VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.7/test/sslapitest.c@ 105945

最後變更 在這個檔案從105945是 105945,由 vboxsync 提交於 2 月 前

openssl-3.1.7: Applied and adjusted our OpenSSL changes to 3.1.7. bugref:10757
檔案大小: 384.0 KB
 
1/*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
18#include <stdio.h>
19#include <string.h>
20
21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
25#include <openssl/ocsp.h>
26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
28#include <openssl/aes.h>
29#include <openssl/rand.h>
30#include <openssl/core_names.h>
31#include <openssl/core_dispatch.h>
32#include <openssl/provider.h>
33#include <openssl/param_build.h>
34#include <openssl/x509v3.h>
35#include <openssl/dh.h>
36#include <openssl/engine.h>
37
38#include "helpers/ssltestlib.h"
39#include "testutil.h"
40#include "testutil/output.h"
41#include "internal/nelem.h"
42#include "internal/ktls.h"
43#include "../ssl/ssl_local.h"
44#include "filterprov.h"
45
46#undef OSSL_NO_USABLE_TLS1_3
47#if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49/*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53# define OSSL_NO_USABLE_TLS1_3
54#endif
55
56/* Defined in tls-provider.c */
57int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
61
62static OSSL_LIB_CTX *libctx = NULL;
63static OSSL_PROVIDER *defctxnull = NULL;
64
65#ifndef OSSL_NO_USABLE_TLS1_3
66
67static SSL_SESSION *clientpsk = NULL;
68static SSL_SESSION *serverpsk = NULL;
69static const char *pskid = "Identity";
70static const char *srvid;
71
72static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77static int use_session_cb_cnt = 0;
78static int find_session_cb_cnt = 0;
79
80static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81#endif
82
83static char *certsdir = NULL;
84static char *cert = NULL;
85static char *privkey = NULL;
86static char *cert2 = NULL;
87static char *privkey2 = NULL;
88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
98static char *dhfile = NULL;
99
100static int is_fips = 0;
101static int fips_ems_check = 0;
102
103#define LOG_BUFFER_SIZE 2048
104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
105static size_t server_log_buffer_index = 0;
106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107static size_t client_log_buffer_index = 0;
108static int error_writing_log = 0;
109
110#ifndef OPENSSL_NO_OCSP
111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
117#endif
118
119#define NUM_EXTRA_CERTS 40
120#define CLIENT_VERSION_LEN 2
121
122/*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
129 unsigned int client_early_secret_count;
130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
134 unsigned int early_exporter_secret_count;
135 unsigned int exporter_secret_count;
136};
137
138
139static int hostname_cb(SSL *s, int *al, void *arg)
140{
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148}
149
150static void client_keylog_callback(const SSL *ssl, const char *line)
151{
152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
163 client_log_buffer[client_log_buffer_index++] = '\n';
164}
165
166static void server_keylog_callback(const SSL *ssl, const char *line)
167{
168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
172 TEST_info("Server log too full");
173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
179 server_log_buffer[server_log_buffer_index++] = '\n';
180}
181
182static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
185 size_t raw_length)
186{
187 size_t i, j;
188 char hexed[3];
189
190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
191 return 1;
192
193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
194 sprintf(hexed, "%02x", raw[i]);
195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
197 return 1;
198 }
199
200 return 0;
201}
202
203static int test_keylog_output(char *buffer, const SSL *ssl,
204 const SSL_SESSION *session,
205 struct sslapitest_log_counts *expected)
206{
207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
214 unsigned int client_early_secret_count = 0;
215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
219 unsigned int early_exporter_secret_count = 0;
220 unsigned int exporter_secret_count = 0;
221
222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
224 if (strcmp(token, "RSA") == 0) {
225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
230 if (!TEST_ptr(token = strtok(NULL, " \n")))
231 return 0;
232 if (!TEST_size_t_eq(strlen(token), 16))
233 return 0;
234 if (!TEST_ptr(token = strtok(NULL, " \n")))
235 return 0;
236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
251 return 0;
252
253 if (!TEST_ptr(token = strtok(NULL, " \n")))
254 return 0;
255 if (!TEST_size_t_eq(strlen(token), 64))
256 return 0;
257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
260 return 0;
261
262 if (!TEST_ptr(token = strtok(NULL, " \n")))
263 return 0;
264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
267 if (!TEST_size_t_ne(master_key_size, 0))
268 return 0;
269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
272 return 0;
273 master_secret_count++;
274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
280 || strcmp(token, "EXPORTER_SECRET") == 0) {
281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
306 return 0;
307
308 if (!TEST_ptr(token = strtok(NULL, " \n")))
309 return 0;
310 if (!TEST_size_t_eq(strlen(token), 64))
311 return 0;
312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
315 return 0;
316
317 if (!TEST_ptr(token = strtok(NULL, " \n")))
318 return 0;
319 } else {
320 TEST_info("Unexpected token %s\n", token);
321 return 0;
322 }
323 }
324
325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
339 expected->server_application_secret_count)
340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
344 return 0;
345 return 1;
346}
347
348#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
349static int test_keylog(void)
350{
351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
354 struct sslapitest_log_counts expected;
355
356 /* Clean up logging space */
357 memset(&expected, 0, sizeof(expected));
358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
365 TLS_client_method(),
366 TLS1_VERSION, 0,
367 &sctx, &cctx, cert, privkey)))
368 return 0;
369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
374 /* We also want to ensure that we use RSA-based key exchange. */
375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
376 goto end;
377
378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
380 goto end;
381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
384 goto end;
385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
388 goto end;
389
390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
398 goto end;
399
400 /*
401 * Now we want to test that our output data was vaguely sensible. We
402 * do that by using strtok and confirming that we have more or less the
403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see an RSA key exchange.
405 */
406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
410 goto end;
411
412 expected.rsa_key_exchange_count = 0;
413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
415 goto end;
416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
427#endif
428
429#ifndef OSSL_NO_USABLE_TLS1_3
430static int test_keylog_no_master_key(void)
431{
432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
434 SSL_SESSION *sess = NULL;
435 int testresult = 0;
436 struct sslapitest_log_counts expected;
437 unsigned char buf[1];
438 size_t readbytes, written;
439
440 /* Clean up logging space */
441 memset(&expected, 0, sizeof(expected));
442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
452 SSL3_RT_MAX_PLAIN_LENGTH)))
453 return 0;
454
455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
457 goto end;
458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
462 goto end;
463
464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
467 goto end;
468
469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
475 goto end;
476
477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
480 * TLSv1.3, but we do expect both client and server to emit keys.
481 */
482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
486 expected.exporter_secret_count = 1;
487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
492 goto end;
493
494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
525 expected.early_exporter_secret_count = 1;
526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
533 testresult = 1;
534
535end:
536 SSL_SESSION_free(sess);
537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
546static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547{
548 int res = X509_verify_cert(ctx);
549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
562 return res;
563}
564
565static int test_client_cert_verify_cb(void)
566{
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621end:
622 X509_free(crt1);
623 X509_free(crt2);
624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
644static int test_ssl_build_cert_chain(void)
645{
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671}
672
673static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674{
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682}
683
684static int test_ssl_ctx_build_cert_chain(void)
685{
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709}
710
711#ifndef OPENSSL_NO_TLS1_2
712static int full_client_hello_callback(SSL *s, int *al, void *arg)
713{
714 int *ctr = arg;
715 const unsigned char *p;
716 int *exts;
717 /* We only configure two ciphers, but the SCSV is added automatically. */
718#ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720#else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723#endif
724 const int expected_extensions[] = {
725#ifndef OPENSSL_NO_EC
726 11, 10,
727#endif
728 35, 22, 23, 13};
729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
733 return SSL_CLIENT_HELLO_RETRY;
734
735 len = SSL_client_hello_get0_ciphers(s, &p);
736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
739 || !TEST_int_eq(*p, 0))
740 return SSL_CLIENT_HELLO_ERROR;
741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
742 return SSL_CLIENT_HELLO_ERROR;
743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
745 printf("ClientHello callback expected extensions mismatch\n");
746 OPENSSL_free(exts);
747 return SSL_CLIENT_HELLO_ERROR;
748 }
749 OPENSSL_free(exts);
750 return SSL_CLIENT_HELLO_SUCCESS;
751}
752
753static int test_client_hello_cb(void)
754{
755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
761 &sctx, &cctx, cert, privkey)))
762 goto end;
763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
764
765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
767
768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
782 goto end;
783
784 testresult = 1;
785
786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0, status;
800
801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
816 if (fips_ems_check) {
817 if (status == 1) {
818 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
819 goto end;
820 }
821 } else {
822 if (!status) {
823 printf("Creating SSL connection failed\n");
824 goto end;
825 }
826 if (SSL_get_extms_support(serverssl)) {
827 printf("Server reports Extended Master Secret support\n");
828 goto end;
829 }
830 if (SSL_get_extms_support(clientssl)) {
831 printf("Client reports Extended Master Secret support\n");
832 goto end;
833 }
834 }
835 testresult = 1;
836
837end:
838 SSL_free(serverssl);
839 SSL_free(clientssl);
840 SSL_CTX_free(sctx);
841 SSL_CTX_free(cctx);
842
843 return testresult;
844}
845
846/*
847 * Very focused test to exercise a single case in the server-side state
848 * machine, when the ChangeCipherState message needs to actually change
849 * from one cipher to a different cipher (i.e., not changing from null
850 * encryption to real encryption).
851 */
852static int test_ccs_change_cipher(void)
853{
854 SSL_CTX *cctx = NULL, *sctx = NULL;
855 SSL *clientssl = NULL, *serverssl = NULL;
856 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
857 int testresult = 0;
858 int i;
859 unsigned char buf;
860 size_t readbytes;
861
862 /*
863 * Create a connection so we can resume and potentially (but not) use
864 * a different cipher in the second connection.
865 */
866 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
867 TLS_client_method(),
868 TLS1_VERSION, TLS1_2_VERSION,
869 &sctx, &cctx, cert, privkey))
870 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
872 NULL, NULL))
873 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
874 || !TEST_true(create_ssl_connection(serverssl, clientssl,
875 SSL_ERROR_NONE))
876 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
877 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
878 goto end;
879
880 shutdown_ssl_connection(serverssl, clientssl);
881 serverssl = clientssl = NULL;
882
883 /* Resume, preferring a different cipher. Our server will force the
884 * same cipher to be used as the initial handshake. */
885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
886 NULL, NULL))
887 || !TEST_true(SSL_set_session(clientssl, sess))
888 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
889 || !TEST_true(create_ssl_connection(serverssl, clientssl,
890 SSL_ERROR_NONE))
891 || !TEST_true(SSL_session_reused(clientssl))
892 || !TEST_true(SSL_session_reused(serverssl))
893 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
894 || !TEST_ptr_eq(sesspre, sesspost)
895 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
896 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
897 goto end;
898 shutdown_ssl_connection(serverssl, clientssl);
899 serverssl = clientssl = NULL;
900
901 /*
902 * Now create a fresh connection and try to renegotiate a different
903 * cipher on it.
904 */
905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
906 NULL, NULL))
907 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
909 SSL_ERROR_NONE))
910 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
911 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
912 || !TEST_true(SSL_renegotiate(clientssl))
913 || !TEST_true(SSL_renegotiate_pending(clientssl)))
914 goto end;
915 /* Actually drive the renegotiation. */
916 for (i = 0; i < 3; i++) {
917 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
925 if (!TEST_ulong_eq(readbytes, 0))
926 goto end;
927 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
928 SSL_ERROR_WANT_READ)) {
929 goto end;
930 }
931 }
932 /* sesspre and sesspost should be different since the cipher changed. */
933 if (!TEST_false(SSL_renegotiate_pending(clientssl))
934 || !TEST_false(SSL_session_reused(clientssl))
935 || !TEST_false(SSL_session_reused(serverssl))
936 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
937 || !TEST_ptr_ne(sesspre, sesspost)
938 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
939 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
940 goto end;
941
942 shutdown_ssl_connection(serverssl, clientssl);
943 serverssl = clientssl = NULL;
944
945 testresult = 1;
946
947end:
948 SSL_free(serverssl);
949 SSL_free(clientssl);
950 SSL_CTX_free(sctx);
951 SSL_CTX_free(cctx);
952 SSL_SESSION_free(sess);
953
954 return testresult;
955}
956#endif
957
958static int add_large_cert_chain(SSL_CTX *sctx)
959{
960 BIO *certbio = NULL;
961 X509 *chaincert = NULL;
962 int certlen;
963 int ret = 0;
964 int i;
965
966 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
967 goto end;
968
969 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
970 goto end;
971
972 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
973 goto end;
974 BIO_free(certbio);
975 certbio = NULL;
976
977 /*
978 * We assume the supplied certificate is big enough so that if we add
979 * NUM_EXTRA_CERTS it will make the overall message large enough. The
980 * default buffer size is requested to be 16k, but due to the way BUF_MEM
981 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
982 * test we need to have a message larger than that.
983 */
984 certlen = i2d_X509(chaincert, NULL);
985 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
986 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
987 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
988 if (!X509_up_ref(chaincert))
989 goto end;
990 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
991 X509_free(chaincert);
992 goto end;
993 }
994 }
995
996 ret = 1;
997 end:
998 BIO_free(certbio);
999 X509_free(chaincert);
1000 return ret;
1001}
1002
1003static int execute_test_large_message(const SSL_METHOD *smeth,
1004 const SSL_METHOD *cmeth,
1005 int min_version, int max_version,
1006 int read_ahead)
1007{
1008 SSL_CTX *cctx = NULL, *sctx = NULL;
1009 SSL *clientssl = NULL, *serverssl = NULL;
1010 int testresult = 0;
1011
1012 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1013 max_version, &sctx, &cctx, cert,
1014 privkey)))
1015 goto end;
1016
1017#ifdef OPENSSL_NO_DTLS1_2
1018 if (smeth == DTLS_server_method()) {
1019 /*
1020 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1021 * level 0
1022 */
1023 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1024 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1025 "DEFAULT:@SECLEVEL=0")))
1026 goto end;
1027 }
1028#endif
1029
1030 if (read_ahead) {
1031 /*
1032 * Test that read_ahead works correctly when dealing with large
1033 * records
1034 */
1035 SSL_CTX_set_read_ahead(cctx, 1);
1036 }
1037
1038 if (!add_large_cert_chain(sctx))
1039 goto end;
1040
1041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1042 NULL, NULL))
1043 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1044 SSL_ERROR_NONE)))
1045 goto end;
1046
1047 /*
1048 * Calling SSL_clear() first is not required but this tests that SSL_clear()
1049 * doesn't leak.
1050 */
1051 if (!TEST_true(SSL_clear(serverssl)))
1052 goto end;
1053
1054 testresult = 1;
1055 end:
1056 SSL_free(serverssl);
1057 SSL_free(clientssl);
1058 SSL_CTX_free(sctx);
1059 SSL_CTX_free(cctx);
1060
1061 return testresult;
1062}
1063
1064#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1065 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1066/* sock must be connected */
1067static int ktls_chk_platform(int sock)
1068{
1069 if (!ktls_enable(sock))
1070 return 0;
1071 return 1;
1072}
1073
1074static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1075{
1076 static char count = 1;
1077 unsigned char cbuf[16000] = {0};
1078 unsigned char sbuf[16000];
1079 size_t err = 0;
1080 char crec_wseq_before[SEQ_NUM_SIZE];
1081 char crec_wseq_after[SEQ_NUM_SIZE];
1082 char crec_rseq_before[SEQ_NUM_SIZE];
1083 char crec_rseq_after[SEQ_NUM_SIZE];
1084 char srec_wseq_before[SEQ_NUM_SIZE];
1085 char srec_wseq_after[SEQ_NUM_SIZE];
1086 char srec_rseq_before[SEQ_NUM_SIZE];
1087 char srec_rseq_after[SEQ_NUM_SIZE];
1088
1089 cbuf[0] = count++;
1090 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1091 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1092 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1093 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1094
1095 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1096 goto end;
1097
1098 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1099 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1100 goto end;
1101 }
1102 }
1103
1104 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1105 goto end;
1106
1107 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1108 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1109 goto end;
1110 }
1111 }
1112
1113 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1114 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1115 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1116 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1117
1118 /* verify the payload */
1119 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1120 goto end;
1121
1122 /*
1123 * If ktls is used then kernel sequences are used instead of
1124 * OpenSSL sequences
1125 */
1126 if (!BIO_get_ktls_send(clientssl->wbio)) {
1127 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1128 crec_wseq_after, SEQ_NUM_SIZE))
1129 goto end;
1130 } else {
1131 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1132 crec_wseq_after, SEQ_NUM_SIZE))
1133 goto end;
1134 }
1135
1136 if (!BIO_get_ktls_send(serverssl->wbio)) {
1137 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1138 srec_wseq_after, SEQ_NUM_SIZE))
1139 goto end;
1140 } else {
1141 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1142 srec_wseq_after, SEQ_NUM_SIZE))
1143 goto end;
1144 }
1145
1146 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1147 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1148 crec_rseq_after, SEQ_NUM_SIZE))
1149 goto end;
1150 } else {
1151 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1152 crec_rseq_after, SEQ_NUM_SIZE))
1153 goto end;
1154 }
1155
1156 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1157 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1158 srec_rseq_after, SEQ_NUM_SIZE))
1159 goto end;
1160 } else {
1161 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1162 srec_rseq_after, SEQ_NUM_SIZE))
1163 goto end;
1164 }
1165
1166 return 1;
1167end:
1168 return 0;
1169}
1170
1171static int execute_test_ktls(int cis_ktls, int sis_ktls,
1172 int tls_version, const char *cipher)
1173{
1174 SSL_CTX *cctx = NULL, *sctx = NULL;
1175 SSL *clientssl = NULL, *serverssl = NULL;
1176 int ktls_used = 0, testresult = 0;
1177 int cfd = -1, sfd = -1;
1178 int rx_supported;
1179
1180 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1181 goto end;
1182
1183 /* Skip this test if the platform does not support ktls */
1184 if (!ktls_chk_platform(cfd)) {
1185 testresult = TEST_skip("Kernel does not support KTLS");
1186 goto end;
1187 }
1188
1189 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1190 testresult = TEST_skip("CHACHA is not supported in FIPS");
1191 goto end;
1192 }
1193
1194 /* Create a session based on SHA-256 */
1195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1196 TLS_client_method(),
1197 tls_version, tls_version,
1198 &sctx, &cctx, cert, privkey)))
1199 goto end;
1200
1201 if (tls_version == TLS1_3_VERSION) {
1202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1203 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1204 goto end;
1205 } else {
1206 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1207 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1208 goto end;
1209 }
1210
1211 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1212 &clientssl, sfd, cfd)))
1213 goto end;
1214
1215 if (cis_ktls) {
1216 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1217 goto end;
1218 }
1219
1220 if (sis_ktls) {
1221 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1222 goto end;
1223 }
1224
1225 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1226 goto end;
1227
1228 /*
1229 * The running kernel may not support a given cipher suite
1230 * or direction, so just check that KTLS isn't used when it
1231 * isn't enabled.
1232 */
1233 if (!cis_ktls) {
1234 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1235 goto end;
1236 } else {
1237 if (BIO_get_ktls_send(clientssl->wbio))
1238 ktls_used = 1;
1239 }
1240
1241 if (!sis_ktls) {
1242 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1243 goto end;
1244 } else {
1245 if (BIO_get_ktls_send(serverssl->wbio))
1246 ktls_used = 1;
1247 }
1248
1249#if defined(OPENSSL_NO_KTLS_RX)
1250 rx_supported = 0;
1251#else
1252 rx_supported = (tls_version != TLS1_3_VERSION);
1253#endif
1254 if (!cis_ktls || !rx_supported) {
1255 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1256 goto end;
1257 } else {
1258 if (BIO_get_ktls_send(clientssl->rbio))
1259 ktls_used = 1;
1260 }
1261
1262 if (!sis_ktls || !rx_supported) {
1263 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1264 goto end;
1265 } else {
1266 if (BIO_get_ktls_send(serverssl->rbio))
1267 ktls_used = 1;
1268 }
1269
1270 if ((cis_ktls || sis_ktls) && !ktls_used) {
1271 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1272 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1273 "TLS 1.2", cipher);
1274 goto end;
1275 }
1276
1277 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1278 goto end;
1279
1280 testresult = 1;
1281end:
1282 if (clientssl) {
1283 SSL_shutdown(clientssl);
1284 SSL_free(clientssl);
1285 }
1286 if (serverssl) {
1287 SSL_shutdown(serverssl);
1288 SSL_free(serverssl);
1289 }
1290 SSL_CTX_free(sctx);
1291 SSL_CTX_free(cctx);
1292 serverssl = clientssl = NULL;
1293 if (cfd != -1)
1294 close(cfd);
1295 if (sfd != -1)
1296 close(sfd);
1297 return testresult;
1298}
1299
1300#define SENDFILE_SZ (16 * 4096)
1301#define SENDFILE_CHUNK (4 * 4096)
1302#define min(a,b) ((a) > (b) ? (b) : (a))
1303
1304static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
1310 int cfd = -1, sfd = -1, ffd, err;
1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
1315
1316 buf = OPENSSL_zalloc(SENDFILE_SZ);
1317 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1318 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1319 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1320 goto end;
1321
1322 /* Skip this test if the platform does not support ktls */
1323 if (!ktls_chk_platform(sfd)) {
1324 testresult = TEST_skip("Kernel does not support KTLS");
1325 goto end;
1326 }
1327
1328 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1329 testresult = TEST_skip("CHACHA is not supported in FIPS");
1330 goto end;
1331 }
1332
1333 /* Create a session based on SHA-256 */
1334 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1335 TLS_client_method(),
1336 tls_version, tls_version,
1337 &sctx, &cctx, cert, privkey)))
1338 goto end;
1339
1340 if (tls_version == TLS1_3_VERSION) {
1341 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1342 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1343 goto end;
1344 } else {
1345 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1346 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1347 goto end;
1348 }
1349
1350 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1351 &clientssl, sfd, cfd)))
1352 goto end;
1353
1354 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1355 goto end;
1356
1357 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1358 SSL_ERROR_NONE)))
1359 goto end;
1360
1361 if (!BIO_get_ktls_send(serverssl->wbio)) {
1362 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1363 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1364 "TLS 1.2", cipher);
1365 goto end;
1366 }
1367
1368 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1369 goto end;
1370
1371 out = BIO_new_file(tmpfilename, "wb");
1372 if (!TEST_ptr(out))
1373 goto end;
1374
1375 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1376 goto end;
1377
1378 BIO_free(out);
1379 out = NULL;
1380 in = BIO_new_file(tmpfilename, "rb");
1381 BIO_get_fp(in, &ffdp);
1382 ffd = fileno(ffdp);
1383
1384 while (chunk_off < SENDFILE_SZ) {
1385 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1386 while ((err = SSL_sendfile(serverssl,
1387 ffd,
1388 chunk_off,
1389 chunk_size,
1390 0)) != chunk_size) {
1391 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1392 goto end;
1393 }
1394 while ((err = SSL_read(clientssl,
1395 buf_dst + chunk_off,
1396 chunk_size)) != chunk_size) {
1397 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1398 goto end;
1399 }
1400
1401 /* verify the payload */
1402 if (!TEST_mem_eq(buf_dst + chunk_off,
1403 chunk_size,
1404 buf + chunk_off,
1405 chunk_size))
1406 goto end;
1407
1408 chunk_off += chunk_size;
1409 }
1410
1411 testresult = 1;
1412end:
1413 if (clientssl) {
1414 SSL_shutdown(clientssl);
1415 SSL_free(clientssl);
1416 }
1417 if (serverssl) {
1418 SSL_shutdown(serverssl);
1419 SSL_free(serverssl);
1420 }
1421 SSL_CTX_free(sctx);
1422 SSL_CTX_free(cctx);
1423 serverssl = clientssl = NULL;
1424 BIO_free(out);
1425 BIO_free(in);
1426 if (cfd != -1)
1427 close(cfd);
1428 if (sfd != -1)
1429 close(sfd);
1430 OPENSSL_free(buf);
1431 OPENSSL_free(buf_dst);
1432 return testresult;
1433}
1434
1435static struct ktls_test_cipher {
1436 int tls_version;
1437 const char *cipher;
1438} ktls_test_ciphers[] = {
1439# if !defined(OPENSSL_NO_TLS1_2)
1440# ifdef OPENSSL_KTLS_AES_GCM_128
1441 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1442# endif
1443# ifdef OPENSSL_KTLS_AES_CCM_128
1444 { TLS1_2_VERSION, "AES128-CCM"},
1445# endif
1446# ifdef OPENSSL_KTLS_AES_GCM_256
1447 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1448# endif
1449# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1450# ifndef OPENSSL_NO_EC
1451 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1452# endif
1453# endif
1454# endif
1455# if !defined(OSSL_NO_USABLE_TLS1_3)
1456# ifdef OPENSSL_KTLS_AES_GCM_128
1457 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1458# endif
1459# ifdef OPENSSL_KTLS_AES_CCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1461# endif
1462# ifdef OPENSSL_KTLS_AES_GCM_256
1463 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1464# endif
1465# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1466 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1467# endif
1468# endif
1469};
1470
1471#define NUM_KTLS_TEST_CIPHERS \
1472 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1473
1474static int test_ktls(int test)
1475{
1476 struct ktls_test_cipher *cipher;
1477 int cis_ktls, sis_ktls;
1478
1479 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1480 cipher = &ktls_test_ciphers[test / 4];
1481
1482 cis_ktls = (test & 1) != 0;
1483 sis_ktls = (test & 2) != 0;
1484
1485 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1486 cipher->cipher);
1487}
1488
1489static int test_ktls_sendfile(int tst)
1490{
1491 struct ktls_test_cipher *cipher;
1492
1493 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1494 cipher = &ktls_test_ciphers[tst];
1495
1496 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1497}
1498#endif
1499
1500static int test_large_message_tls(void)
1501{
1502 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1503 TLS1_VERSION, 0, 0);
1504}
1505
1506static int test_large_message_tls_read_ahead(void)
1507{
1508 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1509 TLS1_VERSION, 0, 1);
1510}
1511
1512#ifndef OPENSSL_NO_DTLS
1513static int test_large_message_dtls(void)
1514{
1515# ifdef OPENSSL_NO_DTLS1_2
1516 /* Not supported in the FIPS provider */
1517 if (is_fips)
1518 return 1;
1519# endif
1520 /*
1521 * read_ahead is not relevant to DTLS because DTLS always acts as if
1522 * read_ahead is set.
1523 */
1524 return execute_test_large_message(DTLS_server_method(),
1525 DTLS_client_method(),
1526 DTLS1_VERSION, 0, 0);
1527}
1528#endif
1529
1530/*
1531 * Test we can successfully send the maximum amount of application data. We
1532 * test each protocol version individually, each with and without EtM enabled.
1533 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1534 * simpler this way. We also test all combinations with and without the
1535 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1536 * underlying buffer.
1537 */
1538static int test_large_app_data(int tst)
1539{
1540 SSL_CTX *cctx = NULL, *sctx = NULL;
1541 SSL *clientssl = NULL, *serverssl = NULL;
1542 int testresult = 0, prot;
1543 unsigned char *msg, *buf = NULL;
1544 size_t written, readbytes;
1545 const SSL_METHOD *smeth = TLS_server_method();
1546 const SSL_METHOD *cmeth = TLS_client_method();
1547
1548 switch (tst >> 2) {
1549 case 0:
1550#ifndef OSSL_NO_USABLE_TLS1_3
1551 prot = TLS1_3_VERSION;
1552 break;
1553#else
1554 return 1;
1555#endif
1556
1557 case 1:
1558#ifndef OPENSSL_NO_TLS1_2
1559 prot = TLS1_2_VERSION;
1560 break;
1561#else
1562 return 1;
1563#endif
1564
1565 case 2:
1566#ifndef OPENSSL_NO_TLS1_1
1567 prot = TLS1_1_VERSION;
1568 break;
1569#else
1570 return 1;
1571#endif
1572
1573 case 3:
1574#ifndef OPENSSL_NO_TLS1
1575 prot = TLS1_VERSION;
1576 break;
1577#else
1578 return 1;
1579#endif
1580
1581 case 4:
1582#ifndef OPENSSL_NO_SSL3
1583 prot = SSL3_VERSION;
1584 break;
1585#else
1586 return 1;
1587#endif
1588
1589 case 5:
1590#ifndef OPENSSL_NO_DTLS1_2
1591 prot = DTLS1_2_VERSION;
1592 smeth = DTLS_server_method();
1593 cmeth = DTLS_client_method();
1594 break;
1595#else
1596 return 1;
1597#endif
1598
1599 case 6:
1600#ifndef OPENSSL_NO_DTLS1
1601 prot = DTLS1_VERSION;
1602 smeth = DTLS_server_method();
1603 cmeth = DTLS_client_method();
1604 break;
1605#else
1606 return 1;
1607#endif
1608
1609 default:
1610 /* Shouldn't happen */
1611 return 0;
1612 }
1613
1614 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1615 return 1;
1616
1617 /* Maximal sized message of zeros */
1618 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1619 if (!TEST_ptr(msg))
1620 goto end;
1621
1622 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1623 if (!TEST_ptr(buf))
1624 goto end;
1625 /* Set whole buffer to all bits set */
1626 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1627
1628 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1629 &sctx, &cctx, cert, privkey)))
1630 goto end;
1631
1632 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1633 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1634 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1635 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1636 "DEFAULT:@SECLEVEL=0")))
1637 goto end;
1638 }
1639
1640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1641 &clientssl, NULL, NULL)))
1642 goto end;
1643
1644 if ((tst & 1) != 0) {
1645 /* Setting this option gives us a minimally sized underlying buffer */
1646 if (!TEST_true(SSL_set_options(serverssl,
1647 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1648 || !TEST_true(SSL_set_options(clientssl,
1649 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1650 goto end;
1651 }
1652
1653 if ((tst & 2) != 0) {
1654 /*
1655 * Setting this option means the MAC is added before encryption
1656 * giving us a larger record for the encryption process
1657 */
1658 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1659 || !TEST_true(SSL_set_options(clientssl,
1660 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1661 goto end;
1662 }
1663
1664 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1665 goto end;
1666
1667 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1668 &written))
1669 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1670 goto end;
1671
1672 /* We provide a buffer slightly larger than what we are actually expecting */
1673 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1674 &readbytes)))
1675 goto end;
1676
1677 if (!TEST_mem_eq(msg, written, buf, readbytes))
1678 goto end;
1679
1680 testresult = 1;
1681end:
1682 OPENSSL_free(msg);
1683 OPENSSL_free(buf);
1684 SSL_free(serverssl);
1685 SSL_free(clientssl);
1686 SSL_CTX_free(sctx);
1687 SSL_CTX_free(cctx);
1688 return testresult;
1689}
1690
1691#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1692 || !defined(OPENSSL_NO_DTLS)
1693static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1694 const SSL_METHOD *cmeth,
1695 int min_version, int max_version)
1696{
1697 size_t i;
1698 SSL_CTX *cctx = NULL, *sctx = NULL;
1699 SSL *clientssl = NULL, *serverssl = NULL;
1700 int testresult = 0;
1701 SSL3_RECORD *rr;
1702 void *zbuf;
1703
1704 static unsigned char cbuf[16000];
1705 static unsigned char sbuf[16000];
1706
1707 if (!TEST_true(create_ssl_ctx_pair(libctx,
1708 smeth, cmeth,
1709 min_version, max_version,
1710 &sctx, &cctx, cert,
1711 privkey)))
1712 goto end;
1713
1714# ifdef OPENSSL_NO_DTLS1_2
1715 if (smeth == DTLS_server_method()) {
1716 /* Not supported in the FIPS provider */
1717 if (is_fips) {
1718 testresult = 1;
1719 goto end;
1720 };
1721 /*
1722 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1723 * level 0
1724 */
1725 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1726 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1727 "DEFAULT:@SECLEVEL=0")))
1728 goto end;
1729 }
1730# endif
1731
1732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1733 NULL, NULL)))
1734 goto end;
1735
1736 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1737 goto end;
1738
1739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1740 SSL_ERROR_NONE)))
1741 goto end;
1742
1743 for (i = 0; i < sizeof(cbuf); i++) {
1744 cbuf[i] = i & 0xff;
1745 }
1746
1747 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1748 goto end;
1749
1750 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1751 goto end;
1752
1753 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1754 goto end;
1755
1756 /*
1757 * Since we called SSL_peek(), we know the data in the record
1758 * layer is a plaintext record. We can gather the pointer to check
1759 * for zeroization after SSL_read().
1760 */
1761 rr = serverssl->rlayer.rrec;
1762 zbuf = &rr->data[rr->off];
1763 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1764 goto end;
1765
1766 /*
1767 * After SSL_peek() the plaintext must still be stored in the
1768 * record.
1769 */
1770 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1771 goto end;
1772
1773 memset(sbuf, 0, sizeof(sbuf));
1774 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1775 goto end;
1776
1777 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1778 goto end;
1779
1780 /* Check if rbuf is cleansed */
1781 memset(cbuf, 0, sizeof(cbuf));
1782 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1783 goto end;
1784
1785 testresult = 1;
1786 end:
1787 SSL_free(serverssl);
1788 SSL_free(clientssl);
1789 SSL_CTX_free(sctx);
1790 SSL_CTX_free(cctx);
1791
1792 return testresult;
1793}
1794#endif /*
1795 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1796 * || !defined(OPENSSL_NO_DTLS)
1797 */
1798
1799static int test_cleanse_plaintext(void)
1800{
1801#if !defined(OPENSSL_NO_TLS1_2)
1802 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1803 TLS_client_method(),
1804 TLS1_2_VERSION,
1805 TLS1_2_VERSION)))
1806 return 0;
1807
1808#endif
1809
1810#if !defined(OSSL_NO_USABLE_TLS1_3)
1811 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1812 TLS_client_method(),
1813 TLS1_3_VERSION,
1814 TLS1_3_VERSION)))
1815 return 0;
1816#endif
1817
1818#if !defined(OPENSSL_NO_DTLS)
1819
1820 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1821 DTLS_client_method(),
1822 DTLS1_VERSION,
1823 0)))
1824 return 0;
1825#endif
1826 return 1;
1827}
1828
1829#ifndef OPENSSL_NO_OCSP
1830static int ocsp_server_cb(SSL *s, void *arg)
1831{
1832 int *argi = (int *)arg;
1833 unsigned char *copy = NULL;
1834 STACK_OF(OCSP_RESPID) *ids = NULL;
1835 OCSP_RESPID *id = NULL;
1836
1837 if (*argi == 2) {
1838 /* In this test we are expecting exactly 1 OCSP_RESPID */
1839 SSL_get_tlsext_status_ids(s, &ids);
1840 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1841 return SSL_TLSEXT_ERR_ALERT_FATAL;
1842
1843 id = sk_OCSP_RESPID_value(ids, 0);
1844 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1845 return SSL_TLSEXT_ERR_ALERT_FATAL;
1846 } else if (*argi != 1) {
1847 return SSL_TLSEXT_ERR_ALERT_FATAL;
1848 }
1849
1850 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1851 return SSL_TLSEXT_ERR_ALERT_FATAL;
1852
1853 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1854 sizeof(orespder)))) {
1855 OPENSSL_free(copy);
1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857 }
1858 ocsp_server_called = 1;
1859 return SSL_TLSEXT_ERR_OK;
1860}
1861
1862static int ocsp_client_cb(SSL *s, void *arg)
1863{
1864 int *argi = (int *)arg;
1865 const unsigned char *respderin;
1866 size_t len;
1867
1868 if (*argi != 1 && *argi != 2)
1869 return 0;
1870
1871 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1872 if (!TEST_mem_eq(orespder, len, respderin, len))
1873 return 0;
1874
1875 ocsp_client_called = 1;
1876 return 1;
1877}
1878
1879static int test_tlsext_status_type(void)
1880{
1881 SSL_CTX *cctx = NULL, *sctx = NULL;
1882 SSL *clientssl = NULL, *serverssl = NULL;
1883 int testresult = 0;
1884 STACK_OF(OCSP_RESPID) *ids = NULL;
1885 OCSP_RESPID *id = NULL;
1886 BIO *certbio = NULL;
1887
1888 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1889 TLS1_VERSION, 0,
1890 &sctx, &cctx, cert, privkey))
1891 return 0;
1892
1893 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1894 goto end;
1895
1896 /* First just do various checks getting and setting tlsext_status_type */
1897
1898 clientssl = SSL_new(cctx);
1899 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1900 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1901 TLSEXT_STATUSTYPE_ocsp))
1902 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1903 TLSEXT_STATUSTYPE_ocsp))
1904 goto end;
1905
1906 SSL_free(clientssl);
1907 clientssl = NULL;
1908
1909 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1910 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1911 goto end;
1912
1913 clientssl = SSL_new(cctx);
1914 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1915 goto end;
1916 SSL_free(clientssl);
1917 clientssl = NULL;
1918
1919 /*
1920 * Now actually do a handshake and check OCSP information is exchanged and
1921 * the callbacks get called
1922 */
1923 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1924 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1925 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1926 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1928 &clientssl, NULL, NULL))
1929 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1930 SSL_ERROR_NONE))
1931 || !TEST_true(ocsp_client_called)
1932 || !TEST_true(ocsp_server_called))
1933 goto end;
1934 SSL_free(serverssl);
1935 SSL_free(clientssl);
1936 serverssl = NULL;
1937 clientssl = NULL;
1938
1939 /* Try again but this time force the server side callback to fail */
1940 ocsp_client_called = 0;
1941 ocsp_server_called = 0;
1942 cdummyarg = 0;
1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 /* This should fail because the callback will fail */
1946 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1947 SSL_ERROR_NONE))
1948 || !TEST_false(ocsp_client_called)
1949 || !TEST_false(ocsp_server_called))
1950 goto end;
1951 SSL_free(serverssl);
1952 SSL_free(clientssl);
1953 serverssl = NULL;
1954 clientssl = NULL;
1955
1956 /*
1957 * This time we'll get the client to send an OCSP_RESPID that it will
1958 * accept.
1959 */
1960 ocsp_client_called = 0;
1961 ocsp_server_called = 0;
1962 cdummyarg = 2;
1963 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1964 &clientssl, NULL, NULL)))
1965 goto end;
1966
1967 /*
1968 * We'll just use any old cert for this test - it doesn't have to be an OCSP
1969 * specific one. We'll use the server cert.
