1 /* 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * We need access to the deprecated low level HMAC APIs for legacy purposes 12 * when the deprecated calls are not hidden 13 */ 14 #ifndef OPENSSL_NO_DEPRECATED_3_0 15 # define OPENSSL_SUPPRESS_DEPRECATED 16 #endif 17 18 #include <stdio.h> 19 #include <string.h> 20 21 #include <openssl/opensslconf.h> 22 #include <openssl/bio.h> 23 #include <openssl/crypto.h> 24 #include <openssl/ssl.h> 25 #include <openssl/ocsp.h> 26 #include <openssl/srp.h> 27 #include <openssl/txt_db.h> 28 #include <openssl/aes.h> 29 #include <openssl/rand.h> 30 #include <openssl/core_names.h> 31 #include <openssl/core_dispatch.h> 32 #include <openssl/provider.h> 33 #include <openssl/param_build.h> 34 #include <openssl/x509v3.h> 35 #include <openssl/dh.h> 36 #include <openssl/engine.h> 37 38 #include "helpers/ssltestlib.h" 39 #include "testutil.h" 40 #include "testutil/output.h" 41 #include "internal/nelem.h" 42 #include "internal/ktls.h" 43 #include "../ssl/ssl_local.h" 44 #include "filterprov.h" 45 46 #undef OSSL_NO_USABLE_TLS1_3 47 #if defined(OPENSSL_NO_TLS1_3) \ 48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) 49 /* 50 * If we don't have ec or dh then there are no built-in groups that are usable 51 * with TLSv1.3 52 */ 53 # define OSSL_NO_USABLE_TLS1_3 54 #endif 55 56 /* Defined in tls-provider.c */ 57 int tls_provider_init(const OSSL_CORE_HANDLE *handle, 58 const OSSL_DISPATCH *in, 59 const OSSL_DISPATCH **out, 60 void **provctx); 61 62 static OSSL_LIB_CTX *libctx = NULL; 63 static OSSL_PROVIDER *defctxnull = NULL; 64 65 #ifndef OSSL_NO_USABLE_TLS1_3 66 67 static SSL_SESSION *clientpsk = NULL; 68 static SSL_SESSION *serverpsk = NULL; 69 static const char *pskid = "Identity"; 70 static const char *srvid; 71 72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 73 size_t *idlen, SSL_SESSION **sess); 74 static int find_session_cb(SSL *ssl, const unsigned char *identity, 75 size_t identity_len, SSL_SESSION **sess); 76 77 static int use_session_cb_cnt = 0; 78 static int find_session_cb_cnt = 0; 79 80 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize); 81 #endif 82 83 static char *certsdir = NULL; 84 static char *cert = NULL; 85 static char *privkey = NULL; 86 static char *cert2 = NULL; 87 static char *privkey2 = NULL; 88 static char *cert1024 = NULL; 89 static char *privkey1024 = NULL; 90 static char *cert3072 = NULL; 91 static char *privkey3072 = NULL; 92 static char *cert4096 = NULL; 93 static char *privkey4096 = NULL; 94 static char *cert8192 = NULL; 95 static char *privkey8192 = NULL; 96 static char *srpvfile = NULL; 97 static char *tmpfilename = NULL; 98 static char *dhfile = NULL; 99 100 static int is_fips = 0; 101 102 #define LOG_BUFFER_SIZE 2048 103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 104 static size_t server_log_buffer_index = 0; 105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; 106 static size_t client_log_buffer_index = 0; 107 static int error_writing_log = 0; 108 109 #ifndef OPENSSL_NO_OCSP 110 static const unsigned char orespder[] = "Dummy OCSP Response"; 111 static int ocsp_server_called = 0; 112 static int ocsp_client_called = 0; 113 114 static int cdummyarg = 1; 115 static X509 *ocspcert = NULL; 116 #endif 117 118 #define NUM_EXTRA_CERTS 40 119 #define CLIENT_VERSION_LEN 2 120 121 /* 122 * This structure is used to validate that the correct number of log messages 123 * of various types are emitted when emitting secret logs. 124 */ 125 struct sslapitest_log_counts { 126 unsigned int rsa_key_exchange_count; 127 unsigned int master_secret_count; 128 unsigned int client_early_secret_count; 129 unsigned int client_handshake_secret_count; 130 unsigned int server_handshake_secret_count; 131 unsigned int client_application_secret_count; 132 unsigned int server_application_secret_count; 133 unsigned int early_exporter_secret_count; 134 unsigned int exporter_secret_count; 135 }; 136 137 138 static int hostname_cb(SSL *s, int *al, void *arg) 139 { 140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 141 142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0 143 || strcmp(hostname, "altgoodhost") == 0)) 144 return SSL_TLSEXT_ERR_OK; 145 146 return SSL_TLSEXT_ERR_NOACK; 147 } 148 149 static void client_keylog_callback(const SSL *ssl, const char *line) 150 { 151 int line_length = strlen(line); 152 153 /* If the log doesn't fit, error out. */ 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) { 155 TEST_info("Client log too full"); 156 error_writing_log = 1; 157 return; 158 } 159 160 strcat(client_log_buffer, line); 161 client_log_buffer_index += line_length; 162 client_log_buffer[client_log_buffer_index++] = '\n'; 163 } 164 165 static void server_keylog_callback(const SSL *ssl, const char *line) 166 { 167 int line_length = strlen(line); 168 169 /* If the log doesn't fit, error out. */ 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { 171 TEST_info("Server log too full"); 172 error_writing_log = 1; 173 return; 174 } 175 176 strcat(server_log_buffer, line); 177 server_log_buffer_index += line_length; 178 server_log_buffer[server_log_buffer_index++] = '\n'; 179 } 180 181 static int compare_hex_encoded_buffer(const char *hex_encoded, 182 size_t hex_length, 183 const uint8_t *raw, 184 size_t raw_length) 185 { 186 size_t i, j; 187 char hexed[3]; 188 189 if (!TEST_size_t_eq(raw_length * 2, hex_length)) 190 return 1; 191 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { 193 sprintf(hexed, "%02x", raw[i]); 194 if (!TEST_int_eq(hexed[0], hex_encoded[j]) 195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) 196 return 1; 197 } 198 199 return 0; 200 } 201 202 static int test_keylog_output(char *buffer, const SSL *ssl, 203 const SSL_SESSION *session, 204 struct sslapitest_log_counts *expected) 205 { 206 char *token = NULL; 207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0}; 208 size_t client_random_size = SSL3_RANDOM_SIZE; 209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0}; 210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; 211 unsigned int rsa_key_exchange_count = 0; 212 unsigned int master_secret_count = 0; 213 unsigned int client_early_secret_count = 0; 214 unsigned int client_handshake_secret_count = 0; 215 unsigned int server_handshake_secret_count = 0; 216 unsigned int client_application_secret_count = 0; 217 unsigned int server_application_secret_count = 0; 218 unsigned int early_exporter_secret_count = 0; 219 unsigned int exporter_secret_count = 0; 220 221 for (token = strtok(buffer, " \n"); token != NULL; 222 token = strtok(NULL, " \n")) { 223 if (strcmp(token, "RSA") == 0) { 224 /* 225 * Premaster secret. Tokens should be: 16 ASCII bytes of 226 * hex-encoded encrypted secret, then the hex-encoded pre-master 227 * secret. 228 */ 229 if (!TEST_ptr(token = strtok(NULL, " \n"))) 230 return 0; 231 if (!TEST_size_t_eq(strlen(token), 16)) 232 return 0; 233 if (!TEST_ptr(token = strtok(NULL, " \n"))) 234 return 0; 235 /* 236 * We can't sensibly check the log because the premaster secret is 237 * transient, and OpenSSL doesn't keep hold of it once the master 238 * secret is generated. 239 */ 240 rsa_key_exchange_count++; 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) { 242 /* 243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded 244 * client random, then the hex-encoded master secret. 245 */ 246 client_random_size = SSL_get_client_random(ssl, 247 actual_client_random, 248 SSL3_RANDOM_SIZE); 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 250 return 0; 251 252 if (!TEST_ptr(token = strtok(NULL, " \n"))) 253 return 0; 254 if (!TEST_size_t_eq(strlen(token), 64)) 255 return 0; 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 257 actual_client_random, 258 client_random_size))) 259 return 0; 260 261 if (!TEST_ptr(token = strtok(NULL, " \n"))) 262 return 0; 263 master_key_size = SSL_SESSION_get_master_key(session, 264 actual_master_key, 265 master_key_size); 266 if (!TEST_size_t_ne(master_key_size, 0)) 267 return 0; 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token), 269 actual_master_key, 270 master_key_size))) 271 return 0; 272 master_secret_count++; 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 279 || strcmp(token, "EXPORTER_SECRET") == 0) { 280 /* 281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded 282 * client random, and then the hex-encoded secret. In this case, 283 * we treat all of these secrets identically and then just 284 * distinguish between them when counting what we saw. 285 */ 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) 287 client_early_secret_count++; 288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) 289 client_handshake_secret_count++; 290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) 291 server_handshake_secret_count++; 292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0) 293 client_application_secret_count++; 294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) 295 server_application_secret_count++; 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) 297 early_exporter_secret_count++; 298 else if (strcmp(token, "EXPORTER_SECRET") == 0) 299 exporter_secret_count++; 300 301 client_random_size = SSL_get_client_random(ssl, 302 actual_client_random, 303 SSL3_RANDOM_SIZE); 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 305 return 0; 306 307 if (!TEST_ptr(token = strtok(NULL, " \n"))) 308 return 0; 309 if (!TEST_size_t_eq(strlen(token), 64)) 310 return 0; 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 312 actual_client_random, 313 client_random_size))) 314 return 0; 315 316 if (!TEST_ptr(token = strtok(NULL, " \n"))) 317 return 0; 318 } else { 319 TEST_info("Unexpected token %s\n", token); 320 return 0; 321 } 322 } 323 324 /* Got what we expected? */ 325 if (!TEST_size_t_eq(rsa_key_exchange_count, 326 expected->rsa_key_exchange_count) 327 || !TEST_size_t_eq(master_secret_count, 328 expected->master_secret_count) 329 || !TEST_size_t_eq(client_early_secret_count, 330 expected->client_early_secret_count) 331 || !TEST_size_t_eq(client_handshake_secret_count, 332 expected->client_handshake_secret_count) 333 || !TEST_size_t_eq(server_handshake_secret_count, 334 expected->server_handshake_secret_count) 335 || !TEST_size_t_eq(client_application_secret_count, 336 expected->client_application_secret_count) 337 || !TEST_size_t_eq(server_application_secret_count, 338 expected->server_application_secret_count) 339 || !TEST_size_t_eq(early_exporter_secret_count, 340 expected->early_exporter_secret_count) 341 || !TEST_size_t_eq(exporter_secret_count, 342 expected->exporter_secret_count)) 343 return 0; 344 return 1; 345 } 346 347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 348 static int test_keylog(void) 349 { 350 SSL_CTX *cctx = NULL, *sctx = NULL; 351 SSL *clientssl = NULL, *serverssl = NULL; 352 int testresult = 0; 353 struct sslapitest_log_counts expected; 354 355 /* Clean up logging space */ 356 memset(&expected, 0, sizeof(expected)); 357 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 358 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 359 client_log_buffer_index = 0; 360 server_log_buffer_index = 0; 361 error_writing_log = 0; 362 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 364 TLS_client_method(), 365 TLS1_VERSION, 0, 366 &sctx, &cctx, cert, privkey))) 367 return 0; 368 369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */ 370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 372 373 /* We also want to ensure that we use RSA-based key exchange. */ 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA"))) 375 goto end; 376 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 379 goto end; 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 382 == client_keylog_callback)) 383 goto end; 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 386 == server_keylog_callback)) 387 goto end; 388 389 /* Now do a handshake and check that the logs have been written to. */ 390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 391 &clientssl, NULL, NULL)) 392 || !TEST_true(create_ssl_connection(serverssl, clientssl, 393 SSL_ERROR_NONE)) 394 || !TEST_false(error_writing_log) 395 || !TEST_int_gt(client_log_buffer_index, 0) 396 || !TEST_int_gt(server_log_buffer_index, 0)) 397 goto end; 398 399 /* 400 * Now we want to test that our output data was vaguely sensible. We 401 * do that by using strtok and confirming that we have more or less the 402 * data we expect. For both client and server, we expect to see one master 403 * secret. The client should also see an RSA key exchange. 404 */ 405 expected.rsa_key_exchange_count = 1; 406 expected.master_secret_count = 1; 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 408 SSL_get_session(clientssl), &expected))) 409 goto end; 410 411 expected.rsa_key_exchange_count = 0; 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl, 413 SSL_get_session(serverssl), &expected))) 414 goto end; 415 416 testresult = 1; 417 418 end: 419 SSL_free(serverssl); 420 SSL_free(clientssl); 421 SSL_CTX_free(sctx); 422 SSL_CTX_free(cctx); 423 424 return testresult; 425 } 426 #endif 427 428 #ifndef OSSL_NO_USABLE_TLS1_3 429 static int test_keylog_no_master_key(void) 430 { 431 SSL_CTX *cctx = NULL, *sctx = NULL; 432 SSL *clientssl = NULL, *serverssl = NULL; 433 SSL_SESSION *sess = NULL; 434 int testresult = 0; 435 struct sslapitest_log_counts expected; 436 unsigned char buf[1]; 437 size_t readbytes, written; 438 439 /* Clean up logging space */ 440 memset(&expected, 0, sizeof(expected)); 441 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 442 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 443 client_log_buffer_index = 0; 444 server_log_buffer_index = 0; 445 error_writing_log = 0; 446 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 448 TLS_client_method(), TLS1_VERSION, 0, 449 &sctx, &cctx, cert, privkey)) 450 || !TEST_true(SSL_CTX_set_max_early_data(sctx, 451 SSL3_RT_MAX_PLAIN_LENGTH))) 452 return 0; 453 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 456 goto end; 457 458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 460 == client_keylog_callback)) 461 goto end; 462 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 465 == server_keylog_callback)) 466 goto end; 467 468 /* Now do a handshake and check that the logs have been written to. */ 469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 470 &clientssl, NULL, NULL)) 471 || !TEST_true(create_ssl_connection(serverssl, clientssl, 472 SSL_ERROR_NONE)) 473 || !TEST_false(error_writing_log)) 474 goto end; 475 476 /* 477 * Now we want to test that our output data was vaguely sensible. For this 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for 479 * TLSv1.3, but we do expect both client and server to emit keys. 480 */ 481 expected.client_handshake_secret_count = 1; 482 expected.server_handshake_secret_count = 1; 483 expected.client_application_secret_count = 1; 484 expected.server_application_secret_count = 1; 485 expected.exporter_secret_count = 1; 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 487 SSL_get_session(clientssl), &expected)) 488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 489 SSL_get_session(serverssl), 490 &expected))) 491 goto end; 492 493 /* Terminate old session and resume with early data. */ 494 sess = SSL_get1_session(clientssl); 495 SSL_shutdown(clientssl); 496 SSL_shutdown(serverssl); 497 SSL_free(serverssl); 498 SSL_free(clientssl); 499 serverssl = clientssl = NULL; 500 501 /* Reset key log */ 502 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 503 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 504 client_log_buffer_index = 0; 505 server_log_buffer_index = 0; 506 507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 508 &clientssl, NULL, NULL)) 509 || !TEST_true(SSL_set_session(clientssl, sess)) 510 /* Here writing 0 length early data is enough. */ 511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 513 &readbytes), 514 SSL_READ_EARLY_DATA_ERROR) 515 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 516 SSL_EARLY_DATA_ACCEPTED) 517 || !TEST_true(create_ssl_connection(serverssl, clientssl, 518 SSL_ERROR_NONE)) 519 || !TEST_true(SSL_session_reused(clientssl))) 520 goto end; 521 522 /* In addition to the previous entries, expect early secrets. */ 523 expected.client_early_secret_count = 1; 524 expected.early_exporter_secret_count = 1; 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 526 SSL_get_session(clientssl), &expected)) 527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 528 SSL_get_session(serverssl), 529 &expected))) 530 goto end; 531 532 testresult = 1; 533 534 end: 535 SSL_SESSION_free(sess); 536 SSL_free(serverssl); 537 SSL_free(clientssl); 538 SSL_CTX_free(sctx); 539 SSL_CTX_free(cctx); 540 541 return testresult; 542 } 543 #endif 544 545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) 546 { 547 int res = X509_verify_cert(ctx); 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 549 SSL *ssl; 550 551 /* this should not happen but check anyway */ 552 if (idx < 0 553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 554 return 0; 555 556 if (res == 0 && X509_STORE_CTX_get_error(ctx) == 557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */ 559 return SSL_set_retry_verify(ssl); 560 561 return res; 562 } 563 564 static int test_client_cert_verify_cb(void) 565 { 566 /* server key, cert, chain, and root */ 567 char *skey = test_mk_file_path(certsdir, "leaf.key"); 568 char *leaf = test_mk_file_path(certsdir, "leaf.pem"); 569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem"); 570 char *int1 = test_mk_file_path(certsdir, "interCA.pem"); 571 char *root = test_mk_file_path(certsdir, "rootCA.pem"); 572 X509 *crt1 = NULL, *crt2 = NULL; 573 STACK_OF(X509) *server_chain; 574 SSL_CTX *cctx = NULL, *sctx = NULL; 575 SSL *clientssl = NULL, *serverssl = NULL; 576 int testresult = 0; 577 578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 579 TLS_client_method(), TLS1_VERSION, 0, 580 &sctx, &cctx, NULL, NULL))) 581 goto end; 582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1) 583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey, 584 SSL_FILETYPE_PEM), 1) 585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)) 586 goto end; 587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL))) 588 goto end; 589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL); 590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL); 591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 592 &clientssl, NULL, NULL))) 593 goto end; 594 595 /* attempt SSL_connect() with incomplete server chain */ 596 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 597 SSL_ERROR_WANT_RETRY_VERIFY))) 598 goto end; 599 600 /* application provides intermediate certs needed to verify server cert */ 601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx))) 602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx))) 603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl)))) 604 goto end; 605 /* add certs in reverse order to demonstrate real chain building */ 606 if (!TEST_true(sk_X509_push(server_chain, crt1))) 607 goto end; 608 crt1 = NULL; 609 if (!TEST_true(sk_X509_push(server_chain, crt2))) 610 goto end; 611 crt2 = NULL; 612 613 /* continue SSL_connect(), must now succeed with completed server chain */ 614 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 615 SSL_ERROR_NONE))) 616 goto end; 617 618 testresult = 1; 619 620 end: 621 X509_free(crt1); 622 X509_free(crt2); 623 if (clientssl != NULL) { 624 SSL_shutdown(clientssl); 625 SSL_free(clientssl); 626 } 627 if (serverssl != NULL) { 628 SSL_shutdown(serverssl); 629 SSL_free(serverssl); 630 } 631 SSL_CTX_free(sctx); 632 SSL_CTX_free(cctx); 633 634 OPENSSL_free(skey); 635 OPENSSL_free(leaf); 636 OPENSSL_free(int2); 637 OPENSSL_free(int1); 638 OPENSSL_free(root); 639 640 return testresult; 641 } 642 643 static int test_ssl_build_cert_chain(void) 644 { 645 int ret = 0; 646 SSL_CTX *ssl_ctx = NULL; 647 SSL *ssl = NULL; 648 char *skey = test_mk_file_path(certsdir, "leaf.key"); 649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 650 651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 652 goto end; 653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx))) 654 goto end; 655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1) 657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1) 658 || !TEST_int_eq(SSL_check_private_key(ssl), 1)) 659 goto end; 660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT 661 | SSL_BUILD_CHAIN_FLAG_CHECK))) 662 goto end; 663 ret = 1; 664 end: 665 SSL_free(ssl); 666 SSL_CTX_free(ssl_ctx); 667 OPENSSL_free(leaf_chain); 668 OPENSSL_free(skey); 669 return ret; 670 } 671 672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata) 673 { 674 static const char pass[] = "testpass"; 675 676 if (!TEST_int_eq(size, PEM_BUFSIZE)) 677 return -1; 678 679 memcpy(buf, pass, sizeof(pass) - 1); 680 return sizeof(pass) - 1; 681 } 682 683 static int test_ssl_ctx_build_cert_chain(void) 684 { 685 int ret = 0; 686 SSL_CTX *ctx = NULL; 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key"); 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 689 690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 691 goto end; 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb); 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1) 695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey, 696 SSL_FILETYPE_PEM), 1) 697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1)) 698 goto end; 699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT 700 | SSL_BUILD_CHAIN_FLAG_CHECK))) 701 goto end; 702 ret = 1; 703 end: 704 SSL_CTX_free(ctx); 705 OPENSSL_free(leaf_chain); 706 OPENSSL_free(skey); 707 return ret; 708 } 709 710 #ifndef OPENSSL_NO_TLS1_2 711 static int full_client_hello_callback(SSL *s, int *al, void *arg) 712 { 713 int *ctr = arg; 714 const unsigned char *p; 715 int *exts; 716 /* We only configure two ciphers, but the SCSV is added automatically. */ 717 #ifdef OPENSSL_NO_EC 718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff}; 719 #else 720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0, 721 0x2c, 0x00, 0xff}; 722 #endif 723 const int expected_extensions[] = { 724 #ifndef OPENSSL_NO_EC 725 11, 10, 726 #endif 727 35, 22, 23, 13}; 728 size_t len; 729 730 /* Make sure we can defer processing and get called back. */ 731 if ((*ctr)++ == 0) 732 return SSL_CLIENT_HELLO_RETRY; 733 734 len = SSL_client_hello_get0_ciphers(s, &p); 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) 736 || !TEST_size_t_eq( 737 SSL_client_hello_get0_compression_methods(s, &p), 1) 738 || !TEST_int_eq(*p, 0)) 739 return SSL_CLIENT_HELLO_ERROR; 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) 741 return SSL_CLIENT_HELLO_ERROR; 742 if (len != OSSL_NELEM(expected_extensions) || 743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { 744 printf("ClientHello callback expected extensions mismatch\n"); 745 OPENSSL_free(exts); 746 return SSL_CLIENT_HELLO_ERROR; 747 } 748 OPENSSL_free(exts); 749 return SSL_CLIENT_HELLO_SUCCESS; 750 } 751 752 static int test_client_hello_cb(void) 753 { 754 SSL_CTX *cctx = NULL, *sctx = NULL; 755 SSL *clientssl = NULL, *serverssl = NULL; 756 int testctr = 0, testresult = 0; 757 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 759 TLS_client_method(), TLS1_VERSION, 0, 760 &sctx, &cctx, cert, privkey))) 761 goto end; 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); 763 764 /* The gimpy cipher list we configure can't do TLS 1.3. */ 765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 766 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) 769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 770 &clientssl, NULL, NULL)) 771 || !TEST_false(create_ssl_connection(serverssl, clientssl, 772 SSL_ERROR_WANT_CLIENT_HELLO_CB)) 773 /* 774 * Passing a -1 literal is a hack since 775 * the real value was lost. 776 * */ 777 || !TEST_int_eq(SSL_get_error(serverssl, -1), 778 SSL_ERROR_WANT_CLIENT_HELLO_CB) 779 || !TEST_true(create_ssl_connection(serverssl, clientssl, 780 SSL_ERROR_NONE))) 781 goto end; 782 783 testresult = 1; 784 785 end: 786 SSL_free(serverssl); 787 SSL_free(clientssl); 788 SSL_CTX_free(sctx); 789 SSL_CTX_free(cctx); 790 791 return testresult; 792 } 793 794 static int test_no_ems(void) 795 { 796 SSL_CTX *cctx = NULL, *sctx = NULL; 797 SSL *clientssl = NULL, *serverssl = NULL; 798 int testresult = 0; 799 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 801 TLS1_VERSION, TLS1_2_VERSION, 802 &sctx, &cctx, cert, privkey)) { 803 printf("Unable to create SSL_CTX pair\n"); 804 goto end; 805 } 806 807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET); 808 809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 810 printf("Unable to create SSL objects\n"); 811 goto end; 812 } 813 814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { 815 printf("Creating SSL connection failed\n"); 816 goto end; 817 } 818 819 if (SSL_get_extms_support(serverssl)) { 820 printf("Server reports Extended Master Secret support\n"); 821 goto end; 822 } 823 824 if (SSL_get_extms_support(clientssl)) { 825 printf("Client reports Extended Master Secret support\n"); 826 goto end; 827 } 828 testresult = 1; 829 830 end: 831 SSL_free(serverssl); 832 SSL_free(clientssl); 833 SSL_CTX_free(sctx); 834 SSL_CTX_free(cctx); 835 836 return testresult; 837 } 838 839 /* 840 * Very focused test to exercise a single case in the server-side state 841 * machine, when the ChangeCipherState message needs to actually change 842 * from one cipher to a different cipher (i.e., not changing from null 843 * encryption to real encryption). 844 */ 845 static int test_ccs_change_cipher(void) 846 { 847 SSL_CTX *cctx = NULL, *sctx = NULL; 848 SSL *clientssl = NULL, *serverssl = NULL; 849 SSL_SESSION *sess = NULL, *sesspre, *sesspost; 850 int testresult = 0; 851 int i; 852 unsigned char buf; 853 size_t readbytes; 854 855 /* 856 * Create a conection so we can resume and potentially (but not) use 857 * a different cipher in the second connection. 858 */ 859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 860 TLS_client_method(), 861 TLS1_VERSION, TLS1_2_VERSION, 862 &sctx, &cctx, cert, privkey)) 863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)) 864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 865 NULL, NULL)) 866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 867 || !TEST_true(create_ssl_connection(serverssl, clientssl, 868 SSL_ERROR_NONE)) 869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 870 || !TEST_ptr(sess = SSL_get1_session(clientssl))) 871 goto end; 872 873 shutdown_ssl_connection(serverssl, clientssl); 874 serverssl = clientssl = NULL; 875 876 /* Resume, preferring a different cipher. Our server will force the 877 * same cipher to be used as the initial handshake. */ 878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 879 NULL, NULL)) 880 || !TEST_true(SSL_set_session(clientssl, sess)) 881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256")) 882 || !TEST_true(create_ssl_connection(serverssl, clientssl, 883 SSL_ERROR_NONE)) 884 || !TEST_true(SSL_session_reused(clientssl)) 885 || !TEST_true(SSL_session_reused(serverssl)) 886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 887 || !TEST_ptr_eq(sesspre, sesspost) 888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 890 goto end; 891 shutdown_ssl_connection(serverssl, clientssl); 892 serverssl = clientssl = NULL; 893 894 /* 895 * Now create a fresh connection and try to renegotiate a different 896 * cipher on it. 897 */ 898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 899 NULL, NULL)) 900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 901 || !TEST_true(create_ssl_connection(serverssl, clientssl, 902 SSL_ERROR_NONE)) 903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")) 905 || !TEST_true(SSL_renegotiate(clientssl)) 906 || !TEST_true(SSL_renegotiate_pending(clientssl))) 907 goto end; 908 /* Actually drive the renegotiation. */ 909 for (i = 0; i < 3; i++) { 910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) { 911 if (!TEST_ulong_eq(readbytes, 0)) 912 goto end; 913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0), 914 SSL_ERROR_WANT_READ)) { 915 goto end; 916 } 917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) { 918 if (!TEST_ulong_eq(readbytes, 0)) 919 goto end; 920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0), 921 SSL_ERROR_WANT_READ)) { 922 goto end; 923 } 924 } 925 /* sesspre and sesspost should be different since the cipher changed. */ 926 if (!TEST_false(SSL_renegotiate_pending(clientssl)) 927 || !TEST_false(SSL_session_reused(clientssl)) 928 || !TEST_false(SSL_session_reused(serverssl)) 929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 930 || !TEST_ptr_ne(sesspre, sesspost) 931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 933 goto end; 934 935 shutdown_ssl_connection(serverssl, clientssl); 936 serverssl = clientssl = NULL; 937 938 testresult = 1; 939 940 end: 941 SSL_free(serverssl); 942 SSL_free(clientssl); 943 SSL_CTX_free(sctx); 944 SSL_CTX_free(cctx); 945 SSL_SESSION_free(sess); 946 947 return testresult; 948 } 949 #endif 950 951 static int add_large_cert_chain(SSL_CTX *sctx) 952 { 953 BIO *certbio = NULL; 954 X509 *chaincert = NULL; 955 int certlen; 956 int ret = 0; 957 int i; 958 959 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))) 960 goto end; 961 962 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL))) 963 goto end; 964 965 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL) 966 goto end; 967 BIO_free(certbio); 968 certbio = NULL; 969 970 /* 971 * We assume the supplied certificate is big enough so that if we add 972 * NUM_EXTRA_CERTS it will make the overall message large enough. The 973 * default buffer size is requested to be 16k, but due to the way BUF_MEM 974 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this 975 * test we need to have a message larger than that. 976 */ 977 certlen = i2d_X509(chaincert, NULL); 978 OPENSSL_assert(certlen * NUM_EXTRA_CERTS > 979 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3); 980 for (i = 0; i < NUM_EXTRA_CERTS; i++) { 981 if (!X509_up_ref(chaincert)) 982 goto end; 983 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) { 984 X509_free(chaincert); 985 goto end; 986 } 987 } 988 989 ret = 1; 990 end: 991 BIO_free(certbio); 992 X509_free(chaincert); 993 return ret; 994 } 995 996 static int execute_test_large_message(const SSL_METHOD *smeth, 997 const SSL_METHOD *cmeth, 998 int min_version, int max_version, 999 int read_ahead) 1000 { 1001 SSL_CTX *cctx = NULL, *sctx = NULL; 1002 SSL *clientssl = NULL, *serverssl = NULL; 1003 int testresult = 0; 1004 1005 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, 1006 max_version, &sctx, &cctx, cert, 1007 privkey))) 1008 goto end; 1009 1010 #ifdef OPENSSL_NO_DTLS1_2 1011 if (smeth == DTLS_server_method()) { 1012 /* 1013 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 1014 * level 0 1015 */ 1016 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 1017 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 1018 "DEFAULT:@SECLEVEL=0"))) 1019 goto end; 1020 } 1021 #endif 1022 1023 if (read_ahead) { 1024 /* 1025 * Test that read_ahead works correctly when dealing with large 1026 * records 1027 */ 1028 SSL_CTX_set_read_ahead(cctx, 1); 1029 } 1030 1031 if (!add_large_cert_chain(sctx)) 1032 goto end; 1033 1034 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1035 NULL, NULL)) 1036 || !TEST_true(create_ssl_connection(serverssl, clientssl, 1037 SSL_ERROR_NONE))) 1038 goto end; 1039 1040 /* 1041 * Calling SSL_clear() first is not required but this tests that SSL_clear() 1042 * doesn't leak. 1043 */ 1044 if (!TEST_true(SSL_clear(serverssl))) 1045 goto end; 1046 1047 testresult = 1; 1048 end: 1049 SSL_free(serverssl); 1050 SSL_free(clientssl); 1051 SSL_CTX_free(sctx); 1052 SSL_CTX_free(cctx); 1053 1054 return testresult; 1055 } 1056 1057 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ 1058 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) 1059 /* sock must be connected */ 1060 static int ktls_chk_platform(int sock) 1061 { 1062 if (!ktls_enable(sock)) 1063 return 0; 1064 return 1; 1065 } 1066 1067 static int ping_pong_query(SSL *clientssl, SSL *serverssl) 1068 { 1069 static char count = 1; 1070 unsigned char cbuf[16000] = {0}; 1071 unsigned char sbuf[16000]; 1072 size_t err = 0; 1073 char crec_wseq_before[SEQ_NUM_SIZE]; 1074 char crec_wseq_after[SEQ_NUM_SIZE]; 1075 char crec_rseq_before[SEQ_NUM_SIZE]; 1076 char crec_rseq_after[SEQ_NUM_SIZE]; 1077 char srec_wseq_before[SEQ_NUM_SIZE]; 1078 char srec_wseq_after[SEQ_NUM_SIZE]; 1079 char srec_rseq_before[SEQ_NUM_SIZE]; 1080 char srec_rseq_after[SEQ_NUM_SIZE]; 1081 1082 cbuf[0] = count++; 1083 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1084 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1085 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1086 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1087 1088 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf))) 1089 goto end; 1090 1091 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) { 1092 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) { 1093 goto end; 1094 } 1095 } 1096 1097 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf))) 1098 goto end; 1099 1100 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) { 1101 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) { 1102 goto end; 1103 } 1104 } 1105 1106 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1107 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1108 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); 1109 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); 1110 1111 /* verify the payload */ 1112 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) 1113 goto end; 1114 1115 /* 1116 * If ktls is used then kernel sequences are used instead of 1117 * OpenSSL sequences 1118 */ 1119 if (!BIO_get_ktls_send(clientssl->wbio)) { 1120 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE, 1121 crec_wseq_after, SEQ_NUM_SIZE)) 1122 goto end; 1123 } else { 1124 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE, 1125 crec_wseq_after, SEQ_NUM_SIZE)) 1126 goto end; 1127 } 1128 1129 if (!BIO_get_ktls_send(serverssl->wbio)) { 1130 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE, 1131 srec_wseq_after, SEQ_NUM_SIZE)) 1132 goto end; 1133 } else { 1134 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE, 1135 srec_wseq_after, SEQ_NUM_SIZE)) 1136 goto end; 1137 } 1138 1139 if (!BIO_get_ktls_recv(clientssl->wbio)) { 1140 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE, 1141 crec_rseq_after, SEQ_NUM_SIZE)) 1142 goto end; 1143 } else { 1144 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE, 1145 crec_rseq_after, SEQ_NUM_SIZE)) 1146 goto end; 1147 } 1148 1149 if (!BIO_get_ktls_recv(serverssl->wbio)) { 1150 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE, 1151 srec_rseq_after, SEQ_NUM_SIZE)) 1152 goto end; 1153 } else { 1154 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE, 1155 srec_rseq_after, SEQ_NUM_SIZE)) 1156 goto end; 1157 } 1158 1159 return 1; 1160 end: 1161 return 0; 1162 } 1163 1164 static int execute_test_ktls(int cis_ktls, int sis_ktls, 1165 int tls_version, const char *cipher) 1166 { 1167 SSL_CTX *cctx = NULL, *sctx = NULL; 1168 SSL *clientssl = NULL, *serverssl = NULL; 1169 int ktls_used = 0, testresult = 0; 1170 int cfd = -1, sfd = -1; 1171 int rx_supported; 1172 1173 if (!TEST_true(create_test_sockets(&cfd, &sfd))) 1174 goto end; 1175 1176 /* Skip this test if the platform does not support ktls */ 1177 if (!ktls_chk_platform(cfd)) { 1178 testresult = TEST_skip("Kernel does not support KTLS"); 1179 goto end; 1180 } 1181 1182 if (is_fips && strstr(cipher, "CHACHA") != NULL) { 1183 testresult = TEST_skip("CHACHA is not supported in FIPS"); 1184 goto end; 1185 } 1186 1187 /* Create a session based on SHA-256 */ 1188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 1189 TLS_client_method(), 1190 tls_version, tls_version, 1191 &sctx, &cctx, cert, privkey))) 1192 goto end; 1193 1194 if (tls_version == TLS1_3_VERSION) { 1195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) 1196 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) 1197 goto end; 1198 } else { 1199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) 1200 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) 1201 goto end; 1202 } 1203 1204 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, 1205 &clientssl, sfd, cfd))) 1206 goto end; 1207 1208 if (cis_ktls) { 1209 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS))) 1210 goto end; 1211 } 1212 1213 if (sis_ktls) { 1214 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) 1215 goto end; 1216 } 1217 1218 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 1219 goto end; 1220 1221 /* 1222 * The running kernel may not support a given cipher suite 1223 * or direction, so just check that KTLS isn't used when it 1224 * isn't enabled. 1225 */ 1226 if (!cis_ktls) { 1227 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio))) 1228 goto end; 1229 } else { 1230 if (BIO_get_ktls_send(clientssl->wbio)) 1231 ktls_used = 1; 1232 } 1233 1234 if (!sis_ktls) { 1235 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio))) 1236 goto end; 1237 } else { 1238 if (BIO_get_ktls_send(serverssl->wbio)) 1239 ktls_used = 1; 1240 } 1241 1242 #if defined(OPENSSL_NO_KTLS_RX) 1243 rx_supported = 0; 1244 #else 1245 rx_supported = (tls_version != TLS1_3_VERSION); 1246 #endif 1247 if (!cis_ktls || !rx_supported) { 1248 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) 1249 goto end; 1250 } else { 1251 if (BIO_get_ktls_send(clientssl->rbio)) 1252 ktls_used = 1; 1253 } 1254 1255 if (!sis_ktls || !rx_supported) { 1256 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio))) 1257 goto end; 1258 } else { 1259 if (BIO_get_ktls_send(serverssl->rbio)) 1260 ktls_used = 1; 1261 } 1262 1263 if ((cis_ktls || sis_ktls) && !ktls_used) { 1264 testresult = TEST_skip("KTLS not supported for %s cipher %s", 1265 tls_version == TLS1_3_VERSION ? "TLS 1.3" : 1266 "TLS 1.2", cipher); 1267 goto end; 1268 } 1269 1270 if (!TEST_true(ping_pong_query(clientssl, serverssl))) 1271 goto end; 1272 1273 testresult = 1; 1274 end: 1275 if (clientssl) { 1276 SSL_shutdown(clientssl); 1277 SSL_free(clientssl); 1278 } 1279 if (serverssl) { 1280 SSL_shutdown(serverssl); 1281 SSL_free(serverssl); 1282 } 1283 SSL_CTX_free(sctx); 1284 SSL_CTX_free(cctx); 1285 serverssl = clientssl = NULL; 1286 if (cfd != -1) 1287 close(cfd); 1288 if (sfd != -1) 1289 close(sfd); 1290 return testresult; 1291 } 1292 1293 #define SENDFILE_SZ (16 * 4096) 1294 #define SENDFILE_CHUNK (4 * 4096) 1295 #define min(a,b) ((a) > (b) ? (b) : (a)) 1296 1297 static int execute_test_ktls_sendfile(int tls_version, const char *cipher) 1298 { 1299 SSL_CTX *cctx = NULL, *sctx = NULL; 1300 SSL *clientssl = NULL, *serverssl = NULL; 1301 unsigned char *buf, *buf_dst; 1302 BIO *out = NULL, *in = NULL; 1303 int cfd = -1, sfd = -1, ffd, err; 1304 ssize_t chunk_size = 0; 1305 off_t chunk_off = 0; 1306 int testresult = 0; 1307 FILE *ffdp; 1308 1309 buf = OPENSSL_zalloc(SENDFILE_SZ); 1310 buf_dst = OPENSSL_zalloc(SENDFILE_SZ); 1311 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst) 1312 || !TEST_true(create_test_sockets(&cfd, &sfd))) 1313 goto end; 1314 1315 /* Skip this test if the platform does not support ktls */ 1316 if (!ktls_chk_platform(sfd)) { 1317 testresult = TEST_skip("Kernel does not support KTLS"); 1318 goto end; 1319 } 1320 1321 if (is_fips && strstr(cipher, "CHACHA") != NULL) { 1322 testresult = TEST_skip("CHACHA is not supported in FIPS"); 1323 goto end; 1324 } 1325 1326 /* Create a session based on SHA-256 */ 1327 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 1328 TLS_client_method(), 1329 tls_version, tls_version, 1330 &sctx, &cctx, cert, privkey))) 1331 goto end; 1332 1333 if (tls_version == TLS1_3_VERSION) { 1334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) 1335 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) 1336 goto end; 1337 } else { 1338 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) 1339 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) 1340 goto end; 1341 } 1342 1343 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, 1344 &clientssl, sfd, cfd))) 1345 goto end; 1346 1347 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) 1348 goto end; 1349 1350 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1351 SSL_ERROR_NONE))) 1352 goto end; 1353 1354 if (!BIO_get_ktls_send(serverssl->wbio)) { 1355 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s", 1356 tls_version == TLS1_3_VERSION ? "TLS 1.3" : 1357 "TLS 1.2", cipher); 1358 goto end; 1359 } 1360 1361 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0)) 1362 goto end; 1363 1364 out = BIO_new_file(tmpfilename, "wb"); 1365 if (!TEST_ptr(out)) 1366 goto end; 1367 1368 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ) 1369 goto end; 1370 1371 BIO_free(out); 1372 out = NULL; 1373 in = BIO_new_file(tmpfilename, "rb"); 1374 BIO_get_fp(in, &ffdp); 1375 ffd = fileno(ffdp); 1376 1377 while (chunk_off < SENDFILE_SZ) { 1378 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off); 1379 while ((err = SSL_sendfile(serverssl, 1380 ffd, 1381 chunk_off, 1382 chunk_size, 1383 0)) != chunk_size) { 1384 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE) 1385 goto end; 1386 } 1387 while ((err = SSL_read(clientssl, 1388 buf_dst + chunk_off, 1389 chunk_size)) != chunk_size) { 1390 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) 1391 goto end; 1392 } 1393 1394 /* verify the payload */ 1395 if (!TEST_mem_eq(buf_dst + chunk_off, 1396 chunk_size, 1397 buf + chunk_off, 1398 chunk_size)) 1399 goto end; 1400 1401 chunk_off += chunk_size; 1402 } 1403 1404 testresult = 1; 1405 end: 1406 if (clientssl) { 1407 SSL_shutdown(clientssl); 1408 SSL_free(clientssl); 1409 } 1410 if (serverssl) { 1411 SSL_shutdown(serverssl); 1412 SSL_free(serverssl); 1413 } 1414 SSL_CTX_free(sctx); 1415 SSL_CTX_free(cctx); 1416 serverssl = clientssl = NULL; 1417 BIO_free(out); 1418 BIO_free(in); 1419 if (cfd != -1) 1420 close(cfd); 1421 if (sfd != -1) 1422 close(sfd); 1423 OPENSSL_free(buf); 1424 OPENSSL_free(buf_dst); 1425 return testresult; 1426 } 1427 1428 static struct ktls_test_cipher { 1429 int tls_version; 1430 const char *cipher; 1431 } ktls_test_ciphers[] = { 1432 # if !defined(OPENSSL_NO_TLS1_2) 1433 # ifdef OPENSSL_KTLS_AES_GCM_128 1434 { TLS1_2_VERSION, "AES128-GCM-SHA256" }, 1435 # endif 1436 # ifdef OPENSSL_KTLS_AES_CCM_128 1437 { TLS1_2_VERSION, "AES128-CCM"}, 1438 # endif 1439 # ifdef OPENSSL_KTLS_AES_GCM_256 1440 { TLS1_2_VERSION, "AES256-GCM-SHA384"}, 1441 # endif 1442 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 1443 # ifndef OPENSSL_NO_EC 1444 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"}, 1445 # endif 1446 # endif 1447 # endif 1448 # if !defined(OSSL_NO_USABLE_TLS1_3) 1449 # ifdef OPENSSL_KTLS_AES_GCM_128 1450 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" }, 1451 # endif 1452 # ifdef OPENSSL_KTLS_AES_CCM_128 1453 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" }, 1454 # endif 1455 # ifdef OPENSSL_KTLS_AES_GCM_256 1456 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" }, 1457 # endif 1458 # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 1459 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" }, 1460 # endif 1461 # endif 1462 }; 1463 1464 #define NUM_KTLS_TEST_CIPHERS \ 1465 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0])) 1466 1467 static int test_ktls(int test) 1468 { 1469 struct ktls_test_cipher *cipher; 1470 int cis_ktls, sis_ktls; 1471 1472 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS); 1473 cipher = &ktls_test_ciphers[test / 4]; 1474 1475 cis_ktls = (test & 1) != 0; 1476 sis_ktls = (test & 2) != 0; 1477 1478 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version, 1479 cipher->cipher); 1480 } 1481 1482 static int test_ktls_sendfile(int tst) 1483 { 1484 struct ktls_test_cipher *cipher; 1485 1486 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS); 1487 cipher = &ktls_test_ciphers[tst]; 1488 1489 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher); 1490 } 1491 #endif 1492 1493 static int test_large_message_tls(void) 1494 { 1495 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 1496 TLS1_VERSION, 0, 0); 1497 } 1498 1499 static int test_large_message_tls_read_ahead(void) 1500 { 1501 return execute_test_large_message(TLS_server_method(), TLS_client_method(), 1502 TLS1_VERSION, 0, 1); 1503 } 1504 1505 #ifndef OPENSSL_NO_DTLS 1506 static int test_large_message_dtls(void) 1507 { 1508 # ifdef OPENSSL_NO_DTLS1_2 1509 /* Not supported in the FIPS provider */ 1510 if (is_fips) 1511 return 1; 1512 # endif 1513 /* 1514 * read_ahead is not relevant to DTLS because DTLS always acts as if 1515 * read_ahead is set. 1516 */ 1517 return execute_test_large_message(DTLS_server_method(), 1518 DTLS_client_method(), 1519 DTLS1_VERSION, 0, 0); 1520 } 1521 #endif 1522 1523 /* 1524 * Test we can successfully send the maximum amount of application data. We 1525 * test each protocol version individually, each with and without EtM enabled. 