cb_result))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
6741 #endif
6742
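/*
 * Test that SSL_export_keying_material() produces expected results. There are
 * no test vectors so all we do is test that both sides of the communication
 * produce the same results for different protocol versions.
 *
 * Test 0: TLSv1.0
 * Test 1: TLSv1.1
 * Test 2: TLSv1.2
 * Test 3: TLSv1.3 with a short label
 * Test 4: TLSv1.3 with the longest label allowed (LONG_LABEL_LEN bytes)
 * Test 5: TLSv1.3 with a label one byte too long, which must be rejected
 *
 * A test is skipped (returns 1) when its protocol version is compiled out;
 * tests 0 and 1 are also skipped when is_fips is set.
 *
 * Returns 1 on success (or when skipped) and 0 on failure.
 */
#define SMALL_LABEL_LEN 10
#define LONG_LABEL_LEN 249
static int test_export_key_mat(int tst)
{
    int testresult = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    /*
     * The array is sized for the longest label under test. Everything after
     * "test label" is zero, so the long label cases export with a label that
     * is padded with NUL bytes.
     */
    const char label[LONG_LABEL_LEN + 1] = "test label";
    const unsigned char context[] = "context";
    const unsigned char *emptycontext = NULL;
    unsigned char longcontext[1280];
    /* The long context case only runs when this version check passes */
    int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
    unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
    unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
    size_t labellen;
    /* Protocol version pinned on the client for each value of tst */
    const int protocols[] = {
        TLS1_VERSION,
        TLS1_1_VERSION,
        TLS1_2_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION
    };

#ifdef OPENSSL_NO_TLS1
    if (tst == 0)
        return 1;
#endif
#ifdef OPENSSL_NO_TLS1_1
    if (tst == 1)
        return 1;
#endif
    if (is_fips && (tst == 0 || tst == 1))
        return 1;
#ifdef OPENSSL_NO_TLS1_2
    if (tst == 2)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 3)
        return 1;
#endif
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
    SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
    SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
    /*
     * Security level 0 is requested for the pre-TLSv1.2 cases, presumably
     * because the default level would not let them negotiate. This is a
     * test-only setting. The calls are wrapped in TEST_true() so that a
     * failure is reported rather than silently ending the test.
     */
    if (protocols[tst] < TLS1_2_VERSION
            && (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                                   "DEFAULT:@SECLEVEL=0"))
                || !TEST_true(SSL_CTX_set_cipher_list(sctx,
                                                      "DEFAULT:@SECLEVEL=0"))))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    /*
     * Premature call of SSL_export_keying_material should just fail.
     */
    if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                                                sizeof(ckeymat1), label,
                                                SMALL_LABEL_LEN + 1, context,
                                                sizeof(context) - 1, 1),
                     0))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    if (tst == 5) {
        /*
         * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
         * go over that.
         */
        if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                                                    sizeof(ckeymat1), label,
                                                    LONG_LABEL_LEN + 1, context,
                                                    sizeof(context) - 1, 1),
                         0))
            goto end;

        testresult = 1;
        goto end;
    } else if (tst == 4) {
        labellen = LONG_LABEL_LEN;
    } else {
        labellen = SMALL_LABEL_LEN;
    }

    memset(longcontext, 1, sizeof(longcontext));

    /*
     * Export four variants on each side: with a context, with an empty
     * context (use_context set, length 0), without a context (use_context
     * clear) and, where supported, with a long context.
     */
    if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
                                                sizeof(ckeymat1), label,
                                                labellen, context,
                                                sizeof(context) - 1, 1),
                     1)
            || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
                                                       sizeof(ckeymat2), label,
                                                       labellen,
                                                       emptycontext,
                                                       0, 1),
                            1)
            || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
                                                       sizeof(ckeymat3), label,
                                                       labellen,
                                                       NULL, 0, 0),
                            1)
            || (test_longcontext
                && !TEST_int_eq(SSL_export_keying_material(clientssl,
                                                           ckeymat4,
                                                           sizeof(ckeymat4),
                                                           label,
                                                           labellen,
                                                           longcontext,
                                                           sizeof(longcontext),
                                                           1),
                                1))
            || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
                                                       sizeof(skeymat1), label,
                                                       labellen,
                                                       context,
                                                       sizeof(context) - 1, 1),
                            1)
            || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
                                                       sizeof(skeymat2), label,
                                                       labellen,
                                                       emptycontext,
                                                       0, 1),
                            1)
            || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
                                                       sizeof(skeymat3), label,
                                                       labellen,
                                                       NULL, 0, 0),
                            1)
            || (test_longcontext
                && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
                                                           sizeof(skeymat4),
                                                           label,
                                                           labellen,
                                                           longcontext,
                                                           sizeof(longcontext),
                                                           1),
                                1))
            /*
             * Check that both sides created the same key material with the
             * same context.
             */
            || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
                            sizeof(skeymat1))
            /*
             * Check that both sides created the same key material with an
             * empty context.
             */
            || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
                            sizeof(skeymat2))
            /*
             * Check that both sides created the same key material without a
             * context.
             */
            || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
                            sizeof(skeymat3))
            /*
             * Check that both sides created the same key material with a
             * long context.
             */
            || (test_longcontext
                && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
                                sizeof(skeymat4)))
            /* Different contexts should produce different results */
            || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
                            sizeof(ckeymat2)))
        goto end;

    /*
     * Check that an empty context and no context produce different results in
     * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
     */
    if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3)))
            || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}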
6938
6939 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that SSL_export_keying_material_early() produces expected
 * results. There are no test vectors so all we do is test that both
 * sides of the communication produce the same results for different
 * protocol versions.
 *
 * |idx| is passed on to setupearly_data_test(), which prepares the contexts,
 * connections and session used here.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_export_key_mat_early(int idx)
{
    static const char label[] = "test label";
    static const unsigned char context[] = "context";
    int testresult = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    const unsigned char *emptycontext = NULL;
    unsigned char ckeymat1[80], ckeymat2[80];
    unsigned char skeymat1[80], skeymat2[80];
    unsigned char buf[1];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
                                        &sess, idx, SHA384_DIGEST_LENGTH)))
        goto end;

    /* Here writing 0 length early data is enough. */
    if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
            || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                                &readbytes),
                            SSL_READ_EARLY_DATA_ERROR)
            /* The server must still report the early data as accepted */
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /* Export on both sides, once with a context and once with an empty one */
    if (!TEST_int_eq(SSL_export_keying_material_early(
                         clientssl, ckeymat1, sizeof(ckeymat1), label,
                         sizeof(label) - 1, context, sizeof(context) - 1),
                     1)
            || !TEST_int_eq(SSL_export_keying_material_early(
                                clientssl, ckeymat2, sizeof(ckeymat2), label,
                                sizeof(label) - 1, emptycontext, 0),
                            1)
            || !TEST_int_eq(SSL_export_keying_material_early(
                                serverssl, skeymat1, sizeof(skeymat1), label,
                                sizeof(label) - 1, context, sizeof(context) - 1),
                            1)
            || !TEST_int_eq(SSL_export_keying_material_early(
                                serverssl, skeymat2, sizeof(skeymat2), label,
                                sizeof(label) - 1, emptycontext, 0),
                            1)
            /*
             * Check that both sides created the same key material with the
             * same context.
             */
            || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
                            sizeof(skeymat1))
            /*
             * Check that both sides created the same key material with an
             * empty context.
             */
            || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
                            sizeof(skeymat2))
            /* Different contexts should produce different results */
            || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
                            sizeof(ckeymat2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    /*
     * clientpsk and serverpsk are file-scope sessions; presumably set up by
     * setupearly_data_test() for the PSK variants - confirm. They are freed
     * and cleared here so that no stale pointer is left for a later test.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7020
/* Number of KeyUpdate messages sent in each pass of test_key_update() */
#define NUM_KEY_UPDATE_MESSAGES 40
/*
 * Test KeyUpdate.
 *
 * After a TLSv1.3 handshake the client sends NUM_KEY_UPDATE_MESSAGES
 * KeyUpdate messages in two passes, first with SSL_KEY_UPDATE_NOT_REQUESTED
 * and then with SSL_KEY_UPDATE_REQUESTED. After each pass application data is
 * exchanged in both directions to check that the connection still works.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_key_update(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, i, j;
    /* Receive buffer; larger than the message that is sent */
    char buf[20];
    static char *mess = "A test message";

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       0,
                                       &sctx, &cctx, cert, privkey))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /* Pass 0: update not requested from the peer; pass 1: update requested */
    for (j = 0; j < 2; j++) {
        /* Send lots of KeyUpdate messages */
        for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
            if (!TEST_true(SSL_key_update(clientssl,
                                          (j == 0)
                                              ? SSL_KEY_UPDATE_NOT_REQUESTED
                                              : SSL_KEY_UPDATE_REQUESTED))
                    || !TEST_true(SSL_do_handshake(clientssl)))
                goto end;
        }

        /* Check that sending and receiving app data is ok */
        if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
                || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
                                strlen(mess)))
            goto end;

        /* And the same in the other direction */
        if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
                || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
                                strlen(mess)))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7077
/*
 * Test that an endpoint can handle an incoming KeyUpdate (update requested)
 * while one of its own writes is still pending.
 * Test 0: Client sends KeyUpdate while Server is writing
 * Test 1: Server sends KeyUpdate while Client is writing
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_key_update_peer_in_write(int tst)
{
    static char *mess = "A test message";
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *peerupdate = NULL, *peerwrite = NULL;
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    char buf[20];
    int testresult = 0;

    if (!TEST_ptr(bretry))
        goto end;
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* peerupdate initiates the KeyUpdate, peerwrite is caught mid-write */
    if (tst == 0) {
        peerupdate = clientssl;
        peerwrite = serverssl;
    } else {
        peerupdate = serverssl;
        peerwrite = clientssl;
    }

    if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(peerupdate), 1))
        goto end;

    /*
     * Replace the writer's write BIO with one that always asks for a retry.
     * The extra reference keeps the original BIO alive while it is detached;
     * if taking it fails, tmp is cleared so the cleanup below does not drop
     * a reference this function never owned.
     */
    tmp = SSL_get_wbio(peerwrite);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(peerwrite, bretry);
    /* Ownership of bretry has passed to peerwrite */
    bretry = NULL;

    /* This write cannot complete and must report SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
        goto end;
    if (!TEST_true(SSL_want_write(peerwrite)))
        goto end;
    if (!TEST_true(SSL_net_write_desired(peerwrite)))
        goto end;

    /* Put the original write BIO back; peerwrite owns the reference again */
    SSL_set0_wbio(peerwrite, tmp);
    tmp = NULL;

    /*
     * Read on the writer: this consumes the KeyUpdate and then finds no
     * application data, so it reports SSL_ERROR_WANT_READ.
     */
    if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
        goto end;
    if (!TEST_true(SSL_want_read(peerwrite)))
        goto end;
    if (!TEST_true(SSL_net_read_desired(peerwrite)))
        goto end;

    /* Finish the interrupted write and read it at the other endpoint */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* A further write makes sure the KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Nothing may be left pending on the writer afterwards */
    if (!TEST_false(SSL_net_read_desired(peerwrite)))
        goto end;
    if (!TEST_false(SSL_net_write_desired(peerwrite)))
        goto end;
    if (!TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}
7171
/*
 * Test that an endpoint can handle a KeyUpdate (update requested) while its
 * own read is pending after it has accepted the KeyUpdate (the 5 byte
 * record header of the following message has already been read).
 * Test 0: Client sends KeyUpdate while Server is reading
 * Test 1: Server sends KeyUpdate while Client is reading
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_key_update_peer_in_read(int tst)
{
    static char *mess = "A test message";
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *local = NULL, *peer = NULL;
    BIO *lbio = NULL, *pbio = NULL;
    char prbuf[515], lwbuf[515] = { 0 };
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* local initiates the KeyUpdate, peer is caught mid-read */
    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /*
     * Reconnect the two endpoints through a BIO pair with 512 byte buffers,
     * so that a single large record cannot be transferred in one go.
     */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /*
     * Queue the KeyUpdate and then write application data on local. The
     * write fails with SSL_ERROR_WANT_WRITE because the KeyUpdate message
     * plus the lwbuf application data record exceed 512 bytes (the size of
     * the BIO pair buffer).
     */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /*
     * peer first reads the KeyUpdate message and then starts on the
     * application data, which is incomplete, so SSL_ERROR_WANT_READ results.
     */
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* Writing on peer also sends its KeyUpdate response */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;

    /* Complete the write started on local and the read started on peer */
    if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
        goto end;

    /* Application data must still flow from local to peer */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7255
/*
 * Test that a KeyUpdate (update requested) cannot be sent while a local
 * write is still pending, and that it can be sent once that write has
 * completed.
 * Test 0: Client sends KeyUpdate while Client is writing
 * Test 1: Server sends KeyUpdate while Server is writing
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_key_update_local_in_write(int tst)
{
    static char *mess = "A test message";
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *local = NULL, *peer = NULL;
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    char buf[20];
    int testresult = 0;

    if (!TEST_ptr(bretry))
        goto end;
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* local both writes and requests the KeyUpdate */
    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /*
     * Replace local's write BIO with one that always asks for a retry. The
     * extra reference keeps the original BIO alive while it is detached; if
     * taking it fails, tmp is cleared so the cleanup below does not drop a
     * reference this function never owned.
     */
    tmp = SSL_get_wbio(local);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(local, bretry);
    /* Ownership of bretry has passed to local */
    bretry = NULL;

    /* The write on local cannot complete: SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Put the original write BIO back; local owns the reference again */
    SSL_set0_wbio(local, tmp);
    tmp = NULL;

    /*
     * With the write still pending, SSL_key_update() must be refused and
     * leave SSL_R_BAD_WRITE_RETRY on the error queue.
     */
    if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
        goto end;

    /* Drop the expected error so it does not leak into later checks */
    ERR_clear_error();

    /* Complete the write that was started on local */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;

    /* No write is pending any more, so the KeyUpdate is accepted */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /*
     * Send application data from local; the read on peer processes the
     * KeyUpdate message on the way.
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Write from peer to make sure its KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}
7346
/*
 * Test that a KeyUpdate (update requested) can be sent while a local read
 * is pending (the 5 byte record header has already been read).
 * Test 0: Client sends KeyUpdate while Client is reading
 * Test 1: Server sends KeyUpdate while Server is reading
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_key_update_local_in_read(int tst)
{
    static char *mess = "A test message";
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *local = NULL, *peer = NULL;
    BIO *lbio = NULL, *pbio = NULL;
    char lrbuf[515], pwbuf[515] = { 0 }, prbuf[20];
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* local both reads and requests the KeyUpdate */
    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /*
     * Reconnect the two endpoints through a BIO pair with 512 byte buffers,
     * so that the 515 byte write below cannot complete in one go.
     */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /* The application data write on peer stalls: SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* local sees only part of the record: SSL_ERROR_WANT_READ */
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* With that read pending, SSL_do_handshake() sends the KeyUpdate */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /* Complete the write started on peer and the read started on local */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
        goto end;

    /*
     * Send application data from local; the read on peer processes the
     * KeyUpdate message on the way.
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    /* Write from peer to make sure its KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7429 #endif /* OSSL_NO_USABLE_TLS1_3 */
7430
/*
 * Test reusing an SSL object after clearing it via SSL_clear(), or after
 * resetting it via SSL_set_connect_state()/SSL_set_accept_state().
 * Test 0: SSL_set_connect_state, TLSv1.3
 * Test 1: SSL_set_connect_state, TLSv1.2
 * Test 2: SSL_set_accept_state, TLSv1.3
 * Test 3: SSL_set_accept_state, TLSv1.2
 * Test 4: SSL_clear (client), TLSv1.3
 * Test 5: SSL_clear (client), TLSv1.2
 * Test 6: SSL_clear (server), TLSv1.3
 * Test 7: SSL_clear (server), TLSv1.2
 *
 * Before the reset, only part of a record is read from the object that will
 * be reused, so unread plaintext from the old connection is still buffered
 * at the time of the reset. The test does not inspect that buffer directly;
 * what it checks is that a fresh handshake on the reused object succeeds.
 *
 * Returns 1 on success, 0 on failure, or the TEST_skip() result when
 * TLSv1.2 is requested but not built.
 */
static int test_ssl_clear(int idx)
{
    const char *msg = "Hello World";
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *writer, *reader;
    unsigned char buf[5];
    size_t written, readbytes;
    int tls12test, servertest, cleartest;
    int testresult = 0;

    /* idx bits: 0 = use TLSv1.2, 1 = reuse the server, 2 = use SSL_clear() */
    tls12test = idx & 1;
    servertest = (idx >> 1) & 1;
    cleartest = (idx >> 2) & 1;

#ifdef OPENSSL_NO_TLS1_2
    if (tls12test == 1)
        return TEST_skip("No TLSv1.2 in this build");
#endif

    /* Create an initial connection, capped at TLSv1.2 where requested */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (tls12test
        && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
                                                    TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* The endpoint that will be reused is the one doing the reading */
    writer = servertest ? clientssl : serverssl;
    reader = servertest ? serverssl : clientssl;

    /* Write some data */
    if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written)))
        goto end;
    if (written != strlen(msg))
        goto end;

    /*
     * Read only sizeof(buf) bytes, less than the message written above, so
     * the rest of the record stays buffered in the reader. The clear/reset
     * below is expected to discard it.
     */
    if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes)))
        goto end;
    if (readbytes != sizeof(buf))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    /* Reset/clear one SSL object in order to reuse it; free the other one */
    if (servertest) {
        if (!cleartest)
            SSL_set_accept_state(serverssl);
        else if (!TEST_true(SSL_clear(serverssl)))
            goto end;
        SSL_free(clientssl);
        clientssl = NULL;
    } else {
        if (!cleartest)
            SSL_set_connect_state(clientssl);
        else if (!TEST_true(SSL_clear(clientssl)))
            goto end;
        SSL_free(serverssl);
        serverssl = NULL;
    }

    /*
     * Connect again with the reused object and a replacement for the freed
     * one (presumably create_ssl_objects() only creates the endpoint whose
     * pointer is NULL - confirm in ssltestlib). Session reuse is asserted
     * only when the client object is the one that was kept.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;
    if (!TEST_true(servertest || SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7543
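/*
 * Parse the ClientHello held in a memory BIO and retrieve the
 * max_fragment_length (MFL) extension code if the extension is present.
 *
 * bio is the memory BIO the ClientHello record was written to.
 * *mfl_codemfl_code receives the one byte MFL code; it is written only when
 * the extension was found.
 *
 * Returns 1 if the extension was found and parsed, 0 if it is absent or the
 * message is malformed or truncated. Every step goes through the PACKET
 * helpers and is checked, so a short buffer ends the parse instead of
 * reading past the end of the data.
 */
static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
{
    long len;
    unsigned char *data;
    PACKET pkt, pkt2, pkt3;
    unsigned int MFL_code = 0, type = 0;

    memset(&pkt, 0, sizeof(pkt));
    memset(&pkt2, 0, sizeof(pkt2));
    memset(&pkt3, 0, sizeof(pkt3));

    /* len is a long, so compare it as one; data is only valid if len > 0 */
    len = BIO_get_mem_data(bio, (char **)&data);

    if (!TEST_long_gt(len, 0)
        || !TEST_true(PACKET_buf_init(&pkt, data, len))
        /*
         * Skip the record header. Wrapped in TEST_true like the other steps
         * so that a truncated record is reported rather than failing
         * silently.
         */
        || !TEST_true(PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH))
        /* Skip the handshake message header */
        || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
        /* Skip client version and random */
        || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE))
        /* Skip session id */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Skip ciphers */
        || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
        /* Skip compression */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Extensions block: must account for all remaining bytes */
        || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
        return 0;

    /* Loop through all extensions: 2 byte type, then length-prefixed body */
    while (PACKET_remaining(&pkt2)) {
        if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
            || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
            return 0;

        if (type != TLSEXT_TYPE_max_fragment_length)
            continue;

        /* The extension body has to carry at least the one byte code */
        if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
            || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
            return 0;

        *mfl_codemfl_code = MFL_code;
        return 1;
    }

    /* No MFL extension in this ClientHello */
    return 0;
}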
7596
/* Maximum-Fragment-Length TLS extension modes to test, one per test index */
static const unsigned char max_fragment_len_test[] = {
    TLSEXT_max_fragment_length_512,
    TLSEXT_max_fragment_length_1024,
    TLSEXT_max_fragment_length_2048,
    TLSEXT_max_fragment_length_4096
};

/*
 * Test that the MFL mode configured on a client SSL_CTX appears in the
 * ClientHello that the client sends.
 *
 * idx_tst indexes max_fragment_len_test[]; it is not range checked here, so
 * the caller has to pass a valid index. No server is involved: the client
 * writes its ClientHello into a memory BIO, which is then parsed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_max_fragment_len_ext(int idx_tst)
{
    BIO *rbio, *wbio;
    SSL *con = NULL;
    SSL_CTX *ctx = NULL;
    int MFL_mode = 0;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
                                       TLS1_VERSION, 0, NULL, &ctx, NULL,
                                       NULL)))
        return 0;

    if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
            ctx, max_fragment_len_test[idx_tst])))
        goto end;

    con = SSL_new(ctx);
    if (!TEST_ptr(con))
        goto end;

    rbio = BIO_new(BIO_s_mem());
    wbio = BIO_new(BIO_s_mem());
    if (!TEST_ptr(rbio) || !TEST_ptr(wbio)) {
        /* con does not own the BIOs yet, so release them here */
        BIO_free(rbio);
        BIO_free(wbio);
        goto end;
    }

    /* From here on both BIOs are released together with con */
    SSL_set_bio(con, rbio, wbio);

    /* This shouldn't succeed because we don't have a server! */
    if (!TEST_int_le(SSL_connect(con), 0))
        goto end;

    /* The ClientHello must carry the MFL extension with the configured mode */
    if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))
        || !TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
        goto end;

    testresult = 1;

end:
    SSL_free(con);
    SSL_CTX_free(ctx);

    return testresult;
}
7654
7655 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test a client KeyUpdate issued while a TLSv1.3 post-handshake
 * authentication (PHA) request from the server is outstanding.
 *
 * Both contexts are pinned to TLSv1.3 and the client enables PHA. After the
 * initial handshake the server requests client authentication, the client
 * queues a KeyUpdate (update not requested), and both sides are then driven
 * to completion.
 *
 * The server sets SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 * so this exercises the message flow only; it is not a check that a client
 * without a certificate gets rejected.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_pha_key_update(void)
{
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    /* Both KeyUpdate and PHA exist only in TLSv1.3 */
    if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
        goto end;

    /* The client has to opt in to PHA before the handshake */
    SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /* Server asks for client authentication on the established connection */
    SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
    if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
        goto end;

    /* Client queues its KeyUpdate before it has seen the server's request */
    if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
        goto end;

    /* Start handshake on the server */
    if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
        goto end;

    /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
7711 #endif
7712
7713 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7714
/* SRP verifier base used by ssl_srp_cb(); set up and freed by test_srp() */
static SRP_VBASE *vbase = NULL;

/*
 * Server-side SRP username callback.
 *
 * Looks up the username presented by the client in vbase and installs that
 * user's SRP parameters (N, g, salt, verifier, info) on the connection.
 *
 * Returns 0 on success. On any failure (no username, user not found in
 * vbase, parameters rejected) it returns SSL3_AL_FATAL and sets *ad to
 * SSL_AD_INTERNAL_ERROR. An unknown user therefore aborts the handshake at
 * this point; that is fine for a test, but it lets a peer tell unknown
 * usernames apart from wrong passwords.
 *
 * arg is unused.
 */
static int ssl_srp_cb(SSL *s, int *ad, void *arg)
{
    SRP_user_pwd *user = NULL;
    char *username = SSL_get_srp_username(s);
    int ret = SSL3_AL_FATAL;

    if (username != NULL)
        user = SRP_VBASE_get1_by_user(vbase, username);

    if (user != NULL
        && SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
                                    user->info) > 0)
        ret = 0;
    else
        *ad = SSL_AD_INTERNAL_ERROR;

    /* The get1 lookup returned our own copy of the entry; NULL is harmless */
    SRP_user_pwd_free(user);
    return ret;
}
7748
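/*
 * Create a new SRP verifier file containing a single user entry.
 *
 * userid/password are the credentials the salt and verifier are derived
 * from; filename is the file to create (opened with mode "w", so an existing
 * file is overwritten).
 *
 * The file holds the salt and verifier only, not the password. A disclosed
 * verifier still allows offline password guessing, so outside of test
 * fixtures such a file needs restrictive permissions.
 *
 * Returns 1 on success, 0 on failure.
 */
static int create_new_vfile(char *userid, char *password, const char *filename)
{
    /* Not freed here. NOTE(review): presumably a static group name - confirm */
    char *gNid = NULL;
    /* Element size comes from *row, not from the pointer type of row */
    OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(*row) * (DB_NUMBER + 1));
    TXT_DB *db = NULL;
    int ret = 0;
    BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
    size_t i;

    if (!TEST_ptr(dummy) || !TEST_ptr(row))
        goto end;

    /* Fills in the salt and verifier columns of the row */
    gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
                                  &row[DB_srpverifier], NULL, NULL, libctx, NULL);
    if (!TEST_ptr(gNid))
        goto end;

    /*
     * The only way to create an empty TXT_DB is to provide a BIO with no data
     * in it!
     */
    db = TXT_DB_read(dummy, DB_NUMBER);
    if (!TEST_ptr(db))
        goto end;

    out = BIO_new_file(filename, "w");
    if (!TEST_ptr(out))
        goto end;

    row[DB_srpid] = OPENSSL_strdup(userid);
    row[DB_srptype] = OPENSSL_strdup("V");
    row[DB_srpgN] = OPENSSL_strdup(gNid);

    if (!TEST_ptr(row[DB_srpid])
        || !TEST_ptr(row[DB_srptype])
        || !TEST_ptr(row[DB_srpgN])
        || !TEST_true(TXT_DB_insert(db, row)))
        goto end;

    /* The row now belongs to db and is released by TXT_DB_free() */
    row = NULL;

    /* Report a failed write through the test framework, like other steps */
    if (!TEST_long_gt(TXT_DB_write(out, db), 0))
        goto end;

    ret = 1;
end:
    /* Only reached with a non-NULL row if db never took ownership of it */
    if (row != NULL) {
        for (i = 0; i < DB_NUMBER; i++)
            OPENSSL_free(row[i]);
    }
    OPENSSL_free(row);
    BIO_free(dummy);
    BIO_free(out);
    TXT_DB_free(db);

    return ret;
}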
7806
/*
 * Add a single user to the global vbase, with a salt and verifier freshly
 * derived from userid/password over the default SRP group.
 *
 * vbase must already have been allocated by the caller. The password itself
 * is not stored, only the salt and verifier.
 *
 * Returns 1 on success, 0 on failure.
 */
static int create_new_vbase(char *userid, char *password)
{
    const SRP_gN *lgN = SRP_get_default_gN(NULL);
    SRP_user_pwd *user_pwd = NULL;
    BIGNUM *verifier = NULL, *salt = NULL;
    int ret = 0;

    if (!TEST_ptr(lgN))
        goto end;

    if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
                                             lgN->N, lgN->g, libctx, NULL)))
        goto end;

    user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
    if (!TEST_ptr(user_pwd))
        goto end;

    /* N and g point at the default group's values; they are not copied */
    user_pwd->N = lgN->N;
    user_pwd->g = lgN->g;
    user_pwd->id = OPENSSL_strdup(userid);
    if (!TEST_ptr(user_pwd->id))
        goto end;

    /* Hand salt and verifier to the entry so they are not freed twice below */
    user_pwd->v = verifier;
    user_pwd->s = salt;
    verifier = salt = NULL;

    if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) != 0) {
        /* The entry is now held by vbase's user stack */
        user_pwd = NULL;
        ret = 1;
    }

end:
    SRP_user_pwd_free(user_pwd);
    BN_free(salt);
    BN_free(verifier);

    return ret;
}
7848
/*
 * SRP tests
 *
 * Test 0: Simple successful SRP connection, new vbase
 * Test 1: Connection failure due to bad password, new vbase
 * Test 2: Simple successful SRP connection, vbase loaded from existing file
 * Test 3: Connection failure due to bad password, vbase loaded from existing
 *         file
 * Test 4: Simple successful SRP connection, vbase loaded from new file
 * Test 5: Connection failure due to bad password, vbase loaded from new file
 *
 * Odd test numbers configure the client with the wrong password and require
 * the handshake to fail; even numbers use the right password and require it
 * to succeed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_srp(int tst)
{
    char *userid = "test", *password = "password", *tstsrpfile;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ret, testresult = 0;

    /*
     * No seed key is supplied. As far as the SRP API documents it, unknown
     * users then get no stand-in entry from the lookup in ssl_srp_cb().
     */
    vbase = SRP_VBASE_new(NULL);
    if (!TEST_ptr(vbase))
        goto end;

    if (tst == 0 || tst == 1) {
        /* Populate vbase in memory */
        if (!TEST_true(create_new_vbase(userid, password)))
            goto end;
    } else {
        /* Load vbase from a verifier file: freshly written or pre-existing */
        tstsrpfile = srpvfile;
        if (tst == 4 || tst == 5) {
            if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
                goto end;
            tstsrpfile = tmpfilename;
        }
        if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The SRP ciphersuite used here needs both sides capped at TLSv1.2 */
    if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0))
        goto end;
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)))
        goto end;
    if (!TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
        goto end;

    if (tst % 2 == 1) {
        /* Negative case: the client password does not match the verifier */
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
            goto end;
    } else {
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /*
     * Not wrapped in TEST_true: failure is the expected outcome for the bad
     * password cases. The result only has to match the parity of tst.
     */
    ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (ret) {
        if (!TEST_true(tst % 2 == 0))
            goto end;
    } else {
        if (!TEST_true(tst % 2 == 1))
            goto end;
    }

    testresult = 1;

end:
    /* vbase is a file-level pointer: reset it so no stale pointer remains */
    SRP_VBASE_free(vbase);
    vbase = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7931 #endif
7932
7933 static int info_cb_failed = 0;
7934 static int info_cb_offset = 0;
7935 static int info_cb_this_state = -1;
7936
7937 static struct info_cb_states_st {
7938 int where;
7939 const char *statestr;
7940 } info_cb_states[][60] = {
7941 {
7942 /* TLSv1.2 server followed by resumption */
7943 { SSL_CB_HANDSHAKE_START, NULL },
7944 { SSL_CB_LOOP, "PINIT" },
7945 { SSL_CB_LOOP, "PINIT" },
7946 { SSL_CB_LOOP, "TRCH" },
7947 { SSL_CB_LOOP, "TWSH" },
7948 { SSL_CB_LOOP, "TWSC" },
7949 { SSL_CB_LOOP, "TWSKE" },
7950 { SSL_CB_LOOP, "TWSD" },
7951 { SSL_CB_EXIT, NULL },
7952 { SSL_CB_LOOP, "TWSD" },
7953 { SSL_CB_LOOP, "TRCKE" },
7954 { SSL_CB_LOOP, "TRCCS" },
7955 { SSL_CB_LOOP, "TRFIN" },
7956 { SSL_CB_LOOP, "TWST" },
7957 { SSL_CB_LOOP, "TWCCS" },
7958 { SSL_CB_LOOP, "TWFIN" },
7959 { SSL_CB_HANDSHAKE_DONE, NULL },
7960 { SSL_CB_EXIT, NULL },
7961 { SSL_CB_ALERT, NULL },
7962 { SSL_CB_HANDSHAKE_START, NULL },
7963 { SSL_CB_LOOP, "PINIT" },
7964 { SSL_CB_LOOP, "PINIT" },
7965 { SSL_CB_LOOP, "TRCH" },
7966 { SSL_CB_LOOP, "TWSH" },
7967 { SSL_CB_LOOP, "TWCCS" },
7968 { SSL_CB_LOOP, "TWFIN" },
7969 { SSL_CB_EXIT, NULL },
7970 { SSL_CB_LOOP, "TWFIN" },
7971 { SSL_CB_LOOP, "TRCCS" },
7972 { SSL_CB_LOOP, "TRFIN" },
7973 { SSL_CB_HANDSHAKE_DONE, NULL },
7974 { SSL_CB_EXIT, NULL },
7975 { 0, NULL },
7976 },
7977 {
7978 /* TLSv1.2 client followed by resumption */
7979 { SSL_CB_HANDSHAKE_START, NULL },
7980 { SSL_CB_LOOP, "PINIT" },
7981 { SSL_CB_LOOP, "TWCH" },
7982 { SSL_CB_EXIT, NULL },
7983 { SSL_CB_LOOP, "TWCH" },
7984 { SSL_CB_LOOP, "TRSH" },
7985 { SSL_CB_LOOP, "TRSC" },
7986 { SSL_CB_LOOP, "TRSKE" },
7987 { SSL_CB_LOOP, "TRSD" },
7988 { SSL_CB_LOOP, "TWCKE" },
7989 { SSL_CB_LOOP, "TWCCS" },
7990 { SSL_CB_LOOP, "TWFIN" },
7991 { SSL_CB_EXIT, NULL },
7992 { SSL_CB_LOOP, "TWFIN" },
7993 { SSL_CB_LOOP, "TRST" },
7994 { SSL_CB_LOOP, "TRCCS" },
7995 { SSL_CB_LOOP, "TRFIN" },
7996 { SSL_CB_HANDSHAKE_DONE, NULL },
7997 { SSL_CB_EXIT, NULL },
7998 { SSL_CB_ALERT, NULL },
7999 { SSL_CB_HANDSHAKE_START, NULL },
8000 { SSL_CB_LOOP, "PINIT" },
8001 { SSL_CB_LOOP, "TWCH" },
8002 { SSL_CB_EXIT, NULL },
8003 { SSL_CB_LOOP, "TWCH" },
8004 { SSL_CB_LOOP, "TRSH" },
8005 { SSL_CB_LOOP, "TRCCS" },
8006 { SSL_CB_LOOP, "TRFIN" },
8007 { SSL_CB_LOOP, "TWCCS" },
8008 { SSL_CB_LOOP, "TWFIN" },
8009 { SSL_CB_HANDSHAKE_DONE, NULL },
8010 { SSL_CB_EXIT, NULL },
8011 { 0, NULL },
8012 },
8013 {
8014 /* TLSv1.3 server followed by resumption */
8015 { SSL_CB_HANDSHAKE_START, NULL },
8016 { SSL_CB_LOOP, "PINIT" },
8017 { SSL_CB_LOOP, "PINIT" },
8018 { SSL_CB_LOOP, "TRCH" },
8019 { SSL_CB_LOOP, "TWSH" },
8020 { SSL_CB_LOOP, "TWCCS" },
8021 { SSL_CB_LOOP, "TWEE" },
8022 { SSL_CB_LOOP, "TWSC" },
8023 { SSL_CB_LOOP, "TWSCV" },
8024 { SSL_CB_LOOP, "TWFIN" },
8025 { SSL_CB_LOOP, "TED" },
8026 { SSL_CB_EXIT, NULL },
8027 { SSL_CB_LOOP, "TED" },
8028 { SSL_CB_LOOP, "TRFIN" },
8029 { SSL_CB_HANDSHAKE_DONE, NULL },
8030 { SSL_CB_LOOP, "TWST" },
8031 { SSL_CB_LOOP, "TWST" },
8032 { SSL_CB_EXIT, NULL },
8033 { SSL_CB_ALERT, NULL },
8034 { SSL_CB_HANDSHAKE_START, NULL },
8035 { SSL_CB_LOOP, "PINIT" },
8036 { SSL_CB_LOOP, "PINIT" },
8037 { SSL_CB_LOOP, "TRCH" },
8038 { SSL_CB_LOOP, "TWSH" },
8039 { SSL_CB_LOOP, "TWCCS" },
8040 { SSL_CB_LOOP, "TWEE" },
8041 { SSL_CB_LOOP, "TWFIN" },
8042 { SSL_CB_LOOP, "TED" },
8043 { SSL_CB_EXIT, NULL },
8044 { SSL_CB_LOOP, "TED" },
8045 { SSL_CB_LOOP, "TRFIN" },
8046 { SSL_CB_HANDSHAKE_DONE, NULL },
8047 { SSL_CB_LOOP, "TWST" },
8048 { SSL_CB_EXIT, NULL },
8049 { 0, NULL },
8050 },
8051 {
8052 /* TLSv1.3 client followed by resumption */
8053 { SSL_CB_HANDSHAKE_START, NULL },
8054 { SSL_CB_LOOP, "PINIT" },
8055 { SSL_CB_LOOP, "TWCH" },
8056 { SSL_CB_EXIT, NULL },
8057 { SSL_CB_LOOP, "TWCH" },
8058 { SSL_CB_LOOP, "TRSH" },
8059 { SSL_CB_LOOP, "TREE" },
8060 { SSL_CB_LOOP, "TRSC" },
8061 { SSL_CB_LOOP, "TRSCV" },
8062 { SSL_CB_LOOP, "TRFIN" },
8063 { SSL_CB_LOOP, "TWCCS" },
8064 { SSL_CB_LOOP, "TWFIN" },
8065 { SSL_CB_HANDSHAKE_DONE, NULL },
8066 { SSL_CB_EXIT, NULL },
8067 { SSL_CB_LOOP, "SSLOK" },
8068 { SSL_CB_LOOP, "SSLOK" },
8069 { SSL_CB_LOOP, "TRST" },
8070 { SSL_CB_EXIT, NULL },
8071 { SSL_CB_LOOP, "SSLOK" },
8072 { SSL_CB_LOOP, "SSLOK" },
8073 { SSL_CB_LOOP, "TRST" },
8074 { SSL_CB_EXIT, NULL },
8075 { SSL_CB_ALERT, NULL },
8076 { SSL_CB_HANDSHAKE_START, NULL },
8077 { SSL_CB_LOOP, "PINIT" },
8078 { SSL_CB_LOOP, "TWCH" },
8079 { SSL_CB_EXIT, NULL },
8080 { SSL_CB_LOOP, "TWCH" },
8081 { SSL_CB_LOOP, "TRSH" },
8082 { SSL_CB_LOOP, "TREE" },
8083 { SSL_CB_LOOP, "TRFIN" },
8084 { SSL_CB_LOOP, "TWCCS" },
8085 { SSL_CB_LOOP, "TWFIN" },
8086 { SSL_CB_HANDSHAKE_DONE, NULL },
8087 { SSL_CB_EXIT, NULL },
8088 { SSL_CB_LOOP, "SSLOK" },
8089 { SSL_CB_LOOP, "SSLOK" },
8090 { SSL_CB_LOOP, "TRST" },
8091 { SSL_CB_EXIT, NULL },
8092 { 0, NULL },
8093 },
8094 {
8095 /* TLSv1.3 server, early_data */
8096 { SSL_CB_HANDSHAKE_START, NULL },
8097 { SSL_CB_LOOP, "PINIT" },
8098 { SSL_CB_LOOP, "PINIT" },
8099 { SSL_CB_LOOP, "TRCH" },
8100 { SSL_CB_LOOP, "TWSH" },
8101 { SSL_CB_LOOP, "TWCCS" },
8102 { SSL_CB_LOOP, "TWEE" },
8103 { SSL_CB_LOOP, "TWFIN" },
8104 { SSL_CB_HANDSHAKE_DONE, NULL },
8105 { SSL_CB_EXIT, NULL },
8106 { SSL_CB_HANDSHAKE_START, NULL },
8107 { SSL_CB_LOOP, "TED" },
8108 { SSL_CB_LOOP, "TED" },
8109 { SSL_CB_LOOP, "TWEOED" },
8110 { SSL_CB_LOOP, "TRFIN" },
8111 { SSL_CB_HANDSHAKE_DONE, NULL },
8112 { SSL_CB_LOOP, "TWST" },
8113 { SSL_CB_EXIT, NULL },
8114 { 0, NULL },
8115 },
8116 {
8117 /* TLSv1.3 client, early_data */
8118 { SSL_CB_HANDSHAKE_START, NULL },
8119 { SSL_CB_LOOP, "PINIT" },
8120 { SSL_CB_LOOP, "TWCH" },
8121 { SSL_CB_LOOP, "TWCCS" },
8122 { SSL_CB_HANDSHAKE_DONE, NULL },
8123 { SSL_CB_EXIT, NULL },
8124 { SSL_CB_HANDSHAKE_START, NULL },
8125 { SSL_CB_LOOP, "TED" },
8126 { SSL_CB_LOOP, "TED" },
8127 { SSL_CB_LOOP, "TRSH" },
8128 { SSL_CB_LOOP, "TREE" },
8129 { SSL_CB_LOOP, "TRFIN" },
8130 { SSL_CB_LOOP, "TPEDE" },
8131 { SSL_CB_LOOP, "TWEOED" },
8132 { SSL_CB_LOOP, "TWFIN" },
8133 { SSL_CB_HANDSHAKE_DONE, NULL },
8134 { SSL_CB_EXIT, NULL },
8135 { SSL_CB_LOOP, "SSLOK" },
8136 { SSL_CB_LOOP, "SSLOK" },
8137 { SSL_CB_LOOP, "TRST" },
8138 { SSL_CB_EXIT, NULL },
8139 { 0, NULL },
8140 },
8141 {
8142 /* TLSv1.3 server, certificate compression, followed by resumption */
8143 { SSL_CB_HANDSHAKE_START, NULL },
8144 { SSL_CB_LOOP, "PINIT" },
8145 { SSL_CB_LOOP, "PINIT" },
8146 { SSL_CB_LOOP, "TRCH" },
8147 { SSL_CB_LOOP, "TWSH" },
8148 { SSL_CB_LOOP, "TWCCS" },
8149 { SSL_CB_LOOP, "TWEE" },
8150 { SSL_CB_LOOP, "TWSCC" },
8151 { SSL_CB_LOOP, "TWSCV" },
8152 { SSL_CB_LOOP, "TWFIN" },
8153 { SSL_CB_LOOP, "TED" },
8154 { SSL_CB_EXIT, NULL },
8155 { SSL_CB_LOOP, "TED" },
8156 { SSL_CB_LOOP, "TRFIN" },
8157 { SSL_CB_HANDSHAKE_DONE, NULL },
8158 { SSL_CB_LOOP, "TWST" },
8159 { SSL_CB_LOOP, "TWST" },
8160 { SSL_CB_EXIT, NULL },
8161 { SSL_CB_ALERT, NULL },
8162 { SSL_CB_HANDSHAKE_START, NULL },
8163 { SSL_CB_LOOP, "PINIT" },
8164 { SSL_CB_LOOP, "PINIT" },
8165 { SSL_CB_LOOP, "TRCH" },
8166 { SSL_CB_LOOP, "TWSH" },
8167 { SSL_CB_LOOP, "TWCCS" },
8168 { SSL_CB_LOOP, "TWEE" },
8169 { SSL_CB_LOOP, "TWFIN" },
8170 { SSL_CB_LOOP, "TED" },
8171 { SSL_CB_EXIT, NULL },
8172 { SSL_CB_LOOP, "TED" },
8173 { SSL_CB_LOOP, "TRFIN" },
8174 { SSL_CB_HANDSHAKE_DONE, NULL },
8175 { SSL_CB_LOOP, "TWST" },
8176 { SSL_CB_EXIT, NULL },
8177 { 0, NULL },
8178 },
8179 {
8180 /* TLSv1.3 client, certificate compression, followed by resumption */
8181 { SSL_CB_HANDSHAKE_START, NULL },
8182 { SSL_CB_LOOP, "PINIT" },
8183 { SSL_CB_LOOP, "TWCH" },
8184 { SSL_CB_EXIT, NULL },
8185 { SSL_CB_LOOP, "TWCH" },
8186 { SSL_CB_LOOP, "TRSH" },
8187 { SSL_CB_LOOP, "TREE" },
8188 { SSL_CB_LOOP, "TRSCC" },
8189 { SSL_CB_LOOP, "TRSCV" },
8190 { SSL_CB_LOOP, "TRFIN" },
8191 { SSL_CB_LOOP, "TWCCS" },
8192 { SSL_CB_LOOP, "TWFIN" },
8193 { SSL_CB_HANDSHAKE_DONE, NULL },
8194 { SSL_CB_EXIT, NULL },
8195 { SSL_CB_LOOP, "SSLOK" },
8196 { SSL_CB_LOOP, "SSLOK" },
8197 { SSL_CB_LOOP, "TRST" },
8198 { SSL_CB_EXIT, NULL },
8199 { SSL_CB_LOOP, "SSLOK" },
8200 { SSL_CB_LOOP, "SSLOK" },
8201 { SSL_CB_LOOP, "TRST" },
8202 { SSL_CB_EXIT, NULL },
8203 { SSL_CB_ALERT, NULL },
8204 { SSL_CB_HANDSHAKE_START, NULL },
8205 { SSL_CB_LOOP, "PINIT" },
8206 { SSL_CB_LOOP, "TWCH" },
8207 { SSL_CB_EXIT, NULL },
8208 { SSL_CB_LOOP, "TWCH" },
8209 { SSL_CB_LOOP, "TRSH" },
8210 { SSL_CB_LOOP, "TREE" },
8211 { SSL_CB_LOOP, "TRFIN" },
8212 { SSL_CB_LOOP, "TWCCS" },
8213 { SSL_CB_LOOP, "TWFIN" },
8214 { SSL_CB_HANDSHAKE_DONE, NULL },
8215 { SSL_CB_EXIT, NULL },
8216 { SSL_CB_LOOP, "SSLOK" },
8217 { SSL_CB_LOOP, "SSLOK" },
8218 { SSL_CB_LOOP, "TRST" },
8219 { SSL_CB_EXIT, NULL },
8220 { 0, NULL },
8221 },
8222 {
8223 { 0, NULL },
8224 }
8225 };
8226
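/*
 * Info callback installed by test_info_callback(). Every invocation is
 * compared with the next entry of the expected-state list selected by
 * info_cb_offset; any mismatch sets info_cb_failed.
 *
 * s:     the connection reporting the event
 * where: bitmask describing the event (SSL_CB_* and SSL_ST_* flags)
 * ret:   0 is treated as a connection failure by this test
 */
static void sslapi_info_callback(const SSL *s, int where, int ret)
{
    struct info_cb_states_st *state = info_cb_states[info_cb_offset];

    /*
     * Once a mismatch has been recorded the test has already failed. Return
     * immediately so that later callbacks do not keep advancing
     * info_cb_this_state beyond the { 0, NULL } terminator of the list.
     */
    if (info_cb_failed)
        return;

    /* We do not ever expect a connection to fail in this test */
    if (!TEST_false(ret == 0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Sanity checks. A server must never report a connect state and a client
     * must never report an accept state. The pre-increment moves on to the
     * entry expected for this event, which must not be the terminator.
     */
    if (!TEST_false(SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0)
            || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
            || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
        info_cb_failed = 1;
        return;
    }

    /* Now check we're in the right state */
    if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
        info_cb_failed = 1;
        return;
    }

    /* For loop events the state string must match the expected one as well */
    if ((where & SSL_CB_LOOP) != 0
            && !TEST_int_eq(strcmp(SSL_state_string(s),
                                   state[info_cb_this_state].statestr),
                            0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init.
     * Reported through TEST_false so that a failure leaves a diagnostic, as
     * the other checks in this callback do.
     */
    if (!TEST_false((where & SSL_CB_HANDSHAKE_DONE) != 0
                    && SSL_in_init((SSL *)s) != 0)) {
        info_cb_failed = 1;
        return;
    }
}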
8270
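/*
 * Test the info callback gets called when we expect it to.
 *
 * Test 0: TLSv1.2, server
 * Test 1: TLSv1.2, client
 * Test 2: TLSv1.3, server
 * Test 3: TLSv1.3, client
 * Test 4: TLSv1.3, server, early_data
 * Test 5: TLSv1.3, client, early_data
 * Test 6: TLSv1.3, server, compressed certificate
 * Test 7: TLSv1.3, client, compressed certificate
 *
 * tst also selects the expected-state list used by sslapi_info_callback().
 * Returns 1 on success (or when the required protocol is not built in) and
 * 0 on failure.
 */
static int test_info_callback(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    int tlsvers;

    if (tst < 2) {
/* We need either ECDHE or DHE for the TLSv1.2 test to work */
#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH))
        tlsvers = TLS1_2_VERSION;
#else
        return 1;
#endif
    } else {
#ifndef OSSL_NO_USABLE_TLS1_3
        tlsvers = TLS1_3_VERSION;
#else
        return 1;
#endif
    }

    /* Reset globals */
    info_cb_failed = 0;
    info_cb_this_state = -1;
    info_cb_offset = tst;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (tst >= 4 && tst < 6) {
        SSL_SESSION *sess = NULL;
        size_t written, readbytes;
        unsigned char buf[80];
        OSSL_TIME timer;

        /* early_data tests */
        if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                            &serverssl, &sess, 0,
                                            SHA384_DIGEST_LENGTH)))
            goto end;

        /* We don't actually need this reference */
        SSL_SESSION_free(sess);

        /* Even numbered tests watch the server, odd numbered the client */
        SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
                              sslapi_info_callback);

        /* Write and read some early data and then complete the connection */
        timer = ossl_time_now();
        if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                            &written))
                || !TEST_size_t_eq(written, strlen(MSG1)))
            goto end;

        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
                                             sizeof(buf), &readbytes),
                         SSL_READ_EARLY_DATA_SUCCESS)) {
            /* The result is decided by check_early_data_timeout() */
            testresult = check_early_data_timeout(timer);
            goto end;
        }

        if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
                || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                                SSL_EARLY_DATA_ACCEPTED)
                || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                    SSL_ERROR_NONE))
                || !TEST_false(info_cb_failed))
            goto end;

        testresult = 1;
        goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       tlsvers, tlsvers, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;

    /*
     * For even numbered tests we check the server callbacks. For odd numbers we
     * check the client.
     */
    SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
                              sslapi_info_callback);
    if (tst >= 6) {
        /* Wrapped in TEST_true so that a failure here is reported */
        if (!TEST_true(SSL_CTX_compress_certs(sctx, 0)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))
            || !TEST_false(info_cb_failed))
        goto end;

    /* Keep a reference to the session so that it can be resumed below */
    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL))
            || !TEST_true(SSL_set_session(clientssl, clntsess))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))
            || !TEST_true(SSL_session_reused(clientssl))
            || !TEST_false(info_cb_failed))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_SESSION_free(clntsess);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}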
8411
/*
 * Check SSL_pending() and SSL_has_pending() before any data is exchanged and
 * after a record has only been partially read.
 *
 * Test 0: TLS
 * Otherwise: DTLS (skipped when DTLS is not built in)
 *
 * Returns 1 on success or skip, 0 on failure.
 */
static int test_ssl_pending(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char msg[] = "A test message";
    /* Deliberately smaller than msg so that a read leaves data pending */
    char buf[5];
    size_t written, readbytes;

    if (tst == 0) {
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                           TLS_client_method(),
                                           TLS1_VERSION, 0,
                                           &sctx, &cctx, cert, privkey)))
            goto end;
    } else {
#ifndef OPENSSL_NO_DTLS
        if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
                                           DTLS_client_method(),
                                           DTLS1_VERSION, 0,
                                           &sctx, &cctx, cert, privkey)))
            goto end;

#ifdef OPENSSL_NO_DTLS1_2
        /* Not supported in the FIPS provider */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0. The level is lowered on both contexts for this test only.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
#endif
#else
        return 1;
#endif
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* Nothing has been sent yet, so neither side has anything pending */
    if (!TEST_int_eq(SSL_pending(clientssl), 0)
            || !TEST_false(SSL_has_pending(clientssl))
            || !TEST_int_eq(SSL_pending(serverssl), 0)
            || !TEST_false(SSL_has_pending(serverssl)))
        goto end;

    /* Send the whole message but read only sizeof(buf) bytes of it */
    if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
            || !TEST_size_t_eq(written, sizeof(msg))
            || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
            || !TEST_size_t_eq(readbytes, sizeof(buf)))
        goto end;

    /* The unread remainder must now be reported as pending */
    if (!TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
            || !TEST_true(SSL_has_pending(clientssl)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
8483
/*
 * Test vectors for int_test_ssl_get_shared_ciphers(). An expected value of ""
 * means the handshake itself is expected to fail.
 */
static struct {
    /* Maximum protocol version passed to create_ssl_ctx_pair() */
    unsigned int maxprot;
    /* Cipher list set on the client with SSL_CTX_set_cipher_list() */
    const char *clntciphers;
    /* Client TLSv1.3 ciphersuites, or NULL to leave them unchanged */
    const char *clnttls13ciphers;
    /* Cipher list set on the server with SSL_CTX_set_cipher_list() */
    const char *srvrciphers;
    /* Server TLSv1.3 ciphersuites, or NULL to leave them unchanged */
    const char *srvrtls13ciphers;
    /* Expected SSL_get_shared_ciphers() result when is_fips is not set */
    const char *shared;
    /* Expected SSL_get_shared_ciphers() result when is_fips is set */
    const char *fipsshared;
} shared_ciphers_data[] = {
/*
 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
 * TLSv1.3 is enabled but TLSv1.2 is disabled.
 */
#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
    { TLS1_2_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES256-SHA:DHE-RSA-AES128-SHA",
        NULL,
        "AES256-SHA",
        "AES256-SHA" },
#if !defined(OPENSSL_NO_CHACHA)      \
    && !defined(OPENSSL_NO_POLY1305) \
    && !defined(OPENSSL_NO_EC)
    /* The FIPS expectation omits the ChaCha20-Poly1305 ciphersuite */
    { TLS1_2_VERSION,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        NULL,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        NULL,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        "AES128-SHA" },
#endif
    { TLS1_2_VERSION,
        "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:AES256-SHA",
        "AES128-SHA:AES256-SHA" },
    { TLS1_2_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:DHE-RSA-AES128-SHA",
        NULL,
        "AES128-SHA",
        "AES128-SHA" },
    /* No cipher in common: the handshake is expected to fail */
    { TLS1_2_VERSION,
        "AES256-SHA",
        NULL,
        "AES128-SHA",
        NULL,
        "",
        "" },
#endif
/*
 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
 * enabled.
 */
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
    && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    { TLS1_3_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES256-SHA:AES128-SHA256",
        NULL,
        "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
        "TLS_AES_128_GCM_SHA256:AES256-SHA",
        "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" },
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    { TLS1_3_VERSION,
        "AES128-SHA",
        "TLS_AES_256_GCM_SHA384",
        "AES256-SHA",
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384" },
    /* Expected value is "", i.e. the handshake is expected to fail */
    { TLS1_3_VERSION,
        "AES128-SHA",
        "TLS_AES_128_GCM_SHA256",
        "AES256-SHA",
        "TLS_AES_256_GCM_SHA384",
        "",
        "" },
#endif
};
8570
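/*
 * Run one shared_ciphers_data[] vector and compare the server's
 * SSL_get_shared_ciphers() output with the expected string.
 *
 * tst:  index into shared_ciphers_data[]
 * clnt: non-zero to give the client the context created in the temporary
 *       library context, zero to give it to the server
 *
 * Returns 1 on success, 0 on failure.
 */
static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char buf[1024];
    OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
    const char *expbuf = is_fips ? shared_ciphers_data[tst].fipsshared
                                 : shared_ciphers_data[tst].shared;
    /* An empty expectation means the handshake is expected to fail */
    int handshakeok = strcmp(expbuf, "") != 0;

    /*
     * Start with an empty string. If SSL_get_shared_ciphers() returns NULL
     * the diagnostic below would otherwise print an uninitialised buffer.
     */
    buf[0] = '\0';

    if (!TEST_ptr(tmplibctx))
        goto end;

    /*
     * Regardless of whether we're testing with the FIPS provider loaded into
     * libctx, we want one peer to always use the full set of ciphersuites
     * available. Therefore we use a separate libctx with the default provider
     * loaded into it. We run the same tests twice - once with the client side
     * having the full set of ciphersuites and once with the server side.
     */
    if (clnt) {
        cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
        if (!TEST_ptr(cctx))
            goto end;
    } else {
        sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
        if (!TEST_ptr(sctx))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       shared_ciphers_data[tst].maxprot,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The TLSv1.3 ciphersuites are only changed when the vector gives them */
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                           shared_ciphers_data[tst].clntciphers))
            || (shared_ciphers_data[tst].clnttls13ciphers != NULL
                && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                  shared_ciphers_data[tst].clnttls13ciphers)))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx,
                                           shared_ciphers_data[tst].srvrciphers))
            || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
                && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                  shared_ciphers_data[tst].srvrtls13ciphers))))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (handshakeok) {
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE)))
            goto end;
    } else {
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                              SSL_ERROR_NONE)))
            goto end;
    }

    if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
            || !TEST_int_eq(strcmp(buf, expbuf), 0)) {
        TEST_info("Shared ciphers are: %s\n", buf);
        goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_LIB_CTX_free(tmplibctx);

    return testresult;
}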
8652
/*
 * Run the shared ciphers vector tst twice: first with clnt set to 0, then
 * with clnt set to 1. The second run is skipped if the first one fails.
 * Returns 1 only if both runs succeed.
 */
static int test_ssl_get_shared_ciphers(int tst)
{
    if (!int_test_ssl_get_shared_ciphers(tst, 0))
        return 0;

    return int_test_ssl_get_shared_ciphers(tst, 1) ? 1 : 0;
}
8658
/* Application data stored in the ticket and expected back on decryption */
static const char *appdata = "Hello World";
/* Set to 1 by gen_tick_cb() */
static int gen_tick_called;
/* Set to 1 by dec_tick_cb() */
static int dec_tick_called;
/* Set to 1 by tick_key_cb() and tick_key_evp_cb() */
static int tick_key_cb_called;
/*
 * Controls the ticket key callbacks: -1 makes them return 0 straight away,
 * 0 makes them return 1 and any other value makes them return 2.
 */
static int tick_key_renew = 0;
/* Returned by dec_tick_cb() when no ticket key callback has been called */
static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8663
/*
 * Ticket generation callback: records that it ran and attaches appdata to the
 * session of s. arg is unused. Returns whatever
 * SSL_SESSION_set1_ticket_appdata() returns.
 */
static int gen_tick_cb(SSL *s, void *arg)
{
    SSL_SESSION *sess;

    gen_tick_called = 1;

    sess = SSL_get_session(s);
    return SSL_SESSION_set1_ticket_appdata(sess, appdata, strlen(appdata));
}
8671
/*
 * Ticket decryption callback: records that it ran, checks that the ticket
 * carries the application data stored by gen_tick_cb() and decides what to do
 * with the ticket. s, keyname, keyname_length and arg are unused.
 *
 * Returns SSL_TICKET_RETURN_IGNORE_RENEW for an empty ticket,
 * SSL_TICKET_RETURN_ABORT on any failed check, a value derived from status if
 * a ticket key callback has been called, and tick_dec_ret otherwise.
 */
static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
                                     const unsigned char *keyname,
                                     size_t keyname_length,
                                     SSL_TICKET_STATUS status,
                                     void *arg)
{
    void *tickdata;
    size_t tickdlen;
    int decrypted;

    dec_tick_called = 1;

    if (status == SSL_TICKET_EMPTY)
        return SSL_TICKET_RETURN_IGNORE_RENEW;

    /* Anything other than a successfully decrypted ticket is a failure */
    decrypted = status == SSL_TICKET_SUCCESS
        || status == SSL_TICKET_SUCCESS_RENEW;
    if (!TEST_true(decrypted))
        return SSL_TICKET_RETURN_ABORT;

    if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata, &tickdlen)))
        return SSL_TICKET_RETURN_ABORT;
    /*
     * The length is checked before memcmp() so that the comparison never
     * reads more than strlen(appdata) bytes of either buffer.
     */
    if (!TEST_size_t_eq(tickdlen, strlen(appdata))
            || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
        return SSL_TICKET_RETURN_ABORT;

    if (!tick_key_cb_called)
        return tick_dec_ret;

    /*
     * Don't change what the ticket key callback wanted to do. Only the two
     * success statuses can reach this point because of the check above.
     */
    switch (status) {
    case SSL_TICKET_NO_DECRYPT:
        return SSL_TICKET_RETURN_IGNORE_RENEW;

    case SSL_TICKET_SUCCESS:
        return SSL_TICKET_RETURN_USE;

    case SSL_TICKET_SUCCESS_RENEW:
        return SSL_TICKET_RETURN_USE_RENEW;

    default:
        return SSL_TICKET_RETURN_ABORT;
    }
}
8714
#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Ticket key callback using the deprecated HMAC_CTX interface. s is unused.
 *
 * Returns 0 if tick_key_renew is -1 or an algorithm cannot be fetched, -1 if
 * the cipher or HMAC context cannot be initialised, 2 if tick_key_renew is
 * set and 1 otherwise.
 *
 * The fixed keys and the all-zero IV and key name are test fixtures only: they
 * make every ticket use the same key material. A callback in a real server
 * needs secret keys and a fresh random IV for every ticket.
 */
static int tick_key_cb(SSL *s, unsigned char key_name[16],
                       unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
                       HMAC_CTX *hctx, int enc)
{
    /* Exactly 16 bytes each: the arrays hold no terminating NUL */
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    const unsigned char tick_hmac_key[16] = "0123456789abcdef";
    EVP_CIPHER *aes128cbc;
    EVP_MD *sha256;
    int ret = -1;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        return 0;
    sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
    if (!TEST_ptr(sha256)) {
        EVP_CIPHER_free(aes128cbc);
        return 0;
    }

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* Both algorithms are known to be non-NULL at this point */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
            && HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
                            NULL))
        ret = tick_key_renew ? 2 : 1;

    EVP_CIPHER_free(aes128cbc);
    EVP_MD_free(sha256);

    return ret;
}
#endif
8757
/*
 * Ticket key callback using the EVP_MAC_CTX interface. s is unused.
 *
 * Returns 0 if tick_key_renew is -1 or the cipher cannot be fetched, -1 if
 * the cipher or MAC context cannot be initialised, 2 if tick_key_renew is set
 * and 1 otherwise.
 *
 * The fixed keys and the all-zero IV and key name are test fixtures only: they
 * make every ticket use the same key material. A callback in a real server
 * needs secret keys and a fresh random IV for every ticket.
 */
static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
                           unsigned char iv[EVP_MAX_IV_LENGTH],
                           EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
{
    /* Exactly 16 bytes each: the arrays hold no terminating NUL */
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    unsigned char tick_hmac_key[16] = "0123456789abcdef";
    OSSL_PARAM params[2];
    EVP_CIPHER *aes128cbc;
    int ret = -1;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        return 0;

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* The digest for the MAC is passed as a parameter */
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
                                                 "SHA256", 0);
    params[1] = OSSL_PARAM_construct_end();

    /* The cipher is known to be non-NULL at this point */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
            && EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
                            params))
        ret = tick_key_renew ? 2 : 1;

    EVP_CIPHER_free(aes128cbc);

    return ret;
}
8794
/*
 * Test the various ticket callbacks
 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
 * Test 12: TLSv1.2, old ticket key callback, no ticket
 * Test 13: TLSv1.3, old ticket key callback, no ticket
 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
 * Test 18: TLSv1.2, ticket key callback, no ticket
 * Test 19: TLSv1.3, ticket key callback, no ticket
 *
 * Returns 1 on success or skip, 0 on failure.
 */
static int test_ticket_callbacks(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    /* Even numbered tests use TLSv1.2, odd numbered tests use TLSv1.3 */
    const int is_tls12 = (tst % 2) == 0;
    int expect_resume, expect_gen, expect_dec;

#ifdef OPENSSL_NO_TLS1_2
    if (tst % 2 == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst % 2 == 1)
        return 1;
#endif
#ifdef OPENSSL_NO_DEPRECATED_3_0
    if (tst >= 8 && tst <= 13)
        return 1;
#endif

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;

    /* Which tests the ticket key callback should request renewal for */
    switch (tst) {
    case 10:
    case 11:
    case 16:
    case 17:
        tick_key_renew = 1;
        break;

    case 12:
    case 13:
    case 18:
    case 19:
        tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
        break;

    default:
        tick_key_renew = 0;
    }

    /* Which tests the decrypt ticket callback should request renewal for */
    switch (tst) {
    case 0:
    case 1:
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
        break;

    case 2:
    case 3:
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
        break;

    case 4:
    case 5:
        tick_dec_ret = SSL_TICKET_RETURN_USE;
        break;

    case 6:
    case 7:
        tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
        break;

    default:
        tick_dec_ret = SSL_TICKET_RETURN_ABORT;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       is_tls12 ? TLS1_2_VERSION
                                                : TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * We only want sessions to resume from tickets - not the session cache. So
     * switch the cache off.
     */
    if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
        goto end;

    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
                                                 NULL)))
        goto end;

    /* Tests 14 and up use the EVP key callback, tests 8-13 the old one */
    if (tst >= 14) {
        if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
            goto end;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    } else if (tst >= 8) {
        if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
            goto end;
#endif
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /*
     * The decrypt ticket key callback in TLSv1.2 should be called even though
     * we have no ticket yet, because it gets called with a status of
     * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
     * actually send any ticket data). This does not happen in TLSv1.3 because
     * it is not valid to send empty ticket data in TLSv1.3.
     */
    if (!TEST_int_eq(gen_tick_called, 1)
            || !TEST_int_eq(dec_tick_called, is_tls12 ? 1 : 0))
        goto end;

    gen_tick_called = dec_tick_called = 0;

    clntsess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL))
            || !TEST_true(SSL_set_session(clientssl, clntsess))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /*
     * The session must not be resumed if the decrypt callback ignores the
     * ticket or the key callback did not provide one.
     */
    expect_resume = !(tick_dec_ret == SSL_TICKET_RETURN_IGNORE
                      || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
                      || tick_key_renew == -1);
    if (expect_resume) {
        if (!TEST_true(SSL_session_reused(clientssl)))
            goto end;
    } else {
        if (!TEST_false(SSL_session_reused(clientssl)))
            goto end;
    }

    /* A new ticket is only generated when a renewal was requested */
    expect_gen = (tick_key_renew
                  || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
                  || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
        ? 1
        : 0;
    /* There is no ticket to decrypt in tests 13 and 19 */
    expect_dec = (tst == 13 || tst == 19) ? 0 : 1;

    if (!TEST_int_eq(gen_tick_called, expect_gen)
            || !TEST_int_eq(dec_tick_called, expect_dec))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
8969
/*
 * Callback that always returns ABORT for successfully decrypted tickets.
 * Used by test_ticket_abort_session_leak to exercise the error path in
 * tls_parse_ctos_psk() that previously leaked the SSL_SESSION.
 *
 * Every other status yields SSL_TICKET_RETURN_IGNORE_RENEW. Only status is
 * examined; the remaining arguments are unused.
 */
static SSL_TICKET_RETURN dec_tick_abort_cb(SSL *s, SSL_SESSION *ss,
                                           const unsigned char *keyname,
                                           size_t keyname_length,
                                           SSL_TICKET_STATUS status,
                                           void *arg)
{
    switch (status) {
    case SSL_TICKET_SUCCESS:
    case SSL_TICKET_SUCCESS_RENEW:
        return SSL_TICKET_RETURN_ABORT;

    default:
        return SSL_TICKET_RETURN_IGNORE_RENEW;
    }
}
8986
/*
 * Test that returning SSL_TICKET_RETURN_ABORT from the decrypt ticket callback
 * during TLS 1.3 resumption does not leak the SSL_SESSION allocated by
 * tls_decrypt_ticket(). Before the fix, tls_parse_ctos_psk() would execute a
 * bare "return 0" instead of "goto err", bypassing SSL_SESSION_free(sess).
 * When run under LeakSanitizer the leaked session will be reported.
 *
 * The assertions below only check that the resumption handshake fails, so the
 * leak itself is detected only when the test runs under a leak checker.
 *
 * Returns 1 on success or skip, 0 on failure.
 */
static int test_ticket_abort_session_leak(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;

#ifdef OSSL_NO_USABLE_TLS1_3
    return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION, TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Switch the session cache off so that only tickets are available */
    if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
        goto end;

    /* First handshake: use the normal gen/dec callbacks to get a ticket */
    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
                                                 NULL)))
        goto end;

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
    tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Second handshake (resumption): switch to the abort callback.
     * The server will decrypt the ticket, allocate an SSL_SESSION, then the
     * callback returns ABORT. The handshake must fail, and the session
     * allocated inside tls_decrypt_ticket() must be freed (not leaked).
     */
    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb,
                                                 dec_tick_abort_cb, NULL)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, clntsess)))
        goto end;

    /* Resumption should fail because the callback aborts */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                          SSL_ERROR_SSL)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
9069
/*
 * Test incorrect shutdown.
 * Test 0: client does not shutdown properly,
 *         server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
 *         server should get SSL_ERROR_SSL
 * Test 1: client does not shutdown properly,
 *         server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
 *         server should get SSL_ERROR_ZERO_RETURN
 *
 * With the option set, an EOF that arrives without a close_notify is reported
 * like an orderly shutdown, so the TLS layer no longer signals a truncated
 * stream. An application that sets it needs its own way to detect truncation.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_incorrect_shutdown(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char buf[80];
    BIO *c2s;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (tst == 1)
        SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE)))
        goto end;

    /*
     * Make the server's read BIO return 0 when it has no data, so that the
     * read below sees the end of the stream without any shutdown alert.
     */
    c2s = SSL_get_rbio(serverssl);
    BIO_set_mem_eof_return(c2s, 0);

    if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
        goto end;

    /* The reported error depends on SSL_OP_IGNORE_UNEXPECTED_EOF */
    if (tst == 0) {
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto end;
    } else if (tst == 1) {
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
9124
/*
 * Test bi-directional shutdown.
 * Test 0: TLSv1.2
 * Test 1: TLSv1.2, server continues to read/write after client shutdown
 * Test 2: TLSv1.3, no pending NewSessionTicket messages
 * Test 3: TLSv1.3, pending NewSessionTicket messages
 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
 *         sends key update, client reads it
 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
 *         sends CertificateRequest, client reads and ignores it
 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
 *         doesn't read it
 *
 * Returns 1 on success (or when the protocol version needed by |tst| is not
 * built in), 0 on failure.
 */
static int test_shutdown(int tst)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess;
    /* sizeof(msg) is used as the length throughout, so the NUL is sent too */
    char msg[] = "A test message";
    char buf[80];
    size_t written, readbytes;
    int client_reads_data;
    int testresult = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 1)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 2)
        return 1;
#endif

    /* In tests 4 and 5 the client reads what the server wrote after the alert */
    client_reads_data = (tst == 4 || tst == 5);

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       (tst <= 1) ? TLS1_2_VERSION
                                                  : TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (tst == 5)
        SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /*
     * Test 3 uses the "bare" connection helper and then expects the client
     * session not to be resumable yet; every other test expects a resumable
     * session straight after the handshake.
     */
    if (tst == 3) {
        if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
                                                  SSL_ERROR_NONE, 1, 0)))
            goto end;
    } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))) {
        goto end;
    }

    if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
        goto end;

    if (tst == 3) {
        if (!TEST_false(SSL_SESSION_is_resumable(sess)))
            goto end;
    } else if (!TEST_true(SSL_SESSION_is_resumable(sess))) {
        goto end;
    }

    /* Client sends close_notify; 0 means the peer's alert is still awaited */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto end;

    if (tst >= 4) {
        /*
         * Reading on the server after the client has sent close_notify should
         * fail and provide SSL_ERROR_ZERO_RETURN
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
            || !TEST_int_eq(SSL_get_error(serverssl, 0),
                            SSL_ERROR_ZERO_RETURN)
            || !TEST_int_eq(SSL_get_shutdown(serverssl),
                            SSL_RECEIVED_SHUTDOWN))
            goto end;

        /*
         * Even though we're shutdown on receive we should still be
         * able to write.
         */
        if (!TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
            goto end;

        /* Queue a post-handshake message behind the application data */
        switch (tst) {
        case 4:
            if (!TEST_true(SSL_key_update(serverssl,
                                          SSL_KEY_UPDATE_REQUESTED)))
                goto end;
            break;
        case 5:
            SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
            if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
                goto end;
            break;
        default:
            break;
        }

        if (client_reads_data
            && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
            goto end;

        /* Both alerts have now been exchanged from the server's side */
        if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto end;

        if (client_reads_data) {
            /* Should still be able to read data from server */
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                                       &readbytes))
                || !TEST_size_t_eq(readbytes, sizeof(msg))
                || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto end;
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                                       &readbytes))
                || !TEST_size_t_eq(readbytes, sizeof(msg))
                || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto end;
        }
    }

    /* Writing on the client after sending close_notify shouldn't be possible */
    if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
        goto end;

    if (tst < 4) {
        /*
         * For these tests the client has sent close_notify but it has not yet
         * been received by the server. The server has not sent close_notify
         * yet.
         */
        if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
            goto end;

        /*
         * Writing on the server after sending close_notify shouldn't
         * be possible.
         */
        if (!TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)))
            goto end;

        /* The session must remain resumable after a complete shutdown */
        if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
            || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
            || !TEST_true(SSL_SESSION_is_resumable(sess))
            || !TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto end;
    } else if (client_reads_data) {
        /*
         * In this test the client has sent close_notify and it has been
         * received by the server which has responded with a close_notify. The
         * client needs to read the close_notify sent by the server.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
            || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
            || !TEST_true(SSL_SESSION_is_resumable(sess)))
            goto end;
    } else {
        /*
         * tst == 6
         *
         * The client has sent close_notify and is expecting a close_notify
         * back, but instead there is application data first. The shutdown
         * should fail with a fatal error.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
            || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
9286
/*
 * Test that sending close_notify alerts works correctly in the case of a
 * retryable write failure.
 *
 * The server's write BIO is swapped for the bio_s_always_retry() BIO while it
 * tries to send its alert, then the real BIO is put back and the shutdown is
 * completed on both sides.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_async_shutdown(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    int testresult = 0;

    if (!TEST_ptr(bretry))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       0, 0,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                         NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Close write side of clientssl */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto end;

    /*
     * Take our own reference on the server's real write BIO so that it
     * survives being replaced, then hand |bretry| over to the SSL object.
     * |tmp| is reset on failure so that the cleanup below does not free a
     * reference we never obtained.
     */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL; /* now owned by serverssl */

    /* First server shutdown should fail because of a retryable write failure */
    if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
        || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Second server shutdown should fail for the same reason */
    if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
        || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore the real write BIO; our extra reference moves to serverssl */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    /* Third server shutdown should send close_notify */
    if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
        goto end;

    /* Fourth server shutdown should read close_notify from client and finish */
    if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
        goto end;

    /* Client should also successfully fully shutdown */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    /* Only non-NULL if ownership was not transferred to serverssl */
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}
9362
9363 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * State selector for cert_cb(). test_cert_cb_int() sets it to -1, 0 or 3
 * before each handshake; cert_cb() branches on the value and increments it
 * in states 0 and 1.
 */
static int cert_cb_cnt;
9365
/*
 * Load one PEM object from |file| (resolved relative to |certsdir|).
 *
 * If |pkey| is non-NULL a private key is read into *|pkey| and |x509| and
 * |chain| are ignored. Otherwise a certificate is read and either pushed onto
 * |chain| (if non-NULL) or stored in *|x509|; in the latter case |x509| must
 * not be NULL. On success ownership of the certificate passes to |chain| or
 * to the caller via *|x509|.
 *
 * Returns 1 on success, 0 on failure.
 */
static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509,
                      STACK_OF(X509) *chain)
{
    char *path = test_mk_file_path(certsdir, file);
    BIO *in = NULL;
    X509 *x = NULL;
    int ok = 0;

    if (path == NULL)
        return 0;

    in = BIO_new(BIO_s_file());
    if (in == NULL || BIO_read_filename(in, path) <= 0)
        goto out;

    if (pkey != NULL) {
        /* Private key requested: nothing else to hand over */
        if (PEM_read_bio_PrivateKey_ex(in, pkey, NULL, NULL, libctx, NULL)
            != NULL)
            ok = 1;
        goto out;
    }

    /* Allocate the certificate in |libctx| before parsing into it */
    x = X509_new_ex(libctx, NULL);
    if (x == NULL || PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
        goto out;

    if (chain != NULL) {
        if (!sk_X509_push(chain, x))
            goto out;
    } else {
        *x509 = x;
    }

    /* Ownership has been transferred; keep the cleanup from freeing it */
    x = NULL;
    ok = 1;

out:
    X509_free(x);
    BIO_free(in);
    OPENSSL_free(path);
    return ok;
}
9401
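/*
 * Certificate callback installed by test_cert_cb_int(). Its behaviour is
 * selected by |cert_cb_cnt|:
 *
 *   0: suspend the handshake (return -1) and move to state 1
 *   1: optionally switch |s| to the SSL_CTX passed in |arg|, load the default
 *      certificate and key, move to state 2 and continue (return 1)
 *   3: build a candidate chain, validate it with SSL_check_chain() and
 *      install it only if it is usable (return 1 unless loading fails)
 *
 * Any other value (test_cert_cb_int() uses -1) fails the handshake by
 * returning 0.
 */
static int cert_cb(SSL *s, void *arg)
{
    SSL_CTX *ctx = arg;
    EVP_PKEY *pkey = NULL;
    X509 *x509 = NULL;
    STACK_OF(X509) *chain = NULL;
    int ret = 0;

    if (cert_cb_cnt == 0) {
        /* Suspend the handshake */
        cert_cb_cnt++;
        return -1;
    }

    if (cert_cb_cnt == 1) {
        /*
         * Update the SSL_CTX, set the certificate and private key and then
         * continue the handshake normally.
         */
        if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
            return 0;

        if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
            || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
                                                  SSL_FILETYPE_PEM))
            || !TEST_true(SSL_check_private_key(s)))
            return 0;
        cert_cb_cnt++;
        return 1;
    }

    if (cert_cb_cnt == 3) {
        int rv;

        chain = sk_X509_new_null();
#ifndef OPENSSL_NO_ML_DSA
        /* Use the ML-DSA chain for TLSv1.3 when the provider is new enough */
        if (SSL_version(s) >= TLS1_3_VERSION
            && fips_provider_version_ge(libctx, 3, 5, 0)) {
            if (!TEST_ptr(chain)
                || !TEST_true(load_chain("root-ml-dsa-44-cert.pem", NULL, NULL, chain))
                || !TEST_true(load_chain("server-ml-dsa-44-cert.pem", NULL, &x509, NULL))
                || !TEST_true(load_chain("server-ml-dsa-44-key.pem", &pkey, NULL, NULL)))
                goto out;
            goto check;
        }
#endif
        if (!TEST_ptr(chain)
            || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain))
            || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain))
            || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL,
                                     &x509, NULL))
            || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey,
                                     NULL, NULL)))
            goto out;

#ifndef OPENSSL_NO_ML_DSA
check:
#endif
        rv = SSL_check_chain(s, x509, pkey, chain);
        /*
         * If the cert doesn't show as valid here (e.g., because we don't
         * have any shared sigalgs), then we will not set it, and there will
         * be no certificate at all on the SSL or SSL_CTX. This, in turn,
         * will cause tls_choose_sigalgs() to fail the connection.
         */
        if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
            == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
            if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
                goto out;
        }

        ret = 1;
    }

    /* Reached with ret == 0 for any other state: abort the handshake */
out:
    /* Local references are always dropped here, on success and on failure */
    EVP_PKEY_free(pkey);
    X509_free(x509);
    OSSL_STACK_OF_X509_free(chain);
    return ret;
}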
9480
/*
 * Test the certificate callback.
 * Test 0: Callback fails
 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
 * Test 2: Success - SSL_set_SSL_CTX() in the callback
 * Test 3: Success - Call SSL_check_chain from the callback
 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
 *                   chain
 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
 *
 * |prot| is used as both the minimum and maximum protocol version. The
 * contexts are created without a certificate, so the server only has one if
 * cert_cb() installs it.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_cert_cb_int(int prot, int tst)
{
    SSL_CTX *sctx = NULL, *cctx = NULL, *snictx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int ret, testresult = 0;

#ifdef OPENSSL_NO_EC
    /* We use an EC cert in these tests with TLS 1.2 or absent ML-DSA */
    if (tst >= 3)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       prot,
                                       prot,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;

    /* Select the state cert_cb() starts in: -1 fails, 0 suspends, 3 checks */
    cert_cb_cnt = (tst == 0) ? -1 : (tst >= 3 ? 3 : 0);

    if (tst == 2) {
        snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
        if (!TEST_ptr(snictx))
            goto end;
    }

    /* |snictx| is NULL except in test 2, where cert_cb() switches to it */
    SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    switch (tst) {
    case 3:
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                             "?ecdsa_secp256r1_sha256:?mldsa44"))
            || !TEST_true(SSL_set1_sigalgs_list(serverssl,
                                                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    case 4:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the chain doesn't meet (root either RSA or ML-DSA).
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "ecdsa_secp256r1_sha256"))
            || !TEST_true(SSL_set1_sigalgs_list(serverssl,
                                                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    case 5:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the ee cert doesn't meet (the ee uses an ECDSA or ML-DSA cert)
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256"))
            || !TEST_true(SSL_set1_sigalgs_list(serverssl,
                                                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    default:
        break;
    }

    /* Tests 0, 4 and 5 must fail the handshake; all others must complete it */
    ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret))
        goto end;

    /* The product is zero only when the callback ended in state 2 or 3 */
    if (tst > 0
        && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_CTX_free(snictx);

    return testresult;
}
9578 #endif
9579
/*
 * Run certificate callback scenario |tst| once per protocol version that is
 * compiled in. Both versions are always exercised, even if the first fails.
 *
 * Returns 1 if every run passed (or none was compiled in), 0 otherwise.
 */
static int test_cert_cb(int tst)
{
    int testresult = 1;

#ifndef OPENSSL_NO_TLS1_2
    if (!test_cert_cb_int(TLS1_2_VERSION, tst))
        testresult = 0;
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!test_cert_cb_int(TLS1_3_VERSION, tst))
        testresult = 0;
#endif

    return testresult;
}
9593
/*
 * Client certificate callback: supplies the test certificate and private key
 * read from the |cert| and |privkey| files.
 *
 * It first checks that the server certificate is already available through
 * SSL_get0_peer_certificate() when the callback runs.
 *
 * On success *|x509| and *|pkey| receive newly loaded objects, ownership
 * passes to the caller and 1 is returned. On failure nothing is stored and
 * 0 is returned.
 */
static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    X509 *xcert = NULL;
    EVP_PKEY *privpkey;
    BIO *in = NULL, *priv_in = NULL;
    int ok = 0;

    /* Check that SSL_get0_peer_certificate() returns something sensible */
    if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
        return 0;

    in = BIO_new_file(cert, "r");
    if (!TEST_ptr(in))
        return 0;

    if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
        || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
        || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
        || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
                                                           NULL, NULL,
                                                           libctx, NULL)))
        goto done;

    *x509 = xcert;
    *pkey = privpkey;
    /* The caller owns the certificate now; do not free it below */
    xcert = NULL;
    ok = 1;

done:
    X509_free(xcert);
    BIO_free(in);
    BIO_free(priv_in);
    return ok;
}
9629
/*
 * Test that a client certificate callback is honoured.
 * Test 0: TLSv1.2
 * Test 1: TLSv1.3
 *
 * The server requires a client certificate (SSL_VERIFY_PEER together with
 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT), so the handshake can only complete if
 * client_cert_cb() supplied one.
 *
 * Returns 1 on success or when the protocol version is not built in,
 * 0 on failure.
 */
static int test_client_cert_cb(int tst)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst == 1)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       tst == 0 ? TLS1_2_VERSION
                                                : TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Test that setting a client_cert_cb results in a client certificate being
     * sent.
     */
    SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
    /* verify_cb is defined elsewhere in this file; its policy is not shown here */
    SSL_CTX_set_verify(sctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
9678
9679 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
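/*
 * Append a duplicate of |name| to |sk|. The duplicate is checked before it is
 * pushed and is freed again if the push fails, so neither a NULL entry nor a
 * leaked copy is left behind.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ca_names_push_dup(STACK_OF(X509_NAME) *sk, X509_NAME *name)
{
    X509_NAME *copy = X509_NAME_dup(name);

    if (!TEST_ptr(copy))
        return 0;
    if (!TEST_true(sk_X509_NAME_push(sk, copy))) {
        X509_NAME_free(copy);
        return 0;
    }
    return 1;
}

/*
 * Build a new stack holding duplicates of |first| and |second|, in that order.
 *
 * Returns the stack (owned by the caller) or NULL on failure.
 */
static STACK_OF(X509_NAME) *ca_names_make_pair(X509_NAME *first,
                                               X509_NAME *second)
{
    STACK_OF(X509_NAME) *sk = sk_X509_NAME_new_null();

    if (!TEST_ptr(sk))
        return NULL;
    if (!ca_names_push_dup(sk, first) || !ca_names_push_dup(sk, second)) {
        sk_X509_NAME_pop_free(sk, X509_NAME_free);
        return NULL;
    }
    return sk;
}

/*
 * Test setting certificate authorities on both client and server.
 *
 * Test 0: SSL_CTX_set0_CA_list() only
 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
 * Test 2: Only SSL_CTX_set_client_CA_list()
 *
 * |prot| is the maximum protocol version to negotiate.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ca_names_int(int prot, int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    size_t i;
    X509_NAME *name[] = { NULL, NULL, NULL, NULL };
    const char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
    STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
    const STACK_OF(X509_NAME) *sktmp = NULL;

    for (i = 0; i < OSSL_NELEM(name); i++) {
        name[i] = X509_NAME_new();
        if (!TEST_ptr(name[i])
            || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
                                                     MBSTRING_ASC,
                                                     (const unsigned char *)
                                                     strnames[i],
                                                     -1, -1, 0)))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       prot,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Ask for a client certificate so the server sends a CertificateRequest */
    SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    if (tst == 0 || tst == 1) {
        /* The helpers report their own failures through the TEST_ macros */
        sk1 = ca_names_make_pair(name[0], name[1]);
        sk2 = ca_names_make_pair(name[0], name[1]);
        if (sk1 == NULL || sk2 == NULL)
            goto end;

        /* The set0 call takes ownership of the stacks */
        SSL_CTX_set0_CA_list(sctx, sk1);
        SSL_CTX_set0_CA_list(cctx, sk2);
        sk1 = sk2 = NULL;
    }
    if (tst == 1 || tst == 2) {
        sk1 = ca_names_make_pair(name[2], name[3]);
        sk2 = ca_names_make_pair(name[2], name[3]);
        if (sk1 == NULL || sk2 == NULL)
            goto end;

        /* Ownership of the stacks passes to the contexts here as well */
        SSL_CTX_set_client_CA_list(sctx, sk1);
        SSL_CTX_set_client_CA_list(cctx, sk2);
        sk1 = sk2 = NULL;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /*
     * We only expect certificate authorities to have been sent to the server
     * if we are using TLSv1.3 and SSL_CTX_set0_CA_list() was used
     */
    sktmp = SSL_get0_peer_CA_list(serverssl);
    if (prot == TLS1_3_VERSION
        && (tst == 0 || tst == 1)) {
        if (!TEST_ptr(sktmp)
            || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                                          name[0]),
                            0)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                                          name[1]),
                            0))
            goto end;
    } else if (!TEST_ptr_null(sktmp)) {
        goto end;
    }

    /*
     * In all tests we expect certificate authorities to have been sent to the
     * client. However, SSL_CTX_set_client_CA_list() should override
     * SSL_CTX_set0_CA_list()
     */
    sktmp = SSL_get0_peer_CA_list(clientssl);
    if (!TEST_ptr(sktmp)
        || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                                      name[tst == 0 ? 0 : 2]),
                        0)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                                      name[tst == 0 ? 1 : 3]),
                        0))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    for (i = 0; i < OSSL_NELEM(name); i++)
        X509_NAME_free(name[i]);
    /* Non-NULL only if a stack was built but never handed to a context */
    sk_X509_NAME_pop_free(sk1, X509_NAME_free);
    sk_X509_NAME_pop_free(sk2, X509_NAME_free);

    return testresult;
}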
9801 #endif
9802
/*
 * Run CA name scenario |tst| once per protocol version that is compiled in.
 * Both versions are always exercised, even if the first fails.
 *
 * Returns 1 if every run passed (or none was compiled in), 0 otherwise.
 */
static int test_ca_names(int tst)
{
    int testresult = 1;

#ifndef OPENSSL_NO_TLS1_2
    if (!test_ca_names_int(TLS1_2_VERSION, tst))
        testresult = 0;
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!test_ca_names_int(TLS1_3_VERSION, tst))
        testresult = 0;
#endif

    return testresult;
}
9816
9817 #ifndef OPENSSL_NO_TLS1_2
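/*
 * TLS cipher suite names, indexed by test number. The entries run in parallel
 * with the fetchable_ciphers[] table inside test_multiblock_write().
 */
static const char *multiblock_cipherlist_data[] = {
    "AES128-SHA",
    "AES128-SHA256",
    "AES256-SHA",
    "AES256-SHA256",
};

/* Reduce the fragment size - so the multiblock test buffer can be small */
#define MULTIBLOCK_FRAGSIZE 512

/*
 * Test a large server write with one of the AES-CBC-HMAC-SHA cipher suites.
 * |test_index| selects the entry in multiblock_cipherlist_data[].
 *
 * Returns 1 on success or when the cipher cannot be fetched (the test is then
 * reported as skipped), 0 on failure.
 */
static int test_multiblock_write(int test_index)
{
    static const char *fetchable_ciphers[] = {
        "AES-128-CBC-HMAC-SHA1",
        "AES-128-CBC-HMAC-SHA256",
        "AES-256-CBC-HMAC-SHA1",
        "AES-256-CBC-HMAC-SHA256"
    };
    const char *cipherlist = multiblock_cipherlist_data[test_index];
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();
    int min_version = TLS1_VERSION;
    int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /*
     * Choose a buffer large enough to perform a multi-block operation
     * i.e: write_len >= 4 * frag_size
     * 9 * is chosen so that multiple multiblocks are used + some leftover.
     */
    unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
    unsigned char buf[sizeof(msg)], *p = buf;
    size_t readbytes, written, len;
    EVP_CIPHER *ciph = NULL;

    /*
     * Check if the cipher exists before attempting to use it since it only has
     * a hardware specific implementation.
     */
    ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
    if (ciph == NULL) {
        TEST_skip("Multiblock cipher is not available for %s", cipherlist);
        return 1;
    }
    EVP_CIPHER_free(ciph);

    /*
     * Set up a buffer with some data that will be sent to the client. A
     * failed RAND_bytes() would leave |msg| uninitialised, so stop here
     * rather than send and compare indeterminate stack contents.
     */
    if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /*
     * settings to force it to use AES-CBC-HMAC_SHA. Encrypt-then-MAC is
     * turned off only to reach that code path in this test.
     */
    SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
        || !TEST_size_t_eq(written, sizeof(msg)))
        goto end;

    len = written;
    while (len > 0) {
        /*
         * Never ask for more than is still expected: this keeps |p| inside
         * |buf| and stops |len| from wrapping below zero.
         */
        size_t chunk = len < (size_t)MULTIBLOCK_FRAGSIZE
                           ? len
                           : (size_t)MULTIBLOCK_FRAGSIZE;

        if (!TEST_true(SSL_read_ex(clientssl, p, chunk, &readbytes)))
            goto end;
        p += readbytes;
        len -= readbytes;
    }
    if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}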
9912 #endif /* OPENSSL_NO_TLS1_2 */
9913
/*
 * Test session ordering and timeout in the SSL_CTX session cache.
 *
 * Three sessions are given the same timeout and start times 10 seconds apart,
 * so that they expire at |now|, |now| + 10 and |now| + 20. The test checks
 * the order of the cache's linked list, that successive flushes remove the
 * sessions one at a time, and finally that adding a session while
 * SSL_SESS_CACHE_UPDATE_TIME is set changes its time.
 *
 * The cache links (->prev, ->next) and the session id fields are accessed
 * directly on the SSL_SESSION structures.
 *
 * |test| is not used. Returns 1 on success, 0 on failure.
 */
static int test_session_timeout(int test)
{
    /*
     * Can't explicitly test performance of the new code,
     * but can test to see if the ordering of the sessions
     * are correct, and they are removed as expected
     */
    SSL_CTX *ctx;
    SSL_SESSION *early = NULL;
    SSL_SESSION *middle = NULL;
    SSL_SESSION *late = NULL;
    time_t now = time(NULL);
    int testresult = 0;
#define TIMEOUT 10

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(early = SSL_SESSION_new())
        || !TEST_ptr(middle = SSL_SESSION_new())
        || !TEST_ptr(late = SSL_SESSION_new()))
        goto end;

    /* assign unique session ids */
    memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
    early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
    middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
    late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;

    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* Start times 10 seconds apart ... */
    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
        goto end;

    /* ... with identical timeouts */
    if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
        || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
        || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
        goto end;

    /* Make sure they are all still there */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* Make sure they are in the expected order */
    if (!TEST_ptr_eq(late->next, middle)
        || !TEST_ptr_eq(middle->next, early))
        goto end;
    if (!TEST_ptr_eq(early->prev, middle)
        || !TEST_ptr_eq(middle->prev, late))
        goto end;

    /* This should remove "early" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "middle" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "late" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    /* Add them back in again */
    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove all of them */
    SSL_CTX_flush_sessions_ex(ctx, 0);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    /* Add SSL_SESS_CACHE_UPDATE_TIME to whatever mode is already set */
    (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME | SSL_CTX_get_session_cache_mode(ctx));

    /* make sure |now| is NOT equal to the current time */
    now -= 10;
    /* After the add, the session time must no longer be the stale |now| */
    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
        goto end;

    testresult = 1;

end:
    SSL_CTX_free(ctx);
    SSL_SESSION_free(early);
    SSL_SESSION_free(middle);
    SSL_SESSION_free(late);
    return testresult;
}
10035
/*
 * Test that a session cache overflow works as expected
 * Test 0: TLSv1.3, timeout on new session later than old session
 * Test 1: TLSv1.2, timeout on new session later than old session
 * Test 2: TLSv1.3, timeout on new session earlier than old session
 * Test 3: TLSv1.2, timeout on new session earlier than old session
 *
 * The server cache is limited to a single entry and session tickets are
 * disabled. A second handshake overflows the cache, and the session from that
 * handshake is then resumed through the external get_session_cb callback.
 *
 * Returns 1 on success, 0 on failure, or the result of TEST_skip() when the
 * protocol version needed by |idx| is not built in.
 */
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int test_session_cache_overflow(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    int references;
    int testresult = 0;

#ifdef OSSL_NO_USABLE_TLS1_3
    /* If no TLSv1.3 available then do nothing in this case */
    if (idx % 2 == 0)
        return TEST_skip("No TLSv1.3 available");
#endif
#ifdef OPENSSL_NO_TLS1_2
    /* If no TLSv1.2 available then do nothing in this case */
    if (idx % 2 == 1)
        return TEST_skip("No TLSv1.2 available");
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION,
                                       (idx % 2 == 0) ? TLS1_3_VERSION
                                                      : TLS1_2_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
        goto end;

    /* External lookup starts out empty; the internal cache holds one entry */
    SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
    get_sess_val = NULL;

    SSL_CTX_sess_set_cache_size(sctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (idx > 1) {
        int timeout_set;

        sess = SSL_get_session(serverssl);
        if (!TEST_ptr(sess))
            goto end;

        /*
         * Cause this session to have a longer timeout than the next session to
         * be added.
         */
        timeout_set = TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX));
        /*
         * SSL_get_session() did not give us a reference, so |sess| must be
         * cleared before the cleanup code can see it.
         */
        sess = NULL;
        if (!timeout_set)
            goto end;
    }

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Session cache size is 1 and we already populated the cache with a session
     * so the next connection should cause an overflow.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The session we just negotiated may have been already removed from the
     * internal cache - but we will return it anyway from our external cache.
     */
    get_sess_val = SSL_get_session(serverssl);
    if (!TEST_ptr(get_sess_val))
        goto end;

    /*
     * Normally the session is also stored in the cache, thus we have more than
     * one reference, but due to an out-of-memory error it can happen that this
     * is the only reference, and in that case the SSL_free(serverssl) below
     * would free the get_sess_val, causing a use-after-free error.
     */
    if (!TEST_true(CRYPTO_GET_REF(&get_sess_val->references, &references))
        || !TEST_int_ge(references, 2))
        goto end;

    /* get1 returns an owned reference; it is released at the end label */
    sess = SSL_get1_session(clientssl);
    if (!TEST_ptr(sess))
        goto end;

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Resume with the session taken from the second handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return testresult;
}
10164 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
10165
/*
 * Check the SNI hostname reported by SSL_get_servername() on both endpoints,
 * first after a full handshake and then after resuming the saved session.
 *
 * Tests 0-4 cap the connection at TLSv1.2, tests 5-9 at TLSv1.3:
 * Test 0 / 5: Client sets servername and server acknowledges it
 * Test 1 / 6: Client sets servername and server does not acknowledge it
 *             (no servername callback is installed on the server context)
 * Test 2 / 7: Client sets inconsistent servername on resumption
 * Test 3 / 8: Client does not set servername on initial handshake
 * Test 4 / 9: Client does not set servername on resumption handshake
 *
 * Returns 1 on success, or when the protocol version under test is compiled
 * out, and 0 on failure.
 */
static int test_servername(int tst)
{
    SSL_SESSION *sess = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    const char *sexpectedhost = NULL, *cexpectedhost = NULL;
    int testresult = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 4)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 5)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       (tst <= 4) ? TLS1_2_VERSION
                                                  : TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Tests 1 and 6 deliberately leave the server without an SNI callback */
    if (tst != 1 && tst != 6
        && !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                                                             hostname_cb)))
        goto end;

    /* Tests 3 and 8 send no servername on the first handshake */
    if (tst != 3 && tst != 8) {
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        sexpectedhost = cexpectedhost = "goodhost";
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
                     cexpectedhost))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(serverssl,
                                        TLSEXT_NAMETYPE_host_name),
                     sexpectedhost))
        goto end;

    /*
     * Now repeat with a resumption handshake. The client session is saved
     * (with its own reference) before both connection objects are dropped.
     */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto end;
    if (!TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL))
        goto end;
    if (!TEST_true(SSL_SESSION_is_resumable(sess)))
        goto end;
    if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
        goto end;

    SSL_free(clientssl);
    SSL_free(serverssl);
    clientssl = serverssl = NULL;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /*
     * Work out what each side should report after resumption. The client is
     * also checked before the handshake starts, directly after configuration.
     */
    sexpectedhost = cexpectedhost = "goodhost";
    switch (tst) {
    case 2:
    case 7:
        /* Set an inconsistent hostname */
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
            goto end;
        /*
         * In TLSv1.2 we expect the hostname from the original handshake, in
         * TLSv1.3 we expect the hostname from this handshake
         */
        if (tst == 7)
            sexpectedhost = cexpectedhost = "altgoodhost";

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         "altgoodhost"))
            goto end;
        break;

    case 4:
    case 9:
        /*
         * A TLSv1.3 session does not associate a session with a servername,
         * but a TLSv1.2 session does.
         */
        if (tst == 9)
            sexpectedhost = cexpectedhost = NULL;

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         cexpectedhost))
            goto end;
        break;

    default:
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        /*
         * In a TLSv1.2 resumption where the hostname was not acknowledged
         * we expect the hostname on the server to be empty. On the client we
         * return what was requested in this case.
         *
         * Similarly if the client didn't set a hostname on an original TLSv1.2
         * session but is now, the server hostname will be empty, but the client
         * is as we set it.
         */
        if (tst == 1 || tst == 3)
            sexpectedhost = NULL;

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         "goodhost"))
            goto end;
        break;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Both sides must agree that the session was resumed */
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;
    if (!TEST_true(SSL_session_reused(serverssl)))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(clientssl,
                                        TLSEXT_NAMETYPE_host_name),
                     cexpectedhost))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(serverssl,
                                        TLSEXT_NAMETYPE_host_name),
                     sexpectedhost))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
10319
/*
 * Check how the sigalg and group list setters treat names they do not know.
 *
 * An entry prefixed with '?' is optional: the list is still accepted and the
 * unknown entry does not appear in the configured result. An unknown entry
 * without the prefix makes the whole list fail, so a misspelled group name is
 * reported to the caller instead of being dropped silently.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_unknown_sigalgs_groups(void)
{
    SSL_CTX *ctx = NULL;
    int ret = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
        goto end;

    /* Server-side sigalgs: the optional unknown entry is skipped */
    if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
                                               "RSA+SHA256:?nonexistent:?RSA+SHA512"),
                     0))
        goto end;
    if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2))
        goto end;
    if (!TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256))
        goto end;
    if (!TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    /* Same list through the client sigalgs setter */
    if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
                                                      "RSA+SHA256:?nonexistent:?RSA+SHA512"),
                     0))
        goto end;
    if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2))
        goto end;
    if (!TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256))
        goto end;
    if (!TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    /* A mandatory unknown group must be rejected */
    if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
                                              "nonexistent"),
                     0))
        goto end;

    /*
     * A list made only of optional unknown groups is accepted. The resulting
     * group count is not checked here.
     */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
                                              "?nonexistent1:?nonexistent2:?nonexistent3"),
                     0))
        goto end;

#ifndef OPENSSL_NO_EC
    /* One known group does not rescue a list with a mandatory unknown one */
    if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
                                              "P-256:nonexistent"),
                     0))
        goto end;

    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
                                              "P-384:?nonexistent:?P-521"),
                     0))
        goto end;
    /* Only the two known groups remain, in the order they were listed */
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2))
        goto end;
    if (!TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1))
        goto end;
    if (!TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
        goto end;
#endif

    ret = 1;

end:
    SSL_CTX_free(ctx);
    return ret;
}
10377
10378 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
/*
 * Check the "DEFAULT" keyword and the '-' (remove) operator of the group
 * list syntax against the group count of a freshly created SSL_CTX.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_configuration_of_groups(void)
{
    SSL_CTX *ctx = NULL;
    size_t groups_len;
    int ret = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
        goto end;

    /* Baseline: the number of groups a new context starts with */
    groups_len = ctx->ext.supportedgroups_len;
    if (!TEST_size_t_gt(groups_len, 0))
        goto end;

    /* Setting "DEFAULT" explicitly must give the same number of groups */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0))
        goto end;
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len))
        goto end;

    /*
     * Removing P-256 from the defaults drops exactly one group when EC is
     * built in. Without EC the '?' makes the removal a no-op.
     */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0))
        goto end;
#if !defined(OPENSSL_NO_EC)
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len - 1))
        goto end;
#else
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len))
        goto end;
#endif

#if !defined(OPENSSL_NO_EC)
    /* A group added and then removed in the same list must not survive */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0))
        goto end;
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 1))
        goto end;
    if (!TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1))
        goto end;
#endif

    ret = 1;

end:
    SSL_CTX_free(ctx);
    return ret;
}
10416 #endif
10417
10418 #if !defined(OPENSSL_NO_EC) \
10419 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
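/*
 * Test that if signature algorithms are not available, then we do not offer or
 * accept them.
 * Test 0: Two RSA sig algs available: both RSA sig algs shared
 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
 *
 * The restricted peer gets its own library context (tmpctx) holding the
 * "filter" provider. The other peer keeps using the shared libctx.
 *
 * Returns the result of filter_provider_check_clean_finish() when every check
 * passed, otherwise 0.
 */
static int test_sigalgs_available(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
    OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
    OSSL_PROVIDER *filterprov = NULL;
    /* Start from known values so a short result is never compared as garbage */
    int sig = NID_undef, hash = NID_undef;
    int numshared, numshared_expected, hash_expected, sig_expected;
    const char *sigalg_name = NULL, *signame_expected;

    if (!TEST_ptr(tmpctx))
        goto end;

    if (idx != 0 && idx != 3) {
        if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
                                                 filter_provider_init)))
            goto end;

        filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
        if (!TEST_ptr(filterprov))
            goto end;

        if (idx < 3) {
            /*
             * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
             * or accepted for the peer that uses this libctx. Note that libssl
             * *requires* SHA2-256 to be available so we cannot disable that. We
             * also need SHA1 for our certificate.
             */
            if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
                                                      "SHA2-256:SHA1")))
                goto end;
        } else {
            /* Only ECDSA signatures, plus the key types needed alongside them */
            if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
                                                      "ECDSA"))
#ifdef OPENSSL_NO_ECX
                || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
#else
                || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
                                                         "EC:X25519:X448"))
#endif
            )
                goto end;
        }

        /* Tests 1 and 4 restrict the client, tests 2 and 5 the server */
        if (idx == 1 || idx == 4)
            clientctx = tmpctx;
        else
            serverctx = tmpctx;
    }

    cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
    sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
    if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
        goto end;

    /* Avoid MLKEM groups that depend on possibly filtered-out digests */
    if (!TEST_true(SSL_CTX_set1_groups_list(cctx,
                                            "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))
        || !TEST_true(SSL_CTX_set1_groups_list(sctx,
                                               "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")))
        goto end;

    /*
     * sctx and cctx already exist at this point, so the helper is presumably
     * configuring them rather than creating new contexts - confirm against
     * create_ssl_ctx_pair() in ssltestlib.
     */
    if (idx != 5) {
        /* RSA first server key */
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                           TLS_client_method(),
                                           TLS1_VERSION,
                                           0,
                                           &sctx, &cctx, cert, privkey)))
            goto end;
    } else {
        /* ECDSA P-256 first server key */
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                           TLS_client_method(),
                                           TLS1_VERSION,
                                           0,
                                           &sctx, &cctx, cert2, privkey2)))
            goto end;
    }

    /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
    if (idx < 4) {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                               "ECDHE-RSA-AES128-GCM-SHA256")))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                                               "ECDHE-ECDSA-AES128-GCM-SHA256")))
            goto end;
    }

    /*
     * Configure the same sigalg preference list on both peers. The calls are
     * wrapped in TEST_true() so that a rejected list is reported in the test
     * output instead of failing the test without any diagnostic.
     */
    if (idx < 3) {
        if (!TEST_true(SSL_CTX_set1_sigalgs_list(cctx,
                                                 "rsa_pss_rsae_sha384"
                                                 ":rsa_pss_rsae_sha256"))
            || !TEST_true(SSL_CTX_set1_sigalgs_list(sctx,
                                                    "rsa_pss_rsae_sha384"
                                                    ":rsa_pss_rsae_sha256")))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set1_sigalgs_list(cctx,
                                                 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
            || !TEST_true(SSL_CTX_set1_sigalgs_list(sctx,
                                                    "rsa_pss_rsae_sha256:ECDSA+SHA256")))
            goto end;
    }

    /* ECDSA P-256 second server key, unless already first */
    if (idx != 5
        && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
                                                      SSL_FILETYPE_PEM),
                         1)
            || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
                                                        privkey2,
                                                        SSL_FILETYPE_PEM),
                            1)
            || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
    numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash,
                                       NULL, NULL, NULL);
    numshared_expected = 1;
    hash_expected = NID_sha256;
    sig_expected = NID_rsassaPss;
    signame_expected = "rsa_pss_rsae_sha256";
    switch (idx) {
    case 0:
        hash_expected = NID_sha384;
        signame_expected = "rsa_pss_rsae_sha384";
        /* FALLTHROUGH */
    case 3:
        numshared_expected = 2;
        break;
    case 4:
    case 5:
        sig_expected = EVP_PKEY_EC;
        signame_expected = "ecdsa_secp256r1_sha256";
        break;
    default:
        /* Tests 1 and 2 keep the RSA-PSS/SHA2-256 defaults set above */
        break;
    }
    if (!TEST_int_eq(numshared, numshared_expected)
        || !TEST_int_eq(hash, hash_expected)
        || !TEST_int_eq(sig, sig_expected)
        || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
        || !TEST_ptr(sigalg_name)
        || !TEST_str_eq(sigalg_name, signame_expected))
        goto end;

    testresult = filter_provider_check_clean_finish();

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(filterprov);
    OSSL_LIB_CTX_free(tmpctx);

    return testresult;
}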
10598 #endif /* \
10599 * !defined(OPENSSL_NO_EC) \
10600 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) \
10601 */
10602
10603 #ifndef OPENSSL_NO_TLS1_3
/*
 * Check that a key exchange group supplied by the "tls-provider" test
 * provider can be negotiated over TLSv1.3.
 * Test 0: "xorkemgroup"
 * Test 1 (any other idx): "xorgroup"
 *
 * This test can run in TLSv1.3 even if ec and dh are disabled.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_pluggable_group(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
    /*
     * Check that we are not impacted by a provider without any groups. The
     * result of this load is intentionally not tested.
     */
    OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
    const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";

    if (!TEST_ptr(tlsprov))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /*
     * ensure GROUPLIST_INCREMENT (=40) logic triggers: the server list holds
     * more entries than that. Original note: removing a single algorithm from
     * the list makes the test pass.
     */
    if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43")))
        goto end;
    /* The client offers only the group under test */
    if (!TEST_true(SSL_set1_groups_list(clientssl, group_name)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* The first shared group on the server must be the one the client sent */
    if (!TEST_str_eq(group_name,
                     SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
        goto end;

    /* Both endpoints must report that group as the negotiated one */
    if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl)))
        goto end;
    if (!TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(legacyprov);

    return testresult;
}
10656
/*
 * Generate a key pair for one of the artificial signature algorithms
 * implemented in tls-provider ("xorhmacsig" when idx is 0, otherwise
 * "xorhmacsha2sig"), wrap it in a self-signed certificate and write both to
 * PEM files for use in TLS testing. This exercises the provider's encode,
 * decode and sign functions.
 *
 * The private key is written without encryption (no cipher or passphrase is
 * passed to PEM_write_bio_PrivateKey), which is only acceptable because these
 * are throwaway test fixtures for a test-only algorithm.
 *
 * idx:             selects the algorithm, see above
 * certfilename:    path the certificate is written to
 * privkeyfilename: path the private key is written to
 *
 * Returns 1 on success and 0 on failure.
 */
static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
{
    EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
        (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
    EVP_PKEY *pkey = NULL;
    X509 *x509 = X509_new();
    X509_NAME *name = NULL;
    BIO *keybio = NULL, *certbio = NULL;
    int ret = 0;

    /* Key generation */
    if (!TEST_ptr(evpctx))
        goto done;
    if (!TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0))
        goto done;
    if (!TEST_true(EVP_PKEY_generate(evpctx, &pkey)))
        goto done;
    if (!TEST_ptr(pkey))
        goto done;

    /* Certificate body: serial 1, valid from now for 31536000 seconds */
    if (!TEST_ptr(x509))
        goto done;
    if (!TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1)))
        goto done;
    if (!TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0)))
        goto done;
    if (!TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L)))
        goto done;
    if (!TEST_true(X509_set_pubkey(x509, pkey)))
        goto done;

    /* Subject name, reused as the issuer name to make it self-signed */
    if (!TEST_ptr(name = X509_get_subject_name(x509)))
        goto done;
    if (!TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
                                              (unsigned char *)"CH", -1, -1, 0)))
        goto done;
    if (!TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
                                              (unsigned char *)"test.org", -1, -1, 0)))
        goto done;
    if (!TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                                              (unsigned char *)"localhost", -1, -1, 0)))
        goto done;
    if (!TEST_true(X509_set_issuer_name(x509, name)))
        goto done;
    if (!TEST_true(X509_sign(x509, pkey, EVP_sha1())))
        goto done;

    /* Write the key first, then the certificate */
    if (!TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb")))
        goto done;
    if (!TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL)))
        goto done;
    if (!TEST_ptr(certbio = BIO_new_file(certfilename, "wb")))
        goto done;
    if (!TEST_true(PEM_write_bio_X509(certbio, x509)))
        goto done;

    ret = 1;

done:
    EVP_PKEY_free(pkey);
    X509_free(x509);
    EVP_PKEY_CTX_free(evpctx);
    BIO_free(keybio);
    BIO_free(certbio);
    return ret;
}
10703
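/*
 * Test that signature algorithms loaded via the provider interface can
 * correctly establish a TLS (1.3) connection.
 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
 * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
 * Test 3: Test 0 using RPK
 * Test 4: Test 1 using RPK
 * Test 5: Test 2 using RPK
 *
 * The server certificate and key are generated by create_cert_key() and
 * written to "tls-prov-cert.pem" and "tls-prov-key.pem" in the current
 * directory.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_pluggable_signature(int idx)
{
    static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
    OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
    char *certfilename = "tls-prov-cert.pem";
    char *privkeyfilename = "tls-prov-key.pem";
    const char *sigalg_name = NULL, *expected_sigalg_name;
    int sigidx = idx % 3;   /* which algorithm / configuration method */
    int rpkidx = idx / 3;   /* non-zero: use raw public keys */
    int do_conf_cmd = 0;

    /* Variant 2 is variant 0 with the credentials loaded via SSL_CONF_cmd */
    if (sigidx == 2) {
        sigidx = 0;
        do_conf_cmd = 1;
    }

    /* See create_cert_key() above */
    expected_sigalg_name = (sigidx == 0) ? "xorhmacsig" : "xorhmacsha2sig";

    /* create key and certificate for the different algorithm types */
    if (!TEST_ptr(tlsprov)
        || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION,
                                       TLS1_3_VERSION,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;

    if (do_conf_cmd) {
        SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();

        if (!TEST_ptr(confctx))
            goto end;
        SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
                                            | SSL_CONF_FLAG_SERVER
                                            | SSL_CONF_FLAG_CERTIFICATE
                                            | SSL_CONF_FLAG_REQUIRE_PRIVATE
                                            | SSL_CONF_FLAG_SHOW_ERRORS);
        SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
        if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
            || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
            || !TEST_true(SSL_CONF_CTX_finish(confctx))) {
            SSL_CONF_CTX_free(confctx);
            goto end;
        }
        SSL_CONF_CTX_free(confctx);
    } else {
        if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
                                                      SSL_FILETYPE_PEM),
                         1)
            || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
                                                        privkeyfilename,
                                                        SSL_FILETYPE_PEM),
                            1))
            goto end;
    }
    /* Whichever way they were loaded, key and certificate must match */
    if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Enable RPK for server cert */
    if (rpkidx) {
        if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
            || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    }

    /* This is necessary to pass minimal setup w/o other groups configured */
    if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
        || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
        goto end;

    /*
     * If this connection gets established, it must have been completed
     * via the tls-provider-implemented signature algorithm ("xorhmacsig" or
     * "xorhmacsha2sig"), testing both sign and verify functions during
     * handshake.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * If using RPK, make sure we got one. This test configures no expected
     * peer key on the client, so the verify result for a raw public key is
     * "untrusted"; it is used here only as evidence that an RPK was received.
     * The handshake still completing presumably relies on the client's verify
     * mode set up by the test helpers - confirm in ssltestlib. An application
     * must not treat this verify result as a successful authentication.
     */
    if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
        goto end;

    /*
     * Check the pointer before comparing the string, matching the order used
     * in test_sigalgs_available().
     */
    if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
        || !TEST_ptr(sigalg_name)
        || !TEST_str_eq(sigalg_name, expected_sigalg_name))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(defaultprov);

    return testresult;
}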
10821 #endif
10822
10823 #ifndef OPENSSL_NO_TLS1_2
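/*
 * Test SSL_dup() on a TLSv1.2 client: before the handshake it must return a
 * distinct object that carries over the protocol version limits, and after
 * the handshake it must return the same object.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_ssl_dup(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
    int testresult = 0;
    BIO *rbio = NULL, *wbio = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       0,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;

    /*
     * Validate the duplicate before it is handed to SSL_set0_rbio() and
     * SSL_set0_wbio(): a failed SSL_dup() must end the test here rather than
     * pass a NULL SSL to those calls.
     */
    client2ssl = SSL_dup(clientssl);
    if (!TEST_ptr(client2ssl)
        /* Handshake not started so pointers should be different */
        || !TEST_ptr_ne(clientssl, client2ssl))
        goto end;

    /*
     * Share the original's BIOs with the duplicate. Each BIO gets an extra
     * reference first because the set0 calls take ownership of the reference
     * they are given.
     */
    rbio = SSL_get_rbio(clientssl);
    if (!TEST_ptr(rbio)
        || !TEST_true(BIO_up_ref(rbio)))
        goto end;
    SSL_set0_rbio(client2ssl, rbio);
    rbio = NULL;

    wbio = SSL_get_wbio(clientssl);
    if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
        goto end;
    SSL_set0_wbio(client2ssl, wbio);
    wbio = NULL;

    if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
        || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
        goto end;

    /* Drop the original and duplicate the connected object instead */
    SSL_free(clientssl);
    clientssl = SSL_dup(client2ssl);
    if (!TEST_ptr(clientssl)
        /* Handshake has finished so pointers should be the same */
        || !TEST_ptr_eq(clientssl, client2ssl))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_free(client2ssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}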
10890
/*
 * Session secret callback used by test_session_secret_cb(). It fills the
 * whole secret buffer (*secret_len bytes) with 0xff and leaves the length and
 * the cipher choice untouched.
 *
 * A constant secret is only suitable for this test: a real callback has to
 * supply keying material that is unpredictable and specific to the session.
 *
 * Always returns 1.
 */
static int secret_cb(SSL *s, void *secretin, int *secret_len,
                     STACK_OF(SSL_CIPHER) *peer_ciphers,
                     const SSL_CIPHER **cipher, void *arg)
{
    /* Just use a fixed master secret */
    if (*secret_len > 0)
        memset(secretin, 0xff, (size_t)*secret_len);

    /* We don't set a preferred cipher */

    return 1;
}
10906
/*
 * Test the session_secret_cb which is designed for use with EAP-FAST
 *
 * A TLSv1.2 session is established and saved, then resumed on a new
 * connection where both endpoints have secret_cb installed.
 * Test 0: the saved session has its session id cleared before resumption
 * Test 1 (any other idx): the saved session is given an explicit session id
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_session_secret_cb(int idx)
{
    SSL_SESSION *secret_sess = NULL, *server_sess = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    const unsigned char *sessid;
    unsigned int sess_len;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       0,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Create an initial connection and save the session */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* session_secret_cb does not support TLSv1.3 */
    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    /* Resume the earlier session */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    switch (idx) {
    case 0:
        /*
         * Normal case: no session id
         */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
            goto end;
        break;
    default:
        /*
         * Set an explicit session id. Normally we don't support this, but we
         * can get away with it if we reset the session id later
         */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, (unsigned char *)"sessionid", 9)))
            goto end;
        break;
    }

    /* Same version limits as before, plus the secret callback on both ends */
    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
                                             NULL)))
        goto end;
    if (!TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
                                             NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, secret_sess)))
        goto end;

    if (idx == 1) {
        /*
         * We just send the ClientHello here. We expect this to fail with
         * SSL_ERROR_WANT_READ
         */
        if (!TEST_int_le(SSL_connect(clientssl), 0))
            goto end;
        /* Reset the session id to avoid confusing the state machine */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
            goto end;
    }
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Check that session resumption was successful */
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;
    if (!TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (idx == 1) {
        /* The server must have seen the explicit id sent in the ClientHello */
        server_sess = SSL_get1_session(serverssl);
        if (!TEST_ptr(server_sess))
            goto end;
        sessid = SSL_SESSION_get_id(server_sess, &sess_len);

        if (!TEST_mem_eq(sessid, sess_len, "sessionid", 9))
            goto end;
    }
    testresult = 1;

end:
    SSL_SESSION_free(secret_sess);
    SSL_SESSION_free(server_sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
11014
11015 #ifndef OPENSSL_NO_DH
11016
11017 static EVP_PKEY *tmp_dh_params = NULL;
11018
/*
 * Helper function for the test_set_tmp_dh() tests.
 *
 * On first use this builds DH domain parameters from the RFC 3526 2048-bit
 * prime with generator 2 and caches them in tmp_dh_params. Every successful
 * call returns the cached key with one extra reference, which the caller must
 * release with EVP_PKEY_free(). The cached reference itself is not released
 * here.
 *
 * Returns NULL if the parameters could not be built or the reference could
 * not be taken.
 */
static EVP_PKEY *get_tmp_dh_params(void)
{
    BIGNUM *p = NULL;
    OSSL_PARAM_BLD *tmpl = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    OSSL_PARAM *params = NULL;
    EVP_PKEY *dhpkey = NULL;

    /* Already built by an earlier call: only a new reference is needed */
    if (tmp_dh_params != NULL)
        goto take_ref;

    p = BN_get_rfc3526_prime_2048(NULL);
    if (!TEST_ptr(p))
        goto end;

    pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
    if (!TEST_ptr(pctx))
        goto end;
    if (!TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
        goto end;

    tmpl = OSSL_PARAM_BLD_new();
    if (!TEST_ptr(tmpl))
        goto end;
    if (!TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
                                          OSSL_PKEY_PARAM_FFC_P,
                                          p)))
        goto end;
    if (!TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
                                            OSSL_PKEY_PARAM_FFC_G,
                                            2)))
        goto end;

    params = OSSL_PARAM_BLD_to_param(tmpl);
    if (!TEST_ptr(params))
        goto end;
    if (!TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
                                       EVP_PKEY_KEY_PARAMETERS,
                                       params),
                     1))
        goto end;

    tmp_dh_params = dhpkey;

end:
    /* The intermediates are released whether or not the build succeeded */
    BN_free(p);
    EVP_PKEY_CTX_free(pctx);
    OSSL_PARAM_BLD_free(tmpl);
    OSSL_PARAM_free(params);

take_ref:
    if (tmp_dh_params == NULL)
        return NULL;
    if (!EVP_PKEY_up_ref(tmp_dh_params))
        return NULL;

    return tmp_dh_params;
}
11069
11070 #ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Callback used by test_set_tmp_dh().
 *
 * Returns the DH object belonging to the cached test parameters, or NULL if
 * they are unavailable. The returned pointer is borrowed: this function holds
 * no reference to it when it returns, so it is only valid for as long as
 * tmp_dh_params keeps the owning EVP_PKEY alive.
 */
static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
{
    DH *ret = NULL;
    EVP_PKEY *dhpkey = get_tmp_dh_params();

    if (!TEST_ptr(dhpkey))
        return NULL;

    ret = EVP_PKEY_get1_DH(dhpkey);

    /*
     * libssl does not free the returned DH, so we free it now knowing that even
     * after we free dhpkey, there will still be a reference to the owning
     * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
     * of time we need it for.
     */
    DH_free(ret);
    EVP_PKEY_free(dhpkey);

    return ret;
}
11093 #endif
11094
/*
 * Test the various methods for setting temporary DH parameters
 *
 * Test 0: Default (no auto) setting
 * Test 1: Explicit SSL_CTX auto off
 * Test 2: Explicit SSL auto off
 * Test 3: Explicit SSL_CTX auto on
 * Test 4: Explicit SSL auto on
 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
 *
 * The following are testing deprecated APIs, so we only run them if available
 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
 * Test 8: Explicit SSL auto off, custom DH params via DH
 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
 * Test 10: Explicit SSL auto off, custom DH params via callback
 *
 * Odd numbered tests configure the server SSL_CTX; even numbered tests other
 * than 0 configure the server SSL object. The server is restricted to TLSv1.2
 * with a single DHE ciphersuite, so the handshake is expected to succeed only
 * when DH parameters are available (tests 3 to 10) and to fail in tests 0 to 2.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_tmp_dh(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
    /* Tests 0 to 2 leave the server without any DH parameters */
    int expected = (idx <= 2) ? 0 : 1;
    EVP_PKEY *dhpkey = NULL;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    DH *dh = NULL;
#else

    /* Tests 7 to 10 need the deprecated DH APIs, so they trivially pass */
    if (idx >= 7)
        return 1;
#endif

    /*
     * Tests 5 to 8 pass parameters in directly. Tests 9 and 10 fetch them
     * from inside tmp_dh_callback() instead.
     */
    if (idx >= 5 && idx <= 8) {
        dhpkey = get_tmp_dh_params();
        if (!TEST_ptr(dhpkey))
            goto end;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (idx == 7 || idx == 8) {
        /* get1 gives us our own DH reference, released at the end label */
        dh = EVP_PKEY_get1_DH(dhpkey);
        if (!TEST_ptr(dh))
            goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       0,
                                       0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Odd tests: set the auto DH flag explicitly on the SSL_CTX */
    if ((idx & 1) == 1) {
        if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
            goto end;
    }

    if (idx == 5) {
        if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
            goto end;
        /* Ownership passed to sctx on success, so it must not be freed here */
        dhpkey = NULL;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    else if (idx == 7) {
        if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
            goto end;
    } else if (idx == 9) {
        SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
    }
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Even tests other than 0: set the auto DH flag on the SSL object */
    if ((idx & 1) == 0 && idx != 0) {
        if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
            goto end;
    }
    if (idx == 6) {
        if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
            goto end;
        /* Ownership passed to serverssl on success */
        dhpkey = NULL;
    }
#ifndef OPENSSL_NO_DEPRECATED_3_0
    else if (idx == 8) {
        if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
            goto end;
    } else if (idx == 10) {
        SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
    }
#endif

    /* Force a DHE key exchange so the configured parameters are needed */
    if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
        goto end;

    /*
     * If auto is on, or custom parameters were supplied, then we should
     * succeed. Otherwise we expect failure because there are no parameters
     */
    if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
                                           SSL_ERROR_NONE),
                     expected))
        goto end;

    testresult = 1;

end:
#ifndef OPENSSL_NO_DEPRECATED_3_0
    DH_free(dh);
#endif
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    /* Still non-NULL only if ownership was never handed over */
    EVP_PKEY_free(dhpkey);

    return testresult;
}
11217
/*
 * Test the auto DH keys are appropriately sized
 *
 * Tests 0 to 4 use certificates with 1024, 2048, 3072, 4096 and 8192 bit keys
 * and expect a temporary DH key of the same size. Tests 5 and 6 use anonymous
 * DH ciphersuites without a certificate and expect 1024 and 3072 bit keys
 * respectively. Tests 0 and 5 are skipped (reported as passing) when the FIPS
 * provider is in use.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_dh_auto(int idx)
{
    /*
     * The contexts are created up front so that the security level can be
     * adjusted before create_ssl_ctx_pair() is called with NULL methods.
     * NOTE(review): presumably the helper reuses contexts that are already
     * non-NULL - confirm against ssltestlib.
     */
    SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
    SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    EVP_PKEY *tmpkey = NULL;
    char *thiscert = NULL, *thiskey = NULL;
    size_t expdhsize = 0;
    const char *ciphersuite = "DHE-RSA-AES128-SHA";

    if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
        goto end;

    switch (idx) {
    case 0:
        /* The FIPS provider doesn't support this DH size - so we ignore it */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        thiscert = cert1024;
        thiskey = privkey1024;
        expdhsize = 1024;
        /*
         * Security level lowered for this test case only.
         * NOTE(review): presumably needed for the 1024 bit key to be
         * accepted - confirm.
         */
        SSL_CTX_set_security_level(sctx, 1);
        SSL_CTX_set_security_level(cctx, 1);
        break;
    case 1:
        /* 2048 bit prime */
        thiscert = cert;
        thiskey = privkey;
        expdhsize = 2048;
        break;
    case 2:
        thiscert = cert3072;
        thiskey = privkey3072;
        expdhsize = 3072;
        break;
    case 3:
        thiscert = cert4096;
        thiskey = privkey4096;
        expdhsize = 4096;
        break;
    case 4:
        thiscert = cert8192;
        thiskey = privkey8192;
        expdhsize = 8192;
        break;
    /* No certificate cases */
    case 5:
        /* The FIPS provider doesn't support this DH size - so we ignore it */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /* Anonymous DH at security level 0: test-only configuration */
        ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
        expdhsize = 1024;
        break;
    case 6:
        /* Anonymous DH at security level 0: test-only configuration */
        ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
        expdhsize = 3072;
        break;
    default:
        TEST_error("Invalid text index");
        goto end;
    }

    /* thiscert and thiskey remain NULL for the no certificate cases */
    if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
                                       NULL,
                                       0,
                                       0,
                                       &sctx, &cctx, thiscert, thiskey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Auto DH on, TLSv1.2 only, and the same single ciphersuite both sides */
    if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
        || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
        || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
        goto end;

    /*
     * Send the server's first flight. At this point the server has created the
     * temporary DH key but hasn't finished using it yet. Once used it is
     * removed, so we cannot test it. Both calls are expected to return <= 0
     * because the handshake is not complete yet.
     */
    if (!TEST_int_le(SSL_connect(clientssl), 0)
        || !TEST_int_le(SSL_accept(serverssl), 0))
        goto end;

    /* tmpkey is ours to free once retrieved (see the end label) */
    if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
        goto end;
    if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
        goto end;

    /* Finish the handshake to check the chosen key actually works */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    EVP_PKEY_free(tmpkey);

    return testresult;
}
11334 #endif /* OPENSSL_NO_DH */
11335 #endif /* OPENSSL_NO_TLS1_2 */
11336
11337 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
 * that it works even without a certificate configured for the original
 * SSL_CTX. The server SSL object is created from a certificate-less SSL_CTX,
 * and a second SSL_CTX that does have a certificate is registered as the SNI
 * callback argument.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_sni_tls13(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* Start counting SNI callback invocations from zero */
    snicb = 0;

    /*
     * sctx has no certificate configured. sctx2 and cctx come from the
     * helper, with TLSv1.3 required as a minimum.
     */
    sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(sctx)
        || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                          TLS_client_method(), TLS1_3_VERSION, 0,
                                          &sctx2, &cctx, cert, privkey)))
        goto end;

    /* Set up SNI on the certificate-less context */
    if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)))
        goto end;
    if (!TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
        goto end;

    /*
     * Connection should still succeed because the final SSL_CTX has the right
     * certificates configured.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* We should have had the SNI callback called exactly once */
    if (TEST_int_eq(snicb, 1))
        testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
11391
/*
 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week,
 * even when the session timeout is configured to be longer (RFC 8446 caps the
 * ticket lifetime at 7 days). TLSv1.2 is expected to use the configured value.
 * 0 = TLSv1.2
 * 1 = TLSv1.3
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_ticket_lifetime(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int version = TLS1_3_VERSION;

#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)

    if (idx == 0) {
#ifdef OPENSSL_NO_TLS1_2
        return TEST_skip("TLS 1.2 is disabled.");
#else
        version = TLS1_2_VERSION;
#endif
    }

    /* Pin both ends to exactly the protocol version under test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), version, version,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                         &clientssl, NULL, NULL)))
        goto end;

    /*
     * Set the timeout to be more than 1 week and make sure the returned
     * (previous) value is the default. Then complete the handshake so that a
     * ticket is issued.
     */
    if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
                      SSL_get_default_timeout(serverssl))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (idx != 0) {
        /* TLSv1.3 uses the limited value */
        if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
            goto end;
    } else if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) {
        /* TLSv1.2 uses the set value */
        goto end;
    }
    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
11453 #endif
/*
 * Test that setting an ALPN does not violate RFC
 *
 * An ALPN protocol list is a sequence of entries, each a one byte length
 * followed by that many bytes of protocol name. The setters are expected to
 * accept a well formed list (and a NULL or zero length one) and to reject the
 * malformed vectors below, both on an SSL_CTX and on an SSL.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_alpn(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int testresult = 0;

    /* First entry has a length byte of zero */
    unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
    /* One well formed four byte entry */
    unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
    /* Length byte of 1 does not match the three bytes that follow */
    unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
    /* Valid entry followed by a zero length entry */
    unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00 };
    /* Valid entry followed by one whose length byte is too small */
    unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd' };
    /* Valid entry followed by one whose length runs past the buffer end */
    unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd' };

    /* Create an initial SSL_CTX with no certificate configured */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /*
     * the set_alpn functions return 0 (false) on success, non-zero (true) on
     * failure. The first three calls must be accepted; passing |good| with a
     * length of 1 truncates the entry and must be rejected like the bad ones.
     */
    if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
        goto end;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /* Same expectations for the per-connection setter */
    if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, 0))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good)))
        || !TEST_true(SSL_set_alpn_protos(ssl, good, 1))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
        goto end;

    testresult = 1;

end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return testresult;
}
11525
/*
 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
 *
 * Checks that both stores start out unset, that a store which has been set is
 * returned as the same pointer, and that setting NULL clears it again.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_verify_cert_store_ssl_ctx(void)
{
    SSL_CTX *ctx = NULL;
    int testresult = 0;
    X509_STORE *store = NULL, *new_store = NULL,
               *cstore = NULL, *new_cstore = NULL;

    /* Create an initial SSL_CTX. */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /*
     * Retrieve the verify and chain store pointers. We haven't set any yet,
     * so both should be NULL.
     */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))
        || !TEST_ptr_null(store)
        || !TEST_ptr_null(cstore))
        goto end;

    /* Create stores. We use separate stores so pointers are different. */
    new_store = X509_STORE_new();
    if (!TEST_ptr(new_store))
        goto end;

    new_cstore = X509_STORE_new();
    if (!TEST_ptr(new_cstore))
        goto end;

    /* Set stores. Our own references are still released at the end label. */
    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))
        || !TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
        goto end;

    /* Should be able to retrieve the same pointer. */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))
        || !TEST_ptr_eq(store, new_store)
        || !TEST_ptr_eq(cstore, new_cstore))
        goto end;

    /* Should be able to unset again. */
    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))
        || !TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
        goto end;

    /* Should now be NULL. */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))
        || !TEST_ptr_null(store)
        || !TEST_ptr_null(cstore))
        goto end;

    testresult = 1;

end:
    X509_STORE_free(new_store);
    X509_STORE_free(new_cstore);
    SSL_CTX_free(ctx);
    return testresult;
}
11604
/*
 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
 *
 * Checks that both stores start out unset on a new SSL object, that a store
 * which has been set is returned as the same pointer, and that setting NULL
 * clears it again.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_verify_cert_store_ssl(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int testresult = 0;
    X509_STORE *store = NULL, *new_store = NULL,
               *cstore = NULL, *new_cstore = NULL;

    /* Create an initial SSL_CTX. */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* Create an SSL object. */
    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /*
     * Retrieve the verify and chain store pointers. We haven't set any yet,
     * so both should be NULL.
     */
    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))
        || !TEST_ptr_null(store)
        || !TEST_ptr_null(cstore))
        goto end;

    /* Create stores. We use separate stores so pointers are different. */
    new_store = X509_STORE_new();
    if (!TEST_ptr(new_store))
        goto end;

    new_cstore = X509_STORE_new();
    if (!TEST_ptr(new_cstore))
        goto end;

    /* Set stores. Our own references are still released at the end label. */
    if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))
        || !TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
        goto end;

    /* Should be able to retrieve the same pointer. */
    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))
        || !TEST_ptr_eq(store, new_store)
        || !TEST_ptr_eq(cstore, new_cstore))
        goto end;

    /* Should be able to unset again. */
    if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))
        || !TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
        goto end;

    /* Should now be NULL. */
    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))
        || !TEST_ptr_null(store)
        || !TEST_ptr_null(cstore))
        goto end;

    testresult = 1;

end:
    X509_STORE_free(new_store);
    X509_STORE_free(new_cstore);
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return testresult;
}
11690
/*
 * Test that host flags set on the verify parameters of an SSL_CTX are
 * inherited by an SSL object created from it afterwards.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_inherit_verify_param(void)
{
    int testresult = 0;

    SSL_CTX *ctx = NULL;
    X509_VERIFY_PARAM *cp = NULL;
    SSL *ssl = NULL;
    X509_VERIFY_PARAM *sp = NULL;
    int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* A fresh SSL_CTX is expected to start with no host flags set */
    cp = SSL_CTX_get0_param(ctx);
    if (!TEST_ptr(cp)
        || !TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
        goto end;

    /* Change the flags before the SSL object exists */
    X509_VERIFY_PARAM_set_hostflags(cp, hostflags);

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /* The SSL object's own parameters should carry the same flags */
    sp = SSL_get0_param(ssl);
    if (!TEST_ptr(sp)
        || !TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
        goto end;

    testresult = 1;

end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}
11731
/*
 * Test that a DH parameters file can be loaded through the SSL_CONF
 * "DHParameters" command. Passes trivially when no dhfile was supplied and is
 * skipped in builds without DH support.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_load_dhfile(void)
{
#ifndef OPENSSL_NO_DH
    int testresult = 0;

    SSL_CTX *ctx = NULL;
    SSL_CONF_CTX *cctx = NULL;

    /* Nothing to load */
    if (dhfile == NULL)
        return 1;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method())))
        goto end;
    if (!TEST_ptr(cctx = SSL_CONF_CTX_new()))
        goto end;

    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
    SSL_CONF_CTX_set_flags(cctx,
                           SSL_CONF_FLAG_CERTIFICATE
                               | SSL_CONF_FLAG_SERVER
                               | SSL_CONF_FLAG_FILE);

    /* A return of 2 means both the command and its value were consumed */
    if (TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
        testresult = 1;

end:
    SSL_CONF_CTX_free(cctx);
    SSL_CTX_free(ctx);

    return testresult;
#else
    return TEST_skip("DH not supported by this build");
#endif
}
11766
11767 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that read_ahead works across a key change: the server must still
 * decrypt buffered records correctly when a key update sits between them.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_read_ahead_key_change(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char *msg = "Hello World";
    size_t written, readbytes;
    char buf[80];
    int i;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Must be enabled before the server SSL object is created from sctx */
    SSL_CTX_set_read_ahead(sctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Write some data, send a key update, write more data */
    if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
        || !TEST_size_t_eq(written, strlen(msg))
        || !TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))
        || !TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
        || !TEST_size_t_eq(written, strlen(msg)))
        goto end;

    /*
     * Since read_ahead is on the first read below should read the record with
     * the first app data, the second record with the key update message, and
     * the third record with the app data all in one go. We should be able to
     * still process the read_ahead data correctly even though it crosses
     * epochs
     */
    for (i = 2; i > 0; i--) {
        /* Read at most sizeof(buf) - 1 bytes so the terminator always fits */
        if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
                                   &readbytes)))
            goto end;

        buf[readbytes] = '\0';
        if (!TEST_str_eq(buf, msg))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
11831
/*
 * Record padding callback used by test_tls13_record_padding().
 *
 * |arg| points to an int call counter, which is incremented on every call.
 * The amount of padding requested depends on how many times the callback has
 * been called before; from the fifth call onwards no padding is requested.
 */
static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
{
    int *called = arg;
    int callno = (*called)++;

    /* Add some padding to first record */
    if (callno == 0)
        return 512;

    /* Maximally pad the second record */
    if (callno == 1)
        return SSL3_RT_MAX_PLAIN_LENGTH - len;

    /*
     * Exceeding the maximum padding should be fine. It should just pad to
     * the maximum anyway
     */
    if (callno == 2)
        return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;

    /*
     * Very large padding should also be ok. Should just pad to the maximum
     * allowed
     */
    if (callno == 3)
        return SIZE_MAX;

    return 0;
}
11859
/*
 * Test that setting record padding in TLSv1.3 works as expected
 * Test 0: Record padding callback on the SSL_CTX
 * Test 1: Record padding callback on the SSL
 * Test 2: Record block padding on the SSL_CTX
 * Test 3: Record block padding on the SSL
 * Test 4: Extended record block padding on the SSL_CTX
 * Test 5: Extended record block padding on the SSL
 *
 * Padding is configured on the client side (test 5 also configures the
 * server). The test only checks that data still flows and, for tests 0 and 1,
 * that the callback was called; it does not inspect the padding on the wire.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_tls13_record_padding(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char *msg = "Hello World";
    size_t written, readbytes;
    char buf[80];
    int i;
    /* Call counter handed to record_pad_cb() as its argument */
    int called = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Even tests: configure the client SSL_CTX before creating SSL objects */
    if (idx == 0) {
        SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
        SSL_CTX_set_record_padding_callback_arg(cctx, &called);
        /* The getter must hand back the pointer we just stored */
        if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
            goto end;
    } else if (idx == 2) {
        /* Exceeding the max plain length should fail */
        if (!TEST_false(SSL_CTX_set_block_padding(cctx,
                                                  SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
            goto end;
    } else if (idx == 4) {
        /* pad only handshake/alert messages */
        if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /* Odd tests: configure the SSL objects directly */
    if (idx == 1) {
        SSL_set_record_padding_callback(clientssl, record_pad_cb);
        SSL_set_record_padding_callback_arg(clientssl, &called);
        /* The getter must hand back the pointer we just stored */
        if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
            goto end;
    } else if (idx == 3) {
        /* Exceeding the max plain length should fail */
        if (!TEST_false(SSL_set_block_padding(clientssl,
                                              SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
            goto end;
    } else if (idx == 5) {
        /* Exceeding the max plain length should fail */
        if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0,
                                                 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        /* pad server and client handshake only */
        if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512)))
            goto end;
        if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Discard any callback calls made during the handshake */
    called = 0;
    /*
     * Write some data, then check we can read it. Do this four times to check
     * we can continue to write and read padded data after the initial record
     * padding has been added. We don't actually check that the padding has
     * been applied to the record - just that we can continue to communicate
     * normally and that the callback has been called (if appropriate).
     */
    for (i = 0; i < 4; i++) {
        if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
            || !TEST_size_t_eq(written, strlen(msg)))
            goto end;

        /* Read at most sizeof(buf) - 1 bytes so the terminator always fits */
        if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
                                   &readbytes))
            || !TEST_size_t_eq(written, readbytes))
            goto end;

        buf[readbytes] = '\0';
        if (!TEST_str_eq(buf, msg))
            goto end;
    }

    /* One callback call per record written above */
    if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
11968 #endif /* OSSL_NO_USABLE_TLS1_3 */
11969
11970 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
/*
 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
 * support this yet. The only pipeline capable cipher that we have is in the
 * dasync engine (providers don't support this yet), so we have to use
 * deprecated APIs for this test.
 *
 * Test 0: Client has pipelining enabled, server does not
 * Test 1: Server has pipelining enabled, client does not
 * Test 2: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines
 * Test 3: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines by more than a full pipeline's worth
 * Test 4: Client has pipelining enabled, server does not: more data than all
 *         the available pipelines can take
 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
 *         is created)
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_pipelining(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
    int testresult = 0, numreads;
    /* A 55 byte message */
    unsigned char *msg = (unsigned char *)"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
    size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
    size_t expectedreads;
    unsigned char *buf = NULL;
    ENGINE *e = NULL;

    if (idx != 6) {
        e = load_dasync();
        /* Nothing has been allocated yet, so returning directly is safe */
        if (e == NULL)
            return 0;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0,
                                       TLS1_2_VERSION, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    if (idx == 6) {
        e = load_dasync();
        if (e == NULL)
            goto end;
        /* Now act like test 0 */
        idx = 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
        goto end;

    /* peera is always configured for pipelining, while peerb is not. */
    if (idx == 1) {
        peera = serverssl;
        peerb = clientssl;

    } else {
        peera = clientssl;
        peerb = serverssl;
    }

    if (idx == 5) {
        numpipes = 2;
        /* Maximum allowed fragment size */
        fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
        msglen = fragsize * numpipes;
        /*
         * From here on msg points at heap memory rather than the string
         * literal. The end label uses fragsize to decide whether to free it.
         */
        msg = OPENSSL_malloc(msglen);
        if (!TEST_ptr(msg))
            goto end;
        if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
            goto end;
    } else if (idx == 4) {
        msglen = 55;
    } else {
        msglen = 50;
    }
    if (idx == 2)
        msglen -= 2; /* Send 2 less bytes */
    else if (idx == 3)
        msglen -= 12; /* Send 12 less bytes */

    /* Receive buffer sized to exactly the amount of data to be sent */
    buf = OPENSSL_malloc(msglen);
    if (!TEST_ptr(buf))
        goto end;

    if (idx == 5) {
        /*
         * Test that setting a split send fragment longer than the maximum
         * allowed fails
         */
        if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
            goto end;
    }

    /*
     * In the normal case we have 5 pipelines with 10 bytes per pipeline
     * (50 bytes in total). This is a ridiculously small number of bytes -
     * but sufficient for our purposes
     */
    if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
        || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Write some data from peera to peerb */
    if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
        || !TEST_size_t_eq(written, msglen))
        goto end;

    /*
     * If the pipelining code worked, then we expect all |numpipes| pipelines to
     * have been used - except in test 3 where only |numpipes - 1| pipelines
     * will be used. This will result in |numpipes| records (|numpipes - 1| for
     * test 3) having been sent to peerb. Since peerb is not using read_ahead we
     * expect this to be read in |numpipes| or |numpipes - 1| separate
     * SSL_read_ex calls. In the case of test 4, there is then one additional
     * read for left over data that couldn't fit in the previous pipelines
     *
     * Each read is limited to the space left in buf (msglen - offset).
     */
    for (offset = 0, numreads = 0;
        offset < msglen;
        offset += readbytes, numreads++) {
        if (!TEST_true(SSL_read_ex(peerb, buf + offset,
                                   msglen - offset, &readbytes)))
            goto end;
    }

    expectedreads = idx == 4 ? numpipes + 1
                             : (idx == 3 ? numpipes - 1 : numpipes);
    if (!TEST_mem_eq(msg, msglen, buf, offset)
        || !TEST_int_eq(numreads, expectedreads))
        goto end;

    /*
     * Write some data from peerb to peera. We do this in up to |numpipes + 1|
     * chunks to exercise the read pipelining code on peera.
     */
    for (offset = 0; offset < msglen; offset += fragsize) {
        size_t sendlen = msglen - offset;

        /* The final chunk may be shorter than a full fragment */
        if (sendlen > fragsize)
            sendlen = fragsize;
        if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
            || !TEST_size_t_eq(written, sendlen))
            goto end;
    }

    /*
     * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
     * separate chunks (depending on which test we are running). If the
     * pipelining is working then we expect peera to read up to numpipes chunks
     * and process them in parallel, giving back the complete result in a single
     * call to SSL_read_ex
     */
    if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
        || !TEST_size_t_le(readbytes, msglen))
        goto end;

    if (idx == 4) {
        size_t readbytes2;

        /* One more read for the chunk that did not fit in the pipelines */
        if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
                                   msglen - readbytes, &readbytes2)))
            goto end;
        readbytes += readbytes2;
        if (!TEST_size_t_le(readbytes, msglen))
            goto end;
    }

    if (!TEST_mem_eq(msg, msglen, buf, readbytes))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    if (e != NULL) {
        ENGINE_unregister_ciphers(e);
        ENGINE_finish(e);
        ENGINE_free(e);
    }
    OPENSSL_free(buf);
    /*
     * Only test 5 sets fragsize to SSL3_RT_MAX_PLAIN_LENGTH, and it does so
     * just before replacing msg with a heap allocation. In every other test
     * msg still points at the string literal and must not be freed.
     */
    if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
        OPENSSL_free(msg);
    return testresult;
}
12166 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
12167
/*
 * Compare SSL_get_version() for |s| with the name expected for |version|.
 * A |version| that is not in the table leaves the expected name NULL, so the
 * string comparison is then made against NULL. Returns the TEST_str_eq()
 * result.
 */
static int check_version_string(SSL *s, int version)
{
    static const struct {
        int version;
        const char *name;
    } names[] = {
        { SSL3_VERSION, "SSLv3" },
        { TLS1_VERSION, "TLSv1" },
        { TLS1_1_VERSION, "TLSv1.1" },
        { TLS1_2_VERSION, "TLSv1.2" },
        { TLS1_3_VERSION, "TLSv1.3" },
        { DTLS1_VERSION, "DTLSv1" },
        { DTLS1_2_VERSION, "DTLSv1.2" }
    };
    const char *expected = NULL;
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (names[i].version == version) {
            expected = names[i].name;
            break;
        }
    }

    return TEST_str_eq(expected, SSL_get_version(s));
}
12197
12198 /*
12199 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
12200 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
12201 * test_version() in quicapitest.c which does the same thing for QUIC
12202 * connections.
12203 */
static int test_version(int idx)
{
    const SSL_METHOD *servmeth = TLS_server_method();
    const SSL_METHOD *clientmeth = TLS_client_method();
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int version, dtls, ok = 0;

    /*
     * Map the test index to a protocol version. A version compiled out of
     * this build has no case label, so its index ends up in the skip below.
     */
    switch (idx) {
#if !defined(OPENSSL_NO_SSL3)
    case 0:
        version = SSL3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1)
    case 1:
        version = TLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1_2)
    case 2:
        version = TLS1_2_VERSION;
        break;
#endif
#if !defined(OSSL_NO_USABLE_TLS1_3)
    case 3:
        version = TLS1_3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1)
    case 4:
        version = DTLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1_2)
    case 5:
        version = DTLS1_2_VERSION;
        break;
#endif
    /*
     * QUIC is out of scope here (quicapitest.c covers it) and so is
     * DTLS1_BAD_VER, for which there is no server support.
     */
    default:
        TEST_skip("Unsupported protocol version");
        return 1;
    }

    dtls = (version == DTLS1_VERSION || version == DTLS1_2_VERSION);

    if (is_fips
        && (version == SSL3_VERSION
            || version == TLS1_VERSION
            || version == DTLS1_VERSION)) {
        TEST_skip("Protocol version not supported with FIPS");
        return 1;
    }

#if !defined(OPENSSL_NO_DTLS)
    if (dtls) {
        servmeth = DTLS_server_method();
        clientmeth = DTLS_client_method();
    }
#endif

    /* Pin both ends to exactly |version| by using it as min and max */
    if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
                                       version, &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Security level 0 on both ends - presumably so that the legacy protocol
     * versions in this matrix can be negotiated at all. Test-only setting.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
        || !TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /* Numeric and textual version must agree on both ends */
    if (!TEST_int_eq(SSL_version(serverssl), version)
        || !TEST_int_eq(SSL_version(clientssl), version)
        || !TEST_true(check_version_string(serverssl, version))
        || !TEST_true(check_version_string(clientssl, version)))
        goto end;

    /* Exactly one of the TLS/DTLS predicates may hold for each end */
    if (dtls) {
        if (!TEST_true(SSL_is_dtls(serverssl))
            || !TEST_true(SSL_is_dtls(clientssl))
            || !TEST_false(SSL_is_tls(serverssl))
            || !TEST_false(SSL_is_tls(clientssl)))
            goto end;
    } else {
        if (!TEST_true(SSL_is_tls(serverssl))
            || !TEST_true(SSL_is_tls(clientssl))
            || !TEST_false(SSL_is_dtls(serverssl))
            || !TEST_false(SSL_is_dtls(clientssl)))
            goto end;
    }

    /* Neither flavour is ever QUIC */
    if (!TEST_false(SSL_is_quic(serverssl))
        || !TEST_false(SSL_is_quic(clientssl)))
        goto end;

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ok;
}
12316
12317 /*
12318 * Test that the SSL_rstate_string*() APIs return sane results
12319 */
static int test_rstate_string(void)
{
    const SSL_METHOD *servmeth = TLS_server_method();
    const SSL_METHOD *clientmeth = TLS_client_method();
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /*
     * A bare record header with no body behind it. The last two bytes are
     * presumably the record length (usual 5-byte TLS record header layout).
     */
    unsigned char hdr[SSL3_RT_HEADER_LENGTH] = {
        SSL3_RT_APPLICATION_DATA,
        TLS1_2_VERSION_MAJOR,
        0, /* low version byte, set once the version is known */
        0,
        1
    };
    unsigned char scratch[2];
    size_t nwritten, nread;
    int wire_version, ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
                                       0, &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                         &clientssl, NULL, NULL)))
        goto end;

    /* Before any handshake the server is waiting for a record header */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* ... and it is back in that state once the handshake has completed */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    /* A TLSv1.3 connection gets the TLSv1.2 value in the record header */
    wire_version = SSL_version(serverssl);
    wire_version = (wire_version == TLS1_3_VERSION) ? TLS1_2_VERSION
                                                    : wire_version;
    hdr[2] = wire_version & 0xff;

    /*
     * Feed only the header to the server. Reading the body too would fail
     * with a bad record mac, but the test stops before that point.
     */
    if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), hdr,
                                sizeof(hdr), &nwritten))
        || !TEST_size_t_eq(nwritten, SSL3_RT_HEADER_LENGTH))
        goto end;

    /* No body is available, so the read cannot complete */
    if (!TEST_false(SSL_read_ex(serverssl, scratch, sizeof(scratch), &nread)))
        goto end;

    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
        goto end;

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ok;
}
12386
12387 /*
12388 * Force a write retry during handshaking. We test various combinations of
12389 * scenarios. We test a large certificate message which will fill the buffering
12390 * BIO used in the handshake. We try with client auth on and off. Finally we
12391 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
12392 * to indicate retry via -1 - but sometimes BIOs don't do that.
12393 *
12394 * Test 0: Standard certificate message
12395 * Test 1: Large certificate message
12396 * Test 2: Standard cert, verify peer
12397 * Test 3: Large cert, verify peer
12398 * Test 4: Standard cert, BIO returns 0 on retry
12399 * Test 5: Large cert, BIO returns 0 on retry
12400 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
12401 * Test 7: Large cert, verify peer, BIO returns 0 on retry
12402 * Test 8-15: Repeat of above with TLSv1.2
12403 */
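static int test_handshake_retry(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
    int maxversion = 0;

    if (!TEST_ptr(bretry))
        goto end;

    /* Bit 3 of |idx| selects the TLSv1.2 repeat of tests 0-7 */
#ifndef OPENSSL_NO_TLS1_2
    if ((idx & 8) == 8)
        maxversion = TLS1_2_VERSION;
#else
    if ((idx & 8) == 8) {
        /*
         * |bretry| is already allocated at this point, so leave through the
         * cleanup path instead of returning directly and leaking it.
         */
        testresult = TEST_skip("No TLSv1.2");
        goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0, maxversion,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Bit 0: add a large amount of data to fill the buffering BIO used by
     * the SSL object
     */
    if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    /*
     * Bit 1: request a client certificate. We don't actually configure a
     * client cert, but neither do we fail if one isn't present.
     */
    if ((idx & 2) == 2)
        SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    /* Bit 2: make the retry BIO signal retry with a 0 return */
    if ((idx & 4) == 4)
        set_always_retry_err_val(0);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    /*
     * Keep our own reference to the server's real write BIO so that it
     * survives being replaced by the always-retry BIO.
     */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* No reference was taken, so the cleanup path must not free it */
        tmp = NULL;
        goto end;
    }
    /* Hand |bretry| over to the SSL object and forget our pointer to it */
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL;

    if (!TEST_int_eq(SSL_connect(clientssl), -1))
        goto end;

    /* The server's first flight cannot be written and must report a retry */
    if (!TEST_int_eq(SSL_accept(serverssl), -1)
        || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);
    /* Put the shared retry value back so later tests see -1 again */
    set_always_retry_err_val(-1);
    return testresult;
}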
12482
12483 /*
12484 * Test that receiving retries when writing application data works as expected
12485 */
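static int test_data_retry(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char inbuf[1200], outbuf[1200];
    size_t i;
    BIO *tmp = NULL;
    BIO *bretry = BIO_new(bio_s_maybe_retry());
    size_t written, readbytes, totread = 0;

    if (!TEST_ptr(bretry))
        goto end;

    /* Recognisable payload: each byte is its own offset modulo 256 */
    for (i = 0; i < sizeof(inbuf); i++)
        inbuf[i] = (unsigned char)(0xff & i);
    memset(outbuf, 0, sizeof(outbuf));

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0, 0, &sctx, &cctx,
                                       cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * Smallest possible max send fragment is 512, so the 1200 byte payload
     * needs three records.
     */
    if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
        goto end;

    /*
     * Chain the client's real write BIO behind the retry filter. As in
     * test_handshake_retry(), |tmp| is cleared when no reference was taken so
     * that the cleanup path does not free a BIO the SSL object still owns.
     */
    tmp = SSL_get_wbio(clientssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    BIO_push(bretry, tmp);
    tmp = NULL;
    SSL_set0_wbio(clientssl, bretry);
    /* Keep a reference of our own so that BIO_ctrl() below can reach it */
    if (!BIO_up_ref(bretry)) {
        bretry = NULL;
        goto end;
    }

    for (i = 0; i < 3; i++) {
        /* We expect this call to make no progress and indicate retry */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;

        /* Allow one write to progress, but the next one to signal retry */
        if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
                                NULL)))
            goto end;

        if (i == 2)
            break;

        /*
         * This call will hopefully make progress but will still indicate retry
         * because there is more data than will fit into a single record.
         */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* The final call should write the last chunk of data and succeed */
    if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
        goto end;
    /*
     * Read all the data available. Each read is limited to the space left in
     * |outbuf|.
     */
    while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
                       &readbytes))
        totread += readbytes;
    if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free_all(bretry);
    BIO_free(tmp);
    return testresult;
}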
12578
/* State shared between test_multi_resume() and resume_servername_cb() */
struct resume_servername_cb_data {
    /* Loop counter of the outer test; the callback acts only when i % 3 == 1 */
    int i;
    /* Contexts the callback uses to create its nested connection */
    SSL_CTX *cctx;
    SSL_CTX *sctx;
    /* Session the nested connection attempts to resume */
    SSL_SESSION *sess;
    /* Non-zero while the nested handshake runs; makes a re-entrant call fail */
    int recurse;
};
12586
12587 /*
12588 * Servername callback. We use it here to run another complete handshake using
12589 * the same session - and mark the session as not_resumable at the end
12590 */
static int resume_servername_cb(SSL *s, int *ad, void *arg)
{
    struct resume_servername_cb_data *state = arg;
    SSL *inner_server = NULL, *inner_client = NULL;
    int rv = SSL_TLSEXT_ERR_ALERT_FATAL;

    /* A call made from within the nested handshake is made to fail */
    if (state->recurse)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Only one round in three runs the nested handshake */
    if ((state->i % 3) != 1)
        return SSL_TLSEXT_ERR_OK;

    state->recurse = 1;

    if (TEST_true(create_ssl_objects(state->sctx, state->cctx, &inner_server,
                                     &inner_client, NULL, NULL))
        && TEST_true(SSL_set_session(inner_client, state->sess))) {
        ERR_set_mark();
        /*
         * The nested handshake is expected to fail because this callback
         * rejects the re-entrant call. That marks the session as
         * not_resumable.
         */
        if (TEST_false(create_ssl_connection(inner_server, inner_client,
                                             SSL_ERROR_NONE))) {
            /* Discard the errors raised by the expected failure */
            ERR_pop_to_mark();
            rv = SSL_TLSEXT_ERR_OK;
        } else {
            ERR_clear_last_mark();
        }
    }

    SSL_free(inner_server);
    SSL_free(inner_client);
    state->recurse = 0;
    return rv;
}
12628 /*
12629 * Test multiple resumptions and cache size handling
12630 * Test 0: TLSv1.3 (max_early_data set)
12631 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
12632 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
12633 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
12634 * Test 4: TLSv1.2
12635 */
static int test_multi_resume(int idx)
{
    struct resume_servername_cb_data cbdata;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    int max_version = TLS1_3_VERSION;
    int round, ok = 0;

#if defined(OPENSSL_NO_TLS1_2)
    if (idx == 4)
        return TEST_skip("TLSv1.2 is disabled in this build");
#else
    if (idx == 4)
        max_version = TLS1_2_VERSION;
#endif
#if defined(OSSL_NO_USABLE_TLS1_3)
    if (idx != 4)
        return TEST_skip("No usable TLSv1.3 in this build");
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    /*
     * A TLSv1.3 server only uses its session cache when max_early_data > 0
     * (the cache then provides replay protection) or when SSL_OP_NO_TICKET
     * is set, so each TLSv1.3 variant enables at least one of the two.
     */
    if ((idx == 0 || idx == 2)
        && !TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
        goto end;
    if (idx >= 1 && idx <= 3)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);

    SSL_CTX_sess_set_cache_size(sctx, 5);

    if (idx == 3) {
        cbdata.cctx = cctx;
        cbdata.sctx = sctx;
        cbdata.recurse = 0;
        SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
        SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
    }

    for (round = 0; round < 30; round++) {
        /* Every third round ends a full-handshake-plus-two-resumes cycle */
        const int last_of_cycle = (round % 3) == 2;

        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                          NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sess)))
            goto end;

        /*
         * Simultaneous resumes: the servername callback is (mis)used to pause
         * this handshake after resumption has happened but before any ticket
         * is issued, and runs a second complete handshake on the same session
         * while it is paused.
         */
        if (idx == 3) {
            cbdata.i = round;
            cbdata.sess = sess;
        }

        /*
         * Recreate a bug where dynamically changing the max_early_data value
         * can leave sessions in the session cache that cannot be deleted.
         */
        if ((idx == 0 || idx == 2) && last_of_cycle)
            SSL_set_max_early_data(serverssl, 0);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE)))
            goto end;

        if (sess != NULL && !(idx == 0 && last_of_cycle)) {
            if (!TEST_true(SSL_session_reused(clientssl)))
                goto end;
        } else {
            if (!TEST_false(SSL_session_reused(clientssl)))
                goto end;
        }
        SSL_SESSION_free(sess);

        /* Do a full handshake, followed by two resumptions */
        if (last_of_cycle) {
            sess = NULL;
        } else {
            if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
                goto end;
        }

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        /* Cleared so that the cleanup path cannot free them a second time */
        serverssl = clientssl = NULL;
    }

    /* We should never exceed the session cache size limit */
    if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
        goto end;

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);
    return ok;
}
12749
/*
 * Inputs and expected results for SSL_select_next_proto(). The lists use a
 * length-prefixed encoding: one length byte followed by that many name bytes.
 * A list length of -1 makes test_select_next_proto() pass a NULL list.
 */
static struct next_proto_st {
    int serverlen;              /* bytes of |server| to pass, or -1 for NULL */
    unsigned char server[40];   /* server protocol list */
    int clientlen;              /* bytes of |client| to pass, or -1 for NULL */
    unsigned char client[40];   /* client protocol list */
    int expected_ret;           /* expected SSL_select_next_proto() result */
    size_t selectedlen;         /* expected output length; 0 expects NULL */
    unsigned char selected[40]; /* expected selected protocol name */
} next_proto_tests[] = {
    /* 0: identical single-entry lists */
    { 4, { 3, 'a', 'b', 'c' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* 1: server offers "abc" then "ab", client offers "abc" */
    { 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* 2: server offers "ab" then "abc", client offers "abc" */
    { 7, {
             2,
             'a',
             'b',
             3,
             'a',
             'b',
             'c',
         },
        4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } },
    /* 3: server offers "abc", client offers "abc" then "ab" */
    { 4, { 3, 'a', 'b', 'c' }, 7, {
                                      3,
                                      'a',
                                      'b',
                                      'c',
                                      2,
                                      'a',
                                      'b',
                                  },
        OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } },
    /* 4: server offers "abc", client offers "ab" then "abc" */
    { 4, { 3, 'a', 'b', 'c' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* 5: server offers "bc" then "abc", client offers "ab" then "abc" */
    { 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* 6: both client entries are on the server list; "abc" is expected */
    { 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* 7: nothing in common; the client's first entry is expected back */
    { 4, { 3, 'b', 'c', 'd' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* 8: zero-length server list */
    { 0, { 0 },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* 9: NULL server list */
    { -1, { 0 },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* 10: zero-length client list; nothing can be selected */
    { 4, { 3, 'a', 'b', 'c' },
        0, { 0 },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } },
    /* 11: NULL client list; nothing can be selected */
    { 4, { 3, 'a', 'b', 'c' },
        -1, { 0 },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } },
    /*
     * 12: server list length is one byte short of what its length prefix
     * claims; expected to be treated as no overlap
     */
    { 3, { 3, 'a', 'b', 'c' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /*
     * 13: client list length is one byte short of what its length prefix
     * claims; expected to give no overlap and no selection
     */
    { 4, { 3, 'a', 'b', 'c' },
        3, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } }
};
12789
/*
 * Run SSL_select_next_proto() on entry |idx| of next_proto_tests and check
 * the return code and the selected protocol. Returns 1 on success, else 0.
 */
static int test_select_next_proto(int idx)
{
    struct next_proto_st *tc = &next_proto_tests[idx];
    /* A length of -1 in the table stands for "pass a NULL list" */
    const int no_client = (tc->clientlen == -1);
    const int no_server = (tc->serverlen == -1);
    unsigned char *client = no_client ? NULL : tc->client;
    unsigned char *server = no_server ? NULL : tc->server;
    unsigned int clientlen = no_client ? 0 : (unsigned int)tc->clientlen;
    unsigned int serverlen = no_server ? 0 : (unsigned int)tc->serverlen;
    unsigned char *out;
    unsigned char outlen;

    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
                                           client, clientlen),
                     tc->expected_ret))
        return 0;

    if (tc->selectedlen == 0) {
        /* Nothing selectable: the output must be NULL with zero length */
        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
            return 0;
        return 1;
    }

    if (!TEST_mem_eq(out, outlen, tc->selected, tc->selectedlen))
        return 0;

    return 1;
}
12830
/*
 * Single-entry protocol lists: a length byte followed by the name. The
 * callbacks below hand out either the whole list or just the name, using
 * the first byte as the name length.
 */
static const unsigned char fooprot[] = { 3, 'f', 'o', 'o' };
static const unsigned char barprot[] = { 3, 'b', 'a', 'r' };
12833
12834 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
/*
 * Server-side NPN advertisement callback. |arg| points to the test index:
 * 1 advertises an empty list, 2 returns SSL_TLSEXT_ERR_NOACK without
 * touching the outputs, and any other value advertises "foo".
 */
static int npn_advert_cb(SSL *ssl, const unsigned char **out,
                         unsigned int *outlen, void *arg)
{
    const int mode = *(int *)arg;

    if (mode == 2)
        return SSL_TLSEXT_ERR_NOACK;

    if (mode == 1) {
        *out = NULL;
        *outlen = 0;
    } else {
        /* The whole list, length byte included */
        *out = fooprot;
        *outlen = sizeof(fooprot);
    }
    return SSL_TLSEXT_ERR_OK;
}
12856
/*
 * Client-side NPN selection callback. |arg| points to the test index:
 * 0 and 1 select "foo", 3 selects "bar", 4 reports success with a zero
 * length and leaves |*out| untouched, anything else is a fatal alert.
 * The advertised list in |in| is not consulted.
 */
static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
                         const unsigned char *in, unsigned int inlen, void *arg)
{
    const int mode = *(int *)arg;
    const unsigned char *chosen;

    if (mode == 4) {
        *outlen = 0;
        return SSL_TLSEXT_ERR_OK;
    }

    if (mode == 0 || mode == 1)
        chosen = fooprot;
    else if (mode == 3)
        chosen = barprot;
    else
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Skip the length byte: the output is the bare protocol name */
    *out = (unsigned char *)(chosen + 1);
    *outlen = *chosen;
    return SSL_TLSEXT_ERR_OK;
}
12883
12884 /*
12885 * Test the NPN callbacks
12886 * Test 0: advert = foo, select = foo
12887 * Test 1: advert = <empty>, select = foo
12888 * Test 2: no advert
12889 * Test 3: advert = foo, select = bar
12890 * Test 4: advert = foo, select = <empty> (should fail)
12891 */
static int test_npn(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    const unsigned char *prot;
    unsigned int protlen;
    int ok = 0;

    /* The connection is capped at TLSv1.2 for this test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0, TLS1_2_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Both callbacks read the test index through the pointer passed here */
    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (idx == 4) {
        /* We don't allow empty selection of NPN, so this should fail */
        if (TEST_false(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE)))
            ok = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* Check what the server recorded as the negotiated protocol */
    SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
    if (idx == 0 || idx == 1) {
        if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
            goto end;
    } else if (idx == 2) {
        /* Nothing was advertised, so nothing is negotiated */
        if (!TEST_uint_eq(protlen, 0))
            goto end;
    } else if (idx == 3) {
        if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
            goto end;
    } else {
        TEST_error("Should not get here");
        goto end;
    }

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return ok;
}
12953 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12954
/*
 * Server-side ALPN selection callback. |arg| points to the test index:
 * 0 selects "foo", 2 selects "bar", 3 reports success with a zero length
 * and leaves |*out| untouched, anything else is a fatal alert. The client's
 * list in |in| is not consulted.
 */
static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
                           unsigned char *outlen, const unsigned char *in,
                           unsigned int inlen, void *arg)
{
    const int mode = *(int *)arg;
    const unsigned char *chosen;

    if (mode == 3) {
        *outlen = 0;
        return SSL_TLSEXT_ERR_OK;
    }

    if (mode == 0)
        chosen = fooprot;
    else if (mode == 2)
        chosen = barprot;
    else
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Skip the length byte: the output is the bare protocol name */
    *out = chosen + 1;
    *outlen = *chosen;
    return SSL_TLSEXT_ERR_OK;
}
12982
12983 /*
12984 * Test the ALPN callbacks
12985 * Test 0: client = foo, select = foo
12986 * Test 1: client = <empty>, select = none
12987 * Test 2: client = foo, select = bar (should fail)
12988 * Test 3: client = foo, select = <empty> (should fail)
12989 */
static int test_alpn(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /* Test 1 offers no protocols at all; every other test offers "foo" */
    const unsigned char *offer = (idx == 1) ? NULL : fooprot;
    unsigned int offerlen = (idx == 1) ? 0 : sizeof(fooprot);
    const unsigned char *prot;
    unsigned int protlen;
    int ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), 0, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The callback reads the test index through the pointer passed here */
    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    /* SSL_set_alpn_protos returns 0 for success! */
    if (!TEST_false(SSL_set_alpn_protos(clientssl, offer, offerlen)))
        goto end;

    if (idx == 2 || idx == 3) {
        /*
         * The callback selects a protocol the client did not offer (test 2)
         * or an empty one (test 3); the handshake must fail in both cases.
         */
        if (TEST_false(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE)))
            ok = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    /* Check what the client sees as the selected protocol */
    SSL_get0_alpn_selected(clientssl, &prot, &protlen);
    if (idx == 0) {
        if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
            goto end;
    } else if (idx == 1) {
        if (!TEST_uint_eq(protlen, 0))
            goto end;
    } else {
        TEST_error("Should not get here");
        goto end;
    }

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return ok;
}
13056
13057 #if !defined(OSSL_NO_USABLE_TLS1_3)
/* Per-endpoint state handed to the crypto_*_cb callbacks through |arg| */
struct quic_tls_test_data {
    /* State of the other endpoint; crypto_send_cb() copies data into it */
    struct quic_tls_test_data *peer;
    /* Index into rcd_data[] that the receive and release callbacks use */
    uint32_t renc_level;
    /* Index into the peer's rcd_data[] that crypto_send_cb() writes to */
    uint32_t wenc_level;
    /* Pending handshake bytes: four buffers of 2048 bytes, chosen by index */
    unsigned char rcd_data[4][2048];
    /* Number of valid bytes in each rcd_data[] buffer */
    size_t rcd_data_len[4];
    /* presumably the read secrets captured per level - set outside this view */
    unsigned char rsecret[3][48];
    size_t rsecret_len[3];
    /* presumably the write secrets captured per level - set outside this view */
    unsigned char wsecret[3][48];
    size_t wsecret_len[3];
    /* NOTE(review): looks like received transport parameters - confirm */
    unsigned char params[3];
    size_t params_len;
    /* Not used by the callbacks visible here */
    int alert;
    /* Set to 1 by a callback when one of its checks fails */
    int err;
    /* When non-zero, crypto_release_rcd_cb() fails once and clears the flag */
    int forcefail;
    /* Not used by the callbacks visible here */
    int sm_count;
};
13075
/*
 * Two distinct objects whose addresses check_app_data() compares with the
 * pointer returned by SSL_get_app_data() for the client and the server.
 */
static int clientquicdata = 0xff, serverquicdata = 0xfe;
13077
/*
 * Check that the app data attached to |s| is the object that belongs to its
 * role: &serverquicdata for a server, &clientquicdata otherwise. The
 * comparison is by address. Returns 1 on a match, else 0.
 */
static int check_app_data(SSL *s)
{
    int *attached = (int *)SSL_get_app_data(s);
    int *wanted = SSL_is_server(s) ? &serverquicdata : &clientquicdata;

    return TEST_true(wanted == attached) ? 1 : 0;
}
13091
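/*
 * Send callback: append up to |buf_len| bytes from |buf| to the peer's
 * receive buffer for this endpoint's current write level. |*consumed| gets
 * the number of bytes taken, which is less than |buf_len| when the buffer is
 * nearly full and 0 when it is full. Returns 1 on success; on a failed check
 * it sets |data->err| and returns 0.
 */
static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
                          size_t *consumed, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
    struct quic_tls_test_data *peer = data->peer;
    uint32_t level = data->wenc_level;
    size_t max_len;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    /*
     * |wenc_level| is set outside this function and selects the destination
     * of the memcpy() below. Reject an index outside rcd_data[], and a fill
     * count beyond the buffer size, which would make the space calculation
     * wrap around.
     */
    if (level >= sizeof(peer->rcd_data) / sizeof(peer->rcd_data[0])
        || peer->rcd_data_len[level] > sizeof(peer->rcd_data[level])) {
        data->err = 1;
        return 0;
    }

    /* Never copy more than the space left in the destination buffer */
    max_len = sizeof(peer->rcd_data[level]) - peer->rcd_data_len[level];
    if (buf_len > max_len)
        buf_len = max_len;

    if (buf_len == 0) {
        *consumed = 0;
        return 1;
    }

    memcpy(peer->rcd_data[level] + peer->rcd_data_len[level], buf, buf_len);
    peer->rcd_data_len[level] += buf_len;

    *consumed = buf_len;
    return 1;
}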
/*
 * Receive callback: expose the bytes buffered for this endpoint's current
 * read level. |*buf| points into |data| itself, so nothing is copied.
 * Returns 1 on success; if the app data check fails it sets |data->err| and
 * returns 0.
 * NOTE(review): |renc_level| is used as an index without a range check here;
 * confirm that whatever sets it keeps it within rcd_data[].
 */
static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
                              size_t *bytes_read, void *arg)
{
    struct quic_tls_test_data *state = (struct quic_tls_test_data *)arg;

    if (check_app_data(s)) {
        *bytes_read = state->rcd_data_len[state->renc_level];
        *buf = state->rcd_data[state->renc_level];
        return 1;
    }

    state->err = 1;
    return 0;
}
13135
/*
 * Release callback: the caller has finished with |bytes_read| bytes of the
 * buffer for the current read level. That count must be non-zero and equal
 * to everything buffered, after which the buffer is marked empty. Returns 1
 * on success; on any failure it sets |data->err| and returns 0.
 */
static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
{
    struct quic_tls_test_data *state = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s))
        goto fail;

    /* A requested failure happens once; the flag is cleared as it is used */
    if (state->forcefail) {
        state->forcefail = 0;
        goto fail;
    }

    if (!TEST_size_t_eq(bytes_read, state->rcd_data_len[state->renc_level])
        || !TEST_size_t_gt(bytes_read, 0))
        goto fail;

    state->rcd_data_len[state->renc_level] = 0;
    return 1;

fail:
    state->err = 1;
    return 0;
}
13161
/*
 * One entry in the log of secrets handed to yield_secret_cb(): which SSL
 * object received a secret, for which protection level and direction, and in
 * which state machine iteration.
 */
struct secret_yield_entry {
    uint8_t recorded; /* 1 once yield_secret_cb() has filled this slot */
    int prot_level; /* protection level the secret was yielded for */
    int direction; /* 0 = read, 1 = write, as passed to yield_secret_cb() */
    int sm_generation; /* the endpoint's sm_count when the secret arrived */
    SSL *ssl; /* connection the secret was yielded to */
};

/*
 * Log shared by both endpoints of a test connection, and the index of the
 * next free slot. The tests zero both before each connection they inspect.
 * NOTE(review): the array has a fixed capacity of 16, so every writer and
 * reader has to keep its index below that.
 */
static struct secret_yield_entry secret_history[16];
static int secret_history_idx = 0;
/*
 * Note, this enum needs to match the direction values passed
 * to yield_secret_cb
 */
typedef enum {
    LAST_DIR_READ = 0,
    LAST_DIR_WRITE = 1,
    LAST_DIR_UNSET = 2 /* no entry seen yet for the SSL object being checked */
} last_dir_history_state;
13181
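/*
 * Walk the recorded secret history for |s| and check the ordering of the
 * secrets it was given: at any one protection level a read secret must not
 * be yielded before the write secret, unless both arrived in the same state
 * machine iteration.
 *
 * The walk stops at the first unrecorded slot or at the end of the array,
 * whichever comes first, so a completely full log is never read past its
 * last element.
 *
 * Returns 1 if the ordering is acceptable, 0 otherwise.
 */
static int check_secret_history(SSL *s)
{
    const size_t capacity = sizeof(secret_history) / sizeof(secret_history[0]);
    size_t i;
    int ret = 0;
    last_dir_history_state last_state = LAST_DIR_UNSET;
    int last_prot_level = 0;
    int last_generation = 0;

    TEST_info("Checking history for %p\n", (void *)s);
    for (i = 0; i < capacity && secret_history[i].recorded == 1; i++) {
        const struct secret_yield_entry *entry = &secret_history[i];

        /* The log is shared by both endpoints; skip the other one's entries */
        if (entry->ssl != s)
            continue;
        TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
                  entry->direction == 1 ? "Write" : "Read", entry->direction,
                  entry->prot_level, last_prot_level, last_state,
                  entry->sm_generation);

        /* The first entry for this SSL object has nothing to compare with */
        if (last_state != LAST_DIR_UNSET) {
            switch (entry->direction) {
            case LAST_DIR_WRITE:
                /*
                 * write case
                 * NOTE: There is an odd corner case here. It may occur that
                 * in a single iteration of the state machine, the read key is
                 * yielded prior to the write key for the same level. This is
                 * undesirable for quic, but it is ok, as the general
                 * implementation of every 3rd party quic stack while
                 * preferring write keys before read, allows for read before
                 * write if both keys are yielded in the same call to
                 * SSL_do_handshake, as the tls adaptation code for that quic
                 * stack can then cache keys until both are available, so we
                 * allow read before write here iff they occur in the same
                 * iteration of SSL_do_handshake as represented by the recorded
                 * sm_generation value.
                 */
                if (last_prot_level == entry->prot_level
                        && last_state == LAST_DIR_READ) {
                    if (last_generation != entry->sm_generation) {
                        TEST_error("Got read key before write key");
                        goto end;
                    }
                    TEST_info("Read before write key in same SSL state machine iteration is ok");
                }
                break;
            case LAST_DIR_READ:
                /* Read case: no ordering constraint to check */
                break;
            default:
                TEST_error("Unknown direction");
                goto end;
            }
        }

        last_prot_level = entry->prot_level;
        last_state = (last_dir_history_state)entry->direction;
        last_generation = entry->sm_generation;
    }

    ret = 1;
end:
    return ret;
}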
13249
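/*
 * YIELD_SECRET callback: store the traffic secret for |prot_level| and
 * |direction| (0 = read, 1 = write) in the endpoint's test data, update the
 * current read or write level, and append an entry to secret_history.
 *
 * Three bounds are enforced before anything is written:
 *  - |prot_level| must lie between the EARLY and APPLICATION levels, since
 *    prot_level - 1 is used as an array index;
 *  - the history log must still have a free slot;
 *  - |secret_len| must fit the single destination row being written, not
 *    just the whole rsecret/wsecret array.
 *
 * Returns 1 on success. On any failure data->err is set and 0 is returned.
 */
static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
                           const unsigned char *secret, size_t secret_len,
                           void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
    const size_t capacity = sizeof(secret_history) / sizeof(secret_history[0]);

    if (!check_app_data(s))
        goto err;

    if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
            || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        goto err;

    /* Refuse to record past the end of the fixed-size history log */
    if ((size_t)secret_history_idx >= capacity)
        goto err;

    switch (direction) {
    case 0: /* read */
        if (!TEST_size_t_le(secret_len, sizeof(data->rsecret[prot_level - 1])))
            goto err;
        data->renc_level = prot_level;
        memcpy(data->rsecret[prot_level - 1], secret, secret_len);
        data->rsecret_len[prot_level - 1] = secret_len;
        break;

    case 1: /* write */
        if (!TEST_size_t_le(secret_len, sizeof(data->wsecret[prot_level - 1])))
            goto err;
        data->wenc_level = prot_level;
        memcpy(data->wsecret[prot_level - 1], secret, secret_len);
        data->wsecret_len[prot_level - 1] = secret_len;
        break;

    default:
        goto err;
    }

    secret_history[secret_history_idx].direction = direction;
    secret_history[secret_history_idx].prot_level = (int)prot_level;
    secret_history[secret_history_idx].recorded = 1;
    secret_history[secret_history_idx].ssl = s;
    secret_history[secret_history_idx].sm_generation = data->sm_count;
    secret_history_idx++;
    return 1;
err:
    data->err = 1;
    return 0;
}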
13295
/*
 * YIELD_SECRET callback that always reports failure and touches nothing.
 * It is installed to drive the QUIC TLS code down its error path, so that a
 * double free during that cleanup would show up in the test run.
 */
static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
                                const unsigned char *secret, size_t secret_len,
                                void *arg)
{
    /* All arguments are deliberately ignored */
    (void)arg;
    (void)secret_len;
    (void)secret;
    (void)direction;
    (void)prot_level;
    (void)s;

    return 0;
}
13311
/*
 * GOT_TRANSPORT_PARAMS callback: keep a copy of the peer's transport
 * parameters in the endpoint's test data. The length is checked against the
 * size of the destination buffer before the copy.
 *
 * Returns 1 on success, or 0 with data->err set if the app data check fails
 * or the parameters do not fit.
 */
static int got_transport_params_cb(SSL *s, const unsigned char *params,
                                   size_t params_len,
                                   void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s)
            || !TEST_size_t_le(params_len, sizeof(data->params))) {
        data->err = 1;
        return 0;
    }

    data->params_len = params_len;
    memcpy(data->params, params, params_len);

    return 1;
}
13333
/*
 * ALERT callback: note that an alert was raised on this endpoint. The alert
 * code itself is not stored; the tests only check whether any alert occurred.
 *
 * Returns 1 on success, or 0 with data->err set if the app data check fails.
 */
static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (check_app_data(s)) {
        data->alert = 1;
        return 1;
    }

    data->err = 1;
    return 0;
}
13346
/* Extension id reserved for private use by IANA */
#define TEST_TLS_EXTENSION_ID 65282

/*
 * Invocation counters for the old style custom extension callbacks below.
 * add_old_ext() and parse_old_ext() increment them; the test resets them
 * before the handshake it wants to measure.
 */
static int add_ext_cb_called = 0;
static int parse_ext_cb_called = 0;
13352
/*
 * Old style custom extension "add" callback: emit a one byte payload (0xff)
 * and count the call. The byte has static storage, so the pointer stays
 * valid after return and the matching free callback has nothing to release.
 *
 * Always returns 1.
 */
static int add_old_ext(SSL *s, unsigned int ext_type,
                       const unsigned char **out, size_t *outlen,
                       int *al, void *add_arg)
{
    static const unsigned char payload = 0xff;

    add_ext_cb_called++;
    *outlen = sizeof(payload);
    *out = &payload;
    return 1;
}
13364
/*
 * Old style custom extension "free" callback. The payload produced by
 * add_old_ext() is a static object, so there is nothing to free here.
 */
static void free_old_ext(SSL *s, unsigned int ext_type,
                         const unsigned char *out, void *add_arg)
{
    /* Intentionally empty */
}
13370
/*
 * Old style custom extension "parse" callback: count the call and accept
 * only the exact one byte payload (0xff) that add_old_ext() sends. The
 * length is tested before the byte is read.
 *
 * Returns 1 if the payload matches; otherwise sets |*al| to
 * SSL_AD_DECODE_ERROR and returns 0.
 */
static int parse_old_ext(SSL *s, unsigned int ext_type,
                         const unsigned char *in, size_t inlen,
                         int *al, void *parse_arg)
{
    parse_ext_cb_called++;

    if (inlen == 1 && *in == 0xff)
        return 1;

    *al = SSL_AD_DECODE_ERROR;
    return 0;
}
13382
/*
 * Test the QUIC TLS API
 * Test 0: Normal run
 * Test 1: Force a failure
 * Test 2: Use a CCM based ciphersuite
 * Test 3: Normal run (no special handling for this index)
 * Test 4: Make yield_secret_cb fail to check for a double free
 * Test 5: Normal run with SNI
 */
static int test_quic_tls(int idx)
{
    SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    /*
     * Callback table installed on both endpoints with SSL_set_quic_tls_cbs().
     * The idx == 4 case below overwrites qtdis[3], so the YIELD_SECRET entry
     * has to stay at index 3.
     */
    OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    /* Per-endpoint state passed to every callback as its |arg| */
    struct quic_tls_test_data sdata, cdata;
    /*
     * Placeholder transport parameters. The client and server values differ
     * in their first byte, so the check further down can tell whether each
     * side received the other side's bytes.
     */
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;

    /* Test 4: swap in the yield-secret callback that always fails */
    if (idx == 4)
        qtdis[3].function = (void (*)(void))yield_secret_cb_fail;

    /* Reset all state shared with the callbacks before this run */
    snicb = 0;
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;
    memset(&sdata, 0, sizeof(sdata));
    memset(&cdata, 0, sizeof(cdata));
    /* crypto_send_cb() writes into the peer's receive buffers */
    sdata.peer = &cdata;
    cdata.peer = &sdata;
    /* Test 1: make the server's release callback fail once */
    if (idx == 1)
        sdata.forcefail = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    if (idx == 5) {
        static int dummy = 1;

        /* Second server context, handed to the SNI callback as its argument */
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
                                           TLS1_3_VERSION, 0,
                                           &sctx2, NULL, cert, privkey)))
            goto end;

        /*
         * We add an old style custom extension to ensure that it gets correctly
         * handled when we copy QUIC's connection specific custom extensions.
         */
        add_ext_cb_called = 0;
        parse_ext_cb_called = 0;
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx,
                                                     TEST_TLS_EXTENSION_ID,
                                                     add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx,
                                                     TEST_TLS_EXTENSION_ID,
                                                     add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx2,
                                                     TEST_TLS_EXTENSION_ID,
                                                     add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;

        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
                || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
    SSL_set_bio(serverssl, NULL, NULL);
    SSL_set_bio(clientssl, NULL, NULL);

    if (idx == 2) {
        if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
                || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    /* Markers that check_app_data() looks for inside every callback */
    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
            || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
        goto end;

    if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
            || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
            || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
                                                            sizeof(cparams)))
            || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
                                                            sizeof(sparams))))
        goto end;

    /*
     * The sm_count fields are passed to the helper by address and later
     * copied into the secret history as sm_generation.
     * NOTE(review): presumably the helper advances them once per handshake
     * iteration - confirm in ssltestlib.
     */
    if (idx != 1 && idx != 4) {
        if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                                                &cdata.sm_count, &sdata.sm_count)))
            goto end;
    } else {
        /* We expect this connection to fail */
        if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                                                 &cdata.sm_count, &sdata.sm_count)))
            goto end;
        testresult = 1;
        /*
         * The forced failure in crypto_release_rcd_cb() sets sdata.err. Clear
         * it so that the check after cleanup only reports errors raised
         * while the SSL objects are being freed.
         */
        sdata.err = 0;
        goto end;
    }

    /* We should have had the SNI callback called exactly once */
    if (idx == 5) {
        if (!TEST_int_eq(snicb, 1))
            goto end;
    }

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
            || !TEST_false(cdata.alert)
            || !TEST_false(sdata.err)
            || !TEST_false(cdata.err))
        goto end;

    /*
     * Check the secrets all match. Only the server's write secrets are
     * compared with the client's read secrets here; the indices are
     * protection level minus one, as stored by yield_secret_cb().
     */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
         i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
         i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                         cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    /*
     * Check that our secret history yields write secrets before read secrets
     */
    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params: each side must hold the other side's */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
            || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
                            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /*
     * We only expect the add cb to have actually been called because we are
     * using the old style callbacks that only apply to TLSv1.2. Since we are
     * using TLSv1.3 here, the add will be called for the ClientHello but
     * nothing else.
     */
    if (idx == 5) {
        if (!TEST_int_eq(add_ext_cb_called, 1)
                || !TEST_int_eq(parse_ext_cb_called, 0))
            goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    /* Check that we didn't suddenly hit an unexpected failure during cleanup */
    if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
        testresult = 0;

    return testresult;
}
13578
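/*
 * Message callback that records, in the end_of_early_data flag, whether an
 * EndOfEarlyData handshake message was seen in either direction. Despite the
 * name it does not assert anything itself; the test inspects the flag after
 * the handshake.
 *
 * The first byte of |buf| is only read when the buffer is present and
 * non-empty, so a zero length handshake callback cannot cause a read outside
 * the buffer.
 */
static void assert_no_end_of_early_data(int write_p, int version, int content_type,
                                        const void *buf, size_t msglen, SSL *ssl, void *arg)
{
    const unsigned char *msg = buf;

    if (content_type != SSL3_RT_HANDSHAKE || msg == NULL || msglen == 0)
        return;

    /* The first byte of a handshake message is its message type */
    if (msg[0] == SSL3_MT_END_OF_EARLY_DATA)
        end_of_early_data = 1;
}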
13587
/*
 * Test early data (0-RTT) through the QUIC TLS callback API. A session is
 * first obtained over an ordinary TLSv1.3 connection, then resumed on a
 * second pair of SSL objects that use the QUIC TLS callbacks with early data
 * enabled. The test checks the protection levels after the first flights and
 * after the full handshake, the secrets, the secret ordering, the transport
 * parameters, and that no EndOfEarlyData message was seen.
 */
static int test_quic_tls_early_data(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    /* Callback table installed on both endpoints for the second connection */
    const OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    /* Per-endpoint state passed to every callback as its |arg| */
    struct quic_tls_test_data sdata, cdata;
    /* Placeholder transport parameters; the two sides differ in byte 0 */
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;

    /* Reset all state shared with the callbacks before this run */
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;
    memset(&sdata, 0, sizeof(sdata));
    memset(&cdata, 0, sizeof(cdata));
    sdata.peer = &cdata;
    cdata.peer = &sdata;
    end_of_early_data = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_3_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Allow the largest possible amount of early data on both contexts */
    SSL_CTX_set_max_early_data(sctx, 0xffffffff);
    SSL_CTX_set_max_early_data(cctx, 0xffffffff);

    /* First connection: no QUIC callbacks, only used to obtain a session */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Take our own reference to the session, then discard the connection */
    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Second connection: resume the saved session */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
    SSL_set_bio(serverssl, NULL, NULL);
    SSL_set_bio(clientssl, NULL, NULL);

    /* Markers that check_app_data() looks for inside every callback */
    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
            || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
        goto end;

    if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
            || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
            || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
                                                            sizeof(cparams)))
            || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
                                                            sizeof(sparams))))
        goto end;

    /*
     * Reset our secret history so we get the record of the second connection
     */
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;

    SSL_set_quic_tls_early_data_enabled(serverssl, 1);
    SSL_set_quic_tls_early_data_enabled(clientssl, 1);

    /* Watch both directions for an EndOfEarlyData handshake message */
    SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
    SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);

    /*
     * One step on each side: neither handshake can complete yet, so both
     * calls return -1 with SSL_ERROR_WANT_READ, but the server must already
     * report that it accepted early data.
     */
    if (!TEST_int_eq(SSL_connect(clientssl), -1)
            || !TEST_int_eq(SSL_accept(serverssl), -1)
            || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
            || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
            || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * Check the encryption levels are what we expect them to be: the client
     * has only been given its early data write secret, while the server has
     * already moved its write side to the application level.
     */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
            || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
            || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
        goto end;

    /*
     * Restart the iteration counters before finishing the handshake.
     * NOTE(review): secrets recorded during the two calls above carry
     * sm_generation 0 as well - confirm that this does not weaken the "same
     * iteration" exception in check_secret_history().
     */
    sdata.sm_count = 0;
    cdata.sm_count = 0;
    if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                                            &cdata.sm_count, &sdata.sm_count)))
        goto end;

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
            || !TEST_false(cdata.alert)
            || !TEST_false(sdata.err)
            || !TEST_false(cdata.err))
        goto end;

    /* Check the secrets all match (server write against client read) */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
         i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
         i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                         cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params: each side must hold the other side's */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
            || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
                            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
            || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /*
     * Check there is no EndOfEarlyData in the handshake. QUIC does not use
     * that message (RFC 9001, section 8.3).
     */
    if (!TEST_int_eq(end_of_early_data, 0))
        goto end;

    testresult = 1;
end:
    SSL_SESSION_free(sess);
    /*
     * clientpsk and serverpsk are file-level session pointers defined outside
     * this function; they are released and cleared here as well.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
13750 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
13751
/*
 * Test that a server with SSL_OP_NO_RENEGOTIATION set refuses a client
 * initiated renegotiation, and that the client then fails the connection
 * with the SSL_R_NO_RENEGOTIATION reason code.
 * Test 0: TLSv1.2
 * Any other index: DTLSv1.2
 * The test is skipped when the selected protocol is disabled in this build.
 */
static int test_no_renegotiation(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0, ret;
    int max_proto;
    const SSL_METHOD *sm, *cm;
    unsigned char buf[5];

    /* The maximum version is capped at 1.2 for both protocol families */
    if (idx == 0) {
#ifndef OPENSSL_NO_TLS1_2
        max_proto = TLS1_2_VERSION;
        sm = TLS_server_method();
        cm = TLS_client_method();
#else
        return TEST_skip("TLSv1.2 is disabled in this build");
#endif
    } else {
#ifndef OPENSSL_NO_DTLS1_2
        max_proto = DTLS1_2_VERSION;
        sm = DTLS_server_method();
        cm = DTLS_client_method();
#else
        return TEST_skip("DTLSv1.2 is disabled in this build");
#endif
    }
    if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* Only the server refuses renegotiation; the client still tries it */
    SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Start a renegotiation from the client; it now waits for the server */
    if (!TEST_true(SSL_renegotiate(clientssl))
            || !TEST_int_le(ret = SSL_connect(clientssl), 0)
            || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * We've not sent any application data, so we expect this to fail. It should
     * also read the renegotiation attempt, and send back a no_renegotiation
     * warning alert because we have renegotiation disabled.
     */
    if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * The client should now see the no_renegotiation warning and fail the
     * connection
     */
    if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
            || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
            || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
13824
13825 #if defined(DO_SSL_TRACE_TEST)
/*
 * Tests that the SSL_trace() msg_callback works as expected with PQ groups.
 */
static int test_ssl_trace(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    BIO *bio = NULL;
    char *reffile = NULL;
    /* Group preference list used by both sides; ML-KEM and hybrids come first */
    char *grouplist = "MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768"
                      ":SecP384r1MLKEM1024:secp521r1:secp384r1:secp256r1";

    if (!fips_provider_version_ge(libctx, 3, 5, 0))
        return TEST_skip("FIPS provider does not support MLKEM algorithms");

    /*
     * Pin the protocol version and ciphersuite on both sides.
     * NOTE(review): presumably this keeps the trace stable enough to compare
     * with a stored reference file - confirm.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_3_VERSION, TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey))
            || !TEST_ptr(bio = BIO_new(BIO_s_mem()))
            || !TEST_true(SSL_CTX_set1_groups_list(sctx, grouplist))
            || !TEST_true(SSL_CTX_set1_groups_list(cctx, grouplist))
            || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                   "TLS_AES_128_GCM_SHA256"))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                                   "TLS_AES_128_GCM_SHA256"))
#ifdef SSL_OP_LEGACY_EC_POINT_FORMATS
            || !TEST_true(SSL_CTX_set_options(cctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
            || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
#endif
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL)))
        goto err;

    /* Trace the client side only, writing the output into the memory BIO */
    SSL_set_msg_callback(clientssl, SSL_trace);
    SSL_set_msg_callback_arg(clientssl, bio);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto err;

    /* Skip the comparison of the trace when the fips provider is used. */
    if (is_fips) {
        /* Check whether there was something written. */
        if (!TEST_int_gt(BIO_pending(bio), 0))
            goto err;
    } else {

        /* A separate reference file is used when zlib support is built in */
#ifdef OPENSSL_NO_ZLIB
        reffile = test_mk_file_path(datadir, "ssltraceref.txt");
#else
        reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt");
#endif
        if (!TEST_true(compare_with_reference_file(bio, reffile)))
            goto err;
    }

    testresult = 1;
err:
    BIO_free(bio);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OPENSSL_free(reffile);

    return testresult;
}
13894 #endif
13895
13896 /*
13897 * Test that SSL_CTX_set1_groups() when called with a list where the first
13898 * entry is unsupported, will send a key_share that uses the next usable entry.
13899 */
static int test_ssl_set_groups_unsupported_keyshare(int idx)
{
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
    int passed = 0;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /*
     * Client group list handed to SSL_CTX_set1_groups(). The head of the
     * list is the entry the test expects to be unusable for a key_share.
     */
    int client_groups[] = {
        NID_brainpoolP256r1tls13,
        NID_sect163k1,
        NID_secp384r1,
        NID_ffdhe2048,
    };

    /* Index 1 puts a GOST parameter set at the head of the list instead */
    if (idx == 1) {
        if (sizeof(unsigned long) == 4)
            return TEST_skip("SSL_CTX_set1_groups() is broken on 32-bit systems with TLS"
                             " group IDs > 0x20, see https://github.com/openssl/openssl/issues/29196");
        client_groups[0] = NID_id_tc26_gost_3410_2012_512_paramSetC;
    }

    /* The handshake has to succeed despite the unusable first entry */
    if (!TEST_true(create_ssl_ctx_pair(libctx,
                                       TLS_server_method(),
                                       TLS_client_method(),
                                       0, 0,
                                       &sctx,
                                       &cctx,
                                       cert,
                                       privkey))
            || !TEST_true(SSL_CTX_set1_groups(cctx,
                                              client_groups,
                                              OSSL_NELEM(client_groups)))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                             NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto cleanup;

    passed = 1;
cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return passed;
#else /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
    return TEST_skip("No EC and DH support.");
#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
}
13957
13958 /*
13959 * Test that if we attempt to send HTTP to a TLS server that we get the expected
13960 * failure reason code.
13961 */
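static int test_http_verbs(int idx)
{
    SSL_CTX *sctx = NULL;
    SSL *serverssl = NULL;
    int testresult = 0;
    const char *verbs[] = { "GET", "POST", "HEAD" };
    const char *http_trailer = " / HTTP/1.0\r\n\r\n";
    BIO *b = BIO_new(BIO_s_mem());

    /* Report an allocation failure directly instead of via a failed write */
    if (!TEST_ptr(b))
        goto end;

    /* |idx| selects the verb; reject anything outside the table */
    if (!TEST_true((unsigned int)idx < OSSL_NELEM(verbs)))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       NULL, 0, 0, &sctx, NULL, cert, privkey)))
        goto end;

    serverssl = SSL_new(sctx);
    if (!TEST_ptr(serverssl))
        goto end;

    /* Queue a plaintext HTTP request line where a ClientHello is expected */
    if (!TEST_int_gt(BIO_write(b, verbs[idx], (int)strlen(verbs[idx])), 0))
        goto end;
    if (!TEST_int_gt(BIO_write(b, http_trailer, (int)strlen(http_trailer)), 0))
        goto end;
    /*
     * The SSL object owns the BIO from here on, so drop our pointer to keep
     * the BIO_free() in the cleanup path from freeing it a second time.
     */
    SSL_set_bio(serverssl, b, b);
    b = NULL;

    /* Start from an empty error queue so the reason read below is ours */
    ERR_clear_error();
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_HTTP_REQUEST))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_CTX_free(sctx);
    BIO_free(b);

    return testresult;
}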
14003
/*
 * Usage text for the positional arguments of this test program.
 * NOTE(review): setup_tests() reads argument 0 as a certificate directory
 * (certsdir), then srpvfile, tmpfile, provider, config and dhfile, and reads
 * a seventh argument as datadir without requiring it. The "certfile
 * privkeyfile" wording below looks stale - confirm against the test recipe.
 */
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
14005
setup_tests(void)14006 int setup_tests(void)
14007 {
14008 char *modulename;
14009 char *configfile;
14010
14011 libctx = OSSL_LIB_CTX_new();
14012 if (!TEST_ptr(libctx))
14013 return 0;
14014
14015 defctxnull = OSSL_PROVIDER_load(NULL, "null");
14016
14017 /*
14018 * Verify that the default and fips providers in the default libctx are not
14019 * available
14020 */
14021 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
14022 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
14023 return 0;
14024
14025 if (!test_skip_common_options()) {
14026 TEST_error("Error parsing test options\n");
14027 return 0;
14028 }
14029
14030 if (!TEST_ptr(certsdir = test_get_argument(0))
14031 || !TEST_ptr(srpvfile = test_get_argument(1))
14032 || !TEST_ptr(tmpfilename = test_get_argument(2))
14033 || !TEST_ptr(modulename = test_get_argument(3))
14034 || !TEST_ptr(configfile = test_get_argument(4))
14035 || !TEST_ptr(dhfile = test_get_argument(5)))
14036 return 0;
14037
14038 datadir = test_get_argument(6);
14039
14040 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
14041 return 0;
14042
14043 /* Check we have the expected provider available */
14044 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
14045 return 0;
14046
14047 /* Check the default provider is not available */
14048 if (strcmp(modulename, "default") != 0
14049 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
14050 return 0;
14051
14052 if (strcmp(modulename, "fips") == 0) {
14053 OSSL_PROVIDER *prov = NULL;
14054 OSSL_PARAM params[2];
14055
14056 is_fips = 1;
14057
14058 prov = OSSL_PROVIDER_load(libctx, "fips");
14059 if (prov != NULL) {
14060 /* Query the fips provider to check if the check ems option is enabled */
14061 params[0] = OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
14062 &fips_ems_check);
14063 params[1] = OSSL_PARAM_construct_end();
14064 OSSL_PROVIDER_get_params(prov, params);
14065 OSSL_PROVIDER_unload(prov);
14066 }
14067 }
14068
14069 /*
14070 * We add, but don't load the test "tls-provider". We'll load it when we
14071 * need it.
14072 */
14073 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
14074 tls_provider_init)))
14075 return 0;
14076
14077 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
14078 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
14079 TEST_error("not supported in this build");
14080 return 0;
14081 #else
14082 int i, mcount, rcount, fcount;
14083
14084 for (i = 0; i < 4; i++)
14085 test_export_key_mat(i);
14086 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
14087 test_printf_stdout("malloc %d realloc %d free %d\n",
14088 mcount, rcount, fcount);
14089 return 1;
14090 #endif
14091 }
14092
14093 cert = test_mk_file_path(certsdir, "servercert.pem");
14094 if (cert == NULL)
14095 goto err;
14096
14097 privkey = test_mk_file_path(certsdir, "serverkey.pem");
14098 if (privkey == NULL)
14099 goto err;
14100
14101 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
14102 if (cert2 == NULL)
14103 goto err;
14104
14105 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
14106 if (privkey2 == NULL)
14107 goto err;
14108
14109 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
14110 if (cert1024 == NULL)
14111 goto err;
14112
14113 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
14114 if (privkey1024 == NULL)
14115 goto err;
14116
14117 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
14118 if (cert3072 == NULL)
14119 goto err;
14120
14121 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
14122 if (privkey3072 == NULL)
14123 goto err;
14124
14125 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
14126 if (cert4096 == NULL)
14127 goto err;
14128
14129 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
14130 if (privkey4096 == NULL)
14131 goto err;
14132
14133 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
14134 if (cert8192 == NULL)
14135 goto err;
14136
14137 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
14138 if (privkey8192 == NULL)
14139 goto err;
14140
14141 if (fips_ems_check) {
14142 #ifndef OPENSSL_NO_TLS1_2
14143 ADD_TEST(test_no_ems);
14144 #endif
14145 return 1;
14146 }
14147 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
14148 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
14149 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
14150 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
14151 #endif
14152 #ifndef OSSL_NO_USABLE_TLS1_3
14153 ADD_TEST(test_ktls_moving_write_buffer);
14154 #endif
14155 #endif
14156 ADD_TEST(test_large_message_tls);
14157 ADD_TEST(test_large_message_tls_read_ahead);
14158 #ifndef OPENSSL_NO_DTLS
14159 ADD_TEST(test_large_message_dtls);
14160 #endif
14161 ADD_ALL_TESTS(test_large_app_data, 28);
14162 ADD_TEST(test_cleanse_plaintext);
14163 #ifndef OPENSSL_NO_OCSP
14164 ADD_TEST(test_tlsext_status_type);
14165 #endif
14166 ADD_TEST(test_session_with_only_int_cache);
14167 ADD_TEST(test_session_with_only_ext_cache);
14168 ADD_TEST(test_session_with_both_cache);
14169 ADD_TEST(test_session_wo_ca_names);
14170 #ifndef OSSL_NO_USABLE_TLS1_3
14171 ADD_ALL_TESTS(test_stateful_tickets, 3);
14172 ADD_ALL_TESTS(test_stateless_tickets, 3);
14173 ADD_TEST(test_psk_tickets);
14174 ADD_ALL_TESTS(test_extra_tickets, 6);
14175 #endif
14176 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
14177 ADD_TEST(test_ssl_bio_pop_next_bio);
14178 ADD_TEST(test_ssl_bio_pop_ssl_bio);
14179 ADD_TEST(test_ssl_bio_change_rbio);
14180 ADD_TEST(test_ssl_bio_change_wbio);
14181 ADD_TEST(test_ssl_set_wbio_chain_no_leak);
14182 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
14183 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
14184 ADD_TEST(test_keylog);
14185 #endif
14186 #ifndef OSSL_NO_USABLE_TLS1_3
14187 ADD_TEST(test_keylog_no_master_key);
14188 #endif
14189 ADD_TEST(test_client_cert_verify_cb);
14190 ADD_TEST(test_ssl_build_cert_chain);
14191 ADD_TEST(test_ssl_ctx_build_cert_chain);
14192 #ifndef OPENSSL_NO_TLS1_2
14193 ADD_TEST(test_client_hello_cb);
14194 ADD_TEST(test_no_ems);
14195 ADD_TEST(test_ccs_change_cipher);
14196 #endif
14197 #ifndef OSSL_NO_USABLE_TLS1_3
14198 ADD_ALL_TESTS(test_early_data_read_write, 6);
14199 /*
14200 * We don't do replay tests for external PSK. Replay protection isn't used
14201 * in that scenario.
14202 */
14203 ADD_ALL_TESTS(test_early_data_replay, 2);
14204 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
14205 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
14206 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
14207 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
14208 ADD_ALL_TESTS(test_early_data_not_sent, 3);
14209 ADD_ALL_TESTS(test_early_data_psk, 8);
14210 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
14211 ADD_ALL_TESTS(test_early_data_not_expected, 3);
14212 #ifndef OPENSSL_NO_TLS1_2
14213 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
14214 #endif
14215 #endif
14216 #ifndef OSSL_NO_USABLE_TLS1_3
14217 ADD_ALL_TESTS(test_set_ciphersuite, 10);
14218 ADD_TEST(test_ciphersuite_change);
14219 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
14220 #ifdef OPENSSL_NO_PSK
14221 ADD_ALL_TESTS(test_tls13_psk, 1);
14222 #else
14223 ADD_ALL_TESTS(test_tls13_psk, 4);
14224 #endif /* OPENSSL_NO_PSK */
14225 #ifndef OSSL_NO_USABLE_TLS1_3
14226 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
14227 #endif /* OSSL_NO_USABLE_TLS1_3 */
14228 #ifndef OPENSSL_NO_TLS1_2
14229 /* Test with both TLSv1.3 and 1.2 versions */
14230 ADD_ALL_TESTS(test_key_exchange, 21);
14231 #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
14232 ADD_ALL_TESTS(test_negotiated_group,
14233 4 * (OSSL_NELEM(ecdhe_kexch_groups) + OSSL_NELEM(ffdhe_kexch_groups)));
14234 #endif
14235 #else
14236 /* Test with only TLSv1.3 versions */
14237 ADD_ALL_TESTS(test_key_exchange, 18);
14238 #endif
14239 ADD_ALL_TESTS(test_custom_exts, 6);
14240 ADD_TEST(test_stateless);
14241 ADD_TEST(test_pha_key_update);
14242 #else
14243 ADD_ALL_TESTS(test_custom_exts, 3);
14244 #endif
14245 ADD_ALL_TESTS(test_export_key_mat, 6);
14246 #ifndef OSSL_NO_USABLE_TLS1_3
14247 ADD_ALL_TESTS(test_export_key_mat_early, 3);
14248 ADD_TEST(test_key_update);
14249 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
14250 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
14251 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
14252 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
14253 #endif
14254 ADD_ALL_TESTS(test_ssl_clear, 8);
14255 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
14256 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
14257 ADD_ALL_TESTS(test_srp, 6);
14258 #endif
14259 #if !defined(OPENSSL_NO_COMP_ALG)
14260 /* Add compression case */
14261 ADD_ALL_TESTS(test_info_callback, 8);
14262 #else
14263 ADD_ALL_TESTS(test_info_callback, 6);
14264 #endif
14265 ADD_ALL_TESTS(test_ssl_pending, 2);
14266 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
14267 ADD_ALL_TESTS(test_ticket_callbacks, 20);
14268 ADD_TEST(test_ticket_abort_session_leak);
14269 ADD_ALL_TESTS(test_shutdown, 7);
14270 ADD_TEST(test_async_shutdown);
14271 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
14272 ADD_ALL_TESTS(test_cert_cb, 6);
14273 ADD_ALL_TESTS(test_client_cert_cb, 2);
14274 ADD_ALL_TESTS(test_ca_names, 3);
14275 #ifndef OPENSSL_NO_TLS1_2
14276 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
14277 #endif
14278 ADD_ALL_TESTS(test_servername, 10);
14279 ADD_TEST(test_unknown_sigalgs_groups);
14280 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
14281 ADD_TEST(test_configuration_of_groups);
14282 #endif
14283 #if !defined(OPENSSL_NO_EC) \
14284 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
14285 ADD_ALL_TESTS(test_sigalgs_available, 6);
14286 #endif
14287 #ifndef OPENSSL_NO_TLS1_3
14288 ADD_ALL_TESTS(test_pluggable_group, 2);
14289 ADD_ALL_TESTS(test_pluggable_signature, 6);
14290 #endif
14291 #ifndef OPENSSL_NO_TLS1_2
14292 ADD_TEST(test_ssl_dup);
14293 ADD_ALL_TESTS(test_session_secret_cb, 2);
14294 #ifndef OPENSSL_NO_DH
14295 ADD_ALL_TESTS(test_set_tmp_dh, 11);
14296 ADD_ALL_TESTS(test_dh_auto, 7);
14297 #endif
14298 #endif
14299 #ifndef OSSL_NO_USABLE_TLS1_3
14300 ADD_TEST(test_sni_tls13);
14301 ADD_ALL_TESTS(test_ticket_lifetime, 2);
14302 #endif
14303 ADD_TEST(test_inherit_verify_param);
14304 ADD_TEST(test_set_alpn);
14305 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
14306 ADD_TEST(test_set_verify_cert_store_ssl);
14307 ADD_ALL_TESTS(test_session_timeout, 1);
14308 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
14309 ADD_ALL_TESTS(test_session_cache_overflow, 4);
14310 #endif
14311 ADD_TEST(test_load_dhfile);
14312 #ifndef OSSL_NO_USABLE_TLS1_3
14313 ADD_TEST(test_read_ahead_key_change);
14314 ADD_ALL_TESTS(test_tls13_record_padding, 6);
14315 #endif
14316 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
14317 ADD_ALL_TESTS(test_serverinfo_custom, 4);
14318 #endif
14319 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
14320 ADD_ALL_TESTS(test_pipelining, 7);
14321 #endif
14322 ADD_ALL_TESTS(test_version, 6);
14323 ADD_TEST(test_rstate_string);
14324 ADD_ALL_TESTS(test_handshake_retry, 16);
14325 ADD_TEST(test_data_retry);
14326 ADD_ALL_TESTS(test_multi_resume, 5);
14327 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
14328 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
14329 ADD_ALL_TESTS(test_npn, 5);
14330 #endif
14331 ADD_ALL_TESTS(test_alpn, 4);
14332 #if !defined(OSSL_NO_USABLE_TLS1_3)
14333 ADD_ALL_TESTS(test_quic_tls, 6);
14334 ADD_TEST(test_quic_tls_early_data);
14335 #endif
14336 ADD_ALL_TESTS(test_no_renegotiation, 2);
14337 #if defined(DO_SSL_TRACE_TEST)
14338 if (datadir != NULL)
14339 ADD_TEST(test_ssl_trace);
14340 #endif
14341 ADD_ALL_TESTS(test_ssl_set_groups_unsupported_keyshare, 2);
14342 ADD_ALL_TESTS(test_http_verbs, 3);
14343 return 1;
14344
14345 err:
14346 OPENSSL_free(cert);
14347 OPENSSL_free(privkey);
14348 OPENSSL_free(cert2);
14349 OPENSSL_free(privkey2);
14350 return 0;
14351 }
14352
/*
 * Teardown hook for this test program: releases the file-scope objects it
 * holds, in the same order as before.
 *
 * The certificate and key path strings freed here are the ones assigned from
 * test_mk_file_path() by the setup code earlier in this file. None of the
 * pointers is reset after being freed, so they are left dangling once this
 * returns and a second call would free every object again.
 *
 * NOTE(review): the err: path of the setup function above already frees
 * cert, privkey, cert2 and privkey2 without clearing them. Confirm that the
 * harness never runs cleanup_tests() after a failed setup, otherwise those
 * four would be freed a second time here.
 */
void cleanup_tests(void)
{
    /* Path strings, listed in the order in which they are released. */
    void *const path_strings[] = {
        cert, privkey,
        cert2, privkey2,
        cert1024, privkey1024,
        cert3072, privkey3072,
        cert4096, privkey4096,
        cert8192, privkey8192
    };
    size_t idx;

#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
    EVP_PKEY_free(tmp_dh_params);
#endif

    for (idx = 0; idx < OSSL_NELEM(path_strings); idx++)
        OPENSSL_free(path_strings[idx]);

    /* Release the test BIO helpers (mempacket, always-retry, maybe-retry). */
    bio_s_mempacket_test_free();
    bio_s_always_retry_free();
    bio_s_maybe_retry_free();

    /* The provider handle is unloaded before the library context is freed. */
    OSSL_PROVIDER_unload(defctxnull);
    OSSL_LIB_CTX_free(libctx);
}
14376