1970 */
1971 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1972 || !TEST_ptr(id = OCSP_RESPID_new())
1973 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1974 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1975 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1976 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1977 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1978 goto end;
1979 id = NULL;
1980 SSL_set_tlsext_status_ids(clientssl, ids);
1981 /* Control has been transferred */
1982 ids = NULL;
1983
1984 BIO_free(certbio);
1985 certbio = NULL;
1986
1987 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1988 SSL_ERROR_NONE))
1989 || !TEST_true(ocsp_client_called)
1990 || !TEST_true(ocsp_server_called))
1991 goto end;
1992
1993 testresult = 1;
1994
1995 end:
1996 SSL_free(serverssl);
1997 SSL_free(clientssl);
1998 SSL_CTX_free(sctx);
1999 SSL_CTX_free(cctx);
2000 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2001 OCSP_RESPID_free(id);
2002 BIO_free(certbio);
2003 X509_free(ocspcert);
2004 ocspcert = NULL;
2005
2006 return testresult;
2007}
2008#endif
2009
2010#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2011static int new_called, remove_called, get_called;
2012
2013static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2014{
2015 new_called++;
2016 /*
2017 * sess has been up-refed for us, but we don't actually need it so free it
2018 * immediately.
2019 */
2020 SSL_SESSION_free(sess);
2021 return 1;
2022}
2023
2024static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2025{
2026 remove_called++;
2027}
2028
2029static SSL_SESSION *get_sess_val = NULL;
2030
2031static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2032 int *copy)
2033{
2034 get_called++;
2035 *copy = 1;
2036 return get_sess_val;
2037}
2038
2039static int execute_test_session(int maxprot, int use_int_cache,
2040 int use_ext_cache, long s_options)
2041{
2042 SSL_CTX *sctx = NULL, *cctx = NULL;
2043 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2044 SSL *serverssl2 = NULL, *clientssl2 = NULL;
2045# ifndef OPENSSL_NO_TLS1_1
2046 SSL *serverssl3 = NULL, *clientssl3 = NULL;
2047# endif
2048 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2049 int testresult = 0, numnewsesstick = 1;
2050
2051 new_called = remove_called = 0;
2052
2053 /* TLSv1.3 sends 2 NewSessionTickets */
2054 if (maxprot == TLS1_3_VERSION)
2055 numnewsesstick = 2;
2056
2057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2058 TLS_client_method(), TLS1_VERSION, 0,
2059 &sctx, &cctx, cert, privkey)))
2060 return 0;
2061
2062 /*
2063 * Only allow the max protocol version so we can force a connection failure
2064 * later
2065 */
2066 SSL_CTX_set_min_proto_version(cctx, maxprot);
2067 SSL_CTX_set_max_proto_version(cctx, maxprot);
2068
2069 /* Set up session cache */
2070 if (use_ext_cache) {
2071 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2072 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2073 }
2074 if (use_int_cache) {
2075 /* Also covers instance where both are set */
2076 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2077 } else {
2078 SSL_CTX_set_session_cache_mode(cctx,
2079 SSL_SESS_CACHE_CLIENT
2080 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2081 }
2082
2083 if (s_options) {
2084 SSL_CTX_set_options(sctx, s_options);
2085 }
2086
2087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2088 NULL, NULL))
2089 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2090 SSL_ERROR_NONE))
2091 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2092 goto end;
2093
2094 /* Should fail because it should already be in the cache */
2095 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2096 goto end;
2097 if (use_ext_cache
2098 && (!TEST_int_eq(new_called, numnewsesstick)
2099
2100 || !TEST_int_eq(remove_called, 0)))
2101 goto end;
2102
2103 new_called = remove_called = 0;
2104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2105 &clientssl2, NULL, NULL))
2106 || !TEST_true(SSL_set_session(clientssl2, sess1))
2107 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2108 SSL_ERROR_NONE))
2109 || !TEST_true(SSL_session_reused(clientssl2)))
2110 goto end;
2111
2112 if (maxprot == TLS1_3_VERSION) {
2113 /*
2114 * In TLSv1.3 we should have created a new session even though we have
2115 * resumed. Since we attempted a resume we should also have removed the
2116 * old ticket from the cache so that we try to only use tickets once.
2117 */
2118 if (use_ext_cache
2119 && (!TEST_int_eq(new_called, 1)
2120 || !TEST_int_eq(remove_called, 1)))
2121 goto end;
2122 } else {
2123 /*
2124 * In TLSv1.2 we expect to have resumed so no sessions added or
2125 * removed.
2126 */
2127 if (use_ext_cache
2128 && (!TEST_int_eq(new_called, 0)
2129 || !TEST_int_eq(remove_called, 0)))
2130 goto end;
2131 }
2132
2133 SSL_SESSION_free(sess1);
2134 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2135 goto end;
2136 shutdown_ssl_connection(serverssl2, clientssl2);
2137 serverssl2 = clientssl2 = NULL;
2138
2139 new_called = remove_called = 0;
2140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2141 &clientssl2, NULL, NULL))
2142 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2143 SSL_ERROR_NONE)))
2144 goto end;
2145
2146 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2147 goto end;
2148
2149 if (use_ext_cache
2150 && (!TEST_int_eq(new_called, numnewsesstick)
2151 || !TEST_int_eq(remove_called, 0)))
2152 goto end;
2153
2154 new_called = remove_called = 0;
2155 /*
2156 * This should clear sess2 from the cache because it is a "bad" session.
2157 * See SSL_set_session() documentation.
2158 */
2159 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2160 goto end;
2161 if (use_ext_cache
2162 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2163 goto end;
2164 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2165 goto end;
2166
2167 if (use_int_cache) {
2168 /* Should succeeded because it should not already be in the cache */
2169 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2170 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2171 goto end;
2172 }
2173
2174 new_called = remove_called = 0;
2175 /* This shouldn't be in the cache so should fail */
2176 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2177 goto end;
2178
2179 if (use_ext_cache
2180 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2181 goto end;
2182
2183# if !defined(OPENSSL_NO_TLS1_1)
2184 new_called = remove_called = 0;
2185 /* Force a connection failure */
2186 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2188 &clientssl3, NULL, NULL))
2189 || !TEST_true(SSL_set_session(clientssl3, sess1))
2190 /* This should fail because of the mismatched protocol versions */
2191 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2192 SSL_ERROR_NONE)))
2193 goto end;
2194
2195 /* We should have automatically removed the session from the cache */
2196 if (use_ext_cache
2197 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2198 goto end;
2199
2200 /* Should succeed because it should not already be in the cache */
2201 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2202 goto end;
2203# endif
2204
2205 /* Now do some tests for server side caching */
2206 if (use_ext_cache) {
2207 SSL_CTX_sess_set_new_cb(cctx, NULL);
2208 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2209 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2210 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2211 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2212 get_sess_val = NULL;
2213 }
2214
2215 SSL_CTX_set_session_cache_mode(cctx, 0);
2216 /* Internal caching is the default on the server side */
2217 if (!use_int_cache)
2218 SSL_CTX_set_session_cache_mode(sctx,
2219 SSL_SESS_CACHE_SERVER
2220 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2221
2222 SSL_free(serverssl1);
2223 SSL_free(clientssl1);
2224 serverssl1 = clientssl1 = NULL;
2225 SSL_free(serverssl2);
2226 SSL_free(clientssl2);
2227 serverssl2 = clientssl2 = NULL;
2228 SSL_SESSION_free(sess1);
2229 sess1 = NULL;
2230 SSL_SESSION_free(sess2);
2231 sess2 = NULL;
2232
2233 SSL_CTX_set_max_proto_version(sctx, maxprot);
2234 if (maxprot == TLS1_2_VERSION)
2235 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2236 new_called = remove_called = get_called = 0;
2237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2238 NULL, NULL))
2239 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2240 SSL_ERROR_NONE))
2241 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2242 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2243 goto end;
2244
2245 if (use_int_cache) {
2246 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2247 /*
2248 * In TLSv1.3 it should not have been added to the internal cache,
2249 * except in the case where we also have an external cache (in that
2250 * case it gets added to the cache in order to generate remove
2251 * events after timeout).
2252 */
2253 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2254 goto end;
2255 } else {
2256 /* Should fail because it should already be in the cache */
2257 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2258 goto end;
2259 }
2260 }
2261
2262 if (use_ext_cache) {
2263 SSL_SESSION *tmp = sess2;
2264
2265 if (!TEST_int_eq(new_called, numnewsesstick)
2266 || !TEST_int_eq(remove_called, 0)
2267 || !TEST_int_eq(get_called, 0))
2268 goto end;
2269 /*
2270 * Delete the session from the internal cache to force a lookup from
2271 * the external cache. We take a copy first because
2272 * SSL_CTX_remove_session() also marks the session as non-resumable.
2273 */
2274 if (use_int_cache && maxprot != TLS1_3_VERSION) {
2275 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2276 || !TEST_true(sess2->owner != NULL)
2277 || !TEST_true(tmp->owner == NULL)
2278 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2279 goto end;
2280 SSL_SESSION_free(sess2);
2281 }
2282 sess2 = tmp;
2283 }
2284
2285 new_called = remove_called = get_called = 0;
2286 get_sess_val = sess2;
2287 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2288 &clientssl2, NULL, NULL))
2289 || !TEST_true(SSL_set_session(clientssl2, sess1))
2290 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2291 SSL_ERROR_NONE))
2292 || !TEST_true(SSL_session_reused(clientssl2)))
2293 goto end;
2294
2295 if (use_ext_cache) {
2296 if (!TEST_int_eq(remove_called, 0))
2297 goto end;
2298
2299 if (maxprot == TLS1_3_VERSION) {
2300 if (!TEST_int_eq(new_called, 1)
2301 || !TEST_int_eq(get_called, 0))
2302 goto end;
2303 } else {
2304 if (!TEST_int_eq(new_called, 0)
2305 || !TEST_int_eq(get_called, 1))
2306 goto end;
2307 }
2308 }
2309 /*
2310 * Make a small cache, force out all other sessions but
2311 * sess2, try to add sess1, which should succeed. Then
2312 * make sure it's there by checking the owners. Despite
2313 * the timeouts, sess1 should have kicked out sess2
2314 */
2315
2316 /* Make sess1 expire before sess2 */
2317 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2318 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2319 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2320 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2321 goto end;
2322
2323 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2324 goto end;
2325
2326 /* Don't care about results - cache should only be sess2 at end */
2327 SSL_CTX_add_session(sctx, sess1);
2328 SSL_CTX_add_session(sctx, sess2);
2329
2330 /* Now add sess1, and make sure it remains, despite timeout */
2331 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2332 || !TEST_ptr(sess1->owner)
2333 || !TEST_ptr_null(sess2->owner))
2334 goto end;
2335
2336 testresult = 1;
2337
2338 end:
2339 SSL_free(serverssl1);
2340 SSL_free(clientssl1);
2341 SSL_free(serverssl2);
2342 SSL_free(clientssl2);
2343# ifndef OPENSSL_NO_TLS1_1
2344 SSL_free(serverssl3);
2345 SSL_free(clientssl3);
2346# endif
2347 SSL_SESSION_free(sess1);
2348 SSL_SESSION_free(sess2);
2349 SSL_CTX_free(sctx);
2350 SSL_CTX_free(cctx);
2351
2352 return testresult;
2353}
2354#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2355
2356static int test_session_with_only_int_cache(void)
2357{
2358#ifndef OSSL_NO_USABLE_TLS1_3
2359 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2360 return 0;
2361#endif
2362
2363#ifndef OPENSSL_NO_TLS1_2
2364 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2365#else
2366 return 1;
2367#endif
2368}
2369
2370static int test_session_with_only_ext_cache(void)
2371{
2372#ifndef OSSL_NO_USABLE_TLS1_3
2373 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2374 return 0;
2375#endif
2376
2377#ifndef OPENSSL_NO_TLS1_2
2378 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2379#else
2380 return 1;
2381#endif
2382}
2383
2384static int test_session_with_both_cache(void)
2385{
2386#ifndef OSSL_NO_USABLE_TLS1_3
2387 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2388 return 0;
2389#endif
2390
2391#ifndef OPENSSL_NO_TLS1_2
2392 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2393#else
2394 return 1;
2395#endif
2396}
2397
2398static int test_session_wo_ca_names(void)
2399{
2400#ifndef OSSL_NO_USABLE_TLS1_3
2401 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2402 return 0;
2403#endif
2404
2405#ifndef OPENSSL_NO_TLS1_2
2406 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2407#else
2408 return 1;
2409#endif
2410}
2411
2412#ifndef OSSL_NO_USABLE_TLS1_3
2413static SSL_SESSION *sesscache[6];
2414static int do_cache;
2415
2416static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2417{
2418 if (do_cache) {
2419 sesscache[new_called] = sess;
2420 } else {
2421 /* We don't need the reference to the session, so free it */
2422 SSL_SESSION_free(sess);
2423 }
2424 new_called++;
2425
2426 return 1;
2427}
2428
2429static int post_handshake_verify(SSL *sssl, SSL *cssl)
2430{
2431 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2432 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2433 return 0;
2434
2435 /* Start handshake on the server and client */
2436 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2437 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2438 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2439 || !TEST_true(create_ssl_connection(sssl, cssl,
2440 SSL_ERROR_NONE)))
2441 return 0;
2442
2443 return 1;
2444}
2445
2446static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2447 SSL_CTX **cctx)
2448{
2449 int sess_id_ctx = 1;
2450
2451 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2452 TLS_client_method(), TLS1_VERSION, 0,
2453 sctx, cctx, cert, privkey))
2454 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2455 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2456 (void *)&sess_id_ctx,
2457 sizeof(sess_id_ctx))))
2458 return 0;
2459
2460 if (stateful)
2461 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2462
2463 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2464 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2465 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2466
2467 return 1;
2468}
2469
2470static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2471{
2472 SSL *serverssl = NULL, *clientssl = NULL;
2473 int i;
2474
2475 /* Test that we can resume with all the tickets we got given */
2476 for (i = 0; i < idx * 2; i++) {
2477 new_called = 0;
2478 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2479 &clientssl, NULL, NULL))
2480 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2481 goto end;
2482
2483 SSL_set_post_handshake_auth(clientssl, 1);
2484
2485 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2486 SSL_ERROR_NONE)))
2487 goto end;
2488
2489 /*
2490 * Following a successful resumption we only get 1 ticket. After a
2491 * failed one we should get idx tickets.
2492 */
2493 if (succ) {
2494 if (!TEST_true(SSL_session_reused(clientssl))
2495 || !TEST_int_eq(new_called, 1))
2496 goto end;
2497 } else {
2498 if (!TEST_false(SSL_session_reused(clientssl))
2499 || !TEST_int_eq(new_called, idx))
2500 goto end;
2501 }
2502
2503 new_called = 0;
2504 /* After a post-handshake authentication we should get 1 new ticket */
2505 if (succ
2506 && (!post_handshake_verify(serverssl, clientssl)
2507 || !TEST_int_eq(new_called, 1)))
2508 goto end;
2509
2510 SSL_shutdown(clientssl);
2511 SSL_shutdown(serverssl);
2512 SSL_free(serverssl);
2513 SSL_free(clientssl);
2514 serverssl = clientssl = NULL;
2515 SSL_SESSION_free(sesscache[i]);
2516 sesscache[i] = NULL;
2517 }
2518
2519 return 1;
2520
2521 end:
2522 SSL_free(clientssl);
2523 SSL_free(serverssl);
2524 return 0;
2525}
2526
2527static int test_tickets(int stateful, int idx)
2528{
2529 SSL_CTX *sctx = NULL, *cctx = NULL;
2530 SSL *serverssl = NULL, *clientssl = NULL;
2531 int testresult = 0;
2532 size_t j;
2533
2534 /* idx is the test number, but also the number of tickets we want */
2535
2536 new_called = 0;
2537 do_cache = 1;
2538
2539 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2540 goto end;
2541
2542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2543 &clientssl, NULL, NULL)))
2544 goto end;
2545
2546 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2547 SSL_ERROR_NONE))
2548 /* Check we got the number of tickets we were expecting */
2549 || !TEST_int_eq(idx, new_called))
2550 goto end;
2551
2552 SSL_shutdown(clientssl);
2553 SSL_shutdown(serverssl);
2554 SSL_free(serverssl);
2555 SSL_free(clientssl);
2556 SSL_CTX_free(sctx);
2557 SSL_CTX_free(cctx);
2558 clientssl = serverssl = NULL;
2559 sctx = cctx = NULL;
2560
2561 /*
2562 * Now we try to resume with the tickets we previously created. The
2563 * resumption attempt is expected to fail (because we're now using a new
2564 * SSL_CTX). We should see idx number of tickets issued again.
2565 */
2566
2567 /* Stop caching sessions - just count them */
2568 do_cache = 0;
2569
2570 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2571 goto end;
2572
2573 if (!check_resumption(idx, sctx, cctx, 0))
2574 goto end;
2575
2576 /* Start again with caching sessions */
2577 new_called = 0;
2578 do_cache = 1;
2579 SSL_CTX_free(sctx);
2580 SSL_CTX_free(cctx);
2581 sctx = cctx = NULL;
2582
2583 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2584 goto end;
2585
2586 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2587 &clientssl, NULL, NULL)))
2588 goto end;
2589
2590 SSL_set_post_handshake_auth(clientssl, 1);
2591
2592 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2593 SSL_ERROR_NONE))
2594 /* Check we got the number of tickets we were expecting */
2595 || !TEST_int_eq(idx, new_called))
2596 goto end;
2597
2598 /* After a post-handshake authentication we should get new tickets issued */
2599 if (!post_handshake_verify(serverssl, clientssl)
2600 || !TEST_int_eq(idx * 2, new_called))
2601 goto end;
2602
2603 SSL_shutdown(clientssl);
2604 SSL_shutdown(serverssl);
2605 SSL_free(serverssl);
2606 SSL_free(clientssl);
2607 serverssl = clientssl = NULL;
2608
2609 /* Stop caching sessions - just count them */
2610 do_cache = 0;
2611
2612 /*
2613 * Check we can resume with all the tickets we created. This time around the
2614 * resumptions should all be successful.
2615 */
2616 if (!check_resumption(idx, sctx, cctx, 1))
2617 goto end;
2618
2619 testresult = 1;
2620
2621 end:
2622 SSL_free(serverssl);
2623 SSL_free(clientssl);
2624 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2625 SSL_SESSION_free(sesscache[j]);
2626 sesscache[j] = NULL;
2627 }
2628 SSL_CTX_free(sctx);
2629 SSL_CTX_free(cctx);
2630
2631 return testresult;
2632}
2633
2634static int test_stateless_tickets(int idx)
2635{
2636 return test_tickets(0, idx);
2637}
2638
2639static int test_stateful_tickets(int idx)
2640{
2641 return test_tickets(1, idx);
2642}
2643
2644static int test_psk_tickets(void)
2645{
2646 SSL_CTX *sctx = NULL, *cctx = NULL;
2647 SSL *serverssl = NULL, *clientssl = NULL;
2648 int testresult = 0;
2649 int sess_id_ctx = 1;
2650
2651 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2652 TLS_client_method(), TLS1_VERSION, 0,
2653 &sctx, &cctx, NULL, NULL))
2654 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2655 (void *)&sess_id_ctx,
2656 sizeof(sess_id_ctx))))
2657 goto end;
2658
2659 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2661 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2662 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2663 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2664 use_session_cb_cnt = 0;
2665 find_session_cb_cnt = 0;
2666 srvid = pskid;
2667 new_called = 0;
2668
2669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2670 NULL, NULL)))
2671 goto end;
2672 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2673 if (!TEST_ptr(clientpsk))
2674 goto end;
2675 SSL_SESSION_up_ref(clientpsk);
2676
2677 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2678 SSL_ERROR_NONE))
2679 || !TEST_int_eq(1, find_session_cb_cnt)
2680 || !TEST_int_eq(1, use_session_cb_cnt)
2681 /* We should always get 1 ticket when using external PSK */
2682 || !TEST_int_eq(1, new_called))
2683 goto end;
2684
2685 testresult = 1;
2686
2687 end:
2688 SSL_free(serverssl);
2689 SSL_free(clientssl);
2690 SSL_CTX_free(sctx);
2691 SSL_CTX_free(cctx);
2692 SSL_SESSION_free(clientpsk);
2693 SSL_SESSION_free(serverpsk);
2694 clientpsk = serverpsk = NULL;
2695
2696 return testresult;
2697}
2698
2699static int test_extra_tickets(int idx)
2700{
2701 SSL_CTX *sctx = NULL, *cctx = NULL;
2702 SSL *serverssl = NULL, *clientssl = NULL;
2703 BIO *bretry = BIO_new(bio_s_always_retry());
2704 BIO *tmp = NULL;
2705 int testresult = 0;
2706 int stateful = 0;
2707 size_t nbytes;
2708 unsigned char c, buf[1];
2709
2710 new_called = 0;
2711 do_cache = 1;
2712
2713 if (idx >= 3) {
2714 idx -= 3;
2715 stateful = 1;
2716 }
2717
2718 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2719 goto end;
2720 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2721 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2722 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2723
2724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2725 &clientssl, NULL, NULL)))
2726 goto end;
2727
2728 /*
2729 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2730 * incremented by both client and server.
2731 */
2732 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2733 SSL_ERROR_NONE))
2734 /* Check we got the number of tickets we were expecting */
2735 || !TEST_int_eq(idx * 2, new_called)
2736 || !TEST_true(SSL_new_session_ticket(serverssl))
2737 || !TEST_true(SSL_new_session_ticket(serverssl))
2738 || !TEST_int_eq(idx * 2, new_called))
2739 goto end;
2740
2741 /* Now try a (real) write to actually send the tickets */
2742 c = '1';
2743 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2744 || !TEST_size_t_eq(1, nbytes)
2745 || !TEST_int_eq(idx * 2 + 2, new_called)
2746 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2747 || !TEST_int_eq(idx * 2 + 4, new_called)
2748 || !TEST_int_eq(sizeof(buf), nbytes)
2749 || !TEST_int_eq(c, buf[0])
2750 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2751 goto end;
2752
2753 /* Try with only requesting one new ticket, too */
2754 c = '2';
2755 new_called = 0;
2756 if (!TEST_true(SSL_new_session_ticket(serverssl))
2757 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2758 || !TEST_size_t_eq(sizeof(c), nbytes)
2759 || !TEST_int_eq(1, new_called)
2760 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2761 || !TEST_int_eq(2, new_called)
2762 || !TEST_size_t_eq(sizeof(buf), nbytes)
2763 || !TEST_int_eq(c, buf[0]))
2764 goto end;
2765
2766 /* Do it again but use dummy writes to drive the ticket generation */
2767 c = '3';
2768 new_called = 0;
2769 if (!TEST_true(SSL_new_session_ticket(serverssl))
2770 || !TEST_true(SSL_new_session_ticket(serverssl))
2771 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2772 || !TEST_size_t_eq(0, nbytes)
2773 || !TEST_int_eq(2, new_called)
2774 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2775 || !TEST_int_eq(4, new_called))
2776 goto end;
2777
2778 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2779 c = '4';
2780 new_called = 0;
2781 if (!TEST_true(SSL_new_session_ticket(serverssl))
2782 || !TEST_true(SSL_new_session_ticket(serverssl))
2783 || !TEST_true(SSL_do_handshake(serverssl))
2784 || !TEST_int_eq(2, new_called)
2785 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2786 || !TEST_int_eq(4, new_called))
2787 goto end;
2788
2789 /*
2790 * Use the always-retry BIO to exercise the logic that forces ticket
2791 * generation to wait until a record boundary.
2792 */
2793 c = '5';
2794 new_called = 0;
2795 tmp = SSL_get_wbio(serverssl);
2796 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2797 tmp = NULL;
2798 goto end;
2799 }
2800 SSL_set0_wbio(serverssl, bretry);
2801 bretry = NULL;
2802 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2803 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2804 || !TEST_size_t_eq(nbytes, 0))
2805 goto end;
2806 /* Restore a BIO that will let the write succeed */
2807 SSL_set0_wbio(serverssl, tmp);
2808 tmp = NULL;
2809 /*
2810 * These calls should just queue the request and not send anything
2811 * even if we explicitly try to hit the state machine.
2812 */
2813 if (!TEST_true(SSL_new_session_ticket(serverssl))
2814 || !TEST_true(SSL_new_session_ticket(serverssl))
2815 || !TEST_int_eq(0, new_called)
2816 || !TEST_true(SSL_do_handshake(serverssl))
2817 || !TEST_int_eq(0, new_called))
2818 goto end;
2819 /* Re-do the write; still no tickets sent */
2820 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2821 || !TEST_size_t_eq(1, nbytes)
2822 || !TEST_int_eq(0, new_called)
2823 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2824 || !TEST_int_eq(0, new_called)
2825 || !TEST_int_eq(sizeof(buf), nbytes)
2826 || !TEST_int_eq(c, buf[0])
2827 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2828 goto end;
2829 /* Even trying to hit the state machine now will still not send tickets */
2830 if (!TEST_true(SSL_do_handshake(serverssl))
2831 || !TEST_int_eq(0, new_called))
2832 goto end;
2833 /* Now the *next* write should send the tickets */
2834 c = '6';
2835 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2836 || !TEST_size_t_eq(1, nbytes)
2837 || !TEST_int_eq(2, new_called)
2838 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2839 || !TEST_int_eq(4, new_called)
2840 || !TEST_int_eq(sizeof(buf), nbytes)
2841 || !TEST_int_eq(c, buf[0])
2842 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2843 goto end;
2844
2845 SSL_shutdown(clientssl);
2846 SSL_shutdown(serverssl);
2847 testresult = 1;
2848
2849 end:
2850 BIO_free(bretry);
2851 BIO_free(tmp);
2852 SSL_free(serverssl);
2853 SSL_free(clientssl);
2854 SSL_CTX_free(sctx);
2855 SSL_CTX_free(cctx);
2856 clientssl = serverssl = NULL;
2857 sctx = cctx = NULL;
2858 return testresult;
2859}
2860#endif
2861
2862#define USE_NULL 0
2863#define USE_BIO_1 1
2864#define USE_BIO_2 2
2865#define USE_DEFAULT 3
2866
2867#define CONNTYPE_CONNECTION_SUCCESS 0
2868#define CONNTYPE_CONNECTION_FAIL 1
2869#define CONNTYPE_NO_CONNECTION 2
2870
2871#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2872#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2873#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2874# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2875#else
2876# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2877#endif
2878
2879#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2880 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2881 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2882
2883static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2884{
2885 switch (type) {
2886 case USE_NULL:
2887 *res = NULL;
2888 break;
2889 case USE_BIO_1:
2890 *res = bio1;
2891 break;
2892 case USE_BIO_2:
2893 *res = bio2;
2894 break;
2895 }
2896}
2897
2898
2899/*
2900 * Tests calls to SSL_set_bio() under various conditions.
2901 *
2902 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2903 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2904 * then do more tests where we create a successful connection first using our
2905 * standard connection setup functions, and then call SSL_set_bio() with
2906 * various combinations of valid BIOs or NULL. We then repeat these tests
2907 * following a failed connection. In this last case we are looking to check that
2908 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2909 */
2910static int test_ssl_set_bio(int idx)
2911{
2912 SSL_CTX *sctx = NULL, *cctx = NULL;
2913 BIO *bio1 = NULL;
2914 BIO *bio2 = NULL;
2915 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2916 SSL *serverssl = NULL, *clientssl = NULL;
2917 int initrbio, initwbio, newrbio, newwbio, conntype;
2918 int testresult = 0;
2919
2920 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2921 initrbio = idx % 3;
2922 idx /= 3;
2923 initwbio = idx % 3;
2924 idx /= 3;
2925 newrbio = idx % 3;
2926 idx /= 3;
2927 newwbio = idx % 3;
2928 conntype = CONNTYPE_NO_CONNECTION;
2929 } else {
2930 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2931 initrbio = initwbio = USE_DEFAULT;
2932 newrbio = idx % 2;
2933 idx /= 2;
2934 newwbio = idx % 2;
2935 idx /= 2;
2936 conntype = idx % 2;
2937 }
2938
2939 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2940 TLS_client_method(), TLS1_VERSION, 0,
2941 &sctx, &cctx, cert, privkey)))
2942 goto end;
2943
2944 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2945 /*
2946 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2947 * because we reduced the number of tests in the definition of
2948 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2949 * mismatched protocol versions we will force a connection failure.
2950 */
2951 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2952 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2953 }
2954
2955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2956 NULL, NULL)))
2957 goto end;
2958
2959 if (initrbio == USE_BIO_1
2960 || initwbio == USE_BIO_1
2961 || newrbio == USE_BIO_1
2962 || newwbio == USE_BIO_1) {
2963 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2964 goto end;
2965 }
2966
2967 if (initrbio == USE_BIO_2
2968 || initwbio == USE_BIO_2
2969 || newrbio == USE_BIO_2
2970 || newwbio == USE_BIO_2) {
2971 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2972 goto end;
2973 }
2974
2975 if (initrbio != USE_DEFAULT) {
2976 setupbio(&irbio, bio1, bio2, initrbio);
2977 setupbio(&iwbio, bio1, bio2, initwbio);
2978 SSL_set_bio(clientssl, irbio, iwbio);
2979
2980 /*
2981 * We want to maintain our own refs to these BIO, so do an up ref for
2982 * each BIO that will have ownership transferred in the SSL_set_bio()
2983 * call
2984 */
2985 if (irbio != NULL)
2986 BIO_up_ref(irbio);
2987 if (iwbio != NULL && iwbio != irbio)
2988 BIO_up_ref(iwbio);
2989 }
2990
2991 if (conntype != CONNTYPE_NO_CONNECTION
2992 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2993 SSL_ERROR_NONE)
2994 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2995 goto end;
2996
2997 setupbio(&nrbio, bio1, bio2, newrbio);
2998 setupbio(&nwbio, bio1, bio2, newwbio);
2999
3000 /*
3001 * We will (maybe) transfer ownership again so do more up refs.
3002 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3003 * already been set!
3004 */
3005 if (nrbio != NULL
3006 && nrbio != irbio
3007 && (nwbio != iwbio || nrbio != nwbio))
3008 BIO_up_ref(nrbio);
3009 if (nwbio != NULL
3010 && nwbio != nrbio
3011 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3012 BIO_up_ref(nwbio);
3013
3014 SSL_set_bio(clientssl, nrbio, nwbio);
3015
3016 testresult = 1;
3017
3018 end:
3019 BIO_free(bio1);
3020 BIO_free(bio2);
3021
3022 /*
3023 * This test is checking that the ref counting for SSL_set_bio is correct.
3024 * If we get here and we did too many frees then we will fail in the above
3025 * functions.
3026 */
3027 SSL_free(serverssl);
3028 SSL_free(clientssl);
3029 SSL_CTX_free(sctx);
3030 SSL_CTX_free(cctx);
3031 return testresult;
3032}
3033
3034typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3035
3036static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3037{
3038 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3039 SSL_CTX *ctx;
3040 SSL *ssl = NULL;
3041 int testresult = 0;
3042
3043 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3044 || !TEST_ptr(ssl = SSL_new(ctx))
3045 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3046 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3047 goto end;
3048
3049 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3050
3051 /*
3052 * If anything goes wrong here then we could leak memory.
3053 */
3054 BIO_push(sslbio, membio1);
3055
3056 /* Verify changing the rbio/wbio directly does not cause leaks */
3057 if (change_bio != NO_BIO_CHANGE) {
3058 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3059 ssl = NULL;
3060 goto end;
3061 }
3062 if (change_bio == CHANGE_RBIO)
3063 SSL_set0_rbio(ssl, membio2);
3064 else
3065 SSL_set0_wbio(ssl, membio2);
3066 }
3067 ssl = NULL;
3068
3069 if (pop_ssl)
3070 BIO_pop(sslbio);
3071 else
3072 BIO_pop(membio1);
3073
3074 testresult = 1;
3075 end:
3076 BIO_free(membio1);
3077 BIO_free(sslbio);
3078 SSL_free(ssl);
3079 SSL_CTX_free(ctx);
3080
3081 return testresult;
3082}
3083
3084static int test_ssl_bio_pop_next_bio(void)
3085{
3086 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3087}
3088
3089static int test_ssl_bio_pop_ssl_bio(void)
3090{
3091 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3092}
3093
3094static int test_ssl_bio_change_rbio(void)
3095{
3096 return execute_test_ssl_bio(0, CHANGE_RBIO);
3097}
3098
3099static int test_ssl_bio_change_wbio(void)
3100{
3101 return execute_test_ssl_bio(0, CHANGE_WBIO);
3102}
3103
3104#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3105typedef struct {
3106 /* The list of sig algs */
3107 const int *list;
3108 /* The length of the list */
3109 size_t listlen;
3110 /* A sigalgs list in string format */
3111 const char *liststr;
3112 /* Whether setting the list should succeed */
3113 int valid;
3114 /* Whether creating a connection with the list should succeed */
3115 int connsuccess;
3116} sigalgs_list;
3117
3118static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3119# ifndef OPENSSL_NO_EC
3120static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3121static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3122# endif
3123static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3124static const int invalidlist2[] = {NID_sha256, NID_undef};
3125static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3126static const int invalidlist4[] = {NID_sha256};
3127static const sigalgs_list testsigalgs[] = {
3128 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3129# ifndef OPENSSL_NO_EC
3130 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3131 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3132# endif
3133 {NULL, 0, "RSA+SHA256", 1, 1},
3134# ifndef OPENSSL_NO_EC
3135 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3136 {NULL, 0, "ECDSA+SHA512", 1, 0},
3137# endif
3138 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3139 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3140 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3141 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3142 {NULL, 0, "RSA", 0, 0},
3143 {NULL, 0, "SHA256", 0, 0},
3144 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3145 {NULL, 0, "Invalid", 0, 0}
3146};
3147
3148static int test_set_sigalgs(int idx)
3149{
3150 SSL_CTX *cctx = NULL, *sctx = NULL;
3151 SSL *clientssl = NULL, *serverssl = NULL;
3152 int testresult = 0;
3153 const sigalgs_list *curr;
3154 int testctx;
3155
3156 /* Should never happen */
3157 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3158 return 0;
3159
3160 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3161 curr = testctx ? &testsigalgs[idx]
3162 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3163
3164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3165 TLS_client_method(), TLS1_VERSION, 0,
3166 &sctx, &cctx, cert, privkey)))
3167 return 0;
3168
3169 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3170
3171 if (testctx) {
3172 int ret;
3173
3174 if (curr->list != NULL)
3175 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3176 else
3177 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3178
3179 if (!ret) {
3180 if (curr->valid)
3181 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3182 else
3183 testresult = 1;
3184 goto end;
3185 }
3186 if (!curr->valid) {
3187 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3188 goto end;
3189 }
3190 }
3191
3192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3193 &clientssl, NULL, NULL)))
3194 goto end;
3195
3196 if (!testctx) {
3197 int ret;
3198
3199 if (curr->list != NULL)
3200 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3201 else
3202 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3203 if (!ret) {
3204 if (curr->valid)
3205 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3206 else
3207 testresult = 1;
3208 goto end;
3209 }
3210 if (!curr->valid)
3211 goto end;
3212 }
3213
3214 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3215 SSL_ERROR_NONE),
3216 curr->connsuccess))
3217 goto end;
3218
3219 testresult = 1;
3220
3221 end:
3222 SSL_free(serverssl);
3223 SSL_free(clientssl);
3224 SSL_CTX_free(sctx);
3225 SSL_CTX_free(cctx);
3226
3227 return testresult;
3228}
3229#endif
3230
3231#ifndef OSSL_NO_USABLE_TLS1_3
3232static int psk_client_cb_cnt = 0;
3233static int psk_server_cb_cnt = 0;
3234
3235static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3236 size_t *idlen, SSL_SESSION **sess)
3237{
3238 switch (++use_session_cb_cnt) {
3239 case 1:
3240 /* The first call should always have a NULL md */
3241 if (md != NULL)
3242 return 0;
3243 break;
3244
3245 case 2:
3246 /* The second call should always have an md */
3247 if (md == NULL)
3248 return 0;
3249 break;
3250
3251 default:
3252 /* We should only be called a maximum of twice */
3253 return 0;
3254 }
3255
3256 if (clientpsk != NULL)
3257 SSL_SESSION_up_ref(clientpsk);
3258
3259 *sess = clientpsk;
3260 *id = (const unsigned char *)pskid;
3261 *idlen = strlen(pskid);
3262
3263 return 1;
3264}
3265
3266#ifndef OPENSSL_NO_PSK
3267static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3268 unsigned int max_id_len,
3269 unsigned char *psk,
3270 unsigned int max_psk_len)
3271{
3272 unsigned int psklen = 0;
3273
3274 psk_client_cb_cnt++;
3275
3276 if (strlen(pskid) + 1 > max_id_len)
3277 return 0;
3278
3279 /* We should only ever be called a maximum of twice per connection */
3280 if (psk_client_cb_cnt > 2)
3281 return 0;
3282
3283 if (clientpsk == NULL)
3284 return 0;
3285
3286 /* We'll reuse the PSK we set up for TLSv1.3 */
3287 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3288 return 0;
3289 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3290 strncpy(id, pskid, max_id_len);
3291
3292 return psklen;
3293}
3294#endif /* OPENSSL_NO_PSK */
3295
3296static int find_session_cb(SSL *ssl, const unsigned char *identity,
3297 size_t identity_len, SSL_SESSION **sess)
3298{
3299 find_session_cb_cnt++;
3300
3301 /* We should only ever be called a maximum of twice per connection */
3302 if (find_session_cb_cnt > 2)
3303 return 0;
3304
3305 if (serverpsk == NULL)
3306 return 0;
3307
3308 /* Identity should match that set by the client */
3309 if (strlen(srvid) != identity_len
3310 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3311 /* No PSK found, continue but without a PSK */
3312 *sess = NULL;
3313 return 1;
3314 }
3315
3316 SSL_SESSION_up_ref(serverpsk);
3317 *sess = serverpsk;
3318
3319 return 1;
3320}
3321
3322#ifndef OPENSSL_NO_PSK
3323static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3324 unsigned char *psk, unsigned int max_psk_len)
3325{
3326 unsigned int psklen = 0;
3327
3328 psk_server_cb_cnt++;
3329
3330 /* We should only ever be called a maximum of twice per connection */
3331 if (find_session_cb_cnt > 2)
3332 return 0;
3333
3334 if (serverpsk == NULL)
3335 return 0;
3336
3337 /* Identity should match that set by the client */
3338 if (strcmp(srvid, identity) != 0) {
3339 return 0;
3340 }
3341
3342 /* We'll reuse the PSK we set up for TLSv1.3 */
3343 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3344 return 0;
3345 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3346
3347 return psklen;
3348}
3349#endif /* OPENSSL_NO_PSK */
3350
3351#define MSG1 "Hello"
3352#define MSG2 "World."
3353#define MSG3 "This"
3354#define MSG4 "is"
3355#define MSG5 "a"
3356#define MSG6 "test"
3357#define MSG7 "message."