1526 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is 1527 * simpler this way. We also test all combinations with and without the 1528 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the 1529 * underlying buffer. 1530 */ 1531 static int test_large_app_data(int tst) 1532 { 1533 SSL_CTX *cctx = NULL, *sctx = NULL; 1534 SSL *clientssl = NULL, *serverssl = NULL; 1535 int testresult = 0, prot; 1536 unsigned char *msg, *buf = NULL; 1537 size_t written, readbytes; 1538 const SSL_METHOD *smeth = TLS_server_method(); 1539 const SSL_METHOD *cmeth = TLS_client_method(); 1540 1541 switch (tst >> 2) { 1542 case 0: 1543 #ifndef OSSL_NO_USABLE_TLS1_3 1544 prot = TLS1_3_VERSION; 1545 break; 1546 #else 1547 return 1; 1548 #endif 1549 1550 case 1: 1551 #ifndef OPENSSL_NO_TLS1_2 1552 prot = TLS1_2_VERSION; 1553 break; 1554 #else 1555 return 1; 1556 #endif 1557 1558 case 2: 1559 #ifndef OPENSSL_NO_TLS1_1 1560 prot = TLS1_1_VERSION; 1561 break; 1562 #else 1563 return 1; 1564 #endif 1565 1566 case 3: 1567 #ifndef OPENSSL_NO_TLS1 1568 prot = TLS1_VERSION; 1569 break; 1570 #else 1571 return 1; 1572 #endif 1573 1574 case 4: 1575 #ifndef OPENSSL_NO_SSL3 1576 prot = SSL3_VERSION; 1577 break; 1578 #else 1579 return 1; 1580 #endif 1581 1582 case 5: 1583 #ifndef OPENSSL_NO_DTLS1_2 1584 prot = DTLS1_2_VERSION; 1585 smeth = DTLS_server_method(); 1586 cmeth = DTLS_client_method(); 1587 break; 1588 #else 1589 return 1; 1590 #endif 1591 1592 case 6: 1593 #ifndef OPENSSL_NO_DTLS1 1594 prot = DTLS1_VERSION; 1595 smeth = DTLS_server_method(); 1596 cmeth = DTLS_client_method(); 1597 break; 1598 #else 1599 return 1; 1600 #endif 1601 1602 default: 1603 /* Shouldn't happen */ 1604 return 0; 1605 } 1606 1607 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips) 1608 return 1; 1609 1610 /* Maximal sized message of zeros */ 1611 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH); 1612 if (!TEST_ptr(msg)) 1613 goto end; 1614 1615 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1); 1616 if (!TEST_ptr(buf)) 1617 goto end; 1618 /* Set whole buffer to all bits set */ 1619 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1); 1620 1621 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot, 1622 &sctx, &cctx, cert, privkey))) 1623 goto end; 1624 1625 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) { 1626 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */ 1627 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")) 1628 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 1629 "DEFAULT:@SECLEVEL=0"))) 1630 goto end; 1631 } 1632 1633 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1634 &clientssl, NULL, NULL))) 1635 goto end; 1636 1637 if ((tst & 1) != 0) { 1638 /* Setting this option gives us a minimally sized underlying buffer */ 1639 if (!TEST_true(SSL_set_options(serverssl, 1640 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 1641 || !TEST_true(SSL_set_options(clientssl, 1642 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))) 1643 goto end; 1644 } 1645 1646 if ((tst & 2) != 0) { 1647 /* 1648 * Setting this option means the MAC is added before encryption 1649 * giving us a larger record for the encryption process 1650 */ 1651 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)) 1652 || !TEST_true(SSL_set_options(clientssl, 1653 SSL_OP_NO_ENCRYPT_THEN_MAC))) 1654 goto end; 1655 } 1656 1657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 1658 goto end; 1659 1660 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH, 1661 &written)) 1662 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH)) 1663 goto end; 1664 1665 /* We provide a buffer slightly larger than what we are actually expecting */ 1666 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1, 1667 &readbytes))) 1668 goto end; 1669 1670 if (!TEST_mem_eq(msg, written, buf, readbytes)) 1671 goto end; 1672 1673 testresult = 1; 1674 end: 1675 OPENSSL_free(msg); 1676 OPENSSL_free(buf); 1677 SSL_free(serverssl); 1678 SSL_free(clientssl); 1679 SSL_CTX_free(sctx); 1680 SSL_CTX_free(cctx); 1681 return testresult; 1682 } 1683 1684 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \ 1685 || !defined(OPENSSL_NO_DTLS) 1686 static int execute_cleanse_plaintext(const SSL_METHOD *smeth, 1687 const SSL_METHOD *cmeth, 1688 int min_version, int max_version) 1689 { 1690 size_t i; 1691 SSL_CTX *cctx = NULL, *sctx = NULL; 1692 SSL *clientssl = NULL, *serverssl = NULL; 1693 int testresult = 0; 1694 SSL3_RECORD *rr; 1695 void *zbuf; 1696 1697 static unsigned char cbuf[16000]; 1698 static unsigned char sbuf[16000]; 1699 1700 if (!TEST_true(create_ssl_ctx_pair(libctx, 1701 smeth, cmeth, 1702 min_version, max_version, 1703 &sctx, &cctx, cert, 1704 privkey))) 1705 goto end; 1706 1707 # ifdef OPENSSL_NO_DTLS1_2 1708 if (smeth == DTLS_server_method()) { 1709 /* Not supported in the FIPS provider */ 1710 if (is_fips) { 1711 testresult = 1; 1712 goto end; 1713 }; 1714 /* 1715 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 1716 * level 0 1717 */ 1718 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 1719 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 1720 "DEFAULT:@SECLEVEL=0"))) 1721 goto end; 1722 } 1723 # endif 1724 1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 1726 NULL, NULL))) 1727 goto end; 1728 1729 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT))) 1730 goto end; 1731 1732 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1733 SSL_ERROR_NONE))) 1734 goto end; 1735 1736 for (i = 0; i < sizeof(cbuf); i++) { 1737 cbuf[i] = i & 0xff; 1738 } 1739 1740 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf))) 1741 goto end; 1742 1743 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))) 1744 goto end; 1745 1746 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) 1747 goto end; 1748 1749 /* 1750 * Since we called SSL_peek(), we know the data in the record 1751 * layer is a plaintext record. We can gather the pointer to check 1752 * for zeroization after SSL_read(). 1753 */ 1754 rr = serverssl->rlayer.rrec; 1755 zbuf = &rr->data[rr->off]; 1756 if (!TEST_int_eq(rr->length, sizeof(cbuf))) 1757 goto end; 1758 1759 /* 1760 * After SSL_peek() the plaintext must still be stored in the 1761 * record. 1762 */ 1763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf))) 1764 goto end; 1765 1766 memset(sbuf, 0, sizeof(sbuf)); 1767 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf))) 1768 goto end; 1769 1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf))) 1771 goto end; 1772 1773 /* Check if rbuf is cleansed */ 1774 memset(cbuf, 0, sizeof(cbuf)); 1775 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf))) 1776 goto end; 1777 1778 testresult = 1; 1779 end: 1780 SSL_free(serverssl); 1781 SSL_free(clientssl); 1782 SSL_CTX_free(sctx); 1783 SSL_CTX_free(cctx); 1784 1785 return testresult; 1786 } 1787 #endif /* 1788 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 1789 * || !defined(OPENSSL_NO_DTLS) 1790 */ 1791 1792 static int test_cleanse_plaintext(void) 1793 { 1794 #if !defined(OPENSSL_NO_TLS1_2) 1795 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), 1796 TLS_client_method(), 1797 TLS1_2_VERSION, 1798 TLS1_2_VERSION))) 1799 return 0; 1800 1801 #endif 1802 1803 #if !defined(OSSL_NO_USABLE_TLS1_3) 1804 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), 1805 TLS_client_method(), 1806 TLS1_3_VERSION, 1807 TLS1_3_VERSION))) 1808 return 0; 1809 #endif 1810 1811 #if !defined(OPENSSL_NO_DTLS) 1812 1813 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(), 1814 DTLS_client_method(), 1815 DTLS1_VERSION, 1816 0))) 1817 return 0; 1818 #endif 1819 return 1; 1820 } 1821 1822 #ifndef OPENSSL_NO_OCSP 1823 static int ocsp_server_cb(SSL *s, void *arg) 1824 { 1825 int *argi = (int *)arg; 1826 unsigned char *copy = NULL; 1827 STACK_OF(OCSP_RESPID) *ids = NULL; 1828 OCSP_RESPID *id = NULL; 1829 1830 if (*argi == 2) { 1831 /* In this test we are expecting exactly 1 OCSP_RESPID */ 1832 SSL_get_tlsext_status_ids(s, &ids); 1833 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1) 1834 return SSL_TLSEXT_ERR_ALERT_FATAL; 1835 1836 id = sk_OCSP_RESPID_value(ids, 0); 1837 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL)) 1838 return SSL_TLSEXT_ERR_ALERT_FATAL; 1839 } else if (*argi != 1) { 1840 return SSL_TLSEXT_ERR_ALERT_FATAL; 1841 } 1842 1843 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder)))) 1844 return SSL_TLSEXT_ERR_ALERT_FATAL; 1845 1846 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy, 1847 sizeof(orespder)))) { 1848 OPENSSL_free(copy); 1849 return SSL_TLSEXT_ERR_ALERT_FATAL; 1850 } 1851 ocsp_server_called = 1; 1852 return SSL_TLSEXT_ERR_OK; 1853 } 1854 1855 static int ocsp_client_cb(SSL *s, void *arg) 1856 { 1857 int *argi = (int *)arg; 1858 const unsigned char *respderin; 1859 size_t len; 1860 1861 if (*argi != 1 && *argi != 2) 1862 return 0; 1863 1864 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin); 1865 if (!TEST_mem_eq(orespder, len, respderin, len)) 1866 return 0; 1867 1868 ocsp_client_called = 1; 1869 return 1; 1870 } 1871 1872 static int test_tlsext_status_type(void) 1873 { 1874 SSL_CTX *cctx = NULL, *sctx = NULL; 1875 SSL *clientssl = NULL, *serverssl = NULL; 1876 int testresult = 0; 1877 STACK_OF(OCSP_RESPID) *ids = NULL; 1878 OCSP_RESPID *id = NULL; 1879 BIO *certbio = NULL; 1880 1881 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 1882 TLS1_VERSION, 0, 1883 &sctx, &cctx, cert, privkey)) 1884 return 0; 1885 1886 if (SSL_CTX_get_tlsext_status_type(cctx) != -1) 1887 goto end; 1888 1889 /* First just do various checks getting and setting tlsext_status_type */ 1890 1891 clientssl = SSL_new(cctx); 1892 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1) 1893 || !TEST_true(SSL_set_tlsext_status_type(clientssl, 1894 TLSEXT_STATUSTYPE_ocsp)) 1895 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl), 1896 TLSEXT_STATUSTYPE_ocsp)) 1897 goto end; 1898 1899 SSL_free(clientssl); 1900 clientssl = NULL; 1901 1902 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp) 1903 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) 1904 goto end; 1905 1906 clientssl = SSL_new(cctx); 1907 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) 1908 goto end; 1909 SSL_free(clientssl); 1910 clientssl = NULL; 1911 1912 /* 1913 * Now actually do a handshake and check OCSP information is exchanged and 1914 * the callbacks get called 1915 */ 1916 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); 1917 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); 1918 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); 1919 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); 1920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1921 &clientssl, NULL, NULL)) 1922 || !TEST_true(create_ssl_connection(serverssl, clientssl, 1923 SSL_ERROR_NONE)) 1924 || !TEST_true(ocsp_client_called) 1925 || !TEST_true(ocsp_server_called)) 1926 goto end; 1927 SSL_free(serverssl); 1928 SSL_free(clientssl); 1929 serverssl = NULL; 1930 clientssl = NULL; 1931 1932 /* Try again but this time force the server side callback to fail */ 1933 ocsp_client_called = 0; 1934 ocsp_server_called = 0; 1935 cdummyarg = 0; 1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1937 &clientssl, NULL, NULL)) 1938 /* This should fail because the callback will fail */ 1939 || !TEST_false(create_ssl_connection(serverssl, clientssl, 1940 SSL_ERROR_NONE)) 1941 || !TEST_false(ocsp_client_called) 1942 || !TEST_false(ocsp_server_called)) 1943 goto end; 1944 SSL_free(serverssl); 1945 SSL_free(clientssl); 1946 serverssl = NULL; 1947 clientssl = NULL; 1948 1949 /* 1950 * This time we'll get the client to send an OCSP_RESPID that it will 1951 * accept. 1952 */ 1953 ocsp_client_called = 0; 1954 ocsp_server_called = 0; 1955 cdummyarg = 2; 1956 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 1957 &clientssl, NULL, NULL))) 1958 goto end; 1959 1960 /* 1961 * We'll just use any old cert for this test - it doesn't have to be an OCSP 1962 * specific one. We'll use the server cert. 1963 */ 1964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")) 1965 || !TEST_ptr(id = OCSP_RESPID_new()) 1966 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) 1967 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL)) 1968 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL)) 1969 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL)) 1970 || !TEST_true(sk_OCSP_RESPID_push(ids, id))) 1971 goto end; 1972 id = NULL; 1973 SSL_set_tlsext_status_ids(clientssl, ids); 1974 /* Control has been transferred */ 1975 ids = NULL; 1976 1977 BIO_free(certbio); 1978 certbio = NULL; 1979 1980 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 1981 SSL_ERROR_NONE)) 1982 || !TEST_true(ocsp_client_called) 1983 || !TEST_true(ocsp_server_called)) 1984 goto end; 1985 1986 testresult = 1; 1987 1988 end: 1989 SSL_free(serverssl); 1990 SSL_free(clientssl); 1991 SSL_CTX_free(sctx); 1992 SSL_CTX_free(cctx); 1993 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); 1994 OCSP_RESPID_free(id); 1995 BIO_free(certbio); 1996 X509_free(ocspcert); 1997 ocspcert = NULL; 1998 1999 return testresult; 2000 } 2001 #endif 2002 2003 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 2004 static int new_called, remove_called, get_called; 2005 2006 static int new_session_cb(SSL *ssl, SSL_SESSION *sess) 2007 { 2008 new_called++; 2009 /* 2010 * sess has been up-refed for us, but we don't actually need it so free it 2011 * immediately. 2012 */ 2013 SSL_SESSION_free(sess); 2014 return 1; 2015 } 2016 2017 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 2018 { 2019 remove_called++; 2020 } 2021 2022 static SSL_SESSION *get_sess_val = NULL; 2023 2024 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len, 2025 int *copy) 2026 { 2027 get_called++; 2028 *copy = 1; 2029 return get_sess_val; 2030 } 2031 2032 static int execute_test_session(int maxprot, int use_int_cache, 2033 int use_ext_cache, long s_options) 2034 { 2035 SSL_CTX *sctx = NULL, *cctx = NULL; 2036 SSL *serverssl1 = NULL, *clientssl1 = NULL; 2037 SSL *serverssl2 = NULL, *clientssl2 = NULL; 2038 # ifndef OPENSSL_NO_TLS1_1 2039 SSL *serverssl3 = NULL, *clientssl3 = NULL; 2040 # endif 2041 SSL_SESSION *sess1 = NULL, *sess2 = NULL; 2042 int testresult = 0, numnewsesstick = 1; 2043 2044 new_called = remove_called = 0; 2045 2046 /* TLSv1.3 sends 2 NewSessionTickets */ 2047 if (maxprot == TLS1_3_VERSION) 2048 numnewsesstick = 2; 2049 2050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2051 TLS_client_method(), TLS1_VERSION, 0, 2052 &sctx, &cctx, cert, privkey))) 2053 return 0; 2054 2055 /* 2056 * Only allow the max protocol version so we can force a connection failure 2057 * later 2058 */ 2059 SSL_CTX_set_min_proto_version(cctx, maxprot); 2060 SSL_CTX_set_max_proto_version(cctx, maxprot); 2061 2062 /* Set up session cache */ 2063 if (use_ext_cache) { 2064 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2065 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb); 2066 } 2067 if (use_int_cache) { 2068 /* Also covers instance where both are set */ 2069 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT); 2070 } else { 2071 SSL_CTX_set_session_cache_mode(cctx, 2072 SSL_SESS_CACHE_CLIENT 2073 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2074 } 2075 2076 if (s_options) { 2077 SSL_CTX_set_options(sctx, s_options); 2078 } 2079 2080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 2081 NULL, NULL)) 2082 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 2083 SSL_ERROR_NONE)) 2084 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))) 2085 goto end; 2086 2087 /* Should fail because it should already be in the cache */ 2088 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1))) 2089 goto end; 2090 if (use_ext_cache 2091 && (!TEST_int_eq(new_called, numnewsesstick) 2092 2093 || !TEST_int_eq(remove_called, 0))) 2094 goto end; 2095 2096 new_called = remove_called = 0; 2097 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2098 &clientssl2, NULL, NULL)) 2099 || !TEST_true(SSL_set_session(clientssl2, sess1)) 2100 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2101 SSL_ERROR_NONE)) 2102 || !TEST_true(SSL_session_reused(clientssl2))) 2103 goto end; 2104 2105 if (maxprot == TLS1_3_VERSION) { 2106 /* 2107 * In TLSv1.3 we should have created a new session even though we have 2108 * resumed. Since we attempted a resume we should also have removed the 2109 * old ticket from the cache so that we try to only use tickets once. 2110 */ 2111 if (use_ext_cache 2112 && (!TEST_int_eq(new_called, 1) 2113 || !TEST_int_eq(remove_called, 1))) 2114 goto end; 2115 } else { 2116 /* 2117 * In TLSv1.2 we expect to have resumed so no sessions added or 2118 * removed. 2119 */ 2120 if (use_ext_cache 2121 && (!TEST_int_eq(new_called, 0) 2122 || !TEST_int_eq(remove_called, 0))) 2123 goto end; 2124 } 2125 2126 SSL_SESSION_free(sess1); 2127 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2))) 2128 goto end; 2129 shutdown_ssl_connection(serverssl2, clientssl2); 2130 serverssl2 = clientssl2 = NULL; 2131 2132 new_called = remove_called = 0; 2133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2134 &clientssl2, NULL, NULL)) 2135 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2136 SSL_ERROR_NONE))) 2137 goto end; 2138 2139 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) 2140 goto end; 2141 2142 if (use_ext_cache 2143 && (!TEST_int_eq(new_called, numnewsesstick) 2144 || !TEST_int_eq(remove_called, 0))) 2145 goto end; 2146 2147 new_called = remove_called = 0; 2148 /* 2149 * This should clear sess2 from the cache because it is a "bad" session. 2150 * See SSL_set_session() documentation. 2151 */ 2152 if (!TEST_true(SSL_set_session(clientssl2, sess1))) 2153 goto end; 2154 if (use_ext_cache 2155 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2156 goto end; 2157 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) 2158 goto end; 2159 2160 if (use_int_cache) { 2161 /* Should succeeded because it should not already be in the cache */ 2162 if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) 2163 || !TEST_true(SSL_CTX_remove_session(cctx, sess2))) 2164 goto end; 2165 } 2166 2167 new_called = remove_called = 0; 2168 /* This shouldn't be in the cache so should fail */ 2169 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) 2170 goto end; 2171 2172 if (use_ext_cache 2173 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2174 goto end; 2175 2176 # if !defined(OPENSSL_NO_TLS1_1) 2177 new_called = remove_called = 0; 2178 /* Force a connection failure */ 2179 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); 2180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, 2181 &clientssl3, NULL, NULL)) 2182 || !TEST_true(SSL_set_session(clientssl3, sess1)) 2183 /* This should fail because of the mismatched protocol versions */ 2184 || !TEST_false(create_ssl_connection(serverssl3, clientssl3, 2185 SSL_ERROR_NONE))) 2186 goto end; 2187 2188 /* We should have automatically removed the session from the cache */ 2189 if (use_ext_cache 2190 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1))) 2191 goto end; 2192 2193 /* Should succeed because it should not already be in the cache */ 2194 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2))) 2195 goto end; 2196 # endif 2197 2198 /* Now do some tests for server side caching */ 2199 if (use_ext_cache) { 2200 SSL_CTX_sess_set_new_cb(cctx, NULL); 2201 SSL_CTX_sess_set_remove_cb(cctx, NULL); 2202 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 2203 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb); 2204 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 2205 get_sess_val = NULL; 2206 } 2207 2208 SSL_CTX_set_session_cache_mode(cctx, 0); 2209 /* Internal caching is the default on the server side */ 2210 if (!use_int_cache) 2211 SSL_CTX_set_session_cache_mode(sctx, 2212 SSL_SESS_CACHE_SERVER 2213 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2214 2215 SSL_free(serverssl1); 2216 SSL_free(clientssl1); 2217 serverssl1 = clientssl1 = NULL; 2218 SSL_free(serverssl2); 2219 SSL_free(clientssl2); 2220 serverssl2 = clientssl2 = NULL; 2221 SSL_SESSION_free(sess1); 2222 sess1 = NULL; 2223 SSL_SESSION_free(sess2); 2224 sess2 = NULL; 2225 2226 SSL_CTX_set_max_proto_version(sctx, maxprot); 2227 if (maxprot == TLS1_2_VERSION) 2228 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 2229 new_called = remove_called = get_called = 0; 2230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, 2231 NULL, NULL)) 2232 || !TEST_true(create_ssl_connection(serverssl1, clientssl1, 2233 SSL_ERROR_NONE)) 2234 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)) 2235 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1))) 2236 goto end; 2237 2238 if (use_int_cache) { 2239 if (maxprot == TLS1_3_VERSION && !use_ext_cache) { 2240 /* 2241 * In TLSv1.3 it should not have been added to the internal cache, 2242 * except in the case where we also have an external cache (in that 2243 * case it gets added to the cache in order to generate remove 2244 * events after timeout). 2245 */ 2246 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2))) 2247 goto end; 2248 } else { 2249 /* Should fail because it should already be in the cache */ 2250 if (!TEST_false(SSL_CTX_add_session(sctx, sess2))) 2251 goto end; 2252 } 2253 } 2254 2255 if (use_ext_cache) { 2256 SSL_SESSION *tmp = sess2; 2257 2258 if (!TEST_int_eq(new_called, numnewsesstick) 2259 || !TEST_int_eq(remove_called, 0) 2260 || !TEST_int_eq(get_called, 0)) 2261 goto end; 2262 /* 2263 * Delete the session from the internal cache to force a lookup from 2264 * the external cache. We take a copy first because 2265 * SSL_CTX_remove_session() also marks the session as non-resumable. 2266 */ 2267 if (use_int_cache && maxprot != TLS1_3_VERSION) { 2268 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)) 2269 || !TEST_true(sess2->owner != NULL) 2270 || !TEST_true(tmp->owner == NULL) 2271 || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) 2272 goto end; 2273 SSL_SESSION_free(sess2); 2274 } 2275 sess2 = tmp; 2276 } 2277 2278 new_called = remove_called = get_called = 0; 2279 get_sess_val = sess2; 2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, 2281 &clientssl2, NULL, NULL)) 2282 || !TEST_true(SSL_set_session(clientssl2, sess1)) 2283 || !TEST_true(create_ssl_connection(serverssl2, clientssl2, 2284 SSL_ERROR_NONE)) 2285 || !TEST_true(SSL_session_reused(clientssl2))) 2286 goto end; 2287 2288 if (use_ext_cache) { 2289 if (!TEST_int_eq(remove_called, 0)) 2290 goto end; 2291 2292 if (maxprot == TLS1_3_VERSION) { 2293 if (!TEST_int_eq(new_called, 1) 2294 || !TEST_int_eq(get_called, 0)) 2295 goto end; 2296 } else { 2297 if (!TEST_int_eq(new_called, 0) 2298 || !TEST_int_eq(get_called, 1)) 2299 goto end; 2300 } 2301 } 2302 /* 2303 * Make a small cache, force out all other sessions but 2304 * sess2, try to add sess1, which should succeed. Then 2305 * make sure it's there by checking the owners. Despite 2306 * the timeouts, sess1 should have kicked out sess2 2307 */ 2308 2309 /* Make sess1 expire before sess2 */ 2310 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0) 2311 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0) 2312 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0) 2313 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0)) 2314 goto end; 2315 2316 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0)) 2317 goto end; 2318 2319 /* Don't care about results - cache should only be sess2 at end */ 2320 SSL_CTX_add_session(sctx, sess1); 2321 SSL_CTX_add_session(sctx, sess2); 2322 2323 /* Now add sess1, and make sure it remains, despite timeout */ 2324 if (!TEST_true(SSL_CTX_add_session(sctx, sess1)) 2325 || !TEST_ptr(sess1->owner) 2326 || !TEST_ptr_null(sess2->owner)) 2327 goto end; 2328 2329 testresult = 1; 2330 2331 end: 2332 SSL_free(serverssl1); 2333 SSL_free(clientssl1); 2334 SSL_free(serverssl2); 2335 SSL_free(clientssl2); 2336 # ifndef OPENSSL_NO_TLS1_1 2337 SSL_free(serverssl3); 2338 SSL_free(clientssl3); 2339 # endif 2340 SSL_SESSION_free(sess1); 2341 SSL_SESSION_free(sess2); 2342 SSL_CTX_free(sctx); 2343 SSL_CTX_free(cctx); 2344 2345 return testresult; 2346 } 2347 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 2348 2349 static int test_session_with_only_int_cache(void) 2350 { 2351 #ifndef OSSL_NO_USABLE_TLS1_3 2352 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0)) 2353 return 0; 2354 #endif 2355 2356 #ifndef OPENSSL_NO_TLS1_2 2357 return execute_test_session(TLS1_2_VERSION, 1, 0, 0); 2358 #else 2359 return 1; 2360 #endif 2361 } 2362 2363 static int test_session_with_only_ext_cache(void) 2364 { 2365 #ifndef OSSL_NO_USABLE_TLS1_3 2366 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0)) 2367 return 0; 2368 #endif 2369 2370 #ifndef OPENSSL_NO_TLS1_2 2371 return execute_test_session(TLS1_2_VERSION, 0, 1, 0); 2372 #else 2373 return 1; 2374 #endif 2375 } 2376 2377 static int test_session_with_both_cache(void) 2378 { 2379 #ifndef OSSL_NO_USABLE_TLS1_3 2380 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0)) 2381 return 0; 2382 #endif 2383 2384 #ifndef OPENSSL_NO_TLS1_2 2385 return execute_test_session(TLS1_2_VERSION, 1, 1, 0); 2386 #else 2387 return 1; 2388 #endif 2389 } 2390 2391 static int test_session_wo_ca_names(void) 2392 { 2393 #ifndef OSSL_NO_USABLE_TLS1_3 2394 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES)) 2395 return 0; 2396 #endif 2397 2398 #ifndef OPENSSL_NO_TLS1_2 2399 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES); 2400 #else 2401 return 1; 2402 #endif 2403 } 2404 2405 #ifndef OSSL_NO_USABLE_TLS1_3 2406 static SSL_SESSION *sesscache[6]; 2407 static int do_cache; 2408 2409 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess) 2410 { 2411 if (do_cache) { 2412 sesscache[new_called] = sess; 2413 } else { 2414 /* We don't need the reference to the session, so free it */ 2415 SSL_SESSION_free(sess); 2416 } 2417 new_called++; 2418 2419 return 1; 2420 } 2421 2422 static int post_handshake_verify(SSL *sssl, SSL *cssl) 2423 { 2424 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL); 2425 if (!TEST_true(SSL_verify_client_post_handshake(sssl))) 2426 return 0; 2427 2428 /* Start handshake on the server and client */ 2429 if (!TEST_int_eq(SSL_do_handshake(sssl), 1) 2430 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0) 2431 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0) 2432 || !TEST_true(create_ssl_connection(sssl, cssl, 2433 SSL_ERROR_NONE))) 2434 return 0; 2435 2436 return 1; 2437 } 2438 2439 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, 2440 SSL_CTX **cctx) 2441 { 2442 int sess_id_ctx = 1; 2443 2444 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2445 TLS_client_method(), TLS1_VERSION, 0, 2446 sctx, cctx, cert, privkey)) 2447 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) 2448 || !TEST_true(SSL_CTX_set_session_id_context(*sctx, 2449 (void *)&sess_id_ctx, 2450 sizeof(sess_id_ctx)))) 2451 return 0; 2452 2453 if (stateful) 2454 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET); 2455 2456 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT 2457 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2458 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb); 2459 2460 return 1; 2461 } 2462 2463 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ) 2464 { 2465 SSL *serverssl = NULL, *clientssl = NULL; 2466 int i; 2467 2468 /* Test that we can resume with all the tickets we got given */ 2469 for (i = 0; i < idx * 2; i++) { 2470 new_called = 0; 2471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2472 &clientssl, NULL, NULL)) 2473 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) 2474 goto end; 2475 2476 SSL_set_post_handshake_auth(clientssl, 1); 2477 2478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2479 SSL_ERROR_NONE))) 2480 goto end; 2481 2482 /* 2483 * Following a successful resumption we only get 1 ticket. After a 2484 * failed one we should get idx tickets. 2485 */ 2486 if (succ) { 2487 if (!TEST_true(SSL_session_reused(clientssl)) 2488 || !TEST_int_eq(new_called, 1)) 2489 goto end; 2490 } else { 2491 if (!TEST_false(SSL_session_reused(clientssl)) 2492 || !TEST_int_eq(new_called, idx)) 2493 goto end; 2494 } 2495 2496 new_called = 0; 2497 /* After a post-handshake authentication we should get 1 new ticket */ 2498 if (succ 2499 && (!post_handshake_verify(serverssl, clientssl) 2500 || !TEST_int_eq(new_called, 1))) 2501 goto end; 2502 2503 SSL_shutdown(clientssl); 2504 SSL_shutdown(serverssl); 2505 SSL_free(serverssl); 2506 SSL_free(clientssl); 2507 serverssl = clientssl = NULL; 2508 SSL_SESSION_free(sesscache[i]); 2509 sesscache[i] = NULL; 2510 } 2511 2512 return 1; 2513 2514 end: 2515 SSL_free(clientssl); 2516 SSL_free(serverssl); 2517 return 0; 2518 } 2519 2520 static int test_tickets(int stateful, int idx) 2521 { 2522 SSL_CTX *sctx = NULL, *cctx = NULL; 2523 SSL *serverssl = NULL, *clientssl = NULL; 2524 int testresult = 0; 2525 size_t j; 2526 2527 /* idx is the test number, but also the number of tickets we want */ 2528 2529 new_called = 0; 2530 do_cache = 1; 2531 2532 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2533 goto end; 2534 2535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2536 &clientssl, NULL, NULL))) 2537 goto end; 2538 2539 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2540 SSL_ERROR_NONE)) 2541 /* Check we got the number of tickets we were expecting */ 2542 || !TEST_int_eq(idx, new_called)) 2543 goto end; 2544 2545 SSL_shutdown(clientssl); 2546 SSL_shutdown(serverssl); 2547 SSL_free(serverssl); 2548 SSL_free(clientssl); 2549 SSL_CTX_free(sctx); 2550 SSL_CTX_free(cctx); 2551 clientssl = serverssl = NULL; 2552 sctx = cctx = NULL; 2553 2554 /* 2555 * Now we try to resume with the tickets we previously created. The 2556 * resumption attempt is expected to fail (because we're now using a new 2557 * SSL_CTX). We should see idx number of tickets issued again. 2558 */ 2559 2560 /* Stop caching sessions - just count them */ 2561 do_cache = 0; 2562 2563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2564 goto end; 2565 2566 if (!check_resumption(idx, sctx, cctx, 0)) 2567 goto end; 2568 2569 /* Start again with caching sessions */ 2570 new_called = 0; 2571 do_cache = 1; 2572 SSL_CTX_free(sctx); 2573 SSL_CTX_free(cctx); 2574 sctx = cctx = NULL; 2575 2576 if (!setup_ticket_test(stateful, idx, &sctx, &cctx)) 2577 goto end; 2578 2579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2580 &clientssl, NULL, NULL))) 2581 goto end; 2582 2583 SSL_set_post_handshake_auth(clientssl, 1); 2584 2585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2586 SSL_ERROR_NONE)) 2587 /* Check we got the number of tickets we were expecting */ 2588 || !TEST_int_eq(idx, new_called)) 2589 goto end; 2590 2591 /* After a post-handshake authentication we should get new tickets issued */ 2592 if (!post_handshake_verify(serverssl, clientssl) 2593 || !TEST_int_eq(idx * 2, new_called)) 2594 goto end; 2595 2596 SSL_shutdown(clientssl); 2597 SSL_shutdown(serverssl); 2598 SSL_free(serverssl); 2599 SSL_free(clientssl); 2600 serverssl = clientssl = NULL; 2601 2602 /* Stop caching sessions - just count them */ 2603 do_cache = 0; 2604 2605 /* 2606 * Check we can resume with all the tickets we created. This time around the 2607 * resumptions should all be successful. 2608 */ 2609 if (!check_resumption(idx, sctx, cctx, 1)) 2610 goto end; 2611 2612 testresult = 1; 2613 2614 end: 2615 SSL_free(serverssl); 2616 SSL_free(clientssl); 2617 for (j = 0; j < OSSL_NELEM(sesscache); j++) { 2618 SSL_SESSION_free(sesscache[j]); 2619 sesscache[j] = NULL; 2620 } 2621 SSL_CTX_free(sctx); 2622 SSL_CTX_free(cctx); 2623 2624 return testresult; 2625 } 2626 2627 static int test_stateless_tickets(int idx) 2628 { 2629 return test_tickets(0, idx); 2630 } 2631 2632 static int test_stateful_tickets(int idx) 2633 { 2634 return test_tickets(1, idx); 2635 } 2636 2637 static int test_psk_tickets(void) 2638 { 2639 SSL_CTX *sctx = NULL, *cctx = NULL; 2640 SSL *serverssl = NULL, *clientssl = NULL; 2641 int testresult = 0; 2642 int sess_id_ctx = 1; 2643 2644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2645 TLS_client_method(), TLS1_VERSION, 0, 2646 &sctx, &cctx, NULL, NULL)) 2647 || !TEST_true(SSL_CTX_set_session_id_context(sctx, 2648 (void *)&sess_id_ctx, 2649 sizeof(sess_id_ctx)))) 2650 goto end; 2651 2652 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT 2653 | SSL_SESS_CACHE_NO_INTERNAL_STORE); 2654 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 2655 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 2656 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2657 use_session_cb_cnt = 0; 2658 find_session_cb_cnt = 0; 2659 srvid = pskid; 2660 new_called = 0; 2661 2662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 2663 NULL, NULL))) 2664 goto end; 2665 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH); 2666 if (!TEST_ptr(clientpsk)) 2667 goto end; 2668 SSL_SESSION_up_ref(clientpsk); 2669 2670 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2671 SSL_ERROR_NONE)) 2672 || !TEST_int_eq(1, find_session_cb_cnt) 2673 || !TEST_int_eq(1, use_session_cb_cnt) 2674 /* We should always get 1 ticket when using external PSK */ 2675 || !TEST_int_eq(1, new_called)) 2676 goto end; 2677 2678 testresult = 1; 2679 2680 end: 2681 SSL_free(serverssl); 2682 SSL_free(clientssl); 2683 SSL_CTX_free(sctx); 2684 SSL_CTX_free(cctx); 2685 SSL_SESSION_free(clientpsk); 2686 SSL_SESSION_free(serverpsk); 2687 clientpsk = serverpsk = NULL; 2688 2689 return testresult; 2690 } 2691 2692 static int test_extra_tickets(int idx) 2693 { 2694 SSL_CTX *sctx = NULL, *cctx = NULL; 2695 SSL *serverssl = NULL, *clientssl = NULL; 2696 BIO *bretry = BIO_new(bio_s_always_retry()); 2697 BIO *tmp = NULL; 2698 int testresult = 0; 2699 int stateful = 0; 2700 size_t nbytes; 2701 unsigned char c, buf[1]; 2702 2703 new_called = 0; 2704 do_cache = 1; 2705 2706 if (idx >= 3) { 2707 idx -= 3; 2708 stateful = 1; 2709 } 2710 2711 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx)) 2712 goto end; 2713 SSL_CTX_sess_set_new_cb(sctx, new_session_cb); 2714 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */ 2715 SSL_CTX_sess_set_new_cb(cctx, new_session_cb); 2716 2717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 2718 &clientssl, NULL, NULL))) 2719 goto end; 2720 2721 /* 2722 * Note that we have new_session_cb on both sctx and cctx, so new_called is 2723 * incremented by both client and server. 2724 */ 2725 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 2726 SSL_ERROR_NONE)) 2727 /* Check we got the number of tickets we were expecting */ 2728 || !TEST_int_eq(idx * 2, new_called) 2729 || !TEST_true(SSL_new_session_ticket(serverssl)) 2730 || !TEST_true(SSL_new_session_ticket(serverssl)) 2731 || !TEST_int_eq(idx * 2, new_called)) 2732 goto end; 2733 2734 /* Now try a (real) write to actually send the tickets */ 2735 c = '1'; 2736 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2737 || !TEST_size_t_eq(1, nbytes) 2738 || !TEST_int_eq(idx * 2 + 2, new_called) 2739 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2740 || !TEST_int_eq(idx * 2 + 4, new_called) 2741 || !TEST_int_eq(sizeof(buf), nbytes) 2742 || !TEST_int_eq(c, buf[0]) 2743 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2744 goto end; 2745 2746 /* Try with only requesting one new ticket, too */ 2747 c = '2'; 2748 new_called = 0; 2749 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2750 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes)) 2751 || !TEST_size_t_eq(sizeof(c), nbytes) 2752 || !TEST_int_eq(1, new_called) 2753 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2754 || !TEST_int_eq(2, new_called) 2755 || !TEST_size_t_eq(sizeof(buf), nbytes) 2756 || !TEST_int_eq(c, buf[0])) 2757 goto end; 2758 2759 /* Do it again but use dummy writes to drive the ticket generation */ 2760 c = '3'; 2761 new_called = 0; 2762 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2763 || !TEST_true(SSL_new_session_ticket(serverssl)) 2764 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes)) 2765 || !TEST_size_t_eq(0, nbytes) 2766 || !TEST_int_eq(2, new_called) 2767 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2768 || !TEST_int_eq(4, new_called)) 2769 goto end; 2770 2771 /* Once more, but with SSL_do_handshake() to drive the ticket generation */ 2772 c = '4'; 2773 new_called = 0; 2774 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2775 || !TEST_true(SSL_new_session_ticket(serverssl)) 2776 || !TEST_true(SSL_do_handshake(serverssl)) 2777 || !TEST_int_eq(2, new_called) 2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2779 || !TEST_int_eq(4, new_called)) 2780 goto end; 2781 2782 /* 2783 * Use the always-retry BIO to exercise the logic that forces ticket 2784 * generation to wait until a record boundary. 2785 */ 2786 c = '5'; 2787 new_called = 0; 2788 tmp = SSL_get_wbio(serverssl); 2789 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 2790 tmp = NULL; 2791 goto end; 2792 } 2793 SSL_set0_wbio(serverssl, bretry); 2794 bretry = NULL; 2795 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2796 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE) 2797 || !TEST_size_t_eq(nbytes, 0)) 2798 goto end; 2799 /* Restore a BIO that will let the write succeed */ 2800 SSL_set0_wbio(serverssl, tmp); 2801 tmp = NULL; 2802 /* 2803 * These calls should just queue the request and not send anything 2804 * even if we explicitly try to hit the state machine. 