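/*
 * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
#include <openssl/ssl.h>

#include "helpers/ssltestlib.h"
#include "internal/dane.h"
#include "testutil.h"

#undef OSSL_NO_USABLE_TLS1_3
#if defined(OPENSSL_NO_TLS1_3) \
    || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
/*
 * If we don't have ec or dh then there are no built-in groups that are usable
 * with TLSv1.3
 */
# define OSSL_NO_USABLE_TLS1_3
#endif

/* Paths built in setup_tests() from the "certdir" argument; freed in cleanup_tests(). */
static char *certsdir = NULL;
static char *rootcert = NULL;
static char *cert = NULL;
static char *privkey = NULL;
static char *cert2 = NULL;
static char *privkey2 = NULL;
static char *cert448 = NULL;
static char *privkey448 = NULL;
static char *cert25519 = NULL;
static char *privkey25519 = NULL;
/* Non-default library context used by test_rpk() idx 15. */
static OSSL_LIB_CTX *libctx = NULL;
/* "null" provider loaded into the default context for idx 15 so that
 * nothing is accidentally served from there; unloaded at the end of each run. */
static OSSL_PROVIDER *defctxnull = NULL;

/* Certificate-type list offered when RPK is enabled: prefer RPK, fall back to X.509. */
static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
static const unsigned char SID_CTX[] = { 'r', 'p', 'k' };

/*
 * Client-side verify callback.
 *
 * When the peer presented a raw public key, any verification error is
 * logged and treated as fatal (return 0).  When the peer presented no RPK
 * the callback returns 1 unconditionally, i.e. X.509 verification errors are
 * not enforced here; the assertions in test_rpk() decide the outcome instead.
 *
 * ok:  preverify result supplied by libssl (only used for logging)
 * ctx: store context holding the error and the peer RPK, if any
 * Returns 1 to continue the handshake, 0 to abort it.
 */
static int rpk_verify_client_cb(int ok, X509_STORE_CTX *ctx)
{
    int err = X509_STORE_CTX_get_error(ctx);

    if (X509_STORE_CTX_get0_rpk(ctx) != NULL) {
        if (err != X509_V_OK) {
            TEST_info("rpk_verify_client_cb: ok=%d err=%d", ok, err);
            return 0;
        }
    }
    return 1;
}

/*
 * Server-side verify callback, identical in behaviour to
 * rpk_verify_client_cb() apart from the log message.
 */
static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx)
{
    int err = X509_STORE_CTX_get_error(ctx);

    if (X509_STORE_CTX_get0_rpk(ctx) != NULL) {
        if (err != X509_V_OK) {
            TEST_info("rpk_verify_server_cb: ok=%d err=%d", ok, err);
            return 0;
        }
    }
    return 1;
}

/*
 * Configure a client SSL object for client authentication using the same
 * private key and certificate the server uses in the current test.
 *
 * clientssl:    the client SSL object
 * privkey_file: PEM private key path
 * cert_file:    PEM certificate path
 * Returns 1 on success, 0 if loading or the key/cert consistency check fails
 * (the failing TEST_ macro has already reported the error).
 */
static int set_client_auth_key_and_cert(SSL *clientssl, const char *privkey_file,
                                        const char *cert_file)
{
    if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
        return 0;
    if (!TEST_int_eq(SSL_use_certificate_file(clientssl, cert_file, SSL_FILETYPE_PEM), 1))
        return 0;
    if (!TEST_int_eq(SSL_check_private_key(clientssl), 1))
        return 0;
    return 1;
}

/*
 * Test dimensions:
 * (2) server_cert_type RPK off/on for server
 * (2) client_cert_type RPK off/on for server
 * (2) server_cert_type RPK off/on for client
 * (2) client_cert_type RPK off/on for client
 * (4) RSA vs ECDSA vs Ed25519 vs Ed448 certificates
 * (2) TLSv1.2 vs TLSv1.3
 *
 * Tests:
 * idx = 0 - is the normal success case, certificate, single peer key
 * idx = 1 - only a private key
 * idx = 2 - add client authentication
 * idx = 3 - add second peer key (rootcert.pem)
 * idx = 4 - add second peer key (different, RSA or ECDSA)
 * idx = 5 - reverse peer keys (rootcert.pem, different order)
 * idx = 6 - reverse peer keys (RSA or ECDSA, different order)
 * idx = 7 - expects failure due to mismatched key (RSA or ECDSA)
 * idx = 8 - expects failure due to no configured key on client
 * idx = 9 - add client authentication (PHA)
 * idx = 10 - add client authentication (privake key only)
 * idx = 11 - simple resumption
 * idx = 12 - simple resumption, no ticket
 * idx = 13 - resumption with client authentication
 * idx = 14 - resumption with client authentication, no ticket
 * idx = 15 - like 0, but use non-default libctx
 * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail
 * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail
 *
 * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2304 tests
 */
/*
 * Run one raw-public-key handshake scenario.
 *
 * idx: combined test index in [0, RPK_TESTS * RPK_DIMS); it is decoded
 *      (mixed radix, most significant dimension first) into the six
 *      dimensions listed above plus the per-scenario test number.
 * Returns 1 on success or skip, 0 on failure.  On failure the decoded
 * dimension values are logged so the failing combination can be reproduced.
 */
static int test_rpk(int idx)
{
# define RPK_TESTS 18
# define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2)
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    EVP_PKEY *pkey = NULL, *other_pkey = NULL, *root_pkey = NULL;
    X509 *x509 = NULL, *other_x509 = NULL, *root_x509 = NULL;
    int testresult = 0, ret, expected = 1;
    int client_expected = X509_V_OK;
    int verify;
    int tls_version;
    char *cert_file = NULL;
    char *privkey_file = NULL;
    char *other_cert_file = NULL;
    SSL_SESSION *client_sess = NULL;
    SSL_SESSION *server_sess = NULL;
    int idx_server_server_rpk, idx_server_client_rpk;
    int idx_client_server_rpk, idx_client_client_rpk;
    int idx_cert, idx_prot;
    int client_auth = 0;
    int resumption = 0;
    int want_error = SSL_ERROR_NONE;
    long server_verify_result = 0;
    long client_verify_result = 0;
    OSSL_LIB_CTX *test_libctx = NULL;

    /*
     * ADD_ALL_TESTS() passes 0 .. RPK_TESTS * RPK_DIMS - 1; the upper bound
     * itself would decode to idx_server_server_rpk == 2, so it is rejected.
     */
    if (!TEST_int_lt(idx, RPK_TESTS * RPK_DIMS))
        return 0;

    /* Peel the dimensions off idx, most significant first. */
    idx_server_server_rpk = idx / (RPK_TESTS * 2 * 4 * 2 * 2 * 2);
    idx %= RPK_TESTS * 2 * 4 * 2 * 2 * 2;
    idx_server_client_rpk = idx / (RPK_TESTS * 2 * 4 * 2 * 2);
    idx %= RPK_TESTS * 2 * 4 * 2 * 2;
    idx_client_server_rpk = idx / (RPK_TESTS * 2 * 4 * 2);
    idx %= RPK_TESTS * 2 * 4 * 2;
    idx_client_client_rpk = idx / (RPK_TESTS * 2 * 4);
    idx %= RPK_TESTS * 2 * 4;
    idx_cert = idx / (RPK_TESTS * 2);
    idx %= RPK_TESTS * 2;
    idx_prot = idx / RPK_TESTS;
    idx %= RPK_TESTS;

    /* Load "root" cert/pubkey */
    root_x509 = load_cert_pem(rootcert, NULL);
    if (!TEST_ptr(root_x509))
        goto end;
    root_pkey = X509_get0_pubkey(root_x509);
    if (!TEST_ptr(root_pkey))
        goto end;

    switch (idx_cert) {
    case 0:
        /* use RSA */
        cert_file = cert;
        privkey_file = privkey;
        other_cert_file = cert2;
        break;
#ifndef OPENSSL_NO_ECDSA
    case 1:
        /* use ECDSA */
        cert_file = cert2;
        privkey_file = privkey2;
        other_cert_file = cert;
        break;
# ifndef OPENSSL_NO_ECX
    case 2:
        /* use Ed448 */
        cert_file = cert448;
        privkey_file = privkey448;
        other_cert_file = cert;
        break;
    case 3:
        /* use Ed25519 */
        cert_file = cert25519;
        privkey_file = privkey25519;
        other_cert_file = cert;
        break;
# endif
#endif
    default:
        testresult = TEST_skip("EDCSA disabled");
        goto end;
    }
    /* Load primary cert */
    x509 = load_cert_pem(cert_file, NULL);
    if (!TEST_ptr(x509))
        goto end;
    /* pkey is borrowed from x509 (get0) and is freed with it. */
    pkey = X509_get0_pubkey(x509);
    if (!TEST_ptr(pkey))
        goto end;
    /* load other cert */
    other_x509 = load_cert_pem(other_cert_file, NULL);
    if (!TEST_ptr(other_x509))
        goto end;
    other_pkey = X509_get0_pubkey(other_x509);
#ifdef OPENSSL_NO_ECDSA
    /* Can't get other_key if it's ECDSA */
    if (other_pkey == NULL && idx_cert == 0
        && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) {
        testresult = TEST_skip("EDCSA disabled");
        goto end;
    }
#endif

    switch (idx_prot) {
    case 0:
#ifdef OSSL_NO_USABLE_TLS1_3
        testresult = TEST_skip("TLSv1.3 disabled");
        goto end;
#else
        tls_version = TLS1_3_VERSION;
        break;
#endif
    case 1:
#ifdef OPENSSL_NO_TLS1_2
        testresult = TEST_skip("TLSv1.2 disabled");
        goto end;
#else
        tls_version = TLS1_2_VERSION;
        break;
#endif
    default:
        goto end;
    }

    if (idx == 15) {
        /*
         * Run against the non-default libctx and empty out the default one
         * with the "null" provider so that the test cannot silently fall
         * back to it.
         */
        test_libctx = libctx;
        defctxnull = OSSL_PROVIDER_load(NULL, "null");
        if (!TEST_ptr(defctxnull))
            goto end;
    }
    if (!TEST_true(create_ssl_ctx_pair(test_libctx,
                                       TLS_server_method(), TLS_client_method(),
                                       tls_version, tls_version,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;

    /* Enable RPK on each side / direction independently, as dictated by the dimensions. */
    if (idx_server_server_rpk)
        if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    if (idx_server_client_rpk)
        if (!TEST_true(SSL_CTX_set1_client_cert_type(sctx, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    if (idx_client_server_rpk)
        if (!TEST_true(SSL_CTX_set1_server_cert_type(cctx, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    if (idx_client_client_rpk)
        if (!TEST_true(SSL_CTX_set1_client_cert_type(cctx, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    if (!TEST_true(SSL_CTX_set_session_id_context(sctx, SID_CTX, sizeof(SID_CTX))))
        goto end;
    if (!TEST_true(SSL_CTX_set_session_id_context(cctx, SID_CTX, sizeof(SID_CTX))))
        goto end;

    /* DANE is used as the mechanism for pinning the expected peer RPKs. */
    if (!TEST_int_gt(SSL_CTX_dane_enable(sctx), 0))
        goto end;
    if (!TEST_int_gt(SSL_CTX_dane_enable(cctx), 0))
        goto end;

    /*
     * The client verifies the server by default; individual cases below
     * override this with SSL_set_verify() where a failure is the expected
     * outcome.
     */
    SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, rpk_verify_client_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_int_gt(SSL_dane_enable(serverssl, NULL), 0))
        goto end;
    if (!TEST_int_gt(SSL_dane_enable(clientssl, "example.com"), 0))
        goto end;

    /* Set private key and certificate */
    if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl, privkey_file, SSL_FILETYPE_PEM), 1))
        goto end;
    /* Only a private key */
    if (idx == 1) {
        /* Without RPK on both sides a server with no certificate cannot handshake. */
        if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) {
            expected = 0;
            want_error = SSL_ERROR_SSL;
        }
    } else {
        /* Add certificate */
        if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1))
            goto end;
        if (!TEST_int_eq(SSL_check_private_key(serverssl), 1))
            goto end;
    }

    switch (idx) {
    default:
        if (!TEST_true(idx < RPK_TESTS))
            goto end;
        break;
    case 0:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        break;
    case 1:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        break;
    case 2:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
            goto end;
        /* Use the same key for client auth */
        if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
            goto end;
        SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
        client_auth = 1;
        break;
    case 3:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(clientssl, root_pkey)))
            goto end;
        break;
    case 4:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
            goto end;
        break;
    case 5:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, root_pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        break;
    case 6:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        break;
    case 7:
        /*
         * Only the wrong key is pinned.  With RPK negotiated the handshake
         * still completes because verification is set to NONE, but the
         * verify result must report the DANE mismatch.
         */
        if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1)
            client_expected = -1;
        if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
            goto end;
        SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb);
        client_verify_result = X509_V_ERR_DANE_NO_MATCH;
        break;
    case 8:
        if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1)
            client_expected = -1;
        /* no peer keys */
        SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb);
        client_verify_result = X509_V_ERR_RPK_UNTRUSTED;
        break;
    case 9:
        if (tls_version != TLS1_3_VERSION) {
            testresult = TEST_skip("PHA requires TLSv1.3");
            goto end;
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
            goto end;
        /* Use the same key for client auth */
        if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
            goto end;
        SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_POST_HANDSHAKE, rpk_verify_server_cb);
        SSL_set_post_handshake_auth(clientssl, 1);
        client_auth = 1;
        break;
    case 10:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
            goto end;
        /* Use the same key for client auth */
        if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
            goto end;
        /* Since there's no cert, this is expected to fail without RPK support */
        if (!idx_server_client_rpk || !idx_client_client_rpk) {
            expected = 0;
            want_error = SSL_ERROR_SSL;
            SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
        } else {
            SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
        }
        client_auth = 1;
        break;
    case 11:
        if (!idx_server_server_rpk || !idx_client_server_rpk) {
            testresult = TEST_skip("Only testing resumption with server RPK");
            goto end;
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        resumption = 1;
        break;
    case 12:
        if (!idx_server_server_rpk || !idx_client_server_rpk) {
            testresult = TEST_skip("Only testing resumption with server RPK");
            goto end;
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        SSL_set_options(serverssl, SSL_OP_NO_TICKET);
        SSL_set_options(clientssl, SSL_OP_NO_TICKET);
        resumption = 1;
        break;
    case 13:
        if (!idx_server_server_rpk || !idx_client_server_rpk) {
            testresult = TEST_skip("Only testing resumption with server RPK");
            goto end;
        }
        if (!idx_server_client_rpk || !idx_client_client_rpk) {
            testresult = TEST_skip("Only testing client authentication resumption with client RPK");
            goto end;
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
            goto end;
        /* Use the same key for client auth */
        if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
            goto end;
        SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
        client_auth = 1;
        resumption = 1;
        break;
    case 14:
        if (!idx_server_server_rpk || !idx_client_server_rpk) {
            testresult = TEST_skip("Only testing resumption with server RPK");
            goto end;
        }
        if (!idx_server_client_rpk || !idx_client_client_rpk) {
            testresult = TEST_skip("Only testing client authentication resumption with client RPK");
            goto end;
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        if (!TEST_true(SSL_add_expected_rpk(serverssl, pkey)))
            goto end;
        /* Use the same key for client auth */
        if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
            goto end;
        SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
        SSL_set_options(serverssl, SSL_OP_NO_TICKET);
        SSL_set_options(clientssl, SSL_OP_NO_TICKET);
        client_auth = 1;
        resumption = 1;
        break;
    case 15:
        if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
            goto end;
        break;
    case 16:
        if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) {
            /* wrong expected server key */
            expected = 0;
            want_error = SSL_ERROR_SSL;
            SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
        }
        if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
            goto end;
        break;
    case 17:
        if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) {
            /* no expected server keys */
            expected = 0;
            want_error = SSL_ERROR_SSL;
            SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
        }
        break;
    }

    ret = create_ssl_connection(serverssl, clientssl, want_error);
    if (!TEST_int_eq(expected, ret))
        goto end;

    /* An expected handshake failure is the whole test for those cases. */
    if (expected <= 0) {
        testresult = 1;
        goto end;
    }

    /* Make sure client gets RPK or certificate as configured */
    if (idx_server_server_rpk && idx_client_server_rpk) {
        if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
            goto end;
        if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
            goto end;
    } else {
        if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
            goto end;
    }

    if (idx == 9) {
        /* Make PHA happen... */
        if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
            goto end;
        if (!TEST_true(SSL_do_handshake(serverssl)))
            goto end;
        /* Zero-length reads drive the post-handshake messages through both ends. */
        if (!TEST_int_le(SSL_read(clientssl, NULL, 0), 0))
            goto end;
        if (!TEST_int_le(SSL_read(serverssl, NULL, 0), 0))
            goto end;
    }

    /* Make sure server gets an RPK or certificate as configured */
    if (client_auth) {
        if (idx_server_client_rpk && idx_client_client_rpk) {
            if (!TEST_long_eq(SSL_get_verify_result(serverssl), server_verify_result))
                goto end;
            if (!TEST_ptr(SSL_get0_peer_rpk(serverssl)))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_rpk))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
                goto end;
        } else {
            if (!TEST_ptr(SSL_get0_peer_certificate(serverssl)))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_x509))
                goto end;
        }
    }

    if (resumption) {
        EVP_PKEY *client_pkey = NULL;
        EVP_PKEY *server_pkey = NULL;

        /*
         * The peer RPK must survive in the session so that the resumed
         * connection can pin it again (client_pkey / server_pkey are
         * borrowed from the session objects, which are freed at "end").
         */
        if (!TEST_ptr((client_sess = SSL_get1_session(clientssl)))
            || !TEST_ptr((client_pkey = SSL_SESSION_get0_peer_rpk(client_sess))))
            goto end;
        if (client_auth) {
            if (!TEST_ptr((server_sess = SSL_get1_session(serverssl)))
                || !TEST_ptr((server_pkey = SSL_SESSION_get0_peer_rpk(server_sess))))
                goto end;
        }
        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(clientssl);
        SSL_free(serverssl);
        serverssl = clientssl = NULL;

        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                          NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, client_sess)))
            goto end;

        /* Set private key (and maybe certificate) */
        if (!TEST_int_eq(SSL_use_PrivateKey_file(serverssl, privkey_file, SSL_FILETYPE_PEM), 1))
            goto end;
        if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1))
            goto end;
        if (!TEST_int_eq(SSL_check_private_key(serverssl), 1))
            goto end;
        if (!TEST_int_gt(SSL_dane_enable(serverssl, "example.com"), 0))
            goto end;
        if (!TEST_int_gt(SSL_dane_enable(clientssl, "example.com"), 0))
            goto end;

        switch (idx) {
        default:
            break;
        case 11:
            if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
                goto end;
            break;
        case 12:
            if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
                goto end;
            SSL_set_options(clientssl, SSL_OP_NO_TICKET);
            SSL_set_options(serverssl, SSL_OP_NO_TICKET);
            break;
        case 13:
            if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
                goto end;
            if (!TEST_true(SSL_add_expected_rpk(serverssl, server_pkey)))
                goto end;
            /* Use the same key for client auth */
            if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
                goto end;
            SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
            break;
        case 14:
            if (!TEST_true(SSL_add_expected_rpk(clientssl, client_pkey)))
                goto end;
            if (!TEST_true(SSL_add_expected_rpk(serverssl, server_pkey)))
                goto end;
            /* Use the same key for client auth */
            if (!set_client_auth_key_and_cert(clientssl, privkey_file, cert_file))
                goto end;
            SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
            SSL_set_options(serverssl, SSL_OP_NO_TICKET);
            SSL_set_options(clientssl, SSL_OP_NO_TICKET);
            break;
        }

        ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
        if (!TEST_true(ret))
            goto end;
        verify = SSL_get_verify_result(clientssl);
        if (!TEST_int_eq(client_expected, verify))
            goto end;
        if (!TEST_true(SSL_session_reused(clientssl)))
            goto end;

        /* Resumption is only tested with server RPK, so RPK must be negotiated. */
        if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
            goto end;

        if (client_auth) {
            if (!TEST_ptr(SSL_get0_peer_rpk(serverssl)))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_rpk))
                goto end;
            if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
                goto end;
        }
    }

    testresult = 1;

 end:
    /* OSSL_PROVIDER_unload() and the *_free() calls all accept NULL. */
    OSSL_PROVIDER_unload(defctxnull);
    defctxnull = NULL;
    SSL_SESSION_free(client_sess);
    SSL_SESSION_free(server_sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    X509_free(x509);
    X509_free(other_x509);
    X509_free(root_x509);

    if (testresult == 0) {
        TEST_info("idx_ss_rpk=%d, idx_sc_rpk=%d, idx_cs_rpk=%d, idx_cc_rpk=%d, idx_cert=%d, idx_prot=%d, idx=%d",
                  idx_server_server_rpk, idx_server_client_rpk,
                  idx_client_server_rpk, idx_client_client_rpk,
                  idx_cert, idx_prot, idx);
    }
    return testresult;
}

/*
 * Exercise input validation of SSL_CTX_set1_server_cert_type(): duplicate,
 * unknown, trailing-unknown and unsupported-but-registered type values must
 * be rejected, while a single x509 or rpk entry is accepted.
 * Returns 1 on success, 0 on failure.
 */
static int test_rpk_api(void)
{
    int ret = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    unsigned char cert_type_dups[] = { TLSEXT_cert_type_rpk,
                                       TLSEXT_cert_type_x509,
                                       TLSEXT_cert_type_x509 };
    unsigned char cert_type_bad[] = { 0xFF };
    unsigned char cert_type_extra[] = { TLSEXT_cert_type_rpk,
                                        TLSEXT_cert_type_x509,
                                        0xFF };
    unsigned char cert_type_unsup[] = { TLSEXT_cert_type_pgp,
                                        TLSEXT_cert_type_1609dot2 };
    unsigned char cert_type_just_x509[] = { TLSEXT_cert_type_x509 };
    unsigned char cert_type_just_rpk[] = { TLSEXT_cert_type_rpk };

    if (!TEST_true(create_ssl_ctx_pair(NULL,
                                       TLS_server_method(), TLS_client_method(),
                                       TLS1_2_VERSION, TLS1_2_VERSION,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;

    if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_dups, sizeof(cert_type_dups))))
        goto end;

    if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_bad, sizeof(cert_type_bad))))
        goto end;

    if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_extra, sizeof(cert_type_extra))))
        goto end;

    if (!TEST_false(SSL_CTX_set1_server_cert_type(sctx, cert_type_unsup, sizeof(cert_type_unsup))))
        goto end;

    if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_just_x509, sizeof(cert_type_just_x509))))
        goto end;

    if (!TEST_true(SSL_CTX_set1_server_cert_type(sctx, cert_type_just_rpk, sizeof(cert_type_just_rpk))))
        goto end;

    ret = 1;
 end:
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ret;
}

OPT_TEST_DECLARE_USAGE("certdir\n")

/*
 * Build the certificate/key paths from the "certdir" argument, create the
 * non-default library context and register the tests.
 * Returns 1 on success, 0 on failure.  Anything allocated here is released
 * by cleanup_tests(), which the test framework runs regardless of outcome.
 */
int setup_tests(void)
{
    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    if (!TEST_ptr(certsdir = test_get_argument(0)))
        return 0;

    rootcert = test_mk_file_path(certsdir, "rootcert.pem");
    if (rootcert == NULL)
        goto err;

    cert = test_mk_file_path(certsdir, "servercert.pem");
    if (cert == NULL)
        goto err;

    privkey = test_mk_file_path(certsdir, "serverkey.pem");
    if (privkey == NULL)
        goto err;

    cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
    if (cert2 == NULL)
        goto err;

    privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
    if (privkey2 == NULL)
        goto err;

    /* Each check tests the path just built, not an earlier one. */
    cert448 = test_mk_file_path(certsdir, "server-ed448-cert.pem");
    if (cert448 == NULL)
        goto err;

    privkey448 = test_mk_file_path(certsdir, "server-ed448-key.pem");
    if (privkey448 == NULL)
        goto err;

    cert25519 = test_mk_file_path(certsdir, "server-ed25519-cert.pem");
    if (cert25519 == NULL)
        goto err;

    privkey25519 = test_mk_file_path(certsdir, "server-ed25519-key.pem");
    if (privkey25519 == NULL)
        goto err;

    libctx = OSSL_LIB_CTX_new();
    if (libctx == NULL)
        goto err;

    ADD_TEST(test_rpk_api);
    ADD_ALL_TESTS(test_rpk, RPK_TESTS * RPK_DIMS);
    return 1;

 err:
    return 0;
}

/* Release everything allocated by setup_tests(); all the free functions accept NULL. */
void cleanup_tests(void)
{
    OPENSSL_free(rootcert);
    OPENSSL_free(cert);
    OPENSSL_free(privkey);
    OPENSSL_free(cert2);
    OPENSSL_free(privkey2);
    OPENSSL_free(cert448);
    OPENSSL_free(privkey448);
    OPENSSL_free(cert25519);
    OPENSSL_free(privkey25519);
    OSSL_LIB_CTX_free(libctx);
}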