3358
3359#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
3360#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3361#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3362#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3363#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3364
3365
3366static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3367{
3368 const SSL_CIPHER *cipher = NULL;
3369 const unsigned char key[] = {
3370 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3371 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3372 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3373 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3374 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3375 };
3376 SSL_SESSION *sess = NULL;
3377
3378 if (mdsize == SHA384_DIGEST_LENGTH) {
3379 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3380 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3381 /*
3382 * Any ciphersuite using SHA256 will do - it will be compatible with
3383 * the actual ciphersuite selected as long as it too is based on SHA256
3384 */
3385 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3386 } else {
3387 /* Should not happen */
3388 return NULL;
3389 }
3390 sess = SSL_SESSION_new();
3391 if (!TEST_ptr(sess)
3392 || !TEST_ptr(cipher)
3393 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3394 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3395 || !TEST_true(
3396 SSL_SESSION_set_protocol_version(sess,
3397 TLS1_3_VERSION))) {
3398 SSL_SESSION_free(sess);
3399 return NULL;
3400 }
3401 return sess;
3402}
3403
3404/*
3405 * Helper method to setup objects for early data test. Caller frees objects on
3406 * error.
3407 */
3408static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3409 SSL **serverssl, SSL_SESSION **sess, int idx,
3410 size_t mdsize)
3411{
3412 if (*sctx == NULL
3413 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3414 TLS_client_method(),
3415 TLS1_VERSION, 0,
3416 sctx, cctx, cert, privkey)))
3417 return 0;
3418
3419 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3420 return 0;
3421
3422 if (idx == 1) {
3423 /* When idx == 1 we repeat the tests with read_ahead set */
3424 SSL_CTX_set_read_ahead(*cctx, 1);
3425 SSL_CTX_set_read_ahead(*sctx, 1);
3426 } else if (idx == 2) {
3427 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3428 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3429 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3430 use_session_cb_cnt = 0;
3431 find_session_cb_cnt = 0;
3432 srvid = pskid;
3433 }
3434
3435 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3436 NULL, NULL)))
3437 return 0;
3438
3439 /*
3440 * For one of the run throughs (doesn't matter which one), we'll try sending
3441 * some SNI data in the initial ClientHello. This will be ignored (because
3442 * there is no SNI cb set up by the server), so it should not impact
3443 * early_data.
3444 */
3445 if (idx == 1
3446 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3447 return 0;
3448
3449 if (idx == 2) {
3450 clientpsk = create_a_psk(*clientssl, mdsize);
3451 if (!TEST_ptr(clientpsk)
3452 /*
3453 * We just choose an arbitrary value for max_early_data which
3454 * should be big enough for testing purposes.
3455 */
3456 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3457 0x100))
3458 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3459 SSL_SESSION_free(clientpsk);
3460 clientpsk = NULL;
3461 return 0;
3462 }
3463 serverpsk = clientpsk;
3464
3465 if (sess != NULL) {
3466 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3467 SSL_SESSION_free(clientpsk);
3468 SSL_SESSION_free(serverpsk);
3469 clientpsk = serverpsk = NULL;
3470 return 0;
3471 }
3472 *sess = clientpsk;
3473 }
3474 return 1;
3475 }
3476
3477 if (sess == NULL)
3478 return 1;
3479
3480 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3481 SSL_ERROR_NONE)))
3482 return 0;
3483
3484 *sess = SSL_get1_session(*clientssl);
3485 SSL_shutdown(*clientssl);
3486 SSL_shutdown(*serverssl);
3487 SSL_free(*serverssl);
3488 SSL_free(*clientssl);
3489 *serverssl = *clientssl = NULL;
3490
3491 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3492 clientssl, NULL, NULL))
3493 || !TEST_true(SSL_set_session(*clientssl, *sess)))
3494 return 0;
3495
3496 return 1;
3497}
3498
3499static int check_early_data_timeout(time_t timer)
3500{
3501 int res = 0;
3502
3503 /*
3504 * Early data is time sensitive. We have an approx 8 second allowance
3505 * between writing the early data and reading it. If we exceed that time
3506 * then this test will fail. This can sometimes (rarely) occur in normal CI
3507 * operation. We can try and detect this and just ignore the result of this
3508 * test if it has taken too long. We assume anything over 7 seconds is too
3509 * long
3510 */
3511 timer = time(NULL) - timer;
3512 if (timer >= 7)
3513 res = TEST_skip("Test took too long, ignoring result");
3514
3515 return res;
3516}
3517
3518static int test_early_data_read_write(int idx)
3519{
3520 SSL_CTX *cctx = NULL, *sctx = NULL;
3521 SSL *clientssl = NULL, *serverssl = NULL;
3522 int testresult = 0;
3523 SSL_SESSION *sess = NULL;
3524 unsigned char buf[20], data[1024];
3525 size_t readbytes, written, eoedlen, rawread, rawwritten;
3526 BIO *rbio;
3527 time_t timer;
3528
3529 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3530 &serverssl, &sess, idx,
3531 SHA384_DIGEST_LENGTH)))
3532 goto end;
3533
3534 /* Write and read some early data */
3535 timer = time(NULL);
3536 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3537 &written))
3538 || !TEST_size_t_eq(written, strlen(MSG1)))
3539 goto end;
3540
3541 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3542 &readbytes),
3543 SSL_READ_EARLY_DATA_SUCCESS)) {
3544 testresult = check_early_data_timeout(timer);
3545 goto end;
3546 }
3547
3548 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3550 SSL_EARLY_DATA_ACCEPTED))
3551 goto end;
3552
3553 /*
3554 * Server should be able to write data, and client should be able to
3555 * read it.
3556 */
3557 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3558 &written))
3559 || !TEST_size_t_eq(written, strlen(MSG2))
3560 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3561 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3562 goto end;
3563
3564 /* Even after reading normal data, client should be able write early data */
3565 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3566 &written))
3567 || !TEST_size_t_eq(written, strlen(MSG3)))
3568 goto end;
3569
3570 /* Server should still be able read early data after writing data */
3571 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3572 &readbytes),
3573 SSL_READ_EARLY_DATA_SUCCESS)
3574 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3575 goto end;
3576
3577 /* Write more data from server and read it from client */
3578 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3579 &written))
3580 || !TEST_size_t_eq(written, strlen(MSG4))
3581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3582 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3583 goto end;
3584
3585 /*
3586 * If client writes normal data it should mean writing early data is no
3587 * longer possible.
3588 */
3589 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3590 || !TEST_size_t_eq(written, strlen(MSG5))
3591 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3592 SSL_EARLY_DATA_ACCEPTED))
3593 goto end;
3594
3595 /*
3596 * At this point the client has written EndOfEarlyData, ClientFinished and
3597 * normal (fully protected) data. We are going to cause a delay between the
3598 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3599 * in the read BIO, and then just put back the EndOfEarlyData message.
3600 */
3601 rbio = SSL_get_rbio(serverssl);
3602 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3603 || !TEST_size_t_lt(rawread, sizeof(data))
3604 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3605 goto end;
3606
3607 /* Record length is in the 4th and 5th bytes of the record header */
3608 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3609 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3610 || !TEST_size_t_eq(rawwritten, eoedlen))
3611 goto end;
3612
3613 /* Server should be told that there is no more early data */
3614 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3615 &readbytes),
3616 SSL_READ_EARLY_DATA_FINISH)
3617 || !TEST_size_t_eq(readbytes, 0))
3618 goto end;
3619
3620 /*
3621 * Server has not finished init yet, so should still be able to write early
3622 * data.
3623 */
3624 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3625 &written))
3626 || !TEST_size_t_eq(written, strlen(MSG6)))
3627 goto end;
3628
3629 /* Push the ClientFinished and the normal data back into the server rbio */
3630 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3631 &rawwritten))
3632 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3633 goto end;
3634
3635 /* Server should be able to read normal data */
3636 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3637 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3638 goto end;
3639
3640 /* Client and server should not be able to write/read early data now */
3641 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3642 &written)))
3643 goto end;
3644 ERR_clear_error();
3645 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3646 &readbytes),
3647 SSL_READ_EARLY_DATA_ERROR))
3648 goto end;
3649 ERR_clear_error();
3650
3651 /* Client should be able to read the data sent by the server */
3652 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3653 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3654 goto end;
3655
3656 /*
3657 * Make sure we process the two NewSessionTickets. These arrive
3658 * post-handshake. We attempt reads which we do not expect to return any
3659 * data.
3660 */
3661 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3662 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3663 &readbytes)))
3664 goto end;
3665
3666 /* Server should be able to write normal data */
3667 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3668 || !TEST_size_t_eq(written, strlen(MSG7))
3669 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3670 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3671 goto end;
3672
3673 SSL_SESSION_free(sess);
3674 sess = SSL_get1_session(clientssl);
3675 use_session_cb_cnt = 0;
3676 find_session_cb_cnt = 0;
3677
3678 SSL_shutdown(clientssl);
3679 SSL_shutdown(serverssl);
3680 SSL_free(serverssl);
3681 SSL_free(clientssl);
3682 serverssl = clientssl = NULL;
3683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3684 &clientssl, NULL, NULL))
3685 || !TEST_true(SSL_set_session(clientssl, sess)))
3686 goto end;
3687
3688 /* Write and read some early data */
3689 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3690 &written))
3691 || !TEST_size_t_eq(written, strlen(MSG1))
3692 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3693 &readbytes),
3694 SSL_READ_EARLY_DATA_SUCCESS)
3695 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3696 goto end;
3697
3698 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3699 || !TEST_int_gt(SSL_accept(serverssl), 0))
3700 goto end;
3701
3702 /* Client and server should not be able to write/read early data now */
3703 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3704 &written)))
3705 goto end;
3706 ERR_clear_error();
3707 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3708 &readbytes),
3709 SSL_READ_EARLY_DATA_ERROR))
3710 goto end;
3711 ERR_clear_error();
3712
3713 /* Client and server should be able to write/read normal data */
3714 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3715 || !TEST_size_t_eq(written, strlen(MSG5))
3716 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3717 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3718 goto end;
3719
3720 testresult = 1;
3721
3722 end:
3723 SSL_SESSION_free(sess);
3724 SSL_SESSION_free(clientpsk);
3725 SSL_SESSION_free(serverpsk);
3726 clientpsk = serverpsk = NULL;
3727 SSL_free(serverssl);
3728 SSL_free(clientssl);
3729 SSL_CTX_free(sctx);
3730 SSL_CTX_free(cctx);
3731 return testresult;
3732}
3733
3734static int allow_ed_cb_called = 0;
3735
3736static int allow_early_data_cb(SSL *s, void *arg)
3737{
3738 int *usecb = (int *)arg;
3739
3740 allow_ed_cb_called++;
3741
3742 if (*usecb == 1)
3743 return 0;
3744
3745 return 1;
3746}
3747
3748/*
3749 * idx == 0: Standard early_data setup
3750 * idx == 1: early_data setup using read_ahead
3751 * usecb == 0: Don't use a custom early data callback
3752 * usecb == 1: Use a custom early data callback and reject the early data
3753 * usecb == 2: Use a custom early data callback and accept the early data
3754 * confopt == 0: Configure anti-replay directly
3755 * confopt == 1: Configure anti-replay using SSL_CONF
3756 */
3757static int test_early_data_replay_int(int idx, int usecb, int confopt)
3758{
3759 SSL_CTX *cctx = NULL, *sctx = NULL;
3760 SSL *clientssl = NULL, *serverssl = NULL;
3761 int testresult = 0;
3762 SSL_SESSION *sess = NULL;
3763 size_t readbytes, written;
3764 unsigned char buf[20];
3765 time_t timer;
3766
3767 allow_ed_cb_called = 0;
3768
3769 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3770 TLS_client_method(), TLS1_VERSION, 0,
3771 &sctx, &cctx, cert, privkey)))
3772 return 0;
3773
3774 if (usecb > 0) {
3775 if (confopt == 0) {
3776 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3777 } else {
3778 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3779
3780 if (!TEST_ptr(confctx))
3781 goto end;
3782 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3783 | SSL_CONF_FLAG_SERVER);
3784 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3785 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3786 2)) {
3787 SSL_CONF_CTX_free(confctx);
3788 goto end;
3789 }
3790 SSL_CONF_CTX_free(confctx);
3791 }
3792 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3793 }
3794
3795 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3796 &serverssl, &sess, idx,
3797 SHA384_DIGEST_LENGTH)))
3798 goto end;
3799
3800 /*
3801 * The server is configured to accept early data. Create a connection to
3802 * "use up" the ticket
3803 */
3804 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3805 || !TEST_true(SSL_session_reused(clientssl)))
3806 goto end;
3807
3808 SSL_shutdown(clientssl);
3809 SSL_shutdown(serverssl);
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3812 serverssl = clientssl = NULL;
3813
3814 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3815 &clientssl, NULL, NULL))
3816 || !TEST_true(SSL_set_session(clientssl, sess)))
3817 goto end;
3818
3819 /* Write and read some early data */
3820 timer = time(NULL);
3821 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3822 &written))
3823 || !TEST_size_t_eq(written, strlen(MSG1)))
3824 goto end;
3825
3826 if (usecb <= 1) {
3827 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3828 &readbytes),
3829 SSL_READ_EARLY_DATA_FINISH)
3830 /*
3831 * The ticket was reused, so the we should have rejected the
3832 * early data
3833 */
3834 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3835 SSL_EARLY_DATA_REJECTED))
3836 goto end;
3837 } else {
3838 /* In this case the callback decides to accept the early data */
3839 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3840 &readbytes),
3841 SSL_READ_EARLY_DATA_SUCCESS)) {
3842 testresult = check_early_data_timeout(timer);
3843 goto end;
3844 }
3845 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3846 /*
3847 * Server will have sent its flight so client can now send
3848 * end of early data and complete its half of the handshake
3849 */
3850 || !TEST_int_gt(SSL_connect(clientssl), 0)
3851 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3852 &readbytes),
3853 SSL_READ_EARLY_DATA_FINISH)
3854 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3855 SSL_EARLY_DATA_ACCEPTED))
3856 goto end;
3857 }
3858
3859 /* Complete the connection */
3860 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3861 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3862 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3863 goto end;
3864
3865 testresult = 1;
3866
3867 end:
3868 SSL_SESSION_free(sess);
3869 SSL_SESSION_free(clientpsk);
3870 SSL_SESSION_free(serverpsk);
3871 clientpsk = serverpsk = NULL;
3872 SSL_free(serverssl);
3873 SSL_free(clientssl);
3874 SSL_CTX_free(sctx);
3875 SSL_CTX_free(cctx);
3876 return testresult;
3877}
3878
3879static int test_early_data_replay(int idx)
3880{
3881 int ret = 1, usecb, confopt;
3882
3883 for (usecb = 0; usecb < 3; usecb++) {
3884 for (confopt = 0; confopt < 2; confopt++)
3885 ret &= test_early_data_replay_int(idx, usecb, confopt);
3886 }
3887
3888 return ret;
3889}
3890
3891static const char *ciphersuites[] = {
3892 "TLS_AES_128_CCM_8_SHA256",
3893 "TLS_AES_128_GCM_SHA256",
3894 "TLS_AES_256_GCM_SHA384",
3895 "TLS_AES_128_CCM_SHA256",
3896#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3897 "TLS_CHACHA20_POLY1305_SHA256"
3898#endif
3899};
3900
3901/*
3902 * Helper function to test that a server attempting to read early data can
3903 * handle a connection from a client where the early data should be skipped.
3904 * testtype: 0 == No HRR
3905 * testtype: 1 == HRR
3906 * testtype: 2 == HRR, invalid early_data sent after HRR
3907 * testtype: 3 == recv_max_early_data set to 0
3908 */
3909static int early_data_skip_helper(int testtype, int cipher, int idx)
3910{
3911 SSL_CTX *cctx = NULL, *sctx = NULL;
3912 SSL *clientssl = NULL, *serverssl = NULL;
3913 int testresult = 0;
3914 SSL_SESSION *sess = NULL;
3915 unsigned char buf[20];
3916 size_t readbytes, written;
3917
3918 if (is_fips && cipher == 4)
3919 return 1;
3920
3921 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3922 TLS_client_method(),
3923 TLS1_VERSION, 0,
3924 &sctx, &cctx, cert, privkey)))
3925 goto end;
3926
3927 if (cipher == 0) {
3928 SSL_CTX_set_security_level(sctx, 0);
3929 SSL_CTX_set_security_level(cctx, 0);
3930 }
3931
3932 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3933 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3934 goto end;
3935
3936 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3937 &serverssl, &sess, idx,
3938 cipher == 2 ? SHA384_DIGEST_LENGTH
3939 : SHA256_DIGEST_LENGTH)))
3940 goto end;
3941
3942 if (testtype == 1 || testtype == 2) {
3943 /* Force an HRR to occur */
3944#if defined(OPENSSL_NO_EC)
3945 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3946 goto end;
3947#else
3948 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3949 goto end;
3950#endif
3951 } else if (idx == 2) {
3952 /*
3953 * We force early_data rejection by ensuring the PSK identity is
3954 * unrecognised
3955 */
3956 srvid = "Dummy Identity";
3957 } else {
3958 /*
3959 * Deliberately corrupt the creation time. We take 20 seconds off the
3960 * time. It could be any value as long as it is not within tolerance.
3961 * This should mean the ticket is rejected.
3962 */
3963 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3964 goto end;
3965 }
3966
3967 if (testtype == 3
3968 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3969 goto end;
3970
3971 /* Write some early data */
3972 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3973 &written))
3974 || !TEST_size_t_eq(written, strlen(MSG1)))
3975 goto end;
3976
3977 /* Server should reject the early data */
3978 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3979 &readbytes),
3980 SSL_READ_EARLY_DATA_FINISH)
3981 || !TEST_size_t_eq(readbytes, 0)
3982 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3983 SSL_EARLY_DATA_REJECTED))
3984 goto end;
3985
3986 switch (testtype) {
3987 case 0:
3988 /* Nothing to do */
3989 break;
3990
3991 case 1:
3992 /*
3993 * Finish off the handshake. We perform the same writes and reads as
3994 * further down but we expect them to fail due to the incomplete
3995 * handshake.
3996 */
3997 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3998 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3999 &readbytes)))
4000 goto end;
4001 break;
4002
4003 case 2:
4004 {
4005 BIO *wbio = SSL_get_wbio(clientssl);
4006 /* A record that will appear as bad early_data */
4007 const unsigned char bad_early_data[] = {
4008 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4009 };
4010
4011 /*
4012 * We force the client to attempt a write. This will fail because
4013 * we're still in the handshake. It will cause the second
4014 * ClientHello to be sent.
4015 */
4016 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4017 &written)))
4018 goto end;
4019
4020 /*
4021 * Inject some early_data after the second ClientHello. This should
4022 * cause the server to fail
4023 */
4024 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4025 sizeof(bad_early_data), &written)))
4026 goto end;
4027 }
4028 /* fallthrough */
4029
4030 case 3:
4031 /*
4032 * This client has sent more early_data than we are willing to skip
4033 * (case 3) or sent invalid early_data (case 2) so the connection should
4034 * abort.
4035 */
4036 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4037 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4038 goto end;
4039
4040 /* Connection has failed - nothing more to do */
4041 testresult = 1;
4042 goto end;
4043
4044 default:
4045 TEST_error("Invalid test type");
4046 goto end;
4047 }
4048
4049 ERR_clear_error();
4050 /*
4051 * Should be able to send normal data despite rejection of early data. The
4052 * early_data should be skipped.
4053 */
4054 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4055 || !TEST_size_t_eq(written, strlen(MSG2))
4056 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4057 SSL_EARLY_DATA_REJECTED)
4058 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4059 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4060 goto end;
4061
4062 /*
4063 * Failure to decrypt early data records should not leave spurious errors
4064 * on the error stack
4065 */
4066 if (!TEST_long_eq(ERR_peek_error(), 0))
4067 goto end;
4068
4069 testresult = 1;
4070
4071 end:
4072 SSL_SESSION_free(clientpsk);
4073 SSL_SESSION_free(serverpsk);
4074 clientpsk = serverpsk = NULL;
4075 SSL_SESSION_free(sess);
4076 SSL_free(serverssl);
4077 SSL_free(clientssl);
4078 SSL_CTX_free(sctx);
4079 SSL_CTX_free(cctx);
4080 return testresult;
4081}
4082
4083/*
4084 * Test that a server attempting to read early data can handle a connection
4085 * from a client where the early data is not acceptable.
4086 */
4087static int test_early_data_skip(int idx)
4088{
4089 return early_data_skip_helper(0,
4090 idx % OSSL_NELEM(ciphersuites),
4091 idx / OSSL_NELEM(ciphersuites));
4092}
4093
4094/*
4095 * Test that a server attempting to read early data can handle a connection
4096 * from a client where an HRR occurs.
4097 */
4098static int test_early_data_skip_hrr(int idx)
4099{
4100 return early_data_skip_helper(1,
4101 idx % OSSL_NELEM(ciphersuites),
4102 idx / OSSL_NELEM(ciphersuites));
4103}
4104
4105/*
4106 * Test that a server attempting to read early data can handle a connection
4107 * from a client where an HRR occurs and correctly fails if early_data is sent
4108 * after the HRR
4109 */
4110static int test_early_data_skip_hrr_fail(int idx)
4111{
4112 return early_data_skip_helper(2,
4113 idx % OSSL_NELEM(ciphersuites),
4114 idx / OSSL_NELEM(ciphersuites));
4115}
4116
4117/*
4118 * Test that a server attempting to read early data will abort if it tries to
4119 * skip over too much.
4120 */
4121static int test_early_data_skip_abort(int idx)
4122{
4123 return early_data_skip_helper(3,
4124 idx % OSSL_NELEM(ciphersuites),
4125 idx / OSSL_NELEM(ciphersuites));
4126}
4127
4128/*
4129 * Test that a server attempting to read early data can handle a connection
4130 * from a client that doesn't send any.
4131 */
4132static int test_early_data_not_sent(int idx)
4133{
4134 SSL_CTX *cctx = NULL, *sctx = NULL;
4135 SSL *clientssl = NULL, *serverssl = NULL;
4136 int testresult = 0;
4137 SSL_SESSION *sess = NULL;
4138 unsigned char buf[20];
4139 size_t readbytes, written;
4140
4141 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4142 &serverssl, &sess, idx,
4143 SHA384_DIGEST_LENGTH)))
4144 goto end;
4145
4146 /* Write some data - should block due to handshake with server */
4147 SSL_set_connect_state(clientssl);
4148 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4149 goto end;
4150
4151 /* Server should detect that early data has not been sent */
4152 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4153 &readbytes),
4154 SSL_READ_EARLY_DATA_FINISH)
4155 || !TEST_size_t_eq(readbytes, 0)
4156 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4157 SSL_EARLY_DATA_NOT_SENT)
4158 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4159 SSL_EARLY_DATA_NOT_SENT))
4160 goto end;
4161
4162 /* Continue writing the message we started earlier */
4163 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4164 || !TEST_size_t_eq(written, strlen(MSG1))
4165 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4166 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4167 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4168 || !TEST_size_t_eq(written, strlen(MSG2)))
4169 goto end;
4170
4171 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4172 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4173 goto end;
4174
4175 testresult = 1;
4176
4177 end:
4178 SSL_SESSION_free(sess);
4179 SSL_SESSION_free(clientpsk);
4180 SSL_SESSION_free(serverpsk);
4181 clientpsk = serverpsk = NULL;
4182 SSL_free(serverssl);
4183 SSL_free(clientssl);
4184 SSL_CTX_free(sctx);
4185 SSL_CTX_free(cctx);
4186 return testresult;
4187}
4188
4189static const char *servalpn;
4190
4191static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4192 unsigned char *outlen, const unsigned char *in,
4193 unsigned int inlen, void *arg)
4194{
4195 unsigned int protlen = 0;
4196 const unsigned char *prot;
4197
4198 for (prot = in; prot < in + inlen; prot += protlen) {
4199 protlen = *prot++;
4200 if (in + inlen < prot + protlen)
4201 return SSL_TLSEXT_ERR_NOACK;
4202
4203 if (protlen == strlen(servalpn)
4204 && memcmp(prot, servalpn, protlen) == 0) {
4205 *out = prot;
4206 *outlen = protlen;
4207 return SSL_TLSEXT_ERR_OK;
4208 }
4209 }
4210
4211 return SSL_TLSEXT_ERR_NOACK;
4212}
4213
4214/* Test that a PSK can be used to send early_data */
4215static int test_early_data_psk(int idx)
4216{
4217 SSL_CTX *cctx = NULL, *sctx = NULL;
4218 SSL *clientssl = NULL, *serverssl = NULL;
4219 int testresult = 0;
4220 SSL_SESSION *sess = NULL;
4221 unsigned char alpnlist[] = {
4222 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4223 'l', 'p', 'n'
4224 };
4225#define GOODALPNLEN 9
4226#define BADALPNLEN 8
4227#define GOODALPN (alpnlist)
4228#define BADALPN (alpnlist + GOODALPNLEN)
4229 int err = 0;
4230 unsigned char buf[20];
4231 size_t readbytes, written;
4232 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4233 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4234
4235 /* We always set this up with a final parameter of "2" for PSK */
4236 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4237 &serverssl, &sess, 2,
4238 SHA384_DIGEST_LENGTH)))
4239 goto end;
4240
4241 servalpn = "goodalpn";
4242
4243 /*
4244 * Note: There is no test for inconsistent SNI with late client detection.
4245 * This is because servers do not acknowledge SNI even if they are using
4246 * it in a resumption handshake - so it is not actually possible for a
4247 * client to detect a problem.
4248 */
4249 switch (idx) {
4250 case 0:
4251 /* Set inconsistent SNI (early client detection) */
4252 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4253 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4254 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4255 goto end;
4256 break;
4257
4258 case 1:
4259 /* Set inconsistent ALPN (early client detection) */
4260 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4261 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4262 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4263 GOODALPNLEN))
4264 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4265 BADALPNLEN)))
4266 goto end;
4267 break;
4268
4269 case 2:
4270 /*
4271 * Set invalid protocol version. Technically this affects PSKs without
4272 * early_data too, but we test it here because it is similar to the
4273 * SNI/ALPN consistency tests.
4274 */
4275 err = SSL_R_BAD_PSK;
4276 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4277 goto end;
4278 break;
4279
4280 case 3:
4281 /*
4282 * Set inconsistent SNI (server side). In this case the connection
4283 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4284 * is associated with each handshake - not the session. Therefore it
4285 * should not matter that we used a different server name last time.
4286 */
4287 SSL_SESSION_free(serverpsk);
4288 serverpsk = SSL_SESSION_dup(clientpsk);
4289 if (!TEST_ptr(serverpsk)
4290 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4291 goto end;
4292 /* Fall through */
4293 case 4:
4294 /* Set consistent SNI */
4295 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4296 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4297 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4298 hostname_cb)))
4299 goto end;
4300 break;
4301
4302 case 5:
4303 /*
4304 * Set inconsistent ALPN (server detected). In this case the connection
4305 * will succeed but reject early_data.
4306 */
4307 servalpn = "badalpn";
4308 edstatus = SSL_EARLY_DATA_REJECTED;
4309 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4310 /* Fall through */
4311 case 6:
4312 /*
4313 * Set consistent ALPN.
4314 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4315 * accepts a list of protos (each one length prefixed).
4316 * SSL_set1_alpn_selected accepts a single protocol (not length
4317 * prefixed)
4318 */
4319 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4320 GOODALPNLEN - 1))
4321 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4322 GOODALPNLEN)))
4323 goto end;
4324
4325 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4326 break;
4327
4328 case 7:
4329 /* Set inconsistent ALPN (late client detection) */
4330 SSL_SESSION_free(serverpsk);
4331 serverpsk = SSL_SESSION_dup(clientpsk);
4332 if (!TEST_ptr(serverpsk)
4333 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4334 BADALPN + 1,
4335 BADALPNLEN - 1))
4336 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4337 GOODALPN + 1,
4338 GOODALPNLEN - 1))
4339 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4340 sizeof(alpnlist))))
4341 goto end;
4342 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4343 edstatus = SSL_EARLY_DATA_ACCEPTED;
4344 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4345 /* SSL_connect() call should fail */
4346 connectres = -1;
4347 break;
4348
4349 default:
4350 TEST_error("Bad test index");
4351 goto end;
4352 }
4353
4354 SSL_set_connect_state(clientssl);
4355 if (err != 0) {
4356 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4357 &written))
4358 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4359 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4360 goto end;
4361 } else {
4362 time_t timer = time(NULL);
4363
4364 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4365 &written)))
4366 goto end;
4367
4368 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4369 &readbytes), readearlyres)) {
4370 testresult = check_early_data_timeout(timer);
4371 goto end;
4372 }
4373
4374 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4375 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4376 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4377 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4378 goto end;
4379 }
4380
4381 testresult = 1;
4382
4383 end:
4384 SSL_SESSION_free(sess);
4385 SSL_SESSION_free(clientpsk);
4386 SSL_SESSION_free(serverpsk);
4387 clientpsk = serverpsk = NULL;
4388 SSL_free(serverssl);
4389 SSL_free(clientssl);
4390 SSL_CTX_free(sctx);
4391 SSL_CTX_free(cctx);
4392 return testresult;
4393}
4394
4395/*
4396 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4397 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4398 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4399 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4400 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4401 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4402 */
4403static int test_early_data_psk_with_all_ciphers(int idx)
4404{
4405 SSL_CTX *cctx = NULL, *sctx = NULL;
4406 SSL *clientssl = NULL, *serverssl = NULL;
4407 int testresult = 0;
4408 SSL_SESSION *sess = NULL;
4409 unsigned char buf[20];
4410 size_t readbytes, written;
4411 const SSL_CIPHER *cipher;
4412 time_t timer;
4413 const char *cipher_str[] = {
4414 TLS1_3_RFC_AES_128_GCM_SHA256,
4415 TLS1_3_RFC_AES_256_GCM_SHA384,
4416# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4417 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4418# else
4419 NULL,
4420# endif
4421 TLS1_3_RFC_AES_128_CCM_SHA256,
4422 TLS1_3_RFC_AES_128_CCM_8_SHA256
4423 };
4424 const unsigned char *cipher_bytes[] = {
4425 TLS13_AES_128_GCM_SHA256_BYTES,
4426 TLS13_AES_256_GCM_SHA384_BYTES,
4427# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4428 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4429# else
4430 NULL,
4431# endif
4432 TLS13_AES_128_CCM_SHA256_BYTES,
4433 TLS13_AES_128_CCM_8_SHA256_BYTES
4434 };
4435
4436 if (cipher_str[idx] == NULL)
4437 return 1;
4438 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4439 if (idx == 2 && is_fips == 1)
4440 return 1;
4441
4442 /* We always set this up with a final parameter of "2" for PSK */
4443 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4444 &serverssl, &sess, 2,
4445 SHA384_DIGEST_LENGTH)))
4446 goto end;
4447
4448 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4449 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4450 goto end;
4451
4452 /*
4453 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4454 * and assigns to both client and server with incremented reference
4455 * and the same instance is updated in 'sess'.
4456 * So updating ciphersuite in 'sess' which will get reflected in
4457 * PSK handshake using psk use sess and find sess cb.
4458 */
4459 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4460 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4461 goto end;
4462
4463 SSL_set_connect_state(clientssl);
4464 timer = time(NULL);
4465 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4466 &written)))
4467 goto end;
4468
4469 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4470 &readbytes),
4471 SSL_READ_EARLY_DATA_SUCCESS)) {
4472 testresult = check_early_data_timeout(timer);
4473 goto end;
4474 }
4475
4476 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4477 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4478 SSL_EARLY_DATA_ACCEPTED)
4479 || !TEST_int_eq(SSL_connect(clientssl), 1)
4480 || !TEST_int_eq(SSL_accept(serverssl), 1))
4481 goto end;
4482
4483 /* Send some normal data from client to server */
4484 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4485 || !TEST_size_t_eq(written, strlen(MSG2)))
4486 goto end;
4487
4488 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4489 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4490 goto end;
4491
4492 testresult = 1;
4493 end:
4494 SSL_SESSION_free(sess);
4495 SSL_SESSION_free(clientpsk);
4496 SSL_SESSION_free(serverpsk);
4497 clientpsk = serverpsk = NULL;
4498 if (clientssl != NULL)
4499 SSL_shutdown(clientssl);
4500 if (serverssl != NULL)
4501 SSL_shutdown(serverssl);
4502 SSL_free(serverssl);
4503 SSL_free(clientssl);
4504 SSL_CTX_free(sctx);
4505 SSL_CTX_free(cctx);
4506 return testresult;
4507}
4508
4509/*
4510 * Test that a server that doesn't try to read early data can handle a
4511 * client sending some.
4512 */
4513static int test_early_data_not_expected(int idx)
4514{
4515 SSL_CTX *cctx = NULL, *sctx = NULL;
4516 SSL *clientssl = NULL, *serverssl = NULL;
4517 int testresult = 0;
4518 SSL_SESSION *sess = NULL;
4519 unsigned char buf[20];
4520 size_t readbytes, written;
4521
4522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4523 &serverssl, &sess, idx,
4524 SHA384_DIGEST_LENGTH)))
4525 goto end;
4526
4527 /* Write some early data */
4528 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4529 &written)))
4530 goto end;
4531
4532 /*
4533 * Server should skip over early data and then block waiting for client to
4534 * continue handshake
4535 */
4536 if (!TEST_int_le(SSL_accept(serverssl), 0)
4537 || !TEST_int_gt(SSL_connect(clientssl), 0)
4538 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4539 SSL_EARLY_DATA_REJECTED)
4540 || !TEST_int_gt(SSL_accept(serverssl), 0)
4541 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4542 SSL_EARLY_DATA_REJECTED))
4543 goto end;
4544
4545 /* Send some normal data from client to server */
4546 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4547 || !TEST_size_t_eq(written, strlen(MSG2)))
4548 goto end;
4549
4550 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4551 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4552 goto end;
4553
4554 testresult = 1;
4555
4556 end:
4557 SSL_SESSION_free(sess);
4558 SSL_SESSION_free(clientpsk);
4559 SSL_SESSION_free(serverpsk);
4560 clientpsk = serverpsk = NULL;
4561 SSL_free(serverssl);
4562 SSL_free(clientssl);
4563 SSL_CTX_free(sctx);
4564 SSL_CTX_free(cctx);
4565 return testresult;
4566}
4567
4568
4569# ifndef OPENSSL_NO_TLS1_2
4570/*
4571 * Test that a server attempting to read early data can handle a connection
4572 * from a TLSv1.2 client.
4573 */
4574static int test_early_data_tls1_2(int idx)
4575{
4576 SSL_CTX *cctx = NULL, *sctx = NULL;
4577 SSL *clientssl = NULL, *serverssl = NULL;
4578 int testresult = 0;
4579 unsigned char buf[20];
4580 size_t readbytes, written;
4581
4582 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4583 &serverssl, NULL, idx,
4584 SHA384_DIGEST_LENGTH)))
4585 goto end;
4586
4587 /* Write some data - should block due to handshake with server */
4588 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4589 SSL_set_connect_state(clientssl);
4590 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4591 goto end;
4592
4593 /*
4594 * Server should do TLSv1.2 handshake. First it will block waiting for more
4595 * messages from client after ServerDone. Then SSL_read_early_data should
4596 * finish and detect that early data has not been sent
4597 */
4598 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4599 &readbytes),
4600 SSL_READ_EARLY_DATA_ERROR))
4601 goto end;
4602
4603 /*
4604 * Continue writing the message we started earlier. Will still block waiting
4605 * for the CCS/Finished from server
4606 */
4607 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4608 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4609 &readbytes),
4610 SSL_READ_EARLY_DATA_FINISH)
4611 || !TEST_size_t_eq(readbytes, 0)
4612 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4613 SSL_EARLY_DATA_NOT_SENT))
4614 goto end;
4615
4616 /* Continue writing the message we started earlier */
4617 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4618 || !TEST_size_t_eq(written, strlen(MSG1))
4619 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4620 SSL_EARLY_DATA_NOT_SENT)
4621 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4622 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4623 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4624 || !TEST_size_t_eq(written, strlen(MSG2))
4625 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4626 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4627 goto end;
4628
4629 testresult = 1;
4630
4631 end:
4632 SSL_SESSION_free(clientpsk);
4633 SSL_SESSION_free(serverpsk);
4634 clientpsk = serverpsk = NULL;
4635 SSL_free(serverssl);
4636 SSL_free(clientssl);
4637 SSL_CTX_free(sctx);
4638 SSL_CTX_free(cctx);
4639
4640 return testresult;
4641}
4642# endif /* OPENSSL_NO_TLS1_2 */
4643
4644/*
4645 * Test configuring the TLSv1.3 ciphersuites
4646 *
4647 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4648 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4649 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4650 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4651 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4652 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4653 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4654 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4655 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4656 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4657 */
4658static int test_set_ciphersuite(int idx)
4659{
4660 SSL_CTX *cctx = NULL, *sctx = NULL;
4661 SSL *clientssl = NULL, *serverssl = NULL;
4662 int testresult = 0;
4663
4664 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4665 TLS_client_method(), TLS1_VERSION, 0,
4666 &sctx, &cctx, cert, privkey))
4667 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4668 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4669 goto end;
4670
4671 if (idx >=4 && idx <= 7) {
4672 /* SSL_CTX explicit cipher list */
4673 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4674 goto end;
4675 }
4676
4677 if (idx == 0 || idx == 4) {
4678 /* Default ciphersuite */
4679 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4680 "TLS_AES_128_GCM_SHA256")))
4681 goto end;
4682 } else if (idx == 1 || idx == 5) {
4683 /* Non default ciphersuite */
4684 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4685 "TLS_AES_128_CCM_SHA256")))
4686 goto end;
4687 }
4688
4689 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4690 &clientssl, NULL, NULL)))
4691 goto end;
4692
4693 if (idx == 8 || idx == 9) {
4694 /* SSL explicit cipher list */
4695 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4696 goto end;
4697 }
4698
4699 if (idx == 2 || idx == 6 || idx == 8) {
4700 /* Default ciphersuite */
4701 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4702 "TLS_AES_128_GCM_SHA256")))
4703 goto end;
4704 } else if (idx == 3 || idx == 7 || idx == 9) {
4705 /* Non default ciphersuite */
4706 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4707 "TLS_AES_128_CCM_SHA256")))
4708 goto end;
4709 }
4710
4711 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4712 goto end;
4713
4714 testresult = 1;
4715
4716 end:
4717 SSL_free(serverssl);
4718 SSL_free(clientssl);
4719 SSL_CTX_free(sctx);
4720 SSL_CTX_free(cctx);
4721
4722 return testresult;
4723}
4724
4725static int test_ciphersuite_change(void)
4726{
4727 SSL_CTX *cctx = NULL, *sctx = NULL;
4728 SSL *clientssl = NULL, *serverssl = NULL;
4729 SSL_SESSION *clntsess = NULL;
4730 int testresult = 0;
4731 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4732
4733 /* Create a session based on SHA-256 */
4734 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4735 TLS_client_method(), TLS1_VERSION, 0,
4736 &sctx, &cctx, cert, privkey))
4737 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4738 "TLS_AES_128_GCM_SHA256:"
4739 "TLS_AES_256_GCM_SHA384:"
4740 "TLS_AES_128_CCM_SHA256"))
4741 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4742 "TLS_AES_128_GCM_SHA256"))
4743 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4744 &clientssl, NULL, NULL))
4745 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4746 SSL_ERROR_NONE)))
4747 goto end;
4748
4749 clntsess = SSL_get1_session(clientssl);
4750 /* Save for later */
4751 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4752 SSL_shutdown(clientssl);
4753 SSL_shutdown(serverssl);
4754 SSL_free(serverssl);
4755 SSL_free(clientssl);
4756 serverssl = clientssl = NULL;
4757
4758 /* Check we can resume a session with a different SHA-256 ciphersuite */
4759 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4760 "TLS_AES_128_CCM_SHA256"))
4761 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4762 &clientssl, NULL, NULL))
4763 || !TEST_true(SSL_set_session(clientssl, clntsess))
4764 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4765 SSL_ERROR_NONE))
4766 || !TEST_true(SSL_session_reused(clientssl)))
4767 goto end;
4768
4769 SSL_SESSION_free(clntsess);
4770 clntsess = SSL_get1_session(clientssl);
4771 SSL_shutdown(clientssl);
4772 SSL_shutdown(serverssl);
4773 SSL_free(serverssl);
4774 SSL_free(clientssl);
4775 serverssl = clientssl = NULL;
4776
4777 /*
4778 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4779 * succeeds but does not resume.