2805 */ 2806 if (!TEST_true(SSL_new_session_ticket(serverssl)) 2807 || !TEST_true(SSL_new_session_ticket(serverssl)) 2808 || !TEST_int_eq(0, new_called) 2809 || !TEST_true(SSL_do_handshake(serverssl)) 2810 || !TEST_int_eq(0, new_called)) 2811 goto end; 2812 /* Re-do the write; still no tickets sent */ 2813 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2814 || !TEST_size_t_eq(1, nbytes) 2815 || !TEST_int_eq(0, new_called) 2816 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2817 || !TEST_int_eq(0, new_called) 2818 || !TEST_int_eq(sizeof(buf), nbytes) 2819 || !TEST_int_eq(c, buf[0]) 2820 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2821 goto end; 2822 /* Even trying to hit the state machine now will still not send tickets */ 2823 if (!TEST_true(SSL_do_handshake(serverssl)) 2824 || !TEST_int_eq(0, new_called)) 2825 goto end; 2826 /* Now the *next* write should send the tickets */ 2827 c = '6'; 2828 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes)) 2829 || !TEST_size_t_eq(1, nbytes) 2830 || !TEST_int_eq(2, new_called) 2831 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)) 2832 || !TEST_int_eq(4, new_called) 2833 || !TEST_int_eq(sizeof(buf), nbytes) 2834 || !TEST_int_eq(c, buf[0]) 2835 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))) 2836 goto end; 2837 2838 SSL_shutdown(clientssl); 2839 SSL_shutdown(serverssl); 2840 testresult = 1; 2841 2842 end: 2843 BIO_free(bretry); 2844 BIO_free(tmp); 2845 SSL_free(serverssl); 2846 SSL_free(clientssl); 2847 SSL_CTX_free(sctx); 2848 SSL_CTX_free(cctx); 2849 clientssl = serverssl = NULL; 2850 sctx = cctx = NULL; 2851 return testresult; 2852 } 2853 #endif 2854 2855 #define USE_NULL 0 2856 #define USE_BIO_1 1 2857 #define USE_BIO_2 2 2858 #define USE_DEFAULT 3 2859 2860 #define CONNTYPE_CONNECTION_SUCCESS 0 2861 #define CONNTYPE_CONNECTION_FAIL 1 2862 #define CONNTYPE_NO_CONNECTION 2 2863 2864 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) 2865 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) 2866 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) 2867 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) 2868 #else 2869 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 2870 #endif 2871 2872 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \ 2873 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \ 2874 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 2875 2876 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) 2877 { 2878 switch (type) { 2879 case USE_NULL: 2880 *res = NULL; 2881 break; 2882 case USE_BIO_1: 2883 *res = bio1; 2884 break; 2885 case USE_BIO_2: 2886 *res = bio2; 2887 break; 2888 } 2889 } 2890 2891 2892 /* 2893 * Tests calls to SSL_set_bio() under various conditions. 2894 * 2895 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with 2896 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We 2897 * then do more tests where we create a successful connection first using our 2898 * standard connection setup functions, and then call SSL_set_bio() with 2899 * various combinations of valid BIOs or NULL. We then repeat these tests 2900 * following a failed connection. In this last case we are looking to check that 2901 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL. 2902 */ 2903 static int test_ssl_set_bio(int idx) 2904 { 2905 SSL_CTX *sctx = NULL, *cctx = NULL; 2906 BIO *bio1 = NULL; 2907 BIO *bio2 = NULL; 2908 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; 2909 SSL *serverssl = NULL, *clientssl = NULL; 2910 int initrbio, initwbio, newrbio, newwbio, conntype; 2911 int testresult = 0; 2912 2913 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) { 2914 initrbio = idx % 3; 2915 idx /= 3; 2916 initwbio = idx % 3; 2917 idx /= 3; 2918 newrbio = idx % 3; 2919 idx /= 3; 2920 newwbio = idx % 3; 2921 conntype = CONNTYPE_NO_CONNECTION; 2922 } else { 2923 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS; 2924 initrbio = initwbio = USE_DEFAULT; 2925 newrbio = idx % 2; 2926 idx /= 2; 2927 newwbio = idx % 2; 2928 idx /= 2; 2929 conntype = idx % 2; 2930 } 2931 2932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 2933 TLS_client_method(), TLS1_VERSION, 0, 2934 &sctx, &cctx, cert, privkey))) 2935 goto end; 2936 2937 if (conntype == CONNTYPE_CONNECTION_FAIL) { 2938 /* 2939 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled 2940 * because we reduced the number of tests in the definition of 2941 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting 2942 * mismatched protocol versions we will force a connection failure. 2943 */ 2944 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION); 2945 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 2946 } 2947 2948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 2949 NULL, NULL))) 2950 goto end; 2951 2952 if (initrbio == USE_BIO_1 2953 || initwbio == USE_BIO_1 2954 || newrbio == USE_BIO_1 2955 || newwbio == USE_BIO_1) { 2956 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem()))) 2957 goto end; 2958 } 2959 2960 if (initrbio == USE_BIO_2 2961 || initwbio == USE_BIO_2 2962 || newrbio == USE_BIO_2 2963 || newwbio == USE_BIO_2) { 2964 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem()))) 2965 goto end; 2966 } 2967 2968 if (initrbio != USE_DEFAULT) { 2969 setupbio(&irbio, bio1, bio2, initrbio); 2970 setupbio(&iwbio, bio1, bio2, initwbio); 2971 SSL_set_bio(clientssl, irbio, iwbio); 2972 2973 /* 2974 * We want to maintain our own refs to these BIO, so do an up ref for 2975 * each BIO that will have ownership transferred in the SSL_set_bio() 2976 * call 2977 */ 2978 if (irbio != NULL) 2979 BIO_up_ref(irbio); 2980 if (iwbio != NULL && iwbio != irbio) 2981 BIO_up_ref(iwbio); 2982 } 2983 2984 if (conntype != CONNTYPE_NO_CONNECTION 2985 && !TEST_true(create_ssl_connection(serverssl, clientssl, 2986 SSL_ERROR_NONE) 2987 == (conntype == CONNTYPE_CONNECTION_SUCCESS))) 2988 goto end; 2989 2990 setupbio(&nrbio, bio1, bio2, newrbio); 2991 setupbio(&nwbio, bio1, bio2, newwbio); 2992 2993 /* 2994 * We will (maybe) transfer ownership again so do more up refs. 2995 * SSL_set_bio() has some really complicated ownership rules where BIOs have 2996 * already been set! 2997 */ 2998 if (nrbio != NULL 2999 && nrbio != irbio 3000 && (nwbio != iwbio || nrbio != nwbio)) 3001 BIO_up_ref(nrbio); 3002 if (nwbio != NULL 3003 && nwbio != nrbio 3004 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio))) 3005 BIO_up_ref(nwbio); 3006 3007 SSL_set_bio(clientssl, nrbio, nwbio); 3008 3009 testresult = 1; 3010 3011 end: 3012 BIO_free(bio1); 3013 BIO_free(bio2); 3014 3015 /* 3016 * This test is checking that the ref counting for SSL_set_bio is correct. 3017 * If we get here and we did too many frees then we will fail in the above 3018 * functions. 3019 */ 3020 SSL_free(serverssl); 3021 SSL_free(clientssl); 3022 SSL_CTX_free(sctx); 3023 SSL_CTX_free(cctx); 3024 return testresult; 3025 } 3026 3027 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t; 3028 3029 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) 3030 { 3031 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL; 3032 SSL_CTX *ctx; 3033 SSL *ssl = NULL; 3034 int testresult = 0; 3035 3036 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())) 3037 || !TEST_ptr(ssl = SSL_new(ctx)) 3038 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl())) 3039 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem()))) 3040 goto end; 3041 3042 BIO_set_ssl(sslbio, ssl, BIO_CLOSE); 3043 3044 /* 3045 * If anything goes wrong here then we could leak memory. 3046 */ 3047 BIO_push(sslbio, membio1); 3048 3049 /* Verify changing the rbio/wbio directly does not cause leaks */ 3050 if (change_bio != NO_BIO_CHANGE) { 3051 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) { 3052 ssl = NULL; 3053 goto end; 3054 } 3055 if (change_bio == CHANGE_RBIO) 3056 SSL_set0_rbio(ssl, membio2); 3057 else 3058 SSL_set0_wbio(ssl, membio2); 3059 } 3060 ssl = NULL; 3061 3062 if (pop_ssl) 3063 BIO_pop(sslbio); 3064 else 3065 BIO_pop(membio1); 3066 3067 testresult = 1; 3068 end: 3069 BIO_free(membio1); 3070 BIO_free(sslbio); 3071 SSL_free(ssl); 3072 SSL_CTX_free(ctx); 3073 3074 return testresult; 3075 } 3076 3077 static int test_ssl_bio_pop_next_bio(void) 3078 { 3079 return execute_test_ssl_bio(0, NO_BIO_CHANGE); 3080 } 3081 3082 static int test_ssl_bio_pop_ssl_bio(void) 3083 { 3084 return execute_test_ssl_bio(1, NO_BIO_CHANGE); 3085 } 3086 3087 static int test_ssl_bio_change_rbio(void) 3088 { 3089 return execute_test_ssl_bio(0, CHANGE_RBIO); 3090 } 3091 3092 static int test_ssl_bio_change_wbio(void) 3093 { 3094 return execute_test_ssl_bio(0, CHANGE_WBIO); 3095 } 3096 3097 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 3098 typedef struct { 3099 /* The list of sig algs */ 3100 const int *list; 3101 /* The length of the list */ 3102 size_t listlen; 3103 /* A sigalgs list in string format */ 3104 const char *liststr; 3105 /* Whether setting the list should succeed */ 3106 int valid; 3107 /* Whether creating a connection with the list should succeed */ 3108 int connsuccess; 3109 } sigalgs_list; 3110 3111 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA}; 3112 # ifndef OPENSSL_NO_EC 3113 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC}; 3114 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC}; 3115 # endif 3116 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA}; 3117 static const int invalidlist2[] = {NID_sha256, NID_undef}; 3118 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256}; 3119 static const int invalidlist4[] = {NID_sha256}; 3120 static const sigalgs_list testsigalgs[] = { 3121 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1}, 3122 # ifndef OPENSSL_NO_EC 3123 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1}, 3124 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, 3125 # endif 3126 {NULL, 0, "RSA+SHA256", 1, 1}, 3127 # ifndef OPENSSL_NO_EC 3128 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, 3129 {NULL, 0, "ECDSA+SHA512", 1, 0}, 3130 # endif 3131 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0}, 3132 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0}, 3133 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0}, 3134 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0}, 3135 {NULL, 0, "RSA", 0, 0}, 3136 {NULL, 0, "SHA256", 0, 0}, 3137 {NULL, 0, "RSA+SHA256:SHA256", 0, 0}, 3138 {NULL, 0, "Invalid", 0, 0} 3139 }; 3140 3141 static int test_set_sigalgs(int idx) 3142 { 3143 SSL_CTX *cctx = NULL, *sctx = NULL; 3144 SSL *clientssl = NULL, *serverssl = NULL; 3145 int testresult = 0; 3146 const sigalgs_list *curr; 3147 int testctx; 3148 3149 /* Should never happen */ 3150 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2)) 3151 return 0; 3152 3153 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs)); 3154 curr = testctx ? &testsigalgs[idx] 3155 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; 3156 3157 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3158 TLS_client_method(), TLS1_VERSION, 0, 3159 &sctx, &cctx, cert, privkey))) 3160 return 0; 3161 3162 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 3163 3164 if (testctx) { 3165 int ret; 3166 3167 if (curr->list != NULL) 3168 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen); 3169 else 3170 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr); 3171 3172 if (!ret) { 3173 if (curr->valid) 3174 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx); 3175 else 3176 testresult = 1; 3177 goto end; 3178 } 3179 if (!curr->valid) { 3180 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx); 3181 goto end; 3182 } 3183 } 3184 3185 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3186 &clientssl, NULL, NULL))) 3187 goto end; 3188 3189 if (!testctx) { 3190 int ret; 3191 3192 if (curr->list != NULL) 3193 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen); 3194 else 3195 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr); 3196 if (!ret) { 3197 if (curr->valid) 3198 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx); 3199 else 3200 testresult = 1; 3201 goto end; 3202 } 3203 if (!curr->valid) 3204 goto end; 3205 } 3206 3207 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 3208 SSL_ERROR_NONE), 3209 curr->connsuccess)) 3210 goto end; 3211 3212 testresult = 1; 3213 3214 end: 3215 SSL_free(serverssl); 3216 SSL_free(clientssl); 3217 SSL_CTX_free(sctx); 3218 SSL_CTX_free(cctx); 3219 3220 return testresult; 3221 } 3222 #endif 3223 3224 #ifndef OSSL_NO_USABLE_TLS1_3 3225 static int psk_client_cb_cnt = 0; 3226 static int psk_server_cb_cnt = 0; 3227 3228 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 3229 size_t *idlen, SSL_SESSION **sess) 3230 { 3231 switch (++use_session_cb_cnt) { 3232 case 1: 3233 /* The first call should always have a NULL md */ 3234 if (md != NULL) 3235 return 0; 3236 break; 3237 3238 case 2: 3239 /* The second call should always have an md */ 3240 if (md == NULL) 3241 return 0; 3242 break; 3243 3244 default: 3245 /* We should only be called a maximum of twice */ 3246 return 0; 3247 } 3248 3249 if (clientpsk != NULL) 3250 SSL_SESSION_up_ref(clientpsk); 3251 3252 *sess = clientpsk; 3253 *id = (const unsigned char *)pskid; 3254 *idlen = strlen(pskid); 3255 3256 return 1; 3257 } 3258 3259 #ifndef OPENSSL_NO_PSK 3260 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id, 3261 unsigned int max_id_len, 3262 unsigned char *psk, 3263 unsigned int max_psk_len) 3264 { 3265 unsigned int psklen = 0; 3266 3267 psk_client_cb_cnt++; 3268 3269 if (strlen(pskid) + 1 > max_id_len) 3270 return 0; 3271 3272 /* We should only ever be called a maximum of twice per connection */ 3273 if (psk_client_cb_cnt > 2) 3274 return 0; 3275 3276 if (clientpsk == NULL) 3277 return 0; 3278 3279 /* We'll reuse the PSK we set up for TLSv1.3 */ 3280 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len) 3281 return 0; 3282 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len); 3283 strncpy(id, pskid, max_id_len); 3284 3285 return psklen; 3286 } 3287 #endif /* OPENSSL_NO_PSK */ 3288 3289 static int find_session_cb(SSL *ssl, const unsigned char *identity, 3290 size_t identity_len, SSL_SESSION **sess) 3291 { 3292 find_session_cb_cnt++; 3293 3294 /* We should only ever be called a maximum of twice per connection */ 3295 if (find_session_cb_cnt > 2) 3296 return 0; 3297 3298 if (serverpsk == NULL) 3299 return 0; 3300 3301 /* Identity should match that set by the client */ 3302 if (strlen(srvid) != identity_len 3303 || strncmp(srvid, (const char *)identity, identity_len) != 0) { 3304 /* No PSK found, continue but without a PSK */ 3305 *sess = NULL; 3306 return 1; 3307 } 3308 3309 SSL_SESSION_up_ref(serverpsk); 3310 *sess = serverpsk; 3311 3312 return 1; 3313 } 3314 3315 #ifndef OPENSSL_NO_PSK 3316 static unsigned int psk_server_cb(SSL *ssl, const char *identity, 3317 unsigned char *psk, unsigned int max_psk_len) 3318 { 3319 unsigned int psklen = 0; 3320 3321 psk_server_cb_cnt++; 3322 3323 /* We should only ever be called a maximum of twice per connection */ 3324 if (find_session_cb_cnt > 2) 3325 return 0; 3326 3327 if (serverpsk == NULL) 3328 return 0; 3329 3330 /* Identity should match that set by the client */ 3331 if (strcmp(srvid, identity) != 0) { 3332 return 0; 3333 } 3334 3335 /* We'll reuse the PSK we set up for TLSv1.3 */ 3336 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len) 3337 return 0; 3338 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len); 3339 3340 return psklen; 3341 } 3342 #endif /* OPENSSL_NO_PSK */ 3343 3344 #define MSG1 "Hello" 3345 #define MSG2 "World." 3346 #define MSG3 "This" 3347 #define MSG4 "is" 3348 #define MSG5 "a" 3349 #define MSG6 "test" 3350 #define MSG7 "message." 3351 3352 #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") 3353 #define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") 3354 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") 3355 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") 3356 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") 3357 3358 3359 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize) 3360 { 3361 const SSL_CIPHER *cipher = NULL; 3362 const unsigned char key[] = { 3363 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 3364 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 3365 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 3366 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 3367 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */ 3368 }; 3369 SSL_SESSION *sess = NULL; 3370 3371 if (mdsize == SHA384_DIGEST_LENGTH) { 3372 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); 3373 } else if (mdsize == SHA256_DIGEST_LENGTH) { 3374 /* 3375 * Any ciphersuite using SHA256 will do - it will be compatible with 3376 * the actual ciphersuite selected as long as it too is based on SHA256 3377 */ 3378 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES); 3379 } else { 3380 /* Should not happen */ 3381 return NULL; 3382 } 3383 sess = SSL_SESSION_new(); 3384 if (!TEST_ptr(sess) 3385 || !TEST_ptr(cipher) 3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize)) 3387 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) 3388 || !TEST_true( 3389 SSL_SESSION_set_protocol_version(sess, 3390 TLS1_3_VERSION))) { 3391 SSL_SESSION_free(sess); 3392 return NULL; 3393 } 3394 return sess; 3395 } 3396 3397 /* 3398 * Helper method to setup objects for early data test. Caller frees objects on 3399 * error. 3400 */ 3401 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, 3402 SSL **serverssl, SSL_SESSION **sess, int idx, 3403 size_t mdsize) 3404 { 3405 if (*sctx == NULL 3406 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3407 TLS_client_method(), 3408 TLS1_VERSION, 0, 3409 sctx, cctx, cert, privkey))) 3410 return 0; 3411 3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH))) 3413 return 0; 3414 3415 if (idx == 1) { 3416 /* When idx == 1 we repeat the tests with read_ahead set */ 3417 SSL_CTX_set_read_ahead(*cctx, 1); 3418 SSL_CTX_set_read_ahead(*sctx, 1); 3419 } else if (idx == 2) { 3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */ 3421 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb); 3422 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb); 3423 use_session_cb_cnt = 0; 3424 find_session_cb_cnt = 0; 3425 srvid = pskid; 3426 } 3427 3428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl, 3429 NULL, NULL))) 3430 return 0; 3431 3432 /* 3433 * For one of the run throughs (doesn't matter which one), we'll try sending 3434 * some SNI data in the initial ClientHello. This will be ignored (because 3435 * there is no SNI cb set up by the server), so it should not impact 3436 * early_data. 3437 */ 3438 if (idx == 1 3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost"))) 3440 return 0; 3441 3442 if (idx == 2) { 3443 clientpsk = create_a_psk(*clientssl, mdsize); 3444 if (!TEST_ptr(clientpsk) 3445 /* 3446 * We just choose an arbitrary value for max_early_data which 3447 * should be big enough for testing purposes. 3448 */ 3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk, 3450 0x100)) 3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) { 3452 SSL_SESSION_free(clientpsk); 3453 clientpsk = NULL; 3454 return 0; 3455 } 3456 serverpsk = clientpsk; 3457 3458 if (sess != NULL) { 3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) { 3460 SSL_SESSION_free(clientpsk); 3461 SSL_SESSION_free(serverpsk); 3462 clientpsk = serverpsk = NULL; 3463 return 0; 3464 } 3465 *sess = clientpsk; 3466 } 3467 return 1; 3468 } 3469 3470 if (sess == NULL) 3471 return 1; 3472 3473 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl, 3474 SSL_ERROR_NONE))) 3475 return 0; 3476 3477 *sess = SSL_get1_session(*clientssl); 3478 SSL_shutdown(*clientssl); 3479 SSL_shutdown(*serverssl); 3480 SSL_free(*serverssl); 3481 SSL_free(*clientssl); 3482 *serverssl = *clientssl = NULL; 3483 3484 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, 3485 clientssl, NULL, NULL)) 3486 || !TEST_true(SSL_set_session(*clientssl, *sess))) 3487 return 0; 3488 3489 return 1; 3490 } 3491 3492 static int check_early_data_timeout(time_t timer) 3493 { 3494 int res = 0; 3495 3496 /* 3497 * Early data is time sensitive. We have an approx 8 second allowance 3498 * between writing the early data and reading it. If we exceed that time 3499 * then this test will fail. This can sometimes (rarely) occur in normal CI 3500 * operation. We can try and detect this and just ignore the result of this 3501 * test if it has taken too long. We assume anything over 7 seconds is too 3502 * long 3503 */ 3504 timer = time(NULL) - timer; 3505 if (timer >= 7) 3506 res = TEST_skip("Test took too long, ignoring result"); 3507 3508 return res; 3509 } 3510 3511 static int test_early_data_read_write(int idx) 3512 { 3513 SSL_CTX *cctx = NULL, *sctx = NULL; 3514 SSL *clientssl = NULL, *serverssl = NULL; 3515 int testresult = 0; 3516 SSL_SESSION *sess = NULL; 3517 unsigned char buf[20], data[1024]; 3518 size_t readbytes, written, eoedlen, rawread, rawwritten; 3519 BIO *rbio; 3520 time_t timer; 3521 3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3523 &serverssl, &sess, idx, 3524 SHA384_DIGEST_LENGTH))) 3525 goto end; 3526 3527 /* Write and read some early data */ 3528 timer = time(NULL); 3529 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3530 &written)) 3531 || !TEST_size_t_eq(written, strlen(MSG1))) 3532 goto end; 3533 3534 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3535 &readbytes), 3536 SSL_READ_EARLY_DATA_SUCCESS)) { 3537 testresult = check_early_data_timeout(timer); 3538 goto end; 3539 } 3540 3541 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 3542 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3543 SSL_EARLY_DATA_ACCEPTED)) 3544 goto end; 3545 3546 /* 3547 * Server should be able to write data, and client should be able to 3548 * read it. 3549 */ 3550 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2), 3551 &written)) 3552 || !TEST_size_t_eq(written, strlen(MSG2)) 3553 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3554 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 3555 goto end; 3556 3557 /* Even after reading normal data, client should be able write early data */ 3558 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3), 3559 &written)) 3560 || !TEST_size_t_eq(written, strlen(MSG3))) 3561 goto end; 3562 3563 /* Server should still be able read early data after writing data */ 3564 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3565 &readbytes), 3566 SSL_READ_EARLY_DATA_SUCCESS) 3567 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3))) 3568 goto end; 3569 3570 /* Write more data from server and read it from client */ 3571 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4), 3572 &written)) 3573 || !TEST_size_t_eq(written, strlen(MSG4)) 3574 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3575 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4))) 3576 goto end; 3577 3578 /* 3579 * If client writes normal data it should mean writing early data is no 3580 * longer possible. 3581 */ 3582 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 3583 || !TEST_size_t_eq(written, strlen(MSG5)) 3584 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 3585 SSL_EARLY_DATA_ACCEPTED)) 3586 goto end; 3587 3588 /* 3589 * At this point the client has written EndOfEarlyData, ClientFinished and 3590 * normal (fully protected) data. We are going to cause a delay between the 3591 * arrival of EndOfEarlyData and ClientFinished. We read out all the data 3592 * in the read BIO, and then just put back the EndOfEarlyData message. 3593 */ 3594 rbio = SSL_get_rbio(serverssl); 3595 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread)) 3596 || !TEST_size_t_lt(rawread, sizeof(data)) 3597 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH)) 3598 goto end; 3599 3600 /* Record length is in the 4th and 5th bytes of the record header */ 3601 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]); 3602 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten)) 3603 || !TEST_size_t_eq(rawwritten, eoedlen)) 3604 goto end; 3605 3606 /* Server should be told that there is no more early data */ 3607 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3608 &readbytes), 3609 SSL_READ_EARLY_DATA_FINISH) 3610 || !TEST_size_t_eq(readbytes, 0)) 3611 goto end; 3612 3613 /* 3614 * Server has not finished init yet, so should still be able to write early 3615 * data. 3616 */ 3617 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6), 3618 &written)) 3619 || !TEST_size_t_eq(written, strlen(MSG6))) 3620 goto end; 3621 3622 /* Push the ClientFinished and the normal data back into the server rbio */ 3623 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen, 3624 &rawwritten)) 3625 || !TEST_size_t_eq(rawwritten, rawread - eoedlen)) 3626 goto end; 3627 3628 /* Server should be able to read normal data */ 3629 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3630 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 3631 goto end; 3632 3633 /* Client and server should not be able to write/read early data now */ 3634 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 3635 &written))) 3636 goto end; 3637 ERR_clear_error(); 3638 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3639 &readbytes), 3640 SSL_READ_EARLY_DATA_ERROR)) 3641 goto end; 3642 ERR_clear_error(); 3643 3644 /* Client should be able to read the data sent by the server */ 3645 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3646 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6))) 3647 goto end; 3648 3649 /* 3650 * Make sure we process the two NewSessionTickets. These arrive 3651 * post-handshake. We attempt reads which we do not expect to return any 3652 * data. 3653 */ 3654 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3655 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), 3656 &readbytes))) 3657 goto end; 3658 3659 /* Server should be able to write normal data */ 3660 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written)) 3661 || !TEST_size_t_eq(written, strlen(MSG7)) 3662 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 3663 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7))) 3664 goto end; 3665 3666 SSL_SESSION_free(sess); 3667 sess = SSL_get1_session(clientssl); 3668 use_session_cb_cnt = 0; 3669 find_session_cb_cnt = 0; 3670 3671 SSL_shutdown(clientssl); 3672 SSL_shutdown(serverssl); 3673 SSL_free(serverssl); 3674 SSL_free(clientssl); 3675 serverssl = clientssl = NULL; 3676 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3677 &clientssl, NULL, NULL)) 3678 || !TEST_true(SSL_set_session(clientssl, sess))) 3679 goto end; 3680 3681 /* Write and read some early data */ 3682 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3683 &written)) 3684 || !TEST_size_t_eq(written, strlen(MSG1)) 3685 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3686 &readbytes), 3687 SSL_READ_EARLY_DATA_SUCCESS) 3688 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 3689 goto end; 3690 3691 if (!TEST_int_gt(SSL_connect(clientssl), 0) 3692 || !TEST_int_gt(SSL_accept(serverssl), 0)) 3693 goto end; 3694 3695 /* Client and server should not be able to write/read early data now */ 3696 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6), 3697 &written))) 3698 goto end; 3699 ERR_clear_error(); 3700 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3701 &readbytes), 3702 SSL_READ_EARLY_DATA_ERROR)) 3703 goto end; 3704 ERR_clear_error(); 3705 3706 /* Client and server should be able to write/read normal data */ 3707 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written)) 3708 || !TEST_size_t_eq(written, strlen(MSG5)) 3709 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 3710 || !TEST_size_t_eq(readbytes, strlen(MSG5))) 3711 goto end; 3712 3713 testresult = 1; 3714 3715 end: 3716 SSL_SESSION_free(sess); 3717 SSL_SESSION_free(clientpsk); 3718 SSL_SESSION_free(serverpsk); 3719 clientpsk = serverpsk = NULL; 3720 SSL_free(serverssl); 3721 SSL_free(clientssl); 3722 SSL_CTX_free(sctx); 3723 SSL_CTX_free(cctx); 3724 return testresult; 3725 } 3726 3727 static int allow_ed_cb_called = 0; 3728 3729 static int allow_early_data_cb(SSL *s, void *arg) 3730 { 3731 int *usecb = (int *)arg; 3732 3733 allow_ed_cb_called++; 3734 3735 if (*usecb == 1) 3736 return 0; 3737 3738 return 1; 3739 } 3740 3741 /* 3742 * idx == 0: Standard early_data setup 3743 * idx == 1: early_data setup using read_ahead 3744 * usecb == 0: Don't use a custom early data callback 3745 * usecb == 1: Use a custom early data callback and reject the early data 3746 * usecb == 2: Use a custom early data callback and accept the early data 3747 * confopt == 0: Configure anti-replay directly 3748 * confopt == 1: Configure anti-replay using SSL_CONF 3749 */ 3750 static int test_early_data_replay_int(int idx, int usecb, int confopt) 3751 { 3752 SSL_CTX *cctx = NULL, *sctx = NULL; 3753 SSL *clientssl = NULL, *serverssl = NULL; 3754 int testresult = 0; 3755 SSL_SESSION *sess = NULL; 3756 size_t readbytes, written; 3757 unsigned char buf[20]; 3758 time_t timer; 3759 3760 allow_ed_cb_called = 0; 3761 3762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3763 TLS_client_method(), TLS1_VERSION, 0, 3764 &sctx, &cctx, cert, privkey))) 3765 return 0; 3766 3767 if (usecb > 0) { 3768 if (confopt == 0) { 3769 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY); 3770 } else { 3771 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new(); 3772 3773 if (!TEST_ptr(confctx)) 3774 goto end; 3775 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE 3776 | SSL_CONF_FLAG_SERVER); 3777 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx); 3778 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"), 3779 2)) { 3780 SSL_CONF_CTX_free(confctx); 3781 goto end; 3782 } 3783 SSL_CONF_CTX_free(confctx); 3784 } 3785 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb); 3786 } 3787 3788 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3789 &serverssl, &sess, idx, 3790 SHA384_DIGEST_LENGTH))) 3791 goto end; 3792 3793 /* 3794 * The server is configured to accept early data. Create a connection to 3795 * "use up" the ticket 3796 */ 3797 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3798 || !TEST_true(SSL_session_reused(clientssl))) 3799 goto end; 3800 3801 SSL_shutdown(clientssl); 3802 SSL_shutdown(serverssl); 3803 SSL_free(serverssl); 3804 SSL_free(clientssl); 3805 serverssl = clientssl = NULL; 3806 3807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 3808 &clientssl, NULL, NULL)) 3809 || !TEST_true(SSL_set_session(clientssl, sess))) 3810 goto end; 3811 3812 /* Write and read some early data */ 3813 timer = time(NULL); 3814 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3815 &written)) 3816 || !TEST_size_t_eq(written, strlen(MSG1))) 3817 goto end; 3818 3819 if (usecb <= 1) { 3820 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3821 &readbytes), 3822 SSL_READ_EARLY_DATA_FINISH) 3823 /* 3824 * The ticket was reused, so the we should have rejected the 3825 * early data 3826 */ 3827 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3828 SSL_EARLY_DATA_REJECTED)) 3829 goto end; 3830 } else { 3831 /* In this case the callback decides to accept the early data */ 3832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3833 &readbytes), 3834 SSL_READ_EARLY_DATA_SUCCESS)) { 3835 testresult = check_early_data_timeout(timer); 3836 goto end; 3837 } 3838 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes) 3839 /* 3840 * Server will have sent its flight so client can now send 3841 * end of early data and complete its half of the handshake 3842 */ 3843 || !TEST_int_gt(SSL_connect(clientssl), 0) 3844 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3845 &readbytes), 3846 SSL_READ_EARLY_DATA_FINISH) 3847 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3848 SSL_EARLY_DATA_ACCEPTED)) 3849 goto end; 3850 } 3851 3852 /* Complete the connection */ 3853 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 3854 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0) 3855 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0)) 3856 goto end; 3857 3858 testresult = 1; 3859 3860 end: 3861 SSL_SESSION_free(sess); 3862 SSL_SESSION_free(clientpsk); 3863 SSL_SESSION_free(serverpsk); 3864 clientpsk = serverpsk = NULL; 3865 SSL_free(serverssl); 3866 SSL_free(clientssl); 3867 SSL_CTX_free(sctx); 3868 SSL_CTX_free(cctx); 3869 return testresult; 3870 } 3871 3872 static int test_early_data_replay(int idx) 3873 { 3874 int ret = 1, usecb, confopt; 3875 3876 for (usecb = 0; usecb < 3; usecb++) { 3877 for (confopt = 0; confopt < 2; confopt++) 3878 ret &= test_early_data_replay_int(idx, usecb, confopt); 3879 } 3880 3881 return ret; 3882 } 3883 3884 static const char *ciphersuites[] = { 3885 "TLS_AES_128_CCM_8_SHA256", 3886 "TLS_AES_128_GCM_SHA256", 3887 "TLS_AES_256_GCM_SHA384", 3888 "TLS_AES_128_CCM_SHA256", 3889 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 3890 "TLS_CHACHA20_POLY1305_SHA256" 3891 #endif 3892 }; 3893 3894 /* 3895 * Helper function to test that a server attempting to read early data can 3896 * handle a connection from a client where the early data should be skipped. 3897 * testtype: 0 == No HRR 3898 * testtype: 1 == HRR 3899 * testtype: 2 == HRR, invalid early_data sent after HRR 3900 * testtype: 3 == recv_max_early_data set to 0 3901 */ 3902 static int early_data_skip_helper(int testtype, int cipher, int idx) 3903 { 3904 SSL_CTX *cctx = NULL, *sctx = NULL; 3905 SSL *clientssl = NULL, *serverssl = NULL; 3906 int testresult = 0; 3907 SSL_SESSION *sess = NULL; 3908 unsigned char buf[20]; 3909 size_t readbytes, written; 3910 3911 if (is_fips && cipher == 4) 3912 return 1; 3913 3914 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 3915 TLS_client_method(), 3916 TLS1_VERSION, 0, 3917 &sctx, &cctx, cert, privkey))) 3918 goto end; 3919 3920 if (cipher == 0) { 3921 SSL_CTX_set_security_level(sctx, 0); 3922 SSL_CTX_set_security_level(cctx, 0); 3923 } 3924 3925 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher])) 3926 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher]))) 3927 goto end; 3928 3929 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 3930 &serverssl, &sess, idx, 3931 cipher == 2 ? SHA384_DIGEST_LENGTH 3932 : SHA256_DIGEST_LENGTH))) 3933 goto end; 3934 3935 if (testtype == 1 || testtype == 2) { 3936 /* Force an HRR to occur */ 3937 #if defined(OPENSSL_NO_EC) 3938 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) 3939 goto end; 3940 #else 3941 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 3942 goto end; 3943 #endif 3944 } else if (idx == 2) { 3945 /* 3946 * We force early_data rejection by ensuring the PSK identity is 3947 * unrecognised 3948 */ 3949 srvid = "Dummy Identity"; 3950 } else { 3951 /* 3952 * Deliberately corrupt the creation time. We take 20 seconds off the 3953 * time. It could be any value as long as it is not within tolerance. 3954 * This should mean the ticket is rejected. 3955 */ 3956 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) 3957 goto end; 3958 } 3959 3960 if (testtype == 3 3961 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0))) 3962 goto end; 3963 3964 /* Write some early data */ 3965 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 3966 &written)) 3967 || !TEST_size_t_eq(written, strlen(MSG1))) 3968 goto end; 3969 3970 /* Server should reject the early data */ 3971 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 3972 &readbytes), 3973 SSL_READ_EARLY_DATA_FINISH) 3974 || !TEST_size_t_eq(readbytes, 0) 3975 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 3976 SSL_EARLY_DATA_REJECTED)) 3977 goto end; 3978 3979 switch (testtype) { 3980 case 0: 3981 /* Nothing to do */ 3982 break; 3983 3984 case 1: 3985 /* 3986 * Finish off the handshake. We perform the same writes and reads as 3987 * further down but we expect them to fail due to the incomplete 3988 * handshake. 3989 */ 3990 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 3991 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), 3992 &readbytes))) 3993 goto end; 3994 break; 3995 3996 case 2: 3997 { 3998 BIO *wbio = SSL_get_wbio(clientssl); 3999 /* A record that will appear as bad early_data */ 4000 const unsigned char bad_early_data[] = { 4001 0x17, 0x03, 0x03, 0x00, 0x01, 0x00 4002 }; 4003 4004 /* 4005 * We force the client to attempt a write. This will fail because 4006 * we're still in the handshake. It will cause the second 4007 * ClientHello to be sent. 4008 */ 4009 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), 4010 &written))) 4011 goto end; 4012 4013 /* 4014 * Inject some early_data after the second ClientHello. This should 4015 * cause the server to fail 4016 */ 4017 if (!TEST_true(BIO_write_ex(wbio, bad_early_data, 4018 sizeof(bad_early_data), &written))) 4019 goto end; 4020 } 4021 /* fallthrough */ 4022 4023 case 3: 4024 /* 4025 * This client has sent more early_data than we are willing to skip 4026 * (case 3) or sent invalid early_data (case 2) so the connection should 4027 * abort. 4028 */ 4029 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4030 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL)) 4031 goto end; 4032 4033 /* Connection has failed - nothing more to do */ 4034 testresult = 1; 4035 goto end; 4036 4037 default: 4038 TEST_error("Invalid test type"); 4039 goto end; 4040 } 4041 4042 ERR_clear_error(); 4043 /* 4044 * Should be able to send normal data despite rejection of early data. The 4045 * early_data should be skipped. 4046 */ 4047 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4048 || !TEST_size_t_eq(written, strlen(MSG2)) 4049 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4050 SSL_EARLY_DATA_REJECTED) 4051 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4052 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4053 goto end; 4054 4055 /* 4056 * Failure to decrypt early data records should not leave spurious errors 4057 * on the error stack 4058 */ 4059 if (!TEST_long_eq(ERR_peek_error(), 0)) 4060 goto end; 4061 4062 testresult = 1; 4063 4064 end: 4065 SSL_SESSION_free(clientpsk); 4066 SSL_SESSION_free(serverpsk); 4067 clientpsk = serverpsk = NULL; 4068 SSL_SESSION_free(sess); 4069 SSL_free(serverssl); 4070 SSL_free(clientssl); 4071 SSL_CTX_free(sctx); 4072 SSL_CTX_free(cctx); 4073 return testresult; 4074 } 4075 4076 /* 4077 * Test that a server attempting to read early data can handle a connection 4078 * from a client where the early data is not acceptable. 4079 */ 4080 static int test_early_data_skip(int idx) 4081 { 4082 return early_data_skip_helper(0, 4083 idx % OSSL_NELEM(ciphersuites), 4084 idx / OSSL_NELEM(ciphersuites)); 4085 } 4086 4087 /* 4088 * Test that a server attempting to read early data can handle a connection 4089 * from a client where an HRR occurs. 4090 */ 4091 static int test_early_data_skip_hrr(int idx) 4092 { 4093 return early_data_skip_helper(1, 4094 idx % OSSL_NELEM(ciphersuites), 4095 idx / OSSL_NELEM(ciphersuites)); 4096 } 4097 4098 /* 4099 * Test that a server attempting to read early data can handle a connection 4100 * from a client where an HRR occurs and correctly fails if early_data is sent 4101 * after the HRR 4102 */ 4103 static int test_early_data_skip_hrr_fail(int idx) 4104 { 4105 return early_data_skip_helper(2, 4106 idx % OSSL_NELEM(ciphersuites), 4107 idx / OSSL_NELEM(ciphersuites)); 4108 } 4109 4110 /* 4111 * Test that a server attempting to read early data will abort if it tries to 4112 * skip over too much. 4113 */ 4114 static int test_early_data_skip_abort(int idx) 4115 { 4116 return early_data_skip_helper(3, 4117 idx % OSSL_NELEM(ciphersuites), 4118 idx / OSSL_NELEM(ciphersuites)); 4119 } 4120 4121 /* 4122 * Test that a server attempting to read early data can handle a connection 4123 * from a client that doesn't send any. 4124 */ 4125 static int test_early_data_not_sent(int idx) 4126 { 4127 SSL_CTX *cctx = NULL, *sctx = NULL; 4128 SSL *clientssl = NULL, *serverssl = NULL; 4129 int testresult = 0; 4130 SSL_SESSION *sess = NULL; 4131 unsigned char buf[20]; 4132 size_t readbytes, written; 4133 4134 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4135 &serverssl, &sess, idx, 4136 SHA384_DIGEST_LENGTH))) 4137 goto end; 4138 4139 /* Write some data - should block due to handshake with server */ 4140 SSL_set_connect_state(clientssl); 4141 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 4142 goto end; 4143 4144 /* Server should detect that early data has not been sent */ 4145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4146 &readbytes), 4147 SSL_READ_EARLY_DATA_FINISH) 4148 || !TEST_size_t_eq(readbytes, 0) 4149 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4150 SSL_EARLY_DATA_NOT_SENT) 4151 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4152 SSL_EARLY_DATA_NOT_SENT)) 4153 goto end; 4154 4155 /* Continue writing the message we started earlier */ 4156 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4157 || !TEST_size_t_eq(written, strlen(MSG1)) 4158 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4159 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4160 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written) 4161 || !TEST_size_t_eq(written, strlen(MSG2))) 4162 goto end; 4163 4164 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 4165 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4166 goto end; 4167 4168 testresult = 1; 4169 4170 end: 4171 SSL_SESSION_free(sess); 4172 SSL_SESSION_free(clientpsk); 4173 SSL_SESSION_free(serverpsk); 4174 clientpsk = serverpsk = NULL; 4175 SSL_free(serverssl); 4176 SSL_free(clientssl); 4177 SSL_CTX_free(sctx); 4178 SSL_CTX_free(cctx); 4179 return testresult; 4180 } 4181 4182 static const char *servalpn; 4183 4184 static int alpn_select_cb(SSL *ssl, const unsigned char **out, 4185 unsigned char *outlen, const unsigned char *in, 4186 unsigned int inlen, void *arg) 4187 { 4188 unsigned int protlen = 0; 4189 const unsigned char *prot; 4190 4191 for (prot = in; prot < in + inlen; prot += protlen) { 4192 protlen = *prot++; 4193 if (in + inlen < prot + protlen) 4194 return SSL_TLSEXT_ERR_NOACK; 4195 4196 if (protlen == strlen(servalpn) 4197 && memcmp(prot, servalpn, protlen) == 0) { 4198 *out = prot; 4199 *outlen = protlen; 4200 return SSL_TLSEXT_ERR_OK; 4201 } 4202 } 4203 4204 return SSL_TLSEXT_ERR_NOACK; 4205 } 4206 4207 /* Test that a PSK can be used to send early_data */ 4208 static int test_early_data_psk(int idx) 4209 { 4210 SSL_CTX *cctx = NULL, *sctx = NULL; 4211 SSL *clientssl = NULL, *serverssl = NULL; 4212 int testresult = 0; 4213 SSL_SESSION *sess = NULL; 4214 unsigned char alpnlist[] = { 4215 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a', 4216 'l', 'p', 'n' 4217 }; 4218 #define GOODALPNLEN 9 4219 #define BADALPNLEN 8 4220 #define GOODALPN (alpnlist) 4221 #define BADALPN (alpnlist + GOODALPNLEN) 4222 int err = 0; 4223 unsigned char buf[20]; 4224 size_t readbytes, written; 4225 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1; 4226 int edstatus = SSL_EARLY_DATA_ACCEPTED; 4227 4228 /* We always set this up with a final parameter of "2" for PSK */ 4229 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4230 &serverssl, &sess, 2, 4231 SHA384_DIGEST_LENGTH))) 4232 goto end; 4233 4234 servalpn = "goodalpn"; 4235 4236 /* 4237 * Note: There is no test for inconsistent SNI with late client detection. 