4780 */
4781 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4783 NULL, NULL))
4784 || !TEST_true(SSL_set_session(clientssl, clntsess))
4785 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4786 SSL_ERROR_SSL))
4787 || !TEST_false(SSL_session_reused(clientssl)))
4788 goto end;
4789
4790 SSL_SESSION_free(clntsess);
4791 clntsess = NULL;
4792 SSL_shutdown(clientssl);
4793 SSL_shutdown(serverssl);
4794 SSL_free(serverssl);
4795 SSL_free(clientssl);
4796 serverssl = clientssl = NULL;
4797
4798 /* Create a session based on SHA384 */
4799 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4800 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4801 &clientssl, NULL, NULL))
4802 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4803 SSL_ERROR_NONE)))
4804 goto end;
4805
4806 clntsess = SSL_get1_session(clientssl);
4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
4809 SSL_free(serverssl);
4810 SSL_free(clientssl);
4811 serverssl = clientssl = NULL;
4812
4813 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4814 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4815 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4816 "TLS_AES_256_GCM_SHA384"))
4817 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4818 NULL, NULL))
4819 || !TEST_true(SSL_set_session(clientssl, clntsess))
4820 /*
4821 * We use SSL_ERROR_WANT_READ below so that we can pause the
4822 * connection after the initial ClientHello has been sent to
4823 * enable us to make some session changes.
4824 */
4825 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4826 SSL_ERROR_WANT_READ)))
4827 goto end;
4828
4829 /* Trick the client into thinking this session is for a different digest */
4830 clntsess->cipher = aes_128_gcm_sha256;
4831 clntsess->cipher_id = clntsess->cipher->id;
4832
4833 /*
4834 * Continue the previously started connection. Server has selected a SHA-384
4835 * ciphersuite, but client thinks the session is for SHA-256, so it should
4836 * bail out.
4837 */
4838 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4839 SSL_ERROR_SSL))
4840 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4841 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4842 goto end;
4843
4844 testresult = 1;
4845
4846 end:
4847 SSL_SESSION_free(clntsess);
4848 SSL_free(serverssl);
4849 SSL_free(clientssl);
4850 SSL_CTX_free(sctx);
4851 SSL_CTX_free(cctx);
4852
4853 return testresult;
4854}
4855
4856/*
4857 * Test TLSv1.3 Key exchange
4858 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4859 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4860 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4861 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4862 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4863 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4864 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4865 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4866 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4867 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4868 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4869 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4870 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4871 * Test 13 = Test all FFDHE with TLSv1.2 client and server
4872 */
4873# ifndef OPENSSL_NO_EC
4874static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4875 NID_secp521r1, NID_X25519, NID_X448};
4876# endif
4877# ifndef OPENSSL_NO_DH
4878static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4879 NID_ffdhe6144, NID_ffdhe8192};
4880# endif
4881static int test_key_exchange(int idx)
4882{
4883 SSL_CTX *sctx = NULL, *cctx = NULL;
4884 SSL *serverssl = NULL, *clientssl = NULL;
4885 int testresult = 0;
4886 int kexch_alg;
4887 int *kexch_groups = &kexch_alg;
4888 int kexch_groups_size = 1;
4889 int max_version = TLS1_3_VERSION;
4890 char *kexch_name0 = NULL;
4891
4892 switch (idx) {
4893# ifndef OPENSSL_NO_EC
4894# ifndef OPENSSL_NO_TLS1_2
4895 case 12:
4896 max_version = TLS1_2_VERSION;
4897# endif
4898 /* Fall through */
4899 case 0:
4900 kexch_groups = ecdhe_kexch_groups;
4901 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4902 kexch_name0 = "secp256r1";
4903 break;
4904 case 1:
4905 kexch_alg = NID_X9_62_prime256v1;
4906 kexch_name0 = "secp256r1";
4907 break;
4908 case 2:
4909 kexch_alg = NID_secp384r1;
4910 kexch_name0 = "secp384r1";
4911 break;
4912 case 3:
4913 kexch_alg = NID_secp521r1;
4914 kexch_name0 = "secp521r1";
4915 break;
4916 case 4:
4917 if (is_fips)
4918 return TEST_skip("X25519 might not be supported by fips provider.");
4919 kexch_alg = NID_X25519;
4920 kexch_name0 = "x25519";
4921 break;
4922 case 5:
4923 if (is_fips)
4924 return TEST_skip("X448 might not be supported by fips provider.");
4925 kexch_alg = NID_X448;
4926 kexch_name0 = "x448";
4927 break;
4928# endif
4929# ifndef OPENSSL_NO_DH
4930# ifndef OPENSSL_NO_TLS1_2
4931 case 13:
4932 max_version = TLS1_2_VERSION;
4933 kexch_name0 = "ffdhe2048";
4934# endif
4935 /* Fall through */
4936 case 6:
4937 kexch_groups = ffdhe_kexch_groups;
4938 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4939 kexch_name0 = "ffdhe2048";
4940 break;
4941 case 7:
4942 kexch_alg = NID_ffdhe2048;
4943 kexch_name0 = "ffdhe2048";
4944 break;
4945 case 8:
4946 kexch_alg = NID_ffdhe3072;
4947 kexch_name0 = "ffdhe3072";
4948 break;
4949 case 9:
4950 kexch_alg = NID_ffdhe4096;
4951 kexch_name0 = "ffdhe4096";
4952 break;
4953 case 10:
4954 kexch_alg = NID_ffdhe6144;
4955 kexch_name0 = "ffdhe6144";
4956 break;
4957 case 11:
4958 kexch_alg = NID_ffdhe8192;
4959 kexch_name0 = "ffdhe8192";
4960 break;
4961# endif
4962 default:
4963 /* We're skipping this test */
4964 return 1;
4965 }
4966
4967 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4968 TLS_client_method(), TLS1_VERSION,
4969 max_version, &sctx, &cctx, cert,
4970 privkey)))
4971 goto end;
4972
4973 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4974 TLS1_3_RFC_AES_128_GCM_SHA256)))
4975 goto end;
4976
4977 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4978 TLS1_3_RFC_AES_128_GCM_SHA256)))
4979 goto end;
4980
4981 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4982 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4983 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4984 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4985 goto end;
4986
4987 /*
4988 * Must include an EC ciphersuite so that we send supported groups in
4989 * TLSv1.2
4990 */
4991# ifndef OPENSSL_NO_TLS1_2
4992 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4993 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4994 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4995 goto end;
4996# endif
4997
4998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4999 NULL, NULL)))
5000 goto end;
5001
5002 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5003 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5004 goto end;
5005
5006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5007 goto end;
5008
5009 /*
5010 * If Handshake succeeds the negotiated kexch alg should be the first one in
5011 * configured, except in the case of FFDHE groups (idx 13), which are
5012 * TLSv1.3 only so we expect no shared group to exist.
5013 */
5014 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5015 idx == 13 ? 0 : kexch_groups[0]))
5016 goto end;
5017
5018 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5019 kexch_name0))
5020 goto end;
5021
5022 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5023 if (idx != 13) {
5024 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5025 goto end;
5026 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5027 goto end;
5028 }
5029
5030 testresult = 1;
5031 end:
5032 SSL_free(serverssl);
5033 SSL_free(clientssl);
5034 SSL_CTX_free(sctx);
5035 SSL_CTX_free(cctx);
5036 return testresult;
5037}
5038
5039# if !defined(OPENSSL_NO_TLS1_2) \
5040 && !defined(OPENSSL_NO_EC) \
5041 && !defined(OPENSSL_NO_DH)
5042static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5043 int isecdhe, int idx)
5044{
5045 int kexch_alg;
5046 int *kexch_groups = &kexch_alg;
5047 int numec, numff;
5048
5049 numec = OSSL_NELEM(ecdhe_kexch_groups);
5050 numff = OSSL_NELEM(ffdhe_kexch_groups);
5051 if (isecdhe)
5052 kexch_alg = ecdhe_kexch_groups[idx];
5053 else
5054 kexch_alg = ffdhe_kexch_groups[idx];
5055
5056 if (clientmulti) {
5057 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5058 return 0;
5059 if (isecdhe) {
5060 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5061 numec)))
5062 return 0;
5063 } else {
5064 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5065 numff)))
5066 return 0;
5067 }
5068 } else {
5069 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5070 return 0;
5071 if (isecdhe) {
5072 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5073 numec)))
5074 return 0;
5075 } else {
5076 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5077 numff)))
5078 return 0;
5079 }
5080 }
5081 return 1;
5082}
5083
5084/*-
5085 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5086 * Run through both the ECDHE and FFDHE group lists used in the previous
5087 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5088 * confirming the expected result; then perform a resumption handshake
5089 * while offering the same group list, and another resumption handshake
5090 * offering a different group list. The returned value should be the
5091 * negotiated group for the initial handshake; for TLS 1.3 resumption
5092 * handshakes the returned value will be negotiated on the resumption
5093 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5094 * be cached in the session from the original handshake, regardless of what
5095 * was offered in the resumption ClientHello.
5096 *
5097 * Using E for the number of EC groups and F for the number of FF groups:
5098 * E tests of ECDHE with TLS 1.3, server only has one group
5099 * F tests of FFDHE with TLS 1.3, server only has one group
5100 * E tests of ECDHE with TLS 1.2, server only has one group
5101 * F tests of FFDHE with TLS 1.2, server only has one group
5102 * E tests of ECDHE with TLS 1.3, client sends only one group
5103 * F tests of FFDHE with TLS 1.3, client sends only one group
5104 * E tests of ECDHE with TLS 1.2, client sends only one group
5105 * F tests of FFDHE with TLS 1.2, client sends only one group
5106 */
5107static int test_negotiated_group(int idx)
5108{
5109 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5110 int expectednid;
5111 SSL_CTX *sctx = NULL, *cctx = NULL;
5112 SSL *serverssl = NULL, *clientssl = NULL;
5113 SSL_SESSION *origsess = NULL;
5114 int testresult = 0;
5115 int kexch_alg;
5116 int max_version = TLS1_3_VERSION;
5117
5118 numec = OSSL_NELEM(ecdhe_kexch_groups);
5119 numff = OSSL_NELEM(ffdhe_kexch_groups);
5120 numgroups = numec + numff;
5121 clientmulti = (idx < 2 * numgroups);
5122 idx = idx % (2 * numgroups);
5123 istls13 = (idx < numgroups);
5124 idx = idx % numgroups;
5125 isecdhe = (idx < numec);
5126 if (!isecdhe)
5127 idx -= numec;
5128 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5129 if (isecdhe)
5130 kexch_alg = ecdhe_kexch_groups[idx];
5131 else
5132 kexch_alg = ffdhe_kexch_groups[idx];
5133 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5134 if (!istls13 && !isecdhe)
5135 expectednid = NID_undef;
5136 else
5137 expectednid = kexch_alg;
5138
5139 if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5140 return TEST_skip("X25519 and X448 might not be available in fips provider.");
5141
5142 if (!istls13)
5143 max_version = TLS1_2_VERSION;
5144
5145 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5146 TLS_client_method(), TLS1_VERSION,
5147 max_version, &sctx, &cctx, cert,
5148 privkey)))
5149 goto end;
5150
5151 /*
5152 * Force (EC)DHE ciphers for TLS 1.2.
5153 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5154 */
5155 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5156 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5157 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5158 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5159 goto end;
5160 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5161 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5162 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5163 goto end;
5164
5165 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5166 NULL, NULL)))
5167 goto end;
5168
5169 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5170 idx)))
5171 goto end;
5172
5173 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5174 goto end;
5175
5176 /* Initial handshake; always the configured one */
5177 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5178 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5179 goto end;
5180
5181 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5182 goto end;
5183
5184 SSL_shutdown(clientssl);
5185 SSL_shutdown(serverssl);
5186 SSL_free(serverssl);
5187 SSL_free(clientssl);
5188 serverssl = clientssl = NULL;
5189
5190 /* First resumption attempt; use the same config as initial handshake */
5191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5192 NULL, NULL))
5193 || !TEST_true(SSL_set_session(clientssl, origsess))
5194 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5195 isecdhe, idx)))
5196 goto end;
5197
5198 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5199 || !TEST_true(SSL_session_reused(clientssl)))
5200 goto end;
5201
5202 /* Still had better agree, since nothing changed... */
5203 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5204 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5205 goto end;
5206
5207 SSL_shutdown(clientssl);
5208 SSL_shutdown(serverssl);
5209 SSL_free(serverssl);
5210 SSL_free(clientssl);
5211 serverssl = clientssl = NULL;
5212
5213 /*-
5214 * Second resumption attempt
5215 * The party that picks one group changes it, which we effectuate by
5216 * changing 'idx' and updating what we expect.
5217 */
5218 if (idx == 0)
5219 idx = 1;
5220 else
5221 idx--;
5222 if (istls13) {
5223 if (isecdhe)
5224 expectednid = ecdhe_kexch_groups[idx];
5225 else
5226 expectednid = ffdhe_kexch_groups[idx];
5227 /* Verify that we are changing what we expect. */
5228 if (!TEST_int_ne(expectednid, kexch_alg))
5229 goto end;
5230 } else {
5231 /* TLS 1.2 only supports named groups for ECDHE. */
5232 if (isecdhe)
5233 expectednid = kexch_alg;
5234 else
5235 expectednid = 0;
5236 }
5237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5238 NULL, NULL))
5239 || !TEST_true(SSL_set_session(clientssl, origsess))
5240 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5241 isecdhe, idx)))
5242 goto end;
5243
5244 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5245 || !TEST_true(SSL_session_reused(clientssl)))
5246 goto end;
5247
5248 /* Check that we get what we expected */
5249 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5250 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5251 goto end;
5252
5253 testresult = 1;
5254 end:
5255 SSL_free(serverssl);
5256 SSL_free(clientssl);
5257 SSL_CTX_free(sctx);
5258 SSL_CTX_free(cctx);
5259 SSL_SESSION_free(origsess);
5260 return testresult;
5261}
5262# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5263
5264/*
5265 * Test TLSv1.3 Cipher Suite
5266 * Test 0 = Set TLS1.3 cipher on context
5267 * Test 1 = Set TLS1.3 cipher on SSL
5268 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5269 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5270 */
5271static int test_tls13_ciphersuite(int idx)
5272{
5273 SSL_CTX *sctx = NULL, *cctx = NULL;
5274 SSL *serverssl = NULL, *clientssl = NULL;
5275 static const struct {
5276 const char *ciphername;
5277 int fipscapable;
5278 } t13_ciphers[] = {
5279 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5280 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5281 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5282# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5283 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5284 { TLS1_3_RFC_AES_256_GCM_SHA384
5285 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5286# endif
5287 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5288 };
5289 const char *t13_cipher = NULL;
5290 const char *t12_cipher = NULL;
5291 const char *negotiated_scipher;
5292 const char *negotiated_ccipher;
5293 int set_at_ctx = 0;
5294 int set_at_ssl = 0;
5295 int testresult = 0;
5296 int max_ver;
5297 size_t i;
5298
5299 switch (idx) {
5300 case 0:
5301 set_at_ctx = 1;
5302 break;
5303 case 1:
5304 set_at_ssl = 1;
5305 break;
5306 case 2:
5307 set_at_ctx = 1;
5308 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5309 break;
5310 case 3:
5311 set_at_ssl = 1;
5312 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5313 break;
5314 }
5315
5316 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5317# ifdef OPENSSL_NO_TLS1_2
5318 if (max_ver == TLS1_2_VERSION)
5319 continue;
5320# endif
5321 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5322 if (is_fips && !t13_ciphers[i].fipscapable)
5323 continue;
5324 t13_cipher = t13_ciphers[i].ciphername;
5325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5326 TLS_client_method(),
5327 TLS1_VERSION, max_ver,
5328 &sctx, &cctx, cert, privkey)))
5329 goto end;
5330
5331 if (set_at_ctx) {
5332 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5333 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5334 goto end;
5335 if (t12_cipher != NULL) {
5336 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5337 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5338 t12_cipher)))
5339 goto end;
5340 }
5341 }
5342
5343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5344 &clientssl, NULL, NULL)))
5345 goto end;
5346
5347 if (set_at_ssl) {
5348 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5349 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5350 goto end;
5351 if (t12_cipher != NULL) {
5352 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5353 || !TEST_true(SSL_set_cipher_list(clientssl,
5354 t12_cipher)))
5355 goto end;
5356 }
5357 }
5358
5359 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5360 SSL_ERROR_NONE)))
5361 goto end;
5362
5363 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5364 serverssl));
5365 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5366 clientssl));
5367 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5368 goto end;
5369
5370 /*
5371 * TEST_strn_eq is used below because t13_cipher can contain
5372 * multiple ciphersuites
5373 */
5374 if (max_ver == TLS1_3_VERSION
5375 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5376 strlen(negotiated_scipher)))
5377 goto end;
5378
5379# ifndef OPENSSL_NO_TLS1_2
5380 /* Below validation is not done when t12_cipher is NULL */
5381 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5382 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5383 goto end;
5384# endif
5385
5386 SSL_free(serverssl);
5387 serverssl = NULL;
5388 SSL_free(clientssl);
5389 clientssl = NULL;
5390 SSL_CTX_free(sctx);
5391 sctx = NULL;
5392 SSL_CTX_free(cctx);
5393 cctx = NULL;
5394 }
5395 }
5396
5397 testresult = 1;
5398 end:
5399 SSL_free(serverssl);
5400 SSL_free(clientssl);
5401 SSL_CTX_free(sctx);
5402 SSL_CTX_free(cctx);
5403 return testresult;
5404}
5405
5406/*
5407 * Test TLSv1.3 PSKs
5408 * Test 0 = Test new style callbacks
5409 * Test 1 = Test both new and old style callbacks
5410 * Test 2 = Test old style callbacks
5411 * Test 3 = Test old style callbacks with no certificate
5412 */
5413static int test_tls13_psk(int idx)
5414{
5415 SSL_CTX *sctx = NULL, *cctx = NULL;
5416 SSL *serverssl = NULL, *clientssl = NULL;
5417 const SSL_CIPHER *cipher = NULL;
5418 const unsigned char key[] = {
5419 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5420 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5421 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5422 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5423 };
5424 int testresult = 0;
5425
5426 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5427 TLS_client_method(), TLS1_VERSION, 0,
5428 &sctx, &cctx, idx == 3 ? NULL : cert,
5429 idx == 3 ? NULL : privkey)))
5430 goto end;
5431
5432 if (idx != 3) {
5433 /*
5434 * We use a ciphersuite with SHA256 to ease testing old style PSK
5435 * callbacks which will always default to SHA256. This should not be
5436 * necessary if we have no cert/priv key. In that case the server should
5437 * prefer SHA256 automatically.
5438 */
5439 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5440 "TLS_AES_128_GCM_SHA256")))
5441 goto end;
5442 } else {
5443 /*
5444 * As noted above the server should prefer SHA256 automatically. However
5445 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5446 * code works even if we are testing with only the FIPS provider loaded.
5447 */
5448 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5449 "TLS_AES_256_GCM_SHA384:"
5450 "TLS_AES_128_GCM_SHA256")))
5451 goto end;
5452 }
5453
5454 /*
5455 * Test 0: New style callbacks only
5456 * Test 1: New and old style callbacks (only the new ones should be used)
5457 * Test 2: Old style callbacks only
5458 */
5459 if (idx == 0 || idx == 1) {
5460 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5461 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5462 }
5463#ifndef OPENSSL_NO_PSK
5464 if (idx >= 1) {
5465 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5466 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5467 }
5468#endif
5469 srvid = pskid;
5470 use_session_cb_cnt = 0;
5471 find_session_cb_cnt = 0;
5472 psk_client_cb_cnt = 0;
5473 psk_server_cb_cnt = 0;
5474
5475 if (idx != 3) {
5476 /*
5477 * Check we can create a connection if callback decides not to send a
5478 * PSK
5479 */
5480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5481 NULL, NULL))
5482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5483 SSL_ERROR_NONE))
5484 || !TEST_false(SSL_session_reused(clientssl))
5485 || !TEST_false(SSL_session_reused(serverssl)))
5486 goto end;
5487
5488 if (idx == 0 || idx == 1) {
5489 if (!TEST_true(use_session_cb_cnt == 1)
5490 || !TEST_true(find_session_cb_cnt == 0)
5491 /*
5492 * If no old style callback then below should be 0
5493 * otherwise 1
5494 */
5495 || !TEST_true(psk_client_cb_cnt == idx)
5496 || !TEST_true(psk_server_cb_cnt == 0))
5497 goto end;
5498 } else {
5499 if (!TEST_true(use_session_cb_cnt == 0)
5500 || !TEST_true(find_session_cb_cnt == 0)
5501 || !TEST_true(psk_client_cb_cnt == 1)
5502 || !TEST_true(psk_server_cb_cnt == 0))
5503 goto end;
5504 }
5505
5506 shutdown_ssl_connection(serverssl, clientssl);
5507 serverssl = clientssl = NULL;
5508 use_session_cb_cnt = psk_client_cb_cnt = 0;
5509 }
5510
5511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5512 NULL, NULL)))
5513 goto end;
5514
5515 /* Create the PSK */
5516 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5517 clientpsk = SSL_SESSION_new();
5518 if (!TEST_ptr(clientpsk)
5519 || !TEST_ptr(cipher)
5520 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5521 sizeof(key)))
5522 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5523 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5524 TLS1_3_VERSION))
5525 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5526 goto end;
5527 serverpsk = clientpsk;
5528
5529 /* Check we can create a connection and the PSK is used */
5530 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5531 || !TEST_true(SSL_session_reused(clientssl))
5532 || !TEST_true(SSL_session_reused(serverssl)))
5533 goto end;
5534
5535 if (idx == 0 || idx == 1) {
5536 if (!TEST_true(use_session_cb_cnt == 1)
5537 || !TEST_true(find_session_cb_cnt == 1)
5538 || !TEST_true(psk_client_cb_cnt == 0)
5539 || !TEST_true(psk_server_cb_cnt == 0))
5540 goto end;
5541 } else {
5542 if (!TEST_true(use_session_cb_cnt == 0)
5543 || !TEST_true(find_session_cb_cnt == 0)
5544 || !TEST_true(psk_client_cb_cnt == 1)
5545 || !TEST_true(psk_server_cb_cnt == 1))
5546 goto end;
5547 }
5548
5549 shutdown_ssl_connection(serverssl, clientssl);
5550 serverssl = clientssl = NULL;
5551 use_session_cb_cnt = find_session_cb_cnt = 0;
5552 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5553
5554 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5555 NULL, NULL)))
5556 goto end;
5557
5558 /* Force an HRR */
5559#if defined(OPENSSL_NO_EC)
5560 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5561 goto end;
5562#else
5563 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5564 goto end;
5565#endif
5566
5567 /*
5568 * Check we can create a connection, the PSK is used and the callbacks are
5569 * called twice.
5570 */
5571 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5572 || !TEST_true(SSL_session_reused(clientssl))
5573 || !TEST_true(SSL_session_reused(serverssl)))
5574 goto end;
5575
5576 if (idx == 0 || idx == 1) {
5577 if (!TEST_true(use_session_cb_cnt == 2)
5578 || !TEST_true(find_session_cb_cnt == 2)
5579 || !TEST_true(psk_client_cb_cnt == 0)
5580 || !TEST_true(psk_server_cb_cnt == 0))
5581 goto end;
5582 } else {
5583 if (!TEST_true(use_session_cb_cnt == 0)
5584 || !TEST_true(find_session_cb_cnt == 0)
5585 || !TEST_true(psk_client_cb_cnt == 2)
5586 || !TEST_true(psk_server_cb_cnt == 2))
5587 goto end;
5588 }
5589
5590 shutdown_ssl_connection(serverssl, clientssl);
5591 serverssl = clientssl = NULL;
5592 use_session_cb_cnt = find_session_cb_cnt = 0;
5593 psk_client_cb_cnt = psk_server_cb_cnt = 0;
5594
5595 if (idx != 3) {
5596 /*
5597 * Check that if the server rejects the PSK we can still connect, but with
5598 * a full handshake
5599 */
5600 srvid = "Dummy Identity";
5601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5602 NULL, NULL))
5603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5604 SSL_ERROR_NONE))
5605 || !TEST_false(SSL_session_reused(clientssl))
5606 || !TEST_false(SSL_session_reused(serverssl)))
5607 goto end;
5608
5609 if (idx == 0 || idx == 1) {
5610 if (!TEST_true(use_session_cb_cnt == 1)
5611 || !TEST_true(find_session_cb_cnt == 1)
5612 || !TEST_true(psk_client_cb_cnt == 0)
5613 /*
5614 * If no old style callback then below should be 0
5615 * otherwise 1
5616 */
5617 || !TEST_true(psk_server_cb_cnt == idx))
5618 goto end;
5619 } else {
5620 if (!TEST_true(use_session_cb_cnt == 0)
5621 || !TEST_true(find_session_cb_cnt == 0)
5622 || !TEST_true(psk_client_cb_cnt == 1)
5623 || !TEST_true(psk_server_cb_cnt == 1))
5624 goto end;
5625 }
5626
5627 shutdown_ssl_connection(serverssl, clientssl);
5628 serverssl = clientssl = NULL;
5629 }
5630 testresult = 1;
5631
5632 end:
5633 SSL_SESSION_free(clientpsk);
5634 SSL_SESSION_free(serverpsk);
5635 clientpsk = serverpsk = NULL;
5636 SSL_free(serverssl);
5637 SSL_free(clientssl);
5638 SSL_CTX_free(sctx);
5639 SSL_CTX_free(cctx);
5640 return testresult;
5641}
5642
5643static unsigned char cookie_magic_value[] = "cookie magic";
5644
5645static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5646 unsigned int *cookie_len)
5647{
5648 /*
5649 * Not suitable as a real cookie generation function but good enough for
5650 * testing!
5651 */
5652 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5653 *cookie_len = sizeof(cookie_magic_value) - 1;
5654
5655 return 1;
5656}
5657
5658static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5659 unsigned int cookie_len)
5660{
5661 if (cookie_len == sizeof(cookie_magic_value) - 1
5662 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5663 return 1;
5664
5665 return 0;
5666}
5667
5668static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5669 size_t *cookie_len)
5670{
5671 unsigned int temp;
5672 int res = generate_cookie_callback(ssl, cookie, &temp);
5673 *cookie_len = temp;
5674 return res;
5675}
5676
5677static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5678 size_t cookie_len)
5679{
5680 return verify_cookie_callback(ssl, cookie, cookie_len);
5681}
5682
5683static int test_stateless(void)
5684{
5685 SSL_CTX *sctx = NULL, *cctx = NULL;
5686 SSL *serverssl = NULL, *clientssl = NULL;
5687 int testresult = 0;
5688
5689 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5690 TLS_client_method(), TLS1_VERSION, 0,
5691 &sctx, &cctx, cert, privkey)))
5692 goto end;
5693
5694 /* The arrival of CCS messages can confuse the test */
5695 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5696
5697 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5698 NULL, NULL))
5699 /* Send the first ClientHello */
5700 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5701 SSL_ERROR_WANT_READ))
5702 /*
5703 * This should fail with a -1 return because we have no callbacks
5704 * set up
5705 */
5706 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5707 goto end;
5708
5709 /* Fatal error so abandon the connection from this client */
5710 SSL_free(clientssl);
5711 clientssl = NULL;
5712
5713 /* Set up the cookie generation and verification callbacks */
5714 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5715 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5716
5717 /*
5718 * Create a new connection from the client (we can reuse the server SSL
5719 * object).
5720 */
5721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5722 NULL, NULL))
5723 /* Send the first ClientHello */
5724 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5725 SSL_ERROR_WANT_READ))
5726 /* This should fail because there is no cookie */
5727 || !TEST_int_eq(SSL_stateless(serverssl), 0))
5728 goto end;
5729
5730 /* Abandon the connection from this client */
5731 SSL_free(clientssl);
5732 clientssl = NULL;
5733
5734 /*
5735 * Now create a connection from a new client but with the same server SSL
5736 * object
5737 */
5738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5739 NULL, NULL))
5740 /* Send the first ClientHello */
5741 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5742 SSL_ERROR_WANT_READ))
5743 /* This should fail because there is no cookie */
5744 || !TEST_int_eq(SSL_stateless(serverssl), 0)
5745 /* Send the second ClientHello */
5746 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5747 SSL_ERROR_WANT_READ))
5748 /* This should succeed because a cookie is now present */
5749 || !TEST_int_eq(SSL_stateless(serverssl), 1)
5750 /* Complete the connection */
5751 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5752 SSL_ERROR_NONE)))
5753 goto end;
5754
5755 shutdown_ssl_connection(serverssl, clientssl);
5756 serverssl = clientssl = NULL;
5757 testresult = 1;
5758
5759 end:
5760 SSL_free(serverssl);
5761 SSL_free(clientssl);
5762 SSL_CTX_free(sctx);
5763 SSL_CTX_free(cctx);
5764 return testresult;
5765
5766}
5767#endif /* OSSL_NO_USABLE_TLS1_3 */
5768
5769static int clntaddoldcb = 0;
5770static int clntparseoldcb = 0;
5771static int srvaddoldcb = 0;
5772static int srvparseoldcb = 0;
5773static int clntaddnewcb = 0;
5774static int clntparsenewcb = 0;
5775static int srvaddnewcb = 0;
5776static int srvparsenewcb = 0;
5777static int snicb = 0;
5778
5779#define TEST_EXT_TYPE1 0xff00
5780
5781static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5782 size_t *outlen, int *al, void *add_arg)
5783{
5784 int *server = (int *)add_arg;
5785 unsigned char *data;
5786
5787 if (SSL_is_server(s))
5788 srvaddoldcb++;
5789 else
5790 clntaddoldcb++;
5791
5792 if (*server != SSL_is_server(s)
5793 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5794 return -1;
5795
5796 *data = 1;
5797 *out = data;
5798 *outlen = sizeof(char);
5799 return 1;
5800}
5801
5802static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5803 void *add_arg)
5804{
5805 OPENSSL_free((unsigned char *)out);
5806}
5807
5808static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5809 size_t inlen, int *al, void *parse_arg)
5810{
5811 int *server = (int *)parse_arg;
5812
5813 if (SSL_is_server(s))
5814 srvparseoldcb++;
5815 else
5816 clntparseoldcb++;
5817
5818 if (*server != SSL_is_server(s)
5819 || inlen != sizeof(char)
5820 || *in != 1)
5821 return -1;
5822
5823 return 1;
5824}
5825
5826static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5827 const unsigned char **out, size_t *outlen, X509 *x,
5828 size_t chainidx, int *al, void *add_arg)
5829{
5830 int *server = (int *)add_arg;
5831 unsigned char *data;
5832
5833 if (SSL_is_server(s))
5834 srvaddnewcb++;
5835 else
5836 clntaddnewcb++;
5837
5838 if (*server != SSL_is_server(s)
5839 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5840 return -1;
5841
5842 *data = 1;
5843 *out = data;
5844 *outlen = sizeof(*data);
5845 return 1;
5846}
5847
5848static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5849 const unsigned char *out, void *add_arg)
5850{
5851 OPENSSL_free((unsigned char *)out);
5852}
5853
5854static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5855 const unsigned char *in, size_t inlen, X509 *x,
5856 size_t chainidx, int *al, void *parse_arg)
5857{
5858 int *server = (int *)parse_arg;
5859
5860 if (SSL_is_server(s))
5861 srvparsenewcb++;
5862 else
5863 clntparsenewcb++;
5864
5865 if (*server != SSL_is_server(s)
5866 || inlen != sizeof(char) || *in != 1)
5867 return -1;
5868
5869 return 1;
5870}
5871
5872static int sni_cb(SSL *s, int *al, void *arg)
5873{
5874 SSL_CTX *ctx = (SSL_CTX *)arg;
5875
5876 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5877 *al = SSL_AD_INTERNAL_ERROR;
5878 return SSL_TLSEXT_ERR_ALERT_FATAL;
5879 }
5880 snicb++;
5881 return SSL_TLSEXT_ERR_OK;
5882}
5883
5884static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5885{
5886 return 1;
5887}
5888
5889/*
5890 * Custom call back tests.
5891 * Test 0: Old style callbacks in TLSv1.2
5892 * Test 1: New style callbacks in TLSv1.2
5893 * Test 2: New style callbacks in TLSv1.2 with SNI
5894 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5895 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5896 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5897 */
5898static int test_custom_exts(int tst)
5899{
5900 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5901 SSL *clientssl = NULL, *serverssl = NULL;
5902 int testresult = 0;
5903 static int server = 1;
5904 static int client = 0;
5905 SSL_SESSION *sess = NULL;
5906 unsigned int context;
5907
5908#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5909 /* Skip tests for TLSv1.2 and below in this case */
5910 if (tst < 3)
5911 return 1;
5912#endif
5913
5914 /* Reset callback counters */
5915 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5916 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5917 snicb = 0;
5918
5919 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5920 TLS_client_method(), TLS1_VERSION, 0,
5921 &sctx, &cctx, cert, privkey)))
5922 goto end;
5923
5924 if (tst == 2
5925 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5926 TLS1_VERSION, 0,
5927 &sctx2, NULL, cert, privkey)))
5928 goto end;
5929
5930
5931 if (tst < 3) {
5932 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5933 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5934 if (sctx2 != NULL)
5935 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5936 }
5937
5938 if (tst == 5) {
5939 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5940 | SSL_EXT_TLS1_3_CERTIFICATE;
5941 SSL_CTX_set_verify(sctx,
5942 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5943 verify_cb);
5944 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5945 SSL_FILETYPE_PEM), 1)
5946 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5947 SSL_FILETYPE_PEM), 1)
5948 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5949 goto end;
5950 } else if (tst == 4) {
5951 context = SSL_EXT_CLIENT_HELLO
5952 | SSL_EXT_TLS1_2_SERVER_HELLO
5953 | SSL_EXT_TLS1_3_SERVER_HELLO
5954 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5955 | SSL_EXT_TLS1_3_CERTIFICATE
5956 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5957 } else {
5958 context = SSL_EXT_CLIENT_HELLO
5959 | SSL_EXT_TLS1_2_SERVER_HELLO
5960 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5961 }
5962
5963 /* Create a client side custom extension */
5964 if (tst == 0) {
5965 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5966 old_add_cb, old_free_cb,
5967 &client, old_parse_cb,
5968 &client)))
5969 goto end;
5970 } else {
5971 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5972 new_add_cb, new_free_cb,
5973 &client, new_parse_cb, &client)))
5974 goto end;
5975 }
5976
5977 /* Should not be able to add duplicates */
5978 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5979 old_add_cb, old_free_cb,
5980 &client, old_parse_cb,
5981 &client))
5982 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5983 context, new_add_cb,
5984 new_free_cb, &client,
5985 new_parse_cb, &client)))
5986 goto end;
5987
5988 /* Create a server side custom extension */
5989 if (tst == 0) {
5990 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5991 old_add_cb, old_free_cb,
5992 &server, old_parse_cb,
5993 &server)))
5994 goto end;
5995 } else {
5996 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5997 new_add_cb, new_free_cb,
5998 &server, new_parse_cb, &server)))
5999 goto end;
6000 if (sctx2 != NULL
6001 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6002 context, new_add_cb,
6003 new_free_cb, &server,
6004 new_parse_cb, &server)))
6005 goto end;
6006 }
6007
6008 /* Should not be able to add duplicates */
6009 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6010 old_add_cb, old_free_cb,
6011 &server, old_parse_cb,
6012 &server))
6013 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6014 context, new_add_cb,
6015 new_free_cb, &server,
6016 new_parse_cb, &server)))
6017 goto end;
6018
6019 if (tst == 2) {
6020 /* Set up SNI */
6021 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6022 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6023 goto end;
6024 }
6025
6026 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6027 &clientssl, NULL, NULL))
6028 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6029 SSL_ERROR_NONE)))
6030 goto end;
6031
6032 if (tst == 0) {
6033 if (clntaddoldcb != 1
6034 || clntparseoldcb != 1
6035 || srvaddoldcb != 1
6036 || srvparseoldcb != 1)
6037 goto end;
6038 } else if (tst == 1 || tst == 2 || tst == 3) {
6039 if (clntaddnewcb != 1
6040 || clntparsenewcb != 1
6041 || srvaddnewcb != 1
6042 || srvparsenewcb != 1
6043 || (tst != 2 && snicb != 0)
6044 || (tst == 2 && snicb != 1))
6045 goto end;
6046 } else if (tst == 5) {
6047 if (clntaddnewcb != 1
6048 || clntparsenewcb != 1
6049 || srvaddnewcb != 1
6050 || srvparsenewcb != 1)
6051 goto end;
6052 } else {
6053 /* In this case there 2 NewSessionTicket messages created */
6054 if (clntaddnewcb != 1
6055 || clntparsenewcb != 5
6056 || srvaddnewcb != 5
6057 || srvparsenewcb != 1)
6058 goto end;
6059 }
6060
6061 sess = SSL_get1_session(clientssl);
6062 SSL_shutdown(clientssl);
6063 SSL_shutdown(serverssl);
6064 SSL_free(serverssl);
6065 SSL_free(clientssl);
6066 serverssl = clientssl = NULL;
6067
6068 if (tst == 3 || tst == 5) {
6069 /* We don't bother with the resumption aspects for these tests */
6070 testresult = 1;
6071 goto end;
6072 }
6073
6074 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6075 NULL, NULL))
6076 || !TEST_true(SSL_set_session(clientssl, sess))
6077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6078 SSL_ERROR_NONE)))
6079 goto end;
6080
6081 /*
6082 * For a resumed session we expect to add the ClientHello extension. For the
6083 * old style callbacks we ignore it on the server side because they set
6084 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6085 * them.
6086 */
6087 if (tst == 0) {
6088 if (clntaddoldcb != 2
6089 || clntparseoldcb != 1
6090 || srvaddoldcb != 1
6091 || srvparseoldcb != 1)
6092 goto end;
6093 } else if (tst == 1 || tst == 2 || tst == 3) {
6094 if (clntaddnewcb != 2
6095 || clntparsenewcb != 2
6096 || srvaddnewcb != 2
6097 || srvparsenewcb != 2)
6098 goto end;
6099 } else {
6100 /*
6101 * No Certificate message extensions in the resumption handshake,
6102 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6103 */
6104 if (clntaddnewcb != 2
6105 || clntparsenewcb != 8
6106 || srvaddnewcb != 8
6107 || srvparsenewcb != 2)
6108 goto end;
6109 }
6110
6111 testresult = 1;
6112
6113end:
6114 SSL_SESSION_free(sess);
6115 SSL_free(serverssl);
6116 SSL_free(clientssl);
6117 SSL_CTX_free(sctx2);
6118 SSL_CTX_free(sctx);
6119 SSL_CTX_free(cctx);
6120 return testresult;
6121}
6122
6123#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6124
6125#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6126 | SSL_EXT_CLIENT_HELLO \
6127 | SSL_EXT_TLS1_2_SERVER_HELLO \
6128 | SSL_EXT_IGNORE_ON_RESUMPTION)
6129
6130#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6131 | SSL_EXT_TLS1_2_SERVER_HELLO \
6132 | SSL_EXT_CLIENT_HELLO)
6133
6134#define SERVERINFO_CUSTOM \
6135 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6136 0x00, 0x03, \
6137 0x04, 0x05, 0x06 \
6138
6139static const unsigned char serverinfo_custom_tls13[] = {
6140 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6141 SERVERINFO_CUSTOM
6142};
6143static const unsigned char serverinfo_custom_v2[] = {
6144 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6145 SERVERINFO_CUSTOM
6146};
6147static const unsigned char serverinfo_custom_v1[] = {
6148 SERVERINFO_CUSTOM
6149};
6150static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6151static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6152static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6153
6154static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6155 unsigned int context,
6156 const unsigned char *in,
6157 size_t inlen, X509 *x,
6158 size_t chainidx, int *al,
6159 void *parse_arg)
6160{
6161 const size_t len = serverinfo_custom_v1_len;
6162 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6163 int *p_cb_result = (int*)parse_arg;
6164 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6165 return 1;
6166}
6167
6168static int test_serverinfo_custom(const int idx)
6169{
6170 SSL_CTX *sctx = NULL, *cctx = NULL;
6171 SSL *clientssl = NULL, *serverssl = NULL;
6172 int testresult = 0;
6173 int cb_result = 0;
6174
6175 /*
6176 * Following variables are set in the switch statement
6177 * according to the test iteration.
6178 * Default values do not make much sense: test would fail with them.
6179 */
6180 int serverinfo_version = 0;
6181 int protocol_version = 0;
6182 unsigned int extension_context = 0;
6183 const unsigned char *si = NULL;
6184 size_t si_len = 0;
6185
6186 const int call_use_serverinfo_ex = idx > 0;
6187 switch (idx) {
6188 case 0: /* FALLTHROUGH */
6189 case 1:
6190 serverinfo_version = SSL_SERVERINFOV1;
6191 protocol_version = TLS1_2_VERSION;
6192 extension_context = SYNTHV1CONTEXT;
6193 si = serverinfo_custom_v1;
6194 si_len = serverinfo_custom_v1_len;
6195 break;
6196 case 2:
6197 serverinfo_version = SSL_SERVERINFOV2;
6198 protocol_version = TLS1_2_VERSION;
6199 extension_context = SYNTHV1CONTEXT;
6200 si = serverinfo_custom_v2;
6201 si_len = serverinfo_custom_v2_len;
6202 break;
6203 case 3:
6204 serverinfo_version = SSL_SERVERINFOV2;
6205 protocol_version = TLS1_3_VERSION;
6206 extension_context = TLS13CONTEXT;
6207 si = serverinfo_custom_tls13;
6208 si_len = serverinfo_custom_tls13_len;
6209 break;
6210 }
6211
6212 if (!TEST_true(create_ssl_ctx_pair(libctx,
6213 TLS_method(),
6214 TLS_method(),
6215 protocol_version,
6216 protocol_version,
6217 &sctx, &cctx, cert, privkey)))
6218 goto end;
6219
6220 if (call_use_serverinfo_ex) {
6221 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6222 si, si_len)))
6223 goto end;
6224 } else {
6225 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6226 goto end;
6227 }
6228
6229 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6230 extension_context,
6231 NULL, NULL, NULL,
6232 serverinfo_custom_parse_cb,
6233 &cb_result))
6234 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6235 NULL, NULL))
6236 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6237 SSL_ERROR_NONE))
6238 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6239 goto end;
6240
6241 if (!TEST_true(cb_result))
6242 goto end;
6243
6244 testresult = 1;
6245
6246 end:
6247 SSL_free(serverssl);
6248 SSL_free(clientssl);
6249 SSL_CTX_free(sctx);
6250 SSL_CTX_free(cctx);
6251
6252 return testresult;
6253}
6254#endif
6255
6256/*
6257 * Test that SSL_export_keying_material() produces expected results. There are
6258 * no test vectors so all we do is test that both sides of the communication
6259 * produce the same results for different protocol versions.
6260 */
6261#define SMALL_LABEL_LEN 10
6262#define LONG_LABEL_LEN 249
6263static int test_export_key_mat(int tst)
6264{
6265 int testresult = 0;
6266 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6267 SSL *clientssl = NULL, *serverssl = NULL;
6268 const char label[LONG_LABEL_LEN + 1] = "test label";
6269 const unsigned char context[] = "context";
6270 const unsigned char *emptycontext = NULL;
6271 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6272 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6273 size_t labellen;
6274 const int protocols[] = {
6275 TLS1_VERSION,
6276 TLS1_1_VERSION,
6277 TLS1_2_VERSION,
6278 TLS1_3_VERSION,
6279 TLS1_3_VERSION,
6280 TLS1_3_VERSION
6281 };
6282
6283#ifdef OPENSSL_NO_TLS1
6284 if (tst == 0)
6285 return 1;
6286#endif
6287#ifdef OPENSSL_NO_TLS1_1
6288 if (tst == 1)
6289 return 1;
6290#endif
6291 if (is_fips && (tst == 0 || tst == 1))
6292 return 1;
6293#ifdef OPENSSL_NO_TLS1_2
6294 if (tst == 2)
6295 return 1;
6296#endif
6297#ifdef OSSL_NO_USABLE_TLS1_3
6298 if (tst >= 3)
6299 return 1;
6300#endif
6301 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6302 TLS_client_method(), TLS1_VERSION, 0,
6303 &sctx, &cctx, cert, privkey)))
6304 goto end;
6305
6306 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6307 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6308 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6309 if ((protocols[tst] < TLS1_2_VERSION) &&
6310 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6311 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6312 goto end;
6313
6314 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6315 NULL)))
6316 goto end;
6317
6318 /*
6319 * Premature call of SSL_export_keying_material should just fail.
6320 */
6321 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6322 sizeof(ckeymat1), label,
6323 SMALL_LABEL_LEN + 1, context,
6324 sizeof(context) - 1, 1), 0))
6325 goto end;
6326
6327 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6328 SSL_ERROR_NONE)))
6329 goto end;
6330
6331 if (tst == 5) {
6332 /*
6333 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6334 * go over that.
6335 */
6336 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6337 sizeof(ckeymat1), label,
6338 LONG_LABEL_LEN + 1, context,
6339 sizeof(context) - 1, 1), 0))
6340 goto end;
6341
6342 testresult = 1;
6343 goto end;
6344 } else if (tst == 4) {
6345 labellen = LONG_LABEL_LEN;
6346 } else {
6347 labellen = SMALL_LABEL_LEN;
6348 }
6349
6350 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6351 sizeof(ckeymat1), label,
6352 labellen, context,
6353 sizeof(context) - 1, 1), 1)
6354 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6355 sizeof(ckeymat2), label,
6356 labellen,
6357 emptycontext,
6358 0, 1), 1)
6359 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6360 sizeof(ckeymat3), label,
6361 labellen,
6362 NULL, 0, 0), 1)
6363 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6364 sizeof(skeymat1), label,
6365 labellen,
6366 context,
6367 sizeof(context) -1, 1),
6368 1)
6369 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6370 sizeof(skeymat2), label,
6371 labellen,
6372 emptycontext,
6373 0, 1), 1)
6374 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6375 sizeof(skeymat3), label,
6376 labellen,
6377 NULL, 0, 0), 1)
6378 /*
6379 * Check that both sides created the same key material with the
6380 * same context.
6381 */
6382 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6383 sizeof(skeymat1))
6384 /*
6385 * Check that both sides created the same key material with an
6386 * empty context.
6387 */
6388 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6389 sizeof(skeymat2))
6390 /*
6391 * Check that both sides created the same key material without a
6392 * context.
6393 */
6394 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6395 sizeof(skeymat3))
6396 /* Different contexts should produce different results */
6397 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6398 sizeof(ckeymat2)))
6399 goto end;
6400
6401 /*
6402 * Check that an empty context and no context produce different results in
6403 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6404 */
6405 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6406 sizeof(ckeymat3)))
6407 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6408 sizeof(ckeymat3))))
6409 goto end;
6410
6411 testresult = 1;
6412
6413 end:
6414 SSL_free(serverssl);
6415 SSL_free(clientssl);
6416 SSL_CTX_free(sctx2);
6417 SSL_CTX_free(sctx);
6418 SSL_CTX_free(cctx);
6419
6420 return testresult;
6421}
6422
6423#ifndef OSSL_NO_USABLE_TLS1_3
6424/*
6425 * Test that SSL_export_keying_material_early() produces expected
6426 * results. There are no test vectors so all we do is test that both
6427 * sides of the communication produce the same results for different
6428 * protocol versions.
6429 */
6430static int test_export_key_mat_early(int idx)
6431{
6432 static const char label[] = "test label";
6433 static const unsigned char context[] = "context";
6434 int testresult = 0;
6435 SSL_CTX *cctx = NULL, *sctx = NULL;
6436 SSL *clientssl = NULL, *serverssl = NULL;
6437 SSL_SESSION *sess = NULL;
6438 const unsigned char *emptycontext = NULL;
6439 unsigned char ckeymat1[80], ckeymat2[80];
6440 unsigned char skeymat1[80], skeymat2[80];
6441 unsigned char buf[1];
6442 size_t readbytes, written;
6443
6444 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6445 &sess, idx, SHA384_DIGEST_LENGTH)))
6446 goto end;
6447
6448 /* Here writing 0 length early data is enough. */
6449 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6450 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6451 &readbytes),
6452 SSL_READ_EARLY_DATA_ERROR)
6453 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6454 SSL_EARLY_DATA_ACCEPTED))
6455 goto end;
6456
6457 if (!TEST_int_eq(SSL_export_keying_material_early(
6458 clientssl, ckeymat1, sizeof(ckeymat1), label,
6459 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6460 || !TEST_int_eq(SSL_export_keying_material_early(
6461 clientssl, ckeymat2, sizeof(ckeymat2), label,
6462 sizeof(label) - 1, emptycontext, 0), 1)
6463 || !TEST_int_eq(SSL_export_keying_material_early(
6464 serverssl, skeymat1, sizeof(skeymat1), label,
6465 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6466 || !TEST_int_eq(SSL_export_keying_material_early(
6467 serverssl, skeymat2, sizeof(skeymat2), label,
6468 sizeof(label) - 1, emptycontext, 0), 1)
6469 /*
6470 * Check that both sides created the same key material with the
6471 * same context.
6472 */
6473 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6474 sizeof(skeymat1))
6475 /*
6476 * Check that both sides created the same key material with an
6477 * empty context.
6478 */
6479 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6480 sizeof(skeymat2))
6481 /* Different contexts should produce different results */
6482 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6483 sizeof(ckeymat2)))
6484 goto end;
6485
6486 testresult = 1;
6487
6488 end:
6489 SSL_SESSION_free(sess);
6490 SSL_SESSION_free(clientpsk);
6491 SSL_SESSION_free(serverpsk);
6492 clientpsk = serverpsk = NULL;
6493 SSL_free(serverssl);
6494 SSL_free(clientssl);
6495 SSL_CTX_free(sctx);
6496 SSL_CTX_free(cctx);
6497
6498 return testresult;
6499}
6500
6501#define NUM_KEY_UPDATE_MESSAGES 40
6502/*
6503 * Test KeyUpdate.
6504 */
6505static int test_key_update(void)
6506{
6507 SSL_CTX *cctx = NULL, *sctx = NULL;
6508 SSL *clientssl = NULL, *serverssl = NULL;
6509 int testresult = 0, i, j;
6510 char buf[20];
6511 static char *mess = "A test message";
6512
6513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6514 TLS_client_method(),
6515 TLS1_3_VERSION,
6516 0,
6517 &sctx, &cctx, cert, privkey))
6518 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6519 NULL, NULL))
6520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6521 SSL_ERROR_NONE)))
6522 goto end;
6523
6524 for (j = 0; j < 2; j++) {
6525 /* Send lots of KeyUpdate messages */
6526 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6527 if (!TEST_true(SSL_key_update(clientssl,
6528 (j == 0)
6529 ? SSL_KEY_UPDATE_NOT_REQUESTED
6530 : SSL_KEY_UPDATE_REQUESTED))
6531 || !TEST_true(SSL_do_handshake(clientssl)))
6532 goto end;
6533 }
6534
6535 /* Check that sending and receiving app data is ok */
6536 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6537 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6538 strlen(mess)))
6539 goto end;
6540
6541 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6542 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6543 strlen(mess)))
6544 goto end;
6545 }
6546
6547 testresult = 1;
6548
6549 end:
6550 SSL_free(serverssl);
6551 SSL_free(clientssl);
6552 SSL_CTX_free(sctx);
6553 SSL_CTX_free(cctx);
6554
6555 return testresult;
6556}
6557
6558/*
6559 * Test we can handle a KeyUpdate (update requested) message while
6560 * write data is pending in peer.
6561 * Test 0: Client sends KeyUpdate while Server is writing
6562 * Test 1: Server sends KeyUpdate while Client is writing
6563 */
6564static int test_key_update_peer_in_write(int tst)
6565{
6566 SSL_CTX *cctx = NULL, *sctx = NULL;
6567 SSL *clientssl = NULL, *serverssl = NULL;
6568 int testresult = 0;
6569 char buf[20];
6570 static char *mess = "A test message";
6571 BIO *bretry = BIO_new(bio_s_always_retry());
6572 BIO *tmp = NULL;
6573 SSL *peerupdate = NULL, *peerwrite = NULL;
6574
6575 if (!TEST_ptr(bretry)
6576 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6577 TLS_client_method(),
6578 TLS1_3_VERSION,
6579 0,
6580 &sctx, &cctx, cert, privkey))
6581 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6582 NULL, NULL))
6583 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6584 SSL_ERROR_NONE)))
6585 goto end;
6586
6587 peerupdate = tst == 0 ? clientssl : serverssl;
6588 peerwrite = tst == 0 ? serverssl : clientssl;
6589
6590 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6591 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6592 goto end;
6593
6594 /* Swap the writing endpoint's write BIO to force a retry */
6595 tmp = SSL_get_wbio(peerwrite);
6596 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6597 tmp = NULL;
6598 goto end;
6599 }
6600 SSL_set0_wbio(peerwrite, bretry);
6601 bretry = NULL;
6602
6603 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6604 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6605 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6606 goto end;
6607
6608 /* Reinstate the original writing endpoint's write BIO */
6609 SSL_set0_wbio(peerwrite, tmp);
6610 tmp = NULL;
6611
6612 /* Now read some data - we will read the key update */
6613 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6614 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6615 goto end;
6616
6617 /*
6618 * Complete the write we started previously and read it from the other
6619 * endpoint
6620 */
6621 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6622 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6623 goto end;
6624
6625 /* Write more data to ensure we send the KeyUpdate message back */
6626 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6627 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6628 goto end;
6629
6630 testresult = 1;
6631
6632 end:
6633 SSL_free(serverssl);
6634 SSL_free(clientssl);
6635 SSL_CTX_free(sctx);
6636 SSL_CTX_free(cctx);
6637 BIO_free(bretry);
6638 BIO_free(tmp);
6639
6640 return testresult;
6641}
6642
6643/*
6644 * Test we can handle a KeyUpdate (update requested) message while
6645 * peer read data is pending after peer accepted keyupdate(the msg header
6646 * had been read 5 bytes).
6647 * Test 0: Client sends KeyUpdate while Server is reading
6648 * Test 1: Server sends KeyUpdate while Client is reading
6649 */
6650static int test_key_update_peer_in_read(int tst)
6651{
6652 SSL_CTX *cctx = NULL, *sctx = NULL;
6653 SSL *clientssl = NULL, *serverssl = NULL;
6654 int testresult = 0;
6655 char prbuf[515], lwbuf[515] = {0};
6656 static char *mess = "A test message";
6657 BIO *lbio = NULL, *pbio = NULL;
6658 SSL *local = NULL, *peer = NULL;
6659
6660 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6661 TLS_client_method(),
6662 TLS1_3_VERSION,
6663 0,
6664 &sctx, &cctx, cert, privkey))
6665 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6666 NULL, NULL))
6667 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6668 SSL_ERROR_NONE)))
6669 goto end;
6670
6671 local = tst == 0 ? clientssl : serverssl;
6672 peer = tst == 0 ? serverssl : clientssl;
6673
6674 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6675 goto end;
6676
6677 SSL_set_bio(local, lbio, lbio);
6678 SSL_set_bio(peer, pbio, pbio);
6679
6680 /*
6681 * we first write keyupdate msg then appdata in local
6682 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6683 * lwbuf app data msg size + key updata msg size > 512(the size of
6684 * the bio pair buffer)
6685 */
6686 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6687 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6688 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6689 goto end;
6690
6691 /*
6692 * first read keyupdate msg in peer in peer
6693 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6694 */
6695 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6696 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6697 goto end;
6698
6699 /* Now write some data in peer - we will write the key update */
6700 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6701 goto end;
6702
6703 /*
6704 * write data in local previously that we will complete
6705 * read data in peer previously that we will complete
6706 */
6707 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6708 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6709 goto end;
6710
6711 /* check that sending and receiving appdata ok */
6712 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6713 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6714 goto end;
6715
6716 testresult = 1;
6717
6718 end:
6719 SSL_free(serverssl);
6720 SSL_free(clientssl);
6721 SSL_CTX_free(sctx);
6722 SSL_CTX_free(cctx);
6723
6724 return testresult;
6725}
6726
6727/*
6728 * Test we can't send a KeyUpdate (update requested) message while
6729 * local write data is pending.
6730 * Test 0: Client sends KeyUpdate while Client is writing
6731 * Test 1: Server sends KeyUpdate while Server is writing
6732 */
6733static int test_key_update_local_in_write(int tst)
6734{
6735 SSL_CTX *cctx = NULL, *sctx = NULL;
6736 SSL *clientssl = NULL, *serverssl = NULL;
6737 int testresult = 0;
6738 char buf[20];
6739 static char *mess = "A test message";
6740 BIO *bretry = BIO_new(bio_s_always_retry());
6741 BIO *tmp = NULL;
6742 SSL *local = NULL, *peer = NULL;
6743
6744 if (!TEST_ptr(bretry)
6745 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6746 TLS_client_method(),
6747 TLS1_3_VERSION,
6748 0,
6749 &sctx, &cctx, cert, privkey))
6750 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6751 NULL, NULL))
6752 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6753 SSL_ERROR_NONE)))
6754 goto end;
6755
6756 local = tst == 0 ? clientssl : serverssl;
6757 peer = tst == 0 ? serverssl : clientssl;
6758
6759 /* Swap the writing endpoint's write BIO to force a retry */
6760 tmp = SSL_get_wbio(local);
6761 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6762 tmp = NULL;
6763 goto end;
6764 }
6765 SSL_set0_wbio(local, bretry);
6766 bretry = NULL;
6767
6768 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6769 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6770 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6771 goto end;
6772
6773 /* Reinstate the original writing endpoint's write BIO */
6774 SSL_set0_wbio(local, tmp);
6775 tmp = NULL;
6776
6777 /* SSL_key_update will fail, because writing in local*/
6778 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6779 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6780 goto end;
6781
6782 ERR_clear_error();
6783 /* write data in local previously that we will complete */
6784 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6785 goto end;
6786
6787 /* SSL_key_update will succeed because there is no pending write data */
6788 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6789 || !TEST_int_eq(SSL_do_handshake(local), 1))
6790 goto end;
6791
6792 /*
6793 * we write some appdata in local
6794 * read data in peer - we will read the keyupdate msg
6795 */
6796 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6797 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6798 goto end;
6799
6800 /* Write more peer more data to ensure we send the keyupdate message back */
6801 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6802 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6803 goto end;
6804
6805 testresult = 1;
6806
6807 end:
6808 SSL_free(serverssl);
6809 SSL_free(clientssl);
6810 SSL_CTX_free(sctx);
6811 SSL_CTX_free(cctx);
6812 BIO_free(bretry);
6813 BIO_free(tmp);
6814
6815 return testresult;
6816}
6817
6818/*
6819 * Test we can handle a KeyUpdate (update requested) message while
6820 * local read data is pending(the msg header had been read 5 bytes).
6821 * Test 0: Client sends KeyUpdate while Client is reading
6822 * Test 1: Server sends KeyUpdate while Server is reading
6823 */
6824static int test_key_update_local_in_read(int tst)
6825{
6826 SSL_CTX *cctx = NULL, *sctx = NULL;
6827 SSL *clientssl = NULL, *serverssl = NULL;
6828 int testresult = 0;
6829 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6830 static char *mess = "A test message";
6831 BIO *lbio = NULL, *pbio = NULL;
6832 SSL *local = NULL, *peer = NULL;
6833
6834 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6835 TLS_client_method(),
6836 TLS1_3_VERSION,
6837 0,
6838 &sctx, &cctx, cert, privkey))
6839 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6840 NULL, NULL))
6841 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6842 SSL_ERROR_NONE)))
6843 goto end;
6844
6845 local = tst == 0 ? clientssl : serverssl;
6846 peer = tst == 0 ? serverssl : clientssl;
6847
6848 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6849 goto end;
6850
6851 SSL_set_bio(local, lbio, lbio);
6852 SSL_set_bio(peer, pbio, pbio);
6853
6854 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6855 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6856 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6857 goto end;
6858
6859 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6860 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6861 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6862 goto end;
6863
6864 /* SSL_do_handshake will send keyupdate msg */
6865 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6866 || !TEST_int_eq(SSL_do_handshake(local), 1))
6867 goto end;
6868
6869 /*
6870 * write data in peer previously that we will complete
6871 * read data in local previously that we will complete
6872 */
6873 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6874 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6875 goto end;
6876
6877 /*
6878 * write data in local
6879 * read data in peer - we will read the key update
6880 */
6881 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6882 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6883 goto end;
6884
6885 /* Write more peer data to ensure we send the keyupdate message back */
6886 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6887 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6888 goto end;
6889
6890 testresult = 1;
6891
6892 end:
6893 SSL_free(serverssl);
6894 SSL_free(clientssl);
6895 SSL_CTX_free(sctx);
6896 SSL_CTX_free(cctx);
6897
6898 return testresult;
6899}
6900#endif /* OSSL_NO_USABLE_TLS1_3 */
6901
6902static int test_ssl_clear(int idx)
6903{
6904 SSL_CTX *cctx = NULL, *sctx = NULL;
6905 SSL *clientssl = NULL, *serverssl = NULL;
6906 int testresult = 0;
6907
6908#ifdef OPENSSL_NO_TLS1_2
6909 if (idx == 1)
6910 return 1;
6911#endif
6912
6913 /* Create an initial connection */
6914 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6915 TLS_client_method(), TLS1_VERSION, 0,
6916 &sctx, &cctx, cert, privkey))
6917 || (idx == 1
6918 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6919 TLS1_2_VERSION)))
6920 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6921 &clientssl, NULL, NULL))
6922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6923 SSL_ERROR_NONE)))
6924 goto end;
6925
6926 SSL_shutdown(clientssl);
6927 SSL_shutdown(serverssl);
6928 SSL_free(serverssl);
6929 serverssl = NULL;
6930
6931 /* Clear clientssl - we're going to reuse the object */
6932 if (!TEST_true(SSL_clear(clientssl)))
6933 goto end;
6934
6935 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6936 NULL, NULL))
6937 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6938 SSL_ERROR_NONE))
6939 || !TEST_true(SSL_session_reused(clientssl)))
6940 goto end;
6941
6942 SSL_shutdown(clientssl);
6943 SSL_shutdown(serverssl);
6944
6945 testresult = 1;
6946
6947 end:
6948 SSL_free(serverssl);
6949 SSL_free(clientssl);
6950 SSL_CTX_free(sctx);
6951 SSL_CTX_free(cctx);
6952
6953 return testresult;
6954}
6955
6956/* Parse CH and retrieve any MFL extension value if present */
6957static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6958{
6959 long len;
6960 unsigned char *data;
6961 PACKET pkt, pkt2, pkt3;
6962 unsigned int MFL_code = 0, type = 0;
6963
6964 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6965 goto end;
6966
6967 memset(&pkt, 0, sizeof(pkt));
6968 memset(&pkt2, 0, sizeof(pkt2));
6969 memset(&pkt3, 0, sizeof(pkt3));
6970
6971 if (!TEST_long_gt(len, 0)
6972 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6973 /* Skip the record header */
6974 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6975 /* Skip the handshake message header */
6976 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6977 /* Skip client version and random */
6978 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6979 + SSL3_RANDOM_SIZE))
6980 /* Skip session id */
6981 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6982 /* Skip ciphers */
6983 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6984 /* Skip compression */
6985 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6986 /* Extensions len */
6987 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6988 goto end;
6989
6990 /* Loop through all extensions */
6991 while (PACKET_remaining(&pkt2)) {
6992 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6993 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6994 goto end;
6995
6996 if (type == TLSEXT_TYPE_max_fragment_length) {
6997 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6998 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6999 goto end;
7000
7001 *mfl_codemfl_code = MFL_code;
7002 return 1;
7003 }
7004 }
7005
7006 end:
7007 return 0;
7008}
7009
7010/* Maximum-Fragment-Length TLS extension mode to test */
7011static const unsigned char max_fragment_len_test[] = {
7012 TLSEXT_max_fragment_length_512,
7013 TLSEXT_max_fragment_length_1024,
7014 TLSEXT_max_fragment_length_2048,
7015 TLSEXT_max_fragment_length_4096
7016};
7017
7018static int test_max_fragment_len_ext(int idx_tst)
7019{
7020 SSL_CTX *ctx = NULL;
7021 SSL *con = NULL;
7022 int testresult = 0, MFL_mode = 0;
7023 BIO *rbio, *wbio;
7024
7025 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7026 TLS1_VERSION, 0, NULL, &ctx, NULL,
7027 NULL)))
7028 return 0;
7029
7030 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7031 ctx, max_fragment_len_test[idx_tst])))
7032 goto end;
7033
7034 con = SSL_new(ctx);
7035 if (!TEST_ptr(con))
7036 goto end;
7037
7038 rbio = BIO_new(BIO_s_mem());
7039 wbio = BIO_new(BIO_s_mem());
7040 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7041 BIO_free(rbio);
7042 BIO_free(wbio);
7043 goto end;
7044 }
7045
7046 SSL_set_bio(con, rbio, wbio);
7047
7048 if (!TEST_int_le(SSL_connect(con), 0)) {
7049 /* This shouldn't succeed because we don't have a server! */
7050 goto end;
7051 }
7052
7053 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7054 /* no MFL in client hello */
7055 goto end;
7056 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7057 goto end;
7058
7059 testresult = 1;
7060
7061end:
7062 SSL_free(con);
7063 SSL_CTX_free(ctx);
7064
7065 return testresult;
7066}
7067
7068#ifndef OSSL_NO_USABLE_TLS1_3
7069static int test_pha_key_update(void)
7070{
7071 SSL_CTX *cctx = NULL, *sctx = NULL;
7072 SSL *clientssl = NULL, *serverssl = NULL;
7073 int testresult = 0;
7074
7075 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7076 TLS_client_method(), TLS1_VERSION, 0,
7077 &sctx, &cctx, cert, privkey)))
7078 return 0;
7079
7080 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7081 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7082 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7083 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7084 goto end;
7085
7086 SSL_CTX_set_post_handshake_auth(cctx, 1);
7087
7088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7089 NULL, NULL)))
7090 goto end;
7091
7092 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7093 SSL_ERROR_NONE)))
7094 goto end;
7095
7096 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7097 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7098 goto end;
7099
7100 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7101 goto end;
7102
7103 /* Start handshake on the server */
7104 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7105 goto end;
7106
7107 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7108 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7109 SSL_ERROR_NONE)))
7110 goto end;
7111
7112 SSL_shutdown(clientssl);
7113 SSL_shutdown(serverssl);
7114
7115 testresult = 1;
7116
7117 end:
7118 SSL_free(serverssl);
7119 SSL_free(clientssl);
7120 SSL_CTX_free(sctx);
7121 SSL_CTX_free(cctx);
7122 return testresult;
7123}
7124#endif
7125
7126#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7127
7128static SRP_VBASE *vbase = NULL;
7129
7130static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7131{
7132 int ret = SSL3_AL_FATAL;
7133 char *username;
7134 SRP_user_pwd *user = NULL;
7135
7136 username = SSL_get_srp_username(s);
7137 if (username == NULL) {
7138 *ad = SSL_AD_INTERNAL_ERROR;
7139 goto err;
7140 }
7141
7142 user = SRP_VBASE_get1_by_user(vbase, username);
7143 if (user == NULL) {
7144 *ad = SSL_AD_INTERNAL_ERROR;
7145 goto err;
7146 }
7147
7148 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7149 user->info) <= 0) {
7150 *ad = SSL_AD_INTERNAL_ERROR;
7151 goto err;
7152 }
7153
7154 ret = 0;
7155
7156 err:
7157 SRP_user_pwd_free(user);
7158 return ret;
7159}
7160
7161static int create_new_vfile(char *userid, char *password, const char *filename)
7162{
7163 char *gNid = NULL;
7164 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7165 TXT_DB *db = NULL;
7166 int ret = 0;
7167 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7168 size_t i;
7169
7170 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7171 goto end;
7172
7173 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7174 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7175 if (!TEST_ptr(gNid))
7176 goto end;
7177
7178 /*
7179 * The only way to create an empty TXT_DB is to provide a BIO with no data
7180 * in it!
7181 */
7182 db = TXT_DB_read(dummy, DB_NUMBER);
7183 if (!TEST_ptr(db))
7184 goto end;
7185
7186 out = BIO_new_file(filename, "w");
7187 if (!TEST_ptr(out))
7188 goto end;
7189
7190 row[DB_srpid] = OPENSSL_strdup(userid);
7191 row[DB_srptype] = OPENSSL_strdup("V");
7192 row[DB_srpgN] = OPENSSL_strdup(gNid);
7193
7194 if (!TEST_ptr(row[DB_srpid])
7195 || !TEST_ptr(row[DB_srptype])
7196 || !TEST_ptr(row[DB_srpgN])
7197 || !TEST_true(TXT_DB_insert(db, row)))
7198 goto end;
7199
7200 row = NULL;
7201
7202 if (TXT_DB_write(out, db) <= 0)
7203 goto end;
7204
7205 ret = 1;
7206 end:
7207 if (row != NULL) {
7208 for (i = 0; i < DB_NUMBER; i++)
7209 OPENSSL_free(row[i]);
7210 }
7211 OPENSSL_free(row);
7212 BIO_free(dummy);
7213 BIO_free(out);
7214 TXT_DB_free(db);
7215
7216 return ret;
7217}
7218
7219static int create_new_vbase(char *userid, char *password)
7220{
7221 BIGNUM *verifier = NULL, *salt = NULL;
7222 const SRP_gN *lgN = NULL;
7223 SRP_user_pwd *user_pwd = NULL;
7224 int ret = 0;
7225
7226 lgN = SRP_get_default_gN(NULL);
7227 if (!TEST_ptr(lgN))
7228 goto end;
7229
7230 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7231 lgN->N, lgN->g, libctx, NULL)))
7232 goto end;
7233
7234 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7235 if (!TEST_ptr(user_pwd))
7236 goto end;
7237
7238 user_pwd->N = lgN->N;
7239 user_pwd->g = lgN->g;
7240 user_pwd->id = OPENSSL_strdup(userid);
7241 if (!TEST_ptr(user_pwd->id))
7242 goto end;
7243
7244 user_pwd->v = verifier;
7245 user_pwd->s = salt;
7246 verifier = salt = NULL;
7247
7248 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7249 goto end;
7250 user_pwd = NULL;
7251
7252 ret = 1;
7253end:
7254 SRP_user_pwd_free(user_pwd);
7255 BN_free(salt);
7256 BN_free(verifier);
7257
7258 return ret;
7259}
7260
7261/*
7262 * SRP tests
7263 *
7264 * Test 0: Simple successful SRP connection, new vbase
7265 * Test 1: Connection failure due to bad password, new vbase
7266 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7267 * Test 3: Connection failure due to bad password, vbase loaded from existing
7268 * file
7269 * Test 4: Simple successful SRP connection, vbase loaded from new file
7270 * Test 5: Connection failure due to bad password, vbase loaded from new file
7271 */
7272static int test_srp(int tst)
7273{
7274 char *userid = "test", *password = "password", *tstsrpfile;
7275 SSL_CTX *cctx = NULL, *sctx = NULL;
7276 SSL *clientssl = NULL, *serverssl = NULL;
7277 int ret, testresult = 0;
7278
7279 vbase = SRP_VBASE_new(NULL);
7280 if (!TEST_ptr(vbase))
7281 goto end;
7282
7283 if (tst == 0 || tst == 1) {
7284 if (!TEST_true(create_new_vbase(userid, password)))
7285 goto end;
7286 } else {
7287 if (tst == 4 || tst == 5) {
7288 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7289 goto end;
7290 tstsrpfile = tmpfilename;
7291 } else {
7292 tstsrpfile = srpvfile;
7293 }
7294 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7295 goto end;
7296 }
7297
7298 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7299 TLS_client_method(), TLS1_VERSION, 0,
7300 &sctx, &cctx, cert, privkey)))
7301 goto end;
7302
7303 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7304 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7305 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7306 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7307 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7308 goto end;
7309
7310 if (tst % 2 == 1) {
7311 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7312 goto end;
7313 } else {
7314 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7315 goto end;
7316 }
7317
7318 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7319 NULL, NULL)))
7320 goto end;
7321
7322 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7323 if (ret) {
7324 if (!TEST_true(tst % 2 == 0))
7325 goto end;
7326 } else {
7327 if (!TEST_true(tst % 2 == 1))
7328 goto end;
7329 }
7330
7331 testresult = 1;
7332
7333 end:
7334 SRP_VBASE_free(vbase);
7335 vbase = NULL;
7336 SSL_free(serverssl);
7337 SSL_free(clientssl);
7338 SSL_CTX_free(sctx);
7339 SSL_CTX_free(cctx);
7340
7341 return testresult;
7342}
7343#endif
7344
7345static int info_cb_failed = 0;
7346static int info_cb_offset = 0;
7347static int info_cb_this_state = -1;
7348
7349static struct info_cb_states_st {
7350 int where;
7351 const char *statestr;
7352} info_cb_states[][60] = {
7353 {
7354 /* TLSv1.2 server followed by resumption */
7355 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7356 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7357 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7359 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7360 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7361 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7362 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7363 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7364 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7365 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7366 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7367 {SSL_CB_EXIT, NULL}, {0, NULL},
7368 }, {
7369 /* TLSv1.2 client followed by resumption */
7370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7372 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7373 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7374 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7375 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7376 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7377 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7378 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7379 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7380 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7381 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7382 }, {
7383 /* TLSv1.3 server followed by resumption */
7384 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7385 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7386 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7387 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7388 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7389 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7390 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7391 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7392 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7393 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7394 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7395 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7396 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7397 }, {
7398 /* TLSv1.3 client followed by resumption */
7399 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7400 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7401 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7402 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7403 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7404 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7405 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7406 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7407 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7408 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7409 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7410 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7411 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7412 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7413 {SSL_CB_EXIT, NULL}, {0, NULL},
7414 }, {
7415 /* TLSv1.3 server, early_data */
7416 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7417 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7418 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7419 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7420 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7421 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7422 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7423 {SSL_CB_EXIT, NULL}, {0, NULL},
7424 }, {
7425 /* TLSv1.3 client, early_data */
7426 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7427 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7428 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7429 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7430 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7431 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7432 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7433 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7434 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7435 }, {
7436 {0, NULL},
7437 }
7438};
7439
7440static void sslapi_info_callback(const SSL *s, int where, int ret)
7441{
7442 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7443
7444 /* We do not ever expect a connection to fail in this test */
7445 if (!TEST_false(ret == 0)) {
7446 info_cb_failed = 1;
7447 return;
7448 }
7449
7450 /*
7451 * Do some sanity checks. We never expect these things to happen in this
7452 * test
7453 */
7454 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7455 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7456 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7457 info_cb_failed = 1;
7458 return;
7459 }
7460
7461 /* Now check we're in the right state */
7462 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7463 info_cb_failed = 1;
7464 return;
7465 }
7466 if ((where & SSL_CB_LOOP) != 0
7467 && !TEST_int_eq(strcmp(SSL_state_string(s),
7468 state[info_cb_this_state].statestr), 0)) {
7469 info_cb_failed = 1;
7470 return;
7471 }
7472
7473 /*
7474 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7475 */
7476 if ((where & SSL_CB_HANDSHAKE_DONE)
7477 && SSL_in_init((SSL *)s) != 0) {
7478 info_cb_failed = 1;
7479 return;
7480 }
7481}
7482
7483/*
7484 * Test the info callback gets called when we expect it to.