4238 * This is because servers do not acknowledge SNI even if they are using 4239 * it in a resumption handshake - so it is not actually possible for a 4240 * client to detect a problem. 4241 */ 4242 switch (idx) { 4243 case 0: 4244 /* Set inconsistent SNI (early client detection) */ 4245 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI; 4246 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 4247 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost"))) 4248 goto end; 4249 break; 4250 4251 case 1: 4252 /* Set inconsistent ALPN (early client detection) */ 4253 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN; 4254 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */ 4255 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN, 4256 GOODALPNLEN)) 4257 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN, 4258 BADALPNLEN))) 4259 goto end; 4260 break; 4261 4262 case 2: 4263 /* 4264 * Set invalid protocol version. Technically this affects PSKs without 4265 * early_data too, but we test it here because it is similar to the 4266 * SNI/ALPN consistency tests. 4267 */ 4268 err = SSL_R_BAD_PSK; 4269 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION))) 4270 goto end; 4271 break; 4272 4273 case 3: 4274 /* 4275 * Set inconsistent SNI (server side). In this case the connection 4276 * will succeed and accept early_data. In TLSv1.3 on the server side SNI 4277 * is associated with each handshake - not the session. Therefore it 4278 * should not matter that we used a different server name last time. 4279 */ 4280 SSL_SESSION_free(serverpsk); 4281 serverpsk = SSL_SESSION_dup(clientpsk); 4282 if (!TEST_ptr(serverpsk) 4283 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost"))) 4284 goto end; 4285 /* Fall through */ 4286 case 4: 4287 /* Set consistent SNI */ 4288 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost")) 4289 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")) 4290 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 4291 hostname_cb))) 4292 goto end; 4293 break; 4294 4295 case 5: 4296 /* 4297 * Set inconsistent ALPN (server detected). In this case the connection 4298 * will succeed but reject early_data. 4299 */ 4300 servalpn = "badalpn"; 4301 edstatus = SSL_EARLY_DATA_REJECTED; 4302 readearlyres = SSL_READ_EARLY_DATA_FINISH; 4303 /* Fall through */ 4304 case 6: 4305 /* 4306 * Set consistent ALPN. 4307 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It 4308 * accepts a list of protos (each one length prefixed). 4309 * SSL_set1_alpn_selected accepts a single protocol (not length 4310 * prefixed) 4311 */ 4312 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1, 4313 GOODALPNLEN - 1)) 4314 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN, 4315 GOODALPNLEN))) 4316 goto end; 4317 4318 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 4319 break; 4320 4321 case 7: 4322 /* Set inconsistent ALPN (late client detection) */ 4323 SSL_SESSION_free(serverpsk); 4324 serverpsk = SSL_SESSION_dup(clientpsk); 4325 if (!TEST_ptr(serverpsk) 4326 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk, 4327 BADALPN + 1, 4328 BADALPNLEN - 1)) 4329 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk, 4330 GOODALPN + 1, 4331 GOODALPNLEN - 1)) 4332 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist, 4333 sizeof(alpnlist)))) 4334 goto end; 4335 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL); 4336 edstatus = SSL_EARLY_DATA_ACCEPTED; 4337 readearlyres = SSL_READ_EARLY_DATA_SUCCESS; 4338 /* SSL_connect() call should fail */ 4339 connectres = -1; 4340 break; 4341 4342 default: 4343 TEST_error("Bad test index"); 4344 goto end; 4345 } 4346 4347 SSL_set_connect_state(clientssl); 4348 if (err != 0) { 4349 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4350 &written)) 4351 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL) 4352 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err)) 4353 goto end; 4354 } else { 4355 time_t timer = time(NULL); 4356 4357 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4358 &written))) 4359 goto end; 4360 4361 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4362 &readbytes), readearlyres)) { 4363 testresult = check_early_data_timeout(timer); 4364 goto end; 4365 } 4366 4367 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS 4368 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))) 4369 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus) 4370 || !TEST_int_eq(SSL_connect(clientssl), connectres)) 4371 goto end; 4372 } 4373 4374 testresult = 1; 4375 4376 end: 4377 SSL_SESSION_free(sess); 4378 SSL_SESSION_free(clientpsk); 4379 SSL_SESSION_free(serverpsk); 4380 clientpsk = serverpsk = NULL; 4381 SSL_free(serverssl); 4382 SSL_free(clientssl); 4383 SSL_CTX_free(sctx); 4384 SSL_CTX_free(cctx); 4385 return testresult; 4386 } 4387 4388 /* 4389 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites 4390 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 4391 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 4392 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 4393 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 4394 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 4395 */ 4396 static int test_early_data_psk_with_all_ciphers(int idx) 4397 { 4398 SSL_CTX *cctx = NULL, *sctx = NULL; 4399 SSL *clientssl = NULL, *serverssl = NULL; 4400 int testresult = 0; 4401 SSL_SESSION *sess = NULL; 4402 unsigned char buf[20]; 4403 size_t readbytes, written; 4404 const SSL_CIPHER *cipher; 4405 time_t timer; 4406 const char *cipher_str[] = { 4407 TLS1_3_RFC_AES_128_GCM_SHA256, 4408 TLS1_3_RFC_AES_256_GCM_SHA384, 4409 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 4410 TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 4411 # else 4412 NULL, 4413 # endif 4414 TLS1_3_RFC_AES_128_CCM_SHA256, 4415 TLS1_3_RFC_AES_128_CCM_8_SHA256 4416 }; 4417 const unsigned char *cipher_bytes[] = { 4418 TLS13_AES_128_GCM_SHA256_BYTES, 4419 TLS13_AES_256_GCM_SHA384_BYTES, 4420 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 4421 TLS13_CHACHA20_POLY1305_SHA256_BYTES, 4422 # else 4423 NULL, 4424 # endif 4425 TLS13_AES_128_CCM_SHA256_BYTES, 4426 TLS13_AES_128_CCM_8_SHA256_BYTES 4427 }; 4428 4429 if (cipher_str[idx] == NULL) 4430 return 1; 4431 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */ 4432 if (idx == 2 && is_fips == 1) 4433 return 1; 4434 4435 /* We always set this up with a final parameter of "2" for PSK */ 4436 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4437 &serverssl, &sess, 2, 4438 SHA384_DIGEST_LENGTH))) 4439 goto end; 4440 4441 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])) 4442 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx]))) 4443 goto end; 4444 4445 /* 4446 * 'setupearly_data_test' creates only one instance of SSL_SESSION 4447 * and assigns to both client and server with incremented reference 4448 * and the same instance is updated in 'sess'. 4449 * So updating ciphersuite in 'sess' which will get reflected in 4450 * PSK handshake using psk use sess and find sess cb. 4451 */ 4452 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]); 4453 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))) 4454 goto end; 4455 4456 SSL_set_connect_state(clientssl); 4457 timer = time(NULL); 4458 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4459 &written))) 4460 goto end; 4461 4462 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4463 &readbytes), 4464 SSL_READ_EARLY_DATA_SUCCESS)) { 4465 testresult = check_early_data_timeout(timer); 4466 goto end; 4467 } 4468 4469 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4470 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4471 SSL_EARLY_DATA_ACCEPTED) 4472 || !TEST_int_eq(SSL_connect(clientssl), 1) 4473 || !TEST_int_eq(SSL_accept(serverssl), 1)) 4474 goto end; 4475 4476 /* Send some normal data from client to server */ 4477 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4478 || !TEST_size_t_eq(written, strlen(MSG2))) 4479 goto end; 4480 4481 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4482 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4483 goto end; 4484 4485 testresult = 1; 4486 end: 4487 SSL_SESSION_free(sess); 4488 SSL_SESSION_free(clientpsk); 4489 SSL_SESSION_free(serverpsk); 4490 clientpsk = serverpsk = NULL; 4491 if (clientssl != NULL) 4492 SSL_shutdown(clientssl); 4493 if (serverssl != NULL) 4494 SSL_shutdown(serverssl); 4495 SSL_free(serverssl); 4496 SSL_free(clientssl); 4497 SSL_CTX_free(sctx); 4498 SSL_CTX_free(cctx); 4499 return testresult; 4500 } 4501 4502 /* 4503 * Test that a server that doesn't try to read early data can handle a 4504 * client sending some. 4505 */ 4506 static int test_early_data_not_expected(int idx) 4507 { 4508 SSL_CTX *cctx = NULL, *sctx = NULL; 4509 SSL *clientssl = NULL, *serverssl = NULL; 4510 int testresult = 0; 4511 SSL_SESSION *sess = NULL; 4512 unsigned char buf[20]; 4513 size_t readbytes, written; 4514 4515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4516 &serverssl, &sess, idx, 4517 SHA384_DIGEST_LENGTH))) 4518 goto end; 4519 4520 /* Write some early data */ 4521 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 4522 &written))) 4523 goto end; 4524 4525 /* 4526 * Server should skip over early data and then block waiting for client to 4527 * continue handshake 4528 */ 4529 if (!TEST_int_le(SSL_accept(serverssl), 0) 4530 || !TEST_int_gt(SSL_connect(clientssl), 0) 4531 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4532 SSL_EARLY_DATA_REJECTED) 4533 || !TEST_int_gt(SSL_accept(serverssl), 0) 4534 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4535 SSL_EARLY_DATA_REJECTED)) 4536 goto end; 4537 4538 /* Send some normal data from client to server */ 4539 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) 4540 || !TEST_size_t_eq(written, strlen(MSG2))) 4541 goto end; 4542 4543 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4544 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4545 goto end; 4546 4547 testresult = 1; 4548 4549 end: 4550 SSL_SESSION_free(sess); 4551 SSL_SESSION_free(clientpsk); 4552 SSL_SESSION_free(serverpsk); 4553 clientpsk = serverpsk = NULL; 4554 SSL_free(serverssl); 4555 SSL_free(clientssl); 4556 SSL_CTX_free(sctx); 4557 SSL_CTX_free(cctx); 4558 return testresult; 4559 } 4560 4561 4562 # ifndef OPENSSL_NO_TLS1_2 4563 /* 4564 * Test that a server attempting to read early data can handle a connection 4565 * from a TLSv1.2 client. 4566 */ 4567 static int test_early_data_tls1_2(int idx) 4568 { 4569 SSL_CTX *cctx = NULL, *sctx = NULL; 4570 SSL *clientssl = NULL, *serverssl = NULL; 4571 int testresult = 0; 4572 unsigned char buf[20]; 4573 size_t readbytes, written; 4574 4575 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 4576 &serverssl, NULL, idx, 4577 SHA384_DIGEST_LENGTH))) 4578 goto end; 4579 4580 /* Write some data - should block due to handshake with server */ 4581 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION); 4582 SSL_set_connect_state(clientssl); 4583 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))) 4584 goto end; 4585 4586 /* 4587 * Server should do TLSv1.2 handshake. First it will block waiting for more 4588 * messages from client after ServerDone. Then SSL_read_early_data should 4589 * finish and detect that early data has not been sent 4590 */ 4591 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4592 &readbytes), 4593 SSL_READ_EARLY_DATA_ERROR)) 4594 goto end; 4595 4596 /* 4597 * Continue writing the message we started earlier. Will still block waiting 4598 * for the CCS/Finished from server 4599 */ 4600 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 4602 &readbytes), 4603 SSL_READ_EARLY_DATA_FINISH) 4604 || !TEST_size_t_eq(readbytes, 0) 4605 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 4606 SSL_EARLY_DATA_NOT_SENT)) 4607 goto end; 4608 4609 /* Continue writing the message we started earlier */ 4610 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)) 4611 || !TEST_size_t_eq(written, strlen(MSG1)) 4612 || !TEST_int_eq(SSL_get_early_data_status(clientssl), 4613 SSL_EARLY_DATA_NOT_SENT) 4614 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 4615 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) 4616 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)) 4617 || !TEST_size_t_eq(written, strlen(MSG2)) 4618 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes) 4619 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) 4620 goto end; 4621 4622 testresult = 1; 4623 4624 end: 4625 SSL_SESSION_free(clientpsk); 4626 SSL_SESSION_free(serverpsk); 4627 clientpsk = serverpsk = NULL; 4628 SSL_free(serverssl); 4629 SSL_free(clientssl); 4630 SSL_CTX_free(sctx); 4631 SSL_CTX_free(cctx); 4632 4633 return testresult; 4634 } 4635 # endif /* OPENSSL_NO_TLS1_2 */ 4636 4637 /* 4638 * Test configuring the TLSv1.3 ciphersuites 4639 * 4640 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list) 4641 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list) 4642 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list) 4643 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list) 4644 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 4645 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list) 4646 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list) 4647 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list) 4648 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list) 4649 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list) 4650 */ 4651 static int test_set_ciphersuite(int idx) 4652 { 4653 SSL_CTX *cctx = NULL, *sctx = NULL; 4654 SSL *clientssl = NULL, *serverssl = NULL; 4655 int testresult = 0; 4656 4657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4658 TLS_client_method(), TLS1_VERSION, 0, 4659 &sctx, &cctx, cert, privkey)) 4660 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4661 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) 4662 goto end; 4663 4664 if (idx >=4 && idx <= 7) { 4665 /* SSL_CTX explicit cipher list */ 4666 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384"))) 4667 goto end; 4668 } 4669 4670 if (idx == 0 || idx == 4) { 4671 /* Default ciphersuite */ 4672 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4673 "TLS_AES_128_GCM_SHA256"))) 4674 goto end; 4675 } else if (idx == 1 || idx == 5) { 4676 /* Non default ciphersuite */ 4677 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4678 "TLS_AES_128_CCM_SHA256"))) 4679 goto end; 4680 } 4681 4682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4683 &clientssl, NULL, NULL))) 4684 goto end; 4685 4686 if (idx == 8 || idx == 9) { 4687 /* SSL explicit cipher list */ 4688 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))) 4689 goto end; 4690 } 4691 4692 if (idx == 2 || idx == 6 || idx == 8) { 4693 /* Default ciphersuite */ 4694 if (!TEST_true(SSL_set_ciphersuites(clientssl, 4695 "TLS_AES_128_GCM_SHA256"))) 4696 goto end; 4697 } else if (idx == 3 || idx == 7 || idx == 9) { 4698 /* Non default ciphersuite */ 4699 if (!TEST_true(SSL_set_ciphersuites(clientssl, 4700 "TLS_AES_128_CCM_SHA256"))) 4701 goto end; 4702 } 4703 4704 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 4705 goto end; 4706 4707 testresult = 1; 4708 4709 end: 4710 SSL_free(serverssl); 4711 SSL_free(clientssl); 4712 SSL_CTX_free(sctx); 4713 SSL_CTX_free(cctx); 4714 4715 return testresult; 4716 } 4717 4718 static int test_ciphersuite_change(void) 4719 { 4720 SSL_CTX *cctx = NULL, *sctx = NULL; 4721 SSL *clientssl = NULL, *serverssl = NULL; 4722 SSL_SESSION *clntsess = NULL; 4723 int testresult = 0; 4724 const SSL_CIPHER *aes_128_gcm_sha256 = NULL; 4725 4726 /* Create a session based on SHA-256 */ 4727 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4728 TLS_client_method(), TLS1_VERSION, 0, 4729 &sctx, &cctx, cert, privkey)) 4730 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4731 "TLS_AES_128_GCM_SHA256:" 4732 "TLS_AES_256_GCM_SHA384:" 4733 "TLS_AES_128_CCM_SHA256")) 4734 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, 4735 "TLS_AES_128_GCM_SHA256")) 4736 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4737 &clientssl, NULL, NULL)) 4738 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4739 SSL_ERROR_NONE))) 4740 goto end; 4741 4742 clntsess = SSL_get1_session(clientssl); 4743 /* Save for later */ 4744 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess); 4745 SSL_shutdown(clientssl); 4746 SSL_shutdown(serverssl); 4747 SSL_free(serverssl); 4748 SSL_free(clientssl); 4749 serverssl = clientssl = NULL; 4750 4751 /* Check we can resume a session with a different SHA-256 ciphersuite */ 4752 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4753 "TLS_AES_128_CCM_SHA256")) 4754 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4755 &clientssl, NULL, NULL)) 4756 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4757 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4758 SSL_ERROR_NONE)) 4759 || !TEST_true(SSL_session_reused(clientssl))) 4760 goto end; 4761 4762 SSL_SESSION_free(clntsess); 4763 clntsess = SSL_get1_session(clientssl); 4764 SSL_shutdown(clientssl); 4765 SSL_shutdown(serverssl); 4766 SSL_free(serverssl); 4767 SSL_free(clientssl); 4768 serverssl = clientssl = NULL; 4769 4770 /* 4771 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites 4772 * succeeds but does not resume. 4773 */ 4774 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 4775 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4776 NULL, NULL)) 4777 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4778 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4779 SSL_ERROR_SSL)) 4780 || !TEST_false(SSL_session_reused(clientssl))) 4781 goto end; 4782 4783 SSL_SESSION_free(clntsess); 4784 clntsess = NULL; 4785 SSL_shutdown(clientssl); 4786 SSL_shutdown(serverssl); 4787 SSL_free(serverssl); 4788 SSL_free(clientssl); 4789 serverssl = clientssl = NULL; 4790 4791 /* Create a session based on SHA384 */ 4792 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384")) 4793 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 4794 &clientssl, NULL, NULL)) 4795 || !TEST_true(create_ssl_connection(serverssl, clientssl, 4796 SSL_ERROR_NONE))) 4797 goto end; 4798 4799 clntsess = SSL_get1_session(clientssl); 4800 SSL_shutdown(clientssl); 4801 SSL_shutdown(serverssl); 4802 SSL_free(serverssl); 4803 SSL_free(clientssl); 4804 serverssl = clientssl = NULL; 4805 4806 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4807 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384")) 4808 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, 4809 "TLS_AES_256_GCM_SHA384")) 4810 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4811 NULL, NULL)) 4812 || !TEST_true(SSL_set_session(clientssl, clntsess)) 4813 /* 4814 * We use SSL_ERROR_WANT_READ below so that we can pause the 4815 * connection after the initial ClientHello has been sent to 4816 * enable us to make some session changes. 4817 */ 4818 || !TEST_false(create_ssl_connection(serverssl, clientssl, 4819 SSL_ERROR_WANT_READ))) 4820 goto end; 4821 4822 /* Trick the client into thinking this session is for a different digest */ 4823 clntsess->cipher = aes_128_gcm_sha256; 4824 clntsess->cipher_id = clntsess->cipher->id; 4825 4826 /* 4827 * Continue the previously started connection. Server has selected a SHA-384 4828 * ciphersuite, but client thinks the session is for SHA-256, so it should 4829 * bail out. 4830 */ 4831 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 4832 SSL_ERROR_SSL)) 4833 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), 4834 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)) 4835 goto end; 4836 4837 testresult = 1; 4838 4839 end: 4840 SSL_SESSION_free(clntsess); 4841 SSL_free(serverssl); 4842 SSL_free(clientssl); 4843 SSL_CTX_free(sctx); 4844 SSL_CTX_free(cctx); 4845 4846 return testresult; 4847 } 4848 4849 /* 4850 * Test TLSv1.3 Key exchange 4851 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server 4852 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server 4853 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server 4854 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server 4855 * Test 4 = Test NID_X25519 with TLSv1.3 client and server 4856 * Test 5 = Test NID_X448 with TLSv1.3 client and server 4857 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server 4858 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server 4859 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server 4860 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server 4861 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server 4862 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server 4863 * Test 12 = Test all ECDHE with TLSv1.2 client and server 4864 * Test 13 = Test all FFDHE with TLSv1.2 client and server 4865 */ 4866 # ifndef OPENSSL_NO_EC 4867 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, 4868 NID_secp521r1, NID_X25519, NID_X448}; 4869 # endif 4870 # ifndef OPENSSL_NO_DH 4871 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, 4872 NID_ffdhe6144, NID_ffdhe8192}; 4873 # endif 4874 static int test_key_exchange(int idx) 4875 { 4876 SSL_CTX *sctx = NULL, *cctx = NULL; 4877 SSL *serverssl = NULL, *clientssl = NULL; 4878 int testresult = 0; 4879 int kexch_alg; 4880 int *kexch_groups = &kexch_alg; 4881 int kexch_groups_size = 1; 4882 int max_version = TLS1_3_VERSION; 4883 char *kexch_name0 = NULL; 4884 4885 switch (idx) { 4886 # ifndef OPENSSL_NO_EC 4887 # ifndef OPENSSL_NO_TLS1_2 4888 case 12: 4889 max_version = TLS1_2_VERSION; 4890 # endif 4891 /* Fall through */ 4892 case 0: 4893 kexch_groups = ecdhe_kexch_groups; 4894 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); 4895 kexch_name0 = "secp256r1"; 4896 break; 4897 case 1: 4898 kexch_alg = NID_X9_62_prime256v1; 4899 kexch_name0 = "secp256r1"; 4900 break; 4901 case 2: 4902 kexch_alg = NID_secp384r1; 4903 kexch_name0 = "secp384r1"; 4904 break; 4905 case 3: 4906 kexch_alg = NID_secp521r1; 4907 kexch_name0 = "secp521r1"; 4908 break; 4909 case 4: 4910 if (is_fips) 4911 return TEST_skip("X25519 might not be supported by fips provider."); 4912 kexch_alg = NID_X25519; 4913 kexch_name0 = "x25519"; 4914 break; 4915 case 5: 4916 if (is_fips) 4917 return TEST_skip("X448 might not be supported by fips provider."); 4918 kexch_alg = NID_X448; 4919 kexch_name0 = "x448"; 4920 break; 4921 # endif 4922 # ifndef OPENSSL_NO_DH 4923 # ifndef OPENSSL_NO_TLS1_2 4924 case 13: 4925 max_version = TLS1_2_VERSION; 4926 kexch_name0 = "ffdhe2048"; 4927 # endif 4928 /* Fall through */ 4929 case 6: 4930 kexch_groups = ffdhe_kexch_groups; 4931 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); 4932 kexch_name0 = "ffdhe2048"; 4933 break; 4934 case 7: 4935 kexch_alg = NID_ffdhe2048; 4936 kexch_name0 = "ffdhe2048"; 4937 break; 4938 case 8: 4939 kexch_alg = NID_ffdhe3072; 4940 kexch_name0 = "ffdhe3072"; 4941 break; 4942 case 9: 4943 kexch_alg = NID_ffdhe4096; 4944 kexch_name0 = "ffdhe4096"; 4945 break; 4946 case 10: 4947 kexch_alg = NID_ffdhe6144; 4948 kexch_name0 = "ffdhe6144"; 4949 break; 4950 case 11: 4951 kexch_alg = NID_ffdhe8192; 4952 kexch_name0 = "ffdhe8192"; 4953 break; 4954 # endif 4955 default: 4956 /* We're skipping this test */ 4957 return 1; 4958 } 4959 4960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 4961 TLS_client_method(), TLS1_VERSION, 4962 max_version, &sctx, &cctx, cert, 4963 privkey))) 4964 goto end; 4965 4966 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, 4967 TLS1_3_RFC_AES_128_GCM_SHA256))) 4968 goto end; 4969 4970 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 4971 TLS1_3_RFC_AES_128_GCM_SHA256))) 4972 goto end; 4973 4974 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, 4975 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 4976 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)) 4977 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 4978 goto end; 4979 4980 /* 4981 * Must include an EC ciphersuite so that we send supported groups in 4982 * TLSv1.2 4983 */ 4984 # ifndef OPENSSL_NO_TLS1_2 4985 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 4986 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 4987 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))) 4988 goto end; 4989 # endif 4990 4991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 4992 NULL, NULL))) 4993 goto end; 4994 4995 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size)) 4996 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size))) 4997 goto end; 4998 4999 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 5000 goto end; 5001 5002 /* 5003 * If Handshake succeeds the negotiated kexch alg should be the first one in 5004 * configured, except in the case of FFDHE groups (idx 13), which are 5005 * TLSv1.3 only so we expect no shared group to exist. 5006 */ 5007 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), 5008 idx == 13 ? 0 : kexch_groups[0])) 5009 goto end; 5010 5011 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]), 5012 kexch_name0)) 5013 goto end; 5014 5015 /* We don't implement RFC 7919 named groups for TLS 1.2. */ 5016 if (idx != 13) { 5017 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0])) 5018 goto end; 5019 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0])) 5020 goto end; 5021 } 5022 5023 testresult = 1; 5024 end: 5025 SSL_free(serverssl); 5026 SSL_free(clientssl); 5027 SSL_CTX_free(sctx); 5028 SSL_CTX_free(cctx); 5029 return testresult; 5030 } 5031 5032 # if !defined(OPENSSL_NO_TLS1_2) \ 5033 && !defined(OPENSSL_NO_EC) \ 5034 && !defined(OPENSSL_NO_DH) 5035 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti, 5036 int isecdhe, int idx) 5037 { 5038 int kexch_alg; 5039 int *kexch_groups = &kexch_alg; 5040 int numec, numff; 5041 5042 numec = OSSL_NELEM(ecdhe_kexch_groups); 5043 numff = OSSL_NELEM(ffdhe_kexch_groups); 5044 if (isecdhe) 5045 kexch_alg = ecdhe_kexch_groups[idx]; 5046 else 5047 kexch_alg = ffdhe_kexch_groups[idx]; 5048 5049 if (clientmulti) { 5050 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1))) 5051 return 0; 5052 if (isecdhe) { 5053 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups, 5054 numec))) 5055 return 0; 5056 } else { 5057 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups, 5058 numff))) 5059 return 0; 5060 } 5061 } else { 5062 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1))) 5063 return 0; 5064 if (isecdhe) { 5065 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups, 5066 numec))) 5067 return 0; 5068 } else { 5069 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups, 5070 numff))) 5071 return 0; 5072 } 5073 } 5074 return 1; 5075 } 5076 5077 /*- 5078 * Test the SSL_get_negotiated_group() API across a battery of scenarios. 5079 * Run through both the ECDHE and FFDHE group lists used in the previous 5080 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn, 5081 * confirming the expected result; then perform a resumption handshake 5082 * while offering the same group list, and another resumption handshake 5083 * offering a different group list. The returned value should be the 5084 * negotiated group for the initial handshake; for TLS 1.3 resumption 5085 * handshakes the returned value will be negotiated on the resumption 5086 * handshake itself, but for TLS 1.2 resumption handshakes the value will 5087 * be cached in the session from the original handshake, regardless of what 5088 * was offered in the resumption ClientHello. 5089 * 5090 * Using E for the number of EC groups and F for the number of FF groups: 5091 * E tests of ECDHE with TLS 1.3, server only has one group 5092 * F tests of FFDHE with TLS 1.3, server only has one group 5093 * E tests of ECDHE with TLS 1.2, server only has one group 5094 * F tests of FFDHE with TLS 1.2, server only has one group 5095 * E tests of ECDHE with TLS 1.3, client sends only one group 5096 * F tests of FFDHE with TLS 1.3, client sends only one group 5097 * E tests of ECDHE with TLS 1.2, client sends only one group 5098 * F tests of FFDHE with TLS 1.2, client sends only one group 5099 */ 5100 static int test_negotiated_group(int idx) 5101 { 5102 int clientmulti, istls13, isecdhe, numec, numff, numgroups; 5103 int expectednid; 5104 SSL_CTX *sctx = NULL, *cctx = NULL; 5105 SSL *serverssl = NULL, *clientssl = NULL; 5106 SSL_SESSION *origsess = NULL; 5107 int testresult = 0; 5108 int kexch_alg; 5109 int max_version = TLS1_3_VERSION; 5110 5111 numec = OSSL_NELEM(ecdhe_kexch_groups); 5112 numff = OSSL_NELEM(ffdhe_kexch_groups); 5113 numgroups = numec + numff; 5114 clientmulti = (idx < 2 * numgroups); 5115 idx = idx % (2 * numgroups); 5116 istls13 = (idx < numgroups); 5117 idx = idx % numgroups; 5118 isecdhe = (idx < numec); 5119 if (!isecdhe) 5120 idx -= numec; 5121 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */ 5122 if (isecdhe) 5123 kexch_alg = ecdhe_kexch_groups[idx]; 5124 else 5125 kexch_alg = ffdhe_kexch_groups[idx]; 5126 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */ 5127 if (!istls13 && !isecdhe) 5128 expectednid = NID_undef; 5129 else 5130 expectednid = kexch_alg; 5131 5132 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448)) 5133 return TEST_skip("X25519 and X448 might not be available in fips provider."); 5134 5135 if (!istls13) 5136 max_version = TLS1_2_VERSION; 5137 5138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5139 TLS_client_method(), TLS1_VERSION, 5140 max_version, &sctx, &cctx, cert, 5141 privkey))) 5142 goto end; 5143 5144 /* 5145 * Force (EC)DHE ciphers for TLS 1.2. 5146 * Be sure to enable auto tmp DH so that FFDHE can succeed. 5147 */ 5148 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, 5149 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 5150 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)) 5151 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 5152 goto end; 5153 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 5154 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" 5155 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))) 5156 goto end; 5157 5158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5159 NULL, NULL))) 5160 goto end; 5161 5162 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe, 5163 idx))) 5164 goto end; 5165 5166 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 5167 goto end; 5168 5169 /* Initial handshake; always the configured one */ 5170 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5171 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5172 goto end; 5173 5174 if (!TEST_ptr((origsess = SSL_get1_session(clientssl)))) 5175 goto end; 5176 5177 SSL_shutdown(clientssl); 5178 SSL_shutdown(serverssl); 5179 SSL_free(serverssl); 5180 SSL_free(clientssl); 5181 serverssl = clientssl = NULL; 5182 5183 /* First resumption attempt; use the same config as initial handshake */ 5184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5185 NULL, NULL)) 5186 || !TEST_true(SSL_set_session(clientssl, origsess)) 5187 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, 5188 isecdhe, idx))) 5189 goto end; 5190 5191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5192 || !TEST_true(SSL_session_reused(clientssl))) 5193 goto end; 5194 5195 /* Still had better agree, since nothing changed... */ 5196 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5197 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5198 goto end; 5199 5200 SSL_shutdown(clientssl); 5201 SSL_shutdown(serverssl); 5202 SSL_free(serverssl); 5203 SSL_free(clientssl); 5204 serverssl = clientssl = NULL; 5205 5206 /*- 5207 * Second resumption attempt 5208 * The party that picks one group changes it, which we effectuate by 5209 * changing 'idx' and updating what we expect. 5210 */ 5211 if (idx == 0) 5212 idx = 1; 5213 else 5214 idx--; 5215 if (istls13) { 5216 if (isecdhe) 5217 expectednid = ecdhe_kexch_groups[idx]; 5218 else 5219 expectednid = ffdhe_kexch_groups[idx]; 5220 /* Verify that we are changing what we expect. */ 5221 if (!TEST_int_ne(expectednid, kexch_alg)) 5222 goto end; 5223 } else { 5224 /* TLS 1.2 only supports named groups for ECDHE. */ 5225 if (isecdhe) 5226 expectednid = kexch_alg; 5227 else 5228 expectednid = 0; 5229 } 5230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5231 NULL, NULL)) 5232 || !TEST_true(SSL_set_session(clientssl, origsess)) 5233 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, 5234 isecdhe, idx))) 5235 goto end; 5236 5237 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5238 || !TEST_true(SSL_session_reused(clientssl))) 5239 goto end; 5240 5241 /* Check that we get what we expected */ 5242 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid) 5243 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)) 5244 goto end; 5245 5246 testresult = 1; 5247 end: 5248 SSL_free(serverssl); 5249 SSL_free(clientssl); 5250 SSL_CTX_free(sctx); 5251 SSL_CTX_free(cctx); 5252 SSL_SESSION_free(origsess); 5253 return testresult; 5254 } 5255 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */ 5256 5257 /* 5258 * Test TLSv1.3 Cipher Suite 5259 * Test 0 = Set TLS1.3 cipher on context 5260 * Test 1 = Set TLS1.3 cipher on SSL 5261 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context 5262 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL 5263 */ 5264 static int test_tls13_ciphersuite(int idx) 5265 { 5266 SSL_CTX *sctx = NULL, *cctx = NULL; 5267 SSL *serverssl = NULL, *clientssl = NULL; 5268 static const struct { 5269 const char *ciphername; 5270 int fipscapable; 5271 } t13_ciphers[] = { 5272 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 }, 5273 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 }, 5274 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 }, 5275 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 5276 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, 5277 { TLS1_3_RFC_AES_256_GCM_SHA384 5278 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, 5279 # endif 5280 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 } 5281 }; 5282 const char *t13_cipher = NULL; 5283 const char *t12_cipher = NULL; 5284 const char *negotiated_scipher; 5285 const char *negotiated_ccipher; 5286 int set_at_ctx = 0; 5287 int set_at_ssl = 0; 5288 int testresult = 0; 5289 int max_ver; 5290 size_t i; 5291 5292 switch (idx) { 5293 case 0: 5294 set_at_ctx = 1; 5295 break; 5296 case 1: 5297 set_at_ssl = 1; 5298 break; 5299 case 2: 5300 set_at_ctx = 1; 5301 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256; 5302 break; 5303 case 3: 5304 set_at_ssl = 1; 5305 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256; 5306 break; 5307 } 5308 5309 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) { 5310 # ifdef OPENSSL_NO_TLS1_2 5311 if (max_ver == TLS1_2_VERSION) 5312 continue; 5313 # endif 5314 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) { 5315 if (is_fips && !t13_ciphers[i].fipscapable) 5316 continue; 5317 t13_cipher = t13_ciphers[i].ciphername; 5318 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5319 TLS_client_method(), 5320 TLS1_VERSION, max_ver, 5321 &sctx, &cctx, cert, privkey))) 5322 goto end; 5323 5324 if (set_at_ctx) { 5325 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher)) 5326 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher))) 5327 goto end; 5328 if (t12_cipher != NULL) { 5329 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher)) 5330 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 5331 t12_cipher))) 5332 goto end; 5333 } 5334 } 5335 5336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 5337 &clientssl, NULL, NULL))) 5338 goto end; 5339 5340 if (set_at_ssl) { 5341 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher)) 5342 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher))) 5343 goto end; 5344 if (t12_cipher != NULL) { 5345 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher)) 5346 || !TEST_true(SSL_set_cipher_list(clientssl, 5347 t12_cipher))) 5348 goto end; 5349 } 5350 } 5351 5352 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 5353 SSL_ERROR_NONE))) 5354 goto end; 5355 5356 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 5357 serverssl)); 5358 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher( 5359 clientssl)); 5360 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher)) 5361 goto end; 5362 5363 /* 5364 * TEST_strn_eq is used below because t13_cipher can contain 5365 * multiple ciphersuites 5366 */ 5367 if (max_ver == TLS1_3_VERSION 5368 && !TEST_strn_eq(t13_cipher, negotiated_scipher, 5369 strlen(negotiated_scipher))) 5370 goto end; 5371 5372 # ifndef OPENSSL_NO_TLS1_2 5373 /* Below validation is not done when t12_cipher is NULL */ 5374 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL 5375 && !TEST_str_eq(t12_cipher, negotiated_scipher)) 5376 goto end; 5377 # endif 5378 5379 SSL_free(serverssl); 5380 serverssl = NULL; 5381 SSL_free(clientssl); 5382 clientssl = NULL; 5383 SSL_CTX_free(sctx); 5384 sctx = NULL; 5385 SSL_CTX_free(cctx); 5386 cctx = NULL; 5387 } 5388 } 5389 5390 testresult = 1; 5391 end: 5392 SSL_free(serverssl); 5393 SSL_free(clientssl); 5394 SSL_CTX_free(sctx); 5395 SSL_CTX_free(cctx); 5396 return testresult; 5397 } 5398 5399 /* 5400 * Test TLSv1.3 PSKs 5401 * Test 0 = Test new style callbacks 5402 * Test 1 = Test both new and old style callbacks 5403 * Test 2 = Test old style callbacks 5404 * Test 3 = Test old style callbacks with no certificate 5405 */ 5406 static int test_tls13_psk(int idx) 5407 { 5408 SSL_CTX *sctx = NULL, *cctx = NULL; 5409 SSL *serverssl = NULL, *clientssl = NULL; 5410 const SSL_CIPHER *cipher = NULL; 5411 const unsigned char key[] = { 5412 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 5413 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 5414 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 5415 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f 5416 }; 5417 int testresult = 0; 5418 5419 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5420 TLS_client_method(), TLS1_VERSION, 0, 5421 &sctx, &cctx, idx == 3 ? NULL : cert, 5422 idx == 3 ? NULL : privkey))) 5423 goto end; 5424 5425 if (idx != 3) { 5426 /* 5427 * We use a ciphersuite with SHA256 to ease testing old style PSK 5428 * callbacks which will always default to SHA256. This should not be 5429 * necessary if we have no cert/priv key. In that case the server should 5430 * prefer SHA256 automatically. 5431 */ 5432 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 5433 "TLS_AES_128_GCM_SHA256"))) 5434 goto end; 5435 } else { 5436 /* 5437 * As noted above the server should prefer SHA256 automatically. However 5438 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same 5439 * code works even if we are testing with only the FIPS provider loaded. 5440 */ 5441 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 5442 "TLS_AES_256_GCM_SHA384:" 5443 "TLS_AES_128_GCM_SHA256"))) 5444 goto end; 5445 } 5446 5447 /* 5448 * Test 0: New style callbacks only 5449 * Test 1: New and old style callbacks (only the new ones should be used) 5450 * Test 2: Old style callbacks only 5451 */ 5452 if (idx == 0 || idx == 1) { 5453 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 5454 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 5455 } 5456 #ifndef OPENSSL_NO_PSK 5457 if (idx >= 1) { 5458 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); 5459 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); 5460 } 5461 #endif 5462 srvid = pskid; 5463 use_session_cb_cnt = 0; 5464 find_session_cb_cnt = 0; 5465 psk_client_cb_cnt = 0; 5466 psk_server_cb_cnt = 0; 5467 5468 if (idx != 3) { 5469 /* 5470 * Check we can create a connection if callback decides not to send a 5471 * PSK 5472 */ 5473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5474 NULL, NULL)) 5475 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5476 SSL_ERROR_NONE)) 5477 || !TEST_false(SSL_session_reused(clientssl)) 5478 || !TEST_false(SSL_session_reused(serverssl))) 5479 goto end; 5480 5481 if (idx == 0 || idx == 1) { 5482 if (!TEST_true(use_session_cb_cnt == 1) 5483 || !TEST_true(find_session_cb_cnt == 0) 5484 /* 5485 * If no old style callback then below should be 0 5486 * otherwise 1 5487 */ 5488 || !TEST_true(psk_client_cb_cnt == idx) 5489 || !TEST_true(psk_server_cb_cnt == 0)) 5490 goto end; 5491 } else { 5492 if (!TEST_true(use_session_cb_cnt == 0) 5493 || !TEST_true(find_session_cb_cnt == 0) 5494 || !TEST_true(psk_client_cb_cnt == 1) 5495 || !TEST_true(psk_server_cb_cnt == 0)) 5496 goto end; 5497 } 5498 5499 shutdown_ssl_connection(serverssl, clientssl); 5500 serverssl = clientssl = NULL; 5501 use_session_cb_cnt = psk_client_cb_cnt = 0; 5502 } 5503 5504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5505 NULL, NULL))) 5506 goto end; 5507 5508 /* Create the PSK */ 5509 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); 5510 clientpsk = SSL_SESSION_new(); 5511 if (!TEST_ptr(clientpsk) 5512 || !TEST_ptr(cipher) 5513 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, 5514 sizeof(key))) 5515 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) 5516 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, 5517 TLS1_3_VERSION)) 5518 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) 5519 goto end; 5520 serverpsk = clientpsk; 5521 5522 /* Check we can create a connection and the PSK is used */ 5523 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5524 || !TEST_true(SSL_session_reused(clientssl)) 5525 || !TEST_true(SSL_session_reused(serverssl))) 5526 goto end; 5527 5528 if (idx == 0 || idx == 1) { 5529 if (!TEST_true(use_session_cb_cnt == 1) 5530 || !TEST_true(find_session_cb_cnt == 1) 5531 || !TEST_true(psk_client_cb_cnt == 0) 5532 || !TEST_true(psk_server_cb_cnt == 0)) 5533 goto end; 5534 } else { 5535 if (!TEST_true(use_session_cb_cnt == 0) 5536 || !TEST_true(find_session_cb_cnt == 0) 5537 || !TEST_true(psk_client_cb_cnt == 1) 5538 || !TEST_true(psk_server_cb_cnt == 1)) 5539 goto end; 5540 } 5541 5542 shutdown_ssl_connection(serverssl, clientssl); 5543 serverssl = clientssl = NULL; 5544 use_session_cb_cnt = find_session_cb_cnt = 0; 5545 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5546 5547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5548 NULL, NULL))) 5549 goto end; 5550 5551 /* Force an HRR */ 5552 #if defined(OPENSSL_NO_EC) 5553 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) 5554 goto end; 5555 #else 5556 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) 5557 goto end; 5558 #endif 5559 5560 /* 5561 * Check we can create a connection, the PSK is used and the callbacks are 5562 * called twice. 