7485 *
7486 * Test 0: TLSv1.2, server
7487 * Test 1: TLSv1.2, client
7488 * Test 2: TLSv1.3, server
7489 * Test 3: TLSv1.3, client
7490 * Test 4: TLSv1.3, server, early_data
7491 * Test 5: TLSv1.3, client, early_data
7492 */
7493static int test_info_callback(int tst)
7494{
7495 SSL_CTX *cctx = NULL, *sctx = NULL;
7496 SSL *clientssl = NULL, *serverssl = NULL;
7497 SSL_SESSION *clntsess = NULL;
7498 int testresult = 0;
7499 int tlsvers;
7500
7501 if (tst < 2) {
7502/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7503#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7504 || !defined(OPENSSL_NO_DH))
7505 tlsvers = TLS1_2_VERSION;
7506#else
7507 return 1;
7508#endif
7509 } else {
7510#ifndef OSSL_NO_USABLE_TLS1_3
7511 tlsvers = TLS1_3_VERSION;
7512#else
7513 return 1;
7514#endif
7515 }
7516
7517 /* Reset globals */
7518 info_cb_failed = 0;
7519 info_cb_this_state = -1;
7520 info_cb_offset = tst;
7521
7522#ifndef OSSL_NO_USABLE_TLS1_3
7523 if (tst >= 4) {
7524 SSL_SESSION *sess = NULL;
7525 size_t written, readbytes;
7526 unsigned char buf[80];
7527 time_t timer;
7528
7529 /* early_data tests */
7530 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7531 &serverssl, &sess, 0,
7532 SHA384_DIGEST_LENGTH)))
7533 goto end;
7534
7535 /* We don't actually need this reference */
7536 SSL_SESSION_free(sess);
7537
7538 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7539 sslapi_info_callback);
7540
7541 /* Write and read some early data and then complete the connection */
7542 timer = time(NULL);
7543 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7544 &written))
7545 || !TEST_size_t_eq(written, strlen(MSG1)))
7546 goto end;
7547
7548 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7549 sizeof(buf), &readbytes),
7550 SSL_READ_EARLY_DATA_SUCCESS)) {
7551 testresult = check_early_data_timeout(timer);
7552 goto end;
7553 }
7554
7555 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7556 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7557 SSL_EARLY_DATA_ACCEPTED)
7558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7559 SSL_ERROR_NONE))
7560 || !TEST_false(info_cb_failed))
7561 goto end;
7562
7563 testresult = 1;
7564 goto end;
7565 }
7566#endif
7567
7568 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7569 TLS_client_method(),
7570 tlsvers, tlsvers, &sctx, &cctx, cert,
7571 privkey)))
7572 goto end;
7573
7574 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7575 goto end;
7576
7577 /*
7578 * For even numbered tests we check the server callbacks. For odd numbers we
7579 * check the client.
7580 */
7581 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7582 sslapi_info_callback);
7583
7584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7585 &clientssl, NULL, NULL))
7586 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7587 SSL_ERROR_NONE))
7588 || !TEST_false(info_cb_failed))
7589 goto end;
7590
7591
7592
7593 clntsess = SSL_get1_session(clientssl);
7594 SSL_shutdown(clientssl);
7595 SSL_shutdown(serverssl);
7596 SSL_free(serverssl);
7597 SSL_free(clientssl);
7598 serverssl = clientssl = NULL;
7599
7600 /* Now do a resumption */
7601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7602 NULL))
7603 || !TEST_true(SSL_set_session(clientssl, clntsess))
7604 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7605 SSL_ERROR_NONE))
7606 || !TEST_true(SSL_session_reused(clientssl))
7607 || !TEST_false(info_cb_failed))
7608 goto end;
7609
7610 testresult = 1;
7611
7612 end:
7613 SSL_free(serverssl);
7614 SSL_free(clientssl);
7615 SSL_SESSION_free(clntsess);
7616 SSL_CTX_free(sctx);
7617 SSL_CTX_free(cctx);
7618 return testresult;
7619}
7620
7621static int test_ssl_pending(int tst)
7622{
7623 SSL_CTX *cctx = NULL, *sctx = NULL;
7624 SSL *clientssl = NULL, *serverssl = NULL;
7625 int testresult = 0;
7626 char msg[] = "A test message";
7627 char buf[5];
7628 size_t written, readbytes;
7629
7630 if (tst == 0) {
7631 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7632 TLS_client_method(),
7633 TLS1_VERSION, 0,
7634 &sctx, &cctx, cert, privkey)))
7635 goto end;
7636 } else {
7637#ifndef OPENSSL_NO_DTLS
7638 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7639 DTLS_client_method(),
7640 DTLS1_VERSION, 0,
7641 &sctx, &cctx, cert, privkey)))
7642 goto end;
7643
7644# ifdef OPENSSL_NO_DTLS1_2
7645 /* Not supported in the FIPS provider */
7646 if (is_fips) {
7647 testresult = 1;
7648 goto end;
7649 };
7650 /*
7651 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7652 * level 0
7653 */
7654 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7655 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7656 "DEFAULT:@SECLEVEL=0")))
7657 goto end;
7658# endif
7659#else
7660 return 1;
7661#endif
7662 }
7663
7664 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7665 NULL, NULL))
7666 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7667 SSL_ERROR_NONE)))
7668 goto end;
7669
7670 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7671 || !TEST_false(SSL_has_pending(clientssl))
7672 || !TEST_int_eq(SSL_pending(serverssl), 0)
7673 || !TEST_false(SSL_has_pending(serverssl))
7674 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7675 || !TEST_size_t_eq(written, sizeof(msg))
7676 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7677 || !TEST_size_t_eq(readbytes, sizeof(buf))
7678 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7679 || !TEST_true(SSL_has_pending(clientssl)))
7680 goto end;
7681
7682 testresult = 1;
7683
7684 end:
7685 SSL_free(serverssl);
7686 SSL_free(clientssl);
7687 SSL_CTX_free(sctx);
7688 SSL_CTX_free(cctx);
7689
7690 return testresult;
7691}
7692
7693static struct {
7694 unsigned int maxprot;
7695 const char *clntciphers;
7696 const char *clnttls13ciphers;
7697 const char *srvrciphers;
7698 const char *srvrtls13ciphers;
7699 const char *shared;
7700 const char *fipsshared;
7701} shared_ciphers_data[] = {
7702/*
7703 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7704 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7705 */
7706#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7707 {
7708 TLS1_2_VERSION,
7709 "AES128-SHA:AES256-SHA",
7710 NULL,
7711 "AES256-SHA:DHE-RSA-AES128-SHA",
7712 NULL,
7713 "AES256-SHA",
7714 "AES256-SHA"
7715 },
7716# if !defined(OPENSSL_NO_CHACHA) \
7717 && !defined(OPENSSL_NO_POLY1305) \
7718 && !defined(OPENSSL_NO_EC)
7719 {
7720 TLS1_2_VERSION,
7721 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7722 NULL,
7723 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7724 NULL,
7725 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7726 "AES128-SHA"
7727 },
7728# endif
7729 {
7730 TLS1_2_VERSION,
7731 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7732 NULL,
7733 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7734 NULL,
7735 "AES128-SHA:AES256-SHA",
7736 "AES128-SHA:AES256-SHA"
7737 },
7738 {
7739 TLS1_2_VERSION,
7740 "AES128-SHA:AES256-SHA",
7741 NULL,
7742 "AES128-SHA:DHE-RSA-AES128-SHA",
7743 NULL,
7744 "AES128-SHA",
7745 "AES128-SHA"
7746 },
7747#endif
7748/*
7749 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7750 * enabled.
7751 */
7752#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7753 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7754 {
7755 TLS1_3_VERSION,
7756 "AES128-SHA:AES256-SHA",
7757 NULL,
7758 "AES256-SHA:AES128-SHA256",
7759 NULL,
7760 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7761 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7762 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7763 },
7764#endif
7765#ifndef OSSL_NO_USABLE_TLS1_3
7766 {
7767 TLS1_3_VERSION,
7768 "AES128-SHA",
7769 "TLS_AES_256_GCM_SHA384",
7770 "AES256-SHA",
7771 "TLS_AES_256_GCM_SHA384",
7772 "TLS_AES_256_GCM_SHA384",
7773 "TLS_AES_256_GCM_SHA384"
7774 },
7775#endif
7776};
7777
7778static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7779{
7780 SSL_CTX *cctx = NULL, *sctx = NULL;
7781 SSL *clientssl = NULL, *serverssl = NULL;
7782 int testresult = 0;
7783 char buf[1024];
7784 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7785
7786 if (!TEST_ptr(tmplibctx))
7787 goto end;
7788
7789 /*
7790 * Regardless of whether we're testing with the FIPS provider loaded into
7791 * libctx, we want one peer to always use the full set of ciphersuites
7792 * available. Therefore we use a separate libctx with the default provider
7793 * loaded into it. We run the same tests twice - once with the client side
7794 * having the full set of ciphersuites and once with the server side.
7795 */
7796 if (clnt) {
7797 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7798 if (!TEST_ptr(cctx))
7799 goto end;
7800 } else {
7801 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7802 if (!TEST_ptr(sctx))
7803 goto end;
7804 }
7805
7806 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7807 TLS_client_method(),
7808 TLS1_VERSION,
7809 shared_ciphers_data[tst].maxprot,
7810 &sctx, &cctx, cert, privkey)))
7811 goto end;
7812
7813 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7814 shared_ciphers_data[tst].clntciphers))
7815 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7816 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7817 shared_ciphers_data[tst].clnttls13ciphers)))
7818 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7819 shared_ciphers_data[tst].srvrciphers))
7820 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7821 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7822 shared_ciphers_data[tst].srvrtls13ciphers))))
7823 goto end;
7824
7825
7826 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7827 NULL, NULL))
7828 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7829 SSL_ERROR_NONE)))
7830 goto end;
7831
7832 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7833 || !TEST_int_eq(strcmp(buf,
7834 is_fips
7835 ? shared_ciphers_data[tst].fipsshared
7836 : shared_ciphers_data[tst].shared),
7837 0)) {
7838 TEST_info("Shared ciphers are: %s\n", buf);
7839 goto end;
7840 }
7841
7842 testresult = 1;
7843
7844 end:
7845 SSL_free(serverssl);
7846 SSL_free(clientssl);
7847 SSL_CTX_free(sctx);
7848 SSL_CTX_free(cctx);
7849 OSSL_LIB_CTX_free(tmplibctx);
7850
7851 return testresult;
7852}
7853
7854static int test_ssl_get_shared_ciphers(int tst)
7855{
7856 return int_test_ssl_get_shared_ciphers(tst, 0)
7857 && int_test_ssl_get_shared_ciphers(tst, 1);
7858}
7859
7860
7861static const char *appdata = "Hello World";
7862static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7863static int tick_key_renew = 0;
7864static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7865
7866static int gen_tick_cb(SSL *s, void *arg)
7867{
7868 gen_tick_called = 1;
7869
7870 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7871 strlen(appdata));
7872}
7873
7874static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7875 const unsigned char *keyname,
7876 size_t keyname_length,
7877 SSL_TICKET_STATUS status,
7878 void *arg)
7879{
7880 void *tickdata;
7881 size_t tickdlen;
7882
7883 dec_tick_called = 1;
7884
7885 if (status == SSL_TICKET_EMPTY)
7886 return SSL_TICKET_RETURN_IGNORE_RENEW;
7887
7888 if (!TEST_true(status == SSL_TICKET_SUCCESS
7889 || status == SSL_TICKET_SUCCESS_RENEW))
7890 return SSL_TICKET_RETURN_ABORT;
7891
7892 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7893 &tickdlen))
7894 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7895 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7896 return SSL_TICKET_RETURN_ABORT;
7897
7898 if (tick_key_cb_called) {
7899 /* Don't change what the ticket key callback wanted to do */
7900 switch (status) {
7901 case SSL_TICKET_NO_DECRYPT:
7902 return SSL_TICKET_RETURN_IGNORE_RENEW;
7903
7904 case SSL_TICKET_SUCCESS:
7905 return SSL_TICKET_RETURN_USE;
7906
7907 case SSL_TICKET_SUCCESS_RENEW:
7908 return SSL_TICKET_RETURN_USE_RENEW;
7909
7910 default:
7911 return SSL_TICKET_RETURN_ABORT;
7912 }
7913 }
7914 return tick_dec_ret;
7915
7916}
7917
7918#ifndef OPENSSL_NO_DEPRECATED_3_0
7919static int tick_key_cb(SSL *s, unsigned char key_name[16],
7920 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7921 HMAC_CTX *hctx, int enc)
7922{
7923 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7924 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7925 EVP_CIPHER *aes128cbc;
7926 EVP_MD *sha256;
7927 int ret;
7928
7929 tick_key_cb_called = 1;
7930
7931 if (tick_key_renew == -1)
7932 return 0;
7933
7934 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7935 if (!TEST_ptr(aes128cbc))
7936 return 0;
7937 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7938 if (!TEST_ptr(sha256)) {
7939 EVP_CIPHER_free(aes128cbc);
7940 return 0;
7941 }
7942
7943 memset(iv, 0, AES_BLOCK_SIZE);
7944 memset(key_name, 0, 16);
7945 if (aes128cbc == NULL
7946 || sha256 == NULL
7947 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7948 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7949 NULL))
7950 ret = -1;
7951 else
7952 ret = tick_key_renew ? 2 : 1;
7953
7954 EVP_CIPHER_free(aes128cbc);
7955 EVP_MD_free(sha256);
7956
7957 return ret;
7958}
7959#endif
7960
7961static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7962 unsigned char iv[EVP_MAX_IV_LENGTH],
7963 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7964{
7965 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7966 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7967 OSSL_PARAM params[2];
7968 EVP_CIPHER *aes128cbc;
7969 int ret;
7970
7971 tick_key_cb_called = 1;
7972
7973 if (tick_key_renew == -1)
7974 return 0;
7975
7976 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7977 if (!TEST_ptr(aes128cbc))
7978 return 0;
7979
7980 memset(iv, 0, AES_BLOCK_SIZE);
7981 memset(key_name, 0, 16);
7982 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7983 "SHA256", 0);
7984 params[1] = OSSL_PARAM_construct_end();
7985 if (aes128cbc == NULL
7986 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7987 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7988 params))
7989 ret = -1;
7990 else
7991 ret = tick_key_renew ? 2 : 1;
7992
7993 EVP_CIPHER_free(aes128cbc);
7994
7995 return ret;
7996}
7997
7998/*
7999 * Test the various ticket callbacks
8000 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8001 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8002 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8003 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8004 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8005 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8006 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8007 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8008 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8009 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8010 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8011 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8012 * Test 12: TLSv1.2, old ticket key callback, no ticket
8013 * Test 13: TLSv1.3, old ticket key callback, no ticket
8014 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8015 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8016 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8017 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8018 * Test 18: TLSv1.2, ticket key callback, no ticket
8019 * Test 19: TLSv1.3, ticket key callback, no ticket
8020 */
8021static int test_ticket_callbacks(int tst)
8022{
8023 SSL_CTX *cctx = NULL, *sctx = NULL;
8024 SSL *clientssl = NULL, *serverssl = NULL;
8025 SSL_SESSION *clntsess = NULL;
8026 int testresult = 0;
8027
8028#ifdef OPENSSL_NO_TLS1_2
8029 if (tst % 2 == 0)
8030 return 1;
8031#endif
8032#ifdef OSSL_NO_USABLE_TLS1_3
8033 if (tst % 2 == 1)
8034 return 1;
8035#endif
8036#ifdef OPENSSL_NO_DEPRECATED_3_0
8037 if (tst >= 8 && tst <= 13)
8038 return 1;
8039#endif
8040
8041 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8042
8043 /* Which tests the ticket key callback should request renewal for */
8044
8045 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8046 tick_key_renew = 1;
8047 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8048 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8049 else
8050 tick_key_renew = 0;
8051
8052 /* Which tests the decrypt ticket callback should request renewal for */
8053 switch (tst) {
8054 case 0:
8055 case 1:
8056 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8057 break;
8058
8059 case 2:
8060 case 3:
8061 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8062 break;
8063
8064 case 4:
8065 case 5:
8066 tick_dec_ret = SSL_TICKET_RETURN_USE;
8067 break;
8068
8069 case 6:
8070 case 7:
8071 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8072 break;
8073
8074 default:
8075 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8076 }
8077
8078 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8079 TLS_client_method(),
8080 TLS1_VERSION,
8081 ((tst % 2) == 0) ? TLS1_2_VERSION
8082 : TLS1_3_VERSION,
8083 &sctx, &cctx, cert, privkey)))
8084 goto end;
8085
8086 /*
8087 * We only want sessions to resume from tickets - not the session cache. So
8088 * switch the cache off.
8089 */
8090 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8091 goto end;
8092
8093 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8094 NULL)))
8095 goto end;
8096
8097 if (tst >= 14) {
8098 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8099 goto end;
8100#ifndef OPENSSL_NO_DEPRECATED_3_0
8101 } else if (tst >= 8) {
8102 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8103 goto end;
8104#endif
8105 }
8106
8107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8108 NULL, NULL))
8109 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8110 SSL_ERROR_NONE)))
8111 goto end;
8112
8113 /*
8114 * The decrypt ticket key callback in TLSv1.2 should be called even though
8115 * we have no ticket yet, because it gets called with a status of
8116 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8117 * actually send any ticket data). This does not happen in TLSv1.3 because
8118 * it is not valid to send empty ticket data in TLSv1.3.
8119 */
8120 if (!TEST_int_eq(gen_tick_called, 1)
8121 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8122 goto end;
8123
8124 gen_tick_called = dec_tick_called = 0;
8125
8126 clntsess = SSL_get1_session(clientssl);
8127 SSL_shutdown(clientssl);
8128 SSL_shutdown(serverssl);
8129 SSL_free(serverssl);
8130 SSL_free(clientssl);
8131 serverssl = clientssl = NULL;
8132
8133 /* Now do a resumption */
8134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8135 NULL))
8136 || !TEST_true(SSL_set_session(clientssl, clntsess))
8137 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8138 SSL_ERROR_NONE)))
8139 goto end;
8140
8141 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8142 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8143 || tick_key_renew == -1) {
8144 if (!TEST_false(SSL_session_reused(clientssl)))
8145 goto end;
8146 } else {
8147 if (!TEST_true(SSL_session_reused(clientssl)))
8148 goto end;
8149 }
8150
8151 if (!TEST_int_eq(gen_tick_called,
8152 (tick_key_renew
8153 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8154 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8155 ? 1 : 0)
8156 /* There is no ticket to decrypt in tests 13 and 19 */
8157 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8158 goto end;
8159
8160 testresult = 1;
8161
8162 end:
8163 SSL_SESSION_free(clntsess);
8164 SSL_free(serverssl);
8165 SSL_free(clientssl);
8166 SSL_CTX_free(sctx);
8167 SSL_CTX_free(cctx);
8168
8169 return testresult;
8170}
8171
8172/*
8173 * Test incorrect shutdown.
8174 * Test 0: client does not shutdown properly,
8175 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8176 * server should get SSL_ERROR_SSL
8177 * Test 1: client does not shutdown properly,
8178 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8179 * server should get SSL_ERROR_ZERO_RETURN
8180 */
8181static int test_incorrect_shutdown(int tst)
8182{
8183 SSL_CTX *cctx = NULL, *sctx = NULL;
8184 SSL *clientssl = NULL, *serverssl = NULL;
8185 int testresult = 0;
8186 char buf[80];
8187 BIO *c2s;
8188
8189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8190 TLS_client_method(), 0, 0,
8191 &sctx, &cctx, cert, privkey)))
8192 goto end;
8193
8194 if (tst == 1)
8195 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8196
8197 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8198 NULL, NULL)))
8199 goto end;
8200
8201 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8202 SSL_ERROR_NONE)))
8203 goto end;
8204
8205 c2s = SSL_get_rbio(serverssl);
8206 BIO_set_mem_eof_return(c2s, 0);
8207
8208 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8209 goto end;
8210
8211 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8212 goto end;
8213 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8214 goto end;
8215
8216 testresult = 1;
8217
8218 end:
8219 SSL_free(serverssl);
8220 SSL_free(clientssl);
8221 SSL_CTX_free(sctx);
8222 SSL_CTX_free(cctx);
8223
8224 return testresult;
8225}
8226
8227/*
8228 * Test bi-directional shutdown.
8229 * Test 0: TLSv1.2
8230 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8231 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8232 * Test 3: TLSv1.3, pending NewSessionTicket messages
8233 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8234 * sends key update, client reads it
8235 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8236 * sends CertificateRequest, client reads and ignores it
8237 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8238 * doesn't read it
8239 */
8240static int test_shutdown(int tst)
8241{
8242 SSL_CTX *cctx = NULL, *sctx = NULL;
8243 SSL *clientssl = NULL, *serverssl = NULL;
8244 int testresult = 0;
8245 char msg[] = "A test message";
8246 char buf[80];
8247 size_t written, readbytes;
8248 SSL_SESSION *sess;
8249
8250#ifdef OPENSSL_NO_TLS1_2
8251 if (tst <= 1)
8252 return 1;
8253#endif
8254#ifdef OSSL_NO_USABLE_TLS1_3
8255 if (tst >= 2)
8256 return 1;
8257#endif
8258
8259 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8260 TLS_client_method(),
8261 TLS1_VERSION,
8262 (tst <= 1) ? TLS1_2_VERSION
8263 : TLS1_3_VERSION,
8264 &sctx, &cctx, cert, privkey)))
8265 goto end;
8266
8267 if (tst == 5)
8268 SSL_CTX_set_post_handshake_auth(cctx, 1);
8269
8270 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8271 NULL, NULL)))
8272 goto end;
8273
8274 if (tst == 3) {
8275 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8276 SSL_ERROR_NONE, 1))
8277 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8278 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8279 goto end;
8280 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8281 SSL_ERROR_NONE))
8282 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8283 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8284 goto end;
8285 }
8286
8287 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8288 goto end;
8289
8290 if (tst >= 4) {
8291 /*
8292 * Reading on the server after the client has sent close_notify should
8293 * fail and provide SSL_ERROR_ZERO_RETURN
8294 */
8295 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8296 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8297 SSL_ERROR_ZERO_RETURN)
8298 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8299 SSL_RECEIVED_SHUTDOWN)
8300 /*
8301 * Even though we're shutdown on receive we should still be
8302 * able to write.
8303 */
8304 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8305 goto end;
8306 if (tst == 4
8307 && !TEST_true(SSL_key_update(serverssl,
8308 SSL_KEY_UPDATE_REQUESTED)))
8309 goto end;
8310 if (tst == 5) {
8311 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8312 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8313 goto end;
8314 }
8315 if ((tst == 4 || tst == 5)
8316 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8317 goto end;
8318 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8319 goto end;
8320 if (tst == 4 || tst == 5) {
8321 /* Should still be able to read data from server */
8322 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8323 &readbytes))
8324 || !TEST_size_t_eq(readbytes, sizeof(msg))
8325 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8326 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8327 &readbytes))
8328 || !TEST_size_t_eq(readbytes, sizeof(msg))
8329 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8330 goto end;
8331 }
8332 }
8333
8334 /* Writing on the client after sending close_notify shouldn't be possible */
8335 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8336 goto end;
8337
8338 if (tst < 4) {
8339 /*
8340 * For these tests the client has sent close_notify but it has not yet
8341 * been received by the server. The server has not sent close_notify
8342 * yet.
8343 */
8344 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8345 /*
8346 * Writing on the server after sending close_notify shouldn't
8347 * be possible.
8348 */
8349 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8350 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8351 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8352 || !TEST_true(SSL_SESSION_is_resumable(sess))
8353 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8354 goto end;
8355 } else if (tst == 4 || tst == 5) {
8356 /*
8357 * In this test the client has sent close_notify and it has been
8358 * received by the server which has responded with a close_notify. The
8359 * client needs to read the close_notify sent by the server.
8360 */
8361 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8362 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8363 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8364 goto end;
8365 } else {
8366 /*
8367 * tst == 6
8368 *
8369 * The client has sent close_notify and is expecting a close_notify
8370 * back, but instead there is application data first. The shutdown
8371 * should fail with a fatal error.
8372 */
8373 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8374 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8375 goto end;
8376 }
8377
8378 testresult = 1;
8379
8380 end:
8381 SSL_free(serverssl);
8382 SSL_free(clientssl);
8383 SSL_CTX_free(sctx);
8384 SSL_CTX_free(cctx);
8385
8386 return testresult;
8387}
8388
8389#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8390static int cert_cb_cnt;
8391
8392static int cert_cb(SSL *s, void *arg)
8393{
8394 SSL_CTX *ctx = (SSL_CTX *)arg;
8395 BIO *in = NULL;
8396 EVP_PKEY *pkey = NULL;
8397 X509 *x509 = NULL, *rootx = NULL;
8398 STACK_OF(X509) *chain = NULL;
8399 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8400 int ret = 0;
8401
8402 if (cert_cb_cnt == 0) {
8403 /* Suspend the handshake */
8404 cert_cb_cnt++;
8405 return -1;
8406 } else if (cert_cb_cnt == 1) {
8407 /*
8408 * Update the SSL_CTX, set the certificate and private key and then
8409 * continue the handshake normally.
8410 */
8411 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8412 return 0;
8413
8414 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8415 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8416 SSL_FILETYPE_PEM))
8417 || !TEST_true(SSL_check_private_key(s)))
8418 return 0;
8419 cert_cb_cnt++;
8420 return 1;
8421 } else if (cert_cb_cnt == 3) {
8422 int rv;
8423
8424 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8425 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8426 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8427 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8428 goto out;
8429 chain = sk_X509_new_null();
8430 if (!TEST_ptr(chain))
8431 goto out;
8432 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8433 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8434 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8435 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8436 || !TEST_true(sk_X509_push(chain, rootx)))
8437 goto out;
8438 rootx = NULL;
8439 BIO_free(in);
8440 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8441 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8442 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8443 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8444 goto out;
8445 BIO_free(in);
8446 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8447 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8448 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8449 NULL, NULL,
8450 libctx, NULL)))
8451 goto out;
8452 rv = SSL_check_chain(s, x509, pkey, chain);
8453 /*
8454 * If the cert doesn't show as valid here (e.g., because we don't
8455 * have any shared sigalgs), then we will not set it, and there will
8456 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8457 * will cause tls_choose_sigalgs() to fail the connection.
8458 */
8459 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8460 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8461 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8462 goto out;
8463 }
8464
8465 ret = 1;
8466 }
8467
8468 /* Abort the handshake */
8469 out:
8470 OPENSSL_free(ecdsacert);
8471 OPENSSL_free(ecdsakey);
8472 OPENSSL_free(rootfile);
8473 BIO_free(in);
8474 EVP_PKEY_free(pkey);
8475 X509_free(x509);
8476 X509_free(rootx);
8477 sk_X509_pop_free(chain, X509_free);
8478 return ret;
8479}
8480
8481/*
8482 * Test the certificate callback.
8483 * Test 0: Callback fails
8484 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8485 * Test 2: Success - SSL_set_SSL_CTX() in the callback
8486 * Test 3: Success - Call SSL_check_chain from the callback
8487 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8488 * chain
8489 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8490 */
8491static int test_cert_cb_int(int prot, int tst)
8492{
8493 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8494 SSL *clientssl = NULL, *serverssl = NULL;
8495 int testresult = 0, ret;
8496
8497#ifdef OPENSSL_NO_EC
8498 /* We use an EC cert in these tests, so we skip in a no-ec build */
8499 if (tst >= 3)
8500 return 1;
8501#endif
8502
8503 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8504 TLS_client_method(),
8505 TLS1_VERSION,
8506 prot,
8507 &sctx, &cctx, NULL, NULL)))
8508 goto end;
8509
8510 if (tst == 0)
8511 cert_cb_cnt = -1;
8512 else if (tst >= 3)
8513 cert_cb_cnt = 3;
8514 else
8515 cert_cb_cnt = 0;
8516
8517 if (tst == 2) {
8518 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8519 if (!TEST_ptr(snictx))
8520 goto end;
8521 }
8522
8523 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8524
8525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8526 NULL, NULL)))
8527 goto end;
8528
8529 if (tst == 4) {
8530 /*
8531 * We cause SSL_check_chain() to fail by specifying sig_algs that
8532 * the chain doesn't meet (the root uses an RSA cert)
8533 */
8534 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8535 "ecdsa_secp256r1_sha256")))
8536 goto end;
8537 } else if (tst == 5) {
8538 /*
8539 * We cause SSL_check_chain() to fail by specifying sig_algs that
8540 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8541 */
8542 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8543 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8544 goto end;
8545 }
8546
8547 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8548 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8549 || (tst > 0
8550 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8551 goto end;
8552 }
8553
8554 testresult = 1;
8555
8556 end:
8557 SSL_free(serverssl);
8558 SSL_free(clientssl);
8559 SSL_CTX_free(sctx);
8560 SSL_CTX_free(cctx);
8561 SSL_CTX_free(snictx);
8562
8563 return testresult;
8564}
8565#endif
8566
8567static int test_cert_cb(int tst)
8568{
8569 int testresult = 1;
8570
8571#ifndef OPENSSL_NO_TLS1_2
8572 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8573#endif
8574#ifndef OSSL_NO_USABLE_TLS1_3
8575 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8576#endif
8577
8578 return testresult;
8579}
8580
8581static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8582{
8583 X509 *xcert;
8584 EVP_PKEY *privpkey;
8585 BIO *in = NULL;
8586 BIO *priv_in = NULL;
8587
8588 /* Check that SSL_get0_peer_certificate() returns something sensible */
8589 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8590 return 0;
8591
8592 in = BIO_new_file(cert, "r");
8593 if (!TEST_ptr(in))
8594 return 0;
8595
8596 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8597 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8598 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8599 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8600 NULL, NULL,
8601 libctx, NULL)))
8602 goto err;
8603
8604 *x509 = xcert;
8605 *pkey = privpkey;
8606
8607 BIO_free(in);
8608 BIO_free(priv_in);
8609 return 1;
8610err:
8611 X509_free(xcert);
8612 BIO_free(in);
8613 BIO_free(priv_in);
8614 return 0;
8615}
8616
8617static int test_client_cert_cb(int tst)
8618{
8619 SSL_CTX *cctx = NULL, *sctx = NULL;
8620 SSL *clientssl = NULL, *serverssl = NULL;
8621 int testresult = 0;
8622
8623#ifdef OPENSSL_NO_TLS1_2
8624 if (tst == 0)
8625 return 1;
8626#endif
8627#ifdef OSSL_NO_USABLE_TLS1_3
8628 if (tst == 1)
8629 return 1;
8630#endif
8631
8632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8633 TLS_client_method(),
8634 TLS1_VERSION,
8635 tst == 0 ? TLS1_2_VERSION
8636 : TLS1_3_VERSION,
8637 &sctx, &cctx, cert, privkey)))
8638 goto end;
8639
8640 /*
8641 * Test that setting a client_cert_cb results in a client certificate being
8642 * sent.
8643 */
8644 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8645 SSL_CTX_set_verify(sctx,
8646 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8647 verify_cb);
8648
8649 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8650 NULL, NULL))
8651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8652 SSL_ERROR_NONE)))
8653 goto end;
8654
8655 testresult = 1;
8656
8657 end:
8658 SSL_free(serverssl);
8659 SSL_free(clientssl);
8660 SSL_CTX_free(sctx);
8661 SSL_CTX_free(cctx);
8662
8663 return testresult;
8664}
8665
8666#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8667/*
8668 * Test setting certificate authorities on both client and server.
8669 *
8670 * Test 0: SSL_CTX_set0_CA_list() only
8671 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8672 * Test 2: Only SSL_CTX_set_client_CA_list()
8673 */
8674static int test_ca_names_int(int prot, int tst)
8675{
8676 SSL_CTX *cctx = NULL, *sctx = NULL;
8677 SSL *clientssl = NULL, *serverssl = NULL;
8678 int testresult = 0;
8679 size_t i;
8680 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8681 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8682 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8683 const STACK_OF(X509_NAME) *sktmp = NULL;
8684
8685 for (i = 0; i < OSSL_NELEM(name); i++) {
8686 name[i] = X509_NAME_new();
8687 if (!TEST_ptr(name[i])
8688 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8689 MBSTRING_ASC,
8690 (unsigned char *)
8691 strnames[i],
8692 -1, -1, 0)))
8693 goto end;
8694 }
8695
8696 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8697 TLS_client_method(),
8698 TLS1_VERSION,
8699 prot,
8700 &sctx, &cctx, cert, privkey)))
8701 goto end;
8702
8703 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8704
8705 if (tst == 0 || tst == 1) {
8706 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8707 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8708 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8709 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8710 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8711 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8712 goto end;
8713
8714 SSL_CTX_set0_CA_list(sctx, sk1);
8715 SSL_CTX_set0_CA_list(cctx, sk2);
8716 sk1 = sk2 = NULL;
8717 }
8718 if (tst == 1 || tst == 2) {
8719 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8720 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8721 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8722 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8723 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8724 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8725 goto end;
8726
8727 SSL_CTX_set_client_CA_list(sctx, sk1);
8728 SSL_CTX_set_client_CA_list(cctx, sk2);
8729 sk1 = sk2 = NULL;
8730 }
8731
8732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8733 NULL, NULL))
8734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8735 SSL_ERROR_NONE)))
8736 goto end;
8737
8738 /*
8739 * We only expect certificate authorities to have been sent to the server
8740 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8741 */
8742 sktmp = SSL_get0_peer_CA_list(serverssl);
8743 if (prot == TLS1_3_VERSION
8744 && (tst == 0 || tst == 1)) {
8745 if (!TEST_ptr(sktmp)
8746 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8747 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8748 name[0]), 0)
8749 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8750 name[1]), 0))
8751 goto end;
8752 } else if (!TEST_ptr_null(sktmp)) {
8753 goto end;
8754 }
8755
8756 /*
8757 * In all tests we expect certificate authorities to have been sent to the
8758 * client. However, SSL_set_client_CA_list() should override
8759 * SSL_set0_CA_list()
8760 */
8761 sktmp = SSL_get0_peer_CA_list(clientssl);
8762 if (!TEST_ptr(sktmp)
8763 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8764 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8765 name[tst == 0 ? 0 : 2]), 0)
8766 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8767 name[tst == 0 ? 1 : 3]), 0))
8768 goto end;
8769
8770 testresult = 1;
8771
8772 end:
8773 SSL_free(serverssl);
8774 SSL_free(clientssl);
8775 SSL_CTX_free(sctx);
8776 SSL_CTX_free(cctx);
8777 for (i = 0; i < OSSL_NELEM(name); i++)
8778 X509_NAME_free(name[i]);
8779 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8780 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8781
8782 return testresult;
8783}
8784#endif
8785
8786static int test_ca_names(int tst)
8787{
8788 int testresult = 1;
8789
8790#ifndef OPENSSL_NO_TLS1_2
8791 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8792#endif
8793#ifndef OSSL_NO_USABLE_TLS1_3
8794 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8795#endif
8796
8797 return testresult;
8798}
8799
8800#ifndef OPENSSL_NO_TLS1_2
8801static const char *multiblock_cipherlist_data[]=
8802{
8803 "AES128-SHA",
8804 "AES128-SHA256",
8805 "AES256-SHA",
8806 "AES256-SHA256",
8807};
8808
8809/* Reduce the fragment size - so the multiblock test buffer can be small */
8810# define MULTIBLOCK_FRAGSIZE 512
8811
8812static int test_multiblock_write(int test_index)
8813{
8814 static const char *fetchable_ciphers[]=
8815 {
8816 "AES-128-CBC-HMAC-SHA1",
8817 "AES-128-CBC-HMAC-SHA256",
8818 "AES-256-CBC-HMAC-SHA1",
8819 "AES-256-CBC-HMAC-SHA256"
8820 };
8821 const char *cipherlist = multiblock_cipherlist_data[test_index];
8822 const SSL_METHOD *smeth = TLS_server_method();
8823 const SSL_METHOD *cmeth = TLS_client_method();
8824 int min_version = TLS1_VERSION;
8825 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8826 SSL_CTX *cctx = NULL, *sctx = NULL;
8827 SSL *clientssl = NULL, *serverssl = NULL;
8828 int testresult = 0;
8829
8830 /*
8831 * Choose a buffer large enough to perform a multi-block operation
8832 * i.e: write_len >= 4 * frag_size
8833 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8834 */
8835 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8836 unsigned char buf[sizeof(msg)], *p = buf;
8837 size_t readbytes, written, len;
8838 EVP_CIPHER *ciph = NULL;
8839
8840 /*
8841 * Check if the cipher exists before attempting to use it since it only has
8842 * a hardware specific implementation.