5563 */ 5564 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5565 || !TEST_true(SSL_session_reused(clientssl)) 5566 || !TEST_true(SSL_session_reused(serverssl))) 5567 goto end; 5568 5569 if (idx == 0 || idx == 1) { 5570 if (!TEST_true(use_session_cb_cnt == 2) 5571 || !TEST_true(find_session_cb_cnt == 2) 5572 || !TEST_true(psk_client_cb_cnt == 0) 5573 || !TEST_true(psk_server_cb_cnt == 0)) 5574 goto end; 5575 } else { 5576 if (!TEST_true(use_session_cb_cnt == 0) 5577 || !TEST_true(find_session_cb_cnt == 0) 5578 || !TEST_true(psk_client_cb_cnt == 2) 5579 || !TEST_true(psk_server_cb_cnt == 2)) 5580 goto end; 5581 } 5582 5583 shutdown_ssl_connection(serverssl, clientssl); 5584 serverssl = clientssl = NULL; 5585 use_session_cb_cnt = find_session_cb_cnt = 0; 5586 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5587 5588 if (idx != 3) { 5589 /* 5590 * Check that if the server rejects the PSK we can still connect, but with 5591 * a full handshake 5592 */ 5593 srvid = "Dummy Identity"; 5594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5595 NULL, NULL)) 5596 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5597 SSL_ERROR_NONE)) 5598 || !TEST_false(SSL_session_reused(clientssl)) 5599 || !TEST_false(SSL_session_reused(serverssl))) 5600 goto end; 5601 5602 if (idx == 0 || idx == 1) { 5603 if (!TEST_true(use_session_cb_cnt == 1) 5604 || !TEST_true(find_session_cb_cnt == 1) 5605 || !TEST_true(psk_client_cb_cnt == 0) 5606 /* 5607 * If no old style callback then below should be 0 5608 * otherwise 1 5609 */ 5610 || !TEST_true(psk_server_cb_cnt == idx)) 5611 goto end; 5612 } else { 5613 if (!TEST_true(use_session_cb_cnt == 0) 5614 || !TEST_true(find_session_cb_cnt == 0) 5615 || !TEST_true(psk_client_cb_cnt == 1) 5616 || !TEST_true(psk_server_cb_cnt == 1)) 5617 goto end; 5618 } 5619 5620 shutdown_ssl_connection(serverssl, clientssl); 5621 serverssl = clientssl = NULL; 5622 } 5623 testresult = 1; 5624 5625 end: 5626 SSL_SESSION_free(clientpsk); 5627 SSL_SESSION_free(serverpsk); 5628 clientpsk = serverpsk = NULL; 5629 SSL_free(serverssl); 5630 SSL_free(clientssl); 5631 SSL_CTX_free(sctx); 5632 SSL_CTX_free(cctx); 5633 return testresult; 5634 } 5635 5636 static unsigned char cookie_magic_value[] = "cookie magic"; 5637 5638 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie, 5639 unsigned int *cookie_len) 5640 { 5641 /* 5642 * Not suitable as a real cookie generation function but good enough for 5643 * testing! 5644 */ 5645 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1); 5646 *cookie_len = sizeof(cookie_magic_value) - 1; 5647 5648 return 1; 5649 } 5650 5651 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, 5652 unsigned int cookie_len) 5653 { 5654 if (cookie_len == sizeof(cookie_magic_value) - 1 5655 && memcmp(cookie, cookie_magic_value, cookie_len) == 0) 5656 return 1; 5657 5658 return 0; 5659 } 5660 5661 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, 5662 size_t *cookie_len) 5663 { 5664 unsigned int temp; 5665 int res = generate_cookie_callback(ssl, cookie, &temp); 5666 *cookie_len = temp; 5667 return res; 5668 } 5669 5670 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, 5671 size_t cookie_len) 5672 { 5673 return verify_cookie_callback(ssl, cookie, cookie_len); 5674 } 5675 5676 static int test_stateless(void) 5677 { 5678 SSL_CTX *sctx = NULL, *cctx = NULL; 5679 SSL *serverssl = NULL, *clientssl = NULL; 5680 int testresult = 0; 5681 5682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5683 TLS_client_method(), TLS1_VERSION, 0, 5684 &sctx, &cctx, cert, privkey))) 5685 goto end; 5686 5687 /* The arrival of CCS messages can confuse the test */ 5688 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 5689 5690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5691 NULL, NULL)) 5692 /* Send the first ClientHello */ 5693 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5694 SSL_ERROR_WANT_READ)) 5695 /* 5696 * This should fail with a -1 return because we have no callbacks 5697 * set up 5698 */ 5699 || !TEST_int_eq(SSL_stateless(serverssl), -1)) 5700 goto end; 5701 5702 /* Fatal error so abandon the connection from this client */ 5703 SSL_free(clientssl); 5704 clientssl = NULL; 5705 5706 /* Set up the cookie generation and verification callbacks */ 5707 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback); 5708 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback); 5709 5710 /* 5711 * Create a new connection from the client (we can reuse the server SSL 5712 * object). 5713 */ 5714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5715 NULL, NULL)) 5716 /* Send the first ClientHello */ 5717 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5718 SSL_ERROR_WANT_READ)) 5719 /* This should fail because there is no cookie */ 5720 || !TEST_int_eq(SSL_stateless(serverssl), 0)) 5721 goto end; 5722 5723 /* Abandon the connection from this client */ 5724 SSL_free(clientssl); 5725 clientssl = NULL; 5726 5727 /* 5728 * Now create a connection from a new client but with the same server SSL 5729 * object 5730 */ 5731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5732 NULL, NULL)) 5733 /* Send the first ClientHello */ 5734 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5735 SSL_ERROR_WANT_READ)) 5736 /* This should fail because there is no cookie */ 5737 || !TEST_int_eq(SSL_stateless(serverssl), 0) 5738 /* Send the second ClientHello */ 5739 || !TEST_false(create_ssl_connection(serverssl, clientssl, 5740 SSL_ERROR_WANT_READ)) 5741 /* This should succeed because a cookie is now present */ 5742 || !TEST_int_eq(SSL_stateless(serverssl), 1) 5743 /* Complete the connection */ 5744 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5745 SSL_ERROR_NONE))) 5746 goto end; 5747 5748 shutdown_ssl_connection(serverssl, clientssl); 5749 serverssl = clientssl = NULL; 5750 testresult = 1; 5751 5752 end: 5753 SSL_free(serverssl); 5754 SSL_free(clientssl); 5755 SSL_CTX_free(sctx); 5756 SSL_CTX_free(cctx); 5757 return testresult; 5758 5759 } 5760 #endif /* OSSL_NO_USABLE_TLS1_3 */ 5761 5762 static int clntaddoldcb = 0; 5763 static int clntparseoldcb = 0; 5764 static int srvaddoldcb = 0; 5765 static int srvparseoldcb = 0; 5766 static int clntaddnewcb = 0; 5767 static int clntparsenewcb = 0; 5768 static int srvaddnewcb = 0; 5769 static int srvparsenewcb = 0; 5770 static int snicb = 0; 5771 5772 #define TEST_EXT_TYPE1 0xff00 5773 5774 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 5775 size_t *outlen, int *al, void *add_arg) 5776 { 5777 int *server = (int *)add_arg; 5778 unsigned char *data; 5779 5780 if (SSL_is_server(s)) 5781 srvaddoldcb++; 5782 else 5783 clntaddoldcb++; 5784 5785 if (*server != SSL_is_server(s) 5786 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 5787 return -1; 5788 5789 *data = 1; 5790 *out = data; 5791 *outlen = sizeof(char); 5792 return 1; 5793 } 5794 5795 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 5796 void *add_arg) 5797 { 5798 OPENSSL_free((unsigned char *)out); 5799 } 5800 5801 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 5802 size_t inlen, int *al, void *parse_arg) 5803 { 5804 int *server = (int *)parse_arg; 5805 5806 if (SSL_is_server(s)) 5807 srvparseoldcb++; 5808 else 5809 clntparseoldcb++; 5810 5811 if (*server != SSL_is_server(s) 5812 || inlen != sizeof(char) 5813 || *in != 1) 5814 return -1; 5815 5816 return 1; 5817 } 5818 5819 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context, 5820 const unsigned char **out, size_t *outlen, X509 *x, 5821 size_t chainidx, int *al, void *add_arg) 5822 { 5823 int *server = (int *)add_arg; 5824 unsigned char *data; 5825 5826 if (SSL_is_server(s)) 5827 srvaddnewcb++; 5828 else 5829 clntaddnewcb++; 5830 5831 if (*server != SSL_is_server(s) 5832 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 5833 return -1; 5834 5835 *data = 1; 5836 *out = data; 5837 *outlen = sizeof(*data); 5838 return 1; 5839 } 5840 5841 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context, 5842 const unsigned char *out, void *add_arg) 5843 { 5844 OPENSSL_free((unsigned char *)out); 5845 } 5846 5847 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context, 5848 const unsigned char *in, size_t inlen, X509 *x, 5849 size_t chainidx, int *al, void *parse_arg) 5850 { 5851 int *server = (int *)parse_arg; 5852 5853 if (SSL_is_server(s)) 5854 srvparsenewcb++; 5855 else 5856 clntparsenewcb++; 5857 5858 if (*server != SSL_is_server(s) 5859 || inlen != sizeof(char) || *in != 1) 5860 return -1; 5861 5862 return 1; 5863 } 5864 5865 static int sni_cb(SSL *s, int *al, void *arg) 5866 { 5867 SSL_CTX *ctx = (SSL_CTX *)arg; 5868 5869 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 5870 *al = SSL_AD_INTERNAL_ERROR; 5871 return SSL_TLSEXT_ERR_ALERT_FATAL; 5872 } 5873 snicb++; 5874 return SSL_TLSEXT_ERR_OK; 5875 } 5876 5877 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 5878 { 5879 return 1; 5880 } 5881 5882 /* 5883 * Custom call back tests. 5884 * Test 0: Old style callbacks in TLSv1.2 5885 * Test 1: New style callbacks in TLSv1.2 5886 * Test 2: New style callbacks in TLSv1.2 with SNI 5887 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE 5888 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST 5889 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert 5890 */ 5891 static int test_custom_exts(int tst) 5892 { 5893 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 5894 SSL *clientssl = NULL, *serverssl = NULL; 5895 int testresult = 0; 5896 static int server = 1; 5897 static int client = 0; 5898 SSL_SESSION *sess = NULL; 5899 unsigned int context; 5900 5901 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 5902 /* Skip tests for TLSv1.2 and below in this case */ 5903 if (tst < 3) 5904 return 1; 5905 #endif 5906 5907 /* Reset callback counters */ 5908 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0; 5909 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; 5910 snicb = 0; 5911 5912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 5913 TLS_client_method(), TLS1_VERSION, 0, 5914 &sctx, &cctx, cert, privkey))) 5915 goto end; 5916 5917 if (tst == 2 5918 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL, 5919 TLS1_VERSION, 0, 5920 &sctx2, NULL, cert, privkey))) 5921 goto end; 5922 5923 5924 if (tst < 3) { 5925 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 5926 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 5927 if (sctx2 != NULL) 5928 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3); 5929 } 5930 5931 if (tst == 5) { 5932 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 5933 | SSL_EXT_TLS1_3_CERTIFICATE; 5934 SSL_CTX_set_verify(sctx, 5935 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 5936 verify_cb); 5937 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert, 5938 SSL_FILETYPE_PEM), 1) 5939 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey, 5940 SSL_FILETYPE_PEM), 1) 5941 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1)) 5942 goto end; 5943 } else if (tst == 4) { 5944 context = SSL_EXT_CLIENT_HELLO 5945 | SSL_EXT_TLS1_2_SERVER_HELLO 5946 | SSL_EXT_TLS1_3_SERVER_HELLO 5947 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 5948 | SSL_EXT_TLS1_3_CERTIFICATE 5949 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET; 5950 } else { 5951 context = SSL_EXT_CLIENT_HELLO 5952 | SSL_EXT_TLS1_2_SERVER_HELLO 5953 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; 5954 } 5955 5956 /* Create a client side custom extension */ 5957 if (tst == 0) { 5958 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 5959 old_add_cb, old_free_cb, 5960 &client, old_parse_cb, 5961 &client))) 5962 goto end; 5963 } else { 5964 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context, 5965 new_add_cb, new_free_cb, 5966 &client, new_parse_cb, &client))) 5967 goto end; 5968 } 5969 5970 /* Should not be able to add duplicates */ 5971 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, 5972 old_add_cb, old_free_cb, 5973 &client, old_parse_cb, 5974 &client)) 5975 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, 5976 context, new_add_cb, 5977 new_free_cb, &client, 5978 new_parse_cb, &client))) 5979 goto end; 5980 5981 /* Create a server side custom extension */ 5982 if (tst == 0) { 5983 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 5984 old_add_cb, old_free_cb, 5985 &server, old_parse_cb, 5986 &server))) 5987 goto end; 5988 } else { 5989 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context, 5990 new_add_cb, new_free_cb, 5991 &server, new_parse_cb, &server))) 5992 goto end; 5993 if (sctx2 != NULL 5994 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1, 5995 context, new_add_cb, 5996 new_free_cb, &server, 5997 new_parse_cb, &server))) 5998 goto end; 5999 } 6000 6001 /* Should not be able to add duplicates */ 6002 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, 6003 old_add_cb, old_free_cb, 6004 &server, old_parse_cb, 6005 &server)) 6006 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, 6007 context, new_add_cb, 6008 new_free_cb, &server, 6009 new_parse_cb, &server))) 6010 goto end; 6011 6012 if (tst == 2) { 6013 /* Set up SNI */ 6014 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 6015 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 6016 goto end; 6017 } 6018 6019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 6020 &clientssl, NULL, NULL)) 6021 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6022 SSL_ERROR_NONE))) 6023 goto end; 6024 6025 if (tst == 0) { 6026 if (clntaddoldcb != 1 6027 || clntparseoldcb != 1 6028 || srvaddoldcb != 1 6029 || srvparseoldcb != 1) 6030 goto end; 6031 } else if (tst == 1 || tst == 2 || tst == 3) { 6032 if (clntaddnewcb != 1 6033 || clntparsenewcb != 1 6034 || srvaddnewcb != 1 6035 || srvparsenewcb != 1 6036 || (tst != 2 && snicb != 0) 6037 || (tst == 2 && snicb != 1)) 6038 goto end; 6039 } else if (tst == 5) { 6040 if (clntaddnewcb != 1 6041 || clntparsenewcb != 1 6042 || srvaddnewcb != 1 6043 || srvparsenewcb != 1) 6044 goto end; 6045 } else { 6046 /* In this case there 2 NewSessionTicket messages created */ 6047 if (clntaddnewcb != 1 6048 || clntparsenewcb != 5 6049 || srvaddnewcb != 5 6050 || srvparsenewcb != 1) 6051 goto end; 6052 } 6053 6054 sess = SSL_get1_session(clientssl); 6055 SSL_shutdown(clientssl); 6056 SSL_shutdown(serverssl); 6057 SSL_free(serverssl); 6058 SSL_free(clientssl); 6059 serverssl = clientssl = NULL; 6060 6061 if (tst == 3 || tst == 5) { 6062 /* We don't bother with the resumption aspects for these tests */ 6063 testresult = 1; 6064 goto end; 6065 } 6066 6067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6068 NULL, NULL)) 6069 || !TEST_true(SSL_set_session(clientssl, sess)) 6070 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6071 SSL_ERROR_NONE))) 6072 goto end; 6073 6074 /* 6075 * For a resumed session we expect to add the ClientHello extension. For the 6076 * old style callbacks we ignore it on the server side because they set 6077 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore 6078 * them. 6079 */ 6080 if (tst == 0) { 6081 if (clntaddoldcb != 2 6082 || clntparseoldcb != 1 6083 || srvaddoldcb != 1 6084 || srvparseoldcb != 1) 6085 goto end; 6086 } else if (tst == 1 || tst == 2 || tst == 3) { 6087 if (clntaddnewcb != 2 6088 || clntparsenewcb != 2 6089 || srvaddnewcb != 2 6090 || srvparsenewcb != 2) 6091 goto end; 6092 } else { 6093 /* 6094 * No Certificate message extensions in the resumption handshake, 6095 * 2 NewSessionTickets in the initial handshake, 1 in the resumption 6096 */ 6097 if (clntaddnewcb != 2 6098 || clntparsenewcb != 8 6099 || srvaddnewcb != 8 6100 || srvparsenewcb != 2) 6101 goto end; 6102 } 6103 6104 testresult = 1; 6105 6106 end: 6107 SSL_SESSION_free(sess); 6108 SSL_free(serverssl); 6109 SSL_free(clientssl); 6110 SSL_CTX_free(sctx2); 6111 SSL_CTX_free(sctx); 6112 SSL_CTX_free(cctx); 6113 return testresult; 6114 } 6115 6116 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 6117 6118 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \ 6119 | SSL_EXT_CLIENT_HELLO \ 6120 | SSL_EXT_TLS1_2_SERVER_HELLO \ 6121 | SSL_EXT_IGNORE_ON_RESUMPTION) 6122 6123 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \ 6124 | SSL_EXT_TLS1_2_SERVER_HELLO \ 6125 | SSL_EXT_CLIENT_HELLO) 6126 6127 #define SERVERINFO_CUSTOM \ 6128 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \ 6129 0x00, 0x03, \ 6130 0x04, 0x05, 0x06 \ 6131 6132 static const unsigned char serverinfo_custom_tls13[] = { 6133 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff, 6134 SERVERINFO_CUSTOM 6135 }; 6136 static const unsigned char serverinfo_custom_v2[] = { 6137 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff, 6138 SERVERINFO_CUSTOM 6139 }; 6140 static const unsigned char serverinfo_custom_v1[] = { 6141 SERVERINFO_CUSTOM 6142 }; 6143 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13); 6144 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2); 6145 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1); 6146 6147 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type, 6148 unsigned int context, 6149 const unsigned char *in, 6150 size_t inlen, X509 *x, 6151 size_t chainidx, int *al, 6152 void *parse_arg) 6153 { 6154 const size_t len = serverinfo_custom_v1_len; 6155 const unsigned char *si = &serverinfo_custom_v1[len - 3]; 6156 int *p_cb_result = (int*)parse_arg; 6157 *p_cb_result = TEST_mem_eq(in, inlen, si, 3); 6158 return 1; 6159 } 6160 6161 static int test_serverinfo_custom(const int idx) 6162 { 6163 SSL_CTX *sctx = NULL, *cctx = NULL; 6164 SSL *clientssl = NULL, *serverssl = NULL; 6165 int testresult = 0; 6166 int cb_result = 0; 6167 6168 /* 6169 * Following variables are set in the switch statement 6170 * according to the test iteration. 6171 * Default values do not make much sense: test would fail with them. 6172 */ 6173 int serverinfo_version = 0; 6174 int protocol_version = 0; 6175 unsigned int extension_context = 0; 6176 const unsigned char *si = NULL; 6177 size_t si_len = 0; 6178 6179 const int call_use_serverinfo_ex = idx > 0; 6180 switch (idx) { 6181 case 0: /* FALLTHROUGH */ 6182 case 1: 6183 serverinfo_version = SSL_SERVERINFOV1; 6184 protocol_version = TLS1_2_VERSION; 6185 extension_context = SYNTHV1CONTEXT; 6186 si = serverinfo_custom_v1; 6187 si_len = serverinfo_custom_v1_len; 6188 break; 6189 case 2: 6190 serverinfo_version = SSL_SERVERINFOV2; 6191 protocol_version = TLS1_2_VERSION; 6192 extension_context = SYNTHV1CONTEXT; 6193 si = serverinfo_custom_v2; 6194 si_len = serverinfo_custom_v2_len; 6195 break; 6196 case 3: 6197 serverinfo_version = SSL_SERVERINFOV2; 6198 protocol_version = TLS1_3_VERSION; 6199 extension_context = TLS13CONTEXT; 6200 si = serverinfo_custom_tls13; 6201 si_len = serverinfo_custom_tls13_len; 6202 break; 6203 } 6204 6205 if (!TEST_true(create_ssl_ctx_pair(libctx, 6206 TLS_method(), 6207 TLS_method(), 6208 protocol_version, 6209 protocol_version, 6210 &sctx, &cctx, cert, privkey))) 6211 goto end; 6212 6213 if (call_use_serverinfo_ex) { 6214 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version, 6215 si, si_len))) 6216 goto end; 6217 } else { 6218 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len))) 6219 goto end; 6220 } 6221 6222 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp, 6223 extension_context, 6224 NULL, NULL, NULL, 6225 serverinfo_custom_parse_cb, 6226 &cb_result)) 6227 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6228 NULL, NULL)) 6229 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6230 SSL_ERROR_NONE)) 6231 || !TEST_int_eq(SSL_do_handshake(clientssl), 1)) 6232 goto end; 6233 6234 if (!TEST_true(cb_result)) 6235 goto end; 6236 6237 testresult = 1; 6238 6239 end: 6240 SSL_free(serverssl); 6241 SSL_free(clientssl); 6242 SSL_CTX_free(sctx); 6243 SSL_CTX_free(cctx); 6244 6245 return testresult; 6246 } 6247 #endif 6248 6249 /* 6250 * Test that SSL_export_keying_material() produces expected results. There are 6251 * no test vectors so all we do is test that both sides of the communication 6252 * produce the same results for different protocol versions. 6253 */ 6254 #define SMALL_LABEL_LEN 10 6255 #define LONG_LABEL_LEN 249 6256 static int test_export_key_mat(int tst) 6257 { 6258 int testresult = 0; 6259 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 6260 SSL *clientssl = NULL, *serverssl = NULL; 6261 const char label[LONG_LABEL_LEN + 1] = "test label"; 6262 const unsigned char context[] = "context"; 6263 const unsigned char *emptycontext = NULL; 6264 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; 6265 unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; 6266 size_t labellen; 6267 const int protocols[] = { 6268 TLS1_VERSION, 6269 TLS1_1_VERSION, 6270 TLS1_2_VERSION, 6271 TLS1_3_VERSION, 6272 TLS1_3_VERSION, 6273 TLS1_3_VERSION 6274 }; 6275 6276 #ifdef OPENSSL_NO_TLS1 6277 if (tst == 0) 6278 return 1; 6279 #endif 6280 #ifdef OPENSSL_NO_TLS1_1 6281 if (tst == 1) 6282 return 1; 6283 #endif 6284 if (is_fips && (tst == 0 || tst == 1)) 6285 return 1; 6286 #ifdef OPENSSL_NO_TLS1_2 6287 if (tst == 2) 6288 return 1; 6289 #endif 6290 #ifdef OSSL_NO_USABLE_TLS1_3 6291 if (tst >= 3) 6292 return 1; 6293 #endif 6294 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6295 TLS_client_method(), TLS1_VERSION, 0, 6296 &sctx, &cctx, cert, privkey))) 6297 goto end; 6298 6299 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols)); 6300 SSL_CTX_set_max_proto_version(cctx, protocols[tst]); 6301 SSL_CTX_set_min_proto_version(cctx, protocols[tst]); 6302 if ((protocols[tst] < TLS1_2_VERSION) && 6303 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0") 6304 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))) 6305 goto end; 6306 6307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 6308 NULL))) 6309 goto end; 6310 6311 /* 6312 * Premature call of SSL_export_keying_material should just fail. 6313 */ 6314 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 6315 sizeof(ckeymat1), label, 6316 SMALL_LABEL_LEN + 1, context, 6317 sizeof(context) - 1, 1), 0)) 6318 goto end; 6319 6320 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 6321 SSL_ERROR_NONE))) 6322 goto end; 6323 6324 if (tst == 5) { 6325 /* 6326 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we 6327 * go over that. 6328 */ 6329 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, 6330 sizeof(ckeymat1), label, 6331 LONG_LABEL_LEN + 1, context, 6332 sizeof(context) - 1, 1), 0)) 6333 goto end; 6334 6335 testresult = 1; 6336 goto end; 6337 } else if (tst == 4) { 6338 labellen = LONG_LABEL_LEN; 6339 } else { 6340 labellen = SMALL_LABEL_LEN; 6341 } 6342 6343 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, 6344 sizeof(ckeymat1), label, 6345 labellen, context, 6346 sizeof(context) - 1, 1), 1) 6347 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, 6348 sizeof(ckeymat2), label, 6349 labellen, 6350 emptycontext, 6351 0, 1), 1) 6352 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, 6353 sizeof(ckeymat3), label, 6354 labellen, 6355 NULL, 0, 0), 1) 6356 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, 6357 sizeof(skeymat1), label, 6358 labellen, 6359 context, 6360 sizeof(context) -1, 1), 6361 1) 6362 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, 6363 sizeof(skeymat2), label, 6364 labellen, 6365 emptycontext, 6366 0, 1), 1) 6367 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, 6368 sizeof(skeymat3), label, 6369 labellen, 6370 NULL, 0, 0), 1) 6371 /* 6372 * Check that both sides created the same key material with the 6373 * same context. 6374 */ 6375 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 6376 sizeof(skeymat1)) 6377 /* 6378 * Check that both sides created the same key material with an 6379 * empty context. 6380 */ 6381 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 6382 sizeof(skeymat2)) 6383 /* 6384 * Check that both sides created the same key material without a 6385 * context. 6386 */ 6387 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3, 6388 sizeof(skeymat3)) 6389 /* Different contexts should produce different results */ 6390 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 6391 sizeof(ckeymat2))) 6392 goto end; 6393 6394 /* 6395 * Check that an empty context and no context produce different results in 6396 * protocols less than TLSv1.3. In TLSv1.3 they should be the same. 6397 */ 6398 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, 6399 sizeof(ckeymat3))) 6400 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, 6401 sizeof(ckeymat3)))) 6402 goto end; 6403 6404 testresult = 1; 6405 6406 end: 6407 SSL_free(serverssl); 6408 SSL_free(clientssl); 6409 SSL_CTX_free(sctx2); 6410 SSL_CTX_free(sctx); 6411 SSL_CTX_free(cctx); 6412 6413 return testresult; 6414 } 6415 6416 #ifndef OSSL_NO_USABLE_TLS1_3 6417 /* 6418 * Test that SSL_export_keying_material_early() produces expected 6419 * results. There are no test vectors so all we do is test that both 6420 * sides of the communication produce the same results for different 6421 * protocol versions. 6422 */ 6423 static int test_export_key_mat_early(int idx) 6424 { 6425 static const char label[] = "test label"; 6426 static const unsigned char context[] = "context"; 6427 int testresult = 0; 6428 SSL_CTX *cctx = NULL, *sctx = NULL; 6429 SSL *clientssl = NULL, *serverssl = NULL; 6430 SSL_SESSION *sess = NULL; 6431 const unsigned char *emptycontext = NULL; 6432 unsigned char ckeymat1[80], ckeymat2[80]; 6433 unsigned char skeymat1[80], skeymat2[80]; 6434 unsigned char buf[1]; 6435 size_t readbytes, written; 6436 6437 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, 6438 &sess, idx, SHA384_DIGEST_LENGTH))) 6439 goto end; 6440 6441 /* Here writing 0 length early data is enough. */ 6442 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 6443 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 6444 &readbytes), 6445 SSL_READ_EARLY_DATA_ERROR) 6446 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 6447 SSL_EARLY_DATA_ACCEPTED)) 6448 goto end; 6449 6450 if (!TEST_int_eq(SSL_export_keying_material_early( 6451 clientssl, ckeymat1, sizeof(ckeymat1), label, 6452 sizeof(label) - 1, context, sizeof(context) - 1), 1) 6453 || !TEST_int_eq(SSL_export_keying_material_early( 6454 clientssl, ckeymat2, sizeof(ckeymat2), label, 6455 sizeof(label) - 1, emptycontext, 0), 1) 6456 || !TEST_int_eq(SSL_export_keying_material_early( 6457 serverssl, skeymat1, sizeof(skeymat1), label, 6458 sizeof(label) - 1, context, sizeof(context) - 1), 1) 6459 || !TEST_int_eq(SSL_export_keying_material_early( 6460 serverssl, skeymat2, sizeof(skeymat2), label, 6461 sizeof(label) - 1, emptycontext, 0), 1) 6462 /* 6463 * Check that both sides created the same key material with the 6464 * same context. 6465 */ 6466 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1, 6467 sizeof(skeymat1)) 6468 /* 6469 * Check that both sides created the same key material with an 6470 * empty context. 6471 */ 6472 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2, 6473 sizeof(skeymat2)) 6474 /* Different contexts should produce different results */ 6475 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2, 6476 sizeof(ckeymat2))) 6477 goto end; 6478 6479 testresult = 1; 6480 6481 end: 6482 SSL_SESSION_free(sess); 6483 SSL_SESSION_free(clientpsk); 6484 SSL_SESSION_free(serverpsk); 6485 clientpsk = serverpsk = NULL; 6486 SSL_free(serverssl); 6487 SSL_free(clientssl); 6488 SSL_CTX_free(sctx); 6489 SSL_CTX_free(cctx); 6490 6491 return testresult; 6492 } 6493 6494 #define NUM_KEY_UPDATE_MESSAGES 40 6495 /* 6496 * Test KeyUpdate. 6497 */ 6498 static int test_key_update(void) 6499 { 6500 SSL_CTX *cctx = NULL, *sctx = NULL; 6501 SSL *clientssl = NULL, *serverssl = NULL; 6502 int testresult = 0, i, j; 6503 char buf[20]; 6504 static char *mess = "A test message"; 6505 6506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6507 TLS_client_method(), 6508 TLS1_3_VERSION, 6509 0, 6510 &sctx, &cctx, cert, privkey)) 6511 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6512 NULL, NULL)) 6513 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6514 SSL_ERROR_NONE))) 6515 goto end; 6516 6517 for (j = 0; j < 2; j++) { 6518 /* Send lots of KeyUpdate messages */ 6519 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) { 6520 if (!TEST_true(SSL_key_update(clientssl, 6521 (j == 0) 6522 ? SSL_KEY_UPDATE_NOT_REQUESTED 6523 : SSL_KEY_UPDATE_REQUESTED)) 6524 || !TEST_true(SSL_do_handshake(clientssl))) 6525 goto end; 6526 } 6527 6528 /* Check that sending and receiving app data is ok */ 6529 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)) 6530 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), 6531 strlen(mess))) 6532 goto end; 6533 6534 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)) 6535 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)), 6536 strlen(mess))) 6537 goto end; 6538 } 6539 6540 testresult = 1; 6541 6542 end: 6543 SSL_free(serverssl); 6544 SSL_free(clientssl); 6545 SSL_CTX_free(sctx); 6546 SSL_CTX_free(cctx); 6547 6548 return testresult; 6549 } 6550 6551 /* 6552 * Test we can handle a KeyUpdate (update requested) message while 6553 * write data is pending in peer. 6554 * Test 0: Client sends KeyUpdate while Server is writing 6555 * Test 1: Server sends KeyUpdate while Client is writing 6556 */ 6557 static int test_key_update_peer_in_write(int tst) 6558 { 6559 SSL_CTX *cctx = NULL, *sctx = NULL; 6560 SSL *clientssl = NULL, *serverssl = NULL; 6561 int testresult = 0; 6562 char buf[20]; 6563 static char *mess = "A test message"; 6564 BIO *bretry = BIO_new(bio_s_always_retry()); 6565 BIO *tmp = NULL; 6566 SSL *peerupdate = NULL, *peerwrite = NULL; 6567 6568 if (!TEST_ptr(bretry) 6569 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6570 TLS_client_method(), 6571 TLS1_3_VERSION, 6572 0, 6573 &sctx, &cctx, cert, privkey)) 6574 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6575 NULL, NULL)) 6576 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6577 SSL_ERROR_NONE))) 6578 goto end; 6579 6580 peerupdate = tst == 0 ? clientssl : serverssl; 6581 peerwrite = tst == 0 ? serverssl : clientssl; 6582 6583 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) 6584 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1)) 6585 goto end; 6586 6587 /* Swap the writing endpoint's write BIO to force a retry */ 6588 tmp = SSL_get_wbio(peerwrite); 6589 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 6590 tmp = NULL; 6591 goto end; 6592 } 6593 SSL_set0_wbio(peerwrite, bretry); 6594 bretry = NULL; 6595 6596 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ 6597 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) 6598 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) 6599 goto end; 6600 6601 /* Reinstate the original writing endpoint's write BIO */ 6602 SSL_set0_wbio(peerwrite, tmp); 6603 tmp = NULL; 6604 6605 /* Now read some data - we will read the key update */ 6606 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) 6607 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) 6608 goto end; 6609 6610 /* 6611 * Complete the write we started previously and read it from the other 6612 * endpoint 6613 */ 6614 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 6615 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 6616 goto end; 6617 6618 /* Write more data to ensure we send the KeyUpdate message back */ 6619 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) 6620 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) 6621 goto end; 6622 6623 testresult = 1; 6624 6625 end: 6626 SSL_free(serverssl); 6627 SSL_free(clientssl); 6628 SSL_CTX_free(sctx); 6629 SSL_CTX_free(cctx); 6630 BIO_free(bretry); 6631 BIO_free(tmp); 6632 6633 return testresult; 6634 } 6635 6636 /* 6637 * Test we can handle a KeyUpdate (update requested) message while 6638 * peer read data is pending after peer accepted keyupdate(the msg header 6639 * had been read 5 bytes). 6640 * Test 0: Client sends KeyUpdate while Server is reading 6641 * Test 1: Server sends KeyUpdate while Client is reading 6642 */ 6643 static int test_key_update_peer_in_read(int tst) 6644 { 6645 SSL_CTX *cctx = NULL, *sctx = NULL; 6646 SSL *clientssl = NULL, *serverssl = NULL; 6647 int testresult = 0; 6648 char prbuf[515], lwbuf[515] = {0}; 6649 static char *mess = "A test message"; 6650 BIO *lbio = NULL, *pbio = NULL; 6651 SSL *local = NULL, *peer = NULL; 6652 6653 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6654 TLS_client_method(), 6655 TLS1_3_VERSION, 6656 0, 6657 &sctx, &cctx, cert, privkey)) 6658 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6659 NULL, NULL)) 6660 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6661 SSL_ERROR_NONE))) 6662 goto end; 6663 6664 local = tst == 0 ? clientssl : serverssl; 6665 peer = tst == 0 ? serverssl : clientssl; 6666 6667 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) 6668 goto end; 6669 6670 SSL_set_bio(local, lbio, lbio); 6671 SSL_set_bio(peer, pbio, pbio); 6672 6673 /* 6674 * we first write keyupdate msg then appdata in local 6675 * write data in local will fail with SSL_ERROR_WANT_WRITE,because 6676 * lwbuf app data msg size + key updata msg size > 512(the size of 6677 * the bio pair buffer) 6678 */ 6679 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6680 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1) 6681 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) 6682 goto end; 6683 6684 /* 6685 * first read keyupdate msg in peer in peer 6686 * then read appdata that we know will fail with SSL_ERROR_WANT_READ 6687 */ 6688 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1) 6689 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ)) 6690 goto end; 6691 6692 /* Now write some data in peer - we will write the key update */ 6693 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))) 6694 goto end; 6695 6696 /* 6697 * write data in local previously that we will complete 6698 * read data in peer previously that we will complete 6699 */ 6700 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf)) 6701 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf))) 6702 goto end; 6703 6704 /* check that sending and receiving appdata ok */ 6705 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6706 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) 6707 goto end; 6708 6709 testresult = 1; 6710 6711 end: 6712 SSL_free(serverssl); 6713 SSL_free(clientssl); 6714 SSL_CTX_free(sctx); 6715 SSL_CTX_free(cctx); 6716 6717 return testresult; 6718 } 6719 6720 /* 6721 * Test we can't send a KeyUpdate (update requested) message while 6722 * local write data is pending. 6723 * Test 0: Client sends KeyUpdate while Client is writing 6724 * Test 1: Server sends KeyUpdate while Server is writing 6725 */ 6726 static int test_key_update_local_in_write(int tst) 6727 { 6728 SSL_CTX *cctx = NULL, *sctx = NULL; 6729 SSL *clientssl = NULL, *serverssl = NULL; 6730 int testresult = 0; 6731 char buf[20]; 6732 static char *mess = "A test message"; 6733 BIO *bretry = BIO_new(bio_s_always_retry()); 6734 BIO *tmp = NULL; 6735 SSL *local = NULL, *peer = NULL; 6736 6737 if (!TEST_ptr(bretry) 6738 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6739 TLS_client_method(), 6740 TLS1_3_VERSION, 6741 0, 6742 &sctx, &cctx, cert, privkey)) 6743 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6744 NULL, NULL)) 6745 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6746 SSL_ERROR_NONE))) 6747 goto end; 6748 6749 local = tst == 0 ? clientssl : serverssl; 6750 peer = tst == 0 ? serverssl : clientssl; 6751 6752 /* Swap the writing endpoint's write BIO to force a retry */ 6753 tmp = SSL_get_wbio(local); 6754 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 6755 tmp = NULL; 6756 goto end; 6757 } 6758 SSL_set0_wbio(local, bretry); 6759 bretry = NULL; 6760 6761 /* write data in local will fail with SSL_ERROR_WANT_WRITE */ 6762 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1) 6763 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) 6764 goto end; 6765 6766 /* Reinstate the original writing endpoint's write BIO */ 6767 SSL_set0_wbio(local, tmp); 6768 tmp = NULL; 6769 6770 /* SSL_key_update will fail, because writing in local*/ 6771 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6772 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY)) 6773 goto end; 6774 6775 ERR_clear_error(); 6776 /* write data in local previously that we will complete */ 6777 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))) 6778 goto end; 6779 6780 /* SSL_key_update will succeed because there is no pending write data */ 6781 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6782 || !TEST_int_eq(SSL_do_handshake(local), 1)) 6783 goto end; 6784 6785 /* 6786 * we write some appdata in local 6787 * read data in peer - we will read the keyupdate msg 6788 */ 6789 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6790 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess))) 6791 goto end; 6792 6793 /* Write more peer more data to ensure we send the keyupdate message back */ 6794 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) 6795 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess))) 6796 goto end; 6797 6798 testresult = 1; 6799 6800 end: 6801 SSL_free(serverssl); 6802 SSL_free(clientssl); 6803 SSL_CTX_free(sctx); 6804 SSL_CTX_free(cctx); 6805 BIO_free(bretry); 6806 BIO_free(tmp); 6807 6808 return testresult; 6809 } 6810 6811 /* 6812 * Test we can handle a KeyUpdate (update requested) message while 6813 * local read data is pending(the msg header had been read 5 bytes). 6814 * Test 0: Client sends KeyUpdate while Client is reading 6815 * Test 1: Server sends KeyUpdate while Server is reading 6816 */ 6817 static int test_key_update_local_in_read(int tst) 6818 { 6819 SSL_CTX *cctx = NULL, *sctx = NULL; 6820 SSL *clientssl = NULL, *serverssl = NULL; 6821 int testresult = 0; 6822 char lrbuf[515], pwbuf[515] = {0}, prbuf[20]; 6823 static char *mess = "A test message"; 6824 BIO *lbio = NULL, *pbio = NULL; 6825 SSL *local = NULL, *peer = NULL; 6826 6827 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6828 TLS_client_method(), 6829 TLS1_3_VERSION, 6830 0, 6831 &sctx, &cctx, cert, privkey)) 6832 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6833 NULL, NULL)) 6834 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6835 SSL_ERROR_NONE))) 6836 goto end; 6837 6838 local = tst == 0 ? clientssl : serverssl; 6839 peer = tst == 0 ? serverssl : clientssl; 6840 6841 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) 6842 goto end; 6843 6844 SSL_set_bio(local, lbio, lbio); 6845 SSL_set_bio(peer, pbio, pbio); 6846 6847 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */ 6848 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1) 6849 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE)) 6850 goto end; 6851 6852 /* read appdata in local will fail with SSL_ERROR_WANT_READ */ 6853 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1) 6854 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ)) 6855 goto end; 6856 6857 /* SSL_do_handshake will send keyupdate msg */ 6858 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) 6859 || !TEST_int_eq(SSL_do_handshake(local), 1)) 6860 goto end; 6861 6862 /* 6863 * write data in peer previously that we will complete 6864 * read data in local previously that we will complete 6865 */ 6866 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf)) 6867 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf))) 6868 goto end; 6869 6870 /* 6871 * write data in local 6872 * read data in peer - we will read the key update 6873 */ 6874 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) 6875 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) 6876 goto end; 6877 6878 /* Write more peer data to ensure we send the keyupdate message back */ 6879 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) 6880 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess))) 6881 goto end; 6882 6883 testresult = 1; 6884 6885 end: 6886 SSL_free(serverssl); 6887 SSL_free(clientssl); 6888 SSL_CTX_free(sctx); 6889 SSL_CTX_free(cctx); 6890 6891 return testresult; 6892 } 6893 #endif /* OSSL_NO_USABLE_TLS1_3 */ 6894 6895 static int test_ssl_clear(int idx) 6896 { 6897 SSL_CTX *cctx = NULL, *sctx = NULL; 6898 SSL *clientssl = NULL, *serverssl = NULL; 6899 int testresult = 0; 6900 6901 #ifdef OPENSSL_NO_TLS1_2 6902 if (idx == 1) 6903 return 1; 6904 #endif 6905 6906 /* Create an initial connection */ 6907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6908 TLS_client_method(), TLS1_VERSION, 0, 6909 &sctx, &cctx, cert, privkey)) 6910 || (idx == 1 6911 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, 6912 TLS1_2_VERSION))) 6913 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 6914 &clientssl, NULL, NULL)) 6915 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6916 SSL_ERROR_NONE))) 6917 goto end; 6918 6919 SSL_shutdown(clientssl); 6920 SSL_shutdown(serverssl); 6921 SSL_free(serverssl); 6922 serverssl = NULL; 6923 6924 /* Clear clientssl - we're going to reuse the object */ 6925 if (!TEST_true(SSL_clear(clientssl))) 6926 goto end; 6927 6928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6929 NULL, NULL)) 6930 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6931 SSL_ERROR_NONE)) 6932 || !TEST_true(SSL_session_reused(clientssl))) 6933 goto end; 6934 6935 SSL_shutdown(clientssl); 6936 SSL_shutdown(serverssl); 6937 6938 testresult = 1; 6939 6940 end: 6941 SSL_free(serverssl); 6942 SSL_free(clientssl); 6943 SSL_CTX_free(sctx); 6944 SSL_CTX_free(cctx); 6945 6946 return testresult; 6947 } 6948 6949 /* Parse CH and retrieve any MFL extension value if present */ 6950 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code) 6951 { 6952 long len; 6953 unsigned char *data; 6954 PACKET pkt, pkt2, pkt3; 6955 unsigned int MFL_code = 0, type = 0; 6956 6957 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) ) 6958 goto end; 6959 6960 memset(&pkt, 0, sizeof(pkt)); 6961 memset(&pkt2, 0, sizeof(pkt2)); 6962 memset(&pkt3, 0, sizeof(pkt3)); 6963 6964 if (!TEST_long_gt(len, 0) 6965 || !TEST_true( PACKET_buf_init( &pkt, data, len ) ) 6966 /* Skip the record header */ 6967 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH) 6968 /* Skip the handshake message header */ 6969 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH)) 6970 /* Skip client version and random */ 6971 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN 6972 + SSL3_RANDOM_SIZE)) 6973 /* Skip session id */ 6974 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 6975 /* Skip ciphers */ 6976 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2)) 6977 /* Skip compression */ 6978 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2)) 6979 /* Extensions len */ 6980 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2))) 6981 goto end; 6982 6983 /* Loop through all extensions */ 6984 while (PACKET_remaining(&pkt2)) { 6985 if (!TEST_true(PACKET_get_net_2(&pkt2, &type)) 6986 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3))) 6987 goto end; 6988 6989 if (type == TLSEXT_TYPE_max_fragment_length) { 6990 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0) 6991 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code))) 6992 goto end; 6993 6994 *mfl_codemfl_code = MFL_code; 6995 return 1; 6996 } 6997 } 6998 6999 end: 7000 return 0; 7001 } 7002 7003 /* Maximum-Fragment-Length TLS extension mode to test */ 7004 static const unsigned char max_fragment_len_test[] = { 7005 TLSEXT_max_fragment_length_512, 7006 TLSEXT_max_fragment_length_1024, 7007 TLSEXT_max_fragment_length_2048, 7008 TLSEXT_max_fragment_length_4096 7009 }; 7010 7011 static int test_max_fragment_len_ext(int idx_tst) 7012 { 7013 SSL_CTX *ctx = NULL; 7014 SSL *con = NULL; 7015 int testresult = 0, MFL_mode = 0; 7016 BIO *rbio, *wbio; 7017 7018 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(), 7019 TLS1_VERSION, 0, NULL, &ctx, NULL, 7020 NULL))) 7021 return 0; 7022 7023 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( 7024 ctx, max_fragment_len_test[idx_tst]))) 7025 goto end; 7026 7027 con = SSL_new(ctx); 7028 if (!TEST_ptr(con)) 7029 goto end; 7030 7031 rbio = BIO_new(BIO_s_mem()); 7032 wbio = BIO_new(BIO_s_mem()); 7033 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { 7034 BIO_free(rbio); 7035 BIO_free(wbio); 7036 goto end; 7037 } 7038 7039 SSL_set_bio(con, rbio, wbio); 7040 7041 if (!TEST_int_le(SSL_connect(con), 0)) { 7042 /* This shouldn't succeed because we don't have a server! */ 7043 goto end; 7044 } 7045 7046 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode))) 7047 /* no MFL in client hello */ 7048 goto end; 7049 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode)) 7050 goto end; 7051 7052 testresult = 1; 7053 7054 end: 7055 SSL_free(con); 7056 SSL_CTX_free(ctx); 7057 7058 return testresult; 7059 } 7060 7061 #ifndef OSSL_NO_USABLE_TLS1_3 7062 static int test_pha_key_update(void) 7063 { 7064 SSL_CTX *cctx = NULL, *sctx = NULL; 7065 SSL *clientssl = NULL, *serverssl = NULL; 7066 int testresult = 0; 7067 7068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7069 TLS_client_method(), TLS1_VERSION, 0, 7070 &sctx, &cctx, cert, privkey))) 7071 return 0; 7072 7073 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)) 7074 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)) 7075 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)) 7076 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) 7077 goto end; 7078 7079 SSL_CTX_set_post_handshake_auth(cctx, 1); 7080 7081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7082 NULL, NULL))) 7083 goto end; 7084 7085 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 7086 SSL_ERROR_NONE))) 7087 goto end; 7088 7089 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 7090 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 7091 goto end; 7092 7093 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) 7094 goto end; 7095 7096 /* Start handshake on the server */ 7097 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)) 7098 goto end; 7099 7100 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */ 7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 7102 SSL_ERROR_NONE))) 7103 goto end; 7104 7105 SSL_shutdown(clientssl); 7106 SSL_shutdown(serverssl); 7107 7108 testresult = 1; 7109 7110 end: 7111 SSL_free(serverssl); 7112 SSL_free(clientssl); 7113 SSL_CTX_free(sctx); 7114 SSL_CTX_free(cctx); 7115 return testresult; 7116 } 7117 #endif 7118 7119 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 7120 7121 static SRP_VBASE *vbase = NULL; 7122 7123 static int ssl_srp_cb(SSL *s, int *ad, void *arg) 7124 { 7125 int ret = SSL3_AL_FATAL; 7126 char *username; 7127 SRP_user_pwd *user = NULL; 7128 7129 username = SSL_get_srp_username(s); 7130 if (username == NULL) { 7131 *ad = SSL_AD_INTERNAL_ERROR; 7132 goto err; 7133 } 7134 7135 user = SRP_VBASE_get1_by_user(vbase, username); 7136 if (user == NULL) { 7137 *ad = SSL_AD_INTERNAL_ERROR; 7138 goto err; 7139 } 7140 7141 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v, 7142 user->info) <= 0) { 7143 *ad = SSL_AD_INTERNAL_ERROR; 7144 goto err; 7145 } 7146 7147 ret = 0; 7148 7149 err: 7150 SRP_user_pwd_free(user); 7151 return ret; 7152 } 7153 7154 static int create_new_vfile(char *userid, char *password, const char *filename) 7155 { 7156 char *gNid = NULL; 7157 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1)); 7158 TXT_DB *db = NULL; 7159 int ret = 0; 7160 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0); 7161 size_t i; 7162 7163 if (!TEST_ptr(dummy) || !TEST_ptr(row)) 7164 goto end; 7165 7166 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt], 7167 &row[DB_srpverifier], NULL, NULL, libctx, NULL); 7168 if (!TEST_ptr(gNid)) 7169 goto end; 7170 7171 /* 7172 * The only way to create an empty TXT_DB is to provide a BIO with no data 7173 * in it! 7174 */ 7175 db = TXT_DB_read(dummy, DB_NUMBER); 7176 if (!TEST_ptr(db)) 7177 goto end; 7178 7179 out = BIO_new_file(filename, "w"); 7180 if (!TEST_ptr(out)) 7181 goto end; 7182 7183 row[DB_srpid] = OPENSSL_strdup(userid); 7184 row[DB_srptype] = OPENSSL_strdup("V"); 7185 row[DB_srpgN] = OPENSSL_strdup(gNid); 7186 7187 if (!TEST_ptr(row[DB_srpid]) 7188 || !TEST_ptr(row[DB_srptype]) 7189 || !TEST_ptr(row[DB_srpgN]) 7190 || !TEST_true(TXT_DB_insert(db, row))) 7191 goto end; 7192 7193 row = NULL; 7194 7195 if (TXT_DB_write(out, db) <= 0) 7196 goto end; 7197 7198 ret = 1; 7199 end: 7200 if (row != NULL) { 7201 for (i = 0; i < DB_NUMBER; i++) 7202 OPENSSL_free(row[i]); 7203 } 7204 OPENSSL_free(row); 7205 BIO_free(dummy); 7206 BIO_free(out); 7207 TXT_DB_free(db); 7208 7209 return ret; 7210 } 7211 7212 static int create_new_vbase(char *userid, char *password) 7213 { 7214 BIGNUM *verifier = NULL, *salt = NULL; 7215 const SRP_gN *lgN = NULL; 7216 SRP_user_pwd *user_pwd = NULL; 7217 int ret = 0; 7218 7219 lgN = SRP_get_default_gN(NULL); 7220 if (!TEST_ptr(lgN)) 7221 goto end; 7222 7223 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier, 7224 lgN->N, lgN->g, libctx, NULL))) 7225 goto end; 7226 7227 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd)); 7228 if (!TEST_ptr(user_pwd)) 7229 goto end; 7230 7231 user_pwd->N = lgN->N; 7232 user_pwd->g = lgN->g; 7233 user_pwd->id = OPENSSL_strdup(userid); 7234 if (!TEST_ptr(user_pwd->id)) 7235 goto end; 7236 7237 user_pwd->v = verifier; 7238 user_pwd->s = salt; 7239 verifier = salt = NULL; 7240 7241 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0) 7242 goto end; 7243 user_pwd = NULL; 7244 7245 ret = 1; 7246 end: 7247 SRP_user_pwd_free(user_pwd); 7248 BN_free(salt); 7249 BN_free(verifier); 7250 7251 return ret; 7252 } 7253 7254 /* 7255 * SRP tests 7256 * 7257 * Test 0: Simple successful SRP connection, new vbase 7258 * Test 1: Connection failure due to bad password, new vbase 7259 * Test 2: Simple successful SRP connection, vbase loaded from existing file 7260 * Test 3: Connection failure due to bad password, vbase loaded from existing 7261 * file 7262 * Test 4: Simple successful SRP connection, vbase loaded from new file 7263 * Test 5: Connection failure due to bad password, vbase loaded from new file 7264 */ 7265 static int test_srp(int tst) 7266 { 7267 char *userid = "test", *password = "password", *tstsrpfile; 7268 SSL_CTX *cctx = NULL, *sctx = NULL; 7269 SSL *clientssl = NULL, *serverssl = NULL; 7270 int ret, testresult = 0; 7271 7272 vbase = SRP_VBASE_new(NULL); 7273 if (!TEST_ptr(vbase)) 7274 goto end; 7275 7276 if (tst == 0 || tst == 1) { 7277 if (!TEST_true(create_new_vbase(userid, password))) 7278 goto end; 7279 } else { 7280 if (tst == 4 || tst == 5) { 7281 if (!TEST_true(create_new_vfile(userid, password, tmpfilename))) 7282 goto end; 7283 tstsrpfile = tmpfilename; 7284 } else { 7285 tstsrpfile = srpvfile; 7286 } 7287 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR)) 7288 goto end; 7289 } 7290 7291 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7292 TLS_client_method(), TLS1_VERSION, 0, 7293 &sctx, &cctx, cert, privkey))) 7294 goto end; 7295 7296 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0) 7297 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")) 7298 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)) 7299 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) 7300 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0)) 7301 goto end; 7302 7303 if (tst % 2 == 1) { 7304 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0)) 7305 goto end; 7306 } else { 7307 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0)) 7308 goto end; 7309 } 7310 7311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7312 NULL, NULL))) 7313 goto end; 7314 7315 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 7316 if (ret) { 7317 if (!TEST_true(tst % 2 == 0)) 7318 goto end; 7319 } else { 7320 if (!TEST_true(tst % 2 == 1)) 7321 goto end; 7322 } 7323 7324 testresult = 1; 7325 7326 end: 7327 SRP_VBASE_free(vbase); 7328 vbase = NULL; 7329 SSL_free(serverssl); 7330 SSL_free(clientssl); 7331 SSL_CTX_free(sctx); 7332 SSL_CTX_free(cctx); 7333 7334 return testresult; 7335 } 7336 #endif 7337 7338 static int info_cb_failed = 0; 7339 static int info_cb_offset = 0; 7340 static int info_cb_this_state = -1; 7341 7342 static struct info_cb_states_st { 7343 int where; 7344 const char *statestr; 7345 } info_cb_states[][60] = { 7346 { 7347 /* TLSv1.2 server followed by resumption */ 7348 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7349 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7350 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"}, 7351 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"}, 7352 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"}, 7353 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7355 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 7356 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, 7357 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"}, 7359 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7360 {SSL_CB_EXIT, NULL}, {0, NULL}, 7361 }, { 7362 /* TLSv1.2 client followed by resumption */ 7363 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7364 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7365 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"}, 7366 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"}, 7367 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, 7368 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 7370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7372 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, 7373 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7374 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7375 }, { 7376 /* TLSv1.3 server followed by resumption */ 7377 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7378 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7379 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, 7380 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, 7381 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, 7382 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 7383 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, 7384 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7385 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7386 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 7387 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, 7388 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7389 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7390 }, { 7391 /* TLSv1.3 client followed by resumption */ 7392 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7393 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, 7394 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, 7395 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, 7396 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7397 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, 7398 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, 7399 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, 7400 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, 7401 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, 7402 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 7403 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, 7404 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7405 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, 7406 {SSL_CB_EXIT, NULL}, {0, NULL}, 7407 }, { 7408 /* TLSv1.3 server, early_data */ 7409 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7410 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, 7411 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, 7412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7413 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 7414 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, 7415 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, 7416 {SSL_CB_EXIT, NULL}, {0, NULL}, 7417 }, { 7418 /* TLSv1.3 client, early_data */ 7419 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"}, 7420 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"}, 7421 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, 7422 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, 7423 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, 7424 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, 7425 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, 7426 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, 7427 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, 7428 }, { 7429 {0, NULL}, 7430 } 7431 }; 7432 7433 static void sslapi_info_callback(const SSL *s, int where, int ret) 7434 { 7435 struct info_cb_states_st *state = info_cb_states[info_cb_offset]; 7436 7437 /* We do not ever expect a connection to fail in this test */ 7438 if (!TEST_false(ret == 0)) { 7439 info_cb_failed = 1; 7440 return; 7441 } 7442 7443 /* 7444 * Do some sanity checks. We never expect these things to happen in this 7445 * test 7446 */ 7447 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0)) 7448 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0) 7449 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) { 7450 info_cb_failed = 1; 7451 return; 7452 } 7453 7454 /* Now check we're in the right state */ 7455 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) { 7456 info_cb_failed = 1; 7457 return; 7458 } 7459 if ((where & SSL_CB_LOOP) != 0 7460 && !TEST_int_eq(strcmp(SSL_state_string(s), 7461 state[info_cb_this_state].statestr), 0)) { 7462 info_cb_failed = 1; 7463 return; 7464 } 7465 7466 /* 7467 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init 7468 */ 7469 if ((where & SSL_CB_HANDSHAKE_DONE) 7470 && SSL_in_init((SSL *)s) != 0) { 7471 info_cb_failed = 1; 7472 return; 7473 } 7474 } 7475 7476 /* 7477 * Test the info callback gets called when we expect it to. 7478 * 7479 * Test 0: TLSv1.2, server 7480 * Test 1: TLSv1.2, client 7481 * Test 2: TLSv1.3, server 7482 * Test 3: TLSv1.3, client 7483 * Test 4: TLSv1.3, server, early_data 7484 * Test 5: TLSv1.3, client, early_data 7485 */ 7486 static int test_info_callback(int tst) 7487 { 7488 SSL_CTX *cctx = NULL, *sctx = NULL; 7489 SSL *clientssl = NULL, *serverssl = NULL; 7490 SSL_SESSION *clntsess = NULL; 7491 int testresult = 0; 7492 int tlsvers; 7493 7494 if (tst < 2) { 7495 /* We need either ECDHE or DHE for the TLSv1.2 test to work */ 7496 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \ 7497 || !defined(OPENSSL_NO_DH)) 7498 tlsvers = TLS1_2_VERSION; 7499 #else 7500 return 1; 7501 #endif 7502 } else { 7503 #ifndef OSSL_NO_USABLE_TLS1_3 7504 tlsvers = TLS1_3_VERSION; 7505 #else 7506 return 1; 7507 #endif 7508 } 7509 7510 /* Reset globals */ 7511 info_cb_failed = 0; 7512 info_cb_this_state = -1; 7513 info_cb_offset = tst; 7514 7515 #ifndef OSSL_NO_USABLE_TLS1_3 7516 if (tst >= 4) { 7517 SSL_SESSION *sess = NULL; 7518 size_t written, readbytes; 7519 unsigned char buf[80]; 7520 time_t timer; 7521 7522 /* early_data tests */ 7523 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, 7524 &serverssl, &sess, 0, 7525 SHA384_DIGEST_LENGTH))) 7526 goto end; 7527 7528 /* We don't actually need this reference */ 7529 SSL_SESSION_free(sess); 7530 7531 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl, 7532 sslapi_info_callback); 7533 7534 /* Write and read some early data and then complete the connection */ 7535 timer = time(NULL); 7536 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), 7537 &written)) 7538 || !TEST_size_t_eq(written, strlen(MSG1))) 7539 goto end; 7540 7541 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, 7542 sizeof(buf), &readbytes), 7543 SSL_READ_EARLY_DATA_SUCCESS)) { 7544 testresult = check_early_data_timeout(timer); 7545 goto end; 7546 } 7547 7548 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1)) 7549 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 7550 SSL_EARLY_DATA_ACCEPTED) 7551 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7552 SSL_ERROR_NONE)) 7553 || !TEST_false(info_cb_failed)) 7554 goto end; 7555 7556 testresult = 1; 7557 goto end; 7558 } 7559 #endif 7560 7561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7562 TLS_client_method(), 7563 tlsvers, tlsvers, &sctx, &cctx, cert, 7564 privkey))) 7565 goto end; 7566 7567 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1))) 7568 goto end; 7569 7570 /* 7571 * For even numbered tests we check the server callbacks. For odd numbers we 7572 * check the client. 7573 */ 7574 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx, 7575 sslapi_info_callback); 7576 7577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 7578 &clientssl, NULL, NULL)) 7579 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7580 SSL_ERROR_NONE)) 7581 || !TEST_false(info_cb_failed)) 7582 goto end; 7583 7584 7585 7586 clntsess = SSL_get1_session(clientssl); 7587 SSL_shutdown(clientssl); 7588 SSL_shutdown(serverssl); 7589 SSL_free(serverssl); 7590 SSL_free(clientssl); 7591 serverssl = clientssl = NULL; 7592 7593 /* Now do a resumption */ 7594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 7595 NULL)) 7596 || !TEST_true(SSL_set_session(clientssl, clntsess)) 7597 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7598 SSL_ERROR_NONE)) 7599 || !TEST_true(SSL_session_reused(clientssl)) 7600 || !TEST_false(info_cb_failed)) 7601 goto end; 7602 7603 testresult = 1; 7604 7605 end: 7606 SSL_free(serverssl); 7607 SSL_free(clientssl); 7608 SSL_SESSION_free(clntsess); 7609 SSL_CTX_free(sctx); 7610 SSL_CTX_free(cctx); 7611 return testresult; 7612 } 7613 7614 static int test_ssl_pending(int tst) 7615 { 7616 SSL_CTX *cctx = NULL, *sctx = NULL; 7617 SSL *clientssl = NULL, *serverssl = NULL; 7618 int testresult = 0; 7619 char msg[] = "A test message"; 7620 char buf[5]; 7621 size_t written, readbytes; 7622 7623 if (tst == 0) { 7624 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7625 TLS_client_method(), 7626 TLS1_VERSION, 0, 7627 &sctx, &cctx, cert, privkey))) 7628 goto end; 7629 } else { 7630 #ifndef OPENSSL_NO_DTLS 7631 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(), 7632 DTLS_client_method(), 7633 DTLS1_VERSION, 0, 7634 &sctx, &cctx, cert, privkey))) 7635 goto end; 7636 7637 # ifdef OPENSSL_NO_DTLS1_2 7638 /* Not supported in the FIPS provider */ 7639 if (is_fips) { 7640 testresult = 1; 7641 goto end; 7642 }; 7643 /* 7644 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security 7645 * level 0 7646 */ 7647 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")) 7648 || !TEST_true(SSL_CTX_set_cipher_list(cctx, 7649 "DEFAULT:@SECLEVEL=0"))) 7650 goto end; 7651 # endif 7652 #else 7653 return 1; 7654 #endif 7655 } 7656 7657 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7658 NULL, NULL)) 7659 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7660 SSL_ERROR_NONE))) 7661 goto end; 7662 7663 if (!TEST_int_eq(SSL_pending(clientssl), 0) 7664 || !TEST_false(SSL_has_pending(clientssl)) 7665 || !TEST_int_eq(SSL_pending(serverssl), 0) 7666 || !TEST_false(SSL_has_pending(serverssl)) 7667 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 7668 || !TEST_size_t_eq(written, sizeof(msg)) 7669 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) 7670 || !TEST_size_t_eq(readbytes, sizeof(buf)) 7671 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes)) 7672 || !TEST_true(SSL_has_pending(clientssl))) 7673 goto end; 7674 7675 testresult = 1; 7676 7677 end: 7678 SSL_free(serverssl); 7679 SSL_free(clientssl); 7680 SSL_CTX_free(sctx); 7681 SSL_CTX_free(cctx); 7682 7683 return testresult; 7684 } 7685 7686 static struct { 7687 unsigned int maxprot; 7688 const char *clntciphers; 7689 const char *clnttls13ciphers; 7690 const char *srvrciphers; 7691 const char *srvrtls13ciphers; 7692 const char *shared; 7693 const char *fipsshared; 7694 } shared_ciphers_data[] = { 7695 /* 7696 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if 7697 * TLSv1.3 is enabled but TLSv1.2 is disabled. 7698 */ 7699 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 7700 { 7701 TLS1_2_VERSION, 7702 "AES128-SHA:AES256-SHA", 7703 NULL, 7704 "AES256-SHA:DHE-RSA-AES128-SHA", 7705 NULL, 7706 "AES256-SHA", 7707 "AES256-SHA" 7708 }, 7709 # if !defined(OPENSSL_NO_CHACHA) \ 7710 && !defined(OPENSSL_NO_POLY1305) \ 7711 && !defined(OPENSSL_NO_EC) 7712 { 7713 TLS1_2_VERSION, 7714 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7715 NULL, 7716 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7717 NULL, 7718 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 7719 "AES128-SHA" 7720 }, 7721 # endif 7722 { 7723 TLS1_2_VERSION, 7724 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", 7725 NULL, 7726 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", 7727 NULL, 7728 "AES128-SHA:AES256-SHA", 7729 "AES128-SHA:AES256-SHA" 7730 }, 7731 { 7732 TLS1_2_VERSION, 7733 "AES128-SHA:AES256-SHA", 7734 NULL, 7735 "AES128-SHA:DHE-RSA-AES128-SHA", 7736 NULL, 7737 "AES128-SHA", 7738 "AES128-SHA" 7739 }, 7740 #endif 7741 /* 7742 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be 7743 * enabled. 7744 */ 7745 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ 7746 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 7747 { 7748 TLS1_3_VERSION, 7749 "AES128-SHA:AES256-SHA", 7750 NULL, 7751 "AES256-SHA:AES128-SHA256", 7752 NULL, 7753 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" 7754 "TLS_AES_128_GCM_SHA256:AES256-SHA", 7755 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" 7756 }, 7757 #endif 7758 #ifndef OSSL_NO_USABLE_TLS1_3 7759 { 7760 TLS1_3_VERSION, 7761 "AES128-SHA", 7762 "TLS_AES_256_GCM_SHA384", 7763 "AES256-SHA", 7764 "TLS_AES_256_GCM_SHA384", 7765 "TLS_AES_256_GCM_SHA384", 7766 "TLS_AES_256_GCM_SHA384" 7767 }, 7768 #endif 7769 }; 7770 7771 static int int_test_ssl_get_shared_ciphers(int tst, int clnt) 7772 { 7773 SSL_CTX *cctx = NULL, *sctx = NULL; 7774 SSL *clientssl = NULL, *serverssl = NULL; 7775 int testresult = 0; 7776 char buf[1024]; 7777 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new(); 7778 7779 if (!TEST_ptr(tmplibctx)) 7780 goto end; 7781 7782 /* 7783 * Regardless of whether we're testing with the FIPS provider loaded into 7784 * libctx, we want one peer to always use the full set of ciphersuites 7785 * available. Therefore we use a separate libctx with the default provider 7786 * loaded into it. We run the same tests twice - once with the client side 7787 * having the full set of ciphersuites and once with the server side. 7788 */ 7789 if (clnt) { 7790 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method()); 7791 if (!TEST_ptr(cctx)) 7792 goto end; 7793 } else { 7794 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method()); 7795 if (!TEST_ptr(sctx)) 7796 goto end; 7797 } 7798 7799 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 7800 TLS_client_method(), 7801 TLS1_VERSION, 7802 shared_ciphers_data[tst].maxprot, 7803 &sctx, &cctx, cert, privkey))) 7804 goto end; 7805 7806 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 7807 shared_ciphers_data[tst].clntciphers)) 7808 || (shared_ciphers_data[tst].clnttls13ciphers != NULL 7809 && !TEST_true(SSL_CTX_set_ciphersuites(cctx, 7810 shared_ciphers_data[tst].clnttls13ciphers))) 7811 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 7812 shared_ciphers_data[tst].srvrciphers)) 7813 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL 7814 && !TEST_true(SSL_CTX_set_ciphersuites(sctx, 7815 shared_ciphers_data[tst].srvrtls13ciphers)))) 7816 goto end; 7817 7818 7819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 7820 NULL, NULL)) 7821 || !TEST_true(create_ssl_connection(serverssl, clientssl, 7822 SSL_ERROR_NONE))) 7823 goto end; 7824 7825 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) 7826 || !TEST_int_eq(strcmp(buf, 7827 is_fips 7828 ? shared_ciphers_data[tst].fipsshared 7829 : shared_ciphers_data[tst].shared), 7830 0)) { 7831 TEST_info("Shared ciphers are: %s\n", buf); 7832 goto end; 7833 } 7834 7835 testresult = 1; 7836 7837 end: 7838 SSL_free(serverssl); 7839 SSL_free(clientssl); 7840 SSL_CTX_free(sctx); 7841 SSL_CTX_free(cctx); 7842 OSSL_LIB_CTX_free(tmplibctx); 7843 7844 return testresult; 7845 } 7846 7847 static int test_ssl_get_shared_ciphers(int tst) 7848 { 7849 return int_test_ssl_get_shared_ciphers(tst, 0) 7850 && int_test_ssl_get_shared_ciphers(tst, 1); 7851 } 7852 7853 7854 static const char *appdata = "Hello World"; 7855 static int gen_tick_called, dec_tick_called, tick_key_cb_called; 7856 static int tick_key_renew = 0; 7857 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT; 7858 7859 static int gen_tick_cb(SSL *s, void *arg) 7860 { 7861 gen_tick_called = 1; 7862 7863 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata, 7864 strlen(appdata)); 7865 } 7866 7867 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss, 7868 const unsigned char *keyname, 7869 size_t keyname_length, 7870 SSL_TICKET_STATUS status, 7871 void *arg) 7872 { 7873 void *tickdata; 7874 size_t tickdlen; 7875 7876 dec_tick_called = 1; 7877 7878 if (status == SSL_TICKET_EMPTY) 7879 return SSL_TICKET_RETURN_IGNORE_RENEW; 7880 7881 if (!TEST_true(status == SSL_TICKET_SUCCESS 7882 || status == SSL_TICKET_SUCCESS_RENEW)) 7883 return SSL_TICKET_RETURN_ABORT; 7884 7885 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata, 7886 &tickdlen)) 7887 || !TEST_size_t_eq(tickdlen, strlen(appdata)) 7888 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0)) 7889 return SSL_TICKET_RETURN_ABORT; 7890 7891 if (tick_key_cb_called) { 7892 /* Don't change what the ticket key callback wanted to do */ 7893 switch (status) { 7894 case SSL_TICKET_NO_DECRYPT: 7895 return SSL_TICKET_RETURN_IGNORE_RENEW; 7896 7897 case SSL_TICKET_SUCCESS: 7898 return SSL_TICKET_RETURN_USE; 7899 7900 case SSL_TICKET_SUCCESS_RENEW: 7901 return SSL_TICKET_RETURN_USE_RENEW; 7902 7903 default: 7904 return SSL_TICKET_RETURN_ABORT; 7905 } 7906 } 7907 return tick_dec_ret; 7908 7909 } 7910 7911 #ifndef OPENSSL_NO_DEPRECATED_3_0 7912 static int tick_key_cb(SSL *s, unsigned char key_name[16], 7913 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx, 7914 HMAC_CTX *hctx, int enc) 7915 { 7916 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 7917 const unsigned char tick_hmac_key[16] = "0123456789abcdef"; 7918 EVP_CIPHER *aes128cbc; 7919 EVP_MD *sha256; 7920 int ret; 7921 7922 tick_key_cb_called = 1; 7923 7924 if (tick_key_renew == -1) 7925 return 0; 7926 7927 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); 7928 if (!TEST_ptr(aes128cbc)) 7929 return 0; 7930 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL); 7931 if (!TEST_ptr(sha256)) { 7932 EVP_CIPHER_free(aes128cbc); 7933 return 0; 7934 } 7935 7936 memset(iv, 0, AES_BLOCK_SIZE); 7937 memset(key_name, 0, 16); 7938 if (aes128cbc == NULL 7939 || sha256 == NULL 7940 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) 7941 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256, 7942 NULL)) 7943 ret = -1; 7944 else 7945 ret = tick_key_renew ? 2 : 1; 7946 7947 EVP_CIPHER_free(aes128cbc); 7948 EVP_MD_free(sha256); 7949 7950 return ret; 7951 } 7952 #endif 7953 7954 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], 7955 unsigned char iv[EVP_MAX_IV_LENGTH], 7956 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc) 7957 { 7958 const unsigned char tick_aes_key[16] = "0123456789abcdef"; 7959 unsigned char tick_hmac_key[16] = "0123456789abcdef"; 7960 OSSL_PARAM params[2]; 7961 EVP_CIPHER *aes128cbc; 7962 int ret; 7963 7964 tick_key_cb_called = 1; 7965 7966 if (tick_key_renew == -1) 7967 return 0; 7968 7969 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); 7970 if (!TEST_ptr(aes128cbc)) 7971 return 0; 7972 7973 memset(iv, 0, AES_BLOCK_SIZE); 7974 memset(key_name, 0, 16); 7975 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 7976 "SHA256", 0); 7977 params[1] = OSSL_PARAM_construct_end(); 7978 if (aes128cbc == NULL 7979 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) 7980 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key), 7981 params)) 7982 ret = -1; 7983 else 7984 ret = tick_key_renew ? 2 : 1; 7985 7986 EVP_CIPHER_free(aes128cbc); 7987 7988 return ret; 7989 } 7990 7991 /* 7992 * Test the various ticket callbacks 7993 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal 7994 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal 7995 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal 7996 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal 7997 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal 7998 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal 7999 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal 8000 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal 8001 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal 8002 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal 8003 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal 8004 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal 8005 * Test 12: TLSv1.2, old ticket key callback, no ticket 8006 * Test 13: TLSv1.3, old ticket key callback, no ticket 8007 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal 8008 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal 8009 * Test 16: TLSv1.2, ticket key callback, ticket, renewal 8010 * Test 17: TLSv1.3, ticket key callback, ticket, renewal 8011 * Test 18: TLSv1.2, ticket key callback, no ticket 8012 * Test 19: TLSv1.3, ticket key callback, no ticket 8013 */ 8014 static int test_ticket_callbacks(int tst) 8015 { 8016 SSL_CTX *cctx = NULL, *sctx = NULL; 8017 SSL *clientssl = NULL, *serverssl = NULL; 8018 SSL_SESSION *clntsess = NULL; 8019 int testresult = 0; 8020 8021 #ifdef OPENSSL_NO_TLS1_2 8022 if (tst % 2 == 0) 8023 return 1; 8024 #endif 8025 #ifdef OSSL_NO_USABLE_TLS1_3 8026 if (tst % 2 == 1) 8027 return 1; 8028 #endif 8029 #ifdef OPENSSL_NO_DEPRECATED_3_0 8030 if (tst >= 8 && tst <= 13) 8031 return 1; 8032 #endif 8033 8034 gen_tick_called = dec_tick_called = tick_key_cb_called = 0; 8035 8036 /* Which tests the ticket key callback should request renewal for */ 8037 8038 if (tst == 10 || tst == 11 || tst == 16 || tst == 17) 8039 tick_key_renew = 1; 8040 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19) 8041 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */ 8042 else 8043 tick_key_renew = 0; 8044 8045 /* Which tests the decrypt ticket callback should request renewal for */ 8046 switch (tst) { 8047 case 0: 8048 case 1: 8049 tick_dec_ret = SSL_TICKET_RETURN_IGNORE; 8050 break; 8051 8052 case 2: 8053 case 3: 8054 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW; 8055 break; 8056 8057 case 4: 8058 case 5: 8059 tick_dec_ret = SSL_TICKET_RETURN_USE; 8060 break; 8061 8062 case 6: 8063 case 7: 8064 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW; 8065 break; 8066 8067 default: 8068 tick_dec_ret = SSL_TICKET_RETURN_ABORT; 8069 } 8070 8071 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8072 TLS_client_method(), 8073 TLS1_VERSION, 8074 ((tst % 2) == 0) ? TLS1_2_VERSION 8075 : TLS1_3_VERSION, 8076 &sctx, &cctx, cert, privkey))) 8077 goto end; 8078 8079 /* 8080 * We only want sessions to resume from tickets - not the session cache. So 8081 * switch the cache off. 8082 */ 8083 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))) 8084 goto end; 8085 8086 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb, 8087 NULL))) 8088 goto end; 8089 8090 if (tst >= 14) { 8091 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb))) 8092 goto end; 8093 #ifndef OPENSSL_NO_DEPRECATED_3_0 8094 } else if (tst >= 8) { 8095 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb))) 8096 goto end; 8097 #endif 8098 } 8099 8100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8101 NULL, NULL)) 8102 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8103 SSL_ERROR_NONE))) 8104 goto end; 8105 8106 /* 8107 * The decrypt ticket key callback in TLSv1.2 should be called even though 8108 * we have no ticket yet, because it gets called with a status of 8109 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not 8110 * actually send any ticket data). This does not happen in TLSv1.3 because 8111 * it is not valid to send empty ticket data in TLSv1.3. 8112 */ 8113 if (!TEST_int_eq(gen_tick_called, 1) 8114 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0)) 8115 goto end; 8116 8117 gen_tick_called = dec_tick_called = 0; 8118 8119 clntsess = SSL_get1_session(clientssl); 8120 SSL_shutdown(clientssl); 8121 SSL_shutdown(serverssl); 8122 SSL_free(serverssl); 8123 SSL_free(clientssl); 8124 serverssl = clientssl = NULL; 8125 8126 /* Now do a resumption */ 8127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 8128 NULL)) 8129 || !TEST_true(SSL_set_session(clientssl, clntsess)) 8130 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8131 SSL_ERROR_NONE))) 8132 goto end; 8133 8134 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE 8135 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 8136 || tick_key_renew == -1) { 8137 if (!TEST_false(SSL_session_reused(clientssl))) 8138 goto end; 8139 } else { 8140 if (!TEST_true(SSL_session_reused(clientssl))) 8141 goto end; 8142 } 8143 8144 if (!TEST_int_eq(gen_tick_called, 8145 (tick_key_renew 8146 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW 8147 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW) 8148 ? 1 : 0) 8149 /* There is no ticket to decrypt in tests 13 and 19 */ 8150 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1)) 8151 goto end; 8152 8153 testresult = 1; 8154 8155 end: 8156 SSL_SESSION_free(clntsess); 8157 SSL_free(serverssl); 8158 SSL_free(clientssl); 8159 SSL_CTX_free(sctx); 8160 SSL_CTX_free(cctx); 8161 8162 return testresult; 8163 } 8164 8165 /* 8166 * Test incorrect shutdown. 8167 * Test 0: client does not shutdown properly, 8168 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF, 8169 * server should get SSL_ERROR_SSL 8170 * Test 1: client does not shutdown properly, 8171 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF, 8172 * server should get SSL_ERROR_ZERO_RETURN 8173 */ 8174 static int test_incorrect_shutdown(int tst) 8175 { 8176 SSL_CTX *cctx = NULL, *sctx = NULL; 8177 SSL *clientssl = NULL, *serverssl = NULL; 8178 int testresult = 0; 8179 char buf[80]; 8180 BIO *c2s; 8181 8182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8183 TLS_client_method(), 0, 0, 8184 &sctx, &cctx, cert, privkey))) 8185 goto end; 8186 8187 if (tst == 1) 8188 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF); 8189 8190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8191 NULL, NULL))) 8192 goto end; 8193 8194 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 8195 SSL_ERROR_NONE))) 8196 goto end; 8197 8198 c2s = SSL_get_rbio(serverssl); 8199 BIO_set_mem_eof_return(c2s, 0); 8200 8201 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf)))) 8202 goto end; 8203 8204 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) ) 8205 goto end; 8206 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) ) 8207 goto end; 8208 8209 testresult = 1; 8210 8211 end: 8212 SSL_free(serverssl); 8213 SSL_free(clientssl); 8214 SSL_CTX_free(sctx); 8215 SSL_CTX_free(cctx); 8216 8217 return testresult; 8218 } 8219 8220 /* 8221 * Test bi-directional shutdown. 8222 * Test 0: TLSv1.2 8223 * Test 1: TLSv1.2, server continues to read/write after client shutdown 8224 * Test 2: TLSv1.3, no pending NewSessionTicket messages 8225 * Test 3: TLSv1.3, pending NewSessionTicket messages 8226 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server 8227 * sends key update, client reads it 8228 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server 8229 * sends CertificateRequest, client reads and ignores it 8230 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client 8231 * doesn't read it 8232 */ 8233 static int test_shutdown(int tst) 8234 { 8235 SSL_CTX *cctx = NULL, *sctx = NULL; 8236 SSL *clientssl = NULL, *serverssl = NULL; 8237 int testresult = 0; 8238 char msg[] = "A test message"; 8239 char buf[80]; 8240 size_t written, readbytes; 8241 SSL_SESSION *sess; 8242 8243 #ifdef OPENSSL_NO_TLS1_2 8244 if (tst <= 1) 8245 return 1; 8246 #endif 8247 #ifdef OSSL_NO_USABLE_TLS1_3 8248 if (tst >= 2) 8249 return 1; 8250 #endif 8251 8252 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8253 TLS_client_method(), 8254 TLS1_VERSION, 8255 (tst <= 1) ? TLS1_2_VERSION 8256 : TLS1_3_VERSION, 8257 &sctx, &cctx, cert, privkey))) 8258 goto end; 8259 8260 if (tst == 5) 8261 SSL_CTX_set_post_handshake_auth(cctx, 1); 8262 8263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8264 NULL, NULL))) 8265 goto end; 8266 8267 if (tst == 3) { 8268 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, 8269 SSL_ERROR_NONE, 1)) 8270 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8271 || !TEST_false(SSL_SESSION_is_resumable(sess))) 8272 goto end; 8273 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl, 8274 SSL_ERROR_NONE)) 8275 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8276 || !TEST_true(SSL_SESSION_is_resumable(sess))) { 8277 goto end; 8278 } 8279 8280 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)) 8281 goto end; 8282 8283 if (tst >= 4) { 8284 /* 8285 * Reading on the server after the client has sent close_notify should 8286 * fail and provide SSL_ERROR_ZERO_RETURN 8287 */ 8288 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) 8289 || !TEST_int_eq(SSL_get_error(serverssl, 0), 8290 SSL_ERROR_ZERO_RETURN) 8291 || !TEST_int_eq(SSL_get_shutdown(serverssl), 8292 SSL_RECEIVED_SHUTDOWN) 8293 /* 8294 * Even though we're shutdown on receive we should still be 8295 * able to write. 8296 */ 8297 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 8298 goto end; 8299 if (tst == 4 8300 && !TEST_true(SSL_key_update(serverssl, 8301 SSL_KEY_UPDATE_REQUESTED))) 8302 goto end; 8303 if (tst == 5) { 8304 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); 8305 if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) 8306 goto end; 8307 } 8308 if ((tst == 4 || tst == 5) 8309 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) 8310 goto end; 8311 if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) 8312 goto end; 8313 if (tst == 4 || tst == 5) { 8314 /* Should still be able to read data from server */ 8315 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 8316 &readbytes)) 8317 || !TEST_size_t_eq(readbytes, sizeof(msg)) 8318 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0) 8319 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), 8320 &readbytes)) 8321 || !TEST_size_t_eq(readbytes, sizeof(msg)) 8322 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)) 8323 goto end; 8324 } 8325 } 8326 8327 /* Writing on the client after sending close_notify shouldn't be possible */ 8328 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written))) 8329 goto end; 8330 8331 if (tst < 4) { 8332 /* 8333 * For these tests the client has sent close_notify but it has not yet 8334 * been received by the server. The server has not sent close_notify 8335 * yet. 8336 */ 8337 if (!TEST_int_eq(SSL_shutdown(serverssl), 0) 8338 /* 8339 * Writing on the server after sending close_notify shouldn't 8340 * be possible. 8341 */ 8342 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 8343 || !TEST_int_eq(SSL_shutdown(clientssl), 1) 8344 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8345 || !TEST_true(SSL_SESSION_is_resumable(sess)) 8346 || !TEST_int_eq(SSL_shutdown(serverssl), 1)) 8347 goto end; 8348 } else if (tst == 4 || tst == 5) { 8349 /* 8350 * In this test the client has sent close_notify and it has been 8351 * received by the server which has responded with a close_notify. The 8352 * client needs to read the close_notify sent by the server. 8353 */ 8354 if (!TEST_int_eq(SSL_shutdown(clientssl), 1) 8355 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) 8356 || !TEST_true(SSL_SESSION_is_resumable(sess))) 8357 goto end; 8358 } else { 8359 /* 8360 * tst == 6 8361 * 8362 * The client has sent close_notify and is expecting a close_notify 8363 * back, but instead there is application data first. The shutdown 8364 * should fail with a fatal error. 8365 */ 8366 if (!TEST_int_eq(SSL_shutdown(clientssl), -1) 8367 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL)) 8368 goto end; 8369 } 8370 8371 testresult = 1; 8372 8373 end: 8374 SSL_free(serverssl); 8375 SSL_free(clientssl); 8376 SSL_CTX_free(sctx); 8377 SSL_CTX_free(cctx); 8378 8379 return testresult; 8380 } 8381 8382 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 8383 static int cert_cb_cnt; 8384 8385 static int cert_cb(SSL *s, void *arg) 8386 { 8387 SSL_CTX *ctx = (SSL_CTX *)arg; 8388 BIO *in = NULL; 8389 EVP_PKEY *pkey = NULL; 8390 X509 *x509 = NULL, *rootx = NULL; 8391 STACK_OF(X509) *chain = NULL; 8392 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL; 8393 int ret = 0; 8394 8395 if (cert_cb_cnt == 0) { 8396 /* Suspend the handshake */ 8397 cert_cb_cnt++; 8398 return -1; 8399 } else if (cert_cb_cnt == 1) { 8400 /* 8401 * Update the SSL_CTX, set the certificate and private key and then 8402 * continue the handshake normally. 8403 */ 8404 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx))) 8405 return 0; 8406 8407 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM)) 8408 || !TEST_true(SSL_use_PrivateKey_file(s, privkey, 8409 SSL_FILETYPE_PEM)) 8410 || !TEST_true(SSL_check_private_key(s))) 8411 return 0; 8412 cert_cb_cnt++; 8413 return 1; 8414 } else if (cert_cb_cnt == 3) { 8415 int rv; 8416 8417 rootfile = test_mk_file_path(certsdir, "rootcert.pem"); 8418 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem"); 8419 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem"); 8420 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey)) 8421 goto out; 8422 chain = sk_X509_new_null(); 8423 if (!TEST_ptr(chain)) 8424 goto out; 8425 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8426 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0) 8427 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL)) 8428 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL)) 8429 || !TEST_true(sk_X509_push(chain, rootx))) 8430 goto out; 8431 rootx = NULL; 8432 BIO_free(in); 8433 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8434 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0) 8435 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL)) 8436 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL))) 8437 goto out; 8438 BIO_free(in); 8439 if (!TEST_ptr(in = BIO_new(BIO_s_file())) 8440 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0) 8441 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL, 8442 NULL, NULL, 8443 libctx, NULL))) 8444 goto out; 8445 rv = SSL_check_chain(s, x509, pkey, chain); 8446 /* 8447 * If the cert doesn't show as valid here (e.g., because we don't 8448 * have any shared sigalgs), then we will not set it, and there will 8449 * be no certificate at all on the SSL or SSL_CTX. This, in turn, 8450 * will cause tls_choose_sigalgs() to fail the connection. 8451 */ 8452 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) 8453 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) { 8454 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1)) 8455 goto out; 8456 } 8457 8458 ret = 1; 8459 } 8460 8461 /* Abort the handshake */ 8462 out: 8463 OPENSSL_free(ecdsacert); 8464 OPENSSL_free(ecdsakey); 8465 OPENSSL_free(rootfile); 8466 BIO_free(in); 8467 EVP_PKEY_free(pkey); 8468 X509_free(x509); 8469 X509_free(rootx); 8470 sk_X509_pop_free(chain, X509_free); 8471 return ret; 8472 } 8473 8474 /* 8475 * Test the certificate callback. 8476 * Test 0: Callback fails 8477 * Test 1: Success - no SSL_set_SSL_CTX() in the callback 8478 * Test 2: Success - SSL_set_SSL_CTX() in the callback 8479 * Test 3: Success - Call SSL_check_chain from the callback 8480 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the 8481 * chain 8482 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert 8483 */ 8484 static int test_cert_cb_int(int prot, int tst) 8485 { 8486 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL; 8487 SSL *clientssl = NULL, *serverssl = NULL; 8488 int testresult = 0, ret; 8489 8490 #ifdef OPENSSL_NO_EC 8491 /* We use an EC cert in these tests, so we skip in a no-ec build */ 8492 if (tst >= 3) 8493 return 1; 8494 #endif 8495 8496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8497 TLS_client_method(), 8498 TLS1_VERSION, 8499 prot, 8500 &sctx, &cctx, NULL, NULL))) 8501 goto end; 8502 8503 if (tst == 0) 8504 cert_cb_cnt = -1; 8505 else if (tst >= 3) 8506 cert_cb_cnt = 3; 8507 else 8508 cert_cb_cnt = 0; 8509 8510 if (tst == 2) { 8511 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 8512 if (!TEST_ptr(snictx)) 8513 goto end; 8514 } 8515 8516 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); 8517 8518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8519 NULL, NULL))) 8520 goto end; 8521 8522 if (tst == 4) { 8523 /* 8524 * We cause SSL_check_chain() to fail by specifying sig_algs that 8525 * the chain doesn't meet (the root uses an RSA cert) 8526 */ 8527 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 8528 "ecdsa_secp256r1_sha256"))) 8529 goto end; 8530 } else if (tst == 5) { 8531 /* 8532 * We cause SSL_check_chain() to fail by specifying sig_algs that 8533 * the ee cert doesn't meet (the ee uses an ECDSA cert) 8534 */ 8535 if (!TEST_true(SSL_set1_sigalgs_list(clientssl, 8536 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256"))) 8537 goto end; 8538 } 8539 8540 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 8541 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret) 8542 || (tst > 0 8543 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) { 8544 goto end; 8545 } 8546 8547 testresult = 1; 8548 8549 end: 8550 SSL_free(serverssl); 8551 SSL_free(clientssl); 8552 SSL_CTX_free(sctx); 8553 SSL_CTX_free(cctx); 8554 SSL_CTX_free(snictx); 8555 8556 return testresult; 8557 } 8558 #endif 8559 8560 static int test_cert_cb(int tst) 8561 { 8562 int testresult = 1; 8563 8564 #ifndef OPENSSL_NO_TLS1_2 8565 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); 8566 #endif 8567 #ifndef OSSL_NO_USABLE_TLS1_3 8568 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); 8569 #endif 8570 8571 return testresult; 8572 } 8573 8574 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 8575 { 8576 X509 *xcert; 8577 EVP_PKEY *privpkey; 8578 BIO *in = NULL; 8579 BIO *priv_in = NULL; 8580 8581 /* Check that SSL_get0_peer_certificate() returns something sensible */ 8582 if (!TEST_ptr(SSL_get0_peer_certificate(ssl))) 8583 return 0; 8584 8585 in = BIO_new_file(cert, "r"); 8586 if (!TEST_ptr(in)) 8587 return 0; 8588 8589 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL)) 8590 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL)) 8591 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r")) 8592 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL, 8593 NULL, NULL, 8594 libctx, NULL))) 8595 goto err; 8596 8597 *x509 = xcert; 8598 *pkey = privpkey; 8599 8600 BIO_free(in); 8601 BIO_free(priv_in); 8602 return 1; 8603 err: 8604 X509_free(xcert); 8605 BIO_free(in); 8606 BIO_free(priv_in); 8607 return 0; 8608 } 8609 8610 static int test_client_cert_cb(int tst) 8611 { 8612 SSL_CTX *cctx = NULL, *sctx = NULL; 8613 SSL *clientssl = NULL, *serverssl = NULL; 8614 int testresult = 0; 8615 8616 #ifdef OPENSSL_NO_TLS1_2 8617 if (tst == 0) 8618 return 1; 8619 #endif 8620 #ifdef OSSL_NO_USABLE_TLS1_3 8621 if (tst == 1) 8622 return 1; 8623 #endif 8624 8625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8626 TLS_client_method(), 8627 TLS1_VERSION, 8628 tst == 0 ? TLS1_2_VERSION 8629 : TLS1_3_VERSION, 8630 &sctx, &cctx, cert, privkey))) 8631 goto end; 8632 8633 /* 8634 * Test that setting a client_cert_cb results in a client certificate being 8635 * sent. 8636 */ 8637 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb); 8638 SSL_CTX_set_verify(sctx, 8639 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 8640 verify_cb); 8641 8642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8643 NULL, NULL)) 8644 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8645 SSL_ERROR_NONE))) 8646 goto end; 8647 8648 testresult = 1; 8649 8650 end: 8651 SSL_free(serverssl); 8652 SSL_free(clientssl); 8653 SSL_CTX_free(sctx); 8654 SSL_CTX_free(cctx); 8655 8656 return testresult; 8657 } 8658 8659 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 8660 /* 8661 * Test setting certificate authorities on both client and server. 8662 * 8663 * Test 0: SSL_CTX_set0_CA_list() only 8664 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list() 8665 * Test 2: Only SSL_CTX_set_client_CA_list() 8666 */ 8667 static int test_ca_names_int(int prot, int tst) 8668 { 8669 SSL_CTX *cctx = NULL, *sctx = NULL; 8670 SSL *clientssl = NULL, *serverssl = NULL; 8671 int testresult = 0; 8672 size_t i; 8673 X509_NAME *name[] = { NULL, NULL, NULL, NULL }; 8674 char *strnames[] = { "Jack", "Jill", "John", "Joanne" }; 8675 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL; 8676 const STACK_OF(X509_NAME) *sktmp = NULL; 8677 8678 for (i = 0; i < OSSL_NELEM(name); i++) { 8679 name[i] = X509_NAME_new(); 8680 if (!TEST_ptr(name[i]) 8681 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN", 8682 MBSTRING_ASC, 8683 (unsigned char *) 8684 strnames[i], 8685 -1, -1, 0))) 8686 goto end; 8687 } 8688 8689 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8690 TLS_client_method(), 8691 TLS1_VERSION, 8692 prot, 8693 &sctx, &cctx, cert, privkey))) 8694 goto end; 8695 8696 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL); 8697 8698 if (tst == 0 || tst == 1) { 8699 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 8700 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0]))) 8701 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1]))) 8702 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 8703 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0]))) 8704 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1])))) 8705 goto end; 8706 8707 SSL_CTX_set0_CA_list(sctx, sk1); 8708 SSL_CTX_set0_CA_list(cctx, sk2); 8709 sk1 = sk2 = NULL; 8710 } 8711 if (tst == 1 || tst == 2) { 8712 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null()) 8713 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2]))) 8714 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3]))) 8715 || !TEST_ptr(sk2 = sk_X509_NAME_new_null()) 8716 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2]))) 8717 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3])))) 8718 goto end; 8719 8720 SSL_CTX_set_client_CA_list(sctx, sk1); 8721 SSL_CTX_set_client_CA_list(cctx, sk2); 8722 sk1 = sk2 = NULL; 8723 } 8724 8725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8726 NULL, NULL)) 8727 || !TEST_true(create_ssl_connection(serverssl, clientssl, 8728 SSL_ERROR_NONE))) 8729 goto end; 8730 8731 /* 8732 * We only expect certificate authorities to have been sent to the server 8733 * if we are using TLSv1.3 and SSL_set0_CA_list() was used 8734 */ 8735 sktmp = SSL_get0_peer_CA_list(serverssl); 8736 if (prot == TLS1_3_VERSION 8737 && (tst == 0 || tst == 1)) { 8738 if (!TEST_ptr(sktmp) 8739 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 8740 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 8741 name[0]), 0) 8742 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 8743 name[1]), 0)) 8744 goto end; 8745 } else if (!TEST_ptr_null(sktmp)) { 8746 goto end; 8747 } 8748 8749 /* 8750 * In all tests we expect certificate authorities to have been sent to the 8751 * client. However, SSL_set_client_CA_list() should override 8752 * SSL_set0_CA_list() 8753 */ 8754 sktmp = SSL_get0_peer_CA_list(clientssl); 8755 if (!TEST_ptr(sktmp) 8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2) 8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0), 8758 name[tst == 0 ? 0 : 2]), 0) 8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1), 8760 name[tst == 0 ? 1 : 3]), 0)) 8761 goto end; 8762 8763 testresult = 1; 8764 8765 end: 8766 SSL_free(serverssl); 8767 SSL_free(clientssl); 8768 SSL_CTX_free(sctx); 8769 SSL_CTX_free(cctx); 8770 for (i = 0; i < OSSL_NELEM(name); i++) 8771 X509_NAME_free(name[i]); 8772 sk_X509_NAME_pop_free(sk1, X509_NAME_free); 8773 sk_X509_NAME_pop_free(sk2, X509_NAME_free); 8774 8775 return testresult; 8776 } 8777 #endif 8778 8779 static int test_ca_names(int tst) 8780 { 8781 int testresult = 1; 8782 8783 #ifndef OPENSSL_NO_TLS1_2 8784 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); 8785 #endif 8786 #ifndef OSSL_NO_USABLE_TLS1_3 8787 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); 8788 #endif 8789 8790 return testresult; 8791 } 8792 8793 #ifndef OPENSSL_NO_TLS1_2 8794 static const char *multiblock_cipherlist_data[]= 8795 { 8796 "AES128-SHA", 8797 "AES128-SHA256", 8798 "AES256-SHA", 8799 "AES256-SHA256", 8800 }; 8801 8802 /* Reduce the fragment size - so the multiblock test buffer can be small */ 8803 # define MULTIBLOCK_FRAGSIZE 512 8804 8805 static int test_multiblock_write(int test_index) 8806 { 8807 static const char *fetchable_ciphers[]= 8808 { 8809 "AES-128-CBC-HMAC-SHA1", 8810 "AES-128-CBC-HMAC-SHA256", 8811 "AES-256-CBC-HMAC-SHA1", 8812 "AES-256-CBC-HMAC-SHA256" 8813 }; 8814 const char *cipherlist = multiblock_cipherlist_data[test_index]; 8815 const SSL_METHOD *smeth = TLS_server_method(); 8816 const SSL_METHOD *cmeth = TLS_client_method(); 8817 int min_version = TLS1_VERSION; 8818 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */ 8819 SSL_CTX *cctx = NULL, *sctx = NULL; 8820 SSL *clientssl = NULL, *serverssl = NULL; 8821 int testresult = 0; 8822 8823 /* 8824 * Choose a buffer large enough to perform a multi-block operation 8825 * i.e: write_len >= 4 * frag_size 8826 * 9 * is chosen so that multiple multiblocks are used + some leftover. 8827 */ 8828 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9]; 8829 unsigned char buf[sizeof(msg)], *p = buf; 8830 size_t readbytes, written, len; 8831 EVP_CIPHER *ciph = NULL; 8832 8833 /* 8834 * Check if the cipher exists before attempting to use it since it only has 8835 * a hardware specific implementation. 8836 */ 8837 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], ""); 8838 if (ciph == NULL) { 8839 TEST_skip("Multiblock cipher is not available for %s", cipherlist); 8840 return 1; 8841 } 8842 EVP_CIPHER_free(ciph); 8843 8844 /* Set up a buffer with some data that will be sent to the client */ 8845 RAND_bytes(msg, sizeof(msg)); 8846 8847 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, 8848 max_version, &sctx, &cctx, cert, 8849 privkey))) 8850 goto end; 8851 8852 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE))) 8853 goto end; 8854 8855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 8856 NULL, NULL))) 8857 goto end; 8858 8859 /* settings to force it to use AES-CBC-HMAC_SHA */ 8860 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC); 8861 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist))) 8862 goto end; 8863 8864 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 8865 goto end; 8866 8867 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) 8868 || !TEST_size_t_eq(written, sizeof(msg))) 8869 goto end; 8870 8871 len = written; 8872 while (len > 0) { 8873 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes))) 8874 goto end; 8875 p += readbytes; 8876 len -= readbytes; 8877 } 8878 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf))) 8879 goto end; 8880 8881 testresult = 1; 8882 end: 8883 SSL_free(serverssl); 8884 SSL_free(clientssl); 8885 SSL_CTX_free(sctx); 8886 SSL_CTX_free(cctx); 8887 8888 return testresult; 8889 } 8890 #endif /* OPENSSL_NO_TLS1_2 */ 8891 8892 static int test_session_timeout(int test) 8893 { 8894 /* 8895 * Test session ordering and timeout 8896 * Can't explicitly test performance of the new code, 8897 * but can test to see if the ordering of the sessions 8898 * are correct, and they they are removed as expected 8899 */ 8900 SSL_SESSION *early = NULL; 8901 SSL_SESSION *middle = NULL; 8902 SSL_SESSION *late = NULL; 8903 SSL_CTX *ctx; 8904 int testresult = 0; 8905 long now = (long)time(NULL); 8906 #define TIMEOUT 10 8907 8908 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())) 8909 || !TEST_ptr(early = SSL_SESSION_new()) 8910 || !TEST_ptr(middle = SSL_SESSION_new()) 8911 || !TEST_ptr(late = SSL_SESSION_new())) 8912 goto end; 8913 8914 /* assign unique session ids */ 8915 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8916 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH); 8917 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8918 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH); 8919 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 8920 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH); 8921 8922 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 8923 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1) 8924 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1)) 8925 goto end; 8926 8927 /* Make sure they are all added */ 8928 if (!TEST_ptr(early->prev) 8929 || !TEST_ptr(middle->prev) 8930 || !TEST_ptr(late->prev)) 8931 goto end; 8932 8933 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0) 8934 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0) 8935 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0)) 8936 goto end; 8937 8938 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0) 8939 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0) 8940 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0)) 8941 goto end; 8942 8943 /* Make sure they are all still there */ 8944 if (!TEST_ptr(early->prev) 8945 || !TEST_ptr(middle->prev) 8946 || !TEST_ptr(late->prev)) 8947 goto end; 8948 8949 /* Make sure they are in the expected order */ 8950 if (!TEST_ptr_eq(late->next, middle) 8951 || !TEST_ptr_eq(middle->next, early) 8952 || !TEST_ptr_eq(early->prev, middle) 8953 || !TEST_ptr_eq(middle->prev, late)) 8954 goto end; 8955 8956 /* This should remove "early" */ 8957 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1); 8958 if (!TEST_ptr_null(early->prev) 8959 || !TEST_ptr(middle->prev) 8960 || !TEST_ptr(late->prev)) 8961 goto end; 8962 8963 /* This should remove "middle" */ 8964 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1); 8965 if (!TEST_ptr_null(early->prev) 8966 || !TEST_ptr_null(middle->prev) 8967 || !TEST_ptr(late->prev)) 8968 goto end; 8969 8970 /* This should remove "late" */ 8971 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11); 8972 if (!TEST_ptr_null(early->prev) 8973 || !TEST_ptr_null(middle->prev) 8974 || !TEST_ptr_null(late->prev)) 8975 goto end; 8976 8977 /* Add them back in again */ 8978 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 8979 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1) 8980 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1)) 8981 goto end; 8982 8983 /* Make sure they are all added */ 8984 if (!TEST_ptr(early->prev) 8985 || !TEST_ptr(middle->prev) 8986 || !TEST_ptr(late->prev)) 8987 goto end; 8988 8989 /* This should remove all of them */ 8990 SSL_CTX_flush_sessions(ctx, 0); 8991 if (!TEST_ptr_null(early->prev) 8992 || !TEST_ptr_null(middle->prev) 8993 || !TEST_ptr_null(late->prev)) 8994 goto end; 8995 8996 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME 8997 | SSL_CTX_get_session_cache_mode(ctx)); 8998 8999 /* make sure |now| is NOT equal to the current time */ 9000 now -= 10; 9001 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0) 9002 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) 9003 || !TEST_long_ne(SSL_SESSION_get_time(early), now)) 9004 goto end; 9005 9006 testresult = 1; 9007 end: 9008 SSL_CTX_free(ctx); 9009 SSL_SESSION_free(early); 9010 SSL_SESSION_free(middle); 9011 SSL_SESSION_free(late); 9012 return testresult; 9013 } 9014 9015 /* 9016 * Test that a session cache overflow works as expected 9017 * Test 0: TLSv1.3, timeout on new session later than old session 9018 * Test 1: TLSv1.2, timeout on new session later than old session 9019 * Test 2: TLSv1.3, timeout on new session earlier than old session 9020 * Test 3: TLSv1.2, timeout on new session earlier than old session 9021 */ 9022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 9023 static int test_session_cache_overflow(int idx) 9024 { 9025 SSL_CTX *sctx = NULL, *cctx = NULL; 9026 SSL *serverssl = NULL, *clientssl = NULL; 9027 int testresult = 0; 9028 SSL_SESSION *sess = NULL; 9029 9030 #ifdef OSSL_NO_USABLE_TLS1_3 9031 /* If no TLSv1.3 available then do nothing in this case */ 9032 if (idx % 2 == 0) 9033 return TEST_skip("No TLSv1.3 available"); 9034 #endif 9035 #ifdef OPENSSL_NO_TLS1_2 9036 /* If no TLSv1.2 available then do nothing in this case */ 9037 if (idx % 2 == 1) 9038 return TEST_skip("No TLSv1.2 available"); 9039 #endif 9040 9041 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9042 TLS_client_method(), TLS1_VERSION, 9043 (idx % 2 == 0) ? TLS1_3_VERSION 9044 : TLS1_2_VERSION, 9045 &sctx, &cctx, cert, privkey)) 9046 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))) 9047 goto end; 9048 9049 SSL_CTX_sess_set_get_cb(sctx, get_session_cb); 9050 get_sess_val = NULL; 9051 9052 SSL_CTX_sess_set_cache_size(sctx, 1); 9053 9054 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9055 NULL, NULL))) 9056 goto end; 9057 9058 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9059 goto end; 9060 9061 if (idx > 1) { 9062 sess = SSL_get_session(serverssl); 9063 if (!TEST_ptr(sess)) 9064 goto end; 9065 9066 /* 9067 * Cause this session to have a longer timeout than the next session to 9068 * be added. 9069 */ 9070 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) { 9071 sess = NULL; 9072 goto end; 9073 } 9074 sess = NULL; 9075 } 9076 9077 SSL_shutdown(serverssl); 9078 SSL_shutdown(clientssl); 9079 SSL_free(serverssl); 9080 SSL_free(clientssl); 9081 serverssl = clientssl = NULL; 9082 9083 /* 9084 * Session cache size is 1 and we already populated the cache with a session 9085 * so the next connection should cause an overflow. 9086 */ 9087 9088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9089 NULL, NULL))) 9090 goto end; 9091 9092 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9093 goto end; 9094 9095 /* 9096 * The session we just negotiated may have been already removed from the 9097 * internal cache - but we will return it anyway from our external cache. 9098 */ 9099 get_sess_val = SSL_get_session(serverssl); 9100 if (!TEST_ptr(get_sess_val)) 9101 goto end; 9102 sess = SSL_get1_session(clientssl); 9103 if (!TEST_ptr(sess)) 9104 goto end; 9105 9106 SSL_shutdown(serverssl); 9107 SSL_shutdown(clientssl); 9108 SSL_free(serverssl); 9109 SSL_free(clientssl); 9110 serverssl = clientssl = NULL; 9111 9112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9113 NULL, NULL))) 9114 goto end; 9115 9116 if (!TEST_true(SSL_set_session(clientssl, sess))) 9117 goto end; 9118 9119 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9120 goto end; 9121 9122 testresult = 1; 9123 9124 end: 9125 SSL_free(serverssl); 9126 SSL_free(clientssl); 9127 SSL_CTX_free(sctx); 9128 SSL_CTX_free(cctx); 9129 SSL_SESSION_free(sess); 9130 9131 return testresult; 9132 } 9133 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ 9134 9135 /* 9136 * Test 0: Client sets servername and server acknowledges it (TLSv1.2) 9137 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) 9138 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2) 9139 * Test 3: Client does not set servername on initial handshake (TLSv1.2) 9140 * Test 4: Client does not set servername on resumption handshake (TLSv1.2) 9141 * Test 5: Client sets servername and server acknowledges it (TLSv1.3) 9142 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3) 9143 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3) 9144 * Test 8: Client does not set servername on initial handshake(TLSv1.3) 9145 * Test 9: Client does not set servername on resumption handshake (TLSv1.3) 9146 */ 9147 static int test_servername(int tst) 9148 { 9149 SSL_CTX *cctx = NULL, *sctx = NULL; 9150 SSL *clientssl = NULL, *serverssl = NULL; 9151 int testresult = 0; 9152 SSL_SESSION *sess = NULL; 9153 const char *sexpectedhost = NULL, *cexpectedhost = NULL; 9154 9155 #ifdef OPENSSL_NO_TLS1_2 9156 if (tst <= 4) 9157 return 1; 9158 #endif 9159 #ifdef OSSL_NO_USABLE_TLS1_3 9160 if (tst >= 5) 9161 return 1; 9162 #endif 9163 9164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9165 TLS_client_method(), 9166 TLS1_VERSION, 9167 (tst <= 4) ? TLS1_2_VERSION 9168 : TLS1_3_VERSION, 9169 &sctx, &cctx, cert, privkey)) 9170 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9171 NULL, NULL))) 9172 goto end; 9173 9174 if (tst != 1 && tst != 6) { 9175 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, 9176 hostname_cb))) 9177 goto end; 9178 } 9179 9180 if (tst != 3 && tst != 8) { 9181 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 9182 goto end; 9183 sexpectedhost = cexpectedhost = "goodhost"; 9184 } 9185 9186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9187 goto end; 9188 9189 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name), 9190 cexpectedhost) 9191 || !TEST_str_eq(SSL_get_servername(serverssl, 9192 TLSEXT_NAMETYPE_host_name), 9193 sexpectedhost)) 9194 goto end; 9195 9196 /* Now repeat with a resumption handshake */ 9197 9198 if (!TEST_int_eq(SSL_shutdown(clientssl), 0) 9199 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL) 9200 || !TEST_true(SSL_SESSION_is_resumable(sess)) 9201 || !TEST_int_eq(SSL_shutdown(serverssl), 0)) 9202 goto end; 9203 9204 SSL_free(clientssl); 9205 SSL_free(serverssl); 9206 clientssl = serverssl = NULL; 9207 9208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 9209 NULL))) 9210 goto end; 9211 9212 if (!TEST_true(SSL_set_session(clientssl, sess))) 9213 goto end; 9214 9215 sexpectedhost = cexpectedhost = "goodhost"; 9216 if (tst == 2 || tst == 7) { 9217 /* Set an inconsistent hostname */ 9218 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost"))) 9219 goto end; 9220 /* 9221 * In TLSv1.2 we expect the hostname from the original handshake, in 9222 * TLSv1.3 we expect the hostname from this handshake 9223 */ 9224 if (tst == 7) 9225 sexpectedhost = cexpectedhost = "altgoodhost"; 9226 9227 if (!TEST_str_eq(SSL_get_servername(clientssl, 9228 TLSEXT_NAMETYPE_host_name), 9229 "altgoodhost")) 9230 goto end; 9231 } else if (tst == 4 || tst == 9) { 9232 /* 9233 * A TLSv1.3 session does not associate a session with a servername, 9234 * but a TLSv1.2 session does. 9235 */ 9236 if (tst == 9) 9237 sexpectedhost = cexpectedhost = NULL; 9238 9239 if (!TEST_str_eq(SSL_get_servername(clientssl, 9240 TLSEXT_NAMETYPE_host_name), 9241 cexpectedhost)) 9242 goto end; 9243 } else { 9244 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))) 9245 goto end; 9246 /* 9247 * In a TLSv1.2 resumption where the hostname was not acknowledged 9248 * we expect the hostname on the server to be empty. On the client we 9249 * return what was requested in this case. 9250 * 9251 * Similarly if the client didn't set a hostname on an original TLSv1.2 9252 * session but is now, the server hostname will be empty, but the client 9253 * is as we set it. 9254 */ 9255 if (tst == 1 || tst == 3) 9256 sexpectedhost = NULL; 9257 9258 if (!TEST_str_eq(SSL_get_servername(clientssl, 9259 TLSEXT_NAMETYPE_host_name), 9260 "goodhost")) 9261 goto end; 9262 } 9263 9264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9265 goto end; 9266 9267 if (!TEST_true(SSL_session_reused(clientssl)) 9268 || !TEST_true(SSL_session_reused(serverssl)) 9269 || !TEST_str_eq(SSL_get_servername(clientssl, 9270 TLSEXT_NAMETYPE_host_name), 9271 cexpectedhost) 9272 || !TEST_str_eq(SSL_get_servername(serverssl, 9273 TLSEXT_NAMETYPE_host_name), 9274 sexpectedhost)) 9275 goto end; 9276 9277 testresult = 1; 9278 9279 end: 9280 SSL_SESSION_free(sess); 9281 SSL_free(serverssl); 9282 SSL_free(clientssl); 9283 SSL_CTX_free(sctx); 9284 SSL_CTX_free(cctx); 9285 9286 return testresult; 9287 } 9288 9289 #if !defined(OPENSSL_NO_EC) \ 9290 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 9291 /* 9292 * Test that if signature algorithms are not available, then we do not offer or 9293 * accept them. 9294 * Test 0: Two RSA sig algs available: both RSA sig algs shared 9295 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared 9296 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared 9297 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared 9298 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared 9299 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared 9300 */ 9301 static int test_sigalgs_available(int idx) 9302 { 9303 SSL_CTX *cctx = NULL, *sctx = NULL; 9304 SSL *clientssl = NULL, *serverssl = NULL; 9305 int testresult = 0; 9306 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new(); 9307 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx; 9308 OSSL_PROVIDER *filterprov = NULL; 9309 int sig, hash; 9310 9311 if (!TEST_ptr(tmpctx)) 9312 goto end; 9313 9314 if (idx != 0 && idx != 3) { 9315 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter", 9316 filter_provider_init))) 9317 goto end; 9318 9319 filterprov = OSSL_PROVIDER_load(tmpctx, "filter"); 9320 if (!TEST_ptr(filterprov)) 9321 goto end; 9322 9323 if (idx < 3) { 9324 /* 9325 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered 9326 * or accepted for the peer that uses this libctx. Note that libssl 9327 * *requires* SHA2-256 to be available so we cannot disable that. We 9328 * also need SHA1 for our certificate. 9329 */ 9330 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST, 9331 "SHA2-256:SHA1"))) 9332 goto end; 9333 } else { 9334 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE, 9335 "ECDSA")) 9336 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, 9337 "EC:X25519:X448"))) 9338 goto end; 9339 } 9340 9341 if (idx == 1 || idx == 4) 9342 clientctx = tmpctx; 9343 else 9344 serverctx = tmpctx; 9345 } 9346 9347 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method()); 9348 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method()); 9349 if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) 9350 goto end; 9351 9352 if (idx != 5) { 9353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9354 TLS_client_method(), 9355 TLS1_VERSION, 9356 0, 9357 &sctx, &cctx, cert, privkey))) 9358 goto end; 9359 } else { 9360 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9361 TLS_client_method(), 9362 TLS1_VERSION, 9363 0, 9364 &sctx, &cctx, cert2, privkey2))) 9365 goto end; 9366 } 9367 9368 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */ 9369 if (idx < 4) { 9370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 9371 "ECDHE-RSA-AES128-GCM-SHA256"))) 9372 goto end; 9373 } else { 9374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 9375 "ECDHE-ECDSA-AES128-GCM-SHA256"))) 9376 goto end; 9377 } 9378 9379 if (idx < 3) { 9380 if (!SSL_CTX_set1_sigalgs_list(cctx, 9381 "rsa_pss_rsae_sha384" 9382 ":rsa_pss_rsae_sha256") 9383 || !SSL_CTX_set1_sigalgs_list(sctx, 9384 "rsa_pss_rsae_sha384" 9385 ":rsa_pss_rsae_sha256")) 9386 goto end; 9387 } else { 9388 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256") 9389 || !SSL_CTX_set1_sigalgs_list(sctx, 9390 "rsa_pss_rsae_sha256:ECDSA+SHA256")) 9391 goto end; 9392 } 9393 9394 if (idx != 5 9395 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2, 9396 SSL_FILETYPE_PEM), 1) 9397 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, 9398 privkey2, 9399 SSL_FILETYPE_PEM), 1) 9400 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))) 9401 goto end; 9402 9403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9404 NULL, NULL))) 9405 goto end; 9406 9407 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9408 goto end; 9409 9410 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */ 9411 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL, 9412 NULL, NULL), 9413 (idx == 0 || idx == 3) ? 2 : 1)) 9414 goto end; 9415 9416 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256)) 9417 goto end; 9418 9419 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC 9420 : NID_rsassaPss)) 9421 goto end; 9422 9423 testresult = filter_provider_check_clean_finish(); 9424 9425 end: 9426 SSL_free(serverssl); 9427 SSL_free(clientssl); 9428 SSL_CTX_free(sctx); 9429 SSL_CTX_free(cctx); 9430 OSSL_PROVIDER_unload(filterprov); 9431 OSSL_LIB_CTX_free(tmpctx); 9432 9433 return testresult; 9434 } 9435 #endif /* 9436 * !defined(OPENSSL_NO_EC) \ 9437 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 9438 */ 9439 9440 #ifndef OPENSSL_NO_TLS1_3 9441 /* This test can run in TLSv1.3 even if ec and dh are disabled */ 9442 static int test_pluggable_group(int idx) 9443 { 9444 SSL_CTX *cctx = NULL, *sctx = NULL; 9445 SSL *clientssl = NULL, *serverssl = NULL; 9446 int testresult = 0; 9447 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider"); 9448 /* Check that we are not impacted by a provider without any groups */ 9449 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); 9450 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup"; 9451 9452 if (!TEST_ptr(tlsprov)) 9453 goto end; 9454 9455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9456 TLS_client_method(), 9457 TLS1_3_VERSION, 9458 TLS1_3_VERSION, 9459 &sctx, &cctx, cert, privkey)) 9460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9461 NULL, NULL))) 9462 goto end; 9463 9464 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */ 9465 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43")) 9466 /* removing a single algorithm from the list makes the test pass */ 9467 || !TEST_true(SSL_set1_groups_list(clientssl, group_name))) 9468 goto end; 9469 9470 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9471 goto end; 9472 9473 if (!TEST_str_eq(group_name, 9474 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0)))) 9475 goto end; 9476 9477 testresult = 1; 9478 9479 end: 9480 SSL_free(serverssl); 9481 SSL_free(clientssl); 9482 SSL_CTX_free(sctx); 9483 SSL_CTX_free(cctx); 9484 OSSL_PROVIDER_unload(tlsprov); 9485 OSSL_PROVIDER_unload(legacyprov); 9486 9487 return testresult; 9488 } 9489 #endif 9490 9491 #ifndef OPENSSL_NO_TLS1_2 9492 static int test_ssl_dup(void) 9493 { 9494 SSL_CTX *cctx = NULL, *sctx = NULL; 9495 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL; 9496 int testresult = 0; 9497 BIO *rbio = NULL, *wbio = NULL; 9498 9499 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9500 TLS_client_method(), 9501 0, 9502 0, 9503 &sctx, &cctx, cert, privkey))) 9504 goto end; 9505 9506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9507 NULL, NULL))) 9508 goto end; 9509 9510 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) 9511 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION))) 9512 goto end; 9513 9514 client2ssl = SSL_dup(clientssl); 9515 rbio = SSL_get_rbio(clientssl); 9516 if (!TEST_ptr(rbio) 9517 || !TEST_true(BIO_up_ref(rbio))) 9518 goto end; 9519 SSL_set0_rbio(client2ssl, rbio); 9520 rbio = NULL; 9521 9522 wbio = SSL_get_wbio(clientssl); 9523 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio))) 9524 goto end; 9525 SSL_set0_wbio(client2ssl, wbio); 9526 rbio = NULL; 9527 9528 if (!TEST_ptr(client2ssl) 9529 /* Handshake not started so pointers should be different */ 9530 || !TEST_ptr_ne(clientssl, client2ssl)) 9531 goto end; 9532 9533 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION) 9534 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION)) 9535 goto end; 9536 9537 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE))) 9538 goto end; 9539 9540 SSL_free(clientssl); 9541 clientssl = SSL_dup(client2ssl); 9542 if (!TEST_ptr(clientssl) 9543 /* Handshake has finished so pointers should be the same */ 9544 || !TEST_ptr_eq(clientssl, client2ssl)) 9545 goto end; 9546 9547 testresult = 1; 9548 9549 end: 9550 SSL_free(serverssl); 9551 SSL_free(clientssl); 9552 SSL_free(client2ssl); 9553 SSL_CTX_free(sctx); 9554 SSL_CTX_free(cctx); 9555 9556 return testresult; 9557 } 9558 9559 # ifndef OPENSSL_NO_DH 9560 9561 static EVP_PKEY *tmp_dh_params = NULL; 9562 9563 /* Helper function for the test_set_tmp_dh() tests */ 9564 static EVP_PKEY *get_tmp_dh_params(void) 9565 { 9566 if (tmp_dh_params == NULL) { 9567 BIGNUM *p = NULL; 9568 OSSL_PARAM_BLD *tmpl = NULL; 9569 EVP_PKEY_CTX *pctx = NULL; 9570 OSSL_PARAM *params = NULL; 9571 EVP_PKEY *dhpkey = NULL; 9572 9573 p = BN_get_rfc3526_prime_2048(NULL); 9574 if (!TEST_ptr(p)) 9575 goto end; 9576 9577 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL); 9578 if (!TEST_ptr(pctx) 9579 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1)) 9580 goto end; 9581 9582 tmpl = OSSL_PARAM_BLD_new(); 9583 if (!TEST_ptr(tmpl) 9584 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl, 9585 OSSL_PKEY_PARAM_FFC_P, 9586 p)) 9587 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl, 9588 OSSL_PKEY_PARAM_FFC_G, 9589 2))) 9590 goto end; 9591 9592 params = OSSL_PARAM_BLD_to_param(tmpl); 9593 if (!TEST_ptr(params) 9594 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey, 9595 EVP_PKEY_KEY_PARAMETERS, 9596 params), 1)) 9597 goto end; 9598 9599 tmp_dh_params = dhpkey; 9600 end: 9601 BN_free(p); 9602 EVP_PKEY_CTX_free(pctx); 9603 OSSL_PARAM_BLD_free(tmpl); 9604 OSSL_PARAM_free(params); 9605 } 9606 9607 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params)) 9608 return NULL; 9609 9610 return tmp_dh_params; 9611 } 9612 9613 # ifndef OPENSSL_NO_DEPRECATED_3_0 9614 /* Callback used by test_set_tmp_dh() */ 9615 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen) 9616 { 9617 EVP_PKEY *dhpkey = get_tmp_dh_params(); 9618 DH *ret = NULL; 9619 9620 if (!TEST_ptr(dhpkey)) 9621 return NULL; 9622 9623 /* 9624 * libssl does not free the returned DH, so we free it now knowing that even 9625 * after we free dhpkey, there will still be a reference to the owning 9626 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length 9627 * of time we need it for. 9628 */ 9629 ret = EVP_PKEY_get1_DH(dhpkey); 9630 DH_free(ret); 9631 9632 EVP_PKEY_free(dhpkey); 9633 9634 return ret; 9635 } 9636 # endif 9637 9638 /* 9639 * Test the various methods for setting temporary DH parameters 9640 * 9641 * Test 0: Default (no auto) setting 9642 * Test 1: Explicit SSL_CTX auto off 9643 * Test 2: Explicit SSL auto off 9644 * Test 3: Explicit SSL_CTX auto on 9645 * Test 4: Explicit SSL auto on 9646 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY 9647 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY 9648 * 9649 * The following are testing deprecated APIs, so we only run them if available 9650 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH 9651 * Test 8: Explicit SSL auto off, custom DH params via DH 9652 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback 9653 * Test 10: Explicit SSL auto off, custom DH params via callback 9654 */ 9655 static int test_set_tmp_dh(int idx) 9656 { 9657 SSL_CTX *cctx = NULL, *sctx = NULL; 9658 SSL *clientssl = NULL, *serverssl = NULL; 9659 int testresult = 0; 9660 int dhauto = (idx == 3 || idx == 4) ? 1 : 0; 9661 int expected = (idx <= 2) ? 