8843 */
8844 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8845 if (ciph == NULL) {
8846 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8847 return 1;
8848 }
8849 EVP_CIPHER_free(ciph);
8850
8851 /* Set up a buffer with some data that will be sent to the client */
8852 RAND_bytes(msg, sizeof(msg));
8853
8854 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8855 max_version, &sctx, &cctx, cert,
8856 privkey)))
8857 goto end;
8858
8859 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8860 goto end;
8861
8862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8863 NULL, NULL)))
8864 goto end;
8865
8866 /* settings to force it to use AES-CBC-HMAC_SHA */
8867 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8868 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8869 goto end;
8870
8871 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8872 goto end;
8873
8874 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8875 || !TEST_size_t_eq(written, sizeof(msg)))
8876 goto end;
8877
8878 len = written;
8879 while (len > 0) {
8880 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8881 goto end;
8882 p += readbytes;
8883 len -= readbytes;
8884 }
8885 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8886 goto end;
8887
8888 testresult = 1;
8889end:
8890 SSL_free(serverssl);
8891 SSL_free(clientssl);
8892 SSL_CTX_free(sctx);
8893 SSL_CTX_free(cctx);
8894
8895 return testresult;
8896}
8897#endif /* OPENSSL_NO_TLS1_2 */
8898
8899static int test_session_timeout(int test)
8900{
8901 /*
8902 * Test session ordering and timeout
8903 * Can't explicitly test performance of the new code,
8904 * but can test to see if the ordering of the sessions
8905 * are correct, and they they are removed as expected
8906 */
8907 SSL_SESSION *early = NULL;
8908 SSL_SESSION *middle = NULL;
8909 SSL_SESSION *late = NULL;
8910 SSL_CTX *ctx;
8911 int testresult = 0;
8912 long now = (long)time(NULL);
8913#define TIMEOUT 10
8914
8915 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8916 || !TEST_ptr(early = SSL_SESSION_new())
8917 || !TEST_ptr(middle = SSL_SESSION_new())
8918 || !TEST_ptr(late = SSL_SESSION_new()))
8919 goto end;
8920
8921 /* assign unique session ids */
8922 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8923 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8924 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8925 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8926 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8927 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8928
8929 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8930 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8931 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8932 goto end;
8933
8934 /* Make sure they are all added */
8935 if (!TEST_ptr(early->prev)
8936 || !TEST_ptr(middle->prev)
8937 || !TEST_ptr(late->prev))
8938 goto end;
8939
8940 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8941 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8942 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8943 goto end;
8944
8945 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8946 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8947 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8948 goto end;
8949
8950 /* Make sure they are all still there */
8951 if (!TEST_ptr(early->prev)
8952 || !TEST_ptr(middle->prev)
8953 || !TEST_ptr(late->prev))
8954 goto end;
8955
8956 /* Make sure they are in the expected order */
8957 if (!TEST_ptr_eq(late->next, middle)
8958 || !TEST_ptr_eq(middle->next, early)
8959 || !TEST_ptr_eq(early->prev, middle)
8960 || !TEST_ptr_eq(middle->prev, late))
8961 goto end;
8962
8963 /* This should remove "early" */
8964 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8965 if (!TEST_ptr_null(early->prev)
8966 || !TEST_ptr(middle->prev)
8967 || !TEST_ptr(late->prev))
8968 goto end;
8969
8970 /* This should remove "middle" */
8971 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8972 if (!TEST_ptr_null(early->prev)
8973 || !TEST_ptr_null(middle->prev)
8974 || !TEST_ptr(late->prev))
8975 goto end;
8976
8977 /* This should remove "late" */
8978 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8979 if (!TEST_ptr_null(early->prev)
8980 || !TEST_ptr_null(middle->prev)
8981 || !TEST_ptr_null(late->prev))
8982 goto end;
8983
8984 /* Add them back in again */
8985 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8986 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8987 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8988 goto end;
8989
8990 /* Make sure they are all added */
8991 if (!TEST_ptr(early->prev)
8992 || !TEST_ptr(middle->prev)
8993 || !TEST_ptr(late->prev))
8994 goto end;
8995
8996 /* This should remove all of them */
8997 SSL_CTX_flush_sessions(ctx, 0);
8998 if (!TEST_ptr_null(early->prev)
8999 || !TEST_ptr_null(middle->prev)
9000 || !TEST_ptr_null(late->prev))
9001 goto end;
9002
9003 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9004 | SSL_CTX_get_session_cache_mode(ctx));
9005
9006 /* make sure |now| is NOT equal to the current time */
9007 now -= 10;
9008 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9009 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9010 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9011 goto end;
9012
9013 testresult = 1;
9014 end:
9015 SSL_CTX_free(ctx);
9016 SSL_SESSION_free(early);
9017 SSL_SESSION_free(middle);
9018 SSL_SESSION_free(late);
9019 return testresult;
9020}
9021
9022/*
9023 * Test that a session cache overflow works as expected
9024 * Test 0: TLSv1.3, timeout on new session later than old session
9025 * Test 1: TLSv1.2, timeout on new session later than old session
9026 * Test 2: TLSv1.3, timeout on new session earlier than old session
9027 * Test 3: TLSv1.2, timeout on new session earlier than old session
9028 */
9029#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9030static int test_session_cache_overflow(int idx)
9031{
9032 SSL_CTX *sctx = NULL, *cctx = NULL;
9033 SSL *serverssl = NULL, *clientssl = NULL;
9034 int testresult = 0;
9035 SSL_SESSION *sess = NULL;
9036
9037#ifdef OSSL_NO_USABLE_TLS1_3
9038 /* If no TLSv1.3 available then do nothing in this case */
9039 if (idx % 2 == 0)
9040 return TEST_skip("No TLSv1.3 available");
9041#endif
9042#ifdef OPENSSL_NO_TLS1_2
9043 /* If no TLSv1.2 available then do nothing in this case */
9044 if (idx % 2 == 1)
9045 return TEST_skip("No TLSv1.2 available");
9046#endif
9047
9048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9049 TLS_client_method(), TLS1_VERSION,
9050 (idx % 2 == 0) ? TLS1_3_VERSION
9051 : TLS1_2_VERSION,
9052 &sctx, &cctx, cert, privkey))
9053 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9054 goto end;
9055
9056 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9057 get_sess_val = NULL;
9058
9059 SSL_CTX_sess_set_cache_size(sctx, 1);
9060
9061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9062 NULL, NULL)))
9063 goto end;
9064
9065 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9066 goto end;
9067
9068 if (idx > 1) {
9069 sess = SSL_get_session(serverssl);
9070 if (!TEST_ptr(sess))
9071 goto end;
9072
9073 /*
9074 * Cause this session to have a longer timeout than the next session to
9075 * be added.
9076 */
9077 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
9078 sess = NULL;
9079 goto end;
9080 }
9081 sess = NULL;
9082 }
9083
9084 SSL_shutdown(serverssl);
9085 SSL_shutdown(clientssl);
9086 SSL_free(serverssl);
9087 SSL_free(clientssl);
9088 serverssl = clientssl = NULL;
9089
9090 /*
9091 * Session cache size is 1 and we already populated the cache with a session
9092 * so the next connection should cause an overflow.
9093 */
9094
9095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9096 NULL, NULL)))
9097 goto end;
9098
9099 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9100 goto end;
9101
9102 /*
9103 * The session we just negotiated may have been already removed from the
9104 * internal cache - but we will return it anyway from our external cache.
9105 */
9106 get_sess_val = SSL_get_session(serverssl);
9107 if (!TEST_ptr(get_sess_val))
9108 goto end;
9109 sess = SSL_get1_session(clientssl);
9110 if (!TEST_ptr(sess))
9111 goto end;
9112
9113 SSL_shutdown(serverssl);
9114 SSL_shutdown(clientssl);
9115 SSL_free(serverssl);
9116 SSL_free(clientssl);
9117 serverssl = clientssl = NULL;
9118
9119 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9120 NULL, NULL)))
9121 goto end;
9122
9123 if (!TEST_true(SSL_set_session(clientssl, sess)))
9124 goto end;
9125
9126 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9127 goto end;
9128
9129 testresult = 1;
9130
9131 end:
9132 SSL_free(serverssl);
9133 SSL_free(clientssl);
9134 SSL_CTX_free(sctx);
9135 SSL_CTX_free(cctx);
9136 SSL_SESSION_free(sess);
9137
9138 return testresult;
9139}
9140#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9141
9142/*
9143 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9144 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9145 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9146 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9147 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9148 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9149 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9150 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9151 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9152 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9153 */
9154static int test_servername(int tst)
9155{
9156 SSL_CTX *cctx = NULL, *sctx = NULL;
9157 SSL *clientssl = NULL, *serverssl = NULL;
9158 int testresult = 0;
9159 SSL_SESSION *sess = NULL;
9160 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9161
9162#ifdef OPENSSL_NO_TLS1_2
9163 if (tst <= 4)
9164 return 1;
9165#endif
9166#ifdef OSSL_NO_USABLE_TLS1_3
9167 if (tst >= 5)
9168 return 1;
9169#endif
9170
9171 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9172 TLS_client_method(),
9173 TLS1_VERSION,
9174 (tst <= 4) ? TLS1_2_VERSION
9175 : TLS1_3_VERSION,
9176 &sctx, &cctx, cert, privkey))
9177 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9178 NULL, NULL)))
9179 goto end;
9180
9181 if (tst != 1 && tst != 6) {
9182 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9183 hostname_cb)))
9184 goto end;
9185 }
9186
9187 if (tst != 3 && tst != 8) {
9188 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9189 goto end;
9190 sexpectedhost = cexpectedhost = "goodhost";
9191 }
9192
9193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9194 goto end;
9195
9196 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9197 cexpectedhost)
9198 || !TEST_str_eq(SSL_get_servername(serverssl,
9199 TLSEXT_NAMETYPE_host_name),
9200 sexpectedhost))
9201 goto end;
9202
9203 /* Now repeat with a resumption handshake */
9204
9205 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9206 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9207 || !TEST_true(SSL_SESSION_is_resumable(sess))
9208 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9209 goto end;
9210
9211 SSL_free(clientssl);
9212 SSL_free(serverssl);
9213 clientssl = serverssl = NULL;
9214
9215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9216 NULL)))
9217 goto end;
9218
9219 if (!TEST_true(SSL_set_session(clientssl, sess)))
9220 goto end;
9221
9222 sexpectedhost = cexpectedhost = "goodhost";
9223 if (tst == 2 || tst == 7) {
9224 /* Set an inconsistent hostname */
9225 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9226 goto end;
9227 /*
9228 * In TLSv1.2 we expect the hostname from the original handshake, in
9229 * TLSv1.3 we expect the hostname from this handshake
9230 */
9231 if (tst == 7)
9232 sexpectedhost = cexpectedhost = "altgoodhost";
9233
9234 if (!TEST_str_eq(SSL_get_servername(clientssl,
9235 TLSEXT_NAMETYPE_host_name),
9236 "altgoodhost"))
9237 goto end;
9238 } else if (tst == 4 || tst == 9) {
9239 /*
9240 * A TLSv1.3 session does not associate a session with a servername,
9241 * but a TLSv1.2 session does.
9242 */
9243 if (tst == 9)
9244 sexpectedhost = cexpectedhost = NULL;
9245
9246 if (!TEST_str_eq(SSL_get_servername(clientssl,
9247 TLSEXT_NAMETYPE_host_name),
9248 cexpectedhost))
9249 goto end;
9250 } else {
9251 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9252 goto end;
9253 /*
9254 * In a TLSv1.2 resumption where the hostname was not acknowledged
9255 * we expect the hostname on the server to be empty. On the client we
9256 * return what was requested in this case.
9257 *
9258 * Similarly if the client didn't set a hostname on an original TLSv1.2
9259 * session but is now, the server hostname will be empty, but the client
9260 * is as we set it.
9261 */
9262 if (tst == 1 || tst == 3)
9263 sexpectedhost = NULL;
9264
9265 if (!TEST_str_eq(SSL_get_servername(clientssl,
9266 TLSEXT_NAMETYPE_host_name),
9267 "goodhost"))
9268 goto end;
9269 }
9270
9271 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9272 goto end;
9273
9274 if (!TEST_true(SSL_session_reused(clientssl))
9275 || !TEST_true(SSL_session_reused(serverssl))
9276 || !TEST_str_eq(SSL_get_servername(clientssl,
9277 TLSEXT_NAMETYPE_host_name),
9278 cexpectedhost)
9279 || !TEST_str_eq(SSL_get_servername(serverssl,
9280 TLSEXT_NAMETYPE_host_name),
9281 sexpectedhost))
9282 goto end;
9283
9284 testresult = 1;
9285
9286 end:
9287 SSL_SESSION_free(sess);
9288 SSL_free(serverssl);
9289 SSL_free(clientssl);
9290 SSL_CTX_free(sctx);
9291 SSL_CTX_free(cctx);
9292
9293 return testresult;
9294}
9295
9296#if !defined(OPENSSL_NO_EC) \
9297 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9298/*
9299 * Test that if signature algorithms are not available, then we do not offer or
9300 * accept them.
9301 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9302 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9303 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9304 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9305 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9306 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9307 */
9308static int test_sigalgs_available(int idx)
9309{
9310 SSL_CTX *cctx = NULL, *sctx = NULL;
9311 SSL *clientssl = NULL, *serverssl = NULL;
9312 int testresult = 0;
9313 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9314 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9315 OSSL_PROVIDER *filterprov = NULL;
9316 int sig, hash;
9317
9318 if (!TEST_ptr(tmpctx))
9319 goto end;
9320
9321 if (idx != 0 && idx != 3) {
9322 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9323 filter_provider_init)))
9324 goto end;
9325
9326 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9327 if (!TEST_ptr(filterprov))
9328 goto end;
9329
9330 if (idx < 3) {
9331 /*
9332 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9333 * or accepted for the peer that uses this libctx. Note that libssl
9334 * *requires* SHA2-256 to be available so we cannot disable that. We
9335 * also need SHA1 for our certificate.
9336 */
9337 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9338 "SHA2-256:SHA1")))
9339 goto end;
9340 } else {
9341 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9342 "ECDSA"))
9343 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9344 "EC:X25519:X448")))
9345 goto end;
9346 }
9347
9348 if (idx == 1 || idx == 4)
9349 clientctx = tmpctx;
9350 else
9351 serverctx = tmpctx;
9352 }
9353
9354 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9355 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9356 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9357 goto end;
9358
9359 if (idx != 5) {
9360 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9361 TLS_client_method(),
9362 TLS1_VERSION,
9363 0,
9364 &sctx, &cctx, cert, privkey)))
9365 goto end;
9366 } else {
9367 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9368 TLS_client_method(),
9369 TLS1_VERSION,
9370 0,
9371 &sctx, &cctx, cert2, privkey2)))
9372 goto end;
9373 }
9374
9375 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9376 if (idx < 4) {
9377 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9378 "ECDHE-RSA-AES128-GCM-SHA256")))
9379 goto end;
9380 } else {
9381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9382 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9383 goto end;
9384 }
9385
9386 if (idx < 3) {
9387 if (!SSL_CTX_set1_sigalgs_list(cctx,
9388 "rsa_pss_rsae_sha384"
9389 ":rsa_pss_rsae_sha256")
9390 || !SSL_CTX_set1_sigalgs_list(sctx,
9391 "rsa_pss_rsae_sha384"
9392 ":rsa_pss_rsae_sha256"))
9393 goto end;
9394 } else {
9395 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9396 || !SSL_CTX_set1_sigalgs_list(sctx,
9397 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9398 goto end;
9399 }
9400
9401 if (idx != 5
9402 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9403 SSL_FILETYPE_PEM), 1)
9404 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9405 privkey2,
9406 SSL_FILETYPE_PEM), 1)
9407 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9408 goto end;
9409
9410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9411 NULL, NULL)))
9412 goto end;
9413
9414 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9415 goto end;
9416
9417 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9418 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9419 NULL, NULL),
9420 (idx == 0 || idx == 3) ? 2 : 1))
9421 goto end;
9422
9423 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9424 goto end;
9425
9426 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9427 : NID_rsassaPss))
9428 goto end;
9429
9430 testresult = filter_provider_check_clean_finish();
9431
9432 end:
9433 SSL_free(serverssl);
9434 SSL_free(clientssl);
9435 SSL_CTX_free(sctx);
9436 SSL_CTX_free(cctx);
9437 OSSL_PROVIDER_unload(filterprov);
9438 OSSL_LIB_CTX_free(tmpctx);
9439
9440 return testresult;
9441}
9442#endif /*
9443 * !defined(OPENSSL_NO_EC) \
9444 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9445 */
9446
9447#ifndef OPENSSL_NO_TLS1_3
9448/* This test can run in TLSv1.3 even if ec and dh are disabled */
9449static int test_pluggable_group(int idx)
9450{
9451 SSL_CTX *cctx = NULL, *sctx = NULL;
9452 SSL *clientssl = NULL, *serverssl = NULL;
9453 int testresult = 0;
9454 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9455 /* Check that we are not impacted by a provider without any groups */
9456 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9457 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9458
9459 if (!TEST_ptr(tlsprov))
9460 goto end;
9461
9462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9463 TLS_client_method(),
9464 TLS1_3_VERSION,
9465 TLS1_3_VERSION,
9466 &sctx, &cctx, cert, privkey))
9467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9468 NULL, NULL)))
9469 goto end;
9470
9471 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9472 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9473 /* removing a single algorithm from the list makes the test pass */
9474 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9475 goto end;
9476
9477 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9478 goto end;
9479
9480 if (!TEST_str_eq(group_name,
9481 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9482 goto end;
9483
9484 testresult = 1;
9485
9486 end:
9487 SSL_free(serverssl);
9488 SSL_free(clientssl);
9489 SSL_CTX_free(sctx);
9490 SSL_CTX_free(cctx);
9491 OSSL_PROVIDER_unload(tlsprov);
9492 OSSL_PROVIDER_unload(legacyprov);
9493
9494 return testresult;
9495}
9496#endif
9497
9498#ifndef OPENSSL_NO_TLS1_2
9499static int test_ssl_dup(void)
9500{
9501 SSL_CTX *cctx = NULL, *sctx = NULL;
9502 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9503 int testresult = 0;
9504 BIO *rbio = NULL, *wbio = NULL;
9505
9506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9507 TLS_client_method(),
9508 0,
9509 0,
9510 &sctx, &cctx, cert, privkey)))
9511 goto end;
9512
9513 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9514 NULL, NULL)))
9515 goto end;
9516
9517 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9518 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9519 goto end;
9520
9521 client2ssl = SSL_dup(clientssl);
9522 rbio = SSL_get_rbio(clientssl);
9523 if (!TEST_ptr(rbio)
9524 || !TEST_true(BIO_up_ref(rbio)))
9525 goto end;
9526 SSL_set0_rbio(client2ssl, rbio);
9527 rbio = NULL;
9528
9529 wbio = SSL_get_wbio(clientssl);
9530 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9531 goto end;
9532 SSL_set0_wbio(client2ssl, wbio);
9533 rbio = NULL;
9534
9535 if (!TEST_ptr(client2ssl)
9536 /* Handshake not started so pointers should be different */
9537 || !TEST_ptr_ne(clientssl, client2ssl))
9538 goto end;
9539
9540 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9541 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9542 goto end;
9543
9544 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9545 goto end;
9546
9547 SSL_free(clientssl);
9548 clientssl = SSL_dup(client2ssl);
9549 if (!TEST_ptr(clientssl)
9550 /* Handshake has finished so pointers should be the same */
9551 || !TEST_ptr_eq(clientssl, client2ssl))
9552 goto end;
9553
9554 testresult = 1;
9555
9556 end:
9557 SSL_free(serverssl);
9558 SSL_free(clientssl);
9559 SSL_free(client2ssl);
9560 SSL_CTX_free(sctx);
9561 SSL_CTX_free(cctx);
9562
9563 return testresult;
9564}
9565
9566# ifndef OPENSSL_NO_DH
9567
9568static EVP_PKEY *tmp_dh_params = NULL;
9569
9570/* Helper function for the test_set_tmp_dh() tests */
9571static EVP_PKEY *get_tmp_dh_params(void)
9572{
9573 if (tmp_dh_params == NULL) {
9574 BIGNUM *p = NULL;
9575 OSSL_PARAM_BLD *tmpl = NULL;
9576 EVP_PKEY_CTX *pctx = NULL;
9577 OSSL_PARAM *params = NULL;
9578 EVP_PKEY *dhpkey = NULL;
9579
9580 p = BN_get_rfc3526_prime_2048(NULL);
9581 if (!TEST_ptr(p))
9582 goto end;
9583
9584 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9585 if (!TEST_ptr(pctx)
9586 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9587 goto end;
9588
9589 tmpl = OSSL_PARAM_BLD_new();
9590 if (!TEST_ptr(tmpl)
9591 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9592 OSSL_PKEY_PARAM_FFC_P,
9593 p))
9594 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9595 OSSL_PKEY_PARAM_FFC_G,
9596 2)))
9597 goto end;
9598
9599 params = OSSL_PARAM_BLD_to_param(tmpl);
9600 if (!TEST_ptr(params)
9601 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9602 EVP_PKEY_KEY_PARAMETERS,
9603 params), 1))
9604 goto end;
9605
9606 tmp_dh_params = dhpkey;
9607 end:
9608 BN_free(p);
9609 EVP_PKEY_CTX_free(pctx);
9610 OSSL_PARAM_BLD_free(tmpl);
9611 OSSL_PARAM_free(params);
9612 }
9613
9614 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9615 return NULL;
9616
9617 return tmp_dh_params;
9618}
9619
9620# ifndef OPENSSL_NO_DEPRECATED_3_0
9621/* Callback used by test_set_tmp_dh() */
9622static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9623{
9624 EVP_PKEY *dhpkey = get_tmp_dh_params();
9625 DH *ret = NULL;
9626
9627 if (!TEST_ptr(dhpkey))
9628 return NULL;
9629
9630 /*
9631 * libssl does not free the returned DH, so we free it now knowing that even
9632 * after we free dhpkey, there will still be a reference to the owning
9633 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9634 * of time we need it for.
9635 */
9636 ret = EVP_PKEY_get1_DH(dhpkey);
9637 DH_free(ret);
9638
9639 EVP_PKEY_free(dhpkey);
9640
9641 return ret;
9642}
9643# endif
9644
9645/*
9646 * Test the various methods for setting temporary DH parameters
9647 *
9648 * Test 0: Default (no auto) setting
9649 * Test 1: Explicit SSL_CTX auto off
9650 * Test 2: Explicit SSL auto off
9651 * Test 3: Explicit SSL_CTX auto on
9652 * Test 4: Explicit SSL auto on
9653 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9654 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9655 *
9656 * The following are testing deprecated APIs, so we only run them if available
9657 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9658 * Test 8: Explicit SSL auto off, custom DH params via DH
9659 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9660 * Test 10: Explicit SSL auto off, custom DH params via callback
9661 */
9662static int test_set_tmp_dh(int idx)
9663{
9664 SSL_CTX *cctx = NULL, *sctx = NULL;
9665 SSL *clientssl = NULL, *serverssl = NULL;
9666 int testresult = 0;
9667 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9668 int expected = (idx <= 2) ? 0 : 1;
9669 EVP_PKEY *dhpkey = NULL;
9670# ifndef OPENSSL_NO_DEPRECATED_3_0
9671 DH *dh = NULL;
9672# else
9673
9674 if (idx >= 7)
9675 return 1;
9676# endif
9677
9678 if (idx >= 5 && idx <= 8) {
9679 dhpkey = get_tmp_dh_params();
9680 if (!TEST_ptr(dhpkey))
9681 goto end;
9682 }
9683# ifndef OPENSSL_NO_DEPRECATED_3_0
9684 if (idx == 7 || idx == 8) {
9685 dh = EVP_PKEY_get1_DH(dhpkey);
9686 if (!TEST_ptr(dh))
9687 goto end;
9688 }
9689# endif
9690
9691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9692 TLS_client_method(),
9693 0,
9694 0,
9695 &sctx, &cctx, cert, privkey)))
9696 goto end;
9697
9698 if ((idx & 1) == 1) {
9699 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9700 goto end;
9701 }
9702
9703 if (idx == 5) {
9704 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9705 goto end;
9706 dhpkey = NULL;
9707 }
9708# ifndef OPENSSL_NO_DEPRECATED_3_0
9709 else if (idx == 7) {
9710 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9711 goto end;
9712 } else if (idx == 9) {
9713 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9714 }
9715# endif
9716
9717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9718 NULL, NULL)))
9719 goto end;
9720
9721 if ((idx & 1) == 0 && idx != 0) {
9722 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9723 goto end;
9724 }
9725 if (idx == 6) {
9726 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9727 goto end;
9728 dhpkey = NULL;
9729 }
9730# ifndef OPENSSL_NO_DEPRECATED_3_0
9731 else if (idx == 8) {
9732 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9733 goto end;
9734 } else if (idx == 10) {
9735 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9736 }
9737# endif
9738
9739 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9740 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9741 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9742 goto end;
9743
9744 /*
9745 * If autoon then we should succeed. Otherwise we expect failure because
9746 * there are no parameters
9747 */
9748 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9749 SSL_ERROR_NONE), expected))
9750 goto end;
9751
9752 testresult = 1;
9753
9754 end:
9755# ifndef OPENSSL_NO_DEPRECATED_3_0
9756 DH_free(dh);
9757# endif
9758 SSL_free(serverssl);
9759 SSL_free(clientssl);
9760 SSL_CTX_free(sctx);
9761 SSL_CTX_free(cctx);
9762 EVP_PKEY_free(dhpkey);
9763
9764 return testresult;
9765}
9766
9767/*
9768 * Test the auto DH keys are appropriately sized
9769 */
9770static int test_dh_auto(int idx)
9771{
9772 SSL_CTX *cctx = NULL, *sctx = NULL;
9773 SSL *clientssl = NULL, *serverssl = NULL;
9774 int testresult = 0;
9775 EVP_PKEY *tmpkey = NULL;
9776 char *thiscert = NULL, *thiskey = NULL;
9777 size_t expdhsize = 0;
9778 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9779
9780 switch (idx) {
9781 case 0:
9782 /* The FIPS provider doesn't support this DH size - so we ignore it */
9783 if (is_fips)
9784 return 1;
9785 thiscert = cert1024;
9786 thiskey = privkey1024;
9787 expdhsize = 1024;
9788 break;
9789 case 1:
9790 /* 2048 bit prime */
9791 thiscert = cert;
9792 thiskey = privkey;
9793 expdhsize = 2048;
9794 break;
9795 case 2:
9796 thiscert = cert3072;
9797 thiskey = privkey3072;
9798 expdhsize = 3072;
9799 break;
9800 case 3:
9801 thiscert = cert4096;
9802 thiskey = privkey4096;
9803 expdhsize = 4096;
9804 break;
9805 case 4:
9806 thiscert = cert8192;
9807 thiskey = privkey8192;
9808 expdhsize = 8192;
9809 break;
9810 /* No certificate cases */
9811 case 5:
9812 /* The FIPS provider doesn't support this DH size - so we ignore it */
9813 if (is_fips)
9814 return 1;
9815 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9816 expdhsize = 1024;
9817 break;
9818 case 6:
9819 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9820 expdhsize = 3072;
9821 break;
9822 default:
9823 TEST_error("Invalid text index");
9824 goto end;
9825 }
9826
9827 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9828 TLS_client_method(),
9829 0,
9830 0,
9831 &sctx, &cctx, thiscert, thiskey)))
9832 goto end;
9833
9834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9835 NULL, NULL)))
9836 goto end;
9837
9838 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9839 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9840 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9841 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9842 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9843 goto end;
9844
9845 /*
9846 * Send the server's first flight. At this point the server has created the
9847 * temporary DH key but hasn't finished using it yet. Once used it is
9848 * removed, so we cannot test it.
9849 */
9850 if (!TEST_int_le(SSL_connect(clientssl), 0)
9851 || !TEST_int_le(SSL_accept(serverssl), 0))
9852 goto end;
9853
9854 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9855 goto end;
9856 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9857 goto end;
9858
9859 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9860 goto end;
9861
9862 testresult = 1;
9863
9864 end:
9865 SSL_free(serverssl);
9866 SSL_free(clientssl);
9867 SSL_CTX_free(sctx);
9868 SSL_CTX_free(cctx);
9869 EVP_PKEY_free(tmpkey);
9870
9871 return testresult;
9872
9873}
9874# endif /* OPENSSL_NO_DH */
9875#endif /* OPENSSL_NO_TLS1_2 */
9876
9877#ifndef OSSL_NO_USABLE_TLS1_3
9878/*
9879 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9880 * that it works even without a certificate configured for the original
9881 * SSL_CTX
9882 */
9883static int test_sni_tls13(void)
9884{
9885 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9886 SSL *clientssl = NULL, *serverssl = NULL;
9887 int testresult = 0;
9888
9889 /* Reset callback counter */
9890 snicb = 0;
9891
9892 /* Create an initial SSL_CTX with no certificate configured */
9893 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9894 if (!TEST_ptr(sctx))
9895 goto end;
9896 /* Require TLSv1.3 as a minimum */
9897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9898 TLS_client_method(), TLS1_3_VERSION, 0,
9899 &sctx2, &cctx, cert, privkey)))
9900 goto end;
9901
9902 /* Set up SNI */
9903 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9904 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9905 goto end;
9906
9907 /*
9908 * Connection should still succeed because the final SSL_CTX has the right
9909 * certificates configured.
9910 */
9911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9912 &clientssl, NULL, NULL))
9913 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9914 SSL_ERROR_NONE)))
9915 goto end;
9916
9917 /* We should have had the SNI callback called exactly once */
9918 if (!TEST_int_eq(snicb, 1))
9919 goto end;
9920
9921 testresult = 1;
9922
9923end:
9924 SSL_free(serverssl);
9925 SSL_free(clientssl);
9926 SSL_CTX_free(sctx2);
9927 SSL_CTX_free(sctx);
9928 SSL_CTX_free(cctx);
9929 return testresult;
9930}
9931
9932/*
9933 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9934 * 0 = TLSv1.2
9935 * 1 = TLSv1.3
9936 */
9937static int test_ticket_lifetime(int idx)
9938{
9939 SSL_CTX *cctx = NULL, *sctx = NULL;
9940 SSL *clientssl = NULL, *serverssl = NULL;
9941 int testresult = 0;
9942 int version = TLS1_3_VERSION;
9943
9944#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9945#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9946
9947 if (idx == 0) {
9948#ifdef OPENSSL_NO_TLS1_2
9949 return TEST_skip("TLS 1.2 is disabled.");
9950#else
9951 version = TLS1_2_VERSION;
9952#endif
9953 }
9954
9955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9956 TLS_client_method(), version, version,
9957 &sctx, &cctx, cert, privkey)))
9958 goto end;
9959
9960 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9961 &clientssl, NULL, NULL)))
9962 goto end;
9963
9964 /*
9965 * Set the timeout to be more than 1 week
9966 * make sure the returned value is the default
9967 */
9968 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9969 SSL_get_default_timeout(serverssl)))
9970 goto end;
9971
9972 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9973 goto end;
9974
9975 if (idx == 0) {
9976 /* TLSv1.2 uses the set value */
9977 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9978 goto end;
9979 } else {
9980 /* TLSv1.3 uses the limited value */
9981 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9982 goto end;
9983 }
9984 testresult = 1;
9985
9986end:
9987 SSL_free(serverssl);
9988 SSL_free(clientssl);
9989 SSL_CTX_free(sctx);
9990 SSL_CTX_free(cctx);
9991 return testresult;
9992}
9993#endif
9994/*
9995 * Test that setting an ALPN does not violate RFC
9996 */
9997static int test_set_alpn(void)
9998{
9999 SSL_CTX *ctx = NULL;
10000 SSL *ssl = NULL;
10001 int testresult = 0;
10002
10003 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10004 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10005 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10006 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10007 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10008 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10009
10010 /* Create an initial SSL_CTX with no certificate configured */
10011 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10012 if (!TEST_ptr(ctx))
10013 goto end;
10014
10015 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10016 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10017 goto end;
10018 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10019 goto end;
10020 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10021 goto end;
10022 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10023 goto end;
10024 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10025 goto end;
10026 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10027 goto end;
10028 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10029 goto end;
10030 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10031 goto end;
10032 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10033 goto end;
10034
10035 ssl = SSL_new(ctx);
10036 if (!TEST_ptr(ssl))
10037 goto end;
10038
10039 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10040 goto end;
10041 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10042 goto end;
10043 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10044 goto end;
10045 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10046 goto end;
10047 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10048 goto end;
10049 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10050 goto end;
10051 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10052 goto end;
10053 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10054 goto end;
10055 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10056 goto end;
10057
10058 testresult = 1;
10059
10060end:
10061 SSL_free(ssl);
10062 SSL_CTX_free(ctx);
10063 return testresult;
10064}
10065
10066/*
10067 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10068 */
10069static int test_set_verify_cert_store_ssl_ctx(void)
10070{
10071 SSL_CTX *ctx = NULL;
10072 int testresult = 0;
10073 X509_STORE *store = NULL, *new_store = NULL,
10074 *cstore = NULL, *new_cstore = NULL;
10075
10076 /* Create an initial SSL_CTX. */
10077 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10078 if (!TEST_ptr(ctx))
10079 goto end;
10080
10081 /* Retrieve verify store pointer. */
10082 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10083 goto end;
10084
10085 /* Retrieve chain store pointer. */
10086 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10087 goto end;
10088
10089 /* We haven't set any yet, so this should be NULL. */
10090 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10091 goto end;
10092
10093 /* Create stores. We use separate stores so pointers are different. */
10094 new_store = X509_STORE_new();
10095 if (!TEST_ptr(new_store))
10096 goto end;
10097
10098 new_cstore = X509_STORE_new();
10099 if (!TEST_ptr(new_cstore))
10100 goto end;
10101
10102 /* Set stores. */
10103 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10104 goto end;
10105
10106 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10107 goto end;
10108
10109 /* Should be able to retrieve the same pointer. */
10110 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10111 goto end;
10112
10113 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10114 goto end;
10115
10116 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10117 goto end;
10118
10119 /* Should be able to unset again. */
10120 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10121 goto end;
10122
10123 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10124 goto end;
10125
10126 /* Should now be NULL. */
10127 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10128 goto end;
10129
10130 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10131 goto end;
10132
10133 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10134 goto end;
10135
10136 testresult = 1;
10137
10138end:
10139 X509_STORE_free(new_store);
10140 X509_STORE_free(new_cstore);
10141 SSL_CTX_free(ctx);
10142 return testresult;
10143}
10144
10145/*
10146 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10147 */
10148static int test_set_verify_cert_store_ssl(void)
10149{
10150 SSL_CTX *ctx = NULL;
10151 SSL *ssl = NULL;
10152 int testresult = 0;
10153 X509_STORE *store = NULL, *new_store = NULL,
10154 *cstore = NULL, *new_cstore = NULL;
10155
10156 /* Create an initial SSL_CTX. */
10157 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10158 if (!TEST_ptr(ctx))
10159 goto end;
10160
10161 /* Create an SSL object. */
10162 ssl = SSL_new(ctx);
10163 if (!TEST_ptr(ssl))
10164 goto end;
10165
10166 /* Retrieve verify store pointer. */
10167 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10168 goto end;
10169
10170 /* Retrieve chain store pointer. */
10171 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10172 goto end;
10173
10174 /* We haven't set any yet, so this should be NULL. */
10175 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10176 goto end;
10177
10178 /* Create stores. We use separate stores so pointers are different. */
10179 new_store = X509_STORE_new();
10180 if (!TEST_ptr(new_store))
10181 goto end;
10182
10183 new_cstore = X509_STORE_new();
10184 if (!TEST_ptr(new_cstore))
10185 goto end;
10186
10187 /* Set stores. */
10188 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10189 goto end;
10190
10191 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10192 goto end;
10193
10194 /* Should be able to retrieve the same pointer. */
10195 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10196 goto end;
10197
10198 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10199 goto end;
10200
10201 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10202 goto end;
10203
10204 /* Should be able to unset again. */
10205 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10206 goto end;
10207
10208 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10209 goto end;
10210
10211 /* Should now be NULL. */
10212 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10213 goto end;
10214
10215 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10216 goto end;
10217
10218 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10219 goto end;
10220
10221 testresult = 1;
10222
10223end:
10224 X509_STORE_free(new_store);
10225 X509_STORE_free(new_cstore);
10226 SSL_free(ssl);
10227 SSL_CTX_free(ctx);
10228 return testresult;
10229}
10230
10231
10232static int test_inherit_verify_param(void)
10233{
10234 int testresult = 0;
10235
10236 SSL_CTX *ctx = NULL;
10237 X509_VERIFY_PARAM *cp = NULL;
10238 SSL *ssl = NULL;
10239 X509_VERIFY_PARAM *sp = NULL;
10240 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10241
10242 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10243 if (!TEST_ptr(ctx))
10244 goto end;
10245
10246 cp = SSL_CTX_get0_param(ctx);
10247 if (!TEST_ptr(cp))
10248 goto end;
10249 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10250 goto end;
10251
10252 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10253
10254 ssl = SSL_new(ctx);
10255 if (!TEST_ptr(ssl))
10256 goto end;
10257
10258 sp = SSL_get0_param(ssl);
10259 if (!TEST_ptr(sp))
10260 goto end;
10261 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10262 goto end;
10263
10264 testresult = 1;
10265
10266 end:
10267 SSL_free(ssl);
10268 SSL_CTX_free(ctx);
10269
10270 return testresult;
10271}
10272
10273static int test_load_dhfile(void)
10274{
10275#ifndef OPENSSL_NO_DH
10276 int testresult = 0;
10277
10278 SSL_CTX *ctx = NULL;
10279 SSL_CONF_CTX *cctx = NULL;
10280
10281 if (dhfile == NULL)
10282 return 1;
10283
10284 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10285 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10286 goto end;
10287
10288 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10289 SSL_CONF_CTX_set_flags(cctx,
10290 SSL_CONF_FLAG_CERTIFICATE
10291 | SSL_CONF_FLAG_SERVER
10292 | SSL_CONF_FLAG_FILE);
10293
10294 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10295 goto end;
10296
10297 testresult = 1;
10298end:
10299 SSL_CONF_CTX_free(cctx);
10300 SSL_CTX_free(ctx);
10301
10302 return testresult;
10303#else
10304 return TEST_skip("DH not supported by this build");
10305#endif
10306}
10307
10308#ifndef OSSL_NO_USABLE_TLS1_3
10309/* Test that read_ahead works across a key change */
10310static int test_read_ahead_key_change(void)
10311{
10312 SSL_CTX *cctx = NULL, *sctx = NULL;
10313 SSL *clientssl = NULL, *serverssl = NULL;
10314 int testresult = 0;
10315 char *msg = "Hello World";
10316 size_t written, readbytes;
10317 char buf[80];
10318 int i;
10319
10320 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10321 TLS_client_method(), TLS1_3_VERSION, 0,
10322 &sctx, &cctx, cert, privkey)))
10323 goto end;
10324
10325 SSL_CTX_set_read_ahead(sctx, 1);
10326
10327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10328 &clientssl, NULL, NULL)))
10329 goto end;
10330
10331 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10332 goto end;
10333
10334 /* Write some data, send a key update, write more data */
10335 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10336 || !TEST_size_t_eq(written, strlen(msg)))
10337 goto end;
10338
10339 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10340 goto end;
10341
10342 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10343 || !TEST_size_t_eq(written, strlen(msg)))
10344 goto end;
10345
10346 /*
10347 * Since read_ahead is on the first read below should read the record with
10348 * the first app data, the second record with the key update message, and
10349 * the third record with the app data all in one go. We should be able to
10350 * still process the read_ahead data correctly even though it crosses
10351 * epochs
10352 */
10353 for (i = 0; i < 2; i++) {
10354 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10355 &readbytes)))
10356 goto end;
10357
10358 buf[readbytes] = '\0';
10359 if (!TEST_str_eq(buf, msg))
10360 goto end;
10361 }
10362
10363 testresult = 1;
10364
10365end:
10366 SSL_free(serverssl);
10367 SSL_free(clientssl);
10368 SSL_CTX_free(sctx);
10369 SSL_CTX_free(cctx);
10370 return testresult;
10371}
10372
10373static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10374{
10375 int *called = arg;
10376
10377 switch ((*called)++) {
10378 case 0:
10379 /* Add some padding to first record */
10380 return 512;
10381 case 1:
10382 /* Maximally pad the second record */
10383 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10384 case 2:
10385 /*
10386 * Exceeding the maximum padding should be fine. It should just pad to
10387 * the maximum anyway
10388 */
10389 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10390 case 3:
10391 /*
10392 * Very large padding should also be ok. Should just pad to the maximum
10393 * allowed
10394 */
10395 return SIZE_MAX;
10396 default:
10397 return 0;
10398 }
10399}
10400
10401/*
10402 * Test that setting record padding in TLSv1.3 works as expected
10403 * Test 0: Record padding callback on the SSL_CTX
10404 * Test 1: Record padding callback on the SSL
10405 * Test 2: Record block padding on the SSL_CTX
10406 * Test 3: Record block padding on the SSL
10407 */
10408static int test_tls13_record_padding(int idx)
10409{
10410 SSL_CTX *cctx = NULL, *sctx = NULL;
10411 SSL *clientssl = NULL, *serverssl = NULL;
10412 int testresult = 0;
10413 char *msg = "Hello World";
10414 size_t written, readbytes;
10415 char buf[80];
10416 int i;
10417 int called = 0;
10418
10419 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10420 TLS_client_method(), TLS1_3_VERSION, 0,
10421 &sctx, &cctx, cert, privkey)))
10422 goto end;
10423
10424 if (idx == 0) {
10425 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10426 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10427 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10428 goto end;
10429 } else if (idx == 2) {
10430 /* Exceeding the max plain length should fail */
10431 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10432 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10433 goto end;
10434 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10435 goto end;
10436 }
10437
10438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10439 &clientssl, NULL, NULL)))
10440 goto end;
10441
10442 if (idx == 1) {
10443 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10444 SSL_set_record_padding_callback_arg(clientssl, &called);
10445 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10446 goto end;
10447 } else if (idx == 3) {
10448 /* Exceeding the max plain length should fail */
10449 if (!TEST_false(SSL_set_block_padding(clientssl,
10450 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10451 goto end;
10452 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10453 goto end;
10454 }
10455
10456 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10457 goto end;
10458
10459 called = 0;
10460 /*
10461 * Write some data, then check we can read it. Do this four times to check
10462 * we can continue to write and read padded data after the initial record
10463 * padding has been added. We don't actually check that the padding has
10464 * been applied to the record - just that we can continue to communicate
10465 * normally and that the callback has been called (if appropriate).