0 : 1; 9662 EVP_PKEY *dhpkey = NULL; 9663 # ifndef OPENSSL_NO_DEPRECATED_3_0 9664 DH *dh = NULL; 9665 # else 9666 9667 if (idx >= 7) 9668 return 1; 9669 # endif 9670 9671 if (idx >= 5 && idx <= 8) { 9672 dhpkey = get_tmp_dh_params(); 9673 if (!TEST_ptr(dhpkey)) 9674 goto end; 9675 } 9676 # ifndef OPENSSL_NO_DEPRECATED_3_0 9677 if (idx == 7 || idx == 8) { 9678 dh = EVP_PKEY_get1_DH(dhpkey); 9679 if (!TEST_ptr(dh)) 9680 goto end; 9681 } 9682 # endif 9683 9684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9685 TLS_client_method(), 9686 0, 9687 0, 9688 &sctx, &cctx, cert, privkey))) 9689 goto end; 9690 9691 if ((idx & 1) == 1) { 9692 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto))) 9693 goto end; 9694 } 9695 9696 if (idx == 5) { 9697 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey))) 9698 goto end; 9699 dhpkey = NULL; 9700 } 9701 # ifndef OPENSSL_NO_DEPRECATED_3_0 9702 else if (idx == 7) { 9703 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh))) 9704 goto end; 9705 } else if (idx == 9) { 9706 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback); 9707 } 9708 # endif 9709 9710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9711 NULL, NULL))) 9712 goto end; 9713 9714 if ((idx & 1) == 0 && idx != 0) { 9715 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto))) 9716 goto end; 9717 } 9718 if (idx == 6) { 9719 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey))) 9720 goto end; 9721 dhpkey = NULL; 9722 } 9723 # ifndef OPENSSL_NO_DEPRECATED_3_0 9724 else if (idx == 8) { 9725 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh))) 9726 goto end; 9727 } else if (idx == 10) { 9728 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback); 9729 } 9730 # endif 9731 9732 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 9733 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 9734 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA"))) 9735 goto end; 9736 9737 /* 9738 * If autoon then we should succeed. Otherwise we expect failure because 9739 * there are no parameters 9740 */ 9741 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 9742 SSL_ERROR_NONE), expected)) 9743 goto end; 9744 9745 testresult = 1; 9746 9747 end: 9748 # ifndef OPENSSL_NO_DEPRECATED_3_0 9749 DH_free(dh); 9750 # endif 9751 SSL_free(serverssl); 9752 SSL_free(clientssl); 9753 SSL_CTX_free(sctx); 9754 SSL_CTX_free(cctx); 9755 EVP_PKEY_free(dhpkey); 9756 9757 return testresult; 9758 } 9759 9760 /* 9761 * Test the auto DH keys are appropriately sized 9762 */ 9763 static int test_dh_auto(int idx) 9764 { 9765 SSL_CTX *cctx = NULL, *sctx = NULL; 9766 SSL *clientssl = NULL, *serverssl = NULL; 9767 int testresult = 0; 9768 EVP_PKEY *tmpkey = NULL; 9769 char *thiscert = NULL, *thiskey = NULL; 9770 size_t expdhsize = 0; 9771 const char *ciphersuite = "DHE-RSA-AES128-SHA"; 9772 9773 switch (idx) { 9774 case 0: 9775 /* The FIPS provider doesn't support this DH size - so we ignore it */ 9776 if (is_fips) 9777 return 1; 9778 thiscert = cert1024; 9779 thiskey = privkey1024; 9780 expdhsize = 1024; 9781 break; 9782 case 1: 9783 /* 2048 bit prime */ 9784 thiscert = cert; 9785 thiskey = privkey; 9786 expdhsize = 2048; 9787 break; 9788 case 2: 9789 thiscert = cert3072; 9790 thiskey = privkey3072; 9791 expdhsize = 3072; 9792 break; 9793 case 3: 9794 thiscert = cert4096; 9795 thiskey = privkey4096; 9796 expdhsize = 4096; 9797 break; 9798 case 4: 9799 thiscert = cert8192; 9800 thiskey = privkey8192; 9801 expdhsize = 8192; 9802 break; 9803 /* No certificate cases */ 9804 case 5: 9805 /* The FIPS provider doesn't support this DH size - so we ignore it */ 9806 if (is_fips) 9807 return 1; 9808 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0"; 9809 expdhsize = 1024; 9810 break; 9811 case 6: 9812 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0"; 9813 expdhsize = 3072; 9814 break; 9815 default: 9816 TEST_error("Invalid text index"); 9817 goto end; 9818 } 9819 9820 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9821 TLS_client_method(), 9822 0, 9823 0, 9824 &sctx, &cctx, thiscert, thiskey))) 9825 goto end; 9826 9827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 9828 NULL, NULL))) 9829 goto end; 9830 9831 if (!TEST_true(SSL_set_dh_auto(serverssl, 1)) 9832 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 9833 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 9834 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite)) 9835 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite))) 9836 goto end; 9837 9838 /* 9839 * Send the server's first flight. At this point the server has created the 9840 * temporary DH key but hasn't finished using it yet. Once used it is 9841 * removed, so we cannot test it. 9842 */ 9843 if (!TEST_int_le(SSL_connect(clientssl), 0) 9844 || !TEST_int_le(SSL_accept(serverssl), 0)) 9845 goto end; 9846 9847 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0)) 9848 goto end; 9849 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize)) 9850 goto end; 9851 9852 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9853 goto end; 9854 9855 testresult = 1; 9856 9857 end: 9858 SSL_free(serverssl); 9859 SSL_free(clientssl); 9860 SSL_CTX_free(sctx); 9861 SSL_CTX_free(cctx); 9862 EVP_PKEY_free(tmpkey); 9863 9864 return testresult; 9865 9866 } 9867 # endif /* OPENSSL_NO_DH */ 9868 #endif /* OPENSSL_NO_TLS1_2 */ 9869 9870 #ifndef OSSL_NO_USABLE_TLS1_3 9871 /* 9872 * Test that setting an SNI callback works with TLSv1.3. Specifically we check 9873 * that it works even without a certificate configured for the original 9874 * SSL_CTX 9875 */ 9876 static int test_sni_tls13(void) 9877 { 9878 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; 9879 SSL *clientssl = NULL, *serverssl = NULL; 9880 int testresult = 0; 9881 9882 /* Reset callback counter */ 9883 snicb = 0; 9884 9885 /* Create an initial SSL_CTX with no certificate configured */ 9886 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 9887 if (!TEST_ptr(sctx)) 9888 goto end; 9889 /* Require TLSv1.3 as a minimum */ 9890 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9891 TLS_client_method(), TLS1_3_VERSION, 0, 9892 &sctx2, &cctx, cert, privkey))) 9893 goto end; 9894 9895 /* Set up SNI */ 9896 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) 9897 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) 9898 goto end; 9899 9900 /* 9901 * Connection should still succeed because the final SSL_CTX has the right 9902 * certificates configured. 9903 */ 9904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 9905 &clientssl, NULL, NULL)) 9906 || !TEST_true(create_ssl_connection(serverssl, clientssl, 9907 SSL_ERROR_NONE))) 9908 goto end; 9909 9910 /* We should have had the SNI callback called exactly once */ 9911 if (!TEST_int_eq(snicb, 1)) 9912 goto end; 9913 9914 testresult = 1; 9915 9916 end: 9917 SSL_free(serverssl); 9918 SSL_free(clientssl); 9919 SSL_CTX_free(sctx2); 9920 SSL_CTX_free(sctx); 9921 SSL_CTX_free(cctx); 9922 return testresult; 9923 } 9924 9925 /* 9926 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week 9927 * 0 = TLSv1.2 9928 * 1 = TLSv1.3 9929 */ 9930 static int test_ticket_lifetime(int idx) 9931 { 9932 SSL_CTX *cctx = NULL, *sctx = NULL; 9933 SSL *clientssl = NULL, *serverssl = NULL; 9934 int testresult = 0; 9935 int version = TLS1_3_VERSION; 9936 9937 #define ONE_WEEK_SEC (7 * 24 * 60 * 60) 9938 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) 9939 9940 if (idx == 0) { 9941 #ifdef OPENSSL_NO_TLS1_2 9942 return TEST_skip("TLS 1.2 is disabled."); 9943 #else 9944 version = TLS1_2_VERSION; 9945 #endif 9946 } 9947 9948 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9949 TLS_client_method(), version, version, 9950 &sctx, &cctx, cert, privkey))) 9951 goto end; 9952 9953 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 9954 &clientssl, NULL, NULL))) 9955 goto end; 9956 9957 /* 9958 * Set the timeout to be more than 1 week 9959 * make sure the returned value is the default 9960 */ 9961 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), 9962 SSL_get_default_timeout(serverssl))) 9963 goto end; 9964 9965 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9966 goto end; 9967 9968 if (idx == 0) { 9969 /* TLSv1.2 uses the set value */ 9970 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) 9971 goto end; 9972 } else { 9973 /* TLSv1.3 uses the limited value */ 9974 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) 9975 goto end; 9976 } 9977 testresult = 1; 9978 9979 end: 9980 SSL_free(serverssl); 9981 SSL_free(clientssl); 9982 SSL_CTX_free(sctx); 9983 SSL_CTX_free(cctx); 9984 return testresult; 9985 } 9986 #endif 9987 /* 9988 * Test that setting an ALPN does not violate RFC 9989 */ 9990 static int test_set_alpn(void) 9991 { 9992 SSL_CTX *ctx = NULL; 9993 SSL *ssl = NULL; 9994 int testresult = 0; 9995 9996 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' }; 9997 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' }; 9998 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' }; 9999 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00}; 10000 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'}; 10001 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'}; 10002 10003 /* Create an initial SSL_CTX with no certificate configured */ 10004 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10005 if (!TEST_ptr(ctx)) 10006 goto end; 10007 10008 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */ 10009 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))) 10010 goto end; 10011 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))) 10012 goto end; 10013 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good)))) 10014 goto end; 10015 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))) 10016 goto end; 10017 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))) 10018 goto end; 10019 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))) 10020 goto end; 10021 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))) 10022 goto end; 10023 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))) 10024 goto end; 10025 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4)))) 10026 goto end; 10027 10028 ssl = SSL_new(ctx); 10029 if (!TEST_ptr(ssl)) 10030 goto end; 10031 10032 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))) 10033 goto end; 10034 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0))) 10035 goto end; 10036 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good)))) 10037 goto end; 10038 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1))) 10039 goto end; 10040 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))) 10041 goto end; 10042 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))) 10043 goto end; 10044 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))) 10045 goto end; 10046 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))) 10047 goto end; 10048 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4)))) 10049 goto end; 10050 10051 testresult = 1; 10052 10053 end: 10054 SSL_free(ssl); 10055 SSL_CTX_free(ctx); 10056 return testresult; 10057 } 10058 10059 /* 10060 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store. 10061 */ 10062 static int test_set_verify_cert_store_ssl_ctx(void) 10063 { 10064 SSL_CTX *ctx = NULL; 10065 int testresult = 0; 10066 X509_STORE *store = NULL, *new_store = NULL, 10067 *cstore = NULL, *new_cstore = NULL; 10068 10069 /* Create an initial SSL_CTX. */ 10070 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10071 if (!TEST_ptr(ctx)) 10072 goto end; 10073 10074 /* Retrieve verify store pointer. */ 10075 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10076 goto end; 10077 10078 /* Retrieve chain store pointer. */ 10079 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10080 goto end; 10081 10082 /* We haven't set any yet, so this should be NULL. */ 10083 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10084 goto end; 10085 10086 /* Create stores. We use separate stores so pointers are different. */ 10087 new_store = X509_STORE_new(); 10088 if (!TEST_ptr(new_store)) 10089 goto end; 10090 10091 new_cstore = X509_STORE_new(); 10092 if (!TEST_ptr(new_cstore)) 10093 goto end; 10094 10095 /* Set stores. */ 10096 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))) 10097 goto end; 10098 10099 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore))) 10100 goto end; 10101 10102 /* Should be able to retrieve the same pointer. */ 10103 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10104 goto end; 10105 10106 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10107 goto end; 10108 10109 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 10110 goto end; 10111 10112 /* Should be able to unset again. */ 10113 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))) 10114 goto end; 10115 10116 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL))) 10117 goto end; 10118 10119 /* Should now be NULL. */ 10120 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 10121 goto end; 10122 10123 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 10124 goto end; 10125 10126 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10127 goto end; 10128 10129 testresult = 1; 10130 10131 end: 10132 X509_STORE_free(new_store); 10133 X509_STORE_free(new_cstore); 10134 SSL_CTX_free(ctx); 10135 return testresult; 10136 } 10137 10138 /* 10139 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store. 10140 */ 10141 static int test_set_verify_cert_store_ssl(void) 10142 { 10143 SSL_CTX *ctx = NULL; 10144 SSL *ssl = NULL; 10145 int testresult = 0; 10146 X509_STORE *store = NULL, *new_store = NULL, 10147 *cstore = NULL, *new_cstore = NULL; 10148 10149 /* Create an initial SSL_CTX. */ 10150 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10151 if (!TEST_ptr(ctx)) 10152 goto end; 10153 10154 /* Create an SSL object. */ 10155 ssl = SSL_new(ctx); 10156 if (!TEST_ptr(ssl)) 10157 goto end; 10158 10159 /* Retrieve verify store pointer. */ 10160 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10161 goto end; 10162 10163 /* Retrieve chain store pointer. */ 10164 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10165 goto end; 10166 10167 /* We haven't set any yet, so this should be NULL. */ 10168 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10169 goto end; 10170 10171 /* Create stores. We use separate stores so pointers are different. */ 10172 new_store = X509_STORE_new(); 10173 if (!TEST_ptr(new_store)) 10174 goto end; 10175 10176 new_cstore = X509_STORE_new(); 10177 if (!TEST_ptr(new_cstore)) 10178 goto end; 10179 10180 /* Set stores. */ 10181 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))) 10182 goto end; 10183 10184 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore))) 10185 goto end; 10186 10187 /* Should be able to retrieve the same pointer. */ 10188 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10189 goto end; 10190 10191 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10192 goto end; 10193 10194 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 10195 goto end; 10196 10197 /* Should be able to unset again. */ 10198 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))) 10199 goto end; 10200 10201 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL))) 10202 goto end; 10203 10204 /* Should now be NULL. */ 10205 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 10206 goto end; 10207 10208 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 10209 goto end; 10210 10211 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 10212 goto end; 10213 10214 testresult = 1; 10215 10216 end: 10217 X509_STORE_free(new_store); 10218 X509_STORE_free(new_cstore); 10219 SSL_free(ssl); 10220 SSL_CTX_free(ctx); 10221 return testresult; 10222 } 10223 10224 10225 static int test_inherit_verify_param(void) 10226 { 10227 int testresult = 0; 10228 10229 SSL_CTX *ctx = NULL; 10230 X509_VERIFY_PARAM *cp = NULL; 10231 SSL *ssl = NULL; 10232 X509_VERIFY_PARAM *sp = NULL; 10233 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; 10234 10235 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 10236 if (!TEST_ptr(ctx)) 10237 goto end; 10238 10239 cp = SSL_CTX_get0_param(ctx); 10240 if (!TEST_ptr(cp)) 10241 goto end; 10242 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0)) 10243 goto end; 10244 10245 X509_VERIFY_PARAM_set_hostflags(cp, hostflags); 10246 10247 ssl = SSL_new(ctx); 10248 if (!TEST_ptr(ssl)) 10249 goto end; 10250 10251 sp = SSL_get0_param(ssl); 10252 if (!TEST_ptr(sp)) 10253 goto end; 10254 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags)) 10255 goto end; 10256 10257 testresult = 1; 10258 10259 end: 10260 SSL_free(ssl); 10261 SSL_CTX_free(ctx); 10262 10263 return testresult; 10264 } 10265 10266 static int test_load_dhfile(void) 10267 { 10268 #ifndef OPENSSL_NO_DH 10269 int testresult = 0; 10270 10271 SSL_CTX *ctx = NULL; 10272 SSL_CONF_CTX *cctx = NULL; 10273 10274 if (dhfile == NULL) 10275 return 1; 10276 10277 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method())) 10278 || !TEST_ptr(cctx = SSL_CONF_CTX_new())) 10279 goto end; 10280 10281 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); 10282 SSL_CONF_CTX_set_flags(cctx, 10283 SSL_CONF_FLAG_CERTIFICATE 10284 | SSL_CONF_FLAG_SERVER 10285 | SSL_CONF_FLAG_FILE); 10286 10287 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2)) 10288 goto end; 10289 10290 testresult = 1; 10291 end: 10292 SSL_CONF_CTX_free(cctx); 10293 SSL_CTX_free(ctx); 10294 10295 return testresult; 10296 #else 10297 return TEST_skip("DH not supported by this build"); 10298 #endif 10299 } 10300 10301 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) 10302 /* 10303 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not 10304 * support this yet. The only pipeline capable cipher that we have is in the 10305 * dasync engine (providers don't support this yet), so we have to use 10306 * deprecated APIs for this test. 10307 * 10308 * Test 0: Client has pipelining enabled, server does not 10309 * Test 1: Server has pipelining enabled, client does not 10310 * Test 2: Client has pipelining enabled, server does not: not enough data to 10311 * fill all the pipelines 10312 * Test 3: Client has pipelining enabled, server does not: not enough data to 10313 * fill all the pipelines by more than a full pipeline's worth 10314 * Test 4: Client has pipelining enabled, server does not: more data than all 10315 * the available pipelines can take 10316 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline 10317 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX 10318 * is created) 10319 */ 10320 static int test_pipelining(int idx) 10321 { 10322 SSL_CTX *cctx = NULL, *sctx = NULL; 10323 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb; 10324 int testresult = 0, numreads; 10325 /* A 55 byte message */ 10326 unsigned char *msg = (unsigned char *) 10327 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123"; 10328 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5; 10329 size_t expectedreads; 10330 unsigned char *buf = NULL; 10331 ENGINE *e = NULL; 10332 10333 if (idx != 6) { 10334 e = load_dasync(); 10335 if (e == NULL) 10336 return 0; 10337 } 10338 10339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10340 TLS_client_method(), 0, 10341 TLS1_2_VERSION, &sctx, &cctx, cert, 10342 privkey))) 10343 goto end; 10344 10345 if (idx == 6) { 10346 e = load_dasync(); 10347 if (e == NULL) 10348 goto end; 10349 /* Now act like test 0 */ 10350 idx = 0; 10351 } 10352 10353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 10354 &clientssl, NULL, NULL))) 10355 goto end; 10356 10357 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA"))) 10358 goto end; 10359 10360 /* peera is always configured for pipelining, while peerb is not. */ 10361 if (idx == 1) { 10362 peera = serverssl; 10363 peerb = clientssl; 10364 10365 } else { 10366 peera = clientssl; 10367 peerb = serverssl; 10368 } 10369 10370 if (idx == 5) { 10371 numpipes = 2; 10372 /* Maximum allowed fragment size */ 10373 fragsize = SSL3_RT_MAX_PLAIN_LENGTH; 10374 msglen = fragsize * numpipes; 10375 msg = OPENSSL_malloc(msglen); 10376 if (!TEST_ptr(msg)) 10377 goto end; 10378 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0)) 10379 goto end; 10380 } else if (idx == 4) { 10381 msglen = 55; 10382 } else { 10383 msglen = 50; 10384 } 10385 if (idx == 2) 10386 msglen -= 2; /* Send 2 less bytes */ 10387 else if (idx == 3) 10388 msglen -= 12; /* Send 12 less bytes */ 10389 10390 buf = OPENSSL_malloc(msglen); 10391 if (!TEST_ptr(buf)) 10392 goto end; 10393 10394 if (idx == 5) { 10395 /* 10396 * Test that setting a split send fragment longer than the maximum 10397 * allowed fails 10398 */ 10399 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1))) 10400 goto end; 10401 } 10402 10403 /* 10404 * In the normal case. We have 5 pipelines with 10 bytes per pipeline 10405 * (50 bytes in total). This is a ridiculously small number of bytes - 10406 * but sufficient for our purposes 10407 */ 10408 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes)) 10409 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize))) 10410 goto end; 10411 10412 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10413 goto end; 10414 10415 /* Write some data from peera to peerb */ 10416 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written)) 10417 || !TEST_size_t_eq(written, msglen)) 10418 goto end; 10419 10420 /* 10421 * If the pipelining code worked, then we expect all |numpipes| pipelines to 10422 * have been used - except in test 3 where only |numpipes - 1| pipelines 10423 * will be used. This will result in |numpipes| records (|numpipes - 1| for 10424 * test 3) having been sent to peerb. Since peerb is not using read_ahead we 10425 * expect this to be read in |numpipes| or |numpipes - 1| separate 10426 * SSL_read_ex calls. In the case of test 4, there is then one additional 10427 * read for left over data that couldn't fit in the previous pipelines 10428 */ 10429 for (offset = 0, numreads = 0; 10430 offset < msglen; 10431 offset += readbytes, numreads++) { 10432 if (!TEST_true(SSL_read_ex(peerb, buf + offset, 10433 msglen - offset, &readbytes))) 10434 goto end; 10435 } 10436 10437 expectedreads = idx == 4 ? numpipes + 1 10438 : (idx == 3 ? numpipes - 1 : numpipes); 10439 if (!TEST_mem_eq(msg, msglen, buf, offset) 10440 || !TEST_int_eq(numreads, expectedreads)) 10441 goto end; 10442 10443 /* 10444 * Write some data from peerb to peera. We do this in up to |numpipes + 1| 10445 * chunks to exercise the read pipelining code on peera. 10446 */ 10447 for (offset = 0; offset < msglen; offset += fragsize) { 10448 size_t sendlen = msglen - offset; 10449 10450 if (sendlen > fragsize) 10451 sendlen = fragsize; 10452 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written)) 10453 || !TEST_size_t_eq(written, sendlen)) 10454 goto end; 10455 } 10456 10457 /* 10458 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1| 10459 * separate chunks (depending on which test we are running). If the 10460 * pipelining is working then we expect peera to read up to numpipes chunks 10461 * and process them in parallel, giving back the complete result in a single 10462 * call to SSL_read_ex 10463 */ 10464 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes)) 10465 || !TEST_size_t_le(readbytes, msglen)) 10466 goto end; 10467 10468 if (idx == 4) { 10469 size_t readbytes2; 10470 10471 if (!TEST_true(SSL_read_ex(peera, buf + readbytes, 10472 msglen - readbytes, &readbytes2))) 10473 goto end; 10474 readbytes += readbytes2; 10475 if (!TEST_size_t_le(readbytes, msglen)) 10476 goto end; 10477 } 10478 10479 if (!TEST_mem_eq(msg, msglen, buf, readbytes)) 10480 goto end; 10481 10482 testresult = 1; 10483 end: 10484 SSL_free(serverssl); 10485 SSL_free(clientssl); 10486 SSL_CTX_free(sctx); 10487 SSL_CTX_free(cctx); 10488 if (e != NULL) { 10489 ENGINE_unregister_ciphers(e); 10490 ENGINE_finish(e); 10491 ENGINE_free(e); 10492 } 10493 OPENSSL_free(buf); 10494 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH) 10495 OPENSSL_free(msg); 10496 return testresult; 10497 } 10498 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */ 10499 10500 /* 10501 * Force a write retry during handshaking. We test various combinations of 10502 * scenarios. We test a large certificate message which will fill the buffering 10503 * BIO used in the handshake. We try with client auth on and off. Finally we 10504 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented 10505 * to indicate retry via -1 - but sometimes BIOs don't do that. 10506 * 10507 * Test 0: Standard certificate message 10508 * Test 1: Large certificate message 10509 * Test 2: Standard cert, verify peer 10510 * Test 3: Large cert, verify peer 10511 * Test 4: Standard cert, BIO returns 0 on retry 10512 * Test 5: Large cert, BIO returns 0 on retry 10513 * Test 6: Standard cert, verify peer, BIO returns 0 on retry 10514 * Test 7: Large cert, verify peer, BIO returns 0 on retry 10515 * Test 8-15: Repeat of above with TLSv1.2 10516 */ 10517 static int test_handshake_retry(int idx) 10518 { 10519 SSL_CTX *cctx = NULL, *sctx = NULL; 10520 SSL *clientssl = NULL, *serverssl = NULL; 10521 int testresult = 0; 10522 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry()); 10523 int maxversion = 0; 10524 10525 if (!TEST_ptr(bretry)) 10526 goto end; 10527 10528 #ifndef OPENSSL_NO_TLS1_2 10529 if ((idx & 8) == 8) 10530 maxversion = TLS1_2_VERSION; 10531 #else 10532 if ((idx & 8) == 8) 10533 return TEST_skip("No TLSv1.2"); 10534 #endif 10535 10536 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10537 TLS_client_method(), 0, maxversion, 10538 &sctx, &cctx, cert, privkey))) 10539 goto end; 10540 10541 /* 10542 * Add a large amount of data to fill the buffering BIO used by the SSL 10543 * object 10544 */ 10545 if ((idx & 1) == 1 && !add_large_cert_chain(sctx)) 10546 goto end; 10547 10548 /* 10549 * We don't actually configure a client cert, but neither do we fail if one 10550 * isn't present. 10551 */ 10552 if ((idx & 2) == 2) 10553 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL); 10554 10555 if ((idx & 4) == 4) 10556 set_always_retry_err_val(0); 10557 10558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 10559 &clientssl, NULL, NULL))) 10560 goto end; 10561 10562 tmp = SSL_get_wbio(serverssl); 10563 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { 10564 tmp = NULL; 10565 goto end; 10566 } 10567 SSL_set0_wbio(serverssl, bretry); 10568 bretry = NULL; 10569 10570 if (!TEST_int_eq(SSL_connect(clientssl), -1)) 10571 goto end; 10572 10573 if (!TEST_int_eq(SSL_accept(serverssl), -1) 10574 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE)) 10575 goto end; 10576 10577 /* Restore a BIO that will let the write succeed */ 10578 SSL_set0_wbio(serverssl, tmp); 10579 tmp = NULL; 10580 10581 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10582 goto end; 10583 10584 testresult = 1; 10585 end: 10586 SSL_free(serverssl); 10587 SSL_free(clientssl); 10588 SSL_CTX_free(sctx); 10589 SSL_CTX_free(cctx); 10590 BIO_free(bretry); 10591 BIO_free(tmp); 10592 set_always_retry_err_val(-1); 10593 return testresult; 10594 } 10595 10596 struct resume_servername_cb_data { 10597 int i; 10598 SSL_CTX *cctx; 10599 SSL_CTX *sctx; 10600 SSL_SESSION *sess; 10601 int recurse; 10602 }; 10603 10604 /* 10605 * Servername callback. We use it here to run another complete handshake using 10606 * the same session - and mark the session as not_resuamble at the end 10607 */ 10608 static int resume_servername_cb(SSL *s, int *ad, void *arg) 10609 { 10610 struct resume_servername_cb_data *cbdata = arg; 10611 SSL *serverssl = NULL, *clientssl = NULL; 10612 int ret = SSL_TLSEXT_ERR_ALERT_FATAL; 10613 10614 if (cbdata->recurse) 10615 return SSL_TLSEXT_ERR_ALERT_FATAL; 10616 10617 if ((cbdata->i % 3) != 1) 10618 return SSL_TLSEXT_ERR_OK; 10619 10620 cbdata->recurse = 1; 10621 10622 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl, 10623 &clientssl, NULL, NULL)) 10624 || !TEST_true(SSL_set_session(clientssl, cbdata->sess))) 10625 goto end; 10626 10627 ERR_set_mark(); 10628 /* 10629 * We expect this to fail - because the servername cb will fail. This will 10630 * mark the session as not_resumable. 10631 */ 10632 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) { 10633 ERR_clear_last_mark(); 10634 goto end; 10635 } 10636 ERR_pop_to_mark(); 10637 10638 ret = SSL_TLSEXT_ERR_OK; 10639 end: 10640 SSL_free(serverssl); 10641 SSL_free(clientssl); 10642 cbdata->recurse = 0; 10643 return ret; 10644 } 10645 10646 /* 10647 * Test multiple resumptions and cache size handling 10648 * Test 0: TLSv1.3 (max_early_data set) 10649 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) 10650 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) 10651 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes) 10652 * Test 4: TLSv1.2 10653 */ 10654 static int test_multi_resume(int idx) 10655 { 10656 SSL_CTX *sctx = NULL, *cctx = NULL; 10657 SSL *serverssl = NULL, *clientssl = NULL; 10658 SSL_SESSION *sess = NULL; 10659 int max_version = TLS1_3_VERSION; 10660 int i, testresult = 0; 10661 struct resume_servername_cb_data cbdata; 10662 10663 #if defined(OPENSSL_NO_TLS1_2) 10664 if (idx == 4) 10665 return TEST_skip("TLSv1.2 is disabled in this build"); 10666 #else 10667 if (idx == 4) 10668 max_version = TLS1_2_VERSION; 10669 #endif 10670 #if defined(OSSL_NO_USABLE_TLS1_3) 10671 if (idx != 4) 10672 return TEST_skip("No usable TLSv1.3 in this build"); 10673 #endif 10674 10675 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10676 TLS_client_method(), TLS1_VERSION, 10677 max_version, &sctx, &cctx, cert, 10678 privkey))) 10679 goto end; 10680 10681 /* 10682 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for 10683 * replay protection), or if SSL_OP_NO_TICKET is in use 10684 */ 10685 if (idx == 0 || idx == 2) { 10686 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) 10687 goto end; 10688 } 10689 if (idx == 1 || idx == 2 || idx == 3) 10690 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); 10691 10692 SSL_CTX_sess_set_cache_size(sctx, 5); 10693 10694 if (idx == 3) { 10695 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb); 10696 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata); 10697 cbdata.cctx = cctx; 10698 cbdata.sctx = sctx; 10699 cbdata.recurse = 0; 10700 } 10701 10702 for (i = 0; i < 30; i++) { 10703 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10704 NULL, NULL)) 10705 || !TEST_true(SSL_set_session(clientssl, sess))) 10706 goto end; 10707 10708 /* 10709 * Check simultaneous resumes. We pause the connection part way through 10710 * the handshake by (mis)using the servername_cb. The pause occurs after 10711 * session resumption has already occurred, but before any session 10712 * tickets have been issued. While paused we run another complete 10713 * handshake resuming the same session. 10714 */ 10715 if (idx == 3) { 10716 cbdata.i = i; 10717 cbdata.sess = sess; 10718 } 10719 10720 /* 10721 * Recreate a bug where dynamically changing the max_early_data value 10722 * can cause sessions in the session cache which cannot be deleted. 10723 */ 10724 if ((idx == 0 || idx == 2) && (i % 3) == 2) 10725 SSL_set_max_early_data(serverssl, 0); 10726 10727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10728 goto end; 10729 10730 if (sess == NULL || (idx == 0 && (i % 3) == 2)) { 10731 if (!TEST_false(SSL_session_reused(clientssl))) 10732 goto end; 10733 } else { 10734 if (!TEST_true(SSL_session_reused(clientssl))) 10735 goto end; 10736 } 10737 SSL_SESSION_free(sess); 10738 10739 /* Do a full handshake, followed by two resumptions */ 10740 if ((i % 3) == 2) { 10741 sess = NULL; 10742 } else { 10743 if (!TEST_ptr((sess = SSL_get1_session(clientssl)))) 10744 goto end; 10745 } 10746 10747 SSL_shutdown(clientssl); 10748 SSL_shutdown(serverssl); 10749 SSL_free(serverssl); 10750 SSL_free(clientssl); 10751 serverssl = clientssl = NULL; 10752 } 10753 10754 /* We should never exceed the session cache size limit */ 10755 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5)) 10756 goto end; 10757 10758 testresult = 1; 10759 end: 10760 SSL_free(serverssl); 10761 SSL_free(clientssl); 10762 SSL_CTX_free(sctx); 10763 SSL_CTX_free(cctx); 10764 SSL_SESSION_free(sess); 10765 return testresult; 10766 } 10767 10768 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") 10769 10770 int setup_tests(void) 10771 { 10772 char *modulename; 10773 char *configfile; 10774 10775 libctx = OSSL_LIB_CTX_new(); 10776 if (!TEST_ptr(libctx)) 10777 return 0; 10778 10779 defctxnull = OSSL_PROVIDER_load(NULL, "null"); 10780 10781 /* 10782 * Verify that the default and fips providers in the default libctx are not 10783 * available 10784 */ 10785 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) 10786 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) 10787 return 0; 10788 10789 if (!test_skip_common_options()) { 10790 TEST_error("Error parsing test options\n"); 10791 return 0; 10792 } 10793 10794 if (!TEST_ptr(certsdir = test_get_argument(0)) 10795 || !TEST_ptr(srpvfile = test_get_argument(1)) 10796 || !TEST_ptr(tmpfilename = test_get_argument(2)) 10797 || !TEST_ptr(modulename = test_get_argument(3)) 10798 || !TEST_ptr(configfile = test_get_argument(4)) 10799 || !TEST_ptr(dhfile = test_get_argument(5))) 10800 return 0; 10801 10802 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile))) 10803 return 0; 10804 10805 /* Check we have the expected provider available */ 10806 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename))) 10807 return 0; 10808 10809 /* Check the default provider is not available */ 10810 if (strcmp(modulename, "default") != 0 10811 && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) 10812 return 0; 10813 10814 if (strcmp(modulename, "fips") == 0) 10815 is_fips = 1; 10816 10817 /* 10818 * We add, but don't load the test "tls-provider". We'll load it when we 10819 * need it. 10820 */ 10821 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider", 10822 tls_provider_init))) 10823 return 0; 10824 10825 10826 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { 10827 #ifdef OPENSSL_NO_CRYPTO_MDEBUG 10828 TEST_error("not supported in this build"); 10829 return 0; 10830 #else 10831 int i, mcount, rcount, fcount; 10832 10833 for (i = 0; i < 4; i++) 10834 test_export_key_mat(i); 10835 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount); 10836 test_printf_stdout("malloc %d realloc %d free %d\n", 10837 mcount, rcount, fcount); 10838 return 1; 10839 #endif 10840 } 10841 10842 cert = test_mk_file_path(certsdir, "servercert.pem"); 10843 if (cert == NULL) 10844 goto err; 10845 10846 privkey = test_mk_file_path(certsdir, "serverkey.pem"); 10847 if (privkey == NULL) 10848 goto err; 10849 10850 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem"); 10851 if (cert2 == NULL) 10852 goto err; 10853 10854 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem"); 10855 if (privkey2 == NULL) 10856 goto err; 10857 10858 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem"); 10859 if (cert1024 == NULL) 10860 goto err; 10861 10862 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem"); 10863 if (privkey1024 == NULL) 10864 goto err; 10865 10866 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem"); 10867 if (cert3072 == NULL) 10868 goto err; 10869 10870 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem"); 10871 if (privkey3072 == NULL) 10872 goto err; 10873 10874 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem"); 10875 if (cert4096 == NULL) 10876 goto err; 10877 10878 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem"); 10879 if (privkey4096 == NULL) 10880 goto err; 10881 10882 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem"); 10883 if (cert8192 == NULL) 10884 goto err; 10885 10886 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem"); 10887 if (privkey8192 == NULL) 10888 goto err; 10889 10890 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) 10891 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 10892 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); 10893 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS); 10894 # endif 10895 #endif 10896 ADD_TEST(test_large_message_tls); 10897 ADD_TEST(test_large_message_tls_read_ahead); 10898 #ifndef OPENSSL_NO_DTLS 10899 ADD_TEST(test_large_message_dtls); 10900 #endif 10901 ADD_ALL_TESTS(test_large_app_data, 28); 10902 ADD_TEST(test_cleanse_plaintext); 10903 #ifndef OPENSSL_NO_OCSP 10904 ADD_TEST(test_tlsext_status_type); 10905 #endif 10906 ADD_TEST(test_session_with_only_int_cache); 10907 ADD_TEST(test_session_with_only_ext_cache); 10908 ADD_TEST(test_session_with_both_cache); 10909 ADD_TEST(test_session_wo_ca_names); 10910 #ifndef OSSL_NO_USABLE_TLS1_3 10911 ADD_ALL_TESTS(test_stateful_tickets, 3); 10912 ADD_ALL_TESTS(test_stateless_tickets, 3); 10913 ADD_TEST(test_psk_tickets); 10914 ADD_ALL_TESTS(test_extra_tickets, 6); 10915 #endif 10916 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS); 10917 ADD_TEST(test_ssl_bio_pop_next_bio); 10918 ADD_TEST(test_ssl_bio_pop_ssl_bio); 10919 ADD_TEST(test_ssl_bio_change_rbio); 10920 ADD_TEST(test_ssl_bio_change_wbio); 10921 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 10922 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); 10923 ADD_TEST(test_keylog); 10924 #endif 10925 #ifndef OSSL_NO_USABLE_TLS1_3 10926 ADD_TEST(test_keylog_no_master_key); 10927 #endif 10928 ADD_TEST(test_client_cert_verify_cb); 10929 ADD_TEST(test_ssl_build_cert_chain); 10930 ADD_TEST(test_ssl_ctx_build_cert_chain); 10931 #ifndef OPENSSL_NO_TLS1_2 10932 ADD_TEST(test_client_hello_cb); 10933 ADD_TEST(test_no_ems); 10934 ADD_TEST(test_ccs_change_cipher); 10935 #endif 10936 #ifndef OSSL_NO_USABLE_TLS1_3 10937 ADD_ALL_TESTS(test_early_data_read_write, 6); 10938 /* 10939 * We don't do replay tests for external PSK. Replay protection isn't used 10940 * in that scenario. 10941 */ 10942 ADD_ALL_TESTS(test_early_data_replay, 2); 10943 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3); 10944 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3); 10945 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3); 10946 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3); 10947 ADD_ALL_TESTS(test_early_data_not_sent, 3); 10948 ADD_ALL_TESTS(test_early_data_psk, 8); 10949 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5); 10950 ADD_ALL_TESTS(test_early_data_not_expected, 3); 10951 # ifndef OPENSSL_NO_TLS1_2 10952 ADD_ALL_TESTS(test_early_data_tls1_2, 3); 10953 # endif 10954 #endif 10955 #ifndef OSSL_NO_USABLE_TLS1_3 10956 ADD_ALL_TESTS(test_set_ciphersuite, 10); 10957 ADD_TEST(test_ciphersuite_change); 10958 ADD_ALL_TESTS(test_tls13_ciphersuite, 4); 10959 # ifdef OPENSSL_NO_PSK 10960 ADD_ALL_TESTS(test_tls13_psk, 1); 10961 # else 10962 ADD_ALL_TESTS(test_tls13_psk, 4); 10963 # endif /* OPENSSL_NO_PSK */ 10964 # ifndef OPENSSL_NO_TLS1_2 10965 /* Test with both TLSv1.3 and 1.2 versions */ 10966 ADD_ALL_TESTS(test_key_exchange, 14); 10967 # if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) 10968 ADD_ALL_TESTS(test_negotiated_group, 10969 4 * (OSSL_NELEM(ecdhe_kexch_groups) 10970 + OSSL_NELEM(ffdhe_kexch_groups))); 10971 # endif 10972 # else 10973 /* Test with only TLSv1.3 versions */ 10974 ADD_ALL_TESTS(test_key_exchange, 12); 10975 # endif 10976 ADD_ALL_TESTS(test_custom_exts, 6); 10977 ADD_TEST(test_stateless); 10978 ADD_TEST(test_pha_key_update); 10979 #else 10980 ADD_ALL_TESTS(test_custom_exts, 3); 10981 #endif 10982 ADD_ALL_TESTS(test_export_key_mat, 6); 10983 #ifndef OSSL_NO_USABLE_TLS1_3 10984 ADD_ALL_TESTS(test_export_key_mat_early, 3); 10985 ADD_TEST(test_key_update); 10986 ADD_ALL_TESTS(test_key_update_peer_in_write, 2); 10987 ADD_ALL_TESTS(test_key_update_peer_in_read, 2); 10988 ADD_ALL_TESTS(test_key_update_local_in_write, 2); 10989 ADD_ALL_TESTS(test_key_update_local_in_read, 2); 10990 #endif 10991 ADD_ALL_TESTS(test_ssl_clear, 2); 10992 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); 10993 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) 10994 ADD_ALL_TESTS(test_srp, 6); 10995 #endif 10996 ADD_ALL_TESTS(test_info_callback, 6); 10997 ADD_ALL_TESTS(test_ssl_pending, 2); 10998 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); 10999 ADD_ALL_TESTS(test_ticket_callbacks, 20); 11000 ADD_ALL_TESTS(test_shutdown, 7); 11001 ADD_ALL_TESTS(test_incorrect_shutdown, 2); 11002 ADD_ALL_TESTS(test_cert_cb, 6); 11003 ADD_ALL_TESTS(test_client_cert_cb, 2); 11004 ADD_ALL_TESTS(test_ca_names, 3); 11005 #ifndef OPENSSL_NO_TLS1_2 11006 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); 11007 #endif 11008 ADD_ALL_TESTS(test_servername, 10); 11009 #if !defined(OPENSSL_NO_EC) \ 11010 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 11011 ADD_ALL_TESTS(test_sigalgs_available, 6); 11012 #endif 11013 #ifndef OPENSSL_NO_TLS1_3 11014 ADD_ALL_TESTS(test_pluggable_group, 2); 11015 #endif 11016 #ifndef OPENSSL_NO_TLS1_2 11017 ADD_TEST(test_ssl_dup); 11018 # ifndef OPENSSL_NO_DH 11019 ADD_ALL_TESTS(test_set_tmp_dh, 11); 11020 ADD_ALL_TESTS(test_dh_auto, 7); 11021 # endif 11022 #endif 11023 #ifndef OSSL_NO_USABLE_TLS1_3 11024 ADD_TEST(test_sni_tls13); 11025 ADD_ALL_TESTS(test_ticket_lifetime, 2); 11026 #endif 11027 ADD_TEST(test_inherit_verify_param); 11028 ADD_TEST(test_set_alpn); 11029 ADD_TEST(test_set_verify_cert_store_ssl_ctx); 11030 ADD_TEST(test_set_verify_cert_store_ssl); 11031 ADD_ALL_TESTS(test_session_timeout, 1); 11032 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 11033 ADD_ALL_TESTS(test_session_cache_overflow, 4); 11034 #endif 11035 ADD_TEST(test_load_dhfile); 11036 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) 11037 ADD_ALL_TESTS(test_serverinfo_custom, 4); 11038 #endif 11039 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) 11040 ADD_ALL_TESTS(test_pipelining, 7); 11041 #endif 11042 ADD_ALL_TESTS(test_handshake_retry, 16); 11043 ADD_ALL_TESTS(test_multi_resume, 5); 11044 return 1; 11045 11046 err: 11047 OPENSSL_free(cert); 11048 OPENSSL_free(privkey); 11049 OPENSSL_free(cert2); 11050 OPENSSL_free(privkey2); 11051 return 0; 11052 } 11053 11054 void cleanup_tests(void) 11055 { 11056 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH) 11057 EVP_PKEY_free(tmp_dh_params); 11058 #endif 11059 OPENSSL_free(cert); 11060 OPENSSL_free(privkey); 11061 OPENSSL_free(cert2); 11062 OPENSSL_free(privkey2); 11063 OPENSSL_free(cert1024); 11064 OPENSSL_free(privkey1024); 11065 OPENSSL_free(cert3072); 11066 OPENSSL_free(privkey3072); 11067 OPENSSL_free(cert4096); 11068 OPENSSL_free(privkey4096); 11069 OPENSSL_free(cert8192); 11070 OPENSSL_free(privkey8192); 11071 bio_s_mempacket_test_free(); 11072 bio_s_always_retry_free(); 11073 OSSL_PROVIDER_unload(defctxnull); 11074 OSSL_LIB_CTX_free(libctx); 11075 } 11076