10466 */
10467 for (i = 0; i < 4; i++) {
10468 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10469 || !TEST_size_t_eq(written, strlen(msg)))
10470 goto end;
10471
10472 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10473 &readbytes))
10474 || !TEST_size_t_eq(written, readbytes))
10475 goto end;
10476
10477 buf[readbytes] = '\0';
10478 if (!TEST_str_eq(buf, msg))
10479 goto end;
10480 }
10481
10482 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10483 goto end;
10484
10485 testresult = 1;
10486end:
10487 SSL_free(serverssl);
10488 SSL_free(clientssl);
10489 SSL_CTX_free(sctx);
10490 SSL_CTX_free(cctx);
10491 return testresult;
10492}
10493#endif /* OSSL_NO_USABLE_TLS1_3 */
10494
10495#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10496/*
10497 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10498 * support this yet. The only pipeline capable cipher that we have is in the
10499 * dasync engine (providers don't support this yet), so we have to use
10500 * deprecated APIs for this test.
10501 *
10502 * Test 0: Client has pipelining enabled, server does not
10503 * Test 1: Server has pipelining enabled, client does not
10504 * Test 2: Client has pipelining enabled, server does not: not enough data to
10505 * fill all the pipelines
10506 * Test 3: Client has pipelining enabled, server does not: not enough data to
10507 * fill all the pipelines by more than a full pipeline's worth
10508 * Test 4: Client has pipelining enabled, server does not: more data than all
10509 * the available pipelines can take
10510 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10511 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10512 * is created)
10513 */
10514static int test_pipelining(int idx)
10515{
10516 SSL_CTX *cctx = NULL, *sctx = NULL;
10517 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10518 int testresult = 0, numreads;
10519 /* A 55 byte message */
10520 unsigned char *msg = (unsigned char *)
10521 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10522 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10523 size_t expectedreads;
10524 unsigned char *buf = NULL;
10525 ENGINE *e = NULL;
10526
10527 if (idx != 6) {
10528 e = load_dasync();
10529 if (e == NULL)
10530 return 0;
10531 }
10532
10533 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10534 TLS_client_method(), 0,
10535 TLS1_2_VERSION, &sctx, &cctx, cert,
10536 privkey)))
10537 goto end;
10538
10539 if (idx == 6) {
10540 e = load_dasync();
10541 if (e == NULL)
10542 goto end;
10543 /* Now act like test 0 */
10544 idx = 0;
10545 }
10546
10547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10548 &clientssl, NULL, NULL)))
10549 goto end;
10550
10551 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10552 goto end;
10553
10554 /* peera is always configured for pipelining, while peerb is not. */
10555 if (idx == 1) {
10556 peera = serverssl;
10557 peerb = clientssl;
10558
10559 } else {
10560 peera = clientssl;
10561 peerb = serverssl;
10562 }
10563
10564 if (idx == 5) {
10565 numpipes = 2;
10566 /* Maximum allowed fragment size */
10567 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10568 msglen = fragsize * numpipes;
10569 msg = OPENSSL_malloc(msglen);
10570 if (!TEST_ptr(msg))
10571 goto end;
10572 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10573 goto end;
10574 } else if (idx == 4) {
10575 msglen = 55;
10576 } else {
10577 msglen = 50;
10578 }
10579 if (idx == 2)
10580 msglen -= 2; /* Send 2 less bytes */
10581 else if (idx == 3)
10582 msglen -= 12; /* Send 12 less bytes */
10583
10584 buf = OPENSSL_malloc(msglen);
10585 if (!TEST_ptr(buf))
10586 goto end;
10587
10588 if (idx == 5) {
10589 /*
10590 * Test that setting a split send fragment longer than the maximum
10591 * allowed fails
10592 */
10593 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10594 goto end;
10595 }
10596
10597 /*
10598 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10599 * (50 bytes in total). This is a ridiculously small number of bytes -
10600 * but sufficient for our purposes
10601 */
10602 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10603 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10604 goto end;
10605
10606 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10607 goto end;
10608
10609 /* Write some data from peera to peerb */
10610 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10611 || !TEST_size_t_eq(written, msglen))
10612 goto end;
10613
10614 /*
10615 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10616 * have been used - except in test 3 where only |numpipes - 1| pipelines
10617 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10618 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10619 * expect this to be read in |numpipes| or |numpipes - 1| separate
10620 * SSL_read_ex calls. In the case of test 4, there is then one additional
10621 * read for left over data that couldn't fit in the previous pipelines
10622 */
10623 for (offset = 0, numreads = 0;
10624 offset < msglen;
10625 offset += readbytes, numreads++) {
10626 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10627 msglen - offset, &readbytes)))
10628 goto end;
10629 }
10630
10631 expectedreads = idx == 4 ? numpipes + 1
10632 : (idx == 3 ? numpipes - 1 : numpipes);
10633 if (!TEST_mem_eq(msg, msglen, buf, offset)
10634 || !TEST_int_eq(numreads, expectedreads))
10635 goto end;
10636
10637 /*
10638 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10639 * chunks to exercise the read pipelining code on peera.
10640 */
10641 for (offset = 0; offset < msglen; offset += fragsize) {
10642 size_t sendlen = msglen - offset;
10643
10644 if (sendlen > fragsize)
10645 sendlen = fragsize;
10646 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10647 || !TEST_size_t_eq(written, sendlen))
10648 goto end;
10649 }
10650
10651 /*
10652 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10653 * separate chunks (depending on which test we are running). If the
10654 * pipelining is working then we expect peera to read up to numpipes chunks
10655 * and process them in parallel, giving back the complete result in a single
10656 * call to SSL_read_ex
10657 */
10658 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10659 || !TEST_size_t_le(readbytes, msglen))
10660 goto end;
10661
10662 if (idx == 4) {
10663 size_t readbytes2;
10664
10665 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10666 msglen - readbytes, &readbytes2)))
10667 goto end;
10668 readbytes += readbytes2;
10669 if (!TEST_size_t_le(readbytes, msglen))
10670 goto end;
10671 }
10672
10673 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10674 goto end;
10675
10676 testresult = 1;
10677end:
10678 SSL_free(serverssl);
10679 SSL_free(clientssl);
10680 SSL_CTX_free(sctx);
10681 SSL_CTX_free(cctx);
10682 if (e != NULL) {
10683 ENGINE_unregister_ciphers(e);
10684 ENGINE_finish(e);
10685 ENGINE_free(e);
10686 }
10687 OPENSSL_free(buf);
10688 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10689 OPENSSL_free(msg);
10690 return testresult;
10691}
10692#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10693
10694/*
10695 * Force a write retry during handshaking. We test various combinations of
10696 * scenarios. We test a large certificate message which will fill the buffering
10697 * BIO used in the handshake. We try with client auth on and off. Finally we
10698 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
10699 * to indicate retry via -1 - but sometimes BIOs don't do that.
10700 *
10701 * Test 0: Standard certificate message
10702 * Test 1: Large certificate message
10703 * Test 2: Standard cert, verify peer
10704 * Test 3: Large cert, verify peer
10705 * Test 4: Standard cert, BIO returns 0 on retry
10706 * Test 5: Large cert, BIO returns 0 on retry
10707 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
10708 * Test 7: Large cert, verify peer, BIO returns 0 on retry
10709 * Test 8-15: Repeat of above with TLSv1.2
10710 */
10711static int test_handshake_retry(int idx)
10712{
10713 SSL_CTX *cctx = NULL, *sctx = NULL;
10714 SSL *clientssl = NULL, *serverssl = NULL;
10715 int testresult = 0;
10716 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
10717 int maxversion = 0;
10718
10719 if (!TEST_ptr(bretry))
10720 goto end;
10721
10722#ifndef OPENSSL_NO_TLS1_2
10723 if ((idx & 8) == 8)
10724 maxversion = TLS1_2_VERSION;
10725#else
10726 if ((idx & 8) == 8)
10727 return TEST_skip("No TLSv1.2");
10728#endif
10729
10730 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10731 TLS_client_method(), 0, maxversion,
10732 &sctx, &cctx, cert, privkey)))
10733 goto end;
10734
10735 /*
10736 * Add a large amount of data to fill the buffering BIO used by the SSL
10737 * object
10738 */
10739 if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
10740 goto end;
10741
10742 /*
10743 * We don't actually configure a client cert, but neither do we fail if one
10744 * isn't present.
10745 */
10746 if ((idx & 2) == 2)
10747 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
10748
10749 if ((idx & 4) == 4)
10750 set_always_retry_err_val(0);
10751
10752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10753 &clientssl, NULL, NULL)))
10754 goto end;
10755
10756 tmp = SSL_get_wbio(serverssl);
10757 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
10758 tmp = NULL;
10759 goto end;
10760 }
10761 SSL_set0_wbio(serverssl, bretry);
10762 bretry = NULL;
10763
10764 if (!TEST_int_eq(SSL_connect(clientssl), -1))
10765 goto end;
10766
10767 if (!TEST_int_eq(SSL_accept(serverssl), -1)
10768 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
10769 goto end;
10770
10771 /* Restore a BIO that will let the write succeed */
10772 SSL_set0_wbio(serverssl, tmp);
10773 tmp = NULL;
10774
10775 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10776 goto end;
10777
10778 testresult = 1;
10779end:
10780 SSL_free(serverssl);
10781 SSL_free(clientssl);
10782 SSL_CTX_free(sctx);
10783 SSL_CTX_free(cctx);
10784 BIO_free(bretry);
10785 BIO_free(tmp);
10786 set_always_retry_err_val(-1);
10787 return testresult;
10788}
10789
10790struct resume_servername_cb_data {
10791 int i;
10792 SSL_CTX *cctx;
10793 SSL_CTX *sctx;
10794 SSL_SESSION *sess;
10795 int recurse;
10796};
10797
10798/*
10799 * Servername callback. We use it here to run another complete handshake using
10800 * the same session - and mark the session as not_resuamble at the end
10801 */
10802static int resume_servername_cb(SSL *s, int *ad, void *arg)
10803{
10804 struct resume_servername_cb_data *cbdata = arg;
10805 SSL *serverssl = NULL, *clientssl = NULL;
10806 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
10807
10808 if (cbdata->recurse)
10809 return SSL_TLSEXT_ERR_ALERT_FATAL;
10810
10811 if ((cbdata->i % 3) != 1)
10812 return SSL_TLSEXT_ERR_OK;
10813
10814 cbdata->recurse = 1;
10815
10816 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
10817 &clientssl, NULL, NULL))
10818 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
10819 goto end;
10820
10821 ERR_set_mark();
10822 /*
10823 * We expect this to fail - because the servername cb will fail. This will
10824 * mark the session as not_resumable.
10825 */
10826 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
10827 ERR_clear_last_mark();
10828 goto end;
10829 }
10830 ERR_pop_to_mark();
10831
10832 ret = SSL_TLSEXT_ERR_OK;
10833 end:
10834 SSL_free(serverssl);
10835 SSL_free(clientssl);
10836 cbdata->recurse = 0;
10837 return ret;
10838}
10839
10840/*
10841 * Test multiple resumptions and cache size handling
10842 * Test 0: TLSv1.3 (max_early_data set)
10843 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
10844 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
10845 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
10846 * Test 4: TLSv1.2
10847 */
10848static int test_multi_resume(int idx)
10849{
10850 SSL_CTX *sctx = NULL, *cctx = NULL;
10851 SSL *serverssl = NULL, *clientssl = NULL;
10852 SSL_SESSION *sess = NULL;
10853 int max_version = TLS1_3_VERSION;
10854 int i, testresult = 0;
10855 struct resume_servername_cb_data cbdata;
10856
10857#if defined(OPENSSL_NO_TLS1_2)
10858 if (idx == 4)
10859 return TEST_skip("TLSv1.2 is disabled in this build");
10860#else
10861 if (idx == 4)
10862 max_version = TLS1_2_VERSION;
10863#endif
10864#if defined(OSSL_NO_USABLE_TLS1_3)
10865 if (idx != 4)
10866 return TEST_skip("No usable TLSv1.3 in this build");
10867#endif
10868
10869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10870 TLS_client_method(), TLS1_VERSION,
10871 max_version, &sctx, &cctx, cert,
10872 privkey)))
10873 goto end;
10874
10875 /*
10876 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
10877 * replay protection), or if SSL_OP_NO_TICKET is in use
10878 */
10879 if (idx == 0 || idx == 2) {
10880 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
10881 goto end;
10882 }
10883 if (idx == 1 || idx == 2 || idx == 3)
10884 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
10885
10886 SSL_CTX_sess_set_cache_size(sctx, 5);
10887
10888 if (idx == 3) {
10889 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
10890 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
10891 cbdata.cctx = cctx;
10892 cbdata.sctx = sctx;
10893 cbdata.recurse = 0;
10894 }
10895
10896 for (i = 0; i < 30; i++) {
10897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10898 NULL, NULL))
10899 || !TEST_true(SSL_set_session(clientssl, sess)))
10900 goto end;
10901
10902 /*
10903 * Check simultaneous resumes. We pause the connection part way through
10904 * the handshake by (mis)using the servername_cb. The pause occurs after
10905 * session resumption has already occurred, but before any session
10906 * tickets have been issued. While paused we run another complete
10907 * handshake resuming the same session.
10908 */
10909 if (idx == 3) {
10910 cbdata.i = i;
10911 cbdata.sess = sess;
10912 }
10913
10914 /*
10915 * Recreate a bug where dynamically changing the max_early_data value
10916 * can cause sessions in the session cache which cannot be deleted.
10917 */
10918 if ((idx == 0 || idx == 2) && (i % 3) == 2)
10919 SSL_set_max_early_data(serverssl, 0);
10920
10921 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10922 goto end;
10923
10924 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
10925 if (!TEST_false(SSL_session_reused(clientssl)))
10926 goto end;
10927 } else {
10928 if (!TEST_true(SSL_session_reused(clientssl)))
10929 goto end;
10930 }
10931 SSL_SESSION_free(sess);
10932
10933 /* Do a full handshake, followed by two resumptions */
10934 if ((i % 3) == 2) {
10935 sess = NULL;
10936 } else {
10937 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
10938 goto end;
10939 }
10940
10941 SSL_shutdown(clientssl);
10942 SSL_shutdown(serverssl);
10943 SSL_free(serverssl);
10944 SSL_free(clientssl);
10945 serverssl = clientssl = NULL;
10946 }
10947
10948 /* We should never exceed the session cache size limit */
10949 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
10950 goto end;
10951
10952 testresult = 1;
10953 end:
10954 SSL_free(serverssl);
10955 SSL_free(clientssl);
10956 SSL_CTX_free(sctx);
10957 SSL_CTX_free(cctx);
10958 SSL_SESSION_free(sess);
10959 return testresult;
10960}
10961
10962static struct next_proto_st {
10963 int serverlen;
10964 unsigned char server[40];
10965 int clientlen;
10966 unsigned char client[40];
10967 int expected_ret;
10968 size_t selectedlen;
10969 unsigned char selected[40];
10970} next_proto_tests[] = {
10971 {
10972 4, { 3, 'a', 'b', 'c' },
10973 4, { 3, 'a', 'b', 'c' },
10974 OPENSSL_NPN_NEGOTIATED,
10975 3, { 'a', 'b', 'c' }
10976 },
10977 {
10978 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
10979 4, { 3, 'a', 'b', 'c' },
10980 OPENSSL_NPN_NEGOTIATED,
10981 3, { 'a', 'b', 'c' }
10982 },
10983 {
10984 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
10985 4, { 3, 'a', 'b', 'c' },
10986 OPENSSL_NPN_NEGOTIATED,
10987 3, { 'a', 'b', 'c' }
10988 },
10989 {
10990 4, { 3, 'a', 'b', 'c' },
10991 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
10992 OPENSSL_NPN_NEGOTIATED,
10993 3, { 'a', 'b', 'c' }
10994 },
10995 {
10996 4, { 3, 'a', 'b', 'c' },
10997 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10998 OPENSSL_NPN_NEGOTIATED,
10999 3, { 'a', 'b', 'c' }
11000 },
11001 {
11002 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
11003 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
11004 OPENSSL_NPN_NEGOTIATED,
11005 3, { 'a', 'b', 'c' }
11006 },
11007 {
11008 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
11009 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
11010 OPENSSL_NPN_NEGOTIATED,
11011 3, { 'a', 'b', 'c' }
11012 },
11013 {
11014 4, { 3, 'b', 'c', 'd' },
11015 4, { 3, 'a', 'b', 'c' },
11016 OPENSSL_NPN_NO_OVERLAP,
11017 3, { 'a', 'b', 'c' }
11018 },
11019 {
11020 0, { 0 },
11021 4, { 3, 'a', 'b', 'c' },
11022 OPENSSL_NPN_NO_OVERLAP,
11023 3, { 'a', 'b', 'c' }
11024 },
11025 {
11026 -1, { 0 },
11027 4, { 3, 'a', 'b', 'c' },
11028 OPENSSL_NPN_NO_OVERLAP,
11029 3, { 'a', 'b', 'c' }
11030 },
11031 {
11032 4, { 3, 'a', 'b', 'c' },
11033 0, { 0 },
11034 OPENSSL_NPN_NO_OVERLAP,
11035 0, { 0 }
11036 },
11037 {
11038 4, { 3, 'a', 'b', 'c' },
11039 -1, { 0 },
11040 OPENSSL_NPN_NO_OVERLAP,
11041 0, { 0 }
11042 },
11043 {
11044 3, { 3, 'a', 'b', 'c' },
11045 4, { 3, 'a', 'b', 'c' },
11046 OPENSSL_NPN_NO_OVERLAP,
11047 3, { 'a', 'b', 'c' }
11048 },
11049 {
11050 4, { 3, 'a', 'b', 'c' },
11051 3, { 3, 'a', 'b', 'c' },
11052 OPENSSL_NPN_NO_OVERLAP,
11053 0, { 0 }
11054 }
11055};
11056
11057static int test_select_next_proto(int idx)
11058{
11059 struct next_proto_st *np = &next_proto_tests[idx];
11060 int ret = 0;
11061 unsigned char *out, *client, *server;
11062 unsigned char outlen;
11063 unsigned int clientlen, serverlen;
11064
11065 if (np->clientlen == -1) {
11066 client = NULL;
11067 clientlen = 0;
11068 } else {
11069 client = np->client;
11070 clientlen = (unsigned int)np->clientlen;
11071 }
11072 if (np->serverlen == -1) {
11073 server = NULL;
11074 serverlen = 0;
11075 } else {
11076 server = np->server;
11077 serverlen = (unsigned int)np->serverlen;
11078 }
11079
11080 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
11081 client, clientlen),
11082 np->expected_ret))
11083 goto err;
11084
11085 if (np->selectedlen == 0) {
11086 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
11087 goto err;
11088 } else {
11089 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
11090 goto err;
11091 }
11092
11093 ret = 1;
11094 err:
11095 return ret;
11096}
11097
11098static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
11099static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
11100
11101#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
11102static int npn_advert_cb(SSL *ssl, const unsigned char **out,
11103 unsigned int *outlen, void *arg)
11104{
11105 int *idx = (int *)arg;
11106
11107 switch (*idx) {
11108 default:
11109 case 0:
11110 *out = fooprot;
11111 *outlen = sizeof(fooprot);
11112 return SSL_TLSEXT_ERR_OK;
11113
11114 case 1:
11115 *outlen = 0;
11116 return SSL_TLSEXT_ERR_OK;
11117
11118 case 2:
11119 return SSL_TLSEXT_ERR_NOACK;
11120 }
11121}
11122
11123static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
11124 const unsigned char *in, unsigned int inlen, void *arg)
11125{
11126 int *idx = (int *)arg;
11127
11128 switch (*idx) {
11129 case 0:
11130 case 1:
11131 *out = (unsigned char *)(fooprot + 1);
11132 *outlen = *fooprot;
11133 return SSL_TLSEXT_ERR_OK;
11134
11135 case 3:
11136 *out = (unsigned char *)(barprot + 1);
11137 *outlen = *barprot;
11138 return SSL_TLSEXT_ERR_OK;
11139
11140 case 4:
11141 *outlen = 0;
11142 return SSL_TLSEXT_ERR_OK;
11143
11144 default:
11145 case 2:
11146 return SSL_TLSEXT_ERR_ALERT_FATAL;
11147 }
11148}
11149
11150/*
11151 * Test the NPN callbacks
11152 * Test 0: advert = foo, select = foo
11153 * Test 1: advert = <empty>, select = foo
11154 * Test 2: no advert
11155 * Test 3: advert = foo, select = bar
11156 * Test 4: advert = foo, select = <empty> (should fail)
11157 */
11158static int test_npn(int idx)
11159{
11160 SSL_CTX *sctx = NULL, *cctx = NULL;
11161 SSL *serverssl = NULL, *clientssl = NULL;
11162 int testresult = 0;
11163
11164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11165 TLS_client_method(), 0, TLS1_2_VERSION,
11166 &sctx, &cctx, cert, privkey)))
11167 goto end;
11168
11169 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
11170 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
11171
11172 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11173 NULL)))
11174 goto end;
11175
11176 if (idx == 4) {
11177 /* We don't allow empty selection of NPN, so this should fail */
11178 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
11179 SSL_ERROR_NONE)))
11180 goto end;
11181 } else {
11182 const unsigned char *prot;
11183 unsigned int protlen;
11184
11185 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
11186 SSL_ERROR_NONE)))
11187 goto end;
11188
11189 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
11190 switch (idx) {
11191 case 0:
11192 case 1:
11193 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11194 goto end;
11195 break;
11196 case 2:
11197 if (!TEST_uint_eq(protlen, 0))
11198 goto end;
11199 break;
11200 case 3:
11201 if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
11202 goto end;
11203 break;
11204 default:
11205 TEST_error("Should not get here");
11206 goto end;
11207 }
11208 }
11209
11210 testresult = 1;
11211 end:
11212 SSL_free(serverssl);
11213 SSL_free(clientssl);
11214 SSL_CTX_free(sctx);
11215 SSL_CTX_free(cctx);
11216
11217 return testresult;
11218}
11219#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
11220
11221static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
11222 unsigned char *outlen, const unsigned char *in,
11223 unsigned int inlen, void *arg)
11224{
11225 int *idx = (int *)arg;
11226
11227 switch (*idx) {
11228 case 0:
11229 *out = (unsigned char *)(fooprot + 1);
11230 *outlen = *fooprot;
11231 return SSL_TLSEXT_ERR_OK;
11232
11233 case 2:
11234 *out = (unsigned char *)(barprot + 1);
11235 *outlen = *barprot;
11236 return SSL_TLSEXT_ERR_OK;
11237
11238 case 3:
11239 *outlen = 0;
11240 return SSL_TLSEXT_ERR_OK;
11241
11242 default:
11243 case 1:
11244 return SSL_TLSEXT_ERR_ALERT_FATAL;
11245 }
11246 return 0;
11247}
11248
11249/*
11250 * Test the ALPN callbacks
11251 * Test 0: client = foo, select = foo
11252 * Test 1: client = <empty>, select = none
11253 * Test 2: client = foo, select = bar (should fail)
11254 * Test 3: client = foo, select = <empty> (should fail)
11255 */
11256static int test_alpn(int idx)
11257{
11258 SSL_CTX *sctx = NULL, *cctx = NULL;
11259 SSL *serverssl = NULL, *clientssl = NULL;
11260 int testresult = 0;
11261 const unsigned char *prots = fooprot;
11262 unsigned int protslen = sizeof(fooprot);
11263
11264 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11265 TLS_client_method(), 0, 0,
11266 &sctx, &cctx, cert, privkey)))
11267 goto end;
11268
11269 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
11270
11271 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11272 NULL)))
11273 goto end;
11274
11275 if (idx == 1) {
11276 prots = NULL;
11277 protslen = 0;
11278 }
11279
11280 /* SSL_set_alpn_protos returns 0 for success! */
11281 if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
11282 goto end;
11283
11284 if (idx == 2 || idx == 3) {
11285 /* We don't allow empty selection of NPN, so this should fail */
11286 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
11287 SSL_ERROR_NONE)))
11288 goto end;
11289 } else {
11290 const unsigned char *prot;
11291 unsigned int protlen;
11292
11293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
11294 SSL_ERROR_NONE)))
11295 goto end;
11296
11297 SSL_get0_alpn_selected(clientssl, &prot, &protlen);
11298 switch (idx) {
11299 case 0:
11300 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11301 goto end;
11302 break;
11303 case 1:
11304 if (!TEST_uint_eq(protlen, 0))
11305 goto end;
11306 break;
11307 default:
11308 TEST_error("Should not get here");
11309 goto end;
11310 }
11311 }
11312
11313 testresult = 1;
11314 end:
11315 SSL_free(serverssl);
11316 SSL_free(clientssl);
11317 SSL_CTX_free(sctx);
11318 SSL_CTX_free(cctx);
11319
11320 return testresult;
11321}
11322
11323OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11324
11325int setup_tests(void)
11326{
11327 char *modulename;
11328 char *configfile;
11329
11330 libctx = OSSL_LIB_CTX_new();
11331 if (!TEST_ptr(libctx))
11332 return 0;
11333
11334 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11335
11336 /*
11337 * Verify that the default and fips providers in the default libctx are not
11338 * available
11339 */
11340 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11341 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11342 return 0;
11343
11344 if (!test_skip_common_options()) {
11345 TEST_error("Error parsing test options\n");
11346 return 0;
11347 }
11348
11349 if (!TEST_ptr(certsdir = test_get_argument(0))
11350 || !TEST_ptr(srpvfile = test_get_argument(1))
11351 || !TEST_ptr(tmpfilename = test_get_argument(2))
11352 || !TEST_ptr(modulename = test_get_argument(3))
11353 || !TEST_ptr(configfile = test_get_argument(4))
11354 || !TEST_ptr(dhfile = test_get_argument(5)))
11355 return 0;
11356
11357 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11358 return 0;
11359
11360 /* Check we have the expected provider available */
11361 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11362 return 0;
11363
11364 /* Check the default provider is not available */
11365 if (strcmp(modulename, "default") != 0
11366 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11367 return 0;
11368
11369 if (strcmp(modulename, "fips") == 0) {
11370 OSSL_PROVIDER *prov = NULL;
11371 OSSL_PARAM params[2];
11372
11373 is_fips = 1;
11374
11375 prov = OSSL_PROVIDER_load(libctx, "fips");
11376 if (prov != NULL) {
11377 /* Query the fips provider to check if the check ems option is enabled */
11378 params[0] =
11379 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11380 &fips_ems_check);
11381 params[1] = OSSL_PARAM_construct_end();
11382 OSSL_PROVIDER_get_params(prov, params);
11383 OSSL_PROVIDER_unload(prov);
11384 }
11385 }
11386
11387 /*
11388 * We add, but don't load the test "tls-provider". We'll load it when we
11389 * need it.
11390 */
11391 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11392 tls_provider_init)))
11393 return 0;
11394
11395
11396 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11397#ifdef OPENSSL_NO_CRYPTO_MDEBUG
11398 TEST_error("not supported in this build");
11399 return 0;
11400#else
11401 int i, mcount, rcount, fcount;
11402
11403 for (i = 0; i < 4; i++)
11404 test_export_key_mat(i);
11405 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11406 test_printf_stdout("malloc %d realloc %d free %d\n",
11407 mcount, rcount, fcount);
11408 return 1;
11409#endif
11410 }
11411
11412 cert = test_mk_file_path(certsdir, "servercert.pem");
11413 if (cert == NULL)
11414 goto err;
11415
11416 privkey = test_mk_file_path(certsdir, "serverkey.pem");
11417 if (privkey == NULL)
11418 goto err;
11419
11420 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11421 if (cert2 == NULL)
11422 goto err;
11423
11424 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11425 if (privkey2 == NULL)
11426 goto err;
11427
11428 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11429 if (cert1024 == NULL)
11430 goto err;
11431
11432 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11433 if (privkey1024 == NULL)
11434 goto err;
11435
11436 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11437 if (cert3072 == NULL)
11438 goto err;
11439
11440 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11441 if (privkey3072 == NULL)
11442 goto err;
11443
11444 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11445 if (cert4096 == NULL)
11446 goto err;
11447
11448 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11449 if (privkey4096 == NULL)
11450 goto err;
11451
11452 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11453 if (cert8192 == NULL)
11454 goto err;
11455
11456 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11457 if (privkey8192 == NULL)
11458 goto err;
11459
11460 if (fips_ems_check) {
11461#ifndef OPENSSL_NO_TLS1_2
11462 ADD_TEST(test_no_ems);
11463#endif
11464 return 1;
11465 }
11466#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11467# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11468 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11469 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
11470# endif
11471#endif
11472 ADD_TEST(test_large_message_tls);
11473 ADD_TEST(test_large_message_tls_read_ahead);
11474#ifndef OPENSSL_NO_DTLS
11475 ADD_TEST(test_large_message_dtls);
11476#endif
11477 ADD_ALL_TESTS(test_large_app_data, 28);
11478 ADD_TEST(test_cleanse_plaintext);
11479#ifndef OPENSSL_NO_OCSP
11480 ADD_TEST(test_tlsext_status_type);
11481#endif
11482 ADD_TEST(test_session_with_only_int_cache);
11483 ADD_TEST(test_session_with_only_ext_cache);
11484 ADD_TEST(test_session_with_both_cache);
11485 ADD_TEST(test_session_wo_ca_names);
11486#ifndef OSSL_NO_USABLE_TLS1_3
11487 ADD_ALL_TESTS(test_stateful_tickets, 3);
11488 ADD_ALL_TESTS(test_stateless_tickets, 3);
11489 ADD_TEST(test_psk_tickets);
11490 ADD_ALL_TESTS(test_extra_tickets, 6);
11491#endif
11492 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11493 ADD_TEST(test_ssl_bio_pop_next_bio);
11494 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11495 ADD_TEST(test_ssl_bio_change_rbio);
11496 ADD_TEST(test_ssl_bio_change_wbio);
11497#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11498 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11499 ADD_TEST(test_keylog);
11500#endif
11501#ifndef OSSL_NO_USABLE_TLS1_3
11502 ADD_TEST(test_keylog_no_master_key);
11503#endif
11504 ADD_TEST(test_client_cert_verify_cb);
11505 ADD_TEST(test_ssl_build_cert_chain);
11506 ADD_TEST(test_ssl_ctx_build_cert_chain);
11507#ifndef OPENSSL_NO_TLS1_2
11508 ADD_TEST(test_client_hello_cb);
11509 ADD_TEST(test_no_ems);
11510 ADD_TEST(test_ccs_change_cipher);
11511#endif
11512#ifndef OSSL_NO_USABLE_TLS1_3
11513 ADD_ALL_TESTS(test_early_data_read_write, 6);
11514 /*
11515 * We don't do replay tests for external PSK. Replay protection isn't used
11516 * in that scenario.
11517 */
11518 ADD_ALL_TESTS(test_early_data_replay, 2);
11519 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11520 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11521 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11522 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11523 ADD_ALL_TESTS(test_early_data_not_sent, 3);
11524 ADD_ALL_TESTS(test_early_data_psk, 8);
11525 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11526 ADD_ALL_TESTS(test_early_data_not_expected, 3);
11527# ifndef OPENSSL_NO_TLS1_2
11528 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11529# endif
11530#endif
11531#ifndef OSSL_NO_USABLE_TLS1_3
11532 ADD_ALL_TESTS(test_set_ciphersuite, 10);
11533 ADD_TEST(test_ciphersuite_change);
11534 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11535# ifdef OPENSSL_NO_PSK
11536 ADD_ALL_TESTS(test_tls13_psk, 1);
11537# else
11538 ADD_ALL_TESTS(test_tls13_psk, 4);
11539# endif /* OPENSSL_NO_PSK */
11540# ifndef OPENSSL_NO_TLS1_2
11541 /* Test with both TLSv1.3 and 1.2 versions */
11542 ADD_ALL_TESTS(test_key_exchange, 14);
11543# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11544 ADD_ALL_TESTS(test_negotiated_group,
11545 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11546 + OSSL_NELEM(ffdhe_kexch_groups)));
11547# endif
11548# else
11549 /* Test with only TLSv1.3 versions */
11550 ADD_ALL_TESTS(test_key_exchange, 12);
11551# endif
11552 ADD_ALL_TESTS(test_custom_exts, 6);
11553 ADD_TEST(test_stateless);
11554 ADD_TEST(test_pha_key_update);
11555#else
11556 ADD_ALL_TESTS(test_custom_exts, 3);
11557#endif
11558 ADD_ALL_TESTS(test_export_key_mat, 6);
11559#ifndef OSSL_NO_USABLE_TLS1_3
11560 ADD_ALL_TESTS(test_export_key_mat_early, 3);
11561 ADD_TEST(test_key_update);
11562 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11563 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11564 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11565 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11566#endif
11567 ADD_ALL_TESTS(test_ssl_clear, 2);
11568 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11569#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11570 ADD_ALL_TESTS(test_srp, 6);
11571#endif
11572 ADD_ALL_TESTS(test_info_callback, 6);
11573 ADD_ALL_TESTS(test_ssl_pending, 2);
11574 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11575 ADD_ALL_TESTS(test_ticket_callbacks, 20);
11576 ADD_ALL_TESTS(test_shutdown, 7);
11577 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11578 ADD_ALL_TESTS(test_cert_cb, 6);
11579 ADD_ALL_TESTS(test_client_cert_cb, 2);
11580 ADD_ALL_TESTS(test_ca_names, 3);
11581#ifndef OPENSSL_NO_TLS1_2
11582 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11583#endif
11584 ADD_ALL_TESTS(test_servername, 10);
11585#if !defined(OPENSSL_NO_EC) \
11586 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11587 ADD_ALL_TESTS(test_sigalgs_available, 6);
11588#endif
11589#ifndef OPENSSL_NO_TLS1_3
11590 ADD_ALL_TESTS(test_pluggable_group, 2);
11591#endif
11592#ifndef OPENSSL_NO_TLS1_2
11593 ADD_TEST(test_ssl_dup);
11594# ifndef OPENSSL_NO_DH
11595 ADD_ALL_TESTS(test_set_tmp_dh, 11);
11596 ADD_ALL_TESTS(test_dh_auto, 7);
11597# endif
11598#endif
11599#ifndef OSSL_NO_USABLE_TLS1_3
11600 ADD_TEST(test_sni_tls13);
11601 ADD_ALL_TESTS(test_ticket_lifetime, 2);
11602#endif
11603 ADD_TEST(test_inherit_verify_param);
11604 ADD_TEST(test_set_alpn);
11605 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11606 ADD_TEST(test_set_verify_cert_store_ssl);
11607 ADD_ALL_TESTS(test_session_timeout, 1);
11608#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
11609 ADD_ALL_TESTS(test_session_cache_overflow, 4);
11610#endif
11611 ADD_TEST(test_load_dhfile);
11612#ifndef OSSL_NO_USABLE_TLS1_3
11613 ADD_TEST(test_read_ahead_key_change);
11614 ADD_ALL_TESTS(test_tls13_record_padding, 4);
11615#endif
11616#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11617 ADD_ALL_TESTS(test_serverinfo_custom, 4);
11618#endif
11619#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11620 ADD_ALL_TESTS(test_pipelining, 7);
11621#endif
11622 ADD_ALL_TESTS(test_handshake_retry, 16);
11623 ADD_ALL_TESTS(test_multi_resume, 5);
11624 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
11625#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
11626 ADD_ALL_TESTS(test_npn, 5);
11627#endif
11628 ADD_ALL_TESTS(test_alpn, 4);
11629 return 1;
11630
11631 err:
11632 OPENSSL_free(cert);
11633 OPENSSL_free(privkey);
11634 OPENSSL_free(cert2);
11635 OPENSSL_free(privkey2);
11636 return 0;
11637}
11638
11639void cleanup_tests(void)
11640{
11641# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11642 EVP_PKEY_free(tmp_dh_params);
11643#endif
11644 OPENSSL_free(cert);
11645 OPENSSL_free(privkey);
11646 OPENSSL_free(cert2);
11647 OPENSSL_free(privkey2);
11648 OPENSSL_free(cert1024);
11649 OPENSSL_free(privkey1024);
11650 OPENSSL_free(cert3072);
11651 OPENSSL_free(privkey3072);
11652 OPENSSL_free(cert4096);
11653 OPENSSL_free(privkey4096);
11654 OPENSSL_free(cert8192);
11655 OPENSSL_free(privkey8192);
11656 bio_s_mempacket_test_free();
11657 bio_s_always_retry_free();
11658 OSSL_PROVIDER_unload(defctxnull);
11659 OSSL_LIB_CTX_free(libctx);